Using Kerberos to Authenticate a LDAP Client for Solaris 10 OS


Find out how to configure a Solaris client to use Active Directory in Microsoft Windows Server 2003 for authentication and naming services. This article has lots of code examples for you.

Please note: This configuration uses a shell script called adjoin.sh to automate the process of joining the Solaris client to the Active Directory domain and configures Kerberos on the client. This script is not supported by Sun and is not part of the Solaris distribution. (See the "For More Information" section of the article for information about downloading the adjoin script.)

THE SOLUTION DESCRIBED IN THIS PAPER SHOULD BE TREATED AS PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRODUCTION. 

Comments:

The article is great, but I still have some problems. I hope anyone who follows along with the instructions can give me advice on how to fix it.

On page 13, when using the ./adjoin -f command, I got an error in the result. Here is the output:

(...)
Setting the password/keys of machine account
Result: Authentication error(3)
KVNO:1
....

The rest of the output looks the same as in the article.

Why am I getting "Authentication error(3)"?

Posted by Van Hoang on April 08, 2008 at 09:40 AM PDT #

Thanks for your comment. I am the editor who does the blog entries, but I can't help with the question. I'll send it along to the authors of the Kerberos article and I'll post any info they send me.
Bye!

Posted by dogmother on April 08, 2008 at 09:46 AM PDT #

Are you using Windows 2008 or Longhorn server? If so, then see "Issues" in the README file that's in the adjoin tarball. I've cut and pasted it below. You'll need to update line 765 in the adjoin script as follows:

** Issues:
1. To use this script with Windows 2008 server, remove "@${realm}" from the userPrincipalName otherwise you'll get Authentication error
# diff adjoin.win2k3 adjoin.longhorn
765c765
< userPrincipalName:host/${fqdn}@${realm}
---
> userPrincipalName: host/${fqdn}
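Review bot: The `>` line changes two things, not one: besides dropping `@${realm}` it also inserts a space after the colon (`userPrincipalName: host/${fqdn}`), which is the usual LDIF attribute-value separator, so anyone editing line 765 by hand should copy the whole replacement line rather than only deleting the realm suffix. Note also that the README scopes this change to Windows 2008 server.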

Posted by Baban Kenkre on April 08, 2008 at 03:27 PM PDT #
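As an added example (not from the adjoin tarball, its README, or any commenter), here is a small POSIX shell script that applies the line-765 change from the README to a copy of adjoin and refuses to run unless the original line is found exactly once; the file it patches is a constructed stand-in, not the real adjoin script.

```shell
#!/bin/sh
# Added example, not part of the adjoin tarball or its README: apply the
# README's Windows 2008 fix (drop "@${realm}" from the userPrincipalName
# line, which also gains the LDIF space after the colon) to a copy of
# adjoin, and fail cleanly if the expected line is not found exactly once.

OLD_UPN='userPrincipalName:host/${fqdn}@${realm}'
NEW_UPN='userPrincipalName: host/${fqdn}'

# Constructed stand-in for the adjoin script: only the line the README
# refers to plus a neighbouring placeholder line, not the real file.
make_sample() {
  printf '%s\n' '# constructed neighbouring line' "$OLD_UPN" > "$1"
}

# Print the current userPrincipalName line of the script given as $1.
upn_line() {
  grep '^userPrincipalName' "$1"
}

# Rewrite the UPN line in place. Returns 1 (and changes nothing) unless the
# original line occurs exactly once, so an already patched script or a
# different adjoin version is reported instead of silently modified.
fix_upn() {
  f="$1"
  n=$(grep -F -c "$OLD_UPN" "$f" || true)
  if [ "$n" -ne 1 ]; then
    echo "fix_upn: expected 1 match for the old UPN line, found $n" >&2
    return 1
  fi
  # '$' is escaped so sed treats it literally; braces are literal in BRE.
  old_re='userPrincipalName:host/\${fqdn}@\${realm}'
  sed "s|$old_re|$NEW_UPN|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  grep -F -q "$NEW_UPN" "$f"
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo() {
  t=$(mktemp) || return 1
  make_sample "$t"
  fix_upn "$t" && upn_line "$t"
  rm -f "$t"
}
demo
```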

No, I have Windows Server 2003 R2 with SP2. I'm very interested in this article because the adjoin script will save me a lot of time joining Solaris hosts to AD and creating the krb5.conf and krb5.keytab files.

Actually, I successfully configured my Solaris 10 8/7 to authenticate with Windows Server 2003 R2 SP2 with SSL. When I saw this article, I went over all the steps again and again, but I'm not able to make it work as in the article.

I may need to twist mine and this article to make it better. I'll look into the script as you indicated. Thanks for the advice.

Posted by Van Hoang on April 08, 2008 at 04:17 PM PDT #

I'm trying to run this against a Windows 2008 KDC and am having a problem setting the account password.

Here is the error I get:

Setting the password/keys of the machine account
krb5_kt_register() failed (err=-1765328192)
Failed to set account password!

I am running 64-bit, so I thought maybe ksetpw was having an issue, but I can't seem to get it to recompile. I keep getting an error with:

`krb5_ktf_writable_ops' undeclared

I've already made the edit talked about in the README (although it still got this far even before that edit). Do I need to remove the @${realm} from the ksetpw command also? Any advice?

Posted by Chris Geer on April 17, 2008 at 07:08 AM PDT #

Hi. Thanks for writing. I will send your info along to the writers of the article. Bye!

Posted by dogmother on April 17, 2008 at 07:17 AM PDT #

Hi Chris. Which release of Solaris are you using?

If you are using Solaris 10 8/7, then try to compile ksetpw.c using 64-bit objects, i.e. "cc ksetpw.c -o ksetpw -R/usr/lib/64/gss /usr/lib/64/gss/mech_krb5.so".

If it is S10U5 or OpenSolaris, then you need a new version of ksetpw.c, which we will be posting shortly. Basically you need to remove from ksetpw.c "extern krb5_kt_ops krb5_ktf_writable_ops;" AND the call to "if ... krb5_kt_register ... { ... }", and compile using "cc ksetpw.c -o ksetpw -lkrb5".

Posted by Baban Kenkre on May 01, 2008 at 05:24 AM PDT #

A new version of the adjoin tool is available for Solaris 10 5/08 (S10U5) at http://opensolaris.org/os/project/winchester/files/adjoin-s10u5.tar.gz
This version contains an updated ksetpw source and binary which has been modified to run on Solaris 10 5/08. See the README file for more details. Note that the ksetpw.c source file in this version can also be used on OpenSolaris systems.

Posted by Baban Kenkre on May 01, 2008 at 09:49 AM PDT #

Per the authors, this configuration uses a shell script called adjoin.sh to automate the process of joining the Solaris client to the Active Directory domain and configures Kerberos on the client. This script is not supported by Sun and is not part of the Solaris distribution. (See the "For More Information" section of the article for information about downloading the adjoin script.)

THE SOLUTION DESCRIBED IN THIS PAPER SHOULD BE TREATED AS PROOF OF CONCEPT AND SHOULD NOT BE USED IN PRODUCTION.

Posted by dogmother on May 02, 2008 at 01:51 AM PDT #

While adjoin is not part of a supported product, it uses supported features of a supported product. You can use adjoin and get support for any problems you run into with Solaris 10 features -- we just don't offer support for bugs in adjoin, though, of course, we may well fix any such bugs anyways.

Posted by Nico on August 06, 2008 at 05:56 AM PDT #
