How to Configure the SMB Server in Domain Mode

Before You Begin

If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.

This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Join a Kerberos Client to an Active Directory Server in Managing Kerberos in Oracle Solaris 11.4.

Starting with the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos.

  1. Become an administrator.
  2. Enable the SMB service.
    $ svcadm enable -r smb/server

    When you specify the -r option, all services on which smb/server depends are started if they are not already running.

  3. Ensure that the system clock on the Oracle Solaris system is within five minutes of the system clock of the domain controller (DC). Kerberos rejects authentication when the clock skew is larger than this, so the domain join fails if the clocks drift apart.

    You can accomplish this task in one of these ways:

    • Manually adjust the system clock on either the Oracle Solaris system or the DC to match the other.

    • Configure both the Oracle Solaris system and the DC to use the same time source (NTP server).

    • Synchronize the system clock on the Oracle Solaris system with the system clock of the DC by running the following command on the Oracle Solaris system:

      $ ntpdate DC-hostname

      If the NTP service is already running, then the ntpdate command fails with the following error:

      no server suitable for synchronization found.

      For example, to synchronize with the DC called dc.westsales.example.com, type:

      $ ntpdate dc.westsales.example.com
  4. Join the Windows domain.
    $ smbadm join -u username [-o organizational-unit] domain-name
    username

    Specifies an authenticated user account

    organizational-unit

    Specifies an alternative organizational unit in which to create a system's machine trust account

    domain-name

    Specifies a fully qualified NetBIOS or DNS domain name

    Note:

    NetBIOS-based discovery is disabled if NetBIOS is disabled. See Disabling and Re-enabling NetBIOS.

    By default, a machine trust account for a system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation if the account does not already exist in Active Directory.

    For more information about the types of users who are permitted to perform a domain join operation and organizational units, see the smbadm(8) man page.

Example 3-1 Configuring the SMB Server in Domain Mode

The following examples show how to configure an SMB server in domain mode as a Domain Administrator and as an organizational unit (OU) administrator:

  • The following example shows how a user with Domain Administrator privileges configures the SMB server in domain mode. User domadmin has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.

    $ svcadm enable -r smb/server
    $ smbadm join -u domadmin westsales.example.com
    After joining westsales.example.com the smb service will be restarted automatically.
    Would you like to continue? [no]:
    Enter domain password:
    Joining 'westsales.example.com' ... this may take a minute ...
    Successfully joined domain 'westsales.example.com'
  • The following example shows how an OU administrator configures the SMB server in domain mode. An OU administrator does not have domain administrative privileges and can have control over one or more OUs. The name of the domain being joined is westsales.example.com.

    Based on the following hierarchy, a delegated administrator can create a machine trust account in one or more of the OUs:

    dc=com
       dc=example
          dc=westsales
             ou=Departments
                ou=Engineering
                ou=Payables,Receivables,and Payroll
    ...

    The following examples show how designated administrators who do not have Domain Administrator privileges can configure an SMB server in a domain.

    • In the following example, user deptadmin is the designated administrator for the Departments OU. Because deptadmin has already pre-staged the computer account in the Departments OU, the -o option is not required to add the server to the domain. The following command shows how deptadmin would run the smbadm join command:

      $ smbadm join -u deptadmin westsales.example.com
    • In the following example, user engadmin is the designated administrator for the Engineering OU. The computer account has not been pre-staged, so engadmin must indicate the OU in which to create the account. The following command shows how engadmin creates the machine trust account in the Engineering OU:

      $ smbadm join -u engadmin -o ou=Engineering,ou=Departments westsales.example.com
    • In the following example, user payadmin is the designated administrator for the Payables,Receivables,and Payroll OU. The computer account has not been pre-staged, so payadmin must indicate the OU in which to create the account. The following command shows how payadmin creates the machine trust account in the Payables,Receivables,and Payroll OU:

      $ smbadm join -u payadmin -o 'ou=Payables\,Receivables\,and Payroll,ou=Departments' \
      westsales.example.com

      Note that the argument to the -o option in the preceding command contains escaped characters and is surrounded by single quotes ('). The following reserved characters must be escaped by using the backslash (\):

      , + " \ < > ; = $

      When you escape these reserved characters, you must also surround the string with single quotes because the backslash itself is a shell special character.
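The following script is an added example, not part of the Oracle documentation or of the smbadm tool: it builds the -o argument for an OU path whose names contain the reserved characters listed above, escaping each value with a backslash and single-quoting the result for the command line exactly as the preceding paragraphs require. The function and variable names are illustrative, and the final function only prints the smbadm join command line rather than running it, so you can verify the quoting before joining the domain.

```shell
#!/bin/sh
# Added example (not Oracle's code): build and quote the -o argument for
# smbadm join from OU names that contain DN-reserved characters.

# Escape the characters the procedure lists as reserved in a DN value:
#   , + " \ < > ; = $
# The backslash is replaced first so that the escapes added afterwards
# are not doubled by the next substitution.
escape_dn_value() {
    printf '%s\n' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;=$]/\\&/g'
}

# Join OU names, innermost first, into an OU path such as
# ou=Engineering,ou=Departments, escaping every value.
build_ou_path() {
    path=""
    for name in "$@"; do
        esc=$(escape_dn_value "$name")
        if [ -z "$path" ]; then
            path="ou=$esc"
        else
            path="$path,ou=$esc"
        fi
    done
    printf '%s\n' "$path"
}

# Wrap a string in single quotes so the shell passes the backslashes through
# unchanged; an embedded single quote becomes '\'' so it stays literal.
shell_single_quote() {
    printf "'%s'\n" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# Print, without running it, the smbadm join command line for a user,
# an already escaped OU path, and a domain name.
join_command_line() {
    printf 'smbadm join -u %s -o %s %s\n' \
        "$1" "$(shell_single_quote "$2")" "$3"
}

# Constructed sample matching the OU hierarchy shown in the example above.
ou_path=$(build_ou_path 'Payables,Receivables,and Payroll' Departments)
join_command_line payadmin "$ou_path" westsales.example.com
```

Because the single quotes are produced by the script rather than typed by hand, the printed line can be pasted as-is; if you instead pass the path through a variable, keep the variable expansion double-quoted so the shell does not reinterpret the backslashes.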

Additional Action

After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).