[geeks] Authenticating Solaris 9 from AD

David Stipp dstipp at coolhack.net
Tue Sep 27 13:50:55 CDT 2005


On Tue, Sep 27, 2005 at 07:09:28PM +0100, Mike Meredith wrote:
> On Tue, 27 Sep 2005 10:07:46 -0400, geeks at litfire.com wrote:
> > I'm looking into authenticating Solaris 9 users against an AD box we'd
> > put into a colo.  From the looks of what I've Googled, there's either
> > a mix of roll-your-own with OpenLDAP, Samba, Windows Services for
> 
> Be afraid, very, very *very* afraid.

Indeed...

It depends on what you're doing though. If all you are talking about is
*authenticating* users, just use kerberos, with the proper ticket types,
and set the KDCs as the domain controllers.  That's cake.

If you're talking about authentication *and* naming services, then it
gets more fun. (Either way, I suggest working kerberos into whatever
solution you go with. :-) ) 

> I've been doing the equivalent with Novell's NDS, and it is somewhat
> painful. I gather using Sun's DS isn't so bad, but I suspect using AD
> will be closer to NDS. 

I have a unix-only solution using openldap + mit krb5. Works pretty
nicely between linux & solaris machines.

> The trouble is that there is very little diagnostic information when
> things go wrong to the extent that I was changing the Solaris machine to
> talk in plain text (insecure and wouldn't work) just to get a packet
> dump to get a little more information. 

I found it was easier to set my ldap server to output way too much debug
information, and go through that.

> Running something like 'id meredith' would result in just 'No such
> user', and there would be nothing in the logs to indicate what the
> problem might be (something like "ldapauth: 'meredith' lacks 'gecos',
> 'loginShell' attributes" would be nice).

That *does* work with mine. Are you sure you have nss set up right? Or
all the correct fields for each user entry?

> Find a definitive list of what attributes Solaris requires to
> authenticate (I don't have a list to hand, but it includes stuff from
> posixAccount and shadowAccount classes), and ensure that the accounts
> you're trying do have those attributes.

ldaplist -h gives a nice list of the major categories, but that's not
what you're meaning. :-)

A great howto to read would be:
http://www.ofb.net/~jheiss/krbldap/howto.html

If you follow that, all you will have to add is
'objectClass: shadowAccount' to the records and it will work on Solaris.

Worked for me anyway.

David

-- 
David Stipp <dstipp at coolhack.net>
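The thread above asks for a definitive list of the attributes a Solaris LDAP client needs and wishes the client would say which ones an entry lacks. The following script is an added example, not code from the original post or from any of the people in it: it reads an LDIF export, checks each user entry against the RFC 2307 posixAccount MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory), flags entries without the shadowAccount objectClass the post says Solaris needs, and reports missing loginShell/gecos, the two attributes the quoted diagnostic mentions. The LDIF is constructed sample data; the names, OUs and numbers in it are made up.

```python
"""Check LDAP user entries for the attributes a Solaris LDAP naming
service client expects (RFC 2307 posixAccount plus shadowAccount).

Added example; the LDIF below is constructed sample data.
"""
from typing import Dict, List

# RFC 2307 MUST attributes per object class.
REQUIRED = {
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "shadowAccount": ["uid"],
}
# Optional in RFC 2307, but a login without them is the usual source of
# "No such user" style failures, so report them too.
RECOMMENDED = ["loginShell", "gecos"]

# Constructed sample: first entry lacks shadowAccount, loginShell and gecos;
# second entry is complete.
SAMPLE_LDIF = """\
dn: uid=meredith,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
cn: Mike Meredith
uid: meredith
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/meredith

dn: uid=dstipp,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
cn: David Stipp
uid: dstipp
uidNumber: 10002
gidNumber: 100
homeDirectory: /home/dstipp
loginShell: /bin/sh
gecos: David Stipp
shadowLastChange: 13000
shadowMax: 99999
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines starting with a single space, '#' comments.
    Base64 (::) and URL (:<) values are not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # folded line continuation
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the problems found in one entry; an empty list means the
    entry carries everything the Solaris client needs."""
    problems: List[str] = []
    classes = entry.get("objectClass", [])
    uid = entry.get("uid", ["?"])[0]
    if "posixAccount" not in classes:
        problems.append(f"{uid}: missing objectClass posixAccount")
    if "shadowAccount" not in classes:
        problems.append(f"{uid}: missing objectClass shadowAccount")
    for cls, attrs in REQUIRED.items():
        if cls in classes:
            for a in attrs:
                if a not in entry:
                    problems.append(f"{uid}: {cls} requires '{a}'")
    for a in RECOMMENDED:
        if a not in entry:
            problems.append(f"{uid}: lacks '{a}'")
    return problems


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's uid to its list of problems."""
    return {e.get("uid", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for uid, problems in check_ldif(SAMPLE_LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Run it against an `ldapsearch -LLL` export of ou=People to get the per-user diagnostic the thread wished nss_ldap produced. Adding `objectClass: shadowAccount` to the first sample entry, plus a loginShell and gecos, brings it to an empty problem list.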
