[Freeipa-users] Installing IPA on Solaris 10

Andy Singleton Andy.Singleton at tipp24os.co.uk
Wed Feb 24 11:11:05 UTC 2010


Hi Rob,

Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2:

We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed")

Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually.
However, there was some hoop jumping to get to this state:

I changed the following parts of the freeipa schema contents:

1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise.
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net

2) The defaultServerList defaults to the master server, which was not reachable from the clients' subnet. (The Linux clients rely on two slaves in this subnet.)
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
defaultServerList: [slave].live.tipp24.net

3) Our install covers three separate domains, and Solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only.
"dn: dc=live,dc=tipp24,dc=net"
nisDomain: live.tipp24.net
associatedDomain: live.tipp24.net



Finally, when users attempt to connect, the dirsrv log on the slave has the following contents:
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1


Any comments/advice would be appreciated.

Thanks
Andy

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: 05 February 2010 16:58
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10

Andy Singleton wrote:
> Hi Rob,
> 
> Ok, I've switched on the compat plugin.
> Incidentally, does this need to be done separately for all replicas?

Yes. The plugin configuration of each 389-ds is not replicated.

> However, when I run ldapclient init <ipa_server>, I get this message:
> "Failed to find defaultSearchBase for domain"

Hmm, can you look in the DS logs to see what queries it is making?
(/var/log/dirsrv/slapd-YOUR-INSTANCE/access).

Probably a good idea to ensure you have the Solaris default profile set 
up too:

ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"

rob

> 
> Cheers
> Andy
> 
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com] 
> Sent: 03 February 2010 17:34
> To: Andy Singleton; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
> 
> Andy Singleton wrote:
>> Hi Rob,
>>
>> Neither of the commands give any results.
> 
> /me smacks head
> 
> Ok, sorry I didn't see this the first go-round.
> 
> The Solaris nss_ldap doesn't use /etc/ldap.conf.
> 
> What you want to do is something like:
> 
> # ldapclient init ipa.example.com
> 
> This should set everything up for you on the Solaris side assuming 
> you're running freeIPA 1.2.2.
> 
> You'll also need to enable the compat schema on the IPA side by running 
> ipa-compat-manage enable and restarting the DS (if you haven't done so 
> already).
> 
> Note that the Solaris LDAP client assumes that if you want to use LDAP 
> for anything then you want to use it for EVERYTHING, so you'll want to 
> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to 
> dns from ldap.
> 
> rob
>> Andy
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>> Sent: 03 February 2010 16:11
>> To: Andy Singleton
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>
>> Andy Singleton wrote:
>>> Hi rob,
>>>
>>> Glad you caught up with this problem.
>>>
>>> The nsswitch.conf is set up as per the install document. So:
>>>  passwd:     files ldap[NOTFOUND=return]
>>>  group:    files ldap[NOTFOUND=return]
>>>
>>> The system uses the standard solaris nss_ldap package.
>> Ok, can you see if you can get a specific user and group:
>>
>> getent passwd admin
>> getent group ipausers
>>
>> rob
>>
>>> Cheers
>>> Andy
>>>
>>> ----- Original Message -----
>>> From: Rob Crittenden <rcritten at redhat.com>
>>> To: Andy Singleton
>>> Cc: freeipa-users at redhat.com <freeipa-users at redhat.com>
>>> Sent: Tue Feb 02 21:01:33 2010
>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>
>>> Andy Singleton wrote:
>>>  > Hi guys,
>>>  >
>>>  > 
>>>  >
>>>  > I am installing IPA 1.2.2 client installation on one of our Solaris
>>>  > servers, and I can't seem to get the system to see the IPA users. “getent
>>>  > passwd” only returns local users, and no traffic is leaving the client
>>>  > for the IPA server for ldap.
>>>  >
>>>  > 
>>>  >
>>>  > I have followed the instructions from the documentation, but I
>>>  > definitely get the feeling that something is missing.
>>>  >
>>>  > All the various configuration files are populated, and the Kerberos
>>>  > portion works correctly because I can obtain a ticket.
>>>  >
>>>  > So possibly there is a problem with the nss_ldap part, or the ldap.conf
>>>  > itself.
>>>  >
>>>  > 
>>>  >
>>>  > Does anyone know common problems that might have this result on 
>>> Solaris 10?
>>>  >
>>>  > 
>>>  >
>>>  > For reference, here is the /etc/ldap.conf file:
>>>  >
>>>  > 
>>>  >
>>>  > ldap_version 3
>>>  >
>>>  > base cn=compat,dc=live,dc=tipp24,dc=net
>>>  >
>>>  > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>  >
>>>  > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>  >
>>>  > nss_schema rfc2307bis
>>>  >
>>>  > nss_map_objectclass shadowAccount posixAccount
>>>  >
>>>  > nss_map_attribute uniqueMember member
>>>  >
>>>  > nss_initgroups_ignoreusers root,dirsrv,oracle
>>>  >
>>>  > nss_reconnect_maxsleeptime 8
>>>  >
>>>  > nss_reconnect_sleeptime 1
>>>  >
>>>  > bind_timelimit 2
>>>  >
>>>  > timelimit 4
>>>  >
>>>  > nss_srv_domain live.tipp24.net
>>>  >
>>>  > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
>>>  >
>>>  > 
>>>  >
>>>  > Thanks
>>>  >
>>>  > Andy
>>>
>>> Sorry, missed this one last week..
>>>
>>> What does /etc/nsswitch.conf read? Is it configured to use ldap?
>>>
>>> You might also try killing nscd in case it is interfering.
>>>
>>> rob
>>>
> 
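Added example, not part of the original thread or of FreeIPA/389-ds: a small triage script for the dirsrv access-log excerpt in the 24 Feb message at the top, which separates a connection that only read the root DSE and unbound from one where a bind was attempted and rejected. The conn=4672697 lines and the function names are constructed for illustration; the BIND/RESULT line layout is assumed to follow the usual 389-ds access-log format.

```python
import re
from collections import defaultdict

# conn=4672696 is the excerpt quoted in the thread; conn=4672697 is constructed for contrast.
SAMPLE_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:54:02 +0100] conn=4672697 fd=390 slot=390 connection from [client IP] to [slave IP]
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 BIND dn="uid=example,cn=users,cn=accounts,dc=example,dc=com" method=128 version=3
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 UNBIND
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(\d+) op=(-?\d+) (SRCH|BIND|UNBIND|RESULT)\b(.*)$')

def parse(log_text):
    """Group operations by connection: {conn: {op_number: {"verb", "base", "err"}}}."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # connection open/close lines and anything unrecognised
        conn, op, verb, rest = m.groups()
        if verb == "RESULT":
            err = re.search(r'\berr=(\d+)', rest)
            if op in conns[conn] and err:
                conns[conn][op]["err"] = int(err.group(1))
        else:
            base = re.search(r'base="([^"]*)"', rest)
            conns[conn][op] = {"verb": verb, "base": base.group(1) if base else None, "err": None}
    return conns

def classify(ops):
    """Label one connection by what the client actually asked the server to do."""
    binds = [o for o in ops.values() if o["verb"] == "BIND"]
    searches = [o for o in ops.values() if o["verb"] == "SRCH"]
    # err=14 (saslBindInProgress) is a normal intermediate step of a SASL bind, not a failure.
    if any(b["err"] not in (0, 14, None) for b in binds):
        return "bind-rejected"
    if not binds and searches and all(s["base"] == "" for s in searches):
        return "rootdse-probe-only"  # no credentials and no user lookup reached the server
    return "bind-ok" if binds else "no-bind"

def triage(log_text):
    return {conn: classify(ops) for conn, ops in parse(log_text).items()}

if __name__ == "__main__":
    for conn, label in triage(SAMPLE_LOG).items():
        print(conn, label)
```

A `rootdse-probe-only` label means that on that connection the client only asked for `supportedControl` and `supportedSASLMechanisms` and never sent a BIND or a search under the directory suffix.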




