Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
DescriptionKaushik Banerjee
2011-11-28 14:33:24 UTC
Version-Release number of selected component (if applicable):
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Enterprise_Identity_Management_Guide/sect-Enterprise_Identity_Management_Guide-Configuring_an_IPA_Client_on_Solaris-Configuring_an_IPA_Client_on_Solaris_9.html
The above doc was found insufficient while configuring solaris 9 as an IPA
Client against IPA Server 2.1
The following steps were executed to get solaris 9 to work against the IPA
Server:
LDAP CLIENT:
1. Configure the ldap client using the "ldapclient" utility as follows:
ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a defaultServerList=192.168.0.1 \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=homeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=posixgroup \
-a objectClassMap=passwd:posixAccount=posixaccount \
-a objectClassMap=shadow:shadowAccount=posixaccount \
-a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
-a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
2. Remove "ldap" from all entries in /etc/nsswitch.conf except for "passwd:"
and "group:" entries.
KERBEROS CLIENT:
3. Sync date and time with the IPA Server
ntpdate ipaserver.example.com
4. Configure kerberos client as:
# cat /etc/krb5/krb5.conf
[libdefaults]
default_realm = EXAMPLE.COM
verify_ap_req_nofail = false
[realms]
EXAMPLE.COM = {
kdc = ipaserver.example.com
admin_server = ipaserver.example.com
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
PAM Configuration:
5. For kerberos authentication, the /etc/pam.conf would look like:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 try_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other password requisite pam_authtok_check.so.1 force_check
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
NFS CLIENT:
6. On the nfs server, configure /etc/exports as:
# cat /etc/exports
/nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)
7. ipa service-add nfs/client.example.com
8. ipa-getkeytab -s server.example.com -p nfs/client.example.com -e des-cbc-crc -k /opt/client.keytab
9. scp /opt/client.keytab to /etc/krb5/krb5.keytab on the solaris client.
10. Uncomment the following line from /etc/nfssec.conf:
krb5p 390005 kerberos_v5 default privacy # RPCSEC_GSS
11. kinit -k nfs/client.example.com
12. Mount the nfs share as:
# mount -F nfs -o sec=krb5p server.example.com:/nfs /mnt/