
3.5. Configuring a Solaris System as a FreeIPA Client

3.5.1. Configuring Solaris 10

  1. As on Fedora, the client side is set up with a single command, but on Solaris this is the native ldapclient utility rather than ipa-client-install. On the Solaris client, run ldapclient in manual mode with the details of the FreeIPA domain (the attribute and object class maps translate the FreeIPA schema into the names the Solaris name service expects):
    [root@server ~]# ldapclient manual \
             -a credentialLevel=anonymous \
             -a authenticationMethod=none \
             -a defaultSearchBase=dc=example,dc=com \
             -a domainName=example.com \
             -a defaultServerList=192.168.0.1 \
             -a attributeMap=group:memberuid=memberUid \
             -a attributeMap=group:gidnumber=gidNumber \
             -a attributeMap=passwd:gidnumber=gidNumber \
             -a attributeMap=passwd:uidnumber=uidNumber \
             -a attributeMap=passwd:homedirectory=homeDirectory \
             -a attributeMap=passwd:loginshell=loginShell \
             -a attributeMap=shadow:userpassword=userPassword \
             -a objectClassMap=group:posixGroup=posixgroup \
             -a objectClassMap=passwd:posixAccount=posixaccount \
             -a objectClassMap=shadow:shadowAccount=posixaccount \
             -a serviceSearchDescriptor=passwd:cn=users,cn=accounts,dc=example,dc=com \
             -a serviceSearchDescriptor=group:cn=groups,cn=accounts,dc=example,dc=com
    The client binds anonymously over plain LDAP, so these lookups are neither authenticated nor encrypted. No passwords cross this channel, because authentication is done by Kerberos through pam_krb5 (step 5), but the identity data it returns (UID and GID numbers, home directories, login shells) is only as trustworthy as the network path between the client and the server.
  2. Remove the ldap source from every entry in /etc/nsswitch.conf except the passwd: and group: entries, so that only user and group lookups are sent to the FreeIPA directory.
  3. Configure and enable NTP and synchronize the time between the client and the FreeIPA server. ntpdate performs a one-time correction; enable the NTP service as well so the clocks stay within the five-minute skew that Kerberos tolerates.
    [root@server ~]# ntpdate ipaserver.example.com
  4. Configure the Kerberos client. The Kerberos configuration includes specifying the realm and domain details and default ticket attributes.
    [root@server ~]# vim /etc/krb5/krb5.conf
    
    [libdefaults]
    default_realm = EXAMPLE.COM
    verify_ap_req_nofail = false
    
    [realms]
    EXAMPLE.COM = {
    kdc = ipaserver.example.com
    admin_server = ipaserver.example.com
    }
    
    [domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
    
    [logging]
    default = FILE:/var/krb5/kdc.log
    kdc = FILE:/var/krb5/kdc.log
    
    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }
    The appdefaults section makes tickets obtained with kinit forwardable, which is what lets a user who logged in on this client reach the FreeIPA web UI (or any other Kerberized host) under their own principal, so administrative operations remain attributable to the person who performed them. Forwarding hands a copy of the user's TGT to the remote host, so it should only be used toward hosts you trust. Note also that verify_ap_req_nofail = false allows a login to succeed even when the client has no keytab against which to verify the KDC's reply; once kclient has installed a host/ principal in /etc/krb5/krb5.keytab (step 6), set it to true.
  5. Configure PAM to use Kerberos authentication. For example:
    [root@server ~]# vim /etc/pam.conf 
    
    # login service (explicit because of pam_dial_auth)
    #
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth sufficient         pam_krb5.so.1 try_first_pass
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1
    # Password construction requirements apply to all users.
    # Remove force_check to have the traditional authorized administrator
    # bypass of construction requirements.
    other   password requisite      pam_authtok_check.so.1 force_check
    other   password sufficient     pam_krb5.so.1
    other   password required       pam_authtok_store.so.1
  6. Configure NFS to work with the Kerberos domain.
    1. Add an administrative principal on the FreeIPA server. kclient (step 3) uses it to register the client's host/ and nfs/ principals in the KDC.
      [root@server ~]# kadmin.local -q "addprinc testadmin/admin"
    2. Edit the Kerberos KDC ACLs in /var/kerberos/krb5kdc/kadm5.acl on the FreeIPA server so that this principal is permitted to add principals for the NFS client machine.
    3. Use the kclient command to set up the NFS client for Kerberos authentication.
      • Do not set up DNS.
      • Do enter the FreeIPA server and realm information.
      • Do answer yes to configure Kerberized NFS.
      • Do not copy over the master krb5.conf file.
      [root@server ~]# kclient
      
      Starting client setup
      
      ---------------------------------------------------
      Do you want to use DNS for kerberos lookups ? [y/n]: n
              No action performed.
      Enter the Kerberos realm: EXAMPLE.COM
      Specify the KDC hostname for the above realm: ipaserver.example.com
      ipaserver.example.com
      
      Note, this system and the KDC's time must be within 5 minutes of each other for
      Kerberos to function.  Both systems should run some form of time
      synchronization system like Network Time Protocol (NTP).
      
      Setting up /etc/krb5/krb5.conf.
      
      Enter the krb5 administrative principal to be used: testadmin
      Obtaining TGT for testadmin/admin ...
      Password for testadmin/admin@EXAMPLE.COM:
      
      Do you have multiple DNS domains spanning the Kerberos realm EXAMPLE.COM ?
      [y/n]: n
              No action performed.
      
      Do you plan on doing Kerberized nfs ? [y/n]: y
      
      nfs/client.example.com entry ADDED to KDC database.
      nfs/client.example.com entry ADDED to keytab.
      
      host/client.example.com entry ADDED to KDC database.
      host/client.example.com entry ADDED to keytab.
      
      Do you want to copy over the master krb5.conf file ? [y/n]: n
              No action performed.
      
      ---------------------------------------------------
      Setup COMPLETE.
    4. Verify that the NFS service keytab was created:
      [root@server ~]# klist -ket /etc/krb5/krb5.keytab
    5. Verify that the NFS server is accessible:
      [root@server ~]# showmount -e ipaserver.example.com
    6. Make sure that this line is uncommented in the /etc/nfssec.conf file.
      krb5	390003	kerberos_v5	default -	# RPCSEC_GSS
    7. Mount the NFS share. Solaris mount selects the file system type with -F (not -t as on Linux); request NFSv4 with the vers option.
      [root@server ~]# mount -F nfs -o vers=4,sec=krb5 ipaserver.example.com:/ /mnt
    8. If an NFS keytab was generated on the FreeIPA server and copied to the client (for example to /tmp/krb5.keytab, as in the Solaris 9 procedure), import its contents into the client's host keytab with ktutil. write_kt appends to the target file, so the entries kclient already created are preserved. Remove /tmp/krb5.keytab afterwards: a keytab holds long-term keys and must not be left lying around in a world-readable directory.
      # ktutil
      ktutil: read_kt /tmp/krb5.keytab
      ktutil: write_kt /etc/krb5/krb5.keytab
      ktutil: q

3.5.2. Configuring Solaris 9

  1. Perform steps 1 through 5 in Section 3.5.1, “Configuring Solaris 10” to set up the Solaris 9 client.
  2. Configure the NFS client.
    1. Configure the /etc/exports file on the NFS server.
      /nfs client.example.com(sec=krb5p,rw,sync,fsid=0,no_subtree_check)
    2. Add an NFS service principal for the client.
      [root@server ~]# ipa service-add nfs/client.example.com
    3. Create the NFS keytab file. Kerberized NFS on Solaris 9 supports only single DES, so the key is generated with -e des-cbc-crc. DES is cryptographically weak and is disabled by default in current MIT Kerberos releases, so the KDC must still be configured to allow it (allow_weak_crypto in the server's krb5.conf) for this step to succeed; keep the DES key restricted to this one service principal.
      [root@server ~]# ipa-getkeytab -s ipaserver.example.com -p nfs/client.example.com -k /tmp/krb5.keytab -e des-cbc-crc
    4. Copy the keytab from the server to the client, then import it into /etc/krb5/krb5.keytab with ktutil as in step 8 of the Solaris 10 NFS procedure, and delete the temporary copy on both machines.
      [root@server ~]# scp /tmp/krb5.keytab root@client.example.com:/tmp/krb5.keytab
    5. Make sure that this line is uncommented in the /etc/nfssec.conf file. The sec=krb5p mount option used below corresponds to the krb5p entry (RPC number 390005, privacy); the krb5 entry is 390003 and krb5i is 390004.
      krb5p	390005	kerberos_v5	default privacy	# RPCSEC_GSS
    6. Obtain a ticket for the NFS client. kinit -k reads the default keytab, /etc/krb5/krb5.keytab, so the import in step 4 must be done first.
      [root@server ~]# kinit -k nfs/client.example.com
    7. Mount the NFS share.
      [root@server ~]# mount -F nfs -o sec=krb5p ipaserver.example.com:/nfs /mnt/
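
Two steps in both procedures are described only in prose: removing the ldap source from all nsswitch.conf entries except passwd and group (Section 3.5.1, step 2), and uncommenting the right entry in /etc/nfssec.conf (Section 3.5.1, NFS step 6, and Section 3.5.2, step 2.5). The following helpers, added here as an example and not taken from the FreeIPA project or its documentation, perform those edits on a copy of each file and check the result, so they can be tried on constructed samples before touching /etc. They assume a POSIX sh and a POSIX awk; on Solaris 10, /usr/bin/awk lacks sub and gsub, so run them with AWK=nawk. Substituting "files" for a database whose only source was ldap is this example's choice; the documentation does not say what to put there.

```shell
#!/bin/sh
# Added example (not from the FreeIPA documentation): helpers for the two
# hand edits in the Solaris client procedure.  Run with AWK=nawk on Solaris.
AWK=${AWK:-awk}

# strip_ldap_from_nsswitch FILE
#   Print FILE (an nsswitch.conf) with the "ldap" source removed from every
#   database except passwd and group, the only maps the ldapclient profile
#   serves from FreeIPA.  Comment and blank lines pass through unchanged.
#   If ldap was a database's only source, "files" is substituted (this
#   example's choice).
strip_ldap_from_nsswitch() {
    "$AWK" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            n = index($0, ":")
            if (n == 0) { print; next }
            db = substr($0, 1, n - 1); gsub(/[ \t]/, "", db)
            if (db == "passwd" || db == "group") { print; next }
            cnt = split(substr($0, n + 1), tok, " ")
            out = ""
            for (i = 1; i <= cnt; i++)
                if (tok[i] != "ldap") out = out " " tok[i]
            if (out == "") out = " files"
            print substr($0, 1, n) out
        }' "$1"
}

# nfssec_enable FILE FLAVOR
#   Print FILE (an nfssec.conf) with the entry for FLAVOR (krb5, krb5i or
#   krb5p) uncommented.  Only a leading "#" is removed; the trailing
#   "# RPCSEC_GSS" remark on each stock entry stays.
nfssec_enable() {
    "$AWK" -v want="$2" '
        {
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)
            split(line, f, " ")
            if (f[1] == want) print line; else print $0
        }' "$1"
}

# nfssec_check FILE FLAVOR
#   Print "<rpc-number> <gss-service>" for the enabled FLAVOR entry and
#   return 0, or print nothing and return 1 if the flavor is still commented
#   out or absent.  The pair must match the flavor passed to mount -o sec=:
#   krb5 390003 "-", krb5i 390004 integrity, krb5p 390005 privacy.
nfssec_check() {
    "$AWK" -v want="$2" '
        /^[ \t]*#/ { next }
        $1 == want { print $2, $5; found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# Demonstration on constructed sample files (not real Solaris configs).
demo() {
    dir=$(mktemp -d) || return 1
    cat >"$dir/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
automount:  ldap
EOF
    cat >"$dir/nfssec.conf" <<'EOF'
sys     1       sys             # AUTH_SYS
#krb5   390003  kerberos_v5     default -       # RPCSEC_GSS
#krb5i  390004  kerberos_v5     default integrity       # RPCSEC_GSS
#krb5p  390005  kerberos_v5     default privacy # RPCSEC_GSS
EOF
    echo "--- nsswitch.conf with ldap confined to passwd/group:"
    strip_ldap_from_nsswitch "$dir/nsswitch.conf"
    nfssec_enable "$dir/nfssec.conf" krb5p >"$dir/nfssec.new"
    echo "--- krb5p entry now enabled as:"
    nfssec_check "$dir/nfssec.new" krb5p
    rm -rf "$dir"
}

demo
```

On a real client, redirect the output of strip_ldap_from_nsswitch and nfssec_enable to a new file, diff it against the original, and only then move it into place; nfssec_check against /etc/nfssec.conf is a quick way to confirm that the number on the uncommented line is the one for the sec= flavor you intend to mount with.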