Thomas Mullaly

DevOps, Security and IT Leadership

Oracle Solaris 11

Oracle has released Solaris 11. It’s great, but they have completely changed everything. Check out the official docs here: http://www.oracle.com/technetwork/server-storage/solaris11/documentation/index.html

Here are my notes:

Network Time Protocol

Since I don’t think there’s a VMware Tools or Open VM Tools for Solaris, I’m putting NTP on.

cd /etc/inet
cp ntp.client ntp.conf
svcadm enable ntp
svcs | grep ntp

Kerberos

Make sure you’ve entered the hostname into DNS

Log in as root and type

kinit Administrator@TOM.UMB.EDU

You should see something like this in return

Password for Administrator@TOM.UMB.EDU:
kinit: no ktkt_warnd warning possible

Type klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@TOM.UMB.EDU

Valid starting                     Expires                              Service principle
08/12/2012 21:11    09/12/2012 07:13 krbtgt/TOM.UMB.EDU@TOM.UMB.EDU
        renew until 15/12/2012 21:11

Samba and Winbind

pkg install samba

Copy the good smb config to /etc/samba

Join the domain

net ads join -U Administrator@TOM.UMB.EDU

Start samba and winbind

svcadm enable samba
svcadm enable winbind

Test

wbinfo -u

Edit nsswitch.conf

Test

getent passwd

Set up PAM and nsswitch

Here we are going to enable the use of winbind through PAM. This will give us the capability of using Active Directory users and groups when assigning permissions on files and directories. We could also use this for other authentication methods that use PAM, such as Apache web sites (but that is another discussion).

Enable winbind in pam.conf

cp /etc/pam.conf /etc/pam.conf-OLD
cp /etc/pam.conf-winbind /etc/pam.conf

Enable winbind in nsswitch.conf to set up the search order for all authentication. The system will now look at the local files followed by a check against winbind.

svccfg -s name-service/switch 
> setprop config/password = "files winbind"
> setprop config/group = "files winbind"
> exit
svcadm refresh name-service/switch

Make sure the entries were adjusted in nsswitch by:

cat /etc/nsswitch.conf

You should see the following entries in passwd and group:

passwd:     files winbind
group:      files winbind
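
To make the check above repeatable, here is a small script (an added example, not part of the original notes) that parses nsswitch.conf and fails unless passwd and group are exactly "files winbind", so that local accounts are looked up before directory accounts. The function names nss_sources and check_winbind_order are made up for this example.

```shell
#!/bin/sh
# Added example: verify the lookup order configured above.
# nss_sources and check_winbind_order are names made up for this example.

# On Solaris prefer nawk: the legacy awk lacks -v and sub().
AWK=$(command -v nawk || command -v awk)

# nss_sources FILE DB
# Print the sources configured for DB (e.g. passwd) with comments removed
# and whitespace collapsed. Prints nothing if DB has no entry.
nss_sources() {
    "$AWK" -v db="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "db:src"
        $1 == (db ":") {
            $1 = ""                          # rebuilds $0 with single spaces
            sub(/^ +/, "")
            print
            exit
        }' "$1"
}

# check_winbind_order FILE
# Return 0 only if passwd and group are both exactly "files winbind".
# Criteria such as [NOTFOUND=return] are kept, so they fail the exact match.
check_winbind_order() {
    rc=0
    for db in passwd group; do
        src=$(nss_sources "$1" "$db")
        case "$src" in
            "files winbind") echo "ok   $db: $src" ;;
            "")              echo "FAIL $db: no entry found"; rc=1 ;;
            winbind*)        echo "FAIL $db: winbind is consulted before local files ($src)"; rc=1 ;;
            *)               echo "FAIL $db: expected 'files winbind', got '$src'"; rc=1 ;;
        esac
    done
    return $rc
}
```

After svcadm refresh name-service/switch, load the functions and run check_winbind_order /etc/nsswitch.conf; a non-zero exit status means the lookup order differs from the one set above.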

Add OpenCSW to software package repositories

To install third party software from a package repository:

pkgadd -d https://get.opencsw.org/now

Add /opt/csw/bin to your path

export PATH=$PATH:/opt/csw/bin

You can now install with the pkgutil command:

pkgutil --install puppet

Services

List all services

svcs

Start/Stop/Restart/Enable/Disable a service

svcadm <cmd> <service>

Set up domainname

svcadm disable nis/domain
svccfg -s svc:/network/nis/domain listprop config/domainname
svccfg -s svc:/network/nis/domain setprop config/domainname = <your domain name>
svccfg -s nis/domain:default refresh
svcadm enable nis/domain

Verify that domainname is set up correctly

domainname

Installing kadmin

If you find yourself thinking: Kerberos is installed, but I could not find kadmin. What package is it in?

Only the basic packages are installed by default and the KDC is not one of them. If you want a package/command that isn’t included in the base install you can search for it like this:

$ pkg search -r kadmin