Configuring FreeIPA Solaris clients

Posted on Sat 30 January 2016 in howto

FreeIPA with Solaris?

Working in an environment full of Solaris hosts, you might find yourself in a situation where you need Solaris and Linux in the same authentication domain. And you may have wrestled with the idea of purchasing an expensive auth/identity suite, either from Oracle or someone else. This is usually about the time you start contemplating suicide. But, you actually can set up a Directory Server that will serve both linux and Solaris, all without spending oodles of money, and/or running a craptastic obscure product from an open source hostile company.

FreeIPA is a full-featured open source directory server developed by Red Hat. It’s the upstream version for Red Hat Directory Server, and with just a wee bit of setup you have everything you need to get your Solaris clients working with it, including automounts, sudo, etc.

So, let’s make that happen.

This article describes how to configure Solaris LDAP clients for a mixed environment with Linux clients, using FreeIPA on Linux as the LDAP server. This configuration will support both Linux and Solaris 8-11 hosts. The implementation steps will differ somewhat between different versions of Solaris, so I’ll try my best to differentiate what has to happen for each one. The configuration described here enables authentication for users via login, su, sudo, and automounts via LDAP. So let’s go ahead and get those grubby Solaris hosts on the domain.

Setup FreeIPA Server to support Solaris clients

For our purposes, the only things we need to change on FreeIPA to support Solaris clients are the automount definitions and a working Solaris client profile with a proxy account. For Solaris, the proxyagent account is necessary if you disable anonymous binds to the FreeIPA LDAP servers (and you should). This account will be used by the client to bind to LDAP.

Create Solaris compatible automount definitions

Solaris uses different filenames than Linux for its autofs definitions, using underscores vs periods. (Linux: /etc/auto.master, Solaris: /etc/auto_master) This translates the same way with LDAP. Thankfully, Linux will honor autofs definitions with underscores that are mapped from auto.master in LDAP, so you don’t have to create duplicate copies of each one for each OS. So the solution is to map the default auto.master entry in the Solaris client profile, then use the underscore named, Solaris-compatible definitions in the auto.master and everywhere else.

  • Remove existing automount definitions: the first step is to remove the existing definitions from auto.master in the FreeIPA UI. Log in to FreeIPA, go to Services > Automount, and under auto.master remove auto.direct and any other definitions.

  • Create Solaris compatible automount definitions: with the existing definitions removed, you can now create the Solaris compatible entries. Create auto_home and auto_direct keys under auto.master. We will map auto.master in the Solaris profile, so we don’t rename this entry. This preserves cross-platform compatibility.

Create Solaris Profile on IPA Server

Now we can create the Solaris client profile that Solaris clients will use to map the LDAP schema with attributes they are expecting. Create solarisprofile.ldif:

dn: cn=solaris,ou=profile,dc=example,dc=com
objectClass: top
objectClass: DUAConfigProfile
cn: SolarisProfile
authenticationMethod: none
defaultSearchBase: dc=example,dc=com
defaultSearchScope: one
defaultServerList: ipa1.example.com,ipa2.example.com
objectclassMap: shadow:shadowAccount=posixAccount
objectclassMap: printers:SunPrinter=printerService
serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: group:cn=groups,cn=compat,dc=example,dc=com
serviceSearchDescriptor: netgroup:cn=ng,cn=compat,dc=example,dc=com
serviceSearchDescriptor: ethers:cn=computers,cn=accounts,dc=example,dc=com
serviceSearchDescriptor: sudo:ou=sudoers,dc=example,dc=com
serviceSearchDescriptor: automount:cn=default,cn=automount,dc=example,dc=com
serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
bindTimeLimit: 5
profileTTL: 6000
searchTimeLimit: 10
followReferrals: TRUE

If you have disabled anonymous binds to the domain, you will want to use the Solaris Proxy account, by adding the following lines to solarisprofile.ldif and removing the original authenticationMethod line:

credentialLevel: proxy
authenticationMethod: tls:simple

Then you can create the proxyagent user:

kinit admin
ldapmodify -a -h ipa1.example.com -Y GSSAPI

dn: uid=solaris,cn=sysaccounts,cn=etc,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: solaris
userPassword: setyourpasswordhere

And add the profile to the LDAP schema:

kinit admin
ldapadd -h ipa1.example.com -Y GSSAPI -f solarisprofile.ldif

Note: to delete the profile, you can run this command, which helps when iterating over and testing the profile, or when you’ve messed something up:

ldapdelete -Y GSSAPI -h ipa1.example.com "cn=solaris,ou=profile,dc=example,dc=com"

At this point, FreeIPA server configuration is done!

Configure IPA Clients

Next up, we want to make sure that the Solaris client machine is using the proper DNS and NTP configuration, just like any other client. Then you may proceed in configuring the LDAP client.

NTP Configuration

Create an ntp.conf that points to your freeIPA servers:

echo "server ipa1.example.com" > /etc/inet/ntp.conf
echo "server ipa2.example.com" >> /etc/inet/ntp.conf
echo "driftfile /var/ntp/ntp.drift" >> /etc/inet/ntp.conf
echo "statsdir /var/ntp/ntpstats/" >> /etc/inet/ntp.conf
echo "filegen peerstats file peerstats type day enable" >> /etc/inet/ntp.conf
echo "filegen loopstats file loopstats type day enable" >> /etc/inet/ntp.conf
ntpdate ipa1.example.com

Then start the NTP daemon: on Solaris 10/11 run svcadm enable ntp; on Solaris 8/9 run /etc/init.d/xntpd start.

Name Service Switch Configuration

Copy the nsswitch LDAP template over your running config.

cp /etc/nsswitch.ldap /etc/nsswitch.conf

Then edit the nsswitch.conf:

  • Change the ipnodes and hosts entries to: files dns

  • Change everything else to: files ldap

  • Change netgroup to: ldap only

  • Change the RBAC entries (auth_attr, prof_attr, project) to: files only

  • Add a sudoers line using: files ldap

Note: Normally on Solaris 11 you must change the name-service/switch smf properties, but ldapclient will make these changes permanent when it is run after configuring everything.
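The nsswitch edits above, scripted so the result can be diffed before it replaces /etc/nsswitch.conf. This is an added example, not from the original post; it assumes a POSIX awk (nawk or /usr/xpg4/bin/awk on Solaris 8-10) and the sample input is a constructed excerpt of /etc/nsswitch.ldap.

```shell
# Rewrite a nsswitch.conf (normally a copy of /etc/nsswitch.ldap) to the sources this
# article prescribes; reads stdin, writes stdout. Needs a POSIX awk (nawk on Solaris 8-10).
ipa_nsswitch() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
    {
        i = index($0, ":")
        if (i == 0) { print; next }             # not a "database: sources" line
        key = substr($0, 1, i - 1)
        sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
        if (key == "hosts" || key == "ipnodes")
            src = "files dns"                   # host lookups stay on DNS, never LDAP
        else if (key == "netgroup")
            src = "ldap"                        # netgroups only exist in the directory
        else if (key == "auth_attr" || key == "prof_attr" || key == "project")
            src = "files"                       # Solaris RBAC databases stay local
        else
            src = "files ldap"
        if (key == "sudoers") seen_sudoers = 1
        printf "%s: %s\n", key, src
    }
    END { if (!seen_sudoers) print "sudoers: files ldap" }   # added if the template lacks it
    '
}

# Constructed excerpt of /etc/nsswitch.ldap; on a real host run
#   ipa_nsswitch < /etc/nsswitch.ldap > /etc/nsswitch.conf.new && diff /etc/nsswitch.conf /etc/nsswitch.conf.new
sample_nsswitch() {
    printf '%s\n' \
        '# /etc/nsswitch.ldap (constructed excerpt)' \
        'passwd:     files ldap' \
        'group:      files ldap' \
        'hosts:      ldap [NOTFOUND=return] files' \
        'ipnodes:    ldap [NOTFOUND=return] files' \
        'netgroup:   ldap' \
        'auth_attr:  files ldap' \
        'project:    files ldap' \
        'printers:   user files ldap'
}

sample_nsswitch | ipa_nsswitch
```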

DNS configuration

For Solaris 8-10, we will edit /etc/resolv.conf:

domain example.com
nameserver 192.168.0.1
nameserver 192.168.0.2

then create /etc/defaultdomain:

example.com

For Solaris 11, we have to modify the SMF properties for dns/client:

svccfg -s network/dns/client setprop config/nameserver = net_address: "(192.168.0.1 192.168.0.2)"
svccfg -s network/dns/client setprop config/domain = astring: example.com

Then enable the DNS client: on Solaris 10/11 run svcadm enable dns/client; on Solaris 8/9 run /etc/init.d/nscd start.

LDAP Configuration

On the FreeIPA server, run these commands for each Solaris host, using the hostname of your client:

ipa host-add --force --ip-address=192.168.0.100 client1.example.com
ipa-getkeytab -s ipa1.example.com -p host/client1.example.com -k /tmp/client1.keytab

Now copy the Kerberos host keytab to the Solaris client:

scp /tmp/client1.keytab client1:/etc/krb5/krb5.keytab

Now log in to the client, and make sure the keytab has the proper owner and permissions:

chown root:sys /etc/krb5/krb5.keytab
chmod 700 /etc/krb5/krb5.keytab

Set up Kerberos on the Solaris client by running kclient, or by editing /etc/krb5/krb5.conf:

[libdefaults]
        verify_ap_req_nofail = false
        default_realm = example.COM

[realms]
        example.COM = {
                kdc = ipa1.example.com
                kdc = ipa2.example.com
                admin_server = ipa1.example.com
                admin_server = ipa2.example.com

                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        ipa1.example.com = example.COM
        ipa2.example.com = example.COM
        .example.com = example.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
                no_addresses = true
        }

Initialize the LDAP client on the Solaris host with the DUAProfile that was created. The -a domainName=example.com argument is needed so that ldapclient does not stop and complain about a missing NIS domain name.

Initialize client on Solaris 11 w/o proxy:

ldapclient -v init \
-a profileName="SolarisProfile" \
-a domainName="example.com" \
ipa1.example.com

Start LDAP client:

svcadm enable ldap/client

Initialize client on Solaris 11 w/ proxy:

ldapclient -v init \
-a proxyDN="cn=proxyagent,ou=profile,dc=example,dc=com" \
-a proxyPassword="insertPasswordHere" \
-a profileName="SolarisProfile" \
-a domainName="example.com" \
ipa1.example.com

Start LDAP client:

svcadm enable ldap/client

Initialize client on Solaris 10:

On Solaris 10, you must create the ldap_client_file manually before running ldapclient init, because Solaris 10 is stoopid and needs the LDAP client already running to do the init:

Create /var/ldap/ldap_client_file with these contents:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_AUTH= none
NS_LDAP_OBJECTCLASSMAP= printers:SunPrinter=printerService
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= sudo:ou=sudoers,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= automount:cn=default,cn=automount,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com
NS_LDAP_BIND_TIME= 5
NS_LDAP_PROFILE= SolarisProfile
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SERVERS= ipa1.example.com, ipa2.example.com
NS_LDAP_SEARCH_TIME= 10
NS_LDAP_CACHETTL= 6000
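The ldap_client_file above is the same profile as solarisprofile.ldif in a different syntax, so it can be generated from the LDIF instead of typed a second time. This is an added example, not part of the original post; it assumes a POSIX awk (nawk on Solaris 8-10), the attribute-to-keyword mapping is the one visible in the two listings in this article, and the credentialLevel mapping to NS_LDAP_CREDENTIAL_LEVEL is added from ldapclient(1M), not from the article.

```shell
# Generate a Solaris 10 /var/ldap/ldap_client_file from solarisprofile.ldif so the
# two copies of the profile never drift. Needs a POSIX awk (nawk on Solaris 8-10).
profile_to_client_file() {
    awk '
    BEGIN {   # DUAConfigProfile attribute -> ldap_client_file keyword
        m["cn"] = "NS_LDAP_PROFILE";              m["authenticationMethod"] = "NS_LDAP_AUTH"
        m["credentialLevel"] = "NS_LDAP_CREDENTIAL_LEVEL"   # keyword not in the article listing
        m["defaultSearchBase"] = "NS_LDAP_SEARCH_BASEDN";   m["defaultSearchScope"] = "NS_LDAP_SEARCH_SCOPE"
        m["defaultServerList"] = "NS_LDAP_SERVERS";         m["objectclassMap"] = "NS_LDAP_OBJECTCLASSMAP"
        m["serviceSearchDescriptor"] = "NS_LDAP_SERVICE_SEARCH_DESC"
        m["bindTimeLimit"] = "NS_LDAP_BIND_TIME";           m["searchTimeLimit"] = "NS_LDAP_SEARCH_TIME"
        m["profileTTL"] = "NS_LDAP_CACHETTL";               m["followReferrals"] = "NS_LDAP_SEARCH_REF"
        print "NS_LDAP_FILE_VERSION= 2.0"
    }
    /^[ \t]*$/ || /^#/ { next }
    {
        i = index($0, ":")                 # split on the FIRST colon only: search
        if (i == 0) next                   # descriptor values contain more colons
        attr = substr($0, 1, i - 1)
        val  = substr($0, i + 1); sub(/^[ \t]+/, "", val)
        if (!(attr in m)) next             # dn:, objectClass: and unknown attrs are dropped
        if (attr == "defaultServerList")   # ldap_client_file lists servers as "a, b"
            gsub(/,[ \t]*/, ", ", val)
        printf "%s= %s\n", m[attr], val
    }
    '
}

# The article profile, embedded (abridged) so the example runs offline.
sample_profile() {
    printf '%s\n' \
        'dn: cn=solaris,ou=profile,dc=example,dc=com' \
        'objectClass: DUAConfigProfile' \
        'cn: SolarisProfile' \
        'authenticationMethod: none' \
        'defaultSearchBase: dc=example,dc=com' \
        'defaultSearchScope: one' \
        'defaultServerList: ipa1.example.com,ipa2.example.com' \
        'serviceSearchDescriptor: passwd:cn=users,cn=accounts,dc=example,dc=com' \
        'serviceSearchDescriptor: auto_master:automountMapName=auto.master,cn=default,cn=automount,dc=example,dc=com' \
        'bindTimeLimit: 5' \
        'profileTTL: 6000' \
        'followReferrals: TRUE'
}

# On a real host: profile_to_client_file < solarisprofile.ldif > /var/ldap/ldap_client_file
sample_profile | profile_to_client_file
```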

Touch the credential file and start the LDAP client:

touch /var/ldap/ldap_client_cred
svcadm enable ldap/client

You can then initialize the LDAP client with the proxy’s DN:

ldapclient -v init \
-a proxyDN="uid=solarisproxyagent,cn=sysaccounts,cn=etc,dc=example,dc=com" \
-a proxyPassword="setyourpasswordhere" \

Edit PAM settings (Solaris 10 & 11):

login    auth requisite         pam_authtok_get.so.1
login    auth required          pam_dhkeys.so.1
login    auth required          pam_unix_cred.so.1
login    auth sufficient        pam_krb5.so.1 try_first_pass
login    auth required          pam_unix_auth.so.1
login    auth required          pam_dial_auth.so.1
other    auth requisite         pam_authtok_get.so.1
other    auth required          pam_dhkeys.so.1
other    auth required          pam_unix_cred.so.1
other    auth sufficient        pam_krb5.so.1
other    auth required          pam_unix_auth.so.1
other    account requisite      pam_roles.so.1
other    account required       pam_unix_account.so.1
other    account required       pam_krb5.so.1
other    password requisite     pam_authtok_check.so.1 force_check
other    password sufficient    pam_krb5.so.1
other    password required      pam_authtok_store.so.1

Setup sudoers (Solaris 10 & 11):

Create a symlink for sudoers, since it doesn’t use the system’s LDAP settings. (Oracle fail.)

ln -s /etc/openldap/ldap.conf /etc/ldap.conf

Edit /etc/openldap/ldap.conf:

BASE dc=example,dc=com
URI ldap://ipa1.example.com
SUDOERS_BASE ou=sudoers,dc=example,dc=com

Wrap it up (Solaris 10 & 11):

Make sure the LDAP client is enabled, then reboot:

svcadm enable ldap/client
init 6