Automount: create home directories on demand in Solaris

http://znogger.blogspot.com/2010/05/solaris-automatic-creation-of-home-dirs.html

Add an entry for the executable map to /etc/auto_master:

echo "/export/home/ad /etc/auto_homedir" >> /etc/auto_master

Create the /etc/auto_homedir executable map. automountd runs it as root with the requested key (the path component under /export/home/ad) as $1 and reads the map entry from its stdout, so the script must print nothing else:

root@ueq2szsapapt01:~# cat /etc/auto_homedir
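#!/bin/bash
#
# Executable automounter map for /export/home/ad (registered in
# /etc/auto_master). automountd runs this file as root with the requested
# map key -- the path component under /export/home/ad, i.e. the user name --
# as $1, and takes whatever appears on stdout as the map entry. Printing
# nothing means "no entry", so all diagnostics go to a log file, never stdout.
#
# The real directory lives under PHYSICALDIRPATH; it is created and chowned on
# first use, then returned as a loopback (localhost:) mount for the key.
set -euo pipefail

# shellcheck disable=SC2034  # kept for reference; keys are relative to it
HOMEDIRPATH=/export/home/ad        # the automount point
PHYSICALDIRPATH=/export/home/.ad   # where the home directories really live
HOMEDIRGROUP=""                    # empty: "chown user:" selects the user's login group
# Append-only log outside /tmp. This script runs as root, so a predictable
# path in a world-writable directory could be pre-created or symlinked by any
# local user to make root overwrite a file of their choice.
LOGFILE=/var/log/autohome.log

# log MESSAGE... -- append one line to LOGFILE; never fails the map lookup.
log() {
  printf '%s\n' "$*" >> "$LOGFILE" 2>/dev/null || true
}

# sanitize_key KEY -- print KEY with every "/" replaced by "_" (a home
# directory name must be a single path component). Returns 1, printing
# nothing, for the keys that must never become a directory name: empty,
# "." and "..".
sanitize_key() {
  local key=$1
  case "$key" in
    ''|.|..) return 1 ;;
  esac
  printf '%s\n' "${key//\//_}"
}

# user_exists NAME -- 0 when NSS (getent passwd) returns an entry for NAME.
user_exists() {
  [[ -n "$(getent passwd "$1" 2>/dev/null)" ]]
}

# main KEY -- print the map entry for KEY, creating the directory if needed.
# Every "no entry" path returns 0 with no output, which is how automountd
# expects an executable map to signal that the key does not exist.
main() {
  local key=${1-} sanitized phdir

  if ! sanitized=$(sanitize_key "$key"); then
    log "auto_homedir: rejected key '$key'"
    return 0
  fi
  # Only create directories for names NSS knows about.
  # NOTE(review): the key is the literal path component requested. With
  # "template homedir = /export/home/ad/%D_%U" that is DOMAIN_user, which may
  # not be a name winbind resolves (its separator is "/") -- confirm the key
  # form matches what getent accepts, otherwise no directory is ever created.
  if ! user_exists "$key"; then
    log "auto_homedir: no passwd entry for '$key'"
    return 0
  fi

  phdir="$PHYSICALDIRPATH/$sanitized"
  if [[ ! -d "$phdir" ]]; then
    # 0700: a home directory should not be readable by others just because
    # of root's umask; the user can relax it later.
    mkdir -p -m 0700 "$phdir"
    chown "$key:$HOMEDIRGROUP" "$phdir"
    log "auto_homedir: created $phdir for $key"
  fi
  printf 'localhost:%s\n' "$phdir"
}

main "$@"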

Make the map executable. automountd only needs the execute bit (the sticky bit from the original recipe is harmless but not required). Because automountd runs this file as root, keep it owned by root and not group- or world-writable (e.g. chown root:root and chmod 755):

chmod +t+x /etc/auto_homedir

Restart the automounter

svcadm restart autofs

Create the mount point and the directory that holds the physical home directories (do this before restarting autofs so the mount point exists when the map is first read):

mkdir -p /export/home/ad

mkdir -p /export/home/.ad

Clear the cached samlogon entry (group membership) for a winbind user, e.g. after an AD group change; the cache is rebuilt on the user's next logon:

root@ueq2szsapapt01:/var/samba/locks# net cache samlogon list

SID Name When cached

S-1-5-21-4076327854-156698110-1354154815-49906 SYLVAMO\RDIRCIO Wed May 25 2:20:29 PM 2022 CDT
root@ueq2szsapapt01:/var/samba/locks# net cache samlogon delete S-1-5-21-4076327854-156698110-1354154815-49906

Restrict pam_winbind user login in Solaris 11

  •  Create a /etc/security/pam_winbind.conf file with the following contents:

[global]

require_membership_of = [SID or NAME]

try_first_pass = yes

  • Restart the winbind SMF service:

# svcadm restart winbind

[SID or NAME] is a comma-separated list of SIDs, AD users and/or AD groups. SIDs are the most robust form: names are resolved through winbind and, with 'winbind use default domain' not set and 'winbind separator = /' as in the smb.conf below, may need to be qualified as DOMAIN/NAME. This restriction applies only to PAM (pam_winbind) logins such as ssh; it does not limit access to SMB shares.

Example: the AD user jack and the members of the AD group IT-ADMIN are allowed to log in.

[global]

require_membership_of = jack,IT-ADMIN

try_first_pass = yes

Solaris 11 AD join

Solaris Samba Server Configuration Steps

– Configure DNS Client
The resolver must use the AD domain controllers as DNS servers (Kerberos and LDAP servers are located through the SRV records they publish) and search the AD domain:

/etc/resolv.conf

nameserver 10.x.x.x
search example.com

– Configure Kerberos
Create /etc/krb5.conf

[libdefaults]
    # The realm is fixed here rather than discovered from DNS TXT records
    # (dns_lookup_realm = false), so a spoofed DNS answer cannot change it.
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    # KDCs are located through the _kerberos._tcp SRV records that AD DNS
    # publishes, which is why the resolver must point at the AD servers.
    dns_lookup_kdc = true


– Confirm the system time is synchronized with the AD servers. Run the NTP service (svc:/network/ntp) rather than relying on a one-off ntpdate so the clock stays accurate.
Kerberos rejects tickets once the clock skew exceeds its tolerance (5 minutes by default), so a difference of more than a few minutes between the Samba host and the AD servers makes the domain join fail.

# ntpdate ad.example.com

– Samba Server local hostname / nodename resolution must be a fully qualified hostname.
The /etc/hosts entry for the Samba Server needs to be a FQDN to avoid Domain join failures

/etc/hosts

10.x.x.x      host.example.com    host

# getent hosts host
10.x.x.x      host.example.com    host

If the nodename must be changed after the initial boot, set it with:

# svccfg -s svc:/system/identity:node setprop config/nodename =  host.example.com
# svcadm refresh svc:/system/identity:node
 
– Create the /etc/samba/smb.conf file.

[global]

       realm = EXAMPLE.COM
       workgroup = EXAMPLE
       security = ADS
       server string =Solaris Samba Server
       # Use the host keytab written by "net ads join" for Kerberos.
       # NOTE(review): "include system krb5 conf = no" keeps Samba from pulling
       # /etc/krb5.conf into its generated Kerberos config -- confirm the
       # [libdefaults] values are still the ones Samba ends up using.
       kerberos method = system keytab
       include system krb5 conf = no
       # NOTE(review): 10 is the maximum debug level. It produces very large
       # logs and dumps protocol details, including data that should stay
       # private; use it only while troubleshooting the join, then lower it.
       loglevel = 10

      # Winbind configuration:

       # "/" separates DOMAIN and user in names (DOMAIN/user); the template
       # homedir below uses "_" because "/" cannot appear in a path component.
       winbind separator = /
      # set enum=no , this increases performance considerably
       winbind enum users = no
       winbind enum groups = no
       winbind expand groups = no
       # With enumeration off, "getent passwd" without a key does not list AD
       # users; look them up by name instead.

       template homedir = /export/home/ad/%D_%U
       template shell = /bin/bash

       # autorid allocates an ID range per domain automatically.
       # NOTE(review): the domain-to-range assignment is stored locally, so
       # UIDs/GIDs may differ between Samba hosts -- confirm before sharing
       # these home directories over NFS.
       idmap config * : backend = autorid
       idmap config * : range = 100000-4000000000
       idmap config * : rangesize = 1000000

       allow trusted domains = yes
       winbind refresh tickets = yes

     # all these are addons
#winbind use default domain = Yes
local master = No
preferred master = No
# NOTE(review): "bind interfaces only" only takes effect together with an
# "interfaces =" list, and none appears in this file.
bind interfaces only = Yes
# NOTE(review): broadcast-first resolution trusts whichever host answers on
# the LAN (spoofable); with AD DNS configured, "host" first is the safer order.
name resolve order = bcast lmhosts host wins
dns proxy = no
unix extensions = no
domain master = no
socket options = TCP_NODELAY SO_KEEPALIVE
# NOTE(review): "client schannel = no" disables signing/sealing on the
# netlogon secure channel to the DC. Current domain controllers enforce it
# and may refuse the connection; confirm this setting is still required.
client schannel = no



 
– Edit /etc/nsswitch.conf to add winbind to the passwd: and group: entries if AD user and group names need to resolve for file and directory ownership:

Solaris 10

passwd: files winbind [ TRYAGAIN = 3 ]
group: files winbind [ TRYAGAIN = 3 ]


Solaris 11

# svccfg -s svc:/system/name-service/switch setprop config/default = astring: files
# svccfg -s svc:/system/name-service/switch setprop config/password = astring: "files winbind [ TRYAGAIN = 3 ]"
# svccfg -s svc:/system/name-service/switch setprop config/group = astring: "files winbind [ TRYAGAIN = 3 ]"
# svccfg -s svc:/system/name-service/switch setprop config/host = astring: "files dns mdns winbind"
# svccfg -s svc:/system/name-service/switch setprop config/printer = astring: "user files"
# svcadm refresh svc:/system/name-service/switch


The next steps are to enable the samba and winbind services and join the Samba server to the Windows domain.
The join needs an AD account that is allowed to create or join computer objects in the target OU; a delegated join account is enough and full Domain Admin rights are not required. The password is prompted for interactively and is not stored on the Samba host (net ads join keeps only the machine account credentials in Samba's secrets store).

– Enable the Samba service

# svcadm enable samba

Confirm the samba service is online

# svcs samba
STATE          STIME    FMRI
online         15:06:22 svc:/network/samba:default

– Join the Samba server to the domain with an AD account that has rights to join computers to the domain (see above):

# net ads join -U <USER>
Enter <USER> password:
Using short domain name — <DOMAIN_NAME>
Joined ‘<HOST>’ to realm ‘<DOMAIN_NAME>’

Enable the Winbind service

# svcadm enable winbind

– Wait 2-3 minutes for winbind Service to initialize

– Confirm that the samba and winbind services are online:

# svcs samba winbind
STATE          STIME    FMRI
online         15:06:22 svc:/network/samba:default
online         15:09:55 svc:/network/winbind:default

– Confirm that winbindd can be communicated with and return ADS usernames and groups with the commands:

wbinfo -p
wbinfo -u
wbinfo -g

– Confirm that the Solaris NSS functions (configured via /etc/nsswitch.conf) can return Windows ADS user information:

getent passwd DOMAIN/Windows_Domain_Username   (with 'winbind enum users = no' in smb.conf, a bare 'getent passwd' does not list AD users, so query the name directly)

For example (this output shows the default '+' separator; with 'winbind separator = /' as in the smb.conf above, expect DOMAIN/USER):
# getent passwd | grep <USER>
<DOMAIN_NAME>+<USER>:*:<UID>:<GID>:<USER>:/<PATH>/<USER>:/bin/csh

Once completed, a Windows client should be able to map a share from the Solaris Samba server and authenticate with the user's Windows domain/ADS username and password.

– If ADS users are meant to log in to the Solaris Samba server via ssh or telnet, a pam.conf with winbind references must be put in place. Note: on Solaris 10 with Samba patch 119757-20 (SPARC) / 119758-20 (x86) or later, use the pam.conf-winbind2 file attached to Document 1413786.1 in the following steps.

# cd /etc

# cp pam.conf pam.conf.bak

# cp pam.conf-winbind pam.conf

Note: In Solaris 11.1 and later the PAM configuration is split into per-service files under /etc/pam.d. To add the winbind PAM module, make the following modifications:

Edit the files located under /etc/pam.d/ and add the line for pam_winbind.so.1 as shown in each one of the following files.


# pwd
/etc/pam.d

# cat login

#
# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# console and tty login service
#
# Authentication stack: pam_winbind is tried first as "sufficient", so an AD
# user is accepted as soon as winbind verifies the password; local accounts
# fall through to pam_unix_auth when winbind fails. try_first_pass reuses the
# token collected by pam_authtok_get instead of prompting again.
# NOTE(review): every local console login therefore goes through one winbind
# attempt first; the "other" stack on this host orders winbind after
# pam_unix_auth instead -- confirm which ordering is intended.
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_winbind.so.1 try_first_pass
auth sufficient         pam_unix_auth.so.1
auth required           pam_unix_cred.so.1

# cat other

#
# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive         pam_user_policy.so.1
auth requisite          pam_authtok_get.so.1
auth sufficient         pam_unix_auth.so.1
# Local accounts succeed at pam_unix_auth and return here; only users it
# rejects (AD accounts, or local users with a wrong password) continue.
#auth sufficient         pam_winbind.so.1 try_first_pass
auth required           pam_unix_cred.so.1
# "required" rather than the commented "sufficient" variant above: an AD user
# reaches this line after pam_unix_auth failed, and a failure here fails the
# whole authentication. try_first_pass reuses the token from pam_authtok_get.
# NOTE(review): this differs from the login stack, where pam_winbind is
# "sufficient" and listed before pam_unix_auth.
auth required         pam_winbind.so.1 try_first_pass
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
# pam_tsol_account(7) returns PAM_IGNORE if the system is not configured
# with Trusted Extensions (TX) enabled.
# pam_tsol_account(7) does need to run in the Trusted Path for ensuring remote
# hosts connecting to the global zone have a CIPSO host type.
#
account requisite       pam_roles.so.1
account definitive      pam_user_policy.so.1
account sufficient      pam_unix_account.so.1
# AD users have no local account state for pam_unix_account to check; winbind
# performs the AD-side account check for them.
account sufficient      pam_winbind.so.1 try_first_pass
account required        pam_tsol_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
session definitive      pam_user_policy.so.1
session sufficient      pam_unix_session.so.1
# Reached only when pam_unix_session does not succeed (AD users).
session sufficient      pam_winbind.so.1 try_first_pass
session optional        pam_fm_notify.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
# (no pam_winbind here: AD passwords are not changed through this host)
#
password definitive     pam_user_policy.so.1
# Password construction requirements apply to all users.
# Edit /usr/lib/security/pam_authtok_common and remove force_check
# to have the traditional authorized administrator bypass of construction
# requirements.
password include        pam_authtok_common
password required       pam_authtok_store.so.1



# cat sudo

#
# Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration for sudo(8) (explicit because we exclude
# pam_unix_session(7)).
#
session required        pam_allow.so.1
#
# sudo service account stack (explicit because of non-usage of pam_roles.so.1)
#
# NOTE(review): pam_winbind is "sufficient" and listed first, so a user whose
# winbind account check passes skips pam_user_policy and pam_unix_account
# entirely; the "other" stack places winbind after those two modules.
# Confirm this ordering is intended for sudo (local users presumably fail the
# winbind check and continue to the modules below, so they are unaffected).
account sufficient      pam_winbind.so.1        try_first_pass
account definitive      pam_user_policy.so.1
account required        pam_unix_account.so.1

Solaris 11: allow direct root login (turns root from a role back into a normal login account; see the security note in step 1)

1. In /etc/ssh/sshd_config change PermitRootLogin no to PermitRootLogin yes and save the file. Security note: direct root logins remove the per-user audit trail that the default role-based root provides; if remote root access is unavoidable, consider key-only access (PermitRootLogin without-password) and restrict the source addresses that may reach sshd.

    vi /etc/ssh/sshd_config  

  PermitRootLogin yes

2. Comment out the "CONSOLE=/dev/console" line in /etc/default/login (this lifts the restriction that root may only log in on the console).

    vi /etc/default/login

  #CONSOLE=/dev/console

3. Remove ";type=role" from the root entry in /etc/user_attr, or use the command below (this converts root from a role into a normal user, so a named login followed by su/role assumption is no longer required).

 rolemod -K type=normal root

4. Restart the Services.

#svcadm restart svc:/network/ssh:default

Freeze the 'entire' incorporation at the installed SRU. A frozen 'entire' blocks all SRU updates, including security fixes, so record the reason in the -c comment and run 'pkg unfreeze entire' before the next planned patch window.

root@ueq2solp01:~# pkg info entire
Name: entire
Summary: entire incorporation including Support Repository Update
(Oracle Solaris 11.4.42.111.0).
Description: This package constrains system package versions to the same
build. WARNING: Proper system update and correct package
selection depend on the presence of this incorporation.
Removing this package will result in an unsupported system.
For more information see:
https://support.oracle.com/rs?type=doc&id=2433412.1
Category: Meta Packages/Incorporations
State: Installed
Publisher: solaris
Version: 11.4 (Oracle Solaris 11.4.42.111.0)
Branch: 11.4.42.0.0.111.0
Packaging Date: December 3, 2021 at 10:15:58 PM
Last Install Time: December 4, 2021 at 6:33:20 AM
Size: 2.52 kB
FMRI: pkg://solaris/entire@11.4-11.4.42.0.0.111.0:20211203T221558Z
root@ueq2solp01:~# pkg freeze -c "keep at 11.4.42.111.0" entire@0.5.11,11.4-11.4.42.0.0.111.0:20211203T221558Z

pkg freeze: The following patterns attempted to freeze the listed packages
at a version different from the version at which the packages are installed.
entire@0.5.11,11.4-11.4.42.0.0.111.0:20211203T221558Z
(The pattern's "0.5.11," build component does not match the installed FMRI shown by pkg info, entire@11.4-11.4.42.0.0.111.0:20211203T221558Z, so the freeze is refused; the second attempt below uses the exact FMRI.)
root@ueq2solp01:~# pkg freeze
root@ueq2solp01:~# pkg freeze -c "keep at 11.4.42.111.0" entire@11.4-11.4.42.0.0.111.0:20211203T221558Z

entire was frozen at 11.4-11.4.42.0.0.111.0:20211203T221558Z
root@ueq2solp01:~#
root@ueq2solp01:~# pkg freeze
NAME VERSION DATE COMMENT
entire 11.4-11.4.42.0.0.111.0:20211203T221558Z 23 May 2022 22:09:22 CDT keep at 11.4.42.111.0