
Using Kerberos to Authenticate a Solaris™ 10 OS LDAP Client With Microsoft Active Directory

Wajih Ahmed and Baban Kenkre, March 2008 (Updated May 2008), Sun Microsystems, Inc.
Please note: This configuration uses a shell script called adjoin.sh to automate the process of joining the Solaris client to the Active Directory domain and configures Kerberos on the client. This script is not supported by Sun and is not part of the Solaris distribution. (See the For More Information section for information about downloading the adjoin script.) THE SOLUTION DESCRIBED IN THIS PAPER SHOULD BE TREATED AS PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRODUCTION.

Copyright © 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054 U.S.A. All rights reserved. U.S. Government Rights - Commercial software. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements. Use is subject to license terms. This distribution may include materials developed by third parties. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. X/Open is a registered trademark of X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Solaris and OpenSolaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Microsoft product screen shot(s) reprinted with permission from Microsoft Corporation. This product is covered and controlled by U.S. Export Control laws and may be subject to the export or import laws in other countries. Nuclear, missile, chemical biological weapons or nuclear maritime end uses or end users, whether direct or indirect, are strictly prohibited. Export or reexport to countries subject to U.S. embargo or to entities identified on U.S. export exclusion lists, including, but not limited to, the denied persons and specially designated nationals lists is strictly prohibited. DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory

Table of Contents
!ntro"uction################################################################################################################################################$ !nstalling !"entity Manage%ent for U&!'#################################################################################################( Provisioning a U&!' User in Active Directory#########################################################################################) Configuring D&S#######################################################################################################################################* Synchroni+ing the Cloc,s an" Configuring -i%e .ones###########################################################################/ -uning Active Directory##########################################################################################################################10 Configuring Kerberos##############################################################################################################################1 !nitiali+ing the Solaris LDAP Client########################################################################################################1) Using the &a%ing Service S0itch an" Pluggable Authentication Mo"ules 1PAM2###############################1/ -esting the Client##################################################################################################################################### 0 -esting Pass0or" Manage%ent############################################################################################################### -roubleshooting####################################################################################################################################### $ 3or More !nfor%ation############################################################################################################################## $ Ac,no0le"ge%ents################################################################################################################################## 
( Change Log############################################################################################################################################## (


Introduction
-his "ocu%ent "escribes ho0 to configure a Solaris O5erating Syste% client to use Microsoft Win"o0s Server 004 6 7nter5rise 7"ition 1Active Directory2 for authentication an" na%ing services# -he Solaris client uses 5er8user authentication 1also calle" self8cre"entials2 for na%ing service loo,u5s instea" of a 5ro9y account# -his ne0 functionality is available starting 0ith the Solaris 10 0*:0) OS# -his configuration uses a shell scri5t calle" adjoin.sh to auto%ate the 5rocess of ;oining the Solaris client to the Active Directory "o%ain an" configures Kerberos on the client# -his scri5t is not su55orte" by Sun an" is not 5art of the Solaris "istribution# 1See the 3or More !nfor%ation section for infor%ation about "o0nloa"ing the adjoin scri5t#2 -<7 SOLU-!O& D7SC6!=7D !& -<!S PAP76 S<OULD =7 -67A-7D AS P6OO3 O3 CO&C7P- A&D S<OULD &O- =7 US7D !& P6ODUC-!O&# 3igure 1 illustrates the e9a%5le to5ology use" in this "ocu%ent# )i%ure 5@ ,;amp&e #opo&o%y
Kerberos an" LDAP1 S2

Solaris 10 0*:0) OS dsee"company;yA"com 572"5B8"567"78 LDAP client

Win"o0s Server 004 6 *in2kC"company;yA"com 572"5B8"567"548 Active Directory

The remaining sections of this document describe how to perform the configuration steps on the Microsoft Windows and Solaris systems. Note: This document does not cover the installation of the operating systems or the Active Directory service. Perform the following tasks on the Microsoft Windows system:

- Install Microsoft Windows Server 2003 R2 Enterprise Edition.
- Configure the Microsoft Windows server as a domain controller with "typical" options and a static IP address.
- Install the Active Directory service.
- Install Identity Management for UNIX®.
- Add Domain Name System (DNS) records for the Solaris client.
- Optionally, tune Active Directory.
- Add or provision an Active Directory test user with UNIX attributes.

Perform the following tasks on the Solaris system:


- Install at least the Solaris 10 08/07 release and ensure that the Kerberos client packages are installed.
- Download and run the adjoin tool.
- Run ldapsearch with the Generic Security Services Application Programming Interface (GSSAPI) mechanism to test connectivity.
- Initialize the Solaris LDAP client.
- Test the LDAP client.

Installing Identity Management for UNIX


After installing Active Directory on the Microsoft Windows server, perform the following steps to support the POSIX schema in Active Directory. On Microsoft Windows Server 2003 R2 Enterprise Edition, you must install Identity Management for UNIX. If you are using a prior version of the Microsoft Windows server, install Services for UNIX (SFU), which can be downloaded from the Microsoft web site. Note: Before installing Identity Management for UNIX on Microsoft Windows Server 2003 Enterprise Edition, uninstall SFU if it was previously installed.

1. In the Control Panel, choose Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Select Active Directory Services.
4. Click Details.
5. Select only Identity Management for UNIX, as shown in Figures 2a, 2b, and 2c.

Figure 2a: Installing Identity Management for UNIX - Initiate


Figure 2b: Installing Identity Management for UNIX - Progress


Figure 2c: Installing Identity Management for UNIX - Complete

After the installation is complete, reboot the Microsoft Windows server.

Provisioning a UNIX User in Active Directory


The next step is to add UNIX attributes to Active Directory users and groups on the Microsoft Windows system. Identity Management for UNIX adds the UNIX Attributes tab to the user's and group's Properties page for this purpose. This tab also appears if you are using SFU. The new Active Directory user, wahmed, is used to test the configuration by resetting its password and populating its UNIX attributes. While the NIS domain shown in Figure 3 appears without the fully qualified domain name (companyxyz), the domain used by the Solaris client is fully qualified (companyxyz.com).


Figure 3: NIS Domain

Configuring DNS
On the Microsoft Windows system, create a forward (A) and reverse (PTR) DNS record for the Solaris client. In addition, create a reverse (PTR) DNS record for the AD server. These records are required for Kerberos to function properly. The forward (A) DNS record for the Active Directory server is created automatically when configuring the Active Directory server. The following example assumes that you are using Active Directory as the DNS server.


Figure 4: Forward and Reverse Lookup Zones

Synchronizing the Clocks and Configuring Time Zones


Time synchronization is essential for Kerberos to function properly. By default, only a 300-second clock skew is acceptable. Ensure that time zones on all Microsoft Windows and Solaris servers are configured properly. You can use NTP to synchronize time.


Figure 5: Configuring Time Zones

Tuning Active Directory


On the Microsoft Windows system, index the following Solaris client attributes: uid, uidnumber, gid, and gidnumber. In Active Directory, indexes can be added by using the Schema Management Snap-In for the Microsoft Management Console. This snap-in must be registered first, as shown in Figure 6.

Figure 6: Registering the Schema Management Snap-In

Then, add the Active Directory Schema plug-in to the Microsoft Management Console by running mmc /a from the command prompt, as shown in Figure 7.


Figure 7: Adding the Directory Schema Plug-In

Save the snap-in to a file, such as schema.msc, for later use. Figure 8 shows how to index the uid attribute.


Figure 8: Indexing the uid Attribute

Configuring Kerberos
The Solaris client must join an Active Directory domain to use Active Directory for security and directory services. The adjoin.sh script automates the domain join operation by executing the following steps from the Solaris client:

Auto8"etects the Active Directory "o%ain controller Creates a %achine account 1also calle" a Co%5uter ob;ect2 for the Solaris host in Active Directory an" generates a ran"o% 5ass0or" for this account Configures the Solaris host as a Kerberos client of the Active Directory "o%ain controller by using the /etc/krb5/krb5.conf file Configures the /etc/krb5/krb5.keytab file on the Solaris host by using the ,eys for the %achine account 1also calle" host cre"entials2

The adjoin.sh script uses the ksetpw binary to set the password for the machine account and to configure the local keytab file. Run adjoin -h to see the options supported by the adjoin.sh script. This script requires proper DNS configuration on the client. Therefore, /etc/resolv.conf must point to the correct DNS domain and servers, and /etc/nsswitch.conf must use DNS for host resolution. Ensure that the ksetpw binary is in the same directory as adjoin.sh.

In the following example, the Solaris client is using the Active Directory server as its DNS server.
    dsee# cat /etc/resolv.conf
    domain companyxyz.com
    nameserver 192.168.159.148
    dsee# egrep "hosts|ipnodes" /etc/nsswitch.conf
    hosts: files dns
    ipnodes: files dns

The following adjoin.sh example output is for a Solaris host, dsee, that tries to join an Active Directory domain, companyxyz.com, that is served by the Active Directory domain controller, win2k3. The -f option forces the creation of a machine account for dsee even if one already exists. If a machine account already exists, the existing account is first removed before being recreated.
    dsee# ./adjoin.sh -f
    Joining domain: companyxyz.com
    Looking for domain controllers and global catalogs (A RRs)
    Looking for KDCs and DCs (SRV RRs)
    KDCs = win2k3.companyxyz.com 88
    DCs = win2k3.companyxyz.com 389
    Password for Administrator@COMPANYXYZ.COM:
    Looking for forest name
    Forest name = companyxyz.com
    Looking for Global Catalog servers
    Looking for site name
    Looking for subnet object in the global catalog
    Could not find site name for any local subnet
    Site name not found. Local DCs/GCs will not be discovered
    Looking to see if there's an existing account...
    Looking to see if the machine account contains other objects...
    Deleting existing machine account...
    Creating the machine account in AD via LDAP
    adding new entry CN=DSEE,CN=Computers,DC=companyxyz,DC=com
    Setting the password/keys of the machine account
    Result: success (0)
    Getting kvno
    KVNO: 2
    Determining supported enctypes for machine account via LDAP
    This must not be a Longhorn/Vista AD DC!
    So we assume DES and arcfour enctypes
    ARCFOUR will be supported
    Finishing machine account
    modifying entry CN=DSEE,CN=Computers,DC=companyxyz,DC=com
    adjoin: Done

Verify the setup by running the following ldapsearch command to bind to Active Directory by using GSSAPI. The command uses the host credentials that have been created for the Solaris client by the adjoin.sh script. If the command runs without any errors, the setup is correct. It does not matter which base (-b) is used for the following command:
    dsee# ldapsearch -h win2k3.companyxyz.com -o mech=gssapi -o authzid='' -b "cn=dsee,cn=computers,dc=companyxyz,dc=com" -s base "" cn
    version: 1
    dn: cn=dsee,cn=computers,dc=companyxyz,dc=com
    cn: DSEE

Use klist to display the Kerberos ticket cache.


    dsee# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: host/dsee.companyxyz.com@COMPANYXYZ.COM

    Valid starting       Expires              Service principal
    MM/DD/YY hh:mm:ss    MM/DD/YY hh:mm:ss    krbtgt/COMPANYXYZ.COM@COMPANYXYZ.COM
            renew until MM/DD/YY hh:mm:ss
    MM/DD/YY hh:mm:ss    MM/DD/YY hh:mm:ss    ldap/win2k3.companyxyz.com@COMPANYXYZ.COM
            renew until MM/DD/YY hh:mm:ss

List the host keys for the Solaris client dsee by running the following klist command:
    dsee# klist -e -k /etc/krb5/krb5.keytab
    Keytab name: FILE:/etc/krb5/krb5.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 host/dsee.companyxyz.com@COMPANYXYZ.COM (ArcFour with HMAC/md5)
       2 host/dsee.companyxyz.com@COMPANYXYZ.COM (DES cbc mode with CRC-32)
       2 host/dsee.companyxyz.com@COMPANYXYZ.COM (DES cbc mode with RSA-MD5)

The Active Directory console now shows an entry for the Solaris client (DSEE) under the Computers container, as shown in Figure 9.


Figure 9: Entry for Solaris Client

The contents of the krb5.conf file should be as follows:


    dsee# cat /etc/krb5/krb5.conf
    [libdefaults]
            default_realm = COMPANYXYZ.COM

    [realms]
            COMPANYXYZ.COM = {
                    kdc = win2k3.companyxyz.com
                    kpasswd_server = win2k3.companyxyz.com
                    kpasswd_protocol = SET_CHANGE
                    admin_server = win2k3.companyxyz.com
            }

    [domain_realm]
            .companyxyz.com = COMPANYXYZ.COM


Use the ldapsearch command for a user to ensure the presence of POSIX attributes. In the following output, the attributes that were added by Identity Management for UNIX are uid, uidNumber, gidNumber, unixHomeDirectory, and loginShell (shown in bold in the original), and the msSFU30* attributes (shown in italics in the original) are the SFU attributes. Actual output only shows one set of attributes. The example shows both sets to highlight the attribute names.

    dsee# ldapsearch -h win2k3.companyxyz.com -b "cn=users,dc=companyxyz,dc=com" -o mech=gssapi -o authzid='' "cn=wajih ahmed"
    version: 1
    dn: CN=Wajih Ahmed,CN=Users,DC=companyxyz,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Wajih Ahmed
    sn: Ahmed
    givenName: Wajih
    initials: U
    distinguishedName: CN=Wajih Ahmed,CN=Users,DC=companyxyz,DC=com
    instanceType: 4
    whenCreated: YYYYMMDDhhmmss.0Z
    whenChanged: YYYYMMDDhhmmss.0Z
    displayName: Wajih Ahmed
    uSNCreated: <n>
    uSNChanged: <n>
    name: Wajih Ahmed
    objectGUID:: <base64>
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: <filetime>
    lastLogoff: 0
    lastLogon: <filetime>
    pwdLastSet: <filetime>
    primaryGroupID: 513
    objectSid:: <base64>
    accountExpires: 9223372036854775807
    logonCount: 5
    sAMAccountName: wahmed
    sAMAccountType: 805306368
    userPrincipalName: wahmed@companyxyz.com
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=companyxyz,DC=com
    uid: wahmed
    uidNumber: 1000
    gidNumber: 10
    unixHomeDirectory: /export/home/wahmed
    loginShell: /bin/bash
    msSFU30Name: wahmed
    msSFU30UidNumber: 1000
    msSFU30GidNumber: 10
    msSFU30LoginShell: /bin/bash
    msSFU30Password: uTtVgSFk3So22
    msSFU30NisDomain: companyxyz
    msSFU30HomeDirectory: /export/home/wahmed


Initializing the Solaris LDAP Client


Now you configure the Solaris host as an LDAP client of Active Directory, which allows the Solaris host to access naming service information from Active Directory. As prerequisites, the DNS client and nscd should be enabled, and the /etc/resolv.conf file should be properly configured. Verify that both forward and reverse DNS lookup of the Active Directory server succeeds from the Solaris host, as shown in the following example. If reverse DNS lookup fails, then add a PTR record for the Active Directory server to the DNS server, if it does not exist. Modify /etc/nsswitch.ldap to use DNS for hosts and ipnodes. Unlike earlier versions, nscd in the Solaris 10 08/07 release supports enhanced LDAP connection management and improved caching. You must enable nscd to use the per-user authentication functionality as follows:
    dsee# svcadm enable svc:/network/dns/client:default
    dsee# svcadm enable name-service-cache
    dsee# dig win2k3.companyxyz.com +short
    192.168.159.148
    dsee# dig -x 192.168.159.148 +short
    win2k3.companyxyz.com.
    dsee# grep dns /etc/nsswitch.ldap
    hosts: dns files
    ipnodes: dns files

In the following example, Microsoft Windows Server 2003 Enterprise Edition R2 has Identity Management for UNIX enabled. The POSIX attributes and object classes added to the Active Directory schema by Identity Management for UNIX have the same names as those used by the Solaris LDAP client (which follows the RFC 2307bis IETF draft) except for those that must use attribute mapping (attributeMap) and object class mapping (objectClassMap).
    dsee# ldapclient -v manual \
    -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi \
    -a defaultSearchBase=dc=companyxyz,dc=com \
    -a domainName=companyxyz.com \
    -a defaultServerList=192.168.159.148 \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor=passwd:cn=users,dc=companyxyz,dc=com?one \
    -a serviceSearchDescriptor=group:cn=users,dc=companyxyz,dc=com?one

The use of credentialLevel=self denotes per-user authentication, which means that the Solaris LDAP client uses the credentials of the user who is making the naming service request to bind and look up information in the LDAP server (Active Directory, in this case).


The use of authenticationMethod=sasl/gssapi denotes that the Solaris LDAP client uses GSSAPI/Kerberos to authenticate to the LDAP server. The per-user authentication can be used only in conjunction with sasl/gssapi. (SASL refers to Simple Authentication and Security Layer.) The following example uses an older version of Microsoft Windows Server 2003, which has SFU installed. This configuration needs additional attribute mappings.
    dsee# ldapclient -v manual \
    -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi \
    -a defaultSearchBase=dc=companyxyz,dc=com \
    -a domainName=companyxyz.com \
    -a defaultServerList=192.168.159.148 \
    -a attributeMap=group:userpassword=msSFU30Password \
    -a attributeMap=group:memberuid=msSFU30MemberUid \
    -a attributeMap=group:gidnumber=msSFU30GidNumber \
    -a attributeMap=passwd:gecos=msSFU30Gecos \
    -a attributeMap=passwd:gidnumber=msSFU30GidNumber \
    -a attributeMap=passwd:uidnumber=msSFU30UidNumber \
    -a attributeMap=passwd:uid=sAMAccountName \
    -a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
    -a attributeMap=passwd:loginshell=msSFU30LoginShell \
    -a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
    -a attributeMap=shadow:userpassword=msSFU30Password \
    -a attributeMap=shadow:uid=sAMAccountName \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor=passwd:cn=users,DC=companyxyz,DC=com?one \
    -a serviceSearchDescriptor=group:cn=users,DC=companyxyz,DC=com?one

Gou shoul" see the 3uccessfully configured %essage after running the ldapclient co%%an"# 6estart the LDAP client#
    dsee# svcadm restart svc:/network/ldap/client:default

Verify the contents of the LDAP client cache. The output is different if you are using SFU.
    dsee# ldapclient list
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= 192.168.159.148
    NS_LDAP_SEARCH_BASEDN= dc=companyxyz,dc=com
    NS_LDAP_AUTH= sasl/GSSAPI
    NS_LDAP_CREDENTIAL_LEVEL= self
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,dc=companyxyz,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:cn=users,dc=companyxyz,dc=com?one
    NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
    NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
    NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

Using the Naming Service Switch and Pluggable Authentication Modules (PAM)
The following /etc/nsswitch.conf file configures the Solaris client to use Active Directory for users and groups, DNS for host resolution, and local files for other naming service lookups:
    dsee# cat /etc/nsswitch.conf
    passwd:     files ldap
    group:      files ldap
    hosts:      dns files
    ipnodes:    dns files
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    # At present there isn't a 'files' backend for netgroup; the system will
    #   figure it out pretty quickly, and won't use netgroups at all.
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

Use the pam_krb5.so.1 module in the /etc/pam.conf file to enable authentication, account management, and password management on the Solaris client by using Active Directory through Kerberos. Minimally, enable the module for login and other services. The following /etc/pam.conf file authenticates users by using Active Directory through Kerberos and authenticates through the UNIX login only if the Kerberos authentication fails (see the auth entries). This arrangement is helpful when a majority of the users are in Active Directory and when there are only a few non-Active Directory user accounts, such as root. The account entries check for password expiration when dealing with Active Directory and local UNIX password-aging policies. The password entries change the Active Directory password of the user and continue to change the local UNIX password only if the Active Directory password change fails.
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth required           pam_unix_cred.so.1
    login   auth sufficient         pam_krb5.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1

    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_auth.so.1

    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_krb5.so.1

    other   password required       pam_dhkeys.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password sufficient     pam_krb5.so.1
    other   password required       pam_authtok_store.so.1

Testing the Client


Test the configuration by running the getent command for the passwd database for a particular user. If this command does not return the user, the client configuration failed. Check the /var/adm/messages file or the console for errors.
    dsee$ getent passwd wahmed
    wahmed:x:1000:10::/export/home/wahmed:/bin/bash

Use the ldaplist command to search for and list naming information. Note that running the ldaplist -l command returns a Critical Extension not found error, but if you specify an Active Directory user, you should get the correct output. The critical extension error occurs because Active Directory does not support some of the LDAP Version 3 extensions that are used by the Solaris LDAP client. In particular, Active Directory does not support the extension that is required for virtual list view (VLV) indexes.
    dsee$ ldaplist -l passwd wahmed
    dn: gecos=Wajih Ahmed,gecos=Users,DC=companyxyz,DC=com
            objectClass: top
            objectClass: person
            objectClass: organizationalPerson
            objectClass: posixAccount
            cn: Wajih Ahmed
            sn: Ahmed
            givenName: Wajih
            initials: U
            distinguishedName: CN=Wajih Ahmed,CN=Users,DC=companyxyz,DC=com
            instanceType: 4
            whenCreated: YYYYMMDDhhmmss.0Z
            whenChanged: YYYYMMDDhhmmss.0Z
            displayName: Wajih Ahmed
            uSNCreated: <n>
            uSNChanged: <n>
            name: Wajih Ahmed
            objectGUID: <binary>
            userAccountControl: 66048
            badPwdCount: 0
            codePage: 0
            countryCode: 0
            badPasswordTime: <filetime>
            lastLogoff: 0
            lastLogon: <filetime>
            pwdLastSet: <filetime>
            primaryGroupID: 513
            objectSid: <binary>
            accountExpires: 9223372036854775807
            logonCount: 5
            sAMAccountName: wahmed
            sAMAccountType: 805306368
            userPrincipalName: wahmed@companyxyz.com
            objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=companyxyz,DC=com
            uid: wahmed
            msSFU30Name: wahmed
            msSFU30UidNumber: 1000
            msSFU30GidNumber: 10
            msSFU30LoginShell: /bin/bash
            msSFU30Password: uTtVgSFk3So22
            msSFU30NisDomain: companyxyz
            msSFU30HomeDirectory: /export/home/wahmed
            uidnumber: 1000
            gidnumber: 10
            homedirectory: /export/home/wahmed
            loginshell: /bin/bash
            gecos: Wajih Ahmed

Note: The objectGUID and objectSID attributes in the ldaplist output have binary values. Verify that you can log in successfully to the Solaris client as an Active Directory user by using ssh. The following example uses a manually created local home directory. Home directories that are shared by an NFS server can be automatically mounted at login time by configuring automount(1M) on the Solaris client. Note that the Solaris 10 08/07 release does not support the automounting of remote home directories using smbfs. The smbfs functionality has been integrated into OpenSolaris build 84. See the "For More Information" section for a link to the OpenSolaris CIFS client project.
    localhost:~$ ssh -l wahmed dsee
    Password:
    Last login: Thu Nov DD hh:mm:ss 2007 from gateway
    Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
    dsee$ id
    uid=1000(wahmed) gid=10(staff)
    dsee$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: wahmed@COMPANYXYZ.COM

    Valid starting       Expires              Service principal
    MM/DD/YY hh:mm:ss    MM/DD/YY hh:mm:ss    krbtgt/COMPANYXYZ.COM@COMPANYXYZ.COM
            renew until MM/DD/YY hh:mm:ss


Testing Password Management


Following is a list of tests used to check account and password management with Active Directory. The results show that most of the commonly occurring scenarios work quite well. The tests were performed using a Solaris 10 08/07 client. Note: Use kpasswd instead of the passwd command to change an Active Directory user's password from the Solaris client.

1. Log in and change the password of an Active Directory user from the Solaris client.
   - Active Directory: Reset the password for user wahmed to Admin1234.
   - Solaris client: Log in successfully as wahmed with the password Admin1234.
   - Solaris client: As wahmed, successfully use kpasswd to change the password to Abcd1234. Then, log out.
   - Solaris client: Log in successfully as wahmed using the new password Abcd1234.
   Note: kpasswd uses the Active Directory password policy for password changes. If the new password does not meet the Active Directory policy, kpasswd issues the kpasswd: Password change rejected error.

2. Require the user to change the password during next login.
   - Active Directory: Reset the password for user wahmed to Admin1234.
   - Active Directory: Set User must change password on next logon.
   - Solaris client: Log in successfully as wahmed using the password Admin1234.
   - Solaris client: When prompted, enter the new password:
    % ssh -l wahmed dsee
    Password:
    Your Kerberos password has expired.
    New Password:
    Re-enter new Password:
    Kerberos password successfully changed
    Last login: Tue Feb 5 hh:mm:ss 2008 from somewhere
    Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
    dsee$ id
    uid=1000(wahmed) gid=10(staff)
    dsee$

Note: In this case, PAM is changing the user password. The pam.conf file being used ensures that the password meets both the Active Directory password policy and the local (/etc/default/passwd) policy. If the new password does not meet the local policy, the password change fails and the output includes the appropriate error message. For example, you might see the following error if the password is not long enough: Password too short - must be at least 6 characters. However, if the new password does not meet the Active Directory password policy, the user sees only the Password change rejected error, not an explanation of the failure. In the following example, the Active Directory password policy requires a password with a minimum of seven characters, while the local policy requires a minimum of six characters. If you type a new password with six characters, it is rejected by Active Directory.
    % ssh -l wahmed dsee
    Password:
    Your Kerberos password has expired.
    New Password:
    Re-enter new Password:
    Kerberos password not changed: Password change rejected

3. Disable the account by using the Active Directory console.
   - Active Directory: Disable the wahmed account.
   - Solaris client: Log in as wahmed as follows:
    % ssh -l wahmed dsee
    Password:
    Password:
    Password:
    Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

4. Check the password quality and strength.
   - Active Directory: Set the password policy to require a minimum of seven characters.
   - Solaris client: Enter a new 6-character password for user wahmed by using kpasswd.
dseeX id uid5 CCC,wahmed/ gid5 C,staff/ dseeX kpasswd kpasswd( 2hanging password for wahmed72896-:;<;=.289. 8ld password( :ew password( :ew password ,again/( kpasswd( 6assword change rejected

Solaris client> 7nter a ne0 )8character 5ass0or" for wahmed by using kpasswd#
dseeX kpasswd kpasswd( 2hanging password for wahmed72896-:;<;=.289. 8ld password( :ew password( :ew password ,again/( 0erberos password changed. dseeX

Troubleshooting
If Active Directory is down, and hence the key distribution center (KDC) is not responding, the Solaris LDAP client might go into maintenance mode. After the Active Directory server is up, you can “clear” the service.

dsee# svcs | grep ldap
maintenance     0:44:41 svc:/network/ldap/client:default

dsee# svcadm clear ldap/client
dsee# svcs | grep ldap
online          0:25:00 svc:/network/ldap/client:default

Note that login fails if the domain is not set correctly in the /etc/resolv.conf file or if nscd is not running. The ldapclient command fails if /etc/nsswitch.ldap has not been modified to use DNS for hosts and ipnodes or if reverse DNS lookup of the Active Directory server fails from the Solaris client.
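
The preconditions named above (a domain in /etc/resolv.conf, dns as a source for hosts and ipnodes in /etc/nsswitch.ldap, and the ldap/client service state) can be checked before retrying ldapclient or the login. The script below is an added example and is not part of this paper or the adjoin tool; it reads the files (constructed samples here, so it runs offline) and does not itself invoke svcs, nscd or DNS, so the nscd and reverse-lookup checks are left to the operator.

```sh
#!/bin/sh
# Added example (not from the paper): offline checks for the login and
# ldapclient failure modes listed under Troubleshooting. Each function reads
# a file, so it works on the live files or on saved copies; the reverse DNS
# lookup of the AD server and the nscd check need a live system and are
# left to the operator.

TMP=${TMPDIR:-/tmp}/adcheck.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT

# Constructed samples standing in for /etc/resolv.conf, /etc/nsswitch.ldap
# and the output of 'svcs svc:/network/ldap/client:default'.
printf 'domain ad.example.com\nnameserver 192.0.2.10\n' > "$TMP/resolv.conf"
printf 'hosts:   ldap [NOTFOUND=return] files\nipnodes: ldap [NOTFOUND=return] files dns\n' > "$TMP/nsswitch.ldap"
printf 'STATE        STIME    FMRI\nmaintenance   0:44:41 svc:/network/ldap/client:default\n' > "$TMP/svcs.out"

# /etc/resolv.conf must name the AD domain via 'domain' or 'search'.
resolv_has_domain() {
    grep -Eq '^[[:space:]]*(domain|search)[[:space:]]+[^[:space:]]' "$1"
}

# The hosts/ipnodes database in nsswitch.ldap must list dns as a source;
# the stock nsswitch.ldap resolves them through ldap only.
nsswitch_uses_dns() {   # $1 = nsswitch file, $2 = database (hosts|ipnodes)
    awk -v db="$2" '$1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
                    END { exit !found }' "$1"
}

# STATE column of the ldap/client instance from saved svcs output.
ldap_client_state() {
    awk '$NF == "svc:/network/ldap/client:default" { print $1 }' "$1"
}

# Print one line per check, with the fix the paper gives for each failure.
report() {   # $1 = resolv.conf, $2 = nsswitch.ldap, $3 = svcs output
    resolv_has_domain "$1" && echo "resolv.conf: domain set" \
        || echo "resolv.conf: no domain/search entry (login will fail)"
    for db in hosts ipnodes; do
        nsswitch_uses_dns "$2" "$db" && echo "nsswitch.ldap: $db uses dns" \
            || echo "nsswitch.ldap: $db does not use dns (ldapclient will fail)"
    done
    state=$(ldap_client_state "$3")
    [ "$state" = "online" ] && echo "ldap/client: online" \
        || echo "ldap/client: $state (run: svcadm clear ldap/client once AD is up)"
}

report "$TMP/resolv.conf" "$TMP/nsswitch.ldap" "$TMP/svcs.out"
```

On a Solaris client, point report at the real /etc/resolv.conf and /etc/nsswitch.ldap and at the saved output of svcs ldap/client.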

For More Information

Download the adjoin tool:
http://opensolaris.org/os/project/winchester/files/adjoin-s10u4.tar.gz

A new version of the adjoin tool is available for the Solaris 10 5/08 release:
http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz

This version contains an updated ksetpw source and binary, which has been modified to run on the Solaris 10 5/08 OS. See the README file for more details. Note that the ksetpw.c source file in this version can also be used on OpenSolaris systems.

Note: THE SOLUTION DESCRIBED IN THIS PAPER SHOULD BE TREATED AS PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRODUCTION.

Here are additional resources:

Training courses available at http://www.sun.com/training/:
- Using LDAP as a Naming Service (IN-351)
- Enterprise Security Using Kerberos and LDAP (SC-360)
- LDAP Design and Deployment (WI-3501)

Support:
- Register your Sun gear: https://inventory.sun.com/inventory/
- Services: http://www.sun.com/services
- SunSolve Online: http://sunsolve.sun.com

Open source resources:
- Sparks project, which provides naming service enhancements: http://www.opensolaris.org/os/project/sparks/overview/
- CIFS client for Solaris: http://www.opensolaris.org/os/project/smbfs/

Related documents:
- Sun BluePrints™ book LDAP in the Solaris Operating Environment: Deploying Secure Directory Services: http://www.sun.com/books/catalog/haines_bialaski_ldap.xml
- Documentation at http://docs.sun.com
- Discussions, such as the Solaris Forums at http://forum.java.sun.com/index.jspa?tab=solaris

Related web sites and articles:
- Solaris Information Center on the BigAdmin web site: http://www.sun.com/bigadmin/hubs/documentation/
- “Kerberos and LDAP Troubleshooting Tips” on the Microsoft web site: http://www.microsoft.com/technet/solutionaccelerators/cits/interopmigration/unix/usecdirw/ Iwsdsu.mspx

Events of interest to users of Sun products:
- Worldwide developer events: http://developers.sun.com/events/
- Current events: http://www.sun.com/events/index.jsp

Licensing Information
Unless otherwise specified, the use of this software is authorized pursuant to the terms of the license found at http://www.sun.com/bigadmin/common/berkeley_license.html.

Acknowledgements
The authors would like to thank Sundeep Dhall and Cathleen Reiher for their help.

Change Log
May 2008 – Added disclaimer on cover page and information on Solaris 5/08 in For More Information section.
