SUMMARY: Solaris login based on Windows Domain?

From: John Christian <john.christian_at_TheCReGroup.com>
Date: Wed Sep 15 2004 - 16:57:00 EDT
SUMMARY: Solaris login based on Windows Domain?

  [Original post at bottom]

Thanks for the input: Debbie Tropiano, Bousquet Francois, Alan Pae,
Chris Pinnock, Victor Schrader, Tristan Ball, Darryl Baker

We now have some new topics and directions to research. The biggest
disappointment was that (according to Chris) Solaris with RADIUS is
not supported yet. Looks like we'll need to dive into LDAP or
Kerberos if we're serious about addressing this issue. Of course
NIS or NIS+ related is possible, but what little NIS I see out
there is slowly disappearing. Below is a collection of the replies
with some additional links at the bottom.

>>>>>
It may be more than you want or need, but we use
Ganymede (http://tools.arlut.utexas.edu/gash2/)
here and using it allows up to have logins that
authenticate both for Windows and Solaris.  It's
open source, so perhaps it'll give you an idea
of how it's done (no, I don't know the internals).

>>>>>
Look for LDAP
I've just installed a Samba PDC with an LDAP backend to connect my Windows
Server and I am using pam_ldap to authenticate Solaris to LDAP.
This creates a centralized authentication for both types of server.  The
system is secure with SSL encrypted connections and standard with LDAP.
If you are not using Solaris 7 or minus or Windows NT 4.0 you might also
consider using Sun iPlanet (Sun LDAP server) and get support from Sun for
installation.

>>>>>
Although I've never used it, you might want to look into:
http://www.vintela.com/products/vas/ <http://www.vintela.com/products/vas/>
also, I think the Sun Blueprints site might have a doc on this subject.
[ed note: I did find a few docs which are listed further below.]

>>>>>
A1: It is possible with Kerberos. Active Directory is Kerberos underneath.
A2: You would need to have login linked against a radius library - possible
on FreeBSD but not on Solaris at the moment.

>>>>>
Supposedly (have not done this myself yet), MS has 'Services for Unix' that
will let W2K+ be a NIS master with passwd syncing between the 2 worlds.  I
have been using it, but not with NIS (yet).  Out of the box (it is free) it
has Korn shell and functions as a NFS server in parallel with CIFS shares.  I
have a mixed network of Solaris X86, various Linux versions and Windows
machines the idea seems attractive to me.  If you play with it let me know how
it goes.

>>>>>
Checkout the windbindd system that is part of samba-3.
You don't need to use samba, the winbindd part hooks in as a NSS
modules.

>>>>>
If it is a XP domain you could use the XP server as an LDAP server.


>>>>>
Additional information that needs to be digested:

Extending Authentication in Solaris 9 with PAM (part1)
http://www.sun.com/blueprints/0902/816-7669-10.pdf

Extending Authentication in Solaris 9 with PAM (part2)
http://www.sun.com/blueprints/1002/816-7670-10.pdf

Solaris and LDAP naming services
http://www.sun.com/books/catalog/bialaski.xml


  [original post follows...]

________________________________

From: sunmanagers-bounces@sunmanagers.org on behalf of John Christian
Sent: Tue 9/14/2004 3:24 PM
To: sunmanagers@sunmanagers.org
Subject: Solaris login based on Windows Domain?



Hi Sunmanagers,

QUESTION 1
   Instead of creating accounts on every host for each user, what is a
   popular way to "hook" Solaris logins (telnet, ssh, sftp) to
   authenticate against an existing Windows Domain? (I'm told our Win
   Domain is RADIUS accessible.)

QUESTION 2
   Perhaps we DO want to create an account on every host for each user and
   only have the password authentication [dis]approved by the Windows
   Domain. We only have ~10 hosts with ~15 users. Is there a way to logically
   replace /etc/shadow with the Windows Domain? (Except for root and admin
   accounts.)

DETAILS
   * I am told we can authenticate against the Windows Domain through a
     RADIUS server. Our VPN gateway is doing that now.
   * We're looking for a straightforward way to take advantage of the
     existing Windows Domain infrastructure. We do not have visions of SSO
     (single sign on) for the entire organization.
   * I don't think we want to create an entirely new LDAP-based directory
     server.
   * Solaris 9, latest media, latest patch cluster.
   * Hardware includes 240's, 440's, 880's, and 1280's.
   * All hosts (Windows and Solaris) are at the same site.

TIA for any cookbooks, suggestions, links, or personal experiences.
I will summarize!

-John C.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
<http://www.sunmanagers.org/mailman/listinfo/sunmanagers>
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Wed Sep 15 16:56:54 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:38 EST