Re: Solaris 9 authentication and access control into Active Directory

From: Erwin Fritz (efritz_at_GLJA.com)
Date: 09/14/04

    Date: Tue, 14 Sep 2004 12:16:23 -0600
    To: Ron Ogle <ogler@tce.com>

    Well, I've used Samba on Solaris 9 to come up with a single sign-on solution which worked very well. I used MIT Kerberos and the OpenLDAP client libraries, as the Solaris built-in LDAP libraries are very persnickety about non-Solaris LDAP servers.

    The problem I ran into, which put the entire project on hold until I have more time, was mapping AD user SIDs to UNIX user IDs. I didn't want to have local UNIX accounts, and Samba's winbind supports AD accounts being "massaged" into pseudo-UNIX accounts. Samba maps the SIDs to UNIX IDs just fine, but using a sequential approach. So the first AD user to telnet/ftp/CIFS in gets UNIX user id 10001, say, and the second one gets UNIX user ID 10002, and so on. That works just fine.

    Now, say the first user creates a file on an NFS share on that server. The file is owned by user ID 10001, naturally.

    Now say that the NFS share is mounted on a UNIX server, also running Samba. Say the second user telnets/ftps/CIFS to that server. He's the first one to do so, so he gets UNIX user ID 10001, and owns the file!

    The solution, according to the Samba docs, is to create an LDAP server and store the SID->uid mappings in an OU there. Well, thinking that AD is LDAP-compliant, I thought I'd keep things simple and use AD as the place to keep that OU. I could never properly get that to work, and then got pulled to other projects.

    I plan to revisit this issue, and will build an OpenLDAP server for this purpose. Seems a waste to have it, but if it'll solve this problem, I'll have my SSO solution.

    Microsoft suggests implementing Services for UNIX to solve the problem, but there are various issues with that product in my environment.

    Just my two bits.
    Erwin Fritz
    Network Admin

    Ron Ogle wrote:
    > Has anyone out there been very successful with completely integrating
    > Solaris 9 into Microsoft's Active Directory? This is what I'm hoping to
    > do:
    >
    > 1. Use Kerberos on Solaris 9 via PAM to authenticate to AD using the
    > Windows username/password.
    > 2. Use LDAP through NSS to get /etc/passwd and /etc/group type data from
    > AD.
    > 3. Use Solaris RBAC to group the Windows userids into roles that will
    > manage the systems.
    > 4. Have a very difficult root password (hopefully using MD5) on the
    > local machine in case AD is not available. I will use this
    > authentication only as a last resort.
    >
    > From what I've read the MIT version of Kerberos works better with AD,
    > but the Solaris SEAM version of Kerberos works better with Solaris. From
    > someone who's been there done that, MIT or SEAM?
    >
    > I've read the Microsoft document on integrating Unix into Windows 2003.
    > They either have SFU or recommend purchasing VAS. I know that there is
    > also PAM SMB authentication, but I don't believe that I want to do that.
    >
    > Thanks
    > Ron Ogle


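The uid collision Erwin describes, and the two fixes the Samba docs offer for it, as an added example that is not code from the original post or from Samba itself. It models winbind's per-host sequential SID->uid allocation (the idmap_tdb backend), a single allocation table consulted by every host (what an LDAP idmap store gives you), and an algorithmic mapping derived from the SID's RID (the idmap_rid backend). The domain SID, the RIDs for "Alice" and "Bob", the host names and the uid range are all constructed for illustration.

```python
# Added example, not code from the original post or from Samba itself: a
# model of how winbind's per-host sequential SID -> uid allocation produces
# the NFS ownership mix-up described in the post, and of the two fixes the
# Samba docs offer: a SID -> uid table shared by every host (idmap_ldap) or
# an algorithmic mapping computed from the SID alone (idmap_rid).
# Domain SID, RIDs, host names and the uid range are constructed.

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
ALICE = DOMAIN_SID + "-1105"                               # constructed RID
BOB = DOMAIN_SID + "-1106"                                 # constructed RID


class SequentialIdmap:
    """SID -> uid table that hands out the next free uid from a range the
    first time it sees a SID. This is what idmap_tdb does on each host."""

    def __init__(self, uid_low, uid_high):
        self.uid_low, self.uid_high = uid_low, uid_high
        self.next_uid = uid_low
        self.sid_to_uid = {}

    def uid_for(self, sid):
        if sid not in self.sid_to_uid:
            if self.next_uid > self.uid_high:
                raise RuntimeError("idmap uid range exhausted")
            self.sid_to_uid[sid] = self.next_uid
            self.next_uid += 1
        return self.sid_to_uid[sid]

    def sid_for(self, uid):
        for sid, mapped in self.sid_to_uid.items():
            if mapped == uid:
                return sid
        return None


class RidIdmap:
    """uid = base + RID, derived from the SID alone, so every host that
    uses the same base agrees without sharing any state (idmap_rid)."""

    def __init__(self, domain_sid, base):
        self.domain_sid, self.base = domain_sid, base

    def uid_for(self, sid):
        prefix, rid = sid.rsplit("-", 1)
        if prefix != self.domain_sid:
            raise ValueError("SID %s is not from the mapped domain" % sid)
        return self.base + int(rid)

    def sid_for(self, uid):
        if uid <= self.base:
            return None
        return "%s-%d" % (self.domain_sid, uid - self.base)


class Host:
    """A Samba/winbind host: logins allocate uids through its idmap, and
    NFS file ownership is resolved back through the same idmap."""

    def __init__(self, name, idmap):
        self.name, self.idmap = name, idmap

    def login(self, sid):
        return self.idmap.uid_for(sid)

    def owner_of(self, uid):
        return self.idmap.sid_for(uid)


def nfs_owner_as_seen_by_second_host(idmap_a, idmap_b):
    """Alice logs in first on host A and creates a file on the NFS share;
    Bob logs in first on host B, which mounts that share. Returns the uid
    the file carries and the SID host B resolves that uid to."""
    a = Host("solaris-a", idmap_a)
    b = Host("solaris-b", idmap_b)
    file_uid = a.login(ALICE)
    b.login(BOB)
    return file_uid, b.owner_of(file_uid)


def per_host_tables():
    """The setup in the post: each host allocates from its own table."""
    return nfs_owner_as_seen_by_second_host(
        SequentialIdmap(10001, 20000), SequentialIdmap(10001, 20000))


def shared_table():
    """One table consulted by both hosts, as with an LDAP idmap store."""
    shared = SequentialIdmap(10001, 20000)
    return nfs_owner_as_seen_by_second_host(shared, shared)


def rid_mapping():
    """No table at all: the uid follows from the RID on every host."""
    return nfs_owner_as_seen_by_second_host(
        RidIdmap(DOMAIN_SID, 10000), RidIdmap(DOMAIN_SID, 10000))


if __name__ == "__main__":
    for label, scenario in (("per-host tables", per_host_tables),
                            ("shared table", shared_table),
                            ("rid mapping", rid_mapping)):
        uid, owner = scenario()
        who = {ALICE: "Alice", BOB: "Bob"}.get(owner, owner)
        print("%-16s file uid %d, host B says the owner is %s"
              % (label, uid, who))
```

With per-host tables, host B resolves uid 10001 to Bob, which is exactly the ownership flip in the post; with one shared table Bob gets 10002 and the file stays Alice's; with RID mapping the file is uid 11105 everywhere and no table is needed. The RID approach only works if every host uses the same base and uid range, and it covers a single domain's RIDs, so users from trusted domains are not handled by it alone. The shared-table model is what the planned OpenLDAP idmap store provides, and Microsoft's SFU suggestion amounts to a third way of reaching one global mapping: keeping the uid on the AD user object itself so every host reads the same value.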
