John Connett wrote:

>On Fri, 2008-02-29 at 07:10 -0800, Ross wrote:
>
>>Update: It appears it's not even that, testing the CIFS server on another
>>machine, it looks like you just need a reboot after setting it up. So the
>>whole process to enable CIFS on a brand new b82 box is:
>>
>>- Install snv_82. Configure kerberos, networking and DNC when prompted.
>>- Once installed, start the CIFS server and join the domain:
>> # svcadm enable -r smb/server
>> # smbadm join -u domain-user domain-name
>>- Reboot server
>>
>>And then just create zfs filesystems and set sharesmb=on as needed.
>
>I have been trying to join a snv 83a SPARC system to a domain, so far
>without success.

Did you see any error messages in the syslog after you ran the smbadm join CLI? Is it a multiple domain controllers environment?
>The system had a text mode initial install just
>preserving the slice that holds a zpool. Networking and kerberos were
>configured during the install. What is DNC?

I'm not so sure if the domain join failure has anything to do with the installation. As long as you configure your DNS and Kerberos similar to what is mentioned in the Admin Guide prior to joining your system to a domain, you should be good to go. The "How to Configure an AD Client" section of the CIFS admin guide might be helpful.

http://docs.sun.com/app/docs/doc/820-2429/configureadtask?a=view

Note that both 'ads_domain' and 'ads_enable' properties are obsolete as of snv_81. Thus, you don't have to set those via sharectl.

>Do I need to modify the kerberos configuration post-installation?

Yes. See above.

>How
>about NTP, LDAP or PAM?

I'm not sure what the question here is. You can always use NTP for time synchronization. You won't be able to acquire a Kerberos TGT ticket if your time is off by 5 minutes or so.

>How does it compare with Scott Lowe's "Solaris 10-AD Integration"?
>
>http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/
>
>I'm guessing that the LDAP configuration would need to be modified to
>specify the account in Active Directory that will be used to bind to
>Active Directory for LDAP queries.

Yes. During domain join, a security context to an LDAP service on the specified AD server is established for the user account (i.e. the username argument of the smbadm join CLI). After the system is joined to a domain, the computer account will be used to bind to AD for any subsequent LDAP requests.

>Does idmap support using LDAP queries to extract UNIX attributes from
>Active Directory?

I'll let the Winchester folks answer any idmap related questions.

Natalie

>Thanks in anticipation
>--
>John Connett
>
>_______________________________________________
>storage-discuss mailing list
>[email protected]
>http://mail.opensolaris.org/mailman/listinfo/storage-discuss
