0 Replies Latest reply: Mar 30, 2011 9:15 PM by 851764

    LDAP Problem during Kerberos setting for Win server 03 Active Directory

    851764
      Hi, FYI, I'm new to Solaris.

      I'm trying to use Kerberos to authenticate an LDAP client with Active Directory on Windows Server 2003, on both Solaris 10 5/08 and Solaris 10 9/10, by referring to the PDF file below:

      http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf

      Everything runs fine; I can even do an LDAP search for the user created in Active Directory. The following is the result:

      -----
      # ldapsearch -h w2k3adsoltest.adsol.test.com -b "cn=users,dc=adsol,dc=test,dc=com" -o mech=gssapi -o authzid='' "cn=just a test"

      version: 1
      dn: CN=just a test,CN=Users,DC=ADSOL,DC=TEST,DC=COM
      objectClass: top
      objectClass: person
      objectClass: organizationalPerson
      objectClass: user
      cn: just a test
      sn: test
      givenName: just a
      distinguishedName: CN=just a test,CN=Users,DC=ADSOL,DC=TEST,DC=COM
      instanceType: 4
      whenCreated: 20110331013253.0Z
      whenChanged: 20110331013254.0Z
      displayName: just a test
      uSNCreated: 28689
      uSNChanged: 28695
      name: just a test
      objectGUID:: M0SbXPO8Z0yqgXWUjLE2wA==
      userAccountControl: 66048
      badPwdCount: 0
      codePage: 0
      countryCode: 0
      badPasswordTime: 0
      lastLogoff: 0
      lastLogon: 0
      pwdLastSet: 129460087738281250
      primaryGroupID: 513
      objectSid:: AQUAAAAAAAUVAAAANtggK1yqWWT5N+pNWwQAAA==
      accountExpires: 9223372036854775807
      logonCount: 0
      sAMAccountName: test
      sAMAccountType: 805306368
      userPrincipalName: test@ADSOL.TEST.COM
      objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ADSOL,DC=TEST,DC=COM

      -----
      Referring to page 17 of the mentioned manual,

      this command is able to run and gets the expected result:

      # dig w2k3adsoltest.adsol.test.com +short
      192.168.1.1

      but:

      # dig -x 192.168.1.1 +short
      ;; connection timed out; no servers could be reached

      -----

      After that I tried to configure the client profile manually:

      # ldapclient -v manual \
      -a credentialLevel=self \
      -a authenticationMethod=sasl/gssapi \
      -a defaultSearchBase=dc=adsol,dc=test,dc=com \
      -a domainName=adsol.test.com \
      -a defaultServerList=192.168.1.1 \
      -a attributeMap=group:userpassword=msSFU30Password \
      -a attributeMap=group:memberuid=msSFU30MemberUid \
      -a attributeMap=group:gidnumber=msSFU30GidNumber \
      -a attributeMap=passwd:gecos=msSFU30Gecos \
      -a attributeMap=passwd:gidnumber=msSFU30GidNumber \
      -a attributeMap=passwd:uidnumber=msSFU30UidNumber \
      -a attributeMap=passwd:uid=sAMAccountName \
      -a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
      -a attributeMap=passwd:loginshell=msSFU30LoginShell \
      -a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
      -a attributeMap=shadow:userpassword=msSFU30Password \
      -a attributeMap=shadow:uid=sAMAccountName \
      -a objectClassMap=group:posixGroup=group \
      -a objectClassMap=passwd:posixAccount=user \
      -a objectClassMap=shadow:shadowAccount=user \
      -a serviceSearchDescriptor=passwd:cn=users,DC=adsol,DC=test,DC=com?one \
      -a serviceSearchDescriptor=group:cn=users,DC=adsol,DC=test,DC=com?one

      -----
      The output:


      Parsing credentialLevel=self
      Parsing authenticationMethod=sasl/gssapi
      Parsing defaultSearchBase=dc=adsol,dc=test,dc=com
      Parsing domainName=adsol.test.com
      Parsing defaultServerList=192.168.1.1
      Parsing attributeMap=group:userpassword=msSFU30Password
      Parsing attributeMap=group:memberuid=msSFU30MemberUid
      Parsing attributeMap=group:gidnumber=msSFU30GidNumber
      Parsing attributeMap=passwd:gecos=msSFU30Gecos
      Parsing attributeMap=passwd:gidnumber=msSFU30GidNumber
      Parsing attributeMap=passwd:uidnumber=msSFU30UidNumber
      Parsing attributeMap=passwd:uid=sAMAccountName
      Parsing attributeMap=passwd:homedirectory=msSFU30HomeDirectory
      Parsing attributeMap=passwd:loginshell=msSFU30LoginShell
      Parsing attributeMap=shadow:shadowflag=msSFU30ShadowFlag
      Parsing attributeMap=shadow:userpassword=msSFU30Password
      Parsing attributeMap=shadow:uid=sAMAccountName
      Parsing objectClassMap=group:posixGroup=group
      Parsing objectClassMap=passwd:posixAccount=user
      Parsing objectClassMap=shadow:shadowAccount=user
      Parsing serviceSearchDescriptor=passwd:cn=users,DC=adsol,DC=test,DC=com?one
      Parsing serviceSearchDescriptor=group:cn=users,DC=adsol,DC=test,DC=com?one
      Arguments parsed:
      authenticationMethod: sasl/gssapi
      defaultSearchBase: dc=adsol,dc=test,dc=com
      credentialLevel: self
      domainName: adsol.test.com
      objectclassMap:
      arg[0]: group:posixGroup=group
      arg[1]: passwd:posixAccount=user
      arg[2]: shadow:shadowAccount=user
      attributeMap:
      arg[0]: group:userpassword=msSFU30Password
      arg[1]: group:memberuid=msSFU30MemberUid
      arg[2]: group:gidnumber=msSFU30GidNumber
      arg[3]: passwd:gecos=msSFU30Gecos
      arg[4]: passwd:gidnumber=msSFU30GidNumber
      arg[5]: passwd:uidnumber=msSFU30UidNumber
      arg[6]: passwd:uid=sAMAccountName
      arg[7]: passwd:homedirectory=msSFU30HomeDirectory
      arg[8]: passwd:loginshell=msSFU30LoginShell
      arg[9]: shadow:shadowflag=msSFU30ShadowFlag
      arg[10]: shadow:userpassword=msSFU30Password
      arg[11]: shadow:uid=sAMAccountName
      serviceSearchDescriptor:
      arg[0]: passwd:cn=users,DC=adsol,DC=test,DC=com?one
      arg[1]: group:cn=users,DC=adsol,DC=test,DC=com?one
      defaultServerList: 192.168.1.1
      Handling manual option
      Proxy DN: NULL
      Proxy password: NULL
      Credential level: 2
      Authentication method: 2
      No proxyDN/proxyPassword required
      About to modify this machines configuration by writing the files
      Stopping network services
      sendmail not running
      nscd not running
      autofs not running
      ldap not running
      nisd not running
      nis(yp) not running
      file_backup: stat(/etc/nsswitch.conf)=0
      file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
      file_backup: stat(/etc/defaultdomain)=0
      file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
      file_backup: stat(/var/nis/NIS_COLD_START)=-1
      file_backup: No /var/nis/NIS_COLD_START file.
      file_backup: nis domain is "adsol.test.com"
      file_backup: stat(/var/yp/binding/adsol.test.com)=-1
      file_backup: No /var/yp/binding/adsol.test.com directory.
      file_backup: stat(/var/ldap/ldap_client_file)=-1
      file_backup: No /var/ldap/ldap_client_file file.
      Starting network services
      start: /usr/bin/domainname adsol.test.com... success
      start: DNS client is enabled
      start: sleep 100000 microseconds
      start: sleep 200000 microseconds
      start: network/ldap/client:default... success
      start: Error: sasl/GSSAPI bind is not working. Abort.
      restart: sleep 100000 microseconds
      restart: sleep 200000 microseconds
      restart: sleep 400000 microseconds
      restart: sleep 800000 microseconds
      restart: milestone/name-services:default... success
      Error resetting system.
      Recovering old system settings.
      Stopping network services
      sendmail not running
      nscd not running
      autofs not running
      Stopping ldap
      stop: sleep 100000 microseconds
      stop: sleep 200000 microseconds
      stop: sleep 400000 microseconds
      stop: network/ldap/client:default... success
      nisd not running
      nis(yp) not running
      recover: stat(/var/ldap/restore/defaultdomain)=0
      recover: open(/var/ldap/restore/defaultdomain)
      recover: read(/var/ldap/restore/defaultdomain)
      recover: old domainname "adsol.test.com"
      recover: stat(/var/ldap/restore/ldap_client_file)=-1
      recover: stat(/var/ldap/restore/ldap_client_cred)=-1
      recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
      recover: stat(/var/ldap/restore/adsol.test.com)=-1
      recover: stat(/var/ldap/restore/nsswitch.conf)=0
      recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
      recover: stat(/var/ldap/restore/defaultdomain)=0
      recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
      Starting network services
      start: /usr/bin/domainname adsol.test.com... success
      restart: sleep 100000 microseconds
      restart: sleep 200000 microseconds
      restart: milestone/name-services:default... success

      -----

      Restart the LDAP Client:
      # svcadm restart svc:/network/ldap/client:default

      List the LDAP Client cache:
      # ldapclient list

      Cannot get print configuration
      Unable to open filename '/var/ldap/ldap_client_file' for reading (errno=2).

      Can someone tell me what happened? Am I missing something?

      Thank you~
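Added example (not part of the original post, and not code from the Sun guide or from Solaris): a small offline preflight checker for the failure pattern shown above, where the forward lookup of the AD server works, the reverse lookup (`dig -x`) times out, and `ldapclient -v manual` then aborts with "sasl/GSSAPI bind is not working". The checks assume, as the guide's `dig -x` step on page 17 implies, that the client derives the LDAP server's FQDN from a reverse lookup of the address given in `defaultServerList` in order to request the service ticket `ldap/<fqdn>@<REALM>`. The DNS table, the resolver functions and the log excerpt are constructed from the values in the post so the script runs without network access; `lookup`, `lookup_fixed`, `expected_spn`, `preflight` and `failed_step` are names chosen for this example.

```python
"""Preflight checks for a Solaris ldapclient sasl/gssapi (Kerberos) setup.

Constructed example: the DNS data below mirrors the post (A record present,
PTR record missing) and the resolver is injected so everything runs offline.
"""
import re
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]

# Constructed zone data matching the post: forward lookup works, reverse does not.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "w2k3adsoltest.adsol.test.com": "192.168.1.1",  # A record (dig +short answered)
    "1.1.168.192.in-addr.arpa": None,               # PTR missing (dig -x timed out)
}

# Same zone with the PTR record added, i.e. what the guide's page 17 check expects.
FIXED_DNS: Dict[str, Optional[str]] = dict(
    SAMPLE_DNS, **{"1.1.168.192.in-addr.arpa": "w2k3adsoltest.adsol.test.com"}
)


def lookup(name: str) -> Optional[str]:
    """Resolver over the broken (constructed) zone."""
    return SAMPLE_DNS.get(name)


def lookup_fixed(name: str) -> Optional[str]:
    """Resolver over the repaired (constructed) zone."""
    return FIXED_DNS.get(name)


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name that `dig -x <ip>` queries for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def expected_spn(server_ip: str, domain: str, resolver: Resolver) -> Optional[str]:
    """Service principal a GSSAPI LDAP bind asks the KDC for: ldap/<fqdn>@<REALM>.

    defaultServerList holds only an IP, so the FQDN has to come from a PTR
    record (assumption, see lead-in). Returns None when no PTR exists.
    """
    fqdn = resolver(reverse_name(server_ip))
    if fqdn is None:
        return None
    return f"ldap/{fqdn}@{domain.upper()}"


def preflight(server_ip: str, server_fqdn: str, domain: str,
              resolver: Resolver) -> List[str]:
    """Return a list of problems; an empty list means both lookups are consistent."""
    problems: List[str] = []
    forward = resolver(server_fqdn)
    if forward != server_ip:
        problems.append(
            f"forward lookup of {server_fqdn} returned {forward!r}, expected {server_ip}")
    ptr = resolver(reverse_name(server_ip))
    if ptr is None:
        problems.append(
            f"no PTR record for {server_ip}; the client cannot build "
            f"ldap/<fqdn>@{domain.upper()} for the GSSAPI bind")
    elif ptr != server_fqdn:
        problems.append(
            f"PTR for {server_ip} is {ptr!r}, which does not match {server_fqdn}")
    return problems


# Excerpt of the `ldapclient -v manual` output quoted in the post.
LDAPCLIENT_LOG = """\
start: DNS client is enabled
start: network/ldap/client:default... success
start: Error: sasl/GSSAPI bind is not working. Abort.
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
"""


def failed_step(log: str) -> Optional[str]:
    """Extract the first 'start/stop/restart: Error: ...' message from ldapclient -v output."""
    for line in log.splitlines():
        match = re.match(r"\s*(?:start|restart|stop): Error: (.+)$", line)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    for name, resolver in (("broken zone", lookup), ("fixed zone", lookup_fixed)):
        issues = preflight("192.168.1.1", "w2k3adsoltest.adsol.test.com",
                           "adsol.test.com", resolver)
        print(f"{name}: SPN={expected_spn('192.168.1.1', 'adsol.test.com', resolver)}")
        for issue in issues:
            print("  problem:", issue)
    print("ldapclient failed at:", failed_step(LDAPCLIENT_LOG))
```

Running it prints no service principal and one problem for the broken zone, the full `ldap/w2k3adsoltest.adsol.test.com@ADSOL.TEST.COM` principal for the repaired zone, and the `sasl/GSSAPI bind is not working. Abort.` line as the step at which `ldapclient` rolled the system back. Against a live system the `resolver` argument would be replaced with a real DNS query, but the decision logic is the same: until `dig -x` on the `defaultServerList` address returns the server's FQDN, the GSSAPI bind has nothing to request a ticket for.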