A primary concern of a CIFS server is how to authenticate a CIFS client. There are two options:

- Windows NT LanManager authentication (NTLM), which is discussed in the next section.
- Kerberos authentication, which necessitates a thorough understanding of Kerberos, so we will not discuss it any further in this chapter.

20.3.1 Windows NT LanManager authentication

The main authentication method is via what is known as Windows NT LanManager (NTLM) authentication. Unlike NFS, which does not ask for usernames and passwords, NTLM requires a user (a client) to log in to the CIFS server before accessing a mount point. Thereafter, we use file permissions and ownerships to enforce security. NTLM authentication requires a CIFS client to have a valid username and password configured in a password file located somewhere in the Windows domain. When we talk about an administrative domain, we are talking about a Windows concept: a distributed environment for managing usernames, passwords, and access rights, with concepts such as a primary domain controller (PDC) and backup domain controllers (BDC).

Before you start having heart palpitations, you may initially want to authenticate users via a CIFS/SMB password file located on your HP-UX server that is not explicitly part of the Windows domain. This means we need a separate password file configured for all CIFS clients. It would be helpful if we could just use /etc/passwd, but life is never that simple, is it? Unfortunately, we need a CIFS password file separate from /etc/passwd; it is normally called /var/opt/samba/private/smbpasswd. As well as having a separate password file, we have a separate command to configure passwords: smbpasswd. This may seem a bit long-winded, but it is actually relatively simple to set up and does mean that your HP-UX server can authenticate CIFS clients without necessarily having a PDC/BDC configured and running. The drawback is that we now have two password files to manage on HP-UX; c'est la vie. The flipside is that with CIFS/9000 we can use the password file in our Windows domain; that is, we can authenticate CIFS clients via our PDC/BDC. We look at that later.

Some administrators would argue that if you have Windows/CIFS clients out there in your network, it is a safe(ish) bet to assume that you have some means of authenticating them; in other words, most Windows networks will have a PDC/BDC configured. I can't comment on the number of Windows networks that use a domain (PDC/BDC) versus a workgroup. We look at setting up a local SMB/CIFS password file on an HP-UX server as well as integrating our authentication with a Windows PDC/BDC.

20.3.1.1 USING A LOCAL SMB/CIFS PASSWORD FILE

The setup for a simple CIFS server using a local SMB/CIFS password file is relatively simple. Here's a cookbook for the setup:
- Install the CIFS/9000 Server product.
- Enable CIFS server functionality in /etc/rc.config.d/samba.
- Configure /etc/opt/samba/smb.conf.
- Verify your smb.conf configuration with the testparm utility.
- Create an SMB password file.
- Start the CIFS daemon.
- Verify the configuration with the smbclient utility.

20.3.1.1.1 Installing CIFS-server software

I don't need to show you how to install software, do I? I have downloaded the most recent version of the software from http://software.hp.com and, as you can see, it does not require a reboot:

    root@hpeos003[] swlist -l fileset -a is_reboot -s /tmp/B8725AA_A.01.10_HP-UX_B.11.11_32+64.depot
    # Initializing...
    # Contacting target "hpeos003"...
    #
    # Target:  hpeos003:/tmp/B8725AA_A.01.10_HP-UX_B.11.11_32+64.depot
    #
    # CIFS-Development
      CIFS-Development.CIFS-PRG    false
    # CIFS-Server
      CIFS-Server.CIFS-ADMIN       false
      CIFS-Server.CIFS-DOC         false
      CIFS-Server.CIFS-MAN         false
      CIFS-Server.CIFS-RUN         false
      CIFS-Server.CIFS-UTIL        false
    root@hpeos003[]

Once it's installed, we can proceed.

20.3.1.1.2 Enable CIFS server functionality in /etc/rc.config.d/samba

This part of the configuration simply ensures that the CIFS server daemon is started after every reboot.

    root@hpeos003[] vi /etc/rc.config.d/samba
    ...
    #
    # Installed at /etc/rc.config.d/samba
    #
    RUN_SAMBA=1

20.3.1.1.3 Configure /etc/opt/samba/smb.conf

I will not cover every option in this file because there are quite a few. What I propose to do is show you how to get this configuration off the ground. You can explore some of the more esoteric options for yourself. I am looking to share the directory /ora1 with my CIFS clients. Here are the changes I made to the default smb.conf file:

    root@hpeos003[] vi /etc/opt/samba/smb.conf
    ...
    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
       workgroup = UKDOM1
    ...
    # server string is the equivalent of the NT Description field
       server string = CIFS9000 Samba Server
    ...
    # this tells Samba to use a separate log file for each machine
    # that connects
       log file = /var/opt/samba/log.%m
       log level = 1
    ...
    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
       security = user
    ...
    #=========================== Share Definitions =========================
    [homes]
       comment = Home Directories
       browseable = no

    # This one is useful for people to share files
    [tmp]
       comment = Temporary file space
       path = /tmp
       read only = no
    ...
    [ora1]
       comment = Shared Database Directory
       path = /ora1
       writable = yes
       browseable = yes

You may notice that user home directories and /tmp are part of the default configuration. If you want to disable this feature, simply remove the [homes] and [tmp] sections from the smb.conf file. I will leave them in for this demonstration.

20.3.1.1.4 Verify your smb.conf configuration with the testparm utility

While not absolutely necessary, testparm will highlight any syntax errors in your smb.conf file; it's an especially good idea when you have never configured CIFS before (I will truncate this output because it covers more than seven pages).

    root@hpeos003[] /opt/samba/bin/testparm
    Load smb config files from /etc/opt/samba/smb.conf
    Processing section "[homes]"
    Processing section "[tmp]"
    Processing section "[ora1]"
    Loaded services file OK.
    Processing comments in /etc/opt/samba/smb.conf
    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
            coding system =
            client code page = 850
            code page directory = /etc/opt/samba/codepages
            workgroup = UKDOM1
            netbios name =
            netbios aliases =
            netbios scope =
            server string = Samba Server
            interfaces =
            bind interfaces only = No
            security = USER
            encrypt passwords = Yes
            update encrypted = No
            allow trusted domains = Yes
            hosts equiv =
    ...
            vfs options =
            msdfs root = No

    [homes]
            comment = Home Directories
            browseable = No

    [tmp]
            comment = Temporary file space
            path = /tmp

    [ora1]
            comment = Shared Database Directory
            path = /ora1

As you can see, there are quite a few parameters to configure. We have taken the defaults for the vast majority of them.

20.3.1.1.5 Create an SMB password file

The SMB/CIFS password file does not exist by default.
We need to create it and ensure that the permissions are correct. Again, it's not a difficult task:

    root@hpeos003[] ll /var/opt/samba/private
    total 0
    root@hpeos003[] touch /var/opt/samba/private/smbpasswd
    root@hpeos003[] chmod 500 /var/opt/samba/private
    root@hpeos003[] chmod 600 /var/opt/samba/private/smbpasswd
    root@hpeos003[] ll /var/opt/samba/private
    total 0
    -rw-------   1 root       sys              0 Sep  7 16:24 smbpasswd
    root@hpeos003[]

We can now add users to the SMB password file using the smbpasswd command. These users will exist on our CIFS client machines, either Windows clients or CIFS clients on HP-UX machines. Before we add a user to the SMB password file, the user must exist in /etc/passwd. In this example, the user fred does not exist in the /etc/passwd file:

    root@hpeos003[] pwget -n charlesk
    charlesk:Q2BGUB0vg2nnE:103:20::/home/charlesk:/sbin/sh
    root@hpeos003[] /opt/samba/bin/smbpasswd -a charlesk
    New SMB password:
    Retype new SMB password:
    Added user charlesk.
    root@hpeos003[] /opt/samba/bin/smbpasswd -a fred
    New SMB password:
    Retype new SMB password:
    User fred does not exist in system password file (usually /etc/passwd).
    Cannot add account without a valid local system user.
    Failed to modify password entry for user fred
    root@hpeos003[]

20.3.1.1.6 Start the CIFS daemon

We are now ready to start the CIFS daemons, smbd and nmbd. We can run the startup routine /sbin/init.d/samba:

    root@hpeos003[] /sbin/init.d/samba start
    Samba started successfully; process ids: smbd: 3110, nmbd: 3108
    root@hpeos003[]
    root@hpeos003[] ll /var/opt/samba
    total 6
    drwxr-xr-x   2 root       sys           1024 Sep  7 16:29 locks
    -rw-r--r--   1 root       sys            462 Sep  7 16:29 log.nmbd
    -rw-r--r--   1 root       root           162 Sep  7 16:29 log.smbd
    dr-x------   2 root       sys             96 Sep  7 16:26 private
    root@hpeos003[] more /var/opt/samba/log.smbd
    [2003/09/07 16:29:35, 0] smbd/server.c:(793)
      smbd version 2.2.8a based HP CIFS Server A.01.10 started.
      Copyright Andrew Tridgell and the Samba Team 1992-2002
    root@hpeos003[]

20.3.1.1.7 Verify the configuration with the smbclient utility

The smbclient command should display our server's domain/workgroup as well as the shares that have been made available to clients. You can replace the "%" sign with a specific username if you want to see the shares available to a specific Windows user.

    root@hpeos003[] /opt/samba/bin/smbclient -L localhost -U%
    added interface ip=192.168.0.203 bcast=192.168.0.255 nmask=255.255.255.0
    Domain=[UKDOM1] OS=[Unix] Server=[Samba 2.2.8a based HP CIFS Server A.01.10]

            Sharename      Type      Comment
            ---------      ----      -------
            tmp            Disk      Temporary file space
            ora1           Disk      Shared Database Directory
            IPC$           IPC       IPC Service (CIFS9000 Samba Server)
            ADMIN$         Disk      IPC Service (CIFS9000 Samba Server)

            Server               Comment
            ---------            -------
            CKHOME1              The Main Machine
            HPEOS003             CIFS9000 Samba Server

            Workgroup            Master
            ---------            -------
            UKDOM1               CKHOME1
    root@hpeos003[]

Because we are now acting as a CIFS server, we should be able to see the configured shares on a Windows-based machine (running Windows XP in this instance), as shown in Figure 20-1.

Figure 20-1. Screenshot from a Windows-based machine.

This command was run by the Windows user charlesk. It is important that the users we add to the smbpasswd file have the same usernames (and passwords) as those used by Windows.

We now look at setting up HP-UX as a CIFS client, i.e., able to use shares advertised by a CIFS server. This could be a Windows-based server or another HP-UX machine acting as a CIFS server.
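Before moving on, here is a pre-flight script for the local smbpasswd cookbook just described; it is an added example, not the book's own commands. It takes the paths as arguments (the real ones above are /var/opt/samba/private/smbpasswd and /etc/opt/samba/smb.conf) and checks the three things the cookbook depends on: the 500/600 permissions on the private directory and the smbpasswd file that holds the clients' password hashes, `security = user` in smb.conf, and that a user has a local account before `smbpasswd -a` is attempted.

```shell
#!/bin/sh
# Added example: pre-flight checks for a local smbpasswd setup.
# All paths are parameters so the checks can run against a scratch copy.

# Print the 10-character permission field of ls -ld (works on HP-UX,
# Linux and BSD; any trailing ACL/SELinux marker is cut off).
mode_of() { ls -ld "$1" | cut -c1-10; }

# The private directory holds the password hashes; the page sets it to 500.
check_private_dir() {
    [ -d "$1" ] || { echo "missing directory: $1" >&2; return 1; }
    m=$(mode_of "$1")
    [ "$m" = "dr-x------" ] || { echo "$1 is $m, want dr-x------" >&2; return 1; }
}

# smbpasswd itself must be a regular file readable by root only (600).
check_smbpasswd_file() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
    m=$(mode_of "$1")
    [ "$m" = "-rw-------" ] || { echo "$1 is $m, want -rw-------" >&2; return 1; }
}

# smbpasswd -a refuses a user with no local account, so look the name up
# in the system password file first. $2 defaults to /etc/passwd.
check_local_user() {
    grep -q "^$1:" "${2:-/etc/passwd}"
}

# Confirm smb.conf asks for user-level security, as in [global] above
# (case-insensitive and whitespace-tolerant, like testparm's "USER").
check_security_user() {
    grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*user[[:space:]]*$' "$1"
}

# preflight PRIVATE_DIR SMBPASSWD_FILE SMB_CONF USER [PASSWD_FILE]
# Runs every check and returns 0 only when all of them pass.
preflight() {
    rc=0
    check_private_dir "$1"     || rc=1
    check_smbpasswd_file "$2"  || rc=1
    check_security_user "$3"   || { echo "$3: security is not 'user'" >&2; rc=1; }
    check_local_user "$4" "$5" || { echo "no local account for $4" >&2; rc=1; }
    return $rc
}
```

Run `preflight /var/opt/samba/private /var/opt/samba/private/smbpasswd /etc/opt/samba/smb.conf charlesk` as root before each `smbpasswd -a`; a non-zero exit names the failing check on stderr.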