Thursday, December 20, 2012

UKOUG Solaris SIG November & December Slides

Here are the last 2 talks of 2012. It has been a good year for the Solaris SIG, with 2 good talks to end it. Roll on 2013:

December 2012 - Peter Tribble : How Zones served Queen Victoria

ProQuest's Peter Tribble took us through how ProQuest builds and uses Solaris Zones to develop and deploy services to its customers with particular reference to a very Royal project, which involved the on-line publishing of Queen Victoria's Journals at http://www.queenvictoriasjournals.org.

Slides: Peter Tribble : How Zones served Queen Victoria

November 2012 - Chris Beal : Solaris 11 Serviceability Best Practices

Oracle's Chris Beal took us through the best way to install, configure, and update your systems to identify when there has been a problem, and the tools required to gather data to help solve it. Technologies discussed include: Automatic service request generation, Service Management Facility, Configuration, Oracle Support tools, Oracle Solaris configuration options, Managing package versions to minimize downtime, Version-lock facets, Shared/secure shell access.

Slides: Chris Beal : Solaris 11 Serviceability Best Practices

As always, come and join us next time.

Monday, November 19, 2012

Solaris 11 Automount (auto.home) with Active Directory

Now that you have authentication login via your Active Directory server (see my previous entry), you need to sort out your automount maps (auto.home/auto_home, auto.direct/auto_direct, etc.). This was surprisingly very straightforward.

Updated: Testing Section (23rd November 2012) 

Reference:

nismap: http://technet.microsoft.com/en-us/library/cc772191.aspx
nis2ad:  http://technet.microsoft.com/en-us/library/cc754412.aspx
Solaris integration with Active Directory: http://technicalprose.blogspot.co.uk/2011/12/solaris-integration-with-active_16.html

Notes:
On the Windows side we refer to auto.home, but on the Solaris side we will be referring to auto_home.

Settings being used:
Windows 2008 R2 AD servers = dcsad01 (193.61.1.1) and dcsad02 (193.61.2.2)
Domain = dcs.bbk.ac.uk
Kerberos Realm = DCS.BBK.AC.UK

Saturday, November 10, 2012

UKOUG Solaris SIG 2012 Slides & Video so far

The Solaris Special Interest Group (SIG) has been active since 2005 in a different guise, as London OpenSolaris User Group (LOSUG). The group was formed with the help of Sun Microsystems to enhance the popularity of their next release of their operating system OpenSolaris. The world has changed a lot since then, but the UKOUG Solaris SIG has kept up with the changes in Oracle Solaris 11 and open source Solaris-based derivatives and still remains an independently run group.

Our events run frequently, in the evening on the third Wednesday of each month.  We have presentations given by professionals who are experts in their field, including Oracle Solaris developers and professionals as well as industry Solaris experts. Our members come from varied backgrounds including IT architects and engineers, analysts, system administrators, developers and many more. The events take place in the London Oracle City offices and are very popular, not just for the vast range of presentations, but also for the fact that participants and attendees can mingle and network with Solaris specialists, in a relaxed atmosphere over food and refreshments. 

The presentations are promoted via the UKOUG website and our social media channels, where information about our next talks can be found.
These are the talks we have had so far this year:

December 2012 - Peter Tribble : How Zones served Queen Victoria

ProQuest's Peter Tribble took us through how ProQuest builds and uses Solaris Zones to develop and deploy services to its customers with particular reference to a very Royal project, which involved the on-line publishing of Queen Victoria's Journals at http://www.queenvictoriasjournals.org.

Slides: Peter Tribble : How Zones served Queen Victoria

Wednesday, October 03, 2012

Solaris 11 Authentication Login with Active Directory

Password authentication in Computer Science at Birkbeck was always very complicated for no reason. Over the years we had multiple passwords, which always confused our students: YP & Active Directory, then NIS & AD, then LDAP with password sync with AD, but with Solaris 11 & Solaris 10 I was finally in a position to get this sorted out.

There are a lot of pages out there which help with this, but the best I found was http://www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory (This link does not seem to work now, so here is a cached version: https://web.archive.org/web/20151101112540/www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory), so please go ahead and follow it for more details. I have a cut-down version here for Solaris 11.

I will presume you have set up your Windows server (see the link above: Install UNIX Schema into Active Directory and Create ProxyDN User Account).

Updated: Testing Section (30th October 2012)
Updated: Setup DNS Section (7th July 2014)
Updated: Kerberos testing "kinit -V" (29th January 2016) 
Updated: Setup LDAP client "followReferrals=false" (29th January 2016)
Updated: Setup PAM (29th January 2016)
Updated: Tested on Solaris 11.3 (29th January 2016) 

Settings being used:
Windows 2008 R2 AD servers = dcsad01 (193.61.1.1) and dcsad02 (193.61.2.2)
Domain = dcs.bbk.ac.uk
Kerberos Realm = DCS.BBK.AC.UK

Friday, March 09, 2012

Combine Solaris Automated Install and Repository on one image. Success

Following on from my last entry about Solaris 11 Automated Install with no network (Standalone), I thought I would post this update saying that I have managed to get it working. Well, I have managed to create a new 6.7GB ISO which can boot a VirtualBox client and install Solaris 11 with NO network. I am not sure why it was failing last time, but since then I have reinstalled Solaris 11 and added another disk to my desktop.

Copy Oracle Solaris 11 11/11 Automated Installer from ISO to disk:
# mount -F hsfs sol-11-1111-ai-x86.iso /mnt
# cd /mnt
# mkdir /var/tmp/AIboot
# find . -depth -print | cpio -pdm /var/tmp/AIboot
# cd /
# umount /mnt


Copy Oracle Solaris 11 11/11 Repository Image from ISO to disk:
# mount -F hsfs sol-11-1111-repo-full.iso /mnt
# cd /mnt
# rsync -aP /mnt/repo/ /var/tmp/AIboot/repoSolaris11
# cd /
# umount /mnt


Check it and edit the default manifest so that it uses the local repository:
# du -hs /var/tmp/AIboot
7.0G /var/tmp/AIboot

# ls /var/tmp/AIboot
auto_install      devices           mnt               repoSolaris11     solaris.zlib
bin               export            platform          root              solarismisc.zlib
boot              home              proc              save              system
dev               jack              reconfigure       sbin              tmp

Edit /var/tmp/AIboot/auto_install/default.xml

             <publisher name="solaris">
                     <origin name="http://pkg.oracle.com/solaris/release"/>
             </publisher>

Change to:

             <publisher name="solaris">
                     <origin name="file:///.cdrom/repoSolaris11"/>
             </publisher>


Create a new ISO:
# mkisofs -o /var/tmp/output.iso -b boot/grub/stage2_eltorito \
-c .catalog -no-emul-boot -boot-load-size 4 \
-boot-info-table -N -R -U -allow-multidot -no-iso-translate \
-cache-inodes -iso-level 4 -d -D -V Solaris11 /var/tmp/AIboot

Warning: Creating ISO-9660:1999 (version 2) filesystem.
Warning: ISO-9660 filenames longer than 31 may cause buffer overflows in the OS.
Size of boot image is 4 sectors -> No emulation
Size of boot image is 4 sectors -> No emulation
0.99% done, estimate finish Fri Mar 9 13:23:05 2012
1.13% done, estimate finish Fri Mar 9 13:22:53 2012
...
99.83% done, estimate finish Fri Mar 9 13:37:07 2012
99.97% done, estimate finish Fri Mar 9 13:37:06 2012
Total translation table size: 2048
Total rockridge attributes bytes: 36023282
Total directory bytes: 68673536
Path table size(bytes): 136082
Max brk space used 10144000
3530910 extents written (6896 MB)


The above ISO was then used to install Solaris 11 on VirtualBox.

Wednesday, March 07, 2012

Solaris 11 Automated Install with no network (Standalone)

After my last blog entry about Solaris 11 Automated Install without a network boot, I was thinking that we have all the building blocks to do a true standalone install of Solaris 11 without any network connection at all.

Oracle gives us the ISOs for "Oracle Solaris 11 11/11 Automated Installer" and the full "Oracle Solaris 11 11/11 Repository Image" on the Solaris download page, so why do we need a network?

The problem is that the repository is 7GB, so testing it is a little difficult, and trying to put the above two ISOs onto one 8GB USB stick is even harder. At this stage I have been unable to put the 7GB repository ISO onto a USB stick. I have also been unable to combine the 2 ISOs into 1 ISO which works (I end up with repository errors on install)!

But in theory it will work, and to demonstrate the idea I will use VirtualBox and a network for the manifest file (ONLY for the manifest file!). You can use my previous blog to replace the AI boot image with a modified one.
  1. Download the above ISOs for x86:
    • sol-11-1111-ai-x86.iso
    • sol-11-1111-repo-full.iso

  2. Create a new VirtualBox Solaris client
    • it needs to be on the network (to download the manifest file)
    • under Storage, add both ISO files as CDs


  3. Create a manifest file for the installation and place it on a web server:
    • There is only one change required from the default manifest (download version default.xml):

                   <publisher name="solaris">
                           <origin name="http://pkg.oracle.com/solaris/release"/>
                   </publisher>

      Change to:

                   <publisher name="solaris">
                           <origin name="file:///media/SOL11REPO_FULL/repo"/>
                   </publisher>

  4. Now boot your client:
    • Pick default option Oracle Solaris 11 11/11 Automated Install custom:


    • Enter the URL for the modified manifest file:


At this point it should go off and install the software.

The perfect solution, which I am happy for someone to try, is to place both the AI boot image and the repository onto one ISO and then use no network, but I have failed so far!
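The publisher-origin edit in step 3 (the same edit is made in the combined-ISO post above), done and checked by a script instead of by hand. This is an added example, not the blog's own code: SAMPLE_MANIFEST is a constructed, abridged default.xml fragment, and the function names are my own.

```python
"""Rewrite the IPS publisher origin in an Oracle Solaris AI manifest and check it.

Added example; SAMPLE_MANIFEST is a constructed, abridged default.xml fragment.
"""
import xml.etree.ElementTree as ET

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<auto_install>
  <ai_instance name="default">
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
    </software>
  </ai_instance>
</auto_install>
"""

LOCAL_REPO = "file:///media/SOL11REPO_FULL/repo"   # origin used in this post


def list_origins(manifest_xml):
    """Return [(publisher, origin), ...] for every IPS publisher in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [(pub.get("name"), origin.get("name"))
            for pub in root.iter("publisher")
            for origin in pub.findall("origin")]


def set_publisher_origin(manifest_xml, publisher, new_origin):
    """Replace every <origin> of `publisher` with `new_origin`.

    Returns (new_xml, number_of_origins_changed). Raises ValueError when the
    publisher is absent, so a typo in the name cannot silently leave the
    install pointing at the network repository. The XML prolog (declaration
    and any DOCTYPE) is carried over verbatim, since ElementTree drops it.
    """
    root = ET.fromstring(manifest_xml)
    changed = 0
    for pub in root.iter("publisher"):
        if pub.get("name") != publisher:
            continue
        for origin in pub.findall("origin"):
            origin.set("name", new_origin)
            changed += 1
    if changed == 0:
        raise ValueError(f"no <origin> for publisher {publisher!r} in manifest")
    prolog_end = manifest_xml.find("<auto_install")
    prolog = manifest_xml[:prolog_end] if prolog_end > 0 else ""
    return prolog + ET.tostring(root, encoding="unicode"), changed


def network_origins(manifest_xml):
    """Origins that would make the install reach out over the network.

    For an offline (standalone) install every origin must be file://; any
    http(s):// origin means the installer still needs connectivity, and a plain
    http:// origin is fetched without transport integrity (IPS package signing
    is then the only check on what gets installed).
    """
    return [(pub, origin) for pub, origin in list_origins(manifest_xml)
            if not origin.startswith("file://")]


def rewrite_file(path, publisher="solaris", new_origin=LOCAL_REPO):
    """Rewrite a manifest in place (e.g. auto_install/default.xml on the image)."""
    with open(path, encoding="utf-8") as fh:
        xml_text = fh.read()
    new_xml, changed = set_publisher_origin(xml_text, publisher, new_origin)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    return changed


if __name__ == "__main__":
    new_xml, n = set_publisher_origin(SAMPLE_MANIFEST, "solaris", LOCAL_REPO)
    print(f"changed {n} origin(s); network origins left: {network_origins(new_xml)}")
```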

Thursday, February 23, 2012

Solaris 11 Automated Install without a network boot

After my last blog about the Solaris 11 Automated Installer quick setup guide in a zone, I did some more reading and realised that you don't need to boot the client with DHCP; you can boot it from a local device (CD or USB).

If you check out the Solaris download page you will see that the Automated Installer can be downloaded as an ISO or USB version. If you download this and put it onto a CD or USB you can boot your client with it. When you boot it you see:

Oracle Solaris 11 11/11 Automated Install custom
Oracle Solaris 11 11/11 Automated Install
Oracle Solaris 11 11/11 Automated Install custom ttya
Oracle Solaris 11 11/11 Automated Install custom ttyb
Oracle Solaris 11 11/11 Automated Install ttya
Oracle Solaris 11 11/11 Automated Install ttyb
  • Picking Oracle Solaris 11 11/11 Automated Install custom means you will be prompted for a URL where your manifest is located on the network
  • Picking Oracle Solaris 11 11/11 Automated Install will install Solaris using a default manifest

Modifying the default settings:
If you have placed the AI image onto a USB stick then you can edit it and change the default manifest.

  • Mount the USB image (USB); the volume name contains a space, so quote the path
# ls "/media/DataTraveler 2.0"
.                        .volsetid                  jack                      sbin
..                       auto_install             lost+found               solaris.zlib
.catalog                 bin                      mnt                      solarismisc.zlib
.cdrom                   boot                     platform                 system
.image_info              dev                      proc                     tmp
.liveusb                 devices                  reconfigure
.SELF-ASSEMBLY-REQUIRED  export                   root
.transfer-manifest.xml   home                     save
Edit the default.xml file:
# vi "/media/DataTraveler 2.0/auto_install/manifest/default.xml"

You would think you could edit the default profile as well, but you can't, since it uses the default one located at /usr/share/auto_install/sc_profiles/enable_sci.xml, which is not accessible since /usr is a lofi mount. I think this should be classed as a bug, since you would expect it to use /auto_install/sc_profiles.

I have just filed a BUG report with Oracle for this.
This is the way it should be done, if this BUG did not exist!!!

Edit default system configuration file:
# cd "/media/DataTraveler 2.0/auto_install/sc_profiles/"
# vi enable_sci.xml

Or use the sample one:
# cd "/media/DataTraveler 2.0/auto_install/sc_profiles/"
# cp sc_sample.xml enable_sci.xml

This is the way you have to do it now. Long way!!! We have to replace the solaris.zlib on the image.
As before we mount the USB image:
# cd "/media/DataTraveler 2.0"

Mount the image:
# lofiadm -a solaris.zlib
# mount -F hsfs /dev/lofi/1 /mnt

Now copy the whole image:
# mkdir /export/newsolaris
# cd /mnt
# find . -depth -print | cpio -pdm /export/newsolaris
# cd /export/newsolaris

Now we finally get to making our changes:
# cd ./share/auto_install/sc_profiles/
# ls -l
total 27
-r--r--r--   1 root     sys         3104 Feb 23 17:39 enable_sci.xml
-r--r--r--   1 root     sys         3104 Oct 21 00:04 sc_sample.xml
-r--r--r--   1 root     sys         4656 Oct 21 00:04 static_network.xml
# cp -ip sc_sample.xml enable_sci.xml
#

Now re-create the solaris.zlib image:
# mkisofs -o /tmp/solaris.zlib -quiet -N -l -R -U -allow-multidot -no-iso-translate -cache-inodes -d -D -V "compress" /export/newsolaris
Warning: creating filesystem that does not conform to ISO-9660.

It needs to be compressed:
# lofiadm -C lzma /tmp/solaris.zlib

Copy it back to the USB image:
# cp /tmp/solaris.zlib "/media/DataTraveler 2.0"


If you want to create an ISO so that you can test it on VirtualBox, try:
# /usr/bin/mkisofs -d -D -J -l -r -U -relaxed-filenames -b boot/grub/stage2_eltorito -no-emul-boot -boot-load-size 4 -boot-info-table -c .catalog -V "my_volume_name" -o /var/tmp/output.iso "/media/DataTraveler 2.0"
Warning: creating filesystem that does not conform to ISO-9660.
Setting input-charset to 'UTF-8' from locale.
Size of boot image is 4 sectors -> No emulation
Size of boot image is 4 sectors -> No emulation
3.59% done, estimate finish Mon Feb 27 13:03:22 2012
7.17% done, estimate finish Mon Feb 27 13:03:22 2012
.....
96.77% done, estimate finish Mon Feb 27 13:03:33 2012
Total translation table size: 2048
Total rockridge attributes bytes: 45685
Total directory bytes: 290816
Path table size(bytes): 1864
Max brk space used 7e000
139507 extents written (272 MB)

Save it and try it out!
You still require a network, since the install still uses a network IPS repository.

I have tested it with VirtualBox booting off an ISO file I created from the USB image.

Tuesday, February 21, 2012

Solaris 11 Automated Installer quick setup guide in a zone

Setting up an Automated Install server with Solaris 11 is now very easy. See my recent Solaris SIG talk about it, but here is a quick guide.
  • Setup zone:
# zonecfg -z aiserver 'create; set zonepath=/zones/aiserver'
  • Create a system profile to speed the install process up:
    • This allows you to set up the hostname, server IP address, initial user, etc.
# sysconfig create-profile -o /var/tmp/sysconfig.xml
  • Install the zone with the default manifest and using the system configuration created above:
# zoneadm -z aiserver install -c /var/tmp/sysconfig.xml
A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20120221T133021Z.aiserver.install
       Image: Preparing at /zones/aiserver/root.

Install Log: /system/volatile/install.17908/install_log
AI Manifest: /tmp/manifest.xml.yhaq9I
SC Profile: /var/tmp/sysconfig.xml
    Zonename: aiserver
Installation: Starting ...

              Creating IPS image
              Installing packages from:
                  solaris
                      origin:  http://pkg.oracle.com/solaris/support/
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              167/167 32064/32064  175.8/175.8

PHASE                                        ACTIONS
Install Phase                            44313/44313

PHASE                                          ITEMS
Package State Update Phase                   167/167
Image State Update Phase                         2/2
Installation: Succeeded

        Note: Man pages can be obtained by installing pkg:/system/manual done.
        Done: Installation completed in 127.429 seconds
  Next Steps: Boot the zone, then log into the zone console (zlogin -C) to complete the configuration process.

Log saved in non-global zone as /zones/aiserver/root/var/log/zones/zoneadm.20120221T133021Z.aiserver.install

# zoneadm -z aiserver boot
# zlogin -C -e\@ aiserver
  • Install the auto-installer software in the zone:
# svcadm enable /network/dns/multicast
# pkg list install/installadm
pkg list: no packages matching 'install/installadm' installed
# pkg install install/installadm
# pkg list install/installadm
NAME (PUBLISHER)                           VERSION                    IFO
install/installadm                         0.5.11-0.175.0.0.0.2.1482  i--
  • Create the boot service.
    • No need to specify an ISO, since the software will download an image.

# installadm create-service -n solarisx86
Creating service from: pkg:/install-image/solaris-auto-install
OK to use default image path: /export/auto_install/solarisx86? [y/N]: y
Download: install-image/solaris-auto-install ...  Done
Install Phase ...  Done
Package State Update Phase ...  Done
Image State Update Phase ...  Done
Reading Existing Index ...  Done
Indexing Packages ...  Done

Creating service: solarisx86

Image path: /export/auto_install/solarisx86

Refreshing install services

Creating default-i386 alias.

No local DHCP configuration found. This service is the default
alias for all PXE clients. If not already in place, the following should
be added to the DHCP configuration:
        Boot server IP       : 193.xx.xx.xx
        Boot file            : default-i386/boot/grub/pxegrub

Refreshing install services

# ls -l /etc/netboot
total 6
drwxr-xr-x 19 root root 28 Feb 21 15:42 default-i386
drwxr-xr-x 19 root root 28 Feb 21 15:42 solarisx86
  • You are ready to boot a PXE client against this server.

    Wednesday, February 01, 2012

    Solaris 11: Setting up Sendmail / SASL to handle SMTP AUTH

    I thought I would finally get SMTP AUTH working on my Solaris 11 servers, so that I could then set up my phone to send e-mail correctly. If you have seen my previous post you will see that Solaris 11 can't do it with the standard software.

    Build Cyrus SASL
    # sudo pkg install pkg:/developer/build/make system/header developer/gcc-3 text/gnu-grep database/berkeleydb-5

    # echo $PATH
    /usr/sbin:/usr/bin
    # export PATH=$PATH:/usr/gnu/bin:/usr/sfw/bin
    • At this time it will not compile, so alter the following lines.
    # gzip -dc cyrus-sasl-2.1.25.tar.gz | tar xf -
    # cd cyrus-sasl-2.1.25

    # vi ./lib/saslutil.c ./plugins/kerberos4.c ./plugins/digestmd5.c utils/Makefile.am
    ./lib/saslutil.c
    85c85
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./plugins/kerberos4.c
    113c113
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./plugins/digestmd5.c
    106c106
    extern int gethostname(char *, int);
    change to:
    extern int gethostname(char *, unsigned int);

    ./utils/Makefile.am
    59a60,62
    add the following lines:
    saslpasswd2_LDFLAGS = -rpath $(libdir)
    dbconverter_2_LDFLAGS = -rpath $(libdir)
    pluginviewer_LDFLAGS = -rpath $(libdir)
    • Now we are ready for building.
    # ./configure --enable-cram --enable-digest --enable-plain \
              --enable-login --disable-krb4 --disable-anon \
              --disable-gssapi --with-saslauthd=/var/run/saslauthd
    # make
    # sudo make install
    • Add the following links:
    # sudo ln -s /usr/local/lib/sasl2 /usr/lib/sasl2
    # sudo ln -s /usr/local/lib/libsasl2.so.2.0.25 /usr/lib/libsasl2.so.2
    Build Sendmail
    • Stop existing sendmail processes.
    # sudo svcadm disable svc:/network/smtp:sendmail
    # sudo svcadm disable svc:/network/sendmail-client:default

    # gzip -dc sendmail.8.14.5.tar.gz | tar xf -
    # cd sendmail-8.14.5
    • Set up sendmail FEATURES (SSL, SASL, DB)
    # cat > devtools/Site/site.config.m4 << 'EOF'
    dnl ### Changes to disable the default NIS support
    APPENDDEF(`confENVDEF', `-UNIS')

    dnl ### Changes for STARTTLS support
    APPENDDEF(`confENVDEF',`-DSTARTTLS')
    APPENDDEF(`confLIBS', `-lssl -lcrypto')
    APPENDDEF(`confLIBDIRS', `-L/usr/local/lib -L/usr/lib -R/usr/lib')
    APPENDDEF(`confINCDIRS', `-I/usr/include/openssl')

    dnl ### SASL support
    APPENDDEF(`confENVDEF', `-DSASL=2')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl2')
    APPENDDEF(`confINCDIRS', `-I/usr/local/sasl -I/usr/include')

    dnl ### Berkley DB support
    APPENDDEF(`confENVDEF', `-DNEWDB')
    APPENDDEF(`confINCDIRS', `-I/usr/include')
    APPENDDEF(`confLIBDIRS', `-L/usr/lib')

    dnl ### TCP Wrapper
    APPENDDEF(`confENVDEF', `-DTCPWRAPPERS')
    APPENDDEF(`conf_sendmail_LIBS', `-lwrap')
    EOF
    #
    •  Build Sendmail
    # ./Build -c
    /* It should build but ignore the gtroff:error at the end */
    # sudo mv /usr/lib/sendmail /usr/lib/sendmail_orig
    # sudo cp obj.SunOS.5.11.i86pc/sendmail/sendmail /usr/lib/sendmail
    # sudo chgrp smmsp /usr/lib/sendmail
    # sudo chmod g+s,u-ws /usr/lib/sendmail
    • Now add a vendor name and SASL support to the sendmail.cf file (I hope you know what you are doing here)
    • Edit sendmail.mc and add the extra lines:
    define(`VENDOR_NAME', `Berkeley')
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl


    # cd /etc/mail/cf/cf
    # cat sendmail.mc
    divert(0)dnl
    VERSIONID(`sendmail.mc (Sun)')
    define(`VENDOR_NAME', `Berkeley')
    OSTYPE(`solaris11')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
    MAILER(`local')dnl
    MAILER(`smtp')dnl

    LOCAL_NET_CONFIG
    R$* < @ $* .$m. > $* $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
    #
    # sudo make sendmail.cf
    # sudo cp sendmail.cf ../../sendmail.cf

    # sudo /usr/lib/sendmail -bt -d0 < /dev/null
    Version 8.14.5
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
        NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB PIPELINING
        SASLv2 SCANF STARTTLS TCPWRAPPERS USERDB XDEBUG
    Set up the SASL authentication server
    • Now let's set up the SASL plugin via a Sendmail.conf:
    # sudo cat > /usr/local/lib/sasl2/Sendmail.conf << 'EOF'
    pwcheck_method: saslauthd
    EOF
    #
    • For authentication to work saslauthd has to be started, so you can start it as a one-off process (good for debugging) and at boot time.
    # sudo /usr/local/sbin/saslauthd -n 1 -V -d -a pam
    saslauthd[398] :main : num_procs : 1
    saslauthd[398] :main : mech_option: NULL
    saslauthd[398] :main : run_path : /var/run/saslauthd
    saslauthd[398] :main : auth_mech : pam
    saslauthd[398] :ipc_init : using accept lock file: /var/run/saslauthd/mux.accept
    saslauthd[398] :detach_tty : master pid is: 0
    saslauthd[398] :ipc_init : listening on socket: /var/run/saslauthd/mux
    saslauthd[398] :main : using process model
    saslauthd[398] :get_accept_lock : acquired accept lock
    • To start it at boot time we should set up a service, but for now we will stick to init.d files.
    # cat > /etc/init.d/saslauthd << 'EOF'
    #!/usr/sbin/sh
    #
    NAME=saslauthd
    DAEMON="/usr/local/sbin/${NAME}"
    DESC="SASL Authentication Daemon"

    # -a Selects the authentication mechanism to use.
    # -n Number of worker processes to create.
    # -V Enable verbose logging
    # -d Debugging (don't detach from tty, implies -V)

    case "$1" in
    'start')
    # -d keeps saslauthd in the foreground (debug use only) and would block this
    # rc script at boot, so it is left out here; use it for the one-off test above.
    ${DAEMON} -n 1 -V -a pam
    ;;

    'stop')
    # pgrep only reports the pid; pkill actually stops the daemon
    pkill -x ${NAME}
    ;;

    *)
    echo "Usage: $0 { start | stop }"
    exit 1
    ;;
    esac
    EOF
    #
    # sudo chmod 744 /etc/init.d/saslauthd
    # cd /etc
    # sudo ln init.d/saslauthd rc0.d/K38saslauthd
    # sudo ln init.d/saslauthd rc1.d/K38saslauthd
    # sudo ln init.d/saslauthd rc2.d/S82saslauthd
    # sudo ln init.d/saslauthd rcS.d/K38saslauthd
    • Time for some testing, via first the SASL daemon.
    # cyrus-sasl-2.1.25/saslauthd/testsaslauthd -u RealUser -p MyPassword
    0: OK "Success."
    • We need the encoded username and password to test sendmail (AUTH PLAIN uses base64, so this is encoding, not encryption):
    # perl -MMIME::Base64 -e 'print encode_base64("\000MyUser\000MyPassword")'
    AE15VXNlcgBNeVBhc3N3b3Jk
    • Test the sendmail part:
    # sudo /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
    220 mailer5.dcs.bbk.ac.uk ESMTP Sendmail 8.14.5/8.14.5; Tue, 31 Jan 2012 09:52:24 GMT
    EHLO localhost
    250-mailer5.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
    235 2.0.0 OK Authenticated
    quit
    221 2.0.0 mailer5.dcs.bbk.ac.uk closing connection
    • That is it.
    References:
    - Guía Instalación de Sendmail con SMTP-AUTH y (tema #2688)
    - Sendmail-SMTP-AUTH-TLS-Howto
    - OpenSolaris Sendmail Auth

    Tuesday, January 31, 2012

    Can Solaris 11 Sendmail / SASL handle SMTP AUTH

    I thought I would finally get SMTP AUTH working on my Solaris 11 servers, so that I could then set up my phone to send e-mail correctly.

    So can you do it with default Solaris 11 software?
    If you can't wait, the answer is NO! But here is what I tried, just in case someone can solve the problem.
    • First, Solaris 11 comes with Sendmail and SASL, but worse luck, Sendmail has not been built with SASL support (you see the following when you edit sendmail.cf; see later).
    # sudo /usr/lib/sendmail -d0 -bt < /dev/null
    Version 8.14.5+Sun
    Compiled with: DNSMAP LDAPMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8
    MIME8TO7 NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB NIS
    PIPELINING SCANF STARTTLS TCPWRAPPERS USERDB USE_LDAP_INIT
    XDEBUG
    Warning: Option: AuthMechanisms requires SASL support (-DSASL)
    Warning: Option: AuthOptions requires SASL support (-DSASL)
    • Let's try compiling sendmail to see if Solaris SASL can work!
    • Install the packages which we require and download sendmail 8.14.5:
    # sudo pkg install pkg:/developer/build/make system/header developer/gcc-3 text/gnu-grep database/berkeleydb-5

    # echo $PATH
    /usr/sbin:/usr/bin
    # export PATH=$PATH:/usr/gnu/bin:/usr/sfw/bin
    • Stop existing sendmail processes.
    # sudo svcadm disable svc:/network/smtp:sendmail
    # sudo svcadm disable svc:/network/sendmail-client:default

    # gzip -dc sendmail.8.14.5.tar.gz | tar xf -
    # cd sendmail-8.14.5
    • Set up sendmail FEATURES (SSL, SASL, DB)
    # cat > devtools/Site/site.config.m4 << 'EOF'
    dnl ### Changes for STARTTLS support
    APPENDDEF(`confENVDEF',`-DSTARTTLS')
    APPENDDEF(`confLIBS', `-lssl -lcrypto')
    APPENDDEF(`confLIBDIRS', `-L/usr/lib -R/usr/lib')
    APPENDDEF(`confINCDIRS', `-I/usr/include/openssl')

    dnl ### SASL support
    APPENDDEF(`confENVDEF', `-DSASL')
    APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
    APPENDDEF(`confINCDIRS', `-I/usr/include/sasl')

    dnl ### Berkley DB support
    APPENDDEF(`confENVDEF', `-DNEWDB')
    APPENDDEF(`confINCDIRS', `-I/usr/include')
    APPENDDEF(`confLIBDIRS', `-L/usr/lib')
    EOF
    •  Build Sendmail
    # ./Build -c
    /* It should build but ignore the gtroff:error at the end */
    # sudo mv /usr/lib/sendmail /usr/lib/sendmail_orig
    # sudo cp obj.SunOS.5.11.i86pc/sendmail/sendmail /usr/lib/sendmail
    # sudo chgrp smmsp /usr/lib/sendmail
    # sudo chmod g+s,u-ws /usr/lib/sendmail
    • Now add a vendor name and SASL support to the sendmail.cf file (I hope you know what you are doing here)
    • Edit sendmail.mc and add the extra lines:
    define(`VENDOR_NAME', `Berkeley')
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl


    # cd /etc/mail/cf/cf
    # cat sendmail.mc
    divert(0)dnl
    VERSIONID(`sendmail.mc (Sun)')
    define(`VENDOR_NAME', `Berkeley')
    OSTYPE(`solaris11')dnl
    DOMAIN(`solaris-generic')dnl
    define(`confAUTH_OPTIONS', `A')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confFALLBACK_SMARTHOST', `mailhost$?m.$m$.')dnl
    MAILER(`local')dnl
    MAILER(`smtp')dnl

    LOCAL_NET_CONFIG
    R$* < @ $* .$m. > $* $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
    #
    # sudo make sendmail.cf
    # sudo cp sendmail.cf ../../sendmail.cf

    # sudo /usr/lib/sendmail -bt -d0 < /dev/null
    Version 8.14.5
    Compiled with: DNSMAP LOG MAP_REGEX MATCHGECOS MILTER MIME7TO8 MIME8TO7
    NAMED_BIND NDBM NETINET NETINET6 NETUNIX NEWDB PIPELINING
    SASLv2 SCANF STARTTLS USERDB XDEBUG
    • Now let's set up the SASL plugin via a Sendmail.conf:
    # cat > /etc/sasl/Sendmail.conf << 'EOF'
    pw_check: shadow
    EOF
    • I have tried the following in the above with no luck: shadow, pam, auxprop, but none seem to check password information.
    • Testing, but first we need the encoded username and password (base64, so encoding rather than encryption):
    # perl -MMIME::Base64 -e 'print encode_base64("\000MyUser\000MyPassword")'
    AE15VXNlcgBNeVBhc3N3b3Jk
    • Test the sendmail part:
    # sudo /usr/lib/sendmail -bv  -O LogLevel=14 -bs -Am
    220 mailer5.dcs.bbk.ac.uk ESMTP Sendmail 8.14.5/8.14.5; Tue, 31 Jan 2012 09:52:24 GMT
    EHLO localhost
    250-mailer5.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN
    250-DELIVERBY
    250 HELP
    AUTH PLAIN AE15VXNlcgBNeVBhc3N3b3Jk
    535 5.7.0 authentication failed
    Jan 31 09:52:35 mailer5 sendmail[5928]: Password verification failed
    Jan 31 09:52:35 mailer5 sendmail[5928]: q0V9qOd1005928: AUTH failure (PLAIN): user not found (-20) SASL(-13): user not found: Password verification failed, relay=root@localhost
    quit
    221 2.0.0 mailer5.dcs.bbk.ac.uk closing connection
    • So no luck, if you can spot anything I am doing wrong please let me know.
    • I will post shortly how to get over the above.
    References:
    - Guía Instalación de Sendmail con SMTP-AUTH y (tema #2688)
    - Sendmail-SMTP-AUTH-TLS-Howto
    - OpenSolaris Sendmail Auth
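The AUTH PLAIN exchange tested at the end of this post and of the February post above, as an added example that is not the blog's code: it parses the EHLO reply, builds and reverses the base64 token the perl one-liner produced, and applies the client-side rule that PLAIN/LOGIN go only over TLS (the server-side equivalent is sendmail's confAUTH_OPTIONS flag `p`). EHLO_REPLY is the captured reply re-typed as sample input, and the function names are my own.

```python
"""Parse an ESMTP EHLO reply and build/decode the AUTH PLAIN token from the posts.

Added example (not the blog's code). EHLO_REPLY is the reply captured in the
posts, re-typed here as constructed sample input.
"""
import base64
import re

EHLO_REPLY = """250-mailer5.dcs.bbk.ac.uk Hello root@localhost, pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-EXPN
250-VERB
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP"""

_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["DIGEST-MD5", ...]}.

    Lines are "250-keyword params" with the last one "250 keyword"; the first
    line is the server greeting and carries no capability.
    """
    lines = reply.splitlines()
    caps = {}
    for idx, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        sep, text = m.groups()
        if (sep == " ") != (idx == len(lines) - 1):
            raise ValueError("malformed multi-line reply (separator vs. last line)")
        if idx == 0:
            continue
        words = text.split()
        caps[words[0].upper()] = words[1:]
    return caps


def plain_token(authcid, password, authzid=""):
    """RFC 4616 AUTH PLAIN: base64(authzid NUL authcid NUL password).
    This is encoding, not encryption: base64 is trivially reversible."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_plain_token(token):
    """Recover (authzid, authcid, password) from an AUTH PLAIN token, which is
    exactly what anyone watching an unencrypted session can do."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("AUTH PLAIN token must contain exactly two NUL separators")
    return tuple(parts)


def plaintext_auth_allowed(caps, tls_active):
    """Decide whether a client should send PLAIN/LOGIN on this connection.

    Mirrors the server-side rule sendmail's confAUTH_OPTIONS flag `p` enforces:
    password-revealing mechanisms only once a security layer (STARTTLS) is up.
    """
    mechs = set(caps.get("AUTH", []))
    if not mechs & {"PLAIN", "LOGIN"}:
        return False, "server does not offer PLAIN or LOGIN"
    if tls_active:
        return True, "TLS active; base64 credentials are protected in transit"
    if "STARTTLS" in caps:
        return False, "issue STARTTLS first, then EHLO again and authenticate"
    return False, "no TLS available; PLAIN/LOGIN would expose the password"


def auth_outcome(reply_line):
    """Classify the server's reply to AUTH: 235 = success, 5xx = rejected."""
    code = reply_line[:3]
    if code == "235":
        return "authenticated"
    if code.startswith("5"):
        return "rejected"
    return "other"
```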