| Skip Navigation Links | |
| Exit Print View | |
|
Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1 Oracle Solaris 11.1 Information Library |
1. Sharing Files Between Windows and Oracle Solaris Systems
2. Setting Up Identity Mapping Between Windows and Oracle Solaris Systems
3. Setting Up a Oracle Solaris SMB Server to Manage and Share Files
How to Disable the Samba Service
Configuring the SMB Server Operation Mode (Task Map)
How to Configure the SMB Server in Domain Mode
How to Configure the SMB Server in Workgroup Mode
Managing SMB Shares in This Release
Managing SMB Shares (Task Map)
How to Enable Cross-Protocol Locking
How to Create an SMB Share (zfs)
How to Enable Guest Access to an SMB Share
How to Enable Access-Based Enumeration for a Share
How to Modify SMB Share Properties (zfs)
How to Remove an SMB Share (zfs)
How to Create a Specific Autohome Share Rule
How to Restrict Client Host Access to an SMB Share (zfs)
Managing SMB Groups (Task Map)
How to Add a Member to an SMB Group
How to Remove a Member From an SMB Group
How to Modify SMB Group Properties
Enabling CATIA V4/V5 Character Translations
How to the Enable CATIA Interoperability Feature
Configuring SMB Printing (Task Map)
How to Enable the SMB Print Service
Troubleshooting the SMB Service
Checking the DNS Configuration
Ensuring That Kerberos Is Correctly Configured
Ensuring That You Specify the Correct Password for Your Domain User
Ensuring the Firewall Software Does Not Filter Out Required Ports
Viewing Oracle Solaris SMB Service Property Settings
Excluding IP Addresses From WINS Name Resolution
Changes to Windows Group Membership and to User Mapping Do Not Take Effect
Cannot Set Share Security, All Shares Inherit the Security of the Directory Object
Older Versions of Windows Cannot Copy Files Larger Than Four Gbytes
Cannot See the Security Tab From Windows Clients
Microsoft Access or SQL Server Sessions Time Out After a Period of Inactivity
Cannot Add Windows Local Groups to Access Control List
SMB Browsing Fails When share.smb=on Is Set on a ZFS Pool
Samba or SMB Service Cannot Bind Various Ports
SMB Shares on a ZFS File System are Inaccessible After a Reboot
Invalid Password Errors Appear When Mapping a Drive or Browsing Computers in the Workgroup
The following are troubleshooting issues for the Oracle Solaris SMB service. For related troubleshooting information, see the following:
To authenticate users from a Windows domain, the Oracle Solaris SMB service must locate a domain controller, authenticate, and then add a computer account to the domain.
Users from the domain are not able to establish a connection to the Oracle Solaris SMB service unless this process succeeds.
The Oracle Solaris SMB service must be running for the smbadm join command to succeed.
If Active Directory (AD) is configured, the Oracle Solaris SMB service attempts to locate the domain controller by means of DNS. If the service cannot locate the domain controller, you must use SMF to configure DNS properly.
The following configuration issues might prevent you from configuring the Oracle Solaris SMB service in domain mode:
Missing DNS domain. Ensure that the fully qualified AD domain name has been added to the search list or as the local domain.
If your configuration is incorrect, you might see the failed to join domain domain-name (INVALID_PARAMETER) error when attempting to join the domain.
Missing DNS server. Ensure that the IP address of the AD DNS server is added as the name server.
If your configuration is incorrect, you might see the failed to find any domain controllers error when attempting to join the domain.
DNS host lookup not used. Ensure that DNS is used for host lookup.
Use the svccfg command to update properties for system/name-service/switch and network/dns/client. See the svccfg(1M) man page.
You might see the following error messages, which indicate that Kerberos is not correctly configured:
k5_kinit: KDC has no support for encryption type
When this error occurs, you must reset the Domain Administrator password by re-entering the original password.
This error is a known issue on Windows where DES encryption keys are not created for the administrator under certain circumstances. For more information, see Microsoft knowledge base article 248808.
k5_kinit: getting initial credentials (KDC reply did not match expectations)
Ensure that the Kerberos Realm specified in the /etc/krb5/krb5.conf uses uppercase characters.
k5_kinit: getting initial credentials (Cannot resolve network address for KDC in requested realm)
This problem can be corrected by ensuring that the configuration is correct in one of these ways:
Ensure that DNS is used for host lookup.
Ensure that the IP address of the DNS server is added as the name server if you see log entries that are similar to the following:
smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.13 name server smbd[101148]: [ID 290708 daemon.debug] NS Found 10.1.98.12 name server smbd[101148]: [ID 327122 daemon.debug] NS Found 2 name servers smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number) smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error smbd[101148]: [ID 995127 daemon.error] dyndns: UDP send error (Bad file number) smbd[101148]: [ID 342079 daemon.error] smb_ads: send/receive error smbd[101148]: [ID 327097 daemon.error] smb_ads: No ADS host found from configured nameservers
Use the svccfg command to update properties for system/name-service/switch and network/dns/client. See the svccfg(1M) man page.
The user that you specify on the smbadm join command line must have the correct password and the authority to create computer accounts.
The following error message only appears if you supply the wrong password for the administrative user:
failed to find any domain controller s for domain-name
Some firewall software might filter out certain ports that will prevent a Oracle Solaris SMB server from successfully joining a domain.
For example, the following error message appears if the Kerberos Change & Set Password port is filtered out:
smbd[446]: [daemon.error] smbns_kpasswd: KPASSWD protocol exchange failed ...
The following network protocols are used by the smbd service during a domain join operation, and must be available for the Oracle Solaris SMB service:
53
88
464
749
389
138
137
139
445
Port assignment settings appear in the /etc/services file. For more information, see the services(4) man page.
Much of the Oracle Solaris SMB service configuration uses the sharectl(1M) command to set properties. Before you change property values, you should view the current property settings by running the sharectl get smb command.
When using WINS/NetBIOS, Windows domain controllers (DC) do not automatically respond to the host from which they received a request. They perform a WINS or NetBIOS cache lookup and for multihomed servers, the DC can respond to different network interfaces belonging to the server. If the IP address is not accessible to the DC, it will appear as if the DC has not responded to the server. Thus, it may be necessary to exclude specific network interfaces from WINS registration.
The following example shows how to configure the Oracle Solaris SMB service as a WINS client. The primary WINS server is set to IP address 172.16.48.20, the secondary WINS server is set to IP address 172.16.48.21, and network interfaces bge0 and bge1 are excluded from WINS resolution.
# sharectl set -p wins_server_1=172.16.48.20 smb # sharectl set -p wins_server_2=172.16.48.21 smb # sharectl set -p wins_exclude=bge0,bge1 smb
Windows clients use an access token to assign user data and group membership. This token is assigned when the client connects to the SMB service. Any changes made to this token are not reflected until the next time the user connects.
To force changes to take effect immediately, the user must disconnect from the SMB service by logging out of all connected workstations.
A master browser is a server that is configured to manage SMB browse lists and to respond to client requests for them. A Windows server is configured as a master browser by default.
The Oracle Solaris SMB service is not configured as a master browser. The Oracle Solaris SMB service dedicates all of its resources to file sharing.
For browsing to function correctly, each subnet or physical network segment must have a master browser. To make the Oracle Solaris SMB service available through browse lists, the system on which it runs should be located on the same segment and subnet as a Windows server.
Configuring a Windows server improves the performance of browsing and might compensate for the lack of a master browser on some segments.
The security implementation of the Oracle Solaris SMB service only secures files and directories. The effective security of a SMB share is always the security of the directory to which it points.
You might see this problem if your client is running Windows 2000 or an older version of Windows.
If you are running a Windows 2000 client, apply the latest service pack.
If you are running a version older than Windows 2000, you might be able to work around the problem by using the Windows backup utility or by using a similar third-party product.
To map a drive or to connect to a share, you must have read access to the directory to which the share points.
If the Oracle Solaris SMB service is in domain mode, you must also be logged in to the domain.
To ensure that a user can connect to a share, do the following to check and modify permissions:
Log in to the system that is running the Oracle Solaris SMB service.
Become superuser.
Obtain the user name and group name of the owner.
# ls -l pathname
For example, the following output indicates that the share is a directory with 750 permissions. The owner is root and the group is sys.
# ls -ld /vol1/data drwxr-x--- 41 root sys 1024 Jan 2 23:19 /vol1/data
Determine the permissions necessary for the user to access the directory.
Use the chmod command to change the permissions of the directory.
Some Windows clients do not show the security tab unless you have permission to view or change security.
For information about how to view and modify share permissions, see Cannot Use SMB to Map Drives.
Applications can send SMB echo requests periodically to keep idle sessions open or to reconnect, as required, if a session times out due to inactivity. If an application appears unable to deal with an idle session timeout, the SMB service keep_alive property can be set to 0 to disable the session inactivity timer.
# sharectl set -p keep_alive=0 smb
Windows local groups cannot be used to assign security on remote systems. A local group can only be used on the individual computer on which it is created. A local group is not stored in the domain SAM database.
Windows domain controllers are an exception to this behavior. Domain controllers share a set of local groups that can only be shared with other domain controllers. To make security assignments to the Oracle Solaris SMB service, use global groups.
The Oracle Solaris SMB service has its own set of local groups that are provided for Windows compatibility purposes. These local groups permit a limited set of privileges, and they can also be used for security assignments to individual files and folders.
Note - Windows domain local groups are not supported.
If you have a ZFS pool with datasets and you run the zfs set share.smb=on command on the pool, the pool and all its datasets are shared, but unavailable for browsing by Windows systems.
To work around this problem, do the following:
Determine whether your ZFS pool and dataset versions support SMB shares.
# zpool get version pool # zfs get version dataset
Support for SMB shares requires that ZFS pools be at least Version 9 and that ZFS datasets be at least Version 3.
(Optional) Upgrade your ZFS pools and datashares.
# zpool upgrade pool # zfs upgrade dataset
For more information, see the zpool(1M) and zfs(1M) man pages.
Map the shares in one of the following ways:
Run the zfs set share.smb=on command on any of the lower-level datasets instead of the pool.
Map the shares directly.
You will see errors if you attempt to run both the Samba service, svc:/network/samba:default, and the Oracle Solaris SMB service, svc:/network/smb/server:default simultaneously.
The Samba and Oracle Solaris SMB services are mutually exclusive because they both attempt to listen on the same ports. Only one service should be enabled at any time.
To disable either the Samba or Oracle Solaris SMB service, do one of the following:
Disable the Samba service. Use the svcadm disable svc:/network/samba command.
Disable the Oracle Solaris SMB service. Use the svcadm disable smb/server command.
SMB shares on a ZFS file system might be inaccessible to SMB clients if you reboot the Oracle Solaris SMB server.
Run the following command to reshare the ZFS shares:
# sharemgr start -P smb zfs
When you map a drive or browse computers in your workgroup, you might see invalid password errors. If you see these errors, check to see that the /var/smb/smbpasswd file includes information for the appropriate users.
Also, ensure that the pam_smb_passwd.so.1 entry is in the /etc/pam.d/other file and that you use the passwd command to set your password.
For more information, see How to Configure the SMB Server in Workgroup Mode.
Access control list (ACL) behavior differs between Windows systems and ZFS file systems on Oracle Solaris systems. You might experience Windows ACL inheritance problems because of the access control entry (ACE) ordering used by the default ZFS ACL.
The default ZFS ACL is designed to comply with POSIX, which results in the interleaving of allow and deny ACEs. Windows expects all deny ACEs to precede all allow ACEs.
You can override the default ZFS behavior by changing the ACL on the root directory to provide the equivalent of Everyone:FullControl as follows:
# chmod 777 /pool-name # chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/dataset
For information about the chmod options, see the chmod(1) man page.
You can verify the ACL by viewing it on Windows or by running the following command on an Oracle Solaris system:
# ls -V -d /pool/dataset
You can apply this ACL recursively to all subdirectories and files for existing file systems from Windows or from the Oracle Solaris OS.
If you apply the ACL when the file system is first created, the ACL will be propagated according to the normal inheritance rules.
If a directory has a default ZFS ACL, when a file or folder is created under this directory from Windows, it has two ACEs: one for the owner and one for SYSTEM. To change this behavior, update the root directory's ACL by running the chmod commands shown previously.
You might not see the security tab for a file or folder when using an XP client for the following reasons:
You do not have enough permissions to see the security settings of the file or folder
Simplified file sharing is enabled on your client
To disable simplified file sharing, go to Control Panel->Folder Options->View, and unselect Use Simple File Sharing (Recommended), and click Apply.
For more information about disabling simplified file sharing and setting permissions on a shared folder, see Microsoft knowledge base article 307874.
|