HP CIFS Client A.02.02 Administrator’s Guide HP-UX 11i v1 and v2 Manufacturing Part Number : B8724-90079 April, 2006 U.S.A. © Copyright 2006 Hewlett-Packard Company, L.P.


HP CIFS Client A.02.02 Administrator’s Guide

HP-UX 11i v1 and v2

Manufacturing Part Number : B8724-90079

April, 2006

U.S.A.

© Copyright 2006 Hewlett-Packard Company, L.P.


Legal Notices

The information in this document is subject to change without notice.

Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty

A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

U.S. Government License

Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

PAM NTLM includes a library derived from the Open Source Samba product. This library is subject to the GPL license. For detailed information, refer to the GPL license in Chapter 12 of the CIFS/9000 Server manual.

Copyright Notices

Copyright 2006 Hewlett-Packard Company L.P. All rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

Trademark Notices

UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.


Contents

1. Introduction to the HP CIFS Client
    Introduction to HP CIFS
        What is the CIFS Protocol?
    HP CIFS Client Description
    HP CIFS Client Features
        CIFS UNIX Extensions
        NTLM PAM Integration
        Kerberos Authentication: Integration with System Kerberos Cache
        AutoFS 2.3 Support for HP CIFS Client
        Support for Internationalized Clients
        NTLM, NTLMv2 Password Encryption
        Packet Signing
        NetBIOS Name Services, WINS, and DNS
        Microsoft Distributed File System
        Dynamically Loadable Kernel Module
        SMB Over TCP

2. Installing, Configuring, and Using the HP CIFS Client
    Overview of HP CIFS Client Installation and Configuration
    Step 1: Checking HP CIFS Client Installation Prerequisites
    Step 2: Installing HP CIFS Client and PAM Software
        Installing From CD
        Installing From a Software Depot File
    Step 3: Configuring the HP CIFS Client
        Editing cifsclient.cfg
    Step 4: Starting and Stopping the HP CIFS Client Daemon
    Using the HP CIFS Client
        Mounting and Logging in in One Step
        CIFS Client Logging
    Automatic Mounting of CIFS Filesystems
        Using /etc/fstab
        Storing Mounts in the CIFS Client Mount Database
    Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration
    HP CIFS Client Files and Directories

3. CIFS Security and Authentication
    Introduction
        Authentication Methods
        Configuration Settings For Authentication
    User Login Procedures
    Introduction To Kerberos
        Requirements and Limitations Using Kerberos
    Using Kerberos with the HP CIFS Client
        Step 1. Review fundamental Kerberos Operating Principals
        Step 2. Set Up and Verify the Kerberos Infrastructure
        Step 3. Configure Kerberos on the HP CIFS Client
    CIFS Client Kerberos Authentication Policies
        Explicit login: cifslogin
        Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)
        Ticket Lifetime
    Packet Signing
        Configuring Packet Signing with HP CIFS Client

4. Migrating From HP CIFS Client A.01 to A.02
    Migrating from version A.01.* to A.02.* of HP CIFS Client
        Special Instructions For Users of HP CIFS Client Versions A.01.*
        Preserving Data From A.01 Installations
        Reverting to Version A.01
    Functionality Differences Between HP CIFS Client A.01.* and A.02.*
    Configuration Differences Between HP CIFS Client A.01.* and A.02.*
        Comments in Configuration File
        Configuration Parameter Differences
    Command Option Differences Between HP CIFS Client A.01.* and A.02.*

5. Commandline Utilities
    cifsclient
        Synopsis
        Description
        Commands
        Files
        See Also
    cifsmount
        Synopsis
        Description
        Options
        Examples
        Files
        See Also
    cifslogin
        Synopsis
        Description
        Options
        Examples
        Files
        See Also
    cifsumount
        Synopsis
        Description
        Options
        See Also
    cifslogout
        Synopsis
        Description
        See Also
    cifslist
        Synopsis
        Description
        Options
        Sample cifslist Output
    cifsdb
        Synopsis
        Description
        Options
        Files
        See Also
    mount_cifs, umount_cifs
        Synopsis
        Description
        Options
        Files
        See Also

6. Troubleshooting and Error Messages
    Troubleshooting FAQs
        How to Shutdown the Daemon with cifsclient stop
        What to Do if the Daemon Terminates
    Troubleshooting Kerberos in the HP CIFS Client
    Troubleshooting cifsmount or mount in the HP CIFS Client
        How to Do if the HP CIFS Client DLKM is Unused
        How to Do if You Encounter the Error Message: “Device Busy”
    CIFS Client Log File and Log Levels

7. Configuration File
    General Structure
    Configuration Parameters

8. PAM NTLM
    Introduction
    PAM NTLM
        PAM NTLM Features
        User Map File
    PAM NTLM Configuration
        Configuring the PAM NTLM Module
        Configuring a User Map File
        Using NIS Distribution of the User Map File

Index


Preface: About This Document

The latest version of this document can be found online at:

http://www.docs.hp.com

This document describes how to install, configure, and troubleshoot HP CIFS Client on HP-UX platforms.

The document printing date and part number indicate the document’s current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details.

Intended Audience

This document is intended for system and network administrators responsible for installing, configuring, and managing HP CIFS Client. Administrators are expected to have knowledge of the HP CIFS Client product.

New and Changed Documentation in This Edition

Information about CIFS Client Dynamically Loadable Kernel Module (DLKM) support was added.

Information about Microsoft Distributed File System (MS DFS) support was added.

Information about the CIFS Client configuration parameters and command options was updated.

Information about the SMB over TCP support using port number 445 was added.


Publishing History

Table 1 Publishing History Details

Document Manufacturing    Operating Systems       Supported Product    Publication
Part Number               Supported               Versions             Date
B8724-90079               11i v1 and v2           A.02.02              April 2006
B8724-90067               11i v1 and v2           A.02.01              April 2005
B8724-90044               11.0, 11i v1 and v2     A.01.09              August 2003
B8724-90022               IA 11.22                A.01.08              June 2002
B8724-90011               11.0, 11i v1 and v2     A.01.06              June 2001

What’s in This Document

This manual describes how to install, configure and troubleshoot the HP CIFS Client software product.

The manual is organized as follows:

Chapter 1: Introduction to the HP CIFS Client
Use this chapter to learn the HP CIFS Client product features, requirements and limitations.

Chapter 2: Installing, Configuring, and Using the HP CIFS Client
Use this chapter to learn how to install, configure, and use the HP CIFS Client software.

Chapter 3: CIFS Security and Authentication
Use this chapter to understand the CIFS security and authentication methods.


Chapter 4: Updating HP CIFS Client A.01.* to A.02.*
This chapter describes the configuration parameter and command option differences between HP CIFS Client A.01.* and A.02.*. It also provides the update procedures so that you can plan and upgrade your CIFS Client.

Chapter 5: Commandline Utilities
Use this chapter to learn about UNIX man pages for all HP CIFS Client utilities.

Chapter 6: Troubleshooting the HP CIFS Client
Use this chapter to understand the detailed procedures to help diagnose HP CIFS Client problems.

Chapter 7: Configuration File
Use this chapter for a list of all configuration variables if you want to customize the HP CIFS Client software.

Chapter 8: PAM NTLM
Use this chapter to understand detailed information about the PAM NTLM authentication service.

Typographical Conventions

This document uses the following conventions.

Italics: Identifies titles of documentation, filenames and paths.

Bold: Text that is strongly emphasized.

monotype: Identifies program/script, command names, parameters or display.

HP Encourages Your Comments

HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs.

Please send comments to: [email protected]

Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.


1 Introduction to the HP CIFS Client

This chapter provides an HP CIFS Client description.


It contains the following sections:

• Introduction to HP CIFS.

• HP CIFS Client Description.

• HP CIFS Client Features.


Introduction to HP CIFS

HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX.

The HP CIFS Server is based on the well-established open-source software Samba, and provides file and print services to CIFS clients including Windows, other CIFS clients, and HP-UX machines running HP CIFS Client software.

The HP CIFS Client enables HP-UX users to mount shares from CIFS file servers, including Windows servers and HP-UX machines running HP CIFS Server, as UNIX filesystems. The HP CIFS Client also offers an optional Pluggable Authentication Module (PAM) that implements the Windows NT LAN Manager (NTLM) authentication protocols. When installed and configured within HP-UX’s PAM facility, PAM NTLM allows HP-UX users to be authenticated against a Windows authentication server.

What is the CIFS Protocol?

CIFS had its beginnings in the networking protocols, sometimes called Server Message Block (SMB) protocols, that were developed by IBM in the late 1980s. SMB is the native file-sharing protocol used by Microsoft Windows.

CIFS is simply a renaming of SMB; CIFS and SMB are the same. (Microsoft now emphasizes the use of CIFS, although references to SMB still occur.) CIFS is also widely available on UNIX, Linux, Macintosh, and other platforms.

CIFS is a remote file access protocol; it provides access to files on remote systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.

HP CIFS uses the CIFS protocol from the HP-UX machines, which enables directories from HP-UX servers to be mounted onto Windows machines and vice versa.


PAM NTLM

The HP-UX PAM subsystem gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The framework also allows new authentication service modules to be plugged in and made available without modifying the applications.

The PAM framework, libpam, consists of an interface library and multiple authentication service modules. The authentication service modules are a set of dynamically loadable objects invoked by the PAM API to provide a particular type of user authentication.

NT LAN Manager (NTLM) is the protocol by which CIFS clients are authenticated by CIFS servers. PAM NTLM is a PAM module that implements the NTLM protocol. It enables users logging in to an HP-UX system to have access to CIFS-mounted file systems without having to use the cifslogin command.


HP CIFS Client Description

HP CIFS Client implements the CIFS protocols on HP-UX so that HP-UX users may mount shares from CIFS servers as UNIX filesystems.


HP CIFS Client Features

Following is a list of the HP CIFS Client major features:

• CIFS UNIX Extensions

• NTLM PAM Integration

• Kerberos Authentication, Integration with System Kerberos Cache

• ONC AutoFS 2.3 Support

• Support for Internationalized Clients

• NTLM, NTLMv2 Password Encryption

• Packet Signing

• NetBIOS Name Services, WINS, and DNS Support

• Support for Microsoft Distributed File System (MS DFS)

• Support for Dynamically Loadable Kernel Module (DLKM)

• Support for SMB over TCP using port 445

CIFS UNIX Extensions

CIFS UNIX Extensions enable the CIFS Client and Samba server to implement standard UNIX file system features. These include:

• UNIX permission modes

• File ownership based on UNIX UIDs and GIDs

• Symbolic links and hard links

• Standard UNIX timestamps for file access, change, and modification

• Other data contained in the UNIX stat(2) data structure

NOTE: This feature only works with CIFS servers that support CIFS UNIX extensions.


NTLM PAM Integration

NT LAN Manager (NTLM) is the default protocol by which CIFS clients are authenticated by CIFS servers. When used in conjunction with HP's NTLM Pluggable Authentication Module (PAM) and the HP CIFS Client, users who log in to an HP-UX system will automatically have access to CIFS-mounted file systems provided that PAM NTLM and the CIFS server are using the same database.

Kerberos Authentication: Integration with System Kerberos Cache

The CIFS Client supports the Kerberos authentication mechanism. Kerberos is a secure, industry-standard authentication protocol. It provides significant improvements over the older NTLM protocol traditionally used by CIFS Clients and Servers. The CIFS servers in your network must support Kerberos in order for you to take advantage of Kerberos support in the HP CIFS Client. Kerberos must be properly configured both on the HP-UX host on which the Client runs and on your network.

An additional feature is that the HP CIFS Client is integrated with the system Kerberos cache. If the HP-UX host uses PAM Kerberos or other Kerberos-aware programs that utilize the system Kerberos cache, such as kinit(1), the CIFS Client can utilize these cached credentials to provide automatic access to mounted CIFS servers without explicit user-initiated authentication for each server.

AutoFS 2.3 Support for HP CIFS Client

AutoFS is a service, part of the HP ONC product set, that automatically mounts or unmounts filesystems with near-transparency to the end users. The latest version of AutoFS 2.3 supports the mount and unmount of the HP CIFS Client mounted filesystems. AutoFS 2.3 can automatically perform direct and indirect mounts of the HP CIFS filesystems. AutoFS 2.3 only supports the HP CIFS Client with direct and indirect map files; it doesn’t support CIFS Client with special or executable map files, or with multiple (replicated) servers.


In order to provide HP CIFS Client AutoFS support, AutoFS 2.3 must be installed and configured on the system. For detailed information on installing and configuring AutoFS, please refer to “Configuring and Administering AutoFS” in NFS Services Administrator’s Guide on HP-UX at http://www.docs.hp.com.

NOTE: Automounting a CIFS filesystem using the HP ONC+ AutoFS service is only supported on HP-UX release 11i v1 and v2. If you have the HP-UX 11i v1 system, you must install the ONC software package, Enhanced AutoFS, available at http://software.hp.com to enable the AutoFS 2.3 support. AutoFS doesn’t support HP CIFS Client on HP-UX release 11.0.

Support for Internationalized Clients

The CIFS Client is designed to work with a variety of internationalized clients and servers. It can use Unicode to transmit multi-byte characters on the network, or any of several character encoding tables located in /etc/opt/cifsclient/unitables. See the README file in that directory for an index of the tables.

NTLM, NTLMv2 Password Encryption

NTLM is a challenge-response protocol. The server sends a challenge key to the client, which the client returns to the server encrypted with the user’s password. The server performs the same encryption and verifies that the client’s request matches. No semblance of the user’s password is transmitted over the network. The CIFS Client supports NTLM and NTLMv2. NTLM version 2 (NTLMv2) uses the same challenge-response protocol, but it provides more sophisticated encryption algorithms than NTLM, and hence better password protection.
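The exchange described above, written out for NTLMv2 as an added Python example (not code from HP or from the original guide). NTLMv2 computes a keyed hash (HMAC-MD5) over the challenge rather than encrypting it; the account name, domain, NT hash, timestamp and the simplified response blob below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample account data (not from the guide). The NT hash is the
# password-derived secret known to the client and to the authentication
# server; here it is a labelled 16-byte test value, not a real credential.
USER, DOMAIN = "alice", "EXAMPLE"
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")


def ntlmv2_key(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key: HMAC-MD5 keyed by the NT hash over the
    upper-cased user name followed by the domain, both UTF-16LE."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def build_blob(client_challenge: bytes, timestamp: int) -> bytes:
    """Client-side data hashed together with the server challenge: version
    bytes, a timestamp and an 8-byte client challenge. Target information
    is left empty here to keep the example short."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 8)


def client_response(nt_hash, user, domain, server_challenge, blob) -> bytes:
    """Client side: prove knowledge of the secret for this challenge only."""
    key = ntlmv2_key(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_hash, user, domain, server_challenge, response) -> bool:
    """Server side: repeat the computation from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    key = ntlmv2_key(stored_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def run_exchange() -> dict:
    server_challenge = os.urandom(8)            # fresh for every login
    blob = build_blob(os.urandom(8), timestamp=132_000_000_000_000_000)
    response = client_response(NT_HASH, USER, DOMAIN, server_challenge, blob)
    wrong = client_response(bytes(16), USER, DOMAIN, server_challenge, blob)
    return {
        # Correct secret, same challenge: accepted.
        "valid_login": server_verify(NT_HASH, USER, DOMAIN, server_challenge, response),
        # Response built from a different secret: rejected.
        "wrong_password": server_verify(NT_HASH, USER, DOMAIN, server_challenge, wrong),
        # An old response presented against a new challenge: rejected.
        "replayed": server_verify(NT_HASH, USER, DOMAIN, os.urandom(8), response),
        # The secret itself never appears in what crosses the network.
        "secret_on_wire": NT_HASH in response,
    }


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(f"{name}: {value}")
```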

Packet Signing

The purpose of CIFS packet signatures is prevention of man-in-the-middle attacks: the client and server are mutually assured of the other’s identity by requiring a unique signature on each SMB packet.


In the CIFS protocol, packet signing is negotiated when the client makes its initial connection to the server. Starting with the first user login to the server, all SMB packets between the client and server must be signed.

See “Packet Signing” on page 53 for a description of the smbPacketSigning configuration parameter.
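How a per-packet signature lets each side reject altered, forged or replayed packets, as an added Python example that is not part of the original guide or HP's code. It follows the classic CIFS signing scheme (MD5 over the signing key plus the whole message, first 8 bytes kept, with a sequence number standing in for the signature while hashing); the key, the payloads and the Receiver helper are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET, SIG_LEN = 14, 8     # signature field inside the 32-byte SMB header
MAC_KEY = bytes(range(16))      # constructed sample key; the real key is derived at login
OTHER_KEY = bytes(16)           # constructed key of a party that never logged in


def build_smb(command: int, payload: bytes) -> bytes:
    """Constructed minimal SMB message: 32-byte header with a zeroed
    signature field, followed by an illustrative payload."""
    return b"\xffSMB" + bytes([command]) + b"\x00" * 27 + payload


def _signature(message: bytes, mac_key: bytes, seq: int) -> bytes:
    # The sequence number replaces the signature field while hashing, so a
    # packet is only valid at one position in the conversation.
    seq_field = struct.pack("<I", seq) + b"\x00" * 4
    staged = message[:SIG_OFFSET] + seq_field + message[SIG_OFFSET + SIG_LEN:]
    return hashlib.md5(mac_key + staged).digest()[:SIG_LEN]


def sign(message: bytes, mac_key: bytes, seq: int) -> bytes:
    """Return the message with its signature field filled in."""
    sig = _signature(message, mac_key, seq)
    return message[:SIG_OFFSET] + sig + message[SIG_OFFSET + SIG_LEN:]


def verify(message: bytes, mac_key: bytes, expected_seq: int) -> bool:
    """Recompute the signature for the expected sequence number and compare."""
    received = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _signature(message, mac_key, expected_seq))


class Receiver:
    """Hypothetical helper: tracks the sequence number the next request must carry."""

    def __init__(self, mac_key: bytes, first_seq: int = 0):
        self.mac_key, self.expected = mac_key, first_seq

    def accept(self, message: bytes) -> bool:
        ok = verify(message, self.mac_key, self.expected)
        if ok:
            self.expected += 2  # the number in between belongs to the reply
        return ok


def run_demo() -> dict:
    server = Receiver(MAC_KEY)
    first = sign(build_smb(0x2F, b"write: quarterly.txt"), MAC_KEY, 0)
    second = sign(build_smb(0x2F, b"write: notes.txt"), MAC_KEY, 2)

    tampered = bytearray(second)
    tampered[-1] ^= 0x01        # one payload bit changed in transit
    forged = sign(build_smb(0x2F, b"write: notes.txt"), OTHER_KEY, 2)

    return {
        "first": server.accept(first),                # signed, in sequence
        "tampered": server.accept(bytes(tampered)),   # contents no longer match
        "forged": server.accept(forged),              # signed without the session key
        "replayed": server.accept(first),             # old packet, stale sequence number
        "second": server.accept(second),              # genuine packet still accepted
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {'accepted' if value else 'rejected'}")
```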

NetBIOS Name Services, WINS, and DNS

HP CIFS Client A.02.01 or later supports DNS and the NetBIOS Name Services, including WINS, a Windows name resolution service similar to DNS. The configuration parameters lookupTryNetbios, lookupTryDns and nbnsWinsIP are used to configure which lookup mechanisms are used. For detailed information, see “Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration” on page 37.

Microsoft Distributed File System

The HP CIFS Client A.02.02 supports the Microsoft Distributed File System (MS DFS). DFS is a network server component that enables administrators to build a single, hierarchical view of multiple file servers and file server shares on their network. DFS unites files on different computers into a single name space and provides a way to separate the logical view of files and directories that users see from their actual physical locations on the network.

DFS comprises three major components: the DFS Root, one or more DFS links, and the DFS client. A DFS Root is a special share on a CIFS Server that serves as the starting point for DFS functionality. A DFS link is a special directory within the DFS Root that maps to another CIFS share on the same or a different server. A DFS client is a CIFS client which is capable of processing DFS links. When the DFS client accesses a DFS link, it sends a request for the CIFS share that the DFS link maps to, and establishes a connection to that CIFS share.

The HP CIFS Client supports the following DFS servers:

• Windows NT

• Windows 2000/2003

• HP CIFS Server


For information on how to set up DFS on a CIFS server, consult your CIFS server documentation.

The following describe the major features of DFS:

• High data availability

Multiple copies of read-only shares can be mounted under the same logical DFS name to provide alternate locations for accessing data. If one of the copies becomes unavailable, an alternate is automatically selected.

• Load balancing

Multiple copies of read-only shares on separate disk drives or servers can be mounted under the same logical DFS name, thus permitting limited load balancing between drives or servers.

• Name and location transparency

DFS transparently links server volumes and shares into a single name space. You can navigate the logical name space without consideration to the physical location of your data.

• Integration with Windows NT security model

There are no additional administrative or security issues. Users who connect to DFS shares are only permitted to access files for which they have appropriate rights on that share.

Limitations

CIFS Client MS DFS support has the following limitations:

• Moving files across DFS links is not supported.

• Before the CIFS Client connects to a DFS Root on an HP CIFS Server (Samba), CIFS UNIX Extensions must be disabled on either the CIFS Client or Server.

Dynamically Loadable Kernel Module

The kernel component of the HP CIFS Client is implemented as a Dynamically Loadable Kernel Module (DLKM). Both static binding and dynamic loading are supported. Dynamic loading can be demand-loading or auto-loading. With DLKM support, installation, removal, and update of the HP CIFS Client do not require a system reboot.


The HP CIFS Client supports the following kernel module states:

• Auto: The module will be dynamically loaded the first time it is used.

• Static: The module is statically linked into the kernel.

• Loaded: The module is dynamically loaded and running in the kernel.

• Unused: The module is not loaded in the kernel.

• Best: A state that selects the following order of preference: auto, static, loaded, unused.

By default, the kernel module state is auto. The HP CIFS Client kernel module will be dynamically loaded when the first CIFS file system mount is performed. You may use the kcmodule command to change the kernel configuration state. Ensure you understand the effects of any changes if you want to modify the kernel configuration state. Refer to the kcmodule(1M) man page for details.

NOTE HP CIFS Client DLKM support is available only on HP-UX release 11i v2 or later.

SMB Over TCP

This feature eliminates the use of the NetBIOS Session Service in CIFS client-server connections. This is the default on current Windows clients. SMB-over-TCP is turned off by default in the HP CIFS Client. This feature is not supported by Windows NT servers. For detailed information on how to configure this feature in networks with and without NT servers, see the smbOverTCP parameter in Chapter 7, “Configuration File,” on page 99.


2 Installing, Configuring, and Using the HP CIFS Client

This chapter describes the procedures for installing HP CIFS Client software on your system.


It contains the following sections:

• “Overview of HP CIFS Client Installation and Configuration”

• “Step 1: Checking HP CIFS Client Installation Prerequisites”

• “Step 2: Installing HP CIFS Client and PAM Software”

• “Step 3: Configuring the HP CIFS Client”

• “Step 4: Starting and Stopping the HP CIFS Client Daemon”

• “Using the HP CIFS Client”

• “Automatic Mounting of CIFS Filesystems”

• “Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration”

• “HP CIFS Client Files and Directories”


Overview of HP CIFS Client Installation and Configuration

Installation of the HP CIFS Client includes checking installation prerequisites, loading the HP CIFS Client filesets using the swinstall(1M) utility, and completing HP CIFS configuration procedures.

The CIFS Client and PAM NTLM products are delivered in the same bundle, packaged for installation via HP Software Distributor (SD). HP recommends that both products be installed at the same time. This is not a requirement, as each one can also be installed and run as a standalone product. To install and remove software, use the HP-UX commands swinstall(1M) and swremove(1M). Detailed information on these commands is provided in the HP-UX man pages.

The CIFS Client forces a system reboot during installation and removal. The CIFS Client modifies the kernel so that it will recognize CIFS as a mountable filesystem.

When you install the bundles for the HP CIFS Client, there will be two products for you to install. The first one is the HP CIFS client software and the second one (optional) is the NTLM PAM module.

NOTE You can download the HP CIFS Client software, available at http://software.hp.com.


Step 1: Checking HP CIFS Client Installation Prerequisites

Prior to loading the HP CIFS Client software onto your system, check that you have met the following hardware and software prerequisites:

1. The HP CIFS client runs on all HP workstations and Servers that are capable of running HP-UX version 11.11 or later, in either 32-bit or 64-bit mode. No specific system patches are required for the HP CIFS Client. See item 3 below.

2. The Kerberos libraries, libkrb5.sl and libcom_err.lib, must be present on your system. For HP-UX version 11i (B.11.11) and future releases, these libraries should be on your system by default as part of your base HP-UX operating system installation. However, on HP-UX version 11.0 (B.11.00), these libraries may not be present (check in /usr/lib). To acquire these libraries, install the product PAM Kerberos, available at http://software.hp.com

3. Check that you have the latest PAM library patch. Patches are available at HP’s online patch catalogue; search for “libpam”. You can use the swlist command to list software installed on your system. If a General Release patch is listed, you can check its contents for PAM patches with the following command:

swlist -l fileset _patch-name_ | grep -i pam

Refer to the HP CIFS Client release notes for information about patch dependencies.

4. You must log in as a user with root privileges to perform the installation.

NOTE If you are currently using an A.01.* version of the HP CIFS Client, read the “Migrating from version A.01.* to A.02.* of HP CIFS Client” on page 57 before installing any A.02.* version.


Step 2: Installing HP CIFS Client and PAM Software

You must have root privileges to install software on your HP-UX system. Because the CIFS Client contains a kernel module, the installation reboots the system upon completion.

Installing From CD

If you are installing HP CIFS Client and PAM software from CD, run swinstall, and select HP CIFS Client or PAM NTLM (or both) from the CD ROM depot path.

Installing From a Software Depot File

If you are installing from a depot file, such as those downloadable from http://software.hp.com, enter the following at the command line:

swinstall options -s /path/filename B8724AA

where

options is -x autoreboot=true -x mount_all_filesystems=false.

path must be an absolute path; it must start with /, for example, /tmp.

filename is the name of the downloaded depot file, usually a long name of the form:

B8724AA_A.02...HP-UX_B.11...32+64.depot

An Example

For example, to install the HP CIFS Client bundle version A.02.01 on an HP-UX 11i v2 system from a downloaded depot file, enter the command line as shown below:

swinstall -x autoreboot=true -x mount_all_filesystems=false \
-s /tmp/B8724AA_A.02.01_HP-UX_11.23_IA+PA.depot B8724AA


Step 3: Configuring the HP CIFS Client

The configuration file for the HP CIFS Client, /etc/opt/cifsclient/cifsclient.cfg, can be used as delivered, with no modification of its default values.

Editing cifsclient.cfg

The file /etc/opt/cifsclient/cifsclient.cfg.default contains factory default settings. The user is urged not to modify this file but to save it as a reference.

If appropriate, edit cifsclient.cfg as described below.

1. To enable WINS lookups, set the parameter nbnsWinsIp to the IP address of the WINS server. See “Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration” on page 37 for details.

2. Configure Internationalized Clients.

The CIFS Client is designed to work with a variety of internationalized clients and servers. It can use Unicode to transmit multi-byte characters on the network, or any of several character encoding tables located in /etc/opt/cifsclient/unitables. See the README file in that directory for an index of the tables.

Each table is a character map file which can be configured for encoding file and directory names on the client or server (file contents are not affected). The character set displayed on the CIFS Client console is configured with the parameter clientCharMapFile, which selects any one of the many character mapping files provided with the product. Character translations for communications with CIFS Servers can be done either in Unicode or through the configuration parameter serverCharMapFile, which also is used to select a character mapping file. Use of Unicode is turned on and off with the useUnicode parameter.

The default settings in cifsclient.cfg are:

serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapCP437.cfg";

clientCharMapFile = "/etc/opt/cifsclient/unitables/unimap8859-1.cfg";


If, for example, your CIFS Client is configured as a Japanese system using the Shift-JIS locale, and it is connected to a Japanese CIFS Server that also uses Shift-JIS, you would configure the following:

serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";

clientCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";

3. Authentication Method

The authenticationMethod parameter should be set to ntlm or kerberos. See “Using Kerberos with the HP CIFS Client” in Chapter 3 for details.

4. NTLM Password Encryption

For servers with which Kerberos is not used, you can set the configuration parameter ntlmEncryptionVersion to ntlm or ntlmv2 to determine which NTLM version to use. See “Configuring Authentication” in Chapter 3 for details.

5. Server-Specific Configuration

The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to NTLM, but you want to ensure that server cifshostA uses only NTLMv2, you can create the following section (within the enclosing "servers" section; see also the example at the end of the CIFS Client configuration file):

cifshostA = {
    ntlmEncryptionVersion = ntlmv2;
};


Step 4: Starting and Stopping the HP CIFS Client Daemon

Use the cifsclient command to start and stop the HP CIFS client.

The syntax is:

cifsclient {start|stop}

cifsclient with no argument is equivalent to cifsclient start. If the HP CIFS client is already running when you execute the command, you will get a message indicating it is already up.

Use the stop option of the cifsclient command to stop the HP CIFS Client.

When the CIFS Client is shut down, it first attempts to unmount all of the CIFS shares. If any unmount fails, the shutdown is not completed.

See the cifsclient man page in the Commandline Utilities chapter for details.


Using the HP CIFS Client

This section presents a summary of how the HP CIFS Client can be used. The basic procedure is (1) start the daemon, (2) mount shared directories, (3) log in to CIFS Servers. Following are examples of these steps and some additional useful tips:

1. Start the daemon.

Normally the system administrator, logged in as root, enters this command at system startup:

$ cifsclient start
CIFS Client started; process id: 12783

To check status at any time:

$ cifsclient status
path: /opt/cifsclient/sbin/cifsclientd
version: FILESET HP CIFS CLIENT: Version: A.02.01
Compiled on HP-UX B.11.11, s785/C360, 03/05/30,13:34:15
cifsclientd: ver_id=1291218999
cksum: 2781544263
status: CIFS Client is up; process id 12783,
started Apr 13
mntck: ok

You can configure your HP-UX system to start the CIFS Client automatically at bootup by editing the file /etc/rc.config.d/cifsclient such that the run flag is set to 1: RUN_CIFSCLIENT=1. There must be no spaces on either side of the equal sign. If you use this option, you can still stop and restart the HP CIFS Client after the system boots up.

2. Mount and unmount shares on a CIFS server.

This must be done by root. Remote directories to be mounted by the HP CIFS Client must be configured as shares on the HP CIFS server.

In the following example, the share source, configured as a share on the HP CIFS server buildsys, is mounted by the CIFS Client using the directory /home/devl/source as the mount point. The directory used as the mount point must already exist and must be specified as an absolute path.


To mount:

$ mount -F cifs buildsys:/source /home/devl/source

To unmount, specify only the mount point:

$ umount /home/devl/source

3. Access the shared directory via the mount point on the Client.

The CIFS protocol allows access to mounted directories only to users who have been authenticated by the server or a domain controller. This is accomplished through the cifslogin command.

In the examples that follow, the share source has been configured on the server. The joe user on the Client wants to access the shared directory on buildsys. This is first attempted by changing directories to the mount point, but without first logging into the server (this fails).

Then, by logging into buildsys with the cifslogin command, the user is authenticated by buildsys and can access its shared source directory through the CIFS Client’s mount point. Note that the user name used to log in to the CIFS Server can be different from the current HP-UX login name at the Client. The account and password pair used in cifslogin must exist on the system that performs the authentication.

Further, if the server is an HP-UX system, all users on the Client that access the Server should have the same uid on both systems, so that file ownership is consistent.

$ whoami
joe
$ cd /home/devl/source
sh: /home/devl/source: not found

This fails because the user has not yet logged into the CIFS Server buildsys.

$ cifslogin buildsys joe
Remote user joe’s password: *****


This succeeds. You can use the cifslist command to verify the results. The cifslist command without any option displays servers with their shares and mountpoints; it uses the \\server\share format for mounted objects.

$ cifslist

Mounted Object          Mountpoint              State
-------------------------------------------------------------
\\buildsys\source       /home/devl/source       M
=============================================================
Server      Local User      Remote User     Domain      State
-------------------------------------------------------------
buildsys    joe             joe                         L

If you use the cifslist -x command to verify the results, the output shows servers with shares and mountpoints information using UNIX format: server:/share for mounted objects.

$ cifslist -x

Mounted Object          Mountpoint              State
-------------------------------------------------------------
buildsys:/source        /home/devl/source       M
=============================================================
Server      Local User      Remote User     Domain      State
-------------------------------------------------------------
buildsys    joe             joe                         L

$ cd /home/devl/source

This succeeds because of the cifslogin above.

Using the example above (source is mounted and user joe is authenticated on buildsys), a user named lucy accesses the mount as follows:

$ cifslogin buildsys lucy

Remote user lucy’s password: *****

You can use the cifslist command to verify results:


$ cifslist

Mounted Object          Mountpoint              State
-------------------------------------------------------------
\\BUILDSYS\source       /home/devl/source       M
=============================================================
Server      Local User      Remote User     Domain      State
-------------------------------------------------------------
buildsys    joe             joe                         L
buildsys    lucy            lucy                        L

Note that the Local User (the HP-UX account name) does not need to be the same as the Remote User (the CIFS server account name). In the previous example, if the local (HP-UX) user lucy has the CIFS account name lucille, she would log in as follows:

$ cifslogin buildsys lucille

Remote user lucille’s password: *****

You can use the cifslist command to show results:

$ cifslist

Mounted Object          Mountpoint              State
-------------------------------------------------------------
\\BUILDSYS\source       /home/devl/source       M
=============================================================
Server      Local User      Remote User     Domain      State
-------------------------------------------------------------
buildsys    joe             joe                         L
buildsys    lucy            lucille                     L

For more detailed information on how to use the cifslist command to view the internal tables of HP CIFS Client, see Chapter 5, “Commandline Utilities,” on page 69.


Mounting and Logging in in One Step

The root user has the option to mount a CIFS filesystem and log in to the CIFS Server in one step, eliminating the need to explicitly issue the cifslogin command. Using the names from the examples above:

$ mount -F cifs -o username=x,password=y buildsys:/source /home/devl/source

where x and y are the name and password pair recognized by the server.

The cifsmount command can perform the same function. Using the names from the examples above:

$ cifsmount -U <username> [-P<password>] //buildsys/source \
/home/devl/source

If you do not specify -P password on the command line, cifsmount prompts you for a password.

CIFS Client Logging

The CIFS Client produces a log file of its activities. Various levels of logging can be turned on or off, for example, the activities of different modules within the software. See the “CIFS Client Log File and Log Levels” on page 98 for detailed information.


Automatic Mounting of CIFS Filesystems

In addition to the mount command discussed in the previous section, which was used to explicitly create a single mount, there are other methods to manage the mounting of CIFS file systems. See the reference for mount_cifs and umount_cifs in Chapter 6 for syntax details not contained in this section.

Using /etc/fstab

By creating entries in /etc/fstab you can mount CIFS filesystems automatically at boot time, or mount multiple CIFS file systems on one or more CIFS Servers, with a single command entered manually. The format for such entries is:

server:/share mount_point cifs defaults 0 0

See the fstab(4) man page for detailed information on the format of this file.

Then, to mount all CIFS entries in /etc/fstab manually, enter:

$ mount -aF cifs

To unmount all currently mounted CIFS filesystems, enter:

$ umount -aF cifs

These commands run automatically, at bootup and shutdown, if the system is configured to start the CIFS Client at bootup, as explained above in item 1 of “Using the HP CIFS Client” on page 31.

Storing Mounts in the CIFS Client Mount Database

CIFS mount information can also be stored in the CIFS mount database. In this case, the mounts are re-established whenever the CIFS Client is started. Mounts can be stored with either the cifsdb or cifsmount commands. See Chapter 5, “Commandline Utilities,” on page 69 for details.

The CIFS Client mount database file is /var/opt/cifsclient/cfgdb.ppl. The path to this file is not configurable. This file is generated automatically and must not be manually edited.


Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration

When the CIFS Client attempts to mount a CIFS server, it must first establish a NetBIOS connection to the server, hence the server specified in the mount or cifsmount command must be the CIFS server’s NetBIOS (Windows) name. To resolve the name to an IP address, the CIFS Client uses the following lookup methods, in this order (the sequence stops when a match is found):

• A configured server-specific IP address

• WINS lookup

• NetBIOS broadcast

• DNS lookup

Only NetBIOS broadcast and DNS are enabled by default; they are controlled through the configuration parameters lookupTryNetbios and lookupTryDns by setting these parameters to yes.

The CIFS Client can also use WINS (a Windows name resolution service similar to DNS) or server-specific settings in the configuration file, to locate CIFS servers. WINS provides an efficient lookup mechanism that is sufficient for most CIFS environments. The configuration for name resolution can be as follows:

• To enable WINS, set the nbnsWinsIp parameter to the IP address of a WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. For example, if you set the lookupTryNetbios and lookupTryDns parameters to yes and specify the IP address of the WINS server as 110.112.114.115, the CIFS Client first attempts a WINS lookup, then a NetBIOS broadcast, then a DNS lookup.

WINS is a feature of the NetBIOS Name Service, hence, disabling lookupTryNetbios also disables WINS. For example, if you set lookupTryNetbios to no, the HP CIFS Client ignores the nbnsWinsIp setting and does not attempt a WINS lookup at all.


• If the server’s NetBIOS name differs from its DNS name (DNS cannot resolve it), and it is on a different subnet from the CIFS Client (NetBIOS broadcast cannot resolve it), and its address is not resolved by WINS, then you need to create a server entry for the IP address in the CIFS Client configuration file.

To create a server-specific setting in the configuration file, first create a section for the server (as illustrated in the example at the end of the file itself), then set the ipAddress parameter to the server’s IP address. In this case, the configured IP address is used directly; other lookup methods are bypassed for this server.

For example:

buildsys = {
    ipAddress = "110.112.114.115";
};

Note that the IP address must be quoted.

Note that NetBIOS broadcasts are useful only for servers on the same subnetwork as the client, and DNS enables the CIFS Client to establish NetBIOS connections only with servers whose DNS and Windows names are identical.
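The lookup sequence described in this section, modeled as an added example (not code from HP or from the CIFS Client itself). The parameter names and yes/no values are the guide's; the function names, the lookup tables and the addresses are constructed for illustration.

```python
# Defaults per the guide: NetBIOS broadcast and DNS on, no WINS server set.
DEFAULTS = {"lookupTryNetbios": "yes", "lookupTryDns": "yes", "nbnsWinsIp": ""}


def lookup_chain(global_cfg, server_cfg=None):
    """Return the lookup methods the client tries for one server, in order."""
    if (server_cfg or {}).get("ipAddress"):
        # A server-specific ipAddress is used directly; other lookups are bypassed.
        return ["configured-ip"]
    cfg = {**DEFAULTS, **global_cfg}
    netbios_on = cfg["lookupTryNetbios"] == "yes"
    chain = []
    # WINS belongs to the NetBIOS Name Service: it needs nbnsWinsIp *and*
    # lookupTryNetbios = yes, otherwise the nbnsWinsIp setting is ignored.
    if netbios_on and cfg["nbnsWinsIp"]:
        chain.append("wins")
    if netbios_on:
        chain.append("netbios-broadcast")
    if cfg["lookupTryDns"] == "yes":
        chain.append("dns")
    return chain


def resolve(name, global_cfg, server_cfg, env):
    """Walk the chain against constructed lookup tables; stop at the first match."""
    server_cfg = server_cfg or {}
    tables = {
        "configured-ip": {name: server_cfg.get("ipAddress")},
        "wins": env["wins"],                     # servers registered with WINS
        "netbios-broadcast": env["local_subnet"],  # only same-subnet hosts answer
        "dns": env["dns"],                       # works only if DNS name == NetBIOS name
    }
    for method in lookup_chain(global_cfg, server_cfg):
        ip = tables[method].get(name)
        if ip:
            return method, ip
    return None, None


def unresolvable(servers, global_cfg, env):
    """Servers that no enabled method resolves and so need an ipAddress entry."""
    return [name for name, scfg in servers.items()
            if resolve(name, global_cfg, scfg, env) == (None, None)]


# Constructed environment (documentation address ranges, hypothetical hosts).
ENV = {
    "wins": {"buildsys": "192.0.2.10"},
    "local_subnet": {"labpc": "192.0.2.77"},
    # FILES01 is known to DNS only under a different name.
    "dns": {"buildsys": "192.0.2.10", "files.example.com": "198.51.100.5"},
}
GLOBAL_CFG = {"nbnsWinsIp": "192.0.2.2"}
SERVERS = {"buildsys": {}, "labpc": {}, "FILES01": {}}

if __name__ == "__main__":
    print("default chain:", lookup_chain({}))
    print("with WINS:", lookup_chain(GLOBAL_CFG))
    for server in SERVERS:
        print(server, resolve(server, GLOBAL_CFG, SERVERS[server], ENV))
    print("need an ipAddress entry:", unresolvable(SERVERS, GLOBAL_CFG, ENV))
```
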


HP CIFS Client Files and Directories

This section lists the important files that comprise the HP CIFS Client.

Table 2-1 HP CIFS Client Files and Directories

File/Directory                  Description

/opt/cifsclient/                Base directory for all CIFS Client core files and administrative files.
/opt/cifsclient/bin/            CIFS Binaries.
cifsmount                       Mounts CIFS Shares from CIFS Servers. Can only be used by root user.
cifsumount                      Unmounts CIFS shares. Can only be used by root user.
cifsgettkt                      Utility to help set up Kerberos; see “Using Kerberos with the HP CIFS Client” on page 48 for details.
cifslogin                       For ordinary users to use the CIFS shares (already mounted), they first login to the CIFS domain/machine with their username and password (according to CIFS configuration).
cifslogout                      User logout from the CIFS domain. Cannot use the mounted shares in the CIFS domain.
cifslist                        Lists the mounted shares on the Client.
cifsclient                      Start/Stop script for CIFS Client. Please refer to “Step 4: Starting and Stopping CIFS Client” for more details on this script.
cifsdb                          Adds, modifies and deletes entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
/opt/cifsclient/pam             HP CIFS PAM files.
/opt/cifsclient/sbin            CIFS Clients for use by the administrator or root user. The CIFS Client daemon is contained in this directory.
/etc/opt/cifsclient/            Directory for CIFS Client log, database, core files, and other temporary files.
cifsclient.cfg                  Configuration file accessed by CIFS Client daemon.
cifsclient.cfg.default          Contains factory default settings; used as a reference. Do not modify.
/etc/opt/cifsclient/unitables   Character-mapping tables for internationalized clients.
pam/smb.conf                    PAM configuration file. You may need to modify according to your needs. Refer to “Chapter 6: PAM NTLM” for more details on this file.
pam/smb.conf.default            Default PAM file. Should be copied as pam/smb.conf for your use. Do not modify.
/var/opt/cifsclient             Directory for the CIFS Client log files, pid files and any temporary files created for client’s own use.


3 CIFS Security and Authentication

This chapter provides a description of CIFS Security and Authentication Methods using Windows NT LanManager (NTLM), NTLMv2 and Kerberos. It contains the following sections:

• “Introduction”

• “User Login Procedures”

• “Introduction To Kerberos”

• “Using Kerberos with the HP CIFS Client”

• “CIFS Client Kerberos Authentication Policies”

• “Packet Signing”


Introduction

One of the important characteristics of the CIFS file-sharing protocol is its security model. Before a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated by the server (the user must log in to the server). Four login methods are available; they are explained in the following pages. Restrictions at the file or directory level on the server’s filesystem are also enforced by the server.

Authentication Methods

The HP CIFS Client supports two authentication protocols. These protocols are configured on a global or server-specific basis in the CIFS Client configuration file by the system administrator:

• Windows NT LanManager (NTLM) and NTLMv2

NTLM is a challenge-response protocol. The server sends a challenge key to the client which the client returns to the server encrypted with the user’s password. The server performs the same encryption and verifies that the client’s request matches. No semblance of the user’s password is transmitted over the network. The HP CIFS Client supports NTLM and NTLM version 2 (NTLMv2). NTLMv2 uses the same challenge-response protocol, but it additionally provides more sophisticated encryption algorithms than NTLM, and hence better password protection.

• Kerberos

Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to an application server without sending data across the network that might allow an attacker to subsequently impersonate the user. Kerberos is a secure, industry standard authentication protocol that provides significant improvements over the NTLM protocol.

Configuration Settings For Authentication

The configuration parameters authenticationMethod and ntlmEncryptionVersion are specified globally, in the server section of the HP CIFS Client configuration file. They can also be set in the user-defined or server-specific section of the configuration file; see the Server-Specific configuration section below. These parameters are used to select which mechanisms are used by the CIFS Client to authenticate users to CIFS servers.

Legal entries for the authenticationMethod parameter are ntlm or kerberos. The default value of this parameter is ntlm. If you wish to use Kerberos, the configuration setting is:

authenticationMethod = kerberos;

In this case, the CIFS Client requests the use of Kerberos when negotiating an initial connection with the CIFS Server. If the server’s response is affirmative, only Kerberos is used for authenticating users to this server; otherwise NTLM is used. If the NTLM protocol is used, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

To use the traditional Windows NT LAN Manager (NTLM) protocol, set the authenticationMethod parameter to ntlm. In this case, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

Valid entries for the ntlmEncryptionVersion parameter are ntlm or ntlmv2. For CIFS servers with which Kerberos is not used, if you want to use only NTLMv2 password encryption, set the ntlmEncryptionVersion parameter to ntlmv2. Otherwise, if you want to use only NTLM password encryption, set this parameter to ntlm. By default, the ntlmEncryptionVersion parameter is set to ntlm.

Server-Specific Configuration

The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to NTLM, but you want to ensure that server buildsys uses only NTLMv2, you can create the following section (within the enclosing “cifs” section; see also the example at the end of the CIFS Client configuration file):

buildsys = {
    ntlmEncryptionVersion = ntlmv2;
};


User Login Procedures

• Explicit Login (cifslogin)

Users on the CIFS Client can authenticate themselves to CIFS servers explicitly with the cifslogin command. Please see the cifslogin man page in the Commandline Utilities chapter.

• Automatic Login

The CIFS Client provides methods for accessing mounted CIFS file servers automatically. The initial request for access to a CIFS mountpoint (cd, ls, etc.) causes the CIFS Client to log the user in, in the background. If the background login succeeds, the user’s request for access succeeds, and the cifslogin command is not required.

The CIFS Client’s automatic login policy follows:

1. Kerberos: integration with kinit and PAM Kerberos

If Kerberos authentication has been configured and the user has a Ticket-Granting Ticket (TGT) in the system Kerberos credentials cache (created explicitly with the kinit(1) command or automatically by PAM Kerberos), and the use of Kerberos has been negotiated with the mounted CIFS server, the CIFS Client will use the TGT to perform an automatic login. For more information on how to use Kerberos Authentication with the CIFS Client, see “Using Kerberos with the HP CIFS Client” on page 48.

2. Integration with PAM NTLM

If PAM NTLM has been configured on the system (in /etc/pam.conf) and the user has logged into the CIFS Client HP-UX host with PAM NTLM, the CIFS Client will attempt to use the user’s cached PAM NTLM credentials to authenticate the user to the CIFS server. Please see Chapter 8 for more information on PAM NTLM.

3. User Database

If no PAM NTLM credentials are found, but the user has an entry in the CIFS Client user database, the CIFS Client will attempt to log the user into the CIFS server using the encrypted password in the user database. You must first successfully perform a manual login in order to store the encrypted password. You can use the cifslogin -s or cifsdb command to save an entry in the user database or use the cifsdb -d command to delete an entry from the user database. Please see man pages cifslogin, cifsdb in Chapter 5, “Commandline Utilities,” on page 69 for details.

Page 46: Cifs Admin

NOTE Automatic login using the user database is not supported with Kerberos.

4. Guest User

This feature enables all users on the HP CIFS Client host who are not logged into a mounted CIFS server to access the server’s mountpoints, with the privileges of a guest user. Please also see the detailed information on the guestRemoteUser parameter in Chapter 7.

To set up guest user capabilities, set the configuration parameters guestRemoteUser and guestPassword to those of a valid account on the server. HP recommends setting up a generic guest user account on the server, so that access rights of guest users can be limited. Now, when any UNIX users on the CIFS Client HP-UX host who have not logged into the CIFS server try to access its mounted share, they will automatically access them as the guest user without doing an explicit cifslogin.

Page 47: Cifs Admin

Introduction To Kerberos

Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or only a server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal. Kerberos optionally provides integrity and confidentiality for data sent between the client and server. [B. Clifford Neuman, Theodore Ts’o: Kerberos: An Authentication Service for Computer Networks]

Kerberos was developed at the Massachusetts Institute of Technology (MIT).

Use of Kerberos in the CIFS environment provides significant security improvements over the older NT LanManager (NTLM) protocol traditionally used by CIFS Clients and Servers.

Requirements and Limitations Using Kerberos

Kerberos Key Distribution Center and CIFS Servers

The HP CIFS Client supports only Windows 2000 and Windows 2003 Key Distribution Centers (KDCs).

Tickets Not Acquired

For this release, the following ticket types are not acquired by the HP CIFS Client:

• Renewable

• Proxiable

• Forwardable

NOTE Cross-realm authentication is not supported in this release.

Page 48: Cifs Admin

Using Kerberos with the HP CIFS Client

These procedures should be followed to use Kerberos with the HP CIFS Client:

Step 1. Review fundamental Kerberos operating principles

Step 2. Set up and verify the Kerberos infrastructure

Step 3. Configure Kerberos in the HP CIFS Client

Step 1. Review Fundamental Kerberos Operating Principles

If you are not familiar with the fundamental features and operation of Kerberos, consult one or more of the following references.

These HP-UX resources explain the essentials of Kerberos (in the respective Overview chapters in each manual). This level of detail may be sufficient for most installations.

• Configuration Guide for Kerberos Client Products on HP-UX:

http://docs.hp.com/hpux/onlinedocs/T1417-90005/T1417-90005.html

• Installing, Configuring and Administering the Kerberos Server on HP-UX 11i:

http://docs.hp.com/hpux/onlinedocs/T1417-90001/T1417-90001.html

• Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i:

http://docs.hp.com/hpux/onlinedocs/T1417-90003/T1417-90003.html

Other HP-UX resources can be found by searching for kerberos at http://docs.hp.com

In-depth discussion of the Kerberos protocol can be found in the following excellent documentation:

• Kerberos: An Authentication Service for Computer Networks, B. Clifford Neuman and Theodore Ts’o:

http://www.isi.edu/gost/publications/kerberos-neuman-tso.html

Page 49: Cifs Admin

• The documentation repository at Massachusetts Institute of Technology (the developer of Kerberos):

http://web.mit.edu/kerberos

• The Kerberos specification, RFC 1510. An excellent introduction (section 1) and descriptions of message exchanges (section 3):

http://ftp.rfc-editor.org/in-notes/rfc1510.txt

• Several informative papers can also be found at the Microsoft web site. Most of these documents also include practical information on how you should set up security in networks of Windows computers. Please search for kerberos or related topics at:

http://www.microsoft.com

Step 2. Set Up and Verify the Kerberos Infrastructure

In order to use Kerberos with the HP CIFS Client, you must first have a working Kerberos infrastructure on your network including the HP-UX host (independent of the CIFS Client). The Kerberos infrastructure consists of:

• A Key Distribution Center (KDC)

• At least one CIFS server that supports Kerberos and is a member of the KDC’s domain (called a “realm” in the Kerberos terminology)

• At least one user account on the KDC

• A properly configured HP-UX Kerberos Client installation on the system running the HP CIFS Client

NOTE A domain name server (DNS) is recommended to be active on a Windows server on your network. CIFS servers to which you want to connect should be configured in the Windows DNS table in order to be recognized by the KDC.

For information on setting up a Key Distribution Center on a Windows 2000 or 2003 server, refer to your Microsoft documentation.

Page 50: Cifs Admin

The CIFS servers to which you want to connect via Kerberos with the CIFS client must be joined to the Windows Domain. For more information, refer to Windows online help or the HP CIFS Server Administrator’s Guide.

For information on setting up user accounts on a Windows KDC, consult online help for managing user Domain accounts.

To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1. The following HP-UX man pages also contain useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1), klist(1), kdestroy(1).

Once you have set up these elements of your Kerberos infrastructure, you can use the following checks to verify that everything is working. Do not proceed to step 3 without performing this verification.

• To verify that user accounts have been set up properly on the KDC, and that the Kerberos authentication service on the KDC and the HP-UX Kerberos client can communicate properly, enter the following command:

$ kinit name

where name is one of the user names. If the operation succeeds, a Ticket-Granting Ticket (TGT) will be issued for name. To verify that this actually occurred, execute the klist command to display the contents of the ticket stored in the system Kerberos cache.

• To verify that CIFS servers have been properly configured as member servers on the KDC, execute the test program, cifsgettkt, located in /opt/cifsclient/bin:

$ cifsgettkt -s server

where server is one of the CIFS servers. This command uses the TGT acquired with kinit to request a service ticket (ST) from the Ticket-Granting Server (TGS). Because cifsgettkt is used only for testing, it does not modify the system Kerberos cache. However, it produces an informative message at the console.

If these verification steps succeed, Kerberos authentication for CIFS clients and servers should succeed. You are ready to proceed to step 3.

Page 51: Cifs Admin

Step 3. Configure Kerberos on the HP CIFS Client

Set the configuration parameter authenticationMethod to kerberos. The configuration setting is:

authenticationMethod = kerberos;

Ensure there are no active CIFS mounts or logins at the server, and then log in as illustrated in “User Login Procedures” on page 45.

To ensure Kerberos is used, you can enable the log levels cifstrace and authentication; see “CIFS Client Log File and Log Levels” on page 98 for information on log levels and log files. Once you have verified that Kerberos has been negotiated and used for user authentication, disable cifstrace and authentication logging.

Page 52: Cifs Admin

CIFS Client Kerberos Authentication Policies

This section assumes that the CIFS server and client have negotiated the use of Kerberos.

Explicit login: cifslogin

Kerberos authentication is implemented transparently in this command. Required Kerberos credentials (TGT and ST) are acquired from the KDC on behalf of the user and the Service Ticket (ST) is sent to the CIFS server within a SESSION_SETUP request. No special action is performed by the user.

Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)

This feature allows users to access mounted CIFS servers without using cifslogin. If you have a pre-existing Ticket-Granting Ticket (TGT) in the system Kerberos cache, established with kinit(1) or PAM Kerberos, you can attempt to access the CIFS mountpoint directly (cd, ls, etc.). The CIFS Client uses the TGT to acquire a Service Ticket (ST) for the mounted CIFS server and performs a CIFS login, all in the background. It is unnecessary for you to explicitly invoke cifslogin in this case.

Ticket Lifetime

Maximum ticket lifetime is controlled by the configuration of the KDC. For cifslogin, the CIFS client requests a lifetime of 30 days for a TGT. Thus, the actual lifetime of a TGT issued to a CIFS client is the lesser of 30 days and the configured maximum at the KDC. For automatic login, the expiration time of a user’s ST is equal to the expiration time of the TGT in the system cache.

Page 53: Cifs Admin

Packet Signing

The purpose of the CIFS packet signatures is prevention of man-in-the-middle attacks: the client and server are mutually assured of the other’s identity by requiring a unique signature on each SMB packet. The following terms are equivalent and are used interchangeably:

• security signatures

• packet signing

• packet signatures

• digital signatures

• message integrity

• message authentication codes (MACs)

Packet signing is performed on a per-server-connection basis. Once packet signing has been negotiated with a server, the first user login request and all subsequent SMB packets must be signed.

Configuring Packet Signing with HP CIFS Client

The configuration parameter, smbPacketSigning, specified in the HP CIFS Client configuration file indicates how the CIFS Client performs packet signing. Valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled.

Packet signing is negotiated between the client and server when their initial connection is set up. The server’s configuration can also be either enabled, required, or disabled. The client and server settings must be synchronized for the connection to succeed, as shown in Table 3-1.

Page 54: Cifs Admin

Table 3-1 Configuration Options For smbPacketSigning

Valid Option   Description

enabled        HP CIFS Client connects with the CIFS server and signs packets if the server supports signing. HP CIFS Client connects with the CIFS server, but does not sign packets if the CIFS server does not support signing.

required       The CIFS server must support signing. The CIFS Client refuses to establish the connection with the CIFS server if the server does not support packet signing.

disabled       HP CIFS Client disables packet signing. If the CIFS server requires signing, the client is unable to connect with the server.
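The server-specific override sections and the negotiation rules in Table 3-1 interact, because a server section can tighten or loosen what the global setting allows. The script below is an added example, not HP code: it resolves the effective smbPacketSigning and ntlmEncryptionVersion for each server section and lists the client/server combinations that end in an unsigned session. It assumes the file syntax is limited to the fragments shown in this guide, that global values sit directly in the cifs section, and that a server set to disabled is one that does not support signing; the sample configuration is constructed.

```shell
#!/bin/sh
# Added example, not HP code. Assumed syntax, from the fragments in this guide:
#   name = value;    name = { ... };    # comment to end of line
# Assumptions: global values sit directly in the "cifs" section, each section
# nested inside it names a server, and values are compared in lower case.
# Quoted values that contain # ; = or braces are not handled.

# effective_settings CONFIG_FILE
# Prints "<server> smbPacketSigning=<v> ntlmEncryptionVersion=<v>" for each
# server section, after a "*" line for servers without a section of their own.
effective_settings() {
    awk '
    {
        sub(/#.*/, "")                   # drop the comment
        gsub(/[{};=]/, " & ")            # punctuation becomes separate tokens
        n = split($0, f, " ")
        for (i = 1; i <= n; i++) tok[++nt] = f[i]
    }
    END {
        depth = 0; ns = 0; order[0] = "*"
        for (i = 1; i <= nt; i++) {
            if (tok[i] == "}") { depth--; continue }
            if (tok[i] == ";" || tok[i + 1] != "=") continue
            if (tok[i + 2] == "{") {                 # name = { opens a section
                path[++depth] = tok[i]
                if (depth == 2 && path[1] == "cifs") order[++ns] = tok[i]
                i += 2
                continue
            }
            if (path[1] == "cifs" && depth == 1) glob[tok[i]] = tolower(tok[i + 2])
            if (path[1] == "cifs" && depth == 2) srv[path[2], tok[i]] = tolower(tok[i + 2])
            while (i < nt && tok[i + 1] != ";") i++  # skip to end of statement
        }
        key[1] = "smbPacketSigning";      dflt[1] = "enabled"  # default per the guide
        key[2] = "ntlmEncryptionVersion"; dflt[2] = "unset"
        for (s = 0; s <= ns; s++) {
            line = order[s]
            for (k = 1; k <= 2; k++) {
                v = dflt[k]
                if (key[k] in glob) v = glob[key[k]]
                if ((order[s], key[k]) in srv) v = srv[order[s], key[k]]
                line = line " " key[k] "=" v
            }
            print line
        }
    }' "$1"
}

# signing_outcome CLIENT_SETTING SERVER_SETTING
# Negotiation result per Table 3-1; a server set to "disabled" is read as one
# that does not support signing (assumption).
signing_outcome() {
    case "$1:$2" in
        required:disabled|disabled:required) echo refused ;;
        required:enabled|required:required|enabled:enabled|enabled:required) echo signed ;;
        enabled:disabled|disabled:enabled|disabled:disabled) echo unsigned ;;
        *) echo unknown; return 2 ;;
    esac
}

# unsigned_findings CONFIG_FILE
# Lists every client/server combination that ends in an unsigned session.
unsigned_findings() {
    effective_settings "$1" | while read -r server signing rest; do
        client=${signing#smbPacketSigning=}
        for peer in enabled required disabled; do
            if [ "$(signing_outcome "$client" "$peer")" = unsigned ]; then
                echo "$server: client=$client server=$peer -> unsigned"
            fi
        done
    done
}

# write_sample_config PATH: constructed sample, not a real site configuration.
write_sample_config() {
    cat > "$1" <<'EOF'
cifs = {
    smbPacketSigning = enabled;        # global setting
    ntlmEncryptionVersion = NTLM;
    buildsys = {ntlmEncryptionVersion = ntlmv2;
        smbPacketSigning = required;
    };
    oldnas = {
        smbPacketSigning = disabled;
    };
};
EOF
}

cfg=$(mktemp) && write_sample_config "$cfg"
effective_settings "$cfg"
unsigned_findings "$cfg"
rm -f "$cfg"
```

Only a server whose effective client setting is required produces no finding; the default of enabled still allows an unsigned session when the server does not sign.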


Page 55: Cifs Admin

4 Migrating From HP CIFS Client A.01 to A.02

HP CIFS Client A.02.* provides new features and requires only minimal configuration changes to update in most cases. However, there are some configuration parameter and command option differences between HP CIFS Client A.01.* versions and HP CIFS Client A.02.* versions. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS Client. This chapter contains the following sections:

Page 56: Cifs Admin

• “Migrating from version A.01.* to A.02.* of HP CIFS Client” on page 57.

• “Functionality Differences Between HP CIFS Client A.01.* and A.02.*” on page 60.

• “Configuration Differences Between HP CIFS Client A.01.* and A.02.*” on page 61.

• “Command Option Differences Between HP CIFS Client A.01.* and A.02.*” on page 65.

Page 57: Cifs Admin

Migrating from version A.01.* to A.02.* of HP CIFS Client

Special Instructions For Users of HP CIFS Client Versions A.01.*

NOTE These migration procedures are recommended for users who:

• may want to revert to an A.01.* version of the CIFS Client, or

• use a modified version of the CIFS Client configuration file, or

• utilize mount or user entries in the CIFS Client database

The configuration and user database files used in version A.01.* of CIFS Client are not recognized by version A.02.*. If you use an A.01.* version of the HP CIFS Client, and you have modified cifsclient.cfg, or if there are user or mount entries in the CIFS Client database, then follow the instructions below before updating any A.01.* version to any A.02.* version of the CIFS Client.

Preserving Data From A.01 Installations

In the following procedure, you save your configuration and database files. An ASCII listing of saved users and mounts in the database also is saved so that you can re-create these entries under A.02. See the reference for cifsdb, cifsmount, and cifslogin in Chapter 5, “Commandline Utilities,” on page 69 for detailed information on managing database entries in version A.02.

Preserving this data also allows you to reuse it if you decide to revert to version A.01.

Follow the steps below to save your configuration and database files:

Step 1. Create the backup directory:

$ cd /var/opt/cifsclient

$ mkdir A.01_migration_files

Page 58: Cifs Admin

Step 2. Save the configuration file to the backup directory. If you do not use a modified version of the configuration file, you may skip this step.

$ cp /etc/opt/cifsclient/cifsclient.cfg A.01_migration_files/A.01.cfg

Step 3. Use the cifslist -U command to generate an ASCII listing of saved user records in the database and to save it to the backup directory. If there are no user records in the database, you may skip this step (use cifslist -U to check). You can view this list as a reference when re-creating user database entries under version A.02.

$ cifslist -U > A.01_migration_files/A.01.udb.users.list

Step 4. Use the cifslist -M command to generate an ASCII listing of saved mount records in the database and to save it to the backup directory. If there are no mount records in the database, you may skip this step (use cifslist -M to check). You can view this list as a reference when re-creating mount database entries under version A.02.

$ cifslist -M > A.01_migration_files/A.01.udb.mounts.list

Step 5. Preserve the CIFS Client database to the backup directory. If you skipped steps 3 and 4 above, you may skip this step as well.

$ mv cifsclient.udb A.01_migration_files/A.01.ubd

NOTE The CIFS Client database is encrypted, using among other elements, the inode of the database in the HP-UX filesystem. This is a security measure that prevents the database from being moved to a different computer. Hence, if you decide to revert to version A.01 of the CIFS Client, the inode number of the database must be preserved, else the CIFS Client is unable to decrypt the database. To ensure that the inode number is retained, the database must be backed up into the same logical volume, with the mv command. Do not use cp or any other UNIX command that changes the inode of the file. Use the mv command to back up the CIFS Client database.
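Because the backup is only usable if the inode number survives, it is worth checking that number before and after the move. The script below is an added example, not part of the HP procedure: it refuses to move the file when the backup directory is on another filesystem (where mv would copy the file and the inode would change) and confirms the inode afterwards. The function names and the demo paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP code: move a file into a backup directory and prove
# that its inode number survived. All paths used in the demo are constructed.

# inode_of FILE: print the inode number of FILE.
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# same_filesystem DIR_A DIR_B
# A hard link can only be created inside one filesystem, so linking a scratch
# file from DIR_A into DIR_B shows whether mv will rename in place (inode
# kept) or fall back to copy-and-delete (new inode). The file to be moved is
# not touched by this probe.
same_filesystem() {
    probe_a="$1/.fsprobe.$$"
    probe_b="$2/.fsprobe.$$.lnk"
    touch "$probe_a" 2>/dev/null || return 2
    if ln "$probe_a" "$probe_b" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$probe_a" "$probe_b"
    return "$rc"
}

# move_keep_inode SRC DST_DIR NEW_NAME
# Prints the inode number on success. Returns 3 without moving anything when
# DST_DIR is on another filesystem, and 1 if the inode changed after all.
move_keep_inode() {
    src=$1; dst_dir=$2; dst="$2/$3"
    [ -f "$src" ] || { echo "missing: $src" >&2; return 2; }
    if ! same_filesystem "$(dirname "$src")" "$dst_dir"; then
        echo "refusing: $dst_dir is not on the same filesystem as $src" >&2
        return 3
    fi
    before=$(inode_of "$src")
    mv "$src" "$dst" || return 2
    after=$(inode_of "$dst")
    [ "$before" = "$after" ] || { echo "inode changed: $before -> $after" >&2; return 1; }
    echo "$after"
}

# Demo on a constructed stand-in for the database file.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/A.01_migration_files"
echo "constructed stand-in for cifsclient.udb" > "$demo_dir/cifsclient.udb"
echo "inode before mv: $(inode_of "$demo_dir/cifsclient.udb")"
echo "inode after mv:  $(move_keep_inode "$demo_dir/cifsclient.udb" "$demo_dir/A.01_migration_files" A.01.ubd)"
cp "$demo_dir/A.01_migration_files/A.01.ubd" "$demo_dir/copy.udb"
echo "inode of cp copy: $(inode_of "$demo_dir/copy.udb")"
rm -rf "$demo_dir"
```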

Reverting to Version A.01

If you prefer version A.01 of the HP CIFS Client to A.02, use the following steps to revert to the most recent release of version A.01:

Page 59: Cifs Admin

Step 1. Remove version A.02 (a system reboot will occur after the removal is completed):

$ swremove -x autoreboot=true -x mount_all_filesystems=false B8724AA

Step 2. Download the most recent release of version A.01 of the CIFS Client from http://software.hp.com.

Step 3. Install the downloaded CIFS Client depot. See “Step 2: Installing HP CIFS Client and PAM Software” on page 27 for detailed information on installation.

Step 4. If you preserved your old configuration file, in step 2 under the “Preserving Data From A.01 Installations” section above, restore it to /etc/opt/cifsclient.

Step 5. If you preserved your old database file, in step 5 under the “Preserving Data From A.01 Installations” section above, restore it to /var/opt/cifsclient. You must use the mv command to preserve your database file, as explained in step 5 under the “Preserving Data From A.01 Installations” section above.

Page 60: Cifs Admin

Functionality Differences Between HP CIFS Client A.01.* and A.02.*

The following describes functionality differences between HP CIFS Client A.01.* and A.02.*:

• In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. The HP CIFS Client A.01.x or earlier versions log out the users when the last share is unmounted. The new behavior in version A.02.01 allows users to be automatically reconnected if the system administrator needs to unmount and remount a share.

• In HP CIFS Server A.02.01, the cifslist command displays state information in addition to shares and mountpoints information.

The following is an explanation of the State symbols in the output of cifslist:

For mounts:

M = Mounted

S = Saved in mount database

R = Read only

For users:

L = Logged in

S = Saved in user database

Page 61: Cifs Admin

Configuration Differences Between HP CIFS Client A.01.* and A.02.*

Comments in Configuration File

In HP CIFS Client A.01.*, multiple comment tags were recognized.

In HP CIFS Client A.02.*, the # character starts a comment; any text between a # character and the end of a line is a comment.

Configuration Parameter Differences

This section describes configuration parameter differences between HP CIFS Client A.01.* and A.02.* shown as follows. This section does not describe parameters that have not changed between versions A.01.* and A.02.*. This section shows a list of removed parameters, new parameters and parameter name changes in HP CIFS Client A.02.*. For detailed information about CIFS configuration parameters, see “Configuration Parameters” on page 103.

Page 62: Cifs Admin

Removed Configuration Parameters

The following is a list of A.01.* configuration parameters which are no longer used in the HP CIFS Client A.02.*:

• runAsUser

• databaseFile

• mtabName

• maxOpenFiles

Parameter Name Changes

Table 4-1 shows a list of A.01.* configuration parameters which have been renamed in the HP CIFS Client A.02.*:

Table 4-1 Parameter Name Changes

A.01.*                 A.02.*
allowSaving            usersMayStoreSessionData
netbiosName            localNetbiosName
nfsAttributeCaching    nfsKernelCacheTime
authenticationLevel    authenticationMethod
dirDefaultLinks        fakedDirLinks
dirSize                fakedDirSize
guestUser              guestRemoteUser

New Configuration Parameters

The following is a list of new configuration parameters for the logLevels section in HP CIFS Client A.02.*:

• smbConnect

• uiTrace

• nbnsTrace

• diskarb

• authentication

Page 63: Cifs Admin

The following is a list of new configuration parameters for the Global section in HP CIFS Client A.02.*:

• corefileLimit

• networkInterfaces

• bindUdpExplicitly

• pagePoolInitialSize

The following is a list of new configuration parameters for the nfs3 specific basis in HP CIFS Client A.02.*:

• cacheFiles

• cacheOpenFiles

• changeMicrosecondFileTimes

• nfsKernelCacheTime

• preferredPort

The following is a list of new parameters for the cifs specific basis in HP CIFS Client A.02.*:

• databaseParseInterval

• initialDataCaches

• initialDirCaches

• bindNbnsPort

• bindNbdgsPort

• lookupTryNetbios

• lookupTryDns

• nbnsWinsIp

• nbnsInitialTimeout

• nbnsTotalTimeout

• nbnsCacheTime

The following is a list of new parameters for the server specific basis in HP CIFS Client A.02.*:

• ntlmEncryptionVersion

Page 64: Cifs Admin

• guestPassword

• allowHardLinks

• hardlinkUseRemoteCopy

• fileModeMask

• dirModeMask

• ctimeIsCreate

• smbPacketSigning

Page 65: Cifs Admin

Command Option Differences Between HP CIFS Client A.01.* and A.02.*

This section describes command option differences between HP CIFS Client A.01.* and A.02.* shown in the following tables. These tables do not show command options that have not changed between versions A.01.* and A.02.*. For detailed information on the commands, see Chapter 5, “Commandline Utilities,” on page 69.

Table 4-2 shows a list of cifsmount command option differences between A.01.* and A.02.*.

Table 4-2 cifsmount

A.01.*                                 A.02.*                                            comments
-c <client netbiosname>                configuration parameter only: localNetbiosName    Moved to the configuration file
-p <tcp port>                          configuration parameter only: bindNbnsPort        Moved to the configuration file
-I <ip address or hostname>            configuration parameter ipAddress                 Moved to the configuration file
configuration parameter domain only    -D <domain>                                       Implemented as -D option and a configuration parameter in A.02.*

Page 66: Cifs Admin

Table 4-3 shows a list of mount -F cifs command option differences between A.01.* and A.02.*.

Table 4-3 mount_cifs

A.01.*         A.02.*         comments
-o nbname=                    Moved to configuration file in A.02.*
-o port=                      Moved to configuration file in A.02.*
               -o domain=     New option in A.02.*
-o forcemnt                   Removed in HP CIFS Client A.02.*; always true

Table 4-4 shows a list of cifslist command option differences between A.01.* and A.02.*.

Table 4-4 cifslist

A.01.*                 A.02.*                          comments
                       -r                              New option in A.02.*
                       -s                              New option in A.02.*.
-s server, -m share    -m (no additional arguments)
-u server              -u (no additional arguments)
-A, -S                                                 Removed in A.02.*
                       -x                              New option in A.02.*.
-U, -M                                                 Removed in A.02.*; always true

Page 67: Cifs Admin

Table 4-5 shows a list of cifslogin command option differences between A.01.* and A.02.*.

Table 4-5 cifslogin

A.01.*                                A.02.*         comments
Username given in the command line    -U username    Can specify the username with or without -U option in A.02.*.
                                      -D domain      New parameter in A.02.*, overrides the configured value.

Table 4-6 shows a new cifsdb command implemented in A.02.*.

Table 4-6 cifsdb

A.01.*    A.02.*                     comments
          cifsdb <server>
          cifsdb -d <server>
          cifsdb <mount_point>
          cifsdb -d <mount_point>

Page 68: Cifs Admin

Page 69: Cifs Admin

5 Commandline Utilities

This chapter provides details for the CIFS Client Commandline Utilities.

The HP CIFS Client software package consists of the following programs:

Page 70: Cifs Admin

cifsclient Stop and start the CIFS client.

cifsmount Mount a directory from a remote server.

cifslogin Authenticates a user to the remote server.

cifsumount Disconnect a local mountpoint from the server, if it is not mounted elsewhere.

cifslogout Disconnect a user login session and disconnect the server shares from the specified server. After logging out, the user cannot access any files from that server.

cifslist Lists connected servers, mountpoints, mounted shares, etc.

cifsdb Add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.

mount_cifs Mounts the CIFS filesystem via mount (1M).

umount_cifs Unmounts the CIFS filesystem via umount (1M).

Each of the utilities described above also accepts the options -h and -v if given as the only parameter. The option -h prints a short help to standard error and the option -v prints the current version numbers to standard output.

Page 71: Cifs Admin

cifsclient

Synopsis

cifsclient {command}

cifsclient fuser [-v] mountpoint [...]

cifsclient force_umount {mountpoint [...]| -a}

Description

This shell script is used to start and stop the HP CIFS Client, and perform other useful tasks. Only users with root capabilities can invoke start, stop, restart, fuser, and force_umount (see also the -a option to klist and kdestroy). Any user can invoke status, klist, kdestroy, and ver. cifsclient without any additional command is equivalent to cifsclient start.

Commands

start Starts the daemon.

stop Shut down the daemon.

restart Stop, sleep 1 second, start.

status Display information about daemon.

klist [-a] Display the contents of all of the invoking user’s CIFS Client Kerberos credentials files. This command provides a shortcut that invokes klist(1) on all of the user’s credentials files, automatically appending the -c {filename} option for each file. -a (recognized only for root) lists entries for all users. CIFS Client Kerberos credentials files will be present on the system only if the configuration parameter, rmTmpKerbCredFiles, has been set to no. The files are located in /var/opt/cifsclient/krb5_tmp.

kdestroy [-a] Destroy all of the invoking user’s CIFS Client Kerberos credentials files, using kdestroy(1). To destroy a single CIFS Kerberos credentials file, use kdestroy(1) directly, specifying the -c {filename} option. CIFS Client Kerberos credentials files are located in /var/opt/cifsclient/krb5_tmp. These files will be present on the system only if the configuration parameter, rmTmpKerbCredFiles, has been set to no. -a (recognized only for root) destroys all files for all users.

Page 72: Cifs Admin

ver [-v] Report version information. The following modifiersare also recognized:

-v Verbose: display what(1) strings for binaries, scripts and configuration files.

fuser [-v] mountpoint [...]

Run fuser -fu (see fuser(1M)) against the given CIFS filesystem mountpoint and each of its subdirectories. This is useful for determining which users are accessing the mount, in the event that unmounting fails with a “Device busy” message. You must be logged into the mounted CIFS fileserver for this command to be effective. -v produces verbose output (all subdirectories are shown), otherwise, only directories with active user processes are shown. NOTE: The execution time for this command is proportional to the number of entries in the mounted filesystems.

force_umount {mountpoint [...] | -a}

Forcibly unmount given mountpoints; this is an emergency procedure to be used only in case of failure of the standard umount commands:

umount mountpoint

or

cifsumount mountpoint

-a Forcibly unmount all stale CIFS mounts.

Cannot be used unless the CIFS Client is down.

Files

/etc/opt/cifsclient/cifsclient.cfg

Page 73: Cifs Admin

This file contains run-time configuration options for the HP CIFS Client. For detailed information see Chapter 7.

/var/opt/cifsclient/krb5_tmp/krb5cc_<server>_<uid>

Temporary CIFS Client Kerberos credentials file. <server> is the name of the CIFS server to which the user has been authenticated, <uid> is the decimal UID of the user.

See Also

cifsmount, fuser(1M), kdestroy(1), klist(1), mount_cifs, umount_cifs

Page 74: Cifs Admin

cifsmount

You can use the mount command to execute the cifsmount command. See “mount_cifs, umount_cifs” on page 87 for the usage of the mount command. This section describes the usage of the cifsmount command.

Synopsis

cifsmount [<options>] //<server>/<share> <mountpoint>

Description

The cifsmount command is used to mount remote shares on the local file system. It mounts the share <share> from server <server> in the local file system at <mountpoint>. The mountpoint must exist. You are prompted for a password and the program uses the combination username/password to log in to the server. If you are already logged in to the given server, the password prompt is skipped. You can use the option -N to suppress password prompting.

Only users with root capabilities can invoke the cifsmount command to mount filesystems.

Options

-r Mounts as read-only filesystem.

-U <username>

Login on server as this user. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user that issues the cifsmount command. If you have a different user name at the server, you may use this option to set that name. It is ignored if you are already logged in at the server.

-D <domain> Send this domain name to the CIFS server.

-P <password> Password given in commandline. Use this option only if necessary, because all commandline parameters may show up in the output of the ps command. It gives you the possibility to pass a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.

Page 75: Cifs Admin

-S Reads the password from stdin. This option may be useful if you want to use cifsmount from a shell script or another program. The -P option is insecure for this purpose because the UNIX command ps can show the commandline parameters of running processes.

-N Do not prompt for a password. This option may be used to avoid prompting for a password if you do not have a password.

-I <ipaddress> Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.

-u Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.

-f Forces mount. When this option is used, the mount is done even if the server is not responding. No requests are sent to the server. Consequently, none of the parameters can be checked for validity.

-v Print version information.

-s Saves mount and password in database. Do not useunless you understand the security implications. HPCIFS Client can maintain a database of mounts,usernames, and passwords. This database is used atstartup to re-establish stored mounts and to log inusers on demand, even if you are not logged in at theclient.

Chapter 5 75

Page 76: Cifs Admin

Commandline Utilitiescifsmount

This option may be useful for automounting and to runprograms by cron that cannot ask the user for apassword. Passwords are stored in the HP CIFSClient's user database file. It is possible to get the HPCIFS hash values of the passwords (which isfunctionally equivalent to the passwords themselves)out of this file, although the file itself is not sufficient.

You can use this option safely only if you are the onlyone who has physical or root access to your machine orif you trust everyone who has this access. The HP CIFSClient does not store unencrypted passwords in theuser database. If your server does not supportencrypted passwords, you cannot use this option.

Examples

The following command mounts the share entiredisk from the server bigserver at the local mount point /mounts/bigserver and mounts it as a read-only filesystem.

cifsmount -r //bigserver/entiredisk /mounts/bigserver

Files

Mount information saved with the cifsmount -s command is stored in the HP CIFS Client’s database file, /var/opt/cifsclient/cfgdb.ppl. The path to this file is not configurable.

See Also

cifslogin, cifsumount, cifslogout, cifslist


cifslogin

Synopsis

cifslogin [<options>] <servername> [<username>]

cifslogin [<options>] //<servername>/<share>

Description

The cifslogin command is used to authenticate additional users at a server. Only authenticated users may access mounted files. Each user accesses the file at the server with his or her privilege status at that server. Because there must be a one-to-one (many-to-one) mapping from local users to remote user names, every user can log in only once at a given server. By default, cifslogin sends the user's login name to the server. You can specify the username using the -U option.

Options

-P <password>

Password given on the command line. Use this option only if you really have to, because all command-line parameters may show up in the output of the ps command. It gives you the possibility to pass a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.

-U <username>

Log in on the server as this user.

-D <domain name>

Specify the domain name that is sent to the server.

-S Reads the password from stdin. This option may be useful if you want to use cifslogin from a shell script or another program. The -P option is insecure for this purpose because the Unix command ps can show the command-line parameters of running processes.

-N Do not prompt for a password. This option may be used to avoid prompting for a password if you are already logged in at the server or if the user does not have a password.

-u Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.

-f Forces login. When this option is used, the login is done even when the server is not responding. No requests are sent to the server. Consequently, none of the parameters can be checked for validity.

-s Saves password in database. Do not use unless you understand the security implications. This option can maintain a database of mounts, usernames, and passwords. This database is used at startup to re-establish stored mounts and to log in users on demand, even if you are not logged in at the client.

This option may be useful for automounting and to run programs by cron that have no possibility to ask the user for a password. Passwords are stored in the HP CIFS Client's user database file. It is possible to get the CIFS hash values of the passwords (which are functionally equivalent to the passwords themselves) out of this file, although the file itself is not sufficient.

You can use this option safely only if you are the only one who has physical or root access to your machine or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.


Examples

If local user steve has mounted a share from server bigserver, local user bill has no access to the mounted files because he is not logged in at the server. Bill, who has an account on bigserver under his real name miller, can do the following to gain access:

cifslogin bigserver -U miller

Bill will be prompted for a password and, if it is correct, he will be given access to the share with the same privileges that user miller has on bigserver.

Files

Usernames and passwords are stored encrypted in the HP CIFS Client's user database file. The path to the user database file can be configured in HP CIFS Client's configuration file. The default path is

/var/opt/cifsclient/cifsclient.udb

See Also

cifsmount, cifsdb, cifslogout, cifslist


cifsumount

You can use the umount command to execute the cifsumount command. Both commands are shown below.

Synopsis

cifsumount [<options>] <mountpoint>

cifsumount -a

Description

The cifsumount command is used to unmount any shares mounted with cifsmount. Shares can only be unmounted by the user that mounted the share at the given mountpoint or the superuser. The second variant (with the -a option) unmounts all mounts that are currently served.

In HP CIFS Server A.02.*, unmounting the last mount to a server does not log out any of the users logged in at the server. This allows users to be automatically reconnected if the system administrator needs to unmount and remount a share.

Only users with root capabilities can invoke the cifsumount command to unmount filesystems.

Options

-a Unmounts all CIFS filesystems.

-f Forces unmount: Avoids requests to the server (useful if the server is down).

See Also

cifsmount, cifslist, mount_cifs, umount_cifs


cifslogout

Synopsis

cifslogout <servername>

Description

The cifslogout command is used to log the user who uses the command out of the server specified. After issuing cifslogout, the user cannot access any files from that server unless he or she is still stored in the user database.

See Also

cifslogin, cifslist


cifslist

Synopsis

cifslist [<options>]

Description

The cifslist command is used to view internal tables of HP CIFS Client. In HP CIFS Client A.02.*, the cifslist command without options will list all connected servers with shares and mountpoints information.

Options

-h Prints short help and exits.

-u Lists users only.

-m Lists mounts only.

-x Displays mounted objects using UNIX style format: server:/share.

-r Prints raw output format.

-s <separator> Sets string used to separate table entries (recognized only when used with -r).

Sample cifslist Output

This section provides examples of cifslist output including the options -x, -u and -m.


The sample output of the cifslist command is shown as follows:

$ cifslist

Mounted Object        Mountpoint              State
-------------------------------------------------------------
\\er721142\pub        /mnt/cifs_linux/00      M
\\er721141\pub        /mnt/cifs_nt/00         M
\\hpntc43\pub         /mnt/cifs_nt/01         MS
=============================================================
Server      Local User    Remote User    Domain       State
--------------------------------------------------------------
er721141    root          cifsuser                    L
er721142    root          john                        L
hpntc43     root          cifsuser       WORKGROUP    LS

In the above example, the cifslist command without any option displays servers with shares and mountpoints information. It uses the \\server\share format for mounted objects.

The following is an explanation of the State symbols in the output of cifslist:

For mounts:

M = Mounted

S = Saved in mount database

R = Read only

For users:

L = Logged in

S = Saved in user database

The following is a sample output of the cifslist -x command:

$ cifslist -x

Mounted Object        Mountpoint              State
-------------------------------------------------------------
er721142:/pub         /mnt/cifs_linux/00      M
er721141:/pub         /mnt/cifs_nt/00         M
hpntc43:/pub          /mnt/cifs_nt/01         MS
=============================================================
Server      Local User    Remote User    Domain       State
--------------------------------------------------------------
er721141    root          cifsuser                    L
er721142    root          john                        L
hpntc43     root          cifsuser       WORKGROUP    LS

In the above example, HP CIFS Client displays servers with shares and mountpoints information. It uses the UNIX format, server:/share, for mounted objects.

The following is an example output for the cifslist -u command:

$ cifslist -u

Server      Local User    Remote User    Domain       State
-------------------------------------------------------------
er721141    root          cifsuser                    L
er721142    root          john                        L
hpntc43     root          cifsuser       WORKGROUP    LS

The following is an example output for the cifslist -m command:

$ cifslist -m

Mounted Object        Mountpoint              State
-------------------------------------------------------------
\\er721142\pub        /mnt/cifs_linux/00      M
\\er721141\pub        /mnt/cifs_nt/00         M
\\hpntc43\pub         /mnt/cifs_nt/01         MS

In the above example, HP CIFS Client uses the \\server\share format for mounted objects.


cifsdb

Synopsis

cifsdb [-d] {<mount_point|server>}

Description

The cifsdb command is used to add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically, as described below.

CIFS Mounts

If a shared directory on a CIFS server has been mounted at mount_point, then cifsdb mount_point saves the mount-point, server, shared-directory names, and other pertinent information in the CIFS Client mount database file, /var/opt/cifsclient/cfgdb.ppl, such that the mount can be re-established automatically whenever the CIFS Client is started. If an entry already exists for this mount-point in the database, it is replaced. mount_point must be an absolute path. Only users with root privileges may manage CIFS mounts database entries.

The HP CIFS Client supports similar functionality through the standard UNIX /etc/fstab mechanism; see “Using /etc/fstab” on page 36 or fstab(4) for details.

CIFS Logins

If a user has established a CIFS login session at server through the NTLM authentication protocol, then if that user invokes cifsdb server, the NTLM hash of the user’s password and other information pertinent to the login session are encrypted and then saved in the CIFS Client user database, cifsclient.udb, such that the user can subsequently be automatically logged in to server. If an entry already exists for this user-server pair in the database, it is replaced.


For CIFS logins that have been authenticated with Kerberos, users’ NTLM password hashes are not saved in the CIFS Client user database. You can establish automatic CIFS logins with Kerberos through kinit(1) or PAM-KERBEROS, as described in Chapter 3, “CIFS Security and Authentication,” on page 41.

Options

-d {<mount_point|server>}

Delete the corresponding entry for this mount_point or server from the database. Neither the mount nor the login needs to be active for the entry to be deleted.

Files

/var/opt/cifsclient/cifsclient.udb CIFS user database file

/var/opt/cifsclient/cfgdb.ppl CIFS mount database file

See Also

cifsmount, cifslogin, cifslist


mount_cifs, umount_cifs

Mounts and unmounts CIFS file systems. This section describes the usage of the mount and umount commands when the CIFS filesystem is specified for the FS type.

Synopsis

mount -F cifs [-ar] [-o fs_specific_option[,...]] [server:/share mount_point]

umount -aF cifs | mount_point

Description

The mount command mounts file systems. Only a superuser can mount file systems. Other users can use mount to list mounted file systems. Use cifslist to view CIFS-specific mounts and user connections.

The mount command attaches server:/share to mount_point. server is a remote system. share is a directory on this remote system and mount_point is a directory on the local file tree. mount_point must already exist, and be given as an absolute path name. It will become the name of the root of the newly mounted file system.

If mount is invoked without any arguments, it lists all of the mounted file systems from the file system mount table, /etc/mnttab.

The umount command unmounts currently-mounted file systems. Only a superuser can unmount file systems.

In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. This new behavior allows users to be automatically reconnected if the user needs to unmount and remount a share.

Options

-F cifs Filesystem-specific identifier. Always required for mounting and unmounting CIFS file systems, except for the command form umount mount_point.


-a Used with mount, mounts all CIFS filesystems that have entries in /etc/fstab. Used with umount, unmounts all currently mounted CIFS file systems.

-r Mounts as read-only.

-o This class of options is specified with the following syntax:

-o keywrd[,keywrd...],keywrd=value[,keywrd=value...]

Some keywords are specified as keyword/value pairs, some are not. -o options must be delimited by commas; no white space is allowed. For example:

-o ro,username=fulton,password=pokey

Following are the -o options to mount supported by the CIFS Client (keywords that require values are indicated by "keyword=value"):

ro Mount as read-only filesystem.

domain=domain Send this domain name to the server.

username=name Username sent to server. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user. If you have a different user name at the server, you may use this option to set that name. It is ignored if you are already logged in. Must be used with the password option.

password=passwd Password for username given on the command line. Use this option only if you really have to, because all command-line parameters may show up in the output of the ps command. This makes it possible to pass a dynamically generated password to the server. Password is ignored if the user is already logged in at the server. Must be used with the username option.


ipaddr=ipaddress

Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.

plaintxt Enable plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if the user is already logged in at the server.

Files

/etc/mnttab Table of mounted file systems.
/etc/fstab List of default parameters for each CIFS file system.

See Also

mount(1M), umount(1M), cifslogin, cifsumount, cifslogout, cifslist
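The -P, -u and -s options of cifsmount and cifslogin, and the password= and plaintxt keywords of mount -F cifs, are all visible in the process table while the command runs. The following Python script is an added example, not part of the HP guide: it scans a process listing for those invocations and redacts the password in its report. The `pid args` input format, the sample lines and the password Summer2006 are constructed for illustration.

```python
import shlex

# cifsmount/cifslogin options that consume the next argument (from the option lists above)
VALUE_OPTS = {"-U", "-D", "-P", "-I"}

# Constructed sample in "pid args" form; how the listing is collected is left to the site.
SAMPLE_PS = """\
 2211 cifsmount -U miller -P Summer2006 //bigserver/entiredisk /mounts/bigserver
 2240 cifsmount -S -r //bigserver/entiredisk /mounts/bigserver
 2307 cifslogin bigserver -U miller -u -s
 2318 mount -F cifs -o ro,username=fulton,password=pokey bigserver:/pub /mnt/pub
 2400 mount -F hfs /dev/dsk/c0t6d0 /data
"""

def _is_cifs_mount(argv):
    """True when the mount command names the cifs filesystem type with -F cifs."""
    return any(a == "-F" and b == "cifs" for a, b in zip(argv, argv[1:]))

def scan_line(line):
    """Inspect one 'pid args' line; return a finding dict, or None if nothing is flagged."""
    pid, _, cmd = line.strip().partition(" ")
    try:
        argv = shlex.split(cmd)
    except ValueError:              # unbalanced quotes, e.g. a truncated listing
        return None
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]
    findings, redacted = [], list(argv)

    if tool in ("cifsmount", "cifslogin"):
        i = 1
        while i < len(argv):
            arg = argv[i]
            if arg == "-P" and i + 1 < len(argv):
                findings.append("password-on-command-line")
                redacted[i + 1] = "<redacted>"
            elif arg == "-u":
                findings.append("plaintext-password-enabled")
            elif arg == "-s":
                findings.append("password-saved-to-database")
            i += 2 if arg in VALUE_OPTS else 1
    elif tool == "mount" and _is_cifs_mount(argv):
        for i, arg in enumerate(argv[:-1]):
            if arg != "-o":
                continue
            kept = []
            for opt in argv[i + 1].split(","):
                key, sep, _ = opt.partition("=")
                if key == "password" and sep:
                    findings.append("password-on-command-line")
                    opt = "password=<redacted>"
                elif key == "plaintxt":
                    findings.append("plaintext-password-enabled")
                kept.append(opt)
            redacted[i + 1] = ",".join(kept)

    if not findings:
        return None
    return {"pid": pid, "tool": tool, "findings": findings,
            "command": " ".join(redacted)}

def scan(listing):
    """Return one finding dict per flagged line of the listing."""
    return [hit for hit in map(scan_line, listing.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PS):
        print(hit["pid"], ",".join(hit["findings"]), "|", hit["command"])
```

The invocation with -S (pid 2240) is not reported, because the password never appears in the argument list.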


6 Troubleshooting and Error Messages

This chapter includes information about problems that you may encounter when using the HP CIFS client and explanations of error messages that might occur with HP CIFS commands.

• “Troubleshooting FAQs” on page 93.

• “Troubleshooting Kerberos in the HP CIFS Client” on page 94.

• “Troubleshooting cifsmount or mount in the HP CIFS Client” on page 96.

• “CIFS Client Log File and Log Levels” on page 98.


Troubleshooting FAQs

This section includes commonly asked questions about HP CIFS.

How to Shutdown the Daemon with cifsclient stop

You should never kill the daemon process directly. Although HP CIFS tries to unmount all mounted shares, it may not be successful and the stale mounts will become unusable and cause problems. The correct way to do it is with cifsclient stop.

Refer to “Step 4, Starting and Stopping the Client” in chapter 2 in this manual for more detailed information about cifsclient stop.

What to Do if the Daemon Terminates

If the daemon terminates, all shares served by HP CIFS will immediately become unusable. Every access will hang until the NFS timeout (configured in the configuration file) elapses. You can probably get away without rebooting if you immediately terminate all processes using the mounts, change all current directories from within the mounts and then use the cifsclient force_umount <mountpoint> command to unmount the stale mounts. Report the event to HP Technical Support and describe how the problem can be reproduced.


Troubleshooting Kerberos in the HP CIFS Client

• cifsTrace, authentication log levels

Informative log messages will be produced by Kerberos processing in the HP CIFS Client log file if the cifsTrace and authentication log levels are enabled.

• Temporary credentials files

When Kerberos authentication is used, the HP CIFS Client utilizes a temporary file to store users’ credentials during login processing. There is one temporary credentials file per user per server. Kerberos tickets are not reused by the HP CIFS Client. Hence, when the user’s login processing is completed, the temporary file is removed.

For troubleshooting, the temporary credential files can be preserved by setting the configuration variable rmTempKerbCredFiles to no. You can then examine and remove the files with the standard Kerberos Client utilities, klist(1) and kdestroy(1). Use the -c cache_filename option with these commands, specifying filenames in the following form:

/var/opt/cifsclient/krb5_tmp/krb5cc_servername_uid

where servername is the CIFS server and uid is the user’s Unix uid on the local HP-UX host on which the CIFS Client is running.

As a convenience, the cifsclient control script can also be used to operate on these credentials files without referring to file or path names. Enter cifsclient -h for a syntax summary.

• Basic Kerberos functionality

If you suspect that basic functionality of your Kerberos infrastructure is not working properly, repeat the verification checks in step 2.

• If you wish to set authenticationMethod for specific servers to a value different from the global setting in the default Server section of the configuration file, you can create server-specific options in the servers section. The servers section of the configuration file is discussed near the end of Chapter 7, and the configuration file itself contains a sample servers entry.


Troubleshooting cifsmount or mount in the HP CIFS Client

This section includes information about problems that you may encounter when using the cifsmount or mount command to mount a share on a CIFS server and actions you may take to correct the problems.

What to Do if the HP CIFS Client DLKM is Unused

You may encounter the following error messages when running the cifsmount or mount command to mount the CIFS filesystem:

$ cifsmount -U <user> -P <password> //<server>/<share> \
/<mount-point>

ERROR: UNIX: No such device

or

$ mount -F cifs <server>:/<share> /<mount-point>

ERROR mount: cifs : Invalid argument
usage: mount [-l][-v|-p]
       mount [-F FStype][-eQ] -a
       mount [-F FStype][-eQrV][-o specific_options]
             { special | directory }
       mount [-F FStype][-eQrV][-o specific_options]
             special directory

To resolve the above errors, first ensure that all the command-line arguments are correct and the CIFS server is up, then use the following command to check the CIFS Client Dynamically Loadable Kernel Module (DLKM) state:

$ kcmodule cifs

If the CIFS Client DLKM state is unused, the following output message is displayed:

Module          State      Cause      Notes
cifs            unused                auto-loadable,unloadable


After you verify that the CIFS Client DLKM state is unused, you can use the following command to change the CIFS Client DLKM state to auto, so the CIFS Client DLKM can be loaded. The command and output message display are shown as follows:

$ kcmodule cifs=auto

* The sutomatic ‘backup’ configuration has been updated.
* The request changes have been applied to the currently
* running system.
Module          State      Cause      Notes
cifs  (before)  unused                auto-loadable,unloadable
      (now)     auto       explicit

The auto state will enable the CIFS Client DLKM to be dynamically loaded when the first cifsmount or mount command over the CIFS share is performed.

What to Do if You Encounter the Error Message: “Device Busy”

You may encounter the “device busy” error message when running the cifsmount or mount command to mount the CIFS filesystem. To resolve this type of error, check to see whether the CIFS filesystem mountpoint is tied to any process by running the fuser -fu mountpoint (see fuser(1M)) or cifsclient fuser [-v] mountpoint command against the given mountpoint and each of its subdirectories. This is useful for determining which processes are accessing the mount, in the event that mounting fails with a “device busy” message. Terminate these processes tied to the mountpoint, then invoke the cifsmount or mount command again.


CIFS Client Log File and Log Levels

The CIFS Client produces a log file of its activities, in the directory /var/opt/cifsclient/debug. Each time the client starts, it creates a new log file, named client-log.pid, where pid is the HP-UX process id of the CIFS Client daemon, cifsclientd.

Normally, the log file records only errors or warnings. But, many log levels can be enabled for checking activities of various modules within the CIFS Client.

If you report a problem to HP, your support representative may ask you to enable one or more log levels. This is done by editing the CIFS Client configuration file, /etc/opt/cifsclient/cifsclient.cfg, and uncommenting the particular log level, by removing the preceding # character and saving the file.

You do not need to restart the CIFS Client for it to recognize the newly enabled (or disabled) log levels.

Note that increased logging consumes more disk space and slows the performance of the CIFS Client. Hence, when you do not need logging, it is best to disable it. Refer to the cifsclient.cfg.default file for recommended default operating log levels.

If a log size reaches 50 Megabytes, it is copied with .prev appended to its name, and a new log is started. If the new log reaches 50 Megabytes, it is copied with .prev appended, overwriting the previous one.


7 Configuration File

The default configuration file should work without modifications. Please be sure you understand the effects of any changes before you decide to modify the configuration file.


The configuration file is parsed by the HP CIFS Client daemon at startup and when edited. Although it is re-read by the running daemon, not all configuration changes will work immediately. Most options are read into internal variables when they are used. The server configuration, for instance, is transferred into internal structures when a connection to the server is opened. Therefore, if a change to the server configuration is made, you must first unmount all shares and log out all users from that server. The configuration file for the HP CIFS Client is /etc/opt/cifsclient/cifsclient.cfg.

NOTE The CIFS Client configuration file, cifsclient.cfg, used for HP CIFS Client A.01.* is not valid for HP CIFS Client A.02.*. For detailed information on how to update any A.01.* version to any A.02.* version of the CIFS Client, see “Migrating from version A.01.* to A.02.* of HP CIFS Client” on page 57 in Chapter 4.


General Structure

Configuration files are built from the following simple syntactic structures:

• comments

• strings

• arrays

• dictionaries

The # character starts a comment; any text between a # character and the end of a line is a comment.

# comment to end of line

Strings, arrays and dictionaries are classified by the generic term "property".

Strings are sequences of alphanumeric characters, including the underscore. If a string should consist of other characters like spaces, it must be quoted in double quotes. Within double quotes, the same escape sequences as in C strings can be used. There is no separate syntax for numeric arguments. Numeric arguments are regarded as strings and converted when used.

Arrays are ordered lists of other properties. An array is delimited by parentheses and the properties constituting the array may be separated by commas. The following example is an array consisting of several string elements:

(1, 2, 3, hello, "how are you")

Dictionaries are unordered lists of named properties. These lists are delimited by curly braces. Each dictionary entry consists of a left-hand side (key), which must be a string, an equal sign, and a right-hand side (value) which may be any property. Entries may be separated by semicolons. The following is an example of a dictionary consisting of three entries named property1 to property3, where the first one has a string value, the second an array value, and the third a dictionary value:

{
property1 = "value of property1";
property2 = (value, of, property2);
property3 = {
    firstWord = value;
    secondWord = of;
    thirdWord = property3;
};
}

The configuration file itself is a dictionary (the surrounding curly braces are optional because other properties are not allowed). The keys at the top level are the names of the configuration variables.

Properties that have been parsed as strings may be interpreted in one of the following ways:

• string

• number

• enumeration

• boolean

String needs no further explanation. Numbers are interpreted in decimal, unless they are prefixed with 0 (meaning octal), or 0x (meaning hexadecimal). Enumerations are strings from a predefined set of strings. Boolean variables are a special case of enumeration where the set consists of the strings yes and no.
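As an added example (not code from HP or from the guide), the following Python parser implements the syntax described in this section and then checks a parsed file for three settings documented under Configuration Parameters: sockMode, the trace logging modes in logLevels, and usersMayStoreSessionData. The sample file and its flat layout are constructed, and treating usersMayStoreSessionData = yes as a finding is this example's policy assumption.

```python
import re
TOKEN = re.compile(r'\s+|#[^\n]*|(?P<punct>[(){}=,;])'
                   r'|"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>[A-Za-z0-9_]+)')
ESCAPES = {"n": "\n", "t": "\t", "r": "\r"}   # common C escapes; others map to themselves
TRACE_MODES = {"netbiosTrace", "nfsTrace", "cifsTrace", "uiTrace", "nbnsTrace"}

def tokenize(text):
    """Split text into ('punct', c) and ('str', s) tokens, dropping comments."""
    pos, tokens = 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.group("punct"):
            tokens.append(("punct", m.group("punct")))
        elif m.group("quoted") is not None:
            body = re.sub(r"\\(.)", lambda e: ESCAPES.get(e[1], e[1]), m.group("quoted"))
            tokens.append(("str", body))
        elif m.group("bare"):
            tokens.append(("str", m.group("bare")))
    return tokens

def parse(text):
    """Parse configuration text into nested dict / list / str values."""
    toks = tokenize(text)[::-1]                    # stack; next token is toks[-1]
    peek = lambda: toks[-1] if toks else (None, None)
    take = lambda: toks.pop() if toks else (None, None)

    def value():
        kind, val = take()
        if kind == "str":
            return val
        if val == "(":
            items = []
            while peek() != ("punct", ")"):
                items.append(value())              # raises at end of input
                if peek() == ("punct", ","):       # separators are optional
                    take()
            take()
            return items
        if val == "{":
            return dictionary(("punct", "}"))
        raise ValueError(f"expected a property, got {val!r}")

    def dictionary(closer):
        entries = {}
        while peek() != closer:
            kind, key = take()
            if kind != "str" or take() != ("punct", "="):
                raise ValueError(f"expected 'key =', got {key!r}")
            entries[key] = value()
            if peek() == ("punct", ";"):           # separators are optional
                take()
        take()
        return entries

    if peek() == ("punct", "{"):                   # top-level braces are optional
        take()
        return dictionary(("punct", "}"))
    return dictionary((None, None))

def to_number(s):
    """Decimal unless prefixed with 0 (octal) or 0x (hexadecimal)."""
    if s.lower().startswith("0x"):
        return int(s, 16)
    return int(s, 8) if len(s) > 1 and s.startswith("0") else int(s, 10)

def find(node, key):
    """Yield every value stored under key at any nesting depth."""
    is_list = isinstance(node, list)
    pairs = enumerate(node) if is_list else node.items() if isinstance(node, dict) else ()
    for k, v in pairs:
        if k == key:
            yield v
        yield from find(v, key)

def audit(cfg):
    findings = []
    for mode in find(cfg, "sockMode"):
        if to_number(mode) != 0o600:
            findings.append(f"sockMode is {mode}, expected 0600")
    for levels in find(cfg, "logLevels"):
        for mode in sorted(m for m in TRACE_MODES if m in levels):
            findings.append(f"logLevels enables {mode}; turn off for normal operation")
    if "no" not in list(find(cfg, "usersMayStoreSessionData")):
        findings.append("usersMayStoreSessionData is yes (explicitly or by default)")
    return findings

SAMPLE = r'''# constructed sample for this example, not the shipped cifsclient.cfg
logLevels = (info, error,
#   debug,
    netbiosError, cifsTrace, warn, smbConnect,
);
sockMode = 0666;                 # octal because of the leading 0
usersMayStoreSessionData = yes;
'''

if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```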


Configuration Parameters

The following is a list of all variables that may be configured for the top 3 basis sessions: main, nfs3, cifs.

logLevels The value of this variable is an array enumerating all logging modes that are active. The number in square brackets identifies the messages of the respective logging mode in the log file.

A logging mode is a string out of the following set:

[0] info

Logging of informational messages. Should be turned on.

[1] error

Logging error messages. Should be turned on.

[2] debug

General debug messages. Used only during debugging.

[3] resource

Messages about allocation and deallocation of objects. Used only during debugging.

[4] netbiosError

Logging error messages from the Netbios layer. Should be turned on, unless too many errors occur. This is separated from general error logging because not all of Netbios is implemented in HP CIFS Client, and the unimplemented features result in Netbios error messages.

[5] netbiosDebug

Debug messages from the Netbios layer. Used only during debugging.

[6] netbiosTrace

Generates hex-dumps of all outgoing and incoming Netbios traffic. This is very useful during debugging but should be turned off for normal operation.

[7] nfsTrace

Provides detailed information about all NFS requests done by the kernel and the respective return values. It is very useful for debugging NFS but should be turned off for normal operation.

[8] rare

Logging of rare conditions. Used only during debugging.

[9] cacheDebug

Debugging of the cache's operation. Used only during debugging.

[10] cifsTrace

Logging of all CIFS commands issued and the respective return values. Very useful together with netbiosTrace for debugging, but should really be turned off during normal operation.

[11] oplock

Debugging of opportunistic lock mechanism. Used only during debugging.

[12] warn

Warnings of any kind, mostly used by the configuration file parser. Should be turned on.

[13] smbSequence

Debugging messages about the order of HP CIFS requests and the respective messages. Used only during debugging.

[14] debugAttributes

Debugging of file attribute routines. Useful only during debugging.

[15] smbConnect

Debugging of server connection and disconnection messages for NetBIOS. Useful only during debugging.

[16] uiTrace

Generates hex-dumps of the communication with user interface. This is useful during debugging but should be turned off for normal operation.

[17] nbnsTrace

Generates hex-dumps of all NetBIOS name service traffic. This is useful during debugging but should be turned off for normal operation.

[18] diskarb

Debugging of disk arbitration. Useful only during debugging.

[19] authentication

Debugging of CIFS authentication details. Useful only during debugging.

The default logging modes are info, error, netbiosError, warn, smbConnect. The default logging setting is as follows:

logLevels = (
    info,
    error,
#   debug,
#   resource,
    netbiosError,
#   netbiosDebug,
#   netbiosTrace,
#   nfsTrace,
#   rare,
#   cacheDebug,
#   cifsTrace,
#   oplock,
    warn,
#   smbSequence,
#   debugAttributes,
    smbConnect,
#   uiTrace,
#   nbnsTrace,
#   diskarb,        # disk arbitration
#   authentication,
);

The log file records only errors or warnings. But, many log levels can be enabled for checking activities of various modules within the CIFS Client.

If you report a problem to HP, your support representative may ask you to enable one or more log levels. This is done by editing the CIFS Client configuration file and uncommenting the particular log level, by removing the preceding # character of the logging mode and saving the file.

Note that increased logging consumes more disk space and slows the performance of the CIFS Client. Hence, when you do not need logging, it is best to not change the default logging setting, unless your support representative asks you to enable it.

cfgParseInterval

HP CIFS Client can reparse the configuration file while running. For this feature to work, the HP CIFS Client must poll the file regularly. The variable cfgParseInterval defines the time of this poll cycle in milliseconds. The default is 5000.

Parameters that are negotiated upon connection to the server will not reflect changed configuration values until all shares on the server are unmounted and a new connection is established, whereas other changes take effect within the time specified in cfgParseInterval.

sockMode, sockOwner, sockGroup

File access mode and ownership for the UNIX domain socket that is used for communication between the HP CIFS Client daemon and the command line utilities. The access mode may be given in octal notation, if prefixed with a leading 0; in hexadecimal notation if prefixed with a leading 0x; or in decimal notation if not prefixed with any of the above. Owner and group may be given by name or as numeric id. Do not set these values to anything other than mode=0600 and owner=root unless you really know what you are doing. The file access modes of this UNIX domain socket are used to provide secure authentication of the user that requests a service to the daemon. If these variables are not configured from the file, they default to the correct values.
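An added example, not part of the HP guide or the product: a small audit of the settings this chapter says to leave alone, namely extra logLevels entries and the sockMode/sockOwner of the daemon's socket. The configuration text is a constructed sample, and the comment and assignment syntax handled here is inferred from the fragments shown in this guide.

```python
import re

# Values taken from the guide text above.
DEFAULT_LOG_LEVELS = {"info", "error", "netbiosError", "warn", "smbConnect"}
HEX_DUMP_LEVELS = {"uiTrace", "nbnsTrace"}   # "should be turned off for normal operation"
EXPECTED_SOCK_MODE = 0o600
ROOT_NAMES = {"root", "0"}                   # owner may be a name or a numeric id

# Constructed sample, not a real cifsclient.cfg.
SAMPLE_CFG = """\
logLevels = (
    info,
    error,
#   debug,
    netbiosError,
    warn,
    smbConnect,
    uiTrace,
#   nbnsTrace,
    authentication,
);
cfgParseInterval = 5000;
sockMode = 600;
sockOwner = root;
"""


def parse_mode(text):
    """Apply the guide's rule: leading 0x is hex, leading 0 is octal, else decimal."""
    t = text.strip()
    if t.lower().startswith("0x"):
        return int(t, 16)
    if len(t) > 1 and t.startswith("0"):
        return int(t, 8)
    return int(t, 10)


def strip_comments(cfg_text):
    # Assumption: '#' starts a comment that runs to the end of the line.
    return "\n".join(line.split("#", 1)[0] for line in cfg_text.splitlines())


def active_log_levels(cfg_text):
    """Names left uncommented in logLevels = ( ... ); the defaults if the key is absent."""
    m = re.search(r"\blogLevels\s*=\s*\((.*?)\)\s*;", strip_comments(cfg_text), re.S)
    if m is None:
        return set(DEFAULT_LOG_LEVELS)
    return {name.strip() for name in m.group(1).split(",") if name.strip()}


def scalar_settings(cfg_text):
    """Collect simple 'key = value;' assignments; arrays and dictionaries are skipped."""
    pairs = re.findall(r"^\s*(\w+)\s*=\s*([^;({]+?)\s*;", strip_comments(cfg_text), re.M)
    return {key: value.strip('"') for key, value in pairs}


def audit(cfg_text):
    """Return (setting, message) pairs for values that depart from the guide's advice."""
    findings = []
    settings = scalar_settings(cfg_text)

    raw_mode = settings.get("sockMode")
    if raw_mode is not None:
        try:
            mode = parse_mode(raw_mode)
        except ValueError:
            findings.append(("sockMode", "unparsable value %r" % raw_mode))
        else:
            if mode != EXPECTED_SOCK_MODE:
                findings.append(("sockMode", "written as %s, effective mode %04o, "
                                 "expected 0600" % (raw_mode, mode)))

    owner = settings.get("sockOwner")
    if owner is not None and owner not in ROOT_NAMES:
        findings.append(("sockOwner", "socket owned by %s, expected root" % owner))

    for level in sorted(active_log_levels(cfg_text) - DEFAULT_LOG_LEVELS):
        if level in HEX_DUMP_LEVELS:
            reason = "hex dumps of traffic; turn off for normal operation"
        elif level == "authentication":
            reason = "logs CIFS authentication details; debugging only"
        else:
            reason = "non-default level; costs disk space and performance"
        findings.append(("logLevels." + level, reason))
    return findings


if __name__ == "__main__":
    for key, message in audit(SAMPLE_CFG):
        print("%-26s %s" % (key, message))
```

In the sample, sockMode = 600 has no leading 0, so it is read as decimal and yields mode 1130 rather than 0600.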

pidFile

HP CIFS Client can maintain a file with the process id of the daemon, if desired. If this variable is defined, it is interpreted as the path of the file where the pid should be stored. If this variable is not defined, no such file is created.

usersMayStoreSessionData

The system administrator can control whether users can store passwords in the user database, cifsclient.udb, through the usersMayStoreSessionData parameter. This database can be used to establish automatic user logins to the CIFS server. Users with root privileges can store mounts or their own passwords, regardless of how this parameter is set. Setting it to no disables storing. The default setting is yes.

caseConvertFile

This variable configures the path to the case conversion table. This file defines the mapping to upper and lower case for all Unicode characters. The default is to use no table file and retain the default ISO 8859-1 mapping. A mapping file derived from the Unicode standard is part of the HP CIFS Client distribution. You can find it at unitables/unicase.cfg.

serverCharMapFile

This variable configures the path to the character mapping file for the server. This file is only used when client and server do not agree on using Unicode. It defines the mapping from the internal Unicode representation to the ASCII strings sent to the server (and vice versa). The default is a codepage 437 mapping, which is the US-Latin DOS character set. Mapping files for various character sets are distributed with HP CIFS Client in the directory unitables.

clientCharMapFile

This variable configures the path to the character mapping file for the client. This file defines the mapping from internal Unicode representation to the ASCII strings seen at the client. Together with the serverCharMapFile, any conversions between server and client character code can be accomplished. These tables can be used to compensate for vendor-specific character sets and to cope with various national character sets such as JIS and ShiftJIS for Kanji, etc. The default is ISO 8859-1 mapping.

uniTableCompressBlocks

This integer variable customizes the compression of the Unicode table. A higher value reduces conversion speed but improves memory efficiency. Values higher than the number of contiguous unused code blocks have no effect. The default is 3.

corefileLimit

This integer variable defines the maximum core dump size in megabytes (1024 * 1024 bytes) the daemon creates. To disable core dumps, set this value to 0. The default value is 500 (in megabytes).

networkInterfaces

This variable defines network interfaces. The syntax is an array of strings. Each string consists of the IP address of an interface, a slash and the number of bits used for the network address (this is a variant of specifying the netmask). If you attempt to configure this variable, consider using the bindUdpExplicitly variable, too. For example, networkInterfaces = ("192.168.1.21/24", "192.168.2.23/24")

bindUdpExplicitly

If this variable is set to yes, HP CIFS Client binds UDP ports to all networks explicitly. Otherwise, it binds to address 0.0.0.0, a wildcard for all network interfaces installed. Binding explicitly may be required on operating systems which do not handle the source IP address of broadcasts correctly if there are multiple network interfaces. Please note that HP CIFS Client has to use the socket option SO_REUSEADDR and does not get an error if it binds to the same socket as Samba. You may have to change the default bind port for bindNbnsPort and bindNbdgsPort if you use this option. By default, this parameter is set to no.

pagePoolInitialSize

This integer variable defines the number of 8k pages of virtual memory that is allocated in advance for every share. The default value is 128.

nfs3 This section defines a default behavior which can be overridden by specific configurations. The NFS3 section contains the following parameters:

cacheFiles This variable defines the number of files cached by NFS handle. The default is 500.

cacheOpenFiles This variable defines the number of files that can be kept open even if they are not currently accessed. The default is 20.

changeMicrosecondFileTimes

This boolean variable determines whether the microsecond part of file modification dates is changed on each access. Changing the modification date effectively disables the kernel's NFS cache. The default is no.

fakeDirLinks This variable defines the number of hard-links displayed for directories if the backend can not provide a valid value. The default is 2.

fakeDirSize This variable defines the size displayed for directories if the backend can not provide a valid value. It should be set to a multiple of the block size.

mnttabPrefix This boolean variable is used to specify whether the identifier [cifs] is prefixed to listings of mounted CIFS file systems in /etc/mnttab and the output of mount(1M) and bdf(1M). If mnttabPrefix is set to no, the standard UNIX format is used; if it is set to yes, the format is "[cifs]server:/share". The default setting is no.

The format with which the mounted filesystem is displayed depends on the setting of mnttabPrefix at the time the filesystem is mounted. To change the format after the filesystem has been mounted, you must unmount and remount the filesystem.

nfsKernelCacheTime NFS kernel is cached for this amount of time (in seconds). A variable that can enable kernel caching by NFS. This improves performance of certain types of operations by reducing the number of calls sent over the network. The default setting is 0 seconds.

lookupStrategy As you probably know, the HP CIFS Client maps between NFS requests and SMB/CIFS requests. On the NFS side, files are referenced by unique identifiers, called NFS file handles. On the HP CIFS side, files are referenced simply by their path. The HP CIFS Client must be able to determine the path given to an NFS file handle. There are two strategies available to do this:

• pseudoInode

This strategy derives the NFS file handle as a hash value from the path. The hash is chosen in a way that makes efficient lookups possible, as long as the depth of the file in the directory hierarchy is lower than 27. The advantage of this strategy is the low memory consumption: Files can be looked up on demand, nothing has to be stored. The main disadvantage is that NFS file handles change when files are renamed. This leads to a conflict with Unix semantics when open files are renamed: After renaming, the handle of the open file is stale and the file can not be accessed without reopening. It also conflicts with a bug in the caching code of the Solaris NFS client where the writeback occurs only after closing the file, not during closing the file.

• database

In this strategy all NFS file handle to file path relations are stored in an internal database. This is the most secure and most compatible approach. The disadvantage is that all this information must be kept in memory. The HP CIFS Client needs about 500kB more real memory and about 10MB more virtual memory for each share that uses this strategy.

The database strategy is the default.

nfsTimeout This integer variable defines the initial timeout in 1/10 seconds that is used by the kernel when it requests data from HP CIFS Client. This value is doubled on each retry. Together with nfsRetransmit, this defines the absolute timeout for NFS requests. A value of 50 (5 seconds) avoids frequent retries of already running (slow) requests and ensures a total timeout of about 2 minutes. This should be sufficient even for the slowest devices and links. If you use a jukebox, it may also be necessary to increase requestTimeout.

nfsRetransmit This integer variable defines the number of retries the kernel attempts when HP CIFS Client does not reply in time. The timeout starts with nfsTimeout and is doubled on each retry. Retransmissions should not be necessary, because HP CIFS Client should not lose any requests. However, if your system's NFS client puts high loads on NFS servers and has small maximum socket buffer sizes, requests can get lost due to buffer overflows. A value of 5 (which is also the default) should be a good choice. You may want to experiment with nfsTimeout to get the optimum performance even with frequent buffer overflows.

nfsSockRxBuf

This integer variable sets the receive buffer size of the socket used to communicate with the kernel. If the value given is out of the acceptable range for your machine, the HP CIFS Client automatically limits the range. Increase the buffer size if you have extremely slow writes.

nfsSockTxBuf This integer variable sets the transmit buffer size of the socket used to communicate with the kernel. It is not necessary to set an explicit buffer size.

nfsTransferSize This integer variable defines the maximum block size used in data transfer between the kernel and HP CIFS Client. The maximum allowed value is 8k (8192). It may be necessary to reduce the value if the NFS socket has frequent overflows, as it may be the case with AIX 3.x. It is useful to use only powers of 2 as block sizes. The default is 8192.

preferredPort This integer variable defines the port number that HP CIFS Client attempts to use for NFS. If this port is not available, the HP CIFS Client chooses a free one. It is good to have a constant port for NFS because it allows a restarted daemon to take over the mounts of a previous incarnation. The port number must be below 1024 if not all local users are trusted.

cifs The structure of CIFS has its mirror in the multitude of options for CIFS configurations. This section defines a default behavior which can be overridden by specific configurations. The CIFS section contains the following parameters:

dataCacheSize This integer variable defines the number of bytes spent per data cache. The value of this variable should be a multiple of 8k.

databaseFile This variable configures the path to the user database file. It stores the user passwords and the registration key. The default is /var/opt/cifsclient/cifsclient.udb.

databaseParseInterval

HP CIFS Client can re-parse the user database file if it changes. For this function to work, HP CIFS Client must poll the file regularly. The databaseParseInterval variable defines the time of this poll cycle in milliseconds. If you set this variable to 0, the user database file is only parsed once during startup. The default value is 10000.

domain This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string suitable for all known servers.

initialDataCaches, initialDirCaches

These two integer variables define the number of caches that are allocated for directories and data files at startup. The default for both variables is 8.

bindNbnsPort This variable defines the port number to which HP CIFS Client sends NetBIOS name service requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 137.

bindNbdgsPort This variable defines the port number to which HP CIFS Client sends NetBIOS datagram requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 138.

lookupTryNetbios

This boolean variable configures whether NetBIOS broadcast is enabled. WINS is a feature of the NetBIOS name server. To enable WINS lookup, you must set this variable to yes and specify the nbnsWinsIp variable with the IP address of the WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. By default, this parameter is set to yes.

lookupTryDns This variable configures whether Domain Name Server (DNS) lookup is enabled. The default setting is yes.

fileCreateMask This variable allows you to specify a mask for the UNIX permissions mode of a file upon creation. The actual mode of the new file will be the result of the logical OR of the mask and the default mode for the operation. The default value of fileCreateMask is 0, which does not affect the file creation mode. This setting is useful only with CIFS servers that use CIFS UNIX extensions. Windows servers do not support UNIX file permissions. Refer to the man page umask(1) for more information.

allowBackslashesInPaths

This is a boolean variable with default setting no. When this parameter is set to yes, DOS-style backslashes can be used to refer to paths on CIFS servers. The first backslash in the path must refer to a file or subdirectory at least one level below the root of the share, and backslashes must be protected from interpretation by the shell. For example, the following path references are recognized:

    '/local_mountpoint/dir_at_top_level_of_share\subdir\file'

    /local_mountpoint/dir_at_top_level_of_share\\subdir\\file

but this is not valid:

    '/local_mountpoint\dir_at_top_level_of_share\subdir\file'

The standard UNIX forward-slash path delimiter is always recognized:

    /local_mountpoint/dir_at_top_level_of_share/subdir/file

nbnsWinsIp This string variable defines the IP address of the WINS server. If there is no WINS server in your network, set this variable to an empty string.

nbnsInitialTimeout, nbnsTotalTimeout

The nbnsInitialTimeout variable defines the initial timeout in milliseconds that is used by the NetBIOS name service operations. This value is doubled on each retry. The nbnsTotalTimeout variable defines the maximum timeout in milliseconds that is waited for a NetBIOS name service operation to succeed. If it exceeds the maximum timeout, the operation fails with a timeout error. By default, nbnsInitialTimeout is set to 100 and nbnsTotalTimeout to 1200.

nbnsCacheTime The NetBIOS name lookups are cached for this amount of time (in milliseconds).

scopeID This string variable defines the NetBIOS name scope of the client. If it is not defined, no scope ID is used. If you do not know what a scope ID is, you do not need one.

rmTmpKerbCredFiles

When Kerberos authentication is used, the CIFS Client uses a temporary file to store users' credentials during login processing. There is one temporary credentials file per user per server. Kerberos tickets are not reused by the CIFS Client, thus when the user's login processing is completed, the temporary file is removed. If required for troubleshooting, these files can be preserved by setting this variable to no. The files are located in /var/opt/cifsclient/krb5_tmp. The default is yes.

oldUdbEncrypt The encryption method used for the user database file (UDB) is enhanced in CIFS Client version A.02.02 such that the file can be reused after back-ups and restores. This feature is enabled by default. However, due to this enhancement, UDBs from version A.02.01 are not compatible with later CIFS Client binaries. In order for CIFS Client A.02.02 or later to use an older UDB, this parameter must be set to yes:

    oldUdbEncrypt = yes;

cifs.server.".default"

The baroque structure of CIFS has its mirror in the multitude of configuration options for CIFS connections. This variable defines a default behavior which can be overridden by specific configurations for each server. The value is a dictionary with the following parameters:

localNetbiosName

This entry can be used to set the NetBIOS name for the client that is sent to the server.

ipAddress This entry can be used to set the IP address of the CIFS server that you attempt to connect to.

connectTimeout This integer variable defines the maximum time in milliseconds that is waited for a connection to succeed. You probably have to increase the time if you are on a slow network. The default is 2000ms (2 seconds).

requestTimeout This integer variable defines the maximum time in milliseconds a server response may take (if the connection is already established). The default is 60000ms (60 seconds).

authenticationMethod

This entry specifies the method that the HP CIFS Client uses to authenticate users to the CIFS server. Allowed values are ntlm or kerberos. The default setting is ntlm. If the value is set to ntlm, only the NTLM protocol is used for logins to the server. If the value is set to kerberos, then if the server supports Kerberos, only Kerberos is used for logins. Otherwise, NTLM will be used. If NTLM is used, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

ntlmEncryptionVersion

This entry specifies the method that the HP CIFS Client should use to authenticate users to the CIFS server. Allowed values are ntlm or ntlmv2. If the value is set to ntlm, the NTLM encryption password is used for logins to the server. If the value is set to ntlmv2, then NTLMv2 is used. The default setting is ntlm.

smbPacketSigning

This string variable specifies which option is used by the HP CIFS Client to perform packet signing. The valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled.

preventCreationEnable, preventCreationPattern

These parameters can be used to prevent creation of files on CIFS servers that match a given pattern.

preventCreationEnable is a boolean variable; its default value is no. Setting it to yes prevents creation of files on the CIFS server with names that match the pattern specified in preventCreationPattern. If preventCreationEnable is set to no, preventCreationPattern is ignored.

preventCreationPattern is a string variable. The default value is null (""). File names that match the text pattern defined in preventCreationPattern cannot be created when preventCreationEnable is set to yes. The pattern can include the wildcard characters "*" (match any sequence of characters) and "?" (match any single character), thus an expression like "*file" matches file names such as my_file, xxfile, etc.

For example, to prevent users from placing DOS executables on the server, configure these parameters as follows:

    preventCreationEnable = yes;
    preventCreationPattern = "*.exe";

smbOverTCP This is a boolean variable that controls whether to use SMB over TCP, which causes the CIFS Client to bypass the NetBIOS Session Services for server connections. The default is no.

NOTE Windows NT servers do not support SMB over TCP; they do not accept connection requests on the established TCP port for this functionality (port 445). If you have NT servers in your network, and have enabled SMB over TCP, then you must create an "individual server" entry in the configuration file for each NT server. Individual server entries are placed after the "server.default" section, and before the tag "# End of 'server' section". For example, if an NT server's NetBIOS name is "ntsrv01", the section can be:

    ntsrv01 = {smbOverTCP = no;};

unixExtensions This boolean variable is used to enable or disable CIFS UNIX extensions for connections to CIFS servers. The valid values for this parameter are yes and no. The default setting is yes. This variable can be configured globally or on a server-by-server basis. See "CIFS UNIX Extensions" on page 16 for details.

caseSensitive This is a boolean variable (possible values yes or no) which specifies whether filenames on the server are case sensitive. By default, they are case sensitive in order to be consistent with the UNIX file system. If you use a case mapping different from none (see next parameter), you must set this parameter to no.

caseMapping This variable (of type enumeration) defines whether file names are mapped to all upper case (upper), all lower case (lower) or preserved as they are on the server (none).

capitalizeShares This boolean variable defines whether share names are converted to all uppercase characters before a connection is attempted. Share names should be case insensitive, but Windows 95 does not accept lowercase names. If this option occurs in section serverClasses, it can override a no to a yes, but not a yes to a no. The default is yes.

useUnicode This boolean variable specifies whether the HP CIFS Client will use Unicode if the server supports it.

domain This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string which should be suitable for all known servers. (move to cifs.domain)

alwaysEncryptData

If this boolean variable is set to yes, only SSL (Secure Socket Layer) connections with the server are accepted. If set to no, SSL is negotiated with the server.

guestRemoteUser The guestRemoteUser configuration solves the following problem: each UNIX user must be logged in (mapped to a CIFS username/password pair) at the server in order to access it, even if the share is public. It may be impractical to log in each user if there are a large number of UNIX users who, for example, want to access a public share where access permissions are not important. If you define a guestRemoteUser, all UNIX users that are logged in to the HP-UX system, but not logged in to the CIFS server, are automatically logged in to the CIFS server, as the guest user, when they attempt to access its mount point. No pre-existing login for the guestRemoteUser is needed. The name specified as guestRemoteUser must be the name of a valid account on the CIFS server or its domain, and the correct password for this user must be specified in the guestPassword parameter.

guestPassword This variable sets the password of a user specified by the guestRemoteUser parameter.

fileModeMask This variable can be used to limit the UNIX permissions given to files by the CIFS. The default setting is 0777. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file. They are relevant after files are copied from a CIFS share to the local disk since the cp command preserves attributes.

dirModeMask This variable can be used to limit the UNIX permissions given to directories by the CIFS. The default setting is 0777. Do not change unless you know what you are doing.

ctimeIsCreate This variable defines whether the UNIX ctime (Change Time) is taken from the DOS Creation Time or copied from the file modification time. If this parameter is set to yes, the creation time is used. The default setting is no.

fakeMountpointDate

If this boolean variable is yes, the modification and access times of the mount point always read the current time. This is useful for servers that return bogus values for the modification dates of root directories, such as Windows NT. The default is no.

execMapping This enumeration variable is useful for files stored on Windows servers. It defines which DOS attribute would be mapped to the UNIX execute permission. The following keywords are valid: archive, system, hidden, on, or off. Default is on. A side-effect of execMapping is that if the configured attribute is set on the server, the file will be listed on the UNIX Client with the execute bit set for all users (owner, group, and other).

WARNING If you plan to store UNIX executables on a CIFS server and invoke them on a UNIX Client, then the default setting execMapping = on is required. In this case, as seen by the UNIX Client, the execute bit is set on all file listings from the CIFS server. Using execMapping = on will not affect the attributes of files on HP CIFS Servers; those will still behave like normal UNIX files.

execInvert When this boolean variable is yes, the execute bit (as derived with the execMapping setting) is inverted.

fakeDirLinks If the server does not supply a number of hard-links for directories, this number is used. The value defaults to 2, if not specified. Some implementations of the UNIX utility find determine whether recursion is necessary or not from the link count. If your find uses this optimization, you may want to fake a high number of links for directories. Alternatively you can switch off the optimization with a command-line switch to find.

enableFakeLinks If this boolean variable is set to yes, the HP CIFS Client can do softlinks on Windows servers. These softlinks can be used by the HP CIFS Client clients only. On the Windows server they look like ordinary files with special attributes set (system and hidden attributes, if you have not modified the configuration).

linkModeMask, linkMode

These two integer variables define the file attributes that are used to distinguish faked softlinks from ordinary files. linkModeMask is 7 by default, which means that the attributes read-only, hidden and system are taken into account. linkMode defines the actual state that these attributes must have. It is 6 by default, which means that hidden and system must be set, but not read-only. The configuration value is calculated as the sum of the following components:

Table 7-1

    1    read-only
    2    hidden
    4    system
    32   archive

linksAreUnicode If this boolean variable is set to yes, the HP CIFS Client stores faked links in Unicode format on the server. This is incompatible with the CygWin32 format for symbolic links, but allows lossless storage of client paths. If it is set to no, symbolic links are more or less compatible to those of CygWin32 on Windows, but a conversion to the server character set is performed. Regardless of this variable, the HP CIFS Client can read symbolic link files in both formats.

attributesCacheTime

File attributes are cached for this amount of time (in milliseconds).
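The linkModeMask/linkMode test and the execMapping, execInvert and fileModeMask settings described above, worked through on DOS attribute bits as an added example (not HP's code). The comparison (attributes AND linkModeMask) equals linkMode follows from the description; the 0644 base mode, reading off as "never executable", and applying fileModeMask last are assumptions made for illustration.

```python
# DOS attribute values from Table 7-1.
READ_ONLY, HIDDEN, SYSTEM, ARCHIVE = 1, 2, 4, 32
EXEC_ATTRIBUTE = {"archive": ARCHIVE, "system": SYSTEM, "hidden": HIDDEN}


def is_fake_link(dos_attrs, link_mode_mask=7, link_mode=6):
    """Only the bits named in linkModeMask are compared; they must equal linkMode."""
    return (dos_attrs & link_mode_mask) == link_mode


def exec_bit(dos_attrs, exec_mapping="on", exec_invert=False):
    """Derive the execute bit from execMapping, then apply execInvert."""
    if exec_mapping == "on":
        bit = True                      # every listing carries the execute bit
    elif exec_mapping == "off":
        bit = False                     # assumption: off never sets it
    else:
        bit = bool(dos_attrs & EXEC_ATTRIBUTE[exec_mapping])
    return bit != exec_invert


def listed_mode(dos_attrs, base_mode=0o644, file_mode_mask=0o777,
                exec_mapping="on", exec_invert=False):
    """UNIX mode shown for a file. base_mode is a hypothetical starting point."""
    mode = base_mode
    if exec_bit(dos_attrs, exec_mapping, exec_invert):
        mode |= 0o111                   # owner, group and other, as the guide states
    return mode & file_mode_mask        # assumption: the mask is applied last


# Constructed directory entries: name -> DOS attribute sum.
ENTRIES = {
    "report.doc": ARCHIVE,
    "link_to_src": HIDDEN | SYSTEM | ARCHIVE,
    "locked.sys": READ_ONLY | HIDDEN | SYSTEM,
    "notes.txt": 0,
}


def classify(entries, **cfg):
    """Return name -> 'softlink' or the octal mode string a listing would show."""
    result = {}
    for name, attrs in entries.items():
        if is_fake_link(attrs):
            result[name] = "softlink"
        else:
            result[name] = "%04o" % listed_mode(attrs, **cfg)
    return result


if __name__ == "__main__":
    print(classify(ENTRIES))                            # defaults
    print(classify(ENTRIES, file_mode_mask=0o666))      # execute bits masked off
    print(classify(ENTRIES, exec_mapping="archive"))    # only archive files executable
```

With the defaults every regular file is listed as 0755, which is the mode a cp that preserves attributes would carry to local disk; a fileModeMask of 0666 removes the execute bits at the cost of the use case in the WARNING above.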

dirCacheTime Directory contents are cached for this amount of time (in milliseconds).

maxCachedFiles This is the maximum number of file objects that are held as cache of NFS file handles. If an NFS file handle is requested which is not in the cache, it must be looked up recursively, which may result in a notable performance loss. Recursive lookups are logged as rare events.

dataCacheSize This is the size of the data cache that is allocated for open files in bytes. The value is rounded to a multiple of the cache's page size, which is derived from the maximum transferable size. The page size will always be a power of two. (move to cifs.dataCacheSize)

closeDelay This variable defines the time a file is kept open when it is not used. The value is a dictionary with the following keys:

exclusiveLock

The keep-open time in milliseconds if an exclusive oplock has been acquired.

batchLock

The keep-open time in milliseconds if a batch oplock has been acquired.

noLock

The keep-open time in milliseconds if no lock has been granted.

dataCacheTimeNoLock

If no oplock has been granted, no caching should be done. This might result in bad performance on servers that do not support oplocks. This value sets a cache-valid time (in milliseconds) that is used if no oplock was granted.

readAhead This variable defines the number of cache pages to read ahead. It is a dictionary with the following keys:

lock

The number of pages to read ahead if an oplock was granted.

noLock

The number of pages to read ahead if no oplock was granted.

useWriteBack This variable defines whether cache write-back techniques should be used. Write back is insecure (in terms of error recovery) if used with NFS2, but it may increase performance notably. The value is a dictionary with the following keys:

lock

Boolean value which configures whether write back should be used when an oplock has been granted.

noLock

Boolean value which configures whether write back should be used when no oplock has been granted.

If you care about reliability, always leave these options off. This configuration variable is also passed to the server. There are server/OS combinations (notably Samba/Linux) which become very slow in write-through mode. You may want to configure write back for these.

requestOplock This boolean variable defines whether oplocks should be requested from the server. It should be set to no for Windows 95 machines because they grant an oplock although there is no support for it.

closeForSetattr This boolean variable defines whether files should be closed before attributes (write protection, modification dates) are changed. This is very useful for Windows 95 servers because these servers can not set the attributes of open files. However, with this feature enabled, the UNIX semantics mapping does not work completely. The default is no.

disableSmbs Not every server supports every SMB command equally well. In fact, many commands are unusable on certain server types. The value of this variable is an array which enumerates the SMB commands that should not be used. The respective commands will be replaced by a workaround automatically. The enumeration constants may be taken from the following set:

getattrFind

Suppresses the use of the trans2/findfirst2 command for reading file attributes. trans2/findfirst2 is the best way to query attributes, so only disable it if you need to.

getattrTrans2QueryPath

Suppresses the use of the trans2/query_pathinfo command for reading file attributes. Trans2/query_pathinfo seems to be broken on Windows 95.

attrUnix

Disables the UNIX extensions for file attributes.

setattrTrans2SetFile

Suppresses the command trans2/setfileinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

setattrTrans2SetPath

Suppresses the command trans2/setpathinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

setattrSetFile2

Suppresses the use of SET_INFORMATION2 for setting attributes.

setattrCoreWithTime

Suppresses the use of the core SET_INFORMATION command for setting modification dates.

createOpenX

Suppresses the use of SMB_COM_OPEN_ANDX for creating files.

openOpenX

Suppresses the use of SMB_COM_OPEN_ANDX for opening files.

readReadX

Suppresses the use of SMB_COM_READ_ANDX for reading files.

readOpenRead

Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_READ_ANDX for reading files.

writeWriteX

Suppresses the use of SMB_COM_WRITE_ANDX for writing files.

writeOpenWrite

Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_WRITE_ANDX for writing files.

findUnix

Disables the CIFS UNIX extensions for reading directories.

findTrans2

Disables the use of trans2/find for reading directories.

fsinfoTrans2

Suppresses the use of trans2/query_fs_info for reading file system infos.

sessionSetup

Suppresses the session setup command (only used for core dialect).

treeconAndX

Suppresses the TREE_CONNECT_ANDX command (TREE_CONNECT is used instead).

setDirDates

Suppresses setting directory modification dates when files are created or deleted in a directory. This may be useful if the server sets the date automatically when directories are modified.

fileModeMask This integer variable defines the file permissions. fileModeMask is 0777 by default. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file or not. They are relevant, however, after files are copied from a CIFS share to the local disk because the cp operation preserves file attributes.

dirModeMask This integer variable defines the directory permissions. dirModeMask is 0777 by default. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file or not. They are relevant, however, after files are copied from a CIFS share to the local disk because the cp operation preserves file attributes.

cifs.servers This variable may modify the values configured with cifs.server.default for specific servers. It consists of a dictionary where the keys are the Netbios names of servers. The value for each server key is also a dictionary. This dictionary has the same structure as the defaultServer dictionary. In addition, the following keys may be used:

ipAddress This entry may contain an IP address or a DNS name for the server. By default, the Netbios name is used for a DNS query. This parameter may be overridden from the cifsmount command line.

netbiosName This entry is a last chance to change the Netbios name that is sent to the server for a given server.

tcpPort You may change the TCP port that is used to connect to the server here. Default is 139, the Netbios session service port.

cifs.serverClasses

This variable may modify the values configured with cifs.server.default and servers after the connection has been established, based on the information derived from session setup. The decision can depend on the server's operating system and LAN manager type. The format for this variable is an array of dictionaries. Each dictionary must have all of the following three keys:

OS This entry contains a matching pattern in shell-style syntax (* matches any character sequence, ? matches one character, [<characters>] matches any of the given characters and [^<characters>] matches none of the given characters). It is matched against the operating system name derived from session setup.

LanManager This entry also consists of a matching pattern in shell-style syntax. It is matched against the LAN manager name derived from session setup. The operating system name and LAN manager name are printed to syslog if log level info is enabled.

config If the previous two patterns match, the content of this variable (which must be a dictionary) is used as a server configuration which may contain all definitions that defaultServer may contain. If an option is given, it overrides the respective option from the other configurations. The option disableSmbs is an exception: all disabled SMBs add up to give the final list of disabled SMBs.

The array is searched from the first to the last entry. If an entry matches, the corresponding configuration is used and the search is aborted.
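
The precedence rules above, worked through as an added Python example (not part of HP's guide or the client's code): the defaults, the per-server entry and the first matching server class are layered, and disableSmbs accumulates. The server names and the OS and LAN manager strings are constructed; case-sensitive matching and accumulation across all three layers are assumptions.

```python
from fnmatch import fnmatchcase

def shell_match(pattern, value):
    # The guide writes a negated set as [^...]; fnmatch spells it [!...].
    # Case-sensitive matching is an assumption.
    return fnmatchcase(value, pattern.replace("[^", "[!"))

def effective_config(default, servers, classes, netbios, os_name, lanman):
    """Layer defaults, the per-server entry and the first matching class."""
    layers = [default, servers.get(netbios, {})]
    for cls in classes:                       # searched first to last
        if shell_match(cls["OS"], os_name) and shell_match(cls["LanManager"], lanman):
            layers.append(cls["config"])
            break                             # a match ends the search
    merged, disabled = {}, []
    for layer in layers:
        for key, value in layer.items():
            if key == "disableSmbs":          # the one additive option
                disabled += [s for s in value if s not in disabled]
            else:
                merged[key] = value           # later layer overrides
    merged["disableSmbs"] = disabled
    return merged

# Constructed sample data (Python dicts, not cifsclient.cfg syntax).
DEFAULT = {"closeForSetattr": "no", "fileModeMask": 0o777, "disableSmbs": []}
SERVERS = {"OLDBOX": {"tcpPort": 139, "disableSmbs": ["findUnix"]}}
CLASSES = [
    {"OS": "ExampleOS [^5]*", "LanManager": "*",
     "config": {"closeForSetattr": "yes",
                "disableSmbs": ["getattrTrans2QueryPath"]}},
    {"OS": "ExampleOS*", "LanManager": "*",
     "config": {"disableSmbs": ["setattrTrans2SetFile", "setattrTrans2SetPath"]}},
]

if __name__ == "__main__":
    for name, os_name in (("OLDBOX", "ExampleOS 4.0"), ("NEWBOX", "ExampleOS 5.1")):
        print(name, effective_config(DEFAULT, SERVERS, CLASSES, name, os_name, "ExampleLM"))
```

OLDBOX also matches the second class pattern, but the search stops at the first match, so the two setattr workarounds never reach it.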

8 PAM NTLM

This chapter provides a description of PAM NTLM.

Introduction

PAM NTLM (NT Lan Manager) is a Pluggable Authentication Module (PAM) that enables HP-UX users to be authenticated against Windows servers during system login.

PAM is an authentication framework in UNIX, used to authenticate users logging into a UNIX system. PAM loads a dynamically loadable module (shared library) that performs the actual authentication. PAM can also be configured to use multiple shared library modules.

PAM NTLM uses CIFS servers to authenticate users logging into an HP-UX system. In other words, PAM NTLM uses the NT LanManager protocol to authenticate the UNIX users. It sends the UNIX user’s name and password to the CIFS server for validation and returns the result to the PAM framework. The HP CIFS client uses the PAM NTLM authentication information to access the shares on the CIFS server. Thus, users logging into an HP-UX system can access CIFS-mounted file systems without having to use the cifslogin command.

NOTE PAM NTLM does not support NTLMv2 password encryption.

Configuring PAM NTLM requires you to understand the PAM framework in general. Refer to pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information about PAM.

Figure 8-1 PAM Introduction

PAM NTLM

This section provides a list of PAM NTLM features and a description of the User Map File.

PAM NTLM Features

• PAM NTLM supports authentication and password management.

• PAM NTLM uses a subset of the Samba smb.conf file as its configuration file. See the PAM NTLM Post-installation Instructions below for further information.

• PAM NTLM supports username mapping to map a local UNIX user name to a remote CIFS domain user name to use for authentication. See the PAM NTLM Configuration section for more detailed information.

• Successful user/password authentications are cached for use by the CIFS client.

• Login authentication to CIFS Servers using NTLM encrypted passwords.

• Updating CIFS user passwords on the Primary Domain Controller (PDC) using the HP-UX passwd(1) command.

Refer to Chapter 2 for installation steps.

User Map File

PAM NTLM supports a user map file that maps UNIX user names to CIFS domain user names before authentication by the CIFS server. PAM NTLM will search the user map file for the UNIX user name. If found, the mapped CIFS domain user name will be used to authenticate the user on the CIFS server. You must enter the correct password for the mapped NT user in order to be authenticated.

If you configure password(1M) to use PAM NTLM, then the password of the mapped CIFS domain user will be changed on the CIFS domain.

PAM NTLM Configuration

Configure the following to set up PAM-NTLM:

• The PAM-NTLM module

• The system file /etc/pam.conf to use the PAM-NTLM module

• A usermap file (optional)

Configuring the PAM NTLM Module

The PAM-NTLM configuration file is /etc/opt/cifsclient/pam/smb.conf. A default configuration file is also provided (smb.conf.default). Do not change the default configuration file because you may need to refer to it in the future.

Table 8-1

##
## Name: smb.conf
##
## Set the values below to the actual names used in your environment
##
## Any line which starts with a semi-colon(;) or a hash(#)
## is a comment and is ignored.
##
##==================== Global Settings ============================
[global]

## workgroup: Domain-Name or Workgroup-Name
workgroup = workgroup

## password server: the netbios name of the system which will be
## used to authenticate logins.
password server = pdc_name bdc1_name bdc2_name

## wins server: the system used to locate password servers,
## specified as a fully-qualified DNS name or an IP address.
wins server = winserv.mycorp.com

Configuring the system to use the PAM NTLM Module

This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.

IMPORTANT You may not be able to log into the system if PAM is not correctly configured. Make sure that you understand the PAM framework before you modify pam.conf. For information on PAM, see these sections of HP-UX manpages: pam.conf(4), pam_unix(5).

For security reasons, HP strongly recommends you set up your system such that, for both authentication and password change, the host system (PAM UNIX), not the password server configured by PAM NTLM, authenticates root and other privileged users. Access on a per-user basis can be controlled through the use of libpam_updbe in pam.conf, and the ignore option to libpam_ntlm in pam_user.conf. See pam.conf(4), pam_user.conf(4), and pam_updbe(5) for explanations and examples of usage.

HP also recommends using PAM NTLM services in addition to, not in place of, PAM-UNIX. This configuration is depicted in the sample pam.conf file below.

PAM NTLM provides the following services:

• Password Authentication

• Password Change

• Password Change Upon Notice of Expiration

Each service corresponds to a specific section of pam.conf. Add entries forthe services you wish to use:

• For Password Authentication, modify the Authentication management section of pam.conf.

• For Password Change, modify Password management.

• For Password Change Upon Notice of Expiration, modify Authentication management, Password management, and Account management (in order to utilize Password Change Upon Notice of Expiration, you must also enable both Password Authentication and Password Change).

The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM NTLM entry consists of a line that refers to the shared library libpam_ntlm.1. In the authentication management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended that the option try_first_pass be specified with the PAM-UNIX entry, as shown.

WARNING If incorrect paths are used in pam.conf, it can become impossible to log in to the system. Ensure that you refer to the pam.conf file that matches the version of HP-UX installed on your system (use uname -r to check the version). In particular, you should add lines to pam.conf exactly as shown without modifying paths. Starting with version B.11.22 of HP-UX, paths to the PAM libraries are different than in earlier versions.

The following sample pam.conf file is for version B.11.23 of HP-UX:

Example 8-1 Sample file for HP-UX version B.11.23

=====================================================================
#
# PAM configuration
#
# Authentication management
# Note: For PA applications, /usr/lib/security/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA PAM module.
#
#
login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su auth required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Account management
#
login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login account required /usr/lib/security/$ISA/libpam_unix.so.1
su account required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin account required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required /usr/lib/security/$ISA/libpam_unix.so.1
ftp account required /usr/lib/security/$ISA/libpam_unix.so.1
#OTHER account required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Session management

#
login session required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER session required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Password management
#
login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction password required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_unix.so.1
=====================================================================

The following sample pam.conf file is for versions B.11.00 and B.11.11 of HP-UX:

Example 8-2 Sample file for HP-UX versions B.11.00 and B.11.11

#
# PAM configuration
#
# Authentication management
#
login auth sufficient /usr/lib/security/libpam_ntlm.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth required /usr/lib/security/libpam_unix.1
dtlogin auth required /usr/lib/security/libpam_unix.1
dtaction auth required /usr/lib/security/libpam_unix.1
ftp auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
#
# Account management
#
login account required /usr/lib/security/libpam_ntlm.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_unix.1
#
# Session management
#
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_unix.1
#
# Password management

#
login password sufficient /usr/lib/security/libpam_ntlm.1
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_ntlm.1
dtlogin password required /usr/lib/security/libpam_unix.1
dtaction password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
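
A pre-deployment check for the rules this section states, as an added Python example (not part of HP's guide): library paths must fit the release reported by uname -r, libpam_unix should follow libpam_ntlm with try_first_pass, and an NTLM account entry needs NTLM auth and password entries as well. The function names and the sample input are constructed for illustration.

```python
import re

NEW_STYLE = re.compile(r"^/usr/lib/security/\$ISA/libpam_\w+\.so\.1$")  # B.11.22+
OLD_STYLE = re.compile(r"^/usr/lib/security/libpam_\w+\.1$")            # earlier

def uses_isa_paths(release):
    """True for B.11.22 and later, where the guide says the paths differ."""
    major, minor = (int(x) for x in release.split(".")[1:3])
    return (major, minor) >= (11, 22)

def parse(text):
    rows = []
    for no, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()          # drop comments
        if len(f) >= 4:
            rows.append({"line": no, "service": f[0], "type": f[1],
                         "path": f[3], "opts": f[4:]})
    return rows

def lint(text, release):
    """Return sorted (line, message) findings for one pam.conf."""
    rows, out = parse(text), []
    want = NEW_STYLE if uses_isa_paths(release) else OLD_STYLE
    for r in rows:
        if not want.match(r["path"]):
            out.append((r["line"], f"path {r['path']} does not fit {release}"))
    ntlm = [r for r in rows if "libpam_ntlm" in r["path"]]
    for svc in sorted({r["service"] for r in ntlm}):
        auth = [r for r in rows if r["service"] == svc and r["type"] == "auth"]
        for i, r in enumerate(auth):
            if "libpam_ntlm" not in r["path"]:
                continue
            later = [u for u in auth[i + 1:] if "libpam_unix" in u["path"]]
            if not later:
                out.append((r["line"], f"{svc}: NTLM used in place of PAM UNIX"))
            elif "try_first_pass" not in later[0]["opts"]:
                out.append((later[0]["line"], f"{svc}: libpam_unix lacks try_first_pass"))
        types = {r["type"] for r in ntlm if r["service"] == svc}
        for r in ntlm:
            if r["service"] == svc and r["type"] == "account" \
                    and not {"auth", "password"} <= types:
                out.append((r["line"], f"{svc}: expiry handling also needs "
                                       "NTLM auth and password entries"))
    return sorted(out)

SAMPLE = "\n".join([      # constructed input, not from the guide
    "# Authentication management",
    "login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1",
    "login auth required /usr/lib/security/$ISA/libpam_unix.so.1",
    "login account required /usr/lib/security/libpam_ntlm.1",
    "login account required /usr/lib/security/$ISA/libpam_unix.so.1",
    "su auth required /usr/lib/security/$ISA/libpam_unix.so.1",
])

if __name__ == "__main__":
    for line, msg in lint(SAMPLE, "B.11.23"):
        print(f"line {line}: {msg}")
```

Run it against a copy of the edited file while a root session stays open, so a bad path is caught before the next login depends on it.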

Configuring a User Map File

To configure PAM NTLM to use the user map file, add the following line to the [Global] section of the /etc/opt/cifsclient/pam/smb.conf file:

Domain user map = /etc/opt/cifsclient/pam/domain_user.map

You can configure the name and location of the user map file. For name and location, HP recommends the line as shown above.

The format of a domain user file entry is:

UNIXusername = [\\DOMAIN_NAME\\] DomainUserName

UNIXusername is an existing account on the HP-UX system; DomainUserName is the name of the user that is mapped in the CIFS domain. DOMAIN_NAME is optional.

The user map file is parsed line by line. If any line begins with a # or a ; then the line is ignored. Each line should contain a single UNIX user name on the left and then a single CIFS Domain User name on the right, separated by a tabstop or '='. If either name contains spaces then you must enclose it in quotes.

Using NIS Distribution of the User Map File

The user map file is enabled to be distributed via NIS in a similar manner to the distribution of /etc/passwd to NIS clients.

To use this feature:

1. Convert the master user map file into an NIS map file named domainusermap.byname on the NIS master server.

NOTE The NIS map file name domainusermap.byname is the default name that PAM NTLM uses for the NIS map file. You can configure a different NIS user map name in the PAM NTLM configuration file (/etc/opt/cifsclient/pam/smb.conf) of each NIS client. The configuration option is:

nis ntuser mapname = <new usr map filename>

2. In the user map file of each NIS client that will receive the distributed map file, add an entry with the plus sign (+) in the first column of the line. The plus sign is used to indicate that parsing the file should stop at that point and the remaining search of the user map file should use NIS calls to the NIS server.
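
A parser for the user map entry format and the plus-sign NIS marker described above, as an added Python example (not PAM NTLM's own code). It also reports entries that sit after the + and so are never read, and mappings for root, which the guide recommends be authenticated by PAM UNIX. Double quotes, tolerance of one or two backslashes around the domain, and the sample lines are assumptions.

```python
import re

PRIVILEGED = {"root"}     # assumption: extend with local privileged accounts
SEP = re.compile(r'^\s*("[^"]*"|[^=\t"]+?)\s*[=\t]\s*(.+?)\s*$')
DOM = re.compile(r'^\\+([^\\]+)\\+\s*(.+)$')   # optional \\DOMAIN\\ prefix

def parse_user_map(text):
    """Return (entries, nis_fallback, problems) for a domain user map."""
    entries, problems, nis = [], [], False
    for no, raw in enumerate(text.splitlines(), 1):
        if nis:                                # parsing stopped at '+'
            if raw.strip() and raw.lstrip()[0] not in "#;":
                problems.append((no, "unreachable: follows the '+' NIS marker"))
            continue
        if raw.startswith("+"):                # '+' in the first column
            nis = True
            continue
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = SEP.match(line)
        if not m:
            problems.append((no, "not 'unixname = domainuser'"))
            continue
        unix, right = m.group(1).strip('"'), m.group(2)
        d = DOM.match(right)
        domain, user = (d.group(1), d.group(2)) if d else (None, right)
        user = user.strip().strip('"')
        if any(e["unix"] == unix for e in entries):
            problems.append((no, f"duplicate UNIX name {unix!r}"))
        if unix in PRIVILEGED:
            problems.append((no, f"privileged account {unix!r} is mapped"))
        entries.append({"line": no, "unix": unix, "domain": domain, "user": user})
    return entries, nis, problems

SAMPLE = "\n".join([      # constructed input, not from the guide
    "# UNIX name = domain user",
    r"jsmith = \\CORP\\john.smith",
    '"web admin" = "Web Admin"',
    "ops\tOpsUser",
    "root = Administrator",
    "+",
    "late = NeverRead",
])

if __name__ == "__main__":
    entries, nis, problems = parse_user_map(SAMPLE)
    for e in entries:
        print(e)
    print("NIS lookup after local entries:", nis)
    for no, msg in problems:
        print(f"line {no}: {msg}")
```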
