Install the Agent in Solaris Zones

Solaris zones are an operating-system-level virtualization technology created to consolidate servers. Most often used to isolate a single application, zones are isolated virtual servers running on one operating-system instance, so each application in a collection of applications appears to be running on its own server. A Solaris Container combines system resource controls with the virtual isolation that zones provide.

Every Solaris system running zones has a global zone that retains visibility into, and control over, every installed non-global zone. By default the non-global zones share certain directories with the global zone, including /usr, which are mounted read-only inside the non-global zones; those shared directories are writable only from the global zone.

By default, installing AD Bridge in the global zone installs it in all the non-global zones as well. You can, however, use the following options to control which zones it is installed into.

Install Options for Embedded Scripts

Options that follow the `--` are passed through to the embedded script:

Help:                             ./adbridge-##.#.#.###.solaris.x86_64.pkg.sh -- --help
Install to all zones (default):   ./adbridge-##.#.#.###.solaris.x86_64.pkg.sh -- --all-zones
Install to only the current zone: ./adbridge-##.#.#.###.solaris.x86_64.pkg.sh -- --current-zone

Post Install

To complete the installation in a child zone that is created, booted, and configured after AD Bridge was installed in the global zone, run the following command inside the new zone as root:

/opt/pbis/bin/postinstall.sh

Zones cannot be joined to Active Directory as a group. Each zone, including the global zone, must be joined to the domain independently of the other zones.

Caveats

There are some caveats when using AD Bridge with Solaris zones.

When you join a non-global zone to AD, an error is reported when AD Bridge tries to synchronize the Solaris clock with AD.

The error occurs because root in a non-global zone has no privilege over the underlying global system and therefore cannot set the system clock. If the clocks are already within the 5-minute (300-second) skew that Kerberos permits by default, the error has no practical effect and can be ignored.

Otherwise, resolve it either by manually setting the clock in the global zone to match AD, or by joining the global zone to AD before joining the non-global zone, so that the clock is synchronized by a zone that is allowed to set it.
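The following script is an added example, not AD Bridge's own tooling; it ties together the installer options above and the clock-skew caveat. It assumes that the standard Solaris `zonename` utility prints `global` in the global zone, that the installer file name is the placeholder used on this page, and that the caller supplies the domain controller's current time in epoch seconds (for example from an NTP query against the DC). On Solaris 10 run it under /usr/bin/ksh or /usr/xpg4/bin/sh, because the legacy /bin/sh there has no `$(( ))` arithmetic.

```shell
#!/bin/sh
# Added example for AD Bridge in Solaris zones (not part of the product).
# Assumptions: "zonename" prints "global" in the global zone; the installer
# path is a placeholder; the DC's time (epoch seconds) comes from the caller.

MAX_SKEW=300    # Kerberos' default maximum clock skew: 5 minutes

# Installer option for the zone named in $1: the global zone installs into
# every zone by default, a non-global zone can only install into itself.
install_flag() {
    if [ "$1" = "global" ]; then
        printf '%s\n' "--all-zones"
    else
        printf '%s\n' "--current-zone"
    fi
}

# Print |local - dc| in seconds and return 0 when it is within MAX_SKEW.
# $1: local time, epoch seconds   $2: DC time, epoch seconds
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        diff=$(( 0 - diff ))
    fi
    printf '%s\n' "$diff"
    [ "$diff" -le "$MAX_SKEW" ]
}

# Run the installer with the option appropriate for the zone we are in.
# $1: path to the adbridge-##.#.#.###.solaris.x86_64.pkg.sh installer (placeholder)
install_here() {
    "$1" -- "$(install_flag "$(zonename)")"
}

# Join this zone to AD after checking the clock, since every zone joins on
# its own. A non-global zone cannot correct its clock, so tell the operator
# where the fix has to happen instead of letting the join fail on Kerberos.
# $1: AD domain   $2: account allowed to join   $3: DC time, epoch seconds
join_here() {
    zone=$(zonename)
    if ! skew=$(skew_ok "$(date +%s)" "$3"); then
        if [ "$zone" = "global" ]; then
            echo "clock is ${skew}s off AD (limit ${MAX_SKEW}s): set it in this global zone, then retry" >&2
        else
            echo "clock is ${skew}s off AD (limit ${MAX_SKEW}s): zone '$zone' cannot set it; fix the clock in the global zone first" >&2
        fi
        return 1
    fi
    /opt/pbis/bin/domainjoin-cli join "$1" "$2"
}

# Typical use in a freshly created non-global zone (after postinstall.sh):
#   join_here example.com joinaccount "$(date +%s)"   # replace the last argument with the DC's time
```

The two helpers that take plain arguments (`install_flag`, `skew_ok`) are kept free of side effects so they can be tried off-box; `install_here` and `join_here` are the only functions that touch the system.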

Some group policy settings may log PAM errors in the non-global zones even though they function as expected. The cron group policy setting is one example:

Wed Nov 7 16:26:02 PST 2009 Running Cronjob 1 (sh)
Nov 7 16:26:01 zone01 last message repeated 1 time
Nov 7 16:27:00 zone01 cron[19781]: pam_lsass(cron): request failed

Depending on the group policy setting, these errors may result from file access permissions, from attempts to write to directories that are read-only in the non-global zone, or from both.

By default, Solaris displays auth.notice syslog messages on the system console. Some versions of AD Bridge generate significant authentication traffic at this facility.priority level, which can produce an undesirable amount of chatter on the console or clutter on the screen.

To send these messages to a file instead of the console, edit /etc/syslog.conf as follows.

Change this:

*.err;kern.notice;auth.notice	/dev/sysmsg

To this:

*.err;kern.notice	/dev/sysmsg
auth.notice	/var/adm/authlog

Make sure that you use tabs, not spaces, to separate the selector (the facility.priority information on the left) from the action field on the right; syslogd ignores a line in which the two are separated by spaces. The target file must already exist, because syslogd does not create it (touch /var/adm/authlog), and syslogd must re-read its configuration before the change takes effect (svcadm refresh system-log).
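Because the tab requirement is easy to get wrong when editing by hand, here is an added example (not from the AD Bridge documentation or product) that checks a syslog.conf for lines whose selector/action separator is not a tab and applies the auth.notice change from above with a literal tab. It assumes the stock console line shown on this page and takes the configuration path and the target log file as arguments so it can be tried on a copy first; refreshing syslogd afterwards is left to the operator.

```shell
#!/bin/sh
# Added example: tab-safe editing of Solaris syslog.conf (not part of AD Bridge).
# Assumes the stock "*.err;kern.notice;auth.notice<TAB>/dev/sysmsg" line and
# takes the config path and target file as arguments, e.g.
#   check_syslog_conf /etc/syslog.conf
#   redirect_auth_notice /etc/syslog.conf /var/adm/authlog

TAB=$(printf '\t')

# Report every non-comment line whose selector is not followed by a tab;
# return 1 if any was found (syslogd would silently ignore those lines).
check_syslog_conf() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        sel=${line%%[$TAB ]*}     # selector: everything before the first blank or tab
        after=${line#"$sel"}      # separator run followed by the action
        case "$after" in
            "$TAB"*) [ -n "$sel" ] || { echo "empty selector: $line" >&2; bad=1; } ;;
            *)       echo "no tab between selector and action: $line" >&2; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# Move auth.notice out of any combined selector into its own tab-separated
# line that logs to $2. Lines that already carry only auth.notice are left alone.
# $1: syslog.conf path   $2: target log file
redirect_auth_notice() {
    conf=$1; target=$2; tmp=$conf.tmp
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        sel=${line%%[$TAB ]*}
        case "$sel" in
            auth.notice)
                printf '%s\n' "$line" >> "$tmp" ;;          # already redirected
            *auth.notice*)
                rest=${line#"$sel"}
                action=${rest#"${rest%%[!$TAB ]*}"}          # strip the separator run
                newsel=$(printf '%s\n' "$sel" | sed -e 's/;auth\.notice//' -e 's/auth\.notice;//')
                printf '%s\t%s\n' "$newsel" "$action" >> "$tmp"
                printf 'auth.notice\t%s\n' "$target" >> "$tmp" ;;
            *)
                printf '%s\n' "$line" >> "$tmp" ;;
        esac
    done < "$conf"
    mv "$tmp" "$conf"
    [ -e "$target" ] || touch "$target"   # syslogd will not create a missing file
}
```

Run `check_syslog_conf` again after the rewrite (and after any manual edit) before refreshing syslogd; a line that it flags is one syslogd would drop without warning, which for auth.notice means the authentication messages disappear rather than move.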