Network Security Focus-Sun

Re: Solaris 9 authentication and access control into Active Directory

Subject: Re: Solaris 9 authentication and access control into Active Directory
Date: Wed, 15 Sep 2004 09:22:25 -0400
From: "Ron Ogle" <ogler@tce.com>

1. Use Kerberos on Solaris 9 via PAM to authenticate to AD using the Windows username/password.

I've done that with vendor's implementation -- no code imported to system. There's a good Microsoft paper at

http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp

It's an awkward configuration and not much fun to set up. The trick is to implement a user within your Active Directory for the machine, set his password, then import that information to Unix. It works but I never got the password change figured out. I have some very rough notes here that I can share:

http://ist.uwaterloo.ca/security/howto/drafts/2002-08-23/

As others have mentioned there's PAM samba SMB integration. They work but the samba SMB authentication is case insensitive, requires that your DCs be configured to support legacy methods and I'm not convinced that it does any encryption of passwords. We've used this a lot but I am not at all happy with it.

Recently I've been using LDAP authentication. An Active Directory will let you bind to the UserPrincipalName (e.g. reggers@ads.uwaterloo.ca) -- you don't need to use the distinguished name. I've written a version of pam/ldap for Active Directory that builds on that ... I never found a PAM LDAP that did what I needed. In any case, while LDAP is case sensitive it's not encrypted. I nevertheless see it as a step forward from SMB.

I can share my work if anyone is interested. I rely on vendor libraries for the LDAP implementation. They work for me.

In all of the above I'm relying on a traditional password/group file and just using PAM for authentication.

2. Use LDAP through NSS to get /etc/passwd and /etc/group type data from AD.

That would require schema changes to the Active Directory and I'd not recommend that path. At the end of the day the uid/gid you're grabbing for Unix will have nothing to do with the Windows SIDs assigned to users and groups.

3. Use Solaris RBAC to group the Windows userids into roles that will manage the systems.

4. Have a very difficult root password (hopefully using MD5) on the local machine in case AD is not available. I will use this authentication only as a last resort.

We have a user "root" in our Active Directory. The userid is disabled so that no one can login using that id.

I'm not aware of a pam module that says "fail now" if userid root (to stop the stacking of PAM methods) but there's probably one around somewhere. It's not hard to write one.
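A minimal version of the "fail now if root" module described above, added here as an example and not code from this post or the list; the file name pam_deny_root and the function deny_root_login are assumed names of mine, and the PAM entry point assumes Linux-PAM headers and signatures (the policy check itself is plain C).

```c
/* pam_deny_root.c (hypothetical name): a tiny "fail now" PAM auth module.
 * Stacked first as "requisite", it ends the stack for root-equivalent
 * accounts so "root" is never forwarded to the LDAP/Kerberos/SMB modules.
 * Build (Linux-PAM): gcc -shared -fPIC -o pam_deny_root.so pam_deny_root.c
 * The policy check is plain C so it can be tested where PAM is absent. */
#include <pwd.h>
#include <string.h>
#include <stdlib.h>
#ifdef __has_include
#  if __has_include(<security/pam_modules.h>)
#    define HAVE_PAM_HEADERS 1
#  endif
#endif

/* Returns 1 when authentication must stop here: the name is "root", empty,
 * or the local passwd file maps it to uid 0 (a uid-0 alias). Any other
 * name, known or not, returns 0 and falls through to the modules below. */
int deny_root_login(const char *user)
{
    if (user == NULL || *user == '\0')
        return 1;
    if (strcmp(user, "root") == 0)
        return 1;
    struct passwd *pw = getpwnam(user);
    return (pw != NULL && pw->pw_uid == 0) ? 1 : 0;
}

#ifdef HAVE_PAM_HEADERS
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <security/pam_appl.h>
/* Linux-PAM signature (Solaris declares the user argument as char **).
 * PAM_AUTH_ERR stops a "requisite" stack at once; PAM_IGNORE leaves the
 * verdict to the modules stacked after this one. */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    const char *user = NULL;
    (void)flags; (void)argc; (void)argv;
    if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    return deny_root_login(user) ? PAM_AUTH_ERR : PAM_IGNORE;
}

int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)pamh; (void)flags; (void)argc; (void)argv;
    return PAM_SUCCESS;
}
#endif
```

List it as the first `auth requisite` line of the service in pam.conf, ahead of the LDAP, Kerberos or SMB module, so the directory is never asked about root and the local password remains the only way in for that account.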

From what I've read the MIT version of Kerberos works better with AD, but the Solaris SEAM version of Kerberos works better with Solaris. From someone who's been there, done that: MIT or SEAM?

The vendor provided stuff worked fine for me.

I've read the Microsoft document on integrating Unix into Windows 2003. They either have SFU or recommend purchasing VAS. I know that there is also PAM SMB authentication, but I don't believe that I want to do that.

Thanks
Ron Ogle
