Wednesday, October 03, 2012

Solaris 11 Authentication Login with Active Directory

Password Authentication in Computer Science at Birkbeck was always very complicated for no reason. Over the years we had multiple passwords which always confused our students:  YP & Active Directory, then NIS & AD, then LDAP with password Sync with AD, but with Solaris 11 & Solaris 10 I was finally in a position to get this sorted out.

There are a lot of pages out there which help with this, but the best I found was http://www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory (this link does not seem to work now, so here is a cached version: https://web.archive.org/web/20151101112540/www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory), so please go ahead and follow this for more details. I have a cut-down version here for Solaris 11.

I will presume you have set up your Windows server (see the link above: "Install UNIX Schema into Active Directory" and "Create ProxyDN User Account").

Updated: Testing Section (30th October 2012)
Updated: Setup DNS Section (7th July 2014)
Updated: Kerberos testing "kinit -V" (29th January 2016) 
Updated: Setup LDAP client "followReferrals=false" (29th January 2016)
Updated: Setup PAM (29th January 2016)
Updated: Tested on Solaris 11.3 (29th January 2016) 

Settings being used:
Windows 2008 R2 AD servers = dcsad01 (193.61.1.1) and dcsad02 (193.61.2.2)
Domain = dcs.bbk.ac.uk
Kerberos Realm = DCS.BBK.AC.UK

Setup DNS

Check DNS and make sure domain & search are present
# cat /etc/resolv.conf
domain  dcs.bbk.ac.uk
search  dcs.bbk.ac.uk
nameserver      193.61.1.1
nameserver      193.61.2.2
Update service if required:
# sudo svccfg
svc:> select dns/client
svc:/network/dns/client> setprop config/domain = astring: "dcs.bbk.ac.uk"
svc:/network/dns/client> setprop config/search = astring: "dcs.bbk.ac.uk"
svc:/network/dns/client> setprop config/nameserver = net_address: (193.61.1.1  193.61.2.2)
svc:/network/dns/client> select dns/client:default
svc:/network/dns/client> refresh
svc:/network/dns/client> validate
svc:/network/dns/client> exit
Test that DNS and the AD servers are available:
Note 7th July 2014: from Solaris 11.1 SRU 19 onwards you need to add the domain name to the query, since (nslookup -querytype=any _ldap._tcp) on its own will fail:
# nslookup -querytype=any _ldap._tcp.dcs.bbk.ac.uk
Server:        193.61.1.1
Address:    193.61.1.1#53
_ldap._tcp.dcs.bbk.ac.uk    service = 0 100 389 dcsad02.dcs.bbk.ac.uk.
_ldap._tcp.dcs.bbk.ac.uk    service = 0 100 389 dcsad01.dcs.bbk.ac.uk.

# nslookup -querytype=any _gc._tcp.dcs.bbk.ac.uk
Server:        193.61.1.1
Address:    193.61.1.1#53
_gc._tcp.dcs.bbk.ac.uk    service = 0 100 3268 dcsad02.dcs.bbk.ac.uk.
_gc._tcp.dcs.bbk.ac.uk    service = 0 100 3268 dcsad01.dcs.bbk.ac.uk.

The following shows what DNS servers you have registered. In our case it had more hosts (old hosts) than I expected, so I did some housekeeping before continuing and deleted the old hosts.
# nslookup DomainDnsZones.dcs.bbk.ac.uk
Server:        193.61.1.1
Address:    193.61.1.1#53

Name:    DomainDnsZones.dcs.bbk.ac.uk
Address: 193.61.1.1
Name:    DomainDnsZones.dcs.bbk.ac.uk
Address: 193.61.2.2
Name:    DomainDnsZones.dcs.bbk.ac.uk
Address: 193.61.3.3

Setup Kerberos

Change /etc/krb5/krb5.conf to look like this:

# cat /etc/krb5/krb5.conf
#
#
# Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved.
#

# krb5.conf template
# In order to complete this configuration file
# you will need to replace the ____ placeholders
# with appropriate values for your network and uncomment the
# appropriate entries.
#
[libdefaults]
        default_realm = DCS.BBK.AC.UK
        dns_lookup_kdc = true
        verify_ap_req_nofail = false

[realms]
       DCS.BBK.AC.UK = {
                kdc = dcsad02.dcs.bbk.ac.uk
                kdc = dcsad01.dcs.bbk.ac.uk
                admin_server = dcsad01.dcs.bbk.ac.uk
                default_domain = dcs.bbk.ac.uk
        }

[domain_realm]
        .dcs.bbk.ac.uk = DCS.BBK.AC.UK
        dcs.bbk.ac.uk = DCS.BBK.AC.UK

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }
[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }
Test all has been successful by running the kinit command. After entering the Windows administrator password you should just get a prompt back.

# kinit -V administrator@DCS.BBK.AC.UK
Password for administrator@DCS.BBK.AC.UK:
kinit: no ktkt_warnd warning possible
Authenticated to Kerberos v5
#
Setup LDAP client

Now time to initialise the client with Active Directory:
- Pay attention to the parts you will need to modify for your site: the full path of the proxy user (proxyDN) and its proxy password, the domain name, the top-level search base, the IP addresses of the AD servers, and the domain name in the service search descriptors.

sudo ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=srv_ldapproxy,cn=Users,dc=dcs,dc=bbk,dc=ac,dc=uk \
-a proxyPassword=ClearTextPassword \
-a defaultSearchBase=dc=dcs,dc=bbk,dc=ac,dc=uk \
-a domainName=DCS.BBK.AC.UK \
-a "followReferrals=false" \
-a "defaultServerList=193.61.1.1,193.61.2.2" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=description \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:dc=dcs,dc=bbk,dc=ac,dc=uk?sub \
-a serviceSearchDescriptor=group:dc=dcs,dc=bbk,dc=ac,dc=uk?sub
System successfully configured
$ ldaplist
dn: CN=Builtin,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Computers,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=defaultMigrationContainer30,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=ForeignSecurityPrincipals,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Infrastructure,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=LostAndFound,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Managed Service Accounts,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Microsoft Exchange System Objects,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=OpsMgrLatencyMonitors,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Program Data,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=System,DC=dcs,DC=bbk,DC=ac,DC=uk
dn: CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk
* This may not work with Solaris 10, but should work with Solaris 11 and above:
$ ldaplist
ldaplist: Object not found (LDAP ERROR (12): Unavailable critical extension.)
$ domainname
DCS.BBK.AC.UK

Setup Name  Service Switch Configuration

So far so good, but you need to update /etc/nsswitch.conf. In my case I have ldap on passwd, group and automount. All other entries are set back to files.
# egrep "ldap|dns" /etc/nsswitch.conf
passwd:    files ldap
group:    files ldap
hosts:    files [SUCCESS=return] dns
ipnodes:    files [SUCCESS=return] dns
automount:    files ldap
# sudo svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> 
 setprop config/password = "files ldap"
 setprop config/group = "files ldap"
 setprop config/host = "files [SUCCESS=return] dns"
 setprop config/network = "files"
 setprop config/protocol = "files"
 setprop config/rpc = "files"
 setprop config/ether = "files"
 setprop config/netmask = "files"
 setprop config/bootparam = "files"
 setprop config/publickey = "files"
 setprop config/netgroup= "files"
 setprop config/automount = "files ldap"
 setprop config/alias = "files"
 setprop config/service = "files"
 setprop config/project = "files"
 setprop config/auth_attr = "files"
 setprop config/prof_attr = "files"
 setprop config/tnrhtp = "files"
 setprop config/tnrhdb = "files"
 setprop config/printer = "user files"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit
# sudo svcadm restart svc:/milestone/name-services:default
You can jump to Testing if you want to check that all has worked up to now.

Setup PAM modules
The final part is to alter the PAM modules so that people can log into this system. Again, the changes to the default stacks are the added pam_krb5.so.1 (auth) and pam_ldap.so.1 (account) lines.

   Setup /etc/pam.d/login (Only: Solaris 11.1 and above)
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# login service (explicit because of pam_dial_auth)
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth required           pam_dhkeys.so.1
auth required           pam_unix_auth.so.1

auth sufficient         pam_krb5.so.1           
auth required           pam_unix_cred.so.1
auth required           pam_dial_auth.so.1
   Setup /etc/pam.d/other (Only: Solaris 11.1 and above)
# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive      pam_user_policy.so.1
auth requisite       pam_authtok_get.so.1
auth required        pam_dhkeys.so.1
auth sufficient      pam_krb5.so.1
auth required        pam_unix_auth.so.1
auth required        pam_unix_cred.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
# pam_tsol_account(5) returns PAM_IGNORE if the system is not configured
# with Trusted Extensions (TX) enabled.  In TX environments some PAM services
# run in the Trusted Path where pam_tsol_account(5) isn't applicable so in
# those cases, like gdm(1m) or xscreensaver(1), PAM stacks are delivered
# in /etc/pam.d which exclude pam_tsol_account(5).  pam_tsol_account(5) does
# need to run in the Trusted Path for ensuring remote hosts connecting to the
# global zone have a CIPSO host type.
#
account requisite    pam_roles.so.1
account definitive   pam_user_policy.so.1
account required     pam_unix_account.so.1
account required     pam_tsol_account.so.1

account sufficient   pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
session definitive   pam_user_policy.so.1
session required     pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
password definitive    pam_user_policy.so.1
# Password construction requirements apply to all users.
# Edit /usr/lib/security/pam_authtok_common and remove force_check
# to have the traditional authorized administrator bypass of construction
# requirements.
password include     pam_authtok_common
password required    pam_authtok_store.so.1

   Setup /etc/pam.conf modules (Only: Solaris 10)
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth sufficient          pam_krb5.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient          pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups    account required        pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow) This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
gdm-autologin account  sufficient  pam_allow.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
other   account sufficient         pam_ldap.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
Testing

After you have some users on AD with the UNIX attributes added, e.g. andrew:

# ldapsearch -h 193.61.1.1 -b "dc=dcs,dc=bbk,dc=ac,dc=uk"  -D "cn=srv_ldapproxy,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk"  -w ClearTextPassword  "samaccountname=andrew"
version: 1
dn: CN=andrew,OU=SystemsGroup,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
objectClass: top
....lots of stuff will appear....
 
Let's check if we have all the passwd information:
# ldapsearch -h 193.61.1.1 -b "dc=dcs,dc=bbk,dc=ac,dc=uk"  -D "cn=srv_ldapproxy,CN=Users,DC=dcs,DC=bbk,DC=ac,DC=uk"  -w ClearTextPassword  "samaccountname=andrew" description uid name uidNumber gidNumber description loginShell unixHomeDirectory
version: 1
dn: CN=andrew,OU=SystemsGroup,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
description: Andrew Watkins
name: andrew
uid: andrew
gidNumber: 10
loginShell: /bin/csh
unixHomeDirectory: /home/andrew
uidNumber: 45610

# getent passwd andrew
andrew:x:102:10:Andrew Watkins:/home/andrew:/bin/csh

# ldaplist -l passwd andrew
dn: CN=andrew,OU=SystemsGroup,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: posixAccount
    cn: andrew
    sn: Watkins
    description: Andrew Watkins
    telephoneNumber: 6720
    givenName: Andrew
    distinguishedName: CN=andrew,OU=SystemsGroup,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
    instanceType: 4
    whenCreated: 20010926115902.0Z
    whenChanged: 20120928131015.0Z
    displayName: Andrew Watkins
    uSNCreated: 27739
    uSNChanged: 9618787
    proxyAddresses: SMTP:andrew@dcs.bbk.ac.uk
    displayNamePrintable: Andrew Watkins
    mAPIRecipient: FALSE
    mailNickname: andrew
    name: andrew
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    homeDrive: I:
    badPasswordTime: 129936830414316837
    lastLogoff: 0
    lastLogon: 129936830877333741
    scriptPath: login.cmd
    logonHours:: ////////////////////////////
    pwdLastSet: 129932986053252606
    operatorCount: 0
    adminCount: 1
    accountExpires: 0
    logonCount: 538
    sAMAccountName: andrew
    sAMAccountType: 805306368
    userPrincipalName: andrew@dcs.bbk.ac.uk
    uid: andrew
    mail: andrew@dcs.bbk.ac.uk
    msSFU30PosixMemberOf: CN=lo,OU=Roles,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
    msSFU30PosixMemberOf: CN=sg,OU=SystemsGroup,OU=StaffUsers,DC=dcs,DC=bbk,DC=ac,DC=uk
    msSFU30NisDomain: dcs
    gidnumber: 10
    loginshell: /bin/csh
    msExchRecipientDisplayType: 6
    homedirectory: /home/andrew
    gecos: Andrew Watkins
    msSFU30Name: andrew
    uidnumber: 102
    gecos: Andrew Watkins
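The DNS, name service switch and PAM sections above each end with a file that has to look a particular way. The following script is an added example, not part of the original post: it audits those files offline. Each check takes the path of the file to inspect (the live /etc/resolv.conf, /etc/nsswitch.conf and /etc/pam.d/other, or saved copies), and srv_hosts reads saved nslookup output; the function names and the audit_ad_login wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the original post: offline audit of the files the post
# configures. Every check takes the path of the file to inspect, so it runs
# against the live Solaris files or against saved copies, and returns 0 when
# the setting matches what the post describes.

# /etc/resolv.conf needs domain, search and a nameserver, otherwise the
# _ldap._tcp.<domain> SRV lookup (and dns_lookup_kdc in krb5.conf) cannot work.
check_resolv() {          # usage: check_resolv /etc/resolv.conf dcs.bbk.ac.uk
    f=$1; dom=$2
    grep -q "^domain[[:space:]][[:space:]]*$dom\$" "$f" || { echo "resolv: domain $dom missing"; return 1; }
    grep -q "^search[[:space:]].*$dom" "$f" || { echo "resolv: search $dom missing"; return 1; }
    grep -q "^nameserver[[:space:]]" "$f" || { echo "resolv: no nameserver"; return 1; }
    return 0
}

# Domain controllers advertised by the SRV record, taken from saved nslookup
# output ("_ldap._tcp.dcs.bbk.ac.uk  service = 0 100 389 dcsad02.dcs.bbk.ac.uk.").
srv_hosts() {             # usage: nslookup -querytype=any _ldap._tcp.$dom | srv_hosts
    awk '/service = / { sub(/\.$/, "", $NF); print $NF }' "$@" | sort
}

# /etc/nsswitch.conf as the post sets it: passwd and group consult ldap, hosts
# and ipnodes stay on files + dns. The 'ldapclient init' transcript in the
# comments shows the trap this catches: every database, hosts included, on ldap.
check_nsswitch() {        # usage: check_nsswitch /etc/nsswitch.conf
    f=$1
    for db in passwd group; do
        grep -q "^$db:[[:space:]]*files[[:space:]][[:space:]]*ldap" "$f" \
            || { echo "nsswitch: $db does not use ldap"; return 1; }
    done
    for db in hosts ipnodes; do
        line=$(grep "^$db:" "$f" || true)
        case $line in
            *ldap*) echo "nsswitch: $db uses ldap, expected dns"; return 1 ;;
            *dns*)  ;;
            *)      echo "nsswitch: $db does not use dns"; return 1 ;;
        esac
    done
    return 0
}

# PAM: the post adds 'auth sufficient pam_krb5.so.1' and 'account sufficient
# pam_ldap.so.1'. Reads either a /etc/pam.d/<service> file (type flag module)
# or, with a service name as second argument, the Solaris 10 /etc/pam.conf
# format (service type flag module), e.g. check_pam /etc/pam.conf other.
check_pam() {             # usage: check_pam /etc/pam.d/other
    f=$1; svc=${2:-}
    awk -v svc="$svc" '
        /^[ \t]*#/ || NF == 0 { next }
        { if (svc != "") { if ($1 != svc) next; type = $2; flag = $3; mod = $4 }
          else           { type = $1; flag = $2; mod = $3 } }
        type == "auth"    && flag == "sufficient" && mod ~ /pam_krb5\.so/ { krb = 1 }
        type == "account" && flag == "sufficient" && mod ~ /pam_ldap\.so/ { ldap = 1 }
        END {
            if (!krb)  print "pam: auth stack lacks sufficient pam_krb5.so.1"
            if (!ldap) print "pam: account stack lacks sufficient pam_ldap.so.1"
            exit (krb && ldap) ? 0 : 1
        }' "$f"
}

# Run every check against the live system (Solaris 11.1+ paths assumed).
audit_ad_login() {        # usage: audit_ad_login dcs.bbk.ac.uk
    check_resolv /etc/resolv.conf "$1" &&
    check_nsswitch /etc/nsswitch.conf &&
    check_pam /etc/pam.d/other
}
```

On a Solaris 10 box swap the last line of audit_ad_login for check_pam /etc/pam.conf other; the Kerberos and LDAP bind tests (kinit -V, ldapsearch) still have to be run by hand since they need the domain controllers.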
Automount
I am working on that blog next, so it should be available next week.


20 comments:

Anonymous said...

Thanks for this! This is great. I followed everything but I can't get getent password to show any ldap information but getent group will show ldap info.

Andrew Watkins said...

I have updated the testing section to include some "ldapsearch" commands. See if that helps. Andrew

Mobeen Akhtar said...

This is really great stuff. I followed and got everything right, except it logs in to AD very late. Is it normal?
Any way to resolve this issue?

Damien Benoist said...

Hello,
I have absolutely no knowledge about Solaris admin. I have a fresh install of Solaris 11 (done with sol-11_1-text-x86.iso). I would like to set it as an LDAP client. I can do so with the ldapclient command and the svccfg commands and it works. But on every reboot all changes are lost. /etc/nsswitch.conf is restored to its initial state.
Any ideas?
Thanks for your help.

Andrew Watkins said...

Damien, it looks like you are editing /etc/nsswitch.conf manually. You have to update nsswitch.conf using SMF. Search this blog entry for "Setup Name Service Switch Configuration" and use the svccfg command in the example.

Andrew

Damien Benoist said...

Thanks for your answer Andrew.
Unfortunately no, I'm not touching the /etc/nsswitch.conf. I'm using the svccfg command exactly as you describe. I retried:
#
# can't login with an ldap user on sol11i64
#
blackbeard@blackbird:~$ ssh blackbrd@sol11i64
blackbrd@sol11i64:~$ egrep "ldap|dns" /etc/nsswitch.conf
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4

blackbrd@sol11i64:~$ su -
Password:
Oracle Corporation SunOS 5.11 11.1 September 2012
root@sol11i64:~# ldapclient init -a profileName=default \
> -a proxyDN=cn=proxyagent,ou=profile,dc=dev,dc=local \
> -a proxyPassword=ldappwd \
> -a domainName=dev.local \
> ldap.dev.local
System successfully configured
root@sol11i64:~# egrep "ldap|dns" /etc/nsswitch.conf
passwd: files ldap
group: files ldap
hosts: files ldap
ipnodes: files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
ethers: files ldap
netmasks: files ldap
bootparams: files ldap
publickey: files ldap
netgroup: ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
project: files ldap
auth_attr: files ldap
prof_attr: files ldap
tnrhtp: files ldap
tnrhdb: files ldap
root@sol11i64:~# svccfg
svc:> select name-service/switch
svc:/system/name-service/switch> setprop config/password = "files ldap"
svc:/system/name-service/switch> setprop config/group = "files ldap"
svc:/system/name-service/switch> setprop config/host = "files [SUCCESS=return] dns"
svc:/system/name-service/switch> setprop config/network = "files"
svc:/system/name-service/switch> setprop config/protocol = "files"
svc:/system/name-service/switch> setprop config/rpc = "files"
svc:/system/name-service/switch> setprop config/ether = "files"
svc:/system/name-service/switch> setprop config/netmask = "files"
svc:/system/name-service/switch> setprop config/bootparam = "files"
svc:/system/name-service/switch> setprop config/publickey = "files"
svc:/system/name-service/switch> setprop config/netgroup= "files"
svc:/system/name-service/switch> setprop config/automount = "files ldap"
svc:/system/name-service/switch> setprop config/alias = "files"
svc:/system/name-service/switch> setprop config/service = "files"
svc:/system/name-service/switch> setprop config/project = "files"
svc:/system/name-service/switch> setprop config/auth_attr = "files"
svc:/system/name-service/switch> setprop config/prof_attr = "files"
svc:/system/name-service/switch> setprop config/tnrhtp = "files"
svc:/system/name-service/switch> setprop config/tnrhdb = "files"
svc:/system/name-service/switch> setprop config/printer = "user files"
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/system/name-service/switch:default> exit
root@sol11i64:~# svcadm restart svc:/milestone/name-services:default
root@sol11i64:~# egrep "ldap|dns" /etc/nsswitch.conf
passwd: files ldap
group: files ldap
hosts: files [SUCCESS=return] dns
ipnodes: files [SUCCESS=return] dns
automount: files ldap
#
# can now login with ldap user on sol11i64
#
root@sol11i64:~# reboot
#
# can no longer login with ldap user on sol11i64
#
blackbeard@blackbird:~$ ssh blackbrd@sol11i64
blackbrd@sol11i64:~$ egrep "ldap|dns" /etc/nsswitch.conf
hosts: files dns mdns
ipnodes: files dns mdns
blackbrd@sol11i64:~$

Andrew Watkins said...

That is an interesting problem. I would post this to the Oracle Solaris 11 Forum (https://forums.oracle.com/forums/forum.jspa?forumID=1321&start=0). Before that, the only thing I can think of is that you have DHCP set up, which would reconfigure all network files on reboot?

Damien Benoist said...

Yes, you think right Andrew!
I have DHCP. But once again my Solaris knowledge is limited. I just chose DHCP during install, and I don't know where and what to look for.
Do you have an idea how to set up both DHCP and LDAP? It doesn't seem such an eccentric configuration, does it?
Thanks again for your help!

Andrew Watkins said...

Damien, Solaris is getting better on its administration side, but it still is a pain.
Possible solution: "sudo sysconfig configure -s" will reset your system so that when you reboot it will ask for hostname, networking, etc. Have a look at http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-111-s11-sysconfig-524498.html. If you do that, then make a note of DNS (/etc/resolv.conf) and IP address before doing this.

Damien Benoist said...

Andrew, I don't understand why you tell me to remember /etc/resolv.conf. I've done the "sysconfig configure -s", reconfigured everything, but I've had no need for the resolv.conf. Did you mean I should give up using DHCP?

After reconfiguring (keeping DHCP), if I log in with an LDAP user, I get the message "unable to load configuration /var/ldap/ldap_client_file" (and login fails). If I reissue the ldapclient command, I can log in again with an LDAP user. Once again it will be lost at next boot.

Thanks again for your help.


Andrew Watkins said...

Damien, I think I have a solution which I am working on. I am looking at http://www.oracle.com/technetwork/articles/servers-storage-dev/s11-network-config-1632927.html this page. I am happy to take this off line so drop me an e-mail "andrew at DCS dot BBK dot AC dot UK"

Alan Landucci-Ruiz said...

Is there a way to limit the users that can log in by the group that they're in, using the PAM, ldapclient, or krb5 settings, WITHOUT having to create a separate sub dn? E.g., I have a set of web developers that are in the webdev group.

Vishwanath Singh said...

Can you help me in finding any blog on integrating Solaris 11 with Windows 2012 AD? I have to use NIS+.

Anonymous said...

Has this guide changed at all for 11.2/11.3?

New install and followed instructions exactly, but I am not able to authenticate. Ldap search commands return data correctly, however 'getent passwd username' doesn't return anything and ldaplist -l passwd returns ldaplist: LDAP error. Oddly enough just running getent passwd does dump all the users in AD which shows some of this is in fact working correctly. The only thing I potentially may have screwed up is the pam configs as they are now located in pam.d and have slight variations from the old values. Any ideas?

Andrew Watkins said...

I have got it working with Solaris 11.3 and I don't think there any changes.

Yes, pam is different but that is nothing to do with the getent, ldaplist not working. We can take it offline if you like contact me at andrew@

Bharath Sriramkumar said...

Hi - Can you please let me know what additional actions would be required , if you need to point to AD running 636 (secured) port. Do we need to import any certs ?

Andrew Watkins said...

I have done that here http://notallmicrosoft.blogspot.co.uk/2014/05/setting-up-ssl-for-solaris-11-ldap_29.html Setting up SSL for Solaris 11 LDAP (ldapclient to use LDAPS)

Hope that helps.

sherif Moussa said...

Hello,
I am trying to integrate Active Directory with Solaris 11.3.

How can I get the ProxyDN value?

What should I ask from the Active Directory team?

Thanks

Andrew Watkins said...

Sherif

The ProxyDN user is a normal user in AD. In my case the user is a member of "Domain Users".
Check out this link which talks about "Create ProxyDN User Account" https://web.archive.org/web/20151101112540/www.seedsofgenius.net/solaris/solaris-authentication-login-with-active-directory

Andrew