Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1     Oracle Solaris 11.1 Information Library

Configuring the SMB Server Operation Mode (Task Map)

The following table points to the tasks that you can use to configure the operation mode of the SMB server.

| Task | Description | For Instructions |
|---|---|---|
| Configure the SMB server in domain mode. | Use the smbadm join -u username [-o organizational-unit] domain-name command to join the domain. | How to Configure the SMB Server in Domain Mode |
| Configure the SMB server in workgroup mode. | Use the smbadm join -w workgroup-name command to join the workgroup. | How to Configure the SMB Server in Workgroup Mode |

How to Configure the SMB Server in Domain Mode

This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Configure a Kerberos Client for an Active Directory Server in Oracle Solaris 11.1 Administration: Security Services.

After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).

Starting with the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos. If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following Before You Begin section.

Before You Begin

If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.

The Active Directory (AD) service is a Windows 2000 namespace that is integrated with the Domain Name Service (DNS). AD runs only on domain controllers. In addition to storing and making data available, AD protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.

For the SMB server to integrate seamlessly into a Windows AD environment, the following must exist on the network:

The AD and DDNS clients rely on the Kerberos protocol to acquire the Kerberos ticket-granting ticket (TGT) for the specified AD domain. The system must be configured to use DNS for host lookup.

To participate in an AD domain, the system must be configured to use DNS for host lookup. Ensure that the naming service and the DNS service are configured correctly for the appropriate AD domain.

If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following paragraphs.

In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in uppercase letters, as the default realm. Also, specify the fully qualified host name of the domain controller as the value for the kdc, admin_server, and kpasswd_server parameters.

The following example /etc/krb5/krb5.conf file is for an AD domain called EXAMPLE.COM that has multiple AD domain controllers. The primary AD domain controller is called dc.example.com. A secondary AD domain controller is called dc2.example.com. The fully qualified names are used for the domain and the domain controller.

[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = dc.example.com
       kdc = dc2.example.com
       admin_server = dc.example.com
       kpasswd_server = dc.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

For descriptions of the sections and parameters used in this example file, see the krb5.conf(4) man page and Configuring Kerberos Clients (Task Map) in Oracle Solaris 11.1 Administration: Security Services.

  1. Become an administrator, obtain the solaris.smf.value.shares and solaris.smf.manage.shares RBAC authorizations, or use the SMB Management RBAC profile.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Enable the SMB service.
    # svcadm enable -r smb/server

    When you specify the -r option, all services on which smb/server depends are started if they are not already running.

  3. To successfully complete the join process, ensure that the system clock on the Oracle Solaris system is within five minutes of the system clock of the domain controller (DC).

    You can accomplish this task in one of these ways:

    • Manually adjust the system clock on either the Oracle Solaris system or the DC to match the other.
    • Configure both the Oracle Solaris system and the DC to use the same time source (NTP server).
    • Synchronize the system clock on the Oracle Solaris system with the system clock of the DC by running the following command on the Oracle Solaris system:
      # ntpdate DC-hostname

      For example, to synchronize with the DC called dc.westsales.example.com, type:

      # ntpdate dc.westsales.example.com

  4. Join the Windows domain.
    # smbadm join -u username [-o organizational-unit] domain-name

    where username is an authenticated user account, organizational-unit is an alternative organizational unit in which to create a system's machine trust account, and domain-name is a fully qualified NetBIOS or DNS domain name.

    By default, a machine trust account for a system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation if the account does not already exist in Active Directory.

    For more information about the types of users who are permitted to perform a domain join operation and organizational units, see the smbadm(1M) man page.
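The rules in the Before You Begin text and the clock requirement in step 3 can be checked before the join, as in this added example (not part of the Oracle documentation). The function names and the idea of passing in a measured clock offset in seconds are assumptions; the constructed sample reuses the EXAMPLE.COM values from the example file above.

```shell
#!/bin/sh
# Added example: pre-join checks for domain mode. Function names are illustrative.
MAX_SKEW=300   # seconds; the five-minute limit from step 3

# Print every value assigned to key $2 in the krb5.conf-style file $1.
krb5_values() {
    awk -F'=' -v k="$2" '
        { key = $1; val = $2; gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val) }
        key == k && val != "" { print val }
    ' "$1"
}

# Report each rule from the "Before You Begin" text that file $1 violates.
# Checks every realm block in the file, not only the default realm's.
check_krb5_conf() {
    conf=$1; rc=0
    realm=$(krb5_values "$conf" default_realm | head -n 1)
    case $realm in
        '')  echo "default_realm is not set"; rc=1 ;;
        *.*) ;;
        *)   echo "default_realm '$realm' is not fully qualified"; rc=1 ;;
    esac
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "default_realm '$realm' must be uppercase"; rc=1
    fi
    for key in kdc admin_server kpasswd_server; do
        hosts=$(krb5_values "$conf" "$key")
        [ -n "$hosts" ] || { echo "$key is missing"; rc=1; continue; }
        for h in $hosts; do
            case $h in *.*) ;; *) echo "$key '$h' is not fully qualified"; rc=1 ;; esac
        done
    done
    return $rc
}

# Succeed only if offset $1 (seconds, may be negative or fractional) is in range.
skew_ok() {
    awk -v o="$1" -v m="$MAX_SKEW" 'BEGIN {
        if (o !~ /^-?[0-9]+(\.[0-9]+)?$/) exit 2
        o += 0; if (o < 0) o = -o
        exit !(o <= m + 0)
    }'
}

# Constructed sample: the realm block from the example file above.
write_sample_krb5() {
    printf '%s\n' '[libdefaults]' '   default_realm = EXAMPLE.COM' '[realms]' \
        '   EXAMPLE.COM = {' '       kdc = dc.example.com' '       kdc = dc2.example.com' \
        '       admin_server = dc.example.com' '       kpasswd_server = dc.example.com' '   }' > "$1"
}
```

On releases where Kerberos is configured manually, run `check_krb5_conf /etc/krb5/krb5.conf`, and pass `skew_ok` the offset measured against the DC; a nonzero status from either should be resolved before step 4.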

Example 3-1 Configuring the SMB Server in Domain Mode

The following examples show how to configure an SMB server in domain mode as a Domain Administrator and as an organizational unit (OU) administrator:

How to Configure the SMB Server in Workgroup Mode

To create SMB shares, see How to Create an SMB Share (zfs).

If you change from workgroup mode to domain mode, or from domain mode to workgroup mode, you must restart the SMB server. To restart the server, run the svcadm restart smb/server command.

Before You Begin

If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.

  1. Become an administrator, obtain the solaris.smf.value.shares and solaris.smf.manage.shares RBAC authorizations, or use the SMB Management RBAC profile.

    For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  2. Enable the SMB service.
    # svcadm enable -r smb/server

    This command enables the SMB server and any service on which it depends, such as the idmap service.

  3. (Optional) Change the SMB server to operate in a different workgroup.

    By default, the SMB server operates in a workgroup called WORKGROUP.

    # smbadm join -w workgroup-name

  4. Edit the /etc/pam.d/other file to support creation of an encrypted version of the user's password for SMB.

    Add the following line to the end of the file:

    password required    pam_smb_passwd.so.1    nowarn

    See the pam_smb_passwd(5) man page.

  5. Specify the password for existing local users.

    The SMB server cannot use the Oracle Solaris encrypted version of the local user's password for authentication. Therefore, you must generate an encrypted version of the local user's password for the SMB server to use. When the SMB PAM module is installed, the passwd command generates such an encrypted version of the password.

    # passwd username
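Without an active pam_smb_passwd entry, the passwd command in step 5 does not generate the SMB version of the password, so it helps to make the step 4 edit checkable and repeatable. This added example (not from the Oracle documentation) appends the page's line only when no active entry exists; the function names, the .orig backup suffix and the sample stack are assumptions.

```shell
#!/bin/sh
# Added example: make step 4's PAM edit idempotent. Function names are illustrative.
PAM_LINE='password required    pam_smb_passwd.so.1    nowarn'

# Succeed if file $1 (in /etc/pam.d layout, no service column) has an active,
# uncommented password-stack entry for pam_smb_passwd, with or without a
# directory prefix on the module name.
has_smb_pam() {
    awk '$1 == "password" && $3 ~ /(^|\/)pam_smb_passwd\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# Append PAM_LINE to file $1 only when no active entry exists.
# Prints "unchanged" or "added"; the original is kept as $1.orig.
ensure_smb_pam() {
    file=$1
    if has_smb_pam "$file"; then
        echo unchanged; return 0
    fi
    cp -p "$file" "$file.orig" || return 1
    # A file whose last line lacks a newline would swallow the new entry.
    [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
    printf '%s\n' "$PAM_LINE" >> "$file" && echo added
}

# Constructed sample stack: one real entry, one commented-out SMB entry,
# and no trailing newline on the last line.
write_sample_pam() {
    printf '%s\n%s' 'password required   pam_authtok_store.so.1' \
        '#password required   pam_smb_passwd.so.1   nowarn' > "$1"
}
```

Run `ensure_smb_pam /etc/pam.d/other` with the privileges from step 1, then set the passwords as in step 5.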

Example 3-2 Configuring the SMB Server in Workgroup Mode

This example shows how to configure the SMB server in workgroup mode. The name of the workgroup being joined is myworkgroup.

# svcadm enable -r smb/server
# smbadm join -w myworkgroup

Then, create a share. See How to Create an SMB Share (zfs).

Finally, install the PAM module and generate the password for user cal.

# passwd cal

Now, you are ready to have SMB clients access the SMB shares on your SMB server.