Solaris10. Active Directory Integration. 16. August 2007


Solaris10 Active Directory Integration
16 August 2007

Document name: Solaris10_AD_Integration_V1.0.doc
Version: V 1.0
Project number:
Author(s): Ivan Bütler, Compass Security AG
Delivery date: 16 August 2007
Classification: PUBLIC

Index

1 Solaris10 Active Directory Integration
  Introduction and Objectives
  Procedure
  System Identification (p. 6)
2 Phase 1: Kerberos Setup
  Objectives
  Active Directory: Create the AD-User for the Solaris10 Host
  Active Directory: Create the Shared Secrets for the Solaris10 Host
  Safe transmission of the Shared Secret to the Solaris10 Host
  Active Directory: Configuration DNS Server
  Solaris10: Configuration /etc/inet/hosts file
  Solaris10: Analysis of the DNS resolution
  Solaris10: Configuration of Kerberos for the Solaris System
  Testing of Kerberos between Solaris10 and Active Directory (p. 15)
3 Phase 2: LDAP over SSL Setup
  Objectives
  Active Directory: LDAP SSL requests (1)
  Active Directory: Activation of LDAP over SSL
  Active Directory: LDAP SSL requests (2)
  Active Directory: Installation of an LDAP Proxy User
  Solaris10: Configuration of the CA Certificate
  Solaris10: Testing of LDAP over SSL through ldapsearch (p. 26)
4 Phase 3: UNIX Users and Groups in the Active Directory
  Objectives
  Active Directory: Installation of UNIX Service
  Active Directory: Indexation
  Active Directory: NIS Maps (p. 34)
5 Phase 4: Final Setup
  Objectives
  Solaris10: LDAP Configuration Part 2 (ldapclient)
  Solaris10: Testing of the LDAP Configuration
  Solaris10: Modification of /etc/nsswitch.conf
  Solaris10: LDAP Client Restart
  Solaris10: DNS Check
  Solaris10: Testing of GETENT PASSWD
  Solaris10: PAM Configuration
  Solaris10: Reboot Solaris (p. 40)
6 Phase 5: User Tests with SSH
  Objectives
  Switch User (p. 41)
  6.3 SSH Access 1 (Username/Password)
  SSH Access 2 (SSO with Kerberos under Solaris10)
  SSH Access 3 (SSO with Kerberos and putty)
  SSH Access 4 (User in the Active Directory is "disabled") (p. 48)
7 Misc
  Open Issues (p. 49)
8 Appendix
  Solaris10: Creation of Solaris10 Non-Global Zone torro
  Solaris10: DNS and Network Settings for the Zone "torro"
  Active Directory: Activation of the LDAP over SSL
  Configuration Tools
    Ktpass.exe
    reqdccert.vbs
  Links (p. 60)

PUBLIC   Date: 16 Aug. 2007

1 Solaris10 Active Directory Integration

1.1 Introduction and Objectives

The aim of the instructions in this report is to show the reader, step by step, how to integrate a Solaris 10 host into Active Directory. Using Active Directory for UNIX derivatives as well is of interest because of:

  - use of the existing users (central user management)
  - central use of network data (former NIS data)
  - use of Kerberos services
  - SSO

Once you have walked through this report step by step, you will be able to use putty.exe from your Windows XP workstation to authenticate to the Solaris10 host with Kerberos without entering your password again, because the Active Directory Kerberos ticket is accepted by the Solaris10 ssh daemon. The user id you use to authenticate to Solaris10 is not configured locally; instead, it is looked up in the Active Directory.

1.2 Procedure

Phase 1: Kerberos Setup (Chapter 2)

In the first phase Kerberos is configured so that Active Directory and the Solaris10 host cooperate:

  - Creation of an AD user for the Solaris10 host
  - Creation of the shared secret (Kerberos keytab) for the Solaris10 host
  - Safe transmission of the shared secret from AD to the Solaris10 host
  - Configuration of the DNS server
  - Configuration of the Solaris10 Kerberos settings
  - Testing of Kerberos: interaction between the Solaris10 host and AD

Phase 2: LDAP over SSL in the Active Directory (Chapter 3)

In the second phase LDAP over SSL is activated in the Active Directory. This is compulsory because the Solaris 10 system will resolve users via LDAP over SSL. Plain LDAP is regarded as insecure and is not recommended.

  - Testing of the LDAP over SSL interface at Active Directory
  - Activation of the LDAP over SSL interface
  - Retesting of LDAP over SSL
  - Installation of a lookup account in Active Directory (proxyuser)
  - Configuration of the SSL CA certificate on the Solaris10 system

Phase 3: Installation of UNIX Services in Active Directory (Chapter 4)

The next step deals with the installation of the POSIX schema in Active Directory. This is compulsory so that Active Directory can recognise UNIX attributes such as uid, uidnumber, gid, gidnumber, etc.

  - Installation of UNIX Services in Active Directory
  - Configuration of the first POSIX group
  - Configuration of the first POSIX user
  - Adjusting performance enhancement for the lookup

Phase 4: Final Setup (Chapter 5)

After all the components have been configured and adjusted "correctly", the fourth phase deals with the final setup of the Solaris 10 and Active Directory cooperation.

  - LDAP configuration of Solaris10
  - /etc/nsswitch.conf adjustment in Solaris10
  - Restart of services
  - Test whether getent passwd <user> works
  - Configuration of PAM
  - Reboot Solaris

Phase 5: User Tests with SSH (Chapter 6)

Finally it is tested whether the interaction between Solaris 10 and Active Directory for SSH is operational. For this purpose the following test cases are carried out:

  - Test switch user (su)
  - Test SSH with username/password (Active Directory username/password)
  - Test SSH with Kerberos under Solaris
  - Test SSH with Kerberos under Windows
  - Test SSH when the user is deactivated in Active Directory

1.3 System Identification

In this report a Solaris 10 system and an Active Directory are used. The table below describes the two systems.

Solaris10 System
  Type:          OpenSolaris SNV_68
  Architecture:  Intel PC
  IP Address:
  Uname:         bash-3.00# uname -a
                 SunOS tarribo 5.11 snv_68 i86pc i386 i86pc
  Hostname:      torro
  Type:          Non-Global Zone

Note: The Solaris10 is installed as a non-global zone. How this zone was established is described in chapter 8.1.

Active Directory System
  Type:          Windows 2003 Server R2 (latest patches)
  Architecture:  Intel PC
  IP Address:

2 Phase 1: Kerberos Setup

2.1 Objectives

This phase deals with the correct interaction between Solaris 10 and the Active Directory on the basis of Kerberos. Kerberos is based on distributed symmetric keys. It is therefore essential to create the key for Solaris 10 accordingly, then to introduce this key to the Solaris 10 system, and finally to configure Solaris 10 for Kerberos using AD.

Phase 1: Kerberos Setup

In the first phase Kerberos is configured so that Active Directory and the Solaris10 host cooperate:

  - Creation of an AD user for the Solaris10 host
  - Creation of the shared secret (Kerberos keytab) for the Solaris10 host
  - Safe transmission of the shared secret from AD to the Solaris10 host
  - Configuration of the DNS server
  - Configuration of the Solaris10 Kerberos settings
  - Testing of Kerberos: interaction between the Solaris10 host and AD

2.2 Active Directory: Create the AD-User for the Solaris10 Host

The integration of Solaris 10 requires one user account per Solaris 10 host. A user account must be configured in the AD for the Solaris10 host. Attention: NO computer account.

As the Solaris10 user account is an "internal" user, we have chosen the following naming scheme: TYPE-OS-HOSTNAME$

Example: host-solaris10-torro$

  - The $ sign at the end marks the account as a "system account".
  - For this report, the Solaris10 host is called torro.
  - The password of technical accounts must not "expire".

Once the above steps are performed, a user account object exists for the Solaris10 host. This is necessary for the next step to work, where we create a Kerberos keytab (shared secret) file.

2.3 Active Directory: Create the Shared Secrets for the Solaris10 Host

In order to allow communication between the Solaris 10 machine with the hostname "torro" and the KDC, the shared secret must now be created, or, in Kerberos terminology, the keytab file must be created on the AD. Please note that this only works if the user object for the torro host has been created in advance.

    C:\kerberos>ktpass.exe -princ host/torro.csnc.ch@csnc.ch -mapuser host-sol10-torro$@csnc.ch -pass gugus -ptype KRB5_NT_PRINCIPAL -out torro.keytab
    Targeting domain controller: merlin3.csnc.ch
    Using legacy password setting method
    Successfully mapped host/torro.csnc.ch to host-sol10-torro$.
    Key created.
    Output keytab to torro.keytab:
    Keytab version: 0x502
    keysize 61 host/torro.csnc.ch@csnc.ch ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0xa36ff1e30bd943969f66a81d85c8e53f)

    C:\kerberos>

What is the meaning of the above arguments?

  -princ host/torro.csnc.ch@csnc.ch
    Basically this means user@realm. In our context it means that we make the entry for a host (and not for a user). In the AD the principal is only an LDAP attribute and nothing more; it is not an actual user in the real sense (no AD user).

  -mapuser host-sol10-torro$@csnc.ch
    With this argument we tell the AD that the Solaris 10 host principal is to be assigned to the user "host-sol10-torro$".
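The numbers in the ktpass output (keysize 61, etype 0x17, keylength 16) follow the MIT keytab layout, format version 0x502, which this added parser reads and writes; it is example code written for this page, not part of the report or of ktpass. The key bytes and timestamp in the sample are placeholders, not the key from the report, and the audit flags what a defender checks before copying the file to the host: the enctype and the realm spelling.

```python
import struct
from dataclasses import dataclass
from typing import List

# Kerberos encryption types as they appear in a keytab. 0x17 (RC4-HMAC) is what
# the ktpass run above produced; it is a legacy type, and a newer deployment
# should prefer the AES types (0x11, 0x12).
ENCTYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
}
LEGACY_ENCTYPES = {0x01, 0x03, 0x17}


@dataclass
class KeytabEntry:
    principal: str   # e.g. "host/torro.csnc.ch@csnc.ch"
    name_type: int   # 1 = KRB5_NT_PRINCIPAL (the ptype in the ktpass output)
    timestamp: int
    kvno: int
    enctype: int
    key_len: int     # the key bytes themselves are deliberately not kept


def _cstr(s: str) -> bytes:
    """Counted octet string: big-endian uint16 length followed by the bytes."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, name_type: int, timestamp: int, kvno: int,
                 enctype: int, key: bytes) -> bytes:
    """Serialise a one-entry keytab in format version 0x502 (what ktpass writes)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm)
    body += b"".join(_cstr(c) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    # file = 2-byte version, then per entry an int32 size and the entry body
    return b"\x05\x02" + struct.pack(">i", len(body)) + body


def _read_cstr(data: bytes, pos: int):
    (ln,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + ln].decode(), pos + ln


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_cstr(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_cstr(data, pos)
            comps.append(c)
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len        # step over the key material
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno stored after the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, timestamp, kvno, enctype, key_len))
    return entries


def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """Checks worth running before the keytab is installed on the host."""
    findings = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e.enctype, hex(e.enctype))
        if e.enctype in LEGACY_ENCTYPES:
            findings.append(f"{e.principal}: legacy enctype {name}, prefer AES")
        realm = e.principal.rsplit("@", 1)[1]
        if realm != realm.upper():
            findings.append(f"{e.principal}: realm is not upper case; check that it "
                            "matches the realm in krb5.conf (realm names are case-sensitive)")
    return findings


# Constructed sample mirroring the ktpass output: ptype 1, vno 6, etype 0x17,
# 16-byte key. The key bytes and the timestamp are placeholders.
SAMPLE_KEYTAB = build_keytab("host/torro.csnc.ch@csnc.ch", 1, 1185521400, 6,
                             0x17, bytes(range(16)))

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(audit_keytab(parse_keytab(SAMPLE_KEYTAB)))
```

The constructed file is 67 bytes (2-byte version, 4-byte size, 61-byte entry), which is the size ktpass reports and the size the dir listing in the next section shows for torro.keytab.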

In the LDAP you can easily recognise the effect of the above command. The command inserts an additional principal name into the DN, in order to link the host account to the Kerberos credentials. In any case ktpass.exe produces the shared secret of the Solaris 10 host, which we need for the next step.

    C:\kerberos>dir
     Volume in drive C is System

     Directory of C:\kerberos

    <date>  <DIR>          .
    <date>  <DIR>          ..
    <date>          90'112 ktpass.exe
    <date>              67 torro.keytab
                   2 File(s)         90'179 bytes
                   2 Dir(s)  20'123'320'320 bytes free

    C:\kerberos>

2.4 Safe transmission of the Shared Secret to the Solaris10 Host

The file "torro.keytab" created above contains the shared secret for the host "torro.csnc.ch". This shared secret must be transmitted from the AD to the host "torro" in a secured form. There are several options:

  - Physical transmission using a USB disk, floppy or similar
  - SSH transfer

In this example we use "scp" for the safe transfer from the AD to the Solaris 10 host. Afterwards the file must be copied into the Kerberos directory. Once this step is performed, both the AD and the Solaris10 host know a shared secret, which is mandatory for Kerberos to work.

2.5 Active Directory: Configuration DNS Server

For the correct operation of Kerberos it is compulsory that the forward and reverse DNS entries are configured properly. Therefore, the next step registers the Solaris10 host in the Microsoft DNS server. If you have another DNS server, make sure you configure an A and a PTR record for the Solaris10 host there and skip to the next chapter.

It can be seen below how the Solaris 10 host is entered in the Windows Active Directory DNS server. A new host entry for the Solaris 10 host "torro" must be created. For correct operation it is compulsory that a PTR record exists for the Solaris 10 host.

2.6 Solaris10: Configuration /etc/inet/hosts file

It is recommended to register the FQDN of the Solaris 10 host in the local Solaris10 file /etc/inet/hosts, in order to avoid problems with the TGT (1) ticket.

Before:

    root@torro:/# grep -v ^# /etc/inet/hosts
    ::1              localhost
    127.0.0.1        localhost
    <IP of torro>    torro loghost

After:

    root@torro:/# grep -v ^# /etc/inet/hosts
    ::1              localhost
    127.0.0.1        localhost
    <IP of torro>    torro.csnc.ch torro loghost

Checking the settings:

    root@torro:/# getent hosts torro
    <IP of torro>    torro.csnc.ch torro loghost

2.7 Solaris10: Analysis of the DNS resolution

It is mandatory to test that the FQDN of the Solaris 10 host resolves at the DNS server, to avoid problems with the TGT ticket.

Checking the forward entry for the Solaris 10 host at the DNS:

    root@torro:/# dig torro.csnc.ch | grep torro
    ;torro.csnc.ch.                IN      A
    torro.csnc.ch.          <ttl>  IN      A       <IP of torro>
    ; <<>> DiG <<>> torro.csnc.ch

Checking the PTR entry for the Solaris10 host at the DNS:

    root@torro:/# dig -x <IP of torro> | grep torro
    <reversed IP>.in-addr.arpa.   <ttl>  IN      PTR     torro.csnc.ch.

With the two commands above you can "prove" that the Solaris 10 host is correctly recorded in the DNS. This is compulsory for the operation of Kerberos.

(1) TGT = Ticket Granting Ticket

2.8 Solaris10: Configuration of Kerberos for the Solaris System

Solaris10 holds the Kerberos configuration in the /etc/krb5 directory as krb5.conf. The configuration should be adapted according to the example below (in our example the domain is "CSNC.CH"; align this value to your domain name).

    [libdefaults]
            default_realm = CSNC.CH
            dns_lookup_kdc = true

    [realms]
            CSNC.CH = {
                    kdc = merlin3.csnc.ch
                    admin_server = merlin3.csnc.ch
            }

    [domain_realm]
            .csnc.ch = CSNC.CH
            .subdomain.csnc.ch = CSNC.CH

    [logging]
            default = FILE:/var/krb5/kdc.log
            kdc = FILE:/var/krb5/kdc.log
            kdc_rotate = {
                    period = 1d
                    version = 10
            }

    [appdefaults]
            kinit = {
                    renewable = true
                    forwardable = true
            }

Afterwards the file /etc/krb5/cswkrb5.conf must be adapted in the same way:

    [libdefaults]
            default_realm = CSNC.CH
            dns_lookup_kdc = true

    [realms]
            CSNC.CH = {
                    kdc = merlin3.csnc.ch
                    admin_server = merlin3.csnc.ch
            }

    [domain_realm]
            .csnc.ch = CSNC.CH
            .subdomain.csnc.ch = CSNC.CH

2.9 Testing of Kerberos between Solaris10 and Active Directory

Now we are ready to test Kerberos. The steps taken so far have been:

  - Creation of the Solaris10 user object in the AD (NO computer object)
  - Generation of the shared secret, including the principal entry in the LDAP for the new host
  - Transmission of the shared secret to the Solaris10 host
  - Ensuring the DNS requirements for the Kerberos interaction
  - Configuration of Solaris10 for the interaction with the AD KDC

Step 1: Testing of the NGZ Sol10 host (torro)

Because the Solaris10 host runs within a non-global zone, we first need to check whether the NGZ torro is running. The hostname tarribo is the Solaris10 global zone, whereas the hostname torro is the non-global zone. Read chapter 8.1 if you are interested in how the non-global zone was set up.

    root@tarribo:/# zoneadm list -cv
      ID NAME             STATUS     PATH                           BRAND    IP
       0 global           running    /                              native   shared
       3 torro            running    /opt/torro                     native   shared
    root@tarribo:/# zlogin torro
    [Connected to zone 'torro' pts/10]
    Last login: Fri Jul 27 09:07:17 on pts/10
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    root@torro:/#

Step 2: Testing of the DNS setup for the communication with the KDC

Now we check whether the KDC can be resolved via nslookup or getent.

    root@torro:/# getent hosts merlin3.csnc.ch
    <IP of merlin3>    merlin3.csnc.ch

If the Solaris 10 host cannot resolve the KDC properly, problems must be expected. See chapter 8.2 for the correct DNS configuration of the NGZ torro.

Step 3: Testing of Kerberos

Testing the Kerberos setup means:

  A) Using a valid username and password
  B) Using a valid username and an invalid password
  C) Using a valid username, but with the realm written in small letters
  D) Using a valid but locked username

A) In this example the "correct" password for the AD user "ibuetler" has been tested.

    root@torro:/etc/krb5# kinit ibuetler@CSNC.CH
    Password for ibuetler@CSNC.CH:

A) Now you can test with "klist" whether a ticket is available.

    root@torro:/etc/krb5# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ibuetler@CSNC.CH

    Valid starting                Expires                Service principal
    07/27/07 09:44:23   07/27/07 19:40:28   krbtgt/CSNC.CH@CSNC.CH
            renew until 08/03/07 09:44:23
    root@torro:/etc/krb5#

A) Now we destroy the ticket.

    root@torro:/etc/krb5# kdestroy
    root@torro:/etc/krb5# klist
    klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
    root@torro:/etc/krb5#

B) In this example a "faulty" password for the AD user "ibuetler" has been tested.

    root@torro:/etc/krb5# kinit ibuetler@CSNC.CH
    Password for ibuetler@CSNC.CH:
    kinit(v5): Preauthentication failed while getting initial credentials

C) Now we try to execute a kinit where the realm has been typed in small letters instead of CAPITAL LETTERS.

    root@torro:/etc/krb5# kinit ibuetler@csnc.ch
    Password for ibuetler@csnc.ch:
    kinit(v5): KDC reply did not match expectations while getting initial credentials

D) Now we try to execute a kinit where the user has not been registered in the AD.

    root@torro:/etc/krb5# kinit johndoe@CSNC.CH
    kinit(v5): Client not found in Kerberos database while getting initial credentials

Note that the command with ibuetler@csnc.ch is also treated as an invalid user. The correct form is therefore <aduser>@REALM, and the realm must be given in capital letters.
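The two sources of trouble in this phase, a krb5.conf that does not match the AD realm and a principal typed with the realm in small letters (test C), can be caught before running kinit. The following parser and checks are added example code, not part of the report; they parse the stanza format of /etc/krb5/krb5.conf as shown in section 2.8, and the host-to-realm mapping is a simplified version of what the Kerberos library does (exact host entry, then longest ".domain" suffix, then default_realm).

```python
import re
from typing import Dict, List

Section = Dict[str, object]   # values are str, list of str, or a nested Section


def _store(section: Section, key: str, value: str) -> None:
    """Keep repeated keys (e.g. several kdc lines) as a list instead of overwriting."""
    old = section.get(key)
    if old is None:
        section[key] = value
    elif isinstance(old, list):
        old.append(value)
    else:
        section[key] = [old, value]


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Parse [section] headers, 'key = value' lines and nested 'key = { ... }' blocks."""
    root: Dict[str, Section] = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [root.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"key outside of any section: {line}")
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            child: Section = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            _store(stack[-1], key, value)
    return root


def realm_for_host(cfg: Dict[str, Section], host: str) -> str:
    """Map a host name to its realm via [domain_realm]; fall back to default_realm."""
    mapping = cfg.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return str(mapping[host])
    best = ""
    for domain in mapping:
        if domain.startswith(".") and host.endswith(domain) and len(domain) > len(best):
            best = domain
    return str(mapping[best]) if best else str(cfg["libdefaults"]["default_realm"])


def canonical_principal(cfg: Dict[str, Section], principal: str) -> str:
    """Add the default realm if none was given and fix the realm's case, which is
    what test C above stumbled over (realm names are case-sensitive)."""
    name, sep, realm = principal.partition("@")
    if not sep:
        return f"{name}@{cfg['libdefaults']['default_realm']}"
    for known in cfg.get("realms", {}):
        if known.lower() == realm.lower():
            return f"{name}@{known}"
    return principal


def lint_krb5_conf(cfg: Dict[str, Section]) -> List[str]:
    """Consistency checks for the settings the report relies on."""
    findings = []
    default = cfg.get("libdefaults", {}).get("default_realm")
    realms = cfg.get("realms", {})
    if not default:
        findings.append("libdefaults: default_realm is missing")
    elif default != str(default).upper():
        findings.append(f"default_realm {default} is not upper case")
    elif default not in realms:
        findings.append(f"default_realm {default} has no [realms] entry")
    for realm, body in realms.items():
        if not isinstance(body, dict) or "kdc" not in body:
            findings.append(f"realm {realm}: no kdc configured")
    for domain, realm in cfg.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"domain_realm {domain} -> {realm}: realm not defined in [realms]")
    return findings


# Constructed sample: the krb5.conf from section 2.8 of the report.
SAMPLE_CONF = """
[libdefaults]
        default_realm = CSNC.CH
        dns_lookup_kdc = true
[realms]
        CSNC.CH = {
                kdc = merlin3.csnc.ch
                admin_server = merlin3.csnc.ch
        }
[domain_realm]
        .csnc.ch = CSNC.CH
        .subdomain.csnc.ch = CSNC.CH
[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                version = 10
        }
[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
"""

if __name__ == "__main__":
    cfg = parse_krb5_conf(SAMPLE_CONF)
    print(lint_krb5_conf(cfg) or "krb5.conf looks consistent")
    print(canonical_principal(cfg, "ibuetler@csnc.ch"))
```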

3 Phase 2: LDAP over SSL Setup

3.1 Objectives

Without LDAP, users and groups are normally resolved from the files /etc/passwd and /etc/group. If an Active Directory (or a NIS) is used, the user data can be resolved through an external entity. We now aim to configure the Solaris 10 system in such a way that users and groups are resolved in the Active Directory. The interface for the allocation of users and groups is realised via LDAP. For this the LDAP interface of the Active Directory must be activated (which is the default).

This report is based on a guide that configures LDAP queries without SSL activated. If you want to use LDAP without SSL, skip chapters 3.2, 3.3 and 3.4 and proceed with chapter 3.5.

Phase 2: LDAP over SSL in the Active Directory

In the second phase LDAP over SSL is activated in the Active Directory. This is compulsory because the Solaris 10 system will resolve users via LDAP over SSL. Plain LDAP is regarded as insecure and is not recommended.

  - Testing of the LDAP over SSL interface at Active Directory
  - Activation of the LDAP over SSL interface
  - Retesting of LDAP over SSL
  - Installation of a lookup account in Active Directory (proxyuser)
  - Configuration of the SSL CA certificate on the Solaris10 system

3.2 Active Directory: LDAP SSL requests (1)

In a first step it is tested whether LDAP over SSL is already activated. For this purpose the Microsoft Resource Kit tool "ldp.exe" is used in this example. The same test is also feasible with OpenSSL.

  - Start the Microsoft tool "ldp" and click on "Connect" (ldp is an LDAP browser contained in the Microsoft Resource Kit).
  - Configure an SSL connection to port 636 of the Active Directory.
  - If an error message as shown on the left appears, LDAP over SSL has not been activated.

You can also execute this test with OpenSSL using the following syntax:

    openssl s_client -connect HOST:636

3.3 Active Directory: Activation of LDAP over SSL

The activation of LDAP over SSL in the Active Directory is not a core issue of this report. The steps necessary to activate LDAP over SSL in the Active Directory for this report are described in detail in the appendix (chapter 8, "Active Directory: Activation of the LDAP over SSL").

3.4 Active Directory: LDAP SSL requests (2)

After LDAP over SSL has been activated, the following test should succeed without any error messages.

  - Start the Microsoft tool "ldp", which is meant for accessing the AD.
  - Configure an SSL connection.

The request returns at least one response. To be on the safe side we test again using JXplorer, a powerful, freely available LDAP browser. Unless the CA certificate is first introduced to the tool, the SSL validation will fail.

  1) Delete the existing cacerts file.
  2) Import the CA certificate into the JXplorer keystore:

    "C:\Program Files\Java\jre1.5.0_06\bin\keytool.exe" -import -file "C:\ca.crt" -keystore "S:\Program Files\jxplorer\security\cacerts"

After the CA certificate has been imported, you can try to establish an LDAP over SSL connection. For this purpose the following profile should be used.

The access is possible (if you type in the correct password).

3.5 Active Directory: Installation of an LDAP Proxy User

In order to enable the Solaris 10 host to browse the POSIX schema in the AD, a proxy user must be installed in the AD. This user is used by the Unix computers for their lookups.

  - The proxy user is a member of "Domain Guests".
  - DN of the user: CN=proxyuser,OU=Technical,OU=Compass Users,dc=csnc,dc=ch

It should be checked next whether this user can also access the AD via LDAP.

3.6 Solaris10: Configuration of the CA Certificate

Now that the Active Directory can be addressed through SSL, the Solaris 10 host must be instructed to use this interface. First an empty certificate database is created.

Step 1: Creation of the NSS DB (don't enter a password, just hit return)

    root@torro:/var/ldap# /usr/sfw/bin/certutil -N -d /var/ldap/
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.

    Enter new password:
    Re-enter password:
    root@torro:/var/ldap# ls -lt
    total 643
    -rw-------   1 root     root     Jul 31 08:18 key3.db
    -rw-------   1 root     root     Jul 31 08:18 cert8.db
    -rw-------   1 root     root     Jul 31 08:18 secmod.db
    root@torro:/var/ldap# strings *
    Version
    1i1p
    Hpassword-check
    global-salt
    Version
    NSS Internal PKCS #11 Module
    Kconfigdir='/var/ldap' certprefix='' keyprefix='' secmod='secmod.db' flags=
    NSS Internal PKCS #11 Module

Step 2: Importing the Certification Authority certificate

    root@torro:/var/ldap# /usr/sfw/bin/certutil -A -n "ca-cert" -i ~root/ca.crt -a -t CT -d /var/ldap/
    root@torro:/var/ldap# ls -lt
    total 643
    -rw-------   1 root     root     Jul 31 08:22 key3.db
    -rw-------   1 root     root     Jul 31 08:22 cert8.db
    -rw-------   1 root     root     Jul 31 08:18 secmod.db

After the import, "strings *" in /var/ldap shows the subject of the imported CA certificate (Rapperswil, CSNC CA, ivan.buetler@csnc.ch) inside cert8.db.

Step 3: Checking whether the Solaris host is accessible by its FQDN

    root@torro:/var/ldap# ifconfig -a
    lo0:1: flags=<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    e1000g0:1: flags=<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet <IP of torro> netmask ffffff00 broadcast <broadcast address>
    root@torro:/var/ldap# getent hosts torro.csnc.ch
    <IP of torro>    torro.csnc.ch torro loghost

The above step repeats the check of chapter 2.7.

3.7 Solaris10: Testing of LDAP over SSL through ldapsearch

Now it is tested whether the Solaris 10 machine can access the Active Directory using LDAP over SSL.

    root@torro:/var/ldap# ldapsearch -v -h merlin3.csnc.ch -p 636 -Z -P /var/ldap/cert8.db -b "dc=csnc,dc=ch" -s base "objectclass=*"
    ldapsearch: started Tue Jul 31 08:32:
    ldap_init( merlin3.csnc.ch, 636 )
    filter pattern: objectclass=*
    returning: ALL
    filter is: (objectclass=*)
    ldap_search: Operations error
    ldap_search: additional info: 000004DC: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    0 matches

The above attempt fails because no user has been given for the ldap_bind yet. This user was created in chapter 3.5 and is called "proxyuser" in our example. Try again to access the AD using LDAP over SSL, giving the user name proxyuser and the password.

    root@torro:/var/ldap# ldapsearch -v -h merlin3.csnc.ch -p 636 -D "CN=proxyuser,OU=Technical,OU=Compass Users,dc=csnc,dc=ch" -Z -P /var/ldap/cert8.db -b "dc=csnc,dc=ch" -s base "objectclass=*"
    Enter bind password:
    ldapsearch: started Tue Jul 31 08:40:
    ldap_init( merlin3.csnc.ch, 636 )
    filter pattern: objectclass=*
    returning: ALL
    filter is: (objectclass=*)
    version: 1
    dn: dc=csnc,dc=ch
    objectclass: top
    objectclass: domain
    objectclass: domaindns
    distinguishedname: DC=csnc,DC=ch
    instancetype: 5
    whencreated: Z
    whenchanged: Z
    subrefs: DC=ForestDnsZones,DC=csnc,DC=ch
    subrefs: DC=DomainDnsZones,DC=csnc,DC=ch
    subrefs: CN=Configuration,DC=csnc,DC=ch
    usncreated: 4098

As can be seen from the above output, manual access via LDAP over SSL is now possible.

4 Phase 3: UNIX Users and Groups in the Active Directory

4.1 Objectives

After the Solaris 10 system has successfully been configured for Kerberos and the LDAP over SSL access to the Active Directory is working, the next step deals with the migration of users, groups and other NIS databases into the Active Directory.

In a first step the Active Directory must be configured so that POSIX values are recognised. These steps need only be carried out once. If other Unix derivatives are already administered in the Active Directory, these steps have probably been executed before. It is essential to introduce the POSIX Unix account schema to the Microsoft user management.

Phase 3: Installation of UNIX Services in Active Directory

The next step deals with the installation of the POSIX schema in Active Directory. This is compulsory so that Active Directory can recognise UNIX attributes such as uid, uidnumber, gid, gidnumber, etc.

  - Installation of UNIX Services in Active Directory
  - Configuration of the first POSIX group
  - Configuration of the first POSIX user
  - Adjusting performance enhancement for the lookup

4.2 Active Directory: Installation of UNIX Service

Link:

On the Active Directory server you install the POSIX LDAP schema into the Active Directory via "Identity Management for UNIX". The installation requires CD 2.

Then NIS is installed, which contains the POSIX LDAP schema. Now the installation is completed.

A reboot is necessary. Before the installation the user properties looked as shown on the left.

After the installation the user properties look as shown on the left. The Unix attributes can now be configured. In our example the Unix attributes for the user "ibuetler" have been configured as shown.

The groups are also given Unix attributes.

4.3 Active Directory: Indexation

To speed up the resolution of UNIX users via LDAP, the most important LDAP attributes can be indexed in the Active Directory. You can enforce the indexation in the Active Directory with the Schema Management snap-in. The following command registers the snap-in, which is invisible in the MMC without this registration:

    regsvr32 schmmgmt


4.4 Active Directory: NIS Maps

Using the "Microsoft Identity Management for UNIX" MMC snap-in, the settings for the NIS service can be configured.

5 Phase 4: Final Setup

5.1 Objectives

Phase 4: Final Setup

After all the components have been configured and adjusted "correctly", the fourth phase deals with the final setup of the Solaris 10 and Active Directory cooperation.

  - LDAP configuration of Solaris10
  - /etc/nsswitch.conf adjustment in Solaris10
  - Restart of services
  - Test whether getent passwd <user> works
  - Configuration of PAM
  - Reboot Solaris

5.2 Solaris10: LDAP Configuration Part 2 (ldapclient)

After the manual test of chapter 3.7 (LDAP over SSL) has been successful, this step defines a persistent LDAP over SSL configuration for Solaris 10. The tool for installing a persistent LDAP configuration is "ldapclient". It is recommended to save a copy of the file /etc/nsswitch.conf before this step, as the program ldapclient modifies /etc/nsswitch.conf.

With this script the persistent LDAP connection using LDAP over SSL is installed:

    root@torro:/# cat do_ldapclient1.sh
    ldapclient manual \
      -a credentiallevel=proxy \
      -a authenticationmethod=tls:simple \
      -a proxydn="cn=proxyuser,ou=technical,ou=compass Users,dc=csnc,dc=ch" \
      -a proxypassword=mysecret \
      -a defaultsearchbase=dc=csnc,dc=ch \
      -a domainname=csnc.ch \
      -a defaultserverlist=<IP of merlin3> \
      -a attributemap=group:userpassword=userpassword \
      -a attributemap=group:memberuid=memberuid \
      -a attributemap=group:gidnumber=gidnumber \
      -a attributemap=passwd:gecos=cn \
      -a attributemap=passwd:gidnumber=gidnumber \
      -a attributemap=passwd:uidnumber=uidnumber \
      -a attributemap=passwd:homedirectory=unixhomedirectory \
      -a attributemap=passwd:loginshell=loginshell \
      -a attributemap=shadow:shadowflag=shadowflag \
      -a attributemap=shadow:userpassword=userpassword \
      -a objectclassmap=group:posixgroup=group \
      -a objectclassmap=passwd:posixaccount=user \
      -a objectclassmap=shadow:shadowaccount=user \
      -a servicesearchdescriptor=passwd:dc=csnc,dc=ch?sub \
      -a servicesearchdescriptor=group:dc=csnc,dc=ch?sub

Now the script is executed and produces the following output:

    root@torro:/# bash do_ldapclient1.sh
    System successfully configured

With this command all the relevant Solaris 10 LDAP information has been stored in /var/ldap.

5.3 Solaris10: Testing of the LDAP Configuration

After the above "ldapclient" command has been executed successfully, you can test whether the installation works using ldaplist.

    root@torro:/# ldaplist -l passwd ibuetler
    dn: gecos=ivan Buetler,OU=Personal,OU=Compass Users,DC=csnc,DC=ch
            objectclass: top
            objectclass: person
            objectclass: organizationalperson
            objectclass: posixaccount
            cn: Ivan Buetler
            sn: Buetler
            physicaldeliveryofficename: Rapperswil
            givenname: Ivan
            distinguishedname: CN=Ivan Buetler,OU=Personal,OU=Compass Users,DC=csnc,DC=ch
            instancetype: 4
            whencreated: Z
            whenchanged: Z
            displayname: Ivan Buetler
            usncreated:
            uid: ibuetler
            mail: ivan.buetler@csnc.ch
            uidnumber:
            gidnumber:
            homedirectory: /opt/home/ibuetler
            loginshell: /bin/bash

Please note: the output above was shortened.

5.4 Solaris10: Modification of /etc/nsswitch.conf

Now the Solaris 10 system must be instructed to resolve certain databases, such as passwd or group, via LDAP. In addition, hosts should be resolved via DNS. The nsswitch.conf that works for these instructions:

    root@torro:/# cat /etc/nsswitch.conf
    #
    # CDDL HEADER START
    #
    # The contents of this file are subject to the terms of the
    # Common Development and Distribution License (the "License").
    # You may not use this file except in compliance with the License.
    #
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    #ipnodes:   files       # Commented out by DHCP
    ipnodes:    files dns   # Added by DHCP
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    # At present there isn't a 'files' backend for netgroup;  the system will
    #   figure it out pretty quickly, and won't use netgroups at all.
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

5.5 Solaris10: LDAP Client Restart

After the above changes it is compulsory to restart the LDAP client service under Solaris 10:

    root@torro:/# svcadm restart svc:/network/ldap/client:default

5.6 Solaris10: DNS Check

For all components to work properly, the Solaris 10 DNS client service must be enabled in the SMF:

    svcs -a | grep dns

If it is disabled, enable it:

    svcadm enable svc:/network/dns/client:default

If it is online, everything is fine.

5.7 Solaris10: Testing of GETENT PASSWD

Now we test whether the POSIX account "ibuetler" can be made known to the Solaris 10 system via Active Directory, using the command "getent passwd ibuetler". The preconditions for this test are:

- Active Directory and Solaris10 LDAP over SSL is activated (Phase 2)
- Active Directory extended for POSIX account information (Phase 4)
- User ibuetler has the POSIX values configured (Phase 4)
- Solaris10 /etc/nsswitch.conf is activated and configured (Phase 4)

    root@torro:/# hostname
    torro
    root@torro:/# grep passw /etc/nsswitch.conf
    passwd: files ldap
    root@torro:/# grep ibuetler /etc/passwd
    root@torro:/# getent passwd ibuetler
    ibuetler:x:10000:10000:ivan Buetler:/opt/home/ibuetler:/bin/bash

The data for "ibuetler" originate from the LDAP directory.
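To run the resolution checks above in one go, here is an added example in POSIX shell; it is not part of the original document. It audits an nsswitch.conf for the "ldap" and "dns" sources, confirms the account is not a local one, and validates the fields of the getent result. The sample nsswitch.conf, passwd file and passwd entry are constructed from the values shown above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): verify the name-service path
# that "getent passwd ibuetler" relies on. The functions take file paths and
# passwd lines as arguments so they can be pointed at /etc/nsswitch.conf,
# /etc/passwd and real getent output; the sample data at the bottom is
# constructed from the values shown on the page.

# Succeed if FILE (an nsswitch.conf) lists SOURCE for DATABASE,
# e.g. nss_has_source /etc/nsswitch.conf passwd ldap. Comment lines are skipped.
nss_has_source() {
    file=$1; db=$2; src=$3
    awk -v db="$db:" -v src="$src" '
        $1 !~ /^#/ && $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit (found ? 0 : 1) }' "$file"
}

# Succeed if USER has no entry in the local passwd FILE, so a positive getent
# result can only have come from the "ldap" source.
not_in_local_passwd() {
    file=$1; user=$2
    ! grep -q "^${user}:" "$file"
}

# Validate one passwd(4) line as returned by getent and print
# "uid gid home shell". Fails unless there are seven fields and uid/gid are numeric.
parse_passwd_line() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7                              { exit 1 }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { exit 1 }
        { print $3, $4, $6, $7 }'
}

# The combined check performed on the page: passwd is routed through ldap,
# the user is not a local account, and the resolved entry is well-formed.
check_ad_user() {
    nsswitch=$1; passwd=$2; user=$3; resolved=$4
    nss_has_source "$nsswitch" passwd ldap ||
        { echo "passwd: in $nsswitch does not list ldap" >&2; return 1; }
    not_in_local_passwd "$passwd" "$user" ||
        { echo "$user is a local account in $passwd" >&2; return 1; }
    fields=$(parse_passwd_line "$resolved") ||
        { echo "no or malformed entry for $user" >&2; return 1; }
    echo "$user resolved via ldap: uid/gid/home/shell = $fields"
}

# --- constructed sample data, modelled on the page's output ---
tmp=${TMPDIR:-/tmp}/nsscheck.$$
mkdir -p "$tmp"
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed excerpt of /etc/nsswitch.conf
passwd:     files ldap
group:      files ldap
hosts:      files dns
ipnodes:    files
EOF
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
EOF
sample_entry='ibuetler:x:10000:10000:ivan Buetler:/opt/home/ibuetler:/bin/bash'

check_ad_user "$tmp/nsswitch.conf" "$tmp/passwd" ibuetler "$sample_entry"
# On a live host: check_ad_user /etc/nsswitch.conf /etc/passwd ibuetler "$(getent passwd ibuetler)"
```

An empty getent result, as for "johndoe" further on in this guide, fails the seven-field check and is reported as "no or malformed entry", which separates "not resolvable via LDAP" from "resolved but with broken POSIX attributes" (a non-numeric uidNumber, for instance).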

5.8 Solaris10: PAM Configuration

Unlike older guides, Solaris 10 does not require pam_ldap to be configured separately; the existing PAM modules already include the LDAP interface. The following PAM configuration works for Kerberos-based SSH login via GSSAPI (putty.exe):

    root@torro:/# cat /etc/pam.conf
    # AUTHENTICATION
    # login service (explicit because of pam_dial_auth)
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth required           pam_unix_cred.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    passwd  auth required           pam_passwd_auth.so.1
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth required           pam_unix_auth.so.1
    # ACCOUNT MANAGEMENT
    cron    account required        pam_unix_account.so.1
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    # SESSION
    other   session required        pam_unix_session.so.1
    # PASSWORD
    other   password required       pam_dhkeys.so.1
    other   password sufficient     pam_krb5.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password required       pam_authtok_store.so.1

5.9 Solaris10: Reboot Solaris

According to other guides, Solaris setups have run into problems when no reboot was carried out. We therefore recommend rebooting at this stage.

6 Phase 5: User Tests with SSH

6.1 Objectives

In this chapter various tests covering the interaction of Solaris 10 and Active Directory are performed. All of these test cases should work after an installation following these instructions.

Finally it is tested whether the interaction between Solaris 10 and Active Directory works for SSH. For this purpose the following test cases are carried out:

- Test Switch User (su)
- Test SSH with username/password (Active Directory username/password)
- Test SSH with Kerberos under Solaris
- Test SSH with Kerberos under Windows
- Test SSH if the user is deactivated in Active Directory

6.2 Switch User

In a first test we check whether a switch user from "root" to an "AD user" can be executed.

    root@torro:/# grep ibuetler /etc/passwd
    root@torro:/# getent passwd ibuetler
    ibuetler:x:10000:10000:ivan Buetler:/opt/home/ibuetler:/bin/bash
    root@torro:/# su - ibuetler
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    ibuetler@torro:~$

In this example the switch user works. What if su does not work because the user does not exist in the AD?

    root@torro:/# grep johndoe /etc/passwd
    root@torro:/# getent passwd johndoe
    root@torro:/# su - johndoe
    su: Unknown id: johndoe
    root@torro:/#

Note that the command "getent passwd johndoe" returns nothing. This means that the user can NOT be resolved via LDAP.

6.3 SSH Access 1 (Username/Password)

With this setup an SSH connection to the Solaris machine is attempted while the SSH client has NO valid Kerberos ticket. The PAM configuration looks as follows:

    root@tarribo:/opt/torro/root/etc# cat pam.conf
    # AUTHENTICATION
    # login service (explicit because of pam_dial_auth)
    login   auth requisite          pam_authtok_get.so.1
    login   auth required           pam_dhkeys.so.1
    login   auth required           pam_unix_cred.so.1
    login   auth required           pam_unix_auth.so.1
    login   auth required           pam_dial_auth.so.1
    passwd  auth required           pam_passwd_auth.so.1
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_dhkeys.so.1
    other   auth sufficient         pam_krb5.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth required           pam_unix_auth.so.1
    # ACCOUNT MANAGEMENT
    cron    account required        pam_unix_account.so.1
    other   account requisite       pam_roles.so.1
    other   account required        pam_unix_account.so.1
    other   account required        pam_ldap.so.1
    # SESSION
    other   session required        pam_unix_session.so.1
    # PASSWORD
    other   password required       pam_dhkeys.so.1
    other   password sufficient     pam_krb5.so.1
    other   password requisite      pam_authtok_get.so.1
    other   password requisite      pam_authtok_check.so.1
    other   password required       pam_authtok_store.so.1

Evidence: SSH connection from an SSH client that has NO Kerberos configured.

    klist
    The program 'klist' can be found in the following packages:
     * heimdal-clients
     * krb5-user
    Try: apt-get install <selected package>
    Make sure you have the 'universe' component enabled
    -bash: klist: command not found
    root@xor:~# ssh -l ibuetler
    Password:
    Last login: Thu Aug 2 11:57: from medion-renggli.
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    ibuetler@torro:~$

The Active Directory password had to be entered at the password prompt to log in successfully. The critical configuration in pam.conf is:

    other   auth sufficient         pam_krb5.so.1

If this entry is missing, successful authentication via SSH is not possible.
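The following added example, which is not from the original document, turns the "critical configuration" check above into a small audit script for pam.conf. It resolves the effective auth stack of a service the way PAM does, falling back to the "other" entries when the service has none of its own, and checks that pam_krb5.so.1 is present as "sufficient" and placed before pam_unix_auth.so.1. The sample pam.conf is constructed from the listing above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original document): audit a Solaris pam.conf for
# the entry the text calls critical, "other auth sufficient pam_krb5.so.1".
# pam.conf(4) lines have the form: service type control module [options].
# The functions take the file path as an argument so they can be run against
# /etc/pam.conf; the file at the bottom is constructed from the page's listing.

# Print "control module" lines making up the TYPE stack for SERVICE. Like PAM,
# fall back to the "other" entries when the service has none of that type.
pam_stack() {
    file=$1; service=$2; type=$3
    awk -v svc="$service" -v typ="$type" '
        $1 ~ /^#/ || NF < 4 { next }
        $2 != typ           { next }
        $1 == svc           { own = own $3 " " $4 "\n" }
        $1 == "other"       { oth = oth $3 " " $4 "\n" }
        END { printf "%s", (own != "" ? own : oth) }' "$file"
}

# Succeed if the effective auth stack for SERVICE has pam_krb5.so.1 with
# control "sufficient" placed before pam_unix_auth.so.1. With "sufficient", a
# Kerberos success ends the stack there (provided no earlier required module
# failed), so the local password check, which an AD-only account without a
# local hash would fail, is never reached.
pam_krb5_auth_ok() {
    pam_stack "$1" "$2" auth | awk '
        $1 == "sufficient" && $2 == "pam_krb5.so.1" { krb = NR }
        $2 == "pam_unix_auth.so.1"                   { unixauth = NR }
        END { exit ((krb && (!unixauth || krb < unixauth)) ? 0 : 1) }'
}

# --- constructed sample, modelled on the page's /etc/pam.conf listing ---
tmp=${TMPDIR:-/tmp}/pamaudit.$$
mkdir -p "$tmp"
cat > "$tmp/pam.conf" <<'EOF'
# constructed excerpt
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth sufficient         pam_krb5.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
EOF
# Variant without the Kerberos entry: the case the text says breaks SSH password login.
sed '/pam_krb5/d' "$tmp/pam.conf" > "$tmp/pam-nokrb5.conf"
# Variant with the entry present but after pam_unix_auth, so it never takes effect.
{ sed '/pam_krb5/d' "$tmp/pam.conf"; echo "other   auth sufficient         pam_krb5.so.1"; } > "$tmp/pam-late.conf"

echo "sshd auth stack (falls back to 'other'):"
pam_stack "$tmp/pam.conf" sshd auth
for f in "$tmp/pam.conf" "$tmp/pam-nokrb5.conf" "$tmp/pam-late.conf"; do
    if pam_krb5_auth_ok "$f" sshd; then
        echo "$f: OK"
    else
        echo "$f: pam_krb5 sufficient missing or misplaced"
    fi
done
```

Running the audit against the "login" service shows the other side of the page's listing: login has its own auth entries without pam_krb5, so the fallback to "other" does not apply and the check fails, which is why the text exercises SSH rather than console login for Kerberos.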

6.4 SSH Access 2 (SSO with Kerberos under Solaris10)

With this test case we check whether we can log in to the Solaris 10 system without re-entering credentials when a valid ticket is available.

    ibuetler@torro:~$ id
    uid=10000(ibuetler) gid=10000(unix)

Check whether a valid ticket is available (yes):

    ibuetler@torro:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_10000
    Default principal: ibuetler@csnc.ch
    Valid starting       Expires              Service principal
    08/02/07 11:56:58    08/02/07 21:53:03    krbtgt/csnc.ch@csnc.ch
            renew until 08/09/07 11:57:15

Establish an SSH connection (with a valid ticket):

    ibuetler@torro:~$ ssh -l ibuetler torro.csnc.ch
    Last login: Thu Aug 2 12:00: from medion-renggli.
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007

Delete the valid ticket (for testing purposes):

    ibuetler@torro:~$ kdestroy

Establish an SSH connection again (without a valid ticket):

    ibuetler@torro:~$ ssh -l ibuetler torro.csnc.ch
    Password:
    Password:
    Password:
    Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

This shows that SSH access without a password is possible with Kerberos, provided the client already holds a valid ticket.

6.5 SSH Access 3 (SSO with Kerberos and putty)

In this test we check whether we can log in to Solaris 10 with a GSSAPI-enabled putty.exe, using the Windows Kerberos ticket and without entering the password. Special DLLs must be installed before putty.exe can work with Kerberos at all; for this purpose MIT Kerberos for Windows 3.2 was installed on the Windows computer.

Configuration of the Solaris10 host in Putty (screenshot in the original).

Configuration of GSSAPI (screenshot in the original).

Access is possible without entering the Active Directory password because the user already holds a valid Windows Kerberos ticket on the XP workstation.

6.6 SSH Access 4 (User in the Active Directory is "disabled")

In this test the user "ibuetler" has been deactivated in the Active Directory. Afterwards, login via SSH is no longer possible (see below).

7 Misc

7.1 Open Issues

1. Changing the password from an SSH shell is not possible in the above setup. The password in the KDC (Active Directory) must be changed via the Windows XP "Change Password" routine.
2. LDAP access from the Solaris 10 system using Kerberos (instead of the proxy user with tls:simple username/password authentication) has not been implemented yet.

8 Appendix

8.1 Solaris10: Creation of Solaris10 Non-Global Zone torro

For this test a Solaris 10 non-global zone was created and integrated into the AD.

    zonemgr-1.8.sh -a add -n torro -z "/opt" -P "johndoe" -I " e1000g0 24 torro"
    Checking to see if the zone IP address ( ) is already in use... IP is available.
    A ZFS file system has been created for this zone.
    Preparing to install zone <torro>.
    Creating list of files to copy from the global zone.
    Copying <67882> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1244> packages on the zone.
    Initialized <1244> packages on zone.
    Zone <torro> is initialized.
    The file </opt/torro/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
    Creating the sysidcfg file for automated zone configuration.
    Booting zone for the first time.
    Waiting for first boot tasks to complete.
    Updating netmask information.
    Updating /etc/inet/hosts of the global zone with the torro IP information.
    Zone torro is ready.

    bash-3.00# zoneadm list -cv
      ID NAME             STATUS     PATH                           BRAND    IP
       0 global           running    /                              native   shared
       2 torro            running    /opt/torro                     native   shared

8.2 Solaris10: DNS and Network Settings for the Zone "torro"

For Kerberos to work properly, the Solaris 10 host must be able to resolve the FQDN of the KDC. This means that the KDC must be registered in the DNS. In our example we configured the DNS resolver of the Solaris 10 host to talk to the AD DNS server.

    root@torro:/# cat /etc/resolv.conf
    domain csnc.ch
    nameserver

In addition it must be ensured that host entries are resolved via DNS.

    root@torro:/# grep hosts /etc/nsswitch.conf
    # "hosts:" and "services:" in this file are used only if the
    hosts:      files dns

8.3 Active Directory: Activation of the LDAP over SSL Configuration

In the laboratory LDAP over SSL was set up according to the following procedure. More detailed instructions for certificate handling: px

1. Run certtmpl.msc and rename the template to LDAP.
2. Change the subject to "Fully distinguished name".
3. Download the VBS program from the link above.
4. Execute the following command at the prompt, where LDAP is the name of the template created above:

    reqdccert LDAP A

After double-clicking the VBS file the directory looks as follows (screenshot in the original). The file "MERLIN.inf" still has to be edited: the subject identifier must be inserted.

Modification of the file MERLIN.inf:

    [Version]
    Signature= "$Windows NT$"

    [NewRequest]
    Subject = "CN=MERLIN3,OU=Domain Controllers,dc=csnc,dc=ch"
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=
    OID=

    ;
    ; The subject alternative name (SAN) can be included in the INF-file
    ; for a Windows 2003 CA.
    ; You don't have to specify the SAN when submitting the request.
    ;
    [Extensions]
    =MBGCD21lcmxpbjMuY3NuYy5jaA==
    Critical=

    ;
    ; The template name can be included in the INF-file for any CA.
    ; You don't have to specify the template when submitting the request.
    ;
    ;[RequestAttributes]
    ;CertificateTemplate=LDAP

Subsequently a Certificate Signing Request is generated. Below, the signing request is processed by the CA.

    ./sign-req MERLIN3
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    domainComponent       :IA5STRING:'ch'
    domainComponent       :IA5STRING:'csnc'
    organizationalUnitName:PRINTABLE:'Domain Controllers'
    commonName            :PRINTABLE:'MERLIN3.CSNC.CH'
    Certificate is to be certified until Jul 24 14:00: GMT (3650 days)
    Sign the certificate? [y/n]:

    ls -lt
    total 149
    -rw-r--r--   1 root     3830 Jul 27 11:51 MERLIN3.crt
    -rw-r--r--   1 root     3830 Jul 27 11:51 17.pem

The CA has created the file MERLIN3.crt.

Integration of the certificate into the Active Directory

Start MMC.

Start the Certificate snap-in.

Open the "Computer account" snap-in.

The certificate is issued for "Server Authentication". Afterwards a reboot of the server is requested.

8.4 Tools

Ktpass.exe

    C:\kerberos>ktpass.exe -h
    Command line options:

    most useful args
    [- /]      out : Keytab to produce
    [- /]    princ : Principal name (user@realm)
    [- /]     pass : password to use
                     use "*" to prompt for password.
    [- +]  rndpass : ... or use +rndpass to generate a random password
    [- /]  minpass : minimum length for random password (def:15)
    [- /]  maxpass : maximum length for random password (def:256)
    less useful stuff
    [- /]  mapuser : map princ (above) to this user account (default: don't)
    [- /]    mapop : how to set the mapping attribute (default: add it)
    [- /]    mapop : is one of:
    [- /]    mapop : add : add value (default)
    [- /]    mapop : set : set value
    [- +]  DesOnly : Set account for des-only encryption (default:don't)
    [- /]       in : Keytab to read/digest
    options for key generation
    [- /]   crypto : Cryptosystem to use
    [- /]   crypto : is one of:
    [- /]   crypto : DES-CBC-CRC : for compatibility
    [- /]   crypto : DES-CBC-MD5 : for compatibliity
    [- /]   crypto : RC4-HMAC-NT : default 128-bit encryption
    [- /]    ptype : principal type in question
    [- /]    ptype : is one of:
    [- /]    ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
    [- /]    ptype : KRB5_NT_SRV_INST : user service instance
    [- /]    ptype : KRB5_NT_SRV_HST : host service instance
    [- /]     kvno : Override Key Version Number
                     Default: query DC for kvno.  Use /kvno 1 for Win2K compat.
    [- +]   Answer : +Answer answers YES to prompts.  -Answer answers NO.
    [- /]   Target : Which DC to use.  Default:detect
    options for trust attributes (Windows Server 2003 Sp1 Only
    [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
    [- /] TrustEncryp : Trust Encryption to use; DES is default
    [- /] TrustEncryp : is one of:
    [- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
    [- /] TrustEncryp : DES : go back to DES

    C:\kerberos>

reqdccert.vbs

This tool originates from: px

    Set oargs = WScript.Arguments
    Set oshell = WScript.CreateObject("WScript.Shell")
    '
    ' Parse command line
    '
    if oargs.count < 1 then
        stemplatename = "DomainController"
        stype = "E"
    else
        if ((oargs(0) = "-?") or (oargs.count < 2)) then
            Wscript.Echo "Usage: reqdccert.vbs [Templatename] [Type]"
            Wscript.Echo "[Templatename] is the name of a V2 template"
            Wscript.Echo "[Type] can be E for and A for Authentication certificate"
            Wscript.Echo "If no option is specified, the DomainController certificate template is used."
            Wscript.Quit 1
        else
            stemplatename = oargs(0)
            stype = oargs(1)
        end if
    end if

    Set ofilesystem = CreateObject("Scripting.FileSystemObject")
    Set objsysinfo = CreateObject("ADSystemInfo")
    Set objdc = GetObject("LDAP://" & objsysinfo.computername)
    sguid = objdc.guid
    sdnshostname = objdc.dnshostname
    shostname = objdc.cn
    '
    ' Create the ASN.1 file
    '
    Dim aasnsubstring(2, 5)
    Const HEX_DATA_LENGTH = 1
    Const ASCIIDATA = 2
    Const HEXDATA = 3
    Const HEX_BLOB_LENGTH = 4
    Const HEX_TYPE = 5

    aasnsubstring(0, ASCIIDATA) = sdnshostname
    aasnsubstring(0, HEX_TYPE) = "82"
    '
    ' Convert DNS name into Hex
    '
    For i = 1 to Len(aasnsubstring(0, ASCIIDATA))
        aasnsubstring(0, HEXDATA) = aasnsubstring(0, HEXDATA) & _
            Hex(Asc(Mid(aasnsubstring(0, ASCIIDATA), i, 1)))
    Next
    aasnsubstring(0, HEX_DATA_LENGTH) = ComputeASN1(Len(aasnsubstring(0, HEXDATA)) / 2)
    '
    ' Build the ASN.1 blob for DNS name
    '
    sasn = aasnsubstring(0, HEX_TYPE) & _
           aasnsubstring(0, HEX_DATA_LENGTH) & _
           aasnsubstring(0, HEXDATA)
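The base64 string in the [Extensions] section of MERLIN.inf above and the hex-building loop in reqdccert.vbs encode the same thing: a DER GeneralNames SEQUENCE (tag 0x30) holding one dNSName (context tag [2], i.e. 0x82, the "82" the script uses as HEX_TYPE). The following added example, which is not from the original document or from the tool, rebuilds that value with POSIX shell tools from the host name merlin3.csnc.ch and compares it with the value on the page. der_len, san_dnsname_hex, hex_to_bytes and san_dnsname_b64 are helper names chosen here; they implement short-form DER lengths only, not the script's ComputeASN1 routine.

```shell
#!/bin/sh
# Added example (not from the original document): rebuild the subjectAltName
# value that reqdccert.vbs writes into the INF file, to show what the base64
# string in "[Extensions]" contains. It is the DER encoding of
# GeneralNames { dNSName "merlin3.csnc.ch" }: tag 0x30 (SEQUENCE), length,
# then context tag [2] = 0x82 (dNSName), length, and the host name bytes.
# These helpers are written for this example and use DER short-form lengths
# only (host names up to 125 bytes); they are not the script's ComputeASN1.

# Print a short-form DER length byte for N (N <= 127) as two hex digits.
der_len() {
    [ "$1" -le 127 ] || { echo "der_len: $1 needs a long-form length" >&2; return 1; }
    printf '%02x' "$1"
}

# Print the DER encoding of GeneralNames { dNSName NAME } as a hex string.
san_dnsname_hex() {
    name=$1
    nlen=${#name}
    nhex=$(printf '%s' "$name" | od -An -tx1 | tr -d ' \n')
    name_len=$(der_len "$nlen") || return 1
    seq_len=$(der_len $((nlen + 2))) || return 1   # 2 = dNSName tag + its length byte
    printf '30%s82%s%s' "$seq_len" "$name_len" "$nhex"
}

# Write the bytes of a hex string to stdout using printf octal escapes.
hex_to_bytes() {
    hex=$1
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}
        hex=${hex#??}
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
}

# Base64 of the DER blob, i.e. the value that goes into the INF file.
# Uses base64(1) and falls back to openssl if it is not installed.
san_dnsname_b64() {
    hex=$(san_dnsname_hex "$1") || return 1
    if command -v base64 >/dev/null 2>&1; then
        hex_to_bytes "$hex" | base64
    else
        hex_to_bytes "$hex" | openssl base64
    fi | tr -d '\n'
}

# The page's domain controller is merlin3.csnc.ch; its INF file carries
# MBGCD21lcmxpbjMuY3NuYy5jaA== as the extension value.
page_value='MBGCD21lcmxpbjMuY3NuYy5jaA=='
echo "DER (hex): $(san_dnsname_hex merlin3.csnc.ch)"
echo "base64:    $(san_dnsname_b64 merlin3.csnc.ch)"
if [ "$(san_dnsname_b64 merlin3.csnc.ch)" = "$page_value" ]; then
    echo "matches the value in the INF file on the page"
else
    echo "does NOT match the page's value"
fi
```

Decoding the page's value the other way round gives the bytes 30 11 82 0f followed by the ASCII of merlin3.csnc.ch, which is why the SAN carries the lower-case DNS name from objdc.dnshostname while the Subject in the INF file uses the upper-case CN.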


More information

Scenarios for Setting Up SSL Certificates for View

Scenarios for Setting Up SSL Certificates for View Scenarios for Setting Up SSL Certificates for View VMware Horizon 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

Obtaining SSL Certificates for VMware View Servers

Obtaining SSL Certificates for VMware View Servers Obtaining SSL Certificates for VMware View Servers View 5.1 View Composer 3.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection.

How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection. How to Enable Internet for Guest Virtual Machine using Wi-Fi wireless Internet Connection. Table of Contents 1) Host, Guest and VBox version.... 2 2) Check your current Host and Guest Details... 3 3) Now

More information

Configure Samba with ACL and Active Directory integration Robert LeBlanc (leblanc@byu.edu) BioAg Computer Support, Brigham Young University

Configure Samba with ACL and Active Directory integration Robert LeBlanc (leblanc@byu.edu) BioAg Computer Support, Brigham Young University Configure Samba with ACL and Active Directory integration Robert LeBlanc (leblanc@byu.edu) BioAg Computer Support, Brigham Young University This document uses Debain Linux 3.1 (Sarge) on x86 hardware.

More information

VINTELA AUTHENTICATION SERVICES

VINTELA AUTHENTICATION SERVICES VINTELA AUTHENTICATION SERVICES Troubleshooting Training, Level I Last printed 10/26/2006 3:07:00 PM VAS Troubleshooting Training, Level I VAS Troubleshooting Training, Level I... 2 1: Outline and Purpose...

More information

Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper

Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper Integrating HP-UX 11.x Account Management and Authentication with Microsoft Windows 2000 White Paper! Printed in: U.S.A. Copyright 2001 Hewlett-Packard Company Legal Notices The information in this document

More information

Integrating OID with Active Directory and WNA

Integrating OID with Active Directory and WNA Integrating OID with Active Directory and WNA Hari Muthuswamy CTO, Eagle Business Solutions May 10, 2007 Suncoast Oracle User Group Tampa Convention Center What is SSO? Single Sign-On On (SSO) is a session/user

More information

FreeIPA v3: Trust Basic trust setup

FreeIPA v3: Trust Basic trust setup FreeIPA Training Series FreeIPA v3: Trust Basic trust setup Sumit Bose January 2013 How to set up trust between FreeIPA and AD Enable FreeIPA for Trust # ipa-adtrust-install Add Trust to AD # ipa trust-add...

More information

FreeIPA 3.3 Trust features

FreeIPA 3.3 Trust features FreeIPA 3.3 features Sumit Bose, Alexander Bokovoy March 2014 FreeIPA and Active Directory FreeIPA and Active Directory both provide identity management solutions on top of the Kerberos infrastructure

More information

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal 1.1.3 On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected (

How To Enable A Websphere To Communicate With Ssl On An Ipad From Aaya One X Portal 1.1.3 On A Pc Or Macbook Or Ipad (For Acedo) On A Network With A Password Protected ( Avaya one X Portal 1.1.3 Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) Configuration This document provides configuration steps for Avaya one X Portal s 1.1.3 communication

More information

SUSE Manager 1.2.x ADS Authentication

SUSE Manager 1.2.x ADS Authentication Best Practice www.suse.com SUSE Manager 1.2.x ADS Authentication How to use MS-ADS authentiction (Version 0.7 / March 2 nd 2012) P r e f a c e This paper should help to integrate SUSE Manager to an existing

More information

Secure IIS Web Server with SSL

Secure IIS Web Server with SSL Secure IIS Web Server with SSL EventTracker v7.x Publication Date: Sep 30, 2014 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract The purpose of this document is to help

More information

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide

Digipass Plug-In for IAS. IAS Plug-In IAS. Microsoft's Internet Authentication Service. Installation Guide Digipass Plug-In for IAS IAS Plug-In IAS Microsoft's Internet Authentication Service Installation Guide Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations

More information

DB2 - LDAP. To start with configuration of transparent LDAP, you need to configure the LDAP server.

DB2 - LDAP. To start with configuration of transparent LDAP, you need to configure the LDAP server. http://www.tutorialspoint.com/db2/db2_ldap.htm DB2 - LDAP Copyright tutorialspoint.com Introduction LDAP is Lightweight Directory Access Protocol. LDAP is a global directory service, industry-standard

More information

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway

Unifying Information Security. Implementing TLS on the CLEARSWIFT SECURE Email Gateway Unifying Information Security Implementing TLS on the CLEARSWIFT SECURE Email Gateway Contents 1 Introduction... 3 2 Understanding TLS... 4 3 Clearswift s Application of TLS... 5 3.1 Opportunistic TLS...

More information

HP Access Control Smartcard Solution

HP Access Control Smartcard Solution HP Access Control Smartcard for U. S. Government Administrator s Guide HP Access Control Smartcard for U.S. Government Administrator's Guide Copyright information 2009 Copyright Hewlett-Packard Development

More information

Bluesocket virtual Wireless Local Area Network (vwlan) FAQ

Bluesocket virtual Wireless Local Area Network (vwlan) FAQ Bluesocket virtual Wireless Local Area Network (vwlan) FAQ Updated 11/07/2011 Can I disable https on the login page of the BSC or vwlan and use http instead so I do not get a certificate error? No, https

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

Using LDAP Authentication in a PowerCenter Domain

Using LDAP Authentication in a PowerCenter Domain Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,

More information

Configure the Application Server User Account on the Domain Server

Configure the Application Server User Account on the Domain Server How to Set up Kerberos Summary This guide guide provides the steps required to set up Kerberos Configure the Application Server User Account on the Domain Server The following instructions are based on

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

Identity Management based on FreeIPA

Identity Management based on FreeIPA Identity Management based on FreeIPA SLAC 2014 Thorsten Scherf Red Hat EMEA What is an Identity Management System (IdM) An IdM system is a set of services and rules to manage the users of an organization

More information

I am an SE at a large storage system vendor

I am an SE at a large storage system vendor Neil Waybright Presented to UUASC 12/4/2008 I am an SE at a large storage system vendor In a recent previous life I managed the UNIX team at a Ventura County company that is the largest biotech company

More information

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to

prefer to maintain their own Certification Authority (CA) system simply because they don t trust an external organization to If you are looking for more control of your public key infrastructure, try the powerful Dogtag certificate system. BY THORSTEN SCHERF symmetric cryptography provides a powerful and convenient means for

More information

Vintela Authentication from SCO Release 2.2. System Administration Guide

Vintela Authentication from SCO Release 2.2. System Administration Guide Vintela Authentication from SCO Release 2.2 System Administration Guide November 19, 2003 COPYRIGHT (c) Copyright 2003 Vintela, Inc. All Rights Reserved. (c) Copyright 2003 The SCO Group, Inc. Vintela

More information

Kerberos and Active Directory symmetric cryptography in practice COSC412

Kerberos and Active Directory symmetric cryptography in practice COSC412 Kerberos and Active Directory symmetric cryptography in practice COSC412 Learning objectives Understand the function of Kerberos Explain how symmetric cryptography supports the operation of Kerberos Summarise

More information

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations

More information

Active Directory LDAP Quota and Admin account authentication and management

Active Directory LDAP Quota and Admin account authentication and management Active Directory LDAP Quota and Admin account authentication and management Version 4.1 Updated July 2014 GoPrint Systems 2014 GoPrint Systems, Inc, All rights reserved. One Annabel Lane, Suite 105 San

More information

CA SiteMinder. Directory Configuration - OpenLDAP. r6.0 SP6

CA SiteMinder. Directory Configuration - OpenLDAP. r6.0 SP6 CA SiteMinder Directory Configuration - OpenLDAP r6.0 SP6 This documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Skyward LDAP Launch Kit Table of Contents

Skyward LDAP Launch Kit Table of Contents 04.30.2015 Table of Contents What is LDAP and what is it used for?... 3 Can Cloud Hosted (ISCorp) Customers use LDAP?... 3 What is Advanced LDAP?... 3 Does LDAP support single sign-on?... 4 How do I know

More information

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1

DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1 DIGIPASS Authentication for Windows Logon Getting Started Guide 1.1 Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties, or

More information

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for IBM WebSphere with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris

How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris How To Configure the Oracle ZFS Storage Appliance for Quest Authentication for Oracle Solaris January 2014; v1.3 By Andrew Ness This article describes how to configure Quest Authentication Services in

More information

Configuring MailArchiva with Insight Server

Configuring MailArchiva with Insight Server Copyright 2009 Bynari Inc., All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording, or any

More information

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version 2.0.010215. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Comodo MyDLP Software Version 2.0. Installation Guide Guide Version 2.0.010215. Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Comodo MyDLP Software Version 2.0 Installation Guide Guide Version 2.0.010215 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1.About MyDLP... 3 1.1.MyDLP Features... 3

More information

Websense Support Webinar: Questions and Answers

Websense Support Webinar: Questions and Answers Websense Support Webinar: Questions and Answers Configuring Websense Web Security v7 with Your Directory Service Can updating to Native Mode from Active Directory (AD) Mixed Mode affect transparent user

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Configuring Single Sign-On for Application Launch in OpenManage Essentials

Configuring Single Sign-On for Application Launch in OpenManage Essentials Configuring Single Sign-On for Application Launch in OpenManage Essentials This Dell Technical White paper provides information required to configure Single Sign-On (SSO)for launching the idrac console

More information

IceWarp Server - SSO (Single Sign-On)

IceWarp Server - SSO (Single Sign-On) IceWarp Server - SSO (Single Sign-On) Probably the most difficult task for me is to explain the new SSO feature of IceWarp Server. The reason for this is that I have only little knowledge about it and

More information

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010

Integrating Mac OS X 10.6 with Active Directory. 1 April 2010 Integrating Mac OS X 10.6 with Active Directory 1 April 2010 Introduction Apple Macintosh Computers running Mac OS X 10.6 can be integrated with the Boston University Active Directory to allow use of Active

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

Install and Configure an Open Source Identity Server Lab

Install and Configure an Open Source Identity Server Lab Install and Configure an Open Source Identity Server Lab SUS05/SUS06 Novell Training Services ATT LIVE 2012 LAS VEGAS www.novell.com Legal Notices Novell, Inc., makes no representations or warranties with

More information

Enabling SSL and Client Certificates on the SAP J2EE Engine

Enabling SSL and Client Certificates on the SAP J2EE Engine Enabling SSL and Client Certificates on the SAP J2EE Engine Angel Dichev RIG, SAP Labs SAP AG 1 Learning Objectives As a result of this session, you will be able to: Understand the different SAP J2EE Engine

More information

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

How to Order and Install Odette Certificates. Odette CA Help File and User Manual How to Order and Install Odette Certificates Odette CA Help File and User Manual 1 Release date 24.02.2014 Contents Preparation for Ordering an Odette Certificate... 3 Step 1: Prepare the information you

More information

How to Tunnel Remote Desktop using SSH (Cygwin) for Windows XP (SP2)

How to Tunnel Remote Desktop using SSH (Cygwin) for Windows XP (SP2) How to Tunnel Remote Desktop using SSH (Cygwin) for Windows XP (SP2) The ssh server is an emulation of the UNIX environment and OpenSSH for Windows, by Redhat, called cygwin This manual covers: Installation

More information

Setting Up SSL on IIS6 for MEGA Advisor

Setting Up SSL on IIS6 for MEGA Advisor Setting Up SSL on IIS6 for MEGA Advisor Revised: July 5, 2012 Created: February 1, 2008 Author: Melinda BODROGI CONTENTS Contents... 2 Principle... 3 Requirements... 4 Install the certification authority

More information

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER

CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER White Paper CERTIFICATE-BASED SINGLE SIGN-ON FOR EMC MY DOCUMENTUM FOR MICROSOFT OUTLOOK USING CA SITEMINDER Abstract This white paper explains the process of integrating CA SiteMinder with My Documentum

More information

Juniper Networks Secure Access Kerberos Constrained Delegation

Juniper Networks Secure Access Kerberos Constrained Delegation Juniper Networks Secure Access Kerberos Constrained Delegation Release 6.4 CONTENT 1. BACKGROUND...3 2. SETTING UP CONSTRAINED DELEGATION...5 2.1 ACTIVE DIRECTORY CONFIGURATION...5 2.1.1 Create a Kerberos

More information

Embedded Web Server Security

Embedded Web Server Security Embedded Web Server Security Administrator's Guide September 2014 www.lexmark.com Model(s): C54x, C73x, C746, C748, C792, C925, C950, E260, E360, E46x, T65x, W850, X264, X36x, X46x, X543, X544, X546, X548,

More information

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Deployment Guide Cisco VCS X8.1 D14465.06 December 2013 Contents Introduction 3 Process summary 3 LDAP accessible authentication server configuration

More information

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream User Manual Onsight Management Suite Version 5.1 Another Innovation by Librestream Doc #: 400075-06 May 2012 Information in this document is subject to change without notice. Reproduction in any manner

More information

How to Order and Install Odette Certificates. Odette CA Help File and User Manual

How to Order and Install Odette Certificates. Odette CA Help File and User Manual How to Order and Install Odette Certificates Odette CA Help File and User Manual 1 Release date 28.07.2014 Contents Preparation for Ordering an Odette Certificate... 3 Step 1: Prepare the information you

More information