Chapter 20 CIFS HP-UX Handbook Revision 13.
Chapter 20 CIFS October 29, 2013 TERMS OF USE AND LEGAL RESTRICTIONS FOR THE HP-UX RECOVERY HANDBOOK ATTENTION: PLEASE READ THESE TERMS CAREFULLY BEFORE USING THE HP-UX HANDBOOK. USING THESE MATERIALS INDICATES THAT YOU ACCEPT THESE TERMS. IF YOU DO NOT ACCEPT THESE TERMS, DO NOT USE THE HP-UX HANDBOOK. THE HP-UX HANDBOOK HAS BEEN COMPILED FROM THE NOTES OF HP ENGINEERS AND CONTAINS HP CONFIDENTIAL INFORMATION.
TABLE OF CONTENTS
Introduction
  Software
  Documentation
  Differences between HP CIFS and Samba
  Release Differences
  Downl
  Daemons
  Start and configuration commands
  Troubleshooting commands
  Relevant directories
Additional Information
This chapter introduces the ability of HP-UX to communicate in heterogeneous networks with MS Windows computers (Windows NT, Windows 2000, Windows XP, Windows 2003 and Windows 2008). Several products enable data exchange in mixed environments: there was Advanced Server for Unix (ASU), which is obsolete for HP-UX but still alive on Tru64 Unix. There is Samba (from samba.org) and the HP CIFS bundle.
smbmount (from the Samba product suite). Cifsclient offers more options than smbmount, e.g. the ability to validate users against the Windows computer that offered the share, even with Kerberos authentication, and it behaves differently. The HP CIFS Product Suite includes an NTLM PAM module to authenticate UNIX users against a Windows Domain Controller by NTLM authentication. (http://www.software.hp.com/portal/swdepot/displayProductInfo.
delayed. Security fixes will be backported to HP CIFS Server as soon as possible in order to maintain a stable product. Samba offers many more compile options and thus a large variety of uses, which makes it difficult to support. The compile options that are used for HP CIFS Server can be seen in /opt/samba_src/samba/source/configure_hp_options.sh. HP also provides the compiled Samba binaries for HP-UX on http://www.samba.org (External) for the latest Samba version.
Samba-3 By Example / practical experience to successful deployment (John H. Terpstra; Prentice Hall PTR; Bk&CD-Rom edition (March 29, 2004) ISBN: 0131472216)
Both books are under GPL, so you can download them as PDF from samba.org: "The Official Samba-3 HOWTO and Reference Guide" and "Samba-3 by Example". The HOWTO collection in particular is available in other languages, for example German: http://gertranssmb3.berlios.de/Samba-HOWTO-Sammlung.
# must be yes for current Windows versions
encrypt passwords = yes
# if Kerberos should be used, choose ads
security = ads
# ADS domain name
workgroup = gel2000
# the same realm that your ADS is, and which is in /etc/krb5.
realm = GEL2000.GRC.HP.COM
netbios name = picard
server string = CIFS Server 3
password server = grcdg227, *
wins server = 15.140.145.16
name resolve order = wins bcast
kerberos_kinit_password administrator@GEL2000.GRC.HP.COM failed: Cannot find KDC for requested realm
[2004/11/19 11:31:43, 0] utils/net_ads.c:ads_startup(183)
  ads_connect: Cannot find KDC for requested realm
Check the configuration of the /etc/krb5.conf file. It must match the realm and password server in smb.conf. Check name resolution and the network connection to the KDC. You can also use the command:
# kinit Administrator@GEL2000.GRC.HP.
There is one smbd for rdoelker, which is from a mapped drive, and another one which is from entering the UNC path \\hprtdu96\kunden into the run line of the Windows client. Each time, an IPC$ share is connected too.
Kernel
The system requirements did not change much since CIFS A.01.08 (see table in “System requirements for Samba 2.2 on HP-UX 11.0 for PA-Risc”). There might be some changes if you are running on the HP-UX 11.23 September04 release.
server signing
server signing is another global parameter which offers [auto|mandatory|disable]. Auto (default) will offer SMB signing but not enforce it. With mandatory, SMB signing is required; this will exclude connections to older Windows Servers. SMB signing is a feature which started approximately with Windows 2000 SP3. The same values exist for the communication with the clients: client schannel and client signing.
and cannot be unmounted, the only way to get rid of the mountpoint is a reboot. It is the same as with NFS.
General commands
Generally all commands print a short help if you start them with the argument "-?" or "-h".
cifsclient {start|stop|restart|ver|force_umount}: cifsclient starts and stops the daemon. Starting cifsclient returns a process ID. Stopping cifsclient unmounts all CIFS mounts while stopping the daemon.
Share: \\NTSERV\PUBLIC rw /cifs_mnt
cifslist is a command to view which shares and servers are connected and which user is logged in. Users normally need to validate against the NT server by using the cifslogin command to be able to access the share.
cifslogout: A user needs to use cifslogout to end his session with a dedicated server. The "-a" option logs the user out from all their current sessions.
HP CIFS Client and WAN
Some configurations require special settings. We noted that when using cifsclient connections over a wide area network (e.g. an ISDN router), you might have to adapt some of the parameters in /etc/opt/cifsclient/cifsclient.
usable by the system.
Debugging
To enable enhanced logging you need to edit /etc/opt/cifsclient/cifsclient.cfg. Remove the slashes before the statement you want to get more information about. The changes become active as soon as you close the file. A restart of the cifsclient is not needed. Log files are found in /var/opt/cifsclient/debug; the naming convention is cifsclient-log.pid.
# The following section defines the logging verbosity.
Info
Command        Options                 Comment
cifsclientd    ver                     Get version information from cifsclientd

Daemons
Daemons        Options                 Comment
cifsclientd    {stop|start|restart}    Start, stop or restart the main daemon
               force_umount            Umount a hanging mountpoint after cifsclient is shut down

Start commands
Startup Commands               Options    Comment
/sbin/init.d/cifsclient
/etc/rc.config.d/cifsclient
/sbin/rc2.d/S900cifsclient
/sbin/rc1.
basic configuration: Proceeding with samba_setup... You now must choose a role for your server.
information) and any BDC (Backup Domain Controller) features are currently not implemented. So the Samba PDC is not able to synchronize with any native NT-BDC which means BDCs are currently not supported in a Samba domain. Because of this, if the PDC fails, there is no way for Windows clients to authenticate to the domain. And, if a disk fails on the PDC, there is no backup on the domain with the critical credential data.
Samba can be a workgroup server
A workgroup server is a server in an environment with several Windows clients and servers which are not centrally administered. Samba can act as a workgroup server with three different security levels:
security = share
This security level is hard to understand, as any valid password by any user to any share can be used. HP does not recommend this security level.
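A quick check of the [global] parameters this chapter singles out (security, encrypt passwords and server signing), added here as an example and not part of the handbook or of HP CIFS. The function name audit_smb_conf, the finding texts and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the handbook: check the [global] parameters this
# chapter discusses. Reads an smb.conf on stdin, prints one finding per line.
audit_smb_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }            # comments, blank lines
    /^[ \t]*\[/ { sect = tolower(trim($0)); next }  # section header
    sect == "[global]" {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        gsub(/[ \t]+/, " ", key)                    # normalise spacing in the name
        val[key] = tolower(trim(substr($0, eq + 1)))
        seen[key] = 1
    }
    END {
        if (val["security"] == "share")
            print "FAIL security = share (not recommended)"
        if (val["encrypt passwords"] ~ /^(no|false|0)$/)
            print "FAIL encrypt passwords is off"
        if (!seen["server signing"])
            print "WARN server signing not set explicitly"
        else if (val["server signing"] ~ /^disable/)
            print "FAIL server signing disabled"
        else if (val["server signing"] == "auto")
            print "WARN server signing = auto (offered, not enforced)"
        else if (val["server signing"] != "mandatory")
            print "WARN server signing has unexpected value"
    }'
}

# Constructed sample configuration (not taken from the handbook).
audit_smb_conf <<'EOF'
[global]
   workgroup = EXAMPLE
   security = share
   encrypt passwords = no
   server signing = auto
[public]
   path = /tmp
   security = user
EOF
```

Only the [global] section is evaluated, so the security line under [public] in the sample does not affect the result.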
you need to authenticate as root.
Useful share configuration parameters
strict allocate
This is a boolean that controls the handling of disk space allocation in the server. When this is set to yes the server will change from UNIX behaviour of not committing real disk storage blocks when a file is extended to the Windows behaviour of actually forcing the disk system to allocate real storage blocks when a file is created or extended to be a given size.
We have often found that applications such as MS Outlook and SAP printing have problems if oplocks is set to yes. At least as a test we recommend setting it to no:
oplocks = no
General user validation
Sometimes it is important to have a good insight into what happens if a user “maps a network drive” on his Windows client or just enters a UNC path in the run command line of the start menu like \\sambasrv.
[Figure: flowchart of user validation with Samba 2.2.8a and security = domain. Recoverable labels: Windows-Client (PC), Win-User password, Session-Setup, Windows Domain Controller ("User and password correct?"), /var/opt/samba/private/smbpasswd ("smbpasswd entry ok?"), Tree-Connect, decline.]
/etc/passwd file and machine account entries in the /var/opt/samba/private/smbpasswd file. The following are the steps to create a machine account for a Windows client on an HP CIFS Server acting as a PDC: create a new group called "machines" in the /etc/group file, then create the machine trust account for a Windows client in the /etc/passwd file.
groupadd machines
Create the machine trust account for a Windows client in the /etc/passwd file.
and realname "Domain guest":
useradd -g guest -c "Domain Guest" -s /usr/bin/sh domguest
Create a user that will be the admin user, which needs to have UNIX ID "0" to create computer accounts etc.:
useradd -g sys -c "Samba Admin" -s /sbin/sh -d /home/sambaadm -s /bin/false sambaadm
You will have to change the uid manually to "0" in /etc/passwd.
Printer driver upload within Samba
To configure printers and uploadable printer drivers for HP CIFS Server, first create a [printers] share to provide the printers known by the server (e.g. via lpstat). Be sure the path is valid and accessible. To configure a [printers] share, edit the /etc/opt/samba/smb.
architectures, we need to create subdirectories under the [print$] share that correspond to each of the supported client architectures. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported:
cd /etc/opt/samba/printers
mkdir W32X86
mkdir Win40
The driver files will be stored in the /etc/opt/samba/printers/W32X86/2 subdirectory for the Windows NT/2000 client or W32X86/3 for WinXP clients.
will need to use the rpcclient command to announce the driver to the printer.
root@hprtdu96:>rpcclient hprtdu96 -U ntadmin%password -c enumprinters
cmd = enumprinters
flags:[0x800000]
name:[\\hprtdu96\grcdg101]
description:[\\hprtdu96\grcdg101,,BW/Laser 5si ground floor]
comment:[BW/Laser 5si ground floor]
You can look up the correct name for the driver by choosing it from the APW (Add Printer Wizard) as if you were installing it locally.
IP address switched, all the traffic that was going to the failed node now goes to the other active node. The key is to have a CIFS Server configured to look and act just like the CIFS Server that was running on the original node. The /opt/samba/HA/README.txt file provides the smb.conf parameters that need to be configured and the detailed instructions for completing the MC/SG configuration for CIFS.
# /opt/samba/bin/smbstatus
Samba version 2.2.12
Service      uid        gid      pid    machine
----------------------------------------------
trainings    rdoelker   users    383    fish (15.139.20.64) Tue Apr 1 17:11:23 2003
IPC$         rdoelker   users    383    fish (15.139.20.64) Tue Apr 1 10:36:55 2003
So in this example the process for client "fish" is 383.
enabled as described above, and it might be worth seeing as whom you are connected; therefore the include file is the best option, especially for CIFS servers that handle connections. Empty the logfile and connect to the share. Make a copy of the log while it was connecting. Prepare everything to reproduce the error. Empty the logfile again. Reproduce the error and make another copy of the logfile which has captured the error.
are dynamically elected by the kind of OS they run. A Windows domain controller is often the DMB as well. Some parameters which influence an election are:
domain master       specifies if this nmbd will take part in an election to become a DMB
local master        specifies if this nmbd will take part in an election to become a LMB
preferred master    specifies if nmbd will force an election upon its startup
os level            specifies a value of the OS in order to win an election (e.g.
verify additionally that this DMB is also a WINS server:
telnet grcdg226 42
Trying...
Connected to grcdg226.grc.hp.com.
Escape character is '^]'.
(stop with +)
To retrieve a list of master browsers on the subnet you can use:
nmblookup -M
querying __MSBROWSE__ on 15.140.15.255
15.140.10.224 __MSBROWSE__<01>
15.140.11.132 __MSBROWSE__<01>
...
list computers and services in a domain:
root@hprtdu96:>nmblookup -T -S gel2000
querying gel2000 on 15.140.15.
16th byte of a NetBIOS packet.
and hard links, UID/GID, etc. HP CIFS Server supports viewing and changing both UNIX file permissions and VxFS (JFS) POSIX ACLs from Windows clients. This is done through the standard Windows Explorer interface as if changing NTFS permissions (Windows ACLs). ACL support is not an emulation of native NTFS (like it was with Advanced Server for Unix), but it allows access to UNIX ACLs through the Windows client.
Recommendations for kernel parameters
Requirement for each client connection
System  Version   Memory space  Swap space  nproc  nfile  nflocks
PA      A.01.05   0.789MB       1.9MB       1      7
PA      A.01.07   0.799MB       1.9MB       1      7
PA      A.01.08   1.173MB       2.0MB       1      20     10
IA      A.01.08   1.08MB        2.0MB       1      20     10
Besides the new features of CIFS-Server 2.2 (A.01.08 and later) some server requirements have changed. Each smbd now takes approx. 10 UNIX locks. CIFS-Server A.01.08 (Samba2.
here is a detailed calculation to determine how to increase nfile: increase nfile by NFILE, where NFILE only concerns the file table entries used by Samba.
limitation. ninode is the maximum number of open inodes that can be in memory; it is one of the configurable kernel parameters. It is defined as nproc+48+maxusers+(2*npty) and does not depend on any application. If the kernel parameters nproc, maxusers or npty are changed, ninode changes as well. So ninode does not need to be adapted.
CIFS server at a glance
Info commands
Info Command    Options                Comment
                -V -h -u username      View samba information.
Start and configuration commands
Startup Commands               Options            Comment
startsmb                                          Used to start nmbd and smbd. It will report if daemons are already running.
stopsmb                                           Used to stop nmbd and smbd's.
/sbin/init.d/samba             {stop|start}       Start script
/etc/rc.config.d/samba         RUN_SAMBA={0|1}    Run variable
/sbin/rc2.d/S900samba                             Samba start script for booting.
/sbin/rc1.d/K100samba
/opt/samba/bin/samba_setup
/opt/samba/bin/rpcclient
Samba.org Links
http://samba.org/samba/docs/: The best source one can get for detailed reading about Samba 2.x and for introduction is the O'Reilly book, which came out as second edition recently: www.oreilly.com (ISBN: 0-59600256-4) 1st edition Using Samba online and 2nd edition Using Samba online
http://samba.org the maintainer of Samba.