Sassy Natan wrote:
Let me understand if I did it in the right order.

I did the following:

I have Windows 2003R2 with rfc2307 extensions installed.

User name XXXX has a Windows account in the Active Directory and also a POSIX 
account enabled.
This means user name XXXX has a uid, uidNumber, gid, gecos, UnixHomeDirectory, 
LoginShell etc. configured.

On the OpenSolaris machine named Filer I configured resolv.conf to point to 
the Windows 2003 server.
I configured Kerberos so I can authenticate using the Kerberos protocol.
To test it I ran the command kinit "[email protected]" or "kinit 
Administrator" and this seems to work fine (klist shows the active ticket).
It also works for user XXXX.

Now I configured the ldap client and the dns client under svcadm to the enabled state. The 
ldap client was configured using the ldapclient command so it could map to the correct 
attributes in the AD. It is mostly based on the parameters you can find here: 
"http://blog.scottlowe.org/2006/08/15/solaris-10-and-active-directory-integration/"

After this I edited nsswitch.conf to include the ldap parameter only for the 
passwd and shadow maps. The hosts map has the files and dns parameters.

I can ping and resolve the Windows Domain Controller.

In this step I checked to see if I can resolve users from the Active Directory. I 
ran the command 'getent passwd XXXX' and managed to get the attributes from the 
Active Directory, so the ldap client seems to work just fine. I'm getting the 
username, UID, GID, login shell, home directory and the gecos parameters.
Just note that the id command also worked.

Now I configured pam.conf so users can log in to the machine using 
Kerberos.
I checked it and users from Active Directory can log in to the server using their 
username and password stored in the Active Directory.

That all sounds good. I can't say that I'm really familiar with setting up this configuration, but if you can log in that's most of the answer.

(I'm not sure this is needed to have a CIFS server, but just in case you wonder.)

Now the hard part: I added the machine to the Windows domain using the command 
'/usr/sbin/kclient -T ms_ad' or 'smbadm join -u Administrator Domain'.
The join was added successfully without the DDNS option. I had to add the machine 
IP to the DNS manually.

Now I have started the CIFS services on the OpenSolaris machine and logged in to a Windows XP 
machine in the domain using the user XXXX.

When trying to connect to the OpenSolaris machine using CIFS (Windows -> 
Start -> Run -> \\opensolaris) I can't get to the share. A popup window appears 
asking for user and password.
I tried everything and nothing seems to work: rona with password, Domain\rona 
with password, DC\rona with password, but nothing is working.

Did you try r...@domain with password?  [email protected]?

If you use bare "rona", I believe it will find the "local" UNIX user first, the one that the UNIX system is finding via LDAP. That user does not have a Windows-style password and so cannot log in. You need to force it to use the Windows user by specifying the domain.

Here's another question: when you log into your Windows desktop to attempt this connection, what username are you using?

On the console I noticed that user XXXX is considered as guest.

Hmm.  Not sure what that means.  Afshin?

My question here is what do I need to configure in the idmap?

If you're having problems with login, you probably aren't getting to the point of having problems with identity mapping. Maybe, but it's a little unlikely. Normally identity mapping problems manifest as files being owned by the wrong users or groups, or inability of a UNIX user to access files created by a Windows user, or inability of a Windows user to access files created by a UNIX user.

Do I really need to configure the ldap client in the first place? Or is it not 
necessary?

You do not need to do any ldap client configuration to use Windows file sharing. You *do* need to do ldap client configuration if you want to use AD users from UNIX or NFS.

We do not have very much experience with this kind of fully integrated environment, where you use AD as your UNIX name server. We want to go there, but haven't yet. I suspect that at least part of the problem you're having is that it's tricky to get everything to be found in the right place when the same name exists in both the UNIX world and the Windows world. Most of our experience so far is in environments where the UNIX world and the Windows world are separate and we are trying to bridge between the two.

You recommended using this, but this also doesn't work:
svccfg -s svc:/system/idmap setprop config/directory_based_mapping=astring: idmu

That should be roughly equivalent to the idmap rule that was discussed earlier. Again, I don't think you're to the point of having idmap problems.
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
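As an added diagnostic example (not from the thread or the OpenSolaris project), the script below walks the layers the poster configured, in the same order the mail describes, and reports which one is broken; it assumes a user name of rona and a placeholder domain, both passed as arguments.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread. Checks each layer the poster
# set up (Kerberos, LDAP name service, SMF services, domain join, idmap) in
# order. The user name and domain are placeholders; pass your own.
USER_NAME="${1:-rona}"
DOMAIN="${2:-EXAMPLE.COM}"   # placeholder, not the poster's real domain

# Pure helper: a getent passwd line must have name, uid, gid, home and shell
# filled in (fields 1,3,4,6,7); otherwise the rfc2307 attribute mapping in the
# ldapclient profile is incomplete. Returns 0 when the entry is complete.
check_passwd_entry() {
    IFS=: read -r name pw uid gid gecos home shell <<EOF
$1
EOF
    [ -n "$name" ] && [ -n "$uid" ] && [ -n "$gid" ] \
        && [ -n "$home" ] && [ -n "$shell" ]
}

# Pure helper: the domain-qualified name the reply suggests typing in the
# SMB password prompt so the Windows account is used, not the LDAP-backed one.
domain_login_name() {
    printf '%s@%s\n' "$1" "$2"
}

run_checks() {
    rc=0
    # 1. Kerberos: kinit must have left a usable ticket cache.
    klist >/dev/null 2>&1 || { echo "FAIL kerberos: no ticket cache"; rc=1; }
    # 2. LDAP name service: getent must return a complete POSIX entry.
    entry=$(getent passwd "$USER_NAME")
    if check_passwd_entry "$entry"; then
        echo "ok   ldap: $entry"
    else
        echo "FAIL ldap: incomplete or missing entry for $USER_NAME"; rc=1
    fi
    # 3. The SMF services the thread enables must all be online.
    for svc in network/ldap/client network/dns/client network/smb/server system/idmap; do
        state=$(svcs -H -o state "$svc" 2>/dev/null)
        [ "$state" = online ] || { echo "FAIL smf: $svc is '$state'"; rc=1; }
    done
    # 4. Domain join and identity mapping, the layer the reply says comes last.
    echo "domain:     $(smbadm list 2>&1)"
    echo "idmap mode: $(svcprop -p config/directory_based_mapping svc:/system/idmap 2>&1)"
    echo "idmap:      $(idmap show -c "winname:$(domain_login_name "$USER_NAME" "$DOMAIN")" uid 2>&1)"
    return $rc
}

# Only run the live checks on a system that actually has SMF.
if command -v svcs >/dev/null 2>&1; then run_checks; fi
```

A complete `getent` line but a guest mapping in the last block points at the domain/idmap layer; a missing field in the `getent` line points back at the ldapclient attribute map.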