HP CIFS Server Administrator's Guide Version A HP-UX 11i v2 and HP-UX 11i v3
HP Part Number:
Published: March 2013
Copyright 2012, 2013 Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license.

Trademark Acknowledgements: UNIX is a registered trademark of The Open Group. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Contents

About this document
  Intended audience
  New and changed documentation in this edition
  Typographical conventions
  Publishing history
  Document organization
  HP welcomes your comments

1 Introduction to the HP CIFS Server
  HP CIFS Server description and features
    Features
  Samba open source software and HP CIFS Server
    Flexibility
  HP CIFS Server documentation: Printed and Online
  HP CIFS documentation roadmap
  HP CIFS Server file and directory roadmap

2 Installing and configuring the HP CIFS Server
  HP CIFS Server requirements and limitations
    HP CIFS Server installation requirements
    HP CIFS Server memory requirements
    Software requirements
    Swap space requirements
    Memory requirements
  Step 1: Installing HP CIFS Server software
    An example
  Step 2: Running the configuration script
  Step 3: Modify the configuration
    Configuration modification
    Configure case sensitivity
    Configure for SMB2 Features
    Configuring print services for HP CIFS version A
      Configuring a [printers] share
      Creating a [printers] share
      Setup Server for automatically uploading printer driver files
      Setup Client for automatically uploading of printer drivers
    Publishing printers in an MS Windows 2003/2008 R2 ADS domain
      Setting up HP CIFS Server for publishing printers support
      Publishing printers from a Windows client
      Verifying that the printer is published
      Commands used for publishing printers
      Searching printers
      Removing a printer
      Re-Publishing a printer
    Setting up Distributed File System (DFS) support
      Setting up a DFS Tree on an HP CIFS Server
      Setting up DFS links in the DFS root directory on an HP CIFS Server
    MC/ServiceGuard high availability support
  Step 4: Starting the HP CIFS Server
    Starting and stopping daemons individually
    Configuring automatic start at system boot
    Stopping and re-starting daemons to apply new settings
  Other Samba configuration issues
    Translate open-mode locks into HP-UX advisory locks
    Performance tuning using change notify
    Special concerns when using HP CIFS Server on a Network File System (NFS) or a Clustered File System (CFS)
    NetBIOS names are not supported on port

3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7
  Introduction
  UNIX file permissions and POSIX ACLs
    Viewing UNIX permissions from Windows
    The VxFS POSIX ACL file permissions
    Using the Windows NT Explorer GUI to create ACLs
    Using the Windows Vista Explorer GUI to create ACLs
  POSIX ACLs and Windows XP, Windows Vista and Windows 7 clients
    Viewing UNIX permissions from Windows XP, Windows Vista and Windows 7 clients
    Setting permissions from Windows XP, Windows Vista and Windows 7 clients
    Viewing ACLs from Windows 7 clients
    Displaying the owner of a file
  HP CIFS Server directory ACLs and Windows XP, Windows Vista and Windows 7 clients
    Directory ACL types
    Viewing ACLs from Windows 7 clients
    Viewing basic ACLs from Windows 7 clients
    Viewing advanced ACLs from Windows 2000 clients
    Mapping Windows XP directory inheritance values to POSIX
    Modifying directory ACLs from Windows XP clients
    Removing an ACE entry from Windows XP clients
    Examples
    Adding directory ACLs from Windows XP clients
    POSIX default owner and owning group ACLs
    POSIX ACEs with zero permissions
  In conclusion

4 Windows style domains
  Introduction
  Advantages of the Samba Domain model
    Primary domain controllers
    Backup domain controllers
    Advantages of backup domain controllers
    Limitations
    Domain members
  Configure the HP CIFS Server as a PDC
  Configure the HP CIFS Server as a BDC
  Promote a BDC to a PDC in a Samba Domain
  Domain member server
    Configure the HP CIFS Server as a member server
    Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain
    Step-by-step procedure
    Create the machine trust accounts
    Configure domain users
  Join a Windows client to a Samba Domain
  Roaming profiles
    Configuring roaming profiles
  Configuring user logon scripts
    Running logon scripts when logging on
  Home drive mapping support
  Trust relationships
    Configuring smb.conf for trusted users
    Establishing a trust relationship on an HP CIFS PDC with another Samba Domain
    Establishing a trust relationship on an HP CIFS PDC with an NT domain
      Trusting an NT Domain from a Samba Domain
      Trusting a Samba Domain from an NT domain
    Establishing a trust relationship on an HP CIFS member server of a Samba Domain or an NT domain

5 Windows 2003 and Windows 2008 domains
  Introduction
  HP CIFS and other HP-UX Kerberos applications co-existence
  HP-UX Kerberos client software and LDAP integration software dependencies
  Strong authentication support
    Steps to install Certification Authority (CA) on a Windows ADS server
    Steps to download the CA certificates from Windows CA server
    Configuring HP CIFS server to enable starttls
  Joining an HP CIFS server to a Windows 2003 and Windows 2008 domain
    Configuration parameters
    Setting permissions for a user
    Step-by-step procedure
  Trust relationships
    Establishing external trust relationships between HP CIFS PDCs and Windows 2003 and Windows 2008 domains
    Establishing a trust relationship on an HP CIFS member server of a Windows 2003 or Windows 2008 domain

6 LDAP integration support
  Overview
    HP CIFS server advantages
  Network environments
    Domain model networks
      CIFS Server acting as the Primary Domain Controller (PDC)
      CIFS Server acting as the member server
      CIFS Server acting as Backup Domain Controller (BDC) to Samba PDC
      CIFS server acting as an Active Directory Service (ADS) member server
    Workgroup model networks
    UNIX user authentication - /etc/passwd, NIS migration
    The CIFS authentication with LDAP integration
  Summary of installing and configuring
  Installing and configuring your directory server
    Installing the directory server
    Configuring your directory server
    Verifying the directory server
  Installing LDAP-UX client services on an HP CIFS server
    Configuring the LDAP-UX client services
    Quick configuration
  Enabling Secure Sockets Layer (SSL)
    Configuring the directory server to enable SSL
    Configuring the LDAP-UX client to use SSL
    Configuring HP CIFS Server to enable SSL
  Extending the Samba subschema into your directory server
    Samba subschema differences between HP CIFS Server versions
    Procedures to extend the Samba subschema into your directory
  Migrating your data to the directory server
    Migrating all your files
      An example
    Migrating individual files
      Environment variables
      General syntax for perl migration scripts
      Migration scripts
      Examples
    Migrating your data from one backend to another
  Configuring the HP CIFS Server
    LDAP configuration parameters
    Configuring LDAP feature support
  Creating Samba users in the directory
    Adding credentials
    Adding a Samba user to the LDAP directory
    Verifying Samba users
      Syntax
      Option
      Example
  Management tools

7 Winbind support
  Overview
    Winbind features
    Winbind process flow
    Winbind supports non-blocking, asynchronous functionality
  When and how to deploy Winbind
    Commonly asked questions
    Considering alternatives
  Configuring HP CIFS Server with Winbind
    Winbind configuration parameters
    Unsupported parameters or options
    A smb.conf example
    Configuring Name Service Switch
  idmap backend support in Winbind
    idmap rid backend support
      Limitations using idmap rid
      Configuring and using idmap rid
    LDAP backend support
      Configuring the LDAP backend
  Starting and stopping winbind
    Starting winbind
    Stopping winbind
    Automatically starting winbind at system startup
  An example for file ownership by winbind users
  wbinfo utility

8 Kerberos support
  Introduction
  Kerberos overview
  Kerberos CIFS authentication example
  HP-UX Kerberos application co-existence
  Components for Kerberos configuration
  Configuring krb5.keytab

9 HP CIFS deployment models
  Introduction
  Samba domain model
    Samba Domain components
      HP CIFS Server acting as a PDC
      HP CIFS Server acting as a BDC
      HP CIFS acting as the member server
    An example of the Samba Domain model
      A sample smb.conf file for a PDC
        Configuration options
      A sample smb.conf file for a BDC
        Configuration options
      A sample smb.conf file for a domain member server
        Configuration options
      A sample /etc/nsswitch.ldap file
  Windows domain model
    Components for Windows domain model
    An example of the ADS domain model
      A sample smb.conf file for an HP CIFS ADS member server
      A sample /etc/krb5.conf file
      A sample /etc/nsswitch.conf file
    An example of Windows NT domain model
      A sample smb.conf file for an HP CIFS member server
  Unified domain model
    Unified domain components
      HP CIFS acting as a Windows 200x ADS member server
    Setting up the unified domain model
      Setting up LDAP-UX client services on an HP CIFS Server
      Installing and configuring LDAP-UX client services on an HP CIFS Server
      Configuring /etc/krb5.conf to authenticate using Kerberos
      Installing SFU 3.5 on a Windows 2003 or 2008 R2 ADS Domain Controller
    An example of the Unified Domain Model
      A sample smb.conf file for an HP CIFS member server
      A sample /etc/krb5.conf file
      A sample /etc/nsswitch.conf file

10 Securing HP CIFS Server
  Security protection methods
  Restricting network access
    Using host restrictions
      An example
    Using interface protection
      Interface protection example
    Using a firewall
    Using an IPC$ share-based denial
  Protecting sensitive information
    Encrypting authentication
    Protecting sensitive configuration files
    Using the %m name replacement macro with caution
  Restricting execute permission on stacks
  Restricting user access
  Automatically receiving HP security bulletins
  Reporting new security vulnerabilities

11 Configuring HA HP CIFS
  Overview of HA HP CIFS Server
  Recommended clients
  Installing highly available HP CIFS Server
    HA HP CIFS Server installation
  Configure a highly available HP CIFS Server
    Introduction
    Instructions
      Edit the package configuration file samba.conf
      Edit the samba.cntl control script
      Edit the samba.mon monitor script
      Create the MC/ServiceGuard binary configuration file
    Special notes for HA HP CIFS Server

12 HP-UX configuration for HP CIFS
  HP CIFS process model
  TDB memory-mapped access for HP CIFS Server
    Fixed size memory map support on HP-UX 11i v2 PA and HP-UX 11i v3 PA systems
      Configuration parameters
    Mostly Private Address Space (MPAS) support on HP-UX 11i v2 IA and HP-UX 11i v3 IA systems
    Unified file cache support on an HP-UX 11i v3 system
    What to do if you encounter memory map error messages
    Constraints
  Overview of Kernel configuration parameters
    Configuring Kernel parameters for HP CIFS
    Swap space requirements
    Memory requirements

13 Tool reference
  HP CIFS management tools
    smbpasswd (Syntax, Examples)
    syncsmbpasswd (Options, Example)
    pdbedit (Syntax, Examples)
    net (Net commands, Syntax for net user, Examples)
    wbinfo (Syntax, Examples)
  LDAP directory management tools
    ldapmodify (Syntax, ldapmodify options, Examples)
    ldapsearch (Syntax, ldapsearch options, Examples)
    ldapdelete (Syntax, ldapdelete options, Examples)

Glossary
Index
About this document

This document describes how to install, configure, and administer the HP CIFS Server product. It is the official documentation supported for the HP CIFS Server product. This document provides HP-UX common variations, features, and recommendations tested and supported by HP. Other documentation, such as The Samba HOWTO Collection and Using Samba, 2nd Edition, supplied with the HP CIFS Server product, is provided as a convenience to the user. This document and all the previous-release related documents are available from the HP CIFS Server documentation web site.

Intended audience

This document is intended for system administrators who want to install, configure, and administer the HP CIFS Server product. For additional information about the HP CIFS Server, see the HP CIFS Server documentation online.

New and changed documentation in this edition

This edition documents the following changes for HP CIFS Server version A:

- HP CIFS Server version A is based on open source Samba.
- HP CIFS Server now supports Windows Server 2008, Windows Server 2008 R2, Windows Vista and Windows 7 operating systems. Support for these operating systems is documented.

NOTE: Starting from version A xx, HP CIFS Server does not provide support for CFSM. HP provides support only for the contents described in the HP CIFS Server Administrator's Guide.

Typographical conventions

Table 1 Documentation conventions

Type of information: Representations of what appears on a display, program/script code, and command names or parameters
  Font: Monotype
  Example: > user logged in.
Type of information: Emphasis in text, actual document titles
  Font: Italics
  Example: Users should verify that the power is turned off before removing the board.
Type of information: Headings and sub-headings
  Font: Bold

Publishing history
Table 2 Publishing history details (operating systems supported; supported product version; publication date)

  HP-UX 11i v2; A; March
  HP-UX 11i v3; A; January
  HP-UX 11i v2 and HP-UX 11i v3; A; April
  HP-UX 11i v2 and HP-UX 11i v3; A; October
  HP-UX 11i v3; A; September
  HP-UX 11i v2 and HP-UX 11i v3; A; May
  HP-UX 11i v2 and HP-UX 11i v3; A; December
  HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3; A; March 2010
  HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3; A; May 2009
  HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3; A; January 2008
  HP-UX 11i v2 and HP-UX 11i v3; A; June 2007
  HP-UX 11i v1, HP-UX 11i v2 and HP-UX 11i v3; A; February 2007
  HP-UX 11i v1, HP-UX 11i v2; A; August 2006
  HP-UX 11i v1, HP-UX 11i v2; A; April 2006
  HP-UX 11i v1, HP-UX 11i v2; A; October 2005
  HP-UX 11i v1, HP-UX 11i v2; A; February 2005
  HP-UX 11i v1, HP-UX 11i v2; A; December 2004
  HP-UX 11i v1, HP-UX 11i v2; A; June 2004
  HP-UX 11i v1, HP-UX 11i v2; A; February 2004
  HP-UX 11i v1, HP-UX 11i v2; A; September 2003
  HP-UX 11i v1; A; March 2002

Document organization

This manual describes how to install, configure, administer and use the HP CIFS Server product. The manual is organized as follows:

Chapter 1, Introduction to the HP CIFS Server: Use this chapter to obtain a summary and an introduction of HP CIFS Server architecture, available documentation resources and the product organization roadmap.

Chapter 2, Installing and Configuring the HP CIFS Server: Use this chapter to learn how to install and configure the HP CIFS Server product.

Chapter 3, Managing HP-UX File Access Permissions from Windows NT/XP: Use this chapter to understand how to use Windows NT and XP clients to view and change UNIX file permissions and POSIX Access Control Lists on an HP CIFS Server.

Chapter 4, NT Style Domains: Use this chapter to learn how to set up and configure the HP CIFS Server as a PDC or BDC. This chapter also describes the process for joining an HP CIFS Server to an NT style domain, Samba domain, or a Windows 2003/2008 R2 ADS domain as a pre-Windows 2000 compatible computer.

Chapter 5, Windows 2003 and Windows 2008 Domains: Use this chapter to understand the process for joining an HP CIFS Server to a Windows 200x Domain using Kerberos security.

Chapter 6, LDAP-UX Integration Support: Use this chapter to learn how to install, configure and verify the HP Netscape Directory, HP LDAP-UX Integration product and HP CIFS Server software with LDAP feature support.

Chapter 7, Winbind Support: Use this chapter to learn how to set up and configure the HP CIFS Server with winbind support.

Chapter 8, Kerberos Support: Use this chapter to understand configuration details that apply when HP CIFS Server co-exists with other HP-UX applications that make use of the Kerberos security protocol.

Chapter 9, HP CIFS Deployment Models: This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference.

Chapter 10, Securing HP CIFS Server: Use this chapter to understand the network security methods that you can use to protect your HP CIFS Server.

Chapter 11, Configuring HA HP CIFS: Use this chapter to understand the procedures required to configure the active-standby or active-active High Availability configuration.

Chapter 12, HP-UX Configuration for HP CIFS: This chapter provides guidance for configuring and optimizing the HP-UX kernel and system for use with HP CIFS.

Chapter 13, Tool Reference: This chapter describes tools for management of the Samba user and group account database.

HP welcomes your comments

HP welcomes your comments and suggestions on this document. We are truly committed to providing documentation that meets your needs. You can send comments to: [email protected]

Please include the following information along with your comments:
- The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual.
- The section numbers and page numbers of the information on which you are commenting.
- The version of HP-UX that you are using.
1 Introduction to the HP CIFS Server

This chapter provides a general introduction to this document, HP CIFS, information about Samba (the Open Source Software suite upon which the HP CIFS Server is based), HP enhancements to the Samba source, and the various documentation resources available for HP CIFS.

HP CIFS Server description and features

Features

The HP CIFS Server product implements many Windows Server features on HP-UX. The Microsoft Common Internet File System (CIFS) protocol, sometimes called Server Message Block (SMB), is a Windows network protocol for remote file and printer access. Because the HP CIFS Server product gives HP-UX access to the CIFS protocol, HP CIFS Server enables HP-UX to interoperate, by means of a Windows native protocol, in network environments exposed to Windows clients and servers.

The HP CIFS Server source is based on Samba, an Open Source Software (OSS) project first developed in 1991 by Andrew Tridgell. Samba has been made available to HP and others under the terms of the GNU General Public License (GPL). The goal of GPL software is to encourage the cooperative development of new software; see the GNU web site for the license text. The Samba team continues to update the Samba source; see the Samba web site to learn about the team.

HP CIFS Server merges the HP-UX and Windows environments by integrating HP-UX and Windows features as follows:

- Authentication mechanisms and secure communication methods, including: Netscape Directory Server/Red Hat Directory Service (NDS/RHDS) via LDAP; Windows Active Directory Services (ADS); Kerberos, NTLMv2, and SMB signing support; and HP CIFS internal mechanisms that facilitate HP-UX and Windows compatibility, such as username mapping, winbind, and idmap_rid.
- File system access support
- Network printer access support
- Domain features and Network Neighborhood browsing

The HP CIFS Server A release supports the following new features:

- Full support for SMB2. SMB2 within Samba is implemented with a new asynchronous server architecture, allowing Samba to deliver the performance enhancements that SMB2 brings to Microsoft networking technology.
- Improved printing support. The print subsystem has been rewritten to use automatically generated RPCs and provides greater compatibility with the Windows SPOOLSS print subsystem architecture, including export of printer data via registry interfaces.
- Simplified identity mapping. For this release, ID mapping has been rewritten again with the goal of making the configuration simpler and more coherent while keeping the needed flexibility, and even adding to the flexibility in some respects.
- Caching of user credentials by winbind. Winbind allows users to log on using cached credentials.

Integrated authentication mechanisms mean that administrators can centrally manage both UNIX and Windows users, groups, and user attributes on their choice of Windows ADS, NT, NDS/RHDS, or HP CIFS Server's tdbsam or smbpasswd account databases. CIFS clients can have their users authenticated through a single Windows interface, enabling HP-UX and Windows server resource access by means of secure communication channels.

Integrated file system access means that users can use Windows clients and interfaces, including Windows GUIs and applications such as Microsoft Office, to read, write, copy, or execute files on HP-UX and Windows clients and servers. Users and administrators can use Windows to set access control rights on files stored on HP-UX.

Integrated printer access means that users can publish and find network printers, download drivers from HP-UX systems, and print to printers with Windows interfaces.

Integrated domain features and Network Neighborhood mean that HP-UX servers and their file systems can participate in a Windows NT or Windows 2003/2008 R2 ADS domain and can be found through Windows interfaces alongside Windows resources. HP CIFS Servers can also present their own domain.

Samba open source software and HP CIFS Server

Flexibility

Since the HP CIFS Server source is based on Samba open source software, it gains the advantages of the evolutionary growth and improvement efforts of Samba developers around the world. In addition, HP CIFS Server also provides the following support:

- Includes Samba defect fixes and features only when they meet expectations for enterprise reliability.
- Provides HP developed defect fixes and enhancement requests for HP customers.
- Source is compiled and tuned specifically for the HP-UX platform and integrated with the latest HP-UX environments.
- Adds customized scripts and Serviceguard templates for HP-UX environments.
- Provides documentation specifically for HP-UX users.

In order to accommodate a great variety of environments, HP CIFS Server provides many features with hundreds of configuration options. Various management tools are available to establish and control CIFS attributes. Chapter 13, Tool Reference, explains the management tools. Chapter 2, Installing and Configuring the HP CIFS Server, discusses the installation and configuration process. You must first understand the deployment environment and choose the appropriate features for your server. The concept of Samba Domain, Windows Domain, and Unified Domain models was developed to assist in deploying HP CIFS Server based on the particulars of various popular network environments. Hence, Chapter 9, HP CIFS Deployment Models, describes each model and the relevant configuration parameters required to establish servers in each deployment model. Windows domain concepts are applied within the deployment models. HP CIFS Servers can participate in either older NT style or newer Windows 2003/Windows 2008 style domains. Chapter 4, NT Style Domains, describes how an HP CIFS Server can participate in an NT style domain. Chapter 5, Windows 2003 and Windows 2008 Domains, describes how an HP CIFS Server joins a Windows 2003 or a Windows 2008 domain as an ADS domain member server.

HP CIFS Server manages a given configuration using a configuration file, /etc/opt/samba/smb.conf (by default), which contains configuration parameters set appropriately for the specific installation. HP CIFS Server must also maintain internal data (including Trivial Data Base (TDB) files) and log files in the /var/opt/samba directory (by default). See Table 4, Files and directory description, for the full HP CIFS Server product layout.

HP CIFS Server documentation: Printed and Online

The set of documentation that comprises the information you need to explore the full features and capabilities of the HP CIFS product consists of non-HP books available at most technical bookstores, and this printed and online manual, the HP CIFS Server Administrator's Guide, available on the HP documentation web site. A list of currently recommended non-HP Samba documentation is:

- The Official Samba-3 HOWTO and Reference Guide, John H. Terpstra and Jelmer R. Vernooij, Editors
- Samba-3 By Example: Practical Exercises to Successful Deployment, John H. Terpstra
- Using Samba, 2nd Edition, Robert Eckstein, David Collier-Brown, Peter Kelly and Jay Ts (O'Reilly, 2000)
- Samba: Integrating UNIX and Windows, John D. Blair (Specialized Systems Consultants, Inc., 1998)
- The Samba web site

When using the HP CIFS product, HP recommends that you refer to The Samba HOWTO Collection and Samba-3 by Example, shipped with the product in the /opt/samba/docs directory. The book Using Samba, 2nd Edition, can also be found in /opt/samba/swat/using_samba. All three books are also available through the Samba Web Administration Tool (SWAT).

IMPORTANT: The book Using Samba, 2nd Edition, describes a previous version of Samba (V.2.0.4). However, much of the information in Using Samba, 2nd Edition, is applicable to this version of the CIFS Server.
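The smb.conf file described above is where the authentication features listed earlier in this chapter (NTLMv2, SMB signing, Kerberos) are actually switched on or left off. The following shell script is an added example, not code from this guide or from the Samba project: it reads the [global] section of an smb.conf the way Samba does (parameter names are case- and whitespace-insensitive, last assignment wins) and reports settings that leave the server accepting LM or NTLMv1 responses, cleartext passwords, or unsigned sessions. The two sample configurations are constructed for the demonstration. The parameter names are standard smb.conf(5) names and the defaults assumed are those of Samba 3.x; confirm both against the smb.conf(5) man page shipped under /opt/samba/man, and run Samba's testparm after editing the real file.

```shell
#!/bin/sh
# Added example, not part of the HP CIFS Server guide or of Samba.
# Audits the [global] section of an smb.conf for authentication and
# signing settings. Parameter names are standard smb.conf(5) names;
# defaults assumed are Samba 3.x defaults (see audit_auth below).

# global_param FILE NAME: print the effective value of NAME in [global],
# lower-cased, or nothing if it is not set. Samba ignores case and
# whitespace in parameter names and takes the last assignment.
global_param() {
  awk -v want="$2" '
    BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
    /^[ \t]*[;#]/ { next }                       # comment line
    /^[ \t]*\[/ {                                 # section header
      s = tolower($0); gsub(/[ \t]/, "", s)
      insec = (s == "[global]"); next
    }
    insec {
      p = index($0, "="); if (p == 0) next
      k = tolower(substr($0, 1, p - 1)); gsub(/[ \t]/, "", k)
      v = tolower(substr($0, p + 1));    gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == want) val = v
    }
    END { if (val != "") print val }
  ' "$1"
}

# is_yes VALUE: the Samba boolean spellings that mean "enabled".
is_yes() { case "$1" in yes|true|1) return 0 ;; *) return 1 ;; esac; }

# audit_auth FILE: print one line per weak setting. Defaults assumed when a
# parameter is unset: lanman auth=no, ntlm auth=yes, client ntlmv2 auth=no,
# encrypt passwords=yes, server signing=auto (Samba 3.x).
audit_auth() {
  f=$1
  v=$(global_param "$f" "lanman auth")
  is_yes "${v:-no}"   && echo "lanman auth = $v: LM responses accepted (set it to no)"
  v=$(global_param "$f" "ntlm auth")
  is_yes "${v:-yes}"  && echo "ntlm auth = ${v:-yes}: NTLMv1 accepted (set it to no so only NTLMv2 is allowed)"
  v=$(global_param "$f" "client ntlmv2 auth")
  is_yes "${v:-no}"   || echo "client ntlmv2 auth = ${v:-no}: outbound authentication may use NTLMv1 (set it to yes)"
  v=$(global_param "$f" "encrypt passwords")
  is_yes "${v:-yes}"  || echo "encrypt passwords = $v: cleartext password authentication (set it to yes)"
  v=$(global_param "$f" "server signing")
  [ "${v:-auto}" = "mandatory" ] || echo "server signing = ${v:-auto}: clients may connect unsigned (set it to mandatory)"
  return 0
}

# count_auth_findings FILE: number of weak settings as a plain integer.
count_auth_findings() { audit_auth "$1" | grep -c . || true; }

# Constructed sample configurations (not the shipped smb.conf.default).
weak_conf() {
  cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.LOCAL
   Server Signing = auto
   ntlm auth = yes
[homes]
   read only = no
EOF
}
hardened_conf() {
  cat <<'EOF'
[global]
   workgroup = EXAMPLE
   security = ads
   realm = EXAMPLE.LOCAL
   lanman auth = no
   ntlm auth = no
   client ntlmv2 auth = yes
   encrypt passwords = yes
   server signing = mandatory
[homes]
   read only = no
EOF
}

# Stand-alone run: report on both samples.
tmp=$(mktemp -d)
weak_conf > "$tmp/weak.conf"; hardened_conf > "$tmp/hard.conf"
for c in weak hard; do
  echo "== $c.conf: $(count_auth_findings "$tmp/$c.conf") finding(s)"
  audit_auth "$tmp/$c.conf"
done
rm -rf "$tmp"
```

On a real server call audit_auth with /etc/opt/samba/smb.conf; the script only reads the file. Note that the checks look at [global] only, and that a parameter given in a different spelling (for example "serversigning") is still matched, because the lookup normalises names the same way Samba does.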
Readers should always use the HP-provided Samba man pages or the SWAT help facility for the most definitive information on the HP CIFS server. NOTE: Please note that non-hp Samba documentation sometimes includes descriptions of features and functionality planned for future releases of Samba, or that are only offered on certain operating system platforms. The authors of these books do not always provide information indicating which features are in existing releases and which features will be available in future Samba releases, or are specific to a particular operating system. HP CIFS documentation roadmap Use the following road map to locate the Samba and HP CIFS documentation that provides details of the features and operations of the HP CIFS Server. Table 3 Documentation roadmap HP CIFS Product Server Description Document Title: Chapter: Section HP CIFS Server Administrator's Guide: Chapter 1, Introduction to the HP CIFS Server Samba Meta FAQ No. 2, General Information about Samba Samba FAQ No. 1, General Information HP CIFS Server documentation: Printed and Online 15
16 Table 3 Documentation roadmap (continued) HP CIFS Product Document Title: Chapter: Section Samba Server FAQ: No. 1, What is Samba Using Samba: Chapter 1, Learning the Samba Samba Man Page: samba(7) HP CIFS Client Administrator's Guide: Chapter 1, Introduction to the HP CIFS Client Client Description HP Add-on Features Server Installation Client Installation Samba GUI Administration Tools Server Configuration Client Configuration Server deployment models Configuration: PAM Server: Starting & Stopping Client: Starting & Stopping Server: Samba Scripts SMB & CIFS File Protocols SMB & CIFS Network Design Samba Man Pages Server Utilities Client Utilities Server Printing HP CIFS Client Administrator's Guide: Chapter 1, Introduction to the HP CIFS Client HP CIFS Server Administrator's Guide: Chapter 1 Introduction to the HP CIFS Server, Section: HP CIFS Enhancements to the Samba Server Source, and Chapter 3, Access Control Lists (ACLs) HP CIFS Client Administrator's Guide: Chapter 1, Introduction to the HP CIFS Client, Sections: HP CIFS Extensions and ACL Mappings HP CIFS Server Administrator's Guide: Chapter 2. Installing and Configuring the HP CIFS Server Samba FAQ: No 2, Compiling and Installing Samba on a UNIX Host HP CIFS Client Administrator's Guide: Chapter 2. Installing and Configuring the HP CIFS Client Samba HOWTO and Reference Guide: Chapter 30, SWAT - The Samba Web Administration Tool or Using Samba: Chapter 2, Installing Samba on a Unix System HP CIFS Server Administrator's Guide: Chapter 2, Installing and Configuring the HP CIFS Server HP CIFS Client Administrator's Guide: Chapter 2, Installing and Configuring the HP CIFS Client HP CIFS Server supports three deployment models: Samba Domain Model, Windows Domain Model and Unified Domain Model. 
See HP CIFS Server Administrator's Guide: Chapter 9, HP CIFS Deployment Models HP CIFS Client Administrator's Guide: Chapter 8, PAM NTLM HP-UX Man page: pam(3) HP-UX Man page: pam.conf HP CIFS Server Administrator's Guide: Chapter 2 HP CIFS Client Administrator's Guide: Chapter 2. Using Samba: Appendix D, Summary of Samba Daemons and Commands for detailed information about the command-line parameters for Samba programs such as smbd, nmbd,smbstatus and smbclient. HP CIFS Client Administrator's Guide: Chapter 9, HP CIFS Deployment Domain Models Using Samba: Chapter 1, Learning the Samba Samba Meta FAQ No. 4: Designing an SMB and CIFS Network Refer to man pages in SWAT Samba HOW TO and Reference Guide HP CIFS Client Administrator's Guide: Chapter 5, Command-line Utilities Samba HOWTO and Reference Guide: Chapter17, Classic Printing Support 16 Introduction to the HP CIFS Server
Table 3 Documentation roadmap (continued)

  HP CIFS Product          Document Title: Chapter: Section

  Server Browsing          Refer to Chapter 9, Network Browsing, in the Samba HOWTO and Reference Guide for a description of browsing functionality and all browsing options.
  Server Security          HP CIFS Client Administrator's Guide: Chapter 11, Securing CIFS Server.
  Server Troubleshooting   Part V, Troubleshooting, Samba HOWTO and Reference Guide
                           Using Samba, Chapter 9, Troubleshooting Samba
                           Samba FAQs No. 4, Specific Client Application Problems, and No. 5, Miscellaneous
                           DIAGNOSIS.txt in the /opt/samba/docs directory
                           Samba man pages: debug2html(1), smbd(8), nmbd(8), smb.conf(5)
  Client Troubleshooting   HP CIFS Client Administrator's Guide: Chapter 6, Troubleshooting and Error Messages
  NIS and HP CIFS          HP CIFS now works with NIS and NIS+. For detailed information on special options, refer to the Samba HOWTO and Reference Guide.

HP CIFS Server file and directory roadmap

The default base installation directory of the HP CIFS Server product is /opt/samba. The HP CIFS configuration files are located in the directory /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba. Table 1-2 briefly describes the important directories and files that comprise the CIFS Server.

Table 4 Files and directory description

  /opt/samba
      This is the base directory for most of the HP CIFS Server product files.
  /opt/samba_src
      This is the directory that contains the source code for the HP CIFS Server (if the source bundle was installed).
  /opt/samba/bin
      This is the directory that contains the binaries for the HP CIFS Server, including the daemons and utilities.
  /opt/samba/man
      This directory contains the man pages for the HP CIFS Server.
  /opt/samba/script
      This directory contains various scripts which are utilities for the HP CIFS Server.
  /opt/samba/swat
      This directory contains the HTML and image files which the Samba Web Administration Tool (SWAT) needs.
  /opt/samba/ha
      This directory contains example High Availability scripts, configuration files, and README files.
  /var/opt/samba
      This directory contains the HP CIFS Server log files as well as other dynamic files that the HP CIFS Server uses, such as lock files.
  /etc/opt/samba
      This directory contains the configuration files which the HP CIFS Server uses, primarily the smb.conf file.
  /etc/opt/samba/smb.conf
      This is the main configuration file for the HP CIFS Server, which is discussed in great detail elsewhere.
  /etc/opt/samba/smb.conf.default
      This is the default smb.conf file that ships with the HP CIFS Server. It can be modified to fit your needs.
  /opt/samba/ldap3
      This directory contains files which the HP CIFS Server uses for LDAP integration support.
Table 4 Files and directory description (continued)

  /opt/samba/COPYING, /opt/samba_src/COPYING, /opt/samba_src/samba/COPYING
      These are copies of the GNU Public License, which applies to the HP CIFS Server.
  /sbin/init.d/samba
      This is the script that starts the HP CIFS Server at boot time and stops it at shutdown (if it is configured to do so).
  /etc/rc.config.d/samba
      This text file configures whether the HP CIFS Server starts automatically at boot time or not.
  /sbin/rc2.d/S900samba, /sbin/rc1.d/K100samba
      These are links to /sbin/init.d/samba, which are actually executed at boot time and shutdown time to start and stop the HP CIFS Server (if it is configured to do so).
2 Installing and configuring the HP CIFS Server

This chapter describes the procedures to install and configure the HP CIFS Server software. It contains the following sections:

  - HP CIFS Server Requirements and Limitations
  - Step 1: Installing HP CIFS Server Software
  - Step 2: Running the Configuration Script
  - Step 3: Modify the Configuration
  - Step 4: Starting the HP CIFS Server

HP CIFS Server requirements and limitations

Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations.

HP CIFS Server installation requirements

The HP CIFS Server requires approximately 210 MB of disk space for installation on an HP-UX 11i v2 system and 215 MB of disk space for installation on an HP-UX 11i v3 system. The HP CIFS Server source code files require approximately 36 MB of disk space.

NOTE: The CIFS Server source code files are not required for execution of the HP CIFS Server. You can choose not to install them, or you can remove them after installation from the following location: /opt/samba_src

HP CIFS Server memory requirements

An smbd process is usually created for each new connection. Each smbd requires about 4 MB of system memory on HP-UX 11i v2 and HP-UX 11i v3. The smbd process may also allocate memory for specialized caching requirements as needed. The size and timing of these memory allocations vary widely depending on the client type and the resources being accessed; however, most client access patterns do not trigger such specialized caching. System administrators should routinely monitor memory utilization in order to evaluate this dynamic memory behavior. You may need to adjust HP-UX server memory configurations to accommodate these changes when upgrading from previous versions. For details, see Chapter 12, HP-UX Configuration for HP CIFS, in this manual.
Software requirements

The following describes the software requirements:

  - HP CIFS Server A or later requires the LDAP-UX Integration product, J4269AA, to be installed.
  - Kerberos v5 Client E or later is required to support HP CIFS Server integration with a Windows 2003 or Windows 2008 ADS Domain Controller (DC) on HP-UX 11i v3.
  - Kerberos v5 Client D or later is required to support HP CIFS Server integration with a Windows 2003 or Windows 2008 ADS Domain Controller (DC) on HP-UX 11i v2.

Swap space requirements

Due to the one-process-per-client model of HP CIFS, perhaps the most stringent requirement imposed on the system is that of swap space. HP-UX reserves a certain amount of swap space for each process that is launched, to prevent it from being aborted in case it needs to swap out some pages during times of memory pressure. Other operating systems only reserve swap space when it is needed; this can result in a process not finding the swap space that it needs, in which case it has to be terminated by the OS. Each smbd process reserves about 2 MB of swap space and, depending on the type of client activity, the process size may grow to up to 4 MB of swap space. For a maximum of 2048 clients, 4 * 2048 or about 8 GB of swap space would be required. Therefore, HP recommends configuring enough swap space to accommodate the maximum number of simultaneous clients connected to the HP CIFS Server.

Memory requirements

Each smbd process requires approximately 4 MB of memory on HP-UX 11i v2 and HP-UX 11i v3. For 2048 clients, therefore, the system must have at least 8 GB of physical memory. This is over and above the requirements of other applications that will be running concurrently with HP CIFS.

Step 1: Installing HP CIFS Server software

If the HP CIFS Server software has been pre-installed on your system, you may skip Step 1 and go directly to Step 2: Running the Configuration Script.

HP CIFS Server Upgrades: If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment. The SD install procedure may alter or replace your current configuration files. All files under /var/opt/samba, /etc/opt/samba, and /opt/samba must be saved in order to ensure that you will be able to return to your current configuration, if necessary. For example:

    $ stopsmb

or, if winbind is in use:

    $ stopsmb -w

then:

    $ mkdir /tmp/cifs_save
    $ tar -cvf /tmp/cifs_save/var_backup.tar /var/opt/samba
    $ tar -cvf /tmp/cifs_save/etc_backup.tar /etc/opt/samba
    $ tar -cvf /tmp/cifs_save/optsamba_backup.tar /opt/samba

Do not use the -o option with the tar command. This ensures proper file ownership.
If a problem with the upgrade does occur, use SD to remove the entire HP CIFS Server product and restore your previous backup version. Once this is done, you may restore the saved configuration files to the HP CIFS Server. For example:

    $ tar -xvf /tmp/cifs_save/var_backup.tar
    $ tar -xvf /tmp/cifs_save/etc_backup.tar
    $ tar -xvf /tmp/cifs_save/optsamba_backup.tar

This procedure is not intended to replace a comprehensive backup strategy that includes user data files.

If you are in security = domain or security = ads mode, it will probably be necessary to re-join the HP CIFS Server to the domain once you restore your previous backup version. See Windows style domains (page 57) and Windows 2003 and Windows 2008 domains (page 71) for details on how to re-join an HP CIFS Server to a Windows domain.

Overview: Installation of the HP CIFS Server software includes loading the HP CIFS Server filesets using the swinstall(1m) utility, completing the HP CIFS configuration procedures, and starting Samba using the startsmb script.
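The pre-upgrade backup and the restore sequence above, scripted as an added example (this is not code from the HP CIFS Server guide). The three directories are archived with tar without -o, so the ownership recorded in the archives is kept, and put back after the SD remove and reinstall. The ROOT prefix argument is an assumption added here so the functions can be exercised against a constructed directory tree; on a real server it would be "/" and the daemons would be stopped with stopsmb (or stopsmb -w) before the backup runs.

```shell
#!/bin/sh
# Added example, not part of the HP CIFS Server guide.
# ROOT is a prefix in front of the three product directories so the functions
# can run against a constructed tree; on a real server ROOT would be "/".

CIFS_DIRS="var/opt/samba etc/opt/samba opt/samba"

# cifs_backup ROOT SAVEDIR : archive the three directories into SAVEDIR.
# No -o is passed to tar, so file ownership is preserved in the archives.
# Prints the number of archives written; returns 1 if a directory is missing.
cifs_backup() {
    root=$1; save=$2
    mkdir -p "$save"
    # On a real server stop the daemons first:
    #   /opt/samba/bin/stopsmb        (or stopsmb -w when winbind is in use)
    for d in $CIFS_DIRS; do
        [ -d "$root/$d" ] || { printf 'missing directory: %s/%s\n' "$root" "$d" >&2; return 1; }
        # var/opt/samba -> var_opt_samba.tar, archived relative to ROOT
        tar -cf "$save/$(printf '%s' "$d" | tr / _).tar" -C "$root" "$d"
    done
    ls "$save"/*.tar | wc -l | tr -d ' '
}

# cifs_restore ROOT SAVEDIR : after the product has been removed and
# reinstalled with SD, unpack every archive back under ROOT.
cifs_restore() {
    root=$1; save=$2
    for a in "$save"/*.tar; do
        tar -xf "$a" -C "$root"
    done
}

# Constructed demo tree standing in for the real /etc/opt/samba etc.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/root/var/opt/samba/private" "$DEMO/root/etc/opt/samba" "$DEMO/root/opt/samba/bin"
printf '[global]\n   workgroup = EXAMPLE\n' > "$DEMO/root/etc/opt/samba/smb.conf"
: > "$DEMO/root/var/opt/samba/private/secrets.tdb"

n=$(cifs_backup "$DEMO/root" "$DEMO/save")
printf '%s archives written to %s\n' "$n" "$DEMO/save"
# Simulate the configuration being replaced by the install, then restore it.
rm -rf "$DEMO/root/etc/opt/samba"
cifs_restore "$DEMO/root" "$DEMO/save"
grep -q EXAMPLE "$DEMO/root/etc/opt/samba/smb.conf" && echo "smb.conf restored" || echo "restore failed"
```

The archives are created relative to ROOT rather than with the absolute paths the guide shows, which is what makes the restore step relocatable; with ROOT set to "/" the result is the same tree the guide's commands produce.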
An example

Installing From a Software Depot File: To install the HP CIFS Server software from a depot file, such as those available for download, enter the following at the command line:

    swinstall options -s /path/filename ProductNumber

Where:
  ProductNumber is CIFS-SERVER for HP-UX 11i v2 or HP-UX 11i v3.
  options is -x autoreboot=true
  path must be an absolute path; it must start with /, for example, /tmp.
  filename is the name of the downloaded depot file, usually a long name of the form: CIFS-SERVER_A _HP-UX_B.11.31_IA_PA.depot

For example, to install HP CIFS Server A on an HP-UX 11i v3 system from a downloaded depot file, enter the following command:

    swinstall -x autoreboot=true \
        -s /tmp/CIFS-SERVER_A _HP-UX_B.11.31_IA_PA.depot CIFS-SERVER

Step 2: Running the configuration script

The samba_setup configuration script is intended for new installations only. Prior to running the samba_setup configuration script, you must obtain some basic configuration information and might need to install additional software based on the HP CIFS deployment domain model you use. You need to supply the following before you run the samba_setup script:

  - Decide whether the HP CIFS Server is to be a WINS server or not.
  - Obtain the WINS IP address if the HP CIFS Server accesses an existing WINS server.
  - Provide the following global LDAP parameter information if you choose to use an LDAP backend:
      the fully qualified distinguished name for the LDAP directory server
      ldap SSL
      ldap suffix
      ldap user suffix
      ldap group suffix
      ldap admin dn
    For detailed information on how to configure LDAP parameters, see LDAP integration support (page 81).
  - Obtain the name of your HP CIFS Server.
  - Provide the following information if you choose to use a Windows NT4 domain:
      the name of your domain
      the name of your Primary Domain Controller (PDC)
      the names of Backup Domain Controllers (BDCs)
      administrator user name and password
    See Windows style domains (page 57) for detailed information.
  - Provide the following information if you choose to use a Windows Active Directory Server (ADS) realm:
      the name of your realm
      the name of your Domain Controller
      administrator user name and password
      ensure that the LDAP-UX Integration product is installed
      ensure that the most recent Kerberos client product is installed
    For detailed information on how to join an HP CIFS Server to a Windows 2000/2003 Domain using Kerberos security, see Windows 2003 and Windows 2008 domains (page 71).
  - Select one of the following authentication security types if you intend to use the workgroup environment:
      Server-level security: When this security type is specified, password authentication is handled by another SMB password server. When a client attempts to access a specific share, Samba checks that the user is authorized to access the share. Samba then validates the password via the SMB password server.
      NOTE: HP does not recommend that you use the server-level security type; this security type will be unavailable in the future.
      User-level security: When this security type is specified, each share is assigned specific users. When a request is made for access, Samba checks the user's user name and password against a local list of authorized users and only gives access if a match is made.
      Share-level security: When this security type is specified, each share (directory) has at least one password associated with it. Anyone with a password will be able to access the share. There are no other access restrictions.

Run the Samba configuration script using the command below:

    /opt/samba/bin/samba_setup

The script will modify the smb.conf file according to the information that you have entered.
Step 3: Modify the configuration

Configuration modification

HP CIFS Server requires configuration modifications for the following functionality:

  - Case Sensitivity for the Client and Server for UNIX Extensions
  - DOS Attribute Mapping
  - Print Services for version A
  - Distributed File System (DFS) Support
  - Configure MC/ServiceGuard High Availability (HA)

Configure case sensitivity

By default, the HP CIFS Server is configured to be case insensitive, like Windows.

NOTE: HP recommends that when using CIFS Extensions for UNIX, both the CIFS Client and Server be configured to be case sensitive.
For the CIFS Server, edit the server configuration file /etc/opt/samba/smb.conf as follows:

    case sensitive = yes

For the CIFS Client configuration, in the /etc/opt/cifsclient/cifsclient.cfg file, ensure the following default is set:

    casesensitive = yes

map system, map hidden and map archive attributes

There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to the owner, group, and other execute bits in the UNIX file system. When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general. By default, map system and map hidden are off, and map archive is on. To turn map archive off, modify /etc/opt/samba/smb.conf as follows:

    map archive = no

map readonly attribute

The smb.conf parameter map readonly controls how the DOS read only attribute should be mapped from a UNIX file system. The three valid settings for this parameter are:

  yes          The read only DOS attribute is mapped to the inverse of the user (owner) write bit in the UNIX permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file.
  permissions  The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by reading the UNIX permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file.
  no           The read only DOS attribute is unaffected by permissions.

By default, the map readonly attribute is set to yes. Samba uses the user (owner) access permission to determine whether a file is read only. The file access permission is determined by the POSIX write access permission for the user (owner). If the write permission on a file is not set for the user (owner), then Samba treats that file as read-only. Once Samba identifies a file as read-only, any attempt to write to that file immediately results in an access denied error. Group members are therefore unable to write to a file that has UNIX write access disabled for the user (such as 070 or 060). If you set this parameter to permissions, the file access permissions for group members are evaluated by validating the UNIX group permissions. Group members can then write to files with UNIX write permission enabled for the group (such as 060 or 070).

The smb.conf parameter store dos attributes must be set to No (the default); otherwise, the map readonly parameter setting is ignored.
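The three map readonly settings and the store dos attributes caveat, worked through as an added example that is not part of the HP CIFS Server guide. The function models what the server reports from the UNIX mode bits alone; the POSIX ACL evaluation that the permissions setting also performs on a real server is not modelled (an assumption of this example), and the function name dos_readonly is this example's own.

```shell
#!/bin/sh
# Added example, not from the HP CIFS Server guide: model how smbd reports the
# DOS read-only attribute under each "map readonly" setting described above.
# Only the UNIX mode bits are considered; ACL evaluation is out of scope here.
#
# dos_readonly MODE SETTING ROLE [STORE_DOS_ATTRIBUTES]
#   MODE     octal UNIX mode of the file, e.g. 070 or 644
#   SETTING  value of "map readonly": yes | permissions | no
#   ROLE     relation of the connecting user to the file: owner | group | other
#   STORE_DOS_ATTRIBUTES  value of "store dos attributes" (default: no)
# Prints "readonly" or "writable".
dos_readonly() {
    mode=$1; setting=$2; role=$3; store=${4:-no}

    # The guide's caveat: map readonly is ignored unless store dos attributes
    # is no, so the server falls back to the default behaviour ("yes").
    if [ "$store" = yes ]; then
        setting=yes
    fi

    # Convert the octal string to an integer without shell extensions.
    m=0
    for d in $(printf '%s\n' "$mode" | sed 's/./& /g'); do
        m=$(( m * 8 + d ))
    done
    owner_w=$(( (m / 64) & 2 ))     # 0200 bit
    group_w=$(( (m / 8) & 2 ))      # 0020 bit
    other_w=$(( m & 2 ))            # 0002 bit

    case $setting in
        yes)
            # Inverse of the owner write bit, whoever is connecting.
            w=$owner_w ;;
        permissions)
            # Effective write permission of the connecting user.
            case $role in
                owner) w=$owner_w ;;
                group) w=$group_w ;;
                *)     w=$other_w ;;
            esac ;;
        no)
            # Permissions never cause the attribute to be reported.
            w=2 ;;
        *)
            printf 'unknown map readonly value: %s\n' "$setting" >&2; return 2 ;;
    esac
    if [ "$w" -eq 0 ]; then echo readonly; else echo writable; fi
}

# The guide's scenario: mode 070 (group may write, the owner's write bit is
# clear) accessed by a member of the file's group.
for s in yes permissions no; do
    printf 'mode 070, group member, map readonly = %-11s -> %s\n' \
        "$s" "$(dos_readonly 070 "$s" group)"
done
```

With map readonly = yes the group member is told the file is read-only even though the group write bit is set, which is the behaviour the text describes; with permissions the same file is writable, and with store dos attributes = yes the permissions setting has no effect.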
Configure for SMB2 Features

Table 5 List of SMB2 parameters

  max protocol = SMB2
      Description: This parameter enables the SMB2 protocol. The SMB2 feature can be tested only with a Windows 7 or Windows Vista client.

  smb2 max read
      Description: This option specifies the protocol value that smbd(8) will return to a client, informing the client of the largest size that may be returned by a single SMB2 read call.
      NOTE: Currently this parameter is hardcoded and cannot be configured.
      Default: smb2 max read =

  smb2 max write
      Description: This option specifies the protocol value that smbd(8) will return to a client, informing the client of the largest size that may be sent to the server by a single SMB2 write call.
      NOTE: Currently this parameter is hardcoded and cannot be configured.
      Default: smb2 max write =

  smb2 max trans
      Description: This option specifies the protocol value that smbd(8) will return to a client, informing the client of the largest size of buffer that may be used in querying file meta-data via QUERY_INFO and related SMB2 calls.
      Default: smb2 max trans =

  smb2 max credits
      Description: This option controls the maximum number of outstanding simultaneous SMB2 operations that Samba tells the client it will allow. You should never need to set this parameter.
      Default: smb2 max credits = 8192

  async smb echo handler
      Description: This parameter specifies whether Samba should fork the async smb echo handler. It can be beneficial if your file system can block syscalls for a very long time. In some circumstances, it prolongs the timeout that Windows uses to determine whether a connection is dead.
      Default: async smb echo handler = no

Configuring print services for HP CIFS version A

This section provides information about configuring Print Services on systems running HP CIFS version A. The HP CIFS Server now provides the following NT printing functionality:

  - Support for Windows Access Control Lists (ACL) on printer objects

Information about setting up and configuring each of the Print Services (except ACLs) is shown in the following sections.
Information about configuring ACL support is discussed in a previous section.

Configuring a [printers] share

The following is a minimal printing setup. Use either one of the following two procedures to create a [printers] share:

  1. SWAT (Samba Web Administration Tool)
  -or-
  2. Create a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:

         [hpdeskjet]
             path = /tmp
             printable = yes

     Where "hpdeskjet" is the name of the printer to be added.

Creating a [printers] share

Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:

    [printers]
        path = /tmp
        printable = yes
        browseable = no

This share is required if you want the printers list to display a printer which is not defined in the smb.conf file but exists on the HP CIFS Server. If this share is not defined, the printers list will display only those printer shares which are defined in the smb.conf file.

Setup Server for automatically uploading printer driver files

In order to add a new driver to your Samba host using version A of the software, one of two conditions must hold true:

  1. The account used to connect to the Samba host must have a uid of 0 (i.e. a root account), or
  2. The account used to connect to the Samba host must be a member of the printer admin list. This will require a [global] smb.conf parameter as follows:

         printer admin = netadmin

The connected account must still possess access to add files to the subdirectories beneath [print$]. Keep in mind that all files are set to 'read only' by default, and that the printer admin parameter must also contain the names of all users or groups that are going to be allowed to upload drivers to the server, not just 'netadmin'.

The following is an example of the other parameters required:

  1. Create a [print$] share in the smb.conf file that points to an empty directory named /etc/opt/samba/printers on the HP CIFS Server. Refer to the following example:

         [print$]
             path = /etc/opt/samba/printers
             browseable = yes
             guest ok = yes
             read only = yes
             write list = netadmin

     In this example, the parameter write list specifies that administrative level user accounts will have write access for updating files on the share.

  2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported. Refer to the following example:

         cd /etc/opt/samba/printers
         mkdir W32X86
         mkdir Win40

     There are two possible locations (subdirectories) for keeping driver files, depending upon what version of Windows the files are for:

       - For Windows NT, XP, Windows 2000, Vista, or Windows 7 driver files, the files will be stored in the /etc/opt/samba/printers/W32X86 subdirectory.
       - For Windows 9x driver files, the files will be stored in the /etc/opt/samba/printers/Win40/0 subdirectory.

Setup Client for automatically uploading of printer drivers

Printer driver files can be automatically uploaded from disk to the printers on an HP CIFS Server. Here are the steps:

  1. Connect to the CIFS Server by running the \\[server name] command or browse to the CIFS Server through Network Neighborhood. Make sure you are connected as a member of the printer admin list.
  2. From the CIFS Server, double click on the Printers or Printers and Faxes folder. A list of printers available from your CIFS Server will be shown in the folder. Viewing the printer properties will result in the error message: "The printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the driver now?"
  3. Click No in the error dialog and the printer properties window will be displayed.
  4. Click on the Advanced tab, then the New Driver... button.
  5. Select the printer driver, e.g. hp LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk and stored in the subdirectories under the [print$] share.

Publishing printers in an MS Windows 2003/2008 R2 ADS domain

Publishing printers makes HP CIFS Server printers searchable in a Microsoft Windows 2003/2008 R2 ADS domain. If a Windows client is a domain member of the ADS domain, that client can search for the printer and install it.
Setting up HP CIFS Server for publishing printers support

Use the following procedure to set up an HP CIFS Server for publishing printers support:

  1. Create the printer shares for each printer and a [printers] share in the smb.conf file. The following is an example of a [printers] share:

         [printers]
             path = /tmp
             printable = yes
             browseable = yes

     See the following example for setting up a specific printer share, where lj1005 is the name of the printer:

         [lj1005]
             path = /tmp
             printable = yes

  2. Create a [print$] share in the smb.conf file and set the path parameter to a directory named /etc/opt/samba/printers. See the following example:

         [print$]
             path = /etc/opt/samba/printers
             use client driver = no
             browseable = yes
             guest ok = yes
             read only = yes
             write list = netadmin

     In the above example, the write list parameter specifies that the administrative level user account has write access for updating files on this share. The use client driver parameter must be set to no.

  3. Configure the printer admin parameter to specify a list of domain users that are allowed to connect to an HP CIFS Server. See the following example:

         [global]
             printer admin = cifsuser1,cifsuser2

  4. If the HP CIFS Server is not yet a member of the ADS domain, run the net ads join -U Administrator%password command to join the HP CIFS Server to the ADS domain as a domain member server. See the section Join an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server in Windows 2003 and Windows 2008 domains (page 71) for details.

Publishing printers from a Windows client

Use the following procedure to publish printers from a Windows client which is a domain member of the ADS domain:

  1. Log in to your Windows client as a user who is a member of the printer admin list. For example, the user's name is cifsuser1.
  2. Click on Start.
  3. Click on the Run tab.
  4. Type \\<HP CIFS Server name> in the Open box to connect to an HP CIFS Server. For example, type \\hpservera, where hpservera is the name of an HP CIFS Server.
  5. Click on the Printers folder.
  6. Double click on a printer and select Printer, then the Properties tab.
  7. Click on the Sharing tab in the properties window.
  8. Check the List in the directory check-box in the sharing window. See the following screen snapshot for an example:
Figure 1 Publishing printer screen

Verifying that the printer is published

On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published. For example, to verify that the printer hpdesklj2 is published, type:

    $ net ads printer search hpdesklj2

After you run the above command, the output is as follows:

    objectclass:top
    objectclass:leaf
    objectclass:connectionpoint
    objectclass:printquene
    printername:hpdesklj2
    servername:hpservera

On a Windows client, you can also use the following steps to verify that the printer is published:

  1. Log in to your Windows client as a user who is a member of the printer admin list. For example, the user's name is cifsuser1.
  2. Click on Start.
  3. Click on the Search tab.
  4. Click on the buttons to find network printers.
  5. Select the name of the ADS domain in the In box.
  6. Click on the Find Now tab.
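Two of the smb.conf requirements stated in this chapter are easy to get wrong silently: the driver-upload section above says every account in the [print$] write list must also be in printer admin (and step 2 of the publishing setup requires use client driver = no), and the map readonly section says that setting is ignored whenever store dos attributes = yes. The following checks are an added example, not code from the HP CIFS Server guide; the sample configurations and the user names netadmin, cifsuser1 and cifsuser2 are constructed here, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the HP CIFS Server guide: static checks on an
# smb.conf for the [print$] upload prerequisites and the map readonly caveat.

# smb_get FILE SECTION KEY : print the value of KEY inside [SECTION], or nothing.
# Keys are compared case-insensitively; ';' and '#' comment lines are skipped.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/  { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/][ \t]*$/, "", sec); next }
        sec == want_sec && index($0, "=") > 0 {
            i = index($0, "="); key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == tolower(want_key)) print val
        }' "$1"
}

# names LIST : split a comma/space separated smb.conf list, one name per line.
names() { printf '%s\n' "$1" | tr ', ' '\n\n' | sed '/^$/d'; }

# check_print_driver_upload FILE : every [print$] write list entry must also be
# in [global] printer admin, and use client driver must not be yes.
check_print_driver_upload() {
    conf=$1; rc=0
    admins=$(smb_get "$conf" global "printer admin")
    for u in $(names "$(smb_get "$conf" 'print$' "write list")"); do
        if ! names "$admins" | grep -qx "$u"; then
            printf 'print$: %s is in write list but not in printer admin\n' "$u"; rc=1
        fi
    done
    if [ "$(smb_get "$conf" 'print$' "use client driver")" = yes ]; then
        printf 'print$: use client driver must be no\n'; rc=1
    fi
    return $rc
}

# check_map_readonly FILE : map readonly is ignored unless store dos attributes = no.
check_map_readonly() {
    conf=$1
    mr=$(smb_get "$conf" global "map readonly")
    sda=$(smb_get "$conf" global "store dos attributes")
    if [ -n "$mr" ] && [ "$sda" = yes ]; then
        printf 'global: map readonly = %s is ignored because store dos attributes = yes\n' "$mr"
        return 1
    fi
    return 0
}

# Constructed sample configurations (not from the guide).
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
   printer admin = netadmin, cifsuser1
   map readonly = permissions
   store dos attributes = no
[print$]
   path = /etc/opt/samba/printers
   use client driver = no
   write list = netadmin
EOF
cat > "$BAD_CONF" <<'EOF'
[global]
   printer admin = netadmin
   map readonly = permissions
   store dos attributes = yes
[print$]
   path = /etc/opt/samba/printers
   use client driver = yes
   write list = netadmin, cifsuser2
EOF

for f in "$GOOD_CONF" "$BAD_CONF"; do
    printf '== %s\n' "$f"
    check_print_driver_upload "$f" && check_map_readonly "$f" && echo "no findings" || echo "see findings above"
done
```

Running the checks against the second file reports cifsuser2 (in write list but not printer admin), the use client driver = yes setting, and the ignored map readonly value; the first file passes clean.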
Commands used for publishing printers

This section describes the net ads printer command used for publishing printers support on an HP CIFS Server.

Searching printers

To search for a printer across the entire Windows 2003/2008 R2 ADS domain, run the following command:

    $ net ads printer search <printer_name>

Without a printer name, the command searches all printers available on the ADS domain. For example, the following command searches all printers available on the ADS domain:

    $ net ads printer search

After you run the above command, the output is as follows:

    objectclass:top
    objectclass:leaf
    objectclass:connectionpoint
    objectclass:printquene
    printername:hpdesklj2
    servername:hpservera

    objectclass:top
    objectclass:leaf
    objectclass:connectionpoint
    objectclass:printquene
    printername:lj1005
    servername:hpservera

    objectclass:top
    objectclass:leaf
    objectclass:connectionpoint
    objectclass:printquene
    printername:lj3200
    servername:hpserverb

Removing a printer

To remove a printer from the ADS domain, run the following command:

    $ net ads printer remove <printer_name>

For example, the following command removes the printer lj1005 from the ADS domain:

    $ net ads printer remove lj1005

Re-Publishing a printer

To publish a printer for the first time, you must use the procedure described in the section Publishing Printers from a Windows Client. If you remove a printer, you can use the following command to re-publish it:

    $ net ads printer publish <printer_name>

For example, the following command re-publishes the printer lj1005 to the ADS domain:

    $ net ads printer publish lj1005

Setting up Distributed File System (DFS) support

This section provides the procedures for:

  - Setting up a DFS Tree on an HP CIFS Server
  - Setting up DFS Links in the DFS root directory on an HP CIFS Server
NOTE: HP does not recommend file sharing of the root directory. Only subdirectories under the root should be set up for file sharing.

Setting up a DFS Tree on an HP CIFS Server

After the DFS tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\dfs.

  1. Select an HP CIFS Server to act as the Distributed File System (DFS) root directory.
  2. Configure the HP CIFS Server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes. Example:

         [global]
             host msdfs = yes

  3. Create a directory to act as the DFS root on the HP CIFS Distributed File System (DFS) Server.
  4. Create a share and define it with the parameter path = directory of DFS root in the smb.conf file. Example:

         [DFS]
             path = /export/dfsroot

  5. Modify the smb.conf file and set the msdfs root parameter to yes. Example:

         [DFS]
             path = /export/dfsroot
             msdfs root = yes

Setting up DFS links in the DFS root directory on an HP CIFS Server

A Distributed File System (DFS) root directory on an HP CIFS Server can host DFS links in the form of symbolic links which point to other servers. Before setting up DFS links in the DFS root directory, you should set the permissions and ownership of the root directory so that only designated users can create, delete or modify the DFS links. Symbolic link names should be all lowercase. All clients accessing a DFS share should have the same user name and password. An example for setting up DFS links follows:

  1. Use the ln command to set up the DFS links linka and linkb in the /export/dfsroot directory. Both linka and linkb point to other servers on the network. Example commands:

         cd /export/dfsroot
         chown root /export/dfsroot
         chmod 775 /export/dfsroot
         ln -s msdfs:servera\\sharea linka
         ln -s msdfs:serverb\\shareb,serverc\\sharec linkb

  2. If you use the ls -l command on the /export/dfsroot directory, it should show output similar to this:

         lrwxrwxrwx 1 root sys 24 Oct 30 10:20 linka -> msdfs:servera\\sharea
         lrwxrwxrwx 1 root sys 30 Oct 30 10:25 linkb -> msdfs:serverb\\shareb,serverc\\sharec

     In this example, serverc is the alternate path for linkb. Because of this, if serverb goes down, linkb can still be accessed from serverc. linka and linkb are share names. Accessing either one will take users directly to the appropriate share on the network.
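The link-creation step above, as an added example that is not part of the HP CIFS Server guide: a small function builds an msdfs link from one or more server\share targets (alternate paths are joined with commas, as in the linkb example), rejects names that are not all lowercase, and a second function lists the links in a DFS root and flags any symbolic link that is not an msdfs referral. The DFS root is a temporary directory here instead of /export/dfsroot, the chown to root is omitted, servera/sharea and the other names are the guide's placeholders, and readlink(1) is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the HP CIFS Server guide: create and verify msdfs
# links in a constructed DFS root directory.

# dfs_link ROOT NAME TARGET... : create DFS link NAME in ROOT.  Each TARGET is
# server\share; several targets become alternate paths joined with commas.
# A single-quoted 'servera\sharea' here yields the same link target as the
# guide's unquoted servera\\sharea, because the shell collapses \\ to \ there.
dfs_link() {
    root=$1; name=$2; shift 2
    case $name in
        *[A-Z]*) printf 'DFS link names should be all lowercase: %s\n' "$name" >&2; return 1 ;;
    esac
    target=
    for t in "$@"; do
        target="${target:+$target,}$t"
    done
    ln -s "msdfs:$target" "$root/$name"
}

# dfs_check ROOT : print every symlink in ROOT with its target.  Returns 1 if a
# symlink does not start with "msdfs:" (Samba then treats it as an ordinary
# symbolic link rather than a referral).
dfs_check() {
    root=$1; rc=0
    for l in "$root"/*; do
        [ -L "$l" ] || continue
        t=$(readlink "$l")
        case $t in
            msdfs:*) printf '%s -> %s\n' "$(basename "$l")" "$t" ;;
            *)       printf '%s -> %s  (not an msdfs link)\n' "$(basename "$l")" "$t"; rc=1 ;;
        esac
    done
    return $rc
}

# dfs_alternates ROOT NAME : number of referral targets behind one link.
dfs_alternates() {
    readlink "$1/$2" | sed 's/^msdfs://' | tr ',' '\n' | wc -l | tr -d ' '
}

DFSROOT=$(mktemp -d)       # stands in for /export/dfsroot
chmod 775 "$DFSROOT"       # as in the guide; chown root is omitted here
dfs_link "$DFSROOT" linka 'servera\sharea'
dfs_link "$DFSROOT" linkb 'serverb\shareb' 'serverc\sharec'
dfs_check "$DFSROOT"
```

The listing printed by dfs_check corresponds to the ls -l output above: linka carries one target, linkb carries two, separated by a comma with no space, which is what lets a client fall back to serverc when serverb is down.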
Refer to the following screen snapshot for an example:

Figure 2 Link share names example

MC/ServiceGuard high availability support

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers. Template files for version A have been revised to allow any number of cluster nodes and offer other advantages over previous schemes.

NOTE: The templates are only starting points, and must be modified for the customer environment. Consulting can be purchased from HP to assist in configuring an HA CIFS Server environment.

Step 4: Starting the HP CIFS Server

Run the script below to start Samba if you do not use winbind support:

    /opt/samba/bin/startsmb

Run the script below to start Samba if you configure the HP CIFS Server to use winbind support:

    /opt/samba/bin/startsmb -w
or
    /opt/samba/bin/startsmb --winbind

When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started. When the script is successful, the exit value is 0. If the script fails, the exit value is 1. Samba installation and configuration are complete.

Run the following script to stop Samba if you do not use winbind support:

    /opt/samba/bin/stopsmb

Run the following script to stop Samba if you use winbind support:

    /opt/samba/bin/stopsmb -w
or
    /opt/samba/bin/stopsmb --winbind

When the script is successful, the exit value is 0. If the script fails, the exit value is 1.

Winbind execution may be controlled without affecting the execution of smbd and nmbd with the following commands. Run the following command to start winbind alone:

    /opt/samba/bin/startwinbind

Run the following command to stop winbind alone:

    /opt/samba/bin/stopwinbind

NOTE: HP does not support the inetd configuration to start the HP CIFS Server.

Starting and stopping daemons individually

Two new options, -n (nmbd only) and -s (smbd only), have been added to the startsmb and stopsmb scripts to start and stop the daemons individually. The startsmb -s command starts the smbd daemon. The stopsmb -s command stops the smbd daemon. The -n option starts and stops the nmbd daemon in the same way.

Configuring automatic start at system boot

When the HP CIFS Server is first installed, it will not automatically start when the system boots. You can enable the HP CIFS Server and related daemons to do so by editing the /etc/rc.config.d/samba file. This configuration file contains two variables:

    RUN_SAMBA=0
    RUN_WINBIND=0

The RUN_SAMBA variable controls whether the HP CIFS Server daemons, smbd and nmbd, will start at system startup. The RUN_WINBIND variable controls whether the winbind daemon, winbindd, will start at system startup. The two variables function independently. To configure the HP CIFS Server to start automatically, set RUN_SAMBA to a non-zero value. To configure Winbind to start automatically, set RUN_WINBIND to a non-zero value. For example, if you want the HP CIFS Server and Winbind to start automatically at system startup, edit the variables in the /etc/rc.config.d/samba file as follows:

    RUN_SAMBA=1
    RUN_WINBIND=1

Stopping and re-starting daemons to apply new settings

The smb.conf configuration file is automatically reloaded every minute if it changes. You can force a reload by sending a SIGHUP to the CIFS server. Reloading the configuration file does not affect connections to any service that is already established.
But you must stop and re-start the CIFS server daemons to apply a new setting for any of the following parameters in smb.conf:

    netbios aliases
    interfaces
    auth methods
    passdb backend
    invalid users
    valid users
    admin users
    read list
    write list
    printer admin
    hosts allow
    hosts deny
    hosts equiv
    preload modules
    wins server
    vfs objects
    idmap backend

Other samba configuration issues

Translate open-mode locks into HP-UX advisory locks

The HP CIFS Server A.02.* and A.03.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients. This also means CIFS clients cannot open files that have conflicting advisory locks from HP-UX processes. You must change the map share modes setting in smb.conf to yes to translate open mode locks to HP-UX advisory locks. The default setting of map share modes is no.

Performance tuning using change notify

This section describes performance tuning using the Change Notify feature and internationalization.

NOTE: Starting with the Samba version, the Change Notify Timeout feature is deprecated. The Change Notify Timeout feature is replaced with the Change Notify feature. This new feature depends on Linux inotify, which is not available in HP-UX operating systems.

The Samba Server supports a feature called Change Notify. Change Notify provides the ability for a client to request notification from the server when changes occur to files or subdirectories below a directory on a mapped file share. When a file or directory which is contained within the specified directory is modified, the server notifies the client. The purpose of this feature is to keep the client screen display up to date in Windows Explorer. The result: if a file you are looking at in Windows Explorer is changed while you are looking at it, you will see the changes on the screen almost immediately. The only way to implement this feature in Samba is to periodically scan through every file and subdirectory below the directory in question and check for changes made since the last scan.
This is a resource intensive operation that has the potential to affect the performance of Samba as well as other applications running on the system. Two major factors affect how resource intensive a scan is: the number of directories having a Change Notify request on them, and the size of those directories. If you have many clients running Windows Explorer (or other file browsers), or if you have directories on shares with a large number of files and/or subdirectories, each scan cycle might be very CPU intensive.

Special concerns when using HP CIFS Server on a Network File System (NFS) or a Clustered File System (CFS)

Both NFS and CFS provide file system access to unique file storage from multiple systems. However, controlling access to files, particularly files open for write access, from multiple systems poses challenges. Applications are not necessarily network or cluster-aware. Applications may not be
able to make use of locking mechanisms when multiple systems are involved. You need to be aware of the following when using HP CIFS Server in either an NFS or a Veritas CFS environment:

CIFS Server instances running simultaneously on multiple nodes should not use either NFS or Veritas CFS to concurrently share the smb.conf configuration and its subordinate CIFS system files in /var/opt/samba/locks and /var/opt/samba/private. There are operational reasons why multiple nodes should not share a configuration file concurrently, such as name/IP registration conflicts. Also, sharing an smb.conf file will likely lead to sharing CIFS Server system data, increasing the likelihood of concurrent file access and the possibility of CIFS Server corruption. Beginning with version A.02.02, HP CIFS Server does not start if another master daemon is sharing the daemon PID files, including a daemon on another node. (By default, PID files are found in the /var/opt/samba/lock path.) CIFS does this to prevent the problems with sharing the CIFS Server configuration discussed above.

Avoid using HP CIFS Server to share Veritas CFS directories simultaneously on multiple nodes. Since NFS and Veritas CFS provide for multiple nodes to read and write the same files concurrently, you should use extra caution when configuring HP CIFS Server on multiple nodes, because most locking mechanisms do not span multiple nodes. Simultaneous file access can lead to data corruption if multiple producers overwrite each other's work. The smb.conf parameter strict locking may be set to yes to prevent data corruption, but it may also decrease performance.

By default, since HP CIFS Server provides access to files from multiple clients (and from multiple nodes sharing an NFS or a Veritas CFS), there is the possibility of concurrent file access and hence at least a remote chance of data corruption. Therefore, HP CIFS Server provides a strict locking mechanism that can be enabled to prevent concurrent file access. When strict locking is set to yes in smb.conf, the server checks every read and write access for file locks, and denies access if locks exist. Since this check will be slow on some systems, and well behaved clients do ask for lock checks when it is important, HP recommends that you set strict locking to no in smb.conf for most environments. The default value for strict locking is no.

NetBIOS names are not supported on port 445

HP CIFS Server A.02.* and A.03.* versions (based on Samba 3.x.y) can accept connections on port 445 as well as the original port 139. However, port 445 connections are for SMB over TCP and do not support the NetBIOS protocol, so NetBIOS names are not supported on port 445. This means features of Samba that depend on NetBIOS will not work. For example, the virtual server technique that depends on an include = /etc/opt/samba/smb.conf.%l line, which ends up referring to another smb.conf.<netbios name>, will not work. You can use the smb.conf parameter smb ports to specify which ports the server should listen on for SMB traffic. Set smb ports to 139 to disable port 445. By default, smb ports is set to
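The sections above distinguish smb.conf parameters that are picked up by the running daemons from the ones that need a daemon stop and restart. The following added example (not HP CIFS Server or Samba code; the two configurations and the parameter values in them are constructed for illustration) diffs the [global] section of two smb.conf versions and reports which changed parameters fall into the restart list.

```python
"""Compare two versions of an smb.conf [global] section and report which changed
parameters take effect only after the HP CIFS daemons are stopped and restarted.
Added example, not HP CIFS Server or Samba code; OLD_CONF and NEW_CONF below are
constructed for illustration and are not the product's defaults."""
import re

# Parameters the guide lists as requiring a daemon stop and restart.
RESTART_REQUIRED = {
    "netbios aliases", "interfaces", "auth methods", "passdb backend",
    "invalid users", "valid users", "admin users", "read list", "write list",
    "printer admin", "hosts allow", "hosts deny", "hosts equiv",
    "preload modules", "wins server", "vfs objects", "idmap backend",
}


def parse_smb_conf(text):
    """Return {section: {param: value}} for smb.conf-style text.
    Parameter names are normalised to lower case with single spaces;
    comment lines starting with # or ; are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.lower().split())
        sections[current][key] = value.strip()
    return sections


def changed_globals(old_text, new_text):
    """Return {param: (old_value, new_value)} for every [global] parameter
    that differs between the two files; a missing side is reported as None."""
    old = parse_smb_conf(old_text).get("global", {})
    new = parse_smb_conf(new_text).get("global", {})
    return {k: (old.get(k), new.get(k))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)}


def restart_needed(old_text, new_text):
    """Sorted names of changed [global] parameters that need a daemon restart.
    Everything else in the diff is applied by the daemons without a restart."""
    return sorted(k for k in changed_globals(old_text, new_text)
                  if k in RESTART_REQUIRED)


# Constructed before/after configurations (illustrative values only).
OLD_CONF = """
[global]
   workgroup = EXAMPLEDOM
   hosts allow = 192.0.2.0/24
   strict locking = no
"""
NEW_CONF = """
[global]
   workgroup = EXAMPLEDOM
   hosts allow = 192.0.2.0/24 198.51.100.0/24
   strict locking = yes
   smb ports = 139
   map share modes = yes
"""

if __name__ == "__main__":
    for name, (before, after) in sorted(changed_globals(OLD_CONF, NEW_CONF).items()):
        print("%-16s %r -> %r" % (name, before, after))
    print("restart required for:", restart_needed(OLD_CONF, NEW_CONF))
```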
3 Managing HP-UX file access permissions from Windows NT/XP/2000/Vista/Windows 7

Introduction

This chapter describes how to use Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACLs) on an HP CIFS server. A new configuration option, acl_schemes, is also introduced.

UNIX file permissions and POSIX ACLs

The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, Windows 2000, Windows XP, Windows Vista and Windows 7 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.

NOTE: Although concepts of file ACLs are similar across the Windows and HP-UX platforms, there are sufficient differences in functionality that one cannot substitute UNIX ACLs for Windows ACLs (i.e. full emulation is not provided). For example, a Windows application that changes the ACL data of a file may behave unexpectedly if that file resides on an HP CIFS Server.

Viewing UNIX permissions from Windows

Because Windows ACL data differs from UNIX file permissions and VxFS POSIX ACLs, Samba must map data from UNIX to Windows and from Windows to UNIX. The table below shows how UNIX file permissions translate to Windows ACL access types:

Table 6 UNIX file permission maps to Windows ACL

UNIX Permission | Windows access type
r-- | Special Access(R)
-w- | Special Access(W)
--x | Special Access(X)
rw- | Special Access(RW)
r-x | Read(RX)
-wx | Special Access(WX)
rwx | Special Access(RWX)
r-- | Special Access

In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).

UNIX file owner translation in Windows ACL

A UNIX file system owner has additional permissions that other users do not have.
For example, the owner can give away ownership of the file, delete the file, rename the file, or change the permission mode on the file. These capabilities are similar to the delete (D), change permissions (P) and take ownership (O) permissions on the Windows client. Samba adds the DPO permissions to represent UNIX file ownership in the Windows Explorer interface.
For example, if a file on the UNIX file system is owned by UNIX user John and John has read and write (rw-) permissions on that file, the Windows client will display the permissions for user John as: Special Access(RWDPO)

You can also display the UNIX owner in the Windows Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.

UNIX owning group translation in Windows ACL

The owning group on a UNIX file system is represented on the Windows client with the take ownership (O) permission. While the meaning of the take ownership permission on Windows does not exactly match the meaning of an owning group on the UNIX file system, the owning group is still translated into the take ownership permission. This representation becomes even more significant when translating VxFS POSIX ACLs, as there can be many groups with different permissions on an individual file in this file system. Without this permission type, you would not be able to tell the owning group entry from other group entries. For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows client will display the permissions for group sales as: Special Access(RXO)

UNIX other permission translation in Windows ACL

In UNIX, the other permission entry represents permissions for any user or group that is not the owner and does not belong to the owning group. This entry maps to the everyone access control entry on the Windows client.

Windows directory and file permission translations

Windows clients display two sets of permissions for directory entries: directory permissions and file permissions. Directory Permissions are the permissions for the directory itself. File Permissions are the permissions inherited by the files and subdirectories created in the directory.
Samba translates UNIX permissions for a directory into Windows directory permissions and vice versa. Windows file permissions are not supported when the translation is to/from UNIX permissions. Windows file permissions, however, are supported with VxFS POSIX ACLs (as described in the next section).

Setting UNIX permissions from Windows

With one exception, reversing the UNIX to Windows translations described above will always work. You cannot, however, change the owner or owning group by adding Special Access(DPO) or Special Access(O) to a user or group from the client. All Windows permissions except read, write and execute are disregarded when applied to files on the Samba server. These include delete (D), change permissions (P) and take ownership (O). The table below shows how Windows access types map to UNIX permissions:

Table 7 Windows access type maps to UNIX permission

Windows access type | UNIX Permission
Special Access(R) | r--
Special Access(W) | -w-
Special Access(X) | --x
Special Access(RW) | rw-
Read(RX) | r-x
Special Access(WX) | -wx
Special Access(RWX) | rwx
Special Access | r--

When mapping to UNIX file permissions from Windows, you will not be able to add new Windows ACL entries, because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries. Conversely, you cannot delete any of the three entries listed above, as these entries are required by UNIX.

Pre-defined Windows permissions

The Windows Explorer ACL interface allows you to choose predefined permissions like Change and Full Control in addition to creating custom Special Access permissions.

Figure 3 Windows Explorer ACL interface

If you use pre-defined Windows access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in Windows. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows client, it will show up as Special Access(RWX).

Table 8 Windows access type maps to UNIX permission

Windows Access Type | UNIX Permission
No Access | ---
Read | r-x
Change | rwx
Full Control | rwx
Figure 4 Windows special access permissions

The VxFS POSIX ACL file permissions

VxFS POSIX ACLs provide additional functionality over default UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways:

VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.

VxFS POSIX ACLs support default Access Control Entries (ACEs) for directory permissions. This means that any files created in that directory will automatically inherit the default ACEs of the parent directory. It adds an inheritance permission type to directory permissions.

A special ACE called the class ACE is used. The role of the class ACE is to limit the other ACEs. The base UNIX permissions are not affected. For example, if the class ACE for a file is set to read (r--), then even when ACEs grant some users and groups write and execute access, write and execute access will not be given to them. The class ACE acts as a mask that filters out the permissions of non-class ACEs. If the class ACE were set to (---), or no access, other ACEs might exist, but they would not change the effective permissions.

VxFS POSIX ACLs translated to Windows ACLs

The extra features of VxFS POSIX ACLs affect the translations to and from Windows ACLs in the following ways:

The extra VxFS POSIX ACEs show up as Windows ACEs on the Windows client. The permission mode translates like a UNIX permission mode. With this feature you can also add new user and group entries from the Windows client. The limitations of this feature are discussed in the next section.

The default ACEs that are supported for inheritance by directories are translated into file permissions for a directory on Windows. The file permissions displayed on the Windows client represent the default ACEs on the UNIX file system of the Samba server. If the file permissions are set on a directory on the Windows client, equivalent default ACEs are set on the directory on the UNIX file system.

The class ACE used to limit the other ACEs is ignored. It is not displayed on the Windows client and there is no way to set it from the client. It would be difficult to support on the client side, as Windows has nothing similar to a class ACE.
Using the Windows NT Explorer GUI to create ACLs

Use the Windows Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list:

Click the Add button in the File/Directory Permissions dialog box of the Windows GUI to bring up the Add Users and Groups dialog box.

Figure 5 Windows Explorer file permissions

NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.

Figure 6 Windows Explorer list names from field

Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system. Since the actual ACLs will be UNIX file permissions or VxFS POSIX ACLs in their final form, the only valid groups and users are UNIX groups and users that the Samba server knows about. Go to the List Names From dropdown list in the Add Users and Groups dialog box. One choice is to list names on your Samba server. This is the list HP recommends.
Figure 7 Windows Explorer add users and groups dialog box

Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server. Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local UNIX groups and the users in this list.

Figure 8 Add UNIX groups and users

You can type user and group names into the Add Names text field to add users and groups. If the names are valid UNIX group or user names, the users and groups will be added. Optionally, add the Samba server name and a backslash to the beginning of the user or group name and it will be added (for example, server1\users1). When you select names off the name list, the GUI will put that name in the text list and automatically add the server name as well.

Optionally, use the user name mapping feature to define a mapping of Windows user names (or domain names) to UNIX user names. For example, you could map the Windows user names administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one. Samba supports the creation of ACEs with Windows user names that are mapped to UNIX user names. To continue the example above, you could create an ACE for the administrator user on the Windows client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user. If you add an ACE for one user name, like administrator, and then display the list of ACEs and see a new ACE for a different user name (root), it may be confusing. As many Windows user names can be mapped to one UNIX user name, Samba only displays the one UNIX user name. It cannot display the Windows name that was mapped to the UNIX user name.

You also have to be careful not to create multiple conflicting ACEs for one UNIX user. For example, in the Windows GUI you might add an ACE for each of the users administrator, admin and root. But when you apply these changes, Samba maps administrator and admin to the UNIX user root, and the result is that Samba tries to add three different ACEs, all for the user root, to one file. That is not valid and Samba ignores two of the three ACEs.

Selecting Names From the Samba Name List

The Windows user names mapped to UNIX users will also be displayed when you press the Show Users button in the Add Users and Groups dialog box. Every valid name that you can add to an ACE is in the name list on the Samba server (after you hit the Show Users button). You do not need to type in names or select names from the Windows domain list. If, however, you pick a name from the Windows domain list and it happens to be a UNIX user name on the Samba server, it will be added. This also applies to names that have a user name mapping in Samba.

There is another reason HP recommends selecting names from the Samba server's list of names instead of typing names in manually. There might be a UNIX group and a UNIX user with the same name. If you select a name from the list, Samba knows whether you mean the user or the group. If you type the name in, there is no way for you to specify the user or the group, and Samba may add the ACE for a user when you meant the UNIX group with the same name.

Using the Windows Vista Explorer GUI to create ACLs

To create ACLs using the Windows Vista Explorer, complete the following steps:
1. Right-click the file for which users and groups must be assigned, and select Properties->Security. The displayed page is as shown in Figure 9 (page 42).

Figure 9 Selecting file security

2. Click Edit. The Permissions page is displayed as shown in Figure 10 (page 42).

Figure 10 Permissions

3. Click Add. The Select Users or Groups page is displayed as shown in Figure 11 (page 43).

Figure 11 Select users or groups

4. Enter the user or group name that you want to add and click Check Names. The new user or group name is displayed as shown in Figure 12 (page 43).

Figure 12 New user or group
5. Set the permissions for the new user or group and click Apply. The new user or group name and the associated permissions are displayed as shown in Figure 13 (page 44).

Figure 13 New user or group and permissions

The new user or group is configured.

POSIX ACLs and Windows XP, Windows Vista and Windows 7 clients

The HP CIFS Server allows Windows XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000 and Windows XP permissions. The purpose of this section is to explain how the HP CIFS Server interprets Windows XP permissions, and how Windows XP clients interpret and display HP-UX permissions. Windows XP clients interact with POSIX ACLs similarly to other Windows clients, except for the minor differences covered in the following sections. Learn more about ACLs and Windows XP clients in the following sections in this chapter. You can also learn more about POSIX ACLs with man aclv.

Viewing UNIX permissions from Windows XP, Windows Vista and Windows 7 clients

The following table shows how the UNIX permissions on the HP CIFS Server are mapped to permissions in the Basic and Advanced ACL views of Windows XP clients:

Table 9 UNIX permission maps to Windows XP client permissions

UNIX Permission | Basic View | Advanced View
r-- | Read | Read Attributes, Read Extended Attributes, Read Data, Read Permissions
-w- | Write | Write Attributes, Write Extended Attributes, Append Data, Write Data, Read Permissions
--x | None | Execute or Traverse Folder, Read Attributes, Read Permissions
r-x | Read and Execute | All Read permissions as in the first cell, Execute or Traverse Folder
rw- | Read, Write | All Read permissions as in the first cell, All Write permissions as in the second cell
rwx | Full Control | Full Control and all permission bits are ticked
--- | None | No boxes are ticked

NOTE: In the table above, the permissions labeled Advanced can be viewed from the ACL dialog box by clicking on Advanced, then View/Edit. For a file owner ACE, the Take Ownership, Delete and Change Permissions flags are shown. For a file's owning group ACE, the Take Ownership permission flag is shown. However, all permissions are ticked in both the Windows ACE Advanced and Basic views if a file permission is Full Control.

Setting permissions from Windows XP, Windows Vista and Windows 7 clients

The following table shows how each Windows XP client permission is mapped to a UNIX permission when permissions are set from a client:

Table 10 Windows XP permissions map to UNIX permissions

Windows XP | UNIX Permission
Full Control | rwx
Write | -w-
Modify | rwx
Read and Execute | r-x
Read | r--
List Folder / Read Data (Advanced) | r--
Read Attributes (Advanced) | r--
Read Extended Attributes (Advanced) | r--
Read Permissions (Advanced) | r--
Create Files / Write Data (Advanced) | -w-
Create Folder / Append Data (Advanced) | -w-
Write Attributes (Advanced) | -w-
Write Extended Attributes (Advanced) | -w-
Traverse Folder / Execute File (Advanced) | --x
Delete Subfolders and Files (Advanced) | No meaning on HP-UX
Delete (Advanced) | * see explanation following table
Change Permissions (Advanced) | * see explanation following table
Take Ownership (Advanced) | * see explanation following table

* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows XP clients. When the file permission is not set to Full Control, the Delete, Change Permissions and Take Ownership permissions are shown for the file owner. The Take Ownership permission is shown for the file owning group. Everyone and other ACEs do not show these permissions except when the permission is set to Full Control.

NOTE: The CIFS Server ensures that at least "read" permission is set for the file owner. For example, if a user tries to set a file's permissions to "- - -", the CIFS Server will actually set it to "r - -".

Viewing ACLs from Windows 7 clients

1. Right-click on a file and select Properties
2. Click on the Security tab
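The mapping rules in Tables 6, 7, 8 and 10, together with the ownership letters (DPO, O) and the rule that the owner always keeps read permission, can be modelled as a small set of functions. The following is an added example, not HP CIFS Server or Samba code; the function names are illustrative and the role names "owner", "owning group" and "other" are the chapter's own terms.

```python
"""Model of how HP CIFS Server maps UNIX permission modes to and from the
Windows ACL views described in this chapter: Table 6 (NT display), Table 7 and
Table 8 (NT access types back to a mode), Table 10 (XP permissions back to a
mode) and the note that the owner is never left without read permission.
Added example, not HP CIFS Server or Samba code; names are illustrative."""

# Table 8: pre-defined Windows NT access types become plain UNIX modes.
PREDEFINED_NT = {"No Access": "---", "Read": "r-x",
                 "Change": "rwx", "Full Control": "rwx"}

# Table 10: bits each Windows XP permission (Basic or Advanced) contributes.
XP_PERMISSION_BITS = {
    "Full Control": "rwx", "Write": "-w-", "Modify": "rwx",
    "Read and Execute": "r-x", "Read": "r--",
    "List Folder / Read Data": "r--", "Read Attributes": "r--",
    "Read Extended Attributes": "r--", "Read Permissions": "r--",
    "Create Files / Write Data": "-w-", "Create Folder / Append Data": "-w-",
    "Write Attributes": "-w-", "Write Extended Attributes": "-w-",
    "Traverse Folder / Execute File": "--x",
    # No meaning on HP-UX, or ownership flags that can be seen but not set.
    "Delete Subfolders and Files": "---", "Delete": "---",
    "Change Permissions": "---", "Take Ownership": "---",
}

# Ownership shows as extra letters: DPO for the owner, O for the owning group.
OWNERSHIP_SUFFIX = {"owner": "DPO", "owning group": "O", "other": ""}


def _validate(mode):
    """Accept only a three-character mode such as "rw-"."""
    if len(mode) != 3 or any(c not in ok for c, ok in zip(mode, ("r-", "w-", "x-"))):
        raise ValueError("bad UNIX mode string: %r" % mode)


def to_windows_nt(mode, role="other"):
    """Table 6 plus ownership letters: how an NT/2000 client displays a mode.
    r-x on its own is the one mode with a named access type, Read(RX)."""
    _validate(mode)
    letters = "".join(c.upper() for c in mode if c != "-") + OWNERSHIP_SUFFIX[role]
    if letters == "RX":
        return "Read(RX)"
    return "Special Access(%s)" % letters


def from_windows_nt(access_type):
    """Tables 7 and 8: an NT access type back to a mode. D, P and O are
    disregarded by the server, so only R, W and X survive the round trip."""
    if access_type in PREDEFINED_NT:
        return PREDEFINED_NT[access_type]
    inner = ""
    if "(" in access_type and access_type.endswith(")"):
        inner = access_type[access_type.find("(") + 1:-1]
    return "".join(b if b.upper() in inner else "-" for b in "rwx")


def from_windows_xp(ticked, role="other"):
    """Table 10: union the bits of every ticked XP permission, then apply the
    server rule that the file owner always keeps at least read permission."""
    bits = set()
    for name in ticked:
        bits.update(c for c in XP_PERMISSION_BITS[name] if c != "-")
    if role == "owner":
        bits.add("r")
    return "".join(b if b in bits else "-" for b in "rwx")


if __name__ == "__main__":
    print(to_windows_nt("rw-", "owner"))             # Special Access(RWDPO)
    print(to_windows_nt("r-x", "owning group"))      # Special Access(RXO)
    print(from_windows_nt("Special Access(RWDPO)"))  # rw-
    print(from_windows_xp(set(), role="owner"))      # r--
```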
Displaying the owner of a file

1. Click on Advanced
2. Click on the Owner tab on the Access Control Settings dialog box

HP CIFS Server directory ACLs and Windows XP, Windows Vista and Windows 7 clients

Directory ACL types

Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.

Viewing ACLs from Windows 7 clients

Windows 7 or XP can show ACLs on a file or a directory in Basic and Advanced views.

Viewing basic ACLs from Windows 7 clients

1. Right-click on a file or a directory and select Properties
2. Click on the Security tab

Figure 14 Basic ACL view

Viewing advanced ACLs from Windows 2000 clients

1. Right-click on a file or a directory and select Properties
2. Click on the Security tab
3. Click on the Advanced button
Figure 15 Advanced ACL view

Mapping Windows XP directory inheritance values to POSIX

Under POSIX, default ACEs can apply to both files and subdirectories. In a Windows XP environment, directory ACE entries differ from POSIX and use the following Windows Inheritance Values (Apply To values in the Windows Advanced ACE screen) to distinguish access and default behavior:

This folder only
This folder, subfolders and files
This folder and subfolders
This folder and files
Subfolders and files only
Subfolders only
Files only

When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type. The following table shows how Windows Inheritance Values are mapped to POSIX:

Table 11 Mapping table for inheritance values to POSIX

Inheritance Value | POSIX Mapping by HP CIFS Server
This Folder only | Maps to access ACE.
This Folder, Subfolders and Files | An ACE of this type is mapped to both access and default ACE.
This Folder and Subfolders | Maps only to access ACE for this directory.
This Folder and Files | Maps only to access ACE for this directory.
Subfolders and Files only | Maps to default ACE for this directory.
Subfolders only | This type is not supported and any ACE with this type is ignored by the HP CIFS Server.
Files only | This type is not supported and any ACE with this type is ignored by the HP CIFS Server.

Modifying directory ACLs from Windows XP clients

NOTE: HP-UX directory ACLs are set inconsistently when using the ACL Basic permission screen from the Windows XP client. You must use the Windows Advanced permission screen (Directory->Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs.

This section describes how to modify a directory ACE from the Windows XP client:

1. Right-click on a directory and select Properties
2. Click on the Security tab
3. Click on the Advanced button
4. Select an ACE, click on the View/Edit tab

Figure 16 Modifying ACE permissions

5. Check/uncheck the boxes next to each permission to add/remove any permissions that you want. Refer to "Mapping Table for Windows XP Permissions to UNIX Permissions" for detailed information on how each permission in this window is mapped to UNIX permissions
6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Refer to "Mapping Table for Inheritance Values to POSIX" for detailed information
7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat step 4 through step 6 to modify other ACEs
8. Click on the OK or Apply button on the Advanced ACE screen
Figure 17 Modifying an ACE type with apply to value

IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both the Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server. To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.

Removing an ACE entry from Windows XP clients

For mandatory ACLs (user, owning group, everyone), removing an ACE entry from the Advanced Windows permission screen does not remove that ACE entry on the UNIX system. The HP CIFS Server generates the missing ACEs from the existing access ACEs on the file. For any other user or group ACEs, removing an ACE entry from the Advanced Windows screen will remove that ACE entry on the HP CIFS Server.

Examples

Following are three examples showing the changes to the directory ACEs on the HP CIFS Server when an ACE entry is removed from the Windows XP client.

Example 1: In example 1, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:rwx
    access:other:rwx
    default:owner:rwx
    default:owning group:r-x
    default:other:r-x

In example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:rwx
    access:other:rwx
    default:owner:rwx
    default:owning group:rwx
    default:other:r-x

Example 2: In example 2, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:r-x
    access:other:rwx
    default:owner:rwx
    default:owning group:r--
    default:other:r--

In example 2, if both the access owning group ACE entry, r-x, and the default owning group ACE entry, r--, are removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing owning group ACE entries based on the existing access owning group ACE. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:r-x
    access:other:rwx
    default:owner:rwx
    default:owning group:r-x
    default:other:r--

Example 3: In example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    # other group:testgroup
    access:owner:rwx
    access:owning group:r-x
    access:other group:rw-
    default:owner:rwx
    default:owning group:r--
    default:other group:r--

In example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--, are removed from the Advanced Windows ACE screen, the HP CIFS Server will remove both the access other group and default other group ACE entries. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    # other group:testgroup
    access:owner:rwx
    access:owning group:r-x
    default:owner:rwx
    default:owning group:r--

Adding directory ACLs from Windows XP clients

This section describes how to add a directory ACE from the Windows XP client:

1. Right-click on a directory and select Properties
2. Click on the Security tab
3. Click on the Advanced button
4. Click on the Add button; a select user or group window is displayed
5. You may select any user or group from the available ones.
6. Click on OK; you will be prompted to enter ACE permissions and the type of ACE
7. Enter the desired permissions, click on OK
8. You will be taken to the ACE Advanced view screen; click on the OK or Apply button to add the new ACE
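The Table 11 inheritance mapping and the ACE removal rules illustrated by Examples 1 to 3 can be modelled in a few lines. The following is an added example, not HP CIFS Server or Samba code; the DirectoryAcl class, its method names and the "user:<name>" / "group:<name>" key convention are invented for illustration, and the listing() output follows the format of the examples above.

```python
"""Model of how HP CIFS Server turns Windows XP Advanced-view edits on a
directory into POSIX access and default ACEs: Table 11 for the Apply To value,
and the "Removing an ACE entry" rules shown in Examples 1 to 3. Added example,
not HP CIFS Server or Samba code; the ACL representation is invented."""

# Table 11: Windows "Apply to" value -> POSIX ACE kinds the server writes.
APPLY_TO_KINDS = {
    "This Folder only": ("access",),
    "This Folder, Subfolders and Files": ("access", "default"),
    "This Folder and Subfolders": ("access",),
    "This Folder and Files": ("access",),
    "Subfolders and Files only": ("default",),
    "Subfolders only": (),   # not supported, ignored by the server
    "Files only": (),        # not supported, ignored by the server
}

# Entries the file system always has; the server regenerates them if removed.
MANDATORY = ("owner", "owning group", "other")


class DirectoryAcl:
    """Directory ACEs keyed by (kind, who): kind is "access" or "default",
    who is "owner", "owning group", "other", or "user:<name>"/"group:<name>"
    for additional entries (constructed convention, not a getacl format)."""

    def __init__(self, entries):
        self.entries = dict(entries)   # {(kind, who): "rwx"}

    def set_from_windows(self, who, perms, apply_to):
        """An Advanced-view ACE edit: write the ACE kinds Table 11 maps to.
        Unsupported Apply To values write nothing, as the server ignores them."""
        for kind in APPLY_TO_KINDS[apply_to]:
            self.entries[(kind, who)] = perms

    def remove_from_windows(self, who, kinds=("access", "default")):
        """Removing an ACE in the Advanced view. A mandatory entry is rebuilt
        from the access ACE that existed before the removal (Examples 1 and 2);
        any other user or group entry is really removed (Example 3)."""
        source = self.entries.get(("access", who))
        for kind in kinds:
            self.entries.pop((kind, who), None)
        if who in MANDATORY and source is not None:
            for kind in kinds:
                self.entries[(kind, who)] = source

    def listing(self):
        """Render as kind:who:perms lines, access ACEs first, owner before
        owning group before other, then additional entries by name."""
        def rank(key):
            kind, who = key
            role = MANDATORY.index(who) if who in MANDATORY else len(MANDATORY)
            return (kind != "access", role, who)
        return ["%s:%s:%s" % (k, w, p)
                for (k, w), p in sorted(self.entries.items(), key=lambda kv: rank(kv[0]))]


def example_2():
    """Example 2 from the text: both owning group ACEs removed from Windows."""
    acl = DirectoryAcl({
        ("access", "owner"): "rwx", ("access", "owning group"): "r-x",
        ("access", "other"): "rwx", ("default", "owner"): "rwx",
        ("default", "owning group"): "r--", ("default", "other"): "r--",
    })
    acl.remove_from_windows("owning group")
    return acl.listing()


if __name__ == "__main__":
    print("\n".join(example_2()))
```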
Figure 18 Selecting a new ACE user or group

IMPORTANT: POSIX ACEs with zero permissions can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.

POSIX default owner and owning group ACLs

The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. In HP CIFS Server A version and earlier, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on the corresponding access and default ACEs. The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same. Changing permissions on the Windows Creator Owner and Creator Group ACEs will only modify the POSIX default owner and owning group ACEs on the HP CIFS Server.

POSIX ACEs with zero permissions

POSIX owning group and everyone ACEs with zero permissions are not displayed in the Windows interface. For example, if a directory owning group has zero permissions on the HP CIFS Server, an ACE for that owning group will not be shown on the Windows interface. ACEs for any other user or group with zero permissions are shown with no permissions in the Windows interface. POSIX ACEs with zero permissions can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.

In conclusion

Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows 2000, Windows XP, Windows Vista or Windows 7 clients.
With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can now be done from a Windows 2000, Windows XP, Windows Vista or Windows 7 client (with the exception of the class entry for VxFS POSIX ACLs). Windows applications running on the Windows 2000, Windows XP, or Windows Vista client cannot expect full Windows 2000, Windows XP, or Windows Vista ACL support. Although much of the Windows 2000, Windows XP, or Windows Vista ACL information is retained and retrieved by the Samba server, some of the information may be lost or changed in some cases.

NOTE: The ACL support is not a Windows 2000, Windows XP, Windows Vista or Windows 7 ACL emulation, but rather access to UNIX ACLs through the Windows 2000, Windows XP, Windows Vista or Windows 7 client. Therefore, you cannot run Windows applications which require full, perfect Windows 2000, Windows XP, Windows Vista or Windows 7 ACL support.
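The mapping rules of this chapter (Creator Owner/Creator Group for default ACEs, a single Everyone row, hidden zero-permission entries, and removal of both the access and default ACE of a named group) as an added example, not code from the HP CIFS Server guide. PosixAce, windows_view and remove_named_entries are assumed names, and the sample ACL is constructed from example 3 with the default other-group permission assumed to be r--.

```python
"""Added example, not code from the HP CIFS Server guide: a small model of the
rules this chapter gives for how VxFS POSIX access and default ACEs appear in
the Windows ACL editor.  PosixAce, windows_view and remove_named_entries are
assumed names; the sample ACL is constructed from the chapter's example 3."""
from dataclasses import dataclass
from typing import List, Tuple

NO_PERMS = "---"


@dataclass(frozen=True)
class PosixAce:
    scope: str  # "access" or "default"
    tag: str    # "owner", "owning group", "user", "group" or "everyone"
    name: str   # user or group name; "" for owner, owning group, everyone
    perms: str  # rwx-style string, e.g. "r-x"


def windows_view(aces: List[PosixAce]) -> List[Tuple[str, str]]:
    """Return the (account, permissions) rows the Windows interface shows.

    Rules from the chapter:
      * default owner / default owning group appear as Creator Owner /
        Creator Group even when they equal the access ACEs;
      * everyone appears as a single row when its access and default
        permissions are the same;
      * owning group and everyone ACEs with zero permissions are hidden;
      * other users or groups with zero permissions are listed with no
        permissions (an empty string here).
    """
    access_everyone = next(
        (a for a in aces if a.scope == "access" and a.tag == "everyone"), None)
    rows: List[Tuple[str, str]] = []
    for ace in aces:
        is_default = ace.scope == "default"
        if ace.tag == "owner":
            label = "Creator Owner" if is_default else "Owner"
        elif ace.tag == "owning group":
            if ace.perms == NO_PERMS:
                continue
            label = "Creator Group" if is_default else "Group"
        elif ace.tag == "everyone":
            if ace.perms == NO_PERMS:
                continue
            if (is_default and access_everyone is not None
                    and access_everyone.perms == ace.perms):
                continue  # folded into the single Everyone row
            label = "Everyone (default)" if is_default else "Everyone"
        else:
            label = f"{ace.name} (default)" if is_default else ace.name
            if ace.perms == NO_PERMS:
                rows.append((label, ""))
                continue
        rows.append((label, ace.perms))
    return rows


def remove_named_entries(aces: List[PosixAce], name: str) -> List[PosixAce]:
    """Model removing both the access and the default ACE of a named user or
    group from the Advanced screen: the server drops both POSIX entries."""
    if not name:
        raise ValueError("owner, owning group and everyone are not named entries")
    return [a for a in aces if a.name != name]


# Constructed sample: directory testdir from example 3 of this chapter
# (the default other-group permission is assumed to be r--).
SAMPLE_ACL = [
    PosixAce("access", "owner", "", "rwx"),
    PosixAce("access", "owning group", "", "r-x"),
    PosixAce("access", "group", "testgroup", "rw-"),
    PosixAce("access", "everyone", "", NO_PERMS),
    PosixAce("default", "owner", "", "rwx"),
    PosixAce("default", "owning group", "", "r--"),
    PosixAce("default", "group", "testgroup", "r--"),
    PosixAce("default", "everyone", "", NO_PERMS),
]

if __name__ == "__main__":
    for account, perms in windows_view(SAMPLE_ACL):
        print(f"{account:22s} {perms or '(no permissions)'}")
    print("after removing testgroup:")
    for account, perms in windows_view(remove_named_entries(SAMPLE_ACL, "testgroup")):
        print(f"{account:22s} {perms}")
```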
4 Windows style domains

Introduction

This chapter describes how to configure the roles that an HP CIFS Server can play in a Windows style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or a Windows domain with a Microsoft Domain Controller (DC). Configuration of Member Servers joining a Windows 2003 or Windows 2008 R2 ADS domain as a pre-Windows 2000 compatible computer is described here. Chapter 5, Windows 2003 and Windows 2008 Domains, should be consulted for configuration of Member Servers joining domains with a Windows 2003 or Windows 2008 Domain Controller as an ADS Member Server. Chapter 9, HP CIFS Deployment Models, describes further how the server roles can be utilized in common network deployments.

HP CIFS Server can be configured to play different roles in a Windows style Domain Model, including:

- Member Server in a Windows 2003 or Windows 2008 Domain with a Microsoft DC
- PDC in a Samba Domain where an HP CIFS Server serves as the PDC
- Backup Domain Controller (BDC) in a Samba Domain where an HP CIFS Server serves as the PDC
- Member Server in a Samba Domain where an HP CIFS Server serves as the PDC

Advantages of the Samba Domain model

The HP CIFS Server PDC domain model provides a number of advantages:

- HP CIFS Server PDC domain administrators may group workstations and servers under the authority of a domain controller.
- Domain members may be centrally administered by using domains to group related machines. One benefit of this is that user accounts can be common to multiple systems: a user may make one password change which affects every system accessed by that user. Another benefit is that IT administration work is reduced, since individual accounts no longer need to be administered on each system.
- HP CIFS BDCs may be configured to off-load some of the HP CIFS PDC authentication responsibilities and can be promoted to a PDC if the PDC fails or needs to be taken out of service.
Primary domain controllers

The Primary Domain Controller (PDC) is responsible for several tasks within the domain. These include:

- Authenticating user logons for users and workstations that are members of the domain
- Acting as a centralized point for managing user account and group information for the domain
- A user logged on to the PDC as the domain administrator can add, remove or modify Windows domain account information on any machine that is part of the domain
Backup domain controllers

Advantages of backup domain controllers

HP CIFS Server with BDC support provides the following benefits to the customer:

- The BDC can authenticate user logons for users and workstations that are members of the domain when the wide area network link to a PDC is down. A BDC plays an important role in both domain security and network integrity.
- The BDC can pick up network logon requests and authenticate users while the PDC is very busy on the local network. This helps to add robustness to network services.
- The BDC can be promoted to a PDC if the PDC needs to be taken out of service or fails. This is an important feature of domain controller management. To promote a BDC to a PDC on the HP CIFS Server, change the domain master parameter from "no" to "yes".

Limitations

The following is a list of limitations for the BDC support:

- HP CIFS Server can only function as a BDC to an HP CIFS PDC. HP CIFS Server and MS Windows server can each function as a BDC only to its own type of PDC.
- HP CIFS Server cannot create Security Account Management (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files that are held by a BDC.
- The Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.0 BDC with a non-LDAP backend can make it difficult to synchronize the SAM database. Refer to Table 5.1, Domain Backend Account Distribution Option, in the Official Samba HOWTO and Reference Guide for more information on possible design configurations for a PDC/BDC infrastructure.

Domain members

The following member servers are supported:

- Windows NT
- Windows 2003 and Windows 2008 R2
- HP CIFS Server

Users on a domain member machine can access network resources within the domain. Some examples of these resources are file and printer shares and application servers. Domain members do not perform the user authentication for user logons. Instead, the member sends the credentials to a domain controller via a secure channel.
The domain controller checks the credentials against those in its database and returns the results to the member server. Access is granted based on the results returned.

Configure the HP CIFS Server as a PDC

When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server should create machine accounts for Windows clients (member servers). To enable this feature, choose "Primary Domain Controller" when executing samba_setup, then verify the following:

1. The smb.conf file is as shown if the HP CIFS Server acting as a PDC does not use the LDAP backend:

       [global]
       workgroup = SAMBADOM #Samba Domain
       security = user
       domain logon = yes
       domain master = yes
       encrypt passwords = yes

       [netlogon]
       comment = The domain logon service
       path = /var/opt/samba/netlogon
       writeable = no
       guest ok = no

       [profiles]
       comment = profiles Service
       path = /etc/opt/samba/profiles
       read only = no
       create mode = 600
       directory mode =

2. The smb.conf file is as shown if the HP CIFS Server acting as a PDC uses the LDAP backend to store UNIX and Samba account databases:

       [global]
       workgroup = SAMBADOM #Samba Domain
       security = user
       domain logon = yes
       domain master = yes
       encrypt passwords = yes
       passdb backend = ldapsam:ldap://ldapserver:

3. The /var/opt/samba/netlogon subdirectory for the domain logon service exists.

NOTE:
security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC.
domain logon: Set this parameter to yes to provide netlogon services.
encrypt passwords: If you set this parameter to yes, the passwords used to authenticate users are encrypted. You must set this parameter to yes when you configure an HP CIFS Server acting as a PDC.

Configure the HP CIFS Server as a BDC

When configuring HP CIFS Server to act as a Backup Domain Controller (BDC), you need to configure the relevant domain controller parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is as shown if the HP CIFS Server acting as a BDC does not use the LDAP backend:

    [global]
    workgroup = SAMBADOM # Samba Domain
    security = user
    domain logon = yes
    domain master = no
    encrypt passwords = yes

    [netlogon]
    comment = The domain logon service
    path = /var/opt/samba/netlogon
    writeable = no
    guest ok = no

The smb.conf file is as shown if the HP CIFS Server acting as a BDC uses the LDAP backend to store UNIX and Samba account databases:

    [global]
    workgroup = SAMBADOM #Samba Domain
    security = user
    domain logon = yes
    domain master = no
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://ldapserver:389

When you configure the domain controller parameters, ensure that the /var/opt/samba/netlogon subdirectory for the domain logon service exists.

HP CIFS does not implement a true SAM database, nor its replication. The HP CIFS implementation of a BDC is very much like a PDC with one important difference: a BDC is configured like a PDC except that the smb.conf parameter domain master must be set to no.

NOTE:
security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend.
domain master: Set this parameter to no in order for the HP CIFS Server to act as a BDC.
domain logon: Set this parameter to yes to provide netlogon services.
encrypt passwords: If you set this parameter to yes, the passwords used to authenticate users are encrypted. You must set this parameter to yes when you configure HP CIFS Server to act as a BDC.

Promote a BDC to a PDC in a Samba Domain

If a PDC fails or needs to be taken out of service, simply set "domain master = yes" on a BDC. It will then register the appropriate NetBIOS names and assume the PDC role.

Domain member server

Configure the HP CIFS Server as a member server

When configuring HP CIFS Server to act as a domain member server, you need to configure the relevant domain parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor.
The smb.conf file is as shown if the HP CIFS Server acting as a member server does not use the LDAP backend:

    [global]
    workgroup = NTDOM
    security = domain
    password server = DOMPDA
    encrypt passwords = yes
    netbios name = myserver

The smb.conf file is as shown if the HP CIFS Server acting as a member server uses the LDAP backend to store UNIX and Samba account databases:

    [global]
    workgroup = NTDOM
    security = domain
    encrypt passwords = yes
    passdb backend = ldapsam:ldap://ldapserver:389
    netbios name = myserver

NOTE:
workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.
security: When the HP CIFS Server joins a domain as a member, this parameter must be set to "domain".
password server: This parameter defines the NetBIOS name of the PDC machine which performs the username authentication and validation.
encrypt passwords: If this parameter is set to yes, the passwords used to authenticate users are encrypted.
netbios name: Set this parameter to the NetBIOS name by which the member server is known.

Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-Windows 2000 computer), or Samba Domain

This section describes the procedures to join an HP CIFS Server to a Windows NT domain, Windows 2000 and Windows 2003 (as a pre-Windows 2000 computer) or Samba Domain as a member server.
Step-by-step procedure

1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC.

   For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS Member Server by performing the following steps:
   a. Open the "start/programs/administrator/tools/server manager" tool.
   b. Select the "computer/add to domain" icon and enter the host name of the HP CIFS Server.
   c. Choose the "Windows NT Workstation or Server" option when you are asked for the computer type.

   For Windows 2000: Go to the Windows 2000 PDC and create a machine account for the HP CIFS Member Server by using the Active Directory Controller Wizard. Check the "Allow Pre-Windows 2000 computers to use this account" box and add the computer name.

   For Samba (including HP CIFS): Go to the Samba Server acting as a PDC and create a machine account for the HP CIFS Member Server by following the steps provided in the Chapter 4 section titled "Create a Machine Trust Account".

   samba_setup will then perform the "net rpc join -U Administrator%password" command for you.

Create the machine trust accounts

A Machine Trust Account for a Windows Client (client = member server) on an HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$". For PDCs not using LDAP (the default), machine accounts have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts). For PDCs using LDAP, machine accounts have posixaccount and sambasamaccount object class entries in a directory server database.

The following steps are used to create a machine account for a Windows Client on an HP CIFS Server acting as a Primary Domain Controller (PDC):

1. Create the UNIX or POSIX account for a Windows Client:

   Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if LDAP is disabled:

       $ useradd -c NT_workstation -d /home/temp -s /bin/false client1$

   As an example, the resulting entry in the /etc/passwd file for a client machine named "client1" would be:

       client1$:*:801:800:nt_workstation:/home/temp:/bin/false

   where 801 is a uid and 800 is the group id of a group called "machines". A uid or group id can be any unique number. You may find that uid values 0 through 100 are considered special, and/or server specific. This may, or may not, apply to your system. The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false.

   Use the following command to create the posixaccount entry for a Windows client in the LDAP directory if LDAP is enabled:

       $ /opt/ldapux/bin/ldapmodify -a -D "cn=Directory Manager" -w dmpasswd -h ldaphosta -f new.ldif

   where the LDIF update statements specified in the new.ldif file are added to the LDAP directory server, ldaphosta. The following is an example of LDIF update statements in the new.ldif file:
       dn: uid=client1$,ou=people,dc=hp,dc=com
       objectclass: top
       objectclass: account
       objectclass: posixaccount
       cn: client1$
       uid: client1$
       uidnumber: 1000
       gidnumber: 200
       homedirectory: /home/temp
       loginshell: /bin/false

   As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be:

       objectclass: posixaccount
       cn: client1$
       uid: client1$
       uidnumber: 1000
       gidnumber: 200
       homedirectory: /home/temp
       loginshell: /bin/false
       userpassword: {crypt}x
       pwdlastset:
       logontime: 0
       logofftime:
       kickofftime:
       pwdcanchange: 0
       pwdmustchange:
       rid: 1206
       primarygroupid: 1041
       acctflags: [W ]
       displayname: client1$

2. Run the smbpasswd program on the Samba PDC server to create the Windows account:

   Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if LDAP is disabled:

       $ smbpasswd -a -m client1

   An example of the associated machine entry in the /etc/opt/samba/private/smbpasswd file for a client machine named "client1" would be:

       client1$:*801:800:ed816800d0393daad3b435b51404ee:321abeefe10ec431b9aaff1a1d0d47:[w ]:LCT :

   Use the following command to add the sambasamaccount entry for a Windows client to the LDAP directory server if LDAP is enabled:

   For the ldapsam_compat backend:

       $ /opt/samba/bin/smbpasswd -a -m client1

   For the ldapsam backend:

       $ /opt/samba/bin/smbpasswd -a -m client1

   An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be:

       objectclass: posixaccount
       objectclass: sambasamaccount
       cn: client1$
       uid: client1$
       uidnumber: 1000
       gidnumber: 200
       homedirectory: /home/temp
       loginshell: /bin/false
       gecos: Samba_Server
       description: Samba_Server
       userpassword: {crypt}x
       pwdlastset:
       logontime: 0
       logofftime:
       kickofftime:
       pwdcanchange: 0
       pwdmustchange:
       rid: 1206
       primarygroupid: 1041
       lmpassword: E0AFF63989B8FA A685C6AFAF1
       ntpassword: E0AFF63989B8FA A685C6AFAF1
       acctflags: [W ]
       displayname: client1$

NOTE: You can also use utilities such as pdbedit and the net commands to create the machine trust accounts. The net commands provide numerous new utility operations. For more information on how to create machine trust accounts using pdbedit and the net commands, see the SWAT help text for pdbedit and net.

Configure domain users

The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on an HP CIFS Server configured as a PDC.

If you are a root-level user, create a Domain User in the group named "users" with the login shell /sbin/sh. For example:

    useradd -g users -c "Domain Users" -s /sbin/sh domuser

If you are not a root-level user, create a Domain User in the group named "users" with the login shell /usr/bin/sh. For example:

    useradd -g users -c "Domain Users" -s /usr/bin/sh domuser

where domuser is the name of a Domain User.

If you are a root-level user, create a Domain Administrator in the group named "adm" with the login shell /sbin/sh. For example:

    useradd -g adm -c "Domain Administrators" -s /sbin/sh domadmin

If you are not a root-level user, create a Domain Administrator in the group named "adm" with the login shell /usr/bin/sh. For example:

    useradd -g adm -c "Domain Administrators" -s /usr/bin/sh domadmin

where domadmin is the name of a Domain Administrator.

If you are a root-level user, create a Domain Guest in the group named "users" with the login shell /sbin/sh. For example:

    useradd -g users -c "Domain Guest" -s /sbin/sh domguest

If you are not a root-level user, create a Domain Guest in the group named "users" with the login shell /usr/bin/sh. For example:

    useradd -g users -c "Domain Guest" -s /usr/bin/sh domguest

where domguest is the name of a Domain Guest.
Be sure that all of the users that were created (see the example above) have been added to the /etc/passwd file.

Join a Windows client to a Samba Domain

1. Verify the following parameters in the smb.conf file:
   - Set the security parameter to "user".
   - Set the workgroup parameter to the name of the domain.
   - Set the encrypt passwords parameter to "yes".

       [global]
       security = user
       workgroup = SAMBADOM #SAMBA Domain name
       domain logon = yes
       encrypt passwords = yes

2. Create the UNIX or POSIX account for a Windows Client:

   Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if the passdb backend option is set to smbpasswd:

       $ useradd -c NT_workstation -d /home/temp -s /bin/false client1$

   As an example, the resulting entry in the /etc/passwd file for a client machine named "client1" would be:

       client1$:*:803:808:nt_workstation:/home/temp:/bin/false

   where 803 is a uid and 808 is the group id of a group called "machines". A uid or group id can be any unique number. You may find that uid values 0 through 100 are considered special, and/or server specific. This may, or may not, apply to your system. The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false.

   Use the following command to create the posixaccount entry for a Windows client in the LDAP directory if the passdb backend option is set to ldapsam or ldapsam_compat:

       $ /opt/ldapux/bin/ldapmodify -a -D "cn=Directory Manager" -w dmpasswd -h ldaphosta -f new.ldif

   where the LDIF update statements specified in the new.ldif file are added to the LDAP directory server, ldaphosta.
   The following is an example of LDIF update statements in the new.ldif file:

       dn: uid=client1$,ou=people,dc=hp,dc=com
       objectclass: top
       objectclass: account
       objectclass: posixaccount
       cn: client1$
       uid: client1$
       uidnumber: 1002
       gidnumber: 202
       homedirectory: /home/temp
       loginshell: /bin/false

   As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be:

       dn: uid=client1$,ou=people,dc=hp,dc=com
       objectclass: top
       objectclass: posixaccount
       cn: client1$
       sn: client1$
       uid: client1$
       uidnumber: 1002
       gidnumber: 202
       homedirectory: /home/client1$
       loginshell: /bin/false
       userpassword: {crypt}x
       pwdlastset:
       logontime: 0
       logofftime:
       kickofftime:
       pwdcanchange: 0
       pwdmustchange:
       rid: 1206
       primarygroupid: 1041
       acctflags: [W ]
       displayname: client1$

3. Run the smbpasswd program on the Samba PDC server to create the Windows account:

   Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if the passdb backend option is set to smbpasswd:

       $ smbpasswd -a -m client1$

   An example of the associated machine entry in the /etc/opt/samba/private/smbpasswd file for a client machine named "client1" would be:

       client1$:*803:808:ed816822d0393daad3b435b51404dd:321ABEEFE10EC431B9BBFF1A1C0C047:[W ]:LCT :

   Use the following command to add the sambasamaccount entry for a Windows client to the LDAP directory server if the passdb backend option is set to ldapsam or ldapsam_compat:

       $ smbpasswd -a -m client1

   An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be:

       objectclass: posixaccount
       objectclass: sambasamaccount
       cn: client1$
       uid: client1$
       uidnumber: 1002
       gidnumber: 202
       homedirectory: /home/temp
       loginshell: /bin/false
       gecos: Samba_Server
       description: Samba_Server
       userpassword: {crypt}x
       pwdlastset:
       logontime: 0
       logofftime:
       kickofftime:
       pwdcanchange: 0
       pwdmustchange:
       rid: 1206
       primarygroupid: 1041
       lmpassword: E0AFF63989B8FA A685C6ADFC1
       ntpassword: E0AFF63989B8FA A685C6ADFC1
       acctflags: [W ]
       displayname: client1$

4. Log on to Windows NT as a local admin user.

5. From the Windows NT desktop, click 'Start', 'Settings' and 'Control Panel'. When the Control Panel window opens, double-click on the 'Network' icon. When the 'Network' window opens, click the 'Identification' tab. Refer to Figure 19 (page 67) below.

6. Enter the Samba domain name in the 'Domain' field, and click on the 'Change' button. Refer to Figure 19 (page 67) below.
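The machine trust account layout used in "Create the machine trust accounts" and again in steps 2 and 3 above (name ending in "$", shell /bin/false, matching uid in /etc/passwd and smbpasswd, workstation flag W) can be audited after the fact; the following is an added example, not code from the HP CIFS Server guide. The function names and every sample /etc/passwd and smbpasswd line are constructed for this example.

```python
"""Added example, not code from the HP CIFS Server guide: cross-check the
machine trust accounts of an HP CIFS PDC between /etc/passwd and the
smbpasswd file, using the conventions this chapter gives (name ending in
"$", shell /bin/false, matching uid, workstation flag W).  Function names
and all sample entries are constructed for this example."""
from typing import Dict, List

# Constructed /etc/passwd lines (uids and names are not the page's values).
PASSWD_SAMPLE = """\
root:*:0:3::/:/sbin/sh
domuser:*:501:20:Domain Users:/home/domuser:/usr/bin/sh
client1$:*:801:800:NT_workstation:/home/temp:/bin/false
client2$:*:802:800:NT_workstation:/home/temp:/usr/bin/sh
"""

# Constructed smbpasswd lines in the layout
# name:uid:LM hash:NT hash:[flags]:LCT-<hex>:   (hashes are dummy values).
SMBPASSWD_SAMPLE = """\
client1$:801:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-4F1D2E3A:
client2$:803:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4F1D2E3A:
client3$:804:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-4F1D2E3A:
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map user name -> {uid, gid, shell} from /etc/passwd style text."""
    accounts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; a fuller audit would report it
        accounts[fields[0]] = {"uid": fields[2], "gid": fields[3], "shell": fields[6]}
    return accounts


def parse_smbpasswd(text: str) -> Dict[str, dict]:
    """Map user name -> {uid, flags} from smbpasswd style text; flags is the
    set of letters inside the [...] field (W marks a workstation account)."""
    accounts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue
        flags = set(fields[4].strip("[]").replace(" ", ""))
        accounts[fields[0]] = {"uid": fields[1], "flags": flags}
    return accounts


def check_machine_accounts(passwd_text: str, smbpasswd_text: str) -> List[str]:
    """Return one finding per deviation from the chapter's machine account
    layout; an empty list means every machine account is consistent."""
    passwd = parse_passwd(passwd_text)
    smb = parse_smbpasswd(smbpasswd_text)
    findings: List[str] = []
    for name, entry in smb.items():
        if not name.endswith("$"):
            continue  # ordinary user accounts are out of scope here
        if name not in passwd:
            findings.append(f"{name}: no matching POSIX account in /etc/passwd")
            continue
        posix = passwd[name]
        if posix["uid"] != entry["uid"]:
            findings.append(f"{name}: uid {entry['uid']} in smbpasswd but "
                            f"{posix['uid']} in /etc/passwd")
        if "W" not in entry["flags"]:
            findings.append(f"{name}: account flags lack W (workstation trust account)")
        if posix["shell"] != "/bin/false":
            findings.append(f"{name}: login shell is {posix['shell']}, expected /bin/false")
    for name in passwd:
        if name.endswith("$") and name not in smb:
            findings.append(f"{name}: POSIX account has no smbpasswd entry")
    return findings


if __name__ == "__main__":
    for finding in check_machine_accounts(PASSWD_SAMPLE, SMBPASSWD_SAMPLE):
        print(finding)
```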
Figure 19 Entering a Samba PDC domain name

Roaming profiles

The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features:

- A user's environment, preference settings, desktop settings, etc. are stored on the HP CIFS Server.
- Roaming Profiles can be created as a share, and be shared between Windows clients.
- When a user logs on to a workstation in the domain, the roaming profile is downloaded from the share, which is on an HP CIFS Server configured as a PDC, to the local machine. Upon logout, the profile is copied back to the server.

Configuring roaming profiles

Use the following procedure to configure roaming profiles:

1. Modify or enable roaming profiles by using the global parameter named logon path in the smb.conf file. Example:

       [global]
       logon path = \\%L\profile\%U
       workgroup = SAMBADOM
       security = user
       encrypt passwords = yes
       domain logon = yes

2. Create a [profiles] share for roaming profiles. Set profile acls = yes for the profile share used for the user profile files. Do not set profile acls = yes on normal shares, as this will result in incorrect ownership of the files created on those shares. The following is an example configuration for the [profiles] share:

       [profiles]
       profile acls = yes
       path = /etc/opt/samba/profiles
       read only = no
       create mode = 600
       directory mode = 770
       writeable = yes
       browseable = no
       guest ok = no

Configuring user logon scripts

The logon script configuration must meet the following requirements:

- User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.
- Scripts should be set to UNIX executable permission.
- Any logon script should contain valid commands recognized by the Windows client.
- A logon user should have proper access permissions to execute logon scripts.

The following is an example configuration for user logon scripts:

    [global]
    logon script = %U.bat

    [netlogon]
    path = /etc/opt/samba/netlogon
    writeable = yes
    browseable = no
    guest ok = no

In this example, the batch (.bat) file is executed from a file share called [netlogon] on an HP CIFS Server configured as a PDC.

Running logon scripts when logging on

An HP CIFS Server configured as a PDC can enable the execution of logon scripts when users log on. To enable this feature, the following must be done:

- User logon scripts should be stored in a file share on the HP CIFS Server called [netlogon].
- The HP CIFS Server enables the execution of logon scripts by setting the global parameter named logon script in the smb.conf file.
- Any logon script that is to be executed on a Windows client must be in DOS text format and have executable permission.

Home drive mapping support

An HP CIFS Server provides user home directories and home drive mapping functionality by using the following two global parameters in the smb.conf file:

- logon home
- logon drive

Example:

    [global]
    logon drive = H:
    logon home = \\%L\%U

Trust relationships

Trust relationships enable pass-through authentication of users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. There are various forms of trusts, depending on the domain type, and Windows 2003/2008 R2 ADS domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at technet.microsoft.com. For information on HP CIFS Server trust relationships with Windows 2003/2008 R2, see Windows 2003 and Windows 2008 domains (page 71).

HP CIFS Server supports the following external trust relationships with NT Style Domains:

- HP CIFS PDCs support external trusts between a Samba and an NT Domain. A CIFS Samba Domain may be a trusting, trusted, or bi-directional trust (both trusting and trusted, or "two way") domain with an NT Domain.
- HP CIFS PDCs support trusts between Samba Domains. A Samba Domain may be a trusting, trusted, or bi-directional trust domain with another Samba Domain.
- HP CIFS Member Servers of either a Samba Domain or an NT Domain will respect the trust relationships established by their domain controller.
- Transitive trusts, in which domain A trusts domain B which trusts domain C and thereby domain A trusts domain C, are not respected by HP CIFS Servers.

Configuring smb.conf for trusted users

HP CIFS Server requires an HP-UX local logon for all Samba users. Therefore, even a trusted Samba user from another domain needs a matching local POSIX user. To allow POSIX users to be added on the fly, set the add user script smb.conf configuration parameter. For example:

    add user script = /usr/sbin/useradd -g users -c "Auto_Account" \
        -s /bin/false %u

Establishing a trust relationship on an HP CIFS PDC with another Samba Domain

This section describes the procedures used to establish a trust relationship on an HP CIFS PDC with another Samba Domain.

Log on as root and execute the following steps on the trusted domain PDC:

1. Add a trust account for the trusting domain to /etc/passwd. Add the domain name with the "$" using the useradd command as follows:

       $ useradd <trusting domain name>$

   Due to the maximum name length of 8 for the useradd command, you may need to edit /etc/passwd to add the trusting domain name account.

2. Run smbpasswd to add a trusting domain Samba account to your trusted domain backend database and create a password for the trusting account. This password is used by the trusting domain when it establishes the trust relationship.

       $ smbpasswd -a -i <trusting domain name>

Log on as root and execute the following step on the trusting domain PDC:

1. Run net rpc trustdom to establish the trust and type the password that was created with the smbpasswd command on the trusted domain PDC.

       $ net rpc trustdom establish <trusted domain name>
Establishing a trust relationship on an HP CIFS PDC with an NT domain

Trusting an NT Domain from a Samba Domain

Use the following steps to trust an NT domain from a Samba Domain:

1. On the NT domain controller, run the User Manager utility. Go to Policies/Trust Relationships, add the trusting Samba domain account for the CIFS Server and establish a password.

2. Log on as root on the trusting Samba Domain PDC. Run net rpc trustdom to establish the trust and type the password that was created with the User Manager utility on the trusted NT Domain PDC.

       $ net rpc trustdom establish <trusted domain name>

Trusting a Samba Domain from an NT domain

Log on as root and execute the following steps on the trusted Samba Domain PDC:

1. Add a trust account for the trusting NT domain to /etc/passwd. Add the domain name with the "$" using the useradd command as follows:

       $ useradd <trusting NT domain name>$

   Due to the name length limitation of the useradd command, you may need to edit /etc/passwd to add the trusting NT domain name account.

2. Run smbpasswd to add a trusting NT domain Samba account to your trusted Samba domain backend database and create a password for the trusting account. This password is used by the trusting NT domain when it establishes the trust relationship.

       $ smbpasswd -a -i <trusting domain name>

3. On the NT domain controller, run the User Manager utility. Go to Policies/Trust Relationships. Add the trusted Samba domain account for the CIFS Server and type the password established by the smbpasswd command on the Samba Domain PDC.

Establishing a trust relationship on an HP CIFS member server of a Samba Domain or an NT domain

HP CIFS Member Servers of an NT Domain automatically respect the trust relationships established by their domain controllers. No extra configuration is required.
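The role parameters this chapter prescribes for a PDC, a BDC and a domain member server (security, domain logon, domain master, encrypt passwords, the [netlogon] share, and profile acls only on the profile share) can be checked mechanically against an smb.conf; the following is an added example, not code from the HP CIFS Server guide. The parser, the role detection, the function names and the two sample configurations are assumptions made for this example.

```python
"""Added example, not code from the HP CIFS Server guide: a checker for the
domain-role parameters this chapter describes for /etc/opt/samba/smb.conf
(PDC, BDC and domain member server); parser, role detection, function names
and sample configurations are all assumptions made here."""
import re
from typing import Dict, List


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    '#' comments (trailing ones too, as in the chapter's listings)."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf


def detect_role(conf: Dict[str, Dict[str, str]]) -> str:
    """Classify the server as 'member', 'pdc', 'bdc' or 'standalone'."""
    g = conf.get("global", {})
    if g.get("security", "").lower() in ("domain", "ads"):
        return "member"
    if g.get("domain logon", "").lower() == "yes":
        return "pdc" if g.get("domain master", "").lower() == "yes" else "bdc"
    return "standalone"


def check_domain_role(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per deviation from the chapter's rules for the detected role."""
    g = conf.get("global", {})
    role = detect_role(conf)
    findings: List[str] = []

    def expect(key: str, wanted: str) -> None:
        actual = g.get(key, "").lower()
        if actual != wanted:
            findings.append(f"[global] {key} = {actual or '<unset>'}; "
                            f"expected {wanted} for a {role.upper()}")

    if role in ("pdc", "bdc"):
        expect("security", "user")
        expect("domain logon", "yes")
        expect("encrypt passwords", "yes")
        expect("domain master", "yes" if role == "pdc" else "no")
        netlogon = conf.get("netlogon")
        if netlogon is None:
            findings.append("[netlogon] share missing; the domain logon service needs it")
        elif netlogon.get("guest ok", "").lower() != "no":
            findings.append("[netlogon] guest ok should be no")
    elif role == "member":
        expect("security", "domain")
        expect("encrypt passwords", "yes")
        if "password server" not in g and "passdb backend" not in g:
            findings.append("[global] password server not set; no PDC to validate against")
    # profile acls = yes belongs only on the profile share (Roaming profiles).
    for name, params in conf.items():
        if params.get("profile acls", "").lower() == "yes" and name != "profiles":
            findings.append(f"[{name}] profile acls = yes outside the profile share "
                            "gives created files incorrect ownership")
    return findings


# Constructed samples: a PDC modelled on the chapter's listing, and a BDC
# that breaks several of the chapter's rules.
PDC_CONF = """\
[global]
   workgroup = SAMBADOM #Samba Domain
   security = user
   domain logon = yes
   domain master = yes
   encrypt passwords = yes
[netlogon]
   path = /var/opt/samba/netlogon
   guest ok = no
[profiles]
   profile acls = yes
   path = /etc/opt/samba/profiles
"""
BAD_BDC_CONF = """\
[global]
   security = user
   domain logon = yes
   encrypt passwords = no
[netlogon]
   guest ok = yes
[data]
   profile acls = yes
"""

if __name__ == "__main__":
    print(check_domain_role(parse_smb_conf(BAD_BDC_CONF)))
```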
5 Windows 2003 and Windows 2008 domains

Introduction

This chapter describes the process for joining an HP CIFS Server to a Windows 2003 or Windows 2008 Domain as an ADS Member Server. To join as a pre-Windows 2000 computer, see Domain member server (page 60) in Chapter 4, "NT Style Domains".

By default, Windows 2003 and Windows 2008 Servers utilize the Kerberos authentication protocol for increased security. By joining an HP CIFS Server to the Windows 2003 or Windows 2008 ADS domain as a Member Server, the HP CIFS Server can also participate in this increased security. The HP-UX Kerberos Client software and LDAP-UX Integration software are required to enable HP CIFS Server Windows 2003 and Windows 2008 ADS domain member capability. This chapter describes instructions for joining an HP CIFS Server to a Windows 2003 or Windows 2008 ADS Domain. For detailed information about Kerberos, see Kerberos support (page 113) and the white paper "HP CIFS Server and Kerberos", available at the following web site:

For detailed information about LDAP, see LDAP integration support (page 81).

HP CIFS and other HP-UX Kerberos applications co-existence

Because the HP CIFS Server stores the Kerberos secret key in /var/opt/samba/private/secrets.tdb by default, the standard CIFS Kerberos configuration can only be used by HP CIFS Server users. If other HP-UX applications use the /etc/krb5.keytab file, a mismatch of keys occurs, resulting in failure for CIFS or the other applications depending upon which key is the latest. Moreover, HP-UX Internet Services users cannot use system Kerberos libraries to access system resources because of a mismatch in Kerberos libraries on the system. The Internet Services (IS) suite utilizes its own Kerberos library set, which is delivered with the Internet Services product.
If you wish to use Kerberos in your network for other products as well as HP CIFS Server, you may generate an /etc/krb5.keytab file from an HP CIFS Server and configure HP CIFS Server to access the secret key from the /etc/krb5.keytab file instead of the /var/opt/samba/private/secrets.tdb file. This feature provides Kerberos interoperability between HP CIF Server users and HP-UX Internet Services users. See Kerberos support (page 113) for the proper configuration.

HP-UX Kerberos client software and LDAP integration software dependencies

Kerberos v5 Client E or later for HP-UX 11i v3 is required to support HP CIFS Server integration with a Windows 2003 ADS Domain Controller (DC). The following lists HP-UX Kerberos Client software dependencies:

- Kerberos v5 Client E or later for HP-UX 11i v3 is required for keytab file support.
- Kerberos v5 Client E or later for HP-UX 11i v3 is required for the encryption type RC4-HMAC support.
- Kerberos v5 Client E requires Service Pack 1 on Windows.

You can download the Kerberos v5 Client (KRB5CLIENT) product from the following Software Depot web site:

Enter KRB5CLIENT in the search field.
For the latest LDAP Integration software, download the product from the HP Software Depot web site; enter LDAP-UX Integration for HP-UX in the search field.

Strong authentication support

When you enable LDAP server signing with required signing for strong authentication support on a Windows 2003/2008 R2 ADS Domain Controller (DC), you can enable an extended operation of the Transport Layer Security (TLS) protocol called starttls on an HP CIFS Server to provide signing negotiation with a Windows ADS DC. The SSL/TLS protocol provides secure communication between an HP CIFS Server and a Windows 2003/2008 R2 ADS DC. With the starttls feature you can establish an encrypted connection over the un-encrypted port, 389.

If you want to enable starttls for strong authentication support, you must perform the following tasks before you run the kinit and net ads join commands as described in Step-by-step procedure (page 76) to join an HP CIFS Server to a Windows 2003/2008 R2 ADS domain as a domain member server:

- Install a Certification Authority (CA) on a Windows ADS Server.
- Download and install the certificate database files, cert8.db and key3.db, on the HP CIFS Server machine from the Windows CA Server.
- Configure HP CIFS Server to enable the starttls feature.

Steps to install Certification Authority (CA) on a Windows ADS server

You need to install an SSL/TLS Certification Authority (CA) on a Windows ADS Server before you download the certificate database files, cert8.db and key3.db, to your HP CIFS Server machine. If you have installed MS IIS Service, you must stop and restart MS IIS Service while installing CA.

NOTE: If a previous CA has been installed on your Windows ADS Server and the CA services do not work, you must remove them before you reinstall CA.
For detailed information on how to manually remove a Windows Certificate Authority from a Windows 2003/2008 R2 ADS domain, refer to the Microsoft documentation.

The following steps show you how to install MS CA on a Windows ADS Server using the MS Certificate Service Installation Wizard:

1. Select Control Panel -> Add-Remove Programs -> Add-Remove Windows Components.
2. Check Certificate Service.
3. Check Application Server.
4. Click the Next button.
5. Select Enterprise Root Certificate Authority.
6. Provide a common name (CN) for the system. It must be a fully qualified domain name.
7. Specify the Certificate database settings log location. For example, C:\Windows\system32\CertLog
8. To install CA services, you must temporarily stop MS IIS Service if you have installed it. Then restart it after the installation of CA services is completed.
9. Run Certificate Services in Administrative Tools to verify that the installation of Windows Certificate Authority succeeded.
10. Access the CA from a web browser.
Steps to download the CA certificates from Windows CA server

Use the following steps to download the Certificate Authority certificates from a Windows 2003 CA Server using the Mozilla browser:

1. You must install the Mozilla browser on your HP-UX system.
2. Log in to your HP CIFS Server machine as root.
3. Use the following command to set up your DISPLAY environment variable on your HP CIFS Server machine:

    export DISPLAY=your_machine_ip:0.0

4. Run the following command to start the Mozilla browser:

    /opt/mozilla/bin/mozilla &

5. Use the Mozilla browser to connect to your Windows CA Server. The following shows an example of a link used to connect to your Windows CA Server:

    CA_Server_name/certsrv

6. Provide the administrator name and password after you connect to your CA Server.
7. Click on the Download a CA Certificate, Certificate Chain, or CRL link.
8. Check Base 64 in the Encoding method field.
9. Click on the Download CA Certificate link.
10. Check the Trust this CA to identify web sites, Trust this CA to identify users, and Trust this CA to identify software developers check boxes in the Downloading Certificate window. Then click the OK button.
11. Click the Open button when the file download window appears.
12. Click the Install Certificate button.
13. Click Next.
14. Use Automatically select the certificate store based on the type of certificate. Then click the Next button.
15. Click the Finish button.
16. The CA certificates are downloaded to the following two files on your HP CIFS Server system:

    /.mozilla/default/*.slt/cert8.db
    /.mozilla/default/*.slt/key3.db

17. You can simply copy the certificates to the file location you want. The default location of the certificate database files is /etc/opt/ldapux. For example, the following commands copy the certificates from the /.mozilla/default/*.slt directory to the /etc/opt/samba directory:

    cd /.mozilla/default/*.slt
    cp cert8.db /etc/opt/samba/cert8.db
    cp key3.db /etc/opt/samba/key3.db

18. Run the following command to verify whether the certificates work with a Windows ADS:

    ldapsearch -h ADS_server_name -Z -P /etc/opt/samba/cert8.db -s base \
        -b "" "(objectclass=*)"

   The results from the command are displayed if the certificates work.

Configuring HP CIFS server to enable starttls

To configure HP CIFS Server to enable starttls in a Windows 2003/2008 R2 ADS domain, you must configure the smb.conf file, which specifies the name of the ADS Kerberos realm, ADS security, starttls enabled, the NetBIOS name or IP address of the Windows ADS PDC machine, and the location of the certificate database files, cert8.db and key3.db. The following is an example of the [Global] section of the /etc/opt/samba/smb.conf file:

    [Global]
    realm = MYREALM
    security = ADS
    password server = adsdc_server
    ldap server = adsdc_server
    ssl cert path = /etc/opt/ldapux

To enable starttls over the un-encrypted port 389, set:

    ldap ssl = start_tls

For more information about the smb.conf configuration parameters used in the previous example, see Configuration parameters (page 74).

Joining an HP CIFS server to a Windows 2003 and Windows 2008 domain

HP CIFS Server only supports the following Kerberos encryption types:

- DES-CBC-MD5
- DES-CBC-CRC
- RC4-HMAC

You must configure one of these encryption types in the /etc/krb5.conf file as shown below. HP recommends that you set the encryption type to DES-CBC-MD5 in /etc/krb5.conf unless you have other Kerberos-enabled applications on the HP server that require one of the other supported encryption types.

If your machine has already been added to the ADS with the Windows Server Manager GUI, you may simply use Windows Server Manager to delete the machine account. Then follow the instructions to run the "kinit" and "net ads join" commands as described below in Step-by-step procedure (page 76). Another way to resolve this problem is to *AND* the "useraccountcontrol" attribute value for the CIFS member server with the ADS_UF_USE_DES_KEY_ONLY ( or 0x ) flag in the ADS. This can be accomplished by using the "adsiedit.msc" tool from the Windows 2003 or 2008 R2 CD or by using the ldapmodify command.

NOTE: If an HP CIFS Server is currently joined to the domain as a pre-Windows 2000 member server, first remove the server from the domain before adding the HP CIFS Server to a Windows domain as an ADS member server.
Configuration parameters

The following is a description of the smb.conf parameters shown in Step-by-step procedure (page 76):

realm
    This string parameter specifies the name of the ADS Kerberos realm, which is the fully qualified domain name. It must be set to the same value as the Kerberos realm in krb5.conf.

ldap server
    This string parameter specifies the host name of the LDAP ADS PDC server where you want to store your data.

ldap ssl
    This parameter specifies the SSL/TLS support. Specify Yes to enable the SSL feature, using the encrypted port number 636 to connect to the LDAP ADS server. If you choose to use starttls, set this parameter to start_tls, using the un-encrypted port number 389 to connect to the LDAP ADS server. To disable SSL, set it to No. The default value is No.

ssl cert path
    This string parameter specifies the file location of the certificate database files, cert8.db and key3.db. For example, ssl cert path = /etc/opt/samba. The default value is /etc/opt/ldapux.

workgroup
    This parameter specifies the name of the domain in which the HP CIFS Server is a domain member server.

security
    When the HP CIFS Server joins a Windows 2003/2008 R2 native mode domain as a member server, you must set this parameter to ADS.

password server
    This parameter defines the NetBIOS name or IP address of the Windows ADS PDC machine that performs the user name authentication and validation. The default setting of this parameter is *. If set to the character *, Samba will attempt to automatically locate the Primary Domain Controllers. It is an optional parameter.

encrypt passwords
    If this parameter is set to yes, the passwords used to authenticate users are encrypted. The default value is yes.

netbios name
    Set this parameter to the NetBIOS name by which the member server is known.

Setting permissions for a user

When using the net ads join command on an HP-UX machine to join an HP CIFS Server to a Windows 2003/2008 R2 ADS Domain as a member server, a normal user is not allowed to run the net ads join command. You must configure a Windows user to have create/delete computer object permissions. The following Windows users are allowed to run the net ads join command:

- An administrator.
- A user who is a member of the Administrators, Domain Admins, Enterprise Admins or OU Admins group in the Windows ADS Domain Controller; such a user has create/delete computer object permissions by default.
- A normal user who has been granted create/delete computer object permissions. Without this privilege, a normal user does not have permission to create/delete a machine account for an HP CIFS Server in the Windows ADS database.
Use the following procedure to grant create/delete computer object permissions to a normal user, cifsuser, as an example on the Windows 2003 ADS Domain:

1. In the Active Directory Users and Computers console, click View and select Advanced Features.
2. Click on the Computers object and right click to open its properties.
3. Select the Security tab on the properties window.
4. Click on the Advanced button.
5. In the permission entries list, select Account Operators (yourads_domain\Account Operators) with Create/Delete Computer Objects permission.
6. Click on the Add button.
7. Click on the Advanced button.
8. Click on Object Types to restrict the search scope to Users only: leave only the Users check box checked and clear all the other check boxes. Then click on the OK button.
9. Click on the Find Now button to look for normal user names. In the search result list, click on the domain user name, cifsuser, who will use the net ads join command. Then click on the OK button.
10. Once the selected user is shown in the Enter the object name to select list, click the OK button to open the Permission Entry for Computers window.
11. In the Permissions dialog box, check the Create Computer Objects and Delete Computer Objects selections.
12. Click on the OK button.
13. Click on the Apply button.
14. Click on the OK button on the Advanced Security Settings for Computers window.
15. Click on the OK button on the Computers Properties window.

Step-by-step procedure

Use the following instructions to join an HP CIFS Server to a Windows 2003/2008 R2 ADS Domain as a member server:

1. Verify that the LDAP-UX Integration product has been installed on your HP CIFS Server:

    swlist | grep J4269AA

   Consult Installing LDAP-UX client services on an HP CIFS server (page 85) in Chapter 6, "LDAP Integration Support" if necessary.

2. On your HP CIFS Server, create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. If there is no /etc/krb5.conf file at the time that /opt/samba/bin/samba_setup is run, samba_setup attempts to create and validate an appropriately configured krb5.conf file based on the answers to the questions asked when 'ads member server' is chosen. The following is an example of /etc/krb5.conf which has the realm MYREALM.XYZ.COM and the machine adsdc.myrealm.xyz.com as a KDC:

    # Kerberos Configuration
    #
    # This krb5.conf file is intended as an example only.
    # See krb5.conf(4) for more details.
    #
    # Please verify that you have created the directory /var/log.
    #
    # Replace MYREALM.XYZ.COM with your Kerberos realm.
    # Replace adsdc.myrealm.xyz.com with your Windows ADS DC full
    # domain name.
    #
    [libdefaults]
        default_realm = MYREALM.XYZ.COM
        default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        ccache_type = 2

    [realms]
        MYREALM.XYZ.COM = {
            kdc = adsdc.myrealm.xyz.com:88
            admin_server = adsdc.myrealm.xyz.com
        }

    [domain_realm]
        .xyz.com = MYREALM.XYZ.COM

    [logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log
NOTE: You must configure the port number :88 after the node name specified for the kdc entry in the [realms] section. Kerberos v5 uses port number 88 for the KDC service. For detailed information on how to configure the /etc/krb5.conf file, refer to the krb5.conf(4) man page.

3. Run the following commands to verify the Kerberos configuration:

    log in as root
    kinit <user>

   (Add the user and password to the Windows ADS DC first if necessary.) The possible errors during verification are as follows:

   - Pre-Authentication Failed means you have typed the password incorrectly.
   - Clock skew too great means the time on the HP-UX machine is not synchronized with the Windows domain controller. Execute the date command to reset the date, or set TZ=GMT, and try again.
   - You may see the warning message kinit: KDC has no support for encryption type while getting initial credentials. You must change your Administrator password at least once from the original password that you used for Administrator when installing your Windows 2003/2008 R2 ADS domain. This warning message is also displayed when you do not have the appropriate encryption methods set in the /etc/krb5.conf file. Check the content of the /etc/krb5.conf file for syntax or content errors and ensure that port :88 has been added to the kdc entry in the [realms] section.

4. Use the following procedures to configure the HP CIFS Server:

   For new installations, run /opt/samba/bin/samba_setup and choose ADS Member Server. Finish the samba_setup commands and verify the following smb.conf configuration items. samba_setup will then perform the "net ads join -U Administrator%password" command to join the ADS domain for you.

    [global]
        # Domain Name
        workgroup = MYREALM
        realm = MYREALM.XYZ.COM
        security = ADS
        domain master = no
        encrypt passwords = yes
        password server = adsdc.myrealm.xyz.com
        netbios name = MYSERVER

   For existing installations, modify the smb.conf configuration items as follows:

    [global]
        # Domain Name
        workgroup = MYREALM
        realm = MYREALM.XYZ.COM
        security = ADS
        domain master = no
        encrypt passwords = yes
        password server = adsdc.myrealm.xyz.com
        netbios name = MYSERVER

   Then join the ADS domain by manually executing the "net ads join -U Administrator%password" command.

   NOTE: If you use the starttls feature for strong authentication support, see the Configuring HP CIFS server to enable starttls section for more information about the smb.conf configuration.

5. Use the following command to start your HP CIFS Server:

    /opt/samba/bin/startsmb

6. Run the following command to verify Kerberos authentication. In the following command, the -k option is required to force the use of Kerberos security:

    smbclient -W <Windows Domain> -U <user name in domain> -k //<HP CIFS Server name>/<share> <password for user>

   If the smbclient command succeeds, you can connect to the share on the HP CIFS Server.

Trust relationships

Trust relationships enable pass-through authentication of users of one domain in another. A trusting domain permits logon authentication to users of a trusted domain. There are various forms of trusts, depending on the domain type, and Windows 2003/2008 R2 ADS domain trusts differ from NT Domain trusts. For more information on trusts, consult the MS TechNet papers at technet.microsoft.com. For information on HP CIFS Server trust relationships with NT Domains, see Windows style domains (page 57).

Windows 2003/2008 R2 ADS domain trusts can take many forms. HP CIFS Server can support some but not all Windows 2003/2008 R2 trusts, as described below:

- HP CIFS PDCs can support external trusts, which include trust relationships established between CIFS Samba Domains and Windows 2003/2008 R2, including incoming, outgoing, and two-way trusts.
- HP CIFS Member Servers do not support all Windows 2003/2008 R2 ADS domain intra/inter-forest trusts. Most parent-child and child-child trusts are recognized appropriately and shortcut trusts are supported. Shortcut trusts can be established explicitly between Windows 2003/2008 R2 ADS domains to ensure that HP CIFS Servers recognize forest configurations where necessary.
- Transitive trusts, in which domain A trusts domain B, which trusts domain C, so that domain A trusts domain C, are not respected by HP CIFS Servers.

Establishing external trust relationships between HP CIFS PDCs and Windows 2003 and Windows 2008 domains

To configure the Windows domain controller for the trust relationship with the Samba domain PDC, perform one of the following procedures, as appropriate for the server in your domain.

For a Windows 2003 domain controller, use the Administrative Tools utility to perform the following steps:

1. From the Start menu, select Programs -> Administrative Tools -> Active Directory Domains and Trusts.
2. Right click on the desired Active Directory domain name and select Properties.
3. Select the Trusts tab, then click New Trust. Click Next.
4. Specify the Samba PDC domain name and select Next. The Samba domain name is the domain name specified in the workgroup parameter in smb.conf.
5. Select your choice of trust type, One-way: incoming, One-way: outgoing, or Two-way, and select Next.
6. Enter and confirm the trust password.
7. Review and select Next.
8. Select Yes and select Next, two more times.
9. Select Finish and then OK.

NOTE: Windows Server 2003 Service Pack 1 (SP1) may require the RestrictAnonymous registry subkey to be set to 0 and the value of the RestrictNullSessAccess registry subkey also to be set to 0. Run regedit from the Start button and find RestrictNullSessAccess under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters. For more details, refer to the RestrictNullSessAccess trust documentation on Microsoft TechNet. Alternatively, if you do not want to change the registry on Windows Server 2003 Service Pack 1 (SP1), you can use the --set-auth-user option of the wbinfo command to set a domain user account and password for the winbind service. Using this option enables the winbind service to authenticate itself with a valid domain user account while accessing the user and group information from the Windows 2003 Server.

To create the corresponding configuration on the Samba domain PDC for a two-way trust relationship with the Windows domain, log on as root and execute the following steps:

1. Run the following command to start the winbind daemon:

    startsmb -winbind

2. Add a trust account for the trusting Windows domain to /etc/passwd. Add the trusting domain name with a trailing $ using the useradd command. For example, the following command adds a trust account for the trusting Windows domain name, windomaina, to /etc/passwd:

    useradd windomaina$

   Because of the maximum name length of 8 for the useradd command, you may need to edit /etc/passwd directly to add the trusting Windows domain name account.

3. Run smbpasswd to add a trusting Windows domain Samba account to your trusted Samba domain database and create a password for the trusting account. Use the same trusting Windows domain name specified in step 2. This password is used by the trusting Windows domain when it establishes the trust relationship. For example, the following command adds the trusting Windows domain account, windomaina, to the Samba domain database:

    smbpasswd -a -i windomaina$

4. Run net rpc trustdom to establish the trust with the trusted Windows domain. For example, the following command establishes the trust relationship with the trusted Windows domain name, windomaina:

    net rpc trustdom establish windomaina -S <ADS domain controller server name> -U windomaina\\administrator%pw

5. Use the following command to verify the trust relationship:

    net rpc trustdom list -U root%pw

Establishing a trust relationship on an HP CIFS member server of a Windows 2003 or Windows 2008 domain

HP CIFS Servers will not automatically recognize all intra/inter-forest trusts. CIFS member servers will recognize most parent-child and child-child relationships and shortcut trusts, but you may need to use the Windows Administrative Tool Active Directory Domains and Trusts to establish explicit shortcut trusts where other trusts are desired.
In order for an HP CIFS Member of a Windows 2003 or Windows 2008 Domain to recognize trusts established by its Domain Server, its /etc/krb5.conf file must declare the trusted domains in the [realms] section (not in [domain_realm]). For example, an HP CIFS member of the Windows 2003/2008 R2 ADS domain mydom, which trusts trust1dom and trust2dom, might have the following /etc/krb5.conf file:

    [libdefaults]
        default_realm = MYDOM.ORG.HP.COM
        default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
        ccache_type = 2

    [realms]
        MYDOM.ORG.HP.COM = {
            kdc = myserv.mydom.org.hp.com:88
            admin_server = myserv.mydom.org.hp.com
        }
        TRUST1DOM.ORG.HP.COM = {
            kdc = trust1serv.trust1dom.org.hp.com:88
            admin_server = trust1serv.trust1dom.org.hp.com
        }
        TRUST2DOM.ORG.HP.COM = {
            kdc = trust2serv.trust2dom.org.hp.com:88
            admin_server = trust2serv.trust2dom.org.hp.com
        }

    [domain_realm]
        .org.hp.com = MYDOM.ORG.HP.COM

    [logging]
        kdc = FILE:/var/opt/samba/log.krb5kdc
        admin_server = FILE:/var/opt/samba/log.kadmin
        default = FILE:/var/opt/samba/log.krb5lib
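The chapter's join procedure, its starttls configuration and the trusted-realm krb5.conf above each depend on a handful of settings agreeing with one another: every kdc entry in [realms] carrying the :88 suffix, only the three supported encryption types being configured, the smb.conf realm matching the krb5.conf default_realm, security set to ADS, and, when ldap ssl = start_tls, cert8.db and key3.db actually being present in ssl cert path. The script below is an added example (not HP CIFS Server code or part of samba_setup) that checks exactly those points before net ads join is attempted. It takes the file paths as arguments; the sample krb5.conf and smb.conf it writes, including the TRUST1DOM realm and the deliberately broken variants, are constructed for the demonstration, and the AES256-CTS enctype is used only as something the chapter does not list.

```shell
#!/bin/sh
# Added example, not HP CIFS Server code: checks on the /etc/krb5.conf and
# smb.conf settings this chapter describes, to run before "net ads join".
# Paths are arguments; write_sample_configs creates constructed sample files.

SUPPORTED_ENCTYPES="DES-CBC-MD5 DES-CBC-CRC RC4-HMAC"   # the three listed above

# conf_get FILE KEY: value of the first "KEY = value" line; KEY may contain
# spaces ("password server"); comment lines are skipped.
conf_get() {
    grep -v '^[[:space:]]*[#;]' "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' | sed 's/[[:space:]]*$//' | head -n 1
}

# krb5_kdc_missing_port FILE: "kdc =" hosts in [realms] lacking the ":88"
# suffix the NOTE requires. [logging] also has "kdc =", so sections are tracked.
krb5_kdc_missing_port() {
    awk '/^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); s = substr(s, 1, index(s, "]") - 1); next }
         s == "realms" && /^[[:space:]]*kdc[[:space:]]*=/ {
             sub(/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
             if ($0 !~ /:88$/) print }' "$1"
}

# krb5_unsupported_enctypes FILE: "key=enctype" for each configured enctype
# that is not in SUPPORTED_ENCTYPES (compared case-insensitively).
krb5_unsupported_enctypes() {
    for key in default_tkt_enctypes default_tgs_enctypes; do
        for et in $(conf_get "$1" "$key"); do
            up=$(printf '%s' "$et" | tr '[:lower:]' '[:upper:]')
            case " $SUPPORTED_ENCTYPES " in *" $up "*) ;; *) echo "$key=$et" ;; esac
        done
    done
}

# check_krb5_conf FILE: print each problem; the return value is the count.
check_krb5_conf() {
    kp=0
    [ -n "$(conf_get "$1" default_realm)" ] || { echo "krb5.conf: default_realm is not set"; kp=$((kp + 1)); }
    for h in $(krb5_kdc_missing_port "$1"); do echo "krb5.conf: kdc '$h' needs the :88 suffix"; kp=$((kp + 1)); done
    for e in $(krb5_unsupported_enctypes "$1"); do echo "krb5.conf: unsupported enctype $e"; kp=$((kp + 1)); done
    return $kp
}

# check_smb_conf SMBCONF KRB5CONF: print each problem; the return value is the count.
check_smb_conf() {
    sp=0
    sec=$(conf_get "$1" security | tr '[:lower:]' '[:upper:]')
    [ "$sec" = "ADS" ] || { echo "smb.conf: security must be ADS (found '$sec')"; sp=$((sp + 1)); }
    r1=$(conf_get "$1" realm | tr '[:lower:]' '[:upper:]'); r2=$(conf_get "$2" default_realm | tr '[:lower:]' '[:upper:]')
    [ -n "$r1" ] && [ "$r1" = "$r2" ] || { echo "smb.conf: realm '$r1' must equal krb5.conf default_realm '$r2'"; sp=$((sp + 1)); }
    [ -n "$(conf_get "$1" 'password server')" ] || { echo "smb.conf: password server is not set"; sp=$((sp + 1)); }
    # With "ldap ssl = start_tls" both certificate databases must exist in
    # "ssl cert path" (default /etc/opt/ldapux, as stated above).
    if [ "$(conf_get "$1" 'ldap ssl' | tr '[:upper:]' '[:lower:]')" = "start_tls" ]; then
        certdir=$(conf_get "$1" 'ssl cert path'); certdir=${certdir:-/etc/opt/ldapux}
        for db in cert8.db key3.db; do
            [ -f "$certdir/$db" ] || { echo "smb.conf: starttls enabled but $certdir/$db is missing"; sp=$((sp + 1)); }
        done
    fi
    return $sp
}

# write_sample_configs DIR: constructed good and broken config pairs.
write_sample_configs() {
    mkdir -p "$1/certs" && : > "$1/certs/cert8.db" && : > "$1/certs/key3.db"
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = MYREALM.XYZ.COM
    default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    MYREALM.XYZ.COM = {
        kdc = adsdc.myrealm.xyz.com:88
    }
    TRUST1DOM.XYZ.COM = {
        kdc = trust1serv.trust1dom.xyz.com:88
    }
[logging]
    kdc = FILE:/var/log/krb5kdc.log
EOF
    cat > "$1/smb.conf" <<EOF
[global]
    workgroup = MYREALM
    realm = MYREALM.XYZ.COM
    security = ADS
    password server = adsdc.myrealm.xyz.com
    ldap ssl = start_tls
    ssl cert path = $1/certs
EOF
    # Broken variants: a kdc without :88 plus an enctype not listed above;
    # a realm that disagrees with krb5.conf and a cert path with no databases.
    sed -e 's/adsdc.myrealm.xyz.com:88/adsdc.myrealm.xyz.com/' \
        -e 's/default_tkt_enctypes = /default_tkt_enctypes = AES256-CTS /' "$1/krb5.conf" > "$1/krb5-bad.conf"
    sed -e 's/realm = MYREALM.XYZ.COM/realm = OTHER.XYZ.COM/' -e "s|$1/certs|$1/nocerts|" "$1/smb.conf" > "$1/smb-bad.conf"
}

# Demonstration; a real run points at /etc/krb5.conf and /etc/opt/samba/smb.conf.
demo=$(mktemp -d) && write_sample_configs "$demo"
check_krb5_conf "$demo/krb5.conf" && check_smb_conf "$demo/smb.conf" "$demo/krb5.conf" && echo "sample configs: ready to join"
check_krb5_conf "$demo/krb5-bad.conf" || echo "krb5-bad.conf: $? problem(s)"
rm -rf "$demo"
```

Both check functions return the number of problems as their exit status, so they can gate a join step in a script (`check_krb5_conf /etc/krb5.conf && check_smb_conf /etc/opt/samba/smb.conf /etc/krb5.conf && net ads join ...`). The checks are purely static: they do not contact the KDC, so the kinit step in the procedure above remains the test for password, clock skew and encryption type agreement with the domain controller.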
6 LDAP integration support

Overview

This chapter describes the HP CIFS Server with LDAP integration. It includes the benefits of LDAP and procedures to install, configure and verify the HP Netscape Directory Server, HP LDAP-UX Integration product and HP CIFS Server software. It contains the following sections:

- Overview (page 81)
- Network environments (page 82)
- Summary of installing and configuring (page 84)
- Installing and configuring your directory server (page 84)
- Installing LDAP-UX client services on an HP CIFS server (page 85)
- Configuring the LDAP-UX client services (page 85)
- Enabling Secure Sockets Layer (SSL) (page 89)
- Extending the Samba subschema into your directory server (page 91)
- Migrating your data to the directory server (page 92)
- Configuring the HP CIFS Server (page 95)
- Creating Samba users in the directory (page 97)
- HP CIFS management tools (page 162)

Lightweight Directory Access Protocol (LDAP) provides a framework for the development of a centralized management infrastructure. LDAP supports directory-enabled computing by consolidating applications, services, user accounts, Windows account and configuration information into a central LDAP directory. Samba customer sites with large numbers of users and servers may want to integrate the HP CIFS Server with LDAP support. Configuring multiple HP CIFS servers to communicate with the LDAP directory server provides centralized and scalable management of user databases.

When you integrate the HP CIFS Server with the LDAP-UX Integration product on HP-UX, the HP CIFS Server can store user account information on the Netscape Directory Server. The LDAP database can replace /etc/passwd or NIS and smbpasswd or NT server user databases. The LDAP directory can be used to store the Windows user information which had previously been stored in the smbpasswd file.
When the HP CIFS Server is configured to use the LDAP integration, the smbd program uses the LDAP directory to look up the Windows user information during the authentication and authorization processes. Also, when you invoke the smbpasswd program to add, delete or change Windows user information, the updates are made in the LDAP user database rather than the smbpasswd file.

You can enable LDAP support with configuration parameters provided by the HP CIFS Server. HP CIFS Server accesses an LDAP directory server for password, user, group, and other data when you set the smb.conf passdb backend parameter to ldapsam. You can configure the ldap ssl parameter in the smb.conf file to enable Secure Sockets Layer (SSL) support. With SSL support, the HP CIFS Server can access an SSL-enabled LDAP directory to protect passwords over the network and to ensure confidentiality and data integrity between CIFS servers and the LDAP directory server.

NOTE: While the HP CIFS Server may operate satisfactorily with other LDAP products, HP only provides LDAP support for the HP CIFS Server with the HP LDAP-UX Integration, J4269AA, HP Netscape Directory Server, J4258CA, or HP Red Hat Directory Server, NSDirSvr7, product configurations.
HP CIFS server advantages

The HP CIFS Server with LDAP support provides the following benefits to the customer:

- Reduces the need to maintain user account information across multiple HP CIFS servers, as LDAP provides centralized user database management.
- Easily adds multiple HP CIFS servers or users to the LDAP directory environment. This greatly improves the scalability of the HP CIFS Server.
- Stores and looks up user account information in the LDAP directory. This reduces the user lookup time for large databases by providing an indexed search rather than a sequential search.
- The smbpasswd file has no room for additional attributes. With LDAP support the schema is extensible, so you can store more user information in the LDAP directory. This also eliminates the need for additional employee and user databases.

Network environments

The HP CIFS Server supports many different network environments. Features such as WINS, browser control, domain logons, roaming profiles, and many others continue to be available to support a diverse range of network environments. LDAP integration provides one more alternative solution for Samba user authentication.

Domain model networks

CIFS Server acting as the Primary Domain Controller (PDC)

Since PDCs are responsible for Windows authentication, HP CIFS Servers configured as PDCs replace smbpasswd with LDAP-enabled directory servers for Windows authentication. Other Samba configuration items may remain unchanged. Administrators of new LDAP configurations must also install the HP LDAP-UX Integration software and configure the LDAP client. This also permits the consolidation of POSIX and Windows users on the LDAP directory server.

CIFS Server acting as the member server

HP CIFS Servers acting as member servers in the domain model network environment can continue to operate as member servers by leaving their Samba configuration unchanged.
The Windows authentication requests will continue to be managed by the PDC, whether through LDAP or smbpasswd. Administrators of new LDAP configurations may want to install the HP LDAP-UX Integration software and configure the LDAP client to consolidate POSIX and Windows users on the LDAP directory server. If a member server (security = domain) is also configured to enable LDAP, it will still try to authenticate via the PDC. If the PDC authentication fails, it will then try to authenticate directly via the LDAP directory server set in its own smb.conf configuration file.

CIFS Server acting as Backup Domain Controller (BDC) to Samba PDC

Since BDCs are also responsible for Windows authentication, HP CIFS Servers configured as BDCs can access the LDAP directory for user authentication. BDC configuration is very similar to PDC configuration, with the exception that you set both master browser and domain master to no.

CIFS server acting as an Active Directory Service (ADS) member server

ADS Member Servers use LDAP libraries and Kerberos security to access ADS Domain Controllers' authentication services. Therefore, the LDAP-UX Integration and HP Kerberos Client Library products are required. See Windows 2003 and Windows 2008 domains (page 71) for details.
Workgroup model networks

HP CIFS Servers configured with server mode security will attempt to authenticate Windows users on the server specified. If LDAP is enabled, authentication will fall back to the LDAP server if the server mode authentication fails. HP CIFS Servers configured with share mode security may replace smbpasswd with an LDAP directory server. HP CIFS Servers configured as stand-alone user mode servers may replace smbpasswd with an LDAP directory server.

UNIX user authentication - /etc/passwd, NIS migration

HP UNIX user authentication is required in addition to Samba (Windows) user authentication for HP CIFS Server logon. You can consolidate Samba and UNIX users into a single LDAP directory server database. However, the /etc/passwd file or NIS database files can continue to be used for UNIX users if desired. You can use migration scripts provided by HP to migrate the /etc/passwd file and NIS database files to the LDAP directory server. For more information on the migration scripts, see Migrating your data to the directory server (page 92).

The CIFS authentication with LDAP integration

With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server can access the LDAP directory and look up the Windows user information for user authentication. Figure 6-1 shows the CIFS authentication in the LDAP network environment:

Figure 20 The CIFS authentication with LDAP integration

[Figure: Windows PCs connect to CIFS Server1 and CIFS Server2 over the CIFS protocol; both CIFS servers query the LDAP Directory Server over the LDAP protocol (steps 4 and 5 below).]

The following describes the message exchanges among the Windows PC, CIFS Server and LDAP directory server for the user authentication shown in Figure 6-1:

1. A Windows user requests a connection.
2. The CIFS Server sends a challenge to the Windows PC client.
3. The Windows PC client sends a response packet to the CIFS Server based on the user password and the challenge information.
4. The CIFS Server looks up the user data in the LDAP directory server and requests data attributes including the password information.
5. The CIFS Server receives data attributes including the password information from the LDAP directory server. If the password and challenge information matches the information in the client response packet, the Samba user authentication succeeds.
6. If the Samba user is authenticated and is successfully mapped to a valid POSIX user, the CIFS Server returns a user token session ID to the Windows PC client.

Summary of installing and configuring

The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with LDAP support:

- Install Directory Server, if not already installed. See Installing the directory server (page 84).
- Configure Directory Server, if not already configured. See Configuring your directory server (page 85).
- Install the LDAP-UX Client Services on an HP CIFS Server, if not already installed. See Installing LDAP-UX client services on an HP CIFS server (page 85).
- Configure the LDAP-UX Client Services on an HP CIFS Server, if not already configured. See Configuring the LDAP-UX client services (page 85).
- Enable Secure Sockets Layer (SSL) if you want to use it. See Enabling Secure Sockets Layer (SSL) (page 89).
- Extend the Samba subschema to the Netscape Directory Server. See Extending the Samba subschema into your directory server (page 91).
- Migrate your data to your Directory Server. See Migrating your data to the directory server (page 92).
- Configure the HP CIFS Server to enable LDAP support. See Configuring the HP CIFS Server (page 95).
- Install your Samba users in the Directory Server. See Creating Samba users in the directory (page 97).

Read the subsequent sections of this chapter for more information on installing and configuring the HP CIFS Server with LDAP support.

Installing and configuring your directory server

This section describes how to set up and configure your Netscape/Red Hat Directory Server to work with LDAP-UX Client Services and the HP CIFS Server.
See Preparing Your LDAP Directory for HP-UX Integration at for more information on directory configuration. Installing the directory server You need to set up the Netscape/Red Hat Directory Server if it is not already installed. HP recommends that you install the HP Netscape Directory Server product, J4258CA, or HP Red Hat Directory Server, NSDirSvr7. This product can be downloaded from You need to install it with the Netscape Directory Server product for HP-UX version 6.11/6.21 or HP Red Hat Directory Server 7.0/7.1. The posix schema is already installed if you have installed the Directory Server for HP-UX version 6.02 or later version. The schema is in the file /opt/ldapux/ypldapd/etc/ slapd-v3.nis.conf. For more information on the posix schema (RFC2307), see RFC 2307 consists of object classes such as, posixaccount, posixgroup, and so on. posixaccount represents a user entry from the /etc/passwd file. posixgroup represents a group entry from the /etc/group file. 84 LDAP integration support
Configuring your directory server

You need to configure the Netscape/Red Hat Directory Server if it is not already configured. For detailed information on how to configure your Directory Server, refer to the following documentation:
• Netscape Directory Server Installation Guide
• Netscape Directory Server Configuration, Command and File Reference
• Red Hat Directory Server Installation Guide
• Red Hat Directory Server Configuration, Command and File Reference

The above documents are available from the directory server vendor's web site.

Verifying the directory server

Run the following command to verify that you have installed and configured the Directory Server properly and that the Directory Server daemons are up and running:

   $ ps -ef | grep ns-

The output resembles the following (process IDs and start times vary). Both ns-slapd, the directory server itself, and ns-httpd, the administration server, must be listed:

   root  ...  ?  0:00 ns-httpd -d /var/opt/netscape/servers/admin-serv/config
   www   ...  ?  0:03 ./ns-slapd -D /var/opt/netscape/servers/slapd-hpcif57 -i /var/o

Installing LDAP-UX client services on an HP CIFS server

For this version of HP CIFS Server, you must install LDAP-UX Client Services version B or later. The LDAP-UX Client Services software is available from HP. Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on the HP CIFS Server. See the LDAP-UX Client Services B Release Notes and the LDAP-UX Client Services Administrator's Guide for more details on the installation procedures. You do not need to reboot your system after installing the product.

Configuring the LDAP-UX client services

You need to configure the LDAP-UX Client Services if they are not already configured. This section describes the major steps to configure LDAP-UX Client Services with Netscape Directory Server 6.11/6.21 or Red Hat Directory Server 7.0/7.1. For detailed information on how to configure the LDAP-UX Client Services, see the "Configure the LDAP-UX Client Services" section of the LDAP-UX Client Services Administrator's Guide.

You must run the setup program to configure the LDAP-UX Client Services. This requirement must not be skipped; otherwise, the HP CIFS Server with LDAP support will not work properly.

When you run the setup program to configure the LDAP-UX Client Services on a client system, setup performs the following major tasks for you:
• Extends your directory schema with the posixAccount object class and attributes, if not already done.
• Creates a configuration profile entry in your Netscape Directory from the information you provide. The profile contains the information clients require to access user and group data in the directory, for example:
  – Your directory server host
  – Your directory server network port
  – The location of your user, group and other information in the directory
• Updates the startup file of the local client with your directory and configuration profile location.
• Downloads the configuration profile from the directory to the LDAP client system.
• Assigns your base DN as your LDAP suffix for user and group searches.
• Starts the product daemon, ldapclientd, if you choose to start it. For LDAP-UX Client B.03.20, you must start the client daemon for LDAP-UX functions to work.

NOTE: If the value of the security parameter is ads, running setup for the LDAP-UX Client Services is not required.

Quick configuration

You can do a quick configuration of the LDAP-UX Client Services by selecting the default values of the configuration parameters.

NOTE: In the sample session below, dctvm86.ind.hp.com is the LDAP server and dctvm105.ind.hp.com is the LDAP client and Samba server.

Prerequisites for a quick configuration

To do a quick configuration, you must have:
• The base path in the LDAP server that you want to use for creating a new profile
• The credentials of the user DN (cn=Directory Manager) that is allowed to create a new profile

To do a quick configuration:

1. Edit the /opt/ldapux/migrate/migrate_common.ph file and change the default group container under the $RFC2307BIS structure from ou=group to ou=groups.

2. Log in as root and run the setup program:

   $ cd /opt/ldapux/config
   $ ./setup

   NOTE: The setup program displays a series of questions and provides default answers. Press the Enter key to accept the default values, or change the values and press Enter. At any point during the setup, you can press Ctrl-B to back up or Ctrl-C to exit the setup program.

   The following is a sample log of an LDAP-UX Client Services setup session:

   Select which Directory Server you want to connect to:
     1. HP-UX, Red Hat or Tivoli Directory
     2. Windows 2003 R2/2008 Active Directory
   To accept the default shown in brackets, press the Return key.
   Directory Server: [1]:

   Enter the host name of the directory where you want to store the profile.
   Enter either the fully qualified host name (for example: sys001.hp.com)
   or IP address (for example: 2001:0db8:3c4d:0015:0:0:abcd:ef12).
   To accept the default shown in brackets, press the Return key.
   Directory server host [dctvm105.ind.hp.com]:

   To accept the default shown in brackets, press the Return key.
   Directory Server port number [389]:

   Enter the distinguished name (DN) of an existing LDAP-UX profile entry you
   want to use or the DN where you want to store a new LDAP-UX profile entry.
   For a new entry, all parent entries of the DN must already exist in the
   directory or this step will fail (for example: cn=ldapuxprofile,
   ou=ldapuxprofile, dc=hp, dc=com).
   Profile Entry DN: []: cn=samba-ldap, dc=org, dc=hp, dc=com

   Enter the distinguished name (DN) of the directory user allowed to create
   a new LDAP-UX profile entry or to check an existing profile entry.
   User DN [cn=Directory Manager]:
   Password:

   NOTE: You must enter the password of this DN, which you set when you configured the LDAP server.

   Select authentication method for users to bind/authenticate to the server
     1. SIMPLE
     2. SASL DIGEST-MD5
   To accept the default shown in brackets, press the Return key.
   Authentication method: [1]:

   For high-availability, each LDAP-UX client can look for user and group
   information in up to three different directory servers. Please enter
   either the fully qualified host name and optional port number (for
   example: sys001.hp.com:389) or IP address and optional port number (for
   example: [2001:0db8:3c4d:0015:0:0:abcd:ef12]:389) where your directory is
   running.
   The following hosts are currently specified:
   Default search host 1: [dctvm86.ind.hp.com:389]
   Default search host 2: [ ]
   Default search host 3: [ ]
   Enter 0 to accept these hosts and continue with the setup program or
   Enter the number of the hosts you want to specify [0]:

   Enter the default base DN where LDAP-UX clients should look for user and
   group information (for example: ou=nis, dc=hp, dc=com)
   Default base DN [dc=ind,dc=hp,dc=com]:

   The setup program has all the information needed to configure a default
   profile and client. You can accept default values for the remaining
   parameters or configure the remaining parameters.
   Accept remaining defaults? (y/n) [y]:
   Are you ready to create the Profile Entry? [Yes]:

   Each client system must bind to the directory to download the LDAP-UX
   configuration profile entry and to access user and group information. To
   perform this, the client can bind to the directory either anonymously or
   as a proxy user. Anonymous access can also be attempted if access by
   proxy fails.
   Select the type of client binding you want.
     1. Anonymous
     2. Proxy
     3. Proxy; if proxy fails, then use anonymous
   To accept the default shown in brackets, press the Return key.
   Client binding: [1]:

   Updated directory server at <IP address>:389 with a profile entry at
   [cn=pdc1, dc=ind, dc=hp, dc=com]
   Updated the local client configuration file /etc/opt/ldapux/ldapux_client.conf
   Updated the local client profile entry LDIF file /etc/opt/ldapux/ldapux_profile.ldif
   Updated the local client profile entry cache file /etc/opt/ldapux/ldapux_profile.bin
   Press any key to continue:

   No proxy user is configured at this client.
   Note : Starting the LDAP-UX daemon is now required for the LDAP-UX product!
   You have created/changed the configuration profile. To make it take
   effect, you need to start/restart the LDAP-UX daemon
   Would you like to start/restart the LDAP-UX daemon (y/n)? [y]:
   Updated the LDAP-UX daemon configuration file /etc/opt/ldapux/ldapclientd.conf
   Restarted the LDAP-UX daemon!

   To enable the LDAP Pluggable Authentication Module, save a copy of the
   file /etc/pam.conf then add ldap to it. See /etc/pam.ldap for an example.
   To enable the LDAP Name Service Switch, save a copy of the file
   /etc/nsswitch.conf then add ldap to it. See /etc/nsswitch.ldap for an
   example.
   LDAP-UX Client Services setup complete.

   NOTE: With anonymous client binding (the default), the client reads user and group data without credentials, so the directory's access controls must permit anonymous read of those entries. Do not grant anonymous read access to password attributes; if your directory does not allow anonymous reads, choose proxy binding instead.

   Table 12 (page 88) shows the configuration parameters and the default values that they are configured with.

   Table 12 Configuration parameters and default values

   Parameter                                                              Default value
   Type of client binding                                                 Anonymous
   Bind time limit                                                        5 seconds
   Search time limit                                                      no limit
   Use of referrals                                                       Yes
   Profile TTL (Time To Live)                                             0 (infinite)
   Use standard RFC 2307 object class attributes for supported services   Yes
   Use default search descriptors for supported services                  Yes
   Authentication method                                                  Simple

   For detailed information on the configuration parameters listed in Table 12, see "Appendix B: LDAP-UX Client Services Object Classes" of the LDAP-UX Client Services B Administrator's Guide.

3. After you enter all the configuration information, setup extends the schema, creates a new profile, and configures the client to use the directory.

4. Configure the Name Service Switch (NSS). Save a copy of the /etc/nsswitch.conf file and edit the original to specify the ldap name service and the other name services you want to use. See the /etc/nsswitch.ldap file for a sample; you may be able to simply copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information.

5. You are asked whether or not you want to start the client daemon, /opt/ldapux/bin/ldapclientd. You must start the client daemon for LDAP functions to work.
6. Run the following command to verify your configuration:

   $ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
     "(objectclass=*)" | grep -i posix

   Ensure that the posixAccount object class is displayed in the output of the ldapsearch command. The output is as follows:

   objectclasses: ( NAME 'posixAccount' DESC 'Standard LDAP objectclass' SUP top
     AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
     MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN 'RFC 2307' )
   objectclasses: ( NAME 'posixGroup' DESC 'Standard LDAP objectclass' SUP top
     STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description )
     X-ORIGIN 'RFC 2307' )

   NOTE: You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified Distinguished Name (DN) and password, and locates entries based on the specified search filter. For details, see the Netscape Directory Server Administrator's Guide or the Red Hat Directory Server Administrator's Guide.

Enabling Secure Sockets Layer (SSL)

The HP CIFS Server provides Secure Sockets Layer (SSL) support to secure communication between CIFS servers and SSL-enabled LDAP directory servers. If you plan to use SSL and it is not already in use for LDAP, you need to enable it on the Directory Server and on the LDAP-UX clients. Once the LDAP server and clients are enabled, you can configure the HP CIFS Server to use SSL. You must set up the Certification Authority (CA) server properly before you enable SSL communication over LDAP. Read the following subsections for more information on configuring the LDAP directory server, the LDAP-UX client and the HP CIFS Server with SSL support.

Configuring the directory server to enable SSL

Use the following steps to configure your Netscape Directory Server to enable SSL communication over LDAP:

1. Obtain and install a certificate for your Directory Server, and configure the Netscape Directory Server to trust the Certification Authority's (CA's) certificate. For detailed instructions, see the "Obtaining and Installing Server Certificates" section of the "Managing SSL" chapter in the Netscape Directory Server 6.1 Administrator's Guide.

2. Turn on SSL in your directory. For detailed instructions on how to enable SSL in your directory server, see the "Activating SSL" section of the "Managing SSL" chapter in the Netscape Directory Server 6.1 Administrator's Guide.

3. Configure the Administration Server to connect to an SSL-enabled directory server. For detailed instructions, see Managing Servers with Netscape Console.
Configuring the LDAP-UX client to use SSL

If you plan to use SSL, you need to install the Certification Authority (CA) certificate on your LDAP-UX client and configure the LDAP-UX client to enable SSL. Use the following steps to enable SSL on your LDAP client system:

1. Install the certificate database containing the CA certificate on the client. Optionally, each user of the directory server can also obtain and install a personal certificate on every LDAP client that will authenticate with SSL.

   Downloading the certificate database from Netscape Communicator is one way to set up the certificate database on your LDAP-UX client. The certificate database files, cert7.db and key3.db, are downloaded to either the $HOME/.netscape or the $HOME/.mozilla/default/*.slt directory on your client system, depending on the version of Netscape Communicator that you use. If you download the CA certificate using Netscape Communicator 7.0, the files are placed in the $HOME/.mozilla/default/*.slt directory. If you download the CA certificate using Netscape Communicator 4.75, the files are placed in the $HOME/.netscape directory.

   After you have the certificate database files cert7.db and key3.db on your client, create the symbolic links /etc/opt/ldapux/cert7.db, pointing to cert7.db, and /etc/opt/ldapux/key3.db, pointing to key3.db. These files define which CAs the client trusts when it validates the directory server's certificate, so obtain the CA certificate from a trusted source and keep the files owned by root and not writable by other users.

   For detailed instructions on how to install the Certification Authority's certificate on your LDAP-UX client system, see the "Configuring LDAP Clients to Use SSL" section of the "Installing LDAP-UX Client Services" chapter in the LDAP-UX Client Services B Administrator's Guide.

2. Configure the LDAP-UX Client Services to use SSL by running the setup program. For detailed instructions on how to run the setup program to enable SSL, see the "Custom Configuration" subsection of the "Installing LDAP-UX Client Services" chapter in the LDAP-UX Client Services B Administrator's Guide.

   If the LDAP-UX Client Services have already been set up, modify the authenticationmethod and preferredserverlist attributes in the /etc/opt/ldapux/ldapux_profile.ldif file as follows:
   • Modify the authenticationmethod attribute to add the transport layer security method, tls:, in front of the original authentication method, simple. For example, without SSL enabled the entry is authenticationmethod: simple; with SSL enabled it becomes authenticationmethod: tls:simple.
   • Modify the preferredserverlist attribute to change the regular LDAP port number, 389, to the SSL port number, 636. For example, without SSL enabled the entry is preferredserverlist: <server>:389; with SSL enabled it becomes preferredserverlist: <server>:636.

   After editing the profile LDIF, regenerate the local profile cache and restart ldapclientd so the change takes effect; see the LDAP-UX Client Services Administrator's Guide.

Configuring HP CIFS Server to enable SSL

Configure the following smb.conf parameters to enable SSL. For HP CIFS Server A.02.* and later A.* versions, set the following parameter in the [global] section of the smb.conf file:

   passdb backend = ldapsam:ldaps://<directory server name>

where <directory server name> is the fully qualified name of the target directory server.

HP CIFS Server A or later also supports the start_tls option of the ldap ssl parameter. To enable SSL connections to the directory server, set the parameter in one of the two ways shown below in the [global] section of the smb.conf file:
• To use the SSL port 636, set:

   ldap ssl = yes

• To use the Start TLS option with port 389, set:

   ldap ssl = start_tls

Use one mechanism or the other: an ldaps:// URI already starts TLS on connection, so do not combine it with ldap ssl = start_tls. For detailed information on how to enable SSL on the HP CIFS Server, see LDAP configuration parameters (page 95).

Extending the Samba subschema into your directory server

You now need to extend the Directory Server schema with the Samba subschema shipped with the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services before extending the schema. Set the passdb backend parameter to ldapsam:ldap://<ldap server name>.

Samba subschema differences between HP CIFS Server versions

New HP CIFS Server releases sometimes add attributes, but the schema updates are backward compatible with older versions of the Samba LDAP schema.

Procedures to extend the Samba subschema into your directory

Use the following steps to extend the Samba subschema /opt/samba/ldap3/98samba ldif shipped with HP CIFS Server A.02.* into the Directory Server:

1. Copy the /opt/samba/ldap3/98samba ldif file from the HP CIFS Server to the schema directory of the Directory Server. For example, the following ftp commands copy the file from the HP CIFS Server to /var/opt/netscape/servers/slapd-hosta.hp.com/config/schema/98samba ldif on the Directory Server hosta.hp.com:

   cd /opt/samba/ldap3
   ftp hosta.org.hp.com
   user root <root password>
   cd /var/opt/netscape/servers/slapd-hosta.hp.com/config/schema
   put 98samba ldif
   quit

   NOTE: ftp transmits the root password and the file in the clear. Where HP-UX Secure Shell is installed on both systems, use scp or sftp for this copy instead.

2. Log in to your Directory Server and restart the daemon, slapd, so that the sambaSamAccount subschema is recognized by the LDAP directory:

   $ /var/opt/netscape/servers/slapd-<server name>/restart-slapd

   For example:

   $ /var/opt/netscape/servers/slapd-hosta.hp.com/restart-slapd

3. Use the following ldapsearch command to verify that you have updated the schema in the Directory Server with the Samba subschema:

   $ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
     "(objectclass=*)" | grep -i samb

   Ensure that the output displays the sambaSamAccount object class:

   objectclasses: ( NAME 'sambaSamAccount' DESC 'Samba 3.0 Auxilary SAM Account'
     STRUCTURAL MUST ( uid $ sambaSID )

Migrating your data to the directory server

HP recommends that all UNIX user accounts, whether in the /etc/passwd file or in NIS database files, are migrated to the Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish this task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.sh, migrate all your source files in the /etc directory or all your NIS maps, while the perl scripts, migrate_passwd.pl, migrate_group.pl, migrate_hosts.pl and so on, migrate individual files. The shell scripts call the perl scripts. For a complete description of the migration scripts, what they do and how to use them, see the /opt/ldapux/README files or the "Name Service Migration Scripts" section of the LDAP-UX Client Services B Administrator's Guide.

Migrating all your files

The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your name service data either to an LDAP Data Interchange Format (LDIF) file or directly into your directory. The migrate_all_online.sh script reads the source files, such as /etc/passwd, /etc/group and /etc/hosts. The migrate_all_nis_online.sh script reads your NIS maps using the ypcat(1) command. The scripts take no parameters but prompt you for the information they need. They also prompt you for whether to leave the output as LDIF or to add the entries to your directory.
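To make concrete what the migration produces before you run the scripts, the following is an added example, not part of this guide's original text and not the LDAP-UX migration scripts themselves. It performs the core mapping that migrate_passwd.pl performs for /etc/passwd records: each record becomes a posixAccount entry under ou=people beneath LDAP_BASEDN, using the RFC 2307 attribute names shown in the sample output later in this section. It also skips accounts with a low uidNumber so that root and system accounts stay in the local /etc/passwd, as HP recommends below. The sample passwd lines and the crypt hash are constructed, and the function names and the threshold of 100 are illustrative choices, not LDAP-UX defaults.

```shell
#!/bin/sh
# Added example: not the LDAP-UX migration scripts. It reproduces the
# passwd -> posixAccount mapping of migrate_passwd.pl so the resulting
# LDIF is recognisable. All sample data below is constructed.

# passwd_to_ldif [MIN_UID]
# Reads /etc/passwd-format lines on stdin and writes LDIF on stdout.
# Accounts with uidNumber below MIN_UID (default 100, an illustrative
# threshold) are skipped so root and system accounts stay in /etc/passwd.
# LDAP_BASEDN must be set, exactly as for the real scripts.
passwd_to_ldif() {
    : "${LDAP_BASEDN:?LDAP_BASEDN is not set}"
    awk -F: -v base="$LDAP_BASEDN" -v minuid="${1:-100}" '
        BEGIN { gsub(/, */, ",", base) }        # "dc=org, dc=hp" -> "dc=org,dc=hp"
        /^[#+-]/ || NF != 7 { next }            # comments, NIS +/- compat lines, junk
        $3 + 0 < minuid + 0 { next }            # keep root and system accounts local
        {
            user = $1; hash = $2; uid = $3; gid = $4; gecos = $5; home = $6; shell = $7
            cn = gecos; sub(/,.*$/, "", cn)     # full name is the first gecos field
            if (cn == "") cn = user
            print "dn: uid=" user ",ou=people," base
            print "objectclass: top"
            print "objectclass: account"
            print "objectclass: posixAccount"
            print "uid: " user
            print "cn: " cn
            print "uidNumber: " uid
            print "gidNumber: " gid
            print "homeDirectory: " home
            if (shell != "") print "loginShell: " shell
            if (gecos != "") print "gecos: " gecos
            # "*", "!" and "x" are lock markers or shadow pointers, not hashes:
            # emit no userPassword so the entry cannot authenticate until one is set
            if (hash != "" && hash != "*" && hash != "!" && hash != "x")
                print "userPassword: {crypt}" hash
            print ""                            # blank line separates LDIF entries
        }
    '
}

# ldif_entry_count: number of "dn:" lines on stdin, for a sanity check
# against the number of /etc/passwd records before loading the LDIF.
ldif_entry_count() {
    grep -c '^dn: '
}

# Constructed sample input; the hash is not a real crypt(3) value.
SAMPLE_PASSWD='root:*:0:3::/:/sbin/sh
johnl:aoacgvt0t1fo/:8662:8200:John Louie,48S-020:/home/johnl:/usr/bin/ksh
svc:*:105:20::/home/svc:/usr/bin/false
+::0:0:::'

LDAP_BASEDN="dc=org, dc=hp, dc=com"
export LDAP_BASEDN
printf '%s\n' "$SAMPLE_PASSWD" | passwd_to_ldif
```

The output carries password hashes, so treat the LDIF file like /etc/shadow: create it with a restrictive umask, and remove it once the entries have been added to the directory. Running the function with MIN_UID 0 migrates every account, which is the behaviour of the real script when you do not prune the input.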
NOTE: HP recommends that you keep a small subset of users in the /etc/passwd file, such as the root user and the IT manager. This allows root to have a different password on each HP-UX system, and it lets you log in to the system if the LDAP directory server is unavailable.

NOTE: Before you run the migration scripts, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group container under the $RFC2307BIS structure from ou=group to ou=groups. This makes it match the Samba organizational unit defaults.

The following example shows the steps needed to import your data into the LDAP directory using the migration script migrate_all_online.sh:

1. Set the environment variable LDAP_BASEDN to specify where you want to store your data. For example, the following command sets the LDAP base DN to org.hp.com:

   $ export LDAP_BASEDN="dc=org, dc=hp, dc=com"

2. Run the script migrate_all_online.sh to migrate all name service data files in /etc to LDIF:

   $ migrate_all_online.sh

   Reply to the script's prompts as appropriate. In this example, bind as cn=Directory Manager; the credentials to bind with are the Directory Manager password.

NOTE: At this point, you have an LDAP directory server with everything you need to use it as a back end for PAM and the Name Service Switch. You need this first, because the HP CIFS Server shares some attributes of the posixAccount object class with the sambaSamAccount object class.

Migrating individual files

The following perl scripts migrate each of your source files in the /etc directory to LDIF. These scripts are called by the shell scripts described in Migrating all your files (page 92). The perl scripts read the input source file and write LDIF.

Environment variables

When using the perl scripts to migrate individual files, you need to set the following environment variable:

LDAP_BASEDN   The base distinguished name where you want to store your data. For example, the following command sets the base DN to DC=org, DC=hp, DC=com:

   export LDAP_BASEDN="DC=org, DC=hp, DC=com"

General syntax for perl migration scripts

All the perl migration scripts use the following general syntax:

   scriptname inputfile [outputfile]

where:

scriptname   The name of the particular script you are using. Table 13 lists the migration scripts.
inputfile    The name of the name service source file corresponding to the script you are using.
outputfile   Optional. The name of the file where the LDIF is saved. stdout is the default output.

Migration scripts

The migration scripts are described in Table 13.

Table 13 Migration scripts

Script name               Description
migrate_base.pl           Creates base DN information.
migrate_group.pl          Migrates groups in the /etc/group file.
migrate_hosts.pl (1)      Migrates hosts in the /etc/hosts file.
migrate_networks.pl       Migrates networks in the /etc/networks file.
migrate_passwd.pl (2)     Migrates users in the /etc/passwd file.
migrate_protocols.pl      Migrates protocols in the /etc/protocols file.
migrate_rpc.pl            Migrates RPCs in the /etc/rpc file.
migrate_services.pl (3)   Migrates services in the /etc/services file.
migrate_common.ph         Specifies a set of routines and configuration information that all the perl scripts use.

(1) If several IP addresses have been configured with the same host name, migrate_hosts.pl creates multiple entries in its LDIF output with the same distinguished name, one per IP address. Because distinguished names must be unique in an LDAP directory, you must first manually merge the IP addresses into one designated host record and delete the duplicate records in your LDIF file. A merged record might look as follows:

   ....
   dn: cn=machinea, ou=hosts, ou=unix, dc=org, dc=hp, dc=com
   objectclass: top
   objectclass: iphost
   iphostnumber: <first address>
   iphostnumber: <second address>
   iphostnumber: <third address>
   cn: hosta
   cn: hosta.org.hp.com

(2) Netgroup:
   • The NIS optimization maps 'byuser' and 'byhost' are not utilized.
   • Each triple is stored as a single string.
   • Each triple must be enclosed in parentheses. For example, "(machine, user, domain)" is a valid triple while "machine, user, domain" is not.

(3) When migrating services data into the LDAP directory, keep in mind that one service name can be associated with multiple protocols, but not with multiple service ports.

Examples

Complete the following steps to migrate the /etc/passwd file to an LDIF file:

1. Set the environment variable LDAP_BASEDN to specify where you want to store your data. For example, the following command sets the LDAP base DN to org.hp.com:

   $ export LDAP_BASEDN="dc=org, dc=hp, dc=com"

2. Run the script migrate_passwd.pl to migrate all data in the /etc/passwd file to the /tmp/passwd.ldif file:

   $ migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

   Part of the output is as follows:

   dn: uid=johnl,ou=people,dc=org,dc=hp,dc=com
   objectclass: top
   objectclass: account
   objectclass: posixaccount
   objectclass: Account
   loginshell: /usr/bin/ksh
   uidnumber: 8662
   gidnumber: 8200
   homedirectory: /home/johnl
   gecos: John Louie, 48S-020,
   userpassword: {crypt}aoacgvt0t,1fo
   acctFlags: UX
   pwdlastset:

   The LDIF file contains password hashes; protect it as you would /etc/shadow and delete it after the entries have been loaded.

Migrating your data from one backend to another

Use the syncsmbpasswd tool to synchronize Samba user accounts with all currently available POSIX user accounts in the configured password database backend. If you set the passdb
backend parameter in smb.conf to ldapsam:ldap://<ldap server name>, this tool adds Samba user accounts corresponding to the existing POSIX user accounts to the LDAP directory server. See the syncsmbpasswd(1) man page for details.

For example, use the following procedure to synchronize Samba user accounts with the available POSIX user accounts in the LDAP directory server ldaphosta.example.hp.com:

1. Configure the passdb backend parameter in the [global] section of smb.conf:

   passdb backend = ldapsam:ldap://ldaphosta.example.hp.com

2. Run the following command:

   $ syncsmbpasswd

Configuring the HP CIFS Server

You must set up and configure your HP CIFS Server to enable the LDAP feature support.

LDAP configuration parameters

The following global parameters are available for configuring the HP CIFS Server with the LDAP feature. These parameters are set in the [global] section of the /etc/opt/samba/smb.conf file; any global setting defined there is used by the HP CIFS Server with LDAP support.

Table 14 Global parameters

ldap server
   Specifies the host name of the Directory Server where you want to store your data.

ldap suffix
   Specifies the base of the directory tree where you want to add user and machine account information. It is also used as the Distinguished Name (DN) of the search base, which tells LDAP where to start the search for an entry. For example, if your base DN is "dc=org, dc=hp, dc=com", set ldap suffix = "dc=org, dc=hp, dc=com".

ldap user suffix
   Specifies the base of the directory tree where you want to add user information. If you do not specify this parameter, the HP CIFS Server uses the value of ldap suffix. For example, ldap user suffix = "ou=people".

ldap group suffix
   Specifies the base of the directory tree where you want to add group information. If you do not specify this parameter, the HP CIFS Server uses the value of ldap suffix. For example, ldap group suffix = "ou=groups".

ldap admin dn
   Specifies the Distinguished Name (DN) the HP CIFS Server binds with when it connects to the LDAP directory server to retrieve and update user account information. The ldap admin dn is used together with the password stored for it in the /var/opt/samba/private/secrets.tdb file (see Adding credentials, page 97). For example, ldap admin dn = "cn=Directory Manager". Because this DN's password is held on the CIFS server, a dedicated DN with write access limited to the Samba and POSIX attributes exposes less than the directory superuser if secrets.tdb is ever disclosed.

ldap delete dn
   Specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba. The default value is No.

ldap passwd sync
   Specifies whether the HP CIFS Server should sync the LDAP password with the NT and LM hashes for normal accounts on a password change. This option can be set to one of three values:
   • Yes: Update the LDAP, NT and LM passwords and update the pwdlastset time.
   • No: Update the NT and LM passwords and update the pwdlastset time.
   • Only: Only update the LDAP password and let the LDAP server do the rest.
   The default value is No.

ldap replication sleep
   When Samba is requested to write to a read-only LDAP replica, it is redirected to the read-write master server. This server then replicates the changes back to the local server. The replication might take some seconds, especially over slow links, and some client activities can be confused by a 'success' that does not immediately change the data in the LDAP back end. This option causes Samba to wait a short time to allow the LDAP server to catch up. The value is specified in milliseconds; the maximum value is 5000 (5 seconds). The default is ldap replication sleep = 1000 (1 second).

ldap timeout
   Specifies in seconds how long the HP CIFS Server waits for the LDAP server to respond to a request if the LDAP server is down or unreachable. The default value is 15 seconds.

ldap ssl
   Specifies the Secure Sockets Layer (SSL) support. Set it to Yes to connect to the LDAP directory server with SSL on port 636. HP CIFS Server A or later also supports ldap ssl = start_tls, which uses Start TLS on port 389. To disable SSL, set it to No. By default, this parameter is set to No. With ldap ssl = No and an ldap:// URI, the bind as ldap admin dn sends that DN's password across the network in the clear, so enable one of the two SSL options on any network you do not fully trust.

ldap ssl ads
   Specifies whether Samba must use Secure Sockets Layer (SSL) when connecting to the LDAP server using the Active Directory Service (ADS) methods.
   NOTE: The Remote Procedure Call (RPC) methods are not affected by the ldap ssl ads parameter. Setting ldap ssl to No does not affect the ldap ssl ads parameter.

ldap connection timeout
   Specifies in seconds how long the LDAP library calls wait for a connection to an LDAP server to be established. The ldap connection timeout parameter is useful in failure scenarios where one or more LDAP servers are not reachable. It must be supported by the LDAP library.
   NOTE: ldap connection timeout differs from ldap timeout in that it does not affect any LDAP operation once the connection is established. By default, this parameter is set to ldap connection timeout = 2.

Configuring LDAP feature support

After installing the HP CIFS Server, the existing configuration continues to operate as currently configured. To enable LDAP support, you must configure the relevant LDAP parameters in the /etc/opt/samba/smb.conf file using the SWAT tool or an editor.

NOTE: HP recommends that customers with new installations run the samba_setup program to set up and configure the HP CIFS Server.
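The following is an added example, not HP CIFS Server, Samba or LDAP-UX code, that puts the two transport settings from this chapter side by side. enable_profile_tls applies the two edits described in Configuring the LDAP-UX client to use SSL (page 90) to a copy of the LDAP-UX profile LDIF (authenticationmethod gains the tls: prefix and every preferredserverlist host moves from port 389 to 636). smb_ldap_transport reads a smb.conf [global] section and reports, by the rules given for passdb backend and ldap ssl above, whether the CIFS Server will bind over LDAPS, over Start TLS, in the clear, or with a conflicting combination (an ldaps:// URI together with ldap ssl = start_tls, which would try to start TLS on a connection that is already TLS). The profile and smb.conf fragments are constructed samples; the host names and function names are illustrative.

```shell
#!/bin/sh
# Added example; not HP CIFS Server, Samba or LDAP-UX code. Inputs are
# constructed samples shaped like /etc/opt/ldapux/ldapux_profile.ldif
# and /etc/opt/samba/smb.conf. Host names are made up.

# enable_profile_tls: read a profile LDIF on stdin, write it back with the
# two edits from "Configuring the LDAP-UX client to use SSL":
#   authenticationmethod: simple      -> authenticationmethod: tls:simple
#   preferredserverlist: host:389 ... -> preferredserverlist: host:636 ...
# Idempotent, so it is safe to re-run on an already converted profile.
enable_profile_tls() {
    awk '
        tolower($1) == "authenticationmethod:" {
            if (tolower($2) !~ /^tls:/) $2 = "tls:" $2
        }
        tolower($1) == "preferredserverlist:" {
            # space separated host[:port] list; IPv6 literals are bracketed
            for (i = 2; i <= NF; i++) sub(/:389$/, ":636", $i)
        }
        { print }
    '
}

# smb_ldap_transport: read smb.conf on stdin and print one word describing
# how the server will reach the directory, per the rules in this chapter:
#   ldaps      port 636, TLS from the start (ldaps:// URI or ldap ssl = yes)
#   starttls   port 389 upgraded with Start TLS (ldap ssl = start_tls)
#   plaintext  neither: the ldap admin dn password crosses the wire in clear
#   conflict   ldaps:// URI together with ldap ssl = start_tls
smb_ldap_transport() {
    awk '
        /^[ \t]*\[/ {                          # section header, e.g. [global]
            sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == "global" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); key = tolower(key)   # Samba ignores spaces in names
            gsub(/^[ \t]+|[ \t]+$/, "", val); val = tolower(val)
            if (key == "passdbbackend") uri = val
            if (key == "ldapssl")       ssl = val
        }
        END {
            ldaps_uri = (index(uri, "ldapsam:ldaps://") == 1)
            starttls  = (ssl == "start_tls" || ssl == "start tls")
            ldaps     = (ldaps_uri || ssl == "yes" || ssl == "on" || ssl == "true")
            if (ldaps_uri && starttls) print "conflict"
            else if (starttls)         print "starttls"
            else if (ldaps)            print "ldaps"
            else                       print "plaintext"
        }
    '
}

# ---- constructed samples ---------------------------------------------------
SAMPLE_PROFILE='dn: cn=samba-ldap, dc=org, dc=hp, dc=com
objectclass: top
objectclass: DUAConfigProfile
cn: samba-ldap
defaultSearchBase: dc=org, dc=hp, dc=com
preferredServerList: ldap1.example.org:389 [2001:db8::15]:389
authenticationMethod: simple'

SMB_PLAIN='[global]
   workgroup = ORG
   passdb backend = ldapsam:ldap://ldap1.example.org
   ldap admin dn = cn=Directory Manager
   ldap suffix = dc=org, dc=hp, dc=com
   ldap ssl = no
[homes]
   browseable = no'

SMB_STARTTLS='[global]
   passdb backend = ldapsam:ldap://ldap1.example.org
   ldap ssl = start_tls'

SMB_CONFLICT='[global]
   passdb backend = ldapsam:ldaps://ldap1.example.org
   ldap ssl = start_tls'

printf '%s\n' "$SAMPLE_PROFILE" | enable_profile_tls
for conf in "$SMB_PLAIN" "$SMB_STARTTLS" "$SMB_CONFLICT"; do
    printf 'smb.conf transport: %s\n' "$(printf '%s\n' "$conf" | smb_ldap_transport)"
done
```

Run smb_ldap_transport against the real file with `smb_ldap_transport < /etc/opt/samba/smb.conf` before starting the daemons: "plaintext" means the directory manager password configured with smbpasswd -w will be sent unencrypted on every bind. The profile rewrite only handles hosts that carry an explicit :389; review any preferredserverlist entry without a port by hand.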
You can quickly run the samba_setup program to configure the HP CIFS Server with LDAP feature support as follows:
1. Run the following commands to enable the LDAP feature:
$ export PATH=$PATH:/opt/samba/bin
$ samba_setup
When running the samba_setup program, you are asked whether you want to use LDAP. Answer Yes to use LDAP or No to disable LDAP.
2. Reply to the samba_setup prompts to configure the following global LDAP parameters in the /etc/opt/samba/smb.conf file:
ldap server
ldap suffix
ldap admin dn
ldap ssl
ldap ssl ads
ldap user suffix
ldap group suffix
ldap idmap suffix
ldap machine suffix
ldap delete dn
ldap passwd sync
ldap replication sleep
ldap timeout
See LDAP configuration parameters (page 95) for detailed information on how to configure these parameters.
NOTE: The samba_setup program sets the ldap ssl parameter to ldap ssl = Yes by default. If you are not using SSL between the LDAP server and the LDAP client, you must change the value to ldap ssl = No.

Creating Samba users in the directory
This section describes how to create and verify your Samba users in your LDAP directory.

Adding credentials
When you use the HP CIFS Server with LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.tdb file before creating Samba users in the LDAP directory. Run the following command to save the LDAP credentials of the user who can modify the LDAP directory for Samba information:
$ smbpasswd -w <password of the LDAP directory manager>
For example, the following command saves the credentials of the LDAP directory manager:
$ smbpasswd -w dmpasswd
where dmpasswd is the password of the LDAP directory manager.
NOTE: You must ensure that the password matches the password of the ldap admin dn (the directory manager). The password is stored for later use by user administration. If the password is incorrect, no error message is displayed at this point, but user administration fails when it is attempted.

Adding a Samba user to the LDAP directory
A POSIX user must already exist in the LDAP directory before you run the smbpasswd -a command to add the corresponding Samba user and its sambasamaccount information required for HP CIFS Server user authentication. If the POSIX user does not already exist in the LDAP directory server, first add the POSIX user entry with your HP Netscape/Red Hat Directory Server commands. You can use the ldapmodify tool to add, modify, or delete a POSIX user account in an LDAP directory. See the LDAP directory management tools (page 172) section in the Tool Reference chapter for more information on these LDAP directory management tools.

Procedures for adding a Samba user
1. Use the ldapmodify command to create the POSIX user account entry in the LDAP directory server. For example, the following ldapmodify command adds the POSIX user account entry usercifs1 to the LDAP directory server ldapserver:
ldapmodify -a -D "cn=Directory Manager,dc=hp,dc=com" -w dmpasswd -h ldapserver -f new.ldif
As an example, the following LDIF update file, new.ldif, contains the statements to create the user account usercifs1. The posixaccount objectclass requires the uid, cn, uidnumber, gidnumber and homedirectory attributes; the uidnumber and gidnumber values shown are example values:
dn: uid=usercifs1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
uid: usercifs1
cn: usercifs1
uidnumber: 8662
gidnumber: 8200
homedirectory: /home/usercifs1
loginshell: /usr/bin/ksh
gecos: Usercifs1 Hu, 40N-20
For more information on how to use the ldapmodify tool to modify the entries of the LDAP directory server using an LDIF update file, refer to the Creating Directory Entries chapter in Part 1, Administering Red Hat Directory Server, of the Netscape/Red Hat Directory Server Administrator's Guide.
2. Run the smbpasswd -a command to add the sambasamaccount information for the user to the LDAP directory server, provided the smb.conf parameter passdb backend is set to ldapsam:
smbpasswd -a <user name>
For example, the following command creates the Samba account for the user usercifs1:
smbpasswd -a usercifs1

Verifying Samba users
You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified Distinguished Name (DN) and password, and locates entries based on the specified search filter. This section describes a portion of the available options for the ldapsearch command. See the LDAP directory management tools (page 172) section in chapter 13, Tool Reference, for a more complete description of this command.
Syntax
ldapsearch [option]
Options:
-b Specifies the starting point (base DN) for the search. The value must be a distinguished name that currently exists in the database.
-s Specifies the scope of the search.
-D Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must have the authority to search for the entries.
-w Specifies the password for that DN (here, the directory manager's password).

Example
The following example uses the ldapsearch utility to check that the user entry johnl contains the sambaaccount objectclass:
$ /opt/ldapux/bin/ldapsearch -b "dc=org,dc=hp,dc=com" -s sub \
-D "cn=Directory Manager" -w dmpasswd "uid=johnl"
The output is as follows:
dn: uid=johnl,ou=people,dc=org,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
objectclass: sambaaccount
loginshell: /usr/bin/ksh
uidnumber: 8662
gidnumber: 8200
homedirectory: /home/johnl
gecos: John Louie, 48S-020,
userpassword: {crypt}aoacgvt0t, 1fo
lmpassword: 0AED71B AG2ED50F26D3C5EB07
NTPassword: 7C46DE22B8963EAA3F9F90BE4E0F661
acctflags: UX
pwdlastset:

Management tools
HP no longer maintains the LDAP management scripts smbldap-tools, which exist in the /opt/samba/ldap3/smbldap-tools directory. For details on the smbldap-tools package, refer to the README file in the /opt/samba/ldap3 directory. You can use the LDAP directory tools provided by the LDAP-UX Integration product (such as ldapmodify, ldapsearch and ldapdelete) and several HP CIFS Server tools to manage CIFS data in an HP Netscape/Red Hat Directory Server database. The HP CIFS management tools include smbpasswd, net and pdbedit. For more information about these tools, see chapter 13, Tool Reference.
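To tie the two procedures above together (adding the POSIX entry, running smbpasswd -a, then verifying with ldapsearch), the following added Python example parses an entry in the LDIF form that ldapsearch prints and reports what is still missing before the entry is a usable HP CIFS user. It is an illustration written for this chapter, not HP CIFS, Samba or LDAP-UX code. The two sample entries are constructed from the guide's usercifs1 example; the sambasid, uidnumber and gidnumber values in them are made up. The check uses the MUST attributes of posixaccount and sambasamaccount from the Samba LDAP schema (the older sambaaccount class from the ldapsearch output above is accepted as well) and flags a stored LM hash, because LM is a weak legacy hash.

```python
"""Check an LDAP user entry, in the LDIF form ldapsearch prints, before and
after 'smbpasswd -a'.  Added example for this guide; not HP CIFS, Samba or
LDAP-UX code.  The sample entries below are constructed; no directory server
is contacted."""
import base64

# MUST attributes of the posixaccount objectclass (RFC 2307 schema).
POSIX_MUST = ("uid", "cn", "uidnumber", "gidnumber", "homedirectory")


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry.  Attribute names are
    lowercased, folded continuation lines (leading space) are joined and
    'attr:: base64' values are decoded."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:          # folded line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        if value.startswith(":"):                     # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def check_samba_user(text):
    """List the reasons an entry is not (yet) a usable HP CIFS user."""
    e = parse_ldif_entry(text)
    classes = {c.lower() for c in e.get("objectclass", [])}
    problems = []
    if "posixaccount" not in classes:
        problems.append("objectclass posixaccount missing")
    for attr in POSIX_MUST:
        if attr not in e:
            problems.append("posixaccount requires %s" % attr)
    if "sambasamaccount" in classes:
        if "sambasid" not in e:                       # MUST of sambasamaccount
            problems.append("sambasamaccount requires sambasid")
    elif "sambaaccount" not in classes:
        problems.append("no samba objectclass: run smbpasswd -a <user>")
    for attr in ("lmpassword", "sambalmpassword"):
        if attr in e:
            problems.append("%s present: an LM hash is stored, which is a weak legacy hash" % attr)
    return problems


# Constructed: the entry as loaded from a new.ldif that lacks uidnumber/gidnumber.
BEFORE = """dn: uid=usercifs1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
uid: usercifs1
cn: usercifs1
homedirectory: /home/usercifs1
loginshell: /usr/bin/ksh
gecos: Usercifs1 Hu, 40N-20
"""

# Constructed: the same user after the missing attributes were added and
# 'smbpasswd -a usercifs1' ran (SID and hash values are made up; the gecos
# value is base64 for "Usercifs1").
AFTER = """dn: uid=usercifs1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
objectclass: sambasamaccount
uid: usercifs1
cn: usercifs1
uidnumber: 8662
gidnumber: 8200
homedirectory: /home/usercifs1
loginshell: /usr/bin/ksh
gecos:: VXNlcmNpZnMx
sambasid: S-1-5-21-1111-2222-3333-18324
sambantpassword: 7C46DE22B8963EAA3F9F90BE4E0F6610
sambaacctflags: [U          ]
sambapwdlastset: 1362000000
"""

if __name__ == "__main__":
    for label, entry in (("before", BEFORE), ("after", AFTER)):
        print(label, check_samba_user(entry) or "ok")
```

Paste the output of the ldapsearch command shown above into check_samba_user to run the same check against a live entry; an empty list means the POSIX part, the Samba part and the hash storage all look as the chapter expects.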
7 Winbind support
Overview
This chapter describes the HP CIFS winbind feature and explains when to use it and how best to configure its use. It contains the following topics:
Overview (page 100)
Winbind features (page 100)
Winbind process flow (page 102)
Winbind supports non-blocking, asynchronous functionality (page 103)
When and how to deploy Winbind (page 104)
Configuring HP CIFS Server with Winbind (page 107)
idmap backend support in Winbind (page 109)
Starting and stopping winbind (page 111)
An Example for file ownership by winbind users (page 111)
HP CIFS Server must resolve the fact that HP-UX and Microsoft Windows use different technologies to represent user and group identity. Winbind is a CIFS feature which is one of several different ways in which CIFS can map the Windows implementation of user and group security identifiers (SIDs) to the HP-UX implementation of user and group identifiers (UIDs and GIDs). Further, there are several different ways to deploy winbind to achieve this mapping. The purpose of winbind is to automate the creation of UIDs and GIDs and maintain their correspondence to the appropriate Windows SIDs in order to minimize identity management efforts.
Winbind is an important feature to understand before you configure HP CIFS Server, because choosing an appropriate configuration for your environment is the key to minimizing IT management problems. Choosing the best way to map identities for your environment is important because directories and files populate file systems with permissions based on the identities of the owners. Over time, the difficulty of changing user maps increases unless the proper configuration is chosen initially. This chapter helps you understand winbind and configure CIFS appropriately.
NOTE: Winbind user mapping is only appropriate when the HP CIFS Server is a member server of a Microsoft Windows domain.
For more information about winbind, refer to chapter 24, "Winbind: Use of Domain Accounts", in the Samba 3.0 HOWTO Reference Guide at the following web site:
Winbind features
Winbind provides the following features:
Identity resolution via the Name Service Switch (NSS) (as configured in /etc/nsswitch.conf)
The Name Service Switch (NSS) is an HP-UX feature that allows system information such as host names, user names, and group names to be resolved from different sources.
Winbind provides a library routine, /usr/lib/libnss_winbind.1, that NSS uses to interface to the winbind daemon to resolve ID mappings.
User and group ID allocation
When winbind is presented with a Windows SID for which there is no corresponding UID or GID, winbind generates one. Depending on the configuration, winbind uses one of the following three algorithms for creating IDs:
Local increment
With the default settings, winbind assigns ID values by a simple increment above the current highest value within a defined range. The pool of values is confined to the local HP CIFS Server. This solution is limited by the fact that UID and GID values may differ among multiple HP CIFS Servers within the same Windows domain for the same Windows user. Also, if the idmap database needs to be recreated for any reason, the new UID and GID maps can differ from the previous ones, which can lead to serious security issues (file ownership may change).
NOTE: You can back up and restore the idmap database to avoid having to recreate UID and GID maps. The local increment model requires the idmap database to be backed up frequently.
Idmap rid
The idmap rid solution resolves the potential problems of the local increment algorithm because winbind derives a unique mapping of Windows SIDs to local UNIX UIDs and GIDs that is the same across multiple HP CIFS Servers. The UIDs and GIDs are generated from the RID portion of the Windows SID; the RID is unique within the domain. This solution is particularly helpful if there are multiple HP CIFS member servers connected to the domain and it is useful to have user names and group names with the same IDs across all of them. However, because the domain portion of the SID is discarded, the idmap rid method is not appropriate for domains that trust other domains, unless you do not require IDs to be resolved for the trusted domains.
You cannot migrate the idmap rid model to the local increment or shared sambaunixidpool model because of the way it assigns IDs. This model can be quite useful when a unique mapping of Windows SIDs to UNIX UIDs and GIDs across multiple member servers within a domain is needed. If you are configuring a large number of CIFS member servers, or if it is important to provide access to Windows trusts, consider the shared sambaunixidpool method, which reduces the traffic and load of maintaining similar idmap caches and of mapping user and group names of Windows trusted domains. See the shared sambaunixidpool method below for details.
Shared sambaunixidpool
When using the shared Samba UNIX ID pool method, you use an LDAP backend to store user and group identities across multiple servers and domains. Winbind uses a shared sambaunixidpool value to increment UID and GID values across all HP CIFS member servers sharing the LDAP backend. As with the local increment solution, if the idmap database needs to be recreated for any reason, UID and GID maps could differ from the previous map, which could lead to serious security issues (file ownership may change). The user and group data should be replicated and/or backed up with this model. The disadvantage of this model is that it is more complicated to configure. However, the shared sambaunixidpool method provides several significant benefits, described below, to customers who have multiple CIFS member servers connected to a Windows Active Directory Server (ADS) environment.
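The following added Python example simulates the three allocation algorithms just described so that their failure modes can be compared side by side: the order-dependent UIDs of local increment, the server-independent but domain-blind arithmetic of idmap rid, and the shared counter of the sambaunixidpool method. It is an illustration written for this chapter, not winbind code. The domain SIDs, RIDs and the 10000-20000 range are constructed, and a dict stands in for the idmap tdb file or the sambaUnixIdPool entry.

```python
"""Simulate the three winbind ID allocation algorithms (local increment,
idmap rid, shared sambaUnixIdPool).  Added example for this guide; it is not
winbind code.  All SIDs and ranges below are constructed."""
import re

DOMAIN_A = "S-1-5-21-1111-2222-3333"        # constructed: the server's own domain
DOMAIN_B = "S-1-5-21-4444-5555-6666"        # constructed: a trusted domain
ALICE = DOMAIN_A + "-1104"
BOB = DOMAIN_A + "-1105"
CAROL = DOMAIN_B + "-1104"                  # same RID as ALICE, other domain


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain SID, rid)."""
    m = re.match(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$", sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return m.group(1), int(m.group(2))


class LocalIncrement:
    """Default backend: next free value in the idmap uid range, remembered in
    a per-server tdb (here a dict).  The result depends on arrival order."""
    def __init__(self, lo, hi):
        self.lo, self.hi, self.tdb = lo, hi, {}

    def uid(self, sid):
        if sid not in self.tdb:
            nxt = self.lo + len(self.tdb)
            if nxt > self.hi:
                raise RuntimeError("idmap uid range exhausted")
            self.tdb[sid] = nxt
        return self.tdb[sid]


class IdmapRid:
    """idmap backend = rid:DOMAIN=lo-hi: uid = lo + rid, no stored state.
    With allow trusted domains = no, SIDs of other domains are refused."""
    def __init__(self, domain_sid, lo, hi, allow_trusted=False):
        self.domain_sid, self.lo, self.hi = domain_sid, lo, hi
        self.allow_trusted = allow_trusted

    def uid(self, sid):
        domain, rid = split_sid(sid)
        if domain != self.domain_sid and not self.allow_trusted:
            raise LookupError("SID from trusted domain %s not mapped" % domain)
        uid = self.lo + rid                 # the domain part is discarded here
        if uid > self.hi:
            raise RuntimeError("rid %d falls outside the idmap uid range" % rid)
        return uid


class SharedPool:
    """LDAP backend: every server built on the same pool dict increments one
    sambaUnixIdPool counter, so the mapping is the same on all servers."""
    def __init__(self, pool, lo, hi):
        self.pool, self.hi = pool, hi
        pool.setdefault("next", lo)
        pool.setdefault("map", {})

    def uid(self, sid):
        m = self.pool["map"]
        if sid not in m:
            if self.pool["next"] > self.hi:
                raise RuntimeError("shared pool exhausted")
            m[sid] = self.pool["next"]
            self.pool["next"] += 1
        return m[sid]


def local_increment_divergence():
    """Two member servers meet ALICE and BOB in opposite order: ALICE's UID differs."""
    a, b = LocalIncrement(10000, 20000), LocalIncrement(10000, 20000)
    a.uid(ALICE)
    a.uid(BOB)
    b.uid(BOB)
    b.uid(ALICE)
    return a.uid(ALICE), b.uid(ALICE)


def idmap_rid_agreement():
    """Stateless: every server with the same rid: setting computes the same UID."""
    a, b = IdmapRid(DOMAIN_A, 10000, 20000), IdmapRid(DOMAIN_A, 10000, 20000)
    return a.uid(ALICE), b.uid(ALICE)


def idmap_rid_trust_collision():
    """If trusted-domain SIDs were admitted, ALICE and CAROL (same RID) would share a UID."""
    r = IdmapRid(DOMAIN_A, 10000, 20000, allow_trusted=True)
    return r.uid(ALICE), r.uid(CAROL)


def idmap_rid_refuses_trusted():
    """allow trusted domains = no: the foreign SID is refused instead of colliding."""
    try:
        IdmapRid(DOMAIN_A, 10000, 20000).uid(CAROL)
    except LookupError:
        return True
    return False


def shared_pool_agreement():
    """Two servers sharing one pool agree on every UID regardless of order."""
    pool = {}                               # stands in for the sambaUnixIdPool entry
    a, b = SharedPool(pool, 10000, 20000), SharedPool(pool, 10000, 20000)
    a.uid(ALICE)
    b.uid(BOB)
    return a.uid(BOB), b.uid(ALICE)


if __name__ == "__main__":
    print("local increment, ALICE on two servers:", local_increment_divergence())
    print("idmap rid, ALICE on two servers:      ", idmap_rid_agreement())
    print("idmap rid with trusts, ALICE/CAROL:   ", idmap_rid_trust_collision())
    print("idmap rid strict refuses CAROL:       ", idmap_rid_refuses_trusted())
    print("shared pool, BOB and ALICE:           ", shared_pool_agreement())
```

The divergence shown by local_increment_divergence is exactly what turns into a file ownership problem when a home directory is moved between two member servers or the tdb is rebuilt, which is why the text above recommends frequent backups of the idmap database for the local increment and shared pool models but not for idmap rid.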
Advantages of the shared sambaunixidpool method
The advantages of using the shared sambaunixidpool method are as follows:
UIDs and GIDs are unique across all domain member servers that access this LDAP database.
Native non-winbind users can be authorized using the POSIX objectclass and the LDAP PAM module from the same LDAP database.
The database can be replicated. Replication reduces the likelihood of data loss and provides backup servers if the primary server is unavailable.
A single LDAP database can provide consistent ID data for a large number of domain member servers and greatly reduces network traffic and the load on domain and trust Domain Controllers.
ID mapping
Winbind creates mappings between Windows SIDs and the corresponding HP-UX UIDs and GIDs, using one of the methods described above. Given a Windows SID, winbind either finds the existing UID or GID mapping or creates a new one if none currently exists.
Identity storage
Winbind maintains a database in which it stores the mappings between HP-UX UIDs and GIDs and Windows SIDs. In the simplest case, winbind maintains the database in a local Trivial Data Base (TDB) file called winbindd_idmap.tdb. If the idmap backend parameter in smb.conf is set to ldap:ldap://<ldap server name>[:389], winbind maintains the ID mapping data in the Directory Server database instead of a local mapping file. It is important to back up the data often, particularly if you use a solution other than the idmap rid method. Refer to the tdbbackup man page for detailed information about TDB file backup.
Winbind process flow
Figure 7-1 shows the winbind process flow in a Windows Domain environment.
Figure 21 Winbind process flow
[Diagram: a Windows client and the ADS Domain Controller on the Windows side; Samba (smbd), winbind with its tdb, NSSWITCH and the JFS file system on the UNIX side. The numbered steps below are drawn as messages between them; the domain controller's reply is marked "W2003 = PAC".]
The following describes the winbind process flow shown in Figure 7-1:
1. A Windows client logs in to the domain (authentication).
2. The Windows 2003 domain controller authenticates the client and passes the user security data.
3. The Windows client maps an HP CIFS share.
4. The HP CIFS Server passes the user name to the Windows Domain Controller to verify that the user is a domain member (pass-through authentication).
5. The Windows Domain Controller returns the user authorization and the member SID list.
6. The smbd daemon passes the SID and user information to the winbind daemon.
7. The winbind daemon checks the SID and user name against the ID mapping data in the Trivial Database (TDB). Winbind either finds the existing mapping between the Windows SID and the HP-UX UID/GID or creates a new map if no mapping currently exists.
8. The mapped UID or GID is returned from the TDB database.
9. Winbind returns the UID and GID mappings to smbd.
10. The HP CIFS Server presents the mapped share to the Windows client.
11. The Windows client opens a file on the HP CIFS Server share.
12. The UID and GID are compared with the file owner, group, and any ACE in the ACL in the file system.
13. The file open action is accepted or denied based on the result of the check in step 12.
14. The Samba server reports the open status to the Windows client.
Winbind supports non-blocking, asynchronous functionality
For HP CIFS Server A or later, winbind supports an almost completely non-blocking, asynchronous request/reply implementation (with the exception of user and group enumeration).
With this new enhancement, winbind provides better scalability in large domain environments and on high-latency networks.
Winbind uses blocking, synchronous behavior when enumerating users and groups. Set both winbind enum users and winbind enum groups to No to suppress the enumeration of users and groups.
When and how to deploy Winbind
Commonly asked questions
This section answers some common questions asked when deciding whether to use winbind:
How do I control the access that all these winbind-generated identities have?
The most common ways to control access to resources are as follows:
Control access to HP CIFS shares with the valid users = [user/group name list] parameter in the smb.conf file.
Use standard UNIX group and ownership permissions on directories and files to further limit access.
Use ACLs on files and directories as needed.
What can I do so native UNIX users can automatically access files created by their Windows account?
Windows users, including winbind users, can be mapped to a specific UID with the username map parameter. When this is done for a winbind user name, the winbind UID is still mapped and reported by the wbinfo tool. This allows the native UNIX user and the Windows or winbind user to have the same UID and to belong to the same UNIX groups. When the user gains access through the HP CIFS Server, access is no longer granted on the basis of any Windows group the Windows user belongs to. Files or directories created are owned by the UNIX user name and the primary group of that UNIX user. This type of user name mapping can be implemented automatically through the username map script parameter to minimize administration of a user name map file.
How can I provide selective permission to a group with some native UNIX users and some Windows users?
This is a problem because HP-UX does not allow Windows or winbind users as members of a UNIX group, and there is no way to add native UNIX users to Windows or winbind groups.
There is a solution: you can create a group with some native UNIX members and some Windows or winbind members, but it requires the following administration tasks:
Map one or more winbind users or groups to a UNIX user.
Assign the mapped UNIX user to a native UNIX group.
Assign the selected native UNIX users to the same group.
Consider the following drawbacks of this solution:
Windows groups that are not assigned GIDs by winbind cannot be mapped to a UNIX user. You must use winbind if you want to map specific Windows groups to a UNIX user name.
Once mapped, the session of the mapped user does not belong to the Windows groups of the original Windows user. The user no longer gains access to resources through the Windows groups on the mapped server.
If the UNIX user is mapped from a number of Windows or winbind users or groups, all files of all mapped users are created with the same owner and primary group. From the file system's perspective, you cannot tell which user actually created a file or directory.
Why can't I use the net groupmap utility to map a Windows group to a UNIX group, then add UNIX members to this group?
The net groupmap feature allows administrators to assign Windows group RIDs to UNIX groups so that Windows clients recognize them and can use them when setting permissions on local server resources. A complete SID is generated by appending the entered RID to the SID of the server, making them local groups on the CIFS member server. You can edit /etc/group to add Windows or winbind names as members, but the file system does not recognize them when granting access.
Considering alternatives
The purpose of winbind is to automate the creation of UIDs and GIDs and maintain their correspondence to the Windows SIDs in order to minimize identity management efforts, but this may not be required in all environments. Your environment may have few users, or may already have additional HP-UX user requirements for UNIX user activities for which separate Windows and UNIX management is acceptable (consider the use of a user name map file; see the SWAT help for the smb.conf parameter username map). Several alternatives may meet your requirements. Consider the following alternatives before deploying winbind:
Username map script
One alternative to winbind for assigning UIDs is to create and configure a username map script that selectively assigns users. This allows you to write a script that potentially creates and/or assigns a native UNIX user name based on the Windows name requesting access. The groups that a specific user belongs to depend on how the script is implemented, but they will be native UNIX groups because the mapping is to a native UNIX user. The result of the username map script overrides any match in the username map file if the script produces an output name.
Create users on-the-fly
Another alternative to winbind is to add an HP-UX user on-the-fly during a Windows user's first HP CIFS login.
Set the add user script parameter in the smb.conf file. For example:
add user script = /usr/sbin/useradd -g users -c "Auto_Account" -s /bin/false %u
In this example, %u is a macro that expands to the Windows user name. The HP-UX user name is created to match the Windows name. It is stored and managed in the same way as other UNIX users, separately from Windows users.
NOTE: On HP-UX 11i v1 and v2, this solution is limited by the useradd command's eight-character maximum name length. All Windows user names have to be limited to eight characters; the command fails if the name supplied by the %u macro does not meet the constraints of the useradd command.
NOTE: On HP-UX 11i v3, you can explicitly enable the system for expanded user and group names with the lugadmin command; the lugadmin -e option enables long user names. Refer to the lugadmin man page for details. Once the system is enabled for long user and group names, it cannot be disabled. When the expanded user and group name feature is enabled, all the user and group management commands (useradd, usermod, userdel, groupadd, groupmod and groupdel) allow you to create and update users with long user and group names. Some products have limitations; consult the HP-UX 11i v3 documentation before enabling the long name feature.
Unified Login (Microsoft Identity Management for UNIX or Services for UNIX)
For environments with Windows 2003 or 2008 Domain Controllers, Microsoft offers Identity Management for UNIX (IMU) or Services for UNIX (SFU), which provide a variety of tools to support Windows and UNIX interoperability, including sharing identity credentials. IMU and SFU downloads and technical papers are available from Microsoft's TechNet at the following web site:
SFU features are incorporated into Windows Active Directory Server 2003 Release 2 (R2), so no download is necessary for this version. There are two approaches to integrating HP-UX account management and authentication with Windows IMU and SFU:
NIS: One of the SFU tools, Server for NIS, enables Windows to serve as a NIS server. Windows Active Directory Server (ADS) stores user account and group information, including SID, UID, and GID, in the Windows ADS schema.
LDAP: When using LDAP-UX Client Services, HP-UX uses Windows ADS directly. SID, UID, and GID information is stored as attributes of the user account in the Windows ADS schema.
With IMU and SFU, HP CIFS Server can access both Windows and UNIX identity information from the Windows Domain Controller. For more information on configuring HP CIFS Server for Unified Login, see Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2 at: CIFSUnifiedLogin.pdf.
HP CIFS deployment model considerations
When winbind is desired, consider how your environment best fits the following HP CIFS deployment models. See Chapter 9 (page 117) for detailed information on HP CIFS deployment models.
Samba Domain Model
A Samba Domain consists of HP CIFS Servers and no Windows Domain Controllers. A Samba Domain deployment may benefit from winbind when the domain trusts other domains: rather than managing local UNIX users corresponding to the Windows/Samba users of all trusted domains, winbind can generate the UIDs and GIDs required for the trusted domains. When multiple domains are involved, HP suggests that you configure winbind with LDAP to use the sambaunixidpool identity allocation algorithm. UNIX user requirements are likely to drive management of users in Samba Domain deployments.
HP recommends that you use the syncsmbpasswd script to generate Samba user entries based on the existing UNIX user entries. See the syncsmbpasswd man page for more information. Note that the name "syncsmbpasswd" originates from the name of the password file; this tool only creates Samba user entries, as it is not possible to translate UNIX passwords into Samba passwords. Winbind bases its mappings on existing Windows/Samba identities rather than existing UNIX users, so it may be of little use in many Samba Domains. Domain member servers may use winbind to minimize management of all domain users, but HP CIFS Primary Domain Controllers can only use winbind to minimize management of trusted domain users.
Windows Domain Model
In the Windows Domain deployment, the Windows NT or ADS Domain Controller does not use Windows Services for UNIX (SFU) to maintain UNIX UID and GID data. HP CIFS Servers participate as member servers and may benefit from winbind to create the local UNIX UIDs and GIDs corresponding to Windows identities, or when other domains are trusted. Even when a Windows Domain Controller provides primary domain authentication,
HP CIFS member servers would benefit from the use of an LDAP directory server, so that winbind can be used while storing ID maps in the LDAP directory and maintaining unique ID maps across multiple HP CIFS member servers. You can deploy winbind with the idmap rid method when your environment does not require domain trusts.
Unified Login Domain Model
In the Unified Login environment, the Windows 2003 or 2008 R2 ADS Domain Controller maintains the unique user UID and GID data with Windows Services for UNIX (SFU), so it is not necessary to deploy winbind.
Configuring HP CIFS Server with Winbind
You must set up and configure your HP CIFS Server to use the winbind feature.
Winbind configuration parameters
Table 7-1 lists the global parameters that control the behavior of winbind. These parameters are set in the [global] section of the /etc/opt/samba/smb.conf file. Refer to the smb.conf man page for more details.
Table 15 Global parameters

winbind separator
Specifies the string that separates the domain name from the user name. For example, winbind separator = \.

idmap uid
Specifies the UID range for domain users. For example, idmap uid = 

idmap gid
Specifies the GID range for domain groups. For example, idmap gid = 

winbind enum users
Boolean. Set this parameter to Yes to allow, or No to disallow, enumeration of winbind users.

winbind enum groups
Boolean. Set this parameter to Yes to allow, or No to disallow, enumeration of winbind groups.

idmap backend
Specifies the type of idmap backend used. The syntax can be:
idmap backend =
Left empty (the default), the local idmap tdb file is used.
idmap backend = rid:<domain name>=<idmap_rid_range>
The ID mappings are generated by the idmap rid facility. For example, idmap backend = rid:domaina=
idmap backend = ldap:ldap://<ldap server name>[:389]
The ID mapping data is stored in a common LDAP directory server backend. For example, idmap backend = ldap:ldap://ldapservera.hp.com.

winbind cache time
Specifies the number of seconds the winbindd daemon caches user and group information before querying a Windows NT server again. The default value is 300.

winbind cache ug list
Boolean. Controls whether winbind caches the user and group list entries. When set to Yes, the winbind daemon, winbindd, caches the user or group list entries in the winbindd cache to reduce the HP CIFS Server response time when enumerating user or group lists. Set it to No to disable this caching. The default setting is Yes. You can also start the winbind daemon with the winbindd -n command to disable winbind caching; winbindd then always has to wait for a response from the Windows domain controller before it can respond to a client. Either winbindd -n or winbind cache ug list = No disables winbind caching for the user or group list entries.

winbind use default domain
Boolean. Specifies whether the winbindd daemon operates on users without a domain component in their user name. Users without a domain component are treated as part of winbindd's own domain. The default setting is No.

template homedir
Specifies the home directory for winbind users. For example, template homedir = /home/%u.

template shell
Specifies the login shell for winbind users. For example, template shell = /usr/bin/ksh.

winbind reconnect delay
Specifies the number of seconds the winbindd(8) daemon waits before contacting a Domain Controller of a domain that is down again. The default is winbind reconnect delay = 30.

winbind expand groups
Controls the maximum depth winbindd traverses when flattening nested group memberships of Windows domain groups. This differs from the winbind nested groups parameter, which applies to the membership of local (alias) groups.
NOTE: Setting a high value for winbind expand groups can slow the system down to the point where the winbindd daemon cannot answer incoming NSS or authentication requests. The default is winbind expand groups = 1.

winbind rpc only
If set to yes, forces winbindd to use RPC instead of LDAP to retrieve information from Domain Controllers. The default is winbind rpc only = no.
NOTE: If you want to use the default value "\" of the winbind separator parameter in smb.conf, you should comment out this parameter. By doing this, the testparm and wbinfo commands can show the correct default separator character "/" without generating an error. Commenting out the winbind separator parameter with the default value, you must type the default "\" separator character twice ("\\") when using the wbinfo -n command. For example, wbinfo -n domain_name\\domain_username. NOTE: The HP CIFS Server does not support the ad option for idmap backend. The idmap rid utility requires that the parameter, allow trusted domains = No, must be specified, as it is not compatible with multiple domain environments. The idmap uid and idmap gid ranges must also be specified. Unsupported parameters or options Table 7 2 shows the parameters or options which are not supported by the HP CIFS Server. Table 16 Unsupported parameters or options winbind nss info This string variable control how winbind retrieves name service information to construct a user's home directory and login shell. Only the template option is functional, the SFU option is not supported by HP CIFS Server. If set to template, winbind constructs a user's home directory and login shell using the 108 Winbind support
parameters template shell and template homedir. The default setting is template.

winbind nested groups: This is a boolean parameter. If set to yes, it activates support for nested groups. Nested groups are also called local groups or aliases. They are defined locally on any machine (domain controllers share them through their SAM) and can contain users and global groups from any trusted SAM. Using nested groups requires nss_winbind. This parameter is not yet supported by HP CIFS Server; use net groupmap instead. See net groupmap help for detailed information.

A smb.conf example
An example smb.conf file is shown below. Replace the <...> placeholders with the values for your site:

[global]
workgroup = DomainA # Domain name
security = domain # or ADS
# Winbindd section
idmap uid = <uid range>
idmap gid = <gid range>
idmap backend = <backend> # tdb, rid, or ldap; see "idmap backend support in Winbind"
winbind enum users = no
winbind enum groups = no
winbind use default domain = no
winbind cache time = 300
# winbind separator = \
template homedir = /home/%u
template shell = /sbin/sh

[sharea]
path = /tmp/sharea
guest ok = no
writable = yes

Configuring Name Service Switch
To use winbind support, configure the Name Service Switch control file, /etc/nsswitch.conf, to use winbind as a name service for user and group name lookup. For example, set up /etc/nsswitch.conf as follows:

passwd: files winbind
group: files winbind

In this example, NSS first checks the files /etc/passwd and /etc/group and, if no entry is found, checks winbind. For detailed information on how to configure NSS, refer to switch(4) and "Configuring the Name Service Switch" in the NFS Services Administrator's Guide.

idmap backend support in Winbind
This section describes the idmap rid backend and the LDAP backend for idmap support when using winbind. Examples of configuration files for each backend are provided.
idmap rid backend support
The idmap rid facility with winbind provides a unique mapping of Windows SIDs to local UNIX UIDs and GIDs. It uses the RID of the user or group SID to generate the UID or GID by adding the RID number to a configurable base value. Since RIDs are allocated by the centrally managed Windows domain controller, this tool permits the CIFS winbind daemons to
generate unique HP-UX UIDs and GIDs across the domain. It can be used to synchronize mappings across multiple CIFS servers without an LDAP directory. You can use the idmap rid facility in a Windows NT domain or a Windows 2003/2008 R2 ADS domain, but not with Windows trusted domains. In HP CIFS Server A or later, the idmap rid shared library idmap_rid.sl(so) is renamed rid.sl(so).

Limitations using idmap rid
The idmap rid facility is only used in a single Windows domain. It does not work with Windows trusted domains, so using the idmap rid method requires that you set the allow trusted domains parameter to No.
You must set the idmap_rid range equal to both the idmap uid and idmap gid ranges in the smb.conf file.
When you set the idmap backend parameter to rid, UID and GID mapping data is only stored locally.

Configuring and using idmap rid
To use the idmap rid method, configure the following parameters in the smb.conf file:
Set idmap backend to rid:<domain name>=<idmap_rid range>.
Set allow trusted domains to No.

An example of smb.conf using rid is shown below:

[global]
workgroup = DomainA # Domain name
security = domain # or ADS
# idmap section
idmap uid = <idmap_rid range>
idmap gid = <idmap_rid range>
idmap backend = rid:DomainA=<idmap_rid range>
allow trusted domains = no

After you configure and set up rid, check the log file to verify that the rid shared library is loaded.

LDAP backend support
When multiple CIFS servers participate in a Windows NT or Windows ADS domain and make use of winbind, you can configure them to store ID maps in an LDAP directory. Using an LDAP server and configuring the CIFS servers with the idmap backend parameter in smb.conf ensures that all UIDs and GIDs are unique across the domain. This is important in order to support Windows access to NFS shares.

NOTE: The HP CIFS Server does not support the ad option for idmap backend. For Windows ADS environments, consider using idmap rid instead.
See the idmap rid backend support section for detailed information.

Configuring the LDAP backend
To manage ID maps in an LDAP backend server, set idmap backend = ldap:ldap://<ldap server name>. The following is an example /etc/opt/samba/smb.conf file that uses the machine ldaphosta.company.com as the idmap backend:

[global]
workgroup = DomainA # Domain name
security = domain
# idmap section
ldap user suffix = ou=People
ldap group suffix = ou=Groups
idmap uid = <uid range>
idmap gid = <gid range>
idmap backend = ldap:ldap://ldaphosta.company.com
ldap idmap suffix = ou=Idmap
ldap admin dn = "cn=Directory Manager"
ldap suffix = dc=org,dc=company,dc=com

Starting and stopping winbind
This section describes how to start or stop the HP CIFS Server with winbind support.

Starting winbind
Use the startsmb -winbind or startsmb -w command to start the winbind daemon, together with smbd and nmbd, on the HP CIFS server:

$ startsmb -winbind
or
$ startsmb -w

The startsmb command without any option starts only the smbd and nmbd daemons.

Stopping winbind
Use the stopsmb -winbind or stopsmb -w command to stop the winbind daemon, together with smbd and nmbd, on the HP CIFS server:

$ stopsmb -winbind
or
$ stopsmb -w

The stopsmb command without any option stops only the smbd and nmbd daemons.

NOTE: Use the scripts startwinbind and stopwinbind to start or stop the winbind daemon only. For example, use the following command to start only the winbind daemon:

$ startwinbind

Automatically starting winbind at system startup
The RUN_WINBIND parameter in /etc/rc.config.d/samba controls whether the winbind daemon, winbindd, starts at system startup. To configure winbind to start automatically at system startup, set RUN_WINBIND to 1.

An example of file ownership by winbind users
In the following example, /opt/samba/bin/smbclient connects to the share sharea on the HP CIFS Server Server1 as the user John from the domain DomA:

$ cd /opt/samba/bin
$ ./smbclient //Server1/shareA -U DomA\\John

The output is as follows:

Domain=[DomainA] OS=[Unix] Server=[Samba based HP CIFS Server A.03.02]
smb: \> put JohnTest
smb: \> quit

Use the ll command to show the ownership of the file /tmp/sharea/johntest:
$ ll /tmp/sharea/johntest

The output is as follows:

-rwxr--r-- 1 DomA\John DomA\GroA 290 Nov 0 12:05 /tmp/sharea/johntest

In the above output, the file owner is DomA\John and the group owner is DomA\GroA. The first part of the owner and group owner, DomA, is the domain name, and the \ is the winbind separator. The last part, John and GroA, are the actual user name and group name from the Windows domain.

Use the ll -n command to show the UID and GID of the file ownership:

$ ll -n /tmp/sharea/johntest
-rwxr--r-- 1 10002 10005 290 Nov 0 12:05 /tmp/sharea/johntest

The UID (10002) and GID (10005) displayed by ll -n both fall within the ranges specified in the smb.conf file for winbind to use.

wbinfo utility
You can use the wbinfo tool to get information from the winbind daemon. To use wbinfo, you must configure and start the winbind daemon, winbindd. See wbinfo (page 170) in Chapter 13, Tool Reference, for detailed information on this tool.
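The following is an added example, not HP CIFS Server or Samba code, that models the idmap rid mapping described earlier in this chapter: the UID or GID is the RID of the SID added to the low end of the configured range (Samba's idmap_rid computes id = rid - base_rid + low_id, with base_rid defaulting to 0). It also enforces the two rules stated above: the rid range must equal both idmap uid and idmap gid, and SIDs from any other (trusted) domain are refused. The domain SID and the 10000-20000 range are constructed sample values; "ll -n" on a file owned by RID 1002 would then show UID 11002.

```python
import re
from typing import Tuple

# Added example (not Samba's idmap_rid source). Mapping rule modelled here:
#     id = rid - base_rid + low_id, valid only while low_id <= id <= high_id
# DOMAIN_SID below is a constructed sample value, not a real domain.

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse an smb.conf range such as '10000-20000' into (low, high)."""
    low, high = (int(x) for x in spec.strip().split("-"))
    if low > high:
        raise ValueError(f"bad range {spec!r}")
    return low, high


class RidMapper:
    def __init__(self, domain_sid: str, id_range: str, base_rid: int = 0):
        self.domain_sid = domain_sid
        self.low, self.high = parse_range(id_range)
        self.base_rid = base_rid

    @classmethod
    def from_smb_conf(cls, backend: str, idmap_uid: str, idmap_gid: str,
                      domain_sid: str) -> "RidMapper":
        """Build a mapper from 'idmap backend = rid:<domain>=<range>' plus the
        'idmap uid' and 'idmap gid' values, enforcing the rule that the rid
        range must equal both of them."""
        kind, _, rest = backend.partition(":")
        if kind.strip().lower() != "rid":
            raise ValueError("not an idmap rid backend")
        _, _, rid_range = rest.partition("=")
        rid_range = rid_range.strip()
        if not (rid_range == idmap_uid.strip() == idmap_gid.strip()):
            raise ValueError("idmap rid range must equal idmap uid and idmap gid")
        return cls(domain_sid, rid_range)

    def sid_to_id(self, sid: str) -> int:
        """Map a user or group SID of this domain to a UID/GID. SIDs of other
        domains (there is no trusted-domain support) and RIDs that would land
        outside the configured range are rejected."""
        m = SID_RE.match(sid)
        if not m or not sid.startswith(self.domain_sid + "-"):
            raise ValueError(f"{sid} is not in domain {self.domain_sid}")
        rid = int(m.group(1))
        uid = rid - self.base_rid + self.low
        if not self.low <= uid <= self.high:
            raise ValueError(f"RID {rid} maps to {uid}, outside {self.low}-{self.high}")
        return uid

    def id_to_sid(self, uid: int) -> str:
        """Reverse mapping, as used when a UID/GID is shown to a Windows client."""
        if not self.low <= uid <= self.high:
            raise ValueError(f"{uid} is outside {self.low}-{self.high}")
        return f"{self.domain_sid}-{uid - self.low + self.base_rid}"

    def is_mappable(self, sid: str) -> bool:
        try:
            self.sid_to_id(sid)
            return True
        except ValueError:
            return False


# Constructed sample domain SID and range (not taken from the original page).
DOMAIN_SID = "S-1-5-21-1234567890-234567890-345678901"
mapper = RidMapper.from_smb_conf("rid:DomainA=10000-20000",
                                 "10000-20000", "10000-20000", DOMAIN_SID)

if __name__ == "__main__":
    for rid in (512, 1002):          # Domain Admins group, an ordinary user
        sid = f"{DOMAIN_SID}-{rid}"
        print(sid, "->", mapper.sid_to_id(sid))
```

Because the RID space is shared by users and groups, a single range serves both UIDs and GIDs, which is why the guide requires idmap uid and idmap gid to be identical for this backend.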
8 Kerberos support

Introduction
The Kerberos protocol is standardized by the IETF. Kerberos was adopted by Microsoft for Windows 2000 and is the default authentication protocol for Windows 2003, Windows XP, and Windows Vista clients. For the HP CIFS Server, Kerberos authentication is limited exclusively to server membership in a Windows 2003 or Windows 2008 domain, and only when the HP CIFS Server is configured with "security = ads".

This chapter provides a brief overview of Kerberos and a variety of Kerberos configuration information, including configuration detail that applies when HP CIFS Server co-exists with other HP-UX applications that use the Kerberos security protocol. For basic Windows 2003 and Windows 2008 domain membership configuration, see Windows 2003 and Windows 2008 domains (page 71). For more detailed CIFS-related Kerberos information, refer to the HP white paper HP CIFS Server and Kerberos, available from the HP networking and communications documentation web site (navigate to CIFS).

Kerberos overview
Kerberos is an authentication protocol that uses shared secrets and encryption so that three parties, an authenticator, an authenticatee, and a resource the authenticatee wants to access, can prove identity to each other without sending passwords. In the particular case of HP CIFS Server, the roles are:

Windows Key Distribution Center (KDC): Authenticator
Windows client: Authenticatee
HP CIFS Server: Resource

The protocol exchanges never carry the actual password over the wire, so a password cannot be sniffed and decrypted to gain access to a resource. Instead, encrypted tickets and session keys are passed over the wire, and the three parties (KDC, Windows client, and CIFS server) each use their pre-arranged long-term secrets to decrypt them and allow access.
The secrets themselves are never transferred. The critical components of the exchanges are:

Windows Key Distribution Center (KDC): Central Kerberos authority for a domain
Long-term key: Persistent key derived from a principal's password (for the CIFS server, the machine account password stored in the keytab)
Session key: Short-term key used for authentication until it expires
Ticket Granting Ticket (TGT): Allows a client to obtain service tickets from the TGS
Ticket Granting Service (TGS): Exchange that issues the service ticket a client presents to the CIFS server
Authentication Service (AS): Exchange that authenticates the client to the KDC and issues the TGT

For a comprehensive Microsoft Kerberos implementation white paper, refer to the Microsoft web site.
Kerberos CIFS authentication example

Figure 22 Kerberos authentication environment
[Figure: Authenticator = Windows 2000/2003 KDC (AS and TGS); Authenticatee = Windows 2000 or XP client; Resource = HP CIFS Server; exchanges numbered 1 through 6 as listed below]

The following describes a typical Kerberos logon and share service exchange in a Windows 2003/2008 R2 ADS domain environment, as shown in Figure 22:

1. When a user logs on, the Windows client sends the principal name, with pre-authentication data encrypted under the user's long-term key, to the Authentication Service (AS). The password itself is not sent.
2. The AS validates the principal and sends credentials to the Windows client, including a Ticket Granting Ticket (TGT) and the associated session key, which allow the client to deal with the Windows KDC.
3. The Windows client uses the session key and the TGT to request a service ticket for the share service from the Ticket Granting Service (TGS).
4. The TGS sends the service ticket and other information to the Windows client.
5. The Windows client sends the service ticket to the HP CIFS Server when requesting the share service.
6. The HP CIFS Server decrypts and verifies the service ticket with its own long-term key (from the keytab) and authorizes the Windows client to access the server's share.

HP-UX Kerberos application co-existence
The HP CIFS Server is capable of updating the Kerberos keytab file. It can co-exist with other Kerberos applications such as HP-UX Internet Services, as described in Configuring krb5.keytab (page 115).

Components for Kerberos configuration
The following components are necessary to configure HP CIFS Server for Kerberos authentication:

HP CIFS Server: Version A or later (based upon Samba or later)
HP-UX 11i v2 or HP-UX 11i v3
HP-UX Kerberos client: Kerberos v5 Client D or later for HP-UX 11i v2, or Kerberos v5 Client E or later for HP-UX 11i v3
Service Pack 1 is recommended for Windows 2003, and required for interoperation with Kerberos v5 Client D or later on HP-UX 11i v2 or Kerberos v5 Client E or later on HP-UX 11i v3
HP-UX LDAP-UX Integration product
Windows 2003 or Windows 2008 Server domain
Windows XP client

Configuring krb5.keytab
The following components are required to configure HP CIFS Server for co-existence with HP-UX Internet Services:

Kerberos v5 Client D or later on HP-UX 11i v2, or Kerberos v5 Client E or later on HP-UX 11i v3
/etc/krb5.conf file
/etc/opt/samba/smb.conf file
/etc/krb5.keytab file
net ads keytab create command

The first task is to configure HP CIFS Server for Kerberos authentication and join it to a Windows domain. Use the following steps to generate a valid keytab file and to configure the HP CIFS Server to access it:

1. Add the default_keytab_name parameter with the FILE attribute to the /etc/krb5.conf file. Kerberos v5 Client D or later on HP-UX 11i v2, or Kerberos v5 Client E or later on HP-UX 11i v3, is required for the FILE attribute. An example /etc/krb5.conf for HP CIFS Server keytab creation is as follows:

# Kerberos configuration
[libdefaults]
default_realm = MYREALM.HP.COM
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5

[realms]
MYREALM.HP.COM = {
kdc = HPWIN2K4.MYREALM.HP.COM:88
admin_server = HPWIN2K4.MYREALM.HP.COM
}

[domain_realm]
.hp.com = MYREALM.HP.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

The DES enctypes are listed only for compatibility with older clients. They are weak, and Windows Server 2008 R2 and later domain controllers disable them by default, so keep RC4-HMAC first in the lists and remove the DES entries once no client needs them.

2. To configure the HP CIFS Server to read /etc/krb5.keytab, set kerberos method = dedicated keytab and dedicated keytab file = <keytab file location> in the /etc/opt/samba/smb.conf file.
NOTE: You can also use kerberos method = system keytab to configure HP CIFS Server without specifying the dedicated keytab file parameter.

An example /etc/opt/samba/smb.conf is as follows:

[global]
workgroup = MYREALM
realm = MYREALM.HP.COM
netbios name = atcux5
server string = Samba Server
interfaces = <interface list>
bind interfaces only = Yes
security = ADS
password server = HPATCWIN2K4.MYREALM.HP.COM
kerberos method = dedicated keytab
dedicated keytab file = /etc/krb5.keytab

3. Run the following net ads commands to generate the keytab file:

net ads keytab create -U administrator
net ads keytab add cifs -U administrator

NOTE: If you have problems authenticating earlier versions of clients, add the HOST SPN to the keytab file as well:

net ads keytab add HOST -U administrator

4. Validate your configuration by starting the HP CIFS Server, logging on to the domain from clients, and mounting an HP CIFS share. The HP CIFS Server can then authorize Windows clients to access the server share using Kerberos in the Windows domain and the keytab file on the HP CIFS Server. The keytab file generated by HP CIFS Server can also be used by HP-UX Internet Services.
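After step 3 it is worth confirming what actually landed in /etc/krb5.keytab before handing the file to other Kerberos applications. The following is an added example, not HP CIFS Server or Samba code: a reader for the MIT keytab file format (version 0x0502, big-endian) that lists the principals, checks that both the cifs/ and host/ service principals for this server are present, and flags entries that use the weak DES enctypes. The sample keytab is constructed in memory with zero keys; the host name atcux5.myrealm.hp.com is an assumption derived from the netbios name and realm in the smb.conf above. Run it against the real file with parse_keytab(open("/etc/krb5.keytab", "rb").read()).

```python
import struct
from typing import Dict, List, Tuple

# Added example (not HP or Samba code). MIT keytab layout, version 0x0502:
#   int32 size; uint16 num_components; counted realm; counted components...;
#   uint32 name_type; uint32 timestamp; uint8 vno8; uint16 enctype;
#   uint16 keylen; key bytes; [uint32 vno32]
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 3}       # single DES; disabled by default on Windows 2008 R2+
KRB5_NT_PRINCIPAL = 1


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_entry(principal: str, enctype: int, key: bytes, kvno: int = 2,
                timestamp: int = 0) -> bytes:
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body   # signed size precedes each entry


def build_keytab(entries: List[Tuple[str, int, bytes]]) -> bytes:
    return b"\x05\x02" + b"".join(build_entry(p, e, k) for p, e, k in entries)


def parse_keytab(data: bytes) -> List[Dict]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # deleted slot: |size| bytes of dead space
            off -= size
            continue
        end = off + size
        ncomp, rlen = struct.unpack_from(">HH", data, off)
        off += 4
        realm = data[off:off + rlen].decode()
        off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, off)
            off += 2
            comps.append(data[off:off + clen].decode())
            off += clen
        _name_type, _ts, kvno = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "enctype": enctype, "kvno": kvno, "key": key})
    return entries


def check_keytab(data: bytes, fqdn: str) -> Dict:
    """Report which of the cifs/ and host/ SPNs for this server are present
    (compared case-insensitively, since net ads writes both host/ and HOST/)
    and which entries use weak enctypes."""
    entries = parse_keytab(data)
    present = {e["principal"].split("@")[0].lower() for e in entries}
    required = {f"cifs/{fqdn}".lower(), f"host/{fqdn}".lower()}
    weak = sorted(f"{e['principal']}:{ENCTYPES.get(e['enctype'], e['enctype'])}"
                  for e in entries if e["enctype"] in WEAK_ENCTYPES)
    return {"principals": sorted(e["principal"] for e in entries),
            "missing": sorted(required - present), "weak": weak}


# Constructed sample: roughly what the keytab holds after "net ads keytab create",
# "net ads keytab add cifs" and "net ads keytab add HOST" with the krb5.conf above.
FQDN = "atcux5.myrealm.hp.com"                  # assumed host name
SAMPLE_KEYTAB = build_keytab([
    (f"cifs/{FQDN}@MYREALM.HP.COM", 23, bytes(16)),
    (f"cifs/{FQDN}@MYREALM.HP.COM", 1, bytes(8)),
    (f"HOST/{FQDN}@MYREALM.HP.COM", 23, bytes(16)),
])

if __name__ == "__main__":
    print(check_keytab(SAMPLE_KEYTAB, FQDN))
```

A missing host/ entry is the usual cause of the older-client failures the NOTE above refers to, and a DES entry means the DC still has DES enabled for this machine account; both are visible here without touching the domain.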
9 HP CIFS deployment models

Introduction
This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference. It contains the following sections:

Introduction (page 117)
Samba domain model (page 117)
Windows domain model (page 125)
Unified domain model (page 131)

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS Server interoperates with Windows NT, Windows 200x, Advanced Server, and other CIFS servers and clients. This chapter provides a reference for three deployment models: the Samba Domain Model, the Windows Domain Model, and the Unified Domain Model. These three models represent common network environments and demonstrate the HP CIFS Server's flexibility. Each model shows server relationships, but all deployment models support native file access with any combination of the following clients:

Windows 2003, Windows 2008, Windows XP SP1 and Windows XP SP2, Windows Vista
Windows Terminal Server (NT4 and 2000)
HP CIFS Client
UNIX workstations (via mounting NFS-exported CIFS directories)

Samba domain model
You can use the Samba Domain Deployment Model in environments with the following characteristics:

A domain consisting of HP CIFS Servers and no Windows domain controllers.
Support for any number of UNIX servers that provide file and print services for corresponding numbers of users.
An HP CIFS Server is configured as a Primary Domain Controller (PDC). One or more HP CIFS Servers act as Backup Domain Controllers (BDCs).
The PDC and BDCs use the LDAP backend to consolidate common POSIX and Windows accounts on the LDAP directory. This requires the LDAP-UX Integration software for larger deployments.
Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments.

The Samba Domain Model provides the following benefits:

It can be expanded easily.
An HP CIFS Server acting as a BDC can pick up network logon requests and authenticate users while the PDC is busy on the network.
A BDC can be promoted to a PDC if the PDC needs to be taken out of service or fails.
The PDC-BDC model provides authentication load balancing for larger networks.
The PDC, BDCs, and domain member servers store account databases in the LDAP directory to centralize administration regardless of network size.

Figure 23 shows a standalone HP CIFS Server as a PDC with the local password database:
Figure 23 Standalone HP CIFS Server as a PDC
[Figure: HP CIFS PDC serving Windows and UNIX users; password backend: smbpasswd or tdbsam]

Figure 24 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:

Figure 24 Standalone HP CIFS Server as a PDC with NDS backend
[Figure: HP CIFS PDC with an NDS LDAP server serving Windows and UNIX users; password backend: ldapsam or ldapsam_compat]

Figure 25 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:
Figure 25 Multiple HP CIFS Servers with NDS backend
[Figure: HP CIFS PDC and WINS server, HP CIFS BDC, and HP CIFS member server sharing an NDS LDAP server for Windows and UNIX users; password backend: ldapsam or ldapsam_compat]

Figure 26 shows the Samba Domain Model:

Figure 26 Samba Domain
[Figure: HP CIFS PDC and WINS server, HP CIFS BDC, and HP CIFS member server sharing an NDS LDAP server for Windows and UNIX users; password backend: ldapsam or ldapsam_compat]

The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller (PDC) and one or more HP CIFS Servers acting as Backup Domain Controllers (BDCs). The PDC, BDCs, and member servers use the central LDAP backend to consolidate POSIX and Windows accounts on the LDAP directory. For larger deployments this requires the HP LDAP-UX Client Services software to be installed and configured on the HP CIFS Servers.
Samba Domain components
As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes to centralize both POSIX and Windows user data. See LDAP integration support (page 81) for detailed information on how to set up LDAP.

WINS is used for multi-subnetted environments, which require name-to-IP-address mapping beyond the broadcast limits of a single LAN segment. HP CIFS Server provides WINS server capabilities, which can be enabled on one node (usually the PDC) for the domain; that node's address must then be specified in the configuration of the remaining nodes (usually the BDCs and member servers). PC client configurations can also specify the WINS server address to ensure that they are able to join the domain. Set wins support = yes in smb.conf on the one HP CIFS Server that is to be the WINS server, and set wins server = <ip address> in smb.conf on the rest of the HP CIFS Servers. Because Samba-supplied WINS does not provide replication, the WINS server can be a single point of failure in the network. If high availability is required, consider using Serviceguard on the WINS server, client host files, or static caches of NetBIOS names in DNS servers.

HP CIFS Server acting as a PDC
An HP CIFS Server configured as a PDC is responsible for Windows authentication throughout the domain. The smb.conf parameters security = user and domain logons = yes select this behavior. Single-server installations may use the smbpasswd or tdbsam password backends, but large installations should use the LDAP backend to provide centralized management of both POSIX users and Windows users. Configure LDAP with passdb backend = ldapsam:ldap://<ldap server name> or passdb backend = ldapsam_compat:ldap://<ldap server name>. An important characteristic of a CIFS PDC is browsing control.
The parameter domain master = yes causes the server to register the NetBIOS name <domain name><1B>, where the 1B suffix is reserved for the domain master browser. This name is recognized by the other servers. When you integrate an HP CIFS Server acting as a PDC with the LDAP directory, you must install the HP LDAP-UX Integration software and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts on the LDAP directory. The LDAP database can replace /etc/passwd and smbpasswd, and the PDC can access the LDAP directory for Windows authentication.

HP CIFS Server acting as a BDC
The configuration of BDCs is similar to that of the PDC, which enables BDCs to carry much of the network logon processing. A BDC on a local segment handles logon requests and authenticates users when the PDC is busy. When a segment becomes heavily loaded, the responsibility is offloaded to another segment's BDC or to the PDC. Therefore, you can optimize resources and add robustness to network services by deploying BDCs throughout the network. If you set the local master parameter to yes in smb.conf, browsing can also be spread throughout the network. You can promote a BDC to a PDC if the PDC needs to be taken out of service or fails. To promote a BDC to a PDC, change the domain master parameter from no to yes. The PDC and BDCs use the central LDAP directory to store common POSIX and Windows accounts. When you integrate an HP CIFS Server acting as a BDC with the LDAP directory, you must install the HP LDAP-UX Integration software and configure the LDAP-UX client. The BDC can then access the LDAP directory for Windows authentication.
HP CIFS Server acting as a member server
To ensure that there are always sufficient domain controllers to handle authentication and logon requests, configure BDCs rather than member servers unless there are fewer than about 30 Windows clients per BDC. You can join an HP CIFS Server to the Samba Domain as a member server; Windows authentication requests are then handled by the PDC or BDCs using LDAP, smbpasswd, or another backend. For detailed information on how to join an HP CIFS Server to the Samba Domain, see Domain member server (page 60) in Chapter 4.

The member server smb.conf configuration differs from that of the PDC and BDC. You must set the security parameter to domain, which forces the member server to authenticate via the PDC or BDCs. You must set the password server parameter to the name of the PDC and may also add the names of one or more BDCs. Set the domain master parameter to no to let the PDC take control. As with the PDC and BDC, set the passdb backend parameter to the LDAP server to centralize POSIX and Windows account database management. Using LDAP requires installing the HP LDAP-UX Integration software and configuring the LDAP client to consolidate POSIX and Windows users on the LDAP directory.

An example of the Samba Domain model
Figure 27 shows an example of the Samba Domain Model with the HP CIFS Server hostw acting as PDC and WINS server, the HP CIFS Server hostb acting as BDC, the HP CIFS Server hostc acting as domain member server, and the Netscape Directory Server hptem128.
Figure 27 An example of the Samba Domain model
[Figure: HP CIFS PDC and WINS server hostw, HP CIFS BDC hostb, HP CIFS member server hostc, and NDS LDAP server hptem128 serving Windows and UNIX users; password backend: ldapsam or smbpasswd]

A sample smb.conf file for a PDC
The following is a sample Samba configuration file, /etc/opt/samba/smb.conf, for the HP CIFS Server hostw acting as a PDC in the sample Samba Domain Model shown in Figure 27:
######################################
#
# Samba config file created using SWAT
#
# Global Parameters
[global]
workgroup = SAMBA30_DOMAIN # Domain Name
server string = Samba Server hostw PDC
passdb backend = ldapsam:ldap://hptem128:389, smbpasswd
log level = 0
security = user
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = Yes
local master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org,dc=hp,dc=com
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
read only = Yes

NOTE: Set passdb backend = ldapsam:ldaps://<fully qualified name of NDS server> for SSL-enabled LDAP, or passdb backend = ldapsam:ldap://<NDS server name> to disable SSL support. If you use the backward-compatible A.01.* LDAP account backend, set passdb backend = ldapsam_compat:ldaps://<ldap server name> and ldap ssl = yes in smb.conf to enable SSL support.

Configuration options
domain master: Set this parameter to yes for the HP CIFS Server to act as a PDC.
domain logons: Set this parameter to yes to provide netlogon services.
passdb backend: Set this parameter to ldapsam_compat:ldap://<ldap server name> if you want to use the old Samba subschema for the LDAP databases. To use the new subschema supported by HP CIFS Server A or later, set this parameter to ldapsam:ldap://<ldap server name>.
wins support: Set this parameter to yes to configure the HP CIFS Server as the WINS server.
A sample smb.conf file for a BDC
The following is a sample Samba configuration file, /etc/opt/samba/smb.conf, for the HP CIFS Server hostb acting as a BDC in the sample Samba Domain Model shown in Figure 27:

######################################
#
# Samba config file created using SWAT
#
# Global Parameters
[global]
workgroup = SAMBA30_DOMAIN # Domain Name
server string = Samba Server hostb BDC
password server = hostw
passdb backend = ldapsam:ldap://hptem128:389, smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
security = user
local master = No
domain master = No
wins server = <PDC IP address> # Use the PDC as the WINS server
wins support = No
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org,dc=hp,dc=com
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

Configuration options
passdb backend: Set this parameter to ldapsam_compat:ldap://<ldap server name> if you want to use the old Samba subschema for the LDAP databases. To use the new subschema supported by HP CIFS Server A.02.01 or later, set this parameter to ldapsam:ldap://<ldap server name>.
domain master: Set this parameter to no for the HP CIFS Server to act as a BDC.
wins server: To use the PDC as the WINS server, set this parameter to the PDC's IP address or machine name and leave wins support = No; Samba rejects a configuration that sets both wins support = yes and wins server on the same server.
domain logons: Set this parameter to yes to provide netlogon services.

A sample smb.conf file for a domain member server
When configuring the HP CIFS Server to act as a member server, configure the relevant domain parameters in the /etc/opt/samba/smb.conf file using the SWAT tool, an editor, or samba_setup.
The following is a sample Samba configuration file, /etc/opt/samba/smb.conf, for the HP CIFS Server hostc acting as a domain member server in the sample Samba Domain Model shown in Figure 27:
######################################
#
# Samba config file created using SWAT
#
# Global Parameters
[global]
workgroup = SAMBA30_DOMAIN # Domain Name
server string = Samba Server hostc Domain Member Server
password server = hostw hostb
security = Domain
netbios aliases = MOONEY
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = No
preferred master = No
domain master = No
wins server = <PDC IP address> # Use the PDC as the WINS server
wins support = No
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org,dc=hp,dc=com
ldap ssl = no
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

Configuration options
workgroup: This parameter specifies the name of the domain of which the HP CIFS Server is a member.
security: When the HP CIFS Server joins a domain as a member, you must set this parameter to domain.
wins server: To use the PDC as the WINS server, set this parameter to the PDC's IP address or machine name and leave wins support = No.
password server: This parameter lists the NetBIOS names of the PDC and BDC machines that perform user name authentication and validation.

A sample /etc/nsswitch.ldap file
When you set up the PDC, BDC, and member servers with the LDAP backend, configure the /etc/nsswitch.conf file to retrieve user account information from the Netscape Directory Server. Save a copy of the existing /etc/nsswitch.conf file and edit the original to specify the LDAP name service and the other name services you want to use, or simply copy /etc/nsswitch.ldap to /etc/nsswitch.conf. The following is the sample /etc/nsswitch.ldap used in the sample Samba Domain Model shown in Figure 27:

# /etc/nsswitch.ldap
#
# You can copy this sample file to /etc/nsswitch.conf.
#
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
#
passwd: files ldap
group: files ldap
hosts: dns [NOTFOUND=return] files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files
aliases: files
services: files ldap

Windows domain model
You can use the Windows Domain Model in environments with the following characteristics:

Windows NT4, Windows 200x mixed mode, or Windows 200x ADS servers (with NetBIOS enabled) are deployed.
Support for any number of HP CIFS Servers that provide file and print services for corresponding numbers of users.
It requires the HP-UX LDAP-UX Integration client software for ADS domain member servers.
Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments, to maintain winbind ID maps across multiple HP CIFS Servers.

The Windows Domain Model provides the following benefits:

Support for Windows domain member single sign-on, network logon, and the Windows account management system.
Easy user management across multiple HP CIFS Servers by using winbind.
Easy expansion.

Figure 28 shows the Windows Domain Deployment Model:

Figure 28 Windows domain
[Figure: Windows NT PDC or Windows ADS domain controller and Windows NT BDC holding the Windows users; HP CIFS member server running the ldap-ux client, the winbind daemon and libnss_winbind, with ID maps in idmap.tdb or in an LDAP directory (idmap backend = ldap)]

In the Windows Domain Model, an HP CIFS Server joins a Windows domain as a member server alongside Windows NT or Windows 200x domain controllers. HP CIFS Server supports winbind to provide UID and GID mappings for Windows users. For a larger deployment, you can use the LDAP directory to maintain unique ID maps across multiple HP CIFS Servers.
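Before going further, it is useful to check a candidate smb.conf against the rules this guide has stated so far: the PDC, BDC and member server roles of the Samba Domain model above (security, domain logons, domain master, password server), the rule that a server is either the WINS server or a WINS client but not both, and the winbind and idmap restrictions from the Winbind chapter (no ad backend, idmap rid only with allow trusted domains = no and equal uid/gid ranges, winbind nss info = template only, no winbind nested groups). The following is an added example, not HP CIFS Server or Samba code, and it is a static check only; testparm remains the authoritative syntax check. The three sample configurations are constructed for the example, and 192.0.2.10 is a documentation address, not a real host.

```python
import configparser
from typing import List

# Added example (not HP or Samba code): a static rules check over the [global]
# section of an smb.conf. Samba treats parameter names case-insensitively;
# configparser lowercases option names, so lookups below use lowercase.


def load_global(text: str) -> configparser.SectionProxy:
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",),
                                   comment_prefixes=("#", ";"),
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp["global"]


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def check_smb_conf(text: str) -> List[str]:
    g = load_global(text)
    problems: List[str] = []
    security = g.get("security", "user").strip().lower()
    logons = _yes(g.get("domain logons", "no"))
    master = g.get("domain master", "auto").strip().lower()

    # Role rules: only a PDC or BDC (security = user) may serve domain logons,
    # a PDC also needs domain logons, and a member server must name its DCs.
    if logons and security != "user":
        problems.append("domain logons = yes requires security = user (PDC or BDC only)")
    if master == "yes" and not logons:
        problems.append("domain master = yes (PDC) also needs domain logons = yes")
    if security == "domain" and "password server" not in g:
        problems.append("security = domain requires password server = <PDC> [<BDC> ...]")

    # WINS: a server is either the WINS server or a WINS client, never both.
    if _yes(g.get("wins support", "no")) and "wins server" in g:
        problems.append("wins support = yes and wins server cannot both be set")

    # winbind / idmap restrictions from the Winbind chapter.
    backend = g.get("idmap backend", "tdb").strip().lower()
    kind = backend.split(":")[0]
    if kind == "ad":
        problems.append("idmap backend = ad is not supported by HP CIFS Server")
    if kind == "rid":
        if _yes(g.get("allow trusted domains", "yes")):
            problems.append("idmap backend = rid requires allow trusted domains = no")
        uid, gid = g.get("idmap uid", ""), g.get("idmap gid", "")
        rid_range = backend.partition("=")[2].strip()
        if not uid or not gid:
            problems.append("idmap uid and idmap gid ranges must be specified")
        elif not (uid.strip() == gid.strip() == rid_range):
            problems.append("idmap rid range must equal both idmap uid and idmap gid")
    if g.get("winbind nss info", "template").strip().lower() != "template":
        problems.append("winbind nss info: only template is supported (not sfu)")
    if _yes(g.get("winbind nested groups", "no")):
        problems.append("winbind nested groups is not supported; use net groupmap")
    return problems


# Constructed sample configurations (not the page's own files).
PDC = """
[global]
workgroup = SAMBA30_DOMAIN
security = user
domain logons = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://hptem128:389
"""

BDC_BOTH_WINS = """
[global]
workgroup = SAMBA30_DOMAIN
security = user
domain logons = Yes
domain master = No
wins server = 192.0.2.10   # the PDC
wins support = Yes
"""

RID_MEMBER_NO_TRUST_FLAG = """
[global]
workgroup = DomainA
security = ADS
idmap uid = 10000-20000
idmap gid = 10000-20000
idmap backend = rid:DomainA=10000-20000
"""

if __name__ == "__main__":
    for name, conf in (("PDC", PDC), ("BDC", BDC_BOTH_WINS),
                       ("rid member", RID_MEMBER_NO_TRUST_FLAG)):
        print(name, check_smb_conf(conf) or "ok")
```

Run it on a real file with check_smb_conf(open("/etc/opt/samba/smb.conf").read()); the checks are deliberately conservative and only cover the rules this guide states, so an empty result is not a substitute for testparm.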
Components for Windows domain model

HP CIFS Server supports the NTLMv1/NTLMv2 security used for NT domain membership and the Kerberos security used for Windows 2000/2003 native membership, so HP CIFS Servers can be managed in any Windows 2000/2003 ADS, Windows 200x mixed mode, or NT environment. HP CIFS Server does not support a true SAM database and cannot participate as a domain controller in a Windows NT, Windows 2000 or Windows 2003 domain.

HP CIFS supports winbind, which you can use to avoid explicitly allocating POSIX users and groups for each Windows user and group. Winbind generates and maps UIDs and GIDs for Windows users. Set the smb.conf parameters idmap uid = <uid range> and idmap gid = <gid range>. See Winbind support (page 100) for detailed information on winbind.

When you deploy multiple HP CIFS Servers, you can use the LDAP directory to maintain unique ID maps across multiple systems. The rid idmap backend (idmap backend = rid) is another smb.conf option. To centralize management of ID maps in an LDAP directory, set the idmap backend parameter to ldap:ldap://<ldap server name> in the smb.conf file. You can use the wins server = <Windows or NT WINS server address> smb.conf parameter for access throughout a multi-subnetted network. Avoid using the WINS server supplied by HP CIFS if Windows or NT WINS servers are available, because HP CIFS WINS servers cannot replicate the WINS data.

The "LDAP-UX Client Service with Microsoft Windows 2000 Active Directory Administrator's Guide" provides help for HP-UX ADS client configurations.

An example of the ADS domain model

Figure 9-7 shows an example of the Windows 2000/2003 ADS Domain Model, which has the realm named HPCIF23DOM.ORG.HP.COM, an ADS domain controller machine hpcif23, an HP CIFS Server machine hpcif54 acting as a native member server, and the Netscape Directory Server system hptem128.
Figure 29 An example of the ADS domain model (diagram: Windows ADS DC hpcif23 in realm HPCIF23DOM.ORG.HP.COM serving Windows users; Netscape Directory Server hptem128 holding the winbind ID maps over LDAP; HP CIFS ADS Member Server hpcif54 running the winbind daemon, libnss_winbind and the Kerberos client, with idmap backend = ldap)

A sample smb.conf file for an HP CIFS ADS member server

The following is the sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hpcif54 acting as an ADS member server in the sample ADS Domain Model shown in Figure 9-7:
######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
   # Domain Name
   workgroup = hpcif23_dom
   server string = CIFS Server as a domain member of hpcif23_dom
   realm = HPCIF23DOM.ORG.HP.COM
   security = ADS
   netbios name = hpcif54
   encrypt passwords = yes
   password server = *
   passdb backend = smbpasswd
   log level = 0
   syslog = 0
   log file = /var/opt/samba/log.%m
   max log size = 1000
   host msdfs = yes
   # For LDAPSAM
   # passdb backend = ldapsam:ldap://hptem128
   # ldap admin dn = cn=directory Manager
   # ldap user suffix = ou=People
   # ldap group suffix = ou=groups
   # ldap machine suffix = ou=Computers
   # ldap suffix = dc=org, dc=hp, dc=com
   # ldap ssl = no
   # ldap delete dn = no
   # ldap passwd sync = no
   # ldap replication sleep = 1000
   # ldap timeout = 15
   # For idmap configuration of winbind
   idmap backend = ldap:ldap://hptem128
   idmap uid =
   idmap gid =
   ldap server = hptem128
   ldap admin dn = "cn=directory Manager"
   ldap suffix = dc=org, dc=hp, dc=com
   ldap idmap suffix = ou=idmap
   #
   # For non winbind solution
   # add user script = /usr/sbin/useradd -g users -c \
   #    winbind_create -d /tmp -s /bin/false %u
   # For winbind solution
   winbind use default domain = yes
   winbind uid =
   winbind gid =
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%d/%u
   template shell = /bin/false
[homes]
   comment = Home Directory
   browseable = no
   writable = yes
   # %S is the share name, which for [homes] is the connecting user's name
   valid users = %S
   create mode = 0664
   directory mode = 0775
[share1]
   path = /tmp
   read only = no
   valid users = %D\%U
[share2]
   path = /tmp
   read only = no
   # Set force user and force group to a valid domain user and group
   force user = localusr
   force group = localgrp
[tmp]
   path = /tmp
   read only = no
   browseable = yes
   writable = yes

A sample /etc/krb5.conf file

On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is the sample /etc/krb5.conf used in the sample ADS Domain Model shown in Figure 9-7:

# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
# See krb5.conf(4) for more details.
#
# Please verify that you have created the directory /var/log.
#
# Replace HPCIF23DOM.ORG.HP.COM with your Kerberos realm.
# Replace hpcif23.org.hp.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
   default_realm = HPCIF23DOM.ORG.HP.COM
   default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   ccache_type = 2
[realms]
   # The realm defined here must be the default_realm named above
   HPCIF23DOM.ORG.HP.COM = {
      kdc = hpcif23.org.hp.com:88
      admin_server = hpcif23.org.hp.com
   }
[domain_realm]
   .org.hp.com = HPCIF23DOM.ORG.HP.COM
[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log

NOTE: The :88 port suffix is required in the kdc field.

A sample /etc/nsswitch.conf file

In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and the other name services that you want to use.
The following is the sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:

# /etc/nsswitch.conf
#
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
#
passwd: files winbind [NOTFOUND=return] ldap
group: files winbind [NOTFOUND=return] ldap
hosts: files dns [NOTFOUND=return]
networks: files
protocols: files
rpc: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files

NOTE: HP CIFS Server supports several ways to allocate and map POSIX users and groups. If winbind is used, the winbind name service is required in /etc/nsswitch.conf. If winbind is not used, a local POSIX account associated with each Windows user and group must be created. One way to create these accounts automatically is to define the "add user script" and "add group script" options in smb.conf. See the SWAT help text for more information.

An example of the Windows NT domain model

Figure 9-8 shows an example of the Windows NT Domain Model, which has a Windows NT server named hostp as the PDC and an HP CIFS Server machine hostm acting as a domain member server. The ID maps are saved in the local file idmap.tdb.

Figure 30 An example of the Windows NT domain model (diagram: Windows NT Server/PDC hostp serving Windows users; HP CIFS Member Server hostm running the winbind daemon with libnss_winbind and the local idmap.tdb)

A sample smb.conf file for an HP CIFS member server

The following is the sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hostm acting as a member server in the sample Windows NT Domain Model shown in Figure 9-8:
######################################################
#
# A sample smb.conf file for an HP CIFS NT domain member server
#
# Global Parameters
[global]
   server string = CIFS Server as a member of NT domain
   netbios name = hostm
   # For NT specific option
   # Domain Name
   workgroup = hostp_dom
   security = domain
   encrypt passwords = yes
   passdb backend = smbpasswd
   password server = hostp.org.hp.com
   log level = 0
   log file = /var/opt/samba/log.%m
   max log size = 1000
   #
   # For non winbind solution
   # add user script = /usr/sbin/useradd -g users -c \
   #    add_user_script -d /tmp -s /bin/false %u
   #
   # For winbind specific options
   winbind use default domain = yes
   winbind uid =
   winbind gid =
   winbind enum users = yes
   winbind enum groups = yes
   winbind cache time = 300
   template homedir = /home/%d/%u
   template shell = /bin/false
#
[homes]
   comment = Home Directory
   create mode = 0664
   directory mode = 0775
   # %S is the share name, which for [homes] is the connecting user's name
   valid users = %S
   browseable = No
   read only = No
   writable = yes
[print$]
   comment = For Printer share
   browseable = yes
[printers]
   comment = All Printers
   path = /tmp
   printable = yes
   browseable = yes
   printer admin = root, admuser
   create mask = 0600
   guest ok = Yes
   use client driver = Yes
[lj810002]
   path = /tmp
   printable = yes
   print command = /usr/bin/lp -d%p %s; /usr/bin/rm %s
[share1]
   path = /tmp
   valid users = %D\%U
   read only = Yes
[share2]
   path = /tmp
   read only = No
   comment = force user and force group can be set to a valid domain user and group.
   force user = localusr
   force group = localgrp
[tmp]
   path = /tmp
   read only = no
   browseable = yes
   writable = yes

Unified domain model

You can use the Unified Domain Deployment Model in environments with the following characteristics:

• A domain consisting of Windows 200x servers. The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for UNIX (SFU).

  NOTE: SFU Version 3.5 does not support the Windows NT4 Domain.

• Any number of HP CIFS Servers provide file and print services for any number of users.
• LDAP-UX Integration software is required on each HP CIFS member server.

The Unified Domain Model provides the following benefits:

• Support for Windows domain member single sign-on, network logon, and the Windows and UNIX account management system.
• Easy expansion capability.

Figure 9-9 shows the Unified Domain Deployment Model:

Figure 31 Unified domain (diagram: a Windows ADS DC with SFU serving Windows and UNIX users; an HP-UX client; one or more HP CIFS Member Servers)

The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and one or more HP CIFS member servers. To use the Windows 200x ADS server as a data repository that consolidates Windows and UNIX user accounts, you need to install the Services for UNIX (SFU) add-on package, which extends the Active Directory schema based on RFC 2307 to allow the integration of POSIX attributes. All user management is unified on the Windows 2000/2003 ADS Server; winbind is not required.

You must install and configure the LDAP-UX Integration software on your HP CIFS member server. The LDAP-UX Integration software lets the HP CIFS Server machine access UNIX user account data from the ADS Server. The "LDAP-UX Client Service with Microsoft Windows 2000 Active Directory Administrator's Guide" provides help for HP-UX ADS client configurations.
For more information on how to configure Unified Login, see Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2, available from the HP support site.

Unified domain components

HP CIFS acting as a Windows 200x ADS member server

The HP CIFS member server operating in a unified domain depends on the ADS being aided by Services For UNIX (SFU). SFU provides the required management of UNIX UID and GID to Windows SID mappings. SFU and its accompanying documentation are available for download from Microsoft. Because all user management is unified on the Windows 2000/2003 ADS server, winbind is not required and there are no ID consistency issues, regardless of the number of HP CIFS member servers. HP CIFS Server uses Kerberos security in a Windows Unified Domain setup. For more information on how to join an HP CIFS Server to a Windows 200x Domain using Kerberos security, see Windows 2003 and Windows 2008 domains (page 71).

Setting up the unified domain model

You need to set up and configure the following components to deploy a Unified Domain Model using Windows Services For UNIX (SFU):

• Windows 2000 or 2003 domain controller with Active Directory Service (ADS)
• LDAP-UX Integration software B or later on the HP CIFS member servers
• SFU 3.5 on the Windows 2000 or 2003 Domain Controller

Install, configure and join the HP CIFS Server to the SFU-enabled Windows 200x domain. See Windows 2003 and Windows 2008 domains (page 71) for details on configuring and joining the HP CIFS Server to the Windows domain.

Setting up LDAP-UX client services on an HP CIFS Server

In the Unified domain model, you integrate HP CIFS domain member servers with the Windows 200x ADS to centralize management of the user account databases. You must install the HP LDAP-UX integration software B or later and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts in the ADS directory. You also need to configure the /etc/krb5.conf file to authenticate users using Kerberos.
Installing and configuring LDAP-UX client services on an HP CIFS Server

The following summarizes the major steps you need to take to install and configure LDAP-UX Client Services. For detailed instructions on how to install and configure LDAP-UX Client Services to work with Windows 2000 ADS, refer to chapter 2, "Installing LDAP-UX Client Services", in the LDAP-UX Client Services with Microsoft Windows 2000 Active Directory Server Administrator's Guide.

1. Install LDAP-UX Client Services on each HP CIFS member server.
2. Migrate your supported name service data to the directory. Refer to the section "Importing Name Service Data into Your Directory" in the LDAP-UX Client Services with Microsoft Windows 2000 Active Directory Server Administrator's Guide.
3. Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:
   • Extends your Active Directory schema with the configuration profile schema, if not already done.
   • Creates a start-up file on the client. This enables each client to download the configuration profile.
   • Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.
   • Downloads the configuration profile from the directory to the client.
   • Starts the product daemon, ldapclientd.
4. Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to specify Kerberos authentication and the LDAP name service, respectively.

Configuring /etc/krb5.conf to authenticate using Kerberos

On your HP CIFS Server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the logging file names. The Kerberos client depends on this configuration to locate the realm's KDC. The following is an example /etc/krb5.conf which has the realm CIFSW2KSFU.ORG.HP.COM and the machine hosta.org.hp.com as the KDC:

[libdefaults]
   # Samba Domain
   default_realm = CIFSW2KSFU.ORG.HP.COM
   default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   ccache_type = 2
[realms]
   CIFSW2KSFU.ORG.HP.COM = {
      kdc = hosta.org.hp.com:88
      admin_server = hosta.org.hp.com
   }
[domain_realm]
   .org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/opt/KRB5lib.log

Installing SFU 3.5 on a Windows 2003 or 2008 R2 ADS Domain Controller

POSIX accounts have some attributes, such as user ID, login shell, and home directory, which are not used by Windows. To use Active Directory as a data repository for HP-UX users, you must install SFU Version 3.5 on a Windows 2003 domain controller. SFU is used to extend the Active Directory schema to include the POSIX schema.
For detailed installation instructions for SFU 3.5, refer to Chapter 2, "Installing LDAP-UX Client Services", in the LDAP-UX Client Services with Windows 2000 Active Directory Server Administrator's Guide. For more information on SFU, refer to the Microsoft web site.

NOTE: You need to install the LDAP-UX Client Services software on the HP CIFS member server before installing SFU on the Windows 2000 or 2003 domain controller.

An example of the Unified Domain Model

Figure 9-10 shows an example of the Unified Domain Model, which has the realm named HPCIFSW2KSFU.ORG.HP.COM, an ADS domain controller machine hpntcdn, an HP CIFS Server machine hostd acting as a member server, and a Windows NT machine acting as the WINS server.
Figure 32 An example of the Unified Domain (diagram: Windows ADS DC/SFU hpntcdn in realm CIFSW2KSFU.ORG.HP.COM serving Windows and UNIX users; a Windows NT WINS server; HP CIFS Member Server hostd)

A sample smb.conf file for an HP CIFS member server

The following is the sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hostd acting as an ADS member server in the sample Unified Domain Model shown in Figure 9-10:

######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
   # Domain Name
   workgroup = CIFSW2KSFU
   server string = CIFS Server as a domain member
   realm = CIFSW2KSFU.ORG.HP.COM
   security = ADS
   netbios name = hostd
   local master = no
   wins server =
   log file = /var/opt/samba/log.%m
   short preserve case = no
   dos filetime resolution = yes
   read only = no
#
[homes]
   comment = Home Directory
   browseable = No
#
[tmp]
   comment = temporary file space
   path = /tmp

A sample /etc/krb5.conf file

On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names. The following is a sample /etc/krb5.conf which has the realm CIFSW2KSFU.ORG.HP.COM and the machine hpntcdn.org.hp.com as the KDC:

# Kerberos Configuration
#
# This krb5.conf file is intended as an example only.
# See krb5.conf(4) for more details.
#
# Please verify that you have created the directory /var/log.
#
# Replace CIFSW2KSFU.ORG.HP.COM with your Kerberos realm.
# Replace hpntcdn.org.hp.com with your Windows ADS DC full
# domain name.
#
[libdefaults]
   # default_realm must be the realm defined under [realms] below
   default_realm = CIFSW2KSFU.ORG.HP.COM
   default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
   ccache_type = 2
[realms]
   CIFSW2KSFU.ORG.HP.COM = {
      kdc = hpntcdn.org.hp.com:88
      admin_server = hpntcdn.org.hp.com
   }
[domain_realm]
   .org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmin.log
   default = FILE:/var/log/krb5lib.log

NOTE: The :88 port suffix is required in the kdc field.

A sample /etc/nsswitch.conf file

In the Unified Domain Model, you must configure the /etc/nsswitch.conf file to specify the LDAP name service and the other name services you want to use. The following is the sample /etc/nsswitch.conf used in the sample Unified Domain Model shown in Figure 9-10:

# /etc/nsswitch.conf
#
# This sample file uses Lightweight Directory Access
# Protocol (LDAP) in conjunction with dns and files.
#
passwd: files ldap
group: files ldap
hosts: dns [NOTFOUND=return] files ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: files
netgroup: files ldap
automount: files
aliases: files
services: files ldap
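As an added example (not HP's code), the following Python script cross-checks a member server's smb.conf, krb5.conf and nsswitch.conf for the points the sample files in this chapter make: security = ADS must pair with a realm that krb5.conf defines under [realms] with the :88 suffix on the kdc, wins support and wins server are mutually exclusive, domain logons belongs on a PDC, a repeated key silently takes its last value, and winbind needs the winbind name service in nsswitch.conf. The sample inputs, including the 192.0.2.10 address, are constructed for the demonstration.

```python
"""Consistency checker for an HP CIFS domain member server's configuration.
Added example, not HP's code: it cross-checks smb.conf, krb5.conf and
nsswitch.conf for the slips the samples above illustrate. The inputs at the
bottom are constructed for this demonstration."""
import re
from collections import defaultdict


def parse_smb_conf(text):
    """Return {section: {key: [values...]}}. Keys are lower-cased with single
    spaces; repeated keys keep every value so duplicates can be reported.
    Only whole-line comments (# or ;) are skipped, as Samba itself does."""
    conf = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.split()).lower()].append(value.strip())
    return conf


def parse_krb5_conf(text):
    """Return {section: {key: value}}; a 'REALM = { ... }' block becomes a
    nested dict, e.g. conf["realms"]["X.COM"]["kdc"]."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
            conf[section] = {}
        elif line.endswith("{"):
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def check_member_server(smb_text, krb5_text, nsswitch_text):
    """Return a list of findings; an empty list means the trio is consistent."""
    g, krb5, findings = parse_smb_conf(smb_text)["global"], parse_krb5_conf(krb5_text), []

    def last(key):  # Samba honours the last occurrence of a repeated key
        return g[key][-1].lower() if key in g else ""

    for key, values in g.items():
        if len(values) > 1:
            findings.append("duplicate '%s' in [global]; Samba uses the last: %s" % (key, values[-1]))
    security = last("security")
    if security == "ads":
        realm = last("realm").upper()
        default_realm = krb5.get("libdefaults", {}).get("default_realm", "").upper()
        if realm != default_realm:
            findings.append("smb.conf realm %r does not match krb5.conf default_realm %r"
                            % (realm, default_realm))
        realm_block = krb5.get("realms", {}).get(default_realm)
        if realm_block is None:
            findings.append("krb5.conf [realms] has no entry for %r" % default_realm)
        elif not realm_block.get("kdc", "").endswith(":88"):
            findings.append("kdc for %s needs the :88 port suffix" % default_realm)
    if security in ("domain", "ads") and last("domain logons") == "yes":
        findings.append("'domain logons = yes' belongs on a PDC, not a member server")
    if last("wins support") == "yes" and last("wins server"):
        findings.append("'wins support = yes' and 'wins server' are mutually exclusive")
    if any(k.startswith(("winbind", "idmap")) for k in g):
        for db in ("passwd", "group"):
            m = re.search(r"^%s:\s*(.*)$" % db, nsswitch_text, re.M)
            if not m or "winbind" not in m.group(1).split():
                findings.append("winbind configured but nsswitch.conf %s line lacks winbind" % db)
    return findings


# Constructed inputs reproducing two slips seen in the samples above: a
# duplicated 'security' line, and a krb5.conf whose default_realm has no
# [realms] block (its kdc line also lacks the :88 suffix).
SMB_CONF = """\
[global]
   workgroup = CIFSW2KSFU
   realm = CIFSW2KSFU.ORG.HP.COM
   security = ADS
   security = ads
   wins server = 192.0.2.10
   wins support = yes
   log file = /var/opt/samba/log.%m
"""
KRB5_CONF = """\
[libdefaults]
   default_realm = HPCIFSW2KSFU.ORG.HP.COM
[realms]
   CIFSW2KSFU.ORG.HP.COM = {
      kdc = hpntcdn.org.hp.com
      admin_server = hpntcdn.org.hp.com
   }
"""
NSSWITCH_CONF = "passwd: files ldap\ngroup: files ldap\n"
```

Running check_member_server(SMB_CONF, KRB5_CONF, NSSWITCH_CONF) reports the duplicate security key, the realm mismatch, the missing [realms] entry and the wins conflict; with those corrected it returns an empty list.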
10 Securing HP CIFS Server

This chapter describes the network security methods that you can use to protect your HP CIFS Server. It includes the following sections:

• Security protection methods (page 136)
• Automatically receiving HP security bulletins (page 139)

Security protection methods

HP CIFS Server provides a flexible approach to network security and implements the protocols needed to support more secure Microsoft Windows file and print services. You can secure HP CIFS Server from connections that originate outside the local network by using host-based protection. You can also use interface-based exclusion, so that smbd binds only to specifically permitted interfaces. It is also possible to set specific share- or resource-based exclusions: for example, you can set a specific denial on the IPC$ share. You can also set access control entries (ACEs) in an access control list (ACL) on the shares to secure the HP CIFS Server.

Restricting network access

You can use host-based restrictions, interface-based protection, a firewall, or IPC$ share-based denials to restrict network access and secure your HP CIFS Server. This section describes how to configure and use these protection methods.

Using host restrictions

In many installations, the threat to server security comes from outside the immediate network. By default, the HP CIFS Server accepts connections from any host, so you might want to set the hosts allow and hosts deny options in the smb.conf configuration file to allow access to your server only from a specific range of hosts.

An example

The following configuration example allows SMB connections only from 'localhost' (your own computer) and from the two private networks listed. All other connections are refused as soon as the client sends its first packet. The refusal message is displayed as a "not listening on called name" error:

   hosts allow = / /24
   hosts deny = /0

Using interface protection

By default, the HP CIFS Server accepts connections on any network interface that it finds on your system. That means that if you have an ISDN line or a PPP connection to the Internet, the HP CIFS Server can accept connections on those links. You can use the interface configuration options to change this behavior.

Interface protection example

For example, you can change the interface behavior using options such as the following:

   interfaces = lan* lo0
   bind interfaces only = yes

In the above example, the HP CIFS Server listens for connections only on interfaces whose name starts with lan, such as lan0 and lan1, and on the loopback interface lo0. The interface name you need to use depends on which OS you are using. If you use a LAN interface and someone tries to make an SMB connection to your host over a PPP interface called 'ppp0', he or she gets a TCP connection refused reply.

Using a firewall

You can use a firewall to deny access to services that you do not want exposed outside your network. This can be a very good protection method, although the methods mentioned above can also be used in case the firewall is not active for some reason. When you set up a firewall, you need to know which TCP and UDP ports to allow. The HP CIFS Server uses the following ports:

   UDP/137 - used by nmbd
   UDP/138 - used by nmbd
   TCP/139 - used by smbd
   TCP/445 - used by smbd

Port 445 is important because many older firewall setups are not aware of it: this port was only added to the protocol in recent years.

Using an IPC$ share-based denial

You can also use a more specific deny on the IPC$ share. This allows you to offer access to other shares while denying access to the IPC$ share from potentially untrustworthy hosts. For example, you can configure an IPC$ share as follows:

   [ipc$]
      hosts allow = /
      hosts deny = /0

This configuration tells the HP CIFS Server that it cannot accept IPC$ connections from anywhere but the two places listed: the local host and a local subnet. Because the IPC$ share is the only share that is always accessible anonymously, this provides some protection against attackers who do not know a valid user name and password for your host. If you use this method, clients receive an access denied reply when they try to access the IPC$ share. This means that those clients cannot browse shares and might also be unable to access some other resources.

Protecting sensitive information

This section describes the security methods you can use to protect sensitive information.

Encrypting authentication

You must set the encrypt passwords parameter to yes in the smb.conf file to ensure that passwords are encrypted when they are transmitted across the network during authentication.
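As an added example (not HP's code), the following Python reproduces Samba's hosts allow / hosts deny precedence, including the per-share override used for IPC$ above, so a restriction can be tested before it is applied; the 127.0.0.1, 192.168.x.x and 203.0.113.9 addresses are constructed stand-ins for the ones the guide's example omits. It also covers a case the text does not spell out: when both lists are set and a client matches neither, Samba admits it, which is why a catch-all hosts deny belongs next to any hosts allow that is paired with a deny list.

```python
"""Evaluator for HP CIFS / Samba 'hosts allow' and 'hosts deny' decisions.
Added example, not HP's code: it reproduces Samba's list precedence so a
share's restrictions can be tested before they are applied. All addresses
used below are constructed stand-ins for the ones the guide omits."""
import ipaddress


def _matches(addr, patterns):
    """True if addr is covered by an entry of a hosts list. Handles bare
    addresses, a.b.c.d/bits, a.b.c.d/netmask and the ALL keyword; host names
    and the EXCEPT keyword are out of scope for this example."""
    for pattern in patterns:
        if pattern.upper() == "ALL":
            return True
        try:
            if addr in ipaddress.ip_network(pattern, strict=False):
                return True
        except ValueError:  # not an address or network; skipped here
            continue
    return False


def allowed(client, hosts_allow, hosts_deny):
    """Samba precedence: a hosts allow match admits; otherwise a hosts deny
    match refuses; a client on neither list is refused only when hosts allow
    is set and hosts deny is empty. Pairing hosts allow with a partial deny
    list therefore admits everyone else, which is why the guide's examples
    use a catch-all deny. 127.0.0.1 is exempt unless denied and not allowed."""
    addr = ipaddress.ip_address(client)
    in_allow, in_deny = _matches(addr, hosts_allow), _matches(addr, hosts_deny)
    if str(addr) == "127.0.0.1":
        return not (in_deny and not in_allow)
    if in_allow:
        return True
    if in_deny:
        return False
    return bool(hosts_deny) or not hosts_allow


def share_access(client, global_params, share_params=None):
    """Decide for one share: the share's own hosts allow/deny replace the
    [global] ones, because service parameters default to their global value."""
    params = dict(global_params)
    params.update(share_params or {})
    return allowed(client, params.get("hosts allow", []), params.get("hosts deny", []))


# Loopback plus two private networks globally, and a tighter list on IPC$.
GLOBAL = {"hosts allow": ["127.0.0.1", "192.168.2.0/24", "192.168.3.0/24"],
          "hosts deny": ["0.0.0.0/0"]}
IPC_SHARE = {"hosts allow": ["127.0.0.1", "192.168.2.0/255.255.255.0"],
             "hosts deny": ["0.0.0.0/0"]}


def decisions(client):
    """Return (ordinary share, IPC$ share) decisions for one client address."""
    return share_access(client, GLOBAL), share_access(client, GLOBAL, IPC_SHARE)


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.2.15", "192.168.3.7", "203.0.113.9"):
        print("%-13s share=%-5s IPC$=%s" % ((ip,) + decisions(ip)))
```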
The HP CIFS Server accepts the LM, NTLM and NTLMv2 authentication methods based on client settings. NTLMv2 is the most secure. To use NTLMv2 authentication, you need to configure the following client registry keys:

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
   "lmcompatibilitylevel"=dword:

The value of 0x means to send NTLMv2 responses only.

   [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
   "NtlmMinClientSec"=dword:

The value 0x means to permit only NTLMv2 session security. If either the NtlmMinClientSec or the NtlmMinServerSec option is set to 0x , the connection fails if NTLMv2 session security is not negotiated.

You can also use the Lightweight Directory Access Protocol (LDAP) for authentication. To prevent plain text password transfer with LDAP directories, you can configure Secure Socket Layer (SSL) on your systems and enable HP CIFS Server with SSL. For detailed information on how to enable SSL communication over LDAP, see LDAP integration support (page 81).

The HP CIFS Server accepts the highly secure Kerberos tickets for Windows 2000 Active Directory configurations.

Protecting sensitive configuration files

The default permissions for HP CIFS Server configuration files have been carefully selected to ensure security while providing appropriate accessibility. However, you also need to protect these configuration files from unauthorized access. Be especially careful if you decide to locate them in alternative directories. Table 6-1 lists commonly used configuration files and their default locations. There are also many smb.conf configuration parameters which permit alternate locations for these files, and many parameters that result in additional configuration files or scripts controlling run-time actions not mentioned here.

Table 17 Configuration files

   File                                 Description
   /etc/opt/samba/smb.conf              Master configuration file
   /var/opt/samba/log.*                 Log files
   /var/opt/samba/locks/*.tdb           Database files containing important internal run-time information
   /var/opt/samba/locks/*.dat           Data files containing system names and addresses
   /var/opt/samba/locks/*.pid           Master daemon process ID files used by the starting, stopping, and clustering scripts
   /var/opt/samba/private/*.tdb         Database files containing important internal run-time information
   /var/opt/samba/private/smbpasswd     Data file containing user name and password information
   /var/opt/samba/private/passdb.tdb    Data file containing user name and password information

You need to be aware that the smbpasswd -w command stores the LDAP administrator's user name and password in the /var/opt/samba/private/secrets.tdb file in plain text.

Using the %m name replacement macro with caution

The NetBIOS name of the remote client is substituted for the "%m" macro wherever it occurs in the smb.conf configuration file. The use of contrived NetBIOS names may result in Samba using a file path outside of the intended Samba directories. This can be used to cause Samba to append data to important system files, which in turn can be used to compromise security on the server. An immediate fix is to edit your smb.conf configuration file and remove all occurrences of the macro "%m". Depending on the requirements of each site, other smb.conf macros may be suitable replacements.

The log file option is the most vulnerable to this redefinition problem. The sample configuration file contains the path /var/opt/samba/log.%m. Using this default path does not create a vulnerability unless there happens to exist a subdirectory in /var/opt/samba which starts with the prefix "log.". If you choose to keep using the "%m" macro in the log file option, you should use the default value, /var/opt/samba/log.%m.
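As an added example (not HP's code), the following Python audits an smb.conf for %m in path-carrying options and applies the reasoning above: a %m that forms a whole path component is flagged, a %m bound to a prefix such as log. is flagged only when the directory already holds an entry with that prefix, and anything else is reported as acceptable. PATH_OPTIONS, the smb.conf fragment and the directory listing (including the /var/opt/samba/log.archive directory) are constructed for the demonstration.

```python
"""Audit of the %m macro in path-carrying smb.conf options.
Added example, not HP's code: it applies the reasoning above, i.e. %m is
tolerable only when bound to a fixed prefix (log.%m) in a directory that holds
no entries with that prefix. PATH_OPTIONS and the inputs are constructed."""
import posixpath

# Options that commonly carry a file-system path (this example's own list).
PATH_OPTIONS = ("log file", "path", "include", "lock directory", "pid directory")


def find_m_macro_uses(smb_conf_text):
    """Return (option, value) pairs for path options whose value uses %m."""
    uses = []
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = " ".join(key.split()).lower()
        if key in PATH_OPTIONS and "%m" in value:
            uses.append((key, value))
    return uses


def classify_template(template, existing_dirs):
    """Classify one path template, following the guide's reasoning:
    - 'risky' when %m forms a whole path component, so the client name alone
      chooses which directory is walked into;
    - 'risky' when %m is glued to a prefix but existing_dirs (directories
      present on the server) already holds an entry with that prefix;
    - 'acceptable' otherwise, because no existing directory can be entered."""
    if "%m" not in template:
        return "safe: no %m"
    directory, prefix = posixpath.split(template.split("%m", 1)[0])
    if not prefix:
        return "risky: %m is a whole path component under " + directory
    clashes = sorted(d for d in existing_dirs
                     if posixpath.dirname(d) == directory
                     and posixpath.basename(d).startswith(prefix))
    if clashes:
        return "risky: prefix %r is shared by %s" % (prefix, ", ".join(clashes))
    return "acceptable: %s/ holds no entry starting with %r" % (directory, prefix)


def audit(smb_conf_text, existing_dirs):
    """Return [(option, value, verdict), ...] for every %m use found."""
    return [(k, v, classify_template(v, existing_dirs))
            for k, v in find_m_macro_uses(smb_conf_text)]


# Constructed smb.conf fragment and directory listing for the demonstration.
SMB_CONF = """\
[global]
   log file = /var/opt/samba/log.%m
   include = /etc/opt/samba/smb.conf.%m
[scratch]
   path = /export/scratch/%m
"""
SERVER_DIRS = {"/var/opt/samba", "/var/opt/samba/locks", "/var/opt/samba/log.archive",
               "/etc/opt/samba", "/export/scratch"}

if __name__ == "__main__":
    for option, value, verdict in audit(SMB_CONF, SERVER_DIRS):
        print("%-9s %-36s %s" % (option, value, verdict))
```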
Restricting execute permission on stacks

A common method of breaking into a system is by maliciously overflowing buffers on a program's stack, such as by passing unusually long command line arguments to a privileged program that does not expect them. Malicious unprivileged users can use this technique to trick a privileged program into starting a superuser shell for them, or to perform similar unauthorized actions. One effective way to reduce the risk from this type of attack is to remove the execute permission from the program's stack pages. This improves system security without impacting performance and has no negative effects on the majority of legitimate applications. The HP CIFS Server does not require execution on the stack. While the HP CIFS Server attempts to prevent buffer overflow possibilities, you can set the HP-UX kernel tunable parameter executable_stack to disallow stack execution and provide an additional layer of protection from malicious attacks. For details, refer to the chatr man page.

Restricting user access

In addition to authentication services, the HP CIFS Server provides the configuration parameters valid users and invalid users in the smb.conf file, which you can use to further restrict access to your CIFS server. You can configure the admin users parameter to provide administration capabilities only to the users listed with this parameter, to restrict its use. For example, you can configure the valid users option in the smb.conf file as follows:

   [global]
      valid users = jack, @smbusers

This restricts all server access to the user jack and to members of the system group smbusers.

Automatically receiving HP security bulletins

You can subscribe to automatically receive future HP Security Bulletins or other technical digests from the HP IT Resource Center (ITRC) via electronic mail. Use the following steps to register for and subscribe to HP Security Bulletins:

1. Use your browser to go to the HP IT Resource Center web site.
2. Use your existing login, or use the Register button to create a login for gaining access to many areas of the ITRC. Remember to save your user ID and password.
3. Choose the Support Information Digests option under the Notification section (near the bottom of the page).
4. To subscribe to future HP Security Bulletins or other technical digests, click the check box for the appropriate digest and then click the Update Subscriptions button. To review bulletins already released, choose the link for the appropriate digest. You can find your ITRC account security bulletins on the ITRC web site.
5. To gain access to the Security Patch Matrix, choose the link for "The Security Bulletins Archive". In the archive, the third link is to the current Security Patch Matrix. This matrix categorizes security patches by platform/OS release and by bulletin topic.

The Security Patch Check tool completely automates the process of reviewing the patch matrix for the v2 system. The Security Patch Check tool can verify that a security bulletin has been implemented on the v2 system, provided that the fix is completely implemented in a patch with no manual actions required. The Security Patch Check tool cannot verify fixes implemented using a product upgrade. For detailed information on the Security Patch Check tool, refer to the HP web site. The security patch matrix is also available via the anonymous ftp site at: ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

Reporting new security vulnerabilities

You can report new security vulnerabilities by sending an e-mail to [email protected]. You need to encrypt any exploit information by using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to [email protected].
11 Configuring HA HP CIFS

Overview of HA HP CIFS Server

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers. You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.

The HA HP CIFS Server provides customizable configuration, control and monitor scripts. These scripts, as well as the README file, are in the /opt/samba/ha directory. They are sample scripts for you to customize for your environment. The README file and the files in /opt/samba/ha apply to an active-standby or active-active HA configuration.

Recommended clients

The recommended clients for the HA HP CIFS Server are Windows 2003, Windows 2008, Windows XP SP1 and Windows XP SP2, Windows Vista, Windows Terminal Server (NT4) and HP CIFS Client. Older clients, such as DOS/Windows 3.1 LM 2.2C and Windows for Workgroups, may not respond well to the HP CIFS Server stopping and to network connections terminating, as occurs during an HA HP CIFS Server switchover. Review the "Special Notes for HA HP CIFS Server" section later in this chapter for usage considerations.

Installing highly available HP CIFS Server

HA HP CIFS Servers must be installed and configured on all cluster nodes in the configuration. All cluster nodes may (but are not required to) act as "primary" nodes and, at the same time, as "alternate" nodes for others. If there is no failover, each cluster node runs one of the packages. If a failover occurs, a cluster node picks up the failed package in addition to its original package.

Before creating a Highly Available HP CIFS Server package, you must set up your MC/ServiceGuard cluster according to the instructions in the Managing MC/ServiceGuard manual. To do so, perform the following:

1. Following the instructions, configure the disk hardware for high availability.

2. Use SAM or LVM commands, or VxVM commands, to set up the volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.

HA HP CIFS Server installation

1. Install HP CIFS Server using SD on all cluster nodes. If HP CIFS Server is already installed and configured on either node, simply stop it with the /opt/samba/bin/stopsmb command and skip to step 2.

2. On the first node: Run the script /opt/samba/bin/samba_setup to configure the Samba server. Enter the server name and domain/workgroup name for the HA HP CIFS Server.

3. On the secondary nodes: Run the script /opt/samba/bin/samba_setup to configure the second node. You will need to specify the same domain/workgroup name specified on the first node. Do not use the same server name.
4. For any UNIX users used to authenticate CIFS clients, check that they have the same name, user ID number, primary group and password on both of the nodes. This is required for any users used to authenticate to either Samba server in the Active-Active configuration. That is, any user name used on both Samba servers must have the same user ID, primary group ID, and password on both cluster nodes. If this is not the case, you cannot use Samba as an Active-Active server for this MC/ServiceGuard cluster.

5. Check that the RUN_SAMBA and RUN_WINBIND parameters in the /etc/rc.config.d/samba file are set to 0 on both nodes.

Configure a highly available HP CIFS Server

Introduction

Before configuring the MC/ServiceGuard packages, it is important to understand how HP CIFS Server is able to support active-active configurations. The HP CIFS Server permits multiple instances of its NetBIOS and SMB master daemons. Each CIFS Server has its own smb.conf file to define its behavior. The NetBIOS name and IP address that the client connects to is used to decide which smb.conf file is used for the connection. This multiple CIFS master daemon configuration allows HP CIFS to run multiple MC/ServiceGuard packages simultaneously.

When a failover occurs, MC/ServiceGuard transfers the IP address from the failing cluster node to another node. When MC/ServiceGuard moves the package from the failing cluster node to the other node, it activates the appropriate CIFS Server on a remaining node. With the IP address switched, all the traffic that was going to the failed node now goes to the other active node. The key is to have a CIFS Server configured to look and act just like the CIFS Server that was running on the original node.

Load balancing between systems while all systems are up can be achieved by having the CIFS shares accessible only through certain CIFS Server names (NetBIOS names). Keep this in mind when you associate the CIFS shares and directories with logical volumes during server configuration.

Note that each cluster node needs to know all the UNIX users that connect to the Samba servers (packages). This means that the /etc/passwd file may need to be updated. For NIS installations, you can generate new maps using the ypmake or similar tool if there are new passwd or group files. For LDAP installations, you may generate LDAP data for new accounts using the migration tools provided by the LDAP-UX Integration product. These tools are found in /opt/ldapux/migrate and documented in the LDAP-UX Client Services Administrator's Guide available at

Instructions

The following instructions are for one of the MC/ServiceGuard packages. You will have to go through these steps for each CIFS server package (one for each node). You will then need to copy all the files to all nodes in your cluster. When complete, each HP-UX system will have a package using the unique name for each node in the cluster, though only the package corresponding to itself will be active until a failover occurs.

For example, if you have a three node cluster, you will have three packages on each of the three HP-UX systems. There will be three cluster directories:

1. /etc/cmcluster/samba/pkg1
2. /etc/cmcluster/samba/pkg2
3. /etc/cmcluster/samba/pkg3

There will be three configuration files:
1. /etc/opt/samba/smb.conf.pkg1
2. /etc/opt/samba/smb.conf.pkg2
3. /etc/opt/samba/smb.conf.pkg3

There will be three directories:

1. /var/opt/samba/pkg1
2. /var/opt/samba/pkg2
3. /var/opt/samba/pkg3

...where the locks and log files will reside.

With most configurations, it will be easier to set up and maintain the dynamic security and data files on shared disks. Therefore, you may want to create the /var/opt/samba/<package name> paths used in the example on shared disks.

Complete the following for each CIFS package of your MC/ServiceGuard cluster:

1. Create the following directories:

       /var/opt/samba/<package name>
       /var/opt/samba/<package name>/locks
       /var/opt/samba/<package name>/logs
       /var/opt/samba/<package name>/private

   where <package name> is the name of the cluster package for your CIFS server. For example:

       mkdir /var/opt/samba/pkg1
       mkdir /var/opt/samba/pkg1/locks
       mkdir /var/opt/samba/pkg1/logs
       mkdir /var/opt/samba/pkg1/private

   This step is IMPORTANT because these paths are referenced by the MC/ServiceGuard cluster scripts, samba.cntl and samba.mon.

2. Create a file /etc/opt/samba/smb.conf.<package> (for example, /etc/opt/samba/smb.conf.pkg1) with the following lines:

       [global]
       workgroup = ha_domain
       netbios name = ha_server1
       interfaces = XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx
       bind interfaces only = yes
       # Make sure there are no directories named starting
       # with "log." if you plan to use "%m" this way
       log file = /var/opt/samba/pkg1/logs/log.%m
       lock directory = /var/opt/samba/pkg1/locks
       pid directory = /var/opt/samba/pkg1/locks
       smb passwd file = /var/opt/samba/pkg1/private/smbpasswd

   Replace the "XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx" with one relocatable IP address and subnet mask for the MC/ServiceGuard package.

   If /opt/samba/bin/samba_setup was run during installation as suggested:

   - Take the workgroup line from the /etc/opt/samba/smb.conf file.
   - Add in the rest of your desired configuration items.
   - Take the NetBIOS name line from the same file, or, if there is no NetBIOS name line, put in the UNIX host name for the server on the NetBIOS name line.
   - Consider load balancing when creating the share paths.
   - Consider whether you need to locate your smbpasswd and private files on a shared volume, etc. You may want to review "Special Notes for HA HP CIFS Server", found at the end of this chapter, now.
   - If you run the SWAT or smbpasswd utilities, keep in mind that they will be operating on smb.conf, not on your smb.conf.<package name> configuration. You may want to copy smb.conf.<package name> to smb.conf for this reason.
   - Domain security configurations require 'net join' to run in order to join the domain. Since this command updates the secrets.tdb file, you should perform this step after smb.conf has been updated with the correct (possibly shared logical volume) path to the private directory (configured with "smb passwd file" in smb.conf).
   - Make sure that the file name is in all lowercase letters (e.g. /etc/opt/samba/smb.conf.pkg1, NOT /etc/opt/samba/smb.conf.PKG1). If capital letters are used in the file name, failover will not work properly.

3. Move all relevant data to the HP CIFS Server package shared volume. Relevant data, consisting of all directories and files which will be accessed using HP CIFS Server, should reside on shared volumes. This data includes any shares created by the user. For example, if the HP CIFS Server administrator creates a TEST=c:/tmp/test share, then all the data from /tmp/test should reside on a shared logical volume.

   Below is an example of copying data from the required HP CIFS Server directories to the logical volumes in the volume group vg01. The same can be done for pkg2.

       mkdir /tmp/share1 /tmp/share2
       mount /dev/vg01/lvol1 /tmp/share1
       mount /dev/vg01/lvol2 /tmp/share2
       cp -r /your/data1/* /tmp/share1
       cp -r /your/data2/* /tmp/share2
       umount /tmp/share1
       umount /tmp/share2
       rm -rf /tmp/share1 /tmp/share2

4. Create a directory for the HP CIFS Server cluster package:

       mkdir /etc/cmcluster/samba/pkg1

5. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/ha to /etc/cmcluster/samba/pkg1 (or /etc/cmcluster/samba/pkg2) on the primary node. Make all scripts writeable.

       cp /opt/samba/ha/samba.* /etc/cmcluster/samba/pkg1
       chmod 666 samba.conf samba.cntl samba.mon

6. Customize the sample scripts for your MC/ServiceGuard configuration. A sample customization of the HA HP CIFS Server package configuration, control and monitor scripts is shown below.

7. Ensure that the control (samba.cntl) and monitor (samba.mon) scripts are executable.

       chmod 750 samba.cntl samba.mon

Edit the package configuration file samba.conf

To configure the samba.conf configuration file, complete the following tasks:

1. Set the PACKAGE_NAME variable.

       PACKAGE_NAME pkg1

   or

       PACKAGE_NAME pkg2
   ...depending on which package you are currently working on.

2. Create a NODE_NAME variable for each node that will run the package. The first NODE_NAME should specify the primary node. All other NODE_NAME variables should specify the alternate nodes in the order in which they will be tried.

       NODE_NAME ha_server1
       NODE_NAME ha_server2

   ...for pkg1, and

       NODE_NAME ha_server2
       NODE_NAME ha_server1

   ...for pkg2, etc.

3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.

       RUN_SCRIPT /etc/cmcluster/samba/pkg1/samba.cntl
       RUN_SCRIPT_TIMEOUT NO_TIMEOUT
       HALT_SCRIPT /etc/cmcluster/samba/pkg1/samba.cntl
       HALT_SCRIPT_TIMEOUT NO_TIMEOUT

   ...for pkg1, and

       RUN_SCRIPT /etc/cmcluster/samba/pkg2/samba.cntl
       RUN_SCRIPT_TIMEOUT NO_TIMEOUT
       HALT_SCRIPT /etc/cmcluster/samba/pkg2/samba.cntl
       HALT_SCRIPT_TIMEOUT NO_TIMEOUT

   ...for pkg2, etc.

4. Set the SERVICE_NAME variable (samba_mon1 for pkg1, samba_mon2 for pkg2, and so on).

       SERVICE_NAME samba_mon1
       SERVICE_FAIL_FAST_ENABLED NO
       SERVICE_HALT_TIMEOUT

   ...for pkg1, and

       SERVICE_NAME samba_mon2
       SERVICE_FAIL_FAST_ENABLED NO
       SERVICE_HALT_TIMEOUT

   ...for pkg2, etc.

5. Set the SUBNET variable to the subnet that will be monitored for the package, as in the following example:

       SUBNET

Edit the samba.cntl control script

To configure the samba.cntl control script file, you must complete the following tasks:

1. Create a volume group of either LVM volume groups or VxVM volume groups for the HP CIFS Server directories. For example,

       VG[0]=/dev/vg01       # for LVM volume group
       DG[0]=/dev/vx/dg01    # for VxVM volume group

   ...for pkg1, and

       VG[0]=/dev/vg02       # for LVM volume group
       DG[0]=/dev/vx/dg02    # for VxVM volume group

   ...for pkg2, etc.

2. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server. Use the same index for all six variables of one file system (LV[1] goes with FS[1], FS_MOUNT_OPT[1], and so on). For example, for pkg1:

       # for LVM volume group
       LV[0]=/dev/vg01/lvol1; FS[0]=/your/data1; FS_MOUNT_OPT[0]="-o rw"
       FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
       LV[1]=/dev/vg01/lvol2; FS[1]=/your/data2; FS_MOUNT_OPT[1]="-o rw"
       FS_UMOUNT_OPT[1]=""; FS_FSCK_OPT[1]=""; FS_TYPE[1]="vxfs"

       # for VxVM volume group
       LV[0]=/dev/vx/dg01/lvol1; FS[0]=/your/data1; FS_MOUNT_OPT[0]="-o rw"
       FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
       LV[1]=/dev/vx/dg01/lvol2; FS[1]=/your/data2; FS_MOUNT_OPT[1]="-o rw"
       FS_UMOUNT_OPT[1]=""; FS_FSCK_OPT[1]=""; FS_TYPE[1]="vxfs"

   For pkg2:

       # for LVM volume group
       LV[0]=/dev/vg02/lvol1; FS[0]=/halvm/2a; FS_MOUNT_OPT[0]="-o rw"
       FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
       LV[1]=/dev/vg02/lvol2; FS[1]=/halvm/2b; FS_MOUNT_OPT[1]="-o rw"
       FS_UMOUNT_OPT[1]=""; FS_FSCK_OPT[1]=""; FS_TYPE[1]="vxfs"

       # for VxVM volume group
       LV[0]=/dev/vx/dg02/lvol1; FS[0]=/your/data3; FS_MOUNT_OPT[0]="-o rw"
       FS_UMOUNT_OPT[0]=""; FS_FSCK_OPT[0]=""; FS_TYPE[0]="vxfs"
       LV[1]=/dev/vx/dg02/lvol2; FS[1]=/your/data4; FS_MOUNT_OPT[1]="-o rw"
       FS_UMOUNT_OPT[1]=""; FS_FSCK_OPT[1]=""; FS_TYPE[1]="vxfs"

3. Specify the relocatable IP address and the address of the subnet to which the IP address belongs:

       IP[0]=
       SUBNET[0]=

   ...for pkg1, and

       IP[0]=
       SUBNET[0]=

   ...for pkg2, etc.
4. If you want to use the HP CIFS Server monitor script, set the SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.

       SERVICE_NAME[0]=samba_mon1
       SERVICE_CMD[0]=/etc/cmcluster/samba/pkg1/samba.mon

   ...for pkg1, and

       SERVICE_NAME[0]=samba_mon2
       SERVICE_CMD[0]=/etc/cmcluster/samba/pkg2/samba.mon

   ...for pkg2.

5. If you have an smb.conf file which makes use of winbind, you need to uncomment the winbind lines for winbind support in the cluster.

Edit the samba.mon monitor script

To configure the samba.mon monitor script file, you must complete the following tasks:

1. Use the following template provided with samba.mon. For pkg1:

       CONF_FILE=/etc/opt/samba/smb.conf.pkg1
       LOG_FILE=/var/opt/samba/pkg1/logs
       SMBD_PID_FILE=/var/opt/samba/pkg1/locks/smbd.pid
       NMBD_PID_FILE=/var/opt/samba/pkg1/locks/nmbd.pid
       #WINBIND_PID_FILE=/var/opt/samba/pkg1/locks/winbindd.pid

   For pkg2:

       CONF_FILE=/etc/opt/samba/smb.conf.pkg2
       LOG_FILE=/var/opt/samba/pkg2/logs
       SMBD_PID_FILE=/var/opt/samba/pkg2/locks/smbd.pid
       NMBD_PID_FILE=/var/opt/samba/pkg2/locks/nmbd.pid
       #WINBIND_PID_FILE=/var/opt/samba/pkg2/locks/winbindd.pid

   NOTE: If you have an smb.conf file which makes use of winbind, you need to uncomment the winbind lines for winbind support.

Create the MC/ServiceGuard binary configuration file

NOTE: In the following example, the cluster configuration file will be assigned the name /etc/cmcluster/cluster.conf and the HA HP CIFS Server package configuration file will be assigned the name /etc/cmcluster/samba/pkg1/samba.conf. The actual cluster and HA HP CIFS Server package configuration file names on your system may be different.

1. On the alternate nodes, create a cluster package directory:

       mkdir /etc/cmcluster/samba/pkg1

   or pkg2, pkg3 ... n. Copy the package scripts from the primary node:

       rcp -r primary_node:/etc/cmcluster/samba/* \
           alternate_node:/etc/cmcluster/samba

2. Use the cmquerycl command to create a cluster configuration file for the CIFS server:

       cmquerycl -v -C clucifs.conf -n primary_node -n alternate_node
3. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MC/ServiceGuard cluster configuration file (clucifs.conf) through MC/ServiceGuard procedures.

       cmcheckconf -C /etc/cmcluster/clucifs.conf \
           -P /etc/cmcluster/samba/pkg1/samba.conf \
           -P /etc/cmcluster/samba/pkg2/samba.conf

4. Activate the shared volume for cluster locks.

       vgchange -a y /dev/vglock

5. Use the cmapplyconf command to copy the binary configuration file to all the nodes in the cluster.

       cmapplyconf -v -C /etc/cmcluster/clucifs.conf \
           -P /etc/cmcluster/samba/pkg1/samba.conf \
           -P /etc/cmcluster/samba/pkg2/samba.conf

   This command distributes the updated cluster binary configuration file to all of the nodes of the cluster.

You are ready to start the HA HP CIFS Server packages. The configuration of the HA HP CIFS Server is now complete.

Special notes for HA HP CIFS Server

There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below.

Client Applications

HA HP CIFS Server cannot guarantee that client applications with open files on an HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover. In these instances there may be cases where the application will need to be restarted and the files reopened, because a switchover is a logical shutdown and restart of the HP CIFS Server.

File Locks

File locks are not preserved during failover. File locks are lost and applications are not advised of any lost file locks.

Print Jobs

If a failover occurs when a print job is in process, the job may be printed twice or not at all, depending on the job state at the time of the failover.

Symbolic Links

If you have your Samba server configured with follow symlinks set to yes and wide links set to yes, the defaults for these parameters, you should be cautious. Symbolic links in the shared directory trees may point to files outside any shared directory. If the symbolic links point to files that are not in logical shared volumes, then, after a failover occurs, the symbolic link may point to a different file or to no file. Keeping the targets of all shared symbolic links synchronized across all MC/ServiceGuard nodes at all times could be difficult in this situation. Easier options would be to set wide links to no or to be sure that every file or directory that you point to is on a logical shared volume.
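The function below is an added example, not part of HP CIFS Server or the sample scripts in /opt/samba/ha. It lists the symbolic links under a share root whose targets lie outside both the share tree and the shared logical volumes you name: these are the links that wide links = yes lets a client follow, and whose targets are the ones that can change or disappear after a failover. The function name, the share paths in the usage comment and the scratch tree are assumptions; it also assumes a readlink that supports -f (GNU coreutils; HP-UX itself does not ship readlink(1), so substitute an equivalent there).

```shell
#!/bin/sh
# Added example (not from the HP CIFS Server product): report symbolic links under a
# share root that resolve outside the share and outside the listed shared volumes.
# Assumes "readlink -f" (GNU coreutils).

# find_unsafe_links SHARE_ROOT [SHARED_VOLUME_MOUNT ...]
# Prints "link -> target" for every offending link. Mount points containing spaces
# are not supported. Returns 0 whether or not links were found, 2 on a bad root.
find_unsafe_links() {
    root=$(cd -P "$1" && pwd) || return 2
    shift
    safe=$root
    for m in "$@"; do                    # canonicalise the shared mount points too
        safe="$safe $(cd -P "$m" 2>/dev/null && pwd)"
    done
    find "$root" -type l | while read -r link; do
        # readlink -f fails only when an intermediate directory of the target is gone
        if ! target=$(readlink -f -- "$link" 2>/dev/null); then
            printf '%s -> (dangling)\n' "$link"
            continue
        fi
        inside=0
        for prefix in $safe; do          # inside the share tree or a shared volume?
            case "$target" in "$prefix"/*) inside=1 ;; esac
        done
        if [ "$inside" -eq 0 ]; then
            printf '%s -> %s\n' "$link" "$target"
        fi
    done
}

# Usage on a node (assumed paths): find_unsafe_links /your/data1 /your/data2
if [ $# -gt 0 ]; then
    find_unsafe_links "$@"
fi
```

Run it against each share path with the package's shared volumes as the remaining arguments; an empty result means every link either stays inside the share tree or lands on a volume that moves with the package, which is the second of the two remedies given above.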
Security Files

An important security file is secrets.tdb. Machine account information is among the important contents of this file. Since this file will be updated periodically (as defined in smb.conf by machine password timeout, seconds by default), HP recommends that you locate secrets.tdb on a shared logical volume. The location of the secrets.tdb file is defined by the smb.conf parameter private dir. For example,

    private dir = /var/opt/samba/shared_vol_1/private

will result in the file /var/opt/samba/shared_vol_1/private/secrets.tdb.

User authentication is also dependent on several entries in different security files. Other important security files are the user password files, smbpasswd and passdb.tdb. If you have your Samba server configured with "passdb backend = smbpasswd", for example, then you have an smbpasswd file. By default, this file is located in the path /var/opt/samba/private, but the passdb backend parameter can be in two parts, the backend name and a location string that has meaning only to that particular backend. For example,

    passdb backend = tdbsam:/var/opt/samba/private/path1/passdb.tdb, smbpasswd:/var/opt/samba/private/path2/smbpasswd

will result in the files /var/opt/samba/private/path1/passdb.tdb and /var/opt/samba/private/path2/smbpasswd.

For both the machine account file and the user password file, HP recommends that you store the files in a common and secure directory on a shared logical volume.

Username Mapping File

If you configure your Samba server to use a username mapping file, HP recommends that you configure it to be located on a shared logical volume. This way, if changes are made, all the nodes will always be up-to-date. The username mapping file location is defined in smb.conf by the parameter username map, e.g.

    username map = /var/opt/samba/shared_vol_1/username.map

There is no username map file by default.

Winbind Configurations

Uncomment the winbind lines in samba.mon and samba.cntl as previously described. Winbind makes use of several files (winbindd.pid, winbindd_cache.tdb, winbindd_idmap.tdb, and the directory winbindd_privileged) in the /var/opt/samba/locks directory. You may want to put the entire /var/opt/samba/locks directory on a logical shared volume, but the locking data may not be correctly interpreted after a failover. You may want to add a line to your startup script to remove the locking data file .../locks/locking.tdb.

Samba as a WINS Server

If you configure your Samba server to be a WINS server by setting the wins support parameter to yes, it will store the WINS database in the file /var/opt/samba/locks/wins.dat. If this file is not on a logical shared volume, then when a failover occurs there will be a short period of time during which all the WINS clients update the Samba WINS server with their addresses. If this short period of time to restore the WINS database is not acceptable, you can reduce the time to restore the full WINS service: configure /var/opt/samba/locks/wins.dat to be a symbolic link to a WINS.DAT file on a logical shared volume. HP does not recommend putting the entire /var/opt/samba/locks directory on a logical shared volume, because the locking data may not be correctly interpreted after a failover.
Samba as a Master Browser

If you configure your Samba server to be the domain master browser by setting domain master to yes, it will store the browsing database in the /var/opt/samba/locks/browse.tdb file. HP does not recommend doing this in an HA configuration. If you do so, you will probably want to configure /var/opt/samba/locks/browse.tdb as a symbolic link to a BROWSE.DAT file on a logical shared volume. HP does not recommend putting the entire /var/opt/samba/locks directory on a logical shared volume, because the locking data may not be correctly interpreted after a failover. You may want to add a line to your startup script to remove the locking data file .../locks/locking.tdb.

Automatic Printer Sharing

If you configure your Samba server with a [printers] share to automatically share all the printers on your HP-UX system, then you will need to be certain that all your MC/ServiceGuard nodes have the same HP-UX printers defined. Otherwise, when a failover occurs, the list of shared printers for the Samba server will change, resulting in problems on clients using those printers.

Samba's LMHOSTS File

If you wish to use an LMHOSTS file to store the static addresses for certain NetBIOS names, HP recommends that you put the LMHOSTS file on a logical shared volume so that all the nodes can share it. To do this you will need to specify a different path for the LMHOSTS file using the -H option when invoking nmbd. You will need to edit the MC/ServiceGuard scripts to add the -H option in the places where nmbd is invoked directly. You will also need to edit the /opt/samba/bin/startsmb script to add the -H option in the places where nmbd is started.

Utilities

In the MC/SG cluster environment, some utilities need to specify the location of the smb.conf file for the package. For example:

    smbpasswd -c /etc/opt/samba/pkg1/smb.conf.pkg1 -a username
    smbclient -s /etc/opt/samba/pkg1/smb.conf.pkg1 //ha_server1/lvm1a -c ls
    testparm -s /etc/opt/samba/pkg1/smb.conf.pkg1
    smbstatus -s /etc/opt/samba/pkg1/smb.conf.pkg1

Network File System (NFS) and Veritas Cluster File System (CFS)

NFS and Veritas CFS permit concurrent file access from multiple nodes. Since most file locking mechanisms do not span multiple systems, you should use extra caution when configuring CIFS Server in an NFS or a CFS environment. See Chapter 2, section "Special Concerns when Using HP CIFS Server with a Network File System (NFS) or a Clustered File System (CFS)". Caution should be used when using NFS or CFS to share the locks and private directory files: only one CIFS instance should be active at any given time. CIFS may prevent multiple instances from starting if they share the CIFS configured PID files.

Using NFS to Share the Locks and Private Directory Files

If NFS is used to share the locks and private directory files among multiple nodes as single instances, the following procedures may help to prevent configuration errors. The NFS server must permit access by the 'root' user to the CIFS directories.

For the NFS example, execute the following commands on the NFS server:

    mkdir -p -m 777 /exported
    mkdir -p -m 755 /exported/locks
    mkdir -p -m 700 /exported/private
    mkdir -p -m 777 /exported/data
    vi /etc/exports
        /exported -anon=root root=host:nfsclient1:nfsclient2

Run the following command to export all directories listed in /etc/exports to NFS clients:

    exportfs -a

Execute the following commands on an NFS client:

    vi /etc/fstab
        nfsserver:/exported /mnt/nfsserver nfs defaults 0 0
    mkdir -p /mnt/nfsserver
    mount /mnt/nfsserver

An example smb.conf is as follows:

    [Global]
    security = user
    lock directory = /mnt/nfsserver/locks
    pid directory = /mnt/nfsserver/locks
    private directory = /mnt/nfsserver/private
    smb passwd file = /mnt/nfsserver/private/smbpasswd

    [nfs]
    path = /mnt/nfsserver/data
    browseable = yes
    read only = no

For the CFS example:

Run the following command on the CFS master node to start the HA cluster:

    cmruncl -v

On both nodes:

    Run /opt/vrts/bin/vxinstall
    Run the cfscluster config command to configure the multinode package
    Run the cfscluster start command to start the CVM package
    Run the cfscluster status command to see the status and the master node

On the CFS master node:

    /etc/vx/bin/vxdisksetup -i <disk name>
    Example: /etc/vx/bin/vxdisksetup -i c4t2d3

Create a disk group: vxdg -s init <diskgroup name> <disk name>

    Example: vxdg -s init dgha c4t2d3

See the disk group created: vxdg list

Add the disk group to the cluster: cfsdgadm add <diskgroup name> all=sw

    Example: cfsdgadm add dgha all=sw

Activate the disk group: cfsdgadm activate <diskgroup name>

    Example: cfsdgadm activate dgha

Create a volume: vxassist -g <diskgroup name> make <volume name> <size in MB>

    Example:
    vxassist -g dgha make lvol1 1024M
    vxassist -g dgha make lvol2 2048M
    newfs -F vxfs /dev/vx/rdsk/dgha/lvol1
    newfs -F vxfs /dev/vx/rdsk/dgha/lvol2

Add the volume: cfsmntadm add <diskgroup name> <volume> <mount point> all=rw

    Example:
    cfsmntadm add dgha lvol1 /cfs1 all=rw
    cfsmntadm add dgha lvol2 /cfs2 all=rw

Mount the CFS mount points: cfsmount <mount point>

    cfsmount /cfs1 /cfs2

If the CIFS Server binaries are moved, note that CIFS Server depends on libraries, including /opt/samba/lib. Do the following:

- Use chatr (see man chatr) to move libraries.
- Copy the binaries to /cfs1/opt/samba/bin, for example.
- Define "CIFS_BIN" in the samba.cntl and samba.mon SG script files.
- Copy smb.conf to /cfs1/etc/opt/samba/smb.conf and define "CONF_FILE" in the SG script files.
- Define "LOG_DIR", "SMBD_PID_FILE", and "NMBD_PID_FILE" in the SG script files.

The smb.conf file can be:

    [global]
    security = user
    lock directory = /cfs1/var/opt/samba/locks
    pid directory = /cfs1/var/opt/samba/locks
    private directory = /cfs1/var/opt/samba/private
    smb passwd file = /cfs1/var/opt/samba/private/smbpasswd
    ...
    [cfs2]
    path = /cfs2/data
    browseable = yes
    read only = no

Any CFS mount points used should be declared as dependencies in the samba.conf file, to ensure that the resource is available before the package is started and to monitor the resource's availability. See the following example from samba.conf:

    # For /cfs1 dependency
    DEPENDENCY_NAME        SG-CFS-MP-1
    DEPENDENCY_CONDITION   SG-CFS-MP-1=UP
    DEPENDENCY_LOCATION    SAME_NODE
    # For /cfs2 dependency
    DEPENDENCY_NAME        SG-CFS-MP-2
    DEPENDENCY_CONDITION   SG-CFS-MP-2=UP
    DEPENDENCY_LOCATION    SAME_NODE
12 HP-UX configuration for HP CIFS

This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections:

- HP CIFS Process Model
- TDB Memory Map for HP CIFS Server
- Overview of Kernel Configuration Parameters
- Configuring Kernel Parameters for HP CIFS

The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of an HP CIFS server running on HP-UX 11i v3. Each customer configuration is unique, and on-line tools should be used while the system is running its normal load to ascertain the requirements of each system.

HP CIFS process model

The SMB daemon process, smbd, handles all SMB requests from a client. One such process is launched for each connected client. Each smbd process handles one and only one client. Therefore, if there are 2048 connected clients, there will be 2048 smbd processes. Such a large number of processes will demand system resources, requiring adjustment of certain kernel configuration parameters. It will also deplete memory, disc and swap space resources.

TDB memory-mapped access for HP CIFS Server

Fixed size memory map support on HP-UX 11i v2 PA and HP-UX 11i v3 PA systems

HP CIFS Server A on HP-UX 11i v3 PA systems and HP CIFS Server A on HP-UX 11i v2 and HP-UX 11i v3 PA systems support the fixed size memory map for memory-mapped access of the locking.tdb file. HP CIFS Server can access the Trivial DataBase (TDB) files using memory-mapped access with a pre-determined size that is sufficient to accommodate the growth of the TDB files, so that the risk of data corruption due to expanding and remapping the memory-mapped files is avoided. To balance performance against address space utilization, the fixed size memory map feature is supported only on locking.tdb. The smb.conf use mmap parameter controls whether or not the memory map feature is enabled. The fixed mmap size parameter is used to configure the fixed memory size if the memory map feature is enabled. See the Configuration parameters section for details.

Configuration parameters

The following is a list of the new global parameters in smb.conf:

access based share enum (S)
    This parameter controls whether users can view the share hosted by the service during a share enumeration. If the value of the access based share enum (S) parameter is set to yes for a service, then the share hosted is viewable to users with read and write access. The default setting for this parameter is access based share enum = no.
    NOTE: The difference between the access based share enum (S) parameter and the access based en>umeration parameter is that in access based share enum (S) only the share permissions are evaluated, and security descriptors are not used in computing enumeration access rights.

cache directory (G)
    This parameter specifies the directory where the TDB files containing non-persistent data are stored. The default setting of this parameter is cache directory = /var/opt/samba/locks.

client ntlmv2 auth (G)
    This parameter determines whether smbclient(8) authenticates to servers using NTLMv2 encrypted password requests. If you enable this parameter, only NTLMv2 and LMv2 responses are used, and NTLMv1 (client lanman auth) and client plaintext auth authentication are disabled. If you disable this parameter, an NTLM response is sent by the client. The default setting for this parameter is client ntlmv2 auth = no.

    NOTE: Sites that follow best practice security policies enable only NTLMv2 responses.

client ldap sasl wrapping (G)
    This parameter defines whether the LDAP traffic is signed or sealed. The values for this parameter are plain, sign, and seal. The client ldap sasl wrapping (G) parameter is useful when Domain Controllers are enforcing the usage of signed LDAP connections. You can control LDAP signing and sealing with the "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" registry key on a Windows server. The default setting for this parameter is client ldap sasl wrapping = plain.

    NOTE: For HP CIFS Server, the krb5 library is used as a MIT version library. The default plain value does not affect the krb5 clock skew errors.

cups connection timeout (G)
    NOTE: This parameter is available only when the printing value is set to cups.

    This parameter specifies the time in seconds that smbd must wait when trying to connect to the CUPS server. The connection fails after the set time. The default setting for this parameter is cups connection timeout = 30.

debug class (G)
    When this boolean parameter is enabled, the debug class (DBGC_CLASS) is displayed in the debug header. The default setting for this parameter is debug class = no.

dedicated keytab file (G)
    This parameter specifies the path of the Kerberos keytab file when kerberos method is set to dedicated keytab. The default setting for this parameter is dedicated keytab file = [/usr/local/etc/krb5.keytab].

init logon delayed hosts (G)
    This parameter specifies the host names, addresses, and networks for which the samlogon must be delayed. Use the init logon delay parameter to set the delay time. The default setting for this parameter is init logon delayed hosts = [ myhost.mynet.de ].
init logon delay (G)
    This parameter specifies the delay in milliseconds of the initial samlogon for the hosts configured with init logon delayed hosts. The default setting for this parameter is init logon delay = 100.

kerberos method (G)
    This parameter specifies how Kerberos tickets are verified. You can use the following values for the kerberos method (G) parameter:

    secrets only          Use secrets.tdb for ticket verification.
    system keytab         Use the system keytab for ticket verification.
    dedicated keytab      Use a dedicated keytab for ticket verification.
    secrets and keytab    Use secrets.tdb first, then the system keytab.

    NOTE: While using the dedicated keytab value, ensure that dedicated keytab file specifies the location of the keytab file. The main difference between system keytab and dedicated keytab is that the latter depends on Kerberos to find the correct keytab instead of filtering based on principals.

    The default setting for this parameter is kerberos method = secrets only.

map untrusted to domain (G)
    This parameter specifies the legacy behavior of mapping untrusted domain names to the primary domain. When you set map untrusted to domain (G) to yes, smbd provides the legacy behavior of mapping untrusted domain names to the primary domain. For example, if a client connects to smbd using an untrusted domain name such as BOGUS\user, smbd replaces the BOGUS domain with its SAM name before authenticating that user. When smbd functions as a PDC, it is Domain\user. When smbd functions as a domain member server, it is WORKSTATION\user. The default setting for this parameter is map untrusted to domain = no.

min receivefile size (G)
    This parameter modifies the behavior of smbd(8) when it processes SMBwriteX calls. If an incoming SMBwriteX call on a non-signed SMB/CIFS connection is greater than the value specified in min receivefile size (G), smbd does not process the call itself but passes it to the underlying kernel. If you set the value of min receivefile size (G) to 0, Samba processes SMBwriteX calls in the normal manner. To enable Samba to process large write support, set the value of min receivefile size (G) to non-zero. You can set the maximum value to 128K. The default setting for this parameter is min receivefile size = 0.

registry shares (G)
    This parameter specifies support for share definitions read from the registry. Shares defined in smb.conf are given priority over the same shares defined in the registry. The default setting for this parameter is registry shares = No.
state directory (G)
This parameter specifies the directory where the TDB files containing persistent data are stored. The default setting for this parameter is state directory = /var/opt/samba/locks.

smb encrypt (S)
This parameter specifies whether the remote client is allowed or required to use SMB encryption. Starting with Samba 3.2, SMB encryption uses GSSAPI to encrypt and sign the requests and responses in an SMB protocol stream. When smb encrypt (S) is enabled, it provides a secure method of SMB/CIFS communication, deriving the encryption and signing keys from the SMB/CIFS authentication.

NOTE: The smb encrypt (S) parameter is supported only by Samba 3.2 and later clients. It is not supported by Linux CIFSFS, MacOS/X, or Windows clients.

You can use the following values for the smb encrypt (S) parameter:

auto        Encryption is offered but not required.
mandatory   Encryption is required.
disabled    Encryption is not allowed.

The default setting for smb encrypt (S) is smb encrypt = auto.

NOTE: The clustering (G), cluster addresses (G), ctdb timeout (G), and ctdbd socket (G) parameters are not implemented in HP CIFS Server A.

The following global parameters in smb.conf support the fixed-size memory map feature:

use mmap
This boolean parameter controls whether the memory map functionality is enabled or disabled on the HP CIFS Server. The default setting for this parameter is yes.

fixed mmap size
This integer parameter specifies the fixed memory size for memory-mapped access. The default value is 16 MB, which means that a contiguous 16 MB address space is reserved when the file is first opened and no expansion is allowed. HP recommends that fixed mmap size be set to a multiple of the TDB page size, which is 8192 bytes.

In most cases, you do not need to change the default values of the use mmap and fixed mmap size parameters.
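The settings above can be audited directly from smb.conf, without a running server. The following is an added example, not code from the HP CIFS Server guide or from Samba: a POSIX shell/awk reader for smb.conf and an audit function that flags the weak values discussed in this chapter (LANMAN and plaintext client authentication, loss of NTLMv2, map untrusted to domain, an oversized min receivefile size, and shares whose effective smb encrypt is disabled). The function names, the 131072-byte ceiling derived from the 128 K limit quoted for min receivefile size, and the sample configuration at the end are assumptions made for this example.

```shell
# Added example (not code from the HP CIFS Server guide or from Samba): a POSIX
# sh + awk reader for smb.conf and an audit of the security-relevant settings
# described in this section. Assumes the smb.conf grammar HP CIFS Server uses
# (INI-style [sections], "key = value", '#'/';' comment lines) and the defaults
# quoted in the text; the sample configuration at the end is constructed.

# smbconf_get FILE SECTION KEY -> the raw value, or nothing if unset. Samba
# matches parameter names ignoring case and whitespace, and the last
# definition in a section wins; both are mirrored here.
smbconf_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        BEGIN { want_sec = norm(want_sec); want_key = norm(want_key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); sec = norm(sec); next }
        sec == want_sec && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            if (norm(key) == want_key) { sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); value = val }
        }
        END { if (value != "") print value }' "$1"
}

# smbconf_effective FILE SECTION KEY DEFAULT -> the value Samba would apply:
# the section's own setting, else [global], else DEFAULT (this is how a
# share-level (S) parameter such as smb encrypt is resolved).
smbconf_effective() {
    eff=$(smbconf_get "$1" "$2" "$3")
    if [ -z "$eff" ] && [ "$2" != global ]; then eff=$(smbconf_get "$1" global "$3"); fi
    if [ -z "$eff" ]; then eff=$4; fi
    printf '%s\n' "$eff"
}

# smbconf_shares FILE -> one share name per line, [global] excluded.
smbconf_shares() {
    awk '/^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/].*$/, "", s); if (tolower(s) != "global") print s }' "$1"
}

# is_yes VALUE -> 0 when VALUE is a Samba boolean true (yes/true/1).
is_yes() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|1) return 0 ;; esac
    return 1
}

# audit_smbconf FILE -> one "FINDING: ..." line per weak setting; always
# returns 0, so callers count the lines.
audit_smbconf() {
    cf=$1
    # LANMAN and plaintext client authentication default to no in this release
    # and NTLMv2 to yes; flag anything that re-enables the weak options.
    for p in "lanman auth" "client lanman auth" "client plaintext auth"; do
        if is_yes "$(smbconf_effective "$cf" global "$p" no)"; then
            echo "FINDING: $p is enabled; leave it at the default (no)"
        fi
    done
    if ! is_yes "$(smbconf_effective "$cf" global "client ntlmv2 auth" yes)"; then
        echo "FINDING: client ntlmv2 auth is disabled; outgoing authentication falls back to NTLMv1"
    fi
    if is_yes "$(smbconf_effective "$cf" global "map untrusted to domain" no)"; then
        echo "FINDING: map untrusted to domain = yes maps arbitrary domain names onto the local SAM"
    fi
    # The receivefile fast path applies to unsigned connections only; the
    # documented ceiling is 128 K (131072 bytes).
    mrs=$(smbconf_effective "$cf" global "min receivefile size" 0)
    if [ "$mrs" -gt 131072 ] 2>/dev/null; then
        echo "FINDING: min receivefile size = $mrs exceeds the 128 K maximum"
    fi
    # smb encrypt is a share (S) parameter: report each share that refuses it.
    smbconf_shares "$cf" | while IFS= read -r shr; do
        enc=$(smbconf_effective "$cf" "$shr" "smb encrypt" auto | tr 'A-Z' 'a-z')
        if [ "$enc" = disabled ]; then
            echo "FINDING: share [$shr] refuses SMB encryption (smb encrypt = disabled)"
        fi
    done
    return 0
}

# Constructed, deliberately weak sample configuration.
sample_smbconf() {
    cat <<'EOF'
[global]
    lanman auth = yes
    client plaintext auth = Yes
    map untrusted to domain = yes
    min receivefile size = 262144
[public]
    path = /srv/public
    ; parameter names match ignoring case and spaces
    SmbEncrypt = disabled
[secure]
    path = /srv/secure
    smb encrypt = mandatory
EOF
}

tmpconf=${TMPDIR:-/tmp}/smbconf.audit.$$
sample_smbconf > "$tmpconf"
audit_smbconf "$tmpconf"        # prints the five findings for the sample
rm -f "$tmpconf"
```

Run it against the real file with audit_smbconf /etc/opt/samba/smb.conf (or whatever path the -c option of the daemons points at); a share that inherits smb encrypt = disabled from [global] is reported just like one that sets it locally, because the effective value is what the server enforces.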
Parameter Name                  Description       Default
async smb echo handler          New               No
client use spnego principal     New               No
ctdb locktime warn threshold    New               0
log writeable files on exit     New               No
multicast dns register          New               Yes
ncalrpc dir                     New
send spnego principal           New               No
smb2 max credits                New
smb2 max read                   New
smb2 max trans                  New
smb2 max write                  New
username map cache time         New
winbind max clients             New
create krb5 conf                New               Yes
ctdb timeout                    New               0
cups encrypt                    New               No
ldap deref                      New               Auto
ldap follow referral            New               Auto
nmbd bind explicit broadcast    New               No
idmap config * : range          New
idmap config * : backend        New
passdb backend                  Changed default   tdbsam
lanman auth                     Changed default   No
client lanman auth              Changed default   No
client ntlmv2 auth              Changed default   Yes
wide links                      Changed default   No
client plaintext auth           Changed default   No
max open files                  Changed default
max stat cache size             Changed default
preferred master                Changed default   No
idmap backend                   Changed default   tdb
allocation roundup size         Modified
kernel oplocks                  Modified          Yes
ldap ssl                        Modified          start tls
use kerberos keytab             Removed
mangled map                     Removed
kernel share modes              Removed
idmap domains                   Removed
read bmpx                       Removed
idmap alloc backend             Removed

Mostly Private Address Space (MPAS) support on HP-UX 11i v2 IA and HP-UX 11i v3 IA systems

On HP-UX 11i v2 IA and HP-UX 11i v3 IA systems, HP CIFS Server A provides an MPAS enhancement that supports memory-mapped access to all TDB files. With this functionality, each process uses a private, process-specific address space. Because of address aliasing, many private addresses can map the same file, which ensures memory-mapped access for all CIFS Server processes. To enable memory-mapped access, set the smb.conf use mmap parameter to yes. The default value of use mmap is yes.

NOTE: To modify the value of use mmap, you must first stop all CIFS Server processes (the smbd, nmbd and winbind daemons), change the parameter, and then restart the CIFS Server processes. Changing use mmap by any other procedure is not safe.

Unified file cache support on an HP-UX 11i v3 system

HP CIFS Server supports the HP-UX unified file cache for memory-mapped access to Trivial Database (TDB) files on HP-UX 11i v3 PA and IA systems. The unified file cache is an HP-UX file system feature that integrates the page cache and the buffer cache to provide coherency for file access. Without the unified file cache, the file system caches file data in the buffer cache while memory-mapped access caches file data in the page cache; if an application accesses a file through both read()/write() system calls and memory mapping at the same time, no coherency is guaranteed between the two caches. With the unified file cache, coherency is achieved.

In case of memory-map failures, such as low memory or exceeding the fixed memory map size, HP CIFS Server for HP-UX 11i v3 IA falls back to file I/O operations on all TDB files. HP CIFS Server for HP-UX 11i v3 PA falls back to file I/O only on the memory-mapped TDB file locking.tdb. On HP-UX 11i v2 PA/IA, HP CIFS Server does not support file I/O fallback; in case of memory-map failures, the connections terminate.
What to do if you encounter memory map error messages

This section describes the memory map error messages and the actions you can take.

If the value of fixed mmap size is not sufficient, the HP CIFS Server terminates the connection and logs one of the following error messages:

"tdb_expand: ERROR. Requested size (%d) > fixed mmap size (%d). Please increase the value of "fixed mmap size" option then restart CIFS Server"

"mmap_if_required: ERROR. "fixed mmap size" parameter must be at least 8192 bytes.\n"

To resolve these errors, increase the value of fixed mmap size in smb.conf accordingly and then restart the HP CIFS Server.

NOTE: The fixed mmap size parameter is not supported by version A on HP-UX 11i v2 IA/PA systems, so the fixed-size memory map (use mmap = yes) is not functional there. Set use mmap = no on HP-UX 11i v2 IA/PA systems.

Memory-mapped access also fails when the system is low on memory. In this case, the HP CIFS Server terminates the connection and logs one of the following error messages:

"ERROR. Abort due to munmap failure."
"ERROR. Abort due to tdb_mmap failure."

To resolve these errors, turn off the memory map feature by setting use mmap to no and then restart the HP CIFS Server.
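Both tdb_expand errors above can be caught before a restart by comparing the configured size with the TDB files that already exist. The following is an added example, not part of the HP CIFS Server guide: a shell check that enforces the 8192-byte minimum and the multiple-of-page-size recommendation and reports the smallest fixed mmap size that covers every TDB in the state directory. It assumes the 8192-byte TDB page size and the /var/opt/samba/locks state directory named in this chapter; the TDB files used in the demonstration are constructed.

```shell
# Added example, not part of the HP CIFS Server guide: a check to run before
# restarting the server after changing use mmap / fixed mmap size, so that the
# tdb_expand and mmap_if_required errors above are caught in advance. Assumes
# the TDB page size of 8192 bytes and the state directory default given in
# this chapter (/var/opt/samba/locks); the TDB files in the demonstration are
# constructed.

TDB_PAGE=8192

# round_up_to_tdb_page BYTES -> the smallest multiple of 8192 that is >= BYTES
round_up_to_tdb_page() {
    echo $(( ($1 + TDB_PAGE - 1) / TDB_PAGE * TDB_PAGE ))
}

# largest_tdb_bytes DIR -> size in bytes of the largest *.tdb file in DIR
# (0 when there is none). wc -c reports the apparent size, which is what the
# fixed-size map must cover.
largest_tdb_bytes() {
    biggest=0
    for tdb in "$1"/*.tdb; do
        [ -f "$tdb" ] || continue
        bytes=$(wc -c < "$tdb" | tr -d ' ')
        if [ "$bytes" -gt "$biggest" ]; then biggest=$bytes; fi
    done
    echo "$biggest"
}

# check_fixed_mmap_size SIZE DIR
# Returns 0 when SIZE is a usable fixed mmap size for the TDB files in DIR:
# at least 8192 (mmap_if_required refuses less), a multiple of the page size
# (HP's recommendation) and no smaller than the largest existing TDB, since
# the reserved mapping cannot grow and tdb_expand drops the connection when
# a TDB outgrows it. Growth after the restart cannot be predicted from file
# sizes, so leave headroom above the minimum this reports.
check_fixed_mmap_size() {
    size=$1; dir=$2; ok=0
    if [ "$size" -lt "$TDB_PAGE" ]; then
        echo "fixed mmap size = $size is below the 8192-byte minimum"; ok=1
    fi
    if [ $((size % TDB_PAGE)) -ne 0 ]; then
        echo "fixed mmap size = $size is not a multiple of $TDB_PAGE; use $(round_up_to_tdb_page "$size")"; ok=1
    fi
    need=$(largest_tdb_bytes "$dir")
    if [ "$need" -gt "$size" ]; then
        echo "largest TDB in $dir is $need bytes; set fixed mmap size to at least $(round_up_to_tdb_page "$need")"; ok=1
    fi
    return $ok
}

# Demonstration with a constructed state directory: a small locking.tdb and a
# 20 MiB brlock.tdb (sparse), which the 16 MB default cannot cover.
demo=${TMPDIR:-/tmp}/tdbcheck.$$
mkdir -p "$demo"
dd if=/dev/zero of="$demo/locking.tdb" bs=8192 count=4 2>/dev/null
dd if=/dev/zero of="$demo/brlock.tdb" bs=8192 seek=2559 count=1 2>/dev/null
if check_fixed_mmap_size 16777216 "$demo"; then
    echo "fixed mmap size = 16777216 covers every TDB in $demo"
fi
rm -rf "$demo"
```

On a live server, call check_fixed_mmap_size with the value from smb.conf (in bytes) and the state directory after stopping smbd, nmbd and winbindd, as the note on use mmap requires, and before starting them again.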
Constraints

The HP CIFS Server TDB memory map support has the following constraints:

- Do not mix binaries from mmap and non-mmap versions of the CIFS Server daemons and utilities in the /opt/samba/bin directory.
- Use the tdbbackup utility to back up TDB files. Do not use the cp command to back up TDB files.

Overview of kernel configuration parameters

The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.

maxusers: the name of this kernel parameter is a misnomer, because it does not directly control the number of UNIX users that can log on to HP-UX. However, it is used in various formulas throughout the kernel; in fact, the default values of nproc, nfile and ninode are expressed in terms of maxusers.

nproc: this kernel parameter controls the size of the process table. Its default formula is (20+8*maxusers). With the default maxusers value of 32, this yields 20+8*32 = 276 maximum processes. If this table is already full when a process is launched, the error message "proc: table is full" appears on the console and can be viewed with the dmesg command.

nfile: this kernel parameter controls the size of the system file table and limits the total number of open files in the system. Note that this counts each instance of an open file, so the same file opened twice takes up two entries in the system file table. Its default formula is (16*(nproc+16+maxusers)/10+32+2*(npty+nstrpty+nstrtel)). When this table becomes full, the message "file: table is full" appears on the console.

ninode: this kernel parameter controls the size of the in-core inode table, or inode cache. To improve performance, the most recently accessed inodes are kept in memory. Its default formula is ((nproc+16+maxusers)+32+(2*npty)). Attempts to open a file beyond the capacity of this table result in the message "inode table full" on the console.

nflocks: defines the maximum combined number of file locks available system-wide to all processes at any given time. The default value of 200 must be increased for HP CIFS Servers.

Configuring kernel parameters for HP CIFS

The first step in configuring HP-UX to support a large number of clients on an HP CIFS server is to adjust the maxusers kernel parameter. The second step is to adjust nproc, nfile, nflocks and ninode individually so that a large number of users can be connected simultaneously.

1. Configuring maxusers

Determine the maximum number of simultaneous clients that will be connected and add this number to the current value of maxusers. For example, if 2048 clients are to be supported, add 2048 to the current value of maxusers. Unless the parameters have been changed manually, adjusting maxusers automatically adjusts the corresponding values of nproc, nfile and ninode through the formulas above. For example, raising maxusers from its default of 32 to 1056 (32 + 1024 clients) adjusts the other parameters as follows on a typical system:
nproc is increased to 8,468
nfile is increased to 15,656
ninode is increased to 9,692

If these values turn out to be too large or too small, the individual kernel parameters can be adjusted as described below.

2. Configuring nproc, nfile, ninode and nflocks

nproc: each client is handled by one unique smbd process, and each process takes up one entry in the process table, so this parameter must be at least equal to the maximum number of simultaneously connected clients. This is a necessary condition but not a sufficient one, because other processes, including system processes beyond your control, also take up process table entries. In practice, set this parameter to the anticipated maximum number of clients plus the number of other processes that will run concurrently with HP CIFS.

nfile: when an smbd process is launched it immediately takes up 28 entries in the system file table, before counting any files that the client opens and operates on. At a minimum, therefore, nfile should equal the anticipated number of simultaneous clients multiplied by (28 + the anticipated number of files simultaneously opened by each client). Again, this is necessary but may not be sufficient, because other, non-HP CIFS processes will also have files open concurrently with HP CIFS.

ninode: unlike nfile, each instance of an open does NOT increase the number of inode entries. Each unique opened file takes up one entry, regardless of how many times it is opened. Set this parameter to the anticipated number of UNIQUE open files used by HP CIFS plus the number opened by other processes in the system.

nflocks: each smbd process uses at least ten file locks. Therefore, nflocks should be at least the anticipated number of simultaneous clients multiplied by ten (10). The use of nflocks by other applications must also be considered.

Swap space requirements

Because of the one-process-per-client model of HP CIFS, perhaps the most stringent requirement imposed on the system is swap space. HP-UX reserves swap space for each process when it is launched, so that the process is never aborted for lack of swap if it has to swap out pages during memory pressure. Other operating systems reserve swap space only when it is needed, which can leave a process unable to find the swap space it requires, in which case the OS has to terminate it. Each smbd process reserves about 2 MB of swap space and, depending on the type of client activity, may grow to 4 MB. For a maximum of 2048 clients, 4 MB * 2048, or about 8 GB, of swap space is required. HP therefore recommends configuring enough swap space to accommodate the maximum number of simultaneous clients connected to the HP CIFS server.

Memory requirements

Each smbd process needs approximately 4 MB of memory on HP-UX 11i v2 and HP-UX 11i v3. For 2048 clients, therefore, the system should have at least 8 GB of physical memory on HP-UX 11i v2 and HP-UX 11i v3. This is over and above the requirements of other applications that run concurrently with HP CIFS.
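The sizing rules of steps 1 and 2 and the swap and memory figures above can be carried through for any client count. The following is an added example, not from the HP CIFS Server guide: the kernel default formulas and the per-client floors as shell functions, with a planner that reports, for each parameter, the larger of the formula default and the floor. The formulas are the ones given in this section; the assumption that npty, nstrpty and nstrtel are 60 each (their HP-UX 11i defaults) is mine, and it reproduces the 8,468 / 15,656 / 9,692 values above for maxusers = 1056.

```shell
# Added example, not from the HP CIFS Server guide: the kernel, swap and
# memory sizing rules of this section as shell functions, so they can be
# evaluated for any client count. The formulas are the ones given above.
# Assumption: npty, nstrpty and nstrtel are left at 60 each (their HP-UX 11i
# defaults), which reproduces the page's example values; override them in
# the environment for a differently tuned system.

NPTY=${NPTY:-60}; NSTRPTY=${NSTRPTY:-60}; NSTRTEL=${NSTRTEL:-60}

# Default formulas that the kernel derives from maxusers (integer arithmetic,
# truncating like the kernel's).
nproc_default()  { echo $(( 20 + 8 * $1 )); }
nfile_default()  { echo $(( 16 * ($(nproc_default "$1") + 16 + $1) / 10 + 32 + 2 * (NPTY + NSTRPTY + NSTRTEL) )); }
ninode_default() { echo $(( $(nproc_default "$1") + 16 + $1 + 32 + 2 * NPTY )); }

max() { if [ "$1" -ge "$2" ]; then echo "$1"; else echo "$2"; fi; }

# cifs_kernel_plan CLIENTS FILES_PER_CLIENT [OTHER_PROCS] [OTHER_FILES]
# Step 1: add CLIENTS to the default maxusers of 32. Step 2: compare the
# resulting defaults with the per-client floors (one smbd per client, 28 file
# table entries per smbd plus its open files, ten locks per smbd) and keep
# the larger value. Prints "parameter value" lines, one per parameter.
cifs_kernel_plan() {
    clients=$1; fpc=$2; oproc=${3:-0}; ofiles=${4:-0}
    mu=$(( 32 + clients ))
    echo "maxusers $mu"
    echo "nproc $(max "$(nproc_default "$mu")" $(( clients + oproc )))"
    echo "nfile $(max "$(nfile_default "$mu")" $(( clients * (28 + fpc) + ofiles )))"
    echo "ninode $(ninode_default "$mu")"     # unique files only; no per-client floor
    echo "nflocks $(max 200 $(( clients * 10 )))"
    echo "swap_mb $(( clients * 4 ))"          # up to 4 MB reserved per smbd
    echo "memory_mb $(( clients * 4 ))"        # about 4 MB resident per smbd
}

# plan_value PARAMETER CLIENTS FILES_PER_CLIENT [OTHER_PROCS] [OTHER_FILES]
plan_value() {
    want=$1; shift
    cifs_kernel_plan "$@" | awk -v k="$want" '$1 == k { print $2 }'
}

# Demonstration: the page's 1024-client example and a 2048-client plan with
# ten open files per client.
echo "maxusers=1056: nproc $(nproc_default 1056) nfile $(nfile_default 1056) ninode $(ninode_default 1056)"
cifs_kernel_plan 2048 10
```

For 2048 clients with ten open files each, the nfile floor (2048 * 38 = 77,824) is higher than the value the maxusers formula alone produces, which is exactly the case step 2 warns about: raising maxusers is necessary but not sufficient.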
13 Tool reference

This chapter describes tools for management of the Samba user and group account database. It includes the following topics:

HP CIFS management tools (page 162)
LDAP directory management tools (page 172)

HP CIFS management tools

Several HP CIFS Server tools are available for management of CIFS user data stored in the smbpasswd file or in a Netscape/Red Hat Directory Server database. This section documents the following user management tools:

smbpasswd       Tool for management of the Samba encrypted password database.
syncsmbpasswd   Tool for synchronizing the HP CIFS Samba users with the UNIX or POSIX users.
pdbedit         Tool for management of the SAM database (database of Samba users).
net             Tool for administration of Samba and remote CIFS servers.
wbinfo          Tool for querying information from the winbind daemon.

These management tools are available in the /opt/samba/bin directory.

Smbpasswd

This tool is used to manage a user's SMB password stored in the Samba encrypted password file, smbpasswd, or in the LDAP directory server. The Samba password database contains the user name, the UNIX user id and the SMB hashed passwords of the user, as well as account flag information and the time the password was last changed.

The smbpasswd program has different functions depending on whether it is run by the root user. When run by a normal user, it allows the user to change the password used for their SMB sessions on any machine that stores SMB passwords. When run as root, it allows you to add or delete user accounts and to change the attributes of user accounts in the SMB password database.

Use smbpasswd to perform the following operations:

- Add user or machine accounts.
- Delete user or machine accounts.
- Enable user or machine accounts.
- Disable user or machine accounts.
- Set user passwords to NULL.
- Manage inter-domain trust accounts.
For detailed information on the smbpasswd command, refer to the smbpasswd man page, SWAT or The Official Samba HOWTO and Reference Guide.

The smbpasswd tool performs its operations on the data store specified by the passdb backend parameter in the smb.conf file. If an LDAP directory is used, this parameter is set to ldapsam:ldap://<ldap server name>. If the Samba password file, smbpasswd, is used, this parameter is set to smbpasswd.

If you manage user accounts in an LDAP directory server, the POSIX user must already exist in the LDAP directory before you run the smbpasswd -a command to add the corresponding Samba user and its sambaSamAccount information, which HP CIFS Server requires for user authentication.
If the POSIX user does not already exist in the LDAP directory server, you must first add the POSIX user entry with the LDAP directory tools (such as ldapmodify). The ldapmodify tool can be used to add, modify or delete a POSIX user in an LDAP directory server. For more information on how to add POSIX user accounts to the LDAP directory server, see the Creating Samba users in the directory (page 97) section in Chapter 6, LDAP Integration Support.

Syntax

smbpasswd [options] [username]

where options can be any of the following:

-L                          Runs in local mode (must be the first option).
-h                          Prints a list of the options that the HP CIFS Server supports.
-s                          Uses stdin for the password prompt. This option causes smbpasswd to read passwords from standard input.
-c <config file>            Specifies the path and file name of the smb.conf configuration file when you want to use one other than the default file.
-D <debug level>            Specifies the debug level, an integer from 0 to 10. If this option is not specified, the default value is zero.
-r <remote machine name>    Specifies the machine on which to change the password. Without this option, smbpasswd defaults to the local host. The remote machine name is the NetBIOS name of the SMB/CIFS server to contact to attempt the password change.
-U <username[%password]>    Specifies the remote user name. This option may only be used in conjunction with the -r option. When changing a password on a remote machine, it allows the user to specify the user name on that machine whose password will be changed.

When you run smbpasswd as root, the following extra options are valid:

-a                          Adds the [username] that follows to the configured passdb backend, with the new password typed in response to the prompt (press Enter to keep the old password).
-d                          Disables the account of the [username] that follows in the configured passdb backend.
-e                          Enables the account of the [username] that follows if the account was previously disabled. If the account was not disabled, this option has no effect.
-i                          Tells smbpasswd that the account being changed is an inter-domain trust account. Currently this is used when HP CIFS Server is configured as a Primary Domain Controller. The account contains the information about another trusted domain.
-n                          Sets the password of the [username] that follows to null (a blank password) in the configured passdb backend.
-m                          Tells smbpasswd that the account being changed is a machine account. Currently this is used when HP CIFS Server is configured as a Primary Domain Controller.
-w <password>               Specifies the password to be used with the ldap admin dn. The password is stored in the /var/opt/samba/private/secrets.tdb file. If the password of the ldap admin dn ever changes, the stored password must be updated manually as well. With this option the password is entered on the command line, where it is visible to other users through ps(1) and may be recorded in the shell history; prefer -W.
-W                          Changes the LDAP directory manager password stored in secrets.tdb. With the -W option, the user is prompted for the password, which is read from stdin so that the clear-text password never appears on the command line.
-x                          Deletes the [username] that follows from the configured passdb backend.
username                    Specifies the user name for all of the root-only options to operate on. Only root can specify this parameter, as only root has the permissions needed to modify attributes directly in the SMB password database.

Examples

Run the following command to create a Samba account for the user cifsuser1:

$ smbpasswd -a cifsuser1

Run the following command to delete the Samba account of the user cifsuser2:

$ smbpasswd -x cifsuser2

Run the following command to change the LDAP directory manager password:

$ smbpasswd -w <password of the LDAP Directory Manager>

For example, the following command changes the credentials of the LDAP directory manager:

$ smbpasswd -w dmpasswd

or you can run the smbpasswd -W command to change the LDAP directory manager password as follows:

$ smbpasswd -W

With the -W option, the user is prompted for the password, which is entered on stdin.

Syncsmbpasswd

You can use the syncsmbpasswd tool to synchronize the CIFS Server Samba user list with the UNIX or POSIX user list regardless of the user database or CIFS authentication backend. When executed, syncsmbpasswd adds Samba user entries (without a password) for any UNIX or POSIX user entries (based on listusers(1)) that are not already present. See the syncsmbpasswd(1) man page for details.

If you set the passdb backend parameter in smb.conf to ldapsam:ldap://<ldap server name>, this tool adds Samba user entries that correspond to the existing POSIX user accounts to the LDAP directory server.

Options

None. There are no options for this command.

Example
For example, use the following procedure to add Samba user accounts for the POSIX user accounts in /etc/passwd to the smbpasswd file:

1. Configure the passdb backend parameter in smb.conf:

   passdb backend = smbpasswd

2. Run the following command:

   $ syncsmbpasswd
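The smbpasswd precondition above (a POSIX account must exist before the Samba account is added) and the comparison that syncsmbpasswd performs can both be scripted. The following is an added example, not part of the HP CIFS Server guide: a wrapper that refuses smbpasswd -a for users without a POSIX entry, passes the password on stdin with -s rather than on the command line, and lists the POSIX users that still have no smbpasswd entry. The SMBPASSWD variable, the passwd- and smbpasswd-format sample files, and the function names are assumptions made for this example; on a system that keeps its POSIX accounts in LDAP, the passwd file would be replaced by the output of getent passwd or a directory search.

```shell
# Added example, not part of the HP CIFS Server guide: a wrapper around
# smbpasswd that enforces the rule stated above (the POSIX account must exist
# before the Samba account is added), feeds the password on stdin with -s so
# that it never appears on a command line, and reports which POSIX users
# still lack a Samba entry, which is the check syncsmbpasswd automates.
# Assumptions: SMBPASSWD points at /opt/samba/bin/smbpasswd; the account
# lookups read passwd- and smbpasswd-format files so the functions run
# offline (both sample files below are constructed).

SMBPASSWD=${SMBPASSWD:-/opt/samba/bin/smbpasswd}

# posix_user_exists USER PASSWD_FILE -> 0 when USER has an entry.
# For accounts kept in LDAP, feed the output of "getent passwd" or an
# ldapsearch against the directory instead of /etc/passwd.
posix_user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
}

# add_samba_user USER PASSWD_FILE
# Reads the new password from the caller's stdin (as smbpasswd -s expects)
# and adds USER only when the POSIX account exists. Returns 0 on success,
# 2 when the POSIX account is missing, otherwise smbpasswd's own status.
add_samba_user() {
    if ! posix_user_exists "$1" "$2"; then
        echo "refusing to add $1: no POSIX account in $2; create it first" >&2
        return 2
    fi
    "$SMBPASSWD" -s -a "$1"
}

# samba_users_missing PASSWD_FILE SMBPASSWD_FILE [MIN_UID]
# Prints, one per line, the POSIX users with uid >= MIN_UID (default 100)
# that have no entry in the smbpasswd file. The smbpasswd file format is
# name:uid:LM hash:NT hash:[flags]:LCT-..., so only field 1 is compared.
samba_users_missing() {
    awk -F: -v min="${3:-100}" '
        FILENAME == ARGV[1] { have[$1] = 1; next }      # first file: smbpasswd
        $3 + 0 >= min && !($1 in have) { print $1 }
    ' "$2" "$1"
}

# Constructed sample files for the demonstration.
sample_passwd() {
    printf 'root:x:0:0:root:/:/sbin/sh\n'
    printf 'cifsuser1:x:501:100:CIFS user:/home/cifsuser1:/usr/bin/sh\n'
    printf 'cifsuser2:x:502:100:CIFS user:/home/cifsuser2:/usr/bin/sh\n'
}
sample_smbpasswd() {
    printf 'cifsuser1:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:\n'
}

pw=${TMPDIR:-/tmp}/passwd.demo.$$; sp=${TMPDIR:-/tmp}/smbpasswd.demo.$$
sample_passwd > "$pw"; sample_smbpasswd > "$sp"
echo "POSIX users without a Samba entry:"
samba_users_missing "$pw" "$sp"          # prints cifsuser2
rm -f "$pw" "$sp"
```

Usage on a real server is printf '%s\n' "$pw" "$pw" | add_samba_user cifsuser1 /etc/passwd, run as root, with the password supplied by the caller rather than typed into a shell history.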
Pdbedit

You can use the pdbedit tool to manage the Samba user accounts stored in the SAM database (database of Samba users). You must be logged in as the root user to run this tool. The pdbedit tool can be used to perform the following operations:

- Add, remove or modify user accounts.
- List user accounts.
- Migrate user accounts.
- Migrate group accounts.
- Manage account policies.
- Manage domain access policy settings.

For detailed information on the pdbedit command, refer to the pdbedit man page, SWAT or The Official Samba HOWTO and Reference Guide.

The pdbedit tool performs its operations on the data store specified by the passdb backend parameter in the smb.conf file. If an LDAP directory is used, this parameter is set to ldapsam:ldap://<ldap server name>. If the Samba user account database file, smbpasswd, is used, this parameter is set to smbpasswd.

If you manage user accounts in an LDAP directory server, the POSIX user must already exist in the LDAP directory before you run the pdbedit -a command to add the corresponding Samba user and its sambaSamAccount information, which HP CIFS Server requires for user authentication. If the POSIX user does not already exist in the LDAP directory server, you must first add the POSIX user entry with the LDAP directory tools (such as ldapmodify). You can use the ldapmodify tool to add, modify or delete a POSIX user in an LDAP directory server. For more information on how to add POSIX user accounts to the LDAP directory server, see the Creating Samba users in the directory (page 97) section in Chapter 6, LDAP Integration Support.

Syntax

pdbedit [options]

where options can be any of the following:

-L, --list                  Lists all the user accounts in the users database. This option displays a list of uid/user pairs separated by the : character.
-v, --verbose               Enables the verbose listing format. It causes pdbedit to list the users in the database, displaying the account fields in a descriptive format.
-w, --smbpasswd-style       Causes pdbedit to list the users in the database, displaying the account fields in the smbpasswd file format.
-u, --user=username         Specifies the user name to be used for the requested operation (listing, adding, modifying or removing). It is required for add, remove and modify operations and optional for list operations.
-N, --account-desc=arg      Specifies a machine account description to be set.
-f, --fullname=arg          Specifies the user's full name. This option can be used while adding or modifying a user account.
-h, --homedir=arg           Sets the user's home directory. This option can be used while adding or modifying a user account.
-D, --drive=arg             Specifies the Windows drive letter used to map the home directory. This option can be used while adding or modifying a user account.
-S, --script=arg            Sets the user's logon script path. This option can be used while adding or modifying a user account.
-p, --profile=arg           Specifies the user's profile directory. This option can be used while adding or modifying a user account.
-I, --domain=arg            Specifies the user's domain name.
-U, --user-SID=<user SID/RID>     Specifies the user's SID (Security Identifier) or RID. This option can be used while adding or modifying a user account.
-G, --group-SID=<group SID/RID>   Specifies the user's group SID (Security Identifier) or RID. This option can be used while adding or modifying a user account.
-a, --create                Adds a Samba user account. This command needs a user name specified with the -u option. When adding a new user, pdbedit asks for the password to be used.
-r, --modify                Modifies an existing Samba user account. This command requires a user name specified with the -u option.
-m, --machine               Adds a new machine account. This option may only be used in conjunction with the -a option. It causes pdbedit to add a machine trust account instead of a user account (the -m -u <machine name> options provide the machine account name).
-x, --delete                Deletes a Samba user account. This command needs a user name specified with the -u option.
-b, --backend=arg           Uses a different passdb backend as the default password backend.
-i, --import=<in-backend>   Uses a different passdb backend to retrieve user accounts than the one specified in the smb.conf passdb backend parameter. This option can be used to import user accounts from that passdb backend, easing migration of user accounts from one passdb backend to another.
-e, --export=<out-backend>  Exports all currently available user accounts to the specified password database backend, easing migration of user accounts from one passdb backend to another.
-g, --group                 Use this option with -i <in-passdb backend> to import groups from that passdb backend. You can use the -g -e <out-passdb backend> options to export all currently available groups to the specified password database backend.

Account policy setting options

Use the following options to manage account policy settings:

-P, --account-policy=arg    Displays an account policy. Valid policies are minimum password age, reset count minutes, disconnect time, user must logon to change password, password history, lockout duration, min password length, maximum password age and bad lockout attempt.
-C, --value=arg             Sets an account policy to the specified value. This option may only be used in conjunction with the -P option.
-c, --account-control=arg   Specifies the user's account control property. This option can be used while adding or modifying a user account. Possible flags are listed below:
                            N: No password required
                            D: Account disabled
                            H: Home directory required
                            T: Temporary duplicate of other account
                            U: Regular user account
                            M: MNS logon user account
                            W: Workstation Trust Account
                            S: Server Trust Account
                            L: Automatic Locking
                            X: Password does not expire
                            I: Domain Trust Account
-z, --bad-password-count-reset   Resets the bad password count value.
-Z, --logon-hours-reset     Resets the logon hours.
--pwd-can-change-time=ARG   Sets the password-can-change-time policy value.
--pwd-must-change-time=ARG  Sets the password-must-change-time policy value (UNIX time in seconds since 1970 if no time format is given).
-t, --password-from-stdin   Reads the password from standard input.

Help options

-?, --help                  Shows help messages.
--usage                     Displays a brief usage message.

Common Samba options

The following is a list of common Samba options:

-d, --debuglevel=debuglevel      Specifies the debug level, an integer from 0 to 10. If this option is not specified, the default value is zero.
-l, --log-basename=logfilebase   Specifies the base name for log files. The extension ".progname" is appended (for example log.smbclient, log.smbd).
-s, --configfile=configfile      Specifies an alternative Samba configuration file.
-V, --version                    Prints the program version number.

Examples

Run the following command to show a list of the pdbedit options:
$ pdbedit -?

Run the following command to create a Samba account for the user cifsuser1 with the home directory /home/cifsuser1. The pdbedit tool prompts for an initial user password:

$ pdbedit -a -u cifsuser1 -h /home/cifsuser1

Run the following command to delete the Samba account of the user cifsuser2:

$ pdbedit -x -u cifsuser2

net

This tool is used for administration of Samba and remote CIFS servers. The Samba net utility is meant to work like the net utility available for Windows and DOS. The first argument of the net utility specifies the protocol to use when executing the net command; it can be ADS, RAP or RPC. ADS is used for Windows Active Directory, RAP for old Windows clients (Win9x/NT3) and RPC for DCE-RPC.

The net tool performs its operations on the LDAP directory if the smb.conf passdb backend parameter is set to ldapsam:ldap://<ldap server name>. If you manage user accounts in an LDAP directory, the POSIX user account must already exist in the LDAP directory before you run the net rpc user add command to add the corresponding Samba user and its sambaSamAccount information, which HP CIFS Server requires for user authentication. If the POSIX user does not already exist in the LDAP directory server, you must first add the POSIX user entry with the LDAP directory tools (such as ldapmodify). You can use the ldapmodify tool to add, modify or delete a POSIX user in an LDAP directory server. See the Creating Samba users in the directory (page 97) section in Chapter 6, LDAP Integration Support, for more information on how to add the POSIX user account to an LDAP directory server.

There are many net commands. This section describes only a portion of the available commands, and only the syntax of the net rpc user command that you can use to manage the Samba user account database.
For a more complete description of how to use the net commands and their syntax, refer to the net man page, SWAT, the net help text or The Official Samba HOWTO and Reference Guide.

Net commands

The following is a partial description of the net commands. For detailed information on a specific command and its syntax, use net help <command option>.

net time                  Displays or sets time information.
net lookup                Looks up the IP address or host name of a specified host.
net user                  Manages users.
net group                 Manages groups.
net groupmap              Manages group mappings.
net idmap                 Manages the idmap id mappings.
net join                  Joins a CIFS server to a domain.
net cache                 Operates on the cache Trivial Database (tdb) file.
net getlocalsid [domain]  Displays the domain SID of the specified domain. If the [domain] parameter is not specified, displays the SID of the domain the local CIFS server is in.
net setlocalsid           Sets the local domain SID.
net changesecretpw        Allows the Samba machine account password to be set from an external application to a machine account password that has already been stored in a Windows Active Directory. Do not use this command unless you know exactly what you are doing. It also requires the force flag (-f). There is no prompt: whatever is read from stdin is stored as the literal machine password. Use it with care, because it overwrites a legitimate machine password without warning.
net status                Displays the machine account status of the local server.
net usersidlist           Gets a list of all users with their Windows SIDs.
net ads <command>         Runs ADS commands.
net rpc <command>         Runs RPC commands.
net rap <command>         Runs RAP (pre-RPC) commands.

Syntax for net user

This section includes only the syntax of the net user command.

Use the following command syntax to list user account information:

net [<method>] user [options] [targets]

Use the following command syntax to delete a specified Samba user account:

net [<method>] user DELETE <name> [options] [targets]

Use the following command syntax to list the domain groups of the specified Samba user:

net [<method>] user INFO <name> [options] [targets]

Use the following command syntax to add a Samba user account:

net [<method>] user ADD <name> [options] [-c container] [-F user flags] [targets]

Use the following command syntax to rename a Samba user:

net [<method>] user RENAME [oldname] [newname] [targets]

Valid methods

where the valid methods can be any of the following:

ads   Can be used for Windows Active Directory.
rpc   Can be used for systems with DCE-RPC.
rap   Can be used for older systems such as Windows 9x or NT3 clients.

Valid targets

The valid targets can be any of the following. If this argument is not specified, the default is the local host.

-S or --server=<server>       Specifies the target server name.
-I or --ipaddress=<ipaddr>    Specifies the IP address of the target server.
-w or --workgroup=<wg>        Specifies the target workgroup or domain.
Valid options where the valid options can be any of the following: -p or port=<port> Specifies the port number on the target server to connect to. -W or myworkgroup=<wg> Specifies the client workgroup or domain. -d or <debuglevel=<level> Specifies the debug level which is an integer from 0 to 10. If this parameter is not specified, the default value is zero. HP CIFS management tools 169
-n or --myname=<name>
    Specifies the NetBIOS name. This option allows you to override the NetBIOS name that Samba uses. The command line setting takes precedence over parameter settings in the smb.conf file.
-U or --user=<name>
    Specifies the user name.
-s or --configfile=<path>
    Specifies the alternative path name of the Samba configuration file.
-l or --long
    Displays full information on each item when listing data.
-V or --version
    Prints Samba version information.
-P or --machine-pass
    Authenticates as the machine account.
-C or --comment=<comment>
    Specifies the descriptive comment. This option is only valid for the ADD operation.
-c
    Specifies the LDAP container when adding a user to the LDAP directory server. The default value is cn=users.
--help
    Prints a summary of command line options and usage.

Examples

Run the following command to create a Samba user account for the user cifsuser1:

$ net rpc user ADD cifsuser1

Run the following command to delete the Samba account for the user cifsuser2:

$ net rpc user DELETE cifsuser2

Run the following command to list the domain groups for the user cifsuser3:

$ net rpc user INFO cifsuser3

wbinfo

You can use the wbinfo tool to get information from the winbind daemon. To use the wbinfo tool, you must configure and start up the winbind daemon, winbindd.

Syntax

wbinfo [option]

where option can be any of the following:

-l <pathname>
    Displays path data with Windows user and group names that exceed the HP-UX name limitation of 8 characters.
-L <pathname>
    Displays path data with the fully qualified Windows domain name prepended to the Windows user and group names that exceed the HP-UX name limitation of 8 characters.
-u, --domain-users
    Displays all user names and name-uid mappings that are available in the Windows NT domain in which the winbindd daemon is operating. Users in all trusted domains are also listed.
-g, --domain-groups
    Displays all group names and name-gid mappings that are available in the Windows NT domain in which the samba(7) daemon is operating. Groups in all trusted domains are also listed.
-N, --WINS-by-name <name>
    Queries the winbindd daemon to query the WINS server for the IP address associated with the NetBIOS name specified by the name parameter.
-I, --WINS-by-ip <ip>
    Queries winbindd to send a node status request to get the NetBIOS name associated with the IP address specified by the ip parameter.
-n, --name-to-sid <name>
    Queries winbindd for the Windows SID associated with the specified name.
-s, --sid-to-name <sid>
    Use this option to resolve a Windows SID to a name. This is the inverse of the -n option. The Windows SID must be specified as an ASCII string in the traditional Microsoft format. For example, S
-U, --uid-to-sid <uid>
    Converts a UNIX user UID to a Windows SID. If the UID specified is not within the idmap uid range, the operation fails.
-G <gid>
    Converts a UNIX GID to a Windows SID. If the GID specified is not within the idmap gid range, the operation fails.
-S, --sid-to-uid <sid>
    Converts a Windows SID to a UNIX user id. If the Windows SID does not correspond to a UNIX user mapped by winbindd, the operation fails.
-Y, --sid-to-gid <sid>
    Converts a Windows SID to a UNIX group id. If the Windows SID does not correspond to a UNIX group mapped by winbindd, the operation fails.
-A, --allocate-rid
    Gets a new RID from idmap.
-t, --check-secret
    Verifies that the workstation trust account created when the Samba server is added to the Windows NT domain is working.
-p, --ping
    Pings winbindd to see whether it is still alive.
--domain <name>
    Sets the domain on which any specified operations will be performed. Currently only the --sequence, -u, and -g options honor this parameter.
-D, --domain-info <domain>
    Shows most of the information we have about the domain.
-r, --user-groups <username>
    Gets the list of UNIX group ids that a specific user belongs to. This only works for users defined on a Domain Controller.
--user-domgroups <SID>
    Gets user domain groups.
--user-sids <SID>
    Gets user group SIDs for the user.
-V, --version
    Prints the winbind version.
-a, --authenticate <username%password>
    Authenticates a user via winbindd. This checks both authentication methods and reports its results.
--set-auth-user <username%password>
    Stores the username and password used by winbindd during session setup to a domain controller. This option is only available for root.
--get-auth-user
    Prints the username and password used by winbindd during session setup to a domain controller. This option is only available for root.
--getdcname <domainname>
    Gets the name of the Domain Controller for the specified domain.
--sequence
    Shows sequence numbers of all known domains.
-?, -h, --help
    Shows the help messages.
--usage
    Displays brief usage messages.

For detailed information on how to use this tool, refer to the /opt/samba/man/man1/wbinfo.1 file.

Examples

The following is an example of the output using the wbinfo -l command:

$ wbinfo -l /tmp
drwxr-xr-x 2 user1 Domain Users 96 Jun 23 16:52 Folder1
drwxr-xr-x 2 user2 Domain Users 96 Jun 23 16:52 Folder2

The following is an example of the output using the wbinfo -L command:

$ wbinfo -L /tmp
drwxr-xr-x 2 DOMAIN_DOM\user1 DOMAIN_DOM\Domain Users 96 Jun 23 16:52 Folder1
drwxr-xr-x 2 DOMAIN_DOM\user2 DOMAIN_DOM\Domain Users 96 Jun 23 16:52 Folder2

The following is an example of the output using the wbinfo -u command:

$ wbinfo -u
DOMAIN_DOM\johnb
DOMAIN_DOM\user
DOMAIN_DOM\user
DOMAIN_DOM\user
DOMAIN_DOM\user
DOMAIN_DOM\Guest
DOMAIN_DOM\user
DOMAIN_DOM\ntuser
DOMAIN_DOM\root
DOMAIN_DOM\pcuser
DOMAIN_DOM\winusr
DOMAIN_DOM\maryw

The following is an example of the output using the wbinfo -g command:

$ wbinfo -g
DOMAIN_DOM\Domain Admins
DOMAIN_DOM\Domain Guests
DOMAIN_DOM\Domain Users
DOMAIN_DOM\Domain Computers
DOMAIN_DOM\Domain Controllers
DOMAIN_DOM\Schema Admins
DOMAIN_DOM\Enterprise Admins
DOMAIN_DOM\Cert Publishers
DOMAIN_DOM\Account Operators
DOMAIN_DOM\Print Operators
DOMAIN_DOM\Group Policy Creator Owners

LDAP directory management tools

This section provides information for the ldapmodify, ldapsearch and ldapdelete tools. These LDAP directory tools are bundled with the LDAP-UX Integration product (J4269AA) and are available in the /opt/ldapux/bin directory.

This section includes only those options that are useful for managing the HP CIFS users when using the LDAP Directory Server as the datastore backend. For a complete description of how to use these commands, refer to the "Creating Directory Entries" chapter in "Part 1, Administering Red Hat Directory Server" of the Netscape/Red Hat Directory Server Administrator's Guide. For a complete description of all the options available for these commands, refer to the "Command-Line Utilities" chapter in the Netscape/Red Hat Directory Server Configuration, Command, File Reference. These manuals are available in the Internet and Security Solutions on the HP Technical Documentation web site at the following URL:
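The wbinfo listings shown earlier in this section are plain text that administration scripts commonly consume: `DOMAIN\name` lines from -u and -g, and ls-style lines from -l and -L in which a group name such as "Domain Users" contains a space. The following Python is an added example, not code from the HP CIFS guide or the Samba project. It parses those three formats offline, reports the names that exceed the HP-UX 8-character limit the -l/-L options exist for, lists which well-known administrative groups winbindd resolves, and checks that a string is in the S-1-... text form the -s option expects before it is handed to wbinfo. The sample output is constructed to match the formats shown above; no winbindd is contacted.

```python
"""Offline checks on wbinfo(1) output: name parsing, HP-UX name-length
screening and SID text-format validation.

Added example, not code from the HP CIFS guide or the Samba project; the
sample output below is constructed to match the formats the guide shows."""
import re

HPUX_NAME_LIMIT = 8  # the 8-character limit that the -l/-L options work around
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)*$")  # traditional Microsoft SID text form

# Well-known high-privilege groups, spelled as they appear in the wbinfo -g listing.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Account Operators", "Print Operators"}

# Constructed samples of `wbinfo -u`, `wbinfo -g` and `wbinfo -L /tmp` output.
SAMPLE_USERS = r"""DOMAIN_DOM\johnb
DOMAIN_DOM\Guest
DOMAIN_DOM\root
DOMAIN_DOM\longusername1
"""
SAMPLE_GROUPS = r"""DOMAIN_DOM\Domain Admins
DOMAIN_DOM\Domain Users
DOMAIN_DOM\Enterprise Admins
"""
SAMPLE_LISTING = r"""drwxr-xr-x 2 DOMAIN_DOM\user1 DOMAIN_DOM\Domain Users 96 Jun 23 16:52 Folder1
drwxr-xr-x 2 DOMAIN_DOM\johnsmith DOMAIN_DOM\Domain Users 96 Jun 23 16:52 Folder2
"""

# ls-style line; the group field is non-greedy so names with spaces are kept whole.
LISTING_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+(?P<group>.+?)\s+"
    r"(?P<size>\d+)\s+(?P<month>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{1,2}:\d{2}|\d{4})\s+(?P<name>.+)$")


def split_name(entry):
    """Split 'DOMAIN\\name' into (domain, name); domain is None without a separator."""
    domain, sep, name = entry.partition("\\")
    return (domain, name) if sep else (None, entry)


def parse_names(output):
    """(domain, name) tuples from wbinfo -u or wbinfo -g output."""
    return [split_name(line.strip()) for line in output.splitlines() if line.strip()]


def long_names(output, limit=HPUX_NAME_LIMIT):
    """Names longer than the HP-UX limit: the ones -l/-L exist to display."""
    return [name for _, name in parse_names(output) if len(name) > limit]


def privileged_groups(output):
    """Well-known administrative groups that winbindd resolves for this domain."""
    return sorted(name for _, name in parse_names(output) if name in PRIVILEGED_GROUPS)


def is_valid_sid(text):
    """True if text is in the S-1-<authority>-<subauthorities> form wbinfo -s expects."""
    return bool(SID_RE.match(text))


def parse_listing(output):
    """Parse wbinfo -l / -L long-listing lines into dicts."""
    rows = []
    for line in output.splitlines():
        m = LISTING_RE.match(line)
        if not m:
            raise ValueError("unrecognised listing line: %r" % line)
        owner_dom, owner = split_name(m.group("owner"))
        group_dom, group = split_name(m.group("group"))
        rows.append({"mode": m.group("mode"), "owner_domain": owner_dom, "owner": owner,
                     "group_domain": group_dom, "group": group, "name": m.group("name")})
    return rows


def names_needing_long_form(output, limit=HPUX_NAME_LIMIT):
    """Owners and groups in a listing that exceed the limit, sorted and de-duplicated."""
    found = set()
    for row in parse_listing(output):
        for name in (row["owner"], row["group"]):
            if len(name) > limit:
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    print("long user names:", long_names(SAMPLE_USERS))
    print("privileged groups:", privileged_groups(SAMPLE_GROUPS))
    print("listing needs -L for:", names_needing_long_form(SAMPLE_LISTING))
```

Because a name longer than eight characters is exactly the case the plain -l output cannot show unambiguously, a script that audits ownership of a share should consume the -L form and split domain from name itself, as parse_listing does, rather than rely on column positions.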
ldapmodify

You use the ldapmodify command-line utility to add, delete or modify POSIX user entries in an existing LDAP directory. ldapmodify opens a connection to the specified server using the distinguished name and password you supply, and adds or modifies the entries based on the LDIF update statements contained in a specified file.

Syntax

ldapmodify [optional_options]

where

optional_options
    Specifies a series of command-line options.

ldapmodify options

This section lists the most commonly used ldapmodify options.

-a
    Allows you to add LDIF entries to the directory without requiring the changetype: add LDIF update statement. This provides a simplified method of adding entries to the directory.
-B
    Specifies the suffix under which the new entries will be added.
-D
    Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries.
-f
    Specifies the file containing the LDIF update statements used to define the directory modification. If you do not supply this option, the update statements are read from stdin.
-h
    Specifies the hostname or IP address of the Directory Server. If not specified, ldapmodify uses the local host.
-p
    Specifies the TCP port number that the Directory Server uses. The default is 389.
-q
    Causes each add operation to be performed silently as opposed to being echoed to the screen individually.
-w
    Specifies the password associated with the distinguished name that is specified in the -D option.

Examples

The following command adds the entries to the LDAP directory server:

$ /opt/ldapux/ldapmodify -a -D "cn=directory Manager, dc=hp,dc=com" -w dmpasswd -h ldaphosta \
  -p 389 -f new.ldif

where the entries specified in the new.ldif file are added to the directory server.

As an example, the following LDIF update file, new.ldif, contains update statements to create the user account user1 on the LDAP directory server:

dn: uid=user1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
memberuid: user1
homedirectory: /home/user1
loginshell: /usr/bin/ksh
gecos: User1 Hu, 40N-20

ldapsearch

You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified distinguished name and password, and locates entries based on the specified search filter. Search results are returned in LDIF format.
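LDIF is both the input format of ldapmodify and the output format of ldapsearch, so one small reader serves both tools. The following Python is an added example, not code from the HP CIFS guide or the LDAP-UX tools. It folds continuation lines, decodes base64 values and splits entries, then uses the result two ways: to check an update file before it is submitted (a posixAccount entry must carry cn, uid, uidNumber, gidNumber and homeDirectory per RFC 2307, and a server with schema checking enabled rejects an add that lacks them with an object class violation), and to index the LDIF that ldapsearch returns. The LDIF text below is constructed, one file modelled on the new.ldif above and one on the uid=dave search in the next section; the uidNumber and gidNumber values are sample values and no directory server is contacted.

```python
"""Read LDIF offline: check an ldapmodify update file for the attributes a
posixAccount entry must carry, and index ldapsearch results by uid.

Added example, not code from the HP CIFS guide or the LDAP-UX tools; the
LDIF text below is constructed and no directory server is contacted."""
import base64

# Attributes the posixAccount object class MUST contain (RFC 2307).
POSIXACCOUNT_MUST = {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}

# Constructed update file in the shape of the guide's new.ldif: it carries no
# uid, cn, uidNumber or gidNumber, so a schema-checking server rejects it.
GUIDE_STYLE_LDIF = """dn: uid=user1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
memberuid: user1
homedirectory: /home/user1
loginshell: /usr/bin/ksh
gecos: User1 Hu, 40N-20
"""

# The same entry completed; uidNumber and gidNumber are sample values, and the
# gecos value is split over a continuation line to exercise the parser.
COMPLETE_LDIF = """dn: uid=user1,ou=people,dc=example,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixaccount
uid: user1
cn: user1
uidnumber: 10001
gidnumber: 100
homedirectory: /home/user1
loginshell: /usr/bin/ksh
gecos: User1 Hu,
  40N-20
"""

# Constructed ldapsearch output for the guide's "uid=dave" search.
SEARCH_RESULT = """dn: uid=dave,ou=people,dc=example,dc=hp,dc=com
objectclass: posixaccount
uid: dave
cn: dave
uidnumber: 10002
gidnumber: 100
homedirectory: /home/dave
loginshell: /usr/bin/ksh
"""


def _logical_lines(text):
    """Fold LDIF continuation lines (a leading space) into the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (attributes lower-cased).
    Blank lines separate entries, '::' marks a base64 value, '#' lines are comments."""
    entries, current = [], {}
    for line in _logical_lines(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_required(entry):
    """Required posixAccount attributes absent from an entry; empty if the entry
    is not a posixAccount or is complete."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        return set()
    return POSIXACCOUNT_MUST - set(entry)


def check_update_file(text):
    """Map each failing entry's DN to the sorted attributes it lacks; an empty
    dict means every entry in the file is complete."""
    problems = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<missing dn>"])[0]
        missing = sorted(missing_required(entry))
        if missing or "dn" not in entry:
            problems[dn] = missing
    return problems


def entries_by_uid(search_output):
    """Index ldapsearch LDIF results by uid."""
    return {e["uid"][0]: e for e in parse_ldif(search_output) if "uid" in e}


if __name__ == "__main__":
    print("guide-style file:", check_update_file(GUIDE_STYLE_LDIF))
    print("completed file:", check_update_file(COMPLETE_LDIF))
    print("dave's home:", entries_by_uid(SEARCH_RESULT)["dave"]["homedirectory"])
```

Running check_update_file over an update file before calling ldapmodify -a turns a server-side rejection part way through a batch into a clear list of what each entry is missing; note also that memberUid belongs to posixGroup, not posixAccount, so it does nothing for the user entry.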
Syntax

ldapsearch -b basedn [optional_options] [filter] [optional_list_of_attributes]

where

filter
    Specifies an LDAP search filter. Do not specify a search filter if you supply search filters in a file using the -f option.
optional_options
    Specifies a series of command-line options. These must be specified before the search filter, if used.
optional_list_of_attributes
    A space-separated list of attributes that reduces the set of attributes returned in the search results. This list of attributes must appear after the search filter. Refer to the Red Hat Directory Server Administrator's Guide for details.

ldapsearch options

This section lists the most commonly used ldapsearch command-line options.

-b
    Specifies the starting point for the search. The value specified here must be a distinguished name that currently exists in the database.
-D
    Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to search for the entries.
-h
    Specifies the hostname or IP address of the Directory Server. If you do not specify a host, ldapsearch uses the local host.
-l
    Specifies the maximum number of seconds to wait for a search request to complete.
-P
    Specifies the TCP port number that the Directory Server uses. The default is 389.
-s
    Specifies the scope of the search. The scope can be one of the following:
    base: Search only the entry specified in the -b option or defined by the LDAP_BASEDN environment variable.
    one: Search only the immediate children of the entry specified in the -b option.
    sub: Search the entry specified in the -b option and all of its descendants. Perform a subtree search starting at the point identified in the -b option. This is the default.
-w
    Specifies the password associated with the distinguished name that is specified in the -D option.
-x
    Specifies that the search results are sorted on the server rather than on the client. In general, it is faster to sort on the server rather than on the client.
-f
    Specifies the file containing the search filter(s) to be used in the search. Omit this option if you want to supply a search filter directly on the command line.

Examples

For example, run the following command to search for the user entry Dave in the LDAP directory server, ldaphosta. The ldapsearch tool performs a subtree search starting at dc=example,dc=hp,dc=com.

$ /opt/ldapux/ldapsearch -b "dc=example,dc=hp,dc=com" -s sub \
  -D "cn=directory Manager,dc=hp,dc=com" -w dmpasswd -h ldaphosta "uid=dave"

ldapdelete

You use the ldapdelete command-line utility to delete entries from an existing LDAP directory. ldapdelete opens a connection to the specified server using the distinguished name and password you provide, and deletes the entry or entries.

Syntax

ldapdelete [optional_options]

where

optional_options
    Specifies a series of command-line options.

ldapdelete options

This section lists the most commonly used ldapdelete options.

-D
    Specifies the distinguished name (DN) with which to authenticate to the server. If specified, this value must be a DN recognized by the Directory Server, and it must also have the authority to delete the entries.
-h
    Specifies the name of the host on which the Directory Server is running. If you do not specify a host, ldapdelete uses the local host.
-P
    Specifies the TCP port number that the Directory Server uses. The default is 389.
dn
    Specifies the DN of the entry to be deleted.
-w
    Specifies the password associated with the distinguished name that is specified in the -D option.

Examples

For example, the following command deletes the entry for user John in the LDAP directory server, ldaphosta:

$ /opt/ldapux/ldapdelete -D "cn=directory Manager,dc=example,dc=hp,dc=com" -w dmpasswd \
  -h ldaphosta "uid=john,ou=people,dc=hp,dc=com"
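The ldapsearch filter "uid=dave" and the ldapdelete DN "uid=john,ou=people,dc=hp,dc=com" above both embed a user identifier. When that identifier comes from an untrusted source (a web form, a helpdesk ticket), an unescaped * or ( in a filter changes which entries the search matches, and an unescaped comma in a DN changes which entry is addressed. The following Python is an added example, not code from the HP CIFS guide or the LDAP-UX tools: it applies the RFC 4515 (search filter) and RFC 4514 (distinguished name) escaping rules and builds the argument lists for the two commands in this section. The host ldaphosta, the base DNs and the /opt/ldapux/bin location are taken from this section; the function names are my own, the hostile inputs are constructed, and bind credentials are deliberately left out of the argument list.

```python
"""Escape untrusted values for the ldapsearch and ldapdelete command lines.

Added example, not code from the HP CIFS guide or the LDAP-UX tools. The host,
base DNs and tool directory come from the section; function names are my own."""

LDAPUX_BIN = "/opt/ldapux/bin"  # directory of the LDAP-UX tools named in this section


def escape_filter_value(value):
    """RFC 4515: a raw '*', '(', ')', '\\' or NUL inside an assertion value is
    replaced by a backslash and two hex digits, so it is matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value):
    """RFC 4514: escape the characters that would be read as DN structure
    (',', '+', '"', '\\', '<', '>', ';'), a leading '#' or space, a trailing
    space, and NUL."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def uid_filter(uid):
    """Equality filter for one uid; a wildcard in the input stays literal."""
    return "(uid=%s)" % escape_filter_value(uid)


def user_dn(uid, base="ou=people,dc=hp,dc=com"):
    """DN of a user entry under the base the ldapdelete example uses."""
    return "uid=%s,%s" % (escape_dn_value(uid), base)


def ldapsearch_argv(uid, host="ldaphosta", base="dc=example,dc=hp,dc=com"):
    """Argument list for subprocess.run(argv) with no shell, so the filter is a
    single argument however it is spelled. The -D/-w bind options are not built
    here on purpose: a password in argv is visible to every local user via ps."""
    return [LDAPUX_BIN + "/ldapsearch", "-b", base, "-s", "sub", "-h", host, uid_filter(uid)]


def ldapdelete_argv(uid, host="ldaphosta"):
    """Argument list for deleting one user entry, with the DN value escaped."""
    return [LDAPUX_BIN + "/ldapdelete", "-h", host, user_dn(uid)]


if __name__ == "__main__":
    # Constructed hostile inputs: a filter wildcard and a DN comma.
    print(ldapsearch_argv("*")[-1])            # (uid=\2a), not a match-all filter
    print(ldapdelete_argv("john,ou=admins")[-1])  # comma escaped, one entry addressed
```

The same escaping applies when a search filter is written to a file for the -f option, and to any other value interpolated into a DN, for example the container passed to net user ADD with -c.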
Glossary

A

ACL
    Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support and different file systems define different access rights. For example, DOS has only one set of rights for a file (since only one user is considered to use a DOS system). A POSIX 6-compliant file system allows multiple rights to be assigned to multiple files and directories for multiple users and multiple groups of users.
ASP
    Application service provider, an e-business that essentially "rents" applications to users.
Authentication
    Scheme to ensure that a user who is accessing file data is indeed the intended user. A secure networked file system uses authentication to prevent access by someone pretending to be the intended user.
Authorization
    Ensures that a user has access only to file system data that the user has the right to access. Just because a user is authenticated does not mean he or she should be able to read or modify any file. In the simplest form of authorization, users are given read or modify permissions to individual files and directories in a file system, through the use of access control information (called an Access Control List, or ACL).

C

CIFS
    Common Internet File System, a specification for a file access protocol designed for the Internet.
Credential
    A piece of information that identifies a user. A credential may be as simple as a number that is uniquely associated with a user (like a social security number), or it may be complicated and contain additional identifying information. A strong credential contains proof, sometimes called a verifier, that the user of the credential is indeed the actual user the credential identifies.
HP CIFS
    Hewlett-Packard's implementation of CIFS for UNIX. HP CIFS provides both server and client modules for both HP 9000 servers and workstations.

D

Diffie-Hellman
    A protocol used to securely share a secret key between two users. The Diffie-Hellman protocol uses a form of public key exchange to share the secret key. Diffie-Hellman is known to be susceptible to an interceptor's attack, but authenticated Diffie-Hellman Key Agreement, a later enhancement, prevents such a middle-person attack.

E

Encryption
    Encryption ensures that data is viewable only by those who possess a secret (or private) key. Encrypted data is meaningless unless the secret key is used to decrypt the data. Encryption and decryption of data is called ciphering.

I

Integrity
    Integrity ensures that file system data is not modified by an intruder. An intruder cannot intercept a file system data packet and modify it without the network file system discovering and rejecting the tampering.

K

Kerberos
    An authentication and authorization security system developed by MIT and the IETF working group. It is based on secret key technology, and is generally easier to manage than a public key infrastructure because of its centralized design. However, Kerberos is not as scalable as a public key infrastructure.

P

Public Key
    An encryption method by which two users exchange data securely, but in one direction only. A user who has a private key creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data.
Public Key Infrastructure
    Method of managing public key encryption. Although public key technology has the advantage of never exchanging decryption keys, it has the disadvantage of being difficult to manage. Some issues include distribution of public keys with proof of the key's ownership, and revocation of expired or terminated keys.

S

Samba
    An open source product that first appeared in the mid-1990s. Samba provides NT file and print server capability for UNIX systems, including most of the capabilities of Advanced Server for UNIX, with the exception of the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) synchronization protocols. Although Samba is widely used, vendor support for it is not generally available.
Secret Key
    Secret key, also known as symmetric-key or shared-key, encryption is a ciphering technique by which two users exchange data by encrypting and decrypting data with a shared secret key. Data is both encrypted and decrypted with the same key. The secret key must be exchanged securely (such as through the "cones of silence") since anyone knowing the secret key can decrypt the data.
SMB
    Server Message Block, the file-sharing protocol at the heart of Windows networking. SMB is shared by Windows NT, Windows 95, Windows for Workgroups, and OS/2 LAN Manager. CIFS is essentially a renaming of this protocol.
Index

Symbols
/etc/nsswitch.conf, 88, 133
/etc/nsswitch.ldap, 88
/etc/pam.conf, 133

A
Access Control Lists, 35
    VxFS, 35
ACLs. See Access Control Lists, 35
adding ACE entries, 39

B
boot, 85

C
Change Notify, 33
CIFS protocol, 13
Common Internet File System. See CIFS, 13
configuration
    client, 85
    directory, 84
    quick, 86
    subsequent clients, 91, 95
    summary, 84
configuring
    kernel parameters for CIFS/9000, 160
    overview, 20

D
directory configuration, 84
    white paper, 84
documentation
    file and directory information, 17
    HP CIFS Server, 15
    most recent, 19
    roadmap

H
HP CIFS
    description, 13
    documentation, 19
    introduction, 13
HP CIFS Server
    documentation, 15
    documentation roadmap, 15
    file and directory information, 17
    memory and disc requirements, 19
    process model, 154
    requirements and limitations, 19, 84, 154
    starting, 31

I
installation, 85
    summary, 84
installing
    overview, 20

K
kernel configuration parameters
    configuring, 160
    description, 160

L
ldapdelete program, 174
ldapmodify program, 173
ldapsearch program, 173

M
maxusers, 160

N
name service, 88
NativeLdapClient subproduct, 85
nproc, 160
NSS, 88
NT file permission translations, 36

O
obtaining CIFS/9000 software, 19
overview
    configuring, 20
    installing, 20

P
performance tuning, 33
pre-defined permissions, 37
pre-installed software, 19
Profile TTL, 88, 108, 138

Q
quick configuration, 86

R
reboot, 85

S
Samba
    server name list, 41
    requirements and limitations, 19, 84, 154
Server Message Block, 13
setting new ACLs, 39
setup program, 86, 132
startsmb, 31
subproduct, NativeLdapClient, 85
swap space requirements
swinstall, 85

T
tools
    ldapdelete, 174
    ldapmodify, 173
    ldapsearch, 173
TTL, profile, 88, 108, 138

U
UNIX
    file owner, 35
    other permission, 35
    owning group, 35
    permissions, 35

V
VxFS POSIX ACL File Permission Superset, 38

W
white paper, directory configuration, 84
Windows
    ACLs, 35
    directory translations
SysPatrol - Server Security Monitor
SysPatrol Server Security Monitor User Manual Version 2.2 Sep 2013 www.flexense.com www.syspatrol.com 1 Product Overview SysPatrol is a server security monitoring solution allowing one to monitor one or
SAMBA VI: As a Domain Controller
Page 1 of 8 DocIndex Search Main - DocIndex - Connectivity SAMBA VI: As a Domain Controller Running A Linux Primary Domain Controller Joining Windows Machines To The Domain Making Your Life Easier Going
Attunity RepliWeb PAM Configuration Guide
Attunity RepliWeb PAM Configuration Guide Software Version 5.2 For Linux and UNIX operating systems June 28, 2012 RepliWeb, Inc., 6441 Lyons Road, Coconut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954)
HP AppPulse Active. Software Version: 2.2. Real Device Monitoring For AppPulse Active
HP AppPulse Active Software Version: 2.2 For AppPulse Active Document Release Date: February 2015 Software Release Date: November 2014 Legal Notices Warranty The only warranties for HP products and services
HP StorageWorks XP Performance Advisor Software Installation Guide
HP StorageWorks XP Performance Advisor Software Installation Guide This guide describes how to install and configure HP StorageWorks XP Performance Advisor Software (XP Performance Advisor). This guide
Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory
Configuring HP Integrated Lights-Out 3 with Microsoft Active Directory HOWTO, 2 nd edition Introduction... 2 Integration using the Lights-Out Migration Utility... 2 Integration using the ilo web interface...
HP Device Manager 4.6
Technical white paper HP Device Manager 4.6 FTP Server Configuration Table of contents Overview... 2 IIS FTP server configuration... 2 Installing FTP v7.5 for IIS... 2 Creating an FTP site with basic authentication...
HP Device Manager 4.7
Technical white paper HP Device Manager 4.7 LDAP Troubleshooting Guide Table of contents Introduction... 2 HPDM LDAP-related context and background... 2 LDAP in HPDM... 2 Full domain account name login...
Using Microsoft Active Directory (AD) with HA3969U in Windows Server
Using Microsoft Active Directory (AD) with HA3969U in Windows Server Application Note Abstract This application note describes how to use Microsoft Active Directory (AD) service with HA3969U systems in
Print Administrator Resource Kit Release Notes
Print Administrator Resource Kit Release Notes The HP Print Administrator Resource Kit (PARK) is a collection of tools, scripts and documentation to help print administrators install, deploy, configure
Plug-In for Informatica Guide
HP Vertica Analytic Database Software Version: 7.0.x Document Release Date: 2/20/2015 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements
TOSHIBA GA-1310. Printing from Windows
TOSHIBA GA-1310 Printing from Windows 2009 Electronics for Imaging, Inc. The information in this publication is covered under Legal Notices for this product. 45081979 04 February 2009 CONTENTS 3 CONTENTS
Wharf T&T Cloud Backup Service User & Installation Guide
Wharf T&T Cloud Backup Service User & Installation Guide Version 1.6 Feb 2013 Table of contents BEFORE YOU INSTALL 3 Page Section 1. Installation of Client Software 5 Section 2. Account Activation 8 Section
Core Protection for Virtual Machines 1
Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this
HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Application Setup help topics for printing
HP Service Manager Software Version: 9.40 For the supported Windows and Linux operating systems Application Setup help topics for printing Document Release Date: December 2014 Software Release Date: December
NovaBACKUP xsp Version 15.0 Upgrade Guide
NovaBACKUP xsp Version 15.0 Upgrade Guide NovaStor / November 2013 2013 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject
Novell ZENworks 10 Configuration Management SP3
AUTHORIZED DOCUMENTATION Software Distribution Reference Novell ZENworks 10 Configuration Management SP3 10.3 November 17, 2011 www.novell.com Legal Notices Novell, Inc., makes no representations or warranties
Quick Start to Evaluating. HP t5630w, HP t5730w, HP gt7720
Get your thin client Get your running thin client running Right out Right out of of the box the box Quick Start to Evaluating HP Windows Embedded Standard Thin Clients HP t5630w, HP t5730w, HP gt7720 Get
SAMBA SERVER (PDC) Samba is comprised of a suite of RPMs that come on the RHEL/Fedora CDs. The files are named:
SAMBA SERVER (PDC) INTRODUCTION Samba is a suite of utilities that allows your Linux box to share files and other resources, such as printers, with Windows boxes. This lesson describes how you can make
# Windows Internet Name Serving Support Section: # WINS Support - Tells the NMBD component of Samba to enable its WINS Server ; wins support = no
Sample configuration file for the Samba suite for Debian GNU/Linux. This is the main Samba configuration file. You should read the smb.conf(5) manual page in order to understand the options listed here.
Virtual CD v10. Network Management Server Manual. H+H Software GmbH
Virtual CD v10 Network Management Server Manual H+H Software GmbH Table of Contents Table of Contents Introduction 1 Legal Notices... 2 What Virtual CD NMS can do for you... 3 New Features in Virtual
Directory-enabled Lights-Out Management
Directory-enabled Lights-Out Management white paper Abstract... 2 Remote management products... 2 Business needs... 3 Customer environment... 3 Benefits... 3 Directory architecture... 4 Overview... 4 Objects...
HP-UX Role-Based Access Control B.11.31.04 Release Notes
HP-UX Role-Based Access Control B.11.31.04 Release Notes HP Part Number: 5992-0628 Published: June 2007 Edition: E028 Copyright 2001 2007 Hewlett-Packard Development Company L.P. Confidential computer
Network operating systems typically are used to run computers that act as servers. They provide the capabilities required for network operation.
NETWORK OPERATING SYSTEM Introduction Network operating systems typically are used to run computers that act as servers. They provide the capabilities required for network operation. Network operating
Sage 100 ERP. Installation and System Administrator s Guide
Sage 100 ERP Installation and System Administrator s Guide This is a publication of Sage Software, Inc. Version 2014 Copyright 2013 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the
Guidelines for using Microsoft System Center Virtual Machine Manager with HP StorageWorks Storage Mirroring
HP StorageWorks Guidelines for using Microsoft System Center Virtual Machine Manager with HP StorageWorks Storage Mirroring Application Note doc-number Part number: T2558-96337 First edition: June 2009
Ajera 7 Installation Guide
Ajera 7 Installation Guide Ajera 7 Installation Guide NOTICE This documentation and the Axium software programs may only be used in accordance with the accompanying Axium Software License and Services
Quick Start - NetApp File Archiver
Quick Start - NetApp File Archiver TABLE OF CONTENTS OVERVIEW SYSTEM REQUIREMENTS GETTING STARTED Upgrade Configuration Archive Recover Page 1 of 14 Overview - NetApp File Archiver Agent TABLE OF CONTENTS
FEATURE COMPARISON BETWEEN WINDOWS SERVER UPDATE SERVICES AND SHAVLIK HFNETCHKPRO
FEATURE COMPARISON BETWEEN WINDOWS SERVER UPDATE SERVICES AND SHAVLIK HFNETCHKPRO Copyright 2005 Shavlik Technologies. All rights reserved. No part of this document may be reproduced or retransmitted in
HP LeftHand SAN Solutions
HP LeftHand SAN Solutions Support Document Application Notes Backup Exec 11D VSS Snapshots and Transportable Offhost Backup Legal Notices Warranty The only warranties for HP products and services are set
VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide
VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide N109548 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software Corporation makes
Enabling Backups for Windows and MAC OS X
Enabling Backups for Windows and MAC OS X TM Trademarks and Copyrights Copyright Storix, Inc. 1999-2005 Storix is a registered trademark of Storix, Inc. SBAdmin is a trademark of Storix, Inc in the USA
HP Compaq dc7800p Business PC with Intel vpro Processor Technology and Virtual Appliances
HP Compaq dc7800p Business PC with Intel vpro Processor Technology and Virtual Appliances Introduction............................................................ 2 What is Virtualization?....................................................2
CA Nimsoft Monitor Snap
CA Nimsoft Monitor Snap Configuration Guide for IIS Server Monitoring iis v1.5 series Legal Notices This online help system (the "System") is for your informational purposes only and is subject to change
CA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08
Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL Installation and System Administrator's Guide 4MASIN450-08 2011 Sage Software, Inc. All rights reserved. Sage, the Sage logos and the Sage product
HP Operations Orchestration Software
HP Operations Orchestration Software Software Version: 9.00 Microsoft Hyper-V Integration Guide Document Release Date: June 2010 Software Release Date: June 2010 Legal Notices Warranty The only warranties
EMC Data Domain Management Center
EMC Data Domain Management Center Version 1.1 Initial Configuration Guide 302-000-071 REV 04 Copyright 2012-2015 EMC Corporation. All rights reserved. Published in USA. Published June, 2015 EMC believes
Microsoft Dynamics GP Release
Microsoft Dynamics GP Release Workflow Installation and Upgrade Guide February 17, 2011 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is.
multiple placeholders bound to one definition, 158 page approval not match author/editor rights, 157 problems with, 156 troubleshooting, 156 158
Index A Active Directory Active Directory nested groups, 96 creating user accounts, 67 custom authentication, 66 group members cannot log on, 153 mapping certificates, 65 mapping user to Active Directory
Optimization in a Secure Windows Environment
WHITE PAPER Optimization in a Secure Windows Environment A guide to the preparation, configuration and troubleshooting of Riverbed Steelhead appliances for Signed SMB and Encrypted MAPI September 2013
HP-UX Event Monitoring Service (EMS) Hardware Monitors Release Notes
HP-UX Event Monitoring Service (EMS) Hardware Monitors Release Notes Version: B.11.23.15.03 for HP-UX 11i v2 HP Part Number:834958-001 Published: September 2015 Edition: 1 Legal Notices Copyright 2003,
Administration guide. Océ LF Systems. Connectivity information for Scan-to-File
Administration guide Océ LF Systems Connectivity information for Scan-to-File Copyright 2014, Océ All rights reserved. No part of this work may be reproduced, copied, adapted, or transmitted in any form
Samba in the Enterprise : Samba 3.0 and beyond
Samba in the Enterprise : Samba 3.0 and beyond By Jeremy Allison [email protected] [email protected] Where we are now : Samba 2.2 The current Samba is a credible replacement for a Windows server providing
