[Freeipa-users] Installing IPA on Solaris 10
Andy Singleton
Andy.Singleton at tipp24os.co.uk
Wed Feb 24 11:11:05 UTC 2010
Hi Rob,
Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2:
We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed")
Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually.
However, there was some hoop jumping to get to this state:
I changed the following parts of the freeipa schema contents:
1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise.
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net
2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (The Linux clients rely on two slaves in this subnet.)
"dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
defaultServerList: [slave].live.tipp24.net
3) Our install covers three separate domains, and Solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only.
"dn: dc=live,dc=tipp24,dc=net"
nisDomain: live.tipp24.net
associatedDomain: live.tipp24.net
Finally, when users attempt to connect, the dirsrv log on the slave has the following contents:
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
Any comments/advice would be appreciated.
Thanks
Andy
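The Python script below is an added example, not code from this thread or from FreeIPA. It does two things offline: it checks a constructed LDIF copy of the profile and suffix entries against the three changes listed above (compat search descriptors, server list reachable from the client subnet, nisDomain/associatedDomain equal to the client's domain), and it groups the posted dirsrv access-log excerpt by conn= to show that connection 4672696 only asked the root DSE for its capabilities and then unbound without ever binding or searching for a user. A second connection (4672697) is invented for contrast; the hostname slave.live.tipp24.net, the uid=admin bind DN and the [client IP]/[slave IP] placeholders are assumptions.

```python
"""Offline checks for the two artefacts posted above: the Solaris LDAP client
profile entries and the 389-ds access log excerpt.  Added example; not code
from the thread or from FreeIPA.  All sample data below is constructed."""
import re
from collections import defaultdict

# ---- Part 1: Solaris LDAP client profile sanity checks --------------------

# Constructed LDIF reflecting the entries after the three changes in the mail.
PROFILE_LDIF = """\
dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net
objectClass: DUAConfigProfile
cn: default
defaultSearchBase: dc=live,dc=tipp24,dc=net
defaultServerList: slave.live.tipp24.net
serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=live,dc=tipp24,dc=net

dn: dc=live,dc=tipp24,dc=net
objectClass: domain
nisDomain: live.tipp24.net
associatedDomain: live.tipp24.net
"""


def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}; handles repeated attributes
    and folded continuation lines (leading space).  No base64 (::) support."""
    entries, current, lines = {}, None, []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # fold continuation line
        else:
            lines.append(raw)
    for line in lines:
        if not line.strip():
            current = None                  # blank line ends the entry
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "dn":
            current = entries.setdefault(val, defaultdict(list))
        elif current is not None:
            current[key].append(val)
    return entries


def check_profile(entries, profile_dn, suffix_dn, client_domain, reachable):
    """Return problems matching the three hoops in the mail: (1) passwd/group
    descriptors must point into cn=compat, (2) every host in defaultServerList
    must be in the caller-supplied set reachable from the client subnet,
    (3) nisDomain and associatedDomain on the suffix must equal client_domain."""
    problems = []
    prof = entries.get(profile_dn, {})
    ssd = dict(v.partition(":")[::2] for v in prof.get("serviceSearchDescriptor", []))
    for svc in ("passwd", "group"):
        base = ssd.get(svc, "")
        if "cn=compat" not in base.lower():
            problems.append(f"(1) {svc} serviceSearchDescriptor not under cn=compat: {base!r}")
    servers = prof.get("defaultServerList", [])
    if not servers:
        problems.append("(2) defaultServerList is missing")
    for value in servers:
        for host in value.split():          # one value may list several hosts
            if host not in reachable:
                problems.append(f"(2) {host} is not reachable from the client subnet")
    suffix = entries.get(suffix_dn, {})
    for attr in ("nisDomain", "associatedDomain"):
        if suffix.get(attr, []) != [client_domain]:
            problems.append(f"(3) {attr} is {suffix.get(attr)}, expected [{client_domain!r}]")
    return problems


# ---- Part 2: what did each connection in the access log actually do? ------

# conn 4672696 is the excerpt from the mail; conn 4672697 is an invented
# comparison showing a client that binds and then searches the compat tree.
ACCESS_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:54:02 +0100] conn=4672697 fd=390 slot=390 connection from [client IP] to [slave IP]
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 BIND dn="uid=admin,cn=users,cn=accounts,dc=live,dc=tipp24,dc=net" method=128 version=3
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 SRCH base="cn=users,cn=compat,dc=live,dc=tipp24,dc=net" scope=2 filter="(uid=admin)" attrs=ALL
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:54:02 +0100] conn=4672697 op=2 UNBIND
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) (?P<rest>.*)$")


def summarise_connections(log_text):
    """Group lines by conn= and record the bind DN (if any), the search bases
    queried, and whether the client unbound."""
    conns = defaultdict(lambda: {"bind": None, "search_bases": [], "unbind": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c, rest = conns[m.group("conn")], m.group("rest")
        if " BIND " in rest:
            c["bind"] = re.search(r'dn="([^"]*)"', rest).group(1)
        elif " SRCH " in rest:
            c["search_bases"].append(re.search(r'base="([^"]*)"', rest).group(1))
        elif rest.endswith(" UNBIND"):
            c["unbind"] = True
    return dict(conns)


def classify(conns):
    """'rootdse-probe-only' = capabilities query on base="" then UNBIND, with
    no BIND and no user search: the server never saw an authentication attempt."""
    labels = {}
    for cid, c in conns.items():
        real_searches = [b for b in c["search_bases"] if b != ""]
        if c["bind"] is None and not real_searches and c["unbind"]:
            labels[cid] = "rootdse-probe-only"
        elif c["bind"] is not None:
            labels[cid] = f"bound as {c['bind']}"
        else:
            labels[cid] = "anonymous search"
    return labels


if __name__ == "__main__":
    entries = parse_ldif(PROFILE_LDIF)
    for p in check_profile(entries, "cn=default,ou=profile,dc=live,dc=tipp24,dc=net",
                           "dc=live,dc=tipp24,dc=net", "live.tipp24.net",
                           {"slave.live.tipp24.net"}) or ["profile OK"]:
        print(p)
    for cid, label in classify(summarise_connections(ACCESS_LOG)).items():
        print(cid, label)
```

The useful signal from the log part is the absence of a BIND: whatever is rejecting the logon is doing so on the Solaris side before any credential reaches the directory, so the next place to look is the client's PAM and ldapclient configuration rather than the server's access control.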
-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com]
Sent: 05 February 2010 16:58
To: Andy Singleton
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
Andy Singleton wrote:
> Hi Rob,
>
> Ok, I've switched on the compat plugin.
> Incidentally, does this need to be done separately for all replicas?
Yes. The plugin configuration of each 389-ds is not replicated.
> However, when I run ldapclient init <ipa_server>, I get this message:
> "Failed to find defaultSearchBase for domain"
Hmm, can you look in the DS logs to see what queries it is making?
(/var/log/dirsrv/slapd-YOUR-INSTANCE/access).
Probably a good idea to ensure you have the Solaris default profile set
up too:
ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"
rob
>
> Cheers
> Andy
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: 03 February 2010 17:34
> To: Andy Singleton; freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>
> Andy Singleton wrote:
>> Hi Rob,
>>
>> Neither of the commands give any results.
>
> /me smacks head
>
> Ok, sorry I didn't see this the first go-round.
>
> The Solaris nss_ldap doesn't use /etc/ldap.conf.
>
> What you want to do is something like:
>
> # ldapclient init ipa.example.com
>
> This should set everything up for you on the Solaris side assuming
> you're running freeIPA 1.2.2.
>
> You'll also need to enable the compat schema on the IPA side by running
> ipa-compat-manage enable and restarting the DS (if you haven't done so
> already).
>
> Note that the Solaris LDAP client assumes that if you want to use LDAP
> for anything then you want to use it for EVERYTHING, so you'll want to
> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to
> dns from ldap.
>
> rob
>> Andy
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: 03 February 2010 16:11
>> To: Andy Singleton
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>
>> Andy Singleton wrote:
>>> Hi rob,
>>>
>>> Glad you caught up with this problem.
>>>
>>> The nsswitch.conf is set up as per the install document. So:
>>> passwd: files ldap[NOTFOUND=return]
>>> group: files ldap[NOTFOUND=return]
>>>
>>> The system uses the standard solaris nss_ldap package.
>> Ok, can you see if you can get a specific user and group:
>>
>> getent passwd admin
>> getent group ipausers
>>
>> rob
>>
>>> Cheers
>>> Andy
>>>
>>> ----- Original Message -----
>>> From: Rob Crittenden <rcritten at redhat.com>
>>> To: Andy Singleton
>>> Cc: freeipa-users at redhat.com <freeipa-users at redhat.com>
>>> Sent: Tue Feb 02 21:01:33 2010
>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>
>>> Andy Singleton wrote:
>>> > Hi guys,
>>> >
>>> >
>>> >
>>> > I am installing the IPA 1.2.2 client on one of our Solaris servers,
>>> > and I can't seem to get the system to see the IPA users. "getent
>>> > passwd" only returns local users, and no traffic is leaving the client
>>> > for the IPA server for ldap.
>>> >
>>> >
>>> >
>>> > I have followed the instructions from the documentation, but I
>>> > definitely get the feeling that something is missing.
>>> >
>>> > All the various configuration files are populated, and the Kerberos
>>> > portion works correctly because I can obtain a ticket.
>>> >
>>> > So possibly there is a problem with the nss_ldap part, or the ldap.conf
>>> > itself.
>>> >
>>> >
>>> >
>>> > Does anyone know common problems that might have this result on
>>> Solaris 10?
>>> >
>>> >
>>> >
>>> > For reference, here is the /etc/ldap.conf file:
>>> >
>>> >
>>> >
>>> > ldap_version 3
>>> >
>>> > base cn=compat,dc=live,dc=tipp24,dc=net
>>> >
>>> > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>> >
>>> > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>> >
>>> > nss_schema rfc2307bis
>>> >
>>> > nss_map_objectclass shadowAccount posixAccount
>>> >
>>> > nss_map_attribute uniqueMember member
>>> >
>>> > nss_initgroups_ignoreusers root,dirsrv,oracle
>>> >
>>> > nss_reconnect_maxsleeptime 8
>>> >
>>> > nss_reconnect_sleeptime 1
>>> >
>>> > bind_timelimit 2
>>> >
>>> > timelimit 4
>>> >
>>> > nss_srv_domain live.tipp24.net
>>> >
>>> > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
>>> >
>>> >
>>> >
>>> > Thanks
>>> >
>>> > Andy
>>>
>>> Sorry, missed this one last week.
>>>
>>> What does /etc/nsswitch.conf read? Is it configured to use ldap?
>>>
>>> You might also try killing nscd in case it is interfering.
>>>
>>> rob
>>>
>