[Freeipa-users] Does Solaris 11 work as client to IPA server?

Dmitri Pal dpal at redhat.com
Sat Jan 5 16:22:44 UTC 2013


On 01/04/2013 05:27 AM, Johan Petersson wrote:
> Here are the instructions for an IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile.
> Everything works as far as I have been able to test. Console login works, as do su - and ssh.

Thank you Johan!
We will put it onto the wiki.
It seems that it is a good opportunity to refine our client
configuration guide a bit.

Thanks
Dmitri

>
> Configuration done on the IPA Server.
>
> Create a DUAConfigProfile: solaris_authssl.ldif
>
> dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
> objectClass: top
> objectClass: DUAConfigProfile
> cn: solaris_authssl
> authenticationMethod: tls:simple
> bindTimeLimit: 5
> credentialLevel: proxy
> defaultSearchBase: dc=example,dc=com
> defaultSearchScope: one
> defaultServerList: ipaserver.example.com
> followReferrals: TRUE
> objectclassMap: shadow:shadowAccount=posixAccount
> objectclassMap: printers:sunPrinter=printerService
> profileTTL: 6000
> searchTimeLimit: 10
> serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
> serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
>
> Add the ldif to ipaserver:
>
> ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif
>
> Create an account to use for authentication:
>
> ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W
>
> dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simpleSecurityObject
> objectClass: top
> uid: solaris
> userPassword: setyourpasswordhere
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa host-add-managedby --host ipaserver.example.com solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Make sure that the automount maps on ipaserver are named auto_* and NOT auto.* so they are compatible with Solaris naming standards.
>
> certutil -N -d .
>
> openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
>
> certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)
>
> scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/
>
>
>
> Solaris host configuration:
>
> Make sure to secure the krb5.keytab properly.
> chown root:sys krb5.keytab
> chmod 600 krb5.keytab
>
> Secure the *.db files created by certutil on IPA Server earlier.
>
> chown root:staff /var/ldap/*.db
> chmod 444 /var/ldap/*.db
>
> Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" in the "hosts" and "ipnodes" lines:
>
> hosts:          files dns
> ipnodes:        files dns
>
> ldapclient -v init \
> -a profileName=solaris_authssl \
> -a domainName=example.com \
> -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
> -a proxyPassword="setyourpasswordhere" \
> -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
> -w yourpasswordagain \
> ipaserver.example.com
>
> Enable ntp client:
>
> Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf
>
> Example:
> server ipaserver.example.com iburst
>
> svcadm restart ntp
>
> To see that it is running properly:
>
> svcs ntp
>
> To see what servers you are using:
>
> ntpq -p 
>
> Edit /etc/krb5/krb5.conf:
>
> krb5.conf:
>
> [libdefaults]
>         default_realm = EXAMPLE.COM
>         verify_ap_req_nofail = false
> [realms]
>         EXAMPLE.COM = {
>                 kdc = ipaserver.example.com
>                 admin_server = ipaserver.example.com
>         }
>
> [domain_realm]
>         example.com = EXAMPLE.COM
>         .example.com = EXAMPLE.COM
>
>
> PAM configuration changed slightly in Solaris 11.1.
> It is still possible to use /etc/pam.conf as before if preferable.
>
> PAM configuration in /etc/pam.d/
>
> login:
>
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth sufficient         pam_krb5.so.1 try_first_pass
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
>
>
> other:
>
> auth definitive         pam_user_policy.so.1
> auth requisite          pam_authtok_get.so.1
> auth required           pam_dhkeys.so.1
> auth required           pam_unix_cred.so.1
> auth sufficient         pam_krb5.so.1
> auth required           pam_unix_auth.so.1
>
> account requisite       pam_roles.so.1
> account definitive      pam_user_policy.so.1
> account required        pam_unix_account.so.1
> account required        pam_krb5.so.1
> account required        pam_tsol_account.so.1
>
> password include        pam_authtok_common
> password sufficient     pam_krb5.so.1
> password required       pam_authtok_store.so.1
>
>
> For NFS:
>
> In /etc/nfssec.conf, enable these:
>
> krb5            390003  kerberos_v5     default -               # RPCSEC_GSS
> krb5i           390004  kerberos_v5     default integrity       # RPCSEC_GSS
> krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
>
> Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.
>
> sharectl set -p nfsmapid_domain=home nfs
>
> To see if it is properly set:
> sharectl get nfs


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
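The DUAConfigProfile above is the piece that decides whether the Solaris proxy bind is protected. As an added example (not part of the original post), the shell functions below render that profile from a DNS domain and IPA server name, and audit any profile LDIF for the tls: authentication method the post relies on. Function names and the audit logic are hypothetical; the container layout (cn=accounts, cn=compat, cn=automount) is taken from the post.

```shell
# Added example, not from the original post: render the post's DUAConfigProfile
# LDIF from a DNS domain and IPA server, then audit a profile for the setting
# the post depends on (a TLS-protected proxy bind). Names are hypothetical.

domain_to_basedn() {
    # example.com -> dc=example,dc=com
    printf '%s' "$1" |
        awk -F. '{ for (i = 1; i <= NF; i++) { sep = (i > 1) ? "," : ""; printf "%sdc=%s", sep, $i } }'
}

render_dua_profile() {
    # $1 = profile cn, $2 = DNS domain, $3 = IPA server FQDN
    base=$(domain_to_basedn "$2")
    cat <<EOF
dn: cn=$1,ou=profile,$base
objectClass: top
objectClass: DUAConfigProfile
cn: $1
authenticationMethod: tls:simple
credentialLevel: proxy
defaultSearchBase: $base
defaultSearchScope: one
defaultServerList: $3
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
profileTTL: 6000
serviceSearchDescriptor: passwd:cn=users,cn=accounts,$base
serviceSearchDescriptor: group:cn=groups,cn=compat,$base
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,$base
serviceSearchDescriptor: automount:cn=default,cn=automount,$base
EOF
}

ldif_attr() {
    # $1 = attribute name; prints its first value from the LDIF on stdin
    awk -v a="$1" 'index($0, a ":") == 1 { sub(/^[^:]*: */, ""); print; exit }'
}

audit_dua_profile() {
    # Reads a profile on stdin; fails unless the bind is TLS-wrapped, because a
    # plain "simple" bind sends the proxy password from every Solaris client in clear.
    method=$(ldif_attr authenticationMethod)
    case "$method" in
        tls:*) return 0 ;;
        *) echo "WARN: authenticationMethod '$method' is not TLS-protected" >&2; return 1 ;;
    esac
}
```

Pipe the rendered profile into ldapadd exactly as the post does; run audit_dua_profile against an ldapsearch dump of ou=profile to confirm a deployed profile still binds over TLS.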

