Bug 757725

Summary: [IPA Doc] IPA Client on Solaris 10: Insufficient steps.
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: jskeoch
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-06-21 23:17:11 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Kaushik Banerjee 2011-11-28 14:10:35 UTC
Version-Release number of selected component (if applicable):
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_an_IPA_Client_on_Solaris.html

The above doc was found insufficient while configuring Solaris 10 as an IPA client against IPA Server 2.1.

The following steps were executed to get Solaris 10 to work against the IPA Server:

LDAP CLIENT:
1. Configure the ldap client using the "ldapclient" utility as follows:

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=192.168.0.1 \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com

2. Remove "ldap" from all entries in /etc/nsswitch.conf except for "passwd:" and "group:" entries.


KERBEROS CLIENT:

3. Sync date and time with the IPA Server:

ntpdate ipaserver.example.com

4. Configure the Kerberos client as follows (or you may use "kclient" to configure this):

# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log



PAM Configuration:

5. For Kerberos authentication, the /etc/pam.conf would look like:

# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1


NFS CLIENT:

6. Use the utility "kclient" to configure the Kerberos client (you will need to add the admin principal (kadmin.local -q "addprinc testadmin/admin") on the IPA Server and edit /var/kerberos/krb5kdc/kadm5.acl to allow access).

 # kclient

Starting client setup

---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
        No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: ipaserver.example.com
ipaserver.example.com

Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function.  Both systems should run some form of time synchronization system like Network Time Protocol (NTP).

Setting up /etc/krb5/krb5.conf.

Enter the krb5 administrative principal to be used: testadmin
Obtaining TGT for testadmin/admin ...
Password for testadmin/admin:

Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
        No action performed.

Do you plan on doing Kerberized nfs ? [y/n]: y

nfs/client.example.com entry ADDED to KDC database.
nfs/client.example.com entry ADDED to keytab.

host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.

Do you want to copy over the master krb5.conf file ? [y/n]: n
        No action performed.

---------------------------------------------------
Setup COMPLETE.

7. Verify that the NFS service keytabs were successfully created:

klist -ekt /etc/krb5/krb5.keytab

8. Check that you are able to reach the NFS server:

showmount -e ipaserver.example.com

9. Check that the file /etc/nfssec.conf has the following line uncommented:

krb5            390003  kerberos_v5     default -               # RPCSEC_GSS

10. Mount the NFS share:
# mount -t nfs4 ipaserver.example.com:/ /mnt/ -o sec=krb5
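The ten steps above form one client-side procedure, and the files they leave behind are easy to get subtly wrong (an "ldap" source left on a database it should not serve, a PAM stack in the wrong order, the krb5 security mode still commented out). As an added example, not code from the bug report or from the Red Hat guide it cites, here is a small Python checker that audits copies of those files against the steps. It works on constructed samples of nsswitch.conf, krb5.conf, pam.conf and nfssec.conf embedded in the script (each carrying one deliberate slip), using the example.com realm and hostnames from the report; the sample contents and the helper names are assumptions of this example. It reports "ldap" left on databases other than passwd and group (step 2), a missing realm or KDC entry (step 4), an auth stack in which pam_krb5 sits after pam_unix_auth or an account stack without it (step 5), and a commented-out krb5 line in nfssec.conf (step 9). The verify_ap_req_nofail = false setting from step 4 is reported as a warning rather than a failure: it lets kinit succeed without checking the TGT against a host keytab, which is the only option before kclient creates that keytab in step 6 but the weaker setting afterwards.

```python
# Added example, not code from the bug report or the Red Hat guide. The samples
# below are constructed, each with one deliberate slip, and stand in for
# /etc/nsswitch.conf, /etc/krb5/krb5.conf, /etc/pam.conf and /etc/nfssec.conf.
NSSWITCH = """\
passwd:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   ldap
"""
KRB5_CONF = """\
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
        }
"""
PAM_CONF = """\
login   auth required    pam_unix_auth.so.1
login   auth sufficient  pam_krb5.so.1 try_first_pass
other   auth sufficient  pam_krb5.so.1
other   auth required    pam_unix_auth.so.1
other   account required pam_unix_account.so.1
other   account required pam_krb5.so.1
"""
NFSSEC_CONF = """\
#krb5           390003  kerberos_v5     default -       # RPCSEC_GSS
"""


def _lines(text):
    """Yield non-empty lines with trailing comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def check_nsswitch(text):
    """Step 2: return databases other than passwd/group that still list 'ldap'."""
    bad = []
    for line in _lines(text):
        db, _, sources = line.partition(":")
        if db.strip() not in ("passwd", "group") and "ldap" in sources.split():
            bad.append(db.strip())
    return bad


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {key: value}}; keys inside a realm block get a 'REALM.' prefix."""
    conf, section, block = {}, None, None
    for line in _lines(text):
        if line.startswith("["):
            section = line.strip("[]")
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][(block + "." if block else "") + key] = value
    return conf


def check_krb5(text, realm, kdc):
    """Step 4: realm and KDC must match; verify_ap_req_nofail = false is only a
    warning (needed before the host keytab exists, weaker once kclient created it)."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    problems = []
    if lib.get("default_realm") != realm:
        problems.append("default_realm is not " + realm)
    if conf.get("realms", {}).get(realm + ".kdc") != kdc:
        problems.append("no kdc = " + kdc + " for " + realm)
    if lib.get("verify_ap_req_nofail", "").lower() == "false":
        problems.append("warning: verify_ap_req_nofail = false")
    return problems


def _stack(text, service, ptype):
    """(control, module) entries of one type for a service; pam.conf falls back to 'other'."""
    entries = {service: [], "other": []}
    for line in _lines(text):
        f = line.split()
        if len(f) >= 4 and f[0] in entries and f[1] == ptype:
            entries[f[0]].append((f[2], f[3].rsplit("/", 1)[-1]))
    return entries[service] or entries["other"]


def check_pam(text, service):
    """Step 5: pam_krb5 must be 'sufficient' before pam_unix_auth (a failed 'required'
    pam_unix_auth is not rescued by a later Kerberos success) and present for account."""
    auth = _stack(text, service, "auth")
    krb = [i for i, e in enumerate(auth) if e == ("sufficient", "pam_krb5.so.1")]
    unix = [i for i, (_, m) in enumerate(auth) if m == "pam_unix_auth.so.1"]
    problems = []
    if not krb:
        problems.append("pam_krb5.so.1 is not 'sufficient' in the auth stack")
    elif unix and krb[0] > unix[0]:
        problems.append("pam_krb5.so.1 is listed after pam_unix_auth.so.1")
    if "pam_krb5.so.1" not in [m for _, m in _stack(text, service, "account")]:
        problems.append("pam_krb5.so.1 missing from the account stack")
    return problems


def check_nfssec(text):
    """Step 9: True when the 'krb5 390003 kerberos_v5' line is present and uncommented."""
    return any(line.split()[:3] == ["krb5", "390003", "kerberos_v5"] for line in _lines(text))
```

Each function returns a list of findings (empty means the file matches the steps), so on a real Solaris host the sample strings can be replaced with the contents of the corresponding /etc files and the calls dropped into a post-install check; with the samples as written, the checker flags the netgroup database, the login auth stack, the commented-out krb5 line and the verify_ap_req_nofail warning.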

Comment 4 Deon Ballard 2012-06-21 23:17:11 UTC
Closing.