Friday, September 13, 2013

Setup Samba in a zone with Oracle Solaris 11.1 and join a Windows Active Directory Server (ADS)

I have been running Samba in a Solaris 11 zone for a while now and I thought I would finally write the instructions up. First, why am I using Samba and not the CIFS server which now comes with Solaris? One reason: the CIFS server does not work in a zone and Samba does. I have our NFS file server in a zone, so I need SMB access to those files.

Before we can start you need to change the "Maximum number of supplementary groups (groups that a user can be in, in addition to the primary group)".
I have just spotted that this has changed, or is at least documented, in Solaris 11.1, but it is still required in /etc/system. Ref: http://docs.oracle.com/cd/E26502_01/html/E29022/chapter2-4.html#gjmtw & http://www.c0t0d0s0.org/archives/7634-Less-known-Solaris-11.1-features-A-user-in-1024-groups-and-a-workaround-for-a-25-year-old-problem.html

# echo "set ngroups_max=512" >> /etc/system 

Reboot the server.

Samba Solaris zone details:
DNS domain: dcs.bbk.ac.uk
Windows DOMAIN name = MYDOMAIN
Active Directory Domain Controllers = ads1.dcs.bbk.ac.uk & ads2.dcs.bbk.ac.uk
# pkg install samba 
# svcs samba swat wins winbind 
STATE       STIME  FMRI 
disabled    Sep_04  svc:/network/wins:default 
disabled    Sep_04  svc:/network/swat:default 
disabled    Sep_04  svc:/network/samba:default 
disabled    Sep_04  svc:/network/winbind:default 

Check that you can resolve hosts:
# cat /etc/resolv.conf 
domain dcs.bbk.ac.uk 
search dcs.bbk.ac.uk 
nameserver 194.10.2.1 
nameserver 194.10.2.2 

# egrep "hosts|ipnode" /etc/nsswitch.conf 
hosts: files [SUCCESS=return] dns 
ipnodes: files [SUCCESS=return] dns 
Create the Samba configuration file. There is an example installed at /etc/samba/smb.conf-example which you can have a look at.
Here is the one I use; please replace:

Windows DOMAIN name = MYDOMAIN 
Windows REALM/DNS name = DCS.BBK.AC.UK

# cat /etc/samba/smb.conf
[global]
    workgroup = MYDOMAIN
    realm = DCS.BBK.AC.UK
    server string = Samba Server
    security = ADS
    log level = 2
    log file = /var/samba/log/log.%m
    max log size = 50
    unix extensions = No
    client signing = Yes
    local master = No
    domain master = No
    dns proxy = No
    winbind enum users = Yes
    winbind enum groups = Yes
    # So we remove the "MYDOMAIN\" part from MYDOMAIN\userid
    winbind trusted domains only = Yes
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 100-999999
    idmap config MYDOMAIN : schema_mode = rfc2307
    winbind nss info = rfc2307
    inherit permissions = Yes
    map acl inherit = Yes
    # We do not run NETBIOS
    disable netbios = Yes   
    # Printers
    load printers = no

# Set up our ZFS shares so that ACL work correctly from Windows
[homes]
    comment = Home Directories
    read only = No
    inherit acls = Yes
    map archive = No
    map readonly = no
    vfs objects = zfsacl
    zfsacl:acesort = dontcare
    nfs4:chown = yes
    nfs4:acedup = merge
    nfs4:mode = special

Alter the name-service switch (which generates /etc/nsswitch.conf on Solaris 11) so that Solaris can look up user details through winbind:
# svccfg -s name-service/switch 
svc:/.../switch> setprop config/password = "files ldap [SUCCESS=return] winbind" 
svc:/.../switch> setprop config/group = "files ldap [SUCCESS=return] winbind" 
svc:/.../switch> select system/name-service/switch:default 
svc:/.../switch:default> refresh 
svc:/.../switch:default> validate 
svc:/.../switch:default> exit 

# svcadm refresh svc:/system/name-service/switch:default 
# egrep "passwd|group" /etc/nsswitch.conf 
passwd: files ldap [SUCCESS=return] winbind 
group: files ldap [SUCCESS=return] winbind 
Time to set up Kerberos. Edit /etc/krb5/krb5.conf and add your domain information:
[libdefaults]
default_realm = DCS.BBK.AC.UK 
dns_lookup_kdc = true 
verify_ap_req_nofail = false 

[realms]
        DCS.BBK.AC.UK = {
                kdc = ads1.dcs.bbk.ac.uk
                kdc = ads2.dcs.bbk.ac.uk
                admin_server = ads1.dcs.bbk.ac.uk
                default_domain = dcs.bbk.ac.uk
        }

[domain_realm] 
        .dcs.bbk.ac.uk = DCS.BBK.AC.UK 
        dcs.bbk.ac.uk = DCS.BBK.AC.UK 
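The three files above have to agree with each other: the realm in smb.conf must be the Kerberos default_realm, the idmap ranges must not overlap (otherwise two different SIDs can be handed the same Unix ID), and the name-service switch must actually consult winbind. The following checker is an added example, not code from the original post. It embeds the smb.conf, krb5.conf and nsswitch fragments from this write-up as constructed samples; the function names and message wording are this example's own.

```python
"""Consistency checks for a Samba AD-member setup (added example, not code
from the original post).  It reads the smb.conf, krb5.conf and nsswitch.conf
fragments shown above (embedded below as constructed samples) and reports
the mistakes that most often break the join or hand two SIDs the same UID.
Function names and message wording are this example's own."""
import configparser
import re

SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    realm = DCS.BBK.AC.UK
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 1000000-1999999
    idmap config MYDOMAIN : backend = ad
    idmap config MYDOMAIN : range = 100-999999
"""
KRB5_CONF = """\
[libdefaults]
default_realm = DCS.BBK.AC.UK
dns_lookup_kdc = true
[realms]
DCS.BBK.AC.UK = {
    kdc = ads1.dcs.bbk.ac.uk
    kdc = ads2.dcs.bbk.ac.uk
}
[domain_realm]
.dcs.bbk.ac.uk = DCS.BBK.AC.UK
dcs.bbk.ac.uk = DCS.BBK.AC.UK
"""
NSSWITCH = "passwd: files ldap [SUCCESS=return] winbind\ngroup: files ldap [SUCCESS=return] winbind\n"

def parse_smb(text):
    """smb.conf is INI-like; normalise keys so that 'idmap config * :backend'
    and 'idmap config * : backend' compare equal, as they do for Samba."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = lambda k: re.sub(r"\s*:\s*", ":", " ".join(k.split())).lower()
    cp.read_string(text)
    return cp["global"]

def parse_krb5(text):
    """Minimal krb5.conf reader: top-level key/value pairs per section, plus
    the kdc list of every realm that has a block under [realms]."""
    sections, kdcs, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            sections.setdefault(section, {})
        elif line == "}":
            realm = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":          # start of a 'REALM = { ... }' block
                realm = key
                kdcs.setdefault(realm, [])
            elif realm is None:
                sections[section][key] = value
            elif key == "kdc":
                kdcs[realm].append(value)
    return sections, kdcs

def check_all(smb_text, krb5_text, nss_text):
    """Run every check; an empty list means the three files agree."""
    smb, (krb, kdcs), out = parse_smb(smb_text), parse_krb5(krb5_text), []
    libdefaults, realm = krb.get("libdefaults", {}), smb.get("realm", "")
    if smb.get("security", "").lower() != "ads":
        out.append("security must be ADS for a Kerberos domain member")
    if realm != libdefaults.get("default_realm"):
        out.append(f"realm {realm!r} differs from krb5 default_realm")
    if not kdcs.get(realm) and libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        out.append(f"no kdc listed for {realm} and dns_lookup_kdc is off")
    for dom, mapped in krb.get("domain_realm", {}).items():
        if mapped != realm:
            out.append(f"domain_realm maps {dom} to {mapped}, not {realm}")
    # idmap: every range needs a backend, and ranges must not overlap,
    # otherwise two different SIDs can end up owning the same Unix ID.
    ranges = {}
    for key, value in smb.items():
        m = re.fullmatch(r"idmap config (\S+):range", key)
        if m:
            ranges[m.group(1)] = tuple(int(x) for x in value.split("-"))
            if smb.get(f"idmap config {m.group(1)}:backend") is None:
                out.append(f"idmap range for {m.group(1)} has no backend")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                out.append(f"idmap ranges for {a} and {b} overlap")
    for db in ("passwd", "group"):
        m = re.search(rf"^{db}:(.*)$", nss_text, re.M)
        if not m or "winbind" not in m.group(1).split():
            out.append(f"nsswitch {db} does not consult winbind")
    return out
```

Run against the configuration in this post, check_all returns an empty list; move the MYDOMAIN range so that it reaches into the 1000000-1999999 block reserved for the tdb backend and it reports the overlap, which is exactly the mistake that lets a BUILTIN or trusted-domain SID collide with a real user's UID.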
In our set up I am not going to use the /etc/krb5/krb5.keytab file; this seems to work. To be honest I am not sure what the krb5.keytab section does except add that extra layer of security (I will look into it some day). Check that Kerberos can connect to the AD:
# kinit -V Administrator@DCS.BBK.AC.UK 
Password for Administrator@DCS.BBK.AC.UK: 
Authenticated to Kerberos v5 

Now, if all is well, test the configuration and join the domain.
# /usr/bin/testparm 
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[homes]" 
Loaded services file OK. 
Server role: ROLE_DOMAIN_MEMBER 
Press enter to see a dump of your service definitions 
[global] 
.... 

# net join -w MYDOMAIN -U Administrator -S ads1.dcs.bbk.ac.uk 
Enter Administrator's password: 
Using short domain name -- MYDOMAIN 
Joined 'MYHOST' to dns domain 'dcs.bbk.ac.uk' 

# svcadm enable winbind samba 
# svcs samba swat wins winbind 
STATE      STIME     FMRI 
disabled   Sep_04    svc:/network/wins:default 
disabled   Sep_04    svc:/network/swat:default 
online     12:43:08  svc:/network/samba:default 
online     12:43:10  svc:/network/winbind:default 
Test whether it has all worked:
# wbinfo -n andrew 
S-1-5-21-1984182827-583073959-8547516-2056 SID_USER (1) 
# wbinfo -s S-1-5-21-1954182827-583074959-8547516-3056 
DCSNT\andrew 1 
# wbinfo -S S-1-5-21-1954182827-583074959-8547516-3056 
907
Check that you can see all the AD groups and users:
# wbinfo -g 
# getent group 
# getent passwd 
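The three wbinfo answers above can be cross-checked mechanically: the SID should be well formed and sit under the joined domain's SID (not BUILTIN or a trusted domain), and the UID that winbind hands back should fall inside the idmap config MYDOMAIN range, which means it came from the account's rfc2307 uidNumber in AD rather than from the tdb allocator behind idmap config *. The following is an added example, not code from the original post; the domain SID and the sample wbinfo lines are constructed, and the range constants are copied from the smb.conf above.

```python
"""Post-join checks on wbinfo output (added example, not part of the
original post).  Given the three answers wbinfo gives for one account, it
confirms that the SID is well formed and belongs to the joined domain rather
than to BUILTIN or a trusted domain, and that the UID winbind returned lies
in the 'idmap config MYDOMAIN' range, i.e. it came from AD's rfc2307
uidNumber and not from the tdb allocator behind 'idmap config *'.  The
domain SID and the sample wbinfo lines are constructed for this example."""
import re

# Ranges copied from the smb.conf shown above.
IDMAP_RANGES = {"MYDOMAIN": (100, 999999), "*": (1000000, 1999999)}
# Constructed: what `net getdomainsid` would print for the joined domain.
DOMAIN_SID = "S-1-5-21-1954182827-583074959-8547516"

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

def parse_sid(sid):
    """Split a textual SID into (identifier authority, [sub-authorities])."""
    if not SID_RE.match(sid):
        raise ValueError(f"not a SID: {sid!r}")
    parts = [int(p) for p in sid.split("-")[2:]]
    return parts[0], parts[1:]

def sid_domain_and_rid(sid):
    """Return (domain SID, RID).  Account SIDs under the NT authority look like
    S-1-5-21-<three values>-<RID>; everything but the last sub-authority
    identifies the domain."""
    authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) < 2:
        raise ValueError(f"not an NT-authority account SID: {sid!r}")
    return "S-1-5-" + "-".join(str(s) for s in subs[:-1]), subs[-1]

def range_for_uid(uid, ranges=IDMAP_RANGES):
    """Name of the idmap range the UID falls into, or None if unmapped."""
    for dom, (low, high) in ranges.items():
        if low <= uid <= high:
            return dom
    return None

def check_user(n_line, s_line, uid_line, domain_sid=DOMAIN_SID):
    """Cross-check 'wbinfo -n', 'wbinfo -s' and 'wbinfo -S' output for one
    account.  Returns a list of findings; empty means the mapping is healthy."""
    findings = []
    sid, kind, _ = n_line.split()            # "S-1-5-21-... SID_USER (1)"
    if kind != "SID_USER":
        findings.append(f"name resolves to {kind}, not to a user")
    domain, rid = sid_domain_and_rid(sid)
    if domain != domain_sid:
        findings.append(f"SID is in {domain}, not the joined domain {domain_sid}")
    if rid < 1000:
        findings.append(f"RID {rid} is a well-known account (Administrator is 500)")
    stype = int(s_line.split()[-1])          # "MYDOMAIN\andrew 1": type 1 = user
    if kind == "SID_USER" and stype != 1:
        findings.append(f"wbinfo -s reports type {stype} for a SID_USER")
    uid = int(uid_line.strip())              # wbinfo -S prints just the UID
    where = range_for_uid(uid)
    if where is None:
        findings.append(f"uid {uid} lies outside every configured idmap range")
    elif where == "*":
        findings.append(f"uid {uid} came from the '*' tdb allocator, not from AD")
    return findings

if __name__ == "__main__":
    # Constructed sample modelled on the wbinfo session above.
    result = check_user("S-1-5-21-1954182827-583074959-8547516-3056 SID_USER (1)",
                        "MYDOMAIN\\andrew 1", "907")
    print(result or ["mapping looks healthy"])
```

A UID in the tdb range for a user who should be mapped from AD usually means the account has no uidNumber, or the idmap config MYDOMAIN stanza is not matching the domain name winbind actually sees; in either case winbind has silently fallen back to a locally allocated ID that will differ from server to server.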

That is it. You have samba running on your system.
