I agree with Al; usually one of the reasons you buy something is so that you can get away from some level of complexity or knowledge of the topic.

Building your own setup may seem "free", but you obviously have all of the people time, and your level of support is completely self-controlled.

I know of a company that spent over 2 years trying to properly kerberize their *nix clients/hosts and ran into issue after issue after issue due to the multi-realm environment alone. Next on the plate was trying to manage all of the different kerb packages for the different platforms, and they were simply working with HPUX (multiple revs) and Solaris (multiple revs); they never got to working on the packages for RH, SUSE, AIX, and others they would need.

joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, May 04, 2005 9:21 AM
To: [email protected]
Subject: RE: [ActiveDir] Solaris authentication

Two things:

"As far as REQs Al.......
1. FREE
2. Add little complexity"
These two are sometimes [1] not complementary to one another. Consider the cost of your time and troubleshooting efforts when you say this. I read Joe's response later in the thread and he's absolutely correct that a) this idea of using a static DN to bind sux rocks and b) LDAP bind by itself is not authentication!!!!! Arrrrgghhhhhhh.

There, I feel better about that. :)
As for the network trace, your servers come with Netmon by default, which you can use to capture network traces in a limited fashion. In other words, you can capture traffic to and from the server itself, and that's about it. SMS comes with a more full-featured network trace utility. There's also Ethereal and a host of other products that are free and downloadable, but Ethereal and Netmon tend to be my preferred. Critter of habit, I guess.

To use Netmon, http://support.microsoft.com/default.aspx?scid=kb;en-us;812953 will give some information about the product and what it's for. In your case, you'd want to look at the traffic coming from the other hosts (Sun) that is using an LDAP bind, and basically if you can read the traffic, so can others. You do want to also check the destination port that the client is sending traffic to. That may indicate if it's even trying to use some sort of secure traffic mechanism. If its destination is tcp 389, then the data protection would need to be handled at a different layer such as TLS or IPSec type of protection.
-ajm
[1] Ok, that's a little misleading. "Sometimes" doesn't do it justice. "Often" would be a better term here. Kerberos is not simple when you get beyond one or two machines. Even then, it takes a bit of work. That work typically has a cost associated with it. That cost/benefit analysis might make it worth it to use a commercial product aimed at this problem vs. rolling your own solution.
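The check Al describes above (capture the Sun host's traffic, look at the destination port, see whether the bind itself is readable) in code, as an added example that is not from the thread or from any poster. It assumes you already have the TCP payload of the client's first LDAP packet after the handshake (for instance exported from a Netmon or Ethereal capture); since that is not available offline, the block constructs its own BindRequest bytes with a made-up DN and password using a tiny BER encoder, then parses them the way the LDAP wire format (RFC 4511) lays them out. The DN, password and port numbers are all constructed for illustration.

```python
"""Spot a cleartext LDAP simple bind in a captured TCP payload.

Added example; not code from the mailing-list thread. The DN and
password are constructed, and the BindRequest bytes are built here
so the parser has real LDAP wire encoding to work on. In practice
you feed `assess()` the destination port and TCP payload of the
client's first LDAP packet from a capture.
"""

# ---- minimal BER encoding, only what a BindRequest needs ------------
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode()))
    return tlv(0x30, ber_int(message_id) + bind)

def build_sasl_bind(message_id: int, dn: str, mechanism: str) -> bytes:
    """Same message, but authentication = sasl [3] SEQUENCE { mechanism } (no credentials)."""
    sasl = tlv(0xA3, tlv(0x04, mechanism.encode()))
    bind = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + sasl)
    return tlv(0x30, ber_int(message_id) + bind)

# ---- decoding ------------------------------------------------------
def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after element) for one BER TLV."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def parse_bind_request(payload: bytes):
    """Dict describing a BindRequest, or None if the payload is not one."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:                   # LDAPMessage is a SEQUENCE
            return None
        tag, mid, pos = read_tlv(msg, 0)
        if tag != 0x02:                   # messageID INTEGER
            return None
        tag, op, _ = read_tlv(msg, pos)
        if tag != 0x60:                   # [APPLICATION 0] = BindRequest
            return None
        _, ver, pos = read_tlv(op, 0)
        _, name, pos = read_tlv(op, pos)
        tag, cred, _ = read_tlv(op, pos)
    except (IndexError, ValueError):
        return None
    out = {"message_id": int.from_bytes(mid, "big", signed=True),
           "version": int.from_bytes(ver, "big", signed=True),
           "name": name.decode("utf-8", "replace")}
    if tag == 0x80:                       # simple [0]: password is an OCTET STRING in the clear
        out["auth"] = "simple"
        out["password"] = cred.decode("utf-8", "replace")
    elif tag == 0xA3:                     # sasl [3] SaslCredentials { mechanism, ... }
        _, mech, _ = read_tlv(cred, 0)
        out["auth"] = "sasl"
        out["mechanism"] = mech.decode("utf-8", "replace")
    else:
        out["auth"] = "unknown"
    return out

def assess(dst_port: int, payload: bytes) -> str:
    """Al's two checks: which port, and can the bind be read off the wire."""
    if dst_port == 636:
        return "LDAPS (636): payload is TLS, not LDAP; bind cannot be read here"
    req = parse_bind_request(payload)
    if req is None:
        return "not an LDAP BindRequest"
    if req["auth"] == "simple":
        if req["password"]:
            return f"CLEARTEXT simple bind on port {dst_port}: {req['name']!r} / {req['password']!r}"
        return f"anonymous/unauthenticated simple bind on port {dst_port} as {req['name']!r}"
    if req["auth"] == "sasl":
        if req["mechanism"].upper() == "PLAIN":
            return f"SASL PLAIN on port {dst_port}: credentials still in the clear"
        return f"SASL {req['mechanism']} on port {dst_port}: no password in the bind itself"
    return "bind with unrecognised authentication choice"

if __name__ == "__main__":
    dn = "cn=svc-ldap,ou=Service Accounts,dc=example,dc=com"   # constructed
    print(assess(389, build_simple_bind(1, dn, "Hunter2!")))
    print(assess(389, build_sasl_bind(1, dn, "GSSAPI")))
    print(assess(636, build_simple_bind(1, dn, "Hunter2!")))
```

Two caveats when reading the result against a real capture: a simple bind that parses on port 389 also tells you StartTLS was not negotiated before it (once StartTLS completes, everything after the ExtendedResponse is TLS and this parser returns "not an LDAP BindRequest"), and on 636 you can only judge protection from the TLS handshake, not from the bind. An empty-password simple bind is reported separately because the server will happily answer it with success; that is the "LDAP bind by itself is not authentication" point in the message above.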
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, May 03, 2005 10:30 AM
To: [email protected]
Subject: RE: [ActiveDir] Solaris authentication

I may sound like an idiot, but you guys are always talking about tracing stuff on the network to see if it is in plain text, and I have no clue how to do it. This is something I would really like to know how to do (as I think it would really help me understand some things... along with lessening the load of me asking these questions to you guys :)). I have tried using Ethereal to do this, but either it doesn't do it, or I just don't know how to use the thing (which I am about 99% positive is the problem).
Do any of you have the quick and dirty steps to do this? Or a link to a good tutorial (which I can't seem to find)?

As far as REQs Al.......
1. FREE
2. Add little complexity

Looks like I will either just use SFU, or keep the user repositories separate. I was just hoping that something free had come along since the last time that I looked that was worth doing.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

The directions you reference on the sunone site make it look to me like it's an LDAP bind. Best way to know for sure would be to trace it on the network to see what is passed. If LDAP bind, be sure to use some sort of encryption such as SSL.
I'm curious what the requirement here is? If just to allow Solaris to authenticate via kerb with AD and allow AD users to log in to Solaris workstations, have you considered a product such as Centrify? www.centrify.com Far cry better and easier to implement.

I'm interested in hearing what the requirements are, though. The docs you referenced indicate a configuration that would be a PITA to manage in terms of reliability and effort IMHO.

Al

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman

I know someone doing auth from Solaris 9 and 10 against AD via Kerberos in production. I don't know how they are populating /etc/passwd but can find out. I've never used NIS against AD so couldn't say what's going on here.

~Eric

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long

Anyone know if this is passed in plain text? If so, I don't see any advantage to this versus the NIS server in SFU. Seems that the *nix community is making no progress in the secure authentication arena if this is the case. Any ideas or thoughts?
Title: RE: [ActiveDir] Ocra
