Hi,

I am getting these messages in my log when setting all instances of 
pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open 
connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] 
PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: 
Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it 
should, so it is clearly a firewall issue with iptables.
However, I have all the ports enabled and Red Hat clients work with the 
firewall on.
Clearly Solaris is using some secret other port(s) that is not mentioned.
I have tried with 749 and 750 tcp and udp with no difference.

Regards,
Johan.

________________________________
From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and 
enabling debug logging in the syslog daemon?


Rgds
Siggi

Johan Petersson <johan.peters...@sscspace.com> wrote:
Of course it was a simple thing like replacing auto.nethome with auto_nethome 
that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11.
The only thing left to investigate is why there is a delay now for the IPA 
users.
I get the message "Your Kerberos account/password will expire in 89 days" 
quickly, but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.
________________________________
From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master? You should use _ 
instead of . for any additional maps when you need Solaris autofs 
compatibility. This also needs to be reflected in the auto.master.

The Linux automounter does not care about . or _ as long as the naming is 
consistent between the additional maps and auto.master. The default for Linux 
is auto.master with a . and auto_master for Solaris. Hence the auto.master 
mapping in the Solaris dua profile.


Rgds
Siggi

Johan Petersson <johan.peters...@sscspace.com> wrote:

Got everything except automount to work with Solaris 11 and the more secure 
DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console 
login work (as well as expected with no home directory) and the automount map 
works for Red Hat clients.
I have now tried with another directory for users (/nethome), since when trying 
with /home autofs made local users unavailable. They are automounted locally to 
/home/ from /export/home/ on Solaris for some strange reason and autofs then 
tried finding local users' home directories on the NFS Server :)

root@solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root@solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2

The automount map is called auto.nethome.
The key is: * -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.
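The trace above fails on the map named auto.nethome, and the reply above it explains that Solaris autofs expects underscores rather than dots in submap names (auto_nethome), reflected in the master map as well. The shell script below is an added example written for this thread, not code from the list, from FreeIPA or from Solaris: it scans a constructed auto.master for dotted submap names and prints the Solaris-style rename for each. The master map content, paths and map names are constructed sample data.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or from FreeIPA:
# find submaps referenced from an automount master map whose names contain
# a dot, and suggest the underscore form that Solaris autofs expects
# (auto.nethome -> auto_nethome). The master map below is constructed
# sample data; the paths and map names are assumptions.

SAMPLE_MASTER='/nethome  auto.nethome  -rw,soft
/home     auto_home
/net      -hosts
# comment line
/opt      auto.opt'

# Print every submap name (second column) that contains a dot.
# Comment lines, blank lines and built-in maps (-hosts, -null) are skipped.
find_dotted_maps() {
    printf '%s\n' "$1" | awk '
        NF == 0               { next }   # blank line
        /^[[:space:]]*#/      { next }   # comment
        $2 ~ /^-/             { next }   # built-in map such as -hosts
        $2 ~ /\./             { print $2 }
    '
}

# Convert a Linux-style map name to the Solaris-style name (dots to underscores).
solaris_map_name() {
    printf '%s\n' "$1" | tr '.' '_'
}

# Emit one "old -> new" line per map that needs renaming, both as the LDAP
# automountMapName and in the master map entry that references it.
suggest_renames() {
    find_dotted_maps "$1" | while IFS= read -r map; do
        printf '%s -> %s\n' "$map" "$(solaris_map_name "$map")"
    done
}

suggest_renames "$SAMPLE_MASTER"
```

Run it against the real master map with `suggest_renames "$(cat /etc/auto_master)"` (or the map fetched from LDAP); an empty result means every referenced submap already uses a name that both the Linux and the Solaris automounter accept.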
________________________________

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the 
entire LDAP server for your automount maps. The automountmap rules in the DUA 
profile will help with that. You'll also run into issues if you attempt to have 
several automount locations without having specified which one to use with an 
automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to 
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the 
domain id used on your NFS server to get rid of the nobody:nobody default 
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
Hi,


Here is my pam.conf cleaned up a bit.


login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1

passwd  auth required           pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1

other   session required        pam_unix_session.so.1

other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1

I am getting one error and it is for autofs.


/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]


ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


Thinking it has to do with missing automountmap in default DUAProfile.
Automount still works though but takes time during login and everything is 
nobody:nobody :)


________________________________

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


Hi,


This is interesting. When I tested Solaris 11 ssh worked, and su - testuser 
worked. However
console login did not work giving some PAM errors.

Could you please share your entire pam.conf file?


Is this Solaris 11 or Solaris 11.1?




Regards,
Siggi




On Thu, December 20, 2012 09:40, Johan Petersson wrote:

I have now managed to use a Solaris 11 system as a client to IPA Server.
su - testuser works, ssh works and console login works. I get a delay before 
getting the prompt through ssh though, and maybe from console too, probably 
something about autofs. Going to see if I can increase log information (Solaris 
newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for 
Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration 
example from the Solaris 10 client guide on Free IPA. I stuck with the default 
DUAProfile for now and use a NFS4 Kerberos share for home directories with 
autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I 
can get everything working.

________________________________

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?



On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:


On Tue, December 18, 2012 08:28, Johan Petersson wrote:


Hi,




We are implementing IPA Server and are going to need to be able to authenticate 
properly with a number of Solaris 11 servers. I have browsed the archives and 
found a few threads mentioning some problems with Solaris 11 and IPA Server. 
Does anyone know if the issue has been solved?


I don't think there are any problems with Solaris 11 except that nobody has yet 
sat down and figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and 
found that there were enough differences in the LDAP/Kerberos client between 
Solaris 10 and Solaris 11 for making it work with the setup guide I've created 
for Solaris 10. And there was a need for further investigation for finding out 
how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.



I don't know if anyone else has had time to sit down and have a crack at this?



And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.





Regards,
Siggi




________________________________

Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.



















--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
