Here are my notes, applicable to Solaris 10. First of all, install the latest patches: a lot of related issues are fixed there (but new bugs may appear :)).
- Synchronize the system clock with the AD server. Kerberos rejects requests whose timestamp is more than the clock skew allowance (5 minutes by default) off the KDC's clock, so an unsynchronized host cannot authenticate at all. The domain NTP server(s) must be in /etc/inet/ntp.conf; then restart the NTP daemon:
svcadm restart /network/ntp
- The Solaris server must have a record in DNS.
- The domain name and name servers (DNS servers) must be in /etc/resolv.conf.
- In the /etc/nsswitch.conf file, dns and files must be specified for hosts and ipnodes:
...
hosts: dns files
ipnodes: dns files
...
- In the /etc/nodename and /etc/hostname.<nic> files the host name only must be specified, not a fully qualified domain name.
- Run the adjoin script. You can find it here. It will:
- auto-detect the Active Directory domain controllers
- create a machine account (also called a Computer object) for the Solaris host in Active Directory and generate a random password for this account
- configure the Solaris host as a Kerberos client of the Active Directory domain controller by writing the /etc/krb5/krb5.conf file
- configure the /etc/krb5/krb5.keytab file on the Solaris host with the keys for the machine account (also called host credentials)
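The prerequisites above are easy to get wrong one at a time (an FQDN in /etc/nodename, a missing nameserver, hosts lookup without dns), and adjoin only fails later with an unhelpful error. The following script is an added example, not part of the original notes or of the adjoin package: it checks each prerequisite under a root directory so it can be run against a constructed copy of the files (pass "/" on the real host). The file layout, the sample host name solhost, the domain xxxxxx.com and the address 192.0.2.10 are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: pre-join checks for the
# prerequisites listed above. Every check reads its files under a root
# directory ($1) so the script can be exercised on a constructed copy of the
# configuration; on a real Solaris 10 host pass "/" (the default).
# Assumed layout under the root: etc/nodename, etc/hostname.<nic>,
# etc/resolv.conf, etc/inet/ntp.conf, etc/nsswitch.conf.

fail() { printf 'FAIL: %s\n' "$1"; }   # report a finding; the caller sets rc

# /etc/nodename and /etc/hostname.<nic> must contain the short host name only.
check_short_names() {
    rc=0
    for f in "$1"/etc/nodename "$1"/etc/hostname.*; do
        [ -f "$f" ] || continue
        name=$(head -n 1 "$f" | tr -d '[:space:]')
        case $name in
            '')  fail "$f is empty"; rc=1 ;;
            *.*) fail "$f holds an FQDN ($name); use the short host name"; rc=1 ;;
        esac
    done
    return $rc
}

# /etc/resolv.conf needs the AD domain (domain or search) and a DNS server.
check_resolv() {
    f=$1/etc/resolv.conf; rc=0
    [ -f "$f" ] || { fail "$f missing"; return 1; }
    grep -Eq '^(domain|search)[[:space:]]' "$f" || { fail "$f: no domain/search line"; rc=1; }
    grep -Eq '^nameserver[[:space:]]' "$f"     || { fail "$f: no nameserver line"; rc=1; }
    return $rc
}

# /etc/inet/ntp.conf must name a time source: Kerberos rejects requests whose
# timestamp is more than the clock skew allowance (5 minutes by default) off
# the KDC's clock, so an unsynchronized host cannot authenticate at all.
check_ntp() {
    f=$1/etc/inet/ntp.conf
    grep -Eq '^server[[:space:]]' "$f" 2>/dev/null && return 0
    fail "$f: no 'server' line; point it at the domain NTP servers"
    return 1
}

# hosts and ipnodes in /etc/nsswitch.conf must read "dns files".
check_nsswitch_hosts() {
    f=$1/etc/nsswitch.conf; rc=0
    for key in hosts ipnodes; do
        grep -Eq "^$key:[[:space:]]+dns[[:space:]]+files" "$f" 2>/dev/null ||
            { fail "$f: '$key:' must be 'dns files'"; rc=1; }
    done
    return $rc
}

# Run every check; exit status 1 if anything must be fixed before adjoin.
preflight() {
    root=${1:-/}; status=0
    check_short_names "$root"    || status=1
    check_resolv "$root"         || status=1
    check_ntp "$root"            || status=1
    check_nsswitch_hosts "$root" || status=1
    return $status
}

# Constructed sample trees for the demo: "bad" has the classic mistakes (an
# FQDN in nodename, no nameserver, no NTP server, hosts lookup without dns).
make_sample_tree() {   # $1 = target dir, $2 = bad|good
    mkdir -p "$1/etc/inet"
    if [ "$2" = bad ]; then
        echo 'solhost.xxxxxx.com' > "$1/etc/nodename"
        echo 'solhost' > "$1/etc/hostname.e1000g0"
        echo 'domain xxxxxx.com' > "$1/etc/resolv.conf"
        : > "$1/etc/inet/ntp.conf"
        printf 'hosts: files\nipnodes: files\n' > "$1/etc/nsswitch.conf"
    else
        echo 'solhost' > "$1/etc/nodename"
        echo 'solhost' > "$1/etc/hostname.e1000g0"
        printf 'domain xxxxxx.com\nnameserver 192.0.2.10\n' > "$1/etc/resolv.conf"
        printf 'server dc1.xxxxxx.com\nserver dc2.xxxxxx.com\n' > "$1/etc/inet/ntp.conf"
        printf 'hosts: dns files\nipnodes: dns files\n' > "$1/etc/nsswitch.conf"
    fi
}

# Demo: build both trees in a temp dir and run the checks against each.
tmp=$(mktemp -d)
make_sample_tree "$tmp/bad" bad; make_sample_tree "$tmp/good" good
echo "== bad tree";  preflight "$tmp/bad"  || echo "fix the findings above first"
echo "== good tree"; preflight "$tmp/good" && echo "ready for adjoin"
rm -rf "$tmp"
```

Run it as `sh preflight.sh` before adjoin; every FAIL line names the file and the expected content, and a zero exit status means the four prerequisites are in place (the clock itself still has to be checked against the domain controllers with the NTP tools).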
Execute the adjoin script with the following options:
./adjoin -d <domain_name> -p <administrator_principal> -f -x
where -f deletes any pre-existing computer account for this host and -x turns on debug output. Note that the debug trace prints the generated machine-account password in clear text (the newpw= lines), so treat the log as sensitive and do not paste it anywhere. If your domain is geographically distributed with a lot of domain controllers (DCs), the script can pick inappropriate controllers. Just before entering the admin password, check the prepared adjoin-krb5.conf.XXXXXX file in the /tmp folder and remove unnecessary controllers from it.
The adjoin script can stop with a pkcs11_kernel.so syntax error on some SUN servers:
+ ./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error
Then all you need is to temporarily rename this file and execute adjoin again:
mv /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so.orig
When adjoin has finished successfully, rename it back.
- Run ldapsearch and klist to check Kerberos:
ldapsearch -R -T -h dc1.xxxxxx.com -o authzid= -o mech=gssapi -b CN=Computers,DC=xxxxxx,DC=com -s sub cn=<computer_name>
klist
klist -e -k /etc/krb5/krb5.keytab
- Enable the DNS client and name-service cache daemons:
svcadm enable /network/dns/client
svcadm enable /system/name-service-cache
- In the /etc/nsswitch.ldap file, dns and files must be specified for hosts and ipnodes (ldapclient copies this file over /etc/nsswitch.conf when it initializes the client, so whatever it contains becomes the active configuration):
...
hosts: dns files
ipnodes: dns files
...
- Set up the server as an LDAP client. Execute ldapclient:
ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=sasl/gssapi \
-a defaultSearchBase=dc=xxxxxx,dc=com \
-a defaultSearchScope=sub \
-a domainName=xxxxxx.com \
-a defaultServerList="dc1.xxxxxx.com dc2.xxxxxx.com dc3.xxxxxx.com" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor="passwd:ou=Accounts,ou=European office,dc=xxxxxx,dc=com?sub;ou=Accounts,ou=American Office,dc=xxxxxx,dc=com?sub" \
-a serviceSearchDescriptor=group:ou=Groups,dc=xxxxxx,dc=com?sub
ldapclient should finish without errors. To check, use ldapclient list.
- Edit the /etc/nsswitch.conf file: files and ldap must be specified for passwd and group only
...
passwd: files ldap
group: files ldap
hosts: dns files
ipnodes: dns files
networks: files
protocols: files
...
Remove ldap from everywhere else.
- Restart the LDAP client:
svcadm restart /network/ldap/client
- Add pam_krb5.so.1 to the /etc/pam.conf file. The position in each stack matters: the "sufficient" pam_krb5.so.1 line must come before the existing "required" pam_unix_auth.so.1 line of the same service, otherwise pam_unix_auth (which has no password hash for an AD user) fails first and the login is denied regardless of the Kerberos result.
...
login auth sufficient pam_krb5.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_krb5.so.1
other auth sufficient pam_krb5.so.1
other account required pam_krb5.so.1
other password sufficient pam_krb5.so.1
...
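The two edits above are the ones most often left half done: ldap lingering on other nsswitch databases, or the pam_krb5 lines appended after pam_unix_auth. The script below is an added example, not part of the original notes: it audits an nsswitch.conf and a pam.conf given as parameters, and ships with constructed good and bad samples. The non-Kerberos pam.conf lines in the samples follow the Solaris 10 default login/other auth stacks; that ordering and the file names are assumptions of the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit the final
# /etc/nsswitch.conf and /etc/pam.conf state described above. File names are
# parameters so the checks can run against constructed copies.

# nsswitch.conf: "ldap" may appear only on the passwd and group lines (both
# "files ldap"); hosts and ipnodes stay "dns files"; every other database
# listing ldap is a stray (the "remove ldap from everywhere else" step) that
# turns each lookup of that database into an LDAP round trip.
audit_nsswitch() {   # $1 = nsswitch.conf
    f=$1; rc=0
    for key in passwd group; do
        grep -Eq "^$key:[[:space:]]+files[[:space:]]+ldap" "$f" ||
            { printf 'FAIL: %s: "%s:" must be "files ldap"\n' "$f" "$key"; rc=1; }
    done
    for key in hosts ipnodes; do
        grep -Eq "^$key:[[:space:]]+dns[[:space:]]+files" "$f" ||
            { printf 'FAIL: %s: "%s:" must be "dns files"\n' "$f" "$key"; rc=1; }
    done
    stray=$(awk '$0 !~ /^#/ && $1 != "passwd:" && $1 != "group:" && /[ \t]ldap/ { print $1 }' "$f")
    [ -z "$stray" ] ||
        { printf 'FAIL: %s: ldap still listed for: %s\n' "$f" "$(printf '%s ' $stray)"; rc=1; }
    return $rc
}

# pam.conf: for one service (login, other, ...) the "auth sufficient
# pam_krb5.so.1" line must come before "auth required pam_unix_auth.so.1".
# A required module that fails poisons the stack, and pam_unix_auth has no
# password hash for an AD user, so a pam_krb5 success after it cannot help.
audit_pam_auth() {   # $1 = pam.conf, $2 = service name
    f=$1; svc=$2
    krb=$(awk -v s="$svc" '$1 == s && $2 == "auth" && $3 == "sufficient" && $4 ~ /pam_krb5\.so\.1/ { print NR; exit }' "$f")
    unix=$(awk -v s="$svc" '$1 == s && $2 == "auth" && $4 ~ /pam_unix_auth\.so\.1/ { print NR; exit }' "$f")
    if [ -z "$krb" ]; then
        printf 'FAIL: %s: no "%s auth sufficient pam_krb5.so.1" line\n' "$f" "$svc"; return 1
    fi
    if [ -n "$unix" ] && [ "$krb" -gt "$unix" ]; then
        printf 'FAIL: %s: "%s" has pam_krb5 (line %s) after pam_unix_auth (line %s)\n' "$f" "$svc" "$krb" "$unix"
        return 1
    fi
    return 0
}

# One service's auth stack (Solaris 10 default modules assumed) with the
# pam_krb5 line placed either before pam_unix_auth or after it.
pam_stack() {   # $1 = service, $2 = before|after
    s=$1
    echo "$s auth requisite pam_authtok_get.so.1"
    echo "$s auth required pam_dhkeys.so.1"
    echo "$s auth required pam_unix_cred.so.1"
    if [ "$2" = before ]; then echo "$s auth sufficient pam_krb5.so.1"; fi
    echo "$s auth required pam_unix_auth.so.1"
    if [ "$2" = after ]; then echo "$s auth sufficient pam_krb5.so.1"; fi
}

# Constructed samples, not copied from any real host.
write_samples() {   # $1 = target dir
    mkdir -p "$1"
    printf 'passwd: files ldap\ngroup: files ldap\nhosts: dns files\nipnodes: dns files\nnetworks: files\nprotocols: files\n' > "$1/nsswitch.good"
    printf 'passwd: files ldap\ngroup: files ldap\nhosts: ldap dns files\nipnodes: dns files\nnetworks: files ldap\nprotocols: files\n' > "$1/nsswitch.bad"
    { pam_stack login before; pam_stack other before; echo 'other account required pam_krb5.so.1'; } > "$1/pam.good"
    { pam_stack login after;  pam_stack other after;  echo 'other account required pam_krb5.so.1'; } > "$1/pam.bad"
}

# Demo: run both audits over the good and bad samples.
tmp=$(mktemp -d); write_samples "$tmp"
for f in nsswitch.good nsswitch.bad; do
    echo "== $f"; audit_nsswitch "$tmp/$f" && echo ok
done
for f in pam.good pam.bad; do
    for svc in login other; do
        echo "== $f $svc"; audit_pam_auth "$tmp/$f" "$svc" && echo ok
    done
done
rm -rf "$tmp"
```

On the real host call `audit_nsswitch /etc/nsswitch.conf` and `audit_pam_auth /etc/pam.conf login` (and `other`) after the edits; the line numbers in the pam findings point straight at the misplaced entry.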
To ensure that users can log in on the host under their AD accounts, the accounts in AD must have the following additional attributes:
- uid: the same as sAMAccountName
- uidNumber: a unique number
- gidNumber: a number
- unixHomeDirectory: for example /tmp
- loginShell: for example /usr/bin/bash or /bin/false
To check them use getent or ldapsearch:
getent passwd <uid>
ldapsearch -R -T -h dc1.xxxxxx.com -b "ou=Accounts,ou=American Office,dc=xxxxxx,dc=com" -o mech=gssapi -o authzid='' "uid=<uid>"
If you would like to read more: link to Sun's article "Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory".
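Rather than eyeballing the ldapsearch output for each account, the attribute list above can be checked mechanically. The script below is an added example, not part of the original notes: it parses an LDIF entry such as the ldapsearch above prints (with -T, so each attribute is on one line) and reports what is missing, and a second function finds uidNumber values shared between entries. It also refuses a uidNumber of 0, because an AD account mapped to uid 0 is root on every joined host. The two sample entries are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: validate the POSIX attributes
# of an AD user entry as returned by the ldapsearch above (LDIF on stdin;
# ldapsearch -T keeps each attribute on one line, which this parser relies on).
# The entries produced by sample_user are constructed for the demo.

# Print the first value of attribute $1 from the LDIF on stdin (case-insensitive).
ldif_get() { awk -v a="$1" 'tolower($1) == (tolower(a) ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'; }

# Check one entry for everything a Solaris login needs; prints findings,
# returns 1 when the account would not work (or should not be allowed).
check_posix_user() {
    entry=$(cat); rc=0
    uid=$(printf '%s\n' "$entry" | ldif_get uid)
    sam=$(printf '%s\n' "$entry" | ldif_get sAMAccountName)
    uidn=$(printf '%s\n' "$entry" | ldif_get uidNumber)
    gidn=$(printf '%s\n' "$entry" | ldif_get gidNumber)
    home=$(printf '%s\n' "$entry" | ldif_get unixHomeDirectory)
    shell=$(printf '%s\n' "$entry" | ldif_get loginShell)
    [ -n "$uid" ] && [ "$uid" = "$sam" ] ||
        { echo "FAIL: uid ($uid) must equal sAMAccountName ($sam)"; rc=1; }
    case $uidn in ''|*[!0-9]*) echo "FAIL: uidNumber missing or not numeric ($uidn)"; rc=1 ;; esac
    case $gidn in ''|*[!0-9]*) echo "FAIL: gidNumber missing or not numeric ($gidn)"; rc=1 ;; esac
    [ -n "$home" ]  || { echo "FAIL: unixHomeDirectory missing"; rc=1; }
    [ -n "$shell" ] || { echo "FAIL: loginShell missing"; rc=1; }
    # a directory-managed account must never map onto uid 0: with
    # "passwd: files ldap" root's own entry still wins the name lookup, but
    # the AD user would run as uid 0 on every joined host.
    [ "$uidn" != 0 ] || { echo "FAIL: uidNumber 0 (root) on an AD account"; rc=1; }
    return $rc
}

# "uidNumber unique number": feed the LDIF of many entries (a whole
# ldapsearch over ou=Accounts) and report any uidNumber used more than once.
check_unique_uidnumbers() {
    dups=$(awk 'tolower($1) == "uidnumber:" { print $2 }' | sort | uniq -d)
    [ -z "$dups" ] && return 0
    printf 'FAIL: uidNumber shared by several accounts: %s\n' "$(printf '%s ' $dups)"
    return 1
}

# Constructed sample entries, not real directory data.
sample_user() {   # $1 = good|bad
    case $1 in
        good) cat <<'EOF'
dn: CN=Jane Doe,ou=Accounts,ou=American Office,dc=xxxxxx,dc=com
sAMAccountName: jdoe
uid: jdoe
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /export/home/jdoe
loginShell: /usr/bin/bash
EOF
        ;;
        bad) cat <<'EOF'
dn: CN=Backup Service,ou=Accounts,ou=European office,dc=xxxxxx,dc=com
sAMAccountName: svc-backup
uid: svcbackup
uidNumber: 0
gidNumber: 10000
loginShell: /bin/false
EOF
        ;;
    esac
}

# Demo: the good entry passes, the bad one is reported, and feeding the good
# entry twice exercises the duplicate-uidNumber check.
for u in good bad; do
    echo "== $u"; sample_user "$u" | check_posix_user && echo ok
done
{ sample_user good; sample_user good; } | check_unique_uidnumbers || echo "fix the duplicates"
```

On a joined host, pipe the ldapsearch above into `check_posix_user`, or the search over the whole ou=Accounts subtree into `check_unique_uidnumbers`, before telling users the host is ready.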

1. Comment by Shawn D. Cohoon
19/May/2010 at 4:29 pm
Serge,
Used your document, but have one question concerning authentication. I was only able to use simple with ldapclient; however, afterwards searches worked only with an id having domain admin access. Do you have any ideas, since I am almost where I want to be with Solaris 10 using AD for authentication?
Shawn.
2. Comment by Serge
19/May/2010 at 7:07 pm
Hi Shawn,
Can you show us an example of your test case and give us more info about your configuration? Also you can try to debug as described here.
3. Comment by Shawn D. Cohoon
20/May/2010 at 6:53 pm
I have a log file from the adjoin script, the initial ldapsearch, klist and klist with options prior to running ldapclient. How can I send you this text file before running the Kerberos debug? As for the environment, I am running Solaris 10 x86 u8 with the full recommended patch cluster applied, trying to authenticate to Windows 2003 AD.
Regards,
Shawn
4. Comment by Shawn D. Cohoon
20/May/2010 at 7:29 pm
In addition to the previous message: when I try running ldapclient with either sasl/gssapi or gssapi I get the message Unable to set value: invalid authenticationMethod (sasl/gssapi). Whereas if I use simple it runs without errors. Here is the ldapclient command;
/usr/sbin/ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=gssapi \
-a defaultSearchBase=dc=masis,dc=tdclab,dc=com \
-a defaultSearchScope=sub \
-a domainName=masis.tdclab.mil \
-a defaultServerList="otg-tdc-templat.masis.tdclab.mil" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:ou=Accounts,dc=masis,dc=tdclab,dc=mil?sub \
-a serviceSearchDescriptor=group:ou=Groups,dc=masis,dc=tdclab,dc=mil?sub
This is the stdout;
# ./ldapclient7.sh
Parsing credentialLevel=self
Parsing authenticationMethod=gssapi
Parsing defaultSearchBase=dc=masis,dc=tdclab,dc=com
Parsing defaultSearchScope=sub
Parsing domainName=masis.tdclab.mil
Parsing defaultServerList=otg-tdc-templat.masis.tdclab.mil
Parsing attributeMap=passwd:gecos=cn
Parsing attributeMap=passwd:homedirectory=unixHomeDirectory
Parsing objectClassMap=group:posixGroup=group
Parsing objectClassMap=passwd:posixAccount=user
Parsing objectClassMap=shadow:shadowAccount=user
Parsing serviceSearchDescriptor=passwd:ou=Accounts,dc=masis,dc=tdclab,dc=mil?sub
Parsing serviceSearchDescriptor=group:ou=Groups,dc=masis,dc=tdclab,dc=mil?sub
Arguments parsed:
authenticationMethod: gssapi
defaultSearchBase: dc=masis,dc=tdclab,dc=com
credentialLevel: self
domainName: masis.tdclab.mil
objectclassMap:
arg[0]: group:posixGroup=group
arg[1]: passwd:posixAccount=user
arg[2]: shadow:shadowAccount=user
attributeMap:
arg[0]: passwd:gecos=cn
arg[1]: passwd:homedirectory=unixHomeDirectory
defaultSearchScope: sub
serviceSearchDescriptor:
arg[0]: passwd:ou=Accounts,dc=masis,dc=tdclab,dc=mil?sub
arg[1]: group:ou=Groups,dc=masis,dc=tdclab,dc=mil?sub
defaultServerList: otg-tdc-templat.masis.tdclab.mil
Handling manual option
Unable to set value: invalid authenticationMethod (gssapi)
Regards,
Shawn.
5. Comment by Shawn D. Cohoon
20/May/2010 at 7:43 pm
Here is the adjoin log; please note line #545, Result: Authentication error (3):
+ : ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub sAMAccountName=IMG-TDC-AMAS024$ dn
+ :
+ ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub sAMAccountName=IMG-TDC-AMAS024$ dn
+ 1> /dev/null 2>& 1
+ :
+ read j dn
+ ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub sAMAccountName=IMG-TDC-AMAS024$ dn
+ grep ^dn:
+ [[ -z CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil ]]
+ [[ false = false ]]
+ [[ false = false ]]
+ [[ -n CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil ]]
+ print Looking to see if the machine account contains other objects…
Looking to see if the machine account contains other objects…
+ read j sub_dn
+ ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub dn
+ [[ version: != dn: ]]
+ continue
+ read j sub_dn
+ [[ dn: != dn: ]]
+ [[ -z CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil ]]
+ [[ CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil = CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil ]]
+ continue
+ read j sub_dn
+ :
+ print Deleting existing machine account…
Deleting existing machine account…
+ : ldapdelete -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
+ ldapdelete -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
+ false
+ + mktemp -t -p /tmp adjoin-computer-object.XXXXXX
object=/tmp/adjoin-computer-object.p8aO.L
+ false
+ false
+ cat
+ 1> /tmp/adjoin-computer-object.p8aO.L 0< /dev/null
+ od -t x1
+ sed s/ //g
+ head -1
+ cut -d -f2-17
newpw=0c0cbc23c68942d857cf793f5d4af4ef
+ [[ 0c0cbc23c68942d857cf793f5d4af4ef = +([0-9a-zA-Z]) ]]
+ break
+ newpw=A0c0cbc23c68942d857cf793f5d4af4ef
+ : print A0c0cbc23c68942d857cf793f5d4af4ef | ./ksetpw host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
+ :
+ ./ksetpw host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
+ print A0c0cbc23c68942d857cf793f5d4af4ef
Result: Authentication error (3)
+ [[ 0 -ne 0 ]]
+ print Getting kvno
Getting kvno
+ : ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub cn=IMG-TDC-AMAS024 msDS-KeyVersionNumber
+ :
+ read j kvno
+ ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub cn=IMG-TDC-AMAS024 msDS-KeyVersionNumber
+ grep ^msDS-KeyVersionNumber
+ [[ -z 1 ]]
+ print KVNO: 1
KVNO: 1
+ userAccountControl=593920
+ set -A enctypes --
+ arcfour=false
+ des=false
+ [[ 5.10 = 5.11 ]]
+ read j minkeysize maxkeysize j
+ cryptoadm list -v mechanism=CKM_AES_CBC
+ 2> /dev/null
+ /usr/xpg4/bin/grep ^CKM_AES_CBC
+ minkeysize=128
+ maxkeysize=256
+ /usr/xpg4/bin/grep CKM_RC4
+ cryptoadm list -m provider=arcfour
+ 1> /dev/null 2>& 1
+ 2> /dev/null
+ [[ false = false ]]
+ /usr/xpg4/bin/grep CKM_RC4
+ 1> /dev/null 2>& 1
+ cryptoadm list -m provider=arcfour2048
+ 2> /dev/null
+ arcfour=:
+ /usr/xpg4/bin/grep CKM_DES_
+ 1> /dev/null 2>& 1
+ cryptoadm list -m provider=des
+ 2> /dev/null
+ des=:
+ val=
+ [[ 128 -eq 128 ]]
+ [[ 256 -eq 256 ]]
+ val=00000018
+ aes128=:
+ aes256=:
+ print Determining supported enctypes for machine account via LDAP
Determining supported enctypes for machine account via LDAP
+ cat
+ 1> /tmp/adjoin-computer-object.p8aO.L 0< /dev/null 2>& 1
+ [[ 16 -ne 0 ]]
+ aes128=false
+ aes256=false
+ print This must not be a Longhorn/Vista AD DC!
This must not be a Longhorn/Vista AD DC!
+ print \tSo we assume 1DES and arcfour enctypes
So we assume 1DES and arcfour enctypes
+ false
+ false
+ false
+ :
+ enctypes[0]=arcfour-hmac-md5
+ print ARCFOUR will be supported
ARCFOUR will be supported
+ :
+ enctypes[1]=des-cbc-crc
+ enctypes[2]=des-cbc-md5
+ [[ 3 -eq 0 ]]
+ print Finishing machine account
Finishing machine account
+ cat
+ 1> /tmp/adjoin-computer-object.p8aO.L 0< /dev/null 2>& 1
+ return 0
+ print -- adjoin: Done
adjoin: Done
+ exit 0
+ cleanup
+ :
+ kdestroy
+ :
+ rm -f /tmp/adjoin-krb5ccache.aNay7L
+ [[ -n /tmp/adjoin-computer-object.p8aO.L ]]
+ rm -f /tmp/adjoin-computer-object.p8aO.L
6. Comment by Shawn D. Cohoon
20/May/2010 at 7:47 pm
After the adjoin script I am able to run the next three commands from your document;
/usr/bin/ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= \
-o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub \
cn=img-tdc-amas024
output from above command;
# ./ldapsearch4.sh
version: 1
dn: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: IMG-TDC-AMAS024
distinguishedName: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
instanceType: 4
whenCreated: 20100520144850.0Z
whenChanged: 20100520144850.0Z
uSNCreated: 159850
uSNChanged: 159852
name: IMG-TDC-AMAS024
objectGUID:: a2+yL2RMXES9G7lha3w1ew==
userAccountControl: 593920
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAHDka+OWOzeXgqtEYlgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: IMG-TDC-AMAS024$
sAMAccountType: 805306369
dNSHostName: img-tdc-amas024.masis.tdclab.mil
userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=masis,DC=tdclab,DC=mil
isCriticalSystemObject: FALSE
Next two commands with output;
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL
Valid starting Expires Service principal
05/20/10 11:20:51 05/20/10 21:20:55 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/27/10 11:20:51
05/20/10 11:21:51 05/20/10 21:20:55 ldap/otg-tdc-templat.masis.tdclab.mil@MASIS.TDCLAB.MIL
renew until 05/27/10 11:20:51
# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (ArcFour with HMAC/md5)
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with CRC-32)
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with RSA-MD5)
#
7. Comment by Serge
20/May/2010 at 11:33 pm
Hi Shawn,
As I can see, the adjoin script in your case didn't successfully finish all its steps. The machine account has not been created and configured in AD, and this is why you can't configure ldapclient. Below is my compilation of all the steps that the adjoin script does. You can try to perform these steps manually to join your domain:
1. kinit domain_admin_account
2. prepare file /tmp/1.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
objectClass: computer
cn: SERVERNAME
sAMAccountName: SERVERNAME$
userPrincipalName: host/servername.domain.com@domain.COM
servicePrincipalName: host/servername.domain.com
userAccountControl: 4130
dNSHostname: servername.domain.com
3. ldapadd -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/1.tmp
4. ./ksetpw host/servername.domain.com@domain.COM
enter any password then, like in your example: A0c0cbc23c68942d857cf793f5d4af4ef
5. prepare file /tmp/2.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
changetype: modify
add: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 00000008
6. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/2.tmp
7. prepare file /tmp/3.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 593920
8. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/3.tmp
9. ./ksetpw -n -v 2 -k /tmp/mykrb5keytab.tmp -e aes128-cts-hmac-sha1-96 -e arcfour-hmac-md5 -e des-cbc-crc -e des-cbc-md5 host/servername.domain.com@domain.COM
enter the same password from step 4.
10. kdestroy
11. create /etc/krb5/krb5.conf file from this template:
[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes_des = des-cbc-crc
[realms]
DOMAIN.COM = {
kdc = domaincontroller.domain.com
kdc = domaincontroller2.domain.com
kdc = domaincontroller3.domain.com
kpasswd_server = domaincontroller.domain.com
kpasswd_protocol = SET_CHANGE
admin_server = domaincontroller.domain.com
}
[domain_realm]
.domain.com = DOMAIN.COM
12. remove /etc/krb5/krb5.keytab file and run ktutil
ktutil: rkt /tmp/mykrb5keytab.tmp
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: quit
Then you can check your system using klist and ldapsearch. If it looks good, try to configure ldapclient. Let me know how it goes.
By the way, you can use the ksetpw binary from the adjoin/i386 folder, or even better compile it on your system from the adjoin/src folder.
Regards,
Serge.
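The manual procedure above repeats the same host name, domain and realm in half a dozen places, and the follow-up attempts below show how easily one of them ends up with the wrong suffix. The script below is an added example, not code from Serge's comment or from the adjoin package: it derives the LDIF records for steps 2, 5 and 7 and the krb5.conf of step 11 from one short host name and one DNS domain, and decodes the userAccountControl values used in the templates. It assumes the computer object goes in CN=Computers, that the realm is the upper-cased DNS domain, and that the first KDC also serves kpasswd and admin requests, as in the templates; the demo names servername, xxxxxx.com, dc1 and dc2 are placeholders.

```shell
#!/bin/sh
# Added example, not part of Serge's comment: derive every name used in the
# manual join above from one short host name and one DNS domain, so the DN,
# sAMAccountName, userPrincipalName realm and dNSHostName cannot drift apart.
# Assumptions: the computer object lives in CN=Computers, the realm is the
# upper-cased DNS domain, and the attribute values follow the templates above.

# "xxxxxx.com" -> "DC=xxxxxx,DC=com"; realm is the upper-cased domain.
domain_to_dn()    { printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'; }
domain_to_realm() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Step 2: the computer object (1.tmp). 4130 = 0x1022 = WORKSTATION_TRUST_ACCOUNT
# | PASSWD_NOTREQD | ACCOUNTDISABLE: the account starts disabled and is only
# enabled (step 7) once ksetpw has given it a key.
computer_ldif() {   # $1 = short host name, $2 = DNS domain
    fqdn="$1.$2"
    cat <<EOF
dn: CN=$1,CN=Computers,$(domain_to_dn "$2")
objectClass: computer
cn: $1
sAMAccountName: $1\$
userPrincipalName: host/$fqdn@$(domain_to_realm "$2")
servicePrincipalName: host/$fqdn
userAccountControl: 4130
dNSHostName: $fqdn
EOF
}

# Steps 5 and 7: the two ldapmodify records (2.tmp and 3.tmp).
computer_modify_ldif() {   # $1 = host, $2 = domain, $3 = enctypes|uac, $4 = value
    printf 'dn: CN=%s,CN=Computers,%s\nchangetype: modify\n' "$1" "$(domain_to_dn "$2")"
    case $3 in
        enctypes) printf 'add: msDS-SupportedEncryptionTypes\nmsDS-SupportedEncryptionTypes: %s\n' "$4" ;;
        uac)      printf 'replace: userAccountControl\nuserAccountControl: %s\n' "$4" ;;
    esac
}

# Decode the userAccountControl bits that matter for a machine account.
# 593920 from the template is WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWORD
# | TRUSTED_FOR_DELEGATION; the last flag is unconstrained Kerberos delegation,
# which a host that only needs to authenticate its users does not require
# (69632 = 0x11000 keeps the other two flags and drops it).
uac_decode() {   # $1 = decimal userAccountControl
    v=$1; out=
    for pair in 2:ACCOUNTDISABLE 32:PASSWD_NOTREQD 4096:WORKSTATION_TRUST_ACCOUNT \
                65536:DONT_EXPIRE_PASSWORD 524288:TRUSTED_FOR_DELEGATION \
                2097152:USE_DES_KEY_ONLY 4194304:DONT_REQ_PREAUTH; do
        bit=${pair%%:*}; name=${pair#*:}
        if [ $(( (v / bit) % 2 )) -eq 1 ]; then out="$out$name|"; fi
    done
    printf '%s\n' "${out%|}"
}

# Step 11: krb5.conf for the realm. $1 = domain, $2.. = KDC host names; the
# first KDC doubles as kpasswd/admin server as in the template. The template's
# default_*_enctypes lines, which pin single DES, are deliberately left out.
krb5_conf() {
    dom=$1; realm=$(domain_to_realm "$1"); shift
    printf '[libdefaults]\n\tdefault_realm = %s\n[realms]\n\t%s = {\n' "$realm" "$realm"
    for kdc in "$@"; do printf '\t\tkdc = %s\n' "$kdc"; done
    printf '\t\tkpasswd_server = %s\n\t\tkpasswd_protocol = SET_CHANGE\n\t\tadmin_server = %s\n\t}\n' "$1" "$1"
    printf '[domain_realm]\n\t.%s = %s\n' "$dom" "$realm"
}

# Demo with the placeholder names used in the notes above.
computer_ldif servername xxxxxx.com;                          echo
computer_modify_ldif servername xxxxxx.com enctypes 00000008; echo
computer_modify_ldif servername xxxxxx.com uac 593920;        echo
echo "4130   = $(uac_decode 4130)"
echo "593920 = $(uac_decode 593920)"
krb5_conf xxxxxx.com dc1.xxxxxx.com dc2.xxxxxx.com
```

Redirect each function's output into the /tmp/1.tmp, 2.tmp, 3.tmp and /etc/krb5/krb5.conf files of the procedure; since all of them come from the same two arguments, a typo can only break every file consistently, which ldapadd then reports at once instead of ksetpw failing later with an unrelated-looking authentication error.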
8. Comment by Shawn D. Cohoon
21/May/2010 at 5:27 pm
Hi Serge,
Started with the individual steps you mentioned, though first I went to the AD DC, removed the computer manually and verified that AD DC DNS is working for the Solaris server I am trying to add. I also removed /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab from the Solaris server prior to starting.
# nslookup otg-tdc-templat
Server: 10.238.200.27
Address: 10.238.200.27#53
Name: otg-tdc-templat.masis.tdclab.mil
Address: 10.238.200.27
# nslookup 10.238.200.27
Server: 10.238.200.27
Address: 10.238.200.27#53
27.200.238.10.in-addr.arpa name = otg-tdc-templat.masis.tdclab.mil.
# nslookup img-tdc-amas024
Server: 10.238.200.27
Address: 10.238.200.27#53
Name: img-tdc-amas024.masis.tdclab.mil
Address: 10.238.202.233
#
# nslookup 10.238.202.233
Server: 10.238.200.27
Address: 10.238.200.27#53
233.202.238.10.in-addr.arpa name = img-tdc-amas024.masis.tdclab.mil.
#
# cat /tmp/1.tmp
dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=com
objectClass: computer
cn: img-tdc-amas024
sAMAccountName: img-tdc-amas024$
userPrincipalName: host/img-tdc-amas024.masis.tdclab.com@domain.COM
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.com
userAccountControl: 4130
dNSHostname: otg-tdc-templat.masis.tdclab.com
#
# kinit root
Password for root@MASIS.TDCLAB.MIL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL
Valid starting Expires Service principal
05/21/10 09:02:53 05/21/10 19:02:53 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/28/10 09:02:53
#
# ldapadd -h otg-tdc-templat.masis.tdclab.com -o authzid= -o mech=gassapi -f /tmp/1.tmp
ldap_sasl_interactive_bind_s: Can’t connect to the LDAP server – Unknown error
#
I went back to the AD DC and manually entered the Solaris server name into the DC but still get the same error as above when trying to execute the ldapadd command. Any further ideas?
Shawn.
9. Comment by Serge
21/May/2010 at 5:57 pm
Hi Shawn,
You have to make some additional changes in /tmp/1.tmp file. Please check your zone: com or mil, check userPrincipalName, should it be host/img-tdc-amas024.masis.tdclab.mil@tdclab.MIL in your case? Also dNSHostname is not DC but Solaris host.
Then when you execute ldapadd, DC should be otg-tdc-templat.masis.tdclab.mil, this is why you can’t connect to it.
By the way, is root@MASIS.TDCLAB.MIL domain admin?
Serge.
10. Comment by Shawn D. Cohoon
21/May/2010 at 6:35 pm
Hi Serge,
Thanks for the heads up on the typing errors; I have corrected 1.tmp and had to manually delete the computer from the AD DC before a successful add.
bash-3.00# cat 1.tmp
dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil
objectClass: computer
cn: img-tdc-amas024
sAMAccountName: img-tdc-amas024$
userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil
userAccountControl: 4130
dNSHostname: imm-tdc-amas024.masis.tdclab.mil
bash-3.00#
bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp
adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil
ldap_add: Already exists
ldap_add: additional info: 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0
bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp
adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil
When I try your noted step #4, the only ksetpw is from adjoin-s10u5/i386 and I get the following error;
bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
Enter new password:
Result: Authentication error (3)
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL
Valid starting Expires Service principal
05/21/10 10:01:21 05/21/10 20:01:21 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/28/10 10:01:21
05/21/10 10:03:00 05/21/10 20:01:21 ldap/otg-tdc-templat.masis.tdclab.mil@
renew until 05/28/10 10:01:21
05/21/10 10:17:26 05/21/10 10:19:26 kadmin/changepw@MASIS.TDCLAB.MIL
renew until 05/21/10 10:19:26
bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL
Enter new password:
krb5_set_password() failed
bash-3.00#
Even though ldapadd ran with no errors I do not see the server in the list of computers on the AD DC.
Regards,
Shawn.
11. Comment by Shawn D. Cohoon
21/May/2010 at 7:30 pm
Hi Serge,
Though I am using the root ID in both AD and Solaris, currently the passwords are different. When I run kinit root and enter the AD DC root password it is accepted. When I use the Solaris root password on the kinit root command it fails. This tells me I am using the correct password for the AD DC root, who is the AD DC administrator.
bash-3.00# kinit root
Password for root@MASIS.TDCLAB.MIL:
bash-3.00# kinit root
Password for root@MASIS.TDCLAB.MIL:
kinit(v5): Preauthentication failed while getting initial credentials
bash-3.00#
Just thought I would add this to ensure you that I am using correct passwords with authentication server.
Regards,
Shawn.
12. Comment by Serge
22/May/2010 at 12:18 am
Hi Shawn,
You must check 1.tmp again and correct userPrincipalName and dNSHostname at least. Then, if ksetpw is still not working on your Solaris box, you can try to set the password for the machine account on the DC side and use setspn and ktpass on Windows to set the SPN and create a keytab file, then copy it to Solaris and import it using ktutil. Look at step one in this post of mine as an example.
In any case, do it carefully and it will work! I will be on vacation for next two weeks with no Internet access, hope that you successfully join the domain before I come back :)
All the Best,
Serge.