Active Directory Guide

Active Directory Guide with Windows 2003 SBS R2

written/contributed by Eoin

As requested, I have written up a quick run through of joining an EON box to a Windows Active Directory domain. If people are interested, I might try to expand it into a step-by-step guide for Windows admins without Solaris experience to set up an EON-based NAS. The killer feature is surely having ZFS snapshots exposed through the Previous Versions tab in Windows Explorer!

This is tested with Windows 2003 SBS R2. Assuming the Active Directory domain you are joining is called mydomain.local and the IP address of the Windows domain controller is 192.168.1.6, the procedure is:

create a file /etc/resolv.conf, and add these lines to it:

domain mydomain.local

nameserver 192.168.1.6

search mydomain.local

Use the config file which tells EON to use DNS for name resolution:

cp /etc/nsswitch.dns /etc/nsswitch.conf

Join the domain:

smbadm join -u administrator mydomain.local

Accept the warning and enter the administrator password. If the join fails, you may get further details on the console.

Finally, map Windows users and groups on Unix users and group, so share permissions can be granted to your users:

idmap add winuser:*@mydomain.local unixuser:*

idmap add "wingroup:Domain Users@mydomain.local" unixgroup:users

idmap add "wingroup:Domain Admins@mydomain.local" unixgroup:staff

As for setting ACLs and ACL inheritance, I can report that the simplest solution works very well indeed: on the Unix side, start by granting full permissions on the Windows shares to everyone, e.g.:

chmod -R A=everyone@:full_set:fd-----:allow /tank/sharename

Then use Windows Explorer as Administrator to change them to what you really want. Just make sure you create and idmap a Unix group (with "groupadd groupname") corresponding to each Windows group to whom you need to assign specific permissions, though in many SME cases the example above will be sufficient.