How to Configure the Solaris CIFS Service in Domain Mode (Solaris CIFS Administration Guide)

Skip to ContentSun and Oracle Channel Sun How to Buy Log In

Solaris CIFS Administration Guide

Contained Within

Find More Documentation

Featured Support Resources

Download this book in PDF (1120 KB)

How to Configure the Solaris CIFS Service in Domain Mode

After successfully joining an AD domain, you can enable the Solaris CIFS service to publish CIFS shares in the AD directory. To do so, create or update CIFS shares and specify the share container for each share that you want to publish. To create CIFS shares, see How to Create a CIFS Share (zfs) and How to Create a CIFS Share (sharemgr).

Before You Begin

If the Samba service is running on the Solaris system, you must disable it. See How to Disable the Samba Service.

If you change from workgroup mode to domain mode, or from domain mode to workgroup mode, you must restart the Solaris CIFS service. To restart the service, run the svcadm restart smb/server command.

The Active Directory (AD) service is a Windows 2000 namespace that is integrated with the Domain Name Service (DNS). AD runs only on domain controllers. In addition to storing and making data available, AD protects network objects from unauthorized access and replicates objects across a network so that data is not lost if one domain controller fails.

For the Solaris CIFS service to integrate seamlessly into a Windows AD environment, the following must exist on the network:

A Windows AD domain controller
An optional Active Directory DNS server that permits dynamic updates to use the dynamic DNS (DDNS) capability

The AD and DDNS clients rely on the Kerberos protocol to acquire the Kerberos ticket-granting ticket (TGT) for the specified AD domain. The system must be configured to use DNS for host lookup.

In order to participate in an AD domain, the system must be configured to use DNS for host lookup. Ensure that the /etc/nsswitch.conf and /etc/resolv.conf files are configured correctly for the appropriate AD domain.

In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in uppercase characters, as the default realm. Also, specify the fully qualified host name of the domain controller as the value for the kdc, admin_server, and kpasswd_server parameters.

The following example /etc/krb5/krb5.conf file is for an AD domain called EXAMPLE.COM, and the AD domain controller system is called dc.example.com. The fully qualified names are used for the domain and the domain controller.

[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
       kdc = dc.example.com
       admin_server = dc.example.com
       kpasswd_server = dc.example.com
       kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

For descriptions of the sections and parameters used in this sample file, see the krb5.conf(4) man page and Configuring Kerberos Clients (Task Map) in System Administration Guide: Security Services.

Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

Enable the Solaris CIFS service.
# svcadm enable -r smb/server
When you specify the -r option, all services on which smb/server depends are started if they are not already running.

To successfully complete the join process, ensure that the system clock on the Solaris system is within five minutes of the system clock of the domain controller (DC).

You can accomplish this task in one of these ways:
- Manually adjust the system clock on either the Solaris system or the DC to match the other.
- Configure both the Solaris system and the DC to use the same time source (NTP server).
- Synchronize the system clock on the Solaris system with the system clock of the DC by running the following command on the Solaris system:
  # ntpdate DC-hostname
  For example, to synchronize with the DC called dc.westsales.example.com, type:
  # ntpdate dc.westsales.example.com

Join the Windows domain.
# smbadm join -u username domain-name
where username is the domain administrator or a user with Domain Administrator privileges, and domain-name is a fully qualified NetBIOS or DNS domain name.

Example 3–1 Configuring the Solaris CIFS Service in Domain Mode

This example shows the steps taken to configure the Solaris CIFS service in domain mode. User dana has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.

# svcadm enable -r smb/server
# smbadm join -u dana westsales.example.com
Enter domain password:
Joining 'westsales.example.com' ... this may take a minute ...
Successfully joined domain 'westsales.example.com'

News Center
About Sun
Contact Sun
Terms of Use
Privacy