Solaris 11: Join AD Domain for Samba

Configure Kerberos

Make a backup of our original, just in case.

# cp /etc/krb5/krb5.conf /etc/krb5/krb5.original.conf

These sections already exist in the file so you will want to replace them with the correct values for your environment.

# vi /etc/krb5/krb5.conf

[libdefaults]
default_realm = ALLANGLESIT.COM

[realms]
ALLANGLESIT.COM = {
kdc = dc.allanglesit.com
admin_server = dc.allanglesit.com
kpasswd_server = dc.allanglesit.com
kpasswd_protocol = SET_CHANGE
}

[domain_realm]
.allanglesit.com = ALLANGLESIT.COM

Restart the SMB service, or start it if it isn’t running.

# svcadm disable smb/server; svcadm enable -r smb/server
svcadm: svc:/milestone/network depends on svc:/network/physical, which has multiple instances.

Check Name Resolution Configuration

Your domain and name servers should be configured here.

# cat /etc/resolv.conf
domain  allanglesit.com
nameserver  192.168.100.51
nameserver  192.168.100.52

Make sure that dns appears on both of these lines. If it does not, Solaris will not even try DNS for name resolution.

# cat /etc/nsswitch.conf
.
.
hosts:      files dns
ipnodes:    files dns
.
.

Ensure Proper Time Configuration

You will need to make sure that you have consistent time across the domain for authentication to work.  In this case you can run ntpdate against your NTP server, which should be either your domain controller or an NTP source that your domain controller syncs to.

# ntpdate timeserver.allanglesit.com
24 Mar 11:12:52 ntpdate[1444]: adjust time server 192.168.100.2 offset -0.000204 sec
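
Before attempting the join, the file edits from the sections above can be verified in one pass. The script below is an added example, not part of the original post; the function names and the AWK override are assumptions of the example, and it does not check clock skew.

```shell
#!/bin/sh
# Added example (not from the original post): static checks on the three
# files edited above. Paths are arguments so copies can be checked too.
# Assumption: an awk with POSIX syntax; override with AWK=nawk if needed.
AWK=${AWK:-awk}

# krb5_realm_defined FILE: 0 if default_realm has a [realms] stanza with the
# exact same spelling (realm names are case-sensitive) that lists a kdc.
krb5_realm_defined() {
    $AWK '
        { sub(/^[ \t]*[#;].*/, ""); gsub(/=/, " = ") }
        /^[ \t]*\[/ { sect = $1; next }
        sect == "[libdefaults]" && $1 == "default_realm" { realm = $3 }
        sect == "[realms]" && $3 == "{" { cur = $1 }
        sect == "[realms]" && $1 == "kdc" && $3 != "" { kdc[cur] = 1 }
        END { exit !(realm != "" && (realm in kdc)) }' "$1"
}

# resolv_has_nameserver FILE: 0 if at least one nameserver is configured.
resolv_has_nameserver() {
    $AWK '$1 == "nameserver" && $2 != "" { n++ } END { exit !n }' "$1"
}

# nss_has_dns FILE DB: 0 if the DB entry (hosts, ipnodes) lists dns.
nss_has_dns() {
    $AWK -v db="$2:" '
        { sub(/#.*/, "") }
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "dns") found = 1 }
        END { exit !found }' "$1"
}

# prejoin_check KRB5_CONF RESOLV_CONF NSSWITCH_CONF: report every failure.
prejoin_check() {
    rc=0
    krb5_realm_defined "$1" ||
        { echo "FAIL: $1: default_realm has no matching [realms] stanza with a kdc"; rc=1; }
    resolv_has_nameserver "$2" || { echo "FAIL: $2: no nameserver entry"; rc=1; }
    for db in hosts ipnodes; do
        nss_has_dns "$3" "$db" || { echo "FAIL: $3: $db does not list dns"; rc=1; }
    done
    return $rc
}

# Run against real files only when three paths are given, for example:
#   sh prejoin.sh /etc/krb5/krb5.conf /etc/resolv.conf /etc/nsswitch.conf
if [ "$#" -eq 3 ]; then prejoin_check "$@"; fi
```
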

Join the Domain

# smbadm join -u administrator allanglesit.com
After joining allanglesit.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining allanglesit.com ... this may take a minute ...
failed to join allanglesit.com: UNSUCCESSFUL
Please refer to the system log for more information.

I had problems joining the domain at first. I ended up commenting out this line in the file (which I had put in to get Samba working as part of a workgroup with the local accounts).

# cat /etc/pam.conf
other password required pam_smb_passwd.so.1 nowarn
# smbadm join -u administrator allanglesit.com
After joining allanglesit.com the smb service will be restarted automatically.
Would you like to continue? [no]: yes
Enter domain password:
Joining allanglesit.com ... this may take a minute ...
Successfully joined allanglesit.com

So you should now have a successfully joined Active Directory samba system.  We will go into much more detail on what needs to be done to make this a practical file sharing platform in an AD environment.

One thought on “Solaris 11: Join AD Domain for Samba”

  1. Mike

    Your entry about nsswitch.conf just enabled DNS on my S11 box. I spent non-trivial time searching for that answer. Thanks!