0 Replies. Latest reply: Mar 30, 2011 7:15 PM by 851764

LDAP Problem during Kerberos setting for Win server 03 Active Directory

851764 Newbie
Hi, FYI, I'm new to Solaris.

I'm trying to use Kerberos to authenticate an LDAP client against Active Directory on Windows Server 2003, on both Solaris 10 5/08 and Solaris 10 9/10, by following the PDF below:

http://www.sun.com/bigadmin/features/articles/kerberos_s10.pdf

Everything runs fine; I can even do an LDAP search for the user created in Active Directory. The following is the result:

-----
# ldapsearch -h w2k3adsoltest.adsol.test.com -b "cn=users,dc=adsol,dc=test,dc=com" -o mech=gssapi -o authzid='' "cn=just a test"

version: 1
dn: CN=just a test,CN=Users,DC=ADSOL,DC=TEST,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: just a test
sn: test
givenName: just a
distinguishedName: CN=just a test,CN=Users,DC=ADSOL,DC=TEST,DC=COM
instanceType: 4
whenCreated: 20110331013253.0Z
whenChanged: 20110331013254.0Z
displayName: just a test
uSNCreated: 28689
uSNChanged: 28695
name: just a test
objectGUID:: M0SbXPO8Z0yqgXWUjLE2wA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 129460087738281250
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAANtggK1yqWWT5N+pNWwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: test
sAMAccountType: 805306368
userPrincipalName: test@ADSOL.TEST.COM
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ADSOL,DC=TEST,DC=COM

-----
Referring to page 17 of the manual mentioned above, this command runs and gives the expected result:

# dig w2k3adsoltest.adsol.test.com +short
192.168.1.1

but

# dig -x 192.168.1.1 +short
;; connection timed out; no servers could be reached

-----

After that I tried to configure the client profile manually:

# ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=sasl/gssapi \
-a defaultSearchBase=dc=adsol,dc=test,dc=com \
-a domainName=adsol.test.com \
-a defaultServerList=192.168.1.1 \
-a attributeMap=group:userpassword=msSFU30Password \
-a attributeMap=group:memberuid=msSFU30MemberUid \
-a attributeMap=group:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:gecos=msSFU30Gecos \
-a attributeMap=passwd:gidnumber=msSFU30GidNumber \
-a attributeMap=passwd:uidnumber=msSFU30UidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=msSFU30HomeDirectory \
-a attributeMap=passwd:loginshell=msSFU30LoginShell \
-a attributeMap=shadow:shadowflag=msSFU30ShadowFlag \
-a attributeMap=shadow:userpassword=msSFU30Password \
-a attributeMap=shadow:uid=sAMAccountName \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor=passwd:cn=users,DC=adsol,DC=test,DC=com?one \
-a serviceSearchDescriptor=group:cn=users,DC=adsol,DC=test,DC=com?one

-----
The output:

Parsing credentialLevel=self
Parsing authenticationMethod=sasl/gssapi
Parsing defaultSearchBase=dc=adsol,dc=test,dc=com
Parsing domainName=adsol.test.com
Parsing defaultServerList=192.168.1.1
Parsing attributeMap=group:userpassword=msSFU30Password
Parsing attributeMap=group:memberuid=msSFU30MemberUid
Parsing attributeMap=group:gidnumber=msSFU30GidNumber
Parsing attributeMap=passwd:gecos=msSFU30Gecos
Parsing attributeMap=passwd:gidnumber=msSFU30GidNumber
Parsing attributeMap=passwd:uidnumber=msSFU30UidNumber
Parsing attributeMap=passwd:uid=sAMAccountName
Parsing attributeMap=passwd:homedirectory=msSFU30HomeDirectory
Parsing attributeMap=passwd:loginshell=msSFU30LoginShell
Parsing attributeMap=shadow:shadowflag=msSFU30ShadowFlag
Parsing attributeMap=shadow:userpassword=msSFU30Password
Parsing attributeMap=shadow:uid=sAMAccountName
Parsing objectClassMap=group:posixGroup=group
Parsing objectClassMap=passwd:posixAccount=user
Parsing objectClassMap=shadow:shadowAccount=user
Parsing serviceSearchDescriptor=passwd:cn=users,DC=adsol,DC=test,DC=com?one
Parsing serviceSearchDescriptor=group:cn=users,DC=adsol,DC=test,DC=com?one
Arguments parsed:
authenticationMethod: sasl/gssapi
defaultSearchBase: dc=adsol,dc=test,dc=com
credentialLevel: self
domainName: adsol.test.com
objectclassMap:
arg[0]: group:posixGroup=group
arg[1]: passwd:posixAccount=user
arg[2]: shadow:shadowAccount=user
attributeMap:
arg[0]: group:userpassword=msSFU30Password
arg[1]: group:memberuid=msSFU30MemberUid
arg[2]: group:gidnumber=msSFU30GidNumber
arg[3]: passwd:gecos=msSFU30Gecos
arg[4]: passwd:gidnumber=msSFU30GidNumber
arg[5]: passwd:uidnumber=msSFU30UidNumber
arg[6]: passwd:uid=sAMAccountName
arg[7]: passwd:homedirectory=msSFU30HomeDirectory
arg[8]: passwd:loginshell=msSFU30LoginShell
arg[9]: shadow:shadowflag=msSFU30ShadowFlag
arg[10]: shadow:userpassword=msSFU30Password
arg[11]: shadow:uid=sAMAccountName
serviceSearchDescriptor:
arg[0]: passwd:cn=users,DC=adsol,DC=test,DC=com?one
arg[1]: group:cn=users,DC=adsol,DC=test,DC=com?one
defaultServerList: 192.168.1.1
Handling manual option
Proxy DN: NULL
Proxy password: NULL
Credential level: 2
Authentication method: 2
No proxyDN/proxyPassword required
About to modify this machines configuration by writing the files
Stopping network services
sendmail not running
nscd not running
autofs not running
ldap not running
nisd not running
nis(yp) not running
file_backup: stat(/etc/nsswitch.conf)=0
file_backup: (/etc/nsswitch.conf -> /var/ldap/restore/nsswitch.conf)
file_backup: stat(/etc/defaultdomain)=0
file_backup: (/etc/defaultdomain -> /var/ldap/restore/defaultdomain)
file_backup: stat(/var/nis/NIS_COLD_START)=-1
file_backup: No /var/nis/NIS_COLD_START file.
file_backup: nis domain is "adsol.test.com"
file_backup: stat(/var/yp/binding/adsol.test.com)=-1
file_backup: No /var/yp/binding/adsol.test.com directory.
file_backup: stat(/var/ldap/ldap_client_file)=-1
file_backup: No /var/ldap/ldap_client_file file.
Starting network services
start: /usr/bin/domainname adsol.test.com... success
start: DNS client is enabled
start: sleep 100000 microseconds
start: sleep 200000 microseconds
start: network/ldap/client:default... success
start: Error: sasl/GSSAPI bind is not working. Abort.
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: sleep 400000 microseconds
restart: sleep 800000 microseconds
restart: milestone/name-services:default... success
Error resetting system.
Recovering old system settings.
Stopping network services
sendmail not running
nscd not running
autofs not running
Stopping ldap
stop: sleep 100000 microseconds
stop: sleep 200000 microseconds
stop: sleep 400000 microseconds
stop: network/ldap/client:default... success
nisd not running
nis(yp) not running
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: open(/var/ldap/restore/defaultdomain)
recover: read(/var/ldap/restore/defaultdomain)
recover: old domainname "adsol.test.com"
recover: stat(/var/ldap/restore/ldap_client_file)=-1
recover: stat(/var/ldap/restore/ldap_client_cred)=-1
recover: stat(/var/ldap/restore/NIS_COLD_START)=-1
recover: stat(/var/ldap/restore/adsol.test.com)=-1
recover: stat(/var/ldap/restore/nsswitch.conf)=0
recover: file_move(/var/ldap/restore/nsswitch.conf, /etc/nsswitch.conf)=0
recover: stat(/var/ldap/restore/defaultdomain)=0
recover: file_move(/var/ldap/restore/defaultdomain, /etc/defaultdomain)=0
Starting network services
start: /usr/bin/domainname adsol.test.com... success
restart: sleep 100000 microseconds
restart: sleep 200000 microseconds
restart: milestone/name-services:default... success

-----

Restart the LDAP Client:
# svcadm restart svc:/network/ldap/client:default

List the LDAP Client cache:
# ldapclient list

Cannot get print configuration
Unable to open filename '/var/ldap/ldap_client_file' for reading (errno=2).

Can someone tell me what happened? Am I missing something?

Thank you~
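A pre-flight script for the setup described in this post, added here as an example and not part of the original post or of Sun's manual. It checks the things the post's steps depend on before ldapclient is run: the forward lookup, the reverse lookup, that the PTR answer names the configured host (a GSSAPI bind to an address has to map that address back to a host name to form the ldap/<fqdn> service principal), that a Kerberos ticket exists, and that the same GSSAPI ldapsearch the post shows working still works against the PTR-derived name. Host names, the address and the search base are taken from the post; dig, klist and ldapsearch on PATH are assumed.

```shell
#!/bin/sh
# Pre-flight checks for a Solaris LDAP client binding to an AD DC via sasl/gssapi.
# Added example; values below come from the post, not from a real deployment.

AD_HOST=w2k3adsoltest.adsol.test.com   # from the post
AD_ADDR=192.168.1.1                    # from the post
SEARCH_BASE="cn=users,dc=adsol,dc=test,dc=com"

# Normalise a name as dig prints it: drop the trailing dot, lower-case it.
norm_name() {
    printf '%s' "$1" | sed 's/\.$//' | tr 'A-Z' 'a-z'
}

# Return 0 only when the PTR answer ($2) is non-empty and names host $1.
names_agree() {
    _want=$(norm_name "$1"); _got=$(norm_name "$2")
    [ -n "$_got" ] && [ "$_want" = "$_got" ]
}

# Classify dig +short output: "ok", "empty" (no record) or "timeout".
dig_status() {
    case "$1" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        "") echo empty ;;
        *) echo ok ;;
    esac
}

preflight() {
    fwd=$(dig "$AD_HOST" +short 2>&1)
    echo "forward: $AD_HOST -> $fwd ($(dig_status "$fwd"))"
    [ "$fwd" = "$AD_ADDR" ] || { echo "forward lookup does not give $AD_ADDR"; return 1; }

    rev=$(dig -x "$AD_ADDR" +short 2>&1)
    echo "reverse: $AD_ADDR -> $rev ($(dig_status "$rev"))"
    names_agree "$AD_HOST" "$rev" || { echo "PTR missing or mismatched; fix reverse DNS before ldapclient init"; return 1; }

    klist >/dev/null 2>&1 || { echo "no Kerberos credential cache; run kinit first"; return 1; }

    # Same bind the post shows working, but against the name the PTR returned.
    ldapsearch -h "$(norm_name "$rev")" -b "$SEARCH_BASE" -o mech=gssapi -o authzid='' \
        "sAMAccountName=test" dn >/dev/null 2>&1 || { echo "GSSAPI bind failed"; return 1; }
    echo "all checks passed"
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `--run` on the client before `ldapclient manual`; it stops at the first failing prerequisite, which for the output shown above would be the reverse lookup.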
