|
Samba 3.0.22: Last updated September 26, 2007
HP vCSY is pleased to announce the availability of Samba 3.0.22 for MPE/iX 6.5, 7.0, and 7.5. This version of Samba offers new functionality compared to the previous HP release of Samba 2.2.8a for MPE/iX.
Samba 3.0.22 is distributed by the following base patches that can be obtained from the HP Response Center:
- SMBMXY6D (BT) for MPE/iX 6.5
- SMBMXY6E (BT) for MPE/iX 7.0
- SMBMXY6F (BT) for MPE/iX 7.5
Note: These versions replace the original A, B, C versions and include a "Large
Disk" aware script my_dfree to implement the samba.conf "dfree command"
function.
A Communicator article describes features unique to 3.0.22 which are supported on MPE/iX. It also covers features not supported on MPE/iX, performance tuning tips, how to configure SWAT, and where to get more information.
The Samba 3.0.22 Porting Whitepaper
covers in depth the steps taken by HP to port this version of Samba to MPE/iX.
This should also prove useful to others looking to do their own open source
ports to MPE/iX.
Samba 2.2.8a: Last updated August 25, 2005
HP vCSY is pleased to announce the availability of Samba 2.2.8a for MPE/iX
6.5, 7.0, and 7.5. This version of Samba offers significant new
functionality compared to the previous HP release of Samba 2.0.7 for
MPE/iX. Please read this entire document carefully before installing
2.2.8a.
Samba 2.2.8a is distributed by the following base patches that can be obtained
from the HP Response Center:
- SMBMXG3A (GR) for MPE/iX 6.5
- SMBMXG3B (GR) for MPE/iX 7.0
- SMBMXG3C (GR) for MPE/iX 7.5
After installing the appropriate base patch, please install the corresponding security patch:
- SMBMXR5A (GR) for MPE/iX 6.5
- SMBMXR5B (GR) for MPE/iX 7.0
- SMBMXR5C (GR) for MPE/iX 7.5
The above security patches will upgrade the SMBD server daemon to version 2.2.12.
Migrating from Samba 2.0.7
Users of Samba 2.0.7 need to be aware of the following issues before installing
Samba 2.2.8a.
Streamlined installation layout(some files have moved)
Previous versions of Samba installed a few files into the SAMBA.SYS group
and the remaining files into the SAMBA account. Starting with
Samba 2.2.8a, all files are now installed into the SAMBA account in
a version-specific group, i.e. SMB228A.SAMBA. The Samba 2.2.8a
installation script does not modify any of the old Samba files in the
SAMBA.SYS group.
The Samba 2.2.8a installation script automatically modifies the /usr/local/samba
symbolic link to point to the new /SAMBA/SMB228A file location. A
new symbolic link of /SAMBA/CURRENT is created to point to the same
location.
If you have any jobs or UDCs or command files or /SYS/NET/INETDCNF etc
that refer to the old SAMBA.SYS files, you will need to modify these
old references to point to the new file locations. You should use
either of the symbolic links to do this. I.e. instead of SMBD.SAMBA.SYS,
you can refer to SMBD.CURRENT.SAMBA or /usr/local/samba/SMBD or /SAMBA/CURRENT/SMBD.
Existing 2.0.7 configuration files are compatible with 2.2.8a
Your existing 2.0.7 configuration files are compatible with 2.2.8a. Copy
them from the old /SAMBA/SMB207/lib location to /usr/local/samba/lib
or /SAMBA/CURRENT/lib.
In order to take full advantage of the new 2.2.8a functionality, it is
recommended that you use /usr/local/samba/lib/samp-smb.conf as a template
for creating a new smb.conf file.
New "full-power" model enabled by default
Previous versions of Samba for MPE required manually adding PM capability
to the MGR.SAMBA user in order to enable "full-power mode" where Samba
can authenticate against traditional MPE user & account passwords
of the format USERPW,ACCTPW. This functionality is now enabled by
default starting with Samba 2.2.8a.
Full-power mode is the recommended mode of operation. Besides the
convenience of authenticating against traditional MPE passwords, full-power
mode also enables Samba to setuid() to the authenticated user so that
all file accesses occur with the authenticated user's access rights.
Full-power mode under Samba 2.2.8a is enabled for Samba program files
if they are owned by MANAGER.SYS but reside in the SAMBA account. The
full-power program files are currently NMBD, SMBD, and SWAT. Since
PM capability on the MGR.SAMBA user is no longer required for full-power
mode, it is removed by the Samba 2.2.8a installation script.
Migrating back to Samba 2.0.7
If after installing Samba 2.2.8a you decide that you want to migrate back
to Samba 2.0.7, perform the following steps:
- :HELLO MANAGER.SYS
- :PURGELINK /usr/local/samba
- :NEWLINK /usr/local/samba,/SAMBA/SMB207
- :ALTUSER MGR.SAMBA;CAP=+PM (if you were previously using Samba
2.0.7 in full power mode)
Major new functionality since Samba 2.0.7
Samba 2.2.8a offers many bug fixes and enhancements since 2.0.7. The
key enhancements supported on MPE are listed below.
Encrypted passwords
Previous versions of Samba on MPE could only perform SMB authentication
using plaintext passwords which certain versions of Windows could only
support via the registry modifications described in the /usr/local/samba/docs/Registry
directory. Because passwords were transmitted over the network in
plaintext, this constituted somewhat of a security exposure that some customers
were not willing to risk.
With the release of Samba 2.2.8a, encrypted password functionality is
now available to customers. Passwords are no longer transmitted over
the network in plaintext, and registry modifications are no longer required.
If you desire, you may now disable plaintext passwords in your Windows
registry by modifying the registry values described in the /usr/local/samba/docs/Registry
directory to be 0 (zero) instead of 1 (one).
Note that Samba encrypted passwords are maintained separately from MPE
user & account passwords. The /usr/local/samba/bin/smbpasswd
utility is used to maintain the encrypted passwords in the file /usr/local/samba/private/smbpasswd.
To enable Samba encrypted passwords, the Samba administrator must perform
the following steps:
- :HELLO MGR.SAMBA
- Edit /usr/local/samba/lib/smb.conf to specify "encrypt passwords
= yes"
- Add an entry to /usr/local/samba/private/smbpasswd for each
MPE USER.ACCOUNT that Samba will be authenticating:
/usr/local/samba/bin/smbpasswd -a USER.ACCOUNT encryptedpassword
Regular MPE users may then change their Samba encrypted passwords by running
/usr/local/samba/bin/smbpasswd without any parameters. The smbpasswd
utility will first prompt for the old encrypted password, followed by
two prompts for the new encrypted password. Note that the SMBD daemon
must be running on the local host when the smbpasswd utility is invoked
by regular MPE users.
Samba encrypted passwords only apply when authenticating to the SMBD daemon.
Regular MPE USERPASS,ACCTPASS passwords (see below) apply when
authenticating to SWAT even if smb.conf says "encrypt passwords = yes".
For more information about encrypted passwords, please see /usr/local/samba/docs/htmldocs/ENCRYPTION.html.
Improved printer integration
Samba 2.2.8a offers greatly improved integration between MPE printers
and Windows clients:
- The Samba administrator can upload printer drivers to the Samba
server via standard Windows GUI interfaces when connected to the Samba
server as MGR.SAMBA
- End-users can download printer drivers from the Samba server
when installing new network printers on Windows
- Samba printer queues can be manipulated through standard Windows
GUI interfaces
To take full advantage of the improved printer integration, please see
/usr/local/samba/lib/samp-smb.conf for some necessary configuration file
modifications.
For further information about improved printer integration, please see
/usr/local/samba/docs/htmldocs/printer_driver2.html.
MPE filename mapping character now configurable
Previous versions of Samba would map PC filename characters that are not
legal on MPE to "_XX_", where "XX" is the hexadecimal value of the filename
character in question.
Samba 2.2.8a now allows the "_" mapping delimiter to be reconfigured to
any value. For example, to have special PC filename characters
mapped to ":XX:", specify "mpe mapping char = :" in smb.conf.
Note that changing the MPE mapping delimiter will cause MPE files using
the old delimiter to become inaccessible via the special PC filename.
For example, when your PC creates a file called "New Text Document.txt"
while Samba is using the default mapping delimiter, an MPE file called "New_20_Text_20_Document.txt"
is created.
If you then specify "mpe mapping char = :" in smb.conf, a PC trying to
access "New Text Document.txt" will cause Samba to look for "New:20:Text:20:Document.txt".
The original file will still exist, but must now be referenced
from the PC as "New_20_Text_20_Document.txt".
If you decide to change mapping characters, for best results you should
rename all MPE files that are using the old naming convention.
Domain security now functional
The smb.conf option "security = domain" is now functional on MPE as of
Samba 2.2.8a, which means that you can now authenticate to Samba using
your regular Windows domain logons. If you use this option, note
that you will need to use the /usr/local/samba/lib/user.map file to map
the Windows domain logons to valid MPE users.
Swat -a option no longer required
The SWAT utility is now capable of authenticating against MPE userids &
passwords, so you no longer need to use the -a option to run SWAT in the
unauthenticated anonymous mode. MPE passwords use the standard Samba
format of USERPASS,ACCTPASS, even if "encrypt passwords = yes" is specified
in smb.conf.
Functionality not implemented or supported
Samba's functionality for serving as a Primary or Backup Domain Controller
has not been tested on MPE and is not supported by HP.
Samba support for server-side Access Control Lists (ACLs) has not been
implemented on MPE. Samba continues to map Windows ACL changes onto
the standard Unix owner/group/other permissions model.
Other MPE-specific issues
Filename mapping
PC filenames can use characters that are not valid in MPE filenames. Therefore
when a PC tries to create such a file on an MPE Samba share, Samba must
map these extra PC characters into something valid for MPE.
The following PC filename characters are valid in MPE filenames in addition
to digits and letters:
$ % * + - . / : \ ^ _ ` { | } ~
Any characters NOT mentioned above will be mapped to the string "_XX_"
where "XX" is the hexadecimal representation of the ASCII character in
question. The leading and trailing "_" character can be reconfigured
via the "mpe mapping char" directive in smb.conf (see above).
Distribution file layout
All files are installed below /SAMBA/SMB228A. Some of the major files
and directories:
- ReadME.mpe
- you're reading it now
- ReadME.mpe.207
- earlier MPE-specific information not duplicated here
- NMBD
- the NetBIOS nameserver daemon NMPRG
- SMBD
- the SMB/CIFS file and print sharing daemon NMPRG
- SWAT
- the web server NMPRG for browser-based editing of Samba config files
- bin/
- directory containing utility programs such as smbpasswd and testparm
- docs/
- directory containing documentation in text and HTML format
- lib/
- directory containing sample configuration files to be used as templates
for creating your real configuration files
- man/
- directory containing man page documentation -- export MANPATH="/usr/local/samba/man:$MANPATH";
man xxxxx
- printers/
- directory for storing uploaded printer drivers (initially empty)
- private/
- directory containing the smbpasswd encrypted password file (initially
empty)
- samp-JNMB
- sample job stream for running NMBD (some customer environments may
require the use of PRI=CS for adequate performance)
- samp-JSMB
- sample job stream for running SMBD (some customer environments may
require the use of PRI=CS for adequate performance)
- sbin/
- directory containing symbolic links for nmbd, smbd, and swat
- spool/
- directory for temporary print files before they are spooled to MPE (initally
empty)
- src/
- directory containing source code for the rawlp support utility and the
MPE porting diffs
- swat/
- directory containing SWAT support files
- var/
- directory containing log files, pid files, and various runtime databases
(initally empty)
Unencrypted MPE password authentication
Samba offers two types of password authentication -- unencrypted (the
default) and encrypted (see above).
Unencrypted passwords are of the format USERPASS,ACCTPASS where USERPASS
is the MPE user password and ACCTPASS is the MPE account password corresponding
to the MPE USER.ACCT that you are authenticating as.
If there is only an MPE user password without an account password, simply
specify USERPASS. But if there is only an MPE account password without
a user password, you must specify ,ACCTPASS.
Bytestream VS. non-bytestream file access
Samba is a POSIX program and uses the POSIX API for all file access.
As a result, Samba works best when accessing POSIX bytestream files.
Whenever a PC creates a new file on a Samba share, Samba will create
a POSIX bytestream file on the MPE side.
Samba can read from traditional MPE record format files but cannot always
determine the EOF correctly and may experience slow performance.
Guest users
Enabling Samba to allow authentication as a guest user is not recommended
because numerous hacker tools exist to exploit guest services.
If you MUST allow guest access, do not configure the guest user in smb.conf
to be MGR.SAMBA because MGR.SAMBA has full access to sensitive files in
the SAMBA account. The Samba 2.2.8a installation script creates a
minimum-capability GUEST.SAMBA user that should be used instead.
For further information
|
Printable version
