Friday, January 23, 2009

Single Sign On - Windows 2003 Setup

This section applies to the DCs, ad1 & ad2.


Prerequisite

Please make sure the following components are ready before continuing:

  • Healthy DCs
  • Required host names and IP addresses are registered in DNS
  • Reliable NTP

Hostname & IP Address

Hostname       IP Address     Comment
ad1            172.22.0.248   Windows 2003 R2 Server; DC
ad2            172.22.0.249   Windows 2003 R2 Server; DC
cstokunix01    172.22.0.62    Solaris 10; Unix client
cstokunix02    172.22.0.65    Red Hat Linux 9; Unix client
cstokunix03    172.22.0.66    RHEL5.2 Server; Unix client
cstokvmhost1   172.22.0.33    RHEL5.2 Server; NFS server



Install SSO Components

The following items are required:
  • Identity Management for UNIX (Under Active Directory Services)
    • Administration Components
    • Server For NIS
  • Microsoft Services for NFS (Under Other Network File and Print Services)
    • RPC External Data Representation
    • RPC Port Mapper
  • Windows 2003 Server Support Tools


Open Ports

The following ports need to be opened on the DCs if the firewall is enabled:

Protocol   Port   Comment
UDP        53     DNS
UDP        88     Kerberos
UDP        464    Kpasswd
TCP        389    LDAP


NIS ypclear Utility

The NIS ypclear utility should be added to the Windows Firewall Exceptions list.


Disable Server for NIS service

Please disable the Server for NIS service; it is not required.


Indexing uid in AD Schema

From a command prompt, run: C:\>regsvr32 schmmgmt.dll

Open the Active Directory Schema MMC and look for the uid attribute in the Attributes container, then open its Properties window. Enable the checkbox "Index this attribute in the Active Directory".


References:
  • http://blog.scottlowe.org/2006/08/08/linux-active-directory-and-windows-server-2003-r2-revisited/
  • Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory



Create OUs

Two OUs are created in the allure.local domain:
  • Unix; stores all Unix-related user, group, and OU objects
  • Solaris; child of the Unix OU, stores all Solaris server security principal names


Create user/group AD Objects

Create a default Unix group:
  • Location: Unix OU
  • Group Name: arctic
  • Group Scope: Global
  • Group Type: Security
  • NIS Domain: allure
  • GID: 10000

Add an LDAP bind account:
  • Location: Unix OU
  • User Name: ice
  • Member: Domain Guests
  • Password: fireball!
  • Option: Password never expires

Add an AD user account:
  • Location: Unix OU
  • User Name: penguin
  • Member: Domain Users
  • Password: tuxracer!
  • NIS Domain: allure
  • UID: 10001
  • Login Shell: /bin/bash
  • Home Directory: /nfshome/penguin
  • Primary group name: arctic
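As an added example (not part of the original post), the following shows how a Unix client would look up the penguin account created above over LDAP, using the ice bind account and the indexed uid attribute, and map the Identity Management for UNIX attributes to a passwd entry. The ldapsearch command line, the msSFU30NisDomain attribute name and the sample LDIF output are constructed assumptions, not captured from the lab.

```python
import re
from typing import Dict, Optional

# Values from the post: bind account and OU layout in the allure.local domain.
BASE_DN = "OU=Unix,DC=allure,DC=local"
BIND_DN = "ice@allure.local"   # the LDAP bind account created above

def ldapsearch_cmd(login: str) -> str:
    """Build the ldapsearch a Unix client would run to fetch the RFC 2307
    attributes that Identity Management for UNIX stores in AD. The filter
    searches on uid, which is why the post indexes that attribute."""
    attrs = "uid uidNumber gidNumber loginShell unixHomeDirectory msSFU30NisDomain"
    return (f"ldapsearch -x -LLL -H ldap://ad1.allure.local -D {BIND_DN} -W "
            f"-b {BASE_DN} '(&(objectClass=user)(uid={login}))' {attrs}")

def parse_ldif(ldif: str) -> Dict[str, str]:
    """Parse one LDIF entry into a dict. Folded continuation lines (leading
    space) are joined; base64 ('::') values are not handled here."""
    entry: Dict[str, str] = {}
    unfolded = re.sub(r"\n ", "", ldif)
    for line in unfolded.splitlines():
        if ":" in line and not line.startswith("#"):
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
    return entry

def passwd_line(entry: Dict[str, str]) -> Optional[str]:
    """Map the AD attributes to a passwd(5) line. Returns None when the UNIX
    attributes are missing, which is what a client sees for an account whose
    UNIX Attributes tab was never filled in."""
    needed = ("uid", "uidNumber", "gidNumber", "unixHomeDirectory", "loginShell")
    if not all(k in entry for k in needed):
        return None
    return (f"{entry['uid']}:x:{entry['uidNumber']}:{entry['gidNumber']}:"
            f"{entry.get('gecos', '')}:{entry['unixHomeDirectory']}:{entry['loginShell']}")

# Constructed sample of what the search for 'penguin' would return.
SAMPLE_LDIF = """dn: CN=penguin,OU=Unix,DC=allure,DC=local
uid: penguin
uidNumber: 10001
gidNumber: 10000
loginShell: /bin/bash
unixHomeDirectory: /nfshome/penguin
msSFU30NisDomain: allure
"""

if __name__ == "__main__":
    print(ldapsearch_cmd("penguin"))
    print(passwd_line(parse_ldif(SAMPLE_LDIF)))
```

A gidNumber of 10000 should resolve to the arctic group created above; if getent passwd on the client shows no such line, the usual causes are the bind account, the unfilled UNIX Attributes tab, or a blocked port from the table earlier in this post.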


