Communicator Article: Samba 3.0.22

HP vCSY is pleased to announce the availability of Samba 3.0.22 for MPE/iX 6.5, 7.0, and 7.5.  This version of Samba offers significant new functionality compared to the previous HP release of Samba 2.2.8a for MPE/iX.  Please read this entire document carefully before installing 3.0.22.

Samba 3.0.22 is distributed by the following patches that can be obtained from the HP Response Center:

• SMBMXY6D(BT) for MPE/iX 6.5
• SMBMXY6E (BT) for MPE/iX 7.0
• SMBMXY6F (BT) for MPE/iX 7.5

Samba 3.0.22 provides many defect repairs and enhancements beyond the 2.2.8a release. The discussion below addresses the key enhancements supported on MPE/iX. Samba 3.0.22 features not supported on MPE/iX are also listed. These bundles include the differences between the Samba-3.0.22 and the Samba/iX-3.0.22 source tree in the file named diff-3.0.22-mpe.txt inside the /usr/local/samba/src directory.

 

Major Functionality Beyond Samba 2.2.8a

 

1. Encrypted password mechanisms:

Unlike the previous versions of Samba, which required enabling password encryption, this mechanism is now enabled by default. To disable password encryption the line encrypt passwords = no must be added to the global section of smb.conf file, which resides by default inside the /usr/local/samba/lib directory. However, if password encryption is defeated, some Windows clients will not connect to the Samba server and will report unauthorized access, since many versions of Windows do not allow unencrypted passwords.

 

Please note that SWAT still uses unencrypted password mechanism of the form of userpw,acctpw. SWAT configuration is described at the end of this article.

 

Refer to swat/help/manpages/smb.conf.5.html#ENCRYPTPASSWORDS for more details.

 

2. New password database backend:

The Samba password databases are different from the MPE user database (HPUID.PUB.SYS) and are referred to as passdb backends. The passdb backends are mechanisms for account storage. This option is user configurable through the smb.conf parameter passdb backend = <name>. Samba-3 supports multiple types of passdb backends as listed below:

 

• smbapasswd: This option allows continued use of the smbpasswd file. This file remains a plain ASCII text layout which includes the MS Windows LanMan and NT-encrypted passwords, as well as a field which stores some account information. The disadvantage with this form of password backend is that it does not store any of the MS Windows NT/200x SAM (Security Account Manager) information required to provide the extended controls needed for more comprehensive interoperation with MS Windows NT4/200x servers. This backend should be used only for backward compatibility with older versions of Samba. It may be deprecated in future releases. This option can be used by inserting a line passdb backend = smbpasswd  in the global section of smb.conf.

 

• tdbsam : This backend provides a rich database backend for local servers. The tdbsam password backend stores the old smbpasswd information plus the extended MS Windows NT/200x SAM information into a binary format TDB (trivial database) file. The inclusion of the extended information makes it possible for Samba-3 to implement the same account and system access controls that are possible with MS Windows NT4/200x-based systems. tdbsam allows simple site operation without the complexities of running OpenLDAP. It is recommended to use this for sites having fewer than 250 users. For larger sites the use of OpenLDAP or of Active Directory integration is recommended. This option can be used by inserting the line passdb backend = tdbsam  in the global section of smb.conf. The encrypted password files are stored in /usr/local/samba/private directory.
  
  
• ldapsam – MPE/iX does not support an LDAP server, however some client libraries are available with Posix/iX. Samba/iX 3.0.22 can be configured to use ldapsam if the LDAP server is properly configured and functioning on a Linux or HP-UX system. The basic requirement is to copy the schema file /usr/local/samba/examples/LDAP/samba.schema to the LDAP configuration directory on the LDAP server. Also the LDAP database server needs to be populated with entries for the users to be authenticated. The setup of an LDAP server and populating the database with MPE user account names is beyond the scope of this article. Please visit www.openldap.org for an explanation of how to configure an LDAP server. Please refer section 10.4.4 of Samba-HOWTO (swat/help/Samba3-HOWTO/passdb.html#id2559672) for a detailed explanation on how to configure Samba to make use of ldapsam, provided an LDAP server is setup and running properly.

 

• Mysqlsam – Unsupported.
• xmlsam – Unsupported.

 

It is strongly recommended to read Chapter-10 of the Samba-HOWTO (swat/help/Samba3-HOWTO/passdb.html) document available with the Samba package through SWAT.

 

3. New account management tools:

In order to manage a Samba user database Samba provides two account management tools: sambpasswd and pdbedit.

 

smbpasswd can perform the following operation on a passdb:

• add user or machine accounts.
• delete user or machine accounts.
• enable user or machine accounts.
• disable user or machine accounts.
• set user passwords .
• manage inter-domain trust accounts.

 

pdbedit is considered a better account management tool and requires privileged user capability. It can perform the following tasks:

• add, remove, or modify user accounts.
• list user accounts.
• migrate user accounts.
• migrate group accounts.
• manage account policies.
• manage domain access policy settings.

 

How to migrate an account: Older versions of Samba/iX use the smbpasswd backend to support encrypted passwords. In order to use tdbsam as the backend a simple migration can be done as follows:

      a) Set the passdb backend = tdbsam, smbpasswd.

      b) Execute: root# pdbedit -i smbpasswd -e tdbsam

      c) Remove the smbpasswd from the passdb backend configuration in smb.conf

 

For more information on how to use these tools please see their respective man pages or section 10.3 of the Samba-HOWTO (swat/help/Samba3-HOWTO/passdb.html#acctmgmttools) document.

 

 

 4. Enhanced "net" command:

The Samba net utility is meant to work just like that on Windows and DOS systems. This tool helps to manage Samba and remote CIFS (SMB) servers. One major use of this command is to join any NT4 type domain with Samba-3 as follows:

Shell> net rpc join –S <pdc-name> -Uadministrator%password

 

Please refer to swat/help/manpages/net.8.html for more information.

 

5. New name mangling method:

Samba supports name mangling for systems which do not conform to “8.3” filenames supported in DOS, and Windows. Various configurable parameters like mangle prefix, mangling method (hash or hash2), mangling char, mangled map, mangled names are available which can be set in smb.conf to control mangling. The hash2 mangling method is much better than previous hash methods and produces fewer collisions. Please refer man page of smb.conf (swat/help/manpages/smb.conf.5.html#MANGLINGMETHOD) for more details.

 

6. Stackable VFS (Virtual File System) objects:

Stackable VFS modules are quite popular and their usability proves great in some cases. The VFS objects included in Samba-3 are as follows:

 

• Audit: This module is used to log file access to the syslog facility. File operations logged are: share, connect/disconnect, directory open/create/remove, file open/close/rename/unlink/chmod. This facility is enabled by smb.conf parameter vfs objects = audit.

 

• Default_quota: This module allows the default quota values, in the Windows Explorer GUI, to be stored on a Samba-3 server. This is enabled by multiple lines in smb.conf file:

vfs objects = default_quota:myprefix

myprefix uid = 65534

 

• Extd_audit: This module is identical to the audit module except that it sends the log entry to both syslog as well as the smbd logging facility. The log level for this facility can be set in smb.conf file as vfs:<log level>, where log level can be 0,1,2 & 10. It can be set as an smb.conf entry like log level = 2 vfs:10.

 

• Fake_perms: This module was designed to allow Roaming Profile files and directories to be set (on the Samba server under UNIX) as read only.

 

• Recycle: This module simulates the Windows recycle bin. Any file or directory deleted will be sent to a directory named .recycle which is automatically created inside the directory referred to by Samba shares upon the first file deletion. This can be activated by entering the smb.conf line vfs objects=recycle. This module offers flexibility with various parameters like recycle:keeptree to keep the tree structure of deleted files. This module helps recover from accidental deletion of files and directories.

 

• Netatalk: This module eases Samba and netatalk file sharing services.

 

• Shadow_copy: This module enables functionality similar to MS shadow copy services.

 

The VFS modules netalk, shadow_copy, default_quota, and fake_perms have not been tested on Samba/iX version 3.0.22. These modules have also not been tested aggressively by the Samba developers. Please see Chapter 22 of the Samba HOWTO document (swat/help/Samba3-HOWTO/VFS.html) for more insight.

 

7. Unicode support:

A major enhancement in Samba-3 is that it “talks” Unicode over the wire, and it can be tuned with three smb.conf parameters unix charset, display charset, and dos charset. The support for character set has been completely revised in Samba-3, and dependency on codepage system has been removed. Run testparm –v | grep “charset” to see the values of these parameters. There are a few problems encountered with the Japanese charset and it is quite difficult to set it appropriately, please see Section 29.4 of the Samba-HOWTO document for more information. The parameters client codepage, character set, codepage directory, valid chars and coding system have been removed in Samba-3. For more information please read Chapter-29 of the Samba-HOWTO (swat/help/Samba3-HOWTO/unicode.html) document.

 

8. Backup using Samba-3:

smbtar utility is a shell script which uses smbclient to provide Samba-3 with better backup functionality. smbtar can be used to backup and restore the Samba shares efficiently. Please see man smbtar or the Samba-HOWTO (swat/help/manpages/smbtar.1.html) document Also, see Chapter 30 of the Samba-HOWTO guide (swat/help/Samba3-HOWTO/Backup.html)for more details.

 

9. Logging per component:

The debug information gathered in Samba-2.2.X tended to degraded performance when set to a value greater than one. In Samba-3, the per-component logging option allows the administrator to set the log level for individual components. This provides flexibility in getting debug information with minimal performance impact. It can be enabled as follows:

log level = 1 vfs:3 auth:2 passdb:10

 

The above setting in smb.conf logs overall debug information of level 1, logs vfs debug information at level 3, logs debug information for authorization module at level 2, and logs debug information for passdb backends at level 10.

 

10. NT4 Domain Membership:

Samba/iX can join any NT4 type domain as domain member by including the following three configuration parameters:

security = domain

password server = <pdc-name>

workgroup=<NT4 domain-name>

 

Unlike earlier versions of Samba/iX, this release uses the net command to join any NT4 type domain as shown below:

shell/iX>net rpc join –S <pdc-machine-name> -Uadministrator%password –p 139

(Note: port 139 is described below)

It is mandatory to have a fully qualified (DOMAIN\username) entry in the map table (set by the smb.conf parameter username map) to map Windows users to real MPE/iX users. For example, to map the user auser on domain adomain to MPE/iX user user.acct, the map table entry should be “user.acct=adomain\auser “.

 

Only Windows NT 4.0 server systems and Samba-3 are qualified to serve as NT4 type domains. Windows 2000 and later versions can not serve as NT4 type domains. Since Samba/iX cannot join an ADS domain, it cannot be a domain member of Windows 2000 and later domains.

 

11. SMB ports:

TCP port 445 is the default port listened to by the Samba server. However, Samba/iX will listen on port 139 if it is unable to use port number 445. These ports numbers can be configured with the smb.conf option smb ports which is set to “445 139” by default. In order to maintain compatibility with previous releases of Samba/iX, the sample job file samp-JSMB, which streams SMBD, continues to use port number 139. If port 445 is desired then modify the JSMB file as follows:

 

!job jsmbstrt,manager.sys;pri=CS

!xeq smbd.smb3022.samba "-D"

!eoj

 

Modify SERVICES.NET.SYS to include the line:

“microsoft-ds 445/TCP #SMB over TCP/IP”

to allow INETD to launch the Samba server.

 

Important Note: The default port number for all tools which accept a port number argument (e.g., smbclient, net, etc) is 445. If your Samba/iX server listens on port 139 then –p 139 needs to be supplied to all tools which accept a port number, or else 445 will be assumed.  For example:

shell/iX> smbclient –p 139 –L sambaserver

 

12. Better disk free utility “my_dfree” on MPE/iX:

Previous SAMBA patches had a script "myfree", which calculates the free disk space on MPE/iX. From this patch onwards it is recommended to use the program "my_dfree" instead as it can report the largest disk size MPE/iX can have, whereas “myfree” could report successfully only up to 1TB. In order to utilize the my_dfree script set the smb.conf parameter "dfree command" to "/usr/local/lib/my_dfree" as shown below:

dfree command = /usr/local/samba/my_dfree

this overrode the default “dfree command = “ which by default reports 2GB of disk size and used and free space as 0 (zero). If “my_dfree” fails to calculate the total and free disk space, it reports the Samba default 2GB disk space as if "dfree command" is not set. For backwards compatibility the script “myfree” is also distributed with this package.

 

Features not supported on MPE/iX

 

1.      PDC/BDC:

Due to inability to create machine trust accounts with Samba/iX, PDC, and BDC remain unsupported.

 

2.      ADS:

Samba-3 clients can join as member of any Microsoft 200x ADS server only if the native system supports the Kerberos authentication mechanism. Since the native system MPE/iX does not support Kerberos, ADS domain membership is not supported.

 

Also, Samba-3 does not support Active Directory Server domain controller. Hence, ADS is not supported on MPE/iX.

 

3.      CUPS printing support:

CUPS printing is not supported on MPE/iX due to the absence of the required CUPS       libraries.

 

4.      Winbindd:

Since the C library on MPE/iX does not support NSS (Name Service Switch) and PAM (Pluggable Authentication Module), it is not feasible to support winbind.

 

5.      MySQLSam and XMLSam:

These two passdb backends remain unsupported due to their requirement of host MYSQL and XML support which is absent on MPE/iX.

     

 

Performance Tuning Tips

 

1.      Change notify timeout: The Samba server periodically scans for the changes and notifies clients every change notify timeout seconds. It is recommended to keep change notify timeout as large as possible. The default is 60 seconds, and preferably it should be set >= 3000.

2.      Debug level: The log level should be kept as low as possible, preferably one, and use component level logging where possible..

3.      Try to keep the log file size small.

4.      Use of plug-ins may hamper performance, so read the documentation carefully before using them.

5.      Socket configuration: TCP_NODELAY, so_sndbuf, so_rcvbuf can be configured to optimize performance.

6.      Maximum Transmit size: The sizes of smb commands can be limited using max xmit parameter, which is negotiated between the clients and server, can be set appropriately to improve performance.

7.      Read Size: The option read size synchronizes disc read/writes with network read/writes. The default value is 16384 bytes and can be tuned for optimal value. The tuning can be done by experimenting with different values based on the disc and network speed.

 

Refer Chapter 43 of the Samba-HOWTO (swat/help/Samba3-HOWTO/speed.html) guide for more details.

 

Configuring SWAT

 

SWAT (Samba Web Administration Tool) is very useful in configuring Samba efficiently through popular web browsers like Internet Explorer, Netscape, Forefox, etc. The steps to configure SWAT are as follows:

 

1.      Make sure that Samba is installed properly and that the SWAT program file is owned by the user MANAGER.SYS.

2.      Enable 901 service:

Edit SERVICES.NET.SYS to include port 901 as “swat 901/tcp  # SWAT tool”.

3.      Configure inetd:

Edit INETDCNF.NET.SYS to include the line 

“swat stream tcp nowait.400 MANAGER.SYS /SAMBA/SMB3022/SWAT swat” and then issue the command inetd –c from the MPE/iX Shell. Please note that SAMBA/SMB3022/SWAT is the location of SWAT program file.

4.      Running swat:

Open your favorite internet browser and issue the address http://samba_machine_name:901. When prompted for a user and password, use the MPE/iX user (USER.ACCT) and password (userpw,acctpw).

 

You will be welcomed to the Samba world of documentation and configuration. The SWAT tool helps configure Samba with associated help for each and every option. The main page has various links for utilities documentation and books related to Samba.

 

For further information

• http://www.samba.org/
• http://jazz.external.hp.com/src/samba/
• Configuring and Managing MPE/iX Internet Services manual (contains useful Samba information not duplicated here)
• /usr/local/samba/ReadME.mpe.228a ( Old Samba/iX info)
• /usr/local/samba/docs
• /usr/local/samba/man