Hi,
I am trying to make use of the internal cifs shares in Solaris 11.1 but I am running into road blocks - can anyone shed light on this for me?
I won't bore you with my first and abortive attempt at configuring auth with native Kerberos and will simply say that I have decided to go with the third-party product PBIS Open for the authentication.
Setup is a breeze and I can see the shares from elsewhere, but for the life of me I cannot mount the shares. For the record, the setup that was most successful went in this order:
SAMBA
pkg install service/file-system/smb
zpool create xpool /var/tmp/xpool
zfs set sharesmb=on xpool
zfs create -o nbmand=on xpool/fs1
zfs get -r share xpool
svcadm enable -r smb/server
smbadm show-shares host
smbadm enable-user AD.DOMAIN\\user
WORKAROUND to point to a working test DC:
echo "xx.xx.xx.xx AD.DOMAIN" >> /etc/hosts
smbadm join -u user AD.Domain
PBIS:
cd /var/tmp/pbis-open-7.5.3.1536.solaris.sparcv9.pkg/
./install.sh
svccfg -s system/name-service/switch
setprop config/password = astring: "files lsass"
setprop config/group = astring: "files lsass"
setprop config/host = astring: "files dns mdns4_minimal [NOTFOUND=return] mdns4"
svcadm refresh name-service/switch
domainjoin-cli join AD.DOMAIN user
After which I can ssh into the host as an AD user, but I can't mount (I get permission denied).
/var/adm/messages shows:
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 702911 daemon.notice] smbd_dc_monitor: domain service not responding
and the DC logs show:
Log Name: System
Source: Microsoft-Windows-Security-Kerberos
Date: 22/01/2014 3:46:54 PM
Event ID: 3
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: ADDC.fqdn
Description:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 5:46:54.0000 1/22/2014 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: AD.DOMAIN
Server Name: ADDC$@AD.DOMAIN
Target Name: ADDC$@AD.DOMAIN@AD.DOMAIN
Error Text:
File: 9
Line: f09
Error Data is in record data.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
<EventID Qualifiers="32768">3</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2014-01-22T05:46:54.000000000Z" />
<EventRecordID>476941</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>System</Channel>
<Computer>ADDC.fqdn</Computer>
<Security />
</System>
<EventData>
<Data Name="LogonSession">
</Data>
<Data Name="ClientTime">
</Data>
<Data Name="ServerTime">5:46:54.0000 1/22/2014 Z</Data>
<Data Name="ErrorCode">0xd</Data>
<Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
<Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>
<Data Name="ClientRealm">
</Data>
<Data Name="ClientName">
</Data>
<Data Name="ServerRealm">STAFF-TEST.AD.GRIFFITH.EDU.AU</Data>
<Data Name="ServerName">ADDC$@AD.DOMAIN</Data>
<Data Name="TargetName">ADDC$@AD.DOMAIN@AD.DOMAIN</Data>
<Data Name="ErrorText">
</Data>
<Data Name="File">9</Data>
<Data Name="Line">f09</Data>
<Binary>3015A103020103A20E040CBB0000C00000000003000000</Binary>
</EventData>
</Event>
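The two logs in the post come from opposite ends of the same failed exchange: the Solaris smbd reports that its RPC binds to the DC's srvsvc and lsarpc pipes fail authentication, and the DC reports KDC_ERR_BADOPTION with an extended NTSTATUS in the event's Binary field. The helper below is an added example, not code from the post or from Oracle or PBIS; it correlates the two sources the way a responder would when triaging a domain-join problem. It parses the event XML, decodes the Binary blob as a KERB-ERROR-DATA structure (the ASN.1 layout from MS-KILE, which this example assumes: data-type [1] INTEGER, data-value [2] OCTET STRING; for data-type 3 the value is a KERB-EXT-ERROR of three little-endian 32-bit fields, status, reserved and flags), checks that the decoded status agrees with the event's ExtendedError text, and counts the failing pipes in the smbd log. The sample event and log lines are constructed from the post above and trimmed to the fields used.

```python
import json
import re
import struct
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample data: the DC event and smbd lines from the post, trimmed.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Kerberos" />
<EventID Qualifiers="32768">3</EventID>
<Computer>ADDC.fqdn</Computer>
</System>
<EventData>
<Data Name="ErrorCode">0xd</Data>
<Data Name="ErrorMessage">KDC_ERR_BADOPTION</Data>
<Data Name="ExtendedError">0xc00000bb KLIN(0)</Data>
<Data Name="ClientName">
</Data>
<Data Name="ServerName">ADDC$@AD.DOMAIN</Data>
<Data Name="TargetName">ADDC$@AD.DOMAIN@AD.DOMAIN</Data>
<Binary>3015A103020103A20E040CBB0000C00000000003000000</Binary>
</EventData>
</Event>"""

SMBD_LOG = r"""Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\srvsvc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 649633 daemon.notice] ndr_rpc_bind[tid=8]: \\ADDC.fqdn\PIPE\lsarpc: smb/client authentication failed (114)
Jan 22 15:52:14 host smbd[1635]: [ID 702911 daemon.notice] smbd_dc_monitor: domain service not responding"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Matches the Solaris smbd line for a failed RPC bind to a named pipe on the DC.
BIND_FAIL = re.compile(
    r"ndr_rpc_bind\[tid=\d+\]: \\\\(?P<dc>[^\\]+)\\PIPE\\(?P<pipe>\w+): "
    r"smb/client authentication failed \((?P<code>\d+)\)")


def parse_kerberos_event(xml_text):
    """Flatten EventData/Data elements into a dict keyed by their Name attribute."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS).strip()
    fields["Binary"] = root.findtext("e:EventData/e:Binary", default="", namespaces=NS).strip()
    return fields


def _tlv(buf, pos):
    """Read one DER TLV with a short-form length (KERB-ERROR-DATA is far below 128 bytes)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in KERB-ERROR-DATA")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def decode_kerb_error_data(hex_blob):
    """Decode the event's Binary field as an MS-KILE KERB-ERROR-DATA (assumed layout).

    SEQUENCE { data-type [1] INTEGER, data-value [2] OCTET STRING }; when data-type
    is 3 (KERB_ERR_TYPE_EXTENDED) the value holds status, reserved, flags as LE uint32.
    """
    buf = bytes.fromhex(hex_blob)
    tag, body, _ = _tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("expected an outer SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        ctx_tag, inner, pos = _tlv(body, pos)
        _, value, _ = _tlv(inner, 0)  # unwrap the [n] context-specific tag
        if ctx_tag == 0xA1:
            out["data_type"] = int.from_bytes(value, "big", signed=True)
        elif ctx_tag == 0xA2:
            out["data_value"] = value
    if out.get("data_type") == 3 and len(out.get("data_value", b"")) == 12:
        out["status"], out["reserved"], out["flags"] = struct.unpack("<III", out["data_value"])
    return out


def summarize_smbd(log_text):
    """Count failed binds per (DC, pipe, error code) and flag the DC-monitor message."""
    failures = Counter()
    dc_unreachable = False
    for line in log_text.splitlines():
        m = BIND_FAIL.search(line)
        if m:
            failures[(m["dc"], m["pipe"], int(m["code"]))] += 1
        elif "smbd_dc_monitor: domain service not responding" in line:
            dc_unreachable = True
    return failures, dc_unreachable


def triage(xml_text, log_text):
    """Correlate both sources into one summary; the decoded DER must agree with the text field."""
    ev = parse_kerberos_event(xml_text)
    ext = decode_kerb_error_data(ev["Binary"])
    failures, dc_unreachable = summarize_smbd(log_text)
    status_hex = f"0x{ext['status']:08x}"
    return {
        "kdc_error": ev["ErrorMessage"],
        "target": ev["TargetName"],
        "ntstatus": status_hex,
        "binary_matches_text": ev["ExtendedError"].lower().startswith(status_hex),
        "client_named": bool(ev.get("ClientName")),  # empty in the post: no client principal
        "pipes_failing": sorted({pipe for (_, pipe, _) in failures}),
        "bind_failures": sum(failures.values()),
        "dc_unreachable": dc_unreachable,
    }


if __name__ == "__main__":
    print(json.dumps(triage(EVENT_XML, SMBD_LOG), indent=2))
```

On the post's data the decoder yields status 0xc00000bb (the NTSTATUS STATUS_NOT_SUPPORTED) with flags 3, which matches the ExtendedError text the DC rendered, and the smbd side shows two failed binds each to srvsvc and lsarpc before the DC monitor gives up. Keeping the DER decode separate from the text field is deliberate: the text is the KDC's own rendering, so a mismatch between the two would point at a mangled or mis-copied event rather than at the join itself.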