Description (Kaushik Banerjee, 2011-11-28 14:10:35 UTC)
Version-Release number of selected component (if applicable):
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_an_IPA_Client_on_Solaris.html
The above doc was found insufficient while configuring Solaris 10 as an IPA client against IPA Server 2.1.
The following steps were executed to get Solaris 10 to work against the IPA Server:
LDAP CLIENT:
1. Configure the ldap client using the "ldapclient" utility as follows:
ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=192.168.0.1 \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
2. Remove "ldap" from all entries in /etc/nsswitch.conf except for "passwd:" and "group:" entries.
KERBEROS CLIENT:
3. Sync date and time with the IPA Server:
ntpdate ipaserver.example.com
4. Configure the Kerberos client as follows (or you may use "kclient" to configure this):
# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
PAM Configuration:
5. For Kerberos authentication, /etc/pam.conf would look like:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
NFS CLIENT:
6. Use the utility "kclient" to configure the Kerberos client (you will need to add the admin principal (kadmin.local -q "addprinc testadmin/admin") on the IPA Server and edit /var/kerberos/krb5kdc/kadm5.acl to allow access):
# kclient
Starting client setup
---------------------------------------------------
Do you want to use DNS for kerberos lookups ? [y/n]: n
No action performed.
Enter the Kerberos realm: EXAMPLE.COM
Specify the KDC hostname for the above realm: ipaserver.example.com
ipaserver.example.com
Note, this system and the KDC's time must be within 5 minutes of each other for Kerberos to function. Both systems should run some form of time synchronization system like Network Time Protocol (NTP).
Setting up /etc/krb5/krb5.conf.
Enter the krb5 administrative principal to be used: testadmin
Obtaining TGT for testadmin/admin ...
Password for testadmin/admin:
Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ? [y/n]: n
No action performed.
Do you plan on doing Kerberized nfs ? [y/n]: y
nfs/client.example.com entry ADDED to KDC database.
nfs/client.example.com entry ADDED to keytab.
host/client.example.com entry ADDED to KDC database.
host/client.example.com entry ADDED to keytab.
Do you want to copy over the master krb5.conf file ? [y/n]: n
No action performed.
---------------------------------------------------
Setup COMPLETE.
7. Verify that the NFS service keytabs were successfully created:
klist -ekt /etc/krb5/krb5.keytab
8. Check if you are able to reach the NFS server:
showmount -e ipaserver.example.com
9. Check if the file /etc/nfssec.conf has the following line uncommented:
krb5 390003 kerberos_v5 default - # RPCSEC_GSS
10. Mount the NFS share:
# mount -t nfs4 ipaserver.example.com:/ /mnt/ -o sec=krb5
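As an added example (not part of the bug report or of IPA), a POSIX shell script that checks the outcome of steps 2, 4, 7 and 9 above against constructed copies of the files; the file paths, the saved "klist -ekt" output and the sample contents are assumptions using the report's example realm and host names.

```shell
#!/bin/sh
# Added example, not part of the bug report: post-configuration checks for
# steps 2, 4, 7 and 9 above. Each check takes a file path; the sample files
# are constructed below so the script runs offline.

# Step 2: "ldap" may appear only on the passwd: and group: lines of nsswitch.conf.
nsswitch_ldap_ok() {
    bad=$(grep -v '^[[:space:]]*#' "$1" \
        | grep -E '(^|[[:space:]])ldap([[:space:]]|$)' \
        | grep -v -E '^(passwd|group):') || true
    [ -z "$bad" ]
}

# Step 4: default_realm in krb5.conf must be the expected upper-case realm.
krb5_realm_ok() {
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ "$realm" = "$2" ]
}

# Step 7: saved "klist -ekt" output must list nfs/ and host/ keys for this host.
keytab_has_service_keys() {
    for svc in nfs host; do
        grep -E "[[:space:]]$svc/$2@$3( |\$)" "$1" >/dev/null || return 1
    done
}

# Step 9: the krb5 RPCSEC_GSS line in nfssec.conf must be present and uncommented.
nfssec_krb5_ok() {
    grep -E '^[[:space:]]*krb5[[:space:]]+390003[[:space:]]+kerberos_v5' "$1" >/dev/null
}

# Constructed sample files (not captured from a real Solaris system).
tmp=$(mktemp -d)
printf 'passwd:  files ldap\ngroup:   files ldap\nhosts:   files dns\n' > "$tmp/nsswitch.ok"
printf 'passwd:  files ldap\ngroup:   files ldap\nhosts:   files ldap dns\n' > "$tmp/nsswitch.bad"
printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n' > "$tmp/krb5.conf"
printf '#krb5   390003  kerberos_v5  default -  # RPCSEC_GSS\n' > "$tmp/nfssec.commented"
printf 'krb5    390003  kerberos_v5  default -  # RPCSEC_GSS\n' > "$tmp/nfssec.ok"
printf '%s\n' 'KVNO Timestamp         Principal' \
  '   2 11/28/11 14:10:35 nfs/client.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)' \
  '   2 11/28/11 14:10:35 host/client.example.com@EXAMPLE.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)' \
  > "$tmp/klist.out"

# Run each check and print PASS/FAIL for the operator.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report nsswitch_ldap_ok "$tmp/nsswitch.ok"
report krb5_realm_ok "$tmp/krb5.conf" EXAMPLE.COM
report keytab_has_service_keys "$tmp/klist.out" client.example.com EXAMPLE.COM
report nfssec_krb5_ok "$tmp/nfssec.ok"
```

On a real client, point the functions at /etc/nsswitch.conf, /etc/krb5/krb5.conf, /etc/nfssec.conf and a file holding the output of "klist -ekt /etc/krb5/krb5.keytab".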