Solaris 10 and Active Directory Integration

Does this apply to authenticating Solaris 9 with a 2003 R2 active directory?

Hey Scott,

Your Unix to AD instructions have been very helpful. I’ve been able to get them to work on RHEL 4, but I’m having some trouble with Solaris. It seems like the Kerberos side is working - I’m not using TGT validation and “kinit username” does not return anything when I put in the correct password. The troublesome part has been LDAP. I’ve configured my AD to accept anonymous browsing, and I adjusted my ldapclient command accordingly:

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

However, “getent passwd” only returns local accounts, and ldapsearch returns: “Can’t connect to the LDAP server - Connection refused”. I know that the AD part is OK since RHEL 4 works correctly. Any thoughts?

Also, have you ever tried integrating HP-UX and AD?

Thanks,
Kevin

Hey Scott,

Sorry for the lack of replies - I’m still working on this. I actually decided to back up to Solaris 9, which of course has its own issues since it’s missing many of the features that come standard with Solaris 10. I’m also trying Linux (RHEL 4) but having some trouble there too. I gave up with anonymous browsing in favor of TGT validation. The one thing I don’t really like is having the bind user’s password in the ldap.conf file - it doesn’t matter if no one can really use that account - I know my security folks still won’t like it.

I spent a few days trying to implement the SSO solution using a Microsoft document:

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/08wsdsu.mspx

I liked this idea because it mentioned a tool called css_adkadmin (http://www.css-security.com/downloads.html), which you can use to create the key table file on the UNIX system and it will automatically create an account in Active Directory for you, and you can assign a random password as well. Seems like a great idea, but I’ve simply had a real tough time getting it to actually work! The tough part has actually been compiling some of the open source applications on Solaris 9 (even after following their instructions).

Enough of my rambling - do you have any ideas?

Thanks,
Kevin

Thanks for this great post. I have now finally been able to set this up; using a combination of your site and the m$ documentation for their Directory Services For Unix. I have this running against W2K3r2 and am successfully using both kerberos and ldap.After setting it up I have 2 big questions.
Question 1: User Home Directories. Unfortunately I am in an environment where our info security will not let us use NFS. That means that the automounter and auto_home stuff will not work to have centralized directories for the user’s home. If I have to create a user home directory on each server (230 of them) that kinda scrubs one of the nice things about centralized user management. Is there a way that you know of to have the home directory created when a user first logs in, as well as if the user is deleted in AD removes the home directory from each server. Currently I am just creating group directories and having all users in a particular group home directory set to that directory. (These are all production servers and users shouldn’t be having personal files on them anyway)

Question 2: Limiting Users to Certain Servers. Is there a way to do this since the servers are actually using a user account as opposed to a computer account to identify it to AD. The only way that I can think to get this to work is to have a seperate container for each group of servers. But if I do that how do I allow administrative users have access to all containers and be authenticated, authorized, etc.

Thanks for your excellent article!

Hi Scott,

I’m a litte bit confuse on -princ, -mapuser, -pass syntax. Mind to give me a hint?

ktpass -princ HOST/fqdn@REALM -mapuser DOMAIN\account
-crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
-out filename

Thanks,
-Chris

Hi Scott,

This seems to be a stupid question but I need to verify w/ you if it’s true or not. I got this response which was posted awhile back & here is the link:

http://groups.google.com/group/compnetldap/browse_thread/thread/5493e670d0d173c4/ed7d625b540c04c4?hl=en#ed7d625b540c04c4

What i’m trying to do is that I want all of my exiting AD users (which is in a few hundreds) to be able to log into my solaris machine using their existing login & passwd. Can I accomplish the task through your procedure or do I need to have a Sun Java System Identity Synchronization for Windows? Any helps/suggestions are greatly appreciated.

Thanks,
-Chris

Hey Scott,

Thanks for this article, it really helped me along in getting kerb auth working against AD. I have not gone as far as using LDAP for authorization, but kerberos authentication is working great now.

I am having one problem with ssh shared keys, though. My basic method is to try kerberos and then unix via pam and comment users out of /etc/shadow to force them to go through AD. But when the user doesn’t exist in /etc/shadow, ssh shared keys stop working. If I put them back in shadow, it works fine until the local password expires and then nothing works.

Maybe I’m using the wrong method here. Butting them in shadow with NP and a 99999 expiration will work, but it feels insecure to me.

What do you do with the user’s /etc/shadow entry?

Hi
I am trying to configure ldap clint in sol 10 x86 not able to do so i am getting following errors in syslog
Nov 1 18:12:21 pamsol.pam.com ldap_cachemgr[5393]: [ID 178954 daemon.warning] l
ibc: bad lookup policy for hosts in /etc/nsswitch.conf, using defaults..

and when i try ldaplist following error came
ldaplist: “Object not found (Session error no available conn.
) ” on console and in syslog it is( openConnection: simple bind failed - Invalid credentials)

my nsswitch is as follow
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# “hosts:” and “services:” in this file are used only if the
# /etc/netconfig file has a “-” for nametoaddr_libs of “inet” transports.

# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.

# the following two lines obviate the “+” entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult /etc “files” only if ldap is down.

hosts: ldap files pam.com

“/etc/nsswitch.conf” 50 lines, 1096 characters

—————————————————————————————————-

And my

bash-3.00# ldapclient manual /
-a credentialLevel=proxy /
-a authenticationMethod=simple /
-a proxyDN=cn=Administrator,dc=pam,dc=com -a proxyPassword=Track123! /
-a defaultSearchBase=dc=pam,dc=com /
-a domainName=pam.com /
-a defaultServerList=172.16.146.66 /
-a serviceSearchDescriptor=passwd:dc=pam,dc=com?sub /
-a serviceSearchDescriptor=group:dc=pam,dc=com?sub

———————————————————————————————————-
but i am able to authenticate can u suggest what mistake i am making
Thanks in Advance for help

Give this a shot. It worked with Solaris 10 and W2K3 Server using SFU 3.5.

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=ldapsearch,ou=ldap,dc=test,dc=local \
-a proxyPassword=ldapsearch \
-a defaultSearchBase=dc=test,dc=local \
-a domainName=test.local \
-a “defaultServerList=192.168.20.100″ \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:ou=users,ou=unix,dc=test,dc=local?sub \
-a serviceSearchDescriptor=group:ou=groups,ou=unix,dc=test,dc=local?sub

How did you get Solaris 10 LDAP and SSH shared keys to work? I can’t get it to work at all plus I just found this info on the Sun website. According to Sun LDAP and shared key logins will now work. Thanks in advance for your help.

http://docs.sun.com/app/docs/doc/816-4556/6maort2sn?a=view

Mr. Lowe,

Just found your blog — I think I’ve read some of the best blog entries EVER. I’ve set up AD / Kerberos / LDAP authentication with Solaris versions 2.6 - 9, and multiple variants of Linux (Slackware, Redhat, Fredora). All of this is good stuff.

As for ssh shared keys, I believe (unless I have it misconfigured) that ssh shared keys defeat the purpose of pam_krb5.so. That is, if you’re authenticating a user with an ssh shared key, and the user types “klist,” then there wil be no Kerberos TGT.

Further, as for mm’s post, I’d bet that ssh is referencing PAM, even though you’re using an SSH shared key, and your PAM.conf options are either wrong (sufficiant vs. required), or in the wrong order. As far as I know, you only need LDAP to *identify the user*, and Kerberos / SSH shared keys will take care of the actual authentication piece.

I’ll also be looking at that adkadmin utility also, just for the easiness of it. I’m about to go into round 2 of our Active Directory deployment, moving from AD 2000 to AD 2003 R2, so it’ll be pretty fun!

Heya,

I ran into snags (as anyone almost certainly will). Specifically, your solution left LDAP over SSL out — I used this document as my guide to getting LDAP over TLS working:

http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/08wsdsu.mspx

(Actually, Kevin linked to this document above, I just wanted to recount its usefulness.) The other thing you MUST do is use a LOCAL copy of Mozilla (on the Solaris server!) to download the cert8.db, key3.db and secmod.db files. I used the copy of Mozilla on my macbook and copied those files to /var/ldap, but ldaplist wouldn’t work. Running truss, I found my system tryng to locate Mac libraries.

Finally, your ldapclient script sets this up:

-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

But I found that running id took FOREVER to return, so I changed it:

-a serviceSearchDescriptor=passwd:cn=Users,dc=adtest,dc=org?sub \
-a serviceSearchDescriptor=group:cn=Users,dc=adtest,dc=org?sub

Then my search results became much faster. I suspect there’s an indexing issue going on somehow.

Hi Scott,

I just want to say your document helped me setup Solaris 10 and AD very easily. I also wanted to point out that I don’t know if you found out, but you can add other OU’s to a ServiceSearchDescriptor. The syntax would be something like this:

-a serviceSearchDescriptor=passwd:ou=Unix Admins,;ou=Unix Users,;dc=example,dc=com?sub

We currently are using Vintela for our integration. I just used the pre-existing entries that Vintela used to update our schema with. I also was able to add all of my NIS Maps to AD without using Vintela or NFS Server for Unix. I added the automount attributes and classes by hand. I then created a separate OU and added all my maps using ADSIedit. I made a container with each map name and those containers contained the map data.

Good directions for a single AD domain, thanks. Do you have any ideas on the configuration for multiple domains, or multiple child domains that we would want to authenticate to?

Good day.
I’m new to solaris OS and I only have Solaris 10 1/6 version. Therefore, did follow your instructions, but unfortunately I cannot proceed it because i got no return after ran “getend passwd . kindly guide me.

May I know what is user account should be used during the “ldapclient” configuration? AD’s “Administrator” account? and, what user account should be used as running “kinit ”

Do I need to run any command on the generated solarissvr.keytab file, in my solaris computer?

Please guide me.

many thanks,

Good day.
I followed your instructions, but could not get any return as ran “getent passwd . kindly guide.

Scott,

Thanks a million for this write-up! It is such a huge administrative load lifted, now that I can authenticate my Solaris users to AD. It is also helping tremendously with PCI compliance.

SteveC,

Thanks to you, for providing the syntax for adding another search descriptor. I have been searching for this for weeks, and got no responses on BigAdmin. We have separate user OUs for each of our geographical locations, and it was absolutely maddening having to ditch that methodology and put all the Unix users into one special OU.

Slowe,

first of all thanks for your great work on interoperability.

I got it to work but I don’t manage to allow my users to change there password from the Solaris prompt.

I believe my pam.conf allows that, but this is not behaving as expected :

other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1 use_first_pass
other password required pam_authtok_store.so.1

the result of a passwd request is as follow :

dany@solaris8 # passwd
passwd: Changing password for dany
Enter existing login password:
New Password:
Re-enter new Password:
New Kerberos password:
Re-enter new Kerberos password:
Kerberos password not changed:
Password change rejected

Permission denied
dany@solaris8 #

So my questions are :

Why is that rejected ?
Why is the first password change request local ?

Checks :
-No logs of any reject are visible in the security audit.
-The password is respecting complexity.
-The user is authorized to change his password

I followed the setup but when my Solaris box queries AD I get an error:

resultCode: unavailableCriticalExtension (12)

I think it is related to VLV support, but I don’t know how get around this. I am using w2k3 R2.

Item sortKeyList
Item LDAP_CONTROL_VLVREQUEST VLV

Markus

I found that I can disable VLVs with ntdsutil.exe
by selecting configuration settings and the setting disable VLV to 1.

Did anybody else need to do that ?

Markus

Hi Scott,

Your guide has been very helpful. I’ve been able to get it working on Solaris 10. I have one question regarding keytab file.
I could make authentication to AD working without creating a keytab. I just created an empty keytab on the Solaris machine and it works.
Is there any harm for doing this?

Thank you for your time,
Mohammed

Hi Mohammed, from what I understand, if you have verify_ap_req_nofail set to false in krb5.conf, that is what you will see. If you have it set to true, I am pretty sure that the keytab file verified. I believe that it is desired to have this set to true, for better security.

Forgot to mention that if you follow the ktpass example exactly as it is here, you will not be able to get this to work if you switch verify_ap_req_nofail to true. The ktpass example here, uses HOST/fqdn@REALM. When I switched the HOST portion to lowercase, I was able to set “verify_ap_req_nofail = true”, and successfully logon. If you do not remember if you used upper or lower case, you can look in AD at the account you created, and go to the account tab. In that tab, have a look at the “User logon name”, as it will report what you specified with ktpass. If this has host in lowercase and there are no other issues with your keytab file, then this should work when you set it to “true”

I have multiple unix users but they are required to log on to the linux servers with the same home directory. Any ideas on what need to be done to enable this? Once i try to log on as the second user on this list of users, it comes up with user does not exist.

Hi,

Great article. I was mainly interested in the host kerberos authenication to AD. I assumed this wouldn’t need the NIS component in AD but I continually get

kinit(v5): Key table entry not found while getting initial credentials

config is exactly as you’ve documented on Sol10.

Any ideas?

Gary

When I use multiple domain (Using 3268) ldaplist passwd works but get passwd not working, so authentication is not happening.

Somebody help me if you have any experience on it.