Oracle Solaris Administration: Naming and Directory Services (Oracle Solaris 11 Information Library)
Overview of the nss_ad Naming Service Module

The Oracle Solaris client must be joined to an AD domain before any of the AD interoperability functionality, including nss_ad, can be used. The kclient utility is used to join the client to AD. During the join operation, kclient configures Kerberos v5 on the client. Thereafter, nss_ad can be used to resolve naming service requests by specifying ad as a source in the nsswitch.conf file for the supported databases. The nss_ad module uses host credentials to look up naming service information in AD.

The nss_ad module uses DNS server records to auto-discover AD directory servers, such as domain controllers and global catalog servers. Therefore, DNS must be properly configured on the Oracle Solaris client. The nss_ad module also uses the LDAP v3 protocol to access naming information from AD servers. The AD server schema requires no modification because nss_ad works with the native AD schema.

The nss_ad module does not currently support logins by Windows users to an Oracle Solaris system. Until such logins are supported, those users should continue to log in by using traditional back ends such as nis and ldap.

The idmap and svc:/system/name-service/cache services must be enabled to use nss_ad. The nss_ad module uses the idmap service to map between Windows security identifiers (SIDs), UNIX user identifiers (UIDs), and group identifiers (GIDs).

Ensure that all AD user and group names are qualified with domain names such as user@domain or group@domain. For example, getpwnam(dana) will fail, but getpwnam(dana@domain) will succeed, provided that dana is a valid Windows user in the domain named domain.

The following additional rules also pertain to the nss_ad module:

How to Configure the nss_ad Module

The nss_ad module requires that the Oracle Solaris client use DNS for host resolution.

  1. Configure the DNS service.

    See How to Enable a DNS Client for instructions.

    Note - The AD domain name must be specified either by means of the domain directive or as the first item in the list specified by the search directive.

    If both directives are specified, then whichever is last takes precedence. This is required for the idmap auto-discovery feature to work properly.

    In the following example, the dig commands verify that the AD server can be resolved by using its name and IP address.

    # dig -x +short
    # dig +short
  2. Add dns to the list of naming services for hosts.
    # svccfg -s svc:/system/name-service/switch
    svc:/system/name-service/switch> setprop config/host = astring: "files dns"
    svc:/system/name-service/switch> select system/name-service/switch:default
    svc:/system/name-service/switch:default> refresh
    svc:/system/name-service/switch:default> quit

    Note - To include additional naming services such as nis or ldap for host resolution, add them after dns.

  3. Verify that the DNS service is enabled and online.

    For example:

    # svcs svc:/network/dns/client
    online Oct_14 svc:/network/dns/client:default
  4. Use the kclient utility to join the system to the AD domain.

    For example:

    # /usr/sbin/kclient -T ms_ad
  5. Add ad to the list of naming services for password and group.
    # svccfg -s svc:/system/name-service/switch
    svc:/system/name-service/switch> setprop config/password = astring: "files nis ad"
    svc:/system/name-service/switch> setprop config/group = astring: "files nis ad"
    svc:/system/name-service/switch> select system/name-service/switch:default
    svc:/system/name-service/switch:default> refresh
    svc:/system/name-service/switch:default> quit
  6. Enable the idmap service.
    # svcadm enable idmap
  7. Update the SMF repository for the name service switch service.
    # svcadm refresh name-service/switch

    Note - The nscd daemon is restarted automatically, if necessary, whenever the name service switch service is refreshed.

  8. Verify that you can access user and group information from AD.

    For example:

    # getent passwd 'test_user@example'
    # getent passwd 2154266625
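The following script is an added example and is not part of the Oracle Solaris documentation. It checks, offline and against constructed sample input, the prerequisites the procedure above depends on: the domain/search precedence rule from step 1, the dns ordering rule from step 2, the ad source required in step 5, and the domain-qualified name rule from the overview (getpwnam(dana) versus getpwnam(dana@domain)). The function names, the svcprop invocation in the header comment and the sample resolv.conf text are assumptions.

```shell
# Added example, not from the Oracle Solaris documentation: offline checks for the
# nss_ad prerequisites in the procedure above. Inputs are constructed text; on a
# real client feed in /etc/resolv.conf and the switch properties from (assumed)
#   svcprop -p config/host -p config/password -p config/group name-service/switch

# Effective AD domain for idmap auto-discovery: the "domain" directive or the first
# item of "search"; when both are present, the one that appears last wins.
effective_ad_domain() {
    printf '%s\n' "$1" | awk '$1 == "domain" || $1 == "search" { dom = $2 } END { print dom }'
}

# hosts sources: dns must be listed, and nis/ldap may only follow it (step 2 note).
hosts_order_ok() {
    printf '%s\n' "$1" | awk '{
        seen_dns = 0; ok = 1
        for (i = 1; i <= NF; i++) {
            if ($i == "dns") seen_dns = 1
            else if (($i == "nis" || $i == "ldap") && !seen_dns) ok = 0
        }
        if (seen_dns && ok) exit 0; else exit 1
    }'
}

# password/group sources: "ad" must be present (step 5).
source_has_ad() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "ad") exit 0; exit 1 }'
}

# AD lookups only succeed for domain-qualified names such as user@domain.
ad_name_qualified() {
    case "$1" in ?*@?*) return 0 ;; *) return 1 ;; esac
}

# Verdict for one client: 0 when every prerequisite checked here holds.
# Arguments: expected AD domain, resolv.conf text, hosts, password, group sources.
nss_ad_ready() {
    [ "$(effective_ad_domain "$2")" = "$1" ] &&
        hosts_order_ok "$3" && source_has_ad "$4" && source_has_ad "$5"
}

# Constructed sample: the AD domain is corp.example.com, but "search" comes last,
# so its first item (example.com) takes precedence and the check fails.
SAMPLE_RESOLV='domain corp.example.com
search example.com corp.example.com
nameserver 192.0.2.10'
if nss_ad_ready corp.example.com "$SAMPLE_RESOLV" "files dns" "files nis ad" "files nis ad"; then
    echo "nss_ad prerequisites look correct"
else
    echo "nss_ad prerequisites NOT met: check resolv.conf domain/search order and switch sources"
fi
```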