Paul Sobey wrote: > Thanks for such a fast a comprehensive and speedy reply! Apologies if > the tone of my message came across as a bit disgruntled, it had been a > long day. Comments inline... > > On Wed, 22 Oct 2008, Natalie Li wrote: > >> Paul Sobey wrote: >> By default, our redirector uses NTLMv2 authentication. Prior to >> joining your system to a Windows 2008 domain, please run the >> following command on your Solaris system such that NTLM >> authentication will be used instead: >> >> sharectl set -p lmauth_level=2 smb >> >> This is a known issue with Windows Server 2008 which by default >> disallows NTLMv2 authentication if the client doesn't support >> extended security. Microsoft is working on a hot fix for this issue. >> Once it becomes available, the above workaround will no longer be >> needed. > > Tried - didn't help. Any other suggestions? Anything I can look for in > the event logs of the DC or logs on the Solaris machine? Please send us the network trace (capturing traffic between the domain controller and the Solaris CIFS server) along with the output from the following script.
http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag > >> Since NTLMv2 authentication is not involved here, it explains why >> domain join would work using the domain join utility at the above >> location. > > Agreed - and fair enough. I wasn't sure how far Windows had come with > regard to reliance on NTLM vs Kerberos - they trumpet Kerberos a lot > but I'm aware it uses NTLM silently in places, and will fall back > silently to it if Kerberos places. > >> In order to join your system to a domain, the user doesn't necessary >> need to possess domain admin privileges but should have sufficient >> permission to >> 1) create child objects in the 'Computers' container if one doesn't >> already exist, and >> 2) modify the attributes of the computer account. > > That's exactly what I was looking for, and the documentation, the CIFS > guide in particular, wasn't very clear on it. I think it would be > worth ammending the docs to clarify, and in particular removing the > dreaded phrase domain admin rights - the Windows world is full of apps > which 'require' this, and they set alarm bells ringing. Any business > that has followed the AD implementation guide even a little will be > putting machines in OUs, not the Computers container. I'll request for an update on that in the CIFS admin guide. > >>> or specify an OU to create in? >>> >> I haven't seen such configuration on any Windows clients either. >> Unless there is a compelling reason to make that configurable, the >> Solaris CIFS server should behave like Windows. > > The Windows Resource Kit utility netdom provides this functionality, > precisely because MS clients asked for it for scripted builds and the > like. Since it's a command line way to join a domain, it's probably > the closest analogue Windows has to your CIFS server join command - > therefore you could reasonably assert that Solaris should emulate a > little of its functionality... I haven't heard of the netdom utility until now properly because it doesn't come preinstalled on any Windows OS. Thanks for the pointer. The following CR has been filed: 6763073 Provide an option to specify the organizational unit for the computer account > > Besides - it strikes me as amusing that you would cite 'Windows > doesn't do it so Solaris shouldn't' as an argument - if that is a > strategy you wish to follow you probably want to remove some other > functionality from Solaris - maybe knock the performance down, reduce > stability, make zfs a little less friendly, etc.. :) > I'm glad that you like Solaris better than Windows! :-) Natalie > Paul > _______________________________________________ cifs-discuss mailing list firstname.lastname@example.org http://mail.opensolaris.org/mailman/listinfo/cifs-discuss