Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2013-01-05 Thread Dmitri Pal
On 01/04/2013 05:27 AM, Johan Petersson wrote:
 Here are the instructions for an IPA server Solaris 11 client configuration 
 with secure bind and a custom DUAProfile.
 Everything works as far as I have been able to test: console login, su - 
 and ssh.

Thank you Johan!
We will put it onto the wiki.
It seems that it is a good opportunity to refine our client
configuration guide a bit.

Thanks
Dmitri


 Configuration done on the IPA Server.

 Create a DUAConfigProfile solaris_authssl.ldif

 dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
 objectClass: top
 objectClass: DUAConfigProfile
 cn: solaris_authssl
 authenticationMethod: tls:simple
 bindTimeLimit: 5
 credentialLevel: proxy
 defaultSearchBase: dc=example,dc=com
 defaultSearchScope: one
 defaultServerList: ipaserver.example.com
 followReferrals: TRUE
 objectclassMap: shadow:shadowAccount=posixAccount
 objectclassMap: printers:sunPrinter=printerService
 profileTTL: 6000
 searchTimeLimit: 10
 serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
 serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
 serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
 serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com

 Add the ldif to ipaserver:

 ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f \
 solaris_authssl.ldif

 Create an account to use for authentication:

 ldapmodify -a -x -h ipaserver.example.com -D "cn=Directory Manager" -W

 dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
 objectClass: account
 objectClass: simpleSecurityObject
 objectClass: top
 uid: solaris
 userPassword: setyourpasswordhere

 ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

 ipa host-add-managedby --host ipaserver.example.com solaris.example.com

 ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k 
 /tmp/solaris.keytab

 Make sure that the automount maps on the IPA server are named auto_* and NOT auto.* 
 so they are compatible with Solaris naming conventions.

 certutil -N -d .

 openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

 certutil -A -n ca-cert -i /etc/ipa/ca.pem -a -t CT -d /(directory of 
 generated cert8.db and key3.db)

 scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to 
 the solaris host /var/ldap/



 Solaris host configuration:

 Make sure to secure the krb5.keytab properly.
 chown root:sys krb5.keytab
 chmod 600 krb5.keytab

 Secure the *.db files created by certutil on IPA Server earlier.

 chown root:staff /var/ldap/*.db
 chmod 444 /var/ldap/*.db

 Edit /etc/nsswitch.ldap, replacing ldap with dns on the hosts and 
 ipnodes lines:

 hosts:  files dns 
 ipnodes:  files dns

 ldapclient -v init \
 -a profileName=solaris_authssl \
 -a domainName=example.com \
 -a proxyDN=uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
 -a proxyPassword=setyourpasswordhere \
 -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
 -w yourpasswordagain \
 ipaserver.example.com

 Enable ntp client:

 Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf

 Example:
 server ipaserver.example.com iburst

 svcadm restart ntp

 To see that it is running properly:

 svcs ntp 

 To see what servers you are using:

 ntpq -p 

 Edit /etc/krb5/krb5.conf:

 krb5.conf:

 [libdefaults]
 default_realm = EXAMPLE.COM
 verify_ap_req_nofail = false

 [realms]
 EXAMPLE.COM = {
 kdc = ipaserver.example.com
 admin_server = ipaserver.example.com
 }

 [domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM


 PAM configuration changed slightly in Solaris 11.1.
 It is still possible to use /etc/pam.conf as before if preferred.

 PAM configuration in /etc/pam.d/

 login:

 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth required   pam_unix_cred.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1


 other:

 auth definitive pam_user_policy.so.1
 auth requisite  pam_authtok_get.so.1
 auth required   pam_dhkeys.so.1
 auth required   pam_unix_cred.so.1
 auth sufficient pam_krb5.so.1
 auth required   pam_unix_auth.so.1

 account requisite   pam_roles.so.1
 account definitive  pam_user_policy.so.1
 account required    pam_unix_account.so.1
 account required    pam_krb5.so.1
 account required    pam_tsol_account.so.1

 password include    pam_authtok_common
 password sufficient pam_krb5.so.1
 password required   pam_authtok_store.so.1


 For NFS:

 /etc/nfssec.conf enable these:

 
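Before loading a DUAConfigProfile like the one above with ldapadd, it is worth linting it: a typo in authenticationMethod or an auto.* service name only shows up later, as a cleartext proxy bind or as an automount lookup that returns no entries. The script below is an added example, not code from the thread or from FreeIPA. It parses a single-entry LDIF (including folded lines and the `attr:value` form without a space after the colon) and checks the points the instructions depend on: a TLS- or GSSAPI-protected bind, a proxy credential level, underscore-style Solaris automount service names, and an explicit auto_master mapping. The embedded profile is a constructed copy of the posted solaris_authssl profile with one deliberately misnamed auto.nethome descriptor so the lint has something to report.

```python
"""Lint a Solaris DUAConfigProfile LDIF before loading it into the IPA directory.

Added example (not from the thread or from FreeIPA). The sample profile is a
constructed copy of the posted solaris_authssl profile plus one deliberately
misnamed descriptor.
"""
import re

# Constructed sample. The folded line and the 'attr:value' form without a
# space are both accepted by ldapadd and must be handled by the parser.
SAMPLE_LDIF = """\
dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: solaris_authssl
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: dc=example,dc=com
defaultServerList: ipaserver.example.com
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor:auto_master:automountMapName=auto.master,cn=default,
 cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto.nethome:automountMapName=auto.nethome,cn=default,cn=automount,dc=example,dc=com
"""

# Bind methods that protect the proxy password on the wire. 'simple' sends it
# in cleartext and 'none' binds anonymously, so neither is accepted.
PROTECTED_AUTH = ("tls:simple", "sasl/GSSAPI", "tls:sasl/GSSAPI")


def parse_ldif(text):
    """Parse a single-entry LDIF into {attribute: [values]}.

    Folded continuation lines (leading space) are joined to the previous line;
    the attribute name is everything before the first colon, so
    'serviceSearchDescriptor:auto_master:...' parses like the spaced form.
    """
    attrs = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def lint_profile(attrs):
    """Return [(severity, message)] for the security- and Solaris-relevant settings."""
    findings = []
    auth = attrs.get("authenticationMethod", ["none"])[0]
    if auth not in PROTECTED_AUTH:
        findings.append(("error", "authenticationMethod %r is not TLS/GSSAPI-protected" % auth))
    if attrs.get("credentialLevel", ["anonymous"])[0] not in ("proxy", "self"):
        findings.append(("warn", "credentialLevel should be proxy (or self with GSSAPI)"))
    if not attrs.get("defaultServerList"):
        findings.append(("error", "defaultServerList is missing"))

    # Solaris-side service name -> LDAP search base / map name.
    descriptors = {}
    for desc in attrs.get("serviceSearchDescriptor", []):
        service, _, base = desc.partition(":")
        descriptors[service.strip()] = base
    for service in descriptors:
        # Solaris autofs expects auto_* names; an auto.* map is never found.
        if service.startswith("auto") and "." in service:
            findings.append(("error", "automount service %r must use '_' not '.' for Solaris autofs" % service))
    if "auto_master" not in descriptors:
        findings.append(("warn", "no auto_master descriptor; Solaris will search for a map literally named auto_master"))
    return findings


def lint_text(text):
    return lint_profile(parse_ldif(text))


if __name__ == "__main__":
    for severity, message in lint_text(SAMPLE_LDIF):
        print("%s: %s" % (severity.upper(), message))
```

Run it against the LDIF file you are about to ldapadd; the only finding on the constructed sample is the auto.nethome descriptor, and switching the bind to plain `simple` adds an error.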

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2013-01-04 Thread Johan Petersson
 
permission issues with NFS.

sharectl set -p nfsmapid_domain=home nfs

To see if it is properly set:
sharectl get nfs

Regards,
Johan.


From: Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 25, 2012 16:52
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/24/2012 05:27 PM, Johan Petersson wrote:
 Here are step-by-step instructions for a Solaris 11 machine as a client to an 
 IPA server, based on the default DUAProfile.
 Console login works, as do su - and ssh.
 Automounted home directories have the correct permissions.
 The automount does not use wildcards, since I had issues with the whole /home 
 being grabbed by autofs, making local users' home directories 
 unavailable.
 This can probably be solved by someone with more extensive experience of 
 Solaris autofs.
 I am working on instructions based on Sigbjorn Lie's DUAProfile with added 
 security and will post them shortly.

 First make sure that the Solaris 11 machine is using the proper DNS and NTP 
 servers.

 On the IPA server or Client run:

 ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

 ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k 
 /tmp/solaris.keytab

 Move the keytab to the Solaris machine /etc/krb5/krb5.keytab

 Make sure it has the proper owner and permissions:

 chown root:sys /etc/krb5/krb5.keytab
 chmod 700 /etc/krb5/krb5.keytab

 Edit /etc/nsswitch.ldap, replacing ldap with dns on the hosts and 
 ipnodes lines:

 hosts:  files dns
 ipnodes:  files dns

 Edit /etc/krb5/krb5.conf:

 [libdefaults]
 default_realm = EXAMPLE.COM
 verify_ap_req_nofail = false
 [realms]
 EXAMPLE.COM = {
 kdc = ipaserver.example.com
 admin_server = ipaserver.example.com
 }

 [domain_realm]
 example.com = EXAMPLE.COM
 .example.com = EXAMPLE.COM


 Run ldapclient with the default DUAProfile.
 The -a domainName=example.com is needed so that ldapclient does not stop and 
 complain about a missing NIS domain name.

 ldapclient -v init -a profilename=default -a domainName=example.com 
 ipaserver.example.com

 In Solaris 11.1 the PAM configuration has changed, but for simplicity I still 
 use /etc/pam.conf:

 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth required   pam_unix_cred.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 For NFS and automount to work:

 In /etc/nfssec.conf enable these:

 krb5    390003  kerberos_v5 default -   # RPCSEC_GSS
 krb5i   390004  kerberos_v5 default integrity   # RPCSEC_GSS
 krb5p   390005  kerberos_v5 default privacy # RPCSEC_GSS

 sharectl set -p nfsmapid_domain=example.com nfs

 If autofs is not on:

 svcadm enable system/filesystem/autofs:default

 In /etc/auto_home:

 testuser  ipaserver.example.com:/home/testuser

Thank you!
Dmitri

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
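Two things in the client steps above deserve a check that can be rerun after every change: the krb5.conf structure (an unclosed realm block is easy to miss when editing by hand) and the keytab ownership and mode, which the post sets with chown/chmod but nothing verifies afterwards. The following is an added example, not part of the thread and not an Oracle or FreeIPA tool. It parses krb5.conf with its nested realm blocks, confirms that default_realm and every domain_realm mapping point at a defined realm with a kdc, flags `verify_ap_req_nofail = false` (with that setting pam_krb5 does not fail when the host keytab cannot be used to verify the TGT it obtained, and that verification is what protects a client against a spoofed KDC), and checks that a keytab is root-owned with no group or other access. The sample krb5.conf is a constructed copy of the posted one; the finding format and the default keytab path are my own.

```python
"""Audit a Solaris client's krb5.conf and host keytab permissions.

Added example (not from the thread, Oracle or FreeIPA). The sample krb5.conf
is a constructed copy of the posted one; the finding format is my own.
"""
import os
import stat

SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false

[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: value}}; 'NAME = { ... }' blocks
    (as used in [realms]) become nested dicts.

    An unclosed '{' raises ValueError instead of yielding a half-parsed realm.
    """
    conf, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            if stack:
                raise ValueError("unclosed '{' before section %s" % line)
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None:
            raise ValueError("setting outside any section: %r" % line)
        if line == "}":
            if not stack:
                raise ValueError("unexpected '}'")
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else conf[section]
        if value == "{":
            target[key] = {}
            stack.append(target[key])
        else:
            target[key] = value
    if stack:
        raise ValueError("unclosed '{' at end of file")
    return conf


def audit_krb5_conf(conf):
    """Return [(severity, message)] for realm consistency and the KDC-spoofing guard."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    default_realm = libdefaults.get("default_realm")
    if not default_realm:
        findings.append(("error", "no default_realm in [libdefaults]"))
    elif default_realm not in realms:
        findings.append(("error", "default_realm %s has no [realms] entry" % default_realm))
    for domain, realm in conf.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(("error", "domain_realm %s -> %s, but %s is not defined" % (domain, realm, realm)))
    for name, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(("error", "realm %s has no kdc" % name))
    # With verify_ap_req_nofail = false an unusable host keytab means the TGT
    # is accepted without being checked against the host key, so a spoofed
    # KDC could authenticate a user. Once the keytab is in place, set it true.
    if libdefaults.get("verify_ap_req_nofail", "false").lower() != "true":
        findings.append(("warn", "verify_ap_req_nofail is not true; set it to true once the host keytab is installed"))
    return findings


def audit_keytab_attrs(path, uid, mode):
    """Check ownership and permission bits of a keytab (pure function for testing)."""
    findings = []
    if uid != 0:
        findings.append(("error", "%s is not owned by root (uid %d)" % (path, uid)))
    if mode & 0o077:
        findings.append(("error", "%s is accessible by group/other (mode %o)" % (path, mode)))
    return findings


def audit_keytab(path="/etc/krb5/krb5.keytab"):
    st = os.stat(path)
    return audit_keytab_attrs(path, st.st_uid, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for severity, message in audit_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("%s: %s" % (severity.upper(), message))
```

On the posted configuration the only finding is the verify_ap_req_nofail warning; both `chmod 600` and `chmod 700` on the keytab pass the mode check, since neither grants group or other access.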


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-28 Thread Johan Petersson
Hi,

I am getting these messages in my log when setting debug on all instances of 
pam_krb5.so.1 in /etc/pam.d/other and /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open 
connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] 
PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: 
Communication failure with server

If I disable the firewall on my IPA server everything works as fast as it 
should, so it is clearly a firewall issue with iptables.
However, I have all the ports enabled and Red Hat clients work with the 
firewall on.
Clearly Solaris is using some other secret port(s) that are not mentioned.
I have tried with 749 and 750 TCP and UDP with no difference.

Regards,
Johan.


From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and 
enabling debug logging in the syslog daemon?


Rgds
Siggi


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-28 Thread Johan Petersson
Forgot to add the ports opened in my last message. :)

22 TCP
80 TCP
443 TCP
389 TCP
636 TCP
7389 TCP
88 TCP,UDP
464 TCP,UDP
53 TCP,UDP
123 TCP,UDP
111 TCP,UDP
2049 TCP,UDP

Also tried 749, 750 and everything Kerberos-related from Solaris /etc/services.
solaris.example.com and solaris2.example.com are the same machine, just a typo 
from me when editing the log for publishing.

Regards,
Johan





Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-28 Thread Sigbjorn Lie
How about enabling the firewall and using tcpdump on the IPA server or snoop on 
the Solaris box to see where it stops and waits? 


Rgds
Siggi


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-26 Thread Johan Petersson
Got everything except automount to work with Solaris 11 and the more secure 
DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11; ssh, su and console 
login work (as well as expected with no home directory) and the automount map 
works for Red Hat clients.
I have now tried another directory for users (/nethome), since when trying 
with /home autofs made local users unavailable. They are automounted locally to 
/home/ from /export/home/ on Solaris for some strange reason, and autofs then 
tried finding local users' home directories on the NFS server :)

root@solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= 
auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root@solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for 
((objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=\2a)) 
in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2
The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the 
entire LDAP server for your automount maps. The automountmap rules in the DUA 
profile will help with that. You'll also run into issues if you attempt to 
have several automount locations without having specified which one to use 
with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to 
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the 
domain id used on your NFS server to get rid of the nobody:nobody default 
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.

 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite
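The pam.conf stacks posted in this thread put `sufficient pam_krb5.so.1` ahead of `required pam_unix_auth.so.1`. What that means in practice is easier to see by walking the stack with the Solaris control-flag rules than by reading it: a Kerberos success ends the auth stack before the local password is ever consulted, and a Kerberos failure (wrong password, or KDC unreachable behind a firewall, as in the messages above) falls through to /etc/shadow. The evaluator below is an added example, not code from the thread or from Solaris. It parses five-column pam.conf lines and models the required/requisite/sufficient/binding/definitive/optional flags as I read pam.conf(5); that model is an assumption to check against the target release. The embedded stack is a constructed copy of the posted login and other auth stacks, and module results are supplied as a dictionary rather than obtained by calling PAM.

```python
"""Walk a Solaris pam.conf auth stack with pam.conf(5) control-flag semantics
to see which modules actually decide the outcome.

Added example (not from the thread or from Solaris). The stack is a constructed
copy of the posted 'login' and 'other' auth stacks; module results are supplied
as a dictionary instead of being obtained from PAM. The control-flag model is
my reading of pam.conf(5): verify it against the release you run.
"""

# Constructed copy of the posted login/other auth stacks (five-column pam.conf).
PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth sufficient pam_krb5.so.1 try_first_pass
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1

other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth sufficient pam_krb5.so.1
other   auth required   pam_unix_auth.so.1
"""


def parse_pam_conf(text):
    """Parse pam.conf lines into {(service, type): [(control, module, options)]}."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, ptype, control, module = fields[:4]
        stacks.setdefault((service, ptype), []).append((control, module, fields[4:]))
    return stacks


def evaluate(stack, results):
    """Return (outcome, modules_called) for one stack.

    `results` maps module name -> 'success' | 'failure' | 'ignore'; modules not
    listed are assumed to succeed (pam_authtok_get, pam_dhkeys, ... usually do).
    Flag model (assumed from pam.conf(5)):
      requisite : failure returns failure immediately
      required  : failure is remembered, the stack continues
      sufficient: success returns immediately unless a required module already
                  failed; failure is ignored
      binding   : like sufficient on success, like required on failure
      definitive: returns immediately with the module's result (failure if a
                  required module already failed)
      optional  : result ignored
    """
    required_failed = False
    called = []
    for control, module, _options in stack:
        called.append(module)
        result = results.get(module, "success")
        if result == "ignore":
            continue
        ok = result == "success"
        if control == "requisite":
            if not ok:
                return "failure", called
        elif control == "required":
            required_failed = required_failed or not ok
        elif control in ("sufficient", "binding"):
            if ok and not required_failed:
                return "success", called
            if not ok and control == "binding":
                required_failed = True
        elif control == "definitive":
            return ("success" if ok and not required_failed else "failure"), called
        elif control != "optional":
            raise ValueError("unknown control flag %r" % control)
    return ("failure" if required_failed else "success"), called


def login_outcomes(stacks):
    """Run the posted login auth stack through four constructed scenarios."""
    stack = stacks[("login", "auth")]
    scenarios = {
        "ipa user, kerberos ok": {"pam_krb5.so.1": "success", "pam_unix_auth.so.1": "failure"},
        "local user, no kerberos": {"pam_krb5.so.1": "failure", "pam_unix_auth.so.1": "success"},
        "wrong password": {"pam_krb5.so.1": "failure", "pam_unix_auth.so.1": "failure"},
        "kerberos ok, dhkeys failed": {"pam_dhkeys.so.1": "failure", "pam_krb5.so.1": "success"},
    }
    return {name: evaluate(stack, res) for name, res in scenarios.items()}


if __name__ == "__main__":
    for name, (outcome, called) in login_outcomes(parse_pam_conf(PAM_CONF)).items():
        print("%-28s %-8s via %s" % (name, outcome, " -> ".join(called)))
```

The first scenario is the one to notice: pam_unix_auth is never called, so a local password for an IPA user is irrelevant while the KDC answers, and the second scenario shows the silent fallback to local passwords when it does not. Swap in your own pam.conf text to check a stack before deploying it.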

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-26 Thread Sigbjorn Lie
What is the name of the other maps besides auto.master? You should use _ 
instead of . for any additional maps when you need Solaris autofs 
compatibility. This also needs to be reflected in the auto.master.

The Linux automounter does not care about . or _ as long as the naming is 
consistent between the additional maps and auto.master. The default for Linux 
is auto.master with a . and auto_master for Solaris. Hence the auto.master 
mapping in the Solaris DUA profile.


Rgds
Siggi

Johan Petersson johan.peters...@sscspace.com wrote:

Got everything except automount to work with Solaris 11 and the more
secure DUAProfile.
Verified that i can manually mount with krb5 on Solaris 11, ssh, su and
console login works (as well as expected with no home directory) and
automount map works for Red Hat clients.
I have now tried with another directory for users (/nethome) since when
trying with /home autofs made local users unavailable. They are
automounted locally to /home/ from /export/home/  on Solaris for some
strange reason and autofs then tried finding local users home
directories on the NFS Server :)

root@solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC=
passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC=
printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root@solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for
((objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for
((objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2
The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/

Is it that Solaris automount dont like asterisk(*) in a automount key?

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA
server?

Thanks.

I'm guessing it's taking such a long time because it's looking through
the entire LDAP server for
your automount maps. The automountmap rules in the DUA profile will
help with that. You'll also
run into issues if you attempt to have several automount locations
without having specified which
one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT
record to your DNS or set
NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id
used on your NFS server to
get rid of the nobody:nobody default mapping and enable mapping between
the NFS server and the
client.



Regards,
Siggi




Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-26 Thread Johan Petersson
Of course it was a simple thing like replacing auto.nethome with auto_nethome 
that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11.
The only thing left to investigate is why there is a delay now for the IPA 
users.
I get the message : Your Kerberos account/password will expire in 89 days 
quickly but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

What is the name of the other maps besides auto.master? You should use _ 
instead of . for any additional maps when you need Solaris autofs 
compatibility. This also needs to be reflected in the auto.master.

The Linux automounter does not care about . or _ as long as the naming is 
consistent between the additional maps and auto.master. The default for Linux 
is auto.master with a . and auto_master for Solaris. Hence the auto.master 
mapping in the Solaris dua profile.


Rgds
Siggi

Johan Petersson johan.peters...@sscspace.com wrote:

Got everything except automount to work with Solaris 11 and the more secure 
DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console 
login works (as well as expected with no home directory) and automount map 
works for Red Hat clients.
I have now tried with another directory for users (/nethome) since when trying 
with /home autofs made local users unavailable. They are automounted locally to 
/home/ from /export/home/ on Solaris for some strange reason and autofs then 
tried finding local users' home directories on the NFS Server :)

root@solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root@solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for 
((objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for
((objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2
The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.


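The points this exchange settles (bind with tls:simple and a proxy account rather than the default profile's unauthenticated lookups, give autofs search descriptors for automount and auto_master so it stops walking the whole tree, and name additional maps auto_foo rather than auto.foo) can be checked mechanically against `ldapclient list` output. The script below is an added example for this thread, not code from any of the posts or from FreeIPA or Solaris. The two profile dumps it carries are constructed copies of the secure and the default-profile output quoted in this thread (the bind password was already masked in the posts); the auto.master entries, the finding codes and the check functions are the editor's own.

```python
import re

# Constructed copies of the two `ldapclient list` dumps quoted in this thread
# (the tls:simple/proxy profile and the default profile); the bind password
# was already masked in the posts.
SECURE_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
"""

DEFAULT_PROFILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
"""


def parse_ldapclient(text):
    """Return {NS_LDAP_* key: [values]}; keys such as the search descriptors repeat."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(NS_LDAP_[A-Z_]+)=\s*(.*)$", line.strip())
        if m:
            cfg.setdefault(m.group(1), []).append(m.group(2).strip())
    return cfg


def service_descriptors(cfg):
    """Map service name -> search descriptor ("passwd" -> "cn=users,...")."""
    out = {}
    for ssd in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        service, _, descriptor = ssd.partition(":")
        out[service] = descriptor
    return out


def lint_profile(text):
    """Return sorted finding codes (editor's own names) for one `ldapclient list` dump."""
    cfg = parse_ldapclient(text)
    findings = set()
    # NS_LDAP_AUTH may list several methods separated by ';'.
    methods = [m.strip() for v in cfg.get("NS_LDAP_AUTH", ["none"]) for m in v.split(";")]
    if methods == ["none"]:
        findings.add("AUTH_NONE")            # anonymous, cleartext directory lookups
    if "simple" in methods:
        findings.add("SIMPLE_BIND_NO_TLS")   # proxy password crosses the wire in clear
    level = cfg.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    if level == "proxy" and not (cfg.get("NS_LDAP_BINDDN") and cfg.get("NS_LDAP_BINDPASSWD")):
        findings.add("PROXY_WITHOUT_CREDENTIALS")
    ssd = service_descriptors(cfg)
    for service in ("automount", "auto_master"):
        if service not in ssd:
            # Without these, autofs searches the whole base DN (the slow login
            # and the "Object not found" reported with the default profile).
            findings.add("NO_SSD_" + service.upper())
    return sorted(findings)


def check_map_names(auto_master_entries, existing_maps):
    """Apply the Solaris autofs naming rule to an auto.master map.

    auto_master_entries: [(mountpoint, mapname)] as listed in auto.master;
    existing_maps: automountMapName values present in LDAP. Returns
    (mountpoint, reason) tuples for entries a Solaris client will not resolve.
    """
    problems = []
    for mountpoint, mapname in auto_master_entries:
        if mapname not in existing_maps:
            problems.append((mountpoint, "map %s does not exist" % mapname))
        elif "." in mapname:
            fixed = mapname.replace(".", "_")
            problems.append((mountpoint, "rename %s to %s for Solaris autofs" % (mapname, fixed)))
    return problems


if __name__ == "__main__":
    print("secure profile :", lint_profile(SECURE_PROFILE) or "clean")
    print("default profile:", lint_profile(DEFAULT_PROFILE))
    # Constructed auto.master content mirroring the thread's /nethome case.
    master = [("/nethome", "auto.nethome"), ("/export", "auto_export")]
    print(check_map_names(master, {"auto.master", "auto.nethome", "auto_export"}))
```

Run as-is it flags the default profile and passes the secure one; on a real client, feed the output of `ldapclient list` to lint_profile() and the automountMapName values from an ldapsearch under cn=automount to check_map_names().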

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-26 Thread Sigbjorn Lie
Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and 
enabling debug logging in the syslog daemon?


Rgds
Siggi

Johan Petersson johan.peters...@sscspace.com wrote:

Of course it was a simple thing like replacing auto.nethome with
auto_nethome that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on
Solaris 11.
The only thing left to investigate is why there is a delay now for the
IPA users.
I get the message : Your Kerberos account/password will expire in 89
days quickly but then it waits for about 20 seconds until I get a
prompt.

Regards,
Johan.


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-25 Thread Dmitri Pal
On 12/24/2012 05:27 PM, Johan Petersson wrote:
 Here is a step by step instruction for a Solaris 11 machine as client to an 
 IPA server based on the default DUAProfile.
 Console login works, su - and ssh. 
 Home directories automounted have the correct permissions.
 The automount does not use wildcards since I had issues of the whole /home 
 being grabbed by autofs and thus making local users' home directories 
 unavailable.
 This can probably be solved by someone with more extensive experience of 
 Solaris autofs.
 I am working on an instruction based on Sigbjorn Lie's DUAProfile and added 
 security and will post it too shortly.

Thank you!
Dmitri

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-24 Thread Johan Petersson
Here is a step by step instruction for a Solaris 11 machine as client to an IPA 
server based on the default DUAProfile.
Console login works, su - and ssh. 
Home directories automounted have the correct permissions.
The automount does not use wildcards since I had issues of the whole /home 
being grabbed by autofs and thus making local users' home directories unavailable.
This can probably be solved by someone with more extensive experience of 
Solaris autofs.
I am working on an instruction based on Sigbjorn Lie's DUAProfile and added 
security and will post it too shortly.

First make sure that the Solaris 11 machine is using the proper DNS and NTP 
servers.

On the IPA server or Client run:

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k 
/tmp/solaris.keytab

Move the keytab to the Solaris machine /etc/krb5/krb5.keytab

Make sure it has the proper owner and permissions:

chown root:sys /etc/krb5/krb5.keytab
chmod 700 /etc/krb5/krb5.keytab

Edit /etc/nsswitch.ldap, replacing ldap with dns in the hosts and 
ipnodes lines:

hosts:      files dns 
ipnodes:    files dns

Edit /etc/krb5/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM


Run the ldapclient with the default DUAProfile.
The -a domainName= example.com is needed so that ldapclient does not stop and 
complain about missing nisdomain name.

ldapclient -v init -a profilename=default -a domainName=example.com 
ipaserver.example.com

In Solaris 11.1 the pam configuration has changed but for simplicity I still 
use the /etc/pam.conf:

login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth sufficient pam_krb5.so.1 try_first_pass
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1

other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth sufficient pam_krb5.so.1
other   auth required   pam_unix_auth.so.1

other   account requisite   pam_roles.so.1
other   account requiredpam_unix_account.so.1
other   account requiredpam_krb5.so.1

other   password requisite  pam_authtok_check.so.1 force_check
other   password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1

For NFS and automount to work:

In /etc/nfssec.conf enable these:

krb5    390003  kerberos_v5 default -   # RPCSEC_GSS
krb5i   390004  kerberos_v5 default integrity   # RPCSEC_GSS
krb5p   390005  kerberos_v5 default privacy # RPCSEC_GSS

sharectl set -p nfsmapid_domain=example.com nfs

If autofs is not on:

svcadm enable system/filesystem/autofs:default

In /etc/auto_home:

testuser    ipaserver.example.com:/home/testuser

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-22 Thread Johan Petersson
Hi,

yes of course I can document it properly as soon as I have checked everything.
I will send it to you so you can review it.

Regards,
Johan.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, December 21, 2012 23:39
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/20/2012 07:13 PM, Johan Petersson wrote:
 Hi,

 Was your example of a new DUAProfile ever added to Fedora or RHEL?
 If so I can't find any reference to it or a fix of the documentation. If not, 
 is there a way to add it myself for my configuration?
 There is always the manual way otherwise I guess.
 Are Red Hat going to support RHEL clients only in IPA Server?
 We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and 
 Mac OS X so the answer to that question is kind of interesting. :)
 Regards,
 Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step
procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Johan Petersson [johan.peters...@sscspace.com]
 Sent: Thursday, December 20, 2012 19:03
 To: Sigbjorn Lie
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

 Hi,

 Thank you for the tip about NFSMAPID_DOMAIN

 It was not set properly.
 sharectl get nfs

 nfsmapid_domain=

 And by using:
 sharectl set -p nfsmapid_domain=servername nfs

 It was properly set.
 I must add that I prefer editing files instead of sharectl, svccfg and so on. 
 :)

 I also made an auto.home map in IPA Server to set the home directory automounts 
 right.

 And i almost forgot my Solaris version is 11 11/11.

 Regards,
 Johan.
 

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-21 Thread Dmitri Pal
On 12/20/2012 07:13 PM, Johan Petersson wrote:
 Hi,

 Was your example of a new DUAProfile ever added to Fedora or RHEL?
 If so I can't find any reference to it or a fix of the documentation. If not, 
 is there a way to add it myself for my configuration?
 There is always the manual way otherwise I guess.
 Are Red Hat going to support RHEL clients only in IPA Server?

Red Hat has a clear support statement on the matter.
https://access.redhat.com/knowledge/articles/261973

 We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and 
 Mac OS X so the answer to that question is kind of interesting. :)
 Regards,
 Johan
 
 On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.


 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1
 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 I am getting one error and it is for autofs.


 /var/adm/messages:
 Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


 /var/svc/log/system.filesystem-autofs:default.log:
 [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ]
 automount: /net mounted
 automount: /nfs4 mounted
 automount: no unmounts
 [ Dec 20 12:24:22 Method start exited with status 0. ]


 ldapclient list
 NS_LDAP_FILE_VERSION= 2.0
 NS_LDAP_SERVERS= servername
 NS_LDAP_SEARCH_BASEDN= dc=home
 NS_LDAP_AUTH= none
 NS_LDAP_SEARCH_REF= TRUE
 NS_LDAP_SEARCH_TIME= 15
 NS_LDAP_PROFILE= default
 NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
 NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
 NS_LDAP_BIND_TIME= 5
 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


 Thinking it has to do with missing automountmap in default DUAProfile.
 Automount still works though but takes time during login and everything is 
 nobody:nobody :)


 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 10:13
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 Hi,


 This is interesting. When I tested

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-21 Thread Dmitri Pal
On 12/20/2012 07:13 PM, Johan Petersson wrote:
 Hi,

 Was your example of a new DUAProfile ever added to Fedora or RHEL?
 If so I can't find any reference to it or a fix of the documentation. If not, 
 is there a way to add it myself for my configuration?
 There is always the manual way otherwise I guess.
 Are Red Hat going to support RHEL clients only in IPA Server?
 We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and 
 Mac OS X so the answer to that question is kind of interesting. :)
 Regards,
 Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step
procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Johan Petersson [johan.peters...@sscspace.com]
 Sent: Thursday, December 20, 2012 19:03
 To: Sigbjorn Lie
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

 Hi,

 Thank you for the tip about NFSMAPID_DOMAIN

 It was not set properly.
 sharectl get nfs

 nfsmapid_domain=

 And by using:
 sharectl set -p nfsmapid_domain=servername nfs

 It was properly set.
 I must add that i prefer editing files instead of sharectl,svccfg and so on. 
 :)

 I also made a auto.home map in IPA Server to set the homedirectory automounts 
 right.

 And i almost forgot my Solaris version is 11 11/11.

 Regards,
 Johan.
 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 15:20
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

 Thanks.

 I'm guessing it's taking such a long time because it's looking trough the 
 entire LDAP server for
 your automount maps. The automountmap rules in the DUA profile will help with 
 that. You'll also
 run into issues if you attempt to have several automount locations without 
 having specified which
 one to use with a automountmap rule for auto master.

 If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to 
 your DNS or set
 NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used 
 on your NFS server to
 get rid of the nobody:nobody default mapping and enable mapping between the 
 NFS server and the
 client.



 Regards,
 Siggi




 On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.


 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1

 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 I am getting one error and it is for autofs.


 /var/adm/messages:
 Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


 /var/svc/log/system.filesystem-autofs:default.log:
 [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs 
 start). ]
 automount: /net mounted
 automount: /nfs4 mounted
 automount: no unmounts
 [ Dec 20 12:24:22 Method start exited with status 0. ]


 ldapclient list
 NS_LDAP_FILE_VERSION= 2.0
 NS_LDAP_SERVERS= servername
 NS_LDAP_SEARCH_BASEDN= dc=home
 NS_LDAP_AUTH= none
 NS_LDAP_SEARCH_REF= TRUE
 NS_LDAP_SEARCH_TIME= 15
 NS_LDAP_PROFILE= default
 NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
 NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
 NS_LDAP_BIND_TIME= 5
 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


 Thinking it has to do with missing automountmap in default DUAProfile.
 Automount still works though but takes time during login and everything is 
 nobody:nobody :)


 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 10:13
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Johan Petersson
I have now managed to use a Solaris 11 system as a client to IPA Server.
su - testuser works, ssh works and console login works.
I get a delay before getting the prompt through ssh though and maybe from
console too, probably something about autofs. Going to see if I can increase
loginformation (Solaris newbie).
To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10
in earlier posts here.
I also used the /etc/pam.conf configuration example from the Solaris 10 client
guide on FreeIPA.
I stuck with the default DUAProfile for now and use an NFS4 Kerberos share for
home directories with autofs.
Going to try the other DUAProfile too from Bug 815515 and hopefully I can get
everything working.


From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
 On Tue, December 18, 2012 08:28, Johan Petersson wrote:
 Hi,


 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone know if the issue has been solved?


 I don't think there are any problems with Solaris 11, except that nobody has
 yet sat down and figured out how to configure it as an IPA client.

 I had a go at it a while ago (some of the posts you've probably found), and
 found that there were enough differences in the LDAP/Kerberos client between
 Solaris 10 and Solaris 11 for making it work with the setup guide I've created
 for Solaris 10. And there was a need for further investigation for finding out
 how to configure Solaris 11 as an IPA client.

 I've not looked into this further as we do not use Solaris 11 yet.

 I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.



 Regards,
 Siggi


 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Sigbjorn Lie
Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
worked. However, console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?



Regards,
Siggi



On Thu, December 20, 2012 09:40, Johan Petersson wrote:
 I have now managed to use a Solaris 11 system as a client to IPA Server.
 su - testuser works, ssh works and console login works. I get a delay before
 getting the prompt through ssh though and maybe from console too, probably
 something about autofs. Going to see if I can increase loginformation (Solaris
 newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for
 Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
 example from the Solaris 10 client guide on FreeIPA. I stuck with the default
 DUAProfile for now and use an NFS4 Kerberos share for home directories with
 autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I
 can get everything working.

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Dmitri Pal
 [d...@redhat.com]
 Sent: Tuesday, December 18, 2012 17:50
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:

 On Tue, December 18, 2012 08:28, Johan Petersson wrote:

 Hi,



 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone know if the issue has been solved?


 I don't think there are any problems with Solaris 11, except that nobody has
 yet sat down and figured out how to configure it as an IPA client.

 I had a go at it a while ago (some of the posts you've probably found), and
 found that there were enough differences in the LDAP/Kerberos client between
 Solaris 10 and Solaris 11 for making it work with the setup guide I've created
 for Solaris 10. And there was a need for further investigation for finding out
 how to configure Solaris 11 as an IPA client.

 I've not looked into this further as we do not use Solaris 11 yet.

 I don't know if anyone else has had time to sit down and have a crack at this?


 And we would like to hear about this effort.
 If it produces instructions we would like to put them on the wiki.
 If it produces bugs we would investigate them.




 Regards,
 Siggi





Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Johan Petersson
Hi,

Here is my pam.conf cleaned up a bit.

login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_krb5.so.1 try_first_pass
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1

gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1

other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth sufficient pam_krb5.so.1
other   auth required   pam_unix_auth.so.1

passwd  auth required   pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account required    pam_krb5.so.1

other   session required    pam_unix_session.so.1

other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1

other   password requisite  pam_authtok_check.so.1 force_check
other   password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method start exited with status 0. ]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with missing automountmap in default DUAProfile.
Automount still works though but takes time during login and everything is 
nobody:nobody :)


From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
worked. However, console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?



Regards,
Siggi



On Thu, December 20, 2012 09:40, Johan Petersson wrote:
 I have now managed to use a Solaris 11 system as a client to IPA Server.
 su - testuser works, ssh works and console login works. I get a delay before
 getting the prompt through ssh though and maybe from console too, probably
 something about autofs. Going to see if I can increase loginformation (Solaris
 newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for
 Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
 example from the Solaris 10 client guide on FreeIPA. I stuck with the default
 DUAProfile for now and use an NFS4 Kerberos share for home directories with
 autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I
 can get everything working.

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Dmitri Pal
 [d...@redhat.com]
 Sent: Tuesday, December 18, 2012 17:50
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:

 On Tue, December 18, 2012 08:28, Johan Petersson wrote:

 Hi,



 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone know if the issue has been solved?


 I don't think there are any problems with Solaris 11, except that nobody has
 yet sat down and figured out how to configure it as an IPA client.

 I had a go at it a while ago (some of the posts you've probably found), and
 found that there were enough differences in the LDAP/Kerberos client between
 Solaris 10 and Solaris 11 for making it work with the setup guide I've created
 for Solaris 10. And there was a need for further investigation for finding out
 how to configure Solaris 11 as an IPA client.

 I've not looked into this further as we do not use Solaris 11 yet.

 I don't know if anyone else has had time to sit down and have a crack at this?


 And we would like to hear about this effort
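
The pam.conf Johan posted in this message is the kind of stack worth sanity-checking before it is copied to more hosts. The Python below is an added example for this thread, not code from Solaris, FreeIPA or anyone on the list: it parses pam.conf(4) syntax into per-service stacks and applies a few generic checks (a pam_allow.so.1 bypass outside the gdm-autologin service, a stack with no required/requisite entry, a Kerberos-only auth stack with no pam_unix_auth.so.1 fallback, and a verifier placed before pam_authtok_get.so.1 has collected the password). The sample input is constructed from the configuration above; the rules and their wording are the example's own assumptions, not an official checklist.

```python
"""Audit a Solaris pam.conf(4) stack for the generic pitfalls named in the thread.

Added example; not Solaris, FreeIPA or list-member code.  The audit rules are
this example's own assumptions, not an official checklist.
"""
from collections import defaultdict

# Constructed sample: the pam.conf posted in the thread, one entry per line.
SAMPLE_PAM_CONF = """\
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_krb5.so.1 try_first_pass
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1

gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1

other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth sufficient pam_krb5.so.1
other   auth required   pam_unix_auth.so.1

passwd  auth required   pam_passwd_auth.so.1

gdm-autologin account  sufficient  pam_allow.so.1

other   account requisite   pam_roles.so.1
other   account required    pam_unix_account.so.1
other   account required    pam_krb5.so.1

other   session required    pam_unix_session.so.1

other   password required   pam_dhkeys.so.1
other   password requisite  pam_authtok_get.so.1
other   password requisite  pam_authtok_check.so.1 force_check
other   password sufficient pam_krb5.so.1
other   password required   pam_authtok_store.so.1
"""

HARD_FLAGS = ("required", "requisite")
# Modules that verify the password pam_authtok_get.so.1 collected.
VERIFIERS = ("pam_krb5.so.1", "pam_unix_auth.so.1")


def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module, [options]), ...]}.

    pam.conf(4) entries are: service  module_type  control_flag  module  [options].
    '#' starts a comment; blank lines are skipped; order within a stack is kept.
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf entry: %r" % raw)
        service, mtype, flag, module = fields[:4]
        stacks[(service, mtype)].append((flag, module, fields[4:]))
    return dict(stacks)


def audit(stacks):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    findings = []
    for (service, mtype), entries in stacks.items():
        flags = [flag for flag, _, _ in entries]
        modules = [module for _, module, _ in entries]
        # pam_allow.so.1 always succeeds; as 'sufficient' it ends the stack with a
        # pass, which is only intended for the gdm-autologin service.
        if "pam_allow.so.1" in modules and service != "gdm-autologin":
            findings.append("%s/%s: pam_allow.so.1 bypasses every check" % (service, mtype))
        # With no required/requisite entry a stack can succeed with nothing verified.
        if service != "gdm-autologin" and not any(f in HARD_FLAGS for f in flags):
            findings.append("%s/%s: no required/requisite module" % (service, mtype))
        if mtype != "auth":
            continue
        # Kerberos alone leaves no local fallback when the KDC is unreachable.
        if ("pam_krb5.so.1" in modules and "pam_unix_auth.so.1" not in modules
                and service not in ("passwd", "gdm-autologin")):
            findings.append("%s/auth: pam_krb5.so.1 without pam_unix_auth.so.1 fallback" % service)
        # The password has to be collected before any module tries to verify it.
        if "pam_authtok_get.so.1" in modules:
            collected_at = modules.index("pam_authtok_get.so.1")
            for verifier in VERIFIERS:
                if verifier in modules and modules.index(verifier) < collected_at:
                    findings.append("%s/auth: %s runs before pam_authtok_get.so.1"
                                    % (service, verifier))
    return sorted(findings)


if __name__ == "__main__":
    result = audit(parse_pam_conf(SAMPLE_PAM_CONF))
    print("\n".join(result) if result else "no findings for the sample pam.conf")
```

Run against a real file with parse_pam_conf(open("/etc/pam.conf").read()); the sample above produces no findings, while a stack that puts pam_allow.so.1 under "other" or lists pam_krb5.so.1 before pam_authtok_get.so.1 is reported.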

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Sigbjorn Lie
Thanks.

I'm guessing it's taking such a long time because it's looking through the
entire LDAP server for your automount maps. The automountmap rules in the DUA
profile will help with that. You'll also run into issues if you attempt to have
several automount locations without having specified which one to use with an
automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the
domain id used on your NFS server to get rid of the nobody:nobody default
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.


 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1

 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 I am getting one error and it is for autofs.


 /var/adm/messages:
 Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


 /var/svc/log/system.filesystem-autofs:default.log:
 [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs 
 start). ]
 automount: /net mounted
 automount: /nfs4 mounted
 automount: no unmounts
 [ Dec 20 12:24:22 Method start exited with status 0. ]


 ldapclient list
 NS_LDAP_FILE_VERSION= 2.0
 NS_LDAP_SERVERS= servername
 NS_LDAP_SEARCH_BASEDN= dc=home
 NS_LDAP_AUTH= none
 NS_LDAP_SEARCH_REF= TRUE
 NS_LDAP_SEARCH_TIME= 15
 NS_LDAP_PROFILE= default
 NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
 NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
 NS_LDAP_BIND_TIME= 5
 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


 Thinking it has to do with missing automountmap in default DUAProfile.
 Automount still works though but takes time during login and everything is 
 nobody:nobody :)


 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 10:13
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 Hi,


 This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
 worked. However, console login did not work, giving some PAM errors.

 Could you please share your entire pam.conf file?


 Is this Solaris 11 or Solaris 11.1?




 Regards,
 Siggi




 On Thu, December 20, 2012 09:40, Johan Petersson wrote:

 I have now managed to use a Solaris 11 system as a client to IPA Server.
 su - testuser works, ssh works and console login works. I get a delay before
 getting the prompt through ssh though and maybe from console too, probably
 something about autofs. Going to see if I can increase loginformation (Solaris
 newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for
 Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
 example from the Solaris 10 client guide on FreeIPA. I stuck with the default
 DUAProfile for now and use an NFS4 Kerberos share for home directories with
 autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I
 can get everything working.

 
 From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
 behalf of Dmitri
 Pal
 [d...@redhat.com]
 Sent: Tuesday, December 18, 2012 17:50
 To: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?



 On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:


 On Tue, December 18, 2012 08:28, Johan Petersson wrote:


 Hi,




 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Johan Petersson
Hi,

Thank you for the tip about NFSMAPID_DOMAIN.

It was not set properly.
sharectl get nfs

nfsmapid_domain=

And by using:
sharectl set -p nfsmapid_domain=servername nfs

It was properly set.
I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right.

And I almost forgot: my Solaris version is 11 11/11.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the
entire LDAP server for your automount maps. The automountmap rules in the DUA
profile will help with that. You'll also run into issues if you attempt to have
several automount locations without having specified which one to use with an
automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the
domain id used on your NFS server to get rid of the nobody:nobody default
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.


 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1

 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 I am getting one error and it is for autofs.


 /var/adm/messages:
 Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


 /var/svc/log/system.filesystem-autofs:default.log:
 [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs 
 start). ]
 automount: /net mounted
 automount: /nfs4 mounted
 automount: no unmounts
 [ Dec 20 12:24:22 Method start exited with status 0. ]


 ldapclient list
 NS_LDAP_FILE_VERSION= 2.0
 NS_LDAP_SERVERS= servername
 NS_LDAP_SEARCH_BASEDN= dc=home
 NS_LDAP_AUTH= none
 NS_LDAP_SEARCH_REF= TRUE
 NS_LDAP_SEARCH_TIME= 15
 NS_LDAP_PROFILE= default
 NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
 NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
 NS_LDAP_BIND_TIME= 5
 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


 Thinking it has to do with missing automountmap in default DUAProfile.
 Automount still works though but takes time during login and everything is 
 nobody:nobody :)


 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 10:13
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 Hi,


 This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
 worked. However, console login did not work, giving some PAM errors.

 Could you please share your entire pam.conf file?


 Is this Solaris 11 or Solaris 11.1?




 Regards,
 Siggi




 On Thu, December 20, 2012 09:40, Johan Petersson wrote:

 I have now managed to use a Solaris 11 system as a client to IPA Server.
 su - testuser works, ssh works and console login works. I get a delay before
 getting the prompt through ssh though and maybe from console too, probably
 something about autofs. Going to see if I can increase loginformation (Solaris
 newbie). To get it to work I mainly followed Sigbjorn Lie's instructions for
 Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration
 example from the Solaris 10 client guide on FreeIPA. I stuck with the default
 DUAProfile for now and use an NFS4 Kerberos share for home directories with
 autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I
 can get everything working.
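
Two of the gaps discussed in this message and in Sigbjorn's reply it quotes are visible in plain client output: the `ldapclient list` that carries no automount search descriptors (and binds with NS_LDAP_AUTH= none), and the empty nfsmapid_domain in `sharectl get nfs`. The Python below is an added example for this thread, not code from Solaris, FreeIPA or anyone on the list; it parses both outputs and reports those gaps. The two samples are constructed from the output Johan posted; the list of descriptors it requires (passwd, group, automount, auto_master) and the expected idmap domain are the example's own assumptions.

```python
"""Check Solaris 11 LDAP and NFS client settings for the gaps discussed in the thread.

Added example; not Solaris, FreeIPA or list-member code.  The descriptor list
and the expected idmap domain are this example's assumptions.
"""
from collections import defaultdict

# Constructed sample: the `ldapclient list` output posted in the thread
# (default profile, anonymous bind, no automount search descriptors).
LDAPCLIENT_LIST = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

# Constructed sample: the line of `sharectl get nfs` output posted in the thread.
SHARECTL_NFS = "nfsmapid_domain=\n"

# Services that should have their own search descriptor so lookups do not walk
# the whole base DN; the automount ones are behind the slow logins in the thread.
REQUIRED_DESCRIPTORS = ("passwd", "group", "automount", "auto_master")


def parse_kv(text):
    """Parse `KEY= value` (ldapclient) or `key=value` (sharectl) lines.

    Keys may repeat (NS_LDAP_SERVICE_SEARCH_DESC does), so each key maps to the
    list of its values in the order they appeared.
    """
    cfg = defaultdict(list)
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()].append(value.strip())
    return dict(cfg)


def audit_ldapclient(text, required=REQUIRED_DESCRIPTORS):
    """Flag an unauthenticated or cleartext bind and missing search descriptors."""
    cfg = parse_kv(text)
    findings = []
    auth = cfg.get("NS_LDAP_AUTH", ["none"])[0]
    if auth == "none":
        findings.append("NS_LDAP_AUTH=none: anonymous bind; use tls:simple with a bind account")
    elif auth == "simple":
        findings.append("NS_LDAP_AUTH=simple: bind password sent in clear; use tls:simple")
    base = cfg.get("NS_LDAP_SEARCH_BASEDN", ["<unset>"])[0]
    # Each descriptor is "service:base[?scope[?filter]]"; keep only the service name.
    descriptors = {d.split(":", 1)[0] for d in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", [])}
    for service in required:
        if service not in descriptors:
            findings.append("no search descriptor for %s: lookups scan all of %s"
                            % (service, base))
    return findings


def audit_nfs(text, expected_domain):
    """Check nfsmapid_domain against the idmap domain the NFSv4 server uses."""
    domain = parse_kv(text).get("nfsmapid_domain", [""])[0]
    if not domain:
        return ["nfsmapid_domain is empty: the idmap domain is not pinned, so mismatched "
                "NFSv4 owners show up as nobody:nobody; set it to %s" % expected_domain]
    if domain != expected_domain:
        return ["nfsmapid_domain=%s does not match the server's %s" % (domain, expected_domain)]
    return []


if __name__ == "__main__":
    for finding in audit_ldapclient(LDAPCLIENT_LIST) + audit_nfs(SHARECTL_NFS, "example.com"):
        print(finding)
```

On a live host the two parsers take the captured output of `ldapclient list` and `sharectl get nfs`; on the sample from the thread the script reports the anonymous bind, the two missing automount descriptors and the empty idmap domain, and it reports nothing once the client is switched to a profile like the one at the top of the thread and nfsmapid_domain matches the server.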

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-20 Thread Johan Petersson
Hi,

Was your example of a new DUAProfile ever added to Fedora or RHEL?
If so, I can't find any reference to it or a fix of the documentation. If not,
is there a way to add it myself for my configuration?
There is always the manual way otherwise, I guess.
Are Red Hat going to support RHEL clients only in IPA Server?
We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac
OS X, so the answer to that question is kind of interesting. :)
Regards,
Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on 
behalf of Johan Petersson [johan.peters...@sscspace.com]
Sent: Thursday, December 20, 2012 19:03
To: Sigbjorn Lie
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

Thank you for the tip about NFSMAPID_DOMAIN.

It was not set properly.
sharectl get nfs

nfsmapid_domain=

And by using:
sharectl set -p nfsmapid_domain=servername nfs

It was properly set.
I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right.

And I almost forgot: my Solaris version is 11 11/11.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the
entire LDAP server for your automount maps. The automountmap rules in the DUA
profile will help with that. You'll also run into issues if you attempt to have
several automount locations without having specified which one to use with an
automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to
your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the
domain id used on your NFS server to get rid of the nobody:nobody default
mapping and enable mapping between the NFS server and the client.



Regards,
Siggi




On Thu, December 20, 2012 13:40, Johan Petersson wrote:
 Hi,


 Here is my pam.conf cleaned up a bit.


 login   auth requisite  pam_authtok_get.so.1
 login   auth required   pam_dhkeys.so.1
 login   auth sufficient pam_krb5.so.1 try_first_pass
 login   auth required   pam_unix_cred.so.1
 login   auth required   pam_unix_auth.so.1
 login   auth required   pam_dial_auth.so.1

 gdm-autologin auth  required    pam_unix_cred.so.1
 gdm-autologin auth  sufficient  pam_allow.so.1

 other   auth requisite  pam_authtok_get.so.1
 other   auth required   pam_dhkeys.so.1
 other   auth required   pam_unix_cred.so.1
 other   auth sufficient pam_krb5.so.1
 other   auth required   pam_unix_auth.so.1

 passwd  auth required   pam_passwd_auth.so.1

 gdm-autologin account  sufficient  pam_allow.so.1

 other   account requisite   pam_roles.so.1
 other   account required    pam_unix_account.so.1
 other   account required    pam_krb5.so.1

 other   session required    pam_unix_session.so.1

 other   password required   pam_dhkeys.so.1
 other   password requisite  pam_authtok_get.so.1

 other   password requisite  pam_authtok_check.so.1 force_check
 other   password sufficient pam_krb5.so.1
 other   password required   pam_authtok_store.so.1

 I am getting one error and it is for autofs.


 /var/adm/messages:
 Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found


 /var/svc/log/system.filesystem-autofs:default.log:
 [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs 
 start). ]
 automount: /net mounted
 automount: /nfs4 mounted
 automount: no unmounts
 [ Dec 20 12:24:22 Method start exited with status 0. ]


 ldapclient list
 NS_LDAP_FILE_VERSION= 2.0
 NS_LDAP_SERVERS= servername
 NS_LDAP_SEARCH_BASEDN= dc=home
 NS_LDAP_AUTH= none
 NS_LDAP_SEARCH_REF= TRUE
 NS_LDAP_SEARCH_TIME= 15
 NS_LDAP_PROFILE= default
 NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
 NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
 NS_LDAP_BIND_TIME= 5
 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount


 Thinking it has to do with missing automountmap in default DUAProfile.
 Automount still works though but takes time during login and everything is 
 nobody:nobody :)


 
 From: Sigbjorn Lie [sigbj...@nixtra.com]
 Sent: Thursday, December 20, 2012 10:13
 To: Johan Petersson
 Cc: freeipa-users@redhat.com
 Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?


 Hi,


 This is interesting. When I tested Solaris 11, ssh worked, and su - testuser
 worked. However, console login did not work, giving some PAM errors.

 Could you please share your entire pam.conf file?


 Is this Solaris 11 or Solaris 11.1

Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-18 Thread Sigbjorn Lie

On Tue, December 18, 2012 08:28, Johan Petersson wrote:
 Hi,


 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone know if the issue has been solved?



I don't think there are any problems with Solaris 11, except that nobody has yet
sat down and figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and
found that there were enough differences in the LDAP/Kerberos client between
Solaris 10 and Solaris 11 for making it work with the setup guide I've created
for Solaris 10. And there was a need for further investigation for finding out
how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.

I don't know if anyone else has had time to sit down and have a crack at this?


Regards,
Siggi




Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

2012-12-18 Thread Dmitri Pal
On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
 On Tue, December 18, 2012 08:28, Johan Petersson wrote:
 Hi,


 We are implementing IPA Server and are going to need to be able to
 authenticate properly with a number of Solaris 11 servers. I have browsed the
 archives and found a few threads mentioning some problems with Solaris 11 and
 IPA Server. Does anyone know if the issue has been solved?


 I don't think there are any problems with Solaris 11, except that nobody has
 yet sat down and figured out how to configure it as an IPA client.

 I had a go at it a while ago (some of the posts you've probably found), and
 found that there were enough differences in the LDAP/Kerberos client between
 Solaris 10 and Solaris 11 for making it work with the setup guide I've created
 for Solaris 10. And there was a need for further investigation for finding out
 how to configure Solaris 11 as an IPA client.

 I've not looked into this further as we do not use Solaris 11 yet.

 I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.



 Regards,
 Siggi

