HP CIFS Server Administrator's Guide (5900-1282, April 2011)

startTLS enabled, the NetBIOS name or IP address of the Windows ADS PDC machine, and the
location of the certificate database files, cert8.db and key8.db.
The following is an example for the [Global] section of the /etc/opt/samba/smb.conf file:
[Global]
realm = MYREALM
security = ADS
password server = adsdc_server
ldap server = adsdc_server
ssl cert path = /etc/opt/ldapux
To enable startTLS with an un-encrypted port 389, set:
ldap ssl = start_tls
For more information about the smb.conf configuration parameters used in the previous example,
see “Configuration Parameters” (page 71).
Joining an HP CIFS Server to a Windows 2000, Windows 2003, and Windows 2008 Domain
HP CIFS Server only supports the following Kerberos encryption types:
DES-CBC-MD5
DES-CBC-CRC
RC4-HMAC
You must configure one of these encryption types in the /etc/krb5.conf file, as shown below.
HP recommends setting the encryption type to DES-CBC-MD5 in /etc/krb5.conf unless other
Kerberos-enabled applications on the HP server require one of the other supported encryption types.
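The smb.conf [Global] example above and the krb5.conf requirement just stated have to agree with each other: the realm must match the Kerberos default realm, and every encryption type named in krb5.conf must be one of the three the server supports. The following checker is an added example written for this guide and is not HP's code; the two embedded configuration files are constructed samples (MYREALM and adsdc_server are the page's own placeholders, the krb5.conf contents and the aes256-cts entry are assumed), and the parser is a deliberately small one that handles only flat "key = value" lines.

```python
"""Consistency checks for an HP CIFS Server ADS member configuration.

Added example (not HP's code): parses the [Global] section of smb.conf and
the [libdefaults] section of krb5.conf and reports settings that would stop
an ADS join from working as described on this page.
"""
import re

# Kerberos encryption types the page lists as supported, in krb5.conf spelling
# (arcfour-hmac and arcfour-hmac-md5 are MIT Kerberos aliases for RC4-HMAC).
SUPPORTED_ENCTYPES = {"des-cbc-md5", "des-cbc-crc", "rc4-hmac",
                      "arcfour-hmac", "arcfour-hmac-md5"}

# Constructed sample smb.conf [Global] section, modelled on the page's example.
SMB_CONF = """
[Global]
realm = MYREALM
security = ADS
password server = adsdc_server
ldap server = adsdc_server
ssl cert path = /etc/opt/ldapux
ldap ssl = start_tls
"""

# Constructed sample krb5.conf (hypothetical; the page does not show one).
# permitted_enctypes deliberately includes an unsupported type to exercise the check.
KRB5_CONF = """
[libdefaults]
default_realm = MYREALM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
permitted_enctypes = des-cbc-md5 aes256-cts

[realms]
MYREALM = {
    kdc = adsdc_server
}
"""


def parse_conf(text):
    """Parse 'key = value' lines grouped by [section].

    Good enough for smb.conf and the flat parts of krb5.conf: section names
    and keys are lower-cased, brace lines of krb5.conf [realms] blocks are
    skipped, and '#' or ';' comment lines are ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or line in ("{", "}"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            value = value.strip()
            if value == "{":  # start of a nested block such as "MYREALM = {"
                continue
            sections[current][key.strip().lower()] = value
    return sections


def check_ads_config(smb_text, krb5_text):
    """Return a list of problems found; an empty list means the files are consistent."""
    problems = []
    glob = parse_conf(smb_text).get("global", {})
    libdefaults = parse_conf(krb5_text).get("libdefaults", {})

    if glob.get("security", "").lower() != "ads":
        problems.append("smb.conf: security must be ADS for a domain member server")

    realm = glob.get("realm")
    krb_realm = libdefaults.get("default_realm", "")
    if not realm:
        problems.append("smb.conf: realm is not set")
    elif realm.upper() != krb_realm.upper():
        problems.append("smb.conf realm %r does not match krb5.conf default_realm %r"
                        % (realm, krb_realm))

    # startTLS on port 389 still needs the certificate database to verify the DC.
    if glob.get("ldap ssl", "").lower() == "start_tls" and not glob.get("ssl cert path"):
        problems.append("smb.conf: ldap ssl = start_tls needs ssl cert path for the "
                        "certificate database")

    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for enctype in libdefaults.get(key, "").split():
            if enctype.lower() not in SUPPORTED_ENCTYPES:
                problems.append("krb5.conf: %s lists %s, which HP CIFS Server does not support"
                                % (key, enctype))
    return problems


if __name__ == "__main__":
    for line in check_ads_config(SMB_CONF, KRB5_CONF) or ["configuration is consistent"]:
        print(line)
```

Run against the constructed samples it reports one problem, the aes256-cts entry in permitted_enctypes; on a real system read both files from /etc/opt/samba/smb.conf and /etc/krb5.conf and pass their contents to check_ads_config before running kinit and net ads join.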
WARNING! Do not add your machine name to the ADS Server with the Windows Server Manager.
If your machine has already been added to the ADS with the Windows Server Manager GUI, you
may simply use Windows Server Manager to delete the machine account. Then, follow the instructions
to run the "kinit" and "net ads join" commands as described below in “Step-by-step
Procedure” (page 73).
Another way to resolve this problem is to *AND* the "userAccountControl" attribute value
for the CIFS member server with the ADS_UF_USE_DES_KEY_ONLY (2097152 or 0x200000)
flag in the ADS. This can be done with the "adsiedit.msc" tool from the Windows
2000 or 2003 CD, or with the ldapmodify command.
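For the ldapmodify route, the value written back must keep every other bit of the computer account (for example the workstation trust-account bit) and only switch on ADS_UF_USE_DES_KEY_ONLY, so the new value is computed with a bitwise OR of the current attribute value and the flag. The script below is an added example, not HP's code: it takes the current userAccountControl value, reports whether the flag is already set, and emits the LDIF modify record that ldapmodify applies. The DN and the current value are constructed placeholders; the 0x1000 workstation trust-account bit is the standard Active Directory definition and is not from the page.

```python
"""Set ADS_UF_USE_DES_KEY_ONLY on a computer account's userAccountControl.

Added example (not HP's code). It computes the new attribute value from the
current one and builds the LDIF that ldapmodify would apply; the DN and the
current value used at the bottom are constructed placeholders.
"""

# userAccountControl bits used here: the first is the standard AD definition
# (assumed here, not on the page), the second is the flag this page names.
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, set on every member server account
ADS_UF_USE_DES_KEY_ONLY = 0x200000          # 2097152, the flag the page says to set


def with_des_key_only(current_uac):
    """Return userAccountControl with the DES-only bit set.

    A bitwise OR leaves every other bit of the account untouched, so the
    trust-account type and any other flags survive, and applying it to a
    value that already has the bit is a no-op.
    """
    return current_uac | ADS_UF_USE_DES_KEY_ONLY


def uses_des_key_only(uac):
    """True if the account already has ADS_UF_USE_DES_KEY_ONLY set."""
    return bool(uac & ADS_UF_USE_DES_KEY_ONLY)


def ldif_for_uac_change(dn, current_uac):
    """Build the LDIF modify record for ldapmodify.

    Returns None when the flag is already set so nothing is written to the DC.
    """
    new_uac = with_des_key_only(current_uac)
    if new_uac == current_uac:
        return None
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: %d" % new_uac,
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed values: a member server account with only the trust-account bit set.
    dn = "CN=HPCIFS1,CN=Computers,DC=myrealm,DC=example"   # placeholder DN
    current = ADS_UF_WORKSTATION_TRUST_ACCOUNT
    print("already DES-only:", uses_des_key_only(current))
    print(ldif_for_uac_change(dn, current) or "flag already set, nothing to modify")
```

Read the account's current userAccountControl with ldapsearch first, pass that integer to ldif_for_uac_change, and feed the resulting record to ldapmodify bound as an account permitted to modify the computer object; because the function returns None when the bit is already present, re-running it never rewrites the attribute.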
NOTE: If an HP CIFS Server is currently joined to the domain as a pre-Windows 2000 member
server, first remove the server from the domain before adding it to a
Windows domain as an ADS member server.
Configuration Parameters
The following is a description of the smb.conf parameters shown in “Step-by-step Procedure”
(page 73):
realm
    This string parameter specifies the name of the ADS Kerberos realm, given as the
    fully qualified domain name. It must be set to the same value as the Kerberos realm
    in krb5.conf.
ldap server
    This string parameter specifies the host name of the LDAP ADS PDC server where
    you want to store your data.
ldap ssl
    This parameter specifies the SSL/TLS support. Specify Yes to enable the SSL
    feature using the encrypted port number 636 to connect to the
Joining an HP CIFS Server to a Windows 2000, Windows 2003, and Windows 2008 Domain 71