ldaplist -d group \* - Not Working (Object not found) from Solaris 10 to Windows 2008 R2 Active Directory


brianjester

Jan 20, 2012, 10:29:11 AM
Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here's the sequence of events:

On Solaris 10 client:

ldaplist passwd \*

-Works correctly, and lists all users from Windows 2008 R2 Active Directory

However, when I do the same command for groups, it errors out:

ldaplist group \*

-Errors out with:

ldaplist: Object not found

For the AD groups for UNIX, I've chosen the NIS domain on the UNIX Attributes tab, just like I did with the AD UNIX users.

Other commands that do work between Solaris 10 and Win 2008 R2 AD:

kinit <user>
klist
klist -k
ldapsearch -h <DC> -D cn=proxy,cn=users,dc=mydomain,dc=com -w <PASSWD> -b dc=mydomain,dc=com -s sub '(cn=tst*)'
ldapsearch -h <DC> -s base -b "" "(objectclass=*)"

The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it's searching for the Common Name (CN) tst*, and not for a type of object (group).

These commands do not work as expected:

getent passwd

-This only shows local UNIX users

getent group

-This only shows local UNIX users

The /etc/nsswitch.conf is set up for:

passwd: files ldap [TRYAGAIN=continue]
group: files ldap [TRYAGAIN=continue]
hosts: files dns

My references are:
"Windows Security and Directory Services for UNIX v1.0", Microsoft
http://technet.microsoft.com/en-us/library/bb496504.aspx
"Authenticating UNIX/Linux to Windows 2008R2. Part 1 : Set up Windows"
"Authenticating UNIX/Linux to Windows 2008R2. Part 2 : Solaris 10"
http://osdude.wordpress.com/2011/08/

Systems:
Solaris 10 (sparc)
Windows 2008 R2 with Identity Management for UNIX Role added.

Brian Jester

Jan 20, 2012, 5:28:22 PM
I found a mistake in our /var/ldap/ldap_client_file. I had:

group:posixAccount=group

And it should have read:

group:posixGroup=group

Once I made the change, I could query groups.
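The root cause above is a single wrong objectclass on the left-hand side of an NS_LDAP_OBJECTCLASSMAP entry: the Solaris "group" service searches with the RFC 2307 class posixGroup, so a mapping written for posixAccount is never applied and the lookup returns "Object not found". The following script is an added example (not from the thread, not a Solaris tool) that parses the NS_LDAP_OBJECTCLASSMAP lines of an ldap_client_file, flags mappings whose Solaris-side class does not match the class the service queries with, and rewrites the unambiguous ones. The expected classes per service (posixAccount/shadowAccount for passwd, shadowAccount for shadow, posixGroup for group) are assumed from the standard Solaris native LDAP client schema, and the sample file contents are constructed to reproduce the typo in the post.

```python
"""Sanity-check objectclassMap entries in a Solaris ldap_client_file.

Added example, not part of the original thread. The per-service classes
below are assumed from the RFC 2307 schema the Solaris native LDAP client
uses in its search filters; the sample file text is constructed.
"""
import re

# Service -> RFC 2307 objectclass(es) the Solaris client filters on for that
# service. The left side of "service:origClass=directoryClass" must be one of
# these, or the mapping is silently ignored for that service.
EXPECTED_OBJECTCLASS = {
    "passwd": {"posixAccount", "shadowAccount"},
    "shadow": {"shadowAccount"},
    "group": {"posixGroup"},
}

MAP_LINE = re.compile(r"^\s*NS_LDAP_OBJECTCLASSMAP\s*=\s*(.*?)\s*$")
ENTRY = re.compile(r"^(?P<service>[^:]+):(?P<orig>[^=]+)=(?P<mapped>.+)$")


def parse_objectclass_maps(text):
    """Return (service, solaris_class, directory_class) for every mapping.

    ldapclient(1M) writes one NS_LDAP_OBJECTCLASSMAP line per mapping, but a
    comma-separated list is tolerated too, as in the objectclassMap profile
    attribute.
    """
    maps = []
    for line in text.splitlines():
        m = MAP_LINE.match(line)
        if not m:
            continue
        for raw in m.group(1).split(","):
            e = ENTRY.match(raw.strip())
            if e:
                maps.append((e["service"].strip(), e["orig"].strip(), e["mapped"].strip()))
    return maps


def find_mismatches(text):
    """Return (service, found_class, expected_classes) for each mapping whose
    Solaris-side class is not one the service actually queries with."""
    problems = []
    for service, orig, _mapped in parse_objectclass_maps(text):
        allowed = EXPECTED_OBJECTCLASS.get(service)
        if allowed and orig not in allowed:
            problems.append((service, orig, "/".join(sorted(allowed))))
    return problems


def fix_objectclass_maps(text):
    """Rewrite mismatched mappings where exactly one class is correct
    (e.g. group:posixAccount=group -> group:posixGroup=group)."""
    fixed = text
    for service, orig, _expected in find_mismatches(text):
        allowed = EXPECTED_OBJECTCLASS[service]
        if len(allowed) == 1:
            (correct,) = tuple(allowed)
            fixed = fixed.replace(f"{service}:{orig}=", f"{service}:{correct}=")
    return fixed


# Constructed sample resembling the relevant lines of /var/ldap/ldap_client_file,
# with the typo from the post ("group:posixAccount=group").
BROKEN_SAMPLE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= dc1.mydomain.com
NS_LDAP_SEARCH_BASEDN= dc=mydomain,dc=com
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixAccount=group
"""

if __name__ == "__main__":
    for service, found, expected in find_mismatches(BROKEN_SAMPLE):
        print(f"{service}: maps {found}, but the service queries {expected}")
    print("--- corrected ---")
    print(fix_objectclass_maps(BROKEN_SAMPLE))
```

On a real client the file is regenerated by ldapclient rather than edited by hand, so treat the rewritten text as what to feed back into the profile; once the mapping names posixGroup, `ldaplist group \*` is the quick confirmation that group lookups resolve.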