Oracle® Solaris Cluster Data Service for Samba Guide

Updated: July 2014, E40565-01

Example: Create the Kerberos, PAM, and Name Service Switch Configuration for winbind

  1. On all zone-cluster nodes, create the Kerberos krb5.conf file.
    zc-node-N# vi /etc/krb5/krb5.conf
    
    [libdefaults]
          default_realm = OSC.EXAMPLE.COM
    
    [realms]
          OSC.EXAMPLE.COM = {
                kdc = 192.168.0.20
                admin_server = 192.168.0.20
          }
    
    [domain_realm]
          .your.domain.name = OSC.EXAMPLE.COM
          your.domain.name = OSC.EXAMPLE.COM
    
    [logging]
          default = FILE:/var/krb5/kdc.log
          kdc = FILE:/var/krb5/kdc.log
          kdc_rotate = {
                period = 1d
                versions = 10
          }
    
    [appdefaults]
          kinit = {
                renewable = true
                forwardable = true
          }
  2. Ensure that the global cluster nodes have network time protocol (NTP) configured to be in sync with the time used by the Windows Active Directory server.

    Compare the output of the ntpq -p command on all physical cluster nodes with the equivalent on the Windows Active Directory server. Kerberos relies on synchronized time between the systems.

  3. On all zone-cluster nodes, activate the PAM configuration file for winbind.
    zc-node-N# cp -p /etc/pam.conf /etc/pam.conf.orig
    zc-node-N# cp /etc/pam.conf-winbind /etc/pam.conf
  4. On all zone-cluster nodes, configure the name service switch to resolve users and groups through winbind.
    zc-node-N# svccfg -s name-service/switch setprop config/password = \"files winbind\"
    zc-node-N# svccfg -s name-service/switch setprop config/group = \"files winbind\"
    zc-node-N# svcadm refresh name-service/switch
  5. On all zone-cluster nodes, disable the name service cache daemon.
    zc-node-N# svcadm disable name-service/cache
  6. From one zone-cluster node, join the Active Directory domain.
    zc-node-1# net -s /failover/samba/samba-lh/lib/smb.conf ADS JOIN -U Administrator
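The checks below are an added example, not part of the Oracle guide: they validate the two prerequisites from steps 1 and 2 (a default realm with a reachable KDC entry in krb5.conf, and an NTP offset small enough for Kerberos) before the domain join in step 6. The function names, the 1000 ms threshold, and the sample krb5.conf and ntpq -p text are assumptions constructed here; no Solaris utilities are invoked.

```shell
# Added pre-flight checks for steps 1 and 2 above; not part of the Oracle guide.
# No Solaris utilities are run: the krb5.conf and ntpq -p text are constructed samples.

# Return 0 when $1 (a krb5.conf) sets default_realm and lists a kdc for that realm.
krb5_realm_has_kdc() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[^A-Za-z_]/, "", sect); next }
        sect == "libdefaults" && $1 == "default_realm"            { realm = $3 }
        sect == "realms" && $2 == "=" && $3 == "{"                { cur = $1 }
        sect == "realms" && cur != "" && $1 == "kdc" && $3 != ""  { haskdc[cur] = 1 }
        /^[ \t]*}/                                                { cur = "" }
        END { if (realm != "" && haskdc[realm]) exit 0; exit 1 }
    ' "$1"
}

# Return 0 when the ntpq -p output in $1 has a selected peer (remote prefixed
# with "*") whose offset (column 9, milliseconds) is within $2 milliseconds.
ntp_offset_within() {
    awk -v limit="$2" '
        substr($1, 1, 1) == "*" { off = $9 + 0; if (off < 0) off = -off; found = 1 }
        END { if (found && off <= limit + 0) exit 0; exit 1 }
    ' "$1"
}

# Demo on constructed files; realm and KDC address match the guide's example values.
tmp=${TMPDIR:-/tmp}/winbind-precheck.$$
mkdir -p "$tmp"
cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
      default_realm = OSC.EXAMPLE.COM
[realms]
      OSC.EXAMPLE.COM = {
            kdc = 192.168.0.20
            admin_server = 192.168.0.20
      }
EOF
cat > "$tmp/ntpq.txt" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.0.20    .LOCL.           1 u   37   64  377    0.412   -1.875   0.301
EOF
krb5_realm_has_kdc "$tmp/krb5.conf" && echo "krb5.conf: default realm has a KDC" \
    || echo "krb5.conf: default realm missing or has no kdc entry"
# Kerberos tolerates at most its clockskew (300 s by default); 1000 ms is a
# deliberately tight operational threshold so drift is caught before it matters.
ntp_offset_within "$tmp/ntpq.txt" 1000 && echo "ntp: offset within limit" \
    || echo "ntp: offset too large, fix NTP before joining the domain"
rm -rf "$tmp"
```

Run it on each zone-cluster node against the real /etc/krb5/krb5.conf and a saved `ntpq -p` capture from the global cluster node; a failure of either check means step 6 should wait.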