Active Directory Integration

OmniOS can integrate itself into an active directory domain as an smb file server and it can use an active directory server for both login authentication as well as to provide name services for user accounts.

Preparing the System

Use AD as your dns server

# cat <<CFG_END >/etc/resolv.conf nameserver 10.1.1.1 domain my-ad-domain.local search my-ad-domain.local CFG_END 

Enable ntp as precise time is essential for kerberos operation.

# svcadm enable network/ntp 

Hooking up Kerberos

Install Kerberos support

# pkg install system/security/kerberos-5 

Setup Kerberos for MS Active Directory (ms_ad)

# kclient -T ms_ad # kinit -V administrator 

Enabling SMB Filesharing

To make sure we have the same user id numbers everywhere we want to keep them in Active Direcory.

# svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: idmu # svcadm refresh svc:/system/idmap 

Make sure you have the following properties configured for every user in your active directory:

* uid (username) * uidNumber * gidNumber * homeDirectory * loginShell * gecos

Active Directory Configuration

# sharectl set -p lmauth_level=5 smb # sharectl set -p system_comment="My Funny Fileserver" smb # svcadm enable -r smb/server 

Name Service Integration

The illumos active directory plugin does not support full login integration, therefore we have to setup a proxy ldap user and then configure the ldap client to enable unix logins with ldap accounts. The proxy AD user has to have appropriate rights to read the user account entries.

Proxy User Account

Now configure the ldap client accordingly

ldapclient manual \ -a credentialLevel=proxy \ -a authenticationMethod=simple \ -a proxyDN="cn=omnios ldap,cn=Users,dc=my-ad-domain,dc=local" \ -a proxyPassword=Plain Password \ -a defaultSearchBase=dc=my-ad-domain,dc=local \ -a domainName=my-ad-domain.local \ -a followReferrals=false \ -a defaultServerList=ad.my-ad-domain.local \ -a attributeMap=group:userpassword=userPassword \ -a attributeMap=group:memberuid=memberUid \ -a attributeMap=group:gidnumber=gidNumber \ -a attributeMap=passwd:gecos=gecos \ -a attributeMap=passwd:gidnumber=gidNumber \ -a attributeMap=passwd:uidnumber=uidNumber \ -a attributeMap=passwd:homedirectory=HomeDirectory \ -a attributeMap=passwd:loginshell=loginShell \ -a attributeMap=shadow:shadowflag=shadowFlag \ -a attributeMap=shadow:userpassword=userPassword \ -a objectClassMap=group:posixGroup=group \ -a objectClassMap=passwd:posixAccount=user \ -a objectClassMap=shadow:shadowAccount=user \ -a serviceSearchDescriptor=passwd:dc=my-ad-domain,dc=local?sub \ -a serviceSearchDescriptor=group:dc=my-ad-domain,dc=local?sub 

Make sure that /etc/nsswitch.conf only has ldap entries for passwd and group plus dns for hosts:

# ... passwd: files ldap ad group: files ldap ad # ... hosts: files dns ipnodes: files dns # ... 

Finally pam must be told to use kerberos where appropriate via /etc/pam.conf the entries are most likely already present you just have to remove the comment character #. See man pam_krb5 for details.

login auth sufficient pam_krb5.so.1 krlogin auth required pam_krb5.so.1 krsh auth required pam_krb5.so.1 ktelnet auth required pam_krb5.so.1 other auth sufficient pam_krb5.so.1 

Testing

Your OmniOS server should now be accessible as smb fileserver from windows clients allowing for SSO access.

On the omnios command line you should see all accounts using with getent passwd just create appropriate home directories and chown them to the users.

Thanks

Thanks to Manuel Oetiker for help in figuring this all out.

If you have any have input on how to improve this setup or the documentation, please be in touch.