Joining A Network Appliance (NetApp) to Samba

(William Jojo)
Introduction
Contrary to popular wisdom, it is possible to join a Filer to Samba. In fact, once joined you can actually
enumerate users and groups by name or SID. Keep in mind that this document was created using Data
O!"# $.%.&.&, "I' (.% and the p)are distribution of Samba, howe*er, e*erything in here will wor+
for any site combination.
,owe*er, to master this particular feat, you will need one little patch from the Samba !eam.
It is li+ely that %.-.. series is just fine. /ut a bug introduced in %.0.- and carried through until at least
%.%.1 has made it impossible to enumerate users. 2ou can join 3 you just can4t use any user or group
data for permissions. !his bug manifest in the Filer by *irtue of SID loo+ups wor+ing, but user5group
loo+ups did not. !hen, once cached, the user or group could be added to a CIFS managed share.
!he patch is based on bug 61787 9https:55bug;illa.samba.org5show<bug.cgi=id>1787? that has to do
with @Subject: [PATCH] s3-lsa: Fix _lsa_LookupNames!" se#$e# impleme%tatio% &'ic' al&a(s
#etu#%e) a N*LL si)_a##a( si%ce 3++,+A
O!B: If you are using a specific distribution4s Samba 9li+e Cbuntu, Ded,at, Suse? you may need to
build your own Samba to fi. this problem 3 which is way beyond the scope of this document. 9Samba
%.%.( was just accepted on Cbuntu Karmic Koala, but doesn4t seem to ha*e this patch?.
"I' users can use Samba %.0.&%, %.%.1 or %.7.- released at http:55pware.h*cc.edu. !hese pac+ages
contain the specified patch.
The Setup
First, create a machine account in Samba for the et"pp Filer. In our e.ample, the filer will be called
B!"##. So the first step is to create the user account in Cni., then a Samba account.
"ssuming the machine account is in the standard Cni. passwd file and you do not ha*e any automated
account creation scripts in the Samba configuration file, run the follow two commands as the root user:
!he Cbuntu adduser command would be something li+e:
# adduser --home /home/NETAPP$ --gecos NETAPP Machine Account NETAPP$
"n "I' *ersion of the command is something li+e:
# mkuser gecos=NETAPP Machine Account NETAPP$
-oi%i%. NetApp to Samba !,,/,0/" 1 o2
One you4*e creates the Cni. account with something resembling the abo*e create the Samba account
with:
# smbpasswd -m -a -s NETAPP$ <<EOF
> netapp
> netapp
> EOF
O!B: !he @6A signs are prompts and the @EA are the secondary prompts for the hereFdocument.
!he first command creates the machine account as a Cni. account. !he second command creates a
Samba account tied to the Cni. account as a machine trust account with the password set to the lower
case eGui*alent of the machine account name mi%us the @HA.
Joining the Filer
If you are using the ICI or the command line to do the CIFS Setup, all you need to +now is the
following before you get started:
Filer name.
)IS Ser*ers 9if any?
"uthentication is NT 4 domain 3 oh yes
Domain ame
Security mode 3 either ulti!protocol or NTFS onl".
Chec+ your settings prior to committing the changes.
!hat4s it. If e*erything was done correctly you should now ha*e the Filer joined to the Samba domain
controller. Otherwise, bump the Samba log le*el and chec+ log.smbd and the filer for hints as to what
went wrong.
CheersJ
/ill
-oi%i%. NetApp to Samba !,,/,0/" o2