Presentation is loading. Please wait.

Presentation is loading. Please wait.

Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain.

Published bySara Clark Modified over 6 years ago

Similar presentations

Presentation on theme: "Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain."— Presentation transcript:

1 Extending Active Directory Authentication and Account Management To Solaris 10 Systems
A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in a Windows 2003 Active Directory domain for the purpose of authentication and accounts management.

2 No xhier packages required.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in a Windows 2003 Active Directory domain for the purpose of authentication and accounts management. No xhier packages required.

3 Further Details Wiki page:

4 What Do You Need A Windows 2003 Active Directory (AD) Enterprise Admin credentials for your AD and logon access to the schema master Domain Admin credentials for the Domain where the Solaris host will authenticate and logon access to a domain controller (DC) in that domain Superuser (root) rights to the Solaris host and login access to that host May require Windows 2003 R2 installation disks

5 Account Management Involves Two Protocols
LDAP Account Lookup Kerberos User Authentication The AD and the Solaris host must be able to talk to each other using both these protocols

6 Account Management Involves Two Protocols
What do we have to start with? All domain controllers in an Active Directory are LDAP servers and Kerberos Key Distribution Centres (KDC) by default All Solaris 10 hosts have compatible vendor supplied LDAP and Kerberos clients All Active Directory domains are corresponding Kerberos realms

7 Preparation In The Active Directory
Extending Active Directory Authentication and Account Management To Solaris 10 Systems Preparation In The Active Directory

8 Preparation in the Active Directory
LDAP Configuration Extend the Schema with RFC 2307 attributes Allow Anonymous LDAP Connections Kerberos Credential Creation Create A User Account representing the Solaris host Create a keytab credential file for the Solaris host

9 Preparation in the Active Directory
LDAP Configuration: Extend The Active Directory Schema

10 Extend the Active Directory Schema
Why? Add AD user attributes that store required Solaris user information as part of user accounts. Such UNIX uid and gid numbers Full account management within the AD for Solaris users End the need for local user account maintenance on Solaris systems in /etc/passwd

11 Extend the Active Directory Schema
Many new attributes are added to the schema. Of interest are the following posixAccount attributes uidNumber gidNumber loginShell unixHomeDirectory

12 Extend the Active Directory Schema
How? Run the adprep tool found on the Windows 2003 R2 installation disk set on the AD schema master adprep /forestprep Enterprise or Schema Admin credentials are required Does not require implementation of Windows R2

13 Extend the Active Directory Schema
Reboot all domain controllers in the Active Directory

14 Extend the Active Directory Schema
Use ADSI Editor snap-in to (manually) populate the new user attributes uidNumber gidNumber unixHomeDirectory loginShell

15 Preparation in the Active Directory
LDAP Configuration: Allow Anonymous Read Of Active Directory LDAP Information

16 Allow Anonymous Read Of Active Directory LDAP Information
Why? Eliminates the need for a specific LDAP bind DN which can break if the bind account is ever moved within the AD Eliminates the need for LDAP bind credentials to be stored on every Solaris host

17 Allow Anonymous Read Of Active Directory LDAP Information
Security? Anonymous read rights are applied only to relevant AD objects such as common users Specific object attributes that must be secured can be denied anonymous read rights User data stored by CSCF in /etc/passwd and the Active Directory is not sensitive Domain controller LDAP ports can be secured using IPSec such that only authorized client subnets may connect to them

18 Allow Anonymous Read Of Active Directory LDAP Information
How? By default Windows 2003 Active Directory does not allow Anonymous connections to its LDAP service On the schema master use the ADSI Editor snap-in to edit the 'Directory Service' container properties Modify the dsHeuristics attribute such that the last numeral is a '2' (eg , if not previously set) Wait 30 minutes

19 Allow Anonymous Read Of Active Directory LDAP Information
Allowing Anonymous LDAP connections still does not imply Anonymous read rights Apply the List and Read rights for ANONYMOUS LOGON to containers (OUs) with common users Avoid placing these rights on containers with sensitive accounts such as Domain Admins

20 Allow Anonymous Read Of Active Directory LDAP Information
Success? Use ldapsearch to lookup an AD user without using a binding DN ldapsearch -h domain_controller -b DN_for_top_of_domain cn=username ldapsearch -h intacta -b dc=cs,dc=uwaterloo,dc=ca cn=dlgawley

21 Preparation in the Active Directory
Kerberos Credential Creation: Create A User Account For The Solaris System Within The Active Directory

22 Create A User Account For The Solaris System Within The Active Directory
Why? This account is used by the Solaris Kerberos client for user authentication within the Active Directory This account is to be associated with the Solaris host's Service Principle Name (SPN)

23 Create A User Account For The Solaris System Within The Active Directory
How? Within a domain in the AD, create a user account with a password for the Solaris host eg. computername-host DO NOT create a computer object Retain the password for the creation of the keytab file Enable account characteristics: 'Password never expires' 'Do not require kerberos pre-auth'

24 Preparation in the Active Directory
Kerberos Credential Creation: Create a keytab file for the Solaris host

25 Create a keytab file for the Solaris host
Why? To encode Solaris host account credentials into a file for porting to the corresponding Solaris host To associate a Kerberos Service Principle Name (SPN) with the Solaris host's AD account

26 Create A keytab File For The Solaris Host
How? On a corresponding domain controller, use the ktpass command to create a keytab file for the Solaris host Specify account name, password, host SPN, encryption method as well as a file name ktpass -ptype KRB5_NT_PRINCIPAL -crypto DES-CBC-MD5 -princ -mapuser Domain_Name\computername-host -pass ComplexPasswd -out c:\temp\krb5.keytab

27 Preparation On The Solaris Host Side
Extending Active Directory Authentication and Account Management To Solaris 10 Systems Preparation On The Solaris Host Side

28 Preparation On The Solaris Host Side
Configure the Kerberos client Configure the LDAP client Configure the PAM stack

29 Preparation On The Solaris Host Side
Configure the Kerberos Client

30 Configure The Solaris Kerberos Client
Securely install the Solaris host keytab file /etc/krb5/krb5.keytab Set file permissions to root read only

31 Configure The Solaris Kerberos Client
Configure the krb5.conf file with the appropriate Kerberos realms /etc/krb5/krb5.conf

32 Configure The Solaris Kerberos Client
# #pragma ident /07/20 SMI" # Copyright (c) 1999, by Sun Microsystems, Inc. # All rights reserved. [libdefaults] default_realm = CS.UWATERLOO.CA dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h forwardable = yes default_tkt_enctypes = des-cbc-md5 ; or des-cbc-crc default_tgs_enctypes = des-cbc-md5 ; or des-cbc-crc verify_ap_req_nofail = false

33 Configure The Solaris Kerberos Client
[realms] CSCF.UWATERLOO.CA = { kdc = elisa.cscf.uwaterloo.ca:88 admin_server = elisa.cscf.uwaterloo.ca:464 kpasswd_server = elisa.cscf.uwaterloo.ca:464 kpasswd_protocol = SET_CHANGE } CS.UWATERLOO.CA = { kdc = intacta.cs.uwaterloo.ca:88 kdc = serverus.cs.uwaterloo.ca:88 kdc = viridis.cs.uwaterloo.ca:88 admin_server = intacta.cs.uwaterloo.ca:464 kpasswd_server = intacta.cs.uwaterloo.ca:464

34 Configure The Solaris Kerberos Client
[domain_realm] .cscf.uwaterloo.ca = CSCF.UWATERLOO.CA cscf.uwaterloo.ca = CSCF.UWATERLOO.CA .cs.uwaterloo.ca = CS.UWATERLOO.CA cs.uwaterloo.ca = CS.UWATERLOO.CA

35 Configure The Solaris Kerberos Client
Initialize the kerberos client using the kinit command kinit -k -t keytab_file_location kinit -k -t /etc/krb5/krb5.keytab Success? kinit will supply no output Successful kerberos logon events will appear in the AD domain Security logs for the computername- host account

36 Preparation On The Solaris Host Side
Configure the LDAP Client

37 Configure The Solaris LDAP Client
Make a copy the /etc/nsswitch.conf file Edit the nsswitch.conf copy such that both passwd and group databases fall over to ldap from files Or visa-versa

38 Configure The Solaris LDAP Client
/etc/nsswitch.conf: passwd: files group: files hosts: files dns ipnodes: files dns networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files netgroup: files ...

39 Configure The Solaris LDAP Client
Modifications to copy of nsswitch.conf: ... passwd: files ldap group: files ldap

40 Configure The Solaris LDAP Client
Use the ldapclient command in manual mode to configure the host's LDAP client Specify LDAP servers Specify search bases Specify object class mappings Specify attribute mappings for database lookup

41 Configure The Solaris LDAP Client
ldapclient manual \ -a credentialLevel=anonymous \ -a authenticationMethod=none \ -a defaultSearchBase=dc=cs,dc=uwaterloo,dc=ca \ -a defaultSearchScope=sub \ -a followReferrals=false \ -a domainName=cs.uwaterloo.ca \ -a defaultServerList= \ -a attributeMap=group:userpassword=userPassword \ -a attributeMap=group:memberuid=memberUid \ -a attributeMap=group:gidnumber=gidNumber \ -a attributeMap=passwd:uid=cn \ -a attributeMap=passwd:gidnumber=gidNumber \ -a attributeMap=passwd:uidnumber=uidNumber \ -a attributeMap=passwd:homedirectory=unixHomeDirectory \ -a attributeMap=passwd:loginshell=loginShell \ -a attributeMap=shadow:uid=cn \ -a attributeMap=shadow:shadowflag=shadowFlag \ -a attributeMap=shadow:userpassword=userPassword \ -a objectClassMap=group:posixGroup=group \ -a objectClassMap=passwd:posixAccount=user \ -a objectClassMap=shadow:shadowAccount=user \ -a serviceSearchDescriptor=passwd:"dc=cs,dc=uwaterloo,dc=ca?sub" \ -a serviceSearchDescriptor=group:"dc=cs,dc=uwaterloo,dc=ca?sub"

42 Configure The Solaris LDAP Client
Replace the /etc/nsswitch.conf file with your copy of nsswitch.conf Restart LDAP client service on the Solaris host svcadm restart svc:/network/ldap/client:default

43 Preparation On The Solaris Host Side
Configure the PAM Stack

44 Configure The Solaris PAM Stack
Use of Kerberos and LDAP clients must be specified in the PAM stack for each login service /etc/pam.conf Two native PAM modules are used pam_ldap.so.1 pam_krb5.so.1

45 Configure The Solaris PAM Stack
Several login services, each has a stack (sequence) of PAM modules controlling authentication and account lookup: login rlogin rsh cron passwd other

46 Configure The Solaris PAM Stack
For the 'other' service: Add pam_ldap.so.1 as a 'sufficient' condition for the account stacks prior to pam_unix_account.so.1 Add pam_krb5.so.1 as a 'sufficient' condition for the auth stacks prior to pam_unix_cred.so.1 Add pam_krb5.so.1 as a 'optional' condition for the session stacks prior to pam_unix_session.so.1

47 Configure The Solaris PAM Stack
other account requisite pam_roles.so.1 other account sufficient pam_ldap.so.1 other account sufficient pam_unix_account.so.1 ... other auth requisite pam_authtok_get.so.1 other auth required pam_dhkeys.so.1 other auth required pam_unix_cred.so.1 other auth sufficient pam_krb5.so.1 other auth required pam_unix_auth.so.1 other session optional pam_krb5.so.1 other session required pam_unix_session.so.1

48 Configure The Solaris PAM Stack
For the 'passwd' service: Add pam_krb5.so.1 as a sufficient condition for the auth stacks just prior to pam_unix_cred.so.1

49 Configure The Solaris PAM Stack
passwd auth requisite pam_authtok_get.so.1 passwd auth required pam_dhkeys.so.1 passwd auth sufficient pam_krb5.so.1 passwd auth required pam_unix_cred.so.1 passwd auth required pam_unix_auth.so.1

50 Configure The Solaris PAM Stack
Success? Use the getent command on the passwd database to look up a user that is in the AD but not /etc/passwd getent passwd username The user must have his new UNIX attributes already specified for this to work

51 Extending Active Directory Authentication and Account Management To Solaris 10 Systems
Success? Attempt to login to the Solaris host via ssh using an AD account username and password

52 Further Details Wiki page:

Download ppt "Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain."

Similar presentations

Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.

Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Lesson 17: Configuring Security Policies

Lesson 17: Configuring Security Policies
Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.

Unix/Windows Inter-Operability. What do we want? Single Username Password Access Users files (N drive) – Personal Machine – Multi-User Machines Information.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Understanding Active Directory

Understanding Active Directory
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.

03/07/08 © 2008 DSR and LDAP Authentication Avocent Technical Support.
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
Module 1: Installing Active Directory Domain Services

Module 1: Installing Active Directory Domain Services
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
Configuring CIFS Upon completion of this module, you should be able to: Configure the Data Mover for a Windows environment Create and Join a CIFS Server.

Configuring CIFS Upon completion of this module, you should be able to: Configure the Data Mover for a Windows environment Create and Join a CIFS Server.
Chapter 11: Creating and Managing Shared Folders BAI617.

Chapter 11: Creating and Managing Shared Folders BAI617.
Windows interoperability with Unix/Linux. Introduction to Active Directory Integration for Unix and Linux Systems Unix/Linux interoperability components.

Windows interoperability with Unix/Linux. Introduction to Active Directory Integration for Unix and Linux Systems Unix/Linux interoperability components.
Lecture – Single Login NIS and Winbind. NIS Network Information Service (NIS) is the traditional directory service on UNIX platforms Still widely used.

Lecture – Single Login NIS and Winbind. NIS Network Information Service (NIS) is the traditional directory service on UNIX platforms Still widely used.

Similar presentations

Ads by Google