Version-Release number of selected component (if applicable):
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_an_IPA_Client_on_Solaris.html

The above doc was found insufficient while configuring Solaris 10 as an IPA client against IPA Server 2.1.

The following steps were executed to get Solaris 10 to work against the IPA Server:

LDAP CLIENT:

1. Configure the ldap client using the "ldapclient" utility as follows:

    ldapclient manual \
      -a credentialLevel=anonymous \
      -a authenticationMethod=none \
      -a defaultSearchBase=dc=example,dc=com \
      -a domainName=example.com \
      -a defaultServerList=192.168.0.1 \
      -a attributeMap=group:memberuid=memberUid \
      -a attributeMap=group:gidnumber=gidNumber \
      -a attributeMap=passwd:gidnumber=gidNumber \
      -a attributeMap=passwd:uidnumber=uidNumber \
      -a attributeMap=passwd:homedirectory=homeDirectory \
      -a attributeMap=passwd:loginshell=loginShell \
      -a attributeMap=shadow:userpassword=userPassword \
      -a objectClassMap=group:posixGroup=posixgroup \
      -a objectClassMap=passwd:posixAccount=posixaccount \
      -a objectClassMap=shadow:shadowAccount=posixaccount \
      -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
      -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com

2. Remove "ldap" from all entries in /etc/nsswitch.conf except for the "passwd:" and "group:" entries.

KERBEROS CLIENT:

3. Sync date and time with the IPA Server:

    ntpdate ipaserver.example.com

4. Configure the Kerberos client as follows (or you may use "kclient" to configure this):

    # cat /etc/krb5/krb5.conf
    [libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

    [realms]
        EXAMPLE.COM = {
            kdc = ipaserver.example.com
            admin_server = ipaserver.example.com
        }

    [domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log

PAM CONFIGURATION:

5. For Kerberos authentication, the /etc/pam.conf would look like:

    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite   pam_authtok_get.so.1
    login   auth required    pam_dhkeys.so.1
    login   auth sufficient  pam_krb5.so.1 try_first_pass
    login   auth required    pam_unix_auth.so.1
    login   auth required    pam_dial_auth.so.1
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite   pam_authtok_get.so.1
    other   auth required    pam_dhkeys.so.1
    other   auth required    pam_unix_cred.so.1
    other   auth sufficient  pam_krb5.so.1
    other   auth required    pam_unix_auth.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite  pam_roles.so.1
    other   account required   pam_unix_account.so.1
    other   account required   pam_krb5.so.1
    #
    # Password construction requirements apply to all users.
    # Remove force_check to have the traditional authorized administrator
    # bypass of construction requirements.
    other   password requisite   pam_authtok_check.so.1 force_check
    other   password sufficient  pam_krb5.so.1
    other   password required    pam_authtok_store.so.1

NFS CLIENT:

6. Use the utility "kclient" to configure the Kerberos client (you will need to add the admin principal (kadmin.local -q "addprinc testadmin/admin") on the IPA Server and edit /var/kerberos/krb5kdc/kadm5.acl to allow access.)

    # kclient
    Starting client setup
    ---------------------------------------------------
    Do you want to use DNS for kerberos lookups ? [y/n]: n
    No action performed.
    Enter the Kerberos realm: EXAMPLE.COM
    Specify the KDC hostname for the above realm: ipaserver.example.com
    ipaserver.example.com
    Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).
    Setting up /etc/krb5/krb5.conf.
    Enter the krb5 administrative principal to be used: testadmin
    Obtaining TGT for testadmin/admin ...
    Password for testadmin/admin:
    Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
    No action performed.
    Do you plan on doing Kerberized nfs ? [y/n]: y
    nfs/client.example.com entry ADDED to KDC database.
    nfs/client.example.com entry ADDED to keytab.
    host/client.example.com entry ADDED to KDC database.
    host/client.example.com entry ADDED to keytab.
    Do you want to copy over the master krb5.conf file ? [y/n]: n
    No action performed.
    ---------------------------------------------------
    Setup COMPLETE.

7. Verify the nfs service keytabs are successfully created:

    klist -ekt /etc/krb5/krb5.keytab

8. Check if you are able to reach the nfs server:

    showmount -e ipaserver.example.com

9. Check if the file /etc/nfssec.conf has the following line uncommented:

    krb5 390003 kerberos_v5 default - # RPCSEC_GSS

10. Mount the nfs share:

    # mount -t nfs4 ipaserver.example.com:/ /mnt/ -o sec=krb5
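The steps above edit several Solaris client files by hand (nsswitch.conf, krb5.conf, pam.conf, nfssec.conf), and a slip in any one of them shows up only as an opaque login or mount failure. The script below is an added example, not part of the bug report or of the IPA project: a set of POSIX shell checks, one per hand-edited file, that can be pointed at the real files on the client. The sample files it creates under a mktemp directory are constructed here so it runs offline; the check names and the realm argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): offline sanity checks for the
# Solaris 10 IPA client files edited in the steps above. Each check is a
# function returning 0 (pass) or 1 (fail). The sample files at the bottom
# are constructed for the demo, not captured from a real system.

# Step 2: "ldap" may remain only on the passwd: and group: lines of
# nsswitch.conf. Prints every other non-comment line that still lists ldap.
nsswitch_ldap_leaks() {
    grep -v '^[[:space:]]*#' "$1" \
      | grep -E '(^|[[:space:]])ldap([[:space:]]|$)' \
      | grep -E -v '^(passwd|group):' || true
}
check_nsswitch() {
    [ -z "$(nsswitch_ldap_leaks "$1")" ]
}

# Step 4: krb5.conf must name the expected default realm ($2, used as a pattern).
check_krb5_realm() {
    grep -E "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$2[[:space:]]*$" "$1" >/dev/null
}

# Step 4, stricter variant: with verify_ap_req_nofail = false a client that
# has no host keytab skips verifying the KDC's reply against a local key.
# Once kclient (step 6) has installed host/ keys in /etc/krb5/krb5.keytab,
# "true" is the safer value; this check fails while the file still says false.
check_krb5_ap_req_verified() {
    ! grep -E '^[[:space:]]*verify_ap_req_nofail[[:space:]]*=[[:space:]]*false' "$1" >/dev/null
}

# Step 5: pam_krb5.so.1 must be present in the "other" auth, account and
# password stacks, otherwise Kerberos users pass one stage and fail the next.
check_pam_krb5() {
    for stack in auth account password; do
        grep -E "^other[[:space:]]+$stack[[:space:]]+(requisite|required|sufficient|optional)[[:space:]]+pam_krb5\.so\.1" "$1" >/dev/null || return 1
    done
    return 0
}

# Step 9: the krb5 RPCSEC_GSS flavour line in nfssec.conf must not be commented out.
check_nfssec_krb5() {
    grep -E '^[[:space:]]*krb5[[:space:]]+390003[[:space:]]+kerberos_v5' "$1" >/dev/null
}

# Constructed sample files for a stand-alone run.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/nsswitch.good" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   files
EOF
cat > "$SAMPLES/nsswitch.bad" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files ldap dns
EOF
cat > "$SAMPLES/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false
EOF
cat > "$SAMPLES/pam.conf" <<'EOF'
other   auth sufficient  pam_krb5.so.1
other   account required   pam_krb5.so.1
other   password sufficient  pam_krb5.so.1
EOF
cat > "$SAMPLES/nfssec.bad" <<'EOF'
#krb5 390003 kerberos_v5 default - # RPCSEC_GSS
EOF
cat > "$SAMPLES/nfssec.good" <<'EOF'
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
EOF

# Report one PASS/FAIL line per check (the real files would replace $SAMPLES/...).
report() {
    if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi
}
report check_nsswitch "$SAMPLES/nsswitch.good"
report check_nsswitch "$SAMPLES/nsswitch.bad"
report check_krb5_realm "$SAMPLES/krb5.conf" EXAMPLE.COM
report check_krb5_ap_req_verified "$SAMPLES/krb5.conf"
report check_pam_krb5 "$SAMPLES/pam.conf"
report check_nfssec_krb5 "$SAMPLES/nfssec.bad"
report check_nfssec_krb5 "$SAMPLES/nfssec.good"
```

On a real client, replace the `$SAMPLES/...` arguments with /etc/nsswitch.conf, /etc/krb5/krb5.conf, /etc/pam.conf and /etc/nfssec.conf; `nsswitch_ldap_leaks` is the useful one to run first, since it prints exactly which lines step 2 missed.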
New procedures are in place: http://documentation-stage.bne.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html
Closing.