Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in a Windows 2003 Active Directory domain for the purpose of authentication and accounts management.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in a Windows 2003 Active Directory domain for the purpose of authentication and accounts management. No xhier packages required.
Further Details Wiki page:
What Do You Need A Windows 2003 Active Directory (AD) Enterprise Admin credentials for your AD and logon access to the schema master Domain Admin credentials for the Domain where the Solaris host will authenticate and logon access to a domain controller (DC) in that domain Superuser (root) rights to the Solaris host and login access to that host May require Windows 2003 R2 installation disks
Account Management Involves Two Protocols LDAP Account Lookup Kerberos User Authentication The AD and the Solaris host must be able to talk to each other using both these protocols
Account Management Involves Two Protocols What do we have to start with? All domain controllers in an Active Directory are LDAP servers and Kerberos Key Distribution Centres (KDC) by default All Solaris 10 hosts have compatible vendor supplied LDAP and Kerberos clients All Active Directory domains are corresponding Kerberos realms
Extending Active Directory Authentication and Account Management To Solaris 10 Systems Preparation In The Active Directory
Preparation in the Active Directory LDAP Configuration Extend the Schema with RFC 2307 attributes Allow Anonymous LDAP Connections Kerberos Credential Creation Create A User Account representing the Solaris host Create a keytab credential file for the Solaris host
Preparation in the Active Directory LDAP Configuration: Extend The Active Directory Schema
Extend the Active Directory Schema Why? Add AD user attributes that store required Solaris user information as part of user accounts. Such UNIX uid and gid numbers Full account management within the AD for Solaris users End the need for local user account maintenance on Solaris systems in /etc/passwd
Extend the Active Directory Schema Many new attributes are added to the schema. Of interest are the following posixAccount attributes uidNumber gidNumber loginShell unixHomeDirectory
Extend the Active Directory Schema How? Run the adprep tool found on the Windows 2003 R2 installation disk set on the AD schema master adprep /forestprep Enterprise or Schema Admin credentials are required Does not require implementation of Windows 2003 R2
Extend the Active Directory Schema Reboot all domain controllers in the Active Directory
Extend the Active Directory Schema Use ADSI Editor snap-in to (manually) populate the new user attributes uidNumber gidNumber unixHomeDirectory loginShell
Preparation in the Active Directory LDAP Configuration: Allow Anonymous Read Of Active Directory LDAP Information
Why? Eliminates the need for a specific LDAP bind DN which can break if the bind account is ever moved within the AD Eliminates the need for LDAP bind credentials to be stored on every Solaris host
Allow Anonymous Read Of Active Directory LDAP Information Security? Anonymous read rights are applied only to relevant AD objects such as common users Specific object attributes that must be secured can be denied anonymous read rights User data stored by CSCF in /etc/passwd and the Active Directory is not sensitive Domain controller LDAP ports can be secured using IPSec such that only authorized client subnets may connect to them
Allow Anonymous Read Of Active Directory LDAP Information How? By default Windows 2003 Active Directory does not allow Anonymous connections to its LDAP service On the schema master use the ADSI Editor snap-in to edit the ' Directory Service ' container properties Modify the dsHeuristics attribute such that the last numeral is a '2' (eg , if not previously set) Wait 30 minutes
Allow Anonymous Read Of Active Directory LDAP Information Allowing Anonymous LDAP connections still does not imply Anonymous read rights Apply the List and Read rights for ANONYMOUS LOGON to containers (OUs) with common users Avoid placing these rights on containers with sensitive accounts such as Domain Admins
Allow Anonymous Read Of Active Directory LDAP Information Success? Use ldapsearch to lookup an AD user without using a binding DN ldapsearch -h domain_controller -b DN_for_top_of_domain cn=username ldapsearch -h intacta -b dc=cs,dc=uwaterloo,dc=ca cn=dlgawley
Preparation in the Active Directory Kerberos Credential Creation: Create A User Account For The Solaris System Within The Active Directory
Why? This account is used by the Solaris Kerberos client for user authentication within the Active Directory This account is to be associated with the Solaris host's Service Principle Name (SPN)
Create A User Account For The Solaris System Within The Active Directory How? Within a domain in the AD, create a user account with a password for the Solaris host eg. computername-host DO NOT create a computer object Retain the password for the creation of the keytab file Enable account characteristics: ' Password never expires ' ' Do not require kerberos pre-auth '
Preparation in the Active Directory Kerberos Credential Creation: Create a keytab file for the Solaris host
Why? To encode Solaris host account credentials into a file for porting to the corresponding Solaris host To associate a Kerberos Service Principle Name (SPN) with the Solaris host's AD account
Create A keytab File For The Solaris Host How? On a corresponding domain controller, use the ktpass command to create a keytab file for the Solaris host Specify account name, password, host SPN, encryption method as well as a file name ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ -mapuser Domain_Name\computername-host -pass ComplexPasswd -out c:\temp\krb5.keytab
Extending Active Directory Authentication and Account Management To Solaris 10 Systems Preparation On The Solaris Host Side
Configure the Kerberos client Configure the LDAP client Configure the PAM stack
Preparation On The Solaris Host Side Configure the Kerberos Client
Configure The Solaris Kerberos Client Securely install the Solaris host keytab file /etc/krb5/krb5.keytab Set file permissions to root read only
Configure The Solaris Kerberos Client Configure the krb5.conf file with the appropriate Kerberos realms /etc/krb5/krb5.conf
Configure The Solaris Kerberos Client # #pragma ident /07/20 SMI" # Copyright (c) 1999, by Sun Microsystems, Inc. # All rights reserved. [libdefaults] default_realm = CS.UWATERLOO.CA dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc verify_ap_req_nofail = false
Configure The Solaris Kerberos Client [realms] CSCF.UWATERLOO.CA = { kdc = elisa.cscf.uwaterloo.ca:88 admin_server = elisa.cscf.uwaterloo.ca:464 kpasswd_server = elisa.cscf.uwaterloo.ca:464 kpasswd_protocol = SET_CHANGE } CS.UWATERLOO.CA = { kdc = intacta.cs.uwaterloo.ca:88 kdc = serverus.cs.uwaterloo.ca:88 kdc = viridis.cs.uwaterloo.ca:88 admin_server = intacta.cs.uwaterloo.ca:464 kpasswd_server = intacta.cs.uwaterloo.ca:464 kpasswd_protocol = SET_CHANGE }
Configure The Solaris Kerberos Client [domain_realm].cscf.uwaterloo.ca = CSCF.UWATERLOO.CA cscf.uwaterloo.ca = CSCF.UWATERLOO.CA.cs.uwaterloo.ca = CS.UWATERLOO.CA cs.uwaterloo.ca = CS.UWATERLOO.CA
Configure The Solaris Kerberos Client Initialize the kerberos client using the kinit command kinit -k -t keytab_file_location kinit -k -t /etc/krb5/krb5.keytab Success? kinit will supply no output Successful kerberos logon events will appear in the AD domain Security logs for the computername-host account
Preparation On The Solaris Host Side Configure the LDAP Client
Configure The Solaris LDAP Client Make a copy the /etc/nsswitch.conf file Edit the nsswitch.conf copy such that both passwd and group databases fall over to ldap from files Or visa-versa
Configure The Solaris LDAP Client /etc/nsswitch.conf: passwd: files group: files hosts: files dns ipnodes: files dns networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files netgroup: files...
Configure The Solaris LDAP Client Modifications to copy of nsswitch.conf:... passwd: files ldap group: files ldap...
Configure The Solaris LDAP Client Use the ldapclient command in manual mode to configure the host's LDAP client Specify LDAP servers Specify search bases Specify object class mappings Specify attribute mappings for database lookup
Configure The Solaris LDAP Client ldapclient manual \ -a credentialLevel=anonymous \ -a authenticationMethod=none \ -a defaultSearchBase=dc=cs,dc=uwaterloo,dc=ca \ -a defaultSearchScope=sub \ -a followReferrals=false \ -a domainName=cs.uwaterloo.ca \ -a defaultServerList= \ -a attributeMap=group:userpassword=userPassword \ -a attributeMap=group:memberuid=memberUid \ -a attributeMap=group:gidnumber=gidNumber \ -a attributeMap=passwd:uid=cn \ -a attributeMap=passwd:gidnumber=gidNumber \ -a attributeMap=passwd:uidnumber=uidNumber \ -a attributeMap=passwd:homedirectory=unixHomeDirectory \ -a attributeMap=passwd:loginshell=loginShell \ -a attributeMap=shadow:uid=cn \ -a attributeMap=shadow:shadowflag=shadowFlag \ -a attributeMap=shadow:userpassword=userPassword \ -a objectClassMap=group:posixGroup=group \ -a objectClassMap=passwd:posixAccount=user \ -a objectClassMap=shadow:shadowAccount=user \ -a serviceSearchDescriptor=passwd:"dc=cs,dc=uwaterloo,dc=ca?sub" \ -a serviceSearchDescriptor=group:"dc=cs,dc=uwaterloo,dc=ca?sub"
Configure The Solaris LDAP Client Replace the /etc/nsswitch.conf file with your copy of nsswitch.conf Restart LDAP client service on the Solaris host svcadm restart svc:/network/ldap/client:default
Preparation On The Solaris Host Side Configure the PAM Stack
Configure The Solaris PAM Stack Use of Kerberos and LDAP clients must be specified in the PAM stack for each login service /etc/pam.conf Two native PAM modules are used pam_ldap.so.1 pam_krb5.so.1
Configure The Solaris PAM Stack Several login services, each has a stack (sequence) of PAM modules controlling authentication and account lookup: login rlogin rsh cron passwd other
Configure The Solaris PAM Stack For the ' other ' service: Add pam_ldap.so.1 as a ' sufficient ' condition for the account stacks prior to pam_unix_account.so.1 Add pam_krb5.so.1 as a ' sufficient ' condition for the auth stacks prior to pam_unix_cred.so.1 Add pam_krb5.so.1 as a 'optional' condition for the session stacks prior to pam_unix_session.so.1
Configure The Solaris PAM Stack other account requisite pam_roles.so.1 other account sufficient pam_ldap.so.1 other account sufficient pam_unix_account.so.1... other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1... other session optional pam_krb5.so.1 other session required pam_unix_session.so.1
Configure The Solaris PAM Stack For the ' passwd ' service: Add pam_krb5.so.1 as a sufficient condition for the auth stacks just prior to pam_unix_cred.so.1
Configure The Solaris PAM Stack passwd auth requisite pam_authtok_get.so.1 passwd auth required pam_dhkeys.so.1 passwd auth sufficient pam_krb5.so.1 passwd auth required pam_unix_cred.so.1 passwd auth required pam_unix_auth.so.1
Configure The Solaris PAM Stack Success? Use the getent command on the passwd database to look up a user that is in the AD but not /etc/passwd getent passwd username The user must have his new UNIX attributes already specified for this to work
Extending Active Directory Authentication and Account Management To Solaris 10 Systems Success? Attempt to login to the Solaris host via ssh using an AD account username and password
Further Details Wiki page: