System Management Guide: Communications and Networks

Configuring Network Logon for AIX Fast Connect

AIX Fast Connect can be configured to support Network Logon. Network Logon support allows centralizing the user accounts, startup scripts, home directories, and configuration policy of Windows systems participating in a workgroup to a single AIX system running the AIX Fast Connect server. This support does not allow an AIX Fast Connect server to act as a Windows NT Domain Controller. However, with the IBM Networks Client software, both NT and Windows 95/98 clients can be configured to perform network logon to an AIX server using the Network Logon feature of AIX Fast Connect.

AIX Fast Connect Network Logon feature supports Windows 95/98 and NT clients. Windows 95/98 clients are supported using the standard Microsoft Client for Microsoft Networks or the IBM Client for IBM Networks. Windows NT clients require the IBM Networks Primary Logon Client for NT.

IBM Network Client can be downloaded from the following IBM Internet sites:

http://service.boulder.ibm.com/asd-bin/doc/en_us/winntcl2/f-feat.htm for the Windows NT logon client. (Use the Primary Logon Client rather than the Coordinated Logon Client.)
http://service.boulder.ibm.com/asd-bin/doc/en_us/win95cl/f-feat.htm for Windows 95/98 clients.

Configuration Options

The following AIX Fast Connect configuration options are available for Network Logon feature customization.

Option	Default Value	Description
`networklogon`	`0`	This option is used to enable or disable the Network Logon feature of AIX Fast Connect -- 1 indicates enabled, and 0 indicates disabled.
`startup_script`	`startup.bat`	This option specifies the filename of the startup script (in the NETLOGON share) used by the Microsoft Client for Windows 95/98 during network logon. Two meta tags in this string allow customization of the startup script filename during client logon -- `%U` is expanded to the client's user name, and `%N` is expanded to the client's computer name. (IBM Networks clients always search for filename profile.bat, in directory \dcdb\users\*username* in the IBMLAN$ file-share.)
`profiles_path`	`/home`	This string option specifies the AIX pathname for the PROFILES share, which the Network Logon feature uses to store user profiles and home directories.
`netlogon_path`	`/var/cifs/netlogon`	This string option specifies the UNIX path to the top of the NETLOGON and IBMLAN$ shares. These shares are used to store the startup scripts. This is also where the Windows client searches for the configuration policy files at domain network logon time (for example: `\\Server\netlogon\config.pol`).

Enabling the Network Logon Feature

Enabling domain network logon support is simply a matter of setting the networklogon option to 1. This option can be enabled (or disabled) using Web-based System Manager, SMIT, or the net command. To enable the Network Logon feature, type:

   net config /networklogon:1

Then restart the server. The AIX Fast Connect server then acts as a domain logon server for your workgroup.

Setting Up Startup Scripts

Startup scripts are DOS batch files that are executed automatically when client users logon to the domain through a domain logon server. Typically, these scripts are defined as user specific. By default, AIX Fast Connect installs a sample startup script (/var/cifs/netlogon/startup.bat), which can be customized as needed as a global startup script.

For Windows 95/98 clients using the Microsoft Networks client, the default installation of AIX Fast Connect configures /var/cifs/netlogon/startup.bat as a global startup script for all these clients. The parameter startup_script can be modified for these clients to support per-user or per-workstation scripts:

Setting startup_script to %N.bat specifies that each login from workstation look for a startup script workstation.BAT, (in /var/cifs/netlogon, the NETLOGON share), regardless of the login user.
Setting startup_script to %U.bat specifies that every login from username looks for a startup script username.BAT, (in /var/cifs/netlogon, the NETLOGON share), regardless of the PC workstation used.
Setting startup_script to dcdb\users\%U\profile.bat provides compatibility with workstations configured for the IBM Networks client software, so every login goes to that user's profile directory, and executes the profile.bat startup script, regardless of which client software is configured.

For Windows 95/98/NT clients using the IBM Networks client, the IBM Networks client always uses dcdb\users\username\profile.bat (in share IBMLAN$) as its startup script. By default, AIX Fast Connect sets /var/cifs/netlogon/dcdb/users as a link to /home (which is also the default for profiles_path). This allows the user-specific profile.bat files to reside in those users' profile directories (which are also AIX-user home directories, by default).

To setup a global startup script for all users using the IBM Networks client (and provide compatibility with Microsoft clients):

Edit the global startup script /var/cifs/netlogon/startup.bat
Create file links from profile.bat in every users' profile directory to the /var/cifs/netlogon/startup.bat file.

Setting Up Home Directories (Profile Directories)

Home directories, or profile directories, are used to store a Windows user's profile (USER.DAT and USER.MAN). Additionally, any application-specific settings and data are also stored in the Windows user's home directory. When the AIX Fast Connect server is configured as a domain network logon server, these home directories can reside on the AIX server.

AIX Fast Connect uses the profiles_path option to indicate where these profile directories are located. AIX Fast Connect expects the directory specified by profiles_path to contain a subdirectory for each AIX Fast Connect user. By default, AIX Fast Connect configures profiles_path to be /home (where most AIX user directories are kept).

If you want to change profiles_path, you must create subdirectories for each AIX Fast Connect user, with ownership and read/write permissions per user.

Windows Configuration Policy Files

When the AIX Fast Connect server is configured to support domain network logons, then Windows 95/98 and NT configuration policy files can be placed in the directory specified by the netlogon_path option. If CONFIG.POL or NTCONFIG.POL exist in the NETLOGON share at logon time, then the Windows client uses this policy file. By default, the location for these files is /var/cifs/netlogon.

Configuring Win 95/98 Clients for Network Logon

If IBM Network Client is being used, Follow the steps described in the IBM Network Client software README file.

If Microsoft Network Client is being used, select Client for Microsoft Networks as the default logon, and then change the Properties of this client software to logon to NT domains, using the AIX Fast Connect domainname as the NT-logon domain.

Configuring Network Logon for NT clients from Remote Subnets

The following are required to configure network logon from remote subnets:

You must use encrypted passwords.
The AIX Fast Connect logon server must have a domain name that is different from the NT domain controller's domain (if present), because the AIX Fast Connect logon server provides the logon services.
If the client is not in same subnet as the AIX Fast Connect logon server, then you need either an LMHOSTS or an NBNS entry that maps AIX Fast Connect's domainname<00> to the AIX Fast Connect logon server. You also need the entry domainname<1C>, which is automatically registered to the NBNS by the AIX Fast Connect NetLogon server. (The AIX Fast Connect NBNS server allows you to add domainname<00> as an Internet group name.)
For browsing to work correctly, you need at least one master browser (NT workstation, for example) to be in the same workgroup as the AIX Fast Connect server domain name, on each network segment.

The location of the LMHOSTS file varies depending on the system configuration. It can be found on the client by typing dir /s lmhosts from the Windows base directory. If this file does not exist on the system, the default file LMHOSTS.SAM can be copied to LMHOSTS and then modified.

LMHOSTS example:

192.1.2.3  fcserver    #PRE     #DOM:fcdomain  #AIX Fast Connect domain
192.1.2.3  "fcdomain       \0x00"  #PRE # 15 Bytes for the name, and
192.1.2.3  "fcdomain       \0x1C"  #PRE # the last byte is a hex subcode

These entries map the AIX Fast Connect name and domain to the server's IP-address. The #PRE operative indicates that this is to be preloaded, and the #DOM operative indicates the domain this server maps to. The other text above, after the '#' character is simply a comment statement. More details on this file can be found in the comment section of the LMHOSTS file.

After changing LMHOSTS, the PC client needs to be restarted, or run the command nbtstat -R to refresh the local name table.

Configuring LanServer (OS/2) Clients for Network Logon

The following restrictions apply to LanServer (OS/2) clients when accessing AIX Fast Connect as a network logon server:

When using the OS/2 LOGON command to connect to AIX Fast Connect, specify the AIX Fast Connect domain as the OS/2 logon domain.
LanServer clients always search for a startup script called profile.cmd rather than profile.bat.
LanServer clients do not support roaming profiles and configuration files.

AIX Fast Connect NetLogon Limitations

The following restrictions apply to the AIX Fast Connect implementation of Network Logon:

AIX Fast Connect logon server must be configured in the same IP subnet as the NT clients running the IBM Network client, or else follow the steps described above.
AIX Fast Connect must be configured to use encrypted passwords to provide logon services to NT clients.