5 The Base product (Windows)

5.1 HELIOS architecture on Windows

HELIOS Base is the foundation for all HELIOS products and contains all basic libraries, the HELIOS Admin administration software, and additional powerful tools.

5.1.1 Optimal integration into Windows

Windows Services are administered by the HELIOS Service Controller
Windows shares can be published as HELIOS volumes
HELIOS supports Windows ACL (Access Control List) permissions
Windows users/groups (local and AD/PDC) are supported by HELIOS
Windows file changes are reported to the HELIOS notification server via the HELIOS file event driver
System messages, issued by HELIOS services, are written to the Windows event log (see 5.3 “Windows event log”)
Windows Unicode is used by HELIOS
Windows print jobs can be automatically forwarded to HELIOS printer queues (see 15.9.1 “Windows printing to HELIOS queues”)

5.1.2 HELIOS server processes on Windows

All processes are monitored and administered by the HELIOS Service Controller. One master process is started for each service, additional client processes are spawned for each user/session. The security is enforced by each session running as an authenticated user. There are various options for process auditing and tracing.

5.1.3 Starting and stopping the HELIOS software

The HELIOS services are started automatically when Windows is booted. This is done by the HELIOS Windows service “heliossvc”.

The HELIOS services can be started or stopped manually by any user with administrative rights (i.e. member of the “Administrators” group).

The “start-helios” command (in “HELIOSDIR\bin”) starts the HELIOS Windows service “heliossvc” which runs with system privileges and calls “start-helios -a” to actually start the HELIOS services. This is done to ensure that all HELIOS services are running with system privileges, regardless of who called “start-helios”.

Likewise, “stop-helios” causes the HELIOS Windows service “heliossvc” to call stop-helios -a with system privileges.

The Windows Services tool (Administrative Tools > Services) allows you to start and stop HELIOS services in the Windows GUI.

Note:: Neither “start-helios” nor “stop-helios” can print messages to the console. All “stderr” messages are logged to the Windows event log (see 5.3 “Windows event log”), all “stdout” messages are discarded.

5.2 Windows permissions

Windows SIDs

Windows SIDs (Security Identification) are used almost everywhere in Windows. They are very complex and include machine information, domain information, user/group information, etc. Each user or group has a unique SID. A typical user SID has a length of 224 bit.

The HELIOS “authutil” program maps the Windows SIDs into 32-bit IDs and back, in order to be used with “htar”, “dt tools”, printing, accounting, etc.

Effective user session SIDs

The “authutil” login command shows the effective permissions, including the mapped HELIOS user ID of the Windows SID and the HELIOS group IDs (see 10.2 “authutil”).

Example:

$ authutil login -n Administrator -p secret -s 
        user: Administrator 
         uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500> 
         gid: 67109377:None 
   long name: <null> 
last refresh: Thu Aug 27 09:32:12 2009 
      origin: Windows <*> 
     homedir: <null> 
       admin: system,queue,printer,WebShare 
      groups: None:67109377, Everyone:16842752, 
              Administrators:0, Users:35652129, 
              INTERACTIVE:17104900, Authenticated 
              Users:17104907, LOCAL:16908288 
This organization:17104911, NTLM Authentication:37748746

Mapping of names/IDs

“authutil” also delivers information on a certain user without logging in, via the user name (Example 1) or the mapped HELIOS user ID (Example 2):

Example 1:

$ authutil user -n Administrator 
        user: Administrator 
         uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500> 
         gid: -1:<null> 
   long name: <null> 
last refresh: Thu Aug 27 09:35:31 2009 
      origin: Windows <*> 
     homedir: <null> 
      groups: Administrators:0

Example 2:

$ authutil user -i 67109364 
        user: Administrator 
         uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500> 
         gid: -1:<null> 
   long name: <null> 
last refresh: Thu Aug 27 09:37:04 2009 
      origin: Windows <*> 
     homedir: <null> 
      groups: Administrators:0

Windows ACLs

Windows ACLs specify SID access lists for files, services and resources. They differ from UNIX ACLs, and also from TCP/IP ACLs.

5.2.1 Permissions for owner and group

UNIX

On UNIX, access rights and permissions can be set via the HELIOS tools “dt chown” and “dt chmod”. In the following example, the file “file” is set to allow owner and group read/write permissions, and others read-only. The HELIOS tools “dt chown” and “dt chmod” are described in 8.11.1 “Command descriptions”.

Example:

# dt chown mike:helios file 
# dt chmod 664 file

A directory listing shows the effect of the action:

# dt ls -l file 
... 
-rw-rw-r--  1 mike helios 160 Mar 15 2005 file 
...

Windows

On Windows, ACLs specify file permissions for the owner, the group and others.

HELIOS file access is always performed using the Windows file system. Hence, all Windows file permissions and ACLs are always honored.

The Windows program “cacls.exe” allows displaying or modifying ACLs. “cacls.exe” is documented by Microsoft.

Note:: The HELIOS tools “dt chown”, “dt chgrp” and “dt chmod” can map UNIX permissions to Windows ACLs. This allows setting the same permissions, using the same syntax across platforms (Windows, Mac, UNIX), for the convenience of users and administrators. We recommend to set owner, group and permissions with these “dt” tools.

Example

(“cacls.exe” output of “C:\TEMP\file”):

Owner:

C:\TEMP\file ANKH\mike:(special access:) 
STANDARD_RIGHTS_ALL 
DELETE 
READ_CONTROL 
WRITE_DAC 
WRITE_OWNER 
SYNCHRONIZE 
STANDARD_RIGHTS_REQUIRED 
FILE_GENERIC_READ 
FILE_GENERIC_WRITE 
FILE_READ_DATA 
FILE_WRITE_DATA 
FILE_APPEND_DATA 
FILE_READ_EA 
FILE_WRITE_EA 
FILE_DELETE_CHILD 
FILE_READ_ATTRIBUTES 
FILE_WRITE_ATTRIBUTES

Group:

ANKH\helios:(special access:) 
READ_CONTROL 
SYNCHRONIZE 
FILE_GENERIC_READ 
FILE_GENERIC_WRITE 
FILE_READ_DATA 
FILE_WRITE_DATA 
FILE_APPEND_DATA 
FILE_READ_EA 
FILE_WRITE_EA 
FILE_DELETE_CHILD 
FILE_READ_ATTRIBUTES 
FILE_WRITE_ATTRIBUTES

Everyone:

Everyone:(special access:) 
READ_CONTROL 
SYNCHRONIZE 
FILE_GENERIC_READ 
FILE_READ_DATA 
FILE_READ_EA 
FILE_READ_ATTRIBUTES 
BUILTIN\Administrators:F

5.3 Windows event log

Messages issued by HELIOS services are stored in the “Application” event log file which is accessible via the Windows “Event Viewer” (Administrative Tools > Event Viewer).

The HELIOS logs can also be accessed via the HELIOS Admin System Messages list or by use of the HELIOS “psyslog” utility. Unlike the Windows “Event Viewer”, “psyslog“ need not be refreshed manually and can be used in batch mode (see 8.24 “psyslog”).

5.4 File name encoding

There are different methods of file name encoding. For example, we assume the file name “Müller”.

Windows 8-bit client encoding

This encoding method is used by many client applications including “cmd.exe”, “perl.exe”, “ZIP”, etc. The file name “Müller” in the PC850 encoding is:

4d 81 6c 6c 65 72

Unicode

Unicode can contain different encodings. The file name “Müller” in the Windows UCS16 encoding is:

00 4d 00 fc 00 6c 00 6c 00 65 00 72

The file name “Müller” in UTF-8 encoding (which is used by HELIOS) is:

4d c3 bc 6c 6c 65 72

Note:: HELIOS “dt” tools or ImageServer file events use the UTF-8 encoding.

HELIOS “uniconv” tool

The HELIOS “uniconv” tool converts between different encodings (see 8.5 “uniconv”).

5.5 HELIOS CLI parameters

The HELIOS CLI (Command Line Interface) tools accept Unicode input parameters. Internally HELIOS uses UTF-8.

Note:: Perl only supports 8-bit Windows encoding. This is important to know since HELIOS scripts, e.g. WebShare scripts, are based on Perl. By default, Windows uses the PC-850 character set and converts parameters from/to PC-850.

Wildcard parameters

HELIOS CLI tools support simple Windows wildcard parameters:

* = No, one or more characters
? = single character

Windows arguments

Windows command arguments containing spaces, e.g.:

\Program Files\HELIOS\bin\dt.exe ls -l C:\My Files\Docs\

must be called quoted:

"\Program Files\HELIOS\bin\dt.exe" ls -l "C:\My Files\Docs\"

To verify how many parameters are passed to programs, the HELIOS “uniconv” tool (8.5 “uniconv”) supports the -e option to echo all arguments.

Example:

$ uniconv -e 123 Hello World "Hello HELIOS"

will print:

ARGV[0]: uniconv 
ARGV[1]: -e 
ARGV[2]: 123 
ARGV[3]: Hello 
ARGV[4]: World 
ARGV[5]: Hello HELIOS

5.6 File path information

UNIX

UNIX file paths are delimited by slashes (“/”),
e.g.: /data1/myfiles/filename

Windows

Windows file paths are delimited by backslashes (“\”),
e.g.: C:\data1\myfiles\filename

HELIOS Windows normalized

HELIOS uses a normalized path syntax. This allows referencing files on Windows or on UNIX in case Windows data is restored in UNIX,
e.g.: /C:/data1/myfiles/filename (standard HELIOS file path).

Windows file paths are also supported by HELIOS:

C:\data1\myfiles\filename 
C:/data1/myfiles/filename

Windows reparse points

HELIOS supports Windows reparse points similarly to UNIX mounts, e.g.:
“disk 1 partition 5” is mounted as C:\data

Windows hard links

Although HELIOS supports Windows hard links, it is advised to use them with caution. Support is provided using the HELIOS “ln” tool (see 8.28.2 “ln”).

UNIX symbolic links

In Windows there is no such feature as symbolic links. Within HELIOS applications emulated symlinks do work. The HELIOS command ln -s allows creating symlinks.

NTFS file IDs

On the Windows NTFS (NT File System), each file or directory is assigned a 64-bit unique ID number. This is similar to the Apple HFS/AFP ID number for files and directories. In addition, Windows assigns a unique volume identifier ID. The unique IDs on Windows and UNIX can be viewed via the dt ls -i command.

Example:

$ dt ls -i "\Program Files\helios\Public"
   2814749767188534 Documentation 
   2533274790477893 Java 
   5066549580873721 MacOS 
   3940649674031168 ReadMe 
  38280596832731537 WebShare 
   2251799813767233 Windows

You may additionally specify the -l option (“long”) along with the -i option in order to get the extended output.

5.7 Windows shares & HELIOS volumes

Windows shares

Windows shares are shared folders that can be accessed in a network by other computers. They are managed by the Windows Explorer or the “Computer Management” tool. Windows shares can be imported in the HELIOS Admin Volumes tab, where folder properties (e.g. OPI layouts) may be customized. You may have to refresh the volume list with the “Refresh” button. Windows shares are removed from within Explorer or “Computer Management”. However, the HELIOS volume is not automatically removed.

AFP shares in Windows 2003

If SFM (Services for Macintosh) is installed on Windows 2003, Windows AFP shares can be enabled with the “Share a Folder” wizard in the Windows “Computer Management” tool if the Apple Macintosh users option is checked.

HELIOS volumes

HELIOS volumes are completely managed by HELIOS Admin. The Volumes tab of HELIOS Admin gives a summary of all HELIOS volumes and all available Windows shares. Grayed-out volumes in the HELIOS Admin volume list indicate that the volume is defined as a HELIOS volume, but is not defined as a Windows share (see the “ICC-Profiles” volume in Fig. 5.1).

Fig. 5.1: HELIOS volume not defined as Windows share

5.8 Modifications in the Windows system

5.8.1 DLL search path for HELIOS libraries

All HELIOS tools and services require several HELIOS libraries that are installed in “HELIOSDIR\lib”. The HELIOS Installer adds this path to the Windows search path, so that HELIOS programs will find the libraries.

Note:: Sometimes third-party installers or users modify the Windows search path, which may result in missing library error messages. Issuing a stop-helios and start-helios -i will fix this.

5.8.2 HELIOS files copied into the Windows folder

USB driver

The USB-dongle driver files are copied into the “WINDOWS\system32\drivers” and the “WINDOWS\inf” directory. This is done by Windows during the driver installation.

HELIOS print monitor driver

The HELIOS print monitor driver “HELIOSPrinterMon_s.dll” (or – depending on the architecture – “HELIOSPrinterMon64_s.dll”) is copied from “HELIOSDIR\etc\printmon” into the “WINDOWS\system32” folder.

5.8.3 Windows registry entries

When the HELIOS software is installed on the Windows platform, only a few changes are applied to the Windows registry in “HKEY_LOCAL_MACHINE”.

Uninstall info:

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HELIOS

HELIOS installation path:
```
SOFTWARE\HELIOS Software GmbH\Helios
```

Event log:

SYSTEM\CurrentControlSet\Services\Eventlog\Application\Helios SYSTEM
\CurrentControlSet\Services\Eventlog\Application\heliossvc

Environment:

SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Note:: All other settings for the HELIOS modules are stored in the HELIOS Preferences and configuration files.

5.9 HELIOS file event driver

The HELIOS file event driver is a kernel driver that monitors the HELIOS volumes and reports file changes to the HELIOS notification server. This is needed e.g. for the ImageServer product to generate layout files or to trigger hot folder actions.

The driver (“HELIOS_FileEvent.sys” or “HELIOS_FileEvent64.sys”, depending on the architecture), is located in “HELIOSDIR\etc\kernel”. The notification server “notifysrv” loads the file event driver when it is started. The driver remains loaded until Windows is shut down.

If an update for the file event driver should become available, Windows must be rebooted to load the updated driver. Otherwise “notifysrv” will issue the following error message at startup:

A previous version of the kernel driver is already loaded.
You must reboot the computer to load the updated kernel driver.

In the case of a Windows crash within 2 minutes after “start-helios”, the file event driver is not loaded with the next “start-helios”. In this case, “notifysrv” will issue the following error message at startup:

Kernel driver not loaded because the file "HELIOSDIR/var/run/kdrvStart"
exists. This could be caused by an abnormal termination of the notify
server. You must delete this file and restart the HELIOS services to
get the driver loaded again.

The HELIOS services will start, but no file events will be reported to the notification server and therefore automatic layout generation or hot folder actions in ImageServer will not work. The file event driver will not be loaded until you delete the file “HELIOSDIR\var\run\kdrvStart” and restart the HELIOS software.

Third-party applications can use the “Notification feature” of ImageServer to receive information about file and directory changes in HELIOS volumes.

5.10 Windows firewall problems

All installed firewalls must be turned off for the initial HELIOS installation. After a successful HELIOS software installation, all services without firewall, anti-virus software, etc. must be tested.

If everything works as expected, the HELIOS services should be tested again, with enabled firewall. The ports that the services use are listed in chapter C.7 “TCP ports used by HELIOS”.

Note:: Some firewalls will not allow localhost TCP/IP communications needed by HELIOS. Also, many problems can occur with firewall configurations that do not allow HELIOS TCP/IP communications. Custom firewall configuration is needed in this case.

The command socket -v <servername> <port> from a client will show if a connection to the server can be established. The HELIOS “socket” program is described in 8.6 “socket”.

5.11 HELIOS Admin notes

Differences on Windows

On Windows, HELIOS Admin provides less administration, compared to its UNIX counterpart. This is because Windows file services and authentication methods are used instead of the corresponding HELIOS services (see Available products in 4.1.9 “Software installation (Windows)”:

No Security Settings menu
No Mac, Windows, WINS and DHCP tabs in the Server Settings menu
No Starting Program, User Home Directory, Primary Group,
Minimum User/Group ID in the General tab of the Server Settings menu

Users and groups

HELIOS Admin cannot be used to administer Windows users or groups. They can be viewed as a read-only list.

Administrative groups

HELIOS Admin administrative groups are not created during the installation. The groups “SysAdm”, “PrnAdm”, “WSAdm” and “QueueAdm” should be created via Windows to allow control of administrative rights within HELIOS modules. Refer to Security – who can use HELIOS Admin? for full details.

Note:: Under Windows, any member of the “Administrators” group is functionally equivalent to the user “root” under UNIX. Hence, a member of the “Administrators” group can log on to HELIOS Admin and receive full administrative rights.

HELIOS authentication server

Under Windows, HELIOS Base does not contain the HELIOS authentication server (“authsrv”). Authentication is automatically configured to use local users and AD/PDC users. However, the “authutil” tool is available as described in 5.2 “Windows permissions”.

5.12 “srvmsg” program notes

On Windows installations, the HELIOS program “srvmsg” behaves slightly different than its counterpart on UNIX:

When calling “srvmsg” with the -d and -D options for auditing purposes, only the specified process is traced. Forked child processes are not automatically traced in the live auditing. They must be called with their own spawned process ID.

The usage and all available options of the “srvmsg” program is described in chapter 8 “HELIOS utility programs”.

5.13 PAP and HELIOS TCP Printing

For printing from a Mac client to the HELIOS printing system, HELIOS provides the Mac PAP and HELIOS TCP printers.

Mac PAP

If the Windows server has SFM (Services for Macintosh) installed, HELIOS Admin can set up the HELIOS queues as Mac – PAP. Mac clients can then browse for AppleTalk PAP printers, add the printers to the Mac client using the Mac OS X “Printer Setup Utility” and print from the client to the server.

HELIOS TCP

For better performance or if SFM is not running, print queues can be published as HELIOS TCP printers. For this to work, the “HELIOS TCP” printer driver must be installed on each Mac client. The following table gives an overview on the required plug-in that has to be installed for configuring the HELIOS TCP printer.

Client	HELIOS TCP Printer plug-in
Mac OS X	HELIOSTCPPrinter.dmg
Mac OS 9	HELIOS TCP Chooser/HELIOS TCP Printer

Installing and configuring Mac PAP and HELIOS TCP printers is described in the chapters “Printer spooler settings”, “PAP printer output settings” and “HELIOS TCP Printer driver” in the HELIOS EtherShare manual.

HELIOS Manuals May 17, 2013