Novell Brainshare 2010 Amsterdam

Speaker notes

  • CIFS can be configured using iManager, which uses the _admin interface to pass the configuration on to the CIFS server. The CIFS server uses a NetWare rights model and cache similar to the NCP server's. It stores its secrets (the secrets the CIFS server needs in order to authenticate) in CASA, and also provides a file-based alternative. The CIFS server reads the same trustee file that the NCP server creates, but never writes to it.
  • AFP configuration is done using iManager. The iManager plugins are written to CIM, and the CIM provider at the backend writes the configuration data into an AFP configuration file, from which the AFP server takes its configuration. The secrets the AFP server needs to start up are stored in the CASA secret store; there is also an option to store secrets without CASA being installed. The AFP server uses zAPI to talk to the NSS file system. It supports cross-protocol locking by having lock arbitration done by the NCP server.

Transcript

  • File Access and LUM Deployment with Novell® Open Enterprise Server 2
    Martin Weiss, Senior Technical Specialist, [email_address]
    Dr. Frieder Schmidt, Senior Technical Specialist, [email_address]
  • Agenda
    • Linux User Management (LUM)
    • File Access Protocols and Proxy User
    • NCP™, AFP, CIFS, (S)FTP, HTTP(S)
    • Deploying Multiple Methods for File Access
    • Troubleshooting
    • Question and Answer
  • Linux User Management (LUM)
  • Linux User Management
    • Before deployment
      • What does LUM do?
        • Allows eDirectory™ users and groups to show up as Linux users
      • Why, and what for, do YOU need LUM?
        • For all services that run on Linux, e.g. Apache, FTP, SSH, SFTP, Samba
    • Administration
      • Prepare your environment
        • Naming conventions
        • Case sensitivity
        • POSIX attributes
        • ODBC / DSReport is your friend
  • Linux User Management
    • Implementation
      • Placement of objects in the tree
        • Unix Config object
        • Unix Workstation objects
      • Configuration of NAMCD
        • “alternative-ldap-server-list”
        • SSL certificates
        • “convert-lower”
        • “cache-only”
        • “persistent-search”
  • Linux User Management
    • LUM enablement
      • iManager or CLI
      • Groups
      • Users
      • namconfig cache_refresh
      • Which users should be LUM enabled for which servers?
    • Troubleshooting
      • Duplicate UIDs/GIDs
      • Certificates for the alternate LDAP server (namconfig -k)
  • File Access Protocols and Proxy User
  • Novell® Open Enterprise Server 2: the best multi-protocol file server
    • Multiple choices of file systems
      • Novell Storage Services™ (NSS)
      • POSIX file systems: ext3, Reiser, XFS
    • Multiple choices of file access protocols
      • NCP™ - Novell NetWare® Core Protocol
      • CIFS/SMB - Novell CIFS, Samba
      • AFP - Novell AFP
      • HTTP - NetStorage, Apache
      • FTP - Pure-FTPd with Novell changes
      • NFS - Linux NFS
  • Proxy Users
    • No server based authentication to eDirectory™
      • Security requirement for “kernel-” vs. “user-space” services
    • CIFS, AFP, NetStorage and Samba require proxy users
      • For accessing information from eDirectory
      • For reading user passwords for non-cleartext authentication
    • Proxy user problems
      • Too many proxy users per server
      • Management of proxy user password expiry
      • Security issue: the proxy user is allowed to read user passwords
  • Proxy Users (continued)
    • Novell® Open Enterprise Server (OES) 2 FCS, SP1, SP2
      • One proxy user per service per server (AFP, CIFS, Samba, NetStorage, other OES services)
    • Novell Open Enterprise Server 2 SP3
      • Novell is looking at fewer proxy users and improved security
      • Default to a single OES common proxy for all services
      • Proxy user is made less powerful - no password read privileges
        • NMAS™ methods do the authentication on behalf of the services
      • Auto-change of proxy passwords before expiry
    • Future
      • Novell is looking at service based authentication
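The expiry-management problem above is easy to monitor before SP3's auto-change exists. The following is an added example, not code from the slides or from Novell: it converts an eDirectory `passwordExpirationTime` value (generalized time, `YYYYMMDDhhmmssZ`) to a day count and fails when the proxy password is inside a warning window. The proxy DN, LDAP URI and admin DN are placeholders (assumptions), the offline attribute value is constructed, and `gt_to_epoch` relies on GNU `date -d`.

```shell
#!/bin/sh
# Added example, not from the Novell OES 2 slides: warn before an OES proxy
# user's eDirectory password expires. eDirectory exposes the expiry through
# the passwordExpirationTime attribute in generalized time (YYYYMMDDhhmmssZ).

# gt_to_epoch GT: generalized-time value -> Unix seconds (value is UTC, per Z).
gt_to_epoch() {
    gt=$1
    y=$(printf %s "$gt" | cut -c1-4)
    mo=$(printf %s "$gt" | cut -c5-6)
    d=$(printf %s "$gt" | cut -c7-8)
    h=$(printf %s "$gt" | cut -c9-10)
    mi=$(printf %s "$gt" | cut -c11-12)
    s=$(printf %s "$gt" | cut -c13-14)
    date -u -d "$y-$mo-$d $h:$mi:$s" +%s      # GNU date
}

# proxy_pw_days_left EXPIRY [NOW_EPOCH]: whole days until expiry, negative if
# the password has already expired. NOW_EPOCH defaults to the current time.
proxy_pw_days_left() {
    exp_epoch=$(gt_to_epoch "$1")
    now=${2:-$(date -u +%s)}
    echo $(( (exp_epoch - now) / 86400 ))
}

# proxy_pw_ok EXPIRY WARN_DAYS [NOW_EPOCH]: exit 0 if more than WARN_DAYS
# remain, 1 if expired or inside the warning window.
proxy_pw_ok() {
    left=$(proxy_pw_days_left "$1" "${3:-}")
    [ "$left" -gt "$2" ]
}

PROXY_DN='cn=OESCommonProxy_server1,o=novell'   # assumption: example proxy DN
LDAP_URI='ldaps://edir.example.com'              # assumption
ADMIN_DN='cn=admin,o=novell'                     # assumption
WARN_DAYS=14

if [ "${1:-}" = "--live" ]; then
    # Read the attribute with the OpenLDAP client; this needs an admin-level
    # bind, the proxy user itself is normally not allowed to read it.
    exp=$(ldapsearch -LLL -x -H "$LDAP_URI" -D "$ADMIN_DN" -W -b "$PROXY_DN" \
              -s base passwordExpirationTime \
          | awk '/^passwordExpirationTime:/ { print $2 }')
    [ -n "$exp" ] || { echo "no passwordExpirationTime on $PROXY_DN"; exit 0; }
else
    exp=20100615120000Z        # constructed sample value
fi

echo "$PROXY_DN expires $exp ($(proxy_pw_days_left "$exp") days left)"
proxy_pw_ok "$exp" "$WARN_DAYS" || echo "WARNING: rotate the proxy password now"
```

A proxy password that silently expires takes CIFS, AFP or NetStorage logins down with it, and a proxy that holds password-read rights is a credential worth rotating on a schedule anyway, so the check belongs in the same monitoring job that watches eDirectory health on each OES server.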
  • Novell® NetWare Core Protocol™ (NCP™)
  • NCP™ - High Level Features
    • NCP
      • Novell® Open Enterprise Server 2 SP2
        • Cross protocol file locking support between NCP, AFP and CIFS
        • Trustee change synchronization with eDirectory™ - deletion and rename of trustees
        • Trustee information obtained from _NETWARE/.trustee_database.xml
        • Auditing support for NCP file events
        • Salvage support (deleter) for non-LUM users
      • Novell Open Enterprise Server 2 SP3
        • Read-only support for NCP volumes
        • Ability to disable logins per volume and automated “clear connection”
      • Future release
        • Improved performance
  • NCP™ - Recommendations on Novell® Open Enterprise Server 2 Linux
    • Monitor usage and evictions
      • LOG_CACHE_STATISTICS = 1 logs statistics to ncpserv.log
    • Configure based on working set and available memory
      • MAXIMUM_CACHED_FILES_PER_VOLUME
        • Default - 20000
      • MAXIMUM_CACHED_SUBDIRECTORIES_PER_VOLUME
        • Default - 50000
      • MAXIMUM_CACHED_FILES_PER_SUBDIRECTORY
        • Default - 2048
      • Cache entry memory usage - ~216 bytes + full path name
    • Additional information
      • http://www.novell.com/documentation/oes2/file_ncp_lx/data/bc06ts8.html
      • TID 7004888 - NCP Performance Tuning on OES2 Linux
  • Novell® Common Internet File System (CIFS)
  • Novell® CIFS - High Level Features
    • Novell CIFS
      • Novell Open Enterprise Server 2 SP2
        • Cross protocol file locking support between NCP™, AFP and CIFS
        • DFS support (including junctions pointing to sub-directories)
        • Auditing support
        • No LUM or Samba enablement required
      • Novell Open Enterprise Server 2 SP3
        • NTLMv2 support (required by the default LAN Manager authentication level of Windows Vista and Windows 7)
        • DST support
        • CIFS context search to be LDAP enabled
        • Enhanced auditing support
      • Future release
        • Kerberos and CIFS, DSfW support
  • Novell® CIFS - Recommendations
    • Cluster
      • Restart the CIFS service whenever eDirectory™ is restarted
      • Cluster resources have to be taken offline and brought online again whenever the CIFS service is restarted on a node
      • The CIFS service binds to the cluster resource IP
    • Troubleshooting
      • cifsctxs.conf
      • novcifs -sl (share list), novcifs -o (current configuration)
      • novcifs --enable-debug=yes --enable-info=yes
      • /var/opt/novell/log/cifs.log
  • Novell® Apple Filing Protocol (AFP)
  • Novell® AFP - High Level Features
    • Novell AFP
      • Novell Open Enterprise Server 2 SP2
        • Cross protocol file locking support between NCP™, AFP and CIFS
        • Auditing support
      • Novell Open Enterprise Server 2 SP3
        • Enhanced auditing
        • Improved reliability
        • LDAP proxy user simplifications
      • Future release
        • Support for Spotlight on Mac
        • Kerberos support
        • DST support
  • Novell® AFP - Recommendations
    • Clustering
      • When a client connects to the cluster IP, only the cluster-enabled shared volumes associated with that IP are exported
      • Volumes are exported as machine name plus volume name (e.g. server.afp_vol)
      • Edit /etc/opt/novell/afptcpd/afpvols.conf on each cluster node; syntax: Servername.VolumeName VolumeName
    • Troubleshooting
      • Use CASAcli
      • Verify password policies
      • Use afpstat
      • /var/log/afptcpd/afptcp.log
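A validator for the afpvols.conf entries just described, as an added example that is not code from the slides or from Novell: it checks every non-comment line of the file against the documented syntax `Servername.VolumeName VolumeName` and reports entries a cluster node would export wrongly or not at all. The duplicate-volume check is extra strictness of my own and the sample file contents are constructed; the path `/etc/opt/novell/afptcpd/afpvols.conf` is the one the slide gives.

```shell
#!/bin/sh
# Added example, not from the Novell OES 2 slides: sanity-check the AFP
# cluster volume map /etc/opt/novell/afptcpd/afpvols.conf on a node.
# Documented syntax per line:   Servername.VolumeName VolumeName
# i.e. the virtual (cluster resource) server name and the NSS volume name
# joined by a dot, followed by the same volume name again.

# afpvols_check: read afpvols.conf content on stdin, print one diagnostic per
# bad line, exit 0 when every entry is well-formed and 1 otherwise.
afpvols_check() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        NF != 2 {
            printf "line %d: expected 2 fields, got %d\n", NR, NF
            bad = 1; next
        }
        {
            n = split($1, p, ".")
            if (n != 2 || p[1] == "" || p[2] == "") {
                printf "line %d: first field must be Servername.VolumeName: %s\n", NR, $1
                bad = 1; next
            }
            if (p[2] != $2) {
                printf "line %d: volume name mismatch: %s vs %s\n", NR, p[2], $2
                bad = 1; next
            }
            # added strictness (not in the slides): a volume mapped twice is
            # ambiguous for the node and almost always a copy/paste slip
            if ($2 in seen) {
                printf "line %d: volume %s already mapped on line %d\n", NR, $2, seen[$2]
                bad = 1; next
            }
            seen[$2] = NR
        }
        END { exit bad ? 1 : 0 }'
}

# Constructed sample: two good entries followed by three that must be rejected.
SAMPLE='# cluster node afpvols.conf (sample)
CLUSTER-RES1-SERVER.DATA DATA
CLUSTER-RES2-SERVER.HOME HOME
CLUSTER-RES3-SERVER.USERS
CLUSTER-RES4-SERVER.PROJ PROJX
OTHER-RES-SERVER.DATA DATA'

if printf '%s\n' "$SAMPLE" | afpvols_check; then
    echo "afpvols.conf OK"
else
    echo "afpvols.conf has errors (see above)"
fi

# On a real node:  afpvols_check < /etc/opt/novell/afptcpd/afpvols.conf
```

Because the slide requires the file to be edited on every node by hand, running the check on each node before a resource is migrated is what catches the node that silently exports nothing for a volume after failover; afpstat and afptcp.log only tell you afterwards.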
  • File Access via HTTP
  • NetStorage - High Level Features
    • NetStorage
      • Novell® Open Enterprise Server 2 SP2
        • NCP™, CIFS, SSH
        • Login script processing
        • Storage Location objects
        • Universal Password support
        • DFS support
        • WebDAV
  • NetStorage - Recommendations
    • Clustering
      • Install and configure on all nodes
      • “Just” migrate the IP address (maybe use a shared SSL certificate)
    • Troubleshooting
      • Registry (xregd and xsrvd)
      • File system rights
      • Linux User Management
      • Apache and XTier users
  • File Access via FTP
  • FTP - High Level Features
    • Pure-FTPd
      • Novell® Open Enterprise Server 2 SP2
        • Remote server navigation support (gateway)
        • LUM required
      • Novell Open Enterprise Server 2 SP3
        • Support for an FTP share on a locally mounted Novell Storage Services™ volume
        • Support for multiple Pure-FTPd instances running on different nodes, or on the same node, within a cluster
      • Future release
        • FTP common home directory option
  • FTP - Recommendations
    • Configuration
      • PAM configuration (pam_ldap vs. pam_nam)
      • ldap.conf (context and LDAP server)
      • /etc/pure-ftpd/pure-ftpd.conf
    • Parameters
      • remote_server               yes
      • disallow_list_oes_server    no
      • edir_ldap_port              389
      • NoRename                    no
      • AutoRename                  no
  • Deploying Multiple Methods for File Access
    • Data integrity
      • Cross-protocol file locking: AFP, CIFS, NCP™, Samba
    • Commonly supported capabilities
      • DST: supported across NCP and Samba (Novell CIFS in SP3)
      • Auditing: supported in Novell® Open Enterprise Server (OES) 2 SP2 across NCP, AFP, CIFS
      • DFS: supported only by NCP, Novell CIFS and NetStorage
      • LUM-less operation: NCP, AFP, CIFS but not Samba
    • Performance and scalability
      • Scale: NCP 20,000 connections; CIFS ~5000 connections tested in the field; AFP 200 connections
      • Performance: OES2 SP2: CIFS around the same as Samba
        • OES2 SP3: CIFS performs better than Samba with scaled connections
  • Cross Protocol File Locking [diagram: NCP™ Server, CIFS Server and AFP Server arbitrating through the lock DB /var/lib/samba/locking.tdb]
  • Cross Protocol File Locking Configuration
    • Enable/disable CPFL
      • NCP™: ncpcon set CROSS_PROTOCOL_LOCKS=1/0
    • CPFL is enabled by default
      • To ensure data integrity is always maintained
      • If only one of the protocols is used, CPFL can be disabled
        • Performance improves with CPFL disabled
  • Support for Distributed File Services
  • DFS Support for NCP™ and CIFS
    • NCP, CIFS and NetStorage on Novell® Open Enterprise Server 2 SP2 support DFS junctions that point to
      • The root of a Novell Storage Services™ (NSS) volume
      • Sub-directories on NSS volumes
    • Trustee rights are set both on the junction and on the target of the junction
  • Support for Dynamic Storage Technology
  • Dynamic Storage Technology [diagram]
    • Primary tree (important data): Subdirectory-1 (file-1, file-2); Subdirectory-2 (file-4)
    • Shadow tree (less important data): Subdirectory-1 (file-3); Subdirectory-2 (file-5, file-6)
    • NCP/CIFS client view (merged): Subdirectory-1 (file-1, file-2, file-3); Subdirectory-2 (file-4, file-5, file-6)
  • Dynamic Storage Technology Components [diagram, not recoverable]
  • Dynamic Storage Technology Configuration
    • Novell® Remote Manager (NRM)
      • https://server_IP_address:8009 or other configured port number
    • Command line utility ncpcon
  • Dynamic Storage Technology in Novell® Remote Manager [screenshot, not recoverable]
  • Dynamic Storage Technology Global Configuration: Manage NCP™ Services > Manage Server > Server Parameter Information
  • Question and Answer
  • Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
  • Supporting Slides
  • NCP™ - Server Architecture [diagram: NCP service with eDirectory™, NSS and POSIX file systems; iManager plugin connected via CIM IPC and POSIX IPC; trustee file]
  • Novell® CIFS - Architecture [diagram: CIFS Server with NCP™ Server (ncp-rpc), eDirectory™ (ldap, dclient/ncp), NSS, CASA store and iManager plugin (CIM IPC, POSIX IPC); volume policies, trustee file, DST global policies]
  • Novell® CIFS Authentication Configuration [screenshot, not recoverable]
  • Latest Novell® CIFS vs. Samba Performance [chart, not recoverable]
  • Novell® AFP - Architecture [diagram: AFP Server with NSS (zAPI), CASA store, NCP™ Server (ncp-rpc), eDirectory™ (nmas-ldap, xplat/ncp); iManager plugin via CIM provider writing the conf file]
  • File Access Protocols (combined) [diagram: NCP™ Server, Samba, AFP Service and Novell CIFS over the POSIX file system; NCP-RPC and zAPI carry rights, trustee changes and DST events; cross-protocol locks (CPL) via the lock DB; eDirectory™]