Re: [OpenIndiana-discuss] ZFS/CIFS shares in cross domains
Question for the group at large: Was true Kerberos support for CIFS ever added? It's tough to tell because the old OpenSolaris documentation/bug tracking has been largely taken down. Here's one of the old references I can find:

http://arc.opensolaris.org/caselog/PSARC/2009/673/20091209_natalie.li

Alexei,

If you read that, you'll see that as of when it was written, the CIFS service could do pass-through auth but not true Kerberos auth. Maybe pass-through is working for members of ADS.DOMAIN.EDU but not for KRB.REALM.EDU as those users are not part of ADS.DOMAIN.EDU. Maybe some packet captures would help see what the flow actually looks like?

On Dec 12, 2011, at 10:08 PM, ale...@soemail.rutgers.edu wrote:

> Greetings,
>
> I'm trying to set up OpenIndiana 151a as a storage server, ZFS/CIFS, in a cross Realm/Domain trust infrastructure. Namely, I have an MIT Kerberos 5 server, providing realm KRB.REALM.EDU, and an Active Directory Windows 2003 server, providing domain ADS.DOMAIN.EDU, set up with a cross DOMAIN/REALM two-way trust.
>
> The OpenIndiana ZFS/CIFS server is added to the domain, ADS.DOMAIN.EDU, and allows mapping shares onto Windows 7 desktops in the domain for the domain users, for example a...@ads.domain.edu. However, the user who logs in to the same desktop as a realm user, such as a...@krb.realm.edu, appears to the ZFS/CIFS server as Guest and cannot map the shares, unlike the domain users. However, my NetApp filer, which also operates in ADS.DOMAIN.EDU, has no problem mapping the shares for both the domain and the realm accounts.
>
> Is there any limitation in ZFS/CIFS on OpenIndiana 151a that disallows access to the shares in the cross Domain/Realm two-way trust case? Any of your recommendations and advice would be appreciated.
>
> Thanks,
> Alexei

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] ZFS/CIFS shares in cross domains
I found that issue: https://www.illumos.org/issues/1087

However, that issue itself is that certain modes of access try to force Kerberos auth, not that Kerberos auth itself is broken. Do you know if the Kerberos auth issue was fixed or if they made accessing \\servername.fqdn work like \\servername (i.e. using pass-through auth)? Googling for the Nexenta support number doesn't turn anything up.

On Dec 13, 2011, at 7:44 PM, Christopher Chan christopher.c...@bradbury.edu.hk wrote:

> There is an illumos issue on this I think: #1087. A fix is available but I don't know if it has been applied to the illumos 151 tree and whether OI has packaged that.
Re: [OpenIndiana-discuss] KVM again
That list is not relevant. Joyent targeted their port strictly for Intel chips with VT-x and EPT. Basically this means you need a Nehalem or later (Westmere, Sandy Bridge) processor.

On Friday, November 4, 2011, carlopmart carlopm...@gmail.com wrote:

> On 11/04/2011 01:33 PM, alessio wrote:
>
>> I'm very interested in KVM on Openindiana. Unfortunately I don't actually have a CPU supporting KVM. I can buy a new PC, so I want to buy a system on which I can install Openindiana and run KVM. Can someone tell me which Intel CPU model works with KVM for sure? Thank you for any advice.
>
> These:
>
> - http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Virtualization_Host_Configuration_and_Guest_Installation_Guide/ch03s02.html
>
> --
> CL Martinez
> carlopmart {at} gmail {d0t} com
Re: [OpenIndiana-discuss] Questions about AD integration
Forgot to post this earlier. Here are my personal notes for getting auth to AD working:

(1) Add hostname/IP in DHCP (if applicable) and DNS

(2) Configure NTP on host (need /etc/inet/ntp.conf, copy from /etc/inet/ntp.client)

(3) pkg install pkg:/system/security/kerberos-5

(4) kclient

(5) Enable stuff

    sudo svcadm enable svc:/network/dns/client:default
    sudo svcadm enable name-service-cache
    sudo svcs -a name-service-cache

(6) Modify /etc/nsswitch.ldap

    -bash-4.0$ grep dns /etc/nsswitch.ldap
    hosts:      dns files
    ipnodes:    dns files

(7) LDAP client config:

    sudo ldapclient -v manual \
        -a credentialLevel=self \
        -a authenticationMethod=sasl/gssapi \
        -a defaultSearchBase=dc=foo,dc=com \
        -a domainName=foo.com \
        -a defaultServerList=1.2.3.4 \
        -a attributeMap=passwd:gecos=cn \
        -a attributeMap=passwd:homedirectory=unixHomeDirectory \
        -a objectClassMap=group:posixGroup=group \
        -a objectClassMap=passwd:posixAccount=user \
        -a objectClassMap=shadow:shadowAccount=user \
        -a serviceSearchDescriptor=passwd:cn=users,dc=foo,dc=com?one \
        -a serviceSearchDescriptor=group:cn=users,dc=foo,dc=com?one
    sudo svcadm restart svc:/network/ldap/client:default

    foo.com is the domain
    1.2.3.4 is an AD server

(8) Edit /etc/pam.conf to look like this

    #
    #
    # Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
    # Use is subject to license terms.
    #
    # PAM configuration
    #
    # Unless explicitly defined, all services use the modules
    # defined in the other section.
    #
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA.  Absolute path names, as
    # present in this file in previous releases are still acceptable.
    #
    # Authentication management
    #
    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth required           pam_unix_cred.so.1
    login   auth sufficient         pam_krb5.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other   password required       pam_dhkeys.so.1
    other   password requisite      pam_authtok_get.so.1

On Mon, Mar 7, 2011 at 10:14 AM, Roy Sigurd Karlsbakk r...@karlsbakk.net wrote:

>> I want to allow users to login to servers on S10, Linux and OI using their AD accounts, but this doesn't seem to work. I can't find any AD PAM module, and I didn't have much luck with SMB. The docs said passwd should create compatible passwords after a change, but passwd didn't let me do much:
>>
>> The integration is not that complete on *solaris. With an AD account, you can connect via the SMB service, but not login locally.
>
> Are you sure this isn't doable with the LDAP PAM support?
>
> Vennlige hilsener / Best regards
>
> roy
> --
> Roy Sigurd Karlsbakk
> (+47) 97542685
> r...@karlsbakk.net
> http://blogg.karlsbakk.net/
> --
> In all pedagogy it is essential that the curriculum be presented intelligibly. It is an elementary imperative for all educators to avoid excessive use of idioms of foreign origin. In most cases adequate and relevant synonyms exist in Norwegian.
Re: [OpenIndiana-discuss] Good SLOG devices?
Next gen spec sheets suggest the X25-E will get a Power Safe Write Cache, something it does not have today. See:

http://www.anandtech.com/Show/Index/3965?cPage=5&all=False&sort=0&page=1&slug=intels-3rd-generation-x25m-ssd-specs-revealed

(Article is about X25-M, scroll down for X25-E info.)

On Tuesday, March 1, 2011, Roy Sigurd Karlsbakk r...@karlsbakk.net wrote:

>> a) do you need an SLOG at all? Some workloads (asynchronous ones) will never benefit from an SLOG.
>
> We're planning to use this box for CIFS/NFS, so we'll need an SLOG to speed things up.
>
>> b) form factor. at least one manufacturer uses a PCIe card which is not compliant with the PCIe form-factor and will not fit in many cases -- especially typical 1U boxes.
>
> The box is 4U with some seven 8x PCIe slots, so I think it should do fine.
>
>> c) driver support.
>
> That was why I asked here in the first place...
>
>> d) do they really just go straight to ram/flash, or do they have an on-device SAS or SATA bus? Some PCIe devices just stick a small flash device on a SAS or SATA controller. I suspect that those devices won't see a lot of benefit relative to an external drive (although they could theoretically drive that private SAS/SATA bus at much higher rates than an external bus -- but I've not checked into it.)
>>
>> The other thing with PCIe based devices is that they consume an IO slot, which may be precious to you depending on your system board and other I/O needs.
>
> As I mentioned above, we have sufficient slots. As for the SATA/SAS onboard controller, that was the reason I asked here in the first place.
>
> So - does anyone know a good device for this? X25-E is rather old now, so there should be better ones available..
>
> Vennlige hilsener / Best regards
>
> roy
> --
> Roy Sigurd Karlsbakk
> (+47) 97542685
> r...@karlsbakk.net
> http://blogg.karlsbakk.net/
> --
> In all pedagogy it is essential that the curriculum be presented intelligibly. It is an elementary imperative for all educators to avoid excessive use of idioms of foreign origin. In most cases adequate and relevant synonyms exist in Norwegian.

___
zfs-discuss mailing list
zfs-disc...@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
Re: [OpenIndiana-discuss] svc:/system/auditset:default Failing When Booting Zone
Looks like the non-global zone still had an older version of SUNWcs:

    pkg://openindiana.org/sun...@0.5.11,5.11-0.148:20100914T033107Z

I upgraded it to sun...@0.5.11,5.11-0.148:20101122T085724Z like the global zone and the problem is fixed. Thanks again for your help!

On Sat, Dec 18, 2010 at 10:23 PM, Albert Lee tr...@opensolaris.org wrote:

> Yes, please make sure you have sun...@0.5.11,5.11-0.148:20101122T085724Z:
>
>     # pkg info SUNWcs
>
> And you can test the auditset service manually, by running in the zone:
>
>     # SMF_FMRI=svc:/system/auditset:default sudo /lib/svc/method/svc-auditset start
>
> This should produce no output if it's working correctly.
>
> -Albert
>
> On Sat, Dec 18, 2010 at 6:48 PM, Patrick O'Sullivan ir...@insaneirish.com wrote:
>
>> Should the fix automatically work if the global zone and any non-global zones have been updated from oi147 to oi148? Mine are upgraded and I'm still seeing the error. Thanks for the help!
>>
>> On Dec 18, 2010, at 17:08, Jeppe Toustrup openindi...@tenzer.dk wrote:
>>
>>> 2010/12/18 Patrick O'Sullivan ir...@insaneirish.com:
>>>
>>>> Anyone else seeing similar messages when booting a zone? I've seen this now on two test systems, one a VM, and the other bare metal, first running oi147 and now oi148.
>>>>
>>>>     Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
>>>
>>> It is a known issue in oi_147, and should be fixed in oi_148 according to this bug: http://www.illumos.org/issues/254
>>>
>>> --
>>> Venlig hilsen / Kind regards
>>> Jeppe Toustrup (aka. Tenzer)
Re: [OpenIndiana-discuss] OpenIndiana 134+ Stable X86, rev. 11
xvm is a Xen based virtualization tool. lvm is the Linux volume management tool (that pains me even to speak of).

On Sat, Dec 18, 2010 at 10:12 AM, Roelof van der Wal r...@4top.nl wrote:

> What is the benefit of using lvm dom0 on zfs? I am not familiar with lvm dom0, but after reading some info about it, it looks the same as zfs? Just a question..
>
> -----Original message-----
> From: Alexander Sergeev [mailto:as.b...@gmail.com]
> Sent: Saturday, 18 December 2010 15:44
> To: openindiana-discuss@openindiana.org
> Subject: Re: [OpenIndiana-discuss] OpenIndiana 134+ Stable X86, rev. 11
>
> Hi Bruno,
>
> Yes, it does.
>
> Rgds
> Alex
>
>> On 16/12/2010 23:06, Alexander Sergeev wrote:
>>
>>> - ZFS zpool version 28 including 'zfs diff' and ZFS read-only pools;
>>
>> Nice news. Thanks for hard work. Does xvm Dom0 work with ZFS zpool version 28 ?
[OpenIndiana-discuss] svc:/system/auditset:default Failing When Booting Zone
Anyone else seeing similar messages when booting a zone? I've seen this now on two test systems, one a VM, and the other bare metal, first running oi147 and now oi148.

    Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
    Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
    Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
    Dec 18 12:43:55 svc.startd[1207]: system/auditset:default failed: transitioned to maintenance (see 'svcs -xv' for details)

    r...@backuptest:~# svcs -xv auditset
    svc:/system/auditset:default (Set non-/attributable audit flags in the kernel context.)
     State: maintenance since Sat Dec 18 12:43:55 2010
    Reason: Start method failed repeatedly, last exited with status 1.
       See: http://sun.com/msg/SMF-8000-KS
       See: /var/svc/log/system-auditset:default.log
    Impact: This service is not running.

    r...@backuptest:~# grep "Dec 18" /var/svc/log/system-auditset:default.log
    [ Dec 18 12:43:55 Enabled. ]
    [ Dec 18 12:43:55 Executing start method (/lib/svc/method/svc-auditset). ]
    [ Dec 18 12:43:55 Method start exited with status 1. ]
    [ Dec 18 12:43:55 Executing start method (/lib/svc/method/svc-auditset). ]
    [ Dec 18 12:43:55 Method start exited with status 1. ]
    [ Dec 18 12:43:55 Executing start method (/lib/svc/method/svc-auditset). ]
    [ Dec 18 12:43:55 Method start exited with status 1. ]

Manually restarting it, I get this in the log:

    [ Dec 18 13:40:17 Leaving maintenance because disable requested. ]
    [ Dec 18 13:40:17 Disabled. ]
    [ Dec 18 13:40:35 Enabled. ]
    [ Dec 18 13:40:35 Executing start method (/lib/svc/method/svc-auditset). ]
    Could not update kernel context (A_SETAMASK).
    [ Dec 18 13:40:35 Method start exited with status 1. ]
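An added example, not from the thread and not OpenIndiana or illumos code: a small Python scan over svc.startd syslog lines like the ones above. It counts start-method failures per service, records which services transitioned to maintenance, and singles out audit services, since a zone whose auditset service is in maintenance is running with the kernel audit flags unset. The log lines are a constructed copy of the ones posted above plus one made-up service (svc:/site/demo:default) to show the per-service grouping; the three-failure threshold is the example's own choice.

```python
"""Scan svc.startd syslog lines for SMF services whose start method keeps
failing or that dropped into maintenance, and single out audit services.
Added example for this thread; not part of OpenIndiana or illumos."""

import re
from collections import Counter

# Constructed sample: the svc.startd lines from the post, one made-up
# service (site/demo) with a single failure, and one non-startd line.
SAMPLE_LOG = """\
Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
Dec 18 12:43:55 svc.startd[1207]: system/auditset:default failed: transitioned to maintenance (see 'svcs -xv' for details)
Dec 18 12:44:02 svc.startd[1207]: svc:/site/demo:default: Method /lib/svc/method/svc-demo failed with exit status 1.
Dec 18 12:44:10 backuptest sshd[1300]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""

METHOD_FAILED = re.compile(
    r"svc\.startd\[\d+\]: (?P<fmri>\S+): Method (?P<method>\S+) "
    r"failed with exit status (?P<status>\d+)")
MAINTENANCE = re.compile(
    r"svc\.startd\[\d+\]: (?P<fmri>\S+) failed: transitioned to maintenance")


def normalize_fmri(fmri):
    """svc.startd prints FMRIs both with and without the 'svc:/' scheme."""
    return fmri[len("svc:/"):] if fmri.startswith("svc:/") else fmri


def scan_startd_log(text):
    """Return (Counter of method failures per FMRI, set of FMRIs in maintenance)."""
    failures = Counter()
    maintenance = set()
    for line in text.splitlines():
        m = METHOD_FAILED.search(line)
        if m:
            failures[normalize_fmri(m.group("fmri"))] += 1
            continue
        m = MAINTENANCE.search(line)
        if m:
            maintenance.add(normalize_fmri(m.group("fmri")))
    return failures, maintenance


def audit_services_down(maintenance):
    """FMRIs in maintenance that belong to the audit subsystem (system/audit*)."""
    return sorted(f for f in maintenance if f.startswith("system/audit"))


def findings(text, repeat_threshold=3):
    """Human-readable findings; the threshold is this example's own choice."""
    failures, maintenance = scan_startd_log(text)
    out = []
    for fmri, n in sorted(failures.items()):
        if n >= repeat_threshold:
            out.append(f"{fmri}: start method failed {n} times")
    for fmri in sorted(maintenance):
        out.append(f"{fmri}: in maintenance")
    for fmri in audit_services_down(maintenance):
        out.append(f"{fmri}: audit service down, kernel audit flags were not set")
    return out


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(findings(text)))
```

Pointed at /var/adm/messages it reports every service that hit the repeat threshold or went into maintenance; for the sample it lists auditset three times failed, in maintenance, and as an audit service that is down, while the single demo failure stays below the threshold.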
Re: [OpenIndiana-discuss] svc:/system/auditset:default Failing When Booting Zone
Should the fix automatically work if the global zone and any non-global zones have been updated from oi147 to oi148? Mine are upgraded and I'm still seeing the error. Thanks for the help!

On Dec 18, 2010, at 17:08, Jeppe Toustrup openindi...@tenzer.dk wrote:

> 2010/12/18 Patrick O'Sullivan ir...@insaneirish.com:
>
>> Anyone else seeing similar messages when booting a zone? I've seen this now on two test systems, one a VM, and the other bare metal, first running oi147 and now oi148.
>>
>>     Dec 18 12:43:55 svc.startd[1207]: svc:/system/auditset:default: Method /lib/svc/method/svc-auditset failed with exit status 1.
>
> It is a known issue in oi_147, and should be fixed in oi_148 according to this bug: http://www.illumos.org/issues/254
>
> --
> Venlig hilsen / Kind regards
> Jeppe Toustrup (aka. Tenzer)
Re: [OpenIndiana-discuss] Amnesiac LDAP Configuration
Apparently I wasn't looking at my nsswitch.conf file closely enough. Sure enough, it was getting changed on reboot. I disabled nwam and statically configured my network settings the old-school way. I rebooted, reran ldapclient, and have rebooted several times. Each time, everything is working on reboot.

Thanks for your help, everyone!

On Thu, Nov 18, 2010 at 10:55 AM, Patrick O'Sullivan ir...@insaneirish.com wrote:

> I will give my nsswitch.conf file a bit more scrutiny and see if I can get this to work as well. Still curious that ldap/client doesn't start on boot, though.
>
> On Nov 18, 2010, at 10:02, Jonathan Adams t12nsloo...@gmail.com wrote:
>
>> with a good nsswitch.conf I was able to get it working again by re-enabling the service ldap/client which seems to turn off after a reboot. I wish it wouldn't since I run a locally mirrored OpenLDAP server so that it works when I'm off site ...
>>
>> Good job I added local users before I set up the LDAP system or I'd have been real goosed over the upgrade to 147.
>>
>> Jon
>>
>> On 18 November 2010 14:56, Chris Ridd chrisr...@mac.com wrote:
>>
>>> On 18 Nov 2010, at 14:46, Patrick O'Sullivan wrote:
>>>
>>>> /var/ldap/ldap_client_file is populated correctly. Further, it's identical to the version that ldapclient backs up in the restore directory.
>>>
>>> That seemed to be the case for me as well.
>>>
>>>> /etc/nsswitch.conf looks good too.
>>>
>>> Maybe this is a different problem? But it would be interesting if your problem is solved by avoiding nwam.
>>>
>>> Cheers,
>>>
>>> Chris
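An added example, not from the thread and not OpenIndiana code: a Python check of /etc/nsswitch.conf against the lookup sources an ldapclient/Kerberos-to-AD setup depends on, so a file rewritten at boot (as nwam did here) is flagged by a script rather than by a failed login. Both nsswitch snippets are constructed for the demo, and the set of expected sources is an assumption for this kind of setup, not something the thread states.

```python
"""Flag drift in /etc/nsswitch.conf: report every database that lost a
lookup source the AD/LDAP setup needs.  Added example for this thread;
not OpenIndiana code.  The expected sources are an assumption."""

# Constructed sample: roughly what the file looks like after ldapclient ...
WORKING_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files dns
"""

# ... and after a rewrite that dropped ldap from passwd and group.
REWRITTEN_NSSWITCH = """\
passwd:     files
group:      files
hosts:      files dns
ipnodes:    files dns
"""

# Assumption for this kind of setup: each database must list these sources.
EXPECTED_SOURCES = {
    "passwd": {"ldap"},
    "group": {"ldap"},
    "hosts": {"dns"},
    "ipnodes": {"dns"},
}


def parse_nsswitch(text):
    """Return {database: [sources...]}.

    '#' comments and blank lines are skipped; status clauses such as
    [NOTFOUND=return] are dropped because they are not lookup sources."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, rest = line.split(":", 1)
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def nsswitch_drift(text, expected=EXPECTED_SOURCES):
    """Return {database: sorted missing sources} for each unmet expectation.

    An empty dict means the file still names every source we rely on."""
    dbs = parse_nsswitch(text)
    drift = {}
    for db, wanted in expected.items():
        missing = wanted - set(dbs.get(db, []))
        if missing:
            drift[db] = sorted(missing)
    return drift


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REWRITTEN_NSSWITCH
    for db, missing in nsswitch_drift(text).items():
        print(f"{db}: missing source(s) {', '.join(missing)}")
```

Run from a boot-time SMF method or cron job against the live file, a non-empty result is the cue to re-run ldapclient (or to look at whatever rewrote the file) before users notice.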
Re: [OpenIndiana-discuss] Amnesiac LDAP Configuration
I'm just going to disable nwam just in case. I won't be using it in my production setup as I will have several VLANs. I only left it on for now to do these simple tests in VMs.

On Nov 18, 2010, at 5:35, Chris Ridd chrisr...@mac.com wrote:

> On 18 Nov 2010, at 10:27, Tom Kranz wrote:
>
>> On 18 Nov 2010, at 02:41, Patrick O'Sullivan wrote:
>>
>>> I've gotten a config working where I have Kerberos auth to AD and passwd lookups via LDAP to AD. I enable it, and it works fine, but on a reboot, it stops working. Please let me know if you have any thoughts as to why this happens. (This behavior is common to both oi147 and Solaris 11 Express.)
>>
>> At this stage (after you've run ldapclient) /var/ldap/ldap_client_file should be populated with the correct values - is that the case?
>>
>> There were a couple of long-standing bugs in Solaris 10 - one of them was where the LDAP client couldn't contact an LDAP server when it came to update its configuration; it would write down a zero-byte ldap_client_file - with predictable results. The other one was when /var filled up, even for a moment, ldap_client_file would be zeroed out when doing a profile refresh. Both partly stem from LDAP client profile updates moving ldap_client_file before getting an update, and then not being able/willing to move it back again if something goes wrong.
>>
>> However, I think the problem here is - are you storing this LDAP profile in AD? The LDAP client will do a refresh of the config from the profile on the LDAP server - I suspect on boot it's trying to do a refresh, not finding a profile, and then zeroing out ldap_client_file. You need to keep an LDAP client profile in the right container in the tree because clients will poll and refresh from that profile.
>
> FWIW another possibility is that nwam is getting involved - getting the DHCP response and from the options set in that response, deciding to ignore the local nsswitch LDAP settings. A grub through the NWAM changes between 133 and 147 might bear fruit.
>
> Cheers,
>
> Chris
Re: [OpenIndiana-discuss] Amnesiac LDAP Configuration
ldap_client_file definitely isn't getting zeroed. Does your suspicion still apply in that case?

On Nov 18, 2010, at 5:27, Tom Kranz t...@siliconbunny.com wrote:

> On 18 Nov 2010, at 02:41, Patrick O'Sullivan wrote:
>
>> I've gotten a config working where I have Kerberos auth to AD and passwd lookups via LDAP to AD. I enable it, and it works fine, but on a reboot, it stops working. Please let me know if you have any thoughts as to why this happens. (This behavior is common to both oi147 and Solaris 11 Express.)
>
> At this stage (after you've run ldapclient) /var/ldap/ldap_client_file should be populated with the correct values - is that the case?
>
> There were a couple of long-standing bugs in Solaris 10 - one of them was where the LDAP client couldn't contact an LDAP server when it came to update its configuration; it would write down a zero-byte ldap_client_file - with predictable results. The other one was when /var filled up, even for a moment, ldap_client_file would be zeroed out when doing a profile refresh. Both partly stem from LDAP client profile updates moving ldap_client_file before getting an update, and then not being able/willing to move it back again if something goes wrong.
>
> However, I think the problem here is - are you storing this LDAP profile in AD? The LDAP client will do a refresh of the config from the profile on the LDAP server - I suspect on boot it's trying to do a refresh, not finding a profile, and then zeroing out ldap_client_file. You need to keep an LDAP client profile in the right container in the tree because clients will poll and refresh from that profile.
>
> Cheers,
>
> TOM
>
> --
> Tom Kranz
> Email: t...@gaeltd.com
> Skype: siliconbunny
> Mobile: 07779 149281
> Phone/fax: 01344 773240
> http://www.gaeltd.com
> http://www.linkedin.com/in/tomkranz
Re: [OpenIndiana-discuss] Amnesiac LDAP Configuration
/var/ldap/ldap_client_file is populated correctly. Further, it's identical to the version that ldapclient backs up in the restore directory.

/etc/nsswitch.conf looks good too.

On Nov 18, 2010, at 1:55, Chris Ridd chrisr...@mac.com wrote:

> On 18 Nov 2010, at 02:41, Patrick O'Sullivan wrote:
>
>> I've gotten a config working where I have Kerberos auth to AD and passwd lookups via LDAP to AD. I enable it, and it works fine, but on a reboot, it stops working. Please let me know if you have any thoughts as to why this happens. (This behavior is common to both oi147 and Solaris 11 Express.)
>>
>> Configuring ldapclient:
>>
>>     $ sudo ldapclient -v manual \
>>         -a credentialLevel=self \
>>         -a authenticationMethod=sasl/gssapi \
>>         -a defaultSearchBase=dc=osulvn,dc=net \
>>         -a domainName=osulvn.net \
>>         -a defaultServerList=ad1.osulvn.net \
>>         -a attributeMap=passwd:gecos=cn \
>>         -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>>         -a objectClassMap=group:posixGroup=group \
>>         -a objectClassMap=passwd:posixAccount=user \
>>         -a objectClassMap=shadow:shadowAccount=user \
>>         -a serviceSearchDescriptor=passwd:cn=users,dc=osulvn,dc=net?one \
>>         -a serviceSearchDescriptor=group:cn=users,dc=osulvn,dc=net?one
>>     ...
>>     System successfully configured
>>
>>     $ getent passwd userfoo
>>     userfoo:x:20002:3:User Foo:/home/userfoo:/bin/bash
>>
>> At this point I can login as userfoo with GSSAPI auth over ssh or with a password on the console. After I reboot, I can no longer login as userfoo and 'getent' returns nothing.
>
> Yes, I'm seeing the same.
>
> At the point it has lost its mojo (:-) what's in the /var/ldap/ldap_client_file and is your nsswitch.conf what it should be or has something changed them?
>
> FWIW just re-running the ldapclient command (with flags) fixes things. I have a shell script that calls it with all our local values in, which makes things a little easier.
>
> Cheers,
>
> Chris
[OpenIndiana-discuss] Amnesiac LDAP Configuration
I've gotten a config working where I have Kerberos auth to AD and passwd lookups via LDAP to AD. I enable it, and it works fine, but on a reboot, it stops working. Please let me know if you have any thoughts as to why this happens. (This behavior is common to both oi147 and Solaris 11 Express.)

Configuring ldapclient:

    $ sudo ldapclient -v manual \
        -a credentialLevel=self \
        -a authenticationMethod=sasl/gssapi \
        -a defaultSearchBase=dc=osulvn,dc=net \
        -a domainName=osulvn.net \
        -a defaultServerList=ad1.osulvn.net \
        -a attributeMap=passwd:gecos=cn \
        -a attributeMap=passwd:homedirectory=unixHomeDirectory \
        -a objectClassMap=group:posixGroup=group \
        -a objectClassMap=passwd:posixAccount=user \
        -a objectClassMap=shadow:shadowAccount=user \
        -a serviceSearchDescriptor=passwd:cn=users,dc=osulvn,dc=net?one \
        -a serviceSearchDescriptor=group:cn=users,dc=osulvn,dc=net?one
    ...
    System successfully configured

    $ getent passwd userfoo
    userfoo:x:20002:3:User Foo:/home/userfoo:/bin/bash

At this point I can login as userfoo with GSSAPI auth over ssh or with a password on the console. After I reboot, I can no longer login as userfoo and 'getent' returns nothing. I have the following log:

    Nov 17 21:29:29 oitest1 svc.startd[51]: [ID 293258 daemon.warning] libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').
    Nov 17 21:29:47 oitest1 svc.startd[9]: [ID 293258 daemon.warning] libsldap: Status: 2  Mesg: Unable to load configuration '/var/ldap/ldap_client_file' ('').

ldapclient isn't running:

    $ svcs -xv ldap/client:default
    svc:/network/ldap/client:default (LDAP client)
     State: disabled since November 17, 2010 09:29:49 PM EST
    Reason: Temporarily disabled by an administrator.
       See: http://sun.com/msg/SMF-8000-1S
       See: man -M /usr/share/man -s 1M ldap_cachemgr
    Impact: This service is not running.

Manually enabling it doesn't help matters:

    $ sudo svcadm enable ldap/client:default
    $ svcs -xv ldap/client:default
    svc:/network/ldap/client:default (LDAP client)
     State: online since November 17, 2010 09:35:40 PM EST
       See: man -M /usr/share/man -s 1M ldap_cachemgr
       See: /var/svc/log/network-ldap-client:default.log
    Impact: None.

    $ getent passwd userfoo
    $

Why does it work before reboot but then lose its mojo when I reboot?
[OpenIndiana-discuss] PAM Error (/etc/pam.conf no initial module present)
Hello all,

I successfully have gotten authentication to an AD Kerberos server working along with uid/gid resolution from AD LDAP. However, I am getting a strange PAM error and the only reference I can find for it is in the OpenSolaris PAM source code.

    r...@oitest1:~# uname -a
    SunOS oitest1 5.11 oi_147 i86pc i386 i86pc Solaris

Now, logging in from another machine:

    $ ssh user...@oitest1
    Password:
    Your Kerberos account/password will expire in 9801 days.
    Last login: Sat Nov 13 13:42:30 2010 from 10.128.6.55
    OpenIndiana     SunOS 5.11     oi_147     September 2010
    -bash-4.0$ id
    uid=20002(userfoo) gid=3(staff)
    -bash-4.0$ getent passwd userfoo
    userfoo:x:20002:3:User Foo:/home/userfoo:/bin/bash

Now, the weird part. At the time of logging in, I get the following log entry:

    Nov 13 13:45:25 oitest1 sshd[3925]: [ID 414352 auth.error] /etc/pam.conf no initial module present
    Nov 13 13:47:09 oitest1 last message repeated 3 times
    Nov 13 13:47:11 oitest1 sshd[3945]: [ID 414352 auth.error] /etc/pam.conf no initial module present

Here's my /etc/pam.conf:

    r...@oitest1:~# egrep -v ^\# /etc/pam.conf
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth required           pam_unix_cred.so.1
    login   auth sufficient         pam_krb5.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1
    other   password required       pam_dhkeys.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password sufficient     pam_krb5.so.1
    other   password required       pam_authtok_store.so.1

P.S. I also get this when logging in directly from console, except the error is associated with login instead of sshd.

Anyone have any thoughts?

Thanks in advance.
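An added example for this thread and for the pam.conf in the AD-integration notes earlier in this digest; it is not OpenIndiana or illumos code. It parses a Solaris-style pam.conf, applies the pam.conf(4) rule that a service with no entries for a module type falls back to the "other" entries, and reports which services end up with no stack at all for some module type, which is one thing worth checking when the framework logs that a module is missing. The sample text is a constructed copy of the non-comment lines posted above; the fallback rule is documented behaviour, everything else is the example's own.

```python
"""Parse a Solaris-style /etc/pam.conf and report, per service, how many
modules each management type resolves to after falling back to 'other'.
Added example for this thread; not OpenIndiana or illumos code."""

from collections import defaultdict

MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample: the non-comment lines of the pam.conf posted above.
SAMPLE_PAM_CONF = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
"""


def parse_pam_conf(text):
    """Return ({service: {type: [(control_flag, module, options)]}}, errors).

    Each line is 'service type flag module [options...]'; '#' starts a
    comment.  Lines with fewer than four fields or an unknown type are
    collected in errors as (line_number, raw_line) instead of being dropped."""
    stacks = defaultdict(lambda: defaultdict(list))
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            errors.append((lineno, raw))
            continue
        service, mtype, flag, module = fields[:4]
        stacks[service][mtype].append((flag, module, fields[4:]))
    return stacks, errors


def effective_stack(stacks, service, mtype):
    """The stack PAM would use: the service's own entries, else 'other'."""
    if mtype in stacks.get(service, {}):
        return stacks[service][mtype]
    return stacks.get("other", {}).get(mtype, [])


def missing_types(stacks, service):
    """Module types for which neither the service nor 'other' has an entry."""
    return [t for t in MODULE_TYPES if not effective_stack(stacks, service, t)]


def report(text):
    """One line per service/type with the resolved module count, plus gaps."""
    stacks, errors = parse_pam_conf(text)
    lines = []
    for service in sorted(stacks):
        for t in MODULE_TYPES:
            n = len(effective_stack(stacks, service, t))
            lines.append(f"{service:8} {t:9} {n} module(s)")
        gaps = missing_types(stacks, service)
        if gaps:
            lines.append(f"{service:8} no stack at all for: {', '.join(gaps)}")
    for lineno, raw in errors:
        lines.append(f"line {lineno}: could not parse: {raw!r}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_CONF
    print("\n".join(report(text)))
```

Run against the posted config it shows that both login and other resolve to no session stack at all; a line whose control flag and module name have run together (`requiredpam_unix_account.so.1`) is reported as unparsable rather than silently dropped, which is the failure mode a hand-edited pam.conf is most prone to.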