HP CIFS Server Administrator Guide Version A.03.01.03 (5900-2006, October 2011)
Table Of Contents
- HP CIFS Server Administrator Guide Version A.03.01.03
- Contents
- About this document
- 1 Introduction to the HP CIFS Server
- 2 Installing and configuring HP CIFS Server
- HP CIFS Server requirements and limitations
- Step 1: Installing HP CIFS Server software
- Step 2: Running the configuration script
- Step 3: Modify the configuration
- Step 4: Starting HP CIFS Server
- Other Samba configuration issues
- 3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7
- Introduction
- UNIX file permissions and POSIX ACLs
- Using the Windows NT Explorer GUI to create ACLs
- Using the Windows Vista Explorer GUI to create ACLs
- POSIX ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- HP CIFS Server Directory ACLs and Windows 2000, Windows XP, Windows Vista, and Windows 7 clients
- In conclusion
- 4 Windows style domains
- Introduction
- Configure HP CIFS Server as a PDC
- Configure HP CIFS Server as a BDC
- Domain member server
- Create the Machine Trust Accounts
- Configure domain users
- Join a Windows client to a Samba domain
- Roaming profiles
- Configuring user logon scripts
- Home drive mapping support
- Trust relationships
- 5 Windows 2003 and Windows 2008 domains
- 6 LDAP integration support
- Overview
- Network environments
- Summary of installing and configuring
- Installing and configuring your Directory Server
- Installing LDAP-UX Client Services on an HP CIFS Server
- Configuring the LDAP-UX Client Services
- Enabling Secure Sockets Layer (SSL)
- Extending the Samba subschema into your Directory Server
- Migrating your data to the Directory Server
- Configuring the HP CIFS Server
- Creating Samba users in directory
- Management tools
- 7 Winbind support
- 8 Kerberos support
- 9 HP CIFS deployment models
- Introduction
- Samba Domain Model
- Windows Domain Model
- Unified Domain Model
- 10 Securing HP CIFS Server
- 11 Configuring HA HP CIFS
- 12 HP-UX configuration for HP CIFS
- 13 Tool reference
- Glossary
- Index
Winbind provides a library routine, /usr/lib/libnss_winbind.1, that NSS can use to
interface to the winbind daemon to resolve ID mappings.
• User and group ID allocation
When winbind is presented with a Windows SID for which there is no corresponding UID
and GID, winbind generates a UID and GID. Depending on the configuration, winbind
uses one of the following three different algorithms for creating IDs:
◦ Local increment
Winbind default settings will result in ID values based on a simple increment above the
current highest value within a defined range. The pool of values is confined to the local
HP CIFS Server. This solution is limited by the fact that UID and GID values may differ
among multiple HP CIFS Servers within the same Windows domain for the same Windows
user. Also, if the idmap database need to be recreated for any reason, UID and GID
maps could differ from the previous map which can lead to serious security issues (file
ownership may change).
NOTE: You can back up and restore the idmap database to avoid having to recreate
UID and GID maps. The local increment model requires the idmap database to be backed
up frequently.
◦ Idmap rid
The idmap rid solution resolves the potential problems with the local increment algorithm
because winbind provides a unique mapping of Windows SIDs to local UNIX UIDs and
GIDs across multiple HP CIFS Servers. The UIDs and GIDs are generated based on the
RID portion of the Windows SID, the RID is unique within the domain. This solution can
be particularly helpful if there are multiple HP CIFS member servers connected to the
domain and it is useful to have user names and group names with unique IDs across
multiple HP CIFS member servers. However, without the domain portion of the SID, the
idmap rid method is limited by the fact that it is not appropriate for domains that trust
other domains unless you do not require IDs to be resolved from the domain trusts.
You can not migrate the idmap rid model to the local increment or shared
sambaUnixIDPool model because of the way it assigns IDs. This model can be quite useful
if a unique mapping of Windows SIDs to UNIX UIDs and GIDs across multiple member
servers within a domain is needed.
If you are configuring a large number of CIFS member servers, or if it is important to be
able to provide access to Windows trusts, you may want to consider the shared
sambaUnixIDPool method. Using the shared sambaUnixIDPool model reduces the traffic
and load in maintaining similar idmap caches and mapping user and group names of
Windows trusted domains. See the shared sambaUnixIDPool method below for details.
◦ Shared sambaUnixIDPool
When using the shared Samba UNIX ID pool method, you use an LDAP backend to store
user and group identities across multiple servers and domains. Winbind makes use of
a shared sambaUnixIDPool value to increment UID and GID values across all HP CIFS
member servers sharing the LDAP backend. As with the local increment solution, if the
idmap database needs to be recreated for any reason, UID and GID maps could differ
from the previous map which could lead to serious security issues (file ownership may
change).
The user and group data should be replicated and/or backed up using this model. The
disadvantage of using this model is that it is more complicated to configure. However,
the shared sambaUnixIDPool method provides several significant benefits described below
to customers who have multiple CIFS member servers connected to a Windows Active
Directory Server (ADS) environment.
98 Winbind support