The Active Directory service provides access to a Microsoft Active Directory database, which stores information about users, groups, shares, and other shared objects. This service has two modes: domain and workgroup mode, which dictate how SMB users are authenticated. When operating in domain mode, SMB clients are authenticated through the AD domain controller. In workgroup mode, SMB clients are authenticated locally as local users. See Users for more information on local users.
The following table describes properties associated with joining an Active Directory domain.
The following table describes the configurable property for joining a workgroup.
Changing service properties is documented in the BUI and CLI sections of services. The CLI property names are shorter versions of those listed above.
Instead of enabling and disabling the service directly, the service is modified by joining a domain or a workgroup. Joining a domain involves creating an account for the appliance in the given Active Directory domain. After the computer account has been established, the appliance can securely query the database for information about users, groups, and shares.
Joining a workgroup implicitly leaves an Active Directory domain, and SMB clients who are stored in the Active Directory database will be unable to connect to shares.
If a Kerberos realm is configured to support Kerberized NFS, the system cannot be configured to join an Active Directory domain.
There is no configuration option for LDAP signing, as that option is negotiated automatically when communicating with a domain controller. LDAP signing operates on communication between the storage appliance and the domain controller, whereas SMB signing operates on communication between SMB clients and the storage appliance.
As originally shipped, the appliance could interoperate with a Windows Server 2008 SP1 domain controller, but it relied on a software workaround. This workaround dealt with a Windows Server 2008 SP1 Kerberos issue which was subsequently fixed by KB951191 (http://support.microsoft.com/default.aspx/kb/951191). This fix was also incorporated into the Windows Server 2008 SP2 and R2 releases.
If you upgrade to 2009.Q2.4.0 or later and your Windows 2008 domain controller is running Windows Server 2008 SP2 or R2, no action is required.
If you upgrade to 2009.Q2.4.0 or later and your Windows 2008 domain controller is running Windows Server 2008 SP1, you must apply the hotfix described in KB951191 or install Windows 2008 SP2.
If your Domain Controller is running Windows Server 2008 SP1, you should also apply the hotfix for http://support.microsoft.com/kb/957441/, which resolves an NTLMv2 issue that prevents the appliance from joining the domain with its default LMCompatibilityLevel setting. If the LMCompatibilityLevel on the Windows 2008 SP1 domain controller is set to 5, this hotfix must be installed. After applying the hotfix you must create and set a new registry key as described in KB957441.
If your Domain Controller is running Windows Server 2008 SP2 or R2, you do not need to apply the hotfix, but you must apply the registry setting as described in KB957441.
Use the "JOIN DOMAIN" button to join a domain, and the "JOIN WORKGROUP" button to join a workgroup.
To demonstrate the CLI interface, the following example will view the existing configuration, join a workgroup, and then join a domain.
    twofish:> configuration services ad
    twofish:configuration services ad> show
    Properties:
        <status> = online
        mode = domain
        domain = eng.fishworks.com
    Children:
        domain => Join an Active Directory domain
        workgroup => Join a Windows workgroup
Observe that the appliance is currently operating in the domain "eng.fishworks.com". Following is an example of leaving that domain and joining a workgroup.
    twofish:configuration services ad> workgroup
    twofish:configuration services ad workgroup> set workgroup=WORKGROUP
    twofish:configuration services ad workgroup> commit
    twofish:configuration services ad workgroup> done
    twofish:configuration services ad> show
    Properties:
        <status> = disabled
        mode = workgroup
        workgroup = WORKGROUP
Following is an example of configuring the site and preferred domain controller in preparation for joining another domain.
    twofish:configuration services ad> done
    twofish:> configuration services smb
    twofish:configuration services smb> set ads_site=sf
    twofish:configuration services smb> set pdc=192.168.3.21
    twofish:configuration services smb> commit
    twofish:configuration services smb> show
    Properties:
        <status> = online
        lmauth_level = 4
        pdc = 192.168.3.21
        ads_site = sf
    twofish:configuration services smb> done
Following is an example of joining the new domain after the properties are configured.
    twofish:> configuration services ad
    twofish:configuration services ad> domain
    twofish:configuration services ad domain> set domain=fishworks.com
    twofish:configuration services ad domain> set user=Administrator
    twofish:configuration services ad domain> set password=*******
    twofish:configuration services ad domain> set searchdomain=it.fishworks.com
    twofish:configuration services ad domain> commit
    twofish:configuration services ad domain> done
    twofish:configuration services ad> show
    Properties:
        <status> = online
        mode = domain
        domain = fishworks.com
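The following is an added example, not appliance code: it parses the `show` listing format printed in the CLI session above and models the mode transitions the text describes (joining a workgroup leaves the domain; a domain join is refused when a Kerberos realm is configured for Kerberized NFS). The `AdService` class, its method names and the sample listing are constructed for illustration.

```python
# Constructed sample: the ad service `show` listing as printed in the CLI session.
SAMPLE_SHOW = """Properties:
    <status> = online
    mode = domain
    domain = eng.fishworks.com
Children:
    domain => Join an Active Directory domain
    workgroup => Join a Windows workgroup
"""

def parse_show(text):
    """Return the Properties: section of a `show` listing as a dict; <status> becomes 'status'."""
    props = {}
    in_props = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":"):           # section header: Properties: / Children:
            in_props = stripped == "Properties:"
            continue
        if in_props and " = " in stripped:   # Children lines use '=>' and are skipped
            key, value = stripped.split(" = ", 1)
            props[key.strip("<>")] = value
    return props

class AdService:
    """Hypothetical model of the ad service state described on this page."""
    def __init__(self, kerberized_nfs_realm=False):
        # True when a Kerberos realm is configured to support Kerberized NFS.
        self.kerberized_nfs_realm = kerberized_nfs_realm
        self.props = {"status": "disabled", "mode": "workgroup", "workgroup": "WORKGROUP"}

    def join_workgroup(self, name):
        # Joining a workgroup implicitly leaves the domain: the domain property is dropped
        # and AD-stored users can no longer be authenticated against this appliance.
        self.props = {"status": "disabled", "mode": "workgroup", "workgroup": name}
        return dict(self.props)

    def join_domain(self, domain, user, password):
        # Page rule: a system with a Kerberized-NFS realm cannot join an AD domain.
        if self.kerberized_nfs_realm:
            raise ValueError("Kerberos realm configured for Kerberized NFS; cannot join a domain")
        if not (domain and user and password):
            raise ValueError("domain, user and password are required to create the computer account")
        self.props = {"status": "online", "mode": "domain", "domain": domain}
        return dict(self.props)

def authenticates_against(props):
    """Where SMB clients are authenticated in the current mode (domain controller or local users)."""
    return "domain controller" if props.get("mode") == "domain" else "local users"
```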
See the BUI and CLI sections for how these tasks apply to each interface method.