Registering a SAMBA Solaris 10 server as a MS AD member
The following is documentation that can be useful for those who want to access their Unix data from a Windows workstation (why don't you use Linux/Mac OS workstations?).
Let's start with this:
- The ADS domain name is the same as the DNS name: nulldom.com
- The ADS Kerberos realm is the same as the DNS domain name (written in capitals): NULLDOM.COM
In the following step-by-step the server that will join the domain is named sol10svr.nulldom.com, and is installed with Solaris 10u8 (running on x86).
1/ DNS
As the DNS is one of the most important infrastructure services on which ADS relies, the name server settings on the server are very important.
Check the /etc/nsswitch.conf file, and make sure that it contains the following entries:
[...]
hosts: files dns
ipnodes: files dns
[...]
Edit the /etc/resolv.conf file and make sure that the primary nameserver is the AD server itself (actually, the same nameserver as the one used by the AD server):
root@sol10svr:/# cat /etc/resolv.conf
nameserver ip.of.addns.svr
domain nulldom.com
search nulldom.com
options ndots:10
The /etc/hosts file will contain the following:
root@sol10svr:/# cat /etc/hosts
#
# Internet host table
#
::1 localhost
127.0.0.1 localhost
ip.fr.smb.svr sol10svr.nulldom.com sol10svr loghost
At this point, the dns/client service can (must? ;-)) be restarted:
root@sol10svr:/# svcadm disable dns/client
root@sol10svr:/# svcadm enable dns/client
2/ Kerberos
Kerberos is essential when it comes to AD authentication.
Therefore, the /etc/krb5/krb5.conf file must be configured to match the AD domain.
root@sol10svr:/# cat /etc/krb5/krb5.conf
#
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)krb5.conf 1.4 07/11/14 SMI"
#
[libdefaults]
default_realm = NULLDOM.COM
[realms]
NULLDOM.COM = {
kdc = ads01.nulldom.com
kdc = ads02.nulldom.com
admin_server = ads01.nulldom.com
}
[domain_realm]
nulldom.com = NULLDOM.COM
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
gkadmin = {
help_url = http://docs.sun.com:80/ab2/coll.384.1/SEAM/@AB2PageView/1195
}
3/ Windows Active Directory configuration
AD must be prepared to allow the Solaris 10 server to join the domain.
- First, a user account must be created (using the Active Directory Users and Computers snap-in). This user account must have the same name (Full Name, user name, login name) as the server hostname (short hostname, not FQDN). It is always a good idea for this kind of user to check the "Password Never Expires" option.
- Then create an A-record in the MS DNS (using the dnsmgmt MMC snap-in) for the SAMBA server - in our case, sol10svr.nulldom.com with the IP address ip.of.smb.svr.
The next step is to create an authentication key to be used for Kerberos communications between the ADS server and the SAMBA server.
At this stage, it is always a good idea to have something else to do and/or wait for a couple of hours for what just has been done in AD to be synced over the whole ADS domain.
On the ADS server, run the following from the command line:
ktpass -princ HOST/sol10svr@NULLDOM.COM -mapuser sol10svr@NULLDOM.com -pass TheUnknownP@sswd -out sol10svr.keytab
Oops, I've forgotten to mention that ktpass is available from the Windows Support Tools (not installed by default).
The resulting file (sol10svr.keytab) must then be copied over to the SAMBA server (in /etc/krb5 for instance).
4/ Joining the domain
It is now time to join the SAMBA server to the domain.
Now that a Kerberos key has been created, it will be installed on the server:
root@sol10svr:/# ktutil
ktutil: rkt /etc/krb5/sol10svr.keytab
ktutil: list
ktutil: wkt /etc/krb5/krb5.keytab
ktutil: (CTRL-D)
This will read the keys from the sol10svr.keytab file, then list the read keys and finally write the keys to the /etc/krb5/krb5.keytab file. (CTRL-D) is used to exit the ktutil tool.
- For security reasons it is a good idea to delete the sol10svr.keytab file and make sure that only root has access to /etc/krb5/krb5.conf.
- Make sure that date and time are in sync on the SAMBA server and the ADS server (use ntpdate).
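An added check script, not part of the original post, for the hygiene items above: it verifies that the keytab ktutil just wrote is owned by root with mode 0600 and that the temporary sol10svr.keytab has been deleted (the file paths are the ones used in this post; the function names are mine).

```shell
#!/bin/sh
# Added example (not from the original post): keytab hygiene check for the
# ktutil step. Confirms that the merged /etc/krb5/krb5.keytab is private to
# root (mode 0600) and that the sol10svr.keytab copy from the AD server is
# gone, since anyone who can read either file holds the host's Kerberos key.
# Plain POSIX shell using only ls and test.

# keytab_is_private FILE [OWNER]
# 0 when FILE is a regular file with mode -rw------- owned by OWNER (default root).
keytab_is_private() {
    _file=$1
    _owner=${2:-root}
    [ -f "$_file" ] || return 1
    set -- $(ls -ld "$_file")       # fields: mode links owner group ...
    case $1 in
        -rw-------*) ;;             # trailing '+' (ACL) or '.' is tolerated
        *) return 1 ;;
    esac
    [ "$3" = "$_owner" ]
}

# tmp_keytab_removed FILE: 0 when the temporary keytab no longer exists.
tmp_keytab_removed() {
    [ ! -e "$1" ]
}

# keytab_hygiene KRB5_KEYTAB TMP_KEYTAB [OWNER]
# Runs both checks, prints one line per check, returns 1 if either fails.
keytab_hygiene() {
    _rc=0
    if keytab_is_private "$1" "$3"; then
        echo "OK   $1 is owned by ${3:-root} with mode 0600"
    else
        echo "FAIL $1 must be owned by ${3:-root} with mode 0600: chown ${3:-root} $1; chmod 600 $1"
        _rc=1
    fi
    if tmp_keytab_removed "$2"; then
        echo "OK   temporary keytab $2 has been removed"
    else
        echo "FAIL temporary keytab $2 is still present: rm $2"
        _rc=1
    fi
    return $_rc
}

# On the SAMBA server, with the paths used in this post:
#   . ./keytab_hygiene.sh; keytab_hygiene /etc/krb5/krb5.keytab /etc/krb5/sol10svr.keytab
```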
Kerberos services are then initialized (remember the password you’ve set for the sol10svr ADS user):
root@sol10svr:/# kinit sol10svr@NULLDOM.COM
The Kerberos utilities help testing the Kerberos configuration:
root@sol10svr:/# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sol10svr@NULLDOM.COM
Valid starting     Expires            Service principal
12/07/09 14:52:48  12/08/09 00:52:52  krbtgt/NULLDOM.COM@NULLDOM.COM
        renew until 12/14/09 14:52:48
5/ Configuring samba
At this stage of the configuration, the Unix server is known as a member of the ADS domain.
SAMBA and Winbind now need to be set up to fully integrate with the ADS domain and allow ADS domain users access to the server.
First, check that the SAMBA and Winbind services are disabled:
root@sol10svr:/# svcs samba swat wins winbind
STATE          STIME    FMRI
disabled       14:18:57 svc:/network/swat:default
disabled       16:14:56 svc:/network/winbind:default
disabled       16:22:10 svc:/network/wins:default
disabled       16:22:11 svc:/network/samba:default
and make sure that the SAMBA installation is fresh and clean, by removing any stuff in the /etc/sfw/private/, /var/samba/locks/ and /var/samba/logs/ directories. Then, fill in the /etc/sfw/smb.conf file to match your needs. On sol10svr.nulldom.com, the configuration file is:
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name, eg: MIDEARTH
workgroup = NULLDOM
# server string is the equivalent of the NT Description field
server string = Users data (tech) samba server
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the Samba-HOWTO-Collection for details.
security = ads
# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
load printers = no
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 50
# Use password server option only with security = server
# The argument list may include:
# password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
# password server = *
password server = ads01.nulldom.com ads02.nulldom.com
encrypt passwords = yes
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
realm = NULLDOM.COM
# winbind configuration:
winbind separator = +
winbind enum users = yes
template homedir = /tech/%U
template shell = /bin/bash
idmap domains = NULLDOM
idmap config NULLDOM:default = yes
idmap config NULLDOM:backend = tdb
idmap config NULLDOM:range = 10000-20000
idmap alloc backend = tdb
idmap alloc config:range = 10000-20000
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/samba/log/log.%m
;log level = 1 printdrivers: 0 lanman: 0 smb: 1 rpc_parse: 0 rpc_srv: 0 rpc_cli: 0 passdb: 1 sam: 0 auth: 7 winbind: 2 vfs: 0 idmap: 0 quota: 0 acls: 0 locking: 0 msdfs: 0 dmapi: 0
log level = 10
# Put a capping on the size of the log files (in Kb).
max log size = 1024
# Most people will find that this option gives better performance.
# See the chapter 'Samba performance issues' in the Samba HOWTO Collection
# and the manual pages for details.
; socket options = TCP_NODELAY
use kerberos keytab = true
#============================ Share Definitions ==============================
[homes]
comment = Your tech directory
browseable = no
writable = yes
create mode = 0666
directory mode = 0777
vfs objects = zfsacl
nt acl support = true
force user = %U
read only = no
- Copy the /etc/pam.conf-winbind file to /etc/pam.conf.
- Add winbind to the passwd and group lines in /etc/nsswitch.conf:
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap winbind
group: files ldap winbind
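Before running net ads join, the following added script (not from the original post) cross-checks the files edited so far: the realm in resolv.conf, krb5.conf and smb.conf, security = ads, winbind on the passwd and group lines of nsswitch.conf, and whether any local account in /etc/passwd already has a uid inside the idmap range (10000-20000 here), which would make a domain user and a local user share a uid. The function names and the AWK variable are my own; the file paths and values are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-join consistency check over the
# files edited in sections 1, 2 and 5. It verifies that resolv.conf, krb5.conf and
# smb.conf agree on the realm, that security = ads and winbind is in nsswitch.conf,
# and lists local accounts whose uid falls inside the winbind idmap range (a domain
# user could then be mapped onto a local account's uid).
# POSIX shell plus a modern awk: on Solaris 10 use /usr/bin/ksh and AWK=/usr/bin/nawk.
AWK=${AWK:-awk}

# smb_get SMB_CONF KEY: first uncommented value of KEY (case-insensitive).
smb_get() {
    $AWK -v key="$2" -F= '/^[ \t]*[;#]/ { next }
        NF >= 2 { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == tolower(key)) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit } }' "$1"
}

# dns_realm RESOLV_CONF: the "domain" entry upper-cased, i.e. the expected realm.
dns_realm() {
    $AWK '$1 == "domain" { print $2; exit }' "$1" | tr '[a-z]' '[A-Z]'
}

# krb5_realm KRB5_CONF: default_realm from [libdefaults].
krb5_realm() {
    $AWK -F= '/^[ \t]*default_realm/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# idmap_collisions SMB_CONF PASSWD_FILE WORKGROUP: prints "user:uid" for local accounts
# inside "idmap config WORKGROUP:range" (lo-hi); prints nothing when the range is clean.
idmap_collisions() {
    range=$(smb_get "$1" "idmap config $3:range")
    [ -n "$range" ] || { echo "no idmap range configured for $3"; return 1; }
    $AWK -F: -v lo="${range%-*}" -v hi="${range#*-}" '$3 >= lo && $3 <= hi { print $1 ":" $3 }' "$2"
}

# preflight RESOLV KRB5 SMB NSSWITCH PASSWD: one line per check, returns the failure count.
preflight() {
    fails=0; realm=$(smb_get "$3" realm); wg=$(smb_get "$3" workgroup)
    [ "$(dns_realm "$1")" = "$realm" ] && [ "$(krb5_realm "$2")" = "$realm" ] \
        && echo "OK   realm $realm agrees in resolv.conf, krb5.conf and smb.conf" \
        || { echo "FAIL realm mismatch: dns=$(dns_realm "$1") krb5=$(krb5_realm "$2") smb=$realm"; fails=$((fails+1)); }
    [ "$(smb_get "$3" security)" = "ads" ] && echo "OK   security = ads" \
        || { echo "FAIL security must be ads for an ADS domain member"; fails=$((fails+1)); }
    grep '^passwd:.*winbind' "$4" >/dev/null && grep '^group:.*winbind' "$4" >/dev/null \
        && echo "OK   passwd and group in nsswitch.conf use winbind" \
        || { echo "FAIL add winbind to the passwd: and group: lines of $4"; fails=$((fails+1)); }
    coll=$(idmap_collisions "$3" "$5" "$wg")
    [ -z "$coll" ] && echo "OK   no local uid inside the $wg idmap range" \
        || { echo "FAIL idmap range ($wg): $coll"; fails=$((fails+1)); }
    return $fails
}
```

On sol10svr it would be run as `preflight /etc/resolv.conf /etc/krb5/krb5.conf /etc/sfw/smb.conf /etc/nsswitch.conf /etc/passwd`, and a non-zero return means something to fix before joining.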
It is now time to actually join the SAMBA server to the domain:
root@sol10svr:/# /usr/sfw/bin/net ads join -U 'user_admin%useradminp@sswd'
root@sol10svr:/# /usr/sfw/bin/net ads keytab create -U 'user_admin%useradminp@sswd'
Start the winbind service:
root@sol10svr:/# svcadm enable winbind
You can check that the service is running and properly configured by using the following to list groups and users:
root@sol10svr:/# wbinfo -g
root@sol10svr:/# wbinfo -u
You can even check this using the getent utility:
root@sol10svr:/# getent passwd NULLDOM+yourusername
NULLDOM+yourusername:*:10057:10000:Your UserName:/tech/yourusername:/bin/bash
Then enable the samba services:
root@sol10svr:/# svcadm enable samba wins
6/ Conclusion
Tin-din! Here you are… able to browse the Unix file server content (at least what you’ve shared using SAMBA) from your favorite (hum-hum) Windows workstation…
1 comment
For those following along, in the following command, "pass" should be "ktpass" and "HOST" should be "sol10svr":
pass -princ HOST/sol10svr@NULLDOM.COM -mapuser sol10svr@NULLDOM.com -pass TheUnknownP@sswd -out sol10svr.keytab
Obviously, make the necessary changes per your configuration.