
Adding Solaris 10 machine to Active Directory Authentication


Paul

Jan 11, 2005, 6:21:51 PM
Hello all,

I am trying to join a Solaris 10 machine to a Windows 2003 domain using
LDAP. Does anyone know where documentation exists on how to do this?

Thanks
Paul


Al Mulnick

Jan 11, 2005, 7:25:41 PM
Can you be more specific? What exactly do you want to accomplish in the
end? Just to use LDAP auth?

You don't want any of the Kerberos integration?

This link might be useful, but if you can provide some more requirements it
might help to narrow it down some more.
http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/03wsdsu.mspx

As a side note, there are third party tools that will make the Solaris OS
integrate better into your AD environment. If this is more than one host,
you may want to look at products such as the one here
http://www.centrify.com


Al


"Paul" <kristyp...@hotmail.com> wrote in message
news:jcZEd.83170$dv1.11749@edtnps89...

Joe Richards [MVP]

Jan 11, 2005, 10:23:51 PM
Well LDAP isn't used for authentication for machines joined to AD because LDAP
isn't an authentication protocol and is pretty insecure. Kerberos, which is
secure, is used. If you are looking at truly joining a domain you might want to
look at the offerings from Centrify or Vintela as they let a UNIX host truly
join an AD Domain.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Paul

Jan 12, 2005, 1:27:30 PM
In the end we would like to be able to save/delete/browse files from any
Windows machine onto the Solaris machine and vice versa, and also be able
to use your Windows login to access the Solaris machine. Yes, Kerberos would
be preferred.


"Al Mulnick" <amulnick...@ncDOTrr.com> wrote in message
news:e15w#0D#EHA....@TK2MSFTNGP11.phx.gbl...

Paul

Jan 12, 2005, 1:30:39 PM
Thanks - here is what I want to accomplish in the end.

Logging into the Solaris machine with your Windows login.
Browse/save/delete folders and files from Windows to Solaris and vice versa.

Is LDAP needed in this case?
Or is the only way to go with something like Centrify?
What about ADAM (Active Directory Application Mode)?

Thanks for your help

Paul

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:#5k5nYF#EHA...@TK2MSFTNGP09.phx.gbl...

Joe Richards [MVP]

Jan 12, 2005, 7:34:24 PM
AD/AM isn't going to do anything for you.

The products by Centrify and Vintela allow you to have a UNIX or Linux machine
operate like a Windows machine. It hides all of the difficulties for you.

While it is possible to configure this stuff manually, the results either tend
to be complicated or insecure. I know one major company that spent the better
part of 2 years trying to implement Kerberos on HP-UX and Solaris boxes using
Windows Servers as KDCs. It was more of an issue with the UNIX versions than
with Windows for the most part.

Paul

Jan 13, 2005, 11:18:17 AM
Thanks Joe - very much

Paul

"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:O554jeQ#EHA....@TK2MSFTNGP11.phx.gbl...

Doug

Jan 14, 2005, 4:38:09 PM
Sun has some related documents:

Extending Authentication in the Solaris 9 Operating System Using
Pluggable Authentication Modules (PAM)
http://www.sun.com/software/whitepapers/solaris9/pam.pdf
In particular you should look at pam_krb5.

System Administration Guide: Naming and Directory Services (DNS, NIS,
and LDAP)
http://docs.sun.com/app/docs/doc/816-4556
In particular configuring the LDAP client and NSS

Solaris and LDAP Naming Services: Deploying LDAP in the Enterprise
http://www.sun.com/books/catalog/bialaski.xml

For commercial products:

http://www.vintela.com/
http://www.centrify.com/


For consulting help you might try:

Certified Security Solutions
http://www.css-security.com/

They have a tool called ADKadmin which can help with extracting
Kerberos keytables from Unix and other admin actions from Unix.
http://www.css-security.com/downloads.html

Doug

Doug

Jan 14, 2005, 5:23:20 PM
For sharing files you likely want to look into Samba.
This allows the Unix systems to access and share out Windows-style
SMB/CIFS shares.
http://www.samba.org/

There are also some products that can allow windows to interact with
Unix style NFS shares.

Some examples:
Reflection NFS Client from http://www.wrq.com
ViewNow InterDrive Client from http://www.netmanage.com
NFS Maestro from http://www.hummingbird.com

Of course if you want to do it seamlessly you may want to look at
consolidating your authentication systems.

A slight clarification: if you were going to set up your Solaris
machines to authenticate and get authorization information from Active
Directory (join the domain), you would typically set it up so that:

Authentication: Do this using Kerberos.
Authorization: Do this using LDAP but protect the LDAP bind and data
using SSL/TLS or Kerberos/GSS_API.

So LDAP isn't necessarily insecure; it is just that many people don't
secure it.

Another source of information is the
Microsoft Solution Guide for Windows Security and Directory Services
for UNIX

http://www.microsoft.com/technet/itsolutions/cits/interopmigration/unix/usecdirw/00wsdsu.mspx

Unfortunately it doesn't cover SSL/TLS so for a complete solution you
should try the Vintela product or contact:

Certified Security Solutions
http://www.css-security.com/

PADL
http://www.padl.com/

Doug
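The split Doug describes above (Kerberos via pam_krb5 for authentication, TLS-protected LDAP via the Solaris LDAP client and NSS for authorization data, Samba as an AD member for file sharing) can be staged as a set of Solaris 10 client files. The script below is an added example written for this page, not code from the thread, Sun, Microsoft or any of the vendors mentioned. The realm EXAMPLE.COM, the domain controller dc1.example.com, the base DN, the proxy account name and the Solaris 10 PAM module names it uses are assumptions; it writes everything under a scratch directory rather than /etc, prints the ldapclient and net ads commands instead of running them (they need root and a live DC), and ends with a check of the properties a reviewer would verify before copying the files into place.

```shell
#!/bin/sh
# Added example (not from the thread): stage Solaris 10 client files for
# Kerberos authentication (pam_krb5), TLS-protected LDAP for NSS, and Samba
# as an AD domain member.  Realm, DC, base DN, proxy account are assumptions.
# Everything is written under $ROOT, not /etc, so it is safe to run anywhere.

REALM="${REALM:-EXAMPLE.COM}"               # assumed AD realm (uppercase DNS name)
KDC="${KDC:-dc1.example.com}"               # assumed domain controller
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}" # assumed search base

stage_krb5_conf() {   # /etc/krb5/krb5.conf: the AD DC is KDC and kpasswd server
    root=$1; realm=$2; kdc=$3
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    mkdir -p "$root/etc/krb5"
    cat > "$root/etc/krb5/krb5.conf" <<EOF
[libdefaults]
        default_realm = $realm

[realms]
        $realm = {
                kdc = $kdc
                admin_server = $kdc
                kpasswd_server = $kdc
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .$domain = $realm
        $domain = $realm
EOF
}

stage_pam_conf() {    # /etc/pam.conf fragment: pam_krb5 first, pam_unix_auth fallback
    mkdir -p "$1/etc"
    cat > "$1/etc/pam.conf" <<'EOF'
# "sufficient" lets an AD user in on a Kerberos success; the "required"
# pam_unix_auth line still handles local accounts such as root.
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
other   account required        pam_krb5.so.1
EOF
}

stage_nsswitch() {    # /etc/nsswitch.conf: uid/gid/shell from files, then AD via LDAP
    cat > "$1/etc/nsswitch.conf" <<'EOF'
passwd:     files ldap
group:      files ldap
EOF
}

stage_smb_conf() {    # Samba as an AD member; reuses the Kerberos config above
    root=$1; realm=$2; kdc=$3
    workgroup=${realm%%.*}          # assumed NetBIOS name = first DNS label
    mkdir -p "$root/etc/samba"
    cat > "$root/etc/samba/smb.conf" <<EOF
[global]
        workgroup = $workgroup
        realm = $realm
        security = ADS
        password server = $kdc
EOF
}

# Printed, not run.  tls:simple keeps the proxy bind off the wire in clear;
# take proxyPassword from a root-only file, never the shared command line.
# AD only carries POSIX attributes with the SFU/R2 schema, so attributeMap
# entries for uid/gid/home/shell are needed on top of this.
join_commands() {
    base=$1; dc=$2
    printf 'ldapclient manual -a credentialLevel=proxy -a authenticationMethod=tls:simple'
    printf ' -a proxyDN=cn=solaris-proxy,cn=Users,%s -a defaultSearchBase=%s' "$base" "$base"
    printf ' -a defaultServerList=%s\n' "$dc"
    printf 'net ads join -U Administrator\nnet ads testjoin\n'
}

check_staged() {      # properties to verify before copying anything into /etc
    root=$1
    grep -q 'sufficient *pam_krb5' "$root/etc/pam.conf"       || return 1
    grep -q '^passwd:.*ldap'       "$root/etc/nsswitch.conf"  || return 1
    grep -q 'kpasswd_protocol'     "$root/etc/krb5/krb5.conf" || return 1
    grep -q 'security = ADS'       "$root/etc/samba/smb.conf" || return 1
}

stage_all() {
    stage_krb5_conf "$1" "$REALM" "$KDC"
    stage_pam_conf "$1"
    stage_nsswitch "$1"
    stage_smb_conf "$1" "$REALM" "$KDC"
}

ROOT="${ROOT:-$(mktemp -d)}"
stage_all "$ROOT"
check_staged "$ROOT" && echo "staged under $ROOT"
join_commands "$LDAP_BASE" "$KDC"
```

The pam.conf fragment is the "other" stack only; a real Solaris 10 file also needs the login, session and password stacks, and pam_krb5 should be tested with a non-root account before the old pam_unix-only file is removed. Keeping pam_unix_auth as required rather than dropping it is what preserves root and emergency logins when the DC or DNS is unreachable.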
