
Why would you want to join SmartOS to an AD domain? 

I am using SmartOS as both a file server for Windows clients and as a virtual machine host (hypervisor) running Windows Server and Linux VMs.  The CIFS feature allows SmartOS to serve files to Windows clients from the GZ using just kernel code – no extra software required.  But SmartOS does not support defining users, groups, etc. in the GZ, so how can any access control be enforced?  The answer is to use Active Directory: if you join the SmartOS GZ to an AD domain, CIFS can use the AD to authenticate users and evaluate access control lists.

The AD doesn't have to be a Windows Server: it can be Samba4 running in a VM. 

(By the way, an alternative approach for serving files to Windows clients is to install Samba3, in the GZ or in an OS zone.  While that involves another layer of software, it supports the SMB2 protocol [CIFS does not], so it's not clear how that would affect performance – it might even improve it.  It also supports shared printers.  That approach is not documented here.)

Only the GZ can be joined to a domain, and changes made to the GZ are not persistent, so that complicates things a little.  Here is how to do it.

In the following examples...

  • My domain name is allenlan.net
  • My AD server is hostname samba-ad (samba-ad.allenlan.net), IP address 192.168.0.13
  • My SmartOS GZ is hostname smartos, IP address 192.168.0.94

First we will do everything interactively.

Edit /etc/hosts – insert your AD host (this step is helpful but not essential). Example:

Edit /etc/resolv.conf – insert a 'domain' line with your domain name, and a 'nameserver' line pointing to your AD server. If your AD server is a VM, you may want a secondary 'nameserver' that is always available. Example:

Edit /etc/krb5/krb5.conf. Example:

And then:

Important: Make sure the SmartOS clock is synchronized to your AD server.

Then substitute your AD IP address or hostname in the first command, and your domain or OU administrator username in the last command:

The 'smbadm join' command should return at least 5 lines of information showing that you are joined to the domain.  To further test the join, substitute a domain username in this command:

This should return information about the user.

Once this is working, we need to make all of the above changes persistent.  The /etc/ files will be overwritten by the next boot, and the idmap & smb/server services will start up not joined to a domain.  So copy the modified /etc/ files someplace permanent.  I am saving them in /opt/custom/domain-join/

Let's make sure everything is still working.  Reboot the system, then perform the following commands:

Does it show the system is joined to the domain?  If so, good so far.

Finally we need an SMF service that will perform these steps for us on each boot.  The SMF XML itself is very basic; here is what the script looks like:

If your AD is a VM running on this SmartOS host, it's probably a good idea to wait for that VM to be fully up and running before performing the 'svccfg import' command, which restarts the smb/server service.
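The interactive steps above (the /etc/hosts, /etc/resolv.conf and /etc/krb5/krb5.conf edits, the join) and the boot-time rerun they need can be folded into one script. The following is an added example, not the page's script and not part of SmartOS; it uses the page's domain, hostnames and addresses. The secondary resolver (FALLBACK_DNS), the administrator account name (ADMIN_USER), the staging path /opt/custom/domain-join/etc, and the choice of `sharectl set -p pdc`, `smbadm list` and `ntpdate` to stand in for the commands the page leaves out are my assumptions.

```shell
#!/bin/sh
# domain-join.sh: keep a SmartOS GZ joined to an AD domain across reboots.
# Added example, not the page's script. Page values: allenlan.net, samba-ad,
# 192.168.0.13. FALLBACK_DNS and ADMIN_USER are placeholders; the sharectl
# 'pdc' property, 'smbadm list' and 'ntpdate' are assumed illumos commands.

DOMAIN=allenlan.net
AD_HOST=samba-ad
AD_IP=192.168.0.13
FALLBACK_DNS=${FALLBACK_DNS:-192.168.0.1}   # placeholder: resolver reachable before the AD VM is up
ADMIN_USER=${ADMIN_USER:-Administrator}     # placeholder: domain or OU administrator account
STAGE_DIR=${STAGE_DIR:-/opt/custom/domain-join/etc}
ETC_DIR=${ETC_DIR:-/etc}
REALM=$(printf '%s' "$DOMAIN" | tr '[:lower:]' '[:upper:]')   # Kerberos realm is upper case

# Write the three config files into the persistent staging directory.
stage_configs() {
    dir=$1
    mkdir -p "$dir" || return 1
    # hosts is staged as a one-line fragment so loopback entries in /etc/hosts survive.
    printf '%s %s.%s %s\n' "$AD_IP" "$AD_HOST" "$DOMAIN" "$AD_HOST" > "$dir/hosts.add"
    cat > "$dir/resolv.conf" <<EOF
domain $DOMAIN
nameserver $AD_IP
nameserver $FALLBACK_DNS
EOF
    cat > "$dir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_kdc = true

[realms]
    $REALM = {
        kdc = $AD_HOST.$DOMAIN
        admin_server = $AD_HOST.$DOMAIN
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF
}

# Copy the staged files over the (non-persistent) /etc tree; safe to rerun.
restore_configs() {
    stage=$1; etc=$2
    mkdir -p "$etc/krb5" || return 1
    cp "$stage/resolv.conf" "$etc/resolv.conf" || return 1
    cp "$stage/krb5.conf" "$etc/krb5/krb5.conf" || return 1
    touch "$etc/hosts"
    # Append the AD host line only if it is not already present.
    grep -qF "$(cat "$stage/hosts.add")" "$etc/hosts" || cat "$stage/hosts.add" >> "$etc/hosts"
}

# How many copies of the AD host line /etc/hosts holds (1 after any number of restores).
count_hosts_entries() {
    grep -cF "$(cat "$1/hosts.add")" "$2/hosts"
}

# Block until the AD server answers, so the join does not run before its VM is up.
wait_for_ad() {
    tries=${1:-60}
    while [ "$tries" -gt 0 ]; do
        ping "$AD_IP" 2 >/dev/null 2>&1 && return 0   # illumos ping: host timeout
        tries=$((tries - 1)); sleep 5
    done
    return 1
}

# True when the SMB service already reports membership of the domain (assumed output format).
is_joined() {
    smbadm list 2>/dev/null | grep -qi "$DOMAIN"
}

# Point the SMB service at the AD, enable the services, then join. smbadm prompts
# for the administrator password; a boot service needs a non-interactive
# credential source, which the page does not cover and this example leaves open.
join_domain() {
    sharectl set -p pdc="$AD_IP" smb || return 1
    svcadm enable -r idmap smb/server || return 1
    smbadm join -u "$ADMIN_USER" "$DOMAIN"
}

# Entry points: "stage" once interactively, "start" from the SMF start method.
# Sourcing the file with no argument has no side effects.
case "${1:-}" in
stage) stage_configs "$STAGE_DIR" ;;
start)
    restore_configs "$STAGE_DIR" "$ETC_DIR" || exit 1
    wait_for_ad || exit 1
    ntpdate -u "$AD_IP"            # Kerberos rejects more than a few minutes of clock skew
    is_joined || join_domain
    ;;
esac
```

Run `domain-join.sh stage` once after the interactive join works, then give the SMF service a transient start method of `/opt/custom/domain-join/domain-join.sh start` with dependencies on svc:/milestone/network and svc:/system/filesystem/local; SmartOS imports manifests placed under /opt/custom/smf/ at boot. The /etc/hosts entry is appended rather than the file replaced, so the loopback entries the system writes at boot are kept and repeated runs do not duplicate the line, and the join is attempted only when `smbadm list` does not already report the domain.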
