Difference between revisions of "Omnios ipa client"
Revision as of 14:29, 1 April 2013
Thanks to Johan Petersson on the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).
add machine account to IPA domain
Add the host to DNS and create a machine (host) account for it in the realm. In this example the host to join is solaris.example.com, the IPA server (KDC) is ipaserver.example.com, and solaris.example.com gets the IP address 192.168.0.1. Run these commands as an admin user (holding a Kerberos ticket) on a host with the IPA admin tools installed. --ip-address makes IPA create the DNS record for the host and --force skips the check that the name already resolves; the second command lets ipaserver.example.com manage the new host entry, so its keytab can be retrieved from there:
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
export keytab for machine account
As before, run this as an admin user on a host with the IPA admin tools:
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
ipa-getkeytab generates a new key for the principal every time it runs, so any keytab previously issued for host/solaris.example.com stops working. Copy solaris.keytab to the OmniOS host as /etc/krb5/krb5.keytab over an authenticated channel such as scp, remove the copy left in /tmp on the admin host, and restrict the file so that only root can read the host key:
chown root:sys /etc/krb5/krb5.keytab
chmod 600 /etc/krb5/krb5.keytab
configure kerberos on omnios host
Edit /etc/krb5/krb5.conf (the realm entry under [realms] is a { } block and must be closed):
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }
[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
verify_ap_req_nofail = false makes pam_krb5 accept a freshly obtained TGT even when it cannot be verified against the host key in /etc/krb5/krb5.keytab, and that verification is the client's protection against a spoofed KDC. On illumos the default is true, and because this host now has a valid keytab the verification should succeed, so the safer choice is to leave the line out (or set it to true) and only switch it to false while troubleshooting a keytab problem.
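As an added example (not code from the original page, FreeIPA or OmniOS), the following Python script parses a krb5.conf in the format shown above and reports the problems a reviewer would look for at this step: a realm entry whose { } block is not closed, a missing kdc or domain_realm mapping, verify_ap_req_nofail = false on a host that has a keytab, and a keytab that is readable by anyone but root. The host, server and realm names are the page's; the keytab check takes the st_mode of /etc/krb5/krb5.keytab, and the sample config is embedded (constructed from the page) so the script runs offline.

```python
"""Lint the krb5.conf used to join an OmniOS/illumos host to a FreeIPA realm.

Added example, not from the original wiki page: a small parser for the
krb5.conf format (sections, key = value, and the `name = { ... }` blocks used
under [realms]) plus checks for mistakes that break or weaken the join.
"""
import re
import stat

# The page's krb5.conf with the realm block closed (constructed sample).
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false
[realms]
    EXAMPLE.COM = {
        kdc = ipaserver.example.com
        admin_server = ipaserver.example.com
    }
[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
"""


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}.

    Raises ValueError on an unclosed `{ }` block or a stray `}`: an unclosed
    realm block swallows every section after it, so it must not pass silently.
    """
    config = {}
    stack = []  # stack[0] is the current section, deeper entries are { } blocks
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:
            if len(stack) > 1:
                raise ValueError(f'line {lineno}: [{m.group(1)}] begins inside an unclosed {{ }} block')
            stack = [config.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f'line {lineno}: directive before any [section]')
        if line == '}':
            if len(stack) < 2:
                raise ValueError(f'line {lineno}: unmatched }}')
            stack.pop()
            continue
        m = re.match(r'^([\w.\-]+)\s*=\s*(.+)$', line)
        if not m:
            raise ValueError(f'line {lineno}: cannot parse {raw.strip()!r}')
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            stack[-1][key] = block = {}
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError('unterminated { } block at end of file')
    return config


def audit(config, host_fqdn, keytab_mode=None):
    """Return findings: realm wiring, verify_ap_req_nofail, and optionally
    the keytab's st_mode (os.stat('/etc/krb5/krb5.keytab').st_mode)."""
    findings = []
    libdefaults = config.get('libdefaults', {})
    realm = libdefaults.get('default_realm')
    if not realm:
        findings.append('libdefaults: default_realm is not set')
    # On illumos/Solaris verify_ap_req_nofail defaults to true: pam_krb5 must
    # verify a fresh TGT against the host key in the keytab. With a keytab
    # installed there is no reason to turn that KDC-spoofing check off.
    if libdefaults.get('verify_ap_req_nofail', 'true').lower() == 'false':
        findings.append('libdefaults: verify_ap_req_nofail = false disables TGT verification against the host keytab')
    stanza = config.get('realms', {}).get(realm) if realm else None
    if realm and not isinstance(stanza, dict):
        findings.append(f'realms: no { "{ }" } block for default realm {realm}')
    elif realm and 'kdc' not in stanza:
        findings.append(f'realms: {realm} has no kdc')
    domain = host_fqdn.partition('.')[2]  # solaris.example.com -> example.com
    mapping = config.get('domain_realm', {})
    if realm and realm not in (mapping.get(domain), mapping.get('.' + domain)):
        findings.append(f'domain_realm: {domain} is not mapped to {realm}')
    if keytab_mode is not None and stat.S_IMODE(keytab_mode) & 0o077:
        findings.append('keytab is group/world accessible; expected mode 0600 owned by root')
    return findings


if __name__ == '__main__':
    # On the OmniOS host, pass open('/etc/krb5/krb5.conf').read() and
    # os.stat('/etc/krb5/krb5.keytab').st_mode instead of the sample values.
    for finding in audit(parse_krb5_conf(SAMPLE_KRB5_CONF), 'solaris.example.com', 0o100600):
        print('FINDING:', finding)
```

Run against the page's configuration the only finding is the verify_ap_req_nofail one; remove the line (or set it to true) and the audit is clean, while deleting the closing brace makes the parser refuse the file instead of silently losing the [domain_realm] section.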
configure ntp
Kerberos rejects requests when the client and KDC clocks differ by more than the permitted skew (5 minutes by default), so keep the OmniOS host in sync with the IPA server. Copy the template /etc/inet/ntp.client to /etc/inet/ntp.conf and add the IPA server to the server list:
server ipaserver.example.com iburst
# svcadm enable ntp
To see that the service is running:
# svcs ntp
To see which servers are in use and whether the IPA server has been reached:
# ntpq -p
verify kerberos is working
Obtain a ticket for a user principal to confirm that the KDC is reachable and the realm configuration is right, then kdestroy so that root's credential cache does not keep an admin TGT around. To check the host keytab itself, kinit -k host/solaris.example.com should succeed without asking for a password:
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting Expires Service principal
04/01/13 14:17:23 04/02/13 14:17:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
configure ldap
With NTP and Kerberos in place the LDAP client can authenticate with SASL/GSSAPI. Use the ldapclient tool for this; the IPA directory ships a DUAConfigProfile named default that ldapclient can download. authenticationMethod=sasl/gssapi together with credentialLevel=self makes the client bind as its own host principal using the keytab, so no proxy DN or password has to be stored on the client (hence the NULL proxy credentials in the output below):
# ldapclient init -v -a authenticationMethod=sasl/gssapi -a credentialLevel=self -a profileName=default ipaserver.example.com
Parsing authenticationMethod=sasl/gssapi
Parsing credentialLevel=self
Parsing profileName=default
Arguments parsed:
authenticationMethod: sasl/gssapi
credentialLevel: self
profileName: default
defaultServerList: ipaserver.example.com
Handling init option
About to configure machine by downloading a profile
Warning: init authentication method not found in DUAConfigProfile.
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
Verify it is working. The credential cache now holds a ticket for the machine account we just joined (obtained from the keytab), and the service ticket for ldap/ipaserver.example.com shows that the LDAP bind to the IPA server was made with GSSAPI as that account:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM
Valid starting Expires Service principal
04/01/13 14:22:21 04/02/13 00:22:21 krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21 04/02/13 00:22:21 ldap/ipaserver.example.com@EXAMPLE.COM
Verify LDAP lookups work: user information is now resolved from the IPA directory
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
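The klist check above is the one that proves the bind went through the machine account rather than through leftover admin credentials. As an added example (not part of the original page), this Python snippet parses klist output in the format shown on this page and asserts that the cache belongs to host/solaris.example.com and contains both the realm TGT and an ldap/ipaserver.example.com service ticket; a cache holding admin@EXAMPLE.COM, or one without the ldap ticket, means ldapclient init did not bind with the keytab as intended. The sample output is constructed from the page.

```python
"""Check that ldapclient bound to IPA as the machine account over SASL/GSSAPI.

Added example, not from the original wiki page: parses klist output as shown
on the page (illumos/MIT layout) and confirms the cache holds the host
principal's TGT plus a service ticket for ldap/<ipa server>, which is what a
successful GSSAPI bind with the keytab leaves behind.
"""
import re

# klist output from the page's verification step (constructed sample).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
"""

# "<date> <time>  <date> <time>  <service principal>"; the header line and
# indented "renew until" lines do not match this shape.
TICKET_LINE = re.compile(r'^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$')


def parse_klist(text):
    """Return (default principal, [service principals]) from klist output."""
    principal, services = None, []
    for line in text.splitlines():
        m = re.match(r'^Default principal:\s*(\S+)', line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_LINE.match(line)
        if m:
            services.append(m.group(3))
    return principal, services


def check_machine_bind(klist_text, host_fqdn, ipaserver_fqdn, realm):
    """Return a list of problems; empty means the cache looks like a
    successful SASL/GSSAPI bind by host/<host_fqdn> to ldap/<ipaserver_fqdn>."""
    principal, services = parse_klist(klist_text)
    want_principal = f'host/{host_fqdn}@{realm}'
    problems = []
    if principal != want_principal:
        problems.append(f'cache belongs to {principal!r}, not {want_principal}')
    if f'krbtgt/{realm}@{realm}' not in services:
        problems.append('no TGT for the realm: no kinit with the keytab took place')
    if f'ldap/{ipaserver_fqdn}@{realm}' not in services:
        problems.append(f'no ldap/{ipaserver_fqdn} service ticket: the LDAP bind was not GSSAPI to that server')
    return problems


if __name__ == '__main__':
    # On the OmniOS host feed the real output, e.g.
    # subprocess.run(['klist'], capture_output=True, text=True).stdout
    print(check_machine_bind(SAMPLE_KLIST, 'solaris.example.com',
                             'ipaserver.example.com', 'EXAMPLE.COM') or 'OK')
```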