Configuring the OpenSolaris CIFS Server in Domain Mode

[Update July 4th 2008: This article was written prior to the release of OpenSolaris 2008.05, and I used the term OpenSolaris sloppily as I really meant Solaris Express Community Edition, codenamed "Nevada". If you take a look here the different downloads available are explained.

These instructions are equally applicable to both distributions, but depending on what Solaris Express Community Edition package cluster you install you may not have the SMB server packages (I always install everything, so I cannot be more precise than that). In the case of OpenSolaris 2008.05 you will need to add the packages SUNWsmbkr & SUNWsmbs from the repository using Package Manager, or using the pkg install <pkgname> command.]

I recently blogged about configuring the OpenSolaris CIFS Server in Workgroup Mode. I have now gone through the process of doing this in an Active Directory environment. 

As before, I am working on a Sun Fire X4500 with Solaris Nevada build 86 installed:

root@isv-x4500b # uname -a
SunOS isv-x4500b 5.11 snv_86 i86pc i386 i86pc

I have mostly presented the commands I have used and actual files from my system as is, but I have occasionally had to edit fields.

1. Configure the OpenSolaris server to be a DNS client of the Active Directory Domain Server

To do this create/modify the file /etc/resolv.conf to do lookups against the Active Directory Domain Controller.

root@isv-x4500b # cat /etc/resolv.conf
domain sspg.central.sun.com
nameserver 192.168.2.1
search sspg.central.sun.com central.sun.com

Now, set up /etc/nsswitch.conf so that hosts are resolved via DNS. You can modify your existing /etc/nsswitch.conf file or just copy /etc/nsswitch.dns to /etc/nsswitch.conf.

To check that DNS is working you can run a few simple tests by looking up a known host with nslookup.

2. Set up Kerberos

Edit the file /etc/krb5/krb5.conf and set up the below fields as shown, customized to your environment. Below is just a part of the /etc/krb5/krb5.conf file. The manual covers this step well on pages 42 and 43.

<--snip-->
[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM

[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
                admin_server = domaincontroller.sspg.central.sun.com
                kpasswd_server = domaincontroller.sspg.central.sun.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM
<--snip-->

3. Synchronise Clocks of your Server with the Domain Controller

This is an easy step to miss, and you may later be unable to join the domain due to Kerberos initialization problems; that is what happened to me!

There are various ways to synchronize the clocks, described in the manual on page 43. I did it this way:

root@isv-x4500b # ntpdate domaincontroller.sspg.central.sun.com

4. Start the CIFS Services

root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

The message can be ignored.

5. Join the Domain

To complete this step you need to know the user name and password of an Active Directory user (aduser in this case) with Administrator rights for the domain.

This is the part of the process that I got stuck with for a while, as the manual describes some apparently redundant steps on page 43 using sharectl which did not work. The following worked:

root@isv-x4500b # smbadm join -u aduser sspg.central.sun.com
Enter domain password:
Joining 'sspg.central.sun.com' ... this may take a minute ...
Successfully joined domain 'sspg.central.sun.com'

If this fails, make sure you did not skip Step 3. You will see Kerberos messages in the system log when you try to join the Domain if the time difference is too great between the servers. If that is not the problem then check the Troubleshooting Guide.
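Before running smbadm join it is worth checking the two prerequisites that Steps 2 and 3 set up, because a lower-case realm in krb5.conf or a clock that is minutes away from the domain controller both surface only as Kerberos errors in the system log. The script below is an added example and not part of the original post: it validates a krb5.conf the way the join depends on it (an upper-case default_realm, a kdc entry for that realm, a [domain_realm] mapping onto it) and checks the offset reported by an "ntpdate -q" query line against the 300-second clock skew that Kerberos tolerates by default. The two krb5.conf samples and the ntpdate result line are constructed for the demonstration; only POSIX sh and awk are needed.

```shell
#!/bin/sh
# Pre-join checks for the krb5.conf and clock prerequisites of "smbadm join".
# Added example, not from the original post. Needs only POSIX sh and awk.

# Print the value of "KEY = value" from a krb5.conf-style file (first match).
krb5_get() {  # krb5_get FILE KEY
    awk -v key="$2" -F'=' '
        $1 ~ "^[ \t]*" key "[ \t]*$" {
            v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Report the first of the three krb5.conf mistakes that most often break the
# join: missing or lower-case default_realm, no kdc for that realm, no
# [domain_realm] mapping to it. Prints "ok" and returns 0 when all pass.
check_krb5_conf() {  # check_krb5_conf FILE
    realm=$(krb5_get "$1" default_realm)
    if [ -z "$realm" ]; then
        echo "no default_realm in $1"; return 1
    fi
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' is not upper case"; return 1
    fi
    # Walk the [realms] section and look for a kdc line inside "REALM = { ... }".
    if ! awk -v realm="$realm" '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == "realms" && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0 }
        inrealm && $1 == "kdc" { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"; then
        echo "no kdc entry for realm $realm"; return 1
    fi
    # The DNS domain must map onto the realm in [domain_realm].
    if ! awk -v realm="$realm" '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/].*$/, "", sect); next }
        sect == "domain_realm" && $2 == "=" && $3 == realm { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"; then
        echo "no [domain_realm] mapping to $realm"; return 1
    fi
    echo ok
}

# Take one "ntpdate -q <dc>" result line, pull out the offset field and return
# 0 if its magnitude is within MAX seconds (default 300, the Kerberos clockskew
# default), 1 otherwise or if no offset field is present.
skew_within_tolerance() {  # skew_within_tolerance "NTPDATE_LINE" [MAX]
    printf '%s\n' "$1" | awk -v max="${2:-300}" '
        { for (i = 1; i < NF; i++) if ($i == "offset") {
              off = $(i + 1) + 0; if (off < 0) off = -off
              found = 1; code = (off <= max) ? 0 : 1 } }
        END { exit(found ? code : 1) }'
}

# Write two constructed krb5.conf samples into directory $1: good.conf mirrors
# Step 2 above; bad.conf has the lower-case realm that stops the join.
write_sample_krb5_confs() {  # write_sample_krb5_confs DIR
    cat > "$1/good.conf" <<'EOF'
[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM

[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
                admin_server = domaincontroller.sspg.central.sun.com
        }

[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM
EOF
    cat > "$1/bad.conf" <<'EOF'
[libdefaults]
        default_realm = sspg.central.sun.com

[realms]
        sspg.central.sun.com = {
                kdc = domaincontroller.sspg.central.sun.com
        }

[domain_realm]
        .sspg.central.sun.com = sspg.central.sun.com
EOF
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
write_sample_krb5_confs "$tmp"
for f in good bad; do
    printf '%s: %s\n' "$f.conf" "$(check_krb5_conf "$tmp/$f.conf")"
done
if skew_within_tolerance "server 192.168.2.1, stratum 3, offset -412.501234, delay 0.02579"; then
    echo "clock skew within tolerance"
else
    echo "clock skew too large: run ntpdate against the DC first (Step 3)"
fi
rm -rf "$tmp"
```

On the real server you would run check_krb5_conf against /etc/krb5/krb5.conf and feed skew_within_tolerance the line printed by "ntpdate -q domaincontroller.sspg.central.sun.com"; a failure from either is the same condition that otherwise shows up as Kerberos messages in the system log during the join.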

6. Stop and Start the CIFS Server

root@isv-x4500b # svcadm disable smb/server
root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

7. Create a ZFS file system

I already have ZFS storage pool called tank.

root@isv-x4500b # zfs create -o casesensitivity=mixed tank/cifs1

8. Share the ZFS File System via SMB and Customise the Share Name

root@isv-x4500b # zfs set sharesmb=on tank/cifs1

The default share name would be tank_cifs1; we can change that to cifs1 as follows:

root@isv-x4500b # zfs set sharesmb=name=cifs1 tank/cifs1

You can check this using sharemgr:

root@isv-x4500b # sharemgr show -vp
default nfs=()
zfs
    zfs/tank/cifs1 smb=()
          cifs1=/tank/cifs1

9. Set Permissions on the Shared Directory

I was going to be accessing the share from two Windows clients using Active Directory registered users. I opened up the permissions on the shared directory so that I would not have any access problems.

root@isv-x4500b # chmod 777 /tank/cifs1

I need to experiment with ZFS ACLs and maybe Identity Mapping, as described in the Solaris CIFS Administrators Guide, to handle this more elegantly; those are things that I will explore in the future.

10. Access the Share

I accessed the share from two clients (client 1 and client 2) running Microsoft Windows Server 2003.

Both servers were members of the same Active Directory Domain as the CIFS server. I logged into each server as a different Active Directory registered user: user1 logged into client1; user2 logged into client2.

I mapped the share to both clients.

Map Share

When I mapped the share I was not asked for a user ID and password as I had been in Workgroup mode, but I could see in the system log that authentication had taken place and rw access to the share had been granted to users [SSPG\\user1] and [SSPG\\user2]:

Apr  8 05:49:30 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\user1]: cifs1 rw access granted
Apr  8 05:49:53 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\user2]: cifs1 rw access granted

Both clients could see the same shared directory and I created some files and folders on the share from both clients with no problems.
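The two smbsrv lines above are the evidence that domain authentication took place. On a server where several domain users and service accounts reach the share, it is worth turning those messages into a per-user summary and comparing it with the accounts you expect to see. The script below is an added example and not part of the original post: it reads system-log lines in the format shown above, counts grants per domain user, share and access mode, and prints any grant to a user outside an expected list. The sample log lines and the expected-user list are constructed for the demonstration; the parser keys on "access granted" and records whatever mode word precedes it, since the page shows only rw grants.

```shell
#!/bin/sh
# Audit smbsrv "access granted" messages from the system log: count grants per
# domain user, share and mode, and flag grants to users outside an expected
# list. Added example, not from the original post; the log lines and the
# expected-user list below are constructed from the message format shown above.

SAMPLE_LOG='Apr  8 05:49:30 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\user1]: cifs1 rw access granted
Apr  8 05:49:53 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\user2]: cifs1 rw access granted
Apr  8 06:02:11 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\user1]: cifs1 rw access granted
Apr  8 06:15:40 isv-x4500b smbsrv: NOTICE: smbd[SSPG\\svc_backup]: cifs1 rw access granted'

# Users expected to reach the share, one "DOMAIN user" per line (assumption).
EXPECTED_USERS='SSPG user1
SSPG user2'

# Read log lines on stdin; print "DOMAIN user share mode count", sorted.
summarise_grants() {  # summarise_grants < logfile
    awk '
        NF >= 5 && $NF == "granted" && $(NF-1) == "access" && $(NF-4) ~ /^smbd\[/ {
            tag = $(NF-4)                       # smbd[DOMAIN\user]:
            sub(/^smbd\[/, "", tag); sub(/]:$/, "", tag)
            n = split(tag, p, /\\+/)            # one or more backslashes separate domain and user
            who = (n > 1) ? p[1] " " p[2] : "- " p[1]
            count[who " " $(NF-3) " " $(NF-2)]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# Same input; print only the summary lines whose "DOMAIN user" is not in the
# expected list passed as the first argument.
unexpected_grants() {  # unexpected_grants "EXPECTED_USERS" < logfile
    summarise_grants | awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !(($1 " " $2) in ok)'
}

# Stand-alone demonstration on the constructed log.
echo "grants per user, share and mode:"
printf '%s\n' "$SAMPLE_LOG" | summarise_grants
echo "grants to users outside the expected list:"
printf '%s\n' "$SAMPLE_LOG" | unexpected_grants "$EXPECTED_USERS"
```

On a live system feed it the system log instead of the sample, for example unexpected_grants "$EXPECTED_USERS" < /var/adm/messages, and put the expected-user list under version control alongside the share definition so that a new account appearing in the summary is noticed.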

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Comments:

Hi Dave. I never did follow up on the ZFS ACL stuff other than what I found in the ZFS Admin Manual ( http://docs.sun.com/app/docs/doc/819-5461 ). The best forum for a detailed discussion on this topic is the cifs-discuss forum at opensolaris.org. Rgds, Tim

Posted by Tim Thomas on May 17, 2008 at 04:13 PM BST #

Hi Tim, I've got a basic wildcard mapping up and running using idmap. Great how easy this all is. I'll post to the CIFS discussion list as suggested.

Thanks again for the guide.

Posted by Dave on May 20, 2008 at 05:36 PM BST #

Hi Tim!
I have configured Opensolaris CIFS server in Domain mode as you did. But after that I try to list shares from Domain controller (try to open my CIFS server in the Microsoft network tree) and got login screen. I tried to login under Administrator - but login failed. So I couldn't get access to the CIFS server.
I switched on restrict_anonymous=true and after that I had got access. It seems not the right method to give anonymous access. Could you please advise what might be wrong and where I can see logs to check why I cannot get access to my CIFS server?

Posted by Evgeny Chumak on May 23, 2008 at 08:06 AM BST #

Hi Evgeny. Your questions are beyond my knowledge. You should join the cifs-discuss forum on opensolaris.org. Questions to that alias get answered very quickly by the Sun CIFS Engineering team. Rgds, Tim

Posted by Tim Thomas on May 26, 2008 at 02:15 AM BST #

A good way to handle the permissions in cifs share is to configure the ZFS ACL's to handle permissions inheritance correctly for windows.
The following example gives the owner full access rights, group and others readonly+execute and any new file/dir created in the share inherits the same permission.

chmod -R A=owner@:full_set:file_inherit/dir_inherit:allow <sharetopdir>
chmod -R A+group@:read_set/execute:file_inherit/dir_inherit:allow <sharetopdir>
chmod -R A+everyone@:read_set/execute:file_inherit/dir_inherit:allow <sharetopdir>

Posted by Peter Brouwer on January 15, 2009 at 03:57 AM GMT #

I have followed all of the instructions to a "t" however each time I try to connect to my domain, I get the message "(unsuccessful)" I saw comments suggesting the discussion groups but I can not figure out how to join them. I also don't know how to contact the Sun Engineers even though I purchased the support.

Any help would be appreciated

Posted by David Wilson on January 22, 2009 at 08:58 PM GMT #

David, is the name of your domain realm in UPPER case?

Had the same trouble until I changed the domain name in krb5.conf.

Here is the example:
[libdefaults]
default_realm = MYDOMAIN.COM

[realms]
MYDOMAIN.COM = {
kdc = dc1.mydomain.com
kdc = dc2.mydomain.com
admin_server = dc1.mydomain.com
kpasswd_server = dc1.mydomain.com
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.mydomain.com = MYDOMAIN.COM
dc1.mydomain.com = MYDOMAIN.COM

Posted by iura on January 28, 2009 at 12:03 AM GMT #

Good Day,
IHAC who is looking at a pair of 7210's to work with their Apple servers. Has anyone been successful with integrating Sun CIFS and Apple Xserve PDC?

They see the following "The appliance could not find the appropriate SRV record (_kerberos._tcp.SIODIR) for the Active Directory domain in any DNS servers. The DNS server(s) must be configured with an appropriate DNS SRV record. After checking that the Active Directory domain is correct, ensure the appropriate DNS SRC record is exported by the DNS server(s)."

TIA

Posted by John Fowler on March 30, 2009 at 02:56 PM BST #

Hi

We tried joining an opensolaris server to our windows domain only to be thwarted by a Logon failure message every time we tried joining via smbadm join.

We found that the problem lay not on the opensolaris machine but on the fact we are running the DC on server 2008. We resolved the problem by running:

sharectl set -p lmauth_level=2 smb

This is set to level 4 by default; see this thread for reference:

opensolaris.org/jive/thread.jspa?messageID=315578

Posted by Matt Smith on May 20, 2009 at 04:00 AM BST #
