Solaris 10-AD Integration, Version 3

Does the proxy DN need any access to the userPassword attribute? Can the ACL for the proxy DN be denied all access to it for security reasons? If the DN is ever compromised (it is on every Solaris machine) then an intruder could use it access LDAP records.

ok on this side. does it maintain username and privlidges, if you create a file with different usernames in the same directory?

The user’s password should be fairly well protected because of Kerberos itself, but since you’re connecting to the LDAP server via a plain-text bind:

-a authenticationMethod=simple

the proxy DN’s password can be exposed on the network. (It can also be possibly captured if your host is compromised, but then you usually have bigger issues.)

One way to protect the password over the network is to use a more secure LDAP bind method (via the ldapclient(1M) man page on Solaris 9):

sasl/CRAM-MD5
sasl/DIGEST-MD5
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5

One issue with using TLS is that you have to import the certificate of the LDAP server (or perhaps just the CA’s that signed it). For this you need certutil, which isn’t always installed with Solaris by default:

http://www.mozilla.org/projects/security/pki/nss/
http://blogs.sun.com/baban/entry/steps_to_setup_ssl_using

I’ve read that it is available in Solaris 10 in /usr/sfw/bin/ if you install the SUNWtlsu package.

David,

I have obtained our AD CA cert and followed the certutil instructions in the blog you linked to…. however although ldapsearch with TLS appears to work fine if I set the authentication method to tls:simple instead of simple getent just hangs until I ^C… no errors I can see on the log at all… any ideas?

James

P.S. Scott I hope you do work out some TLS/kerberos binding soon - it will make my life a lot easier

I thought this would be helpful to some people….

Searching for a way to unify linux and solaris home directories - but locally (we do not wish to get into nfs yet) i was trying to find a pam_mkhomedir for solaris. Unfortunately, given that /home is virtual and a mount point in solaris 10, /home/%user% was not a valid location to create a directory. I thought about hacking pam_mkhomedir to create in /export/home/ instead but then I came upon this:

http://www.mail-archive.com/sunray-users@filibeto.org/msg06348.html

talk about using a sledgehammer to knock in a nail…….

one simple replacement for auto_home later and linux (using pam_mkhomedir although this could be adapted for that also) along with solaris both can use /home/%user% in the home directory field of the LDAP server with the directory automatically being created if it doesn’t already exist - happiness!

James,

You may want to use strace(1M) to see what getent(1M) is doing. If you’re using Solaris 10 another option could be DTrace.

Unfortunately I don’t have a test setup to try things myself.

Hi Scott,

I’m curious how your sshd authenticates on the Solaris box, following your steps Samba places the host/fgqn@REALM key into /etc/krb5.keytab. However the native solaris utilities (including SSHD) will use the native Kerberos libraries (the old SEAM stuff) which are compiled with the keytab being /etc/krb5/krb5.keytab

# strings /usr/lib/gss/mech_krb5.so.1 | grep krb5.keytab
Bad magic number for krb5_keytab_entry structure
Bad magic number for krb5_keytab structure
FILE:/etc/krb5/krb5.keytab

Have you installed another version of SSH?

Great articles by the way!

Rgds

Richard

Scott,

Its not a show stopper, just a matter of copying /etc/krb5.keytab to /etc/krb5 directory. Didn’t seem to work by just copying the file so I used ktutil

I curiously also had to add a numerical value to the shadowFlag attribute as MMC didn’t seem to populate it. Without this pam_unix_account fails and prevented me from logging on.

Other than that worked like a charm!

Rgds

Richard

Scott,

First of all, thank you for your marvelous blog and all of the useful information I’ve been able to get from it. It’s truly been a lifesaver.

Now to my point - I have been able to successfully integrate Solaris10 and AD in a test environment using the above steps (basically, really - I’m not using samba, so I followed the old directions to get a keytab using ktpass, etc). When initially configuring ldapclient on the Solaris device (the working configuration), I set the service search descriptor for passwd/group to point to an OU containing all UNIX users that I have, and to do a subtree search, like so:
-a “serviceSearchDescriptor=passwd:ou=UNIX,?sub”
-a “serviceSearchDescriptor=group:ou=UNIX,?sub”

That works just fine. However, I’d like to restrict logins to certain devices to only certain groups/users. I tested this by changing the passwd line to the following:
-a “serviceSearchDescriptor=passwd:ou=UNIX,?sub?(|(uid=testuser1)(uid=testuser2))”

I verified the change by calling getent for several users. Only the two users specified were returned correctly; all other users were not in the passwd database, as expected. I thought I was good to go; however, I’ve found that I now can’t login remotely via SSH, Telnet, etc. What’s extra interesting is that when I SSH with the working configuration and enter an incorrect password, I get the “Kerberos Password” prompt as PAM does its magic and tries other methods. With this new configuration, I still get this with the incorrect password, but I don’t with the correct password - I just get another “normal” password prompt. That tells me that Kerberos is still auth’ing the user correctly, but something else is rejecting it (which I guess is expected, since I didn’t change anything Kerberos related, only LDAP).

Sorry for the extra long post, but I’m really hoping you can help me with my problem.

Hi Scott,

I really appreciate you collecting all these details and sharing them.

Got Solaris 10 11/06 and followed your procedure. Everything was working great right up to the net ads join. Users were able to SSH in with their AD domain accounts and everything. Seems to work with the kpass keytab until Samba joins the domain. I see the computer account in Active Directory and don’t get errors on the net ads join other than the one about the missing userPrincipalName. Once I do the join, none of the users can SSH in. Seems to be a Kerberos issue but I’m new to all of this.

Thanks for the reply…
I was getting these errors:
Jun 14 17:59:35 maki sshd[1344]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database

Hmmm… tried leaving, deleting the computer object and rejoining but still having some issues. I did find a few things that might be having an influence on this like some tertiary DNS servers that are not the AD domain controllers. Tempted to try this out with Solaris Express Community Edition build 66 instead. Thanks - I’ll play around some more with this.

Hi Scott,
Good day.
I’m new to solaris OS and found myself interesting to know more about Solaris 10-AD Integration. Solaris 10 1/06 was installed and tried to follow your instructions. Unfortunately, I was not able to go further due to samba.

has samba installed during Solaris OS installatin (10 1/06 )?

I did download “samba-3.0.25a-sol10-x86-local.gz” from sunfreeware.com. I tried to use “pkgadd filename”, but it was not able to install. Besides, “net” command was not found, as ran “net ads join”. Hence, kindly share some useful guides.

millions of thanks,

Hi Scott,

Thanks for this resource! It’s been a tremendous help, and I’ve learned several things from it.

I managed to get a Solaris10 test machine to authenticate against a test Windows server I have. It took a bit of tweaking, but I was able to get it to work. Now I am trying it with some live machines. I have it about half-working, but am now stuck. If I try to login with either a straight telnet session or from a dtlogin session I get “Login incorrect” and the following error shows on the console: “PAM-KRB5: krb5_verify_init_creds failed: No such file of directory.” Looking at the security logs on the Windows server shows the proxy account connecting, seemingly without problem. Yet, if I first log on locally to solaris as root, then ’su’ to one of the Active Directory user accounts, it works fine. It even automounts the home folder from the Windows server! Kinit and getent also work fine as root. But directly logging in as an AD user fails. I’ve triple and quadruple checked the krb5.conf file, ldap config, nsswitch.conf file, DNS settings, reset passwords, rebooted twenty times and still no luck. I’m sure it’s a typo or some other simple config error, but after hacking away at it for days I still can’t find it. It doesn’t help that this is my first effort at using either Kerberos or LDAP, so I’m also learning those along the way.

Do you (or anyone else out there) have a suggestion as to where to look?

I’m using Solaris 10, release 11/06, and Windows Server 2003R2.

Thanks!

Bingo! I knew once I asked for help, I’d find the problem. And I was right, it was something simple (and as it turn out, stupid). Since it seemed to be tripping over the kerberos settings somewhere along the chain I decided to just recreate all windows accounts and the keytab files from scratch. In doing so I discovered that somewhere in my previous actions I had managed to move the krb5.keytab file to krb5.keytab.old, but failed to save out a valid one again. I created new keytab files and now it’s working.

Thanks again for such a helpful site!

Hi, Scott…

Thanks for the very informative site. I’m curious if you’ve had much luck integrating with Solaris 9. I haven’t had problems on Solaris 10, but I’m having consistent problems on Solaris 9 similar to what Nate described above. After setting up Kerberos and getting everything going, I’m able to run kinit and get in, but when I try an connect via SSH, I’m consistently failing to authenticate. In /var/adm/messages, I get
sshd[14353]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Server not found in Kerberos database

Now, the only significant difference seems to be that I’m trying to join a server from one domain into another domain. For example:

AD server: test.outside.example.com (domain: outside.example.com)

Server trying to join: test1.example.com

Any suggestions?

Hi,
I´m trying to follow your indications but I have some problems with the ldap part…. I dont know what exacly I need to change in the command to get it work with my configuration. I not really good on LDAP, so I would quite happy with any help

This is my command:

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=proxyuser,cn=Users,dc=DES-AXAPTA,dc=AND \
-a proxyPassword=master \
-a defaultSearchBase=dc=DES-AXAPTA,dc=AND \
-a domainName=DES-AXAPTA.AND \
-a “defaultServerList=SRVAX-4.DES-AXAPTA.AND” \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=DES-AXAPTA,dc=AND?sub \
-a serviceSearchDescriptor=group:dc=DES-AXAPTA,dc=AND?sub

And this is the answer on my system:

Error resetting system.
Recovering old system settings.
Stopping ldap failed with (7)
Error (1) while stopping services during reset

All on windows system have been done by the administrator of that enviroment…

Thank you. This will save me a lot of time.

-ron

Thank you for your great work! I have written a step-by-step procedure in how one could permorm a Solaris10 into Active Directory Integration including LDAP over SSL and Kerberos support for ssh putty.exe single-sign on.

http://www.csnc.ch/estatic/download/index.html#anchor%20Solaris10

Feedback is welcomed.
Ivan

Does Solaris pick up supplementary groups from Active Directory for you?

I can’t get it to work, it only picks up the primary group from AD.

Which attribute mapping is used for supplementary groups?

Supplementary group membership is very important in our environment.

I’m wondering the same thing about secondary groups. The problem I’ve found is that AD (I’m using msSFU30 attributes) stores memberships within the group object as a Distinguised Name, not as a simple username.

The result, is that a “getent group somegroup” yields:

somegroup::9999:CN=Person,OU=users,DC=place,DC=com,DC=au,CN=Person2,OU=users,DC=place,DC=com,DC=au,CN=Person3,OU=users,DC=place,DC=com,DC=au

I’ve searched everywhere for weeks, and haven’t found a solution. Everything is working as it should, except for the fact that AD populates the msSFU30PosixMember field in this way. I could get around it by manually populating users into another field using adsiedit or something, but that’s a bit unmanageable

Hi Scott,

I’ve read through all your documentation both with Linux and Solaris 10 AD integration, and have gotten them to work successfully, but now I’m in a bind. In my particular instance, I can’t change the usernames that are configured in AD and the usernames aren’t compatible with UNIX in the sense that they start with numbers and they’re too long (which breaks the standard UNIX account name restrictions.) So, as an alternative, I decided to point the LDAP “passwd:uid” field to another field in AD via the ldapclient program. It works great… a “getent passwd ” brings up the entire line properly. (When I tried it against the illegal UNIX account name, it would return nothing, since it broke the UNIX restrictions.) The problem is this: Even though nss_ldap appears to work correctly, reading the /var/ldap/ldap_client_file right, pam_ldap does not seem to follow this convention. It doesn’t appear to be reading /var/ldap/ldap_client_file at all for the field mappings, because no matter how many times I change said file, pam_ldap still gives me an “illegal account name” or “account name not found” error in the debug lines from the messages or debug.log file I’ve set up via syslog. Would you know what file pam_ldap is attempting to read? I thought it might be some type of /etc/pam_ldap.conf file, but according to all the documentation I’ve read, it should be 100% compatible with /var/ldap/ldap_client_file. Lastly, all source code I look at is the Linux version of pam_ldap, which use completely different config files than the Solaris 10 version. Help!

Ian

Ok, I got it working. It turned out when I mapped passwd:uid to a new field under the attributeMap entries for ldapclient, I didn’t map shadow:uid as well. Because of this, when the system attempted to look up the password, it failed. (It was like having an entry in /etc/passwd, but not /etc/shadow.) Now that it’s in there, authentication against a new userid works perfectly. This way, Windows users can have a completely different UID from their Windows UID in UNIX.

Ian

No problem… actually, I’ve run into ANOTHER snag. Since I can’t use Kerberos for authentication with AD, as I’ve manually mapped the attributes differently, I want to use pam_ldap.so to control the password changing for AD. But, every time I issue a “passwd” command against an AD user from Solaris 10, I get the following error:

passwd[3474]: [ID 293258 user.info] libsldap: Status: 50 Mesg: Insufficient access

I’ve tried to change all combinations of access and credentials with no success. I have a feeling that either a) the proxyuser I’m using to query the LDAP database has insufficient access (which I doubt, since its a member of Domain Admins), or b) SSL is not turned on, which Microsoft AD is immediately denying all password changing because of.

I’m running into independent issues with AD SSL integration, but that’s not topic for this conversation. kpasswd works perfectly against the original account name (not the aliased one.. Kerberos is not attribute-mapping aware.) so its the only thing I can think of that’s causing the issue.

Ian

Hi Scott,

Thank you so much for all your help. I have recommended your blog to my friends and all of them found it very useful.

I have managed to get the AD-Solaris 10 authentication working but not samba.

I have started smbd and nmbd and tried to map a network drive from a windows server but it didn’t work. It just kept asking for my username and password. Here’s the setting of my smb.conf:

#====== Global Settings ========
[global]

workgroup = DEVLAB
security = ads
realm = DEVLAB.DEV.COM
use kerberos keytab = true
password server = PASSWD001 PASSWD002
server string = Samba Server
log file = /var/samba/log/log.%m

#======= Share Definitions ========

[testing]
path = /home/jackiewong
public = no
writable = yes
printable = no

[homes]
comment = Home Directories
read only = No
case sensitive = Yes

I am pretty sure it’s correct coz it works on Linux. I checked the samba log and got the following:

[2007/08/31 15:22:23, 0] nmbd/nmbd_incomingdgrams.c:(385)
process_master_browser_announce: Not configured as domain master - ignoring master announce.
[2007/08/31 15:25:22, 0] nmbd/nmbd_incomingdgrams.c:(385)
process_master_browser_announce: Not configured as domain master - ignoring master announce.
[2007/08/31 15:25:48, 0] nmbd/nmbd.c:(58)
Got SIGTERM: going down…
[2007/08/31 15:26:07, 0] nmbd/nmbd.c:(727)
Netbios nameserver version 3.0.21b started.
Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/08/31 15:26:07, 0] param/loadparm.c:(2645)
Unknown parameter encountered: “realm”
[2007/08/31 15:26:07, 0] param/loadparm.c:(3390)
Ignoring unknown parameter “realm”

Would you please give me some advice? Thank you very much.

Regards,
Jackie

Hi Scott,

Thanks a lot for your help. I really find that all the documents on your blog are extremely useful and really have made my life a lot easier. I will definitely recommend it to my friends.

Cheers,
Jackie

Was the question about supplementary groups ever solved? Right now it looks like this might work in our environment except that we don’t have any group listings except for primary.

Is the possible to restrict a ADS user to login to a unix client like “logon to” option in user property in ADS”

This configuration worked for me.
Note:My users are in top level domain.

ldapclient -vvv manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=CN=administrator,CN=Users,DC=eng,DC=int,DC=balaji,DC=com \
-a proxyPassword=Balaji \
-a defaultSearchBase=CN=users,DC=eng,DC=int,DC=balaji,DC=com \
-a defaultServerList=10.50.50.50:389 \
-a domainName=eng.int.balaji.com \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:CN=users,DC=eng,DC=int,DC=balaji,DC=com?sub \
-a serviceSearchDescriptor=group:DC=CN=Users,eng,DC=int,DC=balaji,DC=com?sub

Nope, the supplementary group question remains. Are we the only people who use more than our primary groups, or has everybody else who’s implemented this just not noticed their other groups no longer work?

I’m not sure there is an answer though sadly — I’ve been scouring the internet for months.

Thanks to Scott though, for getting us up to this point!

In case anyone else has any more info this is the printout of a group via ldaplist. You can see the member of the group here, but doing getent group does not display any members, only gid. Any ideas?

root@ackbar:/usr/local/src$ ldaplist -l group cens_test
dn: CN=cens_test,OU=CENS Users and Groups,OU=CENS Labs,DC=students,DC=froot,DC=nau,DC=edu
objectClass: top
objectClass: posixGroup
cn: cens_test
member: CN=Christian,OU=CENS Users and Groups,OU=CENS Labs,DC=students,DC=froot,DC=nau,DC=edu
member: CN=mcm75,CN=Users,DC=students,DC=froot,DC=nau,DC=edu
distinguishedName: CN=cens_test,OU=CENS Users and Groups,OU=CENS Labs,DC=students,DC=froot,DC=nau,DC=edu
instanceType: 4
whenCreated: 20070912202323.0Z
whenChanged: 20070912202440.0Z
uSNCreated: 39801811
uSNChanged: 39801867
name: cens_test
objectGUID:
objectSid:
sAMAccountName: cens_test
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=froot,DC=nau,DC=edu
gidnumber: 1200
msSFU30NisDomain: nauunix

Hi Scott,

I’ve tried to configure AD support under Solaris 10, but have runned into some troubles with Solaris native LDAP client. It seems to require RFC2307bis support (nisDomainObject and other attributes), while Windows 2003 Server R2 officially supports only RFC2307.. It says that it can not find nisDomainObject under the top branch of the directory. So I’ve tried your steps several times, and ldapclient still is not working seamlessly. I doublechecked all the configs - they are exactly the same as you described with fixes regarding my own configuration.
Could you tell me please, am I need some specific version of Solaris and ldapclient? Am I missed something?
Best regards,
Nick.

Is the possible to restrict a ADS user to login to a unix client like “logon to” option in user property in ADS”

my ldapclient is solaris10

Scott,

Here is an output of the command

#ldapclient -v init dc.domain.com

Arguments parsed:
defaultServerList: dc.domain.com
Handling init option
About to configure machine by downloading a profile
No profile specified. Using “default”
findBaseDN: begins
findBaseDN: Stopping ldap
findBaseDN: calling __ns_ldap_default_config()
found 5 namingcontexts
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=domain.com))”
rootDN[0] DC=RENCDDC,DC=DOM
NOTFOUND:Could not find the nisDomainObject for DN DC=DOMAIN,DC=COM
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=domain.com))”
rootDN[1] CN=Configuration,DC=DOMAIN,DC=COM
NOTFOUND:Could not find the nisDomainObject for DN CN=Configuration,DC=DOMAIN,DC=COM
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=domain.com))”
rootDN[2] CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
NOTFOUND:Could not find the nisDomainObject for DN CN=Schema,CN=Configuration,DC=DOMAIN,DC=COM
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=domain.com))”
rootDN[3] DC=DomainDnsZones,DC=DOMAIN,DC=COM
NOTFOUND:Could not find the nisDomainObject for DN DC=DomainDnsZones,DC=DOMAIN,DC=COM
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=domain.com))”
rootDN[4] DC=ForestDnsZones,DC=DOMAIN,DC=COM
NOTFOUND:Could not find the nisDomainObject for DN DC=ForestDnsZones,DC=DOMAIN,DC=COM
found_cxt = -1
findBaseDN: Err exit
Failed to find defaultSearchBase for domain domain.com

My Solaris version is Solaris 10 3/05 s10_74L2a released January 2005. It seems a kind of not updated one..

Slowe,

-a “serviceSearchDescriptor=passwd:CN=Users,DC=eng,DC=int,DC=rci,DC=com?sub?userWorkstations=$HOSTNAME” \
-a “serviceSearchDescriptor=shadow:CN=Users,DC=eng,DC=int,DC=rci,DC=com?sub?userWorkstations=$HOSTNAME” \
-a “serviceSearchDescriptor=group:CN=Users,DC=eng,DC=int,DC=rci,DC=com?sub”

this service search descriptor filters the users with workstation defined in windows user properties, but allow only one work station to define, please do you have any idea if a user has 2 3 workstation defined in the windows profile.

Your help is really appreciated.
Thanks in advance.

Christian,

Our problem is that AD stores each group member as a full DN. The only solution I’ve found so far is the suggestion to create a new attribute for groups in the schema, and populate each member (more than likely this will be for the third time) as a single CN.

This is obviously a ludicrous proposition, because it’s highly inefficient and would be atrocious to maintain. We’d end up with groups which have each person listed as a “member:” attribute (for Windows), and a “msfu30posixmember:” attribute (for AD’s SFU), and then as whatever this new one is.

From what I can gather, if we’re to get secondary groups to work, Solaris would somehow have to map each member’s DN back to a CN.
(groupOfUniqueNames, or groupOfNames?) getent, by itself, shows us what objectclass Solaris is expecting to find each member within a group.

If anybody knows how to do this, or if indeed it’s even possible… please let me know. It’s killing me!

Slowe,

Do you have any idea how a condition can be applied in servicesearchdescriptor.

thanks in adv
Balaji

Thanks for excellent information. I’m trying to replace our Sun Directory server with Active Directory. Unfortunately, we have a lot of solaris server profiles stored in the directory. Consequently my requirement is to run ldapclient against Active Directory to pull down a profile. I’ve extended AD to include the Solaris profile related classes and attributes-
(Classes called “nisdomainobject” and “DUAConfigprofile” and attribute “nisdomain” and others).

When I run ldaplclient I get the following:

# /usr/sbin/ldapclient -v init -a proxyDN=CN=apcproxy,OU=unixProfiles,DC=apc,DC=unix -a proxyPassword=password -a domainName=apc.unix -a profileName=CN=soltest1,CN=apc,OU=unixProfiles,DC=apc,DC=unix labtst1
Parsing proxyDN=CN=apcproxy,OU=unixProfiles,DC=apc,DC=unix
Parsing proxyPassword=password
Parsing domainName=apc.unix
Parsing profileName=CN=soltest1,CN=apc,OU=unixProfiles,DC=apc,DC=unix
Arguments parsed:
domainName: apc.unix
proxyDN: CN=apcproxy,OU=unixProfiles,DC=apc,DC=unix
profileName: CN=soltest1,CN=apc,OU=unixProfiles,DC=apc,DC=unix
proxyPassword: password
defaultServerList: labtst1
Handling init option
About to configure machine by downloading a profile
findBaseDN: begins
findBaseDN: ldap not running
findBaseDN: calling __ns_ldap_default_config()
found 5 namingcontexts
findBaseDN: __ns_ldap_list(NULL, “(&(objectclass=nisDomainObject)(nisdomain=apc.unix))”
rootDN[0] DC=apc,DC=unix
NOTFOUND:Could not find the nisDomainObject for DN DC=apc,DC=unix
found_cxt = -1
findBaseDN: Err exit
Failed to find defaultSearchBase for domain apc.unix

I’ve confirmed via a network trace that AD returns the DN of the organizational unit holding my solaris profiles.

Any advice would be appreciated. Thanks.

Hello Slowe, Hello all,

I’m trying to use your method to integrate a Samba server (Solaris 10 11/06 Sparc) to Windows 2003 AD server.
But when I add this line :
“other account required pam_ldap.so.1″, then root cannot connected to the Samba server! What is wrong? Is the root account must be also created on the AD server ? I dont undertand well who LDAP must manage the accounts : AD LDAP or Samba LDAP ?

Thanks

As far as the full dn for group info goes, in looking at my active directory setup, it looks like I don’t have a memberuid attribute. The best I have is the member attribute which is a users full dn.

This means group info still does not work, but since I’m seeing reference to this memberuid attribute is there something wrong with my active directory setup?

If I change the ldapclient command to point
attributeMap=group:memberuid=member

I can get output from getent group like:
cens_test2::1201:CN=mcm75,CN=Users,DC=nau,DC=froot,DC=nau,DC=edu

Any ideas? Is my ad schema wrong since I don’t have a memberuid attribute?

Thanks

Hi Scott,

we successfully setup the integration of our Solaris 10 servers and zones to our Windows 2003 R2 AD. Now that we have more users using our servers, we run into a strange problem. The name-service-cache daemon (NSCD) is opening many (too many, about 1000 in 2 hours) connections to the AD and leaves it open. After a while, the NSCD process reach is file descriptor limits and the integration stop working. Any ideas why nscd open so many connections?

Hi Scott and others,

I was reading with interest the posts about secondary groups, hoping that someone had got this working, then it occurred to me that this could possibly be a reporting issue with the ‘groups’ command rather than a functional issue.

I made a user a member of multiple unix groups in AD. “groups” for that user reported only a single group (not even the primary), however “getent group” reported the group members correctly.

When I created directories with various group permissions, my access to those directories was restricted correctly for the multiple groups. So, at a pure Unix level, it appears that secondary groups do ‘function’ correctly.

So it would seem that that the OS can find out “which users are members of a group” correctly, and only has an issue reporting “which groups a user is a member of.” Based on the discussions I have seen around LDAP/AD , this makes logical sense.

I will do more testing myself, but for any of those users who need secondary group functionality, I would be interested in your feedback - you may already have it - or may be able to modify your environment to work.

Hope this helps someone.

Cheers
John

OK, now I have what may seem like a dumb question. I’ve setup a fresh Solaris 10 box and followed all the instructions except for installing Blastwave Samba and joining the domain. Everything seems to be working and users can login using their AD credentials. There is no krb5.keytab file in existence on the system.

So is my understanding correct that the Samba steps are unnecessary if all you want is login authentication to the box ? Or am I going to come across some sort of problem later on ?

Cheers
J

Scott,

First, thank you for taking the time to put this all together and also for helping troubleshoot everyones issues.

I’ve been through all the posts here, and all over google as well, trying everything that everyone else has done to get Solaris 10 to authenticate with Active Directory. I think I am pretty close, just not quite there yet, and I believe my issue has to be with my ldap config. I can to an ldapsearch and get information back, but if I do any sort of ldaplist, I get the following error:

ldaplist: Object not found (Session error no available conn.)

kinit seems to work fine, as does klist, but when I run any getent commands, the only data returned, is what is found in the Solaris servers local files. Any advice is greatly appreciated.

Thanks Scott, I have updated nsswitch.conf and restarted nscd. I actually rebooted the server as well. I ran ldapclient, and made sure I had the correct proxyDN, by running a dsquery on the domain controller. I just can’t seem to figure out why the ldapsearch is working, but the ldaplist fails and getent only returns local data. I’m still plugging away at this, trying small changes here and there, but if you have any other things to check, that I may have over looked, any advice is much appreciated.

Shawn

ok, so I think I have been ignoring the information all along. For some reason, I thought I read that if using SFU3.5, I am supposed to use the same ldapclient settings as the 2003R2 settings. I’ve finally realized that you have been saying these settings assume 2003R2 all along, and that SFU3.0 and 3.5 should use the following settings for ldapclient

-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \

Can you please confirm this for me, one last time. Should these attribute maps be used for SFU3.0 and SFU3.5? Also, where should I be able to look at this and verify, on the domain controller?

Thanks again for your help…

OK, sorry for all the posts, just want to up date my progress, so no one wastes their time replying to my other posts. After finally listening to what you’ve been saying all along, I am using the attributeMap entries for SFU3.5, which if anyone was making the same mistake, all need the msSFU30 prefix. I can now successfully run the ldaplist commands and can “su” to an account on my solaris server. My only issue now, is that I can not ssh in, I receive the following error:

Nov 2 11:39:03 wwwddcissuppi01 sshd[800]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

I assume this is probably due to an error in pam.conf, but it looks like I have it correct. If you already have a good idea of where my problem is, based on the symptoms, please let me know.

Thanks

Thought I found my issue, because someone else has the same symptoms that I did, able to run ldaplist , ldapsearch, klist, kinit, and able to su to the user, but not able to telnet /ssh in. I tried re-generating my keytab files, and noticed that the account name was too long and being chopped off. I re-created the accounts with shorter names, created new keytab files, and transfered them over to the solaris servers. I was feeling confident, but still unable to ssh to the server, and receiving the same error.

Hoping someone can suggest anything, as I have got to be very close to getting this working.

Thanks..

Still no luck for me, but I am starting to lean towards the fact that my issue is probably an encryption issue. Can anyone that has this working between Solaris 10 and 2003 Server with SFU3.5 please confirm what encryption method is being used. While generating the keytab file with ktpass, I have tried specifying “-crypto DES-CBC-MD5″, “-crypto DES-CBC-MD5 +DesOnly”, and without the -crypto option altogether. None of these seem to work, unless I need to change things else where as well.

Also, on the domain controllers, if I open “services for unix administration”, there is an option in there to use MD5 or crypto. I’ve tried both, but do I need to regenerate the my keytab file if I make the change?

I seem to be monopolizing this blog today, but again, if anyone has any ideas for me to try, please let me know. I really need to get this working (as many others before me have already said).

The only error message I receive, is the following:

sshd[1433]: [ID 537602 auth.error] PAM-KRB5 (auth): krb5_verify_init_creds failed: Key table entry not found

I have tried adding a debug entry to pam.conf, for “other auth sufficient pam_krb5.so.1″, but when I do this and attempt a new ssh connection to the server, the attempt just fails and nothing is logged. On the server I try to ssh from, I just receive “connection closed by $SERVER_IP”. I tried to increase sshd logging to debug as well, and again the same occurs.

I am trying to get a second server to test with, so I can rule out the server itself, but not having much luck from the powers above. In the mean time, I have to keep plugging away with this server. I have spent a few late nights on this so far, and it’s driving me crazy. Is it possible that the encryption method I am using to generate the keytab, isn’t supported by the solaris server? Also, in an attempt to try and speed up my troubleshooting, I have generated 3 keytab files, one with des-cbc-md5, one with des-cbc-md5 +DesOnly, and one without specifying the -crypto flag at all. My plan was to just copy each one over to kerb5.keytab, anytime I made a chnage to things. Is this a waste of time? I ask because I read somewhere that the KVNO number in the keytab gets incremented each time you run ktpass, which I can see when I run a klist against the keytab files. So, are any keytab files generated previously, just a waste of time, will only the most recent one work? Sorry for all of the questions, but again, thanks for any assistance.

If it helps, I have Solaris 10 and SFU3.5 on Windows 2003 (not R2).

HERE IS MY KRB5.CONF

[libdefaults]
default_realm = NACHO.MAMA.COM
dns_lookup_kdc = true
default_checksum = rsa-md5
default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc
default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc
default_keytab_name = /etc/krb5/krb5.keytab

[realms]
NACHO.MAMA.COM = {
kdc = wwwddciwdconi01.nacho.mama.com
# kdc = wwwddciwdconi02.nacho.mama..com
admin_server = wwwddciwdconi01.nacho.mama.com
}

[domain_realm]
.nacho.mama.com = NACHO.MAMA.COM
.subdomain.nacho.mama.com = NACHO.MAMA.COM

[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable= true
}
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

HERE ARE MY LDAP CLIENT SETTINGS

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= CN=solarisldap,OU=Users,OU=Associates,dc=nacho,dc=mama,dc=com
NS_LDAP_BINDPASSWD= {XXX}XXXXXXXXXXXX
NS_LDAP_SERVERS= 10.25.240.21
NS_LDAP_SEARCH_BASEDN= dc=nacho,dc=mama,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:dc=nacho,dc=mama,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:dc=nacho,dc=mama,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= group:userpassword=msSFU30Password
NS_LDAP_ATTRIBUTEMAP= group:memberuid=msSFU30MemberUid
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=msSFU30GidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=msSFU30Gecos
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=msSFU30GidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=msSFU30UidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:uid=sAMAccountName
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=msSFU30HomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=msSFU30LoginShell
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=msSFU30ShadowFlag
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=msSFU30Password
NS_LDAP_ATTRIBUTEMAP= shadow:uid=sAMAAccountName
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user

HERE IS MY PAM.CONF (other settings)

root@wwwddcissuppi01$cat /etc/pam.conf | grep other
# defined in the “other” section.
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

With these settings, I can do pretty much anything I need, accept the most important part, authenticate AD users. Sorry for the long post, appreciate any help, and I’ll update with any progress.

Shawn

Finally got things working last night, to be honest I’m not really sure what the final fix was. I think it’s safe to say that along the way I made every possible mistake in the process. So, thanks to every one that has posted info here, mainly your mistakes/issues have gotten me to a working point. Scott, thank you so much for putting all of this together. For the most part, if I had slowed down and carefully read your caveats, I would have finished a lot sooner.

Now that I’ve said my thank yous, I have to ask one more question, and see if anyone has fixed this. If I authenticate as an AD user, and then sudo to root, the KRB5CCNAME file, which stores in /tmp in my env., gets updated with root ownership. This doesn’t prevent me from logging in, but until I correct the ownership or remove the file, it generates a couple unwanted messages. This isn’t a big deal now, but if there are hundreds of people logging and doing some form or sudo, it could end up polluting the system log quite a bit. if anyone has any info on this, please do tell. Here are the log entries I receive:

Nov 4 14:22:52 wwwddcissuppi01 sshd[1308]: [ID 375328 auth.error] PAM-KRB5 (setcred): Cannot find creds for smithjo@NACHO.MAMA.COM (Credentials cache file permissions incorrect)
Nov 4 14:22:52 wwwddcissuppi01 sshd[1308]: [ID 720393 auth.error] PAM-KRB5 (setcred): pam_setcred failed for smithjo (Failure setting user credentials).

Thanks again, I’m now off to think about what to do about home directories, so I don’t have to manually create them.

As several have already said here, pam_mkhomedir.so works great for me, to create user home directories. I followed the steps at http://www.webservertalk.com/message1674632.html and it works like a champ. Reading the posts here, I wasn’t too confident that it would be as easy as it was. If anyone else is looking to add creating home directories when a new user logs on, definitely take a look.

So, functionally I am all set now. If anyone happens to know anything about the issue with changing the permissions of the KRB5CCNAME file when doing a sudo, please let me know.

John, you say you got getent group to show the correct list of groups, is that as just a list of group names (as we want) or as a list of distinguished names? If the former then please post your ldap client config!

Hi Nick,

My ldapclient file is as per the instructions here.

I might not have explained that clearly, “getent group groupname” will show all the *members* of a group correctly, as userids. I’ve also found some other interesting anomalies in more testing just now. I’ll try to summarise what I am seeing:

I am logged in via SSH as jgeorges@host. Primary group is set to aaa. In AD, my userid is a member of aaa, bbb and ccc

$ groups
bbb
- Incorrect response
- this is not even the primary group

$ groups jgeorges
aaa bbb ccc
- Correct response!
- using ‘groups $LOGNAME’ would be a generic alternative

$ getent group aaa
aaa::101:rjo,jgeorges,dsimonet
- Correct response!

So it is looking more like just “groups” on its own fails.

To overcome this, you could setup a systemwide command alias:

alias groups=”groups $LOGNAME”

If you put this in /etc/profile, any user who ran “groups” will start getting the correct responses back from the system.

Hope this clarifies, and helps.

John

Hi Scott, did you had the time to check your note for nscd daemon that doesn’t close its connection to the Active Directory and eventually reach it’s file descriptor limit?

Thanks again

Daniel

Scott, can I setup my pam.conf up, so that it prompts for the AD password first, and then asks for the local account password if the AD password is not found? Here is a snip from my pam.conf, which I configured to check for AD first.

# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_krb5.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1

I’ve spent three weeks trying to get this to work, blaming/bashing solaris 10 and cursing. Keytable entry not found and core dumps… truss didn’t reveal much (although I must admit I’m a Windows-guy and my knowledge of Solaris is somewhat limited).

However, I found a solution to my problem and I hope this post will help others that are stuck with the same problem and symptoms. My mistake was using Windows Support Tools Service Pack 1 (and 2). This did not work at all for me, but regressing to ktpass.exe from Windows 2003 WITHOUT servicepacks whatsoever solved everything.

I assume if you’re using the Blastwave approach this will not be a problem for you… But if you’re determined that you don’t need cifs/samba support on your server and still want it to work with an AD, check your KTPASS version (working version ends with a ZERO. 5.2.3790.0 and is 80 kb.

I have authentication working at a Unix level quite nicely but I am having trouble now trying to get samba to work. The smbd daemon dies with a Bus error and when I run it in debug it dies at this point:

Primary group is 0 and contains 0 supplementary groups
pdb_getsampwsid: Building guest account
store_gid_sid_cache: gid 60001 in cache -> S-1-5-21-3640025915-183999177-3362999327-120003
fetch gid from cache 60001 -> S-1-5-21-3640025915-183999177-3362999327-120003
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
NT user token: (NULL)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
Bus Error(coredump)

If I remove ldap from nsswitch.conf it starts up without any problem.

I have tried Samba from but the stable and unstable branches of Blastwave.

This is probably something simple, but any pointers on where to look would be great.

Cheers
John