{"id":7702,"date":"2013-05-17T15:38:27","date_gmt":"2013-05-17T20:38:27","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=7702"},"modified":"2013-07-24T10:12:29","modified_gmt":"2013-07-24T15:12:29","slug":"solaris-authentication-with-active-directory","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=7702","title":{"rendered":"Solaris Authentication with Active Directory"},"content":{"rendered":"<div class='toc wptoc'>\n<h2>Contents<\/h2>\n<ol class='toc-odd level-1'>\n\t<li>\n\t\t<a href=\"#Environment\">Environment<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Prepare_Windows_Server\">Prepare Windows Server<\/a>\n\t\t<ol class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Install_Identity_Management_for_Unix\">Install Identity Management for Unix<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Tuning_AD\">Tuning AD<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Provision_a_Unix_User_in_AD\">Provision a Unix User in AD<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Configure_DNS\">Configure DNS<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t<li>\n\t\t<a href=\"#Synchronize_Solaris_Time_to_Windows_Server_NTP_Service\">Synchronize Solaris Time to Windows Server NTP Service<\/a>\n\t\t<ol class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Setup_Windows_2008_R2_NTP_Server\">Setup Windows 2008 R2 NTP Server<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Setup_Solaris_NTP_Client\">Setup Solaris NTP Client<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t<li>\n\t\t<a href=\"#Configure_Kerberos_with_adjoin_Script\">Configure Kerberos with adjoin Script<\/a>\n\t<\/li>\n\t<li>\n\t\t<a href=\"#Initialize_Solaris_LDAP_Client\">Initialize Solaris LDAP Client<\/a>\n\t\t<ol class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Prerequisites\">Prerequisites<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Initialize_with_ldapclient\">Initialize with ldapclient<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Using_Naming_Service_Switch_and_PAM\">Using 
Naming Service Switch and PAM<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Test_Password_Management\">Test Password Management<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t<li>\n\t\t<a href=\"#Useful_Tools\">Useful Tools<\/a>\n\t\t<ol class='toc-even level-2'>\n\t\t\t<li>\n\t\t\t\t<a href=\"#Export_ldif_File_from_AD:_ldifde\">Export ldif File from AD: ldifde<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#ldapadd\">ldapadd<\/a>\n\t\t\t<\/li>\n\t\t\t<li>\n\t\t\t\t<a href=\"#ldapmodify\">ldapmodify<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t<li>\n\t\t<a href=\"#References\">References<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n<div class='wptoc-end'>&nbsp;<\/div>\n<span id=\"Environment\"><h2>Environment<\/h2><\/span>\n<p>* Windows Server 2008R2 Enterprise Edition<br \/>\n* Solaris 10 x64 u11<\/p>\n<span id=\"Prepare_Windows_Server\"><h2>Prepare Windows Server<\/h2><\/span>\n<p>* See <a href=\"?p=7769\">this post<\/a> on how to install Windows Server 2008R2 on ESXi 5.1.<\/p>\n<span id=\"Install_Identity_Management_for_Unix\"><h3>Install Identity Management for Unix<\/h3><\/span>\n<p>* Login Windows Server 2008R2.<br \/>\n* Open <em>Start > Administrative Tools > Server Manager<\/em><br \/>\n* Right click <em>Server Manager > Roles > Active Directory Domain Service<\/em> and select<em> Add Role Services<\/em><br \/>\n* Select <em>Server for Network Information Services<\/em><\/p>\n<span id=\"\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes-300x120.jpg\" alt=\"\" title=\"sol10_ad_add_unix_attributes\" width=\"300\" height=\"120\" class=\"aligncenter size-medium wp-image-7798\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes-300x120.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes.jpg 
561w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Click <em>Next <\/em>and then <em>Install<\/em>.<br \/>\n* Restart server.<br \/>\n* Open <em>Start > Administrative Tools > Active Directory Users and Computers<\/em>. Check the presence of UNIX Attributes:<\/p>\n<span id=\"_1\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes_2.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes_2-252x300.jpg\" alt=\"\" title=\"sol10_ad_add_unix_attributes_2\" width=\"252\" height=\"300\" class=\"aligncenter size-medium wp-image-7797\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes_2-252x300.jpg 252w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_add_unix_attributes_2.jpg 415w\" sizes=\"auto, (max-width: 252px) 100vw, 252px\" \/><\/a><\/h6><\/span>\n<span id=\"Tuning_AD\"><h3>Tuning AD<\/h3><\/span>\n<p>* These Solaris client attributes need to be tuned:<br \/>\n&#8211; uid<br \/>\n&#8211; uidnumber<br \/>\n&#8211; gid<br \/>\n&#8211; gidnumber<br \/>\n* Register Schema Management Snap-In<\/p>\n<pre lang=\"bash\">\r\nregsvr32 schmmgmt\r\n<\/pre>\n<p>* Open mmc console<\/p>\n<pre lang=\"bash\">\r\nmmc \/a\r\n<\/pre>\n<p>* Add Active Directory Schema snap-in:<br \/>\n<em>File > Add\/Remove snap-in&#8230; > Active Directory Schema<\/em><br \/>\n* Select <em>Console Root > Active Directory Schema > Attributes<\/em><br \/>\n* Index attributes: <em>uid, uidnumber, gid, gidnumber<\/em><\/p>\n<span id=\"_2\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_index_uid.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_index_uid-300x213.jpg\" alt=\"\" title=\"sol10_ad_index_uid\" width=\"300\" height=\"213\" class=\"aligncenter 
size-medium wp-image-7860\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_index_uid-300x213.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_index_uid.jpg 641w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"Provision_a_Unix_User_in_AD\"><h3>Provision a Unix User in AD<\/h3><\/span>\n<p>* Add a new user named <strong>johndoe<\/strong> to AD:<\/p>\n<span id=\"_3\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_1.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_1-300x250.jpg\" alt=\"\" title=\"sol10_ad_newUser_johndoe_1\" width=\"300\" height=\"250\" class=\"aligncenter size-medium wp-image-7861\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_1-300x250.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_1.jpg 437w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"_4\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_2.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_2-300x252.jpg\" alt=\"\" title=\"sol10_ad_newUser_johndoe_2\" width=\"300\" height=\"252\" class=\"aligncenter size-medium wp-image-7862\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_2-300x252.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_2.jpg 436w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"_5\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_3.jpg\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_3-300x249.jpg\" alt=\"\" title=\"sol10_ad_newUser_johndoe_3\" width=\"300\" height=\"249\" class=\"aligncenter size-medium wp-image-7863\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_3-300x249.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_3.jpg 437w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* With Unix attributes<\/p>\n<span id=\"_6\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_unix_attributes.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_unix_attributes-231x300.jpg\" alt=\"\" title=\"sol10_ad_newUser_johndoe_unix_attributes\" width=\"231\" height=\"300\" class=\"aligncenter size-medium wp-image-7864\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_unix_attributes-231x300.jpg 231w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_ad_newUser_johndoe_unix_attributes.jpg 419w\" sizes=\"auto, (max-width: 231px) 100vw, 231px\" \/><\/a><\/h6><\/span>\n<span id=\"Configure_DNS\"><h3>Configure DNS<\/h3><\/span>\n<p>* Create a forward (A) and reverse (PTR) DNS record for Solaris client:<\/p>\n<span id=\"_7\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1-300x300.jpg\" alt=\"\" title=\"sol10_dns_add_sol10x64vm1\" width=\"300\" height=\"300\" class=\"aligncenter size-medium wp-image-7865\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1-300x300.jpg 300w, 
https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1-150x150.jpg 150w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1.jpg 341w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Create a reverse (PTR) DNS record for AD server:<\/p>\n<span id=\"_8\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_ptr.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_ptr-300x239.jpg\" alt=\"\" title=\"sol10_dns_add_sol10x64vm1_ptr\" width=\"300\" height=\"239\" class=\"aligncenter size-medium wp-image-7866\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_ptr-300x239.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_ptr.jpg 607w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Check that both forward and reverse lookup worked:<\/p>\n<span id=\"_9\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_nslookup.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_nslookup-300x144.jpg\" alt=\"\" title=\"sol10_dns_add_sol10x64vm1_nslookup\" width=\"300\" height=\"144\" class=\"aligncenter size-medium wp-image-7867\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_nslookup-300x144.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_dns_add_sol10x64vm1_nslookup.jpg 364w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<span id=\"Synchronize_Solaris_Time_to_Windows_Server_NTP_Service\"><h2>Synchronize Solaris Time to Windows Server NTP Service<\/h2><\/span>\n<span 
id=\"Setup_Windows_2008_R2_NTP_Server\"><h3>Setup Windows 2008 R2 NTP Server<\/h3><\/span>\n<p>* Set HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Config\\<strong>AnnounceFlags<\/strong> to <strong>10<\/strong><br \/>\n* Set HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\NtpServer\\<strong>Enabled<\/strong> to <strong>1<\/strong><br \/>\n* Restart <em>w32time<\/em>:<\/p>\n<pre lang=\"bash\">\r\nnet stop w32time && net start w32time\r\n<\/pre>\n<span id=\"Setup_Solaris_NTP_Client\"><h3>Setup Solaris NTP Client<\/h3><\/span>\n<pre lang=\"bash\">\r\ncp \/etc\/inet\/ntp.client \/etc\/inet\/ntp.conf\r\ntouch \/var\/ntp\/ntp.drift\r\nvi \/etc\/inet\/ntp.conf\r\n# With content:\r\nserver Exchangedc1\r\ndriftfile \/var\/ntp\/ntp.drift\r\nmulticastclient 224.0.1.1\r\n<\/pre>\n<p>* Refresh the NTP daemon:<\/p>\n<pre lang=\"bash\">\r\nsvcadm enable svc:\/network\/ntp\r\nsvcadm refresh svc:\/network\/ntp\r\nsvcadm restart svc:\/network\/ntp\r\n<\/pre>\n<p>* Check that the service status is online:<\/p>\n<pre lang=\"bash\">\r\nsvcs ntp\r\nSTATE          STIME    FMRI\r\nonline         Jul_21   svc:\/network\/ntp:default\r\n<\/pre>\n<span id=\"Configure_Kerberos_with_adjoin_Script\"><h2>Configure Kerberos with adjoin Script<\/h2><\/span>\n<p>* Download <em>adjoin-s10u5.tar.gz<\/em>, for example, from <a href=\"http:\/\/www.generalfiles.org\/download\/gs4cb65363h32i0\/adjoin-s10u5.tar.gz.html\">here<\/a><br \/>\n* Copy <em>adjoin-s10u5.tar.gz<\/em> to <em>sol10x64vm1<\/em> and extract it:<\/p>\n<pre lang=\"bash\">\r\ngunzip -c adjoin-s10u5.tar.gz | tar xvf -\r\n<\/pre>\n<p>* Check <em>resolv.conf<\/em> and <em>nsswitch.dns<\/em><\/p>\n<span id=\"_11\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_etc_resolv_conf.jpg\"><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_etc_resolv_conf-300x68.jpg\" alt=\"\" title=\"sol10_etc_resolv_conf\" width=\"300\" height=\"68\" class=\"aligncenter size-medium wp-image-7869\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_etc_resolv_conf-300x68.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_etc_resolv_conf.jpg 549w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Run <em>adjoin -f<\/em><\/p>\n<span id=\"_12\"><h6><a href=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_adjoin_output.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_adjoin_output-300x286.jpg\" alt=\"\" title=\"sol10_adjoin_output\" width=\"300\" height=\"286\" class=\"aligncenter size-medium wp-image-7870\" srcset=\"https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_adjoin_output-300x286.jpg 300w, https:\/\/jianmingli.com\/wp\/wp-content\/uploads\/2013\/05\/sol10_adjoin_output.jpg 539w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/h6><\/span>\n<p>* Verify setup with ldapsearch<\/p>\n<pre lang=\"bash\">\r\nldapsearch -h Exchangedc1 -o mech=gssapi -o authzid='' -b \"cn=sol10x64vm1,cn=computers,dc=exchange,dc=local\" -s base \"\" cn\r\nversion: 1\r\ndn: cn=sol10x64vm1,cn=computers,dc=exchange,dc=local\r\ncn: SOL10X64VM1\r\n<\/pre>\n<p>* List Kerberos ticket cache:<\/p>\n<pre lang=\"bash\">\r\nklist\r\nTicket cache: FILE:\/tmp\/krb5cc_0\r\nDefault principal: host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL\r\n\r\nValid starting                Expires                Service principal\r\n07\/22\/13 19:52:26  07\/23\/13 05:52:26  krbtgt\/EXCHANGE.LOCAL@EXCHANGE.LOCAL\r\n07\/22\/13 19:52:26  07\/23\/13 05:52:26  ldap\/exchangedc1.exchange.local@EXCHANGE.LOCAL\r\n<\/pre>\n<p>* List host keys<\/p>\n<pre lang=\"bash\">\r\nklist -e -k 
\/etc\/krb5\/krb5.keytab\r\nKeytab name: FILE:\/etc\/krb5\/krb5.keytab\r\nKVNO Principal\r\n---- --------------------------------------------------------------------------\r\n   2 host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL (AES-256 CTS mode with 96-bit SHA-1 HMAC)\r\n   2 host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL (AES-128 CTS mode with 96-bit SHA-1 HMAC)\r\n   2 host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL (ArcFour with HMAC\/md5)\r\n   2 host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL (DES cbc mode with CRC-32)\r\n   2 host\/sol10x64vm1.exchange.local@EXCHANGE.LOCAL (DES cbc mode with RSA-MD5)\r\n<\/pre>\n<p>* List the contents of \/etc\/krb5\/krb5.conf:<\/p>\n<pre lang=\"bash\">\r\ncat \/etc\/krb5\/krb5.conf\r\n[libdefaults]\r\n        default_realm = EXCHANGE.LOCAL\r\n\r\n[realms]\r\n        EXCHANGE.LOCAL = {\r\n                kdc = exchangedc1.exchange.local\r\n                kpasswd_server = exchangedc1.exchange.local\r\n                kpasswd_protocol = SET_CHANGE\r\n                admin_server = exchangedc1.exchange.local\r\n        }\r\n\r\n[domain_realm]\r\n        .exchange.local = EXCHANGE.LOCAL\r\n<\/pre>\n<p>* Verify the presence of the Unix attributes for the user:<\/p>\n<pre lang=\"bash\">\r\nldapsearch -h Exchangedc1 -o mech=gssapi -o authzid='' -b \"cn=users,dc=exchange,dc=local\" \"cn=John Doe\"\r\nversion: 1\r\ndn: CN=John Doe,CN=Users,DC=exchange,DC=local\r\nobjectClass: top\r\nobjectClass: person\r\nobjectClass: organizationalPerson\r\nobjectClass: user\r\ncn: John Doe\r\nsn: Doe\r\ngivenName: John\r\ndistinguishedName: CN=John Doe,CN=Users,DC=exchange,DC=local\r\n...\r\nuid: johndoe\r\nmsSFU30Name: johndoe\r\nmsSFU30NisDomain: exchange\r\nuidNumber: 10100\r\ngidNumber: 100\r\nunixHomeDirectory: \/export\/home\/johndoe\r\nloginShell: \/bin\/bash\r\n<\/pre>\n<span id=\"Initialize_Solaris_LDAP_Client\"><h2>Initialize Solaris LDAP Client<\/h2><\/span>\n<p>* This allows the Solaris host to use AD as a naming service<\/p>\n<span 
id=\"Prerequisites\"><h3>Prerequisites<\/h3><\/span>\n<p>* DNS client is enabled:<\/p>\n<pre lang=\"bash\">\r\nsvcadm enable svc:\/network\/dns\/client:default\r\n\r\nsvcs -a |grep dns\r\ndisabled       Jul_20   svc:\/network\/dns\/server:default\r\nonline         18:34:27 svc:\/network\/dns\/client:default\r\n<\/pre>\n<p>* nscd, the Solaris name service cache daemon, is enabled; it is required for per-user authentication:<\/p>\n<pre lang=\"bash\">\r\nsvcadm enable name-service-cache\r\n\r\nsvcs -a |grep name-service\r\nonline         19:53:01 svc:\/system\/name-service-cache:default\r\n<\/pre>\n<p>* \/etc\/resolv.conf file is properly configured:<\/p>\n<pre lang=\"bash\">\r\ncat \/etc\/resolv.conf\r\ndomain exchange.local\r\nnameserver 192.168.1.30\r\n<\/pre>\n<p>* Both forward and reverse DNS lookups for the AD server are successful:<\/p>\n<pre lang=\"bash\">\r\nnslookup exchangedc1\r\nnslookup 192.168.1.30\r\n<\/pre>\n<p>* \/etc\/nsswitch.ldap uses DNS for hosts and ipnodes:<\/p>\n<pre lang=\"bash\">\r\ncat \/etc\/nsswitch.ldap|grep dns\r\nhosts:      dns ldap [NOTFOUND=return] files\r\nipnodes:    dns ldap [NOTFOUND=return] files\r\n<\/pre>\n<span id=\"Initialize_with_ldapclient\"><h3>Initialize with ldapclient<\/h3><\/span>\n<p>* Run ldapclient:<\/p>\n<pre lang=\"bash\">\r\nldapclient -v manual \\\r\n-a credentialLevel=self \\\r\n-a authenticationMethod=sasl\/gssapi \\\r\n-a defaultSearchBase=dc=exchange,dc=local \\\r\n-a domainName=exchange.local \\\r\n-a defaultServerList=192.168.1.30 \\\r\n-a attributeMap=passwd:gecos=cn \\\r\n-a attributeMap=passwd:homedirectory=unixHomeDirectory \\\r\n-a objectClassMap=group:posixGroup=group \\\r\n-a objectClassMap=passwd:posixAccount=user \\\r\n-a objectClassMap=shadow:shadowAccount=user \\\r\n-a serviceSearchDescriptor=passwd:cn=users,dc=exchange,dc=local?one \\\r\n-a serviceSearchDescriptor=group:cn=users,dc=exchange,dc=local?one\r\n<\/pre>\n<pre lang=\"bash\">\r\n> > > > > > > > > > > > Parsing 
credentialLevel=self\r\nParsing authenticationMethod=sasl\/gssapi\r\n...\r\nArguments parsed:\r\n        authenticationMethod: sasl\/gssapi\r\n        defaultSearchBase: dc=exchange,dc=local\r\n...\r\nAbout to modify this machines configuration by writing the files\r\nStopping network services\r\nStopping sendmail\r\n...\r\nldap not running\r\nnisd not running\r\nnis(yp) not running\r\nfile_backup: stat(\/etc\/nsswitch.conf)=0\r\nfile_backup: (\/etc\/nsswitch.conf -> \/var\/ldap\/restore\/nsswitch.conf)\r\n..\r\nStarting network services\r\nstart: \/usr\/bin\/domainname exchange.local... success\r\nstart: DNS client is enabled\r\n...\r\nrestart: sleep 100000 microseconds\r\nrestart: milestone\/name-services:default... success\r\nSystem successfully configured\r\n<\/pre>\n<p>* Restart LDAP client<\/p>\n<pre lang=\"bash\">\r\nsvcadm restart svc:\/network\/ldap\/client:default\r\nsvcs -a|grep ldap\r\nonline         19:54:08 svc:\/network\/ldap\/client:default\r\n<\/pre>\n<p>* Verify the contents of LDAP client cache:<\/p>\n<pre lang=\"bash\">\r\n# ldapclient list\r\nNS_LDAP_FILE_VERSION= 2.0\r\nNS_LDAP_SERVERS= 192.168.1.30\r\nNS_LDAP_SEARCH_BASEDN= dc=exchange,dc=local\r\nNS_LDAP_AUTH= sasl\/GSSAPI\r\nNS_LDAP_CACHETTL= 0\r\nNS_LDAP_CREDENTIAL_LEVEL= self\r\nNS_LDAP_SERVICE_SEARCH_DESC= passwd:cn=users,dc=exchange,dc=local?one\r\nNS_LDAP_SERVICE_SEARCH_DESC= group:cn=users,dc=exchange,dc=local?one\r\nNS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory\r\nNS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn\r\nNS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user\r\nNS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user\r\nNS_LDAP_OBJECTCLASSMAP= group:posixGroup=group\r\n<\/pre>\n<span id=\"Using_Naming_Service_Switch_and_PAM\"><h3>Using Naming Service Switch and PAM<\/h3><\/span>\n<p>* cat \/etc\/nsswitch.conf<\/p>\n<pre lang=\"bash\">\r\npasswd:     files ldap\r\ngroup:      files ldap\r\n\r\nhosts:      dns ldap [NOTFOUND=return] files\r\n\r\nipnodes:    dns ldap [NOTFOUND=return] 
files\r\n<\/pre>\n<p>* Add the following lines to \/etc\/pam.conf:<br \/>\nlogin auth sufficient pam_krb5.so.1<br \/>\nother auth sufficient pam_krb5.so.1<br \/>\nother account required pam_krb5.so.1<br \/>\nother password sufficient pam_krb5.so.1<\/p>\n<pre lang=\"bash\">\r\n# grep pam_krb5 \/etc\/pam.conf\r\nlogin auth sufficient pam_krb5.so.1\r\nkrlogin auth required           pam_krb5.so.1\r\nkrsh    auth required           pam_krb5.so.1\r\nktelnet auth required           pam_krb5.so.1\r\nother auth sufficient pam_krb5.so.1\r\nother account required pam_krb5.so.1\r\nother password sufficient pam_krb5.so.1\r\n<\/pre>\n<span id=\"Test_LDAP_Client\"><h3>Test LDAP Client<\/h3><\/span>\n<p>* getent:<\/p>\n<pre lang=\"bash\">\r\n# getent passwd johndoe\r\njohndoe:x:10100:100:John Doe:\/export\/home\/johndoe:\/bin\/bash\r\n<\/pre>\n<p>* ldaplist:<\/p>\n<pre lang=\"bash\">\r\n# ldaplist -l passwd johndoe\r\ndn: gecos=John Doe,gecos=Users,DC=exchange,DC=local\r\n        objectClass: top\r\n        objectClass: person\r\n        objectClass: organizationalPerson\r\n        objectClass: posixAccount\r\n        cn: John Doe\r\n        sn: Doe\r\n        givenName: John\r\n        distinguishedName: CN=John Doe,CN=Users,DC=exchange,DC=local\r\n...\r\n        uid: johndoe\r\n        msSFU30Name: johndoe\r\n        msSFU30NisDomain: exchange\r\n        uidNumber: 10100\r\n        gidNumber: 100\r\n        homedirectory: \/export\/home\/johndoe\r\n        loginShell: \/bin\/bash\r\n        gecos: John Doe\r\n<\/pre>\n<p>* Create a home directory for johndoe:<\/p>\n<pre lang=\"bash\">\r\nmkdir \/export\/home\/johndoe\r\nchown johndoe \/export\/home\/johndoe\r\n<\/pre>\n<p>* Log in as johndoe:<\/p>\n<pre lang=\"bash\">\r\nbash-3.2$ id\r\nuid=10100(johndoe) gid=100\r\nbash-3.2$ klist\r\nTicket cache: FILE:\/tmp\/krb5cc_10100\r\nDefault principal: johndoe@EXCHANGE.LOCAL\r\n\r\nValid starting                Expires                Service principal\r\n07\/22\/13 21:07:06  07\/23\/13 07:07:06  krbtgt\/EXCHANGE.LOCAL@EXCHANGE.LOCAL\r\n        renew 
until 07\/29\/13 21:07:06\r\n07\/22\/13 21:07:06  07\/23\/13 07:07:06  ldap\/exchangedc1.exchange.local@EXCHANGE.LOCAL\r\n        renew until 07\/29\/13 21:07:06\r\n<\/pre>\n<span id=\"Test_Password_Management\"><h3>Test Password Management<\/h3><\/span>\n<p>* Log in as johndoe and change the password with kpasswd (not passwd)<\/p>\n<span id=\"Useful_Tools\"><h2>Useful Tools<\/h2><\/span>\n<span id=\"Export_ldif_File_from_AD:_ldifde\"><h3>Export ldif File from AD: ldifde<\/h3><\/span>\n<pre lang=\"bash\">\r\nldifde -f johndoe.ldif -d \"CN=John Doe,CN=USERS,DC=exchange,DC=local\"\r\n<\/pre>\n<span id=\"ldapadd\"><h3>ldapadd<\/h3><\/span>\n<p>* <em>ldapadd<\/em> command example:<\/p>\n<pre lang=\"bash\">\r\nldapadd -h exchangedc1 -D \"cn=Administrator,cn=users,dc=exchange,dc=local\" -w \"Welcome1\" -f johndoe2.ldif -v\r\n<\/pre>\n<p>* <em>johndoe2.ldif<\/em><\/p>\n<pre lang=\"bash\">\r\ndn: cn=John Doe2,cn=Users,dc=exchange,dc=local\r\nobjectClass: user\r\ncn: John Doe2\r\nsn: Doe2\r\ngivenName: John\r\ndistinguishedName: cn=John Doe2,cn=Users,dc=exchange,dc=local\r\ndisplayName: John Doe2\r\nsAMAccountName: johndoe2\r\nuserPrincipalName: johndoe2@exchange.local\r\naccountExpires: 0\r\nmsSFU30NisDomain: exchange\r\nuid: johndoe2\r\nuidNumber: 10102\r\ngidNumber: 100\r\nunixHomeDirectory: \/export\/home\/johndoe2\r\nloginShell: \/bin\/bash\r\n<\/pre>\n<span id=\"ldapmodify\"><h3>ldapmodify<\/h3><\/span>\n<pre lang=\"bash\">\r\nldapadd -h exchangedc1 -D \"cn=Administrator,cn=users,dc=exchange,dc=local\" -w \"Welcome1\" -f johndoe2b.ldif -v\r\n<\/pre>\n<p>* <em>johndoe2b.ldif<\/em><\/p>\n<pre lang=\"bash\">\r\ndn: cn=John Doe2,cn=Users,dc=exchange,dc=local\r\nchangetype: modify\r\nreplace: userAccountControl\r\nuserAccountControl: 512\r\n<\/pre>\n<p>* Note that this example does not work.<\/p>\n<span id=\"References\"><h2>References<\/h2><\/span>\n<p>* <a 
href=\"http:\/\/www.netafp.com\/wp-content\/uploads\/kerberos_s10.pdf\">kerberos_s10.pdf<\/a><br \/>\n* <a href=\"http:\/\/blog.scottlowe.org\/2006\/08\/15\/solaris-10-and-active-directory-integration\/comment-page-2\/#comments\">Solaris 10 and Active Directory Integration<\/a><br \/>\n* <a href=\"http:\/\/www.seedsofgenius.net\/solaris\/solaris-authentication-login-with-active-directory\">Solaris Authentication Login with Active Directory<\/a><br \/>\n* <a href=\"http:\/\/ogris.de\/samba\/unix-active-directory.html\">Joining Unix-like systems to an Active Directory<\/a><br \/>\n* <a href=\"http:\/\/znogger.blogspot.com\/2010\/05\/solaris-automatic-creation-of-home-dirs.html\">Solaris : automatic creation of home dirs<\/a><br \/>\n* <a href=\"http:\/\/osdude.wordpress.com\/2011\/08\/11\/authenticating-unixlinux-to-windows-2008r2-part-2-solaris-10\/\">Authenticating UNIX\/Linux to Windows 2008R2. Part 2 : Solaris 10<\/a><br \/>\n* <a href=\"http:\/\/pig.made-it.com\/pig-adusers.html\">Creating Active Directory Accounts<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Environment * Windows Server 2008R2 Enterprise Edition * Solaris 10 x64 u11 Prepare Windows Server * See this post on how to install Windows Server 2008R2 on ESXi 5.1. Install Identity Management for Unix * Login Windows Server 2008R2. 
* &hellip; <a href=\"https:\/\/jianmingli.com\/wp\/?p=7702\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[287,45],"tags":[275,628,566,571],"class_list":["post-7702","post","type-post","status-publish","format-standard","hentry","category-kerberos","category-solaris","tag-ad","tag-kerberos","tag-ldap","tag-solaris"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-20e","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/7702","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7702"}],"version-history":[{"count":21,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/7702\/revisions"}],"
predecessor-version":[{"id":7884,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/7702\/revisions\/7884"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7702"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7702"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7702"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}