Environment:
- Solaris NFS/ SMB Server
- Windows 2008R2 Domain Controller with AD and NIS
- Windows clients for SMB access
- Linux clients for SMB and NFS access.
The Windows AD server must have the IDMU (Identity Management for UNIX) and NIS server features installed.
The users who will work in this mixed environment must have Unix Attributes assigned in AD. The UID and GID can be assigned manually or left at the defaults.
The steps will be:
- Join the Solaris / Illumos Server to AD and NIS. (not covered in this tutorial; Oracle has free documentation on this subject)
- Join the Windows clients to AD. (not covered here either)
- Join the Linux clients to NIS. (Use this tutorial to join NIS: http://linuksovi.blogspot.ca/2015/11/set-up-nis-server-client.html )
Once these steps are completed, make sure the filesystems are shared over SMB and NFS:
# zfs set sharesmb=name=newshare pool-01/newshare
# zfs get sharesmb pool-01/newshare
NAME PROPERTY VALUE SOURCE
pool-01/newshare sharesmb name=newshare local
# zfs set sharenfs=nosuid,rw pool-01/newshare
# zfs get sharenfs pool-01/newshare
NAME PROPERTY VALUE SOURCE
pool-01/newshare sharenfs nosuid,rw local
In this environment the share will only be accessible to specific users: no guest access is allowed, and no root access either!
At this point, the share has default ACLs.
# ls -dV testshare/
drwxr-xr-x 3 root root 3 May 20 12:30 testshare/
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
We need to add permissions (the user will be oviss, the group "Domain Users"):
# chmod -R A+user:oviss:rwxpdDaARWcCos:fd-----:allow,group:"Domain Users"@spdomain.net:rwxpdDaARWcCos:fd-----:allow testshare/
# ls -dV testshare/
drwxr-xr-x+ 3 root root 3 May 20 12:30 testshare/
user:oviss:rwxpdDaARWcCos:fd-----:allow
group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
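Here is an added example, not code from the tutorial, that checks the ACL `ls -dV` prints against the rule stated above: only the named user and group may write, and everyone@ or a guest account must never get write-class rights. It also reports named entries that lack the f and d inheritance flags, since without them files created under the share would not receive the entry. The ACE format is who:permissions:inheritance-flags:allow|deny, with the 14 permission letters in fixed positions (r w x p d D a A R W c C o s). The sample ACL text is constructed to match the page's output for testshare/ (note that `ls -dV` truncates the group's domain to "spdoma"; the parser does not care).

```python
"""Audit a Solaris/illumos NFSv4 ACL as printed by `ls -dV` (added example)."""
from dataclasses import dataclass

# Compact-format permission letters and their long names.
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Anything in this set lets a principal change content, metadata, the ACL or the owner.
WRITE_CLASS = frozenset("wpdDAWCo")


@dataclass(frozen=True)
class Ace:
    who: str          # e.g. "owner@", "user:oviss", "group:Domain Users@spdoma"
    perms: frozenset  # granted permission letters
    flags: str        # 7 inheritance flag positions, e.g. "fd-----"
    kind: str         # "allow" or "deny"


def parse_ace(line: str) -> Ace:
    """Split one ACE line from the right, so colons inside 'who' survive."""
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    if kind not in ("allow", "deny") or len(perms) != 14:
        raise ValueError(f"not an ACE line: {line!r}")
    return Ace(who, frozenset(perms) - {"-"}, flags, kind)


def parse_ls_dV(output: str) -> list:
    """Drop the leading mode/owner line and parse the ACE lines after it."""
    return [parse_ace(line) for line in output.strip().splitlines()[1:]]


def write_grants(aces, principals=("everyone@",), substrings=("guest",)):
    """ACEs that allow write-class permissions to everyone@ or a guest-like principal."""
    hits = []
    for ace in aces:
        if ace.kind != "allow":
            continue
        granted = ace.perms & WRITE_CLASS
        broad = ace.who in principals or any(s in ace.who.lower() for s in substrings)
        if granted and broad:
            hits.append((ace.who, sorted(PERM_NAMES[p] for p in granted)))
    return hits


def non_inheriting(aces):
    """Named user:/group: ACEs missing file (f) or directory (d) inheritance."""
    return [a.who for a in aces
            if a.who.startswith(("user:", "group:")) and not {"f", "d"} <= set(a.flags)]


# Constructed sample: the ACL shown on the page after the chmod.
SHARE_ACL = """\
drwxr-xr-x+ 3 root root 3 May 20 12:30 testshare/
user:oviss:rwxpdDaARWcCos:fd-----:allow
group:Domain Users@spdoma:rwxpdDaARWcCos:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""
# Constructed counter-example: the same share opened up to everyone@.
OPEN_ACL = SHARE_ACL.replace("everyone@:r-x---a-R-c--s", "everyone@:rwxpdDaARWcCos")

if __name__ == "__main__":
    for label, text in (("page ACL", SHARE_ACL), ("open ACL", OPEN_ACL)):
        aces = parse_ls_dV(text)
        print(label, "write grants:", write_grants(aces), "non-inheriting:", non_inheriting(aces))
```

Run it against the real thing with `ls -dV /path | python3 acl_audit.py`-style plumbing of your own; the functions only need the text.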
At this point CIFS/SMB access should work from both Windows and Linux (provided Windows joined AD correctly and Linux joined NIS):
On Linux:
[root@archlinux3 /]# smbclient -L NAS-Server -U%
Sharename Type Comment
--------- ---- -------
c$ Disk Default Share
testshare Disk
[root@archlinux3 /]# mount -vvvv -t cifs //172.21.201.233/testshare /testshare/ -o uid=56568942 -o gid=123456 -o credentials=/etc/.smbcreds,sec=ntlmv2
domain=SPDOMAIN
mount.cifs kernel mount options: ip=172.21.201.233,unc=\\172.21.201.233\testshare,sec=ntlmv2,uid=56568942,gid=123456,user=oviss,,domain=SPDOMAIN,pass=********
[root@archlinux3 /]# cd /testshare/
[root@archlinux3 testshare]# su oviss
sh-4.3$ touch created_in_linux
sh-4.3$ ls -ltr
total 0
-rwxr-xr-x 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwxr-xr-x 1 oviss Domain Users 0 May 20 2016 created_in_windows.txt
sh-4.3$
So far CIFS/SMB access works perfectly fine from both Windows and Linux.
NFS access:
On the Solaris / Illumos Server I must add some idmap rules:
# idmap list
add winuser:*@spdomain.net unixuser:*
add "wingroup:Domain Users@localhost" unixgroup:Domain\ Users
add winname:Guest@localhost unixuser:nobody
The commands to create these rules are as follows (the Unix side carries the unixgroup:/unixuser: prefix, as the listing above shows):
# idmap add wingroup:"Domain Users" unixgroup:"Domain Users"
# idmap add 'winuser:*@spdomain.net' 'unixuser:*'
# idmap add winname:guest unixuser:nobody
To be able to map the users on NFSv4 from the Linux client, I need to set the domain name and make sure rpc.idmapd works:
sh-4.3$ domainname
spdomain
sh-4.3$ cat /etc/idmapd.conf
[General]
Verbosity = 0
Domain = spdomain.net
[Mapping]
Nobody-User=nobody
Nobody-Group=nobody
[Translation]
Method=nsswitch
Start rpc.idmapd as root:
[root@archlinux3 testshare]# rpc.idmapd
[root@archlinux3 testshare]# nfsidmap -d
spdomain.net
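As an added example (not code from the tutorial, nor from Solaris or Linux), here is a small model of the two identity-mapping steps this setup relies on, covering both the idmap rules above and the idmapd.conf just shown. On the Solaris side, a Windows identity is matched against the name-based rules, with `*` matching any name and being carried over to the Unix side; this model assumes an exact-name rule is tried before a wildcard rule and that `@localhost` in a listed rule accepts any Windows domain. On the Linux side, rpc.idmapd resolves an owner string `name@domain` through the passwd database only when `domain` equals `Domain` in /etc/idmapd.conf; anything else falls back to Nobody-User, which is why a mismatched domain shows every file as nobody. The NIS domain (`domainname` printed `spdomain` above) plays no part in this; only the Domain line in idmapd.conf does. The rules, the idmapd.conf text and the passwd table are constructed to match the page (uid 56568942 is the uid used in the page's mount command).

```python
"""Model of Solaris idmap rules and Linux NFSv4 rpc.idmapd name resolution (added example)."""
import configparser
import fnmatch

# (windows side, unix side), as shown by `idmap list` on the page.
IDMAP_RULES = [
    ("winuser:*@spdomain.net", "unixuser:*"),
    ("wingroup:Domain Users@localhost", "unixgroup:Domain Users"),
    ("winname:Guest@localhost", "unixuser:nobody"),
]


def _split(ident: str):
    """'wingroup:Domain Users@localhost' -> ('wingroup', 'Domain Users', 'localhost')."""
    prefix, _, rest = ident.partition(":")
    name, _, domain = rest.partition("@")
    return prefix, name, domain


def solaris_idmap(rules, win_kind: str, win_identity: str):
    """Map a Windows 'name@domain' of kind 'user' or 'group' to (unix_prefix, unix_name).

    Returns None when no rule matches (real idmap would then hand out an ephemeral ID).
    Model assumptions: exact-name rules before wildcard rules; '@localhost' matches any domain;
    Windows names compare case-insensitively.
    """
    name, _, domain = win_identity.partition("@")
    ordered = sorted(rules, key=lambda r: "*" in r[0])  # False (exact) sorts before True
    for win_rule, unix_rule in ordered:
        rprefix, rname, rdomain = _split(win_rule)
        if rprefix == "winuser" and win_kind != "user":
            continue
        if rprefix == "wingroup" and win_kind != "group":
            continue  # winname: matches either kind
        if rdomain not in ("", "localhost") and rdomain.lower() != domain.lower():
            continue
        if not fnmatch.fnmatchcase(name.lower(), rname.lower()):
            continue
        uprefix, uname, _ = _split(unix_rule)
        return uprefix, uname.replace("*", name)
    return None


# Constructed to match the page's /etc/idmapd.conf.
IDMAPD_CONF = """\
[General]
Verbosity = 0
Domain = spdomain.net

[Mapping]
Nobody-User=nobody
Nobody-Group=nobody

[Translation]
Method=nsswitch
"""

# Constructed passwd table; with Method=nsswitch the real lookup would go through NIS.
PASSWD = {"oviss": 56568942, "nobody": 65534}


def nfs4_owner_to_uid(owner: str, conf_text: str = IDMAPD_CONF, passwd: dict = PASSWD) -> int:
    """Resolve an NFSv4 owner string the way rpc.idmapd does, falling back to Nobody-User."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    nfs4_domain = cfg.get("General", "Domain")
    nobody = cfg.get("Mapping", "Nobody-User")
    name, _, domain = owner.partition("@")
    # Domain mismatch or unknown name: the file shows up owned by nobody.
    if domain.lower() != nfs4_domain.lower() or name not in passwd:
        return passwd[nobody]
    return passwd[name]


if __name__ == "__main__":
    print(solaris_idmap(IDMAP_RULES, "user", "oviss@spdomain.net"))
    print(solaris_idmap(IDMAP_RULES, "group", "Domain Users@spdomain.net"))
    print(nfs4_owner_to_uid("oviss@spdomain.net"), nfs4_owner_to_uid("oviss@spdomain"))
```

The second print shows the failure mode worth remembering: `oviss@spdomain` (the NIS domain name) does not match `Domain = spdomain.net`, so the owner collapses to nobody even though the account exists.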
[root@archlinux3 /]# mount -t nfs -vvvv -o vers=4 172.21.201.233:/pool-01/newshare /nfstest
mount.nfs: timeout set for Fri May 20 12:42:25 2016
mount.nfs: trying text-based options 'vers=4,addr=172.21.201.233,clientaddr=172.21.11.111'
[root@archlinux3 /]# su oviss
sh-4.3$ cd /nfstest/
sh-4.3$ ls -ltr
total 1
-rwx------ 1 oviss Domain Users 0 May 20 12:36 created_in_linux
-rwx------ 1 oviss Domain Users 0 May 20 12:37 created_in_windows.txt
sh-4.3$
Easy!
NOTES: on the NAS server, best practice is not to use IDMU as the directory-based mapping for idmap, and to disable NetBIOS support in smbd:
# svccfg -s svc:/system/idmap setprop config/directory_based_mapping = astring: none
# svccfg -s smb/server setprop smbd/netbios_enable = boolean: false