{"id":1442,"date":"2022-05-25T04:26:43","date_gmt":"2022-05-25T04:26:43","guid":{"rendered":"\/blog\/?p=1442"},"modified":"2022-08-22T13:21:35","modified_gmt":"2022-08-22T13:21:35","slug":"solaris-11-ad-join","status":"publish","type":"post","link":"\/blog\/index.php\/solaris-11-ad-join\/","title":{"rendered":"Solaris 11 AD join"},"content":{"rendered":"\n

Solaris Samba Server Configuration Steps

– Configure DNS Client
Configuration must include Windows AD Servers as DNS Servers and specify the AD Domain as the DNS Domain

\/etc\/resolv.conf

nameserver 10.x.x.x
search example.com

– Configure Kerberos
Create \/etc\/krb5.conf

[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true<\/code>

– Confirm system time is synchronized with AD Servers. NTP is recommended to keep system time accurate.
Difference of 3-5 minutes between the Samba and AD Servers will result in Domain join failures

# ntpdate ad.example.com

– Samba Server local hostname \/ nodename resolution must be a fully qualified hostname.
The \/etc\/hosts entry for the Samba Server needs to be a FQDN to avoid Domain join failures

\/etc\/hosts

10.x.x.x      host.example.com    host

# getent hosts host
10.x.x.x      host.example.com    host

If modified after initial configuration boot up it can be modified with the command:

# svccfg -s svc:\/system\/identity:node setprop config\/nodename =  host.example.com
# svcadm refresh svc:\/system\/identity:node
 
– Create the \/etc\/samba\/smb.conf file.<\/p>\n\n\n\n

[global]\n\n       realm = EXAMPLE.COM\n       workgroup = EXAMPLE\n       security = ADS\n       server string =Solaris Samba Server\n       kerberos method = system keytab\n       include system krb5 conf = no\n       loglevel = 10\n\n      # Winbind configuration:\n\n       winbind separator = \/\n      # set enum=no , this increases performance considerably\n       winbind enum users = no\n       winbind enum groups = no\n       winbind expand groups = no\n\n       template homedir = \/export\/home\/ad\/%D_%U\n       template shell = \/bin\/bash\n\n       idmap config * : backend = autorid\n       idmap config * : range = 100000-4000000000\n       idmap config * : rangesize = 1000000\n\n       allow trusted domains = yes\n       winbind refresh tickets = yes\n\n     # all these are addons\n#winbind use default domain = Yes\nlocal master = No\npreferred master = No\nbind interfaces only = Yes\nname resolve order = bcast lmhosts host wins\ndns proxy = no\nunix extensions = no\ndomain master = no\nsocket options = TCP_NODELAY SO_KEEPALIVE\nclient schannel = no\n<\/code><\/pre>\n\n\n\n

<\/code>
 
– Edit the \/etc\/nsswitch.conf to add winbind to the passwd: and group: entries if AD username and group resolution for files and directories is needed

Solaris 10

passwd: files winbind [ TRYAGAIN = 3 ]
group: files winbind [ TRYAGAIN = 3 ]


Solaris 11

# svccfg -s svc:\/system\/name-service\/switch setprop config\/default = astring: files
# svccfg -s svc:\/system\/name-service\/switch setprop config\/password = astring: “files winbind [ TRYAGAIN = 3 ]”
# svccfg -s svc:\/system\/name-service\/switch setprop config\/group = astring: “files winbind [ TRYAGAIN = 3 ]”
# svccfg -s svc:\/system\/name-service\/switch setprop config\/host = astring: “files dns mdns winbind”
# svccfg -s svc:\/system\/name-service\/switch setprop config\/printer = astring: “user files”
# svcadm refresh svc:\/system\/name-service\/switch


The next steps are to enable the samba and winbind services and join the Samba Server to the Windows Domain,
To join the Domain a system administrator will use a Windows Domain username that had administrator rights, privileges in the Windows AD Domain.

– Enable the Samba service

# svcadm enable samba

Confirm the samba service is online

# svcs samba
STATE          STIME    FMRI
online         15:06:22 svc:\/network\/samba:default

– Join the Samba server to the Domain as a User with Windows Domain Administrator rights

# net ads join -U <USER>
Enter <USER> password:
Using short domain name — <DOMAIN_NAME>
Joined ‘<HOST>’ to realm ‘<DOMAIN_NAME>’

Enable the Winbind service

# svcadm enable winbind

– Wait 2-3 minutes for winbind Service to initialize

– Confirm that the samba and winbind services are online:

# svcs samba winbind
STATE          STIME    FMRI
online         15:06:22 svc:\/network\/samba:default
online         15:09:55 svc:\/network\/winbind:default

– Confirm that winbindd can be communicated with and return ADS usernames and groups with the commands:

wbinfo -p
wbinfo -u
wbinfo -g

– Confirm that the Solaris NSS functions (configured via the \/etc\/nsswitch.conf) can return  Windows ADS user information

getent passwd | grep Windows_Domain_Username

For example:
# getent passwd | grep <USER>
<DOMAIN_NAME>+<USER>:*:<UID>:<GID>:<USER>:\/<PATH>\/<USER>:\/bin\/csh

Once completed a Windows Client system should be able to map a share from the Solaris Samba server and authenticate using the users Windows Domain\/ADS username and password.<\/p>\n\n\n\n
– If it is intended for ADS users to login to the Solaris Samba server via ssh or telnet a pam.conf file with winbind references should be moved into place.Note: Solaris 10 with Samba Patch 119757-20 SPARC \/ 119758-20 X86 or later installed the pam.conf-winbind2 file provided as a attachment in Document 1413786.1<\/a> should be used in the following steps<\/p>\n\n\n\n
# cd \/etc<\/p>\n\n\n\n
# cp pam.conf pam.conf.bak<\/p>\n\n\n\n
# cp pam.conf-winbind pam.confNote: In Solaris 11.1 and later the PAM configuration has been updated. To add the Winbind PAM module to the configuration make the following modifications<\/p>\n\n\n\n
Edit the files located under \/etc\/pam.d\/ and add the line for pam_winbind.so.1 as shown in each one of the following files.


# pwd
\/etc\/pam.d

# cat login<\/p>\n\n\n\n
#\n# Copyright (c) 2012, 2020, Oracle and\/or its affiliates. All rights reserved.\n#\n# PAM configuration\n#\n# console and tty login service\n#\nauth definitive         pam_user_policy.so.1\nauth requisite          pam_authtok_get.so.1\nauth sufficient         pam_winbind.so.1 try_first_pass\nauth sufficient         pam_unix_auth.so.1\nauth required           pam_unix_cred.so.1\n<\/code><\/pre>\n\n\n\n
# cat other<\/p>\n\n\n\n
#\n# Copyright (c) 2012, 2020, Oracle and\/or its affiliates. All rights reserved.\n#\n# PAM configuration\n#\n# Default definitions for Authentication management\n# Used when service name is not explicitly mentioned for authentication\n#\nauth definitive         pam_user_policy.so.1\nauth requisite          pam_authtok_get.so.1\nauth sufficient         pam_unix_auth.so.1\n#auth sufficient         pam_winbind.so.1 try_first_pass\nauth required           pam_unix_cred.so.1\nauth required         pam_winbind.so.1 try_first_pass\n#\n# Default definition for Account management\n# Used when service name is not explicitly mentioned for account management\n# pam_tsol_account(7) returns PAM_IGNORE if the system is not configured\n# with Trusted Extensions (TX) enabled.\n# pam_tsol_account(7) does need to run in the Trusted Path for ensuring remote\n# hosts connecting to the global zone have a CIPSO host type.\n#\naccount requisite       pam_roles.so.1\naccount definitive      pam_user_policy.so.1\naccount sufficient      pam_unix_account.so.1\naccount sufficient      pam_winbind.so.1 try_first_pass\naccount required        pam_tsol_account.so.1\n#\n# Default definition for Session management\n# Used when service name is not explicitly mentioned for session management\n#\nsession definitive      pam_user_policy.so.1\nsession sufficient      pam_unix_session.so.1\nsession sufficient      pam_winbind.so.1 try_first_pass\nsession optional        pam_fm_notify.so.1\n#\n# Default definition for Password management\n# Used when service name is not explicitly mentioned for password management\n#\npassword definitive     pam_user_policy.so.1\n# Password construction requirements apply to all users.\n# Edit \/usr\/lib\/security\/pam_authtok_common and remove force_check\n# to have the traditional authorized administrator bypass of construction\n# requirements.\npassword include        pam_authtok_common\npassword required       pam_authtok_store.so.1\n<\/code><\/pre>\n\n\n\n


# cat sudo<\/p>\n\n\n\n
#\n# Copyright (c) 2016, 2019, Oracle and\/or its affiliates. All rights reserved.\n#\n# PAM configuration for sudo(8) (explicit because we exclude\n# pam_unix_session(7)).\n#\nsession required        pam_allow.so.1\n#\n# sudo service account stack (explicit because of non-usage of pam_roles.so.1)\n#\naccount sufficient      pam_winbind.so.1        try_first_pass\naccount definitive      pam_user_policy.so.1\naccount required        pam_unix_account.so.1\n<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Solaris Samba Server Configuration Steps – Configure DNS ClientConfiguration must include Windows AD Servers as DNS Servers and specify the AD Domain as the DNS Domain \/etc\/resolv.conf nameserver 10.x.x.xsearch example.com – Configure KerberosCreate \/etc\/krb5.conf [libdefaults]    default_realm = EXAMPLE.COM    dns_lookup_realm = false    dns_lookup_kdc = true – Confirm system time is synchronized with AD Servers. NTP is […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1442","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=1442"}],"version-history":[{"count":15,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1442\/revisions"}],"predecessor-version":[{"id":1513,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/posts\/1442\/revisions\/1513"}],"wp:attachment":[{"href":"\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=1442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=1442"},{"taxonomy":"post_tag","embeddable":true,"href":"\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=1442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}