
3.5. Configuring a Solaris System as an IPA Client

3.5.1. Configuring Solaris 10

  1. As with Red Hat Enterprise Linux systems, IPA provides an automated method of configuring Solaris 10 to function as an IPA client. On the Solaris client, run the ldapclient command with the information for the IPA domain (the backslashes continue the single command across lines):
    [root@server ~]# ldapclient manual \
             -a credentialLevel=anonymous \
             -a authenticationMethod=none \
             -a defaultSearchBase=dc=example,dc=com \
             -a domainName=example.com \
             -a defaultServerList=192.168.0.1 \
             -a attributeMap=group:memberuid=memberUid \
             -a attributeMap=group:gidnumber=gidNumber \
             -a attributeMap=passwd:gidnumber=gidNumber \
             -a attributeMap=passwd:uidnumber=uidNumber \
             -a attributeMap=passwd:homedirectory=homeDirectory \
             -a attributeMap=passwd:loginshell=loginShell \
             -a attributeMap=shadow:userpassword=userPassword \
             -a objectClassMap=group:posixGroup=posixgroup \
             -a objectClassMap=passwd:posixAccount=posixaccount \
             -a objectClassMap=shadow:shadowAccount=posixaccount \
             -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
             -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
  2. Remove the ldap option from all entries in /etc/nsswitch.conf except for the passwd: and group: entries.
  3. Configure and enable NTP and synchronize the time between the client and the IPA server.
    [root@server ~]# ntpdate ipaserver.example.com
  4. Configure the Kerberos client. The Kerberos configuration includes specifying the realm and domain details and default ticket attributes.
    [root@server ~]# vim /etc/krb5/krb5.conf
    
    [libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false
    
    [realms]
    EXAMPLE.COM = {
    kdc = ipaserver.example.com
    admin_server = ipaserver.example.com
    }
    
    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    kinit = {
    renewable = true
    forwardable = true
    }
    The default file created by ldapclient configures forwardable tickets by default, which makes it possible to connect to the UI from any system and provides a way to audit administration operations.
  5. Configure PAM to use Kerberos authentication. For example:
    [root@server ~]# vim /etc/pam.conf 
    
    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth sufficient         pam_krb5.so.1 try_first_pass
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1
    # Password construction requirements apply to all users.
    # Remove force_check to have the traditional authorized administrator
    # bypass of construction requirements.
    other   password requisite      pam_authtok_check.so.1 force_check
    other   password sufficient     pam_krb5.so.1
    other   password required       pam_authtok_store.so.1
  6. Configure NFS to work with the Kerberos domain.
    1. Add the admin principal on the IPA server.
      [root@server ~]# kadmin.local -q "addprinc testadmin/admin"
    2. Edit the Kerberos KDC ACLs in /var/kerberos/krb5kdc/kadm5.acl on the IPA server to allow access from the NFS client machine.
    3. Use the kclient command to set up the NFS client for Kerberos authentication.
      • Do not set up DNS.
      • Do enter the IPA server and realm information.
      • Do answer yes to configure Kerberized NFS.
      • Do not copy over the master krb5.conf file.
      [root@server ~]# kclient
      
      Starting client setup
      
      ---------------------------------------------------
      Do you want to use DNS for kerberos lookups ? [y/n]: n
              No action performed.
      Enter the Kerberos realm: EXAMPLE.COM
      Specify the KDC hostname for the above realm: ipaserver.example.com
      ipaserver.example.com
      
      Note, this system and the KDC's time must be within 5 minutes of each other for
      Kerberos to function.  Both systems should run some form of time
      synchronization system like Network Time Protocol (NTP).
      
      Setting up /etc/krb5/krb5.conf.
      
      Enter the krb5 administrative principal to be used: testadmin
      Obtaining TGT for testadmin/admin ...
      Password for testadmin/admin@EXAMPLE.COM:
      
      Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ?
      [y/n]: n
              No action performed.
      
      Do you plan on doing Kerberized nfs ? [y/n]: y
      
      nfs/client.example.com entry ADDED to KDC database.
      nfs/client.example.com entry ADDED to keytab.
      
      host/client.example.com entry ADDED to KDC database.
      host/client.example.com entry ADDED to keytab.
      
      Do you want to copy over the master krb5.conf file ? [y/n]: n
              No action performed.
      
      ---------------------------------------------------
      Setup COMPLETE.
    4. Verify that the NFS service keytab was created:
      [root@server ~]# klist -ket /etc/krb5/krb5.keytab
    5. Verify that the NFS server is accessible:
      [root@server ~]# showmount -e ipaserver.example.com
    6. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5	390003	kerberos_v5	default -	# RPCSEC_GSS
    7. Mount the NFS share.
      [root@server ~]# mount -F nfs -o vers=4,sec=krb5 ipaserver.example.com:/ /mnt/
    8. On the IPA client, use the ktutil command to import the contents into the main host keytab.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q

3.5.2. Configuring Solaris 9

  1. Perform steps 1 through 5 in Section 3.5.1, “Configuring Solaris 10” to set up the Solaris 9 client.
  2. Configure the NFS client.
    1. Configure the /etc/exports file on the NFS server.
      /nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)
    2. Add an NFS service principal for the client.
      [root@server ~]# ipa service-add nfs/client.example.com
    3. Create the NFS keytab file.
      [root@server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/client.example.com -k /tmp/krb5.keytab -e des-cbc-crc
    4. Copy the keytab from the server to the client.
      [root@server ~]# scp /tmp/krb5.keytab root@client.example.com:/tmp/krb5.keytab
    5. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5p	390005	kerberos_v5	default	privacy	# RPCSEC_GSS
    6. Obtain a ticket for the NFS client.
      [root@server ~]# kinit -k nfs/client.example.com
    7. Mount the NFS share.
      [root@server ~]# mount -F nfs -o sec=krb5p ipaserver.example.com:/nfs /mnt/
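The keytab and nfssec.conf checks in steps 4 and 6 of the Solaris 10 NFS procedure and step 5 of the Solaris 9 procedure can be scripted; the helper below is added example code, not part of the IPA documentation. It assumes the klist -ket listing format shown in the constructed sample and the standard flavor names krb5, krb5i and krb5p in /etc/nfssec.conf.

```shell
#!/bin/sh
# Added verification helper, not part of the IPA documentation. It checks the
# two things the NFS steps set up on the client: the service keys in the
# keytab ("klist -ket" listing) and the RPCSEC_GSS flavor enabled in
# /etc/nfssec.conf. The samples below are constructed.

# keytab_has_principal LISTING PRINCIPAL -> 0 if PRINCIPAL is a field of any
# line of the klist listing (works for one- and two-field timestamps).
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# nfssec_flavor_enabled CONF FLAVOR -> 0 if an uncommented kerberos_v5 line
# for FLAVOR (krb5, krb5i or krb5p) exists in the nfssec.conf text.
nfssec_flavor_enabled() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^[ \t]*#/ { next }
        $1 == f && $3 == "kerberos_v5" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_nfs_client LISTING CONF FLAVOR PRINCIPAL... -> 0 when every listed
# principal is in the keytab and FLAVOR is enabled, 1 (with reasons) otherwise.
check_nfs_client() {
    listing=$1; conf=$2; flavor=$3; shift 3; rc=0
    for princ in "$@"; do
        keytab_has_principal "$listing" "$princ" ||
            { echo "missing keytab entry: $princ" >&2; rc=1; }
    done
    nfssec_flavor_enabled "$conf" "$flavor" ||
        { echo "sec=$flavor is commented out in nfssec.conf" >&2; rc=1; }
    return $rc
}

# Constructed sample of "klist -ket /etc/krb5/krb5.keytab" after kclient ran.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
   2 01/01/12 10:00:00 nfs/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)
   2 01/01/12 10:00:00 host/client.example.com@EXAMPLE.COM (DES cbc mode with CRC-32)'

# Constructed /etc/nfssec.conf excerpt: only the krb5 flavor is uncommented.
SAMPLE_NFSSEC='sys     1       -            -        -          # AUTH_SYS
krb5    390003  kerberos_v5  default  -          # RPCSEC_GSS
#krb5i  390004  kerberos_v5  default  integrity  # RPCSEC_GSS
#krb5p  390005  kerberos_v5  default  privacy    # RPCSEC_GSS'

check_nfs_client "$SAMPLE_KLIST" "$SAMPLE_NFSSEC" krb5 \
    nfs/client.example.com@EXAMPLE.COM host/client.example.com@EXAMPLE.COM &&
    echo "keytab and nfssec.conf are ready for mount -o sec=krb5"
```

On a real client, pass the live data instead of the samples, for example `check_nfs_client "$(klist -ket /etc/krb5/krb5.keytab)" "$(cat /etc/nfssec.conf)" krb5p nfs/client.example.com@EXAMPLE.COM` before the Solaris 9 sec=krb5p mount.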