Samba 3.0.22 for MPE/iX


	»	Home

	»	Software
	»	Papers & Training
	»	Java

Samba 3.0.22: Last updated September 26, 2007

HP vCSY is pleased to announce the availability of Samba 3.0.22 for MPE/iX 6.5, 7.0, and 7.5. This version of Samba offers new functionality compared to the previous HP release of Samba 2.2.8a for MPE/iX. Samba 3.0.22 is distributed by the following base patches that can be obtained from the HP Response Center:

SMBMXY6D (BT) for MPE/iX 6.5
SMBMXY6E (BT) for MPE/iX 7.0
SMBMXY6F (BT) for MPE/iX 7.5

Note: These versions replace the original A, B, C versions and include a "Large Disk" aware script my_dfree to implement the samba.conf "dfree command" function.

A Communicator article describes features unique to 3.0.22 which are supported on MPE/iX. It also covers features not supported on MPE/iX, performance tuning tips, how to configure SWAT, and where to get more information.

The Samba 3.0.22 Porting Whitepaper covers in depth the steps taken by HP to port this version of Samba to MPE/iX. This should also prove useful to others looking to do their own open source ports to MPE/iX.

Samba 2.2.8a: Last updated August 25, 2005 HP vCSY is pleased to announce the availability of Samba 2.2.8a for MPE/iX 6.5, 7.0, and 7.5. This version of Samba offers significant new functionality compared to the previous HP release of Samba 2.0.7 for MPE/iX. Please read this entire document carefully before installing 2.2.8a.

Samba 2.2.8a is distributed by the following base patches that can be obtained from the HP Response Center:

SMBMXG3A (GR) for MPE/iX 6.5
SMBMXG3B (GR) for MPE/iX 7.0
SMBMXG3C (GR) for MPE/iX 7.5

After installing the appropriate base patch, please install the corresponding security patch:

SMBMXR5A (GR) for MPE/iX 6.5
SMBMXR5B (GR) for MPE/iX 7.0
SMBMXR5C (GR) for MPE/iX 7.5

The above security patches will upgrade the SMBD server daemon to version 2.2.12.

Migrating from Samba 2.0.7

Users of Samba 2.0.7 need to be aware of the following issues before installing Samba 2.2.8a.

Streamlined installation layout(some files have moved)

Previous versions of Samba installed a few files into the SAMBA.SYS group and the remaining files into the SAMBA account. Starting with Samba 2.2.8a, all files are now installed into the SAMBA account in a version-specific group, i.e. SMB228A.SAMBA. The Samba 2.2.8a installation script does not modify any of the old Samba files in the SAMBA.SYS group.

The Samba 2.2.8a installation script automatically modifies the /usr/local/samba symbolic link to point to the new /SAMBA/SMB228A file location. A new symbolic link of /SAMBA/CURRENT is created to point to the same location.

If you have any jobs or UDCs or command files or /SYS/NET/INETDCNF etc that refer to the old SAMBA.SYS files, you will need to modify these old references to point to the new file locations. You should use either of the symbolic links to do this. I.e. instead of SMBD.SAMBA.SYS, you can refer to SMBD.CURRENT.SAMBA or /usr/local/samba/SMBD or /SAMBA/CURRENT/SMBD.

Existing 2.0.7 configuration files are compatible with 2.2.8a

Your existing 2.0.7 configuration files are compatible with 2.2.8a. Copy them from the old /SAMBA/SMB207/lib location to /usr/local/samba/lib or /SAMBA/CURRENT/lib.

In order to take full advantage of the new 2.2.8a functionality, it is recommended that you use /usr/local/samba/lib/samp-smb.conf as a template for creating a new smb.conf file.

New "full-power" model enabled by default

Previous versions of Samba for MPE required manually adding PM capability to the MGR.SAMBA user in order to enable "full-power mode" where Samba can authenticate against traditional MPE user & account passwords of the format USERPW,ACCTPW. This functionality is now enabled by default starting with Samba 2.2.8a.

Full-power mode is the recommended mode of operation. Besides the convenience of authenticating against traditional MPE passwords, full-power mode also enables Samba to setuid() to the authenticated user so that all file accesses occur with the authenticated user's access rights.

Full-power mode under Samba 2.2.8a is enabled for Samba program files if they are owned by MANAGER.SYS but reside in the SAMBA account. The full-power program files are currently NMBD, SMBD, and SWAT. Since PM capability on the MGR.SAMBA user is no longer required for full-power mode, it is removed by the Samba 2.2.8a installation script.

Migrating back to Samba 2.0.7

If after installing Samba 2.2.8a you decide that you want to migrate back to Samba 2.0.7, perform the following steps:

:HELLO MANAGER.SYS
:PURGELINK /usr/local/samba
:NEWLINK /usr/local/samba,/SAMBA/SMB207
:ALTUSER MGR.SAMBA;CAP=+PM (if you were previously using Samba 2.0.7 in full power mode)

Major new functionality since Samba 2.0.7

Samba 2.2.8a offers many bug fixes and enhancements since 2.0.7. The key enhancements supported on MPE are listed below.

Encrypted passwords

Previous versions of Samba on MPE could only perform SMB authentication using plaintext passwords which certain versions of Windows could only support via the registry modifications described in the /usr/local/samba/docs/Registry directory. Because passwords were transmitted over the network in plaintext, this constituted somewhat of a security exposure that some customers were not willing to risk.

With the release of Samba 2.2.8a, encrypted password functionality is now available to customers. Passwords are no longer transmitted over the network in plaintext, and registry modifications are no longer required. If you desire, you may now disable plaintext passwords in your Windows registry by modifying the registry values described in the /usr/local/samba/docs/Registry directory to be 0 (zero) instead of 1 (one).

Note that Samba encrypted passwords are maintained separately from MPE user & account passwords. The /usr/local/samba/bin/smbpasswd utility is used to maintain the encrypted passwords in the file /usr/local/samba/private/smbpasswd.

To enable Samba encrypted passwords, the Samba administrator must perform the following steps:

:HELLO MGR.SAMBA
Edit /usr/local/samba/lib/smb.conf to specify "encrypt passwords = yes"
Add an entry to /usr/local/samba/private/smbpasswd for each MPE USER.ACCOUNT that Samba will be authenticating:

/usr/local/samba/bin/smbpasswd -a USER.ACCOUNT encryptedpassword

Regular MPE users may then change their Samba encrypted passwords by running /usr/local/samba/bin/smbpasswd without any parameters. The smbpasswd utility will first prompt for the old encrypted password, followed by two prompts for the new encrypted password. Note that the SMBD daemon must be running on the local host when the smbpasswd utility is invoked by regular MPE users.

Samba encrypted passwords only apply when authenticating to the SMBD daemon. Regular MPE USERPASS,ACCTPASS passwords (see below) apply when authenticating to SWAT even if smb.conf says "encrypt passwords = yes".

For more information about encrypted passwords, please see /usr/local/samba/docs/htmldocs/ENCRYPTION.html.

Improved printer integration

Samba 2.2.8a offers greatly improved integration between MPE printers and Windows clients:

The Samba administrator can upload printer drivers to the Samba server via standard Windows GUI interfaces when connected to the Samba server as MGR.SAMBA
End-users can download printer drivers from the Samba server when installing new network printers on Windows
Samba printer queues can be manipulated through standard Windows GUI interfaces

To take full advantage of the improved printer integration, please see /usr/local/samba/lib/samp-smb.conf for some necessary configuration file modifications.

For further information about improved printer integration, please see /usr/local/samba/docs/htmldocs/printer_driver2.html.

MPE filename mapping character now configurable

Previous versions of Samba would map PC filename characters that are not legal on MPE to "_XX_", where "XX" is the hexadecimal value of the filename character in question.

Samba 2.2.8a now allows the "_" mapping delimiter to be reconfigured to any value. For example, to have special PC filename characters mapped to ":XX:", specify "mpe mapping char = :" in smb.conf.

Note that changing the MPE mapping delimiter will cause MPE files using the old delimiter to become inaccessible via the special PC filename. For example, when your PC creates a file called "New Text Document.txt" while Samba is using the default mapping delimiter, an MPE file called "New_20_Text_20_Document.txt" is created.

If you then specify "mpe mapping char = :" in smb.conf, a PC trying to access "New Text Document.txt" will cause Samba to look for "New:20:Text:20:Document.txt". The original file will still exist, but must now be referenced from the PC as "New_20_Text_20_Document.txt".

If you decide to change mapping characters, for best results you should rename all MPE files that are using the old naming convention.

Domain security now functional

The smb.conf option "security = domain" is now functional on MPE as of Samba 2.2.8a, which means that you can now authenticate to Samba using your regular Windows domain logons. If you use this option, note that you will need to use the /usr/local/samba/lib/user.map file to map the Windows domain logons to valid MPE users.

Swat -a option no longer required

The SWAT utility is now capable of authenticating against MPE userids & passwords, so you no longer need to use the -a option to run SWAT in the unauthenticated anonymous mode. MPE passwords use the standard Samba format of USERPASS,ACCTPASS, even if "encrypt passwords = yes" is specified in smb.conf.

Functionality not implemented or supported

Samba's functionality for serving as a Primary or Backup Domain Controller has not been tested on MPE and is not supported by HP.

Samba support for server-side Access Control Lists (ACLs) has not been implemented on MPE. Samba continues to map Windows ACL changes onto the standard Unix owner/group/other permissions model.

Other MPE-specific issues

Filename mapping

PC filenames can use characters that are not valid in MPE filenames. Therefore when a PC tries to create such a file on an MPE Samba share, Samba must map these extra PC characters into something valid for MPE.

The following PC filename characters are valid in MPE filenames in addition to digits and letters:

$ % * + - . / : \ ^ _ ` { | } ~

Any characters NOT mentioned above will be mapped to the string "_XX_" where "XX" is the hexadecimal representation of the ASCII character in question. The leading and trailing "_" character can be reconfigured via the "mpe mapping char" directive in smb.conf (see above).

Distribution file layout

All files are installed below /SAMBA/SMB228A. Some of the major files and directories:

ReadME.mpe: you're reading it now
ReadME.mpe.207: earlier MPE-specific information not duplicated here
NMBD: the NetBIOS nameserver daemon NMPRG
SMBD: the SMB/CIFS file and print sharing daemon NMPRG
SWAT: the web server NMPRG for browser-based editing of Samba config files
bin/: directory containing utility programs such as smbpasswd and testparm
docs/: directory containing documentation in text and HTML format
lib/: directory containing sample configuration files to be used as templates for creating your real configuration files
man/: directory containing man page documentation -- export MANPATH="/usr/local/samba/man:$MANPATH"; man xxxxx
printers/: directory for storing uploaded printer drivers (initially empty)
private/: directory containing the smbpasswd encrypted password file (initially empty)
samp-JNMB: sample job stream for running NMBD (some customer environments may require the use of PRI=CS for adequate performance)
samp-JSMB: sample job stream for running SMBD (some customer environments may require the use of PRI=CS for adequate performance)
sbin/: directory containing symbolic links for nmbd, smbd, and swat
spool/: directory for temporary print files before they are spooled to MPE (initally empty)
src/: directory containing source code for the rawlp support utility and the MPE porting diffs
swat/: directory containing SWAT support files
var/: directory containing log files, pid files, and various runtime databases (initally empty)

Unencrypted MPE password authentication

Samba offers two types of password authentication -- unencrypted (the default) and encrypted (see above).

Unencrypted passwords are of the format USERPASS,ACCTPASS where USERPASS is the MPE user password and ACCTPASS is the MPE account password corresponding to the MPE USER.ACCT that you are authenticating as.

If there is only an MPE user password without an account password, simply specify USERPASS. But if there is only an MPE account password without a user password, you must specify ,ACCTPASS.

Bytestream VS. non-bytestream file access

Samba is a POSIX program and uses the POSIX API for all file access. As a result, Samba works best when accessing POSIX bytestream files.

Whenever a PC creates a new file on a Samba share, Samba will create a POSIX bytestream file on the MPE side.

Samba can read from traditional MPE record format files but cannot always determine the EOF correctly and may experience slow performance.

Guest users

Enabling Samba to allow authentication as a guest user is not recommended because numerous hacker tools exist to exploit guest services.

If you MUST allow guest access, do not configure the guest user in smb.conf to be MGR.SAMBA because MGR.SAMBA has full access to sensitive files in the SAMBA account. The Samba 2.2.8a installation script creates a minimum-capability GUEST.SAMBA user that should be used instead.

For further information

http://www.samba.org/
Configuring and Managing MPE/iX Internet Services manual (contains useful Samba information not duplicated here)
/usr/local/samba/ReadME.mpe.207
/usr/local/samba/docs
/usr/local/samba/man

Top JazzInfo Hosted by 3kRanger.com email 3kRanger Updated