[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

System Management Guide: Communications and Networks

Advanced AIX Fast Connect Features

This section discusses advanced AIX Fast Connect features used for customized configurations. See AIX Fast Connect Configuration and Administration for basic administrative procedures.

Note: Several of the features described in this section cannot be used simultaneously.

AIX Fast Connect supports the following advanced features:

Several performance considerations for AIX Fast Connect are also discussed in this section.

Many choices for the above features depend on the authentication method selected. Each type has its advantages and disadvantages. Which authentication method or methods you choose depends on your environment, your administration policy, and the ease of administration and use. The following methods for user authentication are described in detail in this section:

AIX-based User Authentication (Plain Text Passwords)

AIX-based authentication uses AIX user definitions and passwords. All AIX authentication grammars are supported, including DCE and LDAP. Following session setup, a AIX Fast Connect session gets the authenticated AIX user's credentials (UID, GID, and secondary groups).

The following requirements apply:

Plain text passwords have the following advantages:

Plain text passwords have the following disadvantages:

Note: SMB networking does not support mixed case for plain text passwords. Every AIX user accessing AIX Fast Connect must have all uppercase or all lowercase AIX passwords.

CIFS Password Encryption Protocols

The CIFS password encryption protocol method uses AIX Fast Connect user definitions and encrypted passwords for user authentication. Each user must be defined under the same user name as an AIX user as well. AIX Fast Connect encrypts passwords and saves them in its user database (/etc/cifs/cifsPasswd) for use during session setup. (See Configuring Encrypted Passwords.) Following session setup, a AIX Fast Connect session gets the authenticated user's credentials (UID, GID and secondary groups).

CIFS password encryption protocol method has the following requirements:

This method has the following advantages:

This method has the following disadvantages:

NT Passthrough Authentication

This authentication method uses AIX user definitions and NT server user authentication. In this mode, each AIX Fast Connect user must also be defined as an AIX user. Passthrough authentication is enabled using Web-based System Manager, SMIT, or the net command by specifying an IP address for the NT Passthrough Authentication Server. To configure this mode using the net command, type:

net config /passthrough_authentication_server:IPaddress

You can also designate a backup server for NT authentication by typing:

net config /backup_passthrough_authentication_server:IPaddress2

During session setup, AIX Fast Connect forwards the session setup request to the NT server. If the NT server authenticates the user, AIX Fast Connect grants access. Following session setup, a AIX Fast Connect session gets the authenticated user's credentials (UID, GID and secondary groups).

Passthrough authentication has the following requirements:

This method has the following advantages:

This method has the following disadvantage:


Network Logon to AIX Fast Connect

AIX Fast Connect can be configured to act as a Network Logon server. In this mode, Windows-based PCs are configured for Network-Logon, rather than Local-Logon, which provides the following benefits:

Network Password
Each PC user can log in to any network workstation using his network password, without having separate Local-Logon passwords per workstation.

Startup Scripts
During network login, startup scripts can be executed from the Network Logon server, based on user name and workstation name.

Roaming Profile
After network login, each PC user's desktop environment is automatically initialized to the correct network settings, regardless of which workstation that user is using.

Home Directories
After network login, each PC user's "home directory" is available, regardless of which workstation that user is using.

The following restrictions apply to AIX Fast Connect's network logon feature:

AIX Fast Connect's Network Logon feature is enabled (or disabled) using the networklogon parameter. This feature has multiple configuration settings, many of which are rarely used. For more information, see Configuring Network Logon for AIX Fast Connect.

DCE/DFS Support

AIX Fast Connect can be configured to provide access to DFS for Windows clients. Each AIX Fast Connect user name is used as a DCE principal name. Mixed case user names or passwords are only supported in encrypted passwords are used..

DCE support is automatically installed if the DCE filesets are installed before installing AIX Fast Connect. (cifsUserProc is then linked to cifsPrintServerDCE rather than cifsPrintServer.)

DCE support is controlled through the dce_auth configuration option, which can be set to 0 or 1. A value of 1 indicates that DCE authentication option is enabled. When dce_auth=1 (and cifsPrintServerDCE is being used), all incoming PC client logins are sent to DCE for authentication. This requires plain text passwords, and all PC-client user names and passwords must also be valid DCE user names and passwords. (UID, GID, and groupset are defined by the DCE authentication.)

When dce_auth=0, AIX Fast Connect can still provide some access to DFS files:


Guest Logon

AIX Fast Connect can support guest-mode logins when configured for either plain text or encrypted passwords. To enable guest-mode logins, two parameters must be configured:

net config /guestlogonsupport:1 (enables guest logons)
net config /guestname:GuestID (AIX guestid with null password)

When guest logon support is enabled (guestlogonsupport=1), and the guestname field is set, non-AIX users can connect to the AIX Fast Connect Server. The credentials for guest clients is set to those of the guestname attribute.

The AIX account specified by guestname must have a null AIX password -- it is being used for guest-mode access to the AIX file-system. This guest account can access all of the file system directories exported by AIX Fast Connect (as File Shares); therefore, this guest account should probably be in its own unique AIX group, to simplify access control.

Guest access is only given to user names that are not defined AIX Fast Connect users with passwords that are not null.

Incoming login requests are authenticated as follows:

  1. If the incoming user name is recognized as a valid user, then the password is checked. If the password is correct, then standard user-mode access is granted; otherwise, the login attempt fails.
  2. If the incoming user name is not recognized as a valid user, then the password is checked. If the password is not null, then guest-mode access is granted; otherwise, the login attempt fails.

To disable guest logon support, type:

net config /guestlogonsupport:0


Share-Level Security

When the AIX Fast Connect server is configured for share-level security, then passwords are associated with individual file and print shares, not with PC client user names. In this mode, AIX Fast Connect provides access rights to PC clients based on a share-mode user name specified as the share_level_security_username parameter, similar to the guest logon access mode.

Note: When share-level security is enabled, all user-level authentication mechanisms are disabled.

To enable share-level security, type:

net config /share_level_security:1 (enable share-level security)
net config /share_level_security_username:AIXuser (configure share user)

In share-level security mode, AIX Fast Connect supports both ReadWrite passwords and ReadOnly passwords. When a PC client tries to connect to a share, the following can occur:

  1. If that client provides the ReadWrite password for a share (or if that share's ReadWrite password is null or undefined), then that client is granted ReadWrite access to the share.
  2. If that client fails to get ReadWrite access, but provides the ReadOnly password for a share (or if that share's ReadOnly password is null or undefined), then that client is granted ReadOnly access to the share.

Note: These access modes are also affected by the access credentials of the share_level_security_username for that share, and by the mode share option, both of which can effectively change ReadWrite access to ReadOnly access.

User Name Mappings

This feature allows AIX Fast Connect to map PC client user names (or sets of PC client user names) to server (AIX) user names, for purposes of user-mode authentication and file access. When enabled, AIX Fast Connect tries to map every incoming client user name to a server user name, and then uses that server user name for further user authentication and AIX credentials. (All user-authentication mechanisms are supported: AIX-based, encrypted passwords, NT-passthrough, DCE, ...)

This feature is controlled by the usernamemapping parameter, and mappings are configured by the net user /map command.


AIX Fast Connect User Management and File Access

AIX Fast Connect provides several additional features for file access and user management, which are described in the following sections.

User-Session Management Using net session

AIX Fast Connect supports the net session command, for displaying and managing logged-in user sessions.

Note: The workstation parameter works with NetBIOS names, also.

Establishing Resource Limits

AIX Fast Connect provides several parameters to specify limits on resource use:

maxusers Maximum number of user-sessions (logins), at any given time
maxconnections Maximum number of connections to a single share-resource
maxopens Maximum number of open files allowed
maxsearches Maximum number of open file-searches
autodisconnect Autodisconnect time for idle sessions (in minutes)

See the net config command, or the Table of Configurable Parametersfor the net Command, for more details.

Changing the umask

AIX Fast Connect provides a global parameter umask to control permission bits on all files created by all AIX Fast Connect users. The umask parameter is specified as an octal number (with a leading zero), and defaults to 022.

To change the umask to 002, type:

net config /umask:002

Specifying Per-Share Options

Several advanced features of AIX Fast Connect are available as per-share options. These options are encoded as bit fields within the sh_options parameter of each share definition. These options must be defined when the share is created with the net share /add command.

Per-share options currently allowed by net share /add are:

parameter values default description
sh_oplockfiles (0,1) 1 Enables oplocks on this share, if oplockfiles=1
sh_searchcache (0,1) 0 Enables search caching on this share, if cache_searches=1
sh_sendfile (0,1) 0 Enables SendFile API on this share, if send_file_api=1
mode (0,1) 1 Allows ReadWrite access to this share. (0 implies ReadOnly mode.)

Example: To create a ReadOnly share that has SendFile enabled, type:

   net share /add /netname:ROSHARE /path:/usr/etc /mode:0 /sh_sendfile:1


Support for AIX JFS ACLs

AIX Access Control Lists allows extended control of files and directories of AIX Journaled File System. AIX Fast Connect exploits this features by honoring AIX ACLs. AIX 4.3.3 adds graphical manipulation of ACLs using CDE dtfile application.

AIX Fast Connect extends this support by implementing ACL inheritance for AIX Fast Connect file shares. This feature can be used to implement default ACLs for created file objects. When acl_inheritance is enabled, the umask parameter is not effective.

ACL inheritance is enabled by setting the acl_inheritance option to 1. This option can be viewed and changed using the net config command. Once enabled, it applies to all the AIX Fast Connect file shares.

ACLs are inherited from the ACL defined on the base directory of the share. For example, if you have a share named TEMP mapped to the AIX directory /tmp (assuming a valid ACL is defined for this directory and acl_inheritance=1), all files created in this share now inherit the ACLs defined for /tmp.

Sending Messages to Clients

When necessary, the AIX Fast Connect administrator can use the cifsClient command to send messages to individual workstations, or to all user-sessions connected to AIX Fast Connect.


Mapping Long AIX File Names to 8.3 DOS File Names

Older PC client operating systems, such as Windows for Workgroups 3.11, do not support long filenames. Also, this restriction is true for many older (16-bit) applications running under Windows 95, Windows 98, and Windows NT. This restriction requires mapping long names of AIX files to DOS file name format. (The DOS format is also called 8.3 format because file names are limited to a maximum of eight characters followed by a period and a three-character extension.)

Simply truncating a long name to a shorter name is not the solution, because multiple files could get mapped to the same name whenever the first eight characters are same. AIX Fast Connect maps AIX file names (AFN) to DOS File Names (DFN) ensuring file name uniqueness. It maps AFNs to DFNs using Microsoft Windows NT method for mapping names (that is, name conflicts are handled by using a delimiting character in the short name followed by a unique numeric to make the name unique).

For example, consider two files in the root directory of an exported SMB share: LongFileName1.txt and LongFileName2.txt. Assume a Windows 3.11 client mounts this share and searches the directory. The resulting filenames are:

LONGFI~1.TXT for LongFileName1.txt

LONGFI~2.TXT for LongFileName2.txt

AIX Fast Connect generates a mapped name whenever the AFN needs to be passed back to a DOS client. DFNs generated by AIX Fast Connect are not remembered across server restarts. Filename mappings remain consistent until the AIX Fast Connect server is restarted.

AIX Fast Connect has a configuration option to turn off the mapping. When the mapping is turned off, no mapping is attempted. When disabled, any mapping of long names must be done by the PC client software.


Support for DOS File Attributes

AIX Fast Connect provides optional support for the ReadOnly, Archive, System, and Hidden file attribute bits of DOS files. These bits are encoded by AIX Fast Connect into the AIX file permission bits of the AIX file system.

AIX Fast Connect automatically handles these bits in the AIX file system; the examples listed above simply show how AIX Fast Connect interprets these AIX-permission bits, when reporting DOS file attributes to a PC client. If you have AIX Fast Connect configured to support DOS file attributes (the default), then you might need to manually turn off the Execute bits in your AIX directories that are being exported as AIX Fast Connect file shares.

Specifying NetBIOS Aliases for HACMP support

AIX Fast Connect supports server name aliases, which allows a AIX Fast Connect server to respond to multiple NetBIOS server names. This feature is helpful in HACMP mutual takeover. Server aliases can be configured using the net name command, as described below.

Server aliases normally use NetBIOS subcodes 0x00 and 0x20, but other subcodes can be specified, for example:

   net name /add test3 /sub:03
   net name /delete sname2 /sub:2f


Performance Considerations

This section discusses several issues affecting AIX Fast Connect performance.

Large Directories

Directory enumerations are frequent network operations on Windows clients. Whenever Network Neighborhood (or Windows Explorer) opens a network directory, that entire directory is enumerated over the network, for display in a Explorer-window. Usually, Windows Explorer waits to display the contents of the window until the entire network directory has been listed. For large directories containing many files, this delay is noticable to the PC user, and can be frustrating. Remote file accesses from AIX (such as DCE/DFS or NFS) tend to aggravate this situation.

Try shielding your AIX Fast Connect users from having to access large directories to get to the network files they need. One possible solution is to define smaller-sized AIX directories to be exported by AIX Fast Connect. These directories can contain links to files in the large directories.

If large directories are needed but rarely change (for example, CD-ROM), then you might find the search caching features useful.

Search Caching

Directory searches are very frequent network operations on Windows clients. Every time a network file is opened, or renamed, or deleted, or listed, a directory search for that filename is performed. (For example, simply opening a document in Microsoft Word can cause multiple directory searches for that filename.)

AIX Fast Connect has a search-caching feature that allows directory searches to be temporarily cached to improve the performance of multiple-search scenarios like opening documents, as mentioned above. Also, for directories that change infrequently, but are accessed often, this feature enhances performance.

Search-caching is implemented in AIX Fast Connect by taking snapshots of directories and their modification times.

  1. When AIX Fast Connect needs to perform a directory search, AIX Fast Connect first checks its search cache (if enabled).
  2. If a search-cache entry is found, it is first validated. If that directory's current modification time is different than the cached time, the the feature determines the cache entry is invalid.
  3. Whenever the search-cache table gets full, older entries are deleted, to make space for new entries.

Search caching is configured on AIX Fast Connect by several parameters:

parameter default description
cache_searches 0 (disabled) Globally disable the search-caching feature. (Set to 1 to enable.)
sh_searchcache 0 (disabled) Disable search caching on a per-share basis. (Set to 1 to enable.)

Note: To enable search caching on any file shares, the cache_searches parameter must be enabled (set to 1), and sh_searchcache must be enabled for every file share for which search caching is desired.

SendFile API support

For file transfers to clients, AIX Fast Connect can use the SendFile API for performance enhancement. The SendFile API is an AIX kernel extension that provides efficient file transfers and can do data caching.

SendFile API is configured on AIX Fast Connect by several parameters:

parameter default description
send_file_api 1 (enabled) Flag to enable/disable the SendFile API to be used by AIX Fast Connect. Default is enable. To disable SendFile, set to 0.
send_file_cache_size 0 (disabled) Maximum Read-Request size that is cached by the SendFile API.
send_file_size 4096 Minimum Read-Request size, before SendFile API is used.
sh_sendfile 0 (disabled) Flag to enable/disable per-share option. Default is disable. To enable SendFile for that file share, set to 1.


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]