HP CIFS Server Administrator Guide Version A.03.01.03 (5900-2006, October 2011)
• Security Files
An important security file is secrets.tdb. Machine account information is among the important
contents of this file. Since this file will be updated periodically (as defined in smb.conf by
machine password timeout, 604800 seconds by default), HP recommends that you locate
secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the
smb.conf parameter, private dir. For example, private dir =
/var/opt/samba/shared_vol_1/private will result in the file
/var/opt/samba/shared_vol_1/private/secrets.tdb.
User authentication also depends on several entries in different security files. Other
important security files are the user password files, smbpasswd and passdb.tdb. If you have
your Samba server configured with passdb backend = smbpasswd, for example,
then you have an smbpasswd file. By default, this file is located in
/var/opt/samba/private, but the passdb backend parameter can have two parts: the
backend name and a location string that has meaning only to that particular backend. For
example, passdb backend =
tdbsam:/var/opt/samba/private/path1/passdb.tdb,
smbpasswd:/var/opt/samba/private/path2/smbpasswd will result in the files
/var/opt/samba/private/path1/passdb.tdb and /var/opt/samba/private/path2/smbpasswd.
For both the machine account file and user password file, HP recommends that you store the
files in a common and secure directory on a shared logical volume.
• Username Mapping File
If you configure your Samba server to use a username mapping file, HP recommends that you
configure it to be located on a shared logical volume. This way, if changes are made, all the
nodes will always be up-to-date. The username mapping file location is defined in smb.conf
by the parameter username map, e.g. username map =
/var/opt/samba/shared_vol_1/username.map. There is no username map file by
default.
• Winbind Configurations
Add the commented winbind lines in samba.mon and samba.cntl as previously described.
Winbind makes use of several files (winbindd.pid, winbindd_cache.tdb, winbindd_idmap.tdb)
and the directory winbindd_privileged, all in the /var/opt/samba/locks directory.
You may want to put the entire /var/opt/samba/locks directory on a logical shared volume,
but the locking data may not be correctly interpreted after a failover. You may want to add
a line to your startup script to remove the locking data file .../locks/locking.tdb.
• Samba as a WINS Server
If you configure your Samba server to be a WINS server by setting the wins support
parameter to yes, it will store the WINS database in the file
/var/opt/samba/locks/WINS.DAT.
If this file is not on a logical shared volume, then after a failover there will be a short period
of time during which all the WINS clients update the Samba WINS server with their addresses. If
that period is not acceptable, you can reduce the time needed to restore the full WINS service.
To do so, configure /var/opt/samba/locks/WINS.DAT to be a symbolic link to a WINS.DAT
file on a logical shared volume. HP does not recommend putting the entire
/var/opt/samba/locks directory on a logical shared volume, because the locking data may
not be correctly interpreted after a failover.
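
A way to check a node against the recommendations in this section, as an added example that is not part of the HP guide: the script reads the [global] section of smb.conf, lists the files discussed above (secrets.tdb, the passdb backend files, the username map and WINS.DAT) and marks each one as on or off the shared logical volume. The function names, the LOCKS_DIR override and the treatment of a tdbsam backend without a location string (taken to follow private dir) are assumptions.

```shell
# Added example, not from the HP guide; function names are hypothetical.
# Flags HA-relevant Samba files that do not sit on the shared logical volume.
DEFAULT_PRIVATE=/var/opt/samba/private        # default quoted in the guide
LOCKS_DIR=${LOCKS_DIR:-/var/opt/samba/locks}
global_param() {   # print one [global] parameter: global_param <smb.conf> <name>
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { g = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        g && index($0, "=") {
            k = tolower(substr($0, 1, index($0, "=") - 1))
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == want) val = v            # last assignment wins
        }
        END { print val }' "$1"
}

ha_files() {   # print "label path" for each file the section discusses
    priv=$(global_param "$1" "private dir"); priv=${priv:-$DEFAULT_PRIVATE}
    echo "secrets $priv/secrets.tdb"
    for b in $(global_param "$1" "passdb backend" | tr ',' ' '); do
        case $b in
            tdbsam:*|smbpasswd:*) echo "passdb ${b#*:}" ;;
            tdbsam)    echo "passdb $priv/passdb.tdb" ;;            # assumption
            smbpasswd) echo "passdb $DEFAULT_PRIVATE/smbpasswd" ;;  # guide default
        esac
    done
    map=$(global_param "$1" "username map"); [ -n "$map" ] && echo "usermap $map"
    case $(global_param "$1" "wins support") in
        [Yy]es|[Tt]rue|1) echo "wins $LOCKS_DIR/WINS.DAT" ;;
    esac
}

resolve() {   # follow one level of symlink on the file itself (WINS.DAT case)
    [ -L "$1" ] || { echo "$1"; return; }
    t=$(ls -l "$1"); t=${t#* -> }
    case $t in /*) echo "$t" ;; *) echo "$(dirname "$1")/$t" ;; esac
}

ha_check() {   # ha_check <smb.conf> <shared mount point>; returns 1 if any LOCAL
    report=$(ha_files "$1" | while read -r label path; do
        case $(resolve "$path") in
            "$2"/*) echo "shared $label $path" ;;
            *)      echo "LOCAL $label $path" ;;
        esac
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^LOCAL '
}
```

Called as `ha_check <path to smb.conf> /var/opt/samba/shared_vol_1`, it prints one line per file and returns non-zero when any of them would be left behind on the failed node.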
Special notes for HA HP CIFS Server