On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not,
> is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and
> Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step
procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

> ________________________________________
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on.
> :)
>
> I also made an auto.home map in IPA Server to set the home directory
> automounts right.
>
> And I almost forgot my Solaris version is 11 11/11.
>
> Regards,
> Johan.
> ________________________________________
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the
> entire LDAP server for your automount maps. The automountmap rules in the DUA
> profile will help with that. You'll also run into issues if you attempt to
> have several automount locations without having specified which one to use
> with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to
> your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the
> domain id used on your NFS server to get rid of the nobody:nobody default
> mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
>> NS_LDAP_SEARCH_BASEDN= dc=home
>> NS_LDAP_AUTH= none
>> NS_LDAP_SEARCH_REF= TRUE
>> NS_LDAP_SEARCH_TIME= 15
>> NS_LDAP_PROFILE= default
>> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
>> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
>> NS_LDAP_BIND_TIME= 5
>> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>>
>> Thinking it has to do with missing automountmap in default DUAProfile.
>> Automount still works though but takes time during login and everything is
>> nobody:nobody :)
>>
>> ________________________________________
>> From: Sigbjorn Lie [sigbj...@nixtra.com]
>> Sent: Thursday, December 20, 2012 10:13
>> To: Johan Petersson
>> Cc: freeipa-users@redhat.com
>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>
>> Hi,
>>
>> This is interesting. When I tested Solaris 11 ssh worked, and su - testuser
>> worked. However console login did not work giving some PAM errors.
>>
>> Could you please share your entire pam.conf file?
>>
>> Is this Solaris 11 or Solaris 11.1?
>>
>> Regards,
>> Siggi
>>
>> On Thu, December 20, 2012 09:40, Johan Petersson wrote:
>>
>>> I have now managed to use a Solaris 11 system as a client to IPA Server.
>>> su - testuser works ssh works and console login works. I get a delay before
>>> getting the prompt through ssh though and maybe from console too, probably
>>> something about autofs. Going to see if I can increase log information
>>> (Solaris newbie). To get it to work I mainly followed Sigbjorn Lie's
>>> instructions for Solaris 10 in earlier posts here. I also used the
>>> /etc/pam.conf configuration example from the Solaris 10 client guide on
>>> Free IPA. I stuck with the default DUAProfile for now and use a NFS4
>>> Kerberos share for home directories with autofs. Going to try the other
>>> DUAProfile too from Bug 815515 and hopefully I can get everything working.
>>>
>>> ________________________________________
>>> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com]
>>> on behalf of Dmitri Pal [d...@redhat.com]
>>> Sent: Tuesday, December 18, 2012 17:50
>>> To: freeipa-users@redhat.com
>>> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>>>
>>> On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
>>>
>>>> On Tue, December 18, 2012 08:28, Johan Petersson wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> We are implementing IPA Server and are going to need to be able to
>>>>> authenticate properly with a number of Solaris 11 servers. I have browsed
>>>>> the archives and found a few threads mentioning some problems with
>>>>> Solaris 11 and IPA Server. Does anyone know if the issue has been solved?
>>>>>
>>>> I don't think there are any problems with Solaris 11 except that nobody
>>>> has yet sat down and figured out how to configure it as an IPA client.
>>>>
>>>> I had a go at it a while ago (some of the posts you've probably found),
>>>> and found that there were enough differences in the LDAP/Kerberos client
>>>> between Solaris 10 and Solaris 11 for making it work with the setup guide
>>>> I've created for Solaris 10. And there was a need for further
>>>> investigation for finding out how to configure Solaris 11 as an IPA
>>>> client.
>>>>
>>>> I've not looked into this further as we do not use Solaris 11 yet.
>>>>
>>>> I don't know if anyone else has had time to sit down and have a crack at
>>>> this?
>>>>
>>> And we would like to hear about this effort.
>>> If it produces instructions we would like to put them on the wiki.
>>> If it produces bugs we would investigate them.
>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>> --
>>> Thank you,
>>> Dmitri Pal
>>>
>>> Sr. Engineering Manager for IdM portfolio
>>> Red Hat Inc.
>>>
>>> -------------------------------
>>> Looking to carve out IT costs?
>>> www.redhat.com/carveoutcosts/

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
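
Added example (not part of the original thread and not FreeIPA or Solaris tooling): a shell check for the two client-side gaps discussed above, namely automount service search descriptors missing from the LDAP client profile and an empty nfsmapid_domain. The service names auto_master and auto_home, the helper names, and the sample input are assumptions constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Reads text in the format of `ldapclient list` and `sharectl get nfs`
# as quoted in the thread. All sample data below is constructed.

# Print each service named in "$@" that has no
# NS_LDAP_SERVICE_SEARCH_DESC entry in the profile text on stdin.
missing_ssd() {
    awk -v want="$*" '
        /^NS_LDAP_SERVICE_SEARCH_DESC=/ {
            sub(/^[^=]*= */, "")     # drop the attribute name and "= "
            split($0, kv, ":")       # service name precedes the first ":"
            have[kv[1]] = 1
        }
        END {
            n = split(want, svc, " ")
            for (i = 1; i <= n; i++)
                if (!(svc[i] in have)) print svc[i]
        }'
}

# Print the nfsmapid_domain value found on stdin; return 1 when the
# property is absent or empty (the nobody:nobody symptom in the thread).
nfsmapid_domain() {
    val=$(sed -n 's/^nfsmapid_domain=//p' | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Constructed sample: the default profile from the thread, which carries
# descriptors for passwd and group only.
sample_ldapclient() {
    cat <<'EOF'
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
EOF
}

# auto_master and auto_home are assumed descriptor names for this demo.
sample_ldapclient | missing_ssd passwd group auto_master auto_home |
    sed 's/^/no search descriptor for: /'
printf 'nfsmapid_domain=\n' | nfsmapid_domain ||
    echo "nfsmapid_domain is unset"
```

On a live client the same functions can be fed from `ldapclient list` and `sharectl get nfs` instead of the constructed samples.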