Sorry, I just caught the end of this, but don't you have to be on a newer snv 
release for the win2k8 workaround? Something like >snv96?


Sent from my BlackBerry

----- Original Message -----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: Natalie Li <[EMAIL PROTECTED]>
Cc: cifs-discuss@opensolaris.org <cifs-discuss@opensolaris.org>
Sent: Thu Oct 23 05:10:06 2008
Subject: Re: [cifs-discuss] OpenSolaris CIFS -> Windows 2008 Domain

Thanks for such a fast, comprehensive and speedy reply! Apologies if the 
tone of my message came across as a bit disgruntled; it had been a long 
day. Comments inline...

On Wed, 22 Oct 2008, Natalie Li wrote:

> Paul Sobey wrote:
> By default, our redirector uses NTLMv2 authentication.  Prior to joining your 
> system to a Windows 2008 domain, please run the following command on your 
> Solaris system such that NTLM authentication will be used instead:
>
> sharectl set -p lmauth_level=2 smb
>
> This is a known issue with Windows Server 2008 which by default disallows 
> NTLMv2 authentication if the client doesn't support extended security. 
> Microsoft is working on a hot fix for this issue.  Once it becomes available, 
> the above workaround will no longer be needed.

Tried - didn't help. Any other suggestions? Anything I can look for in the 
event logs of the DC or logs on the Solaris machine?

> Since NTLMv2 authentication is not involved here, it explains why domain join 
> would work using the domain join utility at the above location.

Agreed - and fair enough. I wasn't sure how far Windows had come with 
regard to reliance on NTLM vs Kerberos - they trumpet Kerberos a lot but 
I'm aware it uses NTLM silently in places, and will fall back silently to 
it if Kerberos places.

> In order to join your system to a domain, the user doesn't necessarily need to 
> possess domain admin privileges but should have sufficient permission to
> 1) create child objects in the 'Computers' container if one doesn't already 
> exist, and
> 2) modify the attributes of the computer account.

That's exactly what I was looking for, and the documentation, the CIFS 
guide in particular, wasn't very clear on it. I think it would be worth 
amending the docs to clarify, and in particular removing the dreaded 
phrase "domain admin rights" - the Windows world is full of apps which 
'require' this, and they set alarm bells ringing. Any business that has 
followed the AD implementation guide even a little will be putting 
machines in OUs, not the Computers container.

>>  or specify an OU to create in?
>> 
> I haven't seen such configuration on any Windows clients either.  Unless 
> there is a compelling reason to make that configurable, the Solaris CIFS 
> server should behave like Windows.

The Windows Resource Kit utility netdom provides this functionality, 
precisely because MS clients asked for it for scripted builds and the 
like. Since it's a command line way to join a domain, it's probably the 
closest analogue Windows has to your CIFS server join command - therefore 
you could reasonably assert that Solaris should emulate a little of its 
functionality...

Besides - it strikes me as amusing that you would cite 'Windows doesn't do 
it so Solaris shouldn't' as an argument - if that is a strategy you wish 
to follow you probably want to remove some other functionality from 
Solaris - maybe knock the performance down, reduce stability, make zfs a 
little less friendly, etc.. :)

Paul

_______________________________________________
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss