Comments on: How to add Solaris 10 server into MS Active Directory domain http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/ thoughts and actions Fri, 11 May 2012 16:35:00 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Imhotep_cp http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-1177 Imhotep_cp Tue, 13 Sep 2011 19:16:00 +0000 http://tibcoadmin.com/?p=372#comment-1177 very nice howto, thanks alot very nice howto, thanks alot

]]> By: Hyper-V Guests: Linux Integration Components (v2) on Oracle Enterprise Linux (Virtual Box Howto) « Information Junkie http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-1176 Hyper-V Guests: Linux Integration Components (v2) on Oracle Enterprise Linux (Virtual Box Howto) « Information Junkie Tue, 13 Sep 2011 19:14:32 +0000 http://tibcoadmin.com/?p=372#comment-1176 [...] Single Sign On —> pam_mkhomedir.so Solaris 10 and Active Directory Integration (no SSL) How to add Solaris 10 server into MS Active Directory domain -> Solaris x86_64 via GUI Setup installieren und die entsprechenden Informationen zum Domain [...] [...] Single Sign On —> pam_mkhomedir.so Solaris 10 and Active Directory Integration (no SSL) How to add Solaris 10 server into MS Active Directory domain -> Solaris x86_64 via GUI Setup installieren und die entsprechenden Informationen zum Domain [...]

]]> By: Anonymous http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-1162 Anonymous Mon, 21 Mar 2011 15:15:00 +0000 http://tibcoadmin.com/?p=372#comment-1162 I was wondering about the error: ./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error ...And found that the code on line 859 was trying to use the result returned from a cryptoadm call on line 856. Running the command by hand I noticed an extra line, which was probably not accounted for: # cryptoadm list -v mechanism=CKM_AES_CBC 2>/dev/null | grep "^CKM_AES_CBC" CKM_AES_CBC /usr/lib/security/$ISA/pkcs11_kernel.so: failed to retrieve the mechanism list. CKM_AES_CBC 16 32 . X X . . . . . . . X X . . Looks like the second line is what the pipe to read expects to parse, but it's taking the first line first. So, to get around this I just put in another grep in the pipeline like this: cryptoadm list -v mechanism=CKM_AES_CBC 2>/dev/null | $grep -v "failed to" | $grep ^CKM_AES_CBC | read j minkeysize maxkeysize j After doing this, if you look at the debug output, you'll see that the min/max key size gets set correctly: + minkeysize=128 + maxkeysize=256 I was wondering about the error:

./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error

…And found that the code on line 859 was trying to use the result returned from a cryptoadm call on line 856. Running the command by hand I noticed an extra line, which was probably not accounted for:

# cryptoadm list -v mechanism=CKM_AES_CBC 2>/dev/null | grep “^CKM_AES_CBC”
CKM_AES_CBC /usr/lib/security/$ISA/pkcs11_kernel.so: failed to retrieve the mechanism list.
CKM_AES_CBC 16 32 . X X . . . . . . . X X . .

Looks like the second line is what the pipe to read expects to parse, but it’s taking the first line first.

So, to get around this I just put in another grep in the pipeline like this:

cryptoadm list -v mechanism=CKM_AES_CBC 2>/dev/null | $grep -v “failed to” |
$grep ^CKM_AES_CBC | read j minkeysize maxkeysize j

After doing this, if you look at the debug output, you’ll see that the min/max key size gets set correctly:

+ minkeysize=128
+ maxkeysize=256

]]> By: Serge http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-142 Serge Fri, 21 May 2010 20:18:18 +0000 http://tibcoadmin.com/?p=372#comment-142 Hi Shawn, You must check 1.tmp again and correct userPrincipalName and dNSHostname at least. Then, if ksetpw is still not working on your Solaris box, you can try to set password for machine account on DC side and use setspn and ktpass on Windows to set SPN and create keytab file that copy to Solaris and import using ktutil. Look at step one in <a href="http://tibcoadmin.com/ibm/informix/enabling-informix-sso-authentication/" rel="nofollow">this my post as example</a>. In any case, do it carefully and it will work! I will be on vacation for next two weeks with no Internet access, hope that you successfully join the domain before I come back :) All the Best, Serge. Hi Shawn,

You must check 1.tmp again and correct userPrincipalName and dNSHostname at least. Then, if ksetpw is still not working on your Solaris box, you can try to set password for machine account on DC side and use setspn and ktpass on Windows to set SPN and create keytab file that copy to Solaris and import using ktutil. Look at step one in this my post as example.

In any case, do it carefully and it will work! I will be on vacation for next two weeks with no Internet access, hope that you successfully join the domain before I come back :)

All the Best,
Serge.

]]> By: Shawn D. Cohoon http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-141 Shawn D. Cohoon Fri, 21 May 2010 15:30:50 +0000 http://tibcoadmin.com/?p=372#comment-141 Hi Serge, Though I am using root ID in AD and Solaris currently the passwords are different. When I run kinit root and enter AD DC root password it is accepted. When I use Solaris root password on kinit root command it fails. This tells me I am using correct password for AD DC root who is AD DC administrator. bash-3.00# kinit root Password for root@MASIS.TDCLAB.MIL: bash-3.00# kinit root Password for root@MASIS.TDCLAB.MIL: kinit(v5): Preauthentication failed while getting initial credentials bash-3.00# Just thought I would add this to ensure you that I am using correct passwords with authentication server. Regards, Shawn. Hi Serge,

Though I am using root ID in AD and Solaris currently the passwords are different. When I run kinit root and enter AD DC root password it is accepted. When I use Solaris root password on kinit root command it fails. This tells me I am using correct password for AD DC root who is AD DC administrator.

bash-3.00# kinit root
Password for root@MASIS.TDCLAB.MIL:
bash-3.00# kinit root
Password for root@MASIS.TDCLAB.MIL:
kinit(v5): Preauthentication failed while getting initial credentials
bash-3.00#

Just thought I would add this to ensure you that I am using correct passwords with authentication server.

Regards,
Shawn.

]]> By: Shawn D. Cohoon http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-140 Shawn D. Cohoon Fri, 21 May 2010 14:35:33 +0000 http://tibcoadmin.com/?p=372#comment-140 Hi Serge, Thanks for the heads up on typing errors, I have corrected 1.tmp and had to manually delete computer from AD DC before successful add. bash-3.00# cat 1.tmp dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil objectClass: computer cn: img-tdc-amas024 sAMAccountName: img-tdc-amas024$ userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil userAccountControl: 4130 dNSHostname: imm-tdc-amas024.masis.tdclab.mil bash-3.00# bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil ldap_add: Already exists ldap_add: additional info: 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0 bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil When I try your noted step #4, the only ksetpw is from adjoin-s10u5/i386 and get the following error; bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL Enter new password: Result: Authentication error (3) bash-3.00# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: root@MASIS.TDCLAB.MIL Valid starting Expires Service principal 05/21/10 10:01:21 05/21/10 20:01:21 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL renew until 05/28/10 10:01:21 05/21/10 10:03:00 05/21/10 20:01:21 ldap/otg-tdc-templat.masis.tdclab.mil@ renew until 05/28/10 10:01:21 05/21/10 10:17:26 05/21/10 10:19:26 kadmin/changepw@MASIS.TDCLAB.MIL renew until 05/21/10 10:19:26 bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL Enter new password: krb5_set_password() failed bash-3.00# Even though ldapadd run with no errors I do not see the server in the list of computers on the AD DC. Regards, Shawn. Hi Serge,

Thanks for the heads up on typing errors, I have corrected 1.tmp and had to manually delete computer from AD DC before successful add.

bash-3.00# cat 1.tmp
dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil
objectClass: computer
cn: img-tdc-amas024
sAMAccountName: img-tdc-amas024$
userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil
userAccountControl: 4130
dNSHostname: imm-tdc-amas024.masis.tdclab.mil
bash-3.00#
bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp
adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil
ldap_add: Already exists
ldap_add: additional info: 00000524: UpdErr: DSID-031A0F4F, problem 6005 (ENTRY_EXISTS), data 0

bash-3.00# ldapadd -h otg-tdc-templat.masis.tdclab.mil -o authzid= -o mech=gssapi -f /tmp/1.tmp
adding new entry CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=mil

When I try your noted step #4, the only ksetpw is from adjoin-s10u5/i386 and get the following error;

bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
Enter new password:
Result: Authentication error (3)
bash-3.00# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL

Valid starting Expires Service principal
05/21/10 10:01:21 05/21/10 20:01:21 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/28/10 10:01:21
05/21/10 10:03:00 05/21/10 20:01:21 ldap/otg-tdc-templat.masis.tdclab.mil@
renew until 05/28/10 10:01:21
05/21/10 10:17:26 05/21/10 10:19:26 kadmin/changepw@MASIS.TDCLAB.MIL
renew until 05/21/10 10:19:26
bash-3.00# /opt/adjoin-s10u5/i386/ksetpw host/img-tdc-amas024.masis.tdclab.mil@TDCLAB.MIL
Enter new password:
krb5_set_password() failed
bash-3.00#

Even though ldapadd run with no errors I do not see the server in the list of computers on the AD DC.

Regards,
Shawn.

]]> By: Serge http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-139 Serge Fri, 21 May 2010 13:57:08 +0000 http://tibcoadmin.com/?p=372#comment-139 Hi Shawn, You have to make some additional changes in /tmp/1.tmp file. Please check your zone: com or mil, check userPrincipalName, should it be host/img-tdc-amas024.masis.tdclab.mil@tdclab.MIL in your case? Also dNSHostname is not DC but Solaris host. Then when you execute ldapadd, DC should be otg-tdc-templat.masis.tdclab.<b>mil</b>, this is why you can't connect to it. By the way, is root@MASIS.TDCLAB.MIL domain admin? Serge. Hi Shawn,
You have to make some additional changes in /tmp/1.tmp file. Please check your zone: com or mil, check userPrincipalName, should it be host/img-tdc-amas024.masis.tdclab.mil@tdclab.MIL in your case? Also dNSHostname is not DC but Solaris host.
Then when you execute ldapadd, DC should be otg-tdc-templat.masis.tdclab.mil, this is why you can’t connect to it.
By the way, is root@MASIS.TDCLAB.MIL domain admin?

Serge.

]]> By: Shawn D. Cohoon http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-138 Shawn D. Cohoon Fri, 21 May 2010 13:27:00 +0000 http://tibcoadmin.com/?p=372#comment-138 Hi Serge, Started with individual steps you mentioned, thought first I went to AD DC removed computer manually and verified AD DC DNS working for solaris server trying to add. Also remove from solaris server /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab prior to starting. # nslookup otg-tdc-templat Server: 10.238.200.27 Address: 10.238.200.27#53 Name: otg-tdc-templat.masis.tdclab.mil Address: 10.238.200.27 # nslookup 10.238.200.27 Server: 10.238.200.27 Address: 10.238.200.27#53 27.200.238.10.in-addr.arpa name = otg-tdc-templat.masis.tdclab.mil. # nslookup img-tdc-amas024 Server: 10.238.200.27 Address: 10.238.200.27#53 Name: img-tdc-amas024.masis.tdclab.mil Address: 10.238.202.233 # # nslookup 10.238.202.233 Server: 10.238.200.27 Address: 10.238.200.27#53 233.202.238.10.in-addr.arpa name = img-tdc-amas024.masis.tdclab.mil. # # cat /tmp/1.tmp dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=com objectClass: computer cn: img-tdc-amas024 sAMAccountName: img-tdc-amas024$ userPrincipalName: host/img-tdc-amas024.masis.tdclab.com@domain.COM servicePrincipalName: host/img-tdc-amas024.masis.tdclab.com userAccountControl: 4130 dNSHostname: otg-tdc-templat.masis.tdclab.com # # kinit root Password for root@MASIS.TDCLAB.MIL: # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: root@MASIS.TDCLAB.MIL Valid starting Expires Service principal 05/21/10 09:02:53 05/21/10 19:02:53 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL renew until 05/28/10 09:02:53 # # ldapadd -h otg-tdc-templat.masis.tdclab.com -o authzid= -o mech=gassapi -f /tmp/1.tmp ldap_sasl_interactive_bind_s: Can't connect to the LDAP server - Unknown error # I went back to AD DC and manually entered solaris server name into DC but still get same error as above when trying to execute ldapadd command. Any furhter ideas? Shawn. Hi Serge,

Started with individual steps you mentioned, thought first I went to AD DC removed computer manually and verified AD DC DNS working for solaris server trying to add. Also remove from solaris server /etc/krb5/krb5.conf and /etc/krb5/krb5.keytab prior to starting.

# nslookup otg-tdc-templat
Server: 10.238.200.27
Address: 10.238.200.27#53

Name: otg-tdc-templat.masis.tdclab.mil
Address: 10.238.200.27

# nslookup 10.238.200.27
Server: 10.238.200.27
Address: 10.238.200.27#53

27.200.238.10.in-addr.arpa name = otg-tdc-templat.masis.tdclab.mil.

# nslookup img-tdc-amas024
Server: 10.238.200.27
Address: 10.238.200.27#53

Name: img-tdc-amas024.masis.tdclab.mil
Address: 10.238.202.233

#
# nslookup 10.238.202.233
Server: 10.238.200.27
Address: 10.238.200.27#53

233.202.238.10.in-addr.arpa name = img-tdc-amas024.masis.tdclab.mil.

#
# cat /tmp/1.tmp
dn: CN=img-tdc-amas024,CN=Computers,DC=masis,DC=tdclab,DC=com
objectClass: computer
cn: img-tdc-amas024
sAMAccountName: img-tdc-amas024$
userPrincipalName: host/img-tdc-amas024.masis.tdclab.com@domain.COM
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.com
userAccountControl: 4130
dNSHostname: otg-tdc-templat.masis.tdclab.com
#
# kinit root
Password for root@MASIS.TDCLAB.MIL:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL

Valid starting Expires Service principal
05/21/10 09:02:53 05/21/10 19:02:53 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/28/10 09:02:53
#
# ldapadd -h otg-tdc-templat.masis.tdclab.com -o authzid= -o mech=gassapi -f /tmp/1.tmp
ldap_sasl_interactive_bind_s: Can’t connect to the LDAP server – Unknown error
#

I went back to AD DC and manually entered solaris server name into DC but still get same error as above when trying to execute ldapadd command. Any furhter ideas?

Shawn.

]]> By: Serge http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-137 Serge Thu, 20 May 2010 19:33:36 +0000 http://tibcoadmin.com/?p=372#comment-137 Hi Shawn, As I can see, adjoin script in your case didn't finish successfully all its steps. Machine account has not been created and configured in AD, and this is why you can't configure ldapclient. Below is my compilation of all steps that adjoin script does. You can try to perform these steps manually to join your domain: 1. kinit domain_admin_account 2. prepare file /tmp/1.tmp from this template: dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com objectClass: computer cn: SERVERNAME sAMAccountName: SERVERNAME$ userPrincipalName: host/servername.domain.com@domain.COM servicePrincipalName: host/servername.domain.com userAccountControl: 4130 dNSHostname: servername.domain.com 3. ldapadd -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/1.tmp 4. ./ksetpw host/servername.domain.com@domain.COM enter any password then, like in your example: A0c0cbc23c68942d857cf793f5d4af4ef 5. prepare file /tmp/2.tmp from this template: dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com changetype: modify add: msDS-SupportedEncryptionTypes msDS-SupportedEncryptionTypes: 00000008 6. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/2.tmp 7. prepare file /tmp/3.tmp from this template: dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com changetype: modify replace: userAccountControl userAccountControl: 593920 8. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/3.tmp 9. ./ksetpw -n -v 2 -k /tmp/mykrb5keytab.tmp -e aes128-cts-hmac-sha1-96 -e arcfour-hmac-md5 -e des-cbc-crc -e des-cbc-md5 host/servername.domain.com@domain.COM enter the same password from step 4. 10. kdestroy 11. create /etc/krb5/krb5.conf file from this template: [libdefaults] default_realm = DOMAIN.COM default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5 default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5 default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5 default_etypes_des = des-cbc-crc [realms] DOMAIN.COM = { kdc = domaincontroller.domain.com kdc = domaincontroller2.domain.com kdc = domaincontroller3.domain.com kpasswd_server = domaincontroller.domain.com kpasswd_protocol = SET_CHANGE admin_server = domaincontroller.domain.com } [domain_realm] .domain.com = DOMAIN.COM 12. remove /etc/krb5/krb5.keytab file and run ktutil ktutil: rkt /tmp/mykrb5keytab.tmp ktutil: wkt /etc/krb5/krb5.keytab ktutil: quit Then you can check your system using klist and ldapsearch. If it looks good, try to configure ldapclient. Let me know how it goes. By the way, you can use binary ksetpw from adjoin/i368 folder, or even better to compile on your system from adjoin/src folder. Regards, Serge. Hi Shawn,

As I can see, adjoin script in your case didn’t finish successfully all its steps. Machine account has not been created and configured in AD, and this is why you can’t configure ldapclient. Below is my compilation of all steps that adjoin script does. You can try to perform these steps manually to join your domain:

1. kinit domain_admin_account

2. prepare file /tmp/1.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
objectClass: computer
cn: SERVERNAME
sAMAccountName: SERVERNAME$
userPrincipalName: host/servername.domain.com@domain.COM
servicePrincipalName: host/servername.domain.com
userAccountControl: 4130
dNSHostname: servername.domain.com

3. ldapadd -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/1.tmp

4. ./ksetpw host/servername.domain.com@domain.COM
enter any password then, like in your example: A0c0cbc23c68942d857cf793f5d4af4ef

5. prepare file /tmp/2.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
changetype: modify
add: msDS-SupportedEncryptionTypes
msDS-SupportedEncryptionTypes: 00000008

6. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/2.tmp

7. prepare file /tmp/3.tmp from this template:
dn: CN=SERVERNAME,CN=Computers,DC=domain,DC=com
changetype: modify
replace: userAccountControl
userAccountControl: 593920

8. ldapmodify -h domaincontroller.domain.com -o authzid= -o mech=gssapi -f /tmp/3.tmp

9. ./ksetpw -n -v 2 -k /tmp/mykrb5keytab.tmp -e aes128-cts-hmac-sha1-96 -e arcfour-hmac-md5 -e des-cbc-crc -e des-cbc-md5 host/servername.domain.com@domain.COM
enter the same password from step 4.

10. kdestroy

11. create /etc/krb5/krb5.conf file from this template:
[libdefaults]
default_realm = DOMAIN.COM
default_tkt_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_tgs_enctypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes = des-cbc-crc des-cbc-md5 arcfour-hmac-md5
default_etypes_des = des-cbc-crc

[realms]
DOMAIN.COM = {
kdc = domaincontroller.domain.com
kdc = domaincontroller2.domain.com
kdc = domaincontroller3.domain.com
kpasswd_server = domaincontroller.domain.com
kpasswd_protocol = SET_CHANGE
admin_server = domaincontroller.domain.com
}

[domain_realm]
.domain.com = DOMAIN.COM

12. remove /etc/krb5/krb5.keytab file and run ktutil
ktutil: rkt /tmp/mykrb5keytab.tmp
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: quit

Then you can check your system using klist and ldapsearch. If it looks good, try to configure ldapclient. Let me know how it goes.
By the way, you can use binary ksetpw from adjoin/i368 folder, or even better to compile on your system from adjoin/src folder.

Regards,
Serge.

]]> By: Shawn D. Cohoon http://tibcoadmin.com/sun/solaris/how-to-add-solaris-10-server-into-ms-active-directory-domain/#comment-136 Shawn D. Cohoon Thu, 20 May 2010 15:47:27 +0000 http://tibcoadmin.com/?p=372#comment-136 After the adjoin script I am able to run next three commands from your document; /usr/bin/ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= \ -o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub \ cn=img-tdc-amas024 output from above command; # ./ldapsearch4.sh version: 1 dn: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user objectClass: computer cn: IMG-TDC-AMAS024 distinguishedName: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil instanceType: 4 whenCreated: 20100520144850.0Z whenChanged: 20100520144850.0Z uSNCreated: 159850 uSNChanged: 159852 name: IMG-TDC-AMAS024 objectGUID:: a2+yL2RMXES9G7lha3w1ew== userAccountControl: 593920 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 0 localPolicyFlags: 0 pwdLastSet: 0 primaryGroupID: 515 objectSid:: AQUAAAAAAAUVAAAAHDka+OWOzeXgqtEYlgQAAA== accountExpires: 9223372036854775807 logonCount: 0 sAMAccountName: IMG-TDC-AMAS024$ sAMAccountType: 805306369 dNSHostName: img-tdc-amas024.masis.tdclab.mil userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=masis,DC=tdclab,DC=mil isCriticalSystemObject: FALSE Next two commands with output; # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: root@MASIS.TDCLAB.MIL Valid starting Expires Service principal 05/20/10 11:20:51 05/20/10 21:20:55 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL renew until 05/27/10 11:20:51 05/20/10 11:21:51 05/20/10 21:20:55 ldap/otg-tdc-templat.masis.tdclab.mil@MASIS.TDCLAB.MIL renew until 05/27/10 11:20:51 # klist -e -k /etc/krb5/krb5.keytab Keytab name: FILE:/etc/krb5/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (ArcFour with HMAC/md5) 1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with CRC-32) 1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with RSA-MD5) # After the adjoin script I am able to run next three commands from your document;

/usr/bin/ldapsearch -R -T -h otg-tdc-templat.masis.tdclab.mil -o authzid= \
-o mech=gssapi -b CN=Computers,DC=masis,DC=tdclab,DC=mil -s sub \
cn=img-tdc-amas024

output from above command;

# ./ldapsearch4.sh
version: 1
dn: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: IMG-TDC-AMAS024
distinguishedName: CN=IMG-TDC-AMAS024,CN=Computers,DC=masis,DC=tdclab,DC=mil
instanceType: 4
whenCreated: 20100520144850.0Z
whenChanged: 20100520144850.0Z
uSNCreated: 159850
uSNChanged: 159852
name: IMG-TDC-AMAS024
objectGUID:: a2+yL2RMXES9G7lha3w1ew==
userAccountControl: 593920
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
localPolicyFlags: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid:: AQUAAAAAAAUVAAAAHDka+OWOzeXgqtEYlgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: IMG-TDC-AMAS024$
sAMAccountType: 805306369
dNSHostName: img-tdc-amas024.masis.tdclab.mil
userPrincipalName: host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL
servicePrincipalName: host/img-tdc-amas024.masis.tdclab.mil
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=masis,DC=tdclab,DC=mil
isCriticalSystemObject: FALSE

Next two commands with output;

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@MASIS.TDCLAB.MIL

Valid starting Expires Service principal
05/20/10 11:20:51 05/20/10 21:20:55 krbtgt/MASIS.TDCLAB.MIL@MASIS.TDCLAB.MIL
renew until 05/27/10 11:20:51
05/20/10 11:21:51 05/20/10 21:20:55 ldap/otg-tdc-templat.masis.tdclab.mil@MASIS.TDCLAB.MIL
renew until 05/27/10 11:20:51
# klist -e -k /etc/krb5/krb5.keytab
Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
—- ————————————————————————–
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (ArcFour with HMAC/md5)
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with CRC-32)
1 host/img-tdc-amas024.masis.tdclab.mil@MASIS.TDCLAB.MIL (DES cbc mode with RSA-MD5)
#

]]>