Configuring LDAP Authentication on Solaris 8/9/10

When I recently started getting back into Solaris, one of the things I wanted to get working was LDAP authentication, so that I can log into systems with the same set of credentials like in a business environment. As with most Solaris tasks, the information on how to set this up is scarce on the Internet, especially for Solaris 8 and 9.

I already had three LDAP instances set up in my lab environment: a primary instance and two replicas. This post will not cover the setup of these, but all three are AlmaLinux 9 containers running OpenLDAP 2.6. The replicas have been configured to allow non-SSL connections to them, for the purpose of authenticating legacy operating systems such as Solaris. I don’t recommend allowing this in a production environment of course. Perhaps at a later date I will work on configuring Solaris to connect to OpenLDAP via SSL, but even this will require allowing insecure versions of SSL/TLS.

Updating nsswitch.conf

When the LDAP client is initialized on a Solaris system, the file /etc/nsswitch.ldap is copied to /etc/nsswitch.conf. Prior to initializing the client, I recommend editing /etc/nsswitch.ldap and changing the hosts line to:

hosts: files dns

Otherwise, after the LDAP client is initialized, DNS resolution will stop working. This tripped me up the first time I initialized the LDAP client, as I had used the DNS names for my LDAP servers, and they could no longer be resolved. I guess Sun expected everyone to store all of their host information in LDAP? I don’t understand why they made this decision, but it’s present in Solaris 8 through 10.

Automounting home directories

I chose to auto-mount the home directories for the LDAP users over NFS. Solaris comes configured for this already, as Sun obviously wanted its customers to use this feature. It is relatively easy to set up and saves you the trouble of creating home directories on each system (I’m not aware of Solaris having a pam_mkhomedir.so module like Linux, but I could be wrong).

To set up automounted home directories, first export a directory containing the home directories on another *nix host. Ensure that the UIDs and GIDs match what is in LDAP. Then on the Solaris host, edit /etc/auto_home, comment out +auto_home, then enter your NFS information similar to below:

Next, restart autofs. On Solaris 8 and 9 issue /etc/init.d/autofs stop && /etc/init.d/autofs start (or I guess kill -HUP <PID>? I prefer to restart things instead of reloading them). On Solaris 10, issue svcadm restart autofs.

Automounted home directories are optional. If you would rather create directories directly in /home, comment out the /home line in /etc/auto_master first.

Initializing LDAP on Solaris 9 and 10

I used the below command to initialize the LDAP client on Solaris 9 and 10. Your bind DN should be a read-only account that can look up public user and group attributes. I would not advise using the root account for this purpose.

ldapclient manual -a credentialLevel=proxy \
-a authenticationMethod=simple \
-a "proxyPassword=bind_dn_pw" \
-a "proxyDN=uid=authagent,ou=backend,dc=example,dc=com" \
-a defaultSearchBase=dc=example,dc=com \
-a serviceSearchDescriptor=passwd:ou=people,dc=example,dc=com \
-a serviceSearchDescriptor=group:ou=groups,dc=example,dc=com \
-a serviceAuthenticationMethod=pam_ldap:simple \
-a "preferredServerList=server1 server2"

Now you should be able to su - user if everything was set up correctly.

Initializing LDAP on Solaris 8

The arguments for ldapclient in Solaris 8 are a little different than 9 and 10. I used the below command to join my Solaris 8 system to LDAP:

ldapclient -i -A "pam_ldap:simple" -a simple -c proxy \
-b "dc=example,dc=com" \
-D "uid=authagent,ou=backend,dc=example,dc=com" \
-w "bind_dn_pw" -p "server1 server2" \
-S "serviceSearchDescriptor=passwd:ou=people,dc=example,dc=com" \
-S "serviceSearchDescriptor=group:ou=groups,dc=example,dc=com"

Configuring /etc/pam.conf

After initializing the LDAP client, I was still unable to log in with my password. This stumped me for a while. Finally (don’t ask me how), I found that I had missed a step: I needed to add pam_ldap.so.1 entries to /etc/pam.conf. Prior to doing this, I recommend making a backup of /etc/pam.conf that can be quickly restored in single user mode. I used the guide from Oracle for Solaris 11 found here: https://docs.oracle.com/cd/E53394_01/html/E54912/clientsetup-89.html. However, as pam.conf is different for each version of Solaris, I edited the files manually.

Below are the /etc/pam.conf files I used for each Solaris version. Feel free to use these on your systems, although I recommend backing up your current configuration and comparing it to these first. You will need to reboot in order to log into the desktop, but not to log in with SSH.

Attachments: pam.conf_ldap_sol8, pam.conf_ldap_sol9, pam.conf_ldap_sol10

Once I added the appropriate lines to /etc/pam.conf, I was able to SSH and log in to the desktop on my Solaris 8/9/10 systems.
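The two things that bit me above (DNS dying after ldapclient copies nsswitch.ldap over nsswitch.conf, and pam.conf lacking pam_ldap.so.1 entries) are both easy to check before and after initialization. The following script is an added example, not code from the original post and not a Sun/Oracle tool; it assumes the hypothetical name ldap-preflight.sh, the default file paths named in the post, and a nawk/POSIX awk (on Solaris set AWK=nawk; the stock /usr/bin/awk is the old awk). Run it with ksh or another POSIX sh on the Solaris host, since /bin/sh on Solaris 8/9/10 is plain Bourne.

```shell
#!/bin/sh
# ldap-preflight.sh: pre-/post-flight checks for Solaris LDAP client setup.
# Added example (hypothetical script, not from the original post). Paths and
# the awk binary can be overridden through the environment.

AWK=${AWK:-awk}                 # AWK=nawk on Solaris; /usr/bin/awk there is the old awk
NSS_TEMPLATE=${NSS_TEMPLATE:-/etc/nsswitch.ldap}
NSS_ACTIVE=${NSS_ACTIVE:-/etc/nsswitch.conf}
PAM_CONF=${PAM_CONF:-/etc/pam.conf}

# Returns 0 when the (uncommented) "hosts:" line in file $1 includes "dns".
# The shipped nsswitch.ldap lists only ldap and files there, which is why
# name resolution stops the moment ldapclient copies it over nsswitch.conf.
nsswitch_hosts_ok() {
    "$AWK" '
        $1 ~ /^#/ { next }
        $1 == "hosts:" { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Returns 0 when service $2 in pam.conf $1 has an "auth" line that loads
# pam_ldap.so.1. Solaris uses the "other" stack for a service that has no
# auth lines of its own, so the lookup falls back to "other" the same way.
pam_has_ldap() {
    "$AWK" -v svc="$2" '
        $1 ~ /^#/ || NF < 4 || $2 != "auth" { next }
        { seen[$1] = 1
          for (i = 4; i <= NF; i++) if ($i ~ /pam_ldap\.so/) ldap[$1] = 1 }
        END {
            if (svc in seen) exit(ldap[svc] ? 0 : 1)
            exit(ldap["other"] ? 0 : 1)
        }
    ' "$1"
}

# Returns 0 when every name given resolves through the active name service.
# This is exactly what fails for the preferredServerList names once the
# hosts: line has lost dns.
servers_resolve() {
    for h in "$@"; do
        getent hosts "$h" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Print one PASS/FAIL line: $1 = label, remaining args = check to run.
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; status=1; fi
}

# Usage: sh ldap-preflight.sh check [ldap-server ...]
if [ "${1:-}" = "check" ]; then
    shift
    status=0
    report "hosts: line in $NSS_TEMPLATE keeps dns" nsswitch_hosts_ok "$NSS_TEMPLATE"
    [ -f "$NSS_ACTIVE" ] && report "hosts: line in $NSS_ACTIVE keeps dns" nsswitch_hosts_ok "$NSS_ACTIVE"
    for svc in login sshd other; do
        report "pam.conf auth stack for $svc loads pam_ldap.so.1" pam_has_ldap "$PAM_CONF" "$svc"
    done
    [ $# -gt 0 ] && report "LDAP server names resolve: $*" servers_resolve "$@"
    exit $status
fi
```

Run it once before ldapclient (with the server names from preferredServerList as arguments) to confirm nsswitch.ldap already carries dns, and again afterwards to confirm nsswitch.conf inherited it and that the login, sshd and other stacks in pam.conf load pam_ldap.so.1. The pam check only looks at the auth stack, which is the part that blocked password logins in the post; it does not judge whether the control flags (required, sufficient, binding) are ordered sensibly.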

UPDATE

  • I recommend setting the hosts line in /etc/nsswitch.ldap to hosts: files dns prior to initialization.

Installing OpenSSH on Solaris 8 x86

As mentioned in a previous post, I recently purchased a SunBlade 100 workstation off eBay. The first operating system I installed on it was Solaris 8, as this was the only version of Solaris I had CD ISOs for and it only has a CD-ROM drive (later I was able to install Solaris 9 on it over the network). I was disappointed to find out that Solaris 8 didn’t come with OpenSSH preinstalled; it wasn’t until Solaris 9 that SSH was installed with the base OS. I also had an x86 Solaris 8 virtual machine running in VirtualBox that I wanted to be able to access from my Linux systems (installed using the steps here: https://github.com/mac-65/Solaris_8_x86_VM). I decided to try installing OpenSSH on the VM first, as I could take snapshots and revert to a working state if a step failed. Prior to starting these steps, I applied the below patches per mac-65’s guide:

  • The Solaris 8 x86 recommended patch cluster, found here.
  • Patch 112439-02, which provides /dev/random and /dev/urandom (needed to generate SSH keys), found here.

I didn’t have to apply any patches to my SunBlade 100.

As is the case with anything I’ve tried to do with Solaris 8, there isn’t a detailed guide out there for installing OpenSSH on it. I’ve had to piece together fragments of information from old pages and forum posts. First, I needed to find the packages for OpenSSH and any dependencies. Per this guide, the packages can be found in the OpenCSW Solaris package archive. Knowing the tendency for stuff like this to disappear, I rsync’d down all of the packages and shared them out on my local network with an Nginx web server (running in a Docker container, no less; old meets new!). I downloaded the OpenCSW pkgutil (found here) and copied it to an NFS share, which I was able to mount on the Solaris 8 VM. I then changed directories to the NFS mount (I mounted it to /mnt) and installed pkgutil with: pkgadd -d pkgutil.pkg.

After installing pkgutil, I needed to update the configuration to point to my local mirror and specify the release version. This is done in /etc/opt/csw/pkgutil.conf. Note: you don’t need to mirror the packages locally like I did, but you will need to uncomment the line below and change the release name to dublin, the latest available release of OpenCSW Solaris 8 packages. Your system will also need to be able to connect out to the Internet, which is something I avoided by mirroring the packages locally.

After this was done, I tried installing OpenSSH with /opt/csw/bin/pkgutil -y -i openssh.

And … it failed. The dependency CSWcommon requires the patch 112757 for libm to be installed.

I Googled “Solaris patch 112757” and “Solaris 8 libm patch.” I found a few pages referencing this patch, but no downloads for it. Finally, on a hunch, I decided to browse the Latvian FTP site from which I downloaded the 112439-02 patch, http://ftp.lanet.lv/ftp/unix/sun-info/sun-patches/. I then searched the page and there it was!

Thank you to the person hosting these historic files out on the Internet! I copied the patch to my NFS share and installed it on the VM with patchadd 112757-01:

/opt/csw/bin/pkgutil -y -i openssh now completes successfully.

In order to be able to SSH to a Solaris system from a modern Linux system, you will likely need to add the following to your ~/.ssh/config file:

Host *
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

Or add it on a per-host basis if you are uncomfortable with allowing this for all hosts:

Host sol8vm1
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedKeyTypes +ssh-rsa

Once this has been added, you should be able to SSH into your Solaris system:

If you get errors about xterm-256color: Unknown terminal type, connect with TERM=xterm ssh user@host. Of course you may find it a good idea to disable root login. All configuration changes are made in /opt/csw/etc/ssh/sshd_config and require restarting the service with /etc/init.d/cswopenssh restart. I didn’t bother with this, as this is 15-year-old software running on a 25-year-old OS.

Back to blogging in 2025

It’s been nearly four years since I’ve posted anything to this blog. In that span of time, I have learned so many new skills and systems administrator “hacks”, to the point that this blog seems to represent a version of myself several major releases old.

Back when I last posted to this blog, I was still new to Ansible, while still clinging to and believing in the superiority of Puppet. I’ve since warmed to Ansible and now use it for practically all of my configuration management, even having passed the RHCE, which tests primarily on one’s Ansible knowledge. Meanwhile, I haven’t written Puppet code in at least three years.

I’ve also recently gained an interest in “retro” server computing, that is Unix and Linux (and possibly some Windows) from the late 90s to the late 2000s. The first job I had where I interacted with *nix systems had a mixture of Red Hat Enterprise Linux 5 and Solaris 8/10 systems. Being a 24-year-old who had mostly experimented with Ubuntu and Fedora, I hated working on the Solaris systems, particularly the SunBlade 150 workstation I was given in a broken state and told to fix before I could “graduate” to the Unix support team. After fixing it, I was told to use it as my secondary desktop. I hated it: the ugly gray and purple case, the dated Windows 3.1-like CDE UI, and the out-of-date software, having to compile many tools I wanted from source. When I had a chance to inherit a departing coworker’s x86 desktop running RHEL 5 (which I also found dated), I wasted no time in kicking the SB-150 out of my cubicle.

It would probably come as a surprise to my past self, then, that at age 37 I would willingly purchase another SunBlade workstation off eBay, an SB-100 with 50 fewer MHz. Why would I willingly subject myself to such pain, when Solaris has become almost a memory? I suppose after a certain period of time, maybe 20 years or so, old and slow becomes cool again, sort of like 80s and 90s cars (well, for some people anyway). For me, getting old stuff to work has always been a delightful and brain-stimulating challenge.

What I’ve found, however, is that information on how to get things working on Solaris is scarce and scattered throughout the Internet, and mostly pertains to Solaris 10 or newer. In this blog I’d like to—attempt to at least—share what I’ve learned. It will probably be of use to very few people, but there is always the chance it might help someone.

In sum: going forward, this blog might contain some posts on new stuff, old stuff, or I may just stop posting to it altogether like I usually do.

Warmly,
Matt Ridpath