Refined Solaris 10-AD Integration Instructions

Monday, October 16, 2006 in Interoperability, UNIX by slowe | 115 comments

The original instructions are found here.  Note, however, that this post contains all the information from the original post plus a few added points found during the latest run through the steps.

Assumptions

This procedure assumes that you are using Windows Server 2003 R2; if you are using a previous version, the LDAP attribute mapping will need to be modified to match the schema extensions found in Microsoft’s Services for Unix (SfU) add-on product.  This will require changes to the “ldapclient manual” command shown below, which handles the schema/attribute mapping.

Preparing Active Directory (One-Time)

These steps only need to be performed once.  Note that if you have performed any of these steps as part of authenticating Linux or Solaris to Active Directory, they do not need to be performed again.  Simply make note of the information used earlier and re-use that information again this time.

  1. Install the “Server for NIS” component on at least one Active Directory domain controller (DC), so that the Active Directory schema can be extended to become partially RFC 2307-compliant.  Installing this component will also add a “UNIX Attributes” tab to objects inside the Active Directory Users and Computers MMC console.  You may also need to install the Server for NIS administrative tools on your workstation to see the “UNIX Attributes” tab.
  2. Use the Schema Management MMC snap-in to index the uid attribute, which is not indexed by default.  This will speed up the login process and reduce the overall load on your DCs.  (For more information, refer to the Linux-Windows Server 2003 R2 integration instructions.)  It may be possible to change the attribute that Solaris is looking for, but I haven’t found a way to do that yet.
  3. Create an account in Active Directory that will be used to bind to Active Directory for LDAP queries.  This account does not need any special privileges; in fact, making the account a member of Domain Guests and not a member of Domain Users is perfectly fine.  I recommend giving this account a simple, short name; this will make specifying the DN of the account later easier to do.
  4. Create a global security group in Active Directory Users & Computers and set the UNIX attributes for this group.

Once these one-time steps have been completed, we can proceed to configuring the individual users that will be authenticating to Active Directory from your Solaris server(s).

Preparing Active Directory (Each User)

Each Active Directory account that will authenticate via Solaris must be configured with a uid and other UNIX attributes.  This is accomplished via the new “UNIX Attributes” tab on the properties dialog box of a user account (this tab was made visible by the installation of the Server for NIS component).  The attributes that must be populated are:

  • NIS domain:  It’s required on this tab in order to populate the other fields, but we won’t be using it.
  • UID:  This is actually the UID number.  Each user must have a unique UID; I believe that the Server for NIS defaults at a starting UID of 10000, which is pretty safe for most systems.
  • GID:  In addition, each member must have a GID (group ID); simply specify the group that was created earlier.
  • Login Shell:  Specify a login shell (such as “usr/bin/csh” or “/sbin/sh”) for each user.
  • Home Directory:  Specify the home directory (such as “/export/home/slowe”) that will be used for this user.  Keep in mind that these values may apply across multiple systems and platforms, and the path must be valid on all systems and platforms.

Based on my experience so far, the values for Solaris will often be very different than what might be specified for Linux-based logins.  I haven’t yet figured out how to reconcile these differences in a multi-platform environment (suggestions are welcome).

After all the user accounts have been configured, then we are ready to perform the additional tasks within Active Directory and on the Solaris server(s) that will enable the authentication.

Preparing Active Directory (Each Solaris Server)

These steps need to be repeated for each Solaris server that will authenticating via Kerberos to Active Directory.

  1. Create a user account (not a computer account) for each Solaris server.  (Review this article for more information on the reasoning behind this approach.)  I highly suggest using a naming convention that supports a) the service principal(s) involved; and b) the name of the server.  Since Solaris will use the host service principal, a name like “host-solarissrvr” would be good.  The password doesn’t matter, but do be sure to check the “Password never expires” check box, and after the account is created specify a good description so that you’ll remember what this account is for in 6 months.
  2. For each account that was created, run the ktpass.exe command to generate a unique keytab for each account.  The command will look something like this (substitute the appropriate values where necessary): 
    ktpass -princ host/fqdn@REALM -mapuser DOMAIN\account
-crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL
-out filename

    Be sure to specify a unique output filename (so that you don’t overwrite files; each server/account will needs its own unique file).  I suggest using the server’s name as the filename, i.e., something like “solarissrvr.keytab”.

Now that each Solaris server has a matching account in Active Directory, and each account has had a keytab generated for it, we’re almost ready to move on to configuring the Solaris servers themselves.  First, though, we need to take care of some name resolution issues.

Configuring Reverse DNS

On the DNS server handling the reverse lookup zones for the subnet on which the Solaris server is located, add a PTR record for the Solaris server and it’s IP address.  This will ensure that reverse DNS lookups work as expected.  Make sure that each Solaris server that will be authenticating against Active Directory has a reverse lookup record in DNS.

Configuring Solaris (Each Server)

The following steps need to be performed on each Solaris server that will authenticate against Active Directory.

Configuring the hosts file

To enable reliable TGT validation (this ensures that the Kerberos ticket returned by a KDC actually came from the KDC and not a spoofed server), you’ll need to edit the hosts file.  On Solaris 10, this is found in /etc/inet/hosts and is read-only, even for root.  Edit this file (changing permissions as necessary) so that the line with the server’s IP address looks something like this:

10.1.1.1        hostname.example.com hostname loghost

What we’re doing here is making sure that the server’s fully qualified domain name (not just the short hostname) is the first name entry on the line for the server’s IP address.

There may or may not be other entries in the file; leave those entries untouched (unless you know you need to modify them).

Configuring Kerberos

Solaris keeps its Kerberos configuration in the /etc/krb5 directory as krb5.conf.  Edit this file using your editor of choice to look something like the one below.  Depending upon how you configured Solaris during the installation, some of this configuration may already be present.

[libdefaults]
        default_realm = EXAMPLE.COM
        dns_lookup_kdc = true

[realms]
        EXAMPLE.COM = {
        kdc = dc01.example.com
        kdc = dc02.example.com
        admin_server = dc01.example.com
        }

[domain_realm]
        .example.com = EXAMPLE.COM
        .subdomain.example.com = EXAMPLE.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
        period = 1d
        version = 10
        }

[appdefaults]
        kinit = {
        renewable = true
        forwardable= true
        }

You can’t simply copy and paste from here to the Solaris configuration file, as you’ll need to customize your version for your particular network, hostnames, domain names, etc.

Transfer the keytab generated earlier by the ktpass.exe utility (in our example, it was called “solarissrvr.keytab”) to the Solaris server in some secure fashion, like SFTP or SCP.  Place it in the /etc/krb5 directory as krb5.keytab, and make sure that only root has permissions to the file.

Configuring LDAP

We’ll use the native Solaris “ldapclient” utility to configure the LDAP support in Solaris.  The command you’ll type in looks something like this (please don’t copy and paste this, as it contains generic/incorrect information that won’t work!):

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=example,dc=com \
-a proxyPassword=Password1 \
-a defaultSearchBase=dc=example,dc=com \
-a domainName=example.com \
-a “defaultServerList=172.16.1.10” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=example,dc=com?sub \
-a serviceSearchDescriptor=group:dc=example,dc=com?sub

The easiest way to handle this would probably be to copy it into a blank text file, edit it to include the specific details for your network, and then paste it into a terminal session on the Solaris server.

After this command has been run, Solaris will create the LDAP configuration in /var/ldap and will update /etc/nsswitch.conf to use LDAP.  However, because we only want to use LDAP for specific purposes, we’ll need to go back and edit /etc/nsswitch.conf again.  Just remove “ldap” from all entries in /etc/nsswitch.conf except for passwd and group.

While you’re editing /etc/nsswitch.conf, be sure to add a “dns” entry at the end of the line for hosts:

hosts          files dns

This will help ensure that Solaris is properly configured to use DNS for host name resolution.

I think it’s necessary at this point to restart the LDAP client service:

svcadm restart svc:/network/ldap/client:default

Use the “svcs -a | grep ldap” command to verify the exact name of the LDAP client service on your Solaris server.

Configuring the DNS Client

You’ll also need to make sure that the DNS client is enabled and running.  Using “svcs -a | grep dns” will help you identify the correct service, which you can then enable with svcadm:

svcadm enable svc:/network/dns/client:default

Test DNS resolution using either the “host” or “nslookup” commands.

Configuring PAM

The /etc/pam.conf file controls the PAM (Pluggable Authentication Mechanism) configuration on Solaris.  You’ll need to edit the /etc/pam.conf file to look something like what’s shown below.  I’ve edited away all the non-essential sections, so only change the sections listed below.

# Default definition for Authentication management
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# Default definition for Account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1
#

With this configuration in place, Solaris will use Kerberos authentication and will retrieve account information via LDAP.

Reboot the Solaris Server

I know this sounds stupid, but even after restarting LDAP and enabling/starting/restarting the DNS client, things still didn’t work for me in the lab.  However, after rebooting the Solaris server, it worked like a champ.  So, just in case, reboot the Solaris server after completing the configuration.

Testing the Configuration

Once all of the configuration steps have been completed, you can test the configuration with the following commands:

  • You can use “getent passwd <Name of AD user>” from the Solaris server; this command should return UID number, GID number, UNIX home directory, and login shell.
  • You can use “kinit <Name of AD user>” to test Kerberos authentication.  A succesful Kerberos test will not return any feedback, and the “klist” command will show a ticket granting ticket (TGT) from the Active Directory DC/KDC.

If either of these tests are unsuccessful, review the log files on the Solaris server and resolve the problems before continuing.  Both of these tests will need to be successful in order for authentication to work correctly.

If the tests are successful, then you should now be able to authenticate on a Solaris server using your Active Directory username and password.  I tested this using SSH and the X Desktop login.

Tags: , , , , ,

  1. chris’s avatar

    chris on Monday, October 16, 2006 at 3:16 pm

    Hi Scott,

    I posted my question on your original doc, but somehow it’s not shown when I refresh it. Anyway….. I’m under the impression that ldapclient can’t authenticate AD users without Sun Java Identy Synchronization product. The info can be found at:

    http://groups.google.com/group/compnetldap/browse_thread/thread/5493e670d0d173c4/11072a68ea000a7a?lnk=arm&hl=en

    So, is this true or not? What I’m trying to accomplish is to allow my existing AD users (in a few hundreds) on win2003 R2 to be able to login to my solaris machine using their existing login & password. I see there is a default ldapclient binary on sol machine. So, is your procedure applicable to my scenario? Or do I need to install a Sun Identy Sync product & Sun LDAP 5.2 product on my solaris machine? Any suggestions/comments are greatly appreciated.

    Thanks a lot,
    -Chris

  2. slowe’s avatar

    slowe on Monday, October 16, 2006 at 9:57 pm

    Chris,

    All comments are moderated, which is why you didn’t see it right away. Anyway, the question you’re asking and the question that was answered on the Google Groups link you posted are two different questions. From a client perspective, can Sun authenticate to Active Directory? Yes, of course it can–I’m doing it right now. Follow the instructions provided here and you should be good to go.

    From a server perspective, no–Sun’s LDAP server won’t authenticate against Active Directory, won’t replicate with Active Directory, won’t do just about anything with Active Directory. But that’s irrelevant for you, because you’re interested in the Sun LDAP client side of things, and that works just fine.

  3. chris’s avatar

    chris on Thursday, October 19, 2006 at 7:17 pm

    Hi Scott,

    I encounter an abort when running a ktpass command on my window machine and wonder what am I missing here. Here is my command:

    ktpass -princ host/winHost.sample.com@SAMPLE.COM -mapuser SAMPLE\aduser -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out c:\sol.keytab

    Targeting domain controller: winHost.sample.com using legacy password setting method successfully mapped host/winHost.sample.com to aduser.
    Aborted

    Any ideas? Also, I have a few hundreds existing AD users on my window server, is there a way to solve the problem? I can’t run ktpass a few hundred times & have hundreds of different sol.keytab files.

    Thank you very much for your efforts,
    -Chris

  4. slowe’s avatar

    slowe on Thursday, October 19, 2006 at 8:14 pm

    Chris,

    You only need to run ktpass.exe once, and that’s to generate a keytab for an account that represents the Solaris server itself in Active Directory. You don’t need to create keytabs for every user–just for the user account that was created specifically to represent the Solaris server itself. You could use a computer account instead of a user account, but there are complications when you do that.

    As for the abort error, I’m not really sure why that would be happening. Make sure you are using the correct version of ktpass.exe–it needs to be the one that corresponds to the version and service pack level of your copy of Windows. You might check the Microsoft Knowledge Base to see if there’s anything there. I haven’t run into any problems with ktpass.exe in all the Linux, Solaris, and BSD integration testing I’ve been performing.

    Scott

  5. Shawn’s avatar

    Shawn on Tuesday, October 24, 2006 at 7:40 pm

    I’ve been trying to use various examples online to authenticate AD users through Solaris 10 through pam.conf. I setup both the environments exactly as recommended in your article but am still unsuccessfull. For eg – when I do a test ‘getent passwd shawn’ get back nothing. When I do ‘kinit shawn’ it prompts me for a password. I rebooted the server, restarted the svcadm service for ldap and dns. I can do a nslookup/host just fine no problem. Don’t know what more to try?? Any ideas?

  6. slowe’s avatar

    slowe on Tuesday, October 24, 2006 at 9:23 pm

    Shawn,

    Getting prompted for a password when running a kinit is expected; enter your AD password here and then do a klist to see if you got a TGT from AD. If so, you know that the Kerberos side of things is working as expected.

    As for the problems with getent passwd username, be sure that you left the “ldap” entry in /etc/nsswitch.conf for passwd and group. You can remove it everywhere else. Also be sure that the DN of the LDAP proxy user is correct (this is specified on the proxyDN line in the LDAP configuration) and that the password is correct as well. Go back and review your security logs on the AD domain controllers to see if the LDAP proxy account is working as expected.

    Hope this helps!

  7. chris’s avatar

    chris on Wednesday, October 25, 2006 at 4:19 pm

    Hi Scott,

    Thank a lot for your helps & suggestions. I ‘ve gone through the setup on both window & solaris server; however, when I run getent passwd , I also get nothing. I already verify that ldap & dns entry in /etc/nsswitch.conf file as you suggested in the procedure. I also get an error msg when running kinit command & here is the error msg:

    # kinit chris1
    Password for Chris1@SAMPLE.NET:
    kinit (v5): clock skew too great while getting initial credential

    Please note that chris1 is an AD user. Also, I’m not sure whether my ldapclient syntax is correct, but when I run it, it’s successful. Here is my ldapclient syntax:

    ldapclient manual \
    -a credentialLevel=anonymous \
    -a authenticationMethod=none \
    -a defaultSearchBase=dc=example,dc=net \
    -a domainName=example.com \
    -a “defaultServerList=192.168.1.2” \

    ****** I only change the above value, the rest I keep it the same *****

    -a attributeMap=group:userpassword=userPassword \
    -a attributeMap=group:memberuid=memberUid \
    -a attributeMap=group:gidnumber=gidNumber \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:gidnumber=gidNumber \
    -a attributeMap=passwd:uidnumber=uidNumber \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a attributeMap=passwd:loginshell=loginShell \
    -a attributeMap=shadow:shadowflag=shadowFlag \
    -a attributeMap=shadow:userpassword=userPassword \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \

    ****** except these 2 lines below *****

    -a serviceSearchDescriptor=passwd:dc=example,dc=net?sub \
    -a serviceSearchDescriptor=group:dc=example,dc=net?sub

    Questions:
    1) Is my ldapclient sytax correct? If it’s not, which field & value do I have to change? How & where do I find out on the window?

    2) Is there a way to fix the error in kinit command?

    Thank you very much for your helps,
    -Chris

  8. slowe’s avatar

    slowe on Wednesday, October 25, 2006 at 4:36 pm

    Chris,

    The kinit error is due to a time synchronization error between the AD infrastructure and the Solaris 10 server. Kerberos requires that the clocks on all servers involved be within 5 minutes of each other. Change the date/time on the Solaris server to match the date/time on the AD servers, then configure time synchronization (NTP) on Solaris so that they stay in sync with each other. That will fix your kinit error.

    The ldapclient syntax looks right, except for the authentication method. I have never made this work with anonymous authentication. Change that to simple and supply a password. Solaris is nice in that the password will be encrypted in the configuration file, so it’s not as big of a security problem as it is with Linux (which leaves the password in the clear in the configuration file).

  9. chris’s avatar

    chris on Wednesday, October 25, 2006 at 5:57 pm

    Hi Scott,

    I’m getting close to the destination, except a few more “inches” to go :) Could you pls help me? Of course, you will :)

    I have sync ‘ed up my time on both of the machine & kinit works as expected. However, when I run:

    # klist
    Valid starting Expires Service principal
    25/10/2006 14:04 26/10/2006 00:04 krbtgt/SAMPLE.NET@SAMPLE.NET
    renew until 01/11/2006 13:04

    Mind to explain to me what it means?

    HOWEVER, when I change my ldapclient syntax to:

    ldapclient manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=simple \
    -a proxyDN=cn=proxyuser,cn=Users,dc=sample,dc=net \
    -a proxyPassword=Welcome2CYZ \
    -a defaultSearchBase=dc=sample,dc=net \
    -a domainName=sample.net \
    -a “defaultServerList=192.168.1.2” \

    I only change the above value, the rest I keep it the same. The command returns that the configuration completed successfully. However, when I run:

    # getent passwd chris1
    (return nothing)

    # kinit chris1
    kinit (v5): cannot resolve network address for KDC in requested realm while gettting initial credential

    I try to re-run the old ldapclient syntax & kinit command still gives the same errors :(

    Could you please tell me what my ldapclient command should be? It looks like I’m stepping backward now :( Any helps are greatly appreciated.

    TIA,
    -Chris

  10. chris’s avatar

    chris on Thursday, October 26, 2006 at 12:18 pm

    Scott,

    I already sync ‘ed up the time on both of the servers & kinit command works fine now. However, I’ve played around w/ the ldapclient syntax as you suggested, and I’m still not able to make it work. Would you please tell show me the actuall ldapclient syntax?

    Here is my ldapclient syntax:

    ldapclient manual \
    -a credentialLevel=proxy \
    -a authenticationMethod=simple \
    -a proxyDN=cn=proxyuser,cn=Users,dc=sample,dc=net \
    -a proxyPassword=Welcome2CYZ \
    -a defaultSearchBase=dc=sample,dc=net \
    -a domainName=sample.net\
    -a “defaultServerList=192.168.1.2” \

    The rest is exactly to your example. When I run getent passwd , it still returns nothing. Please keep in mind that my domain controller is setup very standard & has no proxy setting because I know nothing about proxy setting :( Any helps are really appreciated.

    Thanks a lot,
    -Chris

  11. slowe’s avatar

    slowe on Thursday, October 26, 2006 at 4:39 pm

    Chris,

    The “proxy” term here is being used merely to indicate that Solaris is connecting to Active Directory on the behalf of something else to retrieve account information. Generally speaking, if the LDAP service is running (check “svcs -a | grep ldap”), then your configuration should work. I would double-check the DN of the proxy user; sometimes that syntax can get a bit tricky. I would probably verify the password as well, just in case I fat-fingered something. You’ve mentioned that you already double-checked /etc/nsswitch.conf, so it shouldn’t be a problem there either. What do the logs in /var/adm say? Anything useful?

    As for the kinit output, that simply indicates that you have been granted a Kerberos Ticket Granting Ticket (TGT) from the KDC (the AD domain controller); this is the expected output.

    Keep working on it–we’ll get it figured out!

  12. chris’s avatar

    chris on Thursday, October 26, 2006 at 8:21 pm

    Hi Scott,

    I have checked a couple of things as you suggested & here is the info:

    # svcs -a |grep ldap
    online svc:/network/ldap/client:default
    # svcs -a |grep dns/client
    online svc:/network/dns/client:default
    # getent passwd chris
    (return nothing. Chris is an AD user)
    # kinit chris1
    Password for Chris1@SAMPLE.NET:
    # more /var/adm/messages
    ……
    sun-admin3 svc.startd[7]: svc:/network/security/kadmin: default: Method “/lib/svc/method/svc-kdc.master” failed with exit status 1
    sun-admin3 svc:startd[34]: svc:/network/security/krb5kdc: default: Method “/lib/svc/method/svc-kdc.master” failed with exit status 1
    sun-admin3 nscd [92] libsldap: status: 49 mesg: OpenConnection: simple bind failed – invalid credentials.

    So, it looks like my method when running ldapclient is incorrect or something else. Could you please tell me how to check DN of proxy user & its password? Which file should I look into it and how to set up a DN of proxy user & passwd? I think this is a part that I’m missing, correct?

    Thanks a lot,
    -Chris

  13. slowe’s avatar

    slowe on Thursday, October 26, 2006 at 9:43 pm

    Chris,

    Your problem is most definitely with the LDAP configuration, either in the DN of the proxy user. The DN of the proxy user will be made up of the following components:

    CN=object name,CN=Users (or OU=Custom OU Name),DC=domain,DC=com

    If there are spaces anywhere along the way, you’ll have to encapsulate the whole thing in double quotes.

    If you have ADSI Edit installed on the Windows server(s), you can use it to determine the DN of the user object you’re using.

    Once you get the DN and/or password right, then that last line in the logs (where it says “simple bind failed – invalid credentials” will go away–that’s the reason the getent command isn’t working.

    Scott

  14. chris’s avatar

    chris on Friday, October 27, 2006 at 4:30 pm

    Hi Scott,

    I just checked with my window network folks & they confirm that they don’t have any proxy settings on DC. So I think credentialLevel=none or anonymous should be the right direction that I should be heading to. I know you mentioned that you have never made this work with anonymous authentication, but have you tried this configuration lately? Or you have any thoughts on the configuration setting that I should be looking at? Really appreciated your helps.

    TIA,
    -Chris

  15. slowe’s avatar

    slowe on Friday, October 27, 2006 at 10:44 pm

    Chris,

    Once again, proxy settings on your network and/or proxy settings on your domain controllers are distinct and separate from what we are talking about here. Don’t get the two confused.

    I have not tested with anonymous authentication. Based on the information you’ve provided, I would strongly imagine that your problem is an issue with the DN and/or password of the user that is binding to LDAP for name service lookups. Use ADSI Edit, LDP, or a similar tool to determine the correct DN for the designated user and try it again.

  16. chris’s avatar

    chris on Tuesday, November 7, 2006 at 6:29 pm

    Hi Scott,

    Somehow I get my getent passwd command to work as expected but my kinit command is fails. I already look at the krb5.conf & pam.conf serveral times & I still have no ideas what it is wrong w/ it. Could you please help me out?

    # getent passwd
    test01:x:65535:101::/export/home/test01:/sbin/sh

    # kinit
    Kinit (v5): can not contact any KDC for requested realm while getting
    initial credentials.

    # tail -f /var/adm/messages

    dtsession [] PAM_KRB5 (sectcred): pam_setcred failed for root (can not
    retrieve user credentials).

    Here is my /etc/krb5/krb5.conf file:

    [libdefaults]
    default_realm = SAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc

    [realms]
    SAMPLE.COM = {
    kdc = dc1.sample.com
    admin_server = dc1.sample.com
    kpasswd_protocol = SET_CHANGE
    default_domain = whatever.com
    }

    [domain_realm]
    .sample.com = SAMPLE.COM
    sample.com = SAMPLE.COM

    [logging]
    default = FILE:/var/adm/krb5kdc.log
    kdc = FILE:/var/adm/krb5kdc.log
    kdc_rotate = {
    period = 1d
    version = 10
    }

    [appdefaults]
    kinit = {
    renewable = true
    forwardable= true
    }

    Here is my /etc/pam.conf:

    # login service (explicit because of pam_dial_auth)
    #
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    #
    #
    # rlogin service (explicit because of pam_rhost_auth)
    #
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    #
    # Kerberized rlogin service
    #
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    #
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    #
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    #
    # Kerberized rsh service
    #
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    #
    # Kerberized telnet service
    #
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    #
    # PPP service (explicit because of pam_dial_auth)
    #
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    #
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    #
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    #
    # passwd command (explicit because of a different authentication module)
    #
    passwd auth required pam_passwd_auth.so.1
    #
    # cron service (explicit because of non-usage of pam_roles.so.1)
    #
    cron account required pam_unix_account.so.1
    #
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    #
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    #
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    #
    other session required pam_unix_session.so.1
    #
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    #
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1

    Any helps are appreciated.
    TIA,
    -Chris

  17. Eddie’s avatar

    Eddie on Friday, November 10, 2006 at 10:55 pm

    I’ve thrown together some instructions on doing the whole GSSAPI thing. Thought you might be interested.

    http://220-245-28-18.static.tpgi.com.au/~irvinee/gssapi-sol10/gssapi-howto.html

  18. slowe’s avatar

    slowe on Saturday, November 11, 2006 at 10:57 pm

    Chris,

    Is DNS resolution enabled and cofigured on the Solaris server?

    Eddie,

    Good instructions. Thanks for letting us know!

  19. chris’s avatar

    chris on Wednesday, November 15, 2006 at 8:01 pm

    Hi Scott,

    I finally figured it out & got it to work as expected. Basically, what I’d been missing was to add a userid to memberUid attribute in a usergroup. Once I did it, the problem was solved. I sincerely thank you for your efforts to help me out.

    Thank you Eddie for the tips & url. It’ll be a great resource for me to look once I’ll start expanding my testing in ssh env. Actually ssh setting is what I ‘ll need to test on because it reflects to what my current prod env :)

    Thanks a lot guys,
    -Chris

  20. Paul’s avatar

    Paul on Thursday, November 16, 2006 at 6:15 pm

    Hello
    I have problem wiht ldap.
    getent passwd Paul
    (return nothing)
    I read all respones on this web, my configuration is ok. In event viewer on Win2k3 I see that proxyuser logging success.
    Tell me, should “ldaplist” working ok ?
    ldaplist
    ldaplist passwd
    return: Object not found (ldap error 12): Unavaible critical extension.

  21. slowe’s avatar

    slowe on Thursday, November 16, 2006 at 11:27 pm

    Paul,

    What do the logs on the Solaris box say?

  22. Paul’s avatar

    Paul on Friday, November 17, 2006 at 9:32 am

    Probably I have problem with my Win 2k3 r2. I will install other ( I have install on it SFU ). Logs in /var/adm/messages say nothing about ldap.

  23. slowe’s avatar

    slowe on Friday, November 17, 2006 at 4:11 pm

    Paul,

    Keep in mind that the object mapping rules for SFU are *very* different than the rules for Win2K3 R2, which implements a partial RFC 2307 schema. So, you may have some mapping rules incorrect if you are basing the configuration off SFU. Refer to my articles on Linux-AD with Win2K3 R2 integration for more details on the object mapping.

  24. Paul’s avatar

    Paul on Monday, November 20, 2006 at 7:03 am

    Hello
    My AD schema was bad. Now, It’s working.
    Thank you for help.
    Is it possible to integrate AD and NIS ?

  25. slowe’s avatar

    slowe on Monday, November 20, 2006 at 10:49 am

    Paul,

    I personally haven’t done any work with integrating NIS and Active Directory, but I’m confident that I can be done. I spent some time (just briefly) working with it in an attempt to get automounting home directories working in a Solaris-AD integration scenario, but was unsuccessful. From what perspective, in particular, are you interested in integrating NIS and AD?

  26. Paul’s avatar

    Paul on Wednesday, November 22, 2006 at 3:36 am

    I would like to create trust between AD and NIS+. I want to synchronize users in this relationship. What do you think about it ? Maybe you know some links .

  27. Randy Reames’s avatar

    Randy Reames on Wednesday, November 29, 2006 at 5:51 pm

    Scott,

    I’ve been working on the UNIX/AD Authentication problem for quite a while and have finally worked out the basics of getting our three major platforms (Suse LInux, AIX 5.3, and Solaris 10) to authenticate via Kerberos from our AD domain and acquire the user info (UID,GID,home) from a separate Suse OpenLDAP server. This sorta killed two birds with one stone since we want to retire our NIS servers. We had parallel user accounts on AD and NIS so I was able to migrate the NIS domain to LDAP using the padl tools. The main restriction for us is ‘no schema mods’ on the AD domain. So far in preliminary testing all three platforms work and all the permissions are correct. Thanks much for the good info you posted on getting Solaris 10 to play. It was very helpful. The only gotcha I found for getting Solaris to work at all was that I found it neccessary to create an entry in /etc/shadow for each user – username:K*::::: – The K* indicating the Kerberos authentication should be used.
    Now I’ve got to fill in all the rest of the blanks – user maintenance, encrypting communications, etc.

    Randy R.

  28. slowe’s avatar

    slowe on Wednesday, November 29, 2006 at 8:48 pm

    Randy,

    Sounds like you’ve been hard at work! Although my Solaris instructions weren’t designed around integrating into a non-Active Directory environment, I’m glad they proved helpful anyway.

    Scott

  29. Nikolay’s avatar

    Nikolay on Friday, December 1, 2006 at 9:23 am

    Hello Scott,
    I try to configure on my SunFire T2000 Server (SPARC) by Solaris 10 authenticate and autorization of users in AD.
    After configuration I run test and have seen next:
    kinit ldap@DOMAIN.NET – works fine (It’s proxy user)
    kinit -k – works fine too.
    But
    getent passwd ldap.user – don’t works (return nothing)

    I read “man pam_ldap” and see:
    “account management component of pam_ldap will work only with the Sun Java System Directory Server”
    It means, that I cannot configure my system for authorization in AD with use native pam_ldap?

  30. Nikolay’s avatar

    Nikolay on Friday, December 1, 2006 at 9:34 am

    Oh, I have overlooked to tell. At attempt to go on ssh on the server to me gives out the following:
    Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
    Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] input_userauth_request: illegal user test
    Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 1319 ssh2
    Dec 1 17:33:29 srv2-pp450 sshd[13777]: [ID 293258 auth.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed – Can’t connect to the LDAP server
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 293258 auth.warning] libsldap: Status: 91 Mesg: openConnection: simple bind failed – Can’t connect to the LDAP server
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 219349 auth.debug] pam_unix_auth: user test not found
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 1319 ssh2
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
    Dec 1 17:33:34 srv2-pp450 sshd[13777]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

  31. slowe’s avatar

    slowe on Friday, December 1, 2006 at 9:50 am

    Nikolay,

    You can definitely configure Solaris 10 to authenticate against Active Directory.

    It looks like your problem lies somewhere in your LDAP configuration. I see errors in logs above indicating problems connecting to the LDAP server. Be sure to review your LDAP configuration–the errors above seem to point to a problem with the authentication of the proxy user against Active Directory.

    Hope this helps,
    Scott

  32. Nikolay’s avatar

    Nikolay on Friday, December 1, 2006 at 10:47 am

    I have reinitialize my ldap client settings:
    bash-3.00# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=ldap,cn=Users,dc=domain,dc=net
    NS_LDAP_BINDPASSWD= {NS1}5e10c25544515e26
    NS_LDAP_SERVERS= 172.20.0.151
    NS_LDAP_SEARCH_BASEDN= dc=domain,dc=net
    NS_LDAP_AUTH= simple
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=domain,dc=net?sub
    NS_LDAP_SERVICE_SEARCH_DESC= group:dc=domain,dc=net?sub
    NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
    NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
    NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=gecos
    NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
    NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
    NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
    After this I try login on Solaris by ssh – AD user couldn’t login. And I see in logs:
    Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
    Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] input_userauth_request: illegal user test
    Dec 1 18:38:07 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 1903 ssh2
    Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
    Dec 1 18:38:18 srv2-pp450 sshd[19605]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
    Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 219349 auth.debug] pam_unix_auth: user test not found
    Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
    Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 1903 ssh2
    Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
    Dec 1 18:38:19 srv2-pp450 sshd[19605]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

    Errors indicating on pam_ldap are not present
    getent passwd ldap.user – return nothing

    Have yuo any ideas?
    P.S. Big thanks for answers!
    P.P.S.
    ldapsearch -h 172.20.0.151 -b “dc=domain,dc=net” -D “cn=ldap,cm=Users,dc=domain,dc=net” -w passwd sAMAccountName=ldap.test – works

  33. slowe’s avatar

    slowe on Friday, December 1, 2006 at 1:35 pm

    Nikolay,

    In that set of log messages, the error is coming from pam_krb5, not pam_ldap; refer to the sixth log line where pam_krb5 reports “No account present for user”.

    Have you reconfigured nsswitch.conf yet to use LDAP for passwd and group entries?

  34. Nikolay’s avatar

    Nikolay on Sunday, December 3, 2006 at 2:15 am

    Yes, when I try login on server by ssh, I can see in logs messages from pam_krb5, but not rom pam_ldap. I have looked network traffic between domain controller and Solaris server and I have not seen references to DC on port 389.
    My nsswitch.conf:

    passwd: files ldap
    group: files ldap
    hosts: files dns
    ipnodes: ldap [NOTFOUND=return] files
    networks: ldap [NOTFOUND=return] files
    protocols: ldap [NOTFOUND=return] files
    rpc: ldap [NOTFOUND=return] files
    ethers: ldap [NOTFOUND=return] files
    netmasks: ldap [NOTFOUND=return] files
    bootparams: ldap [NOTFOUND=return] files
    publickey: ldap [NOTFOUND=return] files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    services: files ldap
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap

    P.S. Scott, if it is interesting, I can send configuration nss_ldap module of mine Linux (RHEL AS 4) server, which it is connected to DC through the gssapi auth mech.

  35. Nikolay’s avatar

    Nikolay on Sunday, December 3, 2006 at 4:54 am

    I am stupid. Firewall blocked requests on 389 port between Solaris and DC. I have resolved all traffic.
    After that I try to login on Solaris by ssh. I have looked in Security Events journal on DC and have seen there:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 03.12.2006
    Time: 11:35:35
    User: DOMAIN\ldap
    Computer: SRV-R2
    Description:
    Successful Network Logon:
    User Name: ldap
    Domain: DOMAIN
    Logon ID: (0×0,0xDE2497)
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: SRV-R2
    Logon GUID: -
    Caller User Name: SRV-R2$
    Caller Domain: DOMAIN
    Caller Logon ID: (0×0,0x3E7)
    Caller Process ID: 572
    Transited Services: -
    Source Network Address: 172.20.1.49
    Source Port: 51670

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    But I can not login on Solaris over ssh. In logs I see:

    Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Illegal user test from 172.20.64.135
    Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] input_userauth_request: illegal user test
    Dec 3 11:47:05 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Failed none for from 172.20.64.135 port 3566 ssh2
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =13, env =’KRB5CCNAME=FILE:/tmp/krb5cc_0′, age = 0, status = 9
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: No account present for user
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 219349 auth.debug] pam_unix_auth: user test not found
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Failed keyboard-interactive for from 172.20.64.135 port 3566 ssh2
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 800047 auth.info] Received disconnect from 172.20.64.135: 11: No supported authentication methods available
    Dec 3 11:47:08 srv2-pp450 sshd[5513]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 13

    Command kinit test@DOMIAN.NET – works fine.

    In what a problem?

  36. slowe’s avatar

    slowe on Sunday, December 3, 2006 at 10:51 pm

    Nikolay,

    Send me an e-mail (scott dot lowe at scottlowe dot org) with your /etc/krb5/krb5.conf and the output of “ldapclient list” and let me see what I can figure out.

    Scott

  37. Nikolay’s avatar

    Nikolay on Thursday, December 7, 2006 at 7:07 am

    Scott,
    I have sent you a message, are there any ideas?

  38. slowe’s avatar

    slowe on Thursday, December 7, 2006 at 9:47 am

    Nikolay,

    I sent you an e-mail response–did you not get it? Both LDAP and Kerberos appear to be working, yet something still isn’t right. I need to see your pam.conf file as well.

    Scott

  39. Nikolay’s avatar

    Nikolay on Thursday, December 7, 2006 at 12:44 pm

    Unfortunately I did not receive your answer :(
    I sent my pam.conf.

  40. slowe’s avatar

    slowe on Thursday, December 7, 2006 at 2:51 pm

    Nikolay,

    The only difference I can see between the Solaris 10 system I have working right now and what you have sent me is that I don’t have a pam_ldap entry for the session stack–I have only the pam_unix_session entry. In addition, my account section is like the variant you listed at the bottom of your message.

    Try removing the session line and see if that helps.

    Scott

  41. Nikolay’s avatar

    Nikolay on Friday, December 15, 2006 at 3:42 am

    Hello Scott,
    After long attempts of the decision of a problem I have tried the decision Randy Reames – “to create an entry in /etc/shadow for each user – username:K*::::: – The K* indicating the Kerberos authentication should be used”. After this I could to login on server as AD user. But it seems to me, that it can be achieved through necessary attributes mapping (such as shadow:userpassword=?). Only in AD there is no attribute which would correspond to attribute userpassword :(

  43. istvan’s avatar

    istvan on Monday, January 15, 2007 at 9:27 am

    Hi Scott,

    thanks for this issue, it was very helpful. Unfortunately i have a problem with this configuration. kinit and getent works well but the X Desktop login rejects the AD users. What should be the problem?

    Thanks for helping

    Istvan

  44. slowe’s avatar

    slowe on Monday, January 15, 2007 at 9:57 am

    Istvan,

    The X Desktop login must be using a different PAM configuration. Check your log files and see if they provide any other information. Can you log in successfully via SSH?

    Scott

  45. KR’s avatar

    KR on Tuesday, January 16, 2007 at 7:25 pm

    anyone get pam_mkhomdir working on solaris 10. After about a week of pulling my hair out to get TLS working, I’m now stuck on auto home dir creation. Why have central user authentication if you still have to log in to each box to create the home directory. heh Anyone have insite to this?

  46. slowe’s avatar

    slowe on Tuesday, January 16, 2007 at 8:24 pm

    KR,

    Use the automounter and mount home directories as NFS mounts. See http://blog.scottlowe.org/2006/11/21/greater-ad-integration-via-nfs-and-automounts/ for more information.

    Otherwise, I have no information on getting pam_mkhomedir.so working on Solaris. The automounter solution worked so well for me I haven’t even tried anything else.

    Scott

  47. KR’s avatar

    KR on Wednesday, January 17, 2007 at 12:53 pm

    Anyone know how to cache user login’s incase the ldap server goes down for a short period of time so “known” users are still able to log in?

  48. Greg’s avatar

    Greg on Wednesday, January 17, 2007 at 1:40 pm

    I’ve followed the instructions and everything seems to be working fine until I attempt to create a new account. I create the account in active directory and set the UNIX account settings, but the account is not recognized on the Solaris machine. Is there another step that needs to be accomplished after the account is created in AD for the Solaris machine to be able to recognize it?

  49. slowe’s avatar

    slowe on Wednesday, January 17, 2007 at 6:08 pm

    KR,

    Take a look at the name service caching daemon (NSCD); it should be able to do what you are asking.

    Greg,

    I’m guessing that “kinit” and “getent” (sorry if that’s not the right Solaris command, my operating systems are running together right at the moment) are working correctly and will obtain a ticket and retrieve account information, respectively?

    Scott

  50. Greg’s avatar

    Greg on Wednesday, January 24, 2007 at 12:45 pm

    Thanks for the help but the problem was a typo not a configuration error. I ran a snoop on the line and noticed I was getting “object not found” errors when attempting to logon. After some research I realized that the AD OU my UNIX accounts are in is UNIX-OU, but the “serviceSearchDescriptor” listed “unix”. After I changed it everything started working.

    Thanks again.

1 · 2 · 3 ·