狠狠撸

1. File Access and LUM Deployment with Novell 庐 Open Enterprise Server 2 Martin Weiss , Senior Technical Specialist [email_address] Dr. Frieder Schmidt , Senior Technical Specialist [email_address]

2. Agenda Linux User Management (LUM)

3. File Access Protocols and Proxy User

4. NCP 鈩� , AFP, CIFS, (S)FTP, HTTP(S)

5. Deploying Multiple Methods for File Access

6. Troubleshooting

7. Question and Answer

8. Linux User Management (LUM)

9. Linux User Management Before deployment What does LUM do? Allow eDirectory 鈩� users and groups to show up as Linux users Why and what for do YOU need LUM? All services that run on base of Linux ex. Apache, FTP, SSH, SFTP, Samba

10. Administration Prepare your environment Naming conventions

11. Case sensitivity

12. POSIX attributes

13. ODBC / DSReport is your friend

14. Linux User Management Implementation Placement of objects in the tree Unix config object

15. Unix workstation objects Configuration of NAMCD 鈥� alternative-ldap-server-list鈥�

16. SSL certificates

17. 鈥� convert-lower鈥�

18. 鈥� cache-only鈥�

19. 鈥� persistent-search鈥�

20. Linux User Management LUM Enablement iManager or CLI

21. Groups

22. Users

23. namconfig cache_refresh

24. Which users should be LUM enabled for which servers? Troubleshooting duplicate UIDs/GIDs

25. Certificates for alternate LDAP server (namconfig -k)

26. File Access Protocols and Proxy User

27. Novell 庐 Open Enterprise Server 2 The best multi-protocol file server Multiple choices of file systems Novell Storage Services 鈩�

28. POSIX file systems: ext3, Reiser, XFS Multiple choices of file access protocols NCP 鈩� - Novell NetWare 庐 Core Protocol

29. CIFS/SMB 鈥� Novell CIFS, Samba

30. AFP 鈥� Novell AFP

31. HTTP 鈥� NetStorage, Apache

32. FTP 鈥� PureFTP with Novell changes

33. NFS 鈥� Linux NFS

34. Proxy Users No server based authentication to eDirectory 鈩� Security Requirement for 鈥淜ernel-鈥� vs. 鈥淯ser-space鈥� CIFS, AFP, NetStorage and Samba require proxy users For accessing information from eDirectory

35. For reading user passwords for non-cleartext authentication Proxy user problem Too many proxy users per server

36. Management of proxy user password expiry

37. Security issue of reading user passwords

38. Proxy Users (continued) Novell 庐 Open Enterprise Server (OES) 2 FCS, SP1, SP2 One proxy user per service per server (AFP, CIFS, Samba, NetStorage, other OES services) Novell Open Enterprise Server 2 SP3 Novell is looking at less proxy users and improved security

39. Default to a single OES common proxy for all services

40. Proxy user is made less powerful 鈥� no password read privileges NMAS 鈩� methods to do authentication on behalf of the services Auto-change of proxy passwords before expiry Future Novell is looking at service based authentication

41. Novell 庐 NetWare Core Protocol 鈩� (NCP 鈩� )

42. NCP 鈩� 鈥� High Level Features NCP Novell 庐 Open Enterprise Server 2 SP2 Cross protocol file locking support between NCP, AFP and CIFS

43. Trustee change synchronization with eDirectory 鈩� - Deletion and rename of trustees

44. Trustee information obtained from _NETWARE/.trustee_database.xml

45. Auditing support for NCP file events

46. Salvage support (deleter) for non-LUM users Novell Open Enterprise Server 2 SP3 NCP volumes read only support functionality

47. Add the ability to disable logins per volume and automated 鈥渃lear connection鈥� Future release Improved performance

48. NCP 鈩� - Recommendations on Novell 庐 Open Enterprise Server 2 Linux Monitor usage and evictions LOG_CACHE_STATISTICS = 1 will log statistics in ncpserv.log Configure based on working set and available memory MAXIMUM_CACHED_FILES_PER_VOLUME Default 鈥� 20000 MAXIMUM_CACHED_SUBDIRECTORIES_PER_VOLUME Default 鈥� 50000 MAXIMUM_CACHED_FILES_PER_SUBDIRECTORY Default - 2048 Cache Entry memory usage - ~216 bytes + Full path name Additional Information http://www.novell.com/documentation/oes2/file_ncp_lx/data/bc06ts8.html

49. TID 7004888 鈥� NCP Performance Tuning on OES2 Linux

50. Novell 庐 Common Internet Filesystem (CIFS)

51. Novell 庐 CIFS 鈥� High Level Features Novell CIFS Novell Open Enterprise Server 2 SP2 Cross protocol file locking support between NCP 鈩� , AFP and CIFS

52. DFS support (including junctions pointing to sub-directories)

53. Auditing support

54. No LUM or SAMBA enablement required Novell Open Enterprise Server 2 SP3 NTLM v2 support for Windows Vista and Windows 7

55. DST support

56. CIFS context search to be LDAP enabled

57. Enhanced auditing support Future release Kerberos and CIFS, DSFW support

58. Novell 庐 CIFS - Recommendations Cluster Restart CIFS service whenever eDirectory 鈩� is restarted

59. You have to offline and online resources whenever the CIFS service is restarted on a node

60. CIFS service will bind to the cluster resource IP Troubleshooting cifsctxs.conf

61. novcifs -sl (share list), novcifs -o (current configuration)

62. novcifs --enable-debug=yes --enable-info=yes

63. /var/opt/novell/log/cifs.log

64. Novell 庐 Apple Filing Protocol (AFP)

65. Novell 庐 AFP - High Level Features Novell AFP Novell Open Enterprise Server 2 SP2 Cross protocol file locking support between NCP 鈩� , AFP and CIFS

66. Auditing support Novell Open Enterprise Server 2 SP3 Enhanced auditing

67. Improved reliability

68. LDAP Proxy User simplifications Future release Support for spotlight on MAC

69. Kerberos support

70. DST support

71. Novell 庐 AFP - Recommendations Clustering When a client connects to the cluster IP, then only cluster enabled shared volumes associated with the IP are exported

72. Machine name and volume name (e.g. server.afp_vol)

73. Edit /etc/opt/novell/afptcpd/afpvols.conf on each cluster node Syntax: Servername.VolumeName VolumeName Troubleshooting Use CASAcli

74. Verify Password Policies

75. Use afpstat

76. /var/log/afptcpd/afptcp.log

77. File Access via HTTP

78. NetStorage 鈥� High Level Features NetStorage Novell 庐 Open Enterprise Server 2 SP2 NCP 鈩� , CIFS, SSH

79. Login Script processing

80. Storage Location objects

81. Universal Password support

82. DFS support

83. Webdav

84. NetStorage 鈥� Recommendations Clustering Install and configure on all nodes

85. 鈥� just鈥� migrate the IP-Address (maybe use a shared SSL certificate) Troubleshooting Registry (xregd and xsrvd)

86. Filesystem Rights

87. Linux User Management

88. Apache and Xtier Users

89. File Access via FTP

90. FTP 鈥� High Level Features Pure-FTP Novell 庐 Open Enterprise Server 2 SP2 Remote Server navigation support (Gateway)

91. LUM required Novell Open Enterprise Server 2 SP3 Support FTP share on a locally mounted Novell Storage Services 鈩� volume

92. Support for multiple instances of Pure-FTP instances running either on different or a same node within a cluster Future release FTP common home directory option

93. FTP 鈥� Recommendations Configuration pam configuration (pam_ldap vs. pam_nam)

94. ldap.conf (context and LDAP sever)

95. /etc/pure-ftpd/pure-ftpd.conf Parameters remote_server 听听听听听听听听听听听听听听听听听听听yes disallow_list_oes_server 听听听no edir_ldap_port 听听听听听听听听听听听听听听听听听听听389 NoRename 听听听听听听听no AutoRename 听听听听no

96. Deploying Multiple Methods for File Access

97. Deploying Multiple Methods for File Access Data integrity Cross-protocol file locking: AFP, CIFS, NCP 鈩� , Samba Commonly supported capabilities DST: Supported across NCP and Samba (Novell-CIFS in SP3)

98. Auditing: Supported in Novell 庐 Open Enterprise Server (OES) 2 SP2 across NCP, AFP, CIFS

99. DFS: Supported only by NCP, Novell-CIFS and NetStorage

100. LUM-less operation: NCP, AFP, CIFS but not Samba Performance and scalability Scale: NCP: 20,000 connections, CIFS ~ 5000 connections tested in field, AFP: 200 connections

101. Performance: OES2 SP2: CIFS around the same as Samba OES2 SP3: CIFS performs better than Samba with scaled connections

102. Cross Protocol File Locking Lock DB /var/lib/samba/locking.tdb NCP 鈩� Server CIFS Server AFP Server

103. Cross Protocol File Locking Configuration Enable/Disable CPFL NCP 鈩� : ncpcon set CROSS_PROTOCOL_LOCKS=1/0 CPFL is enabled by default To ensure data integrity is always maintained

104. If only one of the protocols is used, CPFL can be disabled Performance improved with CPFL disabled

105. Support for Distributed File Services

106. DFS Support for NCP 鈩� and CIFS NCP, CIFS and NetStorage on Novell 庐 Open Enterprise Server 2 SP2 support DFS junctions that point to Root of Novell Storage Services 鈩� (NSS) volume

107. Sub-directories on NSS volumes Trustee rights are set both on the junction and the target of the junction

108. Support for Dynamic Storage Technology

109. Dynamic Storage Technology PRIMARY TREE: Subdirectory 鈥� 1 file 鈥� 1 file 鈥� 2 Subdirectory 鈥� 2 file 鈥� 4 Important Data Less Important Data SHADOW TREE: Subdirectory 鈥� 1 file 鈥� 3 Subdirectory 鈥� 2 file 鈥� 5 file 鈥� 6 NCP, CIFS Client View Subdirectory 鈥� 1 file 鈥� 1 file 鈥� 2 file 鈥� 3 Subdirectory 鈥� 2 file 鈥� 4 file 鈥� 5 file 鈥� 6

110. Dynamic Storage Technology Components NCP 鈩� Engine

111. CIFS Service

112. Policy Engine Global

113. Volume

114. Dynamic Storage Technology Configuration Novell 庐 Remote Manager (NRM) https://server_IP_address:8009 or other_configured_port_number Command line utility ncpcon

115. Dynamic Storage Technology Novell 庐 Remote Manager

116. Dynamic Storage Technology Global Configuration Manage NCP 鈩� Services > Manage Server > Server Parameter Information

117. Question and Answer

118. 听

119. Unpublished Work of Novell, Inc. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability. General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.

120. Supporting 狠狠撸s

121. NCP 鈩� 鈥� Server Architecture NCP service eDirectory 鈩� NSS posix iManager Plugin POSIX IPC CIM IPC trustee file

122. Novell 庐 CIFS 鈥� Architecture NCP 鈩� Server eDirectory 鈩� NSS CASA store CIFS Server iManager Plugin ldap dclient (ncp) ncp-rpc POSIX IPC CIM IPC Volume policies trustee file DST global policies

123. Novell 庐 CIFS Authentication Configuration

124. Latest Novell 庐 CIFS vs. Samba Performance

125. Novell 庐 AFP 鈥� Architecture NSS CASA store CIM Provider NCP 鈩� Server eDirectory 鈩� AFP Server iManager Plugin ncp-rpc nmas-ldap xplat (ncp) zAPI conf file

126. File Access Protocols (combined) NCP-RPC zAPI Rights, trustee changes, DST events Lock DB Samba AFP Service Novell CIFS File System posix CPL NCP 鈩� Server eDirectory 鈩�

狠狠撸

Cl116

Recommended

More Related Content

What's hot (20)

Similar to Cl116 (20)

More from Juliette Ponnet (6)

Cl116

Editor's Notes