How about enabling the firewall and using tcpdump on the IPA server or snoop on
the Solaris box to see where it stops and waits?


Rgds
Siggi

Johan Petersson <johan.peters...@sscspace.com> wrote:

>Forgot to add the ports opened in my last message. :)
>
>22 TCP
>80 TCP
>443 TCP
>389 TCP
>636 TCP
>7389 TCP
>88 TCP,UDP
>464 TCP,UDP
>53 TCP,UDP
>123 TCP,UDP
>111 TCP,UDP
>2049 TCP,UDP
>
>Also tried 749, 750 and everything Kerberos-related from the Solaris
>/etc/services.
>solaris.example.com and solaris2.example.com are the same machine, just a
>typo from me when editing the log for publishing.
>
>Regards,
>Johan
>
>
>
>________________________________
>From: freeipa-users-boun...@redhat.com
>[freeipa-users-boun...@redhat.com] on behalf of Johan Petersson
>[johan.peters...@sscspace.com]
>Sent: Friday, December 28, 2012 13:40
>To: Sigbjorn Lie
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Hi,
>
>I am getting these messages in my log when setting debug on all instances
>of pam_krb5.so.1 in /etc/pam.d/other and /etc/pam.d/login:
>
>Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable
>to open connection to ADMIN server (t_error 13)
>Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error]
>PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey:
>Communication failure with server
>
>If I disable the firewall on my IPA server everything works as fast as
>it should, so it is clearly a firewall issue with iptables.
>However, I have all the ports enabled and Red Hat clients work with
>the firewall on.
>Clearly Solaris is using some secret other port(s) that are not
>mentioned.
>I have tried with 749 and 750 TCP and UDP with no difference.
>
>Regards,
>Johan.
>
>________________________________
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Wednesday, December 26, 2012 18:56
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Cool. :)
>
>What do you see if you turn on pam debugging by touching /etc/pam_debug
>and enabling debug logging in the syslog daemon?
>
>
>Rgds
>Siggi
>
>Johan Petersson <johan.peters...@sscspace.com> wrote:
>Of course it was a simple thing like replacing auto.nethome with
>auto_nethome that worked.
>Thank you for that help!
>I did not even think that it was that simple. :)
>
>Now everything works for the more secure client configuration on
>Solaris 11.
>The only thing left to investigate is why there is a delay now for the
>IPA users.
>I get the message "Your Kerberos account/password will expire in 89
>days" quickly, but then it waits for about 20 seconds until I get a
>prompt.
>
>Regards,
>Johan.
>________________________________
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Wednesday, December 26, 2012 17:10
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>What is the name of the other maps besides auto.master? You should use
>_ instead of . for any additional maps when you need Solaris autofs
>compatibility. This also needs to be reflected in the auto.master.
>
>The Linux automounter does not care about . or _ as long as the naming
>is consistent between the additional maps and auto.master. The default
>for Linux is auto.master with a . and auto_master for Solaris. Hence
>the auto.master mapping in the Solaris dua profile.
>
>
>Rgds
>Siggi
>
>Johan Petersson <johan.peters...@sscspace.com> wrote:
>
>Got everything except automount to work with Solaris 11 and the more
>secure DUAProfile.
>Verified that I can manually mount with krb5 on Solaris 11; ssh, su and
>console login work (as well as expected with no home directory), and the
>automount map works for Red Hat clients.
>I have now tried with another directory for users (/nethome), since when
>trying with /home autofs made local users unavailable. They are
>automounted locally to /home/ from /export/home/ on Solaris for some
>strange reason, and autofs then tried finding local users' home
>directories on the NFS server :)
>
>root@solaris2:~# ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
>NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXXXX
>NS_LDAP_SERVERS= server.example.org
>NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
>NS_LDAP_AUTH= tls:simple
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_SCOPE= one
>NS_LDAP_SEARCH_TIME= 10
>NS_LDAP_CACHETTL= 6000
>NS_LDAP_PROFILE= solaris_authssl1
>NS_LDAP_CREDENTIAL_LEVEL= proxy
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
>root@solaris2:~# sharectl get autofs
>timeout=600
>automount_verbose=true
>automountd_verbose=true
>nobrowse=false
>trace=2
>environment=
>
>From /var/svc/log/system-filesystem-autofs\:default.log:
>
>t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
>t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
>t4 getmapent_ldap called
>t4 getmapent_ldap: key=[ user02 ]
>t4 ldap_match called
>t4 ldap_match: key =[ user02 ]
>t4 ldap_match: ldapkey =[ user02 ]
>t4 ldap_match: Requesting list for
>(&(objectClass=automount)(automountKey=user02)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 ldap_match called
>t4 ldap_match: key =[ \2a ]
>t4 ldap_match: ldapkey =[ \2a ]
>t4 ldap_match: Requesting list for
>(&(objectClass=automount)(automountKey=\2a)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 getmapent_ldap: exiting ...
>t4 do_lookup1: action=2 wildcard=FALSE error=2
>t4 LOOKUP REPLY : status=2
>
>The automount map is called auto.nethome; the key is:
>* -rw,soft server.example.org:/nethome/&
>
>Is it that Solaris automount doesn't like an asterisk (*) in an automount
>key?
>
>Regards,
>Johan.
>________________________________
>
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Thursday, December 20, 2012 15:20
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>Thanks.
>
>I'm guessing it's taking such a long time because it's looking through
>the entire LDAP server for your automount maps. The automountmap rules in
>the DUA profile will help with that. You'll also run into issues if you
>attempt to have several automount locations without having specified
>which one to use with an automountmap rule for auto master.
>
>If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT
>record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same
>value as the domain id used on your NFS server to get rid of the
>nobody:nobody default mapping and enable mapping between the NFS server
>and the client.
>
>
>
>Regards,
>Siggi
>
>
>
>
>On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>Hi,
>
>
>Here is my pam.conf cleaned up a bit.
>
>
>login   auth requisite          pam_authtok_get.so.1
>login   auth required           pam_dhkeys.so.1
>login   auth sufficient         pam_krb5.so.1 try_first_pass
>login   auth required           pam_unix_cred.so.1
>login   auth required           pam_unix_auth.so.1
>login   auth required           pam_dial_auth.so.1
>
>gdm-autologin auth  required    pam_unix_cred.so.1
>gdm-autologin auth  sufficient  pam_allow.so.1
>
>other   auth requisite          pam_authtok_get.so.1
>other   auth required           pam_dhkeys.so.1
>other   auth required           pam_unix_cred.so.1
>other   auth sufficient         pam_krb5.so.1
>other   auth required           pam_unix_auth.so.1
>
>passwd  auth required           pam_passwd_auth.so.1
>
>gdm-autologin account  sufficient  pam_allow.so.1
>
>other   account requisite       pam_roles.so.1
>other   account required        pam_unix_account.so.1
>other   account required        pam_krb5.so.1
>
>other   session required        pam_unix_session.so.1
>
>other   password required       pam_dhkeys.so.1
>other   password requisite      pam_authtok_get.so.1
>other   password requisite      pam_authtok_check.so.1 force_check
>other   password sufficient     pam_krb5.so.1
>other   password required       pam_authtok_store.so.1
>
>I am getting one error and it is for autofs.
>
>
>/var/adm/messages:
>Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error]
>Object not found
>
>
>/var/svc/log/system.filesystem-autofs:default.log:
>[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs
>start"). ]
>automount: /net mounted
>automount: /nfs4 mounted
>automount: no unmounts
>[ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
>
>ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_SERVERS= servername
>NS_LDAP_SEARCH_BASEDN= dc=home
>NS_LDAP_AUTH= none
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_TIME= 15
>NS_LDAP_PROFILE= default
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
>
>Thinking it has to do with the missing automountmap in the default
>DUAProfile.
>Automount still works though, but takes time during login and everything
>is nobody:nobody :)
>
>
>________________________________
>
>From: Sigbjorn Lie
>[sigbj...@nixtra.com]
>Sent: Thursday, December 20, 2012 10:13
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>
>Hi,
>
>
>This is interesting. When I tested Solaris 11, ssh worked and su -
>testuser worked. However, console login did not work, giving some PAM
>errors.
>
>Could you please share your entire pam.conf file?
>
>
>Is this Solaris 11 or Solaris 11.1?
>
>
>
>
>Regards,
>Siggi
>
>
>
>
>On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>
>I have now managed to use a Solaris 11 system as a client to IPA
>Server.
>su - testuser works, ssh works and console login works. I get a delay
>before getting the prompt through ssh though, and maybe from console too,
>probably something about autofs. Going to see if I can increase the log
>information (Solaris newbie). To get it to work I mainly followed Sigbjorn
>Lie's instructions for Solaris 10 in earlier posts here. I also used the
>/etc/pam.conf configuration example from the Solaris 10 client guide on
>FreeIPA. I stuck with the default DUAProfile for now and use a NFS4
>Kerberos share for home directories with autofs. Going to try the other
>DUAProfile too from Bug 815515 and hopefully I can get everything working.
>
>________________________________
>
>From: freeipa-users-boun...@redhat.com
>[freeipa-users-boun...@redhat.com] on behalf of Dmitri
>Pal
>[d...@redhat.com]
>Sent: Tuesday, December 18, 2012 17:50
>To: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA
>server?
>
>
>
>On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>
>
>On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>
>
>Hi,
>
>
>
>
>We are implementing IPA Server and are going to need to be able to
>authenticate properly with a number of Solaris 11 servers. I have browsed
>the archives and found a few threads mentioning some problems with
>Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>
>
>I don't think there are any problems with Solaris 11 except that nobody
>has yet sat down and figured out how to configure it as an IPA client.
>
>I had a go at it a while ago (some of the posts you've probably found),
>and found that there were enough differences in the LDAP/Kerberos client
>between Solaris 10 and Solaris 11 for making it work with the setup guide
>I've created for Solaris 10. And there was a need for further
>investigation for finding out how to configure Solaris 11 as an IPA
>client.
>
>I've not looked into this further as we do not use Solaris 11 yet.
>
>
>
>I don't know if anyone else has had time to sit down and have a crack
>at this?
>
>
>
>And we would like to hear about this effort.
>If it produces instructions we would like to put them on the wiki.
>If it produces bugs we would investigate them.
>
>
>
>
>
>Regards,
>Siggi
>
>
>
>
>________________________________
>
>Freeipa-users mailing list
>Freeipa-users@redhat.com
>
>
>https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>
>--
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.
>
>
>
>
>________________________________
>
>Looking to carve out IT costs?
>www.redhat.com/carveoutcosts/
>
>
>
>
>
>
>
>
>
>
>
>
>
>--
>Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
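A worked version of the approach Siggi suggests at the top of the thread, added here as an example (it is not code from FreeIPA, from Oracle, or from either poster): run `tcpdump -n -i <iface> host <solaris-client>` on the IPA server with the firewall enabled, then classify per destination port what the client got back. With `tcpdump -n`, a SYN prints as `Flags [S]`, a SYN-ACK as `Flags [S.]` and an RST as `Flags [R.]`; an iptables REJECT prints as an ICMP port-unreachable line. A port the firewall DROPs therefore shows as SYNs retransmitted with growing gaps and no answer, which is exactly the "stops and waits" Johan sees. The server address 192.0.2.1 and the capture text are assumptions constructed for this example; 749/tcp (kadmin) is used only to show the shape of an unanswered kadmin connection, since the thread does not settle which port is missing. The opened-port set is the list Johan posted.

```python
"""Classify what each client connection to the IPA server got back, from the
text output of `tcpdump -n` taken on the server.  Added example for the thread;
server address, capture text and the choice of 749 are constructed, not a
capture from Johan's system."""
import re

SERVER = "192.0.2.1"   # assumed IPA server address (documentation range)

# Ports Johan reports as opened in iptables, as (proto, port).
OPENED = {
    ("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 389), ("tcp", 636),
    ("tcp", 7389), ("tcp", 88), ("udp", 88), ("tcp", 464), ("udp", 464),
    ("tcp", 53), ("udp", 53), ("tcp", 123), ("udp", 123), ("tcp", 111),
    ("udp", 111), ("tcp", 2049), ("udp", 2049),
}

# Constructed sample in `tcpdump -n` format: completed TCP and UDP exchanges on
# 88, unanswered SYN retransmits to 749, a REJECTed port, a port with no listener.
SAMPLE_CAPTURE = """\
12:59:12.000100 IP 192.0.2.10.40210 > 192.0.2.1.88: Flags [S], seq 1000, win 64240, length 0
12:59:12.000250 IP 192.0.2.1.88 > 192.0.2.10.40210: Flags [S.], seq 5000, ack 1001, win 65160, length 0
12:59:12.000400 IP 192.0.2.10.40210 > 192.0.2.1.88: Flags [.], ack 1, win 502, length 0
12:59:12.010000 IP 192.0.2.10.52000 > 192.0.2.1.88: UDP, length 160
12:59:12.010300 IP 192.0.2.1.88 > 192.0.2.10.52000: UDP, length 300
12:59:12.020000 IP 192.0.2.10.40211 > 192.0.2.1.749: Flags [S], seq 2000, win 64240, length 0
12:59:13.020000 IP 192.0.2.10.40211 > 192.0.2.1.749: Flags [S], seq 2000, win 64240, length 0
12:59:15.020000 IP 192.0.2.10.40211 > 192.0.2.1.749: Flags [S], seq 2000, win 64240, length 0
12:59:19.020000 IP 192.0.2.10.40211 > 192.0.2.1.749: Flags [S], seq 2000, win 64240, length 0
12:59:32.500000 IP 192.0.2.10.40212 > 192.0.2.1.2121: Flags [S], seq 3000, win 64240, length 0
12:59:32.500200 IP 192.0.2.1 > 192.0.2.10: ICMP 192.0.2.1 tcp port 2121 unreachable, length 68
12:59:33.000000 IP 192.0.2.10.40213 > 192.0.2.1.4444: Flags [S], seq 4000, win 64240, length 0
12:59:33.000150 IP 192.0.2.1.4444 > 192.0.2.10.40213: Flags [R.], seq 0, ack 4001, win 0, length 0
"""

PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$")
ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP \S+ "
    r"(?P<proto>tcp|udp) port (?P<port>\d+) unreachable")


def _seconds(ts):
    """'12:59:12.020000' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify_flows(capture, server=SERVER):
    """Map (proto, server port) -> {state, attempts, waited}.  state is 'ok'
    (server answered), 'no-reply' (client kept sending, nothing came back: a
    DROP), 'reset' (RST: reachable, no listener) or 'rejected' (ICMP
    port unreachable: a REJECT)."""
    flows = {}

    def entry(key):
        return flows.setdefault(
            key, {"state": "no-reply", "attempts": 0, "first": None, "last": None})

    for line in capture.splitlines():
        icmp = ICMP_RE.match(line)
        if icmp:                                   # must be tested before PKT_RE
            if icmp.group("src") == server:
                entry((icmp.group("proto"), int(icmp.group("port"))))["state"] = "rejected"
            continue
        m = PKT_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("Flags"):
            proto = "tcp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            continue
        ts = _seconds(m.group("ts"))
        if m.group("dst") == server:                           # client -> server
            e = entry((proto, int(m.group("dport"))))
            if proto == "tcp" and not rest.startswith("Flags [S],"):
                e["state"] = "ok"                              # ACK/data: handshake done
                continue
            e["attempts"] += 1                                 # a SYN or a UDP datagram
            e["first"] = ts if e["first"] is None else e["first"]
            e["last"] = ts
        elif m.group("src") == server:                         # server -> client
            e = entry((proto, int(m.group("sport"))))
            e["state"] = "reset" if rest.startswith("Flags [R") else "ok"

    for e in flows.values():
        e["waited"] = 0.0 if e["first"] is None else round(e["last"] - e["first"], 3)
    return flows


def stuck_ports(flows):
    """Every port the client is still waiting on or was refused by."""
    return [(key, e) for key, e in flows.items() if e["state"] != "ok"]


def report(flows, opened=OPENED):
    """One line per stuck port, noting whether it is in the opened-port list."""
    lines = []
    for (proto, port), e in stuck_ports(flows):
        hint = ("listed as opened, so check rule order and chains"
                if (proto, port) in opened else "not in the opened-port list")
        lines.append("%s/%d: %s, %d attempt(s), waited %.1fs (%s)"
                     % (proto, port, e["state"], e["attempts"], e["waited"], hint))
    return lines


if __name__ == "__main__":
    for line in report(classify_flows(SAMPLE_CAPTURE)):
        print(line)
```

The same script run on a real capture is what tells the three cases apart: a port that is in the opened list but still shows "no-reply" points at rule order or a wrong chain in iptables rather than a missing port, while "reset" means the packet reached the host and nothing was listening, so the firewall is not the problem for that port. On the Solaris side `snoop -d <iface> host <ipa-server>` prints a different text format, so the regexes would need adjusting there.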
