Solaris / Illumos NAS in a mixed AD - NIS environment.

This tutorial demonstrates how to use a NAS based on Solaris or Illumos with SMB and NFS shares.


Environment:
  1. Solaris NFS/ SMB Server
  2. Windows 2008R2 Domain Controller with AD and NIS
  3. Windows clients for SMB access
  4. Linux clients for SMB and NFS access.


The Windows AD server must have the IDMU (Identity Management for UNIX) and NIS features installed.


The users who will work in this mixed environment must have the Unix attributes assigned in AD. The UID and GID can be assigned manually or left at the default.



      


The steps will be: 


  1. Join the Solaris / Illumos server to AD and NIS. (Not covered in this tutorial; Oracle has free documentation on this subject.)
  2. Join the Windows clients to AD. (Not covered here either.)
  3. Join the Linux clients to NIS. (Use this tutorial to join NIS: http://linuksovi.blogspot.ca/2015/11/set-up-nis-server-client.html )

Once these steps are completed, make sure the filesystems are shared over SMB and NFS:

# zfs set sharesmb=name=newshare pool-01/newshare
# zfs get sharesmb pool-01/newshare
NAME              PROPERTY  VALUE          SOURCE
pool-01/newshare  sharesmb  name=newshare  local

# zfs set sharenfs=nosuid,rw pool-01/newshare
# zfs get sharenfs pool-01/newshare
NAME              PROPERTY  VALUE      SOURCE
pool-01/newshare  sharenfs  nosuid,rw  local


In this environment the share will only be accessible to specific users, so no guest access is allowed, and no root access either!

At this point, the share has default ACLs.

# ls -dV testshare/
drwxr-xr-x   3 root     root           3 May 20 12:30 testshare/
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow


We need to add permissions (the user will be oviss, the group will be "Domain Users"):

# chmod -R A+user:oviss:rwxpdDaARWcCos:fd-----:allow,group:"Domain Users"@spdomain.net:rwxpdDaARWcCos:fd-----:allow testshare/

# ls -dV testshare/
drwxr-xr-x+  3 root     root           3 May 20 12:30 testshare/
             user:oviss:rwxpdDaARWcCos:fd-----:allow
    group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
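Added example, not from the tutorial: a small Python helper that decodes the compact ACE strings printed by ls -dV above (letter order as documented in chmod(1)) and checks them against the policy stated in this section, namely that the named user and group get full, inheritable access and nobody else gets write. The sample listing is the one shown above, embedded as constructed input.

```python
# Added example (not part of the tutorial): decode the compact NFSv4 ACEs printed
# by `ls -dV` (letter order per chmod(1)) and audit them against this section's policy.
PERM_BITS = "rwxpdDaARWcCos"
PERM_NAMES = ("read_data", "write_data", "execute", "append_data", "delete",
              "delete_child", "read_attributes", "write_attributes", "read_xattr",
              "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize")
FLAG_BITS = "fdinSFI"
FLAG_NAMES = ("file_inherit", "dir_inherit", "inherit_only", "no_propagate",
              "successful_access", "failed_access", "inherited")
WRITE_LIKE = {"write_data", "append_data", "delete", "delete_child",
              "write_attributes", "write_xattr", "write_acl", "write_owner"}
# Constructed sample: the listing shown above after the chmod A+ command.
SAMPLE = """drwxr-xr-x+  3 root     root           3 May 20 12:30 testshare/
             user:oviss:rwxpdDaARWcCos:fd-----:allow
    group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_ace(line):
    """Decode 'user:oviss:rwxpdDaARWcCos:fd-----:allow'; a letter means set, '-' clear."""
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    if len(perms) != len(PERM_BITS) or len(flags) != len(FLAG_BITS):
        raise ValueError("not a compact NFSv4 ACE: %r" % line)
    return {"who": who, "type": kind,
            "perms": {n for b, n, c in zip(PERM_BITS, PERM_NAMES, perms) if c == b},
            "flags": {n for b, n, c in zip(FLAG_BITS, FLAG_NAMES, flags) if c == b}}

def parse_ls_dv(output):
    """Parse the text of `ls -dV <dir>`; the first line is the stat line, not an ACE."""
    return [parse_ace(l) for l in output.splitlines()[1:] if l.strip()]

def _expected(who, names):
    # Exact match, or name plus a domain suffix (ls truncates the domain part).
    return any(who == n or who.startswith(n + "@") for n in names)

def audit(aces, full_access_for):
    """Flag intended principals lacking full inheritable access, and other write grants."""
    findings = []
    for ace in (a for a in aces if a["type"] == "allow"):
        if _expected(ace["who"], full_access_for):
            if ace["perms"] != set(PERM_NAMES):
                findings.append("%s: not full access" % ace["who"])
            if not {"file_inherit", "dir_inherit"} <= ace["flags"]:
                findings.append("%s: no file/dir inheritance" % ace["who"])
        elif ace["who"] != "owner@" and ace["perms"] & WRITE_LIKE:
            findings.append("%s: unexpected write access" % ace["who"])
    return findings
```

Run audit(parse_ls_dv(SAMPLE), ("user:oviss", "group:Domain Users")) against a real listing; an empty result means the ACL matches the policy described above.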


At this point CIFS/SMB access should work from both Windows and Linux (provided the Windows clients joined AD correctly and the Linux clients joined NIS):





On Linux:

[root@archlinux3 /]# smbclient -L NAS-Server -U%

        Sharename       Type      Comment
        ---------       ----      -------
        c$              Disk      Default Share
        testshare       Disk

[root@archlinux3 /]# mount -vvvv -t cifs //172.21.201.233/testshare /testshare/ -o uid=56568942 -o gid=123456 -o credentials=/etc/.smbcreds,sec=ntlmv2
domain=SPDOMAIN
mount.cifs kernel mount options: ip=172.21.201.233,unc=\\172.21.201.233\testshare,sec=ntlmv2,uid=56568942,gid=123456,user=oviss,,domain=SPDOMAIN,pass=********
[root@archlinux3 /]# cd /testshare/
[root@archlinux3 testshare]# su oviss
sh-4.3$ touch created_in_linux
sh-4.3$ ls -ltr
total 0
-rwxr-xr-x 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwxr-xr-x 1 oviss Domain Users 0 May 20  2016 created_in_windows.txt
sh-4.3$

So far, CIFS/SMB access works perfectly fine from both Windows and Linux.


NFS access:

On the Solaris / Illumos server I must add some idmap rules:

# idmap list
add     winuser:*@spdomain.net  unixuser:*
add     "wingroup:Domain Users@localhost" unixgroup:Domain\ Users
add     winname:Guest@localhost   unixuser:nobody

The commands are as follows (the Unix side of each rule needs its unixuser:/unixgroup: prefix, as the idmap list output above shows):

# idmap add wingroup:"Domain Users" unixgroup:"Domain Users"
# idmap add winuser:*@spdomain.net unixuser:*
# idmap add winname:guest unixuser:nobody


To be able to map the users on NFSv4 from the Linux client, I need to set the NFSv4 domain name and make sure rpc.idmapd works:

sh-4.3$ domainname
spdomain

sh-4.3$ cat /etc/idmapd.conf
[General]

Verbosity = 0
Domain = spdomain.net
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

[Translation]
Method=nsswitch

Start rpc.idmapd as root:

[root@archlinux3 testshare]# rpc.idmapd
[root@archlinux3 testshare]# nfsidmap -d
spdomain.net

[root@archlinux3 /]#  mount -t nfs -vvvv -o vers=4 172.21.201.233:/pool-01/newshare /nfstest
mount.nfs: timeout set for Fri May 20 12:42:25 2016
mount.nfs: trying text-based options 'vers=4,addr=172.21.201.233,clientaddr=172.21.11.111'


[root@archlinux3 /]# su oviss
sh-4.3$ cd /nfstest/
sh-4.3$ ls -ltr
total 1
-rwx------ 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwx------ 1 oviss Domain Users 0 May 20 12:37 created_in_windows.txt
sh-4.3$



Easy!

NOTES: best practice on the NAS server is not to use IDMU as the directory-based mapping source for idmap, and to disable NetBIOS support in smbd:

svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: none
svccfg -s smb/server setprop smbd/netbios_enable = boolean: false