HP CIFS Server 2.2h Administrator's Guide version A.01.11


HP-UX 11.0, 11i version 1 and 2

Manufacturing Part Number : B8725-90061

E0204

U.S.A.

© Copyright 2004 Hewlett-Packard Company.

Legal Notices

The information in this document is subject to change without notice.

Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

HEWLETT-PACKARD COMPANY
3000 Hanover Street
Palo Alto, California 94304 U.S.A.

Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only.

HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license.

Copyright Notices. © Copyright 1983-2004 Hewlett-Packard Company, all rights reserved.

Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

Trademark Notices. UNIX is a registered trademark of The Open Group.


Contents

1. Introduction to the HP CIFS Server
Preface . . . . 3
Introduction to HP CIFS . . . . 4
    What is the CIFS Protocol? . . . . 4
The Open Source Software (OSS) Samba Suite . . . . 6
    Open Source Software . . . . 6
    Samba Server Description and Features . . . . 6
    Samba Documentation: Printed and Online . . . . 7
HP CIFS Enhancements to the Samba Server Source . . . . 9
    Access Control List (ACL) Mapping Features (version A.01.07) . . . . 9
    Access Control List (ACL) Mapping Features (version A.01.08) . . . . 10
    NT Printing Support (version A.01.08) . . . . 10
    Distributed File System (DFS) Server Functionality (version A.01.08) . . . . 11
    Primary Domain Controller (PDC) Functionality (version A.01.08) . . . . 11
HP CIFS Server Documentation: Printed and Online . . . . 14
    Documentation Availability by Topic . . . . 14
    HP CIFS Basics . . . . 14
    HP CIFS Documentation Roadmap . . . . 17
    HP CIFS Server File and Directory Information . . . . 20

2. Installing and Configuring the HP CIFS Server
HP CIFS Server Requirements and Limitations . . . . 25
    HP-UX 11.0 Memory and Disc Requirements . . . . 25
    HP CIFS Server Installation Requirements . . . . 26
    HP CIFS Server Memory and Disc Requirements . . . . 26
Step 1: Installing HP CIFS Server Software . . . . 27
Step 2: Running the Configuration Script . . . . 29
Step 3: Modify the Configuration . . . . 32
    Configure ACL Support (for version A.01.07) . . . . 32
    Configure ACL Support (for version A.01.08) . . . . 33
    Configure Case Sensitivity . . . . 33
    Configure DOS Attribute Mapping . . . . 34
    Configuring Print Services for HP CIFS Version A.01.07 . . . . 34
    Configuring Print Services for HP CIFS Version A.01.08 . . . . 37
    Setting Up Distributed File System (DFS) Support . . . . 40
    MC/ServiceGuard High Availability Support . . . . 43
    Configure for German Character Support . . . . 43
    Configure for Japanese Character Support . . . . 43
Step 4: Starting the HP CIFS Server . . . . 44
    Automatically Starting the HP CIFS Server . . . . 44
Other Samba Configuration Issues . . . . 45
    Translate Open-Mode Locks into HP-UX Advisory Locks . . . . 45
    Performance Tuning using Change Notify . . . . 45
Internationalization . . . . 47
    European Character Support . . . . 47
    Japanese Character Support . . . . 47

3. Managing HP-UX File Access Permissions from Windows NT/XP/2000
Introduction . . . . 50
UNIX File Permissions and POSIX ACLs . . . . 51
    Viewing UNIX Permissions From Windows NT . . . . 51
    The VxFS POSIX ACL File Permissions . . . . 56
Using the NT Explorer GUI to Create ACLs . . . . 58
POSIX ACLs and Windows 2000/XP Clients . . . . 63
    Viewing UNIX Permissions from Windows 2000/XP Clients . . . . 63
    Setting Permissions from Windows 2000/XP Clients . . . . 65
    Viewing ACLs from Windows 2000 Clients . . . . 66
    Displaying the Owner of a File . . . . 67
HP CIFS Server Directory ACLs and Windows 2000/XP Clients . . . . 68
    Directory ACL Types . . . . 68
    Viewing ACLs from Windows 2000 Clients . . . . 68
    Mapping Windows 2000/XP Directory Inheritance Values to POSIX . . . . 70
    Modifying Directory ACLs From Windows 2000/XP Clients . . . . 71
    Adding Directory ACLs From Windows 2000/XP Clients . . . . 77
    POSIX Default Owner and Owning Group ACLs . . . . 78
    POSIX ACEs with zero permissions . . . . 79
Configuring Samba ACL Support . . . . 80
    For HP CIFS Version A.01.07 . . . . 80
    For HP CIFS Version A.01.08 . . . . 82
In Conclusion . . . . 83

4. Primary Domain Controller (PDC) Support
Introduction . . . . 86
    Advantages of the Domain Model . . . . 86
    Primary Domain Controllers . . . . 87
    Domain Members . . . . 87
Create the Machine Trust Accounts . . . . 89
Configure Domain Users . . . . 92
Configure the HP CIFS Server as a PDC . . . . 93
    Configuration Options . . . . 93
Join a Windows Client to a Samba Domain . . . . 95
Roaming Profiles . . . . 99
    Configuring Roaming Profiles . . . . 99
Configuring User Logon Scripts . . . . 100
    Running Logon Scripts When Logging On . . . . 100
Home Drive Mapping Support . . . . 101

5. Domain Member Server Support
Join a HP CIFS Server to a Windows NT, Windows 2000 or Samba Domain . . . . 104
    Step-by-step Procedure . . . . 104

6. LDAP Integration Support
Overview . . . . 109
    HP CIFS Advantages . . . . 110
Network Environments . . . . 111
    Domain Model Networks . . . . 111
    Workgroup Model Networks . . . . 112
    UNIX User Authentication - /etc/passwd, NIS Migration . . . . 112
    The CIFS Authentication with LDAP Integration . . . . 113
Summary of Installing and Configuring . . . . 115
Installing and Configuring Your Netscape Directory Server . . . . 116
    Installing the Netscape Directory Server . . . . 116
    Configuring the Netscape Directory Server . . . . 116
    Verifying the Netscape Directory Server . . . . 117
Installing LDAP-UX Client Services on an HP CIFS Server . . . . 118
Configuring the LDAP-UX Client Services . . . . 119
    Quick Configuration . . . . 120
Migrating Your Data to the Netscape Directory . . . . 124
    Migrating All Your Files . . . . 124
    Migrating Individual Files . . . . 126
Extending Samba Subschema into Your Directory Server . . . . 129
Configuring the HP CIFS Server . . . . 131
    LDAP Configuration Parameters . . . . 131
    The smbpasswd Program Parameter . . . . 132
    Configuring LDAP Feature Support . . . . 132
Installing Your Samba Users in the Directory . . . . 134
    Adding Credentials . . . . 134
    Importing Samba Users . . . . 134
    Verifying Samba Users . . . . 135
LDAP Management Tools . . . . 137
    Samba LDAP Tools . . . . 137
    The smbpasswd Tool . . . . 146
Limitations with the LDAP Feature Support . . . . 147

7. Configuring HA HP CIFS
Overview of HA HP CIFS Server Active-Standby . . . . 151
    Recommended Clients . . . . 151
Installing Prerequisites . . . . 152
Install the HA HP CIFS Server . . . . 153
Configure a Highly Available HP CIFS Server . . . . 155
    Move Data to the HP CIFS Share Volume . . . . 155
    Edit the samba.conf Configuration File . . . . 156
    Edit the samba.cntl Control Script . . . . 157
    Create the MC/ServiceGuard Binary Configuration File . . . . 159
Special Notes for HA HP CIFS Server . . . . 161
Overview of HA HP CIFS Server Active-Active . . . . 164
    Recommended Clients . . . . 164
    Installing Highly Available HP CIFS Server . . . . 165
    Configure a Highly Available HP CIFS Server . . . . 166
Special Notes for HA HP CIFS Server . . . . 178

8. HP-UX Configuration for HP CIFS
HP CIFS Process Model . . . . 183
Overview of Kernel Configuration Parameters . . . . 184
Configuring Kernel Parameters for HP CIFS . . . . 185
    Swap Space Requirements . . . . 186
    Memory Requirements . . . . 187

Glossary . . . . 189

Index . . . . 191

About This Document

This document describes how to install, configure, and administer the HP CIFS Server product. This document, as well as previously released documents, may be found on-line at http://www.docs.hp.com.

Intended Audience

This document is intended for users who are already familiar with the HP CIFS Server product. For additional information about the HP CIFS Server, please refer to other HP CIFS Server documentation on-line at http://www.docs.hp.com.

New and Changed Documentation in This Edition

This edition of the HP CIFS Server 2.2h version A.01.11 documentation adds the following new information:

• Support for enabling the LDAP feature with the HP CIFS Server

• Support for new configuration parameters in the smb.conf file to enable the LDAP feature

• Support for the Samba subschema, /opt/samba/LDAP/98samba.ldif, available for you to extend the Netscape Directory Server with the sambaAccount objectclass and attributes

• Support for LDAP management tools to maintain user and group accounts in the Netscape Directory Server

Typographical Conventions

Table 1 Documentation Conventions

Type of Information                                        Font       Examples
Representations of what appears on a display,              Monotype   > user logged in.
program/script code and command names or parameters.
Emphasis in text, actual document titles.                  Italics    Users should verify that the power is turned off before removing the board.
Headings and sub-headings.                                 Bold       Related Documents

Publishing History

Table 2 Publishing History Details

Document Manufacturing   Operating Systems     Supported Product   Publication
Part Number              Supported             Versions            Date
B8725-90021              11.0, 11.11, 11.22    A.01.08             March 2002
B8725-90053              11.0, 11.11, 11.23    A.01.10             September 2003
B8725-90061              11.0, 11.11, 11.23    A.01.11             February 2004

What Is in This Document

This manual describes how to install, configure, administer and use the HP CIFS Server product. The organization of this manual is as follows:

Table 3 Document Organization

Chapter: Introduction to the HP CIFS Server
Description: Use this chapter to learn about the HP CIFS Server and Samba, the open source software suite on which the HP CIFS Server is based.

Chapter: Installing and Configuring the HP CIFS Server
Description: Use this chapter to learn how to install and configure the HP CIFS Server product.

Chapter: Managing HP-UX File Access Permissions from Windows NT/XP/2000
Description: Use this chapter to understand how to use Windows NT, XP and 2000 clients to view and change UNIX file permissions and POSIX Access Control Lists on a HP CIFS Server.

Chapter: Primary Domain Controller (PDC) Support
Description: Use this chapter to learn how to set up and configure the HP CIFS Server as a PDC.

Chapter: Domain Member Server Support
Description: Use this chapter to understand the process for joining a HP CIFS Server to a Windows NT or Samba domain.

Chapter: LDAP Integration Support
Description: Use this chapter to learn how to install, configure and verify the HP Netscape Directory, the HP LDAP-UX Integration product and the HP CIFS Server software with LDAP feature support.

Chapter: Configuring HA HP CIFS
Description: Use this chapter to understand the procedures required to configure the active-standby or active-active High Availability configuration.

Chapter: HP-UX Configuration for HP CIFS
Description: Use this chapter to learn the HP-UX tuning procedures for the HP CIFS Server.

Chapter: GNU GPL License
Description: Use this chapter to learn the GNU General Public License.

HP Welcomes Your Comments

HP welcomes your comments and suggestions on this document. We are truly committed to providing documentation that meets your needs. You can send comments to: [email protected]

Please include the following information along with your comments:

• The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual.

• The section numbers and page numbers of the information on which you are commenting.

• The version of HP-UX that you are using.

1 Introduction to the HP CIFS Server

This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS.


Preface

The information in this manual is intended for network managers or network security administrators who install and administer the HP CIFS server.

This manual describes how to install, configure, and troubleshoot the HP CIFS software product on HP 9000 systems.

The manual is organized as follows:

Chapter 1 “Introduction to the HP CIFS Server” describes the Open Source Software (OSS) Samba Suite, upon which HP CIFS is based, and HP’s CIFS Enhancements to the Samba Server Source.

Chapter 2 “Installing and Configuring the HP CIFS Server” describes how to install, configure and verify the HP CIFS server software.

Chapter 3 “Managing HP-UX File Access Permissions from Windows NT/2000” describes how to use Windows NT and 2000 Clients to view and change standard Unix file permissions and VxFS POSIX Access Control Lists (ACLs).

Chapter 4 “Primary Domain Controller (PDC) Support” describes how to set up and configure a HP CIFS Server as the Primary Domain Controller (PDC).

Chapter 5 “Domain Member Server Support” describes the process for joining a HP CIFS Server to a Windows NT domain.

Chapter 6 “Configuring HA HP CIFS” describes Active-Standby and Active-Active HA HP CIFS configurations.

Chapter 7 “HP-UX Configuration for HP CIFS” includes information about the HP CIFS process model, kernel configuration parameters, and kernel parameter configuration for HP CIFS.

Chapter 8 “GNU GPL License” contains a copy of the GPL license.


Introduction to HP CIFS

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX.

The current HP CIFS Server (version A.01.08) is based on the well-established open-source software Samba, version 2.2.3a, and provides file and print services to CIFS clients including Windows NT, XP, 2000 and HP-UX machines running HP CIFS Client software.

The HP CIFS Client enables HP-UX users to mount shares from CIFS file servers, including Windows servers and HP-UX machines running HP CIFS Server, as UNIX file systems. The HP CIFS client also offers an optional Pluggable Authentication Module (PAM) that implements the Windows NTLM authentication protocols. When installed and configured within HP-UX’s PAM facility, PAM NTLM allows HP-UX users to be authenticated against a Windows authentication server.

What is the CIFS Protocol?

CIFS, or the Common Internet File System, is the Windows specification for remote file access.

CIFS had its beginnings in the networking protocols, sometimes called Server Message Block (SMB) protocols, that were developed in the late 1980's for PCs to share files over the then nascent Local Area Network technologies (e.g., Ethernet). SMB is the native file-sharing protocol in the Microsoft Windows 95, Windows NT, XP and OS/2 operating systems and the standard way that millions of PC users share files across corporate intranets.

CIFS is simply a renaming of SMB; CIFS and SMB are, for all practical purposes, one and the same. (Microsoft now emphasizes the use of “CIFS,” although references to “SMB” still occur.) CIFS is also widely available on UNIX, VMS(tm), Macintosh, and other platforms.


Despite its name, CIFS is not actually a file system unto itself. More accurately, CIFS is a remote file access protocol; it provides access to files on remote systems. It sits on top of and works with the file systems of its host systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.

HP CIFS speaks the CIFS protocol from HP-UX machines, which enables directories from HP-UX servers to be mounted on Windows machines and vice versa.


The Open Source Software (OSS) Samba Suite

The HP CIFS server source is based on Samba, an Open Source Software (OSS) project developed in 1991 by Andrew Tridgell in Australia. This section includes a very brief introduction to the Samba product. As there are many publications about Samba available online and in most bookstores, HP recommends that you use these source materials, some of which were written by Samba team members, for more detailed information about this product.

Open Source Software

Samba has been made available to HP and other users under the terms of the GNU Public License (GPL). This means that Samba is “free software”; free, that is, of any copyright restrictions. The goal of this type of software is to encourage the cooperative development of new software.

To learn about the GNU Public License, go to the following web site: http://www.fsf.org.

Samba Server Description and Features

With the Samba suite of programs, systems running UNIX and UNIX-like OSs are able to provide services using the Microsoft networking protocol. This capability makes it possible for DOS and Windows machines using native networking clients supplied by Microsoft to access a UNIX file system and/or printers.

As a user, you will see the UNIX file system as a drive letter or an icon in the “Network Neighborhood” and you will be able to open files from inside your Windows program as if they are stored on your local system.

To accomplish this, Samba implements the Server Message Block (SMB) networking protocol on top of NetBIOS over TCP/IP.

For a complete discussion of Samba and its protocols, refer to chapters 1 and 2 in Using Samba by Robert Eckstein, David Collier-Brown and Peter Kelly.

To access the Samba web site, go to http://www.samba.org.


Samba Documentation: Printed and Online

When using the HP CIFS product, HP recommends that you refer to Using Samba, by Robert Eckstein, David Collier-Brown and Peter Kelly, along with the supplemental HP CIFS product documentation available in the /opt/samba/docs directory shipped with the product. Using Samba is shipped with the HP CIFS Server and can be found in /opt/samba/swat/using_samba. Starting with this release, it will be available through SWAT.

IMPORTANT The book Using Samba describes a previous version of Samba (V.2.0.4). However, much of the information in Using Samba is applicable to this version of the CIFS Server. Readers should always use the HP-provided Samba man pages or the SWAT help facility for the most definitive information on the HP CIFS server.

Installing and Administering the HP CIFS Server will also be available on the http://www.docs.hp.com/hpux/communications web site.

A list of current non-HP Samba documentation is shown below.

• Using Samba, Robert Eckstein, David Collier-Brown and Peter Kelly. (O’Reilly, 2000), ISBN: 1-56592-449-5.

• Samba, Integrating UNIX and Windows by John D Blair (Specialized Systems Consultants, Inc., 1998), ISBN: 1-57831-006-7.

• Samba in 24 Hours by Carter, Gerald and Richard Sharpe. (SAMS, 1999), ISBN: 0-672-31609-9.

• Samba Administrator’s Handbook by Ed Brooksbank, George Haberberger, and Lisa Doyle. (M&T Books, 2000), ISBN: 0-7645-4636-8.

• Samba Black Book by Dominic Baines. (Coriolis, 2000), ISBN: 1-57610-455-9.

• Samba Web site: http://www.samba.org/samba/docs.


NOTE Please note that non-HP Samba documentation sometimes includes descriptions of features and functionality planned for future releases of Samba. The authors of these books do not always provide information indicating which features are in existing releases and which features will be available in future Samba releases.


HP CIFS Enhancements to the Samba Server Source

The HP CIFS server product consists of Samba source code which has been enhanced with a variety of functional enhancements. The sections that follow provide an overview of each of these enhancements. In some cases, separate sections of information are provided: one section for version A.01.07 of the server and another for version A.01.08. Be sure that you are reading the information appropriate for your version. The sections are:

• Access Control List (ACL) Mapping Features for version A.01.07

• Access Control List (ACL) Mapping Features for version A.01.08

• NT Printing Support (new for version A.01.08)

• Distributed File System (DFS) Server Functionality (new for version A.01.08)

• Primary Domain Controller (PDC) Functionality (new for version A.01.08).

Access Control List (ACL) Mapping Features (version A.01.07)

The HP CIFS server product consists of Samba source code which has been enhanced with ACL (Access Control List) mapping features. These mapping features allow you to change ACLs from an NT client. These features include:

• Improved access to UNIX permission data through the NT ACL graphical interface on NT clients.

• Access to VxFS POSIX ACLs through the NT ACL graphical interface on NT clients.

Samba supports the viewing and changing of UNIX file permissions and VxFS POSIX ACLs from Windows NT clients.

You can view and change UNIX file permissions through the standard Windows Explorer interface when accessing NT ACLs.


Refer to Chapter 2 in this document for detailed information about configuring ACL support.

Refer to Chapter 3 in this document for more detailed descriptions of UNIX file permissions and of VxFS POSIX ACLs.

In addition, HP CIFS works with CIFS UNIX extensions. For more information about CIFS UNIX extensions, refer to the Installing and Administering HP CIFS Client manual.

Access Control List (ACL) Mapping Features (version A.01.08)

HP enhancements to the HP CIFS Server for version A.01.08 include all those for the previous version (A.01.07 - see the previous section), plus the following:

• This version provides a share level variable called “nt acl support” which allows users to turn ACL support on or off, on a per-share basis. Previous versions (A.01.07 and earlier) used a parameter called “acl schemes” to configure ACL support. This is no longer used.

• Support for NT Access Control Lists (ACLs) on printer objects. See the next section.

Refer to Chapter 2 in this document for detailed information about configuring ACL support.

NT Printing Support (version A.01.08)

These enhancements are new for version A.01.08. The HP CIFS Servernow provides the following NT printing functionality:

• Printer driver files may be downloaded to Windows NT, 2000 and XPclients that do not have them

• Printer driver files may be uploaded from a Client’s disk to a HPCIFS Server that does not have them. This is done using theWindows NT, XP or Windows 2000 Add Printer Wizard

For detailed information about configuring printer support, please referto Chapter 2 in this document.


Distributed File System (DFS) Server Functionality (version A.01.08)

These enhancements are new for version A.01.08. The HP CIFS Server now provides the following DFS functionality:

• An HP CIFS Server can act as a Distributed File System (DFS) server

• The Distributed File System (DFS) provides a way to separate the logical view of files and directories that users see from the actual physical locations of these network resources

• The DFS tree allows users to easily access any particular resource on the network server

• The HP CIFS DFS tree is accessible from the following types of DFS-aware clients: Windows NT, Windows XP and Windows 2000

• A DFS root directory can host DFS links in the form of symbolic links which point to other servers

For detailed information about setting up DFS support, refer to Chapter 2 in this document.

Primary Domain Controller (PDC) Functionality (version A.01.08)

These enhancements are new for version A.01.08. Refer to Chapters 4 and 5 in this document for detailed information about setting up and configuring a PDC. The HP CIFS Server now provides the following PDC functionality:

• Continued support for joining a Samba server to a Windows NT domain as a member server

• The ability to act as a Primary Domain Controller (PDC) for Windows clients, including Windows NT, XP and 2000

• Support for the domain logon feature for Windows NT 4.0 SP3+, Windows XP and Windows 2000 clients

• Support for Windows NT group and username mapping


• Support for Windows NT logon scripts

• Viewing resources on a Samba PDC using Microsoft’s “Server manager for Domain” tool

• Support for local and roaming profiles

• Support for a specified logon home share on a Samba server

Exceptions:

Version A.01.08 of the HP CIFS Server does not support Security Accounts Manager (SAM) databases (containing NT user account information), nor does it provide any Backup Domain Controller (BDC) features, and it will not support BDCs in a domain in which it is serving as a PDC.

Advantages of the Domain Model

The Windows NT domain model provides a number of advantages:

• Windows NT administrators may group workstations and servers under the authority of a domain controller

• Domain member servers may be centrally administered by using domains to group related machines

• The domain controller can be a central machine which performs all user logons and authentication

Primary Domain Controllers

The Primary Domain Controller (PDC) is responsible for several tasks within the domain. These include:

• Authenticating user logons for users and workstations that are members of the domain

• Acting as a centralized point for managing user account and group information for the domain

• Allowing a user logged on as the domain administrator to add, remove or modify account information on any machine that is part of the domain


Domain Members

• A domain member server can be a Windows NT Server, a Windows NT workstation, a Windows 2000 or XP machine or an HP CIFS machine

• Users on a domain member machine can access network resources within the domain. Some examples of these resources are file and printer shares and application servers

• Domain member servers do not participate in authenticating user logons


HP CIFS Server Documentation: Printed and Online

The full set of HP CIFS server documentation consists of one non-HP book available at most technical bookstores, and this printed and online HP CIFS server manual.

The HP manual is Installing and Administering the HP CIFS Server.

The non-HP book is Using Samba, Robert Eckstein, David Collier-Brown and Peter Kelly (O’Reilly, 2000), ISBN: 1-56592-449-5.

NOTE Please note that non-HP Samba documentation sometimes includes descriptions of features and functionality planned for future releases of Samba. The authors of these books do not always indicate which features are in existing releases and which features will be available in future Samba releases.

Use the HP-provided Samba man pages or the SWAT help facility for the most definitive information on the HP CIFS server.

Documentation Availability by Topic

This section includes brief descriptions of major Samba topics.

HP CIFS Basics

The HP CIFS Basics section includes information about the location of files on the server, installing HP CIFS, configuring HP CIFS, and starting and stopping HP CIFS.

Location of Files on the Server

The default location of HP CIFS is /opt/samba. In this case, the following directories should exist in the Samba directory: bin/, docs/, script/, examples/, HA/, man/, and swat/. Refer to the complete listing of HP CIFS Server files and directories in the Overview section in chapter 2.


The HP CIFS configuration files are in /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba.

For more information about HP CIFS files and directories, refer to chapter 2 of this manual.

Installing HP CIFS

The HP CIFS Server product is installed using the swinstall utility. The steps to install this product are documented in chapter 2 of this manual.

Configuring HP CIFS

All the information needed to run the HP CIFS configuration script is provided in chapter 2 of this manual.

There are also other configuration options that you may want to include. These options include global configuration options, service configuration options, and browser configuration options.

For more detailed information about these options, refer to “Chapter 4, Disk Shares,” “Chapter 5, Browsing and Advanced Disk Shares,” and “Chapter 7, Printing and Name Resolution” in Using Samba.

Starting and Stopping HP CIFS

Use the following commands to start and stop HP CIFS:

/opt/samba/bin/startsmb

/opt/samba/bin/stopsmb

These commands are described in chapter 2 in this manual.

Other HP CIFS Topics

The Other HP CIFS Topics section includes information about HP CIFS scripts, adding and removing printers, utilities, the SWAT configuration tool, a browser description, troubleshooting, and NIS and HP CIFS.

HP CIFS Scripts

In Using Samba, check Appendix D, “Summary of Samba Daemons and Commands,” for detailed information about the command-line parameters for Samba programs such as smbd, nmbd, smbstatus and smbclient. There is also information about user scripts in Chapters 4 and 5.


Setting Up Printers

For an explanation of how printing takes place on an HP CIFS server, print commands, printing variables, and a minimal printing setup, refer to chapter 7, “Printing and Name Resolution” in Using Samba. This chapter also contains more in-depth information about Samba printing options and printing to Windows client printers.

SWAT Configuration Tool

The Samba Web Administration Tool (SWAT) is a GUI which you can use to set up or change your Samba configuration in the smb.conf file. You can change information in the following areas: globals, shares, printers, status, view (smb.conf), and password.

For information about SWAT, refer to chapter 1 of Using Samba.

Browsing

Browsing gives you the ability to view the servers and shares on your network. Samba provides over fourteen different browsing options. HP, however, recommends that you start with the default values.

Refer to “Chapter 5, Browsing and Advanced Disk Shares” in Using Samba for a description of all browsing options.

Troubleshooting

In “Chapter 9, Troubleshooting Samba” of Using Samba, you will find a description of the Samba tool bag. It includes a list of tools to be used when troubleshooting Samba. These tools include Samba log files and Unix utilities such as trace and tcpdump. It also includes a fault tree to fix problems that occur during Samba installation or reconfiguration.

There are also several excellent tools that are very useful for troubleshooting on HP systems. For example, nettl and netfmt are used for tracing activity specifically on HP-UX systems. Microsoft’s NetMon has become a widely used tool on Windows 2000 servers.

NIS and HP CIFS

HP CIFS now works with NIS and NIS+. For detailed information on special options, refer to chapters 2 and 6 in Using Samba.


HP CIFS Documentation Roadmap

Use the following road map to locate the Samba and HP CIFS documentation that you need.

Table 1-1 HP CIFS Documentation Roadmap

Columns: HP CIFS Product; Document Title: Chapter: Section

Server Description:
  Installing and Administering the HP CIFS Server: Chapter 1, “Introduction to the HP CIFS Server”
  Samba Meta FAQ No. 2, “General Information about Samba”
  Samba FAQ No. 1, “General Information”
  Samba Server FAQ: No. 1, “What is Samba”
  Using Samba: Chapter 1, “Learning the Samba”
  Samba Man Page: samba(7)

Client Description:
  Installing and Administering the HP CIFS Client: Chapter 1, “Introduction to the HP CIFS Client”

HP Add-on Features:
  Installing and Administering the HP CIFS Server: Chapter 1, “Introduction to the HP CIFS Server,” Section: “HP CIFS Enhancements to the Samba Server Source” and Chapter 3, “Access Control Lists (ACLs).”
  Installing and Administering the HP CIFS Client: Chapter 1, “Introduction to the HP CIFS Client,” Sections: “HP CIFS Extensions” and “ACL Mappings.”

Server Installation:
  Installing and Administering the HP CIFS Server: Chapter 2, “Installing and Configuring the HP CIFS Server”
  Samba FAQ: No. 2, “Compiling and Installing Samba on a UNIX Host.”

Client Installation:
  Installing and Administering the HP CIFS Client: Chapter 2, “Installing and Configuring the HP CIFS Client”

Samba GUI Administration Tools:
  Using Samba: Chapter 2, “Installing Samba on a Unix System”

Server Configuration:
  Installing and Administering the HP CIFS Server: Chapter 2, “Installing and Configuring the HP CIFS Server”

Client Configuration:
  Installing and Administering the HP CIFS Client: Chapter 2, “Installing and Configuring the HP CIFS Client”

Configuration: PAM:
  Installing and Administering the HP CIFS Client: Chapter 6, “Authentication”
  HP-UX Man page: pam(3)
  HP-UX Man page: pam.conf

Server: Starting & Stopping:
  Installing and Administering the HP CIFS Server, Chapter 2

Client: Starting & Stopping:
  Installing and Administering the HP CIFS Client, Chapter 2

Server: Samba Scripts:
  Using Samba: Appendix D, “Summary of Samba Daemons and Commands”

SMB & CIFS File Protocols:
  Samba Meta FAQ No. 3, “About the SMB and CIFS Protocols”

SMB & CIFS Network Design:
  Using Samba: Chapter 1, “Learning the Samba”
  Samba Meta FAQ No. 4, “Designing an SMB and CIFS Network”

Samba Man Pages:
  http://us1.samba.org/samba/docs
  Samba Meta FAQ No. 1, “Quick Reference Guide to Samba Documentation”

Server Utilities:
  Using Samba: Appendix D, “Summary of Samba Daemons and Commands”

Client Utilities:
  Installing and Administering the HP CIFS Client: Chapter 4, “HP CIFS Client Utilities”

Server Printing:
  Using Samba: Chapter 7, “Printing and Name Resolution”

Server Browsing:
  Using Samba: Chapter 5, “Browsing and Advanced Disk Shares”

Server Security:
  Using Samba: Chapter 6, “Users, Security and Domains”

Server Troubleshooting:
  Installing and Administering the HP CIFS Server: Chapter 3, “Troubleshooting the HP CIFS Client”
  Using Samba: Chapter 9, “Troubleshooting Samba”
  Samba FAQs No. 4, “Specific Client Application Problems” and No. 5, “Miscellaneous”
  DIAGNOSIS.txt in the /opt/samba/docs directory
  Samba Man pages: debug2html(1), smbd(8), nmbd(8), smb.conf(5)

Client Troubleshooting:
  Installing and Administering the HP CIFS Client: Chapter 3, “Troubleshooting the HP CIFS Client”

HP CIFS Server File and Directory Information

This section briefly describes the important directories and files that comprise the CIFS Server.

Table 1-2 HP CIFS Server Files and Directories

Columns: File/Directory; Description

/opt/samba
  This is the base directory for most of the HP CIFS Server.

/opt/samba_src
  This is the directory that contains the source code for the HP CIFS Server (if the source bundle was installed).

/opt/samba/bin
  This is the directory that contains the binaries for HP CIFS Server, including the daemons and utilities.

/opt/samba/docs
  This is the directory that contains documentation in various formats including html (htmldocs) and text (textdocs).

/opt/samba/examples
  This directory contains example smb.conf files, example scripts and other utilities, among other things.

/opt/samba/man
  This directory contains the man pages for HP CIFS Server.

/opt/samba/script
  This directory contains various scripts which are utilities for the HP CIFS Server.

/opt/samba/swat
  This directory contains html and image files which the Samba Web Administration Tool (SWAT) needs.

/opt/samba/HA
  This directory contains example High Availability scripts, configuration files, and README files.

/var/opt/samba
  This directory contains the HP CIFS Server log files as well as other dynamic files that the HP CIFS Server uses, such as lock files.

/etc/opt/samba
  This directory contains configuration files which the HP CIFS Server uses, primarily the smb.conf file.

/etc/opt/samba/smb.conf
  This is the main configuration file for the HP CIFS Server, which is discussed in great detail elsewhere.

/etc/opt/samba/smb.conf.default
  This is the default smb.conf file that ships with the HP CIFS server. This can be modified to fit your needs.

/opt/samba/COPYING, /opt/samba_src/COPYING, /opt/samba_src/samba/COPYING
  These are copies of the GNU Public License which applies to the HP CIFS Server.

/sbin/init.d/samba
  This is the script that starts HP CIFS Server at boot time and stops it at shutdown (if it is configured to do so).

/etc/rc.config.d/samba
  This text file configures whether the HP CIFS server starts automatically at boot time or not.

/sbin/rc2.d/S900samba, /sbin/rc1.d/K100samba
  These are links to /sbin/init.d/samba which are actually executed at boot time and shutdown time to start and stop the HP CIFS Server (if it is configured to do so).

2 Installing and Configuring the HP CIFS Server

This chapter describes the procedures to install and configure the HP CIFS Server software. It contains the following sections:

• HP CIFS Server Requirements and Limitations

• Step 1: Installing HP CIFS Server Software

• Step 2: Running the Configuration Script

• Step 3: Modify the Configuration

• Step 4: Starting the HP CIFS Server

NOTE If the HP CIFS Server software has been pre-installed on your system, you may skip Step 1 above and go directly to “Step 2: Running the Configuration Script.”

NOTE You can download the most recent version of HP CIFS Server from the www.software.hp.com website.

NOTE You can find the most recent and most complete version of HP CIFS documentation on the www.docs.hp.com website.

HP CIFS Server Requirements and Limitations

Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations.

HP-UX 11.0 Memory and Disc Requirements

Although an 11.x 32-bit and 64-bit HP-UX system can boot with as little as 64MB RAM and 1GB of disc space, the performance of such a configuration would be prohibitive. The HP recommended minimums are as follows:

• 11.x 32-bit: 128MB RAM, 1-2GB disc

• 11.x 64-bit: 512MB RAM, 2-3GB disc

Updated HP CIFS Server Memory Requirements for versions A.01.05 and later

As of version A.01.05, the HP CIFS Server processes increased their base use of system memory by 20 percent. This represents an increase of approximately 100KB per smbd process over and above a base of 500KB. The increased memory footprint is the result of new caching mechanisms to improve performance.

In addition to the base memory increase, the smbd process may now also allocate memory for specialized caching requirements as needed. The size and timing of these memory allocations vary widely depending on the client type and the resources being accessed. A single smbd process may temporarily use up to 2.5MB of memory. However, most client access patterns will not trigger such specialized caching. System administrators should routinely monitor memory utilization in order to evaluate this new dynamic memory behavior.

You may need to adjust HP-UX server memory configurations to accommodate these changes when upgrading from previous versions.

HP CIFS Server Installation Requirements

The HP CIFS server product requires about 15MB of disc space for product installation. The HP CIFS server product is composed of the following:

• HP CIFS server source code files: 5 MB

• HP CIFS File and Print Services: 12MB

HP CIFS Server Memory and Disc Requirements

Refer to Chapter 6, “HP-UX Configuration for HP CIFS” in this manual for more detailed information.

Step 1: Installing HP CIFS Server Software

HP CIFS Server Upgrades:

If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment. The SD install procedure may alter or replace your current configuration files. All files under /var/opt/samba and /etc/opt/samba must be saved in order to ensure that you will be able to return to your current configuration, if necessary. For example:

$ stopsmb
$ mkdir /tmp/cifs_save
$ tar -cvf /tmp/cifs_save/var_backup.tar /var/opt/samba
$ tar -cvf /tmp/cifs_save/etc_backup.tar /etc/opt/samba

Do not use the -o option with the tar command. This ensures proper file ownership.

If a problem with the upgrade does occur, use SD to remove the entire HP CIFS Server product and reinstall your current version. Once this is done, you may restore the saved configuration files. For example:

$ tar -xvf /tmp/cifs_save/var_backup.tar
$ tar -xvf /tmp/cifs_save/etc_backup.tar

This procedure is not intended to replace a comprehensive backup strategy that includes user data files.
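The backup and restore commands above, as an added example that is not HP's own tooling: two POSIX shell functions that perform the same archive and restore and, before the upgrade goes ahead, confirm that every file under the source directory is actually present in the archive. The directory and archive paths are parameters so the functions can be tried on a scratch copy first; on a real server the sources are /etc/opt/samba and /var/opt/samba, archived after stopsmb has been run. The only assumption about tar is that -c, -t and -x behave as on HP-UX or GNU tar, which differ in whether the leading slash is kept in member names; the check accepts either form.

```shell
#!/bin/sh
# Added example, not part of the HP CIFS product: verified backup and restore
# of a configuration tree, following the procedure described in this section.

# cifs_backup SRC ARCHIVE
#   Archive SRC (an absolute path) into ARCHIVE, then confirm that every
#   regular file under SRC is listed in the archive. Returns non-zero if SRC
#   is missing, tar fails, or a file is absent from the listing.
cifs_backup() {
    src=$1 archive=$2
    [ -d "$src" ] || { echo "cifs_backup: no such directory: $src" >&2; return 1; }
    tar -cf "$archive" "$src" 2>/dev/null || return 1
    listing=$(tar -tf "$archive") || return 1
    find "$src" -type f | while read -r f; do
        # GNU tar strips the leading "/" from member names; HP-UX tar keeps it.
        printf '%s\n' "$listing" | grep -qxF -e "$f" -e "${f#/}" \
            || { echo "cifs_backup: missing from archive: $f" >&2; exit 1; }
    done
}

# cifs_restore ARCHIVE
#   Unpack the archive back to its original location. Deliberately no -o,
#   so the archived owners are kept rather than replaced by the invoking user.
cifs_restore() {
    archive=$1
    [ -f "$archive" ] || { echo "cifs_restore: no such archive: $archive" >&2; return 1; }
    ( cd / && tar -xf "$archive" ) 2>/dev/null
}

# Self-check on a constructed scratch tree (not a real server configuration).
SCRATCH=$(mktemp -d)
mkdir -p "$SCRATCH/etc/opt/samba"
printf '[global]\n   workgroup = EXAMPLE\n' > "$SCRATCH/etc/opt/samba/smb.conf"
cifs_backup "$SCRATCH/etc/opt/samba" "$SCRATCH/etc_backup.tar" && echo "backup verified"
```

Run the verification before removing the product with SD; an archive that is missing a file is of no use once the install procedure has replaced the originals.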

Overview:

Installation of the HP CIFS Server software includes loading the HP CIFS Server filesets using the swinstall(1M) utility, completing the HP CIFS configuration procedures, and starting Samba using the startsmb script.

Procedure:

Follow the steps below to install the HP CIFS Server software using the HP-UX swinstall program.

1. Log in as root.

2. Insert the software media (disk) into the appropriate drive.

3. Run the swinstall program using the command:

swinstall

This opens the Software Selection Window and Specify Source Window.

4. Change the Source Host Name if necessary, enter the mount point of the drive in the Source Depot Path field, and activate the OK button to return to the Software Selection Window. Activate the Help button to get more information.

The Software Selection Window now contains a list of available software bundles to install.

5. Highlight the HP CIFS Server software for your system type.

6. Choose Mark for Install from the ‘‘Actions’’ menu to choose the product to be installed. With the exception of the man pages and user’s manual, you must install the complete HP CIFS product.

7. Choose Install from the ‘‘Actions’’ menu to begin product installation and open the Install Analysis Window.

8. Activate the OK button in the Install Analysis Window when the Status field displays a Ready message.

9. Activate the Yes button at the Confirmation Window to confirm that you want to install the software. swinstall displays the Install Window.

View the Install Window to read processing data while the software is being installed, until the Status field indicates Ready and the Note Window opens.

swinstall loads the fileset and runs the control scripts for the fileset. Estimated time for processing: 3 to 5 minutes.

10. Check the log files /var/adm/sw/swinstall.log and /var/adm/sw/swagent.log to make sure the installation was successful.

Step 2: Running the Configuration Script

Prior to running the configuration script, you must obtain the name of your domain or workgroup, choose either a “workgroup model” or “domain security model” role for your server, and decide which security level you would like to use. After you have this information, run the samba_setup configuration script.

1. Run the Samba configuration script using the command below.

/opt/samba/bin/samba_setup

To specify a domain role and an authentication type, enter the number listed to the left of your choice. Answer the other questions prompted by the script. The questions will vary according to the workgroup or domain role that you selected.

2. Choose a domain role for your server.

With NT, Microsoft Corporation added the domain security model to the more primitive workgroup model. Domain security offers centralized administration and security. HP CIFS Servers not only support the workgroup model but can also play the role of Primary Domain Controller (PDC) or Domain Member Server in the domain security model.

Samba_setup will ask you to choose Primary Domain Controller, Domain Member Server, or Workgroup roles.

• Primary Domain Controllers perform the machine account and authentication services which enable domain-wide logons. Domain logons are convenient because users can log on to the domain with one logon and password rather than logging on to each individual server in the domain. See Chapters 4 and 5 for more information about HP CIFS Server PDC features. Samba_setup will configure HP CIFS Server PDCs to use user-level security for you.

• Domain Member Servers participate in domain security by forwarding logon requests to the PDC for authentication. Samba_setup will configure HP CIFS Server Domain Member Servers to use domain-level security for you.

• Workgroups do not utilize the centralized authentication of domains. Samba_setup will require workgroups to choose either server, share, or user-level security.

Since there are many important aspects of workgroup and domain architecture too lengthy to be discussed here, you should consult some of the many books or white papers available through the world-wide web and book stores if you are not already familiar with the subject.

3. Select your authentication security type.

Samba supports four types of security: Domain-level security, Server-level security, User-level security, and Share-level security. You must select one of these security types for your server prior to running the configuration script.

• Domain-level security: When this type of security is used, Samba responds as a member of a Windows domain and checks the password against the information contained in the Windows NT domain controller.

• Server-level security: When this security type is specified, password authentication is handled by another SMB password server. When a client attempts to access a specific share, Samba checks that the user is authorized to access the share. Samba then validates the password via the SMB password server.

• User-level security: When this security type is specified, each share is assigned specific users. When a request is made for access, Samba checks the user’s user name and password against a local list of authorized users and only gives access if a match is made.

• Share-level security: When this security type is specified, each share (directory) has at least one password associated with it. Anyone with a password will be able to access the share. There are no other access restrictions.

You might use multiple passwords when you want different users to have different types of access (read-only, read-write, etc.).

These security types are described in detail in “Chapter 6, Users, Security, and Domains” of Using Samba by Eckstein, Collier-Brown and Kelly.

This information will be requested by the configuration script in Step 4: Starting the HP CIFS Server, located later in this chapter.

4. Enter the name of the domain or workgroup that you want this server to be part of.

The script will modify the smb.conf file according to the information that you have entered.

For in-depth information about configuring disk shares; browsing; users, security and domains; and printing and name resolution, refer to chapters 4, 5, 6, and 7 in Using Samba by Eckstein, Collier-Brown and Kelly.

Step 3: Modify the Configuration

HP CIFS Server requires configuration modifications for the following functionality:

• ACL Support

• Case Sensitivity for the Client and Server for UNIX Extensions

• DOS Attribute Mapping

• Print Services for version A.01.07

• Print Services for version A.01.08 (current version)

• Distributed File System (DFS) Support

• Configure MC/ServiceGuard High Availability (HA)

• German Character Support

• Japanese Character Support

Configure ACL Support (for version A.01.07)

Two ACL schemes are currently supported: unix (UNIX file permissions) and hpux_posix (VxFS POSIX ACLs on HP-UX).

Example values are shown below:

• Example one:

acl schemes = unix

This is the default ACL scheme. It ignores UNIX ACL capabilities and uses UNIX file permissions.

• Example two:

acl schemes = none

This example turns off all ACL support for the share, and an error will be returned whenever the client tries to get or set ACL information on any file system on the share.

• Example three:

acl schemes = hpux_posix

This example supports only VxFS POSIX ACLs on the entire share. Attempts to get or set ACLs from the client will only succeed if VxFS POSIX ACLs are supported on that file system. If only UNIX permissions are supported, attempts to get or set ACLs from the client will fail.

• Example four:

acl schemes = hpux_posix unix

HP CIFS will attempt to use VxFS POSIX ACLs. If ACLs are not present, it will use UNIX permissions.

Configure ACL Support (for version A.01.08)

HP CIFS Server, version A.01.08, provides a share-level parameter called “nt acl support.” The possible values for this parameter are “yes” and “no.” It defaults to “yes.” Using this parameter, users can turn ACL support on or off on a per-share basis. Refer to chapter 3 in this manual for more information about ACLs.

IMPORTANT VxFS POSIX ACL file permissions only work when JFS 3.3 or disk layout version 4 is installed on your system. Learn how to install JFS 3.3 on HP-UX 11.0 in the HP JFS 3.3 and HP OnLineJFS 3.3 Release Notes (MPN B3929-90007), located at www.docs.hp.com. Learn about installing and upgrading disk layout versions in the HP JFS 3.3 and HP OnLineJFS 3.3 VERITAS File System 3.3 System Administrator’s Guide (MPN B3929-90011), also located at www.docs.hp.com.

Configure Case Sensitivity

By default, the HP CIFS Server is configured to be case insensitive, like DOS and NT.

NOTE HP recommends that when using CIFS Extensions for UNIX, both the CIFS Client and Server be configured to be case sensitive.

For the CIFS Server, edit the server configuration file /etc/opt/samba/smb.conf as follows:


case sensitive = yes

For the CIFS Client, in the /etc/opt/cifsclient/cifsclient.cfg file, ensure the following default is set:

caseSensitive = yes

Configure DOS Attribute Mapping

There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to the owner, group, and other execute bits in the UNIX file system.

When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general.

By default, map system and map hidden are off, and map archive is on.

To turn map archive off, modify /etc/opt/samba/smb.conf as follows:

map archive = no
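The security type chosen in Step 2 and the per-share parameters set in this step (nt acl support, case sensitive, map archive) are easiest to review together once smb.conf has been edited. The following POSIX shell script is an added example written for this guide, not HP or Samba code. It reads an smb.conf and prints, for each share, the value that will take effect: the share's own setting, else the [global] setting, else the default this chapter states (nt acl support = yes, case sensitive = no, map archive = yes). It also prints the global security type and flags the share-level model, which, as Step 2 notes, gives access to anyone holding a share password. It assumes Samba's matching of parameter names ignoring case and whitespace and its yes/true/1 and no/false/0 spellings of boolean values; the smb.conf it audits at the end is constructed for the example.

```shell
#!/bin/sh
# Added example (not HP CIFS or Samba code): report the effective security
# type, ACL support, case sensitivity and map archive setting per share.
# Assumptions: Samba 2.2-style smb.conf ([global] plus one section per
# share, "key = value", comments beginning with # or ;), parameter names
# matched ignoring case and whitespace as Samba does, and the defaults
# stated in this chapter: nt acl support = yes, case sensitive = no,
# map archive = yes.

audit_smb_conf() {
    # $1: path to an smb.conf. Output: "global security=<value>", then one
    # line per share with the effective values, then a warning line when
    # share-level security is configured.
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function norm(v) {                          # Samba boolean synonyms
        if (v == "yes" || v == "true"  || v == "1") return "yes"
        if (v == "no"  || v == "false" || v == "0") return "no"
        return v
    }
    function eff(share, key, dflt) {            # share, else global, else default
        if ((share, key) in cfg)    return norm(cfg[share, key])
        if (("global", key) in cfg) return norm(cfg["global", key])
        return dflt
    }
    BEGIN { sec = "global"; nshares = 0 }
    {
        line = trim($0)
        if (line == "" || line ~ /^[#;]/) next
        if (substr(line, 1, 1) == "[" && substr(line, length(line), 1) == "]") {
            sec = tolower(trim(substr(line, 2, length(line) - 2)))
            if (sec != "global" && !(sec in seen)) { seen[sec] = 1; names[++nshares] = sec }
            next
        }
        eq = index(line, "=")
        if (eq == 0) next
        key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", key)
        cfg[sec, key] = tolower(trim(substr(line, eq + 1)))
    }
    END {
        security = (("global", "security") in cfg) ? cfg["global", "security"] : "unset"
        print "global security=" security
        for (i = 1; i <= nshares; i++) {
            n = names[i]
            printf "share=%s nt_acl_support=%s case_sensitive=%s map_archive=%s\n",
                   n, eff(n, "ntaclsupport", "yes"),
                   eff(n, "casesensitive", "no"),
                   eff(n, "maparchive", "yes")
        }
        if (security == "share")
            print "warning=share-level security: anyone holding a share password can access that share"
    }' "$1"
}

# Constructed sample smb.conf (not a real deployment) so the script runs offline.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONF="$SAMPLE_DIR/smb.conf"
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = share
   map archive = no

; home directories keep the global settings except for ACL support
[homes]
   path = /home
   nt acl support = no

[Data]
   path = /export/data
   Case Sensitive = True
EOF

audit_smb_conf "$SAMPLE_CONF"
```

On a server, point the function at /etc/opt/samba/smb.conf after each edit; a share that inherits an unexpected global value shows up as a mismatch between what was written in its own section and what the report prints.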

Configuring Print Services for HP CIFS Version A.01.07

This section provides information about configuring Print Services on systems running HP CIFS version A.01.07. Refer to the next section if you are running HP CIFS version A.01.08.

Configure Print Services

The minimal printing setup is shown below. Refer to chapter 7 in Using Samba for more detailed information on how to set up printing in Samba servers.

To configure a printer share, modify /etc/opt/samba/smb.conf as follows:

printable=yes
printer=printer_name_string

Where printer_name_string is the name of an HP-UX-defined printer under the control of the LP spooler.

Configure A Printer Share

This is a special share to automatically create printing services. Refer to chapter 7 in Using Samba for more detailed information on how to set up printing in Samba servers.

If you create a share named [printers] in the smb.conf file, the server will automatically read in your printer capabilities file and create a printing share for each printer that appears in that file.

Add the following information to the global and printers sections of the smb.conf file:

[printers]
printable=yes

Manually Set Up Printer Drivers

Each client needs to install the appropriate driver for each printer it wants to use. Refer to chapter 7 in Using Samba for more detailed information on how to set up printing in Samba servers.

Invoke the Windows Add Printer Wizard dialog by double-clicking on the printer icon in the Network Neighborhood.

Enter the name of the printer. If you selected an uninstalled printer, Windows will ask you to select the printer manufacturer and model.

Windows should load the appropriate driver.

Automatically Set Up Printer Drivers

Printer drivers can be automatically set up for a specific printer. There are four steps:

• Install the drivers for the printer on a Windows client.

• Create a printer definition file from the information on a Windows machine.

• Create a PRINTER$ share where the resulting driver files can be placed.

• Modify the smb.conf file.

Refer to chapter 7 in Using Samba for more detailed information on how to set up printing in Samba servers.


Install Printer Drivers. Install the drivers using a Windows 95/98 client only. Other versions of Windows clients will be supported in future releases. The printer does not have to be attached to the machine to install the drivers. This step gets the appropriate driver files into the Windows directory.

Go to the Printers window of My Computer and double-click on the Add Printer icon.

Follow the Add Printer Wizard dialogs, providing the name or manufacturer and model of the printer.

Create a Printer Definition File. Copy the following four files from a Windows client:

C:\WINDOWS\INF\MSPRINT.INF
C:\WINDOWS\INF\MSPRINT2.INF
C:\WINDOWS\INF\MSPRINT3.INF
C:\WINDOWS\INF\MSPRINT4.INF

These files list the files that make up each printer driver. If the printer driver name starts with a letter from A to K, use either MSPRINT.INF or MSPRINT3.INF; if it begins with a letter from L to Z, use MSPRINT2.INF or MSPRINT4.INF in the next step.

Use the make_printerdef script located in the /opt/samba/bin directory and the appropriate printer INF file to create a printer definition file. Quote the printer name, because it contains spaces, and redirect the output to printers.def (append with >> when adding more than one printer):

make_printerdef MSPRINT3.INF "HP DeskJet 560C Printer" >> printers.def

Create a PRINTER$ Share. Create a PRINTER$ share in the smb.conf file that points to an empty directory on the CIFS server as follows:

[PRINTER$]
path = /opt/samba/print

This is where the resulting driver files will be placed.

Copy the driver files named in the output of make_printerdef (step 2) to this location. Typically these files can be found in the C:\WINDOWS\SYSTEM directory.

Copy the printers.def file that you created in step 2 to this location as well.

Every Windows client installs whatever driver files it finds in this share, so make the directory writable only by the administrative account that maintains it.


Modify the smb.conf file. Modify the smb.conf file by adding three options:

• printer driver

• printer driver file

• printer driver location

Example smb.conf entries:

[global]
printer driver file = /opt/samba/print/printers.def

[hpdeskjet]
printer driver = HP DeskJet 560C Printer
printer driver location = \\%L\PRINTER$

The printer driver value must match the printer name given to make_printerdef exactly, and printer driver location must name the share created above (PRINTER$); %L expands to the NetBIOS name of the server as the client addressed it.

Configuring Print Services for HP CIFS Version A.01.08

This section provides information about configuring Print Services on systems running HP CIFS version A.01.08. Refer to the previous section if you are running HP CIFS version A.01.07.

These enhancements are new for version A.01.08. The HP CIFS Server now provides the following NT printing functionality:

• Printer driver files may be downloaded to Windows NT, 2000 and XP clients that do not have them

• Printer driver files may be uploaded using the Windows NT/XP/2000 Add Printer wizard

• Support for NT Access Control Lists (ACLs) on printer objects

Information about setting up and configuring each of the Print Services (except ACLs) is shown in the following sections. Information about configuring ACL Support is discussed in a previous section.

Configuring a [printers] share

The following is a minimal printing setup. Use either one of the following two procedures to create a printer share:

1. SWAT (the Samba Web Administration Tool)


-or-

2. Create a share for the printer in the /etc/opt/samba/smb.conf file. Refer to the following example:

[hpdeskjet]
path = /tmp
printable = yes

Where "hpdeskjet" is the name of the printer to be added.

Creating a [printers] share

Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example:

[printers]
path = /tmp
printable = yes
browseable = no

This share is required if you want the printer list in SWAT to include printers that exist on the HP CIFS Server but are not defined in the smb.conf file. If this share is not defined, the printer list will display only those printer shares which are defined in the smb.conf file.

Setup Server for Automatically Uploading Printer Driver Files

In order to add a new driver to your Samba host using version A.01.08 of the software, one of two conditions must hold true:

1. The account used to connect to the Samba host must have a uid of 0 (i.e. a root account), or

2. The account used to connect to the Samba host must be a member of the printer admin list. This requires a [global] smb.conf parameter as follows:

printer admin = netadmin

The connected account must still possess access to add files to the subdirectories beneath [print$]. Keep in mind that all files are set to read only by default, and that the printer admin parameter must also contain the names of all users or groups that are going to be allowed to upload drivers to the server, not just netadmin. Treat that list as a trust boundary: a driver uploaded by any of these accounts is the driver every Windows client will subsequently install, so list only administrative accounts.

The following is an example of the other parameters required:


1. Create a [print$] share in the smb.conf file that points to an empty directory named /etc/opt/samba/printers on the HP CIFS Server. Refer to the following example:

[print$]
path = /etc/opt/samba/printers
browseable = yes
guest ok = yes
read only = yes
write list = netadmin

In this example the share is read only for every connecting user, guests included, and the write list parameter gives only the administrative-level account netadmin write access for updating files on the share.

2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported. Refer to the following example:

cd /etc/opt/samba/printers
mkdir W32X86
mkdir Win40

There are two possible locations (subdirectories) for keeping driver files, depending upon what version of Windows the files are for:

For Windows NT, XP or Windows 2000 driver files, the files will be stored in the /etc/opt/samba/printers/W32X86 subdirectory.

For Windows 9x driver files, the files will be stored in the /etc/opt/samba/printers/Win40/0 subdirectory.
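The [print$] and printer admin settings above decide who can publish drivers that every Windows client will later install, and the two lists have to agree for uploads to work at all. The following Python script is an added example (not part of this guide and not HP CIFS or Samba code) that parses an smb.conf in the Samba 2.2 syntax and reports write-list entries that are not printer admins, printer admins that cannot write to [print$], and a [print$] share that is writable by everyone. The two embedded configurations are constructed for the demonstration; the account names netadmin, webuser and @prtadmins are made up.

```python
"""Audit who can publish printer drivers through an smb.conf that follows
the [print$] / printer admin scheme. Added example, not HP or Samba code.
Understands the Samba 2.2 file syntax only: [section] headers,
key = value lines, and comments starting with # or ;."""
import re
from typing import Dict, List

# Constructed configuration in the style of the A.01.08 procedure.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   printer admin = netadmin, @prtadmins
   ; driver upload share
[print$]
   path = /etc/opt/samba/printers
   browseable = yes
   guest ok = yes
   read only = yes
   write list = netadmin, webuser
[printers]
   path = /tmp
   printable = yes
   browseable = no
"""

# Constructed weak variant: the driver share is writable by every connected user.
WEAK_SMB_CONF = """\
[global]
   printer admin = netadmin
[print$]
   path = /etc/opt/samba/printers
   read only = no
   guest ok = yes
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {parameter: value}}. Parameter names are lower-cased
    with whitespace removed, because Samba ignores case and spaces in them."""
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[section][re.sub(r"\s+", "", key.lower())] = value.strip()
    return conf


def name_list(value: str) -> List[str]:
    """Split a Samba name list such as 'netadmin, @prtadmins' into its entries."""
    return [n for n in re.split(r"[,\s]+", value.strip()) if n]


def smb_bool(value: str, default: bool) -> bool:
    """Samba boolean spellings: yes/true/1 and no/false/0."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    return default


def audit_driver_upload(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag mismatches between 'printer admin' and the [print$] write list,
    and a driver share that every connected user can write to."""
    findings: List[str] = []
    admins = name_list(conf.get("global", {}).get("printeradmin", ""))
    if not admins:
        findings.append("no 'printer admin' in [global]: only a uid 0 account can add drivers")
    share = conf.get("print$")
    if share is None:
        findings.append("no [print$] share: NT/2000/XP clients cannot download drivers")
        return findings
    # 'read only' and 'writeable'/'writable' are inverses; check 'read only' first.
    if "readonly" in share:
        writable = not smb_bool(share["readonly"], True)
    else:
        writable = smb_bool(share.get("writeable", share.get("writable", "no")), False)
    if writable:
        findings.append("[print$] is writable by every connected user; set 'read only = yes' "
                        "and name the uploaders in 'write list'")
    writers = name_list(share.get("writelist", ""))
    for w in writers:
        if w not in admins:
            findings.append(f"'{w}' is in the [print$] write list but not a printer admin: "
                            "it can replace driver files that clients will install")
    for a in admins:
        if a not in writers:
            findings.append(f"'{a}' is a printer admin but not in the [print$] write list: "
                            "driver uploads from the Add Printer wizard will fail")
    if smb_bool(share.get("guestok", "no"), False):
        findings.append("[print$] allows guest access: anonymous clients can read driver files")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_SMB_CONF), ("weak", WEAK_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit_driver_upload(parse_smb_conf(text)):
            print(" -", finding)
```

Run it against a copy of /etc/opt/samba/smb.conf by passing the file's contents to parse_smb_conf(); the guest finding is informational (point-and-print needs anonymous read), the other findings should be empty on a correctly configured server.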

Setup Client for Automatically Uploading Printer Drivers

Printer driver files can be automatically uploaded from disk to the printers on a HP CIFS Server. Here are the steps:

1. Invoke the Windows Add Printer Wizard dialog by double-clicking on the printer icon in Network Neighborhood.

2. Enter the printer share name for an installed printer on the HP CIFS Server. Viewing the properties of a printer that still has the default driver assigned results in the error message:

Device settings can not be displayed. The driver for the specified printer is not installed, only spooler properties will be displayed. Do you want to install the driver now?

3. Click Yes in the error dialog and the printer properties window will be displayed, together with the Add Printer Wizard (APW).

4. Select the printer driver, e.g. hp LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk and stored in the subdirectories under the [print$] share.

Migrating Printing Services From Version A.01.07 to A.01.08

The following points apply when migrating a HP CIFS Server from version A.01.07 to version A.01.08:

• If you do not intend to use the new Windows NT/XP/2000 print driver support feature, nothing needs to be done. All of the existing configuration parameters for printer services will continue to work the same way.

• If you want to take advantage of the new NT/XP/2000 printer driver support, but do not want to migrate the Windows 9x drivers to the new setup, continue to use the existing printers.def file.

• If you install a Windows 9x driver for a printer on a HP CIFS Server using the new setup, the new setup information takes precedence and the three old parameters (printer driver, printer driver file and printer driver location) are ignored.

• If you have a printer installed on a HP CIFS Server version A.01.07 or below, and you migrate to Server version A.01.08, you must reboot the Windows client in order to make the printer work under version A.01.08.

Setting Up Distributed File System (DFS) Support

This section provides the procedures for:

• Setting up a DFS Tree on a HP CIFS Server

• Setting up DFS Links in the DFS root directory on a HP CIFS Server

NOTE HP does not recommend sharing the root directory. Only subdirectories under the root should be set up for file sharing.

Setting Up a DFS Tree on a HP CIFS Server

After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\DFS.

1. Select a HP CIFS Server to act as the Distributed File System (DFS) root directory.

2. Configure a HP CIFS server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes. Example:

[global]
host msdfs = yes

3. Create a directory to act as a DFS root on the HP CIFS Distributed File System (DFS) Server.

4. Create a share and define it with the parameter path = directory of DFS root in the smb.conf file. Example:

[DFS]
path = /export/dfsroot

5. Modify the smb.conf file and set the msdfs root parameter to yes in that share. Example:

[DFS]
path = /export/dfsroot
msdfs root = yes

Setting Up DFS Links in the DFS Root Directory on a HP CIFS Server

A Distributed File System (DFS) root directory on a HP CIFS Server can host DFS links in the form of symbolic links which point to other servers.

Before setting up DFS links in the DFS root directory, you should set the permissions and ownership of the root directory so that only designated users can create, delete or modify the DFS links. Anyone who can write to this directory can redirect every client that follows a link to a server of their choosing.

Symbolic link names should be all lowercase. All clients accessing a DFS share should have the same user name and password, because a client authenticates to each server a link refers to with the same credentials it used for the DFS root.

An example for setting up DFS links follows:

1. Use the ln command to set up the DFS links "linka" and "linkb" in the /export/dfsroot directory. Both "linka" and "linkb" point to other servers on the network. Example commands:

cd /export/dfsroot
chown root /export/dfsroot
chmod 775 /export/dfsroot
ln -s msdfs:serverA\\shareA linka
ln -s msdfs:serverB\\shareB,serverC\\shareC linkb

With mode 775, every member of the directory's group can also change the links; use 755 if only root should manage them.

2. If you use the ls -l command on the /export/dfsroot directory, it should show output similar to this:

lrwxrwxrwx 1 root sys 24 Oct 30 10:20 linka -> msdfs:serverA\\shareA
lrwxrwxrwx 1 root sys 30 Oct 30 10:25 linkb -> msdfs:serverB\\shareB,serverC\\shareC

In this example, "serverC" is the alternate path for "linkb". Because of this, if "serverB" goes down, "linkb" can still be accessed from "serverC". "linka" and "linkb" are share names. Accessing either one will take users directly to the appropriate share on the network.

Refer to the following screen snapshot for an example:

Figure 2-1 Link Share Names Example
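The ln commands above can be scripted with the same checks a careful administrator applies by hand. The following Python script is an added example, not code from this guide or from Samba: it creates msdfs links in a DFS root directory, enforces the lowercase-name rule and the server\share target syntax stated above (a single backslash on disk, which is what the unquoted \\ in the shell commands above becomes; a doubled one is accepted too), refuses to overwrite an existing entry, and lists the links back in parsed form, the same information ls -l shows. The server and share names (serverA\shareA and so on) are the manual's placeholders; demo() works in a temporary directory so it can be run anywhere.

```python
"""Create, validate and list msdfs referral links in a DFS root.
Added example for the DFS section of this guide; not HP or Samba code.
The msdfs:server\\share[,server\\share] target form and the lowercase
link-name rule are taken from the text above; names are placeholders."""
import os
import re
import shutil
import tempfile
from typing import Dict, List

# A referral target is server\share. One backslash is what the manual's
# unquoted "\\" becomes after the shell processes it; two are tolerated.
_TARGET_RE = re.compile(r"^[A-Za-z0-9_.-]+\\{1,2}[A-Za-z0-9_.$-]+$")
_NAME_RE = re.compile(r"^[a-z0-9_.-]+$")


def is_valid_target(target: str) -> bool:
    return bool(_TARGET_RE.match(target))


def is_valid_link_name(name: str) -> bool:
    """Link names must be lowercase, contain no '/', and not be '.' or '..'."""
    return bool(_NAME_RE.match(name)) and name not in (".", "..")


def make_referral(targets: List[str]) -> str:
    """Build the symlink target: msdfs:serverA\\shareA[,serverB\\shareB...]."""
    if not targets:
        raise ValueError("at least one server\\share target is required")
    bad = [t for t in targets if not is_valid_target(t)]
    if bad:
        raise ValueError(f"malformed referral target(s): {bad}")
    return "msdfs:" + ",".join(targets)


def add_dfs_link(dfsroot: str, name: str, targets: List[str]) -> str:
    """Create one DFS link in dfsroot; never overwrites an existing entry."""
    if not is_valid_link_name(name):
        raise ValueError(f"invalid DFS link name: {name!r}")
    path = os.path.join(dfsroot, name)
    if os.path.lexists(path):
        raise FileExistsError(f"{path} already exists; remove it first")
    os.symlink(make_referral(targets), path)
    return path


def list_dfs_links(dfsroot: str) -> Dict[str, List[str]]:
    """Return {link name: [targets]} for every msdfs symlink in dfsroot."""
    links: Dict[str, List[str]] = {}
    for entry in sorted(os.listdir(dfsroot)):
        path = os.path.join(dfsroot, entry)
        if not os.path.islink(path):
            continue
        target = os.readlink(path)
        if target.startswith("msdfs:"):
            links[entry] = target[len("msdfs:"):].split(",")
    return links


def demo() -> Dict[str, List[str]]:
    """Recreate the manual's linka/linkb layout in a temporary root and list it."""
    root = tempfile.mkdtemp(prefix="dfsroot-")
    try:
        # 0755: only the owner (root in production) may add or change referrals.
        os.chmod(root, 0o755)
        add_dfs_link(root, "linka", ["serverA\\shareA"])
        add_dfs_link(root, "linkb", ["serverB\\shareB", "serverC\\shareC"])
        return list_dfs_links(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, targets in demo().items():
        print(f"{name} -> {', '.join(targets)}")
```

On a real server call add_dfs_link("/export/dfsroot", ...) as root; list_dfs_links() is also a convenient periodic check that no referral has been changed to point somewhere unexpected.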


MC/ServiceGuard High Availability Support

Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers.

Template files for version A.01.08 have been revised to allow any number of cluster nodes, and offer other advantages over previous schemes.

Follow the configuration procedures provided in Chapter 6.

Configure for German Character Support

Modify the parameters below in the smb.conf file for German character support:

character set = ISO8859-1
client code page = 850

In order to view the file and directory names and contents correctly from the UNIX side, you must set the locale to ISO 8859-1 as follows:

export LANG=de_DE.iso88591

Refer to the Internationalization section later in this chapter for more detailed information.

Configure for Japanese Character Support

To enable HP CIFS Japanese capabilities, start HP CIFS with the smb.conf variables set as follows:

coding system = SJIS
client code page = 932

In order to view the file and directory names and contents correctly from the UNIX side, you must set the locale to Shift-JIS like this:

export LANG=ja_JP.SJIS

Refer to the Internationalization section later in this chapter for more detailed information.


Step 4: Starting the HP CIFS Server

Run the script below to start Samba.

/opt/samba/bin/startsmb

When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started. When the script is successful, the exit value is 0. If the script fails, the exit value is 1.

Samba installation and configuration are complete.

To stop the Samba server, run:

/opt/samba/bin/stopsmb

When the script is successful, the exit value is 0. If the script fails, the exit value is 1.

Automatically Starting the HP CIFS Server

When the HP CIFS Server is installed, by default it will not be configured to automatically start when the system boots up and stop when the system shuts down. You can enable this feature by doing the following:

1. Edit the /etc/rc.config.d/samba file.

2. Change the last line of the file to:

RUN_SAMBA=1

3. Save the file.

If you later decide to disable the automatic start feature, change the last line back to:

RUN_SAMBA=0


Other Samba Configuration Issues

Translate Open-Mode Locks into HP-UX Advisory Locks

The HP CIFS Server A.01.07, and subsequent versions, can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients. This also means CIFS clients cannot open files that have conflicting advisory locks from HP-UX processes.

You must change the map share modes setting in smb.conf to yes to translate open mode locks to HP-UX advisory locks. The default setting of map share modes is no.

Performance Tuning using Change Notify

This section describes performance tuning using the Change Notify feature.

The Samba Server supports a new feature called Change Notify. Change Notify provides the ability for a client to request notification from the server when changes occur to files or subdirectories below a directory on a mapped file share. When a file or directory contained within the specified directory is modified, the server notifies the client. The purpose of this feature is to keep the client screen display up to date in Windows Explorer. The result: if a file you are looking at in Windows Explorer is changed while you are looking at it, you will see the changes on the screen almost immediately.

The only way to implement this feature in Samba is to periodically scan through every file and subdirectory below the directory in question and check for changes made since the last scan. This is a resource intensive operation which has the potential to affect the performance of Samba as well as other applications running on the system. Two major factors affect how resource intensive a scan is: the number of directories having a Change Notify request on them, and the size of those directories. If you have many clients running Windows Explorer (or other file browsers) or if you have directories on shares with a large number of files and/or subdirectories, each scan cycle might be very CPU intensive.


To counteract the possible performance impact, you can control how often Samba scans for changes in the directories it has been requested to monitor. The parameter that controls how often Samba scans for changes is change notify timeout. The parameter value is the number of seconds between the start of each scanning cycle. The default value is 60. So, if your system takes 55 seconds to complete the scan of all the directories with Change Notify requests, it will be under heavy load nearly all of the time.

You can increase the change notify timeout value to decrease how often these Change Notify directory scans are done. The trade-off is that your clients will take longer to see changes made in the directories on which they have placed Change Notify requests. You will have to decide what the right trade-off is: performance loss or slow updates to client file browsers.


Internationalization

This section describes European and Japanese character support for the HP CIFS server.

European Character Support

HP CIFS provides European character support for Windows 95, XP and NT clients. HP CIFS also supports MS-DOS and Windows 3.x clients using the PC850 code page. To enable European character support for Windows 95, XP and NT, which includes applications running in DOS-PROMPT windows under these environments, the HP CIFS server must be started with the smb.conf variables character set and client code page set correctly.

For configuration examples, refer to "Step 3: Modify the Configuration" in this chapter.

In order to view the file and directory names and contents correctly from the UNIX side for various languages, you must set the locale to the appropriate value. Here are two examples:

export LANG=de_DE.iso88591

-or-

export LANG=de_DE.iso885915@euro

The HP CIFS server must be restarted for a change to the character set or client code page parameters to take effect. You cannot administer resource permissions on shares that contain German umlauts in their names from the Windows 95 Explorer. Permissions can be administered if the resource is accessed through the Network Neighborhood. Microsoft has acknowledged this behavior but has indicated that it is by design and no fixes will be forthcoming.

Japanese Character Support

HP CIFS supports Japanese character sets as follows:

• HP CIFS supports Japanese only in Shift-JIS encoding. The EUC codeset is not supported.

• The following clients have been tested with HP CIFS with Japanese:


— Windows 95 Japanese

— Windows NT 4.0 Japanese

• To enable HP CIFS Japanese capabilities, start HP CIFS with the smb.conf variables set as follows:

coding system = SJIS
client code page = 932

• Japanese is supported for the following:

— File/directory names

— File contents

— Printing

Japanese is not supported for share names, domain names, user login names or user passwords.

In order to view the file and directory names and contents correctly from the UNIX side, you must set the locale to Shift-JIS like this:

export LANG=ja_JP.SJIS

• The DOS utilities uchmod.exe, ud.exe, uren.exe, and udir.exe are not supported for Japanese file/directory names. The bundled server management tools for Windows NT or XP workstation and Windows 95 are not supported on Japanese Windows NT workstation (J) and Windows 95 (J).

• HP CIFS cannot handle the following characters as file or directory names from Windows 95 (J) clients: 8260 - 8279 (SJIS code).

• HP CIFS can only run batch files from Windows 95 (J) clients if the file or directory names are specified in the 8.3 format. This is not a Japanese-specific problem but an MS-DOS limitation.

For example, the following batch files cannot run:

g:\a1234567890est.bat

g:\a123456est567890.bat

There is no workaround.

For configuration examples, refer to "Step 3: Modify the Configuration" in this chapter.


3 Managing HP-UX File Access Permissions from Windows NT/XP/2000

Introduction

This chapter describes how to use Windows NT, XP and 2000 clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACLs) on a HP CIFS server. A new configuration option, acl_schemes, is also introduced.

UNIX File Permissions and POSIX ACLs

The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, XP or Windows 2000 clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface.

NOTE Although the concepts of file ACLs are similar across the Windows and HP-UX platforms, there are sufficient differences in functionality that UNIX ACLs cannot substitute for Windows ACLs (full emulation is not provided). For example, a Windows application that changes the ACL data of a file may behave unexpectedly if that file resides on a HP CIFS Server.

Viewing UNIX Permissions From Windows NT

Because NT ACLs, UNIX file permissions and VxFS POSIX ACLs carry different data, Samba must map the data from UNIX to NT and from NT to UNIX.

The table below shows how UNIX file permissions translate to Windows NT ACL access types:

Table 3-1

UNIX Permission    NT access type
r--                Special Access(R)
-w-                Special Access(W)
--x                Special Access(X)
rw-                Special Access(RW)
r-x                Read(RX)
-wx                Special Access(WX)
rwx                Special Access(RWX)


In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and groups).

UNIX File Owner Translation in NT ACL

A UNIX file system owner has additional permissions that other users do not have. For example, the owner can change the permission mode on the file or give away ownership of it, and can typically delete or rename the file. These capabilities are similar to the delete (D), change permissions (P) and take ownership (O) permissions on the Windows NT client. Samba adds the DPO permissions to represent UNIX file ownership in the Windows NT Explorer interface.

For example, if a file on the UNIX file system is owned by UNIX user john and john has read and write (rw-) permissions on that file, the Windows NT client will display the permissions for user john as:

Special Access(RWDPO)

You can also display the UNIX owner in the Windows NT Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed.

UNIX Owning Group Translation in NT ACL

The owning group on a UNIX file system is represented on the Windows NT client with the take ownership (O) permission. While the meaning of the take ownership permission on NT doesn't exactly match the meaning of an owning group on the UNIX file system, the owning group is still translated into the take ownership permission.

This representation becomes even more significant when translating VxFS POSIX ACLs, as there can be many groups with different permissions on an individual file in this file system. Without this permission type, you would not be able to tell the owning group entry from other group entries.


For example, if an owning group named sales on the UNIX file system has read and execute (r-x) permissions on a file, the Windows NT client will display the permissions for group sales as:

Special Access(RXO)

UNIX Other Permission Translation in NT ACL

In UNIX, the other permission entry represents permissions for any user or group that is not the owner and doesn't belong to the owning group. This entry maps to the Everyone access control entry on the Windows NT client.

NT Directory and File Permission Translations

Windows NT clients display two sets of permissions for directory entries: directory permissions and file permissions. Directory permissions are the permissions for the directory itself. File permissions are the permissions inherited by the files and subdirectories created in the directory. Samba translates UNIX permissions for a directory into Windows NT directory permissions and vice versa. Windows NT file permissions are not supported when the translation is to or from UNIX permissions.

NT file permissions, however, are supported with VxFS POSIX ACLs (as described in the next section).

Setting UNIX Permissions from Windows NT

With one exception, reversing the UNIX to NT translations described above will always work. You cannot, however, change the owner or owning group by adding Special Access(DPO) or Special Access(O) to a user or group from the client.

All NT permissions except read, write and execute are disregarded when applied to files on the Samba server. These include delete (D), change permissions (P) and take ownership (O).

The table below shows how NT access types map to UNIX permissions:

Table 3-2

NT access type         UNIX Permission
Special Access(R)      r--
Special Access(W)      -w-
Special Access(X)      --x
Special Access(RW)     rw-
Read(RX)               r-x
Special Access(WX)     -wx
Special Access(RWX)    rwx

When mapping from NT to UNIX file permissions, you will not be able to add new NT ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries, so an entry added from the client for any other user or group silently has no effect. Conversely, you cannot delete any of the three entries listed above, as UNIX requires them.

Pre-defined NT Permissions

The Windows NT Explorer ACL interface allows you to choose pre-defined permissions like Change and Full Control in addition to creating custom Special Access permissions.

Figure 3-1 Windows NT Explorer ACL Interface


If you use pre-defined NT access types to set permissions on a Samba share, the permissions displayed later will not match what you set in NT.

For example, Full Control becomes rwx on the Samba server, and when it is displayed on the Windows NT client, it shows up as Special Access(RWX).

Figure 3-2 Windows NT Special Access Permissions

Table 3-3

NT Access Type    UNIX Permission
No Access         ---
Read              r-x
Change            rwx
Full Control      rwx

Change and Full Control both become rwx: the rights that distinguish them on NT are not stored on the server, so a user given Full Control has no more access than one given Change.


The VxFS POSIX ACL File Permissions

VxFS POSIX ACLs are a superset of UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways.

• VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions.

• VxFS POSIX ACLs support default Access Control Entries (ACEs) for directory permissions. This means that any files created in that directory will automatically inherit the default ACEs of the parent directory. It adds an inheritance permission type to directory permissions.

• A special ACE called the class ACE is used. The role of the class ACE is to limit the other ACEs. The base UNIX permissions are not affected.

For example, if the class ACE for a file is set to read (r--), then even when ACEs grant some users and groups write and execute access, write and execute access will not be given to them. The class ACE acts as a mask that filters out the permissions of non-class ACEs. If the class ACE was set to (---) or no access, other ACEs might exist, but they would not change the effective permissions.

IMPORTANT VxFS is known as OnLineJFS.

VxFS POSIX ACL file permissions only work when JFS 3.3 with disk layout version 4 is installed on the HP-UX 11.00 system. For HP-UX 11.11, JFS 3.3 and disk layout version 4 are installed by default.

Learn how to install JFS 3.3 on HP-UX 11.0 in the HP JFS 3.3 and HP OnLineJFS 3.3 Release Notes (MPN B3929-90007) located at www.docs.hp.com.

Learn about installing and upgrading disk layout versions in the HP JFS 3.3 and HP OnLineJFS 3.3 VERITAS File System 3.3 System Administrator's Guide (MPN B3929-90011) located at www.docs.hp.com.

VxFS POSIX ACLs translated to NT ACLs

The extra features of VxFS POSIX ACLs affect the translations to and from NT ACLs in the following ways:

• The extra VxFS POSIX ACEs show up as NT ACEs on the Windows NT client. The permission mode translates like a UNIX permission mode. With this feature you can also add new user and group entries from the Windows NT client. The limitations of this feature are discussed in the next section.

• The default ACEs that directories support for inheritance are translated into file permissions for a directory on NT. The file permissions displayed on the Windows NT client represent the default ACEs on the UNIX file system of the Samba server. If the file permissions are set on a directory on the NT client, equivalent default ACEs are set on the directory on the UNIX file system.

• The class ACE used to limit the other ACEs is ignored. It is not displayed on the Windows NT client and there is no way to set it from the NT client. It would be difficult to support on the client side, as Windows NT has nothing similar to a class ACE. Because HP-UX still applies the class ACE when it checks access, the permissions shown on the Windows client for a named user or group can be broader than what the file system actually grants.
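The translation rules in Tables 3-1 to 3-3, the DPO and O flags added for the owner and owning group, and the class-ACE rule above can all be exercised with a short script. The following Python code is an added example, not code from this guide or from Samba: it maps an HP-UX mode string to the three NT ACEs the server displays, maps NT access types (pre-defined or Special Access) back to mode bits while dropping D, P and O as the server does, shows what the client will display after a pre-defined type has been stored, and reports where a named ACE's displayed permission differs from the effective permission once the class ACE mask is applied. The user and group names (john, sales, bob) are made up.

```python
"""Map HP-UX permission bits to the NT access types the HP CIFS Server
shows in Windows Explorer, and back. Added example illustrating Tables
3-1 to 3-3, the owner/owning-group flags and the class-ACE rule; it is
not code from the guide or from Samba. Names used are placeholders."""
from typing import Dict, List, Tuple

# Pre-defined NT access types and the mode bits they become on the server
# (Table 3-3). Everything except R, W and X is dropped on the way in.
PREDEFINED: Dict[str, str] = {
    "No Access": "---",
    "Read": "r-x",
    "Change": "rwx",
    "Full Control": "rwx",
}


def nt_letters(access: str) -> str:
    """Letters inside the parentheses of an NT access type ('' for No Access)."""
    if "(" not in access:
        return ""
    return access[access.index("(") + 1:access.rindex(")")]


def letters_to_nt(letters: str) -> str:
    """Only the exact combination RX has a pre-defined display name (Table 3-1)."""
    if letters == "RX":
        return "Read(RX)"
    return f"Special Access({letters})" if letters else "No Access"


def rwx_to_nt(rwx: str) -> str:
    """'rw-' -> 'Special Access(RW)', 'r-x' -> 'Read(RX)', '---' -> 'No Access'."""
    return letters_to_nt("".join(ch.upper() for ch in rwx if ch in "rwx"))


def with_flags(access: str, flags: str) -> str:
    """Append ownership flags: Read(RX) + 'O' -> Special Access(RXO)."""
    return letters_to_nt(nt_letters(access) + flags)


def mode_to_nt_acl(mode: str, owner: str, group: str) -> List[Tuple[str, str]]:
    """Translate a 9-character mode such as 'rw-r-xr--' into the three NT ACEs
    the client displays: owner gets DPO, owning group gets O, other is Everyone."""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. 'rw-r-xr--'")
    return [
        (owner, with_flags(rwx_to_nt(mode[0:3]), "DPO")),
        (group, with_flags(rwx_to_nt(mode[3:6]), "O")),
        ("Everyone", rwx_to_nt(mode[6:9])),
    ]


def nt_to_rwx(access: str) -> str:
    """Reverse direction (Tables 3-2 and 3-3): D, P and O are ignored."""
    name = access.split("(")[0].strip()
    if name in PREDEFINED:
        return PREDEFINED[name]
    letters = nt_letters(access).upper()
    return "".join(ch if ch.upper() in letters else "-" for ch in "rwx")


def round_trip(access: str) -> str:
    """What the client shows after a pre-defined type has been stored on the server."""
    return rwx_to_nt(nt_to_rwx(access))


def effective_rwx(rwx: str, class_mask: str) -> str:
    """Apply the VxFS class ACE: a bit is effective only if the mask also has it."""
    return "".join(a if (m != "-" and a != "-") else "-" for a, m in zip(rwx, class_mask))


def acl_display_vs_effective(entries: Dict[str, str], class_mask: str) -> List[Tuple[str, str, str]]:
    """For named user/group ACEs return (name, what Windows shows, what HP-UX enforces).
    The CIFS server never shows the class ACE, so the last two can differ."""
    return [(name, rwx_to_nt(perm), effective_rwx(perm, class_mask)) for name, perm in entries.items()]


if __name__ == "__main__":
    for who, access in mode_to_nt_acl("rw-r-xr--", "john", "sales"):
        print(f"{who:10} {access}")
    print("Full Control ->", nt_to_rwx("Full Control"), "-> shown as", round_trip("Full Control"))
    for row in acl_display_vs_effective({"bob": "rwx"}, "r--"):
        print("ACE %s: Windows shows %s, HP-UX enforces %s" % row)
```

The last function is the one worth keeping around: run it over the named entries of a VxFS ACL together with its class entry and any row whose second and third columns differ is a permission the Windows client is overstating.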


Using the NT Explorer GUI to Create ACLs

Use the Windows NT Explorer GUI to set new ACLs.

This section describes how to add new entries to the ACE list:

• Click the Add button in the File/Directory Permissions dialog box of the Windows NT GUI to bring up the Add Users and Groups dialog box.

Figure 3-3 Windows NT Explorer File Permissions


NOTE The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs.

Figure 3-4 Windows NT Explorer List Names From Field

Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system.

Since the actual ACLs will be UNIX file permissions or VxFS POSIX ACLs in their final form, the only valid groups and users are UNIX groups and users that the Samba server knows about.


• Go to the List Names From dropdown list in the Add Users and Groups dialog box. One choice is to list names on your Samba server. This is the list HP recommends.

Figure 3-5 Windows NT Explorer Add Users and Groups Dialog Box

• Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server.


• Optionally, click the Show Users button and all the UNIX users onthe Samba server will be added to the list as well. You will always beable to add an ACE for the local Unix groups and the users in thislist.

Figure 3-6 Add UNIX Groups and Users

• You can type user and group names into the Add Names text field toadd users and groups. If the names are valid UNIX group or usernames, the users and groups will be added.

• Optionally, add the Samba server name and a backslash to the beginning of the user or group name and it will be added (for example, server1\users1). When you select names off the name list, the GUI will put that name in the text list and automatically add the server name as well.

• Optionally use the user name mapping feature to define a mapping of NT user names (or domain names) to UNIX user names. For example, you could map the NT user names administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one.

Samba supports the creation of ACEs with NT user names that are mapped to UNIX user names.


To continue the example above, you could create an ACE for the administrator user on the NT client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user.

If you add an ACE for one user name, like administrator, and then display the list of ACEs and see a new ACE for a different user name (root), it may be confusing. As many NT user names can be mapped to one UNIX user name, Samba only displays the one UNIX user name. It cannot display the NT name that was mapped to the UNIX user name.

You also have to be careful not to create multiple conflicting ACEs for one UNIX user. For example, in the NT GUI you might add an ACE for each of the users administrator, admin and root. But when you apply these changes, Samba maps administrator and admin to the UNIX user root and the result is that Samba tries to add three different ACEs, all for the user root, to one file. That is not valid and Samba ignores two of the three ACEs.
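The collision described above, modelled as an added example (not Samba or HP CIFS Server code). It uses the map from the text (administrator and admin to root) and assumes, since the text only says the extra ACEs are ignored, that the first ACE entered for a UNIX user is the one kept.

```python
"""Added example, not Samba or HP CIFS Server code: how a many-to-one
username map makes separately entered ACEs collapse onto one UNIX user."""

# Constructed username map, as in the text: two NT names map to root.
USERNAME_MAP = {"administrator": "root", "admin": "root"}


def to_unix_name(nt_name, username_map):
    """Drop an optional SERVER\\ prefix (e.g. server1\\users1) and apply the
    map; a name with no mapping is taken to be a UNIX name already."""
    bare = nt_name.rsplit("\\", 1)[-1]
    return username_map.get(bare, bare)


def find_collisions(nt_names, username_map):
    """Group requested NT names by the UNIX user they resolve to and return
    only the groups with more than one member: a pre-check before applying."""
    groups = {}
    for name in nt_names:
        groups.setdefault(to_unix_name(name, username_map), []).append(name)
    return {unix: names for unix, names in groups.items() if len(names) > 1}


def apply_aces(requested, username_map):
    """requested: list of (nt_name, perms) in the order entered in the GUI.
    Returns (applied, ignored): applied maps UNIX user -> perms with exactly
    one ACE per UNIX user; ignored lists the (nt_name, perms) pairs dropped.
    Assumption: the first ACE for a UNIX user wins (the text does not say
    which of the conflicting ACEs survives)."""
    applied, ignored = {}, []
    for nt_name, perms in requested:
        unix_name = to_unix_name(nt_name, username_map)
        if unix_name in applied:
            ignored.append((nt_name, perms))
        else:
            applied[unix_name] = perms
    return applied, ignored


if __name__ == "__main__":
    # Constructed input: the three users from the text plus one plain group
    entered = [("administrator", "rwx"), ("admin", "r-x"),
               ("server1\\root", "r--"), ("server1\\users1", "r--")]
    print(find_collisions([n for n, _ in entered], USERNAME_MAP))
    print(apply_aces(entered, USERNAME_MAP))
```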

Selecting Names From the Samba Name List

The NT user names mapped to UNIX users will also be displayed when you press the Show Users button in the Add Users and Groups dialog box. Every valid name that you add to an ACE is in the name list on the Samba server (after you hit the Show Users button). You do not need to type in names or select names from the NT domain list. If, however, you pick a name from the NT domain list and it happens to be a UNIX user name on the Samba server, it will be added. This also applies to names that have a user name mapping in Samba.

There is another reason HP recommends selecting names from the Samba server's list of names instead of typing names in manually. There might be a UNIX group and a UNIX user with the same name. If you select a name from the list, Samba knows whether you mean the user or the group. If you type the name in, there is no way for you to specify the user or the group and Samba may add the ACE for a user when you meant the UNIX group with the same name.


POSIX ACLs and Windows 2000/XP Clients

The HP CIFS Server A.01.07, and subsequent versions, allow Windows 2000/XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000/XP permissions. The purpose of this section is to explain how the HP CIFS Server interprets Windows 2000/XP permissions, and how Windows 2000/XP clients interpret and display HP-UX permissions.

Windows 2000/XP clients interact with POSIX ACLs similarly to Windows NT clients, except for the minor differences covered in the following sections. Learn more about ACLs and Windows 2000/XP clients in the following sections in this chapter. You can also learn more about POSIX ACLs with man aclv.

Viewing UNIX Permissions from Windows 2000/XP Clients

The following table shows how the UNIX permissions on the HP CIFS Server are mapped to permissions on Windows 2000/XP clients' Basic and Advanced ACL views:

Table 3-4 UNIX Permission Maps Windows 2000/XP Client Permissions

UNIX Permission   Basic View            Advanced View
r--               Read                  Read Attributes, Read Extended Attributes, Read Data, Read Permissions
-w-               Write                 Write Attributes, Write Extended Attributes, Append Data, Write Data, Read Permissions
--x               None                  Execute or Traverse Folder, Read Attributes, Read Permissions
r-x               Read and Execute      All Read permissions as in the first row, plus Execute or Traverse Folder
rw-               Read, Write           All Read permissions as in the first row and all Write permissions as in the second row
rwx               Full Control          Full Control; all permission bits are ticked
---               No boxes are ticked   None

NOTE In the table above, the permissions labeled Advanced can be viewed from the ACL dialog box by clicking on Advanced, then View/Edit.

For a file owner ACE, the Take Ownership, Delete and Change Permissions flags are shown. For a file's owning group ACE, the Take Ownership flag is shown.

However, all permissions are ticked in both the Windows ACE Advanced and Basic views if a file permission is Full Control.


Setting Permissions from Windows 2000/XP Clients

The following table shows how each Windows 2000/XP client permission is mapped to the UNIX permission when permissions are set from a client:

Table 3-5 Windows 2000/XP Permissions Maps UNIX Permissions

Windows 2000/XP Permission                   UNIX Permission
Full Control                                 rwx
Write                                        -w-
Modify                                       rwx
Read and Execute                             r-x
Read                                         r--
List Folder / Read Data (Advanced)           r--
Read Attributes (Advanced)                   r--
Read Extended Attributes (Advanced)          r--
Read Permissions (Advanced)                  r--
Create Files / Write Data (Advanced)         -w-
Create Folder / Append Data (Advanced)       -w-
Write Attributes (Advanced)                  -w-
Write Extended Attributes (Advanced)         -w-
Traverse Folder / Execute File (Advanced)    --x
Delete Subfolders and Files (Advanced)       No meaning on HP-UX
Delete (Advanced)                            * see explanation following table
Change Permissions (Advanced)                * see explanation following table
Take Ownership (Advanced)                    * see explanation following table

* The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions; you cannot set them from Windows 2000/XP clients.

When the file permission is not set to Full Control, the Delete, Change Permissions and Take Ownership permissions are shown for the file owner. The Take Ownership permission is shown for the file owning group. Everyone and other ACEs do not show these permissions except when the permission is set to Full Control.

NOTE The Windows 2000 permissions labeled Advanced in the table above can be viewed from the ACL dialog box by clicking on Advanced, then View/Edit.

NOTE The CIFS Server ensures that at least "read" permission is set for the file owner. For example, if a user tries to set a file's permissions to "---", the CIFS Server will actually set it to "r--".

Viewing ACLs from Windows 2000 Clients

Step 1. Right-click on a file and select Properties


Step 2. Click on the Security tab

Displaying the Owner of a File

Step 1. Click on Advanced

Step 2. Click on the Owner tab on the Access Control Settings dialog box
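Tables 3-4 and 3-5 above, together with the owner-read rule from the NOTE, written out as code so a round trip can be checked. This is an added example, not HP CIFS Server code; the table and function names are my own, and the ownership flags on a non-Full-Control owner or owning-group ACE follow the explanation under Table 3-5.

```python
"""Added example, not HP CIFS Server code: the UNIX <-> Windows 2000/XP
permission mappings of Tables 3-4 and 3-5 plus the owner-read guarantee."""

# Table 3-4, Basic view: UNIX permission triple -> label shown on the client
BASIC_VIEW = {
    "r--": "Read",
    "-w-": "Write",
    "--x": "None",
    "r-x": "Read and Execute",
    "rw-": "Read, Write",
    "rwx": "Full Control",
    "---": "No boxes are ticked",
}

# Table 3-4, Advanced view: the flags each UNIX bit contributes
READ_FLAGS = {"Read Attributes", "Read Extended Attributes", "Read Data",
              "Read Permissions"}
WRITE_FLAGS = {"Write Attributes", "Write Extended Attributes", "Append Data",
               "Write Data", "Read Permissions"}
EXEC_FLAGS = {"Execute or Traverse Folder", "Read Attributes",
              "Read Permissions"}
# Ownership flags: displayed, never settable (see the * note under Table 3-5)
OWNER_FLAGS = {"Take Ownership", "Delete", "Change Permissions"}
GROUP_FLAGS = {"Take Ownership"}


def unix_to_advanced(perms, role="other"):
    """Advanced-view flags shown for a UNIX triple such as 'r-x'.
    role is 'owner', 'owning group' or 'other' (whose ACE the triple is)."""
    if perms == "rwx":
        # Full Control: every box is ticked, ownership flags included
        return READ_FLAGS | WRITE_FLAGS | EXEC_FLAGS | OWNER_FLAGS
    flags = set()
    if perms[0] == "r":
        flags |= READ_FLAGS
    if perms[1] == "w":
        flags |= WRITE_FLAGS
    if perms[2] == "x":
        flags |= EXEC_FLAGS
    if role == "owner":
        flags |= OWNER_FLAGS
    elif role == "owning group":
        flags |= GROUP_FLAGS
    return flags


# Table 3-5: each Windows permission and the UNIX bits it sets
WINDOWS_TO_UNIX = {
    "Full Control": "rwx", "Write": "-w-", "Modify": "rwx",
    "Read and Execute": "r-x", "Read": "r--",
    "List Folder / Read Data": "r--", "Read Attributes": "r--",
    "Read Extended Attributes": "r--", "Read Permissions": "r--",
    "Create Files / Write Data": "-w-", "Create Folder / Append Data": "-w-",
    "Write Attributes": "-w-", "Write Extended Attributes": "-w-",
    "Traverse Folder / Execute File": "--x",
    "Delete Subfolders and Files": "---",   # no meaning on HP-UX
    "Delete": "---", "Change Permissions": "---", "Take Ownership": "---",
}


def windows_to_unix(selected, is_owner=False):
    """UNIX triple the server stores for a set of ticked Windows permissions.
    The CIFS Server never lets the file owner lose read access, so an owner
    ACE with nothing ticked still becomes 'r--'."""
    bits = set()
    for name in selected:
        bits.update(c for c in WINDOWS_TO_UNIX[name] if c != "-")
    if is_owner:
        bits.add("r")
    return "".join(c if c in bits else "-" for c in "rwx")


if __name__ == "__main__":
    print(windows_to_unix({"Modify"}), BASIC_VIEW[windows_to_unix({"Modify"})])
    print(windows_to_unix(set(), is_owner=True))
    print(sorted(unix_to_advanced("--x")))
```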


HP CIFS Server Directory ACLs and Windows 2000/XP Clients

Directory ACL Types

Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory.

Viewing ACLs from Windows 2000 Clients

Windows 2000 or XP can show ACLs on a file or a directory in Basic and Advanced views.

Viewing Basic ACLs from Windows 2000 Clients

Step 1. Right-click on a file or a directory and select Properties


Step 2. Click on the Security tab

Figure 3-7 Basic ACL View

Viewing Advanced ACLs from Windows 2000 Clients

Step 1. Right-click on a file or a directory and select Properties

Step 2. Click on the Security tab


Step 3. Click on the Advanced button

Figure 3-8 Advanced ACL View

Mapping Windows 2000/XP Directory Inheritance Values to POSIX

Under POSIX, default ACEs can apply to both files and subdirectories. In a Windows 2000 or XP environment, directory ACE entries differ from POSIX and use the following Windows Inheritance Values (Apply To values in the Windows Advanced ACE screen) to distinguish access and default behavior:

• This folder only

• This folder, subfolders and files

• This folder and subfolders

• This folder and files


• Subfolders and files only

• Subfolders only

• Files only

When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type.

The following table shows how Windows Inheritance Values are mapped to POSIX:

Table 3-6 Mapping Table for Inheritance Values to POSIX

Inheritance Value                   POSIX Mapping by HP CIFS Server
This Folder only                    Maps to access ACE.
This Folder, Subfolders and Files   An ACE of this type is mapped to both access and default ACE.
This Folder and Subfolders          Maps only to access ACE for this directory.
This Folder and Files               Maps only to access ACE for this directory.
Subfolders and Files only           Maps to default ACE for this directory.
Subfolders only                     This type is not supported and any ACE with this type is ignored by the HP CIFS Server.
Files only                          This type is not supported and any ACE with this type is ignored by the HP CIFS Server.

Modifying Directory ACLs From Windows 2000/XP Clients

NOTE HP-UX directory ACLs are set inconsistently using the ACL Basic permission screen from the Windows 2000 or XP client.


You must use the Windows Advanced permission screen (Directory->Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs.

This section describes how to modify a directory ACE from the Windows 2000 or XP client:

Step 1. Right-click on a directory and select Properties

Step 2. Click on the Security tab

Step 3. Click on the Advanced button

Step 4. Select an ACE, click on the View/Edit tab

Figure 3-9 Modifying ACE Permissions

Step 5. Check/uncheck the boxes next to each permission to add/remove any permissions that you want. Please refer to "Mapping Table for Windows 2000/XP Permissions to UNIX Permissions" for detailed information on how each permission in this window is mapped to UNIX permissions.


Step 6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Please refer to "Mapping Table for Inheritance Values to POSIX" for detailed information.

Step 7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat steps 4 through 6 to modify other ACEs.

Step 8. Click on the OK or Apply button on the Advanced ACE screen.

Figure 3-10 Modifying an ACE Type With Apply To value

IMPORTANT If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button.


If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.

To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.

Removing an ACE entry from Windows 2000/XP clients

For mandatory ACLs (user, owning group, everyone), removing an ACE entry from the Advanced Windows permission screen does not remove that ACE entry on the UNIX system. The HP CIFS Server generates the missing ACEs from the existing access ACEs on the file.

For any other user or group ACEs, removing an ACE entry from the Advanced Windows screen will remove that ACE entry on the HP CIFS Server.

Examples

Following are three examples to show the changes of the directory ACEs on the HP CIFS Server when an ACE entry is removed from the Windows 2000/XP client.

Example 1:

In example 1, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r-x


In example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:

# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:rwx
default:other:r-x

Example 2:

In example 2, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:owning group:r--
default:other:r--

In example 2, if both the access owning group ACE entry, r-x, and the default owning group ACE entry, r--, are removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing owning group ACE entries based on the existing access owning group ACE. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:


# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r--

Example 3:

In example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
access:other group:rw-
default:owner:rwx
default:owning group:r--
default:other group:r-w

In example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server will remove both the access other group and the default other group ACE entries. The following shows the result of the changes for the directory ACEs on the HP CIFS Server:

# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
default:owner:rwx
default:owning group:r--
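The removal rule behind Examples 1 to 3, as an added example that is not HP CIFS Server code: a parser for the listing format above and a function that applies the rule (mandatory access ACEs are kept, mandatory default ACEs are regenerated from the access ACE, any other ACE is removed). The sample listings are constructed from the examples, and the default "other group" value in the third one is a placeholder since that entry is removed anyway.

```python
"""Added example, not HP CIFS Server code: parse the directory ACE listings
shown in Examples 1-3 and model what the server does with ACEs removed from
the Windows Advanced screen."""

# The entries the text calls mandatory: kept on the UNIX side no matter what
# the Windows client sends.
MANDATORY = ("owner", "owning group", "other")


def parse_listing(text):
    """Parse '# header' and 'kind:who:perms' lines. Returns (header_lines,
    entries) where entries maps (kind, who) -> perms in listing order."""
    header, entries = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            header.append(line)
            continue
        kind, who, perms = line.split(":", 2)
        entries[(kind, who)] = perms
    return header, entries


def render_listing(header, entries):
    """Inverse of parse_listing, in the same layout as the examples above."""
    body = [f"{kind}:{who}:{perms}" for (kind, who), perms in entries.items()]
    return "\n".join(header + body)


def remove_aces(entries, removals):
    """removals: iterable of (kind, who) the Windows client dropped.
    A mandatory access ACE is kept, a mandatory default ACE is regenerated
    from the access ACE, any other ACE is really removed. Returns a new dict;
    re-assigning an existing key keeps its position in the listing."""
    result = dict(entries)
    for kind, who in removals:
        if who not in MANDATORY:
            result.pop((kind, who), None)                       # Example 3
        elif kind == "default":
            result[("default", who)] = result[("access", who)]  # Examples 1, 2
        # a mandatory access ACE is left exactly as it was (Example 2)
    return result


def apply_removal(listing_text, removals):
    """Listing text in, updated listing text out."""
    header, entries = parse_listing(listing_text)
    return render_listing(header, remove_aces(entries, removals))


# Constructed sample listings based on Examples 1, 2 and 3 above.
EXAMPLE_1 = """\
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r-x
"""

EXAMPLE_2 = """\
# file:testdir
# owner:testuser
# owning group:users
access:owner:rwx
access:owning group:r-x
access:other:rwx
default:owner:rwx
default:owning group:r--
default:other:r--
"""

EXAMPLE_3 = """\
# file:testdir
# owner:testuser
# owning group:users
# other group:testgroup
access:owner:rwx
access:owning group:r-x
access:other group:rw-
default:owner:rwx
default:owning group:r--
default:other group:r--
"""

if __name__ == "__main__":
    print(apply_removal(EXAMPLE_1, [("default", "owning group")]), "\n")
    print(apply_removal(EXAMPLE_2, [("access", "owning group"),
                                    ("default", "owning group")]), "\n")
    print(apply_removal(EXAMPLE_3, [("access", "other group"),
                                    ("default", "other group")]))
```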

Adding Directory ACLs From Windows 2000/XP Clients

This section describes how to add a directory ACE from the Windows 2000 or XP client:

Step 1. Right-click on a directory and select Properties

Step 2. Click on the Security tab

Step 3. Click on the Advanced button

Step 4. Click on the Add button; a select user or group window is displayed

Step 5. You may select any user or group from those available.

Step 6. Click on OK; you will be prompted to enter ACE permissions and the type of ACE

Step 7. Enter the desired permissions, click on OK


Step 8. You will be taken to the ACE Advanced view screen; click on the OK or Apply button to add the new ACE

Figure 3-11 Selecting a new ACE user or group

IMPORTANT POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.

POSIX Default Owner and Owning Group ACLs

With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group.

In HP CIFS Server versions A.01.09 and below, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on the corresponding access and default ACEs.


With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same.

Changing permissions on Windows Creator Owner and Creator Group ACEs will only modify POSIX default owner and owning group ACEs on the HP CIFS Server.

POSIX ACEs with zero permissions

POSIX owning group and everyone ACEs with zero permissions are not displayed in the Windows interface. For example, if a directory owning group has zero permissions on the HP CIFS Server, an ACE for that owning group will not be shown on the Windows interface. ACEs for any other user or group with zero permissions are shown with no permissions in the Windows interface.

POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.


Configuring Samba ACL Support

For HP CIFS Version A.01.07

In non-HP Samba versions, you could only turn Samba's NT ACL Support on or off on a serverwide basis. When turned on, UNIX file permission support was enabled for all Samba shares. There was no support for any ACL scheme, including VxFS POSIX ACLs. Instead, you configured the old NT ACL support through the smb.conf variable nt acl support. This functionality is still supported in the HP CIFS product.

In HP CIFS, however, there is a new smb.conf variable that you can use to configure Samba ACL support. And, with this Samba version, you may configure every share on the Samba server differently.

Since there may be many UNIX file systems under the root of a Samba share, one Samba share may have files on HFS file systems, VxFS 3.3 file systems, NFS file systems, and older VxFS file systems. If you assign one type of ACL support for the share, you might not be taking full advantage of the capabilities of each file system located there. So with this version of Samba you can create a list of ACL schemes for each share.

The list of ACL schemes specifies the order that ACL schemes will be attempted on a file in that share. Currently the ACL scheme unix is supported (meaning UNIX file permissions) and hpux_posix is supported (meaning VxFS POSIX ACLs on HP-UX).

In the examples below, assume that HP-UX HFS ACLs are also supported and that this scheme is called hpux_hfs. The name of the per-share variable in the smb.conf is acl_schemes.

Examples:

Following are five examples of ACL schemes.

Example 1:

acl schemes = hpux_posix hpux_hfs unix

If a share has this acl schemes parameter set, Samba will attempt to use VxFS POSIX ACLs. If that scheme is not supported, it tries HFS ACLs. And, if that scheme is not supported, it would use UNIX file permissions.


If a Windows client makes a request to see the ACL for a file on an HFS file system in that share, Samba attempts to use the POSIX ACL system call. It will fail and return an error indicating that the ACL scheme is not supported on that file. Then Samba would try the HFS ACL system call and it would succeed. The user would not see the initial failure described in this example.

Example 2:

acl schemes = unix

This is the default ACL scheme. The default ignores UNIX ACL capabilities and uses UNIX file permissions, as was the case with previous versions of Samba.

Example 3:

acl schemes = none

This ACL example turns off all ACL support for the share and causes an error to be returned whenever a client tries to get or to set ACL information on any file system on the share.

Example 4:

acl schemes = hpux_posix

This ACL example supports only VxFS POSIX ACLs on the entire share. For files on NFS, HFS or VxFS pre-3.3 file systems, all attempts from the client to get or to set ACLs will fail. This example will not fall back to the UNIX file permissions. ACL support will only work for files on file systems supporting POSIX ACLs (currently VxFS 3.3 or higher).

Example 5:

acl schemes = unix hpux_posix

This ACL example is the same as setting acl schemes to unix (Example 2) because UNIX file permissions are supported on every UNIX file system type. This means the scheme will never fall through to the next ACL scheme in the list. The unix scheme will be the first and last scheme attempted in each case.

The examples described above show how any combination of ACL schemes can be supported on a Samba share.

If you plan to have many schemes in the ACL scheme list, you will want to set up the best order to maximize efficiency. For example, if the files accessed the most are all on a VxFS 3.3 file system, put hpux_posix first on the ACL scheme list for that share. Otherwise, Samba will make many system calls for other ACL schemes before it locates the right one. This prioritization will become even more important in the future when Samba supports more and more ACL types.

For HP CIFS Version A.01.08

With HP CIFS Server version A.01.08, the "nt acl support" configuration variable is made share level. It was previously a Global level variable. Its default value is "yes". Using this variable, users can now control the ACL support on a per-share basis.

Except for setting the above variable, there is no other special configuration needed for supporting ACLs.

For a share supporting NT ACLs, the CIFS Server always tries to get, or set, POSIX ACLs on the UNIX file system. If the underlying file system does not support POSIX ACLs, then the CIFS Server will use the UNIX file permissions. In such a case, the user will only be able to set or get the three default ACEs (owner, group and everyone). Additional ACEs will be ignored.

With version A.01.08 of the CIFS Server, the configuration variable "acl schemes" (which exists in version A.01.07, and below) is not supported. However, having this variable in the configuration file will not hurt CIFS Server operation.

The user is advised to remove or comment out occurrences of these variables from the configuration file (smb.conf) to prevent confusion.

IMPORTANT VxFS POSIX ACL file permissions only work when JFS 3.3 disk layout version 4 is installed on your system. For HP-UX 11.11, JFS 3.3 and disk layout version 4 are installed by default. Learn how to install JFS 3.3 on HP-UX 11.0 in the HP JFS 3.3 and HP OnLineJFS 3.3 Release Notes (MPN B3929-90007) located at www.docs.hp.com. Learn about installing and upgrading disk layout versions in the HP JFS 3.3 and HP OnLineJFS 3.3 VERITAS File System 3.3 System Administrator's Guide (MPN B3929-90011) located at www.docs.hp.com.


In Conclusion

Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows NT/XP/2000 clients.

With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can now be done from an NT/XP/2000 client (with the exception of the class entry for VxFS POSIX ACLs).

Windows applications running on the Windows NT/XP/2000 client cannot expect full NT/XP/2000 ACL support. Although much of the NT/XP/2000 ACL information is retained and retrieved by the Samba server, some of the information may be lost or changed in some cases.

The ACL support is not an NT/XP/2000 ACL emulation, but rather access to UNIX ACLs through the NT/XP/2000 client. Therefore you cannot run Windows applications which require full, perfect NT/XP/2000 ACL support.


4 Primary Domain Controller (PDC) Support


Introduction

This chapter describes how to set up and configure an HP CIFS Server as a Primary Domain Controller (PDC).

The following is a list of recent enhancements for the HP CIFS Server. Those that are new for version A.01.08 have been identified as such.

• Continue the support for joining a Samba server to the Windows NT domain as a member server

• New for A.01.08: provide the ability to act as a Primary Domain Controller (PDC) for Windows clients, which include Windows 95, 98, NT, XP and 2000

• New for A.01.08: provide the Domain login feature for Windows NT 4.0 SP3+, XP and 2000 member servers and Samba member servers

• New for A.01.08: support mapping of a Windows built-in group and username to a UNIX group

• New for A.01.08: support Windows NT logon scripts

• New for A.01.08: view resources on a Samba PDC using Microsoft's "Server Manager for Domains" tool

• New for A.01.08: support local and roaming profiles

• New for A.01.08: support the specified logon home share on a Samba server

NOTE Version A.01.08 of the HP CIFS Server does not support Security Accounts Manager (SAM) databases (containing NT user account information) nor does it provide any Backup Domain Controller (BDC) features, and will not support BDCs in a domain for which it is serving as a PDC.

Advantages of the Domain Model

The Windows NT domain model provides a number of advantages:


• Windows NT administrators may group workstations and servers under the authority of a domain controller

• Domain members may be centrally administered by using domains to group related machines. One of the benefits of this is the ability for user accounts to be common for multiple systems. A user may now make one password change which will affect multiple systems accessed by that user. Another benefit is that IT administration work is reduced, since there is no longer a need for individual accounts to be administered on each system

Primary Domain Controllers

The Primary Domain Controller (PDC) is responsible for several tasks within the domain. These include:

• Authenticating user logons for users and workstations that are members of the domain

• Acting as a centralized point for managing user account and group information for the domain

• A user logged on to the Primary Domain Controller (PDC) as the domain administrator can add, remove or modify Windows domain account information on any machine that is part of the domain

• It should be noted that the current version of the PDC does not support having a BDC in the domain. Because of this, if the PDC fails, there is no way for Windows Client users of the domain to be authenticated. And, if a disk fails on the PDC, there is no backup on the domain with the critical credential data. This means that it is very important to make backups of users' credential files. It also means that there is no system that can be easily promoted to a PDC to take the place of the existing PDC

Domain Members

• The following member servers are supported:

— Windows NT

— Windows 2000

— Windows XP

— HP CIFS


— AS/U

• Users on a domain member machine can access network resources within the domain. Some examples of these resources are file and printer shares and application servers

• Domain members do not perform the user authentication for user logons. Instead, the member sends the credentials to a domain controller via a secure channel. The domain controller checks the credentials against those in its database and returns the results to the member server. Access is granted based on the results returned


Create the Machine Trust Accounts

A Machine Trust Account for a Windows Client (Client=member server) on an HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$".

For PDCs not using LDAP (default), machine accounts will have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts).

For PDCs using LDAP, machine accounts will have posixAccount and sambaAccount object class entries in a directory server database.

The following steps are used to create a machine account for a Windows Client on an HP CIFS Server acting as a Primary Domain Controller (PDC):

1. Create the UNIX or POSIX account for a Windows Client:

• Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if LDAP is disabled:

$ useradd -c NT_workstation -d /home/temp -s /bin/false client1$

As an example, the resulting entry in the /etc/passwd file for a client machine named "client1" would be:

client1$:*:801:800:NT_Workstation:/home/temp:/bin/false

where 801 is a uid and 800 is the group id of a group called "machines." A uid or group id can be any unique number. You may find that uid values 0 through 100 are considered special, and/or server specific. This may, or may not, apply to your system.

The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false.

• Use the following command to create the posixAccount entry for a Windows client in the LDAP directory if LDAP is enabled:


$ /opt/samba/LDAP/smbldap-tools/smbldap-useradd.pl client1$

As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be:

objectClass: posixAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logofftime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
rid: 1206
primaryGroupID: 1041
acctFlags: [W ]
displayName: client1$

2. Run the smbpasswd program on the Samba PDC server to create the Windows account:

• Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if LDAP is disabled:

$ smbpasswd -a -m client1

An example of the associated machine entry in the/etc/opt/samba/private/smbpasswd file for a client machinenamed “client1” would be:

client1$:*801:800:ED816800D0393DAAD3B435B51404EE:321ABEEFE10EC431B9AAFF1A1D0D47:[W ]:LCT-0000000:

• Use the following command to add the sambaAccount entry for a Windows client to the LDAP directory server if LDAP is enabled:

$ smbpasswd -a -m client1

An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:


objectClass: posixAccount
objectClass: sambaAccount
cn: client1$
uid: client1$
uidNumber: 1000
gidNumber: 200
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466492
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
rid: 1206
primaryGroupID: 1041
lmPassword: E0AFF63989B8FA6576549A685C6AFAF1
ntPassword: E0AFF63989B8FA6576549A685C6AFAF1
acctFlags: [W ]
displayName: client1$
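As an added example (not code from the HP guide), the following POSIX shell functions build and audit the machine trust account entries described in steps 1 and 2: the account name is the NetBIOS host name with “$” appended (at most 15 characters), the Unix password field is locked, and the shell is /bin/false because the account is only ever used through smbpasswd. The ou=Computers container and the dc=example,dc=com base DN in the LDIF are assumptions, not values from the guide.

```sh
#!/bin/sh
# Added example, not code from the HP CIFS Server guide: build and audit
# machine trust account entries for an HP CIFS (Samba 2.2) PDC.

# Trust account name: NetBIOS host name (1-15 chars, no '$') plus '$'.
# Returns 1 and prints nothing for an invalid host name.
machine_account_name() {
    name=$1
    case "$name" in
        ''|*'$'*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ ${#name} -le 15 ] || return 1
    printf '%s$\n' "$name"
}

# /etc/passwd line for the LDAP-disabled case: locked Unix password ('*'),
# the uid and the gid of the "machines" group, no usable shell.
passwd_entry() {
    acct=$(machine_account_name "$1") || return 1
    printf '%s:*:%s:%s:NT_Workstation:/home/temp:/bin/false\n' "$acct" "$2" "$3"
}

# posixAccount LDIF for the LDAP-enabled case. smbpasswd -a -m later adds
# the sambaAccount attributes; the container and base DN are assumptions.
machine_ldif() {
    acct=$(machine_account_name "$1") || return 1
    cat <<EOF
dn: uid=$acct,ou=Computers,dc=example,dc=com
objectClass: posixAccount
cn: $acct
uid: $acct
uidNumber: $2
gidNumber: $3
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x
EOF
}

# Audit one /etc/passwd line: prints each problem found, returns 1 if any.
# A trust account must end in '$', must not have a usable Unix password
# (its real secret lives in smbpasswd or LDAP) and must not get a shell.
check_trust_entry() {
    IFS=: read -r user pw uid gid gecos home shell <<EOF
$1
EOF
    rc=0
    case "$user" in
        *'$') ;;
        *) echo "$user: name does not end in \$"; rc=1 ;;
    esac
    [ "$pw" = '*' ] || { echo "$user: password field is '$pw', expected '*'"; rc=1; }
    [ "$shell" = /bin/false ] || { echo "$user: shell is '$shell', expected /bin/false"; rc=1; }
    return $rc
}

# Usage: generate the entries for a client named "client1".
passwd_entry client1 801 800
machine_ldif client1 1000 200
```

Run check_trust_entry over each line of /etc/passwd whose first field ends in “$” to find trust accounts that were given a real password or a login shell by hand.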


Configure Domain Users

The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on an HP CIFS Server configured as a PDC.

• Create a Domain User in the group named “users”. Use /sbin/sh as the login shell if the account is for a root-level user, and /usr/bin/sh otherwise. For example:

useradd -g users -c "Domain Users" -s /sbin/sh domuser

or

useradd -g users -c "Domain Users" -s /usr/bin/sh domuser

where domuser is the name of a Domain User.

• Create a Domain Administrator in the group named “adm”, again with /sbin/sh as the login shell for a root-level user and /usr/bin/sh otherwise. For example:

useradd -g adm -c "Domain Administrators" -s /sbin/sh domadmin

or

useradd -g adm -c "Domain Administrators" -s /usr/bin/sh domadmin

where domadmin is the name of a Domain Administrator. Membership in the “adm” group is what the domain admin group mapping described later in this chapter turns into domain administrator rights, so add only the accounts that need them.

• Create a Domain Guest in the group named “users”, with the same choice of login shell. For example:

useradd -g users -c "Domain Guest" -s /sbin/sh domguest

or

useradd -g users -c "Domain Guest" -s /usr/bin/sh domguest

where domguest is the name of a Domain Guest.

Be sure that all of the users created in the examples above have been added to the /etc/passwd file (or, if LDAP is enabled, to the directory) and have an smbpasswd entry before they log on to the domain.


Configure the HP CIFS Server as a PDC

When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server must hold machine accounts for the Windows clients and member servers that join the domain. To enable this feature, choose “Primary Domain Controller” when executing samba_setup, then verify the following:

1. The smb.conf file contains the following. Samba treats “#” or “;” as a comment only at the start of a line, so a comment placed after a value would become part of that value; keep comments on their own lines:

[global]
    # Samba domain name
    workgroup = SAMBADOM
    security = user
    domain logons = yes
    domain master = yes
    encrypt passwords = yes

[netlogon]
    comment = The domain logon service
    path = /var/opt/samba/netlogon
    writeable = no
    guest ok = no

2. The /var/opt/samba/netlogon directory for the domain logon service exists.

NOTE domain logons: This parameter must be set to “yes” in order for the HP CIFS Server to act as a PDC.

encrypt passwords: If this parameter is set to “yes”, clients authenticate with NTLM challenge/response against the hashes stored in smbpasswd (or LDAP) instead of sending passwords in clear text. This parameter must be set to “yes” when an HP CIFS Server is configured to act as a PDC.

Configuration Options

The configurations shown in this section are not required for basic PDC functionality.


Map an NT Domain Admin Group to a Unix Group

A Samba server configured as a PDC can map the Windows NT Domain Admins group to a Unix group.

Modify the smb.conf file to set the global parameter named domain admin group to the Unix admin user and group. Example:

[global]
    domain admin group = root @adm

In this example, you must create a group called “adm” in the /etc/group file. Every member of that Unix group is treated as a domain administrator, so keep its membership limited to the accounts that need those rights.

Map an NT Domain Guest Group to a Unix Group

A Samba server configured as a PDC can map the Windows NT Domain Guests group to a Unix group.

Modify the smb.conf file to set the global parameter named domain guest group to the Unix guest user and built-in group. Example:

[global]
    domain guest group = guest @guest

In this example, you must create a group called “guest” in the /etc/group file.


Join a Windows Client to a Samba Domain

1. Verify the following parameters in the smb.conf file:

Set the security parameter to “user.”

Set the workgroup parameter to the name of the domain.

Set the encrypt passwords parameter to “yes.”

[global]
    security = user
    # SAMBA domain name
    workgroup = SAMBADOM
    domain logons = yes
    encrypt passwords = yes

2. Create the UNIX or POSIX account for a Windows client:

• Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if LDAP is disabled (the “machines” group must already exist in /etc/group):

$ useradd -c NT_Workstation -g machines -d /home/temp -s /bin/false client1$

As an example, the resulting entry in the /etc/passwd file for a client machine named “client1” would be:

client1$:*:803:808:NT_Workstation:/home/temp:/bin/false

where 803 is the uid and 808 is the group id of the group called “machines.” A uid or group id can be any unique number. uid values 0 through 100 are often reserved for system accounts; whether this applies depends on your system.

The machine account name is the machine’s NetBIOS name with a dollar sign character (“$”) appended. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and should be set to /bin/false so the account cannot be used for an interactive login.

• Use the following command to create the posixAccount entry for a Windows client in the LDAP directory if LDAP is enabled:

$ /opt/samba/LDAP/smbldap-tools/smbldap-useradd.pl client1$


As an example, the resulting entry in the LDAP directory server for a client machine named “client1” would be:

objectClass: posixAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logoffTime: 2147483650
kickoffTime: 2147483650
pwdCanChange: 0
pwdMustChange: 2147483650
rid: 1206
primaryGroupID: 1041
acctFlags: [W ]
displayName: client1$

3. Run the smbpasswd program on the Samba PDC server to create the Windows (machine trust) account:

• Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if LDAP is disabled (smbpasswd appends the trailing “$” itself if it is omitted):

$ smbpasswd -a -m client1

An example of the associated machine entry in the /var/opt/samba/private/smbpasswd file for a client machine named “client1” would be:

client1$:*803:808:ED816822D0393DAAD3B435B51404DD:321ABEEFE10EC431B9BBFF1A1C0C047:[W ]:LCT-0000000:

• Use the following command to add the sambaAccount entry for a Windows client to the LDAP directory server if LDAP is enabled:

$ smbpasswd -a -m client1

An example of the associated machine entry in the LDAP directory server for a client machine named “client1” would be:

objectClass: posixAccount
objectClass: sambaAccount
cn: client1$
uid: client1$
uidNumber: 1002
gidNumber: 202
homeDirectory: /home/temp
loginShell: /bin/false
gecos: Samba_Server
description: Samba_Server
userPassword: {crypt}x
pwdLastSet: 1076466300
logonTime: 0
logoffTime: 2147483650
kickoffTime: 2147483650
pwdCanChange: 0
pwdMustChange: 2147483650
rid: 1206
primaryGroupID: 1041
lmPassword: E0AFF63989B8FA6576549A685C6ADFC1
ntPassword: E0AFF63989B8FA6576549A685C6ADFC1
acctFlags: [W ]
displayName: client1$

4. Log on to the Windows NT client as a local administrator.

5. From the Windows NT desktop, click ‘Start’, ‘Settings’ and ‘Control Panel’. When the Control Panel window opens, double-click the ‘Network’ icon. When the ‘Network’ window opens, click the ‘Identification’ tab. Refer to Figure 4-1 below.

6. Enter the Samba domain name in the ‘Domain’ field, and click the ‘Change’ button. Refer to Figure 4-1 below.

Figure 4-1 Entering A Samba PDC Domain Name


Roaming Profiles

The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features:

• A user’s environment, preference settings, desktop settings, etc. are stored on the HP CIFS Server

• Roaming Profiles are held in a share, so they follow the user between Windows clients

• When a user logs on to a workstation in the domain, the roaming profile is downloaded from the share on the HP CIFS Server configured as a PDC to the local machine. Upon logout, the profile is copied back to the server

Configuring Roaming Profiles

Use the following procedure to configure roaming profiles:

1. Enable roaming profiles with the global parameter named logon path in the smb.conf file. The path must name the profiles share created in step 2 (here [profiles]); %L expands to the server’s NetBIOS name and %U to the user name, so each user gets a separate profile directory. Example:

[global]
    logon path = \\%L\profiles\%U
    workgroup = SAMBADOM
    security = user
    encrypt passwords = yes
    domain logons = yes

2. Create a [profiles] share for roaming profiles. The following is an example configuration for the [profiles] share; create mode = 600 makes the files in a user’s profile readable only by that user:

[profiles]
    path = /var/opt/samba/profiles
    writeable = yes
    create mode = 600
    directory mode = 770
    browseable = no
    guest ok = no


Configuring User Logon Scripts

The logon script configuration must meet the following requirements:

• User logon scripts should be stored in a file share called [netlogon] on the HP CIFS Server.

• Scripts should be set to UNIX executable permission.

• Any logon script should contain only valid commands recognized by the Windows client.

• A logon user should have proper access permissions to execute logon scripts.

The following is an example configuration for user logon scripts:

[global]
    logon script = %U.bat

[netlogon]
    path = /var/opt/samba/netlogon
    writeable = no
    browseable = no
    guest ok = no

In this example, the batch (.bat) file is executed from a file share called [netlogon] on an HP CIFS Server configured as a PDC; %U expands to the user name, so the user domuser runs domuser.bat. Keep the share read-only for users (writeable = no, as in the PDC configuration earlier in this chapter) and place the scripts there as root: every client in the domain executes these scripts, so a share that ordinary users can write to would let any one of them change what runs on everybody else’s workstation.

Running Logon Scripts When Logging On

An HP CIFS Server configured as a PDC can enable the execution of logon scripts when users log on. To enable this feature, the following must be done:

• User logon scripts should be stored in a file share on the HP CIFS Server called [netlogon].

• The HP CIFS Server enables the execution of logon scripts by setting the global parameter named logon script in the smb.conf file.

• Any logon script that is to be executed on a Windows client must be in DOS text format (CRLF line endings) and have executable permission.
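As an added example (not code from the HP guide), the following shell functions enforce the requirements above for a script in the netlogon share: they convert a script to DOS (CRLF) text without doubling an existing CR, verify that every line ends in CRLF, and refuse a script that lacks the executable bit or is writable by group or others. The permission check matters because every domain user’s client runs these scripts, so a script that other users can modify is a direct way for one user to run commands on everyone else’s workstation. The sample script is constructed for the example; the share path /var/opt/samba/netlogon is the one the guide uses.

```sh
#!/bin/sh
# Added example, not code from the HP CIFS Server guide: prepare and
# check user logon scripts stored in the [netlogon] share.

# Rewrite FILE as DOS text (CRLF line endings). Idempotent: an existing
# CR is stripped before the CRLF is added. The original inode and its
# permission bits are kept because the content is copied back in place.
to_dos() {
    f=$1
    awk '{ sub(/\r$/, ""); printf "%s\r\n", $0 }' "$f" > "$f.tmp" &&
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
}

# Return 0 if every line of FILE ends in CRLF (an empty file passes).
is_dos_text() {
    awk '!/\r$/ { bad = 1 } END { exit bad }' "$1"
}

# Check DIR/NAME.bat, the script that "logon script = %U.bat" selects for
# user NAME: it must exist, be DOS text, carry the executable bit, and not
# be writable by group or others. Prints each problem; returns 1 if any.
check_netlogon_script() {
    f=$1/$2.bat
    rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    is_dos_text "$f" || { echo "$f: not DOS (CRLF) text"; rc=1; }
    [ -x "$f" ] || { echo "$f: not executable"; rc=1; }
    if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$f: writable by group or others"; rc=1
    fi
    return $rc
}

# Usage with a constructed script in a scratch copy of the share layout
# (the real share is /var/opt/samba/netlogon).
share=${TMPDIR:-/tmp}/netlogon.$$
mkdir -p "$share"
cat > "$share/domuser.bat" <<'EOF'
@echo off
net use H: \\SAMBAPDC\domuser
EOF
chmod 755 "$share/domuser.bat"
to_dos "$share/domuser.bat"
check_netlogon_script "$share" domuser && echo "domuser.bat ok"
rm -rf "$share"
```

On the PDC, run check_netlogon_script against /var/opt/samba/netlogon for each user name after editing a script; a script edited with a Unix editor silently loses its CRLF endings and then fails on the client.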


Home Drive Mapping Support

An HP CIFS Server provides user home directories and home drive mapping by using the following two global parameters in the smb.conf file:

• logon home

• logon drive

Example (%L expands to the server’s NetBIOS name and %U to the user name, so each user’s home share is mapped to drive H: at logon):

[global]
    logon drive = H:
    logon home = \\%L\%U


5 Domain Member Server Support

This chapter describes the process for joining an HP CIFS Server to a Windows NT or Samba domain.


Join an HP CIFS Server to a Windows NT, Windows 2000 or Samba Domain

Step-by-step Procedure

1. Choose “Domain Member Server” when executing samba_setup. When prompted, you will need to add your domain member server machine account to the PDC.

For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS member server by performing the following steps:

a. Open Start > Programs > Administrative Tools > Server Manager.

b. Select Computer > Add to Domain and enter the host name of the HP CIFS Server.

c. Choose the “Windows NT Workstation or Server” option when you are asked for the computer type.

For Windows 2000: Go to the Windows 2000 domain controller and create a machine account for the HP CIFS member server by using the Active Directory Controller Wizard.

The HP CIFS Server only supports NTLM security; it does not use Kerberos or Active Directory (ADS) authentication.

For Samba (including HP CIFS): Go to the Samba server acting as a PDC and create a machine account for the HP CIFS member server by following the steps in the Chapter 4 section titled “Create the Machine Trust Accounts.” samba_setup will then perform the following command for you:

smbpasswd -j NTDOM -r DOMPDC

The NTDOM parameter is the Windows NT domain name.

The DOMPDC parameter is the NetBIOS name of the Windows PDC machine. The join sets the member server’s machine account password, which the server uses from then on to authenticate itself to the PDC; it is not a user’s password.

2. Verify the following parameters in the smb.conf file:


[global]
    security = domain
    # Windows NT or Samba domain name
    workgroup = NTDOM
    password server = DOMPDC
    encrypt passwords = yes

NOTE workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member.

security: When the HP CIFS Server joins a domain as a member, this parameter must be set to “domain”.

password server: This parameter defines the NetBIOS name of the PDC machine which performs the username authentication and validation.

encrypt passwords: If this parameter is set to “yes”, clients authenticate with NTLM challenge/response rather than sending passwords in clear text. It must be “yes” for a domain member, because only the challenge/response form can be passed to the PDC for validation.
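As an added example (not code from the HP guide), the following shell script checks an smb.conf against the [global] settings this chapter and Chapter 4 require: for a PDC, security = user, domain logons = yes, domain master = yes and encrypt passwords = yes with a workgroup set; for a domain member, security = domain, encrypt passwords = yes, and workgroup and password server set. It normalises parameter names the way Samba does (case and embedded spaces are ignored) and rejects a value that carries a trailing “#” comment, because Samba treats “#” or “;” as a comment only at the start of a line and would otherwise take “SAMBADOM #Samba Domain” as the literal workgroup name. The three sample configurations are constructed for the example.

```sh
#!/bin/sh
# Added example, not code from the HP CIFS Server guide: verify the
# [global] smb.conf settings required for a PDC or a domain member.

# Print "name=value" for every parameter in [global]. Names are lower-cased
# with whitespace removed, which is how Samba matches them. A line starting
# with '#' or ';' is a comment; a '#' after a value is part of the value.
global_params() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec && /=/ {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print tolower(name) "=" val
        }' "$1"
}

# Print the (last) value of normalised parameter NAME in FILE; return 1 if unset.
param() {
    global_params "$1" | awk -F= -v n="$2" '
        $1 == n { v = $0; sub(/^[^=]*=/, "", v); found = 1 }
        END { if (found) print v; exit !found }'
}

# Require NAME to be set in FILE and, if a third argument is given, to have
# that value ("yes" also accepts true/1). Prints the problem; returns 1.
expect() {
    got=$(param "$1" "$2") || { echo "$2: missing"; return 1; }
    case "$got" in
        *'#'*|*';'*) echo "$2: '$got' contains a comment marker, which Samba keeps as part of the value"; return 1 ;;
    esac
    [ -n "$3" ] || return 0
    lc=$(printf '%s' "$got" | tr 'A-Z' 'a-z')
    case "$3:$lc" in yes:true|yes:1) lc=yes ;; esac
    [ "$lc" = "$3" ] || { echo "$2: is '$got', expected '$3'"; return 1; }
}

# Chapter 4 PDC requirements.
check_pdc() {
    rc=0
    expect "$1" workgroup || rc=1
    expect "$1" security user || rc=1
    expect "$1" domainlogons yes || rc=1
    expect "$1" domainmaster yes || rc=1
    expect "$1" encryptpasswords yes || rc=1
    return $rc
}

# Chapter 5 domain member requirements.
check_member() {
    rc=0
    expect "$1" workgroup || rc=1
    expect "$1" passwordserver || rc=1
    expect "$1" security domain || rc=1
    expect "$1" encryptpasswords yes || rc=1
    return $rc
}

# Constructed sample configurations, written under DIR.
write_samples() {
    cat > "$1/pdc.conf" <<'EOF'
[global]
   workgroup = SAMBADOM
   security = user
   domain logons = yes
   domain master = yes
   encrypt passwords = yes
[netlogon]
   path = /var/opt/samba/netlogon
EOF
    # Two common mistakes: a trailing comment and the misspelt "domain logon".
    cat > "$1/pdc-bad.conf" <<'EOF'
[global]
   workgroup = SAMBADOM #Samba Domain
   security = user
   domain logon = yes
   domain master = yes
   encrypt passwords = yes
EOF
    cat > "$1/member.conf" <<'EOF'
[global]
   security = domain
   workgroup = NTDOM
   password server = DOMPDC
   encrypt passwords = yes
EOF
}

dir=${TMPDIR:-/tmp}/smbconf-check.$$; mkdir -p "$dir"
write_samples "$dir"
check_pdc "$dir/pdc.conf" && echo "pdc.conf: ok"
check_pdc "$dir/pdc-bad.conf" || echo "pdc-bad.conf: rejected"
check_member "$dir/member.conf" && echo "member.conf: ok"
rm -rf "$dir"
```

Point check_pdc or check_member at the server’s own /etc/opt/samba/smb.conf after running samba_setup; the script only reads [global], so share-level settings such as the netlogon share’s writeable = no still need to be checked by hand.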


6 LDAP Integration Support

This chapter describes the HP CIFS Server with LDAP integration. It includes the benefits of LDAP and procedures to install, configure and verify the HP Netscape Directory Server, the HP LDAP-UX Integration product and the HP CIFS Server software. It contains the following sections:


• “Overview” on page 109

• “Network Environments” on page 111

• “Summary of Installing and Configuring” on page 115

• “Installing and Configuring Your Netscape Directory Server” on page 116

• “Installing LDAP-UX Client Services on an HP CIFS Server” on page 118

• “Configuring the LDAP-UX Client Services” on page 119

• “Migrating Your data to the Netscape Directory” on page 124

• “Extending Samba subschema into Your Directory Server” on page 129

• “Configuring the HP CIFS Server” on page 131

• “Installing your Samba Users in the Directory” on page 134

• “LDAP management Tools” on page 137

• “Limitations with the LDAP Feature Support” on page 147


Overview

Lightweight Directory Access Protocol (LDAP) provides a framework for the development of a centralized management infrastructure. LDAP supports directory enabled computing by consolidating applications, services, user accounts, Windows account and configuration information into a central LDAP directory.

Samba customer sites with large numbers of users and servers may want to integrate the HP CIFS Server with LDAP support. Configuring multiple HP CIFS servers to communicate with the LDA directory server provides centralized and scalable management of user databases. When you integrate the HP CIFS Server with the LDAP-UX Integration product on HP-UX, the HP CIFS Server can access the Netscape Directory Server for user authentication. The LDAP database can replace /etc/passwd or NIS and smbpasswd or NT server user databases.

You can now store in an LDAP directory the Windows user information that was previously stored in the smbpasswd file. With the LDAP integration, the smbd program uses the LDAP directory to look up Windows user information during authentication and authorization. Also, when you invoke the smbpasswd program to add, delete or change Windows user information, updates are made in the LDAP user database rather than the smbpasswd file.

You can enable LDAP support with new configuration parameters provided by the HP CIFS Server. By default, the ldap enable parameter is disabled, which results in smbpasswd or Windows server authentication. See “LDAP Configuration Parameters” on page 131 for a list of the new configuration parameters.

NOTE While the HP CIFS Server may operate satisfactorily with other LDAP products, HP only provides LDAP support for the HP CIFS Server with HP LDAP-UX Integration, J4269AA, and HP Netscape Directory Server, J4258C, product configurations.


NOTE The HP CIFS Server does not support SSL between the CIFS server and the LDAP directory in release version A.01.11. Because the CIFS server reads the Windows password hashes from the directory during authentication (see “The CIFS Authentication with LDAP Integration” later in this chapter), the LDAP traffic between the CIFS server and the directory server travels in clear text and should be confined to a trusted network.

HP CIFS Advantages

The HP CIFS Server with LDAP support provides the following benefits:

• Reduces the need to maintain user account information across multiple HP CIFS servers, as LDAP provides centralized user database management.

• Easily adds multiple HP CIFS servers or users to the LDAP directory environment. This greatly improves the scalability of the HP CIFS Server.

• Stores and looks up user account information in the LDAP directory. This reduces the user lookup time for large databases by providing an indexed search rather than a sequential search.

• The smbpasswd file has no room for additional attributes. With LDAP support, the schema is extensible and you can store more user information in the LDAP directory. This also eliminates the need for additional employee and user databases.


Network Environments

The HP CIFS Server supports many different network environments. Features such as WINS, browser control, domain logons, roaming profiles, and many others continue to be available to support a diverse range of network environments. LDAP integration provides one more alternative solution for Samba user authentication.

Domain Model Networks

CIFS Server Acting as the Primary Domain Controller (PDC)

Since PDCs are responsible for Windows authentication, HP CIFS Servers configured as PDCs replace smbpasswd with an LDAP-enabled directory server for Windows authentication. Other Samba configuration items may remain unchanged. Administrators of new LDAP configurations must also install the HP LDAP-UX Integration software and configure the LDAP client. This also permits the consolidation of POSIX and Windows users on the LDAP directory server.

CIFS Server Acting as the Member Server

HP CIFS Servers acting as member servers in the domain model network environment can continue to operate as member servers by leaving their Samba configuration unchanged. Windows authentication requests continue to be managed by the PDC, whether through LDAP or smbpasswd. Administrators of new LDAP configurations may want to install the HP LDAP-UX Integration software and configure the LDAP client to consolidate POSIX and Windows users on the LDAP directory server.

If a member server (security = domain) is also configured to enable LDAP, it still tries to authenticate via the PDC first. If the PDC authentication fails, it then tries to authenticate directly against the LDAP directory server set in its own smb.conf configuration file. Keep the two databases consistent if you rely on this fallback: a logon the PDC has rejected is retried against the directory, so an account that has been disabled or changed only on the PDC may still be accepted from its unchanged directory entry.

NOTE The current HP CIFS Server does not support the Backup Domain Controller (BDC).


NOTE The HP CIFS Server does not support Microsoft Active Directory Services (ADS) configurations.

Advanced Server for UNIX/9000 (ASU) Servers

With LDAP integration, the centralized management of user data helps you migrate from ASU to the CIFS Server. ASU PDC servers can migrate users to /etc/passwd entries using the migration help package available at http://software.hp.com. The HP CIFS Server provides the /opt/samba/bin/syncsmbpasswd tool to create entries in the smbpasswd file. With entries in the /etc/passwd and smbpasswd files, you can consolidate both ASU users and UNIX users in an LDAP directory using the migration scripts discussed later in this chapter.

Workgroup Model Networks

HP CIFS Servers configured with server mode security attempt to authenticate Windows users on the server specified. If LDAP is enabled, authentication falls back to the LDAP server if the server mode authentication fails.

HP CIFS Servers configured with share mode security may replace smbpasswd with an LDAP directory server.

HP CIFS Servers configured as stand-alone user mode servers may replace smbpasswd with an LDAP directory server.

UNIX User Authentication - /etc/passwd, NIS Migration

HP-UX user authentication is required in addition to Samba (Windows) user authentication for HP CIFS Server logon. You can consolidate Samba and UNIX users into a single LDAP directory server database. However, the /etc/passwd file or NIS database files can continue to be used for UNIX users if desired.

You can use migration scripts provided by HP to migrate the /etc/passwd file and NIS database files to the LDAP directory server. For more information on the migration scripts, see “Migrating Your data to the Netscape Directory” on page 124.


The CIFS Authentication with LDAP Integration

With LDAP integration, multiple HP CIFS Servers can share a single LDAP directory server for centralized user database management. The HP CIFS Server accesses the LDAP directory and looks up the Windows user information for user authentication. Figure 6-1 shows the CIFS authentication in the LDAP network environment:

Figure 6-1 The CIFS Authentication with LDAP Integration

The following describes the message exchanges among the Windows PC, CIFS Server and LDAP directory server for the user authentication shown in Figure 6-1:

1. A Windows user requests a connection

2. The CIFS Server sends a challenge to the Windows PC client

3. The Windows PC client sends a response packet to the CIFS Server computed from the user’s password hash and the challenge

4. The CIFS Server looks up the user in the LDAP directory server and requests the data attributes, including the password hash information

[Figure 6-1 diagram: two Windows PCs exchange steps 1, 2, 3 and 6 with CIFS Server1 and CIFS Server2 over the CIFS protocol; the CIFS servers exchange steps 4 and 5 with the LDAP Directory Server over the LDAP protocol.]


5. The CIFS Server receives the data attributes, including the password hash information, from the LDAP directory server. If the response it computes from that hash and the challenge matches the client’s response packet, the Samba user authentication succeeds. Then the UNIX authentication is conducted.

6. If both Samba and UNIX authentication succeed, the CIFS Server returns a session ID (user token) to the Windows PC client


Summary of Installing and Configuring

The following summarizes the steps you take when installing, configuring, verifying and activating the HP CIFS Server with LDAP support:

• Install the Netscape Directory Server, if not already installed. See “Installing the Netscape Directory Server” on page 116.

• Configure the Netscape Directory Server, if not already configured. See “Configuring the Netscape Directory Server” on page 116.

• Install the LDAP-UX Client Services on an HP CIFS Server, if not already installed. See “Installing LDAP-UX Client Services on an HP CIFS Server” on page 118.

• Configure the LDAP-UX Client Services on an HP CIFS Server, if not already configured. See “Configuring the LDAP-UX Client Services” on page 119.

• Migrate your data to the Netscape Directory Server. See “Migrating Your data to the Netscape Directory” on page 124.

• Extend the Samba subschema to the Netscape Directory Server. See “Extending Samba subschema into Your Directory Server” on page 129.

• Configure the HP CIFS Server to enable LDAP support. See “Configuring the HP CIFS Server” on page 131.

• Install your Samba users in the Netscape Directory Server. See “Installing your Samba Users in the Directory” on page 134.

Read subsequent sections of this chapter for more information on installing and configuring the HP CIFS Server with LDAP support.


Installing and Configuring Your Netscape Directory Server

This section describes how to set up and configure your Netscape Directory Server to work with LDAP-UX Client Services and the HP CIFS Server.

See Preparing Your LDAP Directory for HP-UX Integration at http://docs.hp.com/hpux/internet for more information on directory configuration.

Installing the Netscape Directory Server

You need to set up the Netscape Directory Server if it is not already installed. HP recommends that you install the HP Netscape Directory Server product, J4258CA. This product can be downloaded from http://software.hp.com. You need to install Netscape Directory Server for HP-UX version 6.02 or later.

The POSIX schema is already installed if you have installed Netscape Directory Server for HP-UX version 6.02 or later. The schema is in the file /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf. For more information on the POSIX schema (RFC 2307), see http://www.ietf.org/rfc.html. RFC 2307 defines object classes such as posixAccount and posixGroup. posixAccount represents a user entry from the /etc/passwd file. posixGroup represents a group entry from the /etc/group file.

Configuring the Netscape Directory Server

You need to configure the Netscape Directory Server if it is not already configured. This section describes the major tasks in configuring the Netscape Directory Server for HP-UX.

You can quickly configure the Netscape Directory Server by selecting the default value for most of the configuration parameters. The major tasks of the configuration are:

Step 1. Log in as root and run the setup program:

$ cd /var/opt/netscape/servers/setup
$ ./setup


Step 2. Enter the host name of the Netscape Directory Server where you want to store your user data.

Step 3. Enter the port number of the previously specified directory server. The default port number is 389.

Step 4. Enter the Distinguished Name (DN) and password of the administrator. This user has operator permissions. For example, you can enter “admin” as the administrator DN.

Step 5. Enter the base DN. This DN is formed from the DNS domain part of the fully qualified host name of your Netscape Directory Server. For example, if the host name of your directory server is “hostA.cup.hp.com”, then the base DN is “dc=cup, dc=hp, dc=com”.

Step 6. Enter the Distinguished Name (DN) and password of the directory manager, who has full permissions. For example, you can enter “Directory Manager” as the directory manager DN. This account can read and change every entry in the directory, including the Samba password hashes stored there, so choose a strong password and limit who knows it.

Step 7. Specify the administration domain, which is the DNS domain part of the fully qualified host name of your Netscape Directory Server.

Step 8. Specify the administration port number. This can be any number between 1024 and 65535 that is not already in use. Use this port number to connect to the directory server when administering the Netscape Directory Server.

Step 9. After you have configured your directory server, it automatically starts the administration console daemon, which listens on the port you have chosen.

Verifying the Netscape Directory Server

Run the following command to verify that you have installed and configured the Netscape Directory Server properly and that the Netscape Directory Server daemons are up and running:

$ ps -ef | grep ns-

The output of this command looks like the following (one ns-httpd administration server process and one ns-slapd directory server process):

root 17289 17288 0 18:54:34 ? 0:00 ns-httpd -d /var/opt/netscape/servers/admin-serv/config
www 17230 1 0 18:53:54 ? 0:03 ./ns-slapd -D /var/opt/netscape/servers/slapd-hpcif57 -i /var/o
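As an added example (not code from the HP guide), the following shell functions derive the base DN from a directory server’s fully qualified host name, as step 5 describes, and list the parent entries that any DN under that base must have. The LDAP-UX setup described later in this chapter fails if a profile’s parent entries do not exist, so the last function compares those parents against a constructed listing of entries standing in for a real directory; on a live server the same check is an ldapsearch with scope base for each parent DN. The profile name cn=ldapuxprofile is the guide’s example; the listing contents are constructed.

```sh
#!/bin/sh
# Added example, not code from the HP CIFS Server guide: base DN from a
# host name, and the parent entries a DN needs before it can be created.

# hostA.cup.hp.com -> dc=cup,dc=hp,dc=com (the host label is dropped).
# Returns 1 if the name has no domain part.
fqdn_to_basedn() {
    printf '%s\n' "$1" | awk -F. '
        NF < 2 { exit 1 }
        { for (i = 2; i <= NF; i++) s = s (i > 2 ? "," : "") "dc=" $i; print s }'
}

# Print the ancestors of DN, nearest first; "cn=x,dc=hp,dc=com" gives
# "dc=hp,dc=com" then "dc=com". Spaces after commas are tolerated.
parent_dns() {
    dn=$(printf '%s' "$1" | sed 's/, */,/g')
    while [ "${dn#*,}" != "$dn" ]; do
        dn=${dn#*,}
        printf '%s\n' "$dn"
    done
}

# Return 0 if DN is present in the constructed directory listing LISTFILE
# (one "dn: ..." line per entry, the way ldapsearch prints them).
dn_exists() {
    grep -qxF "dn: $1" "$2"
}

# Print every parent of DN that is missing from LISTFILE; return 1 if any.
missing_parents() {
    missing=$(parent_dns "$1" | while IFS= read -r p; do
        dn_exists "$p" "$2" || printf '%s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Usage with a constructed listing that has dc=hp,dc=com and dc=com but
# not the dc=cup,dc=hp,dc=com entry a profile under cup.hp.com needs.
base=$(fqdn_to_basedn hostA.cup.hp.com)
listing=${TMPDIR:-/tmp}/dir-listing.$$
printf 'dn: dc=com\ndn: dc=hp,dc=com\n' > "$listing"
missing_parents "cn=ldapuxprofile,$base" "$listing" || echo "create the entries above before running setup"
rm -f "$listing"
```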


Installing LDAP-UX Client Services on an HP CIFS Server

Use swinstall(1M) to install the LDAP-UX Client Services software, the NativeLdapClient subproduct, on an HP CIFS Server. See the LDAP-UX Client Services B.03.20 Release Notes for more details on the installation procedures. The LDAP-UX Client Services software is available at http://www.software.hp.com. You must install LDAP-UX Client Services version B.03.20 or later. You do not need to reboot your system after installing the product.

NOTE For PA-RISC systems, you also need to install the required patches. For more information about the required patches, see the LDAP-UX Client Services B.03.20 Release Notes at http://www.docs.hp.com.


Configuring the LDAP-UX Client Services

You need to configure the LDAP-UX Client Services if it is not already configured. This section describes the major steps to configure LDAP-UX Client Services with Netscape Directory Server 6.02 or later. For detailed information on how to configure the LDAP-UX Client Services, see the “Configure the LDAP-UX Client Services” section of the LDAP-UX Client Services B.03.20 Administrator’s Guide at http://www.docs.hp.com.

You must run the setup program to configure the LDAP-UX Client Services. This requirement must not be skipped; otherwise the HP CIFS Server with LDAP support will not work properly.

When you run the setup program to configure the LDAP-UX Client Services on a client system, setup does the following major tasks for you:

• Extends your Netscape directory schema with the posixAccount object class and attributes, if not already done.

• Creates a configuration profile entry in your Netscape Directory from information you provide. The profile contains the information required by clients to access user and group data in the directory, for example:

— Your directory server host

— Your directory server network port

— Location of your user, group and other information in the directory

• Updates the startup file of the local client with your directory and configuration profile location.

• Downloads the configuration profile from the directory to the LDAP client system.

• Assigns your base DN as your LDAP suffix for user and group searches.

• Starts the product daemon, ldapclientd, if you choose to start it. For LDAP-UX Client B.03.20, you must start the client daemon for LDAP-UX functions to work.


Quick Configuration

You can quickly configure the LDAP-UX Client Services by selecting the default value for most of the configuration parameters as follows:

Step 1. To be consistent with the Samba organizational unit defaults, edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group container under the $RFC2307BIS structure from ou=Group to ou=Groups.

Step 2. Log in as root and run the setup program:

$ cd /opt/ldapux/config
$ ./setup

The setup program asks you a series of questions and usually provides default answers. Press the Enter key to accept the default, or change the value and press Enter. At any point during setup, press Control+B to back up or Control+C to exit the setup program.

Step 3. Choose Netscape Directory as your LDAP directory server (option 1).

Step 4. Enter either the host name or IP address of the directory server where your profile exists, or where you want to create a new profile.

Step 5. Enter the port number of the previously specified directory server where you want to store the profile. The default port number is 389.

Setup checks the directory to see if the schema has been extended with the posixAccount object class and attributes. This must be done, but only needs to be done once.

Step 6. If the schema has already been extended, setup skips this step. Otherwise, to extend the schema, enter the Distinguished Name (DN) and password of a directory user who can extend the directory schema, for example the “Directory Manager” DN and its password.

To extend the schema, you are prompted for the following input:

1. Enter the DN of the directory user. The default value is displayed. To use the default, press the Enter key; otherwise, enter your DN.

2. Enter the password.


Step 7. If you are creating a new profile, add all parent entries of the profile DN to the directory (if any). If you attempt to create a new profile and any parent entries of the profile do not already exist in the directory, setup will fail. For example, if your profile will be cn=ldapuxprofile, dc=cup, dc=hp, dc=com, then the base path, cup.hp.com, must exist in the directory or setup will fail.

Step 8. Next enter either the DN of a new profile, or the DN of an existing profile you want to use.

To display all the profiles in the directory, use a command like the following:

$ ldapsearch -b o=cup.hp.com objectclass=DUAConfigProfile dn

If you are using an existing profile, setup configures your client, downloads the profile, and exits. In this case, continue with step 11 below.

Step 9. If you are creating a new profile, enter the directory manager DN and password of the directory user who can create a new profile.

Step 10. Next enter the host name and port number of the directory where you want to store your name service data. For high availability, each LDAP-UX client can look for name service data in up to three different directory hosts. You can enter up to three hosts, to be searched in order.

Step 11. Enter the base DN where clients should search for user name service data like passwd, group, hosts, services, etc.

Step 12. You can quickly configure a Netscape directory and the first client by accepting the remaining default configuration parameters when prompted.


Table 6-1 shows the configuration parameters and the default values that they will be configured with.

For detailed information on the configuration parameters listed in Table 6-1, see “Appendix B: LDAP-UX Client Services Object Classes” of the LDAP-UX Client Services B.03.20 Administrator’s Guide at http://www.docs.hp.com.

Table 6-1 Configuration Parameters and Default Values

Parameter                                                              Default Value

Type of client binding                                                 Anonymous

Bind time limit                                                        5 seconds

Search time limit                                                      no limit

Use of referrals                                                       Yes

Profile TTL (Time To Live)                                             0 - infinite

Use standard RFC-2307 object class attributes for supported services   Yes

Use default search descriptions for supported services                 Yes

Authentication method                                                  Simple

Step 13. After entering all the configuration information, setup extends the schema, creates a new profile, and configures the client to use the directory.

Step 14. Configure the Name Service Switch (NSS).

Save a copy of the /etc/nsswitch.conf file and edit the original to specify the ldap name service and other name services you want to use. See the /etc/nsswitch.ldap file for a sample. You may be able to just copy /etc/nsswitch.ldap to /etc/nsswitch.conf. See nsswitch.conf(4) for more information.

Step 15. You will be asked whether or not you want to start the client daemon, /opt/ldapux/bin/ldapclientd. You must start the client daemon for LDAP functions to work.

Step 16. Run the following command to verify your configuration:

$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
  "(objectclass=*)" | grep -i posix

Ensure that the posixAccount objectclass is displayed in the output when you run the ldapsearch command. The output is as follows:

objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' DESC 'Standard LDAP objectclass' SUP top AUXILIARY MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( userPassword $ loginShell $ gecos $ description ) X-ORIGIN 'RFC 2307' )

objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' DESC 'Standard LDAP objectclass' SUP top STRUCTURAL MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) X-ORIGIN 'RFC 2307' )

NOTE You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified Distinguished Name (DN) and password, and locates entries based on the specified search filter. For details, see the Netscape Directory Server 6.02 for HP-UX Administrator’s Guide available at http://www.docs.hp.com/hpux/internet.


Migrating Your data to the Netscape Directory

HP recommends that all UNIX user accounts, either in the /etc/passwd file or in NIS database files, are migrated to the Netscape Directory Server. The LDAP-UX Integration product provides migration scripts to accomplish the task in an automated way. These scripts are located in the /opt/ldapux/migrate directory. The two shell scripts, migrate_all_online.sh and migrate_all_nis_online.sh, migrate all your source files in the /etc directory or NIS maps, while the perl scripts, migrate_passwd.pl, migrate_group.pl, and migrate_hosts.pl, migrate individual files. The shell scripts call the perl scripts. For a complete description of the migration scripts, what they do, and how to use them, see the /opt/ldapux/README files or the “Name Service Migration Scripts” section of the LDAP-UX Client Services B.03.20 Administrator’s Guide at http://docs.hp.com

Migrating All Your Files

The two shell scripts migrate_all_online.sh and migrate_all_nis_online.sh migrate all your name service data either to an LDAP Data Interchange Format (LDIF) file or directly into your directory. The migrate_all_online.sh shell script gets information from the source files, such as /etc/passwd, /etc/group, and /etc/hosts. The migrate_all_nis_online.sh script gets information from your NIS maps using the ypcat(1) command. The scripts take no parameters but prompt you for needed information. They also prompt you for whether to leave the output as LDIF or to add the entries to your directory.

NOTE HP recommends that you keep a small subset of users in the /etc/passwd file, such as the root user and the IT manager. This allows root users to have different passwords across HP-UX systems. Also, if the LDAP directory server is unavailable, you can still log in to the system.


NOTE Before you run the migration scripts, you must edit the /opt/ldapux/migrate/migrate_common.ph file to change the default group objectclass under the $RFC2307BIS structure from ou=Group to ou=Groups. This makes it match the Samba organizational unit defaults.

An Example

The following example shows the necessary steps to import your data into the LDAP directory using the migration script, migrate_all_online.sh:

Step 1. Set the environment variable, LDAP_BASEDN, to specify where you want to store your data:

For example, the following command sets the LDAP base DN to cup.hp.com:

$ export LDAP_BASEDN="dc=cup, dc=hp, dc=com"

Step 2. Run the following script, migrate_all_online.sh, to migrate all name service data files in the /etc directory to the LDIF file:

$ migrate_all_online.sh

Reply as appropriate to the script. In our example, bind as cn=Directory Manager; the credentials to bind with are the Directory Manager password.

NOTE At this point, you have an LDAP directory server with everything you need to use as a backend for pam and nsswitch. You need this first, as the HP CIFS Server shares some attributes from the posixAccount objectclass with the sambaAccount objectclass.


Migrating Individual Files

The following perl scripts migrate each of your source files in the /etc directory to LDIF. These scripts are called by the shell scripts described in the section “Migrating All Your Files” on page 124. The perl scripts obtain their information from the input source file and output LDIF.

Environment Variables

When using the perl scripts to migrate individual files, you need to set the following environment variables:

LDAP_BASEDN The base distinguished name where you want to store your data. For example, the following command sets the base DN to DC=cup, DC=hp, DC=com:

export LDAP_BASEDN="DC=cup, DC=hp, DC=com"

General Syntax for Perl Migration Scripts

All the perl migration scripts use the following general syntax:

scriptname inputfile [outputfile]

where

scriptname This is the name of the particular script you are using. Table 6-2 lists the migration scripts.

inputfile This is the name of the appropriate name service source file corresponding to the script you are using.

outputfile This is an optional parameter and is the name of the file where the LDIF is saved. stdout is the default output.

Migration Scripts

The migration scripts are described in Table 6-2 below.

Table 6-2 Migration Scripts

Script Name              Description

migrate_base.pl          Creates base DN information.

migrate_group.pl         Migrates groups in the /etc/group file.

migrate_hosts.pl (a)     Migrates hosts in the /etc/hosts file.

migrate_networks.pl      Migrates networks in the /etc/networks file.

migrate_passwd.pl (b)    Migrates users in the /etc/passwd file.

migrate_protocols.pl     Migrates protocols in the /etc/protocols file.

migrate_rpc.pl           Migrates RPCs in the /etc/rpc file.

migrate_services.pl (c)  Migrates services in the /etc/services file.

migrate_common.ph        Specifies a set of routines and configuration information all the perl scripts use.

import_smbpasswd.pl      Migrates NT/Windows users in the smbpasswd file.

a. If systems have been configured with the same host name, the migration script migrate_hosts.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the host name, one for each of the IP addresses. Since distinguished names need to be unique in an LDAP directory, you need to first manually merge the IP addresses into one designated host record and delete the duplicated records in your LDIF file. A resulting merge might look as follows:

. . . .
dn: cn=machineA, ou=hosts, ou=unix, dc=cup, dc=hp, dc=com
objectClass: top
objectClass: ipHost
ipHostNumber: 15.13.130.72
ipHostNumber: 15.13.104.4
ipHostNumber: 15.13.95.92
cn: hostA
cn: hostA.cup.hp.com
. . . .

b. Netgroup: The NIS optimization maps ‘byuser’ and ‘byhost’ are not utilized. Each triple is stored as a single string. Each triple must be enclosed by parentheses. For example, “(machine, user, domain)” is a valid triple while “machine, user, domain” is not.

c. When migrating services data into the LDAP directory, keep in mind that multiple protocols can be associated with one service name, but not multiple service ports.

Examples

Complete the following steps to migrate the /etc/passwd file to the LDIF file:

Step 1. Set the environment variable, LDAP_BASEDN, to specify where you want to store your data.

For example, the following command sets the LDAP base DN to cup.hp.com:

$ export LDAP_BASEDN="dc=cup, dc=hp, dc=com"

Step 2. Run the following script, migrate_passwd.pl, to migrate all data in the /etc/passwd file to the /tmp/passwd.ldif file:

$ migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

A part of the output is as follows:

dn: uid=johnl,ou=People,dc=cup,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: Account
loginShell: /usr/bin/ksh
uidNumber: 8662
gidNumber: 8200
homeDirectory: /home/johnl
gecos: John Louie, 48S-020, 447-1890
userPassword: {crypt}aOACGvt0T, 1fo
acctFlags: UX
pwdLastSet: 1063301239
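The following Python script is an added example, not HP's migrate_passwd.pl or migrate_hosts.pl: it builds a posixAccount LDIF entry from an /etc/passwd line in the shape shown above, and then performs the duplicate-DN host merge that footnote a asks you to do by hand (the merge is general and collapses any entries sharing a DN, not only ipHost records). The passwd line, the host LDIF and the way LDAP_BASEDN is read are constructed assumptions.

```python
import os

# Assumption: honour LDAP_BASEDN like the page's scripts do; the default is
# the page's example base DN so the script runs offline.
DEFAULT_BASEDN = "dc=cup, dc=hp, dc=com"


def passwd_to_entry(line, basedn=None):
    """Turn one /etc/passwd line into an ordered list of (attribute, value)
    pairs for a posixAccount entry under ou=People."""
    basedn = basedn or os.environ.get("LDAP_BASEDN", DEFAULT_BASEDN)
    user, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    entry = [
        ("dn", "uid=%s,ou=People,%s" % (user, basedn.replace(", ", ","))),
        ("objectclass", "top"),
        ("objectclass", "account"),
        ("objectclass", "posixAccount"),
        ("loginShell", shell),
        ("uidNumber", uid),
        ("gidNumber", gid),
        ("homeDirectory", home),
    ]
    if gecos:
        entry.append(("gecos", gecos))
    # An 'x' or '*' in the password field is a placeholder, not a crypt hash;
    # writing it as {crypt} would create an entry with a bogus password.
    if pw and pw not in ("x", "*"):
        entry.append(("userPassword", "{crypt}" + pw))
    return entry


def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, single-space
    continuation lines, '#' comments); returns a list of entries."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:        # folded continuation
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif not raw.strip():
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def merge_duplicate_dns(entries):
    """Collapse entries that share a DN into one record, keeping every
    distinct attribute value. For migrate_hosts.pl output this turns the
    per-address duplicates into one ipHost entry carrying several
    ipHostNumber values; it works the same way for any attribute."""
    merged, order = {}, []
    for entry in entries:
        dn = next(v for a, v in entry if a.lower() == "dn")
        key = dn.lower()
        if key not in merged:
            merged[key] = [("dn", dn)]
            order.append(key)
        target = merged[key]
        for attr, val in entry:
            if attr.lower() != "dn" and (attr, val) not in target:
                target.append((attr, val))
    return [merged[k] for k in order]


def to_ldif(entries):
    """Serialize entries back to LDIF text."""
    return "\n\n".join("\n".join("%s: %s" % p for p in e) for e in entries) + "\n"


# Constructed sample input: one passwd line (the page's johnl example) and
# the two records migrate_hosts.pl would emit for a host with two addresses.
SAMPLE_PASSWD = ("johnl:aOACGvt0T,1fo:8662:8200:John Louie, 48S-020, 447-1890:"
                 "/home/johnl:/usr/bin/ksh")
SAMPLE_HOSTS_LDIF = """\
dn: cn=hostA, ou=hosts, ou=unix, dc=cup, dc=hp, dc=com
objectClass: top
objectClass: ipHost
ipHostNumber: 15.13.130.72
cn: hostA
cn: hostA.cup.hp.com

dn: cn=hostA, ou=hosts, ou=unix, dc=cup, dc=hp, dc=com
objectClass: top
objectClass: ipHost
ipHostNumber: 15.13.104.4
cn: hostA
cn: hostA.cup.hp.com
"""

if __name__ == "__main__":
    print(to_ldif([passwd_to_entry(SAMPLE_PASSWD)]))
    print(to_ldif(merge_duplicate_dns(parse_ldif(SAMPLE_HOSTS_LDIF))))
```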


Extending Samba subschema into Your Directory Server

You now need to extend the Netscape Directory Server schema with the sambaAccount subschema from the HP CIFS Server. Ensure that you have configured your LDAP directory and LDAP-UX Client Services, and migrated your data to the LDAP directory, before extending the schema.

The sambaAccount subschema is the /opt/samba/LDAP/98samba.ldif file in the HP CIFS Server.

Complete the following steps to extend the sambaAccount subschema to the Netscape Directory Server:

Step 1. Run the ftp commands to get the /opt/samba/LDAP/98samba.ldif file from the HP CIFS Server and place it in the Netscape Directory Server:

For example, the following commands copy the /opt/samba/LDAP/98samba.ldif file from the HP CIFS Server to the /var/opt/netscape/servers/sldapd-hostA.hp.com/config/schema/98samba.ldif file in the Netscape Directory Server, hostA.hp.com:

cd /opt/samba/LDAP
ftp hostA.cup.hp.com
user root
rootpasswd
cd /var/opt/netscape/servers/sldapd-hostA.hp.com/config/schema
bin
put 98samba.ldif
quit

Step 2. Log in to your Netscape Directory Server and restart the daemon, slapd. This is to ensure that the sambaAccount subschema is recognized by the LDAP directory.

$ /var/opt/netscape/servers/slapd-<server name>/restart-slapd

For example:

/var/opt/netscape/servers/slapd-hostA.cup.hp.com/restart-slapd

Step 3. Use the following ldapsearch command to verify that you have updated the schema in the Netscape Directory Server with the sambaAccount subschema:


$ /opt/ldapux/bin/ldapsearch -T -b "cn=schema" -s base \
  "(objectclass=*)" | grep -i samb

You need to ensure that the output displays the sambaAccount objectclass when you run the ldapsearch command. The output is shown as follows:

objectClasses: ( 1.3.1.5.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY MAY ( acctFlags $ cn $ displayName $ domain $ homeDrive $ kickoffTime $ lmPassword $ logofftime $ logonTime $ ntPassword $ primaryGroupID $ profilePath $ pwdCanChange $ pwdLastSet $ pwdMustChange $ rid $ scriptPath $ smbHome $ userWorkstations ) X-ORIGIN 'user defined' )

attributeTypes: ( 1.3.6.1.4.1.7165.2.1.18 NAME 'domain' DESC 'Windows NT domain Samba' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )


Configuring the HP CIFS Server

You must set up and configure your HP CIFS Server to enable the LDAP feature support.

LDAP Configuration Parameters

The following is the list of new global parameters available for you to configure the HP CIFS Server to enable the LDAP feature. These parameters are set in the /etc/opt/samba/smb.conf file under global parameters.

[global] Any global setting defined here will be used by the HP CIFS Server with the LDAP support.

Table 6-3 Global Parameters

Parameter Description

ldap enable Enables the LDAP feature support. Specify Yes to enable LDAP, and No to disable LDAP. By default, this parameter is set to No.

ldap port Specifies the TCP port number used to connect to the LDAP directory server. By default, this parameter is set to 389.

ldap server Specifies the host name of the Netscape Directory Server where you want to store your data.

ldap suffix Specifies the base of the directory tree where you want to add users and machine account information. It is also used as the Distinguished Name (DN) of the search base, which tells LDAP where to start the search for the entry. For example, if your base DN is “dc=cup, dc=hp, dc=com”, then you need to set the value of ldap suffix = “dc=cup, dc=hp, dc=com”.

ldap filter Specifies the RFC 2254 compliant LDAP search filter. The default is to match the login name with the uid attribute for all entries matching the sambaAccount objectclass. For example, ldap filter = (&(uid=%u)(objectclass=sambaAccount)).

ldap admin dn Specifies the user Distinguished Name (DN) used by the HP CIFS Server to connect to the LDAP directory server when retrieving user account information. The ldap admin dn is used in conjunction with the admin dn password stored in the /var/opt/samba/private/secrets.tdb file. For example, ldap admin dn = “cn=directory manager”.

ldap ssl Specifies the Secure Socket Layer (SSL) support. The HP CIFS Server does not support SSL in this release, so this option must be set to off to disable this feature. By default, the ldap ssl option is disabled.

The smbpasswd Program Parameter

The following is the new parameter for the smbpasswd program:

smbpasswd -w The new parameter, -w, has been added to the smbpasswd program to change the ldap admin password information.

Configuring LDAP Feature Support

After installing the HP CIFS Server, the existing configuration continues to operate as currently configured. To enable the LDAP support, you must configure the relevant LDAP configuration parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor.


NOTE HP recommends that new installation customers run the samba_setup program to set up and configure the HP CIFS Server.

You can quickly run the samba_setup program to configure the HP CIFS Server with the LDAP feature support as follows:

Step 1. Run the following commands to enable the LDAP feature:

$ export PATH=$PATH:/opt/samba/bin

$ samba_setup

When running the samba_setup program, you will be asked whether you want to use LDAP or not. Press Yes to use LDAP, and press No to disable LDAP.

Step 2. Reply to the samba_setup program to configure the following global LDAP parameters in the /etc/opt/samba/smb.conf file:

• ldap enable

• ldap server

• ldap suffix

• ldap admin dn

See “LDAP Configuration Parameters” on page 131 for detailed information on how to configure these new parameters.


Installing your Samba Users in the Directory

This section describes how to install and verify your samba users in your LDAP directory.

Adding Credentials

When you use the HP CIFS Server A.01.11 with the LDAP feature support, the smbpasswd command manipulates user account information in the LDAP directory rather than in the /var/opt/samba/private/smbpasswd file. You must add the directory manager credentials to the /var/opt/samba/private/secrets.tdb file before installing Samba users in the LDAP directory.

Run the following command to save the LDAP credentials for the user who can modify the LDAP directory for samba information:

$ smbpasswd -w <password of the LDAP Directory Manager>

For example, the following command saves the credentials of the LDAP directory manager:

$ smbpasswd -w dmpasswd

where dmpasswd is the password of the LDAP directory manager.

NOTE You must ensure that the password correctly matches the password of the ldap admin dn (the directory manager). This password is used for user administration and is stored for later use. If the password is incorrect, no error message is displayed, but user administration will fail when attempted.

Importing Samba Users

The import_smbpasswd.pl script has been provided to automatically import users and password data from the existing /var/opt/samba/private/smbpasswd file into the LDAP directory. To use this perl script, perl version 5.6.1 or greater on HP-UX 11.0/11i (PA-RISC) and HP-UX 11i (IA) is required. A free download is available at http://software.hp.com.


Before you run this script, you must edit the /opt/samba/LDAP/import_smbpasswd.pl script to set the $DN, $ROOTDN, $rootpw and $LDAPSERVER local site variables with the LDAP base DN, your Directory Manager name, password and directory server name.

Consider the following example which sets the LDAP base DN to “cup.hp.com”, the Directory Manager name to “Directory Manager”, the password to “dmpasswd”, and the LDAP directory server name to “hostA.cup.hp.com”:

• $DN="dc=cup, dc=hp, dc=com"

• $ROOTDN="cn=Directory Manager"

• $rootpw="dmpasswd"

• $LDAPSERVER="hostA.cup.hp.com"

This script reads from standard input and requires that user entries containing the posixAccount objectclass already exist in your LDAP directory, because it needs to know the uid number and uses it to add the sambaAccount. For more information on this objectclass and related schema, see RFC 2307, available at http://www.pad1.com/software.html.

For example, the following command will import all data in the /var/opt/samba/private/smbpasswd file into the LDAP directory:

$ cat /var/opt/samba/private/smbpasswd | \
  /opt/samba/LDAP/import_smbpasswd.pl
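The following Python script is an added example, not HP's import_smbpasswd.pl: it parses smbpasswd records from standard input and emits the LDIF modify operations that attach the sambaAccount objectclass and its attributes to an existing posixAccount entry, skipping users with no posix entry, as the precondition above requires. The directory lookup is simulated with a constructed dictionary, and the smbpasswd lines and hash values are constructed placeholders.

```python
import sys

BASEDN = "dc=cup,dc=hp,dc=com"     # the page's example base DN
NO_HASH = "X" * 32                 # smbpasswd marker for "no valid hash"

# Constructed stand-in for the posixAccount entries that must already be in
# the directory; the real script looks them up over LDAP for their uidNumber.
EXISTING_POSIX = {
    "johnl": {"uidNumber": "8662"},
    "nolm": {"uidNumber": "8663"},
}

# Constructed smbpasswd records; the 32-hex-digit hashes are placeholders.
SAMPLE_SMBPASSWD = """\
# username:uid:LM hash:NT hash:[account flags]:LCT-<hex last change time>:
johnl:8662:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-3F60B077:
nolm:8663:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-3F60B077:
ghost:9999:00112233445566778899AABBCCDDEEFF:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-3F60B077:
"""


def parse_smbpasswd_line(line):
    """Return a dict for one smbpasswd record, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 6:
        raise ValueError("malformed smbpasswd record: %r" % line)
    user, uid, lm, nt, flags, lct = fields[:6]
    if not (flags.startswith("[") and flags.endswith("]")):
        raise ValueError("bad account flags for %s" % user)
    if not lct.startswith("LCT-"):
        raise ValueError("missing LCT field for %s" % user)
    return {
        "user": user,
        "uid": uid,
        "lmPassword": lm,
        "ntPassword": nt,
        "acctFlags": flags,                   # stored verbatim, as on the page
        "pwdLastSet": str(int(lct[4:], 16)),  # LCT is hex seconds since epoch
    }


def to_modify_ldif(rec, existing=EXISTING_POSIX, basedn=BASEDN):
    """LDIF 'modify' that adds sambaAccount to the user's posix entry.
    Returns None when no posixAccount exists (the page's precondition)."""
    posix = existing.get(rec["user"])
    if posix is None:
        return None
    if posix["uidNumber"] != rec["uid"]:
        raise ValueError("uid mismatch for %s: smbpasswd %s, directory %s"
                         % (rec["user"], rec["uid"], posix["uidNumber"]))
    lines = [
        "dn: uid=%s,ou=People,%s" % (rec["user"], basedn),
        "changetype: modify",
        "add: objectclass",
        "objectclass: sambaAccount",
        "-",
    ]
    for attr in ("lmPassword", "ntPassword", "acctFlags", "pwdLastSet"):
        if rec[attr] == NO_HASH:
            continue                          # never store the marker as a hash
        lines += ["add: %s" % attr, "%s: %s" % (attr, rec[attr]), "-"]
    return "\n".join(lines) + "\n"


def import_smbpasswd(text, existing=EXISTING_POSIX, basedn=BASEDN):
    """Return (ldif_text, skipped_users) for a whole smbpasswd file."""
    ldif, skipped = [], []
    for line in text.splitlines():
        rec = parse_smbpasswd_line(line)
        if rec is None:
            continue
        out = to_modify_ldif(rec, existing, basedn)
        if out is None:
            skipped.append(rec["user"])
        else:
            ldif.append(out)
    return "\n".join(ldif), skipped


if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SMBPASSWD
    ldif, skipped = import_smbpasswd(source)
    sys.stdout.write(ldif)
    for user in skipped:
        sys.stderr.write("%s: no posixAccount entry in directory, skipped\n" % user)
```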

Verifying Samba Users

You can use the ldapsearch command-line utility to locate and retrieve LDAP directory entries. This utility opens a connection to the specified server using the specified Distinguished Name (DN) and password, and locates entries based on the specified search filter.

Syntax

ldapsearch [option]

Option

-b search/insert base

-s search scope

-D directory login


-w password of the directory manager

Example

The following example uses the ldapsearch utility to check that the user entry johnl contains the sambaAccount objectclass:

$ /opt/ldapux/bin/ldapsearch -b "dc=cup,dc=hp, dc=com" -s sub \
  -D "cn=Directory Manager" -w dmpasswd "uid=johnl"

The output is shown as follows:

dn: uid=johnl,ou=People,dc=cup,dc=hp,dc=com
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: sambaAccount
loginShell: /usr/bin/ksh
uidNumber: 8662
gidNumber: 8200
homeDirectory: /home/johnl
gecos: John Louie, 48S-020, 447-1890
userPassword: {crypt}aOACGvt0T, 1fo
lmPassword: 0AED71B7494489AG2ED50F26D3C5EB07
NTPassword: 7C46DE22B8963EAA3F9F90BE4E0F661
acctFlags: UX
pwdLastSet: 1063301239


LDAP management Tools

The HP CIFS Server provides LDAP management tools for you to maintain users, groups and passwords in the Netscape Directory Server.

Samba LDAP Tools

The following lists the Samba LDAP tools available for you to maintain users and groups data in the Netscape Directory Server. These tools are located in the /opt/samba/LDAP/smbldap-tools directory:

smbldap-groupadd.pl adds a new group (objectclass: posixGroup)

smbldap-groupdel.pl deletes a group (objectclass: posixGroup)

smbldap-groupmod.pl modifies a group (objectclass: posixGroup)

smbldap-groupshow.pl views a group (objectclass: posixGroup)

smbldap_conf.pm global configuration file

smbldap-useradd.pl adds a new user (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)

smbldap-userdel.pl deletes a user (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)

smbldap-usermod.pl modifies user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)

smbldap-usershow.pl views user data (objectclass: posixAccount, sambaAccount, or both depending on the tool option used)

smbldap-passwd.pl adds or modifies the samba password, posix password, or both


You must edit the /opt/samba/LDAP/smbldap-tools/smbldap_conf.pm configuration file with appropriate configuration values before you attempt to run these tools. You can use the tool option, -?, for the detailed usage of each tool. For more information on how to use these tools, refer to /opt/samba/LDAP/smbldap-tools/FILES and /opt/samba/LDAP/smbldap-tools/README.

NOTE In order to run these management tools, perl version 5.6.1 or greater on HP-UX 11.0/11i (PA-RISC) and HP-UX 11i (IA) is required. A free download is available at http://software.hp.com.

The smbldap_conf.pm File

Before you run the Samba management tools, you must edit the script configuration file, /opt/samba/LDAP/smbldap-tools/smbldap_conf.pm, to set the $masterLDAP, $suffix, $binddn and $bindpasswd local site variables with the LDAP directory server name, LDAP base Distinguished Name (DN), directory manager name and password. Ensure that the organizational units (ou) are consistent with your LDAP subschema, particularly three units, usersou, groupsou, and computersou. The values of these three units are as follows:

• $usersou = q (People);

• $groupsou = q (Groups);

• $computersou = q (Computers).

Consider the following example which sets the LDAP directory server name to “hostA.cup.hp.com”, the LDAP base DN to “cup.hp.com”, the directory manager name to “Directory Manager”, and the password to “dmpasswd”:

• $masterLDAP="hostA.cup.hp.com"

• $suffix="dc=cup, dc=hp, dc=com"

• $binddn="cn=Directory Manager"

• $bindpasswd="dmpasswd"


NOTE You can use the -w option to specify the LDAP directory manager password when you run the LDAP management tools. Without the -w option, the HP CIFS Server looks up the password value of the $bindpasswd variable in the /opt/samba/LDAP/smbldap-tools/smbldap_conf.pm configuration file.

The smbldap-groupadd.pl Tool

You can use this tool to add a new group entry with the posixGroup objectclass to your Netscape Directory Server.

Syntax

smbldap-groupadd.pl [options] groupname

where options can be any of the following:

-g specifies Group id (GID)

-w specifies the LDAP directory manager password

-o Group id (GID) is not unique

-? shows help messages

groupname

Specify the name of the group. The group data information will be added to the LDAP directory.

An Example

The following commands add the new group name “group1” with the group id “200” to the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-groupadd.pl -g 200 group1

The smbldap-groupdel.pl Tool

You can use this tool to delete a group entry from the Netscape Directory Server. This tool will delete the posixGroup information.

Syntax

smbldap-groupdel.pl [option] groupname


where option can be the following:

-w specifies the LDAP directory manager password

-? shows help messages

groupname

Specify the name of the group. The group data entry will be deleted from the LDAP directory.

An Example

The following commands delete the group name “group1” from the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-groupdel.pl group1

The smbldap-groupshow.pl Tool

You can use this tool to view a group entry with the posixGroup information in the Netscape Directory Server.

Syntax

smbldap-groupshow.pl [option] groupname

where option can be any of the following:

-w specifies the LDAP directory manager password

-? shows help messages

groupname

Specify the name of the group. The group service data in the directory will be shown.

An Example

The following commands show the group name “group2” in the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools

./smbldap-groupshow.pl group2


The smbldap-useradd.pl Tool

You can use the smbldap-useradd.pl tool to add a new user to the Netscape Directory Server. The posixAccount and/or sambaAccount information can be added to the directory depending on the tool option that you specify.

NOTE If you specify the tool option -a or -W, the sambaAccount information is added to the LDAP directory in addition to the posixAccount information. Without the -a or -W option, only posixAccount information is added.

Syntax

smbldap-useradd.pl [options] username

where options can be any of the following:

-a specifies a Windows user. With this option, both posixAccount and sambaAccount will be added to the LDAP directory. Without this option, only posixAccount information for the user will be added.

-W specifies a Windows workstation. With this option, both posixAccount and sambaAccount will be added to the LDAP directory. Without this option, only posixAccount information will be added.

-x creates rid and primaryGroupID in hex number instead of decimal number

-u specifies the User id (UID)

-g specifies the Group id (GID)

-n does not create a group

-d specifies the home directory

-s specifies the shell information

-m creates the home directory and copies /etc/skel

-k creates the skeleton directory used with -m option

-c gecos


-w specifies the LDAP directory manager password

-P invokes the smbldap-passwd.pl tool to add the userpassword

-A can change the user password

-B must change the user password

-C specifies the SMB home share, such as \\PDC-SRC\homes

-D specifies the home drive letter associated with the home share, such as H:

-E specifies the script path (DOS script to execute on login)

-F specifies the profile directory.

-H specifies Samba account control bits.

-? shows help messages.

username

Specify the name of the new user. The user service data will be added to the LDAP directory.

NOTE The -a option with the user name must be the last parameter. Every parameter specified after the -a option will be ignored by the smbldap-useradd.pl tool.

An Example

The following commands add the new user name “johnl” with the user id “102” and group id “1005” to the Netscape Directory Server. Both posixAccount and sambaAccount information for “johnl” will be added:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-useradd.pl -u 102 -g 1005 -a johnl


The smbldap-usermod.pl Tool

You can use the smbldap-usermod.pl tool to modify a user entry in the Netscape Directory Server. The posixAccount and/or sambaAccount information can be modified in the directory depending on the tool option that you specify.

Syntax

smbldap-usermod.pl [options] username

where options can be any of the following:

-u modifies the User id (UID)

-o specifies that UID can be non unique

-g modifies the Group id (GID)

-l modifies the login name

-s modifies the shell information

-c gecos

-d modifies the home directory

-x creates rid and primaryGroupID in hex instead of decimal

-w specifies the LDAP directory manager password

-A can change the user password

-B must change the user password

-C specifies the SMB home share, such as \\PDC-SRC\homes

-D specifies the home drive letter associated with the home share, such as H:

-E modifies the script path (DOS script to execute on login)

-F modifies the profile directory

-H modifies Samba account control bits

-I disables a user

-J enables a user


-? shows help messages

username

Specify the name of the user. The user information in the LDAP directory will be modified.

An Example

The following commands modify the user name “johnl” with the user id “200” in the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-usermod.pl -u 200 johnl

The smbldap-userdel.pl Tool

You can use the smbldap-userdel.pl tool to delete a user entry in the Netscape Directory Server. This tool will delete both posixAccount and sambaAccount information from the LDAP directory.

Syntax

smbldap-userdel.pl [options] username

where options can be any of the following:

-r removes the home directory

-w specifies the LDAP directory manager password

-? shows help messages

username

The name of the user entry. The user entry data will be deleted from the LDAP directory.

An Example

The following commands delete the user name “michael” from the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-userdel.pl michael


The smbldap-usershow.pl Tool

You can use the smbldap-usershow.pl tool to show the user entry information in the Netscape Directory Server.

Syntax

smbldap-usershow.pl [option] username

where option can be any of the following:

-w specifies the LDAP directory manager password

-? shows help messages

username

Specify name of the user entry.

An Example

The following commands show the user entry data of the user “johnl” in the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-usershow.pl johnl

The smbldap-passwd.pl Tool

You can use the smbldap-passwd.pl tool to add or modify both the samba password and the posix password of the user in the Netscape Directory Server.

Syntax

smbldap-passwd.pl [option] username

where option can be any of the following:

-? shows help messages

username

Specify the name of the user entry. The password of the user will be added or modified in the LDAP directory.

An Example

The following commands add or modify both the samba password and the posix password of the user name “johnl” in the Netscape Directory Server:

cd /opt/samba/LDAP/smbldap-tools
./smbldap-passwd.pl johnl

The smbpasswd Tool

The smbpasswd tool has been enhanced to provide the following features:

• Uses the -a option to add the Samba user to the LDAP directory

• Uses the -x option to remove the Samba user from the LDAP directory

You must ensure that the posix user exists in the LDAP directory before you run the smbpasswd -a command to add the sambaAccount information to that posix user.


Limitations with the LDAP Feature Support

• HP only supports the HP CIFS Server with LDAP integration that works with the HP LDAP-UX Integration product, J4269AA, and the HP Netscape Directory Server, J4258CA.

• With the LDAP feature enabled, the HP CIFS Server only looks up Windows user information in the LDAP directory. It does not use the smbpasswd file at all if the user information is not found in the directory.

• The HP CIFS Server does not support the SSL feature in the release version A.01.11.


7 Configuring HA HP CIFS

HP CIFS has two High Availability configurations: Active-Standby and Active-Active.


An “active-standby” High Availability configuration is a configuration where, under normal conditions, one node of the MC/ServiceGuard cluster is running the MC/ServiceGuard package and one or more other nodes are in a “wait” mode, waiting to run the package if anything goes wrong on the first node. Only one node can run the package at any given time. Hence the names in this type of HA configuration are: “active” for the first node and “stand by” for the other node(s).

An “active-active” High Availability configuration is a configuration where, under normal conditions, both (or all) of the MC/ServiceGuard cluster nodes are running similar MC/ServiceGuard packages at the same time. If one of the nodes fails, one of the other nodes has to start doing the work that the failed node had been doing. Both nodes are normally actively working. Neither one is standing by idle, waiting for a failure to occur. In our example, both MC/ServiceGuard cluster nodes normally are running HP CIFS Servers.

This chapter includes complete descriptions of both types along with the steps required to configure each one.


Overview of HA HP CIFS Server Active-Standby

Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers.

You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.

HA HP CIFS Server provides customizable configuration, control scripts and monitor scripts. These scripts as well as a README file reside in the directory /opt/samba/HA/active_standby. These are sample scripts and should be customized for your environment.

This section and the files in /opt/samba/HA/active_standby only apply to an active-standby HA configuration. The equivalent files which apply to an active-active HA configuration are in the /opt/samba/HA/active-active directory.

Recommended Clients

The recommended clients for HA HP CIFS Server are Windows 95 and Microsoft NT Workstation. Older clients, such as DOS/Windows 3.1 LM2.2C and Windows for Workgroups, may not respond well to HP CIFS Server stopping and network connections terminating as occurs during an HA HP CIFS Server switchover.

Review the “Special Notes for HA HP CIFS Server” section contained later in this chapter for usage considerations.


Installing Prerequisites

HA HP CIFS Server must be installed and configured on both the primary and alternate cluster nodes.

Before creating a Highly Available HP CIFS Server package, however, you must set up your MC/ServiceGuard cluster according to the instructions in the Managing MC/ServiceGuard manual.

To do so, perform the following:

1. Following the instructions, configure the disk hardware for high availability.

2. Use SAM or LVM commands to set up volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.


Install the HA HP CIFS Server

Follow the steps below to load the HA HP CIFS Server software.

1. Install the HP CIFS Server using SD on the primary and alternate nodes. If the HP CIFS Server is already installed and configured on the primary node, stop it using the /opt/samba/bin/stopsmb command and skip to Step 3 below.

2. On the primary node:

Run the /opt/samba/bin/samba_setup script to configure the installed files. Enter the server name and domain/workgroup name for the HA HP CIFS Server at this time.

3. On the alternate nodes:

Run the /opt/samba/bin/samba_setup script and configure it with the same authentication level and domain/workgroup as the primary node.

NOTE For users used to authenticate CIFS clients, make sure that they have the same name, user ID number, primary group and password on all nodes. This is a very important step.

4. Add the following to the [global] section of the /etc/opt/samba/smb.conf file on both nodes:

interfaces = XXX.XXX.XXX.XXX 127.0.0.1

bind interfaces only = yes

Where “XXX.XXX.XXX.XXX 127.0.0.1” is replaced with the relocatable IP address for the MC ServiceGuard package, not the LANIC IP address associated with the physical LAN card of the system. If your MC ServiceGuard package has more than one relocatable IP address, put them all on this line.


IMPORTANT This is important to ensure the IP address of the HP CIFS server doesn’t change when a failover occurs. If the IP address changed on failover, clients might experience problems.

5. Check that the RUN_SAMBA parameter in the /etc/rc.config.d/samba file is set to 0 on all nodes.
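As an added pre-flight check (example code written here, not part of the HP guide), the following POSIX shell script reads the [global] section of an smb.conf and verifies the settings from steps 4 and 5: the interfaces line carries the relocatable IP and 127.0.0.1 but not the node's own LANIC address, bind interfaces only is yes, and RUN_SAMBA is 0. The sample files, the relocatable address 15.13.171.20 (the guide's example) and the LANIC address 15.13.171.5 are constructed.

```shell
#!/bin/sh
# Added example, not from the HP guide: pre-flight checks for the HA
# smb.conf settings in steps 4 and 5. File paths and addresses are
# parameters; the demo at the bottom uses constructed sample files.

# smb_global_param <smb.conf> <parameter>: print the value of one
# parameter from the [global] section (case-insensitive name match,
# comments and other sections ignored).
smb_global_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
        insec && $0 !~ /^[ \t]*[#;]/ {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_ha_interfaces <smb.conf> <relocatable IP> <LANIC IP>
# Returns 0 when [global] binds to the package's relocatable address plus
# loopback only; prints each problem found and returns 1 otherwise.
check_ha_interfaces() {
    ifaces=$(smb_global_param "$1" "interfaces")
    bio=$(smb_global_param "$1" "bind interfaces only")
    rc=0
    case " $ifaces " in
        *" $2 "*) ;;
        *) echo "interfaces lacks relocatable IP $2"; rc=1 ;;
    esac
    case " $ifaces " in
        *" 127.0.0.1 "*) ;;
        *) echo "interfaces lacks 127.0.0.1"; rc=1 ;;
    esac
    case " $ifaces " in
        *" $3 "*) echo "interfaces lists LANIC IP $3, which does not move on failover"; rc=1 ;;
    esac
    [ "$bio" = "yes" ] || { echo "bind interfaces only is '$bio', expected yes"; rc=1; }
    return $rc
}

# check_run_samba <rc.config.d file>: 0 when RUN_SAMBA=0, so that the
# package (not the rc system) starts the HP CIFS Server on this node.
check_run_samba() {
    val=$(awk -F= '/^[ \t]*RUN_SAMBA[ \t]*=/ { v = $2; gsub(/[ \t"]/, "", v); print v; exit }' "$1")
    [ "$val" = "0" ]
}

# write_demo_configs <dir>: constructed sample files. 15.13.171.20 is the
# guide's example relocatable IP; 15.13.171.5 is a constructed LANIC IP.
write_demo_configs() {
    mkdir -p "$1"
    printf '%s\n' '[global]' '   workgroup = HADOM' \
        '   interfaces = 15.13.171.20 127.0.0.1' \
        '   bind interfaces only = yes' '[homes]' '   path = /home' > "$1/smb.conf.good"
    printf '%s\n' '[global]' '   interfaces = 15.13.171.5 127.0.0.1' \
        '   bind interfaces only = no' > "$1/smb.conf.bad"
    printf 'RUN_SAMBA=0\n' > "$1/samba.rc.good"
    printf 'RUN_SAMBA=1\n' > "$1/samba.rc.bad"
}

DEMO=${TMPDIR:-/tmp}/ha_cifs_check.$$
write_demo_configs "$DEMO"
for f in good bad; do
    if check_ha_interfaces "$DEMO/smb.conf.$f" 15.13.171.20 15.13.171.5 &&
       check_run_samba "$DEMO/samba.rc.$f"; then
        echo "$f: settings are suitable for an HA package"
    else
        echo "$f: fix the problems above before creating the package"
    fi
done
rm -rf "$DEMO"
```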


Configure a Highly Available HP CIFS Server

To configure the HA HP CIFS Server product, you must complete the steps below. These steps are described in detail in the following sections.

1. Move data to the HP CIFS share volume.

2. Edit the samba.conf package configuration file.

3. Edit the samba.cntl control script.

4. Create the MC/ServiceGuard Binary Configuration File.

Move Data to the HP CIFS Share Volume

To configure the highly available HP CIFS Server package, complete the following tasks on the Primary Node of your MC/ServiceGuard cluster:

1. Move all relevant data to the HP CIFS Server package shared volume.

Relevant data, consisting of all directories and files which will be accessed using HP CIFS Server, should reside on shared volumes. This data includes any shares created by the user. For example, if the HP CIFS Server administrator creates a TEST=c:/tmp/test share, then all the data from /tmp/test should reside on a shared logical volume.

NOTE HP recommends that you configure your /etc/opt/samba directory to reside on a shared logical volume. This allows all nodes to share an smb.conf file. This simplifies the configuration, but requires that the names of printers shared by Samba and directory paths to the root of Samba shares be identical. While you could keep separate smb.conf files on each node, it would be difficult to keep the smb.conf file on every node updated each time a change is made.

It would also be difficult to configure and manage a configuration where the names of shared printers and share locations vary from node to node.


NOTE If you plan to use a username mapping file, HP recommends that you configure its location under the /etc/opt/samba directory. This way, when changes are made, all nodes will be updated.

Below is an example of copying data from the required HP CIFS Server directories to the logical volumes in the volume group vgsamba.

mkdir /tmp/share1_copy /tmp/share2_copy /tmp/etc_copy
mount /dev/vgsamba/lvol1 /tmp/share1_copy
mount /dev/vgsamba/lvol2 /tmp/share2_copy
mount /dev/vgsamba/lvol3 /tmp/etc_copy
cp -r /opt/share1/* /tmp/share1_copy
cp -r /home/share2/* /tmp/share2_copy
cp -r /etc/opt/samba/* /tmp/etc_copy
umount /tmp/share1_copy
umount /tmp/share2_copy
umount /tmp/etc_copy
rm -rf /tmp/share1_copy /tmp/share2_copy /tmp/etc_copy

2. Create a directory for the HP CIFS Server cluster package.

mkdir /etc/cmcluster/samba

3. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/HA to /etc/cmcluster/samba on the primary node. Make all of the scripts writeable.

cp /opt/samba/HA/active_standby/samba.* /etc/cmcluster/samba
chmod 666 samba.conf samba.cntl samba.mon

4. Customize the sample scripts for your MC/ServiceGuard configuration. A sample customization of the HA HP CIFS Server package configuration, control and monitor scripts is shown below.

5. Ensure that the control (samba.cntl) and monitor (samba.mon) scripts are executable.

chmod 777 samba.cntl samba.mon

Edit the samba.conf Configuration File

To configure the samba.conf configuration file, complete the following tasks on the Primary Node of your MC/ServiceGuard cluster:


1. Set the PACKAGE_NAME variable.

PACKAGE_NAME Sambapkg

2. Create a NODE_NAME variable for each node that will be running the package. The first NODE_NAME variable should specify the primary node. All other NODE_NAME variables should specify alternate nodes in the order in which they are to be tried.

NODE_NAME node1
NODE_NAME node2

3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.

RUN_SCRIPT /etc/cmcluster/samba/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/samba/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT

4. Set the SERVICE_NAME variable to samba_mon.

SERVICE_NAME samba_mon
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300

5. Set the SUBNET variable to the subnet that will be monitored for the package, as in the following example:

SUBNET 15.13.2.0

6. The following initialization settings will cause a package failover to occur if there is a node or network failure, even if the HP CIFS Server monitor script is not being used.

PKG_SWITCHING_ENABLED YES
NET_SWITCHING_ENABLED YES

7. If the NODE_FAIL_FAST_ENABLED variable is set to NO, the node is not brought down when the package goes down.

NODE_FAIL_FAST_ENABLED NO

Edit the samba.cntl Control Script

To configure the samba.cntl Control Script file, you must complete the following tasks:

1. Create a volume group for the HP CIFS Server directories:

VG[0]=/dev/vgsamba


2. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server, for example:

LV[0]=/dev/vgsamba/lvol1;FS[0]=/opt/share1
LV[1]=/dev/vgsamba/lvol2;FS[1]=/home/share2
LV[2]=/dev/vgsamba/lvol3;FS[2]=/etc/opt/samba

Add additional LV variables, if required.

3. Specify the relocatable IP address and the address of the subnet to which the IP address belongs.

IP[0]=15.13.171.20
SUBNET[0]=15.13.168.0

4. If you want to use the HP CIFS Server monitor script, set the NFS_SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.

SERVICE_NAME[0]=samba_mon
SERVICE_CMD[0]=/etc/cmcluster/samba/samba.mon

5. Use the following example as a template for customer_defined_run_cmds:

function customer_defined_run_cmds
{
# ADD customer defined run commands.
    findproc smbd
    if [ "$pid" = "" ]
    then
        findproc nmbd
        if [ "$pid" = "" ]
        then
            /opt/samba/bin/startsmb
        else
            /opt/samba/bin/stopsmb
            /opt/samba/bin/startsmb
        fi
    else
        findproc nmbd
        if [ "$pid" = "" ]
        then
            /opt/samba/bin/stopsmb
            /opt/samba/bin/startsmb
        fi
    fi
    test_return 51
}

6. Use the following as a template for customer_defined_halt_cmds:

function customer_defined_halt_cmds
{
# ADD customer defined halt commands.
    findproc smbd
    if [ "$pid" = "" ]
    then
        findproc nmbd
        if [ "$pid" = "" ]
        then
            :
        else
            /opt/samba/bin/stopsmb
        fi
    else
        /opt/samba/bin/stopsmb
    fi
    test_return 52
}

WARNING Make sure that all processes/applications that access the file systems mounted by sambapkg are shutdown in the customer_defined_halt_cmds subroutine. This will allow the file systems to be unmounted and failed over to the standby node. Package failover may not occur if any of the file systems mounted by the sambapkg cannot be unmounted.

Create the MC/ServiceGuard Binary Configuration File

NOTE In the steps below, the cluster configuration file is assigned the name /etc/cmcluster/cluster.conf, and the HA HP CIFS Server package configuration file is assigned the name /etc/cmcluster/samba/samba.conf. The actual cluster and HA HP CIFS Server package configuration file names on your system may be different.

To configure the MC/ServiceGuard Binary file, you must complete the following tasks:

1. Use the cmcheckconf command to verify the contents of your cluster and package configuration.

cmcheckconf -C /etc/cmcluster/cluster.conf \
    -P /etc/cmcluster/samba/samba.conf

2. On the alternate node create cluster package directory:

mkdir /etc/cmcluster/samba

And, copy the package scripts from the primary node.

rcp primary_node:/etc/cmcluster/samba/* /etc/cmcluster/samba

3. Use the cmapplyconf command to copy the binary configuration file to all the nodes in the cluster.

cmapplyconf -v -C /etc/cmcluster/cluster.conf \
    -P /etc/cmcluster/samba/samba.conf

This command will distribute the updated cluster binary configuration file to all of the nodes in the cluster.

You are ready to start the HA HP CIFS Server package on the primary node.

You have completed your configuration of the HA HP CIFS Server.


Special Notes for HA HP CIFS Server

There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below:

• Client Applications

HA HP CIFS Server cannot guarantee that client applications with open files on a HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover. In these instances there may be cases where the application will need to be restarted and the files reopened, as a switchover is a logical shutdown and restart of the HP CIFS Server.

• File Locks

File locks are not preserved during failover. File locks are lost and applications are not advised about any lost file locks.

• Print Jobs

If a failover occurs when a print job is in process, the job may be printed twice or not at all, depending on the job state at the time of the failover.

• Domain Authentication

If you are using domain level authentication for your Samba server, there are some files in /var/opt/samba/private that are very important to authentication working properly. HP recommends that you make the /var/opt/samba/private directory part of a shared logical volume in this case.

• Symbolic Links

If you have your Samba server configured with follow symlinks set to yes and wide links set to yes, the defaults for these parameters, you should be cautious.

Symbolic links in the shared directory trees may point to files outside of any shared directory. If the symbolic links point to files that are not in logical shared volumes, then, after a failover occurs, the symbolic link may point to a different file or no file. Keeping the targets of all shared symbolic links synchronized with all MC/ServiceGuard nodes at all times could be difficult in this situation.


Easier options would be to set wide links to no or to be sure that every file or directory that you point to is on a logical shared volume.

• Encrypted Passwords

If you have your Samba server configured with encrypt passwords set to yes, then you have to use an smbpasswd file. By default, this file is in /var/opt/samba/private, but you can specify a different path with the smb passwd file parameter.

HP recommends that you locate your smbpasswd file on a logical shared volume if you use this file. You can do so by setting smb passwd file to a path within a logical shared volume or by making /var/opt/samba/private part of a logical shared volume.

• Samba as a WINS Server

If you configure your Samba server to be a WINS server by setting the wins support parameter to yes, it will store the WINS database in the file /var/opt/samba/locks/WINS.DAT.

If this file is not on a logical shared volume, when a failover occurs, there will be a short period of time when all the WINS clients update the Samba WINS server with their address. However, if this short period of time to restore the WINS database is not acceptable, you can reduce the period of time to restore the full WINS service.

To do so, configure /var/opt/samba/locks/WINS.DAT to be a symbolic link to a WINS.DAT file on a logical shared volume. HP does not recommend putting the entire /var/opt/samba/locks directory on a logical shared volume, because the locking data may not be correctly interpreted after a failover.

• Samba as a Master Browser

If you configure your Samba server to be the domain master browser by setting the domain master to yes, it will store the browsing database in the /var/opt/samba/locks/BROWSE.DAT file. HP does not recommend doing this in an HA configuration.

If you do so, you will probably want to configure /var/opt/samba/locks/BROWSE.DAT as a symbolic link to a BROWSE.DAT file on a logical shared volume. HP does not recommend putting the entire /var/opt/samba/locks directory on a logical shared volume because the locking data may not be correctly interpreted after a failover.

• Automatic Printer Sharing


If you configure your Samba server with a [printers] share to automatically share all the printers on your HP-UX system, then you will need to be certain that all your MC/ServiceGuard nodes have the same HP-UX printers defined. Otherwise, when a failover occurs, the list of shared printers for the Samba server will change, resulting in problems on clients using those printers.

• LMHOSTS File

If you wish to use an LMHOSTS file to store the static addresses for certain NetBios names, HP recommends that you put the LMHOSTS file on a logical shared volume.

By default the LMHOSTS file is in the /etc/opt/samba directory, which should already be in a logical shared volume, so the smb.conf file is shared for all the MC/ServiceGuard nodes. If you specify a different path for the LMHOSTS file with the -H option when you invoke nmbd, HP recommends that you put the LMHOSTS file on a logical shared volume so that all the nodes can share it.
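An added audit script (example code, not part of the HP guide) that checks whether the locations named in these notes lie on one of the package's shared mount points, following the recommended WINS.DAT/BROWSE.DAT symbolic links; the file name lmhosts under /etc/opt/samba and the scratch layout built by build_demo_tree are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP guide: audit whether the files the
# special notes above say must survive a failover lie on one of the
# package's shared file systems (the FS[n] mount points of samba.cntl).
# <root> is a scratch prefix in front of the guide's paths ("" for the
# real system); the lmhosts file name under /etc/opt/samba is assumed.

# resolve_path <path>: follow <path> if it is itself a symbolic link (the
# recommended WINS.DAT/BROWSE.DAT setup), otherwise print it unchanged.
resolve_path() {
    if [ -h "$1" ]; then
        tgt=$(ls -ld "$1" | sed 's/.* -> //')
        case $tgt in
            /*) printf '%s\n' "$tgt" ;;
            *)  printf '%s\n' "$(dirname "$1")/$tgt" ;;
        esac
    else
        printf '%s\n' "$1"
    fi
}

# on_shared <path> <mountpoint...>: 0 when the (resolved) path is a shared
# mount point or lies below one.
on_shared() {
    p=$(resolve_path "$1"); shift
    for m in "$@"; do
        case $p in
            "$m"|"$m"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_failover_paths <root> <mountpoint...>: report each failover-
# sensitive location; the return value is the number that are local.
audit_failover_paths() {
    root=$1; shift
    bad=0
    for rel in /etc/opt/samba/smb.conf /etc/opt/samba/lmhosts \
               /var/opt/samba/private \
               /var/opt/samba/locks/WINS.DAT /var/opt/samba/locks/BROWSE.DAT; do
        if on_shared "$root$rel" "$@"; then
            echo "shared  $rel"
        else
            echo "LOCAL   $rel (stale or missing after a failover)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# build_demo_tree <root>: constructed layout in which /etc/opt/samba and
# /var/opt/samba/private are shared mount points, WINS.DAT is the
# recommended link onto a shared volume, and BROWSE.DAT was left local.
build_demo_tree() {
    mkdir -p "$1/etc/opt/samba" "$1/var/opt/samba/private" "$1/var/opt/samba/locks"
    : > "$1/etc/opt/samba/smb.conf"
    : > "$1/etc/opt/samba/lmhosts"
    : > "$1/var/opt/samba/private/WINS.DAT"
    ln -s "$1/var/opt/samba/private/WINS.DAT" "$1/var/opt/samba/locks/WINS.DAT"
    : > "$1/var/opt/samba/locks/BROWSE.DAT"
}

ROOT=${TMPDIR:-/tmp}/ha_cifs_audit.$$
build_demo_tree "$ROOT"
n=0
audit_failover_paths "$ROOT" "$ROOT/etc/opt/samba" "$ROOT/var/opt/samba/private" || n=$?
if [ "$n" -eq 0 ]; then
    echo "all failover-sensitive files are on shared volumes"
else
    echo "$n location(s) would not follow the package"
fi
rm -rf "$ROOT"
```

On a real node, pass "" as the root and the FS[n] mount points from samba.cntl as the shared mount points.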


Overview of HA HP CIFS Server Active-Active

Highly Available HP CIFS Server allows the HP CIFS Server product to run on a MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 Server computers.

You must set up an MC/ServiceGuard cluster before you can set up an HA HP CIFS Server. For instructions on setting up an MC/ServiceGuard cluster, refer to the Managing MC/ServiceGuard manual.

The HA HP CIFS Server provides customizable configuration, control scripts and monitor scripts. These scripts as well as a README file are in the /opt/samba/HA/active_active directory. These are sample scripts for you to customize for your environment.

This section and the files in /opt/samba/HA/active_active only apply to an active-active HA configuration. The equivalent files, which apply to an active-standby HA configuration, are in the /opt/samba/HA/active-standby directory.

IMPORTANT This active-active configuration scheme has been revised and now differs from the scheme provided by initial HP CIFS Server releases. This scheme allows for any number of cluster nodes. The templates are simpler. This scheme also avoids confusion about netbios name to IP address mapping and registration with WINS servers. This scheme avoids the “ghost” session issues when packages are moved. As with the previous scheme, the SWAT utility has limited capabilities in an HA environment.

Recommended Clients

The recommended clients for the HA HP CIFS Server are Windows 9x and Microsoft NT/2000. Older clients, such as DOS/Windows 3.1 LM2.2C and Windows for Workgroups, may not respond well to the HP CIFS Server stopping and to network connections terminating, as occurs during an HA HP CIFS Server switchover.

Review the “Special Notes for HA HP CIFS Server” section contained later in this section for usage considerations.


Installing Highly Available HP CIFS Server

HA HP CIFS Servers must be installed and configured on all cluster nodes in the Active-Active configuration. All cluster nodes act as “primary” nodes and, at the same time, as “alternate” nodes for others. If there is no failover, each cluster node runs one of the packages. If a failover occurs, a cluster node will pick up the failed package in addition to its original package.

Before creating a Highly Available HP CIFS Server package, you must set up your MC/ServiceGuard cluster according to the instructions in the Managing MC/ServiceGuard manual.

To do so, perform the following:

1. Following the instructions, configure the disk hardware for high availability.

2. Use SAM or LVM commands to set up the volume groups, logical volumes, and file systems needed for the data that must be available to the primary and alternate cluster nodes when failover occurs.

HA HP CIFS Server Installation

1. Install HP CIFS Server using SD on all cluster nodes. If HP CIFS Server is already installed and configured on either node, simply stop it with the /opt/samba/bin/stopsmb command and skip to step 4.

2. On the first node:

Run the script /opt/samba/bin/samba_setup to configure the Samba server. Enter the server name and domain/workgroup name for the HA HP CIFS Server.

3. On the secondary nodes:

Run the script /opt/samba/bin/samba_setup to configure the second node. You will need to specify the same domain/workgroup name specified on the first node. Do not use the same server name.

4. For any UNIX users used to authenticate CIFS clients, check that they have the same name, user ID number, primary group and password on both of the nodes.

This is required for any users used to authenticate to either Samba server in the Active-Active configuration. This means that any user name used on both Samba servers must have the same user ID, primary group ID, and password on both cluster nodes. If this isn’t the case, you cannot use Samba as an Active-Active server for this MC/ServiceGuard cluster.

5. Check that the RUN_SAMBA parameter in the /etc/rc.config.d/samba file is set to 0 on both nodes.

Configure a Highly Available HP CIFS Server

Introduction

Before configuring the MC/ServiceGuard packages, it is important to understand how HP CIFS Server is able to support active-active configurations.

The HP CIFS Server permits multiple instances of its NetBIOS and SMB master daemons.

Each CIFS Server has its own smb.conf file to define its behavior. The NetBIOS name and IP address that the client connects to is used to decide which smb.conf file is used for the connection. This multiple CIFS master daemon configuration allows HP CIFS to run multiple MC/ServiceGuard packages simultaneously.

When a failover occurs, MC/ServiceGuard transfers the IP address from the failing cluster node to another node. When MC/ServiceGuard moves the package from the failing cluster node to the other node, it activates the appropriate CIFS Server on a remaining node. With the IP address switched, all the traffic that was going to the failed node now goes to the other active node. The key is to have a CIFS Server configured to look and act just like the CIFS Server that was running on the original node.

Load balancing between systems while all systems are up can be achieved by having the CIFS shares accessible only through certain CIFS Server names (NetBIOS names). Keep this in mind when you associate the CIFS shares and directories with logical volumes during server configuration.

Instructions

The following instructions are for one of the MC/ServiceGuard packages. You will have to go through these steps for each CIFS server package (one for each node). You will then need to copy all the files to all nodes in your cluster.


When complete, each HPUX system will have a package using the NetBIOS name for each node in the cluster, though only the package with its own NetBIOS name will be active until a failover occurs.

For example, if you have a three node cluster, you will have three packages on each of the three HPUX systems.

There will be three cluster directories:

1. /etc/cmcluster/samba/sambapkg1

2. /etc/cmcluster/samba/sambapkg2

3. /etc/cmcluster/samba/sambapkg3.

There will be three configuration files:

1. /etc/opt/samba/smb.conf.ha_server1,

2. /etc/opt/samba/smb.conf.ha_server2

3. /etc/opt/samba/smb.conf.ha_server3.

There will be three directories:

1. /var/opt/samba/ha_server1

2. /var/opt/samba/ha_server2

3. /var/opt/samba/ha_server3

...where the locks and log files will reside.

Complete the following for each CIFS package of your MC/ServiceGuard cluster:

1. Create the following directories:

/var/opt/samba/<netbios name>
/var/opt/samba/<netbios name>/locks
/var/opt/samba/<netbios name>/logs

where <netbios name> is the name for your CIFS server. For example:

$ mkdir /var/opt/samba/ha_server1
$ mkdir /var/opt/samba/ha_server1/locks
$ mkdir /var/opt/samba/ha_server1/logs

This step is IMPORTANT because these paths are referenced by the MC/ServiceGuard cluster scripts, samba.cntl and samba.mon.


2. Create a file /etc/opt/samba/smb.conf.<netbios name> (for example, /etc/opt/samba/smb.conf.ha_server1) with the following lines:

[global]
workgroup = ha_domain
netbios name = ha_server1
interfaces = XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx
bind interfaces only = yes
log file = /var/opt/samba/ha_server1/logs/log.%m
lock directory = /var/opt/samba/ha_server1/locks

Replace the "XXX.XXX.XXX.XXX/xxx.xxx.xxx.xxx" with one (space separated) relocatable IP address and subnet mask for the MC ServiceGuard package.

If /opt/samba/bin/samba_setup was run during installation as suggested:

• Take the workgroup line from the /etc/opt/samba/smb.conf file. Add in the rest of your desired configuration items.

• Take the NetBIOS name line from the same file, or, if there is no NetBIOS name line, put in the UNIX host name for the server on the NetBIOS name line.

• Consider load balancing when creating the share paths.

• Consider whether you need to locate your private files on a shared volume, etc. You may want to review “Special Notes for HA HP CIFS Server” found at the end of this section, now.

Make sure that the file name is in all lowercase letters (e.g. /etc/opt/samba/smb.conf.ha_server1, NOT /etc/opt/samba/smb.conf.HA_Server1) even if the NetBIOS name of the server has capital letters. If capital letters are used in the file name, failover will not work properly.

3. Move all relevant data to the HP CIFS Server package shared volume.

Relevant data, consisting of all directories and files which will be accessed using HP CIFS Server, should reside on shared volumes. This data includes any shares created by the user. For example, if the HP CIFS Server administrator creates a TEST=c:/tmp/test share, then all the data from /tmp/test should reside on a shared logical volume.


Below is an example of copying data from the required HP CIFS Server directories to the logical volumes in the volume group vgsamba. The same can be done for vgsambapkg2.

mkdir /tmp/share1_copy /tmp/share2_copy
mount /dev/vgsamba/lvol1 /tmp/share1_copy
mount /dev/vgsamba/lvol2 /tmp/share2_copy
cp -r /opt/share1/* /tmp/share1_copy
cp -r /homes/share2/* /tmp/share2_copy
umount /tmp/share1_copy
umount /tmp/share2_copy
rm -rf /tmp/share1_copy /tmp/share2_copy

4. Create a directory for HP CIFS Server cluster package:

mkdir /etc/cmcluster/samba
mkdir /etc/cmcluster/samba/sambapkg1

5. Copy the sample scripts samba.conf, samba.cntl and samba.mon from /opt/samba/HA/active_active to /etc/cmcluster/sambapkg1 (or /etc/cmcluster/sambapkg2) on the primary node. Make all scripts writeable.

cp /opt/samba/HA/active_active/samba.* /etc/cmcluster/sambapkg1
chmod 666 samba.conf samba.cntl samba.mon

6. Customize the sample scripts for your MC/ServiceGuard configuration. A sample customization of the HA HP CIFS Server package configuration, control and monitor scripts is shown below.

7. Ensure that the control (samba.cntl) and monitor (samba.mon) scripts are executable.

chmod 750 samba.cntl samba.mon

Edit the package configuration file samba.conf

To configure the samba.conf configuration file, complete the following tasks:

1. Set the PACKAGE_NAME variable.

PACKAGE_NAME cifs_pkg1

or

PACKAGE_NAME cifs_pkg2


...depending on which package you are currently working on.

2. Create a NODE_NAME variable for each node that will run the package. The first NODE_NAME should specify the primary node. All other NODE_NAME variables should specify the alternate nodes in the order in which they will be tried.

NODE_NAME ha_server1
NODE_NAME ha_server2

...for Sambapkg1,

NODE_NAME ha_server2
NODE_NAME ha_server1

...for Sambapkg2, etc.

3. Set the RUN_SCRIPT and HALT_SCRIPT variables to the full path name of the control script.

RUN_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for sambapkg1, and

RUN_SCRIPT /etc/cmcluster/sambapkg2/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/sambapkg2/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT

...for sambapkg2, etc.

4. Set the SERVICE_NAME variable to the monitor service name, samba_mon1 or samba_mon2:

SERVICE_NAME samba_mon1
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300

...for Sambapkg1, and

SERVICE_NAME samba_mon2
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300

...for Sambapkg2, etc.

5. Set the SUBNET variable to the subnet that will be monitored for the package, as in the following example:


SUBNET 15.13.2.0

6. The following initialization will cause package failover to occur if there is a node or network failure, even if the HP CIFS Server monitor script is not being used.

PKG_SWITCHING_ENABLED YES
NET_SWITCHING_ENABLED YES

7. If NODE_FAIL_FAST_ENABLED is set to NO, the node is not brought down when the package goes down.

NODE_FAIL_FAST_ENABLED NO
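The steps above leave two things easy to get wrong before cmcheckconf is ever run: a samba.conf that is missing one of the required variables, and control or monitor scripts that are still in the world-writable state step 5 put them in (chmod 666) because step 7 was skipped. The following pre-flight lint is an added example, not part of the HP CIFS Server guide or its sample scripts; it assumes the guide's layout (samba.conf, samba.cntl and samba.mon together in one package directory) and uses function names of its own. The sample package directory it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HP CIFS Server guide): pre-flight lint for an
# HA HP CIFS Server package directory before running cmcheckconf.
# Function names are ours; the file layout is the one the guide describes.

# conf_value FILE KEY -> prints every value of KEY in a ServiceGuard-style
# "KEY value" configuration file, ignoring comments.
conf_value() {
    sed -e 's/#.*//' "$1" | awk -v key="$2" '$1 == key { print $2 }'
}

# script_mode_ok FILE -> 0 when the owner can execute FILE and neither the
# group-write nor the other-write bit is set (the 750 that step 7 asks for).
script_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)     # e.g. -rwxr-x---
    case "$perms" in
        ???x?-??-?) return 0 ;;           # pos 4 = owner x, pos 6/9 = no g/o write
        *)          return 1 ;;
    esac
}

# lint_package_dir DIR -> 0 when every check passes, 1 otherwise; each
# finding is printed on stdout.
lint_package_dir() {
    dir=$1; rc=0
    conf="$dir/samba.conf"
    if [ ! -f "$conf" ]; then
        echo "missing $conf"; return 1
    fi
    # Variables the samba.conf steps set exactly once.
    for key in PACKAGE_NAME RUN_SCRIPT HALT_SCRIPT SERVICE_NAME SUBNET; do
        n=$(conf_value "$conf" "$key" | wc -l | tr -d ' ')
        if [ "$n" -ne 1 ]; then
            echo "$key: expected exactly one value, found $n"; rc=1
        fi
    done
    # At least one NODE_NAME (the first one is the primary node).
    if [ "$(conf_value "$conf" NODE_NAME | wc -l | tr -d ' ')" -lt 1 ]; then
        echo "NODE_NAME: no nodes listed"; rc=1
    fi
    # In this layout both scripts are samba.cntl.
    run=$(conf_value "$conf" RUN_SCRIPT); halt=$(conf_value "$conf" HALT_SCRIPT)
    if [ -n "$run" ] && [ "$run" != "$halt" ]; then
        echo "RUN_SCRIPT and HALT_SCRIPT differ ($run vs $halt)"; rc=1
    fi
    # Failover switches (step 6) on, node fail-fast (step 7) off.
    for pair in PKG_SWITCHING_ENABLED=YES NET_SWITCHING_ENABLED=YES NODE_FAIL_FAST_ENABLED=NO; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(conf_value "$conf" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found '${got:-unset}'"; rc=1
        fi
    done
    # Scripts copied in step 5 must be executable and not writable by others.
    for s in samba.cntl samba.mon; do
        if [ ! -f "$dir/$s" ]; then
            echo "missing $dir/$s"; rc=1
        elif ! script_mode_ok "$dir/$s"; then
            echo "$s: expected mode 750, found $(ls -ld "$dir/$s" | cut -c1-10)"; rc=1
        fi
    done
    return $rc
}

# make_sample_pkg -> creates a constructed package directory modelled on
# sambapkg1 in a temporary location and prints its path.
make_sample_pkg() {
    d=$(mktemp -d)
    cat > "$d/samba.conf" <<'EOF'
PACKAGE_NAME cifs_pkg1
NODE_NAME ha_server1
NODE_NAME ha_server2
RUN_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
RUN_SCRIPT_TIMEOUT NO_TIMEOUT
HALT_SCRIPT /etc/cmcluster/sambapkg1/samba.cntl
HALT_SCRIPT_TIMEOUT NO_TIMEOUT
SERVICE_NAME samba_mon1
SERVICE_FAIL_FAST_ENABLED NO
SERVICE_HALT_TIMEOUT 300
SUBNET 15.13.2.0
PKG_SWITCHING_ENABLED YES
NET_SWITCHING_ENABLED YES
NODE_FAIL_FAST_ENABLED NO
EOF
    : > "$d/samba.cntl"; : > "$d/samba.mon"
    chmod 750 "$d/samba.cntl" "$d/samba.mon"
    echo "$d"
}

pkg=$(make_sample_pkg)
lint_package_dir "$pkg" && echo "$pkg: OK"
chmod 666 "$pkg/samba.cntl"            # the state step 5 leaves behind
lint_package_dir "$pkg" || echo "$pkg: FAILED (step 7 not yet applied)"
rm -rf "$pkg"
```

Run it against the real package directory (lint_package_dir /etc/cmcluster/sambapkg1) once the scripts have been customized; a clean exit status means cmcheckconf is worth running.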

Edit the samba.cntl Control Script

To configure the samba.cntl Control Script file, you must complete the following tasks:

1. Set the NETBIOS_NAME variable to your NetBIOS name.

NETBIOS_NAME=ha_server1

...for sambapkg1 and

NETBIOS_NAME=ha_server2

...for sambapkg2, etc.

2. Create a volume group for the HP CIFS Server directories:

VG[0]=/dev/vgsambapkg1

...for sambapkg1, and

VG[0]=/dev/vgsambapkg2

...for sambapkg2, etc.

3. Create a separate LV[n] and FS[n] variable for each volume group and file system that will be mounted on the server, for example:

LV[0]=/dev/vgsambapkg1/lvol1; FS[0]=/opt/share1
LV[1]=/dev/vgsambapkg1/lvol2; FS[1]=/home/share2

Add more LVs if required for sambapkg.

LV[0]=/dev/vgsambapkg2/lvol1; FS[0]=/opt/share1
LV[1]=/dev/vgsambapkg2/lvol2; FS[1]=/home/share2

Add more LVs if required for sambapkg2.


4. Specify the relocatable IP address and the address of the subnet to which the IP address belongs:

IP[0]=15.13.171.20
SUBNET[0]=15.13.168.0

...for sambapkg1, and

IP[0]=15.13.171.21
SUBNET[0]=15.13.168.0

...for sambapkg2, etc.

5. If you want to use the HP CIFS Server monitor script, set the NFS_SERVICE_NAME variable to the value of the SERVICE_NAME variable in the package configuration file samba.conf.

SERVICE_NAME[0]=samba_mon1
SERVICE_CMD[0]=/etc/cmcluster/sambapkg1/samba.mon

6. Use the following as a template for customer_defined_run_cmds.

NETBIOS_NAME=ha_server1

CONF_FILE=/etc/opt/samba/smb.conf.${NETBIOS_NAME}
LOG_FILE=/var/opt/samba/${NETBIOS_NAME}/log
SMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/smbd.pid
NMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/nmbd.pid

findproc() { # return pid of the named process(es)
    # grep matches "$1" anywhere in the ps -e line, so the result is only
    # as precise as the pid string it is given.
    pid=`/usr/bin/ps -e | /usr/bin/grep "$1" | grep "mbd" | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
}

function customer_defined_run_cmds
{
    # ADD customer defined run commands.
    nmbd -D -l ${LOG_FILE} -s ${CONF_FILE}
    smbd -D -s ${CONF_FILE}

    test_return 51
}


7. Use the following as a template for customer_defined_halt_cmds:

function customer_defined_halt_cmds
{
    # ADD customer defined halt commands.
    if [ ! -f ${SMBD_PID_FILE} ]
    then
        print "\tERROR: Kill of smbd.pid failed."
        print "\tERROR: ${SMBD_PID_FILE} could not be found."
    else
        SMBD_PID=`cat ${SMBD_PID_FILE}`
        findproc $SMBD_PID
        if [ "$pid" = "" ]
        then
            print "\tERROR: Kill of smbd.pid failed."
            print "\tERROR: ${SMBD_PID} could not be found."
        else
            kill ${SMBD_PID}
        fi
    fi

    if [ ! -f ${NMBD_PID_FILE} ]
    then
        print "\tERROR: Kill of nmbd.pid failed."
        print "\tERROR: ${NMBD_PID_FILE} could not be found."
    else
        NMBD_PID=`cat ${NMBD_PID_FILE}`
        findproc $NMBD_PID
        if [ "$pid" = "" ]
        then
            print "\tERROR: Kill of nmbd.pid failed."
            print "\tERROR: ${NMBD_PID} could not be found."
        else
            kill ${NMBD_PID}
        fi
    fi

    test_return 52
}

WARNING


Make sure that all processes/applications that access the file systems mounted by sambapkg are shut down in the customer_defined_halt_cmds subroutine. This will allow the file systems to be unmounted and failed over to the adoptive node. Package failover may not occur if any of the file systems mounted by the sambapkg cannot be unmounted.

Edit the samba.mon Monitor Script

To configure the samba.mon Monitor Script file, you must complete the following tasks:

1. Set the NETBIOS_NAME variable to your NetBIOS name.

NETBIOS_NAME=ha_server1

...for sambapkg1, and

NETBIOS_NAME=ha_server2

...for sambapkg2, etc.

2. Use the following template provided with samba.mon.

CONF_FILE=/etc/opt/samba/smb.conf.${NETBIOS_NAME}
LOG_FILE=/var/opt/samba/${NETBIOS_NAME}/log
SMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/smbd.pid
NMBD_PID_FILE=/var/opt/samba/${NETBIOS_NAME}/locks/nmbd.pid

INTERVAL=30

MAX_NMBD_RETRYS=1
MAX_SMBD_RETRYS=1

PATH=$PATH:/opt/samba/bin

error_msg()
{
    print "$(date '+%b %e %X') - $1"
}

#
# Function findproc
#
findproc() { # return pid of the named process(es)
    pid=`/usr/bin/ps -e | /usr/bin/grep "$1" | grep "mbd" | /usr/bin/sed -e 's/^ *//' -e 's/ .*//'`
}

#
# Function startnmbd
#
startnmbd() { # start the nmbd
    logger -t "${NETBIOS_NAME}.mon" "${NETBIOS_NAME} nmbd daemon is not running. Restarting daemon."
    nmbd -D -l ${LOG_FILE} -s ${CONF_FILE}
}

#
# Function startsmbd
#
startsmbd() { # start the smbd
    logger -t "${NETBIOS_NAME}.mon" "${NETBIOS_NAME} smbd daemon is not running. Restarting daemon."
    smbd -D -s ${CONF_FILE}
}

# Poll both daemons every INTERVAL seconds. A missing pid file, or a daemon
# that is still down once its retries are used up, makes the script exit
# with status 1 so that MC/ServiceGuard sees the monitor service fail.
while :
do
    if [ ! -f ${NMBD_PID_FILE} ]
    then
        sleep 1
        print "\tERROR: ${NMBD_PID_FILE} could not be found!"
        exit 1
    else
        NMBD_PID=`cat ${NMBD_PID_FILE}`
        findproc $NMBD_PID
        if [ "$pid" = "" ] ; then
            if [ "$MAX_NMBD_RETRYS" -gt 0 ] ; then
                startnmbd
                if [ "$MAX_NMBD_RETRYS" -ge 1 ] ; then
                    (( MAX_NMBD_RETRYS = MAX_NMBD_RETRYS - 1 ))
                fi
            else
                sleep 1
                echo "ERROR: ${NETBIOS_NAME} nmbd not running!"
                exit 1
            fi
        fi
    fi

    if [ ! -f ${SMBD_PID_FILE} ]
    then
        sleep 1
        print "\tERROR: ${SMBD_PID_FILE} could not be found!"
        exit 1
    else
        SMBD_PID=`cat ${SMBD_PID_FILE}`
        findproc $SMBD_PID
        if [ "$pid" = "" ] ; then
            if [ "$MAX_SMBD_RETRYS" -gt 0 ] ; then
                startsmbd
                if [ "$MAX_SMBD_RETRYS" -ge 1 ] ; then
                    (( MAX_SMBD_RETRYS = MAX_SMBD_RETRYS - 1 ))
                fi
            else
                sleep 1
                echo "ERROR: ${NETBIOS_NAME} smbd not running!"
                exit 1
            fi
        fi
    fi

    sleep $INTERVAL
done
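Both the halt commands in samba.cntl and the loop in samba.mon trust the pid file completely: the content of smbd.pid is handed to findproc, which greps it as a substring of the ps -e output, and then straight to kill. An empty, truncated or stale pid file is therefore caught only by accident. The following stricter check is an added example, not part of the HP CIFS Server guide or its sample scripts: it rejects anything that is not a plain positive integer, confirms the pid is alive and that it still belongs to the expected command, and only then kills it. The function names and return codes are ours, and a background sleep stands in for smbd/nmbd so that the block runs anywhere.

```shell
#!/bin/sh
# Added example (not from the HP CIFS Server guide): a hardened replacement
# for the "cat pidfile; findproc; kill" sequence in samba.cntl/samba.mon.
# Function names and return codes are ours.

# daemon_pid_status PIDFILE COMMAND
#   0  PIDFILE holds a valid pid and that pid is running COMMAND
#   1  PIDFILE does not exist
#   2  PIDFILE content is not a plain positive integer
#   3  no process with that pid exists
#   4  the pid exists but belongs to another command (stale pidfile, pid reused)
# On success the pid is left in DAEMON_PID for the caller.
daemon_pid_status() {
    pidfile=$1; want=$2
    DAEMON_PID=""
    [ -f "$pidfile" ] || return 1
    # Strip whitespace, then refuse anything that is not all digits. This
    # rejects empty files, "-1" and "1 2", which kill(1) would otherwise read
    # as a process group or a list of targets.
    pid=$(tr -d ' \t\n' < "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$pid" -gt 1 ] || return 2                  # never treat pid 0 or 1 as a daemon
    # Exact pid lookup instead of a substring grep over ps -e.
    comm=$(ps -p "$pid" -o comm= 2>/dev/null | sed -e 's#.*/##' -e 's/[[:space:]]*$//')
    [ -n "$comm" ] || return 3
    [ "$comm" = "$want" ] || return 4
    DAEMON_PID=$pid
    return 0
}

# halt_daemon PIDFILE COMMAND -> kills the daemon only when every check
# passes; returns the daemon_pid_status code (5 when kill itself failed).
halt_daemon() {
    if daemon_pid_status "$1" "$2"; then st=0; else st=$?; fi
    case $st in
        0) kill "$DAEMON_PID" || st=5 ;;
        1) echo "ERROR: $1 could not be found." ;;
        2) echo "ERROR: $1 does not contain a valid pid; refusing to kill." ;;
        3) echo "ERROR: $2 (pid from $1) is not running." ;;
        4) echo "ERROR: pid in $1 now belongs to another command; refusing to kill." ;;
    esac
    return $st
}

# Demonstration with a constructed pidfile and a background sleep standing in
# for smbd; nothing here touches a real HP CIFS Server.
demo() {
    pf=$(mktemp)
    sleep 60 & echo $! > "$pf"
    daemon_pid_status "$pf" sleep && echo "alive: pid $DAEMON_PID"
    halt_daemon "$pf" sleep && echo "stopped pid $DAEMON_PID"
    wait 2>/dev/null
    halt_daemon "$pf" sleep                       # status 3: no such process
    printf '%s\n' '-1' > "$pf"                    # a corrupted pidfile
    halt_daemon "$pf" sleep                       # status 2: refused
    rm -f "$pf"
}
demo
```

In samba.cntl the call would be halt_daemon "${SMBD_PID_FILE}" smbd followed by the same for nmbd; in samba.mon, daemon_pid_status replaces the findproc/"$pid" = "" test, and its return code tells the loop whether to restart the daemon or exit 1.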

Create the MC/ServiceGuard Binary Configuration File

NOTE In the following example, the cluster configuration file will be assigned the name /etc/cmcluster/cluster.conf and the HA HP CIFS Server package configuration file will be assigned the name /etc/cmcluster/samba/sambapkg1/samba.conf. The actual cluster and HA HP CIFS Server package configuration file names on your system may be different.


1. On alternate nodes create a cluster package directory:

mkdir /etc/cmcluster/samba/sambapkg1   (or sambapkg2, sambapkg3 ... n)

Copy the package scripts from the primary node.

rcp primary_node:/etc/cmcluster/samba/sambapkg1/* \
    /etc/cmcluster/samba/sambapkg1

2. Use the cmcheckconf command to verify the contents of your cluster and package configuration. At this point it is assumed that you have created your MC/ServiceGuard cluster configuration file (cmclconf.ascii) through MC/ServiceGuard procedures.

cmcheckconf -C /etc/cmcluster/cmclconf.ascii \
    -P /etc/cmcluster/samba/sambapkg1/samba.conf \
    -P /etc/cmcluster/samba/sambapkg2/samba.conf

3. Use the cmapplyconf command to copy the binary configuration file to all the nodes in the cluster.

cmapplyconf -v -C /etc/cmcluster/cmclconf.ascii \
    -P /etc/cmcluster/samba/sambapkg1/samba.conf \
    -P /etc/cmcluster/samba/sambapkg2/samba.conf

This command will distribute the updated cluster binary configuration file to all of the nodes of the cluster.

You are ready to start the HA HP CIFS Server packages.

The configuration of the HA HP CIFS Server is now complete.


Special Notes for HA HP CIFS Server

There are several areas of concern when implementing Samba in the MC/ServiceGuard HA framework. These areas are described below:

• Client Applications

HA HP CIFS Server cannot guarantee that client applications with open files on a HP CIFS Server share, or applications launched from HP CIFS Server shares, will transparently recover from a switchover. In these instances there may be cases where the application will need to be restarted and the files reopened, as a switchover is a logical shutdown and restart of the HP CIFS Server.

• File Locks

File locks are not preserved during failover. File locks are lost and applications are not advised about any lost file locks.

• Print Jobs

If a failover occurs when a print job is in process, the job may be printed twice or not at all, depending on the job state at the time of the failover.

• Symbolic Links

If you have your Samba server configured with follow symlinks set to yes and wide links set to yes, the defaults for these parameters, you should be cautious.

Symbolic links in the shared directory trees may point to files outside any shared directory. If the symbolic links point to files that are not in logical shared volumes, then, after a failover occurs, the symbolic link may point to a different file or no file. Keeping the targets of all shared symbolic links synchronized with all MC/ServiceGuard nodes at all times could be difficult in this situation.

Easier options would be to set wide links to no or to be sure that every file or directory that you point to is on a logical shared volume.

• Security Files and Encrypted Passwords

Authentication is dependent on several entries in different security files. An important security file is the user password file, smbpasswd. If you have your Samba server configured with encrypt passwords set to yes, then you have to use an smbpasswd file. By default, this file is located in the path /var/opt/samba/private but you may specify a different path with the smb passwd file parameter.

Another important security file used with domain level security is the machine account file, <domain.server>.mac. Since this file will be updated periodically (as defined in smb.conf by machine password timeout, 604800 seconds by default), HP recommends that you locate <domain.server>.mac on a shared logical volume. As with the smbpasswd file, discussed above, the location of this file is defined by the smb.conf parameter smb passwd file. For example, smb passwd file = /var/opt/samba/shared_vol_1/private/smbpasswd will result in the file /var/opt/samba/shared_vol_1/private/<domain.server>.mac.

For both the machine account file and user password file, HP recommends that you locate the files on a shared logical volume. Do so by setting smb passwd file to a path within a logical shared volume.

• Username Mapping File

If you configure your Samba server to use a username mapping file, HP recommends that you configure it to be located on a shared logical volume. This way, if changes are made, all the nodes will always be up-to-date. The username mapping file location is defined in smb.conf by the parameter username map, e.g. username map = /var/opt/samba/shared_vol_1/username.map. There is no username map file by default.

• Samba as a WINS Server

If you configure your Samba server to be a WINS server by setting the wins support parameter to yes, it will store the WINS database in the file /var/opt/samba/locks/WINS.DAT.

If this file is not on a logical shared volume, when a failover occurs there will be a short period of time during which all the WINS clients update the Samba WINS server with their address. However, if this short period of time to restore the WINS database is not acceptable, you can reduce the period of time to restore the full WINS service.


To do so, configure /var/opt/samba/locks/WINS.DAT to be a symbolic link to a WINS.DAT file on a logical shared volume. HP does not recommend putting the entire /var/opt/samba/locks directory on a logical shared volume, because the locking data may not be correctly interpreted after a failover.

• Samba as a Master Browser

If you configure your Samba server to be the domain master browser by setting domain master to yes, it will store the browsing database in the /var/opt/samba/locks/BROWSE.DAT file. HP does not recommend doing this in an HA configuration.

If you do so, you will probably want to configure /var/opt/samba/locks/BROWSE.DAT as a symbolic link to a BROWSE.DAT file on a logical shared volume. HP doesn't recommend putting the entire /var/opt/samba/locks directory on a logical shared volume because the locking data may not be correctly interpreted after a failover.

• Automatic Printer Sharing

If you configure your Samba server with a [printers] share to automatically share all the printers on your HP-UX system, then you will need to be certain that all your MC/ServiceGuard nodes have the same HP-UX printers defined. Otherwise, when a failover occurs, the list of shared printers for the Samba server will change, resulting in problems on clients using those printers.

• Samba's LMHOSTS File

If you wish to use an LMHOSTS file to store the static addresses for certain NetBIOS names, HP recommends that you put the LMHOSTS file on a logical shared volume so that all the nodes can share it. To do this you will need to specify a different path for the LMHOSTS file using the -H option when invoking nmbd.

You will need to edit the MC/ServiceGuard scripts to add the -H option to the places where nmbd is invoked directly. You will also need to edit the /opt/samba/bin/startsmb script to add the -H option to the places where nmbd is started.
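The Symbolic Links note above says to be sure that every link target is on a logical shared volume when wide links stays at yes, but offers no way to find the links that are not. The following audit is an added example, not part of the HP CIFS Server guide: it walks a share tree, resolves each symbolic link (including relative and ".." targets) to an absolute path, and reports any link whose target lies outside the shared volume mount points you pass in. The function names are ours, and the tree it checks at the end is constructed in a temporary directory for illustration.

```shell
#!/bin/sh
# Added example (not from the HP CIFS Server guide): find symbolic links in a
# share tree whose targets are not on a shared logical volume.
# Function names are ours; paths and mount points are whatever you pass in.

# resolve_link LINK -> prints the absolute, ".."-free path LINK points to.
# Returns 1 (prints nothing) when the target's parent directory does not exist.
resolve_link() {
    link=$1
    target=$(readlink "$link") || return 1
    case "$target" in
        /*) tdir=$(dirname "$target") ;;
        *)  tdir=$(dirname "$link")/$(dirname "$target") ;;   # relative to the link's dir
    esac
    absdir=$(cd -P "$tdir" 2>/dev/null && pwd -P) || return 1
    if [ "$absdir" = / ]; then absdir=; fi
    printf '%s/%s\n' "$absdir" "$(basename "$target")"
}

# audit_share_links SHARE ALLOWED_DIR... -> lists every symlink under SHARE
# whose resolved target is not beneath one of the ALLOWED_DIRs (the shared
# volume mount points) or whose target directory is missing.
# Returns 0 when every link stays inside, 1 otherwise.
audit_share_links() {
    share=$1; shift
    allowed=""
    for a in "$@"; do                       # canonicalize the mount points
        allowed="$allowed $(cd -P "$a" 2>/dev/null && pwd -P)"
    done
    findings=$(find "$share" -type l | while read -r l; do
        if dest=$(resolve_link "$l"); then
            inside=no
            for a in $allowed; do
                case "$dest/" in "$a"/*) inside=yes ;; esac
            done
            if [ "$inside" = no ]; then echo "OUTSIDE  $l -> $dest"; fi
        else
            echo "DANGLING $l -> $(readlink "$l")"
        fi
    done)
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demonstration tree: vol1 and vol2 stand for two shared logical
# volumes, "outside" for a node-local directory that will not fail over.
demo_audit() {
    base=$(mktemp -d)
    mkdir -p "$base/vol1/share1/sub" "$base/vol2/share2" "$base/outside"
    echo data > "$base/vol1/share1/file"
    echo local > "$base/outside/node_local"
    ln -s ../file "$base/vol1/share1/sub/ok_relative"
    ln -s "$base/vol2/share2" "$base/vol1/share1/ok_other_volume"
    ln -s ../../../outside/node_local "$base/vol1/share1/sub/escapes"
    audit_share_links "$base/vol1/share1" "$base/vol1" "$base/vol2" \
        || echo "fix the links listed above or set wide links = no"
    rm -rf "$base"
}
demo_audit
```

On the server itself the call is audit_share_links /opt/share1 /opt/share1 /home/share2 (or whichever mount points the LV[n]/FS[n] entries in samba.cntl define); an empty report means every link will still resolve after the package moves to the adoptive node.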


8 HP-UX Configuration for HP CIFS

This chapter describes HP-UX tuning procedures for the HP CIFS Server. It contains the following sections:

Chapter 8 181

HP-UX Configuration for HP CIFS

• HP CIFS Server Memory and Disc Requirements

• HP CIFS Process Model

• Overview of Kernel Configuration Parameters

• Configuring Kernel Parameters for HP CIFS

The following information should be considered as general guidelines and not a rigid formula to determine the resource requirements of a HP CIFS server running on HP-UX 11.0. Each customer configuration is unique, and on-line tools should be used while the system is running its normal load to ascertain the requirements of each system.

NOTE Guidelines have changed in version A.01.08. Specifically, the use of nfile has increased from a minimum of 8 to 23, and nflocks has been added as a mandatory configurable parameter.


HP CIFS Process Model

The SMB daemon process, smbd, handles all SMB requests from a client. One such process is launched for each connected client. Each SMBD process handles one and only one client. Therefore, if there are 2048 connected clients, there will be 2048 SMBD processes. Such a large number of processes will demand system resources, requiring adjustment of certain kernel configuration parameters. It will also deplete memory, disc and swap space resources.


Overview of Kernel Configuration Parameters

The kernel configuration parameters maxusers, nproc, ninode, nflocks and nfile are described below. These are the kernel parameters that you must adjust to support a large number of clients on HP CIFS.

• maxusers: the name of this kernel parameter is a misnomer as it does not directly control the number of UNIX users that can log on to HP-UX. However, this kernel parameter is used in various formulae throughout the kernel. In fact, the default values for nproc, nfile and ninode are expressed in terms of maxusers.

• nproc: this kernel parameter controls the size of the process table. Its default formula is (20+8*maxusers). On most systems the default value for this parameter is 21, which yields a default value of 20+8*32 or 276 maximum processes supported. When this table fills up prior to launching a process, the error message "proc: table is full" will appear on the console. It will be viewable via the dmesg command.

• nfile: this kernel parameter controls the size of the system file table and limits the total number of open files in the system. Note that this affects each instance of an open file, since the same file opened twice would take up 2 entries in the system file table. The default formula is (16*(nproc+16+maxusers)/10+32+2*(npty+nstrpty+nstrtel)). When this table becomes full, the console message "file: table is full" will appear on the console.

• ninode: this kernel parameter controls the size of the in-core inode table, or the inode cache. To improve performance, the most recently accessed inodes are kept in memory. The default formula for this parameter is ((nproc+16+maxusers)+32+(2*npty)). Attempts to open a file beyond the capacity of this table will result in the message "inode table full" being displayed on the console.

• nflocks: defines the maximum combined total number of file locks that are available system-wide to all processes at any given time. The default value of 200 will need to be increased for HP CIFS Servers.


Configuring Kernel Parameters for HP CIFS

The first step in configuring HP-UX to be able to support a large number of clients on a HP CIFS server is to adjust the maxusers kernel parameter.

The second step involves adjusting nproc, nfile, nflocks and ninode individually so as to allow a large number of users to be connected simultaneously.

1. Configuring maxusers

Determine the maximum number of simultaneous clients that will be connected and add this number to the current value of maxusers. For example, if 2048 clients are to be supported, simply add 2048 to the current value of maxusers. Note that, unless the parameters have been manually changed, adjusting maxusers automatically adjusts the corresponding values for nproc, nfile and ninode.

For example, if the default maxusers value of 32 is adjusted to 32+2048 or 2080 to support the maximum allowable clients of 2048, the other parameters will be adjusted as follows on a typical system:

nproc will be increased to 8,468

nfile will be increased to 15,656

ninode will be increased to 9,692

If these values are found to be too large, or too small for that matter, then the individual kernel parameters can be adjusted as described below.

2. Configuring nproc, nfile and ninode.

• nproc: since each client will be handled by one unique smbd process, and each process will take up one entry in the process table, this parameter has to be at least equal to the maximum number of simultaneously connected clients. This is a necessary condition, but it will obviously not be sufficient, since there will be other processes, including system processes beyond your control, that will take up proc table entries. In practice, then, this parameter needs to be set to the anticipated maximum number of clients plus the number of the other processes that will also be running concurrently with HP CIFS.


• nfile: when an SMBD process is launched, it will, right at the beginning, take up 23 entries in the system file table.

This does not include any other files that the client will open and operate on. At a minimum, therefore, the value of nfile should be equal to the anticipated number of simultaneous clients times (23 + the anticipated number of files simultaneously opened by each client). Again, this is necessary, but it may not be sufficient, since there will be other non-HP CIFS processes that will have files opened concurrently with HP CIFS.

• ninode: unlike nfile, each instance of an open will NOT increase the number of inode entries. Rather, each unique opened file will only take up one entry, regardless of how many times it is opened. Therefore this parameter should be set to the anticipated number of UNIQUE open files used by HP CIFS plus the number opened by other processes in the system.

• nflocks: each smbd process will utilize at least ten file locks. Therefore, the value of nflocks should, at least, be equal to the anticipated number of simultaneous clients multiplied by ten (10). The use of nflocks by other applications must also be considered.

Swap Space Requirements

Due to the one-process-per-client model of HP CIFS, perhaps the most stringent requirement imposed on the system is that of swap space. HP-UX reserves a certain amount of swap space for each process that is launched, to prevent it from being aborted in case it needs to swap out some pages during times of memory pressure. Other operating systems only reserve swap space when it is needed. This can result in the process not finding the swap space that it needs, in which case it has to be terminated by the OS.

Each smbd process will reserve about 1.7MB of swap space. For a maximum of 2048 clients, 1.7 * 2048 or about 4GB of swap space would be required. Therefore, HP recommends configuring enough swap space to accommodate the maximum number of simultaneous clients connected to the HP CIFS server.


Memory Requirements

Each smbd process will need approximately 1/2 MB of memory. For 2048 clients, therefore, the system should have at least 1 GB of physical memory. This is over and above the requirements of other applications that will be running concurrently with HP CIFS.
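The rules in the "Configuring nproc, nfile and ninode", "Swap Space Requirements" and "Memory Requirements" sections above are per-client multipliers plus an allowance for everything else on the system, so they are easy to apply to any planned client count. The helper below is an added example, not part of the HP CIFS Server guide: it turns those rules into functions, and check_tunables compares the minimums against current kernel values supplied as name=value arguments. The per-client constants are the chapter's (one smbd per client, 23 file-table entries and ten file locks per smbd, about 1.7 MB of reserved swap and 1/2 MB of memory per smbd); the function names, the single "other" allowance applied to every parameter, and the sample current values are ours and only illustrative.

```shell
#!/bin/sh
# Added example (not from the HP CIFS Server guide): sizing helper that
# applies this chapter's per-client rules to a planned client count.
# Function names and the "other" allowance are ours (a simplification:
# one allowance covers other processes, other files and other locks alike).

# default_nproc MAXUSERS -> nproc as produced by the default formula 20+8*maxusers
default_nproc() { echo $((20 + 8 * $1)); }

# Minimum values from "Configuring nproc, nfile and ninode" and the
# swap/memory sections; all integer arithmetic.
min_nproc()   { echo $(($1 + $2)); }              # clients + other processes
min_nfile()   { echo $(($1 * (23 + $2) + $3)); }  # clients*(23 + files each) + other
min_ninode()  { echo $(($1 + $2)); }              # unique CIFS files + other unique files
min_nflocks() { echo $(($1 * 10 + $2)); }         # ten locks per smbd + other
swap_mb()     { echo $(($1 * 17 / 10)); }         # 1.7 MB per smbd, kept in integer tenths
memory_mb()   { echo $(($1 / 2)); }               # 1/2 MB per smbd

# check_tunables CLIENTS FILES_PER_CLIENT UNIQUE_FILES OTHER name=value...
# Prints "PARAM current minimum" for every parameter below its minimum;
# returns 0 when nothing needs raising, 1 otherwise.
check_tunables() {
    clients=$1 fpc=$2 uniq=$3 other=$4
    shift 4
    rc=0
    for cur in "$@"; do
        name=${cur%%=*}; val=${cur#*=}
        case $name in
            nproc)   need=$(min_nproc "$clients" "$other") ;;
            nfile)   need=$(min_nfile "$clients" "$fpc" "$other") ;;
            ninode)  need=$(min_ninode "$uniq" "$other") ;;
            nflocks) need=$(min_nflocks "$clients" "$other") ;;
            *) echo "unknown parameter $name" >&2; rc=1; continue ;;
        esac
        if [ "$val" -lt "$need" ]; then
            echo "$name $val $need"; rc=1
        fi
    done
    return $rc
}

# Worked figures for the chapter's 2048-client case. Assumed inputs: ten open
# files per client, 5000 unique files, an allowance of 500 for everything else.
# The "current" values are constructed; on HP-UX they would come from kmtune.
echo "swap needed: $(swap_mb 2048) MB, memory needed: $(memory_mb 2048) MB"
check_tunables 2048 10 5000 500 nproc=276 nfile=1000 ninode=500 nflocks=200 \
    || echo "raise the parameters listed above before supporting 2048 clients"
```

The numbers come out as the chapter states them: 276 processes for the default maxusers of 32, 20480 locks for 2048 clients before any other application is counted, about 3.5 GB of swap (the text rounds to 4 GB) and 1 GB of memory.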


Glossary

A

ACL Access Control List, meta-data that describes which users are allowed access to file data and what type of access is granted to that data. ACLs define "access rights." In this scheme, users typically belong to "groups," and groups are given access rights as a whole. Typical types of access rights are read (list), write (modify), or create (insert). Different file systems have varying levels of ACL support and different file systems define different access rights. For example, DOS has only one set of rights for a file (since only one user is considered to use a DOS system). A POSIX 6-compliant file system allows multiple rights to be assigned to multiple files and directories for multiple users and multiple groups of users.

ASP Application service provider, an e-business that essentially "rents" applications to users.

Authentication Scheme to ensure that a user who is accessing file data is indeed the intended user. A secure networked file system uses authentication to prevent access occurring from someone pretending to be the intended user.

Authorization Ensures that a user has access only to file system data that the user has the right to access. Just because a user is authenticated does not mean he or she should be able to read or modify any file. In the simplest form of authorization, users are given read or modify permissions to individual files and directories in a file system, through the use of access control information (called an Access Control List, or ACL).

C

CIFS Common Internet File System, a specification for a file access protocol designed for the Internet.

HP CIFS Hewlett-Packard's implementation of CIFS for UNIX. HP CIFS provides both server and client modules for both HP 9000 servers and workstations.

Credential A piece of information that identifies a user. A credential may be as simple as a number that is uniquely associated with a user (like a social security number), or it may be complicated and contain additional identifying information. A strong credential contains proof, sometimes called a verifier, that the user of the credential is indeed the actual user the credential identifies.

D

Diffie-Hellman A protocol used to securely share a secret key between two users. The Diffie-Hellman protocol uses a form of public key exchange to share the secret key. Diffie-Hellman is known to be susceptible to an interceptor's attack, but authenticated Diffie-Hellman Key Agreement, a later enhancement, prevents such a middle-person attack.

E

Encryption Encryption ensures that data is viewable only by those who possess a secret (or private) key. Encrypted data is meaningless unless the secret key is used to decrypt the data. Encryption and decryption of data is called ciphering.


I

Integrity Integrity ensures that file system data is not modified by an intruder. An intruder cannot intercept a file system data packet and modify it without the network file system discovering and rejecting the tampering.

K

Kerberos An authentication and authorization security system developed by MIT and the IETF working group. It is based on secret key technology, and is generally easier to manage than a public key infrastructure because of its centralized design. However, Kerberos is not as scalable as a public key infrastructure.

P

Public Key An encryption method by which two users exchange data securely, but in one direction only. A user, who has a private key, creates a corresponding public key. This public key can be given to anyone. Anyone who wishes to send encrypted data to the user may encrypt the data using the public key. Only the user who possesses the private key can decrypt the data.

Public Key Infrastructure Method of managing public key encryption. Although public key technology has the advantage of never exchanging decryption keys, it has the disadvantage of being difficult to manage. Some issues include distribution of public keys with proof of the key's ownership, and revocation of expired or terminated keys.

S

Samba An open source product that first appeared in the mid-1990's. Samba provides NT file and print server capability for UNIX systems, including most of the capabilities of Advanced Server for UNIX, with the exception of the Primary Domain Controller (PDC) and Backup Domain Controller (BDC) synchronization protocols. Although Samba is widely used, vendor support for it is not generally available.

Secret Key Secret key, also known as symmetric-key or shared-key, encryption is a ciphering technique by which two users exchange data by encrypting and decrypting data with a shared secret key. Data is both encrypted and decrypted with the same key. The secret key must be exchanged securely (such as through the "cones of silence") since anyone knowing the secret key can decrypt the data.

SMB Server Message Block, the file-sharing protocol at the heart of Windows networking. SMB is shared by Windows NT, Windows 95, Windows for Workgroups, and OS/2 LAN Manager. CIFS is essentially a renaming of this protocol.


Index

Symbols
/etc/nsswitch.conf, 122
/etc/nsswitch.ldap, 122

A
Access Control Lists, 49
    configuring, 80
    VxFS, 51
ACLs. See Access Control Lists
active-standby HA, 151
adding ACE entries, 58

B
base DN, 121
boot, 118
browsing
    description, 16
    documentation, 16

C
Change Notify, 45
CIFS
    protocol, 4
Common Internet File System. See CIFS
configuration
    client, 118
    directory, 116
    quick, 120
    subsequent clients, 129, 131
    summary, 115
configuration profile, 121
configuring
    documentation, 15
    kernel parameters for CIFS/9000, 185
    overview, 27
    printing, 34

D
directory
    configuration, 116
    host, 120
    port, 120
    white paper, 116
documentation
    CIFS/9000 enhancements, 9
    file and directory information, 20
    HP CIFS Server, 14
    most recent, 24
    roadmap, 17
    Samba, 7
    www.docs.hp.com, 24

F
files
    location on server, 14

G
GNU Public License, 6
group data
    base DN, 121

H
highly available CIFS/9000, 151
host, directory, 120
HP CIFS
    description, 4
    documentation, 24
    introduction, 4
HP CIFS Server
    description, 9
    documentation, 14
    documentation roadmap, 17
    features, 9
    file and directory information, 20
    installation requirements, 26
    memory and disc requirements, 26
    process model, 183
    requirements and limitations, 25, 115, 182
    starting, 44
HP-UX 11.0 memory and disc requirements, 25

I
installation, 118
    summary, 115
installing
    documentation, 15
    loading software, 27
    overview, 27

K
kernel configuration parameters
    configuring, 184
    description, 184

L
loading software, 27

M
maxusers, 184

N
name service, 122
NativeLdapClient subproduct, 118
nfile, 184
nflocks, 184
ninode, 184
NIS and Samba
    documentation, 16
nproc, 184
NSS, 122
NT
    ACLs, 51
    directory translations, 53
    file permission translations, 53

O
object class
    posixDUAProfile, 120
    posixNamingProfile, 120
obtaining CIFS/9000 software, 24
Open Source Software, 6
OSS. See Open Source Software
overview
    configuring, 27
    installing, 27

P
performance tuning, 45
port, directory, 120
posix schema RFC 2307, 120
posixDUAProfile object class, 120
posixNamingProfile object class, 120
pre-defined permissions, 54
pre-installed software, 24
printing
    configuring, 34
    documentation, 16
Profile TTL, 122, 132
profile, configuration, 121

Q
quick configuration, 120

R
reboot, 118

S
Samba server
    description, 6
    documentation, 7
    features, 6
    name list, 62
    requirements and limitations, 25, 115, 182
    scripts, 15
    starting, 15
Samba Web Administration Tool (SWAT), 16
schema, posix, RFC 2307, 120
Server Message Block, 4, 6
setting new ACLs, 58
setup program, 120
SMB. See Server Message Block
software, loading, 27
startsmb, 44
stopsmb, 44
subproduct, NativeLdapClient, 118
swap space requirements, 186
swinstall, 118
swinstall(1M), 27

T
troubleshooting
    information, 16
TTL, profile, 122, 132

U
UNIX
    file owner, 52
    other permission, 52
    owning group, 52
    permissions, 51
user database DN, 121

V
VxFS POSIX ACL File Permission Superset, 56

W
white paper, directory configuration, 116
www.docs.hp.com, 24
www.software.hp.com, 24