HPE Community read-only access December 15, 2018
This is a maintenance upgrade. You will be able to read articles and posts, but not post or reply.
Hours:
Dec 15, 4:00 am to 10:00 am UTC
Dec 14, 10:00 pm CST to Dec 15, 4:00 am CST
Dec 14, 8:00 pm PST to Dec 15, 2:00 am PST
Operating System - OpenVMS
cancel
Showing results for 
Search instead for 
Did you mean: 

CIFS on OpenVMS IA64.

 
The Brit
Honored Contributor

CIFS on OpenVMS IA64.

I am just picking my way through the installation procedure for CIFS Vers 1.1 ECO1.

I have just reached a point where I am trying to "Build the HP CIFS Sources on OpenVMS". I have extracted all of the source code from the Kit, and the instructions then say, "Execute BUILD.COM with RELEASE as P1"
When I attempt this I get

$ @build release
%DCL-W-IVVERB, unrecognized command verb - check validity and spelling
\MMS\

which is generated by the last line in the script, vis.

$ MMS /MACRO='MAC 'ARGS

Refering back to the instructions, I noticed a footnote which said "...you need to install HP Module Management System for OpenVMS".

(MMS (??))

Is anyone familiar with this, and can tell me where I can get it?? I Googled it and got to a link which appeared promising,

http://h10010.www1.hp.com/wwpc/uk/en/sm/WF06b/18964-18964-391524-3212724-3212724-3212855-3719061.html

unfortunately, the number given does not pick up. (Also, I was a little concerned by the "Are you ready to buy" label.)

Thanks

Dave.
32 REPLIES
Hoff
Honored Contributor

Re: CIFS on OpenVMS IA64.

The MMS package is a component of DECset; it's the DECset version of "make" or MMK.

If you don't have an MMS or DECset license around, then you might be able to get MMK to work here (with some edits) as IIRC the MMK freeware package has a reasonable degree of MMS compatibility.
Paul Nunez
Respected Contributor

Re: CIFS on OpenVMS IA64.

Hi Dave,

Just in case...

You only need to run build.com (which requires MMS) if you want to compile your own version of CIFS for OpenVMS (i.e., you modified the included source code to meet local needs).

Otherwise, just ignore that stuff in the docs about compiling CIFS...

Regards,

Paul
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Dave, at last count there are 8 ECO patches for CIFS (not all publically available). As far as I'm aware, HP are still working on some serious (file corruption) problems for patch 9.

The reason I say this is that you should probably expect some problems when you do instal CIFS.

I spent 6 months working with HP on various issues, so feel I know parts of the product fairly well. If you want a hand getting your install up and running, let me know.

Rob.
Hoff
Honored Contributor

Re: CIFS on OpenVMS IA64.

After prototyping CIFS, I've deployed an alternate platform.

In deference to our hosts, I'll not comment further.
Paul Nunez
Respected Contributor

Re: CIFS on OpenVMS IA64.


The current patch set for v1.1 ECO1 is PS009, which has been relatively stable. More importantly, it no longer modifies the security applied by OpenVMS to new objects (almost to a fault). Be sure to read the ps009 release notes (you have been warned :O)

The patches are maintained for FTP download at:

Server: ftp.usa.hp.com
Username: pathwork
Password: Support9

cd cifs-v11-eco1
dir ! Find the appropriate file.
bin
get


Paul
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

To Paul;

I thought that initially, however;

$ show symb addshare
ADDSHARE == "$SAMBA$ROOT:[BIN.IA64]SAMBA$ADDSHARE.EXE;"
$ addshare
%DCL-W-ACTIMAGE, error activating image SAMBA$ROOT:[BIN.IA64]SAMBA$ADDSHARE.EXE;
-CLI-E-IMAGEFNF, image file not found DSA400:[000000.SAMBA.][BIN.IA64]SAMBA$ADDSHARE.EXE;

this is why I went down the "BUILD" path!

To Rob;

I may take you up on your offer of help, however I/we was/were concerned about your use of the "c" word (corruption). At the moment, I have installed 1.1 ECO1, however I dont have any specific patches installed.

My e-mail is in my profile if you want to take this offline. Alternatively, just contact me so that I have your contact info.

Thanks

Dave.
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

I see the PS009 kit is from October, after I last spoke to HP, so I'm guessing they re-released the patch after they fixed the file corruption problem.

I'm quite surprised Paul or Hans didn't drop me an email to say it's back out. Think I'll drop him a line to get the current status.

Rob.
Paul Nunez
Respected Contributor

Re: CIFS on OpenVMS IA64.

Hi,

"Corruption" is perhaps too harsh a term to use for the problem introduced in PS008 and fixed in PS009.

The data is still there, it's just that the Record Format on the file was not set correctly which could make it appear as though the file were corrupted :O).

Paul
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Just going by the words I heard. Glad to see it's fixed though.

Rob.
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

Paul,

....
More importantly, it no longer modifies the security applied by OpenVMS to new objects (almost to a fault). Be sure to read the ps009 release notes (you have been warned :O)
....

I assume that the warning relates to the sentence above, regarding OpenVMS Security settings.

(or is there something else??)

Dave
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Just spotted the fix in the release notes (attached) :-

"If a file is being overwritten from DOS prompt, it leads to file corruption"


Dave, I'm guessing the reference to reading the release notes is because the way CIFS handles security has been completely rewritten in PS009.

From HP - "You better read them carefully because much has changed regarding security settings".

Rob.
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

Thanks Rob,
I already downloaded the Patch Kit and Release Notes. I read through the release notes, and my comment was due to the fact that nothing else really jumped out at me.

Having said that, I am not sufficiently comfortable with this AD/DC/etc (basically, Windows) stuff, to be able to say that I would immediatly recognise potential problems.

Dave
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

To be honest, I'm still struggling to get my head round how to set it up so that security is managed from the Windows side rather than the VMS side - something A/S did completely transparently.

There's a whole step to do with UID's and GID's and mapping over to SID's, that are all required in the default configuration, but aren't documented all that well.

If someone would like to write a brief document on the whys and wherefores of these mappings, I'm sure that would help us all out. I've discussed it with HP, but I still can't get my head round it.

Rob.
Willem Grooters
Honored Contributor

Re: CIFS on OpenVMS IA64.

Rob,

I can only agree on that matter.
If you're not familair with the Windows or Unix way of doing things (:D the wrong way ? :D ) it's hard to get things running properly.
What do I need to set up, and how? What are the steps in creating a domain controller, and what has to be done to get a nachine inside the domain? I gave up here, since it simply is too much work.
CIFS would be really useful if there were scripts you coul run to:
* create a domain
* Add systems to a domain
* Add users to a domain
* create a single-sign-on to acces these shares...

Now I need to know Windows system administration as well, and be an Unix/Linux admin as well. Just to get the thing running....
Willem Grooters
OpenVMS Developer & System Manager
Willem Grooters
Honored Contributor

Re: CIFS on OpenVMS IA64.

Scipts - I mean DCL procedures, of course.
Willem Grooters
OpenVMS Developer & System Manager
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

OK, here's what I have,

I have a windows PDC controlling DOM1

I have a second Server (Alpha DS10, OpenVMS 8.3) running Advanced Server and controlling domain DOM2

There is mutual trust between DOM1 and DOM2.

Now along comes the new server

BL860c blade, (IA64, OpenVMS 8.3-1H1) running CIFS 1.1-E1 (including PS009). It needs to join the DOM2 domain as a member server.

I have added this host to the Alpha ADV Server (DOM2) using;

$ ADMIN ADD COMPUTER /ROLE=SERVER

The SMB.CONF file on the new blade server looks like,

[global]
server string = Samba %v running on %h (OpenVMS)
netbios name = %h
security = domain
passdb backend = tdbsam
domain master = no
domain logons = no
guest account = SAMBA$GUEST
log file = /samba$root/var/log_%h.%m
create mode = 0755
host msdf = no

[homes]
comment = Home Directories
browseable = no
read only = no
create mode = 0750

[dave]
comment = Dave's Testing Directory
path = /users/dave
guest ok = yes
read only = no

OK! Here is the question!

I want the CIFS server to join the DOM2 domain, and to do this I intend to execute the

$ NET RPC JOIN

command.

Will the new server automatically join DOM2 because its biosname has only been added to DOM2, or,

Do I need to specify the correct domain by using the

work group = DOM2

parameter in the [global] section of the SMB.CONF file ??

Dave.

Paul Nunez
Respected Contributor

Re: CIFS on OpenVMS IA64.

Hi Dave,

You have to specify:

workgroup = dom2

(note: no space in "workgroup") in the [global] section. The default workgroup name is LANGROUP.

Regards,

Paul
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

Thanks for the reply Paul,

The documentation is pretty lacking in this area. In the section on "Adding an HP CIFS Server to a Domain", there is no mention of this requirement. The only hint was that both of the examples (on p45 and p46) included this parameter (workgroup) with a comment "# Domain Name"

Thanks for your help. I'll let you know how it goes.

Dave
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Dave, here's the start of my SMB.CONF :-

[global]
workgroup = UK
server string = Samba %v running on %h (OpenVMS)
security = DOMAIN
username map = /samba$root/lib/username.map
log level = 1
log file = /samba$root/var/log_%h.%m
max log size = 1000000
load printers = No
os level = 65
preferred master = No
local master = No
domain master = No
wins server = 10.110.17.12
admin users = cifsadmin
# create mask = 0755
# include = samba$root:[lib]smb.conf_%h
idmap uid = 10000-10000
idmap gid = 15000-20000



Take special note of the 'max log size', 'security', 'preferred master', 'local master', 'domain master', 'wins servers', 'idmap uid' and 'idmap gid' fields.

The documentation isn't completely clear, but you will _probably_ need all of these fields for a basic configuration.

You don't need to pre-add the member server to you DOM2 domain, as the JOIN will do all that for you :-

$ net rpc join --user=administrator --server=myserver
Password:
Joined domain UKVISTA.

Rob.
The Brit
Honored Contributor

Re: CIFS on OpenVMS IA64.

Hi Rob.

Just a small confusion, you have "workgroup = UK", but your example at the bottom looks like it joined Domain "UKVISTA".

Are "workgroup" and "domain" not equivalent??

Dave.
CJBe
Advisor

Re: CIFS on OpenVMS IA64.

Hello Rob,

I'm a young openVMS Admin and now taking my first steps in CIFS on OpenVMS. I looked up your configuration and found the entry

username map = ...

I also tried to use this entry but still having problems with it. I want to map an Domainuser to an existing OpenVMS-User with winbind. Could you tell me how Your entries in the "username.map" look like?

I tried something like:

OpenVMS-USER = Domainuser

Must the openVMS-User and the Domainuser use the same Password on openVMS and in the Domain?

Thanks

Chris
Shilpa K
Valued Contributor

Re: CIFS on OpenVMS IA64.

Hi Dave,

Could you please send me e-mail so that I can send you the document which might help you with CIFS file security and the uid/gid stuff?

my mail id (shilpa.krishnareddy@hp.com)

Regards,
Shilpa
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Sorry to confuse Dave - the CONF file is from our Production network (UK), but the JOIN command was taken from a test network (UKVISTA).

You're correct that the two would normally be the same.

Rob.
Robert Atkinson
Respected Contributor

Re: CIFS on OpenVMS IA64.

Chris, the format for the USERNAME.MAP file is :-

VMSUSER=DOMAIN\USERNAME

i.e. ROBERT=UK\RATKINSON

If your security config is set to DOMAIN, then the authentication is done using the Windows username and password. If authentication is successful, then the SMB process is created using the persona of the VMS username.

There's something REALLY important in this, and is why we had so many problems with CIFS. Every time you do anything on a CIFS share, the CIFS server has to go off and authenticate against the Windows domain. Depending on how big your domain is, this can obviously take a certain amount of time.

If you have multiple processes polling every 5 seconds (as we do) then this load gets fairly heavy. You'll see the NMBD accounting stats get fairly high pretty quickly. This is how CIFS (SAMBA) works on all platforms, so isn't particular to VMS. In fact, the same problem gives us grief on an Equilogix SAN we're running CIFS from. CIFS doesn't cache authentication details, at least not on VMS, so that can't help us.

The good news is that if you map a Windows drive to the CIFS share, the SMB process is held in place permanently. Any processes running in that Windows security context (using the same username) will be able to access the share without re-authentication. Even if you access using a UNC instead of the drive letter, it still works.

The downside! Drives can only _normally_ be mapped by interactive users. However, we've developed a .Net system service that can do this for you at boot time, so if you have a Windows application that runs as a service, as long as you use the same username for both the DriveMapper and your own service, no more authentication problem.

Those of you who's used A/S and CIFS to the same directory will note the big difference in returning a directory listing, for instance. Most of that is down to the authentication happening in the background. Try the same test with a mapped drive and the two are very similar in speed, depending on how many files are in the directory.

Sorry for the long waffle, but it is a big 'gotcha'.

Rob.