Hi Johan,

Wow, that worked. Thank you for all the info. I have a few more questions -

Sudo - How do I get sudo working? I have not changed anything on the server side (default FreeIPA install config). Do I need to set up or add sudo policies to the user/group on the server side?

Home Dir - On my CentOS clients, I got it configured such that a home dir is created the first time a user has a successful login (used ipa-client-install --mkhomedir). Can we do the same for Solaris servers?

Again, thank you for this info. I can verify that these instructions worked on an Oracle Solaris 11.1 SPARC machine. Once I have everything nailed out, I will respond to this thread with all the steps.

Thanks.

On Thu, Apr 10, 2014 at 1:37 PM, Johan Petersson <johan.peters...@sscspace.com> wrote:

> Proxy user is only necessary if you disable anonymous bind on the IPA LDAP.
>
> Example configuration for making Solaris 11 work as an IPA client.
> If you want autofs of shared NFS home directory too, let me know and I can provide it.
> I will add this and more to IPA Wiki when I can find the time to go through it properly and polish away some rough edges.
> I hope it can provide some help.
>
> Solaris 11.1 IPA client configuration.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" in the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> Run the ldapclient with the default DUAProfile.
> The "-a domainName=example.com" is needed so that ldapclient does not stop and complain about missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Rob Crittenden [rcrit...@redhat.com]
> Sent: Thursday, April 10, 2014 19:04
> To: d...@redhat.com; quest monger
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA client installation for Solaris 11.
>
> Dmitri Pal wrote:
> > On 04/10/2014 12:18 PM, quest monger wrote:
> >> Sorry about that. So I am looking at the Solaris 10 client documentation here -
> >> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> >>
> >> It says do the following on Solaris client -
> >>
> >> ldapclient manual
> >> ...
> >> -a proxyPassword={NS1}fbc123a92116812
> >> ...
> >>
> >> What's that proxyPassword for?
> >>
> > I suspect that it is a password that corresponds to the proxy user.
> > The client component on Solaris (pure speculation on my side) seems to use proxy user to connect to LDAP server and do some operations for the host.
> > It is similar to SSSD but SSSD does not use passwords, it uses keytabs if it talks to IPA.
> > There are a number of different profile levels available, see
> > http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74
>
> proxy is usually a shared account that the Solaris box uses to authenticate to the LDAP server.
>
> > Solaris uses passwords but to prevent them from being stored in configuration in clear they are "obfuscated" with the NS1 method
> > http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
> > I suspect there should be some tool on Solaris that takes password and creates an obfuscated string like this.
>
> I didn't experiment using a proxy password inside a profile. I'll bet that if you manually enroll a client then you can dig out the password on that local system and store that in the profile.
>
> There is also a self level which uses Kerberos. I've never used it myself (it may be newer than my experience with Solaris) but there are some fairly detailed docs on it at
> http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl
>
> rob
>
> > Thanks
> > Dmitri
> >
> >> Thanks.
> >>
> >> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <d...@redhat.com> wrote:
> >>
> >> On 04/10/2014 11:41 AM, quest monger wrote:
> >>> Thanks Rob, those bug reports help.
> >>> One more question, in the official Solaris 10 documentation, I see this stuff -
> >>>
> >>> -a proxyPassword={NS1}fbc123a92116812
> >>> userPassword::e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
> >>>
> >>> Is there a way to generate that password hash for a new password?
> >>> I think that should be part of the documentation, don't want all Solaris IPA users to be using the same password and corresponding hash.
> >>>
> >> Can you rephrase the question?
> >> It is unclear what hash you are asking about.
> >> If you are using IPA you do not need local password hashes.
> >>
> >>> Thanks.
> >>>
> >>> On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> >>>
> >>> quest monger wrote:
> >>>
> >>> I have read through the official documentation here for Solaris-10 -
> >>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
> >>> I have found a few web posts on how to make it work for Solaris-11.
> >>> Have any of you tried adding a Solaris-11 host to an existing IPA server? If so, do you have any documentation/how-tos/instructions that I could use to do the same. Any help is appreciated.
> >>> I am trying to do this so I can centralize SSH authentication for all my Solaris-11 and Linux hosts.
> >>>
> >>> That is pretty much all we've got. There is a bug open with some documentation updates, https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
> >>>
> >>> We use sssd to help with centralized SSH auth so it probably won't work as smoothly on Solaris as it does on sssd-based Linux systems. See sss_ssh_authorizedkeys(1) and sss_ssh_knownhostsproxy(8).
> >>>
> >>> This document describes how it works in IPA
> >>> http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
> >>>
> >>> rob
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager IdM portfolio
> >> Red Hat, Inc.
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
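An added audit script (my own, not from the thread or the FreeIPA project) for the Solaris 11 client settings Johan posted above: it parses the pam.conf auth stack and the [libdefaults] section of krb5.conf, embedded here as constructed sample input trimmed from the thread, and flags pam_krb5 being absent or ordered after pam_unix_auth, verify_ap_req_nofail set to or left at false, and a keytab readable beyond root. The keytab mode and owner are assumed to be supplied by the caller (from stat on the real host), and the finding codes are my own labels.

```python
import re
# Constructed sample input, copied (trimmed) from the Solaris 11 settings in the thread.
PAM_CONF = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
"""
KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
}
"""

def pam_auth_modules(text, service="other"):
    """Module names of a service's auth stack, in pam.conf order (comments skipped)."""
    rows = [l.split("#", 1)[0].split() for l in text.splitlines()]
    return [r[3] for r in rows if len(r) >= 4 and r[0] == service and r[1] == "auth"]

def krb5_libdefaults(text):
    """Key/value pairs of [libdefaults]; brace-nested blocks such as realms are skipped."""
    section, depth, out = None, 0, {}
    for line in (l.strip() for l in text.splitlines()):
        if re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
        elif line.endswith("{") or line == "}":
            depth += 1 if line.endswith("{") else -1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value
    return out

def audit(pam_text, krb5_text, keytab_mode, keytab_owner):
    """Return finding codes (my own labels); an empty list means every check passed."""
    findings, mods = [], pam_auth_modules(pam_text)
    if "pam_krb5.so.1" not in mods:
        findings.append("pam_krb5_missing")  # Kerberos is never consulted for auth
    elif "pam_unix_auth.so.1" in mods[:mods.index("pam_krb5.so.1")]:
        findings.append("pam_krb5_after_unix")  # local auth is decided before Kerberos is tried
    # MIT documents verify_ap_req_nofail as defaulting to false; while it is false, pam_krb5 skips
    # checking the TGT against the host keytab whenever the keytab is missing or unreadable.
    if krb5_libdefaults(krb5_text).get("verify_ap_req_nofail", "false").lower() != "true":
        findings.append("tgt_verification_optional")
    if keytab_owner != "root" or keytab_mode & 0o077:
        findings.append("keytab_exposed")  # keytab readable or writable beyond root
    return findings
```

Run against the thread's own settings (mode 0o700, owner root) the only finding is tgt_verification_optional; on a real host feed it the contents of /etc/pam.conf and /etc/krb5/krb5.conf plus the stat results of /etc/krb5/krb5.keytab.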