* Stateful (!) personality
- Not same kind of statefulness as CIFS
- session is at app layer, not TCP layer.
- locks state are in controller memory, not persistent. Client can re-check on lock and ensure no disruption during HA event.
* UDP no longer supported
* GSS-API: Generic Security Services API (RPCSEC_GSS)
- Kerberos
- LIPPKEY - Low Infrastructure Public Key Mechanism
- Simple PUblic Key Mechanism (SPKM-3)
* Kerberos 5
- Symetric key
- Encrypted tickets and sesions keys from KDC
- Unix use MIT
- Windows use 2008R2 AD
- Support for Kerberos attribute is REQUIRED on client and server,
but run time can opt to leave this blank;
whence Kerberos is not a must to have NFSv4 client talkign to NFSv4 server.
* ACL is much closer and interoperable with CIFS
- based on NTFS model
- array of ACE (Access Control Entries)
- support allowed and denied permissions, flags
- UID/GID are string based (eg user@domain) instead of 32-bit integers used in NFSv3. (!!)
+ vserver nfs show -vserver nas1 -fields v4-numeric-ids :
make netapp respond with numeric UID for client that cannot understand string,
this would generally make things easier (eg for transition period) [TR-4072 page 46]
- NFSv4 ACL, no support for POSIX ACL (migration from 3rd party must manually set NFSv4 ACL)
- nfs4_setfacl -e
nfs4_getfacl /home/als/physbase/hlc/General/
nfs4_editfacl
nfs4_setfacl
* At least on netapp OnTap 9.x
- traditional bits permisisons seems to be kept in parallel to NFSv4 ACL on the file object
- chmod in NFSv3 by default will change NFSv4 ACL, unless such trigger is set not to happen
* Pseudo FS (in dedicated namespace)
- entry point at /
- junction path
* Client need /etc/idmapd.conf
- if not set, use `domainname`
NFSv4 ref
- TR-4067: Clustered Data ONTAP NFS Implementation and Best Practice Guide(2017.07). Page 81 discuss about NFSv4.1 and numeric id (instead of default string-based id)
[cache]
- TR-4073 (2017) - NFSv4.x LDAP, etc security mappings.
- TR-3580: NetApp NFSv4 Best Practices Guide(2016.02)
[cache] - covers more details and background of NFSv3 vs NFSv4, ACL, etc.
-
- https://help.ubuntu.com/community/NFSv4Howto:
- Can operate without a Domain/Kerberos server. set NEED_SVCGSSD=no, and NFSv4 can rely on client side authentication as in NFSv3, albeit this isn't all that secure.
- Use with Kerberos (MIT or Heimdal) + KDC (Key Distribution Center) provides much better security.
-
- NFS exports works differently. On the server side, it has a root export where everything else falls under.
- Typically default to proto=tcp,port=2049
- /etc/idmapd.cfg, nfsidmap, map user with different UID b/w NFSv4 server and client.
-
- http://www.enterprisenetworkingplanet.com/netos/article.php/3644471/Implement-NFSv4-Domains-and-Authentication.htm (from 2006!):
- NFSv4 introduce concept of Domain. Many would rely on DNS domain for client and server to match. Solaris allow for setting an explicit NFS domain.
- In addition to UID/GID needing to batch b/w client and server, Domain must match as well.
- Could use DNS RR or TXT record to specify domain.
- Eisler's NFS blog describe how to use Active Directory with NFSv4. From 2005! Long solved problem, how many use it?
Samba
samba 3 uses NT domain logins to serve account information, and
samba 4 is compatible with active directory.
samba 2 use smbpasswd. samba 3 use pdbedit (and no more smbpasswd?)
samba 2.x
smbpasswd -j -r -Uuser%password
run winbindd
then start samba.
getent
nmblookup -U -R
---
samba 3.0 use the "net" command:
net [method] [-d dbgLevelNum] join member -Uadministrator%password -S tileg-bdc1
member = add host as member host (not as pdc/bdc)
-S = target (window) server to use
[method] can be blank, it will auto detect
ads = XP style
rpc = nt4 style
ads = win95 style ?
-d 0-10 specify debug level info (spill to console), 0=none, 5=a lot, 10=unreadable. Try 3.
net testjoin
check whether domain participation is still valid
# no longer avail???
net help
show help
---
strace -o /tmp/output smbpasswd ...
to see what file it opens, has tendendy to open wrong smb.conf
wbinfo -u
list all doamin user
bin/testparm lib/smb.conf
check that smb.conf is correct.
smbclient //10.0.71.231/cifs -W ntdom1 -Uadministrator%password
ftp like client to connect to nt-style share
smbclient -L 10.0.71.231 -N
list shares available from the given server
-N = force no ask password
----
update 2004/06/23, for samba 3.0, in tileg/hybridauto
config procedure
create /usr/local/samba/lib/smb.conf file (see eg here for core elements).
bin/testparm lib/smb.conf
add member host in PDC via server manager.
net join -Uadmin -S PDC-server # for security=server
sbin/nmbd
sbin/smbd -D -s lib/smb.conf
# parameters are really default, but just in case samba have its own mind.
sbin/smbd --version
# show version
If using security=user, then may need to use smbpasswd -a to add user
Although it seems to authenticate via NIS if no smbpasswd entry.
---
2005/12/02
quick and dirty config w/o domain fuss,
in smb.conf, set to use user level security mode (ie local list of samba user) :
security = user
add users to smbpasswd file as (user must be recognized os level user):
smbpasswd -a USERNAME
change existing user password:
smbpasswd USERNAME
Samba 3 use pdbedit.
pdbedit -L -v # list samba users, verbose
# samba local db stored in /var/lib/samba/private/private.tdb
---
logs:
location specified by smb.conf, typically /usr/local/samba/var
log.IP = NetBIOS ip to name resolution log, per each client machine connecting to the server.
log.HOSTNAME = smbd log for each connecting client after netbios name resolution.
log.nmbd = nmbd server process/status log
log.smbd = smbd server process/status log. level determined by smb.conf
smb.conf
[global]
; Wcry-like exploit
; security fix as per http://thehackernews.com/2017/05/samba-rce-exploit.html?m=1
nt pipe support = no
# log level = 3 passdb:5 auth:10 winbind:2
# log level = 0 (default)
log level = 2
# workgroup = NT-Domain-Name or Workgroup-Name, eg: REDHAT4
workgroup = TILEG # NT4
# Security mode. Defines in which mode Samba will operate. Possible
# values are share, user, server, domain and ads. Most people will want
# user level security. See the HOWTO Collection for details.
#security = user # user = local passwd/smbpasswd file
security = server # need to join machine to nt domain
#security = domain # probably never used this.
# whether to use encrypted password
#encrypt passwords = yes # default = yes
#encrypt passwords = no
load printers = yes
log file = /usr/local/samba/var/log.%m
password server = tileg-bdc1
# this was needed as somehow my machine could not determin
# who was PDC, probably no broadcast on this vlan.
wins support = no
wins server = 10.215.2.21
# set it so that samba is not wins server,
# and have it use wins on BRIO-BDC1
# otherwise, lot of browse by \\hostname will get bad
# unresolvable hostname :(
socket options = TCP_NODELAY
dns proxy = no
#============================ Share Definitions ==============================
### custom settings here
[test]
comment = test dir
browsable = yes
read only = no
create mode = 755
path = /export/tmp/test
user = tho
#============================ Share Definitions ==============================
### this and other were smb.conf.default settings.
[homes]
comment = Home Directories
browseable = no
writable = yes
username mapping
in smb.conf, there is a clause like
username map = /etc/samba/smbusers
which by default is
root=administrator admin
nobody=guest pcguest smbg
This file can be updated to map user whose login name differ between unix and windows.
SID to UID/GID mapping
the ID numbers is what the computer use.
winbind has to provide unix UID/GID numbers. If a username is not resolvable to unix UID number, it will generate a number and use it.
The number generated is in a range defined in smb.conf.
This number is stored in "idmap" and there is a "net idmap" command to do dump and restore (edit is by hand edit this file and reimport?).
pdbedit is the samba user database. User of samba need to have account added here.
The UID number assigned here may differ from what winbind (wbinfo) may return.
OS calls such as getent and id would honor the UID# assigned in pdbedit (when winbind is used in nsswitch.conf).
Not sure what order of precedence wbinfo works on.
It does "do the right thing" in that id would look at places where one can manipulate UID# using pdbedit (?)
pdbedit — manage the SAM database (Database of Samba Users)
pdbedit entry can overwrite UID# winbindd returns
getent passwd USERNAME will return UID# specified in pdbedit (nsswitch.conf passwd use "files winbind")
pdbedit -L -w -d0 # -L = list all entries (ie a dump).
# -w = smbpasswd format
# -d0= debug level 0 (may still get warning messages in output)
pdbedit --modify
pdbedit -a sn # add user sn. user must exist as unix (passwd) or windows (AD) user.
pdbedit -x -u sn # deleting a user that has a uid randomly assigned
# and readding it after it exist in passwd
# may set it to have the right UID#
wbinfo # query winbind for info
wbinfo -u | wc # list all --domain-users
wbinfo -n ateran # --name-to-sid
wbinfo --user-sidinfo SID # return passwd-like string with UID# for a given SID
wbinfo -S S-1-5-21-1224182940-43089146-691797619-2275 # --sid-to-uid eg: 781
wbinfo -s S-1-5-21-1224182940-43089146-691797619-4805 # --sid-to-name
wbinfo --sid-to-fullname SID # conver to DOMAIN\username
wbinfo --user-sids SID # list group SID a given SID belongs to
wbinfo --user-domgroups SID # list domaingroup a given SID belongs to
wbinfo --sid-aliases S-1-5-21-1224182940-43089146-691797619-2275 # sid has aliases!!
wbinfo -i bofh # login to uid#
wbinfo -r bofh # get unix secondary gid for named user
wbinfo --uid-info 781 # return passwd-like string for given uid#
ref:
samba doc on wbinfo
winbind
winbindd perform SID to UID# mapping.
info stored in a db.
ref:
NAME AND ID RESOLUTION section of winbindd samba doc
UID# are often generated for user w/o unix passwd entry. Thus, if have multiple machine running winbindd, would be good to
setup cronjob to keep the winbid db in sync (idmap)
net cache flush
idmap does mapping between SID and UID#/GID#.
When the file is dumped, it can be (carefully) edited and (re)-imported (by different hosts).
# syncing IDs between different winbind machines
net idmap dump /var/lib/samba/winbindd_idmap.tdb > dumpfile.txt
net idmap restore /var/lib/samba/winbindd_idmap.tdb < dumpfile.txt
net idmap dump winbindd_idmap.tdb > /dev/null 2>&1 | ssh slave.samba.net 'net idmap restore' > /dev/null 2>&1
ref:
Samba3 :: Chapter 12. Remote and Local Management: The Net Command :: Managing IDMAP UID/SID Mappings (at the end)
wbinfo -m # list --trusted-domains
wbinfo --own-domain # what domain this smb server is on
wbinfo -p # --ping winbindd to ensure connection still good
wbinfo -P # --ping-dc to ensure connection still good
wbinfo -t # --check-secret of workstation to AD still good
# ie determine if secret used to join ntdomain is still good (security=server)
net cmd
To interact with AD, the DOS net commands are available.
net rpc info
the net idmap command operates locally and is covered in the UID to SID mapping section above
See also:
Netapp
Isilon
Synology
Synology NAS Admin cmd CLI ref,
covers: synouser, synogroup, synoshare, synonet, synoservice, synowin (ADS domain settings).
GUI:
DSM 6.2: Control panel, info, General. See model and serial. CPU, number of expansion unit attached, etc.
DSM 6 storage pool repair. When no hot spare is available, (but a disk is available as unused), go to Action, Repair, and drag an available drive/slot into the desired array that has a place holder "require disk", then the RAID rebuild process will kick on. This allow specifiying which disk to use as replacement drive (hopefully fail back to the original source once the drive has been replaced, this is so all disks for a RAID group is in same enclosure, and not subceptable to the single link failure (1 IB-like cable is used between head and expansion shelf).
DSM 6 hotspare.
When a hotspare has been removed, after reinstall, it will no longer be hotspare anymore (just becomes an available drive, unused, in the system. Reassign as hotspare is a manual process. Once done, then drive failure in any RAID gropu in any shelf can use the hotspare automagically.
syno-letsencrypt
syno_disk_ctl
syno_disk_health_record ... these are likely deamon process
synoupgrade? synostorage
syno* eg synocopy, synocrond, synocleaner
syn_[tab][tab]
RackStation RS4017xs+ HW Install Guide
page 8 has
drives are numbers horizontally first, then down.
[ 1][ 2][ 3][ 4]
[ 5][ 6][ 7][ 8]
[ 9][10][11][12]
[13][14][15][16]
from support, it like /dev/sd* are assigned somewhat randomly, it scan order at system boot.
hoti1
bofh1
- Can operate without a Domain/Kerberos server. set NEED_SVCGSSD=no, and NFSv4 can rely on client side authentication as in NFSv3, albeit this isn't all that secure.
- Use with Kerberos (MIT or Heimdal) + KDC (Key Distribution Center) provides much better security.
- NFSv4 introduce concept of Domain. Many would rely on DNS domain for client and server to match. Solaris allow for setting an explicit NFS domain.
- In addition to UID/GID needing to batch b/w client and server, Domain must match as well.
- Could use DNS RR or TXT record to specify domain.
hoti1
bofh1