5.6 File Access for Users

NSS supports access via NCP and other protocols to eDirectory users and Linux-enabled eDirectory users.

IMPORTANT: NSS uses the Novell trustee model for file access. Users must be made file system trustees and granted trustee rights to data on the NSS volume that you want them to be able to access. Rights management can be done in multiple management tools, including iManager, Novell Remote Manager, the Novell Client and other NCP services, and command line commands. For information, see Section 20.1, Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes.

5.6.1 NCP

NCP (NetWare Core Protocol) is the default protocol for accessing data on NSS volumes. NCP Server is required for NSS even if users access the volume via other protocols. Users access data on NSS volumes by using the Novell Client software on their Windows, Vista, or Linux workstations. This document refers collectively to those workstations as “Novell clients”.

NCP Server is installed by selecting NCP Server and Dynamic Storage Technology from the OES Services menu in the YaST installation interface. For information about NCP Server, see the OES 11 SP2: NCP Server for Linux Administration Guide.

NCP Server works with NetIQ eDirectory, the Novell Client, and other NCP-based services such as NetStorage to authenticate and manage user sessions. When NCP Server is running, eDirectory users who have been granted file system trustee access can access an NSS volume with the Novell Client or NCP services. NSS cooperates with NCP Server to track file ownership and file system trustee assignments, trustee rights, and inherited rights based on the Novell trustee model.

The Linux file system interface uses UTF-8 encoding for all filenames. When accessing files with NCP, make sure to use the UTF-8 enabled NCP software that is available in the latest Novell Client.

If you are converting NSS volumes from NetWare to Linux, make sure you have resolved any UTF-8 problems before moving the volume to Linux. For information, see Supporting Mixed Language Environments with Novell NetWare (TID 10097059) in the Novell Support Knowledgebase.

For information about configuring and managing NCP Server, see the OES 11 SP2: NCP Server for Linux Administration Guide.

5.6.2 Novell AFP

NSS supports access to NSS volumes using the Novell AFP (Apple Filing Protocol). For OES 2 SP1 and later, Novell AFP for Linux is installed by selecting Novell AFP from the OES Services menu in the YaST install interface.

For information about Novell AFP, see the OES 11 SP2: Novell AFP for Linux Administration Guide.

5.6.3 Novell CIFS

NSS supports access to NSS volumes using Novell CIFS. For OES 2 SP1 and later, Novell CIFS is installed by selecting Novell CIFS from the OES Services menu in the YaST install interface.

For information about Novell CIFS, see the OES 11 SP2: Novell CIFS for Linux Administration Guide.

5.6.4 Novell Domain Services for Windows

NSS supports access to NSS volumes using Novell Domain Services for Windows (DSfW). DSfW configures Samba access for Samba/CIFS users. Administrators must export NSS volumes over Samba so that domain users (eDirectory users in the DSfW domain partition) can access NSS volumes over Samba/CIFS.

Samba/CIFS users under the domain are Linux-enabled with Linux User Management. The Domain Users group must be associated with the UNIX Workstation objects of the server (or servers if the volume is used in a cluster) where the volume is mounted in order to give the users access to the NSS volume via Samba/CIFS.

5.6.5 Samba

Because NSS controls access based on file system trustee rights, not by the POSIX permissions, Samba connections do not work until this trustee system has been configured for the Linux-enabled eDirectory users of the NSS file system. You cannot set up the ACLs and standard POSIX permissions for Samba access to an NSS volume. Instead, the Administrator user or Administrator user equivalent must set up users in eDirectory and make file system trustee assignments, grant trustee rights, and configure inherited rights masks on directories. The Samba service must also be enabled in LUM.

For information about configuring and managing Samba services for your OES 11 SP2 server, see the OES 11 SP2: Novell Samba Administration Guide.

5.6.6 SSH (Secure Shell)

You can give users SSH (Secure Shell) access to NSS volumes by Linux-enabling the users and enabling the SSH utility in Linux User Management. For information, see the OES 11 SP2: Novell Linux User Management Administration Guide.

In addition, SSH requires that the POSIX permissions on home directories be set so that the Other field has no permissions. By default, NSS sets the POSIX permissions to 0777 and SSH is disabled in Linux User Management. If you use NSS volumes for home directories and you want users to have SSH access to them, you must modify the POSIX permissions on NSS volumes to 0770. You must also enable SSH with Linux User Management.

Add the following command in the /etc/opt/novell/nss/nssstart.cfg file to turn off all of the bits corresponding to the Other field:

/PosixPermissionMask=0770

The setting applies to all NSS volumes on the server. If the volume is shared in a cluster, make sure to add the command to the nssstart.cfg file and to Linux-enable SSH on all the nodes.
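
The following shell script is an added example, not part of the OES documentation. It audits the two file-level prerequisites described in this section: that nssstart.cfg carries a /PosixPermissionMask value with no Other bits, and that no home directory still grants access to Other. The function names and the home-directory root argument are assumptions; the setting name and configuration path are the ones given above.

```bash
#!/bin/bash
# Added example, not from the OES documentation. Function names are
# hypothetical; the setting name and config path are the ones on this page.
NSS_CFG="${NSS_CFG:-/etc/opt/novell/nss/nssstart.cfg}"

# Print the octal value of the last /PosixPermissionMask line in a config
# file (spelled as on this page); return 1 if the file has no such line.
get_posix_mask() {
    local value
    value=$(sed -n 's|^[[:space:]]*/PosixPermissionMask=\([0-7]\{3,4\}\)[[:space:]]*$|\1|p' \
        "$1" 2>/dev/null | tail -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Succeed only if an octal mode grants nothing to Other.
other_bits_clear() {
    [ $(( 0$1 & 07 )) -eq 0 ]
}

# Print "mode path" for each directory directly under a home root (an
# assumed layout) whose POSIX mode still has Other bits set. Needs GNU stat.
list_other_access() {
    local dir mode
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")
        other_bits_clear "$mode" || printf '%s %s\n' "$mode" "${dir%/}"
    done
}

# Run both checks; print findings and return non-zero if any check fails.
audit_ssh_prereqs() {
    local mask offenders rc=0
    if mask=$(get_posix_mask "$1"); then
        other_bits_clear "$mask" || { echo "FAIL mask $mask leaves Other bits set"; rc=1; }
    else
        echo "FAIL no /PosixPermissionMask in $1 (NSS default is 0777)"; rc=1
    fi
    offenders=$(list_other_access "$2")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/FAIL other-access /'; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Usage: script.sh <home-root>   (audits $NSS_CFG and the given directory)
if [ "$#" -eq 1 ]; then audit_ssh_prereqs "$NSS_CFG" "$1"; fi
```

On a clustered volume, run the audit on every node, because each node reads its own nssstart.cfg.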

5.6.7 Accessing Files with Linux Services, Utilities, and Protocols

Only the root user and Linux-enabled eDirectory users who have been granted trustee access can see and access the NSS volume from a Linux interface. Users must be Linux-enabled with Linux User Management in order to use any of the standard Linux protocols, utilities, commands, services, or APIs for the NSS volume.

IMPORTANT: Any Linux service or utility that you want users to have access to must also be enabled in Linux User Management.

For information about installing and configuring Linux User Management, enabling users and groups for Linux, and enabling Linux services and utilities, see the OES 11 SP2: Novell Linux User Management Administration Guide.