Sun ZFS Storage 7000 System Administration Guide

Active Directory

Introduction

The Active Directory service provides access to a Microsoft Active Directory database, which stores information about users, groups, shares, and other shared objects. This service has two modes: domain and workgroup mode, which dictate how SMB users are authenticated. When operating in domain mode, SMB clients are authenticated through the AD domain controller. In workgroup mode, SMB clients are authenticated locally as local users. See Users for more information on local users.

Properties

Join Domain

The following table describes properties associated with joining an Active Directory domain.

| Property | Description |
| --- | --- |
| Active Directory Domain | An Active Directory domain |
| Administrative User | An AD user who has credentials to create a computer account in Active Directory |
| Administrative Password | The administrative user's password |
| Additional DNS Search Path | When this optional property is specified, DNS queries are resolved against this domain, in addition to the primary DNS domain and the Active Directory domain. |

Join Workgroup

The following table describes the configurable property for joining a workgroup.

| Property | Description |
| --- | --- |
| Windows Workgroup | A workgroup |

Changing service properties is documented in the BUI and CLI sections of Services. The CLI property names are shorter versions of those listed above.

Domains and Workgroups

Instead of enabling and disabling the service directly, the service is modified by joining a domain or a workgroup. Joining a domain involves creating an account for the appliance in the given Active Directory domain. After the computer account has been established, the appliance can securely query the database for information about users, groups, and shares.

Joining a workgroup implicitly leaves an Active Directory domain, and SMB clients who are stored in the Active Directory database will be unable to connect to shares.

If a Kerberos realm is configured to support Kerberized NFS, the system cannot be configured to join an Active Directory domain.

LDAP Signing

There is no configuration option for LDAP signing, as that option is negotiated automatically when communicating with a domain controller. LDAP signing operates on communication between the storage appliance and the domain controller, whereas SMB signing operates on communication between SMB clients and the storage appliance.

Windows Server 2008 Support

| Windows Version | Supported Software Versions | Workarounds |
| --- | --- | --- |
| Windows Server 2003 | all | none |
| Windows Server 2008 SP1 | 2009.Q2 3.1 and earlier | Apply hotfix for KB957441 as needed. (See section B.) |
| Windows Server 2008 SP1 | 2009.Q2 4.0 and later | Must apply hotfix for KB951191; apply hotfix for KB957441 as needed. (See sections A and B.) |
| Windows Server 2008 SP2 | 2009.Q2 4.0 and later | See Section C. |
| Windows Server 2008 R2 | 2009.Q2 4.0 and later | See Section C. |

Section A: Kerberos issue (KB951191)

As originally shipped, the appliance could interoperate with a Windows Server 2008 SP1 domain controller, but it relied on a software workaround. This workaround dealt with a Windows Server 2008 SP1 Kerberos issue, which was subsequently fixed by KB951191 (http://support.microsoft.com/default.aspx/kb/951191). This fix was also incorporated into the Windows Server 2008 SP2 and R2 releases.

If you upgrade to 2009.Q2.4.0 or later and your Windows 2008 domain controller is running Windows Server 2008 SP2 or R2, no action is required.

If you upgrade to 2009.Q2.4.0 or later and your Windows 2008 domain controller is running Windows Server 2008 SP1, you must apply the hotfix described in KB951191 or install Windows 2008 SP2.

Section B: NTLMv2 issue (KB957441)

If your domain controller is running Windows Server 2008 SP1, you should also apply the hotfix for KB957441 (http://support.microsoft.com/kb/957441/), which resolves an NTLMv2 issue that prevents the appliance from joining the domain with its default LMCompatibilityLevel setting. If the LMCompatibilityLevel on the Windows 2008 SP1 domain controller is set to 5, this hotfix must be installed. After applying the hotfix, you must create and set a new registry key as described in KB957441.

Section C: Note on NTLMv2

If your domain controller is running Windows Server 2008 SP2 or R2, you do not need to apply the hotfix, but you must apply the registry setting as described in KB957441.

BUI

Use the "JOIN DOMAIN" button to join a domain, and the "JOIN WORKGROUP" button to join a workgroup.

CLI

To demonstrate the CLI, the following example views the existing configuration, joins a workgroup, and then joins a domain.

twofish:> configuration services ad
twofish:configuration services ad> show
Properties:
                     <status> = online
                         mode = domain
                       domain = eng.fishworks.com

Children:
                          domain => Join an Active Directory domain
                       workgroup => Join a Windows workgroup

Observe that the appliance is currently operating in the domain "eng.fishworks.com". Following is an example of leaving that domain and joining a workgroup.

twofish:configuration services ad> workgroup
twofish:configuration services ad workgroup> set workgroup=WORKGROUP
twofish:configuration services ad workgroup> commit
twofish:configuration services ad workgroup> done
twofish:configuration services ad> show
Properties:
                     <status> = disabled
                         mode = workgroup
                    workgroup = WORKGROUP

Following is an example of configuring the site and preferred domain controller in preparation for joining another domain.

twofish:configuration services ad> done
twofish:> configuration services smb
twofish:configuration services smb> set ads_site=sf
twofish:configuration services smb> set pdc=192.168.3.21
twofish:configuration services smb> commit
twofish:configuration services smb> show
Properties:
                     <status> = online
                 lmauth_level = 4
                          pdc = 192.168.3.21
                     ads_site = sf
twofish:configuration services smb> done

Following is an example of joining the new domain after the properties are configured.

twofish:> configuration services ad
twofish:configuration services ad> domain 
twofish:configuration services ad domain> set domain=fishworks.com
twofish:configuration services ad domain> set user=Administrator
twofish:configuration services ad domain> set password=*******
twofish:configuration services ad domain> set searchdomain=it.fishworks.com
twofish:configuration services ad domain> commit
twofish:configuration services ad domain> done
twofish:configuration services ad> show
Properties:
                     <status> = online
                         mode = domain
                       domain = fishworks.com

Tasks

See the BUI and CLI sections for how these tasks apply to each interface method.

Active Directory Tasks

Joining a Domain

  1. Configure an Active Directory site in the SMB context. (optional)
  2. Configure a preferred domain controller in the SMB context. (optional)
  3. Enable NTP, or ensure that the clocks of the appliance and domain controller are synchronized to within five minutes.
  4. Ensure that your DNS infrastructure correctly delegates to the Active Directory domain, or add your domain controller's IP address as an additional name server in the DNS context.
  5. Configure the Active Directory domain, administrative user, and administrative password.
  6. Apply/commit the configuration.
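
A post-join check for the procedure above, as an added example that is not part of the original guide: it parses a captured `show` listing from the `configuration services ad` context and reports a wrong mode, a wrong domain, a service that is not online, or clock skew beyond the five-minute limit in step 3. The function names and timestamps are assumptions, and the sample listings are constructed from the CLI output shown on this page.

```python
import re
from datetime import datetime, timedelta

MAX_SKEW = timedelta(minutes=5)  # clock tolerance from step 3 of the procedure
# Constructed samples, modelled on the `show` listings on this page.
DOMAIN_SHOW = """twofish:configuration services ad> show
Properties:
                     <status> = online
                         mode = domain
                       domain = fishworks.com

Children:
                          domain => Join an Active Directory domain
"""
WORKGROUP_SHOW = """Properties:
                     <status> = disabled
                         mode = workgroup
                    workgroup = WORKGROUP
"""

def parse_show(text):
    """Return the Properties section of a `show` listing as a dict."""
    props, in_props = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and "=" not in s:      # section header line
            in_props = (s == "Properties:")
            continue
        m = re.match(r"<?(\w+)>?\s*=\s*(\S.*)$", s)
        if in_props and m:                        # "=>" child entries are skipped
            props[m.group(1)] = m.group(2)
    return props

def verify_join(show_text, expected_domain, appliance_time, dc_time):
    """List problems with a domain join; an empty list means none found."""
    p, findings = parse_show(show_text), []
    if p.get("mode") != "domain":
        findings.append("mode is %r, not domain" % p.get("mode"))
    elif p.get("domain", "").lower() != expected_domain.lower():
        findings.append("joined to %r, expected %r" % (p.get("domain"), expected_domain))
    if p.get("status") != "online":
        findings.append("service status is %r, not online" % p.get("status"))
    if abs(appliance_time - dc_time) > MAX_SKEW:
        findings.append("clock skew exceeds five minutes")
    return findings

if __name__ == "__main__":
    now = datetime(2010, 1, 1, 12, 0, 0)          # constructed timestamps
    print(verify_join(WORKGROUP_SHOW, "fishworks.com", now, now + timedelta(minutes=6)))
```
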

Joining a Workgroup

  1. Configure the workgroup name.
  2. Apply/commit the configuration.