Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread The Outsider

True!

That's why I pay for hardware and software support on Solaris 11.2. (Prices are 
reasonable when you have Sun hardware.)


But 11.2 != OpenIndiana.




On 10 October 2014 02:08:00 Dave Pooser wrote:


On 10/9/14 5:13 PM, "The Outsider"  wrote:

>Hmm, I am sorry. I seem to have missed that.
>Last time I installed and tested it I needed to get a registration key and
>wasn't allowed to use Nexenta for business without paying a quite high
>amount of euros.
>
>But that was 3 years ago.

Open source != free-as-in-beer
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com



___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss






Re: [OpenIndiana-discuss] is oi still a `safe' os

2014-10-09 Thread Nikola M.

On 10/ 9/14 08:30 PM, Harry Putnam wrote:

> I've been running oi and opensolaris before it, off and on for a few
> yrs.  I like having a home lan zfs server


Yeah, maybe then this is the right moment to contribute something to the 
project. ;)



> One or more of those may be wrong or overstated... the problem is I'm
> not equipped skill wise to know.
>
> I'd like to hear a few comments from old hands as to whether a
> low-skilled admin is still safe using oi for home lan service.
>
> Would I be better off with one of the other branches of solaris OS, or


No, it's not 'safe', because defining 'safe' is a vague term. But what OS is 
actually 'secure' without the admin knowing what he's doing? One always needs 
ipfilter firewall rules and the right settings.


The thing is that OI needs manpower to release the next /dev, and contributions 
to /dev and Hipster.
See what you can contribute yourself, because updates to OI and releases 
don't make themselves.


I suggest including yourself in testing and bug reporting as a starting 
contribution point that everyone can do.  We have boot environments (BEs, 
beadm), which are an ideal way of doing testing and having dozens of different 
whole OS versions, using all the ZFS benefits for a great development platform.


Current problem is connecting Hipster snapshots with the new /dev release.
Upgrading from /dev to a Hipster snapshot, making Hipster have versions 
of 'entire' and exactly rigorous testing before releasing a new /dev.

e.g. - we need you.



Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread Dave Pooser
On 10/9/14 5:13 PM, "The Outsider"  wrote:

>Hmm, I am sorry. I seem to have missed that.
>Last time I installed and tested it I needed to get a registration key and
>wasn't allowed to use Nexenta for business without paying a quite high
>amount of euros.
>
>But that was 3 years ago.

Open source != free-as-in-beer
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com





Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread The Outsider

Hmm, I am sorry. I seem to have missed that.
Last time I installed and tested it I needed to get a registration key and 
wasn't allowed to use Nexenta for business without paying a quite high 
amount of euros.


But that was 3 years ago.


On 9 October 2014 23:18:03 Bayard Bell wrote:


On 9 October 2014 20:41, openindi...@out-side.nl 
wrote:

> From my limited tunnelview:
>
> Nexenta: closed source, no real root, no zones. IF you want storage with
> support this is the best option.
>

Please define closed source while accounting for this fundamental fact:

https://github.com/nexenta/illumos-nexenta






Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread Alexander Pyhalov

Bayard Bell wrote on 10.10.2014 01:10:
> On 9 October 2014 20:41, openindi...@out-side.nl wrote:
>
> > From my limited tunnelview:
> >
> > Nexenta: closed source, no real root, no zones. IF you want storage with
> > support this is the best option.
>
> Please define closed source while accounting for this fundamental fact:
>
> https://github.com/nexenta/illumos-nexenta


Hi.

I'd be more interested in https://github.com/Nexenta/nza-userland/.
I see at least smartmontools, dtrace toolkit patches, dpkg and dpkg zone 
brand which I'd like to borrow.

Why haven't I seen this earlier? :)

BTW, I see that you have a clang component. How do you use clang? I mean, 
is it just a proof-of-concept component, or can you actually do something 
useful with it?

---
System Administrator of Southern Federal University Computer Center




Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread Bayard Bell
On 9 October 2014 20:41, openindi...@out-side.nl 
wrote:

> From my limited tunnelview:
>
> Nexenta: closed source, no real root, no zones. IF you want storage with
> support this is the best option.
>

Please define closed source while accounting for this fundamental fact:

https://github.com/nexenta/illumos-nexenta


Re: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread openindi...@out-side.nl
From my limited tunnelview:

Nexenta: closed source, no real root, no zones. IF you want storage with 
support this is the best option.
OmniOS: nice piece of work, but when your fingers are used to the commands of, 
for example, creating zones it is a disaster
SmartOS: same as OmniOS.
OI: whatever you need help for (almost) everything can be found on the internet 
when you search for {subject} + solaris 10. Same for the software. Stick as 
good as possible to the illumos sources.

Every successor of Solaris 10 takes a share of the old userbase, and this 
userbase is also becoming smaller since a lot switch to Linux-like systems or 
even Windows.
Every successor tries to simplify the solaris things that were difficult to 
learn. Like creating zones. 
At the end the successors look a little bit the same, but have differences that 
prevent mixing. 
At some point successors drift away from the illumos kernel, disconnecting 
themselves from the source.

The question is what happens if at some point a real solaris /illumos security 
bug will be found. Which kernel will give you the best options for a cure? Will 
the solution be available on the successor? 
And what if the successors themselves have created a security hole inside 
without knowing? There are very few testers for these relatively small 
successors.

Br,

Roelof


-----Original message-----
From: Dave Pooser [mailto:dave...@pooserville.com]
Sent: Thursday 9 October 2014 17:13
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] Future of OI (was Bash Bug issue)

At the risk of sounding like the corporate hack I doubtless am... what's the OI 
"elevator pitch" -- the 10-second explanation of why OI exists, and why I 
should use it vs another Illumos variant?

NexentaStor - "ZFS storage appliances"
OmniOS - "Enterprise server, open and free, with commercial support"
SmartOS - "Cloud OS using zones, DTrace and ZFS"
OI - ???

I have a couple of OI servers because a couple of years ago that looked like 
the natural path forward from OpenSolaris. Now, it's hard to see why I should 
deploy a new server with OI vs OmniOS.
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving safely in 
one pretty and well-preserved piece, but to slide across the finish line 
broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!!" 
-- Bill McKenna











Re: [OpenIndiana-discuss] is oi still a `safe' os

2014-10-09 Thread Alexander Pyhalov

On 10/09/2014 22:30, Harry Putnam wrote:

> Sorry if my subject line seems a bit thin.
>
> I've been running oi and opensolaris before it, off and on for a few
> yrs.  I like having a home lan zfs server.
>
> I've seen comments in enough posts lately to cause me to worry about
> using OI.  People say it is not kept up to date, that there are no
> security updates and that in general there is no careful watchdog
> group keeping an eye on it.
>
> One or more of those may be wrong or overstated... the problem is I'm
> not equipped skill wise to know.
>
> I'd like to hear a few comments from old hands as to whether a
> low-skilled admin is still safe using oi for home lan service.



Hi.
I think that this depends on your use case. For example, I consider 
running a 6-year-old SXCE server "safe enough" to run, because it is 
behind a corporate firewall and is used only as a terminal server. We were 
running several Linux hosts with known CVEs which we couldn't update for 
about a year. If you run it behind NAT and you are a single user, you 
are on the safe side. If it's your desktop, you are on the safe side (who 
will write an exploit for desktop Solaris? :) ).
Of course, I wouldn't run a critical service which is available 
from outside on OI. But for other use cases it can suit.

Of course if I run OI, I'd run Hipster. But I'm biased.
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



[OpenIndiana-discuss] is oi still a `safe' os

2014-10-09 Thread Harry Putnam
Sorry if my subject line seems a bit thin.

I've been running oi and opensolaris before it, off and on for a few
yrs.  I like having a home lan zfs server.

I've seen comments in enough posts lately to cause me to worry about
using OI.  People say it is not kept up to date, that there are no
security updates and that in general there is no careful watchdog
group keeping an eye on it.

One or more of those may be wrong or overstated... the problem is I'm
not equipped skill wise to know.

I'd like to hear a few comments from old hands as to whether a
low-skilled admin is still safe using oi for home lan service.

Would I be better off with one of the other branches of solaris OS, or
even the free oracle version?




Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

2014-10-09 Thread Andrew Martin
- Original Message -
> From: "Andrew Martin" 
> To: "Discussion list for OpenIndiana" 
> Sent: Thursday, October 9, 2014 10:41:58 AM
> Subject: Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server
> 
> - Original Message -
> > From: "Andre Kruger" 
> > To: "Discussion list for OpenIndiana" 
> > Sent: Thursday, October 9, 2014 3:51:46 AM
> > Subject: Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server
> > 
> > I recently tried to (re)join an OI machine to my company's AD. I had it
> > joined previously but my AD integration broke when the AD admins turned on
> > LDAPS. OI does not have the required libraries to join an AD environment
> > that has LDAPS enabled.
> > 
> > You can troubleshoot this further if you issue the join command yourself
> > and at the same time run it in debug mode:
> > 
> > net ads join -U username -d5
> > 
Also I should mention that I'm using smb/server, not Samba. Therefore, I'm
using "smbadm join" and not "net ads join".



Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

2014-10-09 Thread Andrew Martin
- Original Message -
> From: "Andre Kruger" 
> To: "Discussion list for OpenIndiana" 
> Sent: Thursday, October 9, 2014 3:51:46 AM
> Subject: Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server
> 
> I recently tried to (re)join an OI machine to my company's AD. I had it joined
> previously but my AD integration broke when the AD admins turned on LDAPS.
> OI does not have the required libraries to join an AD environment that has
> LDAPS enabled.
> 
> You can troubleshoot this further if you issue the join command yourself and
> at the same time run it in debug mode:
> 
> net ads join -U username -d5
> 
> If the domain you are trying to join does have LDAPS enabled you should see
> this line, "StartTLS not supported by LDAP client libraries!", a few lines
> from the bottom when the join completes. Unless you have other errors that
> first need fixing. Eventually however once you have them all sorted out you
> will get this error.
> 
Thanks for the idea - however in this case I don't think LDAPS is the problem,
since I can simply change these 3 lines to use one of the DCs directly rather
than ad.example.com and the join works:
   kdc = dc0.example.com
   admin_server = dc0.example.com
   kpasswd_server = dc0.example.com

> From: "The Outsider" 
> I think "joining domain failed (c001)" might give you a clue.
> When the NAT translates your computer's IP address to a new local, no DNS
> reference will exist for that IP.

Hm... I have a DNS A record for ad.x-es.com, so it should exist when either
the DC or the OI client system try to do a DNS lookup...

Thanks,

Andrew



[OpenIndiana-discuss] Future of OI (was Bash Bug issue)

2014-10-09 Thread Dave Pooser
At the risk of sounding like the corporate hack I doubtless am... what's
the OI "elevator pitch" -- the 10-second explanation of why OI exists, and
why I should use it vs another Illumos variant?

NexentaStor - "ZFS storage appliances"
OmniOS - "Enterprise server, open and free, with commercial support"
SmartOS - "Cloud OS using zones, DTrace and ZFS"
OI - ???

I have a couple of OI servers because a couple of years ago that looked
like the natural path forward from OpenSolaris. Now, it's hard to see why
I should deploy a new server with OI vs OmniOS.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna







Re: [OpenIndiana-discuss] OI storage sollution

2014-10-09 Thread Alexander Pyhalov

On 10/09/2014 18:45, Udo Grabowski (IMK) wrote:

On 09/10/2014 15:56, Alexander Pyhalov wrote:

On 10/09/2014 17:41, Udo Grabowski (IMK) wrote:

On 09/10/2014 14:18, Cal Sawyer wrote:
We have 400 TB and are still in...



Hi.

Could you share some specifications of this installation? I'm interested
in hardware specs, zfs pools organization, what do you use for HA,
backup, any other interesting details, how do you share volumes
(iSCSI/FC), etc..


See attached pdf for our current setup. No HA, we rely on NFSv4,

...

Hope that gives you enough details.


Thanks for the information. Sounds great :) I've just returned from an IBM 
seminar on Storwize V7000 and thought several times: "This is great, but 
perhaps I could do it 5-10 times cheaper on OI and something like 
http://www.supermicro.nl/products/nfo/CiB.cfm".
We have two Storwizes, and they are great, but for now we lack cheap 
storage which we could provide to our clients.

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [OpenIndiana-discuss] OI storage sollution

2014-10-09 Thread Udo Grabowski (IMK)

And some interesting statistics here:


On 09/10/2014 16:59, Udo Grabowski (IMK) wrote:

Here are some photos of our installation in its early
stages, the empty spaces therein are now all filled:



On 09/10/2014 16:45, Udo Grabowski (IMK) wrote:

On 09/10/2014 15:56, Alexander Pyhalov wrote:

On 10/09/2014 17:41, Udo Grabowski (IMK) wrote:

On 09/10/2014 14:18, Cal Sawyer wrote:
We have 400 TB and are still in...



Hi.

Could you share some specifications of this installation? I'm interested
in hardware specs, zfs pools organization, what do you use for HA,
backup, any other interesting details, how do you share volumes
(iSCSI/FC), etc..


..



--
Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology   http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026



Re: [OpenIndiana-discuss] OI storage sollution

2014-10-09 Thread Udo Grabowski (IMK)

Here are some photos of our installation in its early
stages, the empty spaces therein are now all filled:



On 09/10/2014 16:45, Udo Grabowski (IMK) wrote:

On 09/10/2014 15:56, Alexander Pyhalov wrote:

On 10/09/2014 17:41, Udo Grabowski (IMK) wrote:

On 09/10/2014 14:18, Cal Sawyer wrote:
We have 400 TB and are still in...



Hi.

Could you share some specifications of this installation? I'm interested
in hardware specs, zfs pools organization, what do you use for HA,
backup, any other interesting details, how do you share volumes
(iSCSI/FC), etc..


..



--
Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology   http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026



[OpenIndiana-discuss] OI storage sollution

2014-10-09 Thread Alexander Pyhalov

On 10/09/2014 17:41, Udo Grabowski (IMK) wrote:

On 09/10/2014 14:18, Cal Sawyer wrote:
We have 400 TB and are still in...



Hi.

Could you share some specifications of this installation? I'm interested 
in hardware specs, zfs pools organization, what do you use for HA, 
backup, any other interesting details, how do you share volumes 
(iSCSI/FC), etc..


--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [OpenIndiana-discuss] Bash bug issue

2014-10-09 Thread Udo Grabowski (IMK)

On 09/10/2014 14:18, Cal Sawyer wrote:

Thanks very much for the reply and the succinct description of what's
happened to OI development, Udo

Good luck to everyone who's using OI in actual production!  Me and my
65TB need to leave the building :)


We have 400 TB and are still in...

--
Dr.Udo Grabowski   Inst.f.Meteorology & Climate Research IMK-ASF-SAT
http://www.imk-asf.kit.edu/english/sat.php
KIT - Karlsruhe Institute of Technology   http://www.kit.edu
Postfach 3640,76021 Karlsruhe,Germany T:(+49)721 608-26026 F:-926026



Re: [OpenIndiana-discuss] rbac console permissions on login manager

2014-10-09 Thread Gabriele Bulfon
I bet you're right! Thanks so much! ;)
--
From: Alexander Pyhalov
To: Discussion list for OpenIndiana
Cc: Gabriele Bulfon
Date: 9 October 2014 15.00.35 CEST
Subject: Re: [OpenIndiana-discuss] rbac console permissions on login manager
On 10/09/2014 14:55, Gabriele Bulfon wrote:
> Hi,
> can anyone point me in the right direction?
> I'm trying to add rbac / console permissions on lightdm for xstreamos desktop,
> to allow for many devices
> to be available to a desktop user when he's detected to be on the console.
> I looked at the gdm patches on OI, but I can't find which code is doing this.
> Any help?
Hi. I'm not sure, but I have a feeling that it's
https://github.com/OpenIndiana/oi-userland/blob/oi/hipster/components/gdm/patches/gdm-28-logindevperm.patch
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department


Re: [OpenIndiana-discuss] rbac console permissions on login manager

2014-10-09 Thread Alexander Pyhalov

On 10/09/2014 14:55, Gabriele Bulfon wrote:

> Hi,
> can anyone point me in the right direction?
> I'm trying to add rbac / console permissions on lightdm for xstreamos desktop,
> to allow for many devices
> to be available to a desktop user when he's detected to be on the console.
> I looked at the gdm patches on OI, but I can't find which code is doing this.
> Any help?


Hi. I'm not sure, but I have a feeling that it's 
https://github.com/OpenIndiana/oi-userland/blob/oi/hipster/components/gdm/patches/gdm-28-logindevperm.patch

--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department



Re: [OpenIndiana-discuss] Bash bug issue

2014-10-09 Thread Cal Sawyer
Thanks very much for the reply and the succinct description of what's 
happened to OI development, Udo


Good luck to everyone who's using OI in actual production!  Me and my 
65TB need to leave the building :)


best regards,

- cal sawyer

On 06/10/14 14:30, Udo Grabowski (IMK) wrote:

On 06/10/2014 14:54, Cal Sawyer wrote:

...
If the only solutions being offered after nearly 2 weeks are a) use 
ksh because bash is somehow inferior (shades of 
"csh-is-detrimental") or b) rebuild bash yourself from source, I'd 
have to say that imho it's the polar opposite and this appears to be 
confirmed in Andreas's post.



The simple fact is: The /dev maintainer(s?) seem to have silently
resigned without handing over the keys.
So no one is left who actually can apply and distribute the
patch (which shouldn't be that difficult, as it's only one package);
the /hipster community up to now has served only itself for the
purpose of porting the complete OI userland to gcc, and now, as
the pressure is rising, is trying to reorganise to take over /dev
to actually make stable and useable production releases.
This will take time, but I'm completely with you that a patch
for /dev/ should be made available as fast as possible, so the very
first task is to actually get access to the /dev/ infrastructure
to get at least something started.





[OpenIndiana-discuss] rbac console permissions on login manager

2014-10-09 Thread Gabriele Bulfon
Hi,
can anyone point me in the right direction?
I'm trying to add rbac / console permissions on lightdm for xstreamos desktop, 
to allow for many devices
to be available to a desktop user when he's detected to be on the console.
I looked at the gdm patches on OI, but I can't find which code is doing this.
Any help?
Gabriele.


Re: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

2014-10-09 Thread Andre Kruger
I recently tried to (re)join an OI machine to my company's AD. I had it joined 
previously but my AD integration broke when the AD admins turned on LDAPS. OI 
does not have the required libraries to join an AD environment that has LDAPS 
enabled.

You can troubleshoot this further if you issue the join command yourself and at 
the same time run it in debug mode:

net ads join -U username -d5

If the domain you are trying to join does have LDAPS enabled you should see 
this line, "StartTLS not supported by LDAP client libraries!", a few lines from 
the bottom when the join completes. Unless you have other errors that first 
need fixing. Eventually however once you have them all sorted out you will get 
this error.



-Original Message-
From: Andrew Martin [mailto:amar...@xes-inc.com] 
Sent: 08 October 2014 20:56
To: Discussion list for OpenIndiana
Subject: [OpenIndiana-discuss] Join to AD Domain with HA kpasswd server

Hello,

I am attempting to join an OpenIndiana server to an Active Directory domain for 
authenticating smb/server following this guide:
http://docs.oracle.com/cd/E19120-01/open.solaris/820-2429/configuredomainmodetask/index.html

However, I do not want to specify just a single domain controller in the kdc, 
admin_server, and kpasswd_server fields since that would be a single point of 
failure. I have a pair of forwarding servers that host a VIP (ad.example.com) 
and NAT traffic to any of the available DCs, so I'd prefer to put the hostname 
of this VIP in these fields instead:

[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
   kdc = ad.example.com
   admin_server = ad.example.com
   kpasswd_server = ad.example.com
   kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

However, this doesn't work when I run "smbadm join":
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for administra...@example.com by dc0
Using ad.example.com (dc0) as DC for domain example.com (example)
Tree Connection SUCCEEDED (0)
Authentication SUCCEEDED (0) for administra...@example.com by dc0
getting initial credentials (Incorrect net address)
getting initial credentials (Incorrect net address)
Joining domain to alter computer account FAILED (1) using administra...@example.com credentials.
Failed to connect to an Active Directory server.
Joining domain failed (c001)

I think this "Incorrect net address" error is occurring because the address 
list provided to Kerberos contains the IP addresses of the OpenIndiana server, 
not the NAT server (ad.example.com). According to the manpage, I should be able 
to add no_addresses to the [appdefaults] section to request an address-less
ticket:


[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
   kdc = ad.example.com
   admin_server = ad.example.com
   kpasswd_server = ad.example.com
   kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

[appdefaults]
kinit = {
renewable = true
forwardable = true
no_addresses = true
}

However, doing this does not improve the situation when running "smbadm join".
This DOES work when running "kinit" manually. Changing the kdc, admin_server, 
and kpasswd_server to use one of the DCs directly, e.g dc0.example.com, makes 
"smbadm join" work successfully. What can I do to successfully join the domain 
using this NAT server for HA?

Thanks,

Andrew Martin
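
A way to review the krb5.conf posted above, as an added example that is not part of the original message or of any OpenIndiana tool: a small Python parser (all function names are hypothetical) that reports which hostnames the realm depends on and in which [appdefaults] scope no_addresses is set. It assumes only the one-level `name = { ... }` nesting used in the post; "smbadm" is used purely as a lookup name, and the thread does not say whether smbadm reads [appdefaults] at all.

```python
import re

# The configuration from the message above, embedded as sample input.
SAMPLE_KRB5_CONF = """\
[libdefaults]
   default_realm = EXAMPLE.COM

[realms]
   EXAMPLE.COM = {
   kdc = ad.example.com
   admin_server = ad.example.com
   kpasswd_server = ad.example.com
   kpasswd_protocol = SET_CHANGE
   }

[domain_realm]
   .example.com = EXAMPLE.COM

[appdefaults]
kinit = {
renewable = true
forwardable = true
no_addresses = true
}
"""

TRUE_VALUES = {"true", "yes", "on", "1", "t", "y"}


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {key: [values]}}}.

    Repeated relations (for example several kdc lines) are kept as a list.
    Only one level of 'name = { ... }' nesting is handled (assumption).
    """
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, sub = conf.setdefault(header.group(1), {}), None
            continue
        if line == "}":
            sub = None
            continue
        if section is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "{":
            sub = section.setdefault(key, {})
        else:
            (section if sub is None else sub).setdefault(key, []).append(value)
    return conf


def realm_servers(conf, realm):
    """Hostnames configured for each Kerberos server role of a realm."""
    entry = conf.get("realms", {}).get(realm, {})
    return {role: entry.get(role, [])
            for role in ("kdc", "admin_server", "kpasswd_server")}


def distinct_server_hosts(conf, realm):
    """Every distinct hostname the realm's three roles depend on."""
    roles = realm_servers(conf, realm).values()
    return sorted({host for hosts in roles for host in hosts})


def option_scopes(conf, option):
    """[appdefaults] scopes where `option` is true; '*' means section-wide."""
    scopes = []
    for key, value in conf.get("appdefaults", {}).items():
        if isinstance(value, dict):
            if value.get(option, ["false"])[-1].lower() in TRUE_VALUES:
                scopes.append(key)
        elif key == option and value[-1].lower() in TRUE_VALUES:
            scopes.append("*")
    return scopes


def option_applies(conf, app, option):
    """True if `option` is set section-wide or in a subsection named `app`.
    Realm-named subsections are not considered (simplifying assumption)."""
    scopes = option_scopes(conf, option)
    return "*" in scopes or app in scopes


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    print("server hosts:", distinct_server_hosts(conf, "EXAMPLE.COM"))
    for app in ("kinit", "smbadm"):
        print(app, "no_addresses:", option_applies(conf, app, "no_addresses"))
```

On the posted file this reports a single hostname behind all three server roles and no_addresses scoped to the kinit subsection only.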
