HP-UX HB v13.00 Ch-20 - CIFS

HP-UX Handbook Rev 13.00 Page 19 (of 40)
Chapter 20 CIFS
October 29, 2013
information) and any BDC (Backup Domain Controller) features are currently not implemented.
So the Samba PDC is not able to synchronize with any native NT BDC, which means BDCs are
currently not supported in a Samba domain. Because of this, if the PDC fails, there is no way for
Windows clients to authenticate to the domain. And, if a disk fails on the PDC, there is no
backup on the domain of the critical credential data. This makes it very important to make
backups of the users' credential files. It also means that there is no system that can easily be
promoted to a PDC to replace the current one.
All necessary settings will be done by samba_setup for you. For more detailed maintenance
information check the section later in this chapter.
Samba can be a domain member server
HP CIFS Server can operate in a Windows Active Directory domain as a “domain member
server.” This allows clients that want to connect to and use resources on the CIFS Server to
be authenticated based on their Windows domain account information. ver, a Windows NT
workstation, or a Windows 98 or an HP CIFS server machine. The domain member server will
contact a domain controller and request that the DC authenticate the credentials of the client
requesting access to the resource. The advantage of this is that no separate password has to be
maintained on the HP CIFS Server. Authentication is done using the Windows NTLM or
NTLMv2 authentication protocol.
To use Samba as a domain member server you need to select the following in the smb.conf file:
security = domain
Samba can be an ADS member server
HP CIFS Server can operate in a Windows Active Directory domain as an “ADS member server.”
When CIFS is configured as an ADS member server, the authentication protocol used by default
is Kerberos, as opposed to the NTLM/NTLMv2 that is used when it is configured as a domain
member server. Starting with Windows 2000 domains, Microsoft made Kerberos its default
authentication protocol. NTLM and NTLMv2 are still available for compatibility with older
clients, but Kerberos is considered more secure and is the preferred method. When a client
attempts to connect to a resource on the CIFS Server, the client's credentials are checked by
the Windows domain controller using the Kerberos protocol if available.
To use Samba as an ADS member server you need to select the following in the smb.conf file:
security = ads
Because the default authentication protocol is Kerberos, you need to have the Kerberos client
configured and functional on HP-UX. When you run the samba_setup script, it creates the
Kerberos configuration file, /etc/krb5.conf, if one does not exist. For CIFS Server to join the
Windows AD domain, the Kerberos client must be functional, which can be tested with the
‘kinit username’ command.
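Worked example for the two membership settings above (security = domain and security = ads) and the Kerberos prerequisite: the Python script below is an added example and is not part of the handbook, of HP CIFS Server or of Samba. It parses a constructed smb.conf and a constructed stand-in for /etc/krb5.conf, reports which authentication protocol the chosen mode implies, and flags missing prerequisites. The required [global] keys (workgroup, realm), the default of security = user when the key is absent, the upper-case realm convention and the check that the smb.conf realm equals the krb5.conf default_realm are assumptions of the example, not statements from the handbook.

```python
"""Classify a Samba smb.conf by its 'security' setting and check the
prerequisites for a domain member (security = domain, NTLM/NTLMv2) or an
ADS member (security = ads, Kerberos). Added example; not handbook code."""
import re

# Constructed sample configurations (not taken from the handbook).
SMB_CONF_DOMAIN = """
[global]
    workgroup = EXAMPLE
    security = domain
    ; NT-style domain member: credentials are passed through to a DC
"""

SMB_CONF_ADS = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
"""

# Constructed stand-in for the /etc/krb5.conf that samba_setup would create.
KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
"""


def parse_ini(text):
    """Minimal parser for the ini-style layout shared by smb.conf and krb5.conf.

    Whole-line comments start with '#' or ';'. Keys are normalised the way
    Samba treats them: case-insensitive, internal whitespace ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


# What each membership mode implies (from the handbook text) and which
# [global] keys it needs (assumed: 'workgroup' for both, 'realm' for ads).
MODES = {
    "domain": {"protocol": "NTLM/NTLMv2", "kerberos": False, "required": ("workgroup",)},
    "ads": {"protocol": "Kerberos", "kerberos": True, "required": ("workgroup", "realm")},
}


def check_member_config(smb_conf_text, krb5_conf_text=None):
    """Return a dict with the detected mode, protocol, a problem list and 'ok'.

    krb5_conf_text is the content of /etc/krb5.conf, or None if it is absent.
    """
    g = parse_ini(smb_conf_text).get("global", {})
    mode = g.get("security", "user").lower()  # assumed default 'user' when unset
    result = {"mode": mode, "protocol": None, "problems": []}
    spec = MODES.get(mode)
    if spec is None:
        result["problems"].append("security = %s is not a domain or ADS member setting" % mode)
        result["ok"] = False
        return result
    result["protocol"] = spec["protocol"]
    for key in spec["required"]:
        if key not in g:
            result["problems"].append("missing '%s' in [global]" % key)
    if spec["kerberos"]:
        realm = g.get("realm")
        if realm and realm != realm.upper():
            result["problems"].append("realm '%s' should be upper case (Kerberos convention)" % realm)
        if krb5_conf_text is None:
            result["problems"].append("/etc/krb5.conf missing: Kerberos client is not configured")
        else:
            default_realm = parse_ini(krb5_conf_text).get("libdefaults", {}).get("default_realm")
            if realm and default_realm != realm:
                result["problems"].append(
                    "krb5.conf default_realm %r does not match smb.conf realm %r" % (default_realm, realm))
    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for name, conf, krb in (("domain", SMB_CONF_DOMAIN, None), ("ads", SMB_CONF_ADS, KRB5_CONF)):
        print(name, check_member_config(conf, krb))
```

Run against a real host by reading /etc/opt/samba/smb.conf and /etc/krb5.conf into the two arguments; a reported problem in ADS mode is the static half of the check, and the ‘kinit username’ test from the text remains the live confirmation that the Kerberos client actually works.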