[sparks-discuss] Active Directory name service module (nss_ad) [PSARC/2008/441 FastTrack timeout 07/18/2008]
Nicolas Williams
Nicolas.Williams at sun.com
Fri Jul 18 12:02:34 PDT 2008
On Fri, Jul 18, 2008 at 12:29:59PM -0500, Nicolas Williams wrote:
> On Fri, Jul 18, 2008 at 12:58:37PM +0200, Serge Dussud wrote:
> > man page for ad(5) should also mention this.
>
> We'll add text to ad(5) saying that nss_ad does not support logons by
> Windows users.
>
> We'll also add nsswitch.ad with a comment as suggested by Julian.
>
> I'll update the materials and send a note.
I've updated ad(5) as follows:
+++ ad.5.txt Fri Jul 18 11:10:26 2008
@@ -7,16 +7,24 @@
to an AD domain and using the keyword ad in the nsswitch.conf(4)
file. AD domain join can be executed using the kclient(1) utility.
The naming databases currently supported by AD name service are
- passwd and group. The AD servers are auto-discovered.
+ passwd and group. Logins by Windows users are not yet supported
+ however: the user_attr(4) database currently has no entries for
+ Windows users, and the passwd(1) command does not support
+ synchronizing user passwords with AD.
- The Solaris AD client uses LDAP v3 protocol to access naming
- information from the AD servers. No schema modification is needed
- on the AD servers because the Solaris client works with native
- AD schema. The Solaris AD client uses idmap(1M) service to map
- Windows SIDs to POSIX UIDs/GIDs and vice-versa.
+ The Solaris AD client auto-discovers AD directory servers ("domain
+ controllers" and "global catalog" servers) and uses LDAP v3
+ protocol to access naming information from the AD servers. No
+ schema modification is needed on the AD servers because the Solaris
+ client works with native AD schema. The Solaris AD client uses
+ idmap(1M) service to map Windows SIDs to POSIX UIDs/GIDs and
+ vice-versa. User and group names are taken from the sAMAccountName
+ attribute of user and group objects in AD, and are then suffixed
+ with '@' and the name of the AD domain where the objects reside.
- Security model used by the client is SASL/GSSAPI/KRB5. Kerberos v5
- is configured on the client at the time of domain join.
+ The security model used by the client is SASL/GSSAPI/KRB5.
+ Kerberos v5 must be configured on the client at the time of domain
+ join; see kclient(1M).
FILES
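Review bot: The new sentence at the end of this hunk cites kclient(1M) while the unchanged first paragraph of the same page cites kclient(1) for the same utility; the two references should agree on the man section, so whichever is right, fix the other one in the same change. Also, "Logins by Windows users are not yet supported however:" reads awkwardly with the trailing "however"; suggest "However, logins by Windows users are not yet supported: the user_attr(4) database ..." so the limitation is stated up front before its two causes. Since the sAMAccountName '@' domain naming rule is what administrators will need when they grant access to these accounts, consider adding one illustrative name in that form to the paragraph.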
And I've updated nsswitch.conf(4) as follows:
------- nsswitch.conf.4.txt -------
--- /tmp/sccs.wxaqL2 Fri Jul 18 12:02:09 2008
+++ nsswitch.conf.4.txt Fri Jul 18 12:00:20 2008
@@ -422,6 +422,9 @@
/etc/nsswitch.ldap Sample configuration file that
uses files and ldap.
+ /etc/nsswitch.ad Sample configuration file that
+ uses files and ad.
+
/etc/nsswitch.dns Sample configuration file that
uses files, dns and mdns (dns
and mdns only for hosts).
@@ -454,7 +457,9 @@
lookups on the database may yield different results depend-
ing on which name service is operational at the time of the
request. The same applies for using ldap along with nis or
- nisplus.
+ nisplus. The same applies for using ldap along with ad
+ when ldap is used with schema mapping with an Active
+ Directory domain.
Misspelled names of sources and databases will be treated as
legitimate names of (most likely nonexistent) sources and
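Review bot: "when ldap is used with schema mapping with an Active Directory domain" is hard to parse (two "with" phrases) and does not say which domain; suggest "The same applies when ad is used along with ldap and ldap is configured with schema mapping against the same Active Directory domain that ad serves." That makes clear the inconsistency arises because both sources answer for the same accounts, which is the point the surrounding paragraph is making about nis/nisplus.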