HP CIFS Server Administrator Guide version A

Transcription

1 HP CIFS Server Administrator Guide version A HP-UX 11i v1, HP-UX 11i v2, and HP-UX 11i v3 HP Part Number: Published: April 2012 Edition: 16

2 Copyright 2012 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. HP CIFS Server is derived from the Open Source Samba product and is subject to the GPL license. Trademark Acknowledgements UNIX is a registered trademark of The Open Group. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

3 Contents About This Document...10 Intended Audience...10 New and Changed Documentation in This Edition...10 Typographical Conventions...10 Publishing History...10 Document Organization...11 HP Welcomes Your Comments Introduction to the HP CIFS Server...13 HP CIFS Server Description and Features...13 Features...13 Samba Open Source Software and HP CIFS Server...14 Flexibility...14 HP CIFS Server Documentation: Printed and Online...14 HP CIFS Documentation Roadmap...15 HP CIFS Server File and Directory Roadmap Installing and Configuring the HP CIFS Server...18 HP CIFS Server Requirements and Limitations...18 HP CIFS Server Installation Requirements...18 HP CIFS Server Memory Requirements...18 Software Requirements...18 Swap Space Requirements...19 Memory Requirements...19 Step 1: Installing HP CIFS Server Software...19 An Example...20 Procedures for Updating a New Version When Using CFSM...20 Step 2: Running the Configuration Script...21 Step 3: Modify the Configuration...22 Configuration Modification...22 Configure Case Sensitivity...22 Configure DOS Attribute Mapping...22 Configuring Print Services for HP CIFS Version A Configuring a [printers] share...23 Creating a [printers] share...24 Setup Server for automatically uploading printer driver files...24 Setup Client for automatically uploading of printer drivers...25 Publishing Printers in an MS Windows 2000/2003 ADS Domain...25 Setting up HP CIFS Server for Publishing Printers Support...25 Publishing Printers from a Windows Client...26 Verifying that the Printer is Published...27 Commands Used for Publishing Printers...28 Searching Printers...28 Removing a Printer...28 Re-Publishing a Printer...28 Setting Up Distributed File System (DFS) Support...28 Setting Up a DFS Tree on a HP CIFS Server...29 Setting Up DFS Links in the DFS Root Directory on a HP CIFS Server...29 MC/ServiceGuard High Availability Support...30 Step 4: Starting the HP CIFS Server...30 Starting and stopping Daemons Individually...31 Configuring Automatic Start at System Boot...31 Contents 3

4 Stopping and Restarting Daemons to Apply New Settings...31 Other Samba Configuration Issues...32 Translate Open-Mode Locks into HP-UX Advisory Locks...32 Performance Tuning using Change Notify...32 Special Concerns when Using HP CIFS Server on a Network File System (NFS) or a Clustered File System (CFS)...32 NetBIOS Names Are Not Supported on Port Managing HP-UX File Access Permissions from Windows NT/XP/ Introduction...34 UNIX File Permissions and POSIX ACLs...34 Viewing UNIX Permissions From Windows...34 The VxFS POSIX ACL File Permissions...37 Using the Windows NT Explorer GUI to Create ACLs...38 Using the Windows Vista Explorer GUI to Create ACLs...40 POSIX ACLs and Windows 2000, Windows XP, and Windows Vista Clients...43 Viewing UNIX Permissions from Windows 2000, Windows XP, and Windows Vista Clients...43 Setting Permissions from Windows 2000, Windows XP, and Windows Vista Clients...44 Viewing ACLs from Windows 2000 Clients...45 Displaying the Owner of a File...46 HP CIFS Server Directory ACLs and Windows 2000, Windows XP, and Windows Vista Clients...46 Directory ACL Types...46 Viewing ACLs from Windows 2000 Clients...46 Viewing Basic ACLs from Windows 2000 Clients...46 Viewing Advanced ACLs from Windows 2000 Clients...47 Mapping Windows 2000/XP Directory Inheritance Values to POSIX...48 Modifying Directory ACLs From Windows 2000/XP Clients...49 Removing an ACE entry from Windows 2000/XP clients...50 Examples...50 Adding Directory ACLs From Windows 2000/XP Clients...52 POSIX Default Owner and Owning Group ACLs...53 POSIX ACEs with zero permissions...53 In Conclusion Windows Style Domains...55 Introduction...55 Advantages of the Samba Domain Model...55 Primary Domain Controllers...55 Backup Domain Controllers...56 Advantages of Backup Domain Controllers...56 Limitations...56 Domain Members...56 Configure the HP CIFS Server as a PDC...56 Configure the HP CIFS Server as a BDC...57 Promote a BDC to a PDC in a Samba Domain...58 Domain Member Server...58 Configure the HP CIFS Server as a Member Server...58 Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-windows 2000 computer), or Samba Domain...59 Step-by-step Procedure...60 Create the Machine Trust Accounts...60 Configure Domain Users...62 Join a Windows Client to a Samba Domain...62 Roaming Profiles...65 Configuring Roaming Profiles...65 Configuring User Logon Scripts Contents

5 Running Logon Scripts When Logging On...66 Home Drive Mapping Support...66 Trust Relationships...67 Configuring smb.conf for Trusted Users...67 Establishing a Trust Relationship on an HP CIFS PDC With Another Samba Domain...67 Establishing a Trust Relationship on an HP CIFS PDC With an NT Domain...68 Trusting an NT Domain from a Samba Domain...68 Trusting a Samba Domain from an NT Domain...68 Establishing a Trust Relationship on an HP CIFS Member Server of a Samba Domain or an NT Domain Windows 2003 and Windows 2008 Domains...69 Introduction...69 HP CIFS and Other HP-UX Kerberos Applications Co-existence...69 HP-UX Kerberos Client Software and LDAP Integration Software Dependencies...69 Strong Authentication Support...70 Steps to install Certification Authority (CA) on a Windows ADS Server...70 Steps to Download the CA Certificates From Windows CA Server...71 Configuring HP CIFS Server to Enable starttls...71 Joining an HP CIFS Server to a Windows 2000, Windows 2003, and Windows 2008 Domain...72 Configuration Parameters...72 Setting Permissions for a User...73 Step-by-step Procedure...74 Trust Relationships...76 Establishing External Trust Relationships between HP CIFS PDCs and Windows 2003 and Windows 2008 Domains...76 Establishing a Trust Relationship on an HP CIFS Member Server of a Windows 2003 or Windows 2008 Domain LDAP Integration Support...79 Overview...79 HP CIFS Server Advantages...80 Network Environments...80 Domain Model Networks...80 CIFS Server Acting as the Primary Domain Controller (PDC)...80 CIFS Server Acting as the Member Server...80 CIFS Server Acting as Backup Domain Controller (BDC) to Samba PDC...80 CIFS Server acting as an Active Directory Service (ADS) Member Server...80 Workgroup Model Networks...81 UNIX User Authentication - /etc/passwd, NIS Migration...81 The CIFS Authentication with LDAP Integration...81 Summary of Installing and Configuring...82 Installing and Configuring Your Directory Server...82 Installing the Directory Server...82 Configuring Your Directory Server...83 Verifying the Directory Server...83 Installing LDAP-UX Client Services on an HP CIFS Server...83 Configuring the LDAP-UX Client Services...83 Quick Configuration...84 Enabling Secure Sockets Layer (SSL)...86 Configuring the Directory Server to enable SSL...86 Configuring the LDAP-UX Client to Use SSL...86 Configuring HP CIFS Server to enable SSL...87 Extending the Samba Subschema into Your Directory Server...88 Samba Subschema Differences Between HP CIFS Server Versions...88 Procedures to Extend the Samba Subschema into Your Directory...88 Contents 5

6 Migrating Your data to the Directory Server...88 Migrating All Your Files...89 An Example...89 Migrating Individual Files...89 Environment Variables...89 General Syntax for Perl Migration Scripts...90 Migration Scripts...90 Examples...91 Migrating Your data from one backend to another...91 Configuring the HP CIFS Server...91 LDAP Configuration Parameters...91 Configuring LDAP Feature Support...93 Creating Samba Users in the Directory...93 Adding Credentials...93 Adding a Samba User to the LDAP Directory...94 Verifying Samba Users...94 Syntax...95 Option...95 Example...95 Management Tools Winbind Support...96 Overview...96 Winbind Features...96 Winbind Process Flow...98 Winbind Supports Non-blocking, Asynchronous Functionality...99 When and How to Deploy Winbind Commonly Asked Questions Considering Alternatives Configuring HP CIFS Server with Winbind Winbind Configuration Parameters Unsupported Parameters or Options A smb.conf Example Configuring Name Service Switch idmap Backend Support in Winbind idmap rid Backend Support Limitations Using idmap rid Configuring and Using idmap rid LDAP Backend Support Configuring the LDAP Backend Starting and Stopping Winbind Starting Winbind Stopping Winbind Automatically Starting Winbind at System Startup An Example for File Ownership by Winbind Users wbinfo Utility Kerberos Support Introduction Kerberos Overview Kerberos CIFS Authentication Example HP-UX Kerberos Application Co-existence Components for Kerberos Configuration Configuring krb5.keytab Contents

7 9 HP CIFS Deployment Models Introduction Samba Domain Model Samba Domain Components HP CIFS Server Acting as a PDC HP CIFS Server Acting as a BDC HP CIFS Acting as the Member Server An example of the Samba Domain Model A Sample smb.conf File For a PDC Configuration Options A Sample smb.conf File For a BDC Configuration Options A Sample smb.conf File for a Domain Member Server Configuration Options A Sample /etc/nsswitch.ldap File Windows Domain Model Components for Windows Domain Model An Example of the ADS Domain Model A sample smb.conf file For an HP CIFS ADS Member Server A Sample /etc/krb5.conf File A Sample /etc/nsswitch.conf File An Example of Windows NT Domain Model A Sample smb.conf File for an HP CIFS Member Server Unified Domain Model Unified Domain Components HP CIFS Acting as a Windows 200x ADS Member Server Setting up the Unified Domain Model Setting up LDAP-UX Client Services on an HP CIFS Server Installing and Configuring LDAP-UX Client Services on an HP CIFS Server Configuring /etc/krb5.conf to Authenticate Using Kerberos Installing SFU 3.5 on a Window 2000 or 2003 Domain Controller An Example of the Unified Domain Model A sample smb.conf file For an HP CIFS Member Server A Sample /etc/krb5.conf File A Sample /etc/nsswitch.conf File Securing HP CIFS Server Security Protection Methods Restricting Network Access Using Host Restrictions An Example Using Interface Protection Interface Protection Example Using a Firewall Using an IPC$ Share-Based Denial Protecting Sensitive Information Encrypting Authentication Protecting Sensitive Configuration Files Using %m Name Replacement Macro With Caution Restricting Execute Permission on Stacks Automatically Receiving HP Security Bulletins Reporting New Security Vulnerabilities CIFS File System Module (CFSM) Support Using the CIFS File System Module (CFSM) for Concurrent NFS Client Access Stacking CFSM Contents 7

8 Stacking CFSM Using the mount Command Unstacking CFSM Using the umount Command Configuring CIFS for CFSM in /etc/fstab Configuring CIFS for CFSM in smb.conf Using CFSM with Other Stackable File System Modules fstadm command Syntax CFSM Implemented as Dynamically Loadable Kernel Modules (DLKMs) Supported Kernel Module States Procedures for Updating a New Version Special Issues When Using CFSM NFS delayed write errors with CFSM Memory Mapped Files with CFSM CFSM Tracing cfsmutil Command Syntax Configuring HA HP CIFS Overview of HA HP CIFS Server Recommended Clients Installing Highly Available HP CIFS Server HA HP CIFS Server Installation Configure a Highly Available HP CIFS Server Introduction Instructions Edit the package configuration file samba.conf Edit the samba.cntl Control Script Edit the samba.mon Monitor Script Create the MC/ServiceGuard Binary Configuration File Special Notes for HA HP CIFS Server HP-UX Configuration for HP CIFS HP CIFS Process Model TDB Memory-Mapped Access for HP CIFS Server Fixed Size Memory Map Support on HP-UX 11i v1, 11i v2 PA and 11i v3 PA Systems Configuration Parameters Mostly Private Address Space (MPAS) Support on HP-UX 11i v2 IA and 11i v3 IA systems Unified File Cache Support on an HP-UX 11i v3 system What to Do if You Encounter Memory Map Error Messages Constraints Overview of Kernel Configuration Parameters Configuring Kernel Parameters for HP CIFS Swap Space Requirements Memory Requirements Tool Reference HP CIFS Management Tools Smbpasswd Syntax Examples Syncsmbpasswd Options Example Pdbedit Syntax Examples Contents

9 net Net Commands Syntax for net user Examples wbinfo Syntax Examples LDAP Directory Management Tools ldapmodify Syntax ldapmodify Options Examples ldapsearch Syntax ldapsearch Options Examples ldapdelete Syntax ldapdelete Options Examples Glossary Index Contents 9

10 About This Document This document describes how to install, configure, and administer the HP CIFS Server product. It is the official documentation supported for the HP CIFS Server product. This document provides HP-UX common variations, features, and recommendations tested and supported by HP. Other documentations such as The Samba How To Collection and Using Samba, 2nd Edition supplied with the HP CIFS Server product are provided as a convenience to the user. This document and all the previous-release related documents are located at Intended Audience This document is intended for system administrators, who want to install, configure, and administer the HP CIFS Server product. For additional information about the HP CIFS Server, see HP CIFS Server documentation online at New and Changed Documentation in This Edition This edition documents the following changes for HP CIFS Server version A : HP CIFS Server version A is based on Samba with selected fixes from to It is a feature release that provides the CVE security fix from Samba and few defect fixes. The changed requirements of HP CIFS Server version A are documented. HP CIFS Server now supports Windows Server 2008 and Windows Vista operating systems. Support for these operating systems is documented. NOTE: Guide. HP provides support only for the contents described in the HP CIFS Server Administrator Typographical Conventions Table 1 Documentation Conventions Type of Information Representations of what appears on a display, program/script code and command names or parameters. Emphasis in text, actual document titles. Headings and sub-headings. Publishing History Table 2 Publishing History Details Font Monotype Italics Bold Examples > user logged in. Users should verify that the power is turned off before removing the board. Related Documents Document Manufacturing Part Number Operating Systems Supported Supported Product Versions Publication Date A April 201

11 Table 2 Publishing History Details (continued) Document Manufacturing Part Number Operating Systems Supported Supported Product Versions Publication Date B i v2 and v3 A June 2007 B i v1, v2 and v3 A February 2007 B i v1, v2 A August 2006 B i v1, v2 A April 2006 B i v1, v2 A October 2005 B i v1, v2 A February 2005 B i v1, v2 A December 2004 B , 11i v1, v2 A June 2004 B , 11i v1, v2 A February 2004 B , 11i v1, v2 A September 2003 B , 11i v1 A March 2002 Document Organization This manual describes how to install, configure, administer and use the HP CIFS Server product. The manual is organized as follows: Chapter 1 Introduction to the HP CIFS Server Use this chapter to obtain a summary and an introduction of HP CIFS Server architecture, available documentation resources and product organization roadmap. Chapter 2 Installing and Configuring the HP CIFS Server Use this chapter to learn how to install, configure the HP CIFS Server product. Chapter 3 Managing HP-UX File Access Permissions from Windows NT/XP/2000 Use this chapter to understand how to use Windows NT, XP and 2000 clients to view and change UNIX file permissions and POSIX Access Control List on an HP CIFS Server. Chapter 4 NT Style Domains Use this chapter to learn how to set up and configure the HP CIFS Server as a PDC or BDC. This chapter also describes the process for joining an HP CIFS Server to an NT style domain, Samba domain, or a Windows 2000/2003 domain as a pre-windows 2000 compatible computer. Chapter 5 Windows 2003 and Windows 2008 Domains Use this chapter to understand the process for joining an HP CIFS Server to a Windows 200x Domain using Kerberos security. Chapter 6 LDAP-UX Integration Support Use this chapter to learn how to install, configure and verify the HP Netscape Directory, HP LDAP-UX Integration product and HP CIFS Server software with LDAP feature support. Chapter 7 Winbind Support Use this chapter to learn how to set up and configure the HP CIFS Server with the winbind support. Chapter 8 Kerberos Support Use this chapter to understand configuration detail which can be used when HP CIFS Server co-exists with other HP-UX applications that make use of the Kerberos security protocol. Chapter 9 HP CIFS Deployment Models This chapter describes three HP CIFS deployment models: Samba Domain, Windows Domain, and Unified Domain. Examples of configuration files for each deployment model are provided for reference. Document Organization 11

12 Chapter 10 Chapter 11 Chapter 12 Chapter 13 Chapter 14 Securing HP CIFS Server Use this chapter to understand the network security methods that you can use to protect your HP CIFS Server. CIFS File System Module (CFSM) Support Use this chapter to understand detailed information on how to set up, configure and use CFSM. This chapter also describes CFSM tracing functionality to diagnostic CFSM activities. Configuring HA HP CIFS Use this chapter to understand the procedures required to configure the active-standby or active-active High Availability configuration. HP-UX Configuration for HP CIFS This chapter provides guidance for configuring and optimizing the HP-UX kernel and system for use with HP CIFS. Tool Reference This chapter describes tools for management of Samba user, group account database. HP Welcomes Your Comments HP welcomes your comments and suggestions on this document. We are truly committed to provide documentation that meets your needs. You can send comments to: Please include the following information along with your comments: The complete title of the manual and the part number. The part number appears on the title page of printed and PDF versions of a manual. The section numbers and page numbers of the information on which you are commenting. The version of HP-UX that you are using. 12

13 1 Introduction to the HP CIFS Server This chapter provides a general introduction to this document, HP CIFS, information about Samba, the Open Source Software suite upon which the HP CIFS server is based, HP enhancements to the Samba source, along with the various documentation resources available for HP CIFS. HP CIFS Server Description and Features Features The HP CIFS Server product implements many Windows Servers features on HP-UX. The Microsoft Common Internet File System (CIFS) protocol, sometimes called Server Message Block (SMB), is a Windows network protocol for remote file and printer access. Because the HP CIFS Server product gives HP-UX access to the CIFS protocol, HP CIFS Server enables HP-UX to interoperate in network environments exposed to Windows clients and servers by means of a Windows native protocol. The HP CIFS Server source is based on Samba, an Open Source Software (OSS) project first developed in 1991 by Andrew Tridgell. Samba has been made available to HP and others under the terms of the GNU Public License (GPL). The goal of GPL software is to encourage the cooperative development of new software. To learn about the GNU Public License, refer to the web site at A Samba team continues to update the Samba source. To learn about the Samba team, visit their web site at HP CIFS Server merges the HP-UX and Windows environments by integrating HP-UX and Windows features as follows: Authentication Mechanisms and Secure Communication Methods including: Netscape Directory Server/Red Hat Directory Service (NDS/RHDS) via LDAP Windows Active Directory Services (ADS) Kerberos, NTLMv2, and SMB Signing Support HP CIFS internal mechanisms to facilitate HP-UX and Windows compatibility such as username mapping, winbind, and idmap_rid. File System Access Support Network Printer Access Support Domain Features and Network Neighborhood Browsing Integrated authentication mechanisms means that administrators can centrally manage both UNIX and Windows users, groups, and user attributes on their choice of Windows ADS, NT, NDS/RHDS, or HP CIFS Server s tdbsam or smbpasswd account databases. The CIFS clients can have their users authenticated through a single Windows interface enabling HP-UX and Windows server resource access by means of secure communication channels. Integrated file system access means that users can use Windows clients and interfaces including Windows GUIs and applications such as Microsoft Office to read, write, copy, or execute files on HP-UX and Windows clients and servers. Users and administrators can use Windows to set access control rights on files stored on HP-UX. Integrated printer access means that users can publish and find network printers, download drivers from HP-UX systems, and print to printers with Windows interfaces. Integrated domain features and network neighborhood means that HP-UX Servers and their file systems can participate in Windows NT or Windows 2000/2003 domains and can be found through Windows interfaces along Windows resources. HP CIFS Servers can also present their own domain. HP CIFS Server Description and Features 13

14 Samba Open Source Software and HP CIFS Server Flexibility Since the HP CIFS Server source is based on Samba open source software, it gains the advantages of the evolutionary growth and improvement efforts of Samba developers around the world. In addition, HP CIFS Server also provides the following support: Includes Samba defect fixes and features only when they meet expectations for enterprise reliability. Provides HP developed defect fixes and enhancement requests for HP customers. Source is compiled and tuned specifically for the HP-UX platform and integrated with the latest HP-UX environments. Adds customized scripts and Serviceguard templates for HP-UX environments. Provides documentation specifically for HP-UX users. In order to accommodate a great variety of environments, HP CIFS Server provides many features with hundreds of configuration options. Various management tools are available to establish and control CIFS attributes. Chapter 14, Tool Reference, explains the management tools. Chapter 2, Installing and Configuring the HP CIFS Server, discusses the installation and configuration process. You must first understand the deployment environment and choose the appropriate features for your server. The concept of Samba Domain, Windows Domain, and Unified Domain models was developed to assist in deploying HP CIFS Server based on the particulars of various popular network environments. Hence, Chapter 9, HP CIFS Deployment Models, describes each model and the relevant configuration parameters required to establish servers in each deployment model. Windows domain concepts are applied within the deployment models. HP CIFS Servers can participate in either older NT style or newer Windows 2003/Windows 2008 style domains. Chapter 4, NT Style Domains, describes how an HP CIFS Server can participate in an NT style domain. Chapter 5, Windows 2003 and Windows 2008 Domains, describes how an HP CIFS Server joins a Windows 2003 or a Windows 2008 domain as an ADS domain member server. HP CIFS Server manages a given configuration using a configuration file, /etc/opt/samba/ smb.conf (by default) which contains configuration parameters set appropriately for the specific installation. HP CIFS Server must also maintain internal data (including Trivial Data Base (TDB)) files and log files in the /var/opt/samba directory (by default). See Table 1-2, Table 4 (page 17), for the full HP CIFS Server product layout. HP CIFS Server Documentation: Printed and Online The set of documentation that comprises the information you will need to explore the full features and capabilities of the HP CIFS product consists of non-hp books available at most technical bookstores, and this printed and online manual HP CIFS Server Administrator's Guide available on the following web site: A list of current recommended non-hp Samba documentation is: The Official Samba-3 HOWTO and Reference Guide by John H. Terpstra and Jelmer R. Vernooij, Editors, ISBN: Samba-3 By Example Practical exercises to Successful Deployment by John H. Terpstra, ISBN: Using Samba, 2nd Edition Robert Eckstein, David Collier-Brown, Peter Kelly and Jay Ts. (O'Reilly, 2000), ISBN: Introduction to the HP CIFS Server

15 Samba, Integrating UNIX and Windows by John D Blair (Specialized Systems Consultants, Inc., 1998), ISBN: Samba Web site: When using the HP CIFS product, HP recommends that you refer to The Samba HOWTO Collection and Samba-3 by Example, shipped with the product in the /opt/samba/docs directory. The book, Using Samba, 2nd Edition, can also be found in /opt/samba/swat/using_samba. All three books are also available through Samba Web Administration Tool (SWAT). IMPORTANT: The book Using Samba, 2nd Edition describes a previous version of Samba (V.2.0.4). However, much of the information in Using Samba, 2nd Edition is applicable to this version of the CIFS Server. Readers should always use the HP-provided Samba man pages or the SWAT help facility for the most definitive information on the HP CIFS server. NOTE: Non-HP Samba documentation sometimes includes descriptions of features and functionality planned for future releases of Samba, or that are only offered on certain operating system platforms. The authors of these books do not always provide information indicating which features are in the existing releases and which features will be available in future Samba releases, or are specific to a particular operating system. Hence, HP only supports features and functions documented in the HP generated documentation such as this manual and the product release notes. HP CIFS Documentation Roadmap Use the following road map to locate the Samba and HP CIFS documentation that provides details of the features and operations of the HP CIFS Server. Table 3 Documentation Roadmap HP CIFS Product Server Description Client Description HP Add-on Features Server Installation Client Installation Samba GUI Administration Tools Document Title: Chapter: Section HP CIFS Server Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Server" Samba Meta FAQ No. 2, "General Information about Samba" Samba FAQ No. 1, "General Information" Samba Server FAQ: No. 1, "What is Samba" Using Samba: Chapter 1, "Learning the Samba" Samba Man Page: samba(7) HP CIFS Client Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Client" HP CIFS Client Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Client" HP CIFS Server Administrator's Guide: Chapter 1 "Introduction to the HP CIFS Server," Section: "HP CIFS Enhancements to the Samba Server Source" and Chapter 3, "Access Control Lists (ACLs)." HP CIFS Client Administrator's Guide: Chapter 1, "Introduction to the HP CIFS Client,". Sections: "HP CIFS Extensions" and "ACL Mappings." HP CIFS Server Administrator's Guide: Chapter 2. "Installing and Configuring the HP CIFS Server" Samba FAQ: No 2, "Compiling and Installing Samba on a UNIX Host." HP CIFS Client Administrator's Guide: Chapter 2. "Installing and Configuring the HP CIFS Client" Samba HOWTO and Reference Guide: Chapter 30, "SWAT - The Samba Web Administration Tool" or Using Samba: Chapter 2, "Installing Samba on a UNIX System" HP CIFS Documentation Roadmap 15

16 Table 3 Documentation Roadmap (continued) HP CIFS Product Server Configuration Client Configuration Server deployment models Configuration: PAM Server: Starting & Stopping Client: Starting & Stopping Server: Samba Scripts SMB & CIFS File Protocols SMB & CIFS Network Design Samba Man Pages Server Utilities Client Utilities Server Printing Server Browsing Server Security Server Troubleshooting Client Troubleshooting NIS and HP CIFS Document Title: Chapter: Section HP CIFS Server Administrator's Guide: Chapter 2, "Installing and Configuring the HP CIFS Server" HP CIFS Client Administrator's Guide: Chapter 2, "Installing and Configuring the HP CIFS Client" HP CIFS Server supports three deployment models: Samba Domain Model, Windows Domain Model and Unified Domain Model. See HP CIFS Server Administrator's Guide: Chapter 9, "HP CIFS Deployment Models" HP CIFS Client Administrator's Guide: Chapter 8, "PAM NTLM" HP-UX Man page: pam(3) HP-UX Man page: pam.conf HP CIFS Server Administrator's Guide, Chapter 2 HP CIFS Client Administrator's Guide, Chapter 2. Using Samba: Appendix D, "Summary of Samba Daemons and Commands" for detailed information about the command-line parameters for Samba programs such as smbd, nmbd, smbstatus and smbclient. HP CIFS Client Administrator's Guide: Chapter 9, "HP CIFS Deployment Domain Models" Using Samba: Chapter 1, "Learning the Samba" Samba Meta FAQ No. 4, "Designing an SMB and CIFS Network" Refer to man pages in SWAT Samba HOWTO and Reference Guide HP CIFS Client Administrator's Guide: Chapter 5, "Command-line Utilities" Samba HOWTO and Reference Guide: Chapter17, "classic Printing Support" Refer to Chapter 9, "Network Browsing" in Samba HOWTO and Reference Guide for a description of browsing functionality and all browsing options. HP CIFS Client Administrator's Guide: Chapter 12, "Securing CIFS Server". Part V, Troubleshooting, Samba HOWTO and Reference Guide Using Samba, "Chapter 9, Troubleshooting Samba" Samba FAQs No. 4, "Specific Client Application Problems" and No 5, "Miscellaneous" DIAGNOSIS.txt in the /opt/samba/docs directory Samba Man page: debug2html(1), smbd(8), nmbd(8), smb.conf(5) HP CIFS Client Administrator's Guide: Chapter 6, "Troubleshooting and Error Messages" HP CIFS now works with NIS and NIS+. For detailed information on special options, refer to Samba HOWTO and Reference Guide. HP CIFS Server File and Directory Roadmap The default base installation directory of HP CIFS Server product is /opt/samba. The HP CIFS configuration files are located in the directory /etc/opt/samba. The HP CIFS log files and any temporary files are created in /var/opt/samba. Table 1-2 briefly describes the important directories and files that comprise the CIFS Server. 16 Introduction to the HP CIFS Server

17 Table 4 Files and Directory Description File/Directory /opt/samba /opt/samba_src /opt/samba/bin /opt/samba/docs /opt/samba/examples /opt/samba/man /opt/samba/script /opt/samba/swat /opt/samba/ha /var/opt/samba /etc/opt/samba /etc/opt/samba/smb.conf /etc/opt/samba/smb.conf.default /opt/samba/ldap3 /opt/samba/copying, /opt/samba_src/copying, /opt/samba_src/samba/copying /sbin/init.d/samba /etc/rc.config.d/samba /sbin/rc2.d/s900samba, /sbin/rc1.d/k100samba Description This is the base directory for most of the HP CIFS Server product files. This is the directory that contains the source code for the HP CIFS Server (if the source bundle was installed). This is the directory that contains the binaries for HP CIFS Server, including the daemons and utilities. This is the directory that contains documentation in various formats including html (htmldocs) and text (textdocs). This directory contains example smb.conf files, example scripts and other utilities, among other things. This directory contains the man pages for HP CIFS Server. This directory contains various scripts which are utilities for the HP CIFS Server. This directory contains html and image files which the Samba Web Administration Tool (SWAT) needs. This directory contains example High Availability scripts, configuration files, and README files. This directory contains the HP CIFS Server log files as well as other dynamic files that the HP CIFS Server uses, such as lock files. This directory contains configuration files which the HP CIFS Server uses, primarily the smb.conf file. This is the main configuration file for the HP CIFS Server which is discussed in great detail elsewhere. This is the default smb.conf file that ships with the HP CIFS server. This can be modified to fit your needs. This directory contains files which HP CIFS Server uses for LDAP integration support. These are copies of the GNU Public License which applies to the HP CIFS Server. This is the script that starts HP CIFS Server at boot time and stops it at shutdown (if it is configured to do so). This text file configures whether the HP CIFS server starts automatically at boot time or not. These are links to /sbin/init.d/samba which are actually executed at boot time and shutdown time to start and stop the HP CIFS Server, (if it is configured to do so). HP CIFS Server File and Directory Roadmap 17

18 2 Installing and Configuring the HP CIFS Server This chapter describes the procedures to install and configure the HP CIFS Server software. It contains the following sections: HP CIFS Server Requirements and Limitations Step 1: Installing HP CIFS Server Software Step 2: Running the Configuration Script Step 3: Modify the Configuration Step 4: Starting the HP CIFS Server HP CIFS Server Requirements and Limitations Prior to installing the HP CIFS product, check that your system can accommodate the following product requirements and limitations. HP CIFS Server Installation Requirements The HP CIFS Server requires approximately 108 MB of disk space for installation on an HP-UX 11i v1 system, 210 MB of disk space for installation on an HP-UX 11i v2 system, and 215 MB of disk space for installation on an HP-UX 11i v3 system. The HP CIFS Server source code files requires approximately 36 MB of disk space. NOTE: The CIFS Server source code files are not required for execution of HP CIFS Server. You can choose not to install them or you can remove them after installation at the following location: /opt/samba_src HP CIFS Server Memory Requirements An smbd process is usually created for each new connection. Each smbd requires about 2 MB of system memory on HP-UX 11i v1 and about 4 MB on HP-UX 11i v2. The smbd process may now also allocate memory for specialized caching requirements as needed. The size and timing of these memory allocations vary widely depending on the client type and the resources being accessed. However, most client access patterns will not trigger such specialized caching. System administrators should routinely monitor memory utilization in order to evaluate this dynamic memory behavior. You may need to adjust HP-UX server memory configurations to accommodate these changes while upgrading from previous versions. See Chapter 13, "HP-UX Configuration for HP CIFS" in this manual for more detailed information. Software Requirements The following describes software requirements: HP CIFS Server A or later requires LDAP-UX Integration product, J4269AA, to be installed. Kerberos v5 Client C or later is required to support HP CIFS Server integration with a Windows 2003 or Windows 2008 ADS Domain Controller (DC) on HP-UX 11i v1. Kerberos v5 Client D or later is required to support HP CIFS Server integration with a Windows 2003 or Windows 2008 ADS Domain Controller (DC) on HP-UX 11i v2. Kerberos v5 Client E or later is required to support HP CIFS Server integration with a Windows 2003 or Windows 2008 ADS Domain Controller (DC) on HP-UX 11i v3. 18 Installing and Configuring the HP CIFS Server

19 Swap Space Requirements Due to the one-process-per-client model of HP CIFS, perhaps the most stringent requirement imposed on the system is that of swap space. HP-UX reserves a certain amount of swap space for each process that is launched, to prevent it from being aborted in case it needs to swap out some pages during times of memory pressure. Other operating systems, only reserve swap space when it is needed. This results in the process not finding the swap space that it needs, in which case it has to be terminated by the OS. Each smbd process will reserve about 2 MB of swap space and depending on the type of client activity, process size may grow up to 4 MB of swap space. For a maximum of 2048 clients, 4 * 2048 or about 8 GB of swap space would be required. Therefore, HP recommends configuring enough swap space to accommodate the maximum number of simultaneous clients connected to the HP CIFS server. Memory Requirements Each smbd process requires approximately 2 MB of memory on HP-UX 11i v1 and 4 MB on HP-UX 11i v2. For 2048 clients, therefore, the system must have at least 8 GB of physical memory. This is over and above the requirements of other applications that will be running concurrent with HP CIFS. Step 1: Installing HP CIFS Server Software If the HP CIFS Server software has been pre-installed on your system, you may skip Step 1 and go directly to "Step 2: Running the Configuration Script". If you want to use the CIFS File System Module (CFSM) feature on an HP-UX release 11i v3 system, see section Procedures for Updating a New Version When Using CFSM for detailed procedures before you update to a new version of HP CIFS Server. HP CIFS Server Upgrades: If you are upgrading an existing HP CIFS Server configuration, HP recommends that you create a backup copy of your current environment. The SD install procedure may alter or replace your current configuration files. All files under /var/opt/samba, /etc/opt/samba and /opt/samba must be saved in order to ensure that you will be able to return to your current configuration, if necessary. For example: $ stopsmb or if winbind is in use, then do: $ stopsmb -w $ mkdir /tmp/cifs_save $ tar -cvf /tmp/cifs_save/var_backup.tar /var/opt/samba $ tar -cvf /tmp/cifs_save/etc_backup.tar /etc/opt/samba $ tar -cvf /tmp/cifs_save/optsamba_backup.tar /opt/samba Do not use the -o option with the tar command. This will ensure proper file ownership. If a problem with the upgrade does occur, use SD to remove the entire HP CIFS Server product and restore your previous backup version. Once this is done, you may restore the saved configuration files and the HP CIFS Server. For example: $ tar -xvf /tmp/cifs_save/var_backup.tar $ tar -xvf /tmp/cifs_save/etc_backup.tar $ tar -xvf /tmp/cifs_save/optsamba_backup.tar This procedure is not intended to replace a comprehensive backup strategy that includes user data files. Step 1: Installing HP CIFS Server Software 19

20 An Example If you are in security = domain, orsecurity = ads mode, it will probably be necessary to rejoin an HP CIFS Server to the domain once you restore your previous backup version. See Windows Style Domains (page 55) and Windows 2003 and Windows 2008 Domains (page 69) for details on how to rejoin an HP CIFS Server to a Windows domain. Overview: Installation of the HP CIFS Server software includes loading the HP CIFS Server filesets using the swinstall(1m) utility, completing the HP CIFS configuration procedures, and starting Samba using the startsmb script. Installing From a Software Depot File: To install the HP CIFS Server software from a depot file, such as those downloadable from enter the following at the command line: swinstall options -s /path/filename ProductNumber Where ProductNumber is either B8725AA for HP-UX 11i v1 and v2 or CIFS-SERVER for HP-UX 11i v3. options is -x autoreboot=true path must be an absolute path, it must start with /, for example,/tmp. filename is the name of the downloaded depot file, usually a long name of the form: B8725_AA HP-UX_ depot For example, if you attempt to install the HP CIFS Server A on HP-UX 11i v2 system from a downloaded depot file, enter the command line as shown below: swinstall -x autoreboot=true \ -s /tmp/b8725_aa.02.02_hp-ux_11.23_ia+pa.depot B8725AA Procedures for Updating a New Version When Using CFSM If you want to use the CIFS File System Module (CFSM) feature on HP-UX 11i v3, each time you update to a newer version of HP CIFS Server, it requires a system reboot after the update is complete. To avoid a system reboot, you must perform the steps described below. For detailed information about the CFSM feature, see Chapter 11, CIFS File System Module Support. Steps Before Updating the HP CIFS Server Use the following steps before updating the HP CIFS Server: 1. Use the umount command to unstack CFSM from any file system where it is stacked. For example, the following command unstacks CFSM when unmounting the physical file system mounted on /mnt: umount /mnt 2. Use the following commands to set both cfsm and cfsmdr modules to the unused state: kcmodule cfsmdr = unused kcmodule cfsm = unused Steps After Updating the HP CIFS Server Use the following steps after the update of the HP CIFS Server is complete: 1. Use the following commands to set both cfsm and cfsmdr modules to the auto state: kcmodule cfsmdr = auto kcmodule cfsm = auto 20 Installing and Configuring the HP CIFS Server

21 2. Execute the mount command with the "-o stackfs=cfsmtemplate" option to stack and mount the file system. For example, the following command stacks CFSM onto the physical file system using the cfsmtemplate template, when mounting the physical file system mounted on /mnt: mount -F vxfs -o stackfs=cfsmtemplate /dev/dsk/c1t2d3 /mnt Step 2: Running the Configuration Script The samba_setup configuration script is intended for new installations only. Prior to running the samba_setup configuration script, you must obtain some basic configuration information and might need to install additional software based on the HP CIFS deployment domain model you use. You need to supply the following before you run the samba_setup script: Decide whether an HP CIFS to be a WINS server or not. Obtain the WINS IP address if the HP CIFS accesses an existing WINS server. Provide the following global LDAP parameters information if you choose to use an LDAP backend: the fully qualified distinguished name for the LDAP directory server ldap SSL ldap suffix ldap user suffix ldap group suffix ldap admin dn For detailed information on how to configure LDAP parameters, see LDAP Integration Support (page 79). Obtain the name of your HP CIFS Server. Provide the following information if you choose to use the Windows NT4 domain: the name of your domain the name of your Primary Domain Controller (PDC) the names of Backup Domain Controllers (BDCs) administrator user name and password See Windows Style Domains (page 55) for detailed. Provide the following information if you choose to use the Windows Active Directory Server (ADS) realm: the name of your realm the name of your Domain Controller administrator user name and password LDAP-UX Integration product is installed Ensure that the most recent Kerberos client product is installed For detailed information on how to join an HP CIFS Server to a Windows 2000/2003 Domain using Kerberos security, see Windows 2003 and Windows 2008 Domains (page 69). Select the following authentication security type if you attempt to use the workgroup environment: Server-level security: When this security type is specified, password authentication is handled by another SMB password server. When a client attempts to access a specific Step 2: Running the Configuration Script 21

22 share, Samba checks that the user is authorized to access the share. Samba then validates the password via the SMB password server. NOTE: HP does not recommend you use the server-level security type, this security type will be unavailable in the future. User-level security: When this security type is specified, each share is assigned specific users. When a request is made for access, Samba checks the user's user name and password against a local list of authorized users and only gives access if a match is made. Share-level security: When this security type is specified, each share (directory) has at least one password associated with it. Anyone with a password will be able to access the share. There are no other access restrictions. Run the Samba configuration script using the command below. /opt/samba/bin/samba_setup The script will modify the smb.conf file according to the information that you have entered. Step 3: Modify the Configuration Configuration Modification HP CIFS Server requires configuration modifications for the following functionality: Case Sensitivity for the Client and Server for UNIX Extensions DOS Attribute Mapping Print Services for version A Distributed File System (DFS) Support Configure MC/ServiceGuard High Availability (HA) Configure Case Sensitivity By default, the HP CIFS Server is configured to be case insensitive, like Windows. NOTE: HP recommends that when using CIFS Extensions for UNIX, both the CIFS Client and Server be configured to be case sensitive. For the CIFS Server, edit the server configuration file: /etc/opt/samba/smb.conf as follows. case sensitive = yes For the CIFS Client configuration, in the /etc/opt/cifsclient/cifsclient.cfg file, ensure the following default is set: casesensitive = yes Configure DOS Attribute Mapping map system, map hidden and map archive Attributes There are three parameters, map system, map hidden, and map archive, that can be configured in Samba to map DOS file attributes to owner, group, and other execute bits in the UNIX file system. When using the CIFS Client, you may want to have all three of these parameters turned off. If the map archive parameter is on, any time a user writes to a file, the owner execute permission will be set. This is usually not desired behavior for HP CIFS clients or UNIX clients in general. By default, map system and map hidden are off, and map archive is on. 22 Installing and Configuring the HP CIFS Server

23 To turn map archive off, modify /etc/opt/samba/smb.conf as follows: map archive = no map readonly Attriubte The smb.conf parameter, map readonly, controls how the DOS read only attribute should be mapped from a UNIX files system Three valid settings for this parameter are: yes The read only DOS attribute is mapped to the inverse of the user (owner) write bit in the UNIX permission mode set. If the owner write bit is not set, the read only attribute is reported as being set on the file. permissions The read only DOS attribute is mapped to the effective permissions of the connecting user, as evaluated by reading the UNIX permissions and POSIX ACL (if present). If the connecting user does not have permission to modify the file, the read only attribute is reported as being set on the file. no The read only DOS attribute is unaffected by permissions. By default, the map readonly attribute is set to yes. Samba uses user (owner) access permission to determine whether a file is read only. The file access permission is determined by the POSIX write access permission for user (owner). If the write permission on a file is not set for the user (owner), then Samba treats that file as read-only. Once Samba identifies a file as read-only, any write access attempting to that file would immediately result in access denied error. Group members are unable to write to a file with UNIX write access permission disabled for the user (such as 070 or 060). If you set this parameter to permissions, the file access permissions for group members will be evaluated by validating UNIX group permissions. Group members can write to files with UNIX write permission enabled for the group (such as 060 or 070). The smb.conf parameter, store dos attributes, must be set to No (default), otherwise, the map readonly parameter setting will be ignored. Configuring Print Services for HP CIFS Version A This section provides information about configuring Print Services on systems running HP CIFS version A The HP CIFS Server now provides the following NT printing functionality: Printer driver files may be downloaded to Windows NT, 2000 and XP clients that do not have them Printer driver files may be uploaded using the Windows NT/XP/2000 Add Printer wizard Support for Windows Access Control Lists (ACL) on printer objects Information about setting up and configuring each of the Print Services (except ACLs) is shown in the following sections. Information about configuring ACL Support is discussed in a previous section. Configuring a [printers] share The following is a minimal printing setup. Use either one of the following two procedures to create a [printers] share: 1. SWAT (Samba Administration Tool) -or- 2. Create a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example: [hpdeskjet] path = /tmp printable = yes Where "hpdeskjet" is the name of the printer to be added. Step 3: Modify the Configuration 23

24 Creating a [printers] share Configure a [printers] share in the /etc/opt/samba/smb.conf file. Refer to the following example: [printers] path = /tmp printable = yes browseable = no This share is required if you want the printer's list to be displayed in SWAT, which is not defined in the smb.conf file, but exists on the HP CIFS Server. If this share is not defined, the printer's list will display only those printer shares which are defined in the smb.conf file. Setup Server for automatically uploading printer driver files In order to add a new driver to your Samba host using version A of the software, one of two conditions must hold true: 1. The account used to connect to the Samba host must have a uid of 0 (i.e. a root account), or The account used to connect to the Samba host must be a member of the printer admin list. This will require a [global] smb.conf parameter as follows: printer admin = netadmin The connected account must still possess access to add files to the subdirectories beneath [print$]. Keep in mind that all files are set to 'read only' by default, and that the printer admin parameter must also contain the names of all users or groups that are going to be allowed to upload drivers to the server, not just 'netadmin'. The following is an example of the other parameters required: 1. Create a [print$] share in the smb.conf file that points to an empty directory named "/etc/opt/samba/printers" on the HP CIFS Server. Refer to the following example: [print$] path = /etc/opt/samba/printers browseable = yes guest ok = yes read only = yes write list = netadmin In this example, the parameter "write list" specifies that administrative lever user accounts will have write access for updating files, on the share. 2. Create the subdirectory tree, under the [print$] share, for each architecture that needs to be supported. Refer to the following example: cd /etc/opt/samba/printers mkdir W32X86 mkdir Win40 There are two possible locations (subdirectories) for keeping driver files, depending upon what version of Windows the files are for: For Windows NT, XP or Windows 2000 driver files, the files will be stored in the /etc/opt/samba/printers/w32x86 subdirectory. For Windows 9x driver files, the files will be stored in the /etc/opt/samba/printers/win40/0 subdirectory. 24 Installing and Configuring the HP CIFS Server

25 Setup Client for automatically uploading of printer drivers Printer driver files can be automatically uploaded from disk to the printers on a HP CIFS Server. Here are the steps: 1. Connect to CIFS Server by running the \\[server name] command or browse to CIFS Server through Network Neighborhood.Make sure you are connected as a member of the printer admin list. 2. From the CIFS Server, double click on the "Printers" or "Printers and Faxes" folder. A list of printers available from your CIFS Server will be shown in the folder. Viewing the printer properties will result in the error message: The printer driver is not installed on this computer. Some printer properties will not be accessible unless you install the printer driver. Do you want to install the driver now? 3. Click "no" in the error dialog and the printer properties window will be displayed. 4. Click on the 'Advanced' tab, then the 'New Driver..." button. 5. Select the printer driver e.g. HP LaserJet 5i. You will be asked for the driver files. Give the path where the driver files are located. The driver files will be uploaded from the disk, and stored into the subdirectories under the [print$] share. Publishing Printers in an MS Windows 2000/2003 ADS Domain Publishing printers makes HP CIFS Server printers searchable in an Microsoft Windows 2000/2003 ADS domain. If a Windows client is a domain member of the ADS domain, that client can search for the printer and install it. Setting up HP CIFS Server for Publishing Printers Support Use the following procedures to set up an HP CIFS Server for publishing printers support: 1. Create the printer shares for each printer and a [printers] share in the smb.conf file. The following is an example of a [printers] share: [printers] path = /tmp printable = yes browseable = yes See the following example for setting up a specific printer share, where lj1005 is the name of the printer: [lj1005] path = /tmp printable = yes 2. Create a [print$] share in the smb.conf file and set the path parameter to a directory named /etc/opt/samba/printers. See the following example: [print$] path = /etc/opt/samba/printers use client driver = no browseable = yes guest ok = yes read only = yes write list = netadmin Step 3: Modify the Configuration 25

26 In the above example, the write list parameter specifies that administrative level user account has write access for updating files on this share. The use client driver parameter must be set tono. 3. Configure the printer admin parameter to specify a list of domain users that are allowed to connect to an HP CIFS Server. See the following example: [global] printer admin = cifsuser1,cifsuser2 4. If the HP CIFS Server is not yet a member of the ADS domain, then run the net ads join -U Administrator%password command to join an HP CIFS Server to the ADS domain as a domain member server. See section "Join an HP CIFS Server to a Windows 2000/2003 Domain as an ADS Member Server" in Windows 2003 and Windows 2008 Domains (page 69) for details. Publishing Printers from a Windows Client Use the following procedures to publish printers from a windows client which is a domain member of the ADS domain: 1. Log in to your window client as a user who is a member of the printer admin list. For example, the user's name is cifsuser1. 2. Click on start. 3. Click on the run tab. 4. Type \\<HP CIFS Server name> in the open box to connect to an HP CIFS Server. For example, type \\hpservera. hpservera is the name of an HP CIFS Server. 5. Click on the printers folder. 6. Double click on a printer and select printer, then the properties tab. 7. Click on sharing tab in the properties windows screen. 8. Check the list in the directory check-box in the sharing windows screen. See the following screen snapshot for an example: 26 Installing and Configuring the HP CIFS Server

27 Figure 1 Publishing Printer Screen Verifying that the Printer is Published On an HP CIFS Server system, you can run the net ads printer search command to verify that the printer is published. For example, verify that the printer hpdesklj2 is published, type: $ net ads printer search hpdesklj2 After you ran the above command, the output is shown as follows: objectclass:top objectclass:leaf objectclass:connectionpoint objectclass:printquene printername:hpdesklj2 servername:hpservera On a windows client, you can also use the following steps to verify that the printer is published: 1. Log in to your window client as a user who is a member of the printer admin list. For example, the user's name is cifsuser1. 2. Click on start. 3. Click on the search tab. 4. Click on buttons to find network printers. 5. Select the name of the ADS domain in the In box. 6. Click on the find now tab. Step 3: Modify the Configuration 27

28 Commands Used for Publishing Printers This section describes the net ads printer command used for publishing printers support on an HP CIFS Server. Searching Printers To search a printer across the entire Windows 2000/2003 ADS domain, run the following command: $ net ads printer search <printer_name> Without specifying the printer name, the command searches all printers available on the ADS domain. For example, the following command searches all printers available on the ADS domain: $ net ads printer search After you ran the above command, the output is shown as follows: objectclass:top objectclass:leaf objectclass:connectionpoint objectclass:printquene printername:hpdesklj2 servername:hpservera objectclass:top objectclass:leaf objectclass:connectionpoint objectclass:printquene printername:lj1005 servername:hpservera objectclass:top objectclass:leaf objectclass:connectionpoint objectclass:printquene printername:lj3200 servername:hpserverb Removing a Printer To remove a printer from the ADS domain, run the following command: $ net ads printer remove <printer_name> For example, the following command removes the printer lj1005 from the ADS domain: $ net ads printer remove lj1005 Re-Publishing a Printer To publish a printer for the first time, you must use the procedures described in section "Publishing Printers from a Windows Client". If you remove a printer, you can use the following command to re-publish it: $ net ads printer publish <printer_name> For example, the following command re-publishes the printer lj1005 to the ADS domain: $ net ads printer publish lj1005 Setting Up Distributed File System (DFS) Support This section will provide the procedures for: Setting up a DFS Tree on a HP CIFS Server Setting up DFS Links in the DFS root directory on a HP CIFS Server 28 Installing and Configuring the HP CIFS Server

29 NOTE: HP does not recommend filesharing of the root directory. Only subdirectories under the root should be set up for filesharing. Setting Up a DFS Tree on a HP CIFS Server After the DFS Tree is set up using this procedure, users on DFS clients can browse the DFS tree located on the HP CIFS Server at \\servername\dfs. 1. Select a HP CIFS Server to act as the Distributed File System (DFS) root directory. 2. Configure a HP CIFS server as a DFS server by modifying the smb.conf file to set the global parameter host msdfs to yes. Example: [global] host msdfs = yes 3. Create a directory to act as a DFS root on the HP CIFS Distributed File System (DFS) Server. 4. Create a share and define it with the parameter path = directory of DFS root in the smb.conf file. Example: [DFS] path = /export/dfsroot 5. Modify the smb.conf file and set the msdfs root parameter to yes. Example: [DFS] path = /export/dfsroot msdfs root = yes Setting Up DFS Links in the DFS Root Directory on a HP CIFS Server A Distributed File System (DFS) root directory on a HP CIFS Server can host DFS links in the form of symbolic links which point to other servers. Before setting up DFS links in the DFS root directory, you should set the permissions and ownership of the root directory so that only designated users can create, delete or modify the DFS links. Symbolic link names should be all lowercase. All clients accessing a DFS share should have the same user name and password. An example for setting up DFS links follows: 1. Use the ln command to set up the DFS links for "linka" and "linkb" on the /export/dfsroot directory. Both "linka" and "linkb" point to other servers on the network. Example commands: cd /export/dfsroot chown root /export/dfsroot chmod 775 /export/dfsroot ln -S msdfs:servera\\sharea linka ln -S msdfs:serverb\\shareb serverc\\sharec linkb 2. If you use the ls -l command on the /export/dfsroot directory, it should show an output similar to this one: lrwxrwxrwx l root sys 24 Oct 30 10:20 linka -> msdfs:servera\\sharea lrwxrwxrwx l root sys 30 Oct 30 10:25 linkb -> msdfs:serverb\\shareb, serverc\\sharec In this example, "serverc" is the alternate path for "linkb". Because of this, if "serverb" goes down, "linkb" can still be accessed from "serverc". "linka" and "linkb" are share names. Accessing either one will take users directly to the appropriate share on the network. Step 3: Modify the Configuration 29

30 Refer to the following screen snapshot for an example: Figure 2 Link Share Names Example MC/ServiceGuard High Availability Support Highly Available HP CIFS Server allows the HP CIFS Server product to run on an MC/ServiceGuard cluster of nodes. MC/ServiceGuard allows you to create high availability clusters of HP 9000 server computers. Template files for version A have been revised to allow any number of cluster nodes and other advantages over previous schemes. Follow the configuration procedures provided in Chapter 11. Step 4: Starting the HP CIFS Server Run the script below to start Samba if you do not use winbind support: /opt/samba/bin/startsmb Run the script below to start Samba if you configure HP CIFS Server to use winbind support: /opt/samba/bin/startsmb -w or /opt/samba/bin/startsmb --winbind When the command successfully starts Samba, a message is displayed indicating the specific processes that have been started. When the script is successful, the exit value is 0. If the script fails, the exit value is 1. Samba installation and configuration are complete. Run the following script to stop Samba if you do not use winbind support: /opt/samba/bin/stopsmb Run the following script to stop Samba if you use winbind support: /opt/samba/bin/stopsmb -w or /opt/samba/bin/stopsmb --winbind When the script is successful, the exit value is 0. If the script fails, the exit value is 1. Winbind execution may be controlled without affecting the execution of smbd and nmbd with the following commands. Run the following command to start winbind alone: 30 Installing and Configuring the HP CIFS Server

31 /opt/samba/bin/startwinbind Run the following command to stop winbind alone: /opt/samba/bin/stopwinbind NOTE: HP does not support the inetd configuration to start the HP CIFS Server. Starting and stopping Daemons Individually Two new options -n (nmbd only) and -s (smbd only) have been added to startsmb andstopsmb scripts to start and stop the daemons individually. The startsmb -scommand starts the smbd daemon. The stopsmb -s command stops the smbd daemon. The -n option starts and stops the nmbd daemon in the same way. Configuring Automatic Start at System Boot When the HP CIFS Server is first installed, it will not automatically start when the system boots. You can enable the HP CIFS Server and related daemons to do so by editing the /etc/rc.config.d/samba file. This configuration file contains two variables: RUN_SAMBA=0 RUN_WINBIND=0 The RUN_SAMBA variable controls whether HP CIFS Server daemons, smbd and nmbd, will start at system startup. The RUN_WINBIND variable controls whether the winbind daemon, winbindd, will start at system startup. The two variables function independently. To configure HP CIFS Server to start automatically, set RUN_SAMBA to a non-zero value. To configure Winbind to start automatically, set RUN_WINBIND to a non-zero value. For example, if you want HP CIFS Server and Winbind to start automatically at system startup, edit the variables in the /etc/rc.config.d/samba file as follows: RUN_SAMBA=1 RUN_WINBIND=1 Stopping and Restarting Daemons to Apply New Settings The smb.conf configuration file is automatically reloaded every minute if it changes. You can force a reload by sending a SIGHUP to the CIFS server. Reloading the configuration file does not affect connections to any service that is already established. But, you must stop and restart the CIFS server daemons to apply the new setting for the following parameters in smb.conf: netbios aliases interfaces auth methods passdb backend invalid users valid users admin users read list write list printer admin hosts allow hosts deny Step 4: Starting the HP CIFS Server 31

32 hosts equiv preload modules wins server vfs objects idmap backend Other Samba Configuration Issues Translate Open-Mode Locks into HP-UX Advisory Locks The HP CIFS Server A.02.* versions can translate open mode locks into HP-UX advisory locks. This functionality prevents HP-UX processes from obtaining advisory locks on files with conflicting open mode locks from CIFS clients. This also means CIFS clients cannot open files that have conflicting advisory locks from HP-UX processes. You must change the map share modes setting in smb.conf to yes to translate open mode locks to HP-UX advisory locks. The default setting of map share modes is no. Performance Tuning using Change Notify This section describes performance tuning using the Change Notify feature and internationalization. NOTE: Starting with the Samba version, the Change Notify Timeout feature is deprecated. The Change Notify Timeout feature is replaced with the Change Notify feature. This new feature depends on Linux inotify, which is not available in HP-UX operating systems. The Samba Server supports a new feature called Change Notify. Change Notify provides the ability for a client to request notification from the server when changes occur to files or subdirectories below a directory on a mapped file share. When a file or directory which is contained within the specified directory is modified, the server notifies the client. The purpose of this feature is to keep the client screen display up-to-date in Windows Explorer. The result: if a file you are looking at in Windows Explorer is changed while you are looking at it, you will see the changes on the screen almost immediately. The only way to implement this feature in Samba is to periodically scan through every file and subdirectory below the directory in question and check for changes made since the last scan. This is a resource intensive operation which has the potential to affect the performance of Samba as well as other applications running on the system. Two major factors affect how resource intensive a scan is: the number of directories having a Change Notify request on them, and the size of those directories. If you have many clients running Windows Explorer (or other file browsers) or if you have directories on shares with a large number of files and/or subdirectories, each scan cycle might be very CPU intensive. Special Concerns when Using HP CIFS Server on a Network File System (NFS) or a Clustered File System (CFS) Both NFS and CFS provide file system access to unique file storage from multiple systems. However, controlling access to files, particularly files open for write access, from multiple systems poses challenges. Applications are not necessarily network or cluster-aware. Applications may not be able to make use of locking mechanisms when multiple systems are involved. You need to be aware of the following things when using HP CIFS Server in either an NFS or a Veritas CFS environment: CIFS Server running simultaneously on multiple nodes should not use either NFS or Veritas CFS to concurrently share the smb.conf configuration and its subordinate CIFS system files in /var/opt/samba/locks and /var/opt/samba/private. There are operational reasons why multiple nodes should not share a configuration file concurrently such a name/ip registration conflicts, etc. Also, sharing ansmb.conf file will 32 Installing and Configuring the HP CIFS Server

33 likely lead to sharing CIFS Server system data, increasing the likelihood of concurrent file access and the possibility of CIFS Server corruption. Beginning with version A.02.02, HP CIFS Server does not start if another master daemon is sharing the daemon PID files including a daemon on another node. (By default, PID files are found in the /var/opt/samba/lock path). CIFS does this to prevent the problems with sharing the CIFS Server configuration as discussed above. Avoid using HP CIFS Server to share Veritas CFS directories simultaneously on multiple nodes. Since NFS and Veritas CFS provides for multiple nodes to read and write the same files concurrently, you should use extra caution when configuring HP CIFS Server on multiple nodes since most locking mechanisms do not span across multiple nodes. Simultaneous file access can lead to data corruption if multiple producers overwrite each others work. The smb.conf parameter strict locking may be set to yes to prevent data corruption but it may also lead to decrease performance. By default, since HP CIFS Server provides access to files from multiple clients (and from multiple nodes sharing an NFS or a Veritas CFS), there is the possibility of concurrent file access and hence at least a remote chance of data corruption. Therefore, HP CIFS Server provides a "strict locking" mechanism that can be enabled to prevent concurrent file access. When strict locking is set toyes in smb.conf, the server checks every read and write access for file locks, and denies access if locks exist. Since this check will be slow on some systems and well behaved clients do ask for lock checks when it is important, HP recommends that you set strict locking to no in smb.conf for most environments. The default value for strict locking is no. NetBIOS Names Are Not Supported on Port 445 HP CIFS Server A.02.* versions (based and Samba 3.0.x) can accept connections on port 445 as well as the original port 139. However, since port 445 connections are for SMB over TCP and do not support the NetBIOS protocol. NetBIOS names are not supported on port 445. This means features of Samba that depend on NetBIOS will not work. For example, the "virtual server" technique depending on an "include = /etc/opt/samba/smb.conf.%l" which ends up referring to another smb.conf.<netbios name> will not work. You can use the smb.conf parametersmb ports to specify which ports the server should listen on for SMB traffic. Set smb ports to 139 to disable port 445. By default, smb ports is set to Other Samba Configuration Issues 33

34 3 Managing HP-UX File Access Permissions from Windows NT/XP/2000 Introduction This chapter describes how to use Windows NT, Windows 2000, Windows XP, and Windows Vista clients to view and change standard UNIX file permissions and VxFS POSIX Access Control Lists (ACL) on a HP CIFS server. A new configuration option, acl_schemes, is also introduced. UNIX File Permissions and POSIX ACLs The HP CIFS Server enables the manipulation of UNIX file permissions or VxFS POSIX ACLs from Windows NT, Windows 2000, Windows XP, and Windows Vista clients. With this capability most management of UNIX file permissions or POSIX ACLs can be done from the familiar Windows Explorer interface. NOTE: Although concepts of file ACLs are similar across the Windows and HP-UX platforms, there are sufficient differences in functionality that one cannot substitute UNIX ACLs for Windows ACLs (i.e. full emulation is not provided). For example, a Windows application that changes the ACL data of a file may behave unexpectedly if that file resides on a HP CIFS Server. Viewing UNIX Permissions From Windows As a result of the ACL data differences in Windows and UNIX file permissions and VxFS POSIX, Samba must map data from UNIX to Windows and Windows to UNIX. The table below shows how UNIX file permissions translate to Windows ACL access types: Table 5 UNIX File Permission Maps Windows ACL UNIX Permission r-- -w- --x rwr-x -wx rwx r-- Windows access type Special Access(R) Special Access(W) Special Access(X) Special Access(RW) Read(RX) Special Access(WX) Special Access(RWX) Special Access In addition to the permission modes shown above, UNIX file permissions also distinguish between the file owner, the owning group of the file, and other (all other users and group). UNIX File Owner Translation in Windows ACL A UNIX file system owner has additional permissions that others users do not have. For example, the owner can give away his ownership of the file, delete the file, rename the file, or change the permission mode on the file. These capabilities are similar to the delete (D), change permissions (P) and take ownership (O) permissions on the Windows client. Samba adds the DPO permissions to represent UNIX file ownership in the Windows explorer interface. For example, if a file on the UNIX file system is owned by UNIX user john and john has read and write (rw-) permissions on that file, the Windows client will display the same permissions for user john as: 34 Managing HP-UX File Access Permissions from Windows NT/XP/2000

35 Special Access(RWDPO) You can also display the UNIX owner in the Windows Explorer interface. If you are in the File Properties dialog box with the Security tab selected and you press the Ownership button, the owning UNIX user's name will be displayed. UNIX Owning Group Translation in Windows ACL The owning group on a UNIX file system is represented on the Windows client with the take ownership (O) permission. While the meaning of the take ownership permission on Windows doesn't exactly match the meaning of an owning group on the UNIX file system, this permission is still translated into the take ownership permission. This representation becomes even more significant when translating VxFS POSIX ACLs, as there can be many groups with different permissions on an individual file in this file system. Without this permission type, you would not be able to tell the owning group entry from other group entries. For example, if an owning group named sales on the UNIX file system hasread and execute (r-x) permissions on a file, the Windows client will display the permissions for group sales as: Special Access(RXO) UNIX Other Permission Translation in Windows ACL In UNIX, the other permission entry represents permissions for any user or group that is not the owner, and doesn't belong to the owning group. This entry maps to the everyone access control entry on the Windows client. Windows Directory and File Permission Translations Windows clients display two sets of permissions for directory entries: directory permissions and file permissions. Directory Permissions are the permissions for the directory itself. File Permissions are the permissions inherited by the files and subdirectories created in the directory. Samba translates UNIX permissions for a directory into Windows directory permissions and vice versa. Windows file permissions are not supported when the translation is to/from UNIX permissions. Windows file permissions, however, are supported with VxFS POSIX ACLs (as described in the next section). Setting UNIX Permissions from Windows With one exception, reversing the UNIX to Windows translations described above will always work. You cannot, however, change the owner or owning group by adding Special Access(DPO) or Special Access(O) to a user or group from the client. All Windows permissions, except read, write and execute, are disregarded when applied to files on the Samba server. These include delete (D), change permissions (P) and take ownership (O). The table below shows how Windows access types map to UNIX permissions: Table 6 Windows Access Type Maps to UNIX Permission Windows access type Special Access(R) Special Access(W) Special Access(X) Special Access(RW) Read(RX) Special Access(WX) UNIX Permission r-- -w- --x rwr-x -wx UNIX File Permissions and POSIX ACLs 35

36 Table 6 Windows Access Type Maps to UNIX Permission (continued) Windows access type Special Access(RWX) Special Access UNIX Permission rwx r-- When mapping to UNIX file permissions from Windows, you will not be able to add new Windows ACL entries because only the owner, owning group and other ACL entries are supported by UNIX permissions. UNIX ignores unrecognized entries. Conversely, you cannot delete any of the three entries listed above as these entries are required by UNIX. Pre-defined Windows Permissions The Windows Explorer ACL interface allows you to choose predefined permissions like Change and Full Control in addition to creating custom Special Access permissions. Figure 3 Windows Explorer ACL Interface If you use pre-defined Windows access types to set permissions on a Samba share, the permissions that are displayed later will not match what you set in Windows. For example, Full Control will become rwx on the Samba server, and when it is displayed on the Windows client, it will show up as Special Access (RWX). Table 7 Windows Access Type Maps UNIX Permission Windows Access Type No Access Read Change Full Control UNIX Permission --- r-x rwx rwx 36 Managing HP-UX File Access Permissions from Windows NT/XP/2000

37 Figure 4 Windows Special Access Permissions The VxFS POSIX ACL File Permissions VxFS POSIX ACLs provide additional functionality over default UNIX file permissions. VxFS POSIX ACLs extend the concept of UNIX file permissions in three ways. VxFS POSIX ACLs allow for more entries than the basic owner, group and other UNIX file permissions. VxFS POSIX ACLs support default Access Control Entry (ACE) for directory permissions. This means that any files created in that directory will automatically inherit the default ACEs of the parent directory. It adds an inheritance permission type to directory permissions. A special ACE called the class ACE is used. The role of the class ACE is to limit the other ACEs. The base UNIX permissions are not affected. For example, if the class ACE for a file is set to read (r--), then even when ACEs grant some users and groups write and execute access, write and execute access will not be given to them. The class ACE acts as a mask that filters out the permissions of non-class ACEs. If the class ACE was set to (---) or no access, other ACEs might exist, but they would not change the effective permissions. VxFS POSIX ACLs translated to Windows ACLs The extra features of VxFS POSIX ACLs affect the translations to and from Windows ACLs in the following ways: The extra VxFS POSIX ACEs show up as Windows ACEs on the Windows client. The permission mode translates like a UNIX permission mode. With this feature you can also add new user and group entries from the Windows client. The limitations to this feature will be discussed in the next section. The default ACEs that are supported for inheritance by directories are translated into file permissions for a directory on Windows. The file permissions displayed on the Windows client represent the default ACEs on the UNIX file system of the Samba server. If the file permissions are set on a directory on the Windows client, equivalent default ACEs are set on the directory on the UNIX file system. The class ACE used to limit the other ACEs is ignored. It is not displayed on the Windows client and there is no way to set it from the client. It would be difficult to support on the client side, as Windows has nothing similar to a class ACE. UNIX File Permissions and POSIX ACLs 37

38 Using the Windows NT Explorer GUI to Create ACLs Use the Windows Explorer GUI to set new ACLs. This section describes how to add new entries to the ACE list: Click the add button in the File/Directory Permissions dialog box of the Windows GUI to bring up the Add Users and Groups dialog box. Figure 5 Windows Explorer File Permissions NOTE: The List Names From field displays the source of the list of group names. It may also show the name of your domain. Do not use the domain list to add new ACLs. Figure 6 Windows Explorer List Names From Field Instead, what you need is a list of groups and users that can be recognized by the underlying UNIX file system. Since the actual ACLs will be UNIX file permissions or VxFS POSIX ACLs in their final form, the only valid groups and users are UNIX groups and users that the Samba server knows about. Go to the List Names From drop-down list in the Add Users and Groups dialog box. One screen choice is to list names on your Samba server. This is the list HP recommends. 38 Managing HP-UX File Access Permissions from Windows NT/XP/2000

39 Figure 7 Windows Explorer Add Users and Groups Dialog Box Select any name on the list that is labelled local UNIX group. Those groups are actually UNIX groups on the Samba server. Optionally, click the Show Users button and all the UNIX users on the Samba server will be added to the list as well. You will always be able to add an ACE for the local Unix groups and the users in this list. Figure 8 Add UNIX Groups and Users You can type user and group names into the Add Names text field to add users and groups. If the names are valid UNIX group or user names, the users and groups will be added. Optionally, add the Samba server name and a backslash to the beginning of the user or group name and it will be added (for example, server1\users1). When you select names off the Using the Windows NT Explorer GUI to Create ACLs 39

40 name list, the GUI will put that name in the text list and automatically add the server name as well. Optionally use the user name mapping feature to define a mapping of Windows user names (or domain names) to UNIX user names. For example, you could map the Windows user names administrator and admin to the UNIX user name root. The mapping can be either one-to-one or many-to-one. Samba supports the creation of ACEs with Windows user names that are mapped to UNIX user names. To continue the example above, you could create an ACE for the administrator user on the Windows client and, on the Samba server, the ACE would be created for the root user. The client will display the corresponding ACE as being for the root user, not the administrator user. If you add an ACE for one user name, like administrator and then display the list of ACEs and see a new ACE for a different user name (root), it maybe confusing. As many Windows user names can be mapped to one UNIX user name, Samba only displays the one UNIX user name. It cannot display the Windows name that was mapped to the UNIX user name. You also have to be careful not to create multiple conflicting ACEs for one UNIX user. For example, in the Windows GUI you might add an ACE for the user administrator, admin and root. Butwhen you apply these changes, Samba maps administrator and admin to the UNIX user root and the result is that Samba tries to add three different ACEs, all for the user root, to one file. That is not valid and Samba ignores two of the three ACEs. Selecting Names From the Samba Name List The Windows user names mapped to UNIX users will also be displayed when you press the Show Users button in the Add Users and Groups dialog box. Every valid name that you add to an ACE is in the name list on the Samba server (after you hit the Show Users button). You do not need to type in names or select names from the Windows domain list. If, however, you pick a name from the Windows domain list and it happens to be a UNIX user name on the Samba server, it will be added. This also applies to names that have a user name mapping in Samba. There is another reason HP recommends selecting names from the Samba server's list of names instead of typing names in manually. There might be a UNIX group and a UNIX user with the same name. If you select a name from the list, Samba knows whether you mean the user or the group. If you type the name in, there is no way for you to specify the user or the group and Samba may add the ACE for a user when you meant the UNIX group with the same name. Using the Windows Vista Explorer GUI to Create ACLs To create ACLs using the Windows Vista Explorer, complete the following steps: 40 Managing HP-UX File Access Permissions from Windows NT/XP/2000

41 1. Right-click the file for which users and groups must be assigned, and select Properties->Security. The displayed page is as shown in Figure 9 (page 41). Figure 9 Selecting File Security 2. Click Edit. The Permissions page is displayed as shown in Figure 10 (page 41). Figure 10 Permissions Using the Windows Vista Explorer GUI to Create ACLs 41

42 3. Click Add. The Select Users or Groups page is displayed as shown in Figure 11 (page 42). Figure 11 Select Users or Groups 4. Enter the user or group name that you want to add and click Check Names. The new user or group name is displayed as shown in Figure 12 (page 42). Figure 12 New User or Group 42 Managing HP-UX File Access Permissions from Windows NT/XP/2000

43 5. Set the permissions for the new user or group and click Apply. The new user or group name and the associated permissions are displayed as shown in Figure 13 (page 43). Figure 13 New User or Group and Permissions The new user or group is configured. POSIX ACLs and Windows 2000, Windows XP, and Windows Vista Clients The HP CIFS Server allows Windows 2000 and Windows XP clients to view and set POSIX ACL permissions. The information in this section assumes you are familiar with Windows 2000 and Windows XP permissions. The purpose of this section is to explain how the HP CIFS Server interprets Windows 2000 and Windows XP permissions, and how Windows 2000 and Windows XP clients interpret and display HP-UX permissions. Windows 2000 and Windows XP clients interact with POSIX ACLs similar to Windows clients, except for the minor differences covered in the following sections. Learn more about ACLs and Windows 2000 and Windows XP clients in the following sections in this chapter. You can also learn more about POSIX ACLs with man aclv. Viewing UNIX Permissions from Windows 2000, Windows XP, and Windows Vista Clients The following table shows how the UNIX permissions on the HP CIFS Server are mapped to permissions on Windows 2000/XP clients' Basic and Advanced ACL views: POSIX ACLs and Windows 2000, Windows XP, and Windows Vista Clients 43

44 Table 8 UNIX Permission Maps Windows 2000/XP Client Permissions UNIX Permission Permission Shown on Windows 2000/XP Clients Basic View Read Write None Read and Execute Read, Write Full Control No boxes are ticked Advanced View Read Attributes, Read Extended Attributes, Read Data, Read Permissions Write Attributes Write Extended Attributes, Append Data, Write Data, Read Permissions Execute or Traverse Folder, Read Attributes, Read Permissions All Read Permissions as in the first cell Execute or Traverse Folder All Read Permissions as in the first cell All Write Permissions as in the second cell Full Control and All permission bits are ticked None NOTE: In the table above, the permissions labeled Advanced can be viewed from the ACL dialog box by clicking on Advanced, then View/Edit. For a file owner ACE, Take Ownership, Delete and Change permissions flags are shown. For a file's owning group ACE, Take ownership permission flag is shown. However, all permissions are ticked in both Windows ACE Advanced and Basic views if a file permission is Full Control. Setting Permissions from Windows 2000, Windows XP, and Windows Vista Clients The following table shows how each Windows 2000 and Windows XP client permission is mapped to the UNIX permission when permissions are set from a client: Table 9 Windows 2000 and Windows XP Permissions Maps UNIX Permissions Windows 2000/XP Full Control Write Modify Read and Execute Read List Folder / Read Data (Advanced) Read Attributes (Advanced) Read Extended Attributes (Advanced) Read Permissions (Advanced) Create Files / Write Data (Advanced) Create Folder / Append Data (Advanced) Write Attributes (Advanced) Write Extended Attributes (Advanced) r-- -w- --x r-x rwrwx --- UNIX Permission rwx -wrwx r-x r-- r-- r-- r-- r-- -w- -w- -w- -w- 44 Managing HP-UX File Access Permissions from Windows NT/XP/2000

45 Table 9 Windows 2000 and Windows XP Permissions Maps UNIX Permissions (continued) Windows 2000/XP Traverse Folder / Execute File (Advanced) Delete Subfolders and Files (Advanced) Delete (Advanced) Change Permissions (Advanced) Take Ownership (Advanced) UNIX Permission --x No meaning on HP-UX * see explanation following table * see explanation following table * see explanation following table * The Delete, Change Permissions, and Take Ownership permissions represent the file and group ownership. You can only see these permissions, but you cannot set them from Windows 2000/XP clients. When the file permission is not set to Full Control, the Delete, Change and Take Ownership permissions are shown for the file owner. Take Ownership permission is shown for the file owning group. Everyone and other ACEs do not show these permissions except when the permission is set to Full Control. NOTE: The Windows 2000 permissions labeled Advanced in the table above can be viewed from the ACL dialog box by clicking on Advanced, then View/Edit. NOTE: The CIFS Server ensures that at least "read" permission is set for the file owner. For example, if a user tries to set a file's permissions to "- - -", the CIFS Server will actually set it to "r - -". Viewing ACLs from Windows 2000 Clients 1. Right-click on a file and select Properties 2. Click on the Security tab POSIX ACLs and Windows 2000, Windows XP, and Windows Vista Clients 45

46 Displaying the Owner of a File 1. Click on Advanced 2. Click on the Owner tab on the Access Control Settings dialog box HP CIFS Server Directory ACLs and Windows 2000, Windows XP, and Windows Vista Clients Directory ACL Types Under POSIX, directory ACL contains both access and default ACEs. Access ACEs control the access to the directory itself. Default ACEs define what permissions are set for new files and subdirectories created under the current directory. Viewing ACLs from Windows 2000 Clients Windows 2000 or XP can show ACLs on a file or a directory in Basic and Advanced views. Viewing Basic ACLs from Windows 2000 Clients 1. Right-click on a file or a directory and select Properties 2. Click on the Security tab 46 Managing HP-UX File Access Permissions from Windows NT/XP/2000

47 Figure 14 Basic ACL View Viewing Advanced ACLs from Windows 2000 Clients 1. Right-click on a file or a directory and select Properties 2. Click on the Security tab 3. Click on the Advanced button HP CIFS Server Directory ACLs and Windows 2000, Windows XP, and Windows Vista Clients 47

48 Figure 15 Advanced ACL View Mapping Windows 2000/XP Directory Inheritance Values to POSIX Under POSIX, default ACEs can apply to both files and subdirectories. In a Windows 2000 or XP environment, directory ACE entries differ from POSIX and use the following Windows Inheritance Values (Apply To values in the Windows Advanced ACE screen) to distinguish access and default behavior: This folder only This folder, subfolders and files This folder and subfolders This folder and files Subfolders and files only Subfolders only Files only When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type. The following table shows how Windows Inheritance Values are mapped to POSIX: Table 10 Mapping Table for Inheritance Values to POSIX Inheritance Value This Folder only This Folder, Subfolders and Files This Folder and Subfolders This Folder and Files Subfolders and Files only POSIX Mapping by HP CIFS Server Maps to access ACE. An ACE of this type is mapped to both access and default ACE. Maps only to access ACE for this directory. Maps only to access ACE for this directory. Maps to default ACE for this directory. 48 Managing HP-UX File Access Permissions from Windows NT/XP/2000

49 Table 10 Mapping Table for Inheritance Values to POSIX (continued) Inheritance Value Subfolders only Files only POSIX Mapping by HP CIFS Server This type is not supported and any ACE with this type is ignored by the HP CIFS Server. This type is not supported and any ACE with this type is ignored by the HP CIFS Server. Modifying Directory ACLs From Windows 2000/XP Clients NOTE: HP-UX directory ACLs are set inconsistently using the ACL Basic permission screen from the Windows 2000 or XP client. You must use the Windows Advanced permission screen (Directory-> Properties->Security Tab->Advanced Button) to view or change POSIX directory ACLs. This section describes how to modify a directory ACE from the Widnows 2000 or XP client: 1. Right-click on a directory and select Properties 2. Click on the Security tab 3. Click on the Advanced button 4. Select an ACE, click on the View/Edit tab Figure 16 Modifying ACE Permissions 5. Check/uncheck the boxes next to each permission to add/remove any permissions that you want. Please refer to "Mapping Table for Windows 2000/XP Permissions to UNIX Permissions" for detail information on how each permission in this window is mapped to UNIX permissions 6. Select the appropriate ACE type from Apply to drop-down list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Please refer to "Mapping Table for Inheritance Values to POSIX" for detail information 7. Click on OK, you will be taken back to the Advanced ACE screen. Repeat the step 4 through step 6 to modify other ACEs 8. Click on OK or Apply button on the Advanced ACE screen HP CIFS Server Directory ACLs and Windows 2000, Windows XP, and Windows Vista Clients 49

50 Figure 17 Modifying an ACE Type With Apply To value IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button. If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server. To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions. Removing an ACE entry from Windows 2000/XP clients For mandatory ACLs (user, owning group, everyone), removing an ACE entry from the Advanced Windows permission screen does not remove that ACE entry on the UNIX system. The HP CIFS Server generates the missing ACEs from the existing access ACEs on the file. For any other user or group ACEs, removing an ACE entry from the Advanced Windows screen will remove that ACE entry on the HP CIFS Server. Examples Following are three examples to show the changes of the directory ACEs on the HP CIFS Server when an ACE entry is removed from the Windows 2000/XP client. Example 1: In the example 1, assume that the existing directory ACEs for testdir on the HP CIFS Server are: # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:rwx access:other:rwx default:owner:rwx default:owning group:r-x 50 Managing HP-UX File Access Permissions from Windows NT/XP/2000

51 default:other:r-x In the example 1, if a default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx, The following shows the result of changes for the directory ACEs on the HP CIFS Server: # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:rwx access:othere:rwx defualt:owner:rwx default:owning group:rwx default:other:r-x Example 2: In the example 2, assume that the existing directory ACEs for testdir on the HP CIFS Server are: # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:r-x access:other:rwx defualt:owner:rwx default:owning group:r-- default:other:r-- In the example 2, if both access owning group ACE entry, r-x, and default owning group ACE entry, r--, are removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing owning group ACE entries based on the existing access owning group ACE. The following shows the result of changes for the directory ACEs on the HP CIFS Server: # file:testdir # owner:testuser # owning group:users access:owner:rwx access:owning group:r-x access:other:rwx defualt:owner:rwx default:owning group:r-x default:other:r-- Example 3: In the example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are: # file:testdir HP CIFS Server Directory ACLs and Windows 2000, Windows XP, and Windows Vista Clients 51

52 # owner:testuser # owning group:users # other group:testgroup access:owner:rwx access:owning group:r-x access:other group:rwdefualt:owner:rwx default:owning group:r-- default:other group:r-w In the example 3, if both access other group ACE entry, rw-, and default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server will remove both access other group and default other group ACE entries. The following shows the result of changes for the directory ACEs on the HP CIFS Server: # file:testdir # owner:testuser # owning group:users # other group:testgroup access:owner:rwx access:owning group:r-x defualt:owner:rwx default:owning group:r-- Adding Directory ACLs From Windows 2000/XP Clients This section describes how to add a directory ACE from the Windows 2000 or XP client: 1. Right-click on a directory and select Properties 2. Click on the Security tab 3. Click on the Advanced button 4. Click on Add button, a select user or group window is displayed 5. You may select any user or group from the available one. 6. Click on OK, you will be prompted to enter ACE permissions and the type of ACE 7. Enter the desired permissions, click on OK 8. You will be taken to the ACE Advanced view screen, click on OK or Apply button to add the new ACE 52 Managing HP-UX File Access Permissions from Windows NT/XP/2000

53 Figure 18 Selecting a new ACE user or group IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface. POSIX Default Owner and Owning Group ACLs The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group. In HP CIFS Server A version and earlier, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on corresponding access and default ACEs. The POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same. Changing permissions on Windows Creator Owner and Creator Group ACEs will only modify POSIX default owner and owning group ACEs on the HP CIFS Server. POSIX ACEs with zero permissions POSIX owning group and everyone ACEs with zeros permissions are not displayed in the Windows interface. For example, if a directory owning group has zero permissions on the HP CIFS Server, an ACE for that owning group will not be shown on the Windows interface. ACEs for any other user or group with zero permissions are shown with no permissions in the Windows interface. POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface. In Conclusion Samba ACL support is a feature that enables the manipulation of UNIX file permissions or UNIX ACLs from Windows 2000, Windows XP, or Windows Vista clients. With this feature, almost any modification you want to make to UNIX permissions or VxFS POSIX ACLs can now be done from an Windows 2000, Windows XP, or Windows Vista client (with the exception of the class entry for VxFS POSIX ACLs). Windows applications running on the Windows 2000, Windows XP, or Windows Vista client cannot expect full Windows 2000, Windows XP, or Windows Vista ACL support. Although much In Conclusion 53

54 of the Windows 2000, Windows XP, or Windows Vista ACL information is retained and retrieved by the Samba server, some of the information may be lost or changed in some cases. NOTE: The ACL support is not an Windows 2000, Windows XP, or Windows Vista ACL emulation, but rather access to UNIX ACLs through the Windows 2000, Windows XP, or Windows Vista client. Therefore, you cannot run Windows applications which require full, perfect Windows 2000, Windows XP, or Windows Vista ACL support. 54 Managing HP-UX File Access Permissions from Windows NT/XP/2000

55 4 Windows Style Domains Introduction This chapter describes how to configure the roles that an HP CIFS Server can play in a Windows style domain, whether it is a Samba Domain, consisting solely of HP CIFS Servers, or as a Windows domain with a Microsoft Domain Controller (DC). Configuration of Member Servers joining a Windows 2000 and Windows 2003 Domain as a pre-windows 2000 compatible computer is described here. Chapter 5, Windows 2003 and Windows 2008 Domains, should be consulted for configuration of Member Servers joining Domains with a Windows 2003 or Windows 2008 Domain Controller as an ADS Member Server. Chapter 9, HP CIFS Deployment Models describes further how the server roles can be utilized in common network deployments. HP CIFS Server can be configured to play different roles in an Windows style Domain Model including: Member Server in a Windows 2003 or Windows 2008 Domain with a Microsoft DC PDC in an Samba Domain where an HP CIFS Server serves as the PDC Backup Domain Controller (BDC) in an Samba Domain where an HP CIFS Server serves as the PDC Member Server in an Samba Domain where HP CIFS Server serves as the PDC Advantages of the Samba Domain Model The HP CIFS Server PDC domain model provides a number of advantages: HP CIFS Server PDC domain administrators may group workstations and servers under the authority of a domain controller Domain members may be centrally administered by using domains to group related machines. One of the benefits of this is the ability for user accounts to be common for multiple systems. A user may now make one password change which will affect multiple systems accessed by that user. Another benefit is that IT administration work is reduced, since there is no longer a need for individual accounts to be administered on each system HP CIFS BDCs may be configured to off load some of the HP CIFS PDC authentication responsibilities and can be promoted to a PDC if the PDC fails or needs to be taken out of services. Primary Domain Controllers The Primary Domain Controller (PDC) is responsible for several tasks within the domain. These include: Authenticating user logons for users and workstations that are members of the domain Acting as a centralized point for managing user account and group information for the domain A user logged on to the Primary Domain Controller (PDC) as the domain administrator can add, remove or modify Windows domain account information on any machine that is part of the domain Introduction 55

56 Backup Domain Controllers Advantages of Backup Domain Controllers HP CIFS Server with BDC support provides the following benefits to the customer: The BDC can authenticate user logons for users and workstations that are members of the domain when the wide area network link to a PDC is down. A BDC plays an important role in both domain security and network integrity. The BDC can pick up network logon requests and authenticate users while the PDC is very busy on the local network. It can help to add robustness to network services. The BDC can be promoted to a PDC if the PDC needs to be taken out of services or fails. This is an important feature of domain controller management. To promote a BDC to a PDC on the HP CIFS Server, change the domain master parameter from "no" to"yes". Limitations The following is a list of limitations for the BDC support: HP CIFS Server can only function as a BDC to an HP CIFS PDC. HP CIFS Server and MS Windows server can each function as a BDC to its own type of PDC. HP CIFS Server cannot create Security Account Management (SAM) update delta files. It cannot interoperate with a PDC to synchronize the SAM from delta files that are held by a BDC. The Samba 3.0 BDC does not support replication to a PDC. Running a Samba 3.0 BDC with a non-ldap backend can have the difficulty in synchronizing the SAM database. Refer to Table 5.1, Domain Backend Account Distribution Option, in the Official Samba HOWTO and Reference Guide for more information on possible design configuration for a PDC/BDC infrastructure. Domain Members The following member servers are supported: Windows NT Windows 2000 and Windows 2003 HP CIFS Server Users on a domain member machine can access network resources within the domain. Some examples of these resources are file and printer shares and application servers Domain members do not perform the user authentication for user logons. Instead, the member sends the credentials to a domain controller via a secure channel. The domain controller checks the credentials against those in its database and returns the results to the member server. Access is granted based on the results returned Configure the HP CIFS Server as a PDC When configured to act as a Primary Domain Controller (PDC), the HP CIFS Server should create machine accounts for Windows Clients (member servers). To enable this feature, choose "Primary Domain Controller" when executing samba_setup, then verify the following: 1. The smb.conf file is as shown if the HP CIFS Server acting as a PDC does not use the LDAP backend: [global] workgroup = SAMBADOM #Samba Domain security = user 56 Windows Style Domains

57 domain logon = yes domain master = yes encrypt passwords = yes [netlogon] comment = The domain logon service path = /var/opt/samba/netlogon writeable = no guest ok = no [profiles] comment = profiles Service path = /etc/opt/samba/profiles read only = no create mode = 600 directory mode = The smb.conf file is as shown if the HP CIFS Server acting as a PDC uses the LDAP backend to store UNIX and Samba account databases: [global] workgroup = SAMBADOM #Samba Domain security = user domain logon = yes domain master = yes encrypt passwords = yes passdb backend = ldapsam:ldap://ldapserver: /var/opt/samba/netlogon subdirectory for the domain logon service exists. NOTE: security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend. domain master: Set this parameter to yes in order for the HP CIFS Server to act as a PDC. domain logon: Set this parameter to yes to provide netlogon services. Encrypt passwords: You set this parameter to yes, the passwords used to authenticate users are encrypted. You must set this parameter to yes when you configure a HP CIFS Server acting as a PDC. Configure the HP CIFS Server as a BDC When configuring HP CIFS Server to act as a Backup Domain Controller (BDC), you need to configure the relative domain controller parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows: The smb.conf file is as shown if the HP CIFS Server acting as a BDC does not use the LDAP backend: [global] workgroup = SAMBADOM # Samba Domain security = user domain logon = yes domain master = no Configure the HP CIFS Server as a BDC 57

58 encrypt passwords = yes security = user [netlogon] comment = The domain logon service path = /var/opt/samba/netlogon writeable = no guest ok = no The smb.conf file is as shown if the HP CIFS Server acting as a BDC uses the LDAP backend to store UNIX and Samba account databases: [global] workgroup = SAMBADOM #Samba Domain security = user domain logon = yes domain master = no encrypt passwords = yes passdb backend = ldapsam:ldap://ldapserver:389 When you configure the relative domain controller parameters, ensure that the /var/opt/samba/netlogon subdirectory for the domain logon service exists. HP CIFS does not implement a true SAM database and nor its replication. HP CIFS implementation of BDCs is very much like a PDC with one important difference. A BDC is configured like a PDC except the smb.conf parameter, domain master, mustbesettono. NOTE: security: Set this parameter to user to ensure that Windows users, client machine accounts, and passwords are stored and managed in the smbpasswd file or LDAP backend. domain master: Set this parameter to no in order for the HP CIFS Server to act as a BDC. domain logon: Set this parameter to yes to provide netlogon services. Encrypt passwords: You set this parameter to yes, the passwords used to authenticate users are encrypted. You must set this parameter to yes when you configure HP CIFS Server to act as abdc. Promote a BDC to a PDC in a Samba Domain If a PDC fails or needs to be taken out of services, simply set "domain master = yes" ona BDC. It will then register the appropriate NetBIOS names and will assume the PDC role. Domain Member Server Configure the HP CIFS Server as a Member Server When configuring HP CIFS Server to act as a domain member server, you need to configure the relative domain parameters in the /etc/opt/samba/smb.conf file by using the SWAT tool or an editor. The smb.conf file is shown as follows: The smb.conf file is as shown if the HP CIFS Server acting as a member server does not use the LDAP backend: [global] workgroup = NTDOM security = domain 58 Windows Style Domains

59 password server = DOMPDA encrypt passwords = yes netbios name = myserver The smb.conf file is as shown if the HP CIFS Server acting as a member server uses the LDAP backend to store UNIX and Samba account databases: [global] workgroup = NTDOM security = domain encrypt passwords = yes passdb backend = ldapsam:ldap://ldapserver:389 netbios name = myserver NOTE: workgroup: This parameter specifies the domain name of which the HP CIFS Server is a member. security: When the HP CIFS Server joins a domain as a member, this parameter must be set to "domain". password server: This parameter defines the NetBIOS name of the PDC machine which performs the username authentication and validation. encrypt passwords: If this parameter is set to yes, the passwords used to authenticate users are encrypted. netbios: Set this parameter to the NetBIOS name by which a member server is known. Join an HP CIFS Server to an NT Domain, Windows 2000/2003 (as a pre-windows 2000 computer), or Samba Domain This section describes the procedures to join an HP CIFS Server to a Windows NT domain, Windows 2000 and Windows 2003 (as a pre-windows 2000 computer) or Samba domain as a member server. Domain Member Server 59

60 Step-by-step Procedure 1. Choose "Domain Member Server" when executing samba_setup. When prompted, you will need to add your domain Member Server machine account to the PDC. For Windows NT: Go to the Windows NT PDC and create a machine account for the HP CIFS Member Server by performing the following steps: a. Open the "start/programs/administrator/tools/server manager" tool. b. Select the "computer/add to domain" icon and enter the host name of the HP CIFS Server. c. Choose the "Windows NT Workstation or Server" option when you are asked for the computer type. For Windows 2000: Go to the Windows 2000 PDC and create a machine account for the HP CIFS Member Server by using the Active Directory Controller Wizard. Check the "Allow Pre-Windows 2000 computers to use this account" box and add the computer name For Samba (including HP CIFS): Go to the Samba Server acting as a PDC and create a machine account for the HP CIFS Member Server by following the steps provided in Chapter 4 section titled, "Create a Machine Trust Account.". samba_setup will then perform the "net rpc join -U Administrator%password" command for you. Create the Machine Trust Accounts A Machine Trust Account for a Windows Client (Client=member server) on a HP CIFS Server acting as a PDC is simply a user account entry created for a machine. It is denoted by the machine name followed by "$". For PDCs not using LDAP (default), machine accounts will have entries in both /etc/passwd (UNIX user accounts) and /var/opt/samba/private/smbpasswd (Windows user accounts). For PDCs using LDAP, machine accounts will have posixaccount and sambasamaccount object class entries in a directory server database. The following steps are used to create a machine account for a Windows Client on a HP CIFS Server acting as a Primary Domain Controller (PDC): 1. Create the UNIX or POSIX account for a Windows Client: Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if LDAP is disabled: $ useradd -c NT_workstation -d /home/temp -s /bin/false client1$ As an example, the resulting entry in the /etc/passwd file for a client machine named "client1" would be: client1$:*:801:800:nt_workstation: /home/temp:/bin/false where 801 is a uid and 800 is the group id of a group called "machines." A uid or group id can be any unique number. You may find that uid values 0 through 100 are considered special, and/or server specific. This may, or may not apply to your system. The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false. Use the following command to create the posixaccount entry for a Windows client in the LDAP directory if LDAP is enabled: $ /opt/ldapux/bin/ldapmodify a D cn=directory Manager w dmpasswd h ldaphosta f new.ldif $ Where LDIF update statements specified in the new.ldif file are added to the LDAP directory server, ldaphosta. The following is an example of LDIF update statements in the new.ldif file: 60 Windows Style Domains

61 dn: uid=client1$ ou=people,dc=hp,dc=com objectclass: top objectclass: account objectclass: posixaccount homedirectory: /home/temp loginshell: /bin/false As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be: objectclass: posixaccount cn: client1$ uid: client1$ uidnumber: 1000 gidnumber: 200 homedirectory: /home/temp loginshell: /bin/false userpassword: {crypt}x pwdlastset: logontime: 0 logofftime: kickofftime: pwdcanchange: 0 pwdmustchange: rid: 1206 primarygroupid: 1041 acctflags: [W ] displayname: client1$ 2. Run the smbpasswd program on the Samba PDC server to create the Windows account: Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if LDAP is disabled: $ smbpasswd -a -m client1 An example of the associated machine entry in the /etc/opt/samba/private/smbpasswd file for a client machine named "client1" would be: client1$:*801:800:ed816800d0393daad3b435b51404ee:321abeefe10ec431b9aaff1a1d0d47:[w ]:LCT : Use the following command to add the sambasamaccount entry for a Windows client to the LDAP directory server if LDAP is enabled: For ldapsam_compat backend: $ /opt/samba/bin/smbpasswd -a -m client1 Forldapsam backend: $ /opt/samba/bin/smbpasswd -a -m client1 An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be: objectclass: posixaccount objectclass: sambasamaccount cn: client1$ uid: client1$ uidnumber: 1000 gidnumber: 200 homedirectory: /home/temp loginshell: /bin/false gecos: Samba_Server description: Samba_Server userpassword: {crypt}x pwdlastset: logontime: 0 logofftime: Create the Machine Trust Accounts 61

62 kickofftime: pwdcanchange: 0 pwdmustchange: rid: 1206 primarygroupid: 1041 lmpassword: E0AFF63989B8FA A685C6AFAF1 ntpassword: E0AFF63989B8FA A685C6AFAF1 acctflags: [W ] displayname: client1$ NOTE: You can also use utilities including pdbedit, net commands to create the machine trust accounts. The net commands provide numerous new utility operations. For more information on how to create machine trust accounts using pdbedit and net commands, see SWAT help text for pdbedit, net commands. Configure Domain Users The following examples show the commands used to configure Domain Users, Domain Administrators and Domain Guests on a HP CIFS Server configured as a PDC. If you are a root-level user, create a Domain User in the group named "users", located in the /sbin/sh directory. For example: useradd -g users -c "Domain Users" -s /sbin/sh domuser If you are not a root-level user, create a Domain User in the group named "users", located in the /usr/bin/sh directory. For example: useradd -g users -c "Domain Users" -s /usr/bin/sh domuser where domuser is the name of a Domain User. If you are a root-level user, create a Domain Administrator in the group named "adm", located in the /sbin/sh directory. For example: useradd -g adm -c "Domain Administrators" -s /sbin/sh domadmin If you are not a root-level user, create a Domain Administrator in the group named "adm", located in the /usr/bin/sh directory. For example: useradd -g adm -c "Domain Administrators" -s /usr/bin/sh domadmin where domadmin is the name of a Domain Administrator. If you are a root-level user, create a Domain Guest in a group named "users", located in the /sbin/sh directory. For example: useradd -g users -c "Domain Guest" -s /sbin/sh domguest If you are not a root-level user, create a Domain Guest in a group named "users", located in the /usr/bin/sh directory. For example: useradd -g users -c "Domain Guest" -s /usr/bin/sh domguest where domguest is the name of a Domain Guest. Be sure that all of the users that were created (see the example above) have been added to the /etc/passwd file. Join a Windows Client to a Samba Domain 1. Verify the following parameters in the smb.conf file: Set the security parameter to "user." Set the workgroup parameter to the name of the domain. Set the encrypt passwords parameter to "yes." 62 Windows Style Domains

63 [global] security = user workgroup = SAMBADOM #SAMBA Domain name domain logon = yes encrypt passwords = yes 2. Create the UNIX or POSIX account for a Windows Client: Use the following command to create the POSIX account for a Windows client in the /etc/passwd file if the passdb backend option is set to smbpasswd: $ useradd -c NT_workstation -d /home/temp -s /bin/false client1$ As an example, the resulting entry in the /etc/passwd file for a client machine named "client1" would be: client1$:*:803:808:nt_workstation: /home/temp:/bin/false where 803 is a uid and 808 is the group id of a group called "machines." A uid or group id can be any unique number. You may find that uid values 0 through 100 are considered special, and/or server specific. This may, or may not apply to your system. The machine account is the machine's name with a dollar sign character ("$") appended to it. The home directory can be set to /home/temp. The shell field in the /etc/passwd file is not used and can be set to /bin/false. Use the following command to create the posixaccount entry for a Windows client in the LDAP directory if the passdb backend option is set to ldapsam or ldapsam_compat: $ /opt/ldapux/bin/ldapmodify a D cn=directory Manager w dmpasswd h ldaphosta f new.ldif $ Where LDIF update statements specified in the new.ldif file are added to the LDAP directory server, ldaphosta. The following is an example of LDIF update statements in the new.ldif file: dn: uid=client1$ ou=people,dc=hp,dc=com objectclass: top objectclass: account objectclass: posixaccount homedirectory: /home/temp loginshell: /bin/false As an example, the resulting entry in the LDAP directory server for a client machine named "client1" would be: dn: uid=client1, ou=people,dc=hp,dc=com objectclass: top objectclass: posixaccount cn: client1$ sn: client1$ uid: client1$ uidnumber: 1002 gidnumber: 202 homedirectory: /home/client1$ loginshell: /bin/false userpassword: {crypt}x pwdlastset: logontime: 0 logofftime: kickofftime: pwdcanchange: 0 pwdmustchange: rid: 1206 primarygroupid: 1041 Join a Windows Client to a Samba Domain 63

64 acctflags: [W ] displayname: client1$ 3. Run the smbpasswd program on the Samba PDC server to create the Windows account: Use the following command to add the Windows account for a Windows client to the /var/opt/samba/private/smbpasswd file if the passdb backend option is set tosmbpasswd: $ smbpasswd -a -m client1$ An example of the associated machine entry in the /etc/opt/samba/private/smbpasswd file for a client machine named "client1" would be: client1$:*803:808:ed816822d0393daad3b435b51404dd:321 ABEEFE10EC431B9BBFF1A1C0C047:[W ]:LCT : Use the following command to add the sambasamaccount entry for a Windows client to the LDAP directory server if the passdb backend option is set to ldapsam or ldapsam_compat: $ smbpasswd -a -m client1 An example of the associated machine entry in the LDAP directory server for a client machine named "client1" would be: objectclass: posixaccount objectclass: sambasamaccount cn: client1$ uid: client1$ uidnumber: 1002 gidnumber: 202 homedirectory: /home/temp loginshell: /bin/false gecos: Samba_Server description: Samba_Server userpassword: {crypt}x pwdlastset: logontime: 0 logofftime: kickofftime: pwdcanchange: 0 pwdmustchange: rid: 1206 primarygroupid: 1041 lmpassword: E0AFF63989B8FA A685C6ADFC1 ntpassword: E0AFF63989B8FA A685C6ADFC1 acctflags: [W ] displayname: client1$ 4. Logon to Windows NT as a local admin user. 5. From the Windows NT desktop, click 'Start', 'Settings' and 'Control Panel'. When the Control Panel window opens, double-click on the 'Network' icon. When the 'Network' window opens, click the 'Identification' tab. Refer to Figure 4-1 below. 6. Enter the Samba domain name in the 'Domain' field, and click on the 'Change' button. Refer to Figure 4-3 below. 64 Windows Style Domains

65 Figure 19 Entering A Samba PDC Domain Name Roaming Profiles The HP CIFS Server, configured as a PDC, supports Roaming Profiles with the following features: A user's environment, preference settings, desktop settings, etc. are stored on the HP CIFS Server Roaming Profiles can be created as a share, and be shared between Windows clients When a user logs on to a workstation in the domain, the roaming profile is downloaded from the share which is on a HP CIFS Server configured as a PDC, to the local machine. Upon logout, the profile is copied back to the server Configuring Roaming Profiles Use the following procedure to configure roaming profiles: 1. Modify or enable roaming profiles by using the global parameter named logon path, in the smb.conf file. Example: [global] logon path = \\%L\profile\%U workgroup = SAMBADOM security = user encrypt passwords = yes domain logon = yes 2. Create a [profiles] share for roaming profiles. Set profile acls = yes for the profile share used for the user profile files. Do not set profile acls = yes on normal shares as this will result in incorrect ownership of the files created on those shares. The following is an example configuration for the [profiles] share: [profiles] Roaming Profiles 65