Paul Sobey wrote:
> Has anybody managed to get the CIFS service joined to a Windows 2008 
> domain? I'm trying, to no avail. It fails with the rather obscure 
By default, our redirector uses NTLMv2 authentication.  Prior to joining 
your system to a Windows 2008 domain, please run the following command 
on your Solaris system such that NTLM authentication will be used instead:

sharectl set -p lmauth_level=2 smb

This is a known issue with Windows Server 2008 which by default 
disallows NTLMv2 authentication if the client doesn't support extended 
security.  Microsoft is working on a hot fix for this issue.  Once it 
becomes available, the above workaround will no longer be needed.

> I've tried relaxing several of the security options on the Default Domain 
> Controller GP (LDAP server signing requirements, secure channel 
> signing/encryption and LAN Manager authentication level), but it hasn't 
> helped. DNS is good, as far as I can tell (served from Bind, sites and 
> subnets configured appropriately). For what it's worth, the same machine 
> has joined the domain using the procedure specified here:
Since NTLMv2 authentication is not involved here, it explains why domain 
join would work using the domain join utility at the above location.

> and I can log on via Kerberos fine. getent passwd <user> also works for an 
> AD user. I tried the domain join using the smbadm join command, and then, 
> worrying that the pre-existing account might have got in the way, deleted 
> that, to no avail.
> Can anyone suggest how I can debug this?
> Also, on a related note - I'm fairly new to OpenSolaris having spent the 
> last few years as an AD/Exchange admin. Most big shops are going to be 
> rather reluctant to globally relax policies as recommended in the CIFS 
> admin guide, and even worse, the guide specifically mentions requiring 
> domain admin privileges to join the domain.
In order to join your system to a domain, the user doesn't necessary 
need to possess domain admin privileges but should have sufficient 
permission to
1) create child objects in the 'Computers' container if one doesn't 
already exist, and
2) modify the attributes of the computer account.

>  I'm lucky enough to have 
> domain admin rights at the moment, but I would expect that what automated 
> build we end up constructing will want to join the domain using an account 
> with minimal privileges on a particular OU.
> Can I suggest that the software and documentation be tweaked to allow the 
> user to pre-create a computer account in a particular OU,
Pre-creating a computer account would be fine if your system is running 
snv_97 or later.  But again,  the user who joins the system to a domain 
should have sufficient permission to modify the pre-created computer 

>  or specify an OU 
> to create in?
I haven't seen such configuration on any Windows clients either.  Unless 
there is a compelling reason to make that configurable, the Solaris CIFS 
server should behave like Windows.


> Cheers,
> Paul
> _______________________________________________
> cifs-discuss mailing list

cifs-discuss mailing list

Reply via email to