Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Solaris 11.1 login authenticate with windows active directory
Special Forums IP Networking Proxy Server Solaris 11.1 login authenticate with windows active directory Post 302917309 by Skrynesaver on Tuesday 16th of September 2014 01:29:31 AM
Old 09-16-2014
Yes, but it is a many stage process...

On the AD server you need to install the Unix schema, add a proxy account and add the Unix properties to the relevant users

On the Solaris host you need to add domain and search to dns, set up Kerberos, LDAP client and PAMD entries...

This looks like a good online resource on the topic
 

6 More Discussions You Might Find Interesting

1. Linux

How to Unite Redhat 9 Linux with Windows 2003 Active Directory authentication

Dear All, How to configure a Redhat 9 client to windows 2003 server. I have windows 2003 server which act has domain controller in my office. I have been asked to use redhat 9 has client. how to configure so that redhat 9 can authenticate with windows 2003 server .I have username created in... (0 Replies)
Discussion started by: solaris8in
0 Replies

2. Solaris

Connecting Solaris 9 to Windows Active Directory

Hi Everyone, Is it possible to for Solaris 9 box to join a Windows 2000 Active Directory Domain using Samba 3.X. If so are there any How To's out there or does anyone have experience with this. I have successfully done it with RHEL 3. Things that I configured in REDHAt to get it to... (0 Replies)
Discussion started by: morphous
0 Replies

3. Solaris

Connect smbclient to an windows server 2003 with active directory

Hello everybody .. i want connect with smbclient to an windows server 2003 with active directory. Exist a version of samba that can do this? Thank you very much for your time. Good Luck :b: (3 Replies)
Discussion started by: enkei17
3 Replies

4. Shell Programming and Scripting

UNIX Script to query Active Directory: give cn (NT login name) and receive mail (Email address)

Hi folks I need to write UNIX script (with ldapsearch) to query Active Directory. Input is NT login name and output is Email address. Attached a screenshot of Sysinternals "AD Explorer". I need to do the same in CLI. http://i.imgur.com/4s6FB.png I am absolute LDAP/ldapsearch noob. (0 Replies)
Discussion started by: slashdotweenie
0 Replies

5. AIX

Authenticate AIX users from MS Active Directory

First, let me start off saying this is not spam. This is me trying to help out other AIX Admins with MS AD servers. If it is not applicable to you, someone else will find it useful. As long as the "KDC" service is running on your AD server, these steps should work. There should be no... (3 Replies)
Discussion started by: kah00na
3 Replies

6. Solaris

Authenticating UNIX (Solaris 11) to Windows 2012R2 / Active Directory

Gentleman, i am trying to setup Authentication for my Solaris 11 Server through Active Directory (Server 2012 R2). At least some things are already working, for example a getent passwd mydomainuser and ldapsearch command comes back with a correct result. So not everything i did was wrong. ... (1 Reply)
Discussion started by: bahnhasser83
1 Replies

LEARN ABOUT OPENSOLARIS

krb5_auth_rules

krb5_auth_rules(5)					Standards, Environments, and Macros					krb5_auth_rules(5)

NAME

       krb5_auth_rules - overview of Kerberos V5 authorization

DESCRIPTION

       When  kerberized  versions of the ftp, rdist, rcp, rlogin, rsh, telnet, or ssh clients are used to connect to a server, the identity of the
       originating user must be authenticated to the Kerberos V5 authentication system. Account access	can  then  be  authorized  if  appropriate
       entries	exist in the ~/.k5login file, the gsscred table, or if the default GSS/Kerberos authentication rules successfully map the Kerberos
       principal name to Unix login name.

       To avoid security problems, the ~/.k5login file must be owned by the remote user on the server the client is attempting to access. The file
       should contain a private authorization list comprised of Kerberos principal names of the form principal/instance@realm. The /instance vari-
       able  is  optional  in  Kerberos   principal   names.   For   example,	different   principal	names	such   as   jdb@ENG.ACME.COM   and
       jdb/happy.eng.acme.com@ENG.ACME.COM  would  each  be legal, though not equivalent, Kerberos principals. The client is granted access if the
       ~/.k5login file is located in the login directory of the remote user account and if the originating user can be authenticated to one of the
       principals named in the file. See gkadmin(1M) and kadm5.acl(4) for more information on Kerberos principal names.

       When no ~/.k5login file is found in the remote user's login account, the Kerberos V5 principal name associated with the originating user is
       checked against the gsscred table. If a gsscred table exists and the principal name is matched in the table, access is granted if the  Unix
       user  ID listed in the table corresponds to the user account the client is attempting to access. If the Unix user ID does not match, access
       is denied. See gsscred(1M).

       For example, an originating user listed in the gsscred table with the principal name jdb@ENG.ACME.COM and the uid 23154 is  granted  access
       to the jdb-user account if 23154 is also the uid of jdb-user listed in the user account database. See passwd(4).

       Finally, if there is no ~/.k5login file and the Kerberos V5 identity of the originating user is not in the gsscred table, or if the gsscred
       table does not exist, the client is granted access to the account under the following conditions (default GSS/Kerberos auth rules):

	   o	  The user part of the authenticated principal name is the same as the Unix account name specified by the client.

	   o	  The realm part of the client and server are the same, unless the krb5.conf(4) auth_to_local_realm parameter is  used	to  create
		  equivalence.

	   o	  The Unix account name exists on the server.

       For example, if the originating user has the principal name jdb@ENG.ACME.COM and if the server is in realm SALES.ACME.COM, the client would
       be denied access even if jdb is a valid account name on the server. This is because the realms SALES.ACME.COM and ENG.ACME.COM differ.

       The krb5.conf(4) auth_to_local_realm parameter also affects authorization. Non-default realms can be equated with  the  default	realm  for
       authenticated name-to-local name mapping.

FILES

       ~/.k5login     Per user-account authorization file.

       /etc/passwd    System account file. This information may also be in a directory service. See passwd(4).

ATTRIBUTES

       See attributes(5) for a description of the following attributes:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       ftp(1),	rcp(1),  rdist(1),  rlogin(1),	rsh(1), telnet(1), gkadmin(1M), gsscred(1M), kadm5.acl(4), krb5.conf(4), passwd(4), attributes(5),
       gss_auth_rules(5)

SunOS 5.11							    07 Apr 2006 						krb5_auth_rules(5)
All times are GMT -4. The time now is 06:49 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy