On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an
> IPA server based on the default DUAProfile.
> Console login, su - and ssh work.
> Automounted home directories have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home
> being grabbed by autofs and thus making local users' home directories
> unavailable.
> This can probably be solved by someone with more extensive experience of
> Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added
> security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP
> servers.
>
> On the IPA server or client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to /etc/krb5/krb5.keytab on the Solaris machine.
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" on the "hosts" and
> "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
>
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and
> complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still
> use the /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser ipaserver.example.com:/home/testuser
Thank you!

Dmitri

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
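The following post-setup checks are an added example, not part of Johan's or Dmitri's mail and not FreeIPA or Solaris tooling; they verify the four files the instructions above edit (nsswitch.ldap, nfssec.conf, pam.conf and the keytab permissions) and assume only that each check is handed the path of one such file, so they can run against staged copies as well as the live files.

```shell
#!/bin/sh
# Post-setup checks for the Solaris 11 IPA client configuration quoted above.
# Every check takes the path of one config file, so it can run against the
# live files in /etc or against staged copies (paths are the ones in the mail).

# hosts/ipnodes must resolve via files and dns; a leftover "ldap" makes host
# lookups depend on the directory being reachable, which breaks early boot.
check_nsswitch() {
  for key in hosts ipnodes; do
    line=$(grep "^${key}:" "$1") || return 1
    case "$line" in *ldap*) return 1 ;; esac
    case "$line" in *dns*) ;; *) return 1 ;; esac
  done
}

# krb5, krb5i and krb5p must be enabled (not commented out) in nfssec.conf,
# otherwise Kerberos-secured NFS mounts from the IPA server cannot be set up.
check_nfssec() {
  for mech in krb5 krb5i krb5p; do
    grep "^${mech}[[:space:]]" "$1" >/dev/null || return 1
  done
}

# In the "other auth" stack, pam_krb5 must be "sufficient" and come before
# pam_unix_auth, matching the order in the quoted pam.conf.
check_pam_auth() {
  awk '$1 == "other" && $2 == "auth" {
         n++
         if ($3 == "sufficient" && $4 ~ /pam_krb5/) krb_pos = n
         if ($4 ~ /pam_unix_auth/) unix_pos = n
       }
       END { exit !(krb_pos && unix_pos && krb_pos < unix_pos) }' "$1"
}

# The keytab holds the host key: owner-only access (chmod 700 in the mail).
# Parses ls -l rather than stat(1), which older Solaris releases lack.
check_keytab_mode() {
  set -- $(ls -l "$1" 2>/dev/null)
  case "$1" in -rwx------*|-rw-------*) return 0 ;; *) return 1 ;; esac
}

# Run all checks against the live files; exit status 0 means all passed.
run_all() {
  check_nsswitch "${1:-/etc/nsswitch.ldap}" && \
  check_nfssec "${2:-/etc/nfssec.conf}" && \
  check_pam_auth "${3:-/etc/pam.conf}" && \
  check_keytab_mode "${4:-/etc/krb5/krb5.keytab}"
}
```

Running `run_all` with no arguments on the configured Solaris host exits non-zero at the first check that fails, which is the file to look at.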