Bug 815533
| Field | Value |
|---|---|
| Summary | RFE: Update the Solaris 10 client documentation |
| Product | [Fedora] Fedora |
| Component | freeipa |
| Version | rawhide |
| Status | CLOSED WONTFIX |
| Severity | high |
| Priority | unspecified |
| Hardware | All |
| OS | All |
| Reporter | Sigbjorn Lie <sigbjorn> |
| Assignee | Rob Crittenden <rcritten> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | abokovoy, clasohm, dpal, extras-orphan, jgalipea, mkosek, pspacek, pviktori, rcritten, rmainz, sigbjorn, ssorce |
| Keywords | Documentation, FutureFeature, Reopened |
| Doc Type | Enhancement |
| Type | Bug |
| Last Closed | 2014-10-15 10:40:17 UTC |
| Bug Blocks | 858007 |

Description
Sigbjorn Lie
2012-04-23 19:20:14 UTC
Some information about 16 groups limit: https://www.redhat.com/archives/freeipa-users/2012-May/msg00361.html

BTW, there should be one additional step before running the "ldapclient" command. Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:

~~~~~~
hosts: files dns
ipnodes: files dns
~~~~~~

This is required as the nsswitch.conf is replaced with nsswitch.ldap file when the ldapclient command is run. The machine will stall if this is not changed, as the "hosts" information is not stored in IPA's LDAP server, but rather served via DNS.

Availability of the pkcs11_softtoken_extra.so will be seen with the message "unsupported encryption type 18" instead of AES256 when a keytab from IPA is installed with default encryption types:

~~~~~~
$ klist -ket
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 03/24/12 12:03:46 host/njord-z1.test.com (unsupported encryption type 18)
   2 03/24/12 12:03:46 host/njord-z1.test.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/24/12 12:03:46 host/njord-z1.test.com (Triple DES cbc mode with HMAC/sha1)
   2 03/24/12 12:03:46 host/njord-z1.test.com (ArcFour with HMAC/md5)
~~~~~~

To install the pkcs11_softtoken_extra.so module:

~~~~~~
$ cryptoadm install provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=all
~~~~~~

Klist output should now read:

~~~~~~
$ klist -ket
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 03/24/12 12:03:46 host/njord-z1.test.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   2 03/24/12 12:03:46 host/njord-z1.test.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/24/12 12:03:46 host/njord-z1.test.com (Triple DES cbc mode with HMAC/sha1)
   2 03/24/12 12:03:46 host/njord-z1.test.com (ArcFour with HMAC/md5)
~~~~~~

I have a few comments when looking at the 6.3
beta document: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html

Step 9.a, create a nfs kerberos service when the Solaris host is going to be a NFS client. I do use NFS4+krb5, and I've never had to create a nfs service for nfs clients. Only at the nfs server. Where does this information come from? However the entire section 9 can be replaced with how to install a keytab containing the "host" entries, as that's not explained in the documentation at all.

Step 9.h is also incorrect. Using "-t nfs4" is only for old Linux clients such as RHEL 5. Solaris 10 has never used -t nfs4. The correct command line is:

~~~~~~
# mount -o vers=4,sec=krb5 ipaserver.example.com:/ /mnt/
~~~~~~

Step 1 + 2, why is an objectclassMap used for mapping posixGroup=posixgroup, and posixAccount=posixaccount? I have not done this for any of my Solaris clients. This seems unnecessary. Also all the attributeMap's in the manual config example are not required.

The example for netgroup is incorrect, Solaris clients need to use the compat tree for groups and netgroups.

Shadow is not required to be added as a separate serviceSearchDescriptor.

Upstream ticket: https://fedorahosted.org/freeipa/ticket/3731

Kicking FreeIPA doc bugs over to Martin.

This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.

Hello Sigbjorn, I looked in this bug (it was lying there for a while) and tried to summarize the updates into a functional article. However, I was not able to construct all the information here and in Bug 815515 into a meaningful article (as we discussed). For example, it is not clear how the /var/ldap directory on the master gets populated:

~~~~~~
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db
~~~~~~

In favor of preventing many round trips between us and further delays, do you think I could ask you to help us with that and update current state of the chapter? Last version is here: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I would highly appreciate either an updated chapter in a format like LibreOffice or a simple text format...
Or even better a DocBook format as the, now upstream, FreeIPA guide uses: http://www.freeipa.org/page/Contribute/Documentation

This way, we would make the Solaris doc more complete and more helpful for FreeIPA users.

The /var/ldap gets populated in the certutil commands just above the scp command.

I'll see what I can do for you regarding the doc, however if you feel that information is missing from the instructions I provided above, I don't see how copying this into a LibreOffice document will be an improvement. I suggest you just ask for the information you feel is missing.

I just reviewed the steps provided, and I believe they are still valid.

(In reply to Sigbjorn Lie from comment #13)
> The /var/ldap gets populated in the certutil commands just above the scp
> command.

I see, thanks for clarification and checking the procedure!

> I'll see what I can do for you regarding the doc, however if you feel that
> information is missing from the instructions I provided above, I don't see
> how copying this into a LibreOffice document will be an improvement. I
> suggest you just ask for the information you feel is missing.

I just meant that to increase clarity of the requested change, it may be easier to create a LibreOffice document with requested changes applied to current state of the document or (even better) a patch by following http://www.freeipa.org/page/Contribute/Documentation.

> I just reviewed the steps provided, and I believe they are still valid.

Good! We have the documentation fix request in the upstream queue. As you see in low traffic in this Bugzilla, it takes time to do documentation fixes like this one, given scarce resources in this area. In case you want to speed it up, please consider following the procedure for contribution or contacting Customer Service with prioritization request.

We had a discussion about this Bug.
While IPA on Solaris and other platforms should simply work when the standard protocols are used, in RHEL product we officially do not test, document or support IPA on Solaris platform. I am therefore moving this Bugzilla to Fedora product as upstream-only Bug to properly set the expectations and also to allow fixing the Bugzilla without forcing developers to be bound by RHEL product processes.

Hello Sigbjorn, we have taken over documentation repository recently so it is easier to contribute documentation to it. It would be great if you could contribute documentation described in this bug. Unfortunately, we have no Solaris expert in our team so this bug will rot in Bugzilla for a long time without an external contribution. Please follow http://www.freeipa.org/page/Contribute/Documentation if you are interested or contact freeipa-devel mailing list as usual. Have a nice day!

Just for reference, there was a patch contributed to this topic by rga on freeipa-devel list: https://www.redhat.com/archives/freeipa-devel/2014-April/msg00286.html

Given the discussion in this bug and that FreeIPA upstream project no longer maintains its own user guide besides the FreeIPA.org community wiki (details in http://www.freeipa.org/page/Upstream_User_Guide), I am closing this Bugzilla. Please follow or contribute in the upstream ticket: https://fedorahosted.org/freeipa/ticket/4633
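
A pre-flight check for the two pitfalls described in the comments above (the "hosts"/"ipnodes" entries in /etc/nsswitch.ldap and keytab entries shown as "unsupported encryption type 18"), as an added example that is not part of the bug report or of FreeIPA. The function names and sample inputs are constructed; a POSIX sh, sed and awk are assumed.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# Print which of the hosts/ipnodes databases still list "ldap" as a source.
# Reads an nsswitch.ldap-style file on stdin.
nss_ldap_hosts() {
    awk '$1 == "hosts:" || $1 == "ipnodes:" {
             for (i = 2; i <= NF; i++) {
                 if ($i ~ /^#/) break            # rest of the line is a comment
                 if ($i == "ldap") { print substr($1, 1, length($1) - 1); break }
             }
         }'
}

# Rewrite only the hosts and ipnodes entries to "files dns" (stdin -> stdout),
# leaving every other database line untouched.
fix_nss_hosts() {
    sed -e 's/^hosts:.*/hosts: files dns/' \
        -e 's/^ipnodes:.*/ipnodes: files dns/'
}

# From "klist -ket" output on stdin, print "<principal> <enctype number>" for
# every key the local Kerberos library cannot use.
unsupported_enctypes() {
    sed -n 's/^ *[0-9][0-9]* .* \([^ ]*\) (unsupported encryption type \([0-9]*\))$/\1 \2/p'
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_NSS='passwd: files ldap
group: files ldap
hosts: ldap [NOTFOUND=return] files
ipnodes: ldap [NOTFOUND=return] files'

SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------
   2 03/24/12 12:03:46 host/client.example.com (unsupported encryption type 18)
   2 03/24/12 12:03:46 host/client.example.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)'

echo "databases still resolved through ldap:"
printf '%s\n' "$SAMPLE_NSS" | nss_ldap_hosts
echo "after the edit:"
printf '%s\n' "$SAMPLE_NSS" | fix_nss_hosts
echo "keytab entries with an unsupported enctype:"
printf '%s\n' "$SAMPLE_KLIST" | unsupported_enctypes
```

On a client, the same functions would be fed `/etc/nsswitch.ldap` (before running ldapclient) and the output of `klist -ket`.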