HP CIFS Server Administrator's Guide Version A.03.02.
© Copyright 2012, 2013 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
About this document
This document describes how to install, configure, and administer the HP CIFS Server product. It is the official documentation supported for the HP CIFS Server product. It provides the HP-UX specific variations, features, and recommendations tested and supported by HP. Other documentation, such as The Samba How To Collection and Using Samba, 2nd Edition, supplied with the HP CIFS Server product, is provided as a convenience to the user.
Table 2 Publishing history details (continued)
Document Manufacturing Part Number | Operating Systems Supported | Supported Product Versions | Publication Date
5900-1282 | HP-UX 11i v2 and HP-UX 11i v3 | A.03.01 | December 2010
5990-5097 | HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 | A.02.04 | March 2010
B8725-90143 | HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 | A.02.04 | May 2009
B8725-90133 | HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3 | A.02.03.03 | January 2008
B8725-90118 | HP-UX 11i v2 and HP-UX 11i v3 | A.02.
Chapter 6 LDAP-UX Integration Support
Use this chapter to learn how to install, configure and verify the HP Netscape Directory, HP LDAP-UX Integration product and HP CIFS Server software with LDAP feature support.
Chapter 7 Winbind Support
Use this chapter to learn how to set up and configure the HP CIFS Server with winbind support.
1 Introduction to the HP CIFS Server
This chapter provides a general introduction to this document, to HP CIFS, and to Samba, the Open Source Software suite upon which the HP CIFS Server is based, along with HP enhancements to the Samba source and the various documentation resources available for HP CIFS.
HP CIFS Server description and features
The HP CIFS Server product implements many Windows Server features on HP-UX.
• Simplified Identity Mapping
For this release, ID mapping has been rewritten yet again with the goal of making the configuration simpler and more coherent while keeping the needed flexibility, and even adding to the flexibility in some respects.
• Caching of user credentials by winbind
Winbind allows users to log on using cached credentials.
domain. Chapter 5, “Windows 2003 and Windows 2008 Domains”, describes how an HP CIFS Server joins a Windows 2003 or a Windows 2008 domain as an ADS domain member server. HP CIFS Server manages a given configuration using a configuration file, /etc/opt/samba/smb.conf (by default), which contains configuration parameters set appropriately for the specific installation.
Table 3 Documentation roadmap (continued)
HP CIFS Product | Document Title: Chapter: Section
Samba Server FAQ | No.
Server Browsing | Refer to Chapter 9, “Network Browsing” in Samba HOW TO and Reference Guide for a description of browsing functionality and all browsing options.
Server Security | HP CIFS Client Administrator's Guide: Chapter 11, “Securing CIFS Server”.
Server Troubleshooting | Part V, Troubleshooting, Samba HOW TO and Reference Guide; Using Samba, Chapter 9, “Troubleshooting Samba”
Samba FAQs | No.
Table 4 Files and directory description (continued)
File/Directory | Description
/opt/samba/COPYING, /opt/samba_src/COPYING, /opt/samba_src/samba/COPYING | These are copies of the GNU Public License, which applies to the HP CIFS Server.
/sbin/init.d/samba | This is the script that starts HP CIFS Server at boot time and stops it at shutdown (if it is configured to do so).
/etc/rc.config.d/samba | This text file configures whether the HP CIFS Server starts automatically at boot time or not.
/sbin/rc2.
2 Installing and configuring the HP CIFS Server
This chapter describes the procedures to install and configure the HP CIFS Server software.
during times of memory pressure. Other operating systems only reserve swap space when it is needed. This results in the process not finding the swap space that it needs, in which case it has to be terminated by the OS. Each smbd process reserves about 2 MB of swap space and, depending on the type of client activity, the process size may grow up to 4 MB of swap space. For a maximum of 2048 clients, 4 MB * 2048, or about 8 GB, of swap space would be required.
Installing From a Software Depot File:
To install the HP CIFS Server software from a depot file, such as those downloadable from http://www.hp.com/go/softwaredepot, enter the following at the command line:
swinstall options -s /path/filename ProductNumber
Where:
ProductNumber is CIFS-SERVER for HP-UX 11i v2 or HP-UX 11i v3.
options is -x autoreboot=true
path must be an absolute path; it must start with /, for example, /tmp.
• Provide the following information if you choose to use the Windows Active Directory Server (ADS) realm:
◦ the name of your realm
◦ the name of your Domain Controller
◦ administrator user name and password
◦ the LDAP-UX Integration product is installed
◦ ensure that the most recent Kerberos client product is installed
For detailed information on how to join an HP CIFS Server to a Windows 2000/2003 Domain using Kerberos security, see “Windows 2003 and Windows 2008 domains” (page 71).
For the CIFS Server, edit the server configuration file /etc/opt/samba/smb.conf as follows:
case sensitive = yes
For the CIFS Client configuration, in the /etc/opt/cifsclient/cifsclient.cfg file, ensure the following default is set:
caseSensitive = yes
map system, map hidden and map archive Attributes
There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to the owner, group, and other execute bits in the UNIX file system.
Configure for SMB2 Features
Table 5 List of SMB2 parameters
Parameter Name | Description
max protocol = SMB2 | This parameter enables the SMB2 protocol. The SMB2 feature can be tested only with a Windows 7 or Windows Vista client.
smb2 max read | This option specifies the protocol value that smbd(8) will return to a client, informing the client of the largest size that may be returned by a single SMB2 read call.
1. SWAT (Samba Administration Tool)
-or-
2. Create a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:
[hpdeskjet]
path = /tmp
printable = yes
Where "hpdeskjet" is the name of the printer to be added.
Creating a [printers] share
Configure a [printers] share in the /etc/opt/samba/smb.conf file.
mkdir Win40
There are two possible locations (subdirectories) for keeping driver files, depending upon what version of Windows the files are for:
For Windows NT, XP, Windows 2000, Vista, or Windows 7 driver files, the files will be stored in the /etc/opt/samba/printers/W32X86 subdirectory.
For Windows 9x driver files, the files will be stored in the /etc/opt/samba/printers/Win40/0 subdirectory.
use client driver = no
browseable = yes
guest ok = yes
read only = yes
write list = netadmin
In the above example, the write list parameter specifies that the administrative level user account has write access for updating files on this share. The use client driver parameter must be set to No.
3. Configure the printer admin parameter to specify a list of domain users that are allowed to connect to an HP CIFS Server. See the following example:
[global]
printer admin = cifsuser1,cifsuser2
4.
Figure 1 Publishing printer screen
Verifying that the printer is published
On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published.
Commands used for publishing printers
This section describes the net ads printer command used for publishing printer support on an HP CIFS Server.
Searching printers
To search for a printer across the entire Windows 2003/2008 R2 ADS domain, run the following command:
$ net ads printer search
Without specifying the printer name, the command searches all printers available on the ADS domain.
NOTE: HP does not recommend file sharing of the root directory. Only subdirectories under the root should be set up for file sharing.
Setting up a DFS Tree on an HP CIFS Server
After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS.
1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
2. Configure an HP CIFS server as a DFS server by modifying the smb.
Refer to the following screen snapshot for an example:
Figure 2 Link share names example
MC/ServiceGuard high availability support
Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers. Template files for version A.02.02 have been revised to allow any number of cluster nodes and to offer other advantages over previous schemes.
Run the following command to start winbind alone:
/opt/samba/bin/startwinbind
Run the following command to stop winbind alone:
/opt/samba/bin/stopwinbind
NOTE: HP does not support the inetd configuration to start the HP CIFS Server.
Starting and stopping daemons individually
Two new options, -n (nmbd only) and -s (smbd only), have been added to the startsmb and stopsmb scripts to start and stop the daemons individually. The startsmb -s command starts the smbd daemon. The stopsmb -s command stops the smbd daemon.
• hosts deny
• hosts equiv
• preload modules
• wins server
• vfs objects
• idmap backend
Other samba configuration issues
Translate open-mode locks into HP-UX advisory locks
The HP CIFS Server A.02.* and A.03.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients.
able to make use of locking mechanisms when multiple systems are involved. You need to be aware of the following things when using HP CIFS Server in either an NFS or a Veritas CFS environment:
• CIFS Servers running simultaneously on multiple nodes should not use either NFS or Veritas CFS to concurrently share the smb.conf configuration and its subordinate CIFS system files in /var/opt/samba/locks and /var/opt/samba/private.
3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7
Introduction
This chapter describes how to use Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACLs) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.
For example, if a file on the UNIX file system is owned by UNIX user John and John has read and write (rw-) permissions on that file, the Windows client will display the same permissions for user John as: Special Access(RWDPO) You can also display the UNIX owner in the Windows Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.
Table 7 Windows access type maps to UNIX permission (continued)
Windows access type | UNIX Permission
Special Access(WX) | -wx
Special Access(RWX) | rwx
Special Access | r--
When mapping to UNIX file permissions from Windows, you will not be able to add new Windows ACL entries, because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries.
Figure 4 Windows special access permissions
The VxFS POSIX ACL file permissions
VxFS POSIX ACLs provide additional functionality over default UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.
• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.
• VxFS POSIX ACLs support default Access Control Entries (ACEs) for directory permissions.
Using the Windows NT Explorer GUI to create ACLs
Use the Windows Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list:
• Click the Add button in the File/Directory Permissions dialog box of the Windows GUI to bring up the Add Users and Groups dialog box.
Figure 5 Windows Explorer file permissions
NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.
Figure 7 Windows Explorer add users and groups dialog box
• Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.
• Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local UNIX groups and the users in this list.
name list, the GUI will put that name in the text list and automatically add the server name as well. • Optionally use the user name mapping feature to define a mapping of Windows user names (or domain names) to UNIX user names. For example, you could map the Windows user names administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one. Samba supports the creation of ACEs with Windows user names that are mapped to UNIX user names.
1. Right-click the file for which users and groups must be assigned, and select Properties->Security. The displayed page is as shown in Figure 9 (page 42).
Figure 9 Selecting file security
2. Click Edit. The Permissions page is displayed as shown in Figure 10 (page 42).
3. Click Add. The Select Users or Groups page is displayed as shown in Figure 11 (page 43).
Figure 11 Select users or groups
4. Enter the user or group name that you want to add and click Check Names. The new user or group name is displayed as shown in Figure 12 (page 43).
5. Set the permissions for the new user or group and click Apply. The new user or group name and the associated permissions are displayed as shown in Figure 13 (page 44).
Figure 13 New user or group and permissions
The new user or group is configured.
POSIX ACLs and Windows XP, Windows Vista and Windows 7 clients
The HP CIFS Server allows Windows XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000 and Windows XP permissions.
Table 9 UNIX permission maps Windows XP client permissions (continued)
UNIX Permission | Permission Shown on Windows XP Clients
--x | None; Execute or Traverse Folder, Read Attributes, Read Permissions
r-x | Read and Execute; all Read Permissions as in the first cell, Execute or Traverse Folder
rw- | Read, Write; all Read Permissions as in the first cell, all Write Permissions as in the second cell
rwx | Full Control; Full Control and all permission bits are ticked
--- | None; no boxes are ticked
NOTE: In the
Table 10 Windows XP permissions maps UNIX permissions (continued)
Windows XP | UNIX Permission
Change Permissions (Advanced) | * see explanation following table
Take Ownership (Advanced) | * see explanation following table
* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows XP clients.
Displaying the owner of a file
1. Click on Advanced
2. Click on the Owner tab on the Access Control Settings dialog box
HP CIFS Server directory ACLs and Windows XP, Windows Vista and Windows 7 clients
Directory ACL types
Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.
2. Click on the Security tab
Figure 14 Basic ACL view
Viewing advanced ACLs from Windows 2000 clients
Figure 15 Advanced ACL view
Mapping Windows XP directory inheritance values to POSIX
Under POSIX, default ACEs can apply to both files and subdirectories.
Table 11 Mapping table for inheritance values to POSIX
Inheritance Value | POSIX Mapping by HP CIFS Server
This Folder only | Maps to access ACE.
This Folder, Subfolders and Files | An ACE of this type is mapped to both access and default ACE.
This Folder and Subfolders | Maps only to access ACE for this directory.
This Folder and Files | Maps only to access ACE for this directory.
Subfolders and Files only | Maps to default ACE for this directory.
Figure 16 Modifying ACE permissions
5. Check/uncheck the boxes next to each permission to add/remove any permissions that you want.
6. Refer to "Mapping Table for Windows XP Permissions to UNIX Permissions" for detailed information on how each permission in this window is mapped to UNIX permissions.
7. Select the appropriate ACE type from the Apply to dropdown list in the dialog box.
8. Choose the selection according to how it will be mapped to POSIX ACEs.
Figure 17 Modifying an ACE type with apply to value
IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.
default:other:r-x
In example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:rwx
default:other:r-x

# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
access:other group:rw-
default:owner:rwx
default:owning group:r-
default:other group:r-w
In example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server will remove both the access other group and the default other group ACE entries.
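The two outcomes described above (a required default ACE regenerated from its access ACE in example 1; an optional named-group entry dropped in example 3) can be written as one reconciliation rule. The following Python model is an added example, not HP CIFS Server code; it uses the ACE notation of the listings above with constructed "before" listings, and it assumes the regeneration rule applies to all three required tags (owner, owning group, other) and that a required access entry the client omits is kept at its current value.

```python
"""Model of how a directory ACL edited from the Windows advanced ACE dialog
is reconciled by the server, following examples 1 and 3 above.

Added example for this guide, not product code.  ACE lines use the notation
of the listings above: kind:tag:perms, where kind is 'access' or 'default'.
"""

# POSIX ACLs always carry these three entries; a client cannot delete them.
REQUIRED_TAGS = ('owner', 'owning group', 'other')

# Constructed "before" listings for the two examples discussed above
# (example 3 omits the 'other' entries, as the listing in the text does).
EXAMPLE1_BEFORE = """\
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r-x
"""

EXAMPLE3_BEFORE = """\
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
access:other group:rw-
default:owner:rwx
default:owning group:r-x
default:other group:r--
"""


def parse_aces(text):
    """Parse 'kind:tag:perms' lines into {(kind, tag): perms}; the '#'
    header lines (file, owner, owning group, named group) are skipped."""
    aces = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        kind, tag, perms = line.split(':')
        aces[(kind, tag)] = perms
    return aces


def reconcile(server_aces, client_aces):
    """Return the ACE set the server stores after the client's edit.

    client_aces is what the Windows client sent back; an entry the user
    cleared (both Allow and Deny unchecked) is simply absent from it."""
    result = dict(client_aces)
    # Assumption: a required access entry the client left out is kept at its
    # current value, since POSIX cannot store an ACL without it.  The guard
    # covers listings (like example 3 above) that do not show every tag.
    for tag in REQUIRED_TAGS:
        if ('access', tag) in server_aces:
            result.setdefault(('access', tag), server_aces[('access', tag)])
    # Example 1: while the directory still has a default ACL, every required
    # default entry must exist, so a missing one is generated from the
    # matching access entry (default owning group r-x became rwx above).
    if any(kind == 'default' for kind, _ in result):
        for tag in REQUIRED_TAGS:
            if ('access', tag) in result:
                result.setdefault(('default', tag), result[('access', tag)])
    # Example 3: optional named entries ('other group') that the client
    # removed are not restored, so nothing further is needed for them.
    return result


def format_aces(aces):
    """Render an ACE set in the listing notation, access entries first."""
    order = lambda item: (item[0][0] != 'access', item[0][1])
    return '\n'.join('%s:%s:%s' % (k, t, p)
                     for (k, t), p in sorted(aces.items(), key=order))


def example1_result():
    """Client removes the default owning-group ACE (r-x)."""
    before = parse_aces(EXAMPLE1_BEFORE)
    sent = {k: v for k, v in before.items() if k != ('default', 'owning group')}
    return reconcile(before, sent)


def example3_result():
    """Client removes both the access and the default other-group ACEs."""
    before = parse_aces(EXAMPLE3_BEFORE)
    sent = {k: v for k, v in before.items() if k[1] != 'other group'}
    return reconcile(before, sent)


if __name__ == '__main__':
    print(format_aces(example1_result()))
    print()
    print(format_aces(example3_result()))
```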
Figure 18 Selecting a new ACE user or group
IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.
POSIX default owner and owning group ACLs
The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. In HP CIFS Server A.01.
of the Windows 2000, Windows XP, or Windows Vista ACL information is retained and retrieved by the Samba server, some of the information may be lost or changed in some cases.
NOTE: The ACL support is not a Windows 2000, Windows XP, Windows Vista or Windows 7 ACL emulation, but rather access to UNIX ACLs through the Windows 2000, Windows XP, Windows Vista or Windows 7 client.
4 Windows style domains
Introduction
This chapter describes how to configure the roles that an HP CIFS Server can play in a Windows style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or a Windows domain with a Microsoft Domain Controller (DC). Configuration of Member Servers joining a Windows 2003 and Windows 2008 R2 ADS domain as a pre-Windows 2000 compatible computer is described here.
Backup domain controllers
Advantages of backup domain controllers
HP CIFS Server with BDC support provides the following benefits to the customer:
• The BDC can authenticate user logons for users and workstations that are members of the domain when the wide area network link to a PDC is down. A BDC plays an important role in both domain security and network integrity.
• The BDC can pick up network logon requests and authenticate users while the PDC is very busy on the local network.
security = user
domain logon = yes
domain master = yes
encrypt passwords = yes
[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
writeable = no
guest ok = no
[profiles]
comment = profiles Service
path = /etc/opt/samba/profiles
read only = no
create mode = 600
directory mode = 770
2. The smb.
domain master = no
encrypt passwords = yes
security = user
[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
writeable = no
guest ok = no
• The smb.
security = domain
password server = DOMPDA
encrypt passwords = yes
netbios name = myserver
• The smb.conf file is as shown if the HP CIFS Server acting as a member server uses the LDAP backend to store UNIX and Samba account databases:
[global]
workgroup = NTDOM
security = domain
encrypt passwords = yes
passdb backend = ldapsam:ldap://ldapserver:389
netbios name = myserver
NOTE: workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.
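The role settings in the smb.conf examples above can be checked mechanically before the server is started. The following Python script is an added example, not part of the HP CIFS Server product or this guide: it parses a constructed smb.conf in the PDC form shown above and checks the [global] and [netlogon] settings each role requires (PDC, BDC, domain member with a password server or LDAP passdb backend, and the security = ADS form with a realm from Chapter 5). Parameter spellings follow this chapter; "domain logons" and "writable" are folded to the same names, and only the parameters the chapter's examples use are known to the checker.

```python
"""Check an smb.conf against the domain-role settings shown in this chapter.

Added example for this guide; a stand-alone checker, not HP CIFS Server code.
"""
import re

# Constructed sample in the PDC form shown in this chapter.
SAMPLE_PDC_CONF = """\
[global]
   workgroup = SAMBADOM
   security = user
   domain logon = yes
   domain master = yes
   encrypt passwords = yes

[netlogon]
   comment = The domain logon service
   path = /var/opt/samba/netlogon
   writeable = no
   guest ok = no
"""

# Samba accepts several spellings for some parameters; fold them to the
# spelling this chapter uses so the checks below see one name.
SYNONYMS = {'domain logons': 'domain logon', 'writable': 'writeable',
            'write ok': 'writeable'}

# [global] settings each role needs, taken from the examples in this chapter
# and from the ADS member example in Chapter 5 (which also needs "realm").
ROLE_REQUIREMENTS = {
    'pdc':    {'security': 'user', 'domain logon': 'yes',
               'domain master': 'yes', 'encrypt passwords': 'yes'},
    'bdc':    {'security': 'user', 'domain logon': 'yes',
               'domain master': 'no', 'encrypt passwords': 'yes'},
    'member': {'security': 'domain', 'encrypt passwords': 'yes'},
    'ads':    {'security': 'ads'},
}


def parse_smb_conf(text):
    """Return {section: {param: value}}.  Section and parameter names are
    lower-cased and whitespace-collapsed because smbd ignores case and
    spacing; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'^\[(.+)\]$', line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and '=' in line:
            key, value = line.split('=', 1)
            key = ' '.join(key.lower().split())
            sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def check_role(text, role):
    """Return a list of problems; an empty list means the config matches
    the requested role ('pdc', 'bdc', 'member' or 'ads')."""
    conf = parse_smb_conf(text)
    g = conf.get('global', {})
    problems = []
    for key, want in ROLE_REQUIREMENTS[role].items():
        have = g.get(key)
        if have is None:
            problems.append('[global] is missing "%s = %s"' % (key, want))
        elif have.lower() != want:
            problems.append('[global] "%s" is "%s", expected "%s"'
                            % (key, have, want))
    if role in ('pdc', 'bdc'):
        # Domain logons need the [netlogon] share.  It holds the logon
        # scripts every client runs, so it stays read-only and non-guest,
        # exactly as the examples in this chapter set it.
        nl = conf.get('netlogon')
        if nl is None:
            problems.append('missing [netlogon] share needed for domain logons')
        else:
            if nl.get('writeable', 'no').lower() == 'yes' \
                    or nl.get('read only', 'yes').lower() == 'no':
                problems.append('[netlogon] must not be writeable')
            if nl.get('guest ok', 'no').lower() == 'yes':
                problems.append('[netlogon] must not allow guest access')
    if role == 'member' and 'password server' not in g \
            and 'passdb backend' not in g:
        problems.append('[global] needs "password server" or an LDAP '
                        '"passdb backend" (see the member server examples)')
    if role == 'ads' and 'realm' not in g:
        problems.append('[global] needs "realm" when security = ADS')
    return problems


if __name__ == '__main__':
    for role in ROLE_REQUIREMENTS:
        print(role, check_role(SAMPLE_PDC_CONF, role) or 'OK')
```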
Step-by-step procedure
1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC.
For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS Member Server by performing the following steps:
a. Open the "start/programs/administrator/tools/server manager" tool.
b. Select the "computer/add to domain" icon and enter the host name of the HP CIFS Server.
c.
dn: uid=client1$,ou=People,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixAccount
homeDirectory: /home/temp
loginShell: /bin/false
As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be:
objectClass: posixAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
rid: 1206
primaryGroupID: 1041
lmPassword: E0AFF63989B8FA6576549A685C6AFAF1
ntPassword: E0AFF63989B8FA6576549A685C6AFAF1
acctFlags: [W ]
displayName: client1$
NOTE: You can also use utilities, including pdbedit and the net commands, to create the machine trust accounts. The net commands provide numerous new utility operations.
[global]
security = user
workgroup = SAMBADOM  #SAMBA Domain name
domain logon = yes
encrypt passwords = yes
2.
acctFlags: [W ]
displayName: client1$
3.
Figure 19 Entering a samba PDC domain name
Roaming profiles
The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features:
• A user's environment, preference settings, desktop settings, etc.
profile acls = yes
path = /etc/opt/samba/profiles
read only = no
create mode = 600
directory mode = 770
writeable = yes
browseable = no
guest ok = no
Configuring user logon scripts
The logon script configuration must meet the following requirements:
• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
• They should have UNIX executable permission set.
• Any logon script should contain valid commands recognized by the Windows client.
logon home = \\%L\%U
Trust relationships
Trust relationships enable pass-through authentication for users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. There are various forms of trusts, depending on the domain type, and Windows 2003/2008 R2 ADS domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at http://technet.microsoft.com.
Establishing a trust relationship on an HP CIFS PDC with an NT domain
Trusting an NT Domain from a Samba Domain
Use the following steps to trust an NT domain from a Samba Domain:
1. On the NT domain controller, run the User Manager utility. Go to Policies/Trust Relationships, add the trusting Samba domain account for the CIFS Server and establish a password.
2. Log on as root on the trusting Samba Domain PDC.
5 Windows 2003 and Windows 2008 domains
Introduction
This chapter describes the process for joining an HP CIFS Server to a Windows 2003 or Windows 2008 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain member server” (page 60) in Chapter 4, "NT Style Domains". By default, Windows 2003 and Windows 2008 Servers use the Kerberos authentication protocol for increased security.
For the latest LDAP Integration software, download the product from the following web site: http://www.hp.com/go/softwaredepot Enter LDAP-UX Integration for HP-UX in the search field.
Steps to download the CA certificates from Windows CA server
Use the following steps to download the Certificate Authority certificates from a Windows 2003 CA Server using Mozilla browser 1.6.0.01.00:
1. You must install the Mozilla browser on your HP-UX system.
2. Log in to your HP CIFS Server machine as root.
3. Use the following command to set up your DISPLAY environment variable on your HP CIFS Server machine (the shell accepts no spaces around the = sign):
export DISPLAY=your_machine_IP:0.0
4.
startTLS enabled, the NetBIOS name or IP address of the Windows ADS PDC machine, and the location of the certificate database files, cert8.db and key3.db. The following is an example for the [Global] section of the /etc/opt/samba/smb.conf file:
[Global]
realm = MYREALM
security = ADS
password server = adsdc_server
ldap server = adsdc_server
ssl cert path = /etc/opt/ldapux
To enable startTLS with an un-encrypted port 389, set:
ldap ssl = start_tls
For more information about the smb.
ssl cert path
This string parameter specifies the file location of the certificate database files, cert8.db and key3.db. For example, ssl cert path = /etc/opt/samba. The default value is /etc/opt/ldapux.
workgroup
This parameter specifies the name of the domain in which the HP CIFS Server is a domain member server.
security
When the HP CIFS Server joins a Windows 2003/2008 R2 native mode domain as a member server, you must set this parameter to ADS.
10. Once the selected user is presented in the Enter the object name to select list, click the OK button to get to the permission entry for the Computers window.
11. In the Permissions dialog box, check the Create Computer Objects and Delete Computer Objects selections.
12. Click on the OK button.
13. Click on the Apply button.
14. Click on the OK button on the Advanced Security Setting for Computers window.
15. Click on the OK button on the Computers Properties window.
NOTE: You must configure the port number :88 after the node name specified for the kdc entry in the [realms] section. Kerberos v5 uses port number 88 for the KDC service. For detailed information on how to configure the /etc/krb5.conf file, refer to the krb5.conf(4) man page.
3. Run the following commands to verify the Kerberos configuration:
log in as root
kinit (e.g. Administrator@myrealm.xyz.
netbios name = MYSERVER
Then join the ADS domain by manually executing the "net ads join -U Administrator%password" command.
NOTE: If you use the startTLS feature for strong authentication support, see the “Configuring HP CIFS Server to Enable startTLS” section for more information about smb.conf configuration.
5. Use the following command to start your HP CIFS Server:
/opt/samba/bin/startsmb
6. Run the following command to verify Kerberos authentication.
6. Enter and confirm the trust password.
7. Review and select Next.
8. Select Yes and select Next, two more times.
9. Select Finish and then OK.
NOTE: Windows Server 2003 Service Pack 1 (SP1) may require the RestrictAnonymous registry subkey to be set to 0 and the value of the RestrictNullSessAccess registry subkey also to be set to 0. Run regedit from the Start button and find RestrictNullSessAccess under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
In order for an HP CIFS Member of a Windows 2003 or Windows 2008 Domain to recognize trusts established by its Domain Server, its /etc/krb5.conf file must declare the trusted domains in the [realms] section (only, not in [domain_realm]). For example, an HP CIFS member of the Windows 2003/2008 R2 ADS domain mydom, which trusts trust1dom and trust2dom, might have the /etc/krb5.conf file as follows:
[libdefaults]
default_realm = MYDOM.ORG.HP.
6 LDAP integration support This chapter describes the HP CIFS Server with LDAP integration. It includes benefits of LDAP, procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
HP CIFS server advantages The HP CIFS Server with the LDAP support provides the following benefits to the customer: • Reduces the need to maintain user account information across multiple HP CIFS servers, as LDAP provides a centralized user database management. • Easily adds multiple HP CIFS servers or users to the LDAP directory environment. This greatly improves the scalability of the HP CIFS Server. • Stores and looks up user account information in the LDAP directory.
Workgroup model networks
HP CIFS Servers configured with server mode security will attempt to authenticate Windows users on the server specified. If LDAP is enabled, then authentication will fall back to the LDAP server if the server mode authentication fails. HP CIFS Servers configured with share mode security may replace smbpasswd with an LDAP directory server. HP CIFS Servers configured as stand-alone user mode servers may replace smbpasswd with an LDAP directory server.
5. The CIFS Server receives data attributes including the password information from the LDAP directory server. If the password and challenge information matches with information in the client response package, the Samba user authentication succeeds. 6. If the Samba user is authenticated and is successfully mapped to a valid posix user, the CIFS Server returns a user token session ID to the Windows PC client.
Configuring your directory server You need to configure the Netscape/Red Hat Directory Server if it is not already configured.
• Assigns your base DN as your LDAP suffix for user and group searches.
• Starts the product daemon, ldapclientd, if you choose to start it. For LDAP-UX Client B.03.20, you must start the client daemon for LDAP-UX functions to work.
NOTE: If the value of the security parameter is ads, running setup for the LDAP-UX Client Services is not required.
Quick configuration
You can do a quick configuration of the LDAP-UX Client Services by selecting the default values of the configuration parameters.
User DN [cn=Directory Manager]:
Password:
NOTE: You must enter the DN user password, which you have given in the LDAP server setup.
Select authentication method for users to bind/authenticate to the server
1. SIMPLE
2. SASL DIGEST-MD5
To accept the default shown in brackets, press the Return key.
Authentication method: [1]:
For high-availability, each LDAP-UX client can look for user and group information in up to three different directory servers.
No proxy user is configured at this client.
Note : Starting the LDAP-UX daemon is now required for the LDAP-UX product !
You have created/changed the configuration profile. To make it take effect, you need to start/restart the LDAP-UX daemon
Would you like to start/restart the LDAP-UX daemon (y/n) ? [y]:
Updated the LDAP-UX daemon configuration file /etc/opt/ldapux/ldapclientd.conf
Restarted the LDAP-UX daemon!
To enable the LDAP file /etc/pam.conf
To enable the LDAP /etc/nsswitch.
6. Run the following command to verify your configuration:
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
"(objectclass=*)" | grep -i posix
Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:
objectClasses: ( 1.3.6.1.1.1.2.
Configuring the LDAP-UX client to use SSL If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX Client and configure the LDAP-UX Client to enable SSL. Use the following steps to enable SSL on your LDAP client system: 1. Optionally, ensure that each user of the directory server obtains and installs a personal certificate for all LDAP clients that will authenticate with SSL.
Where is the fully qualified name of the target directory server. • HP CIFS Server A.02.03 or later supports the start_tls option to the ldap_ssl parameter. To enable SSL connections to the directory server, set the following parameters one of the two ways shown below in the [Global] section of the smb.
3. Use the following ldapsearch command to verify that you have updated the schema in the Directory Server with the Samba subschema:
$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
"(objectclass=*)" | grep -i samb
You need to ensure that the output displays the following sambaSamAccount objectclass when you run the ldapsearch command:
objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.
2. Run the following script, migrate_all_online.sh, to migrate all name service data files in the /etc directory to an LDIF file:
$ migrate_all_online.sh
Reply to the script's prompts as appropriate. In our example, use cn=Directory Manager as the bind DN; the credentials to bind with are the Directory Manager password.
NOTE: At this point, you have an LDAP directory server with everything you need to use as a backend for pam and nsswitch.
Table 13 Migration scripts (continued)
Script Name          Description
migrate_services.pl  Migrates services in the /etc/services file. (3)
migrate_common.ph    Specifies a set of routines and configuration information all the perl scripts use.
Table notes 1, 2, 3: If systems have been configured with the same host name, then the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the host name for each of the IP addresses.
backend parameter in smb.conf to ldapsam:ldap://, this tool adds Samba user accounts that correspond to existing POSIX user accounts to the LDAP directory server. See the syncsmbpasswd(1) man page for details. For example, use the following procedure to synchronize Samba user accounts with available POSIX user accounts in the LDAP directory server, ldaphostA.example.hp.com:
1. Configure the passdb backend parameter in smb.conf:
passdb backend = ldapsam:ldap://ldaphostA.example.hp.
Table 14 Global parameters (continued)
Parameter: ldap passwd sync
Description: Specifies whether the HP CIFS Server should sync the LDAP password with the NT and LM hashes for normal accounts on a password change. This option can be set to one of three values:
• Yes: Update the LDAP, NT and LM passwords and update the pwdLastSet time.
• No: Update the NT and LM passwords and update the pwdLastSet time.
• Only: Only update the LDAP password and let the LDAP server do the rest.
The default value is No.
You can quickly run the samba_setup program to configure the HP CIFS Server with the LDAP feature support as follows: 1. Run the following commands to enable the LDAP feature: $ export PATH=$PATH:/opt/samba/bin $ samba_setup When running the samba_setup program, you will be asked whether you want to use LDAP or not. Press Yes to use LDAP, and press No to disable LDAP. 2. Reply to the samba_setup program to configure the following global LDAP parameters in the /etc/opt/samba/smb.
NOTE: You must ensure that the password correctly matches with the password for the ldap admin directory manager. This password is for user administration and is stored for later use. If the password is incorrect, no error message is displayed, but the user administration will fail when attempted.
Syntax
ldapsearch [option]
Options
-b Specifies the starting point for the search. The value specified must be a distinguished name that currently exists in the database.
-s Specifies the scope of the search.
-D Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries.
7 Winbind support This chapter describes the HP CIFS winbind feature and explains when to use it and how best to configure its use.
Winbind provides a library routine, /usr/lib/libnss_winbind.1, that NSS can use to interface to the winbind daemon to resolve ID mappings. • User and group ID allocation When winbind is presented with a Windows SID for which there is no corresponding UID and GID, winbind generates a UID and GID.
Advantages
The advantages of using the shared sambaUnixIDPool method are as follows:
• UIDs and GIDs are unique across all domain member servers that access this LDAP database.
• Native non-winbind users can be authorized using the POSIX objectclass and LDAP PAM module from the same LDAP database.
• The database can be replicated. Replication reduces the likelihood of data loss and provides backup servers if the primary server is unavailable.
Figure 21 Winbind process flow (diagram not reproduced: it shows the Windows client, Samba, NSSWITCH, winbind with its tdb ID map, and the W2003 ADS Domain Controller, with the steps numbered 1 to 14 that are described below)
The following describes the winbind process flow shown in
Winbind uses the blocking, synchronous behavior when enumerating users and groups. Set both winbind enum users and winbind enum groups to No to force winbind to suppress the enumeration of users and groups.
Why can’t I use the net groupmap utility to map a windows group to a UNIX group, then add UNIX members to this group? The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups, so they can be recognized by Windows clients allowing them to be used when setting permissions on the local server resources. A complete SID is generated by appending the entered RID to the SID of the server, making local groups on CIFS member servers.
Windows and UNIX inter-operability including sharing identity credentials. IMU and SFU download and technical papers are available from Microsoft’s TechNet at the following web site: http://technet.microsoft.com SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2), so no download is necessary for this version.
HP CIFS member servers would benefit from the use of an LDAP directory server, so winbind can be used while storing ID maps in an LDAP directory and maintaining unique ID maps across multiple HP CIFS member servers. You can deploy Winbind with the idmap rid method when your environment does not require domain trusts.
Table 15 Global parameters (continued)
Parameter / Description
You can also use the winbindd -n command to disable winbind caching when you start the winbind daemon. This means winbindd always has to wait for a response from the Windows domain controller before it can respond to a client. Either the winbindd -n command or the winbind cache ug list = No configuration disables winbind caching for the user or group list entries.
Table 16 Unsupported parameters or options (continued)
parameters of template shell and template homedir. The default setting is template.
winbind nested groups: This is a boolean variable. If set to yes, this parameter activates the support for nested groups. Nested groups are also called local groups or aliases. Nested groups are defined locally on any machine (they are shared between DCs through their SAM) and can contain users and global groups from any trusted SAM.
generate unique HP-UX UIDs and GIDs across the domain. It can be used for synchronization of mappings across multiple CIFS servers without an LDAP directory. You can use the idmap rid facility in a Windows NT domain or a Windows 2003/2008 R2 ADS domain, but it cannot be used in Windows trusted domains. In HP CIFS Server A.02.03 or later, the idmap rid shared library, idmap_rid.sl(so), is changed to rid.sl(so).
Limitations using idmap rid
• The idmap rid facility is only used in a single Windows domain.
# idmap section
ldap user suffix = ou=People
ldap group suffix = ou=Groups
idmap uid = 50000-60000
idmap gid = 50000-60000
idmap backend = ldap:ldap://ldaphostA.company.com
ldap idmap suffix = Idmap
ldap admin dn = "cn=Directory Manager"
ldap suffix = dc=org, dc=company, dc=com
Starting and stopping winbind
This section describes how to start or stop the HP CIFS Server with winbind support.
$ ll /tmp/shareA/JohnTest
When you run the ll command, the output is as follows:
-rwxr--r-- 1 DomA\John DomA\GroA 290 Nov 0 12:05 tmp/shareA/JohnTest
In the above output, the file owner is DomA\John, and the group owner is DomA\GroA. The first part of the owner and group owner, DomA, is the domain name, and the \ is the winbind separator. The last part, John and GroA, are the actual user name and group name from the Windows domain.
8 Kerberos support Introduction The Kerberos protocol is regulated by the IETF RFC 1510. Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2003, Windows XP, and Windows Vista clients. For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2003 and Windows 2008 domain, and only when the HP CIFS Server is configured with "security = ads".
Kerberos CIFS authentication example
Figure 22 Kerberos authentication environment (diagram not reproduced: the Windows 2000/2003 KDC with its AS and TGS as authenticator, the Windows 2000 or XP client as authenticatee, and the HP CIFS Server as resource, with the exchanges numbered 1 to 6)
The following describes a typical Kerberos logon and share service exchange using Kerberos authentication in a Windows 2003/2008 R2 ADS domain environment shown in Figure 8-1:
1.
• HP-UX Kerberos Client ◦ Kerberos v5 Client D.1.6.2 or later for HP-UX 11i v2 ◦ Kerberos v5 Client E.1.6.2.10 or later for HP-UX 11i v3 • Service Pack 1 is recommended for Windows 2003, and required for inter-operation with Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2.10 or later on HP-UX 11i v3. • HP-UX LDAP-UX Integration product • Windows 2003, or Windows 2008 Server domain. • Windows XP Client Configuring krb5.
NOTE: You can also use the kerberos method = system keytab parameter to configure HP CIFS Server without specifying the dedicated keytab file parameter. An example of /etc/opt/samba/smb.conf is as follows:
[global]
workgroup = MYREALM
realm = MYREALM.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = 15.43.214.58
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.MYREALM.HP.COM
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab
3.
9 HP CIFS deployment models This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference.
Figure 23 Standalone HP CIFS Server as a PDC (diagram not reproduced: an HP CIFS PDC serving Windows and UNIX users; password backend: smbpasswd or tdbsam)
Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:
Figure 24 Standalone HP CIFS Server as a PDC with NDS backend (diagram not reproduced: an HP CIFS PDC with an NDS LDAP Server serving Windows and UNIX users; password backend: ldapsam or ldapsam_compat)
Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:
Figure 25 Multiple HP CIFS Servers with NDS backend (diagram not reproduced: an HP CIFS PDC and WINS Server, an HP CIFS BDC and an HP CIFS Member Server sharing an NDS LDAP Server for Windows and UNIX users; password backend: ldapsam or ldapsam_compat)
Figure 9-4 shows the Samba Domain Model:
Figure 26 Samba Domain (diagram not reproduced: the same components as Figure 25)
The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller
Samba Domain components As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See “LDAP integration support” (page 81) for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments. Multi-subnetted environments require name-to-IP-address mapping to go beyond broadcast limits of a single LAN segment.
HP CIFS acting as the member server
To ensure that there are always sufficient domain controllers to handle authentication and logon requests, in general, configure BDCs rather than member servers unless there are fewer than about 30 Windows clients per BDC. You can join an HP CIFS Server to the Samba Domain. The Windows authentication requests are managed by the PDC or BDCs using LDAP, smbpasswd or another backend.
######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
workgroup = SAMBA30_DOMAIN # Domain Name
server string = Samba Server hostW PDC
passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
log level = 0
security = user
syslog = 0
log file = /var/opt/samba/log.
A Sample smb.conf file for a BDC
The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hostB acting as a BDC in the sample Samba Domain Model shown in Figure 9-5:
######################################
#
# Samba config file created using SWAT
# from 1.13.129.
######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
workgroup = SAMBA30_DOMAIN # Domain Name
server string = Samba Server hostC Domain Member Server
password server = hostW hostB
security = Domain
netbios aliases = MOONEY
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = No
domain master = No
wins server = 1.13.115.
group:      files ldap
hosts:      dns [NOTFOUND=return] files ldap
networks:   files ldap
protocols:  files ldap
rpc:        files ldap
publickey:  files
netgroup:   files ldap
automount:  files
aliases:    files
services:   files ldap
Windows domain model
You can use the Windows Domain Model in environments with the following characteristics:
• Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled).
Components for Windows domain model
HP CIFS Server supports the NTLMv1/NTLMv2 security used for NT domain membership and the Kerberos security used for Windows 2000/2003 native membership, so HP CIFS Servers can be managed in any Windows 2000/2003 ADS, Windows 200x mixed mode, or NT environment. HP CIFS Server does not support a true SAM database and cannot participate as a domain controller in a Windows NT, Windows 2000 or Windows 2003 domain.
######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
workgroup = hpcif23_dom # Domain Name
server string = CIFS Server as a domain member of hpcif23_dom
realm = HPCIF23DOM.ORG.HP.COM
security = ADS
netbios name = hpcif54
encrypt passwords = yes
password server = *
passdb backend = smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.
read only = no
valid users = %D\%U
[share2]
path = /tmp
read only = no
# Specify values of force user and force group to a valid domain user or group
force user = localusr
force group = localgrp
[tmp]
path = /tmp
read only = no
browseable = yes
writable = yes
A sample /etc/krb5.conf file
On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.
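The sample files in this chapter are typed by hand, and a misspelled parameter name such as "passdb backed" or "log fie" is not an error to Samba: the parameter is logged as unknown and ignored, so the default silently stays in force. Samba's own testparm(1) reports such lines; the checker below is an added example (not from the HP guide or the Samba project) that does the same offline and additionally reports the settings this guide treats as insecure (plaintext passwords, LM authentication, an LDAP backend with ldap ssl turned off). The parameter lists and the sample file are constructed for the example; the lists are a small hand-picked subset of real Samba parameters, not the complete smb.conf(5) set.

```python
"""Lint an smb.conf for misspelled parameter names and weak security settings.

Added example, not part of the HP CIFS guide or the Samba project. KNOWN_GLOBAL
and KNOWN_SHARE are a small hand-picked subset of real Samba parameters (those
used in this guide's sample files), not the complete list from smb.conf(5).
"""
import difflib
import re

KNOWN_GLOBAL = {
    "workgroup", "server string", "passdb backend", "log level", "security",
    "syslog", "log file", "max log size", "domain logons", "preferred master",
    "domain master", "wins server", "password server", "netbios name",
    "netbios aliases", "encrypt passwords", "realm", "ldap ssl", "ldap admin dn",
    "ldap suffix", "ldap user suffix", "ldap group suffix", "ldap idmap suffix",
    "idmap uid", "idmap gid", "idmap backend", "lanman auth", "client lanman auth",
    "kerberos method", "dedicated keytab file", "bind interfaces only",
    "interfaces", "winbind separator", "machine password timeout", "private dir",
}
KNOWN_SHARE = {"path", "read only", "writable", "browseable", "valid users",
               "force user", "force group", "comment"}

FALSE_VALUES = ("no", "false", "0", "off")
TRUE_VALUES = ("yes", "true", "1", "on")


def normalise(name):
    """Samba compares parameter names case-insensitively and ignores extra spaces."""
    return re.sub(r"\s+", " ", name.strip().lower())


def parse_smb_conf(text):
    """Return [(section_name, {param: value}), ...] in file order.

    Lines starting with '#' or ';' are comments. A trailing '# comment' after a
    value is kept as part of the value, because Samba does not strip it either.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = (m.group(1).strip(), {})
            sections.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[1][normalise(key)] = value.strip()
    return sections


def security_findings(g):
    """Checks on the [global] section for the settings this guide warns about."""
    out = []
    if g.get("encrypt passwords", "yes").lower() in FALSE_VALUES:
        out.append("[global] encrypt passwords = no: passwords cross the wire in clear text")
    for name in ("lanman auth", "client lanman auth"):
        if g.get(name, "no").lower() in TRUE_VALUES:
            out.append("[global] %s = yes: re-enables the weak LM hash (default is No)" % name)
    uses_ldap = any(k.startswith("ldap ") or "ldap" in v.lower() for k, v in g.items())
    if uses_ldap and g.get("ldap ssl", "").lower() in FALSE_VALUES:
        out.append("[global] ldap ssl = off: LDAP traffic (including credentials) is unencrypted")
    return out


def lint(text):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for name, params in parse_smb_conf(text):
        is_global = name.lower() == "global"
        known = KNOWN_GLOBAL if is_global else KNOWN_SHARE
        for key in params:
            if key in known:
                continue
            msg = "[%s] unknown parameter '%s' (Samba ignores it)" % (name, key)
            hint = difflib.get_close_matches(key, known, n=1, cutoff=0.75)
            if hint:
                msg += " - did you mean '%s'?" % hint[0]
            findings.append(msg)
        if is_global:
            findings.extend(security_findings(params))
    return findings


# Constructed sample modelled on the member-server file above; 'passdb backed',
# 'log fie' and 'read olny' are deliberate misspellings.
SAMPLE = """\
[global]
   workgroup = SAMBA30_DOMAIN
   server string = Samba Server hostC Domain Member Server
   password server = hostW hostB
   security = Domain
   passdb backed = ldapsam:ldap://hpldap128:389
   ldap ssl = off
   lanman auth = Yes
   log level = 0
   log fie = /var/opt/samba/log.%m

[share1]
   path = /exported/data
   read olny = no
   valid users = %D\\%U
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```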
The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:
# /etc/nsswitch.conf
#
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
workgroup = hpcif23_dom # Domain Name
server string = CIFS Server as a member of NT domain
netbios name = hostM
# For NT specific option
workgroup = hostP_dom
security = domain
encrypt passwords = yes
passdb backend = smbpasswd
password server = hostP.org.hp.com
log level = 0
log file = /var/opt/samba/log.
[tmp]
path = /tmp
read only = no
browseable = yes
writable = yes
Unified domain model
You can use the Unified Domain Deployment Model in environments with the following characteristics:
• A domain consisting of Windows 200x servers.
• The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for Unix (SFU).
NOTE:
• SFU Version 3.5 does not support the Windows NT4 Domain.
For more information on how to configure Unified Login, see Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2 at: http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c02564031/c02564031.pdf.
Unified domain components
HP CIFS acting as a Windows 200x ADS member server
The HP CIFS member server operating in a unified domain depends on the ADS being aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings.
• Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.
• Downloads the configuration profile from the directory to the client.
• Starts the product daemon, ldapclientd.
4. Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to specify Kerberos authentication and LDAP name service, respectively.
Configuring /etc/krb5.
Figure 32 An Example of the Unified Domain (diagram not reproduced: the Windows ADS DC/SFU “hpntcdn” in realm CIFSW2KSFU.ORG.HP.COM serving Windows and UNIX users, a Windows NT/WINS Server at IP address “1.13.112.166”, and the HP CIFS Member Server “hostD”)
A sample smb.conf file for an HP CIFS member server
The following is a sample Samba configuration file, /etc/smb.
# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
# See krb5.conf(4) for more details.
#
# Please verify that you have created the directory /var/log.
#
# Replace HPCIFSW2KSFU.ORG.HP.COM with your kerberos Realm.
# Replace hpntcdn.org.hp.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
default_realm = HPCIFSW2KSFU.ORG.HP.
10 Securing HP CIFS Server This chapter describes the network security methods that you can use to protect your HP CIFS Server. It includes the following sections: • “Security protection methods” (page 136) • “Automatically receiving HP security bulletins” (page 139) Security protection methods HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services.
make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP connection refused reply. Using a firewall You can use a firewall to deny access to services that you do not want exposed outside your network. This can be a very good protection method, although the methods mentioned above can also be used in case the firewall is not active for some reasons. When you set up a firewall, you need to know which TCP and UDP ports to allow.
on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see “LDAP integration support” (page 81). The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory configurations. Protecting sensitive configuration files The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security while providing appropriate accessibility.
Restricting execute permission on stacks A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive". In the archive, the third link is to the current Security Patch Matrix. This matrix categorizes security patches by the platform/OS release, and by the bulletin topic. The Security Patch Check tool completely automates the process of reviewing the patch matrix for the v2 system.
11 Configuring HA HP CIFS Overview of HA HP CIFS Server Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
4. For any UNIX users used to authenticate CIFS clients, check that they have the same name, user ID number, primary group and password on both of the nodes. This is required for any users used to authenticate to either Samba server in the Active-Active configuration. This means that any user name used on both Samba servers must have the same user ID, primary group ID, and password on both cluster nodes.
1. /etc/opt/samba/smb.conf.pkg1
2. /etc/opt/samba/smb.conf.pkg2
3. /etc/opt/samba/smb.conf.pkg3
There will be three directories:
1. /var/opt/samba/pkg1
2. /var/opt/samba/pkg2
3. /var/opt/samba/pkg3
...where the locks and log files will reside. With most configurations, it will be easier to set up and maintain the dynamic security and data files on shared disks. Therefore, you may want to create the /var/opt/samba/ paths used in the example on shared disks.
• Consider load balancing when creating the share paths. • Consider whether you need to locate your smbpasswd and private files on a shared volume, etc. You may want to review "Special Notes for HA HP CIFS Server" found at the end of this section, now. If you run SWAT or smbpasswd utilities, keep in mind that they will be operating on smb.conf not your smb.conf. configuration. You may want to copy smb.conf. to smb.conf for this reason.
...depending on which package you are currently working on.
2. Create a NODE_NAME variable for each node that will run the package. The first NODE_NAME should specify the primary node. All other NODE_NAME variables should specify the alternate nodes in the order in which they will be tried.
NODE_NAME ha_server1
NODE_NAME ha_server2
...for pkg1,
NODE_NAME ha_server2
NODE_NAME ha_server1
...for pkg2, etc.
3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.
...for pkg2, etc. 2. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server.
4. If you want to use the HP CIFS Server monitor script, set the SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.
SERVICE_NAME[0]=samba_mon1
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg1/samba.mon
for pkg1, and
SERVICE_NAME[0]=samba_mon2
SERVICE_CMD[0]=/etc/cmcluster/samba/pkg2/samba.mon
for pkg2.
5. If you have an smb.conf file which makes use of winbind, you need to uncomment these winbind lines for winbind support in the cluster. Edit the samba.
3. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MC/ServiceGuard cluster configuration file (clucifs.conf) through MC/ServiceGuard procedures.
cmcheckconf -C /etc/cmcluster/clucifs.conf \
-P /etc/cmcluster/samba/pkg1/samba.conf \
-P /etc/cmcluster/samba/pkg2/samba.conf
4. Activate the shared volume for cluster locks.
vgchange -a y /dev/vglock
5.
• Security Files An important security file is secrets.tdb. Machine account information is among the important contents of this file. Since this file will be updated periodically (as defined in smb.conf by machine password timeout, 604800 seconds by default), HP recommends that you locate secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the smb.conf parameter, private dir.
• Samba as a Master Browser If you configure your Samba server to be the domain master browser by setting the domain master to yes, it will store the browsing database in the /var/opt/samba/locks/browse.tdb file. HP does not recommend doing this in an HA configuration. If you do so, you will probably want to configure /var/opt/samba/locks/browse.tdb as a symbolic link to a BROWSE.DAT file on a logical shared volume.
mkdir -p -m 755 /exported/locks
mkdir -p -m 700 /exported/private
mkdir -p -m 777 /exported/data
vi /etc/exports
/exported -anon=root root=host:nfsclient1:nfsclient2
Run the following command to export all directories listed in /exported to NFS clients:
exportfs -a
Execute the following commands on an NFS client:
vi /etc/fstab
nfsserver:/exported /mnt/nfsserver nfs defaults 0 0
mkdir -p /mnt/nfsserver
mount /mnt/nfsserver
An example of smb.
Example:
cfsdgadm activate dgha
Create volumes:
vxassist -g <disk_group> make <volume> <size>
Example:
vxassist -g dgha make lvol1 1024M
vxassist -g dgha make lvol2 2048M
newfs -F vxfs /dev/vx/rdsk/dgha/lvol1
newfs -F vxfs /dev/vx/rdsk/dgha/lvol2
Add volumes:
cfsmntadm add <disk_group> <volume> <mount_point> all=rw
Example:
cfsmntadm add dgha lvol1 /cfs1 all=rw
cfsmntadm add dgha lvol2 /cfs2 all=rw
Mount CFS mount points:
cfsmount <mount_point> ...
Example:
cfsmount /cfs1 /cfs2
If CIFS Server binaries a
DEPENDENCY_NAME      SG-CFS-MP-2
DEPENDENCY_CONDITION SG-CFS-MP-2=UP
DEPENDENCY_LOCATION  SAME_NODE
12 HP-UX configuration for HP CIFS
This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections:
• HP CIFS Process Model
• TDB Memory Map for HP CIFS Server
• Overview of Kernel Configuration Parameters
• Configuring Kernel Parameters for HP CIFS
The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of an HP CIFS server running on HP-UX 11i v3.
NOTE: The difference between the access based share enum (S) parameter and the access based enumeration parameter is that in access based share enum (S) only the share permissions are evaluated and security descriptors are not used in computing enumeration access rights.
• cache directory (G) This parameter specifies the directory where the TDB files containing non-persistent data are stored. The default setting of this parameter is cache directory = /var/opt/samba/locks.
• init logon delay (G) This parameter specifies the delay in milliseconds for the configured hosts for the initial samlogon parameter with init logon delayed hosts. The default setting for this parameter is init logon delay = 100. • kerberos method (G) This parameter specifies how Kerberos tickets are verified. You can use the following values for the kerberos method (G) parameter: secrets only Use secrets.tdb for ticket verification. system keytab Use system keytab for ticket verification.
• state directory (G) This parameter specifies the directory location where the TDB files containing persistent data are stored. The default setting for this parameter is state directory = /var/opt/samba/locks.
• smb encrypt (S) This parameter specifies whether the remote client should use SMB encryption. Starting from Samba version 3.2 and later, SMB encryption uses the GSSAPI to encrypt and sign requests and responses in an SMB protocol stream.
Parameter Name                 Description      Default
smb2 max trans                 New              1048576
smb2 max write                 New              1048576
username map cache time        New              0
winbind max clients            New              200
create krb5 conf               New              Yes
ctdb timeout                   New              0
cups encrypt                   New              No
ldap deref                     New              Auto
ldap follow referral           New              Auto
nmbd bind explicit broadcast   New              No
idmap config * : range         New              10000-80000
idmap config * : backend       New
passdb backend                 Changed default  tdbsam
lanman auth                    Changed default  No
client lanman auth             Changed default
processes. To enable the memory-mapped access functionality, set the smb.conf use mmap parameter to yes. The default value of use mmap is yes. NOTE: To modify the value of use mmap, you must first stop all of the CIFS Server processes (smbd, nmbd and winbind daemons), modify the setting of the parameter, and then restart the CIFS Server processes. It is not safe to modify the setting of use mmap using a procedure other than the one mentioned above.
Constraints
The HP CIFS Server TDB memory map support has the following constraints:
• Do not have binaries from mixed versions of mmap and non-mmap daemons/utilities of CIFS Server in the /opt/samba/bin subdirectory.
• You must use the tdbbackup utility to back up TDB files; do not use the cp command to back up TDB files.

Overview of Kernel configuration parameters
The kernel configuration parameters maxuser, nproc, ninode, nflocks and nfile are described below.
nproc will be increased to 8,468
nfile will be increased to 15,656
ninode will be increased to 9,692
If these values turn out to be too large or too small, the individual kernel parameters can be adjusted as described below.
2. Configuring nproc, nfile and ninode.
13 Tool reference
This chapter describes tools for management of the Samba user and group account database. It includes the following topics:
• “HP CIFS management tools” (page 162)
• “LDAP directory management tools” (page 172)

HP CIFS management tools
Several HP CIFS Server tools are available for management of CIFS user data stored in the smbpasswd file or in a Netscape/Red Hat Directory Server database.
If the POSIX user does not already exist in the LDAP directory server, you must first add the POSIX user entry with the LDAP directory tools (such as ldapmodify). The ldapmodify tool can be used to add, modify or delete a POSIX user in an LDAP directory server. For more information on how to add POSIX user accounts to the LDAP directory server, see the “Creating Samba users in the directory” (page 97) section in Chapter 6, “LDAP Integration Support”.
need to be manually updated as well. The password is entered on the command line.
-W    Changes the LDAP directory manager password. With the -W option, the user is prompted for the password. The password is entered using stdin, so the clear-text password never appears on the command line.
-x    Specifies that the [username] that follows should be deleted from the configured passdb backend.
username    Specifies the user name for all of the root-only options to operate on.
Pdbedit
You can use the pdbedit tool to manage the Samba user accounts stored in the SAM database (the database of Samba users). You must be logged in as the root user to run this tool. The pdbedit tool can be used to perform the following operations:
• Add, remove or modify user accounts.
• List user accounts.
• Migrate user accounts.
• Migrate group accounts.
• Manage account policies.
• Manage domain access policy settings.
-D, --drive=ARG    Specifies the Windows drive letter to be used to map the home directory. This option can be used while adding or modifying a user account.
-S, --script=ARG    Sets the user's logon script path. This option can be used while adding or modifying a user account.
-P, --profile=ARG    Specifies the user's profile directory. This option can be used while adding or modifying a user account.
-I, --domain=ARG    Specifies the user's domain name.
time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt.
-C, --value=ARG    Sets an account policy to a specified value. This option may only be used in conjunction with the -P option.
-c, --account-control=ARG    Specifies the user's account control property. This option can be used while adding or modifying a user account.
$ pdbedit -?
Run the following command to create a Samba account for the user cifsuser1 in the group cifsgrp with the home directory /home/cifsuser1. The pdbedit tool will prompt for an initial user password.
$ pdbedit -a cifsuser1 -g cifsgrp -h /home/cifsuser1
Run the following command to delete the Samba account for the user cifsuser2:
$ pdbedit -x cifsuser2

net
This tool is used for administration of Samba and remote CIFS servers.
password that has already been stored in a Windows Active Directory. Do not use this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) is also used. There will be no command prompt; whatever is input on stdin is stored as the literal machine password. Use this command with care, because it will overwrite a legitimate machine password without warning.
net status    Displays the machine account status of the local server.
-n or --myname=    Specifies the NetBIOS name. This option allows you to override the NetBIOS name that Samba uses. The command-line setting takes precedence over parameter settings in the smb.conf file.
-U or --user=    Specifies the user name.
-s or --configfile=    Specifies an alternative path name for the Samba configuration file.
-l or --long    Displays full information on each item when listing data.
-V or --version    Prints Samba version information.
-I, --WINS-by-ip    Queries winbindd to send a node status request to get the NetBIOS name associated with the IP address specified by the ip parameter.
-n, --name-to-sid    Queries winbindd for the Windows SID associated with the specified name.
-s, --sid-to-name    Resolves a Windows SID to a name. This is the inverse of the -n option. The Windows SID must be specified as an ASCII string in the traditional Microsoft format.
--usage    Displays brief usage messages.
For detailed information on how to use this tool, refer to the /opt/samba/man/man1/wbinfo.1 file.
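The -s option above expects a SID in Microsoft's S-1-<authority>-<sub-authority>... string form. The Python below is an added example, not code from the HP CIFS Server documentation or from Samba: it validates that form before a SID is handed to a resolver such as wbinfo, converts between the string form and the binary layout used on the wire and in security descriptors (revision byte, sub-authority count, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities), and splits a SID into its domain part and relative identifier. All SID values used are constructed, not taken from a real domain.

```python
"""Validate and convert Windows SIDs in the S-1-<authority>-<sub>... string form.

Added example, not code from the HP CIFS Server documentation or from Samba.
The SID values used in tests and comments are constructed.
"""
import struct

MAX_SUB_AUTHORITIES = 15          # limit imposed by the SID structure
MAX_AUTHORITY = (1 << 48) - 1     # identifier authority is a 48-bit value


def parse_sid(text):
    """Return (revision, authority, sub_authorities) or raise ValueError."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("SID must start with S-<revision>-<authority>")
    # isascii() + isdigit() rejects '', signs, spaces and non-ASCII digits
    if not all(p.isascii() and p.isdigit() for p in parts[1:]):
        raise ValueError("SID components must be decimal numbers")
    revision, authority = int(parts[1]), int(parts[2])
    subs = tuple(int(p) for p in parts[3:])
    if revision != 1:
        raise ValueError("only SID revision 1 is defined")
    if authority > MAX_AUTHORITY:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("too many sub-authorities")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority exceeds 32 bits")
    return revision, authority, subs


def is_valid_sid(text):
    """True if text is a well-formed SID string; never raises."""
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def sid_to_bytes(text):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then each sub-authority as a little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(text)
    header = struct.pack(">BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(data):
    """Inverse of sid_to_bytes; checks the length against the count byte."""
    if len(data) < 8:
        raise ValueError("binary SID too short")
    revision, count = data[0], data[1]
    if count > MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def canonical(text):
    """Normalised string form (drops leading zeros in components, for example)."""
    return bytes_to_sid(sid_to_bytes(text))


def split_rid(text):
    """Split an account SID into (domain SID, relative identifier)."""
    revision, authority, subs = parse_sid(text)
    if not subs:
        raise ValueError("SID has no relative identifier")
    domain = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs[:-1])
    return domain, subs[-1]


def in_domain(sid, domain_sid):
    """True if sid is an account directly under domain_sid (same prefix, one more sub-authority)."""
    return split_rid(sid)[0] == canonical(domain_sid)
```

Validating first means a malformed or oversized string is rejected locally with a clear error instead of being passed on to a resolver; the binary round trip is the same layout used when a SID appears inside an NT security descriptor.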
ldapmodify
You use the ldapmodify command-line utility to add, delete or modify POSIX user entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file.
Syntax
ldapmodify [optional_options]
where
optional_options    Specifies a series of command-line options.
Syntax
ldapsearch -b basedn [optional_options] [filter] [optional_list_of_attributes]
where
filter    Specifies an LDAP search filter. Do not specify a search filter if you supply search filters in a file using the -f option.
optional_options    Specifies a series of command-line options. These must be specified before the search filter, if used.
optional_list_of_attributes    Space-separated attributes that reduce the scope of the attributes returned in the search results.
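ldapmodify consumes LDIF update statements and ldapsearch takes a filter on the command line; both have encoding rules that matter when part of the input comes from elsewhere (a user name containing a filter metacharacter, a gecos field with non-ASCII text). The following Python is an added example serving both the ldapmodify and the ldapsearch sections; it is not code from the HP CIFS Server documentation or from the LDAP tools. It builds an LDIF add record for a POSIX user, base64-encoding values that LDIF does not allow in clear and folding long lines as RFC 2849 describes, and escapes a value for use inside an LDAP search filter per RFC 4515 so that characters such as * and ) cannot widen the search. The base DN and user attributes are constructed sample values; the posixAccount and account object classes are standard LDAP schema, not something the page specifies.

```python
"""Build LDIF for ldapmodify and escape values for ldapsearch filters.

Added example; not code from the HP CIFS Server documentation. The base DN
and user attributes used below are constructed sample values.
"""
import base64

LDIF_WIDTH = 76   # RFC 2849 folds lines longer than 76 characters


def needs_base64(value):
    """LDIF rules: a clear value must be ASCII, must not start with space, ':' or '<',
    must not end with a space and must not contain NUL, CR or LF."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


def fold(line):
    """Fold a logical LDIF line; continuation lines begin with exactly one space."""
    out, rest = [line[:LDIF_WIDTH]], line[LDIF_WIDTH:]
    while rest:
        out.append(" " + rest[:LDIF_WIDTH - 1])
        rest = rest[LDIF_WIDTH - 1:]
    return "\n".join(out)


def ldif_attr(name, value):
    """One attribute line, base64-encoded ('::') when the value is not LDIF-safe."""
    value = str(value)
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = "%s:: %s" % (name, encoded)
    else:
        line = "%s: %s" % (name, value)
    return fold(line) + "\n"


def posix_user_ldif(uid, uid_number, gid_number, home, base_dn,
                    shell="/bin/sh", gecos=None):
    """LDIF 'add' record for a posixAccount entry, suitable for ldapmodify -f.
    The uid is placed in the DN as-is; DN special characters (',' '+' '=' etc.)
    would additionally need RFC 4514 escaping, which this example does not cover."""
    attrs = [
        ("objectClass", "top"), ("objectClass", "account"), ("objectClass", "posixAccount"),
        ("cn", uid), ("uid", uid), ("uidNumber", uid_number), ("gidNumber", gid_number),
        ("homeDirectory", home), ("loginShell", shell),
    ]
    if gecos is not None:
        attrs.append(("gecos", gecos))
    record = ldif_attr("dn", "uid=%s,%s" % (uid, base_dn)) + "changetype: add\n"
    return record + "".join(ldif_attr(n, v) for n, v in attrs)


def escape_filter(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    '*', '(', ')', '\\', NUL and every non-ASCII byte become \\XX hex escapes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 127:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def user_filter(uid):
    """ldapsearch filter that matches a single posixAccount by uid, safely."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter(uid)


if __name__ == "__main__":
    print(posix_user_ldif("cifsuser1", 1001, 1001, "/home/cifsuser1",
                          "ou=People,dc=example,dc=com", gecos="Jürgen Example"))
    print(user_filter("x)(uid=*"))
```

Writing the record to a file and passing it to ldapmodify with the -f option is the path this chapter describes; the filter helper is what you would use before interpolating a user-supplied name into an ldapsearch command line.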
Syntax
ldapdelete [optional_options]
where
optional_options    Specifies a series of command-line options.
ldapdelete options
This section lists the most commonly used ldapdelete options.
-D    Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries.
-h    Specifies the name of the host on which the Directory Server is running.
Glossary
A
ACL    Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support, and different file systems define different access rights.
P
Public Key    An encryption method by which two users exchange data securely, but in one direction only. A user who has a private key creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data.
Public Key Infrastructure    Method of managing public key encryption.
Index
Symbols
/etc/nsswitch.conf, 88, 133
/etc/nsswitch.ldap, 88
/etc/pam.conf, 133
A
Access Control Lists, 35
  VxFS, 35
ACLs. See Access Control Lists, 35
adding ACE entries, 39
B
boot, 85
C
Change Notify, 33
CIFS protocol, 13
Common Internet File System.
I
installation, 85
  summary, 84
installing
  overview, 20
K
L
ldapdelete program, 174
ldapmodify program, 173
ldapsearch program, 173
swinstall, 85
T
tools
  ldapdelete, 174
  ldapmodify, 173
  ldapsearch, 173
TTL, profile, 88, 108, 138
U
UNIX
  file owner, 35
  other permission, 35
  owning group, 35
  permissions, 35
V
VxFS POSIX ACL File Permission Superset, 38
W
white paper, directory configuration, 84
Windows
  ACLs, 35
  directory translations, 36
www.docs.hp.com, 19
www.software.hp.