Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 01/04/2013 05:27 AM, Johan Petersson wrote: Here is the instructions for a IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile. Everything works as far as i have been able to test. Console login works, su - and ssh. Thank you Johan! We will put it onto the wiki. It seems that it is a good opportunity to refine our client configuration guide a bit. Thanks Dmitri Configuration done on the IPA Server. Create a DUAConfigProfile solaris_authssl.ldif dn: cn=solaris_authssl,ou=profile,dc=example,dc=com objectClass: top objectClass: DUAConfigProfile cn: solaris_authssl authenticationMethod: tls:simple bindTimeLimit: 5 credentialLevel: proxy defaultSearchBase: dc=example,dc=com defaultSearchScope: one defaultServerList: ipaserver.example.com followReferrals: TRUE objectclassMap: shadow:shadowAccount=posixAccount objectclassMap: printers:sunPrinter=printerService profileTTL: 6000 searchTimeLimit: 10 serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com serviceSearchDescriptor:auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com Add the ldif to ipaserver: ldapadd -h ipaserver.example.com -x -W -D cn=Directory Manager -vvv -f solaris_authssl.ldif Create an account to use for authentication: ldapmodify -a -h ipaserver.example.com -D cn=Directory Manager -W dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com objectClass: account objectClass: simpleSecurityObject objectClass: top uid: solaris userPassword: setyourpasswordhere ipa host-add --force --ip-address=192.168.0.1 solaris.example.com ipa host-add-managedby --host ipaserver.example.com solaris.example.com ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab Make sure that the automount maps in ipaserver is named auto_* and NOT auto.* so they are compatible with Solaris name standards. certutil -N -d . openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem certutil -A -n ca-cert -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db) scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/ Solaris host configuration: Make sure to secure the krb5.keytab properly. chown root:sys krb5.keytab chmod 600 krb5.keytab Secure the *.db files created by certutil on IPA Server earlier. chown root:staff /var/ldap/*.db chmod 444 /var/ldap/*.db Edit /etc/nsswitch.ldap, replace ldap with dns from the hosts and ipnodes lines: hosts: files dns ipnodes: files dns ldapclient -v init \ -a profileName=solaris_authssl \ -a domainName=example.com \ -a proxyDN=uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \ -a proxyPassword=setyourpasswordhere \ -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \ -w yourpasswordagain \ ipaserver.example.com Enable ntp client: Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf Example: server ipaserver.example.com iburst svcadm restart ntp To see it is running properly: svcs ntp To see what servers you are using: ntpq -p Edit /etc/krb5/krb5.conf: krb5.conf: [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false [realms] EXAMPLE.COM = { kdc = ipaserver.example.com admin_server = ipaserver.example.com [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM Pam configuration changed slightly in Solaris 11.1. It is still possible to use /etc/pam.conf as before if preferable. Pam configuration in /etc/pam.d/ login: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 other: auth definitive pam_user_policy.so.1 auth requisite pam_authtok_get.so.1 auth required pam_dhkeys.so.1 auth required pam_unix_cred.so.1 auth sufficient pam_krb5.so.1 auth required pam_unix_auth.so.1 account requisite pam_roles.so.1 account definitive pam_user_policy.so.1 account requiredpam_unix_account.so.1 account requiredpam_krb5.so.1 account requiredpam_tsol_account.so.1 password includepam_authtok_common password sufficient pam_krb5.so.1 password required pam_authtok_store.so.1 For NFS: /etc/nfssec.conf enable these:
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
permission issues with NFS. sharectl set -p nfsmapid_domain=home nfs To see if it is properly set: sharectl get nfs Regards, Johan. From: Dmitri Pal [d...@redhat.com] Sent: Tuesday, December 25, 2012 16:52 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/24/2012 05:27 PM, Johan Petersson wrote: Here is a step by step instruction for a Solaris 11 machine as client to a IPA server based on the default DUAProfile. Console login works, su - and ssh. Home directories automounted have the correct permissions. The automount does not use wildcards since i had issues of the whole /home being grabbed by autofs and thus making local users home directories unavalable. This can probably be solved by someone with more extensive experience of Solaris autofs. I am working on a instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly. First make sure that the Solaris 11 machine are using the proper DNS and NTP servers. On the IPA server or Client run: ipa host-add --force --ip-address=192.168.0.1 solaris.example.com ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab Move the keytab to the Solaris machine /etc/krb5/krb5.keytab Make sure it have the proper owner and permissions: chown root:sys /etc/krb5/krb5.keytab chmod 700 /etc/krb5/krb5.keytab Edit /etc/nsswitch.ldap, replace ldap with dns from the hosts and ipnodes lines: hosts: files dns ipnodes: files dns Edit /etc/krb5/krb5.conf: [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false [realms] EXAMPLE.COM = { kdc = ipaserver.example.com admin_server = ipaserver.example.com } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM Run the ldapclient with the default DUAProfile. The -a domainName= example.com is needed so that ldapclient does not stop and complain about missing nisdomain name. ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com In Solaris 11.1 the pam configuration have changed but for simplicity i still use the /etc/pam.conf: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 other account requisite pam_roles.so.1 other account requiredpam_unix_account.so.1 other account requiredpam_krb5.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 For NFS and automount to work: In /etc/nfssec.conf enable these: krb5390003 kerberos_v5 default - # RPCSEC_GSS krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS sharectl set -p nfsmapid_domain=example.com nfs If autofs is not on: svcadm enable system/filesystem/autofs:default In /etc/auto_home: testuser ipaserver.example.com:/home/testuser Thank you! Dmitri ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login: Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13) Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server If i disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables. However, i have all the ports enabled and Red Hat clients works with the firewall on. Clearly Solaris is using some secret other port(s) that is not mentioned. I have tried with 749 and 750 tcp and udp with no difference. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 18:56 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Cool. :) What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon? Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :) Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.orghttp://server.example.org NS_LDAP_SEARCH_BAS EDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Forgot to add the ports opened in my last message. :) 22 TCP 80 TCP 443 TCP 389 TCP 636 TCP 7389 TCP 88 TCP,UDP 464 TCP,UDP 53 TCP,UDP 123 TCP,UDP 111 TCP,UDP 2049 TCP,UDP Also tried 749,750 and everything kerberos related from Solaris /etc/services. Solaris.example.com and solaris2.example.com is same machine, just typo from me when editing the log for publishing. Regards, Johan From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Friday, December 28, 2012 13:40 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login: Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13) Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server If i disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables. However, i have all the ports enabled and Red Hat clients works with the firewall on. Clearly Solaris is using some secret other port(s) that is not mentioned. I have tried with 749 and 750 tcp and udp with no difference. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 18:56 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Cool. :) What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon? Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :) Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.orghttp://server.example.org NS_LDAP_SEARCH_BAS EDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
How about enabling the firewall, and use tcpdump on the ipa server or snoop on the Solaris box to see where it stops and waits? Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Forgot to add the ports opened in my last message. :) 22 TCP 80 TCP 443 TCP 389 TCP 636 TCP 7389 TCP 88 TCP,UDP 464 TCP,UDP 53 TCP,UDP 123 TCP,UDP 111 TCP,UDP 2049 TCP,UDP Also tried 749,750 and everything kerberos related from Solaris /etc/services. Solaris.example.com and solaris2.example.com is same machine, just typo from me when editing the log for publishing. Regards, Johan From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Friday, December 28, 2012 13:40 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login: Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13) Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server If i disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables. However, i have all the ports enabled and Red Hat clients works with the firewall on. Clearly Solaris is using some secret other port(s) that is not mentioned. I have tried with 749 and 750 tcp and udp with no difference. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 18:56 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Cool. :) What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon? Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :) Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.orghttp://server.example.org NS_LDAP_SEARCH_BAS EDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.org NS_LDAP_SEARCH_BASEDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match: ldapkey =[ \2a ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=\2a)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 getmapent_ldap: exiting ... t4 do_lookup1: action=2 wildcard=FALSE error=2 t4 LOOKUP REPLY : status=2 The automount map is called auto.nethome key is: * -rw,soft server.example.org:/nethome/ Is it that Solaris automount dont like asterisk(*) in a automount key? Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.org NS_LDAP_SEARCH_BASEDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match: ldapkey =[ \2a ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=\2a)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 getmapent_ldap: exiting ... t4 do_lookup1: action=2 wildcard=FALSE error=2 t4 LOOKUP REPLY : status=2 The automount map is called auto.nethome key is: * -rw,soft server.example.org:/nethome/ Is it that Solaris automount dont like asterisk(*) in a automount key? Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :) Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.orghttp://server.example.org NS_LDAP_SEARCH_BASEDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match: ldapkey =[ \2a ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=\2a)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 getmapent_ldap: exiting ... t4 do_lookup1: action=2 wildcard=FALSE error=2 t4 LOOKUP REPLY : status=2 The automount map is called auto.nethome key is: * -rw,soft server.example.orghttp://server.example.org:/nethome/ Is it that Solaris automount dont like asterisk(*) in a automount key? Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Cool. :) What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon? Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked. Thank you for that help! I did not even think that it was that simple. :) Now everything works for the more secure client configuration on Solaris 11. The only thing left to investigate is why there is a delay now for the IPA users. I get the message : Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until i get a prompt. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Wednesday, December 26, 2012 17:10 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also need to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile. Rgds Siggi Johan Petersson johan.peters...@sscspace.com wrote: Got everything except automount to work with Solaris 11 and the more secure DUAProfile. Verified that i can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients. I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users home directories on the NFS Server :) root@solaris2:~# ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org NS_LDAP_BINDPASSWD= {XXX}XX NS_LDAP_SERVERS= server.example.orghttp://server.example.org NS_LDAP_SEARCH_BASEDN= dc=example,dc=org NS_LDAP_AUTH= tls:simple NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_SCOPE= one NS_LDAP_SEARCH_TIME= 10 NS_LDAP_CACHETTL= 6000 NS_LDAP_PROFILE= solaris_authssl1 NS_LDAP_CREDENTIAL_LEVEL= proxy NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService root@solaris2:~# sharectl get autofs timeout=600 automount_verbose=true automountd_verbose=true nobrowse=false trace=2 environment= From /var/svc/log/system-filesystem-autofs\:default.log: t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012 t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0 t4 getmapent_ldap called t4 getmapent_ldap: key=[ user02 ] t4 ldap_match called t4 ldap_match: key =[ user02 ] t4 ldap_match: ldapkey =[ user02 ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=user02)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 ldap_match called t4 ldap_match: key =[ \2a ] t4 ldap_match: ldapkey =[ \2a ] t4 ldap_match: Requesting list for ((objectClass=automount)(automountKey=\2a)) in auto.nethome t4 ldap_match: __ns_ldap_list FAILED (2) t4 ldap_match: no entries found t4 getmapent_ldap: exiting ... t4 do_lookup1: action=2 wildcard=FALSE error=2 t4 LOOKUP REPLY : status=2 The automount map is called auto.nethome key is: * -rw,soft server.example.orghttp://server.example.org:/nethome/ Is it that Solaris automount dont like asterisk(*) in a automount key? Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/24/2012 05:27 PM, Johan Petersson wrote: Here is a step by step instruction for a Solaris 11 machine as client to a IPA server based on the default DUAProfile. Console login works, su - and ssh. Home directories automounted have the correct permissions. The automount does not use wildcards since i had issues of the whole /home being grabbed by autofs and thus making local users home directories unavalable. This can probably be solved by someone with more extensive experience of Solaris autofs. I am working on a instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly. First make sure that the Solaris 11 machine are using the proper DNS and NTP servers. On the IPA server or Client run: ipa host-add --force --ip-address=192.168.0.1 solaris.example.com ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab Move the keytab to the Solaris machine /etc/krb5/krb5.keytab Make sure it have the proper owner and permissions: chown root:sys /etc/krb5/krb5.keytab chmod 700 /etc/krb5/krb5.keytab Edit /etc/nsswitch.ldap, replace ldap with dns from the hosts and ipnodes lines: hosts: files dns ipnodes: files dns Edit /etc/krb5/krb5.conf: [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false [realms] EXAMPLE.COM = { kdc = ipaserver.example.com admin_server = ipaserver.example.com } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM Run the ldapclient with the default DUAProfile. The -a domainName= example.com is needed so that ldapclient does not stop and complain about missing nisdomain name. ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com In Solaris 11.1 the pam configuration have changed but for simplicity i still use the /etc/pam.conf: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 other account requisite pam_roles.so.1 other account requiredpam_unix_account.so.1 other account requiredpam_krb5.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 For NFS and automount to work: In /etc/nfssec.conf enable these: krb5390003 kerberos_v5 default - # RPCSEC_GSS krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS sharectl set -p nfsmapid_domain=example.com nfs If autofs is not on: svcadm enable system/filesystem/autofs:default In /etc/auto_home: testuser ipaserver.example.com:/home/testuser Thank you! Dmitri ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Here is a step by step instruction for a Solaris 11 machine as client to a IPA server based on the default DUAProfile. Console login works, su - and ssh. Home directories automounted have the correct permissions. The automount does not use wildcards since i had issues of the whole /home being grabbed by autofs and thus making local users home directories unavalable. This can probably be solved by someone with more extensive experience of Solaris autofs. I am working on a instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly. First make sure that the Solaris 11 machine are using the proper DNS and NTP servers. On the IPA server or Client run: ipa host-add --force --ip-address=192.168.0.1 solaris.example.com ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab Move the keytab to the Solaris machine /etc/krb5/krb5.keytab Make sure it have the proper owner and permissions: chown root:sys /etc/krb5/krb5.keytab chmod 700 /etc/krb5/krb5.keytab Edit /etc/nsswitch.ldap, replace ldap with dns from the hosts and ipnodes lines: hosts: files dns ipnodes:files dns Edit /etc/krb5/krb5.conf: [libdefaults] default_realm = EXAMPLE.COM verify_ap_req_nofail = false [realms] EXAMPLE.COM = { kdc = ipaserver.example.com admin_server = ipaserver.example.com } [domain_realm] example.com = EXAMPLE.COM .example.com = EXAMPLE.COM Run the ldapclient with the default DUAProfile. The -a domainName= example.com is needed so that ldapclient does not stop and complain about missing nisdomain name. ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com In Solaris 11.1 the pam configuration have changed but for simplicity i still use the /etc/pam.conf: login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 other account requisite pam_roles.so.1 other account requiredpam_unix_account.so.1 other account requiredpam_krb5.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 For NFS and automount to work: In /etc/nfssec.conf enable these: krb5390003 kerberos_v5 default - # RPCSEC_GSS krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS sharectl set -p nfsmapid_domain=example.com nfs If autofs is not on: svcadm enable system/filesystem/autofs:default In /etc/auto_home: testuseripaserver.example.com:/home/testuser From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Saturday, December 22, 2012 13:14 To: d...@redhat.com; freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, yes of course i can document it properly as soon as i have checked everything. I will send it to you so you can review it. Regards, Johan. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Friday, December 21, 2012 23:39 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/20/2012 07:13 PM, Johan Petersson wrote: Hi, Was your example of a new DUAProfile ever added to Fedora or RHEL? If so i can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise i guess. Are Red Hat going to support RHEL clients only in IPA Server? We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :) Regards, Johan Johan, Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs? Thanks Dmitri From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Thursday, December 20, 2012 19:03 To: Sigbjorn Lie Cc: freeipa-users@redhat.com
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, yes of course i can document it properly as soon as i have checked everything. I will send it to you so you can review it. Regards, Johan. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Friday, December 21, 2012 23:39 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/20/2012 07:13 PM, Johan Petersson wrote: Hi, Was your example of a new DUAProfile ever added to Fedora or RHEL? If so i can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise i guess. Are Red Hat going to support RHEL clients only in IPA Server? We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :) Regards, Johan Johan, Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs? Thanks Dmitri From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Thursday, December 20, 2012 19:03 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, Thank you for the tip about NFSMAPID_DOMAIN It was not set properly. sharectl get nfs nfsmapid_domain= And by using: sharectl set -p nfsmapid_domain=servername nfs It was properly set. I must add that i prefer editing files instead of sharectl,svccfg and so on. :) I also made a auto.home map in IPA Server to set the homedirectory automounts right. And i almost forgot my Solaris version is 11 11/11. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote: Hi, Was your example of a new DUAProfile ever added to Fedora or RHEL? If so i can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise i guess. Are Red Hat going to support RHEL clients only in IPA Server? Red Hat has a clear support statement on the matter. https://access.redhat.com/knowledge/articles/261973 We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :) Regards, Johan From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Thursday, December 20, 2012 19:03 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, Thank you for the tip about NFSMAPID_DOMAIN It was not set properly. sharectl get nfs nfsmapid_domain= And by using: sharectl set -p nfsmapid_domain=servername nfs It was properly set. I must add that i prefer editing files instead of sharectl,svccfg and so on. :) I also made a auto.home map in IPA Server to set the homedirectory automounts right. And i almost forgot my Solaris version is 11 11/11. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote: Hi, Was your example of a new DUAProfile ever added to Fedora or RHEL? If so i can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise i guess. Are Red Hat going to support RHEL clients only in IPA Server? We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :) Regards, Johan Johan, Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs? Thanks Dmitri From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Thursday, December 20, 2012 19:03 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, Thank you for the tip about NFSMAPID_DOMAIN It was not set properly. sharectl get nfs nfsmapid_domain= And by using: sharectl set -p nfsmapid_domain=servername nfs It was properly set. I must add that i prefer editing files instead of sharectl,svccfg and so on. :) I also made a auto.home map in IPA Server to set the homedirectory automounts right. And i almost forgot my Solaris version is 11 11/11. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account requiredpam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs. Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working. From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com] Sent: Tuesday, December 18, 2012 17:50 To: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, Thank you for the tip about NFSMAPID_DOMAIN It was not set properly. sharectl get nfs nfsmapid_domain= And by using: sharectl set -p nfsmapid_domain=servername nfs It was properly set. I must add that i prefer editing files instead of sharectl,svccfg and so on. :) I also made a auto.home map in IPA Server to set the homedirectory automounts right. And i almost forgot my Solaris version is 11 11/11. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1? Regards, Siggi On Thu, December 20, 2012 09:40, Johan Petersson wrote: I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works ssh works and console login works. I get a delay before getting the prompt through ssh though and maybe from console too, probably something about autofs Going to see if i can increase loginformation (Solaris newbie). To get it to work i mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully i can get everything working
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, Was your example of a new DUAProfile ever added to Fedora or RHEL? If so i can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration? There is always the manual way otherwise i guess. Are Red Hat going to support RHEL clients only in IPA Server? We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :) Regards, Johan From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com] Sent: Thursday, December 20, 2012 19:03 To: Sigbjorn Lie Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, Thank you for the tip about NFSMAPID_DOMAIN It was not set properly. sharectl get nfs nfsmapid_domain= And by using: sharectl set -p nfsmapid_domain=servername nfs It was properly set. I must add that i prefer editing files instead of sharectl,svccfg and so on. :) I also made a auto.home map in IPA Server to set the homedirectory automounts right. And i almost forgot my Solaris version is 11 11/11. Regards, Johan. From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 15:20 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server? Thanks. I'm guessing it's taking such a long time because it's looking trough the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with a automountmap rule for auto master. If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client. Regards, Siggi On Thu, December 20, 2012 13:40, Johan Petersson wrote: Hi, Here is my pam.conf cleaned up a bit. login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth sufficient pam_krb5.so.1 try_first_pass login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1 login auth required pam_dial_auth.so.1 gdm-autologin auth requiredpam_unix_cred.so.1 gdm-autologin auth sufficient pam_allow.so.1 other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 passwd auth required pam_passwd_auth.so.1 gdm-autologin account sufficient pam_allow.so.1 other account requisite pam_roles.so.1 other account required pam_unix_account.so.1 other account requiredpam_krb5.so.1 other session requiredpam_unix_session.so.1 other password required pam_dhkeys.so.1 other password requisite pam_authtok_get.so.1 other password requisite pam_authtok_check.so.1 force_check other password sufficient pam_krb5.so.1 other password required pam_authtok_store.so.1 I am getting one error and it is for autofs. /var/adm/messages: Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found /var/svc/log/system.filesystem-autofs:default.log: [ Dec 20 12:24:22 Executing start method (/lib/svc/method/svc-autofs start). ] automount: /net mounted automount: /nfs4 mounted automount: no unmounts [ Dec 20 12:24:22 Method start exited with status 0. ] ldapclient list NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= servername NS_LDAP_SEARCH_BASEDN= dc=home NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :) From: Sigbjorn Lie [sigbj...@nixtra.com] Sent: Thursday, December 20, 2012 10:13 To: Johan Petersson Cc: freeipa-users@redhat.com Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server? Hi, This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However console login did not work giving some PAM errors. Could you please share your entire pam.conf file? Is this Solaris 11 or Solaris 11.1
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/18/2012 04:06 AM, Sigbjorn Lie wrote: On Tue, December 18, 2012 08:28, Johan Petersson wrote: Hi, We are implementing IPA Server and are gong to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue have been solved? I don't think there is any problems with Solaris 11 except of nobody has yet sat down and figured out how to configure it as an IPA client yet. I had a got at it a while ago (some of the posts you've probably found), and found that there was enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client. I've not looked into this further as we do not use Solaris 11 yet. I don't know if anyone else has had time to sit down and have a crack at this? And we would like to hear about this effort. If it produces instructions we would like to put them on the wiki. If it produces bugs we would investigate them. Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users