[Freeipa-users] Also attempting to integrate Solaris 10 clients with freeipa

Tue Apr 28 18:23:19 UTC 2015

On 04/28/2015 02:12 PM, Roderick Johnstone wrote:
> On 23/04/15 14:14, Rob Crittenden wrote:
>> Roderick Johnstone wrote:
>>> On 23/04/15 04:25, Rob Crittenden wrote:
>>>> Roderick Johnstone wrote:
>>>>> On 22/04/15 14:30, Dmitri Pal wrote:
>>>>>> On 04/21/2015 01:13 PM, Roderick Johnstone wrote:
>>>>>>> Hi
>>>>>>>
>>>>>>> I also need to integrate Solaris 10 clients with freeipa servers.
>>>>>>>
>>>>>>> I've been round many resources, eg freeipa wiki, Fedora and Red Hat
>>>>>>> manuals, various bug trackers and the freeipa-users mailing list.
>>>>>>>
>>>>>>> It looks to me as if this:
>>>>>>> https://www.redhat.com/archives/freeipa-users/2013-January/msg00030.html 
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> might be the best guide available, although I'm not sure what 
>>>>>>> changes
>>>>>>> I might need to make because I'm actually on Solaris 10 rather than
>>>>>>> 11.
>>>>>>>
>>>>>>> Can anyone advise please?
>>>>>>>
>>>>>>> There is a comment in the above post:
>>>>>>> "Make sure that the automount maps in ipaserver is named auto_* and
>>>>>>> NOT auto.* so they are compatible with Solaris name standards."
>>>>>>>
>>>>>>> My automount maps are already called eg auto.master, auto.home 
>>>>>>> on my
>>>>>>> ipa server and I'm sure I've seen a post somewhere suggesting an
>>>>>>> attributeMap can fix this issue, but I can't find it now, so 
>>>>>>> maybe I
>>>>>>> am mistaken.
>>>>>>>
>>>>>>> Am I on the right track? Is anyone familiar with that fix.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> Roderick Johnstone
>>>>>>>
>>>>>> We are not strong in Solaris so you really need to search user 
>>>>>> archives
>>>>>> or wait for someone who accomplished Solaris integration to chime in
>>>>>> here on the list.
>>>>>>
>>>>>
>>>>> Dmitri
>>>>>
>>>>> I had gathered that from previous postings to the list and was indeed
>>>>> hoping that one of the Solaris experts might comment.
>>>>>
>>>>> By the way, there are various suggestions on the list of putting the
>>>>> best Solaris instructions on the wiki. Is that still a 
>>>>> possibility? I'd
>>>>> be happy to help, but I'm not experienced with connecting Solaris 
>>>>> to ipa
>>>>> yet!
>>>>>
>>>>> Roderick
>>>>>
>>>>
>>>> A few weeks back I added what I thought were the most relevant threads
>>>> and pointers. The mailing list thread you refer to was converted into
>>>> some documentation bugs and tickets. I referenced those at
>>>> http://www.freeipa.org/page/ConfiguringUnixClients#Additional_Resources 
>>>>
>>>>
>>>> If there is anything I can improve here just let me know.
>>>
>>> Rob
>>>
>>> This page has expanded since I was searching a few weeks ago. Thanks 
>>> for
>>> that. I understand that the project has no direct Solaris expertise.
>>>
>>> There are some things that could be made easier to follow and others
>>> that seem inconsistent with the mailing list thread that I found. Maybe
>>> some are just different ways of doing the same thing.
>>>
>>> I started to point some some differences in this email, but its 
>>> probably
>>> best if I go through the mailing list link that I found and the web 
>>> page
>>> you referenced, systematically, and list what the differences are. I'll
>>> be in touch when I have done that.
>>>
>>> In the meantime I noticed a few of small html link issues on the web
>>> page you referenced...
>>>
>>> 1) Under the section Solaris 8/9/10 / Configuring Client Authentication
>>> the link to the reference files in /var/ldap
>>> (http://www.freeipa.com/page/ConfiguringUnixClients#Client_Configuration_Files), 
>>>
>>> for me,  resolves to the top level "Open Source Community page"
>>> http://community.redhat.com/software/. I do however see the files
>>> correctly linked from the section "Client Configuration Files" at 
>>> bottom
>>> of the page.
>>
>> Fixed.
>>
>>>
>>> 2) There is the same issue for the links to the nsswitch.conf and
>>> pam.conf files linked in items 2 and 4 below the above - sorry, its 
>>> hard
>>> to describe well where these links are.
>>
>> Fixed, and fixed a couple of similar issues in other OS's.
>>
>>> And it would be good if the patch ("Patch to update Solaris
>>> documentation") that is referred to in Solaris 8/9/10 / Additional
>>> resources could be applied to the original document and the patched
>>> document made available, or at least the information in it.
>>
>> Unfortunately the upstream doc project that this is patched against was
>> discontinued. The patch is mostly interesting for the two tickets it
>> links to.
>>
>> rob
>>
>
> Rob
>
> Sorry to be slow getting back on this.
>
> Thanks for fixing those links in the existing web page.
>
> It seems that the existing page and the mailing list thread that I 
> found are doing slightly different things in rather different ways. 
> The mailing list thread is more focused on using the DUAprofile and 
> tls encrypted connections to the ldap server as well as filling in 
> some more details of other parts of the Solaris configuration that are 
> necessary for other features.
>
> I think it would be good to have the prescription from the mailing 
> list also in the wiki to help others that come along. I'll not be in a 
> position to try to join a Solaris host to my ipa server until next 
> week at the earliest, but it is a priority for me, so when other 
> things stop getting in the way I'll definitely be doing this.
>
> I'll document what I do following the prescription in the mailing 
> list, for myself, and maybe this can all be made this into a new wiki 
> page. I would be happy to lead on writing the page (and giving 
> references where appropriate) if I had access, but realise that I 
> might not be able to get that access.

We can arrange that and give you permissions. Thank you for your desire 
to document this. It is really appreciated.
Please send me an email off list to set things up when you are ready.

>
> Thanks
>
> Roderick
>
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.