Re: [cifs-discuss] OpenSolaris CIFS - Windows 2008 Domain

2008-12-08 Thread Natalie Li

Natalie Li wrote:

Paul Sobey wrote:
Has anybody managed to get the CIFS service joined to a Windows 2008 
domain?  

By default, our redirector uses NTLMv2 authentication.  Prior to joining 
your system to a Windows 2008 domain, please run the following command 
on your Solaris system such that NTLM authentication will be used instead:


sharectl set -p lmauth_level=2 smb

This is a known issue with Windows Server 2008 which by default 
disallows NTLMv2 authentication if the client doesn't support extended 
security.  Microsoft is working on a hot fix for this issue.  Once it 
becomes available, the above workaround will no longer be needed.

The Microsoft hot fix for Windows Server 2008 is available here:

http://support.microsoft.com/kb/957441/


Natalie
___
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss


[cifs-discuss] OpenSolaris CIFS - Windows 2008 Domain

2008-10-22 Thread Paul Sobey

Has anybody managed to get the CIFS service joined to a Windows 2008 
domain? I'm trying, to no avail. It fails with the rather obscure 
(INVALID_PARAMETER) error.

I've tried relaxing several of the security options on the Default Domain 
Controller GP (LDAP server signing requirements, secure channel 
signing/encryption and LAN Manager authentication level), but it hasn't 
helped. DNS is good, as far as I can tell (served from Bind, sites and 
subnets configured appropriately). For what it's worth, the same machine 
has joined the domain using the procedure specified here:

http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp

and I can log on via Kerberos fine. getent passwd user also works for an 
AD user. I tried the domain join using the smbadm join command, and then, 
worrying that the pre-existing account might have got in the way, deleted 
that, to no avail.

Can anyone suggest how I can debug this?

Also, on a related note - I'm fairly new to OpenSolaris having spent the 
last few years as an AD/Exchange admin. Most big shops are going to be 
rather reluctant to globally relax policies as recommended in the CIFS 
admin guide, and even worse, the guide specifically mentions requiring 
domain admin privileges to join the domain. I'm lucky enough to have 
domain admin rights at the moment, but I would expect that what automated 
build we end up constructing will want to join the domain using an account 
with minimal privileges on a particular OU.

Can I suggest that the software and documentation be tweaked to allow the 
user to pre-create a computer account in a particular OU, or specify an OU 
to create in?

Cheers,
Paul


Re: [cifs-discuss] OpenSolaris CIFS - Windows 2008 Domain

2008-10-22 Thread Natalie Li

Paul Sobey wrote:
 Has anybody managed to get the CIFS service joined to a Windows 2008 
 domain? I'm trying, to no avail. It fails with the rather obscure 
 (INVALID_PARAMETER) error.

By default, our redirector uses NTLMv2 authentication.  Prior to joining 
your system to a Windows 2008 domain, please run the following command 
on your Solaris system such that NTLM authentication will be used instead:

sharectl set -p lmauth_level=2 smb

This is a known issue with Windows Server 2008 which by default 
disallows NTLMv2 authentication if the client doesn't support extended 
security.  Microsoft is working on a hot fix for this issue.  Once it 
becomes available, the above workaround will no longer be needed.

 I've tried relaxing several of the security options on the Default Domain 
 Controller GP (LDAP server signing requirements, secure channel 
 signing/encryption and LAN Manager authentication level), but it hasn't 
 helped. DNS is good, as far as I can tell (served from Bind, sites and 
 subnets configured appropriately). For what it's worth, the same machine 
 has joined the domain using the procedure specified here:

 http://www.sun.com/bigadmin/features/articles/kerberos_s10.jsp

Since NTLMv2 authentication is not involved here, it explains why domain 
join would work using the domain join utility at the above location.

 and I can log on via Kerberos fine. getent passwd user also works for an 
 AD user. I tried the domain join using the smbadm join command, and then, 
 worrying that the pre-existing account might have got in the way, deleted 
 that, to no avail.

 Can anyone suggest how I can debug this?

 Also, on a related note - I'm fairly new to OpenSolaris having spent the 
 last few years as an AD/Exchange admin. Most big shops are going to be 
 rather reluctant to globally relax policies as recommended in the CIFS 
 admin guide, and even worse, the guide specifically mentions requiring 
 domain admin privileges to join the domain.
In order to join your system to a domain, the user doesn't necessarily 
need to possess domain admin privileges but should have sufficient 
permission to
1) create child objects in the 'Computers' container if one doesn't 
already exist, and
2) modify the attributes of the computer account.


  I'm lucky enough to have 
 domain admin rights at the moment, but I would expect that what automated 
 build we end up constructing will want to join the domain using an account 
 with minimal privileges on a particular OU.

 Can I suggest that the software and documentation be tweaked to allow the 
 user to pre-create a computer account in a particular OU,
Pre-creating a computer account would be fine if your system is running 
snv_97 or later.  But again, the user who joins the system to a domain 
should have sufficient permission to modify the pre-created computer 
account.

  or specify an OU 
 to create in?

I haven't seen such configuration on any Windows clients either.  Unless 
there is a compelling reason to make that configurable, the Solaris CIFS 
server should behave like Windows.

Natalie

 Cheers,
 Paul


___
cifs-discuss mailing list
cifs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
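One way to delegate exactly the two rights Natalie lists (create computer objects in the container, modify the attributes of computer accounts) to a low-privilege join account instead of using domain admin, as an added example that is not from the thread. It assumes a hypothetical service account svc-cifs-join, the container CN=Computers,DC=example,DC=com, and the ActiveDirectory PowerShell module with its AD: drive on the admin workstation.

```powershell
# Added example (not from the thread): grant a join account only the two rights
# named in the reply, scoped to one container, rather than domain admin membership.
# Hypothetical values: account 'svc-cifs-join', container CN=Computers,DC=example,DC=com.
Import-Module ActiveDirectory

$joinAccount = 'svc-cifs-join'
$container   = 'CN=Computers,DC=example,DC=com'   # or the OU where computer accounts are pre-created

# schemaIDGUID of the 'computer' class; limits both ACEs to computer objects only
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = [System.Security.Principal.SecurityIdentifier](Get-ADUser -Identity $joinAccount).SID
$acl = Get-Acl -Path "AD:\$container"

# 1) create child objects of class computer directly in the container (not inherited)
$createComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

# 2) modify attributes of computer accounts below the container
#    (inherited only by objects of class computer)
$writeComputer = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)

$acl.AddAccessRule($createComputer)
$acl.AddAccessRule($writeComputer)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Verify: show only the ACEs that now apply to the join account
(Get-Acl -Path "AD:\$container").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

WriteProperty over all attributes of computer objects is still broader than a join strictly needs; tightening the second ACE to the specific attributes the join writes (via per-attribute objectType GUIDs) reduces what a compromised join account could alter.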