Install Solaris on sparc then add samba for Active directory authentication in Solaris
Add server zone name in ADS first
and apply the following command in
host system
# echo "set ngroups_max=1024" >> /etc/system
#pkg install ntp
Create ntp.conf in /etc/inet
# vi ntp.conf
# provide ad dc IP
server your-ntp-usually-AD-DC
# svcadm enable network/ntp
done with host
----
Login into zone or guest domain. This works for both virtualization technologies
#zlogin guest
or
#telnet locahost 500x
once login into zone or guest.
#pkg install samba
Add DC controllers to vi /etc/hosts for Solaris and Linux
192.xx.xx.xx ad-dc ad-dc.domain
192.xx.xx.xx ad-dc2 ad-dc2.domain
enable dns/client
# svcadm enable svc:/network/dns/client:default
configure name services SMF - DNS client only in zones, for guest domains this is configured at setup. skip to "select name-service/switch"
#svccfg
svc:> select dns/client
svc:/network/dns/client> setprop config/search = astring: ("your-domain" "your-sub-domain")
svc:/network/dns/client:default> setprop config/nameserver = net_address: (xx.xx.xx.xx xx.xx.xx.xx)
svc:/network/dns/client:default> select dns/client:default
svc:/network/dns/client:default> refresh
---you only need to set the three properties below refresh and exit --
svc:/network/dns/client:default>select name-service/switch
svc:/system/name-service/switch> setprop config/host =astring: "files [SUCCESS=return] dns"
svc:/system/name-service/switch> setprop config/password = "files winbind"
svc:/system/name-service/switch> setprop config/group = "files [SUCCESS=return] winbind"
-- these properties should show as below -----
svc:/system/name-service/switch> setprop config/network = "files"
svc:/system/name-service/switch> setprop config/protocol = "files"
svc:/system/name-service/switch> setprop config/rpc = "files"
svc:/system/name-service/switch> setprop config/ether = "files"
svc:/system/name-service/switch> setprop config/netmask = "files"
svc:/system/name-service/switch> setprop config/bootparam = "files"
svc:/system/name-service/switch> setprop config/publickey = "files"
svc:/system/name-service/switch> setprop config/netgroup= "files"
svc:/system/name-service/switch> setprop config/automount = "files ldap"
svc:/system/name-service/switch> setprop config/alias = "files"
svc:/system/name-service/switch> setprop config/service = "files"
svc:/system/name-service/switch> setprop config/project = "files"
svc:/system/name-service/switch> setprop config/auth_attr = "files"
svc:/system/name-service/switch> setprop config/prof_attr = "files"
svc:/system/name-service/switch> setprop config/tnrhtp = "files"
svc:/system/name-service/switch> setprop config/tnrhdb = "files"
svc:/system/name-service/switch> setprop config/printer = "user files"
-----do this to save ------
svc:/system/name-service/switch> select system/name-service/switch:default
svc:/system/name-service/switch:default> refresh
svc:/system/name-service/switch:default> validate
svc:/network/dns/client:default> exit
Create a smb.conf file, this one will authenticate with winbind.
#vi /etc/samba.smb.conf
[global]
workgroup = domain
realm = domain.ca
security = ads
utmp = Yes
idmap config * : range = 16777216-33554431
winbind separator = +
template shell = /usr/bin/bash
template homedir = /data/%U
winbind use default domain = true
winbind offline logon = yes
unix charset = iso8859-15
winbind nss info = rfc2307
server string = somass
username map = /etc/samba/smbusers
# once this is working change log level to 1
log level = 5
log file = /var/samba/log/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
preferred master = No
winbind trusted domains only = no
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = Yes
dns proxy = No
###################################### printing cups disable ############
load printers = no
#printing =
printcap name = /dev/null
disable spoolss = yes
Then create the smb.conf
# testparm -s /etc/samba/smb.master > /etc/samba/smb.conf
If you want to only allow a list of users use pam security. Otherwise any AD user can login into the system. Also works with AD groups. No need for a winbind separator or domain. Just type the AD group name on the list.
#vi /etc/security/pam_winbind.conf
#
[global]
# request a cached login if possible
# (needs "winbind offline logon = yes" in smb.conf)
cached_login = yes
#debug = yes
require_membership_of =joe, rolando
#Authomatically create home dir
mkhomedir = yes
create kerberos config file
#vi /etc/krb5/krb5.conf
[libdefaults]
ticket_lifetime = 24000
default_realm = DOMAIN.CA
#default_tgs_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
# default_tkt_enctypes = RC4-HMAC DES-CBC-MD5 DES-CBC-CRC
default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
permitted_enctypes = AES256-CTS-HMAC-SHA1-96 AES128-CTS-HMAC-SHA1-96 RC4-HMAC
allow_weak_crypto = true
# dns_lookup_realm = true
# dns_lookup_kdc = true
[realms]
DOMAIN = {
kdc = xx.xx.xx.xx
kdc = xx.xx.xx.xx
admin_server = xx.xx.xx.xx
}
[domain_realm]
.domain.ca= DOMAIN.CA
domain.ca= DOMAIN.CA
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
same for all OS but solaris gives a warning, check wiht klist to see if ticket was created
# kinit admin-user-in-ad@DOAMIN.CA
JOin domain same for all OS
# net join -w DOMAIN -U admin-user-in-ad
Enter admin-user-in-ad's password:
Using short domain name -- DOMAIN
Joined 'SOMASS' to dns domain 'DOMAIN'
configure PAM for SSO
#cp /etc/pam.conf-winbind /etc/pam.conf
note and modify the lines with pam_winbind.so.1 only
#vi /etc/pam.conf
#
login auth sufficient pam_winbind.so.1 try_first_pass
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
#login auth sufficient pam_krb5.so.1
login auth binding pam_unix_auth.so.1 server_policy
login auth required pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
#rlogin auth sufficient pam_winbind.so.1 try_first_pass
rlogin auth required pam_unix_auth.so.1
#
#
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
#rsh auth sufficient pam_winbind.so.1 try_first_pass
#
# Kerberized rsh service
#
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
#
#
gdm-autologin auth required pam_unix_cred.so.1
gdm-autologin auth sufficient pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth sufficient pam_winbind.so.1 try_first_pass
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
#other auth sufficient pam_krb5.so.1
other auth required pam_unix_auth.so.1
#
#
passwd auth binding pam_passwd_auth.so.1 server_policy
cron account required pam_unix_account.so.1
cups account required pam_unix_account.so.1
gdm-autologin account sufficient pam_allow.so.1
#
other account sufficient pam_winbind.so.1 try_first_pass
other account requisite pam_roles.so.1
other account binding pam_unix_account.so.1 server_policy
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
other session sufficient pam_winbind.so.1 try_first_pass
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1 force_check
#other password sufficient pam_winbind.so.1 try_first_pass
other password required pam_authtok_store.so.1
other account sufficient pam_ldap.so.1
enable services for samba
#svcadm enable winbind samba
# svcs winbind samba swat wins
STATE STIME FMRI
disabled Dec_03 svc:/network/swat:default
disabled Dec_03 svc:/network/wins:default
online 14:41:00 svc:/network/samba:default
online 14:41:01 svc:/network/winbind:default
Check you see all the AD groups and Users
# wbinfo -g
# wbinfo -i "user"
add AD users to sudoers
#vi /etc/sudoers
User_Alias CHIS = joe,rolando
CHIS ALL=(ALL) ALL
%AD-GROUP ALL=(ALL) ALL
test by login with AD user and sudo commands
Monitor your server with nagios