Thanks for such a fast, comprehensive and speedy reply! Apologies if the tone of my message came across as a bit disgruntled, it had been a long day. Comments inline...
On Wed, 22 Oct 2008, Natalie Li wrote:

> Paul Sobey wrote:
>
> By default, our redirector uses NTLMv2 authentication. Prior to joining your
> system to a Windows 2008 domain, please run the following command on your
> Solaris system such that NTLM authentication will be used instead:
>
> sharectl set -p lmauth_level=2 smb
>
> This is a known issue with Windows Server 2008 which by default disallows
> NTLMv2 authentication if the client doesn't support extended security.
> Microsoft is working on a hot fix for this issue. Once it becomes available,
> the above workaround will no longer be needed.

Tried - didn't help. Any other suggestions? Anything I can look for in the
event logs of the DC or logs on the Solaris machine?

> Since NTLMv2 authentication is not involved here, it explains why domain join
> would work using the domain join utility at the above location.

Agreed - and fair enough. I wasn't sure how far Windows had come with regard
to reliance on NTLM vs Kerberos - they trumpet Kerberos a lot but I'm aware it
uses NTLM silently in places, and will fall back silently to it if Kerberos
fails.

> In order to join your system to a domain, the user doesn't necessarily need to
> possess domain admin privileges but should have sufficient permission to
> 1) create child objects in the 'Computers' container if one doesn't already
> exist, and
> 2) modify the attributes of the computer account.

That's exactly what I was looking for, and the documentation, the CIFS guide
in particular, wasn't very clear on it. I think it would be worth amending the
docs to clarify, and in particular removing the dreaded phrase "domain admin
rights" - the Windows world is full of apps which 'require' this, and they set
alarm bells ringing. Any business that has followed the AD implementation
guide even a little will be putting machines in OUs, not the Computers
container.

>> or specify an OU to create in?
>>
> I haven't seen such configuration on any Windows clients either. Unless
> there is a compelling reason to make that configurable, the Solaris CIFS
> server should behave like Windows.

The Windows Resource Kit utility netdom provides this functionality, precisely
because MS clients asked for it for scripted builds and the like. Since it's a
command line way to join a domain, it's probably the closest analogue Windows
has to your CIFS server join command - therefore you could reasonably assert
that Solaris should emulate a little of its functionality...

Besides - it strikes me as amusing that you would cite 'Windows doesn't do it
so Solaris shouldn't' as an argument - if that is a strategy you wish to
follow you probably want to remove some other functionality from Solaris -
maybe knock the performance down, reduce stability, make zfs a little less
friendly, etc.. :)

Paul

_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
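The two permissions Natalie Li lists (create computer objects, modify the computer account's attributes) and the netdom /OU switch Paul refers to can be delegated and exercised from a Windows admin workstation without handing out domain admin rights. The script below is an added example, not part of the thread and not Sun or Microsoft code; the domain example.com, the join account EXAMPLE\svc-join, the OU=Servers container, the computer name SOL01 and the DC are assumed names for illustration. It also grants the "Reset Password" control access right, which the reply does not list but which a join needs in practice to set the machine-account password; treat that line as this example's own addition.

```powershell
# Added example (not from the cifs-discuss thread). All names are assumptions.
# Run on a domain-joined Windows admin box with the AD DS tools (dsacls, netdom).
$Domain   = 'example.com'                      # assumed domain
$JoinUser = 'EXAMPLE\svc-join'                 # assumed low-privilege join account
$TargetOU = 'OU=Servers,DC=example,DC=com'     # assumed OU; not the Computers container

# 1) Let the join account create child objects of class 'computer' in the OU.
#    /I:T applies the ACE to this object and all sub-objects.
dsacls $TargetOU /I:T /G "${JoinUser}:CC;computer"

# 2) Let it write all properties of computer objects beneath the OU (/I:S =
#    sub-objects only), covering dNSHostName, servicePrincipalName, userAccountControl
#    and the other attributes a join rewrites.
dsacls $TargetOU /I:S /G "${JoinUser}:WP;;computer"

# 2b) Control access right needed to set the machine-account password during the
#     join; this example's addition, not something the reply lists.
dsacls $TargetOU /I:S /G "${JoinUser}:CA;Reset Password;computer"

# Review the resulting ACL before using the account anywhere.
dsacls $TargetOU

# Join a Windows machine into that OU with the delegated account. /OU is the
# netdom capability the thread contrasts with the Solaris join command;
# /passwordd:* prompts for the password instead of putting it on the command line.
netdom join SOL01 /domain:$Domain /OU:$TargetOU /userd:$JoinUser /passwordd:*
```

The ACEs are scoped to the OU, so the join account can neither create computers elsewhere in the directory nor touch users or groups; if a join still fails after this, the DC's Security log (audit failure events for the join account) is the place to look, which matches the question asked above.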