HP CIFS Server 3.0f Administrator's Guide version A.02.
© Copyright 2006 Hewlett-Packard Company, L.P.
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About This Document
This document describes how to install, configure, and administer the HP CIFS Server product. It augments The Samba HowTo Collection and the Using Samba, 2nd Edition book supplied with the HP CIFS Server product and provides additional HP-UX-specific variations, features, and recommendations. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.
What Is in This Document
This manual describes how to install, configure, administer and use the HP CIFS Server product. The manual is organized into Chapters 1 through 13, as follows:
Chapter 1, Introduction to the HP CIFS Server: Use this chapter to obtain a summary and an introduction of HP CIFS Server architecture, available documentation resources and product organization roadmap.
1 Introduction to the HP CIFS Server This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS. Introduction to HP CIFS HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols.
The Open Source Software (OSS) Samba Suite The HP CIFS server source is based on Samba, an Open Source Software (OSS) project developed in 1991 by Andrew Tridgell in Australia. This section includes a very brief introduction to the Samba product. As there are many publications about Samba available online and in most bookstores, HP recommends that you use these source materials, some of which were written by Samba team members, for more detailed information about this product.
Samba Server Description and Features With the Samba suite of programs, systems running UNIX and UNIX-like OSs are able to provide services using the Microsoft networking protocol. This capability makes it possible for DOS and Windows machines using native networking clients supplied by Microsoft to access a UNIX file system and/or printers.
HP CIFS Server Documentation: Printed and Online
The set of documentation that comprises the information you will need to explore the full features and capabilities of the HP CIFS product consists of non-HP books available at most technical bookstores, and this printed and online manual, HP CIFS Server Administrator's Guide, available on the following web site: http://www.docs.hp.com
A list of currently recommended non-HP Samba documentation is:
• The Official Samba-3 HOWTO and Reference Guide by John H.
HP CIFS Documentation Roadmap
Use the following road map to locate the Samba and HP CIFS documentation that provides details of the features and operations of the HP CIFS Server.
Table 1-1 Documentation Roadmap (columns: HP CIFS Product; Document Title: Chapter: Section)
Server Description:
• HP CIFS Server Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Server"
• Samba Meta FAQ No. 2, "General Information about Samba"
• Samba FAQ No. 1, "General Information"
• Samba Server FAQ: No.
Server Browsing:
• Refer to Chapter 9, "Network Browsing" in Samba HOWTO and Reference Guide for a description of browsing functionality and all browsing options.
Server Security:
• HP CIFS Client Administrator's Guide: Chapter 12, "Securing CIFS Server".
Server Troubleshooting:
• Part V, Troubleshooting, Samba HOWTO and Reference Guide
• Using Samba, "Chapter 9, Troubleshooting Samba"
• Samba FAQs No.
HP CIFS Server File and Directory Roadmap The default base installation directory of HP CIFS Server product is /opt/samba. The HP CIFS configuration files are located in the directory /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba. Table 1-2 briefly describes the important directories and files that comprise the CIFS Server.
2 Installing and Configuring the HP CIFS Server This chapter describes the procedures to install and configure the HP CIFS Server software.
need to adjust HP-UX server memory configurations to accommodate these changes when upgrading from previous versions. Refer to Chapter 13, "HP-UX Configuration for HP CIFS" in this manual for more detailed information.
Software Requirements
The following describes software requirements:
• HP CIFS Server A.02.01 or later requires the LDAP-UX Integration product, J4269AA, to be installed.
• Kerberos v5 Client with version 1.3.
$ tar -xvf /tmp/cifs_save/var_backup.tar
$ tar -xvf /tmp/cifs_save/etc_backup.tar
$ tar -xvf /tmp/cifs_save/optsamba_backup.tar
This procedure is not intended to replace a comprehensive backup strategy that includes user data files. If you are in security = domain or security = ads mode, it will probably be necessary to re-join the HP CIFS Server to the domain once you restore your previous backup version.
kcmodule cfsm = auto
2. Execute the mount command with the "-o stackfs=cfsmtemplate" option to stack and mount the file system. For example, the following command stacks CFSM onto the physical file system using the cfsmtemplate template when mounting that file system on /mnt:
mount -F vxfs -o stackfs=cfsmtemplate /dev/dsk/c1t2d3 /mnt
Step 2: Running the Configuration Script
The samba_setup configuration script is intended for new installations only.
NOTE: HP does not recommend that you use the server-level security type; this security type will be unavailable in the future.
• User-level security: When this security type is specified, each share is assigned specific users. When a request is made for access, Samba checks the user's user name and password against a local list of authorized users and only gives access if a match is made.
Configuring Print Services for HP CIFS Version A.02.02 This section provides information about configuring Print Services on systems running HP CIFS version A.02.02.
guest ok = yes
read only = yes
write list = netadmin
In this example, the write list parameter specifies that administrative-level user accounts have write access for updating files on the share.
2. Create the subdirectory tree under the [print$] share for each architecture that needs to be supported.
[lj1005]
path = /tmp
printable = yes
2. Create a [print$] share in the smb.conf file and set the path parameter to a directory named /etc/opt/samba/printers. See the following example:
[print$]
path = /etc/opt/samba/printers
use client driver = no
browseable = yes
guest ok = yes
read only = yes
write list = netadmin
In the above example, the write list parameter specifies that administrative-level user accounts have write access for updating files on this share.
Figure 2-1 Publishing Printer Screen
Verifying that the Printer is Published
On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published.
Commands Used for Publishing Printers
This section describes the net ads printer command, which supports publishing printers on an HP CIFS Server.
Searching Printers
To search for a printer across the entire Windows 2000/2003 ADS domain, run the following command:
$ net ads printer search
Without a printer name, the command searches all printers available on the ADS domain.
NOTE: HP does not recommend filesharing of the root directory. Only subdirectories under the root should be set up for filesharing.
Setting Up a DFS Tree on an HP CIFS Server
After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure the HP CIFS server as a DFS server by modifying the smb.
Figure 2-2 Link Share Names Example MC/ServiceGuard High Availability Support Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers. Template files for version A.02.02 have been revised to allow any number of cluster nodes and other advantages over previous schemes. Follow the configuration procedures provided in Chapter 11.
NOTE: HP does not support the inetd configuration to start the HP CIFS Server.
Starting and Stopping Daemons Individually
Two new options, -n (nmbd only) and -s (smbd only), have been added to the startsmb and stopsmb scripts to start and stop the daemons individually. The startsmb -s command starts the smbd daemon. The stopsmb -s command stops the smbd daemon. The -n option starts and stops the nmbd daemon in the same way.
• vfs objects
• idmap backend
Other Samba Configuration Issues
Translate Open-Mode Locks into HP-UX Advisory Locks
The HP CIFS Server A.02.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients. This also means CIFS clients cannot open files that have conflicting advisory locks from HP-UX processes. You must change the map share modes setting in smb.
/var/opt/samba/lock path). CIFS does this to prevent the problems with sharing the CIFS Server configuration as discussed above.
• Avoid using HP CIFS Server to share Veritas CFS directories simultaneously on multiple nodes. Since NFS and Veritas CFS provide for multiple nodes to read and write the same files concurrently, you should use extra caution when configuring HP CIFS Server on multiple nodes, since most locking mechanisms do not span multiple nodes.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACL) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
UNIX File Permissions and POSIX ACLs
The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients.
UNIX Owning Group Translation in NT ACL The owning group on a UNIX file system is represented on the Windows NT client with the take ownership (O) permission. While the meaning of the take ownership permission on NT doesn't exactly match the meaning of an owning group on the UNIX file system, this permission is still translated into the take ownership permission.
Figure 3-1 Windows NT Explorer ACL Interface If you use pre-defined NT access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in NT. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows NT client, it will show up as Special Access (RWX).
The VxFS POSIX ACL File Permissions VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways. • VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions. • VxFS POSIX ACLs support default Access Control Entry (ACE) for directory permissions. This means that any files created in that directory will automatically inherit the default ACEs of the parent directory.
NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.
Figure 3-4 Windows NT Explorer List Names From Field
Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system.
Figure 3-6 Add UNIX Groups and Users
• You can type user and group names into the Add Names text field to add users and groups. If the names are valid UNIX group or user names, the users and groups will be added.
• Optionally, add the Samba server name and a backslash to the beginning of the user or group name and it will be added (for example, server1\users1). When you select names from the name list, the GUI puts that name in the text list and automatically adds the server name as well.
POSIX ACLs and Windows 2000/XP Clients The HP CIFS Server A.01.07, and subsequent versions, allow Windows 2000/XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000/XP permissions. The purpose of this section is to explain how the HP CIFS Server interprets Windows 2000/XP permissions, and how Windows 2000/XP clients interpret and display HP-UX permissions.
Windows 2000/XP permission: UNIX permission
Read Extended Attributes (Advanced): r--
Read Permissions (Advanced): r--
Create Files / Write Data (Advanced): -w-
Create Folder / Append Data (Advanced): -w-
Write Attributes (Advanced): -w-
Write Extended Attributes (Advanced): -w-
Traverse Folder / Execute File (Advanced): --x
Delete Subfolders and Files (Advanced): No meaning on HP-UX
Delete (Advanced): * see explanation following table
Change Permissions (Advanced): * see explanation following table
Take Own
Viewing ACLs from Windows 2000 Clients
1. Right-click on a file and select Properties.
2. Click on the Security tab.
Displaying the Owner of a File
1. Click on Advanced.
2. Click on the Owner tab on the Access Control Settings dialog box.
HP CIFS Server Directory ACLs and Windows 2000/XP Clients
Directory ACL Types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself.
Viewing Basic ACLs from Windows 2000 Clients
Viewing Advanced ACLs from Windows 2000 Clients
1. Right-click on a file or a directory and select Properties.
2. Click on the Security tab.
3. Click on the Advanced button.
Figure 3-8 Advanced ACL View
Mapping Windows 2000/XP Directory Inheritance Values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
Inheritance Value: Files only. POSIX Mapping by HP CIFS Server: This type is not supported and any ACE with this type is ignored by the HP CIFS Server.
Modifying Directory ACLs From Windows 2000/XP Clients
NOTE: HP-UX directory ACLs are set inconsistently using the ACL Basic permission screen from the Windows 2000 or XP client. You must use the Windows Advanced permission screen (Directory-> Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs.
Figure 3-10 Modifying an ACE Type With Apply To value
IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.
In Example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:rwx
default:other:r-x
Example 2: In the
default:owner:rwx
default:owning group:r-
default:other group:r-w
In Example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server removes both the access other group and the default other group ACE entries.
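The ACE handling described in this section, as an added example that is not code from the HP CIFS Server guide or from Samba: a small Python model that parses the getacl-style listing used in the examples above, maps Windows 2000/XP advanced permissions to UNIX rwx bits per the earlier table, and reproduces the rule that a required default ACE dropped by the client is regenerated from the matching access ACE (Example 1) while a removed named-group entry stays removed (Example 3). The named group 'staff' in the sample listing is constructed for illustration.

```python
# Windows 2000/XP advanced permission -> UNIX permission bits, per the table above.
# Rights the table marks "no meaning on HP-UX" map to None and contribute nothing.
WIN_TO_UNIX = {
    "Read Extended Attributes": "r--",
    "Read Permissions": "r--",
    "Create Files / Write Data": "-w-",
    "Create Folder / Append Data": "-w-",
    "Write Attributes": "-w-",
    "Write Extended Attributes": "-w-",
    "Traverse Folder / Execute File": "--x",
    "Delete Subfolders and Files": None,
}

# POSIX requires these three default entries whenever a directory carries any
# default ACE at all, which is why the server must fill a dropped one back in.
REQUIRED_TAGS = ("owner", "owning group", "other")


def win_rights_to_mode(rights):
    """OR together the rwx bits of a set of advanced permissions; unknown names
    and rights with no HP-UX meaning are ignored."""
    mode = ["-", "-", "-"]
    for name in rights:
        bits = WIN_TO_UNIX.get(name)
        if bits is None:
            continue
        for i, b in enumerate(bits):
            if b != "-":
                mode[i] = b
    return "".join(mode)


def parse_acl(listing):
    """Parse 'access:<tag>:<perms>' / 'default:<tag>:<perms>' lines into two dicts.
    '#' header lines are skipped; a tag may itself contain a colon (e.g. 'group:staff')."""
    access, default = {}, {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(":", 1)
        tag, perms = rest.rsplit(":", 1)
        if kind == "access":
            access[tag] = perms
        elif kind == "default":
            default[tag] = perms
        else:
            raise ValueError("unknown ACE kind: " + kind)
    return access, default


def apply_client_changes(access, default, removed_access=(), removed_default=()):
    """Drop the ACEs the Windows client cleared (an ACE with both Allow and Deny
    unchecked is not sent back at all), then regenerate a missing required default
    ACE from the matching access ACE, as in Example 1. Named entries stay removed."""
    access = {t: p for t, p in access.items() if t not in removed_access}
    default = {t: p for t, p in default.items() if t not in removed_default}
    if default:
        for tag in REQUIRED_TAGS:
            if tag not in default and tag in access:
                default[tag] = access[tag]
    return access, default


# Constructed sample: the directory from Example 1 plus one named group, 'staff'
# (an assumption added here for illustration, not taken from the guide).
SAMPLE_ACL = """\
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
access:group:staff:rw-
default:owner:rwx
default:owning group:r-x
default:other:r-x
default:group:staff:r-x
"""


def example_1():
    """Client removes the default owning-group ACE (r-x); the server rebuilds it
    from the access owning-group ACE, so it comes back as rwx."""
    access, default = parse_acl(SAMPLE_ACL)
    return apply_client_changes(access, default, removed_default=("owning group",))


def example_3():
    """Client removes both ACEs of the named group; neither is regenerated."""
    access, default = parse_acl(SAMPLE_ACL)
    return apply_client_changes(access, default, removed_access=("group:staff",),
                                removed_default=("group:staff",))


if __name__ == "__main__":
    print("Example 1:", example_1())
    print("Example 3:", example_3())
```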
POSIX Default Owner and Owning Group ACLs
With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. In HP CIFS Server versions A.01.09 and below, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on the corresponding access and default ACEs. With HP CIFS Server version A.01.
4 NT Style Domains Introduction This chapter describes how to configure the roles that an HP CIFS Server can play in an NT style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or as an NT Domain with a Microsoft NT Primary Domain Controller (PDC). Configuration of Member Servers joining an NT style domain or a Windows 2000/2003 Domain as a pre-Windows 2000 compatible computer is described here.
Limitations The following is a list of limitations for the BDC support: • HP CIFS Server can only function as a BDC to an HP CIFS PDC. • HP CIFS Server and MS Windows server can each function as a BDC to its own type of PDC. • HP CIFS Server cannot create Security Account Management (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files that are held by a BDC. • The Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.
directory mode = 770
2. The smb.conf file is as shown if the HP CIFS Server acting as a PDC uses the LDAP backend to store UNIX and Samba account databases:
[global]
workgroup = SAMBADOM #Samba Domain
security = user
domain logon = yes
domain master = yes
encrypt passwords = yes
passdb backend = ldapsam:ldap://ldapserver:389
3. Ensure that the /var/opt/samba/netlogon subdirectory for the domain logon service exists.
passdb backend = ldapsam:ldap://ldapserver:389
• When you configure the relative domain controller parameters, ensure that the /var/opt/samba/netlogon subdirectory for the domain logon service exists.
HP CIFS does not implement a true SAM database nor its replication. The HP CIFS implementation of BDCs is very much like a PDC with one important difference: a BDC is configured like a PDC except that the smb.conf parameter domain master must be set to no.
Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain
This section describes the procedures to join an HP CIFS Server to an NT domain, Windows 2000/2003 (as a pre-Windows 2000 computer) or Samba domain as a member server.
Step-by-step Procedure
1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC.
As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be:
objectClass: posixAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logofftime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
rid: 1206
primaryGroupID: 1041
acctFlags: [W ]
displayName: client1$
2.
primaryGroupID: 1041
lmPassword: E0AFF63989B8FA6576549A685C6AFAF1
ntPassword: E0AFF63989B8FA6576549A685C6AFAF1
acctFlags: [W ]
displayName: client1$
NOTE: You can also use utilities such as pdbedit and the net commands to create the machine trust accounts. The net commands provide numerous new utility operations. For more information on how to create machine trust accounts using pdbedit and the net commands, see the SWAT help text for the pdbedit and net commands.
domain logon = yes
encrypt passwords = yes
2.
ABEEFE10EC431B9BBFF1A1C0C047:[W ]:LCT-0000000:
• Use the following command to add the sambaSamAccount entry for a Windows client to the LDAP directory server if the passdb backend option is set to ldapsam or ldapsam_compat:
$ smbpasswd -a -m client1
An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be:
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
log
Figure 4-1 Entering A Samba PDC Domain Name Roaming Profiles The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features: • A user's environment, preference settings, desktop settings, etc.
read only = no
create mode = 600
directory mode = 770
writeable = yes
browseable = no
guest ok = no
Configuring User Logon Scripts
The logon script configuration must meet the following requirements:
• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
• Logon scripts should have the UNIX executable permission set.
• Any logon script should contain only valid commands recognized by the Windows client.
• A logon user should have proper access permissions to execute logon scripts.
the domain type and Windows 2000/2003 Domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at http://technet.microsoft.com. For information on HP CIFS Server trust relationships with Windows 2000/2003, see Chapter 5 “Windows 2000/2003 Domains”. HP CIFS Server supports the following external trust relationships with NT Style Domains: • HP CIFS PDCs support external trusts between a Samba and an NT Domain.
Trusting a Samba Domain from an NT Domain
Log on as root and execute the following steps on the trusted Samba Domain PDC:
1. Add a trust account for the trusting NT domain to /etc/passwd. Add the domain name with the "$" using the useradd command as follows (the domain name is a placeholder):
$ useradd <trusting_NT_domain_name>$
Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting NT domain name account.
2.
5 Windows 2000/2003 Domains
Introduction
This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain Member Server” in Chapter 4, "NT Style Domains". By default, Windows 2000/2003 Servers utilize the Kerberos authentication protocol for increased security.
Joining an HP CIFS Server to a Windows 2000/2003 Domain
HP CIFS Server only supports the following Kerberos encryption types:
• DES-CBC-MD5
• DES-CBC-CRC
• RC4-HMAC
You must configure one of these encryption types in the /etc/krb5.conf file as shown below. HP recommends that you set the encryption type to DES-CBC-MD5 in /etc/krb5.conf unless you have other Kerberos-enabled applications on the HP server that require one of the other supported encryption types.
The following is an example of /etc/krb5.conf which has the realm MYREALM.XYZ.COM, and the machine adsdc.myrealm.xyz.com as a KDC:
# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
# See krb5.conf(4) for more details.
#
# Please verify that you have created the directory /var/log.
#
# Replace MYREALM.XYZ.COM with your Kerberos Realm.
# Replace adsdc.myrealm.xyz.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
default_realm = MYREALM.XYZ.
4. Use the following procedures to configure the HP CIFS Server:
• For new installations, you can run /opt/samba/bin/samba_setup and choose ADS Member Server. Finish the samba_setup prompts and verify the following smb.conf configuration items. samba_setup will then perform the "net ads join -U Administrator%password" command to join the ADS domain for you.
[global]
workgroup = MYREALM # Domain Name
realm = MYREALM.XYZ.
Shortcut trusts can be established explicitly between Windows 2000/2003 domains to ensure that HP CIFS Servers recognize forest configurations where necessary. Transitive trusts, in which domain A trusts domain B, which trusts domain C, so that domain A trusts domain C, are not respected by HP CIFS Servers.
startsmb -winbind
2. Add a trust account for the trusting Windows domain to /etc/passwd. Add the trusting domain name with the “$” using the useradd command. For example, the following command adds a trust account for the trusting Windows domain name, windomainA, to /etc/passwd:
useradd windomainA$
Due to the maximum name length of 8 for the useradd command, you may need to edit /etc/passwd to add the trusting Windows domain name account.
3.
6 LDAP Integration Support This chapter describes the HP CIFS Server with LDAP integration. It includes benefits of LDAP, procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
NOTE: While the HP CIFS Server may operate satisfactorily with other LDAP products, HP only provides LDAP support for the HP CIFS Server with HP LDAP-UX Integration, J4269AA, HP Netscape Directory Server, J4258CA, or HP Red Hat Directory Server, NSDirSvr7, product configurations.
Advance Server for UNIX/9000 (ASU) Servers
With LDAP integration, the centralized management of user data helps you to migrate from ASU to the CIFS Server. ASU PDC servers can migrate users to /etc/passwd entries using the migration help package available at http://software.hp.com. The HP CIFS Server provides the /opt/samba/bin/syncsmbpasswd tool to create entries in the smbpasswd file.
CIFS Authentication with LDAP Integration
With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication.
Summary of Installing and Configuring The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with the LDAP support: • Install Directory Server, if not already installed. See “Installing the Directory Server”. • Configure Directory Server, if not already configured. See “Configuring Your Directory Server”. • Install the LDAP-UX Client Services on an HP CIFS Server, if not already installed.
Installing and Configuring Your Directory Server This section describes how to set up and configure your Netscape/Red Hat Directory Server to work with LDAP-UX Client Services and the HP CIFS Server. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet, for more information on directory configuration. Installing the Directory Server You need to set up the Netscape/Red Hat Directory Server if it is not already installed.
Configuring the LDAP-UX Client Services You need to configure the LDAP-UX Client Services if it is not already configured. This section describes major steps to configure LDAP-UX Client Services with the Netscape Directory Server 6.11/6.21 or Red Hat Directory Server 7.0/7.1. For detailed information on how to configure the LDAP-UX Client Services, see the "Configure the LDAP-UX Client Services" section of LDAP-UX Client Services Administrator's Guide at http://www.docs.hp.com.
1. Enter the DN of the directory user. The default value is displayed. To use the default, press the Enter key; otherwise, enter your DN.
2. Enter the password.
7. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile, dc=org, dc=hp, dc=com, then the base path, org.hp.
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
"(objectclass=*)"|grep -i posix
Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory) MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN 'RFC 2307' )
objectClasses: ( 1.3.6.1.1.1.2.
Enabling Secure Sockets Layer (SSL) The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Directory Server and LDAP-UX clients. When you have enabled the LDAP server and clients, then you can configure the HP CIFS Server to use SSL.
subsection of the "Installing LDAP-UX Client Services" chapter in LDAP-UX Client Services B.03.20 Administrator's Guide at http://docs.hp.com. If the LDAP-UX Client Services have already been set up, modify the authenticationMethod and preferredServerList attributes in the /etc/opt/ldapux/ldapux_profile file as follows: • Modify the authenticationMethod attribute to add the transport layer security authentication method, tls:, in front of the original authentication method, simple (the simple bind password then travels only inside the TLS session).
Migrating Your Data to the Directory Server HP recommends that all UNIX user accounts, whether in the /etc/passwd file or in NIS database files, be migrated to the Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.
Environment Variables When using the perl scripts to migrate individual files, you need to set the following environment variables: LDAP_BASEDN The base distinguished name where you want to store your data.
3. When migrating services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports. Examples Complete the following steps to migrate the /etc/passwd file to an LDIF file: 1. Set the environment variable LDAP_BASEDN to specify where you want to store your data. For example, the following command sets the LDAP base DN to org.hp.com: $ export LDAP_BASEDN="dc=org, dc=hp, dc=com" 2.
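The following is an added example, not HP CIFS Server or LDAP-UX code and not a replacement for the migrate_passwd.pl script. It shows what the passwd-to-LDIF step above produces: each /etc/passwd record becomes a posixAccount entry under LDAP_BASEDN carrying the attributes that the posixAccount objectclass from the earlier ldapsearch output requires (cn, uid, uidNumber, gidNumber, homeDirectory) and the optional ones a passwd line can supply (userPassword, loginShell, gecos). The ou=People container and the sample passwd lines are assumptions/constructed data. Note that the resulting LDIF carries crypt password hashes, so create it with mode 600 and remove it after loading.

```python
"""Build RFC 2307 posixAccount LDIF entries from /etc/passwd lines.

Added example for this guide; it is not HP CIFS Server or LDAP-UX code and
does not replace migrate_passwd.pl. It reads the same LDAP_BASEDN variable
the migration scripts use and emits the attributes that the posixAccount
objectclass requires (cn, uid, uidNumber, gidNumber, homeDirectory) plus
the optional ones /etc/passwd can supply (userPassword, loginShell, gecos).
The ou=People container and the sample lines below are assumptions.
"""
import os

# Constructed sample input: a root entry, one user, HP-UX's negative
# "nobody" UID, a comment, and a malformed line.
SAMPLE_PASSWD = """\
root:*:0:3::/:/sbin/sh
johnl:aOACGvt0T,1fo:200:20:John Louie,48S-020,447-1890:/home/johnl:/usr/bin/sh
nobody:*:-2:-2::/:
# comment
broken:line:missing:fields
"""

# Placeholder hashes that mean "no usable password"; they must not be copied
# into userPassword or the entry would carry a bogus {crypt} value.
NO_PASSWORD = {"", "*", "!", "x", "NP"}


def parse_passwd(text):
    """Yield (login, pwhash, uid, gid, gecos, home, shell) for each usable line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a passwd record
        login, pwhash, uid, gid, gecos, home, shell = fields
        try:
            uid_n, gid_n = int(uid), int(gid)
        except ValueError:
            continue
        if uid_n < 0 or gid_n < 0:
            continue  # uidNumber/gidNumber cannot be negative in the schema
        yield login, pwhash, uid_n, gid_n, gecos, home, shell


def account_to_ldif(entry, basedn, people_ou="ou=People"):
    """Render one parsed record as an LDIF entry under people_ou,basedn."""
    login, pwhash, uid, gid, gecos, home, shell = entry
    lines = [
        f"dn: uid={login},{people_ou},{basedn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        f"cn: {login}",
        f"uid: {login}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home or '/'}",
    ]
    if pwhash not in NO_PASSWORD:
        lines.append(f"userPassword: {{crypt}}{pwhash}")
    if shell:
        lines.append(f"loginShell: {shell}")
    if gecos:
        lines.append(f"gecos: {gecos}")
    return "\n".join(lines) + "\n"


def passwd_to_ldif(text, basedn=None):
    """Convert a whole passwd file; basedn defaults to $LDAP_BASEDN."""
    basedn = basedn or os.environ.get("LDAP_BASEDN")
    if not basedn:
        raise ValueError("set LDAP_BASEDN or pass basedn explicitly")
    return "\n".join(account_to_ldif(e, basedn) for e in parse_passwd(text))


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, "dc=org, dc=hp, dc=com"))
```

Load the output with the directory manager credentials (for example with /opt/ldapux/bin/ldapmodify -a); entries whose password field is a placeholder such as * get no userPassword attribute, so those accounts cannot authenticate until a password is set.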
Extending the Samba Subschema into Your Directory Server You now need to extend the Directory Server schema with the Samba subschema from the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services, and migrated your data to the LDAP directory, before extending the schema. Set the passdb backend parameter to ldapsam:ldap://.
Configuring the HP CIFS Server You must set up and configure your HP CIFS Server to enable the LDAP feature support. LDAP Configuration Parameters The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under global parameters. [global] Any global setting defined here will be used by the HP CIFS Server with the LDAP support.
NOTE: HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server. You can quickly run the samba_setup program to configure the HP CIFS Server with the LDAP feature support as follows: 1. Run the following commands to enable the LDAP feature: $ export PATH=$PATH:/opt/samba/bin $ samba_setup When running the samba_setup program, you will be asked whether you want to use LDAP or not. Press Yes to use LDAP, and press No to disable LDAP. 2.
Installing your Samba Users in the Directory This section describes how to install and verify your Samba users in your LDAP directory. Adding Credentials When you use the HP CIFS Server with the LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.tdb file before installing Samba users in the LDAP directory. Because secrets.tdb then holds the directory manager password, it must stay readable only by root; anyone who can read it can modify every account in the directory.
homeDirectory: /home/johnl
gecos: John Louie, 48S-020, 447-1890
userPassword: {crypt}aOACGvt0T, 1fo
lmPassword: 0AED71B7494489AG2ED50F26D3C5EB07
NTPassword: 7C46DE22B8963EAA3F9F90BE4E0F661
acctFlags: UX
pwdLastSet: 1063301239
The lmPassword and NTPassword values are unsalted, password-equivalent hashes: anyone who can read them from the directory can authenticate as the user, so restrict read access to these attributes with directory ACIs to the directory manager and the ldap admin dn.
LDAP Management Tools The HP CIFS Server provides LDAP management tools for you to maintain users, groups and passwords in the Directory Server. To use the perl scripts, perl version 5.6.1.E or greater for HP-UX 11i (PA-RISC) or HP-UX 11i (IA) is required. A free download is available at http://software.hp.com.
Smbldap Tools The following lists HP CIFS Server smbldap tools available for you to maintain users and groups data in the Directory Server. For HP CIFS Server A.01.* versions, these tools are located in the /opt/samba/LDAP/smbldap-tools directory. For HP CIFS Server A.02.* versions, these tools are located in the /opt/samba/LDAP3/smbldap-tools directory : smbldap-groupadd.pl smbldap-groupdel.pl smbldap-groupmod.pl smbldap-groupshow.pl smbldap_conf.pm smbldap-useradd.pl smbldap-userdel.pl smbldap-usermod.
Consider the following example which sets the LDAP directory server name to "hostA.org.hp.com", the SID to "S-1-5-21-1415721273-4291299877-1153850723", the LDAP base DN to "org.hp.com", the directory manager name to "Directory Manager", and the password to "dmpasswd" (because smbldap_conf.pm then holds this password in clear text, keep the file owned by root and unreadable by group and others): • $SID="S-1-5-21-1415721273-4291299877-1153850723" • $masterLDAP="dc=org, dc=hp, dc=com" • $suffix="org.hp.
Specify the name of the group. The group data entry will be deleted from the LDAP directory. An Example The following commands delete the group name "group1" from the Directory Server: cd /opt/samba/LDAP3/smbldap-tools ./smbldap-groupdel.pl group1 The smbldap-groupshow.pl Tool You can use this tool to view a group entry with the posixGroup information in the Directory Server. Syntax smbldap-groupshow.
-w -P -A -B -C -D -E -F -H -N -S -? specifies the LDAP directory manager password invokes the smbldap-passwd.
-J enables a user
-N specifies the canonical name
-P ends by invoking smbldap-passwd.pl
-? shows help messages
username Specify the name of the user. The user information in the LDAP directory will be modified. An Example The following commands modify the user name "johnl" with the user id "200" in the Directory Server: cd /opt/samba/LDAP3/smbldap-tools ./smbldap-usermod.pl -u 200 johnl The smbldap-userdel.pl Tool You can use the smbldap-userdel.pl tool to delete a user entry in the Directory Server.
The smbldap-migrate-accounts.pl Tool You can use the smbldap-migrate-accounts.pl tool to migrate the user accounts information in the smbpasswd file to the Directory Server. This tool can use the pwdump utility to migrate all the users from a Windows server to the HP CIFS Server acting as a PDC. See "Migrating Users from a Windows Server to an HP CIFS Server as a PDC" for details. Syntax smbldap-migrate-accounts.
-r recursively processes groups
-w specifies the LDAP directory manager password
Migrating Groups from a Windows Server to an HP CIFS Server as a PDC Use the following steps to migrate all the groups from a Windows server to an HP CIFS Server acting as a PDC: 1. Run the net group command on the Windows server and redirect its output to the file that will contain the groups data: net group > 2. 3. Transfer the groupdump file created in step 1 to the HP CIFS server system acting as a PDC.
7 Winbind Support This chapter describes how to set up and configure the HP CIFS Server with the winbind support.
These routines in turn use the entries in the /etc/nsswitch.conf file to determine which name services backend to use to obtain the information. When the winbind entry is specified in the /etc/nsswitch.conf file, the /usr/lib/libnss_winbind.1 routine is called which interfaces with the winbind daemon, winbindd, to translate the UID and GID back into the Windows SID, and then query the password server for the user name associated with this SID.
Configuring HP CIFS Server with Winbind You must set up and configure your HP CIFS Server to use the winbind feature support. Winbind Configuration Parameters Table 7-1 shows the list of global parameters used to control the behavior of winbind. These parameters are set in the /etc/opt/samba/smb.conf file in the [global] section. Table 7-1 Global Parameters Parameter Description winbind separator This string variable specifies the separator to separate domain name and user name.
A smb.conf Example An example of smb.
An Example for File Ownership by Winbind Users In the following example, use /opt/samba/bin/smbclient to connect to a share, shareA, on the HP CIFS Server, Server1, as the user, John, from the domain, DomA: $ cd /opt/samba/bin $ ./smbclient //Server1/shareA -U DomA\\John The output is as follows: Domain=[DomainA] OS=[Unix] Server=[Samba 3.0.7 based HP CIFS Server A.02.
Starting and Stopping Winbind This section describes how to start or stop the HP CIFS Server with winbind support. Starting Winbind Use the startsmb -winbind or startsmb -w command to start the winbind daemon on the HP CIFS server as follows: $ startsmb -winbind or $ startsmb -w The startsmb command without any option starts only the smbd and nmbd daemons.
idmap Backend Support in Winbind This section describes the idmap_rid backend and the LDAP backend for idmap support when using winbind. Examples of configuration files for each backend are provided. idmap_rid Backend Support The idmap_rid facility with winbind provides a unique mapping of Windows SIDs to local UNIX UIDs and GIDs. The idmap_rid facility uses the RID of the user SID to generate the UID and GID by adding the RID number to a configurable base value. Because the mapping is purely arithmetic, every CIFS server configured with the same domain SID, base value and ID range derives the same IDs without sharing any state, but a RID that falls outside the configured range cannot be mapped at all.
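The following is an added example of that arithmetic, not Samba or HP CIFS Server code. It applies the rule idmap_rid uses in Samba 3 (UNIX ID = low ID + RID - base RID) in both directions and shows what happens at the edges: a SID from another domain, a well-known SID such as S-1-1-0, and a RID that overflows the range. The domain SID is the one from the smbldap_conf.pm example; the 10000-20000 range and base RID 0 are assumptions chosen to match the winbind uid/gid parameters used in the sample smb.conf files.

```python
"""idmap_rid arithmetic: SID <-> UID/GID without any mapping database.

Added example for this guide, not Samba or HP CIFS Server code. It applies
the rule idmap_rid uses (Samba 3: id = low id + RID - base RID) so that
every server configured with the same domain SID, base RID and winbind
uid/gid range derives identical IDs independently. The range and base RID
below are assumptions.
"""

DOMAIN_SID = "S-1-5-21-1415721273-4291299877-1153850723"
BASE_RID = 0
ID_LOW, ID_HIGH = 10000, 20000  # matches a "winbind uid = 10000-20000" range


class IdmapError(ValueError):
    """Raised for SIDs or IDs that idmap_rid cannot map."""


def split_sid(sid):
    """Return (domain_sid, rid) for a SID such as S-1-5-21-a-b-c-rid."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise IdmapError(f"malformed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_id(sid, domain_sid=DOMAIN_SID, base_rid=BASE_RID,
              id_low=ID_LOW, id_high=ID_HIGH):
    """Map a user or group SID to its UNIX ID, or raise IdmapError."""
    domain, rid = split_sid(sid)
    if domain != domain_sid:
        # idmap_rid is configured per domain; a foreign or well-known SID
        # (for example S-1-1-0, "Everyone") has no arithmetic mapping.
        raise IdmapError(f"{sid} does not belong to {domain_sid}")
    if rid < base_rid:
        raise IdmapError(f"RID {rid} is below base RID {base_rid}")
    unix_id = id_low + (rid - base_rid)
    if unix_id > id_high:
        raise IdmapError(f"RID {rid} maps to {unix_id}, outside {id_low}-{id_high}")
    return unix_id


def id_to_sid(unix_id, domain_sid=DOMAIN_SID, base_rid=BASE_RID,
              id_low=ID_LOW, id_high=ID_HIGH):
    """Inverse mapping, used when a file owner is turned back into a SID."""
    if not id_low <= unix_id <= id_high:
        raise IdmapError(f"ID {unix_id} is outside the winbind range")
    return f"{domain_sid}-{unix_id - id_low + base_rid}"


def highest_mappable_rid(base_rid=BASE_RID, id_low=ID_LOW, id_high=ID_HIGH):
    """Largest RID the configured range can hold; RIDs above it fail to map."""
    return base_rid + (id_high - id_low)


if __name__ == "__main__":
    admin = f"{DOMAIN_SID}-500"  # RID 500 is the built-in Administrator account
    print(admin, "->", sid_to_id(admin), "->", id_to_sid(sid_to_id(admin)))
    print("highest RID this range can map:", highest_mappable_rid())
```

Size the range from the highest RID the domain has issued rather than from the number of users: RIDs are allocated sequentially across users, groups and machine accounts, so a domain that has created many objects can exceed a 10000-wide range long before it has 10000 users.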
LDAP Backend Support When multiple CIFS Servers participate in a Windows NT or Windows ADS domain and make use of winbind, you can configure multiple CIFS Servers to store ID maps in an LDAP directory. Making use of an LDAP server and configuring CIFS servers with the idmap backend parameter in smb.conf will ensure that all UIDs and GIDs are unique across the domain. This is important in order to support Windows access to NFS shares. HP CIFS Server does not support the ad option for idmap backend.
wbinfo Utility You can use the wbinfo tool to get information from the winbind daemon. Running wbinfo requires that the winbind daemon, winbindd, is configured and started. Syntax wbinfo [option] where option can be any of the following: Displays path data with Windows user and group names that exceed the HP-UX name limitation of 8 characters. Displays path data with the fully qualified Windows domain name appended to the Windows user and group names that exceed the HP-UX name limitation of 8 characters.
The following is an example of the output using the wbinfo -u command:
$ wbinfo -u
DOMAIN_DOM\johnb 50003
DOMAIN_DOM\user1 50004
DOMAIN_DOM\user2 50005
DOMAIN_DOM\user3 50006
DOMAIN_DOM\user4 50007
DOMAIN_DOM\Guest 50008
DOMAIN_DOM\user5 50009
DOMAIN_DOM\ntuser 50010
DOMAIN_DOM\root 50011
DOMAIN_DOM\pcuser 50012
DOMAIN_DOM\winusr 50016
DOMAIN_DOM\maryw 50017
The following is an example of the output using the wbinfo -g command:
$ wbinfo -g
DOMAIN_DOM\Domain Admins 50010
DOMAIN_DOM\Domain Guests 50011
DOMAIN
8 Kerberos Support Introduction The Kerberos protocol is specified by IETF RFC 1510 (since superseded by RFC 4120). Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2000 and 2003 domains (including the Windows 2000 and XP clients that inhabit those domains). For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2000/2003 domain, and only when the HP CIFS Server is configured with "security = ads".
Kerberos CIFS Authentication Example Figure 8-1 Kerberos Authentication Environment (diagram: the Windows 2000/2003 KDC, labelled Authenticator, with its AS and TGS; a Windows 2000 or XP client, labelled Authenticatee; and the HP CIFS Server, labelled Resource; the exchange steps are numbered 1 to 6) The following describes a typical Kerberos logon and share service exchange using Kerberos authentication in a Windows 2000/2003 domain environment shown in Figure 8-1: 1.
Components for Kerberos Configuration The following is a list of the various components that are necessary to configure HP CIFS Server for Kerberos authentication: • HP CIFS Server: Version A.02.01 and later (based on Samba 3.0.7 and later) • HP-UX 11i v1 or HP-UX 11i v2 • HP-UX Kerberos Client Version 1.3.5 (required for newer Windows 2000/2003 versions and the keytab feature) • Patches required for HP-UX Kerberos Client version 1.3.5 on HP-UX 11i v1 are shown in Table 8-1.
# Kerberos configuration
[libdefaults]
default_realm = MYREALM.HP.COM
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
MYREALM.HP.COM = {
kdc = HPWIN2K4.MYREALM.HP.COM:88
admin_server = HPWIN2K4.MYREALM.HP.COM
}
[domain_realm]
.hp.com = MYREALM.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
DES-CBC-MD5 is a single-DES (56-bit) encryption type and is weak by current standards; it is what this configuration negotiates with the Windows 2000/2003 KDC, so treat it as the minimum the domain accepts rather than a choice, and keep /etc/krb5.keytab readable by root only, since it holds the server's long-term key.
Kerberos Modification for Internet Services The Internet Services product utilizes its own Kerberos library set that is delivered with the product. This library set does not recognize the WRFILE attribute in the /etc/krb5.conf file as a valid attribute. Therefore, the default_keytab_name parameter is invalid, and the Internet Services application cannot find the Kerberos keytab file to access the secret key.
9 HP CIFS Deployment Models This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference. It contains the following sections: • “Introduction” • “Samba Domain Model” • “Windows Domain Model” • “Unified Domain Model” Introduction HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols.
Figure 9-1 Standalone HP CIFS Server as a PDC (diagram: one HP CIFS PDC serving Windows and UNIX users; password backend: smbpasswd or tdbsam) Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend: Figure 9-2 Standalone HP CIFS Server as a PDC with NDS backend (diagram: HP CIFS PDC with an NDS LDAP Server, serving Windows and UNIX users; password backend: ldapsam or ldapsam_compat) Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:
Figure 9-3 Multiple HP CIFS Servers with NDS backend (diagram: an HP CIFS PDC and WINS server, an HP CIFS BDC and an HP CIFS member server sharing one NDS LDAP Server, serving Windows and UNIX users; password backend: ldapsam or ldapsam_compat) Figure 9-4 shows the Samba Domain Model: Figure 9-4 Samba Domain (diagram: the same components as Figure 9-3) The Samba Domain Deployment Model consists of a HP CIFS Server configured as a Primary Domain Controll
Windows user data. See Chapter 6 “LDAP Integration Support” for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments. Multi-subnetted environments require name-to-IP-address mapping to go beyond broadcast limits of a single LAN segment. HP CIFS Server provides WINS server capabilities, which can be enabled on one node (usually the PDC) for the domain and whose address needs to be specified in the configuration of the remaining nodes (usually BDCs and member servers).
database management. Using LDAP requires installing the HP LDAP-UX Integration software and configuring the LDAP client to consolidate POSIX and Windows users in the LDAP directory. An example of the Samba Domain Model Figure 9-5 shows an example of the Samba Domain Model which has HP CIFS Server machine hostW at IP address 1.13.115.226 acting as the PDC and WINS server, HP CIFS Server machine hostB at IP address 1.13.117.248 acting as a BDC, and Netscape Directory Server machine hptem128.
wins support = yes
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org, dc=hp, dc=com
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No
[tmp]
comment = Temporary file space
path = /tmp
[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
read only = Yes
NOTE: Set passdb backend = ldapsam:ldaps://
max log size = 1000
domain logons = Yes
security = user
local master = No
domain master = No
wins server = 1.13.115.
preferred master = No
domain master = No
wins server = 1.13.115.
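The following is an added example, not HP CIFS Server or Samba code, that parses an smb.conf and checks two things the Samba Domain samples depend on: that an ldapsam backend uses ldaps:// (as the NOTE above requires) or at least ldap ssl = start tls, and that security = ads is accompanied by a realm parameter. It also reports a parameter assigned twice with different values, since smbd silently keeps the last assignment. The sample configuration is constructed to trigger each check and is not one of the guide's own files.

```python
"""Parse an smb.conf and check the settings this chapter's samples rely on.

Added example for this guide, not HP CIFS Server or Samba code. The sample
configuration below is constructed: it points passdb backend at a plain
ldap:// URL, repeats 'security' with two different values, and sets
security = ads without a realm. smbd keeps the last value of a repeated
parameter, which the audit mirrors.
"""
import re

SAMPLE_SMB_CONF = """\
# constructed sample, not one of the guide's own files
[global]
   workgroup = ORGDOM
   security = user
   domain logons = Yes
   passdb backend = ldapsam:ldap://hptem128.org.hp.com
   ldap admin dn = cn=Directory Manager
   ldap suffix = dc=org, dc=hp, dc=com
   ldap ssl = off
   security = ADS
[homes]
   comment = Home Directory
   browseable = No
"""


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]} preserving order and duplicates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_global(sections):
    """Return a list of findings for the [global] section."""
    findings = []
    effective = {}  # last assignment wins, as in smbd
    for key, value in sections.get("global", []):
        if key in effective and effective[key].lower() != value.lower():
            findings.append(f"'{key}' set twice with different values; "
                            f"smbd will use the last one ({value})")
        effective[key] = value

    backend = effective.get("passdb backend", "")
    ldap_ssl = effective.get("ldap ssl", "off").lower().replace("_", " ")
    if backend.startswith("ldapsam:ldap://") and ldap_ssl != "start tls":
        findings.append("passdb backend uses ldap:// without ldap ssl = start tls: "
                        "the ldap admin dn bind and the password hashes cross the "
                        "network in clear; use ldapsam:ldaps://")
    if effective.get("security", "").lower() == "ads" and "realm" not in effective:
        findings.append("security = ads requires a realm parameter naming the "
                        "Kerberos realm of the ADS domain")
    return findings


if __name__ == "__main__":
    for finding in audit_global(parse_smb_conf(SAMPLE_SMB_CONF)):
        print("-", finding)
```

Run it against /etc/opt/samba/smb.conf after samba_setup or a manual edit; with the sample above it reports three findings, and changing the backend URL to ldapsam:ldaps:// removes the first of them.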
Windows Domain Model You can use the Windows Domain Model in environments with the following characteristics: • Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled). • Support for any number of HP CIFS servers that provide file and print services for corresponding numbers of users. It requires HP-UX LDAP Integration Client software for ADS domain member servers.
using NFS shares mounted on HP CIFS Servers. To centralize management of ID maps in an LDAP directory, set the idmap backend parameter to ldap:ldap:// followed by the directory server name in the smb.conf file (the ldapsam prefix belongs to passdb backend, not to idmap backend). You can use the wins server smb.conf parameter for name resolution throughout a multi-subnetted network. Avoid using the WINS server supplied by HP CIFS if Windows or NT WINS servers are available, because HP CIFS WINS servers cannot replicate WINS data.
log file = /var/opt/samba/log.
user or group
force user = localusr
force group = localgrp
[tmp]
path = /tmp
read only = no
browseable = yes
writable = yes
A Sample /etc/krb5.conf File On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is a sample /etc/krb5.
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
passwd: files winbind [NOTFOUND=return] ldap
group: files winbind [NOTFOUND=return] ldap
hosts: files dns [NOTFOUND=return]
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
#
# NOTE: HP CIFS Server supports several ways to allocate and map POSIX users and groups.
Note that [NOTFOUND=return] after winbind stops the lookup when winbindd answers "not found", so ldap is consulted only when winbindd is unavailable, not for names winbindd does not know.
An Example of Windows NT Domain Model Figure 9-8 shows an example of the Windows NT Domain Model which has a Windows NT server named hostP as a PDC, an HP CIFS Server machine hostM acting as a domain member server. The ID maps are saved in the local file, idmap.tdb. Figure 9-8 An example of the Windows NT Domain Model Windows NT Server/ PDC “hostP” windows users HP CIFS Member Server “hostM” winbind daemon libnss_winbind idmap.tdb winbind A Sample smb.
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 10
template homedir = /home/%D/%U
template shell = /bin/false
#
[homes]
comment = Home Directory
create mode = 0664
directory mode = 0775
valid users = /home/%D/%U
browseable = No
read only = No
writable = yes
[print$]
comment = For Printer share
browseable = yes
[printers]
comment = All Printers
path = /tmp
printable = yes
browseable = yes
printer admin = root, admuser
create mask = 0600
guest ok = Yes
use clie
Unified Domain Model You can use the Unified Domain Deployment Model in environments with the following characteristics: • A domain consisting of Windows 200x servers. • The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for Unix (SFU). • Support for any number of HP CIFS Servers that provide file and print services for corresponding numbers of users. NOTE: SFU Version 3.5 does not support the Windows NT4 Domain.
HP CIFS Server uses Kerberos security in a Windows Unified Domain setup. For more information on how to join an HP CIFS Server to a Windows 200x Domain using Kerberos security, see Chapter 5 “Windows 2000/2003 Domains”. Setting up the Unified Domain Model You need to set up and configure the following components to deploy a Unified Domain Model using Windows Services For UNIX (SFU): • Windows 2000 or 2003 domain controller with Active Directory Service (ADS) • LDAP-UX Integration software B.03.
[realms]
CIFSW2KSFU.ORG.HP.COM = {
kdc = hostA.org.hp.com:88
admin_server = hostA.org.hp.com
}
[domain_realm]
.org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/opt/KRB5lib.log
Installing SFU 3.5 on a Windows 2000 or 2003 Domain Controller POSIX accounts have some attributes, such as user ID, login shell, and home directory, which are not used by Windows 2000 or 2003.
######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
workgroup = CIFSW2KSFU # Domain Name
server string = CIFS Server as a domain member
realm = CIFSW2KSFU.ORG.HP.COM
security = ADS
netbios name = hostD
local master = no
wins server = 1.12.112.166
log file = /var/opt/samba/log.
[domain_realm]
.org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
NOTE: :88 is required on the kdc server field. A Sample /etc/nsswitch.conf File In the Unified Domain Model, you must configure the /etc/nsswitch.conf file to specify the LDAP name service and the other name services you want to use. The following is a sample /etc/nsswitch.
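The following is an added example, not HP-UX Kerberos Client or HP CIFS Server code, that reads a krb5.conf of the shape shown in the samples above and in Chapter 8 and checks what those samples depend on: the default realm has a [realms] entry, every kdc line carries the ":88" port the NOTE requires, the single-DES encryption types the samples configure are reported, and a WRFILE: keytab prefix is noted because the Internet Services Kerberos library does not accept it. The sample file is constructed; it copies the guide's realm and host names, and the missing ":88" is deliberate.

```python
"""Read /etc/krb5.conf and check what the Kerberos samples depend on.

Added example for this guide, not HP-UX Kerberos Client or HP CIFS code.
It parses the [section] / key = value / realm = { ... } layout and then
runs the checks described in the lead-in. The sample below is constructed.
"""
import re

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = CIFSW2KSFU.ORG.HP.COM
    default_tkt_enctypes = DES-CBC-MD5
    default_tgs_enctypes = DES-CBC-MD5
    default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
    CIFSW2KSFU.ORG.HP.COM = {
        kdc = hostA.org.hp.com
        admin_server = hostA.org.hp.com
    }
[domain_realm]
    .org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
    kdc = FILE:/var/log/krb5kdc.log
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values] or {nested}}}; repeated keys become lists."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            if len(stack) > 1:
                stack.pop()  # close a realm = { ... } block
            continue
        if "=" in line and stack:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value.strip('"'))
    return conf


def lint_krb5_conf(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    realms = conf.get("realms", {})

    default_realm = libdefaults.get("default_realm", [None])[0]
    if default_realm is None:
        findings.append("[libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"default_realm {default_realm} has no [realms] entry")

    for name, realm in realms.items():
        if not isinstance(realm, dict):
            continue
        kdcs = realm.get("kdc", [])
        if not kdcs:
            findings.append(f"realm {name} lists no kdc")
        for kdc in kdcs:
            if not re.search(r":\d+$", kdc):
                findings.append(f"realm {name}: kdc '{kdc}' lacks the required ':88' port")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        for value in libdefaults.get(key, []):
            for enctype in value.replace(",", " ").split():
                if enctype.lower().startswith("des-cbc-"):
                    findings.append(f"{key}: {enctype} is single DES (56-bit); "
                                    "keep it only if the KDC offers nothing stronger")

    keytab = libdefaults.get("default_keytab_name", [""])[0]
    if keytab.startswith("WRFILE:"):
        findings.append("default_keytab_name uses the WRFILE: prefix, which HP CIFS "
                        "needs but the Internet Services Kerberos library rejects")
    return findings


if __name__ == "__main__":
    for finding in lint_krb5_conf(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print("-", finding)
```

The WRFILE: finding is informational: HP CIFS Server requires that prefix, so leave it in place and apply the Internet Services modification described in Chapter 8 instead of removing it.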
10 Securing HP CIFS Server This chapter describes the network security methods that you can use to protect your HP CIFS Server. It includes the following sections: • “Security Protection Methods” • “Automatically Receiving HP Security Bulletins” Security Protection Methods HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services.
Using a Firewall You can use a firewall to deny access to services that you do not want exposed outside your network. This is a very good protection method, but keep the methods mentioned above in place as well, in case the firewall is not active for some reason. When you set up a firewall, you need to know which TCP and UDP ports to allow. HP CIFS Server listens on UDP ports 137 (NetBIOS name service) and 138 (NetBIOS datagram service) and on TCP ports 139 (NetBIOS session service) and 445 (CIFS directly over TCP); a server that is an LDAP client or an ADS domain member additionally needs outbound access to the directory server on TCP port 389 (LDAP) or 636 (LDAPS) and to the KDC on port 88 (Kerberos).
enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see Chapter 6 “LDAP Integration Support”. The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory configurations. Protecting Sensitive Configuration Files The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security while providing appropriate accessibility.
One effective way to reduce the risk from this type of attack is to remove the execute permission from the program's stack pages; on HP-UX 11i this is controlled by the executable_stack kernel tunable (0 disables execution on the stack). This improves system security without impacting performance and has no negative effects on the majority of legitimate applications. The HP CIFS Server does not require execution on the stack, so it runs correctly with this protection enabled.
11 CIFS File System Module (CFSM) Support This chapter describes the CIFS File System Module (CFSM) support, it contains the following sections: • Using the CIFS File System Module (CFSM) for Concurrent NFS Client Access • Stacking CFSM • Using CFSM with Other Stackable File System Modules • CFSM Implemented as Dynamically Loadable Kernel Modules (DLKMs) • Special Issues When Using CFSM • CFSM Tracing Using the CIFS File System Module (CFSM) for Concurrent NFS Client Access Due to differences in
Stacking CFSM CFSM is stacked onto the file system based on the contents of a template file. This template is managed and defined through the use of the fstadm command described below. The predefined CFSM template, cfsmtemplate, is automatically created when the HP CIFS product is installed. The template that is provided with HP CIFS Server is usable on the specific file system that is supported with CFSM.
If the above parameters are not configured properly with CFSM, the concurrent file accesses from NFS or other local programs may cause file corruption. You should configure CFSM for file systems where files may be concurrently accessed by CIFS clients and NFS clients or local processes. CFSM may be configured for all file systems with files shared through CIFS Server.
Using CFSM with Other Stackable File System Modules The CIFS File System Module (CFSM) is a stackable file system module that can be stacked with other file system modules on physical file systems (such as VxFS and HFS). The file system modules are stacked onto the file system based on the order specified in a stack template file. The templates are managed and defined through the use of the fstadm command.
-f filename Specifies the name of a text file that describes the contents of a stack template. Information in the text file will be used as a guide to construct the desired stack template. The format of each line in the text file is: module options Each line of the text file describes one level of the desired stack. Within each line, a module and its mount options are specified and separated by a single space character. -t template_string Specifies the contents of a stack template.
CFSM Implemented as Dynamically Loadable Kernel Modules (DLKMs) CFSM is implemented as two Dynamically Loadable Kernel Modules (DLKMs). The main one is “cfsm”. The "cfsm" DLKM has a dependency on a second DLKM, "cfsmdr", the CFSM driver module. The "cfsmdr" module is the one that supports tracing functionality, including the cfsmutil command support. Upon loading, the "cfsmdr" module creates a device file, "/dev/cfsmdr", that the cfsmutil command uses.
Special Issues When Using CFSM This section describes special issues when using CFSM. NFS delayed write errors with CFSM Due to the way NFS is designed and the caching it does for improved performance, NFS clients may get "delayed write errors" in various situations. This means that a write to a file on an NFS mounted file system may appear to succeed, when in reality it has failed.
CFSM Tracing The CIFS File System Module provides diagnostic functionality to trace CFSM activities by sending trace messages to a log file. All CFSM tracing is controlled through the cfsmutil command. NOTE: If the CIFS File System Module is not used by any file system, it is not loaded and cfsmutil does not function, except for the help (-h) option. cfsmutil Command Use the cfsmutil command to control and retrieve various CIFS File System Module tracing parameters.
12 Configuring HA HP CIFS Overview of HA HP CIFS Server Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
Installing Highly Available HP CIFS Server HA HP CIFS Servers must be installed and configured on all cluster nodes in the configuration. All cluster nodes may (but are not required to) act as "primary" nodes and, at the same time, as "alternate" nodes for others. If there is no failover, each cluster node runs one of the packages. If a failover occurs, a cluster node will pick up the failed package in addition to its original package.
product. These tools are found in /opt/ldapux/migrate and documented in the LDAP-UX Client Services Administrator's Guide available at http://docs.hp.com/hpux/internet. Instructions The following instructions are for one of the MC/ServiceGuard packages. You will have to go through these steps for each CIFS server package (one for each node). You will then need to copy all the files to all nodes in your cluster.
# with "log." if you plan to use "%m" this way
log file = /var/opt/samba/pkg1/logs/log.%m
lock directory = /var/opt/samba/pkg1/locks
pid directory = /var/opt/samba/pkg1/locks
smbpasswd file = /var/opt/samba/pkg1/private/smbpasswd
Replace the "XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx" with one relocatable IP address and subnet mask for the MC/ServiceGuard package. If /opt/samba/bin/samba_setup was run during installation as suggested: • Take the workgroup line from the /etc/opt/samba/smb.conf file.
Customize the sample scripts for your MC/ServiceGuard configuration. A sample customization of the HA HP CIFS Server package configuration, control and monitor scripts is shown below. Ensure that the control (samba.cntl) and monitor (samba.mon) scripts are executable and not writable by other users, since MC/ServiceGuard runs them as root: chmod 750 samba.cntl samba.mon Edit the package configuration file samba.conf To configure the samba.conf configuration file, complete the following tasks: 1. Set the PACKAGE_NAME variable.
Edit the samba.cntl Control Script To configure the samba.cntl Control Script file, you must complete the following tasks: 1. Create a volume group, either an LVM volume group or a VxVM disk group, for the HP CIFS Server directories. For example:
VG[0]=/dev/vg01 # for LVM volume group
DG[0]=/dev/vx/dg01 # for VxVM volume group
...for pkg1, and
VG[0]=/dev/vg02 # for LVM volume group
DG[0]=/dev/vx/dg02 # for VxVM volume group
...for pkg2, etc. 2.
for pkg1,
IP[0]=1.13.17.21
SUBNET[0]=1.13.16.0
...for pkg2, etc. 4. If you want to use the HP CIFS Server monitor script, set the SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.
SERVICE_NAME[0]=samba_mon1
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg1/samba.mon
for pkg1, and
SERVICE_NAME[0]=samba_mon2
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg2/samba.mon
for pkg2. 5. If you have an smb.
alternate_node:/etc/cmcluster/samba 2. Use the cmquerycl command to create a cluster configuration file for the CIFS server: cmquerycl -v -C clucifs.conf -n primary_node -n alternate_node 3. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MC/ServiceGuard cluster configuration file (clucifs.conf) through MC/ServiceGuard procedures. cmcheckconf -C /etc/cmcluster/clucifs.
Special Notes for HA HP CIFS Server There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below: • Client Applications HA HP CIFS Server cannot guarantee that client applications with open files on a HP CIFS Server share, or, applications launched from HP CIFS Server shares, will transparently recover from a switchover.
Winbind makes use of several files winbindd.pid, winbindd_cache.tdb, winbindd_idmap.tdb, and directory winbindd_privileged, in the /var/opt/samba/locks directory. You may want to put the entire /var/opt/samba/locks directory on a logical shared volume but the locking data may not be correctly interpreted after a failover. You may want to add a line to your startup script to remove the locking data file .../locks/locking.tdb.
Caution should be used when using NFS or CFS to share the locks and private directory files: only one CIFS instance should be active at any given time. CIFS may prevent multiple instances from starting if they share the configured PID files. • Using NFS to Share the Locks and Private Directory Files If NFS is used to share the locks and private directory files among multiple nodes running single instances, the following procedures may help to prevent configuration errors.
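The following is an added example, not part of the HP CIFS product or its sample samba.cntl and samba.mon scripts. It collects the two checks the notes above call for into shell functions: a liveness test on a PID file of the kind a samba.mon monitor service loops over (a non-zero exit of the monitor is what makes MC/ServiceGuard fail the package over), and a guarded clean-up of the stale locking.tdb that refuses to touch anything while an smbd from the previous instance is still running, so that two instances never share the same lock files. The per-package directory layout (/var/opt/samba/pkg1/locks, with smbd.pid and nmbd.pid written there by the pid directory setting) is assumed from the sample smb.conf earlier in this chapter.

```shell
#!/bin/sh
# Added example for the HA package scripts: not from the HP CIFS product.
# Assumes per-package directories such as /var/opt/samba/pkg1/locks that
# hold smbd.pid, nmbd.pid and locking.tdb (pid directory = lock directory).

# pid_alive PIDFILE: returns 0 if PIDFILE names a running process,
# 1 if the file is missing, unreadable, empty or names a dead process.
pid_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -cd '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# clean_stale_locks LOCKDIR PIDFILE: before the package starts, remove the
# locking.tdb left behind by a previous instance, but only when no smbd
# listed in PIDFILE is still running. Returns 0 when the directory is
# clean, 2 when an instance is still alive and nothing was touched.
clean_stale_locks() {
    lockdir=$1
    pidfile=$2
    if pid_alive "$pidfile"; then
        echo "smbd from $pidfile is still running; refusing to clean $lockdir" >&2
        return 2
    fi
    rm -f "$lockdir/locking.tdb"
    return 0
}

# monitor_loop LOCKDIR [INTERVAL]: what a samba.mon service loops over;
# returns 1 as soon as smbd or nmbd disappears, which fails the package.
monitor_loop() {
    lockdir=$1
    interval=${2:-10}
    while :; do
        pid_alive "$lockdir/smbd.pid" || { echo "smbd is gone" >&2; return 1; }
        pid_alive "$lockdir/nmbd.pid" || { echo "nmbd is gone" >&2; return 1; }
        sleep "$interval"
    done
}

# Dispatch only when invoked with arguments, so the file can also be
# sourced from samba.cntl or samba.mon.
case "${1:-}" in
    clean)   clean_stale_locks "$2" "$3" ;;
    monitor) monitor_loop "$2" "${3:-10}" ;;
esac
```

Typical use from the package scripts: clean /var/opt/samba/pkg1/locks /var/opt/samba/pkg1/locks/smbd.pid in the customer-defined run commands of samba.cntl before starting the daemons, and monitor /var/opt/samba/pkg1/locks 10 as the SERVICE_CMD in samba.mon.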
Example: vxdg -s init dgha c4t2d3
See the disk group created: vxdg list
Add the disk group to the cluster: cfsdgadm add all=sw
Example: cfsdgadm add dgha all=sw
Activate the disk group: cfsdgadm activate
Example: cfsdgadm activate dgha
Create volumes: vxassist -g make
Example:
vxassist -g dgha make lvol1 1024M
vxassist -g dgha make lvol2 2048M
newfs -F vxfs /dev/vx/rdsk/dgha/lvol1
newfs -F vxfs /dev/vx/rdsk/dgha/lvol2
Add volumes: cfsmntadm add
Any CFS mount points should be declared as dependencies in the samba.conf file to ensure that the resource is available before the package is started and to monitor the resource's availability. See the following example of samba.conf. The samba.conf file: The samba.
13 HP-UX Configuration for HP CIFS
This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections:
• HP CIFS Process Model
• TDB Memory Map for HP CIFS Server
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS
The following information should be considered as general guidelines and not a rigid formula for determining the resource requirements of an HP CIFS server running on HP-UX 11i v1 and v2.
CIFS Server processes. It is not safe to modify the memory map settings using a procedure other than the one mentioned above.
Mostly Private Address Space (MPAS) Support on HP-UX 11i v2 IA and 11i v3 IA systems
HP CIFS Server A.02.03 provides the MPAS enhancement to support memory-mapped access of all TDB files on HP-UX 11i v2 IA and 11i v3 IA systems. With this functionality, each process uses a private, process-specific address.
Constraints
The HP CIFS Server TDB memory map support has the following constraints:
• NOTE: Do not have binaries from mixed versions of mmap and non-mmap daemons/utilities of CIFS Server in the /opt/samba/bin subdirectory.
• You must use the tdbbackup utility to back up TDB files; do not use the cp command to back up TDB files.
Overview of Kernel Configuration Parameters
The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.
• maxusers: the name of this kernel parameter is a misnomer, as it does not directly control the number of UNIX users that can log on to HP-UX. However, this kernel parameter is used in various formulae throughout the kernel.
Configuring Kernel Parameters for HP CIFS
The first step in configuring HP-UX to support a large number of clients on an HP CIFS server is to adjust the maxusers kernel parameter. The second step involves adjusting nproc, nfile, nflocks and ninode individually so as to allow a large number of users to be connected simultaneously.
1. Configuring maxusers
Determine the maximum number of simultaneous clients that will be connected and add this number to the current value of maxusers.
Memory Requirements
Each smbd process will need approximately 2 MB of memory on 11i v1 and 4 MB on 11i v2. For 2048 clients, therefore, the system should have at least 4 GB of physical memory on 11i v1 and 8 GB on 11i v2. This is over and above the requirements of other applications that will be running concurrently with HP CIFS.
Glossary
A
ACL Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support, and different file systems define different access rights.
P
Public Key An encryption method by which two users exchange data securely, but in one direction only. A user, who has a private key, creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data.
Public Key Infrastructure Method of managing public key encryption.
Index Symbols /etc/nsswitch.conf, 84, 137 /etc/nsswitch.ldap, 84 /etc/pam.conf, 137 A Access Control Lists, 41 VxFS, 41 ACLs. See Access Control Lists, 41 adding ACE entries, 44 B base DN, 84 boot, 82 C Change Notify, 38 CIFS protocol, 17 CIFS/9000 Server installation requirements, 25 Common Internet File System.
Q quick configuration, 83 R reboot, 82 S Samba server description, 19 features, 19 name list, 46 requirements and limitations, 25, 81, 167 schema, posix, RFC 2307, 83 Server Message Block, 17, 19 setting new ACLs, 44 setup program, 83, 137 SMB.