How To Install Sun Explorer In Solaris 11 Express
The following is a step-by-step summary of how to set up Solaris 11 as an Active Directory-integrated file server using Samba and ZFS. Most of this configuration comes from a tested configuration on Solaris 10 and on Linux, but the release of Solaris 11 and some changes in ZFS meant my previous instructions needed updating. The configuration has so far only been built and tested in a virtualized environment; although I try to test as rigorously as possible, please test before putting it into production.

Raise the kernel group limit. As of Solaris 10 8/11 and Solaris 11, the kernel allows a user to be a member of up to 1024 groups, but the default maximum is still 16. If you do not raise it, a user who belongs to more than 16 groups will be denied access to all share points.
Nesting groups does not reduce this number, since the system still sees the user as a member of every nested group. CAUTION: raising the limit creates NFS server incompatibilities, because NFS clients authenticating with AUTH_SYS only send the first 16 groups. Edit /etc/system and add the following line, making sure there are no spaces around the = sign and that everything is spelled correctly:

    set ngroups_max=1024

Note: if you make a mistake and your system fails to boot, boot interactively and point to /dev/null when asked for the location of your /etc/system file.

Set up NTP to stay in sync with your domain controllers; Kerberos tolerates only a few minutes of clock skew by default, so this matters for the domain join later. Create the ntp configuration file from the sample client file:

    cd /etc/inet
    cp ntp.client ntp.conf

Edit the file, commenting out the multicast option and giving the server directive the hostname of your DC:

    # ident "@(#)ntp.client 1.3 00/07/17 SMI"
    #
    # /etc/inet/ntp.client
    #
    # An example file that could be copied over to /etc/inet/ntp.conf; it
    # provides a configuration for a host that passively waits for a server
    # to provide NTP packets on the ntp multicast net.
    #
    server
    #multicastclient 224.0.1.1

Start the NTP service:

    svcadm enable network/ntp

Update your hosts file with mappings for all domain controllers as well as the server itself:

    vi /etc/inet/hosts

Set up host and alias entries for both of your DCs and for your system. The DC entries are not strictly necessary as long as DNS is set up properly, but I always add them just in case.

    #
    # Internet host table
    #
    ::1 fs0 localhost
    127.0.0.1 fs0 localhost loghost
    192.168.5.50 fs0 fs0.domain.local
    # Network Domain Controllers
    192.168.5.10 dc0 dc0.domain.local
    192.168.5.11 dc1 dc1.domain.local
    192.168.6.10 child-dc0 child-dc0.child.domain.local

Make sure /etc/resolv.conf contains nameserver entries for each of your Active Directory DNS servers, as well as domain and search fields. In Solaris 11 this file is generated by SMF; to change it, use svccfg -s dns/client to adjust the name server settings rather than editing the file directly.
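Two checks for the group-limit step above, added here as an example and not part of the original article. The first validates an /etc/system line the way the text describes: exact spelling, no whitespace around the equals sign, and a value no higher than the 1024 the kernel accepts. The second reads getent group output and lists the users over a given limit, which is how you find the accounts that will be denied access under the default of 16 before users report it. The group lines are constructed sample data, not from a real domain.

```shell
#!/bin/sh
# Added example, not part of the original article: two offline checks for the
# ngroups_max step. The sample data below is constructed for illustration.

# Validate one /etc/system line: it must read exactly "set ngroups_max=N" with
# no whitespace around "=", and N must be a number no larger than the 1024
# ceiling the article quotes for Solaris 10 8/11 and Solaris 11.
check_ngroups_line() {
    line=$1
    case "$line" in
        "set ngroups_max="*) ;;
        *) echo "bad: $line (expected set ngroups_max=N, no spaces)"; return 1 ;;
    esac
    value=${line#"set ngroups_max="}
    case "$value" in
        '' | *[!0-9]*) echo "bad: $line (value is not a number)"; return 1 ;;
    esac
    if [ "$value" -gt 1024 ]; then
        echo "bad: $line (kernel ceiling is 1024)"; return 1
    fi
    echo "ok: $line"
}

# Report users whose group count exceeds a limit, reading "getent group"
# style lines (name:passwd:gid:member,member) on stdin. Only the member
# column is counted; the primary group from passwd is not.
over_group_limit() {
    limit=$1
    awk -F: -v limit="$limit" '
        NF >= 4 && $4 != "" {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) count[members[i]]++
        }
        END {
            for (user in count)
                if (count[user] > limit) printf "%s %d\n", user, count[user]
        }' | sort
}

# Constructed sample in getent group format: jdoe is in 17 groups, asmith in 3.
sample_groups() {
    i=1
    while [ "$i" -le 16 ]; do
        printf 'corporate-dept%d-rw:x:%d:jdoe\n' "$i" $((10000 + i))
        i=$((i + 1))
    done
    printf 'domain users:x:10100:asmith,jdoe\n'
    printf 'corporate-sales-rw:x:10101:asmith\n'
    printf 'corporate-accounting-ro:x:10102:asmith\n'
}

# Demonstration: one good line, one with the spacing mistake the article warns about,
# then the users that would be locked out at the default limit and at the raised one.
check_ngroups_line 'set ngroups_max=1024'
check_ngroups_line 'set ngroups_max = 1024' || true
echo "over the default limit of 16:"
sample_groups | over_group_limit 16
echo "over the raised limit of 1024:"
sample_groups | over_group_limit 1024
```

On a live server, feed `getent group | over_group_limit 16` after winbind is enabled to see who is affected before the kernel tunable is in place.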
    domain domain.local
    search domain.local
    nameserver 192.168.5.10
    nameserver 192.168.5.11

Setup Kerberos.

Here we are going to enable the use of winbind through PAM. This gives us the ability to use Active Directory users and groups when assigning permissions on files and directories. The same mechanism can serve other PAM-aware applications, such as Apache web sites (but that is another discussion).

Enable winbind in pam.conf by swapping in the winbind version shipped with the Samba package, keeping a copy of the original:

    cp /etc/pam.conf /etc/pam.conf-OLD
    cp /etc/pam.conf-winbind /etc/pam.conf

Enable winbind in nsswitch.conf to set the lookup order for users and groups: the system will consult the local files first, then winbind. In Solaris 11 the switch is managed by SMF:

    # svccfg -s name-service/switch
    setprop config/password = 'files winbind'
    setprop config/group = 'files winbind'
    exit
    # svcadm refresh name-service/switch

Confirm the entries were adjusted:

    cat /etc/nsswitch.conf

You should see the following in the passwd and group lines:

    passwd: files winbind
    group:  files winbind

Testing the configuration and starting services. Before starting anything, reboot so the kernel parameter set in /etc/system at the beginning takes effect (I use a reconfiguration reboot):

    touch /reconfigure
    init 6

Before starting winbind, run a test so you can see what the nsswitch and PAM changes did:

    getent passwd
    getent group

You should see ONLY the users and groups in your Solaris /etc/passwd and /etc/group files. Now enable the services and run the commands again:

    svcadm enable winbind
    svcadm enable samba
    getent passwd
    getent group

If everything worked you should see all of your local users and groups plus all the users and groups from Active Directory. Winbind downloads this list from Active Directory and maintains a local cache in tdb files under /var/samba/locks.

Setup ZFS Storage For Samba Shares.
Corporate-department-all – Access to ALL department folders (used for VPs and privileged users).

I use the naming strategy shown above to help keep my groups organized. Notice that corporate is the share name and department is the departmental folder name. This makes it easy to associate shares, folders and sub-folders with groups. You do not need to set up your groups this way, but the example helps the ACLs make sense.

Before we get started we need to create our ZFS file system. You may have noticed that I am creating the pool at /export. A default Solaris 11 install already has rpool/export (and rpool/export/home) mounted there, so you will need to back up any existing files and directories, destroy or remount those datasets, and create the new pool with the -f option; alternatively, create the pool elsewhere and adjust the paths in this example. The following zpool shows a smaller system with only six disks; your configuration will probably differ.

    zpool create export raidz2 c0t0d0 c1t0d0 c4t0d0 c6t0d0 c7t0d0 c0t1d0

Now that the pool is created, create the top-level shared folders as separate datasets:

    zfs create export/Corporate
    zfs create export/Corporate/Users
    zfs create export/Corporate/Users/jdoe
    zfs create export/Corporate/Sales
    zfs create export/Corporate/Accounting

Set the ZFS ACL properties to control how ACLs are inherited and how chmod interacts with them:

    zfs set aclmode=passthrough export/Corporate
    zfs set aclinherit=passthrough export/Corporate

Now we are ready to lay down the ACLs on the Corporate folder. Reading the ACL below: first any existing non-trivial entries are removed (important when testing ACLs), then trivial rwx permissions are set for owner and group and marked to inherit, then Domain Users is added with permission to read the directory and list its contents. I always set up the root directories so users cannot add or remove files; that way administrators maintain organization by creating new departmental shares. The Domain Users group name contains a space, so quote that argument:

    chmod A- /export/Corporate
    chmod 770 /export/Corporate
    chmod A0=owner@:rwxpdDaARWc-:fd-n-:allow /export/Corporate
    chmod A1=group@:rwxpdDaARWc-:fd-n-:allow /export/Corporate
    chmod A2=everyone@::fdi-:allow /export/Corporate
    chmod "A+group:domain+domain users:rxcaR:fdn:allow" /export/Corporate

Here we define the permissions on the Sales and Accounting folders. In this example I define the same permissions and inheritance for owner and group, giving each rwx while granting everyone@ nothing. Then I give Domain Admins the ability to manage ACLs and the departmental groups rwx access to the directories and files created within them. Because I am wiping the permissions, I also re-apply the inherited Domain Users entry on the folder. You should be able to manage the ACLs through Windows, but I have never had much luck with it. Windows expects the entries in canonical order (explicit entries before inherited ones, and deny entries before allow entries within each of those), so an ACL written in a different order produces all kinds of errors in the Windows permissions dialog.
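The compact ACE notation above is easy to misread, so here is a small decoder, added as an example and not taken from the article. It splits an entry into who, permissions, inheritance flags and type, expands the letters to the long names chmod(1) documents, and flags the cases a reviewer would question. Run against the article's four Corporate entries it shows that owner@ and group@ carry no_propagate (the n in fd-n-), so their inheritance stops at the first level of subdirectories, and that the everyone@ entry grants nothing and is inherit-only. The sample entries are the article's own; the function names and the findings it reports are this example's.

```shell
#!/bin/sh
# Added example, not part of the original article: decode a ZFS ACE written in
# the compact notation the article uses (who:perms:inheritance:type) into the
# long names from chmod(1), and flag entries worth a second look before a share
# goes live. The letter tables are the standard ZFS ACL ones; the sample ACEs
# at the bottom are the article's Corporate entries, reused for illustration.

perm_name() {
    case "$1" in
        r) echo read_data ;;        w) echo write_data ;;
        x) echo execute ;;          p) echo append_data ;;
        d) echo delete ;;           D) echo delete_child ;;
        a) echo read_attributes ;;  A) echo write_attributes ;;
        R) echo read_xattr ;;       W) echo write_xattr ;;
        c) echo read_acl ;;         C) echo write_acl ;;
        o) echo write_owner ;;      s) echo synchronize ;;
    esac
}

flag_name() {
    case "$1" in
        f) echo file_inherit ;;  d) echo dir_inherit ;;
        i) echo inherit_only ;;  n) echo no_propagate ;;
        I) echo inherited ;;
    esac
}

# Expand a compact letter string through a name table; "-" is a placeholder
# and is skipped. An unknown letter is an error, which catches typos such as
# "c" (read_acl) where "C" (write_acl) was intended.
expand_letters() {
    letters=$1; table=$2; out=
    for ch in $(printf '%s\n' "$letters" | fold -w 1); do
        if [ "$ch" = '-' ]; then continue; fi
        name=$($table "$ch")
        if [ -z "$name" ]; then
            echo "unknown letter '$ch' in '$letters'" >&2
            return 1
        fi
        out=${out:+$out,}$name
    done
    printf '%s\n' "$out"
}

# Split an ACE into the globals who / perms / inh / type. The who field is
# owner@, group@, everyone@, or user:NAME / group:NAME, where NAME may contain
# spaces (as "domain+domain users" does) but no colon. Inheritance may be absent.
decode_ace() {
    rest=$1
    type=${rest##*:}; rest=${rest%:*}
    case "$rest" in
        user:*|group:*)
            who=${rest%%:*}; rest=${rest#*:}
            who="$who:${rest%%:*}"; rest=${rest#*:} ;;
        *)
            who=${rest%%:*}; rest=${rest#*:} ;;
    esac
    case "$rest" in
        *:*) perms=${rest%%:*}; inh=${rest#*:} ;;
        *)   perms=$rest; inh= ;;
    esac
}

# One line per finding; empty output means nothing flagged. Findings: an allow
# entry granting no permissions (a placeholder), inherit_only (the entry does
# not apply to this directory itself), no_propagate (children inherit it,
# grandchildren do not).
ace_findings() {
    decode_ace "$1"
    p=$(expand_letters "$perms" perm_name) || return 1
    f=$(expand_letters "$inh" flag_name) || return 1
    if [ "$type" = allow ] && [ -z "$p" ]; then
        echo "$who: allow entry with no permissions"
    fi
    case ",$f," in *,inherit_only,*) echo "$who: inherit_only, not applied to the directory itself" ;; esac
    case ",$f," in *,no_propagate,*) echo "$who: no_propagate, inheritance stops one level down" ;; esac
}

show_ace() {
    decode_ace "$1"
    printf '%s\n  perms:   %s\n  inherit: %s\n  type:    %s\n' "$who" \
        "$(expand_letters "$perms" perm_name)" "$(expand_letters "$inh" flag_name)" "$type"
    ace_findings "$1" | sed 's/^/  ! /'
}

# The article's Corporate ACL, reused as sample input.
for ace in \
    'owner@:rwxpdDaARWc-:fd-n-:allow' \
    'group@:rwxpdDaARWc-:fd-n-:allow' \
    'everyone@::fdi-:allow' \
    'group:domain+domain users:rxcaR:fdn:allow'
do
    show_ace "$ace"
done
```

If the no_propagate findings are not what you intend for a tree of departmental subfolders, drop the n from the inheritance field and re-check the output of ls -V after re-applying the ACL.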
One thing I can do for you, if you like, is send you some find/replace scripts that I use when I need to re-write permissions on a ZFS file system. I will probably put them up here soon as they are pretty useful, but if you want them sooner just send me your email through the site.
Andrew

"Guru! I have 2 questions: Is there any interface to manage the new ZFS ACLs? As I know the new ACLs are Windows compatible: this means that Windows users will be able to set permissions from the Security tab? Setting permissions from Windows with POSIX ACLs and Samba can be hell sometimes."

Thanks for the reply. It is still not working for me :-). But I noticed I am using different packages than you are.

I use the smb service instead of the samba service. I had this from the Oracle docs. My config file is quite similar to yours. Is it normal that the realm in your smb.conf.master is in lower case? I am working with an aggregated interface, so I had to add aggr. to interfaces (otherwise I got an error that it couldn't bind to the interface). I also removed the winbind separator line since I want to use the default.

Because we need group support, I will probably try with the smb package later on. The strange thing is that everything seems to work: smb - with local accounts I can connect. Winbind - getent works as expected, and I can log on using SSH with a domain account. Kerberos - I can get tickets for domain users using kinit. Only when I want to authenticate with a domain user to the share does it go wrong.

Now it states "The specified network password is not correct", but the same password works for SSH (using the same account, of course).