HP CIFS Server 3.0f Administrator's Guide version A.02.03
5 Windows 2000/2003 Domains
Introduction
This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an
ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain Member Server” in Chapter
4, "NT Style Domains".
By default, Windows 2000/2003 Servers use the Kerberos authentication protocol for
increased security. By joining an HP CIFS Server to the Windows 2000/2003 ADS domain as a Member
Server, HP CIFS Server can also participate in the increased security. The HP-UX Kerberos Client software
and LDAP-UX Integration software are required to enable HP CIFS Server Windows 2000/2003 ADS domain
member capability.
This chapter provides instructions for joining an HP CIFS Server to a Windows 2000/2003 ADS Domain.
For detailed information about Kerberos, see Chapter 8 “Kerberos Support” and the white paper
"HP CIFS Server and Kerberos", available at the following web site:
http://docs.hp.com/en/netcom.html#CIFS%20%28Common%20Internet%20File%20System%29
For detailed information about LDAP, see Chapter 6 “LDAP Integration Support”.
HP CIFS and Other HP-UX Kerberos Applications Co-existence
Because the HP CIFS Server stores the Kerberos secret key in /var/opt/samba/private/secrets.tdb
by default, the standard CIFS Kerberos configuration can only be used by HP CIFS Server users. If other
HP-UX applications use the /etc/krb5.keytab file, a mismatch of keys occurs resulting in failure for CIFS
or the other applications depending upon which key is the latest. Moreover, HP-UX Internet Services users
cannot use system Kerberos libraries to access system resources because of a mismatch in Kerberos libraries
on the system. The Internet Services (IS) suite utilizes its own Kerberos library set which is delivered with the
Internet Services product.
If you wish to use Kerberos in your network for other products as well as HP CIFS Server, you may generate
an /etc/krb5.keytab file from an HP CIFS Server and configure HP CIFS Server to access the secret key
from the /etc/krb5.keytab file instead of the /var/opt/samba/private/secrets.tdb file. This feature
provides Kerberos interoperability between HP CIFS Server users and HP-UX Internet Services users. See
Chapter 8 “Kerberos Support”, for proper configuration.
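The key mismatch described above can be checked for from the keytab side. The following is an added example, not part of the HP guide or the HP CIFS Server product: it compares the newest key version number (KVNO) held in a keytab with the version the domain controller currently holds for the same principal. It assumes the MIT-style `klist -k` listing layout; the sample listing, host name, realm and function names are constructed for illustration, and the domain controller's KVNO is supplied by the administrator.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT-style layout assumed).
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------
   2 host/cifs1.example.com@EXAMPLE.COM
   3 host/cifs1.example.com@EXAMPLE.COM
   2 cifs/cifs1.example.com@EXAMPLE.COM
EOF
}

# newest_kvno PRINCIPAL
# Reads a klist -k listing on stdin and prints the highest KVNO stored for
# PRINCIPAL, or 0 when the keytab has no entry for it.
newest_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $2 == p && $1 + 0 > max { max = $1 + 0 }
        END { print max + 0 }'
}

# keytab_status PRINCIPAL DC_KVNO
# Reads a klist -k listing on stdin and prints one of:
#   missing - no key for PRINCIPAL in the keytab
#   stale   - the keytab key is older than the key the domain controller holds,
#             so services reading this keytab fail to authenticate
#   current - the keytab holds the domain controller's key version (or newer)
keytab_status() {
    have=$(newest_kvno "$1")
    if [ "$have" -eq 0 ]; then
        echo missing
    elif [ "$have" -lt "$2" ]; then
        echo stale
    else
        echo current
    fi
}

# Stand-alone run against the constructed listing, with DC_KVNO assumed to be 3.
for p in host/cifs1.example.com@EXAMPLE.COM cifs/cifs1.example.com@EXAMPLE.COM; do
    printf '%s %s\n' "$p" "$(sample_klist | keytab_status "$p" 3)"
done
```

On a live system, pipe the real `klist -k` output into `keytab_status` instead of `sample_klist`.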
HP-UX Kerberos Client Software and LDAP Integration Software Dependencies
Kerberos v5 Client version 1.3.5 or later is required to support HP CIFS Server integration with a
Windows 2003 ADS Domain Controller (DC). Kerberos Client version 1.0 was originally bundled on HP-UX
11i v1 and v2.
The following lists HP-UX Kerberos Client software dependencies:
• Kerberos Client version 1.3.5 or later is required for keytab file support.
• Kerberos Client version 1.3.5 or later is required for RC4-HMAC encryption type support.
• Kerberos Client version 1.3.5.03 requires Service Pack 1 on Windows 2003.
You can download the Kerberos v5 Client (KRB5CLIENT) product from the following Software Depot web
site:
http://www.hp.com/go/softwaredepot
Enter KRB5CLIENT in the search field.
The Kerberos v5 Client product requires that you install patches on your HP-UX 11i v1 and v2 systems.
Refer to the HP CIFS Server 3.0d Release Notes version A.02.02 for detailed patch information.
For the latest LDAP Integration software, download the product from the following web site:
http://www.hp.com/go/softwaredepot
Enter LDAP-UX Integration for HP-UX in the search field.