[TriLUG] Solaris and Active Directory

Matt Pusateri mpusateri at wickedtrails.com
Thu Feb 17 09:35:05 EST 2011


Stan,

Two ways I can see this working.  First it helps if you know what NIS maps you are trying to recreate (password, hosts, mount points, etc.) b/c some maps may be easier to replace than others.

Option A: AD serves as an LDAP server to Solaris.  Solaris is configured to just point at AD as its LDAP server for authentication; this would handle your passwd/groups auth.   Hosts are another story, I assume; you just move to using DNS for that.   Mount points, not sure how AD would store mount points.  But googling for "ldap solaris autofs" yields results so, if AD can serve the mount points up via LDAP, Solaris should be able to mount them.  A long time ago there was Microsoft Services For Unix (SFU), which extended the AD schema to include things like InetOrgPerson.  Not sure if this still exists and/or is needed with the current state of AD.  Most AD admins don't like extending the schema, or so it seems.  One of the first things I would do is get a test Solaris box up, that I would try to point at my AD server like it's any other LDAP server and see if I can get auth working.

Option B:  Host a Unix based LDAP server that removes the AD uniqueness and gives your Solaris boxes an LDAP environment they expect.   I remember reading that the Fedora Directory Server, which I think used to be the Netscape Directory Server, can act as a slave to AD (with some AD schema extensions), so that native AD users and groups can be used in your *nix environment.   I've been wanting to see how well that works, but alas I have no AD server at work in which to deal with.



Matt P.
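Stan's open question is how automount maps like auto_master and auto_home get deployed in LDAP. As an added example (not code from anyone on this thread), the script below converts NIS-style map text into LDIF entries using the automountMap/automount object classes the Solaris LDAP client reads; the base DN and the sample maps are constructed, and the directory (AD with schema extensions, or a Unix LDAP server per Option B) is assumed to have that schema loaded. Map keys are escaped before they are placed in a DN so a stray comma or plus in a key cannot change which entry gets written.

```python
# Added example (not from the thread): convert NIS-style automount maps into LDIF
# for the automountMap/automount object classes. Base DN and data are constructed.
BASE_DN = "dc=example,dc=com"  # assumption: your directory's base DN

AUTO_MASTER = """\
# constructed auto_master
/net    -hosts      -nosuid,nobrowse
/home   auto_home   -nobrowse
"""
AUTO_HOME = """\
# constructed auto_home; a trailing backslash continues a line, as in NIS maps
*     -rw,intr   nfshome.example.com:/export/home/&
bob   -rw \\
      fileserv.example.com:/export/bob
"""

def dn_escape(value):
    """Escape RFC 4514 special characters so a map key cannot alter the DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def parse_map(text):
    """Parse map text into (key, information) pairs, joining continued lines."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):           # continuation: stash and keep reading
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed map line: {line!r}")
        entries.append((parts[0], " ".join(parts[1].split())))
    return entries

def map_dn(map_name):
    return f"automountMapName={dn_escape(map_name)},{BASE_DN}"

def to_ldif(map_name, text):
    """Render one map as LDIF: a container entry plus one entry per key."""
    lines = [f"dn: {map_dn(map_name)}", "objectClass: top",
             "objectClass: automountMap", f"automountMapName: {map_name}", ""]
    for key, info in parse_map(text):
        lines += [f"dn: automountKey={dn_escape(key)},{map_dn(map_name)}",
                  "objectClass: top", "objectClass: automount",
                  f"automountKey: {key}", f"automountInformation: {info}", ""]
    return "\n".join(lines)
```

Feed the output of `to_ldif("auto_master", AUTO_MASTER)` and `to_ldif("auto_home", AUTO_HOME)` to `ldapadd`, then point the Solaris client's automount lookups at LDAP.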

On Feb 16, 2011, at 6:01 PM, stan briggs wrote:

> Matt, et. al.,
> I don't think that your experience is directly applicable to what I am
> trying to do. I do not want to add these Solaris machines as domain
> controllers or even share their filesystems via samba. I kinda' want
> to do what my item 2, below, describes but take it further to include
> all of the NIS maps that I currently have to be serviced via LDAP
> (read AD) on the windows domain controller. I have been assured,
> off-list, that this can happen. Now I just have to figure out how to
> get all of those other maps in service.
> Your experience, though, still may be of general interest to the group.
> Stan
> 
> On Wednesday, February 16, 2011, Matt Flyer <matt at noway2.thruhere.net> wrote:
>> I've noticed that this thread isn't getting a huge response.   I am not
>> sure if what I have to contribute is exactly along the lines of what you
>> are looking for, but I do have a little bit of experience along these
>> lines and may be able to help answer a few questions.
>> 
>> At work, I came into a already active AD system and wanted to integrate
>> a Linux machine into it.  The AD system already consisted of three
>> "domain controllers" of the domain that I wanted to make the machine a
>> part of.  Combining the Linux and AD systems required the use of Samba
>> for Windows networking compatibility, LDAP as the authentication
>> mechanism, and Kerberos to allow the pieces to talk to each other.
>> 
>> The biggest challenge I faced was not having a clue as to what I was
>> doing and I found a few helpful documents that I will forward to this
>> list.  I don't have them on this machine, so I will need to send them as
>> a separate reply.   The second challenge was getting each of the three
>> pieces compiled with support for the proper components.  It turned out
>> that the default package editions of Samba and Ldap didn't support
>> Kerberos.  Consequently, I needed to recompile each of these
>> applications from source and adjust the configurations.  ./configure
>> --help was useful here because it showed me whether or not the packages
>> had support for Kerberos and LDAP (I can't recall which comes first,
>> but the how to I think I have does).
>> 
>> Once I had these applications installed, it was fairly simple for
>> everything to work and I was able to get the system to join the domain
>> with a couple of commands in a terminal.  I did get some error responses
>> at first and had to pay close attention to the logs and resolve any
>> errors that showed up in them.
>> 
>> One other thing that was required was having Administrative privilege on
>> the Domain, which is beyond having administrator rights on a windows PC.
>> This user account is required for most of the commands.
>> 
>> There are a few limitations of what Samba can do as a domain controller.
>> I think it can act as a primary domain controller, but not a secondary
>> domain controller, though the next version is supposedly going to
>> improve upon this.  Consequently, if you want multiple domain
>> controllers you will probably need to use Windows for those.
>> 
>> I really didn't have to get into the inner workings of LDAP and Kerberos
>> for this to work.  It all pretty much took care of itself.
>> If you have any implementation questions, I would be happy to try and
>> answer them, if I can.
>> 
>> 
>> On Wed, 2011-02-16 at 14:16 -0500, stan briggs wrote:
>> 
>>> all,
>>> 
>>> yes, i did just go there.
>>> 
>>> for reasons that i really don't want to get into i've been asked to look
>>> into using MS' Active Directory for our Solaris server's LDAP back-end (to
>>> replace NIS). so, let me ask, right up front, "has anyone done this?". now
>>> let me define what "this" is and why i'm feeling kinda' stuck.
>>> 
>>>    1. i've been able to find some good sites that describe replacing NIS
>>>    with AD (
>>>    http://technet.microsoft.com/en-us/library/cc782811%28WS.10%29.aspx is
>>>    probably one of the best ones. but this just replaces NIS services on a
>>>    Solaris box with NIS services on a Windows AD server. it does not replace
>>>    NIS.
>>>    2. i've been able to find some good sites that describe using AD as an
>>>    LDAP backend for user authentication (
>>>    http://wikis.sun.com/display/SecureGlobalDesktop/HOWTO+Use+Active+Directory+as+a+Solaris+Authentication+Source
>>>    is a good reference for that). it even does a good job of describing the
>>>    necessary kerberos implementation. since i'm not intimate with LDAP (yes,
>>>    i'm embarrassed) i'm not sure if or how maps like the maps that automount
>>>    uses (auto_master and auto_home) get deployed in LDAP.
>>> 
>>> so, there is my quandary. can anyone make suggestions or point to
>>> documentation of successful deployments?
>>> thanks,
>>> stan
>>> 
>> 
>> 
>> --
>> This message was sent to: stan b. briggs <stanbriggs at gmail.com>
>> To unsubscribe, send a blank message to trilug-leave at trilug.org from that address.
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> Unsubscribe or edit options on the web  : http://www.trilug.org/mailman/options/trilug/stanbriggs%40gmail.com
>> TriLUG FAQ          : http://www.trilug.org/wiki/Frequently_Asked_Questions
>> 
> 
> -- 
> Stan B. Briggs
> +1-919-414-9513 | facebook<http://www.facebook.com/profile.php?id=1500439749>
> | LinkedIn<http://www.linkedin.com/profile/view?id=22227960&locale=en_US&trk=tab_pro>
> +++++++++++++++++++
> Little tiny dreams require little tiny thoughts and little tiny steps.
> Great big dreams require great big thoughts and little tiny steps.
> +++++++++++++++++++