This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Join a Kerberos Client to an Active Directory Server in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.
In the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos.
Before You Begin
If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.
For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
# svcadm enable -r smb/server
When you specify the -r option, all services on which smb/server depends are started if they are not already running.
You can synchronize the system clock with the DC in one of several ways; for example, by running the ntpdate command against the DC:
# ntpdate DC-hostname
If the NTP service is already running, then the ntpdate command fails with the following error:
no server suitable for synchronization found.
For example, to synchronize with the DC called dc.westsales.example.com, type:
# ntpdate dc.westsales.example.com
# smbadm join -u username [-o organizational-unit] domain-name

-u username
    Specifies an authenticated user account.

-o organizational-unit
    Specifies an alternative organizational unit in which to create a system's machine trust account.

domain-name
    Specifies a fully qualified NetBIOS or DNS domain name.
By default, a machine trust account for a system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation if the account does not already exist in Active Directory.
For more information about the types of users who are permitted to perform a domain join operation and organizational units, see the smbadm(1M) man page.
The following examples show how to configure an SMB server in domain mode as a Domain Administrator and as an organizational unit (OU) administrator:
The following example shows how a user with Domain Administrator privileges configures the SMB server in domain mode. User mary has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.
# svcadm enable -r smb/server
# smbadm join -u mary westsales.example.com
After joining westsales.example.com the smb service will be restarted automatically.
Would you like to continue? [no]:
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'
The following example shows how an OU administrator configures the SMB server in domain mode. An OU administrator does not have domain administrative privileges and can have control over one or more OUs. The name of the domain being joined is westsales.example.com.
Based on the following hierarchy, a delegated administrator can create a machine trust account in one or more of the OUs:
dc=com
  dc=example
    dc=westsales
      ou=Departments
        ou=Engineering
        ou=Payables,Receivables,and Payroll
        ...
The following examples show how designated administrators who do not have Domain Administrator privileges can configure an SMB server in a domain.
In the following example, user jan is the designated administrator for the Departments OU. Because jan has already pre-staged the computer account in the Departments OU, the -o option is not required to add the server to the domain. The following command shows how jan would run the smbadm join command:
# smbadm join -u jan westsales.example.com
For information about pre-staging computer accounts on Windows Server 2008, see Pre-Stage Computer Account in Windows Server 2008.
In the following example, user john is the designated administrator for the Engineering OU. The computer account has not been pre-staged, so john must indicate the OU in which to create the account. The following command shows how john creates the machine trust account in the Engineering OU:
# smbadm join -u john -o ou=Engineering,ou=Departments westsales.example.com
In the following example, user sal is the designated administrator for the Payables,Receivables,and Payroll OU. The computer account has not been pre-staged, so sal must indicate the OU in which to create the account. The following command shows how sal creates the machine trust account in the Payables,Receivables,and Payroll OU:
# smbadm join -u sal -o 'ou=Payables\,Receivables\,and Payroll,ou=Departments' \
    westsales.example.com
Note that the argument to the -o option in the previous command contains escaped characters and is surrounded by single quotes ('). The following reserved characters must be escaped with a backslash (\):
, + " \ < > ; = #
When you escape these reserved characters, you must also surround the string with single quotes because the backslash itself is a shell special character.
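The following shell script is an added example, not part of the Oracle Solaris documentation, showing how to build the escaped -o argument from the OU hierarchy above without hand-escaping it. It applies the reserved-character list from this procedure to each OU name, joins the names leaf-first into an ou=...,ou=... string, and renders the smbadm join command line with the single quoting the procedure calls for. The function names (escape_rdn_value, build_ou_dn, join_command_line) are this example's own; the OU and domain names are the ones used in this procedure.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): build an escaped
# organizational-unit DN for the -o option of smbadm join.
# Function and variable names here are this example's own.

# Escape the reserved characters the procedure lists (, + " \ < > ; = #)
# inside a single RDN value. The backslash is escaped first so that the
# backslashes inserted for the other characters are not escaped again.
escape_rdn_value() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;=#]/\\&/g'
}

# Build "ou=<leaf>,ou=<parent>,..." from OU names given leaf first,
# which is the order the -o argument in the procedure uses.
build_ou_dn() {
    dn=''
    for ou in "$@"; do
        rdn="ou=$(escape_rdn_value "$ou")"
        if [ -z "$dn" ]; then
            dn=$rdn
        else
            dn="$dn,$rdn"
        fi
    done
    printf '%s\n' "$dn"
}

# Render the command line exactly as it would be typed at the prompt:
# the DN goes inside single quotes so the shell passes the backslashes
# through untouched. Any single quote inside the DN is closed, escaped
# and reopened ('\'') so the quoting stays valid.
# Usage: join_command_line <user> <domain> <leaf OU> [<parent OU> ...]
join_command_line() {
    user=$1
    domain=$2
    shift 2
    dn=$(build_ou_dn "$@")
    quoted=$(printf '%s\n' "$dn" | sed "s/'/'\\\\''/g")
    printf "smbadm join -u %s -o '%s' %s\n" "$user" "$quoted" "$domain"
}

# Demonstration on the procedure's own OU names and domain.
join_command_line sal westsales.example.com 'Payables,Receivables,and Payroll' Departments
join_command_line john westsales.example.com Engineering Departments
```

The single quotes matter only when the DN is typed literally at the prompt. If the DN is held in a variable and passed as "$ou_dn", the shell does not reinterpret backslashes inside a double-quoted expansion, so no further quoting is needed. Escaping every character in the list is always accepted by the directory, even in positions where the LDAP DN string rules would not strictly require it, so the script errs on the side of escaping.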
Next Steps
After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).