[TriLUG] Solaris and Active Directory

Jonathan Woodbury jpwoodbu at mybox.org
Thu Feb 17 13:25:26 EST 2011


Stan,

I believe I may have done something similar to what you're asking about with
Linux and AD.  I have several Debian and Ubuntu servers at my office
connected to AD for directory services and authentication.  I looked at
Likewise and Samba and they can both get this done, but I wanted the Linux
hosts to have a simple configuration that would, for the most part, look
like connecting them to OpenLDAP and MIT Kerberos.  I did have to install
the Microsoft Identity Management for UNIX component to our 2008 Small
Business Servers.  This adds a "UNIX Attributes" tab to the user properties
in Windows that allows you to set attributes like their home directory and
shell path.

My Linux boxen use libnss-ldapd to map attributes in AD to the passwd and
group NSS databases.  We use kerberos for authentication.  There's nothing
complicated about using AD's kerberos service in Linux.  I just set the
default realm to our AD domain and, for reasons that are silly, I had to
also specify our realm's kdc's and admin_server; normally you could depend
on DNS to find the kdc info.  Authentication is done with the kerberos PAM
module.

My configuration for libnss-ldapd includes all the mapping information I
required.  If I look up myself in the passwd database, I see this entry
coming from AD:
    jwoodbury:*:10000:10000:Jonathan Woodbury:/home/jwoodbury:/bin/bash
Nice and clean!

Since AD users don't get UNIX attributes automatically, only the users I've
set up specifically with UNIX attributes show up in my passwd and group
databases.  This works well for my needs, but might be annoying for an
already established large user base.  I suspect some automation could be
deployed to set UNIX attributes for existing users.

We don't have network based home directories yet, so for now, I'm using a
PAM module (mkhomedir) to make the user's home directory on first login.

I should admit that I did use Samba for one thing: making a kerberos host
principal and a corresponding kerberos keytab file: `net ads join -U <your
AD user name>`.  This was necessary to allow people to authenticate via
kerberos to network services, namely SSH.  I actually removed all traces of
samba once I used it to make the keytab file.  I would like to be able to
use kadmin to do this step without Samba, but I had trouble with that on AD.
There are probably Microsoft tools for making the keytab too.

I did run into one annoying problem: passwd and kpasswd don't work when
trying to change an AD user's password. Users must change their AD password
using native Microsoft means.  I tried using both kerberos and libpam_ldap
for this, but no dice.  I think this could be figured out, but it wasn't
important enough where I am to spend any more time troubleshooting it.

If this approach sounds like what you're after, feel free to email me off
the list if you want more information and/or config examples.

Jonathan
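The libnss-ldapd mapping described in the post above, as an added example that is not Jonathan's actual configuration: an nslcd.conf fragment that exposes only the AD accounts carrying the Identity Management for UNIX attributes. The domain, base DN, CA file and bind account are placeholders.

```conf
# /etc/nslcd.conf  (constructed example; host names, base DN, CA file and
# bind account are placeholders, not values from the post)
uid nslcd
gid nslcd

# Domain controllers. Use StartTLS (or ldaps://) so the bind credential and
# the attribute data are not sent across the network in clear text.
uri ldap://dc1.example.local ldap://dc2.example.local
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/ssl/certs/example-ad-ca.pem

base dc=example,dc=local
# Unprivileged read-only account for lookups. Because this file holds the
# password it must be root-owned and mode 0600.
binddn cn=nslcd-reader,cn=Users,dc=example,dc=local
bindpw CHANGE_ME

# AD returns referrals and pages large result sets; both confuse plain
# LDAP clients unless handled here.
referrals off
pagesize 1000

# Only accounts that have been given UNIX attributes (uidNumber etc.)
# appear in the passwd/group databases, matching the behaviour described
# in the post. Computer objects are user subclasses and are excluded.
filter passwd (&(objectClass=user)(uidNumber=*)(!(objectClass=computer)))
filter group  (&(objectClass=group)(gidNumber=*))

# Map the AD / Identity Management for UNIX attributes onto the passwd
# fields:  uid:*:uidNumber:gidNumber:gecos:homeDirectory:loginShell
map passwd uid           sAMAccountName
map passwd gecos         displayName
map passwd homeDirectory unixHomeDirectory
map passwd loginShell    loginShell
map group  uniqueMember  member
```

After restarting nslcd, `getent passwd <user>` should return a line in the same shape as the one shown in the post, and an AD account with no uidNumber should return nothing.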
