Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory
March, 2008

This document describes the configuration of a Solaris client to use Microsoft Windows Server 2003 R2 Enterprise Edition (Active Directory) for authentication and naming services.

Please note: This configuration uses a shell script called adjoin.sh to automate the process of joining the Solaris client to the Active Directory domain and configuring Kerberos on the client. This script is not supported by Sun and is not part of the Solaris distribution. (See the "For More Information" section of the article for information about downloading the adjoin script.)

A new version of the adjoin tool is available for the Solaris 10 5/08 release (see the "For More Information" section of the article). This version contains an updated ksetpw source and binary, which have been modified to run on the Solaris 10 5/08 OS. See the README file for more details. Note that the ksetpw.c source file in this version can also be used on OpenSolaris systems.

THE SOLUTION DESCRIBED IN THIS ARTICLE SHOULD BE TREATED AS PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRODUCTION.
Comments (22)
Apr 22, 2008
Charles_Soto says:
I am getting an error with adjoin on Solaris 10 U5, but strangely it worked fine on a U4 test system:
userAccountControl: 4130
dNSHostname: colonialone.austin.utexas.edu
ldapadd -h dc01.austin.utexas.edu -o authzid= -o mech=gssapi -f /tmp/adjoin-computer-object.PQa4Dh
adding new entry CN=COLONIALONE,CN=Computers,DC=austin,DC=utexas,DC=edu
Setting the password/keys of the machine account
print A85cf01b09175a4e7e98f42c76272c03a | ./ksetpw host/colonialone.austin.utexas.edu@AUSTIN.UTEXAS.EDU
krb5_kt_register() failed (err=-1765328192)
Failed to set account password!
Google shows a few others experiencing this "krb5_kt_register() failed" error. Any ideas?
Apr 23, 2008
wajih says:
We are going to take a look at this issue of ksetpw with Update 5. First we'll try to reproduce it and if we encounter a problem, we'll post a fix.
Thanks for bringing it to our attention.
May 01, 2008
LennartJung says:
Is there any progress on this fault? We are experiencing the same issue under a fresh Win2k3 R2 install and Solaris 10 5/08 while trying to join the domain.
Is there any workaround in place? How long will it take until the release of update 5?
May 02, 2008
wajih says:
A new version of the adjoin tool is available for Solaris 10 5/08 (S10U5) at http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz
This version contains an updated ksetpw source and binary which have been modified to run on Solaris 10 5/08. See the README file for more details. Note that the ksetpw.c source file in this version can also be used for OpenSolaris systems.
Let us know if you have any issues.
May 13, 2008
Charles_Soto says:
I have tried the new version, but it still doesn't work. I get no error details, unlike before:
May 14, 2008
wajih says:
The fix we provided is working, as is evident from your debug output above. You are no longer getting the "krb5_kt_register() failed (err=-1765328192)" error, which means that the binary is now compatible with Solaris 10 U5.
You are getting a new error now of krb_set_password() failed. This routine uses krb5_set_password_using_ccache to set the password.
What error do you see on the Active Directory Server?
Can you also send me the output of klist and /etc/krb5/krb5.conf if it exists.
Jun 18, 2008
Charles_Soto says:
I don't have the exact AD errors - I got sick the weekend after we tested this. I can try again and report back.
After the script fails, klist gives this:
But I assume the script is actually clearing that cache file. Do you want me to break at that moment and show klist? Here's the other information you requested:
bash-3.00# cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = AUSTIN.UTEXAS.EDU
[realms]
        AUSTIN.UTEXAS.EDU = {
                kdc = dc01.austin.utexas.edu
                kdc = dc02.austin.utexas.edu
                kdc = dc03.austin.utexas.edu
                kdc = dc04.austin.utexas.edu
                kpasswd_server = dc01.austin.utexas.edu
                kpasswd_protocol = SET_CHANGE
                admin_server = dc01.austin.utexas.edu
        }
[domain_realm]
        .austin.utexas.edu = AUSTIN.UTEXAS.EDU

From what I recall (before I got the plague), ksetpw was causing what are essentially "access denied" errors on the DC. This was despite my account being given full control over every right on the computer object and its container. And interestingly, ksetpw was working with U4.
May 20, 2008
robbyt says:
Hi All,
Not really sure how to explain the problem, or even search for the answer, so I apologize if I'm asking a very easy question.
I'm able to successfully join my machine to AD using this script, "adjoin-s10u5". Once joined, I'm able to successfully use ldapclient -v manual to set up the LDAP domain for mapping UIDs/GIDs. I'm also able to ssh into the system using GSSAPI/Kerberos authentication.
But my question is, when I use smbadm join to bring the Solaris CIFS server onto the domain, SSH/Kerberos authentication breaks. I know there has to be a way to have both SSH and CIFS using Kerberos. Can anyone point me in the right direction?
Jun 18, 2008
babank says:
Hi Robbyt,
smbadm join is doing the equivalent of adjoin, well almost. It may have changed the Kerberos configuration on your system. Please rerun "ldapclient manual ..." after smbadm join and retry.
Sep 22, 2008
Charles_Soto says:
We're still stuck. The new ksetpw doesn't work. It hangs, and eventually times out, then the script fails. Our Windows guys couldn't figure it out - they gave my account full permissions on all attributes. Still, nothing. Any ideas?
Oct 23, 2008
paul-f says:
Any ideas?
adding new entry CN=W1PAUL04,CN=Computers,DC=glsctldap,DC=test
Setting the password/keys of the machine account
print Aa3f7ff077808f2baba4854014d40ed39 | ./ksetpw host/w1paul04.glsctldap.test@GLSCTLDAP.TEST
ld.so.1: ksetpw: fatal: relocation error: file ksetpw: symbol krb5_set_password_using_ccache: referenced symbol not found
./adjoin[812]: 24426 Killed
Failed to set account password!
Solaris 10 1/06
Thanks....
Oct 24, 2008
wajih says:
It's been a while, but if I remember correctly you need at least Solaris 10 U4 (8/07) for the ksetpw binary to work. Note you need not upgrade all your servers to this version. Only one of them is required, as the binary uses new libraries which were introduced in U4 and above.
Oct 25, 2008
wajih says:
Actually, after posting the above reply I realized that you actually need S10 U4 (or above) on all systems which are going to act as a client to AD.
Jan 29, 2009
livercom says:
We have had the problem with ksetpw timing out, giving the messages ...
krb5_set_password() failed
Failed to set account password!
The version of ksetpw is from adjoin-s10u5
The AD firewall allows traffic on port 464.
The credential cache appears to be very large (size 13662).
Any ideas?
Apr 13, 2009
YanM says:
Hey guys,
I successfully set up Solaris 10 to AD 2003R2 with ldapclient configured to use self creds, and it worked fine until I set up nsswitch.conf+etc/passwd+etc/shadow to use netgroups.
I try to do that in order to prevent users from being able to log in to all Solaris machines. I want them to be able to log in only to machines they require access to.
I used the passwd_compat and shadow_compat thing and am now getting strange errors in authlog. Am I on the right track, or should I use another mechanism to restrict users to log in only on certain machines?
Apr 14, 2009
wajih says:
We have not tested with netgroups, but it does appear from your experience that compatibility mode breaks self cred. Instead of getting into a lengthy ping-pong game in which you send us logs and we review them and so on and so forth, I would suggest that you use an alternate mechanism that is sure to work.
You could either use the unsupported pam_netgroup module or, if you are using Solaris 10 10/08 or later, use pam_list(5). Other alternatives include defining Service Search Descriptors (SSDs).
Apr 30, 2009
YanM says:
I have a case open with Sun support about clarifying how to use the SSDs and pam_list.
My preference is SSDs, with the idea of adding MemberOf= attributes set to each Solaris OS machine's hostname to control access to them. That would be better than netgroups in my opinion; I don't like having to set triple-type attributes on the directory server in nisNetgroup objects.
So I was looking at this document on how to set a filter on the passwd SSD, and this is a Sun document giving a clear example, but it doesn't work ..
http://dlc.sun.com/osol/docs/content/SYSADV5/ldapsecure-65.html
this part :
In the following example, the Solaris LDAP naming service client would perform a subtree search in ou=west,dc=example,dc=com for the passwd service. To look up the passwd data for user username, the subtree ou=west,dc=example,dc=com would be searched with the LDAP filter (&(fulltimeEmployee=TRUE)(uid=username)).
serviceSearchDescriptor: passwd:ou=west,dc=example,dc=com?sub?fulltimeEmployee=TRUE
I feel that this is not sending a proper query to the LDAP server, but I don't know how to SNIFF the query. This part might not have the proper syntax: ?fulltimeEmployee=TRUE
Does anyone know what would be the right syntax for that SSD (to add a search filter)?
Or, how to debug to see what exact LDAP query is sent to the LDAP server?
Apr 30, 2009
wajih says:
The syntax of your SSD looks ok to me. Although I would try the following.
passwd: ou=west,dc=example,dc=com?sub?(fulltimeEmployee=TRUE)
Also to look at the exact ldap query you can check out the directory's access log.
May 05, 2009
YanM says:
I got it working, here is the right syntax.
The same filter has to be set for passwd AND shadow for the thing to work..
ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=sasl/gssapi \
-a defaultSearchBase=dc=mydomain,dc=com \
-a domainName=mydomain.com \
-a defaultServerList=" adDC2.mydomain.com adDC1.mydomain.com" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:ou=MyUserContainer,dc=mydomain,dc=com?sub(|(msSFU30NisDomain=mydomain)) \
-a serviceSearchDescriptor=shadow:ou=MyUserContainer,dc=mydomain,dc=com?sub(|(msSFU30NisDomain=mydomain)) \
-a serviceSearchDescriptor=group:ou=Groups,dc=mydomain,dc=com?sub
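To make the SSD syntax discussed in the last few comments concrete, here is a small added example (not part of the article, the adjoin tool or any comment above) that parses a service:base?scope?filter descriptor and builds the per-user lookup filter the quoted Sun document describes, (&(fulltimeEmployee=TRUE)(uid=username)). The parser is hypothetical and written for this page, not the ldapclient implementation: it requires an explicit scope, wraps a bare filter in parentheses as wajih suggested, and escapes the substituted value per RFC 4515 so a looked-up name cannot alter the filter.

```python
"""Added example: parse a Solaris-style serviceSearchDescriptor and build
the effective per-entry lookup filter. Hypothetical code for this page,
not the ldapclient implementation; scope must be given explicitly."""
from dataclasses import dataclass

VALID_SCOPES = {"base", "one", "sub"}

# RFC 4515 escapes for characters that would otherwise change a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


@dataclass(frozen=True)
class SSD:
    service: str
    base: str
    scope: str
    ldap_filter: str  # normalised "(...)" filter, or "" when none was given


def parse_ssd(ssd: str) -> SSD:
    """Parse 'passwd:ou=west,dc=example,dc=com?sub?fulltimeEmployee=TRUE'."""
    service, _, rest = ssd.partition(":")
    if not service or not rest:
        raise ValueError(f"missing service or base in SSD: {ssd!r}")
    parts = rest.split("?", 2)            # base ? scope ? filter
    if len(parts) < 2 or parts[1] not in VALID_SCOPES:
        raise ValueError(f"missing or bad scope in SSD: {ssd!r}")
    base, scope = parts[0], parts[1]
    filt = parts[2] if len(parts) == 3 else ""
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        filt = f"({filt})"                # bare filter -> (fulltimeEmployee=TRUE)
    return SSD(service, base, scope, filt)


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def lookup_filter(ssd: SSD, attr: str, value: str) -> str:
    """Filter the client would send to look up one entry under this SSD."""
    term = f"({attr}={escape_filter_value(value)})"
    return f"(&{ssd.ldap_filter}{term})" if ssd.ldap_filter else term


if __name__ == "__main__":
    doc = parse_ssd("passwd:ou=west,dc=example,dc=com?sub?fulltimeEmployee=TRUE")
    print(doc)
    print(lookup_filter(doc, "uid", "username"))
```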
Jun 22
denis_01 says:
I am getting an error with adjoin on Solaris 10 U5 :
Joining domain: example.com
Looking for domain controllers and global catalogs (A RRs)
Looking for KDCs and DCs (SRV RRs)
KDCs = vm09win2k01.example.com 88
DCs = vm09win2k01.example.com 389
kinit(v5): Client not found in Kerberos database while getting initial credentials
Could not get a Kerberos V TGT for your admin principal
Everything seems fine on Solaris and on the Windows 2003 R2 Active Directory.
Any idea?
Jun 22
YanM says:
I would check your patch level; some patches are required for adjoin to work properly.
There are also the DNS records, nsswitch and resolv.conf to check; all that is described in the Sun instructions in the PDF.
You should also check if your Domain Admin account is "Administrator" and that you know the password to it; otherwise, you have to specify another domain admin username on the command line when calling adjoin.
Hope it helps.
Aug 12
D_Bond says:
Hi,
I have been having problems with the configuration. I have set up as the document suggests, and that works fine, but after the host ticket is renewed, everything fails, that is, until either the ldap client service is restarted or the resolv.conf file is touched. Then all authentication starts to work again.
Please see http://www.opensolaris.org/jive/thread.jspa?threadID=108808&tstart=0
David