As Good A Place As Any

Tim Thomas's Blog

Thursday Apr 10, 2008

Solaris CIFS Windows SID Mapping - A First Look

This follows directly on from where I set up an OpenSolaris CIFS server in Domain Mode. When I mapped the share I was not asked for a user ID and password, as I had been in Workgroup mode, so how are file and folder ownership and permissions handled?

The Solaris CIFS implementation includes ID Mapping Services. These services let you explicitly map Windows Security IDentifiers to Solaris User IDs and Group IDs if you wish, but if you don't set up explicit mappings then the ID Mapping Service will generate Ephemeral Solaris User IDs and Group IDs for Windows Users. The Solaris CIFS Administrators Guide discusses Identity Mapping strategies.

Permissions on the files and directories created at the end of the previous exercise, when listed from Solaris, look like this...

root@isv-x4500b # pwd
/tank/cifs1
root@isv-x4500b # ls -l
total 10
d---------+  2 2147483649 2147483650       2 Apr  8 05:49 user1
----------+  1 2147483649 2147483650       0 Apr  8 05:57 user1.txt
d---------+  2 2147483650 2147483650       3 Apr  8 05:50 user2
----------+  1 2147483650 2147483650       0 Apr  8 05:51 user2.txt

This looks a bit odd because the OpenSolaris CIFS service uses ZFS ACLs rather than the traditional mode bits: the trailing "+" in the mode column shows that an ACL is present, but the ACL entries themselves don't show up in a plain ls -l listing (ls -v displays them). We can dump the current ID Mappings, as below...

root@isv-x4500b # idmap dump
usid:S-1-5-21-500772251-2770406677-2360070262-1125      ==      uid:2147483650
usid:S-1-5-21-500772251-2770406677-2360070262-1113      ==      uid:2147483649
gsid:S-1-5-21-500772251-2770406677-2360070262-513       ==      gid:2147483650
gsid:S-1-5-21-500772251-2770406677-2360070262-512       ==      gid:2147483651
gsid:S-1-5-11   ==      gid:2147483652
gsid:S-1-5-2    ==      gid:2147483653
gsid:S-1-5-32-544   ==      gid:2147483654

We can see that Windows SIDs have been mapped to Solaris User and Group IDs. The mappings for the users have been created on the fly (Ephemeral ID Mapping); the Windows Group SID mappings are generated by system level interactions, and you can decode those using the list here. We can see that:

Windows Group SID xxxxxx-513 = Domain Users = Solaris GID 2147483650

Windows Group SID xxxxxx-512 = Domain Admins = Solaris GID 2147483651

Windows Group SID xxxxxx-11 = Authenticated Users = Solaris GID 2147483653

Windows Group SID xxxxxx-2 = Network (Users logged in via the Network) = Solaris GID 2147483651

Windows Group SID xxxxxx-544 = Administrators = Solaris GID 2147483654

We now know that the files and directories we created are in the Domain Users group as it was mapped to the Solaris GID of 2147483650.
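The decoding above can be automated. The following Python script is an added example, not code from the original post: it parses the idmap dump output shown earlier (embedded here as a constructed sample), labels the well-known SIDs and domain RIDs, flags ephemeral IDs (Solaris allocates them from 2^31 upward, and they are not persistent across reboots, so scripts should key on the SID or name rather than the number), and reverse-maps a numeric owner or group from ls -l back to its SID. The well-known SID table is the standard Windows one and the ephemeral threshold is a Solaris convention; neither is shown on the page.

```python
"""Decode `idmap dump` output: map Windows SIDs to Solaris UIDs/GIDs and
explain the well-known ones.  Added example, not from the original post."""
import re

# Constructed sample: the idmap dump shown in the post.
IDMAP_DUMP = """\
usid:S-1-5-21-500772251-2770406677-2360070262-1125      ==      uid:2147483650
usid:S-1-5-21-500772251-2770406677-2360070262-1113      ==      uid:2147483649
gsid:S-1-5-21-500772251-2770406677-2360070262-513       ==      gid:2147483650
gsid:S-1-5-21-500772251-2770406677-2360070262-512       ==      gid:2147483651
gsid:S-1-5-11   ==      gid:2147483652
gsid:S-1-5-2    ==      gid:2147483653
gsid:S-1-5-32-544   ==      gid:2147483654
"""

# Solaris hands out ephemeral IDs from 2^31 upward; anything at or above this
# is a dynamically generated mapping that does not survive a reboot.
EPHEMERAL_BASE = 2 ** 31

# Well-known SIDs that are not relative to any domain.
WELL_KNOWN_SIDS = {
    "S-1-5-2": "Network",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-32-544": "Administrators (builtin)",
}
# Well-known RIDs relative to the domain SID (S-1-5-21-...).
WELL_KNOWN_DOMAIN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
}

LINE_RE = re.compile(r"^(usid|gsid):(S-[\d-]+)\s*==\s*(uid|gid):(\d+)$")


def describe_sid(sid):
    """Human-readable name for a SID, or a RID description for domain accounts."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    if sid.startswith("S-1-5-21-"):
        rid = int(sid.rsplit("-", 1)[1])
        return WELL_KNOWN_DOMAIN_RIDS.get(rid, "domain account RID %d" % rid)
    return "unknown"


def parse_idmap_dump(text):
    """Parse `idmap dump` lines into dicts; reject anything unrecognised."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised idmap line: %r" % line)
        _sid_kind, sid, id_kind, num = m.groups()
        mappings.append({
            "sid": sid,
            "kind": id_kind,
            "id": int(num),
            "name": describe_sid(sid),
            "ephemeral": int(num) >= EPHEMERAL_BASE,
        })
    return mappings


def id_to_sid(mappings, kind, num):
    """Reverse lookup: which SID does a uid/gid seen in `ls -l` belong to?"""
    for m in mappings:
        if m["kind"] == kind and m["id"] == num:
            return m["sid"]
    return None


if __name__ == "__main__":
    for m in parse_idmap_dump(IDMAP_DUMP):
        flag = " (ephemeral)" if m["ephemeral"] else ""
        print("%-48s -> %s:%d  %s%s" % (m["sid"], m["kind"], m["id"], m["name"], flag))
    print("gid 2147483650 is", id_to_sid(parse_idmap_dump(IDMAP_DUMP), "gid", 2147483650))
```

Running it against a live system is a matter of replacing the embedded sample with the output of idmap dump.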

Sometime soon I am going to dig deeper on all this, this was just a first look. 

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Wednesday Apr 09, 2008

Configuring the OpenSolaris CIFS Server in Domain Mode

[Update July 4th 2008: This article was written prior to the release of OpenSolaris 2008.05, and I used the term OpenSolaris sloppily as I really meant Solaris Express Community Edition, codenamed "Nevada". If you take a look here, the different downloads available are explained.

These instructions are equally applicable to both distributions, but depending on what Solaris Express Community Edition package cluster you install you may not have the SMB server packages (I always install everything, so I cannot be more precise than that). In the case of OpenSolaris 2008.05 you will need to add the packages SUNWsmbkr & SUNWsmbs from the repository using Package Manager, or using the pkg install <pkgname> command.]

I recently blogged about configuring the OpenSolaris CIFS Server in Workgroup Mode. I have now gone through the process of doing this in an Active Directory environment. 

As before, I am working on a Sun Fire X4500 with Solaris Nevada build 86 installed....

root@isv-x4500b # uname -a
SunOS isv-x4500b 5.11 snv_86 i86pc i386 i86pc

I have mostly presented the commands I have used and actual files from my system as is, but I have occasionally had to edit fields.

1. Configure the OpenSolaris server to be a DNS client of the Active Directory Domain Server

To do this create/modify the file /etc/resolv.conf to do lookups against the Active Directory Domain Controller.

root@isv-x4500b # cat /etc/resolv.conf
domain sspg.central.sun.com
nameserver 192.168.2.1
search sspg.central.sun.com central.sun.com

Now, set up /etc/nsswitch.conf so that hosts are resolved via DNS. You can modify your existing /etc/nsswitch.conf file or just copy /etc/nsswitch.dns to /etc/nsswitch.conf.

To check that DNS is working you can run a few simple tests by looking up a known host with nslookup.

2. Set up Kerberos

Edit the file /etc/krb5/krb5.conf and set up the below fields as shown, customized to your environment. Below is just a part of the /etc/krb5/krb5.conf file. The manual covers this step well on pages 42 and 43.

<--snip-->
[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM

[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
                admin_server = domaincontroller.sspg.central.sun.com
                kpasswd_server = domaincontroller.sspg.central.sun.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM
<--snip-->

3. Synchronise Clocks of your Server with the Domain Controller

This is an easy step to miss, and you may later be unable to join the domain due to Kerberos initialization problems... that is what happened to me!!!

There are various ways to synchronize the clocks, described in the manual on page 43. I did it this way:

root@isv-x4500b # ntpdate domaincontroller.sspg.central.sun.com

4. Start the CIFS Services

root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

The message can be ignored.

5. Join the Domain

To complete this step you need to know the user name and password of an Active Directory user (aduser in this case) with Administrator rights for the domain.

This is the part of the process that I got stuck with for a while, as the manual describes some apparently redundant steps on page 43 using sharectl which did not work; the below worked:

root@isv-x4500b # smbadm join -u aduser sspg.central.sun.com
Enter domain password:
Joining 'sspg.central.sun.com' ... this may take a minute ...
Successfully joined domain 'sspg.central.sun.com'

If this fails, make sure you did not skip Step 3. You will see Kerberos messages in the system log when you try to join the Domain if the time difference is too great between the servers. If that is not the problem then check the Troubleshooting Guide.
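Steps 1 to 3 are the ones that silently break step 5, so it is worth checking them together before attempting the join. The following Python preflight script is an added example, not from the original post or from Sun's tooling: it parses copies of the /etc/resolv.conf and /etc/krb5/krb5.conf shown above (embedded as constructed samples), checks that the Kerberos realm is the upper-cased DNS domain, that a KDC is defined inside that domain and that [domain_realm] covers it, and compares two clock readings against the 300 second skew Kerberos tolerates by default. The clock readings are passed in as plain epoch seconds so the check runs offline; on a real server you would take them from the host and from the domain controller.

```python
"""Preflight checks before `smbadm join`: DNS/Kerberos config consistency and
clock skew.  Added example, not from the original post; the config texts below
are constructed from the files shown in the post."""

# Constructed copy of /etc/resolv.conf from the post.
RESOLV_CONF = """\
domain sspg.central.sun.com
nameserver 192.168.2.1
search sspg.central.sun.com central.sun.com
"""

# Constructed copy of the relevant part of /etc/krb5/krb5.conf from the post.
KRB5_CONF = """\
[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM

[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
                admin_server = domaincontroller.sspg.central.sun.com
                kpasswd_server = domaincontroller.sspg.central.sun.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM
"""

MAX_SKEW_SECONDS = 300  # Kerberos default clock-skew tolerance (5 minutes)


def parse_resolv_conf(text):
    """Collect domain, nameserver and search entries; ignore comments."""
    conf = {"nameserver": [], "search": []}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, values = parts[0], parts[1:]
        if key == "nameserver":
            conf["nameserver"].extend(values)
        elif key == "search":
            conf["search"].extend(values)
        elif key == "domain" and values:
            conf["domain"] = values[0]
    return conf


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value, and one level of
    `name = { ... }` blocks, which is enough for [realms]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        else:
            key, _, value = line.partition("=")
            target = conf[section][block] if block else conf[section]
            target[key.strip()] = value.strip()
    return conf


def preflight(resolv_text, krb5_text, server_time, dc_time):
    """Return a list of problems found; an empty list means ready to join."""
    problems = []
    resolv = parse_resolv_conf(resolv_text)
    krb5 = parse_krb5_conf(krb5_text)
    domain = resolv.get("domain")
    realm = krb5.get("libdefaults", {}).get("default_realm")
    if not domain:
        problems.append("resolv.conf has no 'domain' line (step 1)")
    if not resolv["nameserver"]:
        problems.append("resolv.conf has no nameserver (step 1)")
    if not realm:
        problems.append("krb5.conf has no default_realm (step 2)")
    elif domain and realm != domain.upper():
        problems.append("default_realm %s does not match DNS domain %s" % (realm, domain))
    kdc = krb5.get("realms", {}).get(realm, {}).get("kdc")
    if not kdc:
        problems.append("no kdc defined for realm %s (step 2)" % realm)
    elif domain and not kdc.endswith("." + domain):
        problems.append("kdc %s is outside the DNS domain %s" % (kdc, domain))
    if domain and ("." + domain) not in krb5.get("domain_realm", {}):
        problems.append("[domain_realm] lacks a .%s entry (step 2)" % domain)
    skew = abs(server_time - dc_time)
    if skew > MAX_SKEW_SECONDS:
        problems.append("clock skew %ds exceeds %ds; run ntpdate (step 3)" % (skew, MAX_SKEW_SECONDS))
    return problems


if __name__ == "__main__":
    # Constructed readings: server 10 s behind the DC, then 1000 s behind.
    print(preflight(RESOLV_CONF, KRB5_CONF, 1000, 1010) or "ready to join")
    print(preflight(RESOLV_CONF, KRB5_CONF, 1000, 2000))
```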

6. Stop and Start the CIFS Server

root@isv-x4500b # svcadm disable smb/server
root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

7. Create a ZFS file system

I already have a ZFS storage pool called tank.

root@isv-x4500b # zfs create -o casesensitivity=mixed tank/cifs1

8. Share the ZFS File System via SMB and Customise the Share Name

root@isv-x4500b # zfs set sharesmb=on tank/cifs1

The default share name would be tank_cifs1; we can change that to cifs1 as follows...

root@isv-x4500b # zfs set sharesmb=name=cifs1 tank/cifs1

You can check this using sharemgr:

root@isv-x4500b # sharemgr show -vp
default nfs=()
zfs
    zfs/tank/cifs1 smb=()
          cifs1=/tank/cifs1

9. Set Permissions on the Shared Directory

I was going to be accessing the share from two Windows clients using Active Directory registered users. I opened up the permissions on the shared directory so that I would not have any access problems.

root@isv-x4500b # chmod 777 /tank/cifs1

I need to experiment with ZFS ACLs and maybe Identity Mapping, as described in the Solaris CIFS Administrators Guide, to handle this more elegantly; those are things that I will explore in the future.

10. Access the Share

I accessed the share from two clients (client 1 and client 2) running Microsoft Windows Server 2003.

Both servers were members of the same Active Directory Domain as the CIFS server. I logged into each server as a different Active Directory registered user: user1 logged into client1; user2 logged into client2.

I mapped the share to both clients.

[Screenshot: Map Share]

When I mapped the share I was not asked for a user ID and password as I had been in Workgroup mode, but I could see in the system log that authentication had taken place and rw access to the share had been granted to users [SSPG\user1] and [SSPG\user2]...

Apr  8 05:49:30 isv-x4500b smbsrv: NOTICE: smbd[SSPG\user1]: cifs1 rw access granted
Apr  8 05:49:53 isv-x4500b smbsrv: NOTICE: smbd[SSPG\user2]: cifs1 rw access granted

Both clients could see the same shared directory and I created some files and folders on the share from both clients with no problems.

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Tuesday Apr 08, 2008

Configuring the OpenSolaris CIFS Server in Workgroup Mode

[Update July 4th 2008: This article was written prior to the release of OpenSolaris 2008.05, and I used the term OpenSolaris sloppily as I really meant Solaris Express Community Edition, codenamed "Nevada". If you take a look here, the different downloads available are explained.

These instructions are equally applicable to both distributions, but depending on what Solaris Express Community Edition package cluster you install you may not have the SMB server packages (I always install everything, so I cannot be more precise than that). In the case of OpenSolaris 2008.05 you will need to add the packages SUNWsmbkr & SUNWsmbs from the repository using Package Manager, or using the pkg install <pkgname> command.]

This article documents a quick and simple process showing you how to configure the OpenSolaris CIFS Server in Workgroup Mode.

I am working on a Sun Fire X4500 with Solaris Nevada build 86 installed....

root@isv-x4500b # uname -a
SunOS isv-x4500b 5.11 snv_86 i86pc i386 i86pc

I already have a ZFS storage pool called "tank" created, so here goes:

1. Enable the CIFS server

root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances

This is a diagnostic message, and it can be ignored.

2. Create the ZFS file system

root@isv-x4500b # zfs create -o casesensitivity=mixed tank/cifs0

3. Share the new file system via SMB and check the status of the operation

root@isv-x4500b # zfs set sharesmb=on tank/cifs0
root@isv-x4500b # sharemgr show -vp
default nfs=()
zfs
    zfs/tank/cifs0 smb=()
          tank_cifs0=/tank/cifs0

4. Change the name of the Share

I don't like the default name of the share, tank_cifs0, so I will change that to cifs0.

root@isv-x4500b # zfs set sharesmb=name=cifs0 tank/cifs0
root@isv-x4500b # sharemgr show -vp
default nfs=()
zfs
    zfs/tank/cifs0 smb=()
          cifs0=/tank/cifs0

5. Set the name of the Workgroup.

By default the workgroup name is "workgroup" but I want to change that to "solcifs".

root@isv-x4500b # smbadm join -w solcifs
Successfully joined workgroup 'solcifs'

6. Install the SMB PAM module

Add the below line to the end of /etc/pam.conf:

other   password required       pam_smb_passwd.so.1     nowarn

In this whole process, this is the only time I have to edit a file, and this is a one off.

7. Set/Change the Passwords for any Solaris User That Will be Used to Authenticate when Connecting to a  CIFS share

I will use root, but I could use any Solaris user the server knows about.

root@isv-x4500b # passwd root
New Password:
Re-enter new Password:
passwd: password successfully changed for root

With the SMB PAM module installed, this generates passwords that can be used by Windows as well as Solaris. This is a required step.

8. From Windows, Map the Share

From Windows, the share is accessed via its UNC path: \\isv-x4500b\cifs0. OpenSolaris CIFS does not support access to shares by unauthenticated users: it does not have an equivalent of SAMBA's "guest mode". In this example, I have authenticated myself as root.

[Screenshot: Map Share]

The mapped share looks like this...

[Screenshot: Mapped Share]

Files created from Windows will be owned on the Solaris server by the user you authenticated with. If that user does not have the correct UNIX permissions for the shared directory then some file operations will fail. That is easily fixed using chmod.

I can also browse the OpenSolaris CIFS server from Windows...

[Screenshot: Browse Shares]

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Monday Apr 07, 2008

Great Article - Building A Home Fileserver using ZFS

I just read this series of articles "A Home Fileserver using ZFS". Simon Breden, the author, has done a great job here and doubtless these will be much referenced.

Also, while looking for some help on setting up iSCSI, I came across this very concise tutorial that is worth reading if you want to get the Solaris iSCSI target and initiator configured and working. The initial steps can be performed differently using more recent releases of Solaris Express/OpenSolaris than used in the tutorial.

Monday Jan 14, 2008

Using the Sun Fire X4500 as Network Attached Archival Storage

A paper about a project I completed recently has been published on BigAdmin. The paper is "Configuring the Sun Fire X4500 Server as Network Attached Archival Storage for Symantec Enterprise Vault". The aim of the project was to see if the Sun Fire X4500 could be used as NAS in a Symantec Enterprise Vault environment. The findings were that this worked very well, and performance was excellent!

Software used on the Sun Fire X4500 was SAMBA, Sun StorageTek Storage Archive Manager, and Solaris ZFS. The project involved functional and performance testing, both of which are part of Symantec's comprehensive Self Certification program for Partners.

I went the extra mile, and wrote a configuration tool for the solution called x4500samconfig. The use of the tool is discussed in the paper, and it is available for download here. If you take an X4500 with Solaris 10 8/07 and the unconfigured Storage Archive Manager 4.6 packages installed, this script will have you up and running in minutes. The script configures ZFS, Storage Archive Manager and SAMBA. Some of what the script does "under the hood" is discussed here.

I am going to take the opportunity here to thank Sun's BigAdmin team: the process of publishing an article like this is quite lengthy. Initially, a paper is written by an Engineer (me in this case) for Sun Internal consumption only...this is pretty straightforward, requiring peer review only. Once the internal version is complete, the paper can be submitted for external publication on BigAdmin, and at this point the document must be legally reviewed and professionally edited which can take some time...and it is the BigAdmin team who do this...so, Thanks BigAdmin Team!

Tuesday Nov 13, 2007

Building a SAM File System on a Sun Fire X4500 using a ZFS Volume

The volume management layer of SAM can only stripe data for performance, not availability. When working with the Sun Fire X4500 you need to use a volume manager to create a logical volume or volumes on which to build a SAM file system if you want the file system to survive the failure of a disk.

By far the easiest way to do this in my experience is to create a ZFS storage pool and carve a ZFS Volume (ZVOL) out of it. You can then build the SAM file system on the ZVOL. You could use multiple ZVOLs and have SAM stripe across them, but I prefer to have a single volume and have ZFS take care of the striping rather than have two volume managers fighting with each other.

Here is an example of how to set this up.

1. Create a ZFS storage pool

I will call it samfspool0. I have provided a few recipes for creating ZFS storage pools on the Sun Fire X4500 in the past, the one I default to is this one.

2. Allocate a ZFS Volume from the Storage Pool

You can use the ZFS GUI to do this, but I will show you how to do it on the command line. I want to create a 7 TB volume called samfs0zvol with a block size of 16KB. The block size does not have to be 16KB, that is just what I am using in this example.

root# zfs create -V 7.0TB -b 16KB samfspool0/samfs0zvol

The volume appears as a ZFS file system without a mount point when you list it: 

root# zfs list samfspool0/samfs0zvol
NAME                   USED  AVAIL  REFER  MOUNTPOINT
samfspool0/samfs0zvol  57.0M  7.13T  57.0M  -

3. Add an entry in the /etc/opt/SUNWsamfs/mcf file

Note that the path to the ZVOL is under /dev/zvol/dsk/<poolname>.

#
# Equipment             Eq      Eq      Family  Device  Additional
# Identifier               Ord     Type    Set     State   Parameters
# -----------            ---       ----    ------  ------  ----------
#
samfs0                   1           ms      samfs0  on
/dev/zvol/dsk/samfspool0/samfs0zvol  2  md      samfs0  on

4. Reconfigure SAM

Force SAM to read in the configuration file and then make the file system with a DAU of 16KB to align with the blocksize of the ZVOL.

root# samd config
root# sammkfs -a 16K samfs0
sammkfs: samfs0: One or more partitions exceeds 1 TB in size
sammkfs: file system samfs0 will not mount on 32 bit Solaris and
sammkfs: some earlier versions of Solaris
Building 'samfs0' will destroy the contents of devices:
/dev/zvol/dsk/samfspool0/samfs0zvol
Do you wish to continue? [y/N]y

You are done. Note that File System Manager, supplied with SAM, does not currently allow you to create a SAM file system on a ZVOL.
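Because sammkfs destroys whatever is on the listed devices, it pays to check the mcf entries before step 4. The following Python script is an added example, not from the original post or from SAM itself: it parses the mcf text from step 3 (embedded as a constructed sample; the comment header and whitespace-separated columns follow the file's own layout) and checks that equipment ordinals are unique, that each ms file system has md member devices whose family set matches, that every device path is a ZFS volume under /dev/zvol/dsk/, and that the DAU chosen for sammkfs is a multiple of the volume's block size. The block-size lookup is a constructed stand-in for querying the zvol's volblocksize property.

```python
"""Validate /etc/opt/SUNWsamfs/mcf entries for a SAM file system built on a
ZFS volume, and check DAU / volblocksize alignment.  Added example, not from
the original post; inputs are constructed from the values shown there."""

# Constructed copy of the mcf entries from step 3.
MCF_TEXT = """\
#
# Equipment             Eq      Eq      Family  Device  Additional
# Identifier               Ord     Type    Set     State   Parameters
# -----------            ---       ----    ------  ------  ----------
#
samfs0                   1           ms      samfs0  on
/dev/zvol/dsk/samfspool0/samfs0zvol  2  md      samfs0  on
"""

# Constructed stand-in for `zfs get volblocksize`: device path -> bytes.
ZVOL_BLOCK_SIZES = {"/dev/zvol/dsk/samfspool0/samfs0zvol": 16 * 1024}

ZVOL_PREFIX = "/dev/zvol/dsk/"


def parse_mcf(text):
    """Split each non-comment mcf line into its columns."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError("short mcf line: %r" % raw)
        entries.append({
            "identifier": fields[0],
            "ordinal": int(fields[1]),
            "type": fields[2],
            "family": fields[3],
            "state": fields[4],
            "params": fields[5:],
        })
    return entries


def validate_mcf(entries, dau_bytes, zvol_block_sizes):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    ordinals = [e["ordinal"] for e in entries]
    if len(ordinals) != len(set(ordinals)):
        problems.append("duplicate equipment ordinals")
    for fs in [e for e in entries if e["type"] == "ms"]:
        if fs["identifier"] != fs["family"]:
            problems.append("file system %s: family set should match its name" % fs["identifier"])
        members = [e for e in entries if e["family"] == fs["family"] and e is not fs]
        if not members:
            problems.append("file system %s has no member devices" % fs["identifier"])
        for dev in members:
            path = dev["identifier"]
            if dev["type"] != "md":
                problems.append("%s: ms file systems take md devices, not %s" % (path, dev["type"]))
            if not path.startswith(ZVOL_PREFIX):
                problems.append("%s is not a ZFS volume path (%s<pool>/<volume>)" % (path, ZVOL_PREFIX))
                continue
            block = zvol_block_sizes.get(path)
            if block is None:
                problems.append("%s: volume block size unknown" % path)
            elif dau_bytes % block != 0:
                problems.append("DAU %d is not a multiple of %s block size %d" % (dau_bytes, path, block))
    return problems


if __name__ == "__main__":
    entries = parse_mcf(MCF_TEXT)
    print(validate_mcf(entries, 16 * 1024, ZVOL_BLOCK_SIZES) or "mcf consistent, safe to run sammkfs -a 16K")
    print(validate_mcf(entries, 24 * 1024, ZVOL_BLOCK_SIZES))
```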

For an overview of SAM, and File System Manager, look here.
