ps -eo user,pid,ppid,project,args
projects -l $(projects -d )
prctl $$
Solaris 11 PF firewall
The configuration file is kept in /etc/firewall/pf.conf
search sylvamo.com
nameserver 10.177.0.13
nameserver 10.176.0.4
ipadm create-ip vnic28
ipadm create-addr -T static -a local=10.181.20.87/24 vnic28/v4
route -p add default 10.181.20.1
> /etc/firewall/pf.conf
vi /etc/firewall/pf.conf
svcadm enable firewall
svcs -x firewall
# Default deny in both directions. PF evaluates rules top to bottom and, with
# no "quick" keyword, the LAST matching rule wins -- so the pass rules below
# override these two for the listed networks.
block out all
block in all
# Inbound: neither protocol nor port is specified, so these rules admit any
# traffic from the two networks to every listening service on this host.
pass in from 10.177.0.0/24 #----vdi
pass in from 10.181.20.0/24 #----- local colo
pass out to 10.181.20.0/24 #----- local colo
#----- all below are AD DC
# NOTE(review): 10.177.0.13 is listed twice (harmless, one line can go).
# No port restriction here either; if the DC traffic is known (DNS, Kerberos,
# LDAP, SMB), narrowing these to "proto ... port ..." limits outbound exposure.
pass out to 10.177.0.13
pass out to 10.140.164.157
pass out to 10.177.0.13
pass out to 10.176.0.5
pass out to 10.179.0.12
pass out to 10.140.168.137
pass out to 10.179.0.11
pass out to 10.140.12.73
pass out to 10.178.0.5
pass out to 10.177.0.14
pass out to 10.178.0.4
pass out to 10.21.34.11
pass out to 10.21.155.11
pass out to 10.20.90.10
pass out to 10.21.155.10
pass out to 10.176.0.4
pass out to 10.140.64.39
pass out to 10.140.76.71
pass out to 10.21.34.10
copy only directory structure
rsync -av -f"+ */" -f"- *" /local/dir/ root@someserver:/remote/dir/
Solaris 11 project definition
Projects are assigned per user; they are defined in /etc/user_attr and /etc/project.
/etc/project
DAA_ADM:220:DAA System Administrator:daaadm::process.max-sem-nsems=(priv,2048,deny);project.max-sem-ids=(priv,1024,deny);project.max-shm-ids=(priv,1024,deny);project.max-shm-memory=(priv,18446744073709551615,deny);process.max-file-descriptor=(basic,65536,deny);
/etc/user_attr
:daaadm::::project=DAA_ADM
automount to make homedirs in solaris
http://znogger.blogspot.com/2010/05/solaris-automatic-creation-of-home-dirs.html
add a line to /etc/auto_master
echo "/export/home/ad /etc/auto_homedir" >> /etc/auto_master
create the /etc/auto_homedir script
root@ueq2szsapapt01:~# cat /etc/auto_homedir
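#!/bin/bash
#
# Executable automount map for /export/home/ad (referenced from /etc/auto_master).
# automountd runs this with the map key -- the user name -- as $1 and reads one
# map entry from stdout; empty output is treated as "no such entry". The real
# directory is created on first use under PHYSICALDIRPATH and handed back as a
# loopback ("localhost:") entry.
#
# NOTE(review): /tmp/autohome.log is a fixed file name in a world-writable
# directory, written as root by automountd; a pre-created symlink there would
# redirect the write. Use a root-owned log directory, or drop the tee once the
# map is known to work.
#
(
HOMEDIRPATH=/export/home/ad       # mount point served by this map (informational)
PHYSICALDIRPATH=/export/home/.ad  # where the directories actually live
HOMEDIRGROUP=""                   # optional group for new directories; empty = owner only

user="$1"

# An empty key can never be a user; say "no entry" instead of probing getent.
if [ -z "$user" ]; then
  exit 0
fi

# Refuse names that passwd/winbind cannot resolve. The original test used "-e"
# instead of "-eq", which is not a numeric comparison, so unknown keys fell
# through and got a directory created for them anyway.
entry_count=$(getent passwd "$user" | wc -l)
if [ "$entry_count" -eq 0 ]; then
  exit 0
fi

# winbind separator is "/", so DOMAIN/user must become DOMAIN_user to be a
# single path component (matches the %D_%U template homedir in smb.conf).
sanitized="${user//\//_}"
phdir="$PHYSICALDIRPATH/$sanitized"

if [ -d "$phdir" ]; then
  printf '%s\n' "localhost:$phdir"
  exit 0
fi

# Only hand out the entry if the directory was actually created and owned;
# on failure print nothing so automountd reports no entry.
# NOTE(review): mkdir -p uses the process umask, so the new directory may be
# world-readable; add a chmod here if home directories must be private.
mkdir -p "$phdir" || exit 1
if [ -n "$HOMEDIRGROUP" ]; then
  chown "$user:$HOMEDIRGROUP" "$phdir" || exit 1
else
  chown "$user" "$phdir" || exit 1
fi
printf '%s\n' "localhost:$phdir"
exit 0
) | tee /tmp/autohome.log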
Set sticky bit and execute on the script
chmod +t+x /etc/auto_homedir
Restart the automounter
svcadm restart autofs
Create the base mountpoints
mkdir -p /export/home/ad
mkdir -p /export/home/.ad
clear group info for winbind user
root@ueq2szsapapt01:/var/samba/locks# net cache samlogon list
SID Name When cached
S-1-5-21-4076327854-156698110-1354154815-49906 SYLVAMO\RDIRCIO Wed May 25 2:20:29 PM 2022 CDT
root@ueq2szsapapt01:/var/samba/locks# net cache samlogon delete S-1-5-21-4076327854-156698110-1354154815-49906
Restrict pam_winbind user login in Solaris 11
- Create a /etc/security/pam_winbind.conf file with the following contents:
[global]
require_membership_of = [SID or NAME]
try_first_pass = yes
- Restart the winbind SMF service:
# svcadm restart winbind
[SID or NAME] is a comma-separated list of SIDs and/or AD users and/or AD groups.
Example: the AD user jack and the members of the AD group IT-ADMIN are allowed to log in.
[global]
require_membership_of = jack,IT-ADMIN
try_first_pass = yes
Solaris 11 AD join
Solaris Samba Server Configuration Steps
– Configure DNS Client
Configuration must include Windows AD Servers as DNS Servers and specify the AD Domain as the DNS Domain
/etc/resolv.conf
nameserver 10.x.x.x
search example.com
– Configure Kerberos
Create /etc/krb5.conf with the following contents:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
– Confirm system time is synchronized with AD Servers. NTP is recommended to keep system time accurate.
A difference of 3-5 minutes between the Samba and AD Servers will result in domain join failures.
# ntpdate ad.example.com
– Samba Server local hostname / nodename resolution must be a fully qualified hostname.
The /etc/hosts entry for the Samba Server needs to be a FQDN to avoid Domain join failures
/etc/hosts
10.x.x.x host.example.com host
# getent hosts host
10.x.x.x host.example.com host
If the nodename needs to be changed after the initial configuration, it can be modified with the commands:
# svccfg -s svc:/system/identity:node setprop config/nodename = host.example.com
# svcadm refresh svc:/system/identity:node
– Create the /etc/samba/smb.conf file.
[global]
realm = EXAMPLE.COM
workgroup = EXAMPLE
security = ADS
server string =Solaris Samba Server
kerberos method = system keytab
include system krb5 conf = no
# NOTE(review): 10 is the most verbose debug level; it is very noisy and can
# record sensitive detail in the logs -- lower it once the join is working.
loglevel = 10
# Winbind configuration:
# "/" separator gives DOMAIN/user names; the /etc/auto_homedir map replaces
# "/" with "_" so the key matches the %D_%U homedir template below.
winbind separator = /
# set enum=no , this increases performance considerably
winbind enum users = no
winbind enum groups = no
winbind expand groups = no
template homedir = /export/home/ad/%D_%U
template shell = /bin/bash
idmap config * : backend = autorid
idmap config * : range = 100000-4000000000
idmap config * : rangesize = 1000000
allow trusted domains = yes
winbind refresh tickets = yes
# all these are addons
#winbind use default domain = Yes
local master = No
preferred master = No
# NOTE(review): no "interfaces =" line accompanies this, so confirm it binds
# to the interfaces intended.
bind interfaces only = Yes
# NOTE(review): broadcast (bcast) is consulted before DNS (host); broadcast
# name answers are unauthenticated and can be spoofed on the local segment --
# consider putting "host" first.
name resolve order = bcast lmhosts host wins
dns proxy = no
unix extensions = no
domain master = no
socket options = TCP_NODELAY SO_KEEPALIVE
# NOTE(review): disables the netlogon secure channel to the DCs; confirm this
# is really required, as it weakens protection of DC communication.
client schannel = no
– Edit the /etc/nsswitch.conf to add winbind to the passwd: and group: entries if AD username and group resolution for files and directories is needed
Solaris 10
passwd: files winbind [ TRYAGAIN = 3 ]
group: files winbind [ TRYAGAIN = 3 ]
Solaris 11
# svccfg -s svc:/system/name-service/switch setprop config/default = astring: files
# svccfg -s svc:/system/name-service/switch setprop config/password = astring: "files winbind [ TRYAGAIN = 3 ]"
# svccfg -s svc:/system/name-service/switch setprop config/group = astring: "files winbind [ TRYAGAIN = 3 ]"
# svccfg -s svc:/system/name-service/switch setprop config/host = astring: "files dns mdns winbind"
# svccfg -s svc:/system/name-service/switch setprop config/printer = astring: "user files"
# svcadm refresh svc:/system/name-service/switch
The next steps are to enable the samba and winbind services and join the Samba Server to the Windows Domain.
To join the Domain, a system administrator will use a Windows Domain username that has administrator rights/privileges in the Windows AD Domain.
– Enable the Samba service
# svcadm enable samba
Confirm the samba service is online
# svcs samba
STATE STIME FMRI
online 15:06:22 svc:/network/samba:default
– Join the Samba server to the Domain as a User with Windows Domain Administrator rights
# net ads join -U <USER>
Enter <USER> password:
Using short domain name — <DOMAIN_NAME>
Joined '<HOST>' to realm '<DOMAIN_NAME>'
Enable the Winbind service
# svcadm enable winbind
– Wait 2-3 minutes for winbind Service to initialize
– Confirm that the samba and winbind services are online:
# svcs samba winbind
STATE STIME FMRI
online 15:06:22 svc:/network/samba:default
online 15:09:55 svc:/network/winbind:default
– Confirm that winbindd can be communicated with and return ADS usernames and groups with the commands:
wbinfo -p
wbinfo -u
wbinfo -g
– Confirm that the Solaris NSS functions (configured via the /etc/nsswitch.conf) can return Windows ADS user information
getent passwd | grep Windows_Domain_Username
For example:
# getent passwd | grep <USER>
<DOMAIN_NAME>+<USER>:*:<UID>:<GID>:<USER>:/<PATH>/<USER>:/bin/csh
Once completed a Windows Client system should be able to map a share from the Solaris Samba server and authenticate using the users Windows Domain/ADS username and password.
– If it is intended for ADS users to log in to the Solaris Samba server via ssh or telnet, a pam.conf file with winbind references should be moved into place.
Note: On Solaris 10 with Samba Patch 119757-20 SPARC / 119758-20 X86 or later installed, the pam.conf-winbind2 file provided as an attachment in Document 1413786.1 should be used in the following steps.
# cd /etc
# cp pam.conf pam.conf.bak
# cp pam.conf-winbind pam.conf
Note: In Solaris 11.1 and later the PAM configuration has been updated. To add the Winbind PAM module to the configuration, make the following modifications:
Edit the files located under /etc/pam.d/ and add the line for pam_winbind.so.1 as shown in each one of the following files.
# pwd
/etc/pam.d
# cat login
#
# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# console and tty login service
#
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
# NOTE(review): "sufficient" means a winbind success ends the auth stack here,
# so pam_unix_auth.so.1 and pam_unix_cred.so.1 below do not run for AD users;
# confirm that skipping pam_unix_cred.so.1 (credential setup) is intended. The
# "other" stack places winbind after pam_unix_cred.so.1 instead.
auth sufficient pam_winbind.so.1 try_first_pass
auth sufficient pam_unix_auth.so.1
auth required pam_unix_cred.so.1
# cat other
#
# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
# NOTE(review): pam_unix_auth.so.1 is "sufficient", so a local password
# success returns before pam_unix_cred.so.1 and the winbind line run; AD users
# reach the "required" winbind line only after pam_unix_auth.so.1 fails. This
# is the opposite ordering from the login stack (sufficient winbind first) --
# pick one model for both files.
auth sufficient pam_unix_auth.so.1
#auth sufficient pam_winbind.so.1 try_first_pass
auth required pam_unix_cred.so.1
auth required pam_winbind.so.1 try_first_pass
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
# pam_tsol_account(7) returns PAM_IGNORE if the system is not configured
# with Trusted Extensions (TX) enabled.
# pam_tsol_account(7) does need to run in the Trusted Path for ensuring remote
# hosts connecting to the global zone have a CIPSO host type.
#
account requisite pam_roles.so.1
account definitive pam_user_policy.so.1
# NOTE(review): each "sufficient" success ends the account stack, so
# pam_tsol_account.so.1 below only runs when neither module vouches for the user.
account sufficient pam_unix_account.so.1
account sufficient pam_winbind.so.1 try_first_pass
account required pam_tsol_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
session definitive pam_user_policy.so.1
session sufficient pam_unix_session.so.1
session sufficient pam_winbind.so.1 try_first_pass
session optional pam_fm_notify.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
password definitive pam_user_policy.so.1
# Password construction requirements apply to all users.
# Edit /usr/lib/security/pam_authtok_common and remove force_check
# to have the traditional authorized administrator bypass of construction
# requirements.
password include pam_authtok_common
password required pam_authtok_store.so.1
# cat sudo
#
# Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
#
# PAM configuration for sudo(8) (explicit because we exclude
# pam_unix_session(7)).
#
session required pam_allow.so.1
#
# sudo service account stack (explicit because of non-usage of pam_roles.so.1)
#
# NOTE(review): placed ahead of pam_user_policy.so.1 and pam_unix_account.so.1,
# a winbind success ends the account stack here, so per-user PAM policy and the
# local account checks are skipped for AD users running sudo; in the "other"
# stack winbind comes after both. Moving this line below pam_user_policy.so.1
# keeps policy enforcement consistent across services.
account sufficient pam_winbind.so.1 try_first_pass
account definitive pam_user_policy.so.1
account required pam_unix_account.so.1
AD Ldap stuff
Get root DSE
# ldapsearch -x -H ldap://192.168.5.24 -b "" -s base
Solaris 11 config default router
/etc/defaultrouter is deprecated; use the "-p" flag of route to make the default route persistent:
# route -p add default ip-address