Solaris CIFS Administration Guide

Configuring DNS for Identity Mapping in Domain Mode

The idmap service requires that DNS be configured properly before you join a Solaris system to an AD domain.


Note –

This DNS configuration is required only in domain mode, although the idmap service also operates in workgroup mode. In workgroup mode, domain name-based mapping is not performed.


The idmapd daemon uses DNS information that is specified in the /etc/resolv.conf configuration file to discover its domain.

The domain is specified by the value of the domain or search configuration directive.

If both the domain and search directives are used, the last directive that is specified determines the domain to be used for auto-discovery.

The idmapd daemon discovers the domain controller and the global catalog by performing DNS lookups for SRV records. These SRV records are generated by the DNS server that is part of AD on the Windows domain controller. Therefore, the simplest way to configure DNS is to point to the DNS server on the Windows domain controller.

The idmap service looks for the following SRV records:


_ldap._tcp.dc._msdcs.domain-name
_ldap._tcp.site-name._sites.dc._msdcs.domain-name
_ldap._tcp.gc._msdcs.forest-name
_ldap._tcp.site-name._sites.gc._msdcs.forest-name

You can verify that the configuration is working properly by running the following, which should return the name of the Windows domain controller:


# dig _ldap._tcp.domain-name SRV +short

For example, the following returns the domain controller for the sales.example.com domain:


# dig _ldap._tcp.sales.example.com SRV +short
0 100 389 test-win2k3.sales.example.com.
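The discovery rules above (the last domain or search directive in /etc/resolv.conf wins, the four SRV names idmapd queries, and the dig check) gathered into a small POSIX shell helper. This is an added example, not code from the Solaris CIFS Administration Guide or the idmap service: the resolv.conf content and host names are constructed, and taking the first entry of a multi-entry search list is an assumption the guide does not state.

```shell
#!/bin/sh
# Added example, not part of the Solaris CIFS Administration Guide.
# Models the idmapd auto-discovery rules described in the guide:
#   1. the domain comes from the LAST "domain" or "search" directive in resolv.conf
#   2. idmapd queries four SRV names built from the domain, forest and site names
#   3. the guide's verification command is `dig _ldap._tcp.<domain> SRV +short`

# Constructed resolv.conf content (not a real system file). The "search"
# directive comes after "domain", so the search list determines the domain.
SAMPLE_RESOLV_CONF='nameserver 192.0.2.10
domain corp.example.com
search sales.example.com example.com
nameserver 192.0.2.11'

# idmap_domain_from_resolv FILE
# Print the domain idmapd would auto-discover from FILE: the value of the last
# domain/search directive. Assumption (not stated by the guide): when that
# directive is a multi-entry search list, its first entry is used.
idmap_domain_from_resolv() {
    awk '$1 == "domain" || $1 == "search" { last = $2 }
         END { if (last != "") print last }' "$1"
}

# idmap_srv_names DOMAIN [FOREST] [SITE]
# Print the SRV record names the guide lists, in the guide's order. FOREST
# defaults to DOMAIN; the two site-specific names appear only if SITE is given.
idmap_srv_names() {
    domain=$1
    forest=${2:-$1}
    site=$3
    printf '%s\n' "_ldap._tcp.dc._msdcs.$domain"
    if [ -n "$site" ]; then
        printf '%s\n' "_ldap._tcp.$site._sites.dc._msdcs.$domain"
    fi
    printf '%s\n' "_ldap._tcp.gc._msdcs.$forest"
    if [ -n "$site" ]; then
        printf '%s\n' "_ldap._tcp.$site._sites.gc._msdcs.$forest"
    fi
}

# srv_targets
# Read `dig ... SRV +short` output on stdin (priority weight port target) and
# print the target host names without the trailing dot, lowest priority first
# and, within a priority, highest weight first.
srv_targets() {
    sort -k1,1n -k2,2nr | awk 'NF == 4 { sub(/\.$/, "", $4); print $4 }'
}

# idmap_check_dc DOMAIN
# Run the guide's verification query and print the discovered domain controllers.
# Needs dig and network access, so it is not exercised offline. An empty answer
# means idmapd will only handle well-known and local SIDs, as the guide notes.
idmap_check_dc() {
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    out=$(dig "_ldap._tcp.$1" SRV +short)
    if [ -z "$out" ]; then
        echo "no SRV record for _ldap._tcp.$1; idmapd cannot discover a DC" >&2
        return 1
    fi
    printf '%s\n' "$out" | srv_targets
}

# Usage: sh idmap_dns_check.sh sales.example.com
if [ $# -gt 0 ]; then
    echo "SRV names idmapd will look for:"
    idmap_srv_names "$1"
    echo "Domain controllers found by the dig check:"
    idmap_check_dc "$1"
fi
```

Run it against a real /etc/resolv.conf with `idmap_domain_from_resolv /etc/resolv.conf` to see which domain idmapd will pick when both directives are present, then pass that domain to `idmap_check_dc`; a result that does not list the expected Windows domain controller usually means the resolver is not pointed at the DNS server on the domain controller.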

After DNS is correctly configured, you can join the Solaris system to an AD domain by using the smbadm or kclient utility. For more information about using the smbadm command, see How to Configure the Solaris CIFS Service in Domain Mode and the smbadm(1M) man page. For information about the kclient command, see the kclient(1M) man page.


Note –

If the idmap service is unable to discover an AD server, the service only handles mappings for well-known SIDs and local SIDs.