As Good A Place As Any

Tim Thomas's Blog

Wednesday Apr 09, 2008

Configuring the OpenSolaris CIFS Server in Domain Mode

I recently blogged about configuring the OpenSolaris CIFS Server in Workgroup Mode. I have now gone through the process of doing this in an Active Directory environment. 

As before, I am working on a Sun Fire X4500 with Solaris Nevada build 86 installed:

root@isv-x4500b # uname -a
SunOS isv-x4500b 5.11 snv_86 i86pc i386 i86pc

I have mostly presented the commands I have used and actual files from my system as is, but I have occasionally had to edit fields.

1. Configure the OpenSolaris server to be a DNS client of the Active Directory Domain Server

To do this create/modify the file /etc/resolv.conf to do lookups against the Active Directory Domain Controller.

root@isv-x4500b # cat /etc/resolv.conf
domain sspg.central.sun.com
nameserver 192.168.2.1
search sspg.central.sun.com central.sun.com

Now, set up /etc/nsswitch.conf so that hosts are resolved via DNS. You can modify your existing /etc/nsswitch.conf file or just copy /etc/nsswitch.dns to /etc/nsswitch.conf.

To check that DNS is working you can run a few simple tests by looking up a known host with nslookup.

2. Set up Kerberos

Edit the file /etc/krb5/krb5.conf and set up the below fields as shown, customized to your environment. Below is just a part of the /etc/krb5/krb5.conf file. The manual covers this step well on pages 42 and 43.

<--snip-->
[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM

[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
                admin_server = domaincontroller.sspg.central.sun.com
                kpasswd_server = domaincontroller.sspg.central.sun.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM
<--snip-->

3. Synchronise Clocks of your Server with the Domain Controller

This is an easy step to miss, and you may later be unable to join the domain due to Kerberos initialization problems. That is what happened to me!

There are various ways to synchronize the clocks, described in the manual on page 43. I did it this way:

root@isv-x4500b # ntpdate domaincontroller.sspg.central.sun.com

4. Start the CIFS Services

root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

The message can be ignored.

5. Join the Domain

To complete this step you need to know the user name and password of an Active Directory user (aduser in this case) with Administrator rights for the domain.

This is the part of the process that I got stuck on for a while, as the manual describes some apparently redundant steps on page 43 using sharectl which did not work. The following worked:

root@isv-x4500b # smbadm join -u aduser sspg.central.sun.com
Enter domain password:
Joining 'sspg.central.sun.com' ... this may take a minute ...
Successfully joined domain 'sspg.central.sun.com'

If this fails, make sure you did not skip Step 3. You will see Kerberos messages in the system log when you try to join the Domain if the time difference is too great between the servers. If that is not the problem then check the Troubleshooting Guide.
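The two things that tripped up the join above (realm configuration and clock drift) can be checked before running smbadm. The script below is an added example, not from the post or the OpenSolaris project; the krb5.conf and resolv.conf fragments are constructed from the post's values, and the 300-second limit is the Kerberos default clock skew, assumed here rather than read from the system.

```sh
# Pre-flight checks for "smbadm join". Config fragments are constructed
# from the post's examples (assumed values, not read from a live host).
KRB5_CONF='[libdefaults]
        default_realm = SSPG.CENTRAL.SUN.COM
[realms]
        SSPG.CENTRAL.SUN.COM = {
                kdc = domaincontroller.sspg.central.sun.com
        }
[domain_realm]
        .sspg.central.sun.com = SSPG.CENTRAL.SUN.COM'
RESOLV_CONF='domain sspg.central.sun.com
nameserver 192.168.2.1'
MAX_SKEW=300   # assumed: Kerberos default clockskew, in seconds

# Print the value of the first "key = value" line for key $1 in text $2.
krb5_get() {
    printf '%s\n' "$2" | awk -v k="$1" '$1 == k && $2 == "=" { print $3; exit }'
}
# The realm AD expects is the DNS domain from resolv.conf, upper-cased.
expected_realm() {
    printf '%s\n' "$1" | awk '$1 == "domain" { print toupper($2); exit }'
}
# 0 if default_realm equals the upper-cased DNS domain, else 1.
realm_matches_domain() {   # $1 krb5 text, $2 resolv text
    r=$(krb5_get default_realm "$1")
    [ -n "$r" ] && [ "$r" = "$(expected_realm "$2")" ]
}
# 0 if [domain_realm] maps ".<dns domain>" to that realm, else 1.
domain_realm_mapped() {    # $1 krb5 text, $2 resolv text
    dom=$(printf '%s\n' "$2" | awk '$1 == "domain" { print $2; exit }')
    [ -n "$dom" ] && [ "$(krb5_get ".$dom" "$1")" = "$(expected_realm "$2")" ]
}
# 0 if |local - DC| <= MAX_SKEW seconds; beyond that the join fails.
clock_skew_ok() {          # $1 local epoch seconds, $2 DC epoch seconds
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( 0 - d ))
    [ "$d" -le "$MAX_SKEW" ]
}
# Run every check; print the first failure reason and return non-zero.
check_join_prereqs() {     # $1 krb5 text, $2 resolv text, $3 local epoch, $4 DC epoch
    realm_matches_domain "$1" "$2" || { echo "default_realm != DNS domain"; return 1; }
    domain_realm_mapped "$1" "$2"  || { echo "[domain_realm] mapping missing"; return 1; }
    [ -n "$(krb5_get kdc "$1")" ]  || { echo "no kdc in [realms]"; return 1; }
    clock_skew_ok "$3" "$4"        || { echo "clock skew > ${MAX_SKEW}s: run ntpdate"; return 1; }
    echo "prerequisites OK"
}

# Stand-alone run; on a real host the DC time would come from ntpdate -q or similar.
check_join_prereqs "$KRB5_CONF" "$RESOLV_CONF" "$(date +%s)" "$(date +%s)"
```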

6. Stop and Start the CIFS Server

root@isv-x4500b # svcadm disable smb/server
root@isv-x4500b # svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

7. Create a ZFS file system

I already have ZFS storage pool called tank.

root@isv-x4500b # zfs create -o casesensitivity=mixed tank/cifs1

8. Share the ZFS File System via SMB and Customise the Share Name

root@isv-x4500b # zfs set sharesmb=on tank/cifs1

The default share name would be tank_cifs1; we can change that to cifs1 as follows:

root@isv-x4500b # zfs set sharesmb=name=cifs1 tank/cifs1

You can check this using sharemgr:

root@isv-x4500b # sharemgr show -vp
default nfs=()
zfs
    zfs/tank/cifs1 smb=()
          cifs1=/tank/cifs1

9. Set Permissions on the Shared Directory

I was going to be accessing the share from two Windows clients using Active Directory registered users. I opened up the permissions on the shared directory so that I would not have any access problems.

root@isv-x4500b # chmod 777 /tank/cifs1

I need to experiment with ZFS ACLs and maybe Identity Mapping, as described in the Solaris CIFS Administrators Guide, to handle this more elegantly; those are things that I will explore in the future.

10. Access the Share

I accessed the share from two clients (client 1 and client 2) running Microsoft Windows Server 2003.

Both servers were members of the same Active Directory Domain as the CIFS server. I logged into each server as a different Active Directory registered user: user1 logged into client1; user2 logged into client2.

I mapped the share to both clients.

[Screenshot: Map Share]

When I mapped the share I was not asked for a user ID and password as I had been in Workgroup mode, but I could see in the system log that authentication had taken place and rw access to the share had been granted to users [SSPG\user1] and [SSPG\user2]:

Apr  8 05:49:30 isv-x4500b smbsrv: NOTICE: smbd[SSPG\user1]: cifs1 rw access granted
Apr  8 05:49:53 isv-x4500b smbsrv: NOTICE: smbd[SSPG\user2]: cifs1 rw access granted

Both clients could see the same shared directory and I created some files and folders on the share from both clients with no problems.

For More Information

OpenSolaris Project: CIFS Server Home Page

Open Solaris CIFS Documentation including the Solaris CIFS Administrators Guide & Troubleshooting Information

Also, consider joining the Open Solaris Storage Discuss Forum

Comments:

Hi Tim, incredibly helpful and easy blog, worked like a charm for me :)

I have a question about ZFS ACLs which you have referred to above as wanting to look into further. Like you I have created a share with open access, but now I want to play around with applying ZFS ACLs for files and folders of users of the domain the server is in. At some stage along the process I imagine this would require pulling user and group info out of the AD. Would you know how to do this using the OpenSolaris CIFS service?

I see that this is doable using Samba on Solaris 10 at least, e.g.:

http://nineproductions.com/content/view/20/40/

Posted by Dave on May 16, 2008 at 03:44 PM BST #
