HP CIFS Server 3.0d Administrator's Guide, version A.02.02
HP-UX 11i v1 and v2, Edition 5
Manufacturing Part Number: B8725-90101, E0406, U.S.A.
© Copyright 2006 Hewlett-Packard Company, L.P.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Contents (excerpt)
1. Introduction to the HP CIFS Server: Introduction to HP CIFS (3); What is the CIFS Protocol? (3); The Open Source Software (OSS) Samba Suite (5); Open Source Software
UNIX File Permissions and POSIX ACLs; Viewing UNIX Permissions From Windows NT; The VxFS POSIX ACL File Permissions; Using the NT Explorer GUI to Create ACLs; POSIX ACLs and Windows 2000/XP Clients
Configuring Roaming Profiles (94); Configuring User Logon Scripts (96); Running Logon Scripts When Logging On (96); Home Drive Mapping Support (97); Inter-Domain Trust Relationships
Configuring the LDAP-UX Client to Use SSL; Configuring HP CIFS Server to enable SSL; Migrating Your data to the Netscape Directory; Migrating All Your Files; Migrating Individual Files
Verifying idmap_rid; wbinfo Utility; Syntax; Examples
Reporting New Security Vulnerabilities (236)
11. Configuring HA HP CIFS: Overview of HA HP CIFS Server; Recommended Clients; Installing Highly Available HP CIFS Server
About This Document
This document describes how to install, configure, and administer the HP CIFS Server product. It augments The Samba HowTo Collection and the Using Samba, 2nd Edition book supplied with the HP CIFS Server product and provides additional HP-UX-specific variations, features, and recommendations. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.
Intended Audience
This document is intended for users who are already familiar with the HP CIFS Server product. For additional information about the HP CIFS Server, please refer to other HP CIFS Server documentation on-line at http://www.docs.hp.com.
New and Changed Documentation in This Edition
This edition documents the following changes for HP CIFS Server 3.0d version A.02.02, edition 5:
• Removal of obsolete information.
Typographical Conventions
Table 1 Documentation Conventions
Type of Information | Font | Examples
Representations of what appears on a display, program/script code and command names or parameters. | Monotype | > user logged in.
Emphasis in text, actual document titles. | Italics | Users should verify that the power is turned off before removing the board.
Headings and sub-headings. | |
Table 2 Publishing History Details (Continued)
Document Manufacturing Part Number: B8725-900101
Operating Systems Supported: 11i v1, v2
Supported Product Versions: A.02.02
Publication Date: April 2006
What Is in This Document
This manual describes how to install, configure, administer and use the HP CIFS Server product.
Chapter 6 LDAP-UX Integration Support
Use this chapter to learn how to install, configure and verify the HP Netscape Directory, the HP LDAP-UX Integration product and HP CIFS Server software with LDAP feature support.
Chapter 7 Winbind Support
Use this chapter to learn how to set up and configure the HP CIFS Server with winbind support.
• The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual.
• The section numbers and page numbers of the information on which you are commenting.
• The version of HP-UX that you are using.
1 Introduction to the HP CIFS Server
This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS.
Introduction to HP CIFS
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX. The current HP CIFS Server (version A.02.01) is based on the well-established open-source software Samba, version 3.0.
Despite its name, CIFS is not actually a file system unto itself. More accurately, CIFS is a remote file access protocol; it provides access to files on remote systems. It sits on top of and works with the file systems of its host systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.
The Open Source Software (OSS) Samba Suite
The HP CIFS server source is based on Samba, an Open Source Software (OSS) project developed in 1991 by Andrew Tridgell in Australia. This section includes a very brief introduction to the Samba product.
HP CIFS Server Documentation: Printed and Online
The documentation you need to explore the full features and capabilities of the HP CIFS product consists of non-HP books available at most technical bookstores, and this printed and online manual, the HP CIFS Server Administrator's Guide, available on the following web site: http://www.docs.hp.
NOTE: Non-HP Samba documentation sometimes includes descriptions of features and functionality planned for future releases of Samba. The authors of these books do not always indicate which features are in existing releases and which features will be available in future Samba releases.
HP CIFS Documentation Roadmap
Use the following road map to locate the Samba and HP CIFS documentation that provides details of the features and operations of the HP CIFS Server.
Table 1-1 HP CIFS Documentation Roadmap (HP CIFS Product | Document Title: Chapter: Section)
Server Description | HP CIFS Server Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Server"; Samba Meta FAQ No. 2, "General Information about Samba"; Samba FAQ No.
Server Installation | HP CIFS Server Administrator's Guide: Chapter 2, "Installing and Configuring the HP CIFS Server"; Samba FAQ: No. 2, "Compiling and Installing Samba on a UNIX Host."
Client Installation | HP CIFS Client Administrator's Guide: Chapter 2.
Server: Starting & Stopping | HP CIFS Server Administrator's Guide, Chapter 2
Client: Starting & Stopping | HP CIFS Client Administrator's Guide, Chapter 2.
Server: Samba Scripts | Using Samba: Appendix D, "Summary of Samba Daemons and Commands", for detailed information about the command-line parameters for Samba programs such as smbd, nmbd, smbstatus and smbclient.
Server Security | HP CIFS Client Administrator's Guide: Chapter 12, "Securing CIFS Server".
Server Troubleshooting | Part V, Troubleshooting, Samba HOWTO and Reference Guide; Using Samba, Chapter 9, "Troubleshooting Samba"; Samba FAQs No. 4, "Specific Client Application Problems" and No. 5, "Miscellaneous"; DIAGNOSIS.
HP CIFS Server File and Directory Roadmap
The default base installation directory of the HP CIFS Server product is /opt/samba. The HP CIFS configuration files are located in the directory /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba. Table 1-2 briefly describes the important directories and files that comprise the CIFS Server.
Table 1-2 Files and Directory Description (Continued)
/opt/samba/script | This directory contains various scripts which are utilities for the HP CIFS Server.
/opt/samba/swat | This directory contains HTML and image files which the Samba Web Administration Tool (SWAT) needs.
/opt/samba/HA | This directory contains example High Availability scripts, configuration files, and README files.
/opt/samba/COPYING, /opt/samba_src/COPYING, /opt/samba_src/samba/COPYING | These are copies of the GNU Public License which applies to the HP CIFS Server.
/sbin/init.d/samba | This is the script that starts HP CIFS Server at boot time and stops it at shutdown (if it is configured to do so).
/etc/rc.config.
2 Installing and Configuring the HP CIFS Server
This chapter describes the procedures to install and configure the HP CIFS Server software.
• HP CIFS Server Requirements and Limitations
• Step 1: Installing HP CIFS Server Software
• Step 2: Running the Configuration Script
• Step 3: Modify the Configuration
• Step 4: Starting the HP CIFS Server
HP CIFS Server Requirements and Limitations
Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations.
HP-UX Memory and Disk Requirements
32-bit and 64-bit HP-UX 11i v1 systems can boot with as little as 64 MB of RAM and 1 GB of disk space. 64-bit HP-UX 11i v2 systems can boot with as little as 1 GB of RAM and 2 GB of disk space.
HP CIFS Server A.02 Memory and Disk Requirements
Updated HP CIFS Server Memory Requirements for Versions A.02.01 or Newer
As of version A.02.01, you need 1000 KB of system memory per smbd process. The HP CIFS Server processes increased their base use of system memory by 400 KB from the previous base of 600 KB per smbd process, an increase of approximately 70 percent.
Step 1: Installing HP CIFS Server Software
If the HP CIFS Server software has been pre-installed on your system, you may skip Step 1 and go directly to "Step 2: Running the Configuration Script".
HP CIFS Server Upgrades: If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment.
Domains," on page 75 and Chapter 5, "Windows 2000/2003 Domains," on page 101 for details on how to re-join an HP CIFS Server to a Windows domain.
Overview: Installation of the HP CIFS Server software includes loading the HP CIFS Server filesets using the swinstall(1M) utility, completing the HP CIFS configuration procedures, and starting Samba using the startsmb script.
Step 2: Running the Configuration Script
The samba_setup configuration script is intended for new installations only. For detailed procedures on how to update HP CIFS Server A.01 to A.02, see Chapter 8, "Kerberos Support," on page 179.
See Chapter 4, "NT Style Domains," on page 75 for details.
The script will modify the smb.conf file according to the information that you have entered.
Step 3: Modify the Configuration
HP CIFS Server requires configuration modifications for the following functionality:
• Case Sensitivity for the Client and Server for UNIX Extensions
• DOS Attribute Mapping
• Print Services for version A.02.
When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general. By default, map system and map hidden are off, and map archive is on. To turn map archive off, modify /etc/opt/samba/smb.
Creating a [printers] share
Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:

    [printers]
        path = /tmp
        printable = yes
        browseable = no

This share is required if you want SWAT to display printers that exist on the HP CIFS Server but are not defined individually in the smb.conf file.
In this example, the write list parameter specifies that administrative-level user accounts have write access for updating files on the share.
2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported.
5. Select the printer driver, e.g. hp LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk and stored in the subdirectories under the [print$] share.
Publishing Printers in an MS Windows 2000/2003 ADS Domain
Publishing printers makes HP CIFS Server printers searchable in a Microsoft Windows 2000/2003 ADS domain.
In the above example, the write list parameter specifies that administrative-level user accounts have write access for updating files on this share. The use client driver parameter must be set to No.
Step 3. Configure the printer admin parameter to specify a list of domain users that are allowed to connect to an HP CIFS Server. See the following example:

    [global]
        printer admin = cifsuser1, cifsuser2

Step 4.
Step 8. Check the List in the directory check box in the Sharing window. See the following screen snapshot for an example:
Figure 2-1 Publishing Printer Screen
Verifying that the Printer is Published
On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published.
On a Windows client, you can also use the following steps to verify that the printer is published:
Step 1. Log in to your Windows client as a user who is a member of the printer admin list; for example, the user cifsuser1.
Step 2. Click Start.
Step 3. Click the Search tab.
Step 4. Click the buttons to find network printers.
Step 5. Select the name of the ADS domain in the In box.
Step 6. Click the Find Now tab.
    objectClass:printQueue
    printerName:lj1005
    serverName:HPSERVERA
    objectClass:top
    objectClass:leaf
    objectClass:connectionPoint
    objectClass:printQueue
    printerName:lj3200
    serverName:HPSERVERB

Removing a Printer
To remove a printer from the ADS domain, run the following command:

    $ net ads printer remove

For example, the following command removes the printer lj1005 from the ADS domain:

    $ net ads printer remove lj1005
Setting Up a DFS Tree on an HP CIFS Server
After the DFS tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure an HP CIFS server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes.
1. Use the ln command to set up the DFS links "linka" and "linkb" in the /export/dfsroot directory. Both "linka" and "linkb" point to other servers on the network (several targets for one link are separated by commas). Example commands:

    cd /export/dfsroot
    chown root /export/dfsroot
    chmod 775 /export/dfsroot
    ln -s msdfs:serverA\\shareA linka
    ln -s msdfs:serverB\\shareB,serverC\\shareC linkb

2.
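The DFS root set-up above, scripted as an added example (not from the HP manual or from Samba): it creates the root directory with the ownership and mode shown, adds msdfs links with single-quoted targets so the shell does not consume the backslashes, and audits the root so that any entry that is not an msdfs: symlink is reported, because such an entry is not a DFS redirection and should be investigated. serverA/B/C and shareA/B/C are the manual's placeholders; the [dfs] share with msdfs root = yes, DFS_ROOT and DFS_DEMO are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not HP's code. Assumed smb.conf (per the manual's procedure):
#   [global]  host msdfs = yes
#   [dfs]     path = /export/dfsroot
#             msdfs root = yes
# DFS_ROOT can be overridden so the script can be exercised in a scratch directory.
DFS_ROOT="${DFS_ROOT:-/export/dfsroot}"

# Create the DFS root directory with the ownership and mode used in the manual.
setup_dfs_root() {
    root="$1"
    mkdir -p "$root" || return 1
    chown root "$root" 2>/dev/null || true   # needs root; harmless in a dry run
    chmod 775 "$root"
}

# Create one msdfs link. A target has the form msdfs:SERVER\SHARE; alternate
# targets for the same link are separated by commas. Anything that does not
# start with msdfs: is refused so a typo cannot leave a dangling plain symlink.
add_dfs_link() {
    root="$1"; name="$2"; target="$3"
    case "$target" in
        msdfs:*) ;;
        *) echo "refusing $name: target must start with msdfs:" >&2; return 1 ;;
    esac
    ln -s "$target" "$root/$name"
}

# Return the raw target string of an existing link.
dfs_link_target() {
    readlink "$1/$2"
}

# Audit the root: every entry must be a symlink whose target starts with msdfs:.
# Prints each offender and returns 1 if any were found, 0 otherwise.
audit_dfs_root() {
    root="$1"; bad=0
    for entry in "$root"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory
        if [ -L "$entry" ]; then
            case "$(readlink "$entry")" in
                msdfs:*) ;;
                *) echo "non-DFS symlink: $entry"; bad=1 ;;
            esac
        else
            echo "not a DFS link: $entry"; bad=1
        fi
    done
    return $bad
}

# Stand-alone run (DFS_DEMO=1): build the two links from the manual and audit.
if [ "${DFS_DEMO:-0}" = 1 ]; then
    setup_dfs_root "$DFS_ROOT"
    add_dfs_link "$DFS_ROOT" linka 'msdfs:serverA\shareA'
    add_dfs_link "$DFS_ROOT" linkb 'msdfs:serverB\shareB,serverC\shareC'
    audit_dfs_root "$DFS_ROOT" && echo "DFS root $DFS_ROOT is consistent"
fi
```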
Template files for version A.02.02 have been revised to allow any number of cluster nodes and offer other advantages over previous schemes. Follow the configuration procedures provided in Chapter 11.
Step 4: Starting the HP CIFS Server
Run the script below to start Samba if you do not use winbind support:

    /opt/samba/bin/startsmb

Run the script below to start Samba if you configure HP CIFS Server to use winbind support:

    /opt/samba/bin/startsmb -w
or
    /opt/samba/bin/startsmb --winbind

When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started.
Starting and Stopping Daemons Individually
Two new options, -n (nmbd only) and -s (smbd only), have been added to the startsmb and stopsmb scripts to start and stop the daemons individually. The startsmb -s command starts the smbd daemon. The stopsmb -s command stops the smbd daemon. The -n option starts and stops the nmbd daemon in the same way.
• interfaces
• auth methods
• passdb backend
• invalid users
• valid users
• admin users
• read list
• write list
• printer admin
• hosts allow
• hosts deny
• hosts equiv
• preload modules
• wins server
• vfs objects
• idmap backend
Other Samba Configuration Issues
Translate Open-Mode Locks into HP-UX Advisory Locks
The HP CIFS Server A.02.* versions can translate open-mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open-mode locks from CIFS clients. It also means CIFS clients cannot open files that have conflicting advisory locks from HP-UX processes.
To counteract the possible performance impact, you can control how often Samba scans for changes in the directories it has been requested to monitor. The parameter that controls how often Samba scans for changes is Change Notify Timeout. The parameter value represents the number of seconds between the start of each scanning cycle. The default value is 60.
• Avoid using HP CIFS Server to share Veritas CFS directories simultaneously on multiple nodes. Since Veritas CFS allows multiple nodes of a cluster to read and write the same files concurrently, you should use extra caution when configuring HP CIFS Server on multiple nodes of clustered systems. Simultaneous file access can lead to data corruption if multiple producers overwrite each other's work.
• The smb.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACLs) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
UNIX File Permissions and POSIX ACLs
The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.
Table 3-1 (Continued)
UNIX Permission | NT access type
r-- | Special Access
In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).
UNIX File Owner Translation in NT ACL
A UNIX file system owner has additional permissions that other users do not have.
For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows NT client will display the permissions for group sales as:

    Special Access(RXO)

UNIX Other Permission Translation in NT ACL
In UNIX, the other permission entry represents permissions for any user or group that is not the owner and does not belong to the owning group.
Table 3-2 (Continued)
NT access type | UNIX Permission
Special Access(RW) | rw-
Read(RX) | r-x
Special Access(WX) | -wx
Special Access(RWX) | rwx
Special Access | r--
When mapping to UNIX file permissions from NT, you will not be able to add new NT ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries.
If you use pre-defined NT access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in NT. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows NT client, it will show up as Special Access (RWX).
The VxFS POSIX ACL File Permissions
VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.
• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.
• VxFS POSIX ACLs support default Access Control Entries (ACEs) for directory permissions.
Using the NT Explorer GUI to Create ACLs
Use the Windows NT Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list:
• Click the Add button in the File/Directory Permissions dialog box of the Windows NT GUI to bring up the Add Users and Groups dialog box.
Figure 3-3
NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs. Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system.
Figure 3-4 Windows NT Explorer List Names From Field
Figure 3-5 Windows NT Explorer Add Users and Groups Dialog Box
• Go to the List Names From dropdown list in the Add Users and Groups dialog box. One choice is to list names on your Samba server. This is the list HP recommends. Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.
• Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local UNIX groups and the users in this list.
Figure 3-6 Add UNIX Groups and Users
• You can type user and group names into the Add Names text field to add users and groups.
To continue the example above, you could create an ACE for the administrator user on the NT client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user.
POSIX ACLs and Windows 2000/XP Clients
The HP CIFS Server A.01.07 and subsequent versions allow Windows 2000/XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000/XP permissions.
Table 3-4 UNIX Permission Maps Windows 2000/XP Client Permissions
UNIX Permission | Permission Shown on Windows 2000/XP Clients
r-x | Read and Execute: all Read permissions as in the first cell, plus Execute or Traverse Folder
rw- | Read, Write: all Read permissions as in the first cell and all Write permissions as in the second cell
rwx | Full Control: Full Control and all permission bits are ticked
--- | No b
Setting Permissions from Windows 2000/XP Clients
The following table shows how each Windows 2000/XP client permission is mapped to the UNIX permission when permissions are set from a client:
Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions
Windows 2000/XP | UNIX Permission
Full Control | rwx
Write | -w-
Modify | rwx
Read and Execute | r-x
Read | r--
List Folder / Read Data (Advanced) | r--
Take Ownership (Advanced) | * see explanation following table
* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows 2000/XP clients.
Step 2. Click on the Security tab
Displaying the Owner of a File
Step 1. Click on Advanced
Step 2.
HP CIFS Server Directory ACLs and Windows 2000/XP Clients
Directory ACL Types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.
Step 2. Click on the Security tab
Figure 3-7 Basic ACL View
Viewing Advanced ACLs from Windows 2000 Clients
Step 1. Right-click on a file or a directory and select Properties
Step 2.
Step 3. Click on the Advanced button
Figure 3-8 Advanced ACL View
Mapping Windows 2000/XP Directory Inheritance Values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
• Subfolders and files only
• Subfolders only
• Files only
When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows inheritance values to the corresponding POSIX ACE type.
You must use the Windows Advanced permission screen (Directory -> Properties -> Security tab -> Advanced button) to view or change POSIX directory ACLs. This section describes how to modify a directory ACE from the Windows 2000 or XP client:
Step 1. Right-click on a directory and select Properties
Step 2. Click on the Security tab
Step 3. Click on the Advanced button
Step 4.
Step 6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Refer to "Mapping Table for Inheritance Values to POSIX" for detailed information.
Step 7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat step 4 through step 6 to modify other ACEs.
Step 8.
If you modify an ACE entry and clear both the Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server. To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.
In Example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r-
Example 2: In this example, assume that the existing directory ACEs for testdir on the HP CIFS Server are:
# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group
# other group:testgroup
access:owner:rwx
access:owning group:r-x
default:owner:rwx
default:owning group:r--
Adding Directory ACLs From Windows 2000/XP Clients This section describes how to add a directory ACE from the Windows 2000 or XP client: Step 1. Right-click on a directory and select Properties. Step 2. Click on the Security tab. Step 3. Click on the Advanced button. Step 4.
Step 8. You will be taken to the ACE Advanced view screen; click on the OK or Apply button to add the new ACE. Figure 3-11 Selecting a new ACE user or group. IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.
With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, Everyone is shown as only one ACE if the access and default permissions are the same.
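The following is an added example and is not part of the HP guide: a small POSIX shell check that reads a directory ACE listing in the notation the examples above use (the access: and default: lines) and reports the two things this section warns about, an owner whose access or default ACE is not rwx, and default ACEs a Windows client has dropped that the server would regenerate from the matching access ACE. Both listings are constructed sample data; on a real server you would feed it the ACL listing of the share directory after a client-side edit.

```shell
#!/bin/sh
# Added example: lint directory ACE listings written in the notation of the
# examples above. Both listings are constructed sample data, not output
# captured from an HP CIFS Server.
GOOD_ACL=$(mktemp); BAD_ACL=$(mktemp)
trap 'rm -f "$GOOD_ACL" "$BAD_ACL"' EXIT

cat >"$GOOD_ACL" <<'EOF'
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:r-x
default:owner:rwx
default:owning group:r-x
default:other:r-x
EOF

# Same directory after a Windows client cleared both the Allow and Deny boxes
# on the default owner and default owning-group entries: the client drops the
# ACEs instead of sending them, so only the access ACEs for them survive.
cat >"$BAD_ACL" <<'EOF'
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:r-x
default:other:r-x
EOF

# ace_perm LISTING TYPE WHO -> permission string of the ACE, empty if absent.
# TYPE is "access" or "default"; WHO is owner, "owning group" or other.
ace_perm() {
    grep -i "^$2:$3:" "$1" | head -n 1 | awk -F: '{ print $3 }'
}

# owner_has_full_control LISTING -> 0 when both the access and the default
# owner ACE are rwx, the setting recommended above so that a client-side
# edit cannot lock the directory owner out.
owner_has_full_control() {
    [ "$(ace_perm "$1" access owner)" = rwx ] &&
    [ "$(ace_perm "$1" default owner)" = rwx ]
}

# missing_defaults LISTING -> prints, one per line, the default ACEs that are
# absent and that the server is described as regenerating from the matching
# access ACE (Example 1 above). Prints nothing when the listing is complete.
missing_defaults() {
    for who in owner "owning group" other; do
        if [ -z "$(ace_perm "$1" default "$who")" ]; then
            perm=$(ace_perm "$1" access "$who")
            if [ -n "$perm" ]; then
                printf 'default:%s:%s\n' "$who" "$perm"
            fi
        fi
    done
    return 0
}

# Report on both listings.
for f in "$GOOD_ACL" "$BAD_ACL"; do
    echo "== $f"
    if owner_has_full_control "$f"; then
        echo "owner: access and default ACEs are rwx"
    else
        echo "WARNING: owner does not have Full Control on both ACEs"
    fi
    missing_defaults "$f" | sed 's/^/regenerated: /'
done
```

Run it on a listing taken before and after a Windows client edits the directory; a non-empty "regenerated:" list or the owner warning is the signal that the client silently deleted ACEs, which is exactly the case the Full Control recommendation above guards against.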
In Conclusion Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows NT/XP/2000 clients. With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can now be done from an NT/XP/2000 client (with the exception of the class entry for VxFS POSIX ACLs).
Chapter 4 NT Style Domains
Introduction
This chapter describes how to configure the roles that an HP CIFS Server can play in an NT style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or an NT Domain with a Microsoft NT Primary Domain Controller (PDC). Configuration of Member Servers joining an NT style domain or a Windows 2000/2003 Domain as a pre-Windows 2000 compatible computer is described here.
• HP CIFS BDCs may be configured to offload some of the HP CIFS PDC authentication responsibilities and can be promoted to a PDC if the PDC fails or needs to be taken out of service. Primary Domain Controllers The Primary Domain Controller (PDC) is responsible for several tasks within the domain.
• HP CIFS Server and MS Windows server can each function as a BDC only to its own type of PDC. • HP CIFS Server cannot create Security Account Management (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files that are held by a BDC. • The Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.0 BDC with a non-LDAP backend can make synchronizing the SAM database difficult. Refer to Table 5.
Configure the HP CIFS Server as a PDC When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server should create machine accounts for Windows clients (member servers). To enable this feature, choose “Primary Domain Controller” when executing samba_setup, then verify the following: 1. The smb.
3. The /var/opt/samba/netlogon subdirectory for the domain logon service exists. NOTE security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend. domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC. domain logon: Set this parameter to yes to provide netlogon services.
Configure the HP CIFS Server as a BDC When configuring the HP CIFS Server to act as a Backup Domain Controller (BDC), you need to configure the relevant domain controller parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows: • The smb.
HP CIFS does not implement a true SAM database, nor its replication. The HP CIFS implementation of a BDC is very much like a PDC with one important difference: a BDC is configured like a PDC except that the smb.conf parameter domain master must be set to no. NOTE security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
Domain Member Server Configure the HP CIFS Server as a Member Server When configuring the HP CIFS Server to act as a domain member server, you need to configure the relevant domain parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows: • The smb.
encrypt passwords: If this parameter is set to yes, the server uses the encrypted (challenge/response) SMB password authentication that NT-style domains require instead of plaintext passwords. netbios name: Set this parameter to the NetBIOS name by which the member server is known. Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain This section describes the procedures to join an HP CIFS Server to an NT domain, Windows 2000/2003 (as a pre-Windows 2000 computer) or Samba domain as a member server.
“Create a Machine Trust Account.” samba_setup will then perform the “net rpc join -U Administrator%password” command for you.
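As an added example (not from the HP guide), the following POSIX shell script reads the [global] section of an smb.conf and derives which of the roles described in this chapter (PDC, BDC, member server, ADS member) the parameter set actually produces, then lints it against the role the administrator intended. The three configurations it checks are constructed from the parameter descriptions above; the assumption that a pre-Windows 2000 style member server uses security = domain is stock Samba behaviour and is not stated on this page.

```shell
#!/bin/sh
# Added example: derive the domain role an smb.conf [global] section describes
# and lint it against the intended role. The configurations below are
# constructed sample data following this chapter's parameter descriptions.
PDC_CONF=$(mktemp); BDC_CONF=$(mktemp); ADS_CONF=$(mktemp)
trap 'rm -f "$PDC_CONF" "$BDC_CONF" "$ADS_CONF"' EXIT

cat >"$PDC_CONF" <<'EOF'
[global]
    security = user
    workgroup = SAMBADOM   # Samba domain name
    domain master = yes
    domain logon = yes
    encrypt passwords = yes
EOF

# Meant to be a BDC, but 'domain master' was left at yes and encrypted
# passwords were switched off: this host would compete with the PDC.
cat >"$BDC_CONF" <<'EOF'
[global]
    security = user
    workgroup = SAMBADOM
    domain master = yes
    domain logon = yes
    encrypt passwords = no
EOF

cat >"$ADS_CONF" <<'EOF'
[global]
    workgroup = MYREALM    # Domain Name
    realm = MYREALM.XYZ.COM
    security = ADS
    domain master = no
    encrypt passwords = yes
    netbios name = MYSERVER
    password server = adsdc.myrealm.xyz.com
EOF

# smb_param FILE NAME -> value of the first "NAME = value" line, with the
# surrounding whitespace and any trailing '#' comment removed.
smb_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

lower() { tr 'A-Z' 'a-z'; }

# smb_role FILE -> pdc | bdc | member | ads | standalone | unknown
smb_role() {
    sec=$(smb_param "$1" security | lower)
    dm=$(smb_param "$1" "domain master" | lower)
    dl=$(smb_param "$1" "domain logon" | lower)
    case "$sec" in
        ads)    echo ads ;;
        domain) echo member ;;   # pre-Windows 2000 member (stock Samba setting, assumed)
        user|"")
            if   [ "$dl" = yes ] && [ "$dm" = yes ]; then echo pdc
            elif [ "$dl" = yes ];                    then echo bdc
            else                                          echo standalone
            fi ;;
        *)      echo unknown ;;
    esac
}

# smb_lint FILE INTENDED_ROLE -> prints one finding per line; returns 0 if none.
smb_lint() {
    conf=$1; want=$2; n=0
    got=$(smb_role "$conf")
    if [ "$got" != "$want" ]; then
        echo "role: parameters describe '$got' but '$want' was intended"; n=$((n + 1))
    fi
    case "$(smb_param "$conf" "encrypt passwords" | lower)" in
        no|false|0) echo "encrypt passwords: must be yes for NT-style domain logons"; n=$((n + 1)) ;;
    esac
    if [ "$want" = bdc ] && [ "$(smb_param "$conf" "domain master" | lower)" != no ]; then
        echo "domain master: must be no on a BDC; only the PDC is domain master"; n=$((n + 1))
    fi
    if [ "$want" = ads ] && [ -z "$(smb_param "$conf" realm)" ]; then
        echo "realm: required when security = ADS"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# report FILE INTENDED_ROLE -> human-readable summary for one configuration.
report() {
    echo "== intended $2, detected $(smb_role "$1")"
    smb_lint "$1" "$2" || echo "($2 configuration needs attention)"
}

report "$PDC_CONF" pdc
report "$BDC_CONF" bdc
report "$ADS_CONF" ads
```

The second configuration is the case the BDC section warns about: because a BDC is "a PDC with domain master = no", forgetting that one parameter yields a second domain master rather than a backup, and the lint reports it as a role mismatch as well as a parameter error.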
Create the Machine Trust Accounts A Machine Trust Account for a Windows client (client = member server) on an HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$". For PDCs not using LDAP (the default), machine accounts have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts).
$ /opt/samba/LDAP3/smbldap-tools/smbldap-useradd.
For ldapsam backend: $ /opt/samba/bin/smbpasswd -a -m client1 An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logofftime: 2
Configure Domain Users The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on an HP CIFS Server configured as a PDC. • If you are a root-level user, create a Domain User in the group named “users”, with /sbin/sh as the login shell.
Join a Windows Client to a Samba Domain 1. Verify the following parameters in the smb.conf file: set the security parameter to “user”, set the workgroup parameter to the name of the domain, and set the encrypt passwords parameter to “yes”.
[global]
security = user
workgroup = SAMBADOM #SAMBA Domain name
domain logon = yes
encrypt passwords = yes
2.
$ /opt/samba/LDAP/smbldap-tools/smbldap-useradd.
$ smbpasswd -a -m client1 An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logofftime: 2147483650
kickoffTime: 2147483
6. Enter the Samba domain name in the ‘Domain’ field, and click on the ‘Change’ button. Refer to Figure 4-3 below.
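As an added example, not taken from the guide or from the smbldap-tools, the following POSIX shell functions generate an LDIF entry of the shape shown in “Create the Machine Trust Accounts” and in step 2 above for a machine trust account, and compute its sambaSID. The RID arithmetic is Samba 3's algorithmic default (algorithmic rid base = 1000: user RID = 2*uid + 1000, group RID = 2*gid + 1001) and is not stated on this page; the ou=Computers container, the id numbers and the domain SID (the smbldap-tools sample value quoted in Chapter 6) are assumptions for the sample.

```shell
#!/bin/sh
# Added example: build a machine trust account entry (posixAccount +
# sambaSamAccount) like the one shown above and derive its SIDs. The domain
# SID is the sample value quoted with the smbldap-tools defaults in Chapter 6;
# replace it with the output of 'net getlocalsid' on your PDC.
DOMAIN_SID='S-1-5-21-3516781642-1962875130-3438800523'
MACHINE_SUFFIX='ou=Computers,dc=org,dc=hp,dc=com'   # assumed ldap machine suffix

# Samba 3 algorithmic RID mapping with the default 'algorithmic rid base' of
# 1000: users get even RIDs, groups odd ones, so a RID can be mapped back.
user_rid()  { echo $(( $1 * 2 + 1000 )); }
group_rid() { echo $(( $1 * 2 + 1001 )); }
rid_kind()  { if [ $(( $1 % 2 )) -eq 0 ]; then echo user; else echo group; fi; }
rid_to_id() { echo $(( ($1 - 1000) / 2 )); }

# sid_rid SID -> the relative identifier (last component) of a SID.
sid_rid() { echo "${1##*-}"; }

# machine_ldif HOSTNAME UID GID -> LDIF for the trust account. The account
# name is the host name plus '$'; the shell is /bin/false because nobody
# logs in interactively as a machine.
machine_ldif() {
    name=$1; uidn=$2; gidn=$3
    case "$name" in
        *\$) echo "machine_ldif: give the host name without the trailing \$" >&2; return 1 ;;
        "")  echo "machine_ldif: host name required" >&2; return 1 ;;
    esac
    acct="${name}\$"
    cat <<EOF
dn: uid=$acct,$MACHINE_SUFFIX
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: $acct
uid: $acct
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
sambaSID: $DOMAIN_SID-$(user_rid "$uidn")
sambaPrimaryGroupSID: $DOMAIN_SID-$(group_rid "$gidn")
sambaAcctFlags: [W          ]
EOF
}

# Print the entry for client1 and show the SID round trip.
machine_ldif client1 1000 200
sid=$DOMAIN_SID-$(user_rid 1000)
echo "# $sid is a $(rid_kind "$(sid_rid "$sid")") with id $(rid_to_id "$(sid_rid "$sid")")"
```

The W in sambaAcctFlags marks the entry as a workstation trust account; when a join fails, comparing the sambaSID the directory holds against the value this arithmetic predicts for the uidNumber is a quick way to spot an entry that was created under a different domain SID.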
Roaming Profiles The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features: • A user’s environment, preference settings, desktop settings, etc. are stored on the HP CIFS Server. • Roaming Profiles can be created as a share and be shared between Windows clients. • When a user logs on to a workstation in the domain, the roaming profile is downloaded from the share, which is on an HP CIFS Server configured as a PDC, to the local machine.
writeable = yes
browseable = no
guest ok = no
Configuring User Logon Scripts The logon script configuration must meet the following requirements: • User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server. • Scripts should have UNIX executable permission set. • Any logon script should contain valid commands recognized by the Windows client. • A logon user should have proper access permissions to execute logon scripts.
Home Drive Mapping Support An HP CIFS Server provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.
Inter-Domain Trust Relationships Trust relationships enable pass-through authentication for users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. HP CIFS Servers support the following trust relationships: • An HP CIFS PDC Samba Domain may be a trusting, trusted, or bi-directional trust (both trusting and trusted, or “two way”) domain with an NT Domain.
Log on as root and execute the following steps on the trusted domain PDC: Step 1. Add a trust account for the trusting domain to /etc/passwd. Add the domain name with the "$" using the useradd command as follows: $ useradd $ Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting domain name account. Step 2.
Trusting a Samba Domain from an NT Domain Log on as root and execute the following steps on the trusted Samba Domain PDC: Step 1. Add a trust account for the trusting NT domain to /etc/passwd. Add the domain name with the “$” using the useradd command as follows: $ useradd $ Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting NT domain name account. Step 2.
Chapter 5 Windows 2000/2003 Domains
Introduction This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain Member Server” on page 83 in Chapter 4, “NT Style Domains”. By default, Windows 2000/2003 servers use the Kerberos authentication protocol for increased security.
HP CIFS and Other HP-UX Kerberos Applications Co-existence Because the HP CIFS Server stores the Kerberos secret key in /var/opt/samba/private/secrets.tdb by default, the standard CIFS Kerberos configuration can only be used by HP CIFS Server users. If other HP-UX applications use the /etc/krb5.
HP-UX Kerberos Client Software and LDAP Integration Software Dependencies Kerberos v5 Client version 1.3.5 or later is required to support HP CIFS Server integration with a Windows 2003 ADS Domain Controller (DC). Kerberos Client version 1.0 was originally bundled on HP-UX 11i v1 and v2. The following lists the HP-UX Kerberos Client software dependencies: • Kerberos Client version 1.3.
Joining an HP CIFS Server to a Windows 2000/2003 Domain The HP CIFS Server only supports the following Kerberos encryption types: • DES-CBC-MD5 • DES-CBC-CRC • RC4-HMAC You must configure one of these encryption types in the /etc/krb5.conf file as shown below. Of the three, RC4-HMAC is the strongest; the single-DES types have since been deprecated for Kerberos (RFC 6649), so the recommendation that follows reflects the interoperability requirements of this release rather than the strength of the cipher. HP recommends you set the encryption type to DES-CBC-MD5 in /etc/krb5.
Configuration Parameters The following is a description of the smb.conf parameters shown in “Step-by-step Procedure” on page 106: realm This parameter specifies the name of the ADS Kerberos realm, which is the fully qualified domain name of the domain (conventionally in upper case). It must be set to the same value as the Kerberos realm in krb5.conf. workgroup This parameter specifies the name of the domain in which the HP CIFS Server is a domain member server.
If there is no /etc/krb5.conf file in existence at the time that /opt/samba/bin/samba_setup is run, samba_setup will attempt to create and validate an appropriately configured krb5.conf file based on the answers to the questions asked when ’ads member server’ is chosen. The following is an example of /etc/krb5.conf which has the realm MYREALM.XYZ.COM, and machine adsdc.myrealm.xyz.
NOTE: You must configure the port number :88 after the node name specified for the kdc entry in the [realms] section. Kerberos v5 uses port 88 for the KDC service. For detailed information on how to configure the /etc/krb5.conf file, refer to the krb5.conf(4) man page. Step 3. Run the following commands to verify the Kerberos configuration: log in as root and run kinit (e.g. Administrator@myrealm.xyz.
[global]
workgroup = MYREALM # Domain Name
realm = MYREALM.XYZ.COM
security = ADS
domain master = no
encrypt passwords = yes
netbios name = MYSERVER
password server = adsdc.myrealm.xyz.com
• For existing installations, modify the smb.conf configuration items as follows:
[global]
workgroup = MYREALM # Domain Name
realm = MYREALM.XYZ.
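The following is an added example and is not part of the HP guide: a POSIX shell check that validates a krb5.conf against the two constraints stated in this procedure, :88 appended to every kdc entry and only the three encryption types the HP CIFS Server supports. Both configuration files are constructed (the realm MYREALM.XYZ.COM and KDC adsdc.myrealm.xyz.com are the names used in the text; the option names default_tkt_enctypes and default_tgs_enctypes are MIT krb5's), and they are written to temporary files so the host's real /etc/krb5.conf is untouched.

```shell
#!/bin/sh
# Added example: check a krb5.conf for the two requirements of this procedure.
# Both files are constructed samples written to temporary locations.
KRB5_OK=$(mktemp); KRB5_BAD=$(mktemp)
trap 'rm -f "$KRB5_OK" "$KRB5_BAD"' EXIT

cat >"$KRB5_OK" <<'EOF'
[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5

[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com:88
        admin_server = adsdc.myrealm.xyz.com
    }

[domain_realm]
    .myrealm.xyz.com = MYREALM.XYZ.COM
    myrealm.xyz.com = MYREALM.XYZ.COM
EOF

# The same realm with the two mistakes this step warns about: no :88 on the
# kdc entry, and an encryption type outside the supported set.
cat >"$KRB5_BAD" <<'EOF'
[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = AES256-CTS-HMAC-SHA1-96
    default_tgs_enctypes = AES256-CTS-HMAC-SHA1-96 DES-CBC-MD5

[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com
    }
EOF

# krb5_kdcs FILE -> every 'kdc = ...' value, one per line.
krb5_kdcs() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1"
}

# krb5_enctypes FILE -> every type named on a *_enctypes line, upper-cased,
# one per line (krb5.conf allows several, separated by spaces or commas).
krb5_enctypes() {
    sed -n 's/^[[:space:]]*[a-z_]*_enctypes[[:space:]]*=[[:space:]]*//p' "$1" |
        tr ' ,' '\n\n' | sed '/^$/d' | tr 'a-z' 'A-Z'
}

# krb5_check FILE -> prints one finding per line; returns 0 when the file
# satisfies both constraints.
krb5_check() {
    n=0
    for k in $(krb5_kdcs "$1"); do
        case "$k" in
            *:88) ;;
            *) echo "kdc '$k': append :88, the KDC port, to the node name"; n=$((n + 1)) ;;
        esac
    done
    for e in $(krb5_enctypes "$1"); do
        case "$e" in
            DES-CBC-MD5|DES-CBC-CRC|RC4-HMAC) ;;
            *) echo "enctype '$e': HP CIFS Server supports only DES-CBC-MD5, DES-CBC-CRC and RC4-HMAC"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

for f in "$KRB5_OK" "$KRB5_BAD"; do
    if krb5_check "$f"; then echo "$f: ok"; else echo "$f: fix before running kinit"; fi
done
```

Run the check before the kinit verification in Step 3: a KDC entry without :88 or an unsupported enctype produces a kinit or net ads join failure whose error text does not point at the configuration line, while this check names it.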
Chapter 6 LDAP Integration Support This chapter describes the HP CIFS Server with LDAP integration. It includes the benefits of LDAP and procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
• “Overview” on page 113 • “Network Environments” on page 115 • “Summary of Installing and Configuring” on page 120 • “Installing and Configuring Your Netscape Directory Server” on page 121 • “Installing LDAP-UX Client Services on an HP CIFS Server” on page 123 • “Configuring the LDAP-UX Client Services” on page 124 • “Enabling Secure Sockets Layer (SSL)” on page 129 • “Migrating Your data to the Netscape Directory” on page 132 • “Extending the Samba Subschema
Overview Lightweight Directory Access Protocol (LDAP) provides a framework for the development of a centralized management infrastructure. LDAP supports directory enabled computing by consolidating applications, services, user accounts, Windows accounts and configuration information into a central LDAP directory. Samba customer sites with large numbers of users and servers may want to integrate the HP CIFS Server with LDAP support.
You can configure the ldap ssl parameter in the smb.conf file to enable Secure Sockets Layer (SSL) support. With SSL support, the HP CIFS Server can access an SSL-enabled LDAP directory to protect passwords over the network and to ensure confidentiality and data integrity between CIFS servers and the SSL-enabled LDAP directory server. You can set passdb backend = ldapsam:ldaps:// to enable SSL support.
Network Environments The HP CIFS Server supports many different network environments. Features such as WINS, browser control, domain logons, roaming profiles, and many others continue to be available to support a diverse range of network environments. LDAP integration provides one more alternative solution for Samba user authentication.
CIFS Server Acting as Backup Domain Controller (BDC) to Samba PDC Since BDCs are also responsible for Windows authentication, HP CIFS Servers configured as BDCs can access the LDAP directory for user authentication. BDC configuration is very similar to PDC configuration with the exception that you set both master browser and domain master to no.
UNIX User Authentication - /etc/passwd, NIS Migration HP UNIX user authentication is required in addition to Samba (Windows) user authentication for HP CIFS Server logon. You can consolidate Samba and UNIX users into a single LDAP directory server database. However, the /etc/passwd file or NIS database files can continue to be used for UNIX users if desired.
The CIFS Authentication with LDAP Integration With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication.
5. The CIFS Server receives data attributes including the password information from the LDAP directory server. If the password and challenge information matches the information in the client response packet, the Samba user authentication succeeds. 6. If the Samba user is authenticated and is successfully mapped to a valid POSIX user, the CIFS Server returns a user token session ID to the Windows PC client.
Summary of Installing and Configuring The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with LDAP support: • Install the Netscape Directory Server, if not already installed. See “Installing the Netscape Directory Server” on page 121. • Configure the Netscape Directory Server, if not already configured. See “Configuring the Netscape Directory Server” on page 121.
Installing and Configuring Your Netscape Directory Server This section describes how to set up and configure your Netscape Directory Server to work with LDAP-UX Client Services and the HP CIFS Server. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for more information on directory configuration.
Step 2. Enter the host name of the Netscape Directory Server where you want to store your user data. Step 3. Enter the port number of the previously specified directory server. The default port number is 389. Step 4. Enter the Distinguished Name (DN) and password of the administrator. This user has operator permissions. For example, you can enter “admin” as the administrator DN. Step 5. Enter the base DN.
Installing LDAP-UX Client Services on an HP CIFS Server Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on an HP CIFS Server. See the LDAP-UX Client Services B.03.20 Release Notes for more details on the installation procedures. The LDAP-UX Client Services software is available at http://www.software.hp.com. You must install the LDAP-UX Client Services version B.03.
Configuring the LDAP-UX Client Services You need to configure the LDAP-UX Client Services if it is not already configured. This section describes the major steps to configure LDAP-UX Client Services with the Netscape Directory Server 6.02 or a later version. For detailed information on how to configure the LDAP-UX Client Services, see the “Configure the LDAP-UX Client Services” section of LDAP-UX Client Services B.03.
Quick Configuration You can quickly configure the LDAP-UX Client Services by selecting the default value for most of the configuration parameters as follows: Step 1. To be consistent with the Samba organizational unit defaults, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group objectclass under the $RFC2307BIS structure from ou=Group to ou=Groups. Step 2.
Step 7. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile, dc=org, dc=hp, dc=com, then the base path, org.hp.com, must exist in the directory or setup will fail.
Table 6-1 shows the configuration parameters and the default values that they will be configured with.
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \ "(objectclass=*)" | grep -i posix Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows: objectClasses: ( 1.3.6.1.1.1.2.
Enabling Secure Sockets Layer (SSL) The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL-enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Netscape Directory Server and LDAP-UX clients. When you have enabled the LDAP server and clients, then you can configure the HP CIFS Server to use SSL.
For detailed instructions on how to configure the administration server to connect to an SSL-enabled directory server, see Managing Servers with Netscape Console available at http://docs.hp.com. Configuring the LDAP-UX Client to Use SSL If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX Client and configure the LDAP-UX Client to enable SSL.
subsection of the “Installing LDAP-UX Client Services” chapter in LDAP-UX Client Services B.03.20 Administrator’s Guide at http://docs.hp.com.
Migrating Your data to the Netscape Directory HP recommends that all UNIX user accounts, whether in the /etc/passwd file or in NIS database files, are migrated to the Netscape Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.
NOTE Before you run the migration scripts, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group objectclass under the $RFC2307BIS structure from ou=Group to ou=Groups. By doing this, it matches the Samba organizational unit defaults. An Example The following example shows the necessary steps to import your data into the LDAP directory using the migration script, migrate_all_online.sh: Step 1.
Migrating Individual Files The following perl scripts migrate each of your source files in the /etc directory to LDIF. These scripts are called by the shell scripts described in the section “Migrating All Your Files” on page 132. The perl scripts obtain their information from the input source file and output LDIF.
Table 6-2 Migration Scripts (Continued)
migrate_group.pl: Migrates groups in the /etc/group file.
migrate_hosts.pl (a): Migrates hosts in the /etc/hosts file.
migrate_networks.pl: Migrates networks in the /etc/networks file.
migrate_passwd.pl (b): Migrates users in the /etc/passwd file.
migrate_protocols.pl: Migrates protocols in the /etc/protocols file.
migrate_rpc.
b. Netgroup - The NIS optimization maps ‘byuser’ and ‘byhost’ are not utilized. Each triple is stored as a single string. Each triple must be enclosed by parentheses. For example, “(machine, user, domain)” is a valid triple while “machine, user, domain” is not. c. When migrating services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports.
Extending the Samba Subschema into Your Directory Server You now need to extend the Netscape Directory Server schema with the Samba subschema from the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services, and migrated your data to the LDAP directory, before extending the schema. The Samba subschema has been enhanced in HP CIFS Server A.02.*.
New attributes and Objectclass The following is a list of new attributes and objectclass: • sambaAccountPolicyName attribute • sambaAccountPolicyValue attribute • sambaAccountPolicy objectclass The above new attributes and objectclass are currently not used in HP CIFS Server A.02.02. NOTE The updated Samba subschema is compatible with the subschema available in HP CIFS A.02.01.*.
Step 2. Log in to your Netscape Directory Server and restart the daemon, slapd. This ensures that the sambaSamAccount subschema is recognized by the LDAP directory. $ /var/opt/netscape/servers/slapd-/restart-slapd For example: $ /var/opt/netscape/servers/slapd-hostA.hp.com/restart-slapd Step 3.
Configuring the HP CIFS Server You must set up and configure your HP CIFS Server to enable the LDAP feature support. LDAP Configuration Parameters The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under global parameters.
Table 6-3 Global Parameters (Continued) Parameter Description ldap group suffix Specifies the base of the directory tree where you want to add group information. If you do not specify this parameter, HP CIFS Server uses the value of ldap suffix instead. For example, ldap group suffix = “ou=Groups”. ldap filter Specifies the RFC 2254 compliant LDAP search filter.
Configuring LDAP Feature Support After installing the HP CIFS Server, the existing configuration continues to operate as currently configured. To enable LDAP support, you must configure the relevant LDAP configuration parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. NOTE HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server.
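As an added example (not from the guide), here is a POSIX shell check for the LDAP parameters this section lists, with a weak [global] fragment beside a corrected one. The point it makes: with passdb backend = ldapsam:ldap:// and ldap ssl = off, the sambaSamAccount attributes, which include the password hashes the server reads in step 5 of the authentication flow described earlier in this chapter, cross the network in clear text; ldapsam:ldaps:// (or ldap ssl = start_tls) closes that. The host name ldapsrv.xyz.com and the suffixes are constructed.

```shell
#!/bin/sh
# Added example: lint the LDAP-related [global] parameters. The two fragments
# are constructed; the host name ldapsrv.xyz.com is made up.
WEAK=$(mktemp); HARDENED=$(mktemp)
trap 'rm -f "$WEAK" "$HARDENED"' EXIT

# Weak: plain ldap://, StartTLS off, and the group suffix still at the
# migrate_common.ph default of ou=Group rather than Samba's ou=Groups.
cat >"$WEAK" <<'EOF'
[global]
    passdb backend = ldapsam:ldap://ldapsrv.xyz.com
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=org,dc=hp,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap ssl = off
EOF

cat >"$HARDENED" <<'EOF'
[global]
    passdb backend = ldapsam:ldaps://ldapsrv.xyz.com
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=org,dc=hp,dc=com
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap ssl = off
EOF

# param FILE NAME -> value of the first "NAME = value" line, trailing comment
# and whitespace removed.
param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# ldap_transport FILE -> tls (ldaps://), starttls (ldap:// with ldap ssl),
# clear (ldap:// without it) or none (not an ldapsam backend).
ldap_transport() {
    be=$(param "$1" "passdb backend")
    ssl=$(param "$1" "ldap ssl" | tr 'A-Z' 'a-z')
    case "$be" in
        *ldaps://*) echo tls ;;
        *ldapsam*)  case "$ssl" in start*tls|on) echo starttls ;; *) echo clear ;; esac ;;
        *)          echo none ;;
    esac
}

# ldap_check FILE -> prints one finding per line; returns 0 when none.
ldap_check() {
    f=$1; n=0
    if [ "$(ldap_transport "$f")" = clear ]; then
        echo "passdb backend: password hashes leave the server unencrypted; use ldapsam:ldaps:// or ldap ssl = start_tls"
        n=$((n + 1))
    fi
    if [ -z "$(param "$f" "ldap admin dn")" ]; then
        echo "ldap admin dn: not set; smbpasswd -w has no DN to bind with"; n=$((n + 1))
    fi
    if [ "$(param "$f" "ldap group suffix")" != "ou=Groups" ]; then
        echo "ldap group suffix: expected ou=Groups, matching the migrate_common.ph change"; n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

for f in "$WEAK" "$HARDENED"; do
    echo "== $f: transport $(ldap_transport "$f")"
    ldap_check "$f" || echo "(needs attention)"
done
```

The transport check is the one to run first on an existing installation: the SSL steps earlier in this chapter only protect the directory traffic if the passdb backend URL (or ldap ssl) actually asks for it, and a working ldap:// configuration gives no visible sign that it is sending hashes in the clear.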
Installing your Samba Users in the Directory This section describes how to install and verify your Samba users in your LDAP directory. Adding Credentials When you use the HP CIFS Server with LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.
Syntax: ldapsearch [option] Options: -b search/insert base; -s search scope; -D directory login; -w password of the directory manager. Example: The following example uses the ldapsearch utility to check that the user entry johnl contains the sambaAccount objectclass: $ /opt/ldapux/bin/ldapsearch -b "dc=org,dc=hp,dc=com" -s sub \ -D "cn=Directory Manager" -w dmpasswd "uid=johnl" The output is shown as follows: dn: uid=johnl,ou=People
LDAP management Tools The HP CIFS Server provides LDAP management tools for you to maintain users, groups and passwords in the Netscape Directory Server. To use the perl scripts, perl on HP-UX 11i (PA-RISC) and HP-UX 11i (IA) version 5.6.1.E or greater is required. A free download is available at http://software.hp.com.
Syntax Run the following command to show help messages: $ net help Pdbedit Pdbedit can be used for user management with LDAP directories. Note also that pdbedit can help to migrate from one passdb backend to another, including moving from smbpasswd to ldapsam.
smbldap-usermod.pl modifies user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used) smbldap-usershow.pl views user data (objectclass: posixAccount, sambaAccount or both depending on the tool option used) smbldap-passwd.pl adds or modifies the Samba password, POSIX password, or both smbldap-migrate-accounts.pl migrates user accounts from the existing smbpasswd file to the LDAP directory. smbldap-migrate-groups.
Name (DN), directory manager name and password. First start the Samba daemon, if it is not already running, with startsmb. Set the environment variables throughout your configuration file to appropriate values for your environment, including $SID. The current SID default is SID='S-1-5-21-3516781642-1962875130-3438800523'. You need to execute the net rpc getsid command and obtain the appropriate SID.
The smbldap-groupadd.pl Tool
You can use this tool to add a new group entry with the posixGroup objectclass to your Netscape Directory Server.
Syntax
smbldap-groupadd.
-?    shows help messages
groupname    Specify the name of the group. The group data entry will be deleted from the LDAP directory.

An Example
The following commands delete the group "group1" from the Netscape Directory Server:
cd /opt/samba/LDAP3/smbldap-tools
./smbldap-groupdel.pl group1

The smbldap-groupshow.pl Tool
You can use this tool to view a group entry with the posixGroup information in the Netscape Directory Server.
Syntax
smbldap-groupshow.
NOTE    If you specify the tool option -a or -W, the sambaAccount information is added to the LDAP directory in addition to the posixAccount information. Without the -a or -W option, only posixAccount information is added.

Syntax
smbldap-useradd.pl [options] username
where options can be any of the following:
-a    specifies a Windows user. With this option, both posixAccount and sambaAccount will be added to the LDAP directory.
-C    specifies the SMB home share, such as \\PDC-SRC\homes
-D    specifies the home drive letter associated with the home share, such as H:
-E    specifies the script path (DOS script to execute on login)
-F    specifies the profile directory
-H    specifies Samba account control bits
-N    specifies the canonical name
-S    specifies the surname
-?    shows help messages
username    Specify the name of the new user.
smbldap-usermod.
The following commands modify the user "johnl" to have the user id "200" in the Netscape Directory Server:
cd /opt/samba/LDAP3/smbldap-tools
./smbldap-usermod.pl -u 200 johnl

The smbldap-userdel.pl Tool
You can use the smbldap-userdel.pl tool to delete a user entry in the Netscape Directory Server. This tool deletes both posixAccount and sambaAccount information from the LDAP directory.
Syntax
smbldap-userdel.
-?    shows help messages
username    Specify the name of the user entry.

An Example
The following commands show the entry data of the user "johnl" in the Netscape Directory Server:
cd /opt/samba/LDAP3/smbldap-tools
./smbldap-usershow.pl johnl

The smbldap-migrate-accounts.pl Tool
You can use the smbldap-migrate-accounts.pl tool to migrate the user account information in the smbpasswd file to the Netscape Directory Server.
An Example
The following commands migrate all "people" accounts in the smbpasswd file to the Netscape Directory Server:
cd /opt/samba/LDAP3/smbldap-tools
./smbldap-migrate-accounts.pl -a

Migrating Users from a Windows Server to an HP CIFS Server as a PDC
Use the following steps to migrate all the users from a Windows server to an HP CIFS Server acting as a PDC:
Step 1. Download pwdump.exe from the following web site to the Windows server: http://de.
-w    specifies the LDAP directory manager password

Migrating Groups from a Windows Server to an HP CIFS Server as a PDC
Use the following steps to migrate all the groups from a Windows server to an HP CIFS Server acting as a PDC:
Step 1. Run the net group command on the Windows server and create the file that contains the group data:
net group >
Step 2.
Upgrading LDAP from HP CIFS Server A.01.* to A.02.*
When upgrading an existing HP CIFS Server version A.01.* LDAP configuration to version A.02.*, make the following changes to your smb.conf configuration file:
• Set passdb backend = ldapsam_compat:ldaps://<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL.
• Optionally, remove the obsolete parameter ldap enable.
$ /opt/ldapux/bin/ldapsearch -h -p 389 -l \
    -b -s sub "objectClass=sambaAccount" > \
    output file
For example, the following command finds the entries with the sambaAccount objectclass in the Netscape Directory Server, hostA.org.hp.com, and saves the output to the /tmp/old.ldif file:
$ /opt/ldapux/bin/ldapsearch -h hostA.org.hp.
$ /opt/ldapux/bin/ldapmodify -c -h hostA.org.hp.com -D "cn=Directory Manager" -w -f /tmp/mod.ldif
Step 7. Change your ldap filter smb.conf parameter to ldap filter = (uid=%u). Since (uid=%u) is the default, you can simply remove the ldap filter entry.
Step 8. Change your passdb backend smb.
Limitations with the LDAP Feature Support
HP only supports the HP CIFS Server with LDAP integration that works with the HP LDAP-UX Integration product, J4269AA, and the HP Netscape Directory Server, J4258CA.
7 Winbind Support
This chapter describes how to set up and configure the HP CIFS Server with winbind support.
• "Configuring HP CIFS Server with Winbind" on page 167
• "Starting and Stopping Winbind" on page 171
• "idmap_rid with Winbind Support" on page 173
• "wbinfo Utility" on page 175
Overview
UNIX and Microsoft Windows NT/ADS have different models for representing user and group information and use different technologies to implement them. Winbind is a component of the Samba suite of programs that resolves Windows users and groups to HP-UX UIDs and GIDs. Winbind uses a UNIX implementation and the Name Service Switch (NSS) to allow Windows NT domain users to appear and operate as UNIX users on an HP-UX system.
How Winbind works
Winbind works by using the winbind daemon (/opt/samba/bin/winbindd), which communicates with a Windows Domain Controller, the name services provided by the Name Service Switch (NSS), and configuration options in the smb.conf file. With winbind support, you need to set up the NSS configuration file, /etc/nsswitch.conf, to enable an HP-UX system to look up UID and GID mappings for users and groups that reside exclusively in the Windows domain.
Configuring HP CIFS Server with Winbind
You must set up and configure your HP CIFS Server to use winbind support.

Winbind Configuration Parameters
Table 7-1 shows the list of new global parameters used to control the behavior of winbind. These parameters are set in the [global] section of the /etc/opt/samba/smb.conf file.
Table 7-1 Global Parameters (continued)
Parameter: winbind cache time
Description: Specifies the number of seconds the winbindd daemon caches user and group information before querying a Windows NT server again. By default, this parameter is set to 300.
Parameter: winbind enable local accounts
Description: Controls whether or not winbindd acts as a stand-in replacement for the various account management hooks in smb.conf (e.g. 'add user script').
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
winbind enable local accounts = no
winbind use default domain = no
ldap idmap suffix = ou=testdir, dc=depart, dc=company, dc=com
[shareA]
path = /tmp/shareA
guest ok = no
writable = yes

Idmap Backend
When multiple CIFS Servers participate in a Windows NT or Windows ADS domain and make use of winbind, you can configure multiple CIF
In this example, NSS first checks the files /etc/passwd and /etc/group and, if no entry is found, it checks winbind. Refer to switch(4) and "Configuring the Name Service Switch" in the NFS Services Administrator's Guide at http://docs.hp.com/hpux/netcom/ for detailed information on how to configure NSS.
Starting and Stopping Winbind
This section describes how to start or stop the HP CIFS Server with winbind support.
To configure winbind to start automatically at system startup, set RUN_WINBIND to 1.
idmap_rid with Winbind Support
The idmap_rid facility with winbind provides a unique mapping of Windows SIDs to local UNIX UIDs and GIDs. It uses the RID of the user SID to generate the UID and GID by adding the RID number to a configurable base value. Since RIDs are allocated by the centrally managed Windows Domain Controller, this facility permits the CIFS winbind daemons to generate unique HP-UX UIDs and GIDs across the domain.
winbind enum users = yes
winbind enum groups = yes
winbind enable local accounts = no
winbind use default domain = no
winbind separator = \

Verifying idmap_rid
You can run the wbinfo -u and wbinfo -g commands to verify that you have set up and configured idmap_rid properly, and to verify that idmap_rid is running.
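The idmap_rid arithmetic described above, worked by hand in a shell script added here (it is not part of the guide): the UNIX id is the low end of the configured idmap range plus the RID taken from the SID, and a RID that pushes the result past the high end gets no mapping at all. The domain SID is the default shown in the LDAP chapter; the RIDs, account names and function names (sid_rid, rid_to_id, sid_to_id) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the HP CIFS Server guide: works the idmap_rid
# arithmetic by hand. The UNIX id for a Windows SID is the low end of the
# configured "idmap uid" / "idmap gid" range plus the RID (the last field of
# the SID), so every winbind server in the domain derives the same id from
# the same SID without sharing an allocation table.
# The domain SID is the default shown in the LDAP chapter; RIDs, account
# names and function names are constructed for this example.

IDMAP_RANGE="10000-20000"   # from "idmap uid = 10000-20000" in smb.conf

# sid_rid SID -> prints the RID, the last hyphen-separated field of the SID
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# rid_to_id RID LOW-HIGH -> prints LOW+RID, or prints nothing and returns 1
# when the result falls outside the range. winbind has no id for such a SID,
# so the range must reach beyond the highest RID the domain controller has
# allocated.
rid_to_id() {
    low=${2%-*}
    high=${2#*-}
    id=$((low + $1))
    if [ "$id" -lt "$low" ] || [ "$id" -gt "$high" ]; then
        return 1
    fi
    printf '%s\n' "$id"
}

# sid_to_id SID LOW-HIGH -> prints the mapped id, or "unmapped" with status 1
sid_to_id() {
    if id=$(rid_to_id "$(sid_rid "$1")" "$2"); then
        printf '%s\n' "$id"
        return 0
    fi
    printf 'unmapped\n'
    return 1
}

DOMAIN_SID="S-1-5-21-3516781642-1962875130-3438800523"

# Constructed sample accounts: the well-known Administrator (RID 500) and
# Domain Users (RID 513), an ordinary user, and a RID too large for the range
for entry in "Administrator:500" "Domain Users:513" "maryw:1105" "late-joiner:12000"; do
    name=${entry%:*}
    sid="$DOMAIN_SID-${entry#*:}"
    printf '%-14s %-50s -> %s\n' "$name" "$sid" "$(sid_to_id "$sid" "$IDMAP_RANGE")"
done
```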
wbinfo Utility
You can use the wbinfo tool to get information from the winbind daemon. Running wbinfo requires that the winbind daemon, winbindd, is configured and started.
Syntax
wbinfo [option]
where option can be any of the following:
-l    displays path data with Windows user and group names that exceed the HP-UX name limitation of 8 characters.
-X    deletes a local group.
-o    adds a user to the group.
-O    removes a user from the group.
-D    shows information about the domain.
-r    gets the user's groups.
-V    shows the winbind version.
-?    shows the help messages.
For detailed information on how to use this tool, refer to the /opt/samba/man/man1/wbinfo.1 file.
DOMAIN_DOM\ntuser 10010
DOMAIN_DOM\root 10011
DOMAIN_DOM\pcuser 10012
DOMAIN_DOM\winusr 10016
DOMAIN_DOM\maryw 10017
The following is an example of the output using the wbinfo -g command:
$ wbinfo -g
DOMAIN_DOM\Domain Admins 10010
DOMAIN_DOM\Domain Guests 10011
DOMAIN_DOM\Domain Users 10012
DOMAIN_DOM\Domain Computers 10013
DOMAIN_DOM\Domain Controllers 10014
DOMAIN_DOM\Schema Admins 10015
DOMAIN_DOM\Enterprise Admins 10016
DOMAIN_DOM\Cert Publishers 10017
DOMAIN_DOM\Account
8 Kerberos Support
Introduction
The Kerberos protocol is specified in IETF RFC 1510. Kerberos was adopted by Microsoft for Windows 2000 and is the default authentication protocol for Windows 2000 and 2003 domains (including the Windows 2000 and XP clients that inhabit those domains). For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2000/2003 domain, and only when the HP CIFS Server is configured with "security = ads".
Kerberos Overview
Kerberos is an authentication protocol which uses shared secrets and encryption to exchange keys between an authenticator, an authenticatee, and a resource that the authenticatee requires access to.
Kerberos CIFS Authentication Example
Figure 8-1 Kerberos Authentication Environment: Authenticator (Windows 2000/2003 KDC with AS and TGS); Authenticatee (Windows 2000 or XP Client); Resource (HP CIFS Server); exchanges numbered 1 to 6
The following describes a typical Kerberos logon and share service exchange using Kerberos authentication in a Windows 2000/2003 domain environment shown in Figure 8-1:
1.
5. The Windows client sends the service ticket to the HP CIFS Server for a share service.
6. The HP CIFS Server verifies the received information and authorizes the Windows client to access the server's share.
HP-UX Kerberos Application Co-existence
Because the HP CIFS Server stores the Kerberos secret key in /var/opt/samba/private/secrets.tdb by default, the standard CIFS Kerberos configuration can only be used by HP CIFS Server users. If other HP-UX applications use the /etc/krb5.keytab file, a mismatch of keys occurs, resulting in failure for CIFS or for the other applications, depending upon which key is the latest.
Table 8-1 Required Patches on HP-UX 11i v1
Patch Number    Description
PHCO_24402    libc cumulative header file patch
PHNE_27796    libnss_dns DNS backend patch
PHSS_29487    GSS-API version 1.0 cumulative patch
PHSS_33384    KRB5-Client version 1.0 cumulative patch

Table 8-2 Required Patch on HP-UX 11i v2
Patch Number    Description
PHSS_33389    KRB5-Client version 1.0 cumulative patch
• /etc/opt/samba/smb.conf file
• /etc/krb5.keytab file
• net ads keytab create command
The first task is to configure the HP CIFS Server for Kerberos authentication and join it to a Windows domain. This configuration temporarily disables HP-UX Internet Services access to the HP-UX system until all the configuration steps are completed.
Step 3. To configure the HP CIFS Server to read /etc/krb5.keytab, set the use kerberos keytab parameter in /etc/opt/samba/smb.conf to yes. An example of /etc/opt/samba/smb.conf is as follows:
[global]
workgroup = MYREALM
realm = MYREALM.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = 15.43.214.58
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.MYREALM.HP.COM
use kerberos keytab = yes
Step 4.
[libdefaults]
default_realm = MYREALM.HP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
# default_keytab_name = "WRFILE:/etc/krb5.keytab"    (delete or comment out this line)
[realms]
MYREALM.HP.COM = {
    kdc = HPWIN2K4.MYREALM.HP.COM:88
    admin_server = HPWIN2K4.MYREALM.HP.COM
}
[domain_realm]
.hp.com = MYREALM.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.
9 HP CIFS Deployment Models
This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference.
• "Introduction" on page 191
• "Samba Domain Model" on page 192
• "Windows Domain Model" on page 206
• "Unified Domain Model" on page 217
Introduction
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. The HP CIFS Server interoperates with Windows NT, Windows 200x, Advanced Server, and other CIFS servers and clients. This chapter provides a reference for three deployment models: the Samba Domain Model, the Windows Domain Model, and the Unified Domain Model.
Samba Domain Model
You can use the Samba Domain Deployment Model in environments with the following characteristics:
• A domain consisting of HP CIFS Servers and no Windows domain controllers.
• Support for any number of UNIX servers that provide file and print services for corresponding numbers of users.
• An HP CIFS server is configured as a Primary Domain Controller (PDC). One or more HP CIFS Servers act as Backup Domain Controllers (BDCs).
Figure 9-1 shows a standalone HP CIFS Server as a PDC with the local password database:
Figure 9-1 Standalone HP CIFS Server as a PDC: HP CIFS PDC; Windows and UNIX users; password backend: smbpasswd, tdbsam
Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:
Figure 9-2 Standalone HP CIFS Server as a PDC with NDS backend: HP CIFS PDC; NDS LDAP Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat
Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:
Figure 9-3 Multiple HP CIFS Servers with NDS backend: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat
Figure 9-4 shows the Samba Domain Model:
Figure 9-4 Samba Domain: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat
The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller (PDC), and one or more HP CIFS Servers acting as Backup Domain Controllers (BDCs).
Samba Domain Components
As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes to centralize both POSIX and Windows user data. See Chapter 6, "LDAP Integration Support," on page 111 for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments.
and Windows user accounts on the LDAP directory. The LDAP database can replace /etc/passwd and smbpasswd, and the PDC can access the LDAP directory for Windows authentication.

HP CIFS Server Acting as a BDC
The configuration of BDCs is similar to that of the PDC. This enables BDCs to carry much of the network logon processing. A BDC on a local segment handles logon requests and authenticates users when the PDC is busy on the local network.
the password server parameter to the name of the PDC and may also add the names of one or more BDCs. Set the domain master parameter to no to let the PDC take control. As with the PDC and BDC, you set the passdb backend parameter to the name of the LDAP server to centralize POSIX and Windows account database management.
An example of the Samba Domain Model
Figure 9-5 shows an example of the Samba Domain Model which has HP CIFS Server machine hostW with IP address 1.13.115.226 acting as a PDC and WINS server, HP CIFS Server machine hostB with IP address 1.13.117.248 acting as a BDC, and Netscape Directory Server machine hptem128.
Figure 9-5 An example of the Samba Domain Model: HP CIFS PDC and WINS Server "hostW", IP address "1.13.115.226"; HP CIFS BDC "hostB", IP address "1.13.117.
######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
# Domain Name
workgroup = SAMBA30_DOMAIN
server string = Samba Server hostW PDC
passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
log level = 0
security = user
syslog = 0
log file = /var/opt/samba/log.
choose to use the A.01.* versions of the backward compatible LDAP account backend, set passdb backend = ldapsam_compat:ldaps://<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL support.

Configuration Options
• domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC.
• domain logons: Set this parameter to yes to provide netlogon services.
local master = No
domain master = No
wins server = 1.13.115.
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hostC acting as a domain member server in the sample Samba Domain Model shown in Figure 9-5:
######################################
#
# Samba config file created using SWAT
# from 1.13.129.
• security: When the HP CIFS Server joins a domain as a member, you must set this parameter to domain.
• wins server: If you use the PDC as the WINS server, set this parameter to the PDC's machine name.
• password server: This parameter defines the NetBIOS names of the PDC and BDC machines that perform user name authentication and validation.

A Sample /etc/nsswitch.
Windows Domain Model
You can use the Windows Domain Model in environments with the following characteristics:
• Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers are deployed (with NetBIOS enabled).
• Support for any number of HP CIFS servers that provide file and print services for corresponding numbers of users. HP-UX LDAP Integration Client software is required for ADS domain member servers.
Figure 9-6 shows the Windows Domain Deployment Model:
Figure 9-6 Windows Domain: Windows NT or Windows ADS/PDC; Windows NT BDC; HP CIFS Member Server (winbind daemon, libnss_winbind, idmap.tdb, ldap-ux client); LDAP (winbind idmaps, idmap backend = ldap); windows users
In the Windows Domain Model, the HP CIFS Server can join a Windows domain as a member server with Windows NT or Windows 200x domain controllers.
which can be used to avoid explicitly allocating POSIX users and groups for Windows user and group mapping. Winbind provides UID and GID generation and mapping for Windows users. Set the smb.conf parameters idmap uid = and idmap gid = . See Chapter 7, "Winbind Support," on page 163 for detailed information on winbind.
An Example of the ADS Domain Model
Figure 9-7 shows an example of the Windows 2000/2003 ADS Domain Model which has the realm named HPCIF23DOM.ORG.HP.COM, an ADS domain controller machine hpcif23, an HP CIFS Server machine hpcif54 acting as a native member server and the Netscape Directory Server system hptem128.
Figure 9-7 An example of the ADS Domain Model: Windows ADS/DC "hpcif23"; NDS LDAP "hptem128"; Realm: HPCIF23DOM.ORG.HP.
[global]
# Domain Name
workgroup = hpcif23_dom
server string = CIFS Server as a domain member of hpcif23_dom
realm = HPCIF23DOM.ORG.HP.COM
security = ADS
netbios name = hpcif54
encrypt passwords = yes
password server = *
passdb backend = smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/false
#
[homes]
comment = Home Directory
browseable = no
writable = yes
valid users = %D\%S
create mode = 0664
directory mode = 0775
[locshare]
path = /tmp
read only = no
browseable = yes
writable = yes
[nfsshare]
path = /mount/tmp
read only = no
browseable = yes
writable = yes
[dfsshare]
path = /dfsroot
read only =
A Sample /etc/krb5.conf File
On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is a sample /etc/krb5.conf used in the sample ADS Domain Model shown in Figure 9-7:
# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
A Sample /etc/nsswitch.conf File
In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and other name services that you want to use. The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:
# /etc/nsswitch.conf
#
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
An Example of the Windows NT Domain Model
Figure 9-8 shows an example of the Windows NT Domain Model which has a Windows NT server named hostP as a PDC and an HP CIFS Server machine hostM acting as a domain member server. The ID maps are saved in the local file idmap.tdb.
Figure 9-8 An example of the Windows NT Domain Model: Windows NT Server/PDC "hostP"; windows users; HP CIFS Member Server "hostM" (winbind daemon, libnss_winbind, idmap.tdb, winbind)
A Sample smb.
[global]
# Domain Name
workgroup = hpcif23_dom
server string = CIFS Server as a member of NT domain
netbios name = hostM
# For NT specific option
workgroup = hostP_dom
security = domain
encrypt passwords = yes
passdb backend = smbpasswd
password server = hostP.org.hp.com
log level = 0
log file = /var/opt/samba/log.
printer admin = root, admuser
create mask = 0600
guest ok = Yes
use client driver = Yes
[lj810002]
path = /tmp
printable = yes
print command = /usr/bin/lp -d%p %s; /usr/bin/rm %s
[locshare1]
comment = Local file system service1 for read only
path = /tmp
admin users = admuser
read only = Yes
[locshare2]
comment = Local file system service2 for writable
path = /tmp
admin users = admuser
read only = No
[nfsshare]
comment = Remote NFS service
path = /mount/public
r
Unified Domain Model
You can use the Unified Domain Deployment Model in environments with the following characteristics:
• A domain consisting of Windows 200x servers.
• The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for Unix (SFU).
NOTE    SFU Version 3.5 does not support the Windows NT4 Domain.
• Support for any number of HP CIFS Servers that provide file and print services for corresponding numbers of users.
Figure 9-9 shows the Unified Domain Deployment Model:
Figure 9-9 Unified Domain: Windows ADS DC/SFU; HP-UX Client; HP CIFS Member Server; Windows and UNIX users
The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and one or more HP CIFS member servers.
Unified Domain Components
HP CIFS Acting as a Windows 200x ADS Member Server
The HP CIFS member server operating in a unified domain depends on an ADS that is aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings. SFU and accompanying documentation are available for download at http://www.microsoft.com/windows/sfu.
software B.03.20 or later, and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts on the ADS directory. You also need to configure the /etc/krb5.conf file to authenticate users using Kerberos.

Installing and Configuring LDAP-UX Client Services on an HP CIFS Server
The following summarizes the major steps you need to take to install and configure LDAP-UX Client Services.
Configuring /etc/krb5.conf to Authenticate Using Kerberos
On your HP CIFS Server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example of /etc/krb5.conf which has the realm CIFSW2KSFU.ORG.HP.COM, and machine hostA.org.hp.
NOTE    You need to install the LDAP-UX Client Services software on an HP CIFS member server before installing SFU on a Windows 2000 or 2003 domain controller.

An Example of the Unified Domain Model
Figure 9-10 shows an example of the Unified Domain Model which has the realm named HPCIFSW2KSFU.ORG.HP.COM, an ADS domain controller machine hpntcdn, an HP CIFS Server machine hostD acting as a member server and the Windows NT machine with IP address 1.13.112.
A sample smb.conf file for an HP CIFS Member Server
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hostD acting as an ADS member server in the sample Unified Domain Model shown in Figure 9-10:
######################################################
#
# A sample smb.
# See krb5.conf(4) for more details.
#
# Please verify that you have created the directory /var/log.
#
# Replace HPCIFSW2KSFU.ORG.HP.COM with your kerberos Realm.
# Replace hpntcdn.org.hp.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
default_realm = HPCIFSW2KSFU.ORG.HP.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
CIFSW2KSFU.ORG.HP.COM = {
    kdc = hpntcdn.org.hp.
passwd:     files ldap
group:      files ldap
hosts:      dns [NOTFOUND=return] files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
publickey:  files
netgroup:   files ldap
automount:  files
aliases:    files
services:   files ldap
10 Securing HP CIFS Server
This chapter describes the network security methods that you can use to protect your HP CIFS Server.
• "Automatically Receiving HP Security Bulletins" on page 235
Security Protection Methods
HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services. You can secure HP CIFS Server from connections that originate from outside the local network by using host-based protection. You can also use interface-based exclusion, so that smbd binds only to specifically permitted interfaces.
Using Interface Protection
By default, the HP CIFS Server accepts connections on any network interface that it finds on your system. That means that if you have an ISDN line or a PPP connection to the Internet, then the HP CIFS Server can accept connections on those links. You can use the interface configuration options to change the interface behavior.
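An added shell audit (not from the guide) that reads an smb.conf-style file and reports whether interface protection is in force, i.e. whether [global] carries both an interfaces list and bind interfaces only = yes; it checks a weak fragment that relies on the default beside a hardened one. The two fragments and the function names (smbconf_get, interface_protection, sample_conf) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the HP CIFS Server guide: audits an smb.conf-style
# file for the interface protection described above. smbd is pinned to chosen
# interfaces only when [global] carries both an "interfaces" list and
# "bind interfaces only = yes"; either one alone leaves the default behaviour
# of answering on every interface found on the system.
# The configuration fragments and function names are constructed for this example.

# smbconf_get FILE SECTION PARAM -> prints the parameter's value from SECTION.
# Section and parameter names are matched case-insensitively, surrounding
# whitespace is ignored and a later duplicate overrides an earlier one, as in
# smbd. Prints nothing when the parameter is not set.
smbconf_get() {
    awk -v want_sec="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        -v want_key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }       # comment or blank line
        /^[ \t]*\[/ {                               # [section] header
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/].*$/, "", sec)
            sec = tolower(sec)
            next
        }
        index($0, "=") > 0 && sec == want_sec {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key)
            gsub(/[ \t]+/, " ", key)
            if (key == want_key) value = val
        }
        END { if (value != "") print value }' "$1"
}

# interface_protection FILE -> prints "restricted" when smbd is limited to the
# listed interfaces, "unrestricted" otherwise
interface_protection() {
    ifaces=$(smbconf_get "$1" global interfaces)
    bind=$(smbconf_get "$1" global "bind interfaces only" | tr 'A-Z' 'a-z')
    case $bind in
        yes|true|1) bind=yes ;;
        *)          bind=no ;;
    esac
    if [ -n "$ifaces" ] && [ "$bind" = yes ]; then
        echo restricted
    else
        echo unrestricted
    fi
}

# sample_conf weak|hardened -> prints a constructed [global] fragment
sample_conf() {
    if [ "$1" = weak ]; then
        cat <<'EOF'
[global]
   workgroup = SAMBA30_DOMAIN
   security = user
   # no "interfaces" line: smbd listens on every interface it finds,
   # including any ISDN or PPP link to the Internet
EOF
    else
        cat <<'EOF'
[global]
   workgroup = SAMBA30_DOMAIN
   security = user
   ; answer only on the LAN address and the loopback interface
   interfaces = 192.168.115.10/24 127.0.0.1
   Bind Interfaces Only = Yes
EOF
    fi
}

for kind in weak hardened; do
    conf=${TMPDIR:-/tmp}/smbconf-sample.$$
    sample_conf "$kind" > "$conf"
    printf '%-10s %s\n' "$kind:" "$(interface_protection "$conf")"
    rm -f "$conf"
done
```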
For example, you can configure an IPC$ share as follows:
[ipc$]
hosts allow = 192.168.115.0/24 127.0.0.1
hosts deny = 0.0.0.0/0
This configuration tells the HP CIFS Server that it cannot accept IPC$ connections from anywhere but the two places listed: the local host and a local subnet.
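As an added example (not from the guide), the following shell script applies the hosts allow / hosts deny precedence used by smbd to a few constructed client addresses against the IPC$ policy above, so a host-based rule set can be checked before it is applied. Only dotted-quad and a.b.c.d/N entries are handled, and the function names (ip2int, in_net, in_list, host_access) are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the HP CIFS Server guide: evaluates a client address
# against "hosts allow" / "hosts deny" lists in the form used for the IPC$
# share above. Entries may be single addresses (127.0.0.1) or CIDR networks
# (192.168.115.0/24); Samba's other spellings (trailing-dot prefixes, netmask
# form, host names) are not handled here. Precedence follows smbd: a
# "hosts allow" match admits the client, otherwise a "hosts deny" match
# refuses it, otherwise it is admitted, except that an allow list with no
# deny list admits only the listed hosts.

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    saved_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$saved_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net IP ENTRY -> status 0 when IP lies inside ENTRY (host or a.b.c.d/N)
in_net() {
    addr=$(ip2int "$1")
    case $2 in
        */*) net=$(ip2int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip2int "$2"); bits=32 ;;
    esac
    if [ "$bits" -eq 0 ]; then
        mask=0                         # /0 matches every address
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# in_list IP ENTRY... -> status 0 when any entry matches
in_list() {
    client=$1
    shift
    for entry in "$@"; do
        in_net "$client" "$entry" && return 0
    done
    return 1
}

# host_access IP "ALLOW LIST" "DENY LIST" -> prints allow or deny
host_access() {
    if [ -n "$2" ] && in_list "$1" $2; then
        echo allow; return 0
    fi
    if [ -n "$3" ] && in_list "$1" $3; then
        echo deny; return 1
    fi
    if [ -n "$2" ] && [ -z "$3" ]; then
        echo deny; return 1            # allow list only: everything else refused
    fi
    echo allow
    return 0
}

# The IPC$ policy from the text above
IPC_ALLOW="192.168.115.0/24 127.0.0.1"
IPC_DENY="0.0.0.0/0"

# Constructed sample clients: one from the permitted subnet, the local host,
# one from a neighbouring subnet and one from a routed network
for client in 192.168.115.7 127.0.0.1 192.168.116.7 10.0.0.5; do
    printf '%-16s %s\n' "$client" "$(host_access "$client" "$IPC_ALLOW" "$IPC_DENY")"
done
```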
You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL) on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see Chapter 6, "LDAP Integration Support," on page 111.
Table 10-1 Configuration Files (continued)
File    Description
/var/opt/samba/private/smbpasswd    Data file containing user name and password information
/var/opt/samba/private/passdb.tdb    Data file containing user name and password information
/opt/samba/LDAP/smbldap-tools/smbldap_conf.
Restricting Execute Permission on Stacks
A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as by passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
Automatically Receiving HP Security Bulletins

You can subscribe to automatically receive future HP Security Bulletins or other technical digests from the HP IT Resource Center (ITRC) via electronic mail. Use the following steps to register for and subscribe to HP Security Bulletins:

Step 1. Use your browser to get to the HP IT Resource Center web site at: http://itrc.hp.com

Step 2.
For detailed information on the Security Patch Check tool, refer to the following web site:

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

The security patch matrix is also available via the anonymous ftp site at: ftp://ftp.itrc.hp.
Chapter 11 Configuring HA HP CIFS
Configuring HA HP CIFS

Overview of HA HP CIFS Server

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
To do so, perform the following:

1. Following the instructions in the Managing MC/ServiceGuard manual, configure the disk hardware for high availability.
2. Use SAM, LVM commands or VxVM commands to set up the volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.

HA HP CIFS Server Installation

1. Install HP CIFS Server using SD on all cluster nodes.
Configure a Highly Available HP CIFS Server

Introduction

Before configuring the MC/ServiceGuard packages, it is important to understand how HP CIFS Server is able to support active-active configurations. The HP CIFS Server permits multiple instances of its NetBIOS and SMB master daemons to run on one node. Each CIFS Server instance has its own smb.conf file to define its behavior. The NetBIOS name and IP address that the client connects to is used to decide which smb.
Instructions

The following instructions are for one MC/ServiceGuard package. You will have to go through these steps for each CIFS server package (one for each node), and then copy all the files to all nodes in your cluster. When complete, each HP-UX system will hold a package, named uniquely for each node in the cluster, though only the package corresponding to the node itself is active until a failover occurs.
/var/opt/samba/<pkg>
/var/opt/samba/<pkg>/locks
/var/opt/samba/<pkg>/logs
/var/opt/samba/<pkg>/private

where <pkg> is the name of the cluster package for your CIFS server.
• Consider whether you need to locate your smbpasswd and private files on a shared volume, etc. You may want to review "Special Notes for HA HP CIFS Server" at the end of this section now. If you run the SWAT or smbpasswd utilities, keep in mind that they operate on smb.conf, not on your smb.conf.<pkg> configuration. You may want to copy smb.conf.<pkg> to smb.conf for this reason; if you do, remember that changes made through SWAT land in smb.conf and must be copied back to smb.conf.<pkg> before the package picks them up.
5. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/HA to /etc/cmcluster/samba/pkg1 (or /etc/cmcluster/samba/pkg2) on the primary node. Make the copies writable by root so that you can edit them, but not by anyone else: the package manager runs samba.cntl and samba.mon as root, so a world-writable copy would let any local user run commands as root.

cp /opt/samba/HA/samba.* /etc/cmcluster/samba/pkg1
chmod 644 /etc/cmcluster/samba/pkg1/samba.conf
chmod 755 /etc/cmcluster/samba/pkg1/samba.cntl /etc/cmcluster/samba/pkg1/samba.mon

6. Customize the sample scripts for your MC/ServiceGuard configuration.
RUN_SCRIPT /etc/cmcluster/samba/pkg1/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/samba/pkg1/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for pkg1, and

RUN_SCRIPT /etc/cmcluster/samba/pkg2/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/samba/pkg2/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for pkg2, etc.
2. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server.
IP[0]=1.13.17.20
SUBNET[0]=1.13.16.0

for pkg1, and

IP[0]=1.13.17.21
SUBNET[0]=1.13.16.0

for pkg2, etc.

4. If you want to use the HP CIFS Server monitor script, set the NFS_SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.

SERVICE_NAME[0]=samba_mon1
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg1/samba.mon

for pkg1, and

SERVICE_NAME[0]=samba_mon2
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg2/samba.
for pkg2:

CONF_FILE=/etc/opt/samba/smb.conf.pkg2
LOG_FILE=/var/opt/samba/pkg2/logs
SMBD_PID_FILE=/var/opt/samba/pkg2/locks/smbd.pid
NMBD_PID_FILE=/var/opt/samba/pkg2/locks/nmbd.pid
#WINBIND_PID_FILE=/var/opt/samba/pkg2/locks/winbindd.pid

NOTE: If your smb.conf file makes use of winbind, uncomment the winbind lines for winbind support.
cmcheckconf -C /etc/cmcluster/clucifs.conf \
    -P /etc/cmcluster/samba/pkg1/samba.conf \
    -P /etc/cmcluster/samba/pkg2/samba.conf

4. Use the cmapplyconf command to copy the binary configuration file to all the nodes in the cluster.

cmapplyconf -v -C /etc/cmcluster/clucifs.conf \
    -P /etc/cmcluster/samba/pkg1/samba.conf \
    -P /etc/cmcluster/samba/pkg2/samba.
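A consistency check for the per-package smb.conf.<pkg> files that the procedure above produces, written here as an added Python example; it is not code from the HP CIFS Server guide, from the HA sample scripts, or from Samba. The two configurations it inspects are constructed. The parameter names are standard smb.conf(5) parameters, and the expected directory layout is the /var/opt/samba/<pkg>/{locks,logs,private} convention from this section. The second configuration is deliberately wrong so that the output shows what a shared state directory or a missing bind restriction looks like before cmapplyconf distributes it.

```python
"""Consistency check for the per-package smb.conf files of an active-active HA CIFS cluster.

Added example; not from the HP CIFS Server guide, its HA sample scripts, or Samba.
The configurations are constructed.  Parameter names are standard smb.conf(5)
parameters; the directory layout is the /var/opt/samba/<pkg>/{locks,logs,private}
convention from this chapter.
"""
import posixpath
import re
from typing import Dict, List, Tuple


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines, '#' or ';' comments.
    Samba ignores case and internal whitespace in parameter names, so normalise both."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", " ", key.strip().lower())] = value.strip()
    return sections


# Parameters that must point into the package's own tree, and the subdirectory each uses.
PER_PACKAGE_DIRS = {"pid directory": "locks", "lock directory": "locks", "private dir": "private"}


def check_package(pkg: str, conf_text: str, pkg_ip: str) -> List[str]:
    """Findings for one smb.conf.<pkg>; an empty list means the instance is self-contained."""
    g = parse_smb_conf(conf_text).get("global", {})
    base = f"/var/opt/samba/{pkg}"
    findings: List[str] = []
    # The instance must listen only on its relocatable address; otherwise it binds ports
    # 139/445 on every interface and the package that fails over to this node cannot start.
    if g.get("bind interfaces only", "no").lower() not in ("yes", "true", "1"):
        findings.append(f"{pkg}: 'bind interfaces only' is not enabled")
    if not any(tok.split("/")[0] == pkg_ip for tok in g.get("interfaces", "").split()):
        findings.append(f"{pkg}: 'interfaces' does not list the package IP {pkg_ip}")
    # State files must live under the package tree so two instances never share them.
    for param, sub in PER_PACKAGE_DIRS.items():
        value = g.get(param)
        if value is None or posixpath.normpath(value) != f"{base}/{sub}":
            findings.append(f"{pkg}: '{param}' should be {base}/{sub}, got {value!r}")
    if not g.get("log file", "").startswith(f"{base}/logs/"):
        findings.append(f"{pkg}: 'log file' should be under {base}/logs/")
    if not g.get("netbios name"):
        findings.append(f"{pkg}: 'netbios name' must be set; clients select the instance by name")
    return findings


def check_cluster(packages: Dict[str, Tuple[str, str]]) -> List[str]:
    """Per-package checks plus a cross-package check that no name or state directory is shared."""
    findings: List[str] = []
    seen: Dict[Tuple[str, str], str] = {}
    for pkg, (conf_text, pkg_ip) in packages.items():
        findings += check_package(pkg, conf_text, pkg_ip)
        g = parse_smb_conf(conf_text).get("global", {})
        for param in ("netbios name", *PER_PACKAGE_DIRS):
            value = g.get(param)
            if value is None:
                continue
            key = (param, posixpath.normpath(value).lower())
            if key in seen:
                findings.append(f"{pkg} and {seen[key]} share {param} = {value}")
            seen[key] = pkg
    return findings


# Constructed smb.conf.pkg1: one self-contained instance.
PKG1_CONF = """\
[global]
   netbios name = CIFS1
   interfaces = 1.13.17.20/255.255.240.0
   bind interfaces only = yes
   pid directory = /var/opt/samba/pkg1/locks
   lock directory = /var/opt/samba/pkg1/locks
   log file = /var/opt/samba/pkg1/logs/log.%m
   private dir = /var/opt/samba/pkg1/private
"""
# Constructed smb.conf.pkg2, deliberately wrong: binds everywhere and reuses pkg1's pid directory.
PKG2_CONF = """\
[global]
   netbios name = CIFS2
   interfaces = 1.13.17.21/255.255.240.0
   pid directory = /var/opt/samba/pkg1/locks
   lock directory = /var/opt/samba/locks
   log file = /var/opt/samba/pkg2/logs/log.%m
   private dir = /var/opt/samba/pkg2/private
"""
PACKAGES = {"pkg1": (PKG1_CONF, "1.13.17.20"), "pkg2": (PKG2_CONF, "1.13.17.21")}

if __name__ == "__main__":
    for finding in check_cluster(PACKAGES):
        print(finding)
```

Run it against the real /etc/opt/samba/smb.conf.<pkg> files before step 3 (cmcheckconf), since cmcheckconf validates the ServiceGuard package files but knows nothing about what the smbd instances will do with each other once two packages land on the same node.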
Special Notes for HA HP CIFS Server

There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below.

• Client Applications
HA HP CIFS Server cannot guarantee that client applications with open files on an HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover.
password timeout, 604800 seconds by default), HP recommends that you locate secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the smb.conf parameter private dir. For example,

private dir = /var/opt/samba/shared_vol_1/private

results in the file /var/opt/samba/shared_vol_1/private/secrets.tdb. Because secrets.tdb holds the machine trust account password (and, with LDAP integration, the LDAP administrative bind password), the shared volume must carry the same root-only permissions on every node. User authentication is also dependent on several entries in different security files.
You may want to put the entire /var/opt/samba/locks directory on a shared logical volume, but the locking data may not be interpreted correctly after a failover: entries in locking.tdb refer to smbd processes and open files on the node that failed, and mean nothing to the smbd processes started on the new node. You may want to add a line to your startup script that removes the locking data file .../locks/locking.tdb.
If you wish to use an LMHOSTS file to store the static addresses for certain NetBIOS names, HP recommends that you put the LMHOSTS file on a shared logical volume so that all the nodes can share it. To do this you will need to specify the path of the shared LMHOSTS file with the -H option when invoking nmbd.
Chapter 12 HP-UX Configuration for HP CIFS

This chapter describes HP-UX tuning procedures for the HP CIFS Server.
• HP CIFS Server Memory and Disc Requirements
• HP CIFS Process Model
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS

The following information should be taken as general guidelines, not as a rigid formula for determining the resource requirements of an HP CIFS server running on HP-UX 11i v1 and v2.
HP CIFS Process Model

The SMB daemon process, smbd, handles all SMB requests from a client. One such process is forked for each client connection, and each smbd process serves one and only one client. Therefore, if there are 2048 connected clients, there are 2048 smbd processes. The process exists from the moment the connection is accepted, before the client has authenticated, so the host-based restrictions described under Security Protection Methods also bound this resource use. Such a large number of processes demands system resources and requires adjustment of certain kernel configuration parameters.
Overview of Kernel Configuration Parameters

The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.

• maxusers: the name of this kernel parameter is a misnomer, as it does not directly control the number of UNIX users that can log on to HP-UX.
Configuring Kernel Parameters for HP CIFS

The first step in configuring HP-UX to support a large number of clients on an HP CIFS server is to adjust the maxusers kernel parameter. The second step is to adjust nproc, nfile, nflocks and ninode individually so that a large number of users can be connected simultaneously.
• nfile: when an smbd process is launched it immediately takes up 28 entries in the system file table, before the client opens any file of its own. At a minimum, therefore, nfile should be at least the anticipated number of simultaneous clients times (28 + the anticipated number of files simultaneously opened by each client). This is a floor for HP CIFS alone; every other process on the system draws on the same table.
Memory Requirements

Each smbd process needs approximately 1 MB of memory. For 2048 clients, therefore, the system should have at least 2 GB of physical memory for HP CIFS alone, over and above the requirements of other applications running concurrently with HP CIFS.
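The sizing rules of this section and the preceding process model, carried through in Python as an added example; it is not part of the HP CIFS Server guide. Only the one-smbd-per-client model, the 28 file-table entries and the 1 MB per smbd come from the guide. The reserve for non-smbd processes, the lock and inode multipliers, and the sample current values fed to the comparison are assumptions, marked as such in the code.

```python
"""Kernel-parameter and memory sizing for an HP CIFS server from its process model.

Added example; not part of the HP CIFS Server guide.  One smbd per connected client,
28 file-table entries and about 1 MB of memory per smbd are the guide's figures.
Everything else is an assumption passed in as a parameter.
"""
from dataclasses import dataclass, asdict
from typing import Dict

SMBD_BASE_FILE_ENTRIES = 28   # file-table slots an smbd holds before the client opens anything (guide)
SMBD_MEMORY_MB = 1            # approximate memory per smbd (guide)


@dataclass(frozen=True)
class KernelSizing:
    nproc: int
    nfile: int
    nflocks: int
    ninode: int
    memory_mb: int


def size_for_clients(clients: int, files_per_client: int, *,
                     other_procs: int = 200,         # assumption: nmbd, winbindd and the rest of the box
                     locks_per_open_file: int = 1,   # assumption: one lock record per open file
                     inode_headroom: float = 1.5) -> KernelSizing:  # assumption: 50 % spare inode cache
    """Minimum values for a given number of simultaneous clients.  Every figure is a
    floor for HP CIFS alone: the guide's formulas ignore whatever else runs on the server."""
    if clients <= 0 or files_per_client < 0:
        raise ValueError("clients must be positive and files_per_client non-negative")
    open_files = clients * files_per_client
    return KernelSizing(
        nproc=clients + other_procs,                                   # one smbd per client, plus headroom
        nfile=clients * (SMBD_BASE_FILE_ENTRIES + files_per_client),   # the guide's nfile rule
        nflocks=open_files * locks_per_open_file,
        ninode=int(open_files * inode_headroom),
        memory_mb=clients * SMBD_MEMORY_MB,                            # guide: 2048 clients -> 2 GB
    )


def shortfall(current: Dict[str, int], needed: KernelSizing) -> Dict[str, int]:
    """Return {tunable: required value} for every kernel tunable whose current value is too low.
    'current' would normally be read from kmtune -q <name> (11i v1) or kctune <name> (11i v2)."""
    wanted = {k: v for k, v in asdict(needed).items() if k != "memory_mb"}
    return {k: v for k, v in wanted.items() if current.get(k, 0) < v}


if __name__ == "__main__":
    need = size_for_clients(2048, 10)
    print(need)
    # Constructed 'current' values standing in for kmtune/kctune output.
    current = {"nproc": 2068, "nfile": 65536, "nflocks": 4096, "ninode": 51200}
    print("raise:", shortfall(current, need))
```

For the guide's own figure of 2048 clients, with 10 open files each assumed, the nfile floor is 77824 and the memory floor 2 GB; the comparison then names only the tunables that actually need raising, which keeps the kernel rebuild to what the client load justifies.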
Glossary

ACL
Access Control List: metadata that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support, and different file systems define different access rights.
Integrity
Integrity ensures that file system data is not modified in transit by an intruder: an intruder cannot intercept a file system data packet and modify it without the network file system discovering and rejecting the tampering.

Samba
An open source product that first appeared in the early 1990s.
Index

Symbols
/etc/nsswitch.conf, 127, 220
/etc/nsswitch.ldap, 127
/etc/pam.conf, 220

A
Access Control Lists, 43
    VxFS, 45
ACLs. See Access Control Lists
adding ACE entries, 51

B
base DN, 126
boot, 123

C
Change Notify, 39
CIFS protocol, 3
CIFS/9000 Server
    installation requirements, 17
Common Internet File System.
O
object class
    posixDUAProfile, 125
    posixNamingProfile, 125
obtaining CIFS/9000 software, 16
Open Source Software, 5
OSS.