Solaris10 Active Directory Integration

16. August 2007

Document name: Solaris10_AD_Integration_V1.0.doc
Version: V 1.0
Project number: 19-5387-10
Author(s): Ivan Bütler, Compass Security AG
Delivery date: 16. August 2007
Classification: PUBLIC
Index

1 Solaris10 Active Directory Integration ... 4
  1.1 Introduction and Objectives ... 4
  1.2 Procedure ... 4
  1.3 System Identification ... 6
2 Phase 1 Kerberos Setup ... 7
  2.1 Objectives ... 7
  2.2 Active Directory: Create the AD-User for the Solaris10 Host ... 7
  2.3 Active Directory: Create the Shared Secrets for the Solaris10 Host ... 9
  2.4 Safe transmission of the Shared Secret to the Solaris10 Host ... 10
  2.5 Active Directory: Configuration DNS Server ... 12
  2.6 Solaris10: Configuration /etc/inet/hosts file ... 13
  2.7 Solaris10: Analysis of the DNS resolution Solaris10 ... 13
  2.8 Solaris10: Configuration of Kerberos for the Solaris System ... 14
  2.9 Testing of Kerberos between Solaris10 and Active Directory ... 15
3 Phase 2 LDAP over SSL Setup ... 17
  3.1 Objectives ... 17
  3.2 Active Directory: LDAP SSL requests (1) ... 18
  3.3 Active Directory: Activation of LDAP over SSL ... 19
  3.4 Active Directory: LDAP SSL requests (2) ... 19
  3.5 Active Directory: Installation of an LDAP Proxy User ... 23
  3.6 Solaris10: Configuration of the CA Certificate ... 24
  3.7 Solaris10: Testing of LDAP over SSL through ldapsearch ... 26
4 Phase 3: UNIX Users and Groups in the Active Directory ... 27
  4.1 Objectives ... 27
  4.2 Active Directory: Installation of UNIX Service ... 28
  4.3 Active Directory: Indexation ... 32
  4.4 Active Directory: NIS Maps ... 34
5 Phase 4: Final Setup ... 35
  5.1 Objectives ... 35
  5.2 Solaris10: LDAP Configuration Part2 (ldapclient) ... 35
  5.3 Solaris10: Testing of the LDAP Configuration ... 36
  5.4 Solaris10: Modification of /etc/nsswitch.conf ... 37
  5.5 Solaris10: LDAP Client Restart ... 37
  5.6 Solaris10: DNS Check ... 38
  5.7 Solaris10: Testing of GETENT PASSWD ... 38
  5.8 Solaris10: PAM Configuration ... 39
  5.9 Solaris10: Reboot Solaris ... 40
6 Phase 5: User Tests with SSH ... 41
  6.1 Objectives ... 41
  6.2 Switch User ... 41
  6.3 SSH Access 1 (Username/Password) ... 42
  6.4 SSH Access 2 (SSO with Kerberos under Solaris10) ... 44
  6.5 SSH Access 3 (SSO with Kerberos and putty) ... 45
  6.6 SSH Access 4 (User in the Active Directory is "disabled") ... 48
7 Misc ... 49
  7.1 Open Issues ... 49
8 Appendix ... 50
  8.1 Solaris10: Creation of Solaris10 Non-Global Zone torro ... 50
  8.2 Solaris10: DNS and Network Settings for the Zone "torro" ... 50
  8.3 Active Directory: Activation of the LDAP over SSL Configuration ... 51
  8.4 Tools ... 56
    8.4.1 Ktpass.exe ... 56
    8.4.2 reqdccert.vbs ... 57
  8.5 Links ... 60
1 Solaris10 Active Directory Integration

1.1 Introduction and Objectives

The aim of the instructions in this report is to show the reader step by step how to integrate a Solaris 10 host into Active Directory. Using Active Directory also for UNIX derivatives is of interest because of:
- use of the existing users (central user management)
- central use of network data (former NIS data)
- use of Kerberos services (SSO)

Once you have walked through this report step by step, you will be able to use putty.exe from your Windows XP workstation to authenticate to the Solaris10 host using Kerberos without entering your password again, because the Active Directory Kerberos ticket is accepted by the Solaris10 ssh daemon. The user-id you use for authentication to Solaris10 is not configured locally; instead, it is looked up in the Active Directory.

1.2 Procedure

Phase 1: Kerberos Setup (Chapter 2)
In the first phase Kerberos is configured for the cooperation of Active Directory and the Solaris10 host.
- Creation of an AD user for the Solaris10 host
- Creation of the shared secret (Kerberos keytab) for the Solaris10 host
- Safe transmission of the shared secret from AD to the Solaris10 host
- Configuration of the DNS server
- Configuration of the Solaris10 Kerberos settings
- Testing of the Kerberos interaction between the Solaris10 host and AD

Phase 2: LDAP over SSL in the Active Directory (Chapter 3)
In the second phase LDAP over SSL is activated in the Active Directory. This is compulsory because the Solaris 10 system will resolve users via LDAP over SSL. Plain LDAP is regarded as insecure and is not recommended.
- Testing of the LDAP over SSL interface at Active Directory
- Activation of the LDAP over SSL interface
- Retesting of LDAP over SSL
- Installation of a lookup account in Active Directory (proxyuser)
- Configuration of the SSL CA certificate in the Solaris10 system

Phase 3: Installation of UNIX Services in Active Directory (Chapter 4)
The next step deals with the installation of the POSIX schema in Active Directory. This is compulsory to enable Active Directory to store the UNIX attributes such as uid, uidnumber, gid, gidnumber, etc.
- Installation of UNIX Services in Active Directory
- Configuration of the first POSIX group
- Configuration of the first POSIX user
- Performance enhancement of the lookup (indexing)

Phase 4: Final Setup (Chapter 5)
After all components have been configured and adjusted "correctly", the fourth phase is concerned with the final setup of the Solaris 10 and Active Directory cooperation.
- LDAP configuration on Solaris10
- /etc/nsswitch.conf adjustment on Solaris10
- Restart of services
- Test whether getent passwd <user> works
- PAM configuration
- Reboot of Solaris

Phase 5: User Tests with SSH (Chapter 6)
Finally it is tested whether the interaction between Solaris 10 and Active Directory for SSH is operational. For this purpose the following test cases are carried out:
- Test switch user (su)
- Test SSH with username/password (Active Directory username/password)
- Test SSH with Kerberos under Solaris
- Test SSH with Kerberos under Windows
- Test SSH when the user is deactivated in Active Directory
1.3 System Identification

In this report a Solaris 10 system and an Active Directory are used. The table below describes the two systems.

Solaris10 System
  Type:          OpenSolaris SNV_68
  Architecture:  Intel PC
  IP Address:    192.168.100.197
  Uname:         bash-3.00# uname -a
                 SunOS tarribo 5.11 snv_68 i86pc i386 i86pc
  Hostname:      torro
  Type:          Non-Global Zone
  Note: Solaris10 is installed as a Non-Global Zone. The way this zone has been established is described in chapter 8.1.

Active Directory System
  Type:          Windows 2003 Server R2 (latest patches)
  Architecture:  Intel PC
  IP Address:    192.168.100.46
2 Phase 1 Kerberos Setup

2.1 Objectives

This phase deals with the correct interaction between Solaris 10 and the Active Directory on the basis of Kerberos. Kerberos is based on shared symmetric keys. Thus it is essential to create the key for Solaris 10 accordingly, then to introduce this key to the Solaris 10 system and finally to configure Solaris 10 for Kerberos using AD.

Phase 1: Kerberos Setup
In the first phase Kerberos is configured for the cooperation of Active Directory and the Solaris10 host.
- Creation of an AD user for the Solaris10 host
- Creation of the shared secret (Kerberos keytab) for the Solaris10 host
- Safe transmission of the shared secret from AD to the Solaris10 host
- Configuration of the DNS server
- Configuration of the Solaris10 Kerberos settings
- Testing of the Kerberos interaction between the Solaris10 host and AD

2.2 Active Directory: Create the AD-User for the Solaris10 Host

The integration of Solaris 10 requires one user account per Solaris 10 host. A user account for the Solaris10 host has to be configured in the AD. Attention: NOT a computer account.
As the Solaris10 user account is an "internal" user, we have chosen the following naming scheme: TYP-OS-HOSTNAME$, for example host-solaris10-torro$.
- The $ sign at the end marks the account as a "system account".
- For this report, the Solaris10 host is called torro.
- The password of such a technical account must not expire.

Once the above steps are performed, a user account object exists for the Solaris10 host. This is necessary for the next step to work, where we create a Kerberos keytab (shared secret) file.
2.3 Active Directory: Create the Shared Secrets for the Solaris10 Host

In order to allow the Solaris 10 machine with the hostname "torro" to communicate with the KDC, the shared secret must now be created, or in Kerberos terminology, the keytab file must be created on the AD. Please note that this only works if we have created a user object for the torro host in advance.

    C:\kerberos>ktpass.exe -princ host/torro.csnc.ch@csnc.ch -mapuser host-sol10-torro$@csnc.ch -pass gugus -ptype KRB5_NT_PRINCIPAL -out torro.keytab
    Targeting domain controller: merlin3.csnc.ch
    Using legacy password setting method
    Successfully mapped host/torro.csnc.ch to host-sol10-torro$.
    Key created.
    Output keytab to torro.keytab:
    Keytab version: 0x502
    keysize 61 host/torro.csnc.ch@csnc.ch ptype 1 (KRB5_NT_PRINCIPAL) vno 6 etype 0x17 (RC4-HMAC) keylength 16 (0xa36ff1e30bd943969f66a81d85c8e53f)

    C:\kerberos>

What is the meaning of the above arguments?

Argument: -princ host/torro.csnc.ch@csnc.ch
Meaning: Basically it means user@realm. In our context it means that we make the entry for a host (and not for a user). In the AD the principal is only an LDAP entry and nothing more; it is not an actual user in the real sense (no AD user).

Argument: -mapuser host-sol10-torro$@csnc.ch
Meaning: With this argument we tell the AD to assign the Solaris 10 host principal to the user "host-sol10-torro$".
In the LDAP you can easily recognise the impact of the above command. The command adds the principal name to the user object, in order to map the host account to the Kerberos credentials. In any case ktpass.exe produces the shared secret of the Solaris 10 host, which we will need for the next step.

    C:\kerberos>dir
     Volume in drive C is System
     Volume Serial Number is B840-2043

     Directory of C:\kerberos

    27.07.2007  08:03    <DIR>          .
    27.07.2007  08:03    <DIR>          ..
    24.03.2005  19:46            90'112 ktpass.exe
    27.07.2007  08:03                67 torro.keytab
                   2 File(s)         90'179 bytes
                   2 Dir(s)  20'123'320'320 bytes free

    C:\kerberos>

2.4 Safe transmission of the Shared Secret to the Solaris10 Host
The file "torro.keytab" created above contains the shared secret for the host "torro.csnc.ch". This shared secret must be transmitted in a secured form from the AD to the host "torro". There are several options:
- physical transmission using a USB disk, floppy or similar
- SSH transfer

In this example we use "scp" for the safe transfer from the AD to the Solaris 10 host. Afterwards the file host-sol10-torro must be copied into the Kerberos directory. Once this step is performed, both the AD and the Solaris10 host know a shared secret, which is mandatory for Kerberos to work.
2.5 Active Directory: Configuration DNS Server

For the correct operation of Kerberos it is compulsory that the forward and reverse DNS entries are configured properly. Therefore, the next step registers the Solaris10 host in the Microsoft DNS server. If you have another DNS server, make sure you configure an A and a PTR record for the Solaris10 host there and skip to the next chapter.

Below it can be seen how the Solaris 10 host is entered in the Windows Active Directory DNS server. A new host entry for the Solaris 10 host "torro" must be created. For the correct operation it is compulsory that there is a PTR record for the Solaris 10 host.
2.6 Solaris10: Configuration /etc/inet/hosts file

It is recommended to register the FQDN of the Solaris 10 host in the local Solaris10 file /etc/inet/hosts, in order to avoid problems with the TGT (1) ticket.

before:

    root@torro:/# grep -v ^# /etc/inet/hosts
    ::1 localhost
    127.0.0.1 localhost
    192.168.100.197 torro loghost torro

after:

    root@torro:/# grep -v ^# /etc/inet/hosts
    ::1 localhost
    127.0.0.1 localhost
    192.168.100.197 torro.csnc.ch torro loghost

Checking the settings:

    root@torro:/# getent hosts torro
    192.168.100.197 torro.csnc.ch torro loghost

2.7 Solaris10: Analysis of the DNS resolution Solaris10

It is mandatory to test the FQDN of the Solaris 10 host in the DNS server to avoid problems with the TGT ticket.

Checking the forward entry for the Solaris 10 host in the DNS:

    root@torro:/# dig torro.csnc.ch | grep torro
    ; <<>> DiG 9.3.4 <<>> torro.csnc.ch
    ;torro.csnc.ch. IN A
    torro.csnc.ch. 3600 IN A 192.168.100.197

Checking the PTR entry for the Solaris10 host in the DNS:

    root@torro:/# dig -x 192.168.100.197 | grep torro
    197.100.168.192.in-addr.arpa. 3600 IN PTR torro.csnc.ch.

With the two above commands you can "prove" that the Solaris 10 host is correctly recorded in the DNS. This is compulsory for the operation of Kerberos.

(1) TGT = Ticket Granting Ticket
2.8 Solaris10: Configuration of Kerberos for the Solaris System

Solaris10 holds the Kerberos configuration in the file /etc/krb5/krb5.conf. The configuration should be adapted according to the example below (in our example the realm is "CSNC.CH"; align this value to your domain name).

    [libdefaults]
        default_realm = CSNC.CH
        dns_lookup_kdc = true

    [realms]
        CSNC.CH = {
            kdc = merlin3.csnc.ch
            admin_server = merlin3.csnc.ch
        }

    [domain_realm]
        .csnc.ch = CSNC.CH
        .subdomain.csnc.ch = CSNC.CH

    [logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
            period = 1d
            version = 10
        }

    [appdefaults]
        kinit = {
            renewable = true
            forwardable = true
        }

Afterwards the file /etc/krb5/cswkrb5.conf must be adapted in the same way.

    [libdefaults]
        default_realm = CSNC.CH
        dns_lookup_kdc = true

    [realms]
        CSNC.CH = {
            kdc = merlin3.csnc.ch
            admin_server = merlin3.csnc.ch
        }

    [domain_realm]
        .csnc.ch = CSNC.CH
        .subdomain.csnc.ch = CSNC.CH
2.9 Testing of Kerberos between Solaris10 and Active Directory

Now we are ready to test Kerberos. The steps taken so far have been:
- Creation of the Solaris10 user object in the AD (NO computer object)
- Generation of the shared secret including the principal entry in the LDAP for the new host
- Transmission of the shared secret to the Solaris10 host
- Ensuring the DNS requirements for the Kerberos interaction
- Configuration of Solaris10 for the interaction with the AD KDC

Step 1: Testing of the NGZ Sol10 host (torro)

Because the Solaris10 host runs within a non-global zone, we first need to check whether the NGZ torro is running. The hostname tarribo is the Solaris10 global-zone name, whereas torro is the non-global zone. You can read chapter 8.1 if you are interested in how the non-global zone was set up.

    root@tarribo:/# zoneadm list -cv
      ID NAME      STATUS   PATH        BRAND    IP
       0 global    running  /           native   shared
       3 torro     running  /opt/torro  native   shared
    root@tarribo:/# zlogin torro
    [Connected to zone 'torro' pts/10]
    Last login: Fri Jul 27 09:07:17 on pts/10
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    root@torro:/#

Step 2: Testing of the DNS setup for the communication with the KDC

Now we check whether the KDC can be resolved via nslookup or getent.

    root@torro:/# getent hosts merlin3.csnc.ch
    192.168.100.46  merlin3.csnc.ch

If the Solaris 10 host cannot resolve the KDC properly, problems must be expected. See chapter 8.2 for the correct configuration of the NGZ torro with respect to DNS resolution.
Step 3: Testing of Kerberos

Testing the Kerberos setup means:
A) Using a valid username and password
B) Using a valid username and an invalid password
C) Using a valid username, but with the realm written in small letters
D) Using a valid but locked username

A) In this example the "correct" password for the AD user "ibuetler" has been tested.

    root@torro:/etc/krb5# kinit ibuetler@csnc.ch
    Password for ibuetler@csnc.ch:

Now you can test with "klist" whether a ticket is available.

    root@torro:/etc/krb5# klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ibuetler@csnc.ch

    Valid starting     Expires            Service principal
    07/27/07 09:44:23  07/27/07 19:40:28  krbtgt/csnc.ch@csnc.ch
            renew until 08/03/07 09:44:23
    root@torro:/etc/krb5#

Now we destroy the ticket again.

    root@torro:/etc/krb5# kdestroy
    root@torro:/etc/krb5# klist
    klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_0)
    root@torro:/etc/krb5#

B) In this example a "faulty" password for the AD user "ibuetler" has been tested.

    root@torro:/etc/krb5# kinit ibuetler@csnc.ch
    Password for ibuetler@csnc.ch:
    kinit(v5): Preauthentication failed while getting initial credentials

C) Now we try a kinit where the realm has been typed in small letters instead of CAPITAL LETTERS.

    root@torro:/etc/krb5# kinit ibuetler@csnc.ch
    Password for ibuetler@csnc.ch:
    kinit(v5): KDC reply did not match expectations while getting initial credentials

D) Now we try a kinit with a user that is not registered in the AD.

    root@torro:/etc/krb5# kinit johndoe@csnc.ch
    kinit(v5): Client not found in Kerberos database while getting initial credentials

As can be seen, a principal written as ibuetler@csnc.ch is also treated as invalid. The correct form is therefore <aduser>@REALM, and the realm must be given in capital letters.
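As an added example (not part of the Compass report), the POSIX shell functions below check offline for the three failure modes of phase 1: a realm typed in small letters (test C), a missing FQDN in /etc/inet/hosts (chapter 2.6) and A/PTR records that do not agree (chapter 2.7). The sample inputs are constructed from the values shown in this report; the function names are assumptions of this example.

```shell
# Added example, not from the report: offline pre-flight checks for phase 1.
# Every function takes text (file contents or command output) so that it can
# be exercised without a KDC; on the real host pass the live output instead.

# Test C above: kinit fails with "KDC reply did not match expectations" when
# the realm is typed in lower case. Returns 0 only for user@REALM with an
# all-upper-case realm.
principal_realm_ok() {
    p=$1
    realm=${p#*@}
    [ "$realm" != "$p" ] || return 1        # no '@' in the principal at all
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]
}

# Chapter 2.6: /etc/inet/hosts must list the FQDN on the line of the host IP.
# $1 = hosts file content, $2 = IP address, $3 = expected FQDN.
hosts_has_fqdn() {
    printf '%s\n' "$1" | awk -v ip="$2" -v fqdn="$3" '
        /^#/ { next }
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Chapter 2.7: the A record of the FQDN must point at the IP and the PTR
# record of the IP must point back at the same FQDN.
# $1 = output of "dig <fqdn>", $2 = output of "dig -x <ip>", $3 = FQDN, $4 = IP.
dns_consistent() {
    fqdn=$3; ip=$4
    rev=$(printf '%s' "$ip" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }')
    a=$(printf '%s\n' "$1" | awk -v n="$fqdn." '$1 == n && $4 == "A" { print $5 }')
    ptr=$(printf '%s\n' "$2" | awk -v n="$rev" '$1 == n && $4 == "PTR" { print $5 }')
    [ "$a" = "$ip" ] && [ "$ptr" = "$fqdn." ]
}

report() {   # $1 = description, remaining arguments = check to run
    desc=$1; shift
    if "$@"; then echo "PASS: $desc"; else echo "FAIL: $desc"; fi
}

# Constructed sample data, modelled on the "before"/"after" listings and the
# dig output shown in chapters 2.6 and 2.7.
SAMPLE_HOSTS_BEFORE='::1 localhost
127.0.0.1 localhost
192.168.100.197 torro loghost torro'
SAMPLE_HOSTS_AFTER='::1 localhost
127.0.0.1 localhost
192.168.100.197 torro.csnc.ch torro loghost'
SAMPLE_DIG_A='; <<>> DiG 9.3.4 <<>> torro.csnc.ch
;torro.csnc.ch. IN A
torro.csnc.ch. 3600 IN A 192.168.100.197'
SAMPLE_DIG_PTR='197.100.168.192.in-addr.arpa. 3600 IN PTR torro.csnc.ch.'
# A PTR that points at the global zone name instead of the NGZ (constructed).
SAMPLE_DIG_PTR_BAD='197.100.168.192.in-addr.arpa. 3600 IN PTR tarribo.csnc.ch.'

report "realm in capitals"       principal_realm_ok 'ibuetler@CSNC.CH'
report "realm in small letters"  principal_realm_ok 'ibuetler@csnc.ch'
report "hosts file before 2.6"   hosts_has_fqdn "$SAMPLE_HOSTS_BEFORE" 192.168.100.197 torro.csnc.ch
report "hosts file after 2.6"    hosts_has_fqdn "$SAMPLE_HOSTS_AFTER" 192.168.100.197 torro.csnc.ch
report "A and PTR agree"         dns_consistent "$SAMPLE_DIG_A" "$SAMPLE_DIG_PTR" torro.csnc.ch 192.168.100.197
report "PTR names another host"  dns_consistent "$SAMPLE_DIG_A" "$SAMPLE_DIG_PTR_BAD" torro.csnc.ch 192.168.100.197
```

On the real host, feed the functions live data, for example hosts_has_fqdn "$(cat /etc/inet/hosts)" 192.168.100.197 torro.csnc.ch and dns_consistent "$(dig torro.csnc.ch)" "$(dig -x 192.168.100.197)" torro.csnc.ch 192.168.100.197.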
3 Phase 2 LDAP over SSL Setup

3.1 Objectives

For the resolution of users and groups without LDAP you normally use the files /etc/passwd and /etc/group. If an Active Directory (or also NIS) is used, the user data can be resolved through an external entity. Now we aim at configuring the Solaris 10 system in such a way that users and groups are resolved in the Active Directory. The interface for the lookup of users and groups is realised via LDAP. For this operation the LDAP interface of the Active Directory must be activated (which is the default).

This report is based on http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/; that description, however, configures LDAP queries without SSL. If you want to use LDAP without SSL, skip chapters 3.2, 3.3 and 3.4 and proceed with chapter 3.5.

Phase 2: LDAP over SSL in the Active Directory
In the second phase LDAP over SSL is activated in the Active Directory. This is compulsory because the Solaris 10 system will resolve the users via LDAP over SSL. Plain LDAP is regarded as insecure and is not recommended.
- Testing of the LDAP over SSL interface at Active Directory
- Activation of the LDAP over SSL interface
- Retesting of LDAP over SSL
- Installation of a lookup account in Active Directory (proxyuser)
- Configuration of the SSL CA certificate in the Solaris10 system
3.2 Active Directory: LDAP SSL requests (1)

In a first step it should be tested whether LDAP over SSL has not been activated yet. For this purpose the Microsoft Resource Kit tool "ldp.exe" is used in this example. This test is also feasible using OpenSSL commands.
- Start the Microsoft tool "ldp" and click on "Connect" (ldp is an LDAP browser contained in the Microsoft Resource Kit).
- Configure an SSL connection through port 636 to the Active Directory.
- If an error message as shown on the left appears, LDAP over SSL has not been activated.

You can also execute this test through OpenSSL using the following syntax:

    openssl s_client -connect HOST:636
3.3 Active Directory: Activation of LDAP over SSL

The activation of LDAP over SSL at the Active Directory is not a core issue of this report. The steps necessary for the activation of LDAP over SSL at the Active Directory in respect of this report are described in detail in chapter 8.3.

3.4 Active Directory: LDAP SSL requests (2)

After LDAP over SSL has been activated, the following test should succeed without any error messages.
- Start the Microsoft tool "ldp", which is meant for access to the AD.
- Configure an SSL connection.
The request results in at least one response. To be on the safe side we test again using JXplorer, a powerful, freely available LDAP browser. Unless the CA certificate is first introduced to the tool, the SSL validation will fail.
1) Delete the existing cacerts file.
2) Import the CA certificate into the JXplorer keystore:

    "C:\Program Files\Java\jre1.5.0_06\bin\keytool.exe" -import -file "C:\ca.crt" -keystore "S:\Program Files\jxplorer\security\cacerts"

After the CA certificate has been imported, you can try to establish an LDAP over SSL connection. For this purpose the following profile should be used.
The access is possible (if you type in the correct password).
3.5 Active Directory: Installation of an LDAP Proxy User

In order to enable the Solaris 10 host to browse the POSIX schema in the AD, it is necessary to install a proxy user in the AD. This user is used by the Unix computers for access.
- The proxy user is a member of "Domain Guests".
- DN of the proxy user: CN=proxyuser,OU=Technical,OU=Compass Users,dc=csnc,dc=ch
It should be checked next whether this user can also access the AD via LDAP.

3.6 Solaris10: Configuration of the CA Certificate

After the Active Directory can be addressed through SSL, the Solaris 10 host must be instructed to use this interface. First an empty NSS certificate database is created.

Step 1: Creation of the NSS DB (do not enter a password, just hit return)

    root@torro:/var/ldap# /usr/sfw/bin/certutil -N -d /var/ldap/
    Enter a password which will be used to encrypt your keys.
    The password should be at least 8 characters long,
    and should contain at least one non-alphabetic character.

    Enter new password:
    Re-enter password:
    root@torro:/var/ldap# ls -lt
    total 643
    -rw------- 1 root root 131072 Jul 31 08:18 key3.db
    -rw------- 1 root root  65536 Jul 31 08:18 cert8.db
    -rw------- 1 root root 131072 Jul 31 08:18 secmod.db
    root@torro:/var/ldap# strings *
    Version
    1i1p
    Hpassword-check
    global-salt
    Version
    NSS Internal PKCS #11 Module
    Kconfigdir='/var/ldap' certprefix='' keyprefix='' secmod='secmod.db' flags=
    NSS Internal PKCS #11 Module

Step 2: Importing the Certification Authority certificate

    root@torro:/var/ldap# /usr/sfw/bin/certutil -A -n "ca-cert" -i ~root/ca.crt -a -t CT -d /var/ldap/
    root@torro:/var/ldap# ls -lt
    total 643
    -rw------- 1 root root 131072 Jul 31 08:22 key3.db
    -rw------- 1 root root  65536 Jul 31 08:22 cert8.db
    -rw------- 1 root root 131072 Jul 31 08:18 secmod.db
    root@torro:/var/ldap# strings *
    (output omitted: besides the lines shown in step 1 it now contains the subject fields of the imported CSNC CA certificate, "Rapperswil", "CSNC CA", "ivan.buetler@csnc.ch", and its validity period 070305191920Z to 170302191920Z)

Step 3: Checking whether the Solaris host is reachable as FQDN

    root@torro:/var/ldap# ifconfig -a
    lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    e1000g0:1: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 2
            inet 192.168.100.197 netmask ffffff00 broadcast 192.168.100.255
    root@torro:/var/ldap# getent hosts 192.168.100.197
    192.168.100.197 torro.csnc.ch torro loghost

The above step is a repetition of the step in chapter 2.7.
3.7 Solaris10: Testing of LDAP over SSL through ldapsearch

Now it shall be tested whether the Solaris 10 machine can access the Active Directory using LDAP over SSL.

    root@torro:/var/ldap# ldapsearch -v -h merlin3.csnc.ch -p 636 -Z -P /var/ldap/cert8.db -b "dc=csnc,dc=ch" -s base "objectclass=*"
    ldapsearch: started Tue Jul 31 08:32:03 2007
    ldap_init( merlin3.csnc.ch, 636 )
    filter pattern: objectclass=*
    returning: ALL
    filter is: (objectclass=*)
    ldap_search: Operations error
    ldap_search: additional info: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece
    0 matches

The above attempt fails because no user has been specified for the ldap_bind yet. This user was created in chapter 3.5 and is called "proxyuser" in our example. Try again to access the AD using LDAP over SSL, specifying the user name proxyuser and the password.

    root@torro:/var/ldap# ldapsearch -v -h merlin3.csnc.ch -p 636 -D "CN=proxyuser,OU=Technical,OU=Compass Users,dc=csnc,dc=ch" -Z -P /var/ldap/cert8.db -b "dc=csnc,dc=ch" -s base "objectclass=*"
    Enter bind password:
    ldapsearch: started Tue Jul 31 08:40:44 2007
    ldap_init( merlin3.csnc.ch, 636 )
    filter pattern: objectclass=*
    returning: ALL
    filter is: (objectclass=*)
    version: 1
    dn: dc=csnc,dc=ch
    objectclass: top
    objectclass: domain
    objectclass: domaindns
    distinguishedname: DC=csnc,DC=ch
    instancetype: 5
    whencreated: 20060524084315.0Z
    whenchanged: 20070209084341.0Z
    subrefs: DC=ForestDnsZones,DC=csnc,DC=ch
    subrefs: DC=DomainDnsZones,DC=csnc,DC=ch
    subrefs: CN=Configuration,DC=csnc,DC=ch
    usncreated: 4098

As can be seen from the above output, manual access via LDAP over SSL is now possible.
4 Phase 3: UNIX Users and Groups in the Active Directory

4.1 Objectives

After the Solaris 10 system has successfully been configured with Kerberos and the LDAP over SSL access to the Active Directory is working, the next step deals with the migration of the users, groups and other NIS databases into the Active Directory. In a first step the Active Directory must be configured in such a way that POSIX values are recognised. These steps need only be carried out once. If other Unix derivatives are already administered in the Active Directory, these steps have probably been executed before. It is essential to introduce the POSIX Unix account schema to the Microsoft user management.

Phase 3: Installation of UNIX Services in Active Directory
The next step deals with the installation of the POSIX schema in Active Directory. This is compulsory to enable Active Directory to store the UNIX attributes such as uid, uidnumber, gid, gidnumber, etc.
- Installation of UNIX Services in Active Directory
- Configuration of the first POSIX group
- Configuration of the first POSIX user
- Performance enhancement of the lookup (indexing)
4.2 Active Directory: Installation of UNIX Service

Link: http://technet2.microsoft.com/windowsserver/en/library/b79e7a8f-b7d3-49f2-a963-69b92d908a3b1033.mspx?mfr=true

On the Active Directory server you install the POSIX LDAP schema into the Active Directory via "Identity Management for UNIX". The installation requires CD2. Then NIS is installed, which contains the POSIX LDAP schema. Now the installation is completed. A reboot is necessary.

Before the installation the user properties looked as shown on the left. After the installation the user properties look as shown on the left: the Unix attributes can now be configured. In our example the Unix attributes for the user "ibuetler" have been configured as shown.
The groups are also assigned Unix attributes.

4.3 Active Directory: Indexation

To speed up the resolution of UNIX users via LDAP, the most important LDAP attributes can be indexed in the Active Directory. You can enforce the indexation in the Active Directory with the Schema Management snap-in. The following command registers the snap-in, which is invisible in the MMC without this registration:

    REGSVR32 SCHMMGMT
4.4 Active Directory: NIS Maps

Using the "Microsoft Identity Management for UNIX" MMC snap-in, the settings for the NIS service can be configured.
5 Phase 4: Final Setup

5.1 Objectives

Phase 4: Final Setup
After all components have been configured and adjusted "correctly", the fourth phase is concerned with the final setup of the Solaris 10 and Active Directory cooperation.
- LDAP configuration on Solaris10
- /etc/nsswitch.conf adjustment on Solaris10
- Restart of services
- Test whether getent passwd <user> works
- PAM configuration
- Reboot of Solaris

5.2 Solaris10: LDAP Configuration Part2 (ldapclient)

After the manual test of chapter 3.7 (LDAP over SSL) has been successful, this step now deals with defining a persistent LDAP over SSL configuration for Solaris 10. The interface for installing a persistent LDAP configuration is "ldapclient". It is recommended to save a copy of the file /etc/nsswitch.conf before this next step, as the program ldapclient modifies /etc/nsswitch.conf. With this script the persistent LDAP connection using LDAP over SSL is installed.

    root@torro:/# cat do_ldapclient1.sh
    ldapclient manual \
      -a credentiallevel=proxy \
      -a authenticationmethod=tls:simple \
      -a proxydn="cn=proxyuser,ou=technical,ou=compass Users,dc=csnc,dc=ch" \
      -a proxypassword=mysecret \
      -a defaultsearchbase=dc=csnc,dc=ch \
      -a domainname=csnc.ch \
      -a defaultserverlist=192.168.100.46 \
      -a attributemap=group:userpassword=userpassword \
      -a attributemap=group:memberuid=memberuid \
      -a attributemap=group:gidnumber=gidnumber \
      -a attributemap=passwd:gecos=cn \
      -a attributemap=passwd:gidnumber=gidnumber \
      -a attributemap=passwd:uidnumber=uidnumber \
      -a attributemap=passwd:homedirectory=unixhomedirectory \
      -a attributemap=passwd:loginshell=loginshell \
      -a attributemap=shadow:shadowflag=shadowflag \
      -a attributemap=shadow:userpassword=userpassword \
      -a objectclassmap=group:posixgroup=group \
      -a objectclassmap=passwd:posixaccount=user \
      -a objectclassmap=shadow:shadowaccount=user \
      -a servicesearchdescriptor=passwd:dc=csnc,dc=ch?sub \
      -a servicesearchdescriptor=group:dc=csnc,dc=ch?sub
Now the script is executed and results in the following output.

    root@torro:/# bash do_ldapclient1.sh
    System successfully configured
    root@torro:/#

With this command all the relevant Solaris 10 LDAP client information has been stored in /var/ldap.

5.3 Solaris10: Testing of the LDAP Configuration

After the above "ldapclient" command has been executed successfully, you can test whether the installation works using ldaplist.

    root@torro:/# ldaplist -l passwd ibuetler
    dn: gecos=ivan Buetler,OU=Personal,OU=Compass Users,DC=csnc,DC=ch
        objectclass: top
        objectclass: person
        objectclass: organizationalperson
        objectclass: posixaccount
        cn: Ivan Buetler
        sn: Buetler
        physicaldeliveryofficename: Rapperswil
        givenname: Ivan
        distinguishedname: CN=Ivan Buetler,OU=Personal,OU=Compass Users,DC=csnc,DC=ch
        instancetype: 4
        whencreated: 20060524125115.0Z
        whenchanged: 20070802073738.0Z
        displayname: Ivan Buetler
        usncreated: 13939
        uid: ibuetler
        mail: ivan.buetler@csnc.ch
        uidnumber: 10000
        gidnumber: 10000
        homedirectory: /opt/home/ibuetler
        loginshell: /bin/bash

Please note: the output above was shortened.
5.4 Solaris10: Modification of /etc/nsswitch.conf

Now the Solaris 10 system must be instructed to resolve certain objects such as passwd or group via LDAP. In addition, hosts should be resolved via DNS. The nsswitch.conf that works for this instruction:

    root@torro:/ # cat /etc/nsswitch.conf
    #
    # CDDL HEADER START
    #
    # The contents of this file are subject to the terms of the
    # Common Development and Distribution License (the "License").
    # You may not use this file except in compliance with the License.
    #
    passwd:     files ldap
    group:      files ldap
    hosts:      files dns
    #ipnodes:   files         # Commented out by DHCP
    ipnodes:    files dns     # Added by DHCP
    networks:   files
    protocols:  files
    rpc:        files
    ethers:     files
    netmasks:   files
    bootparams: files
    publickey:  files
    # At present there isn't a 'files' backend for netgroup; the system will
    # figure it out pretty quickly, and won't use netgroups at all.
    netgroup:   files
    automount:  files
    aliases:    files
    services:   files
    printers:   user files
    auth_attr:  files
    prof_attr:  files
    project:    files
    tnrhtp:     files
    tnrhdb:     files

5.5 Solaris10: LDAP Client Restart

After the above changes it is compulsory to restart the LDAP client service under Solaris 10:

    svcadm restart svc:/network/ldap/client:default
5.6 Solaris10: DNS Check

For the proper function of all components it is compulsory that the Solaris 10 DNS client service in the SMF is activated.

    svcs -a | grep dns

If disabled, then:

    svcadm enable svc:/network/dns/client:default

If online, everything is ok.

5.7 Solaris10: Testing of GETENT PASSWD

Now we test whether the POSIX account "ibuetler" can be introduced to the Solaris 10 system via Active Directory using the command "getent passwd ibuetler". The preconditions for this test are:

- Active Directory and Solaris10 LDAP over SSL is activated (Phase 2)
- Active Directory extended for POSIX Account Information (Phase 4)
- User ibuetler has the POSIX values configured (Phase 4)
- Solaris10 /etc/nsswitch.conf is activated and configured (Phase 4)

    root@torro:/ # hostname
    torro
    root@torro:/ # grep passw /etc/nsswitch.conf
    passwd: files ldap
    root@torro:/ # grep ibuetler /etc/passwd
    root@torro:/ # getent passwd ibuetler
    ibuetler:x:10000:10000:ivan Buetler:/opt/home/ibuetler:/bin/bash

The data for "ibuetler" originate from the LDAP directory.
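The three steps above (the attribute maps passed to ldapclient in 5.2, the ldaplist entry in 5.3 and the "files ldap" lookup order checked in 5.7) can be tied together in a small simulation. The following Python code is an added example and is not part of the original document or of Solaris; the AD entry and the /etc/passwd excerpt it uses are constructed from the listings above, with the raw AD attribute names (such as unixhomedirectory) that the maps translate into the Solaris names.

```python
"""Apply the ldapclient attribute maps of section 5.2 to an AD entry.

Added example; not code from the Compass Security document. The map strings
are the ones passed to ldapclient with -a attributemap=...; the AD entry is
constructed from the ldaplist output in section 5.3, using the raw AD names
(unixhomedirectory) on the right-hand side of the maps.
"""

ATTRIBUTE_MAPS = [
    "group:userpassword=userpassword",
    "group:memberuid=memberuid",
    "group:gidnumber=gidnumber",
    "passwd:gecos=cn",
    "passwd:gidnumber=gidnumber",
    "passwd:uidnumber=uidnumber",
    "passwd:homedirectory=unixhomedirectory",
    "passwd:loginshell=loginshell",
    "shadow:shadowflag=shadowflag",
    "shadow:userpassword=userpassword",
]

# Constructed AD entry; attribute names lower-cased, as ldaplist prints them.
AD_ENTRY = {
    "cn": "Ivan Buetler",
    "uid": "ibuetler",
    "uidnumber": "10000",
    "gidnumber": "10000",
    "unixhomedirectory": "/opt/home/ibuetler",
    "loginshell": "/bin/bash",
}

# Field order of a passwd(4) line; the password field is always "x" because
# the credential lives in the shadow map or, here, in the Kerberos KDC.
PASSWD_FIELDS = ("uid", "uidnumber", "gidnumber", "gecos", "homedirectory", "loginshell")


def parse_attribute_maps(maps):
    """Turn 'service:solaris_attr=ad_attr' strings into {service: {solaris: ad}}."""
    result = {}
    for entry in maps:
        service, _, mapping = entry.partition(":")
        solaris_attr, _, ad_attr = mapping.partition("=")
        if not (service and solaris_attr and ad_attr):
            raise ValueError(f"malformed attributemap: {entry!r}")
        result.setdefault(service, {})[solaris_attr.lower()] = ad_attr.lower()
    return result


def lookup(entry, service_map, solaris_attr):
    """Resolve a Solaris attribute name to its AD name and read it from the entry."""
    ad_attr = service_map.get(solaris_attr, solaris_attr)  # unmapped names pass through
    return entry.get(ad_attr)


def passwd_line(entry, maps=ATTRIBUTE_MAPS):
    """Build the line getent would print, or None if POSIX data is incomplete."""
    service_map = parse_attribute_maps(maps).get("passwd", {})
    values = [lookup(entry, service_map, field) for field in PASSWD_FIELDS]
    if any(v is None for v in values):
        return None  # an entry without POSIX attributes cannot become a passwd record
    name, uidn, gidn, gecos, home, shell = values
    return f"{name}:x:{uidn}:{gidn}:{gecos}:{home}:{shell}"


def resolve_passwd(name, files_text, ldap_entries, order=("files", "ldap")):
    """Mimic 'passwd: files ldap' from nsswitch.conf: the first source that answers wins.

    files_text is the content of /etc/passwd, ldap_entries maps uid -> AD entry.
    Returns (source, line); (None, None) corresponds to 'su: Unknown id'.
    """
    for source in order:
        if source == "files":
            for line in files_text.splitlines():
                if line.split(":", 1)[0] == name:
                    return "files", line
        elif source == "ldap" and name in ldap_entries:
            line = passwd_line(ldap_entries[name])
            if line:
                return "ldap", line
    return None, None


if __name__ == "__main__":
    files = "root:x:0:0:Super-User:/:/sbin/sh\n"  # constructed /etc/passwd excerpt
    print(resolve_passwd("ibuetler", files, {"ibuetler": AD_ENTRY}))
    print(resolve_passwd("johndoe", files, {"ibuetler": AD_ENTRY}))
```

The left-hand side of each attributemap is the name Solaris asks for and the right-hand side is the attribute that is actually read from Active Directory, which is why ldaplist already shows "homedirectory" although the directory stores "unixHomeDirectory".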
5.8 Solaris10: PAM Configuration

Solaris 10 does not require a new configuration of pam_ldap, as was described in older instructions. The existing PAM modules contain the LDAP interface. The following PAM configuration works for Kerberos-based SSH login via GSSAPI (putty.exe).

    root@torro:/ # cat /etc/pam.conf
    # AUTHENTICATION
    # login service (explicit because of pam_dial_auth)
    login    auth requisite    pam_authtok_get.so.1
    login    auth required     pam_dhkeys.so.1
    login    auth required     pam_unix_cred.so.1
    login    auth required     pam_unix_auth.so.1
    login    auth required     pam_dial_auth.so.1
    passwd   auth required     pam_passwd_auth.so.1
    other    auth requisite    pam_authtok_get.so.1
    other    auth required     pam_dhkeys.so.1
    other    auth sufficient   pam_krb5.so.1
    other    auth required     pam_unix_cred.so.1
    other    auth required     pam_unix_auth.so.1
    # ACCOUNT MANAGEMENT
    cron     account required  pam_unix_account.so.1
    other    account requisite pam_roles.so.1
    other    account required  pam_unix_account.so.1
    # SESSION
    other    session required  pam_unix_session.so.1
    # PASSWORD
    other    password required  pam_dhkeys.so.1
    other    password sufficient pam_krb5.so.1
    other    password requisite pam_authtok_get.so.1
    other    password requisite pam_authtok_check.so.1
    other    password required  pam_authtok_store.so.1
5.9 Solaris10: Reboot Solaris

According to other instructions there have been problems with Solaris setups when no reboot was carried out. Therefore we recommend executing a reboot at this stage.
6 Phase 5: User Tests with SSH

6.1 Objectives

In this chapter various tests in connection with Solaris 10 and Active Directory are performed. All these test cases should work properly after an installation according to these instructions.

Finally it is tested whether the interaction between Solaris 10 and Active Directory for SSH is operational. For this purpose the following test cases are carried out:

- Test Switch User (su)
- Test SSH with username/password (Active Directory username/password)
- Test SSH with Kerberos under Solaris
- Test SSH with Kerberos under Windows
- Test SSH if the user is deactivated in Active Directory

6.2 Switch User

In a first test we check whether a switch user from "root" to an "AD user" can be executed.

    root@torro:/ # grep ibuetler /etc/passwd
    root@torro:/ # getent passwd ibuetler
    ibuetler:x:10000:10000:ivan Buetler:/opt/home/ibuetler:/bin/bash
    root@torro:/ # su - ibuetler
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    ibuetler@torro:~$

In this example the switch user is working. What if the su does not work because the user does not exist in the AD?

    root@torro:/ # grep johndoe /etc/passwd
    root@torro:/ # getent passwd johndoe
    root@torro:/ # su - johndoe
    su: Unknown id: johndoe
    root@torro:/ #

It can be seen that the command "getent passwd johndoe" returns nothing. This means that the user can NOT be resolved via LDAP.
6.3 SSH Access 1 (Username/Password)

With this setup an SSH connection to the Solaris machine has been attempted where the SSH client has NO valid Kerberos ticket. The configuration of PAM looks as follows:

    root@tarribo:/opt/torro/root/etc # cat pam.conf
    # AUTHENTICATION
    # login service (explicit because of pam_dial_auth)
    login    auth requisite    pam_authtok_get.so.1
    login    auth required     pam_dhkeys.so.1
    login    auth required     pam_unix_cred.so.1
    login    auth required     pam_unix_auth.so.1
    login    auth required     pam_dial_auth.so.1
    passwd   auth required     pam_passwd_auth.so.1
    other    auth requisite    pam_authtok_get.so.1
    other    auth required     pam_dhkeys.so.1
    other    auth sufficient   pam_krb5.so.1
    other    auth required     pam_unix_cred.so.1
    other    auth required     pam_unix_auth.so.1
    # ACCOUNT MANAGEMENT
    cron     account required  pam_unix_account.so.1
    other    account requisite pam_roles.so.1
    other    account required  pam_unix_account.so.1
    other    account required  pam_ldap.so.1
    # SESSION
    other    session required  pam_unix_session.so.1
    # PASSWORD
    other    password required  pam_dhkeys.so.1
    other    password sufficient pam_krb5.so.1
    other    password requisite pam_authtok_get.so.1
    other    password requisite pam_authtok_check.so.1
    other    password required  pam_authtok_store.so.1
Evidence: SSH connection from an SSH client which has NO Kerberos configured.

    root@xor:~# klist
    The program 'klist' can be found in the following packages:
     * heimdal-clients
     * krb5-user
    Try: apt-get install <selected package>
    Make sure you have the 'universe' component enabled
    -bash: klist: command not found
    root@xor:~# ssh -l ibuetler 192.168.100.197
    Password:
    Last login: Thu Aug  2 11:57:16 2007 from medion-renggli.
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007
    ibuetler@torro:~$

For the password, the Active Directory password had to be entered to log in successfully. The critical configuration in pam.conf is:

    other auth sufficient pam_krb5.so.1

If this line is missing, successful authentication via SSH will not be possible.
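The two pam.conf listings (section 5.8 and the one above) differ only by the pam_ldap account line, and the text singles out the "sufficient" pam_krb5 auth line as the one a password login with an AD password depends on. The following Python checker is an added example and not code from the document or from Solaris; PAM_58 and PAM_63 are constructed from the two listings with the comment lines left out, and the "sshd" service name is an assumption used to show the fall-through to the "other" stack.

```python
"""Lint a Solaris 10 /etc/pam.conf against the AD/Kerberos stack of sections 5.8 and 6.3.

Added example; not code from the Compass Security document. PAM_58 and PAM_63
are constructed from the two pam.conf listings (comment lines omitted).
"""
from collections import defaultdict

PAM_58 = """\
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
passwd auth required pam_passwd_auth.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
cron account required pam_unix_account.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password sufficient pam_krb5.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
"""

# The section 6.3 listing adds one account-management line for LDAP.
PAM_63 = PAM_58.replace(
    "other account required pam_unix_account.so.1\n",
    "other account required pam_unix_account.so.1\nother account required pam_ldap.so.1\n",
)


def parse_pam_conf(text):
    """Return {(service, type): [(control, module), ...]} keeping file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = fields[:4]
        stacks[(service.lower(), mtype.lower())].append((control.lower(), module))
    return dict(stacks)


def stack_for(stacks, service, mtype):
    """A service without its own stack (sshd in this file) uses the 'other' stack."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])


def check_ad_stack(text, service="sshd"):
    """Return findings as strings; an empty list means the stack matches section 6.3."""
    findings = []
    stacks = parse_pam_conf(text)

    auth = stack_for(stacks, service, "auth")
    modules = [module for _, module in auth]
    if "pam_krb5.so.1" not in modules:
        findings.append("auth: pam_krb5.so.1 missing, the AD password is never checked against the KDC")
    else:
        krb_index = modules.index("pam_krb5.so.1")
        control = auth[krb_index][0]
        if control != "sufficient":
            findings.append(f"auth: pam_krb5.so.1 is '{control}', expected 'sufficient'")
        # A 'sufficient' success only ends the stack if no earlier 'required'
        # module has failed, so pam_krb5 must come before pam_unix_auth.
        if "pam_unix_auth.so.1" in modules and modules.index("pam_unix_auth.so.1") < krb_index:
            findings.append("auth: pam_unix_auth.so.1 runs before pam_krb5.so.1, a Kerberos success cannot short-circuit the stack")

    account = stack_for(stacks, service, "account")
    if "pam_ldap.so.1" not in [module for _, module in account]:
        findings.append("account: pam_ldap.so.1 missing (present in the section 6.3 listing)")
    return findings


if __name__ == "__main__":
    for name, conf in (("5.8", PAM_58), ("6.3", PAM_63)):
        print(name, check_ad_stack(conf) or "ok")
```

Running it on the 5.8 listing reports only the missing pam_ldap account line; removing the pam_krb5 auth line reproduces the failure mode the text describes, because for an AD-only user the remaining "required" pam_unix_auth has no local password to verify.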
6.4 SSH Access 2 (SSO with Kerberos under Solaris10)

With this test case we check whether we can log in to the Solaris 10 system without re-entering the user credentials if a valid ticket is available.

    ibuetler@torro:~$ id
    uid=10000(ibuetler) gid=10000(unix)

Checking whether a valid ticket is available (YES).

    ibuetler@torro:~$ klist
    Ticket cache: FILE:/tmp/krb5cc_10000
    Default principal: ibuetler@csnc.ch

    Valid starting        Expires               Service principal
    08/02/07 11:56:58     08/02/07 21:53:03     krbtgt/csnc.ch@csnc.ch
            renew until 08/09/07 11:57:15

Establish an SSH connection (with a valid ticket):

    ibuetler@torro:~$ ssh -l ibuetler torro.csnc.ch
    Last login: Thu Aug  2 12:00:54 2007 from medion-renggli.
    Sun Microsystems Inc.   SunOS 5.11      snv_68  October 2007

Delete the valid ticket (for testing purposes):

    ibuetler@torro:~$ kdestroy

Establish an SSH connection again (without a valid ticket):

    ibuetler@torro:~$ ssh -l ibuetler torro.csnc.ch
    Password:
    Password:
    Password:
    Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

It can be seen that SSH access without a password is possible (with the Kerberos ticket), provided that the client already has a valid ticket.
6.5 SSH Access 3 (SSO with Kerberos and putty)

In this attempt we test whether we can log in to Solaris 10 using a GSSAPI-enabled putty.exe, applying the Windows Kerberos ticket and without entering the password. Special DLLs must be installed for putty.exe to work with Kerberos at all. For this purpose MIT Kerberos for Windows 3.2 has been installed on the Windows computer.

http://web.mit.edu/kerberos/www/dist/index.html
Configuration of the Solaris10 host in putty (screenshot)
Configuration of GSSAPI (screenshot)

Access is possible without entering the Active Directory password because the user is already in possession of a valid Windows Kerberos ticket through the XP workstation.
6.6 SSH Access 4 (User in the Active Directory is "disabled")

In this test the user "ibuetler" has been deactivated in the Active Directory. Afterwards the login via SSH is impossible (see below).
7 Misc

7.1 Open Issues

1. Changing the password via the SSH shell is not possible in the above setup. The password in the KDC (Active Directory) must be changed via the Windows XP change-password routine.

2. LDAP access from the Solaris 10 system using Kerberos (instead of proxyuser tls:simple username/password authentication) has not been implemented yet.
8 Appendix

8.1 Solaris10: Creation of Solaris10 Non-Global Zone torro

For this test a Solaris 10 non-global zone has been created, which is integrated into the AD.

    zonemgr-1.8.sh -a add -n torro -z "/opt" -P "johndoe" -I "192.168.100.197 e1000g0 24 torro"
    Checking to see if the zone IP address (192.168.100.197) is already in use...
    IP is available.
    A ZFS file system has been created for this zone.
    Preparing to install zone <torro>.
    Creating list of files to copy from the global zone.
    Copying <67882> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1244> packages on the zone.
    Initialized <1244> packages on zone.
    Zone <torro> is initialized.
    The file </opt/torro/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
    Creating the sysidcfg file for automated zone configuration.
    Booting zone for the first time.
    Waiting for first boot tasks to complete.
    Updating netmask information.
    Updating /etc/inet/hosts of the global zone with the torro IP information.
    Zone torro is ready.

    bash-3.00# zoneadm list -cv
      ID NAME     STATUS   PATH         BRAND   IP
       0 global   running  /            native  shared
       2 torro    running  /opt/torro   native  shared

8.2 Solaris10: DNS and Network Settings for the Zone "torro"

For the proper function of Kerberos, the Solaris 10 host must be able to resolve the FQDN of the KDC. This means that the KDC must be registered in the DNS. In our example we have configured the DNS resolver of the Solaris 10 host in such a way that it communicates with the AD DNS server.

    root@torro:/ # cat /etc/resolv.conf
    domain csnc.ch
    nameserver 192.168.100.43

In addition it must be ensured that host entries are resolved via DNS.

    root@torro:/ # grep hosts /etc/nsswitch.conf
    # "hosts:" and "services:" in this file are used only if the
    hosts:      files dns
8.3 Active Directory: Activation of the LDAP over SSL Configuration

In the laboratory, LDAP over SSL has been set up according to the following instruction:

http://support.microsoft.com/kb/321051

More detailed instructions for certificate handling:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

- Execute certtmpl.msc and rename the template to LDAP.
- Modify the subject to "Fully distinguished name".
- Download the VBS program from the above link.
- Execute the following command at the prompt, where LDAP corresponds to the template above:

    reqdccert LDAP A

After double-clicking the VBS, the structure looks as follows (screenshot). The file "MERLIN.inf" still has to be edited: insert the subject identifier.

    [Version]
    Signature= "$Windows NT$"

    [NewRequest]
    Subject = "CN=MERLIN3,OU=Domain Controllers,dc=csnc,dc=ch"
    KeySpec = 1
    KeyLength = 1024
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = FALSE
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]
    OID=1.3.6.1.5.5.7.3.1
    OID=1.3.6.1.5.5.7.3.2
    ;
    ; The subject alternative name (SAN) can be included in the INF-file
    ; for a Windows 2003 CA.
    ; You don't have to specify the SAN when submitting the request.
    ;
    [Extensions]
    2.5.29.17=MBGCD21lcmxpbjMuY3NuYy5jaA==
    Critical=2.5.29.17
    ;
    ; The template name can be included in the INF-file for any CA.
    ; You don't have to specify the template when submitting the request.
    ;
    ;[RequestAttributes]
    ;CertificateTemplate=LDAP

Subsequently a Certificate Signing Request is generated. Below, the signing request is processed by the CA.

    ./sign-req MERLIN3
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    domaincomponent       :IA5STRING:'ch'
    domaincomponent       :IA5STRING:'csnc'
    organizationalunitname:printable:'domain Controllers'
    commonname            :PRINTABLE:'MERLIN3.CSNC.CH'
    Certificate is to be certified until Jul 24 14:00:14 2017 GMT (3650 days)
    Sign the certificate? [y/n]:

    ls -lt
    total 149
    -rw-r--r--   1 root     3830 Jul 27 11:51 MERLIN3.crt
    -rw-r--r--   1 root     3830 Jul 27 11:51 17.pem

The CA has created the file MERLIN3.crt.

Integration of the certificate into the Active Directory:

- Start MMC (screenshot)
- Start the Certificate snap-in (screenshot)
- Open the Computer Account snap-in (screenshot)

The certificate is issued for "Server Authentication". After that a reboot of the server will be requested.
8.4 Tools

8.4.1 Ktpass.exe

    C:\kerberos>ktpass.exe -h
    Command line options:

    ---------------------most useful args
    [- /]     out : Keytab to produce
    [- /]   princ : Principal name (user@realm)
    [- /]    pass : password to use
                    use "*" to prompt for password.
    [- +] rndpass : ... or use +rndpass to generate a random password
    [- /] minpass : minimum length for random password (def:15)
    [- /] maxpass : maximum length for random password (def:256)
    ---------------------less useful stuff
    [- /] mapuser : map princ (above) to this user account (default: don't)
    [- /]   mapop : how to set the mapping attribute (default: add it)
    [- /]   mapop : is one of:
    [- /]   mapop : add : add value (default)
    [- /]   mapop : set : set value
    [- +] DesOnly : Set account for des-only encryption (default:don't)
    [- /]      in : Keytab to read/digest
    ---------------------options for key generation
    [- /]  crypto : Cryptosystem to use
    [- /]  crypto : is one of:
    [- /]  crypto : DES-CBC-CRC : for compatibility
    [- /]  crypto : DES-CBC-MD5 : for compatibliity
    [- /]  crypto : RC4-HMAC-NT : default 128-bit encryption
    [- /]   ptype : principal type in question
    [- /]   ptype : is one of:
    [- /]   ptype : KRB5_NT_PRINCIPAL : The general ptype-- recommended
    [- /]   ptype : KRB5_NT_SRV_INST : user service instance
    [- /]   ptype : KRB5_NT_SRV_HST : host service instance
    [- /]    kvno : Override Key Version Number
                    Default: query DC for kvno. Use /kvno 1 for Win2K compat.
    [- +]  Answer : +Answer answers YES to prompts. -Answer answers NO.
    [- /]  Target : Which DC to use. Default:detect
    ---------------------options for trust attributes (Windows Server 2003 Sp1 Only
    [- /] MitRealmName : MIT Realm which we want to enable RC4 trust on.
    [- /] TrustEncryp : Trust Encryption to use; DES is default
    [- /] TrustEncryp : is one of:
    [- /] TrustEncryp : RC4 : RC4 Realm Trusts (default)
    [- /] TrustEncryp : DES : go back to DES

    C:\kerberos>
8.4.2 reqdccert.vbs

This tool originates from:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

    Set oargs = WScript.Arguments
    Set oshell = WScript.CreateObject("WScript.Shell")
    '
    ' Parse command line
    '
    if oargs.count < 1 then
        stemplatename = "DomainController"
        stype = "E"
    else
        if ((oargs(0) = "-?") or (oargs.count < 2)) then
            Wscript.Echo "Usage: reqdccert.vbs [Templatename] [Type]"
            Wscript.Echo "[Templatename] is the name of a V2 template"
            Wscript.Echo "[Type] can be E for Email and A for Authentication certificate"
            Wscript.Echo "If no option is specified, the DomainController certificate template is used."
            Wscript.Quit 1
        else
            stemplatename = oargs(0)
            stype = oargs(1)
        end if
    end if

    Set ofilesystem = CreateObject("Scripting.FileSystemObject")
    Set objsysinfo = CreateObject("ADSystemInfo")
    Set objdc = GetObject("LDAP://" & objsysinfo.computername)
    sguid = objdc.guid
    sdnshostname = objdc.dnshostname
    shostname = objdc.cn
    '
    '
    ' Create the ASN.1 file
    '
    '
    Dim aasnsubstring(2, 5)
    Const HEX_DATA_LENGTH = 1
    Const ASCIIDATA = 2
    Const HEXDATA = 3
    Const HEX_BLOB_LENGTH = 4
    Const HEX_TYPE = 5

    aasnsubstring(0, ASCIIDATA) = sdnshostname
    aasnsubstring(0, HEX_TYPE) = "82"
    '
    ' Convert DNS name into Hex
    '
    For i = 1 to Len(aASNsubstring(0, ASCIIDATA))
        aasnsubstring(0, HEXDATA) = aasnsubstring(0, HEXDATA) & _
            Hex(Asc(Mid(aASNsubstring(0, ASCIIDATA), i, 1)))
    Next
    aasnsubstring(0, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(0, HEXDATA)) / 2)
    '
    ' Build the ASN.1 blob for DNS name
    '
    sasn = aasnsubstring(0, HEX_TYPE) & _
           aasnsubstring(0, HEX_DATA_LENGTH) & _
           aasnsubstring(0, HEXDATA)
    '
    ' Append the GUID as other name
    '
    if (stype = "E") then
        aasnsubstring(1, HEXDATA) = sguid
        aasnsubstring(1, HEX_TYPE) = "A0"
        aasnsubstring(1, HEX_DATA_LENGTH) = ComputeASN1 (Len(aASNsubstring(1, HEXDATA)) / 2)
        sasn = sasn & _
               "A01F06092B0601040182371901" & _
               aasnsubstring(1, HEX_TYPE) & _
               "120410" & _
               aasnsubstring(1, HEXDATA)
    end if
    '
    ' Write the ASN.1 blob into a file
    '
    Set ofile = ofilesystem.createtextfile(shostname & ".asn")
    '
    ' Put sequence, total length and ASN1 blob into the file
    '
    ofile.writeline "30" & ComputeASN1 (Len(sASN) / 2) & sasn
    ofile.close
    '
    ' Use certutil to convert the hex string into bin
    '
    oshell.run "certutil -f -decodehex " & shostname & ".asn " & _
               shostname & ".bin", 0, True
    '
    ' Use certutil to convert the bin into base64
    '
    oshell.run "certutil -f -encode " & shostname & ".bin " & _
               shostname & ".b64", 0, True
    '
    '
    ' Create the INF file
    '
    '
    Set ifile = ofilesystem.opentextfile(shostname & ".b64")
    Set ofile = ofilesystem.createtextfile(shostname & ".inf")
    ofile.writeline "[Version]"
    ofile.writeline "Signature= " & Chr(34) & "$Windows NT$" & Chr(34)
    ofile.writeline ""
    ofile.writeline "[NewRequest]"
    ofile.writeline "KeySpec = 1"
    ofile.writeline "KeyLength = 1024"
    ofile.writeline "Exportable = TRUE"
    ofile.writeline "MachineKeySet = TRUE"
    ofile.writeline "SMIME = FALSE"
    ofile.writeline "PrivateKeyArchive = FALSE"
    ofile.writeline "UserProtected = FALSE"
    ofile.writeline "UseExistingKeySet = FALSE"
    ofile.writeline "ProviderName = " & Chr(34) & _
                    "Microsoft RSA SChannel Cryptographic Provider" & Chr(34)
    ofile.writeline "ProviderType = 12"
    ofile.writeline "RequestType = PKCS10"
    ofile.writeline "KeyUsage = 0xa0"
    ofile.writeline ""
    ofile.writeline "[EnhancedKeyUsageExtension]"
    ofile.writeline "OID=1.3.6.1.5.5.7.3.1"
    ofile.writeline "OID=1.3.6.1.5.5.7.3.2"
    ofile.writeline ";"
    ofile.writeline "; The subject alternative name (SAN) can be included in the INF-file"
    ofile.writeline "; for a Windows 2003 CA."
    ofile.writeline "; You don't have to specify the SAN when submitting the request."
    ofile.writeline ";"
    ofile.writeline "[Extensions]"
    iline = 0
    Do While ifile.atendofstream <> True
        sline = ifile.readline
        If sline = "-----END CERTIFICATE-----" then
            Exit Do
        end if
        if sline <> "-----BEGIN CERTIFICATE-----" then
            if iline = 0 then
                ofile.writeline "2.5.29.17=" & sline
            else
                ofile.writeline "_continue_=" & sline
            end if
            iline = iline + 1
        end if
    Loop
    ofile.writeline "Critical=2.5.29.17"
    ofile.writeline ";"
    ofile.writeline "; The template name can be included in the INF-file for any CA."
    ofile.writeline "; You don't have to specify the template when submitting the request."
    ofile.writeline ";"
    ofile.writeline ";[RequestAttributes]"
    ofile.writeline ";CertificateTemplate=" & stemplatename
    ofile.close
    ifile.close
    '
    '
    ' Create the certreq.exe command-line to submit the certificate request
    '
    '
    Set ofile = ofilesystem.createtextfile(shostname & "-req.bat")
    ofile.writeline "CERTREQ -attrib " _
                    & Chr(34) & "CertificateTemplate:" & stemplatename _
                    & Chr(34) & " " & shostname & ".req"
    '
    ' The GUID structure needs to be reconstructed. The GUID is read
    ' as a string like f4aaa8576e6828418712b6ca89fbf5bc however the
    ' format that is required for the certreq command looks like
    ' 57a8aaf4-686e-4128-8712-b6ca89fbf5bc. The bytes are reordered
    ' in the following way:
    '
    '                   11111111112222222222333
    ' Position  12345678901234567890123456789012
    '           ------ -- -- -- --------------
    ' Original GUID:    f4aaa8576e6828418712b6ca89fbf5bc
    '
    '                   11 1 1111 1112 222222222333
    ' Position  78563412 1290 5634 7890 123456789012
    '           ------- --- --- --- ----------
    ' Reformatted GUID: 57a8aaf4-686e-4128-8712-b6ca89fbf5bc
    '
    ofile.writeline "REM "
    ofile.writeline "REM!!! Only valid for Windows 2003 or later versions!!!"
    ofile.writeline "REM If you do not specify certificate extensions in the *.INF file"
    ofile.writeline "REM they can be specified here like the following example"
    ofile.writeline "REM "
    ofile.writeline "REM CERTREQ -submit -attrib " _
                    & Chr(34) & "CertificateTemplate:" & stemplatename _
                    & "\n" _
                    & "SAN:guid=" _
                    & Mid(sGUID, 7, 2) _
                    & Mid(sGUID, 5, 2) _
                    & Mid(sGUID, 3, 2) _
                    & Mid(sGUID, 1, 2) & "-" _
                    & Mid(sGUID, 11, 2) _
                    & Mid(sGUID, 9, 2) & "-" _
                    & Mid(sGUID, 15, 2) _
                    & Mid(sGUID, 13, 2) & "-" _
                    & Mid(sGUID, 17, 4) & "-" _
                    & Mid(sGUID, 21, 12) _
                    & "&DNS=" & sdnshostname & Chr(34) & " " & shostname & ".req"
    ofile.close
    '
    '
    ' Create the certificate verification script
    '
    '
    Set ofile = ofilesystem.createtextfile(shostname & "-vfy.bat")
    ofile.writeline "certutil -viewstore " & Chr(34) & objdc.distinguishedname & _
                    "?usercertificate" & chr(34)
    ofile.close
    '
    '
    ' Compute the ASN1 string
    '
    '
    Function ComputeASN1 (istrlen)
        If Len(Hex(iStrLen)) Mod 2 = 0 then
            slength = Hex(iStrLen)
        else
            slength = "0" & Hex(iStrLen)
        end if
        if istrlen > 127 then
            ComputeASN1 = Hex (128 + (Len(sLength) / 2)) & slength
        else
            ComputeASN1 = slength
        End If
    End Function

8.5 Links

The following reports were of great help in setting up the Solaris 10 / Active Directory integration:

http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/
http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/
http://forum.java.sun.com/thread.jspa?threadid=5111474&messageid=9379065
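The subjectAltName value "2.5.29.17=MBGCD21lcmxpbjMuY3NuYy5jaA==" in the INF file of section 8.3 is the output of the reqdccert.vbs blob construction in section 8.4.2: a DER SEQUENCE holding one dNSName GeneralName. The following Python code is an added example and not part of the document or of the Microsoft script; it reimplements ComputeASN1 and the dNSName blob, adds a decoder so the INF value can be checked offline, and applies the GUID byte reordering from the script's comment block. The host name "merlin3.csnc.ch" and the sample GUID are the values that appear on the page.

```python
"""Build and decode the subjectAltName blob that reqdccert.vbs writes into the INF file.

Added example; not code from the Compass Security document or from Microsoft.
der_length mirrors ComputeASN1 in the VBScript, san_dns_hex mirrors the
"30" + length + "82" + length + hex(dnsname) construction.
"""
import base64


def der_length(n):
    """DER length octets as upper-case hex, like ComputeASN1 in the VBScript.

    Lengths up to 127 use one byte; larger lengths use 0x80 | (number of
    length bytes) followed by the big-endian length.
    """
    if n < 0:
        raise ValueError("negative length")
    if n <= 127:
        return f"{n:02X}"
    body = f"{n:X}"
    if len(body) % 2:
        body = "0" + body
    return f"{0x80 + len(body) // 2:02X}" + body


def san_dns_hex(dnsname):
    """Hex of a GeneralNames SEQUENCE containing one dNSName [2] IA5String."""
    name_hex = dnsname.encode("ascii").hex().upper()
    general_name = "82" + der_length(len(name_hex) // 2) + name_hex
    return "30" + der_length(len(general_name) // 2) + general_name


def san_dns_base64(dnsname):
    """Base64 form, i.e. what follows '2.5.29.17=' in the INF file."""
    return base64.b64encode(bytes.fromhex(san_dns_hex(dnsname))).decode("ascii")


def _read_length(data, pos):
    """Read a DER length at data[pos]; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def decode_san_dns(b64):
    """Parse a blob made by san_dns_base64 and return the dNSName it carries."""
    data = base64.b64decode(b64)
    if data[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len, pos = _read_length(data, 1)
    if pos + seq_len != len(data):
        raise ValueError("SEQUENCE length does not match blob size")
    if data[pos] != 0x82:
        raise ValueError("first GeneralName is not a dNSName")
    name_len, pos = _read_length(data, pos + 1)
    return data[pos:pos + name_len].decode("ascii")


def reorder_guid(raw):
    """Turn the 32-hex-digit objectGUID string into certreq's SAN:guid= form.

    The first three GUID fields are stored little-endian, so their bytes are
    reversed; the last two fields are copied as-is (see the VBScript comment).
    """
    raw = raw.lower()
    if len(raw) != 32:
        raise ValueError("expected 32 hex digits")
    b = [raw[i:i + 2] for i in range(0, 32, 2)]
    return "-".join([
        "".join(reversed(b[0:4])),
        "".join(reversed(b[4:6])),
        "".join(reversed(b[6:8])),
        "".join(b[8:10]),
        "".join(b[10:16]),
    ])


if __name__ == "__main__":
    print(san_dns_base64("merlin3.csnc.ch"))
    print(decode_san_dns("MBGCD21lcmxpbjMuY3NuYy5jaA=="))
    print(reorder_guid("f4aaa8576e6828418712b6ca89fbf5bc"))
```

Decoding the page's INF value yields the lower-case DNS name "merlin3.csnc.ch", which is the name a client such as ldapsearch on Solaris compares against the server it connected to; a mismatch between this SAN and the FQDN used in the LDAP configuration is the first thing to check when the TLS handshake of section 3.7 fails.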