All,
Is this the appropriate alias for the question below? If not, can I be pointed to the correct group for help on naming service
and setup of Solaris as an LDAP client to Active Directory?
Intent:
- demonstrate OpenSolaris interop with AD.
-- user login via console, via SSH
- all users in AD
- Kerberos for authentication
- attribute retrieval, password policy enforcement
Current:
Kerberos
- I have the Kerberos configuration of my Solaris server working against AD
(using kclient)
Name services
- I can retrieve some attributes using
- getent passwd tus...@test.com
pam.conf
- I've set this up to use Kerberos for login, but this is not working
-----
<snipped>
-----
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
----
<snipped>
----
Q) Do I need to set up "ldapclient" for this to work?
thank you
sundeep
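The thread describes scripts that query the uid, primary gid and secondary gids an AD user gets on the Solaris side (via getent) and then run with those permissions. The following check script is an added example, not code from the thread or from any of the posters: it validates that the passwd entry returned for an AD account actually carries numeric POSIX ids (the uidNumber/gidNumber attributes that IDMU/SFU populate) and collects the secondary gids from group entries. The user name and entries below are constructed samples, not real output.

```shell
#!/bin/sh
# Added example: sanity-check getent-style passwd/group entries for an AD
# account before trusting them for login. All sample data is constructed.

# Constructed sample of what `getent passwd` / `getent group` might return for
# a hypothetical AD user whose uidNumber/gidNumber attributes are populated.
SAMPLE_PASSWD='tuser@example.test:x:10001:10001:Test User:/home/tuser:/bin/bash'
SAMPLE_GROUPS='unixadmins:x:10002:tuser@example.test,other
developers:x:10003:other
qa:x:10004:tuser@example.test'

# posix_fields LINE -> prints "uid gid" when the entry has numeric uid/gid and a
# home/shell; returns 1 otherwise (what an AD user with no POSIX attributes
# set looks like, and a login that must not be allowed to proceed).
posix_fields() {
    line=$1
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    gid=$(printf '%s\n' "$line" | cut -d: -f4)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    case $uid in ''|*[!0-9]*) return 1 ;; esac
    case $gid in ''|*[!0-9]*) return 1 ;; esac
    [ -n "$home" ] && [ -n "$shell" ] || return 1
    printf '%s %s\n' "$uid" "$gid"
}

# secondary_gids USER GROUPLINES -> space-separated gids of every group whose
# member list (4th field) names USER; empty when the user is in no group.
secondary_gids() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) { printf "%s%s", sep, $3; sep = " " } }
        END { print "" }'
}

# Run the checks against the constructed samples.
if ids=$(posix_fields "$SAMPLE_PASSWD"); then
    echo "POSIX ids present: $ids"
else
    echo "no numeric uid/gid in passwd entry; POSIX attributes missing in AD?"
fi
echo "secondary gids: $(secondary_gids 'tuser@example.test' "$SAMPLE_GROUPS")"
```

On a real host, feed the functions the output of `getent passwd "$user"` and `getent group` instead of the samples.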
On 05/13/10 11:01 AM, Jordan Brown wrote:
sundeep dhall wrote:
Afshin,
I checked with my customer on this.
It seems they are interested in being able to delegate authentication
to the Solaris server to AD using Kerberos, and
on the Solaris server they have scripts that would query the uid,
primary gid and secondary gids for the user
and then execute using those permissions.
I am not sure that I fully understand the customer's needs, but it
seems like they're reinventing our existing LDAP and Kerberos
infrastructure.
If you just want to be able to log in using account information stored
in AD, you don't have to write any scripts. You just have to
configure your AD correctly (with IDMU) and set up LDAP and Kerberos
on the Solaris system. That's not as easy as it should be, but it can
be done.
Today they use Samba to achieve the authentication portion.
They do not need access to Samba-like shares on the Solaris server.
Is this narrow requirement set possible in the current implementation
using b134?
- If so, would I only need to use the "kclient" script to set up the
authentication to AD?
sundeep
On 5/11/2010 5:21 PM, Afshin Salek wrote:
Afshin
On 05/11/10 02:54 PM, sundeep dhall wrote:
Afshin,
I am coming to grips with the various terms, so please bear with me.
What I want to currently prototype is the following:
- osol server authentication using Kerberos against AD. User repo only
on AD
- retrieval of user and group attributes from AD.
-- i.e. getent or other similar calls on Solaris would give me the uid,
gid set on AD
- password resets done on AD would be reflected on the osol side when
the user attempts to authenticate.
It seems that this setup was originally done using a script called
ADjoin (now deprecated) and is now done via kclient.
Q) Does this much work today? Either in 2009.06 or later?
I am presuming that what you describe as not currently supported is the
following:
- AD is domain controller and is used for authentication
- OpenSolaris server is a CIFS (SMB) server operating in domain mode
Yes, that is what I'm referring to. So I'm not sure what you are
referring to as "osol server authentication using kerberos against AD".
Is there any SMB file access involved here in your prototype? What kind
of access to Osol are you trying to authenticate against AD using
Kerberos?
If that is so, then I presume that the CIFS capability works today in
workgroup mode where the user repository is on the osol side.
No AD or Kerberos is involved in workgroup mode. The SMB server
performs the authentication against the local /var/smb/smbpasswd.
Afshin
Please validate
thank you
sundeep
On 05/11/10 04:37 PM, Afshin Salek wrote:
Kerberos authentication for SMB users connecting to the Solaris SMB server
is under development, so it's not currently supported.
Afshin
On 05/11/10 02:27 PM, sundeep dhall wrote:
Hi Alan,
Thank you for the flag.
I am downloading b134 from genunix.org.
I have set up AD on Win2008r2 as well as DNS.
The intent is to show that users will be created in AD.
Once osol is integrated with AD as a Kerberos client for
authentication, users will be able to log in to osol via their auth
to AD.
I have skimmed through the docs on setting up a Kerberos client for AD:
http://docs.sun.com/app/docs/doc/819-3321/ggtwg?l=en&a=view
Q1) I am presuming that perhaps prior to this, the only step required on
the osol side would be to set up nsswitch.conf and resolv.conf.
Is that correct?
Q2) How does the CIFS setup in domain mode work in conjunction with the
above methodology?
http://docs.sun.com/app/docs/doc/820-2429/configuredomainmodetask?l=en&a=view
Is that a secondary step I could do to show CIFS file sharing, or do the
latter steps call kclient internally?
thank you
sundeep
On 05/11/10 03:20 PM, Alan Wright wrote:
On 05/11/10 08:34 AM, sundeep dhall wrote:
All,
Intent is to demonstrate OpenSolaris 2009.06 authentication with AD on
Win2008r2 and UID, GID access based on user creation in AD.
For use with Windows, it would be better to upgrade to something
more recent than OpenSolaris 2009.06. The SMB support in 2009.06
is broken.
Alan
I am reading up on the following for kclient:
http://docs.sun.com/app/docs/doc/819-3321/setup-341?a=view
But my question is more on the AD side.
I have set up AD on the demo machine.
Q) In 2003, there was an SFU that enabled the AD to have the schema
for Unix.
Is a similar setting required for 2008?
Pointers to where this needs to be done would be appreciated.
thank you
sundeep
_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss