Solaris 10 Samba 3.0.x

Solaris 10 Samba Setup / Walkthrough

The following is a step-by-step summary of how to set up Solaris 10 as an Active Directory integrated file server using Samba and ZFS. The example comes from a production configuration on a Sun Fire X4500; a similar configuration ran on a production Linux file server for three years before that. I will update this web site as I test my final configurations.

I make no promises/warranties regarding any of this information. The following information contains my opinions from my own experience with Solaris/Samba/ZFS. The following documentation is provided for educational purposes only and should be used at your own risk.

Solaris 10 08/07 w/ Samba 3.0.25a

With this version of Samba, child domains do not work, and you need to disable the zfsacl VFS module or you will run into problems.

Solaris 10 08/07 w/ Samba 3.0.28

So far I have not found any issues; everything seems to be working correctly with Windows XP, Mac OS X 10.5/10.4 and Linux clients.

Solaris 10 08/07 w/ Samba 3.0.28

Recently I noticed that Office 2007 clients could create a document, but when the document was edited and saved back to the share users would receive an access denied error.

To resolve this I set “file acls = yes” and “nt acl support = no”. With nt acl support = no, Windows clients can no longer view or edit the real ACL from the Security tab; access is enforced only by the Unix mode bits and the ZFS ACL.

Generic Version


Set maximum groups to 32

The Solaris 10 kernel caps the number of groups a user can belong to. The default value of ngroups_max is 16, and the highest value the kernel accepts is 32. A user who is a member of more groups than the limit is denied access to all share points, because the group list cannot be built. Nesting groups does not reduce this number: winbind flattens nested membership, so the system still sees the user as a member of every nested group. CAUTION - raising the value above 16 breaks NFS interoperability, because an AUTH_SYS RPC credential (the default NFS security flavor) can carry at most 16 supplementary groups.

Edit /etc/system and make sure there is no whitespace after the = sign and that the keyword is spelled correctly; a malformed line can stop the system from booting.

set ngroups_max=32

Note - If you make a mistake and the system fails to boot, boot interactively (boot -a) and enter /dev/null when it asks for the location of the /etc/system file; the kernel then comes up with its default settings and you can repair the file.

Update 09/15/2011 - I just read that Solaris 10 08/11 has fixed this issue! You can read the release notes at the Oracle web site. I will write an update as soon as I test this new release.

Setup NTP to stay in sync with your domain controllers

Kerberos rejects tickets when the client and KDC clocks differ by more than the permitted skew (five minutes by default), so time synchronization has to work before the domain join.

Create the ntp.conf file from the client template

cd /etc/inet

cp ntp.client ntp.conf

Edit the file, removing the multicast option and setting your DC as the server to sync with.

# ident "@(#)ntp.client 1.3     00/07/17 SMI"

#
# /etc/inet/ntp.client
#
# An example file that could be copied over to /etc/inet/ntp.conf; it
# provides a configuration for a host that passively waits for a server
# to provide NTP packets on the ntp multicast net.
#

server <INSERT YOUR PDC EMULATOR AD DC IP ADDRESS>

#multicastclient 224.0.1.1

Start the NTP service (xntpd on Solaris 10)

svcadm enable network/ntp

Update your hosts file with entries for all domain controllers as well as this server

For consistency I rename the ipnodes file and link it to /etc/inet/hosts so I don't need to maintain two files. On Solaris 10 08/07 and later, ipnodes may already be a symlink to hosts (the merged header in the hosts file below is the sign of that); check with ls -l before moving it.

mv /etc/inet/ipnodes /etc/inet/ipnodes.old
ln -s /etc/inet/hosts /etc/inet/ipnodes

Edit the hosts file

vi /etc/inet/hosts

Set up host and alias entries for both of your DCs and for this system. The DC entries are not strictly necessary as long as DNS is configured properly; I always add them just in case.

#
# Internet host table
#
#
# Merged entries from ipnodes into hosts on
# Backup files saved in /etc/inet/ directory: hosts.premerge, ipnodes.premerge
#
127.0.0.1 localhost
::1 localhost

192.168.5.50 fs0 fs0.domain.local loghost

# Network Domain Controllers
192.168.5.10 dc0 dc0.domain.local
192.168.5.11 dc1 dc1.domain.local
192.168.6.10 child-dc0 child-dc0.child.domain.local

Check /etc/hostname.<INTERFACE> to make sure it contains your IP address or host name. If you use a host name, it must also be defined in /etc/inet/hosts.

fs0

Check /etc/defaultdomain and make sure your Active Directory domain is defined here (it must match what you have in /etc/inet/hosts).

domain.local

Make sure /etc/resolv.conf contains a nameserver entry for each of your Active Directory DNS servers as well as domain and search fields.

domain domain.local
search domain.local
nameserver 192.168.5.10
nameserver 192.168.5.11

Setup Kerberos

WEIRDNESS - Not sure why, but you need to create an empty keytab file, otherwise you will get login errors when accessing your Samba share by host name (as of Solaris 08/07).

touch /etc/krb5/krb5.keytab

Set up /etc/krb5/krb5.conf with your domain controllers. With dns_lookup_kdc = false every realm must list its KDCs explicitly, and [domain_realm] must map each DNS domain (with and without the leading dot) to its realm. Realm names are case-sensitive and upper case by convention.

[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMAIN.LOCAL = {
kdc = dc0.domain.local:88
kdc = dc1.domain.local:88
default_domain = domain.local
}

CHILD.DOMAIN.LOCAL = {
kdc = child-dc0.child.domain.local:88
default_domain = child.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
.child.domain.local = CHILD.DOMAIN.LOCAL
child.domain.local = CHILD.DOMAIN.LOCAL

[logging]
# The kdc and kdc_rotate entries only matter on a KDC; they are harmless on a client.
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log

kdc_rotate = {
# How often to rotate kdc.log. Logs will get rotated no more
# often than the period, and less often if the KDC is not used
# frequently.
period = 1d
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)
versions = 10
}

[appdefaults]
kinit = {
renewable = true
forwardable = true
}

Test the file with kinit. It prompts for the user's password; if it then returns with no output the ticket was obtained, otherwise you will receive an error.

kinit user@DOMAIN.LOCAL
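The krb5.conf layout above has a few places where a slip makes kinit, or the later domain join, fail: a realm with no kdc lines while dns_lookup_kdc = false, a default_realm with no [realms] entry, or a [domain_realm] mapping that points at the wrong realm. The following checker is an added example written for this page, not part of the original walkthrough or of any Kerberos distribution. The sample configuration it embeds is constructed from the page's layout (with a deliberately broken copy that drops the child realm's kdc line), and the function names are my own.

```python
# Added example (not part of the original page): a consistency check for the
# krb5.conf layout above. SAMPLE_KRB5_CONF is constructed for the demo; the
# function names are assumptions of this example, not a Kerberos API.

def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; one level of '{ }' nesting (as used
    in [realms]) becomes {section: {name: {key: [values]}}}. Repeated keys such
    as kdc accumulate, which is why every value is a list."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1].strip(), None
            sections[section] = {}
        elif line == "}":
            block = None
        elif line.endswith("{"):                      # e.g. "DOMAIN.LOCAL = {"
            block = {}
            sections[section][line[:-1].strip(" =")] = block
        else:
            key, _, value = line.partition("=")
            target = sections[section] if block is None else block
            target.setdefault(key.strip(), []).append(value.strip())
    return sections

def _flag(values, default):
    """Kerberos boolean: true/yes/1 (case-insensitive)."""
    return (values or [default])[0].strip().lower() in ("true", "yes", "1")

def check_krb5_conf(text):
    """Return a list of problems; an empty list means the realm layout is consistent."""
    conf = parse_krb5_conf(text)
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    problems = []
    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        problems.append("libdefaults: default_realm is not set")
    elif default_realm not in realms:
        problems.append("default_realm %s has no [realms] entry" % default_realm)
    dns_kdc = _flag(libdefaults.get("dns_lookup_kdc"), "true")
    for realm, params in realms.items():
        if not isinstance(params, dict):
            continue
        if realm != realm.upper():
            problems.append("realm %s is not upper case; realm names are case-sensitive" % realm)
        if not dns_kdc and not params.get("kdc"):
            problems.append("realm %s lists no kdc and dns_lookup_kdc is false" % realm)
        for domain in params.get("default_domain", []):      # both forms must map back
            for name in (domain, "." + domain):
                mapped = domain_realm.get(name, [None])[0]
                if mapped != realm:
                    problems.append("domain_realm: %s maps to %s, expected %s" % (name, mapped, realm))
    return problems

# Constructed sample following the page's layout.
SAMPLE_KRB5_CONF = """\
[libdefaults]
default_realm = DOMAIN.LOCAL
dns_lookup_realm = false
dns_lookup_kdc = false

[realms]
DOMAIN.LOCAL = {
kdc = dc0.domain.local:88
kdc = dc1.domain.local:88
default_domain = domain.local
}
CHILD.DOMAIN.LOCAL = {
kdc = child-dc0.child.domain.local:88
default_domain = child.domain.local
}

[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
.child.domain.local = CHILD.DOMAIN.LOCAL
child.domain.local = CHILD.DOMAIN.LOCAL

[logging]
default = FILE:/var/krb5/kdc.log
kdc_rotate = {
# rotation settings only matter on a KDC
period = 1d
versions = 10
}
"""

# Same layout with the child realm's kdc line forgotten: with
# dns_lookup_kdc = false nothing can locate the child KDC.
BROKEN_KRB5_CONF = SAMPLE_KRB5_CONF.replace("kdc = child-dc0.child.domain.local:88\n", "")

if __name__ == "__main__":
    print("sample:", check_krb5_conf(SAMPLE_KRB5_CONF))
    print("broken:", check_krb5_conf(BROKEN_KRB5_CONF))
```

Run it against the live file with check_krb5_conf(open("/etc/krb5/krb5.conf").read()). After a successful kinit, klist shows the ticket-granting ticket, which is a more explicit check than relying on the absence of output.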

Configure Samba

Create a new /etc/sfw/smb.conf

# Logging
log level = 2
syslog only = no
max log size = 50
log file = /var/samba/log/%m.log

# Kerberos realm; realm names are case-sensitive and upper case by convention
realm = DOMAIN.LOCAL
workgroup = DOMAIN
security = ADS
encrypt passwords = true
unix extensions = no
password server = dc0.domain.local dc1.domain.local
server string = Corporate File Server
wins server = 192.168.5.10 192.168.5.11
domain master = no
socket options = TCP_NODELAY SO_KEEPALIVE
# client schannel = no turns off the signed/sealed NETLOGON secure channel to the DCs;
# the default (auto) is preferable unless your DCs cannot support it
client schannel = no
client use spnego = yes
interfaces = aggr1*,lo
bind interfaces only = yes

kernel oplocks = yes
oplocks = yes
# one value; a trailing backslash continues the line
veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/*.docm/*.DOCM/*.dotm/*.DOTM/*.xltm/*.XLTM/*.xltx/*.XLTX/*.xlsx/*.XLSX/\
*.xlsm/*.XLSM/*.xlsb/*.XLSB/*.xls/*.XLS/*.ppt/*.PPT/*.pst/*.PST/*.mdb/*.MDB/*.ldb/*.LDB/*.vsd/*.VSD/*.mpp/*.MPP/*.qbw/\
*.QBW/*.qbb/*.QBB/*.qbI/*.qbl/*.dxf/*.DXF/*.dwg/*.DWG/*.cdr/*.CDR/*.bak/*.BAK/*.ord/*.xlo/*.igs/*.ipt/*.ipj/*.slp/*.stp/\
*.opt/*.xli/*.stl/*.cur/*.sjb/*.log/*.LOG/*.sbs/*.iam/*.idv/*.pcbdoc/*.PcbDoc/*.PCBDOC/

# DFS
# host msdfs = yes
# strict locking
# strict sync

# winbind
winbind separator = +
idmap uid = 11000-19000
idmap gid = 11000-19000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
allow trusted domains = yes
template homedir = /export/Corporate/Users/%U/Private

printcap name = /dev/null
load printers = no

[Corporate]
comment = Corporate Share
path = /export/Corporate
# acl check permissions was disabled because of the zfsacl problems on Solaris 10 08/07
# with Samba 3.0.25a; with Samba 3.0.28 the zfsacl module is enabled again
# acl check permissions = False
vfs objects = zfsacl
nfs4:mode = special
create mask = 0770
directory mask = 0770
# public (guest ok) = yes allows anonymous access to this share; set it to no
# unless guest access is intended
public = yes
writable = yes
file acls = yes
# nt acl support = no: Windows clients are not shown the real ACL and cannot edit
# permissions from the Security tab; access is enforced by the Unix mode bits and
# the ZFS ACL only (workaround for the Office 2007 save problem described above)
nt acl support = no

#[Dfs]
# path = /export/dfsroot
# msdfs root = Yes

Test the configuration file for syntax errors and unknown parameters.

/usr/sfw/bin/testparm

We are now ready to join this box to the domain. If successful you should see “Joined 'FS0' to realm 'DOMAIN.LOCAL'”.

/usr/sfw/bin/net ads join -U Administrator
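testparm checks syntax and parameter names, not risk. The following script is an added example written for this page (not the page's own code and not part of Samba) that reads smb.conf the way Samba does (comments, backslash line continuation, case-insensitive parameter names, synonyms such as public for guest ok) and flags the settings in the configuration above that weaken security: client schannel = no, public = yes, and the nt acl support = no trade-off. The embedded SAMPLE_CONF is constructed for the demo and mirrors the page's configuration; the function names are my own.

```python
# Added example (not part of the original page): a risk audit for smb.conf that
# testparm does not perform. SAMPLE_CONF is constructed for the demo and mirrors
# the page's settings; all function names here are my own.

SYNONYMS = {"public": "guest ok", "writable": "writeable", "write ok": "writeable"}

def _norm(name):
    """Samba matches parameter names case-insensitively and ignores whitespace."""
    key = " ".join(name.lower().split())
    key = key.replace(" :", ":").replace(": ", ":")      # "nfs4: mode" -> "nfs4:mode"
    return SYNONYMS.get(key, key)

def parse_smb_conf(text):
    """Return {section: {param: value}}, honouring '#'/';' comments and backslash
    line continuation; parameters before any [section] belong to 'global'."""
    sections, current, pending = {"global": {}}, "global", ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):                  # value continues on the next line
            pending += line[:-1]
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            current = "global" if current.lower() == "global" else current
            sections.setdefault(current, {})
        elif "=" in line:                        # testparm reports the rest as badly formed
            name, value = line.split("=", 1)
            sections[current][_norm(name)] = value.strip()
    return sections

def _true(v):
    return v.strip().lower() in ("yes", "true", "1")

def _false(v):
    return v.strip().lower() in ("no", "false", "0")

def _opt(share, glob, name, default):
    """Share-level value, then the global section, then Samba's default."""
    return share.get(name, glob.get(name, default))

def audit_smb_conf(text):
    """Return findings worth a second look; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    g = conf["global"]
    findings = []
    if g.get("security", "user").strip().lower() != "ads":
        findings.append("global: security is not ADS, so logons do not go through Kerberos/AD")
    if _false(g.get("encrypt passwords", "yes")):
        findings.append("global: encrypt passwords = no allows cleartext passwords on the wire")
    if _false(g.get("client schannel", "auto")):
        findings.append("global: client schannel = no disables the signed and sealed NETLOGON "
                        "secure channel to the domain controllers")
    for share, p in conf.items():
        if share == "global":
            continue
        if _true(_opt(p, g, "guest ok", "no")):
            findings.append("%s: guest ok (public) = yes permits anonymous access" % share)
        if _false(_opt(p, g, "nt acl support", "yes")):
            findings.append("%s: nt acl support = no hides the real ACL from Windows clients; "
                            "access is enforced only by Unix modes and the ZFS ACL" % share)
        for key, default in (("create mask", "0744"), ("directory mask", "0755")):
            if int(_opt(p, g, key, default), 8) & 2:   # others-write bit
                findings.append("%s: %s leaves the world-writable bit set" % (share, key))
    return findings

def with_fixes(text):
    """Corrected form of the two settings this server should not weaken; the
    nt acl support trade-off is left for the administrator to decide."""
    return (text.replace("client schannel = no", "client schannel = auto")
                .replace("public = yes", "public = no"))

# Constructed sample mirroring the page's configuration.
SAMPLE_CONF = """\
[global]
   realm = DOMAIN.LOCAL
   workgroup = DOMAIN
   security = ADS
   client schannel = no
   veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/\\
       *.xls/*.XLS/*.mdb/*.MDB/
   winbind separator = +

[Corporate]
   path = /export/Corporate
   vfs objects = zfsacl
   nfs4: mode = special
   create mask = 0770
   directory mask = 0770
   public = yes
   writable = yes
   nt acl support = no
"""

if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_CONF):
        print("FINDING", finding)
    print("after fixes:", audit_smb_conf(with_fixes(SAMPLE_CONF)))
```

To audit the real file, call audit_smb_conf(open("/etc/sfw/smb.conf").read()). After the join, /usr/sfw/bin/net ads testjoin confirms that the machine account and its secret still work against the domain.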

Setup PAM and nsswitch

Here we enable winbind in PAM and nsswitch. The nsswitch change lets the system resolve Active Directory users and groups, which is what allows them to be used when assigning permissions on files and directories; the PAM change lets AD users authenticate to other PAM-aware services such as Apache web sites (but that is another discussion).

Enable winbind in pam.conf. Review /etc/pam.conf-winbind before copying it: it replaces the entire PAM configuration, including the stacks used for console and ssh logins, so keep the backup until you have confirmed that local logins still work.

cp /etc/pam.conf /etc/pam.conf-OLD
cp /etc/pam.conf-winbind /etc/pam.conf

Enable winbind in nsswitch.conf to set the lookup order for users and groups. The system will consult the local files first and then winbind.

vi /etc/nsswitch.conf

Edit the following lines so they read:

passwd: files winbind
group:  files winbind

Testing the configuration and starting services

Before starting winbind, run the following so you can see what the nsswitch/PAM changes did:

getent passwd
getent group

You should see ONLY the users and groups from the local /etc/passwd and /etc/group files. Now enable the services and run the commands again:

svcadm enable winbind
svcadm enable samba

getent passwd
getent group

If everything worked you should see all of your local users and groups plus all of the users and groups from Active Directory. Winbind pulls this list from Active Directory and keeps a local cache in tdb files on the system. Full enumeration only works because winbind enum users and winbind enum groups are set to yes; on a large domain those settings make getent slow, and they are not needed for logons or for resolving individual names.
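The ngroups_max section and the getent check above both depend on what the merged passwd and group view looks like: winbind uids must stay inside the idmap uid range without colliding with local accounts (a shared uid means one account owns the other's files), and no user may belong to more groups than the kernel, or the NFS AUTH_SYS credential, allows. The following is an added example written for this page, not code from the page or from Samba. The getent output it embeds is constructed; the idmap range and the + separator are taken from the smb.conf above, and the function names are mine.

```python
# Added example (not part of the original page): audit the merged passwd/group
# view that nsswitch + winbind produce. The getent output below is constructed
# for the demo; the function names are assumptions of this example.

NGROUPS_MAX_SOLARIS10 = 32   # highest value the Solaris 10 kernel accepts (before 08/11)
AUTH_SYS_MAX_GROUPS = 16     # groups an AUTH_SYS (NFS) RPC credential can carry

def parse_passwd(text):
    """getent passwd output -> {name: (uid, gid)}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = (int(f[2]), int(f[3]))
    return users

def parse_group(text):
    """getent group output -> ({gid: name}, {name: set(members)})."""
    by_gid, members = {}, {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, mem = line.split(":", 3)
            by_gid[int(gid)] = name
            members[name] = set(m for m in mem.split(",") if m)
    return by_gid, members

def uid_problems(users, idmap_range, separator="+"):
    """Flag winbind accounts outside the idmap range, local accounts inside it,
    and uids shared by two names (either of which lets one account own the
    other's files)."""
    low, high = idmap_range
    problems, owners = [], {}
    for name, (uid, _gid) in sorted(users.items()):
        mapped = separator in name            # DOMAIN+user comes from winbind
        if mapped and not low <= uid <= high:
            problems.append("%s: winbind uid %d outside idmap range %d-%d" % (name, uid, low, high))
        if not mapped and low <= uid <= high:
            problems.append("%s: local uid %d inside the idmap range" % (name, uid))
        owners.setdefault(uid, []).append(name)
    for uid, names in sorted(owners.items()):
        if len(names) > 1:
            problems.append("uid %d shared by %s" % (uid, ", ".join(names)))
    return problems

def group_counts(users, by_gid, members):
    """Distinct groups per user: the primary gid plus every group listing the
    name. Nested AD groups are already flattened by winbind, so they all count."""
    counts = {}
    for name, (_uid, gid) in users.items():
        groups = set(g for g, mem in members.items() if name in mem)
        if gid in by_gid:
            groups.add(by_gid[gid])
        counts[name] = len(groups)
    return counts

def over_limit(counts, limit):
    """Names whose group count exceeds the given ceiling."""
    return sorted(name for name, n in counts.items() if n > limit)

# Constructed getent passwd output: a local account inside the idmap range, a
# duplicated uid, and a child-domain account mapped outside the range.
PASSWD = """\
root:x:0:0:Super-User:/:/sbin/sh
fsadmin:x:11005:10:Local admin:/export/home/fsadmin:/bin/bash
DOMAIN+alice:x:11001:11000:Alice:/export/Corporate/Users/alice/Private:/bin/false
DOMAIN+bob:x:11002:11000:Bob:/export/Corporate/Users/bob/Private:/bin/false
DOMAIN+dave:x:11002:11000:Dave:/export/Corporate/Users/dave/Private:/bin/false
CHILD+carol:x:19001:11000:Carol:/export/Corporate/Users/carol/Private:/bin/false
"""
# Constructed getent group output: alice sits in 17 project groups, bob in 2;
# "domain users" (gid 11000) is every AD account's primary group.
GROUP = "staff::10:\nDOMAIN+domain users:x:11000:\n" + "".join(
    "DOMAIN+project%02d:x:%d:%s\n" % (i, 11100 + i, "DOMAIN+alice,DOMAIN+bob" if i < 2 else "DOMAIN+alice")
    for i in range(17))

if __name__ == "__main__":
    users = parse_passwd(PASSWD)
    by_gid, members = parse_group(GROUP)
    for problem in uid_problems(users, (11000, 19000)):
        print("UID", problem)
    counts = group_counts(users, by_gid, members)
    print("over the NFS AUTH_SYS limit:", over_limit(counts, AUTH_SYS_MAX_GROUPS))
    print("over ngroups_max:", over_limit(counts, NGROUPS_MAX_SOLARIS10))
```

On the server, pass the real output of getent passwd and getent group in place of the constructed strings. A user listed by over_limit with the kernel ceiling is the one who will be denied access to every share; one listed only against the 16-group AUTH_SYS limit is the one who will see odd permission failures over NFS.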