Solaris 10 and Windows 2000 authentication
# 1  

Only for testing/learning, I have set up a Windows 2000 server with Active Directory.
I connect a Solaris 10 machine to it as a "client".
I want Solaris 10 to take its users from AD.
I have followed this guide:


a) Set up the Active Directory environment plus Services for UNIX
OK


b) I have created two users on the AD Windows 2000 server: one for LDAP searches (called proxyldap) and another for the Solaris server (called host-solaris10)


c) I have created a Kerberos keytab on the Windows 2000 AD server and copied it to /etc/krb5.keytab on Solaris


Code:
ktpass -princ HOST/solaris10.site.fake@SITE.FAKE -mapuser host-solaris10 -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out krb5.keytab


d) On Solaris I have edited /etc/krb5/krb5.conf


Code:
[libdefaults]
   default_realm = SITE.FAKE
   dns_lookup_kdc = true
   verify_ap_req_nofail = false

[realms]
   SITE.FAKE = {
   kdc = windows2000.site.fake
   admin_server = windows2000.site.fake
   }

[domain_realm]
   .site.fake = SITE.FAKE

[logging]
   default = FILE:/var/krb5/kdc.log
   kdc = FILE:/var/krb5/kdc.log
   kdc_rotate = {
   period = 1d
   version = 10
 }

[appdefaults]
   kinit = {
   renewable = true
   forwardable= true
   }


e) Now configure the LDAP client


Code:
ldapclient manual \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a proxyDN=cn=proxyldap,cn=Users,dc=site,dc=fake \
 -a proxyPassword=***** \
 -a defaultSearchBase=dc=site,dc=fake \
 -a defaultSearchScope=sub \
 -a domainName=site.bac \
 -a "preferredServerList=10.6.0.1" \
 -a "defaultServerList=10.6.0.1" \
 -a followReferrals=false \
 -a attributeMap=group:userpassword=userPassword \
 -a attributeMap=group:gmemberuid=memberUid \
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=passwd:uid=cn \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=unixHomeDirectory \
 -a attributeMap=passwd:loginshell=loginShell \
 -a attributeMap=shadow:uid=cn \
 -a attributeMap=shadow:shadowflag=shadowFlag \
 -a attributeMap=shadow:userpassword=userPassword \
 -a objectClassMap=group:posixGroup=group \
 -a objectClassMap=passwd:posixAccount=user \
 -a objectClassMap=shadow:shadowAccount=user \
 -a serviceSearchDescriptor=passwd:dc=site,dc=fake?sub \
 -a serviceSearchDescriptor=group:dc=site,dc=fake?sub


f) Now configure /etc/nsswitch.conf


Code:
#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# DNS service expects that an instance of svc:/network/dns/client be
# enabled and online.

passwd:     files ldap
group:      files ldap

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:   files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files


and /etc/pam.conf


Code:
#
#ident  "@(#)pam.conf   1.32    11/04/08 SMI"
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1

#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1

#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#


Will this work?


The command ldaplist returns my LDAP user:


Code:
ldaplist passwd myuser
dn: uid=myuser,uid=Users,DC=site,DC=fake



kinit is OK:


Code:
echo userpassword|kinit myuser


But when I try getent, id, or su, it only works for users in the local files and not for LDAP users.
Why?
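The following is an added example and is not part of the original post. It collects the three things a practitioner would check first against the posted configuration: (1) the ldapclient command passes domainName=site.bac while every search base is dc=site,dc=fake; (2) the attributeMap for passwd points at the RFC 2307 attribute names (uidNumber, gidNumber, unixHomeDirectory, loginShell), which Windows Server 2003 R2 and later carry natively, whereas a Windows 2000 domain extended with Services for UNIX 3.x stores the UNIX fields under msSFU30* names (msSFU30UidNumber and so on). ldaplist only has to match on cn, so it finds the entry; getent and id need the mapped numeric attributes to build a passwd line, so they return nothing. That the upgrade to 2008 R2 resolved the problem is consistent with this, but it is an assumption here, not something the thread confirms; run `ldaplist -l passwd myuser` and compare against the list below to check it. (3) The posted "other auth" stack marks both pam_unix_auth.so.1 and pam_ldap.so.1 as required; an LDAP-only user has no local password hash, so pam_unix_auth fails and the stack can never succeed for such users. The Solaris 10 LDAP example in the naming-services administration guide uses `pam_unix_auth.so.1 binding ... server_policy` instead. All entries and pam.conf lines in the script are constructed to illustrate these checks.

```shell
#!/bin/sh
# Consistency checks for a Solaris 10 native LDAP client pointed at Active Directory.
# Added example, not from the original thread. All inputs below are constructed.

# What the posted attributeMap expects on each AD user entry, in the order of the
# passwd fields they fill (name, uid, gid, home, shell).
REQUIRED_ATTRS="cn uidNumber gidNumber unixHomeDirectory loginShell"

# Constructed: an AD user whose UNIX attributes were written with the SFU 3.x
# schema (msSFU30* names, assumed here). None of the RFC 2307 names the client maps are present.
ENTRY_SFU='dn: CN=myuser,CN=Users,DC=site,DC=fake
cn: myuser
sAMAccountName: myuser
msSFU30UidNumber: 10001
msSFU30GidNumber: 10000
msSFU30HomeDirectory: /export/home/myuser
msSFU30LoginShell: /bin/sh'

# Constructed: the same user on a domain that publishes the RFC 2307 attributes.
ENTRY_RFC2307='dn: CN=myuser,CN=Users,DC=site,DC=fake
cn: myuser
sAMAccountName: myuser
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /export/home/myuser
loginShell: /bin/sh'

# Constructed: the "other auth" stack as posted, and the variant where
# pam_unix_auth is "binding ... server_policy" so an LDAP-only user can pass.
PAM_POSTED='other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1'

PAM_FIXED='other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1'

# Turn a search base such as dc=site,dc=fake into the DNS domain site.fake,
# so it can be compared with the domainName passed to ldapclient.
base_to_domain() {
    printf '%s' "$1" | sed 's/[dD][cC]=//g; s/,/./g'
}

# Print the mapped attributes that an LDIF-style entry lacks (space separated;
# empty output means the entry can be turned into a complete passwd line).
# Attribute names are compared case-insensitively, as LDAP does.
missing_posix_attrs() {
    entry="$1"; missing=""
    for attr in $REQUIRED_ATTRS; do
        if ! printf '%s\n' "$entry" | grep -iq "^${attr}:"; then
            missing="${missing:+$missing }$attr"
        fi
    done
    printf '%s' "$missing"
}

# "conflict" when a service's auth stack marks both pam_unix_auth and pam_ldap
# as required (no LDAP-only user can satisfy both); "ok" otherwise.
pam_auth_conflict() {
    svc="$1"; conf="$2"
    printf '%s\n' "$conf" | awk -v svc="$svc" '
        $1 == svc && $2 == "auth" && $3 == "required" && $4 == "pam_unix_auth.so.1" { u = 1 }
        $1 == svc && $2 == "auth" && $3 == "required" && $4 == "pam_ldap.so.1"      { l = 1 }
        END { if (u && l) print "conflict"; else print "ok" }'
}

# Report using the values from the posted ldapclient command.
report() {
    base="dc=site,dc=fake"; domain="site.bac"
    if [ "$(base_to_domain "$base")" = "$domain" ]; then
        echo "domainName matches search base"
    else
        echo "domainName '$domain' does not match search base '$base' ($(base_to_domain "$base"))"
    fi
    m=$(missing_posix_attrs "$ENTRY_SFU")
    if [ -n "$m" ]; then echo "SFU-style entry: missing mapped attributes: $m"; fi
    m=$(missing_posix_attrs "$ENTRY_RFC2307")
    if [ -z "$m" ]; then echo "RFC 2307 entry: all mapped attributes present"; fi
    echo "posted pam.conf 'other auth': $(pam_auth_conflict other "$PAM_POSTED")"
    echo "fixed  pam.conf 'other auth': $(pam_auth_conflict other "$PAM_FIXED")"
}

report
```

Two further caveats on the posted krb5.conf and keytab, unrelated to the name-service failure: `verify_ap_req_nofail = false` lets pam_krb5 accept a TGT without verifying it against the host key in /etc/krb5.keytab, which removes the client's protection against a spoofed KDC, so set it to true once the keytab is in place; and a DES-only keytab (`-crypto DES-CBC-MD5 +DesOnly`) is fine for a lab but DES is weak and is disabled by default in current Kerberos implementations.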
# 2  
You provide a lot of great information; however, you do not provide some of the most important information, which is the log file entries.

If you want to solve a problem on a server, the first place to start is with the messages in the log files.
# 3  
Quote:
Originally Posted by Neo
You provide a lot of great information; however, you do not provide some of the most important information, which is the log file entries.

If you want to solve a problem on a server, the first place to start is with the messages in the log files.
Thanks. I have "solved" it by upgrading to Windows 2008 R2; now everything works fine. If someone is interested, I can post my procedure.