Difference between revisions of "Omnios ipa client"
Latest revision as of 12:18, 1 July 2017
Thanks to Johan Petersson on the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).
This method uses SASL/GSSAPI LDAP binds, so the ldapclient configuration needs no proxy account: the host authenticates to the IPA directory with its own host principal from the keytab, and no proxy DN or password is stored on the client.
add machine account to IPA domain
Add the host to DNS and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com, the IPA server (KDC) is ipaserver.example.com and we assign solaris.example.com the IP address 192.168.0.1. Run these commands as an admin user (holding a Kerberos ticket) on a host with the IPA admin tools installed. --force lets host-add proceed even though the name does not resolve yet (the --ip-address option creates the DNS record in the same step); host-add-managedby grants the ipaserver.example.com host principal management rights over the new entry, such as retrieving its keytab:
<pre>
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
</pre>
export keytab for machine account
Just like before, run this as an admin user on a host with the IPA admin tools. Note that ipa-getkeytab generates a fresh key for the principal every time it is run, so any keytab previously exported for host/solaris.example.com stops working:
<pre>
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
</pre>
Copy solaris.keytab to the OmniOS host as /etc/krb5/krb5.keytab over an encrypted channel (scp, for instance), delete the copy in /tmp afterwards, and apply these permissions to the file. The keytab is the host's long-term credential: anyone who can read it can impersonate the host to the KDC and to the directory.
<pre>
chown root:sys krb5.keytab
chmod 600 krb5.keytab
</pre>
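The checks below are an added example, not part of the original page: a few shell functions that verify the installed keytab has the ownership and mode the page asks for, and that it actually contains the host principal. The path, owner, group, mode and principal are parameters; the values in the demo call at the end are the page's (/etc/krb5/krb5.keytab, root:sys, 0600, host/solaris.example.com). The mode and owner are read from `ls -ld`, which has the same column layout on illumos and Linux (unlike `stat`).

```shell
#!/bin/sh
# Added example: sanity checks for a host keytab. Not from the original page.

# file_mode_is FILE MODE: compare the symbolic mode column of `ls -ld`
# against MODE, e.g. "-rw-------" for 0600. A trailing '+' (ACL) or '.'
# (SELinux label) marker is stripped before comparing.
file_mode_is() {
    _mode=$(ls -ld "$1" | awk '{ print $1 }' | sed 's/[.+]$//')
    [ "$_mode" = "$2" ]
}

# file_owner_is FILE USER GROUP: owner and group columns of `ls -ld`
file_owner_is() {
    _own=$(ls -ld "$1" | awk '{ print $3 ":" $4 }')
    [ "$_own" = "$2:$3" ]
}

# keytab_has_principal FILE PRINCIPAL: `klist -k` lists the principals stored
# in a keytab; succeed if PRINCIPAL@<realm> appears. Requires a real keytab,
# so this one is only exercised by the guarded demo below.
keytab_has_principal() {
    klist -k "$1" 2>/dev/null | grep -q "[[:space:]]$2@"
}

# check_keytab FILE USER GROUP MODE PRINCIPAL: run all checks, report each
# failure on stdout, and return 1 if any check failed.
check_keytab() {
    _rc=0
    file_owner_is "$1" "$2" "$3"  || { echo "$1: owner is not $2:$3"; _rc=1; }
    file_mode_is "$1" "$4"        || { echo "$1: mode is not $4"; _rc=1; }
    keytab_has_principal "$1" "$5" || { echo "$1: no key for $5"; _rc=1; }
    return $_rc
}

# Demo with the page's values; skipped when no keytab is installed.
if [ -f /etc/krb5/krb5.keytab ]; then
    if check_keytab /etc/krb5/krb5.keytab root sys -rw------- host/solaris.example.com; then
        echo "keytab ok"
    fi
fi
```

Run `check_keytab` as root after copying the keytab and before moving on to the Kerberos and LDAP steps; a wrong principal name here is the usual reason the later GSSAPI bind fails.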
configure kerberos on omnios host
Edit /etc/krb5/krb5.conf:
<pre>
[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false
</pre>
dns_lookup_kdc = true locates the KDC through the _kerberos SRV records IPA publishes in DNS, so no [realms] section is needed. verify_ap_req_nofail = false means that a library obtaining initial credentials on this host (pam_krb5, for example) does not fail when the TGT cannot be verified against the host key in the keytab. That is the value this page uses; with the host keytab in place, true is the stricter setting, because it makes password logins fail closed if something answers as the KDC without knowing the host key.
configure ntp
Kerberos rejects requests whose timestamp differs from the KDC's clock by more than the permitted clock skew (five minutes by default), so the client must be synchronised before kinit can work. Copy /etc/inet/ntp.client to /etc/inet/ntp.conf and add the server line:
<pre>
server ipaserver.example.com iburst
</pre>
<pre>
# svcadm enable ntp
</pre>
To see that the service is running:
<pre>
# svcs ntp
</pre>
To see which servers you are synchronising with and the current offset:
<pre>
# ntpq -p
</pre>
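As an added example (not from the original page), the two functions below turn the `ntpq -p` check into a pass/fail test that can run before attempting kinit: they pick the selected system peer (the line `ntpq -p` tags with `*`) and compare its absolute offset, in milliseconds, against a threshold. The sample output embedded in the block is constructed to match the `ntpq -p` column layout; the server names and the offsets in it are made up.

```shell
#!/bin/sh
# Added example: check the NTP offset reported by `ntpq -p` before relying on
# Kerberos. Not from the original page.

# ntp_syspeer_offset < ntpq_output: print the offset column (ms) of the
# selected system peer, the line whose first column starts with '*'.
# Exit 1 if no peer has been selected yet (clock not synchronised).
ntp_syspeer_offset() {
    awk '$1 ~ /^\*/ { print $9; found = 1 }
         END { exit found ? 0 : 1 }'
}

# ntp_skew_ok MAX_MS < ntpq_output: succeed only if a system peer is
# selected and its absolute offset is below MAX_MS. The Kerberos default
# clockskew is 300 s, but an offset anywhere near that means the clock is
# not really being disciplined; a few hundred ms is a sensible limit.
ntp_skew_ok() {
    _off=$(ntp_syspeer_offset) || return 1
    awk -v off="$_off" -v max="$1" \
        'BEGIN { off = off < 0 ? -off : off; exit off < max ? 0 : 1 }'
}

# Constructed sample output (same columns as `ntpq -p`): a synchronised
# client whose system peer is 1.8 ms off, and an unsynchronised one.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ipaserver.examp 192.0.2.10       2 u   34   64  377    0.412   -1.832   0.221
+ntp2.example.co 192.0.2.11       2 u   20   64  377    0.510    3.104   0.330'
SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ipaserver.examp .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Demo on the constructed data; on a real host pipe `ntpq -p` in instead.
if printf '%s\n' "$SAMPLE_NTPQ" | ntp_skew_ok 500; then
    echo "clock ok"
else
    echo "clock not synchronised"
fi
```

On the OmniOS host the call is `ntpq -p | ntp_skew_ok 500`; right after `svcadm enable ntp` it will fail until the `iburst` exchange completes and a peer is selected, which is exactly the window in which kinit would also fail.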
verify kerberos is working
<pre>
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM
Valid starting                Expires                Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
</pre>
This proves the KDC is reachable and the clocks agree. To test the host keytab itself rather than the admin password, kinit -k host/solaris.example.com should obtain a ticket without prompting; it is the same credential ldapclient will use in the next step.
configure ldap
Now that NTP and Kerberos are configured we can bind to LDAP with SASL/GSSAPI. Use the ldapclient tool for this (the IPA LDAP server has a default profile, but the example below uses manual mode and passes every attribute explicitly). The transcript was taken from a different installation than the rest of the page: the domain is sub.domain.tld and the server kdc1.sub.domain.tld, so substitute your own domain, base DN and IPA server. The passwd map is read from cn=users,cn=accounts and the group map from the cn=compat tree; credentialLevel=self with authenticationMethod=sasl/gssapi is what makes the proxy DN and password unnecessary.
<pre>
# ldapclient -v manual -a domainName=sub.domain.tld -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi -a defaultSearchBase=dc=sub,dc=domain,dc=tld \
    -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld \
    -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld \
    -a objectclassMap=shadow:shadowAccount=posixAccount kdc1.sub.domain.tld
Parsing domainName=sub.domain.tld
Parsing credentialLevel=self
Parsing authenticationMethod=sasl/gssapi
Parsing defaultSearchBase=dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
Parsing objectclassMap=shadow:shadowAccount=posixAccount
Arguments parsed:
        authenticationMethod: sasl/gssapi
        defaultSearchBase: dc=sub,dc=domain,dc=tld
        credentialLevel: self
        domainName: sub.domain.tld
        objectclassMap:
                arg[0]: shadow:shadowAccount=posixAccount
        serviceSearchDescriptor:
                arg[0]: passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
                arg[1]: group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
        defaultServerList: kdc1.sub.domain.tld
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 2
Authentication method: 2
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "sub.domain.tld"
file_backup: stat(/var/yp/binding/sub.domain.tld)=-1
file_backup: No /var/yp/binding/sub.domain.tld directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname sub.domain.tld ... success
start: DNS client is enabled
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: network/ldap/client:default... success
start: sasl/GSSAPI bind works
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
</pre>
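The block below is an added example, not code from the original page. It does two things a practitioner wants around this step: it derives the whole ldapclient command line for the page's own example.com domain from the DNS name (so the base DN and the search descriptors cannot drift apart the way they would when hand-typed), and it checks the output of `ldapclient list` afterwards to confirm the client really ended up with sasl/gssapi at credential level self and that no proxy DN or password was written to /var/ldap. The `ldapclient list` samples are constructed from the NS_LDAP_* key format of that output; the proxy DN and password hash in the second sample are made up.

```shell
#!/bin/sh
# Added example: build and verify the ldapclient configuration for an IPA
# domain. Not from the original page.

# dn_from_domain DOMAIN: DNS domain -> base DN (example.com -> dc=example,dc=com)
dn_from_domain() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sdc=%s", (i > 1 ? "," : ""), $i
        printf "\n" }'
}

# ipa_ldapclient_args DOMAIN: the attribute list used on this page, derived
# from the domain, one "name=value" per line so it can be reviewed first.
ipa_ldapclient_args() {
    _base=$(dn_from_domain "$1")
    printf '%s\n' \
        "domainName=$1" \
        "credentialLevel=self" \
        "authenticationMethod=sasl/gssapi" \
        "defaultSearchBase=$_base" \
        "serviceSearchDescriptor=passwd:cn=users,cn=accounts,$_base" \
        "serviceSearchDescriptor=group:cn=groups,cn=compat,$_base" \
        "objectclassMap=shadow:shadowAccount=posixAccount"
}

# ipa_ldapclient_cmd DOMAIN SERVER: assemble the full command line. It is
# printed, not executed; run it as root once Kerberos and NTP are verified.
ipa_ldapclient_cmd() {
    _cmd="ldapclient -v manual"
    for _a in $(ipa_ldapclient_args "$1"); do
        _cmd="$_cmd -a $_a"
    done
    printf '%s %s\n' "$_cmd" "$2"
}

# ldapclient_no_proxy_creds < "ldapclient list" output: succeed only if the
# bind method is sasl/gssapi at credential level self and no NS_LDAP_BINDDN
# or NS_LDAP_BINDPASSWD line (a proxy credential on disk) is present.
ldapclient_no_proxy_creds() {
    awk '
        /^NS_LDAP_AUTH= /             { auth = $2 }
        /^NS_LDAP_CREDENTIAL_LEVEL= / { lvl = $2 }
        /^NS_LDAP_BINDDN= / || /^NS_LDAP_BINDPASSWD= / { proxy = 1 }
        END { exit (auth == "sasl/gssapi" && lvl == "self" && !proxy) ? 0 : 1 }'
}

# Constructed samples of `ldapclient list` output: the configuration this
# page produces, and a proxy-account configuration that should be rejected.
SAMPLE_GSSAPI_LIST='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipaserver.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_AUTH= sasl/gssapi
NS_LDAP_CREDENTIAL_LEVEL= self'
SAMPLE_PROXY_LIST='NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipaserver.example.com
NS_LDAP_SEARCH_BASEDN= dc=example,dc=com
NS_LDAP_BINDDN= uid=proxyagent,cn=users,cn=accounts,dc=example,dc=com
NS_LDAP_BINDPASSWD= {NS1}0123456789abcdef
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy'

# Demo: print the command for the page's domain and check the sample output.
ipa_ldapclient_cmd example.com ipaserver.example.com
if printf '%s\n' "$SAMPLE_GSSAPI_LIST" | ldapclient_no_proxy_creds; then
    echo "no proxy credentials stored, GSSAPI bind configured"
fi
```

On the client, `ldapclient list | ldapclient_no_proxy_creds` is the check to run after "System successfully configured"; if it fails, a proxy DN and an obfuscated password are sitting in /var/ldap/ldap_client_cred, which is precisely what this method is meant to avoid.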
Verify that it is working: root's credential cache now holds a ticket for the machine account we just joined (obtained from the keytab), and the service ticket for ldap/ipaserver.example.com shows that the GSSAPI bind to the IPA directory was used to fetch name-service data:
<pre>
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM
Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
</pre>
Verify that LDAP is working: user information now comes from the IPA directory (the numeric IDs are masked here):
<pre>
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
</pre>
enable the nscd service
Unless this service is running, user, group and other name-service lookups will be *very* slow, because every lookup goes to the directory. I know there are downsides to nscd, but really, turn it on:
<pre>
# svcadm enable name-service-cache
</pre>
After that, user lookups (and things like ls -l in a directory whose files are owned by different LDAP users) are instantaneous.
getent group <groupname>
If you use getent to return group information you will notice that the results differ from those on your Linux hosts: the member list is empty.
The reason is that the member attribute in IPA holds the full DN of each user:
<pre>
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
</pre>
whereas the group map of the ldapclient that feeds getent expects a bare user name as the value:
<pre>
member: user
</pre>
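To make the mismatch concrete, here is an added example (not from the original page) that reads an IPA group entry in LDIF form and extracts what the Solaris group map wants: the bare user names from the DN-valued member attributes, and a getent-style `cn:x:gid:members` line like the one a Linux host shows. Member DNs that are not user entries (nested groups, hosts) are skipped, since they have no place in a POSIX group line. The LDIF is constructed; the group, users and gidNumber in it are made up, but the DN layout (uid=...,cn=users,cn=accounts,...) is IPA's.

```shell
#!/bin/sh
# Added example: turn IPA's DN-valued group members into bare user names.
# Not from the original page.

# ipa_group_members < LDIF: print the uid value of every
# "member: uid=<user>,cn=users,cn=accounts,..." line, one per line.
ipa_group_members() {
    awk '
        /^member: uid=/ {
            v = substr($0, length("member: uid=") + 1)   # drop the prefix
            sub(/,.*/, "", v)                            # keep the RDN value
            print v
        }'
}

# ipa_group_compat_line < LDIF: render the entry as "cn:x:gidNumber:u1,u2",
# the shape `getent group` prints on a Linux host joined to the same realm.
ipa_group_compat_line() {
    awk '
        /^cn: /        { cn = $2 }
        /^gidNumber: / { gid = $2 }
        /^member: uid=/ {
            v = substr($0, length("member: uid=") + 1)
            sub(/,.*/, "", v)
            members = (members == "" ? v : members "," v)
        }
        END { printf "%s:x:%s:%s\n", cn, gid, members }'
}

# Constructed sample entry: two user members and one nested group member.
SAMPLE_GROUP_LDIF='dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
cn: admins
gidNumber: 1200000000
objectClass: posixgroup
objectClass: ipausergroup
member: uid=admin,cn=users,cn=accounts,dc=example,dc=com
member: uid=alice,cn=users,cn=accounts,dc=example,dc=com
member: cn=editors,cn=groups,cn=accounts,dc=example,dc=com'

# Demo: what getent would show if the member values were bare names.
printf '%s\n' "$SAMPLE_GROUP_LDIF" | ipa_group_compat_line
```

On a real host the input comes from the directory, e.g. `ldapsearch -Y GSSAPI -b cn=groups,cn=accounts,dc=example,dc=com cn=admins | ipa_group_compat_line` (the GSSAPI bind reuses the host ticket shown by klist above). The output is what the Solaris client would need to display; the page's observation is that the ldapclient group map does not perform this translation itself.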