[Freeipa-users] Does Solaris 11 work as client to IPA server?

Dmitri Pal dpal at redhat.com
Fri Dec 21 22:37:13 UTC 2012


On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?

Red Hat has a clear support statement on the matter.
https://access.redhat.com/knowledge/articles/261973

> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Johan Petersson [Johan.Petersson at sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN.
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for
> your automount maps. The automountmap rules in the DUA profile will help with that. You'll also
> run into issues if you attempt to have several automount locations without having specified which
> one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set
> NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to
> get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the
> client.
>
>
>
> Regards,
> Siggi
>
>
>
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>>
>> Here is my pam.conf cleaned up a bit.
>>
>>
>> login   auth requisite          pam_authtok_get.so.1
>> login   auth required           pam_dhkeys.so.1
>> login   auth sufficient         pam_krb5.so.1 try_first_pass
>> login   auth required           pam_unix_cred.so.1
>> login   auth required           pam_unix_auth.so.1
>> login   auth required           pam_dial_auth.so.1
>>
>> gdm-autologin auth  required    pam_unix_cred.so.1
>> gdm-autologin auth  sufficient  pam_allow.so.1
>>
>> other   auth requisite          pam_authtok_get.so.1
>> other   auth required           pam_dhkeys.so.1
>> other   auth required           pam_unix_cred.so.1
>> other   auth sufficient         pam_krb5.so.1
>> other   auth required           pam_unix_auth.so.1
>>
>> passwd  auth required           pam_passwd_auth.so.1
>>
>> gdm-autologin account  sufficient  pam_allow.so.1
>>
>> other   account requisite       pam_roles.so.1
>> other   account required        pam_unix_account.so.1
>> other   account required        pam_krb5.so.1
>>
>> other   session required        pam_unix_session.so.1
>>
>> other   password required       pam_dhkeys.so.1
>> other   password requisite      pam_authtok_get.so.1
>> other   password requisite      pam_authtok_check.so.1 force_check
>> other   password sufficient     pam_krb5.so.1
>> other   password required       pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>>
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>>
>> Thinking it has to do with missing automountmap in default DUAProfile.
>> Automount still works though but takes time during login and everything is nobody:nobody :)
>>
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>>
>> Hi,
>>
>>
>> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser worked. However
>> console login did not work giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>>
>>
>>
>> Regards,
>> Siggi
>>
>>
>>
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works, ssh works and console login works. I get a delay before getting the prompt
>>> through ssh though and maybe from console too, probably something about autofs. Going to see if
>>> I can increase log information (Solaris newbie). To get it to work I mainly followed Sigbjorn
>>> Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf
>>> configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default
>>> DUAProfile for now and use a NFS4 Kerberos share for home directories with autofs. Going to try
>>> the other DUAProfile too from Bug 815515 and hopefully I can get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Dmitri Pal [dpal at redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>>
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>
>>>
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>
>>>>
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to authenticate properly
>>>>> with a number of Solaris 11 servers. I have browsed the archives and found a few threads
>>>>> mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issue has
>>>>> been solved?
>>>>>
>>>>>
>>>> I don't think there are any problems with Solaris 11, except that nobody has yet sat down and
>>>> figured out how to configure it as an IPA client.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found), and found that there
>>>> were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for
>>>> making it work with the setup guide I've created for Solaris 10. And there was a need for
>>>> further investigation for finding out how to configure Solaris 11 as an IPA client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>>
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at this?
>>>>
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>
>>>
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>>
>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>>
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>>
>>>
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
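
Added example, not part of the original thread or of FreeIPA: a shell check for the two misconfigurations diagnosed in the quoted messages, a client profile with no auto_master search descriptor (ldapclient list) and an empty nfsmapid_domain (sharectl get nfs). The function names, the auto_master descriptor DN and the "home" domain value are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Sample inputs are constructed from the
# command output quoted above; the auto_master descriptor DN is an assumption.
# On Solaris run with a POSIX awk (nawk or /usr/xpg4/bin/awk).

# stdin: `ldapclient list` output. Exit 0 only if a serviceSearchDescriptor
# scopes auto_master, so automount does not search the whole base DN.
has_automaster_ssd() {
    awk -F'= *' '
        $1 == "NS_LDAP_SERVICE_SEARCH_DESC" {
            split($2, d, ":")
            if (d[1] == "auto_master") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# stdin: `sharectl get nfs` output. Prints nfsmapid_domain; exit 1 if the
# property is missing or empty (the nobody:nobody case).
nfsmapid_domain() {
    awk -F= '
        $1 == "nfsmapid_domain" { val = $2 }
        END { if (val == "") exit 1; print val }'
}

# $1 = ldapclient output, $2 = sharectl output. Returns the number of findings.
audit_client() {
    findings=0
    if ! printf '%s\n' "$1" | has_automaster_ssd; then
        echo "WARN: no auto_master search descriptor in the LDAP client profile"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$2" | nfsmapid_domain >/dev/null; then
        echo "WARN: nfsmapid_domain is empty, NFSv4 owners map to nobody:nobody"
        findings=$((findings + 1))
    fi
    return "$findings"
}

LDAP_AS_POSTED='NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home'
LDAP_SCOPED="$LDAP_AS_POSTED
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=home"
NFS_AS_POSTED='nfsmapid_domain='
NFS_SET='nfsmapid_domain=home'   # constructed value

audit_client "$LDAP_AS_POSTED" "$NFS_AS_POSTED" || echo "findings: $?"
audit_client "$LDAP_SCOPED" "$NFS_SET" && echo "client profile OK"
```

On a live client the two helpers take the real command output on stdin, for example ldapclient list piped into has_automaster_ssd.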

