Paul Sobey wrote:
> Has anybody managed to get the CIFS service joined to a Windows 2008 
> domain? I'm trying, to no avail. It fails with the rather obscure 
> (INVALID_PARAMETER) error.
>
>   
By default, our redirector uses NTLMv2 authentication.  Prior to joining 
your system to a Windows 2008 domain, please run the following command 
on your Solaris system so that NTLM authentication will be used instead:

sharectl set -p lmauth_level=2 smb

This is a known issue with Windows Server 2008 which by default 
disallows NTLMv2 authentication if the client doesn't support extended 
security.  Microsoft is working on a hot fix for this issue.  Once it 
becomes available, the above workaround will no longer be needed.

> I've tried relaxing several of the security options on the Default Domain 
> Controller GP (LDAP server signing requirements, secure channel 
> signing/encryption and LAN Manager authentication level), but it hasn't 
> helped. DNS is good, as far as I can tell (served from Bind, sites and 
> subnets configured appropriately). For what it's worth, the same machine 
> has joined the domain using the procedure specified here:
>
> http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp
>
>   
NTLMv2 authentication is not involved there, which explains why domain 
join would work using the domain join utility at the above location.

> and I can log on via Kerberos fine. getent passwd <user> also works for an 
> AD user. I tried the domain join using the smbadm join command, and then, 
> worrying that the pre-existing account might have got in the way, deleted 
> that, to no avail.
>
> Can anyone suggest how I can debug this?
>
> Also, on a related note - I'm fairly new to OpenSolaris having spent the 
> last few years as an AD/Exchange admin. Most big shops are going to be 
> rather reluctant to globally relax policies as recommended in the CIFS 
> admin guide, and even worse, the guide specifically mentions requiring 
> domain admin privileges to join the domain.
In order to join your system to a domain, the user doesn't necessarily 
need to possess domain admin privileges but should have sufficient 
permission to
1) create child objects in the 'Computers' container if one doesn't 
already exist, and
2) modify the attributes of the computer account.


>  I'm lucky enough to have 
> domain admin rights at the moment, but I would expect that what automated 
> build we end up constructing will want to join the domain using an account 
> with minimal privileges on a particular OU.
>
> Can I suggest that the software and documentation be tweaked to allow the 
> user to pre-create a computer account in a particular OU,
Pre-creating a computer account would be fine if your system is running 
snv_97 or later.  But again, the user who joins the system to a domain 
should have sufficient permission to modify the pre-created computer 
account.

>  or specify an OU 
> to create in?
>
>   
I haven't seen such a configuration on any Windows clients either.  Unless 
there is a compelling reason to make that configurable, the Solaris CIFS 
server should behave like Windows.

Natalie

> Cheers,
> Paul
>
> _______________________________________________
> cifs-discuss mailing list
> cifs-discuss@opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
>   
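Natalie's reply lists the two rights a non-admin join account needs (create child objects in the target container, modify the attributes of the computer account), and Paul asks for a minimal-privilege account scoped to one OU. The following is an added example, not code from this thread or from the Solaris CIFS project, showing how a domain administrator could delegate exactly those two rights on a single OU with the built-in dsacls and dsadd tools on the Windows side and pre-create the account there. The domain example.com, the OU "Solaris Hosts", the account EXAMPLE\cifs-joiner and the host name solaris01 are placeholders; the permission strings assume the dsacls form {user}:{permissions};{object type};{inherited object type}.

```powershell
# Added example (placeholders, not from the thread): delegate least-privilege
# join rights on one OU instead of using a domain admin account.
$ou     = "OU=Solaris Hosts,DC=example,DC=com"   # target OU (placeholder)
$joiner = "EXAMPLE\cifs-joiner"                  # low-privilege join account (placeholder)
$host   = "solaris01"                            # Solaris CIFS host name (placeholder)

# Right 1 from the reply: create child objects of class "computer" under the OU.
# /I:T applies the ACE to the OU itself and everything beneath it.
# (If you keep the default container instead of an OU, use
#  "CN=Computers,DC=example,DC=com" as $ou.)
dsacls $ou /I:T /G "${joiner}:CC;computer"

# Right 2 from the reply: write all properties of computer objects under the OU.
# /I:S makes the ACE inherit-only, and the trailing ";computer" limits it to
# objects of class computer, so the account cannot modify users or groups there.
dsacls $ou /I:S /G "${joiner}:WP;;computer"

# Optional pre-creation of the computer account in that OU (the reply says this
# works with snv_97 or later); the joiner still needs Right 2 to update it.
dsadd computer "CN=$host,$ou"

# Check: list the ACEs on the OU that mention the join account.
dsacls $ou | Select-String "cifs-joiner"
```

The two ACEs are the direct translation of the permissions the reply names, scoped to one OU rather than the whole domain, so the join account cannot touch other object classes or other containers. If a join still fails after this delegation, compare the ACEs with those the stock Windows "Join a computer to the domain" delegation wizard grants, since it also adds Reset Password and validated writes to DNS host name and service principal name, which the reply does not mention.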
