Administrator Tasks for Native File Access for Windows Services

Native File Access for Windows provides several ways to simplify your administration tasks and customize how Windows workstations interact with the network:

• Creating Simple Passwords for Windows Users
• Enabling Users to Change Their Simple Passwords with NetWare Remote Manager
• Understanding Synchronization of NetWare Passwords and Simple Passwords
• Specifying Contexts in the Context Search File
• Managing Network Access with ConsoleOne
• Providing Network Access to Domain Users
• Customizing the Network Environment for CIFS
• Viewing Configuration Details

Creating Simple Passwords for Windows Users

In order to take advantage of Novell^® Native File Access software, all users must have a NetWare^® User object created in eDirectory^TM.

NOTE:  A NetWare User object specifies attributes and information about which network resources the user can access. User objects are created using ConsoleOne^®. For more information, see the ConsoleOne Users Guide.

In addition, most users must also have a simple password created for them before they can access network resources using native protocols. The exception is when Native File Access for Windows software has been configured to use the Domain authentication method.

This section describes the two Windows authentication methods and password requirements and explains how to create simple passwords for Windows users.

NOTE:  For information about selecting an authentication method during the installation, see Step 4 of Installing the Software.

Windows Authentication Methods and Simple Passwords

The method that Windows workstations (using their native Common Internet File System, or CIFS, Protocol) use to authenticate to the CIFS-enabled NetWare server is determined by which authentication method was selected during installation. The two Windows authentication methods are Local and Domain.

If Local authentication is being used, each Windows user must have a simple password associated with their NetWare/NDS^® User object in order to access network resources using native protocols. However, if Domain authentication is being used, a simple password is not required. The reason is that Domain authentication uses passthrough authentication to the Windows Domain Contoller. As a result, when implementing Domain authentication, Novell Native File Access software does not support the change password feature from the client; the password must be changed using the Domain Controller User Manager tool.

In order to understand how the Novell Native File Access software incorporates the security of NetWare with the native operating system's security (such as Microsoft Networking), it is useful to first know the functionality and interrelation of the following four distinct passwords used in a mixed networking environment.

• Windows Local Password---The Windows operating system requires a username and password to log in to the computer. This password, called the local password, is stored on the computer's local hard disk.

• Windows Domain Controller Password---Windows networking uses a domain controller, which is a computer running Windows Server software that manages user access to the Microsoft network. When Windows users log in to the network using a Domain Controller, they are required to enter a username and password for authentication. This password, called the domain controller password, is stored on the domain controller computer.

• NetWare Password---To access the NetWare network, each user must have a user account created specifically for him. This account is called a User object and is stored in the Novell eDirectory data store. It consists of a NetWare username and a corresponding NetWare password.

  When the workstation is running Novell Client^TM software, users log in by entering their NetWare username (including context) and password. NetWare usernames and passwords are stored securely in the eDirectory structure on NetWare servers.

• Simple Password---The simple password is also associated with a corresponding User object and is required to provide network access from workstations which are not installed with Novell Client software. As with the NetWare password, the simple password is stored securely in eDirectory on the network.

IMPORTANT:  Remember that if Local authentication has been implemented, Windows users must have a simple password in order to access network resources using their native protocol (CIFS). However, if Domain authentication has been implemented for your server, a simple password is not required.

Two Methods for Creating Simple Passwords for Windows Users

You can create simple passwords either with ConsoleOne or NetWare Remote Manager.

Using ConsoleOne

The ConsoleOne management utility lets you create simple passwords for users one at a time by completing the following steps.

1. At the Administrator Workstation, log in as a user with the Supervisor right.

   Make sure that the Administrator Workstation meets the prerequisites described in Administrator Workstation Prerequisites.

2. Run CONSOLEONE.EXE (located in the \PUBLIC\MGMT\CONSOLEONE\1.2\BIN directory).

3. Right-click the User object and then click Properties.

4. Click the Login Methods tab and select Simple Password.

5. Create a simple password for the selected user by filling in the following fields:

   • Set Simple Password: Enter a unique password for the user.

   • Confirm Simple Password: Enter the same password for confirmation.

   NOTE:  If the simple password is different from the NetWare password, users enter the simple password when accessing the network with native protocols and they enter the NetWare password when logging in with Novell Client software.

6. Click OK.

7. Repeat Step 3 through Step 6 in order to create a simple password for each user that requires network access using Novell Native File Access software.

8. (Optional) If you want users to be able to change their own simple passwords after they log in the first time, check the Force Password Change check box.

Using NetWare Remote Manager

You can also use NetWare Remote Manager (previously known as NetWare Management Portal) to create simple passwords either for an individual user or for multiple users at once.

Accessing NetWare Remote Manager

1. In the Address field of your Web browser, enter the IP address of the server where you installed Novell Native File Access Protocols.

   If the NetWare Enterprise Web Server is installed on your server, you will have to add the port number 8008 at the end of the IP address. For example, if your Portal server's IP address were 137.65.123.11, you would enter http://137.65.123.11:8008 in the Address field of your browser.

2. At the login prompt, enter the server administrator username and password.

3. In the left frame, click Manage eDirectory > NFAP Security.

   The NFAP security page appears.

   HINT:  For more information about using NetWare Remote Manager, see the NetWare Remote Manager Administration Guide in the NetWare 6 documentation .

Creating Simple Passwords for Multiple Users

1. In the NFAP Multi-User Simple Password Set Utility section, select a method for designating which users on your network will receive simple passwords. There are two methods for selecting users:

   • To select all User objects in that particular context, enter a full context in the NDS Context field.
   • To select all User objects in the NDS tree, check the Traverse Context Tree for User Objects check box.

     NOTE:  Searching the entire NDS tree might take several minutes.

2. (Optional) If you want an automatic message to be sent to the selected users notifying them of their simple password, check the Send Password to User check box.

   IMPORTANT:  To use the Send Password to User feature, you must first use the Access Mail Notification Control Page to set up NetWare Remote Manager to perform e-mail notification.

   The Access Notification Control Page is available by clicking the configuration icon on the top of the screen.

3. Specify a common simple password for all users by checking the User Supplied Password check box and entering a password in the field provided.

4. Check the Generate Script File check box and enter a filename for the script file.

   The generated script file contains a list of users and will be processed by the utility to create the simple passwords for those users. You can choose any name for the script file.

5. (Optional) You can verify the contents of a generated script file before actually processing the script file. We recommend that you test the script file until it contains the appropriate list of users.

   1. Make sure the Process Script File check box is unchecked and then click Start.

      The contents of the script file displays in the right frame.

      
      

      IMPORTANT:  No file will be generated and you will get an error in the browser if you do not fill in a filename for the script file.

   2. If the list is what you want, go to the next step and process the script file. If the list is not correct, click the Back button on your browser, change the NDS context settings, and click Start again. Repeat this process until the script file contains the appropriate information.

6. When you are ready to process the script file, check the Process Script File check box and enter the name of the script file.

   The names in the Generate Script File and Process Script File fields must match exactly.

7. Click Start to process the script file.

   The utility creates simple passwords for all of the users listed in the script file.

Creating a Simple Password for a Single User

1. In the NFAP Single-User Simple Password Set Utility section, enter the username (including the full context) in the Username and Context field.

2. Enter the text to be used for the user's simple password in the New Password field.

3. Click Set.

IMPORTANT:  Remember to notify the user of the password.

Now that you have created simple passwords for User objects in NetWare, those users can use native protocols and familiar access methods (such as Network Neighborhood or My Network Places) to access and manipulate files on the server. When prompted to authenticate, users enter their NetWare username (without context) and their corresponding simple password.

Enabling Users to Change Their Simple Passwords with NetWare Remote Manager

You can use ConsoleOne to assign the necessary rights so that users can change simple passwords with the NetWare Remote Manager tool.

1. At the Administrator Workstation, log in as a user with the Supervisor right.

   Make sure that the Administrator Workstation meets the prerequisites described in Administrator Workstation Prerequisites.

2. Run CONSOLEONE.EXE (located in the \PUBLIC\MGMT\CONSOLEONE\1.2\BIN directory).

3. Right-click the User object and then click Trustees of This Object.

4. Select the User object and click Assigned Rights > Add Property.

5. Select the SAS:Login Configuration property from the list and click OK.

6. Click Add Property, select SAS:Login Configuration Key, and click OK.

7. Enable Compare, Read, and Write rights for both of the properties you just added to the User object.

8. Click OK > OK.

Understanding Synchronization of NetWare Passwords and Simple Passwords

Native File Access for Windows (CIFS) software allows users to change their own passwords from a client workstation. Of course, this applies only when Local authentication is being used since the Domain authentication method does not use simple passwords. When users change their simple passwords, their NetWare passwords will be affected differently, as described in the following scenarios:

• If both the NetWare password and the simple password are already the same when the user changes the simple password, the NetWare password is synchronized and both passwords remain the same.
• If the NetWare password and the simple password are not the same when the user changes the simple password, the NetWare password is not synchronized with the new simple password. The two passwords remain different.
• Whenever a user changes the NetWare password, the simple password is not synchronized with the new NetWare password. The user must separately change the simple password for the two passwords to match.

NOTE:  Password synchronization is simpler for Macintosh users. Native File Access for Macintosh (AFP) software keeps the simple password and the NetWare passwords synchronized. In other words, when a Mac user changes either password using the native client software, password synchronization is automatic and transparent.

Specifying Contexts in the Context Search File

During the installation, you specified the NDS contexts for Windows users who require access to the network. These contexts are saved in the context search file. When Windows users enter a username, the Native File Access component running on the server searches through each context in the list until it finds the correct User object.

NOTE:  In Domain mode, if User objects with the same name exist in different contexts, each user object attempts authentication in order until one succeeds with the corresponding password.

You can add or remove contexts by editing the context search file.

1. Using any text editor, edit the CIFSCTXS.CFG file stored in the SYS:\ETC directory of the server running Novell Native File Access Protocols.

2. On separate lines, enter the full contexts to search.

   For example if you had users with full NDS distinguished names such as Robert.sales.acme, Maria.graphics.marketing.acme, Sophia.graphics.marketing, and Ivan.marketing.acme, then you would enter the following contexts to the CIFSCTXS.CFG file:

   sales.acme

   graphics.marketing.acme

   marketing.acme

3. Save the file in the SYS:\ETC directory.

4. At the server console, enter CIFSSTOP to unload the current context search file.

5. Enter CIFSSTRT to load the new context search file and apply the changes.

When Windows users log in, they enter only a username and the simple password. The system finds the User object in the context specified in the CIFSCTXS.CFG file.

IMPORTANT:  Remember that users must have a simple password before they can access the network.

Managing Network Access with ConsoleOne

ConsoleOne helps you manage Novell Native File Access for each computer platform. You can create users and groups, assign and restrict rights to directories, and view the rights of specific users.

To provide rights to network access, do the following:

1. From the Administrator Workstation, log in to the NetWare server running Novell Native File Access Protocols software.

   You must use a Windows workstation that meets the prerequisites as described in Administrator Workstation Prerequisites.

2. Run CONSOLEONE.EXE located in \PUBLIC\MGMT\CONSOLEONE\1.2\BIN\.

3. Set up and manage rights as described in the ConsoleOne Users Guide .

Providing Network Access to Domain Users

You can provide access to users from an existing NT domain by importing them into NDS.

1. Configure the Novell Native File Access Protocols software for Domain authentication.

   Importing users from an NT domain is not supported in Local Mode. In Local Mode, the main NetWare^® Remote Manager page is displayed rather than the NFAP Import Users page.

2. Run NetWare Remote Manager.

   The NetWare Remote Manager is launched by entering the IP address of the server into the URL field of an Internet browser.

   See the NetWare Remote Manager Administration Guide in the NetWare 6 documentation .

3. In the left frame, click Manage eDirectory > NFAP Import Users.

4. Browse to the NDS Context that you will import the users into.

   Any time you reach a valid context for importing users, a Start button will appear.

5. Click Start to import users.

   The context that you select will be automatically written to the CIFSCTXS.TXT file, which contains all the contexts of all users.

   Status of the import is given on the interval that you select.

6. When the import is complete, click Done to clear the screen.

Customizing the Network Environment for CIFS

Administrators can customize the network environment for Windows workstations (CIFS) by using one of the following methods:

• Using ConsoleOne to Configure CIFS
• Using the CIFS.CFG File to Configure CIFS

IMPORTANT:  You can use ConsoleOne to configure CIFS only if you have installed the SP1 software on the server running Novell Native File Access Protocols. In fact, if SP1 software is installed on your server, the CIFS.CFG file will be disabled and contain a note to use ConsoleOne for configuration.

Using ConsoleOne to Configure CIFS

1. From the Administrator Workstation, log in as a user with the Supervisor right.

   Make sure that the Administrator Workstation meets the prerequisites described in Administrator Workstation Prerequisites.

2. Run CONSOLEONE.EXE (located in \PUBLIC\MGMT\CONSOLEONE\1.2\BIN\).

3. Right-click the Server object and then click Properties.

4. Click the CIFS tab and select one of the three CIFS pages: Config, Attach, or Shares.

5. Enter the desired parameters in the fields provided.

   See the page description sections below for details.

6. Click Apply to save your settings.

Config Page Parameters

The following parameter fields appear on the Config Page under the CIFS tab in ConsoleOne:

• Server Name is the name of the server running Novell Native File Access Protocols. The length can be a maximum of 15 characters. This name is displayed in Network Neighborhood. This server name must be different from the NetWare Server name.
• Comment is the comment associated with the server name discussed above. This comment is displayed when viewing details.
• WINS Address is the address of the WINS server to be used to locate the PDC, if the PDC and the server running Novell Native File Access Protocols are on different subnets.
• Unicode specifies whether Unicode character support is enabled. Unicode characters are used in double-byte languages.

  IMPORTANT:  To support Unicode, an additional file named UNINOMAP.TXT must be created and saved in the SYS:\ETC directory. When the -UNICODE value is set to On, the UNINOMAP.TXT file is used to resolve Unicode-to-ASCII "no-map" problems.

  To specify "no-map" cases in the UNINOMAP.TXT file, enter the first Unicode value to watch for and then the second value representing the ASCII replacement code. For example:

  0178 98

  20AC CC

  Save the values in the UNINOMAP.TXT file. If an unmappable character is encountered, the system uses the ASCII substitution character specified in the file.

• OpLocks is not functional in the NetWare 6 Support Pack 1 software release.
• Authentication Mode indicates the method of authentication used by Novell Native File Access Protocols. You can select either Domain or Local from the drop-down list:
  • Domain---Clients are members of a domain. A Windows domain controller performs user authentication.The username and password on the domain controller must match the username and password used to log in to the Windows workstation.
  • Local---Clients are members of a workgroup. The server running Novell Native File Access Protocols performs the user authentication. The username and password on NetWare must match the username and password used to log in to the Windows workstation.

• Authentication Workgroup Name is the domain or workgroup that the server will belong to. Workgroup and Domain can be used intergchangeably.
• Primary Domain Controller Name is the name of the PDC server. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS.
• Primary Domain Controller Address is the PDC server's static IP address. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS.

  IMPORTANT:  The address of the PDC must be static; otherwise, if the PDC reboots and the address changes, the server running Novell Native File Access Protocols will not be able to contact the PDC.

Attach Page Parameters

Use the Attach page to bind the CIFS protocol to the IP address specified.

• IP Addresses show a list of the addresses that are bound to the CIFS protocol. You can enter multiple addresses in the fields provided.

  By default, CIFS is bound to all IP addresses on the server.

Shares Page Parameters

Use the Shares page to add volumes or directories on the server to be specified as shared points and to be accessible via the Network Neighborhood.

NOTE:  If no Shares are specified, then all mounted volumes are displayed.

• Name is the name that the sharepoint is known by to the Windows computers.
• Path is the path to the server volume or directory which becomes the root of the sharepoint. This path must end with a backslash (\).
• Comment is a description for the sharepoint that appears in Network Neighborhood or My Network Places.
• Maximum Number of Connections is the number of connections allowed to the sharepoint. A zero (0) indicates an unlimited number of connections.

Using the CIFS.CFG File to Configure CIFS

1. Log in to the server running the Novell Native File Access Protocols.

2. Change to the SYS:\ETC\ directory.

3. Edit CIFS.CFG using a text editor.

   Enter the desired parameters following the rules for syntax (see the Configuration File Parameters section below for details).

4. Save the CIFS.CFG file to the same directory (SYS:\ETC).

5. Restart the server.

Configuration File Parameters

The following parameters can be set in the SYS:\ETC\CIFS.CFG file to customize the user experience for your environment.

HINT:  Any parameter can be excluded by placing a # at the beginning of the command line. If the parameter is excluded, the default value is used.

-SERVERNAME

The name of the server running Novell Native File Access Protocols. The length can be a maximum of 15 characters. This name is displayed in Network Neighborhood. This server name must be different from the NetWare Server name.

Value: 'Server_Name'

Default: None

-COMMENT

The comment associated with the server name listed above. This comment is displayed when viewing details.

Value: 'Comments'

Default: None

-AUTHENT

The method of authentication used by Novell Native File Access Protocols.

• Domain---Clients are members of a domain. A Windows domain controller performs user authentication.The username and password on the domain controller must match the username and password used to log in to the Windows workstation.
• Local---Clients are members of a workgroup. The server running Novell Native File Access Protocols performs the user authentication. The username and password on NetWare must match the username and password used to log in to the Windows workstation.

Value: Domain | Local

Default: Local

-DOMAIN

The domain or workgroup that the server will belong to.

Value: 'Domain_Name'

Default: Workgroup

-WORKGROUP

The domain or workgroup that the server will belong to. Workgroup and Domain can be used intergchangeably.

Value: 'Workgroup_Name'

Default: Workgroup

-PDC

The PDC server name and static IP address. This is needed if the PDC is on a different subnet. This option should be used only when there is a valid reason for overriding WINS or DNS.

NOTE:  The address of the PDC must be static; otherwise, if the PDC reboots and the address changes, the server running Novell Native File Access Protocols will not be able to contact the PDC.

Value: 'PDC_Name' Address

Default: None

-WINS

Address of WINS server to be used to locate the PDC, if the PDC and server running Novell Native File Access Protocols are on different subnets.

Value: IP_Address

Default: None

-ATTACH

Bind the CIFS protocol to the IP address specified. For multiple addresses, repeat the command as needed.

Value: IP_Address

Default: Bound to all addresses.

-SHARE

Allow any volumes or directories on the server to be specified as shared points and to be accessible via the Network Neighborhood. If no -SHARE line is specified (or is commented out), then all mounted volumes are displayed.

• Localpath is the path to the server volume or directory which becomes the root of the sharepoint. This path must end with a backslash (\).
• Sharename is the name by which the sharepoint is known to the Windows computers.
• Connection Limit is the number of connections allowed to the sharepoint (0 is unlimited).
• Comment is a description for the sharepoint that appears in Network Neighborhood or My Network Places.

Value: 'Localpath' 'Sharename' Connection Limit 'Comment'

Default: All mounted volumes are shared.

-UNICODE

When On (enabled), this command enables Unicode characters (used in double-byte languages).

Value: On | Off

Default: Off (disabled)

IMPORTANT:  To support Unicode, an additional file named UNINOMAP.TXT must be created and saved in the SYS:\ETC directory. When the -UNICODE value is set to On, the UNINOMAP.TXT file is used to resolve Unicode-to-ASCII "no-map" problems.

To specify "no-map" cases in the UNINOMAP.TXT file, enter the first Unicode value to watch for and then the second value representing the ASCII replacement code. For example:

0178 98

20AC CC

Save the values in the UNINOMAP.TXT file. If an unmappable character is encountered, the system uses the ASCII substitution character specified in the file.

Sample CIFS.CFG Configuration File

#This name will display in Network Neighborhood with the #following comment. 

-SERVERNAME 'NW6-NNFAP'

-COMMENT 'Server running Novell Native File Access Protocols'

#Novell Native File Access Protocols is configured to use Local #authentication.

-AUTHENT LOCAL

#The workgroup name is ONENET.

-WORKGROUP 'ONENET'

#When this volume is mounted, the local path CIFSVOL:\ will appear as a sharepoint named Graphics Volume with unlimited connections (0) and its corresponding comment.

-SHARE 'CIFSVOL:\' 'Graphics Volume' 0 'Lots of image files'

CIFS.CFG Configuration File Shortcuts

You can enter the following commands at the server console to modify the configuration file.

CIFS SHARE ADD 'localpath' 'sharename' connectionlimit 'comment' adds a new sharepoint and also adds the command to the CIFS.CFG file.

CIFS SHARE REMOVE 'sharename' removes the sharepoint and comments it out of the CIFS.CFG file.

Viewing Configuration Details

You can view details about how Novell Native File Access Protocols are configured by entering the following commands at the server console.

CIFS INFO displays operational information.

CIFS SHARE displays all active sharepoints.

CIFS SHARE sharename displays information about a specific sharepoint.