Please update the Solaris 10 LDAP client documentation to use a DUA profile with ldapclient instead of a manual installation. Using a DUAProfile is easier both for installing and maintaining the Solaris clients, as they will re-read configuration from the DUA profile periodically. See BZ #815515 for an updated DUA config profile.

The documentation could state two examples, one for configuring an authenticated and secured bind and one for configuring anonymous binds.

LDAP configuration, anonymous bind using DUA profile "default":

    solarishost $ ldapclient -v init \
        -a profileName=default \
        ipaserver.example.com

LDAP configuration, authenticated and secured bind. Requires a new default DUA profile named "default_secure". See BZ #815515 for details of a DUA profile example.

Create the NSS DB (don't enter a password, just hit return):

    ipaserver $ certutil -N -d /var/ldap

Convert the IPA certificate to PEM format:

    ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

Add the CA certificate to the NSS DB:

    ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap

Copy the *.db files from /var/ldap/ on the IPA server to /var/ldap on the Solaris host:

    solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
    solarishost $ chmod 444 /var/ldap/*.db

Create an account to use for authentication:

    ipaserver $ ldapmodify -a -h ipaserver -D "cn=Directory Manager" -W
    dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
    objectClass: account
    objectClass: simpleSecurityObject
    objectClass: top
    uid: solaris
    userPassword: setapasswordplease

Run ldapclient:

    $ ldapclient -v init \
        -a profileName=default_secure \
        -a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
        -a proxyPassword="setapasswordplease" \
        -D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
        -w setapasswordplease \
        ipaserver.example.com

The -D and -w options are required, as the nisdomainobject won't be available to the ldapclient script when the 389-ds LDAP server is set to not allow anonymous bind, even though 389-ds is configured to allow anonymous bind to read the rootDSE. The -D and -w options were added in a fairly recent Solaris patch set.

Kerberos client setup: keep the existing sections 3 and 4, but add the following.

Verify that the pkcs11_softtoken_extra.so provider has been installed and enabled for AES256 support:

    solarishost $ cryptoadm list

If pkcs11_softtoken_extra.so is missing, use the "-e" option with ipa-getkeytab to limit the encryption type to aes128, or install and enable the provider. See the Solaris documentation for details.

Add the host to the IPA server and request a keytab for the host:

    ipaserver $ ipa host-add solarishost.example.com
    ipaserver $ ipa-getkeytab -s ipaserver -p host/solarishost.example.com -k /tmp/solarishost.keytab

Copy the keytab to /etc/krb5/krb5.keytab on the Solaris client:

    solarishost $ scp ipaserver:/tmp/solarishost.keytab /etc/krb5/krb5.keytab

Make sure it's secured:

    solarishost $ chmod 600 /etc/krb5/krb5.keytab

PAM setup: keep the existing step 5.
Some information about the 16 groups limit: https://www.redhat.com/archives/freeipa-users/2012-May/msg00361.html
BTW, there should be one additional step before running the "ldapclient" command. Edit /etc/nsswitch.ldap and replace "ldap" with "dns" on the "hosts" and "ipnodes" lines:

    hosts: files dns
    ipnodes: files dns

This is required as nsswitch.conf is replaced with the nsswitch.ldap file when the ldapclient command is run. The machine will stall if this is not changed, as the "hosts" information is not stored in IPA's LDAP server, but rather served via DNS.
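The nsswitch.ldap edit above is easy to get wrong by hand (Solaris 10 ships the hosts and ipnodes lines as "ldap [NOTFOUND=return] files", so a plain word substitution is not enough). The script below is an added example, not code from the bug thread or from FreeIPA: it rewrites the whole value of both lines and then checks that no "ldap" source is left on them, which is the condition that makes the client stall after ldapclient swaps nsswitch.conf. The sample file contents are constructed to resemble the Solaris 10 default, and the path is whatever you pass as the first argument (the real target would be /etc/nsswitch.ldap).

```shell
#!/bin/sh
# Added example (not from the bug thread or FreeIPA). Prepares a copy of
# nsswitch.ldap so that hosts/ipnodes resolve via files and DNS before
# "ldapclient init" copies it over nsswitch.conf.

# Constructed sample resembling the Solaris 10 /etc/nsswitch.ldap defaults.
# Only used for the stand-alone demo; pass a real file to the functions.
make_sample_nsswitch() {
    cat > "$1" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      ldap [NOTFOUND=return] files
ipnodes:    ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
netgroup:   ldap
EOF
}

# Replace the complete value of the hosts: and ipnodes: lines with
# "files dns"; every other line is left untouched. sed -i is avoided
# because Solaris /usr/bin/sed does not support it.
fix_nsswitch_hosts() {
    f="$1"
    tmp="$f.tmp.$$"
    sed -e 's/^hosts:.*/hosts:      files dns/' \
        -e 's/^ipnodes:.*/ipnodes:    files dns/' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Return 0 (success) only when neither hosts: nor ipnodes: still names
# the ldap source, i.e. the file is safe to hand to ldapclient.
check_nsswitch_hosts() {
    ! grep -E '^(hosts|ipnodes):.*ldap' "$1" > /dev/null
}

# Stand-alone demo on the constructed sample file.
sample="${TMPDIR:-/tmp}/nsswitch.ldap.$$"
make_sample_nsswitch "$sample"
fix_nsswitch_hosts "$sample"
if check_nsswitch_hosts "$sample"; then
    echo "hosts/ipnodes lines are DNS-based:"
    grep -E '^(hosts|ipnodes):' "$sample"
else
    echo "hosts/ipnodes still reference ldap; do not run ldapclient yet"
fi
rm -f "$sample"
```

Run check_nsswitch_hosts /etc/nsswitch.ldap as a pre-flight before "ldapclient init"; it exits non-zero while the file would still send host lookups to LDAP.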
Whether pkcs11_softtoken_extra.so is available can be seen from the message "unsupported encryption type 18" instead of AES256 when a keytab from IPA is installed with the default encryption types:

    $ klist -ket
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ---------------------------------------------------------
       2 03/24/12 12:03:46 host/njord-z1.test.com (unsupported encryption type 18)
       2 03/24/12 12:03:46 host/njord-z1.test.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
       2 03/24/12 12:03:46 host/njord-z1.test.com (Triple DES cbc mode with HMAC/sha1)
       2 03/24/12 12:03:46 host/njord-z1.test.com (ArcFour with HMAC/md5)

To install the pkcs11_softtoken_extra.so module:

    $ cryptoadm install provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so
    $ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=all

klist output should now read:

    $ klist -ket
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- ---------------------------------------------------------
       2 03/24/12 12:03:46 host/njord-z1.test.com (AES-256 CTS mode with 96-bit SHA-1 HMAC)
       2 03/24/12 12:03:46 host/njord-z1.test.com (AES-128 CTS mode with 96-bit SHA-1 HMAC)
       2 03/24/12 12:03:46 host/njord-z1.test.com (Triple DES cbc mode with HMAC/sha1)
       2 03/24/12 12:03:46 host/njord-z1.test.com (ArcFour with HMAC/md5)
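The klist listings above are the only evidence a Solaris host gives that its strongest key is unusable, and the failure only surfaces later when the KDC picks AES-256. The script below is an added example, not code from the bug thread or from FreeIPA: it scans a saved "klist -ket" listing for "(unsupported encryption type N)" entries, maps the IANA enctype numbers 17 and 18 to their names, and says whether the pkcs11_softtoken_extra.so provider needs to be enabled (or the keytab re-fetched with ipa-getkeytab -e limited to AES-128). The sample listing is constructed from the format shown in this comment, with a hostname of my own choosing.

```shell
#!/bin/sh
# Added example (not from the bug thread or FreeIPA). Inspects a saved
# "klist -ket" listing for keys the Solaris Kerberos library cannot use.

# Constructed sample in the format "klist -ket" prints; the principal and
# timestamps are made up. Pass a real listing to the functions instead.
write_sample_klist() {
    cat > "$1" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------------
   2 03/24/12 12:03:46 host/solarishost.example.com@EXAMPLE.COM (unsupported encryption type 18)
   2 03/24/12 12:03:46 host/solarishost.example.com@EXAMPLE.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   2 03/24/12 12:03:46 host/solarishost.example.com@EXAMPLE.COM (Triple DES cbc mode with HMAC/sha1)
   2 03/24/12 12:03:46 host/solarishost.example.com@EXAMPLE.COM (ArcFour with HMAC/md5)
EOF
}

# Print the numeric enctype of every "(unsupported encryption type N)"
# entry, one per line, de-duplicated. Empty output means every key is usable.
unsupported_enctypes() {
    sed -n 's/.*(unsupported encryption type \([0-9][0-9]*\)).*/\1/p' "$1" | sort -u
}

# Return 0 when the listing contains a usable AES-256 key.
has_aes256() {
    grep -q 'AES-256 CTS mode' "$1"
}

# Map the enctype numbers from the Kerberos registry (RFC 3962 values for
# the two AES types) to their usual names.
enctype_name() {
    case "$1" in
        17) echo aes128-cts-hmac-sha1-96 ;;
        18) echo aes256-cts-hmac-sha1-96 ;;
        *)  echo "enctype-$1" ;;
    esac
}

# Return 0 when enctype 18 (AES-256) is present but unsupported, i.e. the
# pkcs11_softtoken_extra.so provider is missing or disabled.
keytab_needs_extra_provider() {
    unsupported_enctypes "$1" | grep -qx 18
}

# Stand-alone demo on the constructed listing.
listing="${TMPDIR:-/tmp}/klist.$$"
write_sample_klist "$listing"
for e in $(unsupported_enctypes "$listing"); do
    echo "unsupported key in keytab: $e ($(enctype_name "$e"))"
done
if keytab_needs_extra_provider "$listing"; then
    echo "AES-256 key unusable: cryptoadm install/enable pkcs11_softtoken_extra.so,"
    echo "or re-fetch the keytab with ipa-getkeytab -e aes128-cts-hmac-sha1-96"
fi
rm -f "$listing"
```

On the client, run "klist -ket > /tmp/klist.out" and feed that file to keytab_needs_extra_provider; after the cryptoadm commands above the function should return non-zero and has_aes256 should succeed on a fresh listing.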
I have a few comments when looking at the 6.3 beta document: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html

Step 9.a, create a nfs kerberos service when the Solaris host is going to be a NFS client. I do use NFS4+krb5, and I've never had to create a nfs service for nfs clients, only at the nfs server. Where does this information come from? However, the entire section 9 can be replaced with how to install a keytab containing the "host" entries, as that's not explained in the documentation at all.

Step 9.h is also incorrect. Using "-t nfs4" is only for old Linux clients such as RHEL 5. Solaris 10 has never used -t nfs4. The correct command line is:

    # mount -o vers=4,sec=krb5 ipaserver.example.com:/ /mnt/

Step 1 + 2, why is an objectclassMap used for mapping posixGroup=posixgroup and posixAccount=posixaccount? I have not done this for any of my Solaris clients. This seems unnecessary. Also, all the attributeMaps in the manual config example are not required. The example for netgroup is incorrect; Solaris clients need to use the compat tree for groups and netgroups. Shadow is not required to be added as a separate serviceSearchDescriptor.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3731
Kicking FreeIPA doc bugs over to Martin.
This message is a reminder that Fedora 17 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 17. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '17'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 17's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 17 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to Fedora 17's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
Hello Sigbjorn, I looked into this bug (it was lying there for a while) and tried to summarize the updates into a functional article. However, I was not able to construct all the information here and in Bug 815515 into a meaningful article (as we discussed). For example, it is not clear how the /var/ldap directory on the master gets populated:

~~~~~~
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db
~~~~~~

In favor of preventing many round trips between us and further delays, do you think I could ask you to help us with that and update the current state of the chapter? The last version is here: http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I would highly appreciate either an updated chapter in a format like LibreOffice or a simple text format... Or even better a DocBook format as the, now upstream, FreeIPA guide uses: http://www.freeipa.org/page/Contribute/Documentation

This way, we would make the Solaris doc more complete and more helpful for FreeIPA users.
The /var/ldap gets populated in the certutil commands just above the scp command. I'll see what I can do for you regarding the doc, however if you feel that information is missing from the instructions I provided above, I don't see how copying this into a LibreOffice document will be an improvement. I suggest you just ask for the information you feel is missing. I just reviewed the steps provided, and I believe they are still valid.
(In reply to Sigbjorn Lie from comment #13)

> The /var/ldap gets populated in the certutil commands just above the scp
> command.

I see, thanks for the clarification and for checking the procedure!

> I'll see what I can do for you regarding the doc, however if you feel that
> information is missing from the instructions I provided above, I don't see
> how copying this into a LibreOffice document will be an improvement. I
> suggest you just ask for the information you feel is missing.

I just meant that to increase clarity of the requested change, it may be easier to create a LibreOffice document with the requested changes applied to the current state of the document or (even better) a patch by following http://www.freeipa.org/page/Contribute/Documentation.

> I just reviewed the steps provided, and I believe they are still valid.

Good! We have the documentation fix request in the upstream queue. As you can see from the low traffic in this Bugzilla, it takes time to do documentation fixes like this one, given scarce resources in this area. In case you want to speed it up, please consider following the procedure for contribution or contacting Customer Service with a prioritization request.
We had a discussion about this Bug. While IPA on Solaris and other platforms should simply work when the standard protocols are used, in the RHEL product we officially do not test, document or support IPA on the Solaris platform. I am therefore moving this Bugzilla to the Fedora product as an upstream-only Bug to properly set the expectations and also to allow fixing the Bugzilla without forcing developers to be bound by RHEL product processes.
Hello Sigbjorn, we have taken over the documentation repository recently so it is easier to contribute documentation to it. It would be great if you could contribute the documentation described in this bug. Unfortunately, we have no Solaris expert in our team so this bug will rot in Bugzilla for a long time without an external contribution. Please follow http://www.freeipa.org/page/Contribute/Documentation if you are interested or contact the freeipa-devel mailing list as usual. Have a nice day!
Just for reference, there was a patch contributed to this topic by rga on freeipa-devel list: https://www.redhat.com/archives/freeipa-devel/2014-April/msg00286.html
Given the discussion in this bug and that the FreeIPA upstream project no longer maintains its own user guide besides the FreeIPA.org community wiki (details in http://www.freeipa.org/page/Upstream_User_Guide), I am closing this Bugzilla. Please follow or contribute in the upstream ticket: https://fedorahosted.org/freeipa/ticket/4633