5.6 File Access for Users

NSS supports access via NCP and other protocols to eDirectory users and Linux-enabled eDirectory users.

IMPORTANT: NSS uses the Novell trustee model for file access. Users must be made file system trustees and granted trustee rights to data on the NSS volume that you want them to be able to access. Rights management can be done in multiple management tools, including iManager, Novell Remote Manager, the Novell Client and other NCP services, and command line commands. For information, see Section 22.1, Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes.

5.6.1 NCP

NCP (NetWare Core Protocol) is the default protocol for accessing data on NSS volumes. NCP Server is required for NSS even if users access the volume via other protocols. Users access data on NSS volumes by using the Novell Client software on their Windows, Vista*, or Linux workstations. This document refers collectively to those workstations as “Novell clients”.

IMPORTANT: NSS uses NCP Server by default and requires that NCP Server be running even if your users are accessing the volume via other protocols.

NCP Server for Linux is installed by selecting NCP Server and Dynamic Storage Technology from the OES Services menu in the YaST installation interface. For information about NCP Server for Linux, see the OES 2 SP2: NCP Server for Linux Administration Guide.

NCP Server for NetWare is automatically installed during the NetWare install. For information about NCP Server for NetWare, see the NW 6.5 SP8: Novell Remote Manager Administration Guide.

NCP Server works with Novell eDirectory, the Novell Client, and other NCP-based services such as NetStorage to authenticate and manage user sessions. When NCP Server is running, eDirectory users who have been granted file system trustee access can access an NSS volume with the Novell Client or NCP services. NSS cooperates with NCP Server to track file ownership and file system trustee assignments, trustee rights, and inherited rights based on the Novell trustee model.

The Linux file system interface uses UTF-8 encoding for all filenames. When accessing files with NCP, make sure to use the UTF-8 enabled NCP software that is available in the latest Novell Client. For more information, see Section 5.4.5, UTF-8 Naming Considerations in Mixed-Language Environments (NetWare).

For information about configuring and managing NCP Server, see the OES 2 SP2: NCP Server for Linux Administration Guide.

5.6.2 Novell AFP

NSS supports access to NSS volumes using the Novell AFP (Apple Filing Protocol). Novell AFP is installed automatically during the NetWare install. For OES 2 SP1 Linux and later, Novell AFP for Linux is installed by selecting Novell AFP from the OES Services menu in the YaST install interface.

For information about Novell AFP for Linux, see the OES 2 SP2: Novell AFP For Linux Administration Guide. For information about Novell AFP for NetWare, see Working with Macintosh Computers in the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) Administration Guide.

5.6.3 Novell CIFS

NSS supports access to NSS volumes using Novell CIFS. Novell CIFS for NetWare is installed automatically during the NetWare install. For OES 2 SP1 Linux and later, Novell CIFS for Linux is installed by selecting Novell CIFS from the OES Services menu in the YaST install interface.

For information about Novell CIFS for Linux, see the OES 2 SP2: Novell CIFS for Linux Administration Guide. For information about Novell CIFS for NetWare, see Working with UNIX Machines in the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) Administration Guide.

5.6.4 Novell Domain Services for Windows

NSS supports access to NSS volumes using Novell Domain Services for Windows (DSfW). DSfW configures Samba access for Samba/CIFS users. Administrators must export NSS volumes over Samba so that domain users (eDirectory users in the DSfW domain partition) can access NSS volumes over Samba/CIFS.

Samba/CIFS users under the domain are Linux-enabled with Linux User Management. The Domain Users group must be associated with the UNIX Workstation objects of the server (or servers if the volume is used in a cluster) where the volume is mounted in order to give the users access to the NSS volume via Samba/CIFS.

5.6.5 Samba

Because NSS controls access based on file system trustee rights, not by the POSIX permissions, Samba connections do not work until this trustee system has been configured for the Linux-enabled eDirectory users of the NSS file system. You cannot set up the ACLs and standard POSIX permissions for Samba access to an NSS volume. Instead, the Administrator user or Administrator user equivalent must set up users in eDirectory and make file system trustee assignments, grant trustee rights, and configure inherited rights masks on directories. The Samba service must also be enabled in LUM.

For information about configuring and managing Samba services for your OES 2 Linux server, see the OES 2 SP2: Samba Administration Guide.

5.6.6 SSH (Secure Shell)

You can give users SSH (Secure Shell) access to NSS volumes by Linux-enabling users and the SSH utility in Linux User Management. For information, see the OES 2 SP2: Novell Linux User Management Technology Guide.

In addition, SSH requires that the POSIX permissions on home directories be set so that the Other field has no permissions. By default, NSS sets the POSIX permissions to 0777 and SSH is disabled in Linux User Management. If you use NSS volumes for home directories and you want users to have SSH access to them, you must modify the POSIX permissions on NSS volumes to 0770. You must also enable SSH with Linux User Management.

Add the following command in the /etc/opt/novell/nss/nssstart.cfg file to turn off all of the bits corresponding to the Other field:

/PosixPermissionMask=0770

The setting applies to all NSS volumes on the server. If the volume is shared in a cluster, make sure to add the command to the nssstart.cfg file on all nodes and to Linux-enable SSH on all nodes.
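The following shell script is an added example, not part of the original Novell documentation. It audits an nssstart.cfg-style file for the /PosixPermissionMask setting and checks that a home directory's mode leaves the Other field empty, which is useful for confirming the setting on every cluster node. It assumes the setting sits on its own line exactly as shown above and that the last occurrence is the effective one; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the PosixPermissionMask setting described in 5.6.6.
# Assumptions: the setting is on its own line as /PosixPermissionMask=<octal>;
# if it appears more than once, the last occurrence is treated as effective.

# Print the last configured mask value, or nothing if the setting is absent.
get_posix_mask() {
    sed -n 's|^[[:space:]]*/PosixPermissionMask=\([0-7]\{3,4\}\)[[:space:]]*$|\1|p' "$1" |
        tail -n 1
}

# Return 0 if an octal mode has no bits set in the Other field.
other_bits_clear() {
    [ $(( 0$1 & 07 )) -eq 0 ]
}

# Exit status: 0 = mask present and Other field cleared,
#              1 = setting missing (NSS default of 0777 applies),
#              2 = setting present but Other bits still allowed.
check_nss_mask() {
    mask=$(get_posix_mask "$1")
    [ -n "$mask" ] || return 1
    other_bits_clear "$mask" || return 2
    return 0
}

# Return 0 if a directory's POSIX mode grants nothing to Other (GNU stat).
home_dir_ok() {
    other_bits_clear "$(stat -c %a "$1")"
}

# Constructed sample configs (not taken from a real server).
tmp=$(mktemp -d)
printf '%s\n' '/PosixPermissionMask=0770' > "$tmp/good.cfg"
printf '%s\n' '/PosixPermissionMask=0777' > "$tmp/open.cfg"
: > "$tmp/empty.cfg"

for f in good open empty; do
    rc=0
    check_nss_mask "$tmp/$f.cfg" || rc=$?
    echo "$f.cfg -> status $rc"
done
```

On a server, point check_nss_mask at /etc/opt/novell/nss/nssstart.cfg on each node and run home_dir_ok against each user's home directory on the NSS volume.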

5.6.7 Accessing Files with Linux Services, Utilities, and Protocols

Only the root user and Linux-enabled eDirectory users who have been granted trustee access can see and access the NSS volume from a Linux interface. Users must be Linux-enabled with Linux User Management in order to use any of the standard Linux protocols, utilities, commands, services, or APIs for the NSS volume.

IMPORTANT: Any Linux service or utility that you want users to have access to must also be enabled in Linux User Management.

For information about installing and configuring Linux User Management, enabling users and groups for Linux, and enabling Linux services and utilities, see the OES 2 SP2: Novell Linux User Management Technology Guide.