Our Solaris 10 clients are using Windows 2008 R2 Active Directory for authentication (Kerberos) and (attempting) authorization (LDAP), but the LDAP part is erroring out. Here is the sequence of events:
On Solaris 10 client:
ldaplist passwd \*
-Works correctly, and lists all users from Windows 2008 R2 Active Directory
However, when I do the same command for groups, it errors out:
ldaplist group \*
-Errors out with:
ldaplist: Object not found
For the AD groups for UNIX, I have chosen the NIS domain on the UNIX Attributes tab, just like I did with the AD UNIX users.
Other commands that do work between Solaris 10 and Win 2008 R2 AD:
kinit <user>
klist
klist -k
ldapsearch -h <DC> -D cn=proxy,cn=users,dc=mydomain,dc=com -w <PASSWD> -b dc=mydomain,dc=com -s sub '(cn=tst*)'
ldapsearch -h <DC> -s base -b "" "(objectclass=*)"
The ldapsearch will actually list my groups (my groups are named tstgrp1, tstgrp2, tstgrp3, tstgrp4), but I think this works because it is searching for the Common Name (CN) tst*, and not for a type of object (group).
These commands do not work as expected:
getent passwd
-This only shows local UNIX users
getent group
-This only shows local UNIX groups
The /etc/nsswitch.conf is set up for:
passwd: files ldap [TRYAGAIN=continue]
group: files ldap [TRYAGAIN=continue]
hosts: files dns
My references are:
http://technet.microsoft.com/en-us/library/bb496504.aspx
http://osdude.wordpress.com/2011/08/
Systems:
Solaris 10 (sparc)
Windows 2008 R2 with Identity Management for UNIX Role added.
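An added diagnostic for the "ldaplist group: Object not found" symptom above; this is example code written for this page, not the poster's own commands or anything from the referenced articles. It assumes a DC hostname (dc1.mydomain.com), the proxy bind DN from the post, a placeholder bind password, and the `NS_LDAP_*` line format that `ldapclient list` prints on Solaris 10. The idea is to compare three searches against the DC: the CN search that the post already showed working, the search Solaris runs for the group map by default (objectClass=posixGroup), and a search for AD groups that actually carry a gidNumber after being UNIX-enabled in Identity Management for UNIX (AD groups are objectClass=group, so the default posixGroup filter finds nothing unless the client profile maps posixGroup onto group). The last helper checks the client profile for those objectClassMap/attributeMap lines.

```shell
#!/bin/sh
# Diagnostic helpers for "ldaplist group: Object not found" on a Solaris 10
# ldapclient pointed at AD. Added example, not from the original post.
# Assumed values (not given in the post): DC host, bind password.
DC="${DC:-dc1.mydomain.com}"
BASE="${BASE:-dc=mydomain,dc=com}"
BIND_DN="${BIND_DN:-cn=proxy,cn=users,dc=mydomain,dc=com}"
BIND_PW="${BIND_PW:-changeme}"

# Run one search against the DC using the same ldapsearch syntax as the post,
# returning only the attributes the Solaris group map needs.
ad_search() {
    ldapsearch -h "$DC" -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" -s sub \
        "$1" cn gidNumber memberUid objectClass
}

# Read LDIF on stdin; print "<entries> <entries that carry a gidNumber>".
# A group without gidNumber cannot be resolved by the group map even when
# the object class mapping is correct.
count_unix_groups() {
    awk '
        /^dn:/ { entries++; has_gid = 0 }
        tolower($0) ~ /^gidnumber:/ { if (!has_gid) { with_gid++; has_gid = 1 } }
        END { printf "%d %d\n", entries + 0, with_gid + 0 }
    '
}

# Read `ldapclient list` output on stdin and report whether the profile maps
# the Solaris group schema (posixGroup, gidnumber, memberuid) onto AD's.
# Prints "ok" or "missing: <entries>", exit status 0 or 1.
check_group_mapping() {
    input=$(cat)
    missing=""
    for want in \
        "NS_LDAP_OBJECTCLASSMAP=group:posixGroup=group" \
        "NS_LDAP_ATTRIBUTEMAP=group:gidnumber=gidNumber" \
        "NS_LDAP_ATTRIBUTEMAP=group:memberuid=memberUid"
    do
        key=${want%%=*}
        val=${want#*=}
        # ldapclient prints "NS_LDAP_XXX= value"; match case-insensitively.
        printf '%s\n' "$input" | grep -Eiq "^${key}=[[:space:]]*${val}[[:space:]]*$" \
            || missing="${missing} ${val}"
    done
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:${missing}"
    return 1
}

# Stand-alone run on the Solaris client: sh check_groups.sh run
if [ "${1:-}" = "run" ]; then
    echo "== groups by CN (the search that already works) =="
    ad_search '(cn=tst*)' | count_unix_groups
    echo "== Solaris default group filter =="
    ad_search '(objectClass=posixGroup)' | count_unix_groups
    echo "== AD groups with UNIX attributes populated =="
    ad_search '(&(objectClass=group)(gidNumber=*))' | count_unix_groups
    echo "== client profile group mapping =="
    ldapclient list | check_group_mapping
fi
```

Reading the result: if the CN search and the `(&(objectClass=group)(gidNumber=*))` search both return the four tstgrp entries with a gidNumber but the posixGroup search returns none, and `check_group_mapping` reports missing lines, the client profile is the thing to fix, for example with `ldapclient mod -a objectClassMap=group:posixGroup=group -a attributeMap=group:gidnumber=gidNumber -a attributeMap=group:memberuid=memberUid`. If the second count shows groups without a gidNumber, the UNIX Attributes change on those groups did not take, and no client-side mapping will help.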