Authenticating Solaris Accounts on Active Directory
Introduction
This document describes how to authenticate Solaris accounts against an Active Directory (AD).
What this implementation means for user management on a machine:
- Solaris accounts must still be created locally, with a login name identical to the AD one and with their disk space (home directory).
- Password verification is done by AD.
This document is based on a scenario of implementing this type of authentication on Solaris 9.
The concepts described here apply to all UNIX operating systems that support the Kerberos version 5 protocol.
Environment:
- server_ad.domain.com is the Active Directory server,
- domain.com is the domain managed by server_ad.
Prerequisites
Prerequisites:
- Kerberos version 5 (provided by the Sun Enterprise Authentication Mechanism (SEAM) 1.0.1 product),
- ensure that DNS is properly configured for the domain managed by Active Directory,
- ensure that the date is properly synchronized with the AD server (ntpdate), since Kerberos rejects requests when the clocks differ by more than the allowed skew.
Configuration
Files to configure to allow authentication on the Solaris station via AD:
- /etc/pam.conf, to indicate that Kerberos should be used for authentication,
- /etc/krb5/krb5.conf, to use the KDC (Key Distribution Center) of the AD domain.
krb5.conf
New configuration file /etc/krb5/krb5.conf:
pam.conf
First, back up the original version of krb5.conf:
The configuration:
The line "verify_ap_req_nofail = false" is essential if /etc/krb5/krb5.keytab does not contain an entry for your domain (i.e., a key with which the KDC's reply can be verified; see the krb5.conf man page).
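As an added example (not the page's own configuration files), the following Bourne shell script generates a krb5.conf for the KDC server_ad.domain.com and the pam.conf login stack that lets pam_krb5 check the AD password, and keeps a backup of any file it replaces; the realm name DOMAIN.COM and the stock Solaris 9 login lines it builds on are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own configuration: generate the two files the
# text describes (krb5.conf pointing at the AD KDC, and the pam.conf "login"
# auth stack with pam_krb5) from the realm and KDC names, backing up originals.
# Assumptions: the Kerberos realm is the AD DNS domain in upper case
# (DOMAIN.COM), the KDC is server_ad.domain.com, and the stock Solaris 9
# "login" auth lines are the four reproduced in gen_pam_login_stack.
# Print a krb5.conf for realm $1 whose KDC is $2. verify_ap_req_nofail = false
# is the line the page insists on when /etc/krb5/krb5.keytab holds no key for
# the realm; the cost is that a TGT the client cannot verify is then accepted.
gen_krb5_conf() {
    dom=`echo "$1" | tr 'A-Z' 'a-z'`
    cat <<EOF
[libdefaults]
        default_realm = $1
        verify_ap_req_nofail = false

[realms]
        $1 = {
                kdc = $2
                admin_server = $2
        }

[domain_realm]
        .$dom = $1
        $dom = $1
EOF
}

# Print the Solaris 9 "login" auth stack with pam_krb5 added. The Kerberos
# line must be "sufficient" and sit before pam_unix_auth: the AD-backed
# account has no local password, so pam_unix_auth would fail it, and a
# "required" failure cannot be rescued by a later line in the stack.
gen_pam_login_stack() {
    cat <<EOF
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth sufficient pam_krb5.so.1 use_first_pass
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
EOF
}

# Replace file $1 with stdin, keeping a one-time copy of the original in $1.orig.
# Usage: gen_krb5_conf DOMAIN.COM server_ad.domain.com | install_conf /etc/krb5/krb5.conf
install_conf() {
    if [ -f "$1" ] && [ ! -f "$1.orig" ]; then cp -p "$1" "$1.orig"; fi
    cat > "$1"
}
```

The printed login lines replace the existing "login auth" entries in /etc/pam.conf rather than being appended, so that the pam_krb5 line keeps its place before pam_unix_auth.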
Testing this configuration
The AD account used for the test is ylethieis, which does not exist locally on the Solaris machine. But first, let's try with a dummy account that doesn't exist anywhere.
Note: kinit – obtain and cache Kerberos ticket-granting ticket.
Try with the ylethieis account but entering a wrong password:
Try with the ylethieis account and the correct password for AD:
The Kerberos client service on the Solaris machine correctly queries the AD.
Cached tickets:
Creating an AD account environment on the Solaris machine
Create the disk space for accounts authenticated via AD, and an "ad" user group to distinguish them from the others (not mandatory!):
Add a ylethieis account:
This account has the ad group as its primary group.
A warning says the login name is too long, but the account is created anyway!
At this stage, on the Solaris system, the ylethieis user:
- has no password,
- has ad as its primary group,
- is just listed in /etc/passwd.
Login to the Solaris system with the ylethieis account:
We can see that authentication via Active Directory has succeeded for the ylethieis account.