Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 01/04/2013 05:27 AM, Johan Petersson wrote:
> Here are the instructions for an IPA Server Solaris 11 client configuration with secure bind and a custom DUAProfile.
> Everything works as far as I have been able to test. Console login works, su - and ssh.

Thank you Johan!
We will put it onto the wiki.
It seems that it is a good opportunity to refine our client configuration guide a bit.

Thanks
Dmitri

> Configuration done on the IPA Server.
>
> Create a DUAConfigProfile solaris_authssl.ldif
>
> dn: cn=solaris_authssl,ou=profile,dc=example,dc=com
> objectClass: top
> objectClass: DUAConfigProfile
> cn: solaris_authssl
> authenticationMethod: tls:simple
> bindTimeLimit: 5
> credentialLevel: proxy
> defaultSearchBase: dc=example,dc=com
> defaultSearchScope: one
> defaultServerList: ipaserver.example.com
> followReferrals: TRUE
> objectclassMap: shadow:shadowAccount=posixAccount
> objectclassMap: printers:sunPrinter=printerService
> profileTTL: 6000
> searchTimeLimit: 10
> serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
> serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
> serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
> serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
>
> Add the ldif to ipaserver:
>
> ldapadd -h ipaserver.example.com -x -W -D "cn=Directory Manager" -vvv -f solaris_authssl.ldif
>
> Create an account to use for authentication:
>
> ldapmodify -a -h ipaserver.example.com -D "cn=Directory Manager" -W
>
> dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
> objectClass: account
> objectClass: simpleSecurityObject
> objectClass: top
> uid: solaris
> userPassword: setyourpasswordhere
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa host-add-managedby --host ipaserver.example.com solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Make sure that the automount maps in ipaserver are named auto_* and NOT auto.* so they are compatible with Solaris name standards.
>
> certutil -N -d .
>
> openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem
>
> certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /(directory of generated cert8.db and key3.db)
>
> scp the keytab to the solaris host /etc/krb5/krb5.keytab and scp the *.db to the solaris host /var/ldap/
>
>
> Solaris host configuration:
>
> Make sure to secure the krb5.keytab properly.
> chown root:sys krb5.keytab
> chmod 600 krb5.keytab
>
> Secure the *.db files created by certutil on IPA Server earlier.
>
> chown root:staff /var/ldap/*.db
> chmod 444 /var/ldap/*.db
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> ldapclient -v init \
> -a profileName=solaris_authssl \
> -a domainName=example.com \
> -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
> -a proxyPassword="setyourpasswordhere" \
> -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
> -w yourpasswordagain \
> ipaserver.example.com
>
> Enable ntp client:
>
> Add serverlist to /etc/inet/ntp.client and rename it to ntp.conf
>
> Example:
> server ipaserver.example.com iburst
>
> svcadm restart ntp
>
> To see it is running properly:
>
> svcs ntp
>
> To see what servers you are using:
>
> ntpq -p
>
> Edit /etc/krb5/krb5.conf:
>
> krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
>
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
>
> Pam configuration changed slightly in Solaris 11.1.
> It is still possible to use /etc/pam.conf as before if preferable.
>
> Pam configuration in /etc/pam.d/
>
> login:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
>
> other:
>
> auth definitive pam_user_policy.so.1
> auth requisite pam_authtok_get.so.1
> auth required pam_dhkeys.so.1
> auth required pam_unix_cred.so.1
> auth sufficient pam_krb5.so.1
> auth required pam_unix_auth.so.1
>
> account requisite pam_roles.so.1
> account definitive pam_user_policy.so.1
> account required pam_unix_account.so.1
> account required pam_krb5.so.1
> account required pam_tsol_account.so.1
>
> pas
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
privacy # RPCSEC_GSS

Do not forget to set nfsmapid_domain to your domain to avoid nobody:nobody permission issues with NFS.

sharectl set -p nfsmapid_domain=home nfs

To see if it is properly set:

sharectl get nfs

Regards,
Johan.

From: Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 25, 2012 16:52
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
> Console login works, su - and ssh.
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
> This can probably be solved by someone with more extensive experience of Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or Client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
>
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser ipaserver.example.com:/home/testuser

Thank you!
Dmitri

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
How about enabling the firewall, and use tcpdump on the ipa server or snoop on the Solaris box to see where it stops and waits?

Rgds
Siggi

Johan Petersson wrote:
>Forgot to add the ports opened in my last message. :)
>
>22 TCP
>80 TCP
>443 TCP
>389 TCP
>636 TCP
>7389 TCP
>88 TCP,UDP
>464 TCP,UDP
>53 TCP,UDP
>123 TCP,UDP
>111 TCP,UDP
>2049 TCP,UDP
>
>Also tried 749,750 and everything kerberos related from Solaris /etc/services.
>Solaris.example.com and solaris2.example.com is the same machine, just a typo from me when editing the log for publishing.
>
>Regards,
>Johan
>
>From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
>Sent: Friday, December 28, 2012 13:40
>To: Sigbjorn Lie
>Cc: freeipa-users@redhat.com
>Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>Hi,
>
>I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:
>
>Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
>Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server
>
>If I disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables.
>However, I have all the ports enabled and Red Hat clients work with the firewall on.
>Clearly Solaris is using some secret other port(s) that is not mentioned.
>I have tried with 749 and 750 tcp and udp with no difference.
>
>Regards,
>Johan.
>
>____________
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Wednesday, December 26, 2012 18:56
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>Cool. :)
>
>What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?
>
>
>Rgds
>Siggi
>
>Johan Petersson wrote:
>Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
>Thank you for that help!
>I did not even think that it was that simple. :)
>
>Now everything works for the more secure client configuration on Solaris 11.
>The only thing left to investigate is why there is a delay now for the IPA users.
>I get the message: Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until I get a prompt.
>
>Regards,
>Johan.
>
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Wednesday, December 26, 2012 17:10
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
>The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
>
>Rgds
>Siggi
>
>Johan Petersson wrote:
>
>Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
>Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
>I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
>root@solaris2:~# ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
>NS_LDAP_BINDPASSWD= {XXX}XX
>NS_LDAP_SERVERS= server.example.org
>NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
>NS_LDAP_AUTH= tls:simple
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_SCOPE= one
>NS_LDAP_SEARCH_TIME= 10
>NS_LDAP_CACHETTL= 6000
>NS_LDAP_PROFILE= solaris_authssl1
>NS_LDAP_CREDENTIAL_LEVEL= proxy
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Forgot to add the ports opened in my last message. :)

22 TCP
80 TCP
443 TCP
389 TCP
636 TCP
7389 TCP
88 TCP,UDP
464 TCP,UDP
53 TCP,UDP
123 TCP,UDP
111 TCP,UDP
2049 TCP,UDP

Also tried 749,750 and everything kerberos related from Solaris /etc/services.
Solaris.example.com and solaris2.example.com is the same machine, just a typo from me when editing the log for publishing.

Regards,
Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
Sent: Friday, December 28, 2012 13:40
To: Sigbjorn Lie
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

> Hi,
>
> I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:
>
> Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
> Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server
>
> If I disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables.
> However, I have all the ports enabled and Red Hat clients work with the firewall on.
> Clearly Solaris is using some secret other port(s) that is not mentioned.
> I have tried with 749 and 750 tcp and udp with no difference.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Wednesday, December 26, 2012 18:56
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Cool. :)
>
> What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?
>
> Rgds
> Siggi
>
> Johan Petersson wrote:
> Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
> Thank you for that help!
> I did not even think that it was that simple. :)
>
> Now everything works for the more secure client configuration on Solaris 11.
> The only thing left to investigate is why there is a delay now for the IPA users.
> I get the message: Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until I get a prompt.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Wednesday, December 26, 2012 17:10
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
> The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
> Rgds
> Siggi
>
> Johan Petersson wrote:
>
> Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
> Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
> I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
> root@solaris2:~# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
> NS_LDAP_BINDPASSWD= {XXX}XX
> NS_LDAP_SERVERS= server.example.org
> NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
> NS_LDAP_AUTH= tls:simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 10
> NS_LDAP_CACHETTL= 6000
> NS_LDAP_PROFILE= solaris_authssl1
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
> NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
> root@so
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

I am getting these messages in my log when setting all instances of pam_krb5.so.1 debug in /etc/pam.d/other, /etc/pam.d/login:

Dec 28 12:59:12 solaris.example.com su: [ID 737709 auth.error] unable to open connection to ADMIN server (t_error 13)
Dec 28 12:59:12 solaris2.example.com su: [ID 436431 auth.error] PAM-KRB5-AUTOMIGRATE (auth): Error while doing kadm5_init_with_skey: Communication failure with server

If I disable the firewall on my IPA Server everything works as fast as it should so clearly a firewall issue with iptables.
However, I have all the ports enabled and Red Hat clients work with the firewall on.
Clearly Solaris is using some secret other port(s) that is not mentioned.
I have tried with 749 and 750 tcp and udp with no difference.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 18:56
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

> Cool. :)
>
> What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?
>
> Rgds
> Siggi
>
> Johan Petersson wrote:
> Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
> Thank you for that help!
> I did not even think that it was that simple. :)
>
> Now everything works for the more secure client configuration on Solaris 11.
> The only thing left to investigate is why there is a delay now for the IPA users.
> I get the message: Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until I get a prompt.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Wednesday, December 26, 2012 17:10
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
> The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
> Rgds
> Siggi
>
> Johan Petersson wrote:
>
> Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
> Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
> I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
> root@solaris2:~# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
> NS_LDAP_BINDPASSWD= {XXX}XX
> NS_LDAP_SERVERS= server.example.org
> NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
> NS_LDAP_AUTH= tls:simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 10
> NS_LDAP_CACHETTL= 6000
> NS_LDAP_PROFILE= solaris_authssl1
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
> NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
> root@solaris2:~# sharectl get autofs
> timeout=600
> automount_verbose=true
> automountd_verbose=true
> nobrowse=false
> trace=2
> environment=
>
> From /var/svc/log/system-filesystem-autofs\:default.log:
>
> t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
> t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
> t4 getmapent_ldap called
> t4 getmapent_ldap: key=[ user02 ]
> t4 ldap_match called
> t4 ldap_match: key =[ user02 ]
> t4 ldap_match: ldapkey =[ user02 ]
> t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
> t4 ldap_match: __ns_ldap_list FAILED (2)
> t4 ldap_match: no entries found
> t4 ldap_match called
> t4 ldap_match: key =[ \2a ]
> t4 ldap_match: ldapkey =[ \2a ]
> t4 ldap_match: Reques
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Cool. :)

What do you see if you turn on pam debugging by touching /etc/pam_debug and enabling debug logging in the syslog daemon?

Rgds
Siggi

Johan Petersson wrote:
>Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
>Thank you for that help!
>I did not even think that it was that simple. :)
>
>Now everything works for the more secure client configuration on Solaris 11.
>The only thing left to investigate is why there is a delay now for the IPA users.
>I get the message: Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until I get a prompt.
>
>Regards,
>Johan.
>
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>Sent: Wednesday, December 26, 2012 17:10
>To: Johan Petersson
>Cc: freeipa-users@redhat.com
>Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
>What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
>The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
>
>Rgds
>Siggi
>
>Johan Petersson wrote:
>
>Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
>Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
>I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
>root@solaris2:~# ldapclient list
>NS_LDAP_FILE_VERSION= 2.0
>NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
>NS_LDAP_BINDPASSWD= {XXX}XX
>NS_LDAP_SERVERS= server.example.org
>NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
>NS_LDAP_AUTH= tls:simple
>NS_LDAP_SEARCH_REF= TRUE
>NS_LDAP_SEARCH_SCOPE= one
>NS_LDAP_SEARCH_TIME= 10
>NS_LDAP_CACHETTL= 6000
>NS_LDAP_PROFILE= solaris_authssl1
>NS_LDAP_CREDENTIAL_LEVEL= proxy
>NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
>NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
>NS_LDAP_BIND_TIME= 5
>NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
>root@solaris2:~# sharectl get autofs
>timeout=600
>automount_verbose=true
>automountd_verbose=true
>nobrowse=false
>trace=2
>environment=
>
>From /var/svc/log/system-filesystem-autofs\:default.log:
>
>t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
>t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
>t4 getmapent_ldap called
>t4 getmapent_ldap: key=[ user02 ]
>t4 ldap_match called
>t4 ldap_match: key =[ user02 ]
>t4 ldap_match: ldapkey =[ user02 ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 ldap_match called
>t4 ldap_match: key =[ \2a ]
>t4 ldap_match: ldapkey =[ \2a ]
>t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
>t4 ldap_match: __ns_ldap_list FAILED (2)
>t4 ldap_match: no entries found
>t4 getmapent_ldap: exiting ...
>t4 do_lookup1: action=2 wildcard=FALSE error=2
>t4 LOOKUP REPLY : status=2
>
>The automount map is called auto.nethome
>key is: * -rw,soft server.example.org:/nethome/&
>
>Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
>Regards,
>Johan.
>
>
>From: Sigbjorn Lie [sigbj...@nixtra.com]
>
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Of course it was a simple thing like replacing auto.nethome with auto_nethome that worked.
Thank you for that help!
I did not even think that it was that simple. :)

Now everything works for the more secure client configuration on Solaris 11.
The only thing left to investigate is why there is a delay now for the IPA users.
I get the message: Your Kerberos account/password will expire in 89 days quickly but then it waits for about 20 seconds until I get a prompt.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Wednesday, December 26, 2012 17:10
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

> What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master.
>
> The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris dua profile.
>
> Rgds
> Siggi
>
> Johan Petersson wrote:
>
> Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
> Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and automount map works for Red Hat clients.
> I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS Server :)
>
> root@solaris2:~# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
> NS_LDAP_BINDPASSWD= {XXX}XX
> NS_LDAP_SERVERS= server.example.org
> NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
> NS_LDAP_AUTH= tls:simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 10
> NS_LDAP_CACHETTL= 6000
> NS_LDAP_PROFILE= solaris_authssl1
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
> NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
> root@solaris2:~# sharectl get autofs
> timeout=600
> automount_verbose=true
> automountd_verbose=true
> nobrowse=false
> trace=2
> environment=
>
> From /var/svc/log/system-filesystem-autofs\:default.log:
>
> t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
> t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
> t4 getmapent_ldap called
> t4 getmapent_ldap: key=[ user02 ]
> t4 ldap_match called
> t4 ldap_match: key =[ user02 ]
> t4 ldap_match: ldapkey =[ user02 ]
> t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
> t4 ldap_match: __ns_ldap_list FAILED (2)
> t4 ldap_match: no entries found
> t4 ldap_match called
> t4 ldap_match: key =[ \2a ]
> t4 ldap_match: ldapkey =[ \2a ]
> t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
> t4 ldap_match: __ns_ldap_list FAILED (2)
> t4 ldap_match: no entries found
> t4 getmapent_ldap: exiting ...
> t4 do_lookup1: action=2 wildcard=FALSE error=2
> t4 LOOKUP REPLY : status=2
>
> The automount map is called auto.nethome
> key is: * -rw,soft server.example.org:/nethome/&
>
> Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that.
>
> You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain dns TXT record to your DNS or set NFSMAPID_DOMAIN in /
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
What is the name of the other maps besides auto.master? You should use _ instead of . for any additional maps when you need Solaris autofs compatibility. This also needs to be reflected in the auto.master. The Linux automounter does not care about . or _ as long as the naming is consistent between the additional maps and auto.master. The default for Linux is auto.master with a . and auto_master for Solaris. Hence the auto.master mapping in the Solaris DUA profile.

Rgds
Siggi

Johan Petersson wrote:
> Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
> Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and the automount map works for Red Hat clients.
> I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS server :)
>
> root@solaris2:~# ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
> NS_LDAP_BINDPASSWD= {XXX}XX
> NS_LDAP_SERVERS= server.example.org
> NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
> NS_LDAP_AUTH= tls:simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 10
> NS_LDAP_CACHETTL= 6000
> NS_LDAP_PROFILE= solaris_authssl1
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
> NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
> NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService
>
> root@solaris2:~# sharectl get autofs
> timeout=600
> automount_verbose=true
> automountd_verbose=true
> nobrowse=false
> trace=2
> environment=
>
> From /var/svc/log/system-filesystem-autofs\:default.log:
>
> t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
> t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
> t4 getmapent_ldap called
> t4 getmapent_ldap: key=[ user02 ]
> t4 ldap_match called
> t4 ldap_match: key =[ user02 ]
> t4 ldap_match: ldapkey =[ user02 ]
> t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
> t4 ldap_match: __ns_ldap_list FAILED (2)
> t4 ldap_match: no entries found
> t4 ldap_match called
> t4 ldap_match: key =[ \2a ]
> t4 ldap_match: ldapkey =[ \2a ]
> t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
> t4 ldap_match: __ns_ldap_list FAILED (2)
> t4 ldap_match: no entries found
> t4 getmapent_ldap: exiting ...
> t4 do_lookup1: action=2 wildcard=FALSE error=2
> t4 LOOKUP REPLY : status=2
>
> The automount map is called auto.nethome
> key is: * -rw,soft server.example.org:/nethome/&
>
> Is it that Solaris automount doesn't like an asterisk (*) in an automount key?
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Got everything except automount to work with Solaris 11 and the more secure DUAProfile.
Verified that I can manually mount with krb5 on Solaris 11, ssh, su and console login works (as well as expected with no home directory) and the automount map works for Red Hat clients.
I have now tried with another directory for users (/nethome) since when trying with /home autofs made local users unavailable. They are automounted locally to /home/ from /export/home/ on Solaris for some strange reason and autofs then tried finding local users' home directories on the NFS server :)

root@solaris2:~# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= aliases:ou=aliases,ou=test,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= printers:ou=printers,ou=test,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= printers:sunPrinter=printerService

root@solaris2:~# sharectl get autofs
timeout=600
automount_verbose=true
automountd_verbose=true
nobrowse=false
trace=2
environment=

From /var/svc/log/system-filesystem-autofs\:default.log:

t4 LOOKUP REQUEST: Wed Dec 26 12:28:43 2012
t4 name=user02[] map=auto.nethome opts= path=/nethome direct=0
t4 getmapent_ldap called
t4 getmapent_ldap: key=[ user02 ]
t4 ldap_match called
t4 ldap_match: key =[ user02 ]
t4 ldap_match: ldapkey =[ user02 ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=user02)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 ldap_match called
t4 ldap_match: key =[ \2a ]
t4 ldap_match: ldapkey =[ \2a ]
t4 ldap_match: Requesting list for (&(objectClass=automount)(automountKey=\2a)) in auto.nethome
t4 ldap_match: __ns_ldap_list FAILED (2)
t4 ldap_match: no entries found
t4 getmapent_ldap: exiting ...
t4 do_lookup1: action=2 wildcard=FALSE error=2
t4 LOOKUP REPLY : status=2

The automount map is called auto.nethome
key is: * -rw,soft server.example.org:/nethome/&

Is it that Solaris automount doesn't like an asterisk (*) in an automount key?

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
> Here is my pam.conf cleaned up a bit.
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> passwd auth required pam_passwd_auth.so.1
>
> gdm-autologin account sufficient pam_allow.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
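An added illustration of the filter in Johan's trace, not code from the thread, Solaris or FreeIPA: RFC 4515 escaping turns the wildcard key `*` into `\2a`, which is exactly the `(automountKey=\2a)` the automounter logs, and the same escaping is what stops a lookup key containing `*`, `(` or `)` from changing the meaning of the filter. The map entries below are constructed.

```python
r"""RFC 4515 filter escaping for Solaris automount lookups.

Added example for this thread, not code from Solaris or FreeIPA. The autofs trace
above shows the client asking for (automountKey=\2a) when it falls back to the
wildcard key: \2a is the RFC 4515 encoding of a literal '*', so that filter matches
only an entry whose key is the single character '*', never "any key". The helpers
reproduce the encoding and evaluate filters against a small constructed map.
"""

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so an LDAP filter matches it literally (non-ASCII as UTF-8 bytes)."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def automount_filter(key: str) -> str:
    """The filter the trace logs as 'Requesting list for ...' for one map key."""
    return f"(&(objectClass=automount)(automountKey={escape_filter_value(key)}))"


def _split_assertion(assertion: str) -> list[str]:
    """Split an assertion value on unescaped '*' and decode backslash-hex escapes."""
    parts, cur, i = [], bytearray(), 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\":                      # \xx hex escape is one literal byte
            cur.append(int(assertion[i + 1:i + 3], 16))
            i += 3
        elif ch == "*":                     # an unescaped star separates substrings
            parts.append(cur.decode("utf-8"))
            cur = bytearray()
            i += 1
        else:
            cur.extend(ch.encode("utf-8"))
            i += 1
    parts.append(cur.decode("utf-8"))
    return parts


def matches(assertion: str, value: str) -> bool:
    """Server-side view: does (automountKey=<assertion>) match this stored key?
    One part is an equality match; several parts form an RFC 4511 substring match."""
    parts = _split_assertion(assertion)
    if len(parts) == 1:
        return value == parts[0]
    initial, *middle, final = parts
    if not value.startswith(initial):
        return False
    pos = len(initial)
    for piece in middle:
        idx = value.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return value.endswith(final) and len(value) - len(final) >= pos


# Constructed map: the thread's wildcard entry plus one explicit key.
AUTO_NETHOME = {
    "*": "-rw,soft server.example.org:/nethome/&",
    "admin": "-rw,soft server.example.org:/nethome/admin",
}


def search(assertion: str, entries: dict[str, str]) -> dict[str, str]:
    """Entries whose key satisfies the assertion value."""
    return {k: v for k, v in entries.items() if matches(assertion, k)}
```

Escaped, the wildcard lookup returns only the `*` entry; the raw, unescaped `*` would have been a presence match over every key in the map.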
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/24/2012 05:27 PM, Johan Petersson wrote:
> Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
> Console login works, su - and ssh.
> Home directories automounted have the correct permissions.
> The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
> This can probably be solved by someone with more extensive experience of Solaris autofs.
> I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.
>
> First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.
>
> On the IPA server or client run:
>
> ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
>
> ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
>
> Move the keytab to the Solaris machine /etc/krb5/krb5.keytab
>
> Make sure it has the proper owner and permissions:
>
> chown root:sys /etc/krb5/krb5.keytab
> chmod 700 /etc/krb5/krb5.keytab
>
> Edit /etc/nsswitch.ldap, replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:
>
> hosts: files dns
> ipnodes: files dns
>
> Edit /etc/krb5/krb5.conf:
>
> [libdefaults]
> default_realm = EXAMPLE.COM
> verify_ap_req_nofail = false
> [realms]
> EXAMPLE.COM = {
> kdc = ipaserver.example.com
> admin_server = ipaserver.example.com
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
>
> Run the ldapclient with the default DUAProfile.
> The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.
>
> ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com
>
> In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> For NFS and automount to work:
>
> In /etc/nfssec.conf enable these:
>
> krb5 390003 kerberos_v5 default - # RPCSEC_GSS
> krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
> krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
>
> sharectl set -p nfsmapid_domain=example.com nfs
>
> If autofs is not on:
>
> svcadm enable system/filesystem/autofs:default
>
> In /etc/auto_home:
>
> testuser ipaserver.example.com:/home/testuser

Thank you!
Dmitri

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Here is a step by step instruction for a Solaris 11 machine as client to an IPA server based on the default DUAProfile.
Console login works, su - and ssh.
Home directories automounted have the correct permissions.
The automount does not use wildcards since I had issues of the whole /home being grabbed by autofs and thus making local users' home directories unavailable.
This can probably be solved by someone with more extensive experience of Solaris autofs.
I am working on an instruction based on Sigbjorn Lie's DUAProfile and added security and will post it too shortly.

First make sure that the Solaris 11 machine is using the proper DNS and NTP servers.

On the IPA server or client run:

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Move the keytab to the Solaris machine /etc/krb5/krb5.keytab

Make sure it has the proper owner and permissions:

chown root:sys /etc/krb5/krb5.keytab
chmod 700 /etc/krb5/krb5.keytab

Edit /etc/nsswitch.ldap, replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:

hosts: files dns
ipnodes: files dns

Edit /etc/krb5/krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM

Run the ldapclient with the default DUAProfile.
The -a domainName=example.com is needed so that ldapclient does not stop and complain about a missing nisdomain name.

ldapclient -v init -a profilename=default -a domainName=example.com ipaserver.example.com

In Solaris 11.1 the pam configuration has changed but for simplicity I still use the /etc/pam.conf:

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1

other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1

other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1

For NFS and automount to work:

In /etc/nfssec.conf enable these:

krb5 390003 kerberos_v5 default - # RPCSEC_GSS
krb5i 390004 kerberos_v5 default integrity # RPCSEC_GSS
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS

sharectl set -p nfsmapid_domain=example.com nfs

If autofs is not on:

svcadm enable system/filesystem/autofs:default

In /etc/auto_home:

testuser ipaserver.example.com:/home/testuser

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
Sent: Saturday, December 22, 2012 13:14
To: d...@redhat.com; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi, yes of course I can document it properly as soon as I have checked everything.
I will send it to you so you can review it.

Regards,
Johan.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, December 21, 2012 23:39
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [joh
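An added check, not code from the thread, Solaris or FreeIPA: Johan's procedure leaves the keytab root-owned with mode 700, and his later profile replaces the default profile's anonymous `NS_LDAP_AUTH= none` (visible in his Dec 20 `ldapclient list`) with `tls:simple` and a proxy bind. This Python audit parses both dumps as posted (copied from the thread, abridged) and flags the weak settings; the keytab check takes the mode and uid from `os.stat`.

```python
"""Audit a Solaris `ldapclient list` dump and keytab permissions for weak settings.

Added example for this thread, not code from Solaris or FreeIPA. The two dumps are
copied (abridged) from the thread: the default DUAProfile binds anonymously without
TLS, the solaris_authssl profile uses tls:simple with a proxy bind DN.
"""
import re
import stat

DEFAULT_PROFILE_DUMP = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

AUTHSSL_PROFILE_DUMP = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=org
NS_LDAP_BINDPASSWD= {XXX}XX
NS_LDAP_SERVERS= server.example.org
NS_LDAP_SEARCH_BASEDN= dc=example,dc=org
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_PROFILE= solaris_authssl1
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=org
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=org
NS_LDAP_BIND_TIME= 5
"""

_LINE = re.compile(r"^(NS_LDAP_[A-Z_]+)=\s*(.*?)\s*$")


def parse_ldapclient_list(text: str) -> dict[str, list[str]]:
    """Map each NS_LDAP_* key to its values; repeated keys such as
    NS_LDAP_SERVICE_SEARCH_DESC accumulate in order."""
    settings: dict[str, list[str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            settings.setdefault(m.group(1), []).append(m.group(2))
    return settings


def audit(settings: dict[str, list[str]]) -> list[str]:
    """Return findings; empty for a client configured like the hardened profile."""
    findings = []
    auth = settings.get("NS_LDAP_AUTH", ["none"])[0]
    if auth == "none":
        findings.append("WARN NS_LDAP_AUTH=none: anonymous cleartext lookups, passwd/group "
                        "data is neither authenticated nor protected in transit")
    elif not auth.startswith("tls:"):
        findings.append(f"WARN NS_LDAP_AUTH={auth}: bind credentials and directory data "
                        "cross the network without TLS")
    services = {d.split(":", 1)[0] for d in settings.get("NS_LDAP_SERVICE_SEARCH_DESC", [])}
    for svc in ("automount", "auto_master"):
        if svc not in services:
            findings.append(f"INFO no serviceSearchDescriptor for {svc}: the client searches "
                            "the whole base DN for maps (the slow login seen in the thread)")
    return findings


def audit_keytab(mode: int, uid: int) -> list[str]:
    """Check st_mode/st_uid of /etc/krb5/krb5.keytab against the thread's
    chown root:sys / chmod 700; any group or other access exposes the host key."""
    findings = []
    if uid != 0:
        findings.append(f"WARN keytab owned by uid {uid}, expected root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"WARN keytab mode {stat.S_IMODE(mode):04o} grants group/other access")
    return findings


if __name__ == "__main__":
    import os
    for name, dump in (("default", DEFAULT_PROFILE_DUMP), ("solaris_authssl", AUTHSSL_PROFILE_DUMP)):
        print(name, audit(parse_ldapclient_list(dump)) or ["ok"])
    keytab = "/etc/krb5/krb5.keytab"
    if os.path.exists(keytab):  # only meaningful on the Solaris client itself
        st = os.stat(keytab)
        print(keytab, audit_keytab(st.st_mode, st.st_uid) or ["ok"])
```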
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi, yes of course I can document it properly as soon as I have checked everything.
I will send it to you so you can review it.

Regards,
Johan.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Friday, December 21, 2012 23:39
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.erro
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?
> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan

Johan,

Would you mind summarizing your Solaris 11 experience in a step by step procedure so that we can add it to wiki or Fedora docs?

Thanks
Dmitri

> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>>
>> lda
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/20/2012 07:13 PM, Johan Petersson wrote:
> Hi,
>
> Was your example of a new DUAProfile ever added to Fedora or RHEL?
> If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
> There is always the manual way otherwise I guess.
> Are Red Hat going to support RHEL clients only in IPA Server?

Red Hat has a clear support statement on the matter.

https://access.redhat.com/knowledge/articles/261973

> We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)
> Regards,
> Johan
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
> Sent: Thursday, December 20, 2012 19:03
> To: Sigbjorn Lie
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Hi,
>
> Thank you for the tip about NFSMAPID_DOMAIN
>
> It was not set properly.
> sharectl get nfs
>
> nfsmapid_domain=
>
> And by using:
> sharectl set -p nfsmapid_domain=servername nfs
>
> It was properly set.
> I must add that I prefer editing files instead of sharectl, svccfg and so on. :)
>
> I also made an auto.home map in IPA Server to set the home directory automounts right.
>
> And I almost forgot, my Solaris version is 11 11/11.
>
> Regards,
> Johan.
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 15:20
> To: Johan Petersson
> Cc: freeipa-users@redhat.com
> Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
>
> Thanks.
>
> I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.
>
> If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.
>
> Regards,
> Siggi
>
> On Thu, December 20, 2012 13:40, Johan Petersson wrote:
>> Hi,
>>
>> Here is my pam.conf cleaned up a bit.
>>
>> login auth requisite pam_authtok_get.so.1
>> login auth required pam_dhkeys.so.1
>> login auth sufficient pam_krb5.so.1 try_first_pass
>> login auth required pam_unix_cred.so.1
>> login auth required pam_unix_auth.so.1
>> login auth required pam_dial_auth.so.1
>>
>> gdm-autologin auth required pam_unix_cred.so.1
>> gdm-autologin auth sufficient pam_allow.so.1
>>
>> other auth requisite pam_authtok_get.so.1
>> other auth required pam_dhkeys.so.1
>> other auth required pam_unix_cred.so.1
>> other auth sufficient pam_krb5.so.1
>> other auth required pam_unix_auth.so.1
>>
>> passwd auth required pam_passwd_auth.so.1
>>
>> gdm-autologin account sufficient pam_allow.so.1
>>
>> other account requisite pam_roles.so.1
>> other account required pam_unix_account.so.1
>> other account required pam_krb5.so.1
>>
>> other session required pam_unix_session.so.1
>>
>> other password required pam_dhkeys.so.1
>> other password requisite pam_authtok_get.so.1
>> other password requisite pam_authtok_check.so.1 force_check
>> other password sufficient pam_krb5.so.1
>> other password required pam_authtok_store.so.1
>>
>> I am getting one error and it is for autofs.
>>
>> /var/adm/messages:
>> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>>
>> /var/svc/log/system.filesystem-autofs:default.log:
>> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
>> automount: /net mounted
>> automount: /nfs4 mounted
>> automount: no unmounts
>> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>>
>> ldapclient list
>> NS_LDAP_FILE_VERSION= 2.0
>> NS_LDAP_SERVERS= servername
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

Was your example of a new DUAProfile ever added to Fedora or RHEL?
If so I can't find any reference to it or a fix of the documentation. If not, is there a way to add it myself for my configuration?
There is always the manual way otherwise I guess.
Are Red Hat going to support RHEL clients only in IPA Server?
We will have several Linux flavours, Solaris, Windows 7/8 + Server 2012 and Mac OS X so the answer to that question is kind of interesting. :)

Regards,
Johan

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Johan Petersson [johan.peters...@sscspace.com]
Sent: Thursday, December 20, 2012 19:03
To: Sigbjorn Lie
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Hi,

Thank you for the tip about NFSMAPID_DOMAIN

It was not set properly.
sharectl get nfs

nfsmapid_domain=

And by using:
sharectl set -p nfsmapid_domain=servername nfs

It was properly set.
I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right.

And I almost forgot, my Solaris version is 11 11/11.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?

Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
> Hi,
>
> Here is my pam.conf cleaned up a bit.
>
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth sufficient pam_krb5.so.1 try_first_pass
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
>
> gdm-autologin auth required pam_unix_cred.so.1
> gdm-autologin auth sufficient pam_allow.so.1
>
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth sufficient pam_krb5.so.1
> other auth required pam_unix_auth.so.1
>
> passwd auth required pam_passwd_auth.so.1
>
> gdm-autologin account sufficient pam_allow.so.1
>
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> other account required pam_krb5.so.1
>
> other session required pam_unix_session.so.1
>
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1 force_check
> other password sufficient pam_krb5.so.1
> other password required pam_authtok_store.so.1
>
> I am getting one error and it is for autofs.
>
> /var/adm/messages:
> Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found
>
> /var/svc/log/system.filesystem-autofs:default.log:
> [ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
> automount: /net mounted
> automount: /nfs4 mounted
> automount: no unmounts
> [ Dec 20 12:24:22 Method "start" exited with status 0. ]
>
> ldapclient list
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= servername
> NS_LDAP_SEARCH_BASEDN= dc=home
> NS_LDAP_AUTH= none
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_TIME= 15
> NS_LDAP_PROFILE= default
> NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
> NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
> NS_LDAP_BIND_TIME= 5
> NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
>
> Thinking it has to do with the missing automountmap in the default DUAProfile.
> Automount still works though but takes time during login and everything is nobody:nobody :)
>
> From: Sigbjorn Lie [sigbj...@nixtra.com]
> Sent: Thursday, December 20, 2012 10:13
> To: Johan Petersson
> Cc:
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

Thank you for the tip about NFSMAPID_DOMAIN. It was not set properly:

sharectl get nfs
nfsmapid_domain=

And by using:

sharectl set -p nfsmapid_domain=servername nfs

it was properly set. I must add that I prefer editing files instead of sharectl, svccfg and so on. :)

I also made an auto.home map in IPA Server to set the home directory automounts right. And I almost forgot: my Solaris version is 11 11/11.

Regards,
Johan.

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 15:20
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: RE: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Thanks.

I'm guessing it's taking such a long time because it's looking through the entire LDAP server for your automount maps. The automountmap rules in the DUA profile will help with that. You'll also run into issues if you attempt to have several automount locations without having specified which one to use with an automountmap rule for auto master.

If you are using NFS4 you should add the _nfsv4idmapdomain DNS TXT record to your DNS or set NFSMAPID_DOMAIN in /etc/default/nfs to the same value as the domain id used on your NFS server to get rid of the nobody:nobody default mapping and enable mapping between the NFS server and the client.

Regards,
Siggi

On Thu, December 20, 2012 13:40, Johan Petersson wrote:
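As an added example (not code from the thread), a small Python audit of the `ldapclient list` and `sharectl get nfs` output posted in this thread, checking for the two conditions Siggi describes: no automount/auto_master service search descriptors, and an unset NFSv4 idmap domain; it also flags the anonymous NS_LDAP_AUTH=none bind. The expected idmap domain is a constructed parameter, and both sample outputs are constructed copies of what was posted.

```python
"""Audit Solaris ldapclient/sharectl output for the slow-login and
nobody:nobody causes discussed in the thread (added example)."""

# Constructed sample: the 'ldapclient list' output posted in the thread.
LDAPCLIENT_LIST = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
"""

# Constructed sample: 'sharectl get nfs' with the idmap domain left empty,
# as in the thread (other properties trimmed).
SHARECTL_NFS = """\
servers=16
nfsmapid_domain=
"""


def parse_kv(text):
    """Parse 'KEY= value' lines into {key: [values]}; keys may repeat."""
    out = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        out.setdefault(key.strip(), []).append(value.strip())
    return out


def audit_ldapclient(cfg):
    """Return findings for an ldapclient configuration dict from parse_kv."""
    findings = []
    auth = cfg.get("NS_LDAP_AUTH", ["none"])[0]
    if auth == "none":
        findings.append("NS_LDAP_AUTH=none: anonymous bind over plain LDAP; "
                        "a tls:simple profile with a proxy account is safer")
    # Service search descriptors are 'service:base'; index them by service.
    descs = {}
    for v in cfg.get("NS_LDAP_SERVICE_SEARCH_DESC", []):
        svc, _, base = v.partition(":")
        descs[svc] = base
    base_dn = cfg.get("NS_LDAP_SEARCH_BASEDN", ["?"])[0]
    for svc in ("automount", "auto_master"):
        if svc not in descs:
            findings.append(f"no service search descriptor for {svc}: maps "
                            f"are searched from {base_dn}, which slows login")
    return findings


def audit_nfs_idmap(sharectl_text, expected_domain):
    """Compare the client's nfsmapid_domain with the server's idmap domain."""
    domain = parse_kv(sharectl_text).get("nfsmapid_domain", [""])[0]
    if not domain:
        return [f"nfsmapid_domain is unset: NFSv4 owners map to nobody:nobody; "
                f"set it to {expected_domain}"]
    if domain != expected_domain:
        return [f"nfsmapid_domain={domain} differs from server domain "
                f"{expected_domain}: owners will map to nobody:nobody"]
    return []


if __name__ == "__main__":
    # 'example.com' is a constructed stand-in for the NFS server's domain.
    for f in audit_ldapclient(parse_kv(LDAPCLIENT_LIST)):
        print("ldapclient:", f)
    for f in audit_nfs_idmap(SHARECTL_NFS, "example.com"):
        print("nfs:", f)
```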
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

Here is my pam.conf cleaned up a bit.

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1

passwd auth required pam_passwd_auth.so.1

gdm-autologin account sufficient pam_allow.so.1

other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1

other session required pam_unix_session.so.1

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1

I am getting one error and it is for autofs.

/var/adm/messages:
Dec 20 12:56:58 servername automount[1651]: [ID 754625 daemon.error] Object not found

/var/svc/log/system.filesystem-autofs:default.log:
[ Dec 20 12:24:22 Executing start method ("/lib/svc/method/svc-autofs start"). ]
automount: /net mounted
automount: /nfs4 mounted
automount: no unmounts
[ Dec 20 12:24:22 Method "start" exited with status 0. ]

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= servername
NS_LDAP_SEARCH_BASEDN= dc=home
NS_LDAP_AUTH= none
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_PROFILE= default
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=home
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=home
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount

Thinking it has to do with missing automountmap in default DUAProfile. Automount still works though but takes time during login and everything is nobody:nobody :)

From: Sigbjorn Lie [sigbj...@nixtra.com]
Sent: Thursday, December 20, 2012 10:13
To: Johan Petersson
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
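To see why the posted login auth stack behaves the way it does (a successful pam_krb5 marked sufficient short-circuits the later pam_unix_auth, while a failed required module before it cannot be rescued by that sufficient entry), here is an added Python simulation of pam.conf(4) control flags; it is not code from the thread, and the module outcomes it evaluates are constructed inputs, since no real PAM module is loaded.

```python
"""Simulate Solaris pam.conf control-flag semantics (added example)."""
from dataclasses import dataclass

# Constructed copy of the 'login auth' stack posted in the thread.
# Format: service module_type control_flag module_path [options]
LOGIN_AUTH_STACK = """
login auth requisite  pam_authtok_get.so.1
login auth required   pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required   pam_unix_cred.so.1
login auth required   pam_unix_auth.so.1
login auth required   pam_dial_auth.so.1
"""


@dataclass
class Entry:
    service: str
    mtype: str
    flag: str
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3], tuple(parts[4:])))
    return entries


def evaluate_stack(entries, results):
    """Walk one service/type stack as pam.conf(4) describes the flags.

    results maps module name -> True/False (constructed outcomes; modules
    absent from the map count as failures). Returns (verdict, consulted),
    where consulted lists the modules actually invoked before a decision.
    """
    consulted = []
    first_required_failure = None   # required/binding failures are remembered
    saw_required = False
    saw_optional_ok = False
    for e in entries:
        ok = results.get(e.module, False)
        consulted.append(e.module)
        if e.flag in ("required", "binding"):
            saw_required = True
            if not ok:
                if first_required_failure is None:
                    first_required_failure = e.module
            elif e.flag == "binding" and first_required_failure is None:
                return "success", consulted
        elif e.flag == "requisite":
            if not ok:                       # fail at once, stop the stack
                return f"fail:{e.module}", consulted
        elif e.flag == "sufficient":
            if ok and first_required_failure is None:
                return "success", consulted  # later modules are never run
        elif e.flag == "optional":
            saw_optional_ok = saw_optional_ok or ok
    if first_required_failure:
        return f"fail:{first_required_failure}", consulted
    if saw_required or saw_optional_ok:
        return "success", consulted
    return "fail:no-module-succeeded", consulted


def login_auth(results, service="login", mtype="auth"):
    """Evaluate the posted stack for the given service/type and outcomes."""
    entries = [e for e in parse_pam_conf(LOGIN_AUTH_STACK)
               if e.service == service and e.mtype == mtype]
    return evaluate_stack(entries, results)


if __name__ == "__main__":
    ipa_user = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
                "pam_krb5.so.1": True}
    print("IPA user:", login_auth(ipa_user))
```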
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

This is interesting. When I tested Solaris 11, ssh worked, and su - testuser worked. However, console login did not work, giving some PAM errors.

Could you please share your entire pam.conf file?

Is this Solaris 11 or Solaris 11.1?

Regards,
Siggi

On Thu, December 20, 2012 09:40, Johan Petersson wrote:

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
I have now managed to use a Solaris 11 system as a client to IPA Server. su - testuser works, ssh works and console login works. I get a delay before getting the prompt through ssh though, and maybe from console too, probably something about autofs. Going to see if I can increase log information (Solaris newbie).

To get it to work I mainly followed Sigbjorn Lie's instructions for Solaris 10 in earlier posts here. I also used the /etc/pam.conf configuration example from the Solaris 10 client guide on Free IPA. I stuck with the default DUAProfile for now and use an NFS4 Kerberos share for home directories with autofs. Going to try the other DUAProfile too from Bug 815515 and hopefully I can get everything working.

From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on behalf of Dmitri Pal [d...@redhat.com]
Sent: Tuesday, December 18, 2012 17:50
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On 12/18/2012 04:06 AM, Sigbjorn Lie wrote:
> I don't know if anyone else has had time to sit down and have a crack at this?

And we would like to hear about this effort.
If it produces instructions we would like to put them on the wiki.
If it produces bugs we would investigate them.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Does Solaris 11 work as client to IPA server?
On Tue, December 18, 2012 08:28, Johan Petersson wrote:

I don't think there are any problems with Solaris 11 except that nobody has yet sat down and figured out how to configure it as an IPA client.

I had a go at it a while ago (some of the posts you've probably found), and found that there were enough differences in the LDAP/Kerberos client between Solaris 10 and Solaris 11 for making it work with the setup guide I've created for Solaris 10. And there was a need for further investigation for finding out how to configure Solaris 11 as an IPA client.

I've not looked into this further as we do not use Solaris 11 yet.

I don't know if anyone else has had time to sit down and have a crack at this?

Regards,
Siggi
[Freeipa-users] Does Solaris 11 work as client to IPA server?
Hi,

We are implementing IPA Server and are going to need to be able to authenticate properly with a number of Solaris 11 servers. I have browsed the archives and found a few threads mentioning some problems with Solaris 11 and IPA Server. Does anyone know if the issues have been solved?

Johan.