Likewise-CIFS User Guide

Likewise-CIFS is an SMB/CIFS file server for Linux and Unix computers. It provides client-side and server-side SMB support so Microsoft Windows clients can access folders and files on Linux and Unix computers. The Likewise-CIFS FUSE module mounts remote Windows shares on a Linux computer for access to folders and files on Windows. You can remotely manage the file server on Linux machines by using popular Microsoft Windows tools such as the Computer Management console. For general information about the features of Likewise-CIFS, see the datasheet.

The file server is a technology preview. Because it is a technology preview and is a separate software product from Likewise Enterprise and Likewise Open, it is not covered under your support contract. In addition, some aspects of the file server might be under development and are subject to change without notice.

1.1. Architecture

Likewise-CIFS supports the SMB1 and SMB2 protocols. The file server includes drivers for an SMB redirector, a named pipe file system, a POSIX virtual file system, and SMB1/SMB2 protocol handlers. In addition, the modern architecture lets third-party ISVs design and implement their own custom device drivers. The architecture is modular and extensible. Its processes are threaded for scalability.

The Likewise-CIFS architecture includes the following single-process threaded services:

lwiod: The Likewise input-output service and the CIFS file server.
lsassd: The Likewise security and authentication subsystem that forms the core of the Likewise Identity Service, or LWIS.
srvsvcd: Server and workstation RPC services.

netlogond: The domain controller locator and affinity manager.
dcerpcd: The DCE/RPC end-point mapper.
eventlogd: The logging service for local and remote computers.

The following diagram presents an overview of the Likewise-CIFS architecture.

More information on the services is in the Likewise Open Installation and Administration Guide.

1.2. Preparing Computers for Likewise-CIFS

To prepare your computer to be a Likewise-CIFS server, do the following:

Install Likewise-CIFS, which includes those aspects of Likewise Open that you need to connect the file server to Active Directory and authenticate users. Even though the Likewise-CIFS is a separate software package from Likewise Open, the instructions to install it are the same as those for Likewise Open. Follow the installation instructions in the Likewise Open Installation and Administration Guide.
Open Port 445, which is required by the CIFS file server.
Make sure SELinux is either disabled or set to permissive.
Stop Samba if it is running:
/etc/init.d/smb stop
Open the ports required by the Likewise agent. The ports are listed in the Likewise Open Installation and Administration Guide.

1.3. Preparing Accounts for Access

The account that you use to access the CIFS file server must have permission to log on the Linux or Unix computer running the file server. There are two types of accounts that you can use:

An administrator's account in the Likewise local provider database on the Linux or Unix computer
An Active Directory administrator's account if the computer is joined to your domain

Either way, the account must be permitted to access the computer. Thus, before you attempt to access the file server from another machine, such as a Windows computer, you should make sure the Linux or Unix computer running the file server can locate the account.

You can check whether the Linux computer running the CIFS file server can recognize an account in the local Likewise provider database by querying it with the following command. You must escape the slash character that separates the domain from the account name by proceeding it with a slash:

[root@rhel5d bin]# /opt/likewise/bin/lw-find-user-by-name BUILTIN\\Administrator 
User info (Level-0):
====================
Name:              BUILTIN\Administrator
SID:               S-1-5-21-1200979543-2940742856-1554716312-500
Uid:               500
Gid:               544
Gecos:             <null>
Shell:             /bin/sh
Home dir:          /
Logon restriction: NO
[root@rhel5d bin]#

Similarly, if you plan to access the file server with an Active Directory domain account, you should make sure the account has been provisioned with access to the Linux or Unix computer:

[root@rhel5d ~]# /opt/likewise/bin/lw-find-user-by-name LIKEWISEDEMO\\administrator
User info (Level-0):
====================
Name:              LIKEWISEDEMO\administrator
SID:               S-1-5-21-3190566242-1409930201-3490955248-500
Uid:               1366819316
Gid:               1366819329
Gecos:             <null>
Shell:             /bin/bash
Home dir:          /home/LIKEWISEDEMO/administrator
Logon restriction: NO

Both of the accounts in the examples above have no logon restrictions. The logon restriction of the account you use, however, might vary. For instance, domain users might be restricted to read-only access, while those with membership in the BUILTIN\Administrators group and root accounts might have write access.

Note: The Domain Administrators security group from Active Directory is automatically added to the local BUILTIN\Administrators group from Likewise when the computer is joined to Active Directory.

Using Likewise-CIFS with Likewise Enterprise

In the unlikely event that you are running Likewise-CIFS on your computer while using Likewise Enterprise to manage Likewise clients in Active Directory, you must make sure that the Active Directory account you use to access the Linux computer has been provisioned with Likewise access by enabling the account in a Likewise cell. In the following example, the account was not found until I added the AD administrator account to the default Likewise cell.

/opt/likewise/bin/lw-find-user-by-name LIKEWISEDEMO\\administrator
Failed to locate user.  Error code 40008 (LW_ERROR_NO_SUCH_USER).
No such user

[root@rhel5d ~]# /opt/likewise/bin/lw-find-user-by-name LIKEWISEDEMO\\administrator
User info (Level-0):
====================
Name:              LIKEWISEDEMO\administrator
SID:               S-1-5-21-3190566242-1409930201-3490955248-500
Uid:               1366819316
Gid:               1366819329
Gecos:             <null>
Shell:             /bin/bash
Home dir:          /home/LIKEWISEDEMO/administrator
Logon restriction: NO
[root@rhel5d ~]#

1.4. Turn On and Access the File Server with a Domain Account

The following procedure demonstrates how to set up Likewise-CIFS on a Red Hat Enterprise Linux 5 computer from a Windows Server 2003 computer connected to Active Directory. After setting up the CIFS server, you can view files on the Linux machine from the Windows computer. The procedure is similar for other versions of Linux and Windows. The procedure assumes you are familiar with managing shared files and folders on both Linux and Windows.

Before you can turn on the CIFS file server, you must install Likewise-CIFS 5.4 or later. To download Likewise-CIFS, go to www.Likewise.com.

The Linux computer must be connected to Active Directory with Likewise. For instructions on how to install the CIFS file server software package and join a domain, see the Likewise Open Installation and Administration Guide.

You can, however, turn on and access the CIFS file server without connecting the Linux computer on which it is running to Active Directory; see Turn On and Access the File Server with a Local Account below.

Important: On Linux, you must perform the following steps with a root account. On Windows, you must log on as a member of the Domain Administrators security group, the Enterprise Administrators security group, or another group that gives you sufficient privileges to modify objects and child objects in Active Directory. Or you must have been delegated privileges to modify the settings of the objects that you want to change.

Make sure the Linux computer is joined to your domain with Likewise-CIFS 5.4 by executing the following command at the command line:
domainjoin-cli query
The result should look something like this:
```
Name = rhel5d
Domain = LIKEWISEDEMO.COM
Distinguished Name = CN=RHEL5D,CN=Computers,DC=likewisedemo,DC=com
```
If you are not joined to the domain, see the instructions in the Likewise Open Installation and Administration Guide.
DNS must be set up correctly on both your Linux client and your Windows server: Make sure that you can ping the domain from the client and that you can ping the FQDN of the client from the server. In addition, on the Linux computer, make sure you can resolve your Active Directory domain with nslookup. On the Windows computer, make sure that you can resolve the host name of the Linux computer by executing nslookup in a command prompt window.
Example on a Linux client:
```
nslookup likewisedemo.com
Server:         192.168.100.132
Address:        192.168.100.132#53

Name:   likewisedemo.com
Address: 192.168.100.132
```
Example on a Windows server:
```
nslookup rhel5d
Server:  localhost
Address:  127.0.0.1

Name:    rhel5d.likewisedemo.com
Address:  192.168.92.128
```

On your Linux computer's command line, start the Likewise file server, which is not running be default, by executing the following command as root:

/opt/likewise/bin/lwsm start srvsvc

You can verify that srvsvc is running by executing the following command:

/opt/likewise/bin/lwsm list

The list should include an entry for srvsvc that shows that it is running:

[root@rhel5d bin]# ./lwsm list
lwreg       running (standalone: 1889)
dcerpc      running (standalone: 2500)
eventlog    running (standalone: 2545)
lsass       running (standalone: 15741)
lwio        running (standalone: 15727)
netlogon    running (standalone: 2137)
npfs        running (io: 15727)
pvfs        running (io: 15727)
rdr         running (io: 15727)
srv         running (io: 15727)
srvsvc      running (standalone: 15784)

On a Windows administrative workstation that can connect to your Active Directory domain controller, start Active Directory Users and Computers.
In the console tree, find the computer object of the Linux or Unix computer that you want to access through CIFS.
Right-click the computer object and then click Manage to open the object in the Microsoft Computer Management console.
Note: Your user account must have the rights to connect to the target computer, or your account must have been delegated authority on the target computer. See the section above on preparing accounts for access.
In the Computer Management console, create a new shared folder in the Shares folder for the Linux computer -- for example, /lwshare:
On the Action menu, click New Share, and then follow the instructions in the Share a Folder Wizard. In the wizard, when you specify a Folder path, click Browse, and then map the path to the folder.
On your Windows computer, use the net view command to connect to your Linux computer by entering its FQDN. Remember: You must use an account that has permission to access the Linux computer.
net view \\rhel5d.likewisedemo.com
Mount the Linux computer as a drive:
net use * \\rhel5d.likewisedemo.com\likewise
Execute the following command to open Windows Explorer and browse the mounted drive:
explorer Z:
In Windows Explorer, you should be able to see the images or files that you placed in the directory on the Linux computer.

1.5. Turn On and Access the File Server with a Local Account

When the Linux or Unix computer running the CIFS file server is not connected to Active Directory, you can turn on the file server from a remote Windows computer and then access it, but you must use an account in the local Likewise provider database on the Linux computer -- for example, a root account or an account with membership in the BUILTIN\Administrators group.

On your Windows administrative workstation, click Start, click Administrative Tools, and then click Computer Management.
In the Computer Management console, right-click the Computer Management (Local) node, and then click Connect to another computer:
Select Another computer, enter the FQDN of the Linux or Unix computer, and then click OK:
The first attempt at authentication will fail because the target computer tries to use the credentials from your current Windows session. After the first attempt to connect fails, Windows lets you attempt to connect with alternative credentials. In the dialog that appears, enter the credentials of a local account on the target computer -- for example, your builtin\\Administrator account.
Proceed as outlined above in the procedure Turn On and Access the File Server with a Domain Account.

1.6. Build and Configure a Standalone Likewise-CIFS Server

This section demonstrates how to build and configure a standalone instance of Likewise-CIFS from the command line. The following procedure assumes that you want to set up Likewise-CIFS on a Linux server to share files with Windows computers in a network without Active Directory. This procedure also assumes you know how to build Linux applications from their source code and then install them.

Download Likewise-CIFS from its open source git location:
$ git clone git://git.likewiseopen.org/

Download, build, and install the following tools. The tools listed are known to work, but earlier or later versions might work as well. Also, instead of downloading the tools, you might be able to install them on your platform with apt-get or some other means.

    http://ftp.gnu.org/gnu/autoconf/autoconf-2.65.tar.gz
    http://ftp.gnu.org/gnu/automake/automake-1.9.6.tar.gz
    http://ftp.gnu.org/gnu/libtool/libtool-2.2.6a.tar.gz
    http://pkgconfig.freedesktop.org/releases/pkg-config-0.23.tar.gz
    gcc --version 3.x or greater

Build Likewise-CIFS:

    $ cd likewise-open
    $ build/mkcomp --debug all

Install Likewise-CIFS:

    $ sudo su
    $ cd staging/install-root
    $ tar cf - . | (cd / && tar xvf -)

Make sure Samba is not running:
$ /etc/init.d/smb stop
Make sure SELinux is either disabled or set to permissive.
Make sure the ports required by Likewise are open. For a list of ports that Likewise uses, see the Likewise Open Installation and Administration Guide.

Configure Likewise Open:

    $ /etc/init.d/lwsmd start
    $ for i in /etc/likewise/*.reg; do /opt/likewise/bin/lwregshell upgrade $i; done
    $ /etc/init.d/lwsmd stop
    $ /etc/init.d/lwsmd start
    $ /opt/likewise/bin/lwsm start srvsvc
    $ /opt/likewise/bin/domainjoin-cli configure --enable nsswitch

Add a user account to the local Likewise provider database. In the following example, substitute the account name that you want for newuser.
```
    $ /opt/likewise/bin/lw-add-user --home /home/newuser --shell /bin/bash newuser
    Successfully added user newuser
```

Enable the user and set the password:

    $ /opt/likewise/bin/lw-mod-user --enable-user --set-password newuser
    New Password: **********
    Successfully modified user newuser

Look up new user's identity as follows. Substitute the value from the command hostname -s for the hostname. Keep in mind that Likewise truncates a hostname longer than 15 characters to the first 15 characters of the string.
```
    % id hostname\\newuser
    uid=2000(HOSTNAME\newuser) gid=1800(HOSTNAME\Likewise Users)   
    groups=1800(HOSTNAME\Likewise Users) 
    context=system_u:system_r:unconfined_t:s0
```

Make a CIFS directory for the user:

    mkdir /lwcifs/newuser
    chown 2000:1800 /lwcifs/newuser

From a Windows computer, map the Likewise-CIFS drive share:

     Computer->Map Network Drive...
     Folder: \\IP_hostname\c$
     Click "Finish"
     Username: hostname\newuser
     Password: user_password

1.7. Troubleshooting

1.7.1. Get a Stack Trace

To determine whether the CIFS file server is hanging, get a stack trace of all current threads.

As root, execute the following command:
/opt/likewise/bin/lwsm gdb lwio
Then execute the following commands:
```
gdb> set logging on
gdb> thread apply all bt full
gdb> set logging off
```
The full back trace is typically written to gdb.txt.

1.7.2. Get a Network Trace

It can be useful to perform a network trace (tcpdump, netmon, or wireshark trace), especially one filtered on Port 445, which carries the SMB traffic. To prevent the packet from being truncated, use the following snytax to capture traffic related to SMB/CIFS, Kerberos, DNS, LDAP, and the Active Directory global catalog:

$ tcpdump -w filename -i interface -s 0 \
port 445 or port 53 or port 389 or port 88 or port 3268

Because neither wireshark nor netmon truncate packets, no extra options necessary.

Chapter 2. Commands

Table of Contents

2.1. lwio: Input-Output Commands

2.1.1. lwio-fuse-mount: Gain Access to a Shared Windows Folder
2.1.2. lwio-copy: Copy Files Across Disparate Operating Systems
2.1.3. lwio-refresh: Reload the Input-Output Settings After Changes
2.1.4. lwio-set-log-level
2.1.5. lwio-get-log-info

2.1. lwio: Input-Output Commands

The commands prefaced with lwio are included as part of the Likewise-CIFS technology preview. These commands are not covered under your support contract.

2.1.1. lwio-fuse-mount: Gain Access to a Shared Windows Folder

The lwio-fuse-mount command lets you gain access to a shared folder on a Windows computer. For this command to work, your Linux or Unix computer must have File System in User Space, or FUSE, a loadable kernel module that gives non-privileged users the power to create their own file systems without editing the kernel code. FUSE is preinstalled on several Linux platforms. It is freely available from SourceForge at http://sourceforge.net/projects/fuse/files/fuse-2.X/.

The location of the Likewise tool is as follows:

/opt/likewise/bin/lwio-fuse-mount

Example:

/opt/likewise/bin/lwio-fuse-mount --server steveh-dc --share winshare /rhelshare

To view the tool's arguments, execute the following command:

/opt/likewise/bin/lwio-fuse-mount --help

2.1.2. lwio-copy: Copy Files Across Disparate Operating Systems

The lwio-copy command-line utility lets you copy files across computers running different operating systems. You can, for example, copy files from a Linux computer to a Windows computer.

There two prerequisites to use lwio-copy: The lwiod daemon must be running, and the rdr driver -- /opt/likewise/lib/librdr.sys.so -- must be available as specified by the registry. By default, the rdr driver is available.

The location of the tool is as follows:

/opt/likewise/bin/lwio-copy

To view the tool's arguments, execute the following command on your Unix, Linux, or Mac computer:

/opt/likewise/bin/lwio-copy --help

2.1.3. lwio-refresh: Reload the Input-Output Settings After Changes

The lwio-refresh command reloads the configuration for the lwio daemon, lwiod. When you modify the daemon's configuration, the changes take effect only after you run the lwio-refresh command or after you reboot the computer.

The location of the tool is as follows:

/opt/likewise/bin/lwio-refresh

Example usage:

/opt/likewise/bin/lwio-refresh

2.1.4. lwio-set-log-level

This command sets the logging status of the Likewise SMB file server to one of six levels: error, warning, info, verbose, debug, or trace.

The location of the tool is as follows:

/opt/likewise/bin/lwio-set-log-level

Example usage:

/opt/likewise/bin/lwio-set-log-level error

2.1.5. lwio-get-log-info

This command displays the logging status of the Likewise SMB file server. The location of the tool is as follows:

/opt/likewise/bin/lwio-get-log-info

Example output:

[root@rhel5d bin]# ./lwio-get-log-info 
Current log settings:
=================
SMB Server is logging to syslog
Maximum allowed log level: error

Chapter 3. Legal Disclaimer and Copyright Notice

The information contained in these documents represents the current view of Likewise Software on the issues discussed as of the date of publication. Because Likewise Software must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Likewise, and Likewise Software cannot guarantee the accuracy of any information presented after the date of publication.

These documents are for informational purposes only. LIKEWISE SOFTWARE MAKES NO WARRANTIES, EXPRESS OR IMPLIED.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form, by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Likewise Software.

Likewise may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Likewise, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The Likewise Open software is free to download and use according to the terms of the Limited GPL 2.1 for client libraries and the GPL 2 for daemons. The licenses for Likewise Enterprise and for Likewise UID-GID Module are different. For complete information on the software licenses and terms of use for Likewise products, see www.likewise.com.

Likewise and the Likewise logos are either registered trademarks or trademarks of Likewise Software in the United States and/or other countries. All other trademarks are property of their respective owners.

Likewise Software
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
USA

For more information, contact info@likewise.com or visit www.Likewise.com.