Flag Day: Joining a Windows 2008 domain
http://hub.opensolaris.org/bin/view/Community+Group+on/2009080701
Also, we recommend upgrading from opensolaris 2009.06 to the latest
dev release for SMB/CIFS. 2009.06 was DOA for CIFS.
OpenSolaris Development Release Packaging Repository
http://pkg.opensolaris.org/dev/en/index.shtml
Alan
On 01/07/10 20:04, Frank Cusack wrote:
This problem is really kicking my butt.
I've just installed opensolaris 2009.06 solely to try this cifs thing out.
I've been able to get older versions of samba (e.g. 3.0.25 that ships with
solaris 10_u8) to join the domain, but not able to authenticate clients.
For newer versions of samba (3.4.3 anyway) I have not been able to join
the domain at all. I've tried linking sasl with both MIT krb5 and Sun
krb5 and neither way yields a successful domain join.
For opensolaris 2009.06 I have also not been able to join the domain. I
found
<http://wiki.genunix.org/wiki/index.php/CIFS_Service_Troubleshooting#Joining_a_Windows_2008_Domain>
which helped me progress a little but still not quite there.
Is OpenSolaris 2009.06 > SXCE Build 94? If not then no wonder I am not
making progress.
The LMCompatibilityLevel registry key is not present, and so I infer from
the genunix wiki that LMCompatibilityLevel would be 3 (the wiki doesn't
say that an absent key means the default setting is used, but it seems
a reasonable assumption), and also that this means NTLMv2 auth is *not*
mandatory. In which case, "do *one* of the following".
I tried setting lmauth_level=2 but then I just get a different error
when trying to join (INTERNAL_ERROR instead of whatever it was before).
I didn't try the alternative suggestion of installing the hotfix.
In the other half of the instructions (if NTLMv2 auth *is* mandatory),
I would apply the hot fix but I am running 2008R2 and I'm not sure from
the wiki or from the MS website that the hotfix applies to 2008R2. I
mean, I would tend to think they would have rolled it in. My 2008R2
server is not in production yet, but I would prefer not to run that kind
of experiment without some more verification. I did try adding the
AllowLegacySrvCall registry key but that didn't do anything different,
I assume because I did not install the hotfix.
Now, I will note that the wiki page is in direct conflict to MS' hotfix
page, in that the wiki says the default LMCompatibilityLevel of 3 means
that NTLMv2 auth is *not* mandatory. In the "More Information" section of
the MS hotfix page it seems to say the opposite -- that an [explicit]
LMCompatibilityLevel of 3 means NTLMv2 auth *is* mandatory, which is also
consistent with the full description of LMCompatibilityLevel found on
other support.microsoft.com web pages. Well almost; the value of 3 is
documented as "*Send* NTLMv2 response only" although "domain controllers
*accept* LM, NTLM and NTLM 2 authentication". I'm not sure what the
relationship between "accept" and "send response" is, but the hotfix
is documented as specifically for the case where "Send NTLMv2 response
only" is on.
I also tried lmauth_level=2 on the opensolaris server along with
LMCompatibilityLevel=2 (domain controllers accept all auth types, send
ntlm only) on the 2008R2 server which didn't work.
Does opensolaris need to be rebooted for lmauth_level changes to take
effect? It doesn't seem so since I get different error messages for
lmauth_level=2 vs lmauth_level=4.
Does 2008R2 need to be rebooted for different LMCompatibilityLevel
settings to take effect?
I mentioned this above, but to be clear: does the hotfix apply to 2008R2
as well as 2008?
I gotta say, if I knew what I know now I would have gone with a netapp,
however I have too much invested in the opensolaris hardware now to turn
back. I don't have a previous version of Windows Server to try but if
I had to I could do that. I'd rather exhaust all avenues with 2008R2
first though.
thanks for drudging through this message!
-frank
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss