Do you or anyone out there have any new info on getting

“…password management (the ability to change an AD
password from Solaris) ..”

working ? I haven’t been able to find any.
Bill

I’ve managed to get LDAPS+KRB5 working on Sol10U9, RHEL5.6, and RHEL6.0 to Win2k8R2. I’m using keytabs to prove the authenticity of the KDC, and stubbornly using LDAPS rather than LDAP.

Secondary Groups aren’t working for me in Solaris nor RHEL6.

Of particular annoyance was that Window 2008 R2 doesn’t like using AES256/128 for keytabs. I’m using RC4-HMAC.

Doco’ed here:

https://osdude.wordpress.com/2011/08/12/authenticating-unixlinux-to-windows-2008r2-part-1-set-up-windows/

https://osdude.wordpress.com/2011/08/11/authenticating-unixlinux-to-windows-2008r2-part-2-solaris-10/

https://osdude.wordpress.com/2011/08/12/authenticating-unixlinux-to-windows-2008r2-part-3-rhel-5-6/

https://osdude.wordpress.com/2011/08/12/authenticating-unixlinux-to-windows-2008r2-part-4-rhel-6-0/

etc..

cheers- chris

After many hours of looking around the internet, I was excited to find your Solaris-oriented description of how to integrate Solaris and AD. But one thing still isn’t clear. What value should be entered for the “proxyPassword in the ldapclient command? The administrative user password for the AD server, the root password for the Solaris system or some other value?

Thanks!

I tried to run samba server without actually running net ads join, with all the proper config in smb.conf such as security = ads, encrypt passwords = yes, use kerberos keytab = true and whole shebang, but I’m getting errors. Also, I don’t want to specify an explicit password server directive in the smb.conf. Someone tell me why samba is insistent on running net ads join command and essentially duplicating what I setup already anyway? The other problem is “net ads” requires windows Admin password, which I dont have. My questions

1. How to avoid running the net ads join altogether?
2. If I’m forced to run net ads anyway, how can I make it run as an non-admin user? (I studied Eric Roseme’s paper which is a bit dated)
3. Even if I run net ads I don’t want it to mess with krb5.keytab, Why does it have to anyway? I already got valid tickets (generated with ktpass.exe) for the authentication supported by Samba arcfour, DES etc.

The real issue, I’m trying to avoid is having to run to Windows admins every time there is an issue as the unix/windows teams are run independently. There must be a way out of not running net ads join and still have samba work…Thanks.

Thank you for your very helpful articles.

I’m coming back with a question about supplementary groups.

I’m using schema extensions provided by Windows Server 2003 R2.
All group memberships work fine when I configure ldapclient with the following mappings:
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:uniquemember=member
This makes it necessary to administer two attributes in AD.
In my Linux environment this is not necessary. The Linux LDAP client supports RF2307bis and follows the DN in member attribute to get the uid from the user entry.
I tried to invalidate the memberuid Attribute in Solaris by
NS_LDAP_ATTRIBUTEMAP= group:memberuid=noSuchAttribute
But this didn’t help.

Is it possible to activate this RF2307bis support also in Solaris-LDAP?

Thanks
Heiner

“The kerberos part seems to work since since when I use kinit “ADuser” and type in the correct password nothing comes back.

However, on the ldap client side I’m having a problem where running getent “ADuser” returns nothing”

Now, I have the same problem.
Can you share which attribute mappings errors?Thanks.