HP CIFS Server 3.0b Administrator's Guide
Version A.02.01.01, HP-UX 11i v1 and v2
Edition 3
Manufacturing Part Number: B8725-90079
E0205, U.S.A.
© Copyright 2005 Hewlett-Packard Company.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
Contents (excerpt)
1. Introduction to the HP CIFS Server
Introduction to HP CIFS (3)
What is the CIFS Protocol? (3)
The Open Source Software (OSS) Samba Suite (5)
Open Source Software
Performance Tuning using Change Notify (40)
3. Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
UNIX File Permissions and POSIX ACLs
Viewing UNIX Permissions From Windows NT
Configure the HP CIFS Server as a Member Server (85)
Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain (86)
Create the Machine Trust Accounts (88)
Configure Domain Users
Enabling Secure Sockets Layer (SSL)
Configuring the Netscape Directory Server to enable SSL
Configuring the LDAP-UX Client to Use SSL
Configuring HP CIFS Server to enable SSL
Migrating Your data to the Netscape Directory
Updating HP CIFS Server A.01.* to A.02.* (179)
9. HP CIFS Deployment Models
Introduction
Samba Domain Model
Samba Domain Components
Configuring Kernel Parameters for HP CIFS (255)
Swap Space Requirements (256)
Memory Requirements (257)
Glossary (259)
Index
About This Document
This document describes how to install, configure, and administer the HP CIFS Server product. It augments The Samba HOWTO Collection and Using Samba, 2nd Edition, the books supplied with the HP CIFS Server product, and provides additional HP-UX specific variations, features, and recommendations. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.
Intended Audience
This document is intended for users who are already familiar with the HP CIFS Server product. For additional information about the HP CIFS Server, please refer to other HP CIFS Server documentation on-line at http://www.docs.hp.com.
New and Changed Documentation in This Edition
This edition documents the following enhancements for the HP CIFS Server 3.0b version A.02.01.01:
• Support for Active Directory Server (ADS).
Typographical Conventions
Table 1 Documentation Conventions
Monotype: representations of what appears on a display, program/script code, and command names or parameters. Example: > user logged in.
Italics: emphasis in text, actual document titles. Example: Users should verify that the power is turned off before removing the board.
Headings and sub-headings.
What Is in This Document
This manual describes how to install, configure, administer and use the HP CIFS Server product. The organization of this manual is as follows:
Table 3 Document Organization
Introduction to the HP CIFS Server: Use this chapter to learn about the HP CIFS Server and Samba, the open source software suite on which the HP CIFS Server is based.
Installing and Configuring the HP CIFS Server: Use this chapter to learn how to install and configure the HP CIFS Server product.
Updating HP CIFS Server A.01 to A.02: Use this chapter to understand the differences between HP CIFS Server A.01.* versions, which are based on Samba 2.2, and HP CIFS Server A.02.* versions, which are based on Samba 3.0, and to learn the update procedures so that you can plan and upgrade your CIFS-enabled networks.
• The section numbers and page numbers of the information on which you are commenting.
• The version of HP-UX that you are using.
1 Introduction to the HP CIFS Server
This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS.
Introduction to HP CIFS
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX. The current HP CIFS Server (version A.02.01) is based on the well-established open-source software Samba, version 3.0.
Despite its name, CIFS is not actually a file system unto itself. More accurately, CIFS is a remote file access protocol; it provides access to files on remote systems. It sits on top of and works with the file systems of its host systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.
The Open Source Software (OSS) Samba Suite
The HP CIFS server source is based on Samba, an Open Source Software (OSS) project developed in 1991 by Andrew Tridgell in Australia. This section includes a very brief introduction to the Samba product.
Samba Documentation: Printed and Online
When using the HP CIFS product, HP recommends that you refer to The Samba HOWTO Collection and Samba-3 by Example, shipped with the product in the /opt/samba/docs directory. The book Using Samba, 2nd Edition, can also be found in /opt/samba/swat/using_samba. All three books are available through the Samba Web Administration Tool (SWAT).
HP CIFS Server Enhancements
The HP CIFS Server A.02.01 incorporates a variety of functional enhancements. The sections that follow provide an overview of each of these enhancements. The sections are:
• Backup Domain Controller (BDC) Functionality (new for version A.02.01).
• Winbind Functionality (new for version A.02.01).
• HP CIFS Deployment Models (new for version A.02.01).
Winbind Functionality (version A.02.01)
Winbind is a component of the Samba suite of programs that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind provides the NSS routine, /etc/lib/libnss_winbind.1, which interfaces to the winbind daemon, winbindd, to resolve ID mappings. Winbind maintains a database called winbind_idmap.tdb where it stores mapping data between HP-UX UIDs/GIDs and Windows SIDs (Security Identifiers).
• ldapsam: Attribute-rich account storage and retrieval backend utilizing an LDAP directory. This makes use of a different schema than the one provided with A.01.* versions.
• ldapsam_compat: An LDAP storage and retrieval backend utilizing an LDAP directory that is compatible with A.01.* versions. This backend makes use of the same schema provided with A.01.* versions.
New Account Management Tools (version A.02.01)
HP CIFS Server A.02.
HP CIFS Server Documentation: Printed and Online
The full set of HP CIFS server documentation consists of three non-HP books available at most technical bookstores, and this printed and online HP CIFS server manual. The HP manual is HP CIFS Server Administrator's Guide. The Samba-3 HOWTO and Reference Guide and Samba-3 by Example are shipped with the product and can be found in the /opt/samba/docs directory.
Location of Files on the Server
The default location of HP CIFS is /opt/samba. In this case, the following directories should exist in the Samba directory: bin/, docs/, script/, examples/, HA/, man/, and swat/. Refer to the complete listing of HP CIFS Server files and directories in the Overview section in chapter 2. The HP CIFS configuration files are in /etc/opt/samba.
or
   /opt/samba/bin/startsmb --winbind
   /opt/samba/bin/stopsmb -w
or
   /opt/samba/bin/stopsmb --winbind
Winbind execution may be controlled without affecting the execution of smbd and nmbd with the following commands. Run the following command to start winbind alone:
   /opt/samba/bin/startwinbind
Run the following command to stop winbind alone:
   /opt/samba/bin/stopwinbind
These commands are described in chapter 2 of this manual.
For information about SWAT, refer to chapter 30, "SWAT - The Samba Web Administration Tool" in the Samba HOWTO and Reference Guide.
Browsing
Browsing gives you the ability to view the servers and shares on your network. Samba provides over fourteen different browsing options. HP, however, recommends that you start with the default values.
HP CIFS Documentation Roadmap
Use the following road map to locate the Samba and HP CIFS documentation that you need.
Table 1-1 HP CIFS Product: Document Title: Chapter: Section
Server Description: Installing and Administering the HP CIFS Server: Chapter 1, "Introduction to the HP CIFS Server"; Samba Meta FAQ No. 2, "General Information about Samba"; Samba FAQ No. 1, "General Information"; Samba Server FAQ: No.
Server Installation: Installing and Administering the HP CIFS Server: Chapter 2, "Installing and Configuring the HP CIFS Server"; Samba FAQ: No 2, "Compiling and Installing Samba on a UNIX Host."
Client Installation: Installing and Administering the HP CIFS Client: Chapter 2.
Server: Samba Scripts: Using Samba: Appendix D, "Summary of Samba Daemons and Commands"
SMB & CIFS File Protocols: Chapter 11, "HP CIFS Deployment Domain Models" in this document
SMB & CIFS Network Design: Using Samba: Chapter 1, "Learning the Samba"; Samba Meta FAQ No.
Server Troubleshooting: Installing and Administering the HP CIFS Server: Chapter 3, "Troubleshooting the HP CIFS Server"; Part V, Troubleshooting, Samba HOWTO and Reference Guide; Using Samba, Chapter 9, "Troubleshooting Samba"; Samba FAQs No. 4, "Specific Client Application Problems" and No 5, "Miscellaneous"
Client Troubleshooting: DIAGNOSIS.
Table 1-2 HP CIFS Server Files and Directories (Continued)
/opt/samba_src: the directory that contains the source code for the HP CIFS Server (if the source bundle was installed).
/opt/samba/bin: the directory that contains the binaries for the HP CIFS Server, including the daemons and utilities.
/var/opt/samba: this directory contains the HP CIFS Server log files as well as other dynamic files that the HP CIFS Server uses, such as lock files.
/etc/opt/samba: this directory contains the configuration files which the HP CIFS Server uses, primarily the smb.conf file.
/etc/opt/samba/smb.
/sbin/rc2.d/S900samba, /sbin/rc1.d/K100samba: links to /sbin/init.d/samba which are actually executed at boot time and shutdown time to start and stop the HP CIFS Server (if it is configured to do so).
2 Installing and Configuring the HP CIFS Server This chapter describes the procedures to install and configure the HP CIFS Server software.
• HP CIFS Server Requirements and Limitations
• Step 1: Installing HP CIFS Server Software
• Step 2: Running the Configuration Script
• Step 3: Modify the Configuration
• Step 4: Starting the HP CIFS Server
IMPORTANT: HP CIFS Server A.02.01 or later requires the LDAP-UX Integration product, J4269AA, to be installed.
HP CIFS Server Requirements and Limitations
Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations.
HP-UX 11.x Memory and Disc Requirements
Although an 11.x 32-bit and 64-bit HP-UX system can boot with as little as 64MB RAM and 1GB of disc space, the performance of such a configuration would be prohibitive.
smbd process and represents an increase of approximately 70 percent. The increased memory footprint is the result of adding new features. In addition to the base memory increase, the smbd process may now also allocate memory for specialized caching requirements as needed. The size and timing of these memory allocations vary widely depending on the client type and the resources being accessed.
Step 1: Installing HP CIFS Server Software
HP CIFS Server Upgrades: If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment. The SD install procedure may alter or replace your current configuration files.
1. Log in as root.
2. Insert the software media (disk) into the appropriate drive.
3. Run the swinstall program using the command:
   swinstall
   This opens the Software Selection Window and Specify Source Window.
4. Change the Source Host Name if necessary, enter the mount point of the drive in the Source Depot Path field, and activate the OK button to return to the Software Selection Window.
Step 2: Running the Configuration Script
The samba_setup configuration script is intended for new installations only. For detailed procedures on how to update HP CIFS Server A.01 to A.02, see Chapter 8, "Updating HP CIFS Server A.01 to A.02," on page 169.
— administrator user name and password
See Chapter 4, "NT Style Domains," on page 77 for details.
Step 3: Modify the Configuration
HP CIFS Server requires configuration modifications for the following functionality:
• ACL Support
• Case Sensitivity for the Client and Server for UNIX Extensions
• DOS Attribute Mapping
• Print Services for version A.02.01 (current version)
• Distributed File System (DFS) Support
• Configure MC/ServiceGuard High Availability (HA)
Configure ACL Support (for version A.01.
• Example four: acl schemes = hpux_posix unix. HP CIFS will attempt to use VxFS POSIX ACLs. If ACLs are not present, it will use UNIX permissions.
Configure ACL Support (for version A.01.08)
HP CIFS Server, version A.01.08, provides a share level variable called “nt acl support.” The possible values for this variable are “yes” and “no.” This variable defaults to “yes.”
When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general. By default, map system and map hidden are off, and map archive is on. To turn map archive off, modify /etc/opt/samba/smb.
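The following is an added example, not part of the HP manual, showing why the DOS attribute mapping parameters matter to a UNIX administrator. Samba stores the DOS archive, system and hidden attributes in the owner, group and other execute bits respectively (documented smb.conf(5) behaviour; the manual only discusses map archive). The functions compute the mode a file ends up with after a client write, the attributes a client would be shown for a given mode, and audit a constructed directory listing for data files whose only execute bit is the owner bit, the footprint map archive leaves behind.

```python
import stat

# smb.conf parameter -> the UNIX mode bit Samba borrows to store the DOS
# attribute (documented smb.conf(5) behaviour; the manual discusses map archive).
ATTRIBUTE_BITS = {
    "map archive": stat.S_IXUSR,  # owner execute
    "map system": stat.S_IXGRP,   # group execute
    "map hidden": stat.S_IXOTH,   # other execute
}

# Defaults as the manual states them: map archive on, map system/hidden off.
DEFAULT_SETTINGS = {"map archive": True, "map system": False, "map hidden": False}


def mode_after_client_write(mode, settings=DEFAULT_SETTINGS):
    """Mode a file ends up with after a CIFS client writes to it.

    Windows marks every modified file with the archive attribute; with
    map archive on, Samba records that attribute in the owner execute bit,
    which is the side effect the manual warns about.
    """
    if settings.get("map archive", True):
        mode |= ATTRIBUTE_BITS["map archive"]
    return mode


def dos_attributes_seen_by_client(mode, settings=DEFAULT_SETTINGS):
    """Reverse direction: DOS attributes a client is shown for a file with
    this mode under the given map settings (sorted for stable output)."""
    return sorted(
        param.split()[1]  # "map archive" -> "archive"
        for param, bit in ATTRIBUTE_BITS.items()
        if settings.get(param, False) and mode & bit
    )


def find_spurious_executables(listing):
    """Report regular files whose only execute bit is the owner bit: the
    pattern left behind when a Windows client saves a data file through a
    share with map archive on. Genuine scripts normally carry more than
    one execute bit; directories are skipped entirely."""
    all_exec = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return [
        path
        for path, mode in listing
        if stat.S_ISREG(mode) and (mode & all_exec) == stat.S_IXUSR
    ]


# Constructed sample listing of (path, st_mode) pairs, as os.stat() would report.
SAMPLE_LISTING = [
    ("/export/share/report.doc", stat.S_IFREG | 0o744),  # data file, owner x only
    ("/export/share/budget.xls", stat.S_IFREG | 0o644),  # untouched data file
    ("/export/share/deploy.sh", stat.S_IFREG | 0o755),   # genuine script
    ("/export/share/archive", stat.S_IFDIR | 0o755),     # directory, ignored
]

if __name__ == "__main__":
    print(oct(mode_after_client_write(0o644)))        # 0o744
    print(dos_attributes_seen_by_client(0o744))       # ['archive']
    print(find_spurious_executables(SAMPLE_LISTING))  # ['/export/share/report.doc']
```

Running the audit against a real share is a matter of feeding it `(path, os.stat(path).st_mode)` pairs from `os.walk`; the constructed listing stands in for that here.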
Creating a [printers] share
Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:
   [printers]
   path = /tmp
   printable = yes
   browseable = no
This share is required if you want SWAT to display printers that are not defined in the smb.conf file but exist on the HP CIFS Server.
In this example, the parameter “write list” specifies that administrative level user accounts will have write access for updating files on the share.
2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported.
5. Select the printer driver, e.g. hp LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk and stored in the subdirectories under the [print$] share.
Migrating Printing Services From version A.01.08 to A.02.01
• The smb.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure an HP CIFS server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes. Example:
   [global]
   host msdfs = yes
3. Create a directory to act as a DFS root on the HP CIFS Distributed File System (DFS) Server.
4. Create a share and define it with the parameter path = directory of DFS root in the smb.
   cd /export/dfsroot
   chown root /export/dfsroot
   chmod 775 /export/dfsroot
   ln -s msdfs:serverA\\shareA linka
   ln -s msdfs:serverB\\shareB,serverC\\shareC linkb
Follow the configuration procedures provided in Chapter 6.
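The smb.conf settings discussed throughout Step 3 (acl schemes, the map archive / map system / map hidden parameters, the [printers] and [print$] shares with their write list, and host msdfs for a DFS root) are easy to get wrong one at a time. The following added checker, which is not part of the HP product, parses an smb.conf text with a small purpose-built parser and reports each departure from what the chapter describes. The two configurations embedded below are constructed for the example; the share paths, the @ntadmin group and the EXAMPLE workgroup are made up, and only the parameter names come from the manual.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    smb.conf parameters are case-insensitive and may contain spaces; comment
    lines start with '#' or ';'. A later duplicate overrides an earlier one,
    which matches how Samba reads the file.
    """
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1).strip()
            config.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        config[section][key.strip().lower()] = value.strip()
    return config


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def audit_step3(config, dfs_root=False):
    """Return a list of findings for the Step 3 items of the manual.

    dfs_root=True means this server is meant to host the DFS root, so
    host msdfs = yes is required in [global].
    """
    findings = []
    g = config.get("global", {})

    # DOS attribute mapping: the manual's default is map archive on, the
    # others off; each one that is on turns client writes into execute bits.
    for param in ("map archive", "map system", "map hidden"):
        default = "yes" if param == "map archive" else "no"
        if is_yes(g.get(param, default)):
            findings.append(f"[global] {param} is on: client writes will set a UNIX execute bit")

    if "acl schemes" not in g:
        findings.append("[global] acl schemes not set: ACL handling falls back to the product default")

    printers = config.get("printers")
    if printers is None:
        findings.append("no [printers] share: printers not defined in smb.conf will not be listed in SWAT")
    else:
        if not is_yes(printers.get("printable", "no")):
            findings.append("[printers] printable should be yes")
        if is_yes(printers.get("browseable", "yes")):
            findings.append("[printers] browseable should be no")

    print_drv = config.get("print$")
    if print_drv is not None and not print_drv.get("write list"):
        findings.append("[print$] has no write list: driver uploads are not limited to administrative accounts")

    if dfs_root and not is_yes(g.get("host msdfs", "no")):
        findings.append("[global] host msdfs = yes is required on the DFS root server")

    return findings


# Constructed configuration with the weak settings the chapter warns about.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   map archive = yes
[printers]
   path = /tmp
   printable = no
[print$]
   path = /var/opt/samba/drivers
   read only = no
"""

# The same server configured as the chapter recommends (values constructed).
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   acl schemes = hpux_posix unix
   map archive = no
   map system = no
   map hidden = no
   host msdfs = yes
[printers]
   path = /tmp
   printable = yes
   browseable = no
[print$]
   path = /var/opt/samba/drivers
   write list = @ntadmin, root
"""

if __name__ == "__main__":
    for finding in audit_step3(parse_smb_conf(WEAK_CONF), dfs_root=True):
        print("WEAK:", finding)
    print("HARDENED:", audit_step3(parse_smb_conf(HARDENED_CONF), dfs_root=True))
```

To check a live server, read /etc/opt/samba/smb.conf into `parse_smb_conf` instead of the embedded text; the checker deliberately treats a missing parameter as its default so that an absent `map archive` line is reported as on, exactly as the server would behave.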
Step 4: Starting the HP CIFS Server
Run the script below to start Samba if you do not use winbind support:
   /opt/samba/bin/startsmb
Run the script below to start Samba if you configure HP CIFS Server to use winbind support:
   /opt/samba/bin/startsmb -w
or
   /opt/samba/bin/startsmb --winbind
When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started.
Automatically Starting the HP CIFS Server
When the HP CIFS Server is installed, by default it will not be configured to automatically start when the system boots up and stop when the system shuts down. You can enable this feature by doing the following:
1. Edit the /etc/rc.config.d/samba file.
2. Change the last line of the file to: RUN_SAMBA=1.
3. Save the file.
Other Samba Configuration Issues
Translate Open-Mode Locks into HP-UX Advisory Locks
The HP CIFS Server A.01.07, and subsequent versions, can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients.
To counteract the possible performance impact, you can control how often Samba scans for changes in the directories it has been requested to monitor. The parameter that controls how often Samba scans for changes is Change Notify Timeout. The parameter value represents the number of seconds between the start of each scanning cycle. The default value is 60.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACL) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
UNIX File Permissions and POSIX ACLs
The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.
Table 3-1 (Continued)
UNIX Permission    NT access type
r--                Special Access
In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).
UNIX File Owner Translation in NT ACL
A UNIX file system owner has additional permissions that other users do not have.
For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows NT client will display the permissions for group sales as: Special Access(RXO)
UNIX Other Permission Translation in NT ACL
In UNIX, the other permission entry represents permissions for any user or group that is not the owner and doesn't belong to the owning group.
Table 3-2 (Continued)
NT access type        UNIX Permission
Special Access(RW)    rw-
Read(RX)              r-x
Special Access(WX)    -wx
Special Access(RWX)   rwx
Special Access        r--
When mapping to UNIX file permissions from NT, you will not be able to add new NT ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries.
If you use pre-defined NT access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in NT. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows NT client, it will show up as Special Access (RWX).
The VxFS POSIX ACL File Permissions
VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.
• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.
• VxFS POSIX ACLs support default Access Control Entries (ACE) for directory permissions.
Using the NT Explorer GUI to Create ACLs
Use the Windows NT Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list:
• Click the Add button in the File/Directory Permissions dialog box of the Windows NT GUI to bring up the Add Users and Groups dialog box. (Figure 3-3)
NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs. (Figure 3-4: Windows NT Explorer List Names From Field)
Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system.
(Figure 3-5: Windows NT Explorer Add Users and Groups Dialog Box)
• Go to the List Names From dropdown list in the Add Users and Groups dialog box. One screen choice is to list names on your Samba server. This is the list HP recommends. Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.
• Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local UNIX groups and the users in this list. (Figure 3-6: Add UNIX Groups and Users)
• You can type user and group names into the Add Names text field to add users and groups.
To continue the example above, you could create an ACE for the administrator user on the NT client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user.
POSIX ACLs and Windows 2000/XP Clients
The HP CIFS Server A.01.07, and subsequent versions, allow Windows 2000/XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000/XP permissions.
Table 3-4 UNIX Permission Maps Windows 2000/XP Client Permissions
UNIX Permission    Permission Shown on Windows 2000/XP Clients
r-x                Read and Execute: all Read permissions as in the first cell, plus Execute or Traverse Folder
rw-                Read, Write: all Read permissions as in the first cell, plus all Write permissions as in the second cell
rwx                Full Control: Full Control and all permission bits are ticked
---                No b
Setting Permissions from Windows 2000/XP Clients
The following table shows how each Windows 2000/XP client permission is mapped to the UNIX permission when permissions are set from a client:
Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions
Windows 2000/XP                        UNIX Permission
Full Control                           rwx
Write                                  -w-
Modify                                 rwx
Read and Execute                       r-x
Read                                   r--
List Folder / Read Data (Advanced)     r--
Take Ownership (Advanced)              * see explanation following table
* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows 2000/XP clients.
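The translations of Tables 3-2, 3-4 and 3-5 encoded as an added example (not from the HP manual), so the round trip the chapter warns about can be traced in code: a permission chosen on the client is reduced to three UNIX bits (Table 3-5), the server stores only those bits, and the client later displays whatever Table 3-4 or Table 3-2 says those bits mean. Only rows printed in the manual are encoded; a bit pattern with no row in the relevant table comes back as None rather than a guessed name, and the view-only ownership permissions from the Table 3-5 footnote are rejected when a caller tries to set them.

```python
# Table 3-5: permission chosen on a Windows 2000/XP client -> UNIX bits stored.
SET_FROM_WIN2000 = {
    "Full Control": "rwx",
    "Modify": "rwx",
    "Write": "-w-",
    "Read and Execute": "r-x",
    "Read": "r--",
    "List Folder / Read Data": "r--",
}

# Table 3-5 footnote: these reflect ownership and can only be viewed from a client.
VIEW_ONLY = {"Delete", "Change Permissions", "Take Ownership"}

# Table 3-4: UNIX bits -> permission shown on a Windows 2000/XP client.
SHOWN_ON_WIN2000 = {
    "rwx": "Full Control",
    "rw-": "Read, Write",
    "r-x": "Read and Execute",
}

# Table 3-2 rows as printed: UNIX bits -> Windows NT access type.
SHOWN_ON_NT4 = {
    "rwx": "Special Access(RWX)",
    "rw-": "Special Access(RW)",
    "r-x": "Read(RX)",
    "-wx": "Special Access(WX)",
    "r--": "Special Access",
}


def settable(windows_permission):
    """True if a client can set this permission (view-only ones cannot)."""
    return windows_permission in SET_FROM_WIN2000 and windows_permission not in VIEW_ONLY


def set_permission(windows_permission):
    """UNIX bits the server stores when this permission is set from a client."""
    if not settable(windows_permission):
        raise ValueError(f"{windows_permission!r} cannot be set from a Windows client")
    return SET_FROM_WIN2000[windows_permission]


def shown_on_client(unix_bits, client="2000/XP"):
    """Name the client displays for stored bits; None if the manual's table has no row."""
    table = SHOWN_ON_WIN2000 if client == "2000/XP" else SHOWN_ON_NT4
    return table.get(unix_bits)


def round_trip(windows_permission, client="2000/XP"):
    """(what was set, what the server stores, what the client shows afterwards)."""
    bits = set_permission(windows_permission)
    return windows_permission, bits, shown_on_client(bits, client)


def audit_round_trips(client="2000/XP"):
    """Every settable permission whose name differs when read back."""
    return [
        result
        for result in (round_trip(p, client) for p in SET_FROM_WIN2000)
        if result[2] != result[0]
    ]


def to_mode(owner, group, other):
    """Combine owner/group/other rwx triples into the octal mode ls(1) shows."""
    def triple(bits):
        return sum(w for ch, w in zip(bits, (4, 2, 1)) if ch != "-")
    return (triple(owner) << 6) | (triple(group) << 3) | triple(other)


if __name__ == "__main__":
    print(round_trip("Modify"))              # ('Modify', 'rwx', 'Full Control')
    print(round_trip("Full Control", "NT"))  # ('Full Control', 'rwx', 'Special Access(RWX)')
    for perm, bits, shown in audit_round_trips():
        print(f"set {perm!r} -> stored {bits} -> shown as {shown!r}")
    print(oct(to_mode("rwx", "r-x", "r--")))  # 0o754
```

The audit makes the practical point visible: Modify and Full Control collapse to the same three bits, so an administrator cannot distinguish them afterwards, and Write or Read on their own map to bit patterns the manual's display table does not list at all.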
Step 2. Click on the Security tab
Displaying the Owner of a File
Step 1. Click on Advanced
Step 2.
HP CIFS Server Directory ACLs and Windows 2000/XP Clients
Directory ACL Types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.
Step 2. Click on the Security tab
(Figure 3-7: Basic ACL View)
Viewing Advanced ACLs from Windows 2000 Clients
Step 1. Right-click on a file or a directory and select Properties
Step 2.
Step 3. Click on the Advanced button
(Figure 3-8: Advanced ACL View)
Mapping Windows 2000/XP Directory Inheritance Values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
• Subfolders and files only
• Subfolders only
• Files only
When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type.
You must use the Windows Advanced permission screen (Directory-> Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs. This section describes how to modify a directory ACE from the Windows 2000 or XP client:
Step 1. Right-click on a directory and select Properties
Step 2. Click on the Security tab
Step 3. Click on the Advanced button
Step 4.
Step 6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Please refer to “Mapping Table for Inheritance Values to POSIX” for detailed information.
Step 7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat steps 4 through 6 to modify other ACEs.
Step 8.
If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server. To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.
Managing HP-UX File Access Permissions from Windows NT/XP/2000 HP CIFS Server Directory ACLs and Windows 2000/XP Clients In the example 1, if a default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx, The following shows the result of changes for the directory ACEs on the HP CIFS Server: # file:testdir # owner:testuser # owning group:users access:owner:rwx
Managing HP-UX File Access Permissions from Windows NT/XP/2000 HP CIFS Server Directory ACLs and Windows 2000/XP Clients # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:r-x access:other:rwx defualt:owner:rwx default:owning group:r-x default:other:r-Example 2: In the example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are: # file:testdir # owner:testuser # owning group:users # other group:testgroup access:owner:rwx access:owning group
Managing HP-UX File Access Permissions from Windows NT/XP/2000 HP CIFS Server Directory ACLs and Windows 2000/XP Clients # other group:testgroup access:owner:rwx access:owning group:r-x defualt:owner:rwx default:owning group:r-- Adding Directory ACLs From Windows 2000/XP Clients This section describes how to add a directory ACE from the Widnows 2000 or XP client: Step 1. Right-click on a directory and select Properties Step 2. Click on the Security tab Step 3. Click on the Advanced button Step 4.
Managing HP-UX File Access Permissions from Windows NT/XP/2000 HP CIFS Server Directory ACLs and Windows 2000/XP Clients Step 8. You will be taken to the ACE Advanced view screen, click on OK or Apply button to add the new ACE Figure 3-11 Selecting a new ACE user or group IMPORTANT POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.
Managing HP-UX File Access Permissions from Windows NT/XP/2000 HP CIFS Server Directory ACLs and Windows 2000/XP Clients With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same.
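As an added example (the editor's script, not code from the HP guide), the following POSIX shell functions work on directory ACL listings in the getacl-style format this section prints above. fill_missing_defaults reproduces what the text says the server does when the Windows client drops a default ACE: the missing default entry is regenerated from the matching access entry. owner_full_control is the check behind the owner caveat: the owner must have rwx in both the access and the default ACE. The sample listing is constructed for the example, with the default owning group ACE deliberately missing.

```shell
#!/bin/sh
# Constructed sample listing in the format the chapter uses for directory ACLs.
# The default owning-group ACE is deliberately missing, as after a Windows client
# cleared both Allow and Deny on it.
SAMPLE_ACL='# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:other:r--'

# acl_perm LISTING TYPE WHO
# Print the permission triple of one ACE (TYPE is access or default), or "-" if absent.
acl_perm() {
    printf '%s\n' "$1" | awk -F: -v t="$2" -v w="$3" '
        /^#/ { next }
        $1 == t && $2 == w { print $3; found = 1; exit }
        END { if (!found) print "-" }'
}

# fill_missing_defaults LISTING
# For every access ACE without a default counterpart, append a default ACE with the
# same permissions (the regeneration the text describes for a dropped default ACE).
fill_missing_defaults() {
    printf '%s\n' "$1" | awk -F: '
        /^#/            { print; next }
        $1 == "access"  { access[$2] = $3; order[++n] = $2; print; next }
        $1 == "default" { have[$2] = 1; lines[++m] = $0; next }
        END {
            for (i = 1; i <= n; i++) {
                who = order[i]
                if (!(who in have)) lines[++m] = "default:" who ":" access[who]
            }
            for (j = 1; j <= m; j++) print lines[j]
        }'
}

# owner_full_control LISTING
# Succeed only if the owner has rwx in both the access and the default ACE, so that
# editing the ACL from Windows cannot lock the owner out of the directory.
owner_full_control() {
    [ "$(acl_perm "$1" access owner)" = rwx ] &&
    [ "$(acl_perm "$1" default owner)" = rwx ]
}

# report LISTING: print the repaired listing and the result of the owner check.
report() {
    fill_missing_defaults "$1"
    if owner_full_control "$1"; then
        echo "owner check: OK"
    else
        echo "owner check: FAIL (owner must be rwx in access and default ACEs)"
    fi
}

report "$SAMPLE_ACL"
```

The listing parser only understands the TYPE:WHO:PERM lines shown in this chapter; run it on real getacl output only after confirming the output uses the same layout.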
Configuring Samba ACL Support

For HP CIFS Version A.01.07

In non-HP Samba versions, you could only turn Samba's NT ACL support on or off on a server-wide basis. When turned on, UNIX file permission support was enabled for all Samba shares. There was no support for any ACL scheme, including VxFS POSIX ACLs. Instead, you configured the old NT ACL support through the smb.conf parameter nt acl support.

If a Windows client asks to see the ACL of a file on an HFS file system in that share, Samba first attempts the POSIX ACL system call. That call fails with an error indicating that the ACL scheme is not supported on that file; Samba then tries the HFS ACL system call, which succeeds. The user never sees the initial failure.

on the ACL scheme list for that share. Otherwise, Samba makes many system calls for other ACL schemes before it locates the right one. This prioritization will matter even more as Samba supports more ACL types.

For HP CIFS Version A.01.08

With HP CIFS Server version A.01.08, the nt acl support configuration parameter is made a share-level parameter.

In Conclusion

Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows NT/XP/2000 clients. With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can be done from an NT/XP/2000 client, with the exception of the class entry for VxFS POSIX ACLs.
Chapter 4 NT Style Domains

Introduction

This chapter describes how to configure the roles that an HP CIFS Server can play in an NT style domain, whether it is a Samba Domain consisting solely of HP CIFS Servers, or an NT Domain with a Microsoft NT Primary Domain Controller (PDC). Configuration of Member Servers joining an NT style domain, or a Windows 2000/2003 Domain as a pre-Windows 2000 compatible computer, is also described here.

• HP CIFS BDCs may be configured to offload some of the HP CIFS PDC authentication responsibilities and can be promoted to a PDC if the PDC fails or needs to be taken out of service.

Primary Domain Controllers

The Primary Domain Controller (PDC) is responsible for several tasks within the domain.

• HP CIFS Server and MS Windows server can each function as a BDC only for its own type of PDC.
• HP CIFS Server cannot create Security Account Manager (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files held by a BDC.
• A Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.0 BDC with a non-LDAP backend makes keeping the SAM database synchronized difficult; an LDAP backend shared by the PDC and its BDCs avoids the problem. Refer to Table 5.

Configure the HP CIFS Server as a PDC

When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server needs to create machine accounts for Windows clients (member servers). To enable this feature, choose "Primary Domain Controller" when executing samba_setup, then verify the following:
1. The smb.
3. The /var/opt/samba/netlogon subdirectory for the domain logon service exists.

NOTE
security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC.
domain logons: Set this parameter to yes to provide netlogon services.

Configure the HP CIFS Server as a BDC

When configuring the HP CIFS Server to act as a Backup Domain Controller (BDC), you need to configure the relevant domain controller parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows:
• The smb.

HP CIFS does not implement a true SAM database, nor its replication. The HP CIFS implementation of a BDC is very much like a PDC, with one important difference: a BDC is configured like a PDC except that the smb.conf parameter domain master must be set to no.

NOTE
security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
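As an added example (the editor's script, not HP's code), the following POSIX shell script checks an smb.conf against the role rules this chapter gives for the PDC and BDC sections: security = user and encrypt passwords = yes on a domain controller, domain master = yes on the PDC and no on a BDC, domain logons = yes on both, and a [netlogon] share present whenever domain logons are served. Both configurations are constructed for the example; the BDC one contains the mistake the text warns about (domain master left at yes) and also lacks the netlogon share.

```shell
#!/bin/sh
# Constructed smb.conf fragments (not from the guide). PDC_CONF follows the rules in
# this chapter; BDC_CONF wrongly keeps domain master = yes and has no [netlogon] share.
PDC_CONF='[global]
   workgroup = SAMBADOM
   netbios name = HPCIFS1
   security = user
   encrypt passwords = yes
   domain master = yes
   domain logons = yes
[netlogon]
   path = /var/opt/samba/netlogon
   read only = yes'

BDC_CONF='[global]
   workgroup = SAMBADOM
   netbios name = HPCIFS2
   security = user
   encrypt passwords = yes
   domain master = yes
   domain logons = yes'

# smb_param CONF SECTION KEY: print the value of KEY in [SECTION], lower-cased, or nothing.
# Comment lines start with # or ; as in smb.conf; values are trimmed of surrounding blanks.
smb_param() {
    printf '%s\n' "$1" | awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/\[|\]|[ \t]/, "", s); next }
        s == sec && index($0, "=") {
            p = index($0, "=")
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print tolower(v); exit }
        }'
}

# has_share CONF NAME: succeed if a [NAME] section is present.
has_share() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*\[$2\]"
}

# expect_param CONF SECTION KEY EXPECTED: report a mismatch and count it in PROBLEMS.
expect_param() {
    got=$(smb_param "$1" "$2" "$3")
    if [ "$got" != "$4" ]; then
        echo "[$2] $3 = '${got:-<unset>}', expected '$4'"
        PROBLEMS=$((PROBLEMS + 1))
    fi
}

# audit_role CONF ROLE (pdc or bdc): print each problem found; succeed only if none.
audit_role() {
    conf=$1; role=$2; PROBLEMS=0
    expect_param "$conf" global "security" user
    expect_param "$conf" global "encrypt passwords" yes
    expect_param "$conf" global "domain logons" yes
    case $role in
        pdc) expect_param "$conf" global "domain master" yes ;;
        bdc) expect_param "$conf" global "domain master" no ;;
        *)   echo "unknown role '$role'"; PROBLEMS=$((PROBLEMS + 1)) ;;
    esac
    if [ "$(smb_param "$conf" global "domain logons")" = yes ] && ! has_share "$conf" netlogon; then
        echo "domain logons = yes but no [netlogon] share is defined for logon scripts"
        PROBLEMS=$((PROBLEMS + 1))
    fi
    [ "$PROBLEMS" -eq 0 ]
}

echo "PDC:"; if audit_role "$PDC_CONF" pdc; then echo "  OK"; fi
echo "BDC:"; if audit_role "$BDC_CONF" bdc; then echo "  OK"; fi
```

To run it against a live server, replace the constructed strings with `$(cat /etc/opt/samba/smb.conf)`; the parser handles the key = value layout that SWAT writes, but it does not expand include directives or %-macros, so an audit of an included file has to be run on that file separately.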
Domain Member Server

Configure the HP CIFS Server as a Member Server

When configuring the HP CIFS Server to act as a domain member server, you need to configure the relevant domain parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows:
• The smb.

encrypt passwords: If this parameter is set to yes, users are authenticated with encrypted (challenge/response) credentials rather than plain-text passwords.
netbios name: Set this parameter to the NetBIOS name by which the member server is known.

Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain

This section describes the procedures to join an HP CIFS Server to an NT domain, a Windows 2000/2003 domain (as a pre-Windows 2000 computer), or a Samba domain as a member server.

"Create a Machine Trust Account." samba_setup will then perform the "net rpc join -U Administrator%password" command for you. If you run net rpc join yourself, give only -U Administrator and let net prompt for the password: a password passed as part of the command line is visible to other users in the process list while the command runs.

Create the Machine Trust Accounts

A Machine Trust Account for a Windows client (client = member server) on an HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$". For PDCs not using LDAP (the default), machine accounts have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts).

$ /opt/samba/LDAP3/smbldap-tools/smbldap-useradd.

For ldapsam backend:
$ /opt/samba/bin/smbpasswd -a -m client1
An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be:
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logofftime: 2
The /bin/false login shell and the unusable {crypt}x UNIX password keep the machine account from being used for an interactive UNIX login; only the Samba (NT hash) credential of the account is used for the trust.

Configure Domain Users

The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on an HP CIFS Server configured as a PDC.
• If you are a root-level user, create a Domain User in the group named "users" with /sbin/sh as the login shell.

Join a Windows Client to a Samba Domain

1. Verify the following parameters in the smb.conf file: set the security parameter to user, set the workgroup parameter to the name of the domain, and set the encrypt passwords parameter to yes.
[global]
# SAMBA domain name
workgroup = SAMBADOM
security = user
domain logons = yes
encrypt passwords = yes
2.

$ /opt/samba/LDAP/smbldap-tools/smbldap-useradd.

$ smbpasswd -a -m client1
An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be:
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logofftime: 2147483650
kickoffTime: 2147483

6. Enter the Samba domain name in the 'Domain' field, and click on the 'Change' button. Refer to Figure 4-3 below.

Roaming Profiles

The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features:
• A user's environment, preference settings, desktop settings, etc. are stored on the HP CIFS Server.
• Roaming Profiles can be created as a share and be shared between Windows clients.
• When a user logs on to a workstation in the domain, the roaming profile is downloaded from the share on the HP CIFS Server configured as a PDC to the local machine.

Configuring User Logon Scripts

The logon script configuration must meet the following requirements:
• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
• The scripts should have UNIX executable permission set.
• Any logon script should contain only commands that the Windows client recognizes.
• A logon user should have the access permissions needed to execute the logon scripts.
Because every domain client runs these scripts at logon, the [netlogon] share should be read-only for ordinary users and writable only by administrators; a user who can modify a logon script can run commands on every workstation that logs on.

Home Drive Mapping Support

An HP CIFS Server provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.

Inter-Domain Trust Relationships

Trust relationships enable pass-through authentication for users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. HP CIFS Servers support the following trust relationships:
• An HP CIFS PDC Samba Domain may be a trusting, trusted, or bi-directional trust (both trusting and trusted, or "two way") domain with an NT Domain.

Log on as root and execute the following steps on the trusted domain PDC:
Step 1. Add a trust account for the trusting domain to /etc/passwd. Add the domain name followed by "$" using the useradd command as follows (DOMAIN is the name of the trusting domain):
$ useradd DOMAIN$
Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting domain name account.
Step 2.

Trusting a Samba Domain from an NT Domain

Log on as root and execute the following steps on the trusted Samba Domain PDC:
Step 1. Add a trust account for the trusting NT domain to /etc/passwd. Add the domain name followed by "$" using the useradd command as follows (DOMAIN is the name of the trusting NT domain):
$ useradd DOMAIN$
Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting NT domain name account.
Step 2.
Chapter 5 Windows 2000/2003 Domains

This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see "Domain Member Server" on page 85 in Chapter 4, "NT Style Domains".

Join an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server

Step-by-step Procedure

Use the following procedure to join an HP CIFS Server to a Windows 200x domain as an ADS native member server:

NOTE: HP CIFS Server only supports the following Kerberos encryption types:
• DES-CBC-CRC
• DES-CBC-MD5
You must configure one of these encryption types in the /etc/krb5.conf file. Both are single-DES types and are weak by current standards; Windows releases newer than those this guide covers disable DES Kerberos keys by default, so on an upgraded domain DES has to be explicitly allowed for the computer account on the DC side or the join fails with an unsupported-encryption-type error.
Step 1.

# Replace adsdc.myrealm.xyz.com with the fully qualified domain name of your Windows ADS DC.
[libdefa​ults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com:88
        admin_server = adsdc.myrealm.xyz.com
    }
[domain_realm]
    .xyz.com = MYREALM.XYZ.COM
NOTE: :88 is required on the kdc server field.

• You may see the warning message "kinit: KDC has no support for encryption type while getting initial credentials". You must change your Administrator password at least once from the original password set for Administrator when installing your Windows 2000/2003 Domain.
• Other errors are likely to be errors in the /etc/krb5.

NOTE: If an HP CIFS Server is currently joined to the domain as a pre-Windows 2000 member server, first remove the server from the domain before adding it to a Windows domain as an ADS member server.

NOTE
realm: This parameter specifies the name of the ADS Kerberos realm, which is the fully qualified domain name (conventionally in upper case, as in the example). It must be set to the same value as the Kerberos realm in krb5.conf.
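The following added example (the editor's script, not part of the HP guide) validates a krb5.conf of the shape shown above against the requirements this section states: the default realm is set and matches the realm parameter from smb.conf, the ticket and TGS enctypes are limited to the two DES types this release supports, the KDC entry for the realm carries the required :88, and a [domain_realm] mapping to the realm exists. Both configurations are constructed; the second one carries the mistakes the checker is meant to catch (an unsupported enctype, a kdc line without the port, no domain_realm section).

```shell
#!/bin/sh
# Constructed krb5.conf samples (not from the guide). KRB5_GOOD mirrors the layout
# of the example in this chapter; KRB5_BAD lacks the :88 port, has no domain_realm
# mapping and uses an enctype that this HP CIFS release does not support.
KRB5_GOOD='[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2
[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com:88
        admin_server = adsdc.myrealm.xyz.com
    }
[domain_realm]
    .xyz.com = MYREALM.XYZ.COM'

KRB5_BAD='[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
    default_tgs_enctypes = DES-CBC-CRC
[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com
    }'

# krb_pairs CONF SECTION: print "key<TAB>value" for the top-level assignments of a
# section, skipping anything nested inside { } (the per-realm sub-blocks).
krb_pairs() {
    printf '%s\n' "$1" | awk -v sec="$2" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); depth = 0; next }
        /\{/ { depth++; next }
        /\}/ { depth--; next }
        s == sec && depth == 0 && index($0, "=") {
            p = index($0, "=")
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print k "\t" v
        }'
}

# krb_get CONF SECTION KEY: value of one top-level key (empty if absent).
krb_get() {
    krb_pairs "$1" "$2" | awk -F '\t' -v key="$3" '$1 == key { print $2; exit }'
}

# krb_kdc CONF REALM: the kdc value inside the REALM sub-block of [realms].
krb_kdc() {
    printf '%s\n' "$1" | awk -v realm="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/\[|\]|[ \t]/, "", s); inblk = 0; next }
        s == "realms" && /\{/ { r = $0; sub(/[ \t]*=.*/, "", r); gsub(/[ \t]/, "", r)
                                 inblk = (r == realm); next }
        /\}/ { inblk = 0; next }
        inblk && $1 == "kdc" { print $3; exit }'
}

# audit_krb5 CONF SMB_REALM: print every problem found; succeed only if there is none.
audit_krb5() {
    conf=$1; smb_realm=$2; n=0
    realm=$(krb_get "$conf" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "default_realm is not set"; n=$((n + 1))
    elif [ "$realm" != "$smb_realm" ]; then
        echo "default_realm $realm differs from the smb.conf realm $smb_realm"; n=$((n + 1))
    fi
    for key in default_tkt_enctypes default_tgs_enctypes; do
        for et in $(krb_get "$conf" libdefaults "$key" | tr 'A-Z' 'a-z'); do
            case $et in
                des-cbc-crc|des-cbc-md5) ;;
                *) echo "$key: $et is not an encryption type this release supports"; n=$((n + 1)) ;;
            esac
        done
    done
    kdc=$(krb_kdc "$conf" "$realm")
    case $kdc in
        "")   echo "no kdc entry for realm $realm"; n=$((n + 1)) ;;
        *:88) ;;
        *)    echo "kdc entry '$kdc' lacks the required :88"; n=$((n + 1)) ;;
    esac
    if ! krb_pairs "$conf" domain_realm | awk -F '\t' -v r="$realm" '$2 == r { f = 1 } END { exit !f }'; then
        echo "no [domain_realm] mapping points at $realm"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

if audit_krb5 "$KRB5_GOOD" MYREALM.XYZ.COM; then echo "KRB5_GOOD: OK"; fi
audit_krb5 "$KRB5_BAD" MYREALM.XYZ.COM || echo "KRB5_BAD: problems found"
```

On a real system, pass `$(cat /etc/krb5.conf)` and the realm value from smb.conf; a mismatch between the two is the most common cause of the kinit and join errors listed above.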
Chapter 6 LDAP Integration Support

This chapter describes the HP CIFS Server with LDAP integration. It includes the benefits of LDAP and procedures to install, configure and verify the HP Netscape Directory Server, the HP LDAP-UX Integration product and the HP CIFS Server software.

• "Overview" on page 111
• "Network Environments" on page 113
• "Summary of Installing and Configuring" on page 118
• "Installing and Configuring Your Netscape Directory Server" on page 119
• "Installing LDAP-UX Client Services on an HP CIFS Server" on page 121
• "Configuring the LDAP-UX Client Services" on page 122
• "Enabling Secure Sockets Layer (SSL)" on page 127
• "Migrating Your data to the Netscape Directory" on page 130
• "Extending Samba subschema int

Overview

Lightweight Directory Access Protocol (LDAP) provides a framework for the development of a centralized management infrastructure. LDAP supports directory-enabled computing by consolidating applications, services, user accounts, Windows account and configuration information into a central LDAP directory. Samba customer sites with large numbers of users and servers may want to integrate the HP CIFS Server with LDAP support.

You can configure the ldap ssl parameter in the smb.conf file to enable Secure Sockets Layer (SSL) support. With SSL, the HP CIFS Server connects to an SSL-enabled LDAP directory so that the bind credentials and the password attributes it reads are protected on the network, ensuring confidentiality and data integrity between CIFS servers and the SSL-enabled LDAP directory server. Without SSL, the directory manager password in the bind and the password hashes the directory returns cross the network in clear text. You can set passdb backend = ldapsam:ldaps:// to enable SSL support.

Network Environments

The HP CIFS Server supports many different network environments. Features such as WINS, browser control, domain logons, roaming profiles, and many others continue to be available to support a diverse range of network environments. LDAP integration provides one more alternative for Samba user authentication.

CIFS Server Acting as Backup Domain Controller (BDC)

Since BDCs are also responsible for Windows authentication, HP CIFS Servers configured as BDCs can access the LDAP directory for user authentication. BDC configuration is very similar to PDC configuration, with the exception that you set both master browser and domain master to no.

UNIX User Authentication - /etc/passwd, NIS Migration

HP UNIX user authentication is required in addition to Samba (Windows) user authentication for HP CIFS Server logon. You can consolidate Samba and UNIX users into a single LDAP directory server database. However, the /etc/passwd file or NIS database files can continue to be used for UNIX users if desired.

CIFS Authentication with LDAP Integration

With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication.

5. The CIFS Server receives the data attributes, including the password information, from the LDAP directory server. If the password and challenge information match the information in the client response packet, Samba user authentication succeeds. The password information is the stored NT hash, which on its own is enough to answer the challenge, so read access to the password attributes in the directory must be limited to the account the CIFS server binds as.
6. If the Samba user is authenticated and is successfully mapped to a valid POSIX user, the CIFS Server returns a user token session ID to the Windows PC client.

Summary of Installing and Configuring

The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with LDAP support:
• Install the Netscape Directory Server, if not already installed. See "Installing the Netscape Directory Server" on page 119.
• Configure the Netscape Directory Server, if not already configured. See "Configuring the Netscape Directory Server" on page 119.

Installing and Configuring Your Netscape Directory Server

This section describes how to set up and configure your Netscape Directory Server to work with LDAP-UX Client Services and the HP CIFS Server. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for more information on directory configuration.

Step 2. Enter the host name of the Netscape Directory Server where you want to store your user data.
Step 3. Enter the port number of the previously specified directory server. The default port number is 389.
Step 4. Enter the Distinguished Name (DN) and password of the administrator. This user has operator permissions. For example, you can enter "admin" as the administrator DN.
Step 5. Enter the base DN.

Installing LDAP-UX Client Services on an HP CIFS Server

Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on an HP CIFS Server. See the LDAP-UX Client Services B.03.20 Release Notes for more details on the installation procedure. The LDAP-UX Client Services software is available at http://www.software.hp.com. You must install the LDAP-UX Client Services version B.03.

Configuring the LDAP-UX Client Services

You need to configure the LDAP-UX Client Services if they are not already configured. This section describes the major steps to configure LDAP-UX Client Services with the Netscape Directory Server 6.02 or a later version. For detailed information on how to configure the LDAP-UX Client Services, see the "Configure the LDAP-UX Client Services" section of LDAP-UX Client Services B.03.

Quick Configuration

You can quickly configure the LDAP-UX Client Services by selecting the default value for most of the configuration parameters, as follows:
Step 1. To be consistent with the Samba organizational unit defaults, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group container under the $RFC2307BIS structure from ou=Group to ou=Groups.
Step 2.

Step 7. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile,dc=cup,dc=hp,dc=com, then the base entry dc=cup,dc=hp,dc=com (cup.hp.com) must exist in the directory or setup will fail.

Table 6-1 shows the configuration parameters and the default values they will be configured with.

$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
  "(objectclass=*)" | grep -i posix
Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:
objectClasses: ( 1.3.6.1.1.1.2.

Enabling Secure Sockets Layer (SSL)

The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL-enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Netscape Directory Server and on the LDAP-UX clients. When you have enabled SSL on the LDAP server and clients, you can configure the HP CIFS Server to use SSL.

For detailed instructions on how to configure the administration server to connect to an SSL-enabled directory server, see Managing Servers with Netscape Console, available at http://docs.hp.com.

Configuring the LDAP-UX Client to Use SSL

If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX Client and configure the LDAP-UX Client to enable SSL. The installed CA certificate is what lets the client verify that it is talking to the real directory server rather than to a host impersonating it, so install only the CA that issued the directory server's certificate.

subsection of the "Installing LDAP-UX Client Services" chapter in LDAP-UX Client Services B.03.20 Administrator's Guide at http://docs.hp.com.

Migrating Your data to the Netscape Directory

HP recommends that all UNIX user accounts, whether in the /etc/passwd file or in NIS database files, are migrated to the Netscape Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.

NOTE: Before you run the migration scripts, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group container under the $RFC2307BIS structure from ou=Group to ou=Groups, so that it matches the Samba organizational unit defaults.

An Example

The following example shows the necessary steps to import your data into the LDAP directory using the migration script migrate_all_online.sh:
Step 1.

Migrating Individual Files

The following perl scripts migrate each of your source files in the /etc directory to LDIF. These scripts are called by the shell scripts described in the section "Migrating All Your Files" on page 130. The perl scripts read the input source file and output LDIF.

Table 6-2 Migration Scripts (Continued)
Script Name            Description
migrate_group.pl       Migrates groups in the /etc/group file.
migrate_hosts.pl (a)   Migrates hosts in the /etc/hosts file.
migrate_networks.pl    Migrates networks in the /etc/networks file.
migrate_passwd.pl (b)  Migrates users in the /etc/passwd file.
migrate_protocols.pl   Migrates protocols in the /etc/protocols file.
migrate_rpc.

b. Netgroup - The NIS optimization maps 'byuser' and 'byhost' are not used.
   - Each triple is stored as a single string.
   - Each triple must be enclosed in parentheses. For example, "(machine, user, domain)" is a valid triple, while "machine, user, domain" is not.
c. When migrating services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports.
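As an added example (the editor's shell functions, not HP's migration scripts), the block below shows the two transformations this section describes: turning /etc/passwd lines into posixAccount LDIF under ou=People, the way migrate_passwd.pl does (the attribute layout follows RFC 2307; the exact object classes HP's script emits are an assumption and may differ), and checking that netgroup members are the parenthesized triples that footnote b requires, tolerating the blanks after commas that the footnote's own example uses. The passwd and netgroup lines are constructed and do not describe real accounts.

```shell
#!/bin/sh
# passwd_to_ldif BASE_DN  < passwd-format lines
# Emit one posixAccount entry per user under ou=People,BASE_DN. The object classes
# follow RFC 2307 (an assumption; migrate_passwd.pl may add others). Locked accounts
# ("*" or "x" in the password field) get no userPassword attribute.
passwd_to_ldif() {
    awk -F: -v base="$1" '
        NF >= 7 && $1 != "" && $1 !~ /^#/ {
            printf "dn: uid=%s,ou=People,%s\n", $1, base
            print "objectClass: top"
            print "objectClass: account"
            print "objectClass: posixAccount"
            print "uid: " $1
            print "cn: " ($5 == "" ? $1 : $5)
            print "uidNumber: " $3
            print "gidNumber: " $4
            print "homeDirectory: " $6
            print "loginShell: " $7
            if ($2 != "" && $2 != "x" && $2 != "*") print "userPassword: {crypt}" $2
            print ""
        }'
}

# check_netgroup_triples  < netgroup-format lines
# Each member after the group name must be a parenthesized (host,user,domain) triple
# or the name of another netgroup; a bare "host, user, domain" is reported. Blanks
# after commas inside a triple are tolerated, as in the guide's "(machine, user, domain)".
check_netgroup_triples() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            gsub(/,[ \t]+/, ",")           # "(a, b, c)" -> "(a,b,c)" so fields split on blanks
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\([^(),]*,[^(),]*,[^(),]*\)$/) continue
                if ($i ~ /^[A-Za-z0-9_.-]+$/) continue
                printf "%s: bad member %s\n", $1, $i
                bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed input (not real accounts).
PASSWD_LINES='johnl:abCD12xyz:200:100:John L:/home/johnl:/bin/sh
daemon:*:1:5::/:/sbin/sh'
NETGROUP_LINES='trusted (hpbox, johnl, cup.hp.com) (hpbox2,,cup.hp.com) othergroup
broken hpbox, johnl, cup.hp.com'

printf '%s\n' "$PASSWD_LINES" | passwd_to_ldif "dc=cup,dc=hp,dc=com"
printf '%s\n' "$NETGROUP_LINES" | check_netgroup_triples || echo "netgroup check: problems found"
```

The userPassword values carry the UNIX crypt hashes from /etc/passwd, which is why the migration should run over an SSL-protected connection and why the resulting entries need the same read restrictions in the directory that /etc/passwd had on the host.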
Extending Samba subschema into Your Directory Server

You now need to extend the Netscape Directory Server schema with the sambaSamAccount subschema shipped with the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services, and migrated your data to the LDAP directory, before extending the schema. The sambaSamAccount subschema file is /opt/samba/LDAP/98samba.

Step 3. Use the following ldapsearch command to verify that you have updated the schema in the Netscape Directory Server with the sambaSamAccount subschema:
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
  "(objectclass=*)" | grep -i samb
Ensure that the output lists the sambaSamAccount objectclass when you run the ldapsearch command. The output is shown as follows:
objectClasses: ( 1.3.6.1.4.1.7165.2.2.

Configuring the HP CIFS Server

You must set up and configure your HP CIFS Server to enable the LDAP feature support.

LDAP Configuration Parameters

The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under the global parameters.

Table 6-3 Global Parameters (Continued)
Parameter          Description
ldap group suffix  Specifies the base of the directory tree where you want to add group information. If you do not specify this parameter, HP CIFS Server uses the value of ldap suffix instead. For example, ldap group suffix = "ou=Groups".
ldap filter        Specifies the RFC 2254 compliant LDAP search filter.

Configuring LDAP Feature Support

After installing the HP CIFS Server, the existing configuration continues to operate as currently configured. To enable LDAP support, you must configure the relevant LDAP configuration parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor.

NOTE: HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server.

Installing your Samba Users in the Directory

This section describes how to install and verify your Samba users in your LDAP directory.

Adding Credentials

When you use the HP CIFS Server with LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.
Because that store holds the directory manager password, keep it readable by root only.

Syntax
ldapsearch [option]
Option
-b search/insert base
-s search scope
-D directory login
-w password of the directory manager

Example
The following example uses the ldapsearch utility to check that the user entry johnl contains the sambaSamAccount objectclass:
$ /opt/ldapux/bin/ldapsearch -b "dc=cup,dc=hp,dc=com" -s sub \
  -D "cn=Directory Manager" -w dmpasswd "uid=johnl"
Note that -w places the directory manager password on the command line, where other users can see it in the process list while ldapsearch runs; read it from a file or enter it interactively where your ldapsearch supports that. The output is shown as follows:
dn: uid=johnl,ou=People
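As an added example (the editor's script, not from the HP guide), the functions below audit LDIF in the form ldapsearch returns it and the machine and user entries earlier in this guide use: every machine trust account (uid ending in $) must carry sambaSamAccount and a login shell of /bin/false, and every user who is meant to log on over SMB must carry sambaSamAccount as well as posixAccount, which is the check the ldapsearch example above performs by hand for johnl. The entries are constructed; two of them are deliberately wrong.

```shell
#!/bin/sh
# Constructed ldapsearch output (not from the guide). client1$ and johnl are correct;
# maryk has no sambaSamAccount class and badhost$ has an interactive login shell.
LDIF_SAMPLE='dn: uid=client1$,ou=People,dc=cup,dc=hp,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x

dn: uid=johnl,ou=People,dc=cup,dc=hp,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
cn: johnl
uid: johnl
uidNumber: 200
gidNumber: 100
homeDirectory: /home/johnl
loginShell: /bin/sh

dn: uid=maryk,ou=People,dc=cup,dc=hp,dc=com
objectClass: posixAccount
cn: maryk
uid: maryk
uidNumber: 201
gidNumber: 100
homeDirectory: /home/maryk
loginShell: /bin/sh

dn: uid=badhost$,ou=People,dc=cup,dc=hp,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
cn: badhost$
uid: badhost$
uidNumber: 1003
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/sh'

# ldif_attr LDIF UID ATTR: print the values of ATTR for the entry whose uid is UID.
# Entries are blank-line separated (awk paragraph mode); "attr: value" lines only,
# no base64 (::) or continuation lines, which is enough for these account entries.
ldif_attr() {
    printf '%s\n' "$1" | awk -v want="$2" -v attr="$3" '
        BEGIN { RS = ""; FS = "\n" }
        {
            uid = ""; out = ""
            for (i = 1; i <= NF; i++) {
                p = index($i, ": "); if (p == 0) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 2)
                if (k == "uid") uid = v
                if (k == attr) out = out (out == "" ? "" : "\n") v
            }
            if (uid == want) { print out; exit }
        }'
}

# ldif_audit LDIF: one line per problem; exit status is non-zero if any was found.
ldif_audit() {
    printf '%s\n' "$1" | awk '
        BEGIN { RS = ""; FS = "\n" }
        {
            uid = ""; shell = ""; split("", oc)
            for (i = 1; i <= NF; i++) {
                p = index($i, ": "); if (p == 0) continue
                k = substr($i, 1, p - 1); v = substr($i, p + 2)
                if (k == "uid") uid = v
                else if (k == "loginShell") shell = v
                else if (k == "objectClass") oc[v] = 1
            }
            if (uid == "") next
            if (!("posixAccount" in oc))    { print uid ": missing posixAccount (no UNIX identity)"; bad++ }
            if (!("sambaSamAccount" in oc)) { print uid ": missing sambaSamAccount (Samba logon will fail)"; bad++ }
            if (uid ~ /\$$/ && shell != "/bin/false")
                { print uid ": machine trust account has login shell " shell ", expected /bin/false"; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

ldif_audit "$LDIF_SAMPLE" || echo "LDIF audit: problems found"
```

To audit a live directory, feed it the output of an ldapsearch over ou=People with the -D and -w options shown above; the search must be run as an identity allowed to read objectClass and loginShell, but it does not need to read the password attributes.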
LDAP Integration Support LDAP management Tools LDAP management Tools The HP CIFS Server provides LDAP management tools for you to maintain users, groups and passwords in the Netscape Directory Server. To use perl scripts, perl on HP-UX 11i (PA-RISC) and HP-UX 11i (IA) version 5.6.1.E or greater is required. A free download software is available at http://software.hp.com.
LDAP Integration Support LDAP management Tools Syntax Run the following command to show help messages: $ net help Pdbedit Pdbedit can be used for user management with LDAP directories. Note also that pdbedit can help to migrate from one passdb backend to another including moving from smbpasswd to ldapsam.
LDAP Integration Support LDAP management Tools smbldap-usermod.pl modifies a user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used) smbldap-usershow.pl views a user data (objectclass: posixAccount, sambaAccont or both depending on the tool option used) smbldap-passwd.pl adds or modifies the samba password, posix password, or both smbldap-migrate-accounts.pl migrates user accounts from the existing smbpasswd file to the LDAP directory. smbldap-migrate-groups.
LDAP Integration Support LDAP management Tools Name (DN), directory manager name and password. First start the samba daemon if it is not already running with startsmb. Set the environment variables throughout your configuration file to appropriate values for your environment, including $SID. The current SID default is SID=’S-1-5-21-3516781642-1962875130-3438800523’. You need to execute the net rpc getsid command and obtain the appropriate SID.
The smbldap-groupadd.pl Tool
You can use this tool to add a new group entry with the posixGroup objectclass to your Netscape Directory Server.

Syntax
  smbldap-groupadd.
  -?  shows help messages
  groupname  Specify the name of the group. The group data entry will be deleted from the LDAP directory.

An Example
The following commands delete the group named "group1" from the Netscape Directory Server:

  cd /opt/samba/LDAP3/smbldap-tools
  ./smbldap-groupdel.pl group1

The smbldap-groupshow.pl Tool
You can use this tool to view a group entry with the posixGroup information in the Netscape Directory Server.

Syntax
  smbldap-groupshow.
NOTE  If you specify the tool option -a or -W, the sambaAccount information can be added to the LDAP directory in addition to the posixAccount information. Without the -a or -W option, only posixAccount information is added.

Syntax
  smbldap-useradd.pl [options] username

where options can be any of the following:

  -a  specifies a Windows user. With this option, both posixAccount and sambaAccount will be added to the LDAP directory.
  -C  specifies the SMB home share, such as \\PDC-SRC\homes
  -D  specifies the home drive letter associated with the home share, such as H:
  -E  specifies the script path (DOS script to execute on login)
  -F  specifies the profile directory
  -H  specifies the Samba account control bits
  -N  specifies the canonical name
  -S  specifies the surname
  -?  shows help messages
  username  Specify the name of the new user.
smbldap-usermod.
The following commands modify the user named "johnl" to have the user id "200" in the Netscape Directory Server:

  cd /opt/samba/LDAP3/smbldap-tools
  ./smbldap-usermod.pl -u 200 johnl

The smbldap-userdel.pl Tool
You can use the smbldap-userdel.pl tool to delete a user entry in the Netscape Directory Server. This tool deletes both posixAccount and sambaAccount information from the LDAP directory.

Syntax
  smbldap-userdel.
  -?  shows help messages
  username  Specify the name of the user entry.

An Example
The following commands show the user entry data of the user "johnl" in the Netscape Directory Server:

  cd /opt/samba/LDAP3/smbldap-tools
  ./smbldap-usershow.pl johnl

The smbldap-migrate-accounts.pl Tool
You can use the smbldap-migrate-accounts.pl tool to migrate the user account information in the smbpasswd file to the Netscape Directory Server.

Syntax
  smbldap-migrate-accounts.
  cd /opt/samba/LDAP3/smbldap-tools
  ./smbldap-migrate-accounts.pl -a

The smbldap-migrate-groups.pl Tool
You can use the smbldap-migrate-groups.pl tool to migrate the Windows NT group information to the Netscape Directory Server.

Syntax
  smbldap-migrate-groups.
Upgrading LDAP from HP CIFS Server A.01.* to A.02.*

When upgrading an existing HP CIFS Server version A.01.* LDAP configuration to version A.02.*, make the following changes to your smb.conf configuration file:
• Set passdb backend = ldapsam_compat://ldaps:<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL.
• Optionally, remove the obsolete parameter ldap enable.
  $ /opt/ldapux/bin/ldapsearch -h  -p 389 -l \
      -b  -s sub "objectClass=sambaAccount" > \
      output file

For example, the following command finds the entries with the sambaAccount objectclass in the Netscape Directory Server hostA.cup.hp.com and saves the output to the /tmp/old.ldif file:

  $ /opt/ldapux/bin/ldapsearch -h hostA.cup.hp.
  $ /opt/ldapux/bin/ldapmodify -c -h hostA.cup.hp.com -D "cn=Directory Manager" -w  -f /tmp/mod.ldif

Step 7. Change your ldap filter smb.conf parameter to ldap filter = (uid=%u). Since (uid=%u) is the default, you might simply remove the ldap filter entry.

Step 8. Change your passdb backend smb.
Limitations with the LDAP Feature Support

HP only supports the HP CIFS Server with LDAP integration that works with the HP LDAP-UX Integration product, J4269AA, and the HP Netscape Directory Server, J4258CA.
7 Winbind Support

This chapter describes how to set up and configure the HP CIFS Server with winbind support.
• "Configuring HP CIFS Server with Winbind" on page 163
Overview

UNIX and Microsoft Windows NT have different models for representing user and group information and use different technologies to implement them. Winbind is a component of the Samba suite of programs that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind uses a UNIX implementation and the Name Service Switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on an HP-UX system.
How Winbind works

Winbind works by using the winbind daemon (/opt/samba/bin/winbindd), which communicates with a Windows Domain Controller, the name services provided by the Name Service Switch (NSS), and configuration options in the smb.conf file. With winbind support, you need to set up the NSS configuration file, /etc/nsswitch.conf, to enable an HP-UX system to look up UID and GID mappings for users and groups that reside exclusively in the Windows domain.
Configuring HP CIFS Server with Winbind

You must set up and configure your HP CIFS Server to use the winbind feature support.

Winbind Configuration Parameters
The following is the list of new global parameters used to control the behavior of winbind. These parameters are set in the /etc/opt/samba/smb.conf file under the [global] section. Any global setting defined here is used by the HP CIFS Server with winbind support.

Table 7-1 Global Parameters
Table 7-1 Global Parameters (Continued)

Parameter                      Description
winbind cache time             Specifies the number of seconds the winbindd daemon caches user and group information before querying a Windows NT server again. By default, this parameter is set to 300.
winbind enable local accounts  Controls whether or not winbindd acts as a stand-in replacement for the various account management hooks in smb.conf (e.g. 'add user script').
  idmap gid = 1500-2500
  winbind enum users = yes
  winbind enum groups = yes
  winbind cache time = 10
  winbind enable local accounts = no
  winbind use default domain = no
  idmap backend = ldap:ldap://ldaphost1.hp.
  publickey: files
  netgroup:  files
  rpc:       files

In the above example, where you configure the winbind service for the passwd and group service types, NSS first checks the files, /etc/passwd and /etc/group, and then winbind. Refer to switch(4) and "Configuring the Name Service Switch" in the NFS Services Administrator's Guide at http://docs.hp.com/hpux/netcom/ for detailed information on how to configure NSS.
When you run the ll -n command, the UID, 1002, and GID, 1505, are displayed in the output. Both the UID and the GID are in the range of values specified in the smb.conf file for winbind to use.

Starting and Stopping Winbind
This section describes how to start or stop the HP CIFS Server with winbind support.
8 Updating HP CIFS Server A.01 to A.02

HP CIFS Server A.02.* provides support for A.01.* features and, in most cases, requires minimal or no configuration changes to update.
There are many differences between HP CIFS Server A.01.* versions, which are based on Samba 2.2, and HP CIFS Server A.02.* versions, which are based on Samba 3.0. HP CIFS Server A.02.* versions provide many additional features, which can be deployed to simplify management of large networks. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS-enabled networks.
Documentation

HP CIFS Server A.02.* versions provide the following documents, which are not provided with A.01.* versions:
• Samba book, The Official Samba HOWTO and Reference Guide
• Samba book, Samba 3 by Example
• Updated help text on configuration parameters, utilities, and tools
• HP CIFS Server Administrator's Guide updates reflecting A.02.* features and differences from A.01.*
HP CIFS Server A.02.* Added Features

Beginning with HP CIFS Server version A.02.01, many new features are available. The following describes these new features:
• Active Directory Server support: HP CIFS Server can join an ADS realm as a member server and authenticate users using LDAP with Kerberos security. See Chapter 5, "Windows 2000/2003 Domains," on page 103 before joining a Windows 200x domain.
Parameters Changes in smb.conf

Table 8-1 describes the new parameters and the removed parameters in the smb.conf file for HP CIFS Server A.02.01.
Table 8-1 Parameters Changes in smb.
Behavior Differences Between HP CIFS Server A.01.* and A.02.*

Many known changes in behavior between HP CIFS Server A.01.*, based on Samba 2.2, and HP CIFS Server A.02.*, based on Samba 3.0, might affect your HP CIFS Server operation. This section describes the significant behavior changes in HP CIFS Server A.02.*. For additional changes and details, refer to /opt/samba/SAMBA_WHATSNEW.txt.
that must be specified for this purpose. A.02.* does not fall back to the add user script option in the absence of an add machine script option.
• The join domain command: In A.02.*, the "smbpasswd -j domain_name -r PDC_hostname -U administrator%passwd" command used to join a domain has been replaced by net commands.
Updating HP CIFS Server A.01.* to A.02.*

The installation and configuration procedures in Chapter 2, "Installing and Configuring the HP CIFS Server" apply to HP CIFS Server A.02.* versions as well as to A.01.* versions. However, you must consider the following additional concerns and apply these procedures when updating from an A.01.* version to an A.02.* version of HP CIFS Server:
• HP CIFS Server A.02.
— ldapsam_compat: the HP CIFS Server A.01.* backward-compatible LDAP account backend.
You might also specify a combination of passdb backends, giving alternative backends. For example, the following sets the working sequence of authentication methods to the order of the smb.conf keywords:

  passdb backend = smbpasswd tdbsam ldapsam ldapsam_compat

• Update A.01.
9 HP CIFS Deployment Models

This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference.
• "Introduction" on page 183
• "Samba Domain Model" on page 184
• "Windows Domain Model" on page 198
• "Unified Domain Model" on page 209
Introduction

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS Server interoperates with Windows NT, Windows 200x, Advanced Server, and other CIFS servers and clients. This chapter provides a reference for three deployment models: Samba Domain Model, Windows Domain Model, and Unified Domain Model.
Samba Domain Model

You can use the Samba Domain Deployment Model in environments with the following characteristics:
• A domain consisting of HP CIFS Servers and no Windows domain controllers.
• Support for any number of UNIX servers that provide file and print services for corresponding numbers of users.
• An HP CIFS Server is configured as a Primary Domain Controller (PDC). One or more HP CIFS Servers act as Backup Domain Controllers (BDCs).
Figure 9-1 shows a standalone HP CIFS Server as a PDC with the local password database:

Figure 9-1 Standalone HP CIFS Server as a PDC (diagram: HP CIFS PDC; Windows and UNIX users; password backend: smbpasswd, tdbsam)
Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:

Figure 9-2 Standalone HP CIFS Server as a PDC with NDS backend (diagram: HP CIFS PDC; NDS LDAP Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat)
Figure 9-3 shows multiple HP CIFS Servers using the Netscape Directory Server as an LDAP backend:

Figure 9-3 Multiple HP CIFS Servers with NDS backend (diagram: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat)
Figure 9-4 shows the Samba Domain Model:

Figure 9-4 Samba Domain (diagram: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat)

The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller (PDC), and one or more HP CIFS Servers acting as Backup Domain Controllers (BDCs).
Samba Domain Components
As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See Chapter 6, "LDAP Integration Support," on page 109 for detailed information on how to set up LDAP. WINS is used for multi-subnet environments.
and Windows user accounts in the LDAP directory. The LDAP database can replace /etc/passwd and smbpasswd, and the PDC can access the LDAP directory for Windows authentication.

HP CIFS Server Acting as a BDC
The configuration of BDCs is similar to that of the PDC. This enables BDCs to carry much of the network logon processing. A BDC on a local segment handles logon requests and authenticates users when the PDC is busy on the local network.
the password server parameter to the name of the PDC, and may also add the names of one or more BDCs. Set the domain master parameter to no to let the PDC take control. As with the PDC and BDC, you set the passdb backend parameter to the name of the LDAP server to centralize POSIX and Windows account database management.
An example of the Samba Domain Model
Figure 9-5 shows an example of the Samba Domain Model, which has HP CIFS Server machine hpntc3w with IP address 15.13.115.226 acting as a PDC and WINS server, HP CIFS Server machine hpntc05 with IP address 15.13.117.248 acting as a BDC, and Netscape Directory Server machine hptem128.

Figure 9-5 An example of the Samba Domain Model (diagram: HP CIFS PDC and WINS Server "hpntc3w", IP address "15.13.115.
  ######################################
  #
  # Samba config file created using SWAT
  # from 15.13.129.217
  #
  # Global Parameters
  [global]
  workgroup = SAMBA30_DOMAIN
  # Domain Name
  server string = Samba Server HPNTC3W PDC
  passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
  log level = 0
  security = user
  syslog = 0
  log file = /var/opt/samba/log.
choose to use the A.01.* backward-compatible LDAP account backend, set passdb backend = ldapsam_compat://ldaps:<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL support.

Configuration Options
• domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC.
• domain logons: Set this parameter to yes to provide netlogon services.
  local master = No
  domain master = No
  wins server = 15.13.115.
The following is a sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hpntcl27 acting as a domain member server in the sample Samba Domain Model shown in Figure 9-5:

  ######################################
  #
  # Samba config file created using SWAT
  # from 15.13.129.
• security: When the HP CIFS Server joins a domain as a member, you must set this parameter to domain.
• wins server: If you want to use the PDC as the WINS server, set this parameter to the PDC's machine name.
• password server: This parameter defines the NetBIOS names of the PDC and BDC machines that perform the user name authentication and validation.

A Sample /etc/nsswitch.
Windows Domain Model

You can use the Windows Domain Model in environments with the following characteristics:
• Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled) are deployed.
• Support for any number of HP CIFS Servers that provide file and print services for corresponding numbers of users. HP-UX LDAP Integration Client software is required for ADS domain member servers.
Figure 9-6 shows the Windows Domain Deployment Model:

Figure 9-6 Windows Domain (diagram: Windows NT or Windows ADS/PDC; Windows NT BDC; windows users; HP CIFS Member Server with ldap-ux client, winbind daemon, libnss_winbind, idmap.tdb and idmap backend = ldap; LDAP winbind idmaps)

In the Windows Domain Model, HP CIFS Server can join a Windows domain as a member server with Windows NT or Windows 200x domain controllers.
which can be used to avoid explicitly allocating POSIX users and groups for the mapping of Windows users and groups. Winbind provides UID and GID generation and mapping for Windows users. Set the smb.conf parameters idmap uid = and idmap gid = . See Chapter 7, "Winbind Support," on page 159 for detailed information on winbind.
An Example of the ADS Domain Model
Figure 9-7 shows an example of the Windows 2000/2003 ADS Domain Model, which has the realm named HPCIF23DOM.CUP.HP.COM, an ADS domain controller machine hpcif23, an HP CIFS Server machine hpcif54 acting as a native member server and the Netscape Directory Server system hptem128.

Figure 9-7 An example of the ADS Domain Model (diagram: Windows ADS/DC "hpcif23"; NDS LDAP "hptem128"; Realm: HPCIF23DOM. .CUP.HP.
  [global]
  workgroup = hpcif23_dom
  # Domain Name
  server string = CIFS Server as a domain member of hpcif23_dom
  realm = HPCIF23DOM.CUP.HP.COM
  security = ADS
  netbios name = hpcif54
  encrypt passwords = yes
  password server = *
  passdb backend = smbpasswd
  log level = 0
  syslog = 0
  log file = /var/opt/samba/log.
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U
  template shell = /bin/false
  #
  [homes]
  comment = Home Directory
  browseable = no
  writable = yes
  valid users = %D\%S
  create mode = 0664
  directory mode = 0775
  [locshare]
  path = /tmp
  read only = no
  browseable = yes
  writable = yes
  [nfsshare]
  path = /mount/tmp
  read only = no
  browseable = yes
  writable = yes
  [dfsshare]
  path = /dfsroot
  read only =
A Sample /etc/krb5.conf File
On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is a sample /etc/krb5.conf used in the sample ADS Domain Model shown in Figure 9-7:

  # Kerberos Configuration
  #
  # This krb5.conf file is intended as an example only.
A Sample /etc/nsswitch.conf File
In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and the other name services that you want to use. The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:

  # /etc/nsswitch.conf
  #
  # This sample file uses Lightweight Directory Access
  # Protocol (LDAP) in conjunction with dns and files.
An Example of the Windows NT Domain Model
Figure 9-8 shows an example of the Windows NT Domain Model, which has a Windows NT server named hpcif43 as a PDC and an HP CIFS Server machine hpcif61 acting as a domain member server. The ID maps are saved in the local file, idmap.tdb.

Figure 9-8 An example of the Windows NT Domain Model (diagram: Windows NT Server/PDC "hpcif43"; windows users; HP CIFS Member Server "hpcif61" with winbind daemon, libnss_winbind, idmap.
  [global]
  workgroup = hpcif23_dom
  # Domain Name
  server string = CIFS Server as a member of NT domain
  netbios name = hpcif61
  # For NT specific option
  workgroup = hpcif43_dom
  security = domain
  encrypt passwords = yes
  passdb backend = smbpasswd
  password server = hpcif43.cup.hp.com
  log level = 0
  log file = /var/opt/samba/log.
  printer admin = root, admuser
  create mask = 0600
  guest ok = Yes
  use client driver = Yes
  [lj810002]
  path = /tmp
  printable = yes
  print command = /usr/bin/lp -d%p %s; /usr/bin/rm %s
  [locshare1]
  comment = Local file system service1 for read only
  path = /tmp
  admin users = admuser
  read only = Yes
  [locshare2]
  comment = Local file system service2 for writable
  path = /tmp
  admin users = admuser
  read only = No
  [nfsshare]
  comment = Remote NFS service
  path = /mount/public
  r
Unified Domain Model

You can use the Unified Domain Deployment Model in environments with the following characteristics:
• A domain consisting of Windows 200x servers.
• The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for UNIX (SFU). NOTE: SFU Version 3.5 does not support the Windows NT4 Domain.
• Support for any number of HP CIFS Servers that provide file and print services for corresponding numbers of users.
Figure 9-9 shows the Unified Domain Deployment Model:

Figure 9-9 Unified Domain (diagram: Windows ADS DC/SFU; HP-UX Client; Windows and UNIX users; HP CIFS Member Server)

The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and one or more HP CIFS member servers.
Unified Domain Components

HP CIFS Acting as a Windows 200x ADS Member Server
The HP CIFS member server operating in a unified domain depends on the ADS, aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings. SFU and accompanying documentation are available for download at http://www.microsoft.com/windows/sfu.
software B.03.20 or later, and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts in the ADS directory. You also need to configure the /etc/krb5.conf file to authenticate users using Kerberos.

Installing and Configuring LDAP-UX Client Services on an HP CIFS Server
The following summarizes the major steps you need to take to install and configure LDAP-UX Client Services.
Configuring /etc/krb5.conf to Authenticate Using Kerberos
On your HP CIFS Server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example of /etc/krb5.conf which has the realm CIFSW2KSFU.CUP.HP.COM, and machine hostA.cup.hp.
NOTE  You need to install the LDAP-UX Client Services software on an HP CIFS member server before installing SFU on a Windows 2000 or 2003 domain controller.

An Example of the Unified Domain Model
Figure 9-10 shows an example of the Unified Domain Model, which has the realm named HPCIFSW2KSFU.CUP.HP.COM, an ADS domain controller machine hpntcdn, an HP CIFS Server machine hpntcot acting as a member server and the Windows NT machine with IP address 15.13.112.
A sample smb.conf file for an HP CIFS Member Server
The following is a sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hpntcot acting as an ADS member server in the sample Unified Domain Model shown in Figure 9-10:

  ######################################################
  #
  # A sample smb.
  # This krb5.conf file is intended as an example only.
  #
  # See krb5.conf(4) for more details.
  #
  # Please verify that you have created the directory /var/log.
  #
  # Replace HPCIFSW2KSFU.CUP.HP.COM with your kerberos Realm.
  # Replace hpntcdn.cup.hp.com with your Windows ADS DC full
  # domain name.
  #
  [libdefaults]
  default_realm = HPCIFSW2KSFU.CUP.HP.
  # Protocol (LDAP) in conjunction with dns and files.
10 Securing HP CIFS Server

This chapter describes the network security methods that you can use to protect your HP CIFS Server.
• "Automatically Receiving HP Security Bulletins" on page 227
Security Protection Methods

HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services. You can secure HP CIFS Server from connections that originate from outside the local network by using host-based protection. You can also use interface-based exclusion, so that SMBD binds only to specifically permitted interfaces.
Using Interface Protection
By default, the HP CIFS Server accepts connections on any network interface that it finds on your system. That means that if you have an ISDN line or a PPP connection to the Internet, the HP CIFS Server can accept connections on those links. You can use the interface configuration options to change this behavior.
For example, you can configure the IPC$ share as follows:

  [ipc$]
  hosts allow = 192.168.115.0/24 127.0.0.1
  hosts deny = 0.0.0.0/0

This configuration tells the HP CIFS Server that it cannot accept IPC$ connections from anywhere but the two places listed: the local host and the local subnet.
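The evaluation that the [ipc$] example relies on, written out as an added Python model (not code from the guide or from Samba) of the order in which Samba checks hosts allow and hosts deny: an allow-list match wins, then a deny-list match denies, otherwise the connection is allowed, and 127.0.0.1 is always allowed unless it is denied without being allowed. It supports the address forms used in this chapter plus the dotted-prefix and ALL forms (host names and EXCEPT clauses are not modelled), so a share's lists can be tested against sample client addresses before the configuration is deployed.

```python
import ipaddress


def _split_list(value):
    """smb.conf lists are comma, space or tab separated."""
    return [tok for tok in (value or "").replace(",", " ").split() if tok]


def _entry_matches(entry, addr):
    """One hosts allow / hosts deny entry against an IPv4Address."""
    if entry.upper() == "ALL":
        return True
    if entry.endswith("."):                 # dotted prefix, e.g. "192.168.115."
        return str(addr).startswith(entry)
    if "/" in entry:                        # a.b.c.d/24 or a.b.c.d/255.255.255.0
        return addr in ipaddress.ip_network(entry, strict=False)
    return addr == ipaddress.ip_address(entry)


def _list_matches(entries, addr):
    return any(_entry_matches(e, addr) for e in entries)


def allow_access(hosts_allow, hosts_deny, client):
    """Return True if `client` may connect, given the two smb.conf values.

    Mirrors the decision order of Samba's host access check:
      loopback: allowed unless explicitly denied and not explicitly allowed
      neither list set:  allow everyone
      allow list only:   allow only listed hosts
      deny list only:    allow everyone not listed
      both lists:        allow if on allow list, else deny if on deny
                         list, else allow
    """
    addr = ipaddress.ip_address(client)
    allow = _split_list(hosts_allow)
    deny = _split_list(hosts_deny)

    if str(addr) == "127.0.0.1":
        return not (_list_matches(deny, addr) and not _list_matches(allow, addr))
    if not allow and not deny:
        return True
    if not deny:
        return _list_matches(allow, addr)
    if not allow:
        return not _list_matches(deny, addr)
    if _list_matches(allow, addr):
        return True
    if _list_matches(deny, addr):
        return False
    return True


# The [ipc$] restriction from the guide.
IPC_SHARE = {"hosts allow": "192.168.115.0/24 127.0.0.1",
             "hosts deny": "0.0.0.0/0"}


def check_share(share, clients):
    """Map each client address to the allow/deny decision for `share`."""
    return {c: allow_access(share.get("hosts allow"), share.get("hosts deny"), c)
            for c in clients}


if __name__ == "__main__":
    # Constructed sample clients: one on the local subnet, the local host,
    # and one from elsewhere.
    for client, ok in check_share(IPC_SHARE,
                                  ["192.168.115.7", "127.0.0.1", "10.1.2.3"]).items():
        print("%-15s %s" % (client, "allowed" if ok else "denied"))
```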
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL) on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see Chapter 6, "LDAP Integration Support," on page 109.
Table 10-1 Configuration Files (Continued)

File                                          Description
/var/opt/samba/private/smbpasswd              Data file containing user name and password information
/var/opt/samba/private/passdb.tdb             Data file containing user name and password information
/opt/samba/LDAP/smbldap-tools/smbldap_conf.
Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
Automatically Receiving HP Security Bulletins

You can subscribe to automatically receive future HP Security Bulletins or other technical digests from the HP IT Resource Center (ITRC) via electronic mail. Use the following steps to register for and subscribe to HP Security Bulletins:

Step 1. Use your browser to go to the HP IT Resource Center web site at: http://itrc.hp.com

Step 2.
For detailed information on the Security Patch Check tool, refer to the following web site: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

The security patch matrix is also available via the anonymous ftp site at: ftp://ftp.itrc.hp.
11 Configuring HA HP CIFS
Overview of HA HP CIFS Server

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
To do so, perform the following:
1. Following the instructions, configure the disk hardware for high availability.
2. Use SAM or LVM commands to set up the volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.

HA HP CIFS Server Installation
1. Install HP CIFS Server using SD on all cluster nodes.
Configure a Highly Available HP CIFS Server

Introduction
Before configuring the MC/ServiceGuard packages, it is important to understand how HP CIFS Server is able to support active-active configurations. The HP CIFS Server permits multiple instances of its NetBIOS and SMB master daemons. Each CIFS Server has its own smb.conf file to define its behavior. The NetBIOS name and IP address that the client connects to are used to decide which smb.
1. /etc/cmcluster/samba/sambapkg1
2. /etc/cmcluster/samba/sambapkg2
3. /etc/cmcluster/samba/sambapkg3

There will be three configuration files:
1. /etc/opt/samba/smb.conf.ha_server1
2. /etc/opt/samba/smb.conf.ha_server2
3. /etc/opt/samba/smb.conf.ha_server3

There will be three directories:
1. /var/opt/samba/ha_server1
2. /var/opt/samba/ha_server2
3. /var/opt/samba/ha_server3
...where the locks and log files will reside.
[global]
    workgroup = ha_domain
    netbios name = ha_server1
    interfaces = XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx
    bind interfaces only = yes
    # Make sure there are no directories named starting
    # with "log." if you plan to use "%m" this way
    log file = /var/opt/samba/ha_server1/logs/log.%m
    lock directory = /var/opt/samba/ha_server1/locks
Replace the "XXX.XXX.XXX.XXX/xxx.xxx.xxx.
Below is an example of copying data from the required HP CIFS Server directories to the logical volumes in the volume group vgsamba. The same can be done for vgasambapkg2.
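The isolation that the per-package smb.conf files above rely on (a NetBIOS name, a virtual IP bound with bind interfaces only, a lock directory and a log file that belong to one instance only) is easy to break when a third package is cloned from the second. The script below is an added example and is not part of the HP manual or the HP CIFS product: it reads every smb.conf.* file in a directory and reports any instance that leaves bind interfaces only off or shares one of those values with another instance. The sample configuration files it writes are constructed here; the addresses 15.13.171.20 and .21 are taken from the package example in this chapter, and the mask 255.255.248.0 is assumed.

```shell
#!/bin/sh
# Added example, not from the HP manual: check that a set of per-package
# smb.conf files keeps the HA instances apart. Each instance needs its own
# NetBIOS name, its own virtual IP (interfaces + bind interfaces only = yes),
# and its own lock directory and log file; two packages that meet on one node
# after a failover must not share any of these.

# smb_param FILE PARAM: value of PARAM in FILE's [global] section.
# Samba ignores case and blanks in parameter names, so both are normalized.
smb_param() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[global\]/); next }
        insec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (tolower(key) != want) next
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# check_ha_instances DIR: examine DIR/smb.conf.*; print one line per problem,
# return 1 if any were found, 0 when the set is consistent.
check_ha_instances() {
    dir=$1; rc=0; keys=""
    for f in "$dir"/smb.conf.*; do
        [ -f "$f" ] || continue
        name=$(smb_param "$f" "netbios name")
        ifaces=$(smb_param "$f" "interfaces")
        lockdir=$(smb_param "$f" "lock directory")
        logfile=$(smb_param "$f" "log file")
        bind=$(smb_param "$f" "bind interfaces only" | tr 'A-Z' 'a-z')
        [ -n "$name" ]    || { echo "$f: netbios name missing"; rc=1; }
        [ -n "$ifaces" ]  || { echo "$f: interfaces missing"; rc=1; }
        [ -n "$lockdir" ] || { echo "$f: lock directory missing"; rc=1; }
        case "$bind" in
            yes|true|1) ;;
            *) echo "$f: bind interfaces only must be yes"; rc=1 ;;
        esac
        keys="$keys
netbios name|$name
interfaces|$ifaces
lock directory|$lockdir
log file|$logfile"
    done
    # a value that appears in two files is shared: report it once
    dups=$(printf '%s\n' "$keys" | grep -v '^$' | grep -v '|$' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf '%s\n' "$dups" | sed 's/^/shared between instances: /'
        rc=1
    fi
    return $rc
}

# write_sample_confs DIR good|bad: constructed sample files in the layout of
# this chapter (addresses from the package example; the mask is assumed).
write_sample_confs() {
    if [ "$2" = good ]; then
        lock2=/var/opt/samba/ha_server2/locks; bind2=yes
    else   # second instance cloned carelessly from the first
        lock2=/var/opt/samba/ha_server1/locks; bind2=no
    fi
    cat > "$1/smb.conf.ha_server1" <<EOF
[global]
    workgroup = ha_domain
    netbios name = ha_server1
    interfaces = 15.13.171.20/255.255.248.0
    bind interfaces only = yes
    log file = /var/opt/samba/ha_server1/logs/log.%m
    lock directory = /var/opt/samba/ha_server1/locks
EOF
    cat > "$1/smb.conf.ha_server2" <<EOF
[global]
    workgroup = ha_domain
    netbios name = ha_server2
    interfaces = 15.13.171.21/255.255.248.0
    bind interfaces only = $bind2
    log file = /var/opt/samba/ha_server2/logs/log.%m
    lock directory = $lock2
EOF
}

# Demo: a clean pair, then the carelessly cloned pair.
demo=$(mktemp -d)
write_sample_confs "$demo" good
check_ha_instances "$demo" && echo "good set: instances are isolated"
write_sample_confs "$demo" bad
check_ha_instances "$demo" || echo "bad set: fix before cmapplyconf"
rm -rf "$demo"
```

Run it against /etc/opt/samba on the primary node before cmapplyconf; a shared lock directory is the failure that only shows up after the first failover, when two packages land on the same node and one instance's locking data overwrites the other's.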
2. Create a NODE_NAME variable for each node that will run the package. The first NODE_NAME should specify the primary node. All other NODE_NAME variables should specify the alternate nodes in the order in which they will be tried.
    NODE_NAME ha_server1
    NODE_NAME ha_server2
...for sambapkg1,
    NODE_NAME ha_server2
    NODE_NAME ha_server1
...for sambapkg2, etc.
3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.
6. The following initialization will cause package failover to occur if there is a node or network failure, even if the HP CIFS Server monitor script is not being used.
    PKG_SWITCHING_ENABLED YES
    NET_SWITCHING_ENABLED YES
7. If NODE_FAIL_FAST_ENABLED is set to NO, the node is not brought down when the package goes down.
    NODE_FAIL_FAST_ENABLED NO
Edit the samba.cntl Control Script
To configure the samba.
    IP[0]=15.13.171.20
    SUBNET[0]=15.13.168.0
...for sambapkg1,
    IP[0]=15.13.171.21
    SUBNET[0]=15.13.168.0
...for sambapkg2, etc.
5. If you want to use the HP CIFS Server monitor script, set the NFS_SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.
    SERVICE_NAME[0]=samba_mon1
    SERVICE_CMD[0]=/etc/cmcluster/sambapkg1/samba.mon
6. Use the following as a template for customer_defined_run_cmds.
# /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
# }
function customer_defined_run_cmds
{
    # ADD customer defined run commands.
    nmbd -D -l ${LOG_FILE} -s ${CONF_FILE}
    smbd -D -s ${CONF_FILE}
    #########################################################
    #
    # Use the following for Winbind Configurations
    /opt/samba/bin/startwinbind
    test_return 51
}
7.
else
    NMBD_PID=`cat ${NMBD_PID_FILE}`
    findproc $NMBD_PID
    if [ "$pid" = "" ]
    then
        print "\tERROR: Kill of nmbd.pid failed."
        print "\tERROR: ${NMBD_PID} could not be found."
    else
        kill ${NMBD_PID}
    fi
fi
######################################################
# Use the following for Winbind Configurations
#
# if [ ! -f ${WINBIND_PID_FILE} ]
# then
#     print "ERROR: Kill of smbd.pid failed."
#     print "ERROR: ${WINBIND_PID_FILE} could not be
#     found.
filesystems to be unmounted and failed over to the adoptive node. Package failover may not occur if any of the filesystems mounted by the sambapkg cannot be unmounted.
Edit the samba.mon Monitor Script
To configure the samba.mon Monitor Script file, you must complete the following tasks:
1. Set the NETBIOS_NAME variable to your NetBIOS name.
    NETBIOS_NAME=ha_server1
...for sambapkg1,
    NETBIOS_NAME=ha_server2
...for sambapkg2, etc.
2.
#
# Function findproc
#
findproc()
{
    # return pid of the named process(es)
    pid=`/usr/bin/ps -e | /usr/bin/grep "$1" | grep "mbd" | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
}
#########################################################
# Winbind Configurations
#
# findwbproc()
# {
#     # return pid of the named
#     # process(es)
#     wbpid=`/usr/bin/ps -e |
#     /usr/bin/grep " $1 " | grep "winbindd" |
#     /usr/bin/sed -e 's/^ *//' -e 's/ .
    exit 1
else
    NMBD_PID=`cat ${NMBD_PID_FILE}`
    findproc $NMBD_PID
    if [ "$pid" = "" ] ; then
        if [ "$MAX_NMBD_RETRYS" -gt 0 ] ; then
            startnmbd
            if [ "$MAX_NMBD_RETRYS" -ge 1 ] ; then
                (( MAX_NMBD_RETRYS = MAX_NMBD_RETRYS - 1 ))
            fi
        else
            sleep 1
            echo "ERROR: ${NETBIOS_NAME} nmbd not running!"
            exit 1
        fi
    fi
fi
if [ ! -f ${SMBD_PID_FILE} ]
then
    sleep 1
    print "\tERROR: ${SMBD_PID_FILE} could not be found!"
    exit 1
else
    SMBD_PID=`cat ${SMBD_PID_FILE}`
    findproc $SMBD_PID
# if [ ! -f ${WINBIND_PID_FILE} ]
# then
#     sleep 1
#     print "ERROR: ${WINBIND_PID_FILE} could not be found!"
#     exit 1
# else
#     WINBIND_PID=`cat ${WINBIND_PID_FILE}`
#     findwbproc $WINBIND_PID
#     if [ "$wbpid" = "" ] ; then
#         if [ "$MAX_WINBIND_RETRYS" -gt 0 ] ; then
#             logger -t "${NETBIOS_NAME}.mon" "${NETBIOS_NAME} winbind daemon is not running. Restarting daemon.
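The findproc() lookup used by the monitor above returns whatever `ps -e | grep "$1" | grep "mbd"` matches, so the PID 12 read from a pidfile also matches any other smbd or nmbd process whose listing contains those digits, and a dead daemon can be reported as alive while the package keeps running without it. The functions below are an added example, not the manual's samba.mon script: they make the same liveness decision with kill -0 on the exact PID from the pidfile and reproduce the retry-budget logic of the monitor loop. The pidfile paths and the use of this shell's own PID in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the HP manual: per-daemon liveness test for a
# samba.mon-style monitor, using kill -0 on the exact PID instead of the
# substring match in findproc().

# pid_alive PID: returns 0 if a process with exactly this PID exists.
# kill -0 delivers no signal; it only reports whether the PID is there.
pid_alive() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: nothing to check
    esac
    kill -0 "$1" 2>/dev/null
}

# daemon_state PIDFILE: prints one word and returns a matching code
#   running (0)  pidfile present and its PID is alive
#   stale   (1)  pidfile present but the PID is gone (crash or unclean halt)
#   missing (2)  no pidfile at all (never started, or wrong path in the script)
daemon_state() {
    if [ ! -f "$1" ]; then
        echo missing
        return 2
    fi
    pid=$(awk 'NR == 1 { print $1; exit }' "$1")
    if pid_alive "$pid"; then
        echo running
        return 0
    fi
    echo stale
    return 1
}

# check_with_retry PIDFILE MAX_RETRYS START_CMD
# Mirrors the samba.mon loop: while the daemon is not running, run START_CMD
# (a shell command string) and spend one retry; give up when the budget is
# exhausted. Prints the retries left; returns 0 if the daemon ends up
# running, 1 if it did not.
check_with_retry() {
    pf=$1; budget=$2; start=$3
    while :; do
        if daemon_state "$pf" >/dev/null; then
            echo "$budget"
            return 0
        fi
        if [ "$budget" -gt 0 ]; then
            budget=$((budget - 1))
            eval "$start"
        else
            echo "$budget"
            return 1
        fi
    done
}

# Demo on a constructed pidfile (this shell's own PID stands in for smbd).
demo=$(mktemp -d)
echo "$$" > "$demo/smbd.pid"
echo "own pid:       $(daemon_state "$demo/smbd.pid")"
echo 99999999 > "$demo/smbd.pid"
echo "stale pid:     $(daemon_state "$demo/smbd.pid")"
echo "after restart: $(check_with_retry "$demo/smbd.pid" 3 "echo $$ > $demo/smbd.pid") retries left"
rm -rf "$demo"
```

Run the check as the user that owns the daemons (root on a cluster node): kill -0 fails with EPERM on a process owned by someone else, which this code reports as stale, so an unprivileged run would trigger restarts of a healthy daemon.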
1. On alternate nodes, create a cluster package directory:
    mkdir /etc/cmcluster/samba/sambapkg1
...or sambapkg2, sambapkg3...n. Copy the package scripts from the primary node:
    rcp primary_node:/etc/cmcluster/samba/sambapkg1/* \
        /etc/cmcluster/samba/sambapkg1
2. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MC/ServiceGuard cluster configuration file (cmclconf.
Special Notes for HA HP CIFS Server
There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below:
• Client Applications
HA HP CIFS Server cannot guarantee that client applications with open files on an HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover.
password timeout, 604800 seconds by default), HP recommends that you locate secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the smb.conf parameter private dir. For example,
    private dir = /var/opt/samba/shared_vol_1/private
will result in the file /var/opt/samba/shared_vol_1/private/secrets.tdb. User authentication also depends on several entries in different security files.
You may want to put the entire /var/opt/samba/locks directory on a shared logical volume, but the locking data may not be correctly interpreted after a failover. You may want to add a line to your startup script to remove the locking data file .../locks/locking.tdb.
If you wish to use an LMHOSTS file to store the static addresses for certain NetBIOS names, HP recommends that you put the LMHOSTS file on a shared logical volume so that all the nodes can share it. To do this you will need to specify a different path for the LMHOSTS file using the -H option when invoking nmbd.
Chapter 12 HP-UX Configuration for HP CIFS
This chapter describes HP-UX tuning procedures for the HP CIFS Server.
• HP CIFS Server Memory and Disc Requirements
• HP CIFS Process Model
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS
The following information should be considered as general guidelines and not a rigid formula for determining the resource requirements of an HP CIFS server running on HP-UX 11i v1 and v2.
HP CIFS Process Model
The SMB daemon process, smbd, handles all SMB requests from a client. One such process is launched for each connected client, and each smbd process handles one and only one client. Therefore, if there are 2048 connected clients, there will be 2048 smbd processes. Such a large number of processes demands system resources and requires adjustment of certain kernel configuration parameters.
Overview of Kernel Configuration Parameters
The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.
• maxusers: the name of this kernel parameter is a misnomer, as it does not directly control the number of UNIX users that can log on to HP-UX.
Configuring Kernel Parameters for HP CIFS
The first step in configuring HP-UX to support a large number of clients on an HP CIFS server is to adjust the maxusers kernel parameter. The second step involves adjusting nproc, nfile, nflocks and ninode individually so as to allow a large number of users to be connected simultaneously.
1.
• nfile: when an smbd process is launched, it immediately takes up 28 entries in the system file table. This does not include any other files that the client will open and operate on. At a minimum, therefore, the value of nfile should be equal to the anticipated number of simultaneous clients times (28 + the anticipated number of files simultaneously opened by each client).
Memory Requirements
Each smbd process needs approximately 1 MB of memory. For 2048 clients, therefore, the system should have at least 2 GB of physical memory. This is over and above the requirements of other applications running concurrently with HP CIFS.
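To turn the sizing rules of this chapter into a check that runs before kernel values are committed, the script below is an added example and not part of the HP manual: it computes the nfile minimum from the formula above, the smbd memory footprint at 1 MB per process, and compares nfile and nproc against a table of planned values. The table format (one `name value` pair per line) and the numbers in it are constructed for the example. nproc is only bounded from below by the client count, because this chapter gives one smbd per client and the rest of its nproc guidance is not on this page.

```shell
#!/bin/sh
# Added example, not from the HP manual: apply the sizing rules of this
# chapter to a planned set of kernel values before you commit them.
#   nfile  >= clients * (28 + files each client keeps open)
#   nproc  >  clients      (one smbd per client, plus nmbd and everything else)
#   memory >= clients * 1 MB for the smbd processes alone

SMBD_MB=1   # approximate footprint of one smbd process (from this chapter)

# min_nfile CLIENTS FILES_PER_CLIENT: smallest acceptable nfile
min_nfile() {
    echo $(( $1 * (28 + $2) ))
}

# min_smbd_mem_mb CLIENTS: physical memory needed by smbd alone, in MB
min_smbd_mem_mb() {
    echo $(( $1 * SMBD_MB ))
}

# param_value TABLE NAME: value of NAME from a "name value" table
# (one tunable per line; a constructed format, not the output of any HP tool)
param_value() {
    awk -v n="$2" '$1 == n { print $2; exit }' "$1"
}

# check_cifs_sizing CLIENTS FILES_PER_CLIENT TABLE: one line per shortfall;
# returns 0 when nfile and nproc in TABLE are large enough for CLIENTS.
check_cifs_sizing() {
    clients=$1; per=$2; table=$3; rc=0
    need=$(min_nfile "$clients" "$per")
    have=$(param_value "$table" nfile)
    if [ -z "$have" ] || [ "$have" -lt "$need" ]; then
        echo "nfile: have ${have:-unset}, need at least $need"; rc=1
    fi
    have=$(param_value "$table" nproc)
    if [ -z "$have" ] || [ "$have" -le "$clients" ]; then
        echo "nproc: have ${have:-unset}, need more than $clients (one smbd per client)"; rc=1
    fi
    return $rc
}

# write_sample_table FILE: constructed planned values for the demo
write_sample_table() {
    cat > "$1" <<'EOF'
maxusers 2048
nproc 4096
nfile 65536
nflocks 8192
ninode 8192
EOF
}

# Demo: the same table sized for 1024 and then 2048 clients, 10 open files each.
tbl=$(mktemp)
write_sample_table "$tbl"
for n in 1024 2048; do
    echo "$n clients: smbd alone needs $(min_smbd_mem_mb "$n") MB"
    check_cifs_sizing "$n" 10 "$tbl" && echo "$n clients: table is sufficient"
done
rm -f "$tbl"
```

The 2048-client run reproduces the chapter's own numbers (2048 MB for smbd, and 2048 x (28 + 10) = 77824 file-table entries), which the constructed table's nfile of 65536 does not meet.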
Glossary
ACL Access Control List: metadata that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support, and different file systems define different access rights.
Integrity Integrity ensures that file system data is not modified by an intruder. An intruder cannot intercept a file system data packet and modify it without the network file system discovering and rejecting the tampering.
Samba An open source product that first appeared in the mid-1990s.
Index Symbols /etc/nsswitch.conf, 125, 212 /etc/nsswitch.ldap, 125 /etc/pam.conf, 212 A Access Control Lists, 43 configuring, 73 VxFS, 45 ACLs. See Access Control Lists adding ACE entries, 51 B base DN, 124 boot, 121 browsing description, 13 documentation, 13 C Change Notify, 40 CIFS protocol, 3 client start-up file ldapux_client.conf, 174 Common Internet File System. See CIFS configuration client, 121 directory, 119 quick, 123 start-up file ldapux_client.
M maxusers, 254 N name service, 125 NativeLdapClient subproduct, 121 nfile, 254 nflocks, 254 ninode, 254 NIS and Samba documentation, 13 nproc, 254 NSS, 125 NT ACLs, 45 directory translations, 47 file permission translations, 47 O object class posixDUAProfile, 123 posixNamingProfile, 123 obtaining CIFS/9000 software, 22 Open Source Software, 5 OSS.