Difference between revisions of "Omnios ipa client"

From Asenjo
Latest revision as of 12:18, 1 July 2017


Thanks to Johan Petersson in the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).

This method uses sasl/gssapi ldap binds, so no proxy account is needed in the ldapclient configuration.

== add machine account to IPA domain ==

Add the host to dns and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com and the ipa server (kdc) is ipaserver.example.com. We assign solaris.example.com the ip address 192.168.0.1. Run these commands as an admin user (holding a kerberos ticket) on a host with the ipa admin tools installed:

<pre>
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com [enter]
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
</pre>

== export keytab for machine account ==

As before, run this as an admin user on a host with the ipa admin tools:

<pre>
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
</pre>

Copy solaris.keytab to the omnios host as /etc/krb5/krb5.keytab and set its ownership and permissions:

<pre>
chown root:sys /etc/krb5/krb5.keytab
chmod 600 /etc/krb5/krb5.keytab
</pre>

== configure kerberos on omnios host ==

Edit /etc/krb5/krb5.conf:

<pre>
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false
</pre>

== configure ntp ==

Add the server list to /etc/inet/ntp.client and rename the file to /etc/inet/ntp.conf:

<pre>
server ipaserver.example.com iburst
</pre>

<pre>
# svcadm enable ntp
</pre>

To check that it is running:

<pre>
# svcs ntp
</pre>

To see which servers you are using:

<pre>
# ntpq -p
</pre>

== verify kerberos is working ==

<pre>
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
</pre>

== configure ldap ==

With ntp and kerberos configured, we can bind to ldap with sasl. Use the ldapclient tool for this (the ipa ldap server has a default ldap profile that ldapclient can use):

<pre>
# ldapclient -v manual -a domainName=sub.domain.tld -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a defaultSearchBase=dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld -a objectclassMap=shadow:shadowAccount=posixAccount kdc1.sub.domain.tld [enter]
Parsing domainName=sub.domain.tld
Parsing credentialLevel=self
Parsing authenticationMethod=sasl/gssapi
Parsing defaultSearchBase=dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
Parsing objectclassMap=shadow:shadowAccount=posixAccount
Arguments parsed:
        authenticationMethod: sasl/gssapi
        defaultSearchBase: dc=sub,dc=domain,dc=tld
        credentialLevel: self
        domainName: sub.domain.tld
        objectclassMap:
                arg[0]: shadow:shadowAccount=posixAccount
        serviceSearchDescriptor:
                arg[0]: passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
                arg[1]: group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
        defaultServerList: kdc1.sub.domain.tld
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 2
Authentication method: 2
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "sub.domain.tld"
file_backup: stat(/var/yp/binding/sub.domain.tld)=-1
file_backup: No /var/yp/binding/sub.domain.tld directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname sub.domain.tld ... success
start: DNS client is enabled
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: network/ldap/client:default... success
start: sasl/GSSAPI bind works
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
</pre>

Verify it is working: we now hold a ticket as the machine account we just joined (obtained from the keytab file), and the service ticket for ldap/ipaserver.example.com shows that the ldap service on the kdc was used to fetch ldap information:

<pre>
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
</pre>

Verify ldap is working: user information is now resolved from the ldap database:

<pre>
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
</pre>
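The script below is an added example and not part of the original page: it checks the three files the procedure above leaves on the omnios host (the keytab's ownership and mode, the [libdefaults] settings in krb5.conf, and the server line in ntp.conf) before you attempt kinit. All paths, the function names and the sample files it builds are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: offline checks for the files this
# procedure leaves on the OmniOS host. Paths are parameters, so the functions run
# against constructed copies here and against the live files via preflight().

# keytab must exist, be mode 600 and be owned by the expected user:group
# (root:sys on the real host, as the page requires)
check_keytab() {
    kt=$1; want_user=$2; want_group=$3
    [ -f "$kt" ] || return 1
    set -- $(ls -ld "$kt")
    mode=$(printf '%s' "$1" | cut -c1-10)   # drop any ACL/SELinux marker after the bits
    [ "$mode" = "-rw-------" ] || return 2
    [ "$3" = "$want_user" ] && [ "$4" = "$want_group" ] || return 3
}

# print the value of one key from the [libdefaults] section of krb5.conf (empty if absent)
krb5_libdefault() {
    awk -v k="$2" '
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
        sec == "[libdefaults]" {
            line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (split(line, f, "[ \t]*=[ \t]*") >= 2 && f[1] == k) { print f[2]; exit }
        }' "$1"
}

# realm must be set and upper case (realm names are case sensitive and IPA realms
# are upper case), and the KDC must be found via DNS, which the page relies on
check_krb5_conf() {
    realm=$(krb5_libdefault "$1" default_realm)
    [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] || return 2
    [ "$(krb5_libdefault "$1" dns_lookup_kdc)" = "true" ] || return 3
}

# ntp.conf must list the IPA server: Kerberos rejects requests once clocks drift apart
check_ntp_conf() {
    awk -v h="$2" '$1 == "server" && $2 == h { found = 1 } END { exit !found }' "$1"
}

# run every check against the live paths from the page and report what failed
preflight() {
    ipa=${1:-ipaserver.example.com}; rc=0
    check_keytab /etc/krb5/krb5.keytab root sys || { echo "keytab check failed ($?)"; rc=1; }
    check_krb5_conf /etc/krb5/krb5.conf       || { echo "krb5.conf check failed ($?)"; rc=1; }
    check_ntp_conf /etc/inet/ntp.conf "$ipa"  || { echo "ntp.conf does not list $ipa"; rc=1; }
    return $rc
}

# constructed sample files (not from the page) so the checks can be exercised offline
make_sample() {
    d=$(mktemp -d) || return 1
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n\tdns_lookup_kdc = true\n\tverify_ap_req_nofail = false\n' > "$d/krb5.conf"
    printf 'server ipaserver.example.com iburst\n' > "$d/ntp.conf"
    : > "$d/krb5.keytab";  chmod 600 "$d/krb5.keytab"
    : > "$d/loose.keytab"; chmod 644 "$d/loose.keytab"   # wrong mode, must be rejected
    chgrp "$(id -gn)" "$d"/*.keytab 2>/dev/null || true   # BSD-style dirs inherit the parent group
    printf '%s\n' "$d"
}
```

On the real host, source the file and run `preflight ipaserver.example.com` as root; a non-zero return names the file that still needs attention.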

=== enable the nscd service ===

Unless this is running, user/group/etc. lookups will be '''*very*''' slow. I know there are downsides to nscd but really, turn it on:

<pre>
# svcadm enable name-service-cache [enter]
</pre>

After that, user lookups (or an ls -l in a directory whose files are owned by different ldap users) will be instantaneous.

=== getent group <groupname> ===

If you use getent to query group information, you will see that the results differ from those on your linux hosts: the member lists are empty.

The reason is that the 'member' attribute in ipa has this format:

<pre>
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
</pre>


whereas the ldapclient that feeds its information to getent expects this:

<pre>
member: user
</pre>
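To see the mismatch concretely, this added helper (not from the original page, and not its fix) takes an ipa group entry in LDIF and reduces each DN-valued member to the flat user name ldapclient expects; the group entry it runs on is constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the page: reduces the DN-valued member attributes of an
# IPA group entry to the flat user names described above. It illustrates the
# format difference only; it is not a fix for ldapclient.
ipa_members_to_flat() {
    # stdin: LDIF; stdout: "member: <uid>" for each "member: uid=<uid>,..." line;
    # members whose RDN is not uid= (nested groups, hosts) are reported on stderr
    awk '
        /^member:[ \t]*uid=/ {
            v = $0; sub(/^member:[ \t]*uid=/, "", v); sub(/,.*$/, "", v)
            print "member: " v; next
        }
        /^member:/ { print "skipped non-user member: " $0 > "/dev/stderr" }'
}

# constructed group entry in the format the page describes (not real directory data)
SAMPLE_GROUP_LDIF='dn: cn=admins,cn=groups,cn=accounts,dc=domain,dc=tld
cn: admins
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
member: uid=admin,cn=users,cn=accounts,dc=domain,dc=tld
member: cn=nested,cn=groups,cn=accounts,dc=domain,dc=tld'

# flat member list for the sample group; the nested group is dropped with a note on stderr
flat_members() { printf '%s\n' "$SAMPLE_GROUP_LDIF" | ipa_members_to_flat 2>/dev/null; }
```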