.de Sc
\\s-1\\$1\\s0\\$2
..
.ds cA 2005/695
.ds aR \s-1PSARC\s0
.LP
.so ../../amac
.Co
.ds LF \fI\*(aR/\*(cA\fP
.ds RF \fICopyright 2007 Sun Microsystems\fP
.if n .ds CF
.IP \fBSubject:\fP 15
CIFS Client on Solaris
.IP "\fBSubmitted by:\fP" 15
Pavan Kumar Mettu
.IP \fBFile:\fP 15
\*(aR/\*(cA/opinion.ms
.IP \fBDate:\fP 15
May 30, 2007 
.IP "\fBCommittee:\fP" 15
Gary Winiger
(opinion written by Darren Reed),
Kais Belgaied, James D Carlson, Glenn Skinner.
.IP "\fBProduct Approval Committee:\fP" 15

Solaris PAC
.br
solaris-pac-opinion@sun.com

.pn 2
.NH
Summary
.LP
CIFS Client for Solaris is a virtual file system on Solaris providing
access to servers which support the CIFS protocol (Windows, Samba
on Unix/Linux). The CIFS protocol allows sharing of files, printers and
other resources across a network.
.LP
Using the CIFS client, users can mount remote CIFS server 
shares (directories) on their system. The CIFS client uses TCP naming
and supports authentication, oplocks, caching, DFS, Extended Attributes, 
Unicode resource names and security signatures.  Authorisation will be
given to all users to mount and unmount CIFS filesystems.
.NH
Decision & Precedence Information
.LP
The project is approved as specified in references [1-10],
but as modified by the required technical changes listed
in Appendix A below.
.LP
The project may be delivered in a patch release of Solaris.
.LP
The project depends on the following other project and may not
be delivered before it.
.RS
.IP \*(aR/2007/303 16n
pam_smb_login
.RE
.NH
Interfaces
.LP
The project exports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Exported
_
Interface	Classification	Comments
_
.TH
smbutil	Committed
nsmbrc(4)	Committed
mount_smbfs	Committed
umount_smbfs	Committed
libsmbfs.so	Project Private	Will contract with Nautilus
smbfs module	Consolidation Private
nsmb module	Project Private
SMF service	Committed	svc:/network/smb/client:default
SUNWsmbfsr	Committed	Package name
SUNWsmbfsu	Committed	Package name
.TE
.LP
The project imports the following interfaces.
.if n .ne 8
.if t .ne 3
.TS H
box;
c s s
l | l | l.
Interfaces Imported
_
Interface	Classification	Comments
_
.TH
libkrb5	Contracted	\*(aR/2006/027
uconv routines	Consolidation Private	\*(aR/2005/446
md4 routines	Consolidation Private	\*(aR/2007/139
sockfs calls	Project Private	See design [5], 8.5.2.3
.TE
.NH
Opinion
.LP
.NH 2
NetBIOS name resolution
.LP
The CIFS client will make use of NetBIOS for name resolution if it is
enabled and if normal hostname resolution has already failed to provide
an answer for the name.  This follows the algorithm used by Microsoft.
We need to pay attention to their moves in this so that in the event that
they abandon use of NetBIOS, Solaris is similarly adjusted.
.NH 2
Patch binding
.LP
Although this case has sought and had approved a request for patch binding,
the case presented is a large project, with the following 6 dependencies
identified during commitment review:
.RS
.IP \*(aR/2004/047 16n
Enabling user mounts in Solaris in S10
.IP \*(aR/2005/446 16n
Unicode encoding conversion functions at the kernel in SNV
.IP \*(aR/2006/027 16n
Open Kerberos APIs (contracted) in SNV
.IP \*(aR/2006/715 16n
CIFS Service (parts)
.IP \*(aR/2007/139 16n
Kernel Crypto support for MD4 in SNV
.IP \*(aR/2005/374 16n
Share management improvements (sharectl(1M)) in SNV
.RE
.LP
In addition to this, contracts will be required for linking with the
Kerberos APIs being used and SMF for removal of the SMF service on
patch backout using /var/svc/profile/upgrade.
.NH 2
Kerberos and Single Sign On
.LP
The ARC spent some time discussing the interaction of CIFS with
Kerberos for single sign on, particularly with respect to the
ease of use gained from this.  In particular, when operational
inside a Kerberos (or Active Directory) realm, there should be
no need to use smbutil's login functionality in order to access
CIFS shares.  The project team commented that while it was within
scope of their project, it was not considered to be a "must" for
them to deliver.  At the time of the meeting it was believed that
the code worked, with the actual status unclear, which led to the
ARC prescribing a TCR for the delivery of it to work and a case
dependency on \*(aR/2007/303 (pam_smb_login).
.NH 2
Storing CIFS share passwords
.LP
The use of the .nsmbrc file to hold user passwords for CIFS shares
was discussed and points made about how this is handled elsewhere.
At the very least, the file needs to be protected by making it read
and write for the owner only.  To store the password, a recoverable
hash is used, obscuring the plaintext password.  Whilst some mechanics
such as the need to support a different password per share were also
discussed, the end result must be something that is easy for the user
to use and should not require direct editing of the file.
.NH 2
Unmounting the filesystem
.LP
At the close of the meeting, the issue of how the project intends to
allow users to unmount filesystems was raised.  At the time of the
meeting, there was no proposal put forward on how to do this.  Without
this part of the architecture the case was considered to be incomplete.
Because a vote could not be taken for this reason, a straw poll
was taken on whether or not the case would be approved, with all members
present approving.  The advice to the project was to find a solution
to this problem and present it to the ARC which would then hold a
vote via email.
.LP
The team took this advice up and presented a solution to PSARC at the
next PSARC meeting, allowing the project to be voted on and formally
approved.
.NH 2
Use of SMF to store properties
.LP
The architecture of this case includes the use of SMF as the means
for persistent storage of various properties for the CIFS client
service.  Initially it was believed that the SMF service needed to
be enabled by default and at the commitment meeting, the committee
requested that the project ensure that it was enabled in the
appropriate generic service profile when the project delivered.
.LP
In a followup to this after commitment, it was made clear that the
service did not need to be enabled in order for properties to be
used, so the aforementioned requirement was later dropped.
.NH
Minority Opinion(s)
.LP
None.
.NH
Advisory Information
.LP
.NH 2
Backport
.LP
As noted in section 4.2, this project depends on many other projects
spread throughout the present development release.  Backports of
projects with such dependencies often introduce a higher level of
instability and bugs than fully contained projects.  The committee
advises the PAC and any project teams to not undertake such a
backport without thoroughly understanding the downside consequences.
.NH
Appendices
.NH 2
Appendix A: Technical Changes Required
.LP
.RS
.IP 1.
Document the search order relative to NetBIOS and nsswitch.conf.
.IP 2.
Add password support to nsmbrc(4) in a user friendly way.
.IP 3.
Provide support for Kerberos credentials when Kerberos is the
login mechanism.  If this cannot be accomplished, submit a
fast track to amend this case.
.IP 4.
Provide for appropriate value and action authorizations for
the smb/client service.  Ensure that the authorizations are
delivered in a Rights Profile and documented in the sharectl(1M)
man page or on a separate smb/client man page if appropriate.
.IP 5.
CIFS Client support when TX is enabled should mirror that of NFS
client support.  If this cannot be accomplished, submit a fast
track to amend this case.
.RE
.NH 2
Appendix B: Technical Changes Advised
.LP
none
.NH 2
Appendix C: Reference Material
.LP
Unless stated otherwise, path names are relative to the case
directory \*(aR/\*(cA.
.IP 1
20 Questions
.br
file: commitment.materials/20questions.txt               
.IP 2
nsmbrc(4)
.br
file: commitment.materials/nsmbrc.4.txt
.br
file: commitment.materials/nsmbrc.4.pdf
.IP 3
CIFS Client Diagram
.br
file: commitment.materials/CIFS_Client_diagram.jpg       
.IP 4
Security Questionnaire
.br
file: commitment.materials/sec_questions.html
.br
file: commitment.materials/sec_questions.txt
.IP 5
CIFS design document
.br
file: commitment.materials/CIFS_Design_Doc.html          
.IP 6
Changes since inception
.br
file: commitment.materials/changes_since_inception.txt   
.IP 7
sharectl(1m)
.br
file: commitment.materials/sharectl.1m.txt
.IP 8
Project requirements specification
.br
file: commitment.materials/cifs_client_prd.html          
.IP 9
mount_smbfs(1m)
.br
file: commitment.materials/mount_smbfs.1m.txt
.br
file: commitment.materials/mount_smbfs.1m.pdf            
.IP 10
smbutil(1)
.br
file: commitment.materials/smbutil.1.txt
.br
file: commitment.materials/smbutil.1.pdf
