System Management Guide: Communications and Networks

AIX Fast Connect Configuration and Administration

This chapter discusses basic configuration and operation of AIX Fast Connect. Some examples are given, using the AIX Fast Connect command-line interface, the net command. (AIX Fast Connect also supports the system-management tools SMIT and Web-based System Manager.)

Note: Unless otherwise noted, all references to the net command in this section refer to the AIX Fast Connect command (/usr/sbin/net) not the NET command used on DOS, OS/2, and Windows. (Examples of the NET command use on PC clients are shown in the next section, Configuring Client PCs for use with AIX Fast Connect.)

Overview

You can use the Web-based System Manager, SMIT, the net command, or a combination of these methods to configure and administer the AIX Fast Connect server for your site.

As indicated in AIX Fast Connect Packaging and Installation, AIX Fast Connect preconfigures itself to provide basic access to AIX user home directories (as defined in /etc/passwd) using plain-text network passwords. When started, the AIX Fast Connect server responds to SMB/NetBIOS requests on all operational TCP/IP interfaces.

Configurable Parameters

AIX Fast Connect is designed for ease of administration, but provides a sufficient set of customizable parameters to support various configurations. Several of these parameters are dynamically configurable and do not require the server to be stopped and restarted for the changes to become effective.

These parameters are found in the /etc/cifs/cifsConfig file, and can be configured by using the net config command with the following syntax:

net config /parameter_name:parameter_value

The entire list of these configurable parameters is shown in the Table of AIX Fast Connect Configurable Parameters or by typing: net config help on the command line.

Note: Use the Web-based System Manager or SMIT for most changes to the AIX Fast Connect configuration parameters, both to avoid spelling mistakes and because some of these parameters must be changed simultaneously. However, examples of the net config command are shown below, for AIX Fast Connect system administrators who prefer this method.

To show the current configuration (an abbreviated list), type:
```
net config
```
This comand shows some of the most important parameters, including servername, domainname, and primary_wins_ipaddr.
To show a single parameter (for example, parameter servername), type:
```
net config /parm:servername
```

To change a parameter (for example, changing the domainname, the autodisconnect timeout, and the server comment), type:

net config /domainname:testdomain
net config /autodisconnect:60
net config /comment:"String parameter containing Spaces"

Configuration of File and Print Shares (Exports)

There are two types of shares that can be configured and exported by AIX Fast Connect: File Shares and Print Shares. Whenever the AIX Fast Connect server is started, a file share with the network name HOME is created by default. This special file share maps to $HOME, the AIX home directory (from /etc/passwd) of any PC-client user that connects to AIX Fast Connect. (Additionally, the file shares IBMLAN$ and ADMIN$ may be created by default, to support the Network Logon feature of AIX Fast Connect.) More file or print shares can be added by the system administrator using Web-based System Manager, SMIT, or the net command.

Note: The default shares HOME, IBMLAN$, and ADMIN$ cannot be changed or deleted.

Each file or print share represents an object that AIX Fast Connect is exporting to the Windows network, accessed by its netname. File shares are exported AIX directories. Print shares are exported AIX print queues.

To list all shares currently exported by AIX Fast Connect, type:
```
net share
```
To add a new file share (for example, to export AIX directory /tmp as network-name NETTEMP), type:
```
net share /add /type:f /netname:NETTEMP /path:/tmp /desc:"File share test" 
```
To add a new printer share (for example, to export AIX print queue psColor1 as network name PSCOLOR1), type:
```
net share /add /type:p /netname:PSCOLOR1 /printq:psColor1 /desc:"Print share test"
```
Note: AIX names for files, directories, and print-queues are case-sensitive, but network-names used by Windows networking are not case-sensitive.
To delete a share (for example, share NETTEMP listed above), type:
```
net share /delete /netname:NETTEMP
```

Note: If files seem to be missing in the directory when viewed from a PC client, AIX Fast Connect uses the AIX file permission bits to encode DOS file attributes (ReadOnly, Archive, System, Hidden). For more information, see Support for DOS File Attributes. Also, you might want to review Mapping Long AIX File Names to DOS File Names.

User Administration

Access to AIX Fast Connect shares is managed internally by AIX user security mechanisms. For example, if an AIX user has write access to a particular AIX subdirectory that is being exported by AIX Fast Connect, then any PC client connecting to AIX Fast Connect (as that AIX user) would then have write access to that same subdirectory. (There are cases when an external PC client accesses AIX Fast Connect with a client username that is different than the server username being used for access checking, for example guestmode, share-level security, and username mapping.)

User accounts can be configured on the server using Web-based System Manager, SMIT, or the net command. Each defined AIX Fast Connect user must also be a defined AIX user. AIX Fast Connect supports user-level authentication using several mechanisms described in the following section. Resource access is permitted based on the authenticated AIX user credentials.

Note: Every AIX username used for AIX Fast Connect authentication must have an AIX home directory specified. Otherwise, that user cannot access the AIX Fast Connect server.

Overview of User-Authentication Mechanisms

AIX Fast Connect supports several different types of user-authentication for access to the AIX Fast Connect server. Whichever authentication method you choose depends on your existing network environment and your network policies. These authentication methods are discussed briefly in this section. For more information, see Advanced Server Administration.

AIX-based User Authentication (using plain text network passwords)

When the AIX Fast Connect server is configured for plain text passwords (and not NT-Passthrough authentication), then incoming SMB username/password logins are sent to standard AIX system services for user authentication, which includes integrated DCE-login, if specified for that AIX-user.)

To enable Plain Text passwords for AIX Fast Connect, type:

net config /encrypt_passwords:0

Note: SMB networking does not support mixed case for plain text passwords. In plain text mode, every AIX user accessing AIX Fast Connect must have all uppercase or all lowercase AIX passwords.

CIFS Password Encryption Protocols

When the AIX Fast Connect server is configured for encrypted passwords (and not NT-Passthrough authentication), then incoming SMB username/encrypted_password logins are validated by AIX Fast Connect against the /etc/cifs/cifsPasswd file, which is a database of AIX Fast Connect users (and their encrypted passwords). The /etc/cifs/cifsPasswd file is initialized and maintained by the net user command (see Configuring Encrypted Passwords).

To enforce encrypted passwords for AIX Fast Connect, type:

net config /encrypt_passwords:2

NT Passthrough Authentication

When the AIX Fast Connect server is configured for NT-Passthrough Authentication, then the encrypt_passwords parameter is ignored, and incoming PC client login requests are routed through the network to an external Windows NT server for user authentication. (Normally, the PC-client uses encrypted passwords to authenticate with the external Windows NT server.) This method is often used when an NT server is already being used as a Network Logon server for the Windows network.

To enable AIX Fast Connect to authenticate to an external NT server (located at TCP/IP address IPaddress), type:

net config /passthrough_authentication_server:IPaddress

You can also designate a backup server for NT authentication with the following command:

net config /backup_passthrough_authentication_server:IPaddress2

Network Logon to AIX Fast Connect

AIX Fast Connect itself can be configured to act as a Network Logon server. (Windows NT clients require the IBM Primary Logon Client for NT to use this feature. Windows 2000 clients cannot use this feature of AIX Fast Connect.) For more information about Network Logon, see Advanced Server Administration, and Configuring Network Logon for AIX Fast Connect.

DCE/DFS Support

AIX Fast Connect can be configured for DCE/DFS support using plain text or incrypted passwords. In this mode, Fast Connect uses DCE-authentication mechanisms to validate PC-clients for DFS access.

See Advanced Server Administration for more details.

Guest Logon

AIX Fast Connect can support guest-mode logon when configured for either plain-text or encrypted passwords. If AIX Fast Connect is enabled for guest-mode logins, then an incoming PC client username (which AIX Fast Connect must recognize as not a standard AIX Fast Connect user) is granted guest-mode access rights based on the AIX Fast Connect username specified as the guest-user (parameter guestname).

See Advanced Server Administration for more details.

Share-Level Security

When the AIX Fast Connect server is configured for share-level security, then passwords are associated with individual file and print shares, not with PC client usernames. In this mode, AIX Fast Connect provides access rights to PC clients based on a share-mode username specified as parameter share_level_security_username, similar to the guest-logon access mode.

See Advanced Server Administration for more details.

Client-to-Server Username Mappings

As an extension of the net user command, AIX Fast Connect can map PC client usernames (or sets of PC client usernames) to AIX usernames, for user-mode authentication and file access.

See Advanced Server Administration for more details.

Configuring Encrypted Passwords

When the AIX Fast Connect server is configured for encrypted passwords, AIX Fast Connect attempts to authenticate all incoming SMB username/encrypted_password logins against the AIX Fast Connect /etc/cifs/cifsPasswd file, which is database of AIX Fast Connect users (and their encrypted passwords). This file is initialized and maintained by the command net user.

Note: When AIX Fast Connect is configured to use encrypted passwords, only AIX Fast Connect usernames configured to use encrypted passwords by net user are able to login to AIX Fast Connect. These passwords are distinct from (and may differ from) the standard AIX passwords in /etc/security. When an AIX user changes their password (using /usr/bin/passwd), the AIX Fast Connect password for that user does not automatically change. Nevertheless, you may want to use encrypted passwords on your network to enhance network security or to simplify configuration of recent Windows clients (who assume encrypted passwords, by default).

To enforce Encrypted Passwords for AIX Fast Connect, type:
```
net config /encrypt_passwords:2
```
To list all users configured in /etc/cifs/cifsPasswd, type:
```
net user
```
To configure a new user for encrypted passwords, type:
```
net user username password /add
```
-or-
```
net user username -p /add
```
The -p flag prompts for a no-echo password.

To change a user's encrypted password, and also update his AIX password, type:

net user username password /changeaixpwd:yes

-or-

net user username -p /changaixpwd:yes

To delete a user from the encrypted-passwords database, type:
```
net user username /delete
```
For security reasons, the default /etc/cifs/cifsPasswd file maps the client user name root to the server user name nobody. If it is desired to allow the user name root to map to itself (as a server user name), then this default mapping must be deleted using:
```
net user  /delete root
```
Then, the user name root can be added as a Fast Connect user with its own encrypted password.

Basic Server Administration

You can use Web-based System Manager, SMIT, or the net command to manage AIX Fast Connect server operations. The following sections show basic server operations, using the AIX Fast Connect net command, and highlights the fast paths for SMIT at the end of the section.

Starting and Stopping the AIX Fast Connect Server

To load the server-daemon, and enable PC-clients to connect, type:
```
/etc/rc.cifs start
```
To stop the server, (and unload the server-daemon), type:
```
/etc/rc.cifs stop
```
Note: When the server-daemon (cifsServer) is not loaded, the AIX Fast Connect net command does not function. To configure AIX Fast Connect parameters offline, you might need to load the server daemon manually by typing /usr/sbin/cifsServer on the command line. This enables the net command to function, but does not start the server. PC clients are not able to connect until the /etc/rc.cifs start command is issued.
To temporarily reject new SMB-sessions (without disturbing existing connections), type:
```
net pause
```
To re-enable the server to accept new connections, type:
```
net resume
```

Showing Server Status Information

AIX Fast Connect provides several mechanisms for displaying current server status, including general status, configuration information, statistical information, and user-session information.

To query the server's operational status, type:
```
net status
```
To show general configuration information, type:
```
net config
```
To show statistical information (packets delivered, etc.), type:
```
net statistics
```
Note: You can reset the statistics counts by typing net statistics /reset on the command line.
To query the status of logged-in user-sessions, type:
```
net session
```

Web-based System Manager, SMIT fast paths, and net commands

You can use the Web-based System Manager PC Services container to administer AIX Fast Connect, or you can use the SMIT fast paths and net commands shown in the following table.

Administering AIX Fast Connect
Web-based System Manager: PC Services container -OR-
Task	SMIT Fast Path	Command or File
Starting the Server	smit smbadminstart	net start
Stopping the Server	smit smbadminstop	net stop
Pausing the Server		net pause
Resuming the Server		net resume
Changing Parameters	smit smbcfghatt	net config
Changing Resources	smit smbcfgresi	net config
Adding Users	smit smbcfgusradd	net user
Changing Users	smit smbchgusrlis	net user
Changing a User Password	smit smbusrpwd	net user
Removing a User	smit smbrmusrlis	net user
Configuring nbns	smit smbwcfgn
Listing All Shares	smit smbsrvlisall	net share
Listing All File Shares	smit smbsrvfilist	net share
Adding a File Share	smit smbsrvfiladd	net share
Changing a File Share	smit smbsrvfilchg	net share
Deleting a File Share	smit smbsrvfilrm	net share
Adding Printer Share	smit smbsrvprtadd	net share
Changing Printer Share	smit smbsrvprchg	net share
Deleting Printer Share	smit smbsrvprtrm	net share
Showing Server Status	smit smbadminstatu	net status
Showing the Configuration	smit smbcfg	net config
Showing Statistics	smit smbadminstats	net statistics
Showing Share	smit smbsrvlisall	net share
Getting Help	(smit help-panels)	net help

NetBIOS Name Service (NBNS)

NetBIOS Name Service (NBNS) for AIX Fast Connect provides name resolution services. It also supports some functions of Windows Internet Name Service (WINS), such as registration of multihomed name and Internet group name.

To activate NBNS, type:
```
net config /nbns:1
```
To turn off NBNS, type:
```
net config /nbns:0
```
Note: The nbns parameter is static, not dynamic. The AIX Fast Connect server must be shutdown and restarted to enable NBNS service.

Administering NBNS Tasks
Task	SMIT Fast Path	Command or File
List all names in the NetBIOS Name Table		net nblistnames
Add a static NetBIOS Name	smit smbwcfgadd	net nbaddname /name:NBname /ipaddress:IPaddress [ /sub:XX ] or net nbaddgroup or net nbaddmulti
Delete a NetBIOS name in Name Table	smit smbwcfgdel	net nbdelname /name:NBname [ /sub:XX ]
Delete by Name and Address	smit smbwcfdadd	net nbdeladdr /name:NBname /ipaddress:IPaddress
Backup the NBNS Name Table to a File	smit smbwcfgbak	net nbbackup [ /file:filename ]
Restore the NBNS Name Table from Backup	smit smbwcfgres	net nbrestore [ /file:filename ]

Notes:

The value of IPaddress can be any number in IP address range.
The subcode value XX is any two-digit hexadecimal number in the range 00-FF.