HP CIFS Server Administrator's Guide Version A.03.01.
© Copyright 2002, 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
Contents About This Document...................................................................................10 Intended Audience..................................................................................................................10 New and Changed Documentation in This Edition......................................................................10 Typographical Conventions......................................................................................................
Other Samba Configuration Issues............................................................................................31 Translate Open-Mode Locks into HP-UX Advisory Locks...........................................................31 Performance Tuning using Change Notify..............................................................................31 Special Concerns when Using HP CIFS Server on a Network File System (NFS) or a Clustered File System (CFS)...............................................
Roaming Profiles.....................................................................................................................64 Configuring Roaming Profiles...............................................................................................64 Configuring User Logon Scripts.................................................................................................65 Running Logon Scripts When Logging On.............................................................................
Extending the Samba Subschema into Your Directory Server........................................................88 Samba Subschema Differences Between HP CIFS Server Versions.............................................88 Procedures to Extend the Samba Subschema into Your Directory..............................................88 Migrating Your data to the Directory Server...............................................................................89 Migrating All Your Files................................
Configuring krb5.keytab...................................................................................................112 9 HP CIFS Deployment Models....................................................................114 Introduction..........................................................................................................................114 Samba Domain Model..........................................................................................................
11 Configuring HA HP CIFS........................................................................138 Overview of HA HP CIFS Server.............................................................................................138 Recommended Clients......................................................................................................138 Installing Highly Available HP CIFS Server...........................................................................138 HA HP CIFS Server Installation.........
Syntax.......................................................................................................................172 ldapdelete Options......................................................................................................172 Examples...................................................................................................................172 Glossary..................................................................................................173 Index................
About This Document This document describes how to install, configure, and administer the HP CIFS Server product. It augments The Samba How To Collection and Using Samba, 2nd books supplied with the HP CIFS Server product and provides additional HP-UX endemic variations, features, and recommendations. This document, as well as previously released documents may be found online at http://www.docs.hp.com.
Table 2 Publishing History Details (continued) Document Manufacturing Part Operating Systems Number Supported Supported Product Versions Publication Date B8725-90110 11i v1, v2 and v3 A.02.03 February 2007 B8725-90103 11i v1, v2 A.02.03 August 2006 B8725-90101 11i v1, v2 A.02.02 April 2006 B8725-90093 11i v1, v2 A.02.02 October 2005 B8725-90079 11i v1, v2 A.02.01.01 February 2005 B8725-90074 11i v1, v2 A.02.01 December 2004 B8725-90063 11.0, 11i v1, v2 A.01.11.
Chapter 11 Configuring HA HP CIFS Use this chapter to understand the procedures required to configure the active-standby or active-active High Availability configuration. Chapter 12 HP-UX Configuration for HP CIFS This chapter provides guidance for configuring and optimizing the HP-UX kernel and system for use with HP CIFS. Chapter 13 Tool Reference This chapter describes tools for management of Samba user, group account database.
1 Introduction to the HP CIFS Server This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS. HP CIFS Server Description and Features The HP CIFS Server product implements many Windows Servers features on HP-UX.
Samba Open Source Software and HP CIFS Server Since the HP CIFS Server source is based on Samba open source software, it gains the advantages of the evolutionary growth and improvement efforts of Samba developers around the world. In addition, HP CIFS Server also provides the following support: • Includes Samba defect fixes and features only when they meet expectations for enterprise reliability. • Provides HP developed defect fixes and enhancement requests for HP customers.
• Samba, Integrating UNIX and Windows by John D Blair (Specialized Systems Consultants, Inc., 1998), ISBN: 1-57831-006-7. • Samba Web site: http://www.samba.org/samba/docs. When using the HP CIFS product, HP recommends that you refer to The Samba HOWTO Collection and Samba-3 by Example, shipped with the product in the /opt/samba/docs directory. The book, Using Samba, 2nd Edition, can also be found in /opt/samba/swat/using_samba.
Table 3 Documentation Roadmap (continued) HP CIFS Product Document Title: Chapter: Section Server Configuration HP CIFS Server Administrator's Guide: Chapter 2, "Installing and Configuring the HP CIFS Server" Client Configuration HP CIFS Client Administrator's Guide: Chapter 2, "Installing and Configuring the HP CIFS Client" Server deployment models HP CIFS Server supports three deployment models: Samba Domain Model, Windows Domain Model and Unified Domain Model.
Table 4 Files and Directory Description File/Directory Description /opt/samba This is the base directory for most of the HP CIFS Server product files. /opt/samba_src This is the directory that contains the source code for the HP CIFS Server (if the source bundle was installed). /opt/samba/bin This is the directory that contains the binaries for HP CIFS Server, including the daemons and utilities. /opt/samba/man This directory contains the man pages for HP CIFS Server.
2 Installing and Configuring the HP CIFS Server This chapter describes the procedures to install and configure the HP CIFS Server software.
during times of memory pressure. Other operating systems, only reserve swap space when it is needed. This results in the process not finding the swap space that it needs, in which case it has to be terminated by the OS. Each smbd process will reserve about 2 MB of swap space and depending on the type of client activity, process size may grow up to 4 MB of swap space. For a maximum of 2048 clients, 4 * 2048 or about 8 GB of swap space would be required.
To install the HP CIFS Server software from a depot file, such as those downloadable from http://www.hp.com/go/softwaredepot, enter the following at the command line: swinstall options -s /path/filename ProductNumber Where the ProductNumber is CIFS-SERVER for HP-UX 11i v3. options is -x autoreboot=true path must be an absolute path, it must start with /, for example,/tmp. filename is the name of the downloaded depot file, usually a long name of the form: CIFS-SERVER_A.03.01.02_HP-UX_B.11.31_IA_PA.
◦ administrator user name and password ◦ LDAP-UX Integration product is installed ◦ Ensure that the most recent Kerberos client product is installed For detailed information on how to join an HP CIFS Server to a Windows 2000/2003 Domain using Kerberos security, see “Windows 2003 and Windows 2008 Domains” (page 68).
Configure DOS Attribute Mapping map system, map hidden and map archive Attributes There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to owner, group, and other execute bits in the UNIX file system. When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set.
1. SWAT (Samba Administration Tool) -or- 2. Create a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example: [hpdeskjet] path = /tmp printable = yes Where "hpdeskjet" is the name of the printer to be added. Creating a [printers] share Configure a [printers] share in the /etc/opt/samba/smb.conf file.
There are two possible locations (subdirectories) for keeping driver files, depending upon what version of Windows the files are for: For Windows NT, XP, Windows 2000, Vista, or Windows 7 driver files, the files will be stored in the /etc/opt/samba/printers/W32X86 subdirectory. For Windows 9x driver files, the files will be stored in the /etc/opt/samba/printers/Win40/0 subdirectory.
browseable = yes guest ok = yes read only = yes write list = netadmin In the above example, the write list parameter specifies that administrative level user account has write access for updating files on this share. The use client driver parameter must be set toNo. 3. Configure the printer admin parameter to specify a list of domain users that are allowed to connect to an HP CIFS Server. See the following example: [global] printer admin = cifsuser1,cifsuser2 4.
Figure 1 Publishing Printer Screen Verifying that the Printer is Published On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published.
Commands Used for Publishing Printers This section describes the net ads printer command used for publishing printers support on an HP CIFS Server. Searching Printers To search a printer across the entire Windows 2000/2003 ADS domain, run the following command: $ net ads printer search Without specifying the printer name, the command searches all printers available on the ADS domain.
NOTE: HP does not recommend filesharing of the root directory. Only subdirectories under the root should be set up for filesharing. Setting Up a DFS Tree on a HP CIFS Server After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS. 1. Select a HP CIFS Server to act as the Distributed File System (DFS) root directory. 2. Configure a HP CIFS server as a DFS server by modifying the smb.
Refer to the following screen snapshot for an example: Figure 2 Link Share Names Example MC/ServiceGuard High Availability Support Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers. Template files for version A.02.02 have been revised to allow any number of cluster nodes and other advantages over previous schemes.
Run the following command to start winbind alone: /opt/samba/bin/startwinbind Run the following command to stop winbind alone: /opt/samba/bin/stopwinbind NOTE: HP does not support the inetd configuration to start the HP CIFS Server. Starting and stopping Daemons Individually Two new options -n (nmbd only) and -s (smbd only) have been added to startsmb andstopsmb scripts to start and stop the daemons individually. The startsmb -scommand starts the smbd daemon. The stopsmb -s command stops the smbd daemon.
• hosts deny • hosts equiv • preload modules • wins server • vfs objects • idmap backend Other Samba Configuration Issues Translate Open-Mode Locks into HP-UX Advisory Locks The HP CIFS Server A.02.* and A.03.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients.
able to make use of locking mechanisms when multiple systems are involved. You need to be aware of the following things when using HP CIFS Server in either an NFS or a Veritas CFS environment: • CIFS Server running simultaneously on multiple nodes should not use either NFS or Veritas CFS to concurrently share the smb.conf configuration and its subordinate CIFS system files in /var/opt/samba/locks and /var/opt/samba/private.
3 Managing HP-UX File Access Permissions from Windows NT/XP/2000/Vista/Windows 7 Introduction This chapter describes how to use Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACL) on a HP CIFS server. A new configuration option, acl_schemes, is also introduced.
For example, if a file on the UNIX file system is owned by UNIX user john and john has read and write (rw-) permissions on that file, the Windows client will display the same permissions for user john as: Special Access(RWDPO) You can also display the UNIX owner in the Windows Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.
Table 6 Windows Access Type Maps to UNIX Permission (continued) Windows access type UNIX Permission Special Access(WX) -wx Special Access(RWX) rwx Special Access r-- When mapping to UNIX file permissions from Windows, you will not be able to add new Windows ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries.
Figure 4 Windows Special Access Permissions The VxFS POSIX ACL File Permissions VxFS POSIX ACLs provide additional functionality over default UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways. • VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions. • VxFS POSIX ACLs support default Access Control Entry (ACE) for directory permissions.
Using the Windows NT Explorer GUI to Create ACLs Use the Windows Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list: • Click the add button in the File/Directory Permissions dialog box of the Windows GUI to bring up the Add Users and Groups dialog box. Figure 5 Windows Explorer File Permissions NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.
Figure 7 Windows Explorer Add Users and Groups Dialog Box • Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server. • Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local Unix groups and the users in this list.
name list, the GUI will put that name in the text list and automatically add the server name as well. • Optionally use the user name mapping feature to define a mapping of Windows user names (or domain names) to UNIX user names. For example, you could map the Windows user names administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one. Samba supports the creation of ACEs with Windows user names that are mapped to UNIX user names.
1. Right-click the file for which users and groups must be assigned, and select Properties->Security. The displayed page is as shown in Figure 9 (page 40). Figure 9 Selecting File Security 2. Click Edit. The Permissions page is displayed as shown in Figure 10 (page 40).
3. Click Add. The Select Users or Groups page is displayed as shown in Figure 11 (page 41). Figure 11 Select Users or Groups 4. Enter the user or group name that you want to add and click Check Names. The new user or group name is displayed as shown in Figure 12 (page 41).
5. Set the permissions for the new user or group and click Apply. The new user or group name and the associated permissions are displayed as shown in Figure 13 (page 42). Figure 13 New User or Group and Permissions The new user or group is configured. POSIX ACLs and Windows 2000, Windows XP, Windows Vista and Windows 7 Clients The HP CIFS Server allows Windows 2000 and Windows XP clients to view and set POSIX ACL permissions.
Table 8 UNIX Permission Maps Windows 2000/XP Client Permissions UNIX Permission Permission Shown on Windows 2000/XP Clients Basic View Advanced View r-- Read Read Attributes, Read Extended Attributes, Read Data, Read Permissions -w- Write Write Attributes Write Extended Attributes, Append Data, Write Data, Read Permissions --x None Execute or Traverse Folder, Read Attributes, Read Permissions r-x Read and Execute All Read Permissions as in the first cell Execute or Traverse Folder rw- Read,
Table 9 Windows 2000 and Windows XP Permissions Maps UNIX Permissions (continued) Windows 2000/XP UNIX Permission Write Extended Attributes (Advanced) -w- Traverse Folder / Execute File (Advanced) --x Delete Subfolders and Files (Advanced) No meaning on HP-UX Delete (Advanced) * see explanation following table Change Permissions (Advanced) * see explanation following table Take Ownership (Advanced) * see explanation following table * The Delete, Change Permissions, and Take Ownership permissio
Displaying the Owner of a File 1. 2. Click on Advanced Click on the Owner tab on the Access Control Settings dialog box HP CIFS Server Directory ACLs and Windows 2000, Windows XP, Windows Vista and Windows 7 Clients Directory ACL Types Under POSIX, directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.
Figure 14 Basic ACL View Viewing Advanced ACLs from Windows 2000 Clients 1. 2. 3.
Figure 15 Advanced ACL View Mapping Windows 2000/XP Directory Inheritance Values to POSIX Under POSIX, default ACEs can apply to both files and subdirectories.
Table 10 Mapping Table for Inheritance Values to POSIX (continued) Inheritance Value POSIX Mapping by HP CIFS Server Subfolders only This type is not supported and any ACE with this type is ignored by the HP CIFS Server. Files only This type is not supported and any ACE with this type is ignored by the HP CIFS Server. Modifying Directory ACLs From Windows 2000/XP Clients NOTE: HP-UX directory ACLs are set inconsistently using the ACL Basic permission screen from the Windows 2000 or XP client.
Figure 17 Modifying an ACE Type With Apply To value IMPORTANT: If you want different permissions on default and access ACEs for the same user or group , you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.
default:other:r-x In the example 1, if a default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx, The following shows the result of changes for the directory ACEs on the HP CIFS Server: # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:rwx access:othere:rwx defualt:owner:rwx default:owning group:rwx default:other:r-x
# owner:testuser # owning group:users # other group:testgroup access:owner:rwx access:owning group:r-x access:other group:rwdefualt:owner:rwx default:owning group:r-default:other group:r-w In the example 3, if both access other gorup ACE entry, rw-, and defaut other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server will remove both access other group and default other group ACE entries.
Figure 18 Selecting a new ACE user or group IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface. POSIX Default Owner and Owning Group ACLs The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. In HP CIFS Server A.01.
of the Windows 2000, Windows XP, or Windows Vista ACL information is retained and retrieved by the Samba server, some of the information may be lost or changed in some cases. NOTE: The ACL support is not an Windows 2000, Windows XP, Windows Vista or Windows 7 ACL emulation, but rather access to UNIX ACLs through the Windows 2000, Windows XP, Windows Vista or Windows 7 client.
4 Windows Style Domains Introduction This chapter describes how to configure the roles that an HP CIFS Server can play in a Windows style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or as a Windows domain with a Microsoft Domain Controller (DC). Configuration of Member Servers joining a Windows 2000 and Windows 2003 Domain as a pre-Windows 2000 compatible computer is described here.
Backup Domain Controllers Advantages of Backup Domain Controllers HP CIFS Server with BDC support provides the following benefits to the customer: • The BDC can authenticate user logons for users and workstations that are members of the domain when the wide area network link to a PDC is down. A BDC plays an important role in both domain seurity and network integrity. • The BDC can pick up network logon requests and authenticate users while the PDC is very busy on the local network.
domain logon = yes domain master = yes encrypt passwords = yes [netlogon] comment = The domain logon service path = /var/opt/samba/netlogon writeable = no guest ok = no [profiles] comment = profiles Service path = /etc/opt/samba/profiles read only = no create mode = 600 directory mode = 770 2. The smb.
encrypt passwords = yes security = user [netlogon] comment = The domain logon service path = /var/opt/samba/netlogon writeable = no guest ok = no • The smb.
password server = DOMPDA encrypt passwords = yes netbios name = myserver • The smb.conf file is as shown if the HP CIFS Server acting as a member server uses the LDAP backend to store UNIX and Samba account databases: [global] workgroup = NTDOM security = domain encrypt passwords = yes passdb backend = ldapsam:ldap://ldapserver:389 netbios name = myserver NOTE: workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.
Step-by-step Procedure 1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC. For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS Member Server by performing the following steps: a. Open the "start/programs/administrator/tools/server manager" tool. b. Select the "computer/add to domain" icon and enter the host name of the HP CIFS Server. c.
dn: uid=client1$ ou=People,dc=hp,dc=com objectclass: top objectclass: account objectclass: posixAccount homeDirectory: /home/temp loginShell: /bin/false As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be: objectClass: posixAccount cn: client1$ uid: client1$ uidNumber: 1000 gidNumber: 200 homeDirectory: /home/temp loginShell: /bin/false userPassword: {crypt}x pwdLastSet: 1076466492 logonTime: 0 logofftime: 2147483647 kickoffTime: 2147483647 pwdCanCh
kickoffTime: 2147483647 pwdCanChange: 0 pwdMustChange: 2147483647 rid: 1206 primaryGroupID: 1041 lmPassword: E0AFF63989B8FA6576549A685C6AFAF1 ntPassword: E0AFF63989B8FA6576549A685C6AFAF1 acctFlags: [W ] displayName: client1$ NOTE: You can also use utilities including pdbedit, net commands to create the machine trust accounts. The net commands provide numerous new utility operations.
[global] security = user workgroup = SAMBADOM #SAMBA Domain name domain logon = yes encrypt passwords = yes 2.
acctFlags: [W displayName: client1$ 3.
Figure 19 Entering A Samba PDC Domain Name Roaming Profiles The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features: • A user's environment, preference settings, desktop settings, etc.
profile acls = yes path = /etc/opt/samba/profiles read only = no create mode = 600 directory mode = 770 writeable = yes browseable = no guest ok = no Configuring User Logon Scripts The logon script configuration must meet the following requirements: • User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server. • Should be set to UNIX executable permission. • Any logon script should contain valid commands recognized by the Windows client.
logon home = \\%L\%U Trust Relationships Trust relationships enable pass-through authentication to users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. There are various forms of trusts, depending on the domain type and Windows 2000/2003 Domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at http://technet.microsoft.com.
Establishing a Trust Relationship on an HP CIFS PDC With an NT Domain Trusting an NT Domain from a Samba Domain Use the following steps to trust an NT domain from a Samba Domain: 1. On the NT domain controller, run the User Manager utility. Go to policies/trust relationship, add the trusting Samba domain account for CIFS Server and establish a password. 2. Logon as root on the trusting Samba Domain PDC.
5 Windows 2003 and Windows 2008 Domains Introduction This chapter describes the process for joining an HP CIFS Server to a Windows 2003 or Windows 2008 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see “Domain Member Server” (page 57) in Chapter 4, "NT Style Domains". By default configuration, Windows 2003 and Windows 2008 Servers utilize the Kerberos authentication protocol for increased security.
For the latest LDAP Integration software, download the product from the following web site: http://www.hp.com/go/softwaredepot Enter LDAP-UX Integration for HP-UX in the search field.
Steps to Download the CA Certificates From Windows CA Server Use the following steps to download the Certificate Authority certificates from a Windows 2003 CA Server using Mozilla browser 1.6.0.01.00: 1. You must install Mozilla browser on your HP-UX system. 2. Log in your HP CIFS Server machine as root. 3. Use the following command to setup your DISPLAY environment variable on your HP CIFS Server machine: export DISPLAY = your_machine_IP:0.0 4.
startTLS enabled, the NetBIOS name or IP address of the Windows ADS PDC machine, and the location of the certificate database files, cert8.db and key8.db. The following is an example for the [Global] section of the /etc/opt/samba/smb.conf file: [Global] realm= MYREALM security = ADS password server = adsdc_server ldap server = adsdc_server ssl cert path = /etc/opt/ldapux To enable startTLS with an un-encrypted port 389, set: ldap ssl = start_tls For more information about the smb.
ssl cert path This string parameter specifies the file location of the certificate database files, cert8.db and key3.db. For example, ssl cert path = /etc/opt/samba. The default value is /etc/opt/ldapux. workgroup This parameter specifies the name of domain in which the HP CIFS Server is a domain member server. security When the HP CIFS Server joins to Windows 2000/2003 native mode domain as a member server, you must set this parameter to ADS.
10. Once the selected user is presented in the Enter the object name to select list, click the OK button to get in the permission entry for Computers window. 11. In the Permissions dialog box, check Create Computer Objects and Delete Computer Objects selections. 12. Click on the OK button 13. Click on the Apply button. 14. Click on the OK button on the Advanced Security Setting for Computers window. 15. Click on the OK button on the Computers Properties window.
NOTE: You must configure the port number :88 after the node name specified for the kdc entry in the [realms]section. Kerberos v5 uses the port number 88 for the KDC service. For detailed information on how to configure the /etc/krb5.conf file, refer to the krb5.conf(4) man page. 3. Run the following commands to verify Kerberos configuration log in as root kinit (e.g. Administrator@myrealm.xyz.
netbios name = MYSERVER Then join the ADS domain by manually executing the "net ads join -U Administrator%password" command. NOTE: If you use the startTLS feature for strong authentication support, see “Configuring HP CIFS Server to Enable startTLS” section for more information about smb.conf configuration. 5. Use the following command to start your HP CIFS Server: /opt/samba/bin/startsmb 6. Run the following command to verify Kerberos authentication.
“workgroup” parameter of smb.conf. Enter and confirm the trust password and select OK. • 5. 6. 7. To add Windows 2000 as a trusted domain, click the Add button next to the box titled “Domains that trust this domain”. For “Trusting Domain”, enter the Samba PDC domain name. Enter and confirm the trust password and select OK. When prompted, review the confirmation and select Yes. Enter the administrator name and password. Select Finish, and then OK.
Windows domain name specified in step 1. This password is used by the trusting Windows domain when it establishes the trust relationship. For example, the following command adds the trusting Windows domain account, windomainA, to the Samba domain database: smbpasswd -a -i windomainA$ 4. Run net rpc trustdom to establish the trust with the trusted Windows domain.
6 LDAP Integration Support This chapter describes the HP CIFS Server with LDAP integration. It includes benefits of LDAP, procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software.
NOTE: While the HP CIFS Server may operate satisfactorily with other LDAP products, HP only provides LDAP support for the HP CIFS Server with HP LDAP-UX Integration, J4269AA, HP Netscape Directory Server, J4258CA, or HP Red Hat Directory Server, NSDirSvr7, product configurations.
CIFS Server acting as an Active Directory Service (ADS) Member Server ADS Member Servers use LDAP libriaries and Kerberos security to access ADS Domain Controllers' authentication services. Therefore, LDAP-UX Integration and HP Kerberos Client Library products are required. See “Windows 2003 and Windows 2008 Domains” (page 68) for details. Workgroup Model Networks HP CIFS Servers configured with server mode security will attempt to authenticate Windows users on the server specified.
3. The Windows PC client sends a responsepacket to the CIFS Server based on the user password and the challenge information. 4. The CIFS Server looks up the LDAP directory server for the user data and requests data attributes including the password information. 5. The CIFS Server receives data attributes including the password information from the LDAP directory server. If the password and challenge information matches with information in the client response package, the Samba user authentication succeeds.
slapd-v3.nis.conf. For more information on the posix schema (RFC2307), see http://www/ietf.org/rfc.html. RFC 2307 consists of object classes such as, posixAccount, posixGroup, and so on. posixAccount represents a user entry from the /etc/passwd file. posixGroup represents a group entry from the /etc/group file. Configuring Your Directory Server You need to configure the Netscape/Red Hat Directory Server if it is not already configured.
When you run the setup program to configure the LDAP-UX Client Services on a client system, setup does the following major tasks for you: • Extends your directory schema with posixAccount objectclass and attributes, if not already done. • Creates a configuration profile entry in your Netscape Directory from information you provide.
or IP address (for example: 15.13.118.130 or 2001:0db8:3c4d:0015:0:0:abcd:ef12). To accept the default shown in brackets, press the Return key. Directory server host [dctvm105.ind.hp.com = 15.146.157.105]: To accept the default shown in brackets, press the Return key. Directory Server port number [389]: Enter the distinguished name (DN) of an existing LDAP-UX profile entry you want to use or the DN where you want to store a new LDAP-UX profile entry.
Select the type of client binding you want. 1. Anonymous 2. Proxy 3. Proxy; if proxy fails, then use anonymous To accept the default shown in brackets, press the Return key. Client binding: [1]: Updated directory server at 15.146.157.80:389 with a profile entry at [cn=pdc1, dc=ind, dc=hp, dc=com] Updated the local client configuration file /etc/opt/ldapux/ldapux_client.conf Updated the local client profile entry LDIF file /etc/opt/ldapux/ldapux_profile.
4. Configure the Name Service Switch (NSS). Save a copy of the /etc/nsswitch.conf file and edit the original to specify the ldap name service and other name services you want to use. See the /etc/nsswitch.ldap file for a sample. You may be able to just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information. 5. 6. You will be asked whether or not you want to start the client daemon, /opt/ldapux/bin/ ldapclientd. You must start the client daemon for LDAP functions to work.
3. Configure the Administration Server to connect to an SSL-enabled directory server. For detailed instructions on how to configure the administration server to connect to an SSL enabled directory server, see Managing Servers with Netscape Console available at http://docs.hp.com. Configuring the LDAP-UX Client to Use SSL If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX Client and configure the LDAP-UX Client to enable SSL.
Configuring HP CIFS Server to enable SSL Configure the following smb.conf parameters to enable SSL: • For HP CIFS Server A.02.* as well as A.03.01.02 versions, set the following parameter in the [Global] section of the smb.conf file: passwd backend = ldapsam:ldaps:// Where is the fully qualified name of the target directory server. • HP CIFS Server A.02.03 or later supports the start_tls option to the ldap_ssl parameter.
3. Use the following ldapsearch command to verify that you have updated the schema in the Directory Server with the Samba subschema: $ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \ "(objectclass=*)"|grep -i samb You need to ensure that the output displays the following sambaSamAccount objectclass when you run the ldapsearch command: objectClasses: ( 1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' DESC 'Samba 3.
2. Run the following script, migrate_all_online.sh, to migrate all name service data files in the/etcfile to the LDIF file: $ migrate_all_online.sh Reply as appropriate to the script. In our example, use cn=Directory Manager and credentials to bind with means the Directory Manager password. NOTE: At this point, you have an LDAP directory server with everything you need to use as a backend for pam and nsswitch.
Table 12 Migration Scripts (continued) Script Name Description 3 migrate_services.pl Migrates services in the /etc/services file. migrate_common.ph Specifies a set of routines and configuration information all the perl scripts use. 1 2 3 Systems have been configured with the same host name, then the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the host name for each of the IP addresses.
Migrating Your data from one backend to another Use the syncsmbpasswd tool to synchronize Samba user accounts with all currently available POSIX user accounts in the configured password database backend. If you set the passdb backend parameter in smb.conf to ldapsam:ldap://, this tool adds Samba user accounts that correspond to existing POSIX user accounts to the LDAP directory server. See the syncsmbpasswd (1) man page for details.
Table 13 Global Parameters (continued) Parameter Description ldap passwd sync Specifies whether the HP CIFS Server should sync the LDAP password with the NT and LM hashes for normal accounts on a password change. This option can be set to one of three values: • Yes: Update the LDAP, NT and LM passwords and update the pwdLastSet time. • No: Update NT and LM passwords and update the pwdLastSet time. • Only: Only update the LDAP password and let the LDAP server do the rest. The default value is No.
NOTE: HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server. You can quickly run the samba_setup program to configure the HP CIFS Server with the LDAP feature support as follows: 1. Run the following commands to enable the LDAP feature: $ export PATH=$PATH:/opt/samba/bin $ samba_setup When running the samba_setup program, you will be asked whether you want to use LDAP or not. Press Yes to use LDAP, and press No to disable LDAP. 2.
NOTE: You must ensure that the password correctly matches with the password for the ldap admin directory manager. This password is for user administration and is stored for later use. If the password is incorrect, no error message is displayed, but the user administration will fail when attempted.
Syntax ldapsearch [option] Option -b Specifies the starting point for the search. The value specified must be a distinguished name that currently exits in the database. -s Specifies the scope of the search. -D Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries.
7 Winbind Support This chapter describes the HP CIFS winbind feature and explains when to use it and how best to configure its use.
Winbind provides a library routine, /usr/lib/libnss_winbind.1, that NSS can use to interface to the winbind daemon to resolve ID mappings. • User and group ID allocation When winbind is presented with a Windows SID for which there is no corresponding UID and GID, winbind generates a UID and GID.
Advantages The advantages of using the shared sambaUnixIDPool method are as follows: • – UIDs and GIDs are unique across all domain member servers that access this LDAP database. – Native non-winbind users can be authorized using the POSIX objectclass and LDAP PAM module from the same LDAP database. – The database can be replicated. Replication reduces the likelihood of data loss and provides backup servers if the primary server is unavailable.
Figure 21 Winbind Process Flow Windows UNIX 11 Client open file 10 share mapped 3 Samba 14 accept/reject 12 JFS map share 1 accept/deny 4 return user/group SIDs netlogin If UID/GID = ACE get file UID/GID now mapped 13 6 Is this SID mapped? W2003 = PAC NSSWITCH 2 ADS Domain Controller 5 9 Pass-thru authentication winbind DC returns user/group SID list 7 Return UID/GID 8 tdb If mapped, get UID/GID else, map SID to UID/GID The following describes winbind process flow shown in
Winbind uses the blocking, synchronous behavior when enumerating users and groups. Set both winbind enum users and winbind enum groups to No to force winbind to suppress the enumeration of users and groups.
cannot differentiate which user actually created the file or directory from a file system perspective. Why can’t I use the net groupmap utility to map a windows group to a UNIX group, then add UNIX members to this group? The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups, so they can be recognized by Windows clients allowing them to be used when setting permissions on the local server resources.
NOTE: On HP-UX 11v1 and v2, this solution is limited by the useradd command’s eight character maximum name length. All the Windows user names have to be limited to eight characters. The command fails if the %u macro user name does not meet the constraints of the useradd command. NOTE: On HP-UX 11v3, you can explicitly enable the system for expanded user and group names by using the lugadmin command. Refer to the lugadmin man page for details. The lugadmin –e option enables long user name.
UNIX user requirements are likely to drive management of users in Samba Domain deployments. HP recommends that you use the syncsmbpasswd script to generate Samba user entries based on the existing UNIX user entries. See the syncsmbpasswd man page for more information. Note that the name "syncsmbpasswd" originates from the name of the password file. This tool only creates Samba user entries, it is not possible to translate UNIX passwords into Samba passwords.
Table 14 Global Parameters (continued) Parameter Description idmap backend This string variable specifies the type of the idmap backend that is used. The syntax can be: • idmap backend = This is the default where the local idmap tdb file is used. • idmap backend = rid:= The ID mappings are generated by the idmap rid facility. For example, idmap backend = rid:DomainA=50000–60000.
NOTE: If you want to use the default value "\" of the winbind separator parameter in smb.conf, you should comment out this parameter. By doing this, the testparm and wbinfo commands can show the correct default separator character "/" without generating an error. Commenting out the winbind separator parameter with the default value, you must type the default "\" separator character twice ("\\") when using the wbinfo -n command. For example, wbinfo -n domain_name\\domain_username.
Configuring Name Service Switch To use winbind support, you need to configure the Name Service Switch control file,/etc/nsswitch.conf, to use winbind as the name services for user or group name lookup. For example, you can set up the /etc/nsswitch.conf file as follows: passwd: group: files winbind files winbind In this example, NSS first checks the files, /etc/passwd and /etc/group, and if no entry is found, it checks winbind.
idmap gid = 50000-60000 idmap backend = rid:DomainA=50000-60000 allow trusted domains = no Check the log file to see if the rid shared library is loaded after you configure and setup rid. LDAP Backend Support When multiple CIFS Servers participate in a Windows NT or Windows ADS domain and make use of winbind, you can configure multiple CIFS Servers to store ID maps in an LDAP directory. Making use of an LDAP server and configuring CIFS servers with the idmap backend parameter in smb.
The stopsmb command without specifying any option will stop both smbd and nmbd daemons only. NOTE: Use the scripts startwinbind and stopwinbind to start or stop the winbind daemon only. For example, use the following command to start the winbind daemon only: $ startwinbind Automatically Starting Winbind at System Startup The RUN_WINBIND parameter can be specified in /etc/rc.config.d/samba to control whether the winbind daemon, winbindd, will start at system startup.
8 Kerberos Support Introduction The Kerberos protocol is regulated by the IETF RFC 1510. Kerberos was adopted by Microsoft for Windows 2000, and is the default authentication protocol for Windows 2000, Windows 2003, Windows XP, and Windows Vista clients. For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2003 and Windows 2008 domain, and only when the HP CIFS Server is configured with "security = ads".
Kerberos CIFS Authentication Example Figure 22 Kerberos Authentication Environment Authenticator Windows 2000/2003 KDC AS 1 2 TGS 3 4 Windows 2000 or XP Client Authenticatee 5 6 HP CIFS Server Resource The following describes a typical Kerberos logon and share service exchange using Kerberos authentication in an Windows 2000/2003 domain environment shown in Figure 8-1: 1.
• Service Pack 1 is recommended for Windows 2003, and required for inter-operation with Kerberos v5 Client D.1.6.2 or later on HP-UX 11i v2 or Kerberos v5 Client E.1.6.2 or later on HP-UX 11i v3. • HP-UX LDAP-UX Integration product • Windows 2000, Windows 2003, or Windows 2008 Server domain. • Windows 2000 or Windows XP Client Configuring krb5.keytab Here are the required components to configure HP CIFS Server with HP-UX Internet Services co-existence: • Kerberos v5 Client D.1.6.
workgroup = MYREALM realm = MYREALM.HP.COM netbios name = atcux5 server string = Samba Serveraces = 15.43.214.58 bind interfaces only = Yes security = ADS password server = HPATCWIN2K4.MYREALM.HP.COM kerberos method = dedicated keytab dedicated keytab file = /etc/krb5.keytab 3.
9 HP CIFS Deployment Models This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference.
Figure 23 Standalone HP CIFS Server as a PDC HP CIFS PDC Windows and UNIX users password backend: smbpasswd tdbsam Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend: Figure 24 Standalone HP CIFS Server as a PDC with NDS backend HP CIFS PDC NDS LDAP Server Windows and UNIX users password backend: ldapsam ldapsam_compat Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend: Samba Domain Model 115
Figure 25 Multiple HP CIFS Servers with NDS backend HP CIFS PDC and WINs Server NDS LDAP Server HP CIFS BDC HP CIFS Member Server Windows and UNIX users password backend: ldapsam ldapsam_compat Figure 9-4 shows the Samba Domain Model: Figure 26 Samba Domain HP CIFS PDC and WINs Server NDS LDAP Server HP CIFS BDC HP CIFS Member Server Windows and UNIX users password backend: ldapsam ldapsam_compat The Samba Domain Deployment Model consists of a HP CIFS Server configured as a Primary Domain Controller
Samba Domain Components As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See “LDAP Integration Support” (page 78) for detailed information on how to set up LDAP. WINS is used for multi-subnetted environments. Multi-subnetted environments require name-to-IP-address mapping to go beyond broadcast limits of a single LAN segment.
HP CIFS Acting as the Member Server To ensure that there are always sufficient domain controllers to handle authentication and logon requests, in general, configure BDCs rather than member servers unless there are fewer than about 30 Windows clients per BDC. You can join an HP CIFS Server to the Samba Domain.The Windows authentication requests are managed by the PDC or BDCs using LDAP, smbpasswd or other backend.
###################################### # # Samba config file created using SWAT # from 1.13.129.217 # # Global Parameters [global] workgroup = SAMBA30_DOMAIN # Domain Name server string = Samba Server hostW PDC passdb backed = ldapsam:ldap://hpldap128:389, smbpasswd log level = 0 security = user syslog = 0 log fie = /var/opt/samba/log.
A Sample smb.conf File For a BDC The following is a sample Samba configuration File, /etc/smb.conf, used for an HP CIFS Server machine hostB acting as a BDC in the sample Samba Domain Model shown in Figure 9-5: ###################################### # # Samba config file created using SWAT # from 1.13.129.
###################################### # # Samba config file created using SWAT # from 1.13.129.217 # # Global Parameters [global] workgroup = SAMBA30_DOMAIN # Domain Name server string = Samba Server hostC Domian Member Server password server = hostW hostB security = Domain netbios aliases = MOONEY log level = 0 syslog = 0 log fie = /var/opt/samba/log.%m max log size = 1000 domain logons = Yes preferred master = No domain master = No wins server = 1.13.115.
group: hosts: networks: protocols: rpc: publickey: netgroup: automount: aliases: services: files ldap dns [NOTFOUND=return] files ldap files ldap files ldap files ldap files files ldap files files files ldap Windows Domain Model You can use the Windows Domain Model in environments with the following characteristics: • Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled).
Components for Windows Domain Model HP CIFS Server supports the NTLMv1/NTLMv2 security used for NT domain membership and Kerberos security used for Windows 2000/2003 native membership, so HP CIFS Servers can be managed in any Windows 2000/2003 ADS, Windows 200x mixed mode, or NT environment. HP CIFS Server does not support a true SAM database and can not participate as a domain controller in an Windows NT, Windows 2000 or Windows 2003 domain.
###################################################### # # An sample smb.conf file for an HP CIFS ADS member server # # Global Parameters [global] workgroup = hpcif23_dom # Domain Name server string = CIFS Server as a domain member of hpcif23_dom realm = HPCIF23DOM.ORG.HP.COM security = ADS netbios name = hpcif54 encrypt passwords = yes password server = * passdb backend =smbpasswd log level = 0 syslog = 0 log fie = /var/opt/samba/log.
read only = no valid users = %D\%U [share2] path = /tmp read only = no # Specify values of force user and force group to a valid domain user or group force user = localusr force group = localgrp [tmp] path=/tmp read only = no browseable = yes writable = yes A Sample /etc/krb5.conf File On your HP CIFS Server acting as a ADS member server, you need to create the Kerberos configuration file, /etc/krb5.
The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7: # /etc/nsswitch.conf # # This sample file uses Lightweigh Directory Access # Protocol(LDAP) in conjunction with dns and files.
###################################################### # # An sample smb.conf file for an HP CIFS ADS member server # # Global Parameters [global] workgroup = hpcif23_dom # Domain Name server string = CIFS Server as a member of NT domain netbios name = hostM # For NT specific option workgroup = hostP_dom security = domain encrypt passwords = yes passdb backend = smbpasswd password server = hostP.org.hp.com log level = 0 log fie = /var/opt/samba/log.
[tmp] path=/tmp read only = no browseable = yes writable = yes Unified Domain Model You can use the Unified Domain Deployment Model in environments with the following characteristics: • A domain consisting of Windows 200x servers. • The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for Unix (SFU). NOTE: • SFU Version 3.5 does not support the Windows NT4 Domain.
For more information on how to configure Unified Login, see Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2 at: http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf. Unified Domain Components HP CIFS Acting as a Windows 200x ADS Member Server The HP CIFS member server operating in a unified domain depends on the ADS to be aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings.
4. • Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients. • Downloads the configuration profile from the directory to the client. • Starts the product daemon, ldapclientd. Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to specify Kerberos authentication and LDAP name service, respectively. Configuring /etc/krb5.
Figure 32 An Example of the Unified Domain Windows ADS DC/SFU “hpntcdn” Realm: CIFSW2KSFU .ORG.HP.COM Windows and UNIX users Windows NT/WINS Server IP address “1.13.112.166” HP CIFS Member Server “hostD” A sample smb.conf file For an HP CIFS Member Server The following is a sample Samba configuration File, /etc/smb.
# Kerberos Configuration # # # # This krb5.conf file is intended as an example only. # # See krb5.conf(4) for more details. # # # Please verify that you have created the directory /var/log.# # # # Replace HPCIFSW2KSFU.ORG.HP.COM with your kerberos Realm. # # Replace hpntcdn.org.hp.com with your Windows ADS DC full # # domain name. # # # [libdefaults] default_realm = HPCIFSW2KSFU.ORG.HP.
10 Securing HP CIFS Server This chapter describes the network security methods that you can use to protect your HP CIFS Server. It includes the following sections: • “Security Protection Methods” (page 133) • “Automatically Receiving HP Security Bulletins” (page 136) Security Protection Methods HP CIFS Server provides a flexible approach to network security and implements the protocols to support more secure Microsoft Windows file and print services.
make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP connection refused reply. Using a Firewall You can use a firewall to deny access to services that you do not want exposed outside your network. This can be a very good protection method, although the methods mentioned above can also be used in case the firewall is not active for some reasons. When you set up a firewall, you need to know which TCP and UDP ports to allow.
on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see “LDAP Integration Support” (page 78). The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory configurations. Protecting Sensitive Configuration Files The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security while providing appropriate accessibility.
Restricting Execute Permission on Stacks A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions.
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive". In the archive, the third link is to the current Security Patch Matrix. This matrix categorizes security patches by the platform/OS release, and by the bulletin topic. The Security Patch Check tool completely automates the process of reviewing the patch matrix for the v2 system.
11 Configuring HA HP CIFS Overview of HA HP CIFS Server Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.
4. For any UNIX users used to authenticate CIFS clients, check that they have the same name, user ID number, primary group and password on both of the nodes. This is required for any users used to authenticate to either Samba server in the Active-Active configuration. This means that any user name used on both Samba servers must have the same user ID, primary group ID, and password on both cluster nodes.
1. 2. 3. /etc/opt/samba/smb.conf.pkg1 /etc/opt/samba/smb.conf.pkg2 /etc/opt/samba/smb.conf.pkg3 There will be three directories: 1. /var/opt/samba/pkg1 2. /var/opt/samba/pkg2 3. /var/opt/samba/pkg3 ...where the locks and log files will reside. With most configurations, it will be easier to set up and maintain the dynamic security and data files on shared disks. Therefore, you may want to create the /var/opt/samba/ paths used in the example on shared disks.
• Consider load balancing when creating the share paths. • Consider whether you need to locate your smbpasswd and private files on a shared volume, etc. You may want to review "Special Notes for HA HP CIFS Server" found at the end of this section, now. If you run SWAT or smbpasswd utilities, keep in mind that they will be operating on smb.conf not your smb.conf. configuration. You may want to copy smb.conf. to smb.conf for this reason.
...depending on which package you are currently working on. 2. Create a NODE_NAME variable for each node that will run the package. The first NODE_NAME should specify the primary node. All other NODE_NAME variables should specify the alternate nodes in the order in which they will be tried. NODE_NAME ha_server1 NODE_NAME ha_server2 ...for pkg1, NODE_NAME ha_server2 NODE_NAME ha_server1 ...for pkg2, etc. 3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.
...for pkg2, etc. 2. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server.
4. If you want to use the HP CIFS Server monitor script, set the SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf. SERVICE_NAME[0]=samba_mon1 SERVICE_CMD[0]=/etc/cmcluster/samba/pkg1/samba.mon for pkg1, and SERVICE_NAME[0]=samba_mon2 SERVICE_CMD[0]=/etc/cmcluster/samba/pkg2/samba.mon for pkg2. 5. If you have an smb.conf file which makes use of winbind, you need to uncomment these winbind lines for winbind support in the cluster. Edit the samba.
3. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MCServiceGuard cluster configuration file (clucifs.conf) through MCServiceGuard procedures. cmcheckconf -C /etc/cmcluster/clucifs.conf \ -P /etc/cmcluster/samba/pkg1/samba.conf \ -P /etc/cmcluster/samba/pkg2/samba.conf 4. Activate the shared volume for cluster locks. vgchange —a y /dev/vglock 5.
• Security Files An important security file is secrets.tdb. Machine account information is among the important contents of this file. Since this file will be updated periodically (as defined in smb.conf by machine password timeout, 604800 seconds by default), HP recommends that you locate secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the smb.conf parameter, private dir.
• Samba as a Master Browser If you configure your Samba server to be the domain master browser by setting the domain master to yes, it will store the browsing database in the /var/opt/samba/locks/browse.tdb file. HP does not recommend doing this in an HA configuration. If you do so, you will probably want to configure /var/opt/samba/locks/browse.tdb as a symbolic link to a BROWSE.DAT file on a logical shared volume.
mkdir -p -m 755 /exported/looks mkdir -p -m 700 /exported/private mkdir -p -m 777 /exported/data vi /etc/exports /exported -anon=root root=host:nfsclient1:nfsclient2 Run the following command to export all directories listed in /exported to NFS clients: exportfs -a Execute the following commands on an NFS client: vi /etc/fstab nfsserver:/exported /mnt/nfsserver nfs defaults 0 0 mkdir -p /mnt/nfsserver mount /mnt/nfsserver An example of smb.
Example: cfsdgadm activate dgha Create volumn: vxassist g make Example: vxassist -g dgha make lvol1 1024M vxassist -g dgha make lvol2 2048M newfs -F vxfs /dev/vx/rdsk/dgha/lvol1 newfs -F vxfs /dev/vx/rdsk/dgha/lvol2 Add volumn: cfsmntadm add all=rw Example: cfsmntadm add dgha lvol1 /cfs1 all=rw cfsmntadm add dgha lvol2 /cfs2 all=rw Mount CFS mount points: cfsmount cfsmount /cfs1 /cfs2 If CIFS Server binaries a
DEPENDENCY_CONDITION DEPENDENCY_LOCATION 150 Configuring HA HP CIFS SG-CFS-MP-2=UP SAME_NODE
12 HP-UX Configuration for HP CIFS This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections: • HP CIFS Process Model • TDB Memory Map for HP CIFS Server • Overview of Kernel Configuration Parameters • Configuring Kernel Parameters for HP CIFS The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of a HP CIFS server running on HP-UX 11i v3.
NOTE: The difference between the access based share enum (S) parameter and the access based enumeration parameter is that in access based share enum (S) only the share permissions are evaluated and security descriptors are not used in computing enumeration access rights. • cache directory (G) This parameter specifies the directory where the TBD files containing non-persistent data are stored. The default setting of this parameter is cache directory = /var/opt/samba/locks.
• init logon delay (G) This parameter specifies the delay in milliseconds for the configured hosts for the initial samlogon parameter with init logon delayed hosts. The default setting for this parameter is init logon delay = 100. • kerberos method (G) This parameter specifies how Kerberos tickets are verified. You can use the following values for the kerberos method (G) parameter: secrets only Use secrets.tdb for ticket verification. system keytab Use system keytab for ticket verification.
• state directory (G) This parameter specifies the directory location where the TDB files containing persistent data is stored. The default setting for this parameter is state directory = /var/opt/samba/locks. • smb encrypt (S) This parameter specifies if the remote client should use SMB encryption. Starting from Samba 3.2 version and later, SMB encryption uses the GSSAPI to encrypt and sign request and response in a SMB protocol stream.
max open files Changed default 1024 max stat cache size Changed default 256 preferred master Changed default No idmap backend Changed default tdb idmap cache time Changed default 604800 Modified SMB.CONF parameters allocation roundup size Modified 1048576 kernel oplocks Modified Yes ldap ssl Modified start tls Removed SMB.
no coherency is guaranteed between these two caches. With the unified file cache support, coherency can be achieved. What to Do if You Encounter Memory Map Error Messages This section includes information about memory map error messages and actions you may take as follows: • The HP CIFS Server will terminate the connection and log the following error messages, in the event that the value of fixed mmap size is not sufficient: "tdb_expand: ERROR. Requested size (%d) > fixed mmap size (%d).
• nfiles: this kernel parameter controls the size of the system file table and limits the total number of open files in the system. Note that this affects each instance of an open file since the same file opened twice would take up 2 entries in the system file table. This default formula is (16*(nproc+16+maxusers)/10+32+2*(npty+nstrpty+nstrtel)). When this tables becomes full, the console message “file: table is full” will appear on the console.
• ninode: unlike nfile, each instance on an open will NOT increase the number of inode entries. Rather, each unique opened file will only take up one entry, regardless of how many times it is opened. Therefore this parameter should be set to the anticipated number of UNIQUE open files used by HP CIFS plus the number opened by other processes in the system. • nflocks: each smbd process will utilize at least ten file locks.
13 Tool Reference This chapter describes tools for management of Samba user, group account database. It includes the following topics: • “HP CIFS Management Tools” (page 159) • “LDAP Directory Management Tools” (page 169) HP CIFS Management Tools Several HP CIFS Server tools are available for management of CIFS user data stored in the smbpasswd file or in Netscape/Red Hat Directory Server database.
If the POSIX user does not already exist in the LDAP directory server, you must first add the POSIX user entry with the LDAP directory tools (such as ldapmodify). The ldapmodify tool can be used to add, modify or delete a POSIX user in an LDAP directory server. For more information on how to add POSIX user accounts to the LDAP Directory server, see the “Creating Samba Users in the Directory” (page 94) section in the chapter 6, “LDAP Integration Support”.
need to be manually updated as well. The password is entered in the command line. -W Changes the LDAP directory manager password. With the -W option, the user is prompted for the password. The password is entered using stdin and thus the clear text password never appears on the command line. -x This option specifies that the [username] following should be deleted from the configured passdb backend. username Specifies the user name for all of the root only options to operate on.
Pdbedit You can use the pdbedit tool to manage the Samba user accounts stored in the SAM database (database of Samba users). You must be logged in as the root user to run this tool. The pdbedit tool can be used to perform the following operations: • Add, remove or modify user accounts. • List user accounts. • Migrate user accounts. • Migrate group accounts. • Manage account policies. • Manage domain access policy settings.
-D, –drive=ARG Specifies the windows driver letter to be used to map the home directory. This option can be used while adding or modifying a user account. -S, –script=ARG Sets the user's logon script path. This option can be used while adding or modifying a user account. -P, –profile=ARG Specifies the user's profile directory. This option can be used while adding or modifying a user account. -I, –domain=ARG Specifies the user's domain name.
time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt. -C, –value=ARG Sets an account policy to a specified value. This option may only be used in conjunction with the -P option. -c, –account-control=ARG Specifies the user's account control property. This option can be used while adding or modifying a user account.
$ pdbedit -? Run the following command to create a Samba account for the user cifsuser1 in the group cifsgrp with the home directory /home/cifsuser1. The pdbedit tool will prompt for input of an initial user password. $ pdbedit -a cifsuser1 -g cifsgrp -h /home/cifsuser1 Run the following command to delete a Samba account for the user cifsuser2: $ pdbedit -x cifsuser2 net This tool is used for administration of Samba and remote CIFS servers.
password that has already been stored in a Windows Active Directory. Do not use this command unless you know exactly what you are doing. The use of this command requires that the force flag (-f) is used also. There will be no command prompt. Whatever information is input into stdin is stored as the literal machine password. Do not use this without care and attention because it will overwrite a legitimate machine password without warning. net status Displays machine account status of the local server.
-n or –myname= Specifies the NetBIOS name. This option allows you to override the NetBIOS name that Samba uses. The command line setting will take precedence over parameter settings in the smb.conf file. -U or –user= Specifies the user name. -s or –configfile= Specifies the alternative path name of the Samba configuration file. -l or –long Displays full information on each item when listing data. -V or –version Prints Samba version information.
-I, –WINS-by-ip This option queries winbindd to send a node status request to get the NetBIOS name associated with the IP address specified by the ip parameter. -n, –name-to-sid This option queries winbindd for Windows SID associated with the name specified. -s, –sid-to-name Uses this option to resolve a Windows SID to a name. This is the inverse of the -n option. The Windows SID must be specified as ASCII strings in the traditional Microsoft format.
Displays brief usage messages. –usage For detailed information on how to use this tool, refer to the /opt/samba/man/man1/wbinfo.1 file.
ldapmodify You use the ldapmodify command-line utility to add, delete or modify POSIX user entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file. Syntax ldapmodify [optional_options] where optional_options Specifies a series of command-line options.
Syntax ldapsearch -b basedn [optional_options][filter] [optional_list_of_attributes] where filterfilter optional_options Specifies an LDAP search filter. Do not specify a search filter if you supply search filters in a file using the -f option. Specifies a series of command-line options. These must be specified before the search filter, if used. optional_list_of_attributes are spaces-separaed attributes that reduct the scope of the attributes returned in the search results.
Syntax ldapdelete [optional_options] where optional_options Specifies a series of command-line options. ldapdelete Options The section lists ldapdelete options most commonly used. -D Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries. -h Specifies the name of the host on which the Directory Server is running.
Glossary A ACL Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert.) Different file systems have varying levels of ACL support and different file systems define different access rights.
P Public Key An encryption method by which two users exchange data securely, but in one direction only. A user, who has a private key, creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data. Public Key Infrastructure Method of managing public key encryption.
Index Symbols I /etc/nsswitch.conf, 86, 130 /etc/nsswitch.ldap, 86 /etc/pam.conf, 130 installation, 82 summary, 81 installing overview, 19 A Access Control Lists, 33 VxFS, 33 ACLs. See Access Control Lists, 33 adding ACE entries, 37 K B L boot, 82 ldapdelete program, 171 ldapmodify program, 170 ldapsearch program, 170 C Change Notify, 31 CIFS protocol, 13 Common Internet File System.
swinstall, 82 T tools ldapdelete, 171 ldapmodify, 170 ldapsearch, 170 TTL, profile, 85, 105, 135 U UNIX file owner, 33 other permission, 33 owning group, 33 permissions, 33 V VxFS POSIX ACL File Permission Superset, 36 W white paper, directory configuration, 81 Windows ACLs, 33 directory translations, 34 www.docs.hp.com, 18 www.software.hp.