Configuring the Solaris CIFS Service Operation Mode (Task Map)
The following table points to the tasks that you can use to
configure the operation mode of the Solaris CIFS server.
How to Configure the Solaris CIFS Service in Domain Mode
After successfully joining an AD domain, you can enable the Solaris CIFS
service to publish CIFS shares in the AD directory. To do so,
create or update CIFS shares and specify the share container for each
share that you want to publish. To create CIFS shares, see How to Create a CIFS Share (zfs)
and How to Create a CIFS Share (sharemgr).
Before You Begin
If the Samba service is running on the Solaris system, you must
disable it. See How to Disable the Samba Service.
If you change from workgroup mode to domain mode, or from domain
mode to workgroup mode, you must restart the Solaris CIFS service. To
restart the service, run the svcadm restart smb/server command.
The Active Directory (AD) service is a Windows 2000 namespace that is integrated with
the Domain Name Service (DNS). AD runs only on domain controllers. In
addition to storing and making data available, AD protects network objects from
unauthorized access and replicates objects across a network so that data is
not lost if one domain controller fails.
For the Solaris CIFS service to integrate seamlessly into a Windows AD
environment, the following must exist on the network:
The AD and DDNS clients rely on the Kerberos protocol to acquire
the Kerberos ticket-granting ticket (TGT) for the specified AD domain. To
participate in an AD domain, the system must be configured to use DNS for
host lookup: ensure that the /etc/nsswitch.conf and /etc/resolv.conf files
are configured correctly for the appropriate AD domain.
In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in
uppercase characters, as the default realm. Also, specify the fully qualified host
name of the domain controller as the value for the kdc, admin_server,
and kpasswd_server parameters.
The following example /etc/krb5/krb5.conf file is for an AD domain called EXAMPLE.COM,
and the AD domain controller system is called dc.example.com. The fully qualified
names are used for the domain and the domain controller.
[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = dc.example.com
admin_server = dc.example.com
kpasswd_server = dc.example.com
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.example.com = EXAMPLE.COM
For descriptions of the sections and parameters used in this sample file,
see the krb5.conf(4) man page and Configuring Kerberos Clients (Task Map) in System Administration Guide: Security Services.
- Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC
authorizations, or use the “SMB Management” RBAC profile, which is part of
the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see
Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Enable the Solaris CIFS service.
# svcadm enable -r smb/server
When you specify the -r option, all services on which smb/server depends
are started if they are not already running.
- To successfully complete the join process, ensure that the system clock on
the Solaris system is within five minutes of the system clock of
the domain controller (DC).
You can accomplish this task in one of these ways:
- Manually adjust the system clock on either the Solaris system or the
DC to match the other.
- Configure both the Solaris system and the DC to use the same
time source (NTP server).
- Synchronize the system clock on the Solaris system with the system clock
of the DC by running the following command on the Solaris system:
# ntpdate DC-hostname
For example, to synchronize with the DC called dc.westsales.example.com, type:
# ntpdate dc.westsales.example.com
- Join the Windows domain.
# smbadm join -u username domain-name
where username is the domain administrator or a user with Domain Administrator
privileges, and domain-name is a fully qualified domain name.
Example 3-1 Configuring the Solaris CIFS Service in Domain Mode
This example shows the steps taken to configure the Solaris CIFS service
in domain mode. User dana has Domain Administrator privileges. The name of
the domain being joined is westsales.example.com.
# svcadm enable -r smb/server
# smbadm join -u dana westsales.example.com
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'
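Two of the prerequisites above, the uppercase default realm with kdc, admin_server and kpasswd_server set in /etc/krb5/krb5.conf and the five-minute clock-skew limit, can be checked before running smbadm join. The following script is an added example and not part of the Solaris documentation; the krb5.conf text it parses is a constructed copy of the page's EXAMPLE.COM sample, and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): offline checks for two
# domain-join prerequisites: the krb5.conf realm/KDC settings and the
# five-minute clock-skew limit. Parses a krb5.conf-style file passed as an
# argument and compares two epoch timestamps; no network access is needed.

# Constructed sample, identical in content to the page's EXAMPLE.COM file.
KRB5_SAMPLE='[libdefaults]
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
kdc = dc.example.com
admin_server = dc.example.com
kpasswd_server = dc.example.com
kpasswd_protocol = SET_CHANGE
}
[domain_realm]
.example.com = EXAMPLE.COM'

# krb5_get FILE KEY: print the value of the first "KEY = value" line, if any.
krb5_get() {
    awk -v k="$2" -F'=' '$1 ~ ("^[ \t]*" k "[ \t]*$") {
        sub(/^[ \t]*/, "", $2); sub(/[ \t]*$/, "", $2); print $2; exit }' "$1"
}

# check_krb5_conf FILE: 0 if default_realm is set in uppercase and the
# kdc, admin_server and kpasswd_server parameters are all present.
check_krb5_conf() {
    realm=$(krb5_get "$1" default_realm)
    [ -n "$realm" ] || { echo "default_realm not set" >&2; return 1; }
    [ "$realm" = "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ] ||
        { echo "default_realm '$realm' must be uppercase" >&2; return 1; }
    for key in kdc admin_server kpasswd_server; do
        [ -n "$(krb5_get "$1" "$key")" ] || { echo "$key not set" >&2; return 1; }
    done
}

# check_clock_skew LOCAL_EPOCH DC_EPOCH: 0 if the two clocks differ by at
# most 300 seconds, the limit the join process tolerates.
check_clock_skew() {
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# Stand-alone run against the constructed sample and the local clock.
tmpf=$(mktemp) && printf '%s\n' "$KRB5_SAMPLE" > "$tmpf"
check_krb5_conf "$tmpf" && echo "krb5.conf checks: OK"
rm -f "$tmpf"
check_clock_skew "$(date +%s)" "$(date +%s)" && echo "clock skew: OK"
```

On a real system, pass /etc/krb5/krb5.conf to check_krb5_conf and the DC's epoch time (obtained out of band) to check_clock_skew before running smbadm join.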
How to Configure the Solaris CIFS Service in Workgroup Mode
After you join a workgroup, you can access CIFS shares. To create
CIFS shares, see How to Create a CIFS Share (zfs) and How to Create a CIFS Share (sharemgr).
If you change from workgroup mode to domain mode, or from domain
mode to workgroup mode, you must restart the Solaris CIFS service. To
restart the service, run the svcadm restart smb/server command.
Before You Begin
If the Samba service is running on the Solaris system, you must
disable it. See How to Disable the Samba Service.
- Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC
authorizations, or use the “SMB Management” RBAC profile, which is part of
the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see
Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Enable the Solaris CIFS service.
# svcadm enable -r smb/server
This command enables the Solaris CIFS service and any service on which
it depends, such as the idmap service.
- (Optional) Change the Solaris CIFS service to operate in a different workgroup.
By default, the Solaris CIFS service operates in a workgroup called WORKGROUP.
# smbadm join -w workgroup-name
- Edit the /etc/pam.conf file to support creation of an encrypted version of
the user's password for CIFS.
Add the following line to the end of the file:
other password required pam_smb_passwd.so.1 nowarn
See the pam_smb_passwd(5) man page.
- Specify the password for existing local users.
The Solaris CIFS service cannot use the Solaris encrypted version of the
local user's password for authentication. Therefore, you must generate an encrypted version
of the local user's password for the Solaris CIFS service to use.
When the SMB PAM module is installed, the passwd command generates such
an encrypted version of the password.
# passwd username
Example 3-2 Configuring the Solaris CIFS Service in Workgroup Mode
This example shows how to configure the Solaris CIFS service in workgroup
mode. The name of the workgroup being joined is myworkgroup.
# svcadm enable -r smb/server
# smbadm join -w myworkgroup
Then, use the sharesmb property to configure CIFS sharing for an existing
ZFS dataset called ztank/myfs.
# zfs set sharesmb=on ztank/myfs
Finally, install the PAM module and generate the password for user cal.
# passwd cal
Now, you are ready to have CIFS clients access the CIFS shares
on your Solaris CIFS service.
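Steps 4 and 5 of the workgroup procedure depend on the pam_smb_passwd entry actually being active in the "other password" stack; if it is missing or commented out, passwd does not produce the CIFS password hash and local users cannot authenticate to the shares. The following script is an added example and not part of the Solaris documentation: it parses a constructed pam.conf fragment (not the live /etc/pam.conf), reports whether the entry is present, and appends it idempotently; the function names are its own.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): verify and, if absent,
# append the pam_smb_passwd entry that workgroup mode needs in pam.conf.
# Works on a file passed as an argument, here a constructed sample.

# Constructed pam.conf fragment: a password stack without the SMB module,
# i.e. the state before step 4 of the workgroup procedure.
PAM_SAMPLE='# PAM configuration (constructed sample)
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1'

# The line the page says to add to the end of /etc/pam.conf.
SMB_PAM_LINE='other password required pam_smb_passwd.so.1 nowarn'

# pam_has_smb_passwd FILE: 0 if an uncommented entry for service "other",
# type "password", loads pam_smb_passwd.so.1 (fields: service type control module).
pam_has_smb_passwd() {
    awk '
        /^[ \t]*#/ || NF < 4 { next }
        $1 == "other" && $2 == "password" && $4 == "pam_smb_passwd.so.1" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# pam_add_smb_passwd FILE: append the entry at the end of FILE unless it is
# already active; 0 on success or no-op, 1 if FILE is not writable.
pam_add_smb_passwd() {
    pam_has_smb_passwd "$1" && return 0
    [ -w "$1" ] || return 1
    printf '%s\n' "$SMB_PAM_LINE" >> "$1"
}

# Stand-alone run on the constructed sample; the second add is a no-op.
tmpf=$(mktemp) && printf '%s\n' "$PAM_SAMPLE" > "$tmpf"
pam_has_smb_passwd "$tmpf" || echo "pam_smb_passwd.so.1 not active; adding it"
pam_add_smb_passwd "$tmpf" && pam_add_smb_passwd "$tmpf"
pam_has_smb_passwd "$tmpf" && echo "pam.conf: pam_smb_passwd.so.1 active"
rm -f "$tmpf"
```

After the entry is in place, run passwd for each local CIFS user so the SMB password hash is generated.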