HELIOS Base UB for Windows User manual

2 HELIOS Base UB for Windows

2.1 HELIOS architecture on Windows

HELIOS Base is the foundation for all HELIOS products and contains all basic libraries, the HELIOS Admin administration software, and additional powerful tools.

2.1.1 Optimal integration into Windows

• Windows Services are administered by the HELIOS Service Controller
• Windows shares can be published as HELIOS volumes
• HELIOS supports Windows ACL (Access Control List) permissions
• Windows users/groups (local and AD/PDC) are supported by HELIOS
• Windows file changes are reported to the HELIOS notification server via the HELIOS file event driver
• System messages, issued by HELIOS services, are written to the Windows event log (see 2.3 "Windows event log")
• Windows Unicode is used by HELIOS
• Windows print jobs can be automatically forwarded to HELIOS printer queues (see 3.2 "Windows printing to HELIOS queues")

2.1.2 HELIOS server processes on Windows

All processes are monitored and administered by the HELIOS Service Controller. One master process is started for each service, additional client processes are spawned for each user/session. The security is enforced by each session running as an authenticated user. There are various options for process auditing and tracing.

Fig. 13: Process Explorer (by Sysinternals)

2.1.3 Starting and stopping the HELIOS software

The HELIOS services are started automatically when Windows is booted. This is done by the HELIOS Windows service "heliossvc".

The HELIOS services can be started or stopped manually by any user with administrative rights (i.e. member of the "Administrators" group).

The "start-helios" command (in "HELIOSDIR\bin") starts the HELIOS Windows service "heliossvc" which runs with system privileges and calls "start-helios -a" to actually start the HELIOS services. This is done to ensure that all HELIOS services are running with system privileges, regardless of who called "start-helios".

Likewise, "stop-helios" causes the HELIOS Windows service "heliossvc" to call "stop-helios -a" with system privileges.

The Windows Services tool (Administrative Tools > Services) allows you to start and stop HELIOS services in the Windows GUI.

Note: Neither "start-helios" nor "stop-helios" can print messages to the console. All "stderr" messages are logged to the Windows event log (see 2.3 "Windows event log"), all "stdout" messages are discarded.

2.2 Windows permissions

Windows SIDs

Windows SIDs (Security Identification) are used almost everywhere in Windows. They are very complex and include machine information, domain information, user/group information, etc. Each user or group has a unique SID. A typical user SID has a length of 224 bit.

The HELIOS "authutil" program maps the Windows SIDs into 32-bit IDs and back, in order to be used with "htar", "dt tools", printing, accounting, etc.

Effective user session SIDs

The "authutil" login command shows the effective permissions, including the mapped HELIOS user ID of the Windows SID and the HELIOS group IDs. The "authutil" tool is described in the HELIOS Base manual.

Example:

authutil login -n Administrator -p secret -s
user: Administrator
uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500>
gid: 67109377:None
long name: <null>
last refresh: Thu Aug 17 09:32:12 2006
origin: Windows <*>
homedir: <null>
admin: system,queue,printer,WebShare
groups: None:67109377, Everyone:16842752,
Administrators:0, Users:35652129,
INTERACTIVE:17104900, Authenticated
Users:17104907, LOCAL:16908288
This organization:17104911, NTLM Authentication:37748746

Mapping of names/ID

"authutil" also delivers information on a certain user without logging in, via the user name (Example 1) or the mapped HELIOS user ID (Example 2):

Example 1:

authutil user -n Administrator
user: Administrator
uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500>
gid: -1:<null>
long name: <null>
last refresh: Thu Aug 17 09:35:31 2006
origin: Windows <*>
homedir: <null>
groups: Administrators:0

Example 2:

authutil user -i 67109364
user: Administrator
uid: 67109364 <S-1-5-21-527237240-2111687655-1343024091-500>
gid: -1:<null>
long name: <null>
last refresh: Thu Aug 17 09:37:04 2006
origin: Windows <*>
homedir: <null>
groups: Administrators:0

Windows ACLs

Windows ACLs specify SID access lists for files, services and resources. They differ from UNIX ACLs, and also from TCP/IP ACLs.

2.2.1 Permissions for owner and group

UNIX

On UNIX, access rights and permissions can be set via the HELIOS tools "dt chown" and "dt chmod". In the following example, the file "file" is set to allow owner and group read/write permissions, and others read-only. The HELIOS tools "dt chown" and "dt chmod" are described in the HELIOS Base manual.

Example:

dt chown mike:helios file
dt chmod 664 file

A directory listing shows the effect of the action:

dt ls -l samplefile
...
-rw-rw-r-- 1 mike helios 160 Mar 15 2005 file
...

Windows

On Windows, ACLs specify file permissions for the owner, the group and others.

HELIOS file access is always performed using the Windows file system. Hence, all Windows file permissions and ACLs are always honored.

The Windows program "cacls.exe" allows displaying or modifying ACLs. The "cacls.exe" program is documented by Microsoft.

Note: The HELIOS tools "dt chown", "dt chgroup" and "dt chmod" can map UNIX permissions to Windows ACLs. This allows setting the same permissions, using the same syntax across platforms (Windows, Mac, UNIX), for the convenience of users and administrators. We recommend to set owner, group and permissions with these "dt" tools.

Example:

Owner:

C:\TEMP\file ANKH\mike:(special access:)
STANDARD_RIGHTS_ALL
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
STANDARD_RIGHTS_REQUIRED
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES

Group:

ANKH\helios:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_GENERIC_WRITE
FILE_READ_DATA
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_READ_EA
FILE_WRITE_EA
FILE_DELETE_CHILD
FILE_READ_ATTRIBUTES
FILE_WRITE_ATTRIBUTES

Everyone:

Everyone:(special access:)
READ_CONTROL
SYNCHRONIZE
FILE_GENERIC_READ
FILE_READ_DATA
FILE_READ_EA
FILE_READ_ATTRIBUTES
BUILTIN\Administrators:F

2.3 Windows event log

Messages issued by HELIOS services are stored in the "Application" event log file which is accessible via the Windows Event Viewer (Administrative Tools > Event Viewer).

The HELIOS logs can also be accessed via the HELIOS Admin System Messages list or by use of the HELIOS "psyslog" utility. Unlike the Windows Event Viewer, "psyslog" does not need to be refreshed manually and can be used in batch mode (see 4.1.8 "psyslog").

2.4 File name encoding

There are different methods of file name encoding. For example, we assume the file name "Müller".

Windows 8-bit client encoding

This encoding method is used by many client applications including "cmd.exe", "perl.exe", "ZIP", etc. The file name "Müller" in the PC850 encoding is:

4d 81 6c 6c 65 72

Unicode

Unicode can contain different encodings. The file name "Müller" in the Windows UCS16 encoding is:

00 4d 00 fc 00 6c 00 6c 00 65 00 72

The file name "Müller" in UTF-8 encoding (which is used by HELIOS) is:

4d c3 bc 6c 6c 65 72

Note: HELIOS "dt tools" or ImageServer file events use the UTF-8 encoding.

HELIOS "uniconv" tool

The HELIOS "uniconv" tool converts between different encodings (see 4.1.1 "uniconv").

2.5 HELIOS CLI parameters

The HELIOS CLI (Command Line Interface) tools accept Unicode input parameters. Internally HELIOS uses UTF-8.

Important: Perl only supports 8-bit Windows encoding. This is important to know since HELIOS scripts, e.g. WebShare scripts, are based on Perl.
By default, Windows uses the PC-850 character set and converts parameters from/to PC-850.

Wildcard parameters

HELIOS CLI tools support simple Windows wildcard parameters:

* = any character
? = single character

Windows arguments

Windows command arguments containing spaces, e.g.:

\Program Files\HELIOS\bin\dt.exe C:\My Files\Docs\

must be called quoted:

"\Program Files\HELIOS\bin\dt.exe" "C:\My Files\Docs\"

To verify how many parameters are passed to programs, the HELIOS "uniconv" tool (4.1.1 "uniconv") supports the -e option to echo all arguments.

Example:

uniconv -e 123 Hello World "Hello HELIOS"

will print:

ARGV[0]: uniconv
ARGV[1]: -e
ARGV[2]: 123
ARGV[3]: Hello
ARGV[4]: World
ARGV[5]: Hello HELIOS

2.6 File path information

UNIX

UNIX file paths are delimited by slashes ("/"), e.g.:

C:/data1/myfiles/filename

Windows

Windows file paths are either delimited by slashes ("/") or backslashes ("\"), e.g.:

C:\data1\myfiles\filename or C:/data1/myfiles/filename

HELIOS Windows normalized

HELIOS uses a normalized path syntax. This allows referencing files on Windows or on UNIX in case Windows data is restored in UNIX, e.g.:

/C:/data1/myfiles/filename (standard HELIOS file path)

Windows file paths are also supported by HELIOS:

C:\data1\myfiles\filename
C:/data1/myfiles/filename

Windows reparse points

HELIOS supports Windows reparse points similarly to UNIX mounts, e.g.:

"disk 1 partition 5" is mounted as C:\data

Windows hard links

Although HELIOS supports Windows hard links, it is advised to use them with caution. Support is provided using the HELIOS "ln" tool (see 4.1.5 "ln").

UNIX symbolic links

In Windows there is no such feature as symbolic links. Within HELIOS applications emulated symlinks do work. The HELIOS command "ln -s" allows creating symlinks.

NTFS file IDs

On the Windows NTFS (NT File System), each file or directory is assigned a 64-bit unique ID number. This is similar to the Apple HFS/AFP ID number for files and directories. In addition, Windows assigns a unique volume identifier ID. The unique IDs on Windows and UNIX can be viewed via the "dt ls -i" command.

Example:

dt ls -i "\Program Files\helios\Public"

   2814749767188534 Documentation
   2533274790477893 Java
   5066549580873721 MacOS
   3940649674031168 ReadMe
  38280596832731537 WebShare
   2251799813767233 Windows

You may additionally specify the -l option ("long") along with the -i option in order to get the extended output.

2.7 Windows shares & HELIOS volumes

Windows shares

Windows shares are shared folders that can be accessed in a network by other computers. They are managed by Windows Explorer or the "Computer Management" tool. Windows shares can be imported in the HELIOS Admin Volumes tab, where folder properties (e.g. OPI layouts) may be customized. You may have to refresh the volume list with the "Refresh" button. Windows shares are removed from within the Windows Explorer, or the "Computer Management" tool. However, the HELIOS volume is not automatically removed.

HELIOS Volumes

HELIOS volumes are completely managed by HELIOS Admin. The Volumes tab of HELIOS Admin gives a summary of all HELIOS volumes and all available Windows shares. Grayed-out volumes in the HELIOS Admin volume list indicate that the volume is defined as a HELIOS volume, but is not defined as a Windows share (see e.g. the ICC-Profiles volume in Fig. 14).

AFP shares in Windows 2003

Windows AFP shares can be enabled with the "Share a Folder" wizard in the Windows "Computer Management" tool if the Apple Macintosh users option is checked.

Fig. 14: HELIOS volume not defined as Windows share

2.8 Modifications in the Windows system

2.8.1 DLL search path for HELIOS libraries

All HELIOS tools and services require several HELIOS libraries that are installed in "HELIOSDIR\lib". The HELIOS Installer adds this path to the Windows search path, so that HELIOS programs will find the libraries.

Note: Sometimes third-party installers or users modify the Windows search path, which may result in missing library error messages. Issuing a "stop-helios" and a "start-helios -i" will fix this.

2.8.2 HELIOS files copied into the Windows folder

USB driver

The USB-dongle driver files are copied into the "WINDOWS\system32\drivers" and the "WINDOWS\inf" directory. This is done by Windows during the driver installation.

HELIOS print monitor driver

The HELIOS print monitor driver "HELIOSPrinterMon_s.dll" (or "HELIOSPrinterMon64_s.dll" - depending on the architecture) is copied from "HELIOSDIR\etc\printmon" into the "WINDOWS\system32" folder.

2.8.3 Windows registry entries

When the HELIOS software is installed on the Windows platform, only a few changes are applied to the Windows registry in "HKEY_LOCAL_MACHINE\".

• Uninstall info:
  SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HELIOS
• HELIOS installation path:
  SOFTWARE\HELIOS Software GmbH\Helios
• Event log:
  SYSTEM\CurrentControlSet\Services\Eventlog\Application\Helios
  SYSTEM\CurrentControlSet\Services\Eventlog\Application\heliossvc
• Environment:
  SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Note: All other settings for the HELIOS modules are stored in the HELIOS Preferences and configuration files.

2.9 HELIOS file event driver

The HELIOS file event driver is a kernel driver that monitors the HELIOS volumes and reports file changes to the HELIOS notification server. This is needed e.g. for the HELIOS ImageServer product to generate layout files or to trigger hot-folder actions.

The driver ("HELIOS_FileEvent.sys" or "HELIOS_FileEvent64.sys", depending on the architecture), is located in "HELIOSDIR\etc\kernel". The notification server "notifysrv" loads the file event driver when it is started. The driver remains loaded until Windows is shut down.

If an update for the file event driver should become available, Windows must be rebooted to load the updated driver. Otherwise "notifysrv" will issue the following error message at startup:

A previous version of the kernel driver is already loaded.

You must reboot the computer to load the updated kernel driver.

In the case of a Windows crash within 2 minutes after "start-helios", the file event driver is not loaded with the next "start-helios". In this case, "notifysrv" will issue the following error message at startup:

Kernel driver not loaded because the file 'HELIOSDIR/var/run/kdrvStart' exists. This could be caused by an abnormal termination of the notify server. You must delete this file and restart the HELIOS services to get the driver loaded again.

The HELIOS services will start, but no file events will be reported to the notification server and therefore automatic layout generation or hot-folder actions in ImageServer will not work. The file event driver will not be loaded until you delete the file "HELIOSDIR\var\run\kdrvStart" and restart the HELIOS software.

Third-party applications can use the "Notification feature" of HELIOS ImageServer to receive information about file and directory changes in HELIOS volumes.

2.10 Windows firewall problems

All installed firewalls must be turned off for the initial HELIOS installation. After successful HELIOS software installation test all services without firewall, anti-virus software, etc.

If everything works as expected, enable the firewall and test the HELIOS services again. The ports that the services use are listed in the HELIOS Base UB manual.

Note: Some firewalls will not allow localhost TCP/IP communications needed by HELIOS.

Many problems occur with firewall configurations which will not allow HELIOS TCP/IP communications, custom configuration is needed in this case.

The command socket -v <servername> <port> from a client will show if a connection to the server can be established. The HELIOS "socket" program is described in the HELIOS Base UB manual.

2.11 HELIOS Admin notes

Differences on Windows

In a Windows installation, HELIOS Admin provides less administration, compared to its UNIX counterpart. This is due to the fact that Windows file services and authentication methods are used rather than the corresponding HELIOS services (see Available products in 1 "Introduction"):

• No Security Settings menu
• No Mac, Windows, WINS and DHCP tabs in the Server Settings menu
• No Starting Program, User Home Directory, Primary Group, Minimum User / Group ID in the General tab of the Server Settings menu

Users and Groups

HELIOS Admin cannot be used to administer Windows users or groups. They can be viewed as a read-only list.

Administrative groups

HELIOS Admin administrative groups are not created during the installation. The groups "SysAdm", "PrnAdm", "WSAdm" and "QueueAdm" should be created via Windows to allow control of administrative rights within HELIOS modules. Refer to the chapter "General remarks" in the HELIOS Base UB manual for full details.

Note: In Windows, any member of the "Administrators" group is functionally equivalent to root user under UNIX. Hence, a member of the "Administrators" group can log in to HELIOS Admin and be granted full administrative rights.

HELIOS authentication server

On Windows, HELIOS Base UB does not contain the HELIOS authentication server ("authsrv"). Authentication is automatically configured to use local users and AD/PDC users. However, the "authutil" tool is available as described in 2.2 "Windows permissions".

2.12 "srvmsg" program notes

On Windows installations, the HELIOS program "srvmsg" behaves slightly different than its counterpart on UNIX:

When calling "srvmsg" with the -d and -D options for auditing purposes, only the specified process is traced. Forked child processes are not automatically traced in the live auditing. They must be called with their own spawned process ID.

Note: In a future version, there will be no differences in the program behavior on Windows and on UNIX.

The usage and all available options of the "srvmsg" program is described in the chapter "HELIOS utility programs" in the HELIOS Base UB manual.