20.3 CIFS Server Configuration


A primary concern of a CIFS server is how to authenticate a CIFS client. There are two options:

  • Windows NT LanManager authentication (NTLM), which is discussed in the next section.

  • Kerberos authentication, which necessitates a thorough understanding of Kerberos, so we will not discuss it any further in this chapter.

20.3.1 Windows NT LanManager authentication

The main authentication method is via what is known as Windows NT LanManager (NTLM) authentication. Unlike NFS, which does not ask for usernames and passwords, NTLM requires a user (a client) to log in to the CIFS server before accessing a mount point. Thereafter, we utilize file permissions and ownerships to enforce security. NTLM authentication requires a CIFS client to have a valid username and password configured in a password file located somewhere in the Windows domain. When we start talking about an administrative domain, we are talking about a Windows concept, which is a distributed environment for managing usernames, passwords, and access rights; we have concepts such as a primary domain controller (PDC) and backup domain controllers (BDC). Before you start having heart palpitations, you may initially want to authenticate users via a CIFS/SMB password file located on your HP-UX server that is not explicitly part of the Windows domain. This means we need to have a separate password file configured for all CIFS clients. It would be helpful if we could just use /etc/passwd, but life is never that simple, is it? Unfortunately, we need a CIFS password file separate from /etc/passwd; it's normally called /var/opt/samba/private/smbpasswd. As well as having a separate password file, we have a separate command to configure passwords: smbpasswd. This may seem a bit long-winded, but it actually is relatively simple to set up and does mean that your HP-UX server can authenticate CIFS clients without necessarily having a PDC/BDC configured and running. The drawback is that we now have two password files to manage on HP-UX; c'est la vie. The flipside is that with CIFS/9000 we can utilize the password file in our Windows domain; we can authenticate CIFS clients via our PDC/BDC. We look at that later.
Some administrators would argue that if you have Windows/CIFS clients out there in your network, it is a safe(ish) bet to assume that you have some means of authenticating them; in other words, most Windows networks will have a PDC/BDC configured. I can't comment on the number of Windows networks that use a domain (PDC/BDC) or a workgroup. We look at setting up a local SMB/CIFS password file on an HP-UX server as well as integrating our authentication with a Windows PDC/BDC.

20.3.1.1 USING A LOCAL SMB/CIFS PASSWORD FILE

The setup for a simple CIFS server using a local SMB/CIFS password file is relatively simple. Here's a cookbook for the setup:

  1. Install the CIFS/9000 Server product.

  2. Enable CIFS server functionality in /etc/rc.config.d/samba .

  3. Configure /etc/opt/samba/smb.conf .

  4. Verify your smb.conf configuration with the testparm utility.

  5. Create an SMB password file.

  6. Start the CIFS daemon.

  7. Verify the configuration with the smbclient utility.

20.3.1.1.1 Installing CIFS-server software

I don't need to show you how to install software, do I? I have downloaded the most recent version of the software from http://software.hp.com and, as you can see, it does not require a reboot:

 

    root@hpeos003[] swlist -l fileset -a is_reboot -s /tmp/B8725AA_A.01.10_HP-UX_B.11.11_32+64.depot
    # Initializing...
    # Contacting target "hpeos003"...
    #
    # Target:  hpeos003:/tmp/B8725AA_A.01.10_HP-UX_B.11.11_32+64.depot
    #
    # CIFS-Development
      CIFS-Development.CIFS-PRG     false
    # CIFS-Server
      CIFS-Server.CIFS-ADMIN        false
      CIFS-Server.CIFS-DOC          false
      CIFS-Server.CIFS-MAN          false
      CIFS-Server.CIFS-RUN          false
      CIFS-Server.CIFS-UTIL         false
    root@hpeos003[]

Once it's installed, we can proceed.

20.3.1.1.2 Enable CIFS server functionality in /etc/rc.config.d/samba

This part of the configuration is simply to ensure that the CIFS server daemon is started after every reboot.

 

    root@hpeos003[] vi /etc/rc.config.d/samba
    ...
    #
    # Installed at /etc/rc.config.d/samba
    #
    RUN_SAMBA=1

20.3.1.1.3 Configure /etc/opt/samba/smb.conf

I will not cover every option in this file because there are quite a few. What I propose to do is to show you how to get this configuration off the ground. You can explore some of the more esoteric options for yourself. I am looking to share the directory /ora1 with my CIFS clients. Here are the changes I made to the default smb.conf file (the changed lines are underlined in the book's listing; the [ora1] share at the end is the one I added):

 

    root@hpeos003[] vi /etc/opt/samba/smb.conf
    ...
    [global]
    # workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
       workgroup = UKDOM1
    ...
    # server string is the equivalent of the NT Description field
       server string = CIFS9000 Samba Server
    ...
    # this tells Samba to use a separate log file for each machine
    # that connects
       log file = /var/opt/samba/log.%m
       log level = 1
    ...
    # Security mode. Most people will want user level security. See
    # security_level.txt for details.
       security = user
    ...
    #=========================== Share Definitions =========================
    [homes]
       comment = Home Directories
       browseable = no
    # This one is useful for people to share files
    [tmp]
       comment = Temporary file space
       path = /tmp
       read only = no
    ...
    [ora1]
       comment           = Shared Database Directory
       path              = /ora1
       writable          = yes
       browseable        = yes

You may notice that user home directories and /tmp are part of the default configuration. If you want to disable this feature, simply remove the [homes] and [tmp] sections from the smb.conf file. I will leave them in for this demonstration.

20.3.1.1.4 Verify your smb.conf configuration with the testparm utility

While not absolutely necessary, testparm will highlight any syntax errors in your smb.conf file; it's an especially good idea when you have never configured CIFS before (I will truncate this output because it covers more than seven pages).

 

    root@hpeos003[] /opt/samba/bin/testparm
    Load smb config files from /etc/opt/samba/smb.conf
    Processing section "[homes]"
    Processing section "[tmp]"
    Processing section "[ora1]"
    Loaded services file OK.
    Processing comments in /etc/opt/samba/smb.conf
    Press enter to see a dump of your service definitions

    # Global parameters
    [global]
            coding system =
            client code page = 850
            code page directory = /etc/opt/samba/codepages
            workgroup = UKDOM1
            netbios name =
            netbios aliases =
            netbios scope =
            server string = Samba Server
            interfaces =
            bind interfaces only = No
            security = USER
            encrypt passwords = Yes
            update encrypted = No
            allow trusted domains = Yes
            hosts equiv =
    ...
            vfs options =
            msdfs root = No

    [homes]
            comment = Home Directories
            browseable = No

    [tmp]
            comment = Temporary file space
            path = /tmp

    [ora1]
            comment = Shared Database Directory
            path = /ora1

As you can see, there are quite a few parameters to configure. We have taken the defaults for the vast majority of these parameters.

20.3.1.1.5 Create an SMB password file

The SMB/CIFS password file does not exist by default. We need to create it and ensure that the permissions are correct. Again, it's not a difficult task:

 

    root@hpeos003[] ll /var/opt/samba/private
    total 0
    root@hpeos003[] touch /var/opt/samba/private/smbpasswd
    root@hpeos003[] chmod 500 /var/opt/samba/private
    root@hpeos003[] chmod 600 /var/opt/samba/private/smbpasswd
    root@hpeos003[] ll /var/opt/samba/private
    total 0
    -rw-------   1 root       sys              0 Sep  7 16:24 smbpasswd
    root@hpeos003[]

We can now add users into the SMB password file using the smbpasswd command. These users will exist on our CIFS client machines, either Windows clients or CIFS clients on HP-UX machines. Before we add a user to the SMB password file, the user must exist in /etc/passwd. In this example, the user fred does not exist in the /etc/passwd file:

 

    root@hpeos003[] pwget -n charlesk
    charlesk:Q2BGUB0vg2nnE:103:20::/home/charlesk:/sbin/sh
    root@hpeos003[] /opt/samba/bin/smbpasswd -a charlesk
    New SMB password:
    Retype new SMB password:
    Added user charlesk.
    root@hpeos003[] /opt/samba/bin/smbpasswd -a fred
    New SMB password:
    Retype new SMB password:
    User fred does not exist in system password file (usually /etc/passwd). Cannot add account without a valid local system user.
    Failed to modify password entry for user fred
    root@hpeos003[]

20.3.1.1.6 Start the CIFS daemon

We are now ready to start the CIFS daemons, smbd and nmbd. We can run the startup routine /sbin/init.d/samba:

 

    root@hpeos003[] /sbin/init.d/samba start
    Samba started successfully; process ids:
        smbd: 3110, nmbd: 3108
    root@hpeos003[]
    root@hpeos003[] ll /var/opt/samba
    total 6
    drwxr-xr-x   2 root       sys           1024 Sep  7 16:29 locks
    -rw-r--r--   1 root       sys            462 Sep  7 16:29 log.nmbd
    -rw-r--r--   1 root       root           162 Sep  7 16:29 log.smbd
    dr-x------   2 root       sys             96 Sep  7 16:26 private
    root@hpeos003[] more /var/opt/samba/log.smbd
    [2003/09/07 16:29:35, 0] smbd/server.c:(793)
      smbd version 2.2.8a based HP CIFS Server A.01.10 started.
      Copyright Andrew Tridgell and the Samba Team 1992-2002
    root@hpeos003[]

20.3.1.1.7 Verify the configuration with the smbclient utility

The smbclient command should display our server's domain/workgroup as well as the shares that have been made available to clients. The -U% option connects as an anonymous (null) user; you can replace the "%" sign with a specific username if you want to see the shares available to a specific Windows user.

 

    root@hpeos003[] /opt/samba/bin/smbclient -L localhost -U%
    added interface ip=192.168.0.203 bcast=192.168.0.255 nmask=255.255.255.0
    Domain=[UKDOM1] OS=[Unix] Server=[Samba 2.2.8a based HP CIFS Server A.01.10]

            Sharename      Type      Comment
            ---------      ----      -------
            tmp            Disk      Temporary file space
            ora1           Disk      Shared Database Directory
            IPC$           IPC       IPC Service (CIFS9000 Samba Server)
            ADMIN$         Disk      IPC Service (CIFS9000 Samba Server)

            Server               Comment
            ---------            -------
            CKHOME1              The Main Machine
            HPEOS003             CIFS9000 Samba Server

            Workgroup            Master
            ---------            -------
            UKDOM1               CKHOME1
    root@hpeos003[]
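As an added example (not a script from the book or from the HP CIFS/9000 product), here is a POSIX shell pre-flight check for steps 2, 3 and 5 of the cookbook above: RUN_SAMBA=1 in the rc file, user-level security in smb.conf, the 500/600 modes on the private directory and smbpasswd file, and that every smbpasswd account still has an /etc/passwd entry (the condition that made smbpasswd -a fred fail). Every path is an argument so it can be run against copies; the defaults are the HP-UX paths used in this section, and the expected file owner is assumed to be root unless told otherwise.

```shell
# Added pre-flight checks for a local-smbpasswd CIFS/9000 setup (example, not the book's script).
# Defaults are the HP-UX paths used in this chapter; every check returns 0 on success, 1 on failure.

# check_rc_samba FILE: RUN_SAMBA=1 must be set so smbd/nmbd are started at boot.
check_rc_samba() {
    grep -q '^RUN_SAMBA=1[[:space:]]*$' "$1"
}

# check_smb_conf FILE: require "security = user"; fail if encrypted passwords are switched off.
# Comment lines, case and spacing around "=" are normalised first so either style of file is accepted.
check_smb_conf() {
    norm=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^[#;]/d' "$1" |
           tr 'A-Z' 'a-z' | sed 's/[[:space:]]*=[[:space:]]*/=/')
    printf '%s\n' "$norm" | grep -q '^security=user$' || return 1
    printf '%s\n' "$norm" | grep -q '^encrypt passwords=no$' && return 1
    return 0
}

# check_private_perms DIR [OWNER]: the private directory must be dr-x------ and smbpasswd -rw-------,
# both owned by OWNER (default root), exactly as the ll output in the chapter shows.
check_private_perms() {
    dir="$1"; owner="${2:-root}"
    set -- $(ls -ld "$dir")
    [ "$(printf '%s' "$1" | cut -c1-10)" = "dr-x------" ] && [ "$3" = "$owner" ] || return 1
    set -- $(ls -l "$dir/smbpasswd")
    [ "$(printf '%s' "$1" | cut -c1-10)" = "-rw-------" ] && [ "$3" = "$owner" ] || return 1
}

# check_smb_users SMBPASSWD PASSWD: print every smbpasswd account with no system account and fail;
# smbpasswd -a refuses such users, so entries found here mean the two files have drifted apart.
check_smb_users() {
    awk -F: '/^#/ || /^$/ { next }
             NR == FNR    { sys[$1] = 1; next }     # first file: system password file
             !($1 in sys) { print $1; bad = 1 }     # second file: smbpasswd
             END { exit bad }' "$2" "$1"
}

# cifs_preflight [RC] [SMBCONF] [PRIVDIR] [PASSWD] [OWNER]: run all checks and report each failure.
cifs_preflight() {
    rc=${1:-/etc/rc.config.d/samba}; conf=${2:-/etc/opt/samba/smb.conf}
    priv=${3:-/var/opt/samba/private}; pw=${4:-/etc/passwd}; owner=${5:-root}
    status=0
    check_rc_samba "$rc" || { echo "FAIL: RUN_SAMBA is not 1 in $rc"; status=1; }
    check_smb_conf "$conf" || { echo "FAIL: $conf lacks 'security = user' or turns encrypted passwords off"; status=1; }
    check_private_perms "$priv" "$owner" || { echo "FAIL: $priv or $priv/smbpasswd has the wrong mode or owner"; status=1; }
    check_smb_users "$priv/smbpasswd" "$pw" || { echo "FAIL: the smbpasswd users listed above have no entry in $pw"; status=1; }
    return $status
}
```

Run it as root on the server with no arguments to check the live files before starting the daemons; any FAIL line points at the step of the cookbook to revisit.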

Because we are now acting as a CIFS Server, we should be able to see the configured shares on a Windows-based machine (running Windows XP in this instance) as shown in Figure 20-1.

Figure 20-1. Screenshot from a Windows-based machine.

This command was run by the Windows user charlesk. It is important that the users we add to the smbpasswd file are the same usernames (and passwords) used by Windows. We now look at setting up HP-UX as a CIFS client, i.e., able to use shares advertised from a CIFS server. This could be a Windows-based server or another HP-UX machine acting as a CIFS server.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434
