Difference between revisions of "Omnios ipa client"
Latest revision as of 12:18, 1 July 2017
Thanks to Johan Petersson on the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).

This method works with SASL/GSSAPI LDAP binds, so no proxy account (and no stored proxy password) is needed in the ldapclient configuration.
== add machine account to IPA domain ==

Add a host to DNS and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com, the IPA server (KDC) is ipaserver.example.com, and we assign solaris.example.com the IP address 192.168.0.1. Run these commands as an admin user (with a Kerberos ticket) on a host with the IPA admin tools installed:

<pre>
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com [enter]
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
</pre>

== export keytab for machine account ==

Just like before, run this as an admin user on a host with the IPA admin tools:

<pre>
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
</pre>

Copy this solaris.keytab file to the OmniOS host as /etc/krb5/krb5.keytab and apply these permissions to it (the keytab is the host's long-term credential, so only root may read it):

<pre>
chown root:sys krb5.keytab
chmod 600 krb5.keytab
</pre>

== configure kerberos on omnios host ==

Edit /etc/krb5/krb5.conf:

<pre>
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false
</pre>

== configure ntp ==

Kerberos requires the clocks to be in sync. Add the server list to /etc/inet/ntp.client and rename it to ntp.conf:

<pre>
server ipaserver.example.com iburst
</pre>

<pre>
# svcadm enable ntp
</pre>

To see that it is running properly:

<pre>
# svcs ntp
</pre>

To see which servers you are using:

<pre>
# ntpq -p
</pre>

== verify kerberos is working ==

<pre>
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting     Expires            Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
</pre>
== configure ldap ==

Now that we have NTP and Kerberos configured, we can use SASL with LDAP. Use the ldapclient tool for this (the IPA LDAP server has a default LDAP profile we can use for ldapclient). Note that the transcript below was captured against a different example setup (domain sub.domain.tld, server kdc1.sub.domain.tld); substitute your own domain, search base and server:

<pre>
# ldapclient -v manual -a domainName=sub.domain.tld -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a defaultSearchBase=dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld -a objectclassMap=shadow:shadowAccount=posixAccount kdc1.sub.domain.tld [enter]
Parsing domainName=sub.domain.tld
Parsing credentialLevel=self
Parsing authenticationMethod=sasl/gssapi
Parsing defaultSearchBase=dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
Parsing objectclassMap=shadow:shadowAccount=posixAccount
Arguments parsed:
        authenticationMethod: sasl/gssapi
        defaultSearchBase: dc=sub,dc=domain,dc=tld
        credentialLevel: self
        domainName: sub.domain.tld
        objectclassMap:
                arg[0]: shadow:shadowAccount=posixAccount
        serviceSearchDescriptor:
                arg[0]: passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
                arg[1]: group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
        defaultServerList: kdc1.sub.domain.tld
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 2
Authentication method: 2
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "sub.domain.tld"
file_backup: stat(/var/yp/binding/sub.domain.tld)=-1
file_backup: No /var/yp/binding/sub.domain.tld directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname sub.domain.tld ... success
start: DNS client is enabled
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: network/ldap/client:default... success
start: sasl/GSSAPI bind works
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
</pre>

Verify that it is working: we now hold a ticket as the machine account we just joined (obtained from the keytab file), and the ldap/ service ticket shows that the LDAP service on the KDC has been used to fetch directory information:

<pre>
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
</pre>

Verify that LDAP lookups work: we can see user information from the LDAP database:

<pre>
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
</pre>
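The property this method buys you is that nothing on the client holds a proxy bind password. The script below is an added example (not from the wiki page or from the ldapclient tool) that audits the finished setup: it checks the keytab mode the page prescribes and inspects an ldapclient profile for sasl/GSSAPI, credentialLevel self and the absence of proxy credentials. The NS_LDAP_* key names are assumed to match what <code>ldapclient list</code> prints, and the profile texts are constructed samples.

```shell
#!/bin/sh
# Added example: audit the sasl/GSSAPI ldapclient setup from the page above.
#   1. the keytab holding the host credential must be mode 600, as the page requires
#   2. the ldapclient profile must bind as "self" over sasl/GSSAPI with no proxy
#      bind DN/password (the point of the method: no proxy account on the client)
# NS_LDAP_AUTH / NS_LDAP_CREDENTIAL_LEVEL / NS_LDAP_BINDDN / NS_LDAP_BINDPASSWD
# are assumed to be the key names "ldapclient list" prints.

# keytab_mode_ok FILE -> 0 if FILE is a regular file with mode exactly 0600
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# profile_no_proxy PROFILE_TEXT -> 0 if the profile uses sasl/GSSAPI with
# credentialLevel self and stores no proxy credentials; 1 otherwise
profile_no_proxy() {
    printf '%s\n' "$1" | awk '
        /^NS_LDAP_AUTH=/             { auth = $2 }
        /^NS_LDAP_CREDENTIAL_LEVEL=/ { level = $2 }
        /^NS_LDAP_BINDDN=/           { proxy = 1 }
        /^NS_LDAP_BINDPASSWD=/       { proxy = 1 }
        END { ok = (tolower(auth) == "sasl/gssapi" && level == "self" && !proxy)
              exit (ok ? 0 : 1) }'
}

# audit KEYTAB PROFILE_TEXT -> 0 only if both checks pass
audit() {
    keytab_mode_ok "$1" && profile_no_proxy "$2"
}

# Constructed sample: the profile the page's ldapclient invocation should leave
GOOD_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc1.sub.domain.tld
NS_LDAP_SEARCH_BASEDN= dc=sub,dc=domain,dc=tld
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CREDENTIAL_LEVEL= self'

# Constructed sample: a proxy-account profile, which keeps a bind password on disk
BAD_PROFILE='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc1.sub.domain.tld
NS_LDAP_BINDDN= uid=proxy,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld
NS_LDAP_BINDPASSWD= {NS1}PLACEHOLDER-NOT-A-REAL-VALUE
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy'

# Demo on the constructed samples; on a real host pass "$(ldapclient list)"
profile_no_proxy "$GOOD_PROFILE" && echo "gssapi profile: accepted"
profile_no_proxy "$BAD_PROFILE"  || echo "proxy profile: rejected"
```

On the OmniOS host itself, <code>audit /etc/krb5/krb5.keytab "$(ldapclient list)"</code> returns 0 only when both the keytab permissions and the proxy-free profile are in place.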
=== enable the nscd service ===

Unless this is running, user/group/etc. lookups will be '''very''' slow. I know there are downsides to nscd, but really, turn it on:

<pre>
# svcadm enable name-service-cache [enter]
</pre>

After that, user look-ups will be instantaneous (try ls -l in a folder whose files are owned by different LDAP users).

=== getent group <groupname> ===

If you use getent to return group information you will see that the results differ from those on your Linux hosts: the member lists are empty.

The reason is that the 'member' attribute in IPA holds a full DN:

<pre>
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
</pre>

whereas the ldapclient that feeds its information to getent expects a bare user name:

<pre>
member: user
</pre>