Comments on: Solaris 10-AD Integration, Version 3 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/ The weblog of an IT pro specializing in virtualization, storage, and servers Fri, 21 Nov 2008 06:37:57 +0000 http://wordpress.org/?v=2.6 By: vanpeer http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-42392 vanpeer Fri, 14 Nov 2008 13:39:55 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-42392 Hello, Some body know how to debug the pam_mkhomedir.so for Solaris? I followed this http://www.keutel.de/pam_mkhomedir/index.html to compile the pam_mkhomedir.so and the compilation is fine I put this line into /etc/pam.conf : other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022 debug But nothing work. The user of openldap base can logon but no directory create. Is it normal ? How can i debug it ? Thanks by advance for you answer. Hello,

Some body know how to debug the pam_mkhomedir.so for Solaris?

I followed this http://www.keutel.de/pam_mkhomedir/index.html to compile the pam_mkhomedir.so and the compilation is fine
I put this line into /etc/pam.conf :
other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022 debug

But nothing work. The user of openldap base can logon but no directory create. Is it normal ? How can i debug it ?
Thanks by advance for you answer.

]]> By: Henrik Enblom http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-42260 Henrik Enblom Tue, 04 Nov 2008 09:41:49 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-42260 Tony, I had the same problem - ForestDnsZones.xxxxx.xxx did not resolve. It seems I had forgotten to add the adequate 'dns' entries in 'nsswitch.conf' after running the 'ldapclient' utility... ------------------ hosts files dns ------------------ //Henrik Tony,

I had the same problem - ForestDnsZones.xxxxx.xxx did not resolve. It seems I had forgotten to add the adequate ‘dns’ entries in ‘nsswitch.conf’ after running the ‘ldapclient’ utility…

——————
hosts files dns
——————

//Henrik

]]> By: slowe http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-41863 slowe Tue, 07 Oct 2008 13:23:28 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-41863 Dstan, The domain_realm section isn't about multiple AD domains, it's about multiple DNS domains, and mapping those DNS domains to the corresponding Kerberos realm (or AD domain). In the example configuration, systems from both the example.com and subdomain.example.com DNS domains will authenticate against the EXAMPLE.COM Kerberos realm (or AD domain). I haven't found a way to authenticate against multiple AD domains, although I'm sure there is a way. Good luck! Dstan,

The domain_realm section isn’t about multiple AD domains, it’s about multiple DNS domains, and mapping those DNS domains to the corresponding Kerberos realm (or AD domain). In the example configuration, systems from both the example.com and subdomain.example.com DNS domains will authenticate against the EXAMPLE.COM Kerberos realm (or AD domain). I haven’t found a way to authenticate against multiple AD domains, although I’m sure there is a way.

Good luck!

]]> By: dstan http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-41862 dstan Tue, 07 Oct 2008 12:11:39 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-41862 I am working on the same issue as Hayat - trying to authenticate members of multiple domains to the same UNIX server. Of course we are having some issues, but we are still working through it and if we find a cmoplete solution I will post here again. But my question is regarding your sample krb5.conf file. You have multiple domains listed in the realms section [domain_realm] .example.com = EXAMPLE.COM .subdomain.example.com = EXAMPLE.COM Which would seem to indicate that both users from example.com and subdomain.example.com should be able to authenticate. Is this the case in your testing, or were you testing strictly against a single domain structure? I know in LDAP is we actually had UNIX hosts acting ad KDC's we can do cross realm authentication (both heirarchical and non) but as of yet, since the AD servers act as the KDC's and trust is setup within AD, we have not been able to find a definitive answer. The only thing we can think of, and we will be trying today, is to create the machine in both domains and merge the keytabs so that the machine essentially exists in both domains. Oh yes, of course we have to use the GC port (3268) and there was a specific patch level we had to be on for the follow referrers for the GC port to work, but that is as far as we have gotten so far. Any ideas are welcome. Thanks I am working on the same issue as Hayat - trying to authenticate members of multiple domains to the same UNIX server. Of course we are having some issues, but we are still working through it and if we find a cmoplete solution I will post here again. But my question is regarding your sample krb5.conf file.

You have multiple domains listed in the realms section
[domain_realm]
.example.com = EXAMPLE.COM
.subdomain.example.com = EXAMPLE.COM
Which would seem to indicate that both users from example.com and subdomain.example.com should be able to authenticate. Is this the case in your testing, or were you testing strictly against a single domain structure?

I know in LDAP is we actually had UNIX hosts acting ad KDC’s we can do cross realm authentication (both heirarchical and non) but as of yet, since the AD servers act as the KDC’s and trust is setup within AD, we have not been able to find a definitive answer.

The only thing we can think of, and we will be trying today, is to create the machine in both domains and merge the keytabs so that the machine essentially exists in both domains.

Oh yes, of course we have to use the GC port (3268) and there was a specific patch level we had to be on for the follow referrers for the GC port to work, but that is as far as we have gotten so far. Any ideas are welcome.

Thanks

]]> By: slowe http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40883 slowe Mon, 25 Aug 2008 16:42:27 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40883 Hayat, AFAIK, you can't authenticate against multiple AD domains. Hayat,

AFAIK, you can’t authenticate against multiple AD domains.

]]> By: Hayat http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40867 Hayat Sun, 24 Aug 2008 11:11:22 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40867 Thank you so much slowe, it is working fine but i have one more question i have one parent domain and 4 child domain.my all parent dc users are working fine my question is how can add my all child domain nd how can assign the unix attributes for child and how can use remot NIS server as PDC please help.mean i need to authenticate all domain users (parnet domain,child domain users) throgh sun box1 using ldap if you have any sample EXample?any sugguation for that?? Thanks Again for great help Regards Hayat Thank you so much slowe,
it is working fine but i have one more question i have one parent domain and 4 child domain.my all parent dc users are working fine my question is how can add my all child domain nd how can assign the unix attributes for child and how can use remot NIS server as PDC please help.mean i need to authenticate all domain users (parnet domain,child domain users) throgh sun box1 using ldap if you have any sample EXample?any sugguation for that??
Thanks Again for great help
Regards
Hayat

]]> By: Bart http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40844 Bart Fri, 22 Aug 2008 21:54:22 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40844 Hi Scott - I've been excited by the possibilities of Single Sign On and *NIX/AD integration since I first learned that Micro$oft had elected to implement LDAP and Kerberos. Fantastic to see the state of the technology on this so far along now. You have performed quite a service to the tech community by pulling all this together, thank you. Can you or anyone here give us all a sense of what the sizes are of the environments where *NIX/AD integration is being used? How many *NIX systems? How many users? What *NIX variants have been successfully integrated besides Solaris & Linux? HP-UX? AIX? *BSD? How about if we all agree to keep our organizations anonymous, but some quantification of where we are all at would be great. Thank you all for working to move the world forward. Warm regards, Bart Hi Scott -

I’ve been excited by the possibilities of Single Sign On and *NIX/AD integration since I first learned that Micro$oft had elected to implement LDAP and Kerberos. Fantastic to see the state of the technology on this so far along now.

You have performed quite a service to the tech community by pulling all this together, thank you.

Can you or anyone here give us all a sense of what the sizes are of the environments where *NIX/AD integration is being used?

How many *NIX systems?
How many users?

What *NIX variants have been successfully integrated besides Solaris & Linux? HP-UX? AIX? *BSD?

How about if we all agree to keep our organizations anonymous, but some quantification of where we are all at would be great.

Thank you all for working to move the world forward.

Warm regards,

Bart

]]> By: slowe http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40784 slowe Wed, 20 Aug 2008 10:52:02 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40784 Hayat, Try this: -a serviceSearchDescriptor=passwd:dc=mani,dc=com?sub \ -a serviceSearchDescriptor=group:dc=mani,dc=com?sub See if that helps. Good luck! Hayat,

Try this:

-a serviceSearchDescriptor=passwd:dc=mani,dc=com?sub \
-a serviceSearchDescriptor=group:dc=mani,dc=com?sub

See if that helps. Good luck!

]]> By: Hayat http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40780 Hayat Wed, 20 Aug 2008 08:47:44 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40780 Hi slowe, Still no luck ldapclient manual \ -a credentialLevel=proxy \ -a authenticationMethod=simple \ -a proxyDN=cn=test,cn=users,dc=mani,dc=com \ -a proxyPassword=Admin123 \ -a defaultSearchBase=dc=mani,dc=com \ -a domainName=mani.com \ -a "defaultServerList=192.168.1.89" \ -a attributeMap=group:userpassword=msSFU30Password \ -a attributeMap=group:memberuid=msSFU30MemberUid \ -a attributeMap=group:gidnumber=msSFU30GidNumber \ -a attributeMap=passwd:gecos=msSFU30Gecos \ -a attributeMap=passwd:gidnumber=msSFU30GidNumber \ -a attributeMap=passwd:uidnumber=msSFU30UidNumber \ -a attributeMap=passwd:uid=sAMAccountName \ -a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \ -a attributeMap=passwd:loginshell=msSFU30LoginShell \ -a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \ -a attributeMap=shadow:userpassword=msSFU30Password \ -a attributeMap=shadow:uid=sAMAccountName \ -a objectClassMap=group:posixGroup=group \ -a objectClassMap=passwd:posixAccount=user \ -a objectClassMap=shadow:shadowAccount=user \ -a serviceSearchDescriptor=passwd:dc=mani,dc=com? \ -a serviceSearchDescriptor=group:dc=mani,dc=com? "newall.sh" 26 lines, 1104 characters bash-3.00# bash-3.00# sh newall.sh System successfully configured bash-3.00# cp /opt/nsswitch.conf /etc bash-3.00# id test id: invalid user name: "test" bash-3.00# id test01 id: invalid user name: "test01" bash-3.00# Please help Thanks Hayat Hi slowe,
Still no luck

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=test,cn=users,dc=mani,dc=com \
-a proxyPassword=Admin123 \
-a defaultSearchBase=dc=mani,dc=com \
-a domainName=mani.com \
-a “defaultServerList=192.168.1.89″ \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=mani,dc=com? \
-a serviceSearchDescriptor=group:dc=mani,dc=com?

“newall.sh” 26 lines, 1104 characters
bash-3.00#
bash-3.00# sh newall.sh
System successfully configured
bash-3.00# cp /opt/nsswitch.conf /etc
bash-3.00# id test
id: invalid user name: “test”
bash-3.00# id test01
id: invalid user name: “test01″
bash-3.00#

Please help Thanks
Hayat

]]> By: Hayat http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40777 Hayat Wed, 20 Aug 2008 08:07:18 +0000 http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/#comment-40777 I check but still no luck please can you change the line for me for pointing the domain my domain is mani.com -a serviceSearchDescriptor=passwd:ou=UNIX-OU?sub \ -a serviceSearchDescriptor=group:ou=UNIX-OUsub I check but still no luck please can you change the line for me
for pointing the domain my domain is mani.com

-a serviceSearchDescriptor=passwd:ou=UNIX-OU?sub \
-a serviceSearchDescriptor=group:ou=UNIX-OUsub

]]>