AIX Fast Connect
Version 3.1 Guide
Appendix D. DCE Registry User Database
AIX Fast Connect user information (including encrypted passwords) can
be kept in the DCE Registry, a centralized user database that multiple AIX Fast Connect servers
can access. This database uses the Extended Registry Attribute Field to maintain
encrypted passwords and user descriptions for each user.
Enable the AIX Fast Connect cifs_registry option
to use this functionality on each server. The server need not be enabled for
DCE/DFS authentication.
The dce_admin_user and dce_admin_keytab configuration parameters are needed for this functionality. In addition,
the DCE keytab file, which allows each AIX Fast Connect server to access
and update the DCE Registry User Database, is needed.
To configure and use the DCE Registry User Database, follow these steps:
- Install the AIX Fast Connect filesets on each server.
- Create the Extended Registry Attribute schema needed for this feature
  (needed only once for the entire DCE cell, not once per server) by following
  these steps:
  - dce_login as cell_admin and run the following:
        /usr/sbin/cifsRgysetup.dcecp
  - Use acl_edit to modify the ACLs of the new Extended Registry Attributes
    schema so that /.:/sec/xattrschema is fully protected
    from access by unauthenticated other_obj or any_other objects. Change these ACLs from r----- to ------.
- Set up a DCE keytab file on each AIX Fast Connect server. This file contains
  the DCE user name and password of the dce_admin_user account that has authority
  to read and write data to the Extended Registry Attribute fields of every
  DCE user that is also an AIX Fast Connect user. For information on setting
  up a DCE keytab file, see DCE/DFS Support.
- Configure the dce_admin_user and dce_admin_keytab parameters on each AIX Fast Connect server
  by running the following:
        net config /dce_admin_user:dceAdminUser
        net config /dce_admin_keytab:keytabFilename
- Enable the cifs_registry feature on each AIX Fast Connect server
  by running the following:
        net config /cifs_registry:1
- Restart each AIX Fast Connect server:
        /etc/rc.cifs stop
        /etc/rc.cifs start
  If any errors occur when restarting, check the /var/cifs/cifsLog file.
- Add AIX Fast Connect users to the database by running:
        net user /add username password /comment:"userdescription"
  or
        net user /add username /comment:"userdescription"
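The per-server checks behind the steps above, as an added POSIX shell example that is not part of AIX Fast Connect: it verifies that the file named by dce_admin_keytab exists and is readable only by its owner (an added hardening check, since it holds the dce_admin_user credentials), that each Fast Connect user name resolves to a uid through the id command, and prints the net config and rc.cifs commands for review instead of running them. The function names keytab_ok, unresolved_users and config_commands are assumptions.

```shell
#!/bin/sh
# Pre-flight check before enabling cifs_registry on one AIX Fast Connect
# server. Added example; not product code. It checks the prerequisites
# the appendix lists rather than changing any configuration itself.

# Return 0 if the keytab is a regular file with no group/other permission
# bits set (it holds the dce_admin_user name and password).
keytab_ok() {
    kt=$1
    [ -f "$kt" ] || return 1
    # ls -l is portable across AIX and Linux; columns 5-10 are the
    # group and other permission bits.
    perms=$(ls -l "$kt" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Print every user name from the argument list that id(1) cannot resolve
# to a uid (the appendix requires this for each Fast Connect user, normally
# provided by dceunixd). Return 0 when all resolve, 1 otherwise.
unresolved_users() {
    rc=0
    for u in "$@"; do
        if ! id -u "$u" >/dev/null 2>&1; then
            echo "$u"
            rc=1
        fi
    done
    return $rc
}

# Emit the net config and rc.cifs commands the appendix prescribes, in
# order, without running them, so an operator can review them first.
# $1 = DCE admin user name, $2 = keytab file path.
config_commands() {
    printf 'net config /dce_admin_user:%s\n' "$1"
    printf 'net config /dce_admin_keytab:%s\n' "$2"
    printf 'net config /cifs_registry:1\n'
    printf '/etc/rc.cifs stop\n'
    printf '/etc/rc.cifs start\n'
}

# Usage (stand-alone): check a keytab and two users, then show the commands.
if [ -n "$1" ]; then
    keytab_ok "$1" || echo "keytab $1 missing or too permissive" >&2
    unresolved_users root "${2:-root}" || echo "some users do not resolve" >&2
    config_commands cell_admin "$1"
fi
```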
With cifs_registry enabled, the net user subcommand keeps its previous syntax with the following exceptions:
- All net user queries and updates are now directed
to the DCE Registry version of the user database instead of the /etc/cifs/cifsPasswd file.
- The net user subcommand requires a username parameter to be specified when cifs_registry is enabled. The List All Users functionality is
not supported in this mode.
Note the following:
- The cifs_registry feature is only effective when
NT-passthrough authentication is disabled and encrypted passwords are enabled.
- The UserNameMapping feature is not supported when cifs_registry is enabled.
- When the cifs_registry feature is enabled, every AIX Fast Connect user
name must also exist as a DCE user name. Each user name must also
be recognized as a valid uid by the id command on every AIX Fast Connect server. This can be accomplished
by running the DCE daemon dceunixd.
- User data that may be available in the local AIX Fast Connect user database
(/etc/cifs/cifsPasswd) is not automatically transferred
to or from the DCE Registry User Database. These databases can get out of sync
and will generally contain different data. When cifs_registry is enabled, only the DCE Registry User Database is used and each local
database is ignored.
- When cifs_registry is enabled, the List All Users functionality of the net user subcommand
is not supported.
- To prevent unauthorized access to DCE user information, the ACLs for the
DCE Registry schema, /.:/sec/xattrschema must be modified
from r----- to ------ for the other_obj and any_other objects.