Description
Currently, the Kerberos TGT and the LDAP/DNS service tickets used for share publishing and dynamic DNS update are acquired for the Administrator account. This will be changed to the host principal (host/<fqdn>@REALM), i.e. the machine's own identity.
Currently, the SMB redirector establishes the authenticated IPC channel to the domain controller with the domain administrator credential. This will be modified to use the SNAS workstation trust (computer) account.
Please note the following setup requirements (Part A) and behavioral changes (Part B) introduced by the fix for this CR:
Part A) Setup Requirements (Before you bfu your system)
==========================================================
1) If you've been using dynamic DNS update, please remove the A and PTR records of your Solaris host from the "Forward Lookup Zone" and "Reverse Lookup Zone" of your DNS server, respectively. Records registered under the Administrator credential are owned by that account, so the host principal would be refused when it tries to update them.
2) Please remove shares that have previously been published to the AD to avoid unnecessary permission issues. If your system is already in domain mode, you must edit the ACL of every in-use share container to grant your Solaris host (its computer account) sufficient rights to create and delete volume objects.
For example, a share named 'zv1' is set to be published to the organizational unit "test" of the AD. The ACLs of the "test" OU must be modified via the "Active Directory Users and Computers" GUI.
-bash-3.00# sharemgr show -vp
default nfs=()
smb smb=()
zgroup1 smb=() nfs=()
    /zpool1/zvol1
        zv1=/zpool1/zvol1 smb=(ad-container="ou=test")
The same applies to autohome share containers. Alternatively, publish shares below your host's own DN (i.e. the default container) to avoid changing any ACL.
e.g) sharemgr set -P smb -p ad-container="cn=pb-49,cn=Computers" -r myshare mygrp <---- pb-49 is the Solaris hostname
You can also set the ad-container field of the group. All the shares that belong to that group will inherit that setting.
e.g) sharemgr set -P smb -p ad-container="cn=pb-49,cn=Computers" mygrp
3) The AD join operation no longer sets the config/mapping_domain and config/global_catalog properties for the IDMAP daemon.
config/mapping_domain - is now obsolete. AD join will only set config/domain_name upon success.
config/global_catalog - will be discovered by IDMAP daemon on refresh (triggered by the AD join operation).
If you are doing a fresh install, please ignore the following instructions.
If you are upgrading to CIFS build 25/ONNV build 79 from CIFS build 24/ONNV build 77/78, please remove those properties and refresh IDMAP daemon before performing any of your tests.
svccfg -s idmap
> delprop config/mapping_domain
> delprop config/global_catalog
svcadm refresh idmap
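As an added example (not part of this CR or of the CIFS project's code), the following POSIX shell script automates the upgrade-prep step in item 3: it parses the output of `svccfg -s idmap listprop config`, reports which of the two obsolete properties are still present, and prints (or, with APPLY=1, runs) the svccfg/svcadm commands to remove them, so the step is idempotent and can be reviewed before it is applied. The listprop sample embedded in the script is constructed for the demo; the property names and commands are the ones given above.

```shell
#!/bin/sh
# Added example: idempotent cleanup of the idmap properties that the AD
# join no longer maintains (Part A, item 3). Not part of the CR; the
# sample below is constructed to match the shape of
# "svccfg -s idmap listprop config" output (name, type, value).

OBSOLETE_PROPS="config/mapping_domain config/global_catalog"

# Constructed sample of a pre-upgrade (CIFS build 24) configuration.
SAMPLE_LISTPROP='config                  application
config/domain_name      astring  w2k3ads-3.sun.com
config/mapping_domain   astring  w2k3ads-3.sun.com
config/global_catalog   host     w2k3-p1.w2k3ads-3.sun.com'

# Read listprop output on stdin; print the obsolete properties that are
# still set, one per line, in the order they appear.
obsolete_props() {
    while read -r name _rest; do
        [ -n "$name" ] || continue
        case " $OBSOLETE_PROPS " in
            *" $name "*) printf '%s\n' "$name" ;;
        esac
    done
}

# Read listprop output on stdin; print the commands needed to remove the
# obsolete properties and refresh idmapd. Prints nothing when the
# configuration is already clean, so the script is safe to re-run.
cleanup_commands() {
    found=$(obsolete_props)
    [ -n "$found" ] || return 0
    for p in $found; do
        printf 'svccfg -s idmap delprop %s\n' "$p"
    done
    printf 'svcadm refresh idmap\n'
}

# Entry point: use the live service when svccfg exists, else the sample.
# Commands are only executed with APPLY=1; the default is a dry run.
run_cleanup() {
    if command -v svccfg >/dev/null 2>&1; then
        cmds=$(svccfg -s idmap listprop config | cleanup_commands)
    else
        cmds=$(printf '%s\n' "$SAMPLE_LISTPROP" | cleanup_commands)
    fi
    [ -n "$cmds" ] || { echo "idmap config already clean"; return 0; }
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$cmds" | sh -ex
    else
        printf 'Dry run; rerun with APPLY=1 to execute:\n%s\n' "$cmds"
    fi
}

run_cleanup
```

Run it once as a dry run, read the printed commands, then rerun with APPLY=1; a second run reports the configuration as already clean instead of failing on a missing property.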
Part B) Behavior Changes
====================================================
Part B.1) Workgroup mode
-----------------------------
1) In workgroup mode, a Solaris system running the latest bits will only perform non-secure (unauthenticated) dynamic DNS update, just like Windows systems in a workgroup. The ads_domain property is used as the DNS suffix. Note that the DNS zone must accept nonsecure dynamic updates for this to succeed; a zone set to "Secure only" will refuse the update.
Part B.2) Domain mode
-----------------------
1) With the use of the host principal, you must re-join your system to the domain whenever the hostname changes, because the principal name (host/<fqdn>@REALM) and its keytab entry are derived from the hostname. The same applies to other Kerberized services such as NFS and sshd.
2) The ads_domain property can only be set via sharectl while the SMB service is online (sharectl reports a "service isn't running" error if SMB is offline).
3) ads_domain should only be set via the sharectl CLI, which triggers the necessary side effects such as clearing the ads_host_info cache and removing invalid keytab entries. Please avoid setting it via svccfg; the behavior is undefined if the property value is set directly via svccfg.
4) There is no need to set the ADS user, user container, and password via sharectl in order to join the domain or publish shares to the AD.
5) There is no configuration for IPC mode. During domain join the system always establishes an authenticated IPC connection with the administrator credentials supplied to the smbadm join CLI. The domain controller tears down that connection once it has been idle for more than 15 minutes; any authenticated IPC connection established afterwards uses the host (computer account) credentials.
6) Authenticated IPC changes: the fallback/restore mechanism has been removed. It existed because the administrator's password could be reset via the "Active Directory Users and Computers" GUI on the domain controller (user account passwords are commonly rotated every few months for security reasons) without the Solaris system being updated, i.e. without re-joining the domain; falling back to an anonymous IPC connection then allowed CIFS clients to keep connecting to the Solaris system in domains where the authenticated IPC connection is optional. The computer account password cannot be changed through that GUI, so with host credentials the fallback is no longer needed.
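To make the domain-mode behaviour above checkable on a running system (once the join has completed, the SMB credential cache must hold the host principal rather than Administrator, and in workgroup mode there must be no cache at all), here is an added POSIX shell script. It is not part of this CR or of the CIFS project; it parses klist output for a credential cache and classifies the cached identity. The klist sample in the script is constructed in MIT klist format; pass a cache path such as /var/run/smb/ccache as the first argument to inspect a real cache.

```shell
#!/bin/sh
# Added example: classify the identity held by an SMB credential cache.
# After this fix the cache should belong to host/<fqdn>@REALM; a user
# principal such as Administrator@REALM indicates the old behaviour, and
# no cache at all is what workgroup mode produces.
# Not part of the CR; SAMPLE_KLIST is constructed in MIT klist format.

SAMPLE_KLIST='Ticket cache: FILE:/var/run/smb/ccache
Default principal: host/nevx86-243.w2k3ads-3.sun.com@W2K3ADS-3.SUN.COM

Valid starting       Expires              Service principal
20/11/2007 13:28     20/11/2007 23:28     krbtgt/W2K3ADS-3.SUN.COM@W2K3ADS-3.SUN.COM
20/11/2007 13:29     20/11/2007 23:28     DNS/w2k3-p1.w2k3ads-3.sun.com@W2K3ADS-3.SUN.COM'

# stdin: klist output; stdout: the default principal (empty if none).
ccache_principal() {
    sed -n 's/^Default principal: *//p'
}

# stdin: klist output; stdout: one cached service principal per line.
service_principals() {
    awk '/^Valid starting/ { hdr = 1; next } hdr && NF >= 5 { print $NF }'
}

# stdin: klist output; stdout: "host", "user" or "none".
principal_kind() {
    p=$(ccache_principal)
    case "$p" in
        "")     printf 'none\n' ;;
        host/*) printf 'host\n' ;;
        *)      printf 'user\n' ;;
    esac
}

# stdin: klist output. Return 0 only when the cache belongs to the host
# principal and still holds a TGT; otherwise say why and return 1.
check_smb_ccache() {
    out=$(cat)
    kind=$(printf '%s\n' "$out" | principal_kind)
    case "$kind" in
        host) ;;
        user) echo "cache holds a user principal: $(printf '%s\n' "$out" | ccache_principal)"
              return 1 ;;
        none) echo "no credential cache (expected only in workgroup mode)"
              return 1 ;;
    esac
    if printf '%s\n' "$out" | service_principals | grep -q '^krbtgt/'; then
        echo "ok: $(printf '%s\n' "$out" | ccache_principal)"
    else
        echo "host principal but no TGT in cache"
        return 1
    fi
}

# With a cache path argument, inspect the live cache (klist errors such as
# "No credentials cache file found" are folded into the "none" case);
# otherwise run against the constructed sample.
if [ $# -gt 0 ]; then
    klist "$1" 2>&1 | check_smb_ccache
else
    printf '%s\n' "$SAMPLE_KLIST" | check_smb_ccache
fi
```

A non-zero exit from check_smb_ccache after an smbadm join in domain mode means the join did not leave the host principal in place (or the TGT has already expired), which is the condition the verification steps below look for by hand.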
Verified this fix on x86 system running 5.11 cifs-nightly-build-11-19-2007 in domain mode.
Steps taken to verify this fix
Domain mode
- Remove all records of Snas host from "Forward and Reverse Lookup Zone"
-bash-3.2# kdestroy -c /var/run/smb/ccache
-bash-3.2# klist /var/run/smb/ccache
klist: No credentials cache file found (ticket cache FILE:/var/run/smb/ccache)
-bash-3.2# svcadm disable smb/server
-bash-3.2# pgrep smbd
100920
-bash-3.2# kill 100920
-bash-3.2# pgrep smbd
-bash-3.2# svcadm disable smb/server
-bash-3.2# svcs -a |grep smb/server
disabled 13:27:51 svc:/network/smb/server:default
-bash-3.2# svcadm enable smb/server
-bash-3.2# klist /var/run/smb/ccache
Ticket cache: FILE:/var/run/smb/ccache
Default principal: host/nevx86-243.w2k3ads-3.sun.com@W2K3ADS-3.SUN.COM
Valid starting Expires Service principal
20/11/2007 13:28 20/11/2007 23:28 krbtgt/W2K3ADS-3.SUN.COM@W2K3ADS-3.SUN.COM
20/11/2007 13:29 20/11/2007 23:28 DNS/w2k3-p1.w2k3ads-3.sun.com@W2K3ADS-3.SUN
- Check to make sure Snas hostname gets updated on DNS server
Workgroup mode
-bash-3.2# svcadm disable smb/server
-bash-3.2# svcadm enable smb/server
-bash-3.2# klist /var/run/smb/ccache
klist: No credentials cache file found (ticket cache FILE:/var/run/smb/ccache)
- Check to make sure Snas hostname gets updated on DNS server
Test case used :
26663-01 Dynamic DNS Support
https://futureworld.central/signup/server?t=tce&a=view&id$ver=26663$1&w=sec