Difference between revisions of "Omnios ipa client"
Revision as of 22:21, 28 August 2015
Thanks to Johan Petersson on the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).
This method only works when anonymous bind is allowed on the ldap servers. If you have disabled that, you should bind with ldapclient (consult the man page).
== add machine account to IPA domain ==
Add a host to dns and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com and the ipa server (kdc) is ipaserver.example.com. We assign solaris.example.com the ip address 192.168.0.1. Run these commands as an admin user (with a kerberos ticket) on a host with the ipa admin tools installed:
<pre>
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
</pre>
== export keytab for machine account ==
Just like before, run this as an admin user on a host with the ipa admin tools:
<pre>
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
</pre>
Copy this solaris.keytab file to the omnios host as /etc/krb5/krb5.keytab. Apply these permissions to the file:
<pre>
chown root:sys krb5.keytab
chmod 600 krb5.keytab
</pre>
== configure kerberos on omnios host ==
Edit /etc/krb5/krb5.conf:
<pre>
[libdefaults]
        default_realm = EXAMPLE.COM
        verify_ap_req_nofail = false

[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM
</pre>
== configure ntp ==
Add the server list to /etc/inet/ntp.client and rename it to ntp.conf:
<pre>
server ipaserver.example.com iburst
</pre>
Then enable the service:
<pre>
# svcadm enable ntp
</pre>
To see it is running properly:
<pre>
# svcs ntp
</pre>
To see what servers you are using:
<pre>
# ntpq -p
</pre>
== verify kerberos is working ==
<pre>
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
</pre>
== configure ldap ==
Now that we have ntp and kerberos configured, we can use sasl with ldap. Use the ldapclient tool for this (the ipa ldap server has a default ldap profile we can use for ldapclient):
<pre>
# ldapclient init -v -a authenticationMethod=sasl/gssapi -a credentialLevel=self -a profileName=default ipaserver.example.com
Parsing authenticationMethod=sasl/gssapi
Parsing credentialLevel=self
Parsing profileName=default
Arguments parsed:
        authenticationMethod: sasl/gssapi
        credentialLevel: self
        profileName: default
        defaultServerList: ipaserver.example.com
Handling init option
About to configure machine by downloading a profile
Warning: init authentication method not found in DUAConfigProfile.
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
</pre>
Verify it is working: we now have a ticket as the machine account we just joined (obtained from the keytab file), and we can see that the ldap service on the kdc was used to fetch ldap info:
<pre>
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
</pre>
Verify ldap is working; we can see user info from the ldap database:
<pre>
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
</pre>
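As an added example that is not part of this wiki page: two shell checks for the keytab step above, usable on the OmniOS host (and on Linux), that confirm /etc/krb5/krb5.keytab carries the 0600 mode the page sets and that a <code>klist -k</code> listing contains the host/&lt;fqdn&gt; principal ipa-getkeytab exported. The listing used below is constructed sample text in klist's layout, not output captured from a real host.

```sh
#!/bin/sh
# Added example, not from the wiki page. Checks the keytab installed in the
# "export keytab" step: mode 0600 and the host principal present. Only ls,
# cut, printf and awk are used so it runs on OmniOS/Solaris and Linux alike.

# Return 0 when the file is mode 0600 (owner read/write only), as the page's
# chmod sets, else 1. Parses the mode column of ls -ld rather than stat(1),
# whose options differ between Solaris and GNU.
keytab_mode_ok() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Return 0 when a 'klist -k' listing ($1) has an entry whose principal starts
# with host/<fqdn>@ for the FQDN given in $2, else 1.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v p="host/$2@" '
        index($2, p) == 1 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample in the layout klist -k prints for the page's keytab; it
# is not captured from a real host.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------
   2 host/solaris.example.com@EXAMPLE.COM'

# Run both checks; a throwaway temp file stands in for /etc/krb5/krb5.keytab
# so the demonstration needs no root and touches nothing under /etc.
demo() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"
    keytab_mode_ok "$tmp" && echo "mode 0600: ok"
    chmod 644 "$tmp"
    keytab_mode_ok "$tmp" || echo "mode 0644: keytab readable by other users"
    rm -f "$tmp"
    keytab_has_host_principal "$SAMPLE_KLIST" solaris.example.com \
        && echo "host/solaris.example.com principal: ok"
    keytab_has_host_principal "$SAMPLE_KLIST" other.example.com \
        || echo "host/other.example.com principal: missing"
}

demo
```

On the real host, feed the functions <code>/etc/krb5/krb5.keytab</code> and the output of <code>klist -k /etc/krb5/krb5.keytab</code> instead of the temp file and the sample text.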
=== getent group <groupname> ===
If you use getent to return group information you will see the results differ from those on your linux hosts: they are empty.
The reason is that the attribute 'member' in ipa has this format:
<pre>
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
</pre>
whereas the ldapclient that feeds its info to getent expects this:
<pre>
member: user
</pre>
This format is available in the compat tree of the directory. So if we change the ldap duaconfig profile (default, in cn=default,ou=profile,dc=domain,dc=tld) to reflect this, it will work.
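As an added example, not part of this wiki page, the following shell snippet shows the 'member' mismatch described above on a constructed group entry: it rewrites the accounts-tree DNs into the bare names the compat tree carries (assumed here to sit under cn=compat below the suffix, following FreeIPA's layout) and renders both forms the way getent group would print them. The effect of ldapclient treating a DN as a user name is modelled by skipping member values that contain '='; that modelling is an assumption, not the page's wording.

```sh
#!/bin/sh
# Added example, not from the wiki page. Shows the 'member' format mismatch
# behind the empty getent output: the accounts tree stores full DNs, while
# the Solaris ldapclient (and IPA's compat tree) use bare user names. The
# LDIF is constructed sample data, not a dump from a real server.

# Constructed group entry as returned from cn=groups,cn=accounts.
ACCOUNTS_LDIF='dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 1001
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com'

# Rewrite each accounts-style member DN to the bare uid the compat tree
# carries ('member: user'); every other line passes through unchanged.
to_compat_members() {
    printf '%s\n' "$1" |
        sed 's/^member: uid=\([^,]*\),cn=users,cn=accounts,.*/member: \1/'
}

# Render a group entry as getent group prints it (name:x:gid:members).
# A member value containing '=' is a DN, not a user name, so it is skipped;
# this models (as an assumption) why the page sees empty member lists.
getent_line() {
    printf '%s\n' "$1" | awk '
        /^cn: /                   { name = $2 }
        /^gidNumber: /            { gid = $2 }
        /^member: / && $2 !~ /=/  { m = (m == "" ? "" : m ",") $2 }
        END { printf "%s:x:%s:%s\n", name, gid, m }'
}

# Before: DNs land where user names are expected, so the list is empty.
# After: bare names, which is what the compat tree returns and getent needs.
echo "accounts tree:  $(getent_line "$ACCOUNTS_LDIF")"
echo "compat format:  $(getent_line "$(to_compat_members "$ACCOUNTS_LDIF")")"
```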