HP CIFS Client A.02.01 Administrator’s Guide
HP-UX 11i v1 and v2
Manufacturing Part Number: B8724-90067
April, 2005
U.S.A.
© Copyright 2005 Hewlett-Packard Company.
Legal Notices

The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty.
Trademark Notices. UNIX is a registered trademark of The Open Group.
Contents

1. Introduction to the HP CIFS Client
   Introduction to HP CIFS
   What is the CIFS Protocol?
   HP CIFS Client Description
   HP CIFS Client Features
   Requirements and Limitations Using Kerberos
   Using Kerberos with the HP CIFS Client
   Step 1. Review fundamental Kerberos Operating Principals
   Step 2. Set Up and Verify the Kerberos Infrastructure
   Step 3. Configure Kerberos on the HP CIFS Client
   Files
   See Also
   cifslogin
   Synopsis
   How to Shutdown the Daemon with cifsclient stop
   What to Do if the Daemon Terminates
   Troubleshooting Kerberos in the HP CIFS Client
   CIFS Client Log File and Log Levels
7. Configuration File
   General Structure
Preface: About This Document

The latest version of this document can be found online at: http://www.docs.hp.com

This document describes how to install, configure, and troubleshoot HP CIFS Client on HP-UX platforms. The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.
Publishing History

Table 1 Publishing History Details

Document Manufacturing   Operating Systems      Supported Product   Publication
Part Number              Supported              Versions            Date
B8724-90067              11i v1 and v2          A.02.01             April 2005
B8724-90044              11.0, 11i v1 and v2    A.01.09             August 2003
B8724-90022              IA 11.22               A.01.08             June 2002
B8724-90011              11.0, 11i v1 and v2    A.01.06             June 2001

What’s in This Document

This manual describes how to install, configure and troubleshoot the HP CIFS Client software product.
A.01.* and A.02.*. This chapter also provides the update procedures so that you can plan and upgrade your CIFS Client.

Chapter 5  Commandline Utilities
Use this chapter to learn about UNIX man pages for all HP CIFS Client utilities.

Chapter 6  Troubleshooting the HP CIFS Client
Use this chapter to understand the detailed procedures to help diagnose HP CIFS Client problems.
1 Introduction to the HP CIFS Client

This chapter provides an HP CIFS Client description. It contains the following sections:
• Introduction to HP CIFS.
• HP CIFS Client Description.
• HP CIFS Client Features.
Introduction to HP CIFS

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX.
PAM NTLM

The HP-UX PAM subsystem gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The framework also allows new authentication service modules to be plugged in and made available without modifying the applications. The PAM framework, libpam, consists of an interface library and multiple authentication service modules.
HP CIFS Client Description

HP CIFS Client implements the CIFS protocols on HP-UX so that HP-UX users may mount shares from CIFS servers as UNIX file systems.
HP CIFS Client Features

Following is a list of the HP CIFS Client major features:
• CIFS UNIX Extensions
• NTLM PAM Integration
• Kerberos Authentication, Integration with System Kerberos Cache
• ONC AutoFS 2.
users who log in to an HP-UX system will have access automatically to CIFS-mounted file systems provided that PAM NTLM and the CIFS server are using the same database.

Kerberos Authentication: Integration with System Kerberos Cache

The CIFS Client supports the Kerberos authentication mechanism. Kerberos is a secure, industry-standard authentication protocol.
NOTE  Automounting a CIFS filesystem using the HP ONC+ AutoFS service is only supported on HP-UX release 11i v1 and v2. If you have the HP-UX 11i v1 system, you must install the ONC software package, Enhanced AutoFS, available at http://software.hp.com to enable the AutoFS 2.3 support. AutoFS doesn’t support HP CIFS Client on HP-UX release 11.0.
NetBIOS Name Services, WINS, and DNS Support

HP CIFS Client A.02.01 supports DNS and the NetBIOS Name Services, including WINS, a Windows name resolution service similar to DNS. The configuration parameters lookupTryNetbios, lookupTryDns and nbnsWinsIP are used to configure which lookup mechanisms are used. For detailed information, see “Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration” on page 37.
2 Installing, Configuring, and Using the HP CIFS Client

This chapter describes the procedures for installing HP CIFS Client software on your system. It contains the following sections:
• “Overview of HP CIFS Client Installation and Configuration” on page 25.
• “Step 1: Checking HP CIFS Client Installation Prerequisites” on page 26.
• “Step 2: Installing HP CIFS Client and PAM Software” on page 27.
• “Step 3: Configuring the HP CIFS Client” on page 28.
• “Step 4: Starting and Stopping the HP CIFS Client Daemon” on page 30.
• “Using the HP CIFS Client” on page 31.
Overview of HP CIFS Client Installation and Configuration

Installation of the HP CIFS Client includes checking installation prerequisites, loading the HP CIFS Client filesets using the swinstall(1M) utility, and completing HP CIFS configuration procedures. The CIFS Client and PAM NTLM products are delivered in the same bundle, packaged for installation via HP Software Distributor (SD).
Step 1: Checking HP CIFS Client Installation Prerequisites

Prior to loading the HP CIFS Client software onto your system, check that you have met the following hardware and software prerequisites:

1. The HP CIFS client runs on all HP workstations and servers that are capable of running HP-UX version 11.11 or later, in either 32-bit or 64-bit mode.
Step 2: Installing HP CIFS Client and PAM Software

You must have root privileges to install software on your HP-UX system. Because the CIFS Client contains a kernel module, the installation reboots the system upon completion.

Installing From CD

If you are installing HP CIFS Client and PAM software from CD, run swinstall, and select HP CIFS Client or PAM NTLM (or both) from the CD ROM depot path.
Step 3: Configuring the HP CIFS Client

The configuration file for the HP CIFS Client, /etc/opt/cifsclient/cifsclient.cfg, can be used as delivered, with no modification of its default values.

Editing cifsclient.cfg

The file /etc/opt/cifsclient/cifsclient.cfg.default contains factory default settings. The user is urged not to modify this file but to save it as a reference.
If, for example, your CIFS Client is configured as a Japanese system using the Shift-JIS locale, and it is connected to a Japanese CIFS Server that also uses Shift-JIS, you would configure the following:

    serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";
    clientCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";

3.
Step 4: Starting and Stopping the HP CIFS Client Daemon

Use the cifsclient command to start and stop the HP CIFS client. The syntax is:

    cifsclient {start|stop}

cifsclient with no argument is equivalent to cifsclient start. If the HP CIFS client is already running when you execute the command, you will get a message indicating it is already up.
Using the HP CIFS Client

This section presents a summary of how the HP CIFS Client can be used. The basic procedure is (1) start the daemon, (2) mount shared directories, (3) log in to CIFS Servers. Following are examples of these steps and some additional useful tips:

1. Start the daemon.
To mount:

    $ mount -F cifs buildsys:/source /home/devl/source

To unmount, specify only the mount point:

    $ umount /home/devl/source

3. Access the shared directory via the mount point on the Client. The CIFS protocol allows access to mounted directories only to users who have been authenticated by the server or a domain controller. This is accomplished through the cifslogin command.
This succeeds. You can use the cifslist command to verify the results. The cifslist command without any option displays servers with their shares and mountpoints; it uses the \\server\share format for mounted objects.
    $ cifslist
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    \\BUILDSYS\source     /home/devl/source     M
    =============================================================
    Server      Local User   Remote User   Domain      State
    -------------------------------------------------------------
    buildsys    joe          joe                       L
    buildsys    lucy         lucy                      L

Note that the Local User (the HP-UX account name) does not need to be the same as the
Mounting and Logging in in One Step

The root user has the option to mount a CIFS filesystem and log in to the CIFS Server in one step, eliminating the need to explicitly issue the cifslogin command. Using the names from the examples above:

    $ mount -F cifs -o username=x,password=y buildsys:/source /home/devl/source

where x and y are the name and password pair recognized by the server.
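The cifsmount reference in Chapter 5 notes that command-line parameters can be read through ps, which also applies to password= given in -o. The following check is an added example, not part of the HP guide or HP's software: it scans script or ps text for the command forms this guide shows and prints each hit with the secret redacted. The function names and sample lines are constructed, and the cifsmount argument order in the samples is illustrative.

```shell
#!/bin/sh
# Added example (not HP code): find CIFS commands that expose a password on
# the command line, where ps(1) can show it to other local users.

# Constructed sample input: lines as they might appear in a startup script.
sample_commands() {
    cat <<'EOF'
mount -F cifs -o username=x,password=y buildsys:/source /home/devl/source
mount -F cifs buildsys:/source /home/devl/source
cifsmount //buildsys/source /home/devl/source -P Example-Pw-1
cifsmount //buildsys/source /home/devl/source -S
cifslogin buildsys -U joe -u
cifslist -u
EOF
}

# Reads command lines from the named file(s) or stdin.
# Prints "<line no>: <reason>: <redacted line>" for each finding.
scan_cifs_cmdlines() {
    awk '
    $1 ~ /^#/ { next }                      # skip shell comment lines
    {
        cmd = ""; cifs = 0; pw = 0; reason = ""
        for (i = 1; i <= NF; i++) {
            if (cmd == "") {
                base = $i; sub(/^.*\//, "", base)   # strip any directory part
                if (base == "mount" || base == "cifsmount" || base == "cifslogin") cmd = base
                continue
            }
            # mount is only of interest when the file system type is cifs
            if (cmd == "mount" && $i == "-F" && $(i + 1) == "cifs") cifs = 1
            if (cmd == "mount" && $i == "-o" && $(i + 1) ~ /(^|,)password=/) {
                opts = $(i + 1)
                gsub(/password=[^,]*/, "password=****", opts)   # redact the value
                $(i + 1) = opts; pw = 1
            }
            if (cmd == "cifsmount" && $i == "-P" && i < NF) {
                $(i + 1) = "****"                               # redact the value
                reason = "password after -P is visible in ps"
            }
            # cifslogin -u enables plain text passwords (cifslist -u is unrelated)
            if (cmd == "cifslogin" && $i == "-u") reason = "-u permits sending the password in plain text"
        }
        if (cifs && pw) reason = "password= in -o is visible in ps"
        if (reason != "") printf "%d: %s: %s\n", NR, reason, $0
    }' "$@"
}

sample_commands | scan_cifs_cmdlines
```

The matching is a token-level heuristic; it does not follow shell variables or quoting.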
Automatic Mounting of CIFS Filesystems

In addition to the mount command discussed in the previous section, which was used to explicitly create a single mount, there are other methods to manage the mounting of CIFS file systems. See the reference for mount_cifs and umount_cifs in Chapter 5 for syntax details not contained in this section.
Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration

When the CIFS Client attempts to mount a CIFS server, it must first establish a NetBIOS connection to the server; hence the server specified in the mount or cifsmount command must be the CIFS server’s NetBIOS (Windows) name.
• If the server’s NetBIOS name differs from its DNS name (DNS cannot resolve it), and it is on a different subnet from the CIFS Client (NetBIOS broadcast cannot resolve it), and its address is not resolved by WINS, then you need to create a server entry for the IP address in the CIFS Client configuration file.
HP CIFS Client Files and Directories

This section lists the important files that comprise the HP CIFS Client.

Table 2-1 HP CIFS Client Files and Directories

File/Directory          Description
/opt/cifsclient/        Base directory for all CIFS Client core files and administrative files.
/opt/cifsclient/bin/    CIFS Binaries.
cifsmount               Mounts CIFS Shares from CIFS Servers. Can only be used by root user.
Table 2-1 HP CIFS Client Files and Directories (Continued)

File/Directory          Description
cifsdb                  Adds, modifies and deletes entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
/opt/cifsclient/pam     HP CIFS PAM files.
/opt/cifsclient/sbin    CIFS Clients for use by the administrator or root user. The CIFS Client daemon is contained in this directory.
3 CIFS Security and Authentication

This chapter provides a description for CIFS Security and Authentication Methods using Windows NT LanManager (NTLM), NTLMv2 and Kerberos. It contains the following sections:
• “Introduction” on page 43.
• “User Login Procedures” on page 45.
• “Introduction To Kerberos” on page 47.
• “Using Kerberos with the HP CIFS Client” on page 48.
• “CIFS Client Kerberos Authentication Policies” on page 52.
• “Packet Signing” on page 53.
Introduction

One of the important characteristics of the CIFS file-sharing protocol is its security model. Before a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated by the server (the user must log in to the server). Four login methods are available; they are explained in the following pages. Restrictions at the file or directory level on the server’s filesystem are also enforced by the server.
Server-Specific configuration section below. These parameters are used to select which mechanisms are used by the CIFS Client to authenticate users to CIFS servers. Legal entries for the authenticationMethod parameter are ntlm or kerberos. The default value of this parameter is ntlm.
User Login Procedures

• Explicit Login (cifslogin)
  Users on the CIFS Client can authenticate themselves to CIFS servers explicitly with the cifslogin command. Please see the cifslogin man page in Commandline Utilities Chapter.
• Automatic Login
  The CIFS Client provides methods for accessing mounted CIFS file servers automatically. The initial request for access to a CIFS mountpoint (cd, ls, etc.
perform a manual login in order to store the encrypted password. You can use the cifslogin -s or cifsdb command to save an entry in the user database or use the cifsdb -d command to delete an entry from the user database. Please see man pages cifslogin, cifsdb in Chapter 5, “Commandline Utilities,” on page 69 for details.

NOTE  Automatic login using user database is not supported with Kerberos 4.
Introduction To Kerberos

Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or only a server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal.
Using Kerberos with the HP CIFS Client

These procedures should be followed to use Kerberos with the HP CIFS Client:

Step 1. Review fundamental Kerberos operating principals
Step 2. Set up and verify the Kerberos infrastructure
Step 3. Configure Kerberos in the HP CIFS Client

Step 1.
  http://www.isi.edu/gost/publications/kerberos-neuman-tso.html
• The documentation repository at Massachusetts Institute of Technology (the developer of Kerberos):
  http://web.mit.edu/kerberos
• The Kerberos specification, RFC 1510. An excellent introduction (section 1) and descriptions of message exchanges (section 3):
  http://ftp.rfc-editor.org/in-notes/rfc1510.
The CIFS servers to which you want to connect via Kerberos with the CIFS client must be joined to the Windows Domain. For more information, refer to Windows online help or the HP CIFS Server Administrator’s Guide. For information on setting up user accounts on a Windows KDC, consult online help for managing user Domain accounts. To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1.
Step 3. Configure Kerberos on the HP CIFS Client

Set the configuration parameter authenticationMethod to kerberos. The configuration setting is:

    authenticationMethod = kerberos;

Ensure there are no active CIFS mounts or logins at the server, and then log in as illustrated in “User Login Procedures” on page 45.
CIFS Client Kerberos Authentication Policies

This section assumes that the CIFS server and client have negotiated the use of Kerberos.

Explicit login: cifslogin

Kerberos authentication is implemented transparently in this command. Required Kerberos credentials (TGT and ST) are acquired from the KDC on behalf of the user and the Service Ticket (ST) is sent to the CIFS server within a SESSION_SETUP request.
Packet Signing

The purpose of the CIFS packet signatures is prevention of man-in-the-middle attacks: the client and server are mutually assured of the other’s identity by requiring a unique signature on each SMB packet.
Table 3-1 Configuration Options For smbPacketSigning

Valid Option   Description
enabled        HP CIFS Client connects with the CIFS server and signs packets if the server supports signing. HP CIFS Client connects with the CIFS server, but does not sign packets if the CIFS server does not support signing.
required       The CIFS server must support signing.
4 Migrating From HP CIFS Client A.01 to A.02

HP CIFS Client A.02.* provides new features and requires only minimal configuration changes to update in most cases. There are some configuration parameter and command option differences between HP CIFS Client A.01.* versions and HP CIFS Client A.02.* versions. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS Client. This chapter contains the following sections:
• “Migrating from version A.01.* to A.02.* of HP CIFS Client” on page 57.
• “Functionality Differences Between HP CIFS Client A.01.* and A.02.
Migrating from version A.01.* to A.02.* of HP CIFS Client

Special Instructions For Users of HP CIFS Client Versions A.01.*

NOTE  These migration procedures are recommended for users who:
• may want to revert to an A.01.
Step 2. Save configuration file to the backup directory. If you do not use a modified version of the configuration file, you may skip this step.

    $ cp /etc/opt/cifsclient/cifsclient.cfg A.01_migration_files/A.01.cfg

Step 3. Use the cifslist -U command to generate an ASCII listing of saved user records in the database and save it to the backup directory.
Step 1. Remove version A.02 (a system reboot will occur after the removal is completed):

    $ swremove -x autoreboot=true -x mount_all_filesystems=false B8724AA

Step 2. Download the most recent release of version A.01 of the CIFS Client from http://software.hp.com.

Step 3. Install the downloaded CIFS Client depot.
Functionality Differences Between HP CIFS Client A.01.* and A.02.*

The following describes functionality differences between HP CIFS Client A.01.* and A.02.*:
• In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. The HP CIFS Client A.01.x or earlier versions log out the users when the last share is unmounted.
Configuration Differences Between HP CIFS Client A.01.* and A.02.*

Comments in Configuration File

In HP CIFS Client A.01.*, multiple comment tags were recognized. In HP CIFS Client A.02.*, the # character starts a comment; any text between a # character and the end of a line is a comment.
Removed Configuration Parameters

The following is a list of A.01.* configuration parameters which are no longer used in the HP CIFS Client A.02.*:
• runAsUser
• databaseFile
• mtabName
• maxOpenFiles

Parameter Name Changes

Table 4-1 shows a list of A.01.* configuration parameters which have been renamed in the HP CIFS Client A.02.*:

Table 4-1 Parameter Name Changes

A.01.*    A.02.
The following is a list of new configuration parameters for the Global section in HP CIFS Client A.02.*:
• corefileLimit
• networkInterfaces
• bindUdpExplicitly
• pagePoolInitialSize

The following is a list of new configuration parameters for the nfs3 specific basis in HP CIFS Client A.02.
Command Option Differences Between HP CIFS Client A.01.* and A.02.*

This section describes command option differences between HP CIFS Client A.01.* and A.02.* shown in the following tables. These tables do not show command options that have not changed between versions A.01.* and A.02.*. For detailed information on the commands, see Chapter 5, “Commandline Utilities,” on page 69.
Table 4-3 shows a list of mount -F cifs command option differences between A.01.* and A.02.*.

Table 4-3 mount_cifs

A.01.*         A.02.*         Comments
-o nbname=                    Moved to configuration file in A.02.*
-o port=                      Moved to configuration file in A.02.*
               -o domain=     New option in A.02.*
                              Removed in HP CIFS Client A.02.
Table 4-5 shows a list of cifslogin command option differences between A.01.* and A.02.*.

Table 4-5 cifslogin

A.01.*                               A.02.*        Comments
Username given in the command line   -U username   Can specify the username with or without -U option in A.02.*.
                                     -D domain     New parameter in A.02.*, overrides the configured value.

Table 4-6 shows a new cifsdb command implemented in A.02.*.

Table 4-6 cifsdb

A.01.
5 Commandline Utilities

This chapter provides details for the CIFS Client Commandline Utilities.

cifsclient    Stop and start the CIFS client.
cifsmount     Mount a directory from a remote server.
cifslogin     Authenticates a user to the remote server.
cifsumount    Disconnect a local mountpoint from the server, if it is not mounted elsewhere.
cifslogout    Disconnect a user login session and disconnect the server shares from the specified server. After logging out, the user cannot access any files from that server.
cifslist      Lists connected servers, mountpoints, mounted shares, etc.
cifsclient

Synopsis

    cifsclient {command}
    cifsclient fuser [-v] mountpoint [...]
    cifsclient force_umount {mountpoint [...]| -a}

Description

This shell script is used to start and stop the HP CIFS Client, and perform other useful tasks. Only users with root capabilities can invoke start, stop, restart, fuser, and force_umount (see also the -a option to klist and kdestroy). Any user can invoke status, klist, kdestroy, and ver.
directly, specifying the -c {filename} option. CIFS Client Kerberos credentials files are located in /var/opt/cifsclient/krb5_tmp. These files will be present on the system only if the configuration parameter, rmTmpKerbCredFiles, has been set to no.

-a          (recognized only for root) destroys all files for all users.

ver [-v]    Report version information. The following modifiers are also recognized:

-v          Verbose: display what(1) strings for binaries, scripts and configuration files.
This file contains run-time configuration options for the HP CIFS Client. For detailed information see Chapter 7.

/var/opt/cifsclient/krb5_tmp/krb5cc__
Temporary CIFS Client Kerberos credentials file. is the name of the CIFS server to which the user has been authenticated, is the decimal UID of the user.
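As an added example (not part of the HP guide or HP's software), this check reads a cifsclient.cfg-style file and reports the settings this guide ties to security or migration: authenticationMethod, smbPacketSigning, rmTmpKerbCredFiles, and the parameters removed in A.02.*. It assumes flat name = value; lines with # comments; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example (not HP code): report security-relevant settings in a
# cifsclient.cfg-style file, using only parameters this guide names.
# Assumption: settings are flat "name = value;" lines, like the guide's
# "authenticationMethod = kerberos;"; section nesting is not modelled.

# Constructed sample: an A.01-era file carried forward to A.02.*.
sample_cfg() {
    cat <<'EOF'
# constructed sample configuration
runAsUser = "root";              # value is made up for the example
authenticationMethod = ntlm;
smbPacketSigning = enabled;      # signs only if the server can
rmTmpKerbCredFiles = no;
serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";
EOF
}

# Reads a configuration from the named file(s) or stdin.
# Prints one finding per line; prints nothing when there is nothing to report.
audit_cifs_cfg() {
    awk '
    BEGIN {
        # Parameters the guide lists as no longer used in A.02.*
        removed["runAsUser"] = 1; removed["databaseFile"] = 1
        removed["mtabName"] = 1;  removed["maxOpenFiles"] = 1
    }
    {
        # A.02.* rule: "#" starts a comment that runs to end of line.
        # A "#" inside double quotes is kept as part of the value.
        out = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            if (c == "#" && !inq) break
            out = out c
        }
        if (match(out, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/)) {
            name = substr(out, RSTART, RLENGTH)
            gsub(/[ \t=]/, "", name)
            value = substr(out, RSTART + RLENGTH)
            sub(/;[ \t]*$/, "", value)              # drop the terminating ";"
            gsub(/^[ \t"]+|[ \t"]+$/, "", value)    # trim blanks and quotes
            seen[name] = value
            if (name in removed) printf "REMOVED %s (line %d): no longer used in A.02.*\n", name, NR
        }
    }
    END {
        # The guide gives ntlm as the default and ntlm/kerberos as legal values.
        auth = ("authenticationMethod" in seen) ? seen["authenticationMethod"] : "ntlm"
        if (auth != "ntlm" && auth != "kerberos")
            print "INVALID authenticationMethod=" auth ": legal values are ntlm or kerberos"
        else if (auth == "ntlm")
            print "AUTH authenticationMethod is ntlm (the default), not kerberos"
        # With "enabled" the client still connects to servers that cannot sign.
        sign = ("smbPacketSigning" in seen) ? seen["smbPacketSigning"] : "unset"
        if (sign != "required")
            print "SIGNING smbPacketSigning is " sign ", not required"
        # "no" leaves per-user credential files on disk.
        if (seen["rmTmpKerbCredFiles"] == "no")
            print "KRBFILES credential files are kept in /var/opt/cifsclient/krb5_tmp"
    }' "$@"
}

sample_cfg | audit_cifs_cfg
```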
cifsmount

You can use the mount command to execute the cifsmount command. Both commands are shown below.

Synopsis

    cifsmount [] ///

Description

The cifsmount command is used to mount remote shares on the local file system. It mounts the share from server in the local file system at . The mountpoint must exist.
the possibility to pass a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.

-S    Reads the password from stdin. This option may be useful if you want to use cifsmount from a shell script or another program. The -P option is insecure for this purpose because the UNIX command ps can show the commandline parameters of running processes.

-N    Do not prompt for a password.
You can use this option safely only if you are the only one who has physical or root access to your machine or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.

Examples

The following command mounts the share entiredisk from the server bigserver at the local mountpoint /mounts/bigserver and mounts it as a read-only filesystem.
cifslogin

Synopsis

    cifslogin [] []
    cifslogin [] ///

Description

The cifslogin command is used to authenticate additional users at a server. Only authenticated users may access mounted files. Each user accesses the file at the server with his or her privilege status at that server.
-N    Do not prompt for a password. This option may be used to avoid prompting for a password if you are already logged in at the server or if the user does not have a password.

-u    Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g.
Examples

If local user steve has mounted a share from server bigserver, local user bill has no access to the mounted files because he is not logged in at the server. Bill, who has an account on bigserver under his real name miller, can do the following to gain access:

    cifslogin bigserver -U miller

Bill will be prompted for a password and if it is correct, he will be given access to the share with the same privileges that user miller has on bigserver.
cifsumount

You can use the umount command to execute the cifsumount command. Both commands are shown below.

Synopsis

    cifsumount []
    cifsumount -a

Description

The cifsumount command is used to unmount any shares mounted with cifsmount. Shares can only be unmounted by the user that mounted the share at the given mountpoint or the superuser. The second variant (with the -a option) unmounts all mounts that are currently served. In HP CIFS Server A.02.
cifslogout

Synopsis

    cifslogout

Description

The cifslogout command is used to log the user who uses the command out of the server specified. After issuing cifslogout, the user cannot access any files from that server unless he or she is still stored in the user database.
cifslist

Synopsis

    cifslist []

Description

The cifslist command is used to view internal tables of HP CIFS Client. In HP CIFS Client A.02.*, the cifslist command without options will list all connected servers with shares and mountpoints information.

Options

-h    Prints short help and exits.
-u    Lists users only.
-m    Lists mounts only.
-x    Displays mounted objects using UNIX style format: server:/share.
-r    Prints raw output format.
The sample output of the cifslist command is shown as follows:

    $ cifslist
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    \\er721142\pub        /mnt/cifs_linux/00    M
    \\er721141\pub        /mnt/cifs_nt/00       M
    \\hpntc43\pub         /mnt/cifs_nt/01       MS
    =============================================================
    Server      Local User   Remote User   Domain      State
    -------------------------------------------------------------
    er721141    root         cifsuser                  L
    er721142    root         john                      L
    hpntc43     root         cifsuser      WORKGROUP   LS

In the above example, HP CIFS Client displays servers with shares and mountpoints information; it uses the UNIX format: server:/share for mounted objects.
cifsdb

Synopsis

    cifsdb [-d] {}

Description

The cifsdb command is used to add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically, as described below.
For CIFS logins that have been authenticated with Kerberos, users’ NTLM password hashes are not saved in the CIFS Client user database. You can establish automatic CIFS logins with Kerberos through kinit(1) or PAM-KERBEROS, as described in Chapter 3, “CIFS Security and Authentication”.

Options

    -d {}    Delete the corresponding entry for this mount_point or server from the database.
mount_cifs, umount_cifs

Mounts and unmounts CIFS file systems.

Synopsis

    mount -F cifs [-ar] [-o option[,option...]] [server:/share mount_point]
    umount -aF cifs | mount_point

Description

The mount command mounts file systems. Only a superuser can mount file systems. Other users can use mount to list mounted file systems. Use cifslist to view CIFS-specific mounts and user connections. The mount command attaches server:/share to mount_point.
    -r    Mounts as read-only.

    -o    This class of options is specified with the following syntax:

              -o keywrd[,keywrd...],keywrd=value[,keywrd=value...]

          Some keywords are specified as keyword/value pairs, some are not. -o options must be delimited by commas; no white space is allowed.
Files

    /etc/mnttab    Table of mounted file systems.
    /etc/fstab     List of default parameters for each CIFS file system.
6 Troubleshooting and Error Messages

This chapter includes information about problems that you may encounter when using the HP CIFS client and explanations of error messages that might occur with HP CIFS commands.

• “Troubleshooting FAQs”
• “Troubleshooting Kerberos in the HP CIFS Client”
• “CIFS Client Log File and Log Levels”
Troubleshooting FAQs

This section includes commonly asked questions about HP CIFS.

How to Shut Down the Daemon with cifsclient stop

You should never kill the daemon process directly. Although HP CIFS tries to unmount all mounted shares, it may not be successful, and the stale mounts will become unusable and cause problems. The correct way to do it is with cifsclient stop.
Troubleshooting Kerberos in the HP CIFS Client

• cifsTrace, authentication log levels
  Informative log messages will be produced by Kerberos processing in the HP CIFS Client log file if the cifsTrace and authentication log levels are enabled.

• Temporary credentials files
  When Kerberos authentication is used, the HP CIFS Client utilizes a temporary file to store users’ credentials during login processing.
in the servers section. The servers section of the configuration file is discussed near the end of Chapter 7, and the configuration file itself contains a sample servers entry.
CIFS Client Log File and Log Levels

The CIFS Client produces a log file of its activities in the directory /var/opt/cifsclient/debug. Each time the client starts, it creates a new log file, named client-log.pid, where pid is the HP-UX process id of the CIFS Client daemon, cifsclientd. Normally, the log file records only errors or warnings.
7 Configuration File

The default configuration file should work without modifications. Do not modify the configuration file unless you are sure you know what you are doing.
The configuration file is parsed by the HP CIFS Client daemon at startup and when edited. Although it is re-read by the running daemon, not all configuration changes will work immediately. Most options are read into internal variables when they are used. The server configuration, for instance, is transferred into internal structures when a connection to the server is opened.
General Structure

Configuration files are built from the following simple syntactic structures:

• remarks
• strings
• arrays
• dictionaries

Strings, arrays and dictionaries are classified by the generic term "property".

The # character starts a comment; any text between a # character and the end of a line is a comment.

    # remark to end of line

Strings are sequences of alphanumeric characters, including the underscore.
        property3 = {
            firstWord = value;
            secondWord = of;
            thirdWord = property3;
        };
    }

The configuration file itself is a dictionary (the surrounding curly braces are optional because other properties are not allowed). The keys at the top level are the names of the configuration variables.

Properties that have been parsed as strings may be interpreted in one of the following ways:

• string
• number
• enumeration
• boolean

String needs no further explanation.
Configuration Parameters

The following is a list of all variables that may be configured for the five top-level groups: logLevels, global, nfs, cifs and server.

logLevels

The value of this variable is an array enumerating all logging modes that are active. The number in brackets indicates the type of the logging messages in the log file. A logging mode is a string out of the following set:

info [0]
    Logging of informational messages. Should be turned on.
[6]
    Generates hex-dumps of all outgoing and incoming Netbios traffic. This is very useful during debugging but should be turned off for normal operation.

nfsTrace [7]
    Provides detailed information about all NFS requests done by the kernel and the respective return values. It is very useful for debugging NFS but should be turned off for normal operation.

rare [8]
    Logging of rare conditions. Used only during debugging.
The numbers in square brackets which precede the descriptions are used to denote messages of the respective logging mode in the logging output.

smbConnect [16]
    Debugging of server connection and disconnection messages for NetBIOS. Useful only during debugging.

uiTrace [17]
    Generates hex-dumps of the communication with the user interface. This is useful during debugging but should be turned off for normal operation.
prefixed with a leading 0x; or in decimal notation if not prefixed with any of the above. Owner and group may be given by name or as numeric id. Do not set these values to anything other than mode=0600 and owner=root unless you really know what you are doing. The file access modes of this UNIX domain socket are used to provide secure authentication of the user that requests a service to the daemon.
defines the mapping from the internal Unicode representation to the ASCII strings sent to the server (and vice versa). The default is a codepage 437 mapping, which is the US-Latin DOS character set. Mapping files for various character sets are distributed with HP CIFS Client in the directory unitables.

clientCharMapFile
    This variable configures the path to the character mapping file for the client.
If this variable is set to yes, HP CIFS Client binds UDP ports to all networks explicitly. Otherwise, it binds to address 0.0.0.0, a wildcard for all network interfaces installed. Binding explicitly may be required on operating systems which do not handle the source IP address of broadcasts correctly if there are multiple network interfaces.
nfs3

This section defines a default behavior which can be overridden by specific configurations. The NFS3 section contains the following parameters:

cacheFiles
    This variable defines the number of files cached by NFS handle. The default is 500.

cacheOpenFiles
    This variable defines the number of files that can be kept open even if they are not currently accessed. The default is 20.
This strategy derives the NFS file handle as a hash value from the path. The hash is chosen in a way that makes efficient lookups possible, as long as the depth of the file in the directory hierarchy is lower than 27. The advantage of this strategy is the low memory consumption: Files can be looked up on demand, nothing has to be stored. The main disadvantage is that NFS file handles change when files are renamed.
requests. However, if your system's NFS client puts high loads on NFS servers and has small maximum socket buffer sizes, requests can get lost due to buffer overflows. A value of 5 (which is also the default) should be a good choice. You may want to experiment with nfsTimeout to get the optimum performance even with frequent buffer overflows.

nfsSockRxBuf
    This integer variable sets the receive buffer size of the socket used to communicate with the kernel.
cifs

The structure of CIFS has its mirror in the multitude of options for CIFS configurations. This section defines a default behavior which can be overridden by specific configurations. The CIFS section contains the following parameters:

dataCacheSize
    This integer variable defines the number of bytes spent per data cache. The value of this variable should be a multiple of 8k.

databaseFile
    This variable configures the path to the user database file.
This boolean variable configures whether NetBIOS broadcast is enabled. WINS is a feature of the NetBIOS name server. To enable WINS lookup, you must set this variable to yes and specify the nbnsWinsIp variable with the IP address of the WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. By default, this parameter is set to yes.

lookupTryDns
    This variable configures whether Domain Name Server (DNS) lookup is enabled.
preserved by setting this variable to no. The files are located in /var/opt/cifsclient/krb5_tmp. The default is yes.
cifs.server.default

The baroque structure of CIFS has its mirror in the multitude of configuration options for CIFS connections. This variable defines a default behavior which can be overridden by specific configurations for each server. The value is a dictionary with the following parameters:

localNetbiosName
    This entry can be used to set the Netbios name for the client that is sent to the server.
is used for logins to the server. If the value is set to ntlmv2, then NTLMv2 is used. The default setting is ntlm.

smbPacketSigning
    This string variable specifies which option is used by the HP CIFS Client to perform packet signing. The valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled.
guestRemoteUser
    The guestRemoteUser configuration solves the following problem: each UNIX user must be logged in at the server (be mapped to a CIFS username/password pair) in order to access anything, even if the share is public. It may be impractical to log in each user if there is a large number of UNIX users who want to access a public share where access permissions are not important.
following keywords are valid: archive, system, hidden, on, or off. Default is on. A side-effect of execMapping is that if the configured attribute is set on the server, the file will be listed on the UNIX Client with the execute bit set for all users (owner, group, and other).

WARNING If you plan to store UNIX executables on a CIFS server and invoke them on a UNIX Client, then the default setting execMapping = on is required.
actual state that these attributes must have. It is 6 by default, which means that hidden and system must be set, but not read-only. The configuration value is calculated as the sum of the following components:

Table 7-1

    1     read-only
    2     hidden
    4     system
    32    archive

linksAreUnicode
    If this boolean variable is set to yes, the HP CIFS Client stores faked links in Unicode format on the server.
The keep-open time in milliseconds if an exclusive oplock has been acquired.

batchLock
    The keep-open time in milliseconds if a batch oplock has been acquired.

noLock
    The keep-open time in milliseconds if no lock has been granted.

dataCacheTimeNoLock
    If no oplock has been granted, no caching should be done. This might result in bad performance on servers that do not support oplocks.
If you care about reliability, always leave these options off. This configuration variable is also passed to the server. There are server/OS combinations (notably Samba/Linux) which become very slow in writethrough mode. You may want to configure write back for these.

requestOplock
    This boolean variable defines whether oplocks should be requested from the server.
setattrTrans2SetFile
    Suppresses the command trans2/setfileinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

setattrTrans2SetPath
    Suppresses the command trans2/setpathinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

setattrSetFile2
    Suppresses the use of SET_INFORMATION2 for setting attributes.
Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_WRITE_ANDX for writing files.

findUnix
    Disables the CIFS UNIX extensions for reading directories.

findTrans2
    Disables the use of trans2/find for reading directories.

fsinfoTrans2
    Suppresses the use of trans2/query_fs_info for reading file system infos.

sessionSetup
    Suppresses the session setup command (only used for core dialect).
not. They are relevant, however, after files are copied from a CIFS share to the local disk because the cp operation preserves file attributes.
cifs.servers

This variable may modify the values configured with cifs.server.default for specific servers. It consists of a dictionary where the keys are the Netbios names of servers. The value for each server key is also a dictionary. This dictionary has the same structure as the defaultServer dictionary. In addition, the following keys may be used:

ipAddress
    This entry may contain an IP address or a DNS name for the server.
cifs.serverClasses

This variable may modify the values configured with cifs.server.default and servers after the connection has been established, based on the information derived from session setup. The decision can depend on the server's operating system and LAN manager type. The format for this variable is an array of dictionaries.
8 PAM NTLM

This chapter provides a description of PAM NTLM.
Introduction

PAM NTLM (NT LAN Manager) is a Pluggable Authentication Module (PAM) that enables HP-UX users to be authenticated against Windows servers during system login. PAM is an authentication framework in UNIX, used to authenticate users logging into a UNIX system. PAM loads a dynamically loadable module (shared library) that performs the actual authentication. PAM can also be configured to use multiple shared library modules.
Configuring PAM NTLM requires you to understand the PAM framework in general. Refer to pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information about PAM.
PAM NTLM

This section provides a list of PAM NTLM features and a description of the User Map File.

PAM NTLM Features

• PAM NTLM supports authentication and password management.
• PAM NTLM uses a subset of the Samba smb.conf file as its configuration file. See the PAM NTLM Post-installation Instructions below for further information.
• PAM NTLM supports username mapping to map a local UNIX user name to a remote CIFS domain user name to use for authentication.
PAM NTLM Configuration

Configure the following to set up PAM-NTLM:

• The PAM-NTLM module
• The system file /etc/pam.conf to use the PAM-NTLM module
• A usermap file (optional)

Configuring the PAM NTLM Module

The PAM-NTLM configuration file is /etc/opt/cifsclient/pam/smb.conf. A default configuration file is also provided (smb.conf.default). Do not change the default configuration file because you may need to refer to it in the future.

Table 8-1

    ##
    ## Name: smb.
Configuring the system to use the PAM NTLM Module

This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.

IMPORTANT You may not be able to log into the system if PAM is not correctly configured. Make sure that you understand the PAM framework before you modify pam.conf. For information on PAM, see these sections of HP-UX manpages: pam.conf(4), pam_unix(5).
The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM NTLM entry consists of a line that refers to the shared library libpam_ntlm.1. In the authentication management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended that the option try_first_pass be specified with the PAM-UNIX entry, as shown.

WARNING If incorrect paths are used in pam.conf, it can become impossible to log in to the system.
    #
    login    session required /usr/lib/security/$ISA/libpam_unix.so.1
    dtlogin  session required /usr/lib/security/$ISA/libpam_unix.so.1
    dtaction session required /usr/lib/security/$ISA/libpam_unix.so.1
    OTHER    session required /usr/lib/security/$ISA/libpam_unix.so.1
    #
    # Password management
    #
    login    auth     sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
    login    password required   /usr/lib/security/$ISA/libpam_unix.so.1
    passwd   password required   /usr/lib/security/$ISA/libpam_unix.so.
    #
    login    password sufficient /usr/lib/security/libpam_ntlm.1
    login    password required   /usr/lib/security/libpam_unix.1
    passwd   password required   /usr/lib/security/libpam_ntlm.1
    dtlogin  password required   /usr/lib/security/libpam_unix.1
    dtaction password required   /usr/lib/security/libpam_unix.1
    OTHER    password required   /usr/lib/security/libpam_unix.
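The WARNING above notes that incorrect paths in pam.conf can make it impossible to log in. The following shell function is an added example, not part of the HP guide: it checks every entry of a pam.conf-format file for a known module type and an existing module path. The function name check_pam_conf and its ISA_DIR argument (the directory substituted for the literal token $ISA) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the module paths in a pam.conf-format file.
# Usage: check_pam_conf FILE [ISA_DIR]
#   ISA_DIR replaces the literal token $ISA in module paths (assumption:
#   the caller supplies the directory name used on the target system).
# Prints one line per problem.
# Returns 0 if clean, 1 if problems were found, 2 if FILE is unreadable.
check_pam_conf() {
    conf=$1
    isa=${2:-}
    bad=0
    lineno=0
    [ -r "$conf" ] || { echo "$conf: cannot read file"; return 2; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}              # strip comments
        set -f                        # no globbing while splitting fields
        set -- $line                  # $1 service, $2 type, $3 flag, $4 path
        set +f
        case $# in
            0) continue ;;            # blank or comment-only line
            1|2|3)
                echo "$conf:$lineno: fewer than four fields"
                bad=1
                continue ;;
        esac
        case $2 in
            auth|account|session|password) ;;
            *)  echo "$conf:$lineno: unknown module type '$2'"
                bad=1 ;;
        esac
        path=$4
        case $path in
            *'$ISA'*)
                if [ -z "$isa" ]; then
                    echo "$conf:$lineno: \$ISA used but no ISA_DIR given"
                    bad=1
                    continue
                fi
                # Substitute the first $ISA token with the supplied directory.
                path="${path%%\$ISA*}${isa}${path#*\$ISA}" ;;
        esac
        case $path in
            /*) ;;
            *)  echo "$conf:$lineno: module path is not absolute: $path"
                bad=1
                continue ;;
        esac
        [ -f "$path" ] || {
            echo "$conf:$lineno: module not found: $path"
            bad=1
        }
    done < "$conf"
    return "$bad"
}
```

Call it on the edited file before closing the session used to make the change, passing the ISA directory name as the second argument when the file uses $ISA.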
NOTE The NIS map file name domainusermap.byname is the default name that PAM NTLM uses for the NIS map file. You can configure a different NIS user map name in the PAM NTLM configuration file (/etc/opt/cifsclient/pam/smb.conf) of each NIS client. The configuration option is:

    nis ntuser mapname =

2. In the user map file of each NIS client that will receive the distributed map file, add an entry with the plus sign (+) in the first column of the line.