Solaris / Illumos NAS in a mixed AD - NIS environment.

This tutorial demonstrates how to use a NAS based on Solaris or Illumos with SMB and NFS shares. The environment consists of:

  1. Solaris NFS / SMB server
  2. Windows 2008R2 Domain Controller with AD and NIS
  3. Windows clients for SMB access
  4. Linux clients for SMB and NFS access.

The Windows AD server must have the IDMU (Identity Management for UNIX) and NIS features installed.

Users who are supposed to work in this mixed environment must have the Unix Attributes assigned. The UID and GID can be assigned manually, or left at the default.


The steps will be: 

  1. Join the Solaris / Illumos server to AD and NIS. (Not covered in this tutorial; Oracle has free documentation on this subject.)
  2. Join the Windows clients to AD. (not covered here either)
  3. Join the Linux clients to NIS. (Use this tutorial to join NIS: )

Once these steps are completed, make sure the filesystems are shared over SMB and NFS:

# zfs set sharesmb=name=newshare pool-01/newshare
# zfs get sharesmb pool-01/newshare
NAME              PROPERTY  VALUE          SOURCE
pool-01/newshare  sharesmb  name=newshare  local

# zfs set sharenfs=nosuid,rw pool-01/newshare
# zfs get sharenfs pool-01/newshare
NAME              PROPERTY  VALUE      SOURCE
pool-01/newshare  sharenfs  nosuid,rw  local

In this environment, the share is accessible only to specific users: no guest access is allowed, and no root access either!

At this point, the share has default ACLs.

# ls -dV testshare/
drwxr-xr-x   3 root     root           3 May 20 12:30 testshare/

We need to add permissions (the user will be oviss, the group will be "Domain Users"):

# chmod -R A+user:oviss:rwxpdDaARWcCos:fd-----:allow,group:"Domain Users":rwxpdDaARWcCos:fd-----:allow testshare/

# ls -dV testshare/
drwxr-xr-x+  3 root     root           3 May 20 12:30 testshare/
    group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
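
The ACE in the `ls -dV` output above packs 14 permission letters and 7 inheritance flags into one line. The Python sketch below is an added example, not part of the original tutorial: it decodes such lines and lists non-owner principals that hold write_acl (C) or write_owner (o), which the "Domain Users" entry does. Only the first two lines of SAMPLE come from this page; the other ACEs and all function names are constructed for illustration.

```python
# Added example: decode compact NFSv4 ACEs as printed by `ls -dV` on Solaris / Illumos.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
FLAGS = {
    "f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
    "n": "no_propagate", "S": "successful_access", "F": "failed_access",
    "I": "inherited",
}
# Rights that let the holder rewrite the ACL or take ownership of the object.
ADMIN_RIGHTS = {"write_acl", "write_owner"}

def parse_ace(line):
    """Split 'who:perms:flags:type' from the right; 'who' may hold ':' and spaces."""
    who, perms, flags, ace_type = line.strip().rsplit(":", 3)
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"not an ACE line: {line!r}")
    kind, _, name = who.partition(":")  # owner@/group@/everyone@ carry no name
    return {"kind": kind, "name": name, "type": ace_type,
            "perms": [PERMS[c] for c in perms if c != "-"],
            "flags": [FLAGS[c] for c in flags if c != "-"]}

def audit(ls_output):
    """Return (principal, rights) for non-owner allow ACEs granting ADMIN_RIGHTS."""
    findings = []
    for line in ls_output.splitlines():
        # ACE lines are indented; the 'drwxr-xr-x+ ...' header line is not.
        if not line.startswith((" ", "\t")) or line.count(":") < 3:
            continue
        ace = parse_ace(line)
        risky = sorted(ADMIN_RIGHTS & set(ace["perms"]))
        if ace["type"] == "allow" and ace["kind"] != "owner@" and risky:
            findings.append((f'{ace["kind"]}:{ace["name"]}'.rstrip(":"), risky))
    return findings

# Constructed sample: first two lines are from this page, the rest are illustrative.
SAMPLE = """\
drwxr-xr-x+  3 root     root           3 May 20 12:30 testshare/
    group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
    owner@:rwxp-DaARWcCos:-------:allow
    group@:r-x---a-R-c--s:-------:allow
    everyone@:r-x---a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    for principal, rights in audit(SAMPLE):
        print(principal, "can", ", ".join(rights))
```

If ordinary users should not be able to change the ACL or ownership of files on the share, drop `C` and `o` from the group entry in the `chmod` call.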

At this point, CIFS/SMB access should work from both Windows and Linux (provided the Windows clients joined AD correctly and the Linux clients joined NIS).

On Linux:

[root@archlinux3 /]# smbclient -L NAS-Server -U%

        Sharename       Type      Comment
        ---------       ----      -------
        c$              Disk      Default Share
        testshare       Disk

[root@archlinux3 /]# mount -vvvv -t cifs // /testshare/ -o uid=56568942 -o gid=123456 -o credentials=/etc/.smbcreds,sec=ntlmv2
mount.cifs kernel mount options: ip=,unc=\\\testshare,sec=ntlmv2,uid=56568942,gid=123456,user=oviss,,domain=SPDOMAIN,pass=********
[root@archlinux3 /]# cd /testshare/
[root@archlinux3 testshare]# su oviss
sh-4.3$ touch created_in_linux
sh-4.3$ ls -ltr
total 0
-rwxr-xr-x 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwxr-xr-x 1 oviss Domain Users 0 May 20  2016 created_in_windows.txt

So far, CIFS/SMB access works perfectly fine from both Windows and Linux.

NFS access:

On the Solaris / Illumos Server I must add some idmap rules:

# idmap list
add     winuser:*  unixuser:*
add     "wingroup:Domain Users@localhost" unixgroup:Domain\ Users
add     winname:Guest@localhost   unixuser:nobody

The commands are as follows:

# idmap add "wingroup:Domain Users" "unixgroup:Domain Users"
# idmap add "winuser:*" "unixuser:*"
# idmap add winname:Guest unixuser:nobody

To be able to map the users on NFSv4 from the Linux client, I need to set the domain name and make sure rpc.idmapd works:

sh-4.3$ domainname

sh-4.3$ cat /etc/idmapd.conf

Verbosity = 0
Domain =


Start rpc.idmapd as root:

[root@archlinux3 testshare]# rpc.idmapd
[root@archlinux3 testshare]# nfsidmap -d

[root@archlinux3 /]# mount -t nfs -vvvv -o vers=4 /nfstest
mount.nfs: timeout set for Fri May 20 12:42:25 2016
mount.nfs: trying text-based options 'vers=4,addr=,clientaddr='

[root@archlinux3 /]# su oviss
sh-4.3$ cd /nfstest/
sh-4.3$ ls -ltr
total 1
-rwx------ 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwx------ 1 oviss Domain Users 0 May 20 12:37 created_in_windows.txt


NOTES: On the NAS server, best practice is not to use IDMU as directory-based mapping for idmap, and to disable NetBIOS support in smbd:

svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: none
svccfg -s smb/server setprop smbd/netbios_enable = boolean: false