Before you begin this process, you must ensure that the user ID
the SMB Server is running under has authorization to the BPX.DAEMON
and BPX.SERVER resources in the RACF® FACILITY
class. If you are configuring SMB for the first time, or for a new
release, see RACF definitions for SMB.
To install, configure, and access the Distributed File
Service server (dfskern) for SMB file and print server operation,
perform the following steps:
- Install and perform post-installation processing of the Distributed
File Service, using the applicable instructions in ServerPac:
Installing Your Order (for ServerPac users) and z/OS Program Directory
(for CBPDO users).
The following list summarizes the information in those documents:
- Ensure that the target and distribution libraries for the Distributed
File Service are available.
- Run the prefix.SIOESAMP(IOEISMKD) job from UID 0 to create the
symbolic links that are used by the Distributed File Service. This
job reads the member prefix.SIOESAMP(IOEMKDIR) to delete and create
the symbolic links.
- Ensure that the DDDEFS for the Distributed File Service are defined
by running the prefix.SIOESAMP(IOEISDDD) job.
- Install the Load Library for the Distributed File Service. The
Load Library (hlq.SIEALNKE) must be APF-authorized and must be in the
link list.
- Install the samples (hlq.SIOESAMP).
- If you plan to use encrypted passwords (recommended) and, optionally,
OCSF and hardware encryption, you must ensure that the DFS server user
ID has been given the authorizations it needs to use OCSF services. See
the “Cryptographic Services OCSF customization considerations” section
in z/OS Program Directory and the “Configuring and Getting Started”
section in for information about this topic.
If you are using Integrated Cryptographic Service Facility (ICSF), define
the following service names to the CSFSERV resource class:
CSFCKI, CSFDEC, CSFENC, CSFKEX, CSFKGN, CSFKIM, CSFKPI, CSFKRW, CSFKRC,
CSFKRD, CSFKRR, CSFMGN, CSFOWH, and CSFRNG.
You might also need to PERMIT the DFS server user ID (typically DFS) READ
access to the profiles in the CSFSERV general resource class. For
more information about the CSFSERV resource class, see z/OS Cryptographic Services ICSF Administrator's Guide.
- The SMB server process (DFSKERN) needs a dispatching priority that is
lower than TCP/IP and z/OS UNIX System Services, but not too low. When
the dispatching priority is too low, its TCBs and associated SRBs are not
dispatched quickly enough, which can cause resource contention and hang
conditions.
The SMB server uses an Event Notification Facility (ENF) exit for event
code 51 (contention). When this event occurs, an SRB is scheduled
to queue a request to the SMB server. If the SMB server dispatching
priority is too low, these requests back up and the system can
eventually run out of resources. The SMB server therefore needs a
dispatching priority that is high enough for these requests to be
processed in a timely manner.
- Stop the Distributed File Service server (dfskern), if
it is already running, using the instructions in Managing SMB processes.
- Define administrators on the host system using the instructions
in Defining SMB administrators.
- Create the default DFS configuration files using the /opt/dfsglobal/scripts/dfs_cpfiles shell
script, if they were not created during the installation process.
These configuration files, which the SMB file and print server requires,
are typically created by the /opt/dfsglobal/scripts/dfs_cpfiles shell
script before the Distributed File Service installation is verified,
as described in z/OS Program Directory.
See Creating the default DFS configuration files for more information
about dfs_cpfiles.
- Modify the /opt/dfslocal/home/dfskern/envar file
to activate SMB file and print servers by setting the environment
variable _IOE_PROTOCOL_SMB=ON.
If you are using OCSF, ensure that
the /opt/dfslocal/home/dfskern/envar file has
a LIBPATH that adds the directory that contains the OCSF DLLs. Be
sure that the directory added is the directory indicated in z/OS Program Directory.
If
you are using the print capability of the SMB file and print server,
ensure that the Infoprint Server is installed and customized using
the applicable instructions in z/OS Program Directory.
In addition, ensure that the /opt/dfslocal/home/dfskern/envar file
has a LIBPATH entry that adds the directory that contains the Infoprint
Server DLLs. Be sure that the directory added is the directory indicated
in the “Infoprint Server Customization Considerations” section of z/OS Program Directory.
For
example, a LIBPATH that specifies both the OCSF DLL directory and
the Infoprint Server DLL directory might be LIBPATH=/usr/lib:/usr/lpp/Printsrv/lib.
There is a relationship between the number of threads specified for the
SMB server and the maximum number of threads that z/OS® UNIX permits
in a process. The following DFSKERN envars affect the number of threads
created for the SMB server:
- _IOE_RFS_WORKER_THREADS
- _IOE_SMB_CALLBACK_POOL
- _IOE_SMB_MAIN_POOL
- _IOE_TKMGLUE_SERVER_THREADS
In addition, DFSKERN creates a number of threads dynamically
(approximately 25). The total number of DFSKERN threads must be less
than the z/OS UNIX MAXTHREADS specification in BPXPRMxx; otherwise,
DFSKERN can abend during thread creation. MAXTHREADS can be increased
with the SETOMVS MAXTHREADS=nn operator command and displayed with the
D OMVS,O operator command. See z/OS MVS System Commands for
additional information about these operator commands.
- Because the SMB file and print server runs as an APF-authorized
server, you must ensure that any DLLs that are used by the SMB file
and print server are APF-authorized. This can be accomplished by using
the z/OS UNIX extattr +a command.
If you are using the Infoprint Server or OCSF, see the “Infoprint
Server Customization Considerations” section in z/OS Program Directory and
the “Cryptographic Services OCSF Customization Considerations” section
in z/OS Open Cryptographic Services Facility Application Programming for
information about the location of the DLLs and setting the APF-authorized
extended attribute. The DFS load library is called hlq.SIEALNKE.
- SMB clients must be able to find the server on the network in
order to use the shares that the SMB server makes available. If you
are using Windows, ensure that your computer name (specified in the
_IOE_SMB_COMPUTER_NAME environment variable in the
/opt/dfslocal/home/dfskern/envar file) is the same as your TCP/IP host
name. See Networking considerations.
- SMB communicates over several TCP/IP ports. Check your TCP/IP
profile data set and verify that ports 137, 138, 139, and 445 are not
reserved. See z/OS Communications Server: IP Configuration Reference for
information about TCP/IP configuration and reserving ports.
- Define SMB users by modifying the smbidmap file identified by
the _IOE_SMB_IDMAP environment variable of dfskern. Map SMB
users to z/OS users on the
host system using the instructions in Mapping SMB user IDs to z/OS user IDs.
In addition, z/OS users should put the following
line in the .profile file in their home directory, or the line can be
placed in /etc/profile, in which case the value is set for all z/OS UNIX users.
- Determine whether
you intend to use passthrough authentication. See Using passthrough authentication for information
about passthrough authentication. Users in the domain are authenticated
by a Windows Server acting as a domain controller. Users who are not in
the domain, and whose domain authentication fails, then attempt local
authentication at the SMB server. This local authentication uses clear
or encrypted passwords according to what the domain controller chose
(most likely encrypted passwords), independent of the _IOE_SMB_CLEAR_PW
environment variable. In the case of encrypted passwords, users who are
authenticated locally must store their SMB password in their RACF DCE
segment.
- Determine whether you intend to use password encryption.
For more information, see the _IOE_SMB_CLEAR_PW environment variable.
Before you enable password encryption, your PC users must store their
SMB password in their RACF DCE segment. Otherwise, they cannot log on,
except possibly as a guest user.
- Determine whether you intend to permit guest users. Guest
users are PC users that have (limited) access to files and printers
on the SMB server without identifying themselves. Guest users are
permitted when the _IOE_MVS_DFSDFLT environment variable in the dfskern process
is set to a valid z/OS user ID. Guest users can access any data or
files that this z/OS user ID can access. If guest users are permitted,
a user who specifies an incorrect password, or no password, is mapped
to the guest user ID instead of being rejected. It is better to deny
guest users until you are certain that you need this capability and
that it meets your security guidelines.
- Determine whether you intend to use the dynamic export capability.
It is controlled by the _IOE_DYNAMIC_EXPORT environment variable of dfskern.
The default is OFF, meaning that dynamic export is not enabled. Dynamic
export permits the SMB server to support file systems mounted by using
the z/OS Automount Facility.
See z/OS UNIX System Services Planning for
information about the automount facility. Dynamic export also permits
the SMB server to dynamically “discover” mounted file systems without
the need to provide dfstab and devtab entries for the
file systems. See Dynamic export for HFS for
information about using the dynamic export capability of the SMB server.
- If the SMB file and print server runs on the host system to export
file data sets for access by PC clients, define shared directories by
updating the smbtab, dfstab, and devtab files and, optionally for RFS,
by specifying an rfstab file in the /opt/dfslocal/var/dfs directory.
Define file systems and file sets using the applicable instructions
in Sharing files. For
RFS, the DFS server user ID (typically DFS) must have RACF ALTER authority to the data sets that are
made available to PC users. Alternatively, you can give the DFS server
user ID the OPERATIONS attribute. If you specify a single-level prefix
in the devtab, you must use the OPERATIONS attribute, because
you cannot create a data set profile that covers a single-level prefix.
(The OPERATIONS attribute can be limited so that the DFS server
user ID has authority only to the required data sets. See z/OS Security Server RACF Security Administrator's Guide for
information about the OPERATIONS attribute.)
- Define shared printers if the SMB file and print server is run
on the host system to export Infoprint Server printers for access
by PC clients. Define the print shares by updating the file /opt/dfslocal/var/dfs/smbtab.
See Sharing printers for
more information.
- SMB server performance can be significantly enhanced using the Language Environment® HEAPPOOLS(ON)
parameter. See ioepdcf on
how to specify HEAPPOOLS for the SMB server. See z/OS Language Environment Programming Guide for
information about HEAPPOOLS.
- Start the
Distributed File Service server (dfskern) by following the
applicable instructions in Managing SMB processes.
- Configure PC client workstations to access the SMB file and print
server using the instructions in Locating the SMB server.
Rule: If you modify the RACF FSSEC class to activate or deactivate ACL
checking, the SMB server must be restarted. The SMB server caches
permissions and does not get notified of changes to the FSSEC class.
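The following shell script is an added example, not part of the Distributed File Service or of this documentation. It checks a dfskern envar file against the conditions the steps above impose before dfskern is started: _IOE_PROTOCOL_SMB=ON, the four thread-pool envars plus the dynamically created threads staying below MAXTHREADS, the OCSF and Infoprint Server DLL directories being present in LIBPATH (and, on z/OS, their DLLs carrying the APF extended attribute), and _IOE_MVS_DFSDFLT being unset unless guest access is really wanted. It assumes the envar file is plain KEY=VALUE lines, treats the "approximately 25" dynamic threads as exactly 25, takes the MAXTHREADS value (from D OMVS,O) and the DLL directories as arguments because a shell script cannot issue operator commands, reads _IOE_SMB_CLEAR_PW=ON as "clear-text passwords accepted", and parses extattr output as "APF authorized = YES"; the two envar files it writes are constructed samples, a weak configuration and its corrected form.

```shell
#!/bin/sh
# Added example: pre-start check of a dfskern envar file. Not part of the
# Distributed File Service. Assumptions: KEY=VALUE envar file; 25 dynamic
# threads; MAXTHREADS and DLL dirs passed in; _IOE_SMB_CLEAR_PW=ON means
# clear-text passwords; extattr prints "APF authorized = YES" for +a files.
DYNAMIC_THREADS=25

# envar_get FILE NAME: print the value of NAME (last assignment wins), or nothing.
envar_get() {
    awk -F= -v k="$2" '
        /^[[:space:]]*#/ || !/=/ { next }
        { key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key) }
        key == k { v = $0; sub(/^[^=]*=/, "", v) }
        END { print v }' "$1"
}

# dfskern_thread_total FILE: pool envars + DYNAMIC_THREADS. An unset pool is
# counted as 0 with a warning; the documented default applies, so check it.
dfskern_thread_total() {
    total=$DYNAMIC_THREADS
    for name in _IOE_RFS_WORKER_THREADS _IOE_SMB_CALLBACK_POOL \
                _IOE_SMB_MAIN_POOL _IOE_TKMGLUE_SERVER_THREADS; do
        v=$(envar_get "$1" "$name")
        case "$v" in
            '')       echo "warning: $name unset, counted as 0" >&2 ;;
            *[!0-9]*) echo "error: $name=$v is not a number" >&2; return 1 ;;
            *)        total=$((total + v)) ;;
        esac
    done
    echo "$total"
}

# libpath_has FILE DIR: succeed if DIR is one of the LIBPATH entries in FILE.
libpath_has() {
    case ":$(envar_get "$1" LIBPATH):" in
        *":$2:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# dlls_apf_ok DIR: on z/OS, fail if any .dll in DIR lacks extattr +a.
# Skipped where the extattr command does not exist (not a z/OS system).
dlls_apf_ok() {
    command -v extattr >/dev/null 2>&1 || return 0
    ok=0
    for f in "$1"/*.dll; do
        [ -e "$f" ] || continue
        extattr "$f" | grep -q 'APF authorized = YES' || { echo "FAIL: $f lacks extattr +a"; ok=1; }
    done
    return $ok
}

# dfskern_precheck FILE MAXTHREADS DLLDIRS: 0 when every check passes, else 1.
dfskern_precheck() {
    file=$1; maxthreads=$2; dlldirs=$3; rc=0
    [ "$(envar_get "$file" _IOE_PROTOCOL_SMB)" = ON ] ||
        { echo "FAIL: _IOE_PROTOCOL_SMB is not ON; SMB file and print server stays inactive"; rc=1; }
    total=$(dfskern_thread_total "$file") || return 1
    [ "$total" -lt "$maxthreads" ] ||
        { echo "FAIL: $total DFSKERN threads not below MAXTHREADS=$maxthreads (SETOMVS MAXTHREADS=nn)"; rc=1; }
    IFS=:; set -- $dlldirs; unset IFS
    for d in "$@"; do
        libpath_has "$file" "$d" || { echo "FAIL: LIBPATH lacks $d"; rc=1; }
        dlls_apf_ok "$d" || rc=1
    done
    guest=$(envar_get "$file" _IOE_MVS_DFSDFLT)
    [ -z "$guest" ] ||
        { echo "FAIL: _IOE_MVS_DFSDFLT=$guest: bad or missing passwords map to guest user $guest"; rc=1; }
    [ "$(envar_get "$file" _IOE_SMB_CLEAR_PW)" != ON ] ||
        echo "WARN: _IOE_SMB_CLEAR_PW=ON, clear-text passwords; encrypted passwords are recommended"
    return $rc
}

# Constructed sample envar files: a weak configuration and its corrected form.
SAMPLE_DIR=$(mktemp -d)
WEAK_ENVAR=$SAMPLE_DIR/envar.weak
GOOD_ENVAR=$SAMPLE_DIR/envar.good
cat >"$WEAK_ENVAR" <<'EOF'
_IOE_PROTOCOL_SMB=OFF
_IOE_MVS_DFSDFLT=GUEST
_IOE_SMB_CLEAR_PW=ON
_IOE_RFS_WORKER_THREADS=200
_IOE_SMB_CALLBACK_POOL=200
_IOE_SMB_MAIN_POOL=300
_IOE_TKMGLUE_SERVER_THREADS=100
LIBPATH=/usr/lib
EOF
cat >"$GOOD_ENVAR" <<'EOF'
_IOE_PROTOCOL_SMB=ON
_IOE_SMB_CLEAR_PW=OFF
_IOE_RFS_WORKER_THREADS=40
_IOE_SMB_CALLBACK_POOL=20
_IOE_SMB_MAIN_POOL=30
_IOE_TKMGLUE_SERVER_THREADS=10
LIBPATH=/usr/lib:/usr/lpp/Printsrv/lib
EOF

# Usage: dfskern_precheck ENVAR_FILE MAXTHREADS OCSF_DLL_DIR:INFOPRINT_DLL_DIR
for f in "$WEAK_ENVAR" "$GOOD_ENVAR"; do
    echo "== $f"
    if dfskern_precheck "$f" 500 /usr/lib:/usr/lpp/Printsrv/lib; then echo "PASS"; fi
done
```

Run it against the real /opt/dfslocal/home/dfskern/envar with the MAXTHREADS value shown by D OMVS,O and the DLL directories named in z/OS Program Directory; the weak sample fails on every check except the clear-password warning, the corrected sample passes. Because the SMB server caches permissions and reads its envar file only at start, run the check before each dfskern start rather than after changing the file.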