
3.5. Configuring a Solaris System as a FreeIPA Client

3.5.1. Configuring Solaris 10

  1. As with Fedora systems, the Solaris client is configured with a single command: on the Solaris client, run Solaris's ldapclient in manual mode with the information for the FreeIPA domain:
    [root@server ~]# ldapclient manual \
             -a credentialLevel=anonymous \
             -a authenticationMethod=none \
             -a defaultSearchBase=dc=example,dc=com \
             -a defaultServerList= \
             -a attributeMap=group:memberuid=memberUid \
             -a attributeMap=group:gidnumber=gidNumber \
             -a attributeMap=passwd:gidnumber=gidNumber \
             -a attributeMap=passwd:uidnumber=uidNumber \
             -a attributeMap=passwd:homedirectory=homeDirectory \
             -a attributeMap=passwd:loginshell=loginShell \
             -a attributeMap=shadow:userpassword=userPassword \
             -a objectClassMap=group:posixGroup=posixgroup \
             -a objectClassMap=passwd:posixAccount=posixaccount \
             -a objectClassMap=shadow:shadowAccount=posixaccount \
             -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
             -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
    credentialLevel=anonymous together with authenticationMethod=none means the client performs its passwd and group lookups over an unauthenticated LDAP connection. That is acceptable for the account attributes FreeIPA serves to anonymous binds by default; user authentication itself is handled by Kerberos, which steps 4 and 5 configure.
  2. Remove the ldap option from all entries in /etc/nsswitch.conf except for the passwd: and group: entries.
  3. Configure and enable NTP and synchronize the time between the client and the FreeIPA server.
    [root@server ~]# ntpdate
  4. Configure the Kerberos client. The Kerberos configuration specifies the realm and domain details, logging, and default ticket attributes; fill in the KDC and admin server hostnames and the domain-to-realm mappings for your deployment:
    [root@server ~]# vim /etc/krb5/krb5.conf
    [libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false

    [realms]
    EXAMPLE.COM = {
    kdc =
    admin_server =
    }

    [domain_realm]
     = EXAMPLE.COM
     = EXAMPLE.COM

    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log

    [appdefaults]
    kinit = {
    renewable = true
    forwardable = true
    }
    This configuration requests forwardable tickets by default, which makes it possible to connect to the FreeIPA web UI from any system and keeps administrative operations attributable to the user for auditing. Forwarding hands the user's credentials to the remote host, so leave it enabled only toward hosts you trust with them. verify_ap_req_nofail = false lets a login succeed without checking the obtained TGT against a local host key when no keytab exists yet, which leaves the client open to a spoofed KDC; once step 6 has created /etc/krb5/krb5.keytab, set it to true.
  5. Configure PAM to use Kerberos authentication. For example:
    [root@server ~]# vim /etc/pam.conf 
    # login service (explicit because of pam_dial_auth)
    login   auth requisite
    login   auth required 
    login   auth sufficient try_first_pass
    login   auth required 
    login   auth required 
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other   auth requisite
    other   auth required 
    other   auth required 
    other   auth sufficient
    other   auth required 
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other   account requisite
    other   account required
    other   account required
    # Password construction requirements apply to all users.
    # Remove force_check to have the traditional authorized administrator
    # bypass of construction requirements.
    other   password requisite force_check
    other   password sufficient
    other   password required
  6. Configure NFS to work with the Kerberos domain.
    1. Add the admin principal on the FreeIPA server.
      [root@server ~]# kadmin.local -q "addprinc testadmin/admin"
    2. Edit the Kerberos KDC ACLs in /var/kerberos/krb5kdc/kadm5.acl on the FreeIPA server so that testadmin/admin has the rights kclient needs from the NFS client: adding the nfs/ and host/ principals and extracting their keys.
    3. Use the kclient command to set up the NFS client for Kerberos authentication.
      • Do not set up DNS.
      • Do enter the FreeIPA server and realm information.
      • Do answer yes to configure Kerberized NFS.
      • Do not copy over the master krb5.conf file.
      [root@server ~]# kclient
      Starting client setup
      Do you want to use DNS for kerberos lookups ? [y/n]: n
              No action performed.
      Enter the Kerberos realm: EXAMPLE.COM
      Specify the KDC hostname for the above realm:
      Note, this system and the KDC's time must be within 5 minutes of each other for
      Kerberos to function.  Both systems should run some form of time
      synchronization system like Network Time Protocol (NTP).
      Setting up /etc/krb5/krb5.conf.
      Enter the krb5 administrative principal to be used: testadmin
      Obtaining TGT for testadmin/admin ...
      Password for testadmin/admin@EXAMPLE.COM:
      Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ?
      [y/n]: n
              No action performed.
      Do you plan on doing Kerberized nfs ? [y/n]: y
      nfs/ entry ADDED to KDC database.
      nfs/ entry ADDED to keytab.
      host/ entry ADDED to KDC database.
      host/ entry ADDED to keytab.
      Do you want to copy over the master krb5.conf file ? [y/n]: n
              No action performed.
      Setup COMPLETE.
    4. Verify that the NFS service keytab was created:
      [root@server ~]# klist -ket /etc/krb5/krb5.keytab
    5. Verify that the NFS server is accessible:
      [root@server ~]# showmount -e
    6. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5	390003	kerberos_v5	default -	# RPCSEC_GSS
    7. Mount the NFS share. Solaris mount takes -F nfs with the NFS version as a mount option (the Linux -t nfs4 form is not accepted), and the server's export path precedes the local mount point:
      [root@server ~]# mount -F nfs -o vers=4,sec=krb5 /mnt/
    8. If the NFS keytab was generated on the FreeIPA server and copied to /tmp/krb5.keytab, merge it into the main host keytab with ktutil on the FreeIPA client; write_kt appends to the existing keytab rather than replacing it. Afterwards delete /tmp/krb5.keytab, which holds the same key material, and keep /etc/krb5/krb5.keytab readable by root only.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q

3.5.2. Configuring Solaris 9

  1. Perform steps 1 through 5 in Section 3.5.1, “Configuring Solaris 10” to set up the Solaris 9 client.
  2. Configure the NFS client.
    1. Configure the /etc/exports file on the NFS server.
    2. Add an NFS service principal for the client.
      [root@server ~]# ipa service-add nfs/
    3. Create the NFS keytab file. The -e des-cbc-crc option is required because the Solaris 9 Kerberos implementation supports only single DES. DES is a 56-bit cipher that current FreeIPA and MIT Kerberos releases disable by default, so the KDC must be explicitly permitted to issue it; treat this service key as a known weak point and retire it together with the Solaris 9 client.
      [root@server ~]# ipa-getkeytab -s -p nfs/ -k /tmp/krb5.keytab -e des-cbc-crc
    4. Copy the keytab from the server to the client.
      [root@server ~]# scp /tmp/krb5.keytab
    5. Make sure that this line is uncommented in the /etc/nfssec.conf file (mechanism number 390005 is krb5p, the privacy flavor the mount below requests):
      krb5p	390005	kerberos_v5	privacy -	# RPCSEC_GSS
    6. Obtain a ticket for the NFS client.
      [root@server ~]# kinit -k nfs/
    7. Mount the NFS share.
      [root@server ~]# mount -F nfs -o sec=krb5p /mnt/
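The script below is an added example and not part of the FreeIPA documentation. It checks, from the shell, the state that step 2 of the Solaris 10 procedure (ldap only on the passwd: and group: databases), steps 6.4 and 6.6 (the nfs/ and host/ keys in the keytab, the RPCSEC_GSS flavor in /etc/nfssec.conf) and steps 3 and 5 of the Solaris 9 procedure expect. The nsswitch.conf, nfssec.conf and klist -ket listing it reads are constructed samples, the client hostname client.example.com is an assumption, and the single-DES detection is there because the Solaris 9 keytab above is deliberately created with des-cbc-crc.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA documentation: post-configuration
# checks for a Solaris FreeIPA client, run against constructed sample files.

# Exit 0 when "ldap" appears only on the passwd: and group: lines of an
# nsswitch.conf; print each other database that still lists it and exit 1.
check_nsswitch() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            db = $1; sub(/:$/, "", db)
            for (i = 2; i <= NF; i++)
                if ($i == "ldap" && db != "passwd" && db != "group") {
                    print "ldap still listed for " db
                    bad = 1
                }
        }
        END { exit bad }' "$1"
}

# Exit 0 when the RPCSEC_GSS flavor named in $2 (krb5, krb5i or krb5p) is
# enabled in an nfssec.conf, i.e. appears uncommented as the first field.
check_nfssec() {
    awk -v mech="$2" '$1 == mech && $3 == "kerberos_v5" { ok = 1 } END { exit !ok }' "$1"
}

# Exit 0 when a principal beginning with $2 (nfs/ or host/) is present in a
# saved "klist -ket" listing: field 4 is the principal, field 5 the enctype.
keytab_has_principal() {
    awk -v p="$2" 'index($4, p) == 1 { ok = 1 } END { exit !ok }' "$1"
}

# Print every entry keyed with single DES (des-cbc-crc or des-cbc-md5), the
# enctype the Solaris 9 client needs and modern KDCs disable by default;
# exit 0 if any such entry exists, 1 otherwise.
keytab_des_entries() {
    awk '$5 ~ /^\(des-cbc-(crc|md5)\)$/ { print $4, $5; found = 1 } END { exit !found }' "$1"
}

work=$(mktemp -d)

# Constructed nsswitch.conf: ldap was left on hosts:, which step 2 forbids.
cat > "$work/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
services:   files
EOF

# Constructed nfssec.conf with krb5 and krb5i enabled and krb5p still commented.
cat > "$work/nfssec.conf" <<'EOF'
# name   number  oid          default -
sys      1       -            default -
krb5     390003  kerberos_v5  default -    # RPCSEC_GSS
krb5i    390004  kerberos_v5  integrity -  # RPCSEC_GSS
#krb5p   390005  kerberos_v5  privacy -    # RPCSEC_GSS
EOF

# Constructed "klist -ket /etc/krb5/krb5.keytab" output for an assumed client
# hostname client.example.com; the nfs/ key was issued with des-cbc-crc.
cat > "$work/klist.out" <<'EOF'
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 01/15/13 10:22:17 host/client.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/15/13 10:22:17 host/client.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 01/15/13 10:30:41 nfs/client.example.com@EXAMPLE.COM (des-cbc-crc)
EOF

# Report on the sample files; on a real client point the functions at
# /etc/nsswitch.conf, /etc/nfssec.conf and the saved output of klist -ket.
report() {
    check_nsswitch "$work/nsswitch.conf" && echo "nsswitch.conf: ok"
    check_nfssec "$work/nfssec.conf" krb5p || echo "nfssec.conf: krb5p is not enabled"
    keytab_has_principal "$work/klist.out" nfs/ && echo "keytab: nfs/ key present"
    keytab_has_principal "$work/klist.out" host/ && echo "keytab: host/ key present"
    keytab_des_entries "$work/klist.out" && echo "keytab: single-DES keys listed above"
}
report
```

On the sample data the script reports the stray ldap entry on hosts:, the commented-out krb5p line, both service keys, and the DES-keyed nfs/ entry; each function exits non-zero on its failure so the checks can be chained into a provisioning script.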