7/23/2019 Solaris CIFS Service
1/39
CIFS
Solaris CIFS Service
Seamless, ubiquitous, cross-protocol file sharing
Jarod Nash
Revenue Product Engineering, Sun Microsystems, Inc.
Solaris CIFS Server: TOI Overview
- Background
- Workgroup Demo
  - Explanation of Workgroup Mode setup
  - Including sharemgr
- Domain Demo
  - Domain Model setup
  - Including identity mapping (idmap)
- Other CIFS changes in Solaris
Solaris CIFS Server: Background
"Seamless, ubiquitous, cross-protocol file sharing" - Alan Wright, Project Lead for CIFS Server
- CIFS server is now a first class citizen in Solaris
  - Putback into Development/Nevada October 2007
  - Available in Solaris Express and OpenSolaris 2008.03
  - 25+ ARC cases, 800 files, approximately 370,000 lines of code (including 180,000 lines of new code)
- Tight integration with NFS; Windows/CIFS concepts such as Security Identifiers and Access Tokens are now native to the Solaris kernel
Workgroup Mode Demo
Workgroup Setup: Things to Know
- Only works with local /etc/passwd users
  - NIS/NIS+/LDAP not supported
- "Works out of the box" not quite true
  - PAM modification required to generate SMB passwords
  - SMB passwords need to be generated for local accounts
  - Only needs to be done at setup; after this the PAM change takes care of password updating automatically
- Windows "GUEST" account not supported (Samba: guest ok = yes)
  - All access must be via authenticated local accounts
Workgroup Setup
- Enable CIFS Server (along with dependencies):
  svcadm enable -r smb/server
- Set mode for SMB server
  - Not needed if using the default workgroup "WORKGROUP":
  smbadm join -w WORKGROUP
- Add the following line to pam.conf; this will generate SMB-style passwords for local users:
  other password required pam_smb_passwd.so.1 nowarn
- Generate SMB passwords for existing local users
Done!
sharemgr(1m)
- New share management admin interface
- Manages NFS and CIFS shares
  - To a large extent, NFS and CIFS behave similarly
- sharemgr works with groups of shares associated with sharing protocols
  - Protocols may be nfs, smb or both
  - Default is both
- Two automatic groups
  - default: legacy share(1m) interface
  - zfs: shares created via the zfs(1m) interface
share(1m)/sharemgr(1m) Examples
# cat /etc/dfs/dfstab
...
share -F nfs -o ro /export/install          <- Traditional dfstab entry
# sharemgr show -vp default
default nfs=()                              <- Autogenerated "default" sharemgr group entry
    /export/install nfs=() nfs:sys=(ro="*")
# sharemgr create -P nfs home               <- Create group, then add share
# sharemgr add-share -s /export/home home
# sharemgr show -vp home
home nfs=()
    /export/home
# cat /etc/dfs/dfstab
...
share -F nfs /export/home @home             <- Autogenerated dfstab entry
zfs(1m)/sharemgr(1m) Examples
# zfs list | grep pool/home
pool/home         57K  9.84G   21K  /pool/home
pool/home/jarod   18K  9.84G   18K  /pool/home/jarod
pool/home/rayh    18K  9.84G   18K  /pool/home/rayh
# zfs set sharenfs=on pool/home
# sharemgr show -vp zfs
zfs
    zfs/pool/home nfs=()
        /pool/home
        /pool/home/jarod
        /pool/home/rayh
zfs(1m)/sharemgr(1m) Examples
# zfs list | grep install
pool/install          57K  9.84G   21K  /pool/install
pool/install/snv_95   18K  9.84G   18K  /pool/install/snv_95
pool/install/snv_96   18K  9.84G   18K  /pool/install/snv_96
# zfs set sharenfs=ro pool/install          <- Share read-only
# sharemgr show -vp zfs
zfs
    zfs/pool/home nfs=()
        /pool/home
        /pool/home/jarod
        /pool/home/rayh
    zfs/pool/install nfs=() nfs:sys=(ro="*")
        /pool/install
        /pool/install/snv_95
        /pool/install/snv_96
This shows the 2 shares in the "zfs" group with differing protocol security settings.
sharemgr(1m) and the smb protocol
- Differences in sharing behaviour/functionality between NFS and CIFS
  - SMB shares use resource names while NFS shares are path based; for NFS, the resource is merely an alias
    - SMB: jarod=/export/home/jarod
    - NFS: /export/home/jarod=/export/home/jarod
  - NFS only allows a given path to be shared once, while SMB allows it to be shared multiple times
    - This is handled with SMB via differing resource names
  - If an NFS path is shared, it is not also possible to share the parent or any subdirectory (in the same filesystem). SMB allows this
    - This is flagged in sharemgr output with "not-shared-with="
smb/sharemgr(1m) Examples
# sharemgr create home
# sharemgr add-share -s /export/home/jarod home
Resource name is required by at least one enabled protocol in group    <- SMB protocol requires a "resource name"
# sharemgr add-share -r jarod -s /export/home/jarod home
# sharemgr add-share -r home -s /export/home home                       <- Parent directory /export/home is shared twice
# sharemgr add-share -r newhome -s /export/home home
# sharemgr show -vp home
home smb=() nfs=()
    jarod=/export/home/jarod
    /export/home not-shared-with=[nfs]                                  <- Parent directory and double sharing reflected here
        newhome=/export/home
        home=/export/home
zfs/smb/sharemgr(1m) Examples
# zfs list pool/home/jarod
NAME              USED  AVAIL  REFER  MOUNTPOINT
pool/home/jarod    18K   134G    18K  /pool/home/jarod
# zfs set sharesmb=on pool/home/jarod           <- Create default SMB share with path-based resource
# sharemgr show -vp zfs
zfs
    zfs/pool/home/jarod smb=()
        pool_home_jarod=/pool/home/jarod        <- SMB resource value
# zfs set sharesmb=name=jarod pool/home/jarod   <- Use pseudo property "name" to set the SMB resource value
# sharemgr show -vp zfs
zfs
    zfs/pool/home/jarod smb=()
        /pool/home/jarod
            jarod=/pool/home/jarod              <- SMB resource values
            pool_home_jarod=/pool/home/jarod
Domain Mode Setup: Things to Know
- Integrates with Windows Active Directory (AD)
  - CIFS Server joins the AD domain and talks to the Domain Controller (DC) to authenticate access automatically
- Identity mapping between Windows Users and Unix Users performed by the idmap service
- UFS unchanged to support CIFS and lacks functionality
  - e.g. Windows Identity semantics, ACLs, case-insensitivity
Domain Mode Setup: Demo Network
[Diagram: Solaris CIFS Server with NIS+ users jarod and rayh; Windows XP client; Windows 2003 Server AD Domain Controller with AD users JarodN and RayH]
1. Authenticate to AD
2. Map share from Solaris
3. Solaris authenticates with DC
Domain Mode Setup (1)
- Enable CIFS Server (along with dependencies):
  svcadm enable -r smb/server
- Set SMB mode: DNS and Kerberos
  - Configure /etc/resolv.conf
    - Domain set to the AD domain, nameserver set to the DC IP
  - Configure Kerberos (AD uses Kerberos authentication)
    - In the /etc/krb5/krb5.conf file, specify the fully qualified AD domain name, in uppercase characters, as the default realm. Also, specify the fully qualified host name of the domain controller as the value for the kdc, admin_server, and kpasswd_server parameters. kpasswd_protocol is set to SET_CHANGE.
Domain Mode Setup (2)
- Sync clocks: the Solaris CIFS Server system needs to be within five minutes of the system clock of the DC (Kerberos requirement)
  ntpdate DC-host
- Join AD using a user with Domain Administrator privileges; domain-name is a fully qualified domain name
  smbadm join -u username domain-name
- Restart CIFS Server (known bug)
  svcadm restart smb/server
Domain Mode Setup (3): ID Mapping
- Windows AD needs to be mapped to the Solaris namespace for true interoperability, but not a requirement
- idmap provides a number of mapping mechanisms:
  - Fixed Windows "Well Known" Identities
  - Directory: AD or LDAP explicit mappings
  - Local Solaris CIFS Server idmap rules
  - Ephemeral and Local-SID
  - More about this in a few slides
- Daemon and Admin
  - idmapd(1m): cache and dynamic ID allocation
  - idmap(1m): mapping lookups, rule manipulation
Domain Mode Setup (4)
- Create idmap rule for all Windows users in all domains to Unix users with the same names:
  idmap add -d winname:*@* unixuser:*
- Create idmap rule to fix up username mismatch:
  idmap add winuser:JarodN unixuser:jarod
Done!
NOTE: These rules are not generic, just for the demo
Domain Mode Demo
Sorting ACLs
- Windows GUI needs ACLs to be sorted
  - Deny ACEs should appear before allow
Sorting ACLs Example
$ touch file
$ ls -v file
-rw-r--r--   1 jarod    techies        0 Sep 24 10:24 file
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow
     2:group@:write_data/append_data/execute:deny
     3:group@:read_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
$ ls -v file
-r--r--r--+  1 jarod    techies        0 Sep 24 10:24 file
     0:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
     1:user:jarod:execute:deny
     2:group:techies:write_data/append_data/execute:deny
     3:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
     4:user:jarod:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner/synchronize:allow
     5:group:techies:read_data/synchronize:allow
File's ACLs viewed and saved by the Windows client: order changed, Unix permissions now different.
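As an added example (not code from the slides or from Solaris), the deny-before-allow ordering described above applied to the ls -v ACE lines of the default file ACL. It reproduces only the sort rule; it does not rewrite owner@/group@ to named user/group entries as the Windows client did on the slide.

```python
# Added example (not from the slides): sort a ZFS ACL as printed by ls -v so
# that deny ACEs precede allow ACEs, the ordering the Windows GUI expects.

def parse_ace(line):
    """Parse one 'index:who:perms[:flags]:type' line from ls -v into a dict."""
    parts = line.strip().split(":")
    # 'user:NAME' and 'group:NAME' principals contain a colon themselves.
    if parts[1] in ("user", "group"):
        who, rest = parts[1] + ":" + parts[2], parts[3:]
    else:
        who, rest = parts[1], parts[2:]
    ace = {"who": who, "perms": rest[0], "type": rest[-1]}
    if len(rest) == 3:           # directory ACEs carry an inheritance-flags field
        ace["flags"] = rest[1]
    return ace

def format_ace(index, ace):
    """Render an ACE back into ls -v form with a new index."""
    fields = [str(index), ace["who"], ace["perms"]]
    if "flags" in ace:
        fields.append(ace["flags"])
    fields.append(ace["type"])
    return ":".join(fields)

def sort_deny_first(lines):
    """Return the ACE lines renumbered with every deny entry before every allow
    entry. The sort is stable, so relative order within each class is kept."""
    aces = [parse_ace(line) for line in lines if line.strip()]
    ordered = sorted(aces, key=lambda a: a["type"] != "deny")
    return [format_ace(i, a) for i, a in enumerate(ordered)]

# Constructed input: the 'before' ACL from the slide (default ACL of a new 0644 file).
SLIDE_ACL = [
    "0:owner@:execute:deny",
    "1:owner@:read_data/write_data/append_data/write_xattr/write_attributes/write_acl/write_owner:allow",
    "2:group@:write_data/append_data/execute:deny",
    "3:group@:read_data:allow",
    "4:everyone@:write_data/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny",
    "5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow",
]

if __name__ == "__main__":
    for ace_line in sort_deny_first(SLIDE_ACL):
        print(ace_line)
```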
SIDs and UIDs/GIDs
- Sharing protocol interoperability has seen several solutions to the SID/UID/GID storing/mapping problem:
  1. Store SID, map to/from UID/GID
     - Microsoft Services for Unix (SFU)
  2. Store UID/GID, map to/from SID
     - Samba offers name mapping, algorithmic, name service entries
  3. Store both
     - Netapp's WAFL uses NTFS/Unix "qtrees" which store one and map the other ID
Identity Mapping: The Sun Way
- Maintain CIFS ownership semantics
  - Don't rely on mapping to recover the SID, store the SID!
  - Encoded as FUIDs (Filesystem Unique IDs) in
Mapping Mechanisms: Overview
[Diagram of the mapping mechanisms: Directory-based name mapping; Local name-based mapping rules; Ephemeral mapping (error code + ID_NOBODY); Local-SID mapping (error code + Local-SID); Fixed mapping]
Identity Mapping: Ephemeral
- Unknown Windows identities mapped to dynamically allocated UIDs/GIDs
  - Uses the next available UID/GID from 2^31 to 2^32-2 (ephemeral UIDs/GIDs)
  - Solaris UIDs/GIDs are now unsigned, but max out at MAXUID, leaving the unsigned range above for ephemerals
- Not retained across reboots
- Stored in SQLite 2.0 DB /var/run/idmap/idmap.db
  - Preserved across service restarts
  - If lost then previously allocated ephemeral uids/gids are never reused (unless rebooted); idmapd uses in-kernel state to determine the bottom of the valid range of IDs
Ephemeral Mapping Example
$ idmap show -c winuser:john
winuser:john@example.com -> uid:2147508225
$ idmap show -c uid:2147508225 winuser
uid:2147508225 -> winuser:john@example.com
Suppose a rule is added to map john to Unix user jd12345:
$ idmap add winuser:john@example.com unixuser:jd12345
$ idmap show -c winuser:john uid
winuser:john@example.com -> uid:12345
Ephemeral uid 2147508225 still maps to john:
$ idmap show -c uid:2147508225 winuser
uid:2147508225 -> winuser:john@example.com
Identity Mapping: Local SIDs
- If a non-ephemeral UID/GID cannot be mapped by name, then it is mapped to an algorithmically generated SID called a local-SID
- The local-SID is generated as follows:
  - local-SID for UID = <machine SID>-<1000 + UID>
  - local-SID for GID = <machine SID>-<2^31 + GID>
- <machine SID> is a unique SID generated by the idmap service for the host on which it runs
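As an added example (not code from the slides or from the Solaris idmap service), the local-SID formulas above worked in both directions, with the ephemeral range from the "Identity Mapping: Ephemeral" slide used to refuse IDs that must not receive a local-SID. The machine SID is a constructed placeholder; a real one is generated by idmapd.

```python
# Added example (not from the slides or the idmap source): algorithmic
# local-SID mapping for non-ephemeral UIDs/GIDs and its inverse.
EPHEMERAL_MIN = 2**31          # first ephemeral UID/GID (above MAXUID)
EPHEMERAL_MAX = 2**32 - 2      # last ephemeral UID/GID
UID_RID_BASE = 1000            # local-SID for UID = <machine SID>-<1000 + UID>
GID_RID_BASE = 2**31           # local-SID for GID = <machine SID>-<2^31 + GID>

# Constructed machine SID for illustration; on a real host idmapd generates one.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

def is_ephemeral(id_):
    """True if a UID/GID lies in the dynamically allocated ephemeral range."""
    return EPHEMERAL_MIN <= id_ <= EPHEMERAL_MAX

def local_sid(id_, is_group, machine_sid=MACHINE_SID):
    """Local-SID for a non-ephemeral UID (is_group=False) or GID (is_group=True).
    Returns None for negative, ephemeral or out-of-range IDs, and for UIDs whose
    RID would land in the GID range (the two formulas would then be ambiguous)."""
    if not 0 <= id_ < EPHEMERAL_MIN:
        return None
    rid = (GID_RID_BASE if is_group else UID_RID_BASE) + id_
    if not is_group and rid >= GID_RID_BASE:
        return None
    return f"{machine_sid}-{rid}"

def from_local_sid(sid, machine_sid=MACHINE_SID):
    """Invert local_sid(): (id, is_group) for a local-SID of this host, else None.
    RIDs below 1000 belong to well-known local accounts, not to UIDs."""
    prefix = machine_sid + "-"
    if not sid.startswith(prefix) or not sid[len(prefix):].isdigit():
        return None
    rid = int(sid[len(prefix):])
    if rid >= GID_RID_BASE:
        return rid - GID_RID_BASE, True
    if rid >= UID_RID_BASE:
        return rid - UID_RID_BASE, False
    return None

if __name__ == "__main__":
    # 2147508225 is the ephemeral uid from the slide's idmap example: no local-SID.
    for uid in (0, 1001, 2147508225):
        print("uid", uid, "->", local_sid(uid, False))
    gid_sid = local_sid(10, True)
    print("gid 10 ->", gid_sid, "->", from_local_sid(gid_sid))
```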
Unified Access Control Model
- Security Descriptors (SDs) used by CIFS for protection
  - Encoded as ACLs in
- UFS ACLs have no explicit deny or audit ACEs, only 3 permission bits and a different access check algorithm
  - Split/merged appropriately by Solaris CIFS during translation
- Default CIFS service applies Windows inheritance rules for CIFS operations
ZFS Enhancements for CIFS
- Case Insensitivity
  - Not required by the SMB protocol, but some Windows applications rely on case-insensitive behaviour
  - At filesystem creation time, can specify sensitive, insensitive or mixed (both behaviours)
  - foo.txt and Foo.txt not distinguishable to a CIFS client
  - Name mangling used to resolve conflicts, for example: foo.txt > FOO~8.txt, Foo.txt > FOO~9.txt
  - CIFS clients can open the original name; the returned file will be the first case-insensitive match
Alternate Data Streams
- NTFS treats files as a collection of streams
  - Regular file content is the default or unnamed stream
  - AKA a Resource Fork
- Named streams used to store arbitrary data
  - Metadata (statistics, notes, history) for documents
  - Viruses!
- Implemented using Solaris extended attributes
  - SUNWsmb prefix assigned to CIFS stream names
  - SUNWsmb prefix not seen by CIFS clients (use runat(1) on Solaris)
  - CIFS service explicitly assigns mode 0400
  - Unnamed stream UID/GID assigned to the stream xattr file
Extensible Attributes
- Not to be confused with extended attributes
- Extensible attributes maintained in extended attribute files:
  - SUNWattr_ro: read-only system attributes
  - SUNWattr_rw: read/write system attributes
- Supports DOS attributes: Archive, Read-only, Hidden, System
- Same API used by CIFS also supports other systems:
  - MacOS/BSD, e.g. IMMUTABLE, APPENDONLY
  - Solaris Virus Scanning (VSCAN ICAP implementation): AV_QUARANTINED, AV_MODIFIED
ls(1) Changes
NOTE: OpenSolaris has /usr/gnu/bin before /bin
# ls -/ c test.txt
-rw-r--r--   1 root     root           0 Jan 14 16:51 test.txt
                {A-RS---m--}
# ls -/ v test.txt
-rw-r--r--   1 root     root           0 Jan 14 16:51 test.txt
                {archive,nohidden,readonly,system,noappendonly,nonodump,noimmutable,av_modified,noav_quarantined,nonounlink}
# ls -l -% all file
-rw-r--r--   1 root     root           0 Jan 14 16:51 test.txt
                timestamp: atime    Jan 14 16:51:16 2008
                timestamp: ctime    Jan 14 16:53:07 2008
                timestamp: mtime    Jan 14 16:51:16 2008
                timestamp: crtime   Jan 14 16:51:16 2008
NOTE: Two-part switch to ls. Some may find this ugly!
chmod(1) Changes
NOTE: OpenSolaris has /usr/gnu/bin before /bin
# chmod S+cRS test.txt
# chmod S+v'{readonly,system}' test.txt
# ls -/c
-rw-r--r--   1 root     root           0 Jan 14 16:51 test.txt
                {A-RS---m--}
# chmod S-cRS test.txt
# chmod S-v'{readonly,system}' test.txt
# ls -/c
-rw-r--r--   1 root     root           0 Jan 14 16:51 test.txt
                {A------m--}
Use both compact (+c) and verbose (+v) forms to set the System Attributes Readonly and System.
tar(1), cpio(1) and pax(1) are aware of the new system attributes and have appropriate switches for archiving/unpacking.
References
- Sun Documentation: docs.sun.com/app/docs/doc/820-2429
- OpenSolaris site:
  - opensolaris.org/os/project/cifs-server/
  - opensolaris.org/os/project/cifs-server/docs/
- Genunix Guide to Solaris CIFS:
  - www.genunix.org/wiki/index.php/Getting_Started_With_the_Solaris_CIFS_Service
  - www.genunix.org/wiki/index.php/Solaris_CIFS_Service_Troubleshooting
- Developer Recipes: Setting up NAS: developers.sun.com/openstorage/articles/opensolaris_nas.html
Acknowledgements
- Sun Internal CIFS/Windows Interoperability TOIs
- Numerous blogs
- Sun Documents
- Stacey Marshall, Owen Roberts and Ray Hassan for their important help in assembling the material and providing feedback
Diagnostic Information
- Use chkcfg.sh and gendiag.sh: opensolaris.org/os/project/cifs-server/files/
- Diagnostic Information to Gather:
  - sharemgr show -vp
  - sharectl get smb
  - smbadm list
  - zfs get all
  - /etc/krb5/krb5.conf
  - /etc/pam.conf
  - /etc/resolv.conf
  - Network captures (wireshark, netmon)
  - Dtrace output
  - Environment (uname -a, Client OS, version and service packs)