Re: [Freeipa-users] Solaris 10 as IPA Client?
8><---
> "Vendors" in NZ just import in a box, it's a function of our small population,
> few have any depth of knowledge...a few have happily admitted to me that if
> we buy the hardware they will get some training...until then they are as
> clueless as we are.

Wow. Are you talking to technical staff or to sales people there?

--
natxo
8><

hehe

It's usually sales ppl, very few techies...typical sales of a few "boxes" per year...you don't have many techies on that quantity...for instance with BlueArc/Hitachi they have imported a techy/architect over from OZ for a week to set this up...this is one of the first setups in NZ, there may not be another for many months.

This is normal for NZ. Anything we do even until recently with RedHat...(no architects or any Red Hat employees on the ground here) is they fly over from OZ...So we used to see an RH architect 2 times a year if we were lucky...now we have some senior level ppl in Auckland :D So I finally have a RH senior to talk to here...in MS heaven that's cool. (everything here is Microsoft).

NZ is so small...we have 5000 employees, that makes us something like in the top 20 biggest organisations in NZ. But if you think that's bad, I also deal with some pacific islands, they get their hardware from NZ...and they are poor...I'm talking to a friend in one island and the biggest 3 organisations there use freenas for a SAN/NAS

regards

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Solaris 10 as IPA Client?
On 12/05/2011 10:05 PM, Steven Jones wrote:
> What you need is some knowledge of LDAP, and to work with your vendors to
> figure out how they should be configured to work with IPA.
>
> 8><---
> Funny but I thought a goal of IPA was to make this easier...so you don't need
> such depth of knowledge.
>
> Like I keep saying it's a translation process so you can start to understand
> it...I'm having huge problems with it... which is a worry because if I have
> problems the other admins are probably going to fail. I have tried to
> self-educate myself but I'm not getting far at it.

And IPA still does make it easier, for the management of the server side.

As far as the client side goes, 3rd party vendors have had many years to adopt an Active Directory LDAP profile, containing a certain configuration of objectclasses and attributes to look for. In some years, perhaps 3rd party vendors will be making an IPA LDAP profile or 1:1 instructions for configuring their LDAP clients to more easily work with IPA LDAP.

> "Vendors" in NZ just import in a box, it's a function of our small population,
> few have any depth of knowledge...a few have happily admitted to me that if
> we buy the hardware they will get some training...until then they are as
> clueless as we are.

The vendor will most likely have a knowledge doc portal and central support outside NZ to help you?
Re: [Freeipa-users] Solaris 10 as IPA Client?
On Mon, Dec 5, 2011 at 10:05 PM, Steven Jones wrote:
> Hi
>
> 8><
>
> What you need is some knowledge of LDAP, and to work with your vendors
> to figure out how they should be configured to work with IPA.
>
> 8><---
> Funny but I thought a goal of IPA was to make this easier...so you don't need
> such depth of knowledge.
> Like I keep saying it's a translation process so you can start to understand
> it...I'm having huge problems with it...
> which is a worry because if I have problems the other admins are probably
> going to fail. I have tried to self-educate myself but I'm not getting far at
> it.

I disagree with you here. Understanding ldap is quite essential stuff for deploying a directory based identity management system. I mean, if you just want to provision users and authenticate them to computer systems in an IPA realm, that's it, you need nothing more than the tools ipa gives you.

However, life is usually more complicated and people want to use other applications to do stuff. And those applications have ldap bindings, so you need to know how to use them. This is by the way no different from how to do it with AD. I routinely configure applications to query our AD for user info/authentication/authorization, so I need to specify ldap bases, common names (cn) to bind, etc., as well. No difference here from what you are experiencing.

In my experience most vendors have technical info on how to configure an ldap connection to their applications/appliances. You name Bluecoat, and if I google 'bluecoat ldap' the first hit I get is a nice pdf with exactly the info you need (provided this is about the bluecoat.com company).

I strongly suggest that you get a good grasp on ldap if you need to manage any directory based service, be it AD, IPA or whatever.
> "Vendors" in NZ just import in a box, it's a function of our small population,
> few have any depth of knowledge...a few have happily admitted to me that if
> we buy the hardware they will get some training...until then they are as
> clueless as we are.

Wow. Are you talking to technical staff or to sales people there?

--
natxo
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

Oh I know you can only do so much... :/

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Simo Sorce [s...@redhat.com]
Sent: Tuesday, 6 December 2011 10:14 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?

On Mon, 2011-12-05 at 21:05 +, Steven Jones wrote:
> Funny but I thought a goal of IPA was to make this easier...so you
> don't need such depth of knowledge.

That is our goal, but we can only do so much when 3rd parties are involved.

Your best bet is to see our instructions for non-ipa clients. Those instructions may not apply 1:1 to whatever configuration methods all 3rd parties may have, but should set you in the right direction.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Solaris 10 as IPA Client?
On Mon, 2011-12-05 at 21:05 +, Steven Jones wrote:
> Funny but I thought a goal of IPA was to make this easier...so you
> don't need such depth of knowledge.

That is our goal, but we can only do so much when 3rd parties are involved.

Your best bet is to see our instructions for non-ipa clients. Those instructions may not apply 1:1 to whatever configuration methods all 3rd parties may have, but should set you in the right direction.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi

8><
What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA.
8><---

Funny but I thought a goal of IPA was to make this easier...so you don't need such depth of knowledge.

Like I keep saying it's a translation process so you can start to understand it...I'm having huge problems with it... which is a worry because if I have problems the other admins are probably going to fail. I have tried to self-educate myself but I'm not getting far at it.

"Vendors" in NZ just import in a box, it's a function of our small population, few have any depth of knowledge...a few have happily admitted to me that if we buy the hardware they will get some training...until then they are as clueless as we are.

8><---
BTW, for a proxy appliance I believe you want Kerberos authentication to provide single sign on, and use LDAP merely to do the authorization.
8><--

I suspected that but, nowhere in Bluecoat can I see anything to do kerberos to a kerberos server, so I suspect it won't work as single sign on, so I may be wasting my time.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Solaris 10 as IPA Client?
Use Base DN: dc=unix,dc=vuw,dc=ac,dc=nz. Make sure you've configured bluecoat to do search sub, and not search one.

You should really speak to Bluecoat support about how to configure your appliance. IPA merely provides an LDAP server. There are loads of different ways applications are configured to use LDAP.

Some appliances want just a true/false, such as using an LDAP search: if a result is found the search is true, if a result is not found the search is considered false. Such as:

'(&(objectclass=person)(memberOf=cn=internet-access,cn=groups,cn=accounts,dc=test,dc=com)(uid=username))'

will return a record if the requested user is a member of the group, and return nothing if the user is not a member of the group. I just used a similar configuration for Squid.

Other appliances want to be pointed at a group or a set of groups, where the appliance contains the required logic for searching for users within the group or groups. If you do this, you need to configure the objectclasses and attributes it's looking for, as this varies between different LDAP servers. This is usually configurable within the appliance.

Run "ldapsearch -Y GSSAPI -b dc=unix,dc=vuw,dc=ac,dc=nz cn=internet-access" on your IPA server to see what object classes and attributes are associated with your internet-access group. This should give you some hints for how to configure your appliances.

What you need is some knowledge of LDAP, and to work with your vendors to figure out how they should be configured to work with IPA.

BTW, for a proxy appliance I believe you want Kerberos authentication to provide single sign on, and use LDAP merely to do the authorization.

Regards,
Siggi

On 12/05/2011 08:42 PM, Steven Jones wrote:
> Hi,
>
> If I wanted a specific internet access group where the IPA group is
> "internet-users" What would the baseDN be? I have been using
> dc=unix,dc=vuw,dc=ac,dc=nz but I have tried a few combos, none worked...also
> I need to bind to the IPA? or will anonymous work?
> I can't search the tree as anonymous inside the bluecoat gui so I can't pick
> the group I want...which would make life easy.
>
> This goes back to my request to see the dc= stuff inside the gui...the gui
> "speaks" one way and everything else "speaks" differently, a translation is
> needed. So really you have succeeded in making the gui very easy to use, sure
> but not with other products.
>
> If I have to bind with a user so I can pick the group I want in the bluecoat
> gui I assume I need to create a user for that? with limited permissions?
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: Rob Crittenden [rcrit...@redhat.com]
> Sent: Tuesday, 6 December 2011 3:40 a.m.
> To: Steven Jones
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?
>
> Steven Jones wrote:
>> 8><---
>>
>> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
>> So you need to enable compat tree on ipa side and point your Solaris
>> nss_ldap to the compat tree.
>>
>> 8><--
>>
>> We have a Sun solar storage SAN...uses Solaris I can't get it to
>> work...maybe that's what I need to do to get them to talk...how do I enable
>> "compat tree"?
>>
>> Also would other hardware vendors be similar? I'm trying to get a bluecoat
>> proxy server to talk to IPA and it can't
>
> compat is enabled by default, to double check run:
>
> ipa-compat-manage status
>
> For authentication typically all you need is the basedn of users
> (cn=users,cn=accounts,dc=example,dc=com).
>
> For SSL you can get a copy of the CA cert from
> http://ipa.example.com/ipa/config/ca.crt.
>
> The 389-ds access logs can be found in
> /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to 30
> seconds.
>
> The error log by default tends to only log catastrophic problems. You can
> enable server debugging, details are in the FAQ in the 389-ds wiki.
> rob
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

If I wanted a specific internet access group where the IPA group is "internet-users" What would the baseDN be? I have been using dc=unix,dc=vuw,dc=ac,dc=nz but I have tried a few combos, none worked...also I need to bind to the IPA? or will anonymous work?

I can't search the tree as anonymous inside the bluecoat gui so I can't pick the group I want...which would make life easy.

This goes back to my request to see the dc= stuff inside the gui...the gui "speaks" one way and everything else "speaks" differently, a translation is needed. So really you have succeeded in making the gui very easy to use, sure but not with other products.

If I have to bind with a user so I can pick the group I want in the bluecoat gui I assume I need to create a user for that? with limited permissions?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: Rob Crittenden [rcrit...@redhat.com]
Sent: Tuesday, 6 December 2011 3:40 a.m.
To: Steven Jones
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?

Steven Jones wrote:
>
> 8><---
>
> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
> So you need to enable compat tree on ipa side and point your Solaris
> nss_ldap to the compat tree.
>
> 8><--
>
> We have a Sun solar storage SAN...uses Solaris I can't get it to
> work...maybe that's what I need to do to get them to talk...how do I enable
> "compat tree"?
>
> Also would other hardware vendors be similar? I'm trying to get a bluecoat
> proxy server to talk to IPA and it can't

compat is enabled by default, to double check run:

ipa-compat-manage status

For authentication typically all you need is the basedn of users (cn=users,cn=accounts,dc=example,dc=com).

For SSL you can get a copy of the CA cert from http://ipa.example.com/ipa/config/ca.crt.

The 389-ds access logs can be found in /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to 30 seconds.
The error log by default tends to only log catastrophic problems. You can enable server debugging, details are in the FAQ in the 389-ds wiki.

rob
Re: [Freeipa-users] Solaris 10 as IPA Client?
Steven Jones wrote:
> 8><---
>
> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
> So you need to enable compat tree on ipa side and point your Solaris
> nss_ldap to the compat tree.
>
> 8><--
>
> We have a Sun solar storage SAN...uses Solaris I can't get it to
> work...maybe that's what I need to do to get them to talk...how do I enable
> "compat tree"?
>
> Also would other hardware vendors be similar? I'm trying to get a bluecoat
> proxy server to talk to IPA and it can't

compat is enabled by default, to double check run:

ipa-compat-manage status

For authentication typically all you need is the basedn of users (cn=users,cn=accounts,dc=example,dc=com).

For SSL you can get a copy of the CA cert from http://ipa.example.com/ipa/config/ca.crt.

The 389-ds access logs can be found in /var/log/dirsrv/slapd-YOURINSTANCE/access. These are buffered for up to 30 seconds.

The error log by default tends to only log catastrophic problems. You can enable server debugging, details are in the FAQ in the 389-ds wiki.

rob
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

I found various appliances to require some specifications in terms of an LDAP filter for what to look for. E.g. for looking up a user in IPA it will be (&(objectclass=person)(uid=username)). For AD the similar search can be specified such as (&(sAMAccountName=l0290061)(objectclass=person)). If you have an option to choose LDAP or AD, the AD option would probably have a similar LDAP filter already set, while the LDAP option allows you to create your own filter that suits your LDAP server.

Also making sure you have specified the correct base DN, and making sure that the appliance will search all sub CN's or OU's if required. With IPA: cn=users,cn=accounts, works for my Solaris clients.

Making sure you bind with a user account if you have disabled anonymous access to your LDAP server.

These are the most common issues I've come across for configuring appliances to use LDAP.

Regards,
Siggi

On Mon, December 5, 2011 01:15, Steven Jones wrote:
> Hi,
>
> Maybe you do, I just didn't see it...I will ask what the bluecoat and
> bluearc do.
>
> regards
>
> Steven Jones
> Technical Specialist - Linux RHCE
> Victoria University, Wellington, NZ
> 0064 4 463 6272
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Monday, 5 December 2011 1:05 p.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?
>
> On 12/04/2011 02:39 PM, Steven Jones wrote:
>
>> 8><---
>>
>> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
>> So you need to enable compat tree on ipa side and point your Solaris
>> nss_ldap to the compat tree.
>>
>> 8><--
>>
>> We have a Sun solar storage SAN...uses Solaris I can't get it to
>> work...maybe that's what I need to do to get them to talk...how do I enable
>> "compat tree"?
>
> # ipa-compat-manage enable
>
> I checked the docs. I was surprised we do not mention that Solaris is 2307.
> I will raise a bug.
>
>> Also would other hardware vendors be similar? I'm trying to get a bluecoat
>> proxy server to talk to IPA and it can't
>>
>> regards
>>
>> Steven Jones
>> Technical Specialist - Linux RHCE
>> Victoria University, Wellington, NZ
>> 0064 4 463 6272
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
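The true/false membership filter that Siggi describes in this reply and in the earlier Squid/Bluecoat message, built as a shell helper that escapes the user name per RFC 4515 before it is spliced into the filter, so a stray `*`, `(` or `)` in the supplied value cannot widen the match. This is an added example, not code from the thread or from FreeIPA; the user name `jdoe`, the `ipa_group_dn`/`build_access_filter`/`show_check_command` helpers and the `ldapsearch` wrapper are assumptions, while the group DN layout (cn=GROUP,cn=groups,cn=accounts,BASE) and the memberOf attribute are the ones shown in Siggi's filter.

```shell
#!/bin/sh
# Build the one-result-or-nothing authorization filter for an IPA group,
# with the user-supplied value escaped. Added example, not from the thread.

# Escape the RFC 4515 special characters in an assertion value. Backslash
# is replaced first so the escapes inserted afterwards are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# DN of a group under IPA's default layout (assumed from the filter in the thread).
ipa_group_dn() {
    printf 'cn=%s,cn=groups,cn=accounts,%s' "$1" "$2"
}

# Filter that matches exactly one entry when USER belongs to GROUP and nothing
# otherwise; memberOf is maintained on the user entry by IPA's memberOf plugin.
# Usage: build_access_filter USER GROUP BASE_DN
build_access_filter() {
    user=$(ldap_filter_escape "$1")
    group=$(ldap_filter_escape "$(ipa_group_dn "$2" "$3")")
    printf '(&(objectclass=person)(uid=%s)(memberOf=%s))' "$user" "$group"
}

# The ldapsearch an admin with a Kerberos ticket would run on the IPA server
# to confirm the filter returns one entry before pasting it into an appliance.
# Printed rather than executed so this runs without a directory server.
show_check_command() {
    printf 'ldapsearch -Y GSSAPI -b %s "%s" uid memberOf\n' \
        "cn=users,cn=accounts,$3" "$(build_access_filter "$1" "$2" "$3")"
}

# Constructed sample values: a normal login and a malformed one that would
# otherwise turn into extra filter components.
show_check_command 'jdoe' 'internet-access' 'dc=unix,dc=vuw,dc=ac,dc=nz'
show_check_command 'jdoe*)(uid=*' 'internet-access' 'dc=unix,dc=vuw,dc=ac,dc=nz'
```

The appliance side still needs search scope "sub" and a base of cn=users,cn=accounts,BASE; the filter alone does not fix a wrong base or scope.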
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

Maybe you do, I just didn't see it...I will ask what the bluecoat and bluearc do.

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Monday, 5 December 2011 1:05 p.m.
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Solaris 10 as IPA Client?

On 12/04/2011 02:39 PM, Steven Jones wrote:
> 8><---
>
> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
> So you need to enable compat tree on ipa side and point your Solaris
> nss_ldap to the compat tree.
>
> 8><--
>
> We have a Sun solar storage SAN...uses Solaris I can't get it to
> work...maybe that's what I need to do to get them to talk...how do I enable
> "compat tree"?

# ipa-compat-manage enable

I checked the docs. I was surprised we do not mention that Solaris is 2307. I will raise a bug.

> Also would other hardware vendors be similar? I'm trying to get a bluecoat
> proxy server to talk to IPA and it can't
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Solaris 10 as IPA Client?
On 12/04/2011 02:39 PM, Steven Jones wrote:
> 8><---
>
> Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
> So you need to enable compat tree on ipa side and point your Solaris
> nss_ldap to the compat tree.
>
> 8><--
>
> We have a Sun solar storage SAN...uses Solaris I can't get it to
> work...maybe that's what I need to do to get them to talk...how do I enable
> "compat tree"?

# ipa-compat-manage enable

I checked the docs. I was surprised we do not mention that Solaris is 2307. I will raise a bug.

> Also would other hardware vendors be similar? I'm trying to get a bluecoat
> proxy server to talk to IPA and it can't
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Solaris 10 as IPA Client?
8><---
Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
So you need to enable compat tree on ipa side and point your Solaris nss_ldap to the compat tree.
8><--

We have a Sun solar storage SAN...uses Solaris I can't get it to work...maybe that's what I need to do to get them to talk...how do I enable "compat tree"?

Also would other hardware vendors be similar? I'm trying to get a bluecoat proxy server to talk to IPA and it can't

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272
Re: [Freeipa-users] Solaris 10 as IPA Client?
On 12/01/2011 05:09 AM, Sigbjorn Lie wrote:
> Hi,
>
> I use Solaris 10 as clients, several different updates. They all work fine. I
> have replaced the default DUAConfigProfile though, to include netgroups and
> automount support, and use SSL authenticated connections, but the default
> should work well for basic user and group. Even though it uses unencrypted,
> unauthenticated connections to the LDAP server. :)
>
> Please note that you really need to change /etc/nsswitch.ldap before running
> the ldapclient script, as this is being copied into /etc/nsswitch.conf by the
> ldapclient script. The default nsswitch.ldap sets hosts to look from ldap,
> and removes dns. This does not work with IPA as it relies on DNS for name
> lookups, and the hosts tables do not exist in IPA's LDAP server. This
> prevents the ldap client from starting.
>
> I've configured my nsswitch.ldap to only look up passwd, group, automount,
> netgroup and ethers for now.
>
> Remember to configure the kerberos client afterwards. AES256 (which is the
> first KRB encryption type in IPA) was not included in Solaris 10 until Update
> 8 from what I've read. On these machines I have created keytabs using only
> AES128 and below for the keytab, and limiting enctypes in krb5.conf using
> default_tkt_enctypes and default_tgs_enctypes to AES128 and downwards.
>

Also Solaris assumes 2307 schema AFAIR and IPA is 2307bis.
So you need to enable compat tree on ipa side and point your Solaris nss_ldap to the compat tree.

> Regards,
> Siggi
>
> On Thu, December 1, 2011 06:31, Craig T wrote:
>> Hi,
>>
>> Anyone had any success using Solaris 10 as an IPA client (using
>> ipa-server-2.1.1-4.el6.x86_64)?
>> Does anyone have any more detailed documentation on the topic? I find that
>> Section "3.3.1. Configuring Solaris 10" from the Identity Management Guide
>> very light.
Re: [Freeipa-users] Solaris 10 as IPA Client?
Hi,

I use Solaris 10 as clients, several different updates. They all work fine. I have replaced the default DUAConfigProfile though, to include netgroups and automount support, and use SSL authenticated connections, but the default should work well for basic user and group. Even though it uses unencrypted, unauthenticated connections to the LDAP server. :)

Please note that you really need to change /etc/nsswitch.ldap before running the ldapclient script, as this is being copied into /etc/nsswitch.conf by the ldapclient script. The default nsswitch.ldap sets hosts to look from ldap, and removes dns. This does not work with IPA as it relies on DNS for name lookups, and the hosts tables do not exist in IPA's LDAP server. This prevents the ldap client from starting.

I've configured my nsswitch.ldap to only look up passwd, group, automount, netgroup and ethers for now.

Remember to configure the kerberos client afterwards. AES256 (which is the first KRB encryption type in IPA) was not included in Solaris 10 until Update 8 from what I've read. On these machines I have created keytabs using only AES128 and below for the keytab, and limiting enctypes in krb5.conf using default_tkt_enctypes and default_tgs_enctypes to AES128 and downwards.

Regards,
Siggi

On Thu, December 1, 2011 06:31, Craig T wrote:
> Hi,
>
> Anyone had any success using Solaris 10 as an IPA client (using
> ipa-server-2.1.1-4.el6.x86_64)?
> Does anyone have any more detailed documentation on the topic? I find that
> Section "3.3.1. Configuring Solaris 10" from the Identity Management Guide
> very light.
>
> #Solaris 10 (Newest Edition)
> Oracle Solaris 10 8/11 s10x_u10wos_17b X86
> Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
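A preflight check for the two client-side steps Siggi describes above, run before `ldapclient init`: the hosts entry in nsswitch.ldap must keep dns (IPA has no hosts map in LDAP), and krb5.conf must pin default_tkt_enctypes and default_tgs_enctypes to AES128 and below for a pre-Update-8 Solaris 10. This is an added example, not from the thread or from Oracle or FreeIPA; the sample nsswitch.ldap and krb5.conf files are constructed, the EXAMPLE.COM realm is a placeholder, and the function names are assumptions.

```shell
#!/bin/sh
# Preflight checks for a Solaris 10 nss_ldap/Kerberos client joining IPA.
# Added example, not from the thread. File paths are parameters so the
# checks can be run on copies before anything is installed.

# 0 if the hosts: entry still lists dns, 1 if hosts is absent or routed
# to ldap only (the default nsswitch.ldap, which stops the ldap client).
nsswitch_hosts_keeps_dns() {
    line=$(grep -E '^[[:space:]]*hosts:' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | sed 's/#.*//' | grep -Eq '[[:space:]]dns([[:space:]]|$)'
}

# Print, space separated, the databases the file sends to ldap, for review
# against the list you intend (passwd, group, automount, netgroup, ethers).
nsswitch_ldap_databases() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*[a-z_]+:.*[[:space:]]ldap([[:space:]]|$)' \
      | sed -E 's/^[[:space:]]*([a-z_]+):.*/\1/' \
      | tr '\n' ' ' | sed 's/ $//'
}

# 0 if both default_tkt_enctypes and default_tgs_enctypes are set and neither
# names aes256, 1 otherwise. An absent key counts as a failure because the
# library default would then offer aes256 first.
krb5_enctypes_ok() {
    for key in default_tkt_enctypes default_tgs_enctypes; do
        val=$(sed -nE "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1)
        [ -n "$val" ] || return 1
        if printf '%s\n' "$val" | grep -qi 'aes256'; then return 1; fi
    done
    return 0
}

SAMPLE_DIR=$(mktemp -d)

# Constructed: shipped-default style, hosts on ldap with dns dropped.
cat > "$SAMPLE_DIR/nsswitch.ldap.bad" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
netgroup:   ldap
automount:  files ldap
EOF

# Constructed: trimmed to the databases used in the thread, hosts kept on dns.
cat > "$SAMPLE_DIR/nsswitch.ldap.good" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns      # IPA needs DNS; there is no hosts map in LDAP
netgroup:   ldap
automount:  files ldap
ethers:     files ldap
EOF

# Constructed krb5.conf fragments; EXAMPLE.COM is a placeholder realm.
cat > "$SAMPLE_DIR/krb5.conf.bad" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
EOF

cat > "$SAMPLE_DIR/krb5.conf.good" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 des3-cbc-sha1 arcfour-hmac-md5
EOF

# Run every check on one nsswitch.ldap and one krb5.conf; prints a verdict
# per check and returns 0 only when all pass, so it can gate ldapclient init.
preflight() {
    rc=0
    if nsswitch_hosts_keeps_dns "$1"; then echo "ok   hosts keeps dns"
    else echo "FAIL hosts would not use dns"; rc=1; fi
    echo "info ldap databases: $(nsswitch_ldap_databases "$1")"
    if krb5_enctypes_ok "$2"; then echo "ok   enctypes limited to aes128 and below"
    else echo "FAIL enctypes missing or include aes256"; rc=1; fi
    return $rc
}

preflight "$SAMPLE_DIR/nsswitch.ldap.good" "$SAMPLE_DIR/krb5.conf.good"
preflight "$SAMPLE_DIR/nsswitch.ldap.bad"  "$SAMPLE_DIR/krb5.conf.bad" || true
```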
[Freeipa-users] Solaris 10 as IPA Client?
Hi,

Anyone had any success using Solaris 10 as an IPA client (using ipa-server-2.1.1-4.el6.x86_64)? Does anyone have any more detailed documentation on the topic? I find that Section "3.3.1. Configuring Solaris 10" from the Identity Management Guide very light.

#Solaris 10 (Newest Edition)
Oracle Solaris 10 8/11 s10x_u10wos_17b X86
Copyright (c) 1983, 2011, Oracle and/or its affiliates. All rights reserved.
Assembled 23 August 2011

bash-3.2# ldapclient -v init chtvm-389.teratext.saic.com.au
Arguments parsed:
defaultServerList: chtvm-389.teratext.saic.com.au
Handling init option
About to configure machine by downloading a profile
No profile specified. Using "default"
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: sleep 10 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "teratext.saic.com.au"
file_backup: stat(/var/yp/binding/teratext.saic.com.au)=-1
file_backup: No /var/yp/binding/teratext.saic.com.au directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname teratext.saic.com.au... success
start: sleep 10 microseconds
start: sleep 20 microseconds
start: sleep 40 microseconds
start: sleep 80 microseconds
start: sleep 160 microseconds
start: sleep 320 microseconds
start: sleep 640 microseconds
start: sleep 1280 microseconds
start: sleep 2560 microseconds
start: sleep 5120 microseconds
>>> start: sleep 1770 microseconds
>>> start: network/ldap/client:default... timed out
>>> start: network/ldap/client:default... offline to disable
>>> stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: sleep 640 microseconds
stop: sleep 1280 microseconds
stop: sleep 2560 microseconds
stop: sleep 890 microseconds
stop: network/ldap/client:default... timed out
start: sleep 10 microseconds
start: system/filesystem/autofs:default... success
start: sleep 10 microseconds
start: system/name-service-cache:default... success
start: sleep 10 microseconds
start: sleep 20 microseconds
start: network/smtp:sendmail... success
>>> restart: sleep 10 microseconds
>>> restart: milestone/name-services:default... success
>>> Error resetting system.
>>> Recovering old system settings.
>>> Stopping network services
Stopping sendmail
stop: sleep 10 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: system/name-service-cache:default... success
Stopping autofs
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: system/filesystem/autofs:default... success
Stopping ldap
stop: sleep 10 microseconds
stop: sleep 20 microseconds
stop: sleep 40 microseconds
stop: sleep 80 microseconds
stop: sleep 160 microseconds
stop: sleep 320 microseconds
stop: sleep 640 microseconds
stop: sleep 1280 microseconds
stop: sleep 2560 microseconds
stop: sleep 890 microseconds
stop: network/ldap/client:default... timed out
Stopping ldap failed with (7)
Error (1) while stopping services during reset
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "teratext.saic.com.au"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/
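The verbose output in the post above is a long run of SMF state transitions, and the one line that explains the failure (the ldap client service never coming online, followed by a rollback) is easy to miss among the sleep messages. The following Python helper is an added example; it is not part of this thread and not code from Solaris or FreeIPA. It summarises such a paste: which SMF services did not reach "success", which configuration files ldapclient backed up, how much back-off time was spent polling SMF, and whether ldapclient restored the old settings. It assumes only the line formats visible in the post. The sample log is constructed and shortened, the server name is replaced by the placeholder `example.test`, and mail-quote characters and the `>>>` markers are stripped as noise.

```python
import re

# Constructed sample, modelled on the line formats that `ldapclient -v init`
# printed in the post above; shortened, hostname replaced by a placeholder.
SAMPLE_LOG = """\
Stopping network services
Stopping sendmail
stop: sleep 10 microseconds
stop: network/smtp:sendmail... success
Stopping nscd
stop: sleep 10 microseconds
stop: system/name-service-cache:default... success
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.test... success
start: sleep 10 microseconds
start: sleep 5120 microseconds
>>> start: network/ldap/client:default... timed out
>>> start: network/ldap/client:default... offline to disable
stop: sleep 10 microseconds
stop: network/ldap/client:default... timed out
start: system/name-service-cache:default... success
>>> Error resetting system.
>>> Recovering old system settings.
recover: old domainname "example.test"
"""

# One SMF transition: "<action>: <target>... <result>"
SERVICE_RE = re.compile(r'^(start|stop|restart): (.+?)\.\.\. (.+)$')
# Back-off sleeps between SMF state polls
SLEEP_RE = re.compile(r'^(?:start|stop|restart): sleep (\d+) microseconds$')
# A configuration file saved before the new client settings are written
BACKUP_RE = re.compile(r'^file_backup: \((\S+) -> (\S+)\)$')


def parse_ldapclient_log(text):
    """Summarise verbose ldapclient output.

    Returns a dict with the SMF transitions in order, those that did not end
    in 'success', the first such failure, the files ldapclient backed up, the
    total back-off time spent waiting on SMF, and whether ldapclient rolled
    the machine back to its previous settings.
    """
    events, failures, backups = [], [], []
    sleep_us = 0
    rolled_back = False
    for raw in text.splitlines():
        # Drop mail quoting and the '>>>' markers seen in the pasted output
        line = re.sub(r'^[>\s]+', '', raw.strip())
        m = SERVICE_RE.match(line)
        if m:
            action, target, result = m.groups()
            events.append((action, target, result))
            if result != 'success':
                failures.append((action, target, result))
            continue
        m = SLEEP_RE.match(line)
        if m:
            sleep_us += int(m.group(1))
            continue
        m = BACKUP_RE.match(line)
        if m:
            backups.append(m.groups())
            continue
        if line == 'Recovering old system settings.':
            rolled_back = True
    return {
        'events': events,
        'failures': failures,
        'first_failure': failures[0] if failures else None,
        'backups': backups,
        'sleep_us': sleep_us,
        'rolled_back': rolled_back,
    }


def explain(summary):
    """One-line verdict suitable for a ticket or a mailing-list reply."""
    f = summary['first_failure']
    if f is None:
        return 'ldapclient completed; no SMF service failed'
    action, target, result = f
    verdict = 'SMF %s of %s ended in "%s"' % (action, target, result)
    if summary['rolled_back']:
        verdict += '; ldapclient restored the previous configuration'
    return verdict


if __name__ == '__main__':
    s = parse_ldapclient_log(SAMPLE_LOG)
    print(explain(s))
    for src, dst in s['backups']:
        print('backed up %s -> %s' % (src, dst))
```

Run against the full paste from the post, the first failure it reports is the start of network/ldap/client:default timing out, and the recovery section shows the same service timing out again on stop, which is why ldapclient ends with "Error (1) while stopping services during reset". The backups list tells you which files were saved under /var/ldap/restore and therefore what the rollback can and cannot put back.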
