HP CIFS Server 3.0g Administrator's Guide version A.02.03.01: HP-UX 11i v1, v2 and v3 > Chapter 9 HP CIFS Deployment Models

Windows Domain Model

You can use the Windows Domain Model in environments with the following characteristics:

  • Deploy Windows NT4, Windows 200x Mixed Mode, or Windows 200x ADS servers (with NetBIOS enabled).

  • Support for any number of HP CIFS servers that provide file and print services for corresponding numbers of users. It requires HP-UX LDAP Integration Client software for ADS domain member servers.

  • Access to an LDAP-UX Netscape Directory Server as the backend storage for larger deployments to maintain winbind ID maps across multiple HP CIFS Servers.

The Windows Domain Model provides the following benefits:

  • Support for Windows domain member single sign-on, network logon, and the Windows account management system.

  • Support for easy user management across multiple HP CIFS servers by using winbind.

  • Easy expansion capability.

Figure 9-6 shows the Windows Domain Deployment Model:

Figure 9-6 Windows Domain

In the Windows Domain Model, HP CIFS Server can join a Windows domain as a member server with Windows NT or Windows 200x domain controllers. HP CIFS Server supports winbind to provide UID and GID mappings for Windows users. For a larger deployment environment, you can use the LDAP directory to maintain unique ID maps across multiple HP CIFS Servers.

Components for Windows Domain Model

HP CIFS Server supports the NTLMv1/NTLMv2 security used for NT domain membership and the Kerberos security used for Windows 2000/2003 native membership, so HP CIFS Servers can be managed in any Windows 2000/2003 ADS, Windows 200x mixed mode, or NT environment. HP CIFS Server does not support a true SAM database and cannot participate as a domain controller in a Windows NT, Windows 2000 or Windows 2003 domain. HP CIFS supports winbind, which can be used to avoid explicitly allocating POSIX users and groups for the mapping of Windows users and groups. Winbind provides UID and GID generation and mapping for Windows users. Set the smb.conf parameters idmap uid = <uid range> and idmap gid = <gid range>. See Chapter 7 “Winbind Support” for detailed information on winbind. When you deploy multiple HP CIFS Servers, you can use the LDAP directory to maintain unique ID maps across multiple systems. Otherwise, user mapping will not be consistent from system to system when NFS shares are mounted on HP CIFS Servers. To centralize management of ID maps in an LDAP directory, set the idmap backend parameter to ldap:ldap://<ldap server name> in the smb.conf file.

You can use the wins server = <Windows or NT WINS server address> smb.conf parameter for access throughout a multi-subnetted network. Avoid using the WINS server supplied by HP CIFS if Windows or NT WINS servers are available, because HP CIFS WINS servers cannot replicate the WINS data.

"LDAP-UX Client Service with Microsoft Windows 2000 Active Directory Administrator's Guide", available at http://docs.hp.com, provides help for HP-UX ADS client configurations.

An Example of the ADS Domain Model

Figure 9-7 shows an example of the Windows 2000/2003 ADS Domain Model, which has the realm named HPCIF23DOM.ORG.HP.COM, an ADS domain controller machine hpcif23, an HP CIFS Server machine hpcif54 acting as a native member server, and the Netscape Directory Server system hptem128.

Figure 9-7 An example of the ADS Domain Model

A Sample smb.conf File for an HP CIFS ADS Member Server

The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hpcif54 acting as an ADS member server in the sample ADS Domain Model shown in Figure 9-7:

######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
# Domain Name (Samba does not strip trailing comments, so keep them on their own line)
workgroup = hpcif23_dom
server string = CIFS Server as a domain member of hpcif23_dom
realm = HPCIF23DOM.ORG.HP.COM
security = ADS
netbios name = hpcif54
encrypt passwords = yes
password server = *
passdb backend = smbpasswd
log level = 0
syslog = 0
log file = /var/opt/samba/log.%m
max log size = 1000
host msdfs = yes

# For LDAPSAM
# passdb backend = ldapsam:ldap://hptem128
# ldap port = 389
# ldap admin dn = cn=Directory Manager
# ldap filter = (&(uid=%u)(objectclass=SambaSamAccount))
# ldap user suffix = ou=People
# ldap group suffix = ou=Groups
# ldap machine suffix = ou=Computers
# ldap suffix = dc=org, dc=hp, dc=com
# ldap ssl = no
# ldap delete dn = no
# ldap passwd sync = no
# ldap replication sleep = 1000
# ldap timeout = 15

# For idmap configuration of winbind
idmap backend = ldap:ldap://hptem128
idmap uid = 1000-10000
idmap gid = 1000-10000
ldap server = hptem128
ldap admin dn = "cn=Directory Manager"
ldap suffix = dc=org, dc=hp, dc=com
ldap port = 389
ldap idmap suffix = ou=idmap
#
# For non winbind solution
# add user script = /usr/sbin/useradd -g users -c winbind_create -d /tmp -s /bin/false %u
# For winbind solution
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%D/%U
template shell = /bin/false

[homes]
comment = Home Directory
browseable = no
writable = yes
# Restrict each home share to the domain user it belongs to
valid users = %D\%U
create mode = 0664
directory mode = 0775

[share1]
path = /tmp
read only = no
valid users = %D\%U

[share2]
path = /tmp
read only = no
# Specify values of force user and force group to a valid domain user or group
force user = localusr
force group = localgrp

[tmp]
path = /tmp
read only = no
browseable = yes
writable = yes
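Mistakes that are easy to make in a file like the sample above (a mistyped parameter name, a parameter set twice, a path where a user list belongs, colliding ID ranges, an idmap backend on plain ldap://) are cheap to catch before smbd is restarted. The checker below is an added example, not an HP CIFS or Samba tool; the parameter names are standard smb.conf keys and the SAMPLE text is constructed from the chapter's ADS configuration.

```python
# Lint an HP CIFS (Samba 3.0) smb.conf for the idmap/winbind pitfalls this chapter describes.
# Added example, not HP's or Samba's tool; sample text constructed from the chapter's ADS example.

SAMPLE = """[global]
log fie = /var/opt/samba/log.%m
idmap backend = ldap:ldap://hptem128
idmap uid = 1000-10000
winbind uid = 10000-20000
[homes]
valid users = /home/%D/%U
"""

KNOWN = {"workgroup", "security", "realm", "log file", "idmap backend", "idmap uid",
         "idmap gid", "winbind uid", "winbind gid", "valid users", "path", "read only"}

def parse_smb_conf(text):
    # {section: [(key, value), ...]}; duplicates are kept so they can be reported.
    # Samba treats '#' or ';' as a comment only at line start, so nothing inline is stripped.
    conf, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, [])
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section].append((key.strip().lower(), value.strip()))
    return conf

def lint(text):
    """Return a list of findings for the configuration text."""
    conf, findings = parse_smb_conf(text), []
    for sec, items in conf.items():
        seen = set()
        for key, value in items:
            if key not in KNOWN:
                findings.append(f"[{sec}] unknown parameter '{key}' (typo? testparm reports it)")
            if key in seen:
                findings.append(f"[{sec}] '{key}' set twice; the last value wins")
            seen.add(key)
            if key == "valid users" and value.startswith("/"):
                findings.append(f"[{sec}] 'valid users' is a path, not a user list")
    g = dict(conf.get("global", []))
    if g.get("idmap backend", "").startswith("ldap:ldap://"):
        findings.append("[global] idmap backend uses plain ldap:// (ID maps travel unencrypted)")
    r = [tuple(int(x) for x in g[k].split("-")) for k in ("idmap uid", "winbind uid") if k in g]
    if len(r) == 2 and r[0][0] <= r[1][1] and r[1][0] <= r[0][1]:
        findings.append("[global] idmap uid and winbind uid (its older name) have overlapping ranges")
    return findings
```

Run lint() on the real /etc/smb.conf contents; an empty list means none of these checks fired.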

A Sample /etc/krb5.conf File

On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the logging file names.

The following is a sample /etc/krb5.conf used in the sample ADS Domain Model shown in Figure 9-7:

# Kerberos Configuration                                     #
#                                                            #
# This krb5.conf file is intended as an example only.        #
# See krb5.conf(4) for more details.                         #
#                                                            #
# Please verify that you have created the directory /var/log.#
#                                                            #
# The realm and KDC below are the values from Figure 9-7;    #
# replace them with your Kerberos realm and the full domain  #
# name of your Windows ADS domain controller.                #
#                                                            #
[libdefaults]
default_realm = HPCIF23DOM.ORG.HP.COM
# Single-DES encryption types as used in this example; DES is weak by current standards.
default_tkt_enctypes = DES-CBC-MD5
default_tgs_enctypes = DES-CBC-MD5
ccache_type = 2

[realms]
# The realm name here must match default_realm above.
HPCIF23DOM.ORG.HP.COM = {
kdc = hpcif23.org.hp.com:88
admin_server = hpcif23.org.hp.com
}

[domain_realm]
.org.hp.com = HPCIF23DOM.ORG.HP.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

NOTE: The :88 port suffix is required on the kdc entry.

A Sample /etc/nsswitch.conf File

In the ADS Domain Model, you must configure the /etc/nsswitch.conf file to specify the winbind name service and the other name services that you want to use.

The following is a sample /etc/nsswitch.conf used in the sample ADS Domain Model shown in Figure 9-7:

# /etc/nsswitch.conf                                      #
#                                                         #
# This sample file uses Lightweight Directory Access      #
# Protocol (LDAP) in conjunction with dns and files.      #
passwd:    files winbind [NOTFOUND=return] ldap
group:     files winbind [NOTFOUND=return] ldap
hosts:     files dns [NOTFOUND=return]
networks:  files
protocols: files
rpc:       files
publickey: files
netgroup:  files
automount: files
aliases:   files
services:  files

NOTE: HP CIFS Server supports several ways to allocate and map POSIX users and groups. If winbind is used, the winbind name service is required in /etc/nsswitch.conf. If winbind is not used, a local POSIX account associated with each Windows user and group must be created. One way to create these accounts automatically is to define the "add user script" and "add group script" options in smb.conf. See the SWAT help text for more information.

An Example of Windows NT Domain Model

Figure 9-8 shows an example of the Windows NT Domain Model, which has a Windows NT server named hostP as the PDC and an HP CIFS Server machine hostM acting as a domain member server. The ID maps are saved in the local file, idmap.tdb.

Figure 9-8 An example of the Windows NT Domain Model

A Sample smb.conf File for an HP CIFS Member Server

The following is a sample Samba configuration file, /etc/smb.conf, used for an HP CIFS Server machine hostM acting as a member server in the sample Windows NT Domain Model shown in Figure 9-8:

######################################################
#
# A sample smb.conf file for an HP CIFS NT domain member server
#
# Global Parameters
[global]
server string = CIFS Server as a member of NT domain
netbios name = hostM
# For NT specific option
# Domain Name (Samba does not strip trailing comments, so keep them on their own line)
workgroup = hostP_dom
security = domain
encrypt passwords = yes
passdb backend = smbpasswd
password server = hostP.org.hp.com
log level = 0
log file = /var/opt/samba/log.%m
max log size = 1000
#
# For non winbind solution
# add user script = /usr/sbin/useradd -g users -c add_user_script -d /tmp -s /bin/false %u
#
# For winbind specific options
winbind use default domain = yes
winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
winbind cache time = 300
template homedir = /home/%D/%U
template shell = /bin/false
#
[homes]
comment = Home Directory
create mode = 0664
directory mode = 0775
# Restrict each home share to the domain user it belongs to
valid users = %D\%U
browseable = No
read only = No
writable = yes

[print$]
comment = For Printer share
browseable = yes

[printers]
comment = All Printers
path = /tmp
printable = yes
browseable = yes
printer admin = root, admuser
create mask = 0600
guest ok = Yes
use client driver = Yes

[lj810002]
path = /tmp
printable = yes
print command = /usr/bin/lp -d%p %s; /usr/bin/rm %s

[share1]
path = /tmp
valid users = %D\%U
read only = Yes

[share2]
path = /tmp
read only = No
# force user and force group can be set to a valid domain user and group
force user = localusr
force group = localgrp

[tmp]
path = /tmp
read only = no
browseable = yes
writable = yes