Difference between revisions of "Omnios ipa client"

From Asenjo

Revision as of 21:21, 28 August 2015


Thanks to Johan Petersson on the freeipa-users mailing list (https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html).

This method only works when anonymous binds are allowed on the ldap servers. If you have disabled that, bind with credentials in ldapclient instead (consult the man page).

add machine account to IPA domain

Add a host to dns and create a machine account for it in the realm. In this example the host we want to join is solaris.example.com and the ipa server (kdc) is ipaserver.example.com. We assign solaris.example.com the ip address 192.168.0.1. Run these commands as an admin user (with a kerberos ticket) on a host with the ipa admin tools installed:

ipa host-add --force --ip-address=192.168.0.1 solaris.example.com [enter]

ipa host-add-managedby --host ipaserver.example.com solaris.example.com

export keytab for machine account

Just like before, run this as an admin user on a host with the ipa admin tools installed:

ipa-getkeytab -s ipaserver.example.com -p host/solaris.example.com -k /tmp/solaris.keytab

Copy this solaris.keytab file to the omnios host as /etc/krb5/krb5.keytab and apply these permissions to it:

chown root:sys krb5.keytab
chmod 600 krb5.keytab
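
As an added check (example code, not from this wiki page): a small Python parser for the MIT-format keytab that ipa-getkeytab writes, so you can confirm the copied krb5.keytab really holds host/solaris.example.com@EXAMPLE.COM (and see its kvno and enctype) without ever printing key material. The sample keytab bytes are constructed inside the block with dummy keys; enctype 18 is aes256-cts-hmac-sha1-96. To inspect the real file, read /etc/krb5/krb5.keytab and pass the bytes to parse_keytab.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2
def _cstr(data, pos):
    """Read a uint16-length-prefixed string at pos; return (text, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] per live entry; key bytes are skipped, never returned."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version: %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size == 0:
            break
        pos += 4
        if size < 0:                   # negative size marks a deleted slot: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp)
        vno8 = data[pos + 8]           # after uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen               # name_type, timestamp, vno8, enctype, len, key
        kv32 = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0
        entries.append(("/".join(comps) + "@" + realm, kv32 or vno8, enctype))
        pos = end
    return entries

def has_principal(data, principal):
    return any(p == principal for p, _, _ in parse_keytab(data))
def build_keytab(entries):
    """Constructed sample keytab for offline use; the keys are dummy bytes."""
    out = [KEYTAB_MAGIC]
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@", 1)
        body = struct.pack(">H", name.count("/") + 1)
        for s in [realm] + name.split("/"):
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out.append(struct.pack(">i", len(body)) + body)
    return b"".join(out)
SAMPLE_KEYTAB = build_keytab([("host/solaris.example.com@EXAMPLE.COM", 2, 18, b"\x00" * 32)])
```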

configure kerberos on omnios host

Edit /etc/krb5/krb5.conf:

[libdefaults]
        default_realm = EXAMPLE.COM
        # false: initial credentials are accepted even when they cannot be checked against the local keytab
        verify_ap_req_nofail = false
[realms]
        EXAMPLE.COM = {
                kdc = ipaserver.example.com
                admin_server = ipaserver.example.com
        }

[domain_realm]
        example.com = EXAMPLE.COM
        .example.com = EXAMPLE.COM

configure ntp

Add the server list to /etc/inet/ntp.client and rename it to ntp.conf:

server ipaserver.example.com iburst

# svcadm enable ntp

To check that it is running:

# svcs ntp 

To see what servers you are using:

# ntpq -p 

verify kerberos is working

root@testomnios:~# kinit admin
Password for admin@EXAMPLE.COM: 
root@testomnios:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:17:23  04/02/13 14:17:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/08/13 14:17:23
root@testomnios:~# kdestroy

configure ldap

Now that ntp and kerberos are configured, we can use sasl (gssapi) with ldap. Use the ldapclient tool for this (the ipa ldap server provides a default ldap profile that ldapclient can use):

# ldapclient init -v -a authenticationMethod=sasl/gssapi -a credentialLevel=self -a profileName=default ipaserver.example.com
Parsing authenticationMethod=sasl/gssapi
Parsing credentialLevel=self
Parsing profileName=default
Arguments parsed:
        authenticationMethod: sasl/gssapi
        credentialLevel: self
        profileName: default
        defaultServerList: ipaserver.example.com
Handling init option
About to configure machine by downloading a profile
Warning: init authentication method not found in DUAConfigProfile.
Proxy DN: NULL
Proxy password: NULL
Authentication method: 0
No proxyDN/proxyPassword required
Shadow Update is not enabled, no adminDN/adminPassword is required.
About to modify this machines configuration by writing the files
Stopping network services
Stopping sendmail
stop: network/smtp:sendmail... failed: entity not found
Stopping sendmail failed with (1). You may need to restart it manually for changes to take effect.
nscd not running
Stopping autofs
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: system/filesystem/autofs:default... success
ldap not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: nis domain is "example.com"
file_backup: stat(/var/yp/binding/example.com)=-1
file_backup: No /var/yp/binding/example.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname example.com... success
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: network/ldap/client:default... success
start: sleep 100000 microseconds
start: system/filesystem/autofs:default... success
restart: sleep 100000 microseconds
restart: milestone/name-services:default... success
System successfully configured

Verify it is working: we now hold a ticket as the machine account we just joined (obtained from the keytab file), and we can see that the ldap service on the kdc has been used to fetch ldap info:

root@testomnios:~# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/solaris.example.com@EXAMPLE.COM

Valid starting                Expires                Service principal
04/01/13 14:22:21  04/02/13 00:22:21  krbtgt/EXAMPLE.COM@EXAMPLE.COM
04/01/13 14:22:21  04/02/13 00:22:21  ldap/ipaserver.example.com@EXAMPLE.COM

Verify that ldap is working: we can see user info from the ldap database:

root@testomnios:~# id admin
uid=xxxxxxxxxxxxxxx(admin) gid=xxxxxxxxxxxxxxx(admins) groups=xxxxxxxxxxx(admins)

getent group <groupname>

If you use getent to return group information you will see that the results differ from those on your linux hosts: the member lists are empty.

The reason is that the attribute 'member' in ipa has this format:

member: uid=user,cn=users,cn=accounts,dc=domain,dc=tld

whereas the ldapclient that feeds its info to getent expects this:

member: user

This format is what the compat tree of the directory provides. So if we change the ldap duaconfig profile (the default one, stored in cn=default,ou=profile,dc=domain,dc=tld) to reflect this, it will work.
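
To make the mismatch concrete, here is an added Python example (not from this wiki page) that reads a constructed LDIF fragment in the IPA DN form shown above and reduces each member value to the bare name ldapclient expects, honouring RFC 4514 backslash escapes in the RDN value; the group and user names are made up. It is a way to inspect what getent would see, not a substitute for pointing the duaconfig profile at the compat tree.

```python
# Constructed sample group entry in the IPA 'member' (DN) form described on the page,
# plus a nested group and a uid containing an escaped comma; names are made up.
IPA_GROUP_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=domain,dc=tld
cn: admins
member: uid=admin,cn=users,cn=accounts,dc=domain,dc=tld
member: uid=o\\,brien,cn=users,cn=accounts,dc=domain,dc=tld
member: cn=ops,cn=groups,cn=accounts,dc=domain,dc=tld
"""

def first_rdn(dn):
    """Split off the first RDN of a DN as (attribute, value). A backslash escapes the
    next character (RFC 4514), so an escaped comma inside a value is not a separator."""
    out, i = [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            out.append(dn[i + 1])      # keep the escaped character, drop the backslash
            i += 2
            continue
        if c == ",":
            break
        out.append(c)
        i += 1
    attr, _, value = "".join(out).partition("=")
    return attr.strip().lower(), value.strip()

def member_to_name(value):
    """Map one 'member' value to the bare user name ldapclient expects.
    Bare names pass through; user DNs yield their uid; anything else (e.g. a
    nested group DN) returns None because getent has no user to show for it."""
    if "=" not in value:
        return value
    attr, name = first_rdn(value)
    return name if attr == "uid" else None

def group_members(ldif):
    """User names in a group entry, whether its member lines are DNs or bare names."""
    names = []
    for line in ldif.splitlines():
        if line.startswith("member:"):
            name = member_to_name(line[len("member:"):].strip())
            if name is not None:
                names.append(name)
    return names
```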