info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
ldaplist -d group \* - Not Working (Object not found) from Solaris 10 to Windows 2008 R2 Active Directory
16 views
Skip to first unread message
brianjester
Jan 20, 2012, 10:29:11 AM1/20/12
to
Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here's the sequence of events:
On Solaris 10 client:
ldaplist passwd \*
-Works correctly, and lists all users from Windows 2008 R2 Active Directory
However, when I do the same command for groups, it errors out:
ldaplist group \*
-Errors out with:
ldaplist: Object not found
The AD groups for UNIX I've chosen the NIS domain on the UNIX Attributes tab, just like I did with AD UNIX users.
Other commands that do work between Solaris 10 and Win 2008 R2 AD:
kinit <user>
klist
klist -k
ldapsearch -h <DC> -D cn=proxy,cn=users,dc=mydomain,dc=com -w <PASSWD> -b dc=mydomain,dc=com -s sub '(cn=tst*)'
ldapsearch -h <DC> -s base -b "" "(objectclass=*)"
The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it's searching for the Common Name (CN) tst*, and not for a type of object (group).
These commands do not work as expected:
getent passwd
-This only shows local UNIX users
getent group
-This only shows local UNIX users
The /etc/nsswitch.conf is set up for:
passwd: files ldap [TRYAGAIN=continue]
group: files ldap [TRYAGAIN=continue]
hosts: files dns
My references are:
"Windows Security and Directory Services for UNIX v1.0", Microsoft
http://technet.microsoft.com/en-us/library/bb496504.aspx
"Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows"
"Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10"
http://osdude.wordpress.com/2011/08/
Systems:
Solaris 10 (sparc)
Windows 2008 R2 with Identity Management for UNIX Role added.
On Solaris 10 client:
ldaplist passwd \*
-Works correctly, and lists all users from Windows 2008 R2 Active Directory
However, when I do the same command for groups, it errors out:
ldaplist group \*
-Errors out with:
ldaplist: Object not found
The AD groups for UNIX I've chosen the NIS domain on the UNIX Attributes tab, just like I did with AD UNIX users.
Other commands that do work between Solaris 10 and Win 2008 R2 AD:
kinit <user>
klist
klist -k
ldapsearch -h <DC> -D cn=proxy,cn=users,dc=mydomain,dc=com -w <PASSWD> -b dc=mydomain,dc=com -s sub '(cn=tst*)'
ldapsearch -h <DC> -s base -b "" "(objectclass=*)"
The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it's searching for the Common Name (CN) tst*, and not for a type of object (group).
These commands do not work as expected:
getent passwd
-This only shows local UNIX users
getent group
-This only shows local UNIX users
The /etc/nsswitch.conf is set up for:
passwd: files ldap [TRYAGAIN=continue]
group: files ldap [TRYAGAIN=continue]
hosts: files dns
My references are:
"Windows Security and Directory Services for UNIX v1.0", Microsoft
http://technet.microsoft.com/en-us/library/bb496504.aspx
"Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows"
"Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10"
http://osdude.wordpress.com/2011/08/
Systems:
Solaris 10 (sparc)
Windows 2008 R2 with Identity Management for UNIX Role added.
Brian Jester
Jan 20, 2012, 5:28:22 PM1/20/12
to
I found a mistake in our /var/ldap/ldap_client_file, I had:
group:posixAccount=group
And it should have read:
group:posixGroup=group
Once I made the change, I could query groups.
group:posixAccount=group
And it should have read:
group:posixGroup=group
Once I made the change, I could query groups.
0 new messages