Victor,
Just a correction, Alan meant to advise you to set the
lmcompatibilitylevel on the Solaris CIFS server as opposed to the domain
controller.
According to the output from cifs-gendiag, the lmauth_level is set to
the default value (i.e. to use NTLMv2 authentication).
Please run the following command on your Solaris system such that NTLM
authentication will be used by our redirector instead:
sharectl set -p lmauth_level=2 smb
This is a known issue with Windows Server 2008 which by default
disallows NTLMv2 authentication if the client doesn't support extended
security.
Microsoft is working on a hot fix for this issue. Once it becomes
available, the above workaround will no longer be needed.
Regards,
Natalie
Alan.M.Wright wrote:
This is actually a Windows 2008 problem.
Set the lmcompatibilitylevel (in the registry) on the domain controller to
2.
Alan
----- Original Message -----
From: "Victor Hooi" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, September 23, 2008 1:22 PM
Subject: [cifs-discuss] OpenSolaris 2008.11 snv_96 - LOGON_FAILURE when
joining Windows 2008 Domain
This is Solaris 2008.11 pre-release, SNV_96.
Our domain controller is running Windows 2008, and named win2008-chimera
(192.168.1.5), our domain is rapport.local. The gateway is a little Asus
router/WAP (192.168.1.1).
I'm attempting to join a domain by following the instructions here:
http://blogs.sun.com/timthomas/entry/configuring_the_opensolaris_cifs_server
So far, I've edited the /etc/resolv.conf file
domain rapport.local
nameserver 192.168.1.5
nameserver 192.168.1.1
search rapport.local
I've also edited the /etc/krb5/krb5.conf file
[libdefaults]
        default_realm = RAPPORT.LOCAL
[realms]
        RAPPORT.LOCAL = {
                kdc = win2008-chimera.rapport.local
                admin_server = win2008-chimera.rapport.local
                kpasswd_protocol = SET_CHANGE
        }
[domain_realm]
        .rapport.local = RAPPORT.LOCAL
And synchronised the clocks
I installed the CIFS services, based on instructions here:
http://opensolaris.org/jive/thread.jspa?messageID=273775
Namely:
#pkg install SUNWsmbs
#pkg install SUNWsmbskr
#svccfg import /var/svc/manifest/network/smb/server.xml
#rem_drv smbsrv
#add_drv smbsrv
#svcadm enable -r smb/server
Then started the CIFS service.
svcadm enable -r smb/server
I read about a current limitation being that you have to disable SMB
signing.
http://technet.microsoft.com/en-us/library/cc731654.aspx
Hence, on the domain controller, I changed the following:
1. Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\Microsoft Network Server -
Digitally Sign Communications (always) -> Disable
2. Computer Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options\Domain member - Digital encrypt
or sign secure channel data (always) -> Disable
3. Computer Configuration\Policies\Administrative Templates\System\Net
Logon\Allow Cryptography Algorithms Compatible with Windows NT 4.0 ->
Enabled
I then ran gpupdate /force (and then rebooted, when I first got the
LOGIN_FAILURE errors).
However, when I attempt to run the command to join the domain:
smbadm join -u Administrator rapport.local
Enter domain password:
Joining 'rapport.local' ... this may take a minute ...
failed to join domain 'rapport.local' (LOGON_FAILURE)
In /var/adm/messages, I get lines like:
smbd[1021]: [ID 871254 daemon.error] smbd: failed joining rapport.local
(LOGON_FAILURE)
and:
idmap[1919]: [ID 153168 daemon.notice] Couldn't open and SASL bind LDAP
connections to any domain controllers; discovery of some items will fail
I checked a few places that might have some info on similar problems:
http://opensolaris.org/jive/thread.jspa?messageID=205404
http://mail.opensolaris.org/pipermail/storage-discuss/2008-February/005048.html
http://opensolaris.org/jive/thread.jspa?messageID=180643
http://mail.opensolaris.org/pipermail/storage-discuss/2007-December/004241.html
http://mail.opensolaris.org/pipermail/storage-discuss/2007-December/004135.html
But I still can't seem to get this...*shakes head*. Any advice?
(This was originally posted in storage by me, since it was for ZFS, until
somebody pointed out it was probably better in the cifs forum...lol)
--
This message posted from opensolaris.org
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
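
The top reply describes lmauth_level=2 as a temporary workaround, so it helps to be able to find the hosts where the NTLM downgrade is still set once the hot fix is out. The following is an added example, not part of the original thread: it assumes `sharectl get -p lmauth_level smb` prints `lmauth_level=<n>` and that levels 3 to 5 are the NTLMv2 settings; the function name and verdict words are made up for this example.

```shell
#!/bin/sh
# Added example: audit the lmauth_level workaround discussed in this thread.
# Assumption: sharectl prints the property as "lmauth_level=<n>".
# Assumption: levels 3-5 mean the redirector uses NTLMv2; 2 means NTLM.

# classify_lmauth: read sharectl output on stdin, print one verdict word:
#   ntlm-workaround  level 2, the setting recommended in the thread
#   ntlmv2           level 3, 4 or 5
#   unknown          property missing, empty, non-numeric or out of range
classify_lmauth() {
    # Take the value of the last lmauth_level line, tolerating spaces
    # around "=" and ignoring any other properties in the output.
    level=$(sed -n \
        's/^[[:space:]]*lmauth_level[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        | tail -n 1)
    case "$level" in
        ''|*[!0-9]*) echo unknown ;;
        2)           echo ntlm-workaround ;;
        3|4|5)       echo ntlmv2 ;;
        *)           echo unknown ;;
    esac
}

if command -v sharectl >/dev/null 2>&1; then
    # On the Solaris CIFS server: report the live setting.
    verdict=$(sharectl get -p lmauth_level smb 2>/dev/null | classify_lmauth)
    echo "$(hostname): lmauth_level verdict: $verdict"
    if [ "$verdict" = "ntlm-workaround" ]; then
        echo "NTLM downgrade still active; revisit once the hot fix is applied."
    fi
else
    # Off-box: run against constructed sample outputs instead.
    for sample in 'lmauth_level=2' 'lmauth_level=3' 'lmauth_level='; do
        printf '%s -> %s\n' "$sample" \
            "$(printf '%s\n' "$sample" | classify_lmauth)"
    done
fi
```
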