solaris cifs service

7/23/2019 Solaris CIFS Service

1/39

CIFS

Solaris CIFS ServiceSeamless, ubiquitous, cross-protocol file sharing

Jarod NashRevenue Product Engineering,

Sun Microsystems, Inc.


2/39

Sun Microsystems, Inc2

Solaris CIFS Server: TOI Overvie

Background Workgroup Demo> Explanation of Workgroup Mode setup

> Including sharemgr Domain Demo> Domain Model setup>

Including identity mapping (idmap !ther "I#S changes in Solaris


3/39

Sun Microsystems, Inc$

Solaris CIFS Server: !ac"groun#

%Seamless, u&i'uitous, crossprotocol file sharing)*lan Wright, +roect -ead for "I#S Ser.er

"I#S ser.er is no/ a first class citi0en in Solaris

> +ut&ack into De.elopment1e.ada !cto&er 2334>*.aila&le in Solaris Express and !penSolaris 233563$

>278 *9" cases, 533 files, approximately $43,333 linesof code (including :53,333 lines of ne/ code

;ight integration /ith #S, Windo/s1"I#S concepts such as Security

Identifiers and *ccess ;okens are no/ nati.e to

Solaris kernel


4/39

Sun Microsystems, Inc=

$or"group %o#e &emo


5/39


$or"group Setup: Things to 'no

!nly /orks /ith local 1etc1pass/d users> IS1IS81-D*+ not supported

%Works out of the &ox) not 'uite true>> +*M modification re'uired to generate SMB pass/ords> SMB pass/ords need to &e generated for local accounts

>!nly needed to &e done at setup, after this the +*M changetakes care of pass/ord updating automatically

Windo/s %?@ES;) account not supported> Sam&a> guest ok A yes

> *ll access must &e .ia authenticatedlocal accounts


6/39

Sun Microsystems, Inc

$or"group Setup

Ena&le "I#S Ser.er (along /ith dependencies> svcadm enable -r smb/server

Set mode for SMB ser.er

> ot needed if using default /orkgroup CW!9?9!@+C> smbadm join -w WORKGROUP

*dd follo/ing line to pam6conf this /ill generate SMBstyle pass/ords for local users>> other password required pam_smb_passwd.so.1 nowarn

?enerate SMB pass/ords for existing local users DoneF


7/39Sun Microsystems, Inc4

sharemgr()m*

e/ share management admin interface Manages #S and "I#S shares> ;o a large extent, #S and "I#S &eha.e similarly

sharemgr /orks /ith groupsof shares associated/ith sharing protocols> +rotocols may &e nfs, sm& or &oth

>Default is &oth ;/o automatic groups>> default legacy share(:m interface>

0fs shares created .ia 0fs(: interface


8/39Sun Microsystems, Inc5

share()m*+sharemgr()m* amples

# cat /etc/dfs/dfstab...

share -F nfs -o ro /export/install

# sharemgr show -vp default

default nfs=()

/export/install nfs=() nfs:sys=(ro="*")

#sharemgr create -P nfs home

# sharemgr add-share -s /export/home home

# sharemgr show -vp homehome nfs=()

/export/home

# cat /etc/dfs/dfstab

...

share -F nfs /export/home @home

;raditional dfsta& entry

*utogenerated %default)sharemgr group entry

"reate group, then add share

*utogenerated dfsta& entry


9/39Sun Microsystems, IncG

.fs()m*+sharemgr()* amples

# zfs list | grep pool/homepool/home 57K 9.84G 21K /pool/home

pool/home/jarod 18K 9.84G 18K /pool/home/jarod

pool/home/rayh 18K 9.84G 18K /pool/home/rayh

# zfs sharenfs=on pool/home

# sharemgr show -vp zfszfs

zfs/pool/home nfs=()

/pool/home

/pool/home/jarod

/pool/home/rayh


10/39Sun Microsystems, Inc:3

.fs()m*+sharemgr()* amples

# zfs list | grep installpool/install 57K 9.84G 21K /pool/install

pool/install/snv_95 18K 9.84G 18K /pool/install/snv_95

pool/install/snv_96 18K 9.84G 18K /pool/install/snv_96

# zfs sharenfs=ro pool/install

# sharemgr show -vp zfszfs

zfs/pool/home nfs=()

/pool/home

/pool/home/jarod

/pool/home/rayh zfs/pool/install nfs=() nfs:sys=(ro="*")

/pool/install

/pool/install/snv_95

/pool/install/snv_96

;his sho/s the 2 shares in%0fs) group /ith differingprotocol security settings

Share readonly


11/39Sun Microsystems, Inc::

sharemgr()m* an# smb protocol

Differences in sharing &eha.iour1functionality&et/een #S and "I#S>> SMB shares use resource names /hile #S shares are

path &asedH for #S, resource is merely an alias>SMB> arodA1export1home1arod

>#S> 1export1home1arodA1export1home1arod

> #S only allo/s a gi.en path to &e shared once, /hileSMB allo/s it to &e shared multiple times> ;his is handled /ith SMB .ia differing resource names

> If an #S path is shared, it is not also possi&le to shareparent or any su&directory (in same filesystem6 SMBallo/s this> ;his is flagged in sharemgr output /ith %notshared/ithA)


12/39Sun Microsystems, Inc:2

smb+sharemgr()* amples

# sharemgr create home# sharemgr add-share -s /export/home/jarod home

Resource name is required by at least one enabled protocolin group

# sharemgr add-share -r jarod -s /export/home/jarod home

# sharemgr add-share -r home -s /export/home home

# sharemgr add-share -r newhome -s /export/home home

# sharemgr show -vp home

home smb=() nfs=()

jarod=/export/home/jarod

/export/home not-shared-with=[nfs]

newhome=/export/home

home=/export/home

SMB protocol re'uires

%resource name)

+arent directory 1export1homeis shared t/ice

+arent directory and dou&lesharing reflected here


13/39Sun Microsystems, Inc:$

.fs+smb+sharemgr()* amples

#zfs list pool/home/jarodNAME USED AVAIL REFER MOUNTPOINT

pool/home/jarod 18K 134G 18K /pool/home/jarod

# zfs set sharesmb=on pool/home/jarod

# sharemgr show -vp zfs

zfs zfs/pool/home/jarod smb=()

pool_home_jarod=/pool/home/jarod

# zfs set sharesmb=name=jarod pool/home/jarod

#sharemgr show -vp zfs

zfs zfs/pool/home/jarod smb=()

/pool/home/jarod

jarod=/pool/home/jarod

pool_home_jarod=/pool/home/jarod

@se pseudo property %name)

to set SMB resource .alue

SMB resource .alues

"reate default SMB share /ith

path &ased resource


14/39Sun Microsystems, Inc:=

&omain %o#e Setup: Things to 'no

Integrates /ith Windo/s *cti.e Directory (*D> "I#S Ser.er oins *D domain and talks to Domain

"ontroller (D" to authenticate access automatically

Identity mapping &et/een Windo/s @sers and @nix@sers performed &y idmap ser.ice @#S unchanged to support "I#S and lacks functionality

> eg Windo/s Identity semantics, *"-s, caseinsensiti.ity


15/39Sun Microsystems, Inc

:7

&omain %o#e Setup: &emo /etor"

Solaris CIFS Server

Windos !P Windos "##$ Server

%& &omain Controller

NIS'

(arod rayh%&

JarodN Ray)

*. %uthenticate to %&

". Ma+ share rom Solaris

$. Solaris authenticates ith &C



:

&omain %o#e Setup 0)

Ena&le "I#S Ser.er (along /ith dependencies> svcadm enable -r smb/server

Set SMB mode> DS and er&eros

> "onfigure 1etc1resol.6conf>>Domain set to *D domain, nameser.er set to D" I+

> "onfigure er&eros> (*D uses er&eros authentication> In the 1etc1kr&71kr&76conf file, specify the fully 'ualified *D

domain name, in uppercase characters, as the default realm6*lso, specify the fully 'ualified host name of the domaincontroller as the .alue for the kdc, adminJser.er, andkpass/dJser.er parameters6 kpass/dJprotocol is set toSE;J"K*?E6



:4

&omain %o#e Setup 01

Sync clocks> Solaris "I#S Ser.er system needs to &e /ithin fi.e

minutes of the system clock of the D">er&eros re'uirement

> ntpdate DC-host

Loin *D using a user /ith Domain *dministratorpri.ileges, domainname is a fully 'ualified domain

name>> smbadm join -u username domain-name 9estart "I#S Ser.er (kno/n &ug

> svcadm restart smb/server



:5

&omain %o#e Setup 02: I& %apping

Windo/s *D needs to &e mapped to Solaris namespacefor true interopera&ility, &ut not a re'uirement

idmap pro.ides a num&er of mapping mechanisms>

> #ixed Windo/s %Well no/n) Identities> Directory *D or -D*+ explicit mappings> -ocal Solaris "I#S Ser.er idmap rules

> Ephemeral and -ocalSID

More a&out this in a fe/ slides Daemon and *dmin>> idmapd(:m> cache and dynamic ID allocation>

idmap(:m> Mapping lookups, rule manipulation



:G

&omain %o#e Setup 03

"reate idmap rule for all Windo/s users in alldomains to @nix users /ith same names>> idmap add -d winname:*@* unixuser:*

"reate idmap rule to fix up username mismatch>> idmap add winuser:JarodN unixuser:jarod

DoneF

!;E>> ;hese rules are not generic, ust for demo



23

&omain %o#e &emo


21/39

Sun Microsystems, Inc2:

Sorting 4C5s

Windo/s ?@I needs *"-s to &e sorted> Deny *"Es should appear &efore allo/


22/39


Sorting 4C5s ample$ touch file

$ ls -v file

-rw-r--r-- 1 jarod techies 0 Sep 24 10:24 file

0:owner@:execute:deny

1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow

2:group@:write_data/append_data/execute:deny

3:group@:read_data:allow

4:everyone@:write_data/append_data/write_xattr/execute/write_attributeswrite_acl/write_owner:deny

5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

$ ls -v file

-r--r--r--+ 1 jarod techies 0 Sep 24 10:24 file

0:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny

1:user:jarod:execute:deny

2:group:techies:write_data/append_data/execute:deny

3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

4:user:jarod:read_data/write_data/append_data/write_xattr /write_attributes/write_acl/write_owner/

synchronize:allow

5:group:techies:read_data/synchronize:allow

#iles *"-s .ie/ed and sa.ed

&y Windo/s "lient6 !rder

changed, @nix permissions

no/ different


23/39


24/39

Sun Microsystems, Inc2=

SI&s an# =I&s+>I&s

Sharing protocol interopera&ility has seen se.eralsolutions to the SID1@ID1?ID storing1mapping pro&lem>> :6 Store SID, map to1from @ID1?ID

>

Microsoft Ser.ices for @nix (S#@> 26 Store @ID1?ID, map to1from SID

> Sam&a offers name mapping, algorithmic, namese.ice entries

> $6 Store &oth>

etapps W*#- uses ;#S1@nix %'trees) /hich store one and mapthe other ID


25/39


I#entit6 %apping: The Sun $a6

Maintain "I#S o/nership semantics> Dont rely on mapping to reco.er SID, store the SIDF

> Encoded as #@IDs (#ilesystem @ni'ue IDs in


26/39


%apping %echanisms: Overvie

Directory-based name mapping

Local name-based mapping rules

Ephemeral mapping Local-SID mapping

Error code + ID_NOBOD Error code + Local-SID

!i"ed mapping


27/39


I#entit6 %apping: phemeral

@nkno/n Windo/s identities mapped to dynamicallyallocated @IDs1?IDs> @ses next a.aila&le @ID1?ID from 2$:to 2$2 2 (ephemeral

@IDs1?IDs

> Solaris @IDs1?IDs are no/ unsigned, &ut max out atM*NJI;, lea.ing the unsigned range a&o.e for ephemerals

ot retained across re&oots

Stored in SP-ite 263 DB 1.ar1run1idmap1idmap6d&> +reser.ed across ser.ice restarts

> If lost then pre.iously allocated ephemeral uids1gidsne.er reused (unless re&ootedH idmapd uses inkernelstate to determine &ottom of .alid range of IDs


28/39


phemeral %apping ample

$idmap show -c winuser:john

winuser:[email protected] ->uid:2147508225

$idmap show -c uid:2147508225 winuser

uid:2147508225 ->winuser:[email protected]

uppose a rule is added !o map john!o "nix user jd12#45

$idmap add winuser:[email protected] unixuser:jd12#45

$idmap show -c winuser:john uid

winuser:[email protected] ->uid:12#45

%phemeral uid 2147508225s!ill maps !o john

$idmap show -c uid:2147508225 winuser

uid:2147508225 ->winuser:[email protected]
mailto:[email protected]:[email protected]:[email protected]:[email protected]


29/39

Sun Microsystems, Inc2G

I#entit6 %apping: 5ocal SI&s

If a nonephemeral @ID1?ID cannot &e mapped &yname, then it is mapped to an algorithmicallygenerated SID called a localSID

;he localSID is generated as follo/s>> localSID for @ID A Qmachine SIDO Q:333 8 @IDO

> localSID for ?ID A Qmachine SIDO Q2$:8 ?IDO

Qmachine SIDO is a uni'ue SID generated &y theidmap ser.ice for the host on /hich it runs


30/39

Sun Microsystems, Inc$3

=nifie# 4ccess Control %o#el

Security Descriptors (SDs used &y "I#S for protection> Encoded as *"-s in

>

@#S *"-s ha.e no explicit deny or audit *"Es, only $ permission&its and different access check algorithm @SE

Split1merged appropriately &y Solaris "I#S during translation Default "I#S ser.ice applies Windo/s inheritance rules for "I#S

operations


31/39

Sun Microsystems, Inc$:

?FS nhancements for CIFS

"ase Insensiti.ity> ot re'uired &y SMB protocol, &ut some Windo/s

applications rely on caseinsensiti.e &eha.iour

> *t filesystem creation time, can specify sensitive,insensitiveor mixed (&oth &eha.iours

> foo6txt and #oo6txt not distinguisha&le to "I#S client

>ame mangling used to resol.e conflicts, for example> foo6txt O #!!R56txt #oo6txt O #!!RG6txt

> "I#S clients can open original name> returned file /ill &ethe first caseinsensiti.e match


32/39

Sun Microsystems, Inc $2

4lternate &ata Streams

;#S treats files as a collection of streams> 9egular file content is the defaultor unnamedstream

> ** a Resource Fork

amed streams used to store ar&itrary data> Metadata (statistics, notes, history for documents> irusesF

Implemented using Solaris extended attri&utes> S@Wsm& prefix assigned to "I#S stream names

> S@Wsm& prefix not seen &y "I#S clients (use runat(: on Solaris

> "I#S ser.ice explicitly assigns mode 3=33

>

@nnamed stream @ID1?ID assigned to stream xattr file


33/39

Sun Microsystems, Inc $$

tensible 4ttributes

ot to &e confused /ith extended attri&utes> Extensi&le attri&utes maintained in extended attri&ute files>

S@WattrJro readonly system attri&utesS@WattrJr/ read1/rite system attri&utes

Supports D!S attri&utes> *rchi.e, 9eadonly, Kidden, System

Same *+I used &y "I#S also supports othersystems>> Mac!S1BSD, eg

> IMM@;*B-E, *++ED!-T

> Solaris irus Scanning (S"* I"*+ implementation>

*JP@*9*;IED, *JM!DI#IED


34/39

Sun Microsystems, Inc $=

ls()* Changes/OT: OpenSolaris has +usr+gnu+bin before +bin

# ls -/ c test.txt

-rw-rr-- 1 root root 0 Jan 14 16:51 test.txt

{A-RS---m--}

# ls -/ v test.txt

-rw-r--r-- 1 root root 0 Jan 14 16:51 test.txt {archive,nohidden,readonly,system,noappend

only,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}

# ls -l -% all file

-rw-rr-- 1 root root 0 Jan 14 16:51 test.txt

timestamp: atime Jan 14 16:51:16 2008 timestamp: ctime Jan 14 16:53:07 2008

timestamp: mtime Jan 14 16:51:16 2008 timestamp: crtime Jan 14 16:51:16 2008

!;E> ;/o part s/itch to lsSome may find this uglyF


35/39


chmo#()* Changes/OT: OpenSolaris has +usr+gnu+bin before +bin

# chmod S+cRS test.txt

# chmod S+v'{readonly,system}' test.txt

# ls -/c

-rw-r-r-- 1 root root 0 Jan 14 16:51 test.txt

{A-RS---m--}# chmod S-cRS test.txt

# chmod S-v'{readonly,system}' test.txt

# ls -/c

-rw-r-r-- 1 root root 0 Jan 14 16:51 test.txt

{A------m--}

@se &oth compact (8c and.er&ose (8. forms to set theSystem *ttri&utes 9eadonly

and System

tar(:, cpio(: and pax(: are a/are of the ne/ system attri&utes and

ha.e appropriate s/itches for archi.ing1unpacking


36/39

Sun Microsystems, Inc $

@eferences

Sun Documentation>> docs.sun.com/app/docs/doc/820-2429

!penSolaris site>> opensolaris.org/os/project/cifs-server/

> opensolaris.org/os/project/cifs-server/docs/

?enunix ?uide to Solaris "I#S>> www.genunix.org/wiki/index.php/Getting_Started_With_t

he_Solaris_CIFS_Service

>

www.genunix.org/wiki/index.php/Solaris_CIFS_Service_Troubleshooting

De.eloper 9ecipes> Setting up *S> developers.sun.com/openstorage/articles/opensolaris_n

as.html


37/39


4c"nole#gements

Sun Internal "I#S1Windo/s Interopera&ility ;!Is umerous &logs Sun Documents Stacey Marshall, !/en 9o&erts and 9ay Kassan

for their important help in assem&ling the materialand pro.iding feed&ack


38/39

CIFS

Solaris CIFS ServiceSeamless, ubiquitous, cross-protocol file sharing

Jarod NashRevenue Product Engineering,

Sun Microsystems, Inc.


39/39

$G

&iagnostic Information

@se chkcfg6sh and gendiag6sh> opensolaris.org/os/project/cifs-server/files/

Diagnostic Information to ?ather>

sharemgr show -vp> sharectl get smb

> smbadm list

> zfs get all

> /etc/krb5/krb5.conf

> /etc/pam.conf

> /etc/resolv.conf

> et/ork captures (/ireshark, netmon

> Dtrace output> En.ironment (uname a, "lient !S, .ersion and ser.ice packs