
3.8. Configuring a Solaris System as a FreeIPA Client

3.8.1. Configuring Solaris 10

  1. FreeIPA provides an example profile for configuring Solaris 10 as a FreeIPA client. This can be loaded using ldapclient and the init command:
    [root@solaris ~]# ldapclient init ipa.example.com
    The ldapclient can also be run to enter the information for the FreeIPA domain manually:
    [root@solaris ~]# ldapclient manual \
             -a credentialLevel=proxy \
             -a authenticationMethod=tls:simple \
             -a defaultSearchBase=dc=example,dc=com \
             -a domainName=example.com \
             -a defaultServerList=192.168.0.1 \
             -a proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com \
             -a proxyPassword={NS1}fbc123a92116812 \
             -a attributeMap=group:memberuid=memberUid \
             -a attributeMap=group:gidnumber=gidNumber \
             -a attributeMap=passwd:gidnumber=gidNumber \
             -a attributeMap=passwd:uidnumber=uidNumber \
             -a attributeMap=passwd:homedirectory=homeDirectory \
             -a attributeMap=passwd:loginshell=loginShell \
             -a attributeMap=shadow:userpassword=userPassword \
             -a objectClassMap=group:posixGroup=posixgroup \
             -a objectClassMap=passwd:posixAccount=posixaccount \
             -a objectClassMap=shadow:shadowAccount=posixaccount \
             -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
             -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com \
             -a serviceSearchDescriptor=netgroup:cn=sysaccounts,cn=etc,dc=example,dc=com \
             -a serviceSearchDescriptor=shadow:cn=sysaccounts,cn=etc,dc=example,dc=com \
             -a serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=example,dc=com
  2. Create a Solaris profile in the FreeIPA Directory Server instance for the Solaris domain clients to use. The LDAP entry should reflect the configuration that was passed to the Solaris machine in the ldapclient command.
    [root@ipaserver ~]# ldapadd -h 192.168.0.1 -p 389 -D "cn=directory manager" -w secret
    
    dn: cn=solaris,ou=profile,dc=example,dc=com
    objectClass: top
    objectClass: DUAConfigProfile
    cn: solaris
    credentialLevel: proxy
    authenticationMethod: tls:simple
    defaultSearchBase: dc=example,dc=com
    defaultServerList: 192.168.0.1
    objectclassMap: group:posixGroup=posixgroup
    objectclassMap: passwd:posixAccount=posixaccount
    objectclassMap: shadow:shadowAccount=posixAccount
    serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
    serviceSearchDescriptor: group:cn=groups,cn=accounts,dc=example,dc=com
    serviceSearchDescriptor: shadow:cn=sysaccounts,cn=etc,dc=example,dc=com
    serviceSearchDescriptor: netgroup:cn=sysaccounts,cn=etc,dc=example,dc=com
    serviceSearchDescriptor: sudoers:cn=sysaccounts,cn=etc,dc=example,dc=com
    bindTimeLimit: 10
    profileTTL: 43200
    searchTimeLimit: 30
    defaultSearchScope: one
    followReferrals: FALSE
  3. Create the cn=proxyagent account in the FreeIPA Directory Server instance.
    [root@ipaserver ~]# ldapadd -h 192.168.0.1 -p 389 -D "cn=directory manager" -w secret
    
    dn: cn=proxyagent,ou=profile,dc=example,dc=com
    objectClass: top
    objectClass: person
    sn: proxyagent
    cn: proxyagent
    userPassword:: e1NTSEF9Mm53KytGeU81Z1dka1FLNUZlaDdXOHJkK093TEppY2NjRmt6Wnc9PQ=
  4. On the FreeIPA server, use the certutil command to create cert8.db and key3.db databases.
    [root@ipaserver ~]# certutil -N -d .
    Then copy both databases to the /var/ldap directory on the Solaris machine. For example:
    [root@ipaserver ~]# scp cert8.db solaris.example.com:/var/ldap
    [root@ipaserver ~]# scp key3.db solaris.example.com:/var/ldap
  5. Remove the ldap option from all entries in /etc/nsswitch.conf except for the passwd, group, shadow, netgroup, and sudoers entries.
  6. Configure and enable NTP and synchronize the time between the client and the FreeIPA server.
    [root@solaris ~]# ntpdate ipaserver.example.com
  7. Configure the Kerberos client. The Kerberos configuration includes specifying the realm and domain details and default ticket attributes.
    [root@solaris ~]# vim /etc/krb5/krb5.conf
    
    [libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false
    
    [realms]
    EXAMPLE.COM = {
    kdc = ipaserver.example.com
    admin_server = ipaserver.example.com
    }
    
    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    kinit = {
    renewable = true
    forwardable = true
    }
    The default file created by ldapclient enables forwardable tickets, which makes it possible to connect to the UI from any system and provides a way to audit administration operations.
  8. Configure PAM to use Kerberos authentication. For example:
    [root@solaris ~]# vim /etc/pam.conf 
    
    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth sufficient         pam_krb5.so.1 try_first_pass
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1
    # Password construction requirements apply to all users.
    # Remove force_check to have the traditional authorized administrator
    # bypass of construction requirements.
    other   password requisite      pam_authtok_check.so.1 force_check
    other   password sufficient     pam_krb5.so.1
    other   password required       pam_authtok_store.so.1
  9. Configure NFS to work with the Kerberos domain.
    1. Add an NFS service principal for the client.
      [root@ipaserver ~]# ipa service-add nfs/client.example.com
    2. Create the NFS keytab file.
      [root@ipaserver ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/client.example.com -k /tmp/krb5.keytab -e des-cbc-crc
    3. Copy the keytab from the server to the client.
      [root@ipaserver ~]# scp /tmp/krb5.keytab root@client.example.com:/tmp/krb5.keytab
    4. On the FreeIPA client, use the ktutil command to import the contents into the main host keytab.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q
    5. Verify that the NFS service keytab was created:
      [root@solaris ~]# klist -ket /etc/krb5/krb5.keytab
    6. Verify that the NFS server is accessible:
      [root@solaris ~]# showmount -e ipaserver.example.com
    7. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5	390003	kerberos_v5	default -	# RPCSEC_GSS
    8. Mount the NFS share.
      [root@solaris ~]# mount -t nfs4 ipaserver.example.com:/ /mnt/ -o sec=krb5
  10. Configure sudo on the Solaris machine to work with the FreeIPA server.
    1. If necessary, install the required packages for SASL, OpenSSL, sudo and LDAP, and BerkeleyDB:
      • CSWbdb4 (BerkeleyDB 4)
      • CSWcommon
      • CSWlibnet
      • CSWoldaprt
      • CSWossl
      • CSWossldevel
      • CSWosslrt
      • CSWosslutils
      • CSWsasl
      • CSWsudo-common
      • CSWsudoldap
      These are available from Blastwave.
    2. Edit the OpenLDAP ldap.conf file to use the secure URL for the FreeIPA Directory Server instance and to use the FreeIPA CA certificate.
      [root@solaris ~]# vim /opt/csw/etc/openldap/ldap.conf
      
      base dc=example,dc=com
      timelimit 120
      bind_timelimit 120
      idle_timelimit 3600
      uri ldaps://ipaserver.example.com
      ssl start_tls
      sudoers_base ou=SUDOers,dc=example,dc=com
      ssl on
      TLS_REQCERT     allow
      TLS_CACERT /etc/openldap/cacerts/ca.crt
      TLS_CACERTFILE /etc/openldap/cacerts/ca.crt
      TLS_CACERTDIR /etc/openldap/cacerts
      ...
    3. Download the FreeIPA CA certificate:
      http://ipaserver.example.com/ipa/config.ca.cert
    4. Copy the FreeIPA CA certificate to the /etc/openldap/cacerts directory.
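Step 2 requires the cn=solaris profile entry to reflect the settings given to ldapclient in step 1. The following added check (example code, not part of the FreeIPA documentation) parses both forms and reports attributes the profile lacks or sets differently; the CLIENT_ONLY set, the sample data and the function names are this example's own assumptions.

```python
# Added example (not part of the FreeIPA documentation): checks that the
# DUAConfigProfile entry from step 2 carries the settings given to "ldapclient manual" in step 1.
# Stored locally by ldapclient, not DUAConfigProfile attributes: not compared.
CLIENT_ONLY = {"domainname", "proxydn", "proxypassword"}

# Constructed subset of the step 1 "-a key=value" arguments.
LDAPCLIENT_ARGS = [
    "authenticationMethod=tls:simple",
    "defaultServerList=192.168.0.1",
    "proxyDN=cn=proxyagent,ou=profile,dc=example,dc=com",
    "objectClassMap=shadow:shadowAccount=posixaccount",
    "serviceSearchDescriptor=sudoers:cn=sysaccounts,cn=etc,dc=example,dc=com",
]

# Constructed profile with two faults to flag: a mistyped server address and
# no sudoers search descriptor. The folded last attribute is valid LDIF.
PROFILE_LDIF = """dn: cn=solaris,ou=profile,dc=example,dc=com
authenticationMethod: tls:simple
defaultServerList: 192.168.0.2
objectclassMap: shadow:shadowAccount=posixAccount
serviceSearchDescriptor: passwd:cn=users,cn=accounts,
 dc=example,dc=com
"""

def parse_ldapclient_args(args):
    """Lower-cased attribute name -> set of values from "key=value" pairs."""
    attrs = {}
    for arg in args:
        key, value = arg.split("=", 1)
        attrs.setdefault(key.lower(), set()).add(value)
    return attrs

def parse_ldif_entry(text):
    """Lower-cased attribute name -> set of values; unfolds RFC 2849 continuations."""
    attrs = {}
    for line in text.replace("\n ", "").splitlines():
        if line.strip():
            key, value = line.split(":", 1)
            attrs.setdefault(key.lower(), set()).add(value.strip())
    return attrs

def compare_profile(args, ldif):
    """(attribute, problem) pairs; names and LDAP values compare case-insensitively."""
    wanted, have = parse_ldapclient_args(args), parse_ldif_entry(ldif)
    problems = []
    for key in sorted(set(wanted) - CLIENT_ONLY):
        if key not in have:
            problems.append((key, "missing from profile"))
        elif {v.lower() for v in wanted[key]} != {v.lower() for v in have[key]}:
            problems.append((key, "differs from ldapclient setting"))
    return problems
```

With the constructed input, compare_profile reports defaultServerList and serviceSearchDescriptor while accepting the objectClassMap value that differs only in case.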

3.8.2. Configuring Solaris 9

  1. Perform steps 1 through 8 in Section 3.8.1, “Configuring Solaris 10” to set up the Solaris 9 client.
  2. Configure the NFS client.
    1. Configure the /etc/exports file on the NFS server.
      /nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)
    2. Add an NFS service principal for the client.
      [root@ipaserver ~]# ipa service-add nfs/client.example.com
    3. Create the NFS keytab file.
      [root@ipaserver ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/client.example.com -k /tmp/krb5.keytab -e des-cbc-crc
    4. Copy the keytab from the server to the client.
      [root@ipaserver ~]# scp /tmp/krb5.keytab root@client.example.com:/tmp/krb5.keytab
    5. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5	390005	kerberos_v5	default -	# RPCSEC_GSS
    6. Obtain a ticket for the NFS client.
      [root@solaris ~]# kinit -k nfs/client.example.com
    7. Mount the NFS share.
      [root@solaris ~]# mount -F nfs -o sec=krb5p ipaserver.example.com:/nfs /mnt/
    8. On the FreeIPA client, use the ktutil command to import the contents into the main host keytab.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q