Bug 815533 - RFE: Update the Solaris 10 client documentation
RFE: Update the Solaris 10 client documentation
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: freeipa (Show other bugs)
rawhide
All All
unspecified Severity high
: ---
: ---
Assigned To: Rob Crittenden
Fedora Extras Quality Assurance
: Documentation, FutureFeature, Reopened
Depends On:
Blocks: 858007
  Show dependency treegraph
 
Reported: 2012-04-23 15:20 EDT by Sigbjorn Lie
Modified: 2017-06-14 14:34 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 858007 (view as bug list)
Environment:
Last Closed: 2014-10-15 06:40:17 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sigbjorn Lie 2012-04-23 15:20:14 EDT
Please update the Solaris 10 LDAP client documentation to use a DUA profile with ldapclient instead of a manual installation.

Using a DUAProfile is easier both for installing, and maintaining the Solaris clients as they will re-read configuration from the DUA profile periodically.

See BZ #815515 for an updated DUA config profile.

The documentation could state two examples, for configuring an authenticated and secured bind and for configuring anonymous binds:

LDAP configuration, anonymous bind using DUA profile "default".

solarishost $ ldapclient -v init \
-a profileName=default \
ipaserver.example.com


LDAP configuration, authenicated and secured bind. Requires a new default DUA profile named "default_secure". See BZ #815515 for details of a DUA profile example.

Create NSS DB (Don't enter password. Just hit return)
ipaserver $ certutil -N -d /var/ldap

Convert the IPA certificate to PEM format:
ipaserver $ openssl x509 -in /etc/ipa/ca.crt -outform pem -out /etc/ipa/ca.pem

Add CA certificate to the NSS DB
ipaserver $ certutil -A -n "ca-cert" -i /etc/ipa/ca.pem -a -t CT -d /var/ldap

Copy the *.db files from /var/ldap/ on the ipa server to /var/ldap on the Solaris host.
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db

Create an account to use for authentication:
ipaserver $ ldapmodify -a -h ipaserver -D "cn=Directory Manager" -W
dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: solaris
userPassword: setapasswordplease

Run ldapclient:
$ ldapclient -v init \
-a profileName=default_secure \
-a proxyDN="uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="setapasswordplease" \
-D uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com \
-w setapasswordplease \
ipaserver.example.com

The -D and -w is required as the nisdomainobject won't be available to the ldapclient script when the 389-ds ldap server is set to not allow anonymous bind, even then 389-ds is configured to allow anonymous bind to read the rootdse. The -D and -w options we're added in a fairly recent Solaris patch set.


Kerberos client setup:
Keep the existing section 3 and 4, but add the following:

Verify that the pkcs11_softtoken_extra.so provider has been installed and enabled for AES256 support:
solarishost $ cryptoadm list

If pkcs11_softtoken_extra.so is missing, use the "-e" option with ipa-getkeytab to limit the encryption type to aes128, or install and enable the provider. See the Solaris documentation for details.

Add the host to the IPA server and request a keytab for the host:
ipaserver $ ipa host-add solarishost.example.com
ipaserver $ ipa-getkeytab -s ipaserver -p host/solarishost.example.com -k /tmp/solarishost.keytab

Copy the keytab /etc/krb5/krb5.keytab on the Solaris client:
solarishost $ scp ipaserver:/tmp/solarishost.keytab /etc/krb5/krb5.keytab

Make sure it's secured:
solarishost $ chmod 600 /etc/krb5/krb5.keytab

PAM setup:
Keep the existing step 5.
Comment 2 Petr Spacek 2012-05-23 07:59:07 EDT
Some information about 16 groups limit:
https://www.redhat.com/archives/freeipa-users/2012-May/msg00361.html
Comment 3 Sigbjorn Lie 2012-06-10 14:59:40 EDT
BTW, there should be one additional step before running the "ldapclient" command.

Edit /etc/nsswitch.ldap, replace "ldap" with "dns" from the "hosts" and "ipnodes" lines:

hosts:          files dns 
ipnodes:	files dns


This is required as the nsswitch.conf is replaced with nsswitch.ldap file when the ldapclient command is run. The machine will stall if this is not changed, as the "hosts" information is not stored in IPA's LDAP server, but rather served via DNS.
Comment 4 Sigbjorn Lie 2012-06-10 15:24:51 EDT
Availability of the pkcs11_softtoken_extra.so will be seen with the message "unsupported encryption type 18" instead of AES256 when a keytab from IPA is installed with default encryption types:

$ klist -ket
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp               Principal
---- ----------------- ---------------------------------------------------------
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (unsupported encryption type 18) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (Triple DES cbc mode with HMAC/sha1) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (ArcFour with HMAC/md5) 



To install the pkcs11_softtoken_extra.so module:
$ cryptoadm install provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so
$ cryptoadm enable provider=/usr/lib/security/\$ISA/pkcs11_softtoken_extra.so mechanism=all




Klist output should now read:
$ klist -ket 
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp               Principal
---- ----------------- ---------------------------------------------------------
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (AES-128 CTS mode with 96-bit SHA-1 HMAC) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (Triple DES cbc mode with HMAC/sha1) 
   2 03/24/12 12:03:46 host/njord-z1.test.com@TEST.COM (ArcFour with HMAC/md5)
Comment 5 Sigbjorn Lie 2012-06-10 15:53:27 EDT
I have a few comments when looking at the 6.3 beta document: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/Configuring_an_IPA_Client_on_Solaris.html

Step 9.a, create a nfs kerberos service when the Solaris host is going to be a NFS client. I do use NFS4+krb5, and I've never had to create a nfs service for nfs clients. Only at the nfs server. Where does this information come from?

However the entire section 9 can be replaced with how to install a keytab containing the "host" entries, as that's not explained in the documentation at all.

Step 9.h is also incorrect. Using "-t nfs4" is only for old Linux clients such as RHEL 5. Solaris 10 has never used -t nfs4. The correct command line is:

# mount -o vers=4,sec=krb5 ipaserver.example.com:/ /mnt/

Step 1 + 2, why is there used a objectclassMap for mapping posixGroup=posixgroup, and posixAccount=posixaccount. I have not done this for any of my Solaris clients. This seem unnecessary. Also all the attributeMap's in the manual config example is not required.

The example for netgroup is incorrect, Solaris clients need to use the compat tree for groups and netgroups. Shadow is not required to be added as a separate serviceSearchDescriptor.
Comment 6 Martin Kosek 2013-06-17 09:54:07 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3731
Comment 7 Deon Ballard 2013-06-25 15:33:20 EDT
Kicking FreeIPA doc bugs over to Martin.
Comment 8 Fedora End Of Life 2013-07-04 02:19:54 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 9 Fedora End Of Life 2013-08-01 13:50:56 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 12 Martin Kosek 2013-08-15 10:21:02 EDT
Hello Sigbjorn,

I looked in this bug (I was lying there for a while) and tried summarize the updates into a functional article. However, I was not able to construct all the information here and in Bug 815515 into a meaningful article (as we discussed).

For example, it is not clear how the /var/ldap directory on the master gets populated:

~~~~~~
solarishost $ scp ipaserver:/var/ldap/*.db /var/ldap/
solarishost $ chmod 444 /var/ldap/*.db
~~~~~~

In favor of preventing many round trips between us and further delays, do you think I could ask you to help us with that and update current state of the chapter? Last version is here:

http://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/Configuring_an_IPA_Client_on_Solaris.html

I would highly appreciate either an updated chapter in a format like LibreOffice or a simple text format... Or even better a DocBook format as the, now upstream, FreeIPA guide uses:

http://www.freeipa.org/page/Contribute/Documentation

This way, we would make the Solaris doc more complete and more helpful for FreeIPA users.
Comment 13 Sigbjorn Lie 2013-12-20 02:44:48 EST
The /var/ldap gets populated in the certutil commands just above the scp command.

I'll see what I can do for you regarding the doc, however if you feel that information is missing from the instructions I provided above, I don't see how copying this into an LibreOffice document will be an improvement. I suggest you just ask for the information you feel is missing. 

I just reviewd the steps provided, and I believe they are still valid.
Comment 14 Martin Kosek 2014-01-02 07:56:49 EST
(In reply to Sigbjorn Lie from comment #13)
> The /var/ldap gets populated in the certutil commands just above the scp
> command.

I see, thanks for clarification and checking the procedure!

> I'll see what I can do for you regarding the doc, however if you feel that
> information is missing from the instructions I provided above, I don't see
> how copying this into an LibreOffice document will be an improvement. I
> suggest you just ask for the information you feel is missing. 

I just meant that to increase clarity of the requested change, it may be easier to create a LibreOffice document with requested changes applied to current state of the document or (even better) a patch by following http://www.freeipa.org/page/Contribute/Documentation.

> I just reviewd the steps provided, and I believe they are still valid.

Good! We have the documentation fix request in the upstream queue. As you see in low traffic in this Bugzilla, it takes time to do documentation fixes like this one, given scarce resources in this area. In case you want to speed it up, please consider following the procedure for contribution or contacting Customer Service with prioritization request.
Comment 15 Martin Kosek 2014-01-23 08:06:20 EST
We had a discussion about this Bug. While IPA on Solaris and other platform should simply work when the standard protocols are used, in RHEL product we  officially do not test, document or support IPA on Solaris platform.

I am therefore moving this Bugzilla to Fedora product as upstream-only Bug to properly set the expectations and also to allow fixing the Bugzilla without forcing developers to be bound by RHEL product processes.
Comment 16 Petr Spacek 2014-03-12 16:29:27 EDT
Hello Sigbjorn,

we have taken over documentation repository recently so it is easier to contribute documentation to it. If would be great if you could contribute documentation described in this bug.

Unfortunatelly, we have no Solaris expert in our team so this bug will rot in Bugzilla for a long time without an external contribution.

Please follow
http://www.freeipa.org/page/Contribute/Documentation
if you are interested or contact freeipa-devel mailing list as usual.

Have a nice day!
Comment 17 Martin Kosek 2014-10-15 04:31:54 EDT
Just for reference, there was a patch contributed to this topic by rga on freeipa-devel list:
https://www.redhat.com/archives/freeipa-devel/2014-April/msg00286.html
Comment 18 Martin Kosek 2014-10-15 06:40:17 EDT
Given the discussion in this bug and that FreeIPA upstream project no longer maintains it's own user guide besides the FreeIPA.org community wiki (details in http://www.freeipa.org/page/Upstream_User_Guide), I am closing this Bugzilla.

Please follow or contribute in the upstream ticket:
https://fedorahosted.org/freeipa/ticket/4633

Note You need to log in before you can comment on or make changes to this bug.