HP CIFS Client A.02.02 Administrator's Guide: HP-UX 11i v1 and v2
Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

U.S. Government License
Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

PAM NTLM includes a library derived from the Open Source Samba product. This library is subject to the GPL license. For detailed information, refer to the GPL license in Chapter 12 of the CIFS/9000 Server manual.

Copyright Notices
Copyright 2006 Hewlett-Packard Company L.P. All rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

Trademark Notices
UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.
Contents

1. Introduction to the HP CIFS Client
    Introduction to HP CIFS  13
        What is the CIFS Protocol?  13
    HP CIFS Client Description  15
    HP CIFS Client Features  16
        CIFS UNIX Extensions  16
        NTLM PAM Integration  17
        Kerberos Authentication: Integration with System Kerberos Cache  17
        AutoFS 2.3 Support for HP CIFS Client  17
        Support for Internationalized Clients  18
        NTLM, NTLMv2 Password Encryption  18
        Packet Signing  18
        NetBIOS Name Services, WINS, and DNS  19
        Microsoft Distributed File System  19
        Dynamically Loadable Kernel Module  20
        SMB Over TCP  21

    Configuration Settings For Authentication  43
    User Login Procedures  45
    Introduction To Kerberos  47
        Requirements and Limitations Using Kerberos  47
    Using Kerberos with the HP CIFS Client  48
        Step 1. Review fundamental Kerberos Operating Principals  48
        Step 2. Set Up and Verify the Kerberos Infrastructure  49
        Step 3. Configure Kerberos on the HP CIFS Client  51
    CIFS Client Kerberos Authentication Policies  52
        Explicit login: cifslogin  52
        Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)  52
        Ticket Lifetime  52
    Packet Signing  53
        Configuring Packet Signing with HP CIFS Client  53

5. Commandline Utilities
    cifsclient  71
        Synopsis  71
        Description  71
        Commands  71
        Files  72
        See Also  73
    cifsmount  74
        Synopsis  74
        Description  74
        Options  74
        Examples  76
        Files  76
        See Also  76
    cifslogin  77
        Synopsis  77
        Description  77
        Options  77
        Examples  79
        Files  79
        See Also  79
    cifsumount  80
        Synopsis  80
        Description  80
        Options  80
        See Also  80
    cifslogout  81
        Synopsis  81
        Description  81
        See Also  81
    cifslist  82
        Synopsis  82
        Description  82
        Options  82
        Sample cifslist Output  82
    cifsdb  85
        Synopsis  85
        Description  85
        Options  86
        Files  86
        See Also  86
    mount_cifs, umount_cifs  87
        Synopsis  87
        Description  87
        Options  87
        Files  89
        See Also  89

6. Troubleshooting and Error Messages
    Troubleshooting FAQs  93
        How to Shutdown the Daemon with cifsclient stop  93
        What to Do if the Daemon Terminates  93
    Troubleshooting Kerberos in the HP CIFS Client  94
    Troubleshooting cifsmount or mount in the HP CIFS Client  96
        What to Do if the HP CIFS Client DLKM is Unused  96
        What to Do if You Encounter the Error Message: Device Busy  97
    CIFS Client Log File and Log Levels  98

7. Configuration File
    General Structure  101
    Configuration Parameters  103

8. PAM NTLM
    Introduction  132
    PAM NTLM  134
        PAM NTLM Features  134
        User Map File  134
    PAM NTLM Configuration  135
        Configuring the PAM NTLM Module  135
        Configuring a User Map File  139
        Using NIS Distribution of the User Map File  139

Index  141
Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing the HP CIFS Client. Administrators are expected to have knowledge of the HP CIFS Client product.
Publishing History

Table 1 Publishing History Details

Document Manufacturing Part Number   Operating Systems Supported   Supported Product Versions   Publication Date
B8724-90079                          11i v1 and v2                 A.02.02                      April 2006
B8724-90067                          11i v1 and v2                 A.02.01                      April 2005
B8724-90044                                                        A.01.09                      August 2003
B8724-90022                                                        A.01.08                      June 2002
B8724-90011                                                        A.01.06                      June 2001
Chapter 4  Updating HP CIFS Client A.01.* to A.02.*
    This chapter describes the configuration parameter and command option differences between HP CIFS Client A.01.* and A.02.*, and provides the update procedures so that you can plan and carry out the upgrade of your CIFS Client.

Chapter 5  Commandline Utilities
    This chapter contains the UNIX man pages for all HP CIFS Client utilities.

Chapter 6  Troubleshooting the HP CIFS Client
    This chapter gives detailed procedures to help diagnose HP CIFS Client problems.

Chapter 7  Configuration File
    This chapter lists all configuration variables you can use to customize the HP CIFS Client software.

Chapter 8  PAM NTLM
    This chapter gives detailed information about the PAM NTLM authentication service.
Typographical Conventions
This document uses the following conventions.

Italics    Identifies titles of documentation, filenames and paths.
Bold       Text that is strongly emphasized.
monotype   Identifies program/script, command names, parameters or display.
Chapter 1: Introduction to the HP CIFS Client
It contains the following sections:
    Introduction to HP CIFS
    HP CIFS Client Description
    HP CIFS Client Features
Introduction to HP CIFS
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX.

The HP CIFS Server is based on the well-established open-source software Samba, and provides file and print services to CIFS clients, including Windows clients, other CIFS clients, and HP-UX machines running HP CIFS Client software.

The HP CIFS Client enables HP-UX users to mount shares from CIFS file servers, including Windows servers and HP-UX machines running HP CIFS Server, as UNIX filesystems.

The HP CIFS Client also offers an optional Pluggable Authentication Module (PAM) that implements the Windows NT LAN Manager (NTLM) authentication protocols. When installed and configured within HP-UX's PAM facility, PAM NTLM allows HP-UX users to be authenticated against a Windows authentication server.
PAM NTLM

The HP-UX PAM subsystem gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The framework also allows new authentication service modules to be plugged in and made available without modifying the applications. The PAM framework, libpam, consists of an interface library and multiple authentication service modules. The authentication service modules are a set of dynamically loadable objects invoked by the PAM API to provide a particular type of user authentication.

NT LAN Manager (NTLM) is the protocol by which CIFS clients are authenticated by CIFS servers when Kerberos is not in use. PAM NTLM is a PAM module that implements the NTLM protocol. It enables users logging in to an HP-UX system to have access to CIFS-mounted file systems without having to use the cifslogin command.
NOTE: This feature only works with CIFS servers that support CIFS UNIX extensions.
In order to provide HP CIFS Client AutoFS support, AutoFS 2.3 must be installed and configured on the system. For detailed information on installing and configuring AutoFS, please refer to Configuring and Administering AutoFS in the NFS Services Administrator's Guide on HP-UX at http://www.docs.hp.com.
NOTE: Automounting a CIFS filesystem using the HP ONC+ AutoFS service is only supported on HP-UX release 11i v1 and v2. If you have an HP-UX 11i v1 system, you must install the ONC software package, Enhanced AutoFS, available at http://software.hp.com, to enable the AutoFS 2.3 support. AutoFS doesn't support the HP CIFS Client on HP-UX release 11.0.
Packet Signing
The purpose of CIFS packet signing is to prevent man-in-the-middle attacks: each SMB packet carries a unique signature computed with a key that only the authenticated client and server hold, so the two sides are mutually assured of the other's identity, and a packet that is altered, injected or replayed in transit fails verification.
In the CIFS protocol, packet signing is negotiated when the client makes its initial connection to the server. Starting with the first user login to the server, all SMB packets between the client and server must be signed. See Packet Signing on page 53 for a description of the smbPacketSigning configuration parameter.
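To make concrete what the per-packet signature buys you, here is an added Python example; it is not code from the HP CIFS Client or from this guide. It applies the SMB1 signing scheme documented in Microsoft's [MS-CIFS] specification: the 8-byte SecuritySignature field of the 32-byte SMB header is first overwritten with the packet sequence number, and the signature is the first 8 bytes of MD5(session key || packet). The session key, the command and the payload bytes are constructed for the demonstration; in a real session the key comes out of the NTLM or Kerberos login. The example shows that a genuine packet verifies, while a modified packet, a replayed packet (same bytes, wrong sequence number) and a packet signed with a different key all fail.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 32                      # fixed SMB1 header size
SIG_OFFSET = 14                      # offset of the 8-byte SecuritySignature field
SMB_FLAGS2_SECURITY_SIGNATURE = 0x0004


def build_smb_message(command, tid, uid, mid, payload):
    """Build a minimal SMB1 message: 32-byte header plus caller-supplied payload.
    Only the fields this example needs are filled in; the rest stay zero."""
    header = bytearray(HEADER_LEN)
    header[0:4] = b"\xffSMB"
    header[4] = command
    struct.pack_into("<H", header, 10, SMB_FLAGS2_SECURITY_SIGNATURE)  # Flags2
    struct.pack_into("<H", header, 24, tid)                            # TID
    struct.pack_into("<H", header, 28, uid)                            # UID
    struct.pack_into("<H", header, 30, mid)                            # MID
    return bytes(header) + bytes(payload)


def _mac(key, message, seq):
    """MD5(key || message) with the sequence number written into the signature slot."""
    if len(message) < HEADER_LEN:
        raise ValueError("message shorter than an SMB header")
    msg = bytearray(message)
    struct.pack_into("<II", msg, SIG_OFFSET, seq, 0)   # sequence number, then 4 zero bytes
    return hashlib.md5(key + bytes(msg)).digest()[:8]


def sign(key, message, seq):
    """Return the message with its SecuritySignature field filled in for sequence number seq."""
    return message[:SIG_OFFSET] + _mac(key, message, seq) + message[SIG_OFFSET + 8:]


def verify(key, message, seq):
    """True only if the signature matches this key *and* this sequence number."""
    expected = _mac(key, message, seq)
    return hmac.compare_digest(expected, message[SIG_OFFSET:SIG_OFFSET + 8])


def demo():
    """Sign one constructed request and verify it under the four conditions that matter."""
    session_key = bytes(range(16))          # constructed; a real key comes from the login exchange
    request = build_smb_message(0x2E, tid=1, uid=0x0800, mid=1, payload=bytes(32))  # constructed payload
    signed = sign(session_key, request, seq=2)      # a request uses seq n, its reply uses n+1
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])
    return {
        "genuine": verify(session_key, signed, 2),
        "tampered": verify(session_key, tampered, 2),
        "replayed": verify(session_key, signed, 3),   # same bytes presented out of sequence
        "wrong_key": verify(b"\x00" * 16, signed, 2),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:10s} verify={ok}")
```

The sequence number is what turns a plain integrity check into replay protection: an attacker who captures a validly signed packet cannot resubmit it later because the receiver recomputes the MAC over its own expected sequence number, not the one in the captured bytes.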
For information on how to set up DFS on a CIFS server, consult your CIFS server documentation. The following describe the major features of DFS:

High data availability
    Multiple copies of read-only shares can be mounted under the same logical DFS name to provide alternate locations for accessing data. If one of the copies becomes unavailable, an alternate is automatically selected.

Load balancing
    Multiple copies of read-only shares on separate disk drives or servers can be mounted under the same logical DFS name, thus permitting limited load balancing between drives or servers.

Name and location transparency
    DFS transparently links server volumes and shares into a single name space. You can navigate the logical name space without regard to the physical location of your data.

Integration with the Windows NT security model
    There are no additional administrative or security issues. Users who connect to DFS shares are only permitted to access files for which they have appropriate rights on that share.

Limitations

CIFS Client MS DFS support has the following limitations:
    Moving files across DFS links is not supported.
    Before the CIFS Client connects to a DFS Root on an HP CIFS Server (Samba), CIFS UNIX Extensions must be disabled on either the CIFS Client or the Server.
The HP CIFS Client supports the following kernel module states:
    Auto: The module is dynamically loaded the first time it is used.
    Static: The module is statically linked into the kernel.
    Loaded: The module is dynamically loaded and running in the kernel.
    Unused: The module is not loaded in the kernel.
    Best: A state that selects from the following order of preference: auto, static, loaded, unused.

By default, the kernel module state is auto. The HP CIFS Client kernel module is dynamically loaded when the first CIFS file system mount is performed. You may use the kcmodule command to change the kernel configuration state. Ensure you understand the effects of any changes if you want to modify the kernel configuration state. Refer to the man page kcmodule(1M) for details.
NOTE: HP CIFS Client DLKM support is available only on HP-UX release 11i v2 or later.
Chapter 2: Installing, Configuring, and Using the HP CIFS Client
It contains the following sections:
    Overview of HP CIFS Client Installation and Configuration on page 25.
    Step 1: Checking HP CIFS Client Installation Prerequisites on page 26.
    Step 2: Installing HP CIFS Client and PAM Software on page 27.
    Step 3: Configuring the HP CIFS Client on page 28.
    Step 4: Starting and Stopping the HP CIFS Client Daemon on page 30.
    Using the HP CIFS Client on page 31.
    Automatic Mounting of CIFS Filesystems on page 36.
    Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration on page 37.
    HP CIFS Client Files and Directories on page 39.
Overview of HP CIFS Client Installation and Configuration
Step 1: Checking HP CIFS Client Installation Prerequisites

NOTE: If you are currently using an A.01.* version of the HP CIFS Client, read Migrating from version A.01.* to A.02.* of HP CIFS Client on page 57 before installing any A.02.* version.
Step 2: Installing HP CIFS Client and PAM Software
Installing From CD
If you are installing HP CIFS Client and PAM software from CD, run swinstall, and select HP CIFS Client or PAM NTLM (or both) from the CD ROM depot path.
Step 3: Configuring the HP CIFS Client

Editing cifsclient.cfg

The file /etc/opt/cifsclient/cifsclient.cfg.default contains the factory default settings. Do not modify this file; keep it as a reference. If appropriate, edit cifsclient.cfg as described below.

1. To enable WINS lookups, set the parameter nbnsWinsIp to the IP address of the WINS server. See Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration on page 37 for details.

2. Configure Internationalized Clients. The CIFS Client is designed to work with a variety of internationalized clients and servers. It can use Unicode to transmit multi-byte characters on the network, or any of several character encoding tables located in /etc/opt/cifsclient/unitables. See the README file in that directory for an index of the tables. Each table is a character map file which can be configured for encoding file and directory names on the client or server (file contents are not affected). The character set displayed on the CIFS Client console is configured with the parameter clientCharMapFile, which selects any one of the many character mapping files provided with the product. Character translations for communications with CIFS Servers can be done either in Unicode or through the configuration parameter serverCharMapFile, which also is used to select a character mapping file. Use of Unicode is turned on and off with the useUnicode parameter. The default settings in cifsclient.cfg are:

serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapCP437.cfg";
clientCharMapFile = "/etc/opt/cifsclient/unitables/unimap8859-1.cfg";
If, for example, your CIFS Client is configured as a Japanese system using the Shift-JIS locale, and it is connected to a Japanese CIFS Server that also uses Shift-JIS, you would configure the following:

serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";
clientCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";
3. Authentication Method. The authenticationMethod parameter should be set to ntlm or kerberos. See Using Kerberos with the HP CIFS Client in Chapter 3 for details.

4. NTLM Password Encryption. For servers with which Kerberos is not used, you can set the configuration parameter ntlmEncryptionVersion to ntlm or ntlmv2 to determine which NTLM version to use. Prefer ntlmv2 wherever the servers support it: the NTLMv1 response is a DES computation over the server challenge alone and is far weaker against offline cracking than the HMAC-MD5 based NTLMv2 response, which also binds client-chosen data and a timestamp. See Configuring Authentication in Chapter 3 for details.

5. Server-Specific Configuration. The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to ntlm, but you want to ensure that server cifshostA uses only NTLMv2, you can create the following section (within the enclosing "servers" section; see also the example at the end of the CIFS Client configuration file):

cifshostA = {
    ntlmEncryptionVersion = ntlmv2;
};
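To see how a server-specific section changes the setting a server actually gets, here is an added Python example; it is not the HP CIFS Client's own configuration parser, which this guide does not describe. It understands only the syntax visible on this page: name = value; assignments with quoted or bare values, nested name = { ... }; sections, and per-server sections inside an enclosing servers section. Comments and any other constructs of the real file are not handled, so treat the grammar as an assumption to check against your own cifsclient.cfg. The sample configuration is constructed. The audit reports, for every server with its own section, which NTLM version it will use, lists the servers not on ntlmv2, and rejects a section terminated with ); instead of }; rather than silently ignoring it.

```python
import re

# Token classes for the subset of cifsclient.cfg syntax shown in this guide (assumption).
_TOKEN = re.compile(r'\s*(?:("(?:[^"\\]|\\.)*")|([A-Za-z0-9_./:-]+)|([={};]))')


def tokenize(text):
    """Split text into ("str", value), ("word", value) or ("sym", value) tokens."""
    tokens, pos = [], 0
    while pos < len(text):
        if text[pos:].strip() == "":
            break
        m = _TOKEN.match(text, pos)
        if m is None:
            bad = text[pos:].lstrip()[0]
            raise ValueError(f"unexpected character {bad!r} near offset {pos}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("str", m.group(1)[1:-1]))   # drop the surrounding quotes
        elif m.group(2) is not None:
            tokens.append(("word", m.group(2)))
        else:
            tokens.append(("sym", m.group(3)))
    return tokens


def parse(text):
    """Parse into nested dicts; raises ValueError on anything outside the supported subset."""
    tokens = tokenize(text)
    pos = 0

    def peek():
        if pos >= len(tokens):
            raise ValueError("unexpected end of configuration")
        return tokens[pos]

    def expect(kind, value=None):
        nonlocal pos
        k, v = peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        pos += 1
        return v

    def section():
        nonlocal pos
        result = {}
        while pos < len(tokens) and tokens[pos] != ("sym", "}"):
            name = expect("word")
            expect("sym", "=")
            if peek() == ("sym", "{"):
                pos += 1
                result[name] = section()        # nested section such as servers or a server
                expect("sym", "}")
            else:
                kind, value = peek()
                if kind == "sym":
                    raise ValueError(f"expected a value for {name}, got {value!r}")
                pos += 1
                result[name] = value
            expect("sym", ";")
        return result

    cfg = section()
    if pos != len(tokens):
        raise ValueError("unbalanced '}'")
    return cfg


def effective_ntlm_versions(cfg):
    """Map each server with its own section to the ntlmEncryptionVersion it will use:
    the server's own setting if present, otherwise the global one (None if neither is set)."""
    global_version = cfg.get("ntlmEncryptionVersion")
    servers = cfg.get("servers", {})
    return {
        name: settings.get("ntlmEncryptionVersion", global_version)
        for name, settings in servers.items()
        if isinstance(settings, dict)
    }


def servers_not_on_ntlmv2(cfg):
    """Servers that will still negotiate something other than NTLMv2."""
    return sorted(name for name, v in effective_ntlm_versions(cfg).items() if v != "ntlmv2")


# Constructed sample; the 'servers' wrapper is the enclosing section this guide refers to.
SAMPLE_CFG = """
authenticationMethod = ntlm;
ntlmEncryptionVersion = ntlm;
serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapCP437.cfg";
servers = {
    cifshostA = {
        ntlmEncryptionVersion = ntlmv2;
    };
    buildsys = {
        ipAddress = "110.112.114.115";
    };
};
"""

if __name__ == "__main__":
    cfg = parse(SAMPLE_CFG)
    print(effective_ntlm_versions(cfg))
    print("not on ntlmv2:", servers_not_on_ntlmv2(cfg))
```

Run against a copy of your real cifsclient.cfg, the audit is a quick way to confirm that a global ntlm setting has not quietly left a server on NTLMv1 after you added an override for a different one.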
Step 4: Starting and Stopping the HP CIFS Client Daemon

Using the HP CIFS Client

You can configure your HP-UX system to start the CIFS Client automatically at boot by editing the file /etc/rc.config.d/cifsclient so that the run flag is set to 1:

RUN_CIFSCLIENT=1

There must be no spaces on either side of the equal sign. If you use this option, you can still stop and restart the HP CIFS Client after the system boots.

2. Mount and unmount shares on a CIFS server. This must be done by root. Remote directories to be mounted by the HP CIFS Client must be configured as shares on the CIFS server. In the following example, the share source, configured as a share on the HP CIFS server buildsys, is mounted by the CIFS Client using the directory /home/devl/source as the mount point. The directory used as the mount point must already exist and must be specified as an absolute path.

To mount:

$ mount -F cifs buildsys:/source /home/devl/source

To unmount, specify only the mount point:

$ umount /home/devl/source

3. Access the shared directory via the mount point on the Client. The CIFS protocol allows access to mounted directories only to users who have been authenticated by the server or a domain controller. This is accomplished through the cifslogin command. In the examples that follow, the share source has been configured on the server. The user joe on the Client wants to access the shared directory on buildsys. This is first attempted by changing directories to the mount point without first logging into the server (this fails). Then, by logging into buildsys with the cifslogin command, the user is authenticated by buildsys and can access its shared source directory through the CIFS Client's mount point. Note that the user name used to log in to the CIFS Server can be different from the current HP-UX login name on the Client. The account and password pair used in cifslogin must exist on the system that performs the authentication. Further, if the server is an HP-UX system, all users on the Client that access the Server should have the same uid on both systems, so that file ownership is consistent.
$ whoami
joe
$ cd /home/devl/source
sh: /home/devl/source: not found
This fails because the user has not yet logged into the CIFS Server buildsys.
$ cifslogin buildsys joe
Remote user joe's password: *****
This succeeds. You can use the cifslist command to verify the result. The cifslist command without any option displays servers with share and mountpoint information; it uses the \\server\share format for mounted objects.

$ cifslist
Mounted Object          Mountpoint          State
------------------------------------------------------------
\\buildsys\source       /home/devl/source   M
=============================================================
Server      Local User  Remote User  Domain  State
------------------------------------------------------------
buildsys    joe         joe                  L

If you use the cifslist -x command to verify the result, the output shows servers with share and mountpoint information using the UNIX format server:/share for mounted objects.

$ cifslist -x
Mounted Object          Mountpoint          State
------------------------------------------------------------
buildsys:/source        /home/devl/source   M
=============================================================
Server      Local User  Remote User  Domain  State
------------------------------------------------------------
buildsys    joe         joe                  L
$ cd /home/devl/source
This succeeds because of the cifslogin above. Using the example above (source is mounted and user joe is authenticated on buildsys), a user named lucy accesses the mount as follows:
$ cifslogin buildsys lucy
Remote user lucy's password: *****
$ cifslist
Mounted Object          Mountpoint          State
------------------------------------------------------------
\\BUILDSYS\source       /home/devl/source   M
=============================================================
Server      Local User  Remote User  Domain  State
-------------------------------------------------------------
buildsys    joe         joe                  L
buildsys    lucy        lucy                 L
Note that the Local User (the HP-UX account name) does not need to be the same as the Remote User (the CIFS server account name). In the previous example, if the local (HP-UX) user lucy has the CIFS account name lucille, she would login as follows:
$ cifslogin buildsys lucille
Remote user lucille's password: *****
For more detailed information on how to use the cifslist command to view the internal tables of HP CIFS Client, see Chapter 5, Commandline Utilities, on page 69.
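As an added example (not part of the HP CIFS Client and not code from this guide), the following Python reads cifslist output, in either the default \\server\share form or the -x server:/share form, and answers the question the session above walks through by hand: is a given mount point mounted, and does a given local user hold a login on its server? The sample output is constructed from the tables shown above; server names are compared case-insensitively because cifslist prints the server as both buildsys and BUILDSYS.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mount:
    server: str        # lower-cased
    share: str
    mountpoint: str
    state: str         # "M" = mounted


@dataclass(frozen=True)
class Session:
    server: str        # lower-cased
    local_user: str
    remote_user: str
    domain: str        # "" when the Domain column is blank
    state: str         # "L" = logged in


def split_mounted_object(obj):
    """Split \\\\server\\share (default cifslist output) or server:/share (cifslist -x)."""
    m = re.fullmatch(r"\\\\([^\\]+)\\(.+)", obj)
    if m is None:
        m = re.fullmatch(r"([^:]+):/(.+)", obj)
    if m is None:
        raise ValueError(f"unrecognised mounted object {obj!r}")
    return m.group(1).lower(), m.group(2)


def parse_cifslist(text):
    """Parse the two tables cifslist prints: mounts above the ===== line, sessions below it."""
    mounts, sessions, table = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue                        # blank line or ----- rule
        if set(line) <= {"="}:
            table = "sessions"              # ===== separates the two tables
            continue
        if line.startswith("Mounted Object"):
            table = "mounts"
            continue
        if line.startswith("Server") and "Local User" in line:
            table = "sessions"
            continue
        fields = line.split()
        if table == "mounts" and len(fields) == 3:
            server, share = split_mounted_object(fields[0])
            mounts.append(Mount(server, share, fields[1], fields[2]))
        elif table == "sessions" and len(fields) in (4, 5):
            domain = fields[3] if len(fields) == 5 else ""
            sessions.append(Session(fields[0].lower(), fields[1], fields[2], domain, fields[-1]))
        else:
            raise ValueError(f"unexpected cifslist line: {line!r}")
    return mounts, sessions


def ready_for(mounts, sessions, mountpoint, local_user):
    """True if mountpoint is mounted (M) and local_user holds a login (L) on that mount's server."""
    mount = next((m for m in mounts if m.mountpoint == mountpoint and m.state == "M"), None)
    if mount is None:
        return False
    return any(s.server == mount.server and s.local_user == local_user and s.state == "L"
               for s in sessions)


# Constructed from the cifslist output shown in this chapter; not a real capture.
SAMPLE_OUTPUT = """\
Mounted Object          Mountpoint          State
------------------------------------------------------------
\\\\BUILDSYS\\source       /home/devl/source   M
=============================================================
Server      Local User  Remote User  Domain  State
-------------------------------------------------------------
buildsys    joe         joe                  L
buildsys    lucy        lucille              L
"""

if __name__ == "__main__":
    mounts, sessions = parse_cifslist(SAMPLE_OUTPUT)
    for user in ("joe", "lucy", "bob"):
        print(user, "->", ready_for(mounts, sessions, "/home/devl/source", user))
```

A wrapper script can run this check before a batch job touches a CIFS mount and call cifslogin (or fail loudly) when the user has no session, instead of discovering the missing login through a cryptic "not found" error part-way through the job.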
where x and y are the name and password pair recognized by the server. The cifsmount command can perform the same function. Using the names from the examples above:

$ cifsmount -U <username> [-P<password>] //buildsys/source \
      /home/devl/source

If you do not specify -P password on the command line, cifsmount prompts you for the password. Prefer the prompt: a password passed with -P is recorded in the shell history and, for as long as cifsmount runs, is visible to other users of the client in the process list (ps).
Automatic Mounting of CIFS Filesystems
Using /etc/fstab
By creating entries in /etc/fstab you can mount CIFS filesystems automatically at boot time, or mount multiple CIFS file systems on one or more CIFS Servers with a single command entered manually. The format for such entries is:

server:/share mount_point cifs defaults 0 0

See the fstab(4) man page for detailed information on the format of this file. Then, to mount all CIFS entries in /etc/fstab manually, enter:

$ mount -aF cifs

To unmount all currently mounted CIFS filesystems, enter:

$ umount -aF cifs

These commands run automatically, at bootup and shutdown, if the system is configured to start the CIFS Client at bootup, as explained above in item 1 of Using the HP CIFS Client on page 31.
Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration
Only NetBIOS broadcast and DNS are enabled by default; they are controlled through the configuration parameters lookupTryNetbios and lookupTryDns, which are enabled by setting them to yes. The CIFS Client can also use WINS (a Windows name resolution service similar to DNS) or server-specific settings in the configuration file to locate CIFS servers. WINS provides an efficient lookup mechanism that is sufficient for most CIFS environments.

Name resolution can be configured as follows:

To enable WINS, set the nbnsWinsIp parameter to the IP address of a WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. For example, if you set the lookupTryNetbios and lookupTryDns parameters to yes and set the WINS server IP address to 110.112.114.115, the CIFS Client first attempts a WINS lookup, then a NetBIOS broadcast, then a DNS lookup.

WINS is a feature of the NetBIOS Name Service; hence disabling lookupTryNetbios also disables WINS. For example, if you set lookupTryNetbios to no, the HP CIFS Client ignores the nbnsWinsIp setting and does not attempt a WINS lookup at all.
If the server's NetBIOS name differs from its DNS name (so DNS cannot resolve it), and it is on a different subnet from the CIFS Client (so a NetBIOS broadcast cannot resolve it), and its address is not resolved by WINS, then you need to create a server entry with the IP address in the CIFS Client configuration file. To create a server-specific setting in the configuration file, first create a section for the server (as illustrated in the example at the end of the file itself), then set the ipAddress parameter to the server's IP address. In this case the configured IP address is used directly; all other lookup methods are bypassed for this server. For example:

    buildsys = { ipAddress = "110.112.114.115"; };

Note that the IP address must be quoted. Note also that NetBIOS broadcasts are useful only for servers on the same subnetwork as the client, and that DNS enables the CIFS Client to establish NetBIOS connections only with servers whose DNS and Windows names are identical.
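The lookup rules above can be checked mechanically. The following is an added example written for this edition, not code from the HP CIFS Client product or its configuration file: it parses a constructed fragment in the cifsclient.cfg block syntax (name = value; and name = { ... };), merges a server section over the cifs section, and reports the lookup methods the client will try for a given server. It assumes that lookupTryNetbios, lookupTryDns and nbnsWinsIp live in the cifs section with server sections nested inside it, that yes and no are the boolean values, and that the product reads the same syntax; the server names fileserver and dnsonly and the address 10.0.0.25 are made up.

```python
"""Added example (not part of the HP CIFS Client): parse a cifsclient.cfg-style
fragment and report the name-lookup order for a server, following the rules in
the guide: a per-server ipAddress bypasses all lookups; lookupTryNetbios = no
also disables WINS; otherwise WINS, NetBIOS broadcast, DNS."""
import re

# Constructed sample configuration (server names and 10.0.0.25 are made up).
SAMPLE_CFG = """
cifs = {
    lookupTryNetbios = yes;
    lookupTryDns = yes;
    nbnsWinsIp = "110.112.114.115";
    buildsys = { ipAddress = "10.0.0.25"; };
    dnsonly = { lookupTryNetbios = no; };
};
"""

_TOKEN = re.compile(r'"[^"]*"|[{};=]|[^\s{};=]+')
_MUST_BE_QUOTED = {"ipAddress"}   # the guide: "the IP address must be quoted"


def _parse_block(tokens, i):
    """Parse key = value; and key = { ... }; pairs until '}' or end of input."""
    block = {}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        if i + 2 >= len(tokens) or tokens[i + 1] != "=":
            raise ValueError("expected '=' after %r" % key)
        if tokens[i + 2] == "{":
            value, i = _parse_block(tokens, i + 3)
            if i >= len(tokens) or tokens[i] != "}":
                raise ValueError("missing '}' closing section %r" % key)
            i += 1
        else:
            raw = tokens[i + 2]
            if key in _MUST_BE_QUOTED and not raw.startswith('"'):
                raise ValueError("%s must be a quoted string" % key)
            value = raw.strip('"')
            i += 3
        if i >= len(tokens) or tokens[i] != ";":
            raise ValueError("expected ';' after %r" % key)
        block[key] = value
        i += 1
    return block, i


def parse_cfg(text):
    """Return the configuration as nested dicts (sections are dicts)."""
    tokens = _TOKEN.findall(text)
    cfg, i = _parse_block(tokens, 0)
    if i != len(tokens):
        raise ValueError("unexpected '}' at top level")
    return cfg


def effective_settings(cfg, server):
    """Global cifs-section values overridden by the server's own section."""
    cifs = cfg.get("cifs", {})
    settings = {k: v for k, v in cifs.items() if not isinstance(v, dict)}
    settings.update(cifs.get(server, {}))
    return settings


def lookup_order(cfg, server):
    """Return the lookup methods, in order, that the client will try."""
    s = effective_settings(cfg, server)
    if "ipAddress" in s:
        return ["ipAddress:" + s["ipAddress"]]        # used directly, no lookup
    order = []
    if s.get("lookupTryNetbios", "yes") == "yes":      # enabled by default
        if s.get("nbnsWinsIp"):                        # WINS rides on NetBIOS
            order.append("wins:" + s["nbnsWinsIp"])
        order.append("netbios-broadcast")
    if s.get("lookupTryDns", "yes") == "yes":          # enabled by default
        order.append("dns")
    return order


if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    for name in ("fileserver", "buildsys", "dnsonly"):
        print(name, "->", lookup_order(cfg, name))
```

Running the script prints the three cases from the text: a server with no section of its own goes WINS, broadcast, DNS; buildsys uses its configured address only; dnsonly loses WINS together with NetBIOS. An unquoted ipAddress is rejected by the parser, which is the check a practitioner wants before restarting the client with an edited file.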
HP CIFS Client Files and Directories

Table 2-1 HP CIFS Client Files and Directories (Continued)

File/Directory              Description
cifsumount                  Disconnects a local mountpoint from the server, if it is not mounted elsewhere.
cifsgettkt                  Test program that requests a Kerberos service ticket for a CIFS server (see Using Kerberos with the HP CIFS Client in Chapter 3).
cifslogin                   Authenticates a user to the remote server.
cifslogout                  Disconnects a user login session and the server shares from the specified server.
cifslist                    Lists connected servers, mountpoints, mounted shares, etc.
cifsclient                  Stops and starts the CIFS Client.
cifsdb                      Adds, modifies and deletes entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
/opt/cifsclient/pam         HP CIFS PAM files.
/opt/cifsclient/sbin        CIFS Client programs for use by the administrator or root user. The CIFS Client daemon is contained in this directory.
/etc/opt/cifsclient/        Directory containing the CIFS Client configuration files listed below.
cifsclient.cfg              Configuration file accessed by the CIFS Client daemon.
cifsclient.cfg.default      Contains the factory default settings; used as a reference. Do not modify.
                            Character-mapping tables for internationalized clients.
pam/smb.conf                PAM configuration file. You may need to modify it according to your needs. Refer to Chapter 6, PAM NTLM, for more details on this file.
pam/smb.conf.default        Default PAM file. Should be copied as pam/smb.conf for your use. Do not modify.
/var/opt/cifsclient         Directory for the CIFS Client log files, pid files, database, core files, and any other temporary files created for the client's own use.
CIFS Security and Authentication
NTLMv2 and Kerberos. It contains the following sections:

    Introduction on page 43
    User Login Procedures on page 45
    Introduction To Kerberos on page 47
    Using Kerberos with the HP CIFS Client on page 48
    CIFS Client Kerberos Authentication Policies on page 52
    Packet Signing on page 53
Introduction
One of the important characteristics of the CIFS file-sharing protocol is its security model. Before a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated by the server (the user must log in to the server). Four login methods are available; they are explained in the following pages. Restrictions at the file or directory level on the server's filesystem are also enforced by the server.
Authentication Methods
The HP CIFS Client supports two authentication protocols. They are configured on a global or server-specific basis in the CIFS Client configuration file by the system administrator:

Windows NT LanManager (NTLM) and NTLMv2

NTLM is a challenge-response protocol. The server sends a random challenge to the client, and the client returns it encrypted with a key derived from the user's password (the password hash). The server performs the same computation and verifies that the client's response matches. The user's password itself is never transmitted over the network. The HP CIFS Client supports NTLM and NTLM version 2 (NTLMv2). NTLMv2 uses the same challenge-response exchange, but computes the response with a stronger keyed hash (HMAC-MD5) over both the server challenge and a client-supplied challenge, and hence gives better password protection than NTLM.

With either version, anyone who obtains the stored password hash can answer the challenge without knowing the password; see the discussion of the -s option under cifsmount and cifslogin in Chapter 5.

Kerberos

Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to an application server without sending data across the network that might allow an attacker to subsequently impersonate the user. Kerberos is a secure, industry-standard authentication protocol that provides significant improvements over the NTLM protocol.
Server-Specific Configuration section below. These parameters select which mechanisms the CIFS Client uses to authenticate users to CIFS servers.

Legal entries for the authenticationMethod parameter are ntlm or kerberos. The default value of this parameter is ntlm. If you wish to use Kerberos, the configuration setting is:

    authenticationMethod = kerberos;

In this case, the CIFS Client requests the use of Kerberos when negotiating an initial connection with the CIFS server. If the server's response is affirmative, only Kerberos is used for authenticating users to this server; otherwise NTLM is used, and the CIFS Client determines which NTLM version to use from the ntlmEncryptionVersion setting. Note that this fallback is automatic: a server that declines Kerberos is authenticated to with NTLM instead, so set ntlmEncryptionVersion to ntlmv2 even where Kerberos is expected.

To use the traditional Windows NT LAN Manager (NTLM) protocol, set the authenticationMethod parameter to ntlm. In this case, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration. Valid entries for the ntlmEncryptionVersion parameter are ntlm or ntlmv2. For CIFS servers with which Kerberos is not used, if you want to use only NTLMv2 password encryption, set the ntlmEncryptionVersion parameter to ntlmv2. Otherwise, if you want to use only NTLM password encryption, set this parameter to ntlm. By default, the ntlmEncryptionVersion parameter is set to ntlm.

Server-Specific Configuration

The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to ntlm, but you want to ensure that server buildsys uses only NTLMv2, you can create the following section (within the enclosing cifs section; see also the example at the end of the CIFS Client configuration file):
buildsys = { ntlmEncryptionVersion = ntlmv2; };
User Login Procedures

perform a manual login in order to store the encrypted password. You can use the cifslogin -s or cifsdb command to save an entry in the user database, or use the cifsdb -d command to delete an entry from the user database. See the man pages for cifslogin and cifsdb in Chapter 5, Commandline Utilities, on page 69 for details.
4. Guest User

This feature enables all users on the HP CIFS Client host who are not logged into a mounted CIFS server to access the server's mountpoints with the privileges of a guest user. See also the detailed information on the guestRemoteUser parameter in Chapter 7. To set up guest user capabilities, set the configuration parameters guestRemoteUser and guestPassword to those of a valid account on the server. HP recommends setting up a dedicated guest account on the server with minimal rights, because every local user who has not logged in, including any process running under an unprivileged UNIX account, reaches the share as that account, and its password is stored in the client configuration file. Once configured, any UNIX user on the CIFS Client HP-UX host who has not logged into the CIFS server and tries to access its mounted share is automatically connected as the guest user, without an explicit cifslogin.
Introduction To Kerberos
Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or simply a server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal. Kerberos optionally provides integrity and confidentiality for data sent between the client and server. [B. Clifford Neuman, Theodore Ts'o: Kerberos: An Authentication Service for Computer Networks] Kerberos was developed at the Massachusetts Institute of Technology (MIT). Use of Kerberos in the CIFS environment provides significant security improvements over the older NT LanManager (NTLM) protocol traditionally used by CIFS clients and servers.
Using Kerberos with the HP CIFS Client
    http://www.isi.edu/gost/publications/kerberos-neuman-tso.html

The documentation repository at the Massachusetts Institute of Technology (the developer of Kerberos):

    http://web.mit.edu/kerberos

The Kerberos specification, RFC 1510 (since superseded by RFC 4120). An excellent introduction (section 1) and descriptions of the message exchanges (section 3):

    http://ftp.rfc-editor.org/in-notes/rfc1510.txt

Several informative papers can also be found on the Microsoft web site. Most of these documents also include practical information on how to set up security in networks of Windows computers. Search for kerberos or related topics at:

    http://www.microsoft.com
NOTE
A domain name server (DNS) should be active on a Windows server on your network. CIFS servers to which you want to connect should be registered in the Windows DNS so that they can be recognized by the KDC.
For information on setting up a Key Distribution Center on a Windows 2000 or 2003 server, refer to your Microsoft documentation.
The CIFS servers to which you want to connect via Kerberos with the CIFS Client must be joined to the Windows domain. For more information, refer to Windows online help or the HP CIFS Server Administrator's Guide. For information on setting up user accounts on a Windows KDC, consult the online help for managing user domain accounts.

To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1. The following HP-UX man pages also contain useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1), klist(1), kdestroy(1).

Once you have set up these elements of your Kerberos infrastructure, use the following checks to verify that everything is working. Do not proceed to step 3 without performing this verification.

To verify that user accounts have been set up properly on the KDC, and that the Kerberos authentication service on the KDC and the HP-UX Kerberos client can communicate properly, enter:

    $ kinit name

where name is one of the user names. If the operation succeeds, a Ticket-Granting Ticket (TGT) is issued for name. To verify that this actually occurred, run klist to display the contents of the ticket stored in the system Kerberos cache.

To verify that the CIFS servers have been properly configured as member servers on the KDC, run the test program cifsgettkt, located in /opt/cifsclient/bin:

    $ cifsgettkt -s server

where server is one of the CIFS servers. This command uses the TGT acquired with kinit to request a service ticket (ST) from the Ticket-Granting Server (TGS). Because cifsgettkt is used only for testing, it does not modify the system Kerberos cache; it prints an informative message on the console.

If these verification steps succeed, Kerberos authentication for CIFS clients and servers should succeed. You are ready to proceed to step 3.
Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)
This feature allows users to access mounted CIFS servers without using cifslogin. If you have a pre-existing Ticket-Granting Ticket (TGT) in the system Kerberos cache, established with kinit(1) or PAM Kerberos, you can access the CIFS mountpoint directly (cd, ls, etc.). The CIFS Client uses the TGT to acquire a Service Ticket (ST) for the mounted CIFS server and performs a CIFS login, all in the background. It is unnecessary to invoke cifslogin explicitly in this case.
Ticket Lifetime
The maximum ticket lifetime is controlled by the configuration of the KDC. For cifslogin, the CIFS Client requests a lifetime of 30 days for a TGT; thus the actual lifetime of a TGT issued to a CIFS client is the lesser of 30 days and the maximum configured at the KDC. For automatic login, the expiration time of a user's ST is equal to the expiration time of the TGT in the system cache.
Packet Signing
The purpose of CIFS packet signatures is the prevention of man-in-the-middle attacks: every SMB packet carries a signature computed with a key derived from the authenticated session, so the client and server are each assured that the packets they receive come from the other party and were not altered or injected in transit. The following terms are equivalent and are used interchangeably:

    security signatures
    packet signing
    packet signatures
    digital signatures
    message integrity
    message authentication codes (MACs)

Packet signing is performed on a per-server-connection basis. Once packet signing has been negotiated with a server, the first user login request and all subsequent SMB packets must be signed.
Table 3-1 Configuration Options For smbPacketSigning

Valid Option    Description
enabled         The HP CIFS Client connects with the CIFS server and signs packets if the server supports signing. The client still connects, but does not sign packets, if the server does not support signing.
required        The CIFS server must support signing. The CIFS Client refuses to establish the connection if the server does not support packet signing.
disabled        The HP CIFS Client disables packet signing. If the CIFS server requires signing, the client is unable to connect to the server.

Only required guarantees the protection described above: with enabled, a server (or anything answering in its place) that reports no signing support gets an unsigned connection, and the client does not warn.
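The following is an added example, not code from the HP CIFS Client product: a small model of the outcome described in this chapter and in Table 3-1, given the client's authenticationMethod, ntlmEncryptionVersion and smbPacketSigning settings and what the server offers. The client settings use the real parameter names and the defaults stated above. The server is described by made-up keys (kerberos, signing, requires_signing) that are assumptions of the model, not product parameters; the server descriptions in the script are constructed.

```python
"""Added example (not part of the HP CIFS Client): which mechanism and signing
state result from the client settings in this chapter and the server's
capabilities.  Flags the silent fall-back from Kerberos to NTLM."""

CLIENT_DEFAULTS = {
    "authenticationMethod": "ntlm",      # default stated in this chapter
    "ntlmEncryptionVersion": "ntlm",     # default stated in this chapter
}


def negotiate(client, server):
    """Return {'auth', 'signing', 'warnings'} for one client/server pair.

    server keys (assumed for this model): kerberos, signing, requires_signing.
    """
    c = dict(CLIENT_DEFAULTS, **client)
    if "smbPacketSigning" not in c:
        raise ValueError("smbPacketSigning must be enabled, required or disabled")
    warnings = []

    # Authentication: Kerberos only if requested *and* the server agrees;
    # otherwise NTLM with the configured version (the fall-back is silent).
    if c["authenticationMethod"] == "kerberos" and server.get("kerberos"):
        auth = "kerberos"
    else:
        auth = c["ntlmEncryptionVersion"]
        if auth not in ("ntlm", "ntlmv2"):
            raise ValueError("ntlmEncryptionVersion must be ntlm or ntlmv2")
        if c["authenticationMethod"] == "kerberos":
            warnings.append("kerberos requested but server declined; fell back to " + auth)
        if auth == "ntlm":
            warnings.append("NTLM (v1) in use; prefer ntlmEncryptionVersion = ntlmv2")

    # Packet signing, per Table 3-1.  A server that requires signing supports it.
    mode = c["smbPacketSigning"]
    requires = bool(server.get("requires_signing"))
    supports = bool(server.get("signing")) or requires
    if mode == "required":
        signing = "signed" if supports else "refused"
    elif mode == "enabled":
        signing = "signed" if supports else "unsigned"
        if not supports:
            warnings.append("server did not offer signing; connection is unsigned")
    elif mode == "disabled":
        signing = "refused" if requires else "unsigned"
    else:
        raise ValueError("smbPacketSigning must be enabled, required or disabled")

    # No connection means no authentication took place.
    return {"auth": auth if signing != "refused" else None,
            "signing": signing, "warnings": warnings}


if __name__ == "__main__":
    # Constructed server descriptions.
    domain_member = {"kerberos": True, "signing": True, "requires_signing": True}
    legacy = {"kerberos": False, "signing": False}
    hardened = {"authenticationMethod": "kerberos",
                "ntlmEncryptionVersion": "ntlmv2",
                "smbPacketSigning": "required"}
    defaults = {"smbPacketSigning": "enabled"}
    for cname, client in (("hardened", hardened), ("defaults", defaults)):
        for sname, srv in (("domain member", domain_member), ("legacy", legacy)):
            print(cname, "vs", sname, "->", negotiate(client, srv))
```

The hardened settings connect to a domain member with Kerberos and signing and refuse the legacy server outright; the shipped defaults (ntlm, enabled) reach the legacy server unsigned with NTLMv1, which is the combination the warnings call out.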
Migrating From HP CIFS Client A.01 to A.02
there are some configuration parameter and command option differences between HP CIFS Client A.01.* versions and HP CIFS Client A.02.* versions. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS Client. This chapter contains the following sections:

    Migrating from version A.01.* to A.02.* of HP CIFS Client on page 57
    Functionality Differences Between HP CIFS Client A.01.* and A.02.* on page 60
    Configuration Differences Between HP CIFS Client A.01.* and A.02.* on page 61
    Command Option Differences Between HP CIFS Client A.01.* and A.02.* on page 65
Migrating from version A.01.* to A.02.* of HP CIFS Client
The configuration and user database files used in version A.01.* of the CIFS Client are not recognized by version A.02.*. If you use an A.01.* version of the HP CIFS Client and you have modified cifsclient.cfg, or if there are user or mount entries in the CIFS Client database, follow the instructions below before updating any A.01.* version to any A.02.* version of the CIFS Client.
Step 2. Save the configuration file to the backup directory. If you do not use a modified version of the configuration file, you may skip this step.
$ cp /etc/opt/cifsclient/cifsclient.cfg A.01_migration_files/A.01.cfg
Step 3. Use the cifslist -U command to generate an ASCII listing of the user records saved in the database and save it to the backup directory. If there are no user records in the database, you may skip this step (use cifslist -U to check). You can view this list as a reference when re-creating user database entries under version A.02.
$ cifslist -U > A.01_migration_files/A.01.udb.users.list
Step 4. Use the cifslist -M command to generate an ASCII listing of the mount records saved in the database and save it to the backup directory. If there are no mount records in the database, you may skip this step (use cifslist -M to check). You can view this list as a reference when re-creating mount database entries under version A.02.
$ cifslist -M > A.01_migration_files/A.01.udb.mounts.list
Step 5. Preserve the CIFS Client database in the backup directory. If you skipped steps 3 and 4 above, you may skip this step as well. Run this command from the directory that holds the database (by default /var/opt/cifsclient); the backup directory must be on the same filesystem as the database, for the reason given in the note below.

    $ mv cifsclient.udb A.01_migration_files/A.01.udb
NOTE
The CIFS Client database is encrypted using, among other elements, the inode number of the database file in the HP-UX filesystem. This is a security measure that prevents the database from being moved to a different computer; it does not protect the stored credentials from a root user on the same host (see the -s option in Chapter 5). Hence, if you decide to revert to version A.01 of the CIFS Client, the inode number of the database must be preserved; otherwise the CIFS Client is unable to decrypt the database. To ensure that the inode number is retained, the database must be backed up within the same logical volume, with the mv command: a rename within one filesystem keeps the inode, whereas a move across filesystems, or cp or any other command that creates a new file, assigns a new inode. Do not use cp or any other UNIX command that changes the inode of the file. Use the mv command to back up the CIFS Client database.
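The following is an added example, not code from the HP CIFS Client product or this guide; it demonstrates the point of the note above on any UNIX system. Renaming a file within one filesystem (what mv does there) keeps its inode number, while copying it (cp, or mv across filesystems) creates a new file with a new inode. The helper refuses a backup directory on a different filesystem, because a cross-device move is a copy followed by a delete and would change the inode. The script works in a temporary directory with constructed contents; the name cifsclient.udb and the backup directory name are taken from the migration steps, the rest is invented for the example.

```python
"""Added example (not part of the HP CIFS Client): show that a same-filesystem
rename preserves a file's inode number while a copy does not, and refuse a
backup location that would force a copy."""
import os
import shutil
import tempfile


def backup_preserving_inode(src, backup_dir, backup_name):
    """Move src into backup_dir with os.rename, verifying the inode survives."""
    before = os.stat(src)
    if os.stat(backup_dir).st_dev != before.st_dev:
        raise ValueError("%s is on a different filesystem; the move would change the inode"
                         % backup_dir)
    dst = os.path.join(backup_dir, backup_name)
    os.rename(src, dst)                       # same device: inode unchanged
    after = os.stat(dst)
    if after.st_ino != before.st_ino:
        raise RuntimeError("inode changed during rename")
    return dst, after.st_ino


def copy_changes_inode(src, dst):
    """Copy src to dst (what cp does) and report whether the inode differs."""
    shutil.copy2(src, dst)
    return os.stat(src).st_ino != os.stat(dst).st_ino


def demo():
    """Run both operations in a scratch directory.

    Returns (inode kept by the rename, inode changed by the copy)."""
    with tempfile.TemporaryDirectory() as work:
        db = os.path.join(work, "cifsclient.udb")
        with open(db, "wb") as fh:
            fh.write(b"constructed sample database contents")
        backup_dir = os.path.join(work, "A.01_migration_files")
        os.mkdir(backup_dir)
        original_ino = os.stat(db).st_ino
        copy_differs = copy_changes_inode(db, os.path.join(backup_dir, "cp-copy.udb"))
        _moved, ino = backup_preserving_inode(db, backup_dir, "A.01.udb")
        return ino == original_ino, copy_differs


if __name__ == "__main__":
    kept, copy_differs = demo()
    print("mv within the filesystem kept the inode:", kept)
    print("cp produced a different inode:", copy_differs)
```

The st_dev comparison is the check to add to any migration script: if /var/opt/cifsclient and the backup directory are on different logical volumes, mv silently degrades to a copy and the database becomes undecryptable for A.01.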
The following steps revert the client to version A.01.

Step 1. Remove version A.02 (a system reboot occurs after the removal is completed):
$ swremove -x autoreboot=true -x mount_all_filesystems=false B8724AA
Step 2. Download the most recent release of version A.01 of the CIFS Client from http://software.hp.com.

Step 3. Install the downloaded CIFS Client depot. See Step 2: Installing HP CIFS Client and PAM Software on page 27 for detailed information on installation.

Step 4. If you preserved your old configuration file in step 2 under Preserving Data From A.01 Installations above, restore it to /etc/opt/cifsclient.

Step 5. If you preserved your old database file in step 5 under Preserving Data From A.01 Installations above, restore it to /var/opt/cifsclient. You must use the mv command to restore the database file, for the reason explained in the note under step 5 of that section.
Functionality Differences Between HP CIFS Client A.01.* and A.02.*
Configuration Differences Between HP CIFS Client A.01.* and A.02.*
Removed Configuration Parameters

The following A.01.* configuration parameters are no longer used in the HP CIFS Client A.02.*:

    runAsUser
    databaseFile
    mtabName
    maxOpenFiles
Parameter Name Changes

Table 4-1 shows the A.01.* configuration parameters that have been renamed in the HP CIFS Client A.02.*:

Table 4-1 Parameter Name Changes

A.01.*                  A.02.*
allowSaving             usersMayStoreSessionData
netbiosName             localNetbiosName
nfsAttributeCaching     nfsKernelCacheTime
authenticationLevel     authenticationMethod
dirDefaultLinks         fakedDirLinks
dirSize                 fakedDirSize
guestUser               guestRemoteUser
New Configuration Parameters

The following are new configuration parameters for the logLevels section in HP CIFS Client A.02.*:

    smbConnect
    uiTrace
    nbnsTrace
    diskarb
    authentication
The following are new configuration parameters for the Global section in HP CIFS Client A.02.*:

    corefileLimit
    networkInterfaces
    bindUdpExplicitly
    pagePoolInitialSize
The following are new configuration parameters for the nfs3-specific basis in HP CIFS Client A.02.*:

    cacheFiles
    cacheOpenFiles
    changeMicrosecondFileTimes
    nfsKernelCacheTime
    preferredPort
The following are new parameters for the cifs-specific basis in HP CIFS Client A.02.*:

    databaseParseInterval
    initialDataCaches
    initialDirCaches
    bindNbnsPort
    bindNbdgsPort
    lookupTryNetbios
    lookupTryDns
    nbnsWinsIp
    nbnsInitialTimeout
    nbnsTotalTimeout
    nbnsCacheTime
The following are new parameters for the server-specific basis in HP CIFS Client A.02.*:

    ntlmEncryptionVersion
    guestPassword
    allowHardLinks
    hardlinkUseRemoteCopy
    fileModeMask
    dirModeMask
    ctimeIsCreate
    smbPacketSigning
Command Option Differences Between HP CIFS Client A.01.* and A.02.*
Table 4-3 shows the mount -F cifs command option differences between A.01.* and A.02.*.

Table 4-3 mount_cifs

Option          Comments
-o nbname=      Moved to the configuration file in A.02.*
-o port=        Moved to the configuration file in A.02.*
-o domain=      New option in A.02.*
-o forcemnt     Removed in HP CIFS Client A.02.*; always true
Table 4-4 shows the cifslist command option differences between A.01.* and A.02.*.

Table 4-4 cifslist

A.01.* options:     -r
                    -s
                    -s server, -m share
                    -u server

A.02.* options:     -A, -S
                    -x
                    -U, -M
                    -m (no additional arguments)
                    -u (no additional arguments)

Comments:           Removed in A.02.*
                    New option in A.02.*
                    Removed in A.02.*; always true
                    New option in A.02.*
                    New option in A.02.*
Table 4-5 shows the cifslogin command option differences between A.01.* and A.02.*.

Table 4-5 cifslogin

A.01.*                                  A.02.*          Comments
Username given on the command line      -U username     The username can be given with or without the -U option in A.02.*
                                        -D domain       New parameter in A.02.*; overrides the configured value
Table 4-6 shows the new cifsdb command implemented in A.02.*.

Table 4-6 cifsdb (new in A.02.*)

    cifsdb <server>
    cifsdb -d <server>
    cifsdb <mount_point>
    cifsdb -d <mount_point>
Commandline Utilities
This chapter provides details for the CIFS Client Commandline Utilities. The HP CIFS Client software package consists of the following programs:
    cifsclient      Stops and starts the CIFS Client.
    cifsmount       Mounts a directory from a remote server.
    cifslogin       Authenticates a user to the remote server.
    cifsumount      Disconnects a local mountpoint from the server, if it is not mounted elsewhere.
    cifslogout      Disconnects a user login session and disconnects the server shares from the specified server. After logging out, the user cannot access any files from that server.
    cifslist        Lists connected servers, mountpoints, mounted shares, etc.
    cifsdb          Adds, modifies and deletes entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
    mount_cifs      Mounts the CIFS filesystem via mount(1M).
    umount_cifs     Unmounts the CIFS filesystem via umount(1M).
Each of the utilities described above also accepts the options -h and -v if given as the only parameter. The option -h prints a short help to standard error and the option -v prints the current version numbers to standard output.
cifsclient
Synopsis
    cifsclient {command}
    cifsclient fuser [-v] mountpoint [...]
    cifsclient force_umount {mountpoint [...] | -a}
Description
This shell script is used to start and stop the HP CIFS Client, and perform other useful tasks. Only users with root capabilities can invoke start, stop, restart, fuser, and force_umount (see also the -a option to klist and kdestroy). Any user can invoke status, klist, kdestroy, and ver. cifsclient without any additional command is equivalent to cifsclient start.
Commands
    start           Starts the daemon.
    stop            Shuts down the daemon.
    restart         Stop, sleep 1 second, start.
    status          Displays information about the daemon.
    klist [-a]      Displays the contents of all of the invoking user's CIFS Client Kerberos credentials files. This command is a shortcut that invokes klist(1) on each of the user's credentials files, automatically appending the -c option for each file. -a (recognized only for root) lists entries for all users. CIFS Client Kerberos credentials files are present on the system only if the configuration parameter rmTmpKerbCredFiles has been set to no. The files are located in /var/opt/cifsclient/krb5_tmp.
    kdestroy [-a]   Destroys all of the invoking user's CIFS Client Kerberos credentials files, using kdestroy(1). To destroy a single CIFS Kerberos credentials file, use kdestroy(1) directly, specifying the -c option. CIFS Client Kerberos credentials files are located in /var/opt/cifsclient/krb5_tmp. These files are present on the system only if the configuration parameter rmTmpKerbCredFiles has been set to no. -a (recognized only for root) destroys all files for all users.
    ver [-v]        Reports version information. The following modifier is also recognized: -v (verbose) displays what(1) strings for binaries, scripts and configuration files.
    fuser [-v] mountpoint [...]
                    Runs fuser -fu (see fuser(1M)) against the given CIFS filesystem mountpoint and each of its subdirectories. This is useful for determining which users are accessing the mount when unmounting fails with a Device busy message. You must be logged into the mounted CIFS fileserver for this command to be effective. -v produces verbose output (all subdirectories are shown); otherwise only directories with active user processes are shown. NOTE: The execution time of this command is proportional to the number of entries in the mounted filesystem.
    force_umount {mountpoint [...] | -a}
                    Forcibly unmounts the given mountpoints; this is an emergency procedure to be used only if the standard umount commands (umount mountpoint or cifsumount mountpoint) fail. -a forcibly unmounts all stale CIFS mounts.
Files
    /etc/opt/cifsclient/cifsclient.cfg
        This file contains the run-time configuration options for the HP CIFS Client. For detailed information see Chapter 7.

    /var/opt/cifsclient/krb5_tmp/krb5cc_<server>_<uid>
        Temporary CIFS Client Kerberos credentials file. <server> is the name of the CIFS server to which the user has been authenticated; <uid> is the decimal UID of the user.
See Also
cifsmount, fuser(1M), kdestroy(1), klist(1), mount_cifs, umount_cifs
cifsmount
You can use the mount command to execute the cifsmount command. See mount_cifs, umount_cifs on page 87 for the usage of the mount command. This section describes the usage of the cifsmount command.
Synopsis
cifsmount [<options>] //<server>/<share> <mountpoint>
Description
The cifsmount command is used to mount remote shares on the local file system. It mounts the share <share> from server <server> in the local file system at <mountpoint>. The mountpoint must exist. You are prompted for a password, and the program uses the username/password combination to log in to the server. If you are already logged in to the given server, the password prompt is skipped. You can use the option -N to suppress password prompting. Only users with root capabilities can invoke the cifsmount command to mount filesystems.
Options
    -r              Mounts as a read-only filesystem.
    -U <username>   Log in on the server as this user. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user that issues the cifsmount command. If you have a different user name at the server, use this option to set that name. It is ignored if you are already logged in at the server.
    -D <domain>     Send this domain name to the CIFS server.
    -P <password>   Password given on the command line. Use this option only if necessary, because all command-line parameters may show up in the output of the ps command. It gives you the possibility of passing a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.
    -S              Reads the password from stdin. This option may be useful if you want to use cifsmount from a shell script or another program. The -P option is insecure for this purpose because the UNIX ps command can show the command-line parameters of running processes.
    -N              Do not prompt for a password. This option may be used to avoid prompting for a password if you do not have a password.
    -I <ipaddress>  Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.
    -u              Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk: tools are available that sniff the network for plain text passwords. If you really must send the password in plain text (for example, because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.
    -f              Forces the mount. When this option is used, the mount is done even if the server is not responding. No requests are sent to the server; consequently, none of the parameters can be checked for validity.
    -v              Print version information.
    -s              Saves the mount and password in the database. Do not use this option unless you understand the security implications. The HP CIFS Client can maintain a database of mounts, usernames, and passwords. This database is used at startup to re-establish stored mounts and to log in users on demand, even if you are not logged in at the client. This option may be useful for automounting and for running programs by cron that cannot ask the user for a password. Passwords are stored in the HP CIFS Client's user database file. It is possible to recover the CIFS (NTLM) hash values of the passwords from this file, although the file itself is not sufficient; such a hash is functionally equivalent to the password itself, because the challenge-response can be computed from the hash alone. You can use this option safely only if you are the only one who has physical or root access to your machine, or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.
Examples
The following command mounts the share entiredisk from the server bigserver at the local mountpoint /mounts/bigserver as a read-only filesystem:

    cifsmount -r //bigserver/entiredisk /mounts/bigserver
Files
Mount information saved with the cifsmount -s command is stored in the HP CIFS Client's database file, /var/opt/cifsclient/cfgdb.ppl. The path to this file is not configurable.
See Also
cifslogin, cifsumount, cifslogout, cifslist
cifslogin
Synopsis
cifslogin [<options>] <servername> [<username>] cifslogin [<options>] //<servername>/<share>
Description
The cifslogin command is used to authenticate additional users at a server. Only authenticated users may access mounted files. Each user accesses the files at the server with his or her privilege status at that server. Because each local user maps to exactly one remote user name at a given server, every user can log in only once at that server. By default, cifslogin sends the user's login name to the server. You can specify a different username with the -U option.
Options
    -P <password>   Password given on the command line. Use this option only if you really have to, because all command-line parameters may show up in the output of the ps command. It gives you the possibility of passing a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.
    -U <username>   Log in on the server as this user.
    -D <domain name>
                    Specify the domain name that is sent to the server.
    -S              Reads the password from stdin. This option may be useful if you want to use cifslogin from a shell script or another program. The -P option is insecure for this purpose because the UNIX ps command can show the command-line parameters of running processes.
    -N              Do not prompt for a password. This option may be used to avoid prompting for a password if you are already logged in at the server or if the user does not have a password.
    -u              Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk: tools are available that sniff the network for plain text passwords. If you really must send the password in plain text (for example, because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.
    -f              Forces the login. When this option is used, the login is done even when the server is not responding. No requests are sent to the server; consequently, none of the parameters can be checked for validity.
    -s              Saves the password in the database. Do not use this option unless you understand the security implications. The HP CIFS Client can maintain a database of mounts, usernames, and passwords. This database is used at startup to re-establish stored mounts and to log in users on demand, even if you are not logged in at the client. This option may be useful for automoun
ting and for running programs by cron that have no possibility of asking the user for a password. Passwords are stored in the HP CIFS Client's user database file. It is possible to recover the CIFS (NTLM) hash values of the passwords from this file, although the file itself is not sufficient; such a hash is functionally equivalent to the password itself. You can use this option safely only if you are the only one who has physical or root access to your machine, or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.
78
Chapter 5
Examples
If local user steve has mounted a share from server bigserver, local user bill has no access to the mounted files because he is not logged in at the server. Bill, who has an account on bigserver under his real name miller, can do the following to gain access:
cifslogin bigserver -U miller
Bill will be prompted for a password and, if it is correct, he will be given access to the share with the same privileges that user miller has on bigserver.
Files
Usernames and passwords are stored encrypted in the HP CIFS Client's user database file. The path to the user database file can be configured in the HP CIFS Client's configuration file. The default path is /var/opt/cifsclient/cifsclient.udb.
See Also
cifsmount, cifsdb, cifslogout, cifslist
cifsumount
You can use the umount command to execute the cifsumount command. Both commands are shown below.
Synopsis
cifsumount [<options>] <mountpoint> cifsumount -a
Description
The cifsumount command is used to unmount any shares mounted with cifsmount. Shares can only be unmounted by the user that mounted the share at the given mountpoint or by the superuser. The second variant (with the -a option) unmounts all mounts that are currently served. In HP CIFS Server A.02.*, unmounting the last mount to a server does not log out any of the users logged in at the server. This allows users to be automatically reconnected if the system administrator needs to unmount and remount a share. Only users with root capabilities can invoke the cifsumount command to unmount filesystems.
Options
-a    Unmounts all CIFS filesystems.
-f    Forces unmount: avoids requests to the server (useful if the server is down).
See Also
cifsmount, cifslist, mount_cifs, umount_cifs
cifslogout
Synopsis
cifslogout <servername>
Description
The cifslogout command is used to log the user who issues the command out of the specified server. After issuing cifslogout, the user cannot access any files from that server unless he or she is still stored in the user database.
See Also
cifslogin, cifslist
cifslist
Synopsis
cifslist [<options>]
Description
The cifslist command is used to view internal tables of HP CIFS Client. In HP CIFS Client A.02.*, the cifslist command without options will list all connected servers with shares and mountpoints information.
Options
-h    Prints short help and exits.
-u    Lists users only.
-m    Lists mounts only.
-x    Displays mounted objects using UNIX style format: server:/share.
-r    Prints raw output format.
-s <separator> Sets string used to separate table entries (recognized only when used with -r).
In the above example, the cifslist command without any option displays servers with shares and mountpoints information; it uses the \\server\share format for mounted objects. The State symbols in the output of cifslist have the following meanings:
For mounts:
M = Mounted
S = Saved in mount database
R = Read only
For users:
L = Logged in
S = Saved in user database
The following is a sample output of the cifslist -x command:
$ cifslist -x
Mounted Object      Mountpoint            State
-------------------------------------------------------------
er721142:/pub       /mnt/cifs_linux/00    M
er721141:/pub       /mnt/cifs_nt/00       M
hpntc43:/pub        /mnt/cifs_nt/01       MS
=============================================================
Server      Local User   Remote User   Domain      State
-------------------------------------------------------------
er721141    root         cifsuser                  L
er721142    root         john                      L
In the above example, HP CIFS Client displays servers with shares and mountpoints information; it uses the UNIX format server:/share for mounted objects. The following is an example output for the cifslist -u command:
$ cifslist -u
Server      Local User   Remote User   Domain      State
-------------------------------------------------------------
er721141    root         cifsuser                  L
er721142    root         john                      L
hpntc43     root         cifsuser      WORKGROUP   LS
In the above example, HP CIFS Client uses the \\server\share format for mounted objects.
cifsdb
Synopsis
cifsdb [-d] {<mount_point|server>}
Description
The cifsdb command is used to add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically, as described below.
CIFS Mounts
If a shared directory on a CIFS server has been mounted at mount_point, then cifsdb mount_point saves the mount-point, server, shared-directory names, and other pertinent information in the CIFS Client mount database file, /var/opt/cifsclient/cfgdb.ppl, such that the mount can be re-established automatically whenever the CIFS Client is started. If an entry already exists for this mount-point in the database, it is replaced. mount_point must be an absolute path. Only users with root privileges may manage CIFS mounts database entries. The HP CIFS Client supports similar functionality through the standard UNIX /etc/fstab mechanism; see Using /etc/fstab on page 36 or fstab(4) for details.
CIFS Logins
If a user has established a CIFS login session at server through the NTLM authentication protocol, then if that user invokes cifsdb server, the NTLM hash of the user's password and other information pertinent to the login session are encrypted and then saved in the CIFS Client user database, cifsclient.udb, such that the user can subsequently be automatically logged in to server. If an entry already exists for this user-server pair in the database, it is replaced.
For CIFS logins that have been authenticated with Kerberos, users' NTLM password hashes are not saved in the CIFS Client user database. You can establish automatic CIFS logins with Kerberos through kinit(1) or PAM-KERBEROS, as described in Chapter 3, CIFS Security and Authentication, on page 41.
Options
-d {<mount_point|server>} Delete the corresponding entry for this mount_point or server from the database. Neither the mount nor the login needs to be active for the entry to be deleted.
Files
/var/opt/cifsclient/cifsclient.udb    CIFS user database file
/var/opt/cifsclient/cfgdb.ppl         CIFS mount database file
See Also
cifsmount, cifslogin, cifslist
mount_cifs, umount_cifs
Mounts and unmounts CIFS file systems. This section describes the usage of the mount and umount commands when the CIFS filesystem is specified for the FS type.
Synopsis
mount -F cifs [-ar] [-o fs_specific_option[,...]] [server:/share mount_point]
Description
The mount command mounts file systems. Only a superuser can mount file systems. Other users can use mount to list mounted file systems. Use cifslist to view CIFS-specific mounts and user connections. The mount command attaches server:/share to mount_point. server is a remote system, share is a directory on this remote system, and mount_point is a directory on the local file tree. mount_point must already exist and be given as an absolute path name. It will become the name of the root of the newly mounted file system. If mount is invoked without any arguments, it lists all of the mounted file systems from the file system mount table, /etc/mnttab. The umount command unmounts currently-mounted file systems. Only a superuser can unmount file systems. In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. This new behavior allows users to be automatically reconnected if the user needs to unmount and remount a share.
Options
-F cifs    Filesystem-specific identifier. Always required for mounting and unmounting CIFS file systems, except for the command form umount mount_point.
-a    Used with mount, mounts all CIFS filesystems that have entries in /etc/fstab. Used with umount, unmounts all currently mounted CIFS file systems.
-r    Mounts as read-only.
-o    This class of options is specified with the following syntax:
      -o keywrd[,keywrd...],keywrd=value[,keywrd=value...]
      Some keywords are specified as keyword/value pairs, some are not. -o options must be delimited by commas; no white space is allowed. For example:
      -o ro,username=fulton,password=pokey
      Following are the -o options to mount supported by the CIFS Client (keywords that require values are indicated by "keyword=value"):
      ro                 Mount as read-only filesystem.
      domain=domain      Send this domain name to the server.
      username=name      Username sent to server. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user. If you have a different user name at the server, you may use this option to set that name. It is ignored if you are already logged in. Must be used with the password option.
      password=passwd    Password for username given in commandline. Use this option only if you really have to, because all commandline parameters may show up in the output of the ps command. This makes it possible to pass a dynamically generated password to the server. Password is ignored if the user is already logged in at the server. Must be used with the username option.
      ipaddr=ipaddress   Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.
      plaintxt           Enable plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if the user is already logged in at the server.
Files
/etc/mnttab    Table of mounted file systems.
/etc/fstab     List of default parameters for each CIFS file system.
See Also
mount(1M), umount(1M), cifslogin, cifsumount, cifslogout, cifslist
Chapter 6 Troubleshooting and Error Messages

messages that might occur with HP CIFS commands.
Troubleshooting FAQs on page 93.
Troubleshooting Kerberos in the HP CIFS Client on page 94.
Troubleshooting cifsmount or mount in the HP CIFS Client on page 96.
CIFS Client Log File and Log Levels on page 98.
Troubleshooting FAQs
This section includes commonly asked questions about HP CIFS.
Troubleshooting Kerberos in the HP CIFS Client
in the servers section. The servers section of the configuration file is discussed near the end of Chapter 7, and the configuration file itself contains a sample servers entry.
Troubleshooting cifsmount or mount in the HP CIFS Client
To resolve the above errors, first ensure that all the command-line arguments are correct and that the CIFS server is up, then use the following command to check the state of the CIFS Client Dynamically Loadable Kernel Module (DLKM):
$ kcmodule cifs
If the CIFS Client DLKM state is unused, the following output message is displayed:
Module   State    Cause   Notes
cifs     unused           auto-loadable,unloadable
After you verify that the CIFS Client DLKM state is unused, you can use the following command to change the CIFS Client DLKM state to auto, so that the CIFS Client DLKM can be loaded. The command and its output are shown as follows:
$ kcmodule cifs=auto
* The automatic backup configuration has been updated.
* The requested changes have been applied to the currently
  running system.
Module   State              Cause      Notes
cifs     (before) unused               auto-loadable,unloadable
         (now)    auto      explicit
The auto state enables the CIFS Client DLKM to be dynamically loaded when the first cifsmount or mount command over a CIFS share is performed.
CIFS Client Log File and Log Levels
Chapter 7 Configuration File
The default configuration file should work without modifications. Please be sure you understand the effects of any changes before you decide to modify the configuration file.
The configuration file is parsed by the HP CIFS Client daemon at startup and when edited. Although it is re-read by the running daemon, not all configuration changes take effect immediately. Most options are read into internal variables when they are used. The server configuration, for instance, is transferred into internal structures when a connection to the server is opened. Therefore, if a change to the server configuration is made, you must first unmount all shares and log out all users from that server. The configuration file for the HP CIFS Client is /etc/opt/cifsclient/cifsclient.cfg.
NOTE
The CIFS Client configuration file, cifsclient.cfg, used for HP CIFS Client A.01.* is not valid for HP CIFS Client A.02.*. For detailed information on how to update any A.01.* version to any A.02.* version of the CIFS Client, see Migrating from version A.01.* to A.02.* of HP CIFS Client on page 57 in Chapter 4.
General Structure
Configuration files are built from the following simple syntactic structures:
comments
strings
arrays
dictionaries
The # character starts a comment; any text between a # character and the end of a line is a comment.

# comment to end of line

Strings, arrays and dictionaries are classified by the generic term "property".
Strings are sequences of alphanumeric characters, including the underscore. If a string should consist of other characters like spaces, it must be quoted in double quotes. Within double quotes, the same escape sequences as in C strings can be used. There is no separate syntax for numeric arguments. Numeric arguments are regarded as strings and converted when used.
Arrays are ordered lists of other properties. An array is delimited by parentheses and the properties constituting the array may be separated by commas. The following example is an array consisting of several string elements:

(1, 2, 3, hello, "how are you")

Dictionaries are unordered lists of named properties. These lists are delimited by curly braces. Each dictionary entry consists of a left-hand side (key), which must be a string, an equal sign, and a right-hand side (value), which may be any property. Entries may be separated by semicolons. The following is an example of a dictionary consisting of three entries named property1 to property3, where the first one has a string value, the second an array value, and the third a dictionary value:

{
    property1 = "value of property1";
    property2 = (value, of, property2);
    property3 = {
        firstWord = value;
        secondWord = of;
        thirdWord = property3;
    };
}

The configuration file itself is a dictionary (the surrounding curly braces are optional because other properties are not allowed). The keys at the top level are the names of the configuration variables. Properties that have been parsed as strings may be interpreted in one of the following ways:
string
number
enumeration
boolean
Strings need no further explanation. Numbers are interpreted in decimal, unless they are prefixed with 0 (meaning octal) or 0x (meaning hexadecimal). Enumerations are strings from a predefined set of strings. Boolean variables are a special case of enumeration where the set consists of the strings yes and no.
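As an added example (not part of this manual or of HP's software), the following Python parser implements the property syntax just described together with the number interpretation rule; the bare-string character set beyond alphanumerics and underscore, the sample configuration and the function names are assumptions:

```python
# Added example (not HP's code): a parser for the cifsclient.cfg property syntax
# described above ('#' comments, bare or double-quoted strings, arrays in
# parentheses, dictionaries in braces, optional separators and top-level braces)
# plus the number interpretation rule. The sample file below is constructed.
import re

# Bare strings are alphanumeric plus underscore per the text; '.' and '/' are
# also accepted here (assumption) so values such as 192.168.1.21/24 parse.
_TOKEN = re.compile(r'''\s+ | \#[^\n]* | (?P<punct>[(){}=,;]) |
    "(?P<quoted>(?:\\.|[^"\\])*)" | (?P<bare>[A-Za-z0-9_./]+)''', re.VERBOSE)
_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r'}  # C escapes; \\ and \" fall through

def tokenize(text):
    """Yield ('punct', ch) and ('str', value) tokens; comments are dropped."""
    pos = 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup == 'punct':
            yield 'punct', m.group('punct')
        elif m.lastgroup == 'quoted':
            yield 'str', re.sub(r'\\(.)', lambda e: _ESCAPES.get(e.group(1), e.group(1)),
                                m.group('quoted'))
        elif m.lastgroup == 'bare':
            yield 'str', m.group('bare')

class _Parser:
    def __init__(self, text):
        self.toks, self.i = list(tokenize(text)), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, punct=None):
        kind, val = self.peek()
        if kind is None or (punct and (kind, val) != ('punct', punct)):
            raise ValueError(f"expected {punct or 'a value'}, got {val!r}")
        self.i += 1
        return kind, val

    def value(self):                    # a property: string, array or dictionary
        kind, val = self.peek()
        if kind == 'str':
            return self.take()[1]
        if val == '(':
            self.take('(')
            items = []
            while self.peek() != ('punct', ')'):
                items.append(self.value())
                if self.peek() == ('punct', ','):   # commas are optional
                    self.take(',')
            self.take(')')
            return items
        if val == '{':
            self.take('{')
            return self.entries('}')
        raise ValueError(f"unexpected token {val!r}")

    def entries(self, closing):         # dictionary body; closing is '}' or None
        result = {}
        while self.peek()[0] is not None and self.peek() != ('punct', closing):
            kind, key = self.take()
            if kind != 'str':
                raise ValueError(f"dictionary key must be a string, got {key!r}")
            self.take('=')
            result[key] = self.value()
            if self.peek() == ('punct', ';'):       # semicolons are optional
                self.take(';')
        if closing:
            self.take(closing)
        return result

def parse_config(text):
    # Parse a whole file; the surrounding braces are optional at the top level.
    p = _Parser(text)
    braced = p.peek() == ('punct', '{')
    if braced:
        p.take('{')
    cfg = p.entries('}' if braced else None)
    if p.peek()[0] is not None:
        raise ValueError("trailing data after the configuration")
    return cfg

def as_number(s):
    """Decimal, unless prefixed with 0 (octal) or 0x (hexadecimal)."""
    if s[:2].lower() == '0x':
        return int(s[2:], 16)
    return int(s, 8) if len(s) > 1 and s[0] == '0' else int(s, 10)

# Constructed sample modelled on the fragments shown in this chapter.
SAMPLE = '''
logLevels = (info, error, # debug,
             netbiosError, warn, smbConnect);
sockMode = 0600; sockOwner = root
usersMayStoreSessionData = no
networkInterfaces = (192.168.1.21/24, 192.168.2.23/24)
nfs3 = { cacheFiles = 500; mnttabPrefix = no };
'''
```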
Conguration Parameters
The following is a list of all variables that may be configured for the three top-level sections: main, nfs3, and cifs.

logLevels
The value of this variable is an array enumerating all logging modes that are active; the number in square brackets indicates the messages of the respective logging mode in the log file. A logging mode is a string out of the following set:
[0] info             Logging of informational messages. Should be turned on.
[1] error            Logging of error messages. Should be turned on.
[2] debug            General debug messages. Used only during debugging.
[3] resource         Messages about allocation and deallocation of objects. Used only during debugging.
[4] netbiosError     Logging of error messages from the NetBIOS layer. Should be turned on, unless too many errors occur. This is separated from general error logging because not all of NetBIOS is implemented in HP CIFS Client, and the unimplemented features result in NetBIOS error messages.
[5] netbiosDebug     Debug messages from the NetBIOS layer. Used only during debugging.
[6] netbiosTrace     Generates hex-dumps of all outgoing and incoming NetBIOS traffic. This is very useful during debugging but should be turned off for normal operation.
[7] nfsTrace         Provides detailed information about all NFS requests done by the kernel and the respective return values. It is very useful for debugging NFS but should be turned off for normal operation.
[8] rare             Logging of rare conditions. Used only during debugging.
[9] cacheDebug       Debugging of the cache's operation. Used only during debugging.
[10] cifsTrace       Logging of all CIFS commands issued and the respective return values. Very useful together with netbiosTrace for debugging, but should really be turned off during normal operation.
[11] oplock          Debugging of the opportunistic lock mechanism. Used only during debugging.
[12] warn            Warnings of any kind, mostly used by the configuration file parser. Should be turned on.
[13] smbSequence     Debugging messages about the order of HP CIFS requests and the respective messages. Used only during debugging.
[14] debugAttributes Debugging of file attribute routines. Useful only during debugging.
[15] smbConnect      Debugging of server connection and disconnection messages for NetBIOS. Useful only during debugging.
[16] uiTrace         Generates hex-dumps of the communication with the user interface. This is useful during debugging but should be turned off for normal operation.
[17] nbnsTrace       Generates hex-dumps of all NetBIOS name service traffic. This is useful during debugging but should be turned off for normal operation.
[18] diskarb         Debugging of disk arbitration. Useful only during debugging.
[19] authentication  Debugging of CIFS authentication details. Useful only during debugging.
The default logging modes are info, error, netbiosError, warn, smbConnect. The default logging setting is as follows:

logLevels = (
    info,
    error,
#   debug,
#   resource,
    netbiosError,
#   netbiosDebug,
#   netbiosTrace,
#   nfsTrace,
#   rare,
#   cacheDebug,
#   cifsTrace,
#   oplock,
    warn,
#   smbSequence,
#   debugAttributes,
    smbConnect,
#   uiTrace,
#   nbnsTrace,
The log file records only errors or warnings. But many log levels can be enabled for checking the activities of various modules within the CIFS Client. If you report a problem to HP, your support representative may ask you to enable one or more log levels. This is done by editing the CIFS Client configuration file and uncommenting the particular log level, by removing the preceding # character of the logging mode and saving the file. Note that increased logging consumes more disk space and slows the performance of the CIFS Client. Hence, when you do not need logging, it is best not to change the default logging setting, unless your support representative asks you to enable it.

cfgParseInterval
HP CIFS Client can reparse the configuration file while running. For this feature to work, the HP CIFS Client must poll the file regularly. The variable cfgParseInterval defines the time of this poll cycle in milliseconds. The default is 5000. Parameters that are negotiated upon connection to the server will not reflect changed configuration values until all shares on the server are unmounted and a new connection is established, whereas other changes take effect within the time specified in cfgParseInterval.

sockMode, sockOwner, sockGroup
File access mode and ownership for the UNIX domain socket that is used for communication between the HP CIFS Client daemon and the command line utilities. The access mode may be given in octal notation, if prefixed with a leading 0; in hexadecimal notation, if prefixed with a leading 0x; or in decimal notation, if not prefixed with any of the above. Owner and group may
be given by name or as a numeric id. Do not set these values to anything other than mode=0600 and owner=root unless you really know what you are doing. The file access modes of this UNIX domain socket are used to provide secure authentication of the user that requests a service from the daemon. If these variables are not configured in the file, they default to the correct values.

pidFile
HP CIFS Client can maintain a file with the process id of the daemon, if desired. If this variable is defined, it is interpreted as the path of the file where the pid should be stored. If this variable is not defined, no such file is created.

usersMayStoreSessionData
The system administrator can control whether users can store passwords in the user database, cifsclient.udb, through the usersMayStoreSessionData parameter. This database can be used to establish automatic user logins to the CIFS server. Users with root privileges can store mounts or their own passwords, regardless of how this parameter is set. Setting it to no disables storing. The default setting is yes.

caseConvertFile
This variable configures the path to the case conversion table. This file defines the mapping to upper and lower case for all Unicode characters. The default is to use no table file and retain the default ISO 8859-1 mapping. A mapping file derived from the Unicode standard is part of the HP CIFS Client distribution. You can find it at unitables/unicase.cfg.

serverCharMapFile
This variable configures the path to the character mapping file for the server. This file is only used when client and server do not agree on using Unicode. It defines the mapping from the internal Unicode representation to the ASCII strings sent to the server
(and vice versa). The default is a codepage 437 mapping, which is the US-Latin DOS character set. Mapping files for various character sets are distributed with HP CIFS Client in the directory unitables.

clientCharMapFile
This variable configures the path to the character mapping file for the client. This file defines the mapping from the internal Unicode representation to the ASCII strings seen at the client. Together with the serverCharMapFile, any conversion between server and client character codes can be accomplished. These tables can be used to compensate for vendor-specific character sets and to cope with various national character sets such as JIS and ShiftJIS for Kanji, etc. The default is the ISO 8859-1 mapping.

uniTableCompressBlocks
This integer variable customizes the compression of the Unicode table. A higher value reduces conversion speed but improves memory efficiency. Values higher than the number of contiguous unused code blocks have no effect. The default is 3.

corefileLimit
This integer variable defines the maximum size of core dumps in megabytes (1024 * 1024 bytes) that the daemon creates. To disable core dumps, set this value to 0. The default value is 500 (in megabytes).

networkInterfaces
This variable defines network interfaces. The syntax is an array of strings. Each string consists of the IP address of an interface, a slash, and the number of bits used for the network address (this is a variant of specifying the netmask). If you attempt to configure this variable, consider using the bindUdpExplicitly variable, too. For example:
networkInterfaces = (192.168.1.21/24, 192.168.2.23/24)

bindUdpExplicitly
If this variable is set to yes, HP CIFS Client binds UDP ports to all networks explicitly. Otherwise, it binds to address 0.0.0.0, a wildcard for all network interfaces installed. Binding explicitly may be required on operating systems which do not handle the source IP address of broadcasts correctly if there are multiple network interfaces. Please note that HP CIFS Client has to use the socket option SO_REUSEADDR and does not get an error if it binds to the same socket as Samba. You may have to change the default bind port for bindNbnsPort and bindNbdgsPort if you use this option. By default, this parameter is set to no.

pagePoolInitialSize
This integer variable defines the number of 8k pages of virtual memory that is allocated in advance for every share. The default value is 128.
nfs3
This section defines a default behavior which can be overridden by specific configurations. The NFS3 section contains the following parameters:

cacheFiles
This variable defines the number of files cached by NFS handle. The default is 500.

cacheOpenFiles
This variable defines the number of files that can be kept open even if they are not currently accessed. The default is 20.

changeMicrosecondFileTimes
This boolean variable determines whether the microsecond part of file modification dates is changed on each access. Changing the modification date effectively disables the kernel's NFS cache. The default is no.

fakeDirLinks
This variable defines the number of hard links displayed for directories if the backend cannot provide a valid value. The default is 2.

fakeDirSize
This variable defines the size displayed for directories if the backend cannot provide a valid value. It should be set to a multiple of the block size.

mnttabPrefix
This boolean variable is used to specify whether the identifier [cifs] is prefixed to listings of mounted CIFS file systems in /etc/mnttab and the output of mount(1M) and bdf(1M). If mnttabPrefix is set to no, the standard UNIX format is used; if it is set to yes, the format is "[cifs]server:/share". The default setting is no. The format with which the mounted filesystem is displayed depends on the setting of mnttabPrefix at the time the filesystem is mounted. To change the format after the filesystem has been mounted, you must unmount and remount the filesystem.
nfsKernelCacheTime
Data is cached by the kernel NFS client for this amount of time (in seconds). This variable can enable kernel caching by NFS, which improves performance of certain types of operations by reducing the number of calls sent over the network. The default setting is 0 seconds.

lookupStrategy
As you probably know, the HP CIFS Client maps between NFS requests and SMB/CIFS requests. On the NFS side, files are referenced by unique identifiers, called NFS file handles. On the HP CIFS side, files are referenced simply by their path. The HP CIFS Client must be able to determine the path for a given NFS file handle. There are two strategies available to do this:
pseudoInode    This strategy derives the NFS file handle as a hash value from the path. The hash is chosen in a way that makes efficient lookups possible, as long as the depth of the file in the directory hierarchy is lower than 27. The advantage of this strategy is the low memory consumption: files can be looked up on demand; nothing has to be stored. The main disadvantage is that NFS file handles change when files are renamed. This leads to a conflict with Unix semantics when open files are renamed: after renaming, the handle of the open file is stale and the file cannot be accessed without reopening. It also conflicts with a bug in the caching code of the Solaris NFS client where the writeback occurs only after closing the file, not during closing the file.
database       In this strategy all NFS file handle to file path relations are stored in an internal database. This is the most secure and most compatible approach. The disadvantage is that all this information must be kept in memory. The HP CIFS Client needs about 500kB more real memory and about 10MB more virtual memory for each share that uses this strategy. The database strategy is the default.
nfsTimeout
This integer variable defines the initial timeout in 1/10 seconds that is used by the kernel when it requests data from HP CIFS Client. This value is doubled on each retry. Together with nfsRetransmit, this defines the absolute timeout for NFS requests. A value of 50 (5 seconds) avoids frequent retries of already running (slow) requests and ensures a total timeout of about 2 minutes. This should be sufficient even for the slowest devices and links. If you use a jukebox, it may also be necessary to increase requestTimeout.

nfsRetransmit
This integer variable defines the number of retries the kernel attempts when HP CIFS Client does not reply in time. The timeout starts with nfsTimeout and is doubled on each retry. Retransmissions should not be necessary, because HP CIFS Client should not lose any requests. However, if your system's NFS client puts high loads on NFS servers and has small maximum socket buffer sizes, requests can get lost due to buffer overflows. A value of 5 (which is also the default) should be a good choice. You may want to experiment with nfsTimeout to get the optimum performance even with frequent buffer overflows.

nfsSockRxBuf
This integer variable sets the receive buffer size of the socket used to communicate with the kernel. If the value given is out of the acceptable range for your machine, the HP CIFS Client automatically limits the range. Increase the buffer size if you have extremely slow writes.

nfsSockTxBuf
This integer variable sets the transmit buffer size of the socket used to communicate with the kernel. It is not necessary to set an explicit buffer size.
nfsTransferSize
This integer variable defines the maximum block size used in data transfer between the kernel and HP CIFS Client. The maximum allowed value is 8k (8192). It may be necessary to reduce the value if the NFS socket has frequent overflows, as may be the case with AIX 3.x. Only powers of 2 should be used as block sizes. The default is 8192.
preferredPort
This integer variable defines the port number that HP CIFS Client attempts to use for NFS. If this port is not available, the HP CIFS Client chooses a free one. It is good to have a constant port for NFS because it allows a restarted daemon to take over the mounts of a previous incarnation. The port number must be below 1024 if not all local users are trusted.
cifs
The structure of CIFS has its mirror in the multitude of options for CIFS configurations. This section defines a default behavior which can be overridden by specific configurations. The CIFS section contains the following parameters:

dataCacheSize
This integer variable defines the number of bytes spent per data cache. The value of this variable should be a multiple of 8k.

databaseFile
This variable configures the path to the user database file. It stores the user passwords and the registration key. The default is /var/opt/cifsclient/cifsclient.udb.
databaseParseInterval
HP CIFS Client can re-parse the user database file if it changes. For this function to work, HP CIFS Client must poll the file regularly. The databaseParseInterval variable defines the time of this poll cycle in milliseconds. If you set this variable to 0, the user database file is only parsed once during startup. The default value is 10000.

domain
This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string, which is suitable for all known servers.
initialDataCaches, initialDirCaches
These two integer variables define the number of caches that are allocated for directories and data files at startup. The default for both variables is 8.

bindNbnsPort
This variable defines the port number from which HP CIFS Client sends NetBIOS name service requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 137.

bindNbdgsPort
This variable defines the port number from which HP CIFS Client sends NetBIOS datagram requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 138.

lookupTryNetbios
This boolean variable configures whether NetBIOS broadcast is enabled. WINS is a feature of the NetBIOS name server. To enable WINS lookup, you must set this variable to yes and specify the nbnsWinsIp variable with the IP address of the WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. By default, this parameter is set to yes.

lookupTryDns
This variable configures whether Domain Name Server (DNS) lookup is enabled. The default setting is yes.

fileCreateMask
This variable allows you to specify a mask for the UNIX permissions mode of a file upon creation. The actual mode of the new file will be the result of the logical OR of the mask and the default mode for the operation. The default value of fileCreateMask is 0, which does not affect the file creation mode. This setting is useful only with CIFS servers that use CIFS UNIX extensions. Windows servers do not support UNIX file permissions. Refer to the man page umask(1) for more information.
allowBackslashesInPaths
This is a boolean variable with default setting no. When it is set to yes, DOS-style backslashes can be used to refer to paths on CIFS servers. The first backslash in the path must refer to a file or subdirectory at least one level below the root of the share, and backslashes must be protected from interpretation by the shell. For example, the following path references are recognized:
/local_mountpoint/dir_at_top_level_of_share\subdir\file
/local_mountpoint/dir_at_top_level_of_share\\subdir\\file
but this is not valid:
/local_mountpoint\dir_at_top_level_of_share\subdir\file
The standard UNIX forward-slash path delimiter is always recognized:
/local_mountpoint/dir_at_top_level_of_share/subdir/file
nbnsWinsIp
This string variable defines the IP address of the WINS server. If there is no WINS server in your network, set this variable to an empty string.
nbnsInitialTimeout, nbnsTotalTimeout
The nbnsInitialTimeout variable defines the initial timeout in milliseconds used by NetBIOS name service operations. This value is doubled on each retry. The nbnsTotalTimeout variable defines the maximum total time in milliseconds to wait for a NetBIOS name service operation to succeed. If this maximum is exceeded, the operation fails with a timeout error. The defaults are 100 for nbnsInitialTimeout and 1200 for nbnsTotalTimeout.
nbnsCacheTime
NetBIOS name lookups are cached for this amount of time (in milliseconds).
scopeID
This string variable defines the NetBIOS name scope of the client. If it is not defined, no scope ID is used. If you do not know what a scope ID is, you do not need one.
rmTmpKerbCredFiles
When Kerberos authentication is used, the CIFS Client uses a temporary file to store a user's credentials during login processing. There is one temporary credentials file per user per server. Kerberos tickets are not reused by the CIFS Client, so when the user's login processing is completed, the temporary file is removed. If required for troubleshooting, these files can be preserved by setting this variable to no. The files are located in /var/opt/cifsclient/krb5_tmp. Because the preserved files hold users' Kerberos credentials, set the variable back to yes as soon as troubleshooting is finished. The default is yes.
oldUdbEncrypt
The encryption method used for the user database file (UDB) is enhanced in CIFS Client version A.02.02 so that the file can be reused after backups and restores. This feature is enabled by default. However, because of this enhancement, UDBs from version A.02.01 are not compatible with later CIFS Client binaries. For CIFS Client A.02.02 or later to use an older UDB, this parameter must be set to yes:
oldUdbEncrypt = yes;
cifs.server.default
The baroque structure of CIFS is mirrored in the multitude of configuration options for CIFS connections. This variable defines a default behavior which can be overridden by specific configurations for each server. The value is a dictionary with the following parameters:
localNetbiosName
This entry can be used to set the NetBIOS name for the client that is sent to the server.
ipAddress
This entry can be used to set the IP address of the CIFS server to which you attempt to connect.
connectTimeout
This integer variable defines the maximum time in milliseconds to wait for a connection to succeed. You probably have to increase it if you are on a slow network. The default is 2000 ms (2 seconds).
requestTimeout
This integer variable defines the maximum time in milliseconds a server response may take once the connection is established. The default is 60000 ms (60 seconds).
authenticationMethod
This entry specifies the method that the HP CIFS Client uses to authenticate users to the CIFS server. Allowed values are ntlm and kerberos. The default setting is ntlm. If the value is ntlm, only the NTLM protocol is used for logins to the server. If the value is kerberos and the server supports Kerberos, only Kerberos is used for logins; otherwise NTLM is used. If NTLM is used, the CIFS Client determines which NTLM version to use from the ntlmEncryptionVersion setting.
ntlmEncryptionVersion
This entry specifies which version of NTLM the HP CIFS Client uses when NTLM authentication is performed. Allowed values are ntlm and ntlmv2. If the value is ntlm, NTLM password encryption is used for logins to the server. If the value is ntlmv2, NTLMv2 is used. The default setting is ntlm. NTLMv2 is the stronger of the two; use it wherever the servers support it.
smbPacketSigning
This string variable specifies which option the HP CIFS Client uses for packet signing. The valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled. Set it to required where every server supports signing, so that a session without packet signing is refused rather than negotiated.
preventCreationEnable, preventCreationPattern
These parameters can be used to prevent creation of files on CIFS servers whose names match a given pattern. preventCreationEnable is a boolean variable; its default value is no. Setting it to yes prevents creation of files on the CIFS server with names that match the pattern specified in preventCreationPattern. If preventCreationEnable is set to no, preventCreationPattern is ignored. preventCreationPattern is a string variable. The default value is null (""). File names that match the text pattern defined in preventCreationPattern cannot be created when preventCreationEnable is set to yes. The pattern can include the wildcard characters "*" (match any sequence of characters) and "?" (match any single character), so an expression like "*file" matches file names such as my_file, xxfile, and so on. For example, to prevent users from placing DOS executables on the server, configure these parameters as follows:
preventCreationEnable = yes;
preventCreationPattern = "*.exe";
The check is enforced by this client only and matches the file name alone; it is a convenience for HP-UX users, not a server-side control.
smbOverTCP
This boolean variable controls whether SMB over TCP is used, which causes the CIFS Client to bypass the NetBIOS session service for server connections. The default is no.
NOTE
Windows NT servers do not support SMB over TCP; they do not accept connection requests on the established TCP port for this functionality (port 445). If you have NT servers in your network and have enabled SMB over TCP, you must create an "individual server" entry in the configuration file for each NT server. Individual server entries are placed after the "server.default" section and before the tag "# End of server section". For example, if an NT server's NetBIOS name is "ntsrv01", the section can be:
ntsrv01 = {
    smbOverTCP = no;
};
unixExtensions
This boolean variable is used to enable or disable the CIFS UNIX extensions for connections to CIFS servers. The valid values for this parameter are yes and no. The default setting is yes. This variable can be configured globally or on a server-by-server basis. See CIFS UNIX Extensions on page 16 for details.
caseSensitive
This is a boolean variable (possible values yes or no) which specifies whether filenames on the server are case sensitive. By default, they are case sensitive, to be consistent with the UNIX file system. If you use a case mapping other than none (see the next parameter), you must set this parameter to no.
caseMapping
This variable (of type enumeration) defines whether file names are mapped to all upper case (upper), all lower case (lower) or preserved as they are on the server (none).
capitalizeShares
This boolean variable defines whether share names are converted to all uppercase characters before a connection is attempted. Share names should be case insensitive, but Windows 95 does not accept lowercase names. If this option occurs in the serverClasses section, it can override a no to a yes, but not a yes to a no. The default is yes.
useUnicode
This boolean variable specifies whether the HP CIFS Client uses Unicode if the server supports it.
domain
This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string, which should be suitable for all known servers.
alwaysEncryptData
If this boolean variable is set to yes, only SSL (Secure Socket Layer) connections with the server are accepted. If set to no, SSL is negotiated with the server and the connection proceeds without SSL if the server does not offer it. Set it to yes for servers that support SSL, so that a connection cannot silently fall back to unencrypted SMB.
guestRemoteUser
The guestRemoteUser configuration solves the following problem: each UNIX user must be logged in (mapped to a CIFS username/password pair) at the server in order to access it, even if the share is public. It may be impractical to log in each user if there are a large number of UNIX users who, for example, want to access a public share where access permissions are not important. If you define a guestRemoteUser, all UNIX users that are logged in to the HP-UX system, but not logged in to the CIFS server, are automatically logged in to the CIFS server as the guest user when they attempt to access its mount point. No pre-existing login for the guestRemoteUser is needed. The name specified as guestRemoteUser must be the name of a valid account on the CIFS server or its domain, and the correct password for this user must be specified in the guestPassword parameter.
guestPassword
This variable sets the password of the user specified by the guestRemoteUser parameter. Because the password appears in the configuration file, keep that file readable by root only, and give the guest account no more rights on the server than the public share requires.
fileModeMask
This variable can be used to limit the UNIX permissions given to files by the CIFS Client. The default setting is 0777. Do not change it unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file. They are relevant after files are copied from a CIFS share to the local disk, since the cp command preserves attributes.
dirModeMask
This variable can be used to limit the UNIX permissions given to directories by the CIFS Client. The default setting is 0777. Do not change it unless you know what you are doing.
ctimeIsCreate
This variable defines whether the UNIX ctime (change time) is taken from the DOS creation time or copied from the file modification time. If this parameter is set to yes, the creation time is used. The default setting is no.
fakeMountpointDate
If this boolean variable is yes, the modification and access times of the mount point always read the current time. This is useful for servers that return bogus values for the modification dates of root directories, such as Windows NT. The default is no.
execMapping
This enumeration variable is useful for files stored on Windows servers. It defines which DOS attribute is mapped to the UNIX execute permission. The following keywords are valid: archive, system, hidden, on, or off. The default is on. A side effect of execMapping is that if the configured attribute is set on the server, the file is listed on the UNIX client with the execute bit set for all users (owner, group, and other).
WARNING
If you plan to store UNIX executables on a CIFS server and invoke them on a UNIX client, then the default setting execMapping = on is required. In this case, as seen by the UNIX client, the execute bit is set on all file listings from the CIFS server. Using execMapping = on does not affect the attributes of files on HP CIFS Servers; those still behave like normal UNIX files.
execInvert
When this boolean variable is yes, the execute bit (as derived with the execMapping setting) is inverted.
fakeDirLinks
If the server does not supply a number of hard links for directories, this number is used. The value defaults to 2 if not specified. Some implementations of the UNIX utility find determine from the link count whether recursion is necessary. If your find uses this optimization, you may want to fake a high number of links for directories. Alternatively, you can switch off the optimization with a command-line switch to find.
enableFakeLinks
If this boolean variable is set to yes, the HP CIFS Client can create soft links on Windows servers. These soft links can be used by HP CIFS Client clients only. On the Windows server they look like ordinary files with special attributes set (the system and hidden attributes, if you have not modified the configuration).
linkModeMask, linkMode
These two integer variables define the file attributes that are used to distinguish faked soft links from ordinary files. linkModeMask is 7 by default, which means that the attributes read-only, hidden and system are taken into account. linkMode defines the actual state that these attributes must have. It is 6 by default, which means that hidden and system must be set, but not read-only. The configuration value is calculated as the sum of the following components:
Table 7-1
 1   read-only
 2   hidden
 4   system
32   archive
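The following Python model is an added example written for this page; it is not HP CIFS Client code. It shows how the attribute parameters described above combine: fileCreateMask is ORed into the mode of a new file (UNIX-extension servers only), fileModeMask and dirModeMask limit the bits shown for a file or directory, execMapping and execInvert derive the execute bit from a DOS attribute, and linkModeMask/linkMode decide whether a file on a Windows server is a faked soft link. The attribute values are those of Table 7-1. Two details are assumptions of the model, not statements from this manual: the read-only attribute clears the write bits, and fileModeMask/dirModeMask are applied with a bitwise AND.

```python
"""Added example: a model of the HP CIFS Client attribute-mapping parameters.

Illustrative code written for this page, not HP CIFS Client source.
Assumptions (not stated in the manual): the read-only attribute clears the
write bits, and fileModeMask/dirModeMask are applied with a bitwise AND.
"""

# DOS attribute values from Table 7-1 (the linkModeMask/linkMode components).
READ_ONLY = 1
HIDDEN = 2
SYSTEM = 4
ARCHIVE = 32

EXEC_BITS = 0o111  # execute for owner, group and other


def create_mode(default_mode, file_create_mask=0):
    """fileCreateMask: the new file's mode is the OR of the mask and the
    default mode for the operation (servers with UNIX extensions only)."""
    return default_mode | file_create_mask


def exec_bits(attrs, exec_mapping="on", exec_invert=False):
    """execMapping/execInvert: derive the UNIX execute bit from a DOS attribute.

    exec_mapping is one of "archive", "system", "hidden", "on" (always set,
    the default) or "off" (never set). execInvert flips the result.
    """
    if exec_mapping == "on":
        executable = True
    elif exec_mapping == "off":
        executable = False
    else:
        attr_bit = {"archive": ARCHIVE, "system": SYSTEM, "hidden": HIDDEN}[exec_mapping]
        executable = bool(attrs & attr_bit)
    if exec_invert:
        executable = not executable
    return EXEC_BITS if executable else 0


def listed_mode(attrs, is_dir=False, file_mode_mask=0o777, dir_mode_mask=0o777,
                exec_mapping="on", exec_invert=False):
    """Permission bits shown to UNIX for an object on a Windows server
    (no UNIX extensions): read for all, write unless read-only (assumed),
    execute from execMapping, then limited by fileModeMask or dirModeMask."""
    mode = 0o444
    if not attrs & READ_ONLY:
        mode |= 0o222
    mode |= exec_bits(attrs, exec_mapping, exec_invert)
    mask = dir_mode_mask if is_dir else file_mode_mask
    return mode & mask


def is_fake_link(attrs, link_mode_mask=7, link_mode=6):
    """enableFakeLinks: a file is a faked soft link when the attributes
    selected by linkModeMask are exactly in the state given by linkMode.
    With the defaults, hidden and system must be set and read-only clear;
    archive (32) lies outside the mask and is therefore ignored."""
    return (attrs & link_mode_mask) == link_mode


if __name__ == "__main__":
    print(oct(create_mode(0o644, 0o111)))             # fileCreateMask adds the exec bits
    print(oct(listed_mode(READ_ONLY)))                # read-only file, default execMapping
    print(oct(listed_mode(0, file_mode_mask=0o644)))  # fileModeMask strips the exec bits
    print(is_fake_link(HIDDEN | SYSTEM | ARCHIVE))    # archive does not affect the decision
```

The last function is the check to keep in mind when a Windows-side scan reports hidden+system files in a share: under the default linkModeMask/linkMode they are what this client presents as symbolic links.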
linksAreUnicode
If this boolean variable is set to yes, the HP CIFS Client stores faked links in Unicode format on the server. This is incompatible with the CygWin32 format for symbolic links, but allows lossless storage of client paths. If it is set to no, symbolic links are more or less compatible with those of CygWin32 on Windows, but a conversion to the server character set is performed. Regardless of this variable, the HP CIFS Client can read symbolic link files in both formats.
attributesCacheTime
File attributes are cached for this amount of time (in milliseconds).
dirCacheTime
Directory contents are cached for this amount of time (in milliseconds).
maxCachedFiles
This is the maximum number of file objects that are held as a cache of NFS file handles. If an NFS file handle is requested which is not in the cache, it must be looked up recursively, which may result in a notable performance loss. Recursive lookups are logged as rare events.
dataCacheSize
This is the size in bytes of the data cache that is allocated for open files. The value is rounded to a multiple of the cache's page size, which is derived from the maximum transferable size. The page size is always a power of two.
closeDelay
This variable defines the time a file is kept open when it is not used. The value is a dictionary with the following keys:
exclusiveLock   The keep-open time in milliseconds if an exclusive oplock has been acquired.
batchLock   The keep-open time in milliseconds if a batch oplock has been acquired.
noLock   The keep-open time in milliseconds if no lock has been granted.
dataCacheTimeNoLock
If no oplock has been granted, no caching should be done. This might result in bad performance on servers that do not support oplocks. This value sets a cache-valid time (in milliseconds) that is used if no oplock was granted.
readAhead
This variable defines the number of cache pages to read ahead. It is a dictionary with the following keys:
lock   The number of pages to read ahead if an oplock was granted.
noLock   The number of pages to read ahead if no oplock was granted.
useWriteBack
This variable defines whether cache write-back techniques should be used. Write back is unsafe in terms of error recovery if used with NFS version 2, but it may increase performance notably. The value is a dictionary with the following keys:
lock   Boolean value which configures whether write back should be used when an oplock has been granted.
noLock   Boolean value which configures whether write back should be used when no oplock has been granted.
If you care about reliability, always leave these options off. This configuration variable is also passed to the server. There are server/OS combinations (notably Samba/Linux) which become very slow in write-through mode. You may want to configure write back for these.
requestOplock
This boolean variable defines whether oplocks should be requested from the server. It should be set to no for Windows 95 machines because they grant an oplock although they do not support it.
closeForSetattr
This boolean variable defines whether files should be closed before attributes (write protection, modification dates) are changed. This is very useful for Windows 95 servers because these servers cannot set the attributes of open files. However, with this feature enabled, the UNIX semantics mapping does not work completely. The default is no.
disableSmbs
Not every server supports every SMB command equally well. In fact, many commands are unusable on certain server types. The value of this variable is an array which enumerates the SMB commands that should not be used. The respective commands are replaced by a workaround automatically. The enumeration constants may be taken from the following set:
getattrFind
Suppresses the use of the trans2/findfirst2 command for reading file attributes. trans2/findfirst2 is the best way to query attributes, so only disable it if you need to.
getattrTrans2QueryPath
Suppresses the use of the trans2/query_pathinfo command for reading file attributes. trans2/query_pathinfo seems to be broken on Windows 95.
attrUnix
Disables the UNIX extensions for file attributes.
setattrTrans2SetFile
Suppresses the use of the trans2/setfileinfo command for setting file attributes. This SMB command does not work properly on Windows.
setattrTrans2SetPath
Suppresses the use of the trans2/setpathinfo command for setting file attributes. This SMB command does not work properly on Windows.
setattrSetFile2
Suppresses the use of SET_INFORMATION2 for setting attributes.
setattrCoreWithTime
Suppresses the use of the core SET_INFORMATION command for setting modification dates.
createOpenX
Suppresses the use of SMB_COM_OPEN_ANDX for creating files.
openOpenX
Suppresses the use of SMB_COM_OPEN_ANDX for opening files.
readReadX
Suppresses the use of SMB_COM_READ_ANDX for reading files.
readOpenRead
Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_READ_ANDX for reading files.
writeWriteX
Suppresses the use of SMB_COM_WRITE_ANDX for writing files.
writeOpenWrite
Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_WRITE_ANDX for writing files.
findUnix
Disables the CIFS UNIX extensions for reading directories.
findTrans2
Disables the use of trans2/find for reading directories.
fsinfoTrans2
Suppresses the use of trans2/query_fs_info for reading file system information.
sessionSetup
Suppresses the session setup command (only used for the core dialect).
treeconAndX
Suppresses the TREE_CONNECT_ANDX command (TREE_CONNECT is used instead).
setDirDates
Suppresses setting directory modification dates when files are created or deleted in a directory. This may be useful if the server sets the date automatically when directories are modified.
fileModeMask
This integer variable defines the file permissions. fileModeMask is 0777 by default. Do not change it unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file. They are relevant, however, after files are copied from a CIFS share to the local disk, because the cp operation preserves file attributes.
dirModeMask
This integer variable defines the directory permissions. dirModeMask is 0777 by default. Do not change it unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file. They are relevant, however, after files are copied from a CIFS share to the local disk, because the cp operation preserves file attributes.
cifs.servers
This variable may modify the values configured with cifs.server.default for specific servers. It consists of a dictionary where the keys are the NetBIOS names of servers. The value for each server key is also a dictionary. This dictionary has the same structure as the cifs.server.default dictionary. In addition, the following keys may be used:
ipAddress
This entry may contain an IP address or a DNS name for the server. By default, the NetBIOS name is used for a DNS query. This parameter may be overridden from the cifsmount command line.
netbiosName
This entry is a last chance to change the NetBIOS name that is sent to the server for a given server.
tcpPort
You may change the TCP port that is used to connect to the server here. The default is 139, the NetBIOS session service port (with smbOverTCP enabled, port 445 is used instead).
cifs.serverClasses
This variable may modify the values configured with cifs.server.default and cifs.servers after the connection has been established, based on the information derived from session setup. The decision can depend on the server's operating system and LAN manager type. The format for this variable is an array of dictionaries. Each dictionary must have all of the following three keys:
OS
This entry contains a matching pattern in shell-style syntax (* matches any character sequence, ? matches one character, [<characters>] matches any of the given characters and [^<characters>] matches none of the given characters). It is matched against the operating system name derived from session setup.
LanManager
This entry also consists of a matching pattern in shell-style syntax. It is matched against the LAN manager name derived from session setup. The operating system name and LAN manager name are printed to syslog if log level info is enabled.
config
If the previous two patterns match, the content of this variable (which must be a dictionary) is used as a server configuration; it may contain all definitions that cifs.server.default may contain. If an option is given, it overrides the respective option from the other configurations. The option disableSmbs is an exception: all disabled SMBs add up to give the final list of disabled SMBs.
The array is searched from the rst to the last entry. If an entry matches, the corresponding conguration is used and the search is aborted.
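As an added example (illustrative code written for this page, not HP CIFS Client source), the following Python models the layering described for cifs.server.default, cifs.servers and cifs.serverClasses: the per-server dictionary overrides the defaults, the first matching serverClasses entry then overrides both and ends the search, disableSmbs entries accumulate, and capitalizeShares in a server class can only turn no into yes. The configuration values, the server name and the OS/LAN manager strings are constructed sample input. The audit at the end lists the resolved settings a security review would look at (NTLM version, packet signing, SSL). Python's fnmatch implements the shell-style patterns described above, with [!...] written for the negated character class.

```python
"""Added example: resolve the effective per-server configuration of the
HP CIFS Client from cifs.server.default, cifs.servers and cifs.serverClasses,
then audit the result. Illustrative code written for this page; the values
below are constructed sample input, not a real site's configuration."""
import fnmatch

# Constructed sample of cifs.server.default. capitalizeShares is set to no
# here (the documented default is yes) so that the class override is visible.
SERVER_DEFAULT = {
    "authenticationMethod": "ntlm",
    "ntlmEncryptionVersion": "ntlm",
    "smbPacketSigning": "enabled",
    "alwaysEncryptData": False,
    "smbOverTCP": True,
    "capitalizeShares": False,
    "disableSmbs": [],
}

# Constructed sample of cifs.servers: an NT server that cannot do SMB over TCP.
SERVERS = {
    "ntsrv01": {"smbOverTCP": False, "tcpPort": 139},
}

# Constructed sample of cifs.serverClasses, searched from first to last.
SERVER_CLASSES = [
    {"OS": "Windows NT*", "LanManager": "NT LAN Manager*",
     "config": {"disableSmbs": ["setattrTrans2SetFile", "setattrTrans2SetPath"],
                "capitalizeShares": True}},
    {"OS": "Unix", "LanManager": "Samba*",
     "config": {"useUnicode": True, "capitalizeShares": False}},
]


def matches(entry, os_name, lanman_name):
    """Both shell-style patterns of a serverClasses entry must match."""
    return (fnmatch.fnmatchcase(os_name, entry["OS"])
            and fnmatch.fnmatchcase(lanman_name, entry["LanManager"]))


def resolve(netbios_name, os_name, lanman_name,
            default=SERVER_DEFAULT, servers=SERVERS, classes=SERVER_CLASSES):
    """Effective configuration for one connection.

    Order: cifs.server.default, then cifs.servers[netbios_name], then the
    first matching cifs.serverClasses entry (the search stops there).
    disableSmbs lists add up; capitalizeShares in a class can override
    no -> yes but not yes -> no; every other key simply overrides.
    """
    cfg = dict(default)
    cfg.update(servers.get(netbios_name, {}))
    for entry in classes:
        if not matches(entry, os_name, lanman_name):
            continue
        for key, value in entry["config"].items():
            if key == "disableSmbs":
                cfg["disableSmbs"] = sorted(set(cfg.get("disableSmbs", [])) | set(value))
            elif key == "capitalizeShares":
                cfg["capitalizeShares"] = cfg.get("capitalizeShares", True) or value
            else:
                cfg[key] = value
        break
    return cfg


def audit(cfg):
    """Settings a security review of the resolved configuration would flag."""
    findings = []
    if (cfg.get("authenticationMethod") == "ntlm"
            and cfg.get("ntlmEncryptionVersion") != "ntlmv2"):
        findings.append("ntlmEncryptionVersion is ntlm; prefer ntlmv2 where the server supports it")
    if cfg.get("smbPacketSigning") != "required":
        findings.append("smbPacketSigning is %s; set required so unsigned sessions are refused"
                        % cfg.get("smbPacketSigning"))
    if not cfg.get("alwaysEncryptData", False):
        findings.append("alwaysEncryptData is no; an SSL-capable server may be reached without SSL")
    return findings


if __name__ == "__main__":
    # Constructed session-setup strings; the real ones appear in syslog at log level info.
    nt = resolve("ntsrv01", "Windows NT 4.0", "NT LAN Manager 4.0")
    print(nt["smbOverTCP"], nt["disableSmbs"], nt["capitalizeShares"])
    for finding in audit(nt):
        print("-", finding)
```

Run the script as is to see the NT server resolve to smbOverTCP = no with both setattr workarounds disabled; the audit then reports the three weak settings of the constructed default, all of which disappear once authenticationMethod = kerberos (or ntlmEncryptionVersion = ntlmv2), smbPacketSigning = required and alwaysEncryptData = yes are set in cifs.server.default.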
PAM NTLM
This chapter provides a description of PAM NTLM.
Introduction
PAM NTLM (NT LAN Manager) is a Pluggable Authentication Module (PAM) that enables HP-UX users to be authenticated against Windows servers during system login. PAM is an authentication framework in UNIX, used to authenticate users logging into a UNIX system. PAM loads a dynamically loadable module (shared library) that performs the actual authentication. PAM can also be configured to use multiple shared library modules. PAM NTLM uses CIFS servers to authenticate users logging into an HP-UX system. In other words, PAM NTLM uses the NT LAN Manager protocol to authenticate the UNIX users. It sends the UNIX user's name and password to the CIFS server for validation and returns the result to the PAM framework. The HP CIFS Client uses the PAM NTLM authentication information to access the shares on the CIFS server. Thus, users logging into an HP-UX system can access CIFS-mounted file systems without having to use the cifslogin command.
NOTE
Configuring PAM NTLM requires you to understand the PAM framework in general. Refer to pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information about PAM.
Figure 8-1 PAM Introduction
PAM NTLM
This section provides a list of PAM NTLM features and a description of the User Map File.
PAM NTLM Configuration
Configuring the system to use the PAM NTLM Module
This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.
IMPORTANT
You may not be able to log in to the system if PAM is not correctly configured. Make sure that you understand the PAM framework before you modify pam.conf. For information on PAM, see these HP-UX manpages: pam.conf(4), pam_unix(5). For security reasons, HP strongly recommends that you set up your system such that, for both authentication and password change, the host system (PAM UNIX), not the password server configured by PAM NTLM, authenticates root and other privileged users. Access on a per-user basis can be controlled through the use of libpam_updbe in pam.conf and the ignore option to libpam_ntlm in pam_user.conf. See pam.conf(4), pam_user.conf(4), and pam_updbe(5) for explanations and examples of usage. HP also recommends using PAM NTLM services in addition to, not in place of, PAM UNIX. This configuration is depicted in the sample pam.conf file below.
PAM NTLM provides the following services:
Password Authentication
Password Change
Password Change Upon Notice of Expiration
Each service corresponds to a specific section of pam.conf. Add entries for the services you wish to use:
For Password Authentication, modify the Authentication management section of pam.conf.
For Password Change, modify Password management.
For Password Change Upon Notice of Expiration, modify Authentication management, Password management, and Account management (to use Password Change Upon Notice of Expiration, you must also enable both Password Authentication and Password Change).
The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM NTLM entry consists of a line that refers to the shared library libpam_ntlm (libpam_ntlm.1 or libpam_ntlm.so.1, depending on the HP-UX version; see the WARNING below). In the authentication management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended that the option try_first_pass be specified with the PAM UNIX entry, as shown. Because libpam_ntlm is listed as sufficient, a password accepted by the CIFS server satisfies authentication on its own; this is why the IMPORTANT note above excludes root and other privileged users from PAM NTLM.
WARNING
If incorrect paths are used in pam.conf, it can become impossible to log in to the system. Ensure that you refer to the pam.conf file that matches the version of HP-UX installed on your system (use uname -r to check the version). In particular, add lines to pam.conf exactly as shown, without modifying paths. Starting with version B.11.22 of HP-UX, the paths to the PAM libraries differ from those in earlier versions.
The following sample pam.conf file is for version B.11.23 of HP-UX:
Example 8-1 Sample file for HP-UX version B.11.23
=====================================================================
#
# PAM configuration
#
# Authentication management
# Note: For PA applications, /usr/lib/security/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA PAM module.
#
#
login    auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login    auth required   /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su       auth required   /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  auth required   /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required   /usr/lib/security/$ISA/libpam_unix.so.1
ftp      auth required   /usr/lib/security/$ISA/libpam_unix.so.1
OTHER    auth required   /usr/lib/security/$ISA/libpam_unix.so.1
#
# Account management
#
login    account sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login    account required   /usr/lib/security/$ISA/libpam_unix.so.1
su       account required   /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  account required   /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required   /usr/lib/security/$ISA/libpam_unix.so.1
ftp      account required   /usr/lib/security/$ISA/libpam_unix.so.1
#
OTHER    account required   /usr/lib/security/$ISA/libpam_unix.so.1
#
# Session management
The following sample pam.conf file is for versions B.11.00 and B.11.11 of HP-UX:
Example 8-2
NOTE
The NIS map file name domainusermap.byname is the default name that PAM NTLM uses for the NIS map file. You can configure a different NIS user map name in the PAM NTLM configuration file (/etc/opt/cifsclient/pam/smb.conf) of each NIS client. The configuration option is:
nis ntuser mapname = <new user map filename>
2. In the user map file of each NIS client that will receive the distributed map file, add an entry with a plus sign (+) in the first column of the line. The plus sign indicates that parsing of the file stops at that point and the remaining search of the user map file uses NIS calls to the NIS server.
Index
C
CIFS
  description, 13
  protocol, 13
cifsclient, 31, 71
cifsclient.cfg, 28
cifslist, 70, 82
cifslogin, 70, 77
cifslogout, 70, 81
cifsmount, 70, 74, 87
cifsumount, 70, 80
Common Internet File System. See CIFS
configuration
  defaultServer, 110, 114, 118
  file, 101
  logLevels, 103
configuring
  overview, 25
D
daemon
  killing, 93
  when it crashes, 93
F
file and directories, 39
H
HP CIFS
  file and directories, 39
  introduction, 13
  starting, 30
  stopping, 30
HP CIFS Client
  features, 16
  internationalized, 18, 28
  troubleshooting, 93
  UNIX Extensions, 16
HP product enhancements, 15
I
installing
  overview, 25
  prerequisites, 26
internationalized clients, 18, 28
L
loading software, 27
M
mount command, 31
mount_cifs, 87
N
netbios, 87
NIS and the user map file, 139
O
overview
  configuring, 25
  installing, 25
P
PAM NTLM
  configuration, 135
  configuration file, 135
  description, 14, 132
  features, 52, 134
  secure storage integration, 17
password(1M), 134
S
Server Message Block, 13, 15
SMB. See Server Message Block
SSL options, 100
starting HP CIFS, 30
stopping HP CIFS, 30
swinstall(1M), 27
T
troubleshooting the HP CIFS client, 93
U
unmount command, 31
unmount_cifs, 87
user map file, 134
user map files, 139
using client, 31
utilities, summary, 69