Solaris10 and Windows2000 authentication.

Tags
ldap, solaris, solaris10, solved, windows

Login to Reply

 
Thread Tools Search this Thread
# 1  
Old 1 Week Ago
Solaris10 and Windows2000 authentication.

Only for testing/learning I have setup a windows 2000 server with active directory
I connect to it a Solaris 10 machine "client".
I want Solaris10 take users from AD
I have follow this guide..


a)Setup active directory environment+services for UNIX
OK


b)I have created two users,one for ldap search(called proxyldap) and another for solaris server called host-solaris10
on AD windows 2000 server


c)I have create a kerberos keytab on Windows 2000 AD and copy to /etc/krb5.keytab of solaris


Code:
ktpass -princ HOST/solaris10.site.fake@SITE.FAKE -mapuser host-solaris10 -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out krb5.keytab


d)On solaris I have edited /etc/krb5/krb5.conf


Code:
[libdefaults]
   default_realm = SITE.FAKE
   dns_lookup_kdc = true
   verify_ap_req_nofail = false

[realms]
   SITE.FAKE = {
   kdc = windows2000.site.fake
   admin_server = windows2000.site.fake
   }

[domain_realm]
   .site.fake = SITE.FAKE

[logging]
   default = FILE:/var/krb5/kdc.log
   kdc = FILE:/var/krb5/kdc.log
   kdc_rotate = {
   period = 1d
   version = 10
 }

[appdefaults]
   kinit = {
   renewable = true
   forwardable= true
   }


e)Now configure the ldap client


Code:
ldapclient manual \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a proxyDN=cn=proxyldap,cn=Users,dc=site,dc=fake \
 -a proxyPassword=***** \
 -a defaultSearchBase=dc=site,dc=fake \
 -a defaultSearchScope=sub \
 -a domainName=site.bac \
 -a "preferredServerList=10.6.0.1" \
 -a "defaultServerList=10.6.0.1" \
 -a followReferrals=false \
 -a attributeMap=group:userpassword=userPassword \
 -a attributeMap=group:gmemberuid=memberUid \
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=passwd:uid=cn \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=unixHomeDirectory \
 -a attributeMap=passwd:loginshell=loginShell \
 -a attributeMap=shadow:uid=cn \
 -a attributeMap=shadow:shadowflag=shadowFlag \
 -a attributeMap=shadow:userpassword=userPassword \
 -a objectClassMap=group:posixGroup=group \
 -a objectClassMap=passwd:posixAccount=user \
 -a objectClassMap=shadow:shadowAccount=user \
 -a serviceSearchDescriptor=passwd:dc=site,dc=fake?sub \
 -a serviceSearchDescriptor=group:dc=site,dc=fake?sub


f)Now configure /etc/nsswitch.conf


Code:
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# DNS service expects that an instance of svc:/network/dns/client be
# enabled and online.

passwd:     files ldap
group:      files ldap

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:   files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files


and pam.conf


Code:
#
#ident  "@(#)pam.conf   1.32    11/04/08 SMI"
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1

#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1

#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#


Will work?


The command ldaplist return my ldap user


Code:
ldaplist passwd myuser
dn: uid=myuser,uid=Users,DC=site,DC=fake



kinit is ok


Code:
echo userpassword|kinit myuser


But..when I try getent,or id,or su..only works for local files and not ldap.
Why?
# 2  
Old 1 Week Ago
You provide a lot of great information; however you do not provide some of the most important information, which is the log file entries.

If you want to solve a problem on a server, the first place to start are with the messages in the log files.
# 3  
Old 6 Days Ago
Quote:
Originally Posted by Neo
You provide a lot of great information; however you do not provide some of the most important information, which is the log file entries.

If you want to solve a problem on a server, the first place to start are with the messages in the log files.
Thanks,I have "solved" upgrading to windows2008r2,now all works fine,if someone is interested I can post my procedure.
Login to Reply

|
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Similar Threads More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Solaris10 and pxeLinux Linusolaradm1 Solaris 0 12-13-2014 08:48 PM
Msktutil on Solaris10 Linusolaradm1 Solaris 0 01-28-2014 09:36 AM
How to create Zones on Solaris10 mobilethink Solaris 2 06-01-2012 05:00 AM
Storage Multipathing In Solaris10 fugitive Solaris 3 03-30-2010 01:19 PM
Solaris10 imran721 Solaris 3 06-07-2009 04:07 PM
Sun Solaris10 quickgun Solaris 2 02-16-2009 06:46 AM
Using mailx under solaris10 SnackS Solaris 3 09-07-2008 11:54 PM
Re: Crontab in solaris10 gullapalli Solaris 7 05-05-2008 08:29 PM
ftp problem from linux to windows2000 server 3rr0r_3rr0r Linux 2 01-31-2008 10:00 PM
Inst. Solaris10 mxlst14 UNIX for Dummies Questions & Answers 5 06-02-2006 04:20 AM
help,win2003 and solaris10 in a pc? keyi Solaris 1 12-18-2004 07:05 PM
is there any problem that install windows2000 and unix on one computer sw_water UNIX Desktop Questions & Answers 6 11-11-2002 05:20 AM
linux and windows2000 J.P UNIX for Dummies Questions & Answers 6 04-09-2002 07:37 PM
NFS and windows2000 Server Vanstraelen UNIX for Dummies Questions & Answers 3 10-30-2001 12:16 PM
networking solaris8 with windows2000 scotte UNIX for Dummies Questions & Answers 2 07-02-2001 12:37 PM
All times are GMT -4. The time now is 06:30 AM.

Unix & Linux Forums Content Copyright 1993-2018. All Rights Reserved.