Comments on: Solaris 10 and Active Directory Integration http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/ The weblog of an IT pro specializing in virtualization, storage, and servers Wed, 08 Feb 2012 17:13:47 +0000 hourly 1 http://wordpress.org/?v= By: Steve http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-2/#comment-52637 Steve Sat, 04 Feb 2012 17:58:23 +0000 http://blog.scottlowe.org/?p=320#comment-52637 Thanks for a great post. I'm currently setting up a Linux/win7 lan under a Samba 4 PDCand have used much of the stuff you mention here. http://linuxcostablanca.blogspot.com/p/samba-4.html It addresses some of the problems mentioned here and suggests alternatives which may also work with AD/Linux. Thanks again. Thanks for a great post. I’m currently setting up a Linux/win7 lan under a Samba 4 PDCand have used much of the stuff you mention here.
http://linuxcostablanca.blogspot.com/p/samba-4.html
It addresses some of the problems mentioned here and suggests alternatives which may also work with AD/Linux.
Thanks again.

]]> By: Albert Kwok http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-2/#comment-52605 Albert Kwok Wed, 01 Feb 2012 01:21:56 +0000 http://blog.scottlowe.org/?p=320#comment-52605 Did you ever try to configure Solaris 10 as NIS client to Win 08 R2 AD NIS server? I saw you other post at http://www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory but don't understand why we need to configure LDAP in additional to NIS. Did you ever try to configure Solaris 10 as NIS client to Win 08 R2 AD NIS server? I saw you other post at http://www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory but don’t understand why we need to configure LDAP in additional to NIS.

]]> By: Brian Jester http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-2/#comment-52545 Brian Jester Fri, 20 Jan 2012 22:26:57 +0000 http://blog.scottlowe.org/?p=320#comment-52545 I found a mistake in our /var/ldap/ldap_client_file, I had: group:posixAccount=group And it should have read: group:posixGroup=group Once I made the change, I could query groups. I found a mistake in our /var/ldap/ldap_client_file, I had:

group:posixAccount=group

And it should have read:

group:posixGroup=group

Once I made the change, I could query groups.

]]> By: Brian Jester http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-2/#comment-52538 Brian Jester Fri, 20 Jan 2012 15:43:38 +0000 http://blog.scottlowe.org/?p=320#comment-52538 Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here's the sequence of events: On Solaris 10 client: ldaplist passwd \* -Works correctly, and lists all users from Windows 2008 R2 Active Directory However, when I do the same command for groups, it errors out: ldaplist group \* -Errors out with: ldaplist: Object not found The AD groups for UNIX I've chosen the NIS domain on the UNIX Attributes tab, just like I did with AD UNIX users. Other commands that do work between Solaris 10 and Win 2008 R2 AD: kinit klist klist -k ldapsearch -h -D cn=proxy,cn=users,dc=mydomain,dc=com -w -b dc=mydomain,dc=com -s sub '(cn=tst*)' ldapsearch -h -s base -b "" "(objectclass=*)" The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it's searching for the Common Name (CN) tst*, and not for a type of object (group). These commands do not work as expected: getent passwd -This only shows local UNIX users getent group -This only shows local UNIX users The /etc/nsswitch.conf is set up for: passwd: files ldap [TRYAGAIN=continue] group: files ldap [TRYAGAIN=continue] hosts: files dns My references are: "Windows Security and Directory Services for UNIX v1.0", Microsoft http://technet.microsoft.com/en-us/library/bb496504.aspx "Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows" "Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10" http://osdude.wordpress.com/2011/08/ Systems: Solaris 10 (sparc) Windows 2008 R2 with Identity Management for UNIX Role added. Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here’s the sequence of events:

On Solaris 10 client:

ldaplist passwd \*

-Works correctly, and lists all users from Windows 2008 R2 Active Directory

However, when I do the same command for groups, it errors out:

ldaplist group \*

-Errors out with:

ldaplist: Object not found

The AD groups for UNIX I’ve chosen the NIS domain on the UNIX Attributes tab, just like I did with AD UNIX users.

Other commands that do work between Solaris 10 and Win 2008 R2 AD:

kinit
klist
klist -k
ldapsearch -h -D cn=proxy,cn=users,dc=mydomain,dc=com -w -b dc=mydomain,dc=com -s sub ‘(cn=tst*)’
ldapsearch -h -s base -b “” “(objectclass=*)”

The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it’s searching for the Common Name (CN) tst*, and not for a type of object (group).

These commands do not work as expected:

getent passwd

-This only shows local UNIX users

getent group

-This only shows local UNIX users

The /etc/nsswitch.conf is set up for:

passwd: files ldap [TRYAGAIN=continue]
group: files ldap [TRYAGAIN=continue]
hosts: files dns

My references are:
“Windows Security and Directory Services for UNIX v1.0″, Microsoft
http://technet.microsoft.com/en-us/library/bb496504.aspx
“Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows”
“Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10″
http://osdude.wordpress.com/2011/08/

Systems:
Solaris 10 (sparc)
Windows 2008 R2 with Identity Management for UNIX Role added.

]]> By: Greg Hitchcock http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-50464 Greg Hitchcock Thu, 24 Mar 2011 11:13:28 +0000 http://blog.scottlowe.org/?p=320#comment-50464 Hi Scott Thanks for a great blog it's helped clarify things a lot for me. Is there any way you know to integrate the solaris /etc/user_attr file into Windows 2008 AD ? Hi Scott

Thanks for a great blog it’s helped clarify things a lot for me.

Is there any way you know to integrate the solaris /etc/user_attr file into Windows 2008 AD ?

]]> By: Juan Pablo Soto http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-49270 Juan Pablo Soto Fri, 01 Oct 2010 13:42:10 +0000 http://blog.scottlowe.org/?p=320#comment-49270 Thank you so much for this detailed post. It's quite useful and it clears me a lot of things about AD integration with Solaris 10. In the end, I've done the level of integration that I need using a third-party free product (LikeWise Open http://www.likewiseopen.org/ ). I'm an IBM Rational ClearCase Administrator and using this product my users can view the network drives that the application use regardless which OS they're using and sharing a synchronized login. SSO it's the next step for us, but before to find an get LikeWise up and running this document was really useful for me and my team. Cheers and keep the good work. Juan Pablo Soto IBM Rational Consultant Thank you so much for this detailed post. It’s quite useful and it clears me a lot of things about AD integration with Solaris 10.
In the end, I’ve done the level of integration that I need using a third-party free product (LikeWise Open http://www.likewiseopen.org/ ). I’m an IBM Rational ClearCase Administrator and using this product my users can view the network drives that the application use regardless which OS they’re using and sharing a synchronized login. SSO it’s the next step for us, but before to find an get LikeWise up and running this document was really useful for me and my team.
Cheers and keep the good work.

Juan Pablo Soto
IBM Rational Consultant

]]> By: Bernd Markgraf http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-47841 Bernd Markgraf Sun, 11 Apr 2010 21:07:04 +0000 http://blog.scottlowe.org/?p=320#comment-47841 Excellent post, very helpful! One thing I noticed on my clients running Solaris 10 10/09 is that getent cannot enumerate the users or groups and also finger username fails when I use the objectClassMap provided in your examples. What works are logins with domainaccounts and also getent username finds the user. Does that work on your setup as expected? If i leave out the objectclassmap and instead give the user the additional objectclass posixaccount everything works including finger and getting the user/group list with getent. Excellent post, very helpful!
One thing I noticed on my clients running Solaris 10 10/09 is that getent cannot enumerate the users or groups and also finger username fails when I use the objectClassMap provided in your examples.
What works are logins with domainaccounts and also getent username finds the user. Does that work on your setup as expected?
If i leave out the objectclassmap and instead give the user the additional objectclass posixaccount everything works including finger and getting the user/group list with getent.

]]> By: Mohannad http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-47321 Mohannad Mon, 18 Jan 2010 10:55:57 +0000 http://blog.scottlowe.org/?p=320#comment-47321 Dears, I am a little bit confused, when to use the authentication bind account we created and when to use the user account (created for each host) in below command: ldapclient manual \ -a credentialLevel=anonymous \ -a authenticationMethod=none \ -a defaultSearchBase=dc=example,dc=com \ -a domainName=example.com \ -a “defaultServerList=172.16.1.10” \ -a attributeMap=group:userpassword=userPassword \ -a attributeMap=group:memberuid=memberUid \ -a attributeMap=group:gidnumber=gidNumber \ -a attributeMap=passwd:gecos=cn \ -a attributeMap=passwd:gidnumber=gidNumber \ -a attributeMap=passwd:uidnumber=uidNumber \ -a attributeMap=passwd:homedirectory=unixHomeDirectory \ -a attributeMap=passwd:loginshell=loginShell \ -a attributeMap=shadow:shadowflag=shadowFlag \ -a attributeMap=shadow:userpassword=userPassword \ -a objectClassMap=group:posixGroup=group \ -a objectClassMap=passwd:posixAccount=user \ -a objectClassMap=shadow:shadowAccount=user \ -a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \ -a serviceSearchDescriptor=group:dc=example,dc=com?sub please help Dears,

I am a little bit confused, when to use the authentication bind account we created and when to use the user account (created for each host) in below command:

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

please help

]]> By: RACH http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-46236 RACH Sun, 18 Oct 2009 00:43:10 +0000 http://blog.scottlowe.org/?p=320#comment-46236 Hi i am looking for a process document or user guide how can integrate solares, 7, 8,9,10 to actie directory , In order to migrate all users to active directory tx Hi i am looking for a process document or user guide how can integrate solares, 7, 8,9,10 to actie directory , In order to migrate all users to active directory
tx

]]> By: Kalpeshkumar Patel http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/comment-page-1/#comment-43860 Kalpeshkumar Patel Fri, 13 Mar 2009 20:35:23 +0000 http://blog.scottlowe.org/?p=320#comment-43860 Hi, I am trying to use NISnetgroup created in ADS through my solaris 10 ldapclient. Basically I am trying to setup Solaris authentication using ldap client and windows ADS. (as replacement of NIS). Please suggest good client configuration and configuration changes on ADS if any. Without netgroups, I am able to authenticate users of ADS. Any help will be a great help to me. Hi,

I am trying to use NISnetgroup created in ADS through my solaris 10 ldapclient.

Basically I am trying to setup Solaris authentication using ldap client and windows ADS. (as replacement of NIS).

Please suggest good client configuration and configuration changes on ADS if any.

Without netgroups, I am able to authenticate users of ADS.

Any help will be a great help to me.

]]>