HP CIFS Server 3.0a Administrator’s Guide version A.02.01
HP-UX 11i v1 and v2
Edition 2
Manufacturing Part Number: B8725-90074
E1204
U.S.A.
© Copyright 2004 Hewlett-Packard Company.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty.
Contents
1. Introduction to the HP CIFS Server
Introduction to HP CIFS
What is the CIFS Protocol?
The Open Source Software (OSS) Samba Suite
Open Source Software

Performance Tuning using Change Notify
3. Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
UNIX File Permissions and POSIX ACLs
Viewing UNIX Permissions From Windows NT

Configuring Roaming Profiles
Configuring User Logon Scripts
Running Logon Scripts When Logging On
Home Drive Mapping Support
5.

Installing LDAP-UX Client Services on an HP CIFS Server
Configuring the LDAP-UX Client Services
Quick Configuration
Enabling Secure Sockets Layer (SSL)
Configuring the Netscape Directory Server to enable SSL

HP CIFS Server A.02.* Added Features
Parameters Changes in smb.conf
Behavior Differences Between HP CIFS Server A.01.* and A.02.*
Updating HP CIFS Server A.01.* to A.02.*
11. HP CIFS Deployment Models
Introduction

HP CIFS Process Model
Overview of Kernel Configuration Parameters
Configuring Kernel Parameters for HP CIFS
Swap Space Requirements
Memory Requirements
About This Document
This document describes how to install, configure, and administer the HP CIFS Server product. It augments the books The Samba HowTo Collection and Using Samba, 2nd Edition, supplied with the HP CIFS Server product, and provides additional HP-UX-specific variations, features, and recommendations. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.
Intended Audience
This document is intended for users who are already familiar with the HP CIFS Server product. For additional information about the HP CIFS Server, please refer to other HP CIFS Server documentation on-line at http://www.docs.hp.com.
New and Changed Documentation in This Edition
This edition documents the following enhancements for the HP CIFS Server 3.0a version A.02.01:
• Support for Active Directory Server (ADS).
Typographical Conventions
Table 1 Documentation Conventions
Type of Information | Font | Examples
Representations of what appears on a display, program/script code and command names or parameters. | Monotype | > user logged in.
Emphasis in text, actual document titles. | Italics | Users should verify that the power is turned off before removing the board.
Headings and sub-headings.
What Is in This Document
This manual describes how to install, configure, administer and use the HP CIFS Server product. The organization of this manual is as follows:
Table 3 Document Organization
Chapter | Description
Introduction to the HP CIFS Server | Use this chapter to learn about HP CIFS Server and Samba, the open source software suite on which the HP CIFS Server is based.
Installing and Configuring the HP CIFS Server | Use this chapter to learn how to install and configure the HP CIFS Server product.
Table 3 Document Organization (Continued)
Chapter | Description
LDAP Integration Support | Use this chapter to learn how to install, configure and verify the HP Netscape Directory, HP LDAP-UX Integration product and HP CIFS Server software with LDAP feature support.
Winbind Support | Use this chapter to learn how to set up and configure the HP CIFS Server with the winbind support.
Updating HP CIFS Server A.01 to A.02 | Use this chapter to understand differences between HP CIFS Server A.01.
HP Welcomes Your Comments
HP welcomes your comments and suggestions on this document. We are truly committed to providing documentation that meets your needs. You can send comments to: netinfo_feedback@cup.hp.com
Please include the following information along with your comments:
• The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual.
• The section numbers and page numbers of the information on which you are commenting.
1 Introduction to the HP CIFS Server
This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS.
Introduction to HP CIFS
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX. The current HP CIFS Server (version A.02.01) is based on the well-established open-source software Samba, version 3.0.
Despite its name, CIFS is not actually a file system unto itself. More accurately, CIFS is a remote file access protocol; it provides access to files on remote systems. It sits on top of and works with the file systems of its host systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.
The Open Source Software (OSS) Samba Suite
The HP CIFS server source is based on Samba, an Open Source Software (OSS) project developed in 1991 by Andrew Tridgell in Australia. This section includes a very brief introduction to the Samba product.
Samba Documentation: Printed and Online
When using the HP CIFS product, HP recommends that you refer to The Samba HOWTO Collection and Samba-3 by Example, shipped with the product in the /opt/samba/docs directory. The book, Using Samba, 2nd Edition, can also be found in /opt/samba/swat/using_samba. All three books are available through Samba Web Administration Tool (SWAT).
HP CIFS Server Enhancements
The HP CIFS Server A.02.01 incorporates a variety of functional enhancements. The sections that follow will provide an overview of each of these enhancements. The sections are:
• Backup Domain Controller (BDC) Functionality (new for version A.02.01).
• Winbind Functionality (new for version A.02.01).
• HP CIFS Deployment Models (new for version A.02.01).
Winbind Functionality (version A.02.01)
Winbind is a component of the Samba suite of programs that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind provides the NSS routine, /etc/lib/libnss_winbind.1, which interfaces to the winbind daemon, winbindd, to resolve ID mappings. Winbind maintains a database called winbind_idmap.tdb where it stores mapping data between HP-UX UIDs/GIDs and Windows SIDs (Security Identifiers).
• ldapsam: Attribute rich account storage and retrieval backend utilizing an LDAP directory. This makes use of a different schema than what had been provided with A.01.* versions.
• ldapsam_compat: An LDAP storage and retrieval backend that utilizes an LDAP directory and is compatible with A.01.* versions. This backend makes use of the same schema provided with A.01.* versions.
New Account Management Tools (version A.02.01)
HP CIFS Server A.02.
HP CIFS Server Documentation: Printed and Online
The full set of HP CIFS server documentation consists of three non-HP books available at most technical bookstores, and this printed and online HP CIFS server manual. The HP manual is HP CIFS Server Administrator’s Guide. The Samba-3 HOWTO and Reference Guide and Samba-3 by Example are shipped with the product and can be found in the /opt/samba/docs directory.
Location of Files on the Server
The default location of HP CIFS is /opt/samba. In this case, the following directories should exist in the Samba directory: bin/, docs/, script/, examples/, HA/, man/, and swat/. Refer to the complete listing of HP CIFS Server files and directories in the Overview section in chapter 2. The HP CIFS configuration files are in /etc/opt/samba.
or
    /opt/samba/bin/startsmb --winbind
    /opt/samba/bin/stopsmb -w
or
    /opt/samba/bin/stopsmb --winbind
Winbind execution may be controlled without affecting the execution of smbd and nmbd with the following commands.
Run the following command to start winbind alone:
    /opt/samba/bin/startwinbind
Run the following command to stop winbind alone:
    /opt/samba/bin/stopwinbind
These commands are described in chapter 2 in this manual.
For information about SWAT, refer to chapter 30, "SWAT - The Samba Web Administration Tool" in Samba HOWTO and Reference Guide.
Browsing
Browsing gives you the ability to view the servers and shares on your network. Samba provides over fourteen different browsing options. HP, however, recommends that you start with the default values.
HP CIFS Documentation Roadmap
Use the following road map to locate the Samba and HP CIFS documentation that you need.
Table 1-1
HP CIFS Product | Document Title: Chapter: Section
Server Description | Installing and Administering the HP CIFS Server: Chapter 1, “Introduction to the HP CIFS Server”; Samba Meta FAQ No. 2, “General Information about Samba”; Samba FAQ No. 1, “General Information”; Samba Server FAQ: No.
Table 1-1 (Continued)
HP CIFS Product | Document Title: Chapter: Section
Server Installation | Installing and Administering the HP CIFS Server: Chapter 2. “Installing and Configuring the HP CIFS Server”; Samba FAQ: No 2, “Compiling and Installing Samba on a UNIX Host.”
Client Installation | Installing and Administering the HP CIFS Client: Chapter 2.
Table 1-1 (Continued)
HP CIFS Product | Document Title: Chapter: Section
Server: Samba Scripts | Using Samba: Appendix D, “Summary of Samba Daemons and Commands”
SMB & CIFS File Protocols | Chapter 11, “HP CIFS Deployment Domain Models” in this document
SMB & CIFS Network Design | Using Samba: Chapter 1, “Learning the Samba”; Samba Meta FAQ No.
Table 1-1 (Continued)
HP CIFS Product | Document Title: Chapter: Section
Server Troubleshooting | Installing and Administering the HP CIFS Server: Chapter 3, “Troubleshooting the HP CIFS Server”; Using Samba, “Chapter 9, Troubleshooting Samba”; Samba FAQs No. 4, “Specific Client Application Problems” and No 5, “Miscellaneous”; DIAGNOSIS.
Table 1-2 HP CIFS Server Files and Directories (Continued)
File/Directory | Description
/opt/samba/bin | This is the directory that contains the binaries for HP CIFS Server, including the daemons and utilities.
/opt/samba/docs | This is the directory that contains documentation in various formats including html (htmldocs) and text (textdocs).
/opt/samba/examples | This directory contains example smb.
Table 1-2 HP CIFS Server Files and Directories (Continued)
File/Directory | Description
/etc/opt/samba | This directory contains configuration files which the HP CIFS Server uses, primarily the smb.conf file.
/etc/opt/samba/smb.conf | This is the main configuration file for the HP CIFS Server which is discussed in great detail elsewhere.
/etc/opt/samba/smb.conf.default | This is the default smb.
2 Installing and Configuring the HP CIFS Server
This chapter describes the procedures to install and configure the HP CIFS Server software.
• HP CIFS Server Requirements and Limitations
• Step 1: Installing HP CIFS Server Software
• Step 2: Running the Configuration Script
• Step 3: Modify the Configuration
• Step 4: Starting the HP CIFS Server
IMPORTANT HP CIFS Server A.02.01 or later requires LDAP-UX Integration product, J4269AA, to be installed.
HP CIFS Server Requirements and Limitations
Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations.
HP-UX 11.x Memory and Disc Requirements
Although an 11.x 32-bit and 64-bit HP-UX system can boot with as little as 64MB RAM and 1GB of disc space, the performance of such a configuration would be prohibitive.
smbd process and represents an increase of approximately 70 percent. The increased memory footprint is the result of adding new features. In addition to the base memory increase, the smbd process may now also allocate memory for specialized caching requirements as needed. The size and timing of these memory allocations vary widely depending on the client type and the resources being accessed.
Step 1: Installing HP CIFS Server Software
HP CIFS Server Upgrades: If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment. The SD install procedure may alter or replace your current configuration files.
1. Log in as root.
2. Insert the software media (disk) into the appropriate drive.
3. Run the swinstall program using the command:
    swinstall
This opens the Software Selection Window and Specify Source Window.
4. Change the Source Host Name if necessary, enter the mount point of the drive in the Source Depot Path field, and activate the OK button to return to the Software Selection Window.
Step 2: Running the Configuration Script
The samba_setup configuration script is intended for new installations only. For detailed procedures on how to update HP CIFS Server A.01 to A.02, see Chapter 10, “Updating HP CIFS Server A.01 to A.02,” on page 173.
— administrator user name and password
See Chapter 4, “Primary Domain Controller (PDC) Support,” on page 77, or Chapter 5, “Backup Domain Controller Support,” on page 93, or Chapter 6, “Domain Member Server Support,” on page 103 for detailed.
The script will modify the smb.conf file according to the information that you have entered.
Step 3: Modify the Configuration
HP CIFS Server requires configuration modifications for the following functionality:
• ACL Support
• Case Sensitivity for the Client and Server for UNIX Extensions
• DOS Attribute Mapping
• Print Services for version A.02.01 (current version)
• Distributed File System (DFS) Support
• Configure MC/ServiceGuard High Availability (HA)
Configure ACL Support (for version A.01.
• Example four:
    acl schemes = hpux_posix unix
HP CIFS will attempt to use VxFS POSIX ACLs. If ACLs are not present, it will use UNIX permissions.
Configure ACL Support (for version A.01.08)
HP CIFS Server, version A.01.08, provides a share level variable called “nt acl support.” The possible values for this variable are “yes” and “no.” This variable defaults to “yes.
When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general. By default, map system and map hidden are off, and map archive is on. To turn map archive off, modify /etc/opt/samba/smb.
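A model of the attribute mapping described above, as an added example rather than HP CIFS Server or Samba code: it shows how a client write turns mode 0644 into 0744 while map archive is on, and leaves it alone when the parameter is off. The archive-to-owner-execute mapping and the defaults come from this page; the system and hidden mappings to the group and other execute bits are taken from Samba's smb.conf documentation, and all function names are illustrative.

```python
import stat

# DOS attribute flag values as carried in SMB file attributes.
ATTR_HIDDEN, ATTR_SYSTEM, ATTR_ARCHIVE = 0x02, 0x04, 0x20

# (smb.conf parameter, DOS attribute, UNIX execute bit borrowed to store it).
# Archive -> owner execute is stated on this page; system -> group execute and
# hidden -> other execute follow Samba's smb.conf documentation.
MAPPINGS = (
    ("map archive", ATTR_ARCHIVE, stat.S_IXUSR),
    ("map system", ATTR_SYSTEM, stat.S_IXGRP),
    ("map hidden", ATTR_HIDDEN, stat.S_IXOTH),
)

# Defaults given on this page: map archive on, map system and map hidden off.
DEFAULTS = {"map archive": True, "map system": False, "map hidden": False}


def enabled(share, param):
    """True if the share (a dict of overrides) has the mapping switched on."""
    return share.get(param, DEFAULTS[param])


def dos_attrs_from_mode(mode, share):
    """DOS attributes a client would be shown for a file with this mode."""
    attrs = 0
    for param, attr, bit in MAPPINGS:
        if enabled(share, param) and mode & bit:
            attrs |= attr
    return attrs


def apply_dos_attrs(mode, attrs, share):
    """UNIX mode after the server stores the given DOS attributes.

    An enabled mapping owns its execute bit (set or cleared to match the
    attribute); a disabled mapping leaves the bit untouched.
    """
    for param, attr, bit in MAPPINGS:
        if not enabled(share, param):
            continue
        mode = (mode | bit) if attrs & attr else (mode & ~bit)
    return mode


def mode_after_write(mode, share):
    """A write marks the file as needing archiving, so the archive bit is set."""
    attrs = dos_attrs_from_mode(mode, share) | ATTR_ARCHIVE
    return apply_dos_attrs(mode, attrs, share)


def describe(mode, share):
    """Human-readable before/after permission strings for a regular file."""
    before = stat.filemode(stat.S_IFREG | mode)
    after = stat.filemode(stat.S_IFREG | mode_after_write(mode, share))
    return f"{before} -> {after}"


if __name__ == "__main__":
    # Constructed sample: a data file created as 0644 on the HP-UX side.
    print("defaults          :", describe(0o644, {}))
    print("map archive = no  :", describe(0o644, {"map archive": False}))
    print("all three mapped  :", describe(0o644, {"map system": True,
                                                  "map hidden": True}))
```

Running it prints the permission string before and after a write for each share configuration, which makes unexpected owner-execute bits on data files easy to trace back to this setting.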
Creating a [printers] share
Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:
    [printers]
    path = /tmp
    printable = yes
    browseable = no
This share is required if you want SWAT to display the list of printers that exist on the HP CIFS Server but are not defined in the smb.conf file.
In this example, the parameter “write list” specifies that administrative level user accounts will have write access for updating files on the share.
2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported.
5. Select the printer driver, e.g. hp LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk, and stored into the subdirectories under the [print$] share.
Migrating Printing Services From version A.01.08 to A.02.01
• The smb.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure an HP CIFS server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes. Example:
    [global]
    host msdfs = yes
3. Create a directory to act as a DFS root on the HP CIFS Distributed File System (DFS) Server.
4. Create a share and define it with the parameter path = directory of DFS root in the smb.
    cd /export/dfsroot
    chown root /export/dfsroot
    chmod 775 /export/dfsroot
    # each DFS link is a symbolic link whose target starts with msdfs:
    ln -s msdfs:serverA\\shareA linka
    # alternate targets for one link are separated by commas
    ln -s msdfs:serverB\\shareB,serverC\\shareC linkb
2.
Follow the configuration procedures provided in Chapter 6.
Step 4: Starting the HP CIFS Server
Run the script below to start Samba if you do not use winbind support:
    /opt/samba/bin/startsmb
Run the script below to start Samba if you configure HP CIFS Server to use winbind support:
    /opt/samba/bin/startsmb -w
or
    /opt/samba/bin/startsmb --winbind
When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started.
Automatically Starting the HP CIFS Server
When the HP CIFS Server is installed, by default it will not be configured to automatically start when the system boots up and stop when the system shuts down. You can enable this feature by doing the following:
1. Edit the /etc/rc.config.d/samba file.
2. Change the last line of the file to: RUN_SAMBA=1
3. Save the file.
Other Samba Configuration Issues
Translate Open-Mode Locks into HP-UX Advisory Locks
The HP CIFS Server A.01.07, and subsequent versions, can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients.
To counteract the possible performance impact, you can control how often Samba scans for changes in the directories it has been requested to monitor. The parameter that controls how often Samba scans for changes is Change Notify Timeout. The parameter value represents the number of seconds between the start of each scanning cycle. The default value is 60.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACL) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
UNIX File Permissions and POSIX ACLs
The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.
Table 3-1 (Continued)
UNIX Permission | NT access type
r-- | Special Access
In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).
UNIX File Owner Translation in NT ACL
A UNIX file system owner has additional permissions that other users do not have.
For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows NT client will display the permissions for group sales as:
    Special Access(RXO)
UNIX Other Permission Translation in NT ACL
In UNIX, the other permission entry represents permissions for any user or group that is not the owner, and doesn't belong to the owning group.
Table 3-2 (Continued)
NT access type | UNIX Permission
Special Access(RW) | rw-
Read(RX) | r-x
Special Access(WX) | -wx
Special Access(RWX) | rwx
Special Access | r--
When mapping to UNIX file permissions from NT, you will not be able to add new NT ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries.
If you use pre-defined NT access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in NT. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows NT client, it will show up as Special Access (RWX).
The VxFS POSIX ACL File Permissions
VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.
• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.
• VxFS POSIX ACLs support default Access Control Entry (ACE) for directory permissions.
Using the NT Explorer GUI to Create ACLs
Use the Windows NT Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list:
• Click the add button in the File/Directory Permissions dialog box of the Windows NT GUI to bring up the Add Users and Groups dialog box.
Figure 3-3
NOTE The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.
Figure 3-4 Windows NT Explorer List Names From Field
Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system.
Figure 3-5 Windows NT Explorer Add Users and Groups Dialog Box
• Go to the List Names From dropdown list in the Add Users and Groups dialog box. One screen choice is to list names on your Samba server. This is the list HP recommends. Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.
• Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local Unix groups and the users in this list.
Figure 3-6 Add UNIX Groups and Users
• You can type user and group names into the Add Names text field to add users and groups.
To continue the example above, you could create an ACE for the administrator user on the NT client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user.
POSIX ACLs and Windows 2000/XP Clients
The HP CIFS Server A.01.07, and subsequent versions, allow Windows 2000/XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000/XP permissions.
Table 3-4 UNIX Permission Maps Windows 2000/XP Client Permissions
UNIX Permission | Permission Shown on Windows 2000/XP Clients
r-x | Read and Execute: All Read Permissions as in the first cell; Execute or Traverse Folder
rw- | Read, Write: All Read Permissions as in the first cell; All Write Permissions as in the second cell
rwx | Full Control: Full Control and All permission bits are ticked
--- | No b
Setting Permissions from Windows 2000/XP Clients
The following table shows how each Windows 2000/XP client permission is mapped to the UNIX permission when permissions are set from a client:
Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions
Windows 2000/XP | UNIX Permission
Full Control | rwx
Write | -w-
Modify | rwx
Read and Execute | r-x
Read | r--
List Folder / Read Data (Advanced) | r--
Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions
Windows 2000/XP | UNIX Permission
Take Ownership (Advanced) | * see explanation following table
* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions, but you cannot set them from Windows 2000/XP clients.
Step 2. Click on the Security tab
Displaying the Owner of a File
Step 1. Click on Advanced
Step 2.
HP CIFS Server Directory ACLs and Windows 2000/XP Clients
Directory ACL Types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.
Step 2. Click on the Security tab
Figure 3-7 Basic ACL View
Viewing Advanced ACLs from Windows 2000 Clients
Step 1. Right-click on a file or a directory and select Properties
Step 2.
Step 3. Click on the Advanced button
Figure 3-8 Advanced ACL View
Mapping Windows 2000/XP Directory Inheritance Values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
• Subfolders and files only
• Subfolders only
• Files only
When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type.
You must use the Windows Advanced permission screen (Directory-> Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs. This section describes how to modify a directory ACE from the Windows 2000 or XP client:
Step 1. Right-click on a directory and select Properties
Step 2. Click on the Security tab
Step 3. Click on the Advanced button
Step 4.
Step 6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Please refer to “Mapping Table for Inheritance Values to POSIX” for detailed information
Step 7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat step 4 through step 6 to modify other ACEs
Step 8.
If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server. To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.
In example 1, if a default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of changes for the directory ACEs on the HP CIFS Server:

# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r--

Example 2:

In example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group
# other group:testgroup
access:owner:rwx
access:owning group:r-x
default:owner:rwx
default:owning group:r--

Adding Directory ACLs From Windows 2000/XP Clients

This section describes how to add a directory ACE from the Windows 2000 or XP client:

Step 1. Right-click on a directory and select Properties
Step 2. Click on the Security tab
Step 3. Click on the Advanced button
Step 4.
Step 8. You will be taken to the ACE Advanced view screen; click on the OK or Apply button to add the new ACE

Figure 3-11 Selecting a new ACE user or group

IMPORTANT
POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.
With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same.
Configuring Samba ACL Support

For HP CIFS Version A.01.07

In non-HP Samba versions, you could only turn Samba's NT ACL Support on or off on a serverwide basis. When turned on, UNIX file permission support was enabled for all Samba shares. There was no support for any ACL scheme, including VxFS POSIX ACLs. Instead, you configured the old NT ACL support through the smb.conf variable nt acl support.
If a Windows client makes a request to see the ACL for a file on an HFS file system in that share, Samba attempts to use the POSIX ACL system call. It fails and returns an error indicating that the ACL scheme is not supported on that file. Samba then tries the HFS ACL system call, which succeeds. The user does not see the initial failure described in this example.
on the ACL scheme list for that share. Otherwise, Samba will make many system calls for other ACL schemes before it locates the right one. This prioritization will become even more important in the future when Samba supports more and more ACL types.

For HP CIFS Version A.01.08

With HP CIFS Server version A.01.08, the “nt acl support” configuration variable is made share level.
In Conclusion

Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows NT/XP/2000 clients. With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can now be done from an NT/XP/2000 client (with the exception of the class entry for VxFS POSIX ACLs).
4 Primary Domain Controller (PDC) Support
Introduction

This chapter describes how to set up and configure an HP CIFS Server as a Primary Domain Controller (PDC). The following is a list of enhancements for the HP CIFS Server to support PDC:

• Provide the ability to act as a Primary Domain Controller (PDC) for Windows clients which include Windows XP and 2000
• Provide Domain login feature for Windows NT 4.
make one password change which will affect multiple systems accessed by that user. Another benefit is that IT administration work is reduced, since there is no longer a need for individual accounts to be administered on each system.

Primary Domain Controllers

The Primary Domain Controller (PDC) is responsible for several tasks within the domain.
Create the Machine Trust Accounts

A Machine Trust Account for a Windows Client (Client=member server) on an HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$". For PDCs not using LDAP (default), machine accounts will have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts).
$ /opt/samba/LDAP3/smbldap-tools/smbldap-useradd.
For ldapsam backend:

$ /opt/samba/bin/smbpasswd -a -m client1

An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:

objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466492
log
Configure Domain Users

The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on an HP CIFS Server configured as a PDC.

• If you are a root-level user, create a Domain User in the group named “users”, located in the /sbin/sh directory.
Configure the HP CIFS Server as a PDC

When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server should create machine accounts for Windows Clients (member servers). To enable this feature, choose “Primary Domain Controller” when executing samba_setup, then verify the following:

1. The smb.
Join a Windows Client to a Samba Domain

1. Verify the following parameters in the smb.conf file:

Set the security parameter to “user.”
Set the workgroup parameter to the name of the domain.
Set the encrypt passwords parameter to “yes.”

[global]
   security = user
   # Samba domain name
   workgroup = SAMBADOM
   domain logons = yes
   encrypt passwords = yes

2.
$ /opt/samba/LDAP/smbldap-tools/smbldap-useradd.
$ smbpasswd -a -m client1

An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:

objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logofftime: 21474836
6. Enter the Samba domain name in the ‘Domain’ field, and click on the ‘Change’ button. Refer to Figure 4-3 below.
Roaming Profiles

The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features:

• A user’s environment, preference settings, desktop settings, etc.
Configuring User Logon Scripts

The logon script configuration must meet the following requirements:

• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
• Logon scripts should have UNIX executable permission set.
• Any logon script should contain valid commands recognized by the Windows client.
• A logon user should have proper access permissions to execute logon scripts.
Home Drive Mapping Support

An HP CIFS Server provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.
5 Backup Domain Controller Support This chapter describes how to set up and configure HP CIFS Server as a Backup Domain Controller (BDC).
Introduction

HP CIFS Server version A.02.
• HP CIFS Server and MS Windows server can each function as a BDC to its own type of PDC.
• HP CIFS Server cannot create Security Account Management (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files that are held by a BDC.
• The Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.0 BDC with a non-LDAP backend can make it difficult to synchronize the SAM database.
Configuring HP CIFS Server as a BDC

When configuring HP CIFS Server to act as a Backup Domain Controller (BDC), you need to configure the relevant domain controller parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows:

• The smb.
NOTE
security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
domain master: Set this parameter to no in order for the HP CIFS Server to act as a BDC.
domain logons: Set this parameter to yes to provide netlogon services.
encrypt passwords: When you set this parameter to yes, the passwords used to authenticate users are encrypted.
Roaming Profiles

HP CIFS Server, configured as a BDC, supports roaming profiles with the following features:

• A user’s environment, preference settings, desktop settings, and so on, are stored on HP CIFS Server.
• Roaming profiles can be created as a share, and be shared between Windows clients.
NOTE
logon path: Set this parameter to the same server\share as the PDC does.
Configuring User Logon Scripts

The logon script configuration must meet the following requirements:

• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
• Logon scripts should have UNIX executable permission set.
• Any logon script should contain valid commands recognized by the Windows client.
• A logon user should have proper access permissions to execute logon scripts.
Home Drive Mapping Support

The HP CIFS Server, configured as a BDC, provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.conf file:

• logon home
• logon drive

Example:

[global]
   logon drive = H:
   logon home = \\%PDCNAME\%U

NOTE
logon drive: This drive letter is mapped to the share referenced by the logon home configuration parameter.
6 Domain Member Server Support

This chapter describes the process for joining an HP CIFS Server to a Windows NT, Windows 200x, or Samba domain (as a pre-Windows 2000 compatible computer). To add an HP CIFS Server as an Active Directory Service (ADS) Member Server, see Chapter 7, “Active Directory Service Member Server Support,” on page 107 for details.
Join a HP CIFS Server to a Windows NT, Windows 2000 or Samba Domain

Step-by-step Procedure

1. Choose “Domain Member Server” when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC.

For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS Member Server by performing the following steps:

a.
   password server = DOMPDC
   encrypt passwords = yes
   netbios name = MYSERVER

NOTE
workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.
security: When the HP CIFS Server joins a domain as a member, this parameter must be set to “domain”.
password server: This parameter defines the NetBIOS name of the PDC machine which performs the username authentication and validation.
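The role settings named in Chapters 4 to 6 can be checked mechanically. The following is an added example, not HP or Samba code: it reads the [global] section of an smb.conf and reports every parameter that differs from the values this guide gives for a PDC, BDC or domain member; the function names, the sample file and its netlogon path are constructed for illustration, and the check uses Samba's parameter name domain logons.

```shell
#!/bin/sh
# Added example, not HP or Samba code: compare the [global] section of an
# smb.conf with the role settings this guide lists for a PDC, BDC or member.

# global_param FILE NAME: print the value of NAME in [global] (last one wins).
# Section and parameter names are compared case-insensitively.
global_param() {
    awk -v want="$2" '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/ { next }                       # whole-line comments
        /^[ \t]*\[/ {                                # section header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            sec = tolower(trim(sec)); next
        }
        sec == "global" && (eq = index($0, "=")) > 0 {
            name = tolower(trim(substr($0, 1, eq - 1)))
            gsub(/[ \t]+/, " ", name)
            if (name == want) { val = trim(substr($0, eq + 1)); found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# expect FILE PARAM WANTED: print a finding and return 1 on a difference.
# WANTED "*" accepts any non-empty value. Parameters must be set explicitly,
# as in the guide, so an unset parameter is reported even if a default applies.
expect() {
    got=$(global_param "$1" "$2")
    if [ "$3" = "*" ]; then
        [ -n "$got" ] && return 0
        echo "MISSING  $2"; return 1
    fi
    norm=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    case "$norm" in true|1) norm=yes ;; false|0) norm=no ;; esac  # boolean spellings
    [ "$norm" = "$3" ] && return 0
    echo "MISMATCH $2 = ${got:-<unset>} (guide: $3)"; return 1
}

# check_role FILE ROLE: ROLE is pdc, bdc or member. Returns 0 when every
# listed setting matches, 1 otherwise, 2 for an unknown role.
check_role() {
    case "$2" in
        pdc)    set -- "$1" "security=user" "workgroup=*" \
                       "domain logons=yes" "encrypt passwords=yes" ;;
        bdc)    set -- "$1" "security=user" "domain master=no" \
                       "domain logons=yes" "encrypt passwords=yes" ;;
        member) set -- "$1" "security=domain" "workgroup=*" \
                       "password server=*" "encrypt passwords=yes" ;;
        *)      echo "unknown role: $2" >&2; return 2 ;;
    esac
    file=$1; shift
    rc=0
    for rule in "$@"; do
        expect "$file" "${rule%%=*}" "${rule#*=}" || rc=1
    done
    return $rc
}

# Constructed sample: a server meant to be a BDC that still has
# domain master = yes. The [netlogon] line is a global parameter in a share
# section and is deliberately not read by this check.
sample_conf() {
    cat <<'EOF'
# constructed sample, not from a real host
[global]
   workgroup = SAMBADOM
   security = user
   Domain Master = yes
   domain logons = True
   encrypt passwords = yes
[netlogon]
   path = /var/opt/samba/netlogon
   domain master = no
EOF
}

tmp=${TMPDIR:-/tmp}/smbrole.$$
sample_conf > "$tmp"
check_role "$tmp" bdc || echo "=> not a BDC configuration as this guide describes it"
rm -f "$tmp"
```

Run against the live file with check_role /etc/opt/samba/smb.conf bdc after editing it by hand or with SWAT.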
7 Active Directory Service Member Server Support

Windows 2000/2003 domains provide a centrally managed directory for management of user identities and computer objects distributed throughout a network. This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an Active Directory Service (ADS) member server. see Chapter 6, “Domain Member Server Support,” on page 103.
Join an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server

Step-by-step Procedure

Use the following procedures to join an HP CIFS Server to a Windows 200x domain as an ADS native member server:

NOTE
HP CIFS Server only supports the following Kerberos encryption types:

• DES-CBC-CRC
• DES-CBC-MD5

You must configure one of these encryption types in the /etc/krb5.
# domain name.
#
[libdefaults]
default_realm = MYREALM.XYZ.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
#
#
[realms]
MYREALM.XYZ.COM = {
kdc = adsdc.myrealm.xyz.com:88
admin_server = adsdc.myrealm.xyz.com
}
[domain_realm]
.xyz.com = MYREALM.XYZ.COM

NOTE
:88 is required on the server field.

[logging]
kdc = FILE:/var/log/krb5kdc.
• You may see the warning message, KDC has no support for encryption type. Change your administrator password to correct this type of error.
• Other errors are likely to be errors in the /etc/krb5.conf file. (Remember that you need to add :88 to the server field in the /etc/krb5.conf file.)

Step 4.
NOTE
If an HP CIFS Server is currently joined to the domain as a pre-Windows 2000 member server, please first remove the server from the domain before adding an HP CIFS Server to a Windows domain as an ADS member server.

NOTE
realm: This parameter specifies the name of the ADS kerberos realm which has the fully qualified domain name.
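The two /etc/krb5.conf requirements stated in this chapter (an encryption type from the supported list, and :88 on the kdc entry) are the ones the troubleshooting notes point back to. The following is an added example, not HP code, that lints a krb5.conf for exactly those two points; the function names are hypothetical and the sample file is constructed from the realm names used in this chapter.

```shell
#!/bin/sh
# Added example, not HP code: lint a krb5.conf against the two requirements
# this chapter states for an ADS member server.

# check_krb5_conf FILE: print one line per finding; return 1 if any were found.
check_krb5_conf() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        /^[ \t]*\[/ {                                # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        {
            eq = index($0, "="); if (!eq) next       # e.g. the closing brace
            key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        }
        # Only DES-CBC-CRC and DES-CBC-MD5 are supported per this guide.
        sec == "libdefaults" && (key == "default_tkt_enctypes" || key == "default_tgs_enctypes") {
            seen[key] = 1
            n = split(val, t, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                e = toupper(t[i])
                if (e != "" && e != "DES-CBC-CRC" && e != "DES-CBC-MD5") {
                    printf "line %d: %s lists unsupported enctype %s\n", NR, key, t[i]
                    bad++
                }
            }
        }
        # The guide requires the port to be written out on the kdc entry.
        sec == "realms" && key == "kdc" {
            kdcs++
            if (val !~ /:88$/) { printf "line %d: kdc %s lacks :88\n", NR, val; bad++ }
        }
        END {
            if (!seen["default_tkt_enctypes"]) { print "default_tkt_enctypes is not set"; bad++ }
            if (!seen["default_tgs_enctypes"]) { print "default_tgs_enctypes is not set"; bad++ }
            if (!kdcs) { print "no kdc entry under [realms]"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# sample_krb5 TGS_ENCTYPE KDC: constructed krb5.conf using the realm and host
# names from this chapter, with the two checked values supplied by the caller.
sample_krb5() {
    cat <<EOF
# constructed sample, not from a real host
[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = $1
[realms]
    MYREALM.XYZ.COM = {
        kdc = $2
        admin_server = adsdc.myrealm.xyz.com
    }
[domain_realm]
    .xyz.com = MYREALM.XYZ.COM
EOF
}

tmp=${TMPDIR:-/tmp}/krb5lint.$$
sample_krb5 RC4-HMAC adsdc.myrealm.xyz.com > "$tmp"
check_krb5_conf "$tmp" || echo "=> the file does not meet this chapter's requirements"
rm -f "$tmp"
```

A clean result only means the file matches this guide; single-DES Kerberos encryption types were later deprecated by RFC 6649.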
8 LDAP Integration Support This chapter describes the HP CIFS Server with LDAP integration. It includes benefits of LDAP, procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
• “Overview”
• “Network Environments”
• “Summary of Installing and Configuring”
• “Installing and Configuring Your Netscape Directory Server”
• “Installing LDAP-UX Client Services on an HP CIFS Server”
• “Configuring the LDAP-UX Client Services”
• “Enabling Secure Sockets Layer (SSL)”
• “Migrating Your data to the Netscape Directory”
• “Extending Samba subschema int
Overview

Lightweight Directory Access Protocol (LDAP) provides a framework for the development of a centralized management infrastructure. LDAP supports directory enabled computing by consolidating applications, services, user accounts, Windows account and configuration information into a central LDAP directory. Samba customer sites with large numbers of users and servers may want to integrate the HP CIFS Server with LDAP support.
You can configure the ldap ssl parameter specified in the smb.conf file to enable Secure Sockets Layer (SSL) support. With SSL support, the HP CIFS Server can access an SSL-enabled LDAP directory, which protects passwords over the network and ensures confidentiality and data integrity between CIFS servers and the SSL-enabled LDAP directory server. You can set passdb backend = ldapsam:ldaps:// to enable the SSL support.
Network Environments

The HP CIFS Server supports many different network environments. Features such as WINS, browser control, domain logons, roaming profiles, and many others continue to be available to support a diverse range of network environments. LDAP integration provides one more alternative solution for Samba user authentication.
CIFS Server Acting as Backup Domain Controller (BDC)

Since BDCs are also responsible for Windows authentication, HP CIFS Servers configured as BDCs can access the LDAP directory for user authentication. BDC configuration is very similar to PDC configuration with the exception that you set both master browser and domain master to no.
UNIX User Authentication - /etc/passwd, NIS Migration

HP UNIX user authentication is required in addition to Samba (Windows) user authentication for HP CIFS Server logon. You can consolidate Samba and UNIX users into a single LDAP directory server database. However, the /etc/passwd file or NIS database files can continue to be used for UNIX users if desired.
The CIFS Authentication with LDAP Integration

With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication.
5. The CIFS Server receives data attributes including the password information from the LDAP directory server. If the password and challenge information match the information in the client response package, the Samba user authentication succeeds.
6. If the Samba user is authenticated and is successfully mapped to a valid POSIX user, the CIFS Server returns a user token session ID to the Windows PC client.
Summary of Installing and Configuring

The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with the LDAP support:

• Install the Netscape Directory Server, if not already installed. See “Installing the Netscape Directory Server” on page 123.
• Configure the Netscape Directory Server, if not already configured. See “Configuring the Netscape Directory Server” on page 123.
Installing and Configuring Your Netscape Directory Server

This section describes how to set up and configure your Netscape Directory Server to work with LDAP-UX Client Services and the HP CIFS Server. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet, for more information on directory configuration.
Step 2. Enter the host name of the Netscape Directory Server where you want to store your user data.
Step 3. Enter the port number of the previously specified directory server. The default port number is 389.
Step 4. Enter the Distinguished Name (DN) and password of the administrator. This user has operator permissions. For example, you can enter “admin” as the administrator DN.
Step 5. Enter the base DN.
Installing LDAP-UX Client Services on an HP CIFS Server

Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on an HP CIFS Server. See the LDAP-UX Client Services B.03.20 Release Notes for more details on the installation procedures. The LDAP-UX Client Services software is available at http://www.software.hp.com. You must install the LDAP-UX Client Services version B.03.
Configuring the LDAP-UX Client Services

You need to configure the LDAP-UX Client Services if it is not already configured. This section describes major steps to configure LDAP-UX Client Services with the Netscape Directory Server 6.02 or later version. For detailed information on how to configure the LDAP-UX Client Services, see the “Configure the LDAP-UX Client Services” section of LDAP-UX Client Services B.03.
Quick Configuration

You can quickly configure the LDAP-UX Client Services by selecting the default value for most of the configuration parameters as follows:

Step 1. To be consistent with the Samba organizational unit defaults, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group objectclass under $RFC2307BIS structure from ou=Group to ou=Groups.
Step 2.
Step 7. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile, dc=cup, dc=hp, dc=com, then the base path, cup.hp.com, must exist in the directory or setup will fail.
Table 8-1 shows the configuration parameters and the default values that they will be configured with.
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
    "(objectclass=*)" | grep -i posix

Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:

objectClasses: ( 1.3.6.1.1.1.2.
Enabling Secure Sockets Layer (SSL)

The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Netscape Directory Server and LDAP-UX clients. When you have enabled the LDAP server and clients, then you can configure the HP CIFS Server to use SSL.
For detailed instructions on how to configure the administration server to connect to an SSL enabled directory server, see Managing Servers with Netscape Console available at http://docs.hp.com.

Configuring the LDAP-UX Client to Use SSL

If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX Client and configure the LDAP-UX Client to enable SSL.
subsection of the “Installing LDAP-UX Client Services” chapter in LDAP-UX Client Services B.03.20 Administrator’s Guide at http://docs.hp.com.
Migrating Your data to the Netscape Directory

HP recommends that all UNIX user accounts either in the /etc/passwd file or NIS database files are migrated to the Netscape Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.
NOTE
Before you run the migration scripts, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group objectclass under $RFC2307BIS structure from ou=Group to ou=Groups. This makes it match the Samba organizational unit defaults.

An Example

The following example shows the necessary steps to import your data into the LDAP directory using the migration script, migrate_all_online.sh:

Step 1.
Migrating Individual Files

The following perl scripts migrate each of your source files in the /etc directory to LDIF. These scripts are called by the shell scripts, described in the section “Migrating All Your Files” on page 134. The perl scripts obtain their information from the input source file and output LDIF.
Table 8-2 Migration Scripts (Continued)

Script Name              Description
migrate_group.pl         Migrates groups in the /etc/group file.
migrate_hosts.pl (a)     Migrates hosts in the /etc/hosts file.
migrate_networks.pl      Migrates networks in the /etc/networks file.
migrate_passwd.pl (b)    Migrates users in the /etc/passwd file.
migrate_protocols.pl     Migrates protocols in the /etc/protocols file.
migrate_rpc.
b. Netgroup
- The NIS optimization maps ‘byuser’ and ‘byhost’ are not utilized.
- Each triple is stored as a single string.
- Each triple must be enclosed by parentheses. For example, “(machine, user, domain)” is a valid triple while “machine, user, domain” is not.
c. When migrating services data into the LDAP directory, keep in mind that multiple protocols, but not multiple service ports, can be associated with one service name.
Extending Samba subschema into Your Directory Server

You now need to extend the Netscape Directory Server schema with the sambaSamAccount subschema from the HP CIFS Server to your Netscape Directory Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services, and migrated your data to the LDAP directory before extending the schema. The sambaAccount subschema is the /opt/samba/LDAP/98samba.
Step 3. Use the following ldapsearch command to verify that you have updated the schema in the Netscape Directory Server with the sambaSamAccount subschema:

$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
    "(objectclass=*)" | grep -i samb

You need to ensure that the output displays the sambaAccount objectclass when you run the ldapsearch command. The output is shown as follows:

objectClasses: ( 1.3.1.5.1.4.1.7165.2.2.
Configuring the HP CIFS Server

You must set up and configure your HP CIFS Server to enable the LDAP feature support.

LDAP Configuration Parameters

The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under global parameters.
Table 8-3 Global Parameters (Continued)

Parameter            Description
ldap group suffix    Specifies the base of the directory tree where you want to add groups information. If you do not specify this parameter, HP CIFS Server uses the value of ldap suffix instead. For example, ldap group suffix = "ou=Groups".
ldap filter          Specifies the RFC 2254 compliant LDAP search filter.
Configuring LDAP Feature Support

After installing the HP CIFS Server, the existing configuration continues to operate as currently configured. To enable the LDAP support, you must configure the relevant LDAP configuration parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor.

NOTE
HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server.
Installing your Samba Users in the Directory

This section describes how to install and verify your Samba users in your LDAP directory.

Adding Credentials

When you use the HP CIFS Server with the LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.
Syntax

ldapsearch [option]

Option

-b  search/insert base
-s  search scope
-D  directory login
-w  password of the directory manager

Example

The following example uses the ldapsearch utility to check that the user entry johnl contains the sambaAccount objectclass:

$ /opt/ldapux/bin/ldapsearch -b "dc=cup,dc=hp, dc=com" -ssub \
    -D "cn=Directory Manager" -w dmpasswd "uid=johnl"

The output is shown as follows:

dn: uid=johnl,ou=People
LDAP management Tools

The HP CIFS Server provides LDAP management tools for you to maintain users, groups and passwords in the Netscape Directory Server. To use perl scripts, perl on HP-UX 11i (PA-RISC) and HP-UX 11i (IA) version 5.6.1.E or greater is required. A free software download is available at http://software.hp.com.
Syntax

Run the following command to show help messages:

$ net help

Pdbedit

Pdbedit can be used for user management with LDAP directories. Note also that pdbedit can help to migrate from one passdb backend to another including moving from smbpasswd to ldapsam.
smbldap-usermod.pl  modifies user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)
smbldap-usershow.pl  views user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)
smbldap-passwd.pl  adds or modifies the samba password, posix password, or both
smbldap-migrate-accounts.pl  migrates user accounts from the existing smbpasswd file to the LDAP directory.
smbldap-migrate-groups.
Name (DN), directory manager name and password. First, start the samba daemon with startsmb if it is not already running. Set the environment variables throughout your configuration file to appropriate values for your environment, including $SID. The current SID default is SID='S-1-5-21-3516781642-1962875130-3438800523'. You need to execute the net rpc getsid command and obtain the appropriate SID.
The smbldap-groupadd.pl Tool

You can use this tool to add a new group entry with the posixGroup objectclass to your Netscape Directory Server.

Syntax

smbldap-groupadd.
  -?  shows help messages
  groupname  Specify the name of the group. The group data entry will be deleted from the LDAP directory.

An Example

The following commands delete the group name “group1” from the Netscape Directory Server:

cd /opt/samba/LDAP3/smbldap-tools
./smbldap-groupdel.pl group1

The smbldap-groupshow.pl Tool

You can use this tool to view a group entry with the posixGroup information in the Netscape Directory Server.

Syntax

smbldap-groupshow.
NOTE If you specify the tool option -a or -W, the sambaAccount information can be added to the LDAP directory in addition to the posixAccount information. Without the -a or -W option, only posixAccount information can be added.

Syntax

smbldap-useradd.pl [options] username

where options can be any of the following:

  -a  specifies a Windows user. With this option, both posixAccount and sambaAccount will be added to the LDAP directory.
  -C  specifies the SMB home share, such as \\PDC-SRC\homes
  -D  specifies the home drive letter associated with home share, such as H:
  -E  specifies the script path (DOS script to execute on login)
  -F  specifies the profile directory
  -H  specifies Samba account control bits
  -N  specifies the canonical name
  -S  specifies the surname
  -?  shows help messages.
  username  Specify the name of the new user.
smbldap-usermod.
The following commands modify the user name “johnl” with the user id “200” in the Netscape Directory Server:

cd /opt/samba/LDAP3/smbldap-tools
./smbldap-usermod.pl -u 200 johnl

The smbldap-userdel.pl Tool

You can use the smbldap-userdel.pl tool to delete a user entry in the Netscape Directory Server. This tool will delete both posixAccount and sambaAccount information from the LDAP directory.

Syntax

smbldap-userdel.
  -?  shows help messages
  username  Specify the name of the user entry.

An Example

The following commands show the user entry data of the user “johnl” in the Netscape Directory Server:

cd /opt/samba/LDAP3/smbldap-tools
./smbldap-usershow.pl johnl

The smbldap-migrate-accounts.pl Tool

You can use the smbldap-migrate-accounts.pl tool to migrate the user account information in the smbpasswd file to the Netscape Directory Server.

Syntax

smbldap-migrate-accounts.
cd /opt/samba/LDAP3/smbldap-tools
./smbldap-migrate-accounts.pl -a

The smbldap-migrate-groups.pl Tool

You can use the smbldap-migrate-groups.pl tool to migrate the Windows NT groups information to the Netscape Directory Server.

Syntax

smbldap-migrate-groups.
Upgrading LDAP from HP CIFS Server A.01.* to A.02.*

When upgrading an existing HP CIFS Server version A.01.* LDAP configuration to version A.02.*, make the following changes to your smb.conf configuration file:

• Set passdb backend = ldapsam_compat:ldaps://<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL.
• Optionally, remove the obsolete parameter ldap enable.
$ /opt/ldapux/bin/ldapsearch -h -p 389 -l \
  -b -s sub "objectClass=sambaAccount" > \
  output file

For example, the following command finds the schema in the Netscape Directory Server, hostA.cup.hp.com, with the sambaAccount subschema and saves the output to the /tmp/old.ldif file:

$ /opt/ldapux/bin/ldapsearch -h hostA.cup.hp.
$ /opt/ldapux/bin/ldapmodify -c -h hostA.cup.hp.com -D "cn=Directory Manager" -w -f /tmp/mod.ldif

Step 7. Change your ldap filter smb.conf parameter to ldap filter = (uid=%u). Since (uid=%u) is the default, you might simply remove the ldap filter entry.

Step 8. Change your passdb backend smb.
Limitations with the LDAP Feature Support

HP only supports the HP CIFS Server with LDAP integration that works with the HP LDAP-UX Integration product, J4269AA, and the HP Netscape Directory Server, J4258CA.
9 Winbind Support This chapter describes how to set up and configure the HP CIFS Server with the winbind support.
• “Configuring HP CIFS Server with Winbind”
Overview

UNIX and Microsoft Windows NT have different models to represent user and group information and use different technologies for implementing them. Winbind is a component of the Samba suite of programs that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind uses a UNIX implementation and the Name Service Switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on an HP-UX system.
How Winbind works

Winbind works by using the winbind daemon (/opt/samba/bin/winbindd) that communicates with a Windows Domain Controller, the name services provided by the Name Service Switch (NSS), and configuration options in the smb.conf file. With winbind support, you need to set up the NSS configuration file, /etc/nsswitch.conf, to enable an HP-UX system to look up UID and GID mappings for users and groups that reside exclusively in the Windows domain.
Configuring HP CIFS Server with Winbind

You must set up and configure your HP CIFS Server to use the winbind feature support.

Winbind Configuration Parameters

The following is the list of new global parameters used to control the behavior of winbind. These parameters are set in the /etc/opt/samba/smb.conf file under the global section.

Table 9-1

[global]
    Any global setting defined here is used by the HP CIFS Server with the winbind support.
Table 9-1 Global Parameters (Continued)

Parameter
    Description

winbind cache time
    Specifies the number of seconds the winbindd daemon caches user and group information before querying a Windows NT server again. By default, this parameter is set to 300.

winbind enable local accounts
    Controls whether or not winbindd acts as a stand-in replacement for the various account management hooks in smb.conf (e.g. 'add user script').
idmap gid = 1500-2500
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind enable local accounts = no
winbind use default domain = no
idmap backend = ldap:ldap://ldaphost1.hp.
publickey: files
netgroup: files
rpc: files

In the above example, the winbind service is configured for the passwd and group service types: NSS first checks the files /etc/passwd and /etc/group, then winbind. Refer to switch(4) and “Configuring the Name Service Switch” in NFS Services Administrator’s Guide at http://docs.hp.com/hpux/netcom/ for detailed information on how to configure NSS.
When you run the ll -n command, the UID, 1002, and GID, 1505, are displayed in the output. Both UID and GID are in the range of values that we specify in the smb.conf file for winbind to use.

Starting and Stopping Winbind

This section describes how to start or stop the HP CIFS Server with winbind support.
10 Updating HP CIFS Server A.01 to A.02 HP CIFS Server A.02.* provides support for A.01.* features and requires minimal or no configuration changes to update in most cases.
there are many differences between HP CIFS Server A.01.* versions, which are based on Samba 2.2, and HP CIFS Server A.02.* versions, which are based on Samba 3.0. HP CIFS Server versions A.02.* provide many additional features, which can be deployed to simplify management of expansive networks. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS enabled networks.
Documentation

HP CIFS Server A.02.* versions provide the following documents, which are not provided with A.01.* versions:

• Samba book, The Official Samba HOWTO and Reference Guide
• Samba book, Samba 3 by Example
• Updated help text on configuration parameters, utilities, and tools
• HP CIFS Server Administrator’s Guide updates reflecting A.02.* features and differences with A.01.*.
HP CIFS Server A.02.* Added Features

Beginning with HP CIFS Server version A.02.01, many new features are available for use. The following describes these new features:

• Active Directory Server support
  HP CIFS Server can join an ADS realm as a member server and authenticate users using LDAP with Kerberos security. See Chapter 7, “Active Directory Service Member Server Support,” on page 107 before joining a Windows 200x domain.
Parameters Changes in smb.conf

Table 10-1 lists the new parameters and removed parameters in the smb.conf file for HP CIFS Server A.02.01.
Updating HP CIFS Server A.01 to A.02 Parameters Changes in smb.conf Table 10-1 Parameters Changes in smb.
Behavior Differences Between HP CIFS Server A.01.* and A.02.*

Many known changes in behavior between HP CIFS Server A.01.*, based on Samba 2.2, and HP CIFS Server A.02.*, based on Samba 3.0, might affect your HP CIFS Server operation. This section describes significant changes in behaviors for HP CIFS Server A.02.*. For additional changes and details, refer to /opt/samba/SAMBA_WHATSNEW.txt.
that must be specified for this purpose. A.02.* does not fall back to use the add user script option in the absence of an add machine script option.

• The join domain command
  In A.02.*, the "smbpasswd -j domain_name -r PDC_hostname -U administrator%passwd" command used to join a domain has been replaced by net commands.
Updating HP CIFS Server A.01.* to A.02.*

The installation and configuration procedures in Chapter 2, "Installing and Configuring the HP CIFS Server" apply to HP CIFS Server A.02.* versions as well as to A.01.* versions. However, you must consider the following additional concerns and apply these procedures when updating from an A.01.* version to an A.02.* version of HP CIFS Server:

• HP CIFS Server A.02.
- ldapsam_compat : A backward-compatible LDAP account backend for HP CIFS Server A.01.* versions.

You might also specify a combination of passdb backends. You can specify alternative backends. For example, the working sequence follows the smb.conf keyword sequence of authentication methods:

passdb backend = smbpasswd tdbsam ldapsam ldapsam_compat

• Update A.01.
11 HP CIFS Deployment Models This chapter describes the procedures to install, set up, and configure three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain.
• “Introduction”
• “Samba Domain Model”
• “Windows Domain Model”
• “Unified Domain Model”
Introduction

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS server interoperates with Windows NT, Windows 200x, Advanced Server, and other CIFS servers and clients. This chapter provides reference for three deployment models: Samba Domain Model, Windows Domain Model, and Unified Domain Model.
Samba Domain Model

You can use the Samba Domain Deployment Model in environments with the following characteristics:

• A domain consisting of HP CIFS Servers and no Windows domain controllers.
• Support for any number of UNIX servers that provide file and print services for corresponding numbers of users.
• An HP CIFS server is configured as a Primary Domain Controller (PDC). One or more HP CIFS Servers act as Backup Domain Controllers (BDCs).
Figure 11-1 shows a standalone HP CIFS Server as a PDC with the local password database:

Figure 11-1 Standalone HP CIFS Server as a PDC
[Figure labels: HP CIFS PDC; Windows and UNIX users; password backend: smbpasswd tdbsam]
Figure 11-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:

Figure 11-2 Standalone HP CIFS Server as a PDC with NDS backend
[Figure labels: HP CIFS PDC; NDS LDAP Server; Windows and UNIX users; password backend: ldapsam ldapsam_compat]
Figure 11-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:

Figure 11-3 Multiple HP CIFS Servers with NDS backend
[Figure labels: HP CIFS PDC and WINs Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam ldapsam_compat]
Figure 11-4 shows the Samba Domain Model:

Figure 11-4 Samba Domain
[Figure labels: HP CIFS PDC and WINs Server; NDS LDAP Server; HP-UX and Windows Clients; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam ldapsam_compat]

The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller (PDC), and one or more HP CIFS Servers acting as Backup Domain Controllers (BDCs).
Samba Domain Components

As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See Chapter 8, “LDAP Integration Support,” on page 113 for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments.
and Windows user accounts on the LDAP directory. The LDAP database can replace /etc/passwd and smbpasswd, and the PDC can access the LDAP directory for Windows authentication.

HP CIFS Server Acting as a BDC

The configuration of BDCs is similar to that of the PDC. This enables BDCs to carry much of the network logon processing. A BDC on a local segment handles logon requests and authenticates users when the PDC is busy on the local network.
the password server parameter to the name of the PDC and may also add the names of one or more BDCs. Set the domain master parameter to no to let the PDC take control. As with the PDC and BDC, you set the passdb backend parameter to the name of the LDAP server to centralize POSIX and Windows account database management.
An example of the Samba Domain Model

Figure 11-5 shows an example of the Samba Domain Model which has HP CIFS Server machine hpntc3w and IP address 15.13.115.226 acting as a PDC and WINs server, HP CIFS Server machine hpntc05 and IP address 15.13.117.248 acting as a BDC, and Netscape Directory Server machine hptem128.

Figure 11-5 An example of the Samba Domain Model
HP CIFS PDC and WINs Server “hpntc3w” IP address “15.13.115.
######################################
#
# Samba config file created using SWAT
# from 15.13.129.217
#
# Global Parameters
[global]
# Domain Name
workgroup = SAMBA30_DOMAIN
server string = Samba Server HPNTC3W PDC
passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
log level = 0
security = user
syslog = 0
log file = /var/opt/samba/log.
choose to use the A.01.* versions of backward compatible LDAP account backend, set passdb backend = ldapsam_compat:ldaps://<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL support.

Configuration Options

• domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC.
• domain logon: Set this parameter to yes to provide netlogon services.
local master = No
domain master = No
wins server = 15.13.115.
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hpntcl27 acting as a domain member server in the sample Samba Domain Model shown in Figure 11-5:

######################################
#
# Samba config file created using SWAT
# from 15.13.129.
• security: When the HP CIFS Server joins a domain as a member, you must set this parameter to domain.
• WINs Server: If you attempt to use the PDC as the WINS server, set this parameter to the PDC’s machine name.
• password server: This parameter defines the NetBIOS names of the PDC and BDC machines that perform the user name authentication and validation.

A Sample /etc/nsswitch.
Windows Domain Model

You can use the Windows Domain Model in environments with the following characteristics:

• Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled).
• Support for any number of HP CIFS servers that provide file and print services for corresponding numbers of users. It requires HP-UX LDAP Integration Client software for ADS domain member servers.
Figure 11-6 shows the Windows Domain Deployment Model as follows:

Figure 11-6 Windows Domain
[Figure labels: Windows NT or Windows ADS/PDC; HP CIFS Member Server; LDAP winbind idmaps; windows users; winbind; Windows NT BDC; windows users; ldap-ux client; winbind daemon; libnss_winbind; idmap.tdb; idmap backend = ldap]

In the Windows Domain Model, HP CIFS Server can join to a Windows domain as a member server with Windows NT or Windows 200x domain controllers.
which can be used to avoid explicitly allocating POSIX users and groups for Windows users and groups mapping. Winbind provides UID and GID generation and mapping for Windows users. Set smb.conf parameters to idmap uid = and idmap gid = . See Chapter 9, “Winbind Support,” on page 163 for detailed information on winbind.
An Example of the ADS Domain Model

Figure 11-7 shows an example of the Windows 2000/2003 ADS Domain Model which has the realm named HPCIF23DOM.CUP.HP.COM, an ADS domain controller machine hpcif23, an HP CIFS Server machine hpcif54 acting as a native member server and the Netscape Directory Server system hptem128.

Figure 11-7 An example of the ADS Domain Model
Windows ADS/DC “hpcif23” NDS LDAP “hptem128” Realm: HPCIF23DOM. .CUP.HP.
[global]
# Domain Name
workgroup = hpcif23_dom
server string = CIFS Server as a domain member of hpcif23_dom
realm = HPCIF23DOM.CUP.HP.COM
security = ADS
netbios name = hpcif54
encrypt passwords = yes
password server = *
passdb backend = smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
#
[homes]
comment = Home Directory
browseable = no
writable = yes
valid users = %D\%S
create mode = 0664
directory mode = 0775

[locshare]
path=/tmp
read only = no
browseable = yes
writable = yes

[nfsshare]
path=/mount/tmp
read only = no
browseable = yes
writable = yes

[dfsshare]
path=/dfsroot
read only =
A Sample /etc/krb5.conf File

On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is a sample /etc/krb5.conf used in the sample ADS Domain Model shown in Figure 11-7:

# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
A Sample /etc/nsswitch.conf File

In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and other name services that you want to use. The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 11-7:

# /etc/nsswitch.conf
#
# This sample file uses Lightweight Directory Access
# Protocol(LDAP) in conjunction with dns and files.
An Example of Windows NT Domain Model

Figure 11-8 shows an example of the Windows NT Domain Model which has a Windows NT server named hpcif43 as a PDC, an HP CIFS Server machine hpcif61 acting as a domain member server. The ID maps are saved in the local file, idmap.tdb.

Figure 11-8 An example of the Windows NT Domain Model
Windows NT Server/ PDC “hpcif43” windows users HP CIFS Member Server “hpcif61” winbind daemon libnss_winbind idmap.
[global]
# Domain Name
workgroup = hpcif23_dom
server string = CIFS Server as a member of NT domain
netbios name = hpcif61
# For NT specific option
workgroup = hpcif43_dom
security = domain
encrypt passwords = yes
passdb backend = smbpasswd
password server = hpcif43.cup.hp.com
log level = 0
log file = /var/opt/samba/log.
printer admin = root, admuser
create mask = 0600
guest ok = Yes
use client driver = Yes

[lj810002]
path = /tmp
printable = yes
print command = /usr/bin/lp -d%p %s; /usr/bin/rm %s

[locshare1]
comment = Local file system service1 for read only
path = /tmp
admin users = admuser
read only = Yes

[locshare2]
comment = Local file system service2 for writable
path = /tmp
admin users = admuser
read only = No

[nfsshare]
comment = Remote NFS service
path = /mount/public r
Unified Domain Model

You can use the Unified Domain Deployment Model in environments with the following characteristics:

• A domain consisting of Windows 200x servers.
• The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for Unix (SFU).

NOTE SFU Version 3.5 does not support the Windows NT4 Domain.

• Support for any number of HP CIFS Servers that provide file and print services for number of users.
Figure 11-9 shows the Unified Domain Deployment Model as follows:

Figure 11-9 Unified Domain
[Figure labels: Windows ADS DC/SFU; HP-UX Client; Windows and UNIX users; HP CIFS Member Server]

The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and a single or multiple HP CIFS member servers.
Unified Domain Components

HP CIFS Acting as a Windows 200x ADS Member Server

The HP CIFS member server operating in a unified domain depends on the ADS to be aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings. SFU and accompanying documentation is available for download at http://www.microsoft.com/windows/sfu.
software B.03.20 or later, and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts on the ADS directory. You also need to configure the /etc/krb5.conf file to authenticate users using Kerberos.

Installing and Configuring LDAP-UX Client Services on an HP CIFS Server

The following summarizes major steps you need to take to install and configure an LDAP-UX Client Services.
Configuring /etc/krb5.conf to Authenticate Using Kerberos

On your HP CIFS Server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on the configuration to locate the realm’s KDC. The following is an example of /etc/krb5.conf which has the realm CIFSW2KSFU.CUP.HP.COM, and machine hostA.cup.hp.
NOTE You need to install the LDAP-UX Client Services software on an HP CIFS member server before installing SFU on a Windows 2000 or 2003 domain controller.

An Example of the Unified Domain Model

Figure 11-10 shows an example of the Unified Domain Model which has the realm named HPCIFSW2KSFU.CUP.HP.COM, an ADS domain controller machine hpntcdn, an HP CIFS Server machine hpntcot acting as a member server and the Windows NT machine with IP address 15.13.112.
A sample smb.conf file For an HP CIFS Member Server

The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hpntcot acting as an ADS member server in the sample Unified Domain Model shown in Figure 11-10:

######################################################
#
# A sample smb.
# This krb5.conf file is intended as an example only.
# See krb5.conf(4) for more details.
# Please verify that you have created the directory /var/log.
# Replace HPCIFSW2KSFU.CUP.HP.COM with your kerberos Realm.
# Replace hpntcdn.cup.hp.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
default_realm = HPCIFSW2KSFU.CUP.HP.
# Protocol(LDAP) in conjunction with dns and files.
12 Securing HP CIFS Server This chapter describes the network security methods that you can use to protect your HP CIFS Server.
• “Automatically Receiving HP Security Bulletins”
Security Protection Methods

HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services. You can secure HP CIFS Server from connections that originate from outside the local network by using host-based protection. You can also use interface-based exclusion, so that SMBD binds only to specifically permitted interfaces.
Using Interface Protection

By default, the HP CIFS Server accepts connections on any network interface that it finds on your system. That means if you have an ISDN line or a PPP connection to the internet, then the HP CIFS Server can accept connections on those links. You can use the interface configuration options to change the interface behavior.
For example, you can configure an IPC$ share as follows:

[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0

This configuration tells the HP CIFS Server that it cannot accept IPC$ connections from anywhere but the two places listed: a local host and a local subnet.
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL) on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see Chapter 8, “LDAP Integration Support,” on page 113.
Table 12-1 Configuration Files (Continued)

File
    Description

/var/opt/samba/private/smbpasswd
    Data file containing user name and password information

/var/opt/samba/private/passdb.tdb
    Data file containing user name and password information

/opt/samba/LDAP/smbldap-tools/smbldap_conf.
server. To restrict its use, you can configure the admin users parameter to provide administration capabilities only to the users listed with this parameter. For example, you can configure the valid users option in the smb.conf file as follows:

[global]
valid users = @smbusers, jack

This restricts all server access to the user jack and to members of the system group smbusers.
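The following added example (not part of the HP guide or of the HP CIFS Server product) parses an smb.conf, evaluates a client address against one section's hosts allow and hosts deny lists with a match in hosts allow taking precedence, and reports missing interface, host and LDAP transport protections. The sample file, the interface names lan0 and lo0 and the host ldaphost.example.com are constructed; only IP and CIDR entries are handled (a host name raises ValueError), and treating an unset ldap ssl as a finding is an assumption of the example.

```python
import ipaddress

# Constructed sample smb.conf (illustrative values, not a file from the guide).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = SAMBA30_DOMAIN
   interfaces = lan0 lo0
   passdb backend = ldapsam:ldap://ldaphost.example.com:389

[ipc$]
   hosts allow = 192.168.115.0/24 127.0.0.1
   hosts deny = 0.0.0.0/0

[locshare]
   path = /tmp
   read only = no
"""

ENABLED = {"yes", "true", "1", "on"}
TLS_VALUES = ENABLED | {"start_tls", "start tls"}


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; names are lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def host_list(value):
    """Parse a hosts allow/deny value; only IP and CIDR entries are handled."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def client_allowed(params, client_ip):
    """Apply one section's hosts allow / hosts deny lists to a client address."""
    ip = ipaddress.ip_address(client_ip)
    allow = host_list(params.get("hosts allow", ""))
    deny = host_list(params.get("hosts deny", ""))
    if any(ip in net for net in allow):
        return True               # a match in hosts allow wins over hosts deny
    if allow and not deny:
        return False              # allow list alone: only listed hosts get in
    if any(ip in net for net in deny):
        return False
    return True                   # matched neither list


def audit(conf):
    """Return (section, finding) pairs for the protections discussed above."""
    findings = []
    glob = conf.get("global", {})
    if glob.get("bind interfaces only", "no").lower() not in ENABLED:
        findings.append(("global", "'bind interfaces only' is not enabled; "
                         "smbd is not limited to the listed interfaces"))
    # Assumption: an unset 'ldap ssl' is reported rather than trusted to a default.
    if ("ldap://" in glob.get("passdb backend", "")
            and glob.get("ldap ssl", "").lower() not in TLS_VALUES):
        findings.append(("global", "passdb backend uses ldap:// and "
                         "'ldap ssl' is not set to a TLS mode"))
    for name, params in conf.items():
        # A hosts allow in [global] applies to every service.
        if (name != "global" and "hosts allow" not in params
                and "hosts allow" not in glob):
            findings.append((name, "no 'hosts allow' restriction applies"))
    return findings


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for ip in ("192.168.115.20", "15.13.115.226"):
        verdict = "accepted" if client_allowed(conf["ipc$"], ip) else "refused"
        print(f"ipc$ {ip}: {verdict}")
    for section, finding in audit(conf):
        print(f"[{section}] {finding}")
```

Run against a copy of /etc/opt/samba/smb.conf by passing its contents to parse_smb_conf; the findings are prompts for review, not a statement of what the server enforces.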
Automatically Receiving HP Security Bulletins

You can subscribe to automatically receive future HP Security Bulletins or other technical digests from the HP IT Resource Center (ITRC) via electronic mail. Use the following steps to register for and subscribe to HP Security Bulletins:

Step 1. Use your browser to get to the HP IT Resource Center web site at: http://itrc.hp.com

Step 2.
For detailed information on the Security Patch Check tool, refer to the following web site:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

The security patch matrix is also available via the anonymous ftp site at: ftp://ftp.itrc.hp.
13 Configuring HA HP CIFS
Overview of HA HP CIFS Server

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
2. Use SAM or LVM commands to set up the volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.

HA HP CIFS Server Installation

1. Install HP CIFS Server using SD on all cluster nodes. If HP CIFS Server is already installed and configured on either node, simply stop it with the /opt/samba/bin/stopsmb command and skip to step 4.

2.
Each CIFS Server has its own smb.conf file to define its behavior. The NetBIOS name and IP address that the client connects to are used to decide which smb.conf file is used for the connection. This multiple CIFS master daemon configuration allows HP CIFS to run multiple MC/ServiceGuard packages simultaneously. When a failover occurs, MC/ServiceGuard transfers the IP address from the failing cluster node to another node.
3. /etc/opt/samba/smb.conf.ha_server3.

There will be three directories:

1. /var/opt/samba/ha_server1
2. /var/opt/samba/ha_server2
3. /var/opt/samba/ha_server3

...where the locks and log files will reside.

Complete the following for each CIFS package of your MC/ServiceGuard cluster:

1.
If /opt/samba/bin/samba_setup was run during installation as suggested:

• Take the workgroup line from the /etc/opt/samba/smb.conf file. Add in the rest of your desired configuration items.
• Take the NetBIOS name line from the same file, or, if there is no NetBIOS name line, put in the UNIX host name for the server on the NetBIOS name line.
• Consider load balancing when creating the share paths.
    mkdir /etc/cmcluster/samba
    mkdir /etc/cmcluster/samba/sambapkg1

5. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/HA to /etc/cmcluster/sambapkg1 (or /etc/cmcluster/sambapkg2) on the primary node. Make all scripts writeable.

    cp /opt/samba/HA/samba.* /etc/cmcluster/sambapkg1
    chmod 666 samba.conf samba.cntl samba.mon

6. Customize the sample scripts for your MC/ServiceGuard configuration.
3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.

    RUN_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
    RUN_SCRIPT_TIMEOUT NO_TIMEOUT
    HALT_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
    HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for sambapkg1, and

    RUN_SCRIPT /etc/cmcluster/sambapkg2/samba.cntl
    RUN_SCRIPT_TIMEOUT NO_TIMEOUT
    HALT_SCRIPT /etc/cmcluster/sambapkg2/samba.cntl
    HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for sambapkg2, etc.

4.
Edit the samba.cntl Control Script

To configure the samba.cntl Control Script file, you must complete the following tasks:

1. Set the NETBIOS_NAME variable to your NetBIOS name.

    NETBIOS_NAME=ha_server1

...for sambapkg1 and

    NETBIOS_NAME=ha_server2

...for sambapkg2, etc.

2. Create a volume group for the HP CIFS Server directories:

    VG[0]=/dev/vgsambapkg1

...for sambapkg1, and

    VG[0]=/dev/vgsambapkg2

...for sambapkg2, etc.

3.
5. If you want to use the HP CIFS Server monitor script, set the NFS_SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.

    SERVICE_NAME[0]=samba_mon1
    SERVICE_CMD[0]=/etc/cmcluster/sambapkg1/samba.mon

6. Use the following as a template for customer_defined_run_cmds.

    NETBIOS_NAME=ha_server1
    CONF_FILE=/etc/opt/samba/smb.conf.
    #
    # Use the following for Winbind Configurations
    /opt/samba/bin/startwinbind
    test_return 51
    }

7. Use the following as a template for customer_defined_halt_cmds:

    function customer_defined_halt_cmds
    {
    #ADD customer defined halt commands.
    if [ ! -f ${SMBD_PID_FILE} ]
    then
        print "\tERROR: Kill of smbd.pid failed."
        print "\tERROR: ${SMBD_PID_FILE} could not be found.
    fi
    fi
    ######################################################
    # Use the following for Winbind Configurations
    #
    # if [ ! -f ${WINBIND_PID_FILE} ]
    # then
    # print "ERROR: Kill of smbd.pid failed."
    # print "ERROR: ${WINBIND_PID_FILE} could not be found."
    # else
    # WINBIND_PID=`cat ${WINBIND_PID_FILE}`
    # findwbproc $WINBIND_PID
    # if [ "$wbpid" = "" ]
    # then
    # print "ERROR: Kill of winbindd.pid failed."
    # print "ERROR: ${WINBIND_PID} could not be found.
...and sambapkg1,

    NETBIOS_NAME=ha_server2

...for sambapkg2, etc.

2. Use the following template provided with samba.mon.

    CONF_FILE=/etc/opt/samba/smb.conf.${NETBIOS_NAME}
    LOG_FILE=/var/opt/samba/${NETBIOS_NAME}/log
    SMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/smbd.pid
    NMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/nmbd.
    # process(es)
    # wbpid=`/usr/bin/ps -e |
    # /usr/bin/grep " $1 " | grep "winbindd" |
    # /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
    # }
    #
    # Function startnmbd
    #
    startnmbd()
    {
    # start the nmbd
    logger -t "${NETBIOS_NAME}.mon" "${NETBIOS_NAME} nmbd daemon is not running. Restarting daemon."
    nmbd -D -l ${LOG_FILE} -s ${CONF_FILE}
    }

    startsmbd()
    {
    # start the smbd
    logger -t "${NETBIOS_NAME}.mon" "${NETBIOS_NAME} smbd daemon is not running. Restarting daemon.
    exit 1
    fi
    fi
    fi

    if [ ! -f ${SMBD_PID_FILE} ]
    then
        sleep 1
        print "\tERROR: ${SMBD_PID_FILE} could not be found!"
        exit 1
    else
        SMBD_PID=`cat ${SMBD_PID_FILE}`
        findproc $SMBD_PID
        if [ "$pid" = "" ] ; then
            if [ "$MAX_SMBD_RETRYS" -gt 0 ] ; then
                startsmbd
                if [ "$MAX_SMBD_RETRYS" -ge 1 ] ; then
                    (( MAX_SMBD_RETRYS = MAX_SMBD_RETRYS - 1 ))
                fi
            else
                sleep 1
                echo "ERROR: ${NETBIOS_NAME} smbd not running!"
                exit 1
            fi
        fi
    fi
    #
    ############################################
    # /opt/samba/bin/startwinbind
    # if [ "$MAX_WINBIND_RETRYS" -ge 1 ] ; then
    # (( MAX_WINBIND_RETRYS = MAX_WINBIND_RETRYS - 1 ))
    # fi
    # else
    # sleep 1
    # echo "ERROR: ${NETBIOS_NAME} winbindd not running!"
    # exit 1
    # fi
    # fi
    # fi
    sleep $INTERVAL
    done

Create the MC/ServiceGuard Binary Configuration File

NOTE In the following example, the cluster configuration file will be assigned the name /etc/cmcluster/cluster.
    cmcheckconf -C /etc/cmcluster/cmclconf.ascii \
        -P /etc/cmcluster/samba/sambapkg1/samba.conf \
        -P /etc/cmcluster/samba/sambapkg2/samba.conf

3. Use the cmapplyconf command to copy the binary configuration file to all the nodes in the cluster.

    cmapplyconf -v -C /etc/cmcluster/cmclconf.ascii \
        -P /etc/cmcluster/samba/sambapkg1/samba.conf \
        -P /etc/cmcluster/samba/sambapkg2/samba.
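The copy step earlier in this procedure leaves samba.conf, samba.cntl and samba.mon at mode 666, which gives every local account write permission on scripts that the cluster software later runs. The check below is an added example, not part of the HP guide or the shipped HA scripts: it lists group- or other-writable files and directories under a package directory so the modes can be tightened before cmapplyconf distributes the package. The function names and the temporary sample directory are constructed.

```shell
# Added example; audit_pkg_perms and make_sample_pkg are hypothetical names.
audit_pkg_perms() {
    # $1 = package directory, e.g. the directory holding samba.cntl
    # Prints one finding per line; returns 1 when anything was found.
    dir=$1
    findings=$(
        # -perm -020 / -002: the group-write or other-write bit is set
        find "$dir" -type f \( -perm -020 -o -perm -002 \) |
            sort | sed 's/^/writable file: /'
        # a writable directory lets its scripts be replaced outright
        find "$dir" -type d \( -perm -020 -o -perm -002 \) |
            sort | sed 's/^/writable dir:  /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

make_sample_pkg() {
    # Constructed stand-in for a package directory after the copy step
    d=$(mktemp -d) || return 1
    chmod 755 "$d"
    for f in samba.conf samba.cntl samba.mon; do
        : > "$d/$f"
    done
    chmod 666 "$d/samba.conf" "$d/samba.cntl" "$d/samba.mon"
    printf '%s\n' "$d"
}

pkg=$(make_sample_pkg)
audit_pkg_perms "$pkg" || echo "fix permissions before running cmapplyconf"
chmod go-w "$pkg"/samba.*
audit_pkg_perms "$pkg" && echo "no group- or other-writable files"
rm -rf "$pkg"
```

Run it against each package directory on every node that holds a copy of the scripts, since the modes are set per node.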
Special Notes for HA HP CIFS Server

There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below:

• Client Applications

HA HP CIFS Server cannot guarantee that client applications with open files on a HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover.
set to yes, then you have to use an smbpasswd file. By default, this file is located in the path /var/opt/samba/private but you may specify a different path with the smb passwd file parameter. Another important security file used with domain level security is the machine account file, .mac. Since this file will be updated periodically (as defined in smb.
If you configure your Samba server to be a WINS server by setting the wins support parameter to yes, it will store the WINS database in the file /var/opt/samba/locks/WINS.DAT. If this file is not on a logical shared volume, when a failover occurs, there will be a short period of time when all the WINS clients update the Samba WINS server with their address.
You will need to edit the MC/ServiceGuard scripts to add the -H option to the places where nmbd is invoked directly. You will also need to edit the /opt/samba/bin/startsmb script to add the -H option to the places where nmbd is started.
14 HP-UX Configuration for HP CIFS

This chapter describes HP-UX tuning procedures for the HP CIFS Server.
• HP CIFS Server Memory and Disc Requirements
• HP CIFS Process Model
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS

The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of a HP CIFS server running on HP-UX 11i v1 and v2.
HP CIFS Process Model

The SMB daemon process, smbd, handles all SMB requests from a client. One such process is launched for each connected client. Each SMBD process handles one and only one client. Therefore, if there are 2048 connected clients, there will be 2048 SMBD processes. Such a large number of processes will demand system resources, requiring adjustment of certain kernel configuration parameters.
Overview of Kernel Configuration Parameters

The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.

• maxusers: the name of this kernel parameter is a misnomer as it does not directly control the number of UNIX users that can log on to HP-UX.
Configuring Kernel Parameters for HP CIFS

The first step in configuring HP-UX to support a large number of clients on a HP CIFS server is to adjust the maxusers kernel parameter. The second step involves adjusting nproc, nfile, nflocks and ninode individually so as to allow a large number of users to be connected simultaneously.

1.
• nfile: when an SMBD process is launched, it will, right at the beginning, take up 28 entries in the system file table. This does not include any other files that the client will open and operate on. At a minimum, therefore, the value of nfile should be equal to the anticipated number of simultaneous clients times (28 + the anticipated number of files simultaneously opened by each client).
Memory Requirements

Each smbd process will need approximately 1 MB of memory. For 2048 clients, therefore, the system should have at least 2 GB of physical memory. This is over and above the requirements of other applications that will be running concurrently with HP CIFS.
Glossary

ACL  Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define “access rights.” In this scheme, users typically belong to “groups,” and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support and different file systems define different access rights.
Integrity  Integrity ensures that file system data is not modified by an intruder. An intruder cannot intercept a file system data packet and modify it without the network file system discovering and rejecting the tampering.

Samba  An open source product that first appeared in the mid-1990s.