On 03/13/2012 06:27 AM, Eivind Olsen wrote:
> Hello.
>
> I'm currently looking at implementing IPA in a mixed environment,
> consisting of RHEL6, RHEL5 and Solaris 10 systems. The IPA server(s) is
> the most recent one bundled with RHEL 6.2.
>
> I have some general rules I'll need to follow as best as I can, but I'm
> not really sure how to do this in IPA without it seeming like a huge
> work-around. This seems easy enough had it been for a pure RHEL6
> environment, but with Solaris there's no SSSD, I apparently might need to
> downgrade the encryption types for "older" Solaris 10, etc. All of this is
> making my head dizzy, and I'd appreciate any help and pointers to clear my
> mind :)
>
> Examples of the basic rules are (there's more of them, it's not only for
> the DNS servers for example, but the other cases can be solved in the same
> way):
> - all sysadmins should be allowed to log into every system in the realm
> - all sysadmins should be allowed to run certain commands (or to make it
>   easy, any command) through the use of "sudo", on all systems
> - some users will be part of certain groups, giving them permission to log
>   into certain servers and run a set of commands through "sudo", for
>   example: members of the dns-managers group should be allowed to ssh into
>   the DNS servers (which consist of both RHEL6 and Solaris 10), and run
>   certain commands through "sudo"
> - certain other users will be allowed to log into some systems, but
>   without any additional access through "sudo" (the fact that they're
>   allowed to log into system X doesn't mean they should be allowed to become
>   root, etc).
>
> I've read a suggestion about making a host group for the Red Hat systems,
> a netgroup for the Solaris systems, and creating a user group which is
> added as a member of both the host group and netgroup. But, will I still
> need to worry about the old issue of Solaris apparently not coping well
> with users that have >16 additional groups to their name?
>
> I have also read about having to add / change compatibility plugins,
> having to downgrade the algorithm for the Solaris 10 encryption type for
> older Solaris 10 releases, etc. And there's probably a few more things I
> need to watch out for and that aren't directly mentioned in the IPA
> documentation.
>
> Oh, in case it matters - there's no common NFS home directories, so I'll
> also need to automatically create the home directories (I've got this bit
> sorted on RHEL6 with help from oddjob-mkhomedir). For Solaris, I've read
> suggestions about using executable autofs maps to create home directories
> in /export/home and have them loopback-mounted to /home so they match the
> homeDirectory attribute.
>

The following bug captures the best of our knowledge about Solaris setups
https://bugzilla.redhat.com/show_bug.cgi?id=801883
so some of the info from this bug might be helpful for you.
For the specific questions you ask above I will let more knowledgeable people chime in.

> Regards
> Eivind "Confused" Olsen
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
