NAME
     ad - Active Directory as a naming repository

DESCRIPTION
     Solaris clients can obtain naming information from Microsoft's
     Active Directory (AD) servers by first joining the Solaris system
     to an AD domain and then using the keyword ad in the
     nsswitch.conf(4) file. AD domain join can be executed using the
     kclient(1M) utility.

     The naming databases currently supported by the AD name service
     are passwd and group. Logins by Windows users are not yet
     supported, however: the user_attr(4) database currently has no
     entries for Windows users, and the passwd(1) command does not
     support synchronizing user passwords with AD.

     The Solaris AD client auto-discovers AD directory servers
     ("domain controllers" and "global catalog" servers) and uses the
     LDAP v3 protocol to access naming information from the AD
     servers. No schema modification is needed on the AD servers
     because the Solaris client works with the native AD schema. The
     Solaris AD client uses the idmap(1M) service to map Windows SIDs
     to POSIX UIDs/GIDs and vice versa.

     User and group names are taken from the sAMAccountName attribute
     of user and group objects in AD, and are then suffixed with '@'
     and the name of the AD domain where the objects reside.

     The security model used by the client is SASL/GSSAPI/KRB5.
     Kerberos v5 must be configured on the client at the time of
     domain join; see kclient(1M).

FILES
     /etc/nsswitch.conf
         Configuration file for the name-service switch.

     /etc/nsswitch.ad
         Sample configuration file for the name-service switch
         configured with ad, dns and files.

     /usr/lib/nss_ad.so.1
         Name service switch module for AD.

SEE ALSO
     svcs(1), idmap(1M), idmapd(1M), kclient(1M), svcadm(1M),
     svccfg(1M), attributes(5), smf(5)
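
The following is an added example, not part of the original manual page: a shell check that reads a name-service switch file on standard input and reports where the ad keyword appears, flagging any database other than passwd and group, which are the only ones the description above lists as supported. The function names check_nss_ad and sample_conf and the sample file contents are hypothetical, and treating a passwd or group entry without ad as a finding is an assumed site policy.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf-style input for use of the "ad" source.
# Set AWK=nawk on systems whose default awk lacks sub()/gsub().

# check_nss_ad: reads the switch file on stdin, prints one finding per line.
# Returns 0 when ad is listed for passwd and group and nowhere else, else 1.
check_nss_ad() {
    ${AWK:-awk} '
    {
        sub(/#.*/, "")                         # drop comments
        c = index($0, ":")
        if (c == 0) next                       # not a database line
        db = substr($0, 1, c - 1)
        gsub(/[ \t]/, "", db)
        n = split(substr($0, c + 1), src, " ") # sources and [criteria]
        has_ad = 0
        for (i = 1; i <= n; i++) if (src[i] == "ad") has_ad = 1
        if (db == "passwd" || db == "group") {
            seen[db] = 1
            if (has_ad) print "OK: " db " uses ad"
            else { print "MISSING: " db " does not list ad"; bad = 1 }
        } else if (has_ad) {
            print "UNSUPPORTED: " db " lists ad (only passwd and group are supported)"
            bad = 1
        }
    }
    END {
        if (!seen["passwd"]) { print "MISSING: no passwd entry"; bad = 1 }
        if (!seen["group"])  { print "MISSING: no group entry";  bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample input, not taken from a real system.
sample_conf() {
    cat <<'EOF'
passwd:     files ad
group:      files          # ad not listed
hosts:      files dns ad   # ad is not a supported source for hosts
netgroup:   files
EOF
}

# Demonstration run on the constructed sample; a real run would use
#   check_nss_ad < /etc/nsswitch.conf
sample_conf | check_nss_ad || true
```
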