Solaris / CIFS
Last edited January 24, 2009
More by lewiz »
Security Descriptor (SD) definition
www.microsoft.com/whdc/driver/security/drvsecure.m...
The security descriptor describes the owner and group SIDs for the object along with its ACLs
Key topics

  • CIFS availability
    • OpenSolaris 2008.11
    • SXDE, SXCE
    • not Solaris 10
  • workgroup mode demo
    • installation on opensolaris
    • updating pam.conf & passwd
    • start service
    • create a new filesystem and share
    • share an existing filesystem
    • show in network places
    • copy files to/from
  • id mapper
    • the need to map IDs
    • how Solaris & Windows handle ids
      • define SID
    • algorithmic mapping
    • static rules
    • ephemeral mappings
      • persistent across service restarts, not reboots
    • uid_t & gid_t changes
    • implicit v explicit permissions
  • filesystem support
    • ZFS changes, FUIDs
      • mandatory v advisory locking
    • changes to VFS for legacy FS
    • NFSv3 implementation
    • NFSv4 implementation
  • workgroup mode
  • domain mode
    • ephemeral mapping in use
  • VSCAN
    • the problem VSCAN is designed to solve (viruses)
    • how VSCAN has been implemented in Solaris
    • brief description of ICAP; specifically how it is used for VSCAN as well as other uses
    • commands and processes involved (vscand & vscanadm)
    • vscanadm syntax
    • demonstration using VirtualBox and EICAR test virus
Questions

Sun should most likely pursue an IETF Internet Standard for SID representation and the current set of valid SID generation and encoding formats, independent of use in any particular operating system, data format, or network protocol. This can be done in parallel with but not gating our use of SIDs in Solaris. Similarly, Sun could pursue standardizing its new APIs through IEEE or POSIX.
did this get done? if so, what is the range?
(d) The ability for kernel code such as FUID-aware filesystems to upcall the
mapping service via a door to convert SIDs to UIDs/GIDs, and some
appropriate caching of the results, as determined by performance analysis.
what does this mean?  FUID-aware FS?  upcall mapping?
(i) The project proposes to store its mappings in a persistent database.
Although such mappings need to be persisted, with ephemeral IDs they only
need to be persisted across service restart, and not reboots, implying that
tmpfs can be used to back the cache. This property may significantly
simplify the design and implementation of the persistence mechanism.
why do the ephemeral id mappings not need to be persistent across reboots?
sharemgr create lewis
sharemgr add-share -s /export/cifs -r cifs lewis
(sharemgr has no "add" subcommand: "create" makes the share group, "add-share" adds the path to it under the resource name cifs)
Using CIFS

Enable SMB sharing for the ZFS file system.


# zfs set sharesmb=on fsname

Note –

The resource name for the share is automatically constructed by the zfs command when the share is created. The resource name is based on the dataset name, unless you specify a resource name. Any characters that are illegal for resource names are replaced by an underscore character (_).


To specify a resource name for the share, specify a name for the sharesmb property, sharesmb=name=resource-name.

zfs set sharesmb=on FSNAME
zfs set sharesmb=name=LEWISVIDEO FSNAME
we want to support CIFS as a first-class citizen in Solaris
OpenSolaris CIFS server heritage
blogs.sun.com/mws/resource/uid.txt
the Sun Software organization is working to integrate support for CIFS, based on the stack acquired from Procom, into Solaris. The Procom CIFS stack previously ran on Procom's operating system, code-named Montana, currently the basis of the Sun StorageTek 5310 and 5320 NAS products
Solaris CIFS supports advisory (default) and mandatory locking
docs.sun.com/app/docs/doc/820-2429/smbservertasks?...
The CIFS protocol assumes mandatory locking, but UNIX traditionally uses advisory locking. The Solaris OS can be configured to use mandatory locking on a per mount basis by using the non-blocking mandatory locking (nbmand) mount option.
"zfs create -o nbmand=on fsname" to create a ZFS with mandatory locking
Unsharing a parent FS unshares the children
docs.sun.com/app/docs/doc/820-2429/smbservertasks?...
If you disable SMB sharing for sandbox/fs2, that file system and its children are affected.
Solaris CIFS client supports files & directories only (no printing over CIFS)
docs.sun.com/app/docs/doc/820-2429/smboverview?a=v...
The Solaris CIFS client does not include the ability to print by means of CIFS or the ability to access CIFS resources other than files and directories. The Solaris CIFS client enables an unprivileged user to mount and unmount shares on directories he owns.
CIFS in kernel land; non-file I/O requests passed to userland smbd
docs.sun.com/app/docs/doc/820-2429/smboverview?a=v...
Similar to the NFS kernel service, the SMB kernel module provides SMB file I/O services directly between the network interface and the virtual file system (VFS) within the kernel. Whenever a non-file I/O request is received, such as a user authentication or an MS-RPC named pipe request, it is passed to smbd for processing in user space
Windows-style ACL support in ZFS and NFSv4
docs.sun.com/app/docs/doc/820-2429/idmappingtasks?...
The Solaris CIFS service is designed to reside in a multiprotocol environment and provide an integrated model for sharing data between Windows and Solaris systems. Although files can be accessed simultaneously from both Windows and Solaris systems, no industry-standard mechanism is used to define a user in both Windows and Solaris environments. Objects can be created in either environment, but traditionally the access control semantics for each environment are vastly different. The Solaris OS is adopting the Windows model of access control lists (ACLs) by introducing ACLs in NFSv4 and the ZFS file system, and by providing the idmapd identity mapping service.
Workgroup mode

  • Enable the Solaris CIFS service.


    # svcadm enable -r smb/server
    

    This command enables the Solaris CIFS service and any service on which it depends, such as the idmap service.

  • (Optional) Change the Solaris CIFS service to operate in a different workgroup.

    By default, the Solaris CIFS service operates in a workgroup called WORKGROUP.


    # smbadm join -w workgroup-name
    
  • Edit the /etc/pam.conf file to support creation of an encrypted version of the user's password for CIFS.

    Add the following line to the end of the file:


    other	password required	pam_smb_passwd.so.1	nowarn

    See the pam_smb_passwd(5) man page.

  • Specify the password for existing local users.

    The Solaris CIFS service cannot use the Solaris encrypted version of the local user's password for authentication. Therefore, you must generate an encrypted version of the local user's password for the Solaris CIFS service to use. When the SMB PAM module is installed, the passwd command generates such an encrypted version of the password.


    # passwd username
  • Domain mode

    Solaris CIFS supports workgroup & domain (= AD auth)
    docs.sun.com/app/docs/doc/820-2429/smboverview?a=v...
    The Solaris CIFS service can operate in either workgroup mode or in domain mode. In workgroup mode, the Solaris CIFS service is responsible for authenticating users locally when access is requested to shared resources. This authentication process is referred to as local login. In domain mode, the Solaris CIFS service uses pass-through authentication, in which user authentication is delegated to a domain controller.
    Example 3–1 Configuring the Solaris CIFS Service in Domain Mode

    This example shows the steps taken to configure the Solaris CIFS service in domain mode. User dana has Domain Administrator privileges. The name of the domain being joined is westsales.example.com.


    # svcadm enable -r smb/server
    # smbadm join -u dana westsales.example.com
    Enter domain password:
    Joining 'westsales.example.com' ... this may take a minute ...
    Successfully joined domain 'westsales.example.com'
    svcadm enable -r enables all services on which smb/server depends
    Configuring domain & workgroup mode CIFS
    docs.sun.com/app/docs/doc/820-2429/smbservertasks?...

    Configuring the Solaris CIFS Service Operation Mode (Task Map)

    The following table points to the tasks that you can use to configure the operation mode of the Solaris CIFS server.

    Task                                                   Description                                                               For Instructions
    Configure the Solaris CIFS service in domain mode.     Use the smbadm join -u username domain-name command to join the domain.   How to Configure the Solaris CIFS Service in Domain Mode
    Configure the Solaris CIFS service in workgroup mode.  Use the smbadm join -w workgroup-name command to join the workgroup.      How to Configure the Solaris CIFS Service in Workgroup Mode

    Getting Started With the Solaris CIFS Service - Genunix
    www.genunix2.org/wiki/index.php/Getting_Started_Wi...

    Solaris CIFS services can operate in two modes: domain and workgroup. These modes are mutually exclusive. Choose one or the other based on your environment and authentication needs.

    • If you have an Active Directory (AD) domain and want to give domain users access to the Solaris CIFS service, choose domain mode by joining that domain.

    • If you have no AD domains or have no need to support domain users, and you want to use local Solaris users to access the CIFS service, choose workgroup mode by joining the workgroup.

    Implementation details

    The solution proposed for Solaris is fundamentally to do the following:

    (a) Modify ZFS to support SIDs directly in the filesystem, using an encoding
    that can be generalized to other forms of SIDs, generalized to other on-
    disk filesystems should that be required, and efficiently encode POSIX IDs.

    (b) Modify the kernel to support SIDs as part of credentials (cred_t, ucred_t)
    so that the new Solaris CIFS server can establish such credentials in a
    generic fashion and have them be passed through the VOP layer to ZFS.

    (c) Deliver an ID mapping service to perform POSIX ID <-> SID mapping, and
    make this available to both user and kernel clients (i.e. via door upcall).
    This service is the Winchester project, with some minor modifications.

    (d) Change Solaris uid_t and gid_t to be unsigned 32-bit types, and partition
    the ID space into half reserved for standard POSIX identifiers (the current
    range supported by Solaris, 0-0x7fffffff), and half reserved for ephemeral
    mappings associated with SIDs (the new range 0x80000000-0xfffffffe).
    No need to change existing backup software for ZFS; 'extensible attributes'
    opensolaris.org/os/community/arc/caselog/2007/064/...
    17. Backup Formats

    Since ephemeral IDs only exist on the system when CIFS is deployed without POSIX name mapping equivalence, and such IDs cannot be stored in existing filesystems anyway, there is no incompatibility with existing backup software. The only backup issues arise when trying to backup ZFS with SIDs. ZFS already provides its own archival format by virtue of zfs(1M) send/recv; this format would be extended to support the ZFS FUID representation as part of this work.
    SIDs

    Windows SID (PSARC (pre-Winchester))
    opensolaris.org/os/community/arc/caselog/2007/064/...
    A Windows SID typically looks something like this:

    S-1-5-12-7623811015-3361044348-030300820-1013

    and decomposes into the following pieces:

    S - The string is a SID
    1 - The revision level (1 is the only value in present use)
    5 - 48-bit identifier authority value (5 refers to "Windows NT")
    12-7623811015-3361044348-030300820 - Identifier for domain or local computer
    1013 - 32-bit Relative ID (RID) within the previously described domain

    In other words, an SID is a universally unique identifier for a user
    or group.
    SID is the equivalent of user@FQDN
    Security Identifier - Wikipedia, the free encyclopedia
    en.wikipedia.org/wiki/Security_Identifier

    Windows grants or denies access and privileges to resources based on access control lists (ACLs), which use SIDs to uniquely identify users and their group memberships. When a user logs into a computer, an access token is generated that contains user and group SIDs and user privilege level. When a user requests access to a resource, the access token is checked by the ACL to permit or deny particular action on a particular object.

    SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.

    SID has format as follows: S-1-5-21-7623811015-3361044348-030300820-1013

    S - The string is a SID.
    1 - The revision level.
    5 - The identifier authority value.
    21-7623811015-3361044348-030300820 - domain or local computer identifier
    1013 – a Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

    Possible identifier authority values are:

    • 0 - Null Authority
    • 1 - World Authority
    • 2 - Local Authority
    • 3 - Creator Authority
    • 4 - Non-unique Authority
    • 5 - NT Authority
    idmap

    On Windows and Solaris systems, files have an owner attribute and a group attribute. A Solaris file owner attribute must be a UID, and the group attribute must be a GID. Unlike the Solaris OS, Windows has no such restrictions. Windows permits either a user SID or a group SID to be a file owner or a file group. In fact, Windows uses the Administrator Group as a file owner in many instances, and any Windows application can set the file owner and group attributes to any SID.

    The Solaris system cannot interchange UIDs and GIDs like Windows can. Therefore, the Solaris system must be able to perform the following types of mappings:

    • Map a group SID to a UID when the group SID occurs in an owner field

    • Map a user SID to a GID when the user SID occurs in group field

    These are called diagonal mappings, which use naming rules to set up the mappings.

    18. Zones Integration

    Solaris Zones provide a lightweight virtualization environment that includes virtualization of the Solaris name service switch configuration. That is, a local zone may have its own nsswitch.conf(4) settings indicating an entirely different name server, name service, or name service prioritization. As such it is already the case that POSIX identifiers do not necessarily hold the same meaning across disparate Zones in that one zone might assign a given uid_t value one identity in its own passwd(4) file and another zone might see a different identity for that uid_t based upon a NIS or LDAP directory. As such Solaris will need to evaluate identity mapping rules for non-POSIX identities differently in each zone, and therefore the mapping of an SID to a POSIX uid_t or ephemeral uid_t will vary across zones. Finally, a Zone can use the BrandX technology to provide an entirely different identity service for another OS personality. Therefore, each Solaris Zone should have its own instance of the id mapping service, and maintain its own notion of ephemeral uid_t and gid_t's.
    Winchester is a pluggable id mapper
    opensolaris.org/os/community/arc/caselog/2007/064/...
    As specified, Winchester resembles the Samba ID mapping component, in that
    it offers an ID mapping service with pluggable mapping models, independent
    of any underlying capability of the operating system to support SIDs.
    Winchester proposes to implement features beyond (a-c), including:

    - Algorithmic Mapping from Section 3b, similar to Samba
    - A plug-in interface for other mapping schemes, e.g. Apple Open Directory
    For chown(2) and similar calls that are given ephemeral IDs, the system call asks the ID mapper (or its cache) whether the ID is claimed; if so, the call succeeds, otherwise it fails with EINVAL as it does today
    Labels: chown, idmap, winchester
    With uid_t and gid_t now extended to 32-bit unsigned types, we now propose to
    partition the ID space in half, reserving the upper 2 billion values for so-
    called ephemeral IDs. These ID values would be reserved for transient mappings
    of SIDs introduced into the system for which no name-based mapping rule between
    the SID and a POSIX ID in the existing range [0, INT_MAX] applies. A central
    mapping service (the Winchester project, discussed further in Section 11),
    will establish the reservation of an ephemeral ID and its connection to an SID,
    and will hold the reservation until a Solaris instance reboots. That is, when
    the forthcoming SMB server for CIFS establishes a session, it will take the SID
    over the wire, look up the Windows AD name, and contact the ID mapper to see if
    a name-based mapping applies; if so, a POSIX ID in the existing range will be
    assigned to the credential in addition to storing the SID there. If not, an
    ephemeral ID above INT_MAX will be assigned. In either case, every credential
    will always contain both uid_t/gid_t values and an SID simultaneously.
    Labels: idmap, winchester
    wildcard idmap rule matches only otherwise-unmatched names
    docs.sun.com/app/docs/doc/820-2429/idmappingtasks?...
    If username uses the wildcard (*), it matches all user names that are not matched by other mappings. Similarly, if username is the wildcard Windows name (*@*), it matches all user names in all domains that are not matched by other mappings.
    Algorithmic Mapping (PSARC (Winchester))
    opensolaris.org/os/community/arc/caselog/2007/064/...
    (b) Algorithmic Mapping

    Administrators can manually partition the POSIX UID space by creating a set of
    algorithmic mapping rules for SIDs (based on the encoded RID) to a portion of
    the POSIX UID space. For example, an administrator can configure:

    idmap backend = idmap_rid:SUN=70000-80000

    indicating that the "SUN" domain should be mapped to UIDs [70,000-80,000].
    When Samba encounters the SID S-1-5-21-34567898-12529001-32973135-1234 from
    this domain, the resulting POSIX UID will be 70000 + 1234 = 71234.
  • We changed the type of uid_t and gid_t in Solaris from 32-bit signed to 32-bit unsigned. This really should have been done a long time ago, and brings us (in my opinion) into better alignment with other UNIX variants.
  • We reserved the UID and GID values 0x80000000 - 0xFFFFFFFE to be used for what I call ephemeral mappings to foreign identifiers, represented by a generic form of an SID. These mappings are done by the new identity mapping service in OpenSolaris, called Winchester. (Winchester also can perform mappings of user names between POSIX and Windows name services: see the Winchester project page for all of the details.)
  • We created a way for Solaris filesystems to store persistent identifiers in the filesystem on-disk that can represent arbitrary identifiers including both POSIX IDs and SIDs and convert those back to credentials in the kernel.
  • We extended the Solaris ucred mechanism so that these more complex credentials can be expressed back to userland processes for services that need them.
  • idmap rules can be wildcard based (per-server)
    docs.sun.com/app/docs/doc/820-2429/idmappingtasks?...
    Rule-based mappings. Are easy to configure and can be configured with a single wildcard rule. However, the mapping rules are only stored on a particular computer rather than being global. This method is more suitable if only one CIFS server is being used in your environment.
    Ephemeral mappings

    Unlike NFSv3, NFSv4 does not send UIDs and GIDs over the wire for attributes. Instead, nfsmapid(1M) is used to map the values to utf8 strings containing the user and group name suffixed by the NFSv4 mapping domain (either the DNS domain or a domain name manually configured using the NFSMAPID_DOMAIN property).

    If an ephemeral ID for an SID has no mapping, then the POSIX name service lookup should fail and return *ID_NOBODY to the kernel, which NFSv4 already has defined as a clear semantic, and it sends "nobody" back over the wire.
    Ephemeral IDs get mapped to 'nobody' on legacy FSes
    opensolaris.org/os/community/arc/caselog/2007/064/...
    Other than NFSv3, historic Solaris filesystems such as UFS will not be changed to use FUIDs. Instead, the VOP layer should be modified to transparently convert ephemeral IDs to *ID_NOBODY as they are passed to historic filesystems.

    The consequence of this approach is that any credential that is associated with an ephemeral ID cannot be stored in a historic filesystem unless POSIX name mapping equivalence is established
    SIDs stored in ZFS ACLs allow ownership for non-local users to persist across reboots
    blogs.sun.com/nico/entry/dealing_with_windows_sids...
    First and foremost: ephemeral IDs must not be persistently stored anywhere, including in filesystem objects. Because that is far too restrictive the Solaris VFS and one filesystem, ZFS, have been modified to support storing SIDs instead of ephemeral IDs (the other filesystems simply reject any attempt to store an ephemeral ID). You read that right: ZFS can now use SIDs in ACL entries! Most applications will already do the Right Thing -- either reject or pass through ephemeral IDs -- and those core Solaris apps that needed modification have been modified
    SIDs are stored in ZFS ACLs, so if the ephemeral mappings are lost (at reboot) the SID in the ACL is still there and is used to allow access
    13. NFSv3 Implementation

    Thus NFSv3 would map any ephemeral IDs that have no POSIX equivalent
    to *ID_NOBODY.
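    The mapping order described in (b) Algorithmic Mapping and in the ephemeral-ID text above, together with the diagonal case, the chown(2) validity check and the *ID_NOBODY downgrade for UFS and NFSv3, as an added C example. It is not Winchester's or the kernel's code: the rule tables, the nobody value 60001, the fixed ephemeral table size and the use of one counter for ephemeral UIDs and GIDs are assumptions made for illustration; a real mapper resolves names through the name service and keeps its table per zone.

```c
/* Added example, not Winchester/idmap code: an in-memory model of the SID to
 * POSIX ID decision described above. The name-rule table, the idmap_rid-style
 * range table, the 'nobody' value and one shared counter for ephemeral UIDs
 * and GIDs are assumptions made here for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POSIX_ID_MAX   0x7fffffffU   /* the classic range [0, INT_MAX] */
#define EPHEMERAL_MIN  0x80000000U
#define EPHEMERAL_MAX  0xfffffffeU   /* 0xffffffff is (uid_t)-1, chown(2)'s "leave unchanged" */
#define ID_NOBODY      60001U        /* Solaris 'nobody' (assumed; check passwd(4)) */
#define EPH_SLOTS      32
#define IS_EPHEMERAL(id) ((id) >= EPHEMERAL_MIN && (id) <= EPHEMERAL_MAX)

typedef enum { KIND_USER, KIND_GROUP } id_kind_t;               /* which file field is being filled */
typedef struct { const char *domain; uint32_t rid; } sid_ref_t;  /* domain SID prefix + RID */
typedef struct { const char *win_name; id_kind_t kind; uint32_t id; } name_rule_t;
typedef struct { const char *domain; uint32_t low, high; } rid_range_t;
typedef struct { char domain[64]; uint32_t rid; id_kind_t kind; uint32_t id; } eph_entry_t;

typedef struct {
    const name_rule_t *rules;   int nrules;
    const rid_range_t *ranges;  int nranges;
    eph_entry_t eph[EPH_SLOTS]; int neph;   /* per-zone; tmpfs-backed in the design, so gone at reboot */
    uint32_t next_eph;
} idmap_t;

void idmap_init(idmap_t *m, const name_rule_t *r, int nr, const rid_range_t *g, int ng)
{
    memset(m, 0, sizeof *m);
    m->rules = r; m->nrules = nr; m->ranges = g; m->nranges = ng;
    m->next_eph = EPHEMERAL_MIN;
}

/* Resolve a SID to an ID of the requested kind. win_name is the AD name looked
 * up for the SID (NULL if none). Order follows the design text: name-based rule,
 * then algorithmic range, then the ephemeral cache/allocator. A group SID found
 * in an owner field is simply resolved with kind == KIND_USER (the diagonal
 * case). Returns 0, or -1 when the ephemeral space is exhausted. */
int idmap_sid_to_posix(idmap_t *m, const sid_ref_t *sid, const char *win_name,
                       id_kind_t kind, uint32_t *out)
{
    int i;
    for (i = 0; win_name && i < m->nrules; i++)
        if (m->rules[i].kind == kind && strcmp(m->rules[i].win_name, win_name) == 0) {
            *out = m->rules[i].id;
            return 0;
        }
    for (i = 0; i < m->nranges; i++)
        if (strcmp(m->ranges[i].domain, sid->domain) == 0) {
            uint64_t id = (uint64_t)m->ranges[i].low + sid->rid;   /* e.g. 70000 + 1234 */
            if (id <= m->ranges[i].high) { *out = (uint32_t)id; return 0; }
            break;            /* RID outside the administrator's range: fall through */
        }
    for (i = 0; i < m->neph; i++)
        if (m->eph[i].kind == kind && m->eph[i].rid == sid->rid &&
            strcmp(m->eph[i].domain, sid->domain) == 0) {
            *out = m->eph[i].id;                                   /* cache hit */
            return 0;
        }
    if (m->neph == EPH_SLOTS || m->next_eph > EPHEMERAL_MAX) return -1;
    eph_entry_t *e = &m->eph[m->neph++];
    snprintf(e->domain, sizeof e->domain, "%s", sid->domain);
    e->rid = sid->rid; e->kind = kind; e->id = m->next_eph++;
    *out = e->id;
    return 0;
}

/* Reverse lookup, as a FUID-aware filesystem or NFSv4 needs it: is this ephemeral
 * ID currently claimed? Returns 1 and fills *sid/*kind, else 0. */
int idmap_posix_to_sid(const idmap_t *m, uint32_t id, sid_ref_t *sid, id_kind_t *kind)
{
    for (int i = 0; i < m->neph; i++)
        if (m->eph[i].id == id) {
            sid->domain = m->eph[i].domain; sid->rid = m->eph[i].rid; *kind = m->eph[i].kind;
            return 1;
        }
    return 0;
}

/* What the VOP layer hands UFS or NFSv3: an ephemeral ID has no representation
 * there, so it is downgraded to nobody. */
uint32_t legacy_fs_id(uint32_t id) { return IS_EPHEMERAL(id) ? ID_NOBODY : id; }

/* chown(2) pre-check from the text above: an ephemeral ID is acceptable only while
 * the mapper (or its cache) claims it; otherwise EINVAL, as today. */
int chown_id_valid(const idmap_t *m, uint32_t id)
{
    sid_ref_t s; id_kind_t k;
    if (!IS_EPHEMERAL(id)) return id <= POSIX_ID_MAX;   /* 0xffffffff is never a valid owner */
    return idmap_posix_to_sid(m, id, &s, &k);
}

/* Reboot: the ephemeral table is gone. A SID stored in a ZFS ACL is re-mapped on
 * next use; an ephemeral number held by a process or a legacy FS is now unclaimed. */
void idmap_reboot(idmap_t *m) { m->neph = 0; m->next_eph = EPHEMERAL_MIN; }
```

    Feeding it the quoted Samba example with a range rule of 70000-80000 for that domain gives 70000 + 1234 = 71234; a RID that would land above 80000 falls through to the ephemeral allocator rather than being clamped. A SID from a domain with no rule gets 0x80000000 on first sight and the same number on every later lookup until idmap_reboot(), after which a chown to that old number fails because nothing claims it; a legacy filesystem sees 60001 for it throughout. The same group SID asked for as a GID and then as a UID (the diagonal case) receives two distinct ephemeral numbers, one per kind.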
    Troubleshooting

    Modify Default Security Policies on Windows Server 2008-Based Domain Controllers
    technet.microsoft.com/en-us/library/cc731654.aspx
    To disable SMB packet signing enforcement on Windows Server 2008–based domain controllers
    1. To open GPMC, click Start, click Run, type gpmc.msc, and then click OK.

    2. In the console tree, right-click Default Domain Controllers Policy in Domains\Current Domain Name\Group Policy objects\Default Domain Controllers Policy, and then click Edit.

    3. In the Group Policy Management Editor window, in the console tree, go to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Security Options.

    4. In the details pane, double-click Microsoft network server: Digitally sign communications (always).

    5. Verify that the Define this policy setting check box is selected, click Disabled to prevent SMB packet signing from being required, and then click OK.

      To apply the Group Policy change immediately, either restart the domain controller or open a command prompt, type the following command, and then press ENTER:

      gpupdate /force

    The following error message appears if you supply the wrong password for the administrative user:

    failed to join domain-name (LOGON_FAILURE)

    This error message might also appear if packet signing is required on the domain controller. So, you must disable the packet signing requirement on the domain controller before you can successfully join a domain.

    Note: SMB signing is what protects traffic between clients and the domain controller from tampering and relay, so disabling its enforcement on a domain controller weakens every client in the domain, not just this join. Scope the change to the join window and re-enable the policy afterwards.

    Labels: packetsigning
    failed to join domain FOO.COM (INVALID_PARAMETER) (smbadm join)
    dlc.sun.com/osol/docs/content/SSMBAG/smbservertrou...

    Missing DNS domain. Ensure that the fully qualified AD domain name has been added to the search list or as the local domain in /etc/resolv.conf.

    If your configuration is incorrect, you might see the failed to join domain domain-name (INVALID_PARAMETER) error when attempting to join the domain.

    Labels: INVALID_PARAMETER
    CIFS Service Troubleshooting - Genunix
    www.genunix2.org/wiki/index.php/CIFS_Service_Troub...

    Joining a Windows 2008 Domain

    To join a Windows 2008 domain, your Solaris system must be running at least SXCE Build 94.

    NTLMv2 authentication is mandatory only when LMCompatibilityLevel is set to 5 on your Windows 2008 domain controller. A value of 0-4 for LMCompatibilityLevel means that NTLMv2 authentication is not mandatory. By default, LMCompatibilityLevel is set to 3.

    Depending on whether NTLMv2 authentication is mandatory on your Windows 2008 domain controller, do one of the following:

    • If NTLMv2 authentication is mandatory on your Windows 2008 domain controller, install the following Microsoft hot fix:

      http://support.microsoft.com/kb/957441/

      Also, set the new AllowLegacySrvCall registry key to 1 because the Solaris CIFS service does not yet support extended security.

    • If NTLMv2 authentication is not mandatory on your Windows 2008 domain controller, you can do one of the following:

      • Install the Microsoft hot fix.

      • Set the LAN manager authentication level on your Solaris system as follows prior to joining the domain:

        # sharectl set -p lmauth_level=2 smb

        Note: lmauth_level follows the Windows LMCompatibilityLevel numbering, so 2 makes the Solaris side send NTLM rather than NTLMv2 responses. That is a downgrade of the authentication exchange; use it only where the domain controller accepts NTLM, and prefer the hotfix where it applies.
    The content on this page is provided by a Google Notebook user, and Google assumes no responsibility for this content.