Bug 757731

Summary: [IPA Doc] IPA Client on Solaris 9: Insufficient steps in doc.
Product: Red Hat Enterprise Linux 6
Reporter: Kaushik Banerjee <kbanerje>
Component: doc-Identity_Management_Guide
Assignee: Deon Ballard <dlackey>
Status: CLOSED CURRENTRELEASE
QA Contact: ecs-bugs
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: jskeoch
Target Milestone: rc
Keywords: Documentation
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-06-21 23:16:08 UTC

Description Kaushik Banerjee 2011-11-28 14:33:24 UTC
Version-Release number of selected component (if applicable):
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9.html

The above doc was found insufficient while configuring Solaris 9 as an IPA
Client against IPA Server 2.1.

The following steps were executed to get Solaris 9 to work against the IPA
Server:

LDAP CLIENT:
1. Configure the ldap client using the "ldapclient" utility as follows:

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=192.168.0.1 \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com

2. Remove "ldap" from all entries in /etc/nsswitch.conf except for "passwd:"
and "group:" entries.


KERBEROS CLIENT:

3. Sync date and time with the IPA Server
ntpdate ipaserver.example.com

4. Configure the Kerberos client as:

# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log



PAM Configuration:

5. For Kerberos authentication, the /etc/pam.conf would look like:

# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth sufficient         pam_krb5.so.1 try_first_pass
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password sufficient     pam_krb5.so.1
other   password required       pam_authtok_store.so.1


NFS CLIENT:

6. On the NFS server, configure /etc/exports as:

# cat /etc/exports
/nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)

7. ipa service-add nfs/client.example.com

8. ipa-getkeytab -s server.example.com -p nfs/client.example.com -e des-cbc-crc -k /opt/client.keytab

9. scp /opt/client.keytab to /etc/krb5/krb5.keytab on the Solaris client.

10. Uncomment the following line in /etc/nfssec.conf:

krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS

11. kinit -k nfs/client.example.com

12. Mount the NFS share as:
# mount -F nfs -o sec=krb5p server.example.com:/nfs /mnt/

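The twelve steps above, turned into a post-configuration check script. This is an added example, not part of the bug report or of the Red Hat documentation: it assumes a POSIX sh (on Solaris 9 that means /usr/xpg4/bin/sh rather than the Bourne /bin/sh) and that mktemp -d is available for the self-test; the check_* function names and the constructed sample files are mine. It verifies the four points that silently break the client when they are missed: ldap left in nsswitch.conf entries other than passwd and group (step 2), a default_realm or [realms] entry that does not match (step 4), a login auth stack that never reaches pam_krb5.so.1 (step 5), and a still-commented krb5p line in /etc/nfssec.conf (step 10).

```shell
#!/bin/sh
# Post-configuration checks for the Solaris 9 IPA client steps above.
# Added example, not from the bug report. Assumes a POSIX sh; every file path
# is passed in so the checks run on constructed samples or on the real files.

# check_nsswitch FILE  (step 2)
# "ldap" must appear on the passwd: and group: lines and on no other entry.
check_nsswitch() {
    grep '^passwd:.*ldap' "$1" >/dev/null || return 1
    grep '^group:.*ldap' "$1" >/dev/null || return 1
    # anything else still naming ldap (hosts:, services:, ...) was missed in step 2
    if grep -v '^#' "$1" | grep -v '^passwd:' | grep -v '^group:' | grep ldap >/dev/null; then
        return 1
    fi
    return 0
}

# check_krb5conf FILE REALM  (step 4)
# default_realm must be REALM and a [realms] block for REALM must exist.
check_krb5conf() {
    grep "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*\$" "$1" >/dev/null || return 1
    grep "^[[:space:]]*$2[[:space:]]*=[[:space:]]*{" "$1" >/dev/null || return 1
    return 0
}

# check_pam_login FILE  (step 5)
# The login auth stack must reach pam_krb5.so.1 before pam_unix_auth.so.1,
# otherwise Kerberos-only users are refused by the UNIX module first.
check_pam_login() {
    awk '$1=="login" && $2=="auth" && $4=="pam_krb5.so.1"      {krb=NR}
         $1=="login" && $2=="auth" && $4=="pam_unix_auth.so.1" {unx=NR}
         END {exit !(krb && unx && krb < unx)}' "$1"
}

# check_nfssec FILE  (step 10)
# The krb5p line must be uncommented, or "mount -o sec=krb5p" has no flavor to use.
check_nfssec() {
    grep '^krb5p[[:space:]]' "$1" >/dev/null
}

# report LABEL CMD ARGS...: run one check, print its result, remember failure.
report() {
    label=$1; shift
    if "$@"; then echo "$label: ok"; else echo "$label: FAIL"; rc=1; fi
}

# check_all DIR REALM: run every check on DIR/{nsswitch,krb5,pam,nfssec}.conf.
check_all() {
    rc=0
    report nsswitch.conf check_nsswitch "$1/nsswitch.conf"
    report krb5.conf     check_krb5conf "$1/krb5.conf" "$2"
    report pam.conf      check_pam_login "$1/pam.conf"
    report nfssec.conf   check_nfssec "$1/nfssec.conf"
    return $rc
}

# make_samples DIR good|broken: constructed sample files (not copies of any
# real host). "broken" reintroduces the mistakes each check is meant to catch.
make_samples() {
    extra=""; hash=""
    if [ "$2" = broken ]; then extra=" ldap"; hash="# "; fi
    cat >"$1/nsswitch.conf" <<EOF
# constructed sample
passwd:     files ldap
group:      files ldap
hosts:      files dns$extra
networks:   files
EOF
    cat >"$1/krb5.conf" <<EOF
[libdefaults]
        default_realm = EXAMPLE.COM
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
        }
EOF
    cat >"$1/nfssec.conf" <<EOF
${hash}krb5p           390005  kerberos_v5     default privacy         # RPCSEC_GSS
EOF
    {
        echo "login   auth requisite          pam_authtok_get.so.1"
        echo "login   auth required           pam_dhkeys.so.1"
        if [ "$2" != broken ]; then
            echo "login   auth sufficient         pam_krb5.so.1 try_first_pass"
        fi
        echo "login   auth required           pam_unix_auth.so.1"
        echo "login   auth required           pam_dial_auth.so.1"
    } >"$1/pam.conf"
}

# Stand-alone: no arguments demonstrates on constructed samples (mktemp -d
# assumed); "DIR REALM" checks the four files in DIR against REALM.
if [ $# -eq 0 ]; then
    tmp=$(mktemp -d) && make_samples "$tmp" good && check_all "$tmp" EXAMPLE.COM
    rm -rf "$tmp"
else
    check_all "$1" "${2:-EXAMPLE.COM}"
fi
```

On a real client the files live in different directories, so call the check_* functions directly on /etc/nsswitch.conf, /etc/krb5/krb5.conf, /etc/pam.conf and /etc/nfssec.conf; check_all expects all four in one directory and exists for the constructed samples. The checks are textual: they confirm the files say what the steps require, not that the LDAP server or KDC actually answers. kinit -k nfs/client.example.com in step 11 remains the live test of the keytab and realm configuration.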
Comment 6 Deon Ballard 2012-06-21 23:16:08 UTC
Closing.