This section discusses advanced AIX Fast Connect features used for customized configurations. See AIX Fast Connect Configuration and Administration for basic administrative procedures.
Note: Several of the features described in this section cannot be used simultaneously.
AIX Fast Connect supports the following advanced features:
Several performance considerations for AIX Fast Connect are also discussed in this section.
Many choices for the above features depend on the authentication method selected. Each type has its advantages and disadvantages. Which authentication method or methods you choose depends on your environment, your administration policy, and the ease of administration and use. The following methods for user authentication are described in detail in this section:
AIX-based authentication uses AIX user definitions and passwords. All AIX authentication grammars are supported, including DCE and LDAP. Following session setup, an AIX Fast Connect session gets the authenticated AIX user's credentials (UID, GID, and secondary groups).
The following requirements apply:
net config /encrypt_passwords:0
Plain text passwords have the following advantages:
Plain text passwords have the following disadvantages:
Note: SMB networking does not support mixed case for plain text passwords. Every AIX user accessing AIX Fast Connect must have all uppercase or all lowercase AIX passwords.
The CIFS password encryption protocol method uses AIX Fast Connect user definitions and encrypted passwords for user authentication. Each user must also be defined under the same user name as an AIX user. AIX Fast Connect encrypts passwords and saves them in its user database (/etc/cifs/cifsPasswd) for use during session setup. (See Configuring Encrypted Passwords.) Following session setup, an AIX Fast Connect session gets the authenticated user's credentials (UID, GID and secondary groups).
CIFS password encryption protocol method has the following requirements:
(User passwords do not have to be the same on both systems.)
net config /encrypt_passwords:2
This method has the following advantages:
This method has the following disadvantages:
This authentication method uses AIX user definitions and NT server user authentication. In this mode, each AIX Fast Connect user must also be defined as an AIX user. Passthrough authentication is enabled using Web-based System Manager, SMIT, or the net command by specifying an IP address for the NT Passthrough Authentication Server. To configure this mode using the net command, type:
net config /passthrough_authentication_server:IPaddress
You can also designate a backup server for NT authentication by typing:
net config /backup_passthrough_authentication_server:IPaddress2
During session setup, AIX Fast Connect forwards the session setup request to the NT server. If the NT server authenticates the user, AIX Fast Connect grants access. Following session setup, an AIX Fast Connect session gets the authenticated user's credentials (UID, GID and secondary groups).
Passthrough authentication has the following requirements:
This method has the following advantages:
This method has the following disadvantage:
Notes:
- If passthrough authentication fails to authenticate an AIX Fast Connect user, user authentication continues with normal authentication on the AIX Fast Connect server. Depending on the value of the encrypt_passwords option, the server attempts to authenticate the PC client using either plain text or encrypted passwords.
- When passthrough authentication is enabled, guest logon support cannot work. These options are mutually exclusive. Disable guest logon by typing:
net config /guestlogonsupport:0
- When passthrough authentication is enabled, AIX Fast Connect's network logon feature cannot work. These options are mutually exclusive. (Frequently, the external NT authentication server is also acting as a Network Logon server, or even a Primary Domain Controller for NT domains.)
Disable AIX Fast Connect's network logon feature by typing:
net config /networklogon:0
AIX Fast Connect can be configured to act as a Network Logon server. In this mode, Windows-based PCs are configured for Network-Logon, rather than Local-Logon, which provides the following benefits:
The following restrictions apply to AIX Fast Connect's network logon feature:
AIX Fast Connect's Network Logon feature is enabled (or disabled) using the networklogon parameter. This feature has multiple configuration settings, many of which are rarely used. For more information, see Configuring Network Logon for AIX Fast Connect.
AIX Fast Connect can be configured to provide access to DFS for Windows clients. Each AIX Fast Connect user name is used as a DCE principal name. Mixed-case user names or passwords are only supported if encrypted passwords are used.
DCE support is automatically installed if the DCE filesets are installed before installing AIX Fast Connect. (cifsUserProc is then linked to cifsPrintServerDCE rather than cifsPrintServer.)
DCE support is controlled through the dce_auth configuration option, which can be set to 0 or 1. A value of 1 indicates that DCE authentication option is enabled. When dce_auth=1 (and cifsPrintServerDCE is being used), all incoming PC client logins are sent to DCE for authentication. This requires plain text passwords, and all PC-client user names and passwords must also be valid DCE user names and passwords. (UID, GID, and groupset are defined by the DCE authentication.)
When dce_auth=0, AIX Fast Connect can still provide some access to DFS files:
Notes:
- When DCE integration is enabled and the user's AIX UID is different from DCE UID, the user might not have the same access rights as an AIX login shell.
- Older versions of AIX Fast Connect (prior to 2.1.1.20) required that the root user be logged in as the cell administrator when loading the cifsServer daemon, for access to certain files. This is not a restriction in the current version of AIX Fast Connect.
- DCE/DFS authentication (dce_auth=1) is mutually exclusive with NT Passthrough authentication.
- DCE/DFS authentication (dce_auth=1) is mutually exclusive with the guest logon feature.
AIX Fast Connect can support guest-mode logins when configured for either plain text or encrypted passwords. To enable guest-mode logins, two parameters must be configured:
net config /guestlogonsupport:1 (enables guest logons)
net config /guestname:GuestID (AIX guestid with null password)
When guest logon support is enabled (guestlogonsupport=1) and the guestname field is set, non-AIX users can connect to the AIX Fast Connect server. The credentials for guest clients are set to those of the guestname account.
The AIX account specified by guestname must have a null AIX password -- it is being used for guest-mode access to the AIX file-system. This guest account can access all of the file system directories exported by AIX Fast Connect (as File Shares); therefore, this guest account should probably be in its own unique AIX group, to simplify access control.
Guest access is granted only to user names that are not defined as AIX Fast Connect users with a non-null password.
Incoming login requests are authenticated as follows:
To disable guest logon support, type:
net config /guestlogonsupport:0
Note:
- When guest logon support and encrypted passwords are both enabled, the guestname user does not have to be added to the AIX Fast Connect user database (/etc/cifs/cifsPasswd), but still must have a null AIX password.
- Guest logon support does cooperate with Network Logon support (networklogon=1). Whenever guest-mode access is granted, then the profile, startup scripts, and home directory of the guestname user are used for the network logon.
- If dce_auth=1, guest logon support does not work.
- If NT-passthrough authentication is configured, guest logon support does not work.
- If share_level_security=1, guest logon support does not work.
When the AIX Fast Connect server is configured for share-level security, then passwords are associated with individual file and print shares, not with PC client user names. In this mode, AIX Fast Connect provides access rights to PC clients based on a share-mode user name specified as the share_level_security_username parameter, similar to the guest logon access mode.
Note: When share-level security is enabled, all user-level authentication mechanisms are disabled.
To enable share-level security, type:
net config /share_level_security:1 (enable share-level security)
net config /share_level_security_username:AIXuser (configure share user)
In share-level security mode, AIX Fast Connect supports both ReadWrite passwords and ReadOnly passwords. When a PC client tries to connect to a share, the following can occur:
Note: These access modes are also affected by the access credentials of the share_level_security_username for that share, and by the mode share option, both of which can effectively change ReadWrite access to ReadOnly access.
net share /add /netname:NETTEMP /path:/tmp /rw_password:"write-is-okay"
net share /add /netname:USERS /path:/home /rw_password:writeme /ro_password:readme
Note: Specifying a ReadOnly password without specifying a ReadWrite password normally allows all clients to get ReadWrite access (if the ReadWrite password is null).
net config /share_level_security:0
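The mutual-exclusion rules for passthrough authentication, DCE authentication, guest logon and share-level security are spread across the notes in the sections above, and the null ReadWrite password pitfall in the share-level security note is easy to overlook. The following Python script is an example added to this page, not AIX Fast Connect code: it checks a snapshot of parameter values against those rules and flags shares whose password setup grants everyone write access. The snapshot is constructed by hand (the server address is a documentation IP and the parameter values are assumed for the example); on a real server you would fill it from the output of net config /parm:<name>.

```python
"""Added example (not AIX Fast Connect code): audit Fast Connect authentication
parameters and share-level passwords against the rules stated on this page."""
from typing import Dict, List

# Constructed snapshot of parameter values, in the form "net config /parm:<name>"
# reports them. "0" or "" means disabled/unset. The address is a documentation
# IP (assumption for the example).
EXAMPLE_CONFIG: Dict[str, str] = {
    "encrypt_passwords": "0",
    "passthrough_authentication_server": "192.0.2.10",
    "backup_passthrough_authentication_server": "",
    "guestlogonsupport": "1",
    "guestname": "smbguest",
    "networklogon": "1",
    "dce_auth": "0",
    "share_level_security": "0",
    "share_level_security_username": "",
}

# Feature pairs this page says cannot be active at the same time.
EXCLUSIVE_PAIRS = [
    ("passthrough_authentication_server", "guestlogonsupport"),
    ("passthrough_authentication_server", "networklogon"),
    ("passthrough_authentication_server", "dce_auth"),
    ("dce_auth", "guestlogonsupport"),
    ("share_level_security", "guestlogonsupport"),
]


def enabled(cfg: Dict[str, str], name: str) -> bool:
    """A flag is on when it is "1"; an address parameter is on when it is non-empty."""
    return cfg.get(name, "") not in ("", "0")


def audit_config(cfg: Dict[str, str]) -> List[str]:
    """Return one line per rule violation; an empty list means the combination is consistent."""
    findings: List[str] = []
    for a, b in EXCLUSIVE_PAIRS:
        if enabled(cfg, a) and enabled(cfg, b):
            findings.append(f"conflict: {a} and {b} are mutually exclusive")
    # DCE authentication needs plain text passwords from the client.
    if enabled(cfg, "dce_auth") and enabled(cfg, "encrypt_passwords"):
        findings.append("conflict: dce_auth=1 requires encrypt_passwords:0")
    # Guest logon needs an AIX account to map guests onto.
    if enabled(cfg, "guestlogonsupport") and not cfg.get("guestname"):
        findings.append("incomplete: guestlogonsupport=1 but guestname is unset")
    if enabled(cfg, "share_level_security"):
        if not cfg.get("share_level_security_username"):
            findings.append("incomplete: share_level_security=1 but share_level_security_username is unset")
        # Share-level security turns off every user-level authentication mechanism.
        for name in ("passthrough_authentication_server", "dce_auth"):
            if enabled(cfg, name):
                findings.append(f"warning: {name} has no effect while share_level_security=1")
    return findings


def audit_share(netname: str, rw_password: str, ro_password: str, mode: int = 1) -> List[str]:
    """Findings for one share under share-level security, as created with net share /add.
    Empty strings stand for passwords that were not given (null)."""
    if mode == 0:
        return []  # mode:0 makes the share ReadOnly for everyone, whatever the passwords
    if not rw_password:
        note = f"{netname}: rw_password is null, so every client gets ReadWrite access"
        if ro_password:
            note += "; the ro_password protects nothing"
        return [note]
    return []


if __name__ == "__main__":
    for line in audit_config(EXAMPLE_CONFIG):
        print(line)
    for line in audit_share("NETTEMP", "", "readme") + audit_share("USERS", "writeme", "readme"):
        print(line)
```

Run against the constructed snapshot, the audit reports two conflicts (passthrough with guest logon and passthrough with network logon), which is exactly the pair of net config commands the passthrough notes tell you to issue before enabling the server address.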
This feature allows AIX Fast Connect to map PC client user names (or sets of PC client user names) to server (AIX) user names, for purposes of user-mode authentication and file access. When enabled, AIX Fast Connect tries to map every incoming client user name to a server user name, and then uses that server user name for further user authentication and AIX credentials. (All user-authentication mechanisms are supported: AIX-based, encrypted passwords, NT-passthrough, DCE, ...)
This feature is controlled by the usernamemapping parameter, and mappings are configured by the net user /map command.
net config /usernamemapping:1
net user /map longclientname aixname
net user /map secondclientname aixname
net user /delete longclientname
net config /usernamemapping:0
Notes:
- PC client usernames are restricted to 20 characters.
- After mapping a client username XXXX to an AIX server username, that client username cannot be defined as a server username (with its own unique encrypted password) until the username mapping is deleted with net user /delete.
- When username mapping is enabled, the username root is mapped to the username nobody by default. This mapping can be changed. To allow the username root to map to itself (as a server user name), delete this default mapping with net user /delete root.
AIX Fast Connect provides several additional features for file access and user management, which are described in the following sections.
AIX Fast Connect supports the net session command, for displaying and managing logged-in user sessions.
net session
net session /user:username /workstation:IPaddress /shareinfo
net session /user:username /workstation:IPaddress /fileinfo
net session /user:username /workstation:IPaddress /close
net session /user:username /workstation:IPaddress /close /netname:sharename
net session /user:username /workstation:IPaddress /close /file:filename
Note: The workstation parameter works with NetBIOS names, also.
AIX Fast Connect provides several parameters to specify limits on resource use:
parameter | description |
---|---|
maxusers | Maximum number of user sessions (logins) at any given time |
maxconnections | Maximum number of connections to a single share resource |
maxopens | Maximum number of open files allowed |
maxsearches | Maximum number of open file searches |
autodisconnect | Autodisconnect time for idle sessions (in minutes) |
See the net config command, or the Table of Configurable Parameters for the net Command, for more details.
AIX Fast Connect provides a global parameter umask to control permission bits on all files created by all AIX Fast Connect users. The umask parameter is specified as an octal number (with a leading zero), and defaults to 022.
To change the umask to 002, type:
net config /umask:002
Several advanced features of AIX Fast Connect are available as per-share options. These options are encoded as bit fields within the sh_options parameter of each share definition. These options must be defined when the share is created with the net share /add command.
Per-share options currently allowed by net share /add are:
parameter | values | default | description |
---|---|---|---|
sh_oplockfiles | (0,1) | 1 | Enables oplocks on this share, if oplockfiles=1 |
sh_searchcache | (0,1) | 0 | Enables search caching on this share, if cache_searches=1 |
sh_sendfile | (0,1) | 0 | Enables SendFile API on this share, if send_file_api=1 |
mode | (0,1) | 1 | Allows ReadWrite access to this share. (0 implies ReadOnly mode.) |
Example: To create a ReadOnly share that has SendFile enabled, type:
net share /add /netname:ROSHARE /path:/usr/etc /mode:0 /sh_sendfile:1
AIX Access Control Lists (ACLs) allow extended control of files and directories in the AIX Journaled File System. AIX Fast Connect exploits this feature by honoring AIX ACLs. AIX 4.3.3 adds graphical manipulation of ACLs using the CDE dtfile application.
AIX Fast Connect extends this support by implementing ACL inheritance for AIX Fast Connect file shares. This feature can be used to implement default ACLs for created file objects. When acl_inheritance is enabled, the umask parameter is not effective.
ACL inheritance is enabled by setting the acl_inheritance option to 1. This option can be viewed and changed using the net config command. Once enabled, it applies to all the AIX Fast Connect file shares.
ACLs are inherited from the ACL defined on the base directory of the share. For example, if you have a share named TEMP mapped to the AIX directory /tmp (assuming a valid ACL is defined for this directory and acl_inheritance=1), all files created in this share now inherit the ACLs defined for /tmp.
net config /acl_inheritance:1
net config /acl_inheritance:0
net config /parm:acl_inheritance
When necessary, the AIX Fast Connect administrator can use the cifsClient command to send messages to individual workstations, or to all user-sessions connected to AIX Fast Connect.
cifsClient send -a -m "message"
cifsClient send -c computer -m "message"
cifsClient send -u username -m "message"
cifsClient send -d domainname -m "message"
Notes:
- A file may be sent as the message using the -f filename option, or the message can be read from standard input.
- The domainname is optional. The default domain is the AIX Fast Connect server's domain.
- The target computer must be enabled to receive messages, using messaging software. On Windows NT clients, the messaging service is started by default. To start the messaging service on Windows 95, 98, or 3.11, run:
WIN95> winpopup
- When share-level security is enabled (share_level_security=1), the user-specific messaging command cifsClient send -u username is not supported.
Older PC client operating systems, such as Windows for Workgroups 3.11, do not support long filenames. Also, this restriction is true for many older (16-bit) applications running under Windows 95, Windows 98, and Windows NT. This restriction requires mapping long names of AIX files to DOS file name format. (The DOS format is also called 8.3 format because file names are limited to a maximum of eight characters followed by a period and a three-character extension.)
Simply truncating a long name to a shorter name is not a solution, because multiple files would map to the same name whenever their first eight characters are the same. AIX Fast Connect maps AIX file names (AFN) to DOS File Names (DFN) while ensuring file name uniqueness, using the Microsoft Windows NT method for mapping names (name conflicts are resolved by appending a delimiting character to the shortened name, followed by a unique number).
For example, consider two files in the root directory of an exported SMB share: LongFileName1.txt and LongFileName2.txt. Assume a Windows 3.11 client mounts this share and searches the directory. The resulting filenames are:
LONGFI~1.TXT for LongFileName1.txt
LONGFI~2.TXT for LongFileName2.txt
AIX Fast Connect generates a mapped name whenever the AFN needs to be passed back to a DOS client. DFNs generated by AIX Fast Connect are not remembered across server restarts. Filename mappings remain consistent until the AIX Fast Connect server is restarted.
AIX Fast Connect has a configuration option to turn off the mapping. When the mapping is turned off, no mapping is attempted. When disabled, any mapping of long names must be done by the PC client software.
net config /dosfilenamemapping:1
net config /dosfilenamemapping:0
Notes:
- AFN-to-DFN mapping might not map correctly if the server restarts. Given the previous example, assume a user on a Windows 3.11 client opens LONGFI~1.TXT, edits it, and saves the changes. Then the server shuts down. Someone then removes LongFileName1.txt from the server file system. Once the server is up and running, the user on the client again edits LONGFI~1.TXT. This time, however, the same file maps to LongFileName2.txt, not the previously deleted file name, and the client ends up editing the wrong file. To prevent this situation, after the network drive is reconnected following server restart, new file lists must be obtained before accessing any mapped names.
- If your site does not need this feature, turn dosfilenamemapping off (0) to reduce memory and CPU usage and thereby improve performance.
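To make the mapping rule concrete, here is a Python model of the NT-style AFN-to-DFN mapping described above. It is an example written for this page, not code from AIX Fast Connect, and the exact set of characters stripped from a name is an assumption (the page does not list it). The model also reproduces the restart hazard from the first note: a fresh table hands LONGFI~1.TXT to whichever long name it sees first, so the same DFN can point at a different file after the server restarts.

```python
"""Added example (not AIX Fast Connect code): NT-style mapping of AIX file
names (AFN) to DOS 8.3 file names (DFN) with a tilde-and-number suffix."""
import re
from typing import Dict, Iterable, Set

# Characters DOS accepts in an 8.3 name once uppercased; everything else is dropped.
# (Assumption: the exact set Fast Connect strips is not given on this page.)
NOT_DOS_CHAR = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def _split(name: str):
    """Split at the last dot; a leading-dot name like .profile has no extension."""
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        return name, ""
    return base, ext


def is_dos_name(name: str) -> bool:
    """True when the name already fits 8.3 (case-insensitively), so it needs no mapping."""
    base, ext = _split(name)
    return (1 <= len(base) <= 8 and len(ext) <= 3
            and not NOT_DOS_CHAR.search(base.upper())
            and not NOT_DOS_CHAR.search(ext.upper()))


class DosNameTable:
    """AFN -> DFN table for one directory. Like the server's table it lives only
    in memory, so a new instance (a restart) may give the same DFN to another AFN."""

    def __init__(self) -> None:
        self.by_afn: Dict[str, str] = {}
        self.used: Set[str] = set()

    def map(self, afn: str) -> str:
        if afn in self.by_afn:                # mappings stay stable until restart
            return self.by_afn[afn]
        dfn = afn.upper() if is_dos_name(afn) else ""
        if not dfn or dfn in self.used:       # a generated short name is needed
            base, ext = _split(afn)
            base = NOT_DOS_CHAR.sub("", base.upper())
            ext = NOT_DOS_CHAR.sub("", ext.upper())[:3]
            n = 1
            while True:
                suffix = "~" + str(n)
                # keep the stem short enough that stem + suffix fits in 8 characters
                dfn = base[:8 - len(suffix)] + suffix + ("." + ext if ext else "")
                if dfn not in self.used:
                    break
                n += 1
        self.used.add(dfn)
        self.by_afn[afn] = dfn
        return dfn


def enumerate_dir(afns: Iterable[str]) -> Dict[str, str]:
    """What a DOS client sees after a fresh server start and one directory listing."""
    table = DosNameTable()
    return {afn: table.map(afn) for afn in afns}


if __name__ == "__main__":
    print(enumerate_dir(["LongFileName1.txt", "LongFileName2.txt", "notes.txt"]))
    # After LongFileName1.txt is deleted and the server restarts, LONGFI~1.TXT
    # now names LongFileName2.txt: the hazard described in the note above.
    print(enumerate_dir(["LongFileName2.txt"]))
```

Within one DosNameTable the mapping is stable, which is why a client can keep using LONGFI~1.TXT during a session; the second enumerate_dir call shows why that name must be refreshed after a restart rather than trusted.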
AIX Fast Connect provides optional support for the ReadOnly, Archive, System, and Hidden file attribute bits of DOS files. These bits are encoded by AIX Fast Connect into the AIX file permission bits of the AIX file system.
AIX Fast Connect automatically handles these bits in the AIX file system; the examples listed above simply show how AIX Fast Connect interprets these AIX-permission bits, when reporting DOS file attributes to a PC client. If you have AIX Fast Connect configured to support DOS file attributes (the default), then you might need to manually turn off the Execute bits in your AIX directories that are being exported as AIX Fast Connect file shares.
find dirname -type f -exec chmod a-x "{}" ";" -print
net config /dosattrmapping:0
AIX Fast Connect supports server name aliases, which allow an AIX Fast Connect server to respond to multiple NetBIOS server names. This feature is helpful in HACMP mutual takeover. Server aliases can be configured using the net name command, as described below.
net config /parm:servername
net name /list
net name /add sname2
net name /delete sname2
Server aliases normally use NetBIOS subcodes 0x00 and 0x20, but other subcodes can be specified, for example:
net name /add test3 /sub:03
net name /delete sname2 /sub:2f
Notes:
- Whenever adding or deleting an alias name without specifying a subcode, or if subcode 0x00 or 0x20 is specified, the alias name is added or deleted with subcodes 0x00 and 0x20.
- net name /list uses angle-brackets ("<",">") to show subcodes other than 0x00 and 0x20.
- To register alias name(s) to WINS or NBNS (including the local NBNS), the IP address of the WINS or NBNS server needs to be specified in parameters primary_wins_ipaddr or secondary_wins_ipaddr.
- When adding an alias name:
- If someone on the same subnet is currently holding the name, adding fails.
- If no one on the same subnet is holding the name, but it exists in name table of the NBNS, then the name cannot be registered to the NBNS, but is still added to the local name table.
This section discusses several issues affecting AIX Fast Connect performance.
Directory enumerations are frequent network operations on Windows clients. Whenever Network Neighborhood (or Windows Explorer) opens a network directory, that entire directory is enumerated over the network for display in an Explorer window. Usually, Windows Explorer waits to display the contents of the window until the entire network directory has been listed. For large directories containing many files, this delay is noticeable to the PC user, and can be frustrating. Remote file accesses from AIX (such as DCE/DFS or NFS) tend to aggravate this situation.
Try shielding your AIX Fast Connect users from having to access large directories to get to the network files they need. One possible solution is to define smaller-sized AIX directories to be exported by AIX Fast Connect. These directories can contain links to files in the large directories.
If large directories are needed but rarely change (for example, CD-ROM), then you might find the search caching features useful.
Directory searches are very frequent network operations on Windows clients. Every time a network file is opened, or renamed, or deleted, or listed, a directory search for that filename is performed. (For example, simply opening a document in Microsoft Word can cause multiple directory searches for that filename.)
AIX Fast Connect has a search-caching feature that allows directory searches to be temporarily cached to improve the performance of multiple-search scenarios like opening documents, as mentioned above. Also, for directories that change infrequently, but are accessed often, this feature enhances performance.
Search-caching is implemented in AIX Fast Connect by taking snapshots of directories and their modification times.
Search caching is configured on AIX Fast Connect by several parameters:
parameter | default | description |
---|---|---|
cache_searches | 0 (disabled) | Globally disable the search-caching feature. (Set to 1 to enable.) |
sh_searchcache | 0 (disabled) | Disable search caching on a per-share basis. (Set to 1 to enable.) |
Note: To enable search caching on any file shares, the cache_searches parameter must be enabled (set to 1), and sh_searchcache must be enabled for every file share for which search caching is desired.
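As an added illustration (not Fast Connect code), the following Python sketch implements a search cache the way the text above describes it: a snapshot of the directory listing, kept only while the directory's modification time is unchanged. It also shows the caveat that design carries, and the reason the page recommends it for directories that change rarely: if a change does not move the directory's mtime (coarse timestamp resolution, simulated here with os.utime), the cache keeps serving the old snapshot and a newly created file is reported as absent. The temporary directory and file names are constructed for the example.

```python
"""Added example (not AIX Fast Connect code): a directory search cache built on
snapshots keyed by the directory's modification time, plus the staleness
caveat that design carries."""
import os
import tempfile
from typing import Dict, List, Tuple


class SearchCache:
    def __init__(self) -> None:
        # path -> (directory mtime in ns when the snapshot was taken, sorted names)
        self._snapshots: Dict[str, Tuple[int, List[str]]] = {}
        self.hits = 0
        self.misses = 0

    def listing(self, path: str) -> List[str]:
        """Serve the cached listing while the directory mtime is unchanged; else re-read."""
        mtime = os.stat(path).st_mtime_ns
        entry = self._snapshots.get(path)
        if entry is not None and entry[0] == mtime:
            self.hits += 1
            return entry[1]
        self.misses += 1
        names = sorted(os.listdir(path))
        self._snapshots[path] = (mtime, names)
        return names

    def search(self, path: str, filename: str) -> bool:
        """The per-open/rename/delete lookup the page mentions, case-insensitive as SMB is."""
        wanted = filename.lower()
        return any(n.lower() == wanted for n in self.listing(path))


def demo() -> Dict[str, object]:
    """Exercise the cache on a constructed temporary directory."""
    cache = SearchCache()
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "Report.doc"), "w").close()
        first = cache.search(d, "report.doc")     # miss: snapshot taken
        again = cache.search(d, "REPORT.DOC")     # hit: same mtime
        st = os.stat(d)
        snap_mtime = st.st_mtime_ns               # the mtime the snapshot was keyed on
        open(os.path.join(d, "New.txt"), "w").close()
        # Simulate a filesystem whose timestamps are too coarse to register the change:
        # with the mtime pinned to the snapshot value the cache keeps serving old data.
        os.utime(d, ns=(st.st_atime_ns, snap_mtime))
        stale = cache.search(d, "new.txt")        # False, although the file exists
        os.utime(d, ns=(st.st_atime_ns, snap_mtime + 10**9))
        refreshed = cache.search(d, "new.txt")    # mtime moved: snapshot rebuilt
        return {"first": first, "again": again, "stale": stale,
                "refreshed": refreshed, "hits": cache.hits, "misses": cache.misses}


if __name__ == "__main__":
    print(demo())
```

The two hits in the demo are the win the feature is after (the second and third lookups never touch the filesystem); the stale result between them is the cost, and it is why sh_searchcache is a per-share switch rather than something to turn on everywhere.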
For file transfers to clients, AIX Fast Connect can use the SendFile API for performance enhancement. The SendFile API is an AIX kernel extension that provides efficient file transfers and can do data caching.
SendFile API is configured on AIX Fast Connect by several parameters:
parameter | default | description |
---|---|---|
send_file_api | 1 (enabled) | Flag to enable/disable the SendFile API to be used by AIX Fast Connect. Default is enable. To disable SendFile, set to 0. |
send_file_cache_size | 0 (disabled) | Maximum Read-Request size that is cached by the SendFile API. |
send_file_size | 4096 | Minimum Read-Request size, before SendFile API is used. |
sh_sendfile | 0 (disabled) | Flag to enable/disable per-share option. Default is disable. To enable SendFile for that file share, set to 1. |
Notes:
- To enable SendFile API on any file shares, the send_file_api must be enabled, and sh_sendfile must be enabled for every file share for which the SendFile API is desired.
- See the no command for system-wide SendFile configuration parameters.