Difference between revisions of "Omnios ipa client"
Latest revision as of 12:18, 1 July 2017
Thanks to Johan Petersson in the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).
This method works with sasl/gssapi ldap bindings, no proxy account in the ldapclient necessary.
add machine account to IPA domain
Add a host to DNS and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com and the IPA server (KDC) is ipaserver.example.com. We assign solaris.example.com the IP address 192.168.0.1. Run these commands as an admin user (with a Kerberos ticket) on a host with the IPA admin tools installed:
ipa host-add --force --ip-address=192.168.0.1 solaris.example.com [enter]
ipa host-add-managedby --host ipaserver.example.com solaris.example.com
export keytab for machine account
Just like before, run this as an admin user on a host with the IPA admin tools:
ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab
Copy this solaris.keytab file to the OmniOS host as /etc/krb5/krb5.keytab and apply these permissions to it:
chown root:sys /etc/krb5/krb5.keytab
chmod 600 /etc/krb5/krb5.keytab
configure kerberos on omnios host
Edit /etc/krb5/krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_kdc = true
verify_ap_req_nofail = false
configure ntp
Add the server list to /etc/inet/ntp.client and rename that file to /etc/inet/ntp.conf:
server ipaserver.example.com iburst
# svcadm enable ntp
To check that it is running properly:
# svcs ntp
To see what servers you are using:
# ntpq -p
verify kerberos is working
root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy
configure ldap
Now that NTP and Kerberos are configured, we can use SASL/GSSAPI for the LDAP bind. Use the ldapclient tool for this (the IPA LDAP server has a default LDAP profile we can use with ldapclient):
# ldapclient -v manual -a domainName=sub.domain.tld -a credentialLevel=self -a authenticationMethod=sasl/gssapi -a defaultSearchBase=dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld -a serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld -a objectclassMap=shadow:shadowAccount=posixAccount kdc1.sub.domain.tld [enter]
Parsing domainName=sub.domain.tld
Parsing credentialLevel=self
Parsing authenticationMethod=sasl/gssapi
Parsing defaultSearchBase=dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
Parsing serviceSearchDescriptor=group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
Parsing objectclassMap=shadow:shadowAccount=posixAccount
Arguments parsed:
        authenticationMethod: sasl/gssapi
        defaultSearchBase: dc=sub,dc=domain,dc=tld
        credentialLevel: self
        domainName: sub.domain.tld
        objectclassMap:
                arg[0]: shadow:shadowAccount=posixAccount
        serviceSearchDescriptor:
                arg[0]: passwd:cn=users,cn=accounts,dc=sub,dc=domain,dc=tld
                arg[1]: group:cn=groups,cn=compat,dc=sub,dc=domain,dc=tld
        defaultServerList: kdc1.sub.domain.tld
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 2
Authentication method: 2
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
Stopping nscd
stop: sleep 100000 microseconds
stop: system/name-service-cache:default... success
autofs not running
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "sub.domain.tld"
file_backup: stat(/var/yp/binding/sub.domain.tld)=-1
file_backup: No /var/yp/binding/sub.domain.tld directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname sub.domain.tld ... success
start: DNS client is enabled
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: sleep 400000 microseconds
start: sleep 800000 microseconds
start: sleep 1600000 microseconds
start: sleep 3200000 microseconds
start: network/ldap/client:default... success
start: sasl/GSSAPI bind works
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: system/name-service-cache:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured
Verify it is working: we now hold a ticket as the machine account we just joined (obtained from the keytab), and we can see that the LDAP service on the KDC was used to fetch LDAP information:
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
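A small check script, added here and not part of the original wiki page, that parses illumos klist output of the shape shown above and confirms the joined client holds its TGT and a valid service ticket for the IPA LDAP server. The sample text is constructed from the output above; the principal and server names are the page's example values.

```python
"""Health check for the klist output of a FreeIPA-joined OmniOS host."""
from datetime import datetime

# Constructed sample, taken from the klist output shown above (dates are MM/DD/YY).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM
Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM
"""
TS_FMT = "%m/%d/%y %H:%M:%S"  # the timestamp format illumos klist prints


def parse_klist(text):
    """Return (default_principal, {service_principal: (valid_from, expires)})."""
    principal, tickets = None, {}
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif len(parts) == 5 and "@" in parts[4]:
            # Ticket row: start date, start time, expiry date, expiry time, service.
            # The header and "renew until" lines do not have this shape and are skipped.
            try:
                start = datetime.strptime(f"{parts[0]} {parts[1]}", TS_FMT)
                end = datetime.strptime(f"{parts[2]} {parts[3]}", TS_FMT)
            except ValueError:
                continue
            tickets[parts[4]] = (start, end)
    return principal, tickets


def check_join(text, expected_principal, ldap_server, now_str):
    """List problems found in klist output at time now_str (TS_FMT); [] means healthy."""
    now = datetime.strptime(now_str, TS_FMT)
    principal, tickets = parse_klist(text)
    problems = []
    if principal != expected_principal:
        problems.append(f"unexpected principal: {principal}")
    realm = expected_principal.rsplit("@", 1)[1]
    # The joined client needs its TGT plus a service ticket for the IPA LDAP server.
    for svc in (f"krbtgt/{realm}@{realm}", f"ldap/{ldap_server}@{realm}"):
        if svc not in tickets:
            problems.append(f"missing ticket: {svc}")
        elif not (tickets[svc][0] <= now < tickets[svc][1]):
            problems.append(f"ticket not valid at {now_str}: {svc}")
    return problems
```

On a real host, feed it the output of `klist` and the current time; a non-empty list means the keytab join or the LDAP bind needs a second look.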
Verify LDAP is working: we can see user info from the LDAP database:
root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)
enable the nscd service
Unless this is running, user/group/etc. lookups will be *very* slow. I know there are downsides to nscd but really, turn it on:
# svcadm enable name-service-cache [enter]
After that, user lookups (or an ls -l in a directory whose files are owned by various LDAP users) will be instantaneous.
getent group <groupname>
If you use getent to return group information you will see the results differ from those on your Linux hosts: the member lists are empty.
The reason is that the 'member' attribute in IPA has this format:
member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld
whereas the ldapclient that feeds its info to getent expects this:
member: user
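To make the mismatch concrete, here is an added example (not code from the wiki page) that parses a constructed IPA group entry both ways: the member values as IPA stores them (full DNs), and the bare user names the ldapclient lookup expects, recovered from the uid RDN of each DN. The group name, uids and DN suffix are made-up sample values.

```python
"""Why 'getent group' comes back empty: IPA stores members as DNs, the client wants names."""
import re

# Constructed LDIF fragment for one IPA group (not captured from a real server).
# The second member has an RFC 4514 hex-escaped comma in its uid.
SAMPLE_GROUP = """\
dn: cn=admins,cn=groups,cn=accounts,dc=domain,dc=tld
cn: admins
member: uid=admin,cn=users,cn=accounts,dc=domain,dc=tld
member: uid=o\\2cbrien,cn=users,cn=accounts,dc=domain,dc=tld
"""


def rdn_value(dn, attr="uid"):
    """Value of the first RDN of dn if its type is attr (case-insensitive), else None."""
    # Split on the first comma that is not backslash-escaped (RFC 4514 DN syntax).
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0].strip()
    typ, sep, val = first.partition("=")
    if not sep or typ.strip().lower() != attr.lower():
        return None
    # Undo escapes: \XX hex pairs first, then backslash-quoted single characters.
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return re.sub(r"\\(.)", r"\1", val)


def members_as_stored(ldif):
    """The 'member' values exactly as IPA returns them: full DNs."""
    return [l.split(":", 1)[1].strip() for l in ldif.splitlines() if l.startswith("member:")]


def members_as_client_expects(ldif):
    """The bare user names ldapclient/getent want, derived from each member DN's uid RDN."""
    return [n for n in (rdn_value(dn) for dn in members_as_stored(ldif)) if n is not None]


def match_member_by_name(ldif, user):
    """A bare-name comparison against the stored DNs never matches, hence the empty group."""
    return [m for m in members_as_stored(ldif) if m == user]
```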