Refined Solaris 10-AD Integration Instructions

Monday, October 16, 2006 in Interoperability, UNIX | 103 comments

The original instructions are found here.  Note, however, that this post contains all the information from the original post plus a few added points found during the latest run through the steps.

Assumptions

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.  This will require changes to the “ldapclient manual” command shown below, which handles the schema/attribute mapping.

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux or Solaris to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again this time.

  1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
  2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
  3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
  4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

  • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
  • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
  • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
  • Login Shell:  Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
  • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Preparing Active Directory (Each Solaris Server)

These steps need to be repeated for each Solaris server that will authenticating via Kerberos to Active Directory.

  1. Create a user account (not a computer account) for each Solaris server.  (Review this article for more information on the reasoning behind this approach.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the host service principal, a name like “host-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary): 
    ktpass -princ host/fqdn@REALM -mapuser DOMAIN\account
-crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
-out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re almost ready to move on to configuring the Solaris servers themselves.  First, though, we need to take care of some name resolution issues.

Configuring Reverse DNS

On the DNS server handling the reverse lookup zones for the subnet on which the Solaris server is located, add a PTR record for the Solaris server and it’s IP address.  This will ensure that reverse DNS lookups work as expected.  Make sure that each Solaris server that will be authenticating against Active Directory has a reverse lookup record in DNS.

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring the hosts file

To enable reliable TGT validation (this ensures that the Kerberos ticket returned by a KDC actually came from the KDC and not a spoofed server), you’ll need to edit the hosts file.  On Solaris 10, this is found in /etc/inet/hosts and is read-only, even for root.  Edit this file (changing permissions as necessary) so that the line with the server’s IP address looks something like this:

10.1.1.1        hostname.example.com hostname loghost

What we’re doing here is making sure that the server’s fully qualified domain name (not just the short hostname) is the first name entry on the line for the server’s IP address.

There may or may not be other entries in the file; leave those entries untouched (unless you know you need to modify them).

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

You can’t simply copy and paste from here to the Solaris configuration file, as you’ll need to customize your version for your particular network, hostnames, domain names, etc.

Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a proxyPassword=Password1 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

While you’re editing /etc/nsswitch.conf, be sure to add a “dns” entry at the end of the line for hosts:

hosts          files dns

This will help ensure that Solaris is properly configured to use DNS for host name resolution.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring the DNS Client

You’ll also need to make sure that the DNS client is enabled and running.  Using “svcs -a | grep dns” will help you identify the correct service, which you can then enable with svcadm:

svcadm enable svc:/network/dns/client:default

Test DNS resolution using either the “host” or “nslookup” commands.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Reboot the Solaris Server

I know this sounds stupid, but even after restarting LDAP and enabling/starting/restarting the DNS client, things still didn’t work for me in the lab.  However, after rebooting the Solaris server, it worked like a champ.  So, just in case, reboot the Solaris server after completing the configuration.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

  • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
  • You can use “kinit <Name of AD user>” to test Kerberos authentication.  A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.

Tags: , , , , ,

103 comments

Comments feed for this article

Monday, October 16, 2006 at 3:16 pm

chris

chris’s avatar

Hi Scott,

I posted my question on your original doc, but somehow it’s not shown when I refresh it. Anyway….. I’m under the impression that ldapclient can’t authenticate AD users without Sun Java Identy Synchronization product. The info can be found at:

http://groups.google.com/group/compnetldap/browse_thread/thread/5493e670d0d173c4/11072a68ea000a7a?lnk=arm&hl=en

So, is this true or not? What I’m trying to accomplish is to allow my existing AD users (in a few hundreds) on win2003 R2 to be able to login to my solaris machine using their existing login & password. I see there is a default ldapclient binary on sol machine. So, is your procedure applicable to my scenario? Or do I need to install a Sun Identy Sync product & Sun LDAP 5.2 product on my solaris machine? Any suggestions/comments are greatly appreciated.

Thanks a lot,
-Chris

Monday, October 16, 2006 at 9:57 pm

slowe

slowe’s avatar

Chris,

All comments are moderated, which is why you didn’t see it right away. Anyway, the question you’re asking and the question that was answered on the Google Groups link you posted are two different questions. From a client perspective, can Sun authenticate to Active Directory? Yes, of course it can–I’m doing it right now. Follow the instructions provided here and you should be good to go.

From a server perspective, no–Sun’s LDAP server won’t authenticate against Active Directory, won’t replicate with Active Directory, won’t do just about anything with Active Directory. But that’s irrelevant for you, because you’re interested in the Sun LDAP client side of things, and that works just fine.

Thursday, October 19, 2006 at 7:17 pm

chris

chris’s avatar

Hi Scott,

I encounter an abort when running a ktpass command on my window machine and wonder what am I missing here. Here is my command:

ktpass -princ host/winHost.sample.com@SAMPLE.COM -mapuser SAMPLE\aduser -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out c:\sol.keytab

Targeting domain controller: winHost.sample.com using legacy password setting method successfully mapped host/winHost.sample.com to aduser.
Aborted

Any ideas? Also, I have a few hundreds existing AD users on my window server, is there a way to solve the problem? I can’t run ktpass a few hundred times & have hundreds of different sol.keytab files.

Thank you very much for your efforts,
-Chris

Thursday, October 19, 2006 at 8:14 pm

slowe

slowe’s avatar

Chris,

You only need to run ktpass.exe once, and that’s to generate a keytab for an account that represents the Solaris server itself in Active Directory. You don’t need to create keytabs for every user–just for the user account that was created specifically to represent the Solaris server itself. You could use a computer account instead of a user account, but there are complications when you do that.

As for the abort error, I’m not really sure why that would be happening. Make sure you are using the correct version of ktpass.exe–it needs to be the one that corresponds to the version and service pack level of your copy of Windows. You might check the Microsoft Knowledge Base to see if there’s anything there. I haven’t run into any problems with ktpass.exe in all the Linux, Solaris, and BSD integration testing I’ve been performing.

Scott

Tuesday, October 24, 2006 at 7:40 pm

Shawn

Shawn’s avatar

I’ve been trying to use various examples online to authenticate AD users through Solaris 10 through pam.conf. I setup both the environments exactly as recommended in your article but am still unsuccessfull. For eg - when I do a test ‘getent passwd shawn’ get back nothing. When I do ‘kinit shawn’ it prompts me for a password. I rebooted the server, restarted the svcadm service for ldap and dns. I can do a nslookup/host just fine no problem. Don’t know what more to try?? Any ideas?

Tuesday, October 24, 2006 at 9:23 pm

slowe

slowe’s avatar

Shawn,

Getting prompted for a password when running a kinit is expected; enter your AD password here and then do a klist to see if you got a TGT from AD. If so, you know that the Kerberos side of things is working as expected.

As for the problems with getent passwd username, be sure that you left the “ldap” entry in /etc/nsswitch.conf for passwd and group. You can remove it everywhere else. Also be sure that the DN of the LDAP proxy user is correct (this is specified on the proxyDN line in the LDAP configuration) and that the password is correct as well. Go back and review your security logs on the AD domain controllers to see if the LDAP proxy account is working as expected.

Hope this helps!

Wednesday, October 25, 2006 at 4:19 pm

chris

chris’s avatar

Hi Scott,

Thank a lot for your helps & suggestions. I ‘ve gone through the setup on both window & solaris server; however, when I run getent passwd , I also get nothing. I already verify that ldap & dns entry in /etc/nsswitch.conf file as you suggested in the procedure. I also get an error msg when running kinit command & here is the error msg:

# kinit chris1
Password for Chris1@SAMPLE.NET:
kinit (v5): clock skew too great while getting initial credential

Please note that chris1 is an AD user. Also, I’m not sure whether my ldapclient syntax is correct, but when I run it, it’s successful. Here is my ldapclient syntax:

ldapclient manual \
-a credentialLevel=anonymous \
-a authenticationMethod=none \
-a defaultSearchBase=dc=example,dc=net \
-a domainName=example.com \
-a “defaultServerList=192.168.1.2” \

****** I only change the above value, the rest I keep it the same *****

-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \

****** except these 2 lines below *****

-a serviceSearchDescriptor=passwd:dc=example,dc=net?sub \
-a serviceSearchDescriptor=group:dc=example,dc=net?sub

Questions:
1) Is my ldapclient sytax correct? If it’s not, which field & value do I have to change? How & where do I find out on the window?

2) Is there a way to fix the error in kinit command?

Thank you very much for your helps,
-Chris

Wednesday, October 25, 2006 at 4:36 pm

slowe

slowe’s avatar

Chris,

The kinit error is due to a time synchronization error between the AD infrastructure and the Solaris 10 server. Kerberos requires that the clocks on all servers involved be within 5 minutes of each other. Change the date/time on the Solaris server to match the date/time on the AD servers, then configure time synchronization (NTP) on Solaris so that they stay in sync with each other. That will fix your kinit error.

The ldapclient syntax looks right, except for the authentication method. I have never made this work with anonymous authentication. Change that to simple and supply a password. Solaris is nice in that the password will be encrypted in the configuration file, so it’s not as big of a security problem as it is with Linux (which leaves the password in the clear in the configuration file).

Wednesday, October 25, 2006 at 5:57 pm

chris

chris’s avatar

Hi Scott,

I’m getting close to the destination, except a few more “inches” to go :) Could you pls help me? Of course, you will :)

I have sync ‘ed up my time on both of the machine & kinit works as expected. However, when I run:

# klist
Valid starting Expires Service principal
25/10/2006 14:04 26/10/2006 00:04 krbtgt/SAMPLE.NET@SAMPLE.NET
renew until 01/11/2006 13:04

Mind to explain to me what it means?

HOWEVER, when I change my ldapclient syntax to:

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=sample,dc=net \
-a proxyPassword=Welcome2CYZ \
-a defaultSearchBase=dc=sample,dc=net \
-a domainName=sample.net \
-a “defaultServerList=192.168.1.2” \

I only change the above value, the rest I keep it the same. The command returns that the configuration completed successfully. However, when I run:

# getent passwd chris1
(return nothing)

# kinit chris1
kinit (v5): cannot resolve network address for KDC in requested realm while gettting initial credential

I try to re-run the old ldapclient syntax & kinit command still gives the same errors :(

Could you please tell me what my ldapclient command should be? It looks like I’m stepping backward now :( Any helps are greatly appreciated.

TIA,
-Chris

Thursday, October 26, 2006 at 12:18 pm

chris

chris’s avatar

Scott,

I already sync ‘ed up the time on both of the servers & kinit command works fine now. However, I’ve played around w/ the ldapclient syntax as you suggested, and I’m still not able to make it work. Would you please tell show me the actuall ldapclient syntax?

Here is my ldapclient syntax:

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=sample,dc=net \
-a proxyPassword=Welcome2CYZ \
-a defaultSearchBase=dc=sample,dc=net \
-a domainName=sample.net\
-a “defaultServerList=192.168.1.2” \

The rest is exactly to your example. When I run getent passwd , it still returns nothing. Please keep in mind that my domain controller is setup very standard & has no proxy setting because I know nothing about proxy setting :( Any helps are really appreciated.

Thanks a lot,
-Chris

Thursday, October 26, 2006 at 4:39 pm

slowe

slowe’s avatar

Chris,

The “proxy” term here is being used merely to indicate that Solaris is connecting to Active Directory on the behalf of something else to retrieve account information. Generally speaking, if the LDAP service is running (check “svcs -a | grep ldap”), then your configuration should work. I would double-check the DN of the proxy user; sometimes that syntax can get a bit tricky. I would probably verify the password as well, just in case I fat-fingered something. You’ve mentioned that you already double-checked /etc/nsswitch.conf, so it shouldn’t be a problem there either. What do the logs in /var/adm say? Anything useful?

As for the kinit output, that simply indicates that you have been granted a Kerberos Ticket Granting Ticket (TGT) from the KDC (the AD domain controller); this is the expected output.

Keep working on it–we’ll get it figured out!

Thursday, October 26, 2006 at 8:21 pm

chris

chris’s avatar

Hi Scott,

I have checked a couple of things as you suggested & here is the info:

# svcs -a |grep ldap
online svc:/network/ldap/client:default
# svcs -a |grep dns/client
online svc:/network/dns/client:default
# getent passwd chris
(return nothing. Chris is an AD user)
# kinit chris1
Password for Chris1@SAMPLE.NET:
# more /var/adm/messages
……
sun-admin3 svc.startd[7]: svc:/network/security/kadmin: default: Method “/lib/svc/method/svc-kdc.master” failed with exit status 1
sun-admin3 svc:startd[34]: svc:/network/security/krb5kdc: default: Method “/lib/svc/method/svc-kdc.master” failed with exit status 1
sun-admin3 nscd [92] libsldap: status: 49 mesg: OpenConnection: simple bind failed - invalid credentials.

So, it looks like my method when running ldapclient is incorrect or something else. Could you please tell me how to check DN of proxy user & its password? Which file should I look into it and how to set up a DN of proxy user & passwd? I think this is a part that I’m missing, correct?

Thanks a lot,
-Chris

Thursday, October 26, 2006 at 9:43 pm

slowe

slowe’s avatar

Chris,

Your problem is most definitely with the LDAP configuration, either in the DN of the proxy user. The DN of the proxy user will be made up of the following components:

CN=object name,CN=Users (or OU=Custom OU Name),DC=domain,DC=com

If there are spaces anywhere along the way, you’ll have to encapsulate the whole thing in double quotes.

If you have ADSI Edit installed on the Windows server(s), you can use it to determine the DN of the user object you’re using.

Once you get the DN and/or password right, then that last line in the logs (where it says “simple bind failed - invalid credentials” will go away–that’s the reason the getent command isn’t working.

Scott

Friday, October 27, 2006 at 4:30 pm

chris

chris’s avatar

Hi Scott,

I just checked with my window network folks & they confirm that they don’t have any proxy settings on DC. So I think credentialLevel=none or anonymous should be the right direction that I should be heading to. I know you mentioned that you have never made this work with anonymous authentication, but have you tried this configuration lately? Or you have any thoughts on the configuration setting that I should be looking at? Really appreciated your helps.

TIA,
-Chris

Friday, October 27, 2006 at 10:44 pm

slowe

slowe’s avatar

Chris,

Once again, proxy settings on your network and/or proxy settings on your domain controllers are distinct and separate from what we are talking about here. Don’t get the two confused.

I have not tested with anonymous authentication. Based on the information you’ve provided, I would strongly imagine that your problem is an issue with the DN and/or password of the user that is binding to LDAP for name service lookups. Use ADSI Edit, LDP, or a similar tool to determine the correct DN for the designated user and try it again.

Tuesday, November 7, 2006 at 6:29 pm

chris

chris’s avatar

Hi Scott,

Somehow I get my getent passwd command to work as expected but my kinit command is fails. I already look at the krb5.conf & pam.conf serveral times & I still have no ideas what it is wrong w/ it. Could you please help me out?

# getent passwd
test01:x:65535:101::/export/home/test01:/sbin/sh

# kinit
Kinit (v5): can not contact any KDC for requested realm while getting
initial credentials.

# tail -f /var/adm/messages

dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root (can not
retrieve user credentials).

Here is my /etc/krb5/krb5.conf file:

[libdefaults]
default_realm = SAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
default_tkt_enctypes = des-cbc-md5 des-cbc-crc
default_tgs_enctypes = des-cbc-md5 des-cbc-crc

[realms]
SAMPLE.COM = {
kdc = dc1.sample.com
admin_server = dc1.sample.com
kpasswd_protocol = SET_CHANGE
default_domain = whatever.com
}

[domain_realm]
.sample.com = SAMPLE.COM
sample.com = SAMPLE.COM

[logging]
default = FILE:/var/adm/krb5kdc.log
kdc = FILE:/var/adm/krb5kdc.log
kdc_rotate = {
period = 1d
version = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}

Here is my /etc/pam.conf:

# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

Any helps are appreciated.
TIA,
-Chris

Friday, November 10, 2006 at 10:55 pm

Eddie

Eddie’s avatar

I’ve thrown together some instructions on doing the whole GSSAPI thing. Thought you might be interested.

http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

Saturday, November 11, 2006 at 10:57 pm

slowe

slowe’s avatar

Chris,

Is DNS resolution enabled and cofigured on the Solaris server?

Eddie,

Good instructions. Thanks for letting us know!

Wednesday, November 15, 2006 at 8:01 pm

chris

chris’s avatar

Hi Scott,

I finally figured it out & got it to work as expected. Basically, what I’d been missing was to add a userid to memberUid attribute in a usergroup. Once I did it, the problem was solved. I sincerely thank you for your efforts to help me out.

Thank you Eddie for the tips & url. It’ll be a great resource for me to look once I’ll start expanding my testing in ssh env. Actually ssh setting is what I ‘ll need to test on because it reflects to what my current prod env :)

Thanks a lot guys,
-Chris

Thursday, November 16, 2006 at 6:15 pm

Paul

Paul’s avatar

Hello
I have problem wiht ldap.
getent passwd Paul
(return nothing)
I read all respones on this web, my configuration is ok. In event viewer on Win2k3 I see that proxyuser logging success.
Tell me, should “ldaplist” working ok ?
ldaplist
ldaplist passwd
return: Object not found (ldap error 12): Unavaible critical extension.

Thursday, November 16, 2006 at 11:27 pm

slowe

slowe’s avatar

Paul,

What do the logs on the Solaris box say?

Friday, November 17, 2006 at 9:32 am

Paul

Paul’s avatar

Probably I have problem with my Win 2k3 r2. I will install other ( I have install on it SFU ). Logs in /var/adm/messages say nothing about ldap.

Friday, November 17, 2006 at 4:11 pm

slowe

slowe’s avatar

Paul,

Keep in mind that the object mapping rules for SFU are *very* different than the rules for Win2K3 R2, which implements a partial RFC 2307 schema. So, you may have some mapping rules incorrect if you are basing the configuration off SFU. Refer to my articles on Linux-AD with Win2K3 R2 integration for more details on the object mapping.

Monday, November 20, 2006 at 7:03 am

Paul

Paul’s avatar

Hello
My AD schema was bad. Now, It’s working.
Thank you for help.
Is it possible to integrate AD and NIS ?

Monday, November 20, 2006 at 10:49 am

slowe

slowe’s avatar

Paul,

I personally haven’t done any work with integrating NIS and Active Directory, but I’m confident that I can be done. I spent some time (just briefly) working with it in an attempt to get automounting home directories working in a Solaris-AD integration scenario, but was unsuccessful. From what perspective, in particular, are you interested in integrating NIS and AD?

Wednesday, November 22, 2006 at 3:36 am

Paul

Paul’s avatar

I would like to create trust between AD and NIS+. I want to synchronize users in this relationship. What do you think about it ? Maybe you know some links .

Wednesday, November 29, 2006 at 5:51 pm

Randy Reames

Randy Reames’s avatar

Scott,

I’ve been working on the UNIX/AD Authentication problem for quite a while and have finally worked out the basics of getting our three major platforms (Suse LInux, AIX 5.3, and Solaris 10) to authenticate via Kerberos from our AD domain and acquire the user info (UID,GID,home) from a separate Suse OpenLDAP server. This sorta killed two birds with one stone since we want to retire our NIS servers. We had parallel user accounts on AD and NIS so I was able to migrate the NIS domain to LDAP using the padl tools. The main restriction for us is ‘no schema mods’ on the AD domain. So far in preliminary testing all three platforms work and all the permissions are correct. Thanks much for the good info you posted on getting Solaris 10 to play. It was very helpful. The only gotcha I found for getting Solaris to work at all was that I found it neccessary to create an entry in /etc/shadow for each user - username:K*::::: - The K* indicating the Kerberos authentication should be used.
Now I’ve got to fill in all the rest of the blanks - user maintenance, encrypting communications, etc.

Randy R.

Wednesday, November 29, 2006 at 8:48 pm

slowe

slowe’s avatar

Randy,

Sounds like you’ve been hard at work! Although my Solaris instructions weren’t designed around integrating into a non-Active Directory environment, I’m glad they proved helpful anyway.

Scott

Friday, December 1, 2006 at 9:23 am

Nikolay

Nikolay’s avatar

Hello Scott,
I try to configure on my SunFire T2000 Server (SPARC) by Solaris 10 authenticate and autorization of users in AD.
After configuration I run test and have seen next:
kinit ldap@DOMAIN.NET - works fine (It’s proxy user)
kinit -k - works fine too.
But
getent passwd ldap.user - don’t works (return nothing)

I read “man pam_ldap” and see:
“account management component of pam_ldap will work only with the Sun Java System Directory Server”
It means, that I cannot configure my system for authorization in AD with use native pam_ldap?

Friday, December 1, 2006 at 9:34 am

Nikolay

Nikolay’s avatar

Oh, I have overlooked to tell. At attempt to go on ssh on the server to me gives out the following:
Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] input_userauth_request: illegal user test
Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 1319 ssh2
Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 293258 auth.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can’t connect to the LDAP server
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 293258 auth.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed - Can’t connect to the LDAP server
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 219349 auth.debug] pam_unix_auth: user test not found
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 1319 ssh2
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

Friday, December 1, 2006 at 9:50 am

slowe

slowe’s avatar

Nikolay,

You can definitely configure Solaris 10 to authenticate against Active Directory.

It looks like your problem lies somewhere in your LDAP configuration. I see errors in logs above indicating problems connecting to the LDAP server. Be sure to review your LDAP configuration–the errors above seem to point to a problem with the authentication of the proxy user against Active Directory.

Hope this helps,
Scott

Friday, December 1, 2006 at 10:47 am

Nikolay

Nikolay’s avatar

I have reinitialize my ldap client settings:
bash-3.00# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=ldap,cn=Users,dc=domain,dc=net
NS_LDAP_BINDPASSWD= {NS1}5e10c25544515e26
NS_LDAP_SERVERS= 172.20.0.151
NS_LDAP_SEARCH_BASEDN= dc=domain,dc=net
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=domain,dc=net?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:dc=domain,dc=net?sub
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
After this I try login on Solaris by ssh - AD user couldn’t login. And I see in logs:
Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] input_userauth_request: illegal user test
Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 1903 ssh2
Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 219349 auth.debug] pam_unix_auth: user test not found
Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 1903 ssh2
Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

Errors indicating on pam_ldap are not present
getent passwd ldap.user - return nothing

Have yuo any ideas?
P.S. Big thanks for answers!
P.P.S.
ldapsearch -h 172.20.0.151 -b “dc=domain,dc=net” -D “cn=ldap,cm=Users,dc=domain,dc=net” -w passwd sAMAccountName=ldap.test - works

Friday, December 1, 2006 at 1:35 pm

slowe

slowe’s avatar

Nikolay,

In that set of log messages, the error is coming from pam_krb5, not pam_ldap; refer to the sixth log line where pam_krb5 reports “No account present for user”.

Have you reconfigured nsswitch.conf yet to use LDAP for passwd and group entries?

Sunday, December 3, 2006 at 2:15 am

Nikolay

Nikolay’s avatar

Yes, when I try login on server by ssh, I can see in logs messages from pam_krb5, but not rom pam_ldap. I have looked network traffic between domain controller and Solaris server and I have not seen references to DC on port 389.
My nsswitch.conf:

passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: ldap [NOTFOUND=return] files
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap

P.S. Scott, if it is interesting, I can send configuration nss_ldap module of mine Linux (RHEL AS 4) server, which it is connected to DC through the gssapi auth mech.

Sunday, December 3, 2006 at 4:54 am

Nikolay

Nikolay’s avatar

I am stupid. Firewall blocked requests on 389 port between Solaris and DC. I have resolved all traffic.
After that I try to login on Solaris by ssh. I have looked in Security Events journal on DC and have seen there:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 03.12.2006
Time: 11:35:35
User: DOMAIN\ldap
Computer: SRV-R2
Description:
Successful Network Logon:
User Name: ldap
Domain: DOMAIN
Logon ID: (0×0,0xDE2497)
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SRV-R2
Logon GUID: -
Caller User Name: SRV-R2$
Caller Domain: DOMAIN
Caller Logon ID: (0×0,0×3E7)
Caller Process ID: 572
Transited Services: -
Source Network Address: 172.20.1.49
Source Port: 51670

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

But I can not login on Solaris over ssh. In logs I see:

Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] input_userauth_request: illegal user test
Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 3566 ssh2
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 219349 auth.debug] pam_unix_auth: user test not found
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 3566 ssh2
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

Command kinit test@DOMIAN.NET - works fine.

In what a problem?

Sunday, December 3, 2006 at 10:51 pm

slowe

slowe’s avatar

Nikolay,

Send me an e-mail (scott dot lowe at scottlowe dot org) with your /etc/krb5/krb5.conf and the output of “ldapclient list” and let me see what I can figure out.

Scott

Thursday, December 7, 2006 at 7:07 am

Nikolay

Nikolay’s avatar

Scott,
I have sent you a message, are there any ideas?

Thursday, December 7, 2006 at 9:47 am

slowe

slowe’s avatar

Nikolay,

I sent you an e-mail response–did you not get it? Both LDAP and Kerberos appear to be working, yet something still isn’t right. I need to see your pam.conf file as well.

Scott

Thursday, December 7, 2006 at 12:44 pm

Nikolay

Nikolay’s avatar

Unfortunately I did not receive your answer :(
I sent my pam.conf.

Thursday, December 7, 2006 at 2:51 pm

slowe

slowe’s avatar

Nikolay,

The only difference I can see between the Solaris 10 system I have working right now and what you have sent me is that I don’t have a pam_ldap entry for the session stack–I have only the pam_unix_session entry. In addition, my account section is like the variant you listed at the bottom of your message.

Try removing the session line and see if that helps.

Scott

Friday, December 15, 2006 at 3:42 am

Nikolay

Nikolay’s avatar

Hello Scott,
After long attempts of the decision of a problem I have tried the decision Randy Reames - “to create an entry in /etc/shadow for each user - username:K*::::: - The K* indicating the Kerberos authentication should be used”. After this I could to login on server as AD user. But it seems to me, that it can be achieved through necessary attributes mapping (such as shadow:userpassword=?). Only in AD there is no attribute which would correspond to attribute userpassword :(

Monday, January 15, 2007 at 9:27 am

istvan

istvan’s avatar

Hi Scott,

thanks for this issue, it was very helpful. Unfortunately i have a problem with this configuration. kinit and getent works well but the X Desktop login rejects the AD users. What should be the problem?

Thanks for helping

Istvan

Monday, January 15, 2007 at 9:57 am

slowe

slowe’s avatar

Istvan,

The X Desktop login must be using a different PAM configuration. Check your log files and see if they provide any other information. Can you log in successfully via SSH?

Scott

Tuesday, January 16, 2007 at 7:25 pm

KR

KR’s avatar

anyone get pam_mkhomdir working on solaris 10. After about a week of pulling my hair out to get TLS working, I’m now stuck on auto home dir creation. Why have central user authentication if you still have to log in to each box to create the home directory. heh Anyone have insite to this?

Tuesday, January 16, 2007 at 8:24 pm

slowe

slowe’s avatar

KR,

Use the automounter and mount home directories as NFS mounts. See http://blog.scottlowe.org/2006/11/21/greater-ad-integration-via-nfs-and-automounts/ for more information.

Otherwise, I have no information on getting pam_mkhomedir.so working on Solaris. The automounter solution worked so well for me I haven’t even tried anything else.

Scott

Wednesday, January 17, 2007 at 12:53 pm

KR

KR’s avatar

Anyone know how to cache user login’s incase the ldap server goes down for a short period of time so “known” users are still able to log in?

Wednesday, January 17, 2007 at 1:40 pm

Greg

Greg’s avatar

I’ve followed the instructions and everything seems to be working fine until I attempt to create a new account. I create the account in active directory and set the UNIX account settings, but the account is not recognized on the Solaris machine. Is there another step that needs to be accomplished after the account is created in AD for the Solaris machine to be able to recognize it?

Wednesday, January 17, 2007 at 6:08 pm

slowe

slowe’s avatar

KR,

Take a look at the name service caching daemon (NSCD); it should be able to do what you are asking.

Greg,

I’m guessing that “kinit” and “getent” (sorry if that’s not the right Solaris command, my operating systems are running together right at the moment) are working correctly and will obtain a ticket and retrieve account information, respectively?

Scott

Wednesday, January 24, 2007 at 12:45 pm

Greg

Greg’s avatar

Thanks for the help but the problem was a typo not a configuration error. I ran a snoop on the line and noticed I was getting “object not found” errors when attempting to logon. After some research I realized that the AD OU my UNIX accounts are in is UNIX-OU, but the “serviceSearchDescriptor” listed “unix”. After I changed it everything started working.

Thanks again.

Wednesday, February 7, 2007 at 11:24 am

Andy

Andy’s avatar

Scott,

Howdy, it’s me again. After getting all this stuff working with with Linux, I found out I need to do this with Solaris. Great….

So, I’ve got the basics working. I can get authenticated to AD over port 389. I have a few things I’m stuck on.

1. There has been some discussion on a Solaris pam_mkhomdir module. A google search on “solaris pam_mkhomedir” pulls up a web site with a complied pam module for Solaris 8 (http://www.keutel.de/pam_mkhomedir/index.html - supposedly it should work under 10). I can’t seem to get that to work. Anyone try this?
2. Instead of using mkhomedir, you suggest using the automounter. Correct me if I’m wrong but this will work great IF you have home directories setup for the AD users on a windows file server somewhere. Correct? Otherwise, this wouldn’t be of much help.
3. Authentication and TLS. You wrote that you hadn’t done any of this but you might try. Did you? I have followed the steps in the MS documentation (http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/08wsdsu.mspx) and I can do kinit and klist successfully. However when I try to ssh I get a permission denied and when I try to do an id , it just hangs. There is nothing in the /var/adm/messages file. On the Windows side, I do a netstat -n and I see traffic over port 636 to the Solaris machine. The event viewer has lots of successful events in it. I’ve got the uid indexed in AD. Anyone have any ideas or any other places I could look?

Tanks.

Andy

Wednesday, February 7, 2007 at 10:48 pm

slowe

slowe’s avatar

Andy,

Good to hear from you again!

1. I haven’t tried any variations of pam_mkhomedir.so, so I can’t offer any additional information. Perhaps another reader can offer helpful information.

2. No, you don’t need home directories setup for the AD users on a Windows file server. You just need an NFS server (any NFS server will do, I just happened to use a Windows-based NFS server until I can get NetApp NFS working).

3. Still no time to test LDAP with TLS. Sorry!

Hopefully other readers can share more information. It’s unlikely I’m going to be able to start testing any more of this kind of stuff for the next month or so, unfortunately.

Scott

Friday, February 9, 2007 at 3:08 pm

Andy

Andy’s avatar

Scott,

In regards to #1 and #3, okay. In regards to #2, I don’t think I’m going to have an NFS server in my environment. Plus, I’m going to be running Sol 9 so maybe I can get the pam module working.

I’ve got a big picture question for you (and anyone else). All the testing I’ve done has been where the Linux/Solaris boxes all point to a DC in single domain. What happens when a trust comes into play. For instance, you have a network segment with a domain (DOM1) and a second network segment with a 2nd domain (DOM2). A firewall sits between them, restricting communication through it to just the DCs. These domains are in separate forests and you create an external trust between the two. From DOM1, the trust is Outgoing and from DOM2, the trust is Incoming. So, the users in DOM2 can log into boxes in the DOM1 domain. The Linux/Solaris boxes sit on the network segment with DOM1. I want to configure the Linux boxes to use DOM2 accounts.

Can this be done? On the Linux/Solaris boxes, I guess I would point the configuration to the DOM1 DC, right? I haven’t really noodled through this yet.

Curious to hear everyone’s thoughts.

Andy

Wednesday, February 14, 2007 at 6:12 pm

Adam

Adam’s avatar

Excellent blog, especially surrounding the area of AD integration.

I’ve followed the instructions; getent and kinit work as expected. However, I am unable to handle logins with SSH or X for that matter. All I see in the /var/adm/messages is:

PAM_KRB5 (auth): error reading service ticket (authentication failed): Key table entry not found

This would lead me to believe there is a problem with /etc/krb5/krb5.keytab

Can anyone point me in the right direction? I should mention this is on Sol 9, I figured I’m close but I’m at a loss.

Thanks

Wednesday, February 14, 2007 at 10:02 pm

slowe

slowe’s avatar

Adam,

Try displaying the contents of your /etc/krb5/krb5.keytab with the “klist -k” command (I think that’s the right switch; it might be “klist -t”). Then make sure that you have an appropriate keytab entry. You might also make sure that you generated a keytab in AD (using ktpass.exe) and that you’ve edited the /etc/hosts file to list the server’s FQDN first. Making sure that both forward and reverse DNS works as expected may also be a good idea.

Hope this helps,
Scott

Tuesday, February 20, 2007 at 12:59 pm

Reinhard

Reinhard’s avatar

Hi Scott,
thx for your article, it helps me setting up my solaris 10 boxes. But I have a problem.
We discovered, that from time to time it happens that I cannot login into my solaris boxes and the suddenly (~30 minutes later) it works again. A snoop trace figured out, that in case of this problem a TGT-REQ is sent to a server which doesn’t exists. In our case it uses the server test or server COM while it should be test.com.
Have you ever had such a problem?

Thank you
Reinhard

Tuesday, February 20, 2007 at 10:18 pm

slowe

slowe’s avatar

Reinhard,

The only thing I can think of would be an errant entry somewhere in the Kerberos configuration that is referencing the bogus realm TEST.COM; this, in turn, causes attempted connections to TEST and COM (and other variations). I have not noticed this behavior myself, so this is merely conjecture on my part.

Scott

Thursday, February 22, 2007 at 1:07 pm

Reinhard

Reinhard’s avatar

Hi Scott,
sorry for answering so late.
It might be that my english isn’t good enough but I can’t understand you reply.
If you say “bogus realm TEST.COM” it means that this domain doesn’t exists, or?
But it does. The domain is called TEST.COM and most the time it is working - should mean I can login into my solaris box with a domain account reinhard@TEST.COM - but then suddenly it stops working for a couple of minutes and start working again without any interaction from my side.

Excuse me if my english is good enough to explain my problem - but I hope I was a little bit clearer now.

Attached my krb5.conf file

[libdefaults]
default_realm = TEST.COM
# verify_ap_req_nofail = false
dns_lookup_kdc = true
[realms]
TEST.COM = {
kdc = dc1.TEST.COM
kdc = dc2.TEST.COM
admin_server = dc1.TEST.COM
}

[domain_realm]
.TEST.COM = TEST.COM
TEST.COM = TEST.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, …)

versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}

Thank you
Reinhard

Thursday, February 22, 2007 at 4:47 pm

slowe

slowe’s avatar

Reinhard,

Ah, now I understand–thanks for the clarification. I’m not sure what might be causing the problem, but you can try removing the “dns_lookup_kdc = true” option since you have specified DCs in the [realms] section. Are you noticing any DNS problems? It almost sounds like attempts to lookup a DC in test.com is failing, so the server is resorting to external lookups to find the server.

Scott

Friday, February 23, 2007 at 5:42 am

Reinhard

Reinhard’s avatar

Scott,
thank you - I will give it a try.

Reinhard

Friday, April 13, 2007 at 5:30 pm

Kory

Kory’s avatar

First off, I must commend you on actually helping people here. Plenty of people put things in a blog, then end up basically get offended for having any further questions. Glad to see you’re actually interested in resolving others’ issues.

I have gone through everything here (including the comments/responses) and cannot figure this out. kinit username and kinit -k -t work fine, but getent passwd username doesn’t return anything. I can’t find anything obvious in the logs. Is there any “common” cause of this?

Sunday, April 15, 2007 at 2:41 pm

slowe

slowe’s avatar

Kory,

The authentication (kinit) is separate from the user information stuff (getent). So, it’s very possible that kinit works but getent doesn’t. Double-check your LDAP configuration and make sure you’ve edited the /etc/nsswitch.conf file to include “LDAP” for passwd, shadow, and group.

Glad to be of some help!

Monday, April 16, 2007 at 12:05 pm

Kory

Kory’s avatar

I did not have a “shadow” entry in nsswitch.conf. I added it, but still no go. Just to be sure I understand this correctly, the Solaris computer user account created in AD is only used for Kerberos authentication, and not in the ldap config correct? And the proxy user account is what is supposed to go into this line:

-a proxyDN=cn=proxyuseracct,cn=Users,dc=exam,dc=ple,dc=com \

Is that correct?

As shown above, Our domain name is two-part, which accounts for the break in “example”. So instead of example.com, We have something more like exam.ple.com. Are there any special considerations with that?

Thank you.

Monday, April 16, 2007 at 9:15 pm

slowe

slowe’s avatar

Kory,

No special considerations with multi-part domain names; just use the usual syntax (i.e., “DC=exam,DC=ple,DC=com”, just as you’ve specified). You are correct about the Solaris computer user account; it’s used only for Kerberos authentication, and the proxy user account is what is specified for the proxyDN value. Be sure that your name for the proxyDN account is correct. If you’ve got access to another system and can perform some LDAP queries (I use an application on Mac OS X called Ldapper for this), you can verify that your proxyDN is correct. Also, verify that the name service caching daemon (nscd) isn’t running. I believe it is not running by default.

Hope this helps!

Tuesday, April 17, 2007 at 11:39 am

Kory

Kory’s avatar

Ha! I think I found my problem. You wrote that line at the top talking about changing the mapping for SFU. Apparently up until this point, I have chosen to ignore that bit of useful info. Going to try to figure that out now . . . I don’t suppose that there is anyone following this that has the correct mapping for SFU down?

Thanks for your help.

Tuesday, April 17, 2007 at 10:05 pm

slowe

slowe’s avatar

Kory,

Check this article:

http://blog.scottlowe.org/2005/12/22/complete-linux-ad-authentication-details/

It’s Linux-focused, but you should be able to derive the SfU mappings from that article and apply them to Solaris.

Hope this helps!

Wednesday, April 18, 2007 at 10:44 am

Kory

Kory’s avatar

OK, here’s what I have so far:

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyUsr,cn=Users,dc=eaxm,dc=ple,dc=com \
-a proxyPassword=proxyUsrPasswd \
-a defaultSearchBase=dc=exam,dc=ple,dc=com \
-a domainName=exam.ple.com \
-a “defaultServerList=192.168.1.1” \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=sAMAccountName \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=name \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=exam,dc=ple,dc=com?sub \
-a serviceSearchDescriptor=group:dc=exam,dc=ple,dc=com?sub

I am using an LDAP browser and see no “shadowflag” attribute on the Windows side. Also, there is this line in the Linux setup:

nss_map_attribute uniqueMember msSFU30PosixMember

Is this attribute supposed to be mapped in the Solaris setup?

Once again, thank you.

Wednesday, April 18, 2007 at 3:02 pm

slowe

slowe’s avatar

Kory,

I think you can omit the shadowFlag entry. I would include the attribute map for uniqueMember. Let me know how it turns out!

Thursday, April 19, 2007 at 8:01 am

Per Westerlund

Per Westerlund’s avatar

This is a followup/tip for an earlier version of this discussion. At one time there was a problem where you could look up a user or group using ‘getent passwd/group ‘ but the listsing version, ‘getent passwd/group’, didn’t work. I found the problem(s) and fixed one of them, the other is perhpas still present, more details below.

I feel I have to contribute somewhat, since I have had som much help by this site while integreating Solaris 10 with AD using LDAP and Kerberos!

1 - Unavailable Critical Extension

One reason ‘getent group’ fails is that the LDAP client tries to use VLV because the AD (2003 or 2003R2) announces that it supports VLV, although it doesn’t work! The fix is to apply the fix in KB 886683. First you must apply the hotfix (already applied in R2) and then follow the procedure at the end. What the fix really does is that it disables announcing the support for VLV, since it is broken!

2 - Bug in Solaris LDAP client/support library

With