HP CIFS Server 3.0i Administrator's Guide version A.02.03.
© Copyright 2007 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About This Document
This document describes how to install, configure, and administer the HP CIFS Server product. It augments The Samba HowTo Collection and Using Samba, 2nd Edition, the books supplied with the HP CIFS Server product, and provides additional HP-UX specific variations, features, and recommendations. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.
Table 2 Publishing History Details (continued)

Document Manufacturing Part Number   Operating Systems Supported   Supported Product Versions   Publication Date
B8725-90118                          11i v2 and v3                 A.02.03.01                   June 2007
B8725-90133                          11i v1, v2 and v3             A.02.03.03                   January 2008

Document Organization
This manual describes how to install, configure, administer and use the HP CIFS Server product.
HP Welcomes Your Comments
HP welcomes your comments and suggestions on this document. We are truly committed to providing documentation that meets your needs. You can send comments to: netinfo_feedback@cup.hp.com
Please include the following information along with your comments:
• The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual.
• The section numbers and page numbers of the information on which you are commenting.
1 Introduction to the HP CIFS Server
This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS Server is based, HP enhancements to the Samba source, and the various documentation resources available for HP CIFS.
HP CIFS Server Description and Features
The HP CIFS Server product implements many Windows Server features on HP-UX.
Samba Open Source Software and HP CIFS Server
Since the HP CIFS Server source is based on Samba open source software, it gains the advantages of the evolutionary growth and improvement efforts of Samba developers around the world. In addition, HP CIFS Server also provides the following support:
• Includes Samba defect fixes and features only when they meet expectations for enterprise reliability.
• Provides HP developed defect fixes and enhancement requests for HP customers.
HP CIFS Server Documentation: Printed and Online
The set of documentation that comprises the information you will need to explore the full features and capabilities of the HP CIFS product consists of non-HP books available at most technical bookstores, and this printed and online manual, HP CIFS Server Administrator's Guide, available on the following web site: http://www.docs.hp.
HP CIFS Documentation Roadmap
Use the following road map to locate the Samba and HP CIFS documentation that provides details of the features and operations of the HP CIFS Server.

Table 1-1 Documentation Roadmap

HP CIFS Product      Document Title: Chapter: Section
Server Description   HP CIFS Server Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Server"
                     Samba Meta FAQ No. 2, "General Information about Samba"
                     Samba FAQ No. 1, "General Information"
                     Samba Server FAQ: No.

Table 1-1 Documentation Roadmap (continued)

HP CIFS Product             Document Title: Chapter: Section
SMB & CIFS Network Design   Using Samba: Chapter 1, "Learning the Samba"
                            Samba Meta FAQ No.
HP CIFS Server File and Directory Roadmap
The default base installation directory of the HP CIFS Server product is /opt/samba. The HP CIFS configuration files are located in the directory /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba. Table 1-2 briefly describes the important directories and files that comprise the CIFS Server.
2 Installing and Configuring the HP CIFS Server
This chapter describes the procedures to install and configure the HP CIFS Server software.
Refer to Chapter 13, "HP-UX Configuration for HP CIFS" in this manual for more detailed information.
Software Requirements
The following describes software requirements:
• HP CIFS Server A.02.01 or later requires the LDAP-UX Integration product, J4269AA, to be installed.
• Kerberos v5 Client version 1.3.5 or later is required to support HP CIFS Server integration with a Windows 2003 ADS Domain Controller (DC).
$ tar -cvf /tmp/cifs_save/etc_backup.tar /etc/opt/samba
$ tar -cvf /tmp/cifs_save/optsamba_backup.tar /opt/samba
Do not use the -o option with the tar command. This will ensure proper file ownership.
If a problem with the upgrade does occur, use SD to remove the entire HP CIFS Server product and restore your previous backup version. Once this is done, you may restore the saved configuration files and the HP CIFS Server. For example:
$ tar -xvf /tmp/cifs_save/var_backup.
1. Use the umount command to unstack CFSM from any file system where it is stacked. For example, the following command unstacks CFSM when unmounting the physical file system mounted on /mnt:
umount /mnt
2. Use the following commands to set both the cfsm and cfsmdr modules to the unused state:
kcmodule cfsmdr=unused
kcmodule cfsm=unused
Steps After Updating the HP CIFS Server
Use the following steps after the update of the HP CIFS Server is complete:
1.
• Provide the following information if you choose to use the Windows Active Directory Server (ADS) realm:
— the name of your realm
— the name of your Domain Controller
— administrator user name and password
— LDAP-UX Integration product is installed
— Ensure that the most recent Kerberos client product is installed
For detailed information on how to join an HP CIFS Server to a Windows 2000/2003 Domain using Kerberos security, see Chapter 5 "Windows 2000/2003 Domains".
For the CIFS Client configuration, in the /etc/opt/cifsclient/cifsclient.cfg file, ensure the following default is set:
caseSensitive = yes
Configure DOS Attribute Mapping
map system, map hidden and map archive Attributes
There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to the owner, group, and other execute bits in the UNIX file system. When using the CIFS Client, you may want to have all three of these parameters turned off.
Information about setting up and configuring each of the Print Services (except ACLs) is shown in the following sections. Information about configuring ACL Support is discussed in a previous section.
Configuring a [printers] share
The following is a minimal printing setup. Use either one of the following two procedures to create a [printers] share:
1. SWAT (Samba Administration Tool)
-or-
2. Create a [printers] share in the /etc/opt/samba/smb.conf file.
In this example, the parameter "write list" specifies that administrative-level user accounts will have write access for updating files on the share.
2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported.
1. Create the printer shares for each printer and a [printers] share in the smb.conf file. The following is an example of a [printers] share:
[printers]
path = /tmp
printable = yes
browseable = yes
See the following example for setting up a specific printer share, where lj1005 is the name of the printer:
[lj1005]
path = /tmp
printable = yes
2. Create a [print$] share in the smb.conf file and set the path parameter to a directory named /etc/opt/samba/printers.
Figure 2-1 Publishing Printer Screen
Verifying that the Printer is Published
On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published.
Commands Used for Publishing Printers
This section describes the net ads printer command used for publishing printers support on an HP CIFS Server.
Searching Printers
To search for a printer across the entire Windows 2000/2003 ADS domain, run the following command:
$ net ads printer search
Without specifying the printer name, the command searches all printers available on the ADS domain.
NOTE: HP does not recommend filesharing of the root directory. Only subdirectories under the root should be set up for filesharing.
Setting Up a DFS Tree on an HP CIFS Server
After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure an HP CIFS server as a DFS server by modifying the smb.
In this example, "serverC" is the alternate path for "linkb". Because of this, if "serverB" goes down, "linkb" can still be accessed from "serverC". "linka" and "linkb" are share names. Accessing either one will take users directly to the appropriate share on the network.
Winbind execution may be controlled without affecting the execution of smbd and nmbd with the following commands.
Run the following command to start winbind alone:
/opt/samba/bin/startwinbind
Run the following command to stop winbind alone:
/opt/samba/bin/stopwinbind
NOTE: HP does not support the inetd configuration to start the HP CIFS Server.
• hosts allow
• hosts deny
• hosts equiv
• preload modules
• wins server
• vfs objects
• idmap backend
Other Samba Configuration Issues
Translate Open-Mode Locks into HP-UX Advisory Locks
The HP CIFS Server A.02.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients.
not be able to make use of locking mechanisms when multiple systems are involved. You need to be aware of the following things when using HP CIFS Server in either an NFS or a Veritas CFS environment:
• CIFS Server running simultaneously on multiple nodes should not use either NFS or Veritas CFS to concurrently share the smb.conf configuration and its subordinate CIFS system files in /var/opt/samba/locks and /var/opt/samba/private.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction
This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACLs) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
UNIX File Permissions and POSIX ACLs
The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients.
Special Access(RWDPO)
You can also display the UNIX owner in the Windows NT Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.
UNIX Owning Group Translation in NT ACL
The owning group on a UNIX file system is represented on the Windows NT client with the take ownership (O) permission.
Table 3-2 NT Access Type Maps to UNIX Permission (continued)

NT access type        UNIX Permission
Special Access(WX)    -wx
Special Access(RWX)   rwx
Special Access        r--

When mapping to UNIX file permissions from NT, you will not be able to add new NT ACL entries, because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries. Conversely, you cannot delete any of the three entries listed above, as these entries are required by UNIX.
Figure 3-2 Windows NT Special Access Permissions
The VxFS POSIX ACL File Permissions
VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.
• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.
• VxFS POSIX ACLs support default Access Control Entries (ACEs) for directory permissions.
This section describes how to add new entries to the ACE list:
• Click the Add button in the File/Directory Permissions dialog box of the Windows NT GUI to bring up the Add Users and Groups dialog box.
Figure 3-3 Windows NT Explorer File Permissions
NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.
Figure 3-5 Windows NT Explorer Add Users and Groups Dialog Box
• Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.
• Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local UNIX groups and the users in this list.
administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one. Samba supports the creation of ACEs with NT user names that are mapped to UNIX user names. To continue the example above, you could create an ACE for the administrator user on the NT client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user.
Table 3-4 UNIX Permission Maps Windows 2000/XP Client Permissions (continued)

UNIX Permission   Permission Shown on Windows 2000/XP Clients
-w-               Write: Write Attributes, Write Extended Attributes, Append Data, Write Data, Read Permissions
--x               None: Execute or Traverse Folder, Read Attributes, Read Permissions
r-x               Read and Execute: All Read Permissions as in the first cell, Execute or Traverse Folder
rw-               Read, Write: All Read Permissions as in the first cell, All Write Permissions as in the second cell
r
Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions (continued)

Windows 2000/XP                  UNIX Permission
Delete (Advanced)                * see explanation following table
Change Permissions (Advanced)    * see explanation following table
Take Ownership (Advanced)        * see explanation following table

* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows 2000/XP clients.
Viewing ACLs from Windows 2000 Clients
1. Right-click on a file and select Properties
2. Click on the Security tab
Displaying the Owner of a File
1. Click on Advanced
2. Click on the Owner tab on the Access Control Settings dialog box
HP CIFS Server Directory ACLs and Windows 2000/XP Clients
Directory ACL Types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself.
Viewing Basic ACLs from Windows 2000 Clients
Viewing Advanced ACLs from Windows 2000 Clients
1. Right-click on a file or a directory and select Properties
2. Click on the Security tab
3. Click on the Advanced button
Figure 3-8 Advanced ACL View
Mapping Windows 2000/XP Directory Inheritance Values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
Table 3-6 Mapping Table for Inheritance Values to POSIX (continued)

Inheritance Value          POSIX Mapping by HP CIFS Server
Subfolders and Files only  Maps to default ACE for this directory.
Subfolders only            This type is not supported and any ACE with this type is ignored by the HP CIFS Server.
Files only                 This type is not supported and any ACE with this type is ignored by the HP CIFS Server.
Figure 3-10 Modifying an ACE Type With Apply To value
IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both the Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.
default:owning group:r-x
default:other:r-x
In example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of the changes to the directory ACEs on the HP CIFS Server:
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning gro
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
access:other group:rw-
default:owner:rwx
default:owning group:r-
default:other group:r-w
In example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server removes both the access other group and the default other group ACE entries.
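The behaviour described in examples 1 and 3, as an added example that is not HP's code: a parser for the ACL listing format used above and a function that emulates which ACEs the HP CIFS Server keeps after a Windows client omits some. The listing, the directory and the group names are constructed; the rule that a required default ACE is regenerated from its access ACE only while other default ACEs remain is this example's own generalization of example 1.

```python
from __future__ import annotations

from dataclasses import dataclass

# The three ACEs UNIX requires in every access ACL (and, when a default ACL
# exists at all, in the default ACL too).
REQUIRED_TAGS = ("owner", "owning group", "other")


@dataclass(frozen=True)
class Ace:
    scope: str   # "access" (the directory itself) or "default" (inherited)
    tag: str     # "owner", "owning group", "other", or a named entry
    perms: str   # exactly three characters drawn from r, w, x and -


def parse_acl(listing: str) -> list[Ace]:
    """Parse a '<scope>:<tag>:<perms>' listing; '# ...' header lines are skipped."""
    aces: list[Ace] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 3 or parts[0] not in ("access", "default"):
            raise ValueError(f"unrecognised ACE line: {line!r}")
        scope, tag, perms = parts
        if len(perms) != 3 or any(c not in "rwx-" for c in perms):
            raise ValueError(f"bad permission string in {line!r}")
        aces.append(Ace(scope, tag, perms))
    return aces


def _order(ace: Ace) -> tuple[int, int, str]:
    """Sort key: access before default, required tags before named ones."""
    rank = REQUIRED_TAGS.index(ace.tag) if ace.tag in REQUIRED_TAGS else 3
    return (int(ace.scope != "access"), rank, ace.tag)


def reconcile(stored: list[Ace], received: list[Ace]) -> list[Ace]:
    """Return the ACL the server keeps after a client sends `received`
    (the client omits every ACE whose Allow and Deny boxes were cleared).

    Rules modelled from the page:
      * a named entry the client omitted is removed (example 3);
      * a required access entry cannot be deleted, so the stored one is kept
        (assumption: the page only says it cannot be deleted);
      * a required default entry omitted while other default entries remain
        is regenerated from the matching access entry (example 1)."""
    current = {(a.scope, a.tag): a for a in stored}
    result = {(a.scope, a.tag): a for a in received}
    for tag in REQUIRED_TAGS:
        key = ("access", tag)
        if key not in result:
            if key not in current:
                raise ValueError(f"stored ACL lacks the required access:{tag} entry")
            result[key] = current[key]
    if any(scope == "default" for scope, _ in result):
        for tag in REQUIRED_TAGS:
            if ("default", tag) not in result:
                result[("default", tag)] = Ace("default", tag, result[("access", tag)].perms)
    return sorted(result.values(), key=_order)


def format_acl(aces: list[Ace]) -> list[str]:
    return [f"{a.scope}:{a.tag}:{a.perms}" for a in aces]


# Constructed directory ACL in the page's listing style; testgroup is a named
# group shown with the "other group" tag, as in the page's example 3.
STORED_LISTING = """\
# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:rwx
access:other:rwx
access:other group:rw-
default:owner:rwx
default:owning group:r-x
default:other:r-x
default:other group:r--
"""


def client_removes(aces: list[Ace], *keys: tuple[str, str]) -> list[Ace]:
    """What the Windows client sends after the user clears those ACEs."""
    return [a for a in aces if (a.scope, a.tag) not in keys]


def example_remove_default_owning_group() -> list[str]:
    stored = parse_acl(STORED_LISTING)
    sent = client_removes(stored, ("default", "owning group"))
    return format_acl(reconcile(stored, sent))


def example_remove_named_group() -> list[str]:
    stored = parse_acl(STORED_LISTING)
    sent = client_removes(stored, ("access", "other group"), ("default", "other group"))
    return format_acl(reconcile(stored, sent))


if __name__ == "__main__":
    print("\n".join(example_remove_default_owning_group()), end="\n\n")
    print("\n".join(example_remove_named_group()))
```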
Figure 3-11 Selecting a new ACE user or group
IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.
POSIX Default Owner and Owning Group ACLs
With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. With HP CIFS Server versions A.01.09 and below, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on the corresponding access and default ACEs. With HP CIFS Server version A.01.
4 NT Style Domains
Introduction
This chapter describes how to configure the roles that an HP CIFS Server can play in an NT style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or an NT Domain with a Microsoft NT Primary Domain Controller (PDC). Configuration of Member Servers joining an NT style domain or a Windows 2000/2003 Domain as a pre-Windows 2000 compatible computer is described here.
Backup Domain Controllers
Advantages of Backup Domain Controllers
HP CIFS Server with BDC support provides the following benefits to the customer:
• The BDC can authenticate user logons for users and workstations that are members of the domain when the wide area network link to a PDC is down.
• A BDC plays an important role in both domain security and network integrity.
• The BDC can pick up network logon requests and authenticate users while the PDC is very busy on the local network.
encrypt passwords = yes
[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
writeable = no
guest ok = no
[profiles]
comment = profiles Service
path = /etc/opt/samba/profiles
read only = no
create mode = 600
directory mode = 770
2. The smb.
security = user
[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
writeable = no
guest ok = no
• The smb.
encrypt passwords = yes
netbios name = myserver
• The smb.conf file is as shown if the HP CIFS Server acting as a member server uses the LDAP backend to store UNIX and Samba account databases:
[global]
workgroup = NTDOM
security = domain
encrypt passwords = yes
passdb backend = ldapsam:ldap://ldapserver:389
netbios name = myserver
NOTE: workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.
Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain
This section describes the procedures to join an HP CIFS Server to an NT domain, Windows 2000/2003 (as a pre-Windows 2000 computer) or Samba domain as a member server.
Step-by-step Procedure
1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC.
The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false.
• Use the following command to create the posixAccount entry for a Windows client in the LDAP directory if LDAP is enabled:
$ /opt/ldapux/bin/ldapmodify -a -D "cn=Directory Manager" -w dmpasswd -h ldaphostA -f new.ldif
$
Where LDIF update statements specified in the new.
objectClass: posixAccount
objectClass: sambaSamAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logofftime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
rid: 1206
primaryGroupID: 1041
lmPassword: E0AFF63989B8FA6576549A685C6AFAF1
ntPassword: E0AFF63989B8FA6576549A685C6AFAF1
acctFlags: [W ]
displayName: client
where domguest is the name of a Domain Guest. Be sure that all of the users that were created (see the example above) have been added to the /etc/passwd file.
Join a Windows Client to a Samba Domain
1. Verify the following parameters in the smb.conf file: Set the security parameter to "user". Set the workgroup parameter to the name of the domain. Set the encrypt passwords parameter to "yes".
[global]
security = user
workgroup = SAMBADOM #SAMBA Domain name
domain logon = yes
encrypt passwords = yes
2.
sn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/client1$
loginShell: /bin/false
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logofftime: 2147483650
kickoffTime: 2147483650
pwdCanChange: 0
pwdMustChange: 2147483650
rid: 1206
primaryGroupID: 1041
acctFlags: [W ]
displayName: client1$
3.
5. From the Windows NT desktop, click 'Start', 'Settings' and 'Control Panel'. When the Control Panel window opens, double-click on the 'Network' icon. When the 'Network' window opens, click the 'Identification' tab. Refer to Figure 4-1 below.
6. Enter the Samba domain name in the 'Domain' field, and click on the 'Change' button. Refer to Figure 4-3 below.
domain logon = yes
2. Create a [profiles] share for roaming profiles. Set profile acls = yes for the profile share used for the user profile files. Do not set profile acls = yes on normal shares, as this will result in incorrect ownership of the files created on those shares.
Home Drive Mapping Support
An HP CIFS Server provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.conf file:
• logon home
• logon drive
Example:
[global]
logon drive = H:
logon home = \\%L\%U
Trust Relationships
Trust relationships enable pass-through authentication for users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain.
2. Run smbpasswd to add a trusting domain Samba account to your trusted domain backend database and create a password for the trusting account. This password is used by the trusting domain when it establishes the trust relationship.
$ smbpasswd -a -i
Log on as root and execute the following steps on the trusting domain PDC:
• Run net rpc trustdom to establish the trust and type the password that was created with the smbpasswd command on the trusted domain PDC.
5 Windows 2000/2003 Domains
Introduction
This chapter describes the process for joining an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see "Domain Member Server" in Chapter 4, "NT Style Domains". By default, Windows 2000/2003 Servers utilize the Kerberos authentication protocol for increased security.
The Kerberos v5 Client product requires that you install the patches on your HP-UX 11i v1 and v2 systems. Refer to HP CIFS Server 3.0d Release Notes version A.02.02 for detailed patch information. For the latest LDAP Integration software, download the product from the following web site: http://www.hp.com/go/softwaredepot Enter LDAP-UX Integration for HP-UX in the search field.
10. Access the web browser at: http://ads_CA_server/certsrv
Steps to Download the CA Certificates From Windows CA Server
Use the following steps to download the Certificate Authority certificates from a Windows 2003 CA Server using Mozilla browser 1.6.0.01.00:
1. You must install the Mozilla browser on your HP-UX system.
2. Log in to your HP CIFS Server machine as root.
3. Use the following command to set up your DISPLAY environment variable on your HP CIFS Server machine:
export DISPLAY=your_machine_IP:0.0
4.
Configuring HP CIFS Server to Enable startTLS
To configure HP CIFS Server to enable startTLS in a Windows 2000/2003 domain, you must configure the smb.conf file, which specifies the name of the ADS Kerberos realm, ADS security, startTLS enabled, the NetBIOS name or IP address of the Windows ADS PDC machine, the LDAP port number and the location of the certificate database files, cert8.db and key8.db. The following is an example for the [Global] section of the /etc/opt/samba/smb.
ldap server
This string parameter specifies the host name of the LDAP ADS PDC Server where you want to store your data.
ldap ssl
This parameter specifies the SSL/TLS support. Specify Yes to enable the SSL feature, using the encrypted port number 636 to connect to the LDAP ADS server. If you choose to use startTLS, set this parameter to start_tls, using the un-encrypted port number 389 to connect to the LDAP ADS server. To disable SSL, set it to No. The default value is No.
5. In the permission entries list, select Account operators (YOURADS_DOMAIN\Account operators) with the Create/Delete Computer Objects permission.
6. Click on the Add button.
7. Click on the Advanced button.
8. Click on "Object Type" to restrict the search scope to "Users" only.
9. Leave only the "Users" check box selected and clear all the other check boxes.
10. Click on the OK button.
11. Click on the Find Now button to look for normal user names.
[realms]
MYREALM.XYZ.COM = {
kdc = adsdc.myrealm.xyz.com:88
admin_server = adsdc.myrealm.xyz.com
}
[domain_realm]
.xyz.com = MYREALM.XYZ.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
NOTE: You must configure the port number :88 after the node name specified for the kdc entry in the [realms] section. Kerberos v5 uses the port number 88 for the KDC service. For detailed information on how to configure the /etc/krb5.
workgroup = MYREALM # Domain Name
realm = MYREALM.XYZ.COM
security = ADS
domain master = no
encrypt passwords = yes
password server = adsdc.myrealm.xyz.com
netbios name = MYSERVER
Then join the ADS domain by manually executing the "net ads join -U Administrator%password" command.
NOTE: If you use the startTLS feature for strong authentication support, see the "Configuring HP CIFS Server to Enable startTLS" section for more information about smb.conf configuration.
5.
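As an added example (not HP's or Samba's code), the following lint reads a constructed smb.conf [global] section and krb5.conf [realms] section and reports settings that contradict this chapter's ADS member-server setup: security = ADS, a realm, domain master = no, encrypt passwords = yes, an ldap ssl value that does not leave the LDAP connection to the domain controller in cleartext, and kdc entries carrying :88. The host and realm names follow the page's example; the parsers and the wording of the findings are this example's own.

```python
from __future__ import annotations

import re


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Flat smb.conf parser: '[section]' headers, 'name = value' lines, and
    '#'/';' comments (an inline comment after a value is dropped, as in the
    page's 'workgroup = SAMBADOM #SAMBA Domain name'). Section and parameter
    names are lower-cased because Samba matches them case-insensitively;
    collapsing inner whitespace in names is this example's own choice."""
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current][" ".join(name.lower().split())] = value.strip()
    return sections


def kdc_entries(krb5_text: str) -> dict[str, list[str]]:
    """Return {REALM: [kdc values]} from the [realms] section of krb5.conf."""
    section = re.search(r"\[realms\](.*?)(?=^\[|\Z)", krb5_text, re.S | re.M)
    if not section:
        return {}
    realms: dict[str, list[str]] = {}
    for name, body in re.findall(r"(\S+)\s*=\s*\{(.*?)\}", section.group(1), re.S):
        realms[name] = re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M)
    return realms


def lint_ads_member(smb_conf: str, krb5_conf: str) -> list[str]:
    """Report settings that contradict the chapter's ADS member-server setup."""
    g = parse_smb_conf(smb_conf).get("global", {})
    findings: list[str] = []
    if g.get("security", "").lower() != "ads":
        findings.append("security must be ADS for a Windows 2000/2003 ADS member server")
    realm = g.get("realm", "")
    if not realm:
        findings.append("realm is not set; the ADS Kerberos realm name is required")
    if g.get("encrypt passwords", "yes").lower() != "yes":
        findings.append("encrypt passwords must be yes")
    if g.get("domain master", "no").lower() != "no":
        findings.append("domain master must be no on a member server")
    # The page states the default for ldap ssl is No, i.e. cleartext on 389.
    ldap_ssl = g.get("ldap ssl", "no").lower()
    if ldap_ssl == "no":
        findings.append("ldap ssl = No: LDAP traffic to the ADS DC is unencrypted on "
                        "port 389; set Yes (SSL, port 636) or start_tls")
    elif ldap_ssl not in ("yes", "start_tls"):
        findings.append(f"ldap ssl has unrecognised value {ldap_ssl!r}")
    realms = kdc_entries(krb5_conf)
    if realm and realm.upper() not in realms:
        findings.append(f"krb5.conf has no [realms] entry for {realm}")
    for name, kdcs in realms.items():
        if not kdcs:
            findings.append(f"realm {name} lists no kdc")
        for kdc in kdcs:
            if not kdc.endswith(":88"):
                findings.append(f"kdc {kdc} in realm {name} must carry the port number :88")
    return findings


# Constructed samples; realm and host names follow the page's example.
GOOD_SMB_CONF = """\
[global]
   workgroup = MYREALM          # Domain Name
   realm = MYREALM.XYZ.COM
   security = ADS
   domain master = no
   encrypt passwords = yes
   password server = adsdc.myrealm.xyz.com
   netbios name = MYSERVER
   ldap ssl = start_tls
"""

WEAK_SMB_CONF = """\
[Global]
   workgroup = MYREALM
   security = user
   domain master = yes
   encrypt passwords = yes
   netbios name = MYSERVER
   ldap ssl = No
"""

GOOD_KRB5_CONF = """\
[realms]
   MYREALM.XYZ.COM = {
      kdc = adsdc.myrealm.xyz.com:88
      admin_server = adsdc.myrealm.xyz.com
   }
[domain_realm]
   .xyz.com = MYREALM.XYZ.COM
"""

# Same realm, but the kdc entry omits the :88 the page's NOTE requires.
WEAK_KRB5_CONF = GOOD_KRB5_CONF.replace("adsdc.myrealm.xyz.com:88", "adsdc.myrealm.xyz.com")

if __name__ == "__main__":
    for label, smb, krb in (("good", GOOD_SMB_CONF, GOOD_KRB5_CONF),
                            ("weak", WEAK_SMB_CONF, WEAK_KRB5_CONF)):
        print(label, lint_ads_member(smb, krb) or ["no findings"])
```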
1. From the Start menu, select Programs -> Administrative Tools -> Active Directory Domains and Trusts
2. Right click on the desired Windows domain name, and select Properties
3. Select the tab Trusts
4. Perform one of the following actions as desired:
• To add Windows 2000 as a trusting domain, click the Add button next to the box titled "Domains trusted by this domain". For "Trusted Domain", enter the Samba PDC domain name.
3. Run smbpasswd to add a trusting Windows domain Samba account to your trusted Samba domain database and create a password for the trusting account. Use the same trusting Windows domain name specified in step 1. This password is used by the trusting Windows domain when it establishes the trust relationship. For example, the following command adds the trusting Windows domain account, windomainA, to the Samba domain database:
smbpasswd -a -i windomainA$
4.
6 LDAP Integration Support

This chapter describes the HP CIFS Server with LDAP integration. It includes benefits of LDAP, procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
NOTE: While the HP CIFS Server may operate satisfactorily with other LDAP products, HP only provides LDAP support for the HP CIFS Server with HP LDAP-UX Integration, J4269AA, HP Netscape Directory Server, J4258CA, or HP Red Hat Directory Server, NSDirSvr7, product configurations.
to PDC configuration with the exception that you set both master browser and domain master to no.

CIFS Server acting as an Active Directory Service (ADS) Member Server
ADS Member Servers use LDAP libraries and Kerberos security to access the authentication services of ADS Domain Controllers. Therefore, the LDAP-UX Integration and HP Kerberos Client Library products are required. See Chapter 5 "Windows 2000/2003 Domains" for details.
The CIFS Authentication with LDAP Integration
With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication.
Summary of Installing and Configuring
The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with the LDAP support:
• Install Directory Server, if not already installed. See "Installing the Directory Server".
• Configure Directory Server, if not already configured. See "Configuring Your Directory Server".
• Install the LDAP-UX Client Services on an HP CIFS Server, if not already installed.
Installing and Configuring Your Directory Server
This section describes how to set up and configure your Netscape/Red Hat Directory Server to work with LDAP-UX Client Services and the HP CIFS Server. See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet, for more information on directory configuration.

Installing the Directory Server
You need to set up the Netscape/Red Hat Directory Server if it is not already installed.
Configuring the LDAP-UX Client Services You need to configure the LDAP-UX Client Services if it is not already configured. This section describes major steps to configure LDAP-UX Client Services with the Netscape Directory Server 6.11/6.21 or Red Hat Directory Server 7.0/7.1. For detailed information on how to configure the LDAP-UX Client Services, see the "Configure the LDAP-UX Client Services" section of LDAP-UX Client Services Administrator's Guide at http://www.docs.hp.com.
Enter the DN of the directory user. The default value is displayed. To use the default, press the Enter key; otherwise, enter your DN. Enter the password. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile, dc=org, dc=hp, dc=com, then the base path, org.
16. Run the following command to verify your configuration:
    $ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
      "(objectclass=*)" | grep -i posix
    Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:
    objectClasses: ( 1.3.6.1.1.1.2.
Enabling Secure Sockets Layer (SSL) The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Directory Server and LDAP-UX clients. When you have enabled the LDAP server and clients, then you can configure the HP CIFS Server to use SSL.
1. Optionally, ensure that each user of the directory server obtains and installs a personal certificate for all LDAP clients that will authenticate with SSL. Downloading the certificate database from Netscape Communicator is one way to set up the certificate database on your LDAP-UX client. The certificate database files, cert7.db and key3.db, will be downloaded to either /.netscape or /.mozilla/default/*.
    ldap port = 636

If you choose to use the Start TLS option with port 389, set:
    ldap ssl = start_tls
    ldap port = 389

For detailed information on how to enable SSL on the HP CIFS Server, see "LDAP Configuration Parameters".
Extending the Samba Subschema into Your Directory Server
You now need to extend the Directory Server schema with the Samba subschema shipped with the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services before extending the schema. Set the passdb backend parameter to ldapsam:ldap://.
Migrating Your Data to the Directory Server
HP recommends that all UNIX user accounts, whether in the /etc/passwd file or in NIS database files, are migrated to the Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.
Environment Variables
When using the perl scripts to migrate individual files, you need to set the following environment variables:
LDAP_BASEDN
    The base distinguished name where you want to store your data.
systems have been configured with the same host name, then the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the host name, one for each of the IP addresses. Since distinguished names need to be unique in an LDAP directory, you need to first manually merge the IP addresses into one designated host record and delete the duplicated records in your LDIF file. A resulting merge might look as follows: ....
1. Configure the passdb backend parameter in smb.conf (this is a configuration line in the [global] section, not a shell command):
   passdb backend = ldapsam:ldap://ldaphostA.example.hp.com
2.
Configuring the HP CIFS Server
You must set up and configure your HP CIFS Server to enable the LDAP feature support.

LDAP Configuration Parameters
The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under global parameters.
    [global]
Any global setting defined here will be used by the HP CIFS Server with the LDAP support.
Table 6-3 Global Parameters (continued)
Parameter: ldap replication sleep
Description: When Samba is requested to write to a read-only LDAP replica, it is redirected to talk to the read-write master server. This server then replicates the changes back to the local server. The replication might take some seconds, especially over slow links. Certain client activities can become confused by the 'success' that does not immediately change the LDAP back-end's data.
2. Reply to the samba_setup program to configure the following global LDAP parameters in the /etc/opt/samba/smb.conf file:
   • ldap server
   • ldap port
   • ldap suffix
   • ldap admin dn
   • ldap ssl
   • ldap user suffix
   • ldap group suffix
   • ldap idmap suffix
   • ldap machine suffix
   • ldap delete dn
   • ldap passwd sync
   • ldap replication sleep
   • ldap timeout
   See "LDAP Configuration Parameters" for detailed information on how to configure these new parameters.
Creating Samba Users in the Directory
This section describes how to create and verify your Samba users in your LDAP directory.

Adding Credentials
When you use the HP CIFS Server with the LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.tdb file before creating Samba users in the LDAP directory.
2. Run the smbpasswd -a command to add the sambaSamAccount information for a user to the LDAP directory server if the smb.conf parameter, passdb backend, is set to ldapsam:
   smbpasswd -a <username>
   For example, the following command creates the Samba account for the user, cifsuser1:
   smbpasswd -a cifsuser1

Verifying Samba Users
You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries.
Management Tools HP no longer maintains the LDAP management scripts smbldap-tools which exist in the /opt/samba/LDAP3/smbldap-tools directory. The latest versions of these smbldap-tools scripts are maintained by IDEALX Open Source Security Software and are available for download at the following web site: http://samba.idealx.
7 Winbind Support

This chapter describes the HP CIFS winbind feature and explains when to use it and how best to configure its use.
Winbind provides a library routine, /usr/lib/libnss_winbind.1, that NSS can use to interface to the winbind daemon to resolve ID mappings. • User and group ID allocation When winbind is presented with a Windows SID for which there is no corresponding UID and GID, winbind generates a UID and GID.
below to customers who have multiple CIFS member servers connected to a Windows Active Directory Server (ADS) environment.

Advantages
The advantages of using the shared sambaUnixIDPool method are as follows:
    ◦ UIDs and GIDs are unique across all domain member servers that access this LDAP database.
    ◦ Native non-winbind users can be authorized using the POSIX objectclass and LDAP PAM module from the same LDAP database.
    ◦ The database can be replicated.
Winbind Process Flow Figure 7–1 shows winbind process flow in a Windows ADS Domain environment.
Winbind Supports Non-blocking, Asynchronous Functionality For HP CIFS Server A.02.03 or later, winbind supports an almost completely non-blocking, asynchronous request/reply implementation (with the exception of user and group enumeration). With this new enhancement, winbind provides better scalability in large domain environments and on high-latency networks. Winbind uses the blocking, synchronous behavior when enumerating users and groups.
When and How to Deploy Winbind

Commonly Asked Questions
This section describes a couple of common questions asked when deciding whether to use winbind:

How do I control the access that all these winbind-generated identities have?
The most common ways to control access to resources are as follows:
• Control access to the HP CIFS shares by using the valid users = [user/group name list] parameter in the smb.conf file.
Why can’t I use the net groupmap utility to map a windows group to a UNIX group, then add UNIX members to this group? The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups, so they can be recognized by Windows clients allowing them to be used when setting permissions on the local server resources. A complete SID is generated by appending the entered RID to the SID of the server, making local groups on CIFS member servers.
inter-operability including sharing identity credentials. SFU downloads and technical papers are available from Microsoft's TechNet at the following web site: http://technet.microsoft.com
SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2), so no download is necessary for this version. There are two approaches to integrate HP-UX account management and authentication with Windows SFU:
— NIS
  One of the SFU tools, Server for NIS, enables Windows to serve as a NIS server.
unique ID maps across multiple HP CIFS member servers. You can deploy winbind with the idmap rid method when your environment does not require domain trusts.
• Unified Domain Model
  In the Unified Domain environment, the Windows 2000 or 2003 Domain Controller maintains the unique user UID and GID data with Windows Services for UNIX (SFU), so it is not necessary to deploy winbind.
Configuring HP CIFS Server with Winbind
You must set up and configure your HP CIFS Server to use the winbind feature support.

Winbind Configuration Parameters
Table 7-1 shows the list of global parameters used to control the behavior of winbind. These parameters are set in the /etc/opt/samba/smb.conf file in the [global] section. Refer to the smb.conf man page for more details.
Table 7-1 Global Parameters (continued)
Parameter: template homedir
Description: This string variable specifies the home directory assigned to winbind users. For example, template homedir = /home/%U
Parameter: template shell
Description: This string variable specifies the login shell assigned to winbind users. For example, template shell = /bin/ksh
NOTE: If you want to use the default value "\" of the winbind separator parameter in smb.conf, you should comment out this parameter.
    [shareA]
        path = /tmp/shareA
        guest ok = no
        writable = yes
Configuring Name Service Switch
To use winbind support, you need to configure the Name Service Switch control file, /etc/nsswitch.conf, to use winbind as a name service for user or group name lookup. For example, you can set up the /etc/nsswitch.conf file as follows:
    passwd: files winbind
    group:  files winbind
In this example, NSS first checks the files, /etc/passwd and /etc/group, and if no entry is found, it checks winbind.
idmap Backend Support in Winbind
This section describes the idmap rid backend and the LDAP backend for idmap support when using winbind. Examples of configuration files for each backend are provided.

idmap rid Backend Support
The idmap rid facility with winbind provides a unique mapping of Windows SIDs to local UNIX UIDs and GIDs. The idmap rid facility uses the RID of the user SID to generate the UID and GID by adding the RID number to a configurable base value.
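The arithmetic behind the idmap rid backend, worked as an added example (this is not HP CIFS Server or Samba code): the RID is split off the SID and added to a per-domain base, and the reverse lookup subtracts it again. Because the result depends only on the RID and the configured base, every member server with the same settings derives the same UID for a given user without a shared database, which is the uniqueness property the text above describes. The domain SIDs, base values and ranges are constructed for illustration; a real deployment takes them from smb.conf and the domain.

```python
"""Added example: SID <-> UNIX ID mapping the way idmap rid computes it."""
import re

# S-1-<authority>-<subauthorities...>; the last subauthority is the RID.
SID_RE = re.compile(r'^S-1-\d+(?:-\d+){2,}$')


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-1104' into ('S-1-5-21-a-b-c', 1104)."""
    if not SID_RE.match(sid):
        raise ValueError('malformed SID: %r' % sid)
    domain_sid, _, rid = sid.rpartition('-')
    return domain_sid, int(rid)


class RidMapper:
    """Deterministic mapping, one base/range per domain (constructed model)."""

    def __init__(self):
        self.ranges = {}  # domain SID -> (low, high) UNIX ID range

    def add_domain(self, domain_sid, low, high):
        """Register a domain; ranges must not overlap or IDs would collide."""
        if low > high:
            raise ValueError('empty range %d-%d' % (low, high))
        for other, (lo, hi) in self.ranges.items():
            if low <= hi and lo <= high:
                raise ValueError('range %d-%d overlaps %s (%d-%d)'
                                 % (low, high, other, lo, hi))
        self.ranges[domain_sid] = (low, high)

    def sid_to_id(self, sid):
        """UID/GID = low + RID; None when the domain is unknown or the
        result falls outside the range (such a SID cannot be mapped)."""
        domain_sid, rid = split_sid(sid)
        if domain_sid not in self.ranges:
            return None
        low, high = self.ranges[domain_sid]
        unix_id = low + rid
        return unix_id if unix_id <= high else None

    def id_to_sid(self, unix_id):
        """Reverse lookup: find the range containing the ID, subtract base."""
        for domain_sid, (low, high) in self.ranges.items():
            if low <= unix_id <= high:
                return '%s-%d' % (domain_sid, unix_id - low)
        return None


def demo():
    """Map a few constructed SIDs and return the results for inspection."""
    mapper = RidMapper()
    mapper.add_domain('S-1-5-21-1000-2000-3000', 10000, 20000)  # constructed
    mapper.add_domain('S-1-5-21-4000-5000-6000', 30000, 40000)  # constructed
    return {
        'user_1104': mapper.sid_to_id('S-1-5-21-1000-2000-3000-1104'),
        'other_dom': mapper.sid_to_id('S-1-5-21-4000-5000-6000-1104'),
        'too_large': mapper.sid_to_id('S-1-5-21-1000-2000-3000-50000'),
        'reverse': mapper.id_to_sid(31104),
    }


if __name__ == '__main__':
    print(demo())
```

The overlap check in add_domain is the point to take away: two domains whose ranges overlap would hand the same UID to different SIDs, which is exactly the cross-server collision the idmap rid method is meant to avoid.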
LDAP Backend Support When multiple CIFS Servers participate in a Windows NT or Windows ADS domain and make use of winbind, you can configure multiple CIFS Servers to store ID maps in an LDAP directory. Making use of an LDAP server and configuring CIFS servers with the idmap backend parameter in smb.conf will ensure that all UIDs and GIDs are unique across the domain. This is important in order to support Windows access to NFS shares. NOTE: The HP CIFS Server does not support the ad option for idmap backend.
Starting and Stopping Winbind
This section describes how to start or stop the HP CIFS Server with winbind support.

Starting Winbind
Use the startsmb -winbind or startsmb -w command to start the winbind daemon on the HP CIFS server as follows:
    $ startsmb -winbind
or
    $ startsmb -w
The startsmb command without any option starts only the smbd and nmbd daemons.
An Example for File Ownership by Winbind Users
In the following example, use /opt/samba/bin/smbclient to connect to a share, shareA, on the HP CIFS Server, Server1, as the user, John, from the domain, DomA:
    $ cd /opt/samba/bin
    $ ./smbclient //Server1/shareA -U DomA\\John
The output is as follows:
    Domain=[DomainA] OS=[Unix] Server=[Samba 3.0.7 based HP CIFS Server A.02.
8 Kerberos Support

Introduction
The Kerberos protocol is specified by IETF RFC 1510. Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2000 and 2003 domains (including the Windows 2000 and XP clients that inhabit those domains). For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2000/2003 domain, and only when the HP CIFS Server is configured with "security = ads".
Kerberos CIFS Authentication Example
Figure 8-1 Kerberos Authentication Environment
[Figure: Authenticator (Windows 2000/2003 KDC with AS and TGS); Authenticatee (Windows 2000 or XP Client); HP CIFS Server; Resource; exchanges numbered 1 through 6]
The following describes a typical Kerberos logon and share service exchange using Kerberos authentication in a Windows 2000/2003 domain environment shown in Figure 8-1:
1.
Components for Kerberos Configuration
The following is a list of the various components that are necessary to configure HP CIFS Server for Kerberos authentication:
• HP CIFS Server: Version A.02.01 and later (based upon Samba 3.0.7 and later)
• HP-UX 11i v1 or HP-UX 11i v2
• HP-UX Kerberos Client, Version 1.3.5 (required for newer Windows 2000/2003 versions and the keytab feature)
• Patches required for HP-UX Kerberos Client version 1.3.5 on HP-UX 11i v1 are shown in Table 8-1.
1. Add the default_keytab_name parameter with the WRFILE attribute in the /etc/krb5.conf file. HP-UX Kerberos Client version 1.3.5 is required for WRFILE. An example of /etc/krb5.conf for HP CIFS Server keytab creation is as follows:
   # Kerberos configuration
   [libdefaults]
       default_realm = MYREALM.HP.COM
       default_tkt_enctypes = DES-CBC-MD5
       default_tgs_enctypes = DES-CBC-MD5
       default_keytab_name = "WRFILE:/etc/krb5.keytab"
   [realms]
       MYREALM.HP.COM = {
           kdc = HPWIN2K4.MYREALM.HP.COM:88
           admin_server = HPWIN2K4.
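Two details of /etc/krb5.conf recur in this guide: the kdc entry in [realms] must carry the :88 port suffix, and keytab creation needs default_keytab_name with the WRFILE attribute. The following added example (our own code, not HP or Samba code) parses a krb5.conf and reports both when they are missing, plus a default_realm that names no [realms] entry. The sample configuration is constructed from the example above; the "bad" copy strips :88 and WRFILE to show the findings.

```python
"""Added example: parse /etc/krb5.conf and check the entries the chapter requires."""
import re

SECTION_RE = re.compile(r'^\[(\w+)\]$')


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'name = { ... }' block becomes a
    nested dict, which is how [realms] entries are written."""
    conf = {}
    stack = []  # dicts currently open: [section, realm-block, ...]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('line %d: entry before any [section]' % lineno)
        if line == '}':
            if len(stack) < 2:
                raise ValueError('line %d: unmatched }' % lineno)
            stack.pop()
            continue
        key, sep, value = line.partition('=')
        if not sep:
            raise ValueError('line %d: expected key = value' % lineno)
        key, value = key.strip(), value.strip()
        if value == '{':
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value.strip('"')
    return conf


def check_krb5_conf(conf):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    realms = conf.get('realms', {})
    libdefaults = conf.get('libdefaults', {})
    default_realm = libdefaults.get('default_realm')
    if default_realm and default_realm not in realms:
        findings.append('default_realm %s has no [realms] entry' % default_realm)
    for realm, settings in realms.items():
        if not isinstance(settings, dict):
            continue
        kdc = settings.get('kdc')
        if kdc is None:
            findings.append('%s: no kdc entry' % realm)
        elif not kdc.endswith(':88'):
            findings.append('%s: kdc %r lacks the :88 port suffix' % (realm, kdc))
    keytab = libdefaults.get('default_keytab_name')
    if keytab is not None and not keytab.startswith('WRFILE:'):
        findings.append('default_keytab_name %r lacks the WRFILE: prefix '
                        'needed for keytab creation' % keytab)
    return findings


# Constructed from the chapter's example; BAD_CONF drops :88 and WRFILE.
GOOD_CONF = """
[libdefaults]
    default_realm = MYREALM.HP.COM
    default_keytab_name = "WRFILE:/etc/krb5.keytab"
[realms]
    MYREALM.HP.COM = {
        kdc = HPWIN2K4.MYREALM.HP.COM:88
        admin_server = HPWIN2K4.MYREALM.HP.COM
    }
[domain_realm]
    .hp.com = MYREALM.HP.COM
"""
BAD_CONF = GOOD_CONF.replace(':88', '').replace('WRFILE:', 'FILE:')


if __name__ == '__main__':
    for name, text in (('good', GOOD_CONF), ('bad', BAD_CONF)):
        print(name, check_krb5_conf(parse_krb5_conf(text)) or 'OK')
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf; the parser handles only the one level of brace nesting used under [realms], which is all this guide's examples use.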
Kerberos Modification for Internet Services The Internet Services product utilizes its own Kerberos library set that is delivered with the product. This library set does not recognize the WRFILE attribute in the /etc/krb5.conf file as a valid attribute. Therefore, the default_keytab_name parameter is invalid, and the Internet Services application cannot find the Kerberos keytab file to access the secret key.
9 HP CIFS Deployment Models

This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference. It contains the following sections:
• "Introduction"
• "Samba Domain Model"
• "Windows Domain Model"
• "Unified Domain Model"

Introduction
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols.
Figure 9-1 Standalone HP CIFS Server as a PDC
[Figure: HP CIFS PDC; Windows and UNIX users; password backend: smbpasswd, tdbsam]
Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:
Figure 9-2 Standalone HP CIFS Server as a PDC with NDS backend
[Figure: HP CIFS PDC; NDS LDAP Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat]
Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:
Figure 9-3 Multiple HP CIFS Servers with NDS backend
[Figure: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat]
Figure 9-4 shows the Samba Domain Model:
Figure 9-4 Samba Domain
[Figure: HP CIFS PDC and WINS Server; NDS LDAP Server; HP CIFS BDC; HP CIFS Member Server; Windows and UNIX users; password backend: ldapsam, ldapsam_compat]
The Samba Domain Deployment Model consists of a HP CIFS Server configured as a Primary Domain Controll
Samba Domain Components As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See Chapter 6 “LDAP Integration Support” for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments. Multi-subnetted environments require name-to-IP-address mapping to go beyond broadcast limits of a single LAN segment.
HP CIFS Acting as the Member Server
To ensure that there are always sufficient domain controllers to handle authentication and logon requests, in general configure BDCs rather than member servers unless there are fewer than about 30 Windows clients per BDC. You can join an HP CIFS Server to the Samba Domain. The Windows authentication requests are managed by the PDC or BDCs using LDAP, smbpasswd or another backend.
    ######################################
    #
    # Samba config file created using SWAT
    # from 1.13.129.217
    #
    # Global Parameters
    [global]
        workgroup = SAMBA30_DOMAIN      # Domain Name
        server string = Samba Server hostW PDC
        passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
        log level = 0
        security = user
        syslog = 0
        log file = /var/opt/samba/log.
A Sample smb.conf File For a BDC
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hostB acting as a BDC in the sample Samba Domain Model shown in Figure 9-5:
    ######################################
    #
    # Samba config file created using SWAT
    # from 1.13.129.
    ######################################
    #
    # Samba config file created using SWAT
    # from 1.13.129.217
    #
    # Global Parameters
    [global]
        workgroup = SAMBA30_DOMAIN      # Domain Name
        server string = Samba Server hostC Domain Member Server
        password server = hostW hostB
        security = Domain
        netbios aliases = MOONEY
        log level = 0
        syslog = 0
        log file = /var/opt/samba/log.%m
        max log size = 1000
        domain logons = Yes
        preferred master = No
        domain master = No
        wins server = 1.13.115.
    group:      files ldap
    hosts:      dns [NOTFOUND=return] files ldap
    networks:   files ldap
    protocols:  files ldap
    rpc:        files ldap
    publickey:  files
    netgroup:   files ldap
    automount:  files
    aliases:    files
    services:   files ldap

Windows Domain Model
You can use the Windows Domain Model in environments with the following characteristics:
• Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled).
Components for Windows Domain Model
HP CIFS Server supports the NTLMv1/NTLMv2 security used for NT domain membership and the Kerberos security used for Windows 2000/2003 native membership, so HP CIFS Servers can be managed in any Windows 2000/2003 ADS, Windows 200x mixed mode, or NT environment. HP CIFS Server does not support a true SAM database and cannot participate as a domain controller in a Windows NT, Windows 2000 or Windows 2003 domain.
A Sample smb.conf File For an HP CIFS ADS Member Server
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hpcif54 acting as an ADS member server in the sample ADS Domain Model shown in Figure 9-7:
    ######################################################
    #
    # A sample smb.
        comment = Home Directory
        browseable = no
        writable = yes
        valid users = /home/%D/%U
        create mode = 0664
        directory mode = 0775
    [share1]
        path = /tmp
        read only = no
        valid users = %D\%U
    [share2]
        path = /tmp
        read only = no
        # Specify values of force user and force group to a valid domain user or group
        force user = localusr
        force group = localgrp
    [tmp]
        path = /tmp
        read only = no
        browseable = yes
        writable = yes

A Sample /etc/krb5.
NOTE: :88 is required on the server field.

A Sample /etc/nsswitch.conf File
In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and other name services that you want to use. The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:
    # /etc/nsswitch.conf
    #
    # This sample file uses Lightweight Directory Access
    # Protocol (LDAP) in conjunction with dns and files.
An Example of Windows NT Domain Model
Figure 9-8 shows an example of the Windows NT Domain Model, which has a Windows NT server named hostP as a PDC and an HP CIFS Server machine hostM acting as a domain member server. The ID maps are saved in the local file, idmap.tdb.
Figure 9-8 An example of the Windows NT Domain Model
[Figure: Windows NT Server/PDC "hostP"; Windows users; HP CIFS Member Server "hostM" running the winbind daemon with libnss_winbind and idmap.tdb]

A Sample smb.
        winbind cache time = 300
        template homedir = /home/%D/%U
        template shell = /bin/false
    #
    [homes]
        comment = Home Directory
        create mode = 0664
        directory mode = 0775
        valid users = /home/%D/%U
        browseable = No
        read only = No
        writable = yes
    [print$]
        comment = For Printer share
        browseable = yes
    [printers]
        comment = All Printers
        path = /tmp
        printable = yes
        browseable = yes
        printer admin = root, admuser
        create mask = 0600
        guest ok = Yes
        use client driver = Yes
    [lj810002]
        path = /tmp
        printable = yes
        print command = /usr/
Figure 9-9 shows the Unified Domain Deployment Model as follows:
Figure 9-9 Unified Domain
[Figure: Windows ADS DC/SFU; HP-UX Client; Windows and UNIX users; HP CIFS Member Server]
The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and a single or multiple HP CIFS member servers.
• SFU 3.5 on Windows 2000 or 2003 Domain Controller
• Install, configure and join the HP CIFS Server to the SFU-enabled Windows 200x domain. See Chapter 5 "Windows 2000/2003 Domains" for details on configuring and joining the HP CIFS Server to the Windows domain.

Setting up LDAP-UX Client Services on an HP CIFS Server
In the Unified Domain model, you integrate HP CIFS domain member servers with the Windows 200x ADS to centralize management of user account databases.
        .org.hp.com = CIFSW2KSFU.ORG.HP.COM
    [logging]
        kdc = FILE: /var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/opt/KRB5lib.log

Installing SFU 3.5 on a Windows 2000 or 2003 Domain Controller
POSIX accounts have some attributes, such as user ID, login shell, and home directory, which are not used by Windows 2000 or 2003. To use Active Directory as a data repository for HP-UX users, you must install SFU Version 3.5 on a Windows 2000 or 2003 domain controller.
    # Global Parameters
    [global]
        workgroup = CIFSW2KSFU      # Domain Name
        server string = CIFS Server as a domain member
        realm = CIFSW2KSFU.ORG.HP.COM
        security = ADS
        netbios name = hostD
        security = ads
        local master = no
        wins server = 1.12.112.166
        log file = /var/opt/samba/log.%m
        short preserve case = no
        dos filetime resolution = yes
        read only = no
    #
    [homes]
        comment = Home Directory
        browseable = No
    #
    [tmp]
        comment = temporary file space
        path = /tmp

A Sample /etc/krb5.
NOTE: :88 is required on the server field.

A Sample /etc/nsswitch.conf File
In the Unified Domain Model, you must configure the /etc/nsswitch.conf file to specify the LDAP name service and other name services you want to use. The following is a sample /etc/nsswitch.conf used in the sample Unified Domain Model shown in Figure 9-10:
    # /etc/nsswitch.conf
    #
    # This sample file uses Lightweight Directory Access
    # Protocol (LDAP) in conjunction with dns and files.
10 Securing HP CIFS Server

This chapter describes the network security methods that you can use to protect your HP CIFS Server. It includes the following sections:
• "Security Protection Methods"
• "Automatically Receiving HP Security Bulletins"

Security Protection Methods
HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services.
tries to make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP connection refused reply.

Using a Firewall
You can use a firewall to deny access to services that you do not want exposed outside your network. This can be a very good protection method, although the methods mentioned above can also be used in case the firewall is not active for some reason. When you set up a firewall, you need to know which TCP and UDP ports to allow.
on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see Chapter 6 “LDAP Integration Support”. The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory configurations. Protecting Sensitive Configuration Files The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security while providing appropriate accessibility.
Restricting Execute Permission on Stacks A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive". In the archive, the third link is to the current Security Patch Matrix. This matrix categorizes security patches by the platform/OS release, and by the bulletin topic. The Security Patch Check tool completely automates the process of reviewing the patch matrix for HP-UX 11i v1 and v2 systems.
11 CIFS File System Module (CFSM) Support

This chapter describes the CIFS File System Module (CFSM) support. It contains the following sections:
• Using the CIFS File System Module (CFSM) for Concurrent NFS Client Access
• Stacking CFSM
• Using CFSM with Other Stackable File System Modules
• CFSM Implemented as Dynamically Loadable Kernel Modules (DLKMs)
• Special Issues When Using CFSM
• CFSM Tracing

Using the CIFS File System Module (CFSM) for Concurrent NFS Client Access
Due to differences in file lock
Stacking CFSM CFSM is stacked onto the file system based on the contents of a template file. This template is managed and defined through the use of the fstadm command described below. The predefined CFSM template, cfsmtemplate, is automatically created when the HP CIFS product is installed. The template that is provided with HP CIFS Server is usable on the specific file system that is supported with CFSM.
• share modes: This boolean parameter controls whether to enable or disable the honoring of share modes during a file open. These modes are used by clients to gain exclusive read or write access to a file. You must set this option to yes (the default setting).
• kernel oplocks: This is a boolean parameter. If set to yes, HP-UX processes and NFS clients can concurrently access files with CIFS clients with no risk of file corruption when opportunistic locking is turned on.
Using CFSM with Other Stackable File System Modules
The CIFS File System Module (CFSM) is a stackable file system module that can be stacked with other file system modules on physical file systems (like VxFS, HFS). The file system modules are stacked onto the file system based on the order specified in a stack template file. The templates are managed and defined through the use of the fstadm command.
-f filename
    Specifies the name of a text file that describes the contents of a stack template. Information in the text file will be used as a guide to construct the desired stack template. The format of each line in the text file is:
        module options
    Each line of the text file describes one level of the desired stack. Within each line, a module and its mount options are specified and separated by a single space character.
-t template_string
    Specifies the contents of a stack template.
help
    Displays basic information about the various fstadm command keywords.
CFSM Implemented as Dynamically Loadable Kernel Modules (DLKMs) CFSM is implemented as two Dynamically Loadable Kernel Modules (DLKMs). The main one is “cfsm”. The "cfsm" DLKM has a dependency on a second DLKM, "cfsmdr", the CFSM driver module. The "cfsmdr" module is the one that supports tracing functionality, including the cfsmutil command support. Upon loading, the "cfsmdr" module creates a device file, "/dev/cfsmdr", that the cfsmutil command uses.
Special Issues When Using CFSM This section describes special issues when using CFSM. NFS delayed write errors with CFSM Due to the way NFS is designed and the caching it does for improved performance, NFS clients may get "delayed write errors" in various situations. This means that a write to a file on an NFS mounted file system may appear to succeed, when in reality it has failed.
CFSM Tracing
The CIFS File System Module provides diagnostic functionality to trace CFSM activities by sending trace messages to a log file. All CFSM tracing is controlled through the cfsmutil command.
NOTE: If the CIFS File System Module is not used by any file system, it will not be loaded, and cfsmutil will not function, except for the help (-h) option.

cfsmutil Command
Use the cfsmutil command to control and retrieve various CIFS File System Module tracing parameters.
12 Configuring HA HP CIFS

Overview of HA HP CIFS Server
Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
Installing Highly Available HP CIFS Server
HA HP CIFS Servers must be installed and configured on all cluster nodes in the configuration. All cluster nodes may (but are not required to) act as "primary" nodes and, at the same time, as "alternate" nodes for others. If there is no failover, each cluster node runs one of the packages. If a failover occurs, a cluster node picks up the failed package in addition to its original package.
key is to have a CIFS Server configured to look and act just like the CIFS Server that was running on the original node. Load balancing between systems while all systems are up can be achieved by having the CIFS shares accessible only through certain CIFS Server names (NetBIOS names). Keep this in mind when you associate the CIFS shares and directories with logical volumes during server configuration. Note that each cluster node needs to know all the UNIX users that connect to the samba servers (packages).
$ mkdir /var/opt/samba/pkg1/locks
$ mkdir /var/opt/samba/pkg1/logs
$ mkdir /var/opt/samba/pkg1/private
This step is IMPORTANT because these paths are referenced by the MC/ServiceGuard cluster scripts, samba.cntl and samba.mon.
2. Create a file /etc/opt/samba/smb.conf (for example, /etc/opt/samba/smb.conf.pkg1) with the following lines:
[global]
workgroup = ha_domain
netbios name = ha_server1
interfaces = XXX.XXX.XXX.XXX/xxx.xxx.xxx.
mount /dev/vg01/lvol1 /tmp/share1
mount /dev/vg01/lvol2 /tmp/share2
cp -r /your/data1/* /tmp/share1
cp -r /your/data2/* /tmp/share2
umount /tmp/share1
umount /tmp/share2
rm -rf /tmp/share1 /tmp/share2
4. Create a directory for the HP CIFS Server cluster package:
mkdir /etc/cmcluster/samba/pkg1
5. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/HA to /etc/cmcluster/samba/pkg1 (or /etc/cmcluster/samba/pkg2) on the primary node. Make all scripts writeable.
cp /opt/samba/HA/samba.
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/samba/pkg2/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT
...for pkg2, etc.
4. Set the SERVICE_NAME variable to samba_mon:
SERVICE_NAME samba_mon1
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300
...for pkg1, and
SERVICE_NAME samba_mon2
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300
...for pkg2, etc.
5. Set the SUBNET variable to the subnet that will be monitored for the package, as in the following example:
SUBNET 1.13.2.0
Edit the samba.
FS_MOUNT_OPT[0]="-o rw"; FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
for pkg2:
for LVM volume group
LV[0]=/dev/vg02/lvol1; FS[0]=/halvm/2a; FS_MOUNT_OPT[0]="-o rw"; FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
LV[1]=/dev/vg02/lvol2; FS[1]=/halvm/2b; FS_MOUNT_OPT[1]="-o rw"; FS_UMOUNT_OPT[1]=""; FS_FSCK_OPT[1]=""; FS_TYPE[1]="vxfs"
for VxVM volume group
LV[0]=/dev/vx/dg02/lvol1; FS[0]=/your/data3; FS_MOUNT_OPT[0]="-o rw"; FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
LV[1]=/dev
Edit the samba.mon Monitor Script
To configure the samba.mon monitor script file, you must complete the following tasks:
1. Use the following template provided with samba.mon.
for pkg1:
CONF_FILE=/etc/opt/samba/smb.conf.pkg1
LOG_FILE=/var/opt/samba/pkg1/logs
SMBD_PID_FILE=/var/opt/samba/pkg1/locks/smbd.pid
NMBD_PID_FILE=/var/opt/samba/pkg1/locks/nmbd.pid
#WINBIND_PID_FILE=/var/opt/samba/pkg1/locks/winbindd.pid
for pkg2:
CONF_FILE=/etc/opt/samba/smb.conf.
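The following is an added example, not HP's samba.mon script, of the kind of liveness check such a monitor performs from the pid-file variables above: it verifies that each daemon named by a pid file is still running and returns non-zero so that MC/ServiceGuard can treat the service as failed. The pkg1 paths are the ones from the template; the function names and return codes are assumptions made here.

```shell
#!/bin/sh
# Added example (not HP's samba.mon). Defaults are the pkg1 template paths.
SMBD_PID_FILE=${SMBD_PID_FILE:-/var/opt/samba/pkg1/locks/smbd.pid}
NMBD_PID_FILE=${NMBD_PID_FILE:-/var/opt/samba/pkg1/locks/nmbd.pid}
# Left unset unless winbind is configured for the package:
#WINBIND_PID_FILE=/var/opt/samba/pkg1/locks/winbindd.pid

# daemon_alive PIDFILE
# Returns 0 if the pid file names a running process, 1 if the file is
# missing, empty or not numeric, 2 if the process is gone (stale pid file).
daemon_alive() {
    pidfile=$1
    [ -s "$pidfile" ] || return 1
    IFS= read -r pid < "$pidfile" || :
    pid=$(printf '%s' "$pid" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # kill -0 sends no signal; it only tests that the pid exists.
    kill -0 "$pid" 2>/dev/null && return 0
    return 2
}

# check_samba_daemons
# Checks every configured pid file. Reports the first daemon that is not
# running on stderr and returns 1; returns 0 when all are alive.
check_samba_daemons() {
    set -- "smbd:$SMBD_PID_FILE" "nmbd:$NMBD_PID_FILE"
    if [ -n "$WINBIND_PID_FILE" ]; then
        set -- "$@" "winbindd:$WINBIND_PID_FILE"
    fi
    for entry; do
        name=${entry%%:*}
        file=${entry#*:}
        rc=0
        daemon_alive "$file" || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "$name not running (pid file $file, status $rc)" >&2
            return 1
        fi
    done
    return 0
}

# monitor_loop [INTERVAL]
# Polls like a service monitor would: keeps sleeping while all daemons are
# alive and exits non-zero as soon as one disappears, which is what makes
# the package halt and fail over.
monitor_loop() {
    interval=${1:-30}
    while check_samba_daemons; do
        sleep "$interval"
    done
    return 1
}
```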
-P /etc/cmcluster/samba/pkg1/samba.conf \
-P /etc/cmcluster/samba/pkg2/samba.conf
This command distributes the updated cluster binary configuration file to all of the nodes of the cluster. You are ready to start the HA HP CIFS Server packages. The configuration of the HA HP CIFS Server is now complete.
Special Notes for HA HP CIFS Server
There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below:
• Client Applications
HA HP CIFS Server cannot guarantee that client applications with open files on an HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover.
smb.conf by the parameter username map, e.g. username map = /var/opt/samba/shared_vol_1/username.map. There is no username map file by default.
• Winbind Configurations
Add the commented winbind lines in samba.mon and samba.cntl as previously described. Winbind makes use of several files, winbindd.pid, winbindd_cache.tdb and winbindd_idmap.tdb, and the directory winbindd_privileged, in the /var/opt/samba/locks directory.
smbpasswd -c /etc/opt/samba/pkg1/smb.conf.pkg1 -a username
smbclient -s /etc/opt/samba/pkg1/smb.conf.pkg1 //ha_server1/lvm1a -c ls
testparm -s /etc/opt/samba/pkg1/smb.conf.pkg1
smbstatus -s /etc/opt/samba/pkg1/smb.conf.pkg1
• Network File System (NFS) and Veritas Cluster File System (CFS)
NFS and Veritas CFS permit concurrent file access from multiple nodes.
cmruncl -v
On both nodes:
Run /opt/VRTS/bin/vxinstall
Run the cfscluster config command to configure the multinode package
Run the cfscluster start command to start the CVM package
Run the cfscluster status command to see the status and the node master
On the CFS master node:
/etc/vx/bin/vxdisksetup -i
Example: /etc/vx/bin/vxdisksetup -i c4t2d3
Create the diskgroup: (vxdg -s init )
Example: vxdg -s init dgha c4t2d3
See the diskgroup created: vxdg list
Add the diskgroup to the cluster: cfsdgadm add
The smb.conf file can be:
[global]
security = user
lock directory = /cfs1/var/opt/samba/locks
pid directory = /cfs1/var/opt/samba/locks
private directory = /cfs1/var/opt/samba/private
smb passwd file = /cfs1/var/opt/samba/private/smbpasswd
....
[cfs2]
path = /cfs2/data
browseable = yes
read only = no
Any CFS mount points used should be declared as dependencies in the samba.conf file, to ensure that the resource is available before the package is started and to monitor the resource's availability.
13 HP-UX Configuration for HP CIFS
This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections:
• HP CIFS Process Model
• TDB Memory Map for HP CIFS Server
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS
The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of an HP CIFS server running on HP-UX 11i v1 and v2.
NOTE: To modify the value of use mmap or fixed mmap size, you must first stop all of the CIFS Server processes (the smbd, nmbd and winbindd daemons), modify the settings of the parameters, and then restart the CIFS Server processes. It is not safe to modify the memory map settings using a procedure other than the one mentioned above.
Mostly Private Address Space (MPAS) Support on HP-UX 11i v2 IA and 11i v3 IA systems
HP CIFS Server A.02.
To resolve the above errors, you must increase the value of fixed mmap size in smb.conf accordingly and then restart the HP CIFS Server.
• Memory-mapped access fails when the system is low on memory resources. In this case, the HP CIFS Server terminates the connection and logs the following error messages:
"ERROR. Abort due to munmap failure."
"ERROR. Abort due to tdb_mmap failure.
Overview of Kernel Configuration Parameters
The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.
• maxusers: the name of this kernel parameter is a misnomer, as it does not directly control the number of UNIX users that can log on to HP-UX. However, this kernel parameter is used in various formulae throughout the kernel.
Configuring Kernel Parameters for HP CIFS
The first step in configuring HP-UX to support a large number of clients on an HP CIFS server is to adjust the maxusers kernel parameter. The second step involves adjusting nproc, nfile, nflocks and ninode individually so as to allow a large number of users to be connected simultaneously.
1. Configuring maxusers
Determine the maximum number of simultaneous clients that will be connected and add this number to the current value of maxusers.
it is needed. This results in the process not finding the swap space that it needs, in which case it has to be terminated by the OS. Each smbd process will reserve about 2 MB of swap space and depending on the type of client activity, process size may grow up to 4 MB of swap space. For a maximum of 2048 clients, 4 * 2048 or about 8 GB of swap space would be required.
14 Tool Reference
This chapter describes tools for management of the Samba user and group account database.
HP CIFS Management Tools
Several HP CIFS Server tools are available for management of CIFS user data stored in the smbpasswd file or in the Netscape/Red Hat Directory Server database. This section documents the following user management tools:
smbpasswd: Tool for management of the Samba encrypted password database.
syncsmbpasswd: Tool for synchronizing the HP CIFS Samba users with the UNIX or POSIX users.
pdbedit: Tool for management of the SAM database (database of Samba users).
-L Runs in local mode (must be the first option).
-h Prints a list of options that the HP CIFS Server supports.
-s Uses stdin for the password prompt. This option causes smbpasswd to read passwords from standard input.
-c Specifies the path and file name of the smb.conf configuration file when you want to use one other than the default file.
-D Specifies the debug level. The debug level is an integer from 0 to 10.
username Specifies the user name for all of the root only options to operate on. Only root can specify this parameter, as only root has the permissions needed to modify attributes directly in the SMB password database.
• Migrate group accounts.
• Manage account policies.
• Manage domain access policy settings.
For detailed information on the pdbedit command, refer to the pdbedit man page, SWAT or The Official Samba HOWTO and Reference Guide. The pdbedit tool performs its operations on the data store specified by the passdb backend parameter in the smb.conf file. If an LDAP directory is to be used, then this parameter is set to ldapsam:ldap://.
-U Specifies the user's SID (Security Identifier) or RID. This option can be used while adding or modifying a user account.
-G Specifies the user's group SID (Security Identifier) or RID. This option can be used while adding or modifying a user account.
-a, --create Adds a Samba user account. This command needs a user name specified with the -u option. When adding a new user, pdbedit asks for the password to be used.
-c, --account-control=ARG Specifies the user's account control property. This option can be used while adding or modifying a user account.
net
This tool is used for administration of Samba and remote CIFS servers. The Samba net utility is meant to work just like the net utility available for Windows and DOS. The first argument of the net utility specifies the protocol to use when executing the net command. The argument can be ADS, RAP or RPC. ADS is used for Windows Active Directory, RAP is used for old Windows clients (Win9x/NT3) and RPC can be used for DCE-RPC. The net tool performs its operations on the LDAP directory if the smb.
Do not use this without care and attention because it will overwrite a legitimate machine password without warning.
net status Displays the machine account status of the local server.
net usersidlist Gets a list of all users with their Windows SIDs.
net ads Runs ADS commands.
net rpc Runs RPC commands.
net rap Runs RAP (pre-RPC) commands.
Syntax for net user
This section only includes syntaxes for the net user command.
-U or --user= Specifies the user name.
-s or --configfile= Specifies the alternative path name of the Samba configuration file.
-l or --long Displays full information on each item when listing data.
-V or --version Prints Samba version information.
-P or --machine-pass Authenticates as the machine account.
-C or --comment= Specifies the descriptive comments. This option is only valid for the ADD operation.
wbinfo
You can use the wbinfo tool to get information from the winbind daemon. To use the wbinfo tool, you must configure and start up the winbind daemon, winbindd.
Syntax
wbinfo [option]
where option can be any of the following:
-l Displays path data with Windows user and group names that exceed the HP-UX name limitation of 8 characters.
-t, --check-secret Verifies that the workstation trust account created when the Samba server is added to the Windows NT domain is working.
-p, --ping Pings winbindd to see whether it is still alive.
--domain This parameter sets the domain on which any specified operations will be performed. Currently only the --sequence, -u, and -g options honor this parameter.
-D, --domain-info Shows most of the information we have about the domain.
DOMAIN_DOM\pcuser 50012
DOMAIN_DOM\winusr 50016
DOMAIN_DOM\maryw 50017
The following is an example of the output using the wbinfo -g command:
$ wbinfo -g
DOMAIN_DOM\Domain Admins 50010
DOMAIN_DOM\Domain Guests 50011
DOMAIN_DOM\Domain Users 50012
DOMAIN_DOM\Domain Computers 50013
DOMAIN_DOM\Domain Controllers 50014
DOMAIN_DOM\Schema Admins 50015
DOMAIN_DOM\Enterprise Admins 50016
DOMAIN_DOM\Cert Publishers 50017
DOMAIN_DOM\Account Operators 50018
DOMAIN_DOM\Print Operators 50000
DOMAIN_DOM\Group Policy Crea
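As an added example, not an HP CIFS tool, the following check reads a listing in the "DOMAIN\name id" form shown above and reports two things worth catching before such accounts are used on HP-UX: names longer than the 8-character limit that the wbinfo -l option is about, and two different names mapped to the same numeric id, which would make them indistinguishable at the UNIX file permission level. The function name and the sample listing are constructed here.

```shell
#!/bin/sh
# Added example (not part of HP CIFS Server). Names may contain spaces, so
# the trailing numeric field is taken as the id and the rest as the name.

# check_winbind_ids LABEL < listing
# Prints one line per finding and returns 1 if anything was found, else 0.
check_winbind_ids() {
    awk -v label="${1:-entry}" '
    NF >= 2 && $NF ~ /^[0-9]+$/ {
        id = $NF
        name = $0
        sub(/[ \t]+[0-9]+[ \t]*$/, "", name)   # drop the trailing id
        short = name
        sub(/^[^\\]*\\/, "", short)            # strip the "DOMAIN\" prefix
        if (length(short) > 8) {
            printf "long-name %s \"%s\" (%d chars)\n", label, short, length(short)
            findings++
        }
        if (id in seen && seen[id] != name) {
            printf "duplicate-id %s %s used by \"%s\" and \"%s\"\n", \
                   label, id, seen[id], name
            findings++
        } else {
            seen[id] = name
        }
    }
    END { exit(findings > 0 ? 1 : 0) }'
}

# sample_listing: constructed input in the wbinfo -g output format.
sample_listing() {
    cat <<'EOF'
DOMAIN_DOM\Domain Admins 50010
DOMAIN_DOM\Domain Users 50012
DOMAIN_DOM\Print Operators 50000
DOMAIN_DOM\backup 50013
DOMAIN_DOM\ops 50013
EOF
}
```

Run as `sample_listing | check_winbind_ids group`; the three long group names and the shared id 50013 are reported and the exit status is 1.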
LDAP Directory Management Tools This section provides information for the ldapmodify, ldapsearch and ldapdelete tools. These LDAP directory tools are bundled with the LDAP-UX Integration product (J4269AA) and are available in the /opt/ldapux/bin directory. This section includes only those options that are useful for managing the HP CIFS users when using the LDAP Directory Server as the datastore backend.
As an example, the following LDIF update file, new.
ldapsearch
You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format.
Syntax
ldapsearch -b basedn [optional_options] [filter] [optional_list_of_attributes]
where
filter Specifies an LDAP search filter.
ldapdelete
You use the ldapdelete command-line utility to delete entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries.
Syntax
ldapdelete [optional_options]
where
optional_options Specifies a series of command-line options.
ldapdelete Options
This section lists the ldapdelete options most commonly used.
Glossary
A
ACL Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support and different file systems define different access rights.
P
Public Key An encryption method by which two users exchange data securely, but in one direction only. A user, who has a private key, creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data.
Public Key Infrastructure Method of managing public key encryption.
Index
Symbols
/etc/nsswitch.conf, 88, 145
/etc/nsswitch.ldap, 88
/etc/pam.conf, 145
A
Access Control Lists, 39
VxFS, 39
ACLs.
Profile TTL, 88, 115, 151
profile, configuration, 88
Q
quick configuration, 87
R
reboot, 86
S
Samba server
name list, 45
requirements and limitations, 23, 85, 179
schema, posix, RFC 2307, 87
Server Message Block, 17
setting new ACLs, 42
setup program, 87, 145
startsmb, 35
subproduct, NativeLdapClient, 86
swap space requirements, 183
swinstall, 86
T
tools
ldapdelete, 201
ldapmodify, 198
ldapsearch, 200
TTL, profile, 88, 115, 151
U
UNIX file
owner, 39
other permission, 39
owning group, 39
permissions, 39