
eter,

Solaris 11 Server unable to Join Windows 2008 Domain

Sorry for the delay. I'm not on this site very often. If you want more
information, please let me know. I have to do things a little differently because my
systems sit on stand-alone networks. So I actually have to set up a local Solaris
repository to get the packages, but once it is set up I still use package manager to
install the two packages listed below. Also, I disable the "auto" network because
I aggregate multiple NICs.

1. Install Solaris 11 11/11 from live CD

2. Edit /etc/hosts file


a. # Add entries for domain controllers (i.e. - 192.168.0.1
domainController1.myDomain.com domainController1)
b. # Add entry for self (i.e - 192.168.0.5 solaris11r1.myDomain.com
solaris11r1)

3. Set DNS
a. # svccfg
b. # svc:> select dns/client
c. # svc:/network/dns/client> setprop config/nameserver=(192.168.0.1
192.168.0.2)
d. # svc:/network/dns/client> setprop config/domain=myDomain.com
e. # svc:/network/dns/client> setprop config/search=myDomain.com
f. # svc:/network/dns/client> select dns/client:default
g. # svc:/network/dns/client:default> refresh
h. # svc:/network/dns/client:default> validate
i. # svc:/network/dns/client:default> exit
j. # svcadm enable -r dns/client
4. Joining System to Windows 2008 Domain
a. # Need to install the following packages (Use Package Manager)
# system/security/kerberos-5
# service/file-system/smb (SMB/CIFS Server)
b. # cp /etc/nsswitch.dns /etc/nsswitch.conf
c. # Edit /etc/nsswitch.conf and add "ad" after "files" on the following two
lines (The reason for doing this is so you get user names instead of UIDs)
# passwd: files ad
# group: files ad
d. # Ensure time is accurate to a domain controller
# ntpdate 192.168.0.1
e. # kclient -a adminName -T ms_ad (This should create the
/etc/krb5/krb5.conf file with all the correct parameters and creates a computer
account in active directory)
Follow instructions
f. # svcadm enable -r smb/server
g. # smbadm join -u adminName myDomain.com (This actually joins the
system to the domain)
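
A pre-join check for the files the steps above edit (an added example, not part of the original post): it verifies that `passwd` and `group` list `ad` after `files`, that the hosts file names the machines you pass in, and offers a clock-skew test against the 300-second Kerberos default. The function names, the sample files and `domainController2` are constructed for illustration.

```sh
#!/bin/sh
# Added example, not the poster's commands: checks the files edited in
# steps 2 and 4c and the clock condition behind step 4d.

# True when database $2 (passwd, group) lists "ad" after "files" in file $1.
nss_ad_after_files() {
    awk -v db="$2:" '
    $1 == db {
        f = 0; a = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break             # trailing comment
            if ($i == "files" && !f) f = i
            if ($i == "ad" && !a) a = i
        }
        ok = (f && a && f < a)
    }
    END { exit ok ? 0 : 1 }' "$1"
}

# True when hosts file $1 has a non-comment entry naming host $2.
hosts_has_name() {
    awk -v want="$2" '
    { sub(/#.*/, "") }                       # drop comments, re-split fields
    NF >= 2 {
        for (i = 2; i <= NF; i++)
            if (tolower($i) == tolower(want)) found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# True when two epoch times differ by at most $3 seconds (default 300, the
# default Kerberos clock-skew tolerance).
skew_within() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Print one line per failed check: nsswitch file, hosts file, names to find.
prejoin_failures() {
    nss=$1; hosts=$2; shift 2
    for db in passwd group; do
        nss_ad_after_files "$nss" "$db" ||
            echo "nsswitch: $db lacks ad after files"
    done
    for h in "$@"; do
        hosts_has_name "$hosts" "$h" || echo "hosts: no entry for $h"
    done
}

# Constructed sample files; the group line is left without "ad" on purpose.
write_samples() {
    printf 'passwd: files ad\ngroup:  files\nhosts:  files dns\n' \
        > "$1/nsswitch.conf"
    printf '%s\n' \
        '192.168.0.1 domainController1.myDomain.com domainController1' \
        '192.168.0.5 solaris11r1.myDomain.com solaris11r1' > "$1/hosts"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
# domainController2 is a hypothetical second DC with no hosts entry.
prejoin_failures "$demo_dir/nsswitch.conf" "$demo_dir/hosts" \
    solaris11r1.myDomain.com domainController2.myDomain.com
rm -rf "$demo_dir"
```

On a real system, point `prejoin_failures` at /etc/nsswitch.conf and /etc/hosts before running kclient.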

SAMBA Product Page (Doc ID 1400505.1)

In this Document
Purpose
Details
Product Support Team
Alerts
Description
Versions
Compatibility/Patches
Configuration
FAQ
Information Gathering
Installation
De-installation
Troubleshooting
Performance
Lab
References
Proactive
References

APPLIES TO:

Solaris SPARC Operating System - Version 9 GA to 10 8/11 U10 [Release 9.0 to 10.0]
Solaris x64/x86 Operating System - Version 9 GA to 10 8/11 U10 [Release 9.0 to
10.0]
Information in this document applies to any platform.
PURPOSE

This document contains the Samba Product Page.

DETAILS

Product Support Team

SN-SND: Sun Network PC File Systems

Alerts

To retrieve Alerts specific to Samba, perform a keyword search under the filter
"Sun Products" using the word "samba". Sort by "All Document Types - Alert Notice"
using the "Refine Results" side menu.

Description

Samba is a suite of Unix applications that speak the SMB (Server Message Block)
protocol. Many operating systems, including Windows and OS/2, use SMB to perform
client-server networking. By supporting this protocol, Samba allows Unix servers to
get in on the action, communicating with the same networking protocol as Microsoft
Windows products.

Supported clients:

* LAN Manager
* Windows for Workgroups, Windows 95, 98, and ME
* Windows NT, 2000, XP, Vista
* Linux
* OS/2

Samba is considered Open Source software (OSS) by its authors, and is distributed
under the GNU General Public License (GPL).

Purpose of this product is ...

* Share one or more filesystems
* Share printers installed on both the server and its clients
* Assist clients with Network Neighborhood browsing
* Authenticate clients logging onto a Windows domain
* Provide or assist with WINS name server resolution

Common Standards

* NetBIOS over TCP/IP (NBT) (RFC 1001/1002) includes: Name service, Datagrams,
Sessions

Abbreviations/Acronyms

* NetBIOS - Network Basic Input/Output System
* SMB - Server Message Block
* CIFS - Common Internet File System (MS future version of SMB)
* WINS - Windows Internet Name Service
* PDC - Primary Domain Controller
* BDC - Backup Domain Controller
* DMB - Domain Master Browser
* PAM - Pluggable Authentication Modules
* SAM - Security Account Manager
* UNC - Universal Naming Convention
* AD - Active Directory

Versions

As Samba is an open source project, there exist many self-compiled versions of this
software on the Internet, and in our customers' systems, as well as Solaris
packages delivering Samba that have been built by third parties (e.g. samba.org, or
sunfreeware.org). Sun cannot investigate (and officially does not support) third
party Samba builds.

Check that the Samba running on a customer system is indeed the Solaris bundled
Samba, for example with:

grep mbd <explorerdir>/sysconfig/ps-ef.out

The output should include smbd and nmbd binaries running from /usr/sfw/sbin/.
In any other case, double-check the origin of those binaries.
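
The check described above as a script (an added example, not part of the Oracle document): it reads Solaris `ps -ef` text and lists Samba daemons whose binary is outside /usr/sfw/sbin/ or /usr/sbin/, the latter being where this page says smbd lives with 146364-01 or 119757-20 and above. The sample process list and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not Oracle's code. Input: Solaris `ps -ef` text on stdin.
# Output: one "pid command" line per smbd/nmbd/winbindd process whose binary
# is outside the bundled locations named on this page.
unexpected_samba_daemons() {
    awk '
    {
        # CMD follows the TIME column, which is the first mm:ss-style field
        # among fields 6..8 (STIME may be one field or two, e.g. "Jul 22").
        cmd = ""
        for (i = 6; i <= 8 && i < NF; i++)
            if ($i ~ /^[0-9]+(:[0-9][0-9])+$/) { cmd = $(i + 1); break }
        if (cmd == "") next                  # header or unparsable line

        n = split(cmd, parts, "/")
        base = parts[n]
        if (base != "smbd" && base != "nmbd" && base != "winbindd") next

        # A bare name such as "smbd" has no directory and is reported too.
        dir = substr(cmd, 1, length(cmd) - length(base))
        if (dir == "/usr/sfw/sbin/" || dir == "/usr/sbin/") next
        print $2, cmd
    }'
}

# Constructed ps-ef.out sample: two bundled daemons, two third-party builds,
# and the grep process itself.
sample_ps_output() {
    cat <<'EOF'
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root   612     1   0   Jul 22 ?           0:04 /usr/sfw/sbin/nmbd -D
    root   614     1   0   Jul 22 ?           1:12 /usr/sfw/sbin/smbd -D
    root  2301     1   0 09:14:55 ?           0:00 /opt/csw/sbin/smbd -D
    root  2302     1   0 09:14:56 ?           0:00 /usr/local/samba/sbin/winbindd
    root  2400  2350   0 09:20:01 pts/1       0:00 grep mbd
EOF
}

sample_ps_output | unexpected_samba_daemons
```

Against an explorer, run `unexpected_samba_daemons < <explorerdir>/sysconfig/ps-ef.out`; empty output means every Samba daemon found runs from a bundled path.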

Listing of samba versions in patches:

119757-01 Version 3.0.11
119757-04 Version 3.0.21b
119757-08 Version 3.0.25a
119757-09 Version 3.0.25c
119757-12 Version 3.0.28
119757-13 Version 3.0.32
119757-14 Version 3.0.33
119757-15 Version 3.0.34
119757-16 Version 3.0.35
119757-19 Version 3.0.37
146363-01 Version 3.5.5 ( http://www.samba.org/samba/history/samba-3.5.5.html )
119757-20 Version 3.5.8 ( http://www.samba.org/samba/history/samba-3.5.8.html )
119757-21 Version 3.5.10 ( http://www.samba.org/samba/history/samba-3.5.10.html )
119757-22 Version 3.6.4 ( http://www.samba.org/samba/history/samba-3.6.4.html )
119757-23 Version 3.6.5 ( http://www.samba.org/samba/history/samba-3.6.5.html )
119757-24 Version 3.6.6 ( http://www.samba.org/samba/history/samba-3.6.6.html )
119757-25 Version 3.6.6 ( http://www.samba.org/samba/history/samba-3.6.6.html )
119757-26 Version 3.6.8 ( http://www.samba.org/samba/history/samba-3.6.8.html )
119757-27 Version 3.6.12 ( http://www.samba.org/samba/history/samba-3.6.12.html )
119757-28 Version 3.6.15 ( http://www.samba.org/samba/history/samba-3.6.15.html )
119757-29 Version 3.6.18 ( http://www.samba.org/samba/history/samba-3.6.18.html )
119757-30 Version 3.6.20 ( http://www.samba.org/samba/history/samba-3.6.20.html )
119757-31 Version 3.6.22 ( http://www.samba.org/samba/history/samba-3.6.22.html )
119757-32 Version 3.6.23 ( http://www.samba.org/samba/history/samba-3.6.23.html )
Note: the latest stable release of Samba from samba.org is 3.6.23
Only the Solaris patch releases of samba are supported - Patch-ID# 119757-32
(Sparc) 119758-32 (x86)

Compatibility/Patches

Date: July 2013 : The following Solaris 10 Patch is Samba Version 3.6.23

*Patch-ID 119757-32 (Sparc)
*Patch-ID 119758-32 (x86)

Date: July/22/2013 : The following Solaris 10 Patch is Samba Version 3.6.15

*Patch-ID# 119757-28 (Sparc)
*Patch-ID# 119758-28 (x86)

Nov/26/2012 : The following Solaris 10 patches brought Samba to version 3.6.8

*Patch-ID# 119757-26 (Sparc)
*Patch-ID# 119758-26 (x86)

For Sun Cluster, the latest supported patch is 119757-19 until 126077-03
(HA-Samba) is released.

Please read the README file!

NOTE 1: If you are updating Samba from release 3.0.37, you should pay special
attention. The version of the current installed Samba can be obtained
by using the command:

/usr/sfw/sbin/smbd -V

...in case the latest patch applied is 119758-19 or previous,

or:

/usr/sbin/smbd -V

with 146364-01 or 119757-20 and above

NOTE: with the latest patch 119757-26 the version should display 3.6.8

NOTE 2: Please ensure all Samba services are disabled before installing
this patch:

svcs samba winbind wins swat

if not, please stop the running services:

svcadm disable samba winbind wins swat

NOTE 3: Configuration changes may be required. The smb.conf file has moved
from /etc/sfw to /etc/samba to avoid unintentional launch of Samba
services without a manual check of the smb.conf file.

NOTE 4: In case of trouble after the patch install, the original .tdb-files
may also need to be purged:

rm -fr /var/samba/lo*/*

but be careful i.e. in case of the idmap tdb-backend. In this case
the idmap database will be lost by purging the .tdb's. Transferring
the .tdb info between the previous and current version needs some
scripting in case the .tdb-structure has changed. Utilities tdbdump
and tdbtool can help in this effort.

NOTE 5: The configuration option for SAM-QFS offline files support has
changed. Please replace the original [share] option:

samfs share = yes

by the [share] option for loading the VFS-module:

vfs objects = samfs

The "samfs.so" module also supports making files offline from the
SMB-client's side. Such operation was not originally supported by
the previous solution.

April, 2011: The following Solaris 10 patches, brought Samba to version 3.5.5

* PATCHID:146363-01 - SunOS 5.10: Samba patch (SPARC)
* PATCHID:146364-01 - SunOS 5.10: Samba patch (x86)

Please read the README file !

NOTE 1: This patch updates Samba from release 3.0.37 to 3.5.5.

NOTE 2: Please ensure all Samba services are disabled before installing this patch:

svcs samba winbind wins swat

if not, please stop the running services:

svcadm disable samba winbind wins swat

NOTE 3: Configuration changes may be required. The smb.conf file has moved from
/etc/sfw to /etc/samba to avoid unintentional launch of Samba services without a
manual check of the smb.conf file.

NOTE 4: In case of trouble after the patch install, the original .tdb-files may
also need to be purged:

rm -fr /var/samba/lo*/*

but be careful i.e. in case of the idmap tdb-backend.

NOTE 5: The configuration option for SAM-QFS offline files support has changed.
Please replace the original [share] option:

samfs share = yes

by the [share] option for loading the VFS-module:

vfs objects = samfs

The "samfs.so" module also supports making files offline from the SMB-client's
side. Such operation was not originally supported by the previous solution.

Sun Cluster HA-Samba patches:

Use the "Patches and Updates" tab to perform a "Product or Family (Advanced)"
search using the following parameters:

Product: Sun Cluster
Release: 3.0, 3.1, 3.2, 3.3
Platform: sparc and/or x86
Description contains samba

Configuration

Configuration Files Location

PRIOR TO patch 146363-01 /119757-20 :

* /etc/sfw
* /etc/sfw/smb.conf: main configuration file, see man smb.conf
* /etc/sfw/private/smbpasswd: password file for the samba users (change with
smbpasswd)
* /etc/sfw/usermap.txt: location depends on the entry in smb.conf, maps unix user
names to samba users

As of 146363-01 (Sparc) / 146364-01 (x86) / 119757-20 or above the configuration
file location has been changed from /etc/sfw to /etc/samba

To run Samba the /etc/sfw/smb.conf must be in place and properly configured (after
the installation there is only a smb.conf-example file)

SOLARIS 9: Start Samba using the rc.initd scripts

The start script is: /etc/init.d/samba { start | stop }

Samba will start in Runlevel 3: /etc/rc3.d/S90samba and stop in Runlevel 2:
/etc/rc2.d/K03samba

SOLARIS 10: Start Samba using the Service Management Facility (SMF) (Solaris 10
Update 4 or later)

* start: # svcadm enable samba wins
* stop: # svcadm disable samba wins
* check: # svcs samba wins
* using SWAT: # svcadm enable swat
* check SWAT: # svcs swat

Reference : How to Create a Basic Samba Configuration in the Solaris[TM] 9
Operating System and Solaris[TM] 10 Operating System Document 1002126.1

FAQ

QUESTION: Is there a patch to allow Samba to properly inter-operate with Windows
Server 2008 R2?

ANSWER: Yes, See: 146363-01 (Sparc) and 146364-01 (x86) or 119757-20 and above
==================

QUESTION: I have configured samba on a solaris10 server. I am using the samba that
comes with solaris10. I am attempting to use winbind and AD from a Windows 2003 AD
domain. When I put ACL's on a share to allow specific AD group write or create
privileges they are denied unless I remove the user from AD groups until it is
below 16 groups. Then everything works OK. I found some stuff on Sunsolve about the
parameter ngroups_max and being able to set it to 32 instead of the default 16. I
did this but it didn't seem to affect the way that samba works. Am I missing
something or will Samba not use this value?

ANSWER: According to this CR, the ability to have a user in more than 16 groups has
been implemented in Open Solaris and will be backported to Solaris 10u10.
==============================

QUESTION: How to create a public share in Samba which will be open to anyone?

ANSWER: With samba, all shares are essentially public till you limit them.
Public means that the shares are visible but you may or may not be able to access
the data in them. A non public share is not visible to anyone, but can be accessed
if you know where it lives.

It appears that your customer is looking for a public share with generic access.
(not only can everyone see the share but anyone can access it)

The customer's share is fine for being a read-only public share.

[ttrace_dev]
path = /omarcsdv/tektrace
guest ok = Yes
read only = Yes

However, this is only half of the story.

When PC users access this share, they will be authenticated via the passwd server
in the [global] section. The process is something like this:

user on PC ---> password server ---> samba now looks up a unix user associated to
the PC user ---> if no match, pop-up a login window

Keep in mind that there are PC users (with PC permissions/ownership) and unix users
(with unix permissions/ownership). Something has to map between these. It can be
the smbpasswd file, it could be Active Directory, or it can be a samba map. Note
that unless instructed otherwise, (i.e., a guest connection), Samba will expect
both the client and the server user to have the same password. The [global] section
of this smb.conf file shows:

username map = /etc/sfw/users.map.%L

So this customer will probably need to add an entry in this map to map all
authenticated PC users to a valid unix user (i.e. a user in /etc/passwd). I would
suggest creating a unix user called "guest" (this user must be the owner of the
shared directory, /omarcsdv/tektrace). Now map this unix user to all authenticated
PC users. Add the following line to the /etc/sfw/users.map.%L file:

guest = *

There is another way to configure a public any access share. This is done in the
[share] section of the smb.conf file.

[sales]
path = /home/sales
comment = Fiction Corp Sales Data
writeable = yes
guest ok = yes
guest account =
guest only = yes

There is a very good writeup on this in the O'Reilly Samba book. Here is the
section:

http://oreilly.com/catalog/samba/chapter/book/ch06_02.html
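
To review which shares end up open to guests after edits like the ones in this answer, the following added example (not part of the Oracle document) parses an smb.conf and reports every guest-enabled share as read-only or writable, and lists username-map entries that map all clients to one Unix account with `*`. The function names and the `[finance]` share are constructed; the other sample lines come from the snippets above.

```sh
#!/bin/sh
# Added example, not Oracle's code. Sample data is constructed from the
# share and map snippets quoted in the answer above.

# Print "<share> guest-read-only|guest-writable" per guest-enabled share.
audit_guest_shares() {
    awk '
    function truthy(v) {   # boolean spellings treated as true (assumed set)
        v = tolower(v)
        return (v == "yes" || v == "true" || v == "1" || v == "on")
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }     # comments, blank lines
    /^[ \t]*\[/ {                            # section header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (tolower(sec) == "global") sec = "global"
        if (!(sec in seen)) { seen[sec] = 1; order[++n] = sec }
        next
    }
    {
        eq = index($0, "="); if (eq == 0 || sec == "") next
        # Parameter names ignore case and embedded spaces.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        if (key == "guestok" || key == "public") guest[sec] = truthy(val)
        else if (key == "readonly") ro[sec] = truthy(val)
        else if (key == "writeable" || key == "writable" || key == "writeok")
            ro[sec] = !truthy(val)           # inverted synonyms of read only
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; if (s == "global") continue
            # Share value wins, then [global], then the built-in default.
            g = (s in guest) ? guest[s] : (("global" in guest) ? guest["global"] : 0)
            r = (s in ro) ? ro[s] : (("global" in ro) ? ro["global"] : 1)
            if (g) print s, (r ? "guest-read-only" : "guest-writable")
        }
    }' "$1"
}

# Print each Unix account that a "*" entry maps every client name onto.
wildcard_user_maps() {
    awk '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    {
        eq = index($0, "="); if (eq == 0) next
        unix = substr($0, 1, eq - 1); gsub(/[ \t!]/, "", unix)
        m = split(substr($0, eq + 1), names, /[ \t]+/)
        for (i = 1; i <= m; i++) if (names[i] == "*") { print unix; break }
    }' "$1"
}

# Constructed smb.conf; [finance] is a hypothetical non-guest share.
write_sample_conf() {
    printf '%s\n' '[global]' 'username map = /etc/sfw/users.map.%L' \
        '[ttrace_dev]' 'guest ok = Yes' 'read only = Yes' \
        '[sales]' 'writeable = yes' 'guest ok = yes' 'guest only = yes' \
        '[finance]' 'read only = no' > "$1"
}

conf=$(mktemp); map=$(mktemp)
write_sample_conf "$conf"
printf '# constructed map\nadmin = administrator\nguest = *\n' > "$map"
audit_guest_shares "$conf"; wildcard_user_maps "$map"
rm -f "$conf" "$map"
```

A share reported as guest-writable accepts changes from unauthenticated clients, and a `*` map entry means every authenticated client acts as the same Unix account on that server, so file ownership no longer identifies the user.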

====================================

QUESTION: Solaris 10: Why is smbd in maintenance?

ANSWER: SMF(5) stability is OK, but it fails if you start to combine manual
(scripted) runs of the daemons with SMF(5). Also, if you forgot to disable
all services before patching and do not reboot after patchadd, old instances
of the daemons may still be running with the old libraries loaded.

The old daemons block the bound listening port, so the newly started instance
of the daemon (started by SMF(5)) will fail on bind(). I do the following
cleanup in such a case:

svcadm disable samba wins winbind swat
svcs samba wins winbind swat
...repeat disable for the services which can not disable for the first "call"

pkill smbd
pkill nmbd

check the daemons remains running:
ps -ef | grep mbd # for smbd and nmbd
ps -ef | grep win # for winbindd

kill -9 # for daemons which can not stop

check the /etc/sfw/smb.conf

svcadm enable

PATCHID:119757 update -05 incorporated BUGSTER:6310561 "smbd should be converted to
an smf(5) service."

================================

SYMPTOM: Some users cannot delete files anymore (filesystem is UFS, no ACL's used.)

ANSWER: in the smb.conf profile acl was set to "YES". After changing it to "NO" all
users were able to delete files.

====================================

QUESTION: Where do I find the adjoin script that automates the process of joining a
Solaris client to an AD domain, that is discussed in some internet references?

ANSWER:

There is an adjoin script package (see attachments to this KM DOC).


DISCLAIMER:
THIS ADJOIN TOOL IS NOT SUPPORTED BY SUN. IT SHOULD BE CONSIDERED AS PROOF
OF CONCEPT/TECHNOLOGY AND SHOULD NOT BE USED FOR PRODUCTION.

Information Gathering

Things to get:

* /etc/sfw/smb.conf
* explorer
* ps -ef | grep mbd
* /var/adm/messages
* /var/samba/log (or the directory specified in the smb.conf file, eventually
increase the debug level before)

Things to try on the server:

* ping
* /usr/sfw/bin/smbclient -U% -L localhost

Things to try on the client:

* ping
* nbtstat -A
* nbtstat -a
* net use d: \\servername\service

Information needed to assign to another support group:

* Short failure description including error or warning messages
* Short customer situation including timeframes and business impact
* Platform (x86 or SPARC)
* Explorer output (or path to its location)
* Product gather script output (or path to location, if exists)
* Special commands output (see above, if no explorer is available and/or
information is not collected by explorer or scripts)
* Network overview (detailed sketch, cable lengths, networking hardware)
* Where is a test machine connected (e.g. a "slow" client)
* Short description of your measures to find and solve the problem before the
handover
* Use handover template to assign to Product Support

Installation

De-installation

Troubleshooting

Chapter 9.1 The Tool Bag of the O'Reilly "Using Samba" book outlines debug options:

9.1.1 Samba Logs
9.1.1.1 Log levels
9.1.1.2 Activating and deactivating logging
9.1.1.3 Logging by individual client machines or users

Use /usr/sfw/bin/testparm to check for "internal correctness" of the smb.conf file

Performance

Lab

References

samba.org
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/FastStart.html

Tim Thomas's Blog

Jiri's Blogs:
http://blogs.oracle.com/jurasek/entry/ads_domain_member_server1
http://blogs.oracle.com/jurasek/entry/even_more_simple_configuration
Email:
SAMBA-SUPPORT_WW_GRP@oracle.com
mailfinder archive at mailfinder.us.oracle.com

External links:
http://www.nineproductions.com/sun-solaris.html for articles on:
Solaris 11 Samba/ZFS Configuration
Solaris 10 Samba/ZFS Configuration

Proactive

Samba Bug listing:

http://monaco.sfbay.sun.com/list.jsf?product=solaris&categoryt=utility&subcategory=samba&csort=age

REFERENCES

NOTE:1360695.1 - Solaris 10 Samba service may enter maintenance mode due to Solaris
print services failures
NOTE:1390259.1 - Windows 7 client cannot access Samba share from Solaris 10 server
NOTE:1390849.1 - After Patch Cluster Installation that Includes 119757-20, Samba
Failed to Login with Windows ADS (Active Directory Server)
NOTE:1400605.1 - TSC Network Product Home
NOTE:1000738.1 - Security Vulnerabilities in Samba May Allow Unauthorized Root
Privileges

NOTE:416921.1 - Enterprise Linux: Samba HowTo
NOTE:1309450.1 - Samba Fails To Start Following Solaris Patch 146363-01(sparc) /
146364-01(x86) - 119757-20(sparc) /119757-20(x86)
NOTE:1006322.1 - Solaris Cluster 3.x Troubleshooting and Debug Samba in HA-Samba
NOTE:1000350.1 - Security Vulnerability in Samba(7) Versions Prior to 3.0.10 May
Allow Unauthorized Root Privileges
NOTE:1007294.1 - Sun Cobalt[TM]: Samba on a RaQ4
NOTE:1008976.1 - Sun Cobalt[TM]: Troubleshooting Samba
NOTE:1019254.1 - Two Security Vulnerabilities in samba(7) WINS Server Daemon (nmbd)
May Allow Execution of Arbitrary Code or Lead to a Denial of Service (DoS)
Condition
NOTE:1020936.1 - Security Vulnerability in Samba (SAMBA(7)) May Allow Unauthorized
Changes to Access Control Lists (ACL)
NOTE:1021111.1 - Two Security Vulnerabilities in SAMBA(7) May Allow Unauthorized
Access to the Remote Root Filesystem or May Lead to a Denial of Service (DoS)
Condition
NOTE:1309119.1 - New version of Samba no longer allows netgroups or hostnames for
hosts allow
NOTE:1321414.1 - How To Configure Samba Shares In Combination With ZFS As Backend
Filesystem
NOTE:1337414.1 - Local Samba Users Are Not Able To Access the Samba Shares
NOTE:1349321.1 - Samba configured for security = domain will have net join timeout
after 15 minutes of inactivity
NOTE:1314781.1 - After installation of Samba patch 146363-01, shares with symbolic
links outside the shared directory doesn't work anymore.

Document Details

Type: REFERENCE
Status: PUBLISHED
Last Major Update: 29/07/2014
Last Update: 29/07/2014


Attachments

adjoin script (ZIP, 21.8 KB) - ADJOIN TOOL IS NOT SUPPORTED BY SUN. IT SHOULD BE CONSIDERED AS
PROOF OF CONCEPT/TECHNOLOGY AND SHOULD NOT BE USED FOR PRODUCTION.
