HP CIFS Server 3.0g Administrator's Guide version A.02.03.01: HP-UX 11i v1, v2 and v3 > Chapter 9 HP CIFS Deployment Models

Samba Domain Model

You can use the Samba Domain Deployment Model in environments with the following characteristics:

  • A domain consisting of HP CIFS Servers and no Windows domain controllers.

  • Support for any number of UNIX servers that provide file and print services for corresponding numbers of users.

  • An HP CIFS server is configured as a Primary Domain Controller (PDC). One or more HP CIFS Servers act as Backup Domain Controllers (BDCs).

  • The PDC and BDCs use the LDAP backend to consolidate common POSIX and Windows accounts on the LDAP directory. This requires LDAP-UX Integration software for larger deployments.

  • Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments.

The Samba Domain Model provides the following benefits:

  • It can be expanded easily.

  • The HP CIFS Server acting as a BDC can pick up network logon requests and authenticate users while the PDC is busy on the network. The BDC can be promoted to a PDC if the PDC needs to be taken out of service or fails. The PDC-BDC model provides authentication load balancing for larger networks.

  • The PDC, BDCs, and domain member servers store account databases in the LDAP directory to centralize administration regardless of network size.

Figure 9-1 shows a standalone HP CIFS Server as a PDC with the local password database:

Figure 9-1 Standalone HP CIFS Server as a PDC

Figure 9-2 shows a standalone HP CIFS Server as a PDC using the Netscape Directory Server (NDS) as an LDAP backend:

Figure 9-2 Standalone HP CIFS Server as a PDC with NDS backend

Figure 9-3 shows multiple HP CIFS Servers using Netscape Directory Server as an LDAP backend:

Figure 9-3 Multiple HP CIFS Servers with NDS backend

Figure 9-4 shows the Samba Domain Model:

Figure 9-4 Samba Domain

The Samba Domain Deployment Model consists of an HP CIFS Server configured as a Primary Domain Controller (PDC) and one or more HP CIFS Servers acting as Backup Domain Controllers (BDCs). The PDC, BDCs, and member servers use the central LDAP backend to consolidate POSIX and Windows accounts on the LDAP directory. For larger deployments, this requires HP LDAP-UX Client Services software installed and configured on the HP CIFS Servers.

Samba Domain Components

As demand requires multiple servers, this model makes use of a directory server and LDAP access. You must install and configure LDAP-UX Client Services software on all nodes for centralization of both POSIX and Windows user data. See Chapter 6 “LDAP Integration Support” for detailed information on how to set up LDAP.

WINS is used for multi-subnetted environments. Multi-subnetted environments require name-to-IP-address mapping that goes beyond the broadcast limits of a single LAN segment. HP CIFS Server provides WINS server capabilities, which can be enabled on one node (usually the PDC) for the domain; that node's address must then be specified in the configuration of the remaining nodes (usually BDCs and member servers). PC client configurations can also specify the WINS server address to ensure that they are able to join the domain. Set wins support = yes in smb.conf on the one HP CIFS Server that is to be the WINS server. Set wins server = <ip address> in smb.conf on the rest of the HP CIFS Servers. Because Samba-supplied WINS does not provide replication, the WINS server can be a single point of failure in the network. If high availability is required, consider using Serviceguard on the WINS server, client host files, or static caches of NetBIOS names in DNS servers.

HP CIFS Server Acting as a PDC

An HP CIFS Server configured as a PDC is responsible for Windows authentication throughout the domain. The smb.conf parameters security = user and domain logons = yes force this behavior.

Single-server installations may use the smbpasswd or tdbsam password backends, but large installations should use the LDAP backend to provide centralized management of both POSIX users and Windows users. Configure LDAP with passdb backend = ldapsam:ldap://<ldap server name> or passdb backend = ldapsam_compat:ldap://<ldap server name>.

An important characteristic of a CIFS PDC is browsing control. The parameter domain master = yes causes the server to register the NetBIOS name <pdc name>1B, where 1B is reserved for the domain master browser. This name is recognized by other servers.

When you integrate the HP CIFS Server acting as a PDC with the LDAP directory, you must install the HP LDAP-UX Integration software and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts on the LDAP directory. The LDAP database can replace /etc/passwd and smbpasswd, and the PDC can access the LDAP directory for Windows authentication.

HP CIFS Server Acting as a BDC

The configuration of BDCs is similar to that of the PDC. This enables BDCs to carry much of the network logon processing. A BDC on a local segment handles logon requests and authenticates users when the PDC is busy on the local network. When a segment becomes heavily loaded, the responsibility is offloaded to another segment's BDC or to the PDC. Therefore, you can optimize resources and add robustness to network services by deploying BDCs throughout the network.

If you set the local master parameter to yes in smb.conf, browsing can also be spread throughout the network.

You can promote a BDC to a PDC if the PDC needs to be taken out of service or fails. To promote a BDC to a PDC, change the domain master parameter from no to yes.

The PDC and BDCs use the central LDAP directory to store common POSIX and Windows accounts. When you integrate an HP CIFS Server acting as a BDC with the LDAP directory, you must install the HP LDAP-UX Integration software and configure the LDAP-UX client. The BDC can then access the LDAP directory for Windows authentication.

HP CIFS Server Acting as a Member Server

To ensure that there are always sufficient domain controllers to handle authentication and logon requests, in general, configure BDCs rather than member servers unless there are fewer than about 30 Windows clients per BDC.

You can join an HP CIFS Server to the Samba Domain. Windows authentication requests are then handled by the PDC or BDCs using the LDAP, smbpasswd or another backend. For detailed information on how to join an HP CIFS Server to the Samba Domain, see “Domain Member Server” in Chapter 4.

The member server smb.conf configuration differs from that of the PDC and BDC. You must set the security parameter to domain. This forces the member server to authenticate via the PDC or BDCs. You must set the password server parameter to the name of the PDC, and you may also add the names of one or more BDCs. Set the domain master parameter to no to let the PDC take control. As with the PDC and BDC, set the passdb backend parameter to the name of the LDAP server to centralize POSIX and Windows account database management. Using LDAP requires installing the HP LDAP-UX Integration software and configuring the LDAP client to consolidate POSIX and Windows users on the LDAP directory.

An example of the Samba Domain Model

Figure 9-5 shows an example of the Samba Domain Model in which HP CIFS Server machine hostW (IP address 1.13.115.226) acts as the PDC and WINS server, HP CIFS Server machine hostB (IP address 1.13.117.248) acts as a BDC, and machine hptem128 runs the Netscape Directory Server.

Figure 9-5 An example of the Samba Domain Model

A Sample smb.conf File For a PDC

The following is a sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hostW acting as a PDC in the sample Samba Domain Model shown in Figure 9-5:

######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
# Domain Name (smb.conf does not support comments after a value on the same line)
workgroup = SAMBA30_DOMAIN
server string = Samba Server hostW PDC
passdb backend = ldapsam:ldap://hpldap128:389, smbpasswd
log level = 0
security = user
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = Yes
local master = Yes
domain master = Yes
# hostW is the one WINS server for the domain
wins support = yes
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org, dc=hp, dc=com
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

[netlogon]
comment = The domain logon service
path = /var/opt/samba/netlogon
read only = Yes

NOTE: Set passdb backend = ldapsam:ldaps://<fully qualified name of NDS server> for SSL-enabled LDAP. Set passdb backend = ldapsam:ldap://<NDS server name> to disable SSL support. If you choose to use the A.01.* versions of the backward-compatible LDAP account backend, set passdb backend = ldapsam_compat:ldaps://<ldap server name>, ldap ssl = yes and ldap port = 636 in smb.conf to enable SSL support.

Configuration Options

  • domain master: Set this parameter to yes for the HP CIFS Server to act as a PDC.

  • domain logons: Set this parameter to yes to provide netlogon services.

  • passdb backend: Set this parameter to ldapsam_compat:ldap://<ldap server name> if you want to use the old Samba subschema for the LDAP databases. To use the new subschema supported by HP CIFS Server A.02.01, set this parameter to ldapsam:ldap://<ldap server name>.

  • wins support: Set this parameter to yes to configure an HP CIFS Server as a WINS server.

A Sample smb.conf File For a BDC

The following is a sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hostB acting as a BDC in the sample Samba Domain Model shown in Figure 9-5:

######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
# Domain Name (smb.conf does not support comments after a value on the same line)
workgroup = SAMBA30_DOMAIN
server string = Samba Server hostB BDC
password server =
passdb backend = ldapsam:ldap://hptem128:389, smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
security = user
local master = No
domain master = No
# Use the PDC (hostW) as the WINS server; a node that points at a WINS server
# must not also set wins support = yes, or nmbd refuses to start
wins server = 1.13.115.226
wins support = no
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org, dc=hp, dc=com
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

[tmp]
comment = Temporary file space
path = /tmp

Configuration Options

  • passdb backend: Set this parameter to ldapsam_compat:ldap://<ldap server name> if you want to use the old Samba subschema for the LDAP databases. To use the new subschema supported by HP CIFS Server A.02.01, set this parameter to ldapsam:ldap://<ldap server name>.

  • domain master: Set this parameter to no for the HP CIFS Server to act as a BDC.

  • wins server: If you use the PDC as the WINS server, set this parameter to the PDC's machine name.

  • domain logons: You must set this parameter to yes to provide netlogon services.

A Sample smb.conf File for a Domain Member Server

When configuring the HP CIFS Server to act as a member server, you need to configure the relevant domain parameters in the /etc/opt/samba/smb.conf file using the SWAT tool, an editor, or by running samba_setup.

The following is a sample Samba configuration file, /etc/smb.conf, used for the HP CIFS Server machine hostC acting as a domain member server in the sample Samba Domain Model shown in Figure 9-5:

######################################
#
# Samba config file created using SWAT
# from 1.13.129.217
#
# Global Parameters
[global]
# Domain Name (smb.conf does not support comments after a value on the same line)
workgroup = SAMBA30_DOMAIN
server string = Samba Server hostC Domain Member Server
password server = hostW hostB
security = Domain
netbios aliases = MOONEY
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
domain logons = Yes
preferred master = No
domain master = No
# Use the PDC (hostW) as the WINS server; a node that points at a WINS server
# must not also set wins support = yes, or nmbd refuses to start
wins server = 1.13.115.226
wins support = no
ldap port = 389
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=org, dc=hp, dc=com
ldap ssl = no
ldap user suffix = ou=People
read only = No
short preserve case = No
dos filetime resolution = Yes
#
[homes]
comment = Home Directory
browseable = No

Configuration Options

  • workgroup: This parameter specifies the name of the domain in which the HP CIFS Server is a domain member.

  • security: When the HP CIFS Server joins a domain as a member, you must set this parameter to domain.

  • wins server: If you use the PDC as the WINS server, set this parameter to the PDC's machine name.

  • password server: This parameter lists the NetBIOS names of the PDC and BDC machines that perform user name authentication and validation.
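The PDC, BDC and member-server sections above each require a different combination of smb.conf settings, and the WINS rule spans the whole domain. The following Python checker is an added example, not part of this guide or of the HP CIFS Server product: it parses each server's [global] section, classifies the host as PDC, BDC or member server using the rules from this chapter, and flags the mutually exclusive wins support / wins server combination and a domain with more or fewer than one WINS server. The configurations embedded in SAMPLE are constructed, modelled on hostW, hostB and hostC.

```python
# Added example (not from the HP CIFS guide): validate smb.conf role settings from this chapter.
def parse_global(text):
    """Return [global] parameters as {lower-cased key: value}; '#'/';' lines are comments."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params
def is_yes(params, key):
    return params.get(key, "no").lower() in ("yes", "true", "1")
def check_role(params):
    """Classify one server as pdc / bdc / member and list settings that break the model."""
    problems = []
    if params.get("security", "user").lower() == "domain":
        role = "member"
        if not params.get("password server"):
            problems.append("member server needs password server = <PDC> [<BDC> ...]")
    else:
        role = "pdc" if is_yes(params, "domain master") else "bdc"
        if not is_yes(params, "domain logons"):
            problems.append(f"{role} needs domain logons = yes to provide netlogon service")
        if not params.get("passdb backend", "").startswith("ldapsam"):
            problems.append(f"{role} should use ldapsam or ldapsam_compat to centralize accounts")
    if is_yes(params, "wins support") and params.get("wins server"):
        problems.append("wins support = yes and wins server cannot both be set; nmbd aborts")
    return role, problems
def check_domain(configs):
    """configs = {host: smb.conf text}; return ({host: role}, [host-prefixed problems])."""
    roles, problems, wins = {}, [], []
    for host, text in configs.items():
        params = parse_global(text)
        roles[host], issues = check_role(params)
        problems += [f"{host}: {i}" for i in issues]
        wins += [host] if is_yes(params, "wins support") else []
    if len(wins) != 1:  # exactly one node (usually the PDC) serves WINS for the domain
        problems.append(f"domain: expected exactly one WINS server, found {wins}")
    return roles, problems
SAMPLE = {  # constructed, modelled on hostW/hostB/hostC; hostC wrongly keeps wins support = yes
    "hostW": "[global]\nsecurity = user\ndomain logons = yes\ndomain master = yes\n"
             "wins support = yes\npassdb backend = ldapsam:ldap://hptem128:389\n[homes]\n",
    "hostB": "[global]\nsecurity = user\ndomain logons = yes\ndomain master = no\n"
             "wins server = 1.13.115.226\npassdb backend = ldapsam:ldap://hptem128:389\n",
    "hostC": "[global]\nsecurity = Domain\npassword server = hostW hostB\ndomain master = no\n"
             "wins server = 1.13.115.226\nwins support = yes\n",
}
```

Running check_domain(SAMPLE) reports two problems: hostC combines wins support = yes with wins server, and the domain therefore has two WINS servers instead of one.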

A Sample /etc/nsswitch.ldap File

When you set up the PDC, BDC and member servers using the LDAP backend support, you need to configure the /etc/nsswitch.conf file to retrieve your user account information from Netscape Directory Server. You can save a copy of the /etc/nsswitch.conf file and edit the original to specify the LDAP name service and the other name services that you want to use, or you can simply copy /etc/nsswitch.ldap to /etc/nsswitch.conf.

The following is the sample /etc/nsswitch.ldap used in the sample Samba Domain Model shown in Figure 9-5:

# /etc/nsswitch.ldap                                      #
# You can copy this sample file to /etc/nsswitch.conf.    #
# This sample file uses Lightweight Directory Access      #
# Protocol (LDAP) in conjunction with dns and files.      #
passwd:    files ldap
group:     files ldap
hosts:     dns [NOTFOUND=return] files ldap
networks:  files ldap
protocols: files ldap
rpc:       files ldap
publickey: files
netgroup:  files ldap
automount: files
aliases:   files
services:  files ldap

© 2007 Hewlett-Packard Development Company, L.P.