Solaris 10, nscd, Bug 369 issues

Greetings,

I'm trying to integrate a Solaris 10 machine with Active Directory (using SFU 3.5) and since our schema is based on RFC2307bis groups (as I understand it) Solaris's ldap client can't seem to deal with this.

So we've compiled and installed nss_ldap (version 264) from Padl, building it against OpenLDAP (2.4.16) and having that authenticate against our AD by use of GSSAPI and a kerberos key in the machine's keytab generated with ktpass.exe (full details are available of exactly what we've done if anyone wants them).

The Solaris machine has the following showrev information:
Release: 5.10
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: lancs.local
Kernel version: SunOS 5.10 Generic_127127-11

I've also installed patch 140391-03 (http://sunsolve.sun.com/search/document.do?assetkey=1-21-140391-03-1) which apparently fixes bug 6644077, which is related to nscd rejecting foreign nss backends.

However we've hit a snag involving nscd and what I assume is bug 369 in the Padl bugtracker (http://bugzilla.padl.com/show_bug.cgi?id=369).

Essentially if nscd is running then id, getent passwd and other calls fail.

If nscd is not running these calls work fine, and the machine can be logged into, authenticating against LDAP via PAM, which suggests that our configuration is correct at least in this point. However once logged in, programs like klist and ssh cannot be run as they seem to depend on nscd.

I've tried the suggested solution in the bugzilla page, getting the svc:/network/ldap/client:default service running, although I've not tried renaming the library and functions. This doesn't seem to change the behaviour of nscd; as soon as it's running these calls fail.

Can anyone offer any other suggestions for what I'm doing wrong? Do I just need to wait for the next release of nss_ldap? Should I be replying on the bugzilla?

If any more information is required on compilation options or configuration used then please ask on or off list, I just didn't want to swamp people's inboxes.

Regards,

paul.

--
~ Paul Tipper ~ ISS Unix Support, Lancaster University
Website: http://www.lancs.ac.uk/~tipper/
Email: <p.tipper@...>
PGP Key: 0x8E8C2E9F
Re: Solaris 10, nscd, Bug 369 issues

Hello Paul,

> I'm trying to integrate a Solaris 10 machine with Active Directory
> (using SFU 3.5) and since our schema is based on RFC2307bis groups (as
> I understand it) Solaris's ldap client can't seem to deal with this.

When using Solaris 10 U7 you can use the native LDAP client that comes with Solaris. But you have to map the attributes. I also recommend building indices for the attributes if you have more than 1000 users in your AD. When you use the schema extensions that come with Windows 2003 R2 you can even use the std. attributes.

Something like that with the attributes you use:

    ldapclient -v manual \
        -a credentialLevel=proxy \
        -a authenticationMethod=simple \
        -a proxyDN=CN=ADLDAPF,OU=ErlF,OU=User,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net \
        -a proxyPassword=z61pAEQMsz61pAEQMs \
        -a defaultSearchBase=OU=ErlF,OU=User,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net \
        -a domainName=erlf.glanzmann.de \
        -a defaultServerList=157.163.248.31 \
        -a attributeMap=group:userpassword=userPassword \
        -a attributeMap=group:memberuid=memberUid \
        -a attributeMap=group:gidnumber=gidNumber \
        -a attributeMap=passwd:gecos=cn \
        -a attributeMap=passwd:gidnumber=gidNumber \
        -a attributeMap=passwd:uidnumber=uidNumber \
        -a attributeMap=passwd:homedirectory=unixHomeDirectory \
        -a attributeMap=passwd:loginshell=loginShell \
        -a attributeMap=shadow:shadowflag=shadowFlag \
        -a attributeMap=shadow:userpassword=userPassword \
        -a objectClassMap=group:posixGroup=group \
        -a objectClassMap=passwd:posixAccount=user \
        -a objectClassMap=shadow:shadowAccount=user \
        -a serviceSearchDescriptor=passwd:OU=ErlF,OU=User,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net?sub \
        -a serviceSearchDescriptor=group:OU=ErlF,OU=User,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net?sub \
        -a serviceSearchDescriptor=netgroup:OU=Netgroups,OU=ErlF,OU=UNIX,OU=_CentralServices,DC=ww004,DC=glanzmann,DC=net?sub

Make sure that you use U7 because U6 has a bug that doesn't allow you to use netgroups in it. U5 is fine again IIRC.

> Can anyone offer any other suggestions for what I'm doing wrong? Do I
> just need to wait for the next release of nss_ldap? Should I be
> replying on the bugzilla?

At the moment there is no working nss_ldap solution. Someone is working on it, I asked several times but the only thing I got till now is a binary version for x86 but no source code.

Thomas
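A small sanity check for the attributeMap list in the ldapclient invocation above, added here as an example; it is not Thomas's code and not part of Solaris or Padl. The mapping table is constructed from the mappings in the reply, and the list of passwd attributes treated as required (uidnumber, gidnumber, homedirectory, loginshell) is an assumption about what the name service needs to build a usable entry, so adjust it to your own schema. It runs in plain POSIX sh with no directory access, which makes it usable before touching the live client configuration.

```shell
#!/bin/sh
# Added example (not from the original post): check an ldapclient attribute
# mapping table for completeness before feeding it to ldapclient.

# Mapping table, one "service:localattr=ldapattr" per line. Constructed from
# the mappings in the reply: RFC2307 names on the left, AD/SFU names on the right.
MAPPINGS='passwd:gecos=cn
passwd:gidnumber=gidNumber
passwd:uidnumber=uidNumber
passwd:homedirectory=unixHomeDirectory
passwd:loginshell=loginShell
group:memberuid=memberUid
group:gidnumber=gidNumber
group:userpassword=userPassword
shadow:userpassword=userPassword
shadow:shadowflag=shadowFlag'

# Assumption: these passwd attributes must be mapped for the name service to
# return a complete entry (uid, primary gid, home, shell). Edit for your schema.
REQUIRED_PASSWD='uidnumber gidnumber homedirectory loginshell'

# Print the "-a attributeMap=..." arguments for one service, built from $MAPPINGS.
# Usage: map_args passwd
map_args() {
    service="$1"
    printf '%s\n' "$MAPPINGS" | while IFS= read -r line; do
        case "$line" in
            "$service:"*) printf -- '-a attributeMap=%s\n' "$line" ;;
        esac
    done
}

# Count how many attributeMap arguments would be passed for a service.
# Usage: map_count passwd
map_count() {
    map_args "$1" | wc -l | tr -d ' '
}

# Print the required passwd attributes that have no mapping in the table given
# as $1, one per line. Returns 0 if all are mapped, 1 otherwise.
# Usage: missing_passwd_maps "$MAPPINGS"
missing_passwd_maps() {
    maps="$1"
    rc=0
    for attr in $REQUIRED_PASSWD; do
        if ! printf '%s\n' "$maps" | grep -q "^passwd:$attr="; then
            printf '%s\n' "$attr"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: report the mapping status for the constructed table.
if missing="$(missing_passwd_maps "$MAPPINGS")"; then
    echo "passwd mappings complete ($(map_count passwd) attributeMap arguments)"
else
    echo "passwd mappings missing:"
    printf '%s\n' "$missing"
fi
```

The `map_args` output can be spliced straight into an `ldapclient -v manual` command with `$(map_args passwd) $(map_args group) $(map_args shadow)`; keep the credential arguments separate, since anything placed on the ldapclient command line is visible in process listings and shell history while it runs.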
Re: Solaris 10, nscd, Bug 369 issues

Paul,

the nss_ldap code in 264 for the kerberos functions is borked! I have patches that I have published (which is close to a complete rewrite) that deal with this. I can send you these as applied to the nss 264 that was published in Fedora recently if that will help. This will allow kerberos to work with a keytab for the root user (or a ccache that has been set up for the root user), allow a ccache to be provided that nscd can use, and also use the logged in user's ccache if required. If a keytab is supplied then auto refresh also works.

The only problem I have not been able to nail down is that NSCD crashes (usually after some time) where the machine has a local account that duplicates one held in the AD/OpenLDAP/Fedora store... I have not pushed hard for this to be mainstreamed as I need to do some code tidy up.

Regards,

Howard

Paul Tipper wrote:
> Greetings,
>
> I'm trying to integrate a Solaris 10 machine with Active Directory
> (using SFU 3.5) and since our schema is based on RFC2307bis groups (as
> I understand it) Solaris's ldap client can't seem to deal with this.
>
> So we've compiled and installed nss_ldap (version 264) from Padl,
> building it against OpenLDAP (2.4.16) and having that authenticate
> against our AD by use of GSSAPI and a kerberos key in the machine's
> keytab generated with ktpass.exe (full details are available of
> exactly what we've done if anyone wants them).
>
> The Solaris machine has the following showrev information:
> Release: 5.10
> Kernel architecture: sun4u
> Application architecture: sparc
> Hardware provider: Sun_Microsystems
> Domain: lancs.local
> Kernel version: SunOS 5.10 Generic_127127-11
>
> I've also installed patch 140391-03
> (http://sunsolve.sun.com/search/document.do?assetkey=1-21-140391-03-1)
> which apparently fixes bug 6644077 which is related to nscd rejecting
> foreign nss backends.
>
> However we've hit a snag involving nscd and what I assume is bug 369
> in the Padl bugtracker (http://bugzilla.padl.com/show_bug.cgi?id=369)
>
> Essentially if nscd is running then id, getent passwd and other calls
> fail.
>
> If nscd is not running these calls work fine, and the machine can be
> logged into, authenticating against LDAP via PAM, which suggests that
> our configuration is correct at least in this point. However once
> logged in, programs like klist and ssh cannot be run as they seem to
> depend on nscd.
>
> I've tried the suggested solution in the bugzilla page, getting the
> svc:/network/ldap/client:default service running. Although I've not
> tried renaming the library and functions. This doesn't seem to change
> the behaviour of nscd, as soon as it's running these calls fail.
>
> Can anyone offer any other suggestions for what I'm doing wrong? Do I
> just need to wait for the next release of nss_ldap? Should I be
> replying on the bugzilla?
>
> If any more information is required on compilation options or
> configuration used then please ask on or off list, I just didn't want
> to swamp people's inboxes.
>
> Regards,
>
> paul.