
AIX Fast Connect
Version 3.1 Guide

Advanced Configuration Features

This chapter discusses advanced AIX Fast Connect features used for customized configurations. For basic administrative procedures, see Configuration and Administration.

Note
Several of the features described in this chapter cannot be used simultaneously.

AIX Fast Connect supports the following advanced features:

Several performance considerations for AIX Fast Connect are also discussed in this section.

Many choices for the features described in this chapter depend on the type of authentication method selected. Each type has its advantages and disadvantages. Which authentication method or methods you choose depends on your environment, your administration policy, and the ease of administration and use. The following methods for user authentication are described in detail in this section:

AIX-Based User Authentication (Plain-Text Passwords)

AIX-based authentication uses AIX user definitions and passwords. All AIX authentication grammars are supported, including DCE and LDAP. Following session setup, an AIX Fast Connect session obtains the authenticated AIX user's credentials (UID, GID, and secondary groups).

The following requirements apply:

Plain-text passwords have the following advantages:

Plain-text passwords have the following disadvantages:

Note
SMB networking does not support mixed case for plain-text passwords. Every AIX user accessing AIX Fast Connect must have AIX passwords that are in all uppercase or all lowercase.

CIFS Password Encryption Protocols

The CIFS password encryption protocol method uses AIX Fast Connect user definitions and encrypted passwords for user authentication. Each user must be defined under the same user name as an AIX user. AIX Fast Connect encrypts passwords and saves them in its user database (/etc/cifs/cifsPasswd) for use during session setup. (See Configuring Encrypted Passwords.) Following session setup, an AIX Fast Connect session obtains the authenticated user's credentials (UID, GID, and secondary groups).

CIFS password encryption protocol method has the following requirements:

This method has the following advantages:

This method has the following disadvantages:

NT Passthrough Authentication

This authentication method uses AIX user definitions and NT server user authentication. In this mode, each AIX Fast Connect user must also be defined as an AIX user. Passthrough authentication is enabled using Web-based System Manager, SMIT, or the net command by specifying an IP address for the NT Passthrough Authentication Server.

To configure this mode using the net command, type:

net config /passthrough_authentication_server:IPaddress

You can also designate a backup server for NT authentication by typing:

net config /backup_passthrough_authentication_server:IPaddress2

During session setup, AIX Fast Connect forwards the session setup request to the NT server. If the NT server authenticates the user, AIX Fast Connect grants access. Following session setup, an AIX Fast Connect session obtains the authenticated user's credentials (UID, GID and secondary groups).

Passthrough authentication has the following requirements:

This method has the following advantages:

This method has the following disadvantage:

Notes:
  1. If passthrough authentication fails to authenticate an AIX Fast Connect user, user authentication continues with normal authentication on the AIX Fast Connect server. Depending on the value of the encrypt_passwords option, the server attempts to authenticate the PC client using either plain-text or encrypted passwords.
  2. When passthrough authentication is enabled, guest logon support cannot work. These options are mutually exclusive. Disable guest logon by typing:

    net config /guestlogon:0
  3. When passthrough authentication is enabled, AIX Fast Connect's network logon feature cannot work. These options are mutually exclusive. (Frequently, the external NT authentication server is also acting as a Network Logon server, or even a Primary Domain Controller for NT domains.)
    Disable AIX Fast Connect's network logon feature by typing:

    net config /networklogon:0

Network Logon to AIX Fast Connect

AIX Fast Connect can be configured to act as a Network Logon server. In this mode, Windows-based PCs are configured for network logon, rather than local logon, which provides the following benefits:

Network Password
PC users can log in to any network workstation using their network password, without having separate Local-Logon passwords per workstation.
Startup Scripts
During network login, startup scripts can be executed from the Network Logon server, based on user name and workstation name.
Roaming Profile
After network login, each PC user's desktop environment is automatically initialized to the correct network settings, regardless of which workstation that user is using.
Home Directories
After network login, each PC user's home directory is available, regardless of which workstation that user is using.

The following restrictions apply to AIX Fast Connect's network logon feature:

AIX Fast Connect's Network Logon feature is enabled (or disabled) using the networklogon parameter. For more information, see Configuring Network Logon.

DCE/DFS Support

AIX Fast Connect can be configured to provide access to DFS for Windows clients. Each AIX Fast Connect user name is used as a DCE principal name. Mixed-case user names or passwords are only supported when encrypted passwords are used.

DCE support is automatically installed if the DCE filesets are installed before installing AIX Fast Connect. (cifsUserProc is then linked to cifsPrintServerDCE rather than cifsPrintServer.)

DCE support is controlled through the dce_auth configuration option, which can be set to 0 or 1. A value of 1 indicates that DCE authentication option is enabled. When dce_auth=1 (and cifsPrintServerDCE is being used), all incoming PC client logins are sent to DCE for authentication. All PC-client user names and passwords must also be valid DCE user names and passwords (UID, GID, and groupset are defined by the DCE authentication). If DCE authentication is enabled and if AIX Fast Connect is configured to use encrypted passwords, each AIX Fast Connect user must be configured by entering the DCE password for that user by using the net user Subcommand (see net user Subcommand). In addition, multiple AIX Fast Connect servers in a DCE environment can be configured to share one common user database (for encrypted passwords) using the DCE-Registry User Database feature.

When dce_auth=0, AIX Fast Connect can still provide some access to DFS files under the following conditions:

Notes:
  1. When DCE integration is enabled and the user's AIX UID is different from DCE UID, the user might not have the same access rights as an AIX login shell.
  2. DCE/DFS authentication (dce_auth=1) is mutually exclusive with NT Passthrough authentication.
  3. DCE/DFS authentication (dce_auth=1) is mutually exclusive with the guest logon feature.

Kerberos-based Authentication

AIX Fast Connect supports the Kerberos 5 authentication feature of Windows 2000 clients (Windows 2000 clients must be configured for this mode). The AIX Fast Connect configuration option krb5_auth enables this feature, and krb5_service_name configures AIX Fast Connect for the external Kerberos Domain Controller (KDC).

When this feature is enabled, other AIX Fast Connect clients can use other authentication methods, such as plain-text passwords or encrypted passwords, to connect to the AIX Fast Connect server and access its file shares and print shares.

Notes:
  1. NT passthrough authentication is not supported if krb5_auth is enabled.
  2. Kerberos-based authentication is only supported for Windows 2000 clients configured for that functionality.
  3. If krb5_auth is enabled, AIX Fast Connect must be configured for either plain-text passwords or encrypted passwords in order to support non-Kerberos clients, such as Windows 95, Windows 98 and Windows NT. These clients cannot be authenticated by NT-passthrough or DCE/DFS authentication if the Kerberos feature is enabled.

Use the following instructions to configure an AIX Fast Connect server for Kerberos-based authentication of Windows 2000 clients. These instructions assume that the Windows 2000 clients have been successfully configured for Kerberos-based authentication to a working Kerberos Domain Controller.

  1. If the AIX Fast Connect server is running on an AIX server that has already been successfully configured as a Kerberos client machine, run the following commands:
    net config /krb5_service_name:krb5svc
    net config /krb5_auth:
    where krb5svc is a Kerberos Service in the following form: HOST@server1.austin.ibm.com.
  2. Restart AIX Fast Connect with the new configuration by running the following commands:
    /etc/rc.cifs stop
    /etc/rc.cifs start

Guest Logon

AIX Fast Connect can support guest-mode logins when configured for either plain text or encrypted passwords. To enable guest-mode logins, the following parameters must be configured:

net config /guestlogonsupport:1           (enables guest logons) 

and

net config /guestname:GuestID             (AIX guestid with null password)

When guest logon support is enabled (guestlogonsupport=1) and the guestname field is set, non-AIX users can connect to the AIX Fast Connect server. The credentials for guest clients are set to those of the guestname attribute.

The AIX account specified by the guestname attribute must have a null AIX password -- it is being used for guest-mode access to the AIX file system. This guest account can access all of the file system directories exported by AIX Fast Connect (as file shares). Therefore, to simplify access control this guest account should probably be in its own unique AIX group.

Guest access is given only to user names that are not defined as AIX Fast Connect users with non-null passwords.

Incoming login requests are authenticated as follows:

To disable guest logon support, type:

net config /guestlogonsupport:0
Notes:
  1. When guest logon support and encrypted passwords are both enabled, the guestname user does not have to be added to the AIX Fast Connect user database (/etc/cifs/cifsPasswd), but still must have a null AIX password.
  2. Guest logon support does cooperate with Network Logon support (networklogon=1). Whenever guest-mode access is granted, then the profile, startup scripts, and home directory of the guestname user are used for the network logon.
  3. If dce_auth=1, guest logon support does not work.
  4. If NT-passthrough authentication is configured, guest logon support does not work.
  5. If share_level_security=1, guest logon support does not work.
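The mutual exclusions listed for passthrough authentication, DCE/DFS authentication, Kerberos, share-level security and guest logon are easy to violate one net config call at a time. The following added example (not part of AIX Fast Connect) restates them as rules over a dictionary of option name to value; the option names are those used on this page, while the dictionary input format and the sample values are constructed for the demonstration.

```python
"""Consistency check for the authentication options this page describes.

Added example, not part of AIX Fast Connect: each rule restates one of the
documented mutual exclusions. Input is a dict of option name -> value, the
form in which `net config` settings could be collected (an assumption)."""


def _enabled(cfg, *names):
    """True if any of the given options is set to 1. The page spells the
    guest switch both 'guestlogon' and 'guestlogonsupport', so both are
    accepted."""
    return any(str(cfg.get(n, "0")).strip() == "1" for n in names)


def _set(cfg, name):
    """True if a string-valued option (server address, user name) is non-empty."""
    return bool(str(cfg.get(name, "")).strip())


def check_auth_config(cfg):
    """Return the list of conflicts found; an empty list means consistent."""
    problems = []
    passthrough = _set(cfg, "passthrough_authentication_server")
    guest = _enabled(cfg, "guestlogonsupport", "guestlogon")
    dce = _enabled(cfg, "dce_auth")
    krb5 = _enabled(cfg, "krb5_auth")
    share_level = _enabled(cfg, "share_level_security")
    netlogon = _enabled(cfg, "networklogon")

    if passthrough and guest:
        problems.append("passthrough authentication excludes guest logon; set /guestlogon:0")
    if passthrough and netlogon:
        problems.append("passthrough authentication excludes network logon; set /networklogon:0")
    if passthrough and dce:
        problems.append("dce_auth=1 is mutually exclusive with NT passthrough authentication")
    if passthrough and krb5:
        problems.append("NT passthrough authentication is not supported when krb5_auth is enabled")
    if dce and guest:
        problems.append("guest logon does not work with dce_auth=1")
    if share_level and guest:
        problems.append("guest logon does not work with share_level_security=1")
    if guest and not _set(cfg, "guestname"):
        problems.append("guest logon is enabled but no guestname is configured")
    if share_level and not _set(cfg, "share_level_security_username"):
        problems.append("share_level_security=1 requires share_level_security_username")
    return problems


# Constructed sample: passthrough to an NT server (192.0.2.10 is a
# documentation-range placeholder) with guest logon and network logon left
# on, which the page says cannot coexist with passthrough.
SAMPLE_CONFIG = {
    "passthrough_authentication_server": "192.0.2.10",
    "encrypt_passwords": "1",
    "guestlogonsupport": "1",
    "guestname": "pcguest",
    "networklogon": "1",
}

if __name__ == "__main__":
    for line in check_auth_config(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(line)
```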

Share-Level Security

When the AIX Fast Connect server is configured for share-level security, passwords are associated with individual file shares and print shares, not with PC client user names. In this mode, AIX Fast Connect provides access rights to PC clients based on a share-mode user name specified as the share_level_security_username parameter, similar to the guest logon access mode.

Note
When share-level security is enabled, all user-level authentication mechanisms are disabled.

To enable share-level security, type:

net config /share_level_security:1                (enable share-level security) 
net config /share_level_security_username:AIXuser  (configure share user)

In share-level security mode, AIX Fast Connect supports both ReadWrite passwords and ReadOnly passwords. When a PC client tries to connect to a share, the following can occur:

Note
These access modes are also affected by the access credentials of the share_level_security_username for that share, and by the mode share option, both of which can effectively change ReadWrite access to ReadOnly access.

User-Name Mappings

This feature allows AIX Fast Connect to map PC client user names (or sets of PC client user names) to server (AIX) user names, for purposes of user-mode authentication and file access. When enabled, AIX Fast Connect tries to map every incoming client user name to a server user name, and then uses that server user name for further user authentication and AIX credentials. (All user-authentication mechanisms are supported, such as AIX-based, encrypted passwords, NT-passthrough, and DCE.)

The feature is controlled by the usernamemapping parameter, and mappings are configured by the net user /map command.

Notes:
  1. PC client user names are restricted to 20 characters.
  2. When user-name mapping is enabled, the user name root is mapped to the user name nobody by default. This mapping can be changed. To allow the user name root to map to itself (as a server user name), this default mapping must be deleted with the net user /delete root command (see net user Subcommand).
  3. After mapping a client user name XXXX to an AIX server user name, that client user name cannot be defined as a server user name (with its own unique encrypted password) until that user-name mapping is deleted by net user /delete.

Changing Passwords Remotely

AIX Fast Connect supports two methods for users to change their AIX Fast Connect encrypted passwords and, optionally, their AIX password from remote locations. These methods are described below.

cifsPasswd Command

The /usr/bin/cifsPasswd command is provided with AIX Fast Connect to allow users to change their own encrypted password without having root authority. To use this command, a telnet or other AIX-login session is required.

For details, see cifsPasswd Command.

Remote Password Change

If AIX Fast Connect is being used as a Network Logon Server, the Remote Change Password feature can be used. This feature allows Windows 95 or Windows 98 clients to change their AIX Fast Connect passwords from a remote location using the Passwords applet in the Control Panel application. The Windows 95 or Windows 98 clients must be configured for network logon to the AIX Fast Connect server using either the Microsoft Client for Microsoft Networks or the IBM Network Client for IBM Networks (if the IBM Network Client for IBM Networks is being used, AIX Fast Connect must be configured to use plain-text passwords).

Remote password change is not supported on Windows NT or Windows 2000 clients. In addition, remote password change is ignored if network logon is disabled. For more information about network logon, see Network Logon to AIX Fast Connect. Remote password change does not work with NT-passthrough authentication.

If User-name mapping is being used, only server user names can use remote password change.

Follow these procedures to enable or disable remote password change:

sync_aix_password Option

If remote password change is enabled, the sync_aix_password option can also be enabled. When sync_aix_password is enabled, every successful remote password change also changes the AIX password for that user name. This functionality is useful in environments where the Windows 95 or Windows 98 users frequently log in to the AIX server using tools such as telnet and ftp. The sync_aix_password feature is ignored if network logon is disabled.

Follow these procedures to enable or disable sync_aix_password:

AIX Fast Connect User Management and File Access

AIX Fast Connect provides several additional features for file access and user management, which are described in the following sections.

User-Session Management Using the net session Command

AIX Fast Connect supports the net session command, for displaying and managing logged-in user sessions.

Note
The workstation parameter also works with NetBIOS names.

Establishing Resource Limits

AIX Fast Connect provides several parameters to specify limits on resource use:

maxusers        Maximum number of user sessions (logins) at any given time
maxconnections  Maximum number of connections to a single share resource
maxopens        Maximum number of open files allowed
maxsearches     Maximum number of open file searches
autodisconnect  Autodisconnect time for idle sessions (in minutes)

For more details, see net Command or Appendix B. Configurable Parameters for the net Command.

Disk Quotas

AIX Fast Connect supports disk quotas (user limits on disk space) when the bos.sysmgt.quota fileset is installed and configured. No additional configuration of AIX Fast Connect is necessary.

Auditing File Access

The audit system command can be used to log all file operations from AIX Fast Connect clients. To display this file activity by Real User Name rather than by Login ID, use the following command:

auditpr -h e,r,R,t,c

No additional configuration of AIX Fast Connect is necessary.

Changing the umask

AIX Fast Connect provides a umask global parameter to control permission bits on all files created by all AIX Fast Connect users. The umask parameter is specified as an octal number (with a leading zero), and defaults to 022.

To change the umask to 002, type:

net config /umask:002

Specifying Per-Share Options

Several advanced features of AIX Fast Connect are available as per-share options. These options are encoded as bit fields within the sh_options parameter of each share definition. These options must be defined when the share is created with the net share /add command.

Per-share options currently allowed by net share /add are:

Parameter       Values  Default  Description
sh_oplockfiles  (0,1)   1        Enables opportunistic locks (oplocks) on this share, if oplockfiles=1
sh_searchcache  (0,1)   0        Enables search caching on this share, if cache_searches=1
sh_sendfile     (0,1)   0        Enables SendFile API on this share, if send_file_api=1
mode            (0,1)   1        Allows ReadWrite access to this share. (0 indicates ReadOnly mode.)

Example: To create a ReadOnly share that has SendFile enabled, type:

   net share /add /netname:ROSHARE /path:/usr/etc /mode:0 /sh_sendfile:1

Support for AIX JFS Access Control Lists

AIX Access Control Lists (ACLs) allow extended control of files and directories of the AIX Journaled File System (JFS). AIX Fast Connect exploits this feature by honoring AIX ACLs.

AIX Fast Connect extends this support by implementing ACL inheritance for AIX Fast Connect file shares. This feature can be used to implement default ACLs for created file objects. When ACL inheritance is enabled, the umask parameter is not effective.

ACL inheritance is enabled by setting the acl_inheritance option to 1. This option can be viewed and changed using the net config command. After it is enabled, it applies to all the AIX Fast Connect file shares.

ACLs are inherited from the ACL defined on the base directory of the share. For example, if you have a share named TEMP mapped to the AIX directory /tmp (assuming a valid ACL is defined for this directory and acl_inheritance=1), all files created in this share now inherit the ACLs defined for /tmp.

Note

Sending Messages to Clients

When necessary, the AIX Fast Connect administrator can use the cifsClient command to send messages to individual workstations, or to all user sessions connected to AIX Fast Connect.

Notes:
  1. A file may be sent as the message using the -f filename option, or the message can be read from standard input.
  2. The domainname is optional. The default domain is the AIX Fast Connect server's domain.
  3. The target computer must be enabled to receive messages, using messaging software. On Windows NT clients, the messaging service is started by default. To start the messaging service on Windows 95 or Windows 98, run the following command:

    WIN95> winpopup
  4. When share-level security is enabled (share_level_security=1), the user-specified messaging command cifsClient send -u username is not supported.

Mapping Long AIX File Names to 8.3 DOS File Names

Older PC client operating systems, such as Windows for Workgroups 3.11, do not support long file names. This restriction is also true for many older (16-bit) applications running under Windows 95, Windows 98, and Windows NT. This restriction requires mapping long names of AIX files to DOS file name format. (The DOS format is also called 8.3 format because file names are limited to a maximum of eight characters followed by a period and a three-character extension.)

Simply truncating a long name to a shorter name is not the solution, because multiple files could get mapped to the same name whenever the first eight characters are same. AIX Fast Connect maps AIX file names (AFN) to DOS File Names (DFN), ensuring file-name uniqueness. It maps AFNs to DFNs using the Microsoft Windows NT method for mapping names (that is, name conflicts are handled by using a delimiting character in the short name, followed by a unique numeric to make the name unique).

For example, consider two files in the root directory of an exported SMB share: LongFileName1.txt and LongFileName2.txt. Assume a 16-bit application mounts this share and searches the directory. The resulting file names are as follows:

LONGFI~1.TXT for LongFileName1.txt
LONGFI~2.TXT for LongFileName2.txt

AIX Fast Connect generates a mapped name whenever the AFN must be passed back to a DOS client. DFNs generated by AIX Fast Connect are not remembered across server restarts. File-name mappings remain consistent until the AIX Fast Connect server is restarted.

AIX Fast Connect can be configured to turn off the mapping. When the mapping is turned off, no mapping is attempted. When disabled, any mapping of long names must be done by the PC client software.

Notes:
  1. AFN-to-DFN mapping might not map correctly if the server restarts. Given the previous example, assume a user opens LONGFI~1.TXT, edits it, and saves the changes. Then the server shuts down. Someone then removes LongFileName1.txt from the server file system. After the server is up and running, the user on the client again edits LONGFI~1.TXT. This time, however, the same file maps to LongFileName2.txt, not the previously deleted file name, and the client edits the wrong file. To prevent this situation, after the network drive is reconnected following server restart, new file lists must be obtained before accessing any mapped names.
  2. If your site does not need this feature, disable the dosfilenamemapping option to reduce memory and CPU usage and thereby improve performance.
  3. It is strongly recommended to have the dosfilenamemapping option enabled if 16-bit applications, Windows 3.1, or DOS is being used. Leaving the dosfilenamemapping option disabled in these environments can lead to unpredictable results and is neither recommended nor supported.
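The NT-style AFN-to-DFN mapping described above, and the restart hazard in note 1, as an added example (not the server's own code). It keeps one mapping table per directory; the 6-character stem, 3-character extension and the allowed character set are assumptions taken from the LONGFI~1.TXT example.

```python
import re

# Characters accepted in an 8.3 name for this example (an assumption; real
# DOS rules allow a few more punctuation characters).
_DISALLOWED = re.compile(r"[^A-Z0-9_]")


class DosNameMapper:
    """Per-directory table mapping AIX file names (AFN) to 8.3 DOS file
    names (DFN) in the Windows NT style the page describes: the long name
    is truncated, a '~' delimiter is appended and a number makes the short
    name unique within the directory. Added example, not the server code."""

    def __init__(self):
        self._afn_to_dfn = {}
        self._dfn_to_afn = {}

    @staticmethod
    def _split(afn):
        stem, dot, ext = afn.rpartition(".")
        if not dot:                       # no extension at all
            stem, ext = afn, ""
        return stem, ext

    @classmethod
    def _fits_83(cls, afn):
        """A name needs no mangling if it already obeys 8.3 (case aside)."""
        stem, ext = cls._split(afn)
        return (afn.count(".") <= 1 and 0 < len(stem) <= 8 and len(ext) <= 3
                and not _DISALLOWED.search(stem.upper())
                and not _DISALLOWED.search(ext.upper()))

    def map_name(self, afn):
        """Return the DFN for afn, reusing an earlier mapping if one exists."""
        if afn in self._afn_to_dfn:
            return self._afn_to_dfn[afn]
        # A valid 8.3 name is passed through uppercased, unless another file
        # in this directory already owns that short name (case collision).
        if self._fits_83(afn) and afn.upper() not in self._dfn_to_afn:
            dfn = afn.upper()
        else:
            stem, ext = self._split(afn)
            stem = _DISALLOWED.sub("", stem.upper()) or "_"
            ext = _DISALLOWED.sub("", ext.upper())[:3]
            n = 1
            while True:                   # "~n" resolves name conflicts
                tail = "~%d" % n
                dfn = stem[:8 - len(tail)] + tail + ("." + ext if ext else "")
                if dfn not in self._dfn_to_afn:
                    break
                n += 1
        self._afn_to_dfn[afn] = dfn
        self._dfn_to_afn[dfn] = afn
        return dfn

    def resolve(self, dfn):
        """Return the AFN a client-supplied short name currently refers to."""
        return self._dfn_to_afn.get(dfn)


def restart_hazard():
    """Reproduce note 1: the table is not kept across a server restart, so a
    short name remembered by a client can resolve to a different file.
    Returns (short name, file it meant before, file it means after)."""
    before = DosNameMapper()
    short = before.map_name("LongFileName1.txt")
    before.map_name("LongFileName2.txt")
    # Server restarts with an empty table; LongFileName1.txt was removed in
    # the meantime, so the first long name enumerated is LongFileName2.txt.
    after = DosNameMapper()
    after.map_name("LongFileName2.txt")
    return short, before.resolve(short), after.resolve(short)
```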

Support for DOS File Attributes

AIX Fast Connect provides optional support for the ReadOnly, Archive, System, and Hidden file attribute bits of DOS files. These bits are encoded by AIX Fast Connect into the AIX file-permission bits of the AIX file system.

AIX Fast Connect automatically handles these bits in the AIX file system; the examples listed above simply show how AIX Fast Connect interprets these AIX-permission bits, when reporting DOS file attributes to a PC client. If you have AIX Fast Connect configured to support DOS file attributes (the default), you might need to manually turn off the Execute bits in your AIX directories that are being exported as AIX Fast Connect file shares.

Specifying NetBIOS Aliases for HACMP support

AIX Fast Connect supports server-name aliases, which allow an AIX Fast Connect server to respond to multiple NetBIOS server names. This feature is helpful in HACMP mutual takeover. Server aliases can be configured using the net name command, as follows:

Server aliases normally use NetBIOS subcodes 0x00 and 0x20, but other subcodes can be specified, for example:

   net name /add test3 /sub:03
   net name /delete sname2 /sub:2f
Notes:
  1. Whenever adding or deleting an alias name without specifying a subcode, or if subcode 0x00 or 0x20 is specified, the alias name is added or deleted with subcodes 0x00 and 0x20.
  2. The net name /list command uses angle brackets ("<",">") to show subcodes other than 0x00 and 0x20.
  3. To register alias name(s) to WINS or NBNS (including the local NBNS), the IP address of the WINS or NBNS server needs to be specified in the primary_wins_ipaddr or secondary_wins_ipaddr parameters.
  4. When adding an alias name:

Browse Master Support

AIX Fast Connect supports Browse Master functionality. This feature, when enabled, allows AIX Fast Connect to act as a data repository for network browse information in support of Network Neighborhood, My Network Places, and NET VIEW.

Notes:
  1. Whenever Network Logon support is enabled, Browse Master support is automatically enabled regardless of the browsemaster setting. Browse Master support is needed for support of Network Logon. If AIX Fast Connect cannot successfully register as Browse Master, the Network Logon feature is automatically disabled.
  2. AIX Fast Connect maintains browse information only for its own local subnets (based on IP interface definitions).
  3. AIX Fast Connect maintains browse information only for its own local domain/workgroup (based on the domainname option).

Performance Considerations

This section discusses several issues affecting AIX Fast Connect performance.

Large Directories

Directory enumerations are frequent network operations on Windows clients. Whenever Network Neighborhood (or Windows Explorer) opens a network directory, that entire directory is enumerated over the network for display in an Explorer window. Windows Explorer usually waits to display the contents of the window until the entire network directory has been listed. For large directories containing many files, this delay is noticeable to the PC user and can be frustrating. Remote file accesses from AIX (such as DCE/DFS or NFS) tend to aggravate this situation.

Try to prevent your AIX Fast Connect users from having to access large directories to get to the network files they need. One possible solution is to define smaller-sized AIX directories to be exported by AIX Fast Connect. These directories can contain links to files in the large directories.

If large directories are needed but rarely change (for example, CD-ROM), you might find the search caching features useful.

Search Caching

Directory searches are very frequent network operations on Windows clients. Every time a network file is opened, renamed, deleted, or listed, a directory search for that file name is performed. (For example, simply opening a document in Microsoft Word can cause multiple directory searches for that file name.)

The AIX Fast Connect search-caching feature allows directory searches to be temporarily cached to improve the performance of multiple-search scenarios such as opening documents. Also, for directories that change infrequently, but are accessed often, this feature can enhance performance.

Search caching is implemented in AIX Fast Connect by taking snapshots of directories and their modification times, as follows:

  1. When AIX Fast Connect needs to perform a directory search, AIX Fast Connect first checks its search cache (if enabled).
  2. If a search-cache entry is found, it is first validated. If that directory's current modification time is different from the cached time, the feature determines that the cache entry is not valid.
  3. Whenever the search-cache table is full, older entries are deleted to make space for new entries.
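The three steps above, snapshot keyed by directory, validation against the directory's modification time, and eviction of the oldest entries when the table is full, as an added example (not the server's implementation). The capacity and the stat/list hooks are assumptions; the in-memory directories are constructed data so the demonstration runs offline.

```python
import collections
import os


class SearchCache:
    """Directory-search cache built the way the page describes. Added
    example, not AIX Fast Connect code; capacity and hooks are assumptions."""

    def __init__(self, capacity=64, stat_mtime=None, list_dir=None):
        self.capacity = capacity
        # Hooks default to the real file system; the demo injects a fake one.
        self._stat_mtime = stat_mtime or (lambda p: os.stat(p).st_mtime_ns)
        self._list_dir = list_dir or (lambda p: sorted(os.listdir(p)))
        self._table = collections.OrderedDict()   # path -> (mtime, names)
        self.hits = self.misses = self.invalidations = 0

    def search(self, path):
        """Step 1: consult the cache; step 2: validate by modification time;
        step 3: on a miss, list the directory and evict the oldest if full."""
        mtime = self._stat_mtime(path)
        cached = self._table.get(path)
        if cached is not None:
            if cached[0] == mtime:
                self.hits += 1
                self._table.move_to_end(path)  # most recently used
                return cached[1]
            self.invalidations += 1            # directory changed: stale
            del self._table[path]
        self.misses += 1
        names = self._list_dir(path)
        if len(self._table) >= self.capacity:
            self._table.popitem(last=False)    # drop the oldest entry
        self._table[path] = (mtime, names)
        return names

    def cached_paths(self):
        return list(self._table)


class FakeDirectories:
    """In-memory stand-in for exported directories (constructed data)."""

    def __init__(self):
        self._dirs = {}   # path -> [mtime, set of names]

    def add_dir(self, path, names, mtime):
        self._dirs[path] = [mtime, set(names)]

    def create_file(self, path, name, mtime):
        self._dirs[path][1].add(name)
        self._dirs[path][0] = mtime      # creating a file bumps the dir mtime

    def mtime(self, path):
        return self._dirs[path][0]

    def listdir(self, path):
        return sorted(self._dirs[path][1])


def demo():
    """Exercise a hit, an invalidation and an eviction; returns the counters,
    the refreshed listing and the paths left in the table."""
    fs = FakeDirectories()
    fs.add_dir("/export/docs", ["a.doc", "b.doc"], 100)
    fs.add_dir("/export/cdrom", ["setup.exe"], 50)
    fs.add_dir("/export/tmp", [], 10)
    cache = SearchCache(capacity=2, stat_mtime=fs.mtime, list_dir=fs.listdir)
    cache.search("/export/docs")                 # miss: first snapshot
    cache.search("/export/docs")                 # hit: unchanged mtime
    fs.create_file("/export/docs", "c.doc", 101)
    listing = cache.search("/export/docs")       # stale: invalidated, re-read
    cache.search("/export/cdrom")                # miss, table now full
    cache.search("/export/tmp")                  # miss, evicts oldest (docs)
    return cache.hits, cache.misses, cache.invalidations, listing, cache.cached_paths()
```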

Search caching is configured on AIX Fast Connect by the following parameters:

Parameter       Default       Description
cache_searches  0 (disabled)  Globally disable the search-caching feature. (Set to 1 to enable.)
sh_searchcache  0 (disabled)  Disable search caching on a per-share basis. (Set to 1 to enable.)
Note
To enable search caching on any file shares, the cache_searches parameter must be enabled (set to 1), and the sh_searchcache parameter must be enabled for every file share for which search caching is desired.

SendFile API support

For file transfers to clients, AIX Fast Connect can use the SendFile API for performance enhancement. The SendFile API is an AIX kernel extension that provides efficient file transfers and can do data caching.

SendFile API is configured on AIX Fast Connect by the following:

Parameter             Default       Description
send_file_api         1 (enabled)   Enables or disables use of the SendFile API by AIX Fast Connect. Default is enabled; to disable SendFile, set to 0.
send_file_cache_size  0 (disabled)  Maximum Read-Request size that is cached by the SendFile API.
send_file_size        4096          Minimum Read-Request size before the SendFile API is used.
sh_sendfile           0 (disabled)  Per-share flag. Default is disabled; to enable SendFile for that file share, set to 1.
Notes:
  1. To enable SendFile API on any file shares, the send_file_api parameter must be enabled, and the sh_sendfile parameter must be enabled for every file share for which the SendFile API is desired.
  2. For systemwide SendFile configuration parameters, see the no command.

Memory-Mapped Files

AIX Fast Connect can be configured to use AIX memory-mapped files during CIFS read and write operations. This feature is enabled with the mmapfiles configuration option. By default, it is disabled.

DBCS and Unicode Issues

Following are some DBCS and Unicode issues:

Using ATM Interfaces
