2007-04-12 Security Link of The Day:
By Darren Moffat-Oracle on Apr 12, 2007
At the London OpenSolaris User Group meeting after the recent London Sun Tech Days event there were a few people asking questions about Solaris and Microsoft Windows interoperability. I stepped up to the plate to answer these, since mostly they were around Active Directory interoperability and in a former job at Sun I did my fair share of name services related work; also, a lot of the integration work that is being done is based on lining up the security/authentication protocols between Solaris and Active Directory, so even though I'm not actively working on it I have been in regular contact with the developers who are.

One of the biggest favours I personally think Microsoft did the security community was choosing to use Kerberos as a core part of the security layers in Active Directory, particularly now that the PAC data format is documented. The Solaris Kerberos development team did a lot of work getting the base Kerberos functionality in Solaris to work better with Windows, by ensuring that cipher suites lined up, that password change works and that, like Windows, we can look in DNS to find the KDC and REALM information.
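The DNS lookup mentioned above is done through SRV records (`_kerberos._tcp.<REALM>`, `_kpasswd._tcp.<REALM>`) ordered by RFC 2782 priority and weight. The following is an added illustration, not Solaris or Microsoft code; the realm name, hosts and records are constructed sample data, and the `_kerberos.<host>` TXT lookup for the realm is the MIT-style convention, assumed here rather than taken from the post.

```python
"""Locate a Kerberos KDC and realm the way a DNS-aware client does.

The SRV and TXT answers below are constructed samples standing in for
a real resolver; swap the `lookup` callables for a DNS library to use live.
"""
import random

# Constructed SRV answers: query name -> [(priority, weight, port, target)].
SAMPLE_SRV = {
    "_kerberos._tcp.EXAMPLE.COM": [
        (0, 100, 88, "dc1.example.com"),
        (0, 50, 88, "dc2.example.com"),
        (10, 0, 88, "dc-backup.example.com"),   # only used if priority 0 fails
    ],
    "_kpasswd._tcp.EXAMPLE.COM": [(0, 0, 464, "dc1.example.com")],
}
# Constructed TXT answers mapping a DNS domain to its Kerberos realm (MIT convention).
SAMPLE_TXT = {"_kerberos.example.com": "EXAMPLE.COM"}


def srv_query_name(realm, service="kerberos", proto="tcp"):
    """Owner name a client queries for a Kerberos service in a realm."""
    return f"_{service}._{proto}.{realm.upper()}"


def order_srv(records, rng):
    """Order SRV records per RFC 2782: ascending priority, weighted random within it."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r[1]
                if running >= pick:          # first record whose running sum reaches pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def locate_kdcs(realm, service="kerberos", lookup=SAMPLE_SRV.get, rng=None):
    """Return (host, port) candidates for the realm's service in the order to try them."""
    records = lookup(srv_query_name(realm, service)) or []
    return [(t, p) for _pr, _w, p, t in order_srv(records, rng or random.Random(0))]


def realm_for_host(fqdn, lookup=SAMPLE_TXT.get):
    """Walk up the host's domain labels looking for a _kerberos TXT realm record."""
    labels = fqdn.lower().split(".")
    for i in range(len(labels)):
        realm = lookup("_kerberos." + ".".join(labels[i:]))
        if realm:
            return realm
    return None
```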
Just having working Kerberos is not enough for most people; in many cases what they really need is for their Solaris machine to "appear" to Active Directory "just like a Windows XP" machine would. That means that Solaris has to use LDAP as the name service. Well, that's easy, you say, Solaris 8 supported that. Not so fast! It's all about the schema and how it is used.
There are a few OpenSolaris projects that are working specifically on the name service client side of Solaris to make it a better Active Directory client. Those projects are: Sparks, Reno, Duckwater and Winchester. The Sparks project page has a good technical overview diagram of how it all fits together. Some of these have delivered all or part of their functionality to OpenSolaris already, but the full picture is still in development. I look forward to the day when I can post here "It just works"; in the meantime hold on in there, "we" are working on it!

- Darren