Rick Butland wrote:
1. Make sure to use the URL of the form ad://domainname - not hostname,
and use the right userid format for binding, i.e. [EMAIL PROTECTED]
Actually did not have @domain after the username. Made the change, and
the error is the same. (Restarted SGD too just in case)
2. Run this query:
# nslookup -query=any _ldap._tcp.example.com
Server: 192.168.43.22
Address: 192.168.43.22#53
_ldap._tcp.example.com service = 0 100 389 ad01.example.com.
# nslookup -query=any _gc._tcp.example.com
Server: 192.168.43.22
Address: 192.168.43.22#53
_gc._tcp.example.com service = 0 100 3268 ad01.example.com.
3. Make sure you have appropriate reverse lookup zones, with PTR
records for each of your LDAP servers and SGD servers.
Check.
4. Test the Kerberos config with:
# kinit administrator
# kdestroy; sleep 1; kinit Administrator
Password for [EMAIL PROTECTED]:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
05/10/07 11:18:39 05/10/07 21:19:12 krbtgt/[EMAIL PROTECTED]
renew until 05/17/07 11:18:39
By the way, if you have support, by all means use it - no sense
suffering in silence. It does work, just AD is particularly cranky
about who it talks to, so
Our clients do, we're a reseller. Is an option, but preferably a last
resort.
Oh, and I've used Vintela Authentication Services a long time ago, and
recently set up a Solaris 10 authenticating to an R2 AD Catalog Server -
R2 adds the POSIX bits to AD, i.e. uid, gid, etc. that Unix users need.
Vintela and most others extend the schema as well, but I find it's far
easier to convince your AD administrators to allow Microsoft to extend
the AD schema, (in the form of "R2"), than some random hackers' script
you downloaded from the Internet. I wrote up my procedure if you'd
like to have a look at it, itself, uh, "borrowed" from multiple sources
.. :)
I've read:
http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/
Which sounds similar to what you're talking about. Would love to see yours
though. Actually that page is the only way I got the Kerberos set up
properly, I couldn't get it working till I generated a keytab file.
There are other approaches as well (most under the banner of "Identity
Management") which typically replicate account information across your
different authentication systems.
Rick
Is an option, but if SGD can do it, it seems like the preferred solution.
Thanks for the response. I'll keep whacking at it.
- Trev
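An added offline pre-flight check (my example, not code from the thread or from SGD) that parses nslookup SRV answers like the two quoted above, confirms the LDAP (389) and Global Catalog (3268) ports and targets, and checks the bind userid for the @domain part that was missing; the function names are hypothetical and the sample answers are copied from the thread.

```python
import re
from typing import List, Tuple

# nslookup prints an SRV answer as "<name> service = <prio> <weight> <port> <target>."
SRV_RE = re.compile(r"^(\S+)\s+service\s*=\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?$")

# Ports AD advertises for plain LDAP and the Global Catalog.
EXPECTED_PORTS = {"_ldap._tcp": 389, "_gc._tcp": 3268}

# Constructed sample: the two nslookup answers quoted in the thread.
SAMPLE = """\
Server: 192.168.43.22
Address: 192.168.43.22#53
_ldap._tcp.example.com service = 0 100 389 ad01.example.com.
_gc._tcp.example.com service = 0 100 3268 ad01.example.com.
"""

def parse_srv(nslookup_output: str) -> List[Tuple[str, int, int, int, str]]:
    """Return (name, priority, weight, port, target) for each SRV answer line."""
    records = []
    for line in nslookup_output.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            name, prio, weight, port, target = m.groups()
            records.append((name, int(prio), int(weight), int(port), target))
    return records

def check_srv(domain: str, nslookup_output: str) -> List[str]:
    """Return problems found; an empty list means both SRV records look sane."""
    problems = []
    records = parse_srv(nslookup_output)
    for svc, port in EXPECTED_PORTS.items():
        name = f"{svc}.{domain}"
        hits = [r for r in records if r[0] == name]
        if not hits:
            problems.append(f"no SRV record for {name}")
        elif not any(r[3] == port for r in hits):
            problems.append(f"{name}: expected port {port}, got {[r[3] for r in hits]}")
        for r in hits:
            if not r[4].endswith("." + domain):  # target should be a DC FQDN inside the domain
                problems.append(f"{name}: target {r[4]} is outside {domain}")
    return problems

def check_bind_userid(userid: str, domain: str) -> List[str]:
    """The bind userid must carry @domain (the omission corrected in this thread)."""
    if "@" not in userid:
        return ["bind userid lacks @domain"]
    if userid.rsplit("@", 1)[1].lower() != domain.lower():
        return [f"bind userid domain does not match {domain}"]
    return []
```

Paste your own nslookup output in place of SAMPLE; any non-empty list from check_srv points at a DNS problem AD will trip over before SGD ever binds.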
_______________________________________________
SGD-Users mailing list
[email protected]
http://node1.filibeto.org/mailman/listinfo/sgd-users