5.1 Administrator Tasks for Native File Access for Windows Services

Native File Access for Windows provides several ways to simplify your administration tasks and to customize how Windows workstations interact with the network. The following sections describe them.

5.1.1 Creating Simple Passwords for Windows Users

In order to take advantage of Novell® Native File Access software, all users must have a NetWare® User object created in eDirectory™.

NOTE: A NetWare User object specifies attributes and information about which network resources the user can access. User objects are created using iManager or ConsoleOne®. For more information about iManager, see the iManager Security Issues. For more information about ConsoleOne, see the ConsoleOne 1.3.x User Guide.

Also, if the universal password feature in NetWare 6.5 is not enabled, most users must also have a simple password created for them before they can access network resources using Native protocols. The exception is when Native File Access for Windows software has been configured to use the Domain authentication method.

To avoid user lockout in Windows pass-through mode, change the following setting on the Windows PDC: set RequireSecuritySignature to Disable. This setting removes the PDC's requirement for SMB signing; Section 5.1.9 describes what SMB signing protects against.

Then execute the following command at the PDC: net config server /autodisconnect:-1

This section describes the two Windows authentication methods and password requirements and explains how to create simple passwords for Windows users.

Windows Authentication Methods and Simple Passwords

The method that Windows workstations (using their Native Common Internet File System, or CIFS, Protocol) use to authenticate to the CIFS-enabled NetWare server is determined by which authentication method is configured. The two Windows authentication methods are Local and Domain.

If Local authentication is being used, each Windows user must have a simple password associated with their NetWare/eDirectory User object in order to access network resources using Native protocols. However, if Domain authentication is being used, a simple password is not required, because Domain authentication uses pass-through authentication to the Windows Domain Controller. As a result, when implementing Domain authentication, Novell Native File Access software does not support the Change Password feature from the client; the password must be changed using the Domain Controller User Manager tool.

In order to understand how the Novell Native File Access software incorporates the security of NetWare with the Native operating system's security (such as Microsoft Networking), it is useful to first know the functionality and interrelation of the following four distinct passwords used in a mixed networking environment.

  • Windows Local Password: The Windows operating system requires a username and password to log in to the computer. This password, called the local password, is stored on the computer's local hard disk.

  • Windows Domain Controller Password: Windows networking uses a domain controller, which is a computer running Windows Server software that manages user access to the Microsoft network. When Windows users log in to the network using a Domain Controller, they are required to specify a username and password for authentication. This password, called the domain controller password, is stored on the domain controller computer.

  • NetWare Password: To access the NetWare network, each user must have a user account created specifically for him or her. This account is called a User object and is stored in the Novell eDirectory data store. It consists of a NetWare username and a corresponding NetWare password.

    When the workstation is running Novell Client™ software, users log in by specifying their NetWare username (including context) and password. NetWare usernames and passwords are stored securely in the eDirectory structure on NetWare servers.

  • Simple Password: The simple password is also associated with a corresponding User object and is required to provide network access from workstations that do not have Novell Client software installed. As with the NetWare password, the simple password is stored securely in eDirectory on the network.

IMPORTANT: Remember that if Local authentication has been implemented, Windows users must have a simple password in order to access network resources using their Native protocol (CIFS). However, if Domain authentication has been implemented for your server, a simple password is not required.

5.1.2 Two Methods for Creating Simple Passwords for Windows Users

You can create simple passwords with either ConsoleOne or iManager.

Using ConsoleOne

  1. At the Administrator Workstation, log in as a user with the Supervisor right.

    Make sure that the Administrator Workstation meets the prerequisites described in Section 3.2, Administrator Workstation Prerequisites.

  2. Run consoleone.exe (located in the \public\mgmt\consoleone\1.2\bin directory).

  3. Right-click the User object, then click Properties.

  4. Click the Login Methods tab and select Simple Password.

  5. Create a simple password for the selected user by filling in the following fields:

    • Set Simple Password: Specify a unique password for the user.

    • Confirm Simple Password: Specify the same password for confirmation.

    NOTE: If the simple password is different from the NetWare password, users specify the simple password when accessing the network with Native protocols and they specify the NetWare password when logging in with Novell Client software.

  6. Click OK.

  7. Repeat Step 3 through Step 6 in order to create a simple password for each user who requires network access using Novell Native File Access software.

  8. (Optional) If you want users to be able to change their own simple passwords after they log in the first time, check the Force Password Change check box.

Using iManager

You can also use iManager to create simple passwords for individual users.

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html
    

    For example:

    http://192.168.0.1/nps/iManager.html
    
  2. At the login prompt, specify the server administrator username and password.

  3. In the left frame, click Users, then click either Modify Users if you are creating a simple password for an existing user or Create Users if you are creating a new user object and want to create a simple password for that new user object.

  4. (Conditional) If you are creating a simple password for an existing user

    1. Specify the username, or browse to and select the user that you want to create the simple password for.

    2. Click the Restrictions tab and then click the Set Password link.

    3. Click the Set Simple Password check box and specify the simple password you want to assign to the user.

      Keeping the eDirectory password the same as the simple password is the easiest way to manage passwords.

  5. (Conditional) If you are creating a simple password for a new user object

    1. Specify the name and other requested information for the new user.

    2. Click the Set Simple Password check box and specify the simple password you want to assign to the user.

      NOTE: If the simple password is different from the NetWare password, users specify the simple password when accessing the network with Native protocols, and they specify the NetWare password when logging in with Novell Client software.

Now that you have created simple passwords for User objects in NetWare, those users can use Native protocols and familiar access methods (such as Network Neighborhood or My Network Places) to access and manipulate files on the server. When prompted to authenticate, users specify their NetWare username (without context) and their corresponding simple password.

5.1.3 Enabling Users to Change Their Simple Passwords with iManager

You can use ConsoleOne to assign the necessary rights so that users can change simple passwords with iManager.

  1. At the Administrator workstation, log in as a user with the Supervisor right.

    Make sure that the Administrator workstation meets the prerequisites described in Section 3.2, Administrator Workstation Prerequisites.

  2. Run consoleone.exe (located in the \public\mgmt\consoleone\1.2\bin directory).

  3. Right-click the User object, then click Trustees of This Object.

  4. Select the User object and click Assigned Rights > Add Property.

  5. Select the SAS:Login Configuration property from the list and click OK.

  6. Click Add Property, select SAS:Login Configuration Key and click OK.

  7. Enable Compare, Read, and Write rights for both of the properties you just added to the User object.

  8. Click OK > OK.

5.1.4 Understanding Synchronization of NetWare Passwords and Simple Passwords

Native File Access for Windows (CIFS) software allows users to change their own passwords from a client workstation. Of course, this applies only when Local authentication is being used because the Domain authentication method does not use simple passwords. When users change their simple passwords, their NetWare passwords will be affected differently, as described in the following scenarios:

  • If both the NetWare password and the simple password are already the same when the user changes the simple password, the NetWare password is synchronized and both passwords remain the same.

  • If the NetWare password and the simple password are not the same when the user changes the simple password, the NetWare password is not synchronized with the new simple password. The two passwords remain different.

  • Whenever a user changes the NetWare password, the simple password is not synchronized with the new NetWare password. The user must separately change the simple password for the two passwords to match.

NOTE: With the Universal password feature enabled in NetWare 6.5, there is no need to create separate simple passwords. The Universal password automatically keeps passwords synchronized.

5.1.5 Specifying Contexts in the Context Search File

An eDirectory search context is created automatically during the NetWare installation for Windows users who require access to the network. These contexts are saved in the context search file. When Windows users specify a username, the Native File Access component running on the server searches through each context in the list until it finds the correct User object.

NOTE: In Domain mode, if User objects with the same name exist in different contexts, the server tries each of those User objects in context-file order until one authenticates with the supplied password.

You can add or remove contexts by editing the context search file.

  1. Using any text editor, edit the cifsctxs.cfg file stored in the sys:\etc directory of the server.

  2. On separate lines, specify the full contexts to search.

    For example, if you had users with full eDirectory distinguished names such as Robert.sales.acme, Maria.graphics.marketing.acme, Sophia.graphics.marketing, and Ivan.marketing.acme, then you would specify the following contexts in the cifsctxs.cfg file:

    • sales.acme
    • graphics.marketing.acme
    • marketing.acme

  3. Save the file in the sys:\etc directory.

  4. At the server console, specify CIFSSTOP to unload the current context search file.

  5. Specify CIFSSTRT to load the new context search file and apply the changes.

When Windows users log in, they specify only a username and the simple password. The system finds the User object in the context specified in the cifsctxs.cfg file.
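The following Python model shows how the context search file described above turns a bare CIFS username into one or more User objects, including the Domain-mode case where the same name exists in several listed contexts, and adds a check that flags such ambiguous names. It is an added example, not Novell code; the cifsctxs.cfg text and the directory contents are constructed (Elena.support.acme and Robert.marketing.acme are invented entries).

```python
"""Model of the cifsctxs.cfg context search from this section (added example,
not Novell code).  The file text and directory contents below are constructed."""

# Constructed cifsctxs.cfg contents: one full context per line, as in step 2.
CIFSCTXS_CFG = """\
sales.acme
graphics.marketing.acme
marketing.acme
"""

# Constructed stand-in for the User objects in eDirectory (full distinguished
# names written leaf-first, as on this page).  The last two are invented.
DIRECTORY_USERS = [
    "Robert.sales.acme",
    "Maria.graphics.marketing.acme",
    "Ivan.marketing.acme",
    "Elena.support.acme",      # context not listed in cifsctxs.cfg
    "Robert.marketing.acme",   # same name as Robert.sales.acme, other context
]


def parse_contexts(cfg_text):
    """Return the contexts in file order, ignoring blank lines and padding."""
    return [line.strip() for line in cfg_text.splitlines() if line.strip()]


def split_dn(dn):
    """Split 'cn.context' into (cn, context); a bare CN gets an empty context."""
    cn, _, context = dn.partition(".")
    return cn, context


def candidates(username, contexts, users):
    """User objects matching a bare username, in context-file order.

    Local mode stops at the first hit.  In Domain mode (see the NOTE above)
    every match is tried in this order until the password matches, so the
    order of the file decides which account wins when names collide."""
    found = []
    for ctx in contexts:
        for dn in users:
            cn, user_ctx = split_dn(dn)
            if cn.lower() == username.lower() and user_ctx.lower() == ctx.lower():
                found.append(dn)
    return found


def resolve_local(username, contexts, users):
    """Local mode: the first User object found, or None if no listed context has it."""
    hits = candidates(username, contexts, users)
    return hits[0] if hits else None


def ambiguous_names(contexts, users):
    """Defender's check: usernames present in more than one listed context."""
    listed = {c.lower() for c in contexts}
    seen = {}
    for dn in users:
        cn, ctx = split_dn(dn)
        if ctx.lower() in listed:
            seen.setdefault(cn.lower(), []).append(dn)
    return {cn: dns for cn, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    ctxs = parse_contexts(CIFSCTXS_CFG)
    print(resolve_local("Maria", ctxs, DIRECTORY_USERS))
    print(candidates("Robert", ctxs, DIRECTORY_USERS))
    print(resolve_local("Elena", ctxs, DIRECTORY_USERS))   # None: context not in file
    print(ambiguous_names(ctxs, DIRECTORY_USERS))
```

A user whose context is missing from the file cannot be found at all, which is why the import in Section 5.1.7 writes the selected context into cifsctxs.cfg.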

5.1.6 Managing Network Access with ConsoleOne

ConsoleOne helps you manage Novell Native File Access for each computer platform. You can create users and groups, assign and restrict rights to directories, and view the rights of specific users.

To provide rights to network access, do the following:

  1. From the Administrator workstation, log in to the NetWare server running Novell Native File Access Protocols software.

    You must use a Windows workstation that meets the prerequisites as described in Section 3.2, Administrator Workstation Prerequisites.

  2. Run consoleone.exe, located in \public\mgmt\consoleone\1.2\bin\.

  3. Set up and manage rights as described in the ConsoleOne 1.3.x User Guide.

5.1.7 Providing Network Access to Domain Users

You can provide access to users from an existing NT domain by importing them into eDirectory.

  1. Configure the Novell Native File Access Protocols software for Domain authentication.

    Importing users from an NT domain is not supported in Local Mode. In Local Mode, the main NetWare® Remote Manager page is displayed rather than the NFAP Import Users page.

  2. Run NetWare Remote Manager.

    NetWare Remote Manager is launched by specifying the IP address of the server in the URL field of an Internet browser.

    See NW 6.5 SP8: Novell Remote Manager Administration Guide in the NetWare 6.5 documentation.

  3. In the left frame, click Manage eDirectory > NFAP Import Users.

  4. Browse to the eDirectory Context that you will import the users into.

    Any time you reach a valid context for importing users, a Start button will appear.

  5. Click Start to import users.

    The context that you select will be automatically written to the cifsctxs.cfg file, which contains all the contexts of all users.

    The status of the import is reported at the interval that you select.

  6. When the import is complete, click Done to clear the screen.

5.1.8 Enabling and Disabling CIFS

Administrators can enable or disable CIFS on NetWare servers by using iManager. CIFS is enabled by default when NetWare 6.5 is installed.

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html
    

    For example:

    http://192.168.0.1/nps/iManager.html
    
  2. At the login prompt, specify the server administrator username and password.

  3. In the left frame, click File Protocols, then click CIFS.

  4. Type the NetWare server name where you want to enable or disable CIFS, or browse and select it.

  5. Select or deselect the Enable CIFS check box to enable or disable CIFS.

  6. Click Apply to save your changes.

5.1.9 Enabling and Disabling SMB Signing

SMB (or CIFS) signing is necessary to prevent "man-in-the-middle" attacks. It provides message authentication, which prevents an active attacker from altering or injecting messages. SMB signing provides this authentication by placing a digital signature into each SMB. The digital signature is then verified by both the client and the server.

To use SMB signing, you must enable it on both the client and the server. If SMB signing is required on the server, clients cannot establish sessions with the server unless they have SMB signing enabled.

SMB signing is disabled by default. It can be enabled or disabled and set to mandatory or optional mode using either server console commands, or iManager.

If SMB signing is set to optional mode (the default mode after enabling it using console commands) it automatically detects whether or not individual clients have SMB signing enabled. If a client does not have SMB signing enabled, the server does not use SMB signing for client communication. If a client has SMB signing enabled, the server uses SMB signing for client communication.

If you set SMB signing to mandatory mode, all clients must have SMB signing enabled or they cannot connect to the server.

Using Console Commands

To enable SMB signing on a NetWare 6.5 SP4 or later server, specify the following command at the server console:

cifs signatures enable

If you have enabled SMB signing and want to disable it, specify the following command at the server console:

cifs signatures disable

To set SMB signing to mandatory mode after enabling it, specify the following command at the server console:

cifs signatures mandatory

SMB signing is set to optional mode by default after enabling it using console commands. If you have set SMB signing to mandatory and want to change it back to optional, specify the following command at the server console:

cifs signatures optional

Using iManager

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html
    

    For example:

    http://192.168.0.1/nps/iManager.html
    
  2. At the login prompt, specify the server administrator username and password.

  3. In the left frame, click File Protocols, then click CIFS.

  4. Type the NetWare server name where you want to enable or disable SMB signing, or browse and select it.

  5. Click the Properties button, then click the Server tab.

  6. In the SMB Signature section of the page, select either Mandatory or Optional to enable SMB signing and to set it to either the optional or mandatory mode.

    After enabling SMB signing, you can select Disabled to disable it.

  7. Click the Apply button to save your changes.

IMPORTANT: After enabling or disabling SMB signing, or changing the mode to optional or mandatory, clients must reconnect in order for the changes to take effect. For example, if you have enabled SMB signing on the server, SMB signing will not be in effect for individual clients until each of those clients reconnects.

Mounting a CIFS Share

If you want to use the Linux mount command to create a mount point to a CIFS share from a Linux client, you must use the mount -t cifs command. Using the mount -t smbfs command does not work properly due to a problem in the smbfs client.

5.1.10 Changing CIFS Configuration

Administrators can customize the network environment for Windows workstations (CIFS) using iManager.

  1. In a Web browser, specify the following in the address (URL) field:

    http://server_IP_address/nps/iManager.html
    

    For example:

    http://192.168.1.1/nps/iManager.html
    
  2. At the login prompt, specify the server administrator username and password.

  3. In the left frame, click File Protocols, then click CIFS.

  4. Type the NetWare server name where you want to change CIFS configuration, or browse and select it.

  5. Ensure that the Enable CIFS check box is selected.

  6. Create, edit, or delete CIFS shares as desired or click the Properties button to access additional configuration pages.

    See the descriptions below for details on the other configuration options.

  7. Click Apply to save your settings.

CIFS Server Property Page Parameters

In addition to the SMB signature options, the following parameter fields and options appear on the CIFS Properties page in iManager if you click the Server tab:

  • CIFS Virtual Server Name: is the name of the server running Novell Native File Access Protocols. The length can be a maximum of 15 characters. This name is displayed in Network Neighborhood. This server name must be different from the NetWare server name. The default server name is the NetWare server name with an added dash (-) and a W. For example, a NetWare server named ACME1 would default to ACME1-W.

    NOTE: On NetWare CIFS, the first 14 characters of different virtual server names cannot be the same.

    For example, CSI-SSIG-TBETA2 and CSI-SSIG-TBETAn share the same first 14 characters and therefore cannot both be used.

  • WINS IP Address: is the address of the WINS server to be used to locate the PDC, if the PDC and the server running Novell Native File Access Protocols are on different subnets.

  • Comment: is the comment associated with the server name discussed above. This comment is displayed when viewing details.

  • OpLocks (Opportunistic Locking): improves file access performance and is enabled by default for NetWare 6.5. You can disable or enable it by selecting or deselecting the check box.

  • DFS (Distributed File Services Support): lets CIFS clients use the volume junction features of NSS. See Installing DFS in the Novell Distributed File Services Administration Guide for more information. You can enable or disable DFS support on this server for CIFS clients.

CIFS Authentication Property Page Parameters

The following options and parameter fields appear on the CIFS Properties page in iManager if you click the Authentication tab:

  • Mode: indicates the method of authentication used by Novell Native File Access Protocols. You can select either eDirectory (Local) or Third Party Domain from the drop-down list:

    • Third Party Domain: Clients are members of a domain. A Windows domain controller performs user authentication. The username and password on the domain controller must match the username and password used to log in to the Windows workstation.

    • eDirectory Local: Clients are members of a workgroup. The server running Novell Native File Access Protocols performs the user authentication. The username and password on NetWare must match the username and password used to log in to the Windows workstation.

  • Work Group/Domain Name: is the domain or workgroup that the server will belong to. Workgroup and Domain can be used interchangeably.

  • Primary Domain Controller Name: is the name of the PDC server. This option should be used only when there is a valid reason for overriding WINS or DNS. This field can be changed only if Domain Mode is selected.

  • Primary Domain Controller IP Address: is the PDC server's static IP address. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS. This field can be changed only if Domain Mode is selected.

    IMPORTANT: The address of the PDC must be static; otherwise, if the PDC reboots and the address changes, the server running Novell Native File Access Protocols will not be able to contact the PDC.

Shares Parameters

The following fields appear if you click New or Edit on the CIFS Management page in iManager. Use the Shares page to add volumes or directories on the server to be specified as shared points and to be accessible via the Network Neighborhood.

NOTE: If no Shares are specified, then all mounted volumes are displayed.

  • Share Name: is the name by which the sharepoint is displayed on Windows computers. For example, if you specify Company Photos as the sharename associated with vol1\graphics, then Windows workstations browsing the network see "Company Photos" instead of "vol1\graphics".

  • Path: is the path to the server volume or directory which becomes the root of the sharepoint. Do not end the path with a backslash (\).

  • Comment: is a description for the sharepoint that appears in Network Neighborhood or My Network Places.
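The Server tab and Shares page rules above (15-character limit, virtual name different from the NetWare name, unique first 14 characters, no trailing backslash in a share path) can be checked before a configuration is applied. The following Python validator is an added example, not Novell code; the planned servers and shares it checks are constructed, with one of each mistake included on purpose.

```python
"""Validator for the CIFS virtual server name and share rules on this page
(added example, not Novell code).  The configuration below is constructed."""

MAX_VIRTUAL_NAME_LEN = 15   # "The length can be a maximum of 15 characters."
UNIQUE_PREFIX_LEN = 14      # "the first 14 characters ... cannot be the same"


def default_virtual_name(netware_name):
    """Default CIFS Virtual Server Name: NetWare name plus '-W' (ACME1 -> ACME1-W)."""
    return netware_name + "-W"


def check_virtual_name(netware_name, virtual_name):
    """Problems with one server's CIFS Virtual Server Name."""
    problems = []
    if len(virtual_name) > MAX_VIRTUAL_NAME_LEN:
        problems.append(f"{virtual_name}: longer than {MAX_VIRTUAL_NAME_LEN} characters")
    if virtual_name.upper() == netware_name.upper():
        problems.append(f"{virtual_name}: same as the NetWare server name")
    return problems


def check_prefix_collisions(virtual_names):
    """Groups of different virtual server names whose first 14 characters match
    (the CSI-SSIG-TBETA2 / CSI-SSIG-TBETAn case from the NOTE above)."""
    by_prefix = {}
    for name in virtual_names:
        by_prefix.setdefault(name[:UNIQUE_PREFIX_LEN].upper(), []).append(name)
    return [names for names in by_prefix.values() if len(set(names)) > 1]


def check_share(share):
    """Problems with one share entry (Share Name / Path)."""
    problems = []
    if not share.get("name"):
        problems.append("share without a Share Name")
    path = share.get("path", "")
    if path.endswith("\\"):   # "Do not end the path with a backslash"
        problems.append(f"{share.get('name')}: path {path!r} must not end with a backslash")
    return problems


def validate(servers, shares):
    """Run every check over a planned configuration and return all findings."""
    findings = []
    for srv in servers:
        findings += check_virtual_name(srv["netware_name"], srv["virtual_name"])
    for group in check_prefix_collisions([s["virtual_name"] for s in servers]):
        findings.append("first 14 characters not unique: " + ", ".join(group))
    for share in shares:
        findings += check_share(share)
    return findings


# Constructed planned configuration with one of each mistake.
SERVERS = [
    {"netware_name": "ACME1", "virtual_name": default_virtual_name("ACME1")},
    {"netware_name": "ACME2", "virtual_name": "ACME2"},              # equals NetWare name
    {"netware_name": "TB2", "virtual_name": "CSI-SSIG-TBETA2"},
    {"netware_name": "TB3", "virtual_name": "CSI-SSIG-TBETA3"},      # same first 14 chars
    {"netware_name": "FS1", "virtual_name": "FILESERVER-WEST-1"},    # 17 characters
]
SHARES = [
    {"name": "Company Photos", "path": "vol1\\graphics", "comment": "Marketing images"},
    {"name": "Reports", "path": "vol1\\finance\\", "comment": ""},  # trailing backslash
]

if __name__ == "__main__":
    for finding in validate(SERVERS, SHARES):
        print(finding)
```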

5.1.11 Viewing Configuration Details

You can view details about how Novell Native File Access Protocols are configured by specifying the following commands at the server console.