Here are my notes applicable for Solaris 10. First of all install latest patches – a lot of related things fixed (but new bugs may appear :))

  1. Synchronize the system clock with AD server
    domain ntp server(s) must be in /etc/inet/ntp.conf
    then restart ntp daemon svcadm restart /network/ntp
  2. Solaris server must have a record in the DNS
  3. Domain name and name servers (DNS servers) must be in /etc/resolv.conf
  4. In the /etc/nsswitch.conf file dns and files must be specified for hosts and ipnodes
    ...
    hosts: dns files
    ipnodes: dns files
    ...
  5. In the /etc/nodename and /etc/hostname.<nic> files host name must be specified only, not a fully qualified domain name
  6. Run adjoin script. You can find it here. It will:
    • auto-detects the Active Directory domain controllers
    • creates a machine account (also called a Computer object) for the Solaris host in Active Directory and generates a random password for this account
    • configures the Solaris host as a Kerberos client of the Active Directory domain controller by using the /etc/krb5/krb5.conf file
    • configures the /etc/krb5/krb5.keytab file on the Solaris host by using the keys for the machine account (also called host credentials)

    Execute adjoin script with following options:
    ./adjoin -d <domain_name> -p <administrator_principal> -f -x
    where -f to delete any pre-existing computer account for this host and -x to debug output.

    If your domain if geographically distributed with a lot of domain controllers (DC), script can detect inappropriate controllers. Just before entering admin password, check prepared adjoin-krb5.conf.XXXXXX file in the /tmp folder and remove unnecessary controllers from it.

    Adjoin script can stop work with pkcs11_kernel.so syntax error on some SUN servers:
    + ./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error
    Then all you need is just to temporary rename this file and execute adjoin again
    mv /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so.orig
    when adjoin finished successfully, rename it back

  7. Run ldapsearch and klist to check Kerberos
    ldapsearch -R -T -h dc1.xxxxxx.com -o authzid= -o mech=gssapi -b CN=Computers,DC=xxxxxx,DC=com -s sub cn=<computer_name>
    klist
    klist -e -k /etc/krb5/krb5.keytab
  8. Enable dns client and cache daemons
    svcadm enable /network/dns/client
    svcadm enable /system/name-service-cache
  9. In the /etc/nsswitch.ldap file dns and files must be specified for hosts and ipnodes
    ...
    hosts: dns files
    ipnodes: dns files
    ...
  10. Set up a server as a client of an LDAP. Execute ldapclient
    ldapclient -v manual \
    -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi \
    -a defaultSearchBase=dc=xxxxxx,dc=com \
    -a defaultSearchScope=sub \
    -a domainName=xxxxxx.com \
    -a defaultServerList="dc1.xxxxxx.com dc2.xxxxxx.com dc3.xxxxxx.com" \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor="passwd:ou=Accounts,ou=European office,dc=xxxxxx,dc=com?sub;ou=Accounts,ou=American Office,dc=xxxxxx,dc=com?sub" \
    -a serviceSearchDescriptor=group:ou=Groups,dc=xxxxxx,dc=com?sub

    ldapclient should finish without errors. To check use ldapclient list
  11. Edit the /etc/nsswitch.conf file: files and ldap must be specified for passwd and group only
    ...
    passwd: files ldap
    group: files ldap
    hosts: dns files
    ipnodes: dns files
    networks: files
    protocols: files
    ...

    remove ldap from everywhere else
  12. Restart LDAP client
    svcadm restart /network/ldap/client
  13. Add pam_krb5.so.1 in the /etc/pam.conf file
    ...
    login auth sufficient pam_krb5.so.1
    krlogin auth required pam_krb5.so.1
    krsh auth required pam_krb5.so.1
    ktelnet auth required pam_krb5.so.1
    other auth sufficient pam_krb5.so.1
    other account required pam_krb5.so.1
    other password sufficient pam_krb5.so.1
    ...

To ensure that users could login on the host under their AD accounts, accounts in AD must have following additional attributes:
uid the same as sAMAccountName
uidNumber unique number
gidNumber number
unixHomeDirectory for example /tmp
loginShell for example /usr/bin/bash or /bin/false

To check it use getent or ldapsearch
getent passwd <uid>
ldapsearch -R -T -h dc1.xxxxxx.com -b "ou=Accounts,ou=American Office,dc=xxxxxx,dc=com" -o mech=gssapi -o authzid='' "uid=<uid>"

If you would like read more: link to SUN’s article “Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory”.