Thanks everyone for all the replies. I tried using Likewise Open as suggested by Brandon below, and it worked for my situation. It was much simpler and faster than trying to manually configure everything. Very good documentation as well. Thanks again!

Mark

_____________________________________________________________________________

Hi Mark,

What we've recently started working with is the Likewise Open Source AD package for Solaris, and we have had a good amount of success. We haven't done a full rollout yet as we still need to do more testing, but this could be of some use to you. The page is at:

http://www.likewise.com/products/likewise_open/index.php

Hope that helps,
-Brandon

--
Brandon Battis

_____________________________________________________________________________

Thanks for the quick reply David. I have already been to those websites and used some of the information. I believe it's just a matter of properly configuring the ldap_client_file.

Haven't tried it myself, but you may want to check out:

http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/
http://blog.scottlowe.org/2008/11/19/no-solaris-ad-integration-update/

It's a bit old now, but the principles should still apply.

David Magda

_____________________________________________________________________________

Are you sure that the "proxy" account which you use is defined in Active Directory to allow "simple" password authentication? If I recall, by default it will expect Windows-style authentication, so it will fail.

Rob,

Thanks for the quick reply. My ldap_client_file has a few different attributes, such as NS_LDAP_AUTH= sasl/GSSAPI and NS_LDAP_CREDENTIAL_LEVEL= self. I had previously tried using simple and proxy, but that didn't work either.

Snoop outputs a different error message with proxy and simple:

    *[LDAPMessage]
      [message ID]
        Operation *[APPL 1: Bind Response]
          [Result Code]
            1 Invalid Credentials
          [Matched DN]
          [Error Message]
            80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext

I'm hoping it might just be a matter of tweaking the ldap_client_file.

Thanks again,
Mark

_____________________________________________________________________________

Mark,

You need a "bind" (or "proxy") account (and its password) in the LDAP (Active Directory) repository that your Solaris clients can use to request data from the AD. This "bind" account is what you will use in the command to manually configure a Solaris 10 client as an LDAP client:

    ldapclient -v manual \
        -a defaultServerList=kdc.ourdomain.internal \
        -a defaultSearchBase="dc=ourdomain,dc=internal" \
        -a authenticationMethod=simple \
        -a followReferrals=FALSE \
        -a defaultSearchScope=one \
        -a searchTimeLimit=30 \
        -a credentialLevel=proxy \
        -a proxyDN="cn=bindaccount,ou=Process,ou=Logins,ou=THISDEPT,dc=ourdomain,dc=internal" \
        -a proxyPassword=somepwd \
        -a objectclassMap=passwd:posixAccount=user \
        -a serviceSearchDescriptor=passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL \
        -a attributeMap=passwd:homeDirectory=unixHomeDirectory

This should result in a file /var/ldap/ldap_client_file with the following contents:

    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= kdc.ourdomain.internal
    NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
    NS_LDAP_AUTH= simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_CACHETTL= 0
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL
    NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
    NS_LDAP_ATTRIBUTEMAP= passwd:homeDirectory=unixHomeDirectory

There are some additional important steps to take (like editing /etc/pam.conf and /etc/nsswitch.conf), but I guess you figured these out already. If not, I can inform you of more.

Good luck,
Rob

Rob De Langhe

-----Original Message-----
From: sunmanagers-bounces@sunmanagers.org [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Twardzik, Mark J.
Sent: Thursday, May 12, 2011 3:57 PM
To: sunmanagers@sunmanagers.org
Subject: Authenticating Solaris 10 through Active Directory

I have a Sun Netra T5440 SPARC running Solaris 5.10 with a fresh End User installation, no additional patches. I am trying to authenticate it through Active Directory on a Windows Server 2008 R2 system. I followed the instructions in the Sun document 'Using Kerberos to Authenticate a Solaris(TM) 10 OS LDAP Client With Microsoft Active Directory', although I had to change a few things to successfully navigate some of the steps. This was expected, as I realize the document was written for Server 2003.

I believe Kerberos is configured properly, as 'kinit (test user)' obtains tickets according to klist. However, neither 'ldaplist -l passwd (test user)' nor 'getent passwd (test user)' works. It looks like a binding issue with sasl/GSSAPI based on the following error messages:

'cat /var/adm/messages | grep ldap' results contain the repeated error:

    libsldap: makeConnection: failed to open connection using sasl/GSSAPI to ForestDnsZones.my.domain

'snoop -v | grep -I ldap' contains:

    *[LDAPMessage]
      [message ID]
        Operation *[APPL 1: Bind Response]
          [Result Code]
            Success
          [Matched DN]
          [Error Message]
          SASL Credentials [7]

Any help would be greatly appreciated, as I have spent a great deal of time looking through message boards and playing with different configurations. Send email and I will summarize to the list.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Thu May 19 08:25:39 2011
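The bind configuration Rob posts is where the security trade-off in this thread sits: with NS_LDAP_AUTH= simple the client sends the proxy account's DN and password to the directory server in cleartext on every connection, so anyone on the network path can read and reuse them; tls:simple or sasl/GSSAPI (the method Mark started from) keep the credential off the wire. The script below is an added example, not code from anyone in this thread. It parses the "KEY= value" format that ldapclient(1M) writes to /var/ldap/ldap_client_file and flags those settings. The sample file contents are constructed from Rob's posted example (kdc.ourdomain.internal and the DNs are his placeholders), and the tls:simple and sasl/GSSAPI variants are constructed as well.

```python
"""Audit a Solaris 10 /var/ldap/ldap_client_file for weak bind settings.

Added example, not code from the thread. Parses the "KEY= value" format that
ldapclient(1M) writes and reports settings that expose the bind credential.
"""
import sys

# Constructed sample: the simple/proxy configuration posted by Rob. The
# hostname and DNs are his placeholders, not a real environment.
SAMPLE_SIMPLE_PROXY = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= kdc.ourdomain.internal
NS_LDAP_SEARCH_BASEDN= dc=ourdomain,dc=internal
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=PER,OU=People,OU=THISDEPT,DC=OURDOMAIN,DC=INTERNAL
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
"""

# Constructed variants: the same client with the bind wrapped in TLS, and
# with the Kerberos-based method Mark started from.
SAMPLE_TLS_PROXY = SAMPLE_SIMPLE_PROXY.replace(
    "NS_LDAP_AUTH= simple", "NS_LDAP_AUTH= tls:simple")
SAMPLE_GSSAPI_SELF = SAMPLE_SIMPLE_PROXY.replace(
    "NS_LDAP_AUTH= simple", "NS_LDAP_AUTH= sasl/GSSAPI").replace(
    "NS_LDAP_CREDENTIAL_LEVEL= proxy", "NS_LDAP_CREDENTIAL_LEVEL= self")


def parse_ldap_client_file(text):
    """Return {KEY: [values]}; keys such as NS_LDAP_SERVICE_SEARCH_DESC may repeat."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed ldap_client_file line: %r" % raw)
        config.setdefault(key.strip(), []).append(value.strip())
    return config


def auth_methods(config):
    """NS_LDAP_AUTH may list several methods separated by ';'."""
    methods = []
    for value in config.get("NS_LDAP_AUTH", []):
        methods.extend(m.strip() for m in value.split(";") if m.strip())
    return methods


def audit_ldap_client_file(text):
    """Return a list of (severity, finding) tuples; an empty list means nothing flagged."""
    config = parse_ldap_client_file(text)
    methods = auth_methods(config)
    level = config.get("NS_LDAP_CREDENTIAL_LEVEL", ["anonymous"])[0]
    servers = ", ".join(config.get("NS_LDAP_SERVERS", ["<no server>"]))
    findings = []

    if "simple" in methods:
        # A plain simple bind is a cleartext DN and password on port 389.
        findings.append(("HIGH",
            "NS_LDAP_AUTH=simple sends the %s bind DN and password in cleartext to %s "
            "on every connection; use tls:simple or sasl/GSSAPI" % (level, servers)))

    if any(m.startswith("tls:") for m in methods):
        # TLS only protects the bind if the client can validate the server.
        findings.append(("INFO",
            "tls:* bind: the CA certificate that issued the AD server's certificate "
            "must be in the client's /var/ldap certificate database or the bind fails"))

    if level == "proxy":
        # ldapclient writes the proxy DN and password to a separate file.
        findings.append(("INFO",
            "NS_LDAP_CREDENTIAL_LEVEL=proxy: the proxy password is written to "
            "/var/ldap/ldap_client_cred; keep that file root-owned and mode 0400"))

    if config.get("NS_LDAP_SEARCH_REF", ["FALSE"])[0].upper() == "TRUE":
        # AD answers subtree searches with referrals to its application partitions.
        findings.append(("INFO",
            "NS_LDAP_SEARCH_REF=TRUE: AD returns referrals to partitions such as "
            "ForestDnsZones/DomainDnsZones, each chased over its own connection and bind"))

    return findings


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIMPLE_PROXY
    for severity, finding in audit_ldap_client_file(text):
        print("%-6s %s" % (severity, finding))
```

Run it as `python audit_ldap_client.py /var/ldap/ldap_client_file` on a configured client (the file name is an assumption); with no argument it audits the constructed sample, which produces one HIGH finding for the cleartext simple bind and one INFO for the on-disk proxy credential. Note also that Rob's ldapclient command passes proxyPassword on the command line, so the secret is briefly visible in ps output and lands in the shell history; running it from a script with restricted permissions avoids the history copy.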
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:18 EST