Published on: Novell Brainshare 2010 Amsterdam
Speaker notes (CIFS and AFP)
- CIFS can be configured using iManager, which uses the _admin interface to pass the configuration on to the CIFS server. The CIFS server uses a NetWare rights model and cache similar to the NCP server. It stores its secrets (those required for the CIFS server to authenticate) in CASA, and also provides a file-based alternative. The CIFS server uses the same trustee file that the NCP server creates, but does not write to it.
- The AFP configuration is done using iManager. The iManager plugins are written to CIM, and the CIM provider at the backend writes the configuration data into an AFP configuration file, from which the AFP server takes its configuration. The secrets required for the AFP server to start up are stored in CASA; there is also an option to store secrets without CASA being installed. The AFP server uses zAPI to talk to the NSS file system. The AFP server supports cross-protocol locking by having lock arbitration done by the NCP server.
File Access and LUM Deployment with Novell Open Enterprise Server 2
Martin Weiss, Senior Technical Specialist [email_address]
Dr. Frieder Schmidt, Senior Technical Specialist [email_address]

Agenda
- Linux User Management (LUM)
- File Access Protocols and Proxy User
- NCP, AFP, CIFS, (S)FTP, HTTP(S)
- Deploying Multiple Methods for File Access
- Troubleshooting
- Question and Answer
Linux User Management (LUM)

Linux User Management
- Before deployment
  - What does LUM do?
    - Allows eDirectory users and groups to show up as Linux users
  - Why and what for do YOU need LUM?
    - All services that run on top of Linux, e.g. Apache, FTP, SSH, SFTP, Samba
    - Administration
- Prepare your environment
  - Naming conventions
  - Case sensitivity
  - POSIX attributes
  - ODBC / DSReport is your friend

Linux User Management
- Implementation
  - Placement of objects in the tree
    - Unix config object
    - Unix workstation objects
- Configuration of NAMCD
  - "alternative-ldap-server-list"
  - SSL certificates
  - "convert-lower"
  - "cache-only"
  - "persistent-search"

Linux User Management
- LUM enablement
  - iManager or CLI
  - Groups
  - Users
  - namconfig cache_refresh
  - Which users should be LUM enabled for which servers?
- Troubleshooting
  - Duplicate UIDs/GIDs
  - Certificates for alternate LDAP server (namconfig -k)
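The two LUM preparation points above (naming conventions / case sensitivity and duplicate UIDs/GIDs) can be checked mechanically. The following script is an added example, not code from the slides or from Novell: it parses passwd- and group-format text of the kind `getent passwd` and `getent group` print on a LUM-enabled server and reports shared numeric ids and names that differ only in case. The sample entries are constructed; the assumption that "convert-lower" folds names to lowercase is based on the option name.

```python
"""LUM account sanity checks: duplicate UIDs/GIDs and case-colliding names.

Added example, not from the slides. Input is passwd- or group-format text
such as `getent passwd` / `getent group` produce on a LUM-enabled OES 2 server.
"""
from collections import defaultdict

# Constructed sample passwd output: two eDirectory users share UID 601 and
# two account names differ only in case.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
alice:x:600:600:Alice:/home/alice:/bin/bash
bob:x:601:600:Bob:/home/bob:/bin/bash
ALICE:x:602:600:Alice:/home/ALICE:/bin/bash
carol:x:601:601:Carol:/home/carol:/bin/bash
"""

# Constructed sample group output: GID 600 is assigned to two groups.
SAMPLE_GROUP = """\
users:x:100:
edirusers:x:600:alice,bob
finance:x:600:carol
"""


def parse_entries(text):
    """Yield (name, numeric id) from passwd or group lines. The id is the third
    field in both formats (uid in passwd, gid in group); malformed lines skip."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def find_duplicate_ids(text, min_id=500):
    """Return {id: [names]} for ids >= min_id used by more than one entry.
    Accounts sharing a UID are one identity to the kernel, so each can read
    and modify the other's files whatever eDirectory trustee rights say;
    a shared GID likewise merges group access. System ids below min_id are
    ignored so that local service accounts do not drown out LUM users."""
    by_id = defaultdict(list)
    for name, ident in parse_entries(text):
        if ident >= min_id:
            by_id[ident].append(name)
    return {i: names for i, names in by_id.items() if len(names) > 1}


def find_case_collisions(text):
    """Return {lowercased name: [names]} for names that differ only in case.
    Assumption: with namcd "convert-lower" such names fold to one Linux user."""
    by_lower = defaultdict(list)
    for name, _ in parse_entries(text):
        by_lower[name.lower()].append(name)
    return {k: v for k, v in by_lower.items() if len(v) > 1}


if __name__ == "__main__":
    print("duplicate UIDs:", find_duplicate_ids(SAMPLE_PASSWD))
    print("duplicate GIDs:", find_duplicate_ids(SAMPLE_GROUP))
    print("case collisions:", find_case_collisions(SAMPLE_PASSWD))
```

Run it against real output by piping `getent passwd` into the functions after a `namconfig cache_refresh`, so the check sees what namcd actually serves rather than what eDirectory holds.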
File Access Protocols and Proxy User

Novell Open Enterprise Server 2: the best multi-protocol file server
- Multiple choices of file systems
  - Novell Storage Services (NSS)
  - POSIX file systems: ext3, Reiser, XFS
- Multiple choices of file access protocols
  - NCP: Novell NetWare Core Protocol
  - CIFS/SMB: Novell CIFS, Samba
  - AFP: Novell AFP
  - HTTP: NetStorage, Apache
  - FTP: Pure-FTP with Novell changes
  - NFS: Linux NFS

Proxy Users
- No server-based authentication to eDirectory
  - Security requirement for "kernel space" vs. "user space"
- CIFS, AFP, NetStorage and Samba require proxy users
  - For accessing information from eDirectory
  - For reading user passwords for non-cleartext authentication
- Proxy user problem
  - Too many proxy users per server
  - Management of proxy user password expiry
  - Security issue of reading user passwords

Proxy Users (continued)
- Novell Open Enterprise Server (OES) 2 FCS, SP1, SP2
  - One proxy user per service per server (AFP, CIFS, Samba, NetStorage, other OES services)
- Novell Open Enterprise Server 2 SP3
  - Novell is looking at fewer proxy users and improved security
  - Default to a single OES common proxy for all services
  - Proxy user is made less powerful: no password read privileges
    - NMAS methods do authentication on behalf of the services
  - Auto-change of proxy passwords before expiry
- Future
  - Novell is looking at service-based authentication
Novell NetWare Core Protocol (NCP)

NCP: High Level Features
- NCP
  - Novell Open Enterprise Server 2 SP2
    - Cross-protocol file locking support between NCP, AFP and CIFS
    - Trustee change synchronization with eDirectory: deletion and rename of trustees
    - Trustee information obtained from _NETWARE/.trustee_database.xml
    - Auditing support for NCP file events
    - Salvage support (deleter) for non-LUM users
  - Novell Open Enterprise Server 2 SP3
    - Read-only support for NCP volumes
    - Ability to disable logins per volume and automated "clear connection"
  - Future release
    - Improved performance

NCP: Recommendations on Novell Open Enterprise Server 2 Linux
- Monitor usage and evictions
  - LOG_CACHE_STATISTICS = 1 logs statistics in ncpserv.log
- Configure based on working set and available memory
  - MAXIMUM_CACHED_FILES_PER_VOLUME (default: 20000)
  - MAXIMUM_CACHED_SUBDIRECTORIES_PER_VOLUME (default: 50000)
  - MAXIMUM_CACHED_FILES_PER_SUBDIRECTORY (default: 2048)
  - Cache entry memory usage: ~216 bytes + full path name
- Additional information
  - http://www.novell.com/documentation/oes2/file_ncp_lx/data/bc06ts8.html
  - TID 7004888: NCP Performance Tuning on OES2 Linux
Novell Common Internet Filesystem (CIFS)

Novell CIFS: High Level Features
- Novell CIFS
  - Novell Open Enterprise Server 2 SP2
    - Cross-protocol file locking support between NCP, AFP and CIFS
    - DFS support (including junctions pointing to sub-directories)
    - Auditing support
    - No LUM or Samba enablement required
  - Novell Open Enterprise Server 2 SP3
    - NTLM v2 support for Windows Vista and Windows 7
    - DST support
    - CIFS context search to be LDAP enabled
    - Enhanced auditing support
  - Future release
    - Kerberos and CIFS, DSFW support

Novell CIFS: Recommendations
- Cluster
  - Restart the CIFS service whenever eDirectory is restarted
  - You have to offline and online resources whenever the CIFS service is restarted on a node
  - The CIFS service binds to the cluster resource IP
- Troubleshooting
  - cifsctxs.conf
  - novcifs -sl (share list), novcifs -o (current configuration)
  - novcifs --enable-debug=yes --enable-info=yes
  - /var/opt/novell/log/cifs.log
Novell Apple Filing Protocol (AFP)

Novell AFP: High Level Features
- Novell AFP
  - Novell Open Enterprise Server 2 SP2
    - Cross-protocol file locking support between NCP, AFP and CIFS
    - Auditing support
  - Novell Open Enterprise Server 2 SP3
    - Enhanced auditing
    - Improved reliability
    - LDAP proxy user simplifications
  - Future release
    - Support for Spotlight on Mac
    - Kerberos support
    - DST support

Novell AFP: Recommendations
- Clustering
  - When a client connects to the cluster IP, only the cluster-enabled shared volumes associated with that IP are exported
  - Machine name and volume name (e.g. server.afp_vol)
  - Edit /etc/opt/novell/afptcpd/afpvols.conf on each cluster node; syntax: Servername.VolumeName VolumeName
- Troubleshooting
  - Use CASAcli
  - Verify password policies
  - Use afpstat
  - /var/log/afptcpd/afptcp.log
File Access via HTTP

NetStorage: High Level Features
- NetStorage
  - Novell Open Enterprise Server 2 SP2
    - NCP, CIFS, SSH
    - Login script processing
    - Storage Location objects
    - Universal Password support
    - DFS support
    - WebDAV

NetStorage: Recommendations
- Clustering
  - Install and configure on all nodes
  - "Just" migrate the IP address (maybe use a shared SSL certificate)
- Troubleshooting
  - Registry (xregd and xsrvd)
  - File system rights
  - Linux User Management
  - Apache and XTier users
File Access via FTP

FTP: High Level Features
- Pure-FTP
  - Novell Open Enterprise Server 2 SP2
    - Remote server navigation support (gateway)
    - LUM required
  - Novell Open Enterprise Server 2 SP3
    - Support for an FTP share on a locally mounted Novell Storage Services volume
    - Support for multiple Pure-FTP instances running either on different nodes or on the same node within a cluster
  - Future release
    - FTP common home directory option

FTP: Recommendations
- Configuration
  - PAM configuration (pam_ldap vs. pam_nam)
  - ldap.conf (context and LDAP server)
  - /etc/pure-ftpd/pure-ftpd.conf
- Parameters
    remote_server                yes
    disallow_list_oes_server     no
    edir_ldap_port               389
    NoRename                     no
    AutoRename                   no
Deploying Multiple Methods for File Access

Deploying Multiple Methods for File Access
- Data integrity
  - Cross-protocol file locking: AFP, CIFS, NCP, Samba
- Commonly supported capabilities
  - DST: supported across NCP and Samba (Novell CIFS in SP3)
  - Auditing: supported in Novell Open Enterprise Server (OES) 2 SP2 across NCP, AFP, CIFS
  - DFS: supported only by NCP, Novell CIFS and NetStorage
  - LUM-less operation: NCP, AFP, CIFS, but not Samba
- Performance and scalability
  - Scale: NCP: 20,000 connections; CIFS: ~5000 connections tested in the field; AFP: 200 connections
  - Performance: OES2 SP2: CIFS around the same as Samba
    - OES2 SP3: CIFS performs better than Samba with scaled connections

Cross Protocol File Locking (diagram): NCP Server, CIFS Server and AFP Server share one lock DB, /var/lib/samba/locking.tdb

Cross Protocol File Locking Configuration
- Enable/disable CPFL
  - NCP: ncpcon set CROSS_PROTOCOL_LOCKS=1/0
- CPFL is enabled by default
  - To ensure data integrity is always maintained
  - If only one of the protocols is used, CPFL can be disabled
    - Performance improves with CPFL disabled
Support for Distributed File Services

DFS Support for NCP and CIFS
- NCP, CIFS and NetStorage on Novell Open Enterprise Server 2 SP2 support DFS junctions that point to
  - Root of a Novell Storage Services (NSS) volume
  - Sub-directories on NSS volumes
- Trustee rights are set both on the junction and on the target of the junction

Support for Dynamic Storage Technology

Dynamic Storage Technology (diagram)
- Primary tree (important data): Subdirectory-1 holds file-1 and file-2; Subdirectory-2 holds file-4
- Shadow tree (less important data): Subdirectory-1 holds file-3; Subdirectory-2 holds file-5 and file-6
- NCP, CIFS client view (merged): Subdirectory-1 shows file-1, file-2, file-3; Subdirectory-2 shows file-4, file-5, file-6

Dynamic Storage Technology Components
- NCP Engine
- CIFS Service
- Policy Engine
  - Global
  - Volume

Dynamic Storage Technology Configuration
- Novell Remote Manager (NRM)
  - https://server_IP_address:8009 or other_configured_port_number
- Command line utility ncpcon

Dynamic Storage Technology: Novell Remote Manager (screenshot)

Dynamic Storage Technology Global Configuration: Manage NCP Services > Manage Server > Server Parameter Information

Question and Answer
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
Supporting Slides

NCP Server Architecture (diagram): NCP service, eDirectory, NSS, POSIX file system; iManager plugin; POSIX IPC and CIM IPC; trustee file

Novell CIFS Architecture (diagram): CIFS Server, NCP Server, eDirectory, NSS, CASA store; iManager plugin; ldap, dclient (ncp), ncp-rpc, POSIX IPC, CIM IPC; volume policies, trustee file, DST global policies

Novell CIFS Authentication Configuration (screenshot)

Latest Novell CIFS vs. Samba Performance (chart)

Novell AFP Architecture (diagram): AFP Server, NCP Server, eDirectory, NSS, CASA store, CIM provider; iManager plugin; ncp-rpc, nmas-ldap, xplat (ncp), zAPI; conf file

File Access Protocols (combined) (diagram): NCP Server, Novell CIFS, AFP Service, Samba; eDirectory; file system (NSS, POSIX); NCP-RPC, zAPI; rights, trustee changes and DST events; lock DB; CPL
