Re: [Freeipa-users] openindiana ldap client
On 09/09/2012 04:25 PM, Sigbjorn Lie wrote: On 09/07/2012 08:38 PM, Dmitri Pal wrote: On 09/02/2012 12:58 PM, Sigbjorn Lie wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \ -a domainName=*ipa.asenjo.nx* \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=64280(admin) gid=64280(admins) groups=64280(admins) # getent passwd admin admin:x:64280:64280:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest? If you find some inconsistency would mind filing a fedora doc bug? There are some issues in that document. I have been working with Rob with regards to the previous 2 bugzilla doc bug's I opened: https://bugzilla.redhat.com/show_bug.cgi?id=815533 https://bugzilla.redhat.com/show_bug.cgi?id=815515 These BZ covers configuring a DUA profile and configuring Solaris 10 as an IPA client. I presume Rob's work will become the new Solaris 10 IPA Client documentation for both Fedora and RHEL? Thanks for update. We might ask you for a final review. The Fedora and RHEL documentation is a bit different in this regard. For Fedora we can easily document the information you provided. For RHEL we need to find some other avenue to deliver the information because Red Hat support organization can't be responsible for proper configuration of the non RHEL operating systems so we can't have it in the Red Hat documentation. But we will figure it out. Rgds, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On 09/07/2012 08:38 PM, Dmitri Pal wrote: On 09/02/2012 12:58 PM, Sigbjorn Lie wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \ -a domainName=*ipa.asenjo.nx* \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=64280(admin) gid=64280(admins) groups=64280(admins) # getent passwd admin admin:x:64280:64280:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest? If you find some inconsistency would mind filing a fedora doc bug? There are some issues in that document. I have been working with Rob with regards to the previous 2 bugzilla doc bug's I opened: https://bugzilla.redhat.com/show_bug.cgi?id=815533 https://bugzilla.redhat.com/show_bug.cgi?id=815515 These BZ covers configuring a DUA profile and configuring Solaris 10 as an IPA client. I presume Rob's work will become the new Solaris 10 IPA Client documentation for both Fedora and RHEL? Rgds, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On 09/02/2012 12:58 PM, Sigbjorn Lie wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \ -a domainName=*ipa.asenjo.nx* \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=64280(admin) gid=64280(admins) groups=64280(admins) # getent passwd admin admin:x:64280:64280:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 Siggi, can you please review http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html and confirm that this is correct and has the latest? If you find some inconsistency would mind filing a fedora doc bug? The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors. After a reboot, what does svcs -xv ldap/client output? Is the services is depend on in online state? svcs -d ldap/client What does /var/svc/log/network-ldap-client:default.log display after a reboot? What files do you have in /var/ldap? What is the content of the /var/ldap/ldap_client_file? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. --- Looking to carve out IT costs? www.redhat.com/carveoutcosts/ ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On Sun, Sep 2, 2012 at 9:57 PM, Natxo Asenjo natxo.ase...@gmail.com wrote: On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use Agreed, it sounds like a bug in OpenIndiana. That's odd. A service becomes temporarily disabled usually when a service it depends on cannot start due to failed depedencies or fails to start. On the SPARC platform you can boot with boot -v to get a verbose startup. Adding -v to the $kernel line in GRUB manually at startup will display a verbose startup on the X86 platform. Be aware, it will get really verbose. ok, I'll give that a try, thanks. Are you using a static IP or DHCP? dhcp so far, just testing. I'll try with a fixed ip. This should just work with dhcp too, obviously. following up, using a fixed ip address 'fixed' the problem :) no dhcp workstations with openindiana until this is 'fixed' then. -- natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On 09/02/2012 04:37 PM, Natxo Asenjo wrote: hi, Recently I have been playing with the zfs for its native nfs4 acl capabilities. I have used openindiana for this. For those wondering about openindiana, it is a distribution of the former opensolaris code. I got the ldap client to work for retrieveing user/group info from ipa using the ldapclient command: # ldapclient manual \ -a authenticationMethod=none \ -a defaultSearchBase=*dc=ipa,dc=asenjo,dc=nx* \ -a domainName=*ipa.asenjo.nx* \ -a defaultServerList=kdc.ipa.asenjo.nx \ -a serviceSearchDescriptor='passwd:dc=ipa,dc=asenjo,dc=nx?sub' \ -a serviceSearchDescriptor='group:dc=ipa,dc=asenjo,dc=nx?sub' [enter] you need to enable the ldap/client service: # svcadm enable ldap/client:default [enter] After which, modify /etc/nsswitch.conf to add the ldap provider for passwd and group: passwd: files ldap group: files ldap That's it, test it: # id admin uid=64280(admin) gid=64280(admins) groups=64280(admins) # getent passwd admin admin:x:64280:64280:Administrator:/home/admin:/bin/bash So it works. The kerberos stuff will be next ... One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. -- Groeten, natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users Hi, I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors. After a reboot, what does svcs -xv ldap/client output? Is the services is depend on in online state? svcs -d ldap/client What does /var/svc/log/network-ldap-client:default.log display after a reboot? What files do you have in /var/ldap? What is the content of the /var/ldap/ldap_client_file? Regards, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 ok, looks nice. I did not know about this automatic config tool. So If run ldapclient init -a profileName=default kdc.ipa.asenjo.nx it should work. Yes it does, awesome. Unfortunately, it keeps stopping after a reboot: Sep 2 20:05:19 Enabled. ] [ Sep 2 20:05:31 Executing start method (/lib/svc/method/ldap-client start). ] [ Sep 2 20:05:38 Method start exited with status 0. ] [ Sep 2 20:05:38 Stopping because service disabled. ] [ Sep 2 20:05:38 Executing stop method (/lib/svc/method/ldap-client stop). ] [ Sep 2 20:05:38 Method stop exited with status 0. ] There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors. I have rerun ldapclient after running ldapclient uninit and saw no errors. After a reboot, what does svcs -xv ldap/client output? # svcs -xv ldap/client svc:/network/ldap/client:default (LDAP client) State: disabled since September 2, 2012 08:05:38 PM CEST Reason: Temporarily disabled by an administrator. See: http://illumos.org/msg/SMF-8000-1S See: man -M /usr/share/man -s 1M ldap_cachemgr See: /var/svc/log/network-ldap-client:default.log Impact: This service is not running. But I have not temporarily disabled it (option -t to svcadm, I believe). Is the services is depend on in online state? svcs -d ldap/client # svcs -d ldap/client STATE STIMEFMRI online 19:51:58 svc:/system/filesystem/minimal:default online 19:51:59 svc:/network/initial:default online 19:52:10 svc:/network/location:default What does /var/svc/log/network-ldap-client:default.log display after a reboot? see above. What files do you have in /var/ldap? ls -l /var/ldap/ total 7 -rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log -r 1 root root 100 2012-09-02 11:16 ldap_client_cred -r 1 root root 371 2012-09-02 11:16 ldap_client_file drwxr-xr-x 2 root root4 2012-09-02 11:16 restore What is the content of the /var/ldap/ldap_client_file? # # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead. # NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= kdc.ipa.asenjo.nx NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use -- natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On 09/02/2012 08:21 PM, Natxo Asenjo wrote: On Sun, Sep 2, 2012 at 6:58 PM, Sigbjorn Lie sigbj...@nixtra.com mailto:sigbj...@nixtra.com wrote: On 09/02/2012 04:37 PM, Natxo Asenjo wrote: One thing I have not yet gotten to work is that these changes are not persistent accross reboots. The ldapclient config stays, but the service ldap/client does not start (stays disabled) and nsswitch.conf missess the ldap entries. So far I am fixing this from cfengine (gotta love it). So apparently, for solaris 10 and newer versions, the procedure outlined in http://freeipa.com/page/ConfiguringSolarisClients is no longer necessary as far as the ldap client is concerned. I'm using Nexenta as an IPA client, another derivative of OpenSolaris. I use a DUAProfile with ldapclient. This stays configured and the ldap/client service is enabled across reboots. There is a DUAProfile included by default with IPA, but it requires some tweaking to support more than just the basic features. See this bugzilla for a more comprehensive example: https://bugzilla.redhat.com/show_bug.cgi?id=815515 ok, looks nice. I did not know about this automatic config tool. So If run ldapclient init -a profileName=default kdc.ipa.asenjo.nx it should work. Yes it does, awesome. Unfortunately, it keeps stopping after a reboot: Sep 2 20:05:19 Enabled. ] [ Sep 2 20:05:31 Executing start method (/lib/svc/method/ldap-client start). ] [ Sep 2 20:05:38 Method start exited with status 0. ] [ Sep 2 20:05:38 Stopping because service disabled. ] [ Sep 2 20:05:38 Executing stop method (/lib/svc/method/ldap-client stop). ] [ Sep 2 20:05:38 Method stop exited with status 0. ] There is also some more info about configuring Solaris clients in this bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=815533 The ldap/client service is enabled when you run the ldapclient script. There should be no need for doing this manually. When you run ldapclient, run it with the -v flag and look for errors. I have rerun ldapclient after running ldapclient uninit and saw no errors. After a reboot, what does svcs -xv ldap/client output? # svcs -xv ldap/client svc:/network/ldap/client:default (LDAP client) State: disabled since September 2, 2012 08:05:38 PM CEST Reason: Temporarily disabled by an administrator. See: http://illumos.org/msg/SMF-8000-1S See: man -M /usr/share/man -s 1M ldap_cachemgr See: /var/svc/log/network-ldap-client:default.log Impact: This service is not running. But I have not temporarily disabled it (option -t to svcadm, I believe). Is the services is depend on in online state? svcs -d ldap/client # svcs -d ldap/client STATE STIMEFMRI online 19:51:58 svc:/system/filesystem/minimal:default online 19:51:59 svc:/network/initial:default online 19:52:10 svc:/network/location:default What does /var/svc/log/network-ldap-client:default.log display after a reboot? see above. What files do you have in /var/ldap? ls -l /var/ldap/ total 7 -rw-r--r-- 1 root root 2368 2012-09-02 15:28 cachemgr.log -r 1 root root 100 2012-09-02 11:16 ldap_client_cred -r 1 root root 371 2012-09-02 11:16 ldap_client_file drwxr-xr-x 2 root root4 2012-09-02 11:16 restore What is the content of the /var/ldap/ldap_client_file? # # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead. # NS_LDAP_FILE_VERSION= 2.0 NS_LDAP_SERVERS= kdc.ipa.asenjo.nx NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=asenjo,dc=nx NS_LDAP_AUTH= none NS_LDAP_SEARCH_REF= TRUE NS_LDAP_SEARCH_TIME= 15 NS_LDAP_PROFILE= default NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=ipa,dc=asenjo,dc=nx NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=asenjo,dc=nx NS_LDAP_BIND_TIME= 5 NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use Agreed, it sounds like a bug in OpenIndiana. That's odd. A service becomes temporarily disabled usually when a service it depends on cannot start due to failed depedencies or fails to start. On the SPARC platform you can boot with boot -v to get a verbose startup. Adding -v to the $kernel line in GRUB manually at startup will display a verbose startup on the X86 platform. Be aware, it will get really verbose. Are you using a static IP or DHCP? Rgds, Siggi ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] openindiana ldap client
On Sun, Sep 2, 2012 at 9:20 PM, Sigbjorn Lie sigbj...@nixtra.com wrote: Thank for your tips. I think there might just be something broken with the ldap/client service in openindiana. This DUAProfile thing is really nice to use Agreed, it sounds like a bug in OpenIndiana. That's odd. A service becomes temporarily disabled usually when a service it depends on cannot start due to failed depedencies or fails to start. On the SPARC platform you can boot with boot -v to get a verbose startup. Adding -v to the $kernel line in GRUB manually at startup will display a verbose startup on the X86 platform. Be aware, it will get really verbose. ok, I'll give that a try, thanks. Are you using a static IP or DHCP? dhcp so far, just testing. I'll try with a fixed ip. This should just work with dhcp too, obviously. Great tips, Sigbjorn. Much appreciated. -- natxo ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users