Create AD User Object
To map the Kerberos principal, add the following AD user object on the DC:
- Location: Solaris OU
- User Name: host-cstokunix01
- Member: Domain Guests
- Password: S0!ar1s!
- Option: Password never expires
Security Principal
A Solaris client requires a keytab file to authenticate to Kerberos. Open a command prompt on the DC and run the following command:
C:\>ktpass -princ host/cstokunix01.allure.local@ALLURE.LOCAL -mapuser host-cstokunix01 -crypto DES-CBC-MD5 +DesOnly -pass S0!ar1s! -ptype KRB5_NT_PRINCIPAL -out C:\cstokunix01.keytab
If no error is generated, copy the keytab file from the DC to the Solaris client (cstokunix01 in this example) and install it:
# cp ./cstokunix01.keytab /etc/krb5/krb5.keytab
# chown root:root /etc/krb5/krb5.keytab
# chmod 600 /etc/krb5/krb5.keytab
Remark:
When a new keytab file is generated for an existing Solaris client, the old keytab file of the affected Solaris client has to be replaced.
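The two things that most often go wrong with the keytab step are file permissions and a principal name that does not match what ktpass wrote. The script below is an added example, not part of the original guide: check_keytab verifies that the file exists and is mode 0600, and keytab_principals lists the principals stored in it with klist so the host/ entry can be confirmed against the ktpass -princ value. It uses ls -l rather than stat because Solaris 10 ships no GNU stat. One caveat on the ktpass line itself: it requests a DES-only key, and DES enctypes have been deprecated for Kerberos (RFC 6649) and are disabled by default on current Windows domain controllers, so on a newer DC the principal needs an AES enctype instead.

```shell
#!/bin/sh
# Added example: sanity-check a Solaris Kerberos keytab before relying on it.

# check_keytab FILE -> 0 if FILE exists and is mode 0600, non-zero otherwise
check_keytab() {
  kt=$1
  if [ ! -f "$kt" ]; then
    echo "keytab missing: $kt" >&2
    return 1
  fi
  # ls -l is used instead of stat(1), which Solaris 10 does not provide
  mode=$(ls -l "$kt" | cut -c1-10)
  case "$mode" in
    -rw-------) ;;
    *) echo "keytab $kt has mode $mode, expected -rw-------" >&2; return 2 ;;
  esac
  return 0
}

# keytab_principals FILE -> prints each distinct principal in FILE (needs klist)
keytab_principals() {
  command -v klist >/dev/null 2>&1 || { echo "klist not found" >&2; return 1; }
  # klist -k prints a three-line header, then "KVNO Principal" rows
  klist -k "$1" | awk 'NR > 3 { print $2 }' | sort -u
}

# Typical use on the client:
#   check_keytab /etc/krb5/krb5.keytab && keytab_principals /etc/krb5/krb5.keytab
```

If keytab_principals does not show host/cstokunix01.allure.local@ALLURE.LOCAL, the -princ argument to ktpass and the client's host name do not agree, and pam_krb5 will not be able to verify tickets.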
Reference:
Windows Security and Directory Services for UNIX v1.0
Kerberos Configuration
# vi /etc/krb5/krb5.conf
[libdefaults]
default_realm = ALLURE.LOCAL
dns_lookup_realm = true
dns_lookup_kdc = true
verify_ap_req_nofail = true
forwardable = true
[realms]
ALLURE.LOCAL = {
kdc = ad1.allure.local
kdc = ad2.allure.local
admin_server = ad1.allure.local
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.allure.local = ALLURE.LOCAL
allure.local = ALLURE.LOCAL
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
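The [realms] block lists two KDCs so that clients keep authenticating when ad1 is down (one of the checks in the Testing section). The following script is an added example, not part of the original guide: it pulls the default realm and its KDC list out of a krb5.conf and probes each KDC for name resolution and TCP/88 reachability, which covers the Time-independent half of the Troubleshooting list (firewall and host name lookup) before ad1 is ever taken offline. The nc -z probe is skipped when nc is not installed, as on Solaris 10.

```shell
#!/bin/sh
# Added example: extract KDCs from krb5.conf and probe each one.

# krb5_default_realm CONF -> prints the default_realm value
krb5_default_realm() {
  awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
             gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1"
}

# krb5_kdcs CONF REALM -> prints every kdc host listed for REALM in [realms]
krb5_kdcs() {
  awk -v realm="$2" '
    { gsub(/=/, " = "); $0 = $0 }                 # normalise "kdc=x" and "kdc = x"
    /^[[:space:]]*\[/ { section = $0; gsub(/[^a-z_]/, "", section); next }
    section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
    inrealm && /^[[:space:]]*\}/ { inrealm = 0; next }
    inrealm && $1 == "kdc" && $2 == "=" { print $3 }
  ' "$1"
}

# check_kdc HOST -> 0 if HOST resolves and (when nc exists) answers on TCP/88
check_kdc() {
  host=$1
  getent hosts "$host" >/dev/null 2>&1 \
    || { echo "$host: name lookup failed" >&2; return 1; }
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 3 "$host" 88 >/dev/null 2>&1 \
      || { echo "$host: TCP/88 unreachable (firewall?)" >&2; return 2; }
  fi
  return 0
}

# check_all_kdcs CONF -> 0 only if every KDC of the default realm passes
check_all_kdcs() {
  realm=$(krb5_default_realm "$1")
  rc=0
  for k in $(krb5_kdcs "$1" "$realm"); do
    check_kdc "$k" || rc=1
  done
  return $rc
}

# Usage on the client:  check_all_kdcs /etc/krb5/krb5.conf
```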
Reference:
krb5.conf (4)
Initialize LDAP Client
Run the following command in a bash shell to initialize the LDAP client.
# bash
# ldapclient manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN=cn=ice,ou=Unix,dc=allure,dc=local \
-a bindTimeLimit=1 \
-a searchTimeLimit=10 \
-a followReferrals=false \
-a defaultSearchScope=sub \
-a defaultSearchBase=ou=Unix,dc=allure,dc=local \
-a domainName=allure.local \
-a "defaultServerList=172.22.0.248 172.22.0.249" \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:memberuid=memberUid \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:ou=Unix,dc=allure,dc=local?sub \
-a serviceSearchDescriptor=group:ou=Unix,dc=allure,dc=local?sub
Enter the bind password for the proxy DN when prompted (in this example, fireball!).
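The attributeMap entries above tell the Solaris LDAP name service which AD attribute to read for each passwd(4) field: cn becomes the gecos field, unixHomeDirectory the home directory, loginShell the shell, and uidNumber/gidNumber the numeric ids (the login name comes from the default uid attribute, which is not remapped). The script below is an added example, not from the original guide, that applies the same mapping to an LDIF entry of the kind ldapsearch returns, so the resulting passwd line can be compared with what getent passwd shows on the client. The entry is constructed for illustration, and the function fails when a required attribute is absent, which is what an AD user without Unix attributes looks like in the Troubleshooting section.

```shell
#!/bin/sh
# Added example: apply the guide's attributeMap to an LDIF entry by hand.

# Constructed sample entry (not real directory data)
SAMPLE_LDIF='dn: CN=penguin,OU=Unix,DC=allure,DC=local
objectClass: user
cn: penguin
uid: penguin
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /nfshome/penguin
loginShell: /bin/bash
userPassword: {crypt}*'

# ldif_to_passwd (LDIF on stdin) -> prints name:x:uid:gid:gecos:home:shell
# Exits 1 if the login name, uidNumber or gidNumber is missing.
ldif_to_passwd() {
  awk -F': ' '
    $1 == "uid"               { name  = $2 }   # default login-name attribute
    $1 == "cn"                { gecos = $2 }   # attributeMap=passwd:gecos=cn
    $1 == "uidNumber"         { uid   = $2 }   # attributeMap=passwd:uidnumber=uidNumber
    $1 == "gidNumber"         { gid   = $2 }   # attributeMap=passwd:gidnumber=gidNumber
    $1 == "unixHomeDirectory" { home  = $2 }   # attributeMap=passwd:homedirectory=unixHomeDirectory
    $1 == "loginShell"        { shell = $2 }   # attributeMap=passwd:loginshell=loginShell
    END {
      if (name == "" || uid == "" || gid == "") exit 1
      printf "%s:x:%s:%s:%s:%s:%s\n", name, uid, gid, gecos, home, shell
    }'
}

# Usage: printf "%s\n" "$SAMPLE_LDIF" | ldif_to_passwd
# On a client, feed the real entry instead:
#   ldaplist -l passwd penguin | ldif_to_passwd   (output format differs slightly)
```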
Reference:
Windows Security and Directory Services for UNIX v1.0
Name Service Switch Configuration
# vi /etc/nsswitch.conf
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)nsswitch.ldap 1.10 06/05/03 SMI"
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# LDAP service requires that svc:/network/ldap/client:default be enabled
# and online.
# the following two lines obviate the "+" entry in passwd and group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: dns files
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: dns files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: ldap
# for efficient getservbyname() avoid ldap
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files
Reference:
nsswitch.conf (4)
PAM Configuration
Warning: any typo made in PAM module files might render the machine inaccessible!
# vi /etc/pam.conf
#ident "@(#)pam.conf 1.28 04/04/21 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required pam_unix_cred.so.1
krlogin auth binding pam_krb5.so.1
krlogin auth required pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth binding pam_krb5.so.1
krsh auth required pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth binding pam_krb5.so.1
ktelnet auth required pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd auth required pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron account required pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_krb5.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#
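The warning at the top of this section is worth taking literally: a misspelled module name or control flag on a "required" line locks every user out, including root on the console. The script below is an added example, not part of the original guide. pam_check resolves every module named in a pam.conf against the module directory (on Solaris, /usr/lib/security/$ISA for relative names) and pam_flag_check flags any line whose module type or control flag is not one Solaris recognises. Run both against /etc/pam.conf before logging out of the session in which you edited it; the test uses a constructed pam.conf and an empty module directory.

```shell
#!/bin/sh
# Added example: lint /etc/pam.conf before the edit can lock you out.

# pam_modules CONF -> prints each distinct module named in CONF (field 4)
pam_modules() {
  awk '!/^[[:space:]]*#/ && NF >= 4 { print $4 }' "$1" | sort -u
}

# pam_check CONF MODDIR -> 0 if every module exists, 1 and a list otherwise
pam_check() {
  conf=$1; moddir=$2; rc=0
  for m in $(pam_modules "$conf"); do
    case "$m" in
      /*) path=$m ;;             # absolute path, still accepted by Solaris
      *)  path=$moddir/$m ;;     # relative to /usr/lib/security/$ISA
    esac
    [ -f "$path" ] || { echo "missing module: $m (looked for $path)" >&2; rc=1; }
  done
  return $rc
}

# pam_flag_check CONF -> 0 if every line uses a known type and control flag,
# otherwise prints the offending lines and returns 1
pam_flag_check() {
  awk '!/^[[:space:]]*#/ && NF >= 4 &&
       ($2 !~ /^(auth|account|session|password)$/ ||
        $3 !~ /^(required|requisite|sufficient|optional|binding)$/) {
         print FILENAME ":" NR ": " $0; bad = 1
       }
       END { exit bad }' "$1"
}

# Usage on a client (keep a root shell open until both return 0):
#   pam_check /etc/pam.conf /usr/lib/security && pam_flag_check /etc/pam.conf
```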
Reference:
Windows Security and Directory Services for UNIX v1.0
Enable Other Services
The following services are required for SSO to function properly:
# svcadm enable dns/client
# svcadm enable name-service-cache
# svcadm enable ktkt_warn
Session Timeout
As on the Linux system, set a 5-minute timeout for both the console and SSH.
# vi /etc/default/login and set the following for the console:
TIMEOUT=300
# vi /etc/ssh/sshd_config and specify the following:
LoginGraceTime 300
Configure NFS Client with AutoFS
Enable the NFSv3 client instead of the NFSv4 client.
# vi /etc/default/nfs and change the following line:
NFS_CLIENT_VERSMAX=3
# vi /etc/nsswitch.conf and change the following line to support LDAP:
automount: files ldap
# mkdir /nfshome
# vi /etc/auto_master
# Copyright 2003 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)auto_master 1.8 03/04/28 SMI"
#
# Master map for automounter
#
+auto_master
/net -hosts -nosuid,nobrowse
#/home auto_home -nobrowse
/nfshome auto_home -nobrowse
# vi /etc/auto_home
* -rw cstokvmhost1:/data/home/&
Enable autofs service:
# svcadm enable autofs
Testing
If the configuration is correct, an AD user should be able to do the following:
- Log in from SSH or GNOME
- Change the password from a Unix system
- Use a centralized NFS home directory
- Authenticate against ad2 while ad1 is offline
Remark:
Changing an AD user's password in Solaris requires running kpasswd instead of passwd.
Reference:
Troubleshooting
Please check the following:
- Time
- Typo
- Firewall
- Host name lookup
- Subnet mask
- Required services/daemons are running
- Required user's home directory is created in the NFS server
- Correct user/group permission in user's home directory
- User account is not locked out
- Keytab file is copied to the right place
- Reboot
Try su - penguin and see what error appears; checking /var/log/messages on the client and the Security log in Event Viewer on the DC might also help. Run ldapsearch and examine the query result.