SUMMARY: Authenticating Solaris 10 through Active Directory

From: Twardzik, Mark J. <Mark.Twardzik_at_jhuapl.edu>
Date: Thu May 19 2011 - 08:25:04 EDT
Thanks everyone for all the replies.

I tried using Likewise Open as suggested by Brandon below, and it worked for
my situation. It was much simpler and faster than trying to manually configure
everything. Very good documentation as well.

Thanks again!

Mark

_____________________________________________________________________________

Hi Mark,

What we've recently started working with is the Likewise Open Source AD
package for Solaris and have had a good amount of success.  We haven't done a
full rollout yet as we still need to do more testing but this could be of some
use to you.  The page is at:
http://www.likewise.com/products/likewise_open/index.php

Hope that helps,
-Brandon

--
Brandon Battis


_____________________________________________________________________________


Thanks for the quick reply David. I have already been to those websites and
used some of the information. I believe it's just a matter of properly
configuring the ldap_client_file.




Haven't tried it myself, but you may want to check out:

	http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/
	http://blog.scottlowe.org/2008/11/19/no-solaris-ad-integration-update/

It's a bit old now, but the principles should still apply.

David Magda
_____________________________________________________________________________


Are you sure that the "proxy" account which you use is defined in Active
Directory to allow a "simple" password authentication? If I recall, per
default it will expect the Windows-style authentication, so it will fail.



Rob,

Thanks for the quick reply. My ldap_client_file has a few different
attributes, such as NS_LDAP_AUTH= sasl/GSSAPI and NS_LDAP_CREDENTIAL_LEVEL=
self. I had previously tried using simple and proxy, but that didn't work
either. Snoop output a different error message with proxy and simple:

*[LDAPMessage]
          [message ID]
     Operation *[APPL 1: Bind Response]
               [Result Code]
                 1
                 Invalid Credentials
               [Matched DN]
               [Error Message]
                 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext

I'm hoping it might just be a matter of tweaking the ldap_client_file.

Thanks again,

Mark






Mark,

You need a "bind" (or "proxy") account (and its password) in the LDAP (Active
Directory) repository that your Solaris clients can use to request data from
the AD.

This "bind" account is what you will use in the command to manually configure
a Solaris-10 client as LDAP client:

ldapclient -v manual \
    -a defaultServerList=kdc.ourdomain.internal \
    -a defaultSearchBase="dc=ourdomain,dc=internal" \
    -a authenticationMethod=simple \
    -a followReferrals=FALSE \
    -a defaultSearchScope=one \
    -a searchTimeLimit=30 \
    -a credentialLevel=proxy \
    -a proxyDN="cn=bindaccount,ou=Process,ou=Logins,ou=THISDEPT,dc=ourdomain,dc=internal" \
    -a proxyPassword=somepwd \
    -a objectclassMap=passwd:posixAccount=user \
    -a serviceSearchDescriptor=passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL \
    -a attributeMap=passwd:homeDirectory=unixHomeDirectory

This should result in a file "/var/ldap/ldap_client_file" with the following
contents:

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc.ourdomain.internal
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user

There are some additional important steps to take (like editing /etc/pam.conf
and /etc/nsswitch.conf), but I guess you have figured these out already. If not, I
can inform you of more.

good luck
Rob

Rob De Langhe
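A small audit of the resulting ldap_client_file, added here as an example and not part of Rob's or Mark's mail: it parses the "KEY= value" format shown above and flags the authentication/credential-level combinations that cannot work (or that expose the proxy password), using a constructed copy of the listing as input.

```python
"""Sanity-check a Solaris 10 /var/ldap/ldap_client_file before going live."""

# Constructed sample mirroring the listing in Rob's mail (assumption: no other keys present).
SAMPLE_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc.ourdomain.internal
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
"""


def parse_client_file(text):
    """Parse 'KEY= value' lines into {key: [values]}.

    Only the first '=' separates key from value, so DN-style values such as
    'passwd:ou=PER,...' survive intact.  Repeated keys (several
    NS_LDAP_SERVICE_SEARCH_DESC lines are legal) accumulate into a list.
    """
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf.setdefault(key.strip(), []).append(value.strip())
    return conf


def audit(conf):
    """Return findings about the auth method / credential level pairing."""
    findings = []
    auth = conf.get("NS_LDAP_AUTH", ["none"])[0]
    level = conf.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    # A proxy account is pointless if the client never binds with it.
    if level == "proxy" and auth == "none":
        findings.append("credentialLevel=proxy with authenticationMethod=none: bind account never used")
    # 'self' means each user binds with their own Kerberos ticket, i.e. sasl/GSSAPI.
    if level == "self" and auth != "sasl/GSSAPI":
        findings.append("credentialLevel=self requires authenticationMethod=sasl/GSSAPI")
    # Plain 'simple' sends the proxy password unencrypted; 'tls:simple' wraps it in TLS.
    if auth == "simple":
        findings.append("simple bind without tls: proxy password crosses the network unencrypted")
    return findings
```

Run `audit(parse_client_file(open("/var/ldap/ldap_client_file").read()))` on a client to list the findings; an empty list means the pairing is consistent.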

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org
[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Twardzik, Mark J.
Sent: Thursday, May 12, 2011 3:57 PM
To: sunmanagers@sunmanagers.org
Subject: Authenticating Solaris 10 through Active Directory

I have a Sun Netra T5440 SPARC running Solaris 5.10 with a fresh End User
installation, no additional patches. I am trying to authenticate it through
Active Directory on a Windows Server 2008 R2 system. I followed the
instructions in Sun document 'Using Kerberos to Authenticate a Solaris(TM) 10
OS LDAP Client With Microsoft Active Directory', although I had to change a few
things to successfully navigate some of the steps. This was expected, as I
realize the document was written for Server 2003.

I believe Kerberos is configured properly, as 'kinit (test user)' obtains
tickets according to klist. However, neither 'ldaplist -l passwd (test user)'
nor 'getent passwd (test user)' work. It looks like a binding issue with
sasl/GSSAPI based on the following error messages:

'cat /var/adm/messages | grep ldap'  results contain the repeated error
'libsldap: makeConnection: failed to open connection using sasl/GSSAPI to
ForestDnsZones.my.domain'

'snoop -v | grep -I ldap'  contains

*[LDAPMessage]
          [message ID]
     Operation *[APPL 1: Bind Response]
               [Result Code]
                 Success
               [Matched DN]
               [Error Message]
          SASL Credentials    [7]

Any help would be greatly appreciated, as I have spent a great deal of time
looking through message boards and playing with different configurations.

Send email and I will summarize to the list.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Thu May 19 08:25:39 2011

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:18 EST