Stuart Davidson wrote:

> Trying to change passwords on UNIX accounts stored in Win2K Active
> Directory... we have extracted the Solaris 2.6 passwd binary and replaced
> the 2.8 binary. However, we still get the following error:
>
> # passwd dav
> Permission denied
>
> The following is logged in /var/adm/messages:
>
> Mar 25 20:09:18 sun6.CPQUNIX.NET passwd[11637]: [ID 280705 user.error]
> pam_ldap: ldap_simple_bind Can't contact LDAP server
>
> Using truss on passwd appears to show a dialog with the Win2K system running
> Active Directory, Enterprise Certificate Authority via SSL, port 636. The
> reply from Win2K is read on fd 5 and possibly compared with the local client
> database read on fd 4. However, this leads to ldap_simple_bind failing.
>
> We have exported the Microsoft Enterprise Certificate Authority certificate
> from the Win2K system in base-64, DER and PKCS #7 format. The certificates
> have been copied to the Solaris system. The certutil executable has been
> copied from another Solaris system. However, attempts to add the
> certificates to the database on Solaris fail as follows:
>
> # ./certutil -d /etc/ssl/certs -A -n "CPQ UNIX ENTERPRISE CA" -t "C,C,C" -i cpqunix_der.cer
> certutil: failure authenticating to key database.
> : Security I/O error
>
> Questions
>
> 1. How do we update the certificate database on Solaris to include the Win2K
> Enterprise CA?
You did not provide a database password and were not prompted for one. I guess this would indicate the database does not have a password set. Try "certutil -W -d /etc/ssl/certs" and see if that allows you to set a password. Once you have done that, attempt to add the cert as above.

-Ian
