[Freeipa-users] IPA client installation for Solaris 11.

Rob Crittenden rcritten at redhat.com
Thu Apr 10 17:04:09 UTC 2014


Dmitri Pal wrote:
> On 04/10/2014 12:18 PM, quest monger wrote:
>> Sorry about that. So I am looking at the Solaris 10 client
>> documentation here -
>> http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>
>>
>> It says do the following on Solaris client -
>>
>>     ldapclient manual
>>     ...
>>     -a proxyPassword={NS1}fbc123a92116812
>>     ...
>>
>>
>> What's that proxyPassword for?
>>
>
> I suspect that it is a password that corresponds to the proxy user.
> The client component on Solaris (pure speculation on my side) seems to
> use a proxy user to connect to the LDAP server and do some operations for the
> host. It is similar to SSSD but SSSD does not use passwords, it uses
> keytabs if it talks to IPA.

There are a number of different profile levels available, see 
http://docs.oracle.com/cd/E23824_01/html/821-1455/ldapsecure-66.html#ldapsecure-74

proxy is usually a shared account that the Solaris box uses to 
authenticate to the LDAP server.

> Solaris uses passwords but to prevent them from being stored in
> configuration in the clear they are "obfuscated" with the NS1 method
> http://stuff.iain.cx/2008/05/03/ns103eb2365be169abbe3a45088a10a/
> I suspect there should be some tool on Solaris that takes a password and
> creates an obfuscated string like this.

I didn't experiment using a proxy password inside a profile. I'll bet 
that if you manually enroll a client then you can dig out the password 
on that local system and store that in the profile.

There is also a self level which uses Kerberos. I've never used it 
myself (it may be newer than my experience with Solaris) but there are 
some fairly detailed docs on it at 
http://docs.oracle.com/cd/E23824_01/html/821-1455/clientsetup-49.html#gdzpl

rob
>
> Thanks
> Dmitri
>
>> Thanks.
>>
>>
>>
>> On Thu, Apr 10, 2014 at 12:09 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>
>>     On 04/10/2014 11:41 AM, quest monger wrote:
>>>     Thanks Rob, those bug reports help.
>>>     One more question, in the official Solaris 10 documentation, I
>>>     see this stuff -
>>>
>>>     -a proxyPassword={NS1}fbc123a92116812
>>>     userPassword::e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
>>>
>>>     Is there a way to generate that password hash for a new password?
>>>     I think that should be part of the documentation, don't want all
>>>     Solaris IPA users to be using the same password and corresponding
>>>     hash.
>>>
>>     Can you rephrase the question?
>>     It is unclear what hash you are asking about.
>>     If you are using IPA you do not need local password hashes.
>>
>>
>>>     Thanks.
>>>
>>>
>>>
>>>
>>>     On Wed, Apr 9, 2014 at 4:36 PM, Rob Crittenden
>>>     <rcritten at redhat.com> wrote:
>>>
>>>         quest monger wrote:
>>>
>>>
>>>             I have read through the official documentation here for
>>>             Solaris-10 -
>>>             http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html
>>>             I have found a few web posts on how to make it work for
>>>             Solaris-11.
>>>             Have any of you tried adding a Solaris-11 host to an
>>>             existing IPA
>>>             server? If so, do you have any
>>>             documentation/how-tos/instructions that I
>>>             could use to do the same? Any help is appreciated.
>>>             I am trying to do this so I can centralize SSH
>>>             authentication for all
>>>             my Solaris-11 and Linux hosts.
>>>
>>>
>>>         That is pretty much all we've got. There is a bug open with
>>>         some documentation updates,
>>>         https://bugzilla.redhat.com/show_bug.cgi?id=815533 and some
>>>         more in https://bugzilla.redhat.com/show_bug.cgi?id=801883
>>>
>>>         We use sssd to help with centralized SSH auth so it probably
>>>         won't work as smoothly on Solaris as it does on sssd-based
>>>         Linux systems. See sss_ssh_authorizedkeys(1) and
>>>         sss_ssh_knownhostsproxy(8).
>>>
>>>         This document describes how it works in IPA
>>>         http://www.freeipa.org/images/1/10/Freeipa30_SSSD_OpenSSH_integration.pdf
>>>
>>>         rob
>>>
>>>
>>>
>>>
>>>     _______________________________________________
>>>     Freeipa-users mailing list
>>>     Freeipa-users at redhat.com
>>>     https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>     --
>>     Thank you,
>>     Dmitri Pal
>>
>>     Sr. Engineering Manager IdM portfolio
>>     Red Hat, Inc.
>>
>>
>>
>>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
>

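An added example, not part of the original thread: the userPassword value quoted above is base64 whose decoded text begins with {SSHA}, i.e. a salted SHA-1 hash written in LDIF form. The Python sketch below builds a value in that same format for a new password with a fresh random salt and checks it; the function names and the sample password are constructed for illustration, and the separate {NS1} proxyPassword obfuscation is not covered.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt for every password
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def to_ldif(ssha_value: str) -> str:
    """LDIF marks a base64-encoded attribute value with a double colon."""
    encoded = base64.b64encode(ssha_value.encode("ascii")).decode("ascii")
    return "userPassword:: " + encoded


def from_ldif(line: str) -> str:
    """Recover the '{SSHA}...' string from a 'userPassword::' LDIF line."""
    attr, sep, b64 = line.partition("::")
    if attr.strip() != "userPassword" or not sep:
        raise ValueError("not a base64 userPassword line")
    return base64.b64decode(b64.strip()).decode("ascii")


def check_ssha(password: str, ssha_value: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if not ssha_value.startswith(SCHEME):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(ssha_value[len(SCHEME):])
    digest, salt = raw[:20], raw[20:]  # a SHA-1 digest is 20 bytes
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample password, not a value from the documentation.
    line = to_ldif(make_ssha("constructed-proxy-secret"))
    print(line)
    print(check_ssha("constructed-proxy-secret", from_ldif(line)))
```

Because the salt is random, every run yields a different value for the same password, so each deployment can carry its own hash instead of the one printed in the documentation.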


