HP CIFS Server 3.0g Administrator's Guide, version A.02.03.01 (HP-UX 11i v1, v2 and v3), Chapter 9: HP CIFS Deployment Models

Unified Domain Model


You can use the Unified Domain Deployment Model in environments with the following characteristics:

  • A domain consisting of Windows 200x servers.

  • The Windows 2000 or 2003 domain controller maintains the UNIX UID and GID data with Windows Services for UNIX (SFU).

    NOTE: SFU Version 3.5 does not support Windows NT4 domains.
  • Support for any number of HP CIFS Servers providing file and print services to any number of users. Each HP CIFS member server requires the LDAP-UX Integration software.

The Unified Domain Model provides the following benefits:

  • Support for Windows domain member single sign-on and network logon, with one account management system for both Windows and UNIX users.

  • Easy expansion capability.

Figure 9-9 shows the Unified Domain Deployment Model:

Figure 9-9 Unified Domain

The Unified Domain Model consists of a Windows 200x server with Active Directory Services (ADS) configured as a Domain Controller (DC), and one or more HP CIFS member servers. To use the Windows 200x ADS server as a data repository that consolidates Windows and UNIX user accounts, you need to install the Services for UNIX (SFU) add-on package, which extends the Active Directory schema based on RFC 2307 so that POSIX attributes can be stored with each account. All user management is unified on the Windows 2000/2003 ADS server; winbind is not required. You must install and configure the LDAP-UX Integration software on each HP CIFS member server. The LDAP-UX Integration software lets the HP CIFS Server retrieve UNIX user account data from the ADS server.

"LDAP-UX Client Services with Microsoft Windows 2000 Active Directory Administrator's Guide", available at http://docs.hp.com, provides help for HP-UX ADS client configurations.

Unified Domain Components

HP CIFS Acting as a Windows 200x ADS Member Server

An HP CIFS member server operating in a unified domain depends on an ADS that has been extended with Services For UNIX (SFU). SFU provides the required mapping between UNIX UIDs and GIDs and Windows SIDs. SFU and its accompanying documentation are available for download at http://www.microsoft.com/windows/sfu. Because all user management is unified on the Windows 2000/2003 ADS server, winbind is not required, and because every member server reads the same UID and GID attributes from the directory rather than allocating them locally, there are no ID consistency issues regardless of the number of HP CIFS member servers.

HP CIFS Server uses Kerberos authentication in a Windows Unified Domain setup. For more information on how to join an HP CIFS Server to a Windows 200x Domain using Kerberos security, see Chapter 5 “Windows 2000/2003 Domains”.

Setting up the Unified Domain Model

You need to set up and configure the following components to deploy a Unified Domain Model using Windows Services For UNIX (SFU):

  • Windows 2000 or 2003 domain controller with Active Directory Service (ADS)

  • LDAP-UX Integration software B.03.20 or later on HP CIFS member servers

  • SFU 3.5 on Windows 2000 or 2003 Domain Controller

  • Install and configure the HP CIFS Server and join it to the SFU-enabled Windows 200x domain. See Chapter 5 “Windows 2000/2003 Domains” for details on configuring the HP CIFS Server and joining it to the Windows domain.

Setting up LDAP-UX Client Services on an HP CIFS Server

In the Unified Domain Model, you integrate HP CIFS domain member servers with the Windows 200x ADS to centralize management of the user account databases. You must install the HP LDAP-UX Integration software B.03.20 or later and configure the LDAP-UX client. This permits the consolidation of POSIX and Windows user accounts in the ADS directory.

You also need to configure the /etc/krb5.conf file so that users are authenticated using Kerberos.

Installing and Configuring LDAP-UX Client Services on an HP CIFS Server

The following summarizes the major steps you need to take to install and configure LDAP-UX Client Services. For detailed instructions on how to install and configure LDAP-UX Client Services to work with Windows 2000 ADS, refer to Chapter 2, "Installing LDAP-UX Client Services", in LDAP-UX Client Services with Microsoft Windows 2000 Active Directory Server Administrator's Guide, available at http://docs.hp.com.

  1. Install LDAP-UX Client Services on each HP CIFS member server.

  2. Migrate your supported name service data to the directory. Refer to the section "Importing Name Service Data into Your Directory" in LDAP-UX Client Services with Microsoft Windows 2000 Active Directory Server Administrator's Guide, available at http://docs.hp.com.

  3. Run the setup program to configure LDAP-UX Client Services on a client system. Setup does the following for you:

    • Extends your Active Directory schema with the configuration profile schema, if not already done.

    • Creates a start-up file on the client. This enables each client to download the configuration profile.

    • Creates a configuration profile of directory access information in the directory, to be shared by a group of (or possibly all) clients.

    • Downloads the configuration profile from the directory to the client.

    • Starts the product daemon, ldapclientd.

  4. Modify the files /etc/pam.conf and /etc/nsswitch.conf on the client to specify Kerberos authentication and LDAP name service, respectively.

Configuring /etc/krb5.conf to Authenticate Using Kerberos

On your HP CIFS Server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the default realm, the location of a Key Distribution Center (KDC) server and the log file names. The Kerberos client depends on this file to locate the realm's KDC. Two points about the file format: the parser recognises comments only on lines that begin with # or ;, so a comment placed after a value becomes part of that value, and the closing brace of a [realms] entry must stand on a line of its own. DES-CBC-CRC, the only encryption type listed below, is the weak single-DES type that Windows 2000/2003 domain controllers offer; later Windows versions disable it by default, so use it only where the domain controller supports nothing stronger. The following is an example of /etc/krb5.conf for the realm CIFSW2KSFU.ORG.HP.COM with the machine hostA.org.hp.com as its KDC:

[libdefaults]
# Samba Domain
default_realm = CIFSW2KSFU.ORG.HP.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2

[realms]
CIFSW2KSFU.ORG.HP.COM = {
kdc = hostA.org.hp.com:88
admin_server = hostA.org.hp.com
}

[domain_realm]
.org.hp.com = CIFSW2KSFU.ORG.HP.COM

[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/opt/KRB5lib.log

Installing SFU 3.5 on a Windows 2000 or 2003 Domain Controller

POSIX accounts have attributes, such as the user ID, login shell and home directory, that Windows 2000 or 2003 does not use. To use Active Directory as a data repository for HP-UX users, you must install SFU Version 3.5 on a Windows 2000 or 2003 domain controller. SFU extends the Active Directory schema to include the POSIX schema. For detailed installation instructions for SFU 3.5, refer to Chapter 2, "Installing LDAP-UX Client Services", in LDAP-UX Client Services with Windows 2000 Active Directory Server Administrator's Guide, available at http://docs.hp.com.

For more information on SFU, refer to the Microsoft web site at http://www.microsoft.com/windows2000/sfu/.

NOTE: You need to install the LDAP-UX Client Services software on an HP CIFS member server before installing SFU on a Windows 2000 or 2003 domain controller.

An Example of the Unified Domain Model

Figure 9-10 shows an example of the Unified Domain Model with the realm CIFSW2KSFU.ORG.HP.COM, an ADS domain controller machine hpntcdn, an HP CIFS Server machine hostD acting as a member server, and a Windows NT machine with IP address 1.13.112.166 as the WINS server.

Figure 9-10 An Example of the Unified Domain

A sample smb.conf file For an HP CIFS Member Server

The following is a sample Samba configuration file, /etc/smb.conf, for the HP CIFS Server machine hostD acting as an ADS member server in the sample Unified Domain Model shown in Figure 9-10. Samba, like the Kerberos client, treats only lines that begin with # or ; as comments, so parameter comments are kept on their own lines rather than after the value. Note also that read only = no in [global] makes every share writable, including [tmp], unless the share itself sets read only = yes:

######################################################
#
# A sample smb.conf file for an HP CIFS ADS member server
#
# Global Parameters
[global]
# Domain Name
workgroup = CIFSW2KSFU
server string = CIFS Server as a domain member
realm = CIFSW2KSFU.ORG.HP.COM
security = ads
netbios name = hostD
local master = no
wins server = 1.13.112.166
log file = /var/opt/samba/log.%m
short preserve case = no
dos filetime resolution = yes
read only = no
#
[homes]
comment = Home Directory
browseable = No
#
[tmp]
comment = temporary file space
path = /tmp

A Sample /etc/krb5.conf File

On your HP CIFS Server acting as an ADS member server, you need to create the Kerberos configuration file, /etc/krb5.conf, which specifies the name of the realm, the location of a Key Distribution Center (KDC) server and the log file names.

The following is a sample /etc/krb5.conf for the realm CIFSW2KSFU.ORG.HP.COM with the machine hpntcdn.org.hp.com as its KDC. The default_realm value must be the same realm that is named in the [realms] and [domain_realm] sections and in the realm parameter of smb.conf:

#############################################################
# Kerberos Configuration                                    #
#                                                           #
# This krb5.conf file is intended as an example only.       #
# See krb5.conf(4) for more details.                        #
#                                                           #
# Please verify that you have created the directory         #
# /var/log.                                                 #
#                                                           #
# Replace CIFSW2KSFU.ORG.HP.COM with your Kerberos realm.   #
# Replace hpntcdn.org.hp.com with the fully qualified       #
# domain name of your Windows ADS DC.                       #
#############################################################
[libdefaults]
default_realm = CIFSW2KSFU.ORG.HP.COM
default_tkt_enctypes = DES-CBC-CRC
default_tgs_enctypes = DES-CBC-CRC
ccache_type = 2
[realms]
CIFSW2KSFU.ORG.HP.COM = {
kdc = hpntcdn.org.hp.com:88
admin_server = hpntcdn.org.hp.com
}
[domain_realm]
.org.hp.com = CIFSW2KSFU.ORG.HP.COM
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log

NOTE: The :88 port suffix is required on the kdc entry.

A Sample /etc/nsswitch.conf File

In the Unified Domain Model, you must configure the /etc/nsswitch.conf file to specify the LDAP name service together with the other name services you want to use.

The following is a sample /etc/nsswitch.conf used in the sample Unified Domain Model shown in Figure 9-10:

# /etc/nsswitch.conf                                      #
#                                                         #
# This sample file uses Lightweight Directory Access      #
# Protocol (LDAP) in conjunction with dns and files.      #
passwd:    files ldap
group:     files ldap
hosts:     dns [NOTFOUND=return] files ldap
networks:  files ldap
protocols: files ldap
rpc:       files ldap
publickey: files
netgroup:  files ldap
automount: files
aliases:   files
services:  files ldap
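The /etc/krb5.conf samples and the smb.conf sample above share a set of constraints that nothing on the member server enforces for you: default_realm must name a [realms] entry whose kdc carries the :88 port, a [domain_realm] rule must lead to that realm, the realm parameter in smb.conf must equal it, security must be ads, and neither file format accepts a comment placed after a value or a closing brace that shares a line with a value, because both parsers treat only whole-line # or ; as comments. The following Python script is an added example, not part of the HP CIFS guide and not Samba or HP code: it re-implements just enough of the MIT krb5.conf profile syntax and of the smb.conf syntax to cross-check the two files, then runs the checks against constructed samples that mirror the hostD/hpntcdn example. The function names and the sample contents are this example's own.

```python
"""Cross-check of /etc/krb5.conf and /etc/smb.conf on an HP CIFS ADS member server.
Added example, not the HP CIFS guide's code; the samples mirror its hostD/hpntcdn case."""

COMMENT = "#;"  # krb5.conf and smb.conf honour only whole-line comments


def _kv(line, where):
    """Split 'key = value'; a trailing '# comment' would become part of the value."""
    key, sep, value = line.partition("=")
    if not sep:
        raise ValueError("%s: unparseable line %r" % (where, line))
    if any(c in value for c in COMMENT):
        raise ValueError("%s: %r would swallow a trailing comment" % (where, line))
    return " ".join(key.split()), value.strip()


def parse_krb5_conf(text):
    """MIT 'profile' syntax: [section], key = value, and key = { ... } blocks."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT:
            continue
        if line.startswith("["):
            if len(stack) > 1:  # a '{' block was never closed
                raise ValueError("krb5.conf: unterminated '{' block before %s" % line)
            stack = [sections.setdefault(line.strip("[]"), {})]
        elif line == "}" and len(stack) > 1:  # '}' closes a block only on its own line
            stack.pop()
        elif not stack:
            raise ValueError("krb5.conf: %r outside any [section]" % line)
        else:
            key, value = _kv(line, "krb5.conf")
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("krb5.conf: unterminated '{' block at end of file")
    return sections


def parse_smb_conf(text):
    """Samba ini syntax -> ({share: {param: value}}, [params defined twice])."""
    shares, current, dups = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in COMMENT:
            continue
        if line.startswith("["):
            current = shares.setdefault(line.strip("[]").lower(), {})
            continue
        if current is None:
            raise ValueError("smb.conf: %r outside any [section]" % line)
        key, value = _kv(line, "smb.conf")
        key = key.lower()  # Samba ignores case and spacing in parameter names ...
        if key in current:  # ... and silently keeps the last of duplicate definitions
            dups.append(key)
        current[key] = value
    return shares, dups


def check_member_server(krb5_text, smb_text):
    """Return the problems found; [] means krb5.conf and smb.conf agree."""
    try:
        krb5, (shares, dups) = parse_krb5_conf(krb5_text), parse_smb_conf(smb_text)
    except ValueError as e:
        return [str(e)]
    glob, realm = shares.get("global", {}), krb5.get("libdefaults", {}).get("default_realm")
    kdc = krb5.get("realms", {}).get(realm, {}).get("kdc", "")
    checks = [
        (realm in krb5.get("realms", {}), "krb5.conf: default_realm %r has no [realms] entry" % realm),
        (kdc.endswith(":88"), "krb5.conf: kdc %r for %s lacks the :88 port suffix" % (kdc, realm)),
        (realm in krb5.get("domain_realm", {}).values(),
         "krb5.conf: nothing in [domain_realm] maps to %r" % realm),
        (glob.get("realm") == realm,
         "smb.conf: realm %r != krb5.conf default_realm %r" % (glob.get("realm"), realm)),
        (glob.get("security", "").lower() == "ads", "smb.conf: security must be ads for a member server"),
    ] + [(False, "smb.conf: %r defined more than once, last value wins" % d) for d in dups]
    return [msg for ok, msg in checks if not ok]


KRB5_CONF = """[libdefaults]
default_realm = CIFSW2KSFU.ORG.HP.COM
[realms]
CIFSW2KSFU.ORG.HP.COM = {
kdc = hpntcdn.org.hp.com:88
admin_server = hpntcdn.org.hp.com
}
[domain_realm]
.org.hp.com = CIFSW2KSFU.ORG.HP.COM
"""
SMB_CONF = ("[global]\nworkgroup = CIFSW2KSFU\nrealm = CIFSW2KSFU.ORG.HP.COM\n"
            "security = ads\nnetbios name = hostD\n")
# Mistakes the checks catch: realm mismatch, duplicate parameter, '}' sharing a line, inline comment.
BAD_SMB_CONF = SMB_CONF.replace("realm = CIFS", "realm = HPCIFS") + "security = ADS\n"
BAD_KRB5_CONF = KRB5_CONF.replace("hpntcdn.org.hp.com\n}", "hpntcdn.org.hp.com }")
COMMENTED_KRB5_CONF = KRB5_CONF.replace(".HP.COM\n[realms]", ".HP.COM  #Samba Domain\n[realms]")

if __name__ == "__main__":
    for krb, smb in ((KRB5_CONF, SMB_CONF), (KRB5_CONF, BAD_SMB_CONF), (BAD_KRB5_CONF, SMB_CONF)):
        print(check_member_server(krb, smb) or "OK")
```

To run it against the real files after editing either of them, call check_member_server(open("/etc/krb5.conf").read(), open("/etc/smb.conf").read()); an empty list means the two files agree on the realm and KDC, and otherwise the first message names the file and line to fix. The parser deliberately refuses a value containing # or ; instead of silently keeping it, because that is the mistake that is hardest to see in a log file: the client simply reports an unknown realm.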
© 2007 Hewlett-Packard Development Company, L.P.