Need opinions on integrating Solaris 10 and AD 3

[cnull]

I am tossing around the idea of using AD for Solaris authentication. I have not found alot of documentation on it and I just don't know if it is the right thing to do. We have 14 Solaris 10 servers, 5 of which are critical production servers running ArcGIS, OracleDB and Oracle iAS.
Up until now the admin has been maintaing separate users and groups for each server. For obviouse reasons (password sync, user and group creation, home directory consolidation) I would like to consolidate into one Directory. But does it make sense?

How reliable has it been for you and your organization?

Is there another way that I can accomplish the same thing without too much trouble?

Is it better to use NIS+? (but maintenance!!!!)

I really appreciate your knowledgable suggestions and advice!

Thanks,
cnull

 

[GunnarD]

Maybe samba winbndd

http://us1.samba.org/samba/docs/man/manpages-3/winbindd.8.html

If not i should use ldap instead off NIS/NIS+

 

[Annihilannic]

Until last year we used to use the pam_smb module from samba.org to authenticate against active directory. It was very simple to set up and very reliable. Version 2 also authenticates against multiple domains. You still have to configure the users locally on the Unix system(s), but their passwords are checked against AD.

However I understand that an upgrade or configuration change in AD in our organisation was going to break pam_smb, so the powers that be recommended Quest's Vintela Authentication Services (VAS), which is more like NIS/LDAP. The users do not need to be configured locally on the system, and it also allows AD groups to be used just like local Unix groups. Access to the system is controlled through users.allow/users.deny files. It's a lot more complicated, does a lot more than pam_smb, and we have had our fair share of teething problems, but it may be an option for you. And of course, unlike pam_smb, it is not free.

Annihilannic.

 

[coffeysm]

I have setup Solaris 10 against AD Authentication. If you give me a few I can dig up my notes and documents I made.

 

[coffeysm]

Annihilannic I have also used Vintela, I decided to move away from it because it gets pretty pricey.

 

[coffeysm]

First and foremost YOU NEED permission to update and change the Active Directory Schema. If your Windows admins won't allow you. Then you will probably have to setup your own LDAP Server or something. The latest version of Active Directory, which is in 2003 R2 I believe has the NIS attributes in place. If you are using a prior release you will need Services For Unix, Vintela, or have to make changes to the schema by hand. You can't unmake a change to the AD Schema though.

I have NIS/Kerberos/AD running in my environment. I was having a hard time getting netgroups to work under AD. Also, setting up hosts was just to annoying. So, I have a NIS server that has hosts and netgroups and that is all.

 

[coffeysm]

If you want to use Kerberos you need to make a config file and create a keytab. I used Vintela to create my keytabs, but you can use Samba or ktpass.exe which is on the Windows resource kit. You also should setup /etc/resolv.conf.

/etc/krb5/krb5.conf

[libdefaults]
default_realm = YOUR.DOMAIN.NAME
default_checksum = rsa-md5
dns_lookup_kdc = true
ticket_lifetime = 36000
default_keytab_name = /etc/krb5/krb5.keytab

[realms]
YOUR.DOMAIN.NAME = {
    kdc = your.domain.controller:88
    kpasswd_server = your.domain.controller:464
    kpasswd_protocol = SET_CHANGE
}

[domain_realm]
your.domain.name = YOUR.DOMAIN.NAME

/etc/resolv.conf

search domain.name
nameserver xxx.xxx.xxx.xxx

/etc/pam.conf

Add these lines under pam_authtok_get.so.1

login auth sufficient pam_krb5.so.1
dtlogin auth sufficient pam_krb5.so.1
other auth sufficient pam_krb5.so.1

Change the pam_unix_account.so.1 to this:

login account sufficient pam_unix_account.so.1
login account required pam_ldap.so.1

dtlogin account sufficient pam_unix_account.so.1
dtlogin account required pam_ldap.so.1

other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1

/etc/nsswitch.conf

passwd: files ldap
group: files ldap
hosts: files dns

*You also need to create a Proxy Account, this does not have to be an admin account it just allows the Solaris Machines to connect and read information*

I added the following lines to a script:

#!/sbin/sh -x

ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN="THE DIT TO THE PROXY ACCOUNT" \
-a proxyPassword=PASSWORD FOR ACCOUNT \
-a defaultSeachBase=dc=YOUR,dc=DOMAIN,dc=NAME \
-a domainName="YOUR DOMAIN NAME" \
-a "preferredServerList="IP ADDRESS" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:gecos=gecos \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:uid=sAMAccountName \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a serviceSearchDescriptor="passwd:ou=ACCOUNTS,dc=YOUR,dc=DOMAIN,dc=NAME?sub" \
-a serviceSearchDescriptor="group:ou=groups,dc=YOUR,dc=DOMAIN,dc=NAME?sub"

*When you run the ldap command it will overwrite your /etc/nsswitch.conf.  Make sure you edit afterwards and add DNS.  I would also not change pam.conf until you reboot and make sure the LDAP queries work first.  You can verify Kerberos works by using this command: kinit <USERNAME> it will prompt for a password.  You can test LDAP by entering getent passwd <USERNAME>

This is rush through if you have more questions you can message me or something.

 

[cnull]

Wow! I was out one day and I get a wealth of knowledge. I will go through all of this info today.

Thanks everyone,
cnull