Re: Solaris 9 authentication and access control into Active Directory
From: Erwin Fritz (efritz_at_GLJA.com)
Date: Tue, 14 Sep 2004 12:16:23 -0600 To: Ron Ogle <firstname.lastname@example.org>
Well, I've used Samba on Solaris 9 to come up with a single sign-on solution which worked very well. I used MIT Kerberos and the OpenLDAP client libraries, as the Solaris built-in LDAP libraries are very persnickety about non-Solaris LDAP servers.
The problem I ran into, which put the entire project on hold until I have more time, was mapping AD user SIDs to UNIX user IDs. I didn't want to have local UNIX accounts, and Samba's winbind supports AD accounts being "massaged" into pseudo-UNIX accounts. Samba maps the SIDs to UNIX IDs just fine, but using a sequential approach. So the first AD user to telnet/ftp/CIFS in gets UNIX user id 10001, say, and the second one gets UNIX user ID 10002, and so on. That works just fine.
Now, say the first user creates a file on an NFS share on that server. The file is owned by user ID 10001, naturally.
Now say that the NFS share is mounted on a UNIX server, also running Samba. Say the second user telnets/ftps/CIFS to that server. He's the first one to do so, so he gets UNIX user ID 10001, and owns the file!
The solution, according to the Samba docs, is to create an LDAP server and store the SID->uid mappings in an OU there. Well, thinking that AD is LDAP-compliant, I thought I'd keep things simple and use AD as the place to keep that OU. I could never properly get that to work, and then get pulled to other projects.
I plan to revisit this issue, and will build an OpenLDAP server for this purpose. Seems a waste to have it, but if it'll solve this problem, I'll have my SSO solution.
Microsoft suggests implementing Services for UNIX to solve the problem, but there are various issues with that product in my environment.
Just my two bits.
Ron Ogle wrote:
> Has anyone out there been very successful with completely integrating
> Solaris 9 into Microsoft's Active Directory? This is what I'm hoping to
> 1. Use Kerberos on Solaris 9 via PAM to authenticate to AD using the
> Windows username/password.
> 2. Use LDAP through NSS to get /etc/passwd and /etc/group type data from
> 3. Use Solaris RBAC to group the Windows userids into roles that will
> manage the systems.
> 4. Have a very difficult root password (hopefully using MD5) on the
> local machine in case AD is not available. I will use this
> authentication only as a last resort.
> From what I've read the MIT version of Kerberos works better with AD,
> but the Solaris SEAM version of Kerberos works better with Solaris. From
> someone who's been there done that, MIT or SEAM?
> I've read the Microsoft document on integrating Unix into Windows 2003.
> They either have SFU or recommend purchasing VAS. I know that there is
> also PAM SMB authentication, but I don't believe that I want to do that.
> Ron Ogle