HP CIFS Server Administrator Guide Version A.02.04.04 (5070-6710, October 2011)

Windows and UNIX inter-operability including sharing identity credentials. IMU and SFU
download and technical papers are available from Microsoft’s TechNet at the following web
site:
http://technet.microsoft.com
SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2),
so no download is necessary for this version.
There are two approaches to integrate HP-UX account management and authentication with
Windows IMU and SFU:
NIS
One of the SFU tools, Server for NIS, enables Windows to serve as a NIS server. Windows
Active Directory Server (ADS) stores user account and group information including SID,
UID, and GID in the Windows ADS schema.
LDAP
When using LDAP-UX Client Services, HP-UX uses Windows ADS directly. SID, UID, and
GID information is stored as attributes of a user account in the Windows ADS schema.
With IMU and SFU, HP CIFS Server can access both Windows and UNIX identity information
from the Windows Domain Controller.
For more information on configuring HP CIFS Server for Unified Login, see Integrate Logins
with HP CIFS Server, HP-UX, and Windows 2003R2 at:
http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf
HP CIFS Deployment Model Consideration
When winbind is desired, consider how your environment best fits into the following HP
CIFS deployment models. See Chapter 9 (page 113) for detailed information on HP CIFS
deployment models.
Samba Domain Model
A Samba Domain consists of HP CIFS Servers and no Windows Domain Controllers. The
Samba Domain deployment may benefit from the use of winbind when the domain trusts
other domains. Rather than managing local UNIX users for corresponding Windows/Samba
users for all trusted domains, winbind can be used to generate the UIDs and GIDs required
for the trusted domains. When multiple domains are involved, HP suggests that you configure
winbind with LDAP to use the sambaUnixIDPool identity allocation algorithm.
UNIX user requirements are likely to drive management of users in Samba Domain deployments.
HP recommends that you use the syncsmbpasswd script to generate Samba user entries
based on the existing UNIX user entries. See the syncsmbpasswd man page for more
information. Note that the name "syncsmbpasswd" originates from the name of the password
file. This tool only creates Samba user entries; it is not possible to translate UNIX passwords
into Samba passwords. Winbind bases its mappings on existing Windows/Samba identities
rather than existing UNIX users, so it may be of little use in many Samba Domains.
Domain member servers may use winbind to minimize management of all domain users.
However, HP CIFS Primary Domain Controllers may only make use of winbind to minimize
management of trusted domain users.
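The following is an added example, not code from HP or Samba. It illustrates why a shared ID pool in LDAP suits the multi-domain case above: several servers mapping trusted-domain users draw UIDs from one counter and never hand out the same UID twice. The in-memory PoolEntry class, the ID range, the SID-like labels, and the delete-old/add-new update pattern are assumptions made for the illustration.

```python
import threading

LOW, HIGH = 10000, 19999          # constructed ID range for the example

class PoolEntry:
    """In-memory stand-in for the shared directory entry holding the next free UID."""
    def __init__(self, next_uid):
        self._lock = threading.Lock()   # models the directory applying one modify atomically
        self._next_uid = next_uid

    def read(self):
        return self._next_uid

    def modify(self, delete_value, add_value):
        """Replace delete_value with add_value; fail if another server got there first."""
        with self._lock:
            if self._next_uid != delete_value:
                return False
            self._next_uid = add_value
            return True

def allocate_uid(pool):
    """Claim one UID from the shared pool, retrying when another server wins the race."""
    while True:
        current = pool.read()
        if not LOW <= current <= HIGH:
            raise RuntimeError("UID range exhausted")
        if pool.modify(current, current + 1):
            return current

def simulate(servers=4, users_per_server=25, start=LOW):
    """Each 'server' maps its own trusted-domain SIDs; returns (sid -> uid map, pool)."""
    pool, mapping = PoolEntry(start), {}
    def worker(server_id):
        for n in range(users_per_server):
            sid = f"S-1-5-21-{server_id}-{1000 + n}"   # constructed SID-like label
            mapping[sid] = allocate_uid(pool)
    threads = [threading.Thread(target=worker, args=(i,)) for i in range(servers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return mapping, pool

if __name__ == "__main__":
    mapping, pool = simulate()
    print(len(mapping), "SIDs mapped,", len(set(mapping.values())), "distinct UIDs")
```

If each server kept its own local counter instead, two servers could assign the same UID to different domain users, and file ownership on shared storage would no longer identify a single account.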
Windows Domain Model
In the Windows Domain deployment, the Windows NT or ADS Domain Controller does not utilize
Windows Services for UNIX (SFU) to maintain UNIX UID and GID data. HP CIFS Servers
participate as member servers and may benefit from the use of winbind to create the local
UNIX UIDs and GIDs required to correspond to Windows identities or when other domains
are trusted. Even when a Windows Domain Controller provides primary domain authentication,
HP CIFS member servers would benefit from the use of an LDAP directory server, so winbind