[Freeipa-users] Does Solaris 11 work as client to IPA server?
Dmitri Pal
dpal at redhat.com
Sat Jan 5 16:22:44 UTC 2013
On 01/04/2013 05:27 AM, Johan Petersson wrote:
> Here are the instructions for an IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile.
> Everything works as far as I have been able to test. Console login works, su - and ssh.
Thank you Johan!
We will put it onto the wiki.
It seems that it is a good opportunity to refine our client
configuration guide a bit.
Thanks
Dmitri
>
> Configuration done on the IPA Server.
>
> Create a DUAConfigProfile solaris_authssl.ldif
>
> dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
> objectClass: top
> objectClass: DUAConfigProfile
> cn: solaris_authssl
> authenticationMethod: tls:simple
> bindTimeLimit: 5
> credentialLevel: proxy
> defaultSearchBase: dc=example,dc=com
> defaultSearchScope: one
> defaultServerList: ipaserver.example.com
> followReferrals: TRUE
> objectclassMap: shadow:shadowAccount=posixAccount
> objectclassMap: printers:sunPrinter=printerService
> profileTTL: 6000
> searchTimeLimit: 10
> serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
> serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
>
> Add the ldif to ipaserver:
>
> ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif
>
> Create an account to use for authentication:
>
> ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W
>
> dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simpleSecurityObject
> objectClass: top
> uid: solaris
> userPassword: setyourpasswordhere
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa host-add-managedby --host ipaserver.example.com solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Make sure that the automount maps on ipaserver are named auto_* and NOT auto.* so they are compatible with Solaris naming standards.
>
> certutil -N -d .
>
> openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
>
> certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)
>
> scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/
>
>
>
> Solaris host configuration:
>
> Make sure to secure the krb5.keytab properly.
> chown root:sys krb5.keytab
> chmod 600 krb5.keytab
>
> Secure the *.db files created by certutil on IPA Server earlier.
>
> chown root:staff /var/ldap/*.db
> chmod 444 /var/ldap/*.db
>
> Edit /etc/nsswitch.ldap, replacing "ldap" with "dns" in the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> ldapclient -v init \
> -a profileName=solaris_authssl \
> -a domainName=example.com \
> -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
> -a proxyPassword="setyourpasswordhere" \
> -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
> -w yourpasswordagain \
> ipaserver.example.com
>
> Enable ntp client:
>
> Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf
>
> Example:
> server ipaserver.example.com iburst
>
> svcadm restart ntp
>
> To see it is running properly:
>
> svcs ntp
>
> To see what servers you are using:
>
> ntpq -p
>
> Edit /etc/krb5/krb5.conf:
>
> krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
>
> Pam configuration changed slightly in Solaris 11.1.
> It is still possible to use /etc/pam.conf as before if preferable.
>
> Pam configuration in /etc/pam.d/
>
> login:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
>
> other:
>
> auth definitive pam_user_policy.so.1
> auth requisite pam_authtok_get.so.1
> auth required pam_dhkeys.so.1
> auth required pam_unix_cred.so.1
> auth sufficient pam_krb5.so.1
> auth required pam_unix_auth.so.1
>
> account requisite pam_roles.so.1
> account definitive pam_user_policy.so.1
> account required pam_unix_account.so.1
> account required pam_krb5.so.1
> account required pam_tsol_account.so.1
>
> password include pam_authtok_common
> password sufficient pam_krb5.so.1
> password required pam_authtok_store.so.1
>
>
> For NFS:
>
> /etc/nfssec.conf enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.
>
> sharectl set -p nfsmapid_domain=home nfs
>
> To see if it is properly set:
> sharectl get nfs
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
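Added example, not from Johan's post and not FreeIPA or Solaris code: a small POSIX sh helper set that builds the DUAConfigProfile LDIF from a DNS domain with the same attributes the post uses, and audits the three client-side hardening steps the post lists (keytab mode 0600, /var/ldap/*.db mode 0444, hosts/ipnodes switched from ldap to dns). The profile name, base DN and server name are assumed values, and the nsswitch and permission checks only run against files you point them at, so they can be tried on scratch copies before touching a real client.

```shell
#!/bin/sh
# Added example (not part of the post or of FreeIPA): helpers that generate the
# DUAConfigProfile LDIF and audit the client files the post says to protect.
# Profile name, base DN and server FQDN passed to these functions are assumed.

# Turn a DNS domain (example.com) into an LDAP base DN (dc=example,dc=com).
dn_from_domain() {
  printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Print a DUAConfigProfile LDIF with the attributes used in the post.
# Usage: gen_dua_profile PROFILE_NAME BASE_DN SERVER_FQDN
gen_dua_profile() {
  cat <<EOF
dn: cn=$1,ou=profile,$2
objectClass: top
objectClass: DUAConfigProfile
cn: $1
authenticationMethod: tls:simple
bindTimeLimit: 5
credentialLevel: proxy
defaultSearchBase: $2
defaultSearchScope: one
defaultServerList: $3
followReferrals: TRUE
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:sunPrinter=printerService
profileTTL: 6000
searchTimeLimit: 10
serviceSearchDescriptor: passwd:cn=users,cn=accounts,$2
serviceSearchDescriptor: group:cn=groups,cn=compat,$2
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,$2
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,$2
serviceSearchDescriptor: automount:cn=default,cn=automount,$2
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,$2
EOF
}

# Return 0 when FILE has exactly the ls-style mode string MODE (e.g. -rw-------).
# ls is used instead of stat(1) so this works on Solaris sh as well as GNU.
check_mode() {
  actual=$(ls -ld "$1" | cut -c1-10)
  [ "$actual" = "$2" ]
}

# Return 0 when no hosts:/ipnodes: line in an nsswitch file still lists ldap.
check_nsswitch() {
  if grep -E '^(hosts|ipnodes):' "$1" | grep -qw ldap; then
    return 1
  fi
  return 0
}

# Audit the files the post tells you to secure; prints one line per check and
# returns non-zero if any check fails.
# Usage: audit_client KEYTAB LDAP_DB_DIR NSSWITCH_FILE
audit_client() {
  rc=0
  check_mode "$1" -rw------- && echo "ok: keytab is 0600" || { echo "FAIL: keytab mode"; rc=1; }
  for db in "$2"/*.db; do
    [ -e "$db" ] || continue
    check_mode "$db" -r--r--r-- && echo "ok: $db is 0444" || { echo "FAIL: $db mode"; rc=1; }
  done
  check_nsswitch "$3" && echo "ok: hosts/ipnodes use dns" || { echo "FAIL: hosts/ipnodes still use ldap"; rc=1; }
  return $rc
}
```

On a real client you would run `audit_client /etc/krb5/krb5.keytab /var/ldap /etc/nsswitch.ldap` after following the post; ownership (root:sys for the keytab, root:staff for the db files) is deliberately not checked here because the group names differ between systems, so compare those by hand with ls -l.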