Overview of HCLNFSD daemon
Date: 2006-08-23 Source: 飞天二狭
What does HCLNFSD do and how do I run it?
RESOLUTION
Authentication by an NFS Server is performed by HCLNFSD
Authentication is a means of validating the username and password entered by a user. File security and access to resources are controlled based upon the privileges that a particular user is assigned during authentication. Authentication is one of the functions that the pcnfsd or hclnfsd server daemon provides.
A UNIX username/password is required when nfs linking a specific file, or when using the nfs register command. The authentication process is invoked when an nfs link command (or its equivalent, Connect As in the File Manager) is attempted. A username/password (either specifically entered or the username/password stored with the nfs register command) is encrypted and a call is made to the pcnfsd or bwnfsd server daemon. If this succeeds, a user ID (UID) and group ID (GID) are returned to the NFS Client, which uses them for all subsequent NFS calls. If this authentication call fails, an appropriate error message is displayed indicating that the username/password is invalid.
On subsequent NFS calls from the client to the server, the server checks the file access rights to ensure that the UID and GID specified by the user have the appropriate permissions on the server's files. The UID/GID are also used to assign file privileges when creating new files on the NFS Server.
HCLNFSD Syntax
Hclnfsd is the authentication, print, and lock daemon for Maestro, and is executed on the NFS File Server machine. Refer to the Integrating hclnfsd into the network topic for information about implementing hclnfsd on your network. Before hclnfsd can be run on the server it must be compiled.
This daemon should generally be run by a ROOT user on the Unix machine and not just any logged in user. It would be best if the user was logged in as ROOT and did not su to ROOT or 'su -' to ROOT.
It is very important that hclnfsd is not stopped with a "kill -9 xxxx" from the UNIX console. Hclnfsd should only be stopped with "kill xxxx", where xxxx is the PID of the process.
SYNTAX
hclnfsd [-A] [-d] [-l log] [-X] [-s server_file] [/staging_directory]
The case and the order of the options are very important. If either the wrong case or the wrong order is used, the daemon will not function as designed and will most often just show you the syntax line.
-A
The HCLNFSD daemon will authenticate a username and password request from any client that calls it (these can be NFS from HCL, NFS from Novell, NFS from 3com, NFS for DOS from Chameleon, NFS from Intercon for Macintosh, etc.). It will also authenticate the username and password if the request is sent from another server, i.e. if you try to mount a drive on server A and server A sends the request to server B, which is running the HCLNFSD daemon, server B has the option to authenticate for server A.
The -A option tells the daemon to authenticate for any machine that sends the request. The -A switch is the most commonly used one. Unless this is a very secure environment you can leave this one on all of the time.
Without the -A or -s options, hclnfsd only authorizes access to the machine it is executing on. The -A option tells the daemon to serve all hosts.
-d
This starts the daemon in debug mode. It is optional and is not necessary if using the -l option. In this mode the daemon displays all HCLNFSD daemon activity on the console. This is useful, and the output can be piped to a file to be sent to support to debug printing and linking problems. To stop the daemon when running like this you will need to issue a CTRL+C on the server, or start another telnet/console session, find the PID for the daemon and kill it (don't use the -9 option). You can start the daemon in debug mode and have it running in the background if you put the & sign at the end of the command.
-l log
This will enable logging in the hclnfsd daemon and put the output in a file. Generally it is good to use this only if support tells you to, and to send the file to /dev/null. When the daemon starts it makes calls to the OS on the UNIX machine asking it to do things. When it makes these calls it will wait for the server to answer (with either an ack or a result) and then continue with the next call or request for the OS or a process on the OS. Some UNIX OSes don't want anything waiting around for a return of information (Solaris 2.5+ and Alpha 3.0+ servers are two of the most common).
The -l option will make the call and not wait to return, but will disconnect and send the output to a file. Most commonly this is needed if the user runs the daemon and the daemon appears to CORE DUMP or hang. Have the user start the daemon in debug mode (-d) and see if this helps. If the daemon no longer hangs or CORE DUMPS, kill it and restart it with the -l option. This will mean that you have found a server that does not like a daemon to start a process and wait for the result.
-X
When starting the HCLNFSD daemon you must specify a staging directory that will be used as a temp directory. Most commonly this is used for printing. If the user does not want to do printing there is no need for the daemon to spool anything and the staging directory is not needed. The -X option will allow the user to start the daemon and not specify a directory.
-s
The -s servers_file option allows the daemon to authenticate more than one file server but not all servers (like when using the -A option). The entries in the specified file will indicate which additional machines are to be served by the daemon, and also which other server machines have such daemons. The format of this file contains any combination of the following lines:
+Address/Name
-Address/Name
=Address/Name Address/Name
where Address/Name refers to either an IP address such as 123.231.73.19, an Internet name such as maccs.mcmaster.ca or a Network_Address/Name which matches all IP addresses on the specified network.
The "+" field means that the daemon is to service requests (that is, authenticate) for the named host/network.
The "-" field means that the daemon is not to service requests for the named host/network.
The "=" field means that the daemon is to receive requests for the first named host/network and pass them to the second named host where there is another such daemon running.
Hosts with more than one IP address must use either the -A option or the -s option with all of the hosts' IP addresses in the servers_file.
For example:
The line in the servers_file file on host "A" might read:
=C D
The line in the servers_file file on host "D" would read:
+C
With the above parameters entered, the following sequence would take place when PC "B" wants to link a file system on host "C".
- PC "B" attempts to authorize on host "C".
- Host "C" returns "no server" error.
- PC "B" tries default server "A" for host "C".
- Host "A" responds with a redirect to "D".
- PC "B" attempts to authorize on host "D" for "C".
- Host "D" responds to the authorization.
Note that the IP address 0.0.0.0 is a wild-card match. Further note that the daemon searches for the first matching entry in the file, so if the first line of the file is:
+0.0.0.0
any following lines will be completely ignored.
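The first-match rule and the 0.0.0.0 wildcard described above, as an added example (not Hummingbird's code): a small Python checker that reports which servers_file entry decides a given client and which entries can never take effect. It assumes a network entry is a dotted quad whose trailing zero octets match any value and that names are compared literally without DNS; the sample file is constructed.

```python
# Added example: models the first-match rule described for the -s servers_file.
# Assumptions: trailing zero octets = network wildcard; names compared literally.
SAMPLE = """\
-192.168.10.66
+192.168.10.0
=hostc hostd
+0.0.0.0
-10.1.2.3
"""  # constructed sample, not taken from a real site

def parse(text):
    """Return (lineno, action, target, redirect_to) for each entry."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        action, fields = line[0], line[1:].split()
        if action not in "+-=" or len(fields) != (2 if action == "=" else 1):
            raise ValueError(f"line {n}: bad entry {raw!r}")
        rules.append((n, action, fields[0], fields[1] if action == "=" else None))
    return rules

def matches(target, host):
    """True if a rule target covers host (an IP string or a name)."""
    t, h = target.split("."), host.split(".")
    if len(t) == 4 and all(p.isdigit() for p in t):
        while t and t[-1] == "0":       # 0.0.0.0 strips to [] and matches all
            t.pop()
        return h[:len(t)] == t
    return target.lower() == host.lower()

def decide(rules, host):
    """First matching entry wins; None means no entry covers the host."""
    for n, action, target, redirect in rules:
        if matches(target, host):
            return n, action, redirect
    return None

def shadowed(rules):
    """Line numbers that an earlier, broader entry makes unreachable."""
    return [n for i, (n, _, target, _) in enumerate(rules)
            if any(matches(prev[2], target) for prev in rules[:i])]

RULES = parse(SAMPLE)
if __name__ == "__main__":
    for host in ("192.168.10.66", "192.168.10.7", "hostc", "10.1.2.3"):
        print(host, decide(RULES, host))
    print("unreachable lines:", shadowed(RULES))
```

On the constructed sample, the deny entry on line 5 is reported as unreachable because the +0.0.0.0 entry on line 4 matches first, so deny entries belong above any wildcard.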
[staging_directory]
If the -X option is used this can be left out. When starting the HCLNFSD daemon you will need to have a directory with 777 permissions that everyone can write to. This directory must be exported and be mountable by ROOT and by the Unix machine. This directory is used for spooling print jobs. There are some sites that do not want a directory on the server that has 777 permissions (because anyone can write things into it), and others that will not be using printing. If either of the above is true have the user use the -X option and not use the directory.
DESCRIPTION
The hclnfsd command (executed on the NFS File Server computer) creates a process which provides authentication of users for NFS activities and also provides the capability to print files on the Server machine to networked printers.
When an NFS client prints a file and the client uses HCLNFSD, it will send the print job in a raw binary format to the HCLNFSD daemon. HCLNFSD will take the job, spool it with a number and queue the job. It will then call LPD with the compiled command in the daemon and send the file to the server LPD daemon. The directory where the file is queued is the staging directory.
The print server feature uses the file /etc/printcap to determine the names of the available printers. This file is also required to be present on SYS V-based UNIX systems which do not have /etc/printcap files normally. See the topic on Printing for more information. The specified directory must be a world-writable directory where files to be printed are temporarily stored before printing. The directory must be included in the /etc/exports file and available for mounting by the server host as well as all PCs running HCLNFS.
The authentication function allows UID and GID mapping between PC users and the NFS Server machine based upon username and password authentication. Up to 16 GIDs associated with the UID are passed to HCLNFS for subsequent access to the file systems.
The locking function allows HCLNFS to implement DOS 3.1 record locking and file sharing functions.
Hclnfsd requires other daemons such as portmapper, nfsd, and the mount daemon to be active on the server.
Hclnfsd must be started by user root or included at the end of the system start-up file (typically rc.local). It should not be started by a user who has used su to become Super User.
ACTION
For further information please contact Hummingbird Technical Support.
http://connectivity.hummingbird.com/support/nc/nfs/allplatforms/hclnfsd3.html?cks=y