nss_ad in OmniOSCE r151030?

AveryFreeman

Hello

I'm trying to find the best way to join my OmniOS server to my AD domain network

I came across this Oracle page and I was wondering if anything similar exists for OmniOS r151030, etc.?

Overview of the nss_ad Naming Service Module - Oracle Solaris Administration: Naming and Directory Services

Thank you :)
Avery

Edit: I thought I would flesh out my post with where I'm at in the process right now:

I try to enable kclient, but this is what I get:

Code:
root@napp-it01:/usr/lib/ldap# kclient -T ms_ad

Starting client setup

---------------------------------------------------

Setting up /etc/krb5/krb5.conf.

Attempting to join 'NAPP-IT01' to the 'DOMAIN.COM' domain.

Password for Administrator@DOMAIN.COM:

Forest name found: domain.com

Site name not found.  Local DCs/GCs will not be discovered.

Creating the machine account in AD via LDAP.

Failed to create the AD object via LDAP.
---------------------------------------------------
Setup FAILED.

My /etc/nsswitch.conf:

Code:
passwd:     files ldap
group:      files ldap

# consult /etc "files" only if ldap is down.
hosts:      files [SUCCESS=return] dns

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files [SUCCESS=return] dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files

netgroup:   files

automount:  files ldap
aliases:    files

# for efficient getservbyname() avoid ldap
services:   files

printers:   user files

auth_attr:  files
prof_attr:  files

project:    files

tnrhtp:     files
tnrhdb:     files

And my /etc/krb5/krb5.conf:

Code:
[libdefaults]
        default_realm = DOMAIN.COM
        dns_lookup_kdc = true
        verify_ap_req_nofail = false


[realms]
        DOMAIN.COM = {
                kdc = 2012dc01.domain.com
                kdc = 2012dc02.domain.com
                admin_server = 2012dc01.domain.com
                kpasswd_server = 2012dc01.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {

# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.

                period = 1d

# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)

                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }

Current SMB properties: sharectl get smb:

Code:
system_comment=
max_workers=1024
netbios_enable=true
netbios_scope=
lmauth_level=4
keep_alive=5400
wins_server_1=
wins_server_2=
wins_exclude=
signing_enabled=true
signing_required=false
restrict_anonymous=false
pdc=
ads_site=192.168.1.2
ddns_enable=true
autohome_map=/etc
ipv6_enable=false
print_enable=false
traverse_mounts=true
map=
unmap=
disposition=
max_protocol=

Any ideas?

gea

If you only want to join a Windows AD domain:

1. use dns in nsswitch.conf
There are different nsswitch templates in /etc.
"cp /etc/nsswitch.dns /etc/nsswitch.conf" activates the correct one for dns/ad

2. join the domain
e.g. via the napp-it menu SMB > Services > Active Directory

AveryFreeman

Ohh, interesting

But is the connection adequate for logging in using domain users? I have file sharing working fine; I was hoping there'd be a way I could log in using a domain user.

# kclient -T ms_ad fails, unfortunately.

Thanks for your help

Edit: nsswitch.dns and nsswitch.conf are basically the same in my case (except 'ad' is after 'files' for passwd and group)

AveryFreeman

It looks like there's another issue with NTP that's complicating things.

I'm noticing these error messages when I try to log in with an idmapped domain user:

[screenshot of the login error messages, upload_2020-1-2_8-34-27.png, not preserved]

You can see ntp is trying to run but doesn't appear to be able to; if I enable it, it still says it's offline.

Code:
root@napp-it01:~# svcs -v ntp
STATE          NSTATE        STIME    CTID   FMRI
offline        -             10:35:46      - svc:/network/ntp:default

root@napp-it01:~# svcadm -v enable ntp
svc:/network/ntp:default enabled.

root@napp-it01:~# svcs -v ntp
STATE          NSTATE        STIME    CTID   FMRI
offline        -             10:35:46      - svc:/network/ntp:default

My ntp.conf:

Code:
## NTP daemon configuration file. See ntp.conf(4) for full documentation.

## Always configure the drift file. It can take days for ntpd to completely
## stabilize and without the drift file, it has to start over on a reboot
## of if ntpd restarts.
driftfile /var/ntp/ntp.drift

## It is always wise to configure at least the loopstats and peerstats files.
## Otherwise when ntpd does something you don't expect there is no way to
## find out why.
statsdir /var/ntp/ntpstats/

## To track the events regarding the system clock, the protostats file can be useful
## as well.
filegen protostats file protostats type day enable

## The sysstats and rawstats output might be useful in debugging, but are
## not important otherwise.
filegen sysstats file sysstats type day enable
filegen rawstats file rawstats type day enable

## Default to ignore all for safety -- no incoming packets are trusted.
restrict default ignore
restrict -6 default ignore

## Permit localhost to connect to and manage ntpd
restrict 127.0.0.1      # Allow localhost full access
restrict -6 ::1         # Same, for IPv6

## Permit ntp server to reply to our queries
restrict source nomodify noquery notrap

# From Samba wiki - not sure if works.  Local clock. Note that is not the "localhost" address!
#server 127.127.1.0
#fudge  127.127.1.0 stratum 10

# Where to retrieve the time from
pool 192.168.1.2     burst iburst prefer minpoll 4
pool 192.168.1.3     burst iburst minpoll 4

# Enable the time sources only to only provide time to this host
restrict 192.168.1.2   mask 255.255.255.255    nomodify notrap nopeer noquery
restrict 192.168.1.3   mask 255.255.255.255    nomodify notrap nopeer noquery

/var/ntp/ntpstats is empty :(

I'm stumped.

EffrafaxOfWug

Don't know whether or not this has ntpdate available, but if you run ntpdate against your 192.168.1.[2|3] NTP servers, what happens? Otherwise check the logs for the NTP service and see why it's failing. Here's what it should look like when being run against a working NTP server.

Code:
root@wug:~# ntpdate -d 10.1.0.1
 2 Jan 17:33:38 ntpdate[16977]: ntpdate 4.2.8p10@1.3728-o Sun Feb 25 21:22:56 UTC 2018 (1)
transmit(10.1.0.1)
receive(10.1.0.1)
transmit(10.1.0.1)
receive(10.1.0.1)
transmit(10.1.0.1)
receive(10.1.0.1)
transmit(10.1.0.1)
receive(10.1.0.1)
server 10.1.0.1, port 123
stratum 2, precision -24, leap 00, trust 000
refid [10.1.0.1], delay 0.02568, dispersion 0.00000
transmitted 4, in filter 4
reference time:    e1b8a10f.0a4dab8f  Thu, Jan  2 2020 17:04:15.040
originate timestamp: e1b8a7f8.ab49af93  Thu, Jan  2 2020 17:33:44.669
transmit timestamp:  e1b8a7f8.ab438ef6  Thu, Jan  2 2020 17:33:44.668
filter delay:  0.02576  0.02568  0.02568  0.02568
         0.00000  0.00000  0.00000  0.00000
filter offset: -0.00000 -0.00000 -0.00000 -0.00000
         0.000000 0.000000 0.000000 0.000000
delay 0.02568, dispersion 0.00000
offset -0.000007

 2 Jan 17:33:44 ntpdate[16977]: adjust time server 10.1.0.1 offset -0.000007 sec

AveryFreeman


It looks very similar:

Code:
Last login: Mon Jan  6 07:53:35 2020 from 192.168.1.122
OmniOS 5.11     omnios-r151030-77face1d15       November 2019
You have new mail.
root@napp-it01:~# ntpdate
 6 Jan 08:33:08 ntpdate[18956]: no servers can be used, exiting
root@napp-it01:~# ntpdate -d 192.168.1.2
 6 Jan 08:33:16 ntpdate[18962]: ntpdate 4.2.8p13@1.3847-o Fri Apr 26 23:10:11 UTC 2019 (1)
Looking for host 192.168.1.2 and service ntp
192.168.1.2 reversed to 2012dc01.webtool.space
host found : 2012dc01.webtool.space
transmit(192.168.1.2)
receive(192.168.1.2)
transmit(192.168.1.2)
receive(192.168.1.2)
transmit(192.168.1.2)
receive(192.168.1.2)
transmit(192.168.1.2)
receive(192.168.1.2)

server 192.168.1.2, port 123
stratum 3, precision -6, leap 00, trust 000
refid [74.6.168.72], root delay 0.031342, root dispersion 0.056503
reference time:      e1bdde4d.9ad72e4f  Mon, Jan  6 2020  8:26:53.604
originate timestamp: e1bddfd2.12e7909d  Mon, Jan  6 2020  8:33:22.073
transmit timestamp:  e1bddfd3.0007ee50  Mon, Jan  6 2020  8:33:23.000
filter delay:  0.04324    0.04181    0.04163    0.04184
               ----       ----       ----       ----
filter offset: -0.927310  -0.926571  -0.926497  -0.926575
               ----       ----       ----       ----
delay 0.04163, dispersion 0.00014, offset -0.926497

 6 Jan 08:33:23 ntpdate[18962]: step time server 192.168.1.2 offset -0.926497 sec

root@napp-it01:~# date
January  6, 2020 at 08:34:38 AM PST

It looks like date/time matches my domain.

Now the console is complaining of a botched LDAP config. Does anyone know how to clear the LDAP cache? I do not know of any config files.

I am going to try this in the near future; does anyone know anything about it? idodeclare/adjoin-illumos