mostly the Samba.org topics... Jura's blog...

Saturday Sep 01, 2007

This is not rocket science, but I am using this guide to set up a Samba server in the lab that serves CIFS volumes and authenticates users against the ADS Domain Controller.

Prerequisites

  • The ADS domain name is derived from its DNS domain name, e.g. smbsetup.czech.sun.com
  • The ADS Kerberos realm name is the DNS domain name written in capitals, e.g. SMBSETUP.CZECH.SUN.COM

Setup steps:

  • Prepare the S10 box with its naming service set to DNS, where the nameserver is the AD server and the domain is the AD domain:
    • upgrade to Solaris 10 update 8/07 and apply patch 119757-08 (sparc) / 119758-08 (i386) or later, or install OpenSolaris based on Nevada build ≥ 72
    • ADS uses DNS for hostname resolution, so /etc/nsswitch.conf should contain:
       ...
       hosts: files dns
       ipnodes: files dns
       ...
      
    • /etc/resolv.conf should also have the search list set, because machines are resolved by their short names, e.g.:
      domain smbsetup.czech.sun.com
      nameserver 172.16.111.65
      search smbsetup.czech.sun.com
      
    • /etc/hosts should contain both the full canonical name of the box and its short name:
      127.0.0.1       localhost
      172.16.111.13   s10-pc.smbsetup.czech.sun.com   s10-pc  loghost
      
      
    • at this point enable the dns/client service (svcadm enable dns/client) and most probably reboot. All of the steps above can also be performed as the DNS naming setup after sys-unconfig. The Kerberos v5 settings can also be entered (partially) in the system setup on the first boot after sys-unconfig.
    • Information about the realm, KDC and DNS domain must be set in /etc/krb5/krb5.conf:
      
      [libdefaults]
       default_realm = SMBSETUP.CZECH.SUN.COM
      
      [realms]
       SMBSETUP.CZECH.SUN.COM = {
        kdc = adsdc.smbsetup.czech.sun.com
        admin_server = adsdc.smbsetup.czech.sun.com
       }
      
      [domain_realm]
       smbsetup.czech.sun.com = SMBSETUP.CZECH.SUN.COM
      

  • Set up the DC to accept this node:
    • in "Active Directory Users and Computers" add a user account whose "Full Name" is the same as the computer's hostname, set its password and check the "Password Never Expires" flag. The user name must be the same as the user's login and the hostname of the node.
    • in "dnsmgmt" create a new DNS A record with the hostname and IP of this box, e.g. "s10-pc" and "172.16.111.13". Also check the "Create also the PTR record" option for reverse (IP to hostname) resolution.
    • create the key for the computer, mapped to the user of the same name as the computer, with the command-line (cmd.exe) utility:
      ktpass -princ HOST/s10-pc@SMBSETUP.CZECH.SUN.COM -mapuser s10-pc -pass p@sswd -out s10-pc.keytab
      Note that the "ktpass" utility is part of the "Windows Support Tools", which are not part of the default W2k3 server installation and have to be installed manually from the W2k3 server installation CD.
    • transfer the created file containing the machine keys to the S10 machine. Do this transfer in a secure way, because the keys are very sensitive information. Do not use /usr/sfw/bin/smbclient -U Administrator '\\ADSserver\cifs_share' for this, because CIFS is not a secure protocol at this point.
  • Join the S10 box to the domain:
    • install the keys by running ktutil and issuing the following "ktutil" subcommands:
      • rkt s10-pc.keytab (reads the keys from the s10-pc.keytab file)
      • list (lists the keys read from the file)
      • wkt /etc/krb5/krb5.keytab (writes the keys into the system keytab)
      • '^D' to quit "ktutil"
    • remove the original s10-pc.keytab file and make /etc/krb5/krb5.keytab unreadable by non-root users, so that the machine key cannot be compromised
    • synchronize the system time of the Samba CIFS server with the domain time using ntpdate adsdc, which performs NTP (Network Time Protocol) synchronization against the domain controller
    • initialize the keys used by the Kerberos services: kinit s10-pc@SMBSETUP.CZECH.SUN.COM, using the password of the user to which the box was mapped
    • test that everything passed by listing the TGT (Ticket Granting Ticket) with the klist command
    • check that all of the Samba services are "disabled" by issuing svcs samba swat wins winbind
    • remove any previous Samba "garbage" in the /etc/sfw/private/, /var/samba/locks/ and /var/samba/logs/ directories
    • create /etc/sfw/smb.conf, e.g. using this template:
      [global]
      
         realm = SMBSETUP.CZECH.SUN.COM
         workgroup = SMBSETUP
         security = ADS
         use kerberos keytab = true
         ;password server = adsdc.smbsetup.czech.sun.com
         encrypt passwords = yes
         server string = Samba 3.0.x ADS
      
      
      # winbind configuration: 
      
         winbind separator = +
         ; winbind enum users = yes
         template homedir = /samba/pchome/%D/%U
      
         idmap domains = SMBSETUP
         idmap config SMBSETUP:default = yes
         idmap config SMBSETUP:backend = tdb
         idmap config SMBSETUP:range = 10000-20000
      
         idmap alloc backend = tdb
         idmap alloc config:range = 10000-20000
      
      # this tells Samba to use a separate log file for each machine
      # that connects
         log file = /var/samba/log/log.%m
         ;log level = 1 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 7 winbind: 2 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
         log level = 10
      # Put a capping on the size of the log files (in Kb).
         max log size = 1024
      
      # Most people will find that this option gives better performance.
      # See the chapter 'Samba performance issues' in the Samba HOWTO Collection
      # and the manual pages for details.
      ;   socket options = TCP_NODELAY 
      
      
      #============================ Share Definitions ==============================
      
      [public]
         path = /samba/public
         comment = Public data directory
         read only = no
         browseable = yes
         user = @"SMBSETUP+domain users"
         vfs objects = zfsacl
         nfs4: mode = special
      
      
      ;[pub]
      ;   path = /sambaufs/public
      ;   comment = Pub
      ;   read only = no
      ;   browseable = yes
      ;   user = @"SMBSETUP+domain users"
      
      [printers]
        printable = no
      
    • replace the contents of /etc/pam.conf with those of /etc/pam.conf-winbind
    • modify /etc/nsswitch.conf so that user/group lookups also consult the winbind table:
       ...
       passwd: files winbind
       group: files winbind
       ...
      
    • ensure that the Samba volume directories ("/samba/public" in this example) exist and have the appropriate access rights (0777 for instance)
    • join the domain: /usr/sfw/sbin/net ads join -U 'Administrator%p@sswd'
    • create the keytab: /usr/sfw/sbin/net ads keytab create -U 'Administrator%p@sswd'
    • start the "winbind" service by issuing svcadm enable winbind
    • check that winbind is able to obtain user/group information from the DC: /usr/sfw/bin/wbinfo -u for users or /usr/sfw/bin/wbinfo -g for groups
    • check with getent passwd that the Windows domain users are mapped to POSIX users; this works only if the "winbind enum users" option in /etc/sfw/smb.conf is set to "yes". Do not do it in domains with thousands of users, as it can harm the CIFS server's performance.
    • enable the other Samba services too, svcadm enable samba wins, so that domain clients can establish CIFS sessions
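A pre-flight check for the naming and Kerberos settings above, as an added example that is not part of the original post; the function names are hypothetical and the sample files are constructed from the post's example values:

```shell
#!/bin/sh
# Added pre-flight checks for the setup above (not from the original post; helper names
# are hypothetical). Each check takes explicit file paths so it can run on constructed
# copies; on a real box point them at the live /etc files named in the post.

# 0 if both the hosts: and ipnodes: lines of nsswitch.conf list "dns".
nss_uses_dns() {
    for db in hosts ipnodes; do
        grep -E "^[[:space:]]*$db:.*[[:space:]]dns([[:space:]]|$)" "$1" >/dev/null || return 1
    done
    return 0
}

# 0 if default_realm in krb5.conf ($2) is the upper-cased resolv.conf domain ($1).
realm_matches_domain() {
    domain=$(awk '$1 == "domain" { print $2; exit }' "$1")
    realm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                         gsub(/[[:space:]]/, "", $2); print $2; exit }' "$2")
    [ -n "$domain" ] && [ -n "$realm" ] || return 1
    [ "$realm" = "$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')" ]
}

# 0 if the hosts file ($1) maps IP ($2) to the FQDN ($3) and its short name on one line.
hosts_has_fqdn_and_short() {
    awk -v ip="$2" -v fq="$3" -v sh="${3%%.*}" '
        $1 == ip { for (i = 2; i <= NF; i++) { if ($i == fq) f = 1; if ($i == sh) s = 1 } }
        END { exit !(f && s) }' "$1"
}

# 0 if the keytab has no group/other permission bits (the post asks for root-only access).
keytab_is_private() {
    case "$(ls -l "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo on constructed files using the post's example network (not a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf 'hosts: files dns\nipnodes: files dns\n' > "$d/nsswitch.conf"
    printf 'domain smbsetup.czech.sun.com\nnameserver 172.16.111.65\n' > "$d/resolv.conf"
    printf '127.0.0.1 localhost\n172.16.111.13 s10-pc.smbsetup.czech.sun.com s10-pc loghost\n' > "$d/hosts"
    printf '[libdefaults]\n default_realm = SMBSETUP.CZECH.SUN.COM\n' > "$d/krb5.conf"
    : > "$d/krb5.keytab" && chmod 600 "$d/krb5.keytab"
    rc=0
    nss_uses_dns "$d/nsswitch.conf" || { echo "nsswitch: hosts/ipnodes lack dns"; rc=1; }
    realm_matches_domain "$d/resolv.conf" "$d/krb5.conf" || { echo "realm != DNS domain"; rc=1; }
    hosts_has_fqdn_and_short "$d/hosts" 172.16.111.13 s10-pc.smbsetup.czech.sun.com || { echo "hosts: FQDN/short name missing"; rc=1; }
    keytab_is_private "$d/krb5.keytab" || { echo "keytab readable by others"; rc=1; }
    rm -rf "$d"
    return $rc
}
demo && echo "all pre-flight checks passed"
```

The realm check also catches the mismatch raised in the comments below (an AD domain such as company.corp against a DNS domain of company.ca), which the post's prerequisites rule out.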

Comments:

Hi Jiri, thanks for this. I am sure that many people will find it very helpful. Having a strong SAMBA implementation in Solaris is very important. Are you using SAMBA over ZFS ? Any tips ? I have seen lots of questions about ZFS ACLs and SAMBA. Thanks, Tim

Posted by Tim Thomas on September 01, 2007 at 05:07 PM CEST #

What is "Solaris 10 update 8/07" ??

The latest Solaris released from Sun is Solaris 11/06, as far as I know.

Posted by Hans Almansson on September 01, 2007 at 09:05 PM CEST #

Hi Hans, Jiri is referring to Solaris 10 Update 4 which is (or will be) also known as Solaris 10 8/07. This will become available for download next week with media becoming available late September, according to current schedules. I have no idea why we have two naming schemes for Solaris. Rgds, Tim

Posted by Tim Thomas on September 01, 2007 at 09:59 PM CEST #

Thanks Jiri, this type of "cookbook" write up is always requested by customers.

But I have a question: what should the contents of /etc/pam.conf-winbind
actually be? Is there an example in the updated man pages, as I can't find any reference to that other than this page.

Posted by ML Starkey on September 02, 2007 at 01:10 AM CEST #

Jiri:

Thanks for the write-up. Did you need to do anything on the Windows Active Directory side? I.e. enable RFC 2307 support?

Thanks again!

Posted by Nola Nelson on September 05, 2007 at 10:07 PM CEST #

We have issues with samba on 8/07 where if we try to share out a zfs file system with the zfsacl module, we can't read the filesystem.

From windows, we can browse to the share, but once there can't see any files. It is possible to create new files, but windows claims it can't access them, and thus nothing is ever displayed.

The smb.conf share:
[zfstesting]
comment = Test of zfs stuff
read only = no
browseable = yes
path = /sharedraid/test
vfs objects = zfsacl
nfs4: mode = special

Any ideas?

Posted by Christian on September 15, 2007 at 05:18 AM CEST #

Hi,

you can skip the ktpass and keytab transfer section when you use "net ads join".

This downloads a keytab for you which you can then move into the correct location.

Also you can use other "net ads" commands to download additional service principals from AD... e.g. nfs/host.domain or smtp/host.domain

I'll post details if folks are interested.

Posted by Steve Foster on September 25, 2007 at 06:09 PM CEST #

@Steve Foster
I'd appreciate details...

Posted by Pete on September 27, 2007 at 12:29 AM CEST #

Hello,

I don't understand several things in this article, for example:

1) The article seems to be for a Solaris x86 box. Can it be used for Sparc using SUN Cluster 3.2?

2)- "# in "Active Directory Users and Computers" add the user account of the same name as the computer's hostname as the user's "Full Name" and set the password and check the "Password Never Expire" flag to it. User name most be the same as the users login and the hostname of the node.
# in "dnsmgmt" create the new dns A-record with the hostname and IP of this box i.e. "s10-pc" and "172.16.111.13". Also check the "Create also the PTR record" for the reverse (IP to hostname) resolving. "

a) What is behind using the "full name" as the same as the computer hostname? And what hostname must be used? The ADS server (i.e. Windows 2003) or the Solaris machine (i.e. running Samba)?

b) If I understand, the IP 172.16.111.13 is that of the Solaris machine running Samba. Then, the DNS running on the ADS machine is not related to the Windows machine (i.e. ADS) but to the Solaris machine (i.e. the Samba server). What happens if the Windows machine already has a DNS running on it and using the same IP (for example: 192.168.3.16)?

Thanks for any help.

Posted by Bras on September 30, 2007 at 07:48 PM CEST #

h

Posted by 202.149.210.38 on October 06, 2007 at 08:25 AM CEST #

Great tutorial! Are you able to comment on any potential issues if the AD DNS domain is not the same as my Solaris environment DNS domain? When AD was implemented at my workplace, the AD domain was set up as "company.corp", rather than our proper DNS domain, "company.ca". All my Solaris boxes use "company.ca". Am I going to have problems with Samba or Kerberos?

Thanks,
Mark

Posted by Mark on October 12, 2007 at 03:35 PM CEST #

I just cannot seem to get this to work at all on my 8/07 system. It's all related to DNS resolution (my DNS domain name differs from the AD realm to which we're binding). It's a shame that Sun can't have tools such as Apple uses for OS X that do all the binding for you. Directory Services is a very nice feature, and it goes a long way to making Macs work nice in the AD world. It's the best non-MS implementation thus far.

Posted by Charles Soto on October 30, 2007 at 03:57 PM CET #

Is there any work being done to ship the rfc2307.so nss module for winbind? If we have an active directory 2003r2 domain with the rfc2307 attributes, the sun supplied samba does not seem to work.

Posted by Christian on November 09, 2007 at 09:12 PM CET #

I apologize to all I was not here for some time. Please let me to have several comments:

- skipping the ktpass/ktutil steps will lead to the absence of the private part of the machine key. I ran into trouble accessing the other realm services, like the session to user authentication.

- Samba with AD is not only for the i386 platform. I am testing everything on sparc first, then on i386, because of the better remote maintainability for instance, but I have no experience with Samba clustering.

- Kerberos needs to run in coincidence with the DNS domain. Otherwise the machines are not recognized as valid realm members.

- the idmap backend "ad" should be configured to use the rfc2307/SFU schema. This backend is delivered in Solaris Express or by applying the -09 revision of the samba patch.

Posted by jurasek on November 13, 2007 at 03:33 PM CET #

Are there any news about the zfs/acl issue? I have the same problem as Christian.

Posted by Manfred Odenstein on November 19, 2007 at 11:22 AM CET #

Solved the zfs/acl issue, patch 119758-09 did the job ;-), I think

Posted by Manfred Odenstein on November 21, 2007 at 09:23 PM CET #

net ads [keytab create|changetrustpw] -Uadmin%pass -d 10

both commands failed with:

[2007/11/27 17:35:27, 2] libads/kerberos_keytab.c:(260)
ads_keytab_add_entry: Using default system keytab: /etc/krb5/krb5.keytab
[2007/11/27 17:35:27, 5] libads/ldap.c:(1422)
ads_get_kvno: Searching for host CENTAURI
[2007/11/27 17:35:27, 5] libads/ldap.c:(1440)
ads_get_kvno: Using: CN=centauri,CN=Computers,DC=nj,DC=invidi,DC=com
[2007/11/27 17:35:27, 5] libads/ldap.c:(1459)
ads_get_kvno: Looked Up KVNO of: 11
[2007/11/27 17:35:27, 3] libads/kerberos_keytab.c:(65)
smb_krb5_kt_add_entry: Will try to delete old keytab entries
[2007/11/27 17:35:27, 5] libads/kerberos_keytab.c:(105)
smb_krb5_kt_add_entry: Found old entry for principal: host/centauri.invidi.com@NJ.INVIDI.COM (kvno 8) - trying to remove it.
[2007/11/27 17:35:27, 1] libads/kerberos_keytab.c:(116)
smb_krb5_kt_add_entry: krb5_kt_remove_entry failed (Cannot write to specified key table)
[2007/11/27 17:35:27, 1] libads/kerberos_keytab.c:(346)
ads_keytab_add_entry: Failed to add entry to keytab file
[2007/11/27 17:35:27, 1] libads/kerberos_keytab.c:(508)
ads_keytab_create_default: ads_keytab_add_entry failed while adding 'host'.

ls -l /etc/krb5/krb5.keytab
-rw------- 1 root root 79 Nov 27 17:26 /etc/krb5/krb5.keytab

Posted by arkadi on November 28, 2007 at 01:40 AM CET #

Mapping the SPN to both a user and a computer account will create an authentication problem. For example, enable Kerberos logging on the ADC and try to run on Solaris:

kinit -k

You will get this error message in ADC event log:

Event Type: Error
Event Source: KDC
Event Category: None
Event ID: 11
Date: 11/27/2007
Time: 10:14:52 AM
User: N/A
Computer: ADC
Description:
There are multiple accounts with name host/centauri.invidi.com of type DS_SERVICE_PRINCIPAL_NAME.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

It is possible to map just to a computer account with ktpass -mapuser computer_name$

Posted by Arkadi on November 28, 2007 at 01:56 AM CET #

After putting winbind in nsswitch.conf, I have to use "passwd -r files username" to change a unix user's password. Is it an issue that SUN is going to resolve?

Posted by Junmin on December 19, 2007 at 04:25 AM CET #

I finally traced my problem to a bug in 3.0.25 wherein the "net ads join" step fails if your AD Administrator password is longer than 8 characters! After changing it to exactly 8 characters (fortunately our password policy allows 8 or more). Boy was that not a fun thing to uncover - wasted weeks of potential testing...

Posted by Charles Soto on January 17, 2008 at 10:48 PM CET #

Please remember that when using winbind as a password repository the 'passwd' application will break. This is documented in the man pages for nsswitch.conf. The problem exists for any user who has password aging turned on, regardless of whether the user is a 'files' user (i.e. defined in /etc/passwd) or a 'winbind' user (i.e. defined in AD).

This is much more serious than it sounds.

Imagine root user has password aging turned on and imagine your nsswitch.conf has this line:

passwd: files winbind

When the root user's password has expired you will no longer be able to log in as root (this is because of the broken 'passwd' command). This is regardless of how you log in, i.e. from outside, using 'su', etc. Scary, isn't it?

I'm not sure, but I think this limitation exists only on Solaris and not on Linux.

As it stands this makes the combination of Solaris 10 and winbind an *unacceptable* combo. What SysAdmin will accept a system where he might one day be logged out from the root account ?

Junmin has noted the same problem in his posting above.

Posted by lbruun on April 22, 2008 at 09:19 AM CEST #

I had the same problem as identified by Arkadi but no variation of the ktpass command that I tried would yield a keytab file without a valid username. In the end I just added '_user' to the server name, created the user account and used it in the creation of the keytab file. Then when doing the kinit section I used the servername_user and its password to get the ticket. The Samba server is back up and running allowing access as appropriate without generating the errors in the AD logs.

Posted by Scooter on December 11, 2008 at 03:29 PM CET #

Has anyone been successful with integrating Sun CIFS and an Apple Xserve PDC?

TIA

Posted by John Fowler on March 30, 2009 at 10:53 PM CEST #
