Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
The following table points to the tasks that you can use to configure the operation mode of the SMB server. The server operates either in domain mode, where it joins an Active Directory domain and authenticates users against the domain, or in workgroup mode, where it authenticates local users itself. The procedure for each mode follows.
How to Configure the SMB Server in Domain Mode
This procedure describes how to use the smbadm join command to join an AD domain. To instead use the kclient command to manually join the domain, see How to Configure a Kerberos Client for an Active Directory Server in Oracle Solaris 11.1 Administration: Security Services.
After successfully joining an AD domain, you can enable the SMB server to publish SMB shares in the AD directory. To do so, create or update SMB shares and specify the share container for each share that you want to publish. To create SMB shares, see How to Create an SMB Share (zfs).
Starting with the Oracle Solaris 11 OS, the smbadm join command automatically configures Kerberos. If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following Before You Begin section.
Before You Begin
If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.
The Active Directory (AD) service is a Windows 2000 namespace that is integrated with the Domain Name Service (DNS). AD runs only on domain controllers. In addition to storing and making data available, AD protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.
For the SMB server to integrate seamlessly into a Windows AD environment, the following must exist on the network:
A Windows AD domain controller
Optionally, an AD DNS server that permits dynamic updates, so that the system can register its own name by using dynamic DNS (DDNS)
The AD and DDNS clients rely on the Kerberos protocol to acquire a Kerberos ticket-granting ticket (TGT) for the specified AD domain, and Kerberos locates the domain controllers through DNS. To participate in an AD domain, the system must therefore be configured to use DNS for host lookup. Ensure that the naming service and the DNS service are configured correctly for the appropriate AD domain.
If you are running a version of the Solaris Express OS or the Oracle Solaris 11 Express OS, you must manually configure Kerberos as described in the following paragraphs.
In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in uppercase letters, as the default realm. Also, specify the fully qualified host name of the domain controller as the value for the kdc, admin_server, and kpasswd_server parameters.
The following example /etc/krb5/krb5.conf file is for an AD domain called EXAMPLE.COM that has multiple AD domain controllers. The primary AD domain controller is called dc.example.com. A secondary AD domain controller is called dc2.example.com. The fully qualified names are used for the domain and the domain controller.
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        EXAMPLE.COM = {
                kdc = dc.example.com
                kdc = dc2.example.com
                admin_server = dc.example.com
                kpasswd_server = dc.example.com
                kpasswd_protocol = SET_CHANGE
        }

[domain_realm]
        .example.com = EXAMPLE.COM
For descriptions of the sections and parameters used in this example file, see the krb5.conf(4) man page and Configuring Kerberos Clients (Task Map) in Oracle Solaris 11.1 Administration: Security Services.
Become an administrator. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Enable the SMB service:
# svcadm enable -r smb/server
When you specify the -r option, all services on which smb/server depends are started if they are not already running.
Ensure that the system clock is synchronized with the clock of the domain controller. The join obtains a Kerberos TGT, and the KDC rejects a request whose timestamp differs from its own clock by more than the permitted skew, which is five minutes by default. One way to synchronize the clock is to run the ntpdate command against the DC:
# ntpdate DC-hostname
For example, to synchronize with the DC called dc.westsales.example.com, type:
# ntpdate dc.westsales.example.com
Join the AD domain:
# smbadm join -u username [-o organizational-unit] domain-name
where username is an authenticated user account that is permitted to join computers to the domain, organizational-unit is an alternative organizational unit in which to create the system's machine trust account, and domain-name is a fully qualified NetBIOS or DNS domain name.
By default, a machine trust account for a system is automatically created in the default container for computer accounts (cn=Computers) as part of the domain join operation if the account does not already exist in Active Directory.
For more information about the types of users who are permitted to perform a domain join operation and organizational units, see the smbadm(1M) man page.
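The following shell script is an added example; it is not part of the Oracle Solaris documentation or of the smbadm tooling. It performs, offline, the two checks a practitioner wants to run before the join step above: that the clock offset reported by ntpdate -q is within the Kerberos clock-skew limit (300 seconds by default), and that /etc/krb5/krb5.conf, when it was written by hand as described under Before You Begin, names the upper-case realm with at least one kdc for it. The domain, the ntpdate output line, the krb5.conf content written to a temporary file, and all function names are constructed for the example; nothing here contacts a domain controller or runs smbadm.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: offline pre-join
# checks for the smbadm join procedure. All sample data below is constructed.

# Kerberos rejects requests whose timestamp differs from the KDC clock by more
# than the clock-skew limit, 300 seconds by default, so the join (which needs
# a TGT) fails if the system clock drifted that far from the DC.
MAX_SKEW=300

# realm_for_domain DOMAIN: AD Kerberos realms are the DNS domain name in upper
# case, which is what default_realm in /etc/krb5/krb5.conf must hold.
realm_for_domain() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# ntp_offset_secs LINE: extract the signed "offset" value (seconds) from a
# line in the format printed by `ntpdate -q DC-hostname`.
ntp_offset_secs() {
    printf '%s\n' "$1" | sed -n 's/.*offset \([-+0-9.]*\).*/\1/p'
}

# skew_ok OFFSET: succeed when OFFSET is numeric and |OFFSET| <= MAX_SKEW.
# awk supplies the floating-point arithmetic that POSIX sh lacks.
skew_ok() {
    case $1 in ''|*[!-+0-9.]*) return 1 ;; esac
    awk -v off="$1" -v max="$MAX_SKEW" \
        'BEGIN { o = (off < 0) ? -off : off; exit (o <= max) ? 0 : 1 }'
}

# krb5_realm_ok FILE REALM: succeed when FILE sets default_realm = REALM and
# the [realms] stanza for REALM defines at least one kdc.
krb5_realm_ok() {
    file=$1; realm=$2
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$file" ||
        return 1
    awk -v realm="$realm" '
        $0 ~ ("^[[:space:]]*" realm "[[:space:]]*=") && index($0, "{") > 0 { in_realm = 1 }
        in_realm && /^[[:space:]]*}/ { in_realm = 0 }
        in_realm && /^[[:space:]]*kdc[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }' "$file"
}

# preflight DOMAIN KRB5CONF NTP_LINE: run the checks, print one line each, and
# return non-zero if any failed so that a wrapper can refuse to run the join.
preflight() {
    domain=$1; conf=$2; ntp_line=$3
    realm=$(realm_for_domain "$domain")
    rc=0
    off=$(ntp_offset_secs "$ntp_line")
    if skew_ok "$off"; then
        echo "ok   clock offset ${off}s is within ${MAX_SKEW}s of the DC"
    else
        echo "FAIL clock offset '${off}' unreadable or beyond ${MAX_SKEW}s; run ntpdate first"
        rc=1
    fi
    if krb5_realm_ok "$conf" "$realm"; then
        echo "ok   $conf names realm $realm with a kdc"
    else
        echo "FAIL $conf lacks default_realm = $realm or a kdc for it"
        rc=1
    fi
    return $rc
}

# Stand-alone run on constructed data: one ntpdate -q output line and a minimal
# krb5.conf in a temporary file (on Oracle Solaris 11 the join writes the real
# file itself; the realm check matters when the file was configured by hand).
SAMPLE_NTP='server 192.0.2.10, stratum 2, offset -0.012345, delay 0.02568'
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[libdefaults]
        default_realm = WESTSALES.EXAMPLE.COM
[realms]
        WESTSALES.EXAMPLE.COM = {
                kdc = dc.westsales.example.com
        }
EOF
if preflight westsales.example.com "$SAMPLE_CONF" "$SAMPLE_NTP"; then
    echo "ready: smbadm join -u dana westsales.example.com"
fi
rm -f "$SAMPLE_CONF"
```

On a real system, feed preflight the actual /etc/krb5/krb5.conf path and the first line of `ntpdate -q DC-hostname` output; a failed skew check means the join would fail inside Kerberos with a clock-skew error even though DNS and the password are correct, which is one of the conditions listed under Troubleshooting the SMB Service.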
Example 3-1 Configuring the SMB Server in Domain Mode
The following examples show how to configure an SMB server in domain mode as a Domain Administrator and as an organizational unit (OU) administrator:
This example shows how a user with Domain Administrator privileges configures the SMB server in domain mode. User dana has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.
# svcadm enable -r smb/server
# smbadm join -u dana westsales.example.com
After joining westsales.example.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'
This example shows how an OU administrator configures the SMB server in domain mode. An OU administrator does not have domain administrative privileges and can have control over one or more OUs. The name of the domain being joined is westsales.example.com.
Based on the following hierarchy, a delegated administrator can create a machine trust account in one or more of the OUs:
dc=com
    dc=example
        dc=westsales
            ou=Departments
                ou=Engineering
                ou=Payables,Receivables,and Payroll
                ...
The following examples show how designated administrators, who do not have Domain Administrator privileges, can configure an SMB server in a domain.
In this example, user jan is the designated administrator for the Departments OU. Prior to adding the SMB server to the domain, jan pre-staged the computer account in the Departments OU. So, the -o option is not required to add the server to the domain. The following command shows how jan would run the smbadm join command:
# smbadm join -u jan westsales.example.com
For information about pre-staging computer accounts on Windows Server 2008, see Pre-Stage Computer Account in Windows Server 2008.
In this example, user terry is the designated administrator for the Engineering OU. The computer account has not been pre-staged, so terry must indicate the OU in which to create the account. The following command shows how terry creates the machine trust account in the Engineering OU:
# smbadm join -u terry -o ou=Engineering,ou=Departments westsales.example.com
In this example, user sal is the designated administrator for the Payables,Receivables,and Payroll OU. The computer account has not been pre-staged, so sal must indicate the OU in which to create the account. The following command shows how sal creates the machine trust account in the Payables,Receivables,and Payroll OU:
# smbadm join -u sal -o 'ou=Payables\,Receivables\,and Payroll,ou=Departments' \
    westsales.example.com
Note that the argument to the -o option in the previous command contains escaped characters and is surrounded by single quotes ('). The escaping is required because the following characters are reserved in LDAP distinguished names and must be escaped with a backslash (\) wherever they appear in an OU name:
, + " \ < > ; = #
When you escape these reserved characters, you must also surround the string with single quotes, because the backslash is itself a shell special character and would otherwise be consumed by the shell before smbadm ever sees it.
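The following shell script is an added example and is not part of the Oracle Solaris documentation. It builds the -o argument for smbadm join from OU names that may contain the reserved characters listed above, quotes the result for the shell, and prints the command instead of running it. It goes slightly beyond the text by also handling an apostrophe inside an OU name, which the single-quote rule above cannot express on its own. The user, domain, OU names and function names are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: build the -o
# argument for `smbadm join` from OU names that may contain LDAP-reserved
# characters, and print the resulting command instead of running it.
# The user, domain and OU names are constructed sample values.

# escape_rdn_value NAME: put a backslash before each of , + " \ < > ; = #
# so NAME is safe as the value of an ou= component of a distinguished name.
escape_rdn_value() {
    printf '%s\n' "$1" | sed 's/[,+"\\<>;=#]/\\&/g'
}

# ou_dn LEAF PARENT...: compose the DN, most specific OU first, each name
# escaped, with unescaped commas separating the components.
ou_dn() {
    dn=
    for name in "$@"; do
        if [ -z "$dn" ]; then
            dn="ou=$(escape_rdn_value "$name")"
        else
            dn="$dn,ou=$(escape_rdn_value "$name")"
        fi
    done
    printf '%s\n' "$dn"
}

# sh_single_quote S: wrap S in single quotes so the shell passes backslashes
# through untouched; an apostrophe inside S becomes '\'' (close the quotes,
# one escaped apostrophe, reopen), which plain single quotes cannot contain.
sh_single_quote() {
    printf "'%s'\n" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# join_cmd USER DOMAIN LEAF PARENT...: the smbadm join command line, printed
# rather than executed so the example is safe to run anywhere.
join_cmd() {
    user=$1; domain=$2; shift 2
    printf 'smbadm join -u %s -o %s %s\n' "$user" "$(sh_single_quote "$(ou_dn "$@")")" "$domain"
}

# Stand-alone demonstration: the OU from the example above, then a constructed
# name that exercises several other reserved characters and an apostrophe.
join_cmd sal westsales.example.com 'Payables,Receivables,and Payroll' Departments
join_cmd sal westsales.example.com "R+D (EMEA) # \"O'Brien's\" team" Departments
```

The first call reproduces the command shown for user sal above. Over-escaping is harmless here: a backslash before # or = is accepted by the directory even where the rules would not strictly require it, so the function escapes every occurrence rather than reasoning about position.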
To create SMB shares, see How to Create an SMB Share (zfs).
If you change from workgroup mode to domain mode, or from domain mode to workgroup mode, you must restart the SMB server. To restart the server, run the svcadm restart smb/server command.
How to Configure the SMB Server in Workgroup Mode
Before You Begin
If the Samba service is running on the Oracle Solaris system, you must disable it. See How to Disable the Samba Service.
Become an administrator. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Enable the SMB service:
# svcadm enable -r smb/server
This command enables the SMB server and any service on which it depends, such as the idmap service.
Join the workgroup. By default, the SMB server operates in a workgroup called WORKGROUP. To join a workgroup with a different name, specify it with the -w option:
# smbadm join -w workgroup-name
Enable the SMB password PAM module by adding the following line to the end of the PAM configuration file:
password required pam_smb_passwd.so.1 nowarn
See the pam_smb_passwd(5) man page.
The SMB server cannot use the Oracle Solaris encrypted version of a local user's password for authentication, because SMB clients in a workgroup authenticate with NTLM, which requires a different hash of the password. Therefore, you must generate an SMB-specific hash of each local user's password for the SMB server to use. When the SMB PAM module is installed, the passwd command generates that hash in addition to the regular Oracle Solaris one and stores it in /var/smb/smbpasswd. An NT-style hash is password-equivalent for SMB authentication, so protect that file as carefully as the shadow file. Specify the password for each local user who will access SMB shares:
# passwd username
A password that was set before the PAM module line was added has no SMB hash; run passwd again for such users, or SMB clients will be refused with invalid-password errors.
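The following shell script is an added example and is not part of the Oracle Solaris documentation. It performs the PAM edit from the procedure above idempotently: it appends the pam_smb_passwd line only when no uncommented entry already loads the module, so re-running the workgroup setup cannot stack duplicate entries, and it exposes the check separately so that a deployment can confirm the module is active before any passwd command is run. It operates on a constructed temporary file, never on the live PAM configuration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: enable the SMB
# password PAM module idempotently. It works on a constructed temporary copy
# of a PAM configuration file, never on the live /etc configuration.

PAM_SMB_LINE='password required pam_smb_passwd.so.1 nowarn'

# pam_smb_enabled FILE: succeed if an uncommented "password" entry in FILE
# already loads pam_smb_passwd.so.1. A commented-out copy ("#password ...")
# does not count, because PAM ignores it.
pam_smb_enabled() {
    grep -Eq '^[[:space:]]*password[[:space:]]+[a-z_]+[[:space:]]+pam_smb_passwd\.so\.1' "$1"
}

# ensure_pam_smb FILE: append PAM_SMB_LINE only when the module is not yet
# enabled, so rerunning the setup never stacks duplicate entries.
ensure_pam_smb() {
    file=$1
    if pam_smb_enabled "$file"; then
        echo "unchanged: $file already loads pam_smb_passwd.so.1"
        return 0
    fi
    # Start the new entry on its own line even if FILE lacks a final newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$PAM_SMB_LINE" >> "$file"
    echo "added: $PAM_SMB_LINE -> $file"
}

# Stand-alone run on a constructed minimal stack; the second call is a no-op.
DEMO=$(mktemp)
printf '# constructed sample PAM stack\nauth required pam_unix_auth.so.1\n' > "$DEMO"
ensure_pam_smb "$DEMO"
ensure_pam_smb "$DEMO"
echo "entries loading pam_smb_passwd: $(grep -c pam_smb_passwd "$DEMO")"
rm -f "$DEMO"
```

Call pam_smb_enabled on the real configuration file before running passwd for SMB users: if it fails, the passwd command will store only the Oracle Solaris hash, and the user will be unable to authenticate to the SMB server until the module is enabled and passwd is run again.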
Example 3-2 Configuring the SMB Server in Workgroup Mode
This example shows how to configure the SMB server in workgroup mode. The name of the workgroup being joined is myworkgroup.
# svcadm enable -r smb/server
# smbadm join -w myworkgroup
Then, create a share. See How to Create an SMB Share (zfs).
Finally, install the PAM module and generate the password for user cal.
# passwd cal
Now, you are ready to have SMB clients access the SMB shares on your SMB server.