I had to refresh Solaris on one of our old servers. After clean install on the first drive c1t0d0 with ZFS filesystem, I had to create root pool mirror by second drive c1t1d0 using zpool attach:

# zpool attach rpool c1t0d0s0 c1t1d0s0
invalid vdev specification
use '-f' to override the following errors:
/dev/dsk/c1t1d0s0 contains a ufs filesystem.

As c1t1d0 had a ufs filesystem from previous installation, I tried to force:

# zpool attach -f rpool c1t0d0s0 c1t1d0s0
cannot attach c1t1d0s0 to c1t0d0s0: device is too small

I realized that an old disk slice c1t1d0s0 can be smaller than c1t0d0s0 as c1t0d0s0 was reinitialized by installer and expanded to whole disk. I could check it using prtvtoc:

# prtvtoc /dev/dsk/c1t0d0s2
* /dev/dsk/c1t0d0s2 partition map
*
* Dimensions:
* 512 bytes/sector
* 848 sectors/track
* 24 tracks/cylinder
* 20352 sectors/cylinder
* 14089 cylinders
* 14087 accessible cylinders
*
* Flags:
* 1: unmountable
* 10: read-only
*
* First Sector Last
* Partition Tag Flags Sector Count Sector Mount Directory
0 2 00 0 286698624 286698623
2 5 00 0 286698624 286698623
#

I decided to save this map into a file and write to my second drive using fmthard then:

# prtvtoc /dev/dsk/c1t0d0s2 > /tmp/vtoc_root.out
# fmthard -s /tmp/vtoc_root.out /dev/rdsk/c1t1d0s2
fmthard: New volume table of contents now in place.

Now zpool attach works much better:

# zpool attach rpool c1t0d0s0 c1t1d0s0
Please be sure to invoke installboot(1M) to make 'c1t1d0s0' bootable.
Make sure to wait until resilver is done before rebooting.


# zpool status rpool
pool: rpool
state: ONLINE
status: One or more devices is currently being resilvered. The pool will
continue to function, possibly in a degraded state.
action: Wait for the resilver to complete.
scrub: resilver in progress for 0h0m, 37.79% done, 0h1m to go
config:
NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
c1t0d0s0 ONLINE 0 0 0
c1t1d0s0 ONLINE 0 0 0 2.44G resilvered
errors: No known data errors

Last but not least step was to make c1t1d0s0 bootable using installboot:

# installboot -F zfs /usr/platform/`uname -i`/lib/fs/zfs/bootblk /dev/rdsk/c1t1d0s0

Often it is necessary to send all outgoing mail via the relay host from the corporate network. This is not so difficult to specify that for Solaris’ sendmail.

cd /usr/lib/mail/cf
vi sendmail.mc


Find this row in sendmail.mc and specify your relay host name or IP instead of relay.sun.com in my example:
define(`confFALLBACK_SMARTHOST', `relay.sun.com')dnl

Then do:
make sendmail.cf
cp sendmail.cf /etc/mail/sendmail.cf
svcadm restart svc:/network/smtp:sendmail


that’s all. To test you can use mailx:
echo "This is the body."| mailx -s "Test subject" mail@mail.com

Here are my notes applicable for Solaris 10. First of all install latest patches – a lot of related things fixed (but new bugs may appear :))

1. Synchronize the system clock with AD server
   domain ntp server(s) must be in /etc/inet/ntp.conf
   then restart ntp daemon svcadm restart /network/ntp
2. Solaris server must have a record in the DNS
3. Domain name and name servers (DNS servers) must be in /etc/resolv.conf
4. In the /etc/nsswitch.conf file dns and files must be specified for hosts and ipnodes
   ...
hosts: dns files
ipnodes: dns files
...
5. In the /etc/nodename and /etc/hostname.<nic> files host name must be specified only, not a fully qualified domain name
6. Run adjoin script. You can find it here. It will:
   • auto-detects the Active Directory domain controllers
   • creates a machine account (also called a Computer object) for the Solaris host in Active Directory and generates a random password for this account
   • configures the Solaris host as a Kerberos client of the Active Directory domain controller by using the /etc/krb5/krb5.conf file
   • configures the /etc/krb5/krb5.keytab file on the Solaris host by using the keys for the machine account (also called host credentials)

   Execute adjoin script with following options:
   ./adjoin -d <domain_name> -p <administrator_principal> -f -x
   where -f to delete any pre-existing computer account for this host and -x to debug output.

   If your domain if geographically distributed with a lot of domain controllers (DC), script can detect inappropriate controllers. Just before entering admin password, check prepared adjoin-krb5.conf.XXXXXX file in the /tmp folder and remove unnecessary controllers from it.

   Adjoin script can stop work with pkcs11_kernel.so syntax error on some SUN servers:
   + ./adjoin[859]: /usr/lib/security/$ISA/pkcs11_kernel.so:: syntax error
   Then all you need is just to temporary rename this file and execute adjoin again
   mv /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_kernel.so.orig
   when adjoin finished successfully, rename it back

7. Run ldapsearch and klist to check Kerberos
   ldapsearch -R -T -h dc1.xxxxxx.com -o authzid= -o mech=gssapi -b CN=Computers,DC=xxxxxx,DC=com -s sub cn=<computer_name>
klist
klist -e -k /etc/krb5/krb5.keytab
8. Enable dns client and cache daemons
   svcadm enable /network/dns/client
svcadm enable /system/name-service-cache
9. In the /etc/nsswitch.ldap file dns and files must be specified for hosts and ipnodes
   ...
hosts: dns files
ipnodes: dns files
...
10. Set up a server as a client of an LDAP. Execute ldapclient
    ldapclient -v manual \
-a credentialLevel=self \
-a authenticationMethod=sasl/gssapi \
-a defaultSearchBase=dc=xxxxxx,dc=com \
-a defaultSearchScope=sub \
-a domainName=xxxxxx.com \
-a defaultServerList="dc1.xxxxxx.com dc2.xxxxxx.com dc3.xxxxxx.com" \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor="passwd:ou=Accounts,ou=European office,dc=xxxxxx,dc=com?sub;ou=Accounts,ou=American Office,dc=xxxxxx,dc=com?sub" \
-a serviceSearchDescriptor=group:ou=Groups,dc=xxxxxx,dc=com?sub
    ldapclient should finish without errors. To check use ldapclient list
11. Edit the /etc/nsswitch.conf file: files and ldap must be specified for passwd and group only
    ...
passwd: files ldap
group: files ldap
hosts: dns files
ipnodes: dns files
networks: files
protocols: files
...
    remove ldap from everywhere else
12. Restart LDAP client
    svcadm restart /network/ldap/client
13. Add pam_krb5.so.1 in the /etc/pam.conf file
    ...
login auth sufficient pam_krb5.so.1
krlogin auth required pam_krb5.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_krb5.so.1
other auth sufficient pam_krb5.so.1
other account required pam_krb5.so.1
other password sufficient pam_krb5.so.1
...

To ensure that users could login on the host under their AD accounts, accounts in AD must have following additional attributes:
uid the same as sAMAccountName
uidNumber unique number
gidNumber number
unixHomeDirectory for example /tmp
loginShell for example /usr/bin/bash or /bin/false

To check it use getent or ldapsearch
getent passwd <uid>
ldapsearch -R -T -h dc1.xxxxxx.com -b "ou=Accounts,ou=American Office,dc=xxxxxx,dc=com" -o mech=gssapi -o authzid='' "uid=<uid>"

If you would like read more: link to SUN’s article “Using Kerberos to Authenticate a Solaris 10 OS LDAP Client With Microsoft Active Directory”.