RE: Solaris 9 authentication and access control into Active Directory

From: Myers, Mike (Mike.Myers_at_nwdc.net)
Date: 09/20/04

    Date: Mon, 20 Sep 2004 08:14:24 -0700
    To: "Reg Quinton" <reggers@ist.uwaterloo.ca>, focus-sun@securityfocus.com
    
    

    The trick to changing passwords with Kerberos on Solaris is to add this token to the krb5.conf in the [realms] section (inside of the definition for the realm):

            kpasswd_protocol = SET_CHANGE

    For example:

            [realms]
                    AD.EXAMPLE.COM = {
                            kdc = ...:88
                            admin_server = ...:464
                            [...]
                            kpasswd_protocol = SET_CHANGE
                    }

    After that, kpasswd works just fine.

    Cheers,
     - Mike Myers, Mike.Myers <at> nwdc.net

    -----Original Message-----
    From: Reg Quinton [mailto:reggers@ist.uwaterloo.ca]
    Sent: Wednesday, September 15, 2004 6:22 AM
    To: focus-sun@securityfocus.com
    Cc: "Ron Ogle"
    Subject: Re: Solaris 9 authentication and access control into Active
    Directory

    From: "Ron Ogle" <ogler@tce.com>
    > 1. Use Kerberos on Solaris 9 via PAM to authenticate to AD using the
    > Windows username/password.

    I've done that with the vendor's implementation -- no code imported to the system.
    There's a good Microsoft paper at

    http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

    It's an awkward configuration and not much fun to set up. The trick is to
    implement a user within your Active Directory for the machine, set his
    password, then import that information to Unix. It works but I never got
    the password change figured out. I have some very rough notes here that I
    can share:

    http://ist.uwaterloo.ca/security/howto/drafts/2002-08-23/
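
A check for the setting described in the reply above, as an added example that is not part of the original messages: a shell function that lists every realm in the [realms] section whose stanza lacks kpasswd_protocol = SET_CHANGE. The function names, the sample file and its host names are constructed for illustration, and the exact-match comparison of the value is an assumption.

```shell
#!/bin/sh
# Added example: print each realm in the [realms] section of a krb5.conf
# whose stanza does not set kpasswd_protocol = SET_CHANGE.
realms_missing_set_change() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim whitespace
        /^[#;]/ || $0 == "" { next }                      # comments, blanks
        /^\[[A-Za-z_]+\]$/ { in_realms = ($0 == "[realms]"); next }
        !in_realms { next }
        depth == 0 && /=[ \t]*[{]$/ {                     # "REALM = {"
            realm = $0; sub(/[ \t]*=.*/, "", realm)
            depth = 1; ok = 0; next
        }
        depth > 0 && /[{]$/ { depth++; next }             # nested stanza
        depth > 0 && /^[}]/ {                             # end of a stanza
            if (--depth == 0 && !ok) print realm
            next
        }
        # Assumption: the value must match SET_CHANGE exactly, as posted.
        depth == 1 && /^kpasswd_protocol[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (val == "SET_CHANGE") ok = 1
        }
    ' "$1"
}

# Constructed sample (host and realm names are placeholders): only the
# first realm carries the setting; the second has it commented out.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
        default_realm = AD.EXAMPLE.COM
[realms]
        AD.EXAMPLE.COM = {
                kdc = dc1.ad.example.com:88
                admin_server = dc1.ad.example.com:464
                kpasswd_protocol = SET_CHANGE
        }
        LAB.EXAMPLE.COM = {
                kdc = dc1.lab.example.com:88
                # kpasswd_protocol = SET_CHANGE
        }
EOF
}

# Run against a file given on the command line, if any.
if [ "$#" -gt 0 ]; then realms_missing_set_change "$1"; fi
```

On Solaris the file to check is normally /etc/krb5/krb5.conf; empty output means every realm stanza carries the setting.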

