> -----Original Message-----
> From: Nicolas Williams [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, April 01, 2008 5:00 PM
> To: Natalie Li
> Cc: Leopold, Corey; [email protected]
> Subject: Re: [storage-discuss] B85 CIFS - Active Directory - Kerberos
>
> On Tue, Apr 01, 2008 at 10:02:58AM -0700, Natalie Li wrote:
> > Logging in your Solaris system as AD users is currently not supported.
> > This is outside the scope of the smbadm CLI.
> > I'll let Nico Williams comment on that.
>
> You can log on as users from *one* domain in your forest if you:
>
> a) setup SFU
> b) setup nss_ldap w/ schema mapping (there's now a BigAdmin article on
> how to do this)
Actually, on the Windows side, Server 2003 R2 has the SFU stuff built in; it
is no longer a separate product, though it still needs some setup. This is
essentially what I did: nss_ldap for authorization and Kerberos for
authentication. The problem I ran into is that the way smbadm sets up
krb5.keytab seems to be incompatible with host principal checking. If I turn
off host principal checking in the krb5.conf it works just fine. I
essentially used this page as my guide, except instead of using samba to
"join" the domain I used cifs:
http://blog.scottlowe.org/2007/04/25/solaris-10-ad-integration-version-3/

> To fully support logging in to Solaris as a user from anywhere in the
> forest (and even trusted forests) will require significant amounts of
> work. Specifically it will require:
>
> - nss_ad (a name service module that can resolve user/group names
> qualified with a domain name from across a forest)
>
> - making tmpfs allow ephemeral IDs
> - using ZFS for /var/tmp
>
> - changing/replacing /var/adm/lastlog so it can deal with ephemeral IDs
> - changing consumers of /var/adm/lastlog
>
> - removing username length limits that abound in Solaris
> - fixing/replacing utmpx so it can deal with very long usernames
> - fixing/extending/replacing archivers that store usernames and have
> similar length restrictions
>
> - adding new / fixing existing system calls for dealing with large SID
> lists in access tokens
> - allowing use of ephemeral IDs in various system calls
>
> - ...
>
> All doable. All yet to be done.

This will be very cool when all done!!!!!!!!

Corey
_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
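Corey's workaround above is to switch host principal checking off in krb5.conf. As an added example (my own code, not from the thread, from Solaris, or from smbadm), here is a small POSIX shell check to run before doing that: it inspects a keytab listing for the host/<fqdn>@REALM key that the login-time verification needs. Assumptions: the setting Corey refers to is verify_ap_req_nofail in the [libdefaults] section of /etc/krb5/krb5.conf (my reading of "host principal checking"; Solaris defaults it to true), the keytab lives at the Solaris default path /etc/krb5/krb5.keytab, the listings are constructed samples in the shape of `klist -k` output, and the hostname sol1.example.com, realm EXAMPLE.COM and the function names has_host_principal / login_check_advice are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Solaris/smbadm: check a
# keytab listing for the host/<fqdn>@REALM key that Kerberos login
# verification ("host principal checking", assumed here to be the
# verify_ap_req_nofail setting) needs before turning that check off in
# /etc/krb5/krb5.conf. The listings below are constructed samples in the
# shape of `klist -k /etc/krb5/krb5.keytab` output; hostname and realm are
# made up.

# has_host_principal LISTING FQDN REALM
# Returns 0 when a "host/FQDN@REALM" entry is present, 1 otherwise.
# Only lines whose first field is a numeric KVNO are considered, so the
# "Keytab name:" and column-header lines are ignored.
has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@$3" '
        $1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# login_check_advice LISTING FQDN REALM
# Prints what to do about verify_ap_req_nofail and returns the same status
# as has_host_principal. Keeping the check on (the Solaris default) is the
# safer setting: with it off and no host key in the keytab, the TGT obtained
# at login is accepted without proving that the issuing KDC knows this
# host's key, so a spoofed KDC could satisfy the login.
login_check_advice() {
    if has_host_principal "$1" "$2" "$3"; then
        echo "host/$2@$3 present: leave verify_ap_req_nofail = true in [libdefaults]"
        return 0
    fi
    echo "no host/$2@$3 in keytab: add that key rather than setting verify_ap_req_nofail = false"
    return 1
}

# Constructed sample: a keytab carrying only a cifs/ service key.
CIFS_ONLY='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/sol1.example.com@EXAMPLE.COM'

# Constructed sample: the same keytab after a host/ key was added.
WITH_HOST='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 cifs/sol1.example.com@EXAMPLE.COM
   2 host/sol1.example.com@EXAMPLE.COM'

for sample in "$CIFS_ONLY" "$WITH_HOST"; do
    login_check_advice "$sample" sol1.example.com EXAMPLE.COM || :
done
```

On a real host, feed it the live listing with your own FQDN and realm: `login_check_advice "$(klist -k /etc/krb5/krb5.keytab)" sol1.example.com EXAMPLE.COM`. The script only reports; how the host/ key gets into the keytab depends on how the machine account was created on the AD side, which the thread does not cover. Solaris 10's /bin/sh is the old Bourne shell, so run this under /usr/bin/ksh or /usr/xpg4/bin/sh there.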
