System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Configuring the nss_ad Naming Service Module

The nss_ad module requires that the Solaris client use DNS for host resolution.

Procedure: How to Configure the nss_ad Module

  1. Edit the /etc/resolv.conf file to point to the correct domain, using the correct search order.

    Pointing to the correct DNS domain and servers in the /etc/resolv.conf file usually involves specifying the domain controller as the DNS server.


    Note –

    The AD domain name must be specified in /etc/resolv.conf either by means of the domain directive or as the first item in the list specified by the search directive.

    If both directives are specified, then whichever appears last in the file takes precedence. Specifying the AD domain in this way is required for the idmap auto-discovery feature to work properly.


    In the following example, the AD domain, ad.example, is specified by the domain directive. The dig commands verify that the AD server, which is specified by the nameserver directive, can be resolved by using its name and IP address.


    % cat /etc/resolv.conf
    domain ad.example
    nameserver 192.168.11.22
    % dig -x 192.168.11.22 +short
    myserver.ad.example
    % dig myserver.ad.example +short
    192.168.11.22
    
  2. Edit the /etc/nsswitch.conf file, and add dns to the list of naming services for hosts and ipnodes.

    For example, the file might look like the following:


    % egrep '^hosts|^ipnodes' /etc/nsswitch.conf
    hosts:   files  dns
    ipnodes: files  dns
    

    Note –

    To include additional naming services such as nis or ldap for host resolution, add them after dns in the /etc/nsswitch.conf file.


  3. Verify that the DNS service is enabled and online.

    For example:


    % svcs svc:/network/dns/client
    STATE STIME FMRI
    online Oct_14 svc:/network/dns/client:default
    
  4. Use the kclient utility to join the system to the AD domain.

    For example:


    % /usr/sbin/kclient -T ms_ad
    
  5. Edit the /etc/nsswitch.conf file, adding ad to the passwd and group entries.

    For example:


    % egrep '^passwd|^group' /etc/nsswitch.conf
    passwd:  files  nis  ad
    group:   files  nis  ad
    

    Note –

    /etc/nsswitch.ad is a sample configuration file that can be copied to /etc/nsswitch.conf. It uses AD for passwd and group, DNS for host lookups, and files for the remaining databases. Because the AD naming service is not yet a complete Solaris solution, add other naming services as appropriate to the nsswitch.conf file.


  6. Enable the idmap service.


    % svcadm enable idmap
    
  7. Enable the nscd service.


    % svcs name-service-cache
    STATE STIME FMRI
    disabled 13:15:48 svc:/system/name-service-cache:default
    
    % svcadm enable name-service-cache
    

    Note –

    The nscd module automatically restarts whenever /etc/nsswitch.conf is changed.


  8. Verify that you can access user and group information from AD.

    For example:


    % getent passwd 'test_user@example'
    test_user@example:x:2154266625:2154266626:test_user::
    
    % getent passwd 2154266625
    test_user@example:x:2154266625:2154266626:test_user::
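The following pre-flight check covers the resolv.conf and nsswitch.conf requirements from steps 1, 2 and 5 (the AD domain selection rule, dns listed for hosts and ipnodes before nis or ldap, and ad listed for passwd and group). It is an added example for this page, not Solaris code or part of the original guide; it assumes the two files are passed as arguments and needs only sh and awk, so it can be run against copies of the files on any system.

```shell
#!/bin/sh
# Pre-flight check for the nss_ad prerequisites described in this procedure.
# Reads resolv.conf and nsswitch.conf from the paths given as arguments, so it
# can be run against copies of the real files. Example code added to this page;
# it is not part of Solaris or of the original guide.

# Print the AD domain resolv.conf effectively selects: the domain directive or
# the first item of search; when both appear, the later one in the file wins.
effective_ad_domain() {
    awk '$1 == "domain" || $1 == "search" { dom = $2 } END { if (dom != "") print dom }' "$1"
}

# Succeed when the given database (hosts or ipnodes) lists dns and no nis or
# ldap source precedes it, as the note after step 2 requires.
db_uses_dns() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) {
            if ($i == "dns") { ok = 1; break }
            if ($i == "nis" || $i == "ldap") break } }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Succeed when the given database (passwd or group) lists the ad source.
db_has_ad() {
    awk -v db="$2:" '$1 == db { for (i = 2; i <= NF; i++) if ($i == "ad") ok = 1 }
        END { exit (ok ? 0 : 1) }' "$1"
}

# Run every check; report each failure and return non-zero if any failed.
check_nss_ad_prereqs() {
    rc=0
    dom=$(effective_ad_domain "$1")
    [ -n "$dom" ] || { echo "resolv.conf: no domain or search directive"; rc=1; }
    for db in hosts ipnodes; do
        db_uses_dns "$2" "$db" || { echo "nsswitch.conf: $db must list dns before nis/ldap"; rc=1; }
    done
    for db in passwd group; do
        db_has_ad "$2" "$db" || { echo "nsswitch.conf: $db must list ad"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "AD domain $dom: prerequisites satisfied"
    return $rc
}

# Constructed sample files mirroring the examples in steps 1, 2 and 5.
DEMO_DIR=$(mktemp -d)
printf 'domain ad.example\nnameserver 192.168.11.22\n' > "$DEMO_DIR/resolv.conf"
printf 'hosts:   files  dns\nipnodes: files  dns\npasswd:  files  nis  ad\ngroup:   files  nis  ad\n' > "$DEMO_DIR/nsswitch.conf"
check_nss_ad_prereqs "$DEMO_DIR/resolv.conf" "$DEMO_DIR/nsswitch.conf"
```

Run it as `sh check.sh /etc/resolv.conf /etc/nsswitch.conf` after replacing the demo call at the bottom with `check_nss_ad_prereqs "$1" "$2"`; a non-zero exit means one of the listed requirements is not met.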