Solaris 10 authenticate against Windows 2008 ADS Kerberos and LDAP

From: Bruce Shaw (Bruce.Shaw@gov.ab.ca)
Date: Wed Feb 20 2008 - 15:23:21 EST


I'm attempting to get Solaris 10 to authenticate users against a Windows
2008 Active Directory Server.

It's been suggested that Kerberos be used for authentication and LDAP to
retrieve group, home directory etc. information.

I've got the Kerberos bit working. That's not the problem. In ADS I've
got a computer account for the Solaris server, some UNIX groups, some
UNIX users with their UIDs, GIDs and home directories set.

Let's pretend we've got:

-an ADS server called "foo" or "foo.ca"
-a proxyuser for LDAP
-a client computer called "bar"
-a domain FOO.CA

Here's how Kerberos got set up:

#ktpass -princ host/bar.ca@FOO.CA -rndPass -out key.keytab -mapuser bar$@FOO.CA -ptype KRB5_NT_SRV_HST -pass Hello.K1tty

I transferred the file over to Solaris and successfully did a kinit and
klist.

Then I tried to get LDAP working.

This works.

#ldapsearch -v -h foo -D "CN=proxyuser,CN=Users,DC=foo,DC=ca" -b "dc=foo,dc=ca" "objectclass=*"

I created a file to run ldapclient:

ldapclient -v manual \
        -a credentialLevel=proxy \
        -a authenticationMethod=simple \
        -a proxyDN=cn=proxyuser,cn=Users,dc=foo,dc=ca \
        -a proxyPassword=Harry.P0tter \
        -a defaultSearchBase=dc=foo,dc=ca \
        -a domainName=goat.dst.gov.ab.ca \
        -a serviceSearchDescriptor=passwd:dc=foo,dc=ca?sub \
        -a serviceSearchDescriptor=group:dc=foo,dc=ca?sub \
        -a defaultServerList=192.168.232.136

I've also tried adding:

        -a attributeMap=group:userpassword=userPassword \
        -a attributeMap=group:memberuid=memberUid \
        -a attributeMap=group:gidnumber=gidNumber \
        -a attributeMap=passwd:gecos=cn \
        -a attributeMap=passwd:gidnumber=gidNumber \
        -a attributeMap=passwd:uidnumber=uidNumber \
        -a attributeMap=passwd:homedirectory=unixHomeDirectory \
        -a attributeMap=passwd:loginshell=loginShell \
        -a attributeMap=shadow:shadowflag=shadowFlag \
        -a attributeMap=shadow:userpassword=userPassword \
        -a objectClassMap=group:posixGroup=group \
        -a objectClassMap=passwd:posixAccount=user \
        -a objectClassMap=shadow:shadowAccount=user \

This apparently worked:

# more cachemgr.log
Wed Feb 20 11:20:14.3535 Starting ldap_cachemgr, logfile /var/ldap/cachemgr.log
Wed Feb 20 11:20:14.4439 sig_ok_to_exit(): parent exiting...

# ./ldap_cachemgr -g

cachemgr configuration:
server debug level 0
server log file "/var/ldap/cachemgr.log"
number of calls to ldapcachemgr 94

cachemgr cache data statistics:
Configuration refresh information:
  Configured to NO REFRESH.
Server information:
  Previous refresh time: 2008/02/20 12:40:14
  Next refresh time: 2008/02/20 13:20:14
  server: 192.168.232.136, status: UP
Cache data information:
  Maximum cache entries: 256
  Number of cache entries: 0

Here are some files:

#more nsswitch.conf

passwd: files ldap
group: files ldap
hosts: files dns ldap
ipnodes: files ldap
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
tnrhtp: files ldap
tnrhdb: files ldap

#more pam.conf

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

############################################################################################

Finally, here's the problem.

#ldaplist
ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)

Unfortunately, nothing appears to be logged or displayed anywhere to
tell me WHAT critical extension.

snoop shows nothing exciting other than the server and ADS talking to
each other on port 389. No errors (at least on this run, there used to
be some before I added the serviceSearchDescriptor parameters).

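The attributeMap/objectClassMap options in the post are the part of the ldapclient configuration that decides whether an AD user object can be turned into a passwd entry at all. The script below is an added example (not the poster's script and not Solaris code): it applies the post's passwd maps, using the documented ldapclient rule `service:defaultName=mappedName`, to a constructed AD user object and shows the search filter and passwd line the client would produce. The AD_USER entry is constructed; the assumption that its RFC 2307 `uid` attribute is unpopulated, and the extra map `attributeMap=passwd:uid=sAMAccountName` tried in the second run, are this example's own, not something the post states.

```python
"""Simulate the schema mapping that Solaris ldapclient's attributeMap and
objectClassMap options apply to a passwd lookup against an AD entry.

Added example: not Solaris code and not the poster's script.  It follows
the documented ldapclient rule service:defaultName=mappedName and applies
it to a constructed AD user object.
"""
import re

# passwd(4) fields in order, with the RFC 2307 attribute the Solaris client
# reads each one from when no attributeMap overrides it.  The password field
# is rendered as "x": a proxy bind normally cannot read userPassword.
PASSWD_SCHEMA = [
    ("uid", "uid"),
    ("uidnumber", "uidNumber"),
    ("gidnumber", "gidNumber"),
    ("gecos", "gecos"),
    ("homedirectory", "homeDirectory"),
    ("loginshell", "loginShell"),
]

# The passwd-related maps exactly as given in the post (group/shadow omitted).
POST_MAPS = [
    "attributeMap=passwd:gecos=cn",
    "attributeMap=passwd:gidnumber=gidNumber",
    "attributeMap=passwd:uidnumber=uidNumber",
    "attributeMap=passwd:homedirectory=unixHomeDirectory",
    "attributeMap=passwd:loginshell=loginShell",
    "objectClassMap=passwd:posixAccount=user",
]

# Constructed AD user object: UNIX attributes filled in, but (assumption)
# nothing stored in the RFC 2307 `uid` attribute; the login name only lives
# in sAMAccountName.  Attribute names are lower-cased, as LDAP compares them.
AD_USER = {
    "objectclass": "user",
    "cn": "Bruce Shaw",
    "samaccountname": "bshaw",
    "uidnumber": "10001",
    "gidnumber": "10000",
    "unixhomedirectory": "/export/home/bshaw",
    "loginshell": "/bin/ksh",
}

_MAP_RE = re.compile(r"^(attributeMap|objectClassMap)=(\w+):([\w-]+)=([\w-]+)$")


def parse_maps(options):
    """Parse ldapclient -a attributeMap=/objectClassMap= strings.

    Returns (attr_maps, class_maps), each {service: {default_lower: mapped}}.
    LDAP attribute and class names are case-insensitive, so keys are lowered.
    """
    attr_maps, class_maps = {}, {}
    for opt in options:
        m = _MAP_RE.match(opt)
        if not m:
            raise ValueError("unparseable ldapclient option: %r" % opt)
        kind, service, default, mapped = m.groups()
        target = attr_maps if kind == "attributeMap" else class_maps
        target.setdefault(service, {})[default.lower()] = mapped
    return attr_maps, class_maps


def passwd_filter(username, attr_maps, class_maps):
    """Search filter the client emits for getpwnam(username) after mapping."""
    a = attr_maps.get("passwd", {})
    c = class_maps.get("passwd", {})
    return "(&(objectClass=%s)(%s=%s))" % (
        c.get("posixaccount", "posixAccount"), a.get("uid", "uid"), username)


def entry_to_passwd(entry, attr_maps):
    """Build a passwd line from an entry (dict, lower-cased attribute names).

    Returns (line, missing): `missing` names each passwd field whose mapped
    server attribute is absent from the entry, which is what a lookup that
    succeeds at the LDAP level but yields no usable user looks like.
    """
    a = attr_maps.get("passwd", {})
    values, missing = [], []
    for key, default in PASSWD_SCHEMA:
        server_attr = a.get(key, default).lower()
        value = entry.get(server_attr)
        if value is None:
            missing.append("%s (looked for %s)" % (default, server_attr))
        values.append(value or "")
    uid, uidn, gidn, gecos, home, shell = values
    return "%s:x:%s:%s:%s:%s:%s" % (uid, uidn, gidn, gecos, home, shell), missing


def simulate(options, username, entry):
    """Run the whole lookup: returns (filter, passwd_line, missing)."""
    attr_maps, class_maps = parse_maps(options)
    line, missing = entry_to_passwd(entry, attr_maps)
    return passwd_filter(username, attr_maps, class_maps), line, missing


if __name__ == "__main__":
    extra = ["attributeMap=passwd:uid=sAMAccountName"]  # assumed extra map
    for maps in (POST_MAPS, POST_MAPS + extra):
        flt, line, missing = simulate(maps, "bshaw", AD_USER)
        print(flt)
        print(line, ("MISSING: %s" % missing) if missing else "OK")
```

With the post's maps alone the filter is `(&(objectClass=user)(uid=bshaw))` and the passwd line has an empty login name, because nothing maps `uid`; with the extra map the filter matches on sAMAccountName and every field is populated. The same check is worth repeating for the group and shadow maps before blaming the server.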
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
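LDAP result code 12 (unavailableCriticalExtension) is the server's answer when a request carries a control flagged critical that the server does not implement, and the error never names the control. Two things identify it: the rootDSE of the domain controller lists what the server implements (`ldapsearch -h foo -b "" -s base "(objectclass=*)" supportedControl`), and the snoop capture of the failing search shows the controls the client attached and their criticality. The script below is an added example (not from the post, not Solaris code) of the comparison step. SAMPLE_ROOTDSE is a constructed, shortened LDIF; a real domain controller advertises many more controls. REQUESTED_CRITICAL is a hypothetical list standing in for whatever the snoop trace shows; the post does not say which controls the Solaris client sends.

```python
"""Compare an LDAP server's advertised controls (rootDSE supportedControl)
with the controls a client marks critical, to put a name on LDAP result
code 12, "Unavailable critical extension".

Added example, not from the post and not Solaris code.  SAMPLE_ROOTDSE is
constructed and shortened; REQUESTED_CRITICAL is a hypothetical client
request, to be replaced by what the snoop capture of the failing search shows.
"""
import base64

# Well-known control OIDs (RFC 2696, RFC 2891, the VLV and persistent search
# Internet-Drafts, MS-ADTS).
CONTROL_NAMES = {
    "1.2.840.113556.1.4.319": "Simple Paged Results",
    "1.2.840.113556.1.4.473": "Server-Side Sort (request)",
    "1.2.840.113556.1.4.474": "Server-Side Sort (response)",
    "2.16.840.1.113730.3.4.9": "Virtual List View (request)",
    "2.16.840.1.113730.3.4.10": "Virtual List View (response)",
    "2.16.840.1.113730.3.4.3": "Persistent Search",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT",
    "1.2.840.113556.1.4.1339": "Domain Scope",
    "1.2.840.113556.1.4.528": "AD Change Notification",
    "1.2.840.113556.1.4.417": "Show Deleted Objects",
}

# Constructed rootDSE excerpt of the shape a domain controller returns.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedLDAPVersion: 3
supportedLDAPVersion: 2
"""

# Hypothetical critical controls on the client's search request.
REQUESTED_CRITICAL = ["2.16.840.1.113730.3.4.9", "2.16.840.1.113730.3.4.3"]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]}.

    Handles RFC 2849 line folding (a continuation line starts with a space),
    skips comment lines and decodes base64 ("::") values.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line.strip():
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def supported_controls(rootdse_text):
    """Set of control OIDs the server advertises."""
    return set(parse_ldif_entry(rootdse_text).get("supportedcontrol", []))


def unsupported_critical(rootdse_text, requested):
    """[(oid, name)] for requested controls the server does not advertise.

    Per RFC 4511, a single unrecognised critical control is enough for the
    server to answer unavailableCriticalExtension (12).
    """
    have = supported_controls(rootdse_text)
    return [(oid, CONTROL_NAMES.get(oid, "unknown control"))
            for oid in requested if oid not in have]


if __name__ == "__main__":
    for oid in sorted(supported_controls(SAMPLE_ROOTDSE)):
        print("server supports %-28s %s" % (oid, CONTROL_NAMES.get(oid, "?")))
    for oid, name in unsupported_critical(SAMPLE_ROOTDSE, REQUESTED_CRITICAL):
        print("requested critical but NOT supported: %s (%s)" % (oid, name))
```

Feed it the real rootDSE output and the control OIDs read from the capture; the first OID reported as unsupported is the extension the error message declines to name.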



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:47 EDT