[TriLUG] Solaris and Active Directory

Keith Woodie kwoodie at gmail.com
Thu Feb 17 10:16:39 EST 2011


If you could afford a commercial product, I know from first-hand experience
that Centrify is a great product that uses PAM to authenticate against AD.
We currently use it where I work and I love having the same password on all
UNIX and Windows machines.

It supports most UNIX platforms including Solaris (listed under Oracle
Solaris).

http://www.centrify.com/directcontrol/directcontrol-supported-platforms.asp


Keith Woodie


On Thu, Feb 17, 2011 at 9:35 AM, Matt Pusateri <mpusateri at wickedtrails.com> wrote:

> Stan,
>
> Two ways I can see this working.  First, it helps if you know what NIS maps
> you are trying to recreate (password, hosts, mount points, etc.) b/c some
> maps may be easier to replace than others.
>
> Option A: AD serves as an LDAP server to Solaris.  Solaris is configured to
> just point at AD as its LDAP server for authentication; this would handle
> your passwd/groups auth.   Hosts are another story; I assume you just move
> to using DNS for that.   Mount points, not sure how AD would store mount
> points.  But googling for "ldap solaris autofs" yields results, so if AD can
> serve the mount points up via LDAP, Solaris should be able to mount them.  A
> long time ago there was Microsoft Services For Unix (SFU), which extended
> the AD schema to include things like InetOrgPerson.  Not sure if this still
> exists and/or is needed with the current state of AD.  Most AD admins don't
> like extending the schema, or so it seems.  One of the first things I would
> do is get a test Solaris box up that I would try to point at my AD server
> like it's any other LDAP server and see if I can get Auth working.
>
> Option B:  Host a Unix-based LDAP server that removes the AD uniqueness and
> gives your Solaris boxes an LDAP environment they expect.   I remember
> reading that the Fedora Directory Server, which I think used to be the
> Netscape Directory Server, can act as a slave to AD (with some AD schema
> extensions), so that native AD users and groups can be used in your *nix
> environment.   I've been wanting to see how well that works, but alas I have
> no AD server at work to deal with.
>
>
>
> Matt P.
>
> On Feb 16, 2011, at 6:01 PM, stan briggs wrote:
>
> > Matt, et. al.,
> > I don't think that your experience is directly applicable to what I am
> > trying to do. I do not want to add these Solaris machines as domain
> > controllers or even share their filesystems via samba. I kinda' want
> > to do what my item 2, below, describes but take it further to include
> > all of the NIS maps that I currently have to be serviced via LDAP
> > (read AD) on the windows domain controller. I have been assured,
> > off-list, that this can happen. Now I just have to figure out how to
> > get all of those other maps in service.
> > Your experience, though, still may be of general interest to the group.
> > Stan
> >
> > On Wednesday, February 16, 2011, Matt Flyer <matt at noway2.thruhere.net> wrote:
> >> I've noticed that this thread isn't getting a huge response.   I am not
> >> sure if what I have to contribute is exactly along the lines of what you
> >> are looking for, but I do have a little bit of experience along these
> >> lines and may be able to help answer a few questions.
> >>
> >> At work, I came into an already active AD system and wanted to integrate
> >> a Linux machine into it.  The AD system already consisted of three
> >> "domain controllers" of the domain that I wanted to make the machine a
> >> part of.  Combining the Linux and AD systems required the use of Samba
> >> for Windows networking compatibility, LDAP as the authentication
> >> mechanism, and Kerberos to allow the pieces to talk to each other.
> >>
> >> The biggest challenge I faced was not having a clue as to what I was
> >> doing and I found a few helpful documents that I will forward to this
> >> list.  I don't have them on this machine, so I will need to send them as
> >> a separate reply.   The second challenge was getting each of the three
> >> pieces compiled with support for the proper components.  It turned out
> >> that the default package editions of Samba and LDAP didn't support
> >> Kerberos.  Consequently, I needed to recompile each of these
> >> applications from source and adjust the configurations.  ./configure
> >> --help was useful here because it showed me whether or not the packages
> >> had support for Kerberos and LDAP (I can't recall which comes first,
> >> but the how-to I think I have does).
> >>
> >> Once I had these applications installed, it was fairly simple for
> >> everything to work and I was able to get the system to join the domain
> >> with a couple of commands in a terminal.  I did get some error responses
> >> at first and had to pay close attention to the logs and resolve any
> >> errors that showed up in them.
> >>
> >> One other thing that was required was having Administrative privilege on
> >> the Domain, which is beyond having administrator rights on a windows PC.
> >> This user account is required for most of the commands.
> >>
> >> There are a few limitations of what Samba can do as a domain controller.
> >> I think it can act as a primary domain controller, but not a secondary
> >> domain controller, though the next version is supposedly going to
> >> improve upon this.  Consequently, if you want multiple domain
> >> controllers you will probably need to use Windows for those.
> >>
> >> I really didn't have to get into the inner workings of LDAP and Kerberos
> >> for this to work.  It all pretty much took care of itself.
> >> If you have any implementation questions, I would be happy to try and
> >> answer them, if I can.
> >>
> >>
> >> On Wed, 2011-02-16 at 14:16 -0500, stan briggs wrote:
> >>
> >>> all,
> >>>
> >>> yes, i did just go there.
> >>>
> >>> for reasons that i really don't want to get into i've been asked to look
> >>> into using MS' Active Directory for our Solaris server's LDAP back-end (to
> >>> replace NIS). so, let me ask, right up front, "has anyone done this?". now
> >>> let me define what "this" is and why i'm feeling kinda' stuck.
> >>>
> >>>    1. i've been able to find some good sites that describe replacing NIS
> >>>    with AD (http://technet.microsoft.com/en-us/library/cc782811%28WS.10%29.aspx
> >>>    is probably one of the best ones). but this just replaces NIS services on a
> >>>    Solaris box with NIS services on a Windows AD server. it does not replace
> >>>    NIS.
> >>>    2. i've been able to find some good sites that describe using AD as an
> >>>    LDAP backend for user authentication
> >>>    (http://wikis.sun.com/display/SecureGlobalDesktop/HOWTO+Use+Active+Directory+as+a+Solaris+Authentication+Source
> >>>    is a good reference for that). it even does a good job of describing the
> >>>    necessary kerberos implementation. since i'm not intimate with LDAP (yes,
> >>>    i'm embarrassed) i'm not sure if or how maps like the maps that automount
> >>>    uses (auto_master and auto_home) get deployed in LDAP.
> >>>
> >>> so, there is my quandary. can anyone make suggestions or point to
> >>> documentation of successful deployments?
> >>> thanks,
> >>> stan
> >>>
> >>
> >>
> >> --
> >> This message was sent to: stan b. briggs <stanbriggs at gmail.com>
> >> To unsubscribe, send a blank message to trilug-leave at trilug.org from
> that address.
> >> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >> Unsubscribe or edit options on the web  :
> http://www.trilug.org/mailman/options/trilug/stanbriggs%40gmail.com
> >> TriLUG FAQ          :
> http://www.trilug.org/wiki/Frequently_Asked_Questions
> >>
> >
> > --
> > Stan B. Briggs
> > +1-919-414-9513 | facebook <http://www.facebook.com/profile.php?id=1500439749>
> > | LinkedIn <http://www.linkedin.com/profile/view?id=22227960&locale=en_US&trk=tab_pro>
> > +++++++++++++++++++
> > Little tiny dreams require little tiny thoughts and little tiny steps.
> > Great big dreams require great big thoughts and little tiny steps.
> > +++++++++++++++++++
>
>
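Stan's question about how auto_master and auto_home get deployed in LDAP, and Matt's Option A (have the directory serve the mount points up via LDAP), both come down to publishing each NIS map as directory entries. As an added example, not code from any poster in the thread, this Python script turns a NIS-style automount map into LDIF using the automountMap/automount object classes the Solaris LDAP client looks up by default; the base DN, NFS host name and map contents are constructed placeholders.

```python
# Added example (not from any poster): convert a NIS-style automount map into
# LDIF using the automountMap / automount object classes that the Solaris LDAP
# client looks up by default. Base DN and map text are constructed samples.
import re

# RFC 4514 characters that must be escaped inside an RDN value, so a map key
# cannot alter the DN of the entry being written.
DN_SPECIAL = re.compile(r'([,+"\\<>;=])')

def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514."""
    out = DN_SPECIAL.sub(r'\\\1', value)
    if out.endswith(' '):            # trailing space
        out = out[:-1] + '\\ '
    if out[:1] in ('#', ' '):        # leading '#' or space
        out = '\\' + out
    return out

def parse_map(text: str):
    """Yield (key, information) pairs; comments, blank lines and '+map'
    include directives are skipped, whitespace in the info field normalised."""
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('+'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            yield parts[0], ' '.join(parts[1].split())

def map_to_ldif(map_name: str, text: str, base_dn: str) -> str:
    """Return LDIF for one map: the container entry plus one entry per key."""
    map_dn = f'automountMapName={escape_rdn_value(map_name)},{base_dn}'
    blocks = [f'dn: {map_dn}\nobjectClass: top\nobjectClass: automountMap\n'
              f'automountMapName: {map_name}\n']
    for key, info in parse_map(text):
        blocks.append(f'dn: automountKey={escape_rdn_value(key)},{map_dn}\n'
                      'objectClass: top\nobjectClass: automount\n'
                      f'automountKey: {key}\nautomountInformation: {info}\n')
    return '\n'.join(blocks)

# Constructed sample auto_home map, as ypcat -k would print it.
AUTO_HOME = """\
# home directories on the NFS host
stan    nfshost:/export/home/stan
matt    -rw,nosuid   nfshost:/export/home/matt
+auto_home
"""

if __name__ == '__main__':
    print(map_to_ldif('auto_home', AUTO_HOME, 'ou=automount,dc=example,dc=com'))
```

Whether AD will accept these object classes as-is depends on which UNIX schema extensions (such as the SFU ones Matt mentions) are installed; if the directory carries different classes, the Solaris client's objectclassMap/attributeMap settings have to be pointed at those instead.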


