HP CIFS Server Administrator's Guide Version A.03.01.01 (5900-1282, May 2011)

5 Windows 2003 and Windows 2008 Domains
Introduction
This chapter describes the process for joining an HP CIFS Server to a Windows 2003 or Windows
2008 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain
Member Server” (page 57) in Chapter 4, "NT Style Domains".
By default, Windows 2003 and Windows 2008 Servers use the Kerberos authentication protocol for increased security. Joining an HP CIFS Server to a Windows 2003 or Windows 2008 ADS domain as a Member Server lets the HP CIFS Server take part in that Kerberos authentication as well. The HP-UX Kerberos Client software and the LDAP-UX Integration software are required for HP CIFS Server to act as a Windows 2003 or Windows 2008 ADS domain member.
The rest of this chapter gives the procedure for joining an HP CIFS Server to a Windows 2003 or Windows 2008 ADS Domain. For detailed information about Kerberos, see “Kerberos Support” (page 110) and the white paper "HP CIFS Server and Kerberos", available at the following web site:
http://docs.hp.com/en/netcom.html#CIFS%20%28Common%20Internet%20File%20System%29
For detailed information about LDAP, see “LDAP Integration Support” (page 78).
HP CIFS and Other HP-UX Kerberos Applications Co-existence
Because the HP CIFS Server stores the Kerberos secret key for its machine account in /var/opt/samba/private/secrets.tdb by default, the standard CIFS Kerberos configuration can be used only by HP CIFS Server users. If other HP-UX applications hold a key for the same account in the /etc/krb5.keytab file, the two stores drift apart: whenever one of them is re-keyed, the other still holds the previous key version, and whichever side has the older key fails to authenticate. Which side fails therefore depends on which key is the latest. In addition, HP-UX Internet Services users cannot use the system Kerberos libraries to access system resources, because the Internet Services (IS) suite is built against its own Kerberos library set, delivered with the Internet Services product, and that set does not match the system libraries.
If you want other products on your network to use Kerberos alongside HP CIFS Server, you can generate an /etc/krb5.keytab file from the HP CIFS Server and configure HP CIFS Server to read its secret key from /etc/krb5.keytab instead of from /var/opt/samba/private/secrets.tdb. With a single shared key store there is only one key version to keep current, which gives Kerberos interoperability between HP CIFS Server users and HP-UX Internet Services users. See “Kerberos Support” (page 110) for the configuration steps.
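The failure mode above is a key-version (kvno) mismatch for the same machine account held in two stores. The following is an added example, not code from the HP CIFS Server guide or from HP: it implements a minimal reader and writer for the MIT keytab file format (version 0x0502) so that it runs offline, constructs two keytabs for one machine account in which the key versions have drifted, and reports the principals affected. The principal names, realm, key bytes and timestamps are constructed sample data, and the example assumes the CIFS-side key has been exported to a keytab first; secrets.tdb itself is a TDB database, not a keytab, and is not parsed here.

```python
"""Detect key-version (kvno) drift between two Kerberos keytabs.

Added example, not from the HP CIFS Server guide. Implements just enough of
the MIT keytab format (magic 0x0502, big-endian fields) to build and parse
keytabs in memory. In a real check the two inputs would be /etc/krb5.keytab
and a keytab exported from the CIFS secret-key store.
"""
import struct

KEYTAB_MAGIC = b"\x05\x02"      # MIT keytab format version 2
ENCTYPE_ARCFOUR_HMAC = 23       # RC4-HMAC, the enctype the guide mentions
KRB5_NT_PRINCIPAL = 1           # name type for ordinary principals


def _pack_data(b):
    """Length-prefixed byte string as used for realm, components and keys."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """entries: list of (principal, kvno, enctype, key_bytes, timestamp)."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack_data(realm.encode())
        for c in comps:
            body += _pack_data(c.encode())
        # name type, timestamp, 8-bit kvno, then the keyblock
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack_data(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of dicts: principal, kvno, enctype, key, timestamp."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                             # negative size = deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                       # 32-bit kvno present
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key,
                        "timestamp": ts})
    return entries


def highest_kvno(entries):
    """Highest key version per principal, across all enctypes."""
    best = {}
    for e in entries:
        best[e["principal"]] = max(best.get(e["principal"], 0), e["kvno"])
    return best


def kvno_mismatches(keytab_a, keytab_b):
    """Principals in both keytabs whose highest kvno differs.

    Returns {principal: (kvno_in_a, kvno_in_b)}. A non-empty result is the
    key-mismatch condition: the store with the lower kvno holds a stale key.
    """
    a = highest_kvno(parse_keytab(keytab_a))
    b = highest_kvno(parse_keytab(keytab_b))
    return {p: (a[p], b[p]) for p in a if p in b and a[p] != b[p]}


# Constructed sample data: one machine account keyed at two different times.
# Key bytes are dummy values, not derived from any password.
HOST = "host/hpux1.example.com@EXAMPLE.COM"
CIFS = "cifs/hpux1.example.com@EXAMPLE.COM"
SYSTEM_KEYTAB = build_keytab([
    (HOST, 3, ENCTYPE_ARCFOUR_HMAC, bytes(range(16)), 1300000000),
    (CIFS, 3, ENCTYPE_ARCFOUR_HMAC, bytes(range(16)), 1300000000),
])
CIFS_EXPORTED_KEYTAB = build_keytab([
    (HOST, 4, ENCTYPE_ARCFOUR_HMAC, bytes(range(16, 32)), 1300086400),
    (CIFS, 4, ENCTYPE_ARCFOUR_HMAC, bytes(range(16, 32)), 1300086400),
])

if __name__ == "__main__":
    drift = kvno_mismatches(SYSTEM_KEYTAB, CIFS_EXPORTED_KEYTAB)
    for p, (old, new) in sorted(drift.items()):
        print(f"{p}: kvno {old} in system keytab, {new} in CIFS keytab")
```

To run this against real files, replace the two constructed byte strings with the contents of /etc/krb5.keytab and of a keytab exported from the CIFS server; the parser ignores deleted (negative-size) slots and honours the 32-bit kvno field when a keytab writer has filled it in.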
HP-UX Kerberos Client Software and LDAP Integration Software Dependencies
Kerberos v5 Client D.1.6.2 or later for HP-UX 11i v2 is required to support HP CIFS Server integration with a Windows 2003 ADS Domain Controller (DC). Kerberos Client version 1.0 was originally bundled on HP-UX 11i v2.
The HP-UX Kerberos Client software dependencies are:
• Kerberos v5 Client D.1.6.2 or later for HP-UX 11i v2 is required for keytab file support.
• Kerberos v5 Client D.1.6.2 or later for HP-UX 11i v2 is required for RC4-HMAC encryption type support.
• Kerberos v5 Client D.1.6.2 requires Service Pack 1 on Windows 2003.
You can download the Kerberos v5 Client (KRB5CLIENT) product from the following Software Depot web site:
http://www.hp.com/go/softwaredepot
Enter KRB5CLIENT in the search field.