[Freeipa-users] Installing IPA on Solaris 10

Rob Crittenden rcritten at redhat.com
Wed Feb 24 14:46:35 UTC 2010


Andy Singleton wrote:
> Hi Rob,
> 
> Some notes on my attempts to integrate my Solaris 10 client into freeipa 1.2.2:
> 
> We still have an issue that ipa users cannot log on to our Solaris 10 client. ("800047 auth.error: pam Authentication failed")

Can't log in via console, ssh?

> Currently I can get a ticket with "kinit", and can see the ipa users/groups with "getent". "ldapclient init" worked eventually.
> However, there was some hoop jumping to get to this state:
> 
> I changed the following parts of the freeipa schema contents:
> 
> 1) The "passwd" serviceSearchDescriptor pointed to cn=accounts instead of cn=compat. I am not sure if this is deliberately set or not. "getent passwd" would refuse to work otherwise.
> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
> serviceSearchDescriptor: passwd:cn=users,cn=compat,dc=live,dc=tipp24,dc=net

Yeah, I need to investigate this further. It should work without having 
to go through compat. There is some VLV problem I need to figure out.

> 2) The defaultServerList defaults to the master server, which was not reachable from the client's subnet. (The Linux clients rely on two slaves in this subnet.)
> "dn: cn=default,ou=profile,dc=live,dc=tipp24,dc=net"
> defaultServerList: [slave].live.tipp24.net

Hmm, I think we can probably add in the replicas to this list when they 
are installed. Would that be an acceptable solution? Assuming of course 
that Solaris will skip to the next entry if one is not accessible.

> 3) Our install covers three separate domains, and Solaris appears to require that nisDomain and associatedDomain conform to the client's specific domain only.
> "dn: dc=live,dc=tipp24,dc=net"
> nisDomain: live.tipp24.net
> associatedDomain: live.tipp24.net

That is a limitation of the Solaris ldap client. associatedDomain needs 
to match the client domain. I don't think there is a workaround for this.

> 
> Finally, when users attempt to connect, the dirsrv log on the slave has the following contents:
> [24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from [client IP] to [slave IP]
> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
> [24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1

Clients attempt to connect and fail right? Are you saying this is the 
only thing logged in that case?

rob

> 
> 
> Any comments/advice would be appreciated.
> 
> Thanks
> Andy
> 
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com] 
> Sent: 05 February 2010 16:58
> To: Andy Singleton
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
> 
> Andy Singleton wrote:
>> Hi Rob,
>>
>> Ok, I've switched on the compat plugin.
>> Incidentally, does this need to be done separately for all replicas?
> 
> Yes. The plugin configuration of each 389-ds is not replicated.
> 
>> However, when I run ldapclient init <ipa_server>, I get this message:
>> "Failed to find defaultSearchBase for domain"
> 
> Hmm, can you look in the DS logs to see what queries it is making? 
> (/var/log/dirsrv/slapd-YOUR-INSTANCE/access).
> 
> Probably a good idea to ensure you have the Solaris default profile set 
> up too:
> 
> ldapsearch -x -b "cn=default,ou=profile,dc=example,dc=com"
> 
> rob
> 
>> Cheers
>> Andy
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>> Sent: 03 February 2010 17:34
>> To: Andy Singleton; freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>
>> Andy Singleton wrote:
>>> Hi Rob,
>>>
>>> Neither of the commands gives any results.
>> /me smacks head
>>
>> Ok, sorry I didn't see this the first go-round.
>>
>> The Solaris nss_ldap doesn't use /etc/ldap.conf.
>>
>> What you want to do is something like:
>>
>> # ldapclient init ipa.example.com
>>
>> This should set everything up for you on the Solaris side assuming 
>> you're running freeIPA 1.2.2.
>>
>> You'll also need to enable the compat schema on the IPA side by running 
>> ipa-compat-manage enable and restarting the DS (if you haven't done so 
>> already).
>>
>> Note that the Solaris LDAP client assumes that if you want to use LDAP 
>> for anything then you want to use it for EVERYTHING, so you'll want to 
>> fix up /etc/nsswitch.conf, at least setting files and ipnodes back to 
>> dns from ldap.
>>
>> rob
>>> Andy
>>>
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com] 
>>> Sent: 03 February 2010 16:11
>>> To: Andy Singleton
>>> Cc: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>
>>> Andy Singleton wrote:
>>>> Hi Rob,
>>>>
>>>> Glad you caught up with this problem.
>>>>
>>>> The nsswitch.conf is set up as per the install document. So:
>>>>  passwd:     files ldap[NOTFOUND=return]
>>>>  group:    files ldap[NOTFOUND=return]
>>>>
>>>> The system uses the standard solaris nss_ldap package.
>>> Ok, can you see if you can get a specific user and group:
>>>
>>> getent passwd admin
>>> getent group ipausers
>>>
>>> rob
>>>
>>>> Cheers
>>>> Andy
>>>>
>>>> ----- Original Message -----
>>>> From: Rob Crittenden <rcritten at redhat.com>
>>>> To: Andy Singleton
>>>> Cc: freeipa-users at redhat.com <freeipa-users at redhat.com>
>>>> Sent: Tue Feb 02 21:01:33 2010
>>>> Subject: Re: [Freeipa-users] Installing IPA on Solaris 10
>>>>
>>>> Andy Singleton wrote:
>>>>  > Hi guys,
>>>>  >
>>>>  > I am doing an IPA 1.2.2 client installation on one of our Solaris
>>>>  > servers, and I can't seem to get the system to see the IPA users. “getent
>>>>  > passwd” only returns local users, and no traffic is leaving the client
>>>>  > for the IPA server for ldap.
>>>>  >
>>>>  > I have followed the instructions from the documentation, but I
>>>>  > definitely get the feeling that something is missing.
>>>>  >
>>>>  > All the various configuration files are populated, and the Kerberos
>>>>  > portion works correctly because I can obtain a ticket.
>>>>  >
>>>>  > So possibly there is a problem with the nss_ldap part, or the ldap.conf
>>>>  > itself.
>>>>  >
>>>>  > Does anyone know common problems that might have this result on
>>>>  > Solaris 10?
>>>>  >
>>>>  > For reference, here is the /etc/ldap.conf file:
>>>>  >
>>>>  > ldap_version 3
>>>>  > base cn=compat,dc=live,dc=tipp24,dc=net
>>>>  > nss_base_passwd cn=users,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>>  > nss_base_group cn=groups,cn=compat,dc=live,dc=tipp24,dc=net?sub
>>>>  > nss_schema rfc2307bis
>>>>  > nss_map_objectclass shadowAccount posixAccount
>>>>  > nss_map_attribute uniqueMember member
>>>>  > nss_initgroups_ignoreusers root,dirsrv,oracle
>>>>  > nss_reconnect_maxsleeptime 8
>>>>  > nss_reconnect_sleeptime 1
>>>>  > bind_timelimit 2
>>>>  > timelimit 4
>>>>  > nss_srv_domain live.tipp24.net
>>>>  > uri ldap://ipaserver1.live.tipp24.net ldap://ipaserver2.live.tipp24.net
>>>>  >
>>>>  > Thanks
>>>>  >
>>>>  > Andy
>>>>
>>>> Sorry, missed this one last week.
>>>>
>>>> What does /etc/nsswitch.conf read? Is it configured to use ldap?
>>>>
>>>> You might also try killing nscd in case it is interfering.
>>>>
>>>> rob
>>>>
> 
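An added example, not part of the thread: a small Python script that groups 389-ds access-log lines of the kind Andy quoted by connection id and flags connections that only read the rootDSE and then unbind, which is the pattern Rob is asking about (no BIND, no search under the user base). The client addresses and the second, successful connection are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in 389-ds access-log format, modelled on the connection
# quoted in the thread; addresses and the second connection are made up.
SAMPLE_LOG = """\
[24/Feb/2010:11:53:45 +0100] conn=4672696 fd=389 slot=389 connection from 192.0.2.10 to 192.0.2.20
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedSASLMechanisms"
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 UNBIND
[24/Feb/2010:11:53:45 +0100] conn=4672696 op=1 fd=389 closed - U1
[24/Feb/2010:11:53:46 +0100] conn=4672697 fd=390 slot=390 connection from 192.0.2.11 to 192.0.2.20
[24/Feb/2010:11:53:46 +0100] conn=4672697 op=0 BIND dn="cn=proxyagent,ou=profile,dc=live,dc=tipp24,dc=net" method=128 version=3
[24/Feb/2010:11:53:46 +0100] conn=4672697 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[24/Feb/2010:11:53:46 +0100] conn=4672697 op=1 SRCH base="cn=users,cn=compat,dc=live,dc=tipp24,dc=net" scope=2 filter="(uid=andy)" attrs="uid uidNumber gidNumber"
[24/Feb/2010:11:53:46 +0100] conn=4672697 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Feb/2010:11:53:46 +0100] conn=4672697 op=2 UNBIND
"""
CONN_RE = re.compile(r"conn=(\d+)")
CLIENT_RE = re.compile(r"connection from (\S+) to")
OP_RE = re.compile(r"op=\d+ (BIND|SRCH|RESULT|UNBIND)\b(.*)")

def parse_connections(log_text):
    """Group lines by conn= id: client address, operation sequence, non-zero err codes."""
    conns = defaultdict(lambda: {"client": None, "ops": [], "errors": []})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn = conns[int(m.group(1))]
        if (c := CLIENT_RE.search(line)):
            conn["client"] = c.group(1)
        if not (o := OP_RE.search(line)):
            continue  # fd/slot bookkeeping lines carry no LDAP operation
        kind, rest = o.groups()
        if kind == "RESULT":
            err = int(re.search(r"err=(\d+)", rest).group(1))
            if err:
                conn["errors"].append(err)
        elif kind == "SRCH" and 'base="" scope=0' in rest:
            conn["ops"].append("ROOTDSE")  # anonymous rootDSE capability probe
        else:
            conn["ops"].append(kind)
    return dict(conns)

def rootdse_only(log_text):
    """Connections that only probed the rootDSE and unbound: no BIND, no user lookup."""
    return sorted((cid, c["client"]) for cid, c in parse_connections(log_text).items()
                  if c["ops"] and set(c["ops"]) <= {"ROOTDSE", "UNBIND"})
```

Running `rootdse_only` over a real access log (with the server's own IPs) narrows the problem to the client side, since a client that never gets past the rootDSE probe is not even attempting the bind that a PAM failure would normally show as `err=49`.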