[TriLUG] Solaris and Active Directory

Matt Flyer matt at noway2.thruhere.net
Wed Feb 16 17:46:03 EST 2011


I've noticed that this thread isn't getting a huge response.   I am not
sure if what I have to contribute is exactly along the lines of what you
are looking for, but I do have a little bit of experience along these
lines and may be able to help answer a few questions. 

At work, I came into an already active AD system and wanted to integrate
a Linux machine into it.  The AD system already consisted of three
"domain controllers" of the domain that I wanted to make the machine a
part of.  Combining the Linux and AD systems required the use of Samba
for Windows networking compatibility, LDAP as the authentication
mechanism, and Kerberos to allow the pieces to talk to each other. 

The biggest challenge I faced was not having a clue as to what I was
doing and I found a few helpful documents that I will forward to this
list.  I don't have them on this machine, so I will need to send them as
a separate reply.   The second challenge was getting each of the three
pieces compiled with support for the proper components.  It turned out
that the default package editions of Samba and LDAP didn't support
Kerberos.  Consequently, I needed to recompile each of these
applications from source and adjust the configurations.  ./configure
--help was useful here because it showed me whether or not the packages
had support for Kerberos and LDAP (I can't recall which comes first,
but the how-to I think I have does).

Once I had these applications installed, it was fairly simple for
everything to work and I was able to get the system to join the domain
with a couple of commands in a terminal.  I did get some error responses
at first and had to pay close attention to the logs and resolve any
errors that showed up in them.  

One other thing that was required was having Administrative privilege on
the Domain, which is beyond having administrator rights on a Windows PC.
This user account is required for most of the commands.  

There are a few limitations of what Samba can do as a domain controller.
I think it can act as a primary domain controller, but not a secondary
domain controller, though the next version is supposedly going to
improve upon this.  Consequently, if you want multiple domain
controllers you will probably need to use Windows for those.

I really didn't have to get into the inner workings of LDAP and Kerberos
for this to work.  It all pretty much took care of itself.
If you have any implementation questions, I would be happy to try and
answer them, if I can.


On Wed, 2011-02-16 at 14:16 -0500, stan briggs wrote:

> all,
> 
> yes, i did just go there.
> 
> for reasons that i really don't want to get into i've been asked to look
> into using MS' Active Directory for our Solaris server's LDAP back-end (to
> replace NIS). so, let me ask, right up front, "has anyone done this?". now
> let me define what "this" is and why i'm feeling kinda' stuck.
> 
>    1. i've been able to find some good sites that describe replacing NIS
>    with AD (
>    http://technet.microsoft.com/en-us/library/cc782811%28WS.10%29.aspx is
>    probably one of the best ones. but this just replaces NIS services on a
>    Solaris box with NIS services on a Windows AD server. it does not replace
>    NIS.
>    2. i've been able to find some good sites that describe using AD as an
>    LDAP backend for user authentication (
>    http://wikis.sun.com/display/SecureGlobalDesktop/HOWTO+Use+Active+Directory+as+a+Solaris+Authentication+Source
>    is a good reference for that). it even does a good job of describing the
>    necessary kerberos implementation. since i'm not intimate with LDAP (yes,
>    i'm embarrassed) i'm not sure if or how maps like the maps that automount
>    uses (auto_master and auto_home) get deployed in LDAP.
> 
> so, there is my quandary. can anyone make suggestions or point to
> documentation of successful deployments?
> thanks,
> stan
> 
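Stan's open question above is how automount maps such as auto_master and auto_home end up in LDAP. The script below is an added example written for this thread, not code from either poster: it parses maps in the flat-file syntax and emits LDIF entries using the RFC 2307 NIS schema (objectClasses nisMap and nisObject with attributes nisMapName, cn and nisMapEntry), which is what the Solaris automount LDAP client expects by default and which Active Directory exposes once Identity Management for UNIX / Server for NIS is installed. The base DN ou=automount,dc=example,dc=com, the host names and the map contents are constructed; the rdn_attr switch exists because plain RFC 2307 directories name the container nisMapName=... while AD fixes the RDN attribute per class (cn=...).

```python
"""Convert flat automounter maps (auto_master / auto_home syntax) into LDIF.

Added example for this thread, not code from either poster.  Assumptions:
  * the RFC 2307 NIS schema (nisMap / nisObject, attributes nisMapName,
    cn, nisMapEntry), used by the Solaris automount LDAP client by default
    and available in AD with Identity Management for UNIX / Server for NIS;
  * the base DN "ou=automount,dc=example,dc=com", which is made up;
  * the map contents below, which are constructed sample data.
"""
import base64
from typing import List, Tuple

# Constructed sample maps in the same syntax as the flat files on a Solaris box.
AUTO_MASTER = """\
# Master map for automounter
+auto_master
/net    -hosts      -nosuid,nobrowse
/home   auto_home   -nobrowse
"""

AUTO_HOME = """\
# key   [mount options]   location
alice   -rw,nosuid        fileserver:/export/home/alice
bob                       fileserver:/export/home/bob
*                         fileserver:/export/home/&
"""


def parse_map(text: str) -> List[Tuple[str, str]]:
    """Return (key, entry) pairs from a flat automount map.

    Comments and blank lines are dropped.  A '+map' line only tells the local
    automounter to consult the name service for that map; it has no meaning
    inside the directory, so it is skipped rather than turned into an entry.
    Whitespace inside the entry is normalised to single spaces.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("+"):
            continue
        parts = line.split(None, 1)
        entry = " ".join(parts[1].split()) if len(parts) > 1 else ""
        pairs.append((parts[0], entry))
    return pairs


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 section 2.4).

    '*' and '/' need no escaping, so keys such as '*' and '/home' pass through.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;=' or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr(name: str, value: str) -> str:
    """Format one 'name: value' LDIF line, base64-encoding the value when LDIF
    (RFC 2849) would otherwise misparse it: a leading space, ':' or '<', or
    any control / non-ASCII character."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) < 32 or ord(c) > 127 for c in value)
    if unsafe_start or unsafe_chars:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{name}:: {encoded}"
    return f"{name}: {value}"


def map_to_ldif(map_name: str, text: str, base_dn: str,
                rdn_attr: str = "nisMapName") -> str:
    """Emit one nisMap container plus one nisObject per map entry.

    rdn_attr="nisMapName" matches plain RFC 2307 directories; pass "cn" for
    Active Directory, which fixes the RDN attribute per class (a cn attribute
    is then emitted alongside nisMapName).
    """
    map_dn = f"{rdn_attr}={escape_dn_value(map_name)},{base_dn}"
    lines = [f"dn: {map_dn}", "objectClass: top", "objectClass: nisMap",
             ldif_attr("nisMapName", map_name)]
    if rdn_attr != "nisMapName":
        lines.append(ldif_attr(rdn_attr, map_name))
    lines.append("")
    for key, entry in parse_map(text):
        if not entry:
            # nisMapEntry is mandatory on nisObject: a key without a location
            # cannot be represented, so report it instead of dropping it.
            raise ValueError(f"{map_name}: key {key!r} has no entry")
        lines += [f"dn: cn={escape_dn_value(key)},{map_dn}",
                  "objectClass: top", "objectClass: nisObject",
                  ldif_attr("cn", key),
                  ldif_attr("nisMapName", map_name),
                  ldif_attr("nisMapEntry", entry), ""]
    return "\n".join(lines)


def build_ldif(base_dn: str = "ou=automount,dc=example,dc=com",
               rdn_attr: str = "nisMapName") -> str:
    """LDIF for both constructed maps under the (made-up) base DN."""
    maps = (("auto_master", AUTO_MASTER), ("auto_home", AUTO_HOME))
    return "\n".join(map_to_ldif(n, t, base_dn, rdn_attr) for n, t in maps)


if __name__ == "__main__":
    print(build_ldif())
```

The output loads with ldapadd on an RFC 2307 directory or, with rdn_attr="cn", with ldifde -i on a domain controller; the Solaris client then needs to be pointed at the container (for example via ldapclient's serviceSearchDescriptor for each auto_* map) and nsswitch.conf's automount line set to consult ldap. Because the "+auto_master" include line is meaningless in the directory, the parser skips it instead of producing an entry with an empty, and therefore invalid, nisMapEntry.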