AIX Fast Connect
Version 3.1 Guide

Configuration and Administration

This chapter discusses basic configuration and operation of AIX Fast Connect.

Note

Unless otherwise noted, all references to the net command in this section refer to the AIX Fast Connect command (/usr/sbin/net) not the NET command used on DOS, OS/2, and Windows. (Examples of the NET command use on PC clients are shown in the next section, Configuring Client PCs.)

You can use the Web-based System Manager, SMIT, the net command, or a combination of these methods to configure and administer the AIX Fast Connect server for your site.

As indicated in Packaging and Installation Requirements, AIX Fast Connect preconfigures itself to provide basic access to AIX user home directories (as defined in /etc/passwd) using plain-text network passwords. When started, the AIX Fast Connect server responds to SMB/NetBIOS requests on all operational TCP/IP interfaces.

Configurable Parameters

AIX Fast Connect is designed for ease of administration, but provides a set of customizable parameters to support various configurations. Several of these parameters are dynamically configurable and do not require the server to be stopped and restarted for the changes to become effective.

These parameters are found in the /etc/cifs/cifsConfig file and can be configured by using the net config command with the following syntax:

net config /parameter_name:parameter_value

The complete list of these configurable parameters is shown in Appendix B. Configurable Parameters for the net Command or by typing: net config help on the command line.

Note

Use the Web-based System Manager or SMIT for most changes to the AIX Fast Connect configuration parameters, both to avoid spelling mistakes and because some of these parameters must be changed simultaneously. However, examples of the net config command are shown below, for AIX Fast Connect system administrators who prefer this method.

To show the current configuration (an abbreviated list), type:
```
net config
```
This comand shows some of the most important parameters, including servername, domainname, and primary_wins_ipaddr.
To show a single parameter (for example, servername parameter), type:
```
net config /parm:servername
```

To change a parameter (for example, changing the domainname, the autodisconnect timeout, and the server comment), type:

net config /domainname:testdomain
net config /autodisconnect:60
net config /comment:"String parameter containing Spaces"

Configuration of File Shares and Print Shares (Exports)

AIX Fast Connect can configure and export file shares and print shares. File shares are exported AIX directories. Print shares are exported AIX print queues.Every time that the AIX Fast Connect server is started, a file share with the network name HOME is created by default. This special file share maps to $HOME, the AIX home directory (from the /etc/passwd file) of any PC-client user that connects to AIX Fast Connect. (Additionally, the file shares IBMLAN$ and ADMIN$ may be created by default, to support the Network Logon feature of AIX Fast Connect.) More file shares or print shares can be added by the system administrator using Web-based System Manager, SMIT, or the net command.

Note

The default shares HOME, IBMLAN$, and ADMIN$ cannot be changed or deleted.

Each file share or print share represents an object that AIX Fast Connect is exporting to the Windows network, accessed by its netname. Below are some common tasks related to file shares and print shares:

To list all shares currently exported by AIX Fast Connect, type:
```
net share
```
To add a new file share (for example, to export the /tmp AIX directory as network-name NETTEMP), type:
```
net share /add /type:f /netname:NETTEMP /path:/tmp /desc:"File share test" 
```
To add a new printer share (for example, to export the psColor1 AIX print queue as network name PSCOLOR1), type:
```
net share /add /type:p /netname:PSCOLOR1 /printq:psColor1 /desc:"Print share test"
```
Note

AIX names for files, directories, and print queues are case-sensitive, but network-names used by Windows networking are not case-sensitive.
To delete a share (for example, share NETTEMP listed above), type:
```
net share /delete /netname:NETTEMP
```

Note

If files seem to be missing in the directory when viewed from a PC client, AIX Fast Connect uses the AIX file permission bits to encode DOS file attributes (ReadOnly, Archive, System, Hidden). For more information, see Support for DOS File Attributes. Also, you can review Mapping Long AIX File Names to 8.3 DOS File Names.

Changing a file share or print Share (including the share description) causes that share definition to be deleted and then re-added with its new values. This change affects all PC clients that are connected to that share when it is redefined. These PC clients may experience Network error or Shared not found error messages until they remap the share manually or reboot the PC.

Hidden shares (not displayed by the Network Neighborhood or by NET VIEW) may be defined by adding a $ (dollar sign) at the end of the share name when creating the share.

If the AIX Fast Connect server has too much data to report, "NET VIEW \\servername" (on PC clients) can report an empty list.

User Administration

Access to AIX Fast Connect shares is managed internally by AIX user-security mechanisms. For example, if an AIX user has write access to a particular AIX subdirectory that is being exported by AIX Fast Connect, any PC client connecting to AIX Fast Connect (as that AIX user) would then have write access to that same subdirectory. (There are cases when an external PC client accesses AIX Fast Connect with a client user name that is different from the server user name being used for access checking; for example, guest mode, share-level security, and user name mapping.)

User accounts can be configured on the server using Web-based System Manager, SMIT, or the net command. Each defined AIX Fast Connect user must also be a defined AIX user. AIX Fast Connect supports user-level authentication using several mechanisms described in the following section. Resource access is permitted based on the authenticated AIX user credentials.

Note

Every AIX user name used for AIX Fast Connect authentication must have an AIX home directory specified. Otherwise, that user cannot access the AIX Fast Connect server.

Overview of User-Authentication Mechanisms

AIX Fast Connect supports several different types of user-authentication for access to the AIX Fast Connect server. Which authentication method you choose depends on your existing network environment and your network policies. These authentication methods are discussed briefly in this section. For more information, see Advanced Configuration Features.

AIX-based User Authentication (using plain text network passwords)

When the AIX Fast Connect server is configured for plain text passwords (and not for NT-Passthrough authentication), incoming SMB user name/password logins are sent to standard AIX system services for user authentication, which includes integrated DCE login, if specified for that AIX user.

To enable Plain Text passwords for AIX Fast Connect, type the following:

net config /encrypt_passwords:0

Note

SMB networking does not support mixed case for plain text passwords. In plain text mode, every AIX user accessing AIX Fast Connect must have AIX passwords that are in all uppercase or all lowercase.

CIFS Password Encryption Protocols

When the AIX Fast Connect server is configured for encrypted passwords (and not for NT-Passthrough authentication), incoming SMB user name/encrypted_password logins are validated by AIX Fast Connect against the /etc/cifs/cifsPasswd file, which is a database of AIX Fast Connect users (and their encrypted passwords). The /etc/cifs/cifsPasswd file is initialized and maintained by the net user command (see Configuring Encrypted Passwords).

To enforce encrypted passwords for AIX Fast Connect, type the following:

net config /encrypt_passwords:2

NT- Passthrough Authentication

When the AIX Fast Connect server is configured for NT-Passthrough Authentication, then the encrypt_passwords parameter is ignored, and incoming PC client login requests are routed through the network to an external Windows NT server for user authentication. (Normally, the PC-client uses encrypted passwords to authenticate with the external Windows NT server.) This method is often used when an NT server is already being used as a Network Logon server for the Windows network.

To enable AIX Fast Connect to authenticate to an external NT server (located at TCP/IP address IPaddress), type:

net config /passthrough_authentication_server:IPaddress

You can also designate a backup server for NT authentication with the following command:

net config /backup_passthrough_authentication_server:IPaddress2

Network Logon to AIX Fast Connect

AIX Fast Connect itself can be configured to act as a Network Logon server. (Windows NT and Windows 2000 clients require the IBM Primary Logon Client for NT to use this feature.) For more information, see Network Logon to AIX Fast Connect and Configuring Network Logon.

DCE/DFS Support

AIX Fast Connect can be configured for DCE/DFS support using plain text or encrypted passwords. In this mode, Fast Connect uses DCE-authentication mechanisms to validate PC clients for DFS access.

For more details, see DCE/DFS Support.

Kerberos-based Authentication

AIX Fast Connect supports the Kerberos 5-based authentication feature of Windows 2000 clients. To use this feature, the Windows 2000 clients must be configured for this mode.

Guest Logon

AIX Fast Connect can support guest-mode logon when configured for either plain-text or encrypted passwords. If AIX Fast Connect is enabled for guest-mode logins, an incoming PC client user name (which AIX Fast Connect must recognize as not a standard AIX Fast Connect user) is granted guest-mode access rights based on the AIX Fast Connect user name specified as the guest user (guestname parameter).

For more details, see Guest Logon.

Share-Level Security

When the AIX Fast Connect server is configured for share-level security, passwords are associated with individual file and print shares, not with PC client user names. In this mode, AIX Fast Connect provides access rights to PC clients based on a share-mode user name specified as the share_level_security_usernameparameter, similar to the guest-logon access mode.

For more details, see Advanced Configuration Features.

Client-to-Server Username Mappings

As an extension of the net user command, AIX Fast Connect can map PC client user names (or sets of PC client user names) to AIX user names, for user-mode authentication and file access.

For more details, see User-Name Mappings.

Configuring Encrypted Passwords

When the AIX Fast Connect server is configured for encrypted passwords, AIX Fast Connect attempts to authenticate all incoming SMB username/encrypted_password logins against the AIX Fast Connect /etc/cifs/cifsPasswd file, which is a database of AIX Fast Connect users (and their encrypted passwords). This file is initialized and maintained by the net user command.

Note

When AIX Fast Connect is configured to use encrypted passwords, only AIX Fast Connect usernames configured to use encrypted passwords by net user are able to log in to AIX Fast Connect. These passwords are distinct from (and may differ from) the standard AIX passwords in the /etc/security file. When an AIX user changes their password (using /usr/bin/passwd), the AIX Fast Connect password for that user does not automatically change. Nevertheless, you may want to use encrypted passwords on your network to enhance network security or to simplify configuration of recent Windows clients (who assume encrypted passwords, by default).

To enforce Encrypted Passwords for AIX Fast Connect, type:
```
net config /encrypt_passwords:2
```
To list all users configured in the /etc/cifs/cifsPasswd file, type:
```
net user
```
To configure a new user for encrypted passwords, type:
```
net user username password /add
```
or:
```
net user username -p /add
```
The -p flag prompts for a no-echo password.
To change a user's encrypted password, and also update that user's AIX password, type:
```
net user username password /changeaixpwd:yes
```
-or-
```
net user username -p /changaixpwd:yes
```
To delete a user from the encrypted-passwords database, type:
```
net user username /delete
```
For security reasons, the default /etc/cifs/cifsPasswd file maps the client user name root to the server user name nobody. If you want to allow the user name root to map to itself (as a server user name), delete the default mapping by typing:
```
net user  /delete root
```
The user name root can then be added as a Fast Connect user with its own encrypted password.

Basic Server Administration

You can use Web-based System Manager, SMIT, or the net command to manage AIX Fast Connect server operations. The following sections show basic server operations, using the AIX Fast Connect net command, and highlight the fast paths for SMIT at the end of the section.

Starting and Stopping the AIX Fast Connect Server

Follow these steps to start or stop the AIX Fast Connect Server:

To load the server daemon, and enable PC clients to connect, type:
```
/etc/rc.cifs start
```
To stop the server, (and unload the server daemon), type:
```
/etc/rc.cifs stop
```
Note

When the server daemon (cifsServer) is not loaded, the AIX Fast Connect net command does not function. To configure AIX Fast Connect parameters offline, you might need to load the server daemon manually by typing /usr/sbin/cifsServer on the command line. This enables the net command to function, but does not start the server. PC clients are not able to connect until the /etc/rc.cifs start command is issued.
To temporarily reject new SMB sessions (without disturbing existing connections), type:
```
net pause
```
To re-enable the server to accept new connections, type:
```
net resume
```

Showing Server Status Information

AIX Fast Connect provides several mechanisms for displaying current server status, including general status, configuration information, statistical information, and user-session information.

To query the server's operational status, type:
```
net status
```
To show general configuration information, type:
```
net config
```
To show statistical information (for example, packets delivered), type:
```
net statistics
```
Note

You can reset the statistics counts by typing net statistics /reset on the command line.
To query the status of logged-in user sessions, type:
```
net session
```

Web-based System Manager, SMIT Fast Paths, and net Commands

You can use the Web-based System Manager PC Services container to administer AIX Fast Connect, or you can use the SMIT fast paths and net commands shown in the following table.

Table 1. SMIT Fast Paths and commands or files to use when performing common AIX Fast Connect tasks.
Task	SMIT fast path	Command or file
Starting the Server	smit smbadminstart	net start
Stopping the Server	smit smbadminstop	net stop
Pausing the Server		net pause
Resuming the Server		net resume
Changing Parameters	smit smbcfghatt	net config
Changing Resources	smit smbcfgresi	net config
Adding Users	smit smbcfgusradd	net user
Changing Users	smit smbchgusrlis	net user
Changing a User Password	smit smbusrpwd	net user
Deleting a User	smit smbrmusrlis	net user
Configuring nbns	smit smbwcfgn
Listing All Shares	smit smbsrvlisall	net share
Listing All File Shares	smit smbsrvfilist	net share
Adding a File Share	smit smbsrvfiladd	net share
Changing a File Share	smit smbsrvfilchg	net share
Deleting a File Share	smit smbsrvfilrm	net share
Adding Printer Share	smit smbsrvprtadd	net share
Changing Printer Share	smit smbsrvprchg	net share
Deleting Printer Share	smit smbsrvprtrm	net share
Showing Server Status	smit smbadminstatu	net status
Showing the Configuration	smit smbcfg	net config
Showing Statistics	smit smbadminstats	net statistics
Showing Share	smit smbsrvlisall	net share
Getting Help	(smit help-panels)	net help

NetBIOS Name Service (NBNS)

NetBIOS Name Service (NBNS) for AIX Fast Connect provides name-resolution services. It also supports some functions of Windows Internet Name Service (WINS), such as registration of multihomed name and Internet group name.

To activate NBNS, type:
```
net config /nbns:1
```
To turn off NBNS, type:
```
net config /nbns:0
```
Note

The nbns parameter is static, not dynamic. The AIX Fast Connect server must be shut down and restarted to enable NBNS service.

Table 2. SMIT Fast Paths and commands or files to use when performing common administrative NBNS tasks.
Task	SMIT fast path	Command or File
List all names in the NetBIOS Name Table		net nblistnames
Add a static NetBIOS Name	smit smbwcfgadd	net nbaddname /name:NBname /ipaddress:IPaddress [ /sub:XX ] or net nbaddgroup or net nbaddmulti
Delete a NetBIOS name in Name Table	smit smbwcfgdel	net nbdelname /name:NBname [ /sub:XX ]
Delete by Name and Address	smit smbwcfdadd	net nbdeladdr /name:NBname /ipaddress:IPaddress
Back up the NBNS Name Table to a File	smit smbwcfgbak	net nbbackup [ /file:filename ]
Restore the NBNS Name Table from Backup	smit smbwcfgres	net nbrestore [ /file:filename ]

Notes:

The value of IPaddress can be any number in IP address range.
The subcode value XX is any two-digit hexadecimal number in the range 00-FF.

AIX Fast Connect Version 3.1 Guide

Configuration and Administration

Configurable Parameters

Configuration of File Shares and Print Shares (Exports)

User Administration

Overview of User-Authentication Mechanisms

Configuring Encrypted Passwords

Basic Server Administration

Starting and Stopping the AIX Fast Connect Server

Showing Server Status Information

Web-based System Manager, SMIT Fast Paths, and net Commands

NetBIOS Name Service (NBNS)

AIX Fast Connect
Version 3.1 Guide