Here are my notes for Solaris 10. First of all, install the latest patches: a lot of related issues are fixed there (but new bugs may appear :))

  1. Synchronize the system clock with the AD server (Kerberos rejects tickets when the clock skew between client and domain controller is too large)
    the domain NTP server(s) must be listed in /etc/inet/ntp.conf
    then restart the NTP daemon: svcadm restart /network/ntp
  2. The Solaris server must have a record in DNS
  3. The domain name and the name servers (DNS servers) must be in /etc/resolv.conf
  4. In the /etc/nsswitch.conf file, dns and files must be specified for hosts and ipnodes
    hosts: dns files
    ipnodes: dns files
  5. In the /etc/nodename and /etc/hostname.<nic> files only the short host name must be specified, not a fully qualified domain name
  6. Run the adjoin script. You can find it here. It will:
    • auto-detect the Active Directory domain controllers
    • create a machine account (also called a Computer object) for the Solaris host in Active Directory and generate a random password for this account
    • configure the Solaris host as a Kerberos client of the Active Directory domain controller by writing the /etc/krb5/krb5.conf file
    • configure the /etc/krb5/krb5.keytab file on the Solaris host with the keys for the machine account (also called host credentials)

    Execute the adjoin script with the following options:
    ./adjoin -d <domain_name> -p <administrator_principal> -f -x
    where -f deletes any pre-existing computer account for this host and -x enables debug output.

    If your domain is geographically distributed with a lot of domain controllers (DCs), the script can pick inappropriate controllers. Just before entering the admin password, check the prepared adjoin-krb5.conf.XXXXXX file in the /tmp folder and remove the unnecessary controllers from it.

    The adjoin script can stop with a syntax error on some SUN servers:
    + ./adjoin[859]: /usr/lib/security/$ISA/ syntax error
    Then all you need to do is temporarily rename this file and run adjoin again:
    mv /usr/lib/security/$ISA/ /usr/lib/security/$ISA/
    When adjoin has finished successfully, rename it back.

  7. Run ldapsearch and klist to check Kerberos
    ldapsearch -R -T -h -o authzid= -o mech=gssapi -b CN=Computers,DC=xxxxxx,DC=com -s sub cn=<computer_name>
    klist -e -k /etc/krb5/krb5.keytab
  8. Enable the DNS client and name-service cache daemons
    svcadm enable /network/dns/client
    svcadm enable /system/name-service-cache
  9. In the /etc/nsswitch.ldap file, dns and files must be specified for hosts and ipnodes
    hosts: dns files
    ipnodes: dns files
  10. Set up the server as an LDAP client by executing ldapclient:
    ldapclient -v manual \
    -a credentialLevel=self \
    -a authenticationMethod=sasl/gssapi \
    -a defaultSearchBase=dc=xxxxxx,dc=com \
    -a defaultSearchScope=sub \
    -a \
    -a defaultServerList="" \
    -a attributeMap=passwd:gecos=cn \
    -a attributeMap=passwd:homedirectory=unixHomeDirectory \
    -a objectClassMap=group:posixGroup=group \
    -a objectClassMap=passwd:posixAccount=user \
    -a objectClassMap=shadow:shadowAccount=user \
    -a serviceSearchDescriptor="passwd:ou=Accounts,ou=European office,dc=xxxxxx,dc=com?sub;ou=Accounts,ou=American Office,dc=xxxxxx,dc=com?sub" \
    -a serviceSearchDescriptor=group:ou=Groups,dc=xxxxxx,dc=com?sub

    ldapclient should finish without errors. To check, use ldapclient list
  11. Edit the /etc/nsswitch.conf file: files and ldap must be specified for passwd and group only
    passwd: files ldap
    group: files ldap
    hosts: dns files
    ipnodes: dns files
    networks: files
    protocols: files

    remove ldap from every other line
  12. Restart LDAP client
    svcadm restart /network/ldap/client
  13. Add the following to the /etc/pam.conf file
    login auth sufficient
    krlogin auth required
    krsh auth required
    ktelnet auth required
    other auth sufficient
    other account required
    other password sufficient
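A small checker for the nsswitch.conf and nodename rules from steps 4, 5, 8 and 11, added here as an example and not part of the original notes or the adjoin script; the configuration files it reads are constructed inline, and the host name solhost and the domain example.com are placeholders:

```shell
#!/bin/sh
# Added example (not from the original notes): checks an nsswitch.conf and a nodename file
# against steps 4, 5, 8 and 11. Sample files are constructed below; on a real host point the
# functions at /etc/nsswitch.conf (or /etc/nsswitch.ldap) and /etc/nodename instead.

# Print the normalized source list (e.g. "files ldap") of database $2 in file $1; empty if absent.
nss_sources() {
    tr '\t' ' ' < "$1" | sed 's/#.*//' | awk -F: -v db="$2" '
        NF < 2 { next }
        { name = $1; gsub(/ /, "", name) }
        name == db { s = substr($0, index($0, ":") + 1)
                     gsub(/^ +| +$/, "", s); gsub(/ +/, " ", s); print s; exit }'
}
# Succeed only if database $2 in $1 resolves to exactly the sources $3, in that order.
nss_expect() { [ "$(nss_sources "$1" "$2")" = "$3" ]; }

# Step 11 ("remove ldap from everywhere else"): succeed only if no database other than
# passwd and group lists ldap.
nss_ldap_confined() {
    stray=$(tr '\t' ' ' < "$1" | sed 's/#.*//' | awk -F: '
        NF < 2 { next }
        { name = $1; gsub(/ /, "", name); s = " " substr($0, index($0, ":") + 1) " " }
        s ~ / ldap / && name != "passwd" && name != "group" { print name }')
    [ -z "$stray" ]
}
# Step 5: the nodename file must hold a short host name, not an FQDN.
nodename_is_short() {
    n=$(head -n 1 "$1" | tr -d ' \t')
    [ -n "$n" ] || return 1
    case $n in *.*) return 1 ;; esac
}
# Run every rule against nsswitch.conf $1 and nodename $2; print one line per rule, fail if any fails.
check_nss_config() {
    rc=0
    for rule in "passwd:files ldap" "group:files ldap" "hosts:dns files" "ipnodes:dns files"; do
        db=${rule%%:*}; want=${rule#*:}
        if nss_expect "$1" "$db" "$want"; then echo "ok   $db -> $want"
        else echo "FAIL $db is '$(nss_sources "$1" "$db")', want '$want'"; rc=1; fi
    done
    nss_ldap_confined "$1" || { echo "FAIL ldap listed outside passwd/group"; rc=1; }
    nodename_is_short "$2" || { echo "FAIL nodename must be a short host name"; rc=1; }
    return $rc
}

# Constructed samples: one correct configuration and one broken (ldap in hosts, FQDN nodename).
SAMPLE_DIR=$(mktemp -d)
printf 'passwd:\tfiles ldap\ngroup: files ldap\nhosts: dns files  # AD DNS\nipnodes: dns files\nnetworks: files\n' > "$SAMPLE_DIR/good.conf"
printf 'passwd: files ldap\ngroup: files ldap\nhosts: ldap dns files\nipnodes: dns files\n' > "$SAMPLE_DIR/bad.conf"
printf 'solhost\n' > "$SAMPLE_DIR/good.nodename"; printf 'solhost.example.com\n' > "$SAMPLE_DIR/bad.nodename"
check_nss_config "$SAMPLE_DIR/good.conf" "$SAMPLE_DIR/good.nodename"
```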

To let users log in to the host with their AD accounts, the accounts in AD must carry the following additional attributes:
uid: the same as sAMAccountName
uidNumber: a unique number
gidNumber: a group number
unixHomeDirectory: for example /tmp
loginShell: for example /usr/bin/bash or /bin/false

To check them, use getent or ldapsearch:
getent passwd <uid>
ldapsearch -R -T -h -b "ou=Accounts,ou=American Office,dc=xxxxxx,dc=com" -o mech=gssapi -o authzid='' "uid=<uid>"

If you would like to read more: link to SUN’s article “Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory”.