IMPORTANT:Beginning with OES 2015 SP1 and NSS-AD integration support, Novell CIFS now supports Kerberos authentication for Active Directory users accessing NSS volumes. For more information, see the OES 2015 SP1: NSS AD Administration Guide.
OES supports a number of options for service access, including:
Web browsers.
File managers and applications on Linux, Macintosh, and Windows workstations.
Novell Client software.
Personal digital assistants (PDAs) and other electronic devices that are enabled for Web access.
You control which of these options can be used through the services you offer and the ways you configure those services.
This section can help you understand access control at a high level so that you can plan, implement, and control access to services. More detail about the items discussed is contained in individual service guides.
The topics that follow are:
The following sections present overviews of methods for accessing Open Enterprise Server 2015 or later services.
Figure 16-1 illustrates the access methods supported by OES 2015 SP1 services. NetIQ eDirectory provides authentication to each service.
Figure 16-1 Access Interfaces and the Services They Can Access
The interfaces available for each service are largely determined by the protocols supported by the service.
Browsers and personal digital assistants require support for the HTTP protocol.
Each workstation type has file access protocols associated with it. Linux uses NFS as its native protocol for file services access, Macintosh workstations communicate using AFP or CIFS, and Windows workstations use the CIFS protocol for file services.
Novell Client software for both Windows and Linux uses the NetWare Core Protocol (NCP) to provide the file services for which Novell is well known.
Understanding the protocol support for OES services can help you begin to plan your OES implementation. For more information, see Matching Protocols and Services to Check Access Requirements.
Because OES offers both traditional Novell access control and POSIX access control, you have a variety of approaches available to you, including combining the two models to serve various aspects of your network services.
Table 16-1 provides links to documentation that discusses OES access control features.
Table 16-1 General File System Access Control
Feature |
To Understand |
See |
---|---|---|
Access Control Lists (ACLs) on Linux |
How ACLs are supported on the most commonly used Linux POSIX file systems, and how they let you assign file and directory permissions to users and groups who do not own the files or directories. |
|
Aligning NCP and POSIX access rights |
How to approximate the Novell access control model on POSIX file systems. |
|
Directory and file attributes |
Directory and file attributes on NSS volumes. |
|
File system trustee rights |
File system trustee rights on NetWare (NSS and traditional volumes), including how file system trustee rights work. |
|
Novell trustee rights and directory and file attributes |
How to control who can see which files and what they can do with them. |
|
POSIX file system rights and attributes on Linux |
How to configure file system attributes on OES 2015 SP1 servers. |
|
Security Equivalence in eDirectory |
The concept of Security Equivalence in eDirectory. |
|
NetWare is known for its rich access control. OES makes these controls available on Linux through NSS volume support. In addition, some of the controls are available on Linux POSIX file systems through NCP volume creation. NCP volume access controls are not equivalent to NSS because they are constrained by Linux POSIX access controls, which offer only a subset of the directory and file attributes that NSS offers.
In the Novell access control model, eDirectory objects, such as users and groups, are assigned File System Trustee Rights to directories and files on NSS and NCP volumes. These trustee rights determine what the user or group can do with a directory or file, provided that the directory or file attributes allow the action.
This is illustrated in Figure 16-2.
Figure 16-2 Directory and File Access under the NetWare Access Control Model
Table 16-2 explains the effective access rights illustrated in Figure 16-2.
Table 16-2 Access Rights Explanation
eDirectory or Active Directory Users and Groups |
File System Trustee Rights |
Directory and File Attributes |
Directories and Files |
---|---|---|---|
eDirectory and AD users and groups gain access to the file system through their respective authentication mechanisms. |
File system trustee rights govern access and usage for the directory or file to which the rights are granted. Trustee rights are overridden by directory and file attributes. For example, even though Nancy has the Supervisor (all) trustee right at the directory (and, therefore, to the files it contains), she cannot delete File2 because it has the Read Only attribute set. Of course, because she has the Supervisor right, Nancy could modify the file attributes so that File2 could then be deleted. |
Each directory and file has attributes associated with it. These attributes apply universally to all trustees regardless of the trustee rights an object might have. For example, a file that has the Read Only attribute is Read Only for all users. Attributes can be set by any trustee that has the Modify trustee right to the directory or file. |
The possible actions by the users and group shown in this example are as follows:
|
Table 16-3 provides links to documentation that discusses the various NSS-specific access control features.
Table 16-3 Summary of NSS Access Control Documentation Links
Feature |
To Understand |
See |
---|---|---|
Independent Mode vs. NetWare Mode This applies only to OES servers, not NetWare. |
The difference between Independent Mode access and NetWare Mode access. |
|
POSIX directory and file attributes on NSS volumes on OES This describes what is displayed. POSIX permissions are not actually used for access control to NSS volumes. |
How NSS file attributes are reflected in Linux directory and file permissions viewable through POSIX. |
|
If you have not already determined whether to use the Novell Client on your network, we recommend that you consider the following information:
The Novell Client extends the capabilities of Windows and Linux desktops with access to NetWare and OES servers.
After installing Novell Client software, users can enjoy the full range of Novell services, such as
Authentication via NetIQ eDirectory
Network browsing and service resolution
Secure and reliable file system access
Support for industry-standard protocols
The Novell Client supports the traditional Novell protocols (NDAP, NCP, and RSA) and interoperates with open protocols (LDAP, CIFS, and NFS).
Although Novell offers services that don’t require Novell Client, (such as NetStorage, Novell iFolder 3.9.2, and iPrint), many network administrators prefer that their network users access the network through the client for the following reasons:
They prefer eDirectory authentication to LDAP authentication because they believe it is more secure.
They prefer the NetWare Core Protocol (NCP) over the Microsoft CIFS protocol because they believe that CIFS is more vulnerable to the propagation of viruses on the network.
Conversely, other network administrators are equally adamant that their users function better without the added overhead of running an NCP client on each workstation.
We can’t determine what is best for you or your network, but we do provide you with viable choices.
There are some differences between the Linux and Windows clients. These are documented in Understanding How the Novell Client for Linux Differs from the Novell Client for Windows 2000/XP
in the Novell Client 2.0 SP3 for Linux Administration Guide.
eDirectory users have access to services on OES servers just like they do on NetWare, with one additional consideration—to access some of the services, users must have Linux user credentials, such as a user ID (UID) and primary group ID (GID).
Because eDirectory users don’t have Linux user credentials by default, Novell provides the Linux User Management (LUM) technology. Users and groups who need access to the affected services, must be enabled for eDirectory LDAP authentication to the local server. For more information, see Linux User Management: Access to Linux for eDirectory Users.
Beginning in OES 2015 SP1, Novell also provides the Novell Identity Translator (NIT). For more information, see Section 1.18, Novell Identity Translator (NIT).
Active Directory users can be granted access to Novell CIFS shares on NSS volumes. The NSS AD integration service must be installed and the Novell Identity Translator must be configured to provide user IDs (UIDs) for AD users. For more information, see the OES 2015 SP1: NSS AD Administration Guide.
After you understand the access options available to your network users, you can decide which will work best on your network.
Planning tips for network services are contained in the following sections:
As you plan which file services to provide, be aware of the file service/volume and feature support limitations outlined in the following sections.
Supported combinations are outlined in Table 16-4.
Table 16-4 Service Access to Volume Types
File Service |
Linux POSIX Volumes |
NSS Volumes on Linux |
---|---|---|
AFP |
No |
Yes-Novell AFP |
CIFS |
Yes-Novell Samba |
Yes-Novell CIFS, Novell Samba |
NetStorage |
Yes |
Yes |
NetWare Core Protocol (NCP) |
Yes |
Yes |
NFS |
Yes |
Yes-NFSv3 |
Novell iFolder 2.1x |
No |
No |
Novell iFolder 3.9.2 |
Yes |
Yes |
Details about the file systems supported by each file service are explained in the documentation for the service.
Be aware that file services support different sets of access protocols. A summary of the protocols available for access to the various OES file services is presented in Matching Protocols and Services to Check Access Requirements.
Table 16-5 Features Supported on Each Volume Type
Feature |
Linux POSIX Volumes |
NSS Volumes on Linux |
---|---|---|
Directory quotas |
No |
Yes |
Login scripts |
Yes (if also defined as an NCP volume) |
Yes |
Mapped drives |
Yes (if configured as an NCP volume) |
Yes |
Novell directory and file attributes |
No |
Yes |
Purge/Salvage |
No |
Yes |
Trustee rights |
Yes (if configured as an NCP volume) |
Yes |
User space quotas |
No |
Yes |
Novell iPrint has access control features that let you specify the access for each eDirectory User, Group, or container object to your printing resources.
You can also use iPrint to set up print services that don’t require authentication.
NOTE:Access control for printers is supported only on the Windows iPrint Client.
For more information on access control and iPrint, see Setting Access Control for Your Print System
in the OES 2015 SP1: iPrint Linux Administration Guide
Figure 16-3 illustrates the access interfaces available to users in OES and the services that each interface can connect to. It also shows the protocols that connect access interfaces with network services.
To use this for planning:
Review the different access interfaces in the left column.
In the middle column, review the protocols each interface supports.
In the right column, view the services available to the interfaces via the protocols.
Figure 16-3 Access Interfaces and Services, and the Protocols That Connect Them
Because NetWare Core Protocol (NCP) is available in OES, your Novell Client users can attach to OES servers as easily as they have been able to attach to NetWare servers. In fact, they probably won’t notice any changes.
NCP Server for Linux enables support for login scripts, mapping drives to OES servers, and other services commonly associated with Novell Client access. This means that Windows users with the Novell Client installed can now be seamlessly transitioned to file services on OES. And with the Novell Client for Linux, Windows users can be moved to SUSE Linux Enterprise Desktop with no disruption in NCP file services.
For more information, see the OES 2015 SP1: NCP Server for Linux Administration Guide.
After you plan and install OES services, be sure to provide clear access instructions to your network users. For a summary of access methods, see Section D.0, Quick Reference to OES User Services.
The following sections discuss administering access to services.
Many network administrators let users administer their own passwords. For more information on password self management, see Password Self-Service
in the NetIQ Password Management Administration Guide.
Access control to Linux POSIX file systems is controlled through POSIX file system access rights or attributes associated with directories and files. In general, the directories and files can be accessed by three POSIX entities:
The user who owns the directory or file
The group who owns the directory or file
All other users defined on the system
These users and the affected group are each assigned (or not assigned) a combination of three attributes for each directory and file:
Table 16-6 Linux Access Rights
Attribute |
Effect on Directory when Assigned |
Effect on File when Assigned |
---|---|---|
Read |
Lets the user or group view the directory's contents. |
Lets the user or group open and read the file. |
Write |
Lets the user or group create or delete files and subdirectories in the directory. |
Lets the user or group modify the file. |
Execute |
Lets the user or group access the directory by using the cd command. |
Lets the user or group run the file as a program. |
For more information, see Configuring Trustees and File System Attributes
in the OES 2015 SP1: File Systems Management Guide.
The OES 2015 SP1: File Systems Management Guide contains a thorough discussion of file and directory trustee management in its Configuring Trustees and File System Attributes
section.
The following sections present brief information about managing trustees on NSS volumes.
You can use the NetStorage Web browser interface to change attributes and trustees for directories and files on NSS volumes, but you can’t change them by using a WebDAV connection to NetStorage.
You can use the iManager 2.7 Files and Folders plug-in to manage directories and files on NCP and NSS volumes. For more information, see the plug-in help.
Use the attrib command to change file and directory attributes on an NSS volume.
The attrib command is also documented in Using the Attrib Utility to Set NSS File System Attributes
in the OES 2015 SP1: File Systems Management Guide.
You can also enter the following command at the command prompt:
attrib --help
To grant NSS trustee rights to an NSS volume, enter the following command:
rights -f /full/directory/path -r rights_mask trustee full.object.context
where /full/directory/path is the path to the target directory on the NSS volume, rights_mask is the list of NSS rights, and full.object.context is the object (User or Group) in its full eDirectory context including the tree name.
For example, you might enter the following:
rights -f /data/groupstuff -r rwfc trustee mygroup.testing.example_tree
For a complete list of command options, enter rights at the command prompt.
The rights command is also documented in Using the Rights Utility to Set Trustee Rights for the NSS File System
in the OES 2015 SP1: File Systems Management Guide.
For information, see the OES 2015 SP1: NSS AD Administration Guide.