[geeks] Authenticating Solaris 9 from AD

velociraptor velociraptor at gmail.com
Tue Sep 27 13:42:40 CDT 2005


On 9/27/05, Mike Meredith <mike at redhairy1.demon.co.uk> wrote:
> On Tue, 27 Sep 2005 10:07:46 -0400, geeks at litfire.com wrote:
> > I'm looking into authenticating Solaris 9 users against an AD box we'd
> > put into a colo.  From the looks of what I've Googled, there's either
> > a mix of roll-your-own with OpenLDAP, Samba, Windows Services for
>
> Be afraid, very, very *very* afraid.
>
> I've been doing the equivalent with Novell's NDS, and it is somewhat
> painful. I gather using Sun's DS isn't so bad, but I suspect using AD
> will be closer to NDS.
>
> The trouble is that there is very little diagnostic information when
> things go wrong to the extent that I was changing the Solaris machine to
> talk in plain text (insecure and wouldn't work) just to get a packet
> dump to get a little more information.
>
> Running something like 'id meredith' would result in just 'No such
> user', and there would be nothing in the logs to indicate what the
> problem might be (something like "ldapauth: 'meredith' lacks 'gecos',
> 'loginShell' attributes" would be nice).
>
> And just to keep things interesting, the ldapclient command does things
> behind your back (copies /etc/nsswitch.ldap to /etc/nsswitch.conf (I
> think), starts autofs, restarts Sendmail even if you don't have it
> running/installed, etc.)
>
> Find a definitive list of what attributes Solaris requires to
> authenticate (I don't have a list to hand, but it includes stuff from
> posixAccount and shadowAccount classes), and ensure that the accounts
> you're trying do have those attributes.

My investigation suggested that sufficient changes were necessary
to the AD schema that it would be a nightmare unless the enterprise
size was large enough for the additional work to make sense.  In
particular, since there had been no attempt to "normalize" UNIX vs
Windows UIDs, etc., in our environment, a lot of work would need to
be done.

If you are starting from ground zero it might be easier, but for the
above issues.

=Nadine=
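The per-account attribute check that, as Mike notes above, Solaris never prints for you, written here as an added example that is not code from either poster: run `ldapsearch` for the candidate accounts and pass its LDIF output to `diagnose()`, which lists the RFC 2307 attributes and object classes each entry lacks. The REQUIRED/RECOMMENDED lists are my reading of RFC 2307 and this thread rather than Sun's definitive list, and the sample LDIF is constructed.

```python
import base64
# REQUIRED = MUST attributes of RFC 2307 posixAccount (uid is shadowAccount's
# MUST too); RECOMMENDED is inferred from the thread's gecos/loginShell failures.
REQUIRED = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")
RECOMMENDED = ("loginShell", "gecos")
CLASSES = ("posixAccount", "shadowAccount")

def parse_ldif(text):
    """ldapsearch LDIF -> [{attr_lowercase: [values]}], one dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # unfold continuation lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                  # sentinel flushes last entry
        if not line.strip():
            if "dn" in cur:                    # "result:" trailer has no dn
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):         # skip LDIF comments
            attr, _, value = (s.strip() for s in line.partition(":"))
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr.lower(), []).append(value)
    return entries

def check_entry(entry):
    """Return (missing_required, missing_recommended, missing_objectClasses)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return ([a for a in REQUIRED if a.lower() not in entry],
            [a for a in RECOMMENDED if a.lower() not in entry],
            [c for c in CLASSES if c.lower() not in classes])

def diagnose(ldif_text):   # uid -> check_entry(): what Solaris' 'id' never tells you
    return {e["uid"][0]: check_entry(e) for e in parse_ldif(ldif_text) if "uid" in e}

# Constructed sample: carries the POSIX classes yet still fails 'id' on Solaris.
SAMPLE_LDIF = """\
dn: CN=meredith,OU=Users,DC=example,DC=test
objectClass: posixAccount
objectClass: shadowAccount
uid: meredith
uidNumber: 10042
gidNumber: 100
homeDirectory:: L2V4cG9ydC9ob21lL21lcmVkaXRo

result: 0 Success
"""
```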
