I have implemented Solaris login authenticating against an Active Directory server, using Solaris x86 on a Dell R810 with 8 x Xeon CPUs and 262 GB RAM.
The actual OS is:
# uname -a
SunOS ms-svr012 5.10 Generic_142910-17 i86pc i386 i86pc
# cat /etc/release
Oracle Solaris 10 9/10 s10x_u9wos_14a X86
Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
Assembled 11 August 2010
#
The steps in:
Solaris Authentication Login with Active Directory|Seeds of Genius
were followed successfully.
It was found that there wasn't a need to create home directories for the logons.
The point of validating non-software owning users against Active Directory is to simplify audits.
This has led me to investigate how I can audit the actual users that can log in.
In order to be able to log on using the instructions I followed, I need to use:
kinit <surnameinitial>@DOMAIN.CO.UK
before the user surnameinitial can log on.
Checking the man page for kinit, I can see that the kinit command produced a file:
/tmp/krbcc<uid>
where uid is specified in the Unix Attributes tab on the AD server.
This is a ticket stored in a file.
If I reboot the server, that will clear the contents of /tmp, so will I have to run the command:
kinit <surnameinitial>@DOMAIN.CO.UK
again to get the user to log in?
Until the point of reboot, can I use the /tmp/krbcc<uid> files as an audit of users that log in authenticating against AD?
The man page for kinit says that the tickets expire after a specified lifetime. Where is this lifetime defined?
Are the users that log in authenticating against AD held elsewhere in an auditable format?
Thanks,
Jay
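An added example, not part of Jay's post or of the Seeds of Genius write-up it follows, of the kind of check the question is asking for: a small POSIX shell script that walks the kinit credential caches in /tmp, pulls the default principal and the krbtgt expiry out of `klist -c` output, and maps each cache file back to the uid in its name. The `krb5cc_<uid>` glob, the `smithj` / `ms-svr012` sample data and the klist column layout in `SAMPLE_KLIST` are constructed assumptions; set `CACHE_GLOB` to whatever name kinit actually writes on your box and compare the layout against a real `klist` run before trusting the parser.

```shell
#!/bin/sh
# Added example: summarise the Kerberos credential caches kinit leaves in /tmp.
# ASSUMPTIONS: cache files are named krb5cc_<uid> (override with CACHE_GLOB), and
# klist prints the MIT-style layout shown in SAMPLE_KLIST below (constructed data).

CACHE_DIR="${CACHE_DIR:-/tmp}"
CACHE_GLOB="${CACHE_GLOB:-krb5cc_*}"   # assumed naming; adjust to what kinit writes

# krb_cache_summary: read `klist -c <cache>` output on stdin and print one line:
#   <default principal> TAB <krbtgt expiry> TAB <renew-until or "-">
# Exits non-zero when no principal / krbtgt ticket is found (empty or foreign file).
krb_cache_summary() {
    awk '
        /^Default principal:/ { princ = $3 }
        # ticket rows: start-date start-time expiry-date expiry-time service
        $5 ~ /^krbtgt\// { expiry = $3 " " $4; want_renew = 1; next }
        # the "renew until" line belongs to the ticket row just above it
        want_renew && /renew until/ { renew = $3 " " $4; want_renew = 0; next }
        { want_renew = 0 }
        END {
            if (princ == "" || expiry == "") exit 1
            printf "%s\t%s\t%s\n", princ, expiry, (renew == "" ? "-" : renew)
        }'
}

# cache_uid: numeric uid suffix of a cache file name (krb5cc_1001 -> 1001), else empty
cache_uid() {
    basename "$1" | sed -n 's/^krb5cc_\([0-9][0-9]*\).*/\1/p'
}

# report_caches: one line per cache file in the directory, with uid and ticket summary.
report_caches() {
    dir="$1"
    for f in "$dir"/$CACHE_GLOB; do
        [ -f "$f" ] || continue
        uid=$(cache_uid "$f")
        if command -v klist >/dev/null 2>&1; then
            summary=$(klist -c "$f" 2>/dev/null | krb_cache_summary) || summary="(unreadable)"
        else
            summary="(klist not installed)"
        fi
        printf '%s\tuid=%s\t%s\n' "$f" "${uid:--}" "$summary"
    done
}

# Constructed sample of `klist -c /tmp/krb5cc_1001` output, so the parser can be
# exercised without a KDC. Names and timestamps are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: smithj@DOMAIN.CO.UK

Valid starting       Expires              Service principal
03/15/11 09:02:11    03/15/11 19:02:11    krbtgt/DOMAIN.CO.UK@DOMAIN.CO.UK
        renew until 03/22/11 09:02:11
03/15/11 09:02:15    03/15/11 19:02:11    host/ms-svr012.domain.co.uk@DOMAIN.CO.UK'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KLIST" | krb_cache_summary
else
    report_caches "$CACHE_DIR"
fi
```

Run it with no arguments on the box to list the current caches, or with `--demo` to exercise the parser on the constructed sample. Treat the output as a snapshot of who holds a ticket right now rather than an audit trail: a cache file disappears on `kdestroy`, may linger after its ticket has passed the expiry shown, and /tmp is emptied at reboot. The lifetime a ticket is issued with comes from `ticket_lifetime` in the `[libdefaults]` section of /etc/krb5/krb5.conf, capped by the KDC's own maximum (for AD, the domain Kerberos policy "Maximum lifetime for user ticket", 10 hours by default). For a durable record of who logged in, `last` (which reads /var/adm/wtmpx) and Solaris BSM auditing are the places to look.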