[geeks] Authenticating Solaris 9 from AD

Mike Meredith mike at redhairy1.demon.co.uk
Tue Sep 27 13:09:28 CDT 2005


On Tue, 27 Sep 2005 10:07:46 -0400, geeks at litfire.com wrote:
> I'm looking into authenticating Solaris 9 users against an AD box we'd
> put into a colo.  From the looks of what I've Googled, there's either
> a mix of roll-your-own with OpenLDAP, Samba, Windows Services for

Be afraid, very, very *very* afraid.

I've been doing the equivalent with Novell's NDS, and it is somewhat
painful. I gather using Sun's DS isn't so bad, but I suspect using AD
will be closer to NDS. 

The trouble is that there is very little diagnostic information when
things go wrong to the extent that I was changing the Solaris machine to
talk in plain text (insecure and wouldn't work) just to get a packet
dump to get a little more information. 

Running something like 'id meredith' would result in just 'No such
user', and there would be nothing in the logs to indicate what the
problem might be (something like "ldapauth: 'meredith' lacks 'gecos',
'loginShell' attributes" would be nice).

And just to keep things interesting, the ldapclient command does things
behind your back (copies /etc/nsswitch.ldap to /etc/nsswitch.conf (I
think), starts autofs, restarts Sendmail even if you don't have it
running/installed, etc.)

Find a definitive list of what attributes Solaris requires to
authenticate (I don't have a list to hand, but it includes stuff from
posixAccount and shadowAccount classes), and ensure that the accounts
you're trying do have those attributes.
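
[Added example; this is not part of Mike's message or of the list archive.]
The last paragraph above says to make sure the accounts carry the
posixAccount/shadowAccount attributes, and an earlier one complains that the
client reports nothing more than 'No such user'. The script below does that
check offline on LDIF of the kind an OpenLDAP-style ldapsearch prints: it
parses the entries and reports, per user, which object class or attribute is
missing, which numeric attribute is not numeric, and so on. The required set
it checks is an assumption drawn from the RFC 2307 posixAccount MUST
attributes plus loginShell and gecos (the two the message names) and the
shadowAccount class; it is not a definitive Solaris list, so adjust it to
your client's mapping. The LDIF in SAMPLE_LDIF is constructed sample data,
not output of any real directory.

```python
"""Offline pre-flight check of LDAP user entries a Solaris nss_ldap/pam_ldap
client will look up.  Feed it the LDIF that ldapsearch prints and it reports,
per user, which posixAccount/shadowAccount pieces are missing, instead of the
bare 'No such user' the client gives you.

ASSUMPTION: the required set below is the RFC 2307 posixAccount MUST
attributes plus loginShell/gecos and the shadowAccount class; it is not a
definitive Solaris list.  Adjust to your client's attribute mapping.
"""
import base64
import re
import sys

REQUIRED_CLASSES = ("posixAccount", "shadowAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "homeDirectory",
                  "loginShell", "gecos")
NUMERIC_ATTRS = ("uidNumber", "gidNumber")

# Constructed sample in the shape ldapsearch emits; not from any real
# directory.  'meredith' mirrors the failure described in the message: the
# entry exists but has no POSIX classes and attributes.  'admin' is complete
# and includes one folded line and one base64 ('::') value for the parser.
SAMPLE_LDIF = """\
# constructed sample
dn: CN=Mike Meredith,OU=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
uid: meredith
uidNumber: 10042
gidNumber: 100
homeDirectory: /export/home/meredith

dn: CN=Example Admin,OU=Users,DC=example,DC=com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
uid: admin
uidNumber: 10001
gidNumber: 100
homeDirectory: /export/home/a
 dmin
loginShell: /bin/ksh
gecos:: RXhhbXBsZSBBZG1pbg==

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse the LDIF subset ldapsearch prints into a list of dicts
    (lower-cased attribute name -> list of values).  Handles folded
    continuation lines (leading space), '#' comments and base64 ('::')
    values; attribute names are lower-cased because LDAP compares them
    case-insensitively."""
    entries, cur = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():          # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # not an attribute line
        if value.startswith(":"):     # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(name.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def check_entry(entry):
    """Return the list of problems that would stop this entry resolving as a
    passwd/shadow user; an empty list means it looks usable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for oc in REQUIRED_CLASSES:
        if oc.lower() not in classes:
            problems.append("missing objectClass %s" % oc)
    for attr in REQUIRED_ATTRS:
        values = entry.get(attr.lower(), [])
        if not values or not values[0]:
            problems.append("lacks '%s'" % attr)
    for attr in NUMERIC_ATTRS:
        for v in entry.get(attr.lower(), []):
            if not v.isdigit():
                problems.append("'%s' is not numeric: %r" % (attr, v))
    return problems


def audit(ldif_text):
    """Map each user (uid, or dn when uid is absent) to its list of problems.
    Entries without a dn (the 'search:'/'result:' trailer) are ignored."""
    report = {}
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:
            continue
        key = entry.get("uid", entry["dn"])[0]
        report[key] = check_entry(entry)
    return report


if __name__ == "__main__":
    # Usage (OpenLDAP-style client):  ldapsearch -x -LLL ... | python ldapcheck.py
    # With no piped input the constructed sample above is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for user, problems in sorted(audit(text).items()):
        print("%s: %s" % (user, "; ".join(problems) or "ok"))
```

Run against the sample it prints 'admin: ok' and, for meredith, the two
missing object classes and the two missing attributes, which is roughly the
diagnostic the message wishes the client itself would log. The whole check
runs against a text dump, so it can be done before pointing ldapclient at the
directory at all.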


