
HP CIFS Client A.02.02 Administrator's Guide
HP-UX 11i v1 and v2

Manufacturing Part Number : B8724-90079 April, 2006

U.S.A. Copyright 2006 Hewlett-Packard Company, L.P.

Legal Notices
The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty
A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.

U.S. Government License
Proprietary computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

PAM NTLM includes a library derived from the Open Source Samba product. This library is subject to the GPL license. For detailed information, refer to the GPL license in Chapter 12 of the CIFS/9000 Server manual.

Copyright Notices
Copyright 2006 Hewlett-Packard Company L.P. All rights reserved. Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

Trademark Notices
UNIX is a registered trademark in the United States and other countries, licensed exclusively through The Open Group.

Contents

1. Introduction to the HP CIFS Client
    Introduction to HP CIFS
        What is the CIFS Protocol?
    HP CIFS Client Description
    HP CIFS Client Features
        CIFS UNIX Extensions
        NTLM PAM Integration
        Kerberos Authentication: Integration with System Kerberos Cache
        AutoFS 2.3 Support for HP CIFS Client
        Support for Internationalized Clients
        NTLM, NTLMv2 Password Encryption
        Packet Signing
        NetBIOS Name Services, WINS, and DNS
        Microsoft Distributed File System
        Dynamically Loadable Kernel Module
        SMB Over TCP

2. Installing, Configuring, and Using the HP CIFS Client
    Overview of HP CIFS Client Installation and Configuration
    Step 1: Checking HP CIFS Client Installation Prerequisites
    Step 2: Installing HP CIFS Client and PAM Software
        Installing From CD
        Installing From a Software Depot File
    Step 3: Configuring the HP CIFS Client
        Editing cifsclient.cfg
    Step 4: Starting and Stopping the HP CIFS Client Daemon
    Using the HP CIFS Client
        Mounting and Logging in in One Step
        CIFS Client Logging
    Automatic Mounting of CIFS Filesystems
        Using /etc/fstab
        Storing Mounts in the CIFS Client Mount Database
    Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration
    HP CIFS Client Files and Directories

3. CIFS Security and Authentication
    Introduction
        Authentication Methods
        Configuration Settings For Authentication
    User Login Procedures
    Introduction To Kerberos
        Requirements and Limitations Using Kerberos
    Using Kerberos with the HP CIFS Client
        Step 1. Review fundamental Kerberos Operating Principals
        Step 2. Set Up and Verify the Kerberos Infrastructure
        Step 3. Configure Kerberos on the HP CIFS Client
    CIFS Client Kerberos Authentication Policies
        Explicit login: cifslogin
        Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)
        Ticket Lifetime
    Packet Signing
        Configuring Packet Signing with HP CIFS Client

4. Migrating From HP CIFS Client A.01 to A.02
    Migrating from version A.01.* to A.02.* of HP CIFS Client
        Special Instructions For Users of HP CIFS Client Versions A.01.*
        Preserving Data From A.01 Installations
        Reverting to Version A.01
    Functionality Differences Between HP CIFS Client A.01.* and A.02.*
    Configuration Differences Between HP CIFS Client A.01.* and A.02.*
        Comments in Configuration File
        Configuration Parameter Differences
    Command Option Differences Between HP CIFS Client A.01.* and A.02.*

5. Commandline Utilities
    cifsclient
        Synopsis
        Description
        Commands
        Files
        See Also
    cifsmount
        Synopsis
        Description
        Options
        Examples
        Files
        See Also
    cifslogin
        Synopsis
        Description
        Options
        Examples
        Files
        See Also
    cifsumount
        Synopsis
        Description
        Options
        See Also
    cifslogout
        Synopsis
        Description
        See Also
    cifslist
        Synopsis
        Description
        Options
        Sample cifslist Output
    cifsdb
        Synopsis
        Description
        Options
        Files
        See Also
    mount_cifs, umount_cifs
        Synopsis
        Description
        Options
        Files
        See Also

6. Troubleshooting and Error Messages
    Troubleshooting FAQs
        How to Shutdown the Daemon with cifsclient stop
        What to Do if the Daemon Terminates
    Troubleshooting Kerberos in the HP CIFS Client
    Troubleshooting cifsmount or mount in the HP CIFS Client
        How to Do if the HP CIFS Client DLKM is Unused
        How to Do if You Encounter the Error Message: Device Busy
    CIFS Client Log File and Log Levels

7. Configuration File
    General Structure
    Configuration Parameters

8. PAM NTLM
    Introduction
    PAM NTLM
        PAM NTLM Features
        User Map File
    PAM NTLM Configuration
        Configuring the PAM NTLM Module
        Configuring a User Map File
        Using NIS Distribution of the User Map File

Index

Preface: About This Document


The latest version of this document can be found online at: http://www.docs.hp.com

This document describes how to install, configure, and troubleshoot HP CIFS Client on HP-UX platforms.

The document printing date and part number indicate the document's current edition. The printing date will change when a new edition is printed. Minor changes may be made at reprint without changing the printing date. The document part number will change when extensive changes are made.

Document updates may be issued between editions to correct errors or document product changes. To ensure that you receive the updated or new editions, you should subscribe to the appropriate product support service. See your HP sales representative for details.

Intended Audience
This document is intended for system and network administrators responsible for installing, configuring, and managing HP CIFS Client. Administrators are expected to have knowledge of the HP CIFS Client product.

New and Changed Documentation in This Edition


- Information about CIFS Client Dynamically Loadable Kernel Module (DLKM) support was added.
- Information about Microsoft Distributed File System (MS DFS) support was added.
- Information about the CIFS Client configuration parameters and command options was updated.
- Information about the SMB over TCP support using port number 445 was added.

Publishing History
Table 1  Publishing History Details

Document Manufacturing   Operating Systems              Supported Product   Publication
Part Number              Supported                      Versions            Date

B8724-90079              11i v1 and v2                  A.02.02             April 2006
B8724-90067              11i v1 and v2                  A.02.01             April 2005
B8724-90044              11.0, 11i v1 and v2 IA 11.22   A.01.09             August 2003
B8724-90022                                             A.01.08             June 2002
B8724-90011              11.0, 11i v1 and v2            A.01.06             June 2001

What's in This Document

This manual describes how to install, configure and troubleshoot the HP CIFS Client software product. The manual is organized as follows:

Chapter 1  Introduction to the HP CIFS Client
    Use this chapter to learn the HP CIFS Client product features, requirements and limitations.

Chapter 2  Installing, Configuring, and Using the HP CIFS Client
    Use this chapter to learn how to install, configure, and use the HP CIFS Client software.

Chapter 3  CIFS Security and Authentication
    Use this chapter to understand the CIFS security and authentication methods.

Chapter 4  Updating HP CIFS Client A.01.* to A.02.*
    Use this chapter to learn about the configuration parameter and command option differences between HP CIFS Client A.01.* and A.02.*. This chapter also provides the update procedures so that you can plan and upgrade your CIFS Client.

Chapter 5  Commandline Utilities
    Use this chapter to learn about UNIX man pages for all HP CIFS Client utilities.

Chapter 6  Troubleshooting the HP CIFS Client
    Use this chapter to understand the detailed procedures to help diagnose HP CIFS Client problems.

Chapter 7  Configuration File
    Use this chapter for a list of all configuration variables if you want to customize HP CIFS Client software.

Chapter 8  PAM NTLM
    Use this chapter to understand detailed information about the PAM NTLM authentication service.

Typographical Conventions
This document uses the following conventions.

Italics     Identifies titles of documentation, filenames and paths.
Bold        Text that is strongly emphasized.
monotype    Identifies program/script, command names, parameters or display.

HP Encourages Your Comments


HP encourages your comments concerning this document. We are truly committed to providing documentation that meets your needs. Please send comments to: netinfo_feedback@cup.hp.com Please include document title, manufacturing part number, and any comment, error found, or suggestion for improvement you have concerning this document. Also, please include what we did right so we can incorporate it into other documents.


Introduction to the HP CIFS Client


This chapter provides an HP CIFS Client description.


It contains the following sections:
- Introduction to HP CIFS
- HP CIFS Client Description
- HP CIFS Client Features


Introduction to HP CIFS
HP CIFS provides HP-UX with a distributed file system based on the Microsoft Common Internet File System (CIFS) protocols. HP CIFS implements both the server and client components of the CIFS protocol on HP-UX.

The HP CIFS Server is based on the well-established open-source software Samba, and provides file and print services to CIFS clients including Windows, other CIFS clients, and HP-UX machines running HP CIFS Client software.

The HP CIFS Client enables HP-UX users to mount shares from CIFS file servers, including Windows servers and HP-UX machines running HP CIFS Server, as UNIX filesystems. The HP CIFS Client also offers an optional Pluggable Authentication Module (PAM) that implements the Windows NT LAN Manager (NTLM) authentication protocols. When installed and configured within HP-UX's PAM facility, PAM NTLM allows HP-UX users to be authenticated against a Windows authentication server.

What is the CIFS Protocol?


CIFS had its beginnings in the networking protocols, sometimes called Server Message Block (SMB) protocols, that were developed by IBM in the late 1980s. SMB is the native file-sharing protocol used by Microsoft Windows. CIFS is simply a renaming of SMB; CIFS and SMB are the same. (Microsoft now emphasizes the use of CIFS, although references to SMB still occur.) CIFS is also widely available on UNIX, Linux, Macintosh, and other platforms.

CIFS is a remote file access protocol; it provides access to files on remote systems. CIFS defines both a server and a client: the CIFS client is used to access files on a CIFS server.

HP CIFS uses the CIFS protocol from the HP-UX machines, which enables directories from HP-UX servers to be mounted on Windows machines and vice versa.


PAM NTLM

The HP-UX PAM subsystem gives system administrators the flexibility of choosing any authentication service available on the system to perform authentication. The framework also allows new authentication service modules to be plugged in and made available without modifying the applications.

The PAM framework, libpam, consists of an interface library and multiple authentication service modules. The authentication service modules are a set of dynamically loadable objects invoked by the PAM API to provide a particular type of user authentication.

NT LAN Manager (NTLM) is the protocol by which CIFS clients are authenticated by CIFS servers. PAM NTLM is a PAM module that implements the NTLM protocol. It enables users logging in to an HP-UX system to have access to CIFS-mounted file systems without having to use the cifslogin command.


HP CIFS Client Description


HP CIFS Client implements the CIFS protocols on HP-UX so that HP-UX users may mount shares from CIFS servers as UNIX file systems.


HP CIFS Client Features


Following is a list of the HP CIFS Client major features:
- CIFS UNIX Extensions
- NTLM PAM Integration
- Kerberos Authentication, Integration with System Kerberos Cache
- ONC AutoFS 2.3 Support
- Support for Internationalized Clients
- NTLM, NTLMv2 Password Encryption
- Packet Signing
- NetBIOS Name Services, WINS, and DNS Support
- Support for Microsoft Distributed File System (MS DFS)
- Support for Dynamically Loadable Kernel Module (DLKM)
- Support for SMB over TCP using port 445

CIFS UNIX Extensions


CIFS UNIX Extensions enable the CIFS Client and Samba server to implement standard UNIX file system features. These include:
- UNIX permission modes
- File ownership based on UNIX UIDs and GIDs
- Symbolic links and hard links
- Standard UNIX timestamps for file access, change, and modification
- Other data contained in the UNIX stat(2) data structure

NOTE

This feature only works with CIFS servers that support CIFS UNIX extensions.


NTLM PAM Integration


NT LAN Manager (NTLM) is the default protocol by which CIFS clients are authenticated by CIFS servers. When used in conjunction with HP's NTLM Pluggable Authentication Module (PAM) and the HP CIFS Client, users who log in to an HP-UX system will have access automatically to CIFS-mounted file systems provided that PAM NTLM and the CIFS server are using the same database.

Kerberos Authentication: Integration with System Kerberos Cache


The CIFS Client supports the Kerberos authentication mechanism. Kerberos is a secure, industry-standard authentication protocol. It provides significant improvements over the older NTLM protocol traditionally used by CIFS Clients and Servers. The CIFS servers in your network must support Kerberos in order for you to take advantage of Kerberos support in the HP CIFS Client. Kerberos must be properly configured both on the HP-UX host on which the Client runs and on your network.

An additional feature is that the HP CIFS Client is integrated with the system Kerberos cache. If the HP-UX host uses PAM Kerberos or other Kerberos-aware programs that utilize the system Kerberos cache, such as kinit(1), the CIFS Client can utilize these cached credentials to provide automatic access to mounted CIFS servers without explicit user-initiated authentication for each server.

AutoFS 2.3 Support for HP CIFS Client


AutoFS is a service, part of the HP ONC product set, that automatically mounts or unmounts filesystems with near-transparency to the end users. The latest version, AutoFS 2.3, supports the mount and unmount of HP CIFS Client mounted filesystems. AutoFS 2.3 can automatically perform direct and indirect mounts of HP CIFS filesystems. AutoFS 2.3 only supports the HP CIFS Client with direct and indirect map files; it doesn't support the CIFS Client with special or executable map files, or with multiple (replicated) servers.

In order to provide HP CIFS Client AutoFS support, AutoFS 2.3 must be installed and configured on the system. For detailed information on installing and configuring AutoFS, please refer to "Configuring and Administering AutoFS" in NFS Services Administrator's Guide on HP-UX at http://www.docs.hp.com.

NOTE

Automounting a CIFS filesystem using the HP ONC+ AutoFS service is only supported on HP-UX release 11i v1 and v2. If you have the HP-UX 11i v1 system, you must install the ONC software package, Enhanced AutoFS, available at http://software.hp.com to enable the AutoFS 2.3 support. AutoFS doesn't support HP CIFS Client on HP-UX release 11.0.

Support for Internationalized Clients


The CIFS Client is designed to work with a variety of internationalized clients and servers. It can use Unicode to transmit multi-byte characters on the network, or any of several character encoding tables located in /etc/opt/cifsclient/unitables. See the README file in that directory for an index of the tables.

NTLM, NTLMv2 Password Encryption


NTLM is a challenge-response protocol. The server sends a challenge key to the client, which the client returns to the server encrypted with the user's password. The server performs the same encryption and verifies that the client's response matches. No semblance of the user's password is transmitted over the network.

The CIFS Client supports NTLM and NTLMv2. NTLM version 2 (NTLMv2) uses the same challenge-response protocol, but it provides more sophisticated encryption algorithms than NTLM, and hence better password protection.
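The challenge-response exchange described above, shown for the NTLMv2 variant as an added example (not HP code and not part of the original manual). The NT hash is a constructed stand-in, and the user name, domain, challenges and helper names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

# Constructed stand-in for the 16-byte NT hash, which in the real protocol is
# MD4(UTF-16LE(password)). Client and server both hold it; it is never sent.
NT_HASH = hashlib.sha256(b"constructed demo secret").digest()[:16]


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def build_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """Client-supplied part of the response: version, time, nonce, target info."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def client_response(nt_hash: bytes, user: str, domain: str,
                    server_challenge: bytes, blob: bytes) -> bytes:
    """What the client returns: a 16-byte proof followed by the blob."""
    key = ntowf_v2(nt_hash, user, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verify(stored_nt_hash: bytes, user: str, domain: str,
                  server_challenge: bytes, response: bytes) -> bool:
    """The server repeats the computation with its own copy of the hash."""
    proof, blob = response[:16], response[16:]
    key = ntowf_v2(stored_nt_hash, user, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def demo() -> dict:
    # All values below are constructed sample data.
    user, domain = "alice", "EXAMPLE"
    challenge = bytes.fromhex("0123456789abcdef")        # sent by the server
    other_challenge = bytes.fromhex("fedcba9876543210")  # a later session
    blob = build_blob(0x01D6_0000_0000_0000,
                      bytes.fromhex("aaaaaaaaaaaaaaaa"), b"\x00" * 4)
    good = client_response(NT_HASH, user, domain, challenge, blob)
    wrong_hash = hashlib.sha256(b"some other secret").digest()[:16]
    bad = client_response(wrong_hash, user, domain, challenge, blob)
    return {
        "accepted": server_verify(NT_HASH, user, domain, challenge, good),
        "wrong_secret": server_verify(NT_HASH, user, domain, challenge, bad),
        # A captured response is useless against a fresh server challenge.
        "replayed": server_verify(NT_HASH, user, domain, other_challenge, good),
        "secret_on_wire": NT_HASH in good,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```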

Packet Signing
The purpose of CIFS packet signatures is prevention of man-in-the-middle attacks: the client and server are mutually assured of the other's identity by requiring a unique signature on each SMB packet.

In the CIFS protocol, packet signing is negotiated when the client makes its initial connection to the server. Starting with the first user login to the server, all SMB packets between the client and server must be signed. See "Packet Signing" on page 53 for a description of the smbPacketSigning configuration parameter.
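How a per-packet signature lets the receiver reject modified or replayed packets, as an added example (not HP code and not part of the original manual). It follows the classic SMB1 signing scheme: the first 8 bytes of MD5 over the MAC key and the packet, with the sequence number placed in the header's signature field. The key, packet contents and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SIG_OFFSET = 14   # signature field inside the 32-byte SMB1 header
SIG_LEN = 8


def build_packet(command: int, mid: int, payload: bytes) -> bytes:
    """Constructed minimal SMB1 packet: header with unused fields zero, then payload."""
    hdr = bytearray(32)
    hdr[0:4] = b"\xffSMB"
    hdr[4] = command
    struct.pack_into("<H", hdr, 30, mid)   # multiplex ID, last header field
    return bytes(hdr) + payload


def _mac(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """MD5(key || packet), computed with the sequence number in the signature field."""
    work = bytearray(packet)
    work[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<II", seq, 0)
    return hashlib.md5(mac_key + bytes(work)).digest()[:SIG_LEN]


def sign(mac_key: bytes, packet: bytes, seq: int) -> bytes:
    """Sender side: write the 8-byte signature into the header."""
    signed = bytearray(packet)
    signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = _mac(mac_key, packet, seq)
    return bytes(signed)


def verify(mac_key: bytes, packet: bytes, expected_seq: int) -> bool:
    """Receiver side: recompute with the sequence number it expects next."""
    received = packet[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(received, _mac(mac_key, packet, expected_seq))


def demo() -> dict:
    # Constructed key. In the protocol it is derived from the user's session
    # key at login, which is why signing starts with the first user login.
    mac_key = bytes(range(16))
    packet = build_packet(0x2E, mid=1, payload=b"constructed read request")
    signed = sign(mac_key, packet, seq=2)

    tampered = bytearray(signed)
    tampered[-1] ^= 0x01                   # one bit changed in transit

    return {
        "valid": verify(mac_key, signed, 2),
        "tampered": verify(mac_key, bytes(tampered), 2),
        # Same bytes presented again after the counter has advanced.
        "replayed": verify(mac_key, signed, 4),
        # A party that never authenticated does not hold the key.
        "wrong_key": verify(b"\x00" * 16, signed, 2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```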

NetBIOS Name Services, WINS, and DNS


HP CIFS Client A.02.01 or later supports DNS and the NetBIOS Name Services, including WINS, a Windows name resolution service similar to DNS. The configuration parameters lookupTryNetbios, lookupTryDns and nbnsWinsIP are used to configure which lookup mechanisms are used. For detailed information, see "Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration" on page 37.

Microsoft Distributed File System


The HP CIFS Client A.02.02 supports the Microsoft Distributed File System (MS DFS). DFS is a network server component that enables administrators to build a single, hierarchical view of multiple file servers and file server shares on their network. DFS unites files on different computers into a single name space and provides a way to separate the logical view of files and directories that users see from their actual physical locations on the network.

DFS comprises three major components: the DFS Root, one or more DFS links, and the DFS client. A DFS Root is a special share on a CIFS Server that serves as the starting point for DFS functionality. A DFS link is a special directory within the DFS Root that maps to another CIFS share on the same or a different server. A DFS client is a CIFS client which is capable of processing DFS links. When the DFS client accesses a DFS link, it sends a request for the CIFS share that the DFS link maps to, and establishes a connection to that CIFS share.

The HP CIFS Client supports the following DFS servers:
- Windows NT
- Windows 2000/2003
- HP CIFS Server

For information on how to set up DFS on a CIFS server, consult your CIFS server documentation.

The following are the major features of DFS:
- High data availability: Multiple copies of read-only shares can be mounted under the same logical DFS name to provide alternate locations for accessing data. If one of the copies becomes unavailable, an alternate is automatically selected.
- Load balancing: Multiple copies of read-only shares on separate disk drives or servers can be mounted under the same logical DFS name, thus permitting limited load balancing between drives or servers.
- Name and location transparency: DFS transparently links server volumes and shares into a single name space. You can navigate the logical name space without consideration to the physical location of your data.
- Integration with Windows NT security model: There are no additional administrative or security issues. Users who connect to DFS shares are only permitted to access files for which they have appropriate rights on that share.

Limitations

CIFS Client MS DFS support has the following limitations:
- Moving files across DFS links is not supported.
- Before the CIFS Client connects to a DFS Root on an HP CIFS Server (Samba), CIFS UNIX Extensions must be disabled on either the CIFS Client or Server.

Dynamically Loadable Kernel Module


The kernel component of the HP CIFS Client is implemented as a Dynamically Loadable Kernel Module (DLKM). Both static binding and dynamic loading are supported. Dynamic loading can be demand-loading or auto-loading. With DLKM support, installation, removal, and update of the HP CIFS Client do not require a system reboot.


The HP CIFS Client supports the following kernel module states:

    Auto: The module will be dynamically loaded the first time it is used.
    Static: The module is statically linked into the kernel.
    Loaded: The module is dynamically loaded and running in the kernel.
    Unused: The module is not loaded in the kernel.
    Best: A state that selects the following order of preference: auto, static, loaded, unused.

By default, the kernel module state is auto. The HP CIFS Client kernel module will be dynamically loaded when the first CIFS file system mount is performed. You may use the kcmodule command to change the kernel configuration state. Ensure you understand the effects of any changes if you want to modify the kernel configuration state. Refer to the kcmodule(1M) man page for details.

NOTE

HP CIFS Client DLKM support is available only on HP-UX release 11i v2 or later.

SMB Over TCP


This feature eliminates the use of the NetBIOS Session Service in CIFS client-server connections. This is the default on current Windows clients. SMB-over-TCP is turned off by default in the HP CIFS Client. This feature is not supported by Windows NT servers. For detailed information on how to configure this feature in networks with and without NT servers, see the smbOverTCP parameter in Chapter 7, "Configuration File," on page 99.


Installing, Configuring, and Using the HP CIFS Client


This chapter describes the procedures for installing HP CIFS Client software on your system.


It contains the following sections:

    Overview of HP CIFS Client Installation and Configuration
    Step 1: Checking HP CIFS Client Installation Prerequisites
    Step 2: Installing HP CIFS Client and PAM Software
    Step 3: Configuring the HP CIFS Client
    Step 4: Starting and Stopping the HP CIFS Client Daemon
    Using the HP CIFS Client
    Automatic Mounting of CIFS Filesystems
    Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration
    HP CIFS Client Files and Directories


Overview of HP CIFS Client Installation and Configuration

Installation of the HP CIFS Client includes checking installation prerequisites, loading the HP CIFS Client filesets using the swinstall(1M) utility, and completing HP CIFS configuration procedures. The CIFS Client and PAM NTLM products are delivered in the same bundle, packaged for installation via HP Software Distributor (SD). HP recommends that both products be installed at the same time. This is not a requirement, as each one can also be installed and run as a standalone product.

To install and remove software, use the HP-UX commands swinstall(1M) and swremove(1M). Detailed information on these commands is provided in the HP-UX man pages. The CIFS Client forces a system reboot during installation and removal. The CIFS Client modifies the kernel so that it will recognize CIFS as a mountable filesystem.

When you install the bundles for the HP CIFS Client, there will be two products for you to install. The first one is the HP CIFS client software and the second one (optional) is the NTLM PAM module.

NOTE

You can download the HP CIFS Client software, available at http://software.hp.com.


Step 1: Checking HP CIFS Client Installation Prerequisites


Prior to loading the HP CIFS Client software onto your system, check that you have met the following hardware and software prerequisites:

1. The HP CIFS client runs on all HP workstations and servers that are capable of running HP-UX version 11.11 or later, in either 32-bit or 64-bit mode. No specific system patches are required for the HP CIFS Client. See item 3 below.

2. The Kerberos libraries, libkrb5.sl and libcom_err.lib, must be present on your system. For HP-UX version 11i (B.11.11) and future releases, these libraries should be on your system by default as part of your base HP-UX operating system installation. However, on HP-UX version 11.0 (B.11.00), these libraries may not be present (check in /usr/lib). To acquire these libraries, install the product PAM Kerberos, available at http://software.hp.com

3. Check that you have the latest PAM library patch. Patches are available at HP's online patch catalogue; search for libpam. You can use the swlist command to list software installed on your system. If a General Release patch is listed, you can check its contents for PAM patches with the following command:

    swlist -l fileset patch-name | grep -i pam

   Refer to the HP CIFS Client release notes for information about patch dependencies.

4. You must log in as a user with root privileges to perform the installation.

NOTE

If you are currently using an A.01.* version of the HP CIFS Client, read "Migrating from version A.01.* to A.02.* of HP CIFS Client" on page 57 before installing any A.02.* version.


Step 2: Installing HP CIFS Client and PAM Software


You must have root privileges to install software on your HP-UX system. Because the CIFS Client contains a kernel module, the installation reboots the system upon completion.

Installing From CD
If you are installing HP CIFS Client and PAM software from CD, run swinstall, and select HP CIFS Client or PAM NTLM (or both) from the CD ROM depot path.

Installing From a Software Depot File


If you are installing from a depot file, such as those downloadable from http://software.hp.com, enter the following at the command line:

    swinstall options -s /path/filename B8724AA

where options is -x autoreboot=true -x mount_all_filesystems=false. path must be an absolute path (it must start with /), for example, /tmp. filename is the name of the downloaded depot file, usually a long name of the form:

    B8724AA_A.02...HP-UX_B.11...32+64.depot

An Example

For example, to install the HP CIFS Client bundle version A.02.01 on an HP-UX 11i v2 system from a downloaded depot file, enter the command line as shown below:

    swinstall -x autoreboot=true -x mount_all_filesystems=false \
        -s /tmp/B8724AA_A.02.01_HP-UX_11.23_IA+PA.depot B8724AA


Step 3: Configuring the HP CIFS Client

The configuration file for the HP CIFS Client, /etc/opt/cifsclient/cifsclient.cfg, can be used as delivered, with no modification of its default values.

Editing cifsclient.cfg

The file /etc/opt/cifsclient/cifsclient.cfg.default contains factory default settings. The user is urged not to modify this file but to save it as a reference. If appropriate, edit the file as described below.

1. To enable WINS lookups, set the parameter nbnsWinsIp to the IP address of the WINS server. See "Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration" on page 37 for details.

2. Configure Internationalized Clients.

   The CIFS Client is designed to work with a variety of internationalized clients and servers. It can use Unicode to transmit multi-byte characters on the network, or any of several character encoding tables located in /etc/opt/cifsclient/unitables. See the README file in that directory for an index of the tables. Each table is a character map file which can be configured for encoding file and directory names on the client or server (file contents are not affected).

   The character set displayed on the CIFS Client console is configured with the parameter clientCharMapFile, which selects any one of the many character mapping files provided with the product. Character translations for communications with CIFS Servers can be done either in Unicode or through the configuration parameter serverCharMapFile, which also is used to select a character mapping file. Use of Unicode is turned on and off with the useUnicode parameter. The default settings in cifsclient.cfg are:

    serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapCP437.cfg";
    clientCharMapFile = "/etc/opt/cifsclient/unitables/unimap8859-1.cfg";


   If, for example, your CIFS Client is configured as a Japanese system using the Shift-JIS locale, and it is connected to a Japanese CIFS Server that also uses Shift-JIS, you would configure the following:

    serverCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";
    clientCharMapFile = "/etc/opt/cifsclient/unitables/unimapShiftJIS.cfg";

3. Authentication Method

   The authenticationMethod parameter should be set to ntlm or kerberos. See "Using Kerberos with the HP CIFS Client" in Chapter 3 for details.

4. NTLM Password Encryption

   For servers with which Kerberos is not used, you can set the configuration parameter ntlmEncryptionVersion to ntlm or ntlmv2 to determine which NTLM version to use. See "Configuring Authentication" in Chapter 3 for details.

5. Server-Specific Configuration

   The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to NTLM, but you want to ensure that server cifshostA uses only NTLMv2, you can create the following section (within the enclosing "servers" section; see also the example at the end of the CIFS Client configuration file):

    cifshostA = { ntlmEncryptionVersion = ntlmv2; };


Step 4: Starting and Stopping the HP CIFS Client Daemon


Use the cifsclient command to start and stop the HP CIFS client. The syntax is:

    cifsclient {start|stop}

cifsclient with no argument is equivalent to cifsclient start. If the HP CIFS client is already running when you execute the command, you will get a message indicating it is already up.

Use the stop option of the cifsclient command to stop the HP CIFS Client. When the CIFS Client is shut down, it first attempts to unmount all of the CIFS shares. If any unmount fails, the shutdown is not completed. See the cifsclient man page in the Commandline Utilities chapter for details.


Using the HP CIFS Client


This section presents a summary of how the HP CIFS Client can be used. The basic procedure is (1) start the daemon, (2) mount shared directories, (3) log in to CIFS Servers. Following are examples of these steps and some additional useful tips:

1. Start the daemon. Normally the system administrator, logged in as root, enters this command at system startup:

    $ cifsclient start
    CIFS Client started; process id: 12783

   To check status at any time:

    $ cifsclient status
    path: /opt/cifsclient/sbin/cifsclientd
    version: FILESET HP CIFS CLIENT: Version: A.02.01 Compiled on HP-UX B.11.11, s785/C360, 03/05/30, 13:34:15
    cifsclientd: ver_id=1291218999
    cksum: 2781544263
    status: CIFS Client is up; process id 12783, started Apr 13
    mntck: ok

   You can configure your HP-UX system to start the CIFS Client automatically at bootup by editing the file /etc/rc.config.d/cifsclient such that the run flag is set to 1: RUN_CIFSCLIENT=1. There must be no spaces on either side of the equal sign. If you use this option, you can still stop and restart the HP CIFS Client after the system boots up.

2. Mount and unmount shares on a CIFS server. This must be done by root.

   Remote directories to be mounted by the HP CIFS Client must be configured as shares on the HP CIFS server. In the following example, the share source, configured as a share on the HP CIFS server buildsys, is mounted by the CIFS Client using the directory /home/devl/source as the mount point. The directory used as the mount point must already exist and must be specified as an absolute path.

   To mount:

    $ mount -F cifs buildsys:/source /home/devl/source

   To unmount, specify only the mount point:

    $ umount /home/devl/source

3. Access the shared directory via the mount point on the Client.

   The CIFS protocol allows access to mounted directories only to users who have been authenticated by the server or a domain controller. This is accomplished through the cifslogin command.

   In the examples that follow, the share source has been configured on the server. The joe user on the Client wants to access the shared directory on buildsys. This is first attempted by changing directories to the mount point, but without first logging into the server (this fails). Then, by logging into buildsys with the cifslogin command, the user is authenticated by buildsys and can access its shared source directory through the CIFS Client's mount point.

   Note that the user name used to log in to the CIFS Server can be different from the current HP-UX login name at the Client. The account and password pair used in cifslogin must exist on the system that performs the authentication. Further, if the server is an HP-UX system, all users on the Client that access the Server should have the same uid on both systems, so that file ownership is consistent.

    $ whoami
    joe
    $ cd /home/dev1/source
    sh: /home/dev1/source: not found

This fails because the user has not yet logged into the CIFS Server buildsys.
    $ cifslogin buildsys joe
    Remote user joe's password: *****


This succeeds. You can use the cifslist command to verify the results. The cifslist command without any option displays servers with their shares and mountpoint information; it uses the \\server\share format for mounted objects.

    $ cifslist
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    \\buildsys\source     /home/devl/source     M
    =============================================================
    Server      Local User    Remote User    Domain    State
    ------------------------------------------------------------
    buildsys    joe           joe                      L

If you use the cifslist -x command to verify the results, the output shows servers with their shares and mountpoint information using UNIX format, server:/share, for mounted objects.

    $ cifslist -x
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    buildsys:/source      /home/devl/source     M
    =============================================================
    Server      Local User    Remote User    Domain    State
    ------------------------------------------------------------
    buildsys    joe           joe                      L
    $ cd /home/dev1/source

This succeeds because of the cifslogin above. Using the example above (source is mounted and user joe is authenticated on buildsys), a user named lucy accesses the mount as follows:
    $ cifslogin buildsys lucy
    Remote user lucy's password: *****

You can use the cifslist command to verify results:

    $ cifslist
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    \\BUILDSYS\source     /home/devl/source     M
    =============================================================
    Server      Local User    Remote User    Domain    State
    -------------------------------------------------------------
    buildsys    joe           joe                      L
    buildsys    lucy          lucy                     L

Note that the Local User (the HP-UX account name) does not need to be the same as the Remote User (the CIFS server account name). In the previous example, if the local (HP-UX) user lucy has the CIFS account name lucille, she would login as follows:
    $ cifslogin buildsys lucille
    Remote user lucille's password: *****

You can use the cifslist command to show results:


    $ cifslist
    Mounted Object        Mountpoint            State
    ------------------------------------------------------------
    \\BUILDSYS\source     /home/devl/source     M
    =============================================================
    Server      Local User    Remote User    Domain    State
    -------------------------------------------------------------
    buildsys    joe           joe                      L
    buildsys    lucy          lucille                  L

For more detailed information on how to use the cifslist command to view the internal tables of HP CIFS Client, see Chapter 5, Commandline Utilities, on page 69.


Mounting and Logging in in One Step


The root user has the option to mount a CIFS filesystem and log in to the CIFS Server in one step, eliminating the need to explicitly issue the cifslogin command. Using the names from the examples above:
$ mount -F cifs -o username=x,password=y buildsys:/source /home/dev1/source

where x and y are the name and password pair recognized by the server. The cifsmount command can perform the same function. Using the names from the examples above:
    $ cifsmount -U <username> [-P<password>] //buildsys/source \
        /home/dev1/source

If you do not specify -P password on the command line, cifsmount prompts you for a password.
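Both one-step forms above put the password in the command's argument list, so it can end up in shell history and in process listings that other local users can read. The following Python check is an added example, not part of the HP guide: it flags and masks such invocations in a list of command lines. The function names, the sample lines and the password in them are constructed for illustration.

```python
import os
import shlex

REDACTED = "REDACTED"


def _redact_mount_opts(opts):
    """Replace the value of password= inside a comma-separated -o list."""
    cleaned, hit = [], False
    for opt in opts.split(","):
        if opt.startswith("password="):
            opt, hit = "password=" + REDACTED, True
        cleaned.append(opt)
    return ",".join(cleaned), hit


def redact_cifs_password(command_line):
    """Return (command line with any CIFS password masked, exposed?)."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: not parseable as a command
        return command_line, False
    tool = os.path.basename(argv[0]) if argv else ""
    if tool == "mount" and "cifs" in argv:
        flag = "-o"  # mount -F cifs -o username=x,password=y ...
    elif tool == "cifsmount":
        flag = "-P"  # cifsmount -U <username> -P<password> ...
    else:
        return command_line, False
    out, exposed, i = [argv[0]], False, 1
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith(flag):
            out.append(arg)
            continue
        attached = len(arg) > len(flag)
        if attached:
            value = arg[len(flag):]
        elif i < len(argv):
            value, i = argv[i], i + 1  # the value is the next argument
        else:
            out.append(arg)  # flag given without a value
            continue
        if flag == "-o":
            value, hit = _redact_mount_opts(value)
        else:
            value, hit = REDACTED, True
        exposed = exposed or hit
        out.extend([flag + value] if attached else [flag, value])
    return shlex.join(out), exposed


def scan(lines):
    """Return (line number, masked command) for each line exposing a password."""
    findings = []
    for number, line in enumerate(lines, start=1):
        masked, exposed = redact_cifs_password(line)
        if exposed:
            findings.append((number, masked))
    return findings


# Constructed command lines, such as might appear in shell history or in the
# command column of a process listing; the password is made up.
SAMPLE = [
    "mount -F cifs -o username=joe,password=S3cret buildsys:/source /home/dev1/source",
    "cifsmount -U joe -PS3cret //buildsys/source /home/dev1/source",
    "cifsmount -U joe -P S3cret //buildsys/source /home/dev1/source",
    "cifsmount -U joe //buildsys/source /home/dev1/source",
    "mount -F cifs buildsys:/source /home/dev1/source",
]

if __name__ == "__main__":
    for number, masked in scan(SAMPLE):
        print(number, masked)
```

The fourth sample line is the form that leaves the password off the command line, since cifsmount then prompts for it.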

CIFS Client Logging


The CIFS Client produces a log file of its activities. Various levels of logging can be turned on or off, for example, the activities of different modules within the software. See "CIFS Client Log File and Log Levels" on page 98 for detailed information.


Automatic Mounting of CIFS Filesystems


In addition to the mount command discussed in the previous section, which was used to explicitly create a single mount, there are other methods to manage the mounting of CIFS file systems. See the reference for mount_cifs and umount_cifs in Chapter 6 for syntax details not contained in this section.

Using /etc/fstab
By creating entries in /etc/fstab you can mount CIFS filesystems automatically at boot time, or mount multiple CIFS file systems on one or more CIFS Servers with a single command entered manually. The format for such entries is:

    server:/share mount_point cifs defaults 0 0

See the fstab(4) man page for detailed information on the format of this file. Then, to mount all CIFS entries in /etc/fstab manually, enter:

    $ mount -aF cifs

To unmount all currently mounted CIFS filesystems, enter:

    $ umount -aF cifs

These commands are run automatically, at bootup and shutdown, if the system is configured to start the CIFS Client at bootup, as explained above in item 1 of "Using the HP CIFS Client" on page 31.

Storing Mounts in the CIFS Client Mount Database


CIFS mount information can also be stored in the CIFS mount database. In this case, the mounts are re-established whenever the CIFS Client is started. Mounts can be stored with either the cifsdb or cifsmount commands. See Chapter 5, "Commandline Utilities," on page 69 for details. The CIFS Client mount database file is /var/opt/cifsclient/cfgdb.ppl. The path to this file is not configurable. This file is generated automatically and must not be manually edited.


Name Resolution: NetBIOS Name Service, WINS, DNS, IP Configuration


When the CIFS Client attempts to mount a CIFS server, it must first establish a NetBIOS connection to the server; hence the server specified in the mount or cifsmount command must be the CIFS server's NetBIOS (Windows) name. To resolve the name to an IP address, the CIFS Client uses the following lookup methods, in this order (the sequence stops when a match is found):

    A configured server-specific IP address
    WINS lookup
    NetBIOS broadcast
    DNS lookup

Only NetBIOS broadcast and DNS are enabled by default; they are controlled through the configuration parameters lookupTryNetbios and lookupTryDns by setting these parameters to yes. The CIFS Client can also use WINS (a Windows name resolution service similar to DNS) or server-specific settings in the configuration file to locate CIFS servers. WINS provides an efficient lookup mechanism that is sufficient for most CIFS environments. The configuration for name resolution can be as follows:

    To enable WINS, set the nbnsWinsIp parameter to the IP address of a WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. For example, if you set the lookupTryNetbios and lookupTryDns parameters to yes and set the IP address of the WINS server to 110.112.114.115, the CIFS Client first attempts a WINS lookup, then a NetBIOS broadcast, then a DNS lookup.

    WINS is a feature of the NetBIOS Name Service; hence, disabling lookupTryNetbios also disables WINS. For example, if you set lookupTryNetbios to no, the HP CIFS Client ignores the nbnsWinsIp setting and does not attempt a WINS lookup at all.


    If the server's NetBIOS name differs from its DNS name (DNS cannot resolve it), and it is on a different subnet from the CIFS Client (NetBIOS broadcast cannot resolve it), and its address is not resolved by WINS, then you need to create a server entry for the IP address in the CIFS Client configuration file. To create a server-specific setting in the configuration file, first create a section for the server (as illustrated in the example at the end of the file itself), then set the ipAddress parameter to the server's IP address. In this case, the configured IP address is used directly; other lookup methods are bypassed for this server. For example:

    buildsys = { ipAddress = "110.112.114.115"; };

Note that the IP address must be quoted. Note also that NetBIOS broadcasts are useful only for servers on the same subnetwork as the client, and DNS enables the CIFS Client to establish NetBIOS connections only with servers whose DNS and Windows names are identical.


HP CIFS Client Files and Directories


This section lists the important files that comprise the HP CIFS Client.

Table 2-1 HP CIFS Client Files and Directories

File/Directory                   Description
/opt/cifsclient/                 Base directory for all CIFS Client core files and administrative files.
/opt/cifsclient/bin/             CIFS binaries.
cifsmount                        Mounts CIFS shares from CIFS Servers. Can only be used by root user.
cifsumount                       Unmounts CIFS shares. Can only be used by root user.
cifsgettkt                       Utility to help set up Kerberos; see "Using Kerberos with the HP CIFS Client" on page 48 for details.
cifslogin                        For ordinary users to use the CIFS shares (already mounted), they first log in to the CIFS domain/machine with their username and password (according to CIFS configuration).
cifslogout                       User logout from the CIFS domain. Cannot use the mounted shares in the CIFS domain.
cifslist                         Lists the mounted shares on the Client.
cifsclient                       Start/Stop script for CIFS Client. Please refer to "Step 4: Starting and Stopping CIFS Client" for more details on this script.
cifsdb                           Adds, modifies and deletes entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
/opt/cifsclient/pam              HP CIFS PAM files.
/opt/cifsclient/sbin             CIFS Clients for use by the administrator or root user. The CIFS Client daemon is contained in this directory.
/etc/opt/cifsclient/             Directory for CIFS Client log, database, core files, and other temporary files.
cifsclient.cfg                   Configuration file accessed by CIFS Client daemon.
cifsclient.cfg.default           Contains factory default settings; used as a reference. Do not modify.
/etc/opt/cifsclient/unitables    Character-mapping tables for internationalized clients.
pam/smb.conf                     PAM configuration file. You may need to modify it according to your needs. Refer to "Chapter 6: PAM NTLM" for more details on this file.
pam/smb.conf.default             Default PAM file. Should be copied as pam/smb.conf for your use. Do not modify.
/var/opt/cifsclient              Directory for the CIFS Client log files, pid files and any temporary files created for the client's own use.


CIFS Security and Authentication


This chapter describes CIFS security and the authentication methods that use Windows NT LanManager (NTLM), NTLMv2 and Kerberos. It contains the following sections:

    Introduction
    User Login Procedures
    Introduction To Kerberos
    Using Kerberos with the HP CIFS Client
    CIFS Client Kerberos Authentication Policies
    Packet Signing


Introduction
One of the important characteristics of the CIFS file-sharing protocol is its security model. Before a user on a CIFS client can access the mountpoint of a CIFS server, the user must be authenticated by the server (the user must log in to the server). Four login methods are available; they are explained in the following pages. Restrictions at the file or directory level on the server's filesystem are also enforced by the server.

Authentication Methods
The HP CIFS Client supports two authentication protocols. These protocols are configured on a global or server-specific basis in the CIFS Client configuration file by the system administrator:

Windows NT LanManager (NTLM) and NTLMv2

NTLM is a challenge-response protocol. The server sends a challenge key to the client, which the client returns to the server encrypted with the user's password. The server performs the same encryption and verifies that the client's request matches. No semblance of the user's password is transmitted over the network. The HP CIFS Client supports NTLM and NTLM version 2 (NTLMv2). NTLMv2 uses the same challenge-response protocol, but it additionally provides more sophisticated encryption algorithms than NTLM, and hence better password protection.

Kerberos

Kerberos is a distributed authentication service that allows a client running on behalf of a user to prove its identity to an application server without sending data across the network that might allow an attacker to subsequently impersonate the user. Kerberos is a secure, industry standard authentication protocol that provides significant improvements over the NTLM protocol.

Configuration Settings For Authentication

The configuration parameters authenticationMethod and ntlmEncryptionVersion are specified globally, in the server section of the HP CIFS Client configuration file. They can also be set in the user-defined or server-specific section of the configuration file; see the "Server-Specific Configuration" section below. These parameters are used to select which mechanisms are used by the CIFS Client to authenticate users to CIFS servers.

Legal entries for the authenticationMethod parameter are ntlm or kerberos. The default value of this parameter is ntlm. If you wish to use Kerberos, the configuration setting is:

    authenticationMethod = kerberos;

In this case, the CIFS Client requests the use of Kerberos when negotiating an initial connection with the CIFS Server. If the server's response is affirmative, only Kerberos is used for authenticating users to this server; otherwise NTLM is used. If the NTLM protocol is used, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

To use the traditional Windows NT LAN Manager (NTLM) protocol, set the authenticationMethod parameter to ntlm. In this case, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

Valid entries for the ntlmEncryptionVersion parameter are ntlm or ntlmv2. For CIFS servers with which Kerberos is not used, if you want to use only NTLMv2 password encryption, set the ntlmEncryptionVersion parameter to ntlmv2. Otherwise, if you want to use only NTLM password encryption, set this parameter to ntlm. By default, the ntlmEncryptionVersion parameter is set to ntlm.

Server-Specific Configuration

The CIFS Client provides a method for overriding global settings on a server-specific basis. For example, if you set ntlmEncryptionVersion globally to NTLM, but you want to ensure that server buildsys uses only NTLMv2, you can create the following section (within the enclosing cifs section; see also the example at the end of the CIFS Client configuration file):

    buildsys = { ntlmEncryptionVersion = ntlmv2; };
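To see what these rules mean for each server, the following Python example (added here, not HP code) merges the stated defaults, the global settings and a server-specific section, then reports which authentication mechanisms the client may end up using and, following the name-resolution rules in Chapter 2, which lookups it will try. The file grammar, the top-level layout, the "servers" section name, the server "legacy" and the address 192.0.2.10 are assumptions; parameter names and defaults are taken from this guide.

```python
import re

# Assumed grammar, inferred from the fragments in this guide:
#   key = value;    key = "quoted value";    name = { ...nested... };
TOKEN = r'"[^"]*"|[{}=;]|[^\s{}=;"]+'
PUNCT = set("{}=;")
# Defaults as stated in this guide.
DEFAULTS = {"authenticationMethod": "ntlm", "ntlmEncryptionVersion": "ntlm",
            "lookupTryNetbios": "yes", "lookupTryDns": "yes"}

def parse_cfg(text):
    """Parse the assumed cifsclient.cfg grammar into nested dicts."""
    if re.sub(TOKEN + r"|\s+", "", text):
        raise ValueError("unterminated quoted value")
    tokens = re.findall(TOKEN, text)[::-1]  # reversed so pop() reads in file order

    def take(expected=None):
        tok = tokens.pop() if tokens else None
        if tok is None or (tok != expected if expected else tok in PUNCT):
            raise ValueError(f"expected {expected or 'a name or value'}, got {tok!r}")
        return tok.strip('"')

    def block(nested):
        out = {}
        while tokens and tokens[-1] != "}":
            key = take()
            take("=")
            if tokens and tokens[-1] == "{":
                tokens.pop()
                out[key] = block(True)
            else:
                out[key] = take()
            take(";")
        if nested:
            take("}")  # raises if the section is never closed
        elif tokens:
            raise ValueError("unbalanced }")
        return out

    return block(False)

def effective(global_cfg, server_cfg):
    """Stated defaults, then global scalars, then the server-specific section."""
    scalars = {k: v for k, v in global_cfg.items() if not isinstance(v, dict)}
    return {**DEFAULTS, **scalars, **server_cfg}

def auth_paths(s):
    """Mechanisms the client may end up using for this server."""
    ntlm = s["ntlmEncryptionVersion"].lower()
    if s["authenticationMethod"].lower() == "kerberos":
        # Kerberos is only requested; if the server does not agree, the
        # client uses NTLM at the configured ntlmEncryptionVersion.
        return ["kerberos", ntlm]
    return [ntlm]

def lookup_order(s):
    """Name-lookup methods, in the order the guide lists them."""
    if "ipAddress" in s:
        return ["ipAddress"]  # used directly; other methods are bypassed
    netbios = s["lookupTryNetbios"].lower() == "yes"
    order = []
    if netbios and s.get("nbnsWinsIp"):
        order.append("wins")  # WINS is skipped whenever NetBIOS is off
    if netbios:
        order.append("netbios-broadcast")
    if s["lookupTryDns"].lower() == "yes":
        order.append("dns")
    return order

def audit(cfg_text, servers_section="servers"):
    """Per-server report: auth mechanisms, lookup order, plain-NTLM exposure."""
    cfg = parse_cfg(cfg_text)
    report = {}
    for name, section in cfg.get(servers_section, {}).items():
        s = effective(cfg, section)
        paths = auth_paths(s)
        report[name] = {"auth": paths, "lookup": lookup_order(s),
                        "plain_ntlm_possible": "ntlm" in paths}
    return report

# Constructed sample. The top-level layout, the "servers" section name, the
# server "legacy" and 192.0.2.10 are assumptions; parameter names are the guide's.
SAMPLE = """
authenticationMethod = kerberos;
ntlmEncryptionVersion = ntlm;
nbnsWinsIp = "110.112.114.115";
servers = {
    buildsys  = { ntlmEncryptionVersion = ntlmv2; };
    cifshostA = { ipAddress = "192.0.2.10"; };
    legacy    = { authenticationMethod = ntlm; lookupTryNetbios = no; };
};
"""

if __name__ == "__main__":
    for server, row in audit(SAMPLE).items():
        print(server, row)
```

A server configured for Kerberos still lists its NTLM version, because the guide states that NTLM is used when the server does not agree to Kerberos. In the sample, only buildsys, which overrides ntlmEncryptionVersion to ntlmv2, can never authenticate with plain NTLM.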


User Login Procedures


Explicit Login (cifslogin)

Users on the CIFS Client can authenticate themselves to CIFS servers explicitly with the cifslogin command. Please see the cifslogin man page in the Commandline Utilities chapter.

Automatic Login

The CIFS Client provides methods for accessing mounted CIFS file servers automatically. The initial request for access to a CIFS mountpoint (cd, ls, etc.) causes the CIFS Client to log the user in, in the background. If the background login succeeds, the user's request for access succeeds, and the cifslogin command is not required. The CIFS Client's automatic login policy follows:

1. Kerberos: integration with kinit and PAM Kerberos

   If Kerberos authentication has been configured and the user has a Ticket-Granting Ticket (TGT) in the system Kerberos credentials cache (created explicitly with the kinit(1) command or automatically by PAM Kerberos), and the use of Kerberos has been negotiated with the mounted CIFS server, the CIFS Client will use the TGT to perform an automatic login. For more information on how to use Kerberos authentication with the CIFS Client, see "Using Kerberos with the HP CIFS Client" on page 48.

2. Integration with PAM NTLM

   If PAM NTLM has been configured on the system (in /etc/pam.conf) and the user has logged into the CIFS Client HP-UX host with PAM NTLM, the CIFS Client will attempt to use the user's cached PAM NTLM credentials to authenticate the user to the CIFS server. Please see Chapter 8 for more information on PAM NTLM.

3. User Database

   If no PAM NTLM credentials are found, but the user has an entry in the CIFS Client user database, the CIFS Client will attempt to log the user into the CIFS server using the encrypted password in the user database. You must first successfully perform a manual login in order to store the encrypted password. You can use the cifslogin -s or cifsdb command to save an entry in the user database, or use the cifsdb -d command to delete an entry from the user database. Please see the cifslogin and cifsdb man pages in Chapter 5, "Commandline Utilities," on page 69 for details.

NOTE

Automatic login using the user database is not supported with Kerberos.

4. Guest User

   This feature enables all users on the HP CIFS Client host who are not logged into a mounted CIFS server to access the server's mountpoints with the privileges of a guest user. Please also see the detailed information on the guestRemoteUser parameter in Chapter 7.

   To set up guest user capabilities, set the configuration parameters guestRemoteUser and guestPassword to those of a valid account on the server. HP recommends setting up a generic guest user account on the server, so that access rights of guest users can be limited. Then, when UNIX users on the CIFS Client HP-UX host who have not logged into the CIFS server try to access its mounted shares, they automatically access them as the guest user without doing an explicit cifslogin.


Introduction To Kerberos
Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an application server, or only a server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal. Kerberos optionally provides integrity and confidentiality for data sent between the client and server. [B. Clifford Neuman, Theodore Ts'o: Kerberos: An Authentication Service for Computer Networks]

Kerberos was developed at the Massachusetts Institute of Technology (MIT). Use of Kerberos in the CIFS environment provides significant security improvements over the older NT LanManager (NTLM) protocol traditionally used by CIFS Clients and Servers.

Requirements and Limitations Using Kerberos


Kerberos Key Distribution Center and CIFS Servers

The HP CIFS Client supports only Windows 2000 and Windows 2003 Key Distribution Centers (KDCs).

Tickets Not Acquired

For this release, the following ticket types are not acquired by the HP CIFS Client:

• Renewable
• Proxiable
• Forwardable

NOTE

Cross-realm authentication is not supported in this release.


Using Kerberos with the HP CIFS Client


These procedures should be followed to use Kerberos with the HP CIFS Client:

Step 1. Review fundamental Kerberos operating principles
Step 2. Set up and verify the Kerberos infrastructure
Step 3. Configure Kerberos in the HP CIFS Client

Step 1. Review fundamental Kerberos Operating Principles


If you are not familiar with the fundamental features and operation of Kerberos, consult one or more of the following references.

These HP-UX resources explain the essentials of Kerberos (in the respective Overview chapters in each manual). This level of detail may be sufficient for most installations.

• Configuration Guide for Kerberos Client Products on HP-UX: http://docs.hp.com/hpux/onlinedocs/T1417-90005/T1417-90005.html
• Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: http://docs.hp.com/hpux/onlinedocs/T1417-90001/T1417-90001.html
• Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i: http://docs.hp.com/hpux/onlinedocs/T1417-90003/T1417-90003.html
• Other HP-UX resources can be found by searching for kerberos at http://docs.hp.com

In-depth discussion of the Kerberos protocol can be found in the following excellent documentation:

• Kerberos: An Authentication Service for Computer Networks, B. Clifford Neuman and Theodore Ts'o: http://www.isi.edu/gost/publications/kerberos-neuman-tso.html
• The documentation repository at Massachusetts Institute of Technology (the developer of Kerberos): http://web.mit.edu/kerberos
• The Kerberos specification, RFC 1510. An excellent introduction (section 1) and descriptions of message exchanges (section 3): http://ftp.rfc-editor.org/in-notes/rfc1510.txt
• Several informative papers can also be found at the Microsoft web site. Most of these documents also include practical information on how you should set up security in networks of Windows computers. Please search for kerberos or related topics at: http://www.microsoft.com

Step 2. Set Up and Verify the Kerberos Infrastructure


In order to use Kerberos with the HP CIFS Client, you must first have a working Kerberos infrastructure on your network including the HP-UX host (independent of the CIFS Client). The Kerberos infrastructure consists of:

• A Key Distribution Center (KDC)
• At least one CIFS server that supports Kerberos and is a member of the KDC's domain (called a realm in the Kerberos terminology)
• At least one user account on the KDC
• A properly configured HP-UX Kerberos Client installation on the system running the HP CIFS Client

NOTE

A domain name server (DNS) is recommended to be active on a Windows server on your network. CIFS servers to which you want to connect should be configured in the Windows DNS table in order to be recognized by the KDC.

For information on setting up a Key Distribution Center on a Windows 2000 or 2003 server, refer to your Microsoft documentation.

The CIFS servers to which you want to connect via Kerberos with the CIFS client must be joined to the Windows Domain. For more information, refer to Windows online help or the HP CIFS Server Administrator's Guide.

For information on setting up user accounts on a Windows KDC, consult online help for managing user Domain accounts.

To set up the HP-UX Kerberos client, consult the Configuration Guide cited above in step 1. The following HP-UX man pages also contain useful information: kerberos(9), krb5.conf(4), kpasswd(1), kinit(1), klist(1), kdestroy(1).

Once you have set up these elements of your Kerberos infrastructure, you can use the following checks to verify that everything is working. Do not proceed to step 3 without performing this verification.

• To verify that user accounts have been set up properly on the KDC, and that the Kerberos authentication service on the KDC and the HP-UX Kerberos client can communicate properly, enter the following command:

$ kinit name

where name is one of the user names. If the operation succeeds, a Ticket-Granting Ticket (TGT) will be issued for name. To verify that this actually occurred, execute the klist command to display the contents of the ticket stored in the system Kerberos cache.

• To verify that CIFS servers have been properly configured as member servers on the KDC, execute the test program, cifsgettkt, located in /opt/cifsclient/bin:

$ cifsgettkt -s server

where server is one of the CIFS servers. This command uses the TGT acquired with kinit to request a service ticket (ST) from the Ticket-Granting Server (TGS). Because cifsgettkt is used only for testing, it does not modify the system Kerberos cache. However, it produces an informative message at the console.

If these verification steps succeed, Kerberos authentication for CIFS clients and servers should succeed. You are ready to proceed to step 3.


Step 3. Configure Kerberos on the HP CIFS Client


Set the configuration parameter authenticationMethod to kerberos. The configuration setting is:

authenticationMethod = kerberos;

Ensure there are no active CIFS mounts or logins at the server, and then log in as illustrated in User Login Procedures on page 45. To ensure Kerberos is used, you can enable the log levels cifstrace and authentication; see CIFS Client Log File and Log Levels on page 98 for information on log levels and log files. Once you have verified that Kerberos has been negotiated and used for user authentication, disable cifstrace and authentication logging.


CIFS Client Kerberos Authentication Policies


This section assumes that the CIFS server and client have negotiated the use of Kerberos.

Explicit login: cifslogin


Kerberos authentication is implemented transparently in this command. Required Kerberos credentials (TGT and ST) are acquired from the KDC on behalf of the user and the Service Ticket (ST) is sent to the CIFS server within a SESSION_SETUP request. No special action is performed by the user.

Automatic login: Integration with System Kerberos Cache (kinit(1) and PAM Kerberos)
This feature allows users to access mounted CIFS servers without using cifslogin. If you have a pre-existing Ticket-Granting Ticket (TGT) in the system Kerberos cache, established with kinit(1) or PAM Kerberos, you can attempt to access the CIFS mountpoint directly (cd, ls, etc.). The CIFS Client uses the TGT to acquire a Service Ticket (ST) for the mounted CIFS server and performs a CIFS login, all in the background. It is unnecessary for you to explicitly invoke cifslogin in this case.

Ticket Lifetime
Maximum ticket lifetime is controlled by the configuration of the KDC. For cifslogin, the CIFS client requests a lifetime of 30 days for a TGT. Thus, the actual lifetime of a TGT issued to a CIFS client is the lesser of 30 days and the configured maximum at the KDC. For automatic login, the expiration time of a user's ST is equal to the expiration time of the TGT in the system cache.


Packet Signing
The purpose of the CIFS packet signatures is prevention of man-in-the-middle attacks: the client and server are mutually assured of the other's identity by requiring a unique signature on each SMB packet. The following terms are equivalent and are used interchangeably:

• security signatures
• packet signing
• packet signatures
• digital signatures
• message integrity
• message authentication codes (MACs)

Packet signing is performed on a per-server-connection basis. Once packet signing has been negotiated with a server, the first user login request and all subsequent SMB packets must be signed.

Configuring Packet Signing with HP CIFS Client

The configuration parameter, smbPacketSigning, specified in the HP CIFS Client configuration file indicates how the CIFS Client performs packet signing. Valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled. Packet signing is negotiated between the client and server when their initial connection is set up. The server's configuration can also be either enabled, required, or disabled. The client and server settings must be synchronized for the connection to succeed, as shown in Table 3-1.


Table 3-1  Configuration Options For smbPacketSigning

Valid Option    Description

enabled         HP CIFS Client connects with the CIFS server and signs packets if the server supports signing. HP CIFS Client connects with the CIFS server, but does not sign packets if the CIFS server does not support signing.

required        The CIFS server must support signing. The CIFS Client refuses to establish the connection with the CIFS server if the server does not support packet signing.

disabled        HP CIFS Client disables packet signing. If the CIFS server requires signing, the client is unable to connect with the server.
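The smbPacketSigning rules in Table 3-1, together with the authenticationMethod and guestRemoteUser settings described earlier in this chapter, can be checked mechanically. The script below is an added example, not part of the HP guide or product: it assumes a configuration file made of name = value; statements with # comments (the only syntax the guide shows), and its function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HP code. Assumes parameters are written "name = value;"
# and that "#" starts a comment, the only syntax the guide shows.

# cfg_get FILE NAME -> last value assigned to NAME (empty when unset)
cfg_get() {
    awk -v want="$2" '
        {
            sub(/#.*/, "")                 # strip the comment part of the line
            n = split($0, stmt, ";")       # statements end with ";"
            for (i = 1; i <= n; i++) {
                eq = index(stmt[i], "=")
                if (eq == 0) continue
                name = substr(stmt[i], 1, eq - 1)
                val  = substr(stmt[i], eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # also drops optional quotes
                if (name == want) found = val
            }
        }
        END { print found }
    ' "$1"
}

# signing_outcome CLIENT SERVER -> signed | unsigned | refused
# Table 3-1 from the client side, with the server using the same three settings.
signing_outcome() {
    for v in "$1" "$2"; do
        case "$v" in
            enabled|required|disabled) ;;
            *) echo "invalid setting: $v" >&2; return 2 ;;
        esac
    done
    case "$1:$2" in
        required:disabled|disabled:required) echo refused ;;
        disabled:*|*:disabled)               echo unsigned ;;
        *)                                   echo signed ;;
    esac
}

# audit_cifs_cfg FILE -> one finding per line; status 1 if anything is flagged
audit_cifs_cfg() (
    [ -r "$1" ] || { echo "cannot read $1" >&2; exit 2; }
    rc=0
    sign=$(cfg_get "$1" smbPacketSigning)
    sign=${sign:-enabled}                  # documented default
    case "$sign" in
        required) ;;
        enabled)  echo "WARN smbPacketSigning=enabled: connects unsigned when the server does not support signing"; rc=1 ;;
        disabled) echo "FAIL smbPacketSigning=disabled: packets are never signed"; rc=1 ;;
        *)        echo "FAIL smbPacketSigning=$sign: not enabled, required or disabled"; rc=1 ;;
    esac
    auth=$(cfg_get "$1" authenticationMethod)
    [ "$auth" = kerberos ] ||
        { echo "WARN authenticationMethod=${auth:-unset}: Kerberos is not selected"; rc=1; }
    guest=$(cfg_get "$1" guestRemoteUser)
    [ -z "$guest" ] ||
        { echo "WARN guestRemoteUser=$guest: users without a login reach shares as this account"; rc=1; }
    exit "$rc"
)

# Constructed sample input, not taken from a real system.
sample_cfg() {
    cat <<'EOF'
# constructed cifsclient.cfg fragment
authenticationMethod = kerberos;
smbPacketSigning = enabled;      # opportunistic signing
guestRemoteUser = "guest";
# smbPacketSigning = disabled;   (commented out, must be ignored)
EOF
}

# Run the audit over the constructed sample.
demo() (
    f=${TMPDIR:-/tmp}/cifs_audit_demo.$$
    sample_cfg > "$f"
    rc=0
    audit_cifs_cfg "$f" || rc=$?
    rm -f "$f"
    exit "$rc"
)
demo || :
```

Only required guarantees that a connection is never made without signatures; with enabled, the outcome depends on what the server offers.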


Chapter 4
Migrating From HP CIFS Client A.01 to A.02

HP CIFS Client A.02.* provides new features and requires only minimal configuration changes to update in most cases. However, there are some configuration parameter and command option differences between HP CIFS Client A.01.* versions and HP CIFS Client A.02.* versions. This chapter describes these differences and provides update procedures so that you can plan and upgrade your CIFS Client.

This chapter contains the following sections:

• Migrating from version A.01.* to A.02.* of HP CIFS Client on page 57.
• Functionality Differences Between HP CIFS Client A.01.* and A.02.* on page 60.
• Configuration Differences Between HP CIFS Client A.01.* and A.02.* on page 61.
• Command Option Differences Between HP CIFS Client A.01.* and A.02.* on page 65.


Migrating from version A.01.* to A.02.* of HP CIFS Client


Special Instructions For Users of HP CIFS Client Versions A.01.*
NOTE

These migration procedures are recommended for users who:

• may want to revert to an A.01.* version of the CIFS Client, or
• use a modified version of the CIFS Client configuration file, or
• utilize mount or user entries in the CIFS Client database

The configuration and user database files used in version A.01.* of CIFS Client are not recognized by version A.02.*. If you use an A.01.* version of the HP CIFS Client, and you have modified cifsclient.cfg, or if there are user or mount entries in the CIFS Client database, then follow the instructions below before updating any A.01.* version to any A.02.* version of the CIFS Client.

Preserving Data From A.01 Installations


In the following procedure, you save your configuration and database files. An ASCII listing of saved users and mounts in the database is also saved so that you can re-create these entries under A.02. See the reference for cifsdb, cifsmount, and cifslogin in Chapter 5, Commandline Utilities, on page 69 for detailed information on managing database entries in version A.02. Preserving these data also allows you to reuse them if you decide to revert to version A.01.

Follow the steps below to save your configuration and database files:

Step 1. Create the backup directory:
$ cd /var/opt/cifsclient
$ mkdir A.01_migration_files

Step 2. Save the configuration file to the backup directory. If you do not use a modified version of the configuration file, you may skip this step.
$ cp /etc/opt/cifsclient/cifsclient.cfg A.01_migration_files/A.01.cfg

Step 3. Use the cifslist -U command to generate an ASCII listing of saved user records in the database and to save it to the backup directory. If there are no user records in the database, you may skip this step (use cifslist -U to check). You can view this list as a reference when re-creating user database entries under version A.02.
$ cifslist -U > A.01_migration_files/A.01.udb.users.list

Step 4. Use the cifslist -M command to generate an ASCII listing of saved mount records in the database and to save it to the backup directory. If there are no mount records in the database, you may skip this step (use cifslist -M to check). You can view this list as a reference when re-creating mount database entries under version A.02.
$ cifslist -M > A.01_migration_files/A.01.udb.mounts.list

Step 5. Preserve the CIFS Client database to the backup directory. If you skipped steps 3 and 4 above, you may skip this step as well.
$ mv cifsclient.udb A.01_migration_files/A.01.ubd

NOTE

The CIFS Client database is encrypted, using among other elements, the inode of the database in the HP-UX filesystem. This is a security measure that prevents the database from being moved to a different computer. Hence, if you decide to revert to version A.01 of the CIFS Client, the inode number of the database must be preserved, else the CIFS Client is unable to decrypt the database. To ensure that the inode number is retained, the database must be backed up into the same logical volume, with the mv command. Do not use cp or any other UNIX command that changes the inode of the file. Use the mv command to back up the CIFS Client database.
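The inode requirement in this note can be enforced rather than assumed. The following is an added example, not part of the HP guide or product: a wrapper around mv that refuses to move the database across filesystems and confirms afterwards that the inode number is unchanged. The function names are hypothetical; the file names in the usage comment are the ones from step 5.

```shell
#!/bin/sh
# Added example, not HP code: back up the A.01 user database with mv and
# prove that the inode number survived.

# inode_of FILE -> inode number of FILE
inode_of() { ls -id "$1" | awk '{ print $1 }'; }

# fs_of PATH -> mount point of the filesystem that holds PATH
fs_of() { df -P "$1" | awk 'NR == 2 { print $NF }'; }

# move_keep_inode SRC DST
#   Moves SRC to DST only when both live on the same filesystem, then checks
#   the inode. Prints the inode number on success.
#   Exit status: 0 moved and verified, 1 refused (nothing touched),
#   2 moved but the inode changed.
move_keep_inode() (
    src=$1 dst=$2
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; exit 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; exit 1; }
    dstdir=$(dirname "$dst")
    [ -d "$dstdir" ] || { echo "no such directory: $dstdir" >&2; exit 1; }
    # Across filesystems mv degrades to copy-and-delete, which allocates a new
    # inode and removes the only copy the A.01 client could still decrypt.
    if [ "$(fs_of "$src")" != "$(fs_of "$dstdir")" ]; then
        echo "different filesystems, not moving: $src -> $dstdir" >&2
        exit 1
    fi
    before=$(inode_of "$src")
    mv "$src" "$dst" || exit 1
    after=$(inode_of "$dst")
    [ "$before" = "$after" ] ||
        { echo "inode changed: $before -> $after" >&2; exit 2; }
    echo "$after"
)

# Usage on the system described above (paths from step 5 of the guide):
#   cd /var/opt/cifsclient
#   move_keep_inode cifsclient.udb A.01_migration_files/A.01.ubd
```

Record the printed inode number with the backup so that it can be compared again after the file is moved back during a revert.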

Reverting to Version A.01


If you prefer version A.01 of the HP CIFS Client to A.02, use the following steps to revert to the most recent release of version A.01:

Step 1. Remove version A.02 (a system reboot will occur after the removal is completed):
$ swremove -x autoreboot=true -x mount_all_filesystems=false B8724AA

Step 2. Download the most recent release of version A.01 of the CIFS Client from http://software.hp.com.

Step 3. Install the downloaded CIFS Client depot. See Step 2: Installing HP CIFS Client and PAM Software on page 27 for detailed information on installation.

Step 4. If you preserved your old configuration file, in step 2 under the Preserving Data From A.01 Installations section above, restore it to /etc/opt/cifsclient.

Step 5. If you preserved your old database file, in step 5 under the Preserving Data From A.01 Installations section above, restore it to /var/opt/cifsclient. You must use the mv command to preserve your database file, as explained in step 5 under the Preserving Data From A.01 Installations section above.


Functionality Differences Between HP CIFS Client A.01.* and A.02.*

The following describes functionality differences between HP CIFS Client A.01.* and A.02.*:

• In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. The HP CIFS Client A.01.x or earlier versions log out the users when the last share is unmounted. The new behavior in version A.02.01 allows users to be automatically reconnected if the system administrator needs to unmount and remount a share.
• In HP CIFS Server A.02.01, the cifslist command displays state information in addition to shares and mountpoints information. The following is an explanation of State symbols in the output of cifslist:

For mounts:
M = Mounted
S = Saved in mount database
R = Read only

For users:
L = Logged in
S = Saved in user database


Configuration Differences Between HP CIFS Client A.01.* and A.02.*

Comments in Configuration File
In HP CIFS Client A.01.*, multiple comment tags were recognized. In HP CIFS Client A.02.*, the # character starts a comment; any text between a # character and the end of a line is a comment.

Configuration Parameter Differences

This section describes configuration parameter differences between HP CIFS Client A.01.* and A.02.* shown as follows. This section does not describe parameters that have not changed between versions A.01.* and A.02.*. This section shows a list of removed parameters, new parameters and parameter name changes in HP CIFS Client A.02.*. For detailed information about CIFS configuration parameters, see Configuration Parameters on page 103.

Removed Configuration Parameters

The following is a list of A.01.* configuration parameters which are no longer used in the HP CIFS Client A.02.*:

• runAsUser
• databaseFile
• mtabName
• maxOpenFiles

Parameter Name Changes

Table 4-1 shows a list of A.01.* configuration parameters which have been renamed in the HP CIFS Client A.02.*:

Table 4-1  Parameter Name Changes

A.01.*                 A.02.*
allowSaving            usersMayStoreSessionData
netbiosName            localNetbiosName
nfsAttributeCaching    nfsKernelCacheTime
authenticationLevel    authenticationMethod
dirDefaultLinks        fakedDirLinks
dirSize                fakedDirSize
guestUser              guestRemoteUser

New Configuration Parameters

The following is a list of new configuration parameters for the logLevels section in HP CIFS Client A.02.*:

• smbConnect
• uiTrace
• nbnsTrace
• diskarb
• authentication

The following is a list of new configuration parameters for the Global section in HP CIFS Client A.02.*:

• corefileLimit
• networkInterfaces
• bindUdpExplicitly
• pagePoolInitialSize

The following is a list of new configuration parameters for the nfs3 specific basis in HP CIFS Client A.02.*:

• cacheFiles
• cacheOpenFiles
• changeMicrosecondFileTimes
• nfsKernelCacheTime
• preferredPort

The following is a list of new parameters for the cifs specific basis in HP CIFS Client A.02.*:

• databaseParseInterval
• initialDataCaches
• initialDirCaches
• bindNbnsPort
• bindNbdgsPort
• lookupTryNetbios
• lookupTryDns
• nbnsWinsIp
• nbnsInitialTimeout
• nbnsTotalTimeout
• nbnsCacheTime

The following is a list of new parameters for the server specific basis in HP CIFS Client A.02.*:

• ntlmEncryptionVersion
• guestPassword
• allowHardLinks
• hardlinkUseRemoteCopy
• fileModeMask
• dirModeMask
• ctimeIsCreate
• smbPacketSigning


Command Option Differences Between HP CIFS Client A.01.* and A.02.*


This section describes command option differences between HP CIFS Client A.01.* and A.02.* shown in the following tables. These tables do not show command options that have not changed between versions A.01.* and A.02.*. For detailed information on the commands, see Chapter 5, Commandline Utilities, on page 69.

Table 4-2 shows a list of cifsmount command option differences between A.01.* and A.02.*.

Table 4-2  cifsmount

A.01.* | A.02.* | comments
-c <client netbios name> | configuration parameter only: localNetbiosName | Moved to the configuration file
-p <tcp port> | configuration parameter only: bindNbnsPort | Moved to the configuration file
-I <ip address or hostname> | configuration parameter ipAddress | Moved to the configuration file
configuration parameter domain only | -D <domain> | Implemented as -D option, and a configuration parameter in A.02.*


Table 4-3 shows a list of mount -F cifs command option differences between A.01.* and A.02.*.

Table 4-3  mount_cifs

A.01.* / A.02.* option | comments
-o nbname= | Moved to configuration file in A.02.*
-o port= | Moved to configuration file in A.02.*
-o domain= | New option in A.02.*
-o forcemnt | Removed in HP CIFS Client A.02.*; always true

Table 4-4 shows a list of cifslist command option differences between A.01.* and A.02.*. Table 4-4 cifslist A.01.* -r -s -s server, -m share -u server -A, -S -x -U, -M -m (no additional arguments) -u (no additional arguments) Removed in A.02.* New option in A.02.*. Removed in A.02.*; always true A.02.* comments New option in A.02.* New option in A.02.*.


Table 4-5 shows a list of cifslogin command option differences between A.01.* and A.02.*.

Table 4-5  cifslogin

A.01.* | A.02.* | comments
Username given in the command line | -U username | Can specify the username with or without -U option in A.02.*.
(none) | -D domain | New parameter in A.02.*, overrides the configured value.

Table 4-6 shows a new cifsdb command implemented in A.02.*.

Table 4-6  cifsdb

A.01.* | A.02.* | comments
(none) | cifsdb <server> |
(none) | cifsdb -d <server> |
(none) | cifsdb <mount_point> |
(none) | cifsdb -d <mount_point> |


Chapter 5
Commandline Utilities

This chapter provides details for the CIFS Client Commandline Utilities. The HP CIFS Client software package consists of the following programs:

cifsclient     Stop and start the CIFS client.
cifsmount      Mount a directory from a remote server.
cifslogin      Authenticates a user to the remote server.
cifsumount     Disconnect a local mountpoint from the server, if it is not mounted elsewhere.
cifslogout     Disconnect a user login session and disconnect the server shares from the specified server. After logging out, the user cannot access any files from that server.
cifslist       Lists connected servers, mountpoints, mounted shares, etc.
cifsdb         Add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically.
mount_cifs     Mounts the CIFS filesystem via mount (1M).
umount_cifs    Unmounts the CIFS filesystem via umount (1M).

Each of the utilities described above also accepts the options -h and -v if given as the only parameter. The option -h prints a short help to standard error and the option -v prints the current version numbers to standard output.


cifsclient
Synopsis
cifsclient {command}
cifsclient fuser [-v] mountpoint [...]
cifsclient force_umount {mountpoint [...]| -a}

Description
This shell script is used to start and stop the HP CIFS Client, and perform other useful tasks. Only users with root capabilities can invoke start, stop, restart, fuser, and force_umount (see also the -a option to klist and kdestroy). Any user can invoke status, klist, kdestroy, and ver. cifsclient without any additional command is equivalent to cifsclient start.

Commands
start
Starts the daemon.

stop
Shut down the daemon.

restart
Stop, sleep 1 second, start.

status
Display information about daemon.

klist [-a]
Display the contents of all of the invoking user's CIFS Client Kerberos credentials files. This command provides a shortcut that invokes klist(1) on all of the user's credentials files, automatically appending the -c {filename} option for each file. -a (recognized only for root) lists entries for all users. CIFS Client Kerberos credentials files will be present on the system only if the configuration parameter, rmTmpKerbCredFiles, has been set to no. The files are located in /var/opt/cifsclient/krb5_tmp.

kdestroy [-a]
Destroy all of the invoking user's CIFS Client Kerberos credentials files, using kdestroy(1). To destroy a single CIFS Kerberos credentials file, use kdestroy(1) directly, specifying the -c {filename} option. CIFS Client Kerberos credentials files are located in /var/opt/cifsclient/krb5_tmp. These files will be present on the system only if the configuration parameter, rmTmpKerbCredFiles, has been set to no. -a (recognized only for root) destroys all files for all users.

ver [-v]
Report version information. The following modifiers are also recognized:
-v Verbose: display what(1) strings for binaries, scripts and configuration files.

fuser [-v] mountpoint [...]
Run fuser -fu (see fuser(1M)) against the given CIFS filesystem mountpoint and each of its subdirectories. This is useful for determining which users are accessing the mount, in the event that unmounting fails with a Device busy message. You must be logged into the mounted CIFS fileserver for this command to be effective. -v produces verbose output (all subdirectories are shown), otherwise, only directories with active user processes are shown. NOTE: The execution time for this command is proportional to the number of entries in the mounted filesystems.

force_umount {mountpoint [...] |-a}
Forcibly unmount given mountpoints; this is an emergency procedure to be used only in case of failure of the standard umount commands: umount mountpoint or cifsumount mountpoint
-a Forcibly unmount all stale CIFS mounts.
Cannot be used unless the CIFS Client is down.

Files
/etc/opt/cifsclient/cifsclient.cfg
This file contains run-time configuration options for the HP CIFS Client. For detailed information see Chapter 7.

/var/opt/cifsclient/krb5_tmp/krb5cc_<server>_<uid>
Temporary CIFS Client Kerberos credentials file. <server> is the name of the CIFS server to which the user has been authenticated, <uid> is the decimal UID of the user.

See Also
cifsmount, fuser(1M), kdestroy(1), klist(1), mount_cifs, umount_cifs


cifsmount
You can use the mount command to execute the cifsmount command. See mount_cifs, umount_cifs on page 87 for the usage of the mount command. This section describes the usage of the cifsmount command.

Synopsis
cifsmount [<options>] //<server>/<share> <mountpoint>

Description
The cifsmount command is used to mount remote shares on the local file system. It mounts the share <share> from server <server> in the local file system at <mountpoint>. The mountpoint must exist. You are prompted for a password and the program uses the combination username/password to log in to the server. If you are already logged in to the given server, the password prompt is skipped. You can use the option -N to suppress password prompting. Only users with root capabilities can invoke the cifsmount command to mount filesystems.

Options
-r
Mounts as read-only filesystem.

-U <username>
Login on server as this user. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user that issues the cifsmount command. If you have a different user name at the server, you may use this option to set that name. It is ignored if you are already logged in at the server.

-D <domain>
Send this domain name to the CIFS server.

-P <password>
Password given in commandline. Use this option only if necessary, because all commandline parameters may show up in the output of the ps command. It gives you the possibility to pass a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.

-S
Reads the password from stdin. This option may be useful if you want to use cifsmount from a shell script or another program. The -P option is insecure for this purpose because the UNIX command ps can show the commandline parameters of running processes.

-N
Do not prompt for a password. This option may be used to avoid prompting for a password if you do not have a password.

-I <ipaddress>
Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.

-u
Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.

-f
Forces mount. When this option is used, the mount is done even if the server is not responding. No requests are sent to the server. Consequently, none of the parameters can be checked for validity.

-v
Print version information.

-s
Saves mount and password in database. Do not use unless you understand the security implications. HP CIFS Client can maintain a database of mounts, usernames, and passwords. This database is used at startup to re-establish stored mounts and to log in users on demand, even if you are not logged in at the client. This option may be useful for automounting and to run programs by cron that cannot ask the user for a password. Passwords are stored in the HP CIFS Client's user database file. It is possible to get the HP CIFS hash values of the passwords (which is functionally equivalent to the passwords themselves) out of this file, although the file itself is not sufficient. You can use this option safely only if you are the only one who has physical or root access to your machine or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.

Examples
The following command mounts the share entiredisk from the server bigserver at the local mountpoint /mounts/bigserver and mounts as read-only filesystem.

cifsmount -r //bigserver/entiredisk /mounts/bigserver

Files
Mount information saved with the cifsmount -s command is stored in the HP CIFS Client's database file, /var/opt/cifsclient/cfgdb.ppl. The path to this file is not configurable.

See Also
cifslogin, cifsumount, cifslogout, cifslist


cifslogin
Synopsis
cifslogin [<options>] <servername> [<username>]
cifslogin [<options>] //<servername>/<share>

Description
The cifslogin command is used to authenticate additional users at a server. Only authenticated users may access mounted files. Each user accesses the file at the server with his or her privilege status at that server. Because there must be a one-to-one (many-to-one) mapping from local users to remote user names, every user can log in only once at a given server. By default, cifslogin sends the user's login name to the server. You can specify the username using the -U option.

Options
-P <password>
Password given in commandline. Use this option only if you really have to, because all commandline parameters may show up in the output of the ps command. It gives you the possibility to pass a dynamically generated password to the server. The password is ignored if the user is already logged in at the server.

-U <username>
Login on the server as this user.

-D <domain name>
Specify the domain name that is sent to the server.

-S
Reads the password from stdin. This option may be useful if you want to use cifslogin from a shell script or another program. The -P option is insecure for this purpose because the Unix command ps can show the commandline parameters of running processes.

-N
Do not prompt for a password. This option may be used to avoid prompting for a password if you are already logged in at the server or if the user does not have a password.

-u
Enables plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if you are already logged in at the server.

-f
Forces login. When this option is used, the login is done even when the server is not responding. No requests are sent to the server. Consequently, none of the parameters can be checked for validity.

-s
Saves password in database. Do not use unless you understand the security implications. This option can maintain a database of mounts, usernames, and passwords. This database is used at startup to re-establish stored mounts and to log in users on demand, even if you are not logged in at the client. This option may be useful for automounting and to run programs by cron that have no possibility to ask the user for a password. Passwords are stored in the HP CIFS Client's user database file. It is possible to get the CIFS hash values of the passwords (which is functionally equivalent to the passwords themselves) out of this file, although the file itself is not sufficient. You can use this option safely only if you are the only one who has physical or root access to your machine or if you trust everyone who has this access. The HP CIFS Client does not store unencrypted passwords in the user database. If your server does not support encrypted passwords, you cannot use this option.

Examples
If local user steve has mounted a share from server bigserver, local user bill has no access to the mounted files because he is not logged in at the server. Bill, who has an account on bigserver under his real name miller, can do the following to gain access:

cifslogin bigserver -U miller

Bill will be prompted for a password and if it is correct, he will be given access to the share with the same privileges that user miller has on bigserver.

Files
Usernames and passwords are stored encrypted in the HP CIFS Client's user database file. The path to the user database file can be configured in HP CIFS Client's configuration file. The default path is /var/opt/cifsclient/cifsclient.udb.

See Also
cifsmount, cifsdb, cifslogout, cifslist


cifsumount
You can use the umount command to execute the cifsumount command. Both commands are shown below.

Synopsis
cifsumount [<options>] <mountpoint>
cifsumount -a

Description
The cifsumount command is used to unmount any shares mounted with cifsmount. Shares can only be unmounted by the user that mounted the share at the given mountpoint or the superuser. The second variant (with the -a option) unmounts all mounts that are currently served. In HP CIFS Server A.02.*, unmounting the last mount to a server does not log out any of the users logged in at the server. This allows users to be automatically reconnected if the system administrator needs to unmount and remount a share. Only users with root capabilities can invoke the cifsumount command to unmount filesystems.

Options
-a  Unmounts all CIFS filesystems.

-f  Forces unmount: Avoids requests to the server (useful if the server is down).

See Also
cifsmount, cifslist, mount_cifs, umount_cifs


cifslogout
Synopsis
cifslogout <servername>

Description
The cifslogout command is used to log the user who uses the command out of the server specified. After issuing cifslogout, the user cannot access any files from that server unless he or she is still stored in the user database.

See Also
cifslogin, cifslist


cifslist
Synopsis
cifslist [<options>]

Description
The cifslist command is used to view internal tables of HP CIFS Client. In HP CIFS Client A.02.*, the cifslist command without options will list all connected servers with shares and mountpoints information.

Options
-h  Prints short help and exits.

-u  Lists users only.

-m  Lists mounts only.

-x  Displays mounted objects using UNIX style format: server:/share.

-r  Prints raw output format.

-s <separator> Sets string used to separate table entries (recognized only when used with -r).

Sample cifslist Output


This section provides examples of cifslist output including the options, -x, -u and -m.


The sample output of the cifslist command is shown as follows:


$ cifslist
Mounted Object          Mountpoint              State
-------------------------------------------------------------
\\er721142\pub          /mnt/cifs_linux/00      M
\\er721141\pub          /mnt/cifs_nt/00         M
\\hpntc43\pub           /mnt/cifs_nt/01         MS
=============================================================
Server      Local User   Remote User   Domain       State
-------------------------------------------------------------
er721141    root         cifsuser                   L
er721142    root         john                       L
hpntc43     root         cifsuser      WORKGROUP    LS

In the above example, the cifslist command without any option displays servers with shares and mountpoints information. It uses the \\server\share format for mounted objects.

The following is an explanation of the State symbols in the output of cifslist:

For mounts:
M = Mounted
S = Saved in mount database
R = Read only

For users:
L = Logged in
S = Saved in user database

The following is a sample output of the cifslist -x command:
$ cifslist -x
Mounted Object          Mountpoint              State
-------------------------------------------------------------
er721142:/pub           /mnt/cifs_linux/00      M
er721141:/pub           /mnt/cifs_nt/00         M
hpntc43:/pub            /mnt/cifs_nt/01         MS
=============================================================
Server      Local User   Remote User   Domain       State
-------------------------------------------------------------
er721141    root         cifsuser                   L
er721142    root         john                       L
hpntc43     root         cifsuser      WORKGROUP    LS

In the above example, HP CIFS Client displays servers with shares and mountpoints information. It uses the UNIX format, server:/share, for mounted objects.

The following is an example output for the cifslist -u command:
$ cifslist -u
Server      Local User   Remote User   Domain       State
-------------------------------------------------------------
er721141    root         cifsuser                   L
er721142    root         john                       L
hpntc43     root         cifsuser      WORKGROUP    LS

The following is an example output for the cifslist -m command:


$ cifslist -m
Mounted Object          Mountpoint              State
-------------------------------------------------------------
\\er721142\pub          /mnt/cifs_linux/00      M
\\er721141\pub          /mnt/cifs_nt/00         M
\\hpntc43\pub           /mnt/cifs_nt/01         MS

In the above example, HP CIFS Client uses the \\server\share format for mounted objects.
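The State column is what shows whether a mount or a login has been saved for automatic re-establishment. As an added example (not part of the HP guide or of the CIFS Client), the following Python parses the table output shown above, in either the \\server\share or the server:/share form, and lists the entries marked S. The function names and the rule that no field contains white space are assumptions; the input is the guide's sample output, re-aligned.

```python
import re

# State symbols as listed in this guide.
MOUNT_STATES = {"M": "mounted", "S": "saved in mount database", "R": "read only"}
USER_STATES = {"L": "logged in", "S": "saved in user database"}

# Constructed input: the guide's sample `cifslist` output, re-aligned.
SAMPLE = r"""
Mounted Object       Mountpoint            State
-------------------------------------------------------------
\\er721142\pub       /mnt/cifs_linux/00    M
\\er721141\pub       /mnt/cifs_nt/00       M
\\hpntc43\pub        /mnt/cifs_nt/01       MS
=============================================================
Server     Local User   Remote User   Domain      State
-------------------------------------------------------------
er721141   root         cifsuser                  L
er721142   root         john                      L
hpntc43    root         cifsuser      WORKGROUP   LS
"""


def split_object(obj):
    # Accepts \\server\share (default output) and server:/share (cifslist -x).
    m = re.fullmatch(r"\\\\([^\\]+)\\(.+)", obj) or re.fullmatch(r"([^:/]+):/(.+)", obj)
    if m is None:
        raise ValueError(f"unrecognised mounted object: {obj!r}")
    return m.group(1), m.group(2)


def check_state(state, legend):
    unknown = set(state) - set(legend)
    if unknown:
        raise ValueError(f"unknown state symbol(s) {sorted(unknown)} in {state!r}")
    return state


def parse_cifslist(text):
    """Parse table output of cifslist (default, -x, -u or -m) into (mounts, users).

    Assumption: no field contains white space; a four-column user row is read
    as having an empty Domain, as in the guide's sample.
    """
    mounts, users, section = [], [], None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "$" or set(line.strip()) <= {"-", "="}:
            continue                                  # blank line, prompt or ruler
        if fields[:2] == ["Mounted", "Object"]:
            section = "mounts"
        elif fields[:3] == ["Server", "Local", "User"]:
            section = "users"
        elif section == "mounts" and len(fields) == 3:
            server, share = split_object(fields[0])
            mounts.append({"server": server, "share": share, "mountpoint": fields[1],
                           "state": check_state(fields[2], MOUNT_STATES)})
        elif section == "users" and len(fields) in (4, 5):
            users.append({"server": fields[0], "local_user": fields[1],
                          "remote_user": fields[2],
                          "domain": fields[3] if len(fields) == 5 else "",
                          "state": check_state(fields[-1], USER_STATES)})
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return mounts, users


def saved_entries(mounts, users):
    """Entries the client re-establishes on its own: State contains S."""
    return ([m for m in mounts if "S" in m["state"]],
            [u for u in users if "S" in u["state"]])


if __name__ == "__main__":
    saved_mounts, saved_logins = saved_entries(*parse_cifslist(SAMPLE))
    for m in saved_mounts:
        print(f"saved mount: {m['server']}:/{m['share']} on {m['mountpoint']}")
    for u in saved_logins:
        print(f"saved login: {u['local_user']} -> {u['remote_user']}@{u['server']} "
              f"(password hash kept in the user database)")
```

Every login reported here corresponds to a password hash held in the user database file, which the guide describes as functionally equivalent to the password.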


cifsdb
Synopsis
cifsdb [-d] {<mount_point|server>}

Description
The cifsdb command is used to add, modify and delete entries in CIFS Client databases. The entries allow CIFS mounts and logins to be performed automatically, as described below.

CIFS Mounts

If a shared directory on a CIFS server has been mounted at mount_point, then cifsdb mount_point saves the mount-point, server, shared-directory names, and other pertinent information in the CIFS Client mount database file, /var/opt/cifsclient/cfgdb.ppl, such that the mount can be re-established automatically whenever the CIFS Client is started. If an entry already exists for this mount-point in the database, it is replaced. mount_point must be an absolute path. Only users with root privileges may manage CIFS mounts database entries. The HP CIFS Client supports similar functionality through the standard UNIX /etc/fstab mechanism; see "Using /etc/fstab" on page 36 or fstab(4) for details.

CIFS Logins

If a user has established a CIFS login session at server through the NTLM authentication protocol, then if that user invokes cifsdb server, the NTLM hash of the user's password and other information pertinent to the login session are encrypted and then saved in the CIFS Client user database, cifsclient.udb, such that the user can subsequently be automatically logged in to server. If an entry already exists for this user-server pair in the database, it is replaced.

For CIFS logins that have been authenticated with Kerberos, users' NTLM password hashes are not saved in the CIFS Client user database. You can establish automatic CIFS logins with Kerberos through kinit(1) or PAM-KERBEROS, as described in Chapter 3, "CIFS Security and Authentication," on page 41.

Options
-d {<mount_point|server>} Delete the corresponding entry for this mount_point or server from the database. Neither the mount nor the login needs to be active for the entry to be deleted.

Files
/var/opt/cifsclient/cifsclient.udb  CIFS user database file
/var/opt/cifsclient/cfgdb.ppl  CIFS mount database file

See Also
cifsmount, cifslogin, cifslist


mount_cifs, umount_cifs
Mounts and unmounts CIFS file systems. This section describes the usage of the mount and umount commands when the CIFS filesystem is specified for the FS type.

Synopsis
mount -F cifs [-ar] [-o fs_specific_option[,...]] [server:/share mount_point]

umount -aF cifs | mount_point

Description
The mount command mounts file systems. Only a superuser can mount file systems. Other users can use mount to list mounted file systems. Use cifslist to view CIFS-specific mounts and user connections.

The mount command attaches server:/share to mount_point. server is a remote system. share is a directory on this remote system and mount_point is a directory on the local file tree. mount_point must already exist, and be given as an absolute path name. It will become the name of the root of the newly mounted file system.

If mount is invoked without any arguments, it lists all of the mounted file systems from the file system mount table, /etc/mnttab.

The umount command unmounts currently-mounted file systems. Only a superuser can unmount file systems. In HP CIFS Server A.02.01, unmounting the last mount to a server does not log out any of the users logged in at the server. This new behavior allows users to be automatically reconnected if the user needs to unmount and remount a share.

Options
-F cifs  Filesystem-specific identifier. Always required for mounting and unmounting CIFS file systems, except for the command form umount mount_point.

-a  Used with mount, mounts all CIFS filesystems that have entries in /etc/fstab. Used with umount, unmounts all currently mounted CIFS file systems.

-r  Mounts as read-only.

-o  This class of options is specified with the following syntax:

-o keywrd[,keywrd...],keywrd=value[,keywrd=value...]

Some keywords are specified as keyword/value pairs, some are not. -o options must be delimited by commas; no white space is allowed. For example:

-o ro,username=fulton,password=pokey

Following are the -o options to mount supported by the CIFS Client (keywords that require values are indicated by "keyword=value"):

ro  Mount as read-only filesystem.

domain=domain  Send this domain name to the server.

username=name  Username sent to server. By default, the HP CIFS Client accesses the server under the same user name as the login name of the user. If you have a different user name at the server, you may use this option to set that name. It is ignored if you are already logged in. Must be used with the password option.

password=passwd  Password for username given in commandline. Use this option only if you really have to, because all commandline parameters may show up in the output of the ps command. This makes it possible to pass a dynamically generated password to the server. Password is ignored if the user is already logged in at the server. Must be used with the username option.

ipaddr=ipaddress  Use only this IP address to connect to the server. This setting causes the CIFS Client to bypass all name-resolution procedures for this mount request, and supersedes any corresponding entry configured in cifsclient.cfg.

plaintxt  Enable plain text passwords. The HP CIFS Client refuses to send passwords in plain text to the server by default because this is a security risk. There are tools available that sniff the network for plain text passwords. If you really must send the password in plain text (e.g., because your server does not allow password encryption), you can enable it with this option. It is ignored if the user is already logged in at the server.

Files
/etc/mnttab  Table of mounted file systems.
/etc/fstab  List of default parameters for each CIFS file system.

See Also
mount(1M), umount(1M), cifslogin, cifsumount, cifslogout, cifslist


Troubleshooting and Error Messages


This chapter includes information about problems that you may encounter when using the HP CIFS client and explanations of error messages that might occur with HP CIFS commands.

Troubleshooting FAQs
Troubleshooting Kerberos in the HP CIFS Client
Troubleshooting cifsmount or mount in the HP CIFS Client
CIFS Client Log File and Log Levels


Troubleshooting FAQs
This section includes commonly asked questions about HP CIFS.

How to Shutdown the Daemon with cifsclient stop


You should never kill the daemon process directly. Although HP CIFS tries to unmount all mounted shares, it may not be successful and the stale mounts will become unusable and cause problems. The correct way to do it is with cifsclient stop. Refer to Step 4, Starting and Stopping the Client in chapter 2 in this manual for more detailed information about cifsclient stop.

What to Do if the Daemon Terminates


If the daemon terminates, all shares served by HP CIFS will immediately become unusable. Every access will hang until the NFS timeout (configured in the configuration file) elapses. You can probably get away without rebooting if you immediately terminate all processes using the mounts, change all current directories from within the mounts and then use the cifsclient force_umount <mountpoint> command to unmount the stale mounts. Report the event to HP Technical Support and describe how the problem can be reproduced.


Troubleshooting Kerberos in the HP CIFS Client


cifsTrace, authentication log levels

Informative log messages will be produced by Kerberos processing in the HP CIFS Client log file if the cifsTrace and authentication log levels are enabled.

Temporary credentials files

When Kerberos authentication is used, the HP CIFS Client utilizes a temporary file to store the user's credentials during login processing. There is one temporary credentials file per user per server. Kerberos tickets are not reused by the HP CIFS Client. Hence, when the user's login processing is completed, the temporary file is removed.

For troubleshooting, the temporary credential files can be preserved by setting the configuration variable rmTempKerbCredFiles to no. You can then examine and remove the files with the standard Kerberos Client utilities, klist(1) and kdestroy(1). Use the -c cache_filename option with these commands, specifying filenames in the following form:

/var/opt/cifsclient/krb5_tmp/krb5cc_servername_uid

where servername is the CIFS server and uid is the user's Unix uid on the local HP-UX host on which the CIFS Client is running.

As a convenience, the cifsclient control script can also be used to operate on these credentials files without referring to file or path names. Enter cifsclient -h for a syntax summary.

Basic Kerberos functionality

If you suspect that basic functionality of your Kerberos infrastructure is not working properly, repeat the verification checks in step 2.

If you wish to set authenticationMethod for specific servers to a value different from the global setting in the default Server section of the configuration file, you can create server-specific options in the servers section. The servers section of the configuration file is discussed near the end of Chapter 7, and the configuration file itself contains a sample servers entry.


Troubleshooting cifsmount or mount in the HP CIFS Client


This section includes information about problems that you may encounter when using the cifsmount or mount command to mount a share on a CIFS server and actions you may take to correct the problems.

What to Do if the HP CIFS Client DLKM is Unused


You may encounter the following error messages when running the cifsmount or mount command to mount the CIFS filesystem:

$ cifsmount -U <user> -P <password> //<server>/<share> \
/<mount-point>
ERROR: UNIX: No such device

or

$ mount -F cifs <server>:/<share> /<mount-point>
ERROR mount: cifs : Invalid argument
usage: mount [-l][-v|-p]
mount [-F FStype][-eQ] -a
mount [-F FStype][-eQrV][-o specific_options] { special | directory }
mount [-F FStype][-eQrV][-o specific_options] special directory

To resolve the above errors, first ensure that all the command-line arguments are correct and the CIFS server is up, then use the following command to check the CIFS Client Dynamically Loadable Kernel Module (DLKM) state:

$ kcmodule cifs

If the CIFS Client DLKM state is unused, the following output message is displayed:

Module  State   Cause  Notes
cifs    unused         auto-loadable,unloadable

After you verify that the CIFS Client DLKM state is unused, you can use the following command to change the CIFS Client DLKM state to auto, so the CIFS Client DLKM can be loaded. The command and output message display are shown as follows:

$ kcmodule cifs=auto
* The automatic backup configuration has been updated.
* The request changes have been applied to the currently
* running system.
Module  State            Cause     Notes
cifs    (before) unused            auto-loadable,unloadable
        (now)    auto    explicit

The auto state will enable the CIFS Client DLKM to be dynamically loaded when the first cifsmount or mount command over the CIFS share is performed.

What to Do if You Encounter the Error Message: Device Busy


You may encounter the device busy error message when running the cifsmount or mount command to mount the CIFS filesystem. To resolve this type of error, check whether the CIFS filesystem mountpoint is tied to any process by running the fuser -fu mountpoint (see fuser(1M)) or cifsclient fuser [-v] mountpoint command against the given mountpoint and each of its subdirectories. This is useful for determining which processes are accessing the mount, in the event that mounting fails with a device busy message. Terminate the processes tied to the mountpoint, then run the cifsmount or mount command again.


CIFS Client Log File and Log Levels


The CIFS Client produces a log file of its activities, in the directory /var/opt/cifsclient/debug. Each time the client starts, it creates a new log file, named client-log.pid, where pid is the HP-UX process id of the CIFS Client daemon, cifsclientd.

Normally, the log file records only errors or warnings. But, many log levels can be enabled for checking activities of various modules within the CIFS Client. If you report a problem to HP, your support representative may ask you to enable one or more log levels. This is done by editing the CIFS Client configuration file, /etc/opt/cifsclient/cifsclient.cfg, and uncommenting the particular log level, by removing the preceding # character and saving the file. You do not need to restart the CIFS Client for it to recognize the newly enabled (or disabled) log levels.

Note that increased logging consumes more disk space and slows the performance of the CIFS Client. Hence, when you do not need logging, it is best to disable it. Refer to the cifsclient.cfg.default file for recommended default operating log levels.

If a log size reaches 50 Megabytes, it is copied with .prev appended to its name, and a new log is started. If the new log reaches 50 Megabytes, it is copied with .prev appended, overwriting the previous one.


Configuration File
The default configuration file should work without modifications. Please be sure you understand the effects of any changes before you decide to modify the configuration file.


The configuration file is parsed by the HP CIFS Client daemon at startup and when edited. Although it is re-read by the running daemon, not all configuration changes will work immediately. Most options are read into internal variables when they are used. The server configuration, for instance, is transferred into internal structures when a connection to the server is opened. Therefore, if a change to the server configuration is made, you must first unmount all shares and log out all users from that server. The configuration file for the HP CIFS Client is /etc/opt/cifsclient/cifsclient.cfg.

NOTE

The CIFS Client configuration file, cifsclient.cfg, used for HP CIFS Client A.01.* is not valid for HP CIFS Client A.02.*. For detailed information on how to update any A.01.* version to any A.02.* version of the CIFS Client, see "Migrating from version A.01.* to A.02.* of HP CIFS Client" on page 57 in Chapter 4.


General Structure
Configuration files are built from the following simple syntactic structures:

comments
strings
arrays
dictionaries

The # character starts a comment; any text between a # character and the end of a line is a comment.

# comment to end of line

Strings, arrays and dictionaries are classified by the generic term "property".

Strings are sequences of alphanumeric characters, including the underscore. If a string should consist of other characters like spaces, it must be quoted in double quotes. Within double quotes, the same escape sequences as in C strings can be used. There is no separate syntax for numeric arguments. Numeric arguments are regarded as strings and converted when used.

Arrays are ordered lists of other properties. An array is delimited by parentheses and the properties constituting the array may be separated by commas. The following example is an array consisting of several string elements:

(1, 2, 3, hello, "how are you")

Dictionaries are unordered lists of named properties. These lists are delimited by curly braces. Each dictionary entry consists of a left-hand side (key), which must be a string, an equal sign, and a right-hand side (value) which may be any property. Entries may be separated by semicolons. The following is an example of a dictionary consisting of three entries named property1 to property3, where the first one has a string value, the second an array value, and the third a dictionary value:

{
    property1 = "value of property1";
    property2 = (value, of, property2);
    property3 = {
        firstWord = value;
        secondWord = of;
        thirdWord = property3;
    };
}

The configuration file itself is a dictionary (the surrounding curly braces are optional because other properties are not allowed). The keys at the top level are the names of the configuration variables.

Properties that have been parsed as strings may be interpreted in one of the following ways:

string
number
enumeration
boolean

String needs no further explanation. Numbers are interpreted in decimal, unless they are prefixed with 0 (meaning octal), or 0x (meaning hexadecimal). Enumerations are strings from a predefined set of strings. Boolean variables are a special case of enumeration where the set consists of the strings yes and no.


Configuration Parameters
The following is a list of all variables that may be configured for the three basic sections: main, nfs3, cifs.

logLevels

The value of this variable is an array enumerating all logging modes that are active. The number in square brackets identifies the messages of the respective logging mode in the log file. A logging mode is a string out of the following set:

[0] info  Logging of informational messages. Should be turned on.

[1] error  Logging error messages. Should be turned on.

[2] debug  General debug messages. Used only during debugging.

[3] resource  Messages about allocation and deallocation of objects. Used only during debugging.

[4] netbiosError  Logging error messages from the Netbios layer. Should be turned on, unless too many errors occur. This is separated from general error logging because not all of Netbios is implemented in HP CIFS Client, and the unimplemented features result in Netbios error messages.

[5] netbiosDebug  Debug messages from the Netbios layer. Used only during debugging.

[6] netbiosTrace  Generates hex-dumps of all outgoing and incoming Netbios traffic. This is very useful during debugging but should be turned off for normal operation.

[7] nfsTrace  Provides detailed information about all NFS requests done by the kernel and the respective return values. It is very useful for debugging NFS but should be turned off for normal operation.

[8] rare  Logging of rare conditions. Used only during debugging.

[9] cacheDebug  Debugging of the cache's operation. Used only during debugging.

[10] cifsTrace  Logging of all CIFS commands issued and the respective return values. Very useful together with netbiosTrace for debugging, but should really be turned off during normal operation.

[11] oplock  Debugging of opportunistic lock mechanism. Used only during debugging.

[12] warn  Warnings of any kind, mostly used by the configuration file parser. Should be turned on.

[13] smbSequence  Debugging messages about the order of HP CIFS requests and the respective messages. Used only during debugging.

[14] debugAttributes  Debugging of file attribute routines. Useful only during debugging.

[15] smbConnect  Debugging of server connection and disconnection messages for NetBIOS. Useful only during debugging.

[16] uiTrace  Generates hex-dumps of the communication with user interface. This is useful during debugging but should be turned off for normal operation.

[17] nbnsTrace  Generates hex-dumps of all NetBIOS name service traffic. This is useful during debugging but should be turned off for normal operation.

[18] diskarb  Debugging of disk arbitration. Useful only during debugging.

[19] authentication  Debugging of CIFS authentication details. Useful only during debugging.

The default logging modes are info, error, netbiosError, warn, smbConnect. The default logging setting is as follows:

logLevels = (
    info,
    error,
    # debug,
    # resource,
    netbiosError,
    # netbiosDebug,
    # netbiosTrace,
    # nfsTrace,
    # rare,
    # cacheDebug,
    # cifsTrace,
    # oplock,
    warn,
    # smbSequence,
    # debugAttributes,
    smbConnect,
    # uiTrace,
    # nbnsTrace,
    # diskarb, # disk arbitration
    # authentication,
);

The log file records only errors or warnings. But, many log levels can be enabled for checking activities of various modules within the CIFS Client. If you report a problem to HP, your support representative may ask you to enable one or more log levels. This is done by editing the CIFS Client configuration file and uncommenting the particular log level, by removing the preceding # character of the logging mode and saving the file. Note that increased logging consumes more disk space and slows the performance of the CIFS Client. Hence, when you do not need logging, it is best to not change the default logging setting, unless your support representative asks you to enable it.

cfgParseInterval

HP CIFS Client can reparse the configuration file while running. For this feature to work, the HP CIFS Client must poll the file regularly. The variable cfgParseInterval defines the time of this poll cycle in milliseconds. The default is 5000. Parameters that are negotiated upon connection to the server will not reflect changed configuration values until all shares on the server are unmounted and a new connection is established, whereas other changes take effect within the time specified in cfgParseInterval.

sockMode
sockOwner
sockGroup

File access mode and ownership for the UNIX domain socket that is used for communication between the HP CIFS Client daemon and the command line utilities. The access mode may be given in octal notation, if prefixed with a leading 0; in hexadecimal notation if prefixed with a leading 0x; or in decimal notation if not prefixed with any of the above. Owner and group may be given by name or as numeric id. Do not set these values to anything other than mode=0600 and owner=root unless you really know what you are doing. The file access modes of this UNIX domain socket are used to provide secure authentication of the user that requests a service to the daemon. If these variables are not configured from the file, they default to the correct values.

pidFile

HP CIFS Client can maintain a file with the process id of the daemon, if desired. If this variable is defined, it is interpreted as the path of the file where the pid should be stored. If this variable is not defined, no such file is created.

usersMayStoreSessionData

The system administrator can control whether users can store passwords in the user database, cifsclient.udb, through the usersMayStoreSessionData parameter. This database can be used to establish automatic user logins to the CIFS server. Users with root privileges can store mounts or their own passwords, regardless of how this parameter is set. Setting it to no disables storing. The default setting is yes.

caseConvertFile

This variable configures the path to the case conversion table. This file defines the mapping to upper and lower case for all unicode characters. The default is to use no table file and retain the default ISO 8859-1 mapping. A mapping file derived from the Unicode standard is part of the HP CIFS Client distribution. You can find it at unitables/unicase.cfg.

serverCharMapFile

This variable configures the path to the character mapping file for the server. This file is only used when client and server do not agree on using Unicode. It defines the mapping from the internal Unicode representation to the ASCII strings sent to the server (and vice versa). The default is a codepage 437 mapping, which is the US-Latin DOS character set. Mapping files for various character sets are distributed with HP CIFS Client in the directory unitables.

clientCharMapFile

This variable configures the path to the character mapping file for the client. This file defines the mapping from internal Unicode representation to the ASCII strings seen at the client. Together with the serverCharMapFile, any conversions between server and client character code can be accomplished. These tables can be used to compensate for vendor-specific character sets and to cope with various national character sets such as JIS and ShiftJIS for Kanji, etc. The default is ISO 8859-1 mapping.

uniTableCompressBlocks

This integer variable customizes the compression of the Unicode table. A higher value reduces conversion speed but improves memory efficiency. Values higher than the number of contiguous unused code blocks have no effect. The default is 3.

corefileLimit

This integer variable defines the maximum core dump size in megabytes (1024 * 1024 bytes) the daemon creates. To disable core dumps, set this value to 0. The default value is 500 (in megabytes).

networkInterfaces

This variable defines network interfaces. The syntax is an array of strings. Each string consists of the IP address of an interface, a slash and the number of bits used for the network address (this is a variant of specifying the netmask). If you attempt to configure this variable, consider using the bindUdpExplicitly variable, too. For example,

networkInterfaces = (192.168.1.21/24, 192.168.2.23/24)

bindUdpExplicitly

If this variable is set to yes, HP CIFS Client binds UDP ports to all networks explicitly. Otherwise, it binds to address 0.0.0.0, a wildcard for all network interfaces installed. Binding explicitly may be required on operating systems which do not handle the source IP address of broadcasts correctly if there are multiple network interfaces. Please note that HP CIFS Client has to use the socket option SO_REUSEADDR and does not get an error if it binds to the same socket as Samba. You may have to change the default bind port for bindNbnsPort and bindNbdgsPort if you use this option. By default, this parameter is set to no.

pagePoolInitialSize

This integer variable defines the number of 8k pages of virtual memory that is allocated in advance for every share. The default value is 128.

Chapter 7

109

Conguration File Conguration Parameters

nfs3

This section defines a default behavior which can be overridden by specific configurations. The NFS3 section contains the following parameters:

cacheFiles
This variable defines the number of files cached by NFS handle. The default is 500.

cacheOpenFiles
This variable defines the number of files that can be kept open even if they are not currently accessed. The default is 20.

changeMicrosecondFileTimes
This boolean variable determines whether the microsecond part of file modification dates is changed on each access. Changing the modification date effectively disables the kernel's NFS cache. The default is no.

fakeDirLinks
This variable defines the number of hard-links displayed for directories if the backend cannot provide a valid value. The default is 2.

fakeDirSize
This variable defines the size displayed for directories if the backend cannot provide a valid value. It should be set to a multiple of the block size.

mnttabPrefix
This boolean variable is used to specify whether the identifier [cifs] is prefixed to listings of mounted CIFS file systems in /etc/mnttab and the output of mount(1M) and bdf(1M). If mnttabPrefix is set to no, the standard UNIX format is used; if it is set to yes, the format is "[cifs]server:/share". The default setting is no. The format with which the mounted filesystem is displayed depends on the setting of mnttabPrefix at the time the filesystem is mounted. To change the format after the filesystem has been mounted, you must unmount and remount the filesystem.

nfsKernelCacheTime
The NFS kernel cache is kept for this amount of time (in seconds). This variable can enable kernel caching by NFS, which improves performance of certain types of operations by reducing the number of calls sent over the network. The default setting is 0 seconds.

lookupStrategy
As you probably know, the HP CIFS Client maps between NFS requests and SMB/CIFS requests. On the NFS side, files are referenced by unique identifiers, called NFS file handles. On the HP CIFS side, files are referenced simply by their path. The HP CIFS Client must be able to determine the path given an NFS file handle. There are two strategies available to do this:

    pseudoInode
    This strategy derives the NFS file handle as a hash value from the path. The hash is chosen in a way that makes efficient lookups possible, as long as the depth of the file in the directory hierarchy is lower than 27. The advantage of this strategy is the low memory consumption: files can be looked up on demand, nothing has to be stored. The main disadvantage is that NFS file handles change when files are renamed. This leads to a conflict with UNIX semantics when open files are renamed: after renaming, the handle of the open file is stale and the file cannot be accessed without reopening. It also conflicts with a bug in the caching code of the Solaris NFS client where the writeback occurs only after closing the file, not during closing the file.

    database
    In this strategy all NFS file handle to file path relations are stored in an internal database. This is the most secure and most compatible approach. The disadvantage is that all this information must be kept in memory. The HP CIFS Client needs about 500kB more real memory and about 10MB more virtual memory for each share that uses this strategy. The database strategy is the default.


nfsTimeout
This integer variable defines the initial timeout in 1/10 seconds that is used by the kernel when it requests data from HP CIFS Client. This value is doubled on each retry. Together with nfsRetransmit, this defines the absolute timeout for NFS requests. A value of 50 (5 seconds) avoids frequent retries of already running (slow) requests and ensures a total timeout of about 2 minutes. This should be sufficient even for the slowest devices and links. If you use a jukebox, it may also be necessary to increase requestTimeout.

nfsRetransmit
This integer variable defines the number of retries the kernel attempts when HP CIFS Client does not reply in time. The timeout starts with nfsTimeout and is doubled on each retry. Retransmissions should not be necessary, because HP CIFS Client should not lose any requests. However, if your system's NFS client puts high loads on NFS servers and has small maximum socket buffer sizes, requests can get lost due to buffer overflows. A value of 5 (which is also the default) should be a good choice. You may want to experiment with nfsTimeout to get the optimum performance even with frequent buffer overflows.

nfsSockRxBuf
This integer variable sets the receive buffer size of the socket used to communicate with the kernel. If the value given is out of the acceptable range for your machine, the HP CIFS Client automatically limits the range. Increase the buffer size if you have extremely slow writes.

nfsSockTxBuf
This integer variable sets the transmit buffer size of the socket used to communicate with the kernel. It should not be necessary to set an explicit buffer size.

nfsTransferSize
This integer variable defines the maximum block size used in data transfer between the kernel and HP CIFS Client. The maximum allowed value is 8k (8192). It may be necessary to reduce the value if the NFS socket has frequent overflows, as may be the case with AIX 3.x. It is useful to use only powers of 2 as block sizes. The default is 8192.

preferredPort
This integer variable defines the port number that HP CIFS Client attempts to use for NFS. If this port is not available, the HP CIFS Client chooses a free one. It is good to have a constant port for NFS because it allows a restarted daemon to take over the mounts of a previous incarnation. The port number must be below 1024 if not all local users are trusted.


cifs

The structure of CIFS has its mirror in the multitude of options for CIFS configurations. This section defines a default behavior which can be overridden by specific configurations. The CIFS section contains the following parameters:

dataCacheSize
This integer variable defines the number of bytes spent per data cache. The value of this variable should be a multiple of 8k.

databaseFile
This variable configures the path to the user database file. It stores the user passwords and the registration key. The default is /var/opt/cifsclient/cifsclient.udb.

databaseParseInterval
HP CIFS Client can re-parse the user database file if it changes. For this function to work, HP CIFS Client must poll the file regularly. The databaseParseInterval variable defines the time of this poll cycle in milliseconds. If you set this variable to 0, the user database file is only parsed once during startup. The default value is 10000.

domain
This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string suitable for all known servers.

initialDataCaches, initialDirCaches
These two integer variables define the number of caches that are allocated for directories and data files at startup. The default for both variables is 8.

bindNbnsPort
This variable defines the port number to which HP CIFS Client sends NetBIOS name service requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 137.

bindNbdgsPort
This variable defines the port number to which HP CIFS Client sends NetBIOS datagram requests. If the port number specified is not available, HP CIFS Client reverts to a random free port. The default is 138.

lookupTryNetbios
This boolean variable configures whether NetBIOS broadcast is enabled. WINS is a feature of the NetBIOS name server. To enable WINS lookup, you must set this variable to yes and specify the nbnsWinsIp variable with the IP address of the WINS server. The CIFS servers to which you want to connect must be registered with the WINS server. By default, this parameter is set to yes.

lookupTryDns
This variable configures whether Domain Name Server (DNS) lookup is enabled. The default setting is yes.

fileCreateMask
This variable allows you to specify a mask for the UNIX permissions mode of a file upon creation. The actual mode of the new file will be the result of the logical OR of the mask and the default mode for the operation. The default value of fileCreateMask is 0, which does not affect the file creation mode. This setting is useful only with CIFS servers that use CIFS UNIX extensions. Windows servers do not support UNIX file permissions. Refer to the man page umask(1) for more information.

allowBackslashesInPaths
This is a boolean variable with default setting no. When this parameter is set to yes, DOS-style backslashes can be used to refer to paths on CIFS servers. The first backslash in the path must refer to a file or subdirectory at least one level below the root of the share, and backslashes must be protected from interpretation by the shell. For example, the following path references are recognized:
    /local_mountpoint/dir_at_top_level_of_share\subdir\file
    /local_mountpoint/dir_at_top_level_of_share\\subdir\\file
but this is not valid:
    /local_mountpoint\dir_at_top_level_of_share\subdir\file
The standard UNIX forward-slash path delimiter is always recognized:
    /local_mountpoint/dir_at_top_level_of_share/subdir/file

nbnsWinsIp
This string variable defines the IP address of the WINS server. If there is no WINS server in your network, set this variable to an empty string.

nbnsInitialTimeout, nbnsTotalTimeout
The nbnsInitialTimeout variable defines the initial timeout in milliseconds that is used by the NetBIOS name service operations. This value is doubled on each retry. The nbnsTotalTimeout variable defines the maximum timeout in milliseconds that is waited for a NetBIOS name service operation to succeed. If it exceeds the maximum timeout, the operation fails with a timeout error. By default, nbnsInitialTimeout is set to 100 and nbnsTotalTimeout to 1200.

nbnsCacheTime
The NetBIOS name lookups are cached for this amount of time (in milliseconds).

scopeID
This string variable defines the NetBIOS name scope of the client. If it is not defined, no scope ID is used. If you do not know what a scope ID is, you do not need one.

rmTmpKerbCredFiles
When Kerberos authentication is used, the CIFS Client uses a temporary file to store the user's credentials during login processing. There is one temporary credentials file per user per server. Kerberos tickets are not reused by the CIFS Client, thus when the user's login processing is completed, the temporary file is removed. If required for troubleshooting, these files can be preserved by setting this variable to no. The files are located in /var/opt/cifsclient/krb5_tmp. The default is yes.

oldUdbEncrypt
The encryption method used for the user database file (UDB) is enhanced in CIFS Client version A.02.02 such that the file can be reused after back-ups and restores. This feature is enabled by default. However, due to this enhancement, UDBs from version A.02.01 are not compatible with later CIFS Client binaries. In order for CIFS Client A.02.02 or later to use an older UDB, this parameter must be set to yes:
    oldUdbEncrypt = yes;


cifs.server.default

The baroque structure of CIFS has its mirror in the multitude of configuration options for CIFS connections. This variable defines a default behavior which can be overridden by specific configurations for each server. The value is a dictionary with the following parameters:

localNetbiosName
This entry can be used to set the NetBIOS name for the client that is sent to the server.

ipAddress
This entry can be used to set the IP address of the CIFS server that you attempt to connect to.

connectTimeout
This integer variable defines the maximum time in milliseconds that is waited for a connection to succeed. You probably have to increase the time if you are on a slow network. The default is 2000ms (2 seconds).

requestTimeout
This integer variable defines the maximum time in milliseconds a server response may take (if the connection is already established). The default is 60000ms (60 seconds).

authenticationMethod
This entry specifies the method that the HP CIFS Client uses to authenticate users to the CIFS server. Allowed values are ntlm or kerberos. The default setting is ntlm. If the value is set to ntlm, only the NTLM protocol is used for logins to the server. If the value is set to kerberos, then if the server supports Kerberos, only Kerberos is used for logins. Otherwise, NTLM will be used. If NTLM is used, the CIFS Client determines which NTLM version to use based on the ntlmEncryptionVersion configuration.

ntlmEncryptionVersion
This entry specifies the method that the HP CIFS Client should use to authenticate users to the CIFS server. Allowed values are ntlm or ntlmv2. If the value is set to ntlm, NTLM password encryption is used for logins to the server. If the value is set to ntlmv2, then NTLMv2 is used. The default setting is ntlm.

smbPacketSigning
This string variable specifies which option is used by the HP CIFS Client to perform packet signing. The valid entries for this parameter are enabled, required and disabled. By default, this parameter is set to enabled.

preventCreationEnable, preventCreationPattern
These parameters can be used to prevent creation of files on CIFS servers that match a given pattern. preventCreationEnable is a boolean variable; its default value is no. Setting it to yes prevents creation of files on the CIFS server with names that match the pattern specified in preventCreationPattern. If preventCreationEnable is set to no, preventCreationPattern is ignored. preventCreationPattern is a string variable. The default value is null (""). File names that match the text pattern defined in preventCreationPattern cannot be created when preventCreationEnable is set to yes. The pattern can include the wildcard characters "*" (match any sequence of characters) and "?" (match any single character), thus an expression like "*file" matches file names such as my_file, xxfile etc. For example, to prevent users from placing DOS executables on the server, configure these parameters as follows:
    preventCreationEnable = yes;
    preventCreationPattern = "*.exe";

smbOverTCP
This is a boolean variable that controls whether to use SMB over TCP, which causes the CIFS Client to bypass the NetBIOS Session Services for server connections. The default is no.


NOTE

Windows NT servers do not support SMB over TCP; they do not accept connection requests on the established TCP port for this functionality (port 445). If you have NT servers in your network, and have enabled SMB over TCP, then you must create an "individual server" entry in the configuration file for each NT server. Individual server entries are placed after the "server.default" section, and before the tag "# End of server section". For example, if an NT server's NetBIOS name is "ntsrv01", the section can be:
ntsrv01 = { smbOverTCP = no; };

unixExtensions
This boolean variable is used to enable or disable CIFS UNIX extensions for connections to CIFS servers. The valid values for this parameter are yes and no. The default setting is yes. This variable can be configured globally or on a server-by-server basis. See CIFS UNIX Extensions on page 16 for details.

caseSensitive
This is a boolean variable (possible values yes or no) which specifies whether filenames on the server are case sensitive. By default, they are case sensitive in order to be consistent with the UNIX file system. If you use a case mapping different from none (see next parameter), you must set this parameter to no.

caseMapping
This variable (of type enumeration) defines whether file names are mapped to all upper case (upper), all lower case (lower) or preserved as they are on the server (none).

capitalizeShares
This boolean variable defines whether share names are converted to all uppercase characters before a connection is attempted. Share names should be case insensitive, but Windows 95 does not accept lowercase names. If this option occurs in section serverClasses, it can override a no to a yes, but not a yes to a no. The default is yes.

useUnicode
This boolean variable specifies whether the HP CIFS Client will use Unicode if the server supports it.

domain
This string variable defines the domain name the client sends to the server. If undefined, it defaults to an empty string which should be suitable for all known servers. (move to cifs.domain)

alwaysEncryptData
If this boolean variable is set to yes, only SSL (Secure Socket Layer) connections with the server are accepted. If set to no, SSL is negotiated with the server.

guestRemoteUser
The guestRemoteUser configuration solves the following problem: each UNIX user must be logged in (mapped to a CIFS username/password pair) at the server in order to access it, even if the share is public. It may be impractical to log in each user if there are a large number of UNIX users who, for example, want to access a public share where access permissions are not important. If you define a guestRemoteUser, all UNIX users that are logged in to the HP-UX system, but not logged in to the CIFS server, are automatically logged in to the CIFS server, as the guest user, when they attempt to access its mount point. No pre-existing login for the guestRemoteUser is needed. The name specified as guestRemoteUser must be the name of a valid account on the CIFS server or its domain, and the correct password for this user must be specified in the guestPassword parameter.

guestPassword
This variable sets the password of a user specified by the guestRemoteUser parameter.

fileModeMask
This variable can be used to limit the UNIX permissions given to files by the CIFS. The default setting is 0777. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file. They are relevant after files are copied from a CIFS share to the local disk since the cp command preserves attributes.


dirModeMask
This variable can be used to limit the UNIX permissions given to directories by the CIFS. The default setting is 0777. Do not change unless you know what you are doing.

ctimeIsCreate
This variable defines whether the UNIX ctime (Change Time) is taken from the DOS Creation Time or copied from the file modification time. If this parameter is set to yes, the creation time is used. The default setting is no.

fakeMountpointDate
If this boolean variable is yes, the modification and access times of the mount point always read the current time. This is useful for servers that return bogus values for the modification dates of root directories, such as Windows NT. The default is no.

execMapping
This enumeration variable is useful for files stored on Windows servers. It defines which DOS attribute would be mapped to the UNIX execute permission. The following keywords are valid: archive, system, hidden, on, or off. Default is on. A side-effect of execMapping is that if the configured attribute is set on the server, the file will be listed on the UNIX Client with the execute bit set for all users (owner, group, and other).

WARNING

If you plan to store UNIX executables on a CIFS server and invoke them on a UNIX Client, then the default setting execMapping = on is required. In this case, as seen by the UNIX Client, the execute bit is set on all file listings from the CIFS server. Using execMapping = on will not affect the attributes of files on HP CIFS Servers; those will still behave like normal UNIX files.

execInvert

When this boolean variable is yes, the execute bit (as derived with the execMapping setting) is inverted.


fakeDirLinks
If the server does not supply a number of hard-links for directories, this number is used. The value defaults to 2, if not specified. Some implementations of the UNIX utility find determine whether recursion is necessary or not from the link count. If your find uses this optimization, you may want to fake a high number of links for directories. Alternatively you can switch off the optimization with a commandline switch to find.

enableFakeLinks
If this boolean variable is set to yes, the HP CIFS Client can do softlinks on Windows servers. These softlinks can be used by HP CIFS Client clients only. On the Windows server they look like ordinary files with special attributes set (system and hidden attributes, if you have not modified the configuration).

linkModeMask, linkMode
These two integer variables define the file attributes that are used to distinguish faked softlinks from ordinary files. linkModeMask is 7 by default, which means that the attributes read-only, hidden and system are taken into account. linkMode defines the actual state that these attributes must have. It is 6 by default, which means that hidden and system must be set, but not read-only. The configuration value is calculated as the sum of the following components:

Table 7-1
    Value   Attribute
    1       read-only
    2       hidden
    4       system
    32      archive

linksAreUnicode
If this boolean variable is set to yes, the HP CIFS Client stores faked links in Unicode format on the server. This is incompatible with the CygWin32 format for symbolic links, but allows lossless storage of client paths. If it is set to no, symbolic links are more or less compatible with those of CygWin32 on Windows, but a conversion to the server character set is performed. Regardless of this variable, the HP CIFS Client can read symbolic link files in both formats.

attributesCacheTime
File attributes are cached for this amount of time (in milliseconds).

dirCacheTime
Directory contents are cached for this amount of time (in milliseconds).

maxCachedFiles
This is the maximum number of file objects that are held as cache of NFS file handles. If an NFS file handle is requested which is not in the cache, it must be looked up recursively, which may result in a notable performance loss. Recursive lookups are logged as rare events.

dataCacheSize
This is the size of the data cache that is allocated for open files in bytes. The value is rounded to a multiple of the cache's page size, which is derived from the maximum transferable size. The page size will always be a power of two. (move to cifs.dataCacheSize)

closeDelay
This variable defines the time a file is kept open when it is not used. The value is a dictionary with the following keys:

    exclusiveLock
    The keep-open time in milliseconds if an exclusive oplock has been acquired.

    batchLock
    The keep-open time in milliseconds if a batch oplock has been acquired.

    noLock
    The keep-open time in milliseconds if no lock has been granted.

dataCacheTimeNoLock
If no oplock has been granted, no caching should be done. This might result in bad performance on servers that do not support oplocks. This value sets a cache-valid time (in milliseconds) that is used if no oplock was granted.

readAhead
This variable defines the number of cache pages to read ahead. It is a dictionary with the following keys:

    lock
    The number of pages to read ahead if an oplock was granted.

    noLock
    The number of pages to read ahead if no oplock was granted.

useWriteBack
This variable defines whether cache write-back techniques should be used. Write back is insecure (in terms of error recovery) if used with NFS2, but it may increase performance notably. The value is a dictionary with the following keys:

    lock
    Boolean value which configures whether write back should be used when an oplock has been granted.

    noLock
    Boolean value which configures whether write back should be used when no oplock has been granted.

If you care about reliability, always leave these options off. This configuration variable is also passed to the server. There are server/OS combinations (notably Samba/Linux) which become very slow in writethrough mode. You may want to configure write back for these.

requestOplock
This boolean variable defines whether oplocks should be requested from the server. It should be set to no for Windows 95 machines because they grant an oplock although there is no support for it.

closeForSetattr
This boolean variable defines whether files should be closed before attributes (write protection, modification dates) are changed. This is very useful for Windows 95 servers because these servers cannot set the attributes of open files. However, with this feature enabled, the UNIX semantics mapping does not work completely. The default is no.


disableSmbs
Not every server supports every SMB command equally well. In fact, many commands are unusable on certain server types. The value of this variable is an array which enumerates the SMB commands that should not be used. The respective commands will be replaced by a workaround automatically. The enumeration constants may be taken from the following set:

    getattrFind
    Suppresses the use of the trans2/findfirst2 command for reading file attributes. trans2/findfirst2 is the best way to query attributes, so only disable it if you need to.

    getattrTrans2QueryPath
    Suppresses the use of the trans2/query_pathinfo command for reading file attributes. trans2/query_pathinfo seems to be broken on Windows 95.

    attrUnix
    Disables the UNIX extensions for file attributes.

    setattrTrans2SetFile
    Suppresses the command trans2/setfileinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

    setattrTrans2SetPath
    Suppresses the command trans2/setpathinfo to be used for setting file attributes. This SMB command does not work properly on Windows.

    setattrSetFile2
    Suppresses the use of SET_INFORMATION2 for setting attributes.

    setattrCoreWithTime
    Suppresses the use of the core SET_INFORMATION command for setting modification dates.

    createOpenX
    Suppresses the use of SMB_COM_OPEN_ANDX for creating files.

    openOpenX
    Suppresses the use of SMB_COM_OPEN_ANDX for opening files.

    readReadX
    Suppresses the use of SMB_COM_READ_ANDX for reading files.

    readOpenRead
    Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_READ_ANDX for reading files.

    writeWriteX
    Suppresses the use of SMB_COM_WRITE_ANDX for writing files.

    writeOpenWrite
    Suppresses the use of SMB_COM_OPEN_ANDX batched with SMB_COM_WRITE_ANDX for writing files.

    findUnix
    Disables the CIFS UNIX extensions for reading directories.

    findTrans2
    Disables the use of trans2/find for reading directories.

    fsinfoTrans2
    Suppresses the use of trans2/query_fs_info for reading file system information.

    sessionSetup
    Suppresses the session setup command (only used for core dialect).

    treeconAndX
    Suppresses the TREE_CONNECT_ANDX command (TREE_CONNECT is used instead).

    setDirDates
    Suppresses setting directory modification dates when files are created or deleted in a directory. This may be useful if the server sets the date automatically when directories are modified.

fileModeMask
This integer variable defines the file permissions. fileModeMask is 0777 by default. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file or not. They are relevant, however, after files are copied from a CIFS share to the local disk because the cp operation preserves file attributes.

dirModeMask
This integer variable defines the directory permissions. dirModeMask is 0777 by default. Do not change unless you know what you are doing. The UNIX permissions are not relevant for whether a user can access a file or not. They are relevant, however, after files are copied from a CIFS share to the local disk because the cp operation preserves file attributes.


cifs.servers

This variable may modify the values configured with cifs.server.default for specific servers. It consists of a dictionary where the keys are the NetBIOS names of servers. The value for each server key is also a dictionary. This dictionary has the same structure as the defaultServer dictionary. In addition, the following keys may be used:

ipAddress
This entry may contain an IP address or a DNS name for the server. By default, the NetBIOS name is used for a DNS query. This parameter may be overridden from the cifsmount commandline.

netbiosName
This entry is a last chance to change the NetBIOS name that is sent to the server for a given server.

tcpPort
You may change the TCP port that is used to connect to the server here. Default is 139, the NetBIOS session service port.


cifs.serverClasses

This variable may modify the values configured with cifs.server.default and servers after the connection has been established, based on the information derived from session setup. The decision can depend on the server's operating system and LAN manager type. The format for this variable is an array of dictionaries. Each dictionary must have all of the following three keys:

OS
This entry contains a matching pattern in shell-style syntax (* matches any character sequence, ? matches one character, [<characters>] matches any of the given characters and [^<characters>] matches none of the given characters). It is matched against the operating system name derived from session setup.

LanManager
This entry also consists of a matching pattern in shell-style syntax. It is matched against the LAN manager name derived from session setup. The operating system name and LAN manager name are printed to syslog if log level info is enabled.

config
If the previous two patterns match, the content of this variable (which must be a dictionary) is used as a server configuration which may contain all definitions that defaultServer may contain. If an option is given, it overrides the respective option from the other configurations. The option disableSmbs is an exception: all disabled SMBs add up to give the final list of disabled SMBs.

The array is searched from the first to the last entry. If an entry matches, the corresponding configuration is used and the search is aborted.
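The precedence rules described above for cifs.server.default, cifs.servers and cifs.serverClasses, modeled in Python to show which signing and authentication settings actually apply to a given server. This is an added example, not HP code and not part of the original guide. The server names, OS and LAN manager strings and all configurations are constructed; case-sensitive pattern matching and the reading of smbPacketSigning = enabled as "signing not enforced" are assumptions.

```python
from fnmatch import fnmatchcase


def shell_match(pattern, text):
    """Shell-style match; the guide's [^...] negation is fnmatch's [!...].
    Case-sensitive matching is an assumption of this example."""
    return fnmatchcase(text, pattern.replace("[^", "[!"))


def merge(base, override, from_class=False):
    """Lay one configuration dictionary over another, following the guide."""
    out = dict(base)
    for key, value in override.items():
        if key == "disableSmbs":
            # Exception: disabled SMBs from every layer add up.
            out[key] = sorted(set(out.get(key, [])) | set(value))
        elif key == "capitalizeShares" and from_class and out.get(key, "yes") == "yes":
            # In serverClasses this option may turn no into yes, never yes into no.
            continue
        else:
            out[key] = value
    return out


def effective_config(default, servers, classes, netbios_name, os_name, lanman):
    """default -> per-server entry -> first matching server class."""
    cfg = merge(default, servers.get(netbios_name, {}))
    for entry in classes:  # searched from the first to the last entry
        if shell_match(entry["OS"], os_name) and shell_match(entry["LanManager"], lanman):
            return merge(cfg, entry["config"], from_class=True)  # search ends here
    return cfg


def audit(cfg):
    """Flag signing/authentication values weaker than the strongest documented one."""
    findings = []
    signing = cfg.get("smbPacketSigning", "enabled")  # documented default
    if signing == "disabled":
        findings.append("smbPacketSigning=disabled: SMB packets are not signed")
    elif signing == "enabled":
        findings.append("smbPacketSigning=enabled: signing is not enforced (assumed meaning)")
    if cfg.get("ntlmEncryptionVersion", "ntlm") == "ntlm":  # documented default
        if cfg.get("authenticationMethod", "ntlm") == "kerberos":
            findings.append("ntlmEncryptionVersion=ntlm: the NTLM fallback is not NTLMv2")
        else:
            findings.append("ntlmEncryptionVersion=ntlm: logins use NTLM, not NTLMv2")
    return findings


# Constructed sample configuration (not taken from a real configuration file).
DEFAULT = {
    "authenticationMethod": "kerberos",
    "ntlmEncryptionVersion": "ntlmv2",
    "smbPacketSigning": "required",
    "capitalizeShares": "yes",
    "disableSmbs": ["setattrTrans2SetFile"],
}
SERVERS = {
    "ntsrv01": {"smbOverTCP": "no", "disableSmbs": ["setattrTrans2SetPath"]},
}
CLASSES = [
    {"OS": "Windows 4.[^5-9]*", "LanManager": "*",
     "config": {"smbPacketSigning": "disabled", "ntlmEncryptionVersion": "ntlm",
                "capitalizeShares": "no", "disableSmbs": ["getattrTrans2QueryPath"]}},
    {"OS": "Windows*", "LanManager": "*",
     "config": {"smbPacketSigning": "enabled"}},
]


def report(netbios_name, os_name, lanman):
    """Return (effective configuration, findings) for one constructed server."""
    cfg = effective_config(DEFAULT, SERVERS, CLASSES, netbios_name, os_name, lanman)
    return cfg, audit(cfg)


if __name__ == "__main__":
    # Constructed session-setup strings, one per sample server.
    for host in [("ntsrv01", "Windows 4.0", "Windows 4.0"),
                 ("fs02", "Windows 5.1", "Windows 2000 LAN Manager"),
                 ("hpcifs01", "Unix", "Samba 3.0.22")]:
        cfg, findings = report(*host)
        print(host[0], cfg["smbPacketSigning"], cfg["ntlmEncryptionVersion"], findings)
```

Because the OS and LAN manager names are taken from session setup, a serverClasses entry can replace a strict default only after the connection exists, so the effective values per server are the ones worth reviewing.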


PAM NTLM
This chapter provides a description of PAM NTLM.


Introduction
PAM NTLM (NT Lan Manager) is a Pluggable Authentication Module (PAM) that enables HP-UX users to be authenticated against Windows servers during system login. PAM is an authentication framework in UNIX, used to authenticate users logging into a UNIX system. PAM loads a dynamically loadable module (shared library) that performs the actual authentication. PAM can also be configured to use multiple shared library modules. PAM NTLM uses CIFS servers to authenticate users logging into an HP-UX system. In other words, PAM NTLM uses the NT LanManager protocol to authenticate the UNIX users. It sends the UNIX user's name and password to the CIFS server for validation and returns the result to the PAM framework. The HP CIFS client uses the PAM NTLM authentication information to access the shares on the CIFS server. Thus, users logging into an HP-UX system can access CIFS-mounted file systems without having to use the cifslogin command.

NOTE

PAM NTLM does not support NTLMv2 password encryption.


Configuring PAM NTLM requires you to understand the PAM framework in general. Refer to pam(3), pam.conf(4), and Managing Systems and Workgroups at http://docs.hp.com/hpux/os for more information about PAM.

Figure 8-1 PAM Introduction


PAM NTLM
This section provides a list of PAM NTLM features and a description of the User Map File.

PAM NTLM Features


• PAM NTLM supports authentication and password management.
• PAM NTLM uses a subset of the Samba smb.conf file as its configuration file. See the PAM NTLM Post-installation Instructions below for further information.
• PAM NTLM supports username mapping to map a local UNIX user name to a remote CIFS domain user name to use for authentication. See the PAM NTLM Configuration section for more detailed information.
• Successful user/password authentications are cached for use by the CIFS client.
• Login authentication to CIFS Servers using NTLM encrypted passwords.
• Updating CIFS user passwords on the Primary Domain Controller (PDC) using the HP-UX passwd(1) command.

Refer to Chapter 2 for installation steps.

User Map File


PAM NTLM supports a user map file that maps UNIX user names to CIFS domain user names before authentication by the CIFS server. PAM NTLM will search the user map file for the UNIX user name. If found, the mapped CIFS domain user name will be used to authenticate the user on the CIFS server. You must enter the correct password for the mapped NT user in order to be authenticated. If you configure password(1M) to use PAM NTLM, then the password of the mapped CIFS domain user will be changed on the CIFS domain.


PAM NTLM Configuration

Configure the following to set up PAM-NTLM:
• The PAM-NTLM module
• The system file /etc/pam.conf to use the PAM-NTLM module
• A usermap file (optional)

Configuring the PAM NTLM Module

The PAM-NTLM configuration file is /etc/opt/cifsclient/pam/smb.conf. A default configuration file is also provided (smb.conf.default). Do not change the default configuration file because you may need to refer to it in the future.

Table 8-1
##
## Name: smb.conf
##
## Set the values below to the actual names used in your environment
##
## Any line which starts with a semi-colon(;) or a hash(#)
## is a comment and is ignored.
##
##==================== Global Settings ============================
[global]
## workgroup: Domain-Name or Workgroup-Name
workgroup = workgroup
## password server: the netbios name of the system which will be
## used to authenticate logins.
password server = pdc_name bdc1_name bdc2_name
## wins server: the system used to locate password servers,
## specified as a fully-qualified DNS name or an IP address.
wins server = winserv.mycorp.com


Configuring the system to use the PAM NTLM Module

This task consists of editing the global HP-UX PAM configuration file /etc/pam.conf.

IMPORTANT

You may not be able to log into the system if PAM is not correctly configured. Make sure that you understand the PAM framework before you modify pam.conf. For information on PAM, see these sections of HP-UX manpages: pam.conf(4), pam_unix(5).

For security reasons, HP strongly recommends you set up your system such that, for both authentication and password change, the host system (PAM UNIX), not the password server configured by PAM NTLM, authenticates root and other privileged users. Access on a per-user basis can be controlled through the use of libpam_updbe in pam.conf, and the ignore option to libpam_ntlm in pam_user.conf. See pam.conf(4), pam_user.conf(4), and pam_updbe(5) for explanations and examples of usage.

HP also recommends using PAM NTLM services in addition to, not in place of, PAM-UNIX. This configuration is depicted in the sample pam.conf file below.

PAM NTLM provides the following services:
• Password Authentication
• Password Change
• Password Change Upon Notice of Expiration

Each service corresponds to a specific section of pam.conf. Add entries for the services you wish to use:
• For Password Authentication, modify the Authentication management section of pam.conf.
• For Password Change, modify Password management.
• For Password Change Upon Notice of Expiration, modify Authentication management, Password management, and Account management (in order to utilize Password Change Upon Notice of Expiration, you must also enable both Password Authentication and Password Change).


The following are sample pam.conf files with all three PAM NTLM services configured. Each PAM NTLM entry consists of a line that refers to the shared library libpam_ntlm.1. In the authentication management section, when PAM NTLM is used in conjunction with PAM UNIX, it is recommended that the option try_first_pass be specified with the PAM-UNIX entry, as shown.

WARNING

If incorrect paths are used in pam.conf, it can become impossible to log in to the system. Ensure that you refer to the pam.conf file that matches the version of HP-UX installed on your system (use uname -r to check the version). In particular, you should add lines to pam.conf exactly as shown without modifying paths. Starting with version B.11.22 of HP-UX, paths to the PAM libraries are different than in earlier versions.

The following sample pam.conf file is for version B.11.23 of HP-UX:

Example 8-1 Sample file for HP-UX version B.11.23

=====================================================================
#
# PAM configuration
#
# Authentication management
# Note: For PA applications, /usr/lib/security/libpam_unix.so.1 is a
# symbolic link that points to the corresponding PA PAM module.
#
login    auth sufficient    /usr/lib/security/$ISA/libpam_ntlm.so.1
login    auth required      /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
su       auth required      /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  auth required      /usr/lib/security/$ISA/libpam_unix.so.1
dtaction auth required      /usr/lib/security/$ISA/libpam_unix.so.1
ftp      auth required      /usr/lib/security/$ISA/libpam_unix.so.1
OTHER    auth required      /usr/lib/security/$ISA/libpam_unix.so.1
#
# Account management
#
login    auth sufficient    /usr/lib/security/$ISA/libpam_ntlm.so.1
login    account required   /usr/lib/security/$ISA/libpam_unix.so.1
su       account required   /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  account required   /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account required   /usr/lib/security/$ISA/libpam_unix.so.1
ftp      account required   /usr/lib/security/$ISA/libpam_unix.so.1
# OTHER account required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Session management
#
login    session required   /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  session required   /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required   /usr/lib/security/$ISA/libpam_unix.so.1
OTHER    session required   /usr/lib/security/$ISA/libpam_unix.so.1
#
# Password management
#
login    auth sufficient    /usr/lib/security/$ISA/libpam_ntlm.so.1
login    password required  /usr/lib/security/$ISA/libpam_unix.so.1
passwd   password required  /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin  password required  /usr/lib/security/$ISA/libpam_unix.so.1
dtaction password required  /usr/lib/security/$ISA/libpam_unix.so.1
OTHER    password required  /usr/lib/security/$ISA/libpam_unix.so.1
=====================================================================

The following sample pam.conf file is for versions B.11.00 and B.11.11 of HP-UX:

Example 8-2 Sample file for HP-UX versions B.11.00 and B.11.11

#
# PAM configuration
#
# Authentication management
#
login    auth sufficient     /usr/lib/security/libpam_ntlm.1
login    auth required       /usr/lib/security/libpam_unix.1 try_first_pass
su       auth required       /usr/lib/security/libpam_unix.1
dtlogin  auth required       /usr/lib/security/libpam_unix.1
dtaction auth required       /usr/lib/security/libpam_unix.1
ftp      auth required       /usr/lib/security/libpam_unix.1
OTHER    auth required       /usr/lib/security/libpam_unix.1
#
# Account management
#
login    account required    /usr/lib/security/libpam_ntlm.1
login    account required    /usr/lib/security/libpam_unix.1
su       account required    /usr/lib/security/libpam_unix.1
dtlogin  account required    /usr/lib/security/libpam_unix.1
dtaction account required    /usr/lib/security/libpam_unix.1
ftp      account required    /usr/lib/security/libpam_unix.1
OTHER    account required    /usr/lib/security/libpam_unix.1
#
# Session management
#
login    session required    /usr/lib/security/libpam_unix.1
dtlogin  session required    /usr/lib/security/libpam_unix.1
dtaction session required    /usr/lib/security/libpam_unix.1
OTHER    session required    /usr/lib/security/libpam_unix.1
#
# Password management
#
login    password sufficient /usr/lib/security/libpam_ntlm.1
login    password required   /usr/lib/security/libpam_unix.1
passwd   password required   /usr/lib/security/libpam_ntlm.1
dtlogin  password required   /usr/lib/security/libpam_unix.1
dtaction password required   /usr/lib/security/libpam_unix.1
OTHER    password required   /usr/lib/security/libpam_unix.1
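Because a wrong path or a missing PAM-UNIX fallback can lock users out, a pam.conf draft is worth checking before it is installed. The following is an added example, not an HP tool: it checks the authentication-management recommendations given above (a libpam_unix entry with try_first_pass after each libpam_ntlm entry) and the path layout for the release reported by uname -r. It assumes that B.11.22 and later use the $ISA path form shown for B.11.23, and its sample inputs are constructed.

```python
import re

def entries(text):
    """Return (lineno, service, type, control, path, options) per pam.conf entry."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split("#", 1)[0].split()
        if len(f) >= 4:
            out.append((n, f[0], f[1], f[2], f[3], f[4:]))
    return out

def lint(text, release):
    """Check libpam_ntlm auth entries and module path layout for `uname -r` output."""
    major, minor = map(int, re.match(r"B\.(\d+)\.(\d+)", release).groups())
    isa_layout = (major, minor) >= (11, 22)  # assumption: B.11.22+ uses the $ISA form
    ents, findings = entries(text), []
    for i, (n, svc, typ, ctl, path, opts) in enumerate(ents):
        if ("/$ISA/" in path and path.endswith(".so.1")) != isa_layout:
            findings.append((n, "module path does not match the layout for " + release))
        if "libpam_ntlm" not in path or typ != "auth":
            continue
        unix = [e for e in ents[i + 1:]
                if e[1] == svc and e[2] == "auth" and "libpam_unix" in e[4]]
        if not unix:
            findings.append((n, "no libpam_unix auth entry follows libpam_ntlm for " + svc))
        elif "try_first_pass" not in unix[0][5]:
            findings.append((n, "libpam_unix auth entry for %s lacks try_first_pass" % svc))
    return findings

# Constructed samples (B.11.23 layout); GOOD follows the login/auth pair shown above.
GOOD = """\
login auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
"""
BAD = """\
login auth sufficient /usr/lib/security/libpam_ntlm.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1
ftp auth sufficient /usr/lib/security/$ISA/libpam_ntlm.so.1
"""

if __name__ == "__main__":
    for n, msg in lint(BAD, "B.11.23"):
        print("line %d: %s" % (n, msg))
```

Run it against a copy of the edited file, and keep a root session open until a fresh login has been confirmed to work.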

Configuring a User Map File

To configure PAM NTLM to use the user map file, add the following line to the [Global] section of the /etc/opt/cifsclient/pam/smb.conf file:

Domain user map = /etc/opt/cifsclient/pam/domain_user.map

You can configure the name and location of the user map file. For name and location, HP recommends the line as shown above. The format of a domain user file entry is:

UNIXusername = [\\DOMAIN_NAME\\] DomainUserName

UNIXusername is an existing account on the HP-UX system; DomainUserName is the name of the user that is mapped in the CIFS domain. DOMAIN_NAME is optional.

The user map file is parsed line by line. If any line begins with a # or a ; then the line is ignored. Each line should contain a single UNIX user name on the left and then a single CIFS Domain User name on the right, separated by a tabstop or '='. If either name contains spaces then you must enclose it in quotes.

Using NIS Distribution of the User Map File


The user map file is enabled to be distributed via NIS in a similar manner to the distribution of /etc/passwd to NIS clients. To use this feature:

1. Convert the master user map file into an NIS map file named domainusermap.byname on the NIS master server.


NOTE

The NIS map file name domainusermap.byname is the default name that PAM NTLM uses for the NIS map file. You can configure a different NIS user map name in the PAM NTLM configuration file (/etc/opt/cifsclient/pam/smb.conf) of each NIS client. The configuration option is:

nis ntuser mapname = <new usr map filename>

2. In the user map file of each NIS client that will receive the distributed map file, add an entry with the plus sign (+) in the first column of the line. The plus sign is used to indicate that parsing the file should stop at that point and the remaining search of the user map file should use NIS calls to the NIS server.
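The user map rules from the two sections above (comment lines, tab or '=' separator, quoted names, optional domain prefix, and the + line that hands the rest of the search to NIS) can be checked with a small parser before the file is deployed. This is an added example, not PAM NTLM's own parser: it assumes blank lines are skipped, the first entry for a UNIX name wins, and the domain prefix is written exactly as \\DOMAIN_NAME\\. The sample map is constructed.

```python
import re

_NAME = r'"[^"]+"|[^\s="]+'
_LINE = re.compile(
    r'^\s*(%s)\s*(?:=|\t)\s*(?:\\\\([^\\\s]+)\\\\\s*)?(%s)\s*$' % (_NAME, _NAME))

def parse_user_map(text):
    """Return (mapping, use_nis, bad_line_numbers) for a user map file."""
    mapping, bad = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith("+"):
            return mapping, True, bad           # remaining lookups go to NIS
        if not line.strip() or line[:1] in ("#", ";"):
            continue
        m = _LINE.match(line)
        if not m:
            bad.append(n)
            continue
        unix, domain, user = (g.strip('"') if g else g for g in m.groups())
        mapping.setdefault(unix, (domain, user))  # assumption: first entry wins
    return mapping, False, bad

def privileged_mapped(mapping, privileged=("root",)):
    """Local accounts that HP recommends keeping on PAM UNIX but that are mapped."""
    return sorted(u for u in mapping if u in privileged)

# Constructed sample map file.
SAMPLE = "\n".join([
    "# constructed sample",
    r"jdoe = \\CORP\\ John.Doe",
    '"ops user"\t"Ops User"',
    "; another comment",
    r"root = \\CORP\\ Administrator",
    "broken line without separator",
    "+",
    "late = ignored",
])

if __name__ == "__main__":
    mapping, use_nis, bad = parse_user_map(SAMPLE)
    print(mapping, use_nis, bad, privileged_mapped(mapping))
```

A mapped root entry, like the one in the sample, is worth reviewing against the recommendation that the host system authenticates root and other privileged users.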


