How to Configure the SMB Server in Domain Mode

Language:

This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Join a Kerberos Client to an Active Directory Server in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 .

Starting with the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos.

Before You Begin

If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.

Become an administrator.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .
Enable the SMB service.
```
# svcadm enable -r smb/server
```
When you specify the –r option, all services on which smb/server depends are started if they are not already running.
Ensure that the system clock on the Oracle Solaris system is within five minutes of the system clock of the domain controller (DC) by using following methods:
You can accomplish this task in one of these ways:
- Manually adjust the system clock on either the Oracle Solaris system or the DC to match the other.
- Configure both the Oracle Solaris system and the DC to use the same time source (NTP server).
- Synchronize the system clock on the Oracle Solaris system with the system clock of the DC by running the following command on the Oracle Solaris system:
```
# ntpdate DC-hostname
```
  If the NTP service is already running, then the ntpdate command fails with the following error:
```
no server suitable for synchronization found.
```
  For example, to synchronize with the DC called dc.westsales.example.com, type:
```
# ntpdate dc.westsales.example.com
```
Join the Windows domain.
```
# smbadm join -u username [-o organizational-unit] domain-name
```
username

Specifies an authenticated user account

organizational-unit

Specifies an alternative organizational unit in which to create a system's machine trust account

domain-name

Specifies a fully qualified NetBIOS or DNS domain name

By default, a machine trust account for a system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation if the account does not already exist in Active Directory.

For more information about the types of users who are permitted to perform a domain join operation and organizational units, see the smbadm (1M) man page.

Example 3-1 Configuring the SMB Server in Domain Mode

The following examples show how to configure an SMB server in domain mode as a Domain Administrator and as an organizational unit (OU) administrator:

The following example shows how a user with Domain Administrator privileges configures the SMB server in domain mode. User mary has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.

# svcadm enable -r smb/server
# smbadm join -u mary westsales.example.com
After joining westsales.example.com the smb service will be restarted automatically.
Would you like to continue? [no]:
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'

The following example shows how an OU administrator configures the SMB server in domain mode. An OU administrator does not have domain administrative privileges and can have control over one or more OUs. The name of the domain being joined is westsales.example.com.

Based on the following hierarchy, a delegated administrator can create a machine trust account in one or more of the OUs:
```
dc=com
   dc=example
      dc=westsales
         ou=Departments          
            ou=Engineering       
            ou=Payables,Receivables,and Payroll
...
```
- In the following example, user jan is the designated administrator for the Departments OU. Because, jan has already pre-staged the computer account in the Departments OU, the –o option is not required to add the server to the domain. The following command shows how jan would run the smbadm join command:
```
# smbadm join -u jan westsales.example.com
```
  For information about pre-staging computer accounts on Windows Server 2008, see Pre-Stage Computer Account in Windows Server 2008.
- In the following example, user john is the designated administrator for the Engineering OU. The computer account has not been pre-staged, so john must indicate the OU in which to create the account. The following command shows how john creates the machine trust account in the Engineering OU:
```
# smbadm join -u john -o ou=Engineering,ou=Departments westsales.example.com
```
- In the following example, user sal is the designated administrator for the Payables,Receivables,and Payroll OU. The computer account has not been pre-staged, so sal must indicate the OU in which to create the account. The following command shows how sal creates the machine trust account in the Payables,Receivables,and Payroll OU:
```
# smbadm join -u sal -o 'ou=Payables\,Receivables\,and Payroll,ou=Departments' \
westsales.example.com
```
  Note that the argument to the –o in the previous command has escaped characters and is surrounded by single quotes ('). The following reserved characters must be escaped by using the backslash (\):
```
, + " \ < > ; = #
```
  When you escape these reserved characters, you must also surround the string with single quotes because the backslash itself is a shell special character.

Next Steps

After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).