Solaris10 and Windows2000 authentication.

UNIX Solaris
1

Only for testing/learning I have setup a windows 2000 server with active directory
I connect to it a Solaris 10 machine "client".
I want Solaris10 take users from AD
I have follow this guide..

a)Setup active directory environment+services for UNIX
OK

b)I have created two users,one for ldap search(called proxyldap) and another for solaris server called host-solaris10
on AD windows 2000 server

c)I have create a kerberos keytab on Windows 2000 AD and copy to /etc/krb5.keytab of solaris

ktpass -princ HOST/solaris10.site.fake@SITE.FAKE -mapuser host-solaris10 -crypto DES-CBC-MD5 +DesOnly -pass password -ptype KRB5_NT_PRINCIPAL -out krb5.keytab

d)On solaris I have edited /etc/krb5/krb5.conf

[libdefaults]
   default_realm = SITE.FAKE
   dns_lookup_kdc = true
   verify_ap_req_nofail = false

[realms]
   SITE.FAKE = {
   kdc = windows2000.site.fake
   admin_server = windows2000.site.fake
   }

[domain_realm]
   .site.fake = SITE.FAKE

[logging]
   default = FILE:/var/krb5/kdc.log
   kdc = FILE:/var/krb5/kdc.log
   kdc_rotate = {
   period = 1d
   version = 10
 }

[appdefaults]
   kinit = {
   renewable = true
   forwardable= true
   }

e)Now configure the ldap client

ldapclient manual \
 -a credentialLevel=proxy \
 -a authenticationMethod=simple \
 -a proxyDN=cn=proxyldap,cn=Users,dc=site,dc=fake \
 -a proxyPassword=***** \
 -a defaultSearchBase=dc=site,dc=fake \
 -a defaultSearchScope=sub \
 -a domainName=site.bac \
 -a "preferredServerList=10.6.0.1" \
 -a "defaultServerList=10.6.0.1" \
 -a followReferrals=false \
 -a attributeMap=group:userpassword=userPassword \
 -a attributeMap=group:gmemberuid=memberUid \
 -a attributeMap=group:gidnumber=gidNumber \
 -a attributeMap=passwd:uid=cn \
 -a attributeMap=passwd:gidnumber=gidNumber \
 -a attributeMap=passwd:uidnumber=uidNumber \
 -a attributeMap=passwd:homedirectory=unixHomeDirectory \
 -a attributeMap=passwd:loginshell=loginShell \
 -a attributeMap=shadow:uid=cn \
 -a attributeMap=shadow:shadowflag=shadowFlag \
 -a attributeMap=shadow:userpassword=userPassword \
 -a objectClassMap=group:posixGroup=group \
 -a objectClassMap=passwd:posixAccount=user \
 -a objectClassMap=shadow:shadowAccount=user \
 -a serviceSearchDescriptor=passwd:dc=site,dc=fake?sub \
 -a serviceSearchDescriptor=group:dc=site,dc=fake?sub

f)Now configure /etc/nsswitch.conf

#
# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#

#
# /etc/nsswitch.dns:
#
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# DNS service expects that an instance of svc:/network/dns/client be
# enabled and online.

passwd:     files ldap
group:      files ldap

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:   files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will 
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

tnrhtp:     files
tnrhdb:     files

and pam.conf

#
#ident  "@(#)pam.conf   1.32    11/04/08 SMI"
#
# Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
login   auth required           pam_ldap.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth required           pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth required           pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth required           pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1

#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
passwd  auth required           pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account required        pam_ldap.so.1

#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
# Password construction requirements apply to all users.
# Remove force_check to have the traditional authorized administrator
# bypass of construction requirements.
other   password requisite      pam_authtok_check.so.1 force_check
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#

Will work?

The command ldaplist return my ldap user

ldaplist passwd myuser
dn: uid=myuser,uid=Users,DC=site,DC=fake

kinit is ok

echo userpassword|kinit myuser

But..when I try getent,or id,or su..only works for local files and not ldap.
Why?

2

You provide a lot of great information; however you do not provide some of the most important information, which is the log file entries.

If you want to solve a problem on a server, the first place to start are with the messages in the log files.

3

Thanks,I have "solved" upgrading to windows2008r2,now all works fine,if someone is interested I can post my procedure.