Oracle Solaris Administration: SMB and Windows Interoperability, Oracle Solaris 11 Information Library
The following table points to the tasks that you can use to configure the operation mode of the SMB server.
This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Configure a Kerberos Client for an Active Directory Server in Oracle Solaris Administration: Security Services.
After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).
Starting with the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos. If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following Before You Begin section.
Before You Begin
If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.
The Active Directory (AD) service is a Windows 2000 namespace that is integrated with the Domain Name Service (DNS). AD runs only on domain controllers. In addition to storing and making data available, AD protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.
For the SMB server to integrate seamlessly into a Windows AD environment, the following must exist on the network:
A Windows AD domain controller
An optional Active Directory DNS server that permits dynamic updates to use the dynamic DNS (DDNS) capability
The AD and DDNS clients rely on the Kerberos protocol to acquire the Kerberos ticket-granting ticket (TGT) for the specified AD domain. The system must be configured to use DNS for host lookup.
To participate in an AD domain, the system must be configured to use DNS for host lookup. Ensure that the naming service and the DNS service are configured correctly for the appropriate AD domain.
If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following paragraphs.
In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in uppercase letters, as the default realm. Also, specify the fully qualified host name of the domain controller as the value for the kdc, admin_server, and kpasswd_server parameters.
The following example /etc/krb5/krb5.conf file is for an AD domain called EXAMPLE.COM that has multiple AD domain controllers. The primary AD domain controller is called dc.example.com. A secondary AD domain controller is called dc2.example.com. The fully qualified names are used for the domain and the domain controller.
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = dc.example.com
                kdc = dc2.example.com
                admin_server = dc.example.com
                kpasswd_server = dc.example.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .example.com = EXAMPLE.COM
For descriptions of the sections and parameters used in this example file, see the krb5.conf(4) man page and Configuring Kerberos Clients (Task Map) in Oracle Solaris Administration: Security Services.
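The krb5.conf rules stated above (an uppercase, fully qualified default realm, and fully qualified kdc, admin_server and kpasswd_server values) can be checked before attempting the join. The following shell function is an added example, not part of the Oracle documentation; check_krb5_ad_conf and demo_bad_conf are hypothetical names, and the faulty sample file is constructed.

```shell
# Added example: lint a krb5.conf against the rules the text gives for an AD join.
# check_krb5_ad_conf is a hypothetical helper, not a Solaris command.
# With no argument it reads stdin; otherwise pass the file to check.
check_krb5_ad_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function bad(msg) { print "FAIL: " msg; nbad++ }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    /^[ \t]*\[/ { sect = trim($0); next }     # [libdefaults], [realms], ...
    {
        eq = index($0, "=")
        if (!eq) { if (index($0, "}")) realm = ""; next }   # end of a realm block
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (sect == "[libdefaults]" && key == "default_realm") defrealm = val
        else if (sect == "[realms]" && val == "{") realm = key
        else if (sect == "[realms]" && realm != "") {
            seen[realm, key] = 1
            # A value without a dot is a short name, not a fully qualified one.
            if (key ~ /^(kdc|admin_server|kpasswd_server)$/ && val !~ /\./)
                bad(realm ": " key " = " val " is not a fully qualified host name")
        }
    }
    END {
        if (defrealm == "") bad("default_realm is not set in [libdefaults]")
        else {
            if (defrealm != toupper(defrealm)) bad("default_realm " defrealm " is not uppercase")
            if (defrealm !~ /\./) bad("default_realm " defrealm " is not fully qualified")
            n = split("kdc admin_server kpasswd_server", need, " ")
            for (i = 1; i <= n; i++)
                if (!((defrealm, need[i]) in seen))
                    bad(need[i] " is missing from the " defrealm " realm block")
        }
        exit (nbad > 0)
    }' "$@"
}

# Constructed sample: lowercase realm, short KDC name, no kpasswd_server entry.
demo_bad_conf() {
    cat <<'EOF'
[libdefaults]
        default_realm = example.com
[realms]
        example.com = {
                kdc = dc
                admin_server = dc.example.com
        }
EOF
}
demo_bad_conf | check_krb5_ad_conf || true    # prints three FAIL lines
```

To check the live file, run check_krb5_ad_conf /etc/krb5/krb5.conf; a zero exit status with no output means none of the three rules was violated.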
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# svcadm enable -r smb/server
When you specify the -r option, all services on which smb/server depends are started if they are not already running.
You can accomplish this task in one of these ways:
# ntpdate DC-hostname
For example, to synchronize with the DC called dc.westsales.example.com, type:
# ntpdate dc.westsales.example.com
# smbadm join -u username domain-name
where username is the domain administrator or a user with Domain Administrator privileges, and domain-name is a fully qualified NetBIOS or DNS domain name.
Example 3-1 Configuring the SMB Server in Domain Mode
This example shows the steps taken to configure the SMB server in domain mode. User dana has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.
# svcadm enable -r smb/server
# smbadm join -u dana westsales.example.com
After joining westsales.example.com the smb service will be restarted automatically.
Would you like to continue? [no]:
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'
To create SMB shares, see How to Create an SMB Share (zfs).
If you change from workgroup mode to domain mode, or from domain mode to workgroup mode, you must restart the SMB server. To restart the server, run the svcadm restart smb/server command.
Before You Begin
If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# svcadm enable -r smb/server
This command enables the SMB server and any service on which it depends, such as the idmap service.
By default, the SMB server operates in a workgroup called WORKGROUP.
# smbadm join -w workgroup-name
Add the following line to the end of the file:
other password required pam_smb_passwd.so.1 nowarn
See the pam_smb_passwd(5) man page.
The SMB server cannot use the Oracle Solaris encrypted version of the local user's password for authentication. Therefore, you must generate an encrypted version of the local user's password for the SMB server to use. When the SMB PAM module is installed, the passwd command generates such an encrypted version of the password.
# passwd username
Example 3-2 Configuring the SMB Server in Workgroup Mode
This example shows how to configure the SMB server in workgroup mode. The name of the workgroup being joined is myworkgroup.
# svcadm enable -r smb/server
# smbadm join -w myworkgroup
Then, create a share. See How to Create an SMB Share (zfs).
Finally, install the PAM module and generate the password for user cal.
# passwd cal
Now, you are ready to have SMB clients access the SMB shares on your SMB server.