Configuring a Solaris 11.3 system as a FreeIPA client. I've read various articles,
mailing list archives, and pages found on Google trying to figure out how to properly make
this work. So far, I've only gotten the ability to do su - user@domain.tld and check
getent passwd/group. This successfully works. The things that do not work are ssh and
console logins. This is what I've tried so far:
Setting authenticationMethod to 'simple:tls'
-> My service account never seems to work and the log says: "libsldap: Status:
53 Mesg: openConnection: simple bind failed - DSA is unwilling to perform"
-> "libsldap: Status: 49 Mesg: openConnection: simple bind failed - Invalid
credentials" - This isn't the case as I've tried the credentials multiple
times using ldapsearch commands with success. My credentials for my users are correct
since I can login to a CentOS 6 and CentOS 7 client perfectly fine.
These are the steps I took:
-> Create host in IPA
-> ipa-getkeytab and transferred it to the client
-> Created nss database with CA certificate and placed it in /var/ldap with proper
permissions
-> Configured /etc/krb5/krb5.conf
-> Configured nsswitch.conf to be files ldap
-> Configured /etc/pam.d/* files accordingly
-> Used ldapclient init on the client
Here are my kinit and LDAP tests.
# kinit admin
Password for admin@IPA.EXAMPLE.COM:
kinit: no ktkt_warnd warning possible
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@IPA.EXAMPLE.COM
Valid starting Expires Service principal
09/13/17 16:22:29 09/14/17 16:22:29 krbtgt/IPA.EXAMPLE.COM@IPA.EXAMPLE.COM
renew until 09/20/17 16:22:29
# ldaplist -l passwd louis.abel
dn: uid=louis.abel,cn=users,cn=compat,dc=ipa,dc=example,dc=com
cn: Louis Abel
objectClass: posixAccount
objectClass: top
gidNumber: 1006800013
gecos: Louis Abel
uidNumber: 25439
loginShell: /bin/bash
homeDirectory: /home/louis.abel
uid: louis.abel@ad.example.com
uid: louis.abel
# ldaplist -l passwd louis.abel2
dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
cn: Louis Abel
objectClass: posixAccount
objectClass: top
gidNumber: 1006800001
gecos: Louis Abel
uidNumber: 1006800001
loginShell: /bin/bash
homeDirectory: /home/louis.abel2
uid: louis.abel2@ipa.example.com
uid: louis.abel2
dn: uid=louis.abel2,cn=users,cn=compat,dc=ipa,dc=example,dc=com
cn: Louis Abel
objectClass: posixAccount
objectClass: ipaOverrideTarget
objectClass: top
gidNumber: 1006800001
gecos: Louis Abel
uidNumber: 1006800001
ipaAnchorUUID: :IPA:ipa.example.com:8babb9a8-5aaf-11e7-9769-00505690319e
loginShell: /bin/bash
homeDirectory: /home/louis.abel2
uid: louis.abel2
My pam configuration files:
/etc/pam.d/other
auth definitive pam_user_policy.so.1
auth sufficient pam_krb5.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
account binding pam_unix_account.so.1 server_policy
account required pam_unix_account.so.1
account required pam_krb5.so.1
account required pam_tsol_account.so.1
session definitive pam_user_policy.so.1
session required pam_unix_session.so.1
password definitive pam_user_policy.so.1
password include pam_authtok_common
password sufficient pam_krb5.so.1
password required pam_authtok_store.so.1 server_policy
/etc/pam.d/login
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1 try_first_pass
auth required pam_unix_auth.so.1 use_first_pass
auth required pam_dial_auth.so.1
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
NS_LDAP_BINDPASSWD= removed
NS_LDAP_SERVERS=
pentl01.ipa.example.com,
pentl02.ipa.example.com,
pentl03.ipa.example.com,
sentl01.ipa.example.com,
sentl02.ipa.example.com,
sentl03.ipa.example.com
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_TIME= 15
NS_LDAP_CACHETTL= 6000
NS_LDAP_PROFILE= default solaris_authssl
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= sudoers:ou=sudoers,dc=ipa,dc=example,dc=com
NS_LDAP_BIND_TIME= 5
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixaccount
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixgroup
nsswitch changes:
passwd: files ldap [NOTFOUND=return]
group: files ldap [NOTFOUND=return]
This is what I looked at:
https://www.redhat.com/archives/freeipa-users/2013-January/msg00021.html
https://www.redhat.com/archives/freeipa-users/2015-January/msg00017.html
http://etcfstab.com/oraclelinux/solaris_n_freeipa.html
https://mkosek.fedorapeople.org/publican_site/en-US/FreeIPA/3.3/html/Free...
Anyone have better experience or any documentation that could help?
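As an added example (not part of the original post, and not FreeIPA or Solaris project code), here is a small offline checker for the three pieces of configuration shown above: it parses `ldapclient list` output (including the multi-line NS_LDAP_SERVERS block), a /etc/pam.d stack, and libsldap syslog lines, and reports the things a reviewer would look at first: whether NS_LDAP_AUTH is a value ldapclient accepts, whether a proxy password is stored on the client when a keytab-based sasl/GSSAPI bind would avoid that, modules listed twice in one PAM stack, and which side (client or server) an LDAP bind result code points to. The sample inputs are constructed to mirror the post with placeholder hostnames and DNs; the VALID_AUTH set is my reading of ldapclient(1M) and should be checked against the manual page on the system.

```python
"""Offline sanity checks for a Solaris 11 ldapclient/PAM setup used as a FreeIPA client.

Added illustration, not code from the original post or from the FreeIPA project.
All sample data below is constructed; hostnames and DNs are placeholders.
"""
import re

# authenticationMethod values accepted by Solaris ldapclient(1M) (assumption: my
# reading of the manual page; verify on the target system).
VALID_AUTH = {"none", "simple", "sasl/CRAM-MD5", "sasl/DIGEST-MD5", "sasl/GSSAPI",
              "tls:simple", "tls:sasl/CRAM-MD5", "tls:sasl/DIGEST-MD5"}

# LDAP result codes (RFC 4511) seen in the post, with the side to investigate.
BIND_FAILURE_HINTS = {
    49: "invalidCredentials: the bind DN/password stored by ldapclient was rejected",
    53: "unwillingToPerform: the server refused the bind by policy; check the "
        "389-ds access/errors log for that connection rather than the client",
}

# Constructed `ldapclient list` output modelled on the post.
LDAPCLIENT_LIST = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=solaris,cn=sysaccounts,cn=etc,dc=ipa,dc=example,dc=com
NS_LDAP_BINDPASSWD= removed
NS_LDAP_SERVERS=
pentl01.ipa.example.com,
pentl02.ipa.example.com,
sentl01.ipa.example.com
NS_LDAP_SEARCH_BASEDN= dc=ipa,dc=example,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=ipa,dc=example,dc=com
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=compat,dc=ipa,dc=example,dc=com
"""

# Constructed /etc/pam.d/other excerpt modelled on the post.
PAM_OTHER = """\
auth definitive pam_user_policy.so.1
auth sufficient pam_krb5.so.1
auth requisite pam_authtok_get.so.1
auth required pam_dhkeys.so.1
auth binding pam_unix_auth.so.1 server_policy
auth required pam_unix_cred.so.1
auth sufficient pam_krb5.so.1
account requisite pam_roles.so.1
account binding pam_unix_account.so.1 server_policy
account required pam_unix_account.so.1
account required pam_krb5.so.1
"""

LIBSLDAP_RE = re.compile(r"libsldap: Status: (\d+) Mesg: (.*)")


def parse_ldapclient_list(text):
    """Return {key: [values]}. Keys may repeat (NS_LDAP_SERVICE_SEARCH_DESC) and
    NS_LDAP_SERVERS is printed as one comma-terminated host per continuation line."""
    cfg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^(NS_LDAP_[A-Z_]+)=\s*(.*)$", line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            cfg.setdefault(key, [])
            if value:
                cfg[key].append(value)
        elif key:                       # continuation line of the previous key
            cfg[key].append(line.rstrip(","))
    return cfg


def check_ldapclient(cfg):
    """Findings about the bind method and stored credentials, as a list of strings."""
    findings = []
    auth = cfg.get("NS_LDAP_AUTH", ["none"])[0]
    if auth not in VALID_AUTH:
        findings.append(f"NS_LDAP_AUTH '{auth}' is not a valid authenticationMethod; "
                        f"accepted values: {', '.join(sorted(VALID_AUTH))}")
    elif auth == "simple":
        findings.append("NS_LDAP_AUTH=simple sends the proxy password in cleartext; "
                        "use tls:simple or sasl/GSSAPI")
    if auth.endswith("simple") and cfg.get("NS_LDAP_BINDPASSWD"):
        findings.append("proxy password is stored on the client under /var/ldap; "
                        "sasl/GSSAPI with the host keytab avoids a stored secret")
    if "NS_LDAP_SERVERS" in cfg and len(cfg["NS_LDAP_SERVERS"]) < 2:
        findings.append("only one LDAP server configured: no failover")
    return findings


def parse_pam_stack(text):
    """Parse 'type control module [options]' lines; blanks and comments are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def duplicate_pam_modules(entries):
    """(type, module) pairs listed more than once, in first-seen order."""
    seen, dups = set(), []
    for mtype, _ctl, module, _opts in entries:
        if (mtype, module) in seen and (mtype, module) not in dups:
            dups.append((mtype, module))
        seen.add((mtype, module))
    return dups


def parse_libsldap(line):
    """Return (result_code, message) from a libsldap syslog line, or None."""
    m = LIBSLDAP_RE.search(line)
    return (int(m.group(1)), m.group(2).strip()) if m else None


if __name__ == "__main__":
    for f in check_ldapclient(parse_ldapclient_list(LDAPCLIENT_LIST)):
        print("ldapclient:", f)
    for mtype, module in duplicate_pam_modules(parse_pam_stack(PAM_OTHER)):
        print(f"pam: {module} listed more than once in the {mtype} stack; confirm it is intended")
    sample = ("ldap_cachemgr: libsldap: Status: 53 Mesg: openConnection: "
              "simple bind failed - DSA is unwilling to perform")  # constructed log line
    code, mesg = parse_libsldap(sample)
    print(f"log: {mesg} -> {BIND_FAILURE_HINTS.get(code, 'see RFC 4511 result codes')}")
```

Run it as-is to see the findings for the embedded sample, or feed it the real `ldapclient list` output and PAM files by replacing the two constants. The duplicate-module check is deliberately a warning, not an error: Solaris stacks legitimately list pam_unix_account twice with different control flags, but a second `auth sufficient pam_krb5.so.1` in the same stack is worth a second look.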