OmniOS domain join to FreeIPA fails


keijko

New Member
Apr 8, 2019
Hi,

I'm running OmniOS v11 r151028v and I'm trying to do a domain join to a FreeIPA server. I tried to set it up with the manuals/hints from asenjo.nl, freeipa.org and docs.oracle.com. The ldapclient itself is working and I can get information from the ipa-server, like "id username". Ntpdate to this ipa-server is working as well. But the join to the domain always fails with "(DOMAIN_CONTROLLER_NOT_FOUND)". I have no idea what the problem is anymore and hope that someone of you can help me.

My files look like this:

/var/ldap/ldap_client_file
Code:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ipa.dom
NS_LDAP_SEARCH_BASEDN= dc=dom
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,cn=accounts,dc=dom
NS_LDAP_SERVICE_SEARCH_DESC= group:cn=groups,cn=compat,dc=dom
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=posixAccount
/etc/krb5/krb5.conf
Code:
[libdefaults]
        default_realm = DOM

[realms]
        DOM = {
                kdc = ipa.dom
                admin_server = ipa.dom
                kpasswd_server = ipa.dom
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        dom = DOM
        .dom = DOM

[logging]
       ....

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }

/etc/nsswitch.conf
Code:
passwd:     files ldap
group:      files ldap
hosts:      files dns ldap
ipnodes:    files dns ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
ethers:     files ldap
netmasks:   files ldap
bootparams: files ldap
publickey:  files ldap
netgroup:   ldap
automount:  files ldap
aliases:    files ldap
services:   files ldap
printers:   user files ldap
auth_attr:  files ldap
prof_attr:  files ldap
project:    files ldap
tnrhtp:     files ldap
tnrhdb:     files ldap
I also tried without the ldap option in nsswitch.conf. That didn't work either. Does anyone have an idea what I'm doing wrong or what I should try?

zxv

The more I C, the less I see.
Sep 10, 2017

keijko

New Member
Apr 8, 2019
Your hints about ping, ldapsearch, ldaplist and ldapclient are working. I changed the domain from dom to dom.lan, because I read that it can cause problems when I use a single-level domain. Currently I'm looking at your links and concentrating on everything related to DNS.
dig SRV _ldap._tcp.dom.lan +short -> is working
dig SRV _gc._tcp.ad.hh.netafp.com -> returns nothing.
That is the service "3268/tcp Microsoft-GC", so I'm looking into this, because it seems to be known but not configured/running out of the box.

Edit:
No! It doesn't seem to be implemented in FreeIPA yet. See: Issue #3125: [RFE] Build a Global Catalog Service - freeipa - Pagure.io
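Added example, not code from the thread: a small Python helper that runs the same kind of `dig SRV ... +short` checks as above over the records a FreeIPA realm is expected to publish plus the AD-only `_gc._tcp` record, so that a missing record (and the expected absence of the Global Catalog record) is reported explicitly rather than as a bare DOMAIN_CONTROLLER_NOT_FOUND. The record list, the `lookup` hook and the sample dig output are assumptions constructed for the example.

```python
"""Report which DNS SRV records a Kerberos/LDAP domain publishes."""
import subprocess

# Records a FreeIPA realm normally publishes (assumption; verify with dig)
# and the AD-only Global Catalog record, which FreeIPA does not provide.
IPA_SRV = ("_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
           "_kpasswd._tcp", "_kpasswd._udp")
AD_ONLY_SRV = ("_gc._tcp",)


def parse_srv_short(output):
    """Parse `dig SRV <name> +short` output into (priority, weight, port, target)
    tuples in the order a client would try them (RFC 2782: lowest priority
    first, higher weight preferred within the same priority)."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line or something that is not SRV rdata
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port), target.rstrip(".")))
    return sorted(records, key=lambda r: (r[0], -r[1]))


def dig_srv(name, domain):
    """Run dig for one SRV record; returns its +short output ("" if none)."""
    proc = subprocess.run(["dig", "SRV", f"{name}.{domain}", "+short"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def check_domain(domain, lookup=dig_srv):
    """Return (found, missing): found maps record name -> parsed SRV tuples,
    missing lists required FreeIPA records with no answer. _gc._tcp is
    queried but never counted as missing, since FreeIPA does not publish it."""
    found, missing = {}, []
    for name in IPA_SRV + AD_ONLY_SRV:
        recs = parse_srv_short(lookup(name, domain))
        if recs:
            found[name] = recs
        elif name in IPA_SRV:
            missing.append(name)
    return found, missing


# Constructed sample answers, as dig +short would print them for dom.lan.
SAMPLE = {"_ldap._tcp": "0 100 389 ipa.dom.lan.\n",
          "_kerberos._tcp": "0 100 88 ipa.dom.lan.\n",
          "_kerberos._udp": "0 100 88 ipa.dom.lan.\n",
          "_kpasswd._tcp": "0 100 464 ipa.dom.lan.\n"}

if __name__ == "__main__":
    found, missing = check_domain("dom.lan", lookup=lambda n, d: SAMPLE.get(n, ""))
    print("found:", sorted(found), "missing:", missing)
```

Replace the `lookup=` argument with the default to query a real resolver; `_gc._tcp` returning nothing against a FreeIPA domain is expected.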