By default, the ASU server and Tru64 UNIX operating system software must authenticate a user's name and password before a user can access an ASU share. Therefore, a Windows user must have a domain user account that the ASU server uses for user authentication and a Tru64 UNIX user account that the Tru64 UNIX operating system uses for user authentication.
By default, when you create a domain user account, the ASU server automatically creates a Tru64 UNIX user account in the local /etc/passwd file if an account with the same name does not exist. The Tru64 UNIX operating system software uses the local user account information for authentication if you did not configure it to direct authentication requests to a Windows 2000 Server or to a Windows NT Server Version 4.0 as described in Section 1.1.3.
This chapter describes how to change the default ASU server behavior and how to create and manage domain user accounts and Tru64 UNIX user accounts created by the ASU server.
3.1 Domain User Account Attributes
A domain user account is the same whether you create it on an ASU server or a Windows NT server.
A domain user account is made up of three categories of attributes:
Mandatory attributes for which you must provide values
Mandatory attributes that are assigned default values that you can change
Optional attributes for which you can provide values
Table 3-1 describes the mandatory domain user account attributes for which you must provide values when you create a domain user account.
Table 3-1: Mandatory Domain User Account Attributes
Attribute | Specifies | Restrictions/Default |
User name | The name of the user account | A user name must be unique. Can contain up to 20 alphanumeric characters. However, 8 or fewer is recommended because by default, this user name maps to a Tru64 UNIX user name that is limited to 8 alphanumeric characters. |
Password | The password assigned to the user account | Can contain up to 14 alphanumeric characters. |
Table 3-2 describes the mandatory attributes that are assigned default values. You can change the default value when you create a domain account.
Table 3-2: Mandatory Domain User Account Attributes
Attribute | Specifies | Possible/Default Values |
Account type | If the user account is global (for regular user accounts in this domain) or local (for user accounts on a member server that are not in the domain) | Global or local. Default: Global |
Active | If the user account is activated or deactivated | Yes or no. Default: Yes (activated) |
Country code | The language files for a user's help and error messages | A numeric value that the operating system uses for a country code. Default: 0 (same as the operating system) |
Expires | The date that the user account expires | A date or never. Default: Never |
Must change password | If the user must change password at next logon | Yes or no. Default: When using the net user command the default is no (do not force a password change). When using the User Manager for Domains GUI the default is yes (force a password change). |
Password change | If the user can change the password | Yes or no. Default: Yes (allow change) |
Password expires | If the password expires based on the maximum password age | Yes or no. Default: Yes (password expires) |
Password must change | If the user must change the password at next logon | Yes or no. Default: No (do not have to change password) |
Password required | If a user account requires a password | Yes or no. Default: Yes (requires a password) |
Primary group | The primary group for the user | Any global group to which the user belongs. Default: Domain Users |
Times | The times when the user is allowed to use the ASU server | A specified time or All. Default: All |
Workstations | Up to eight computer names from which a user can log on to the network | A comma-separated list or an asterisk (*) or no list to allow log on from any client. Default: * (all) |
Table 3-3 describes the optional attributes for which you can provide values when you create a domain user account.
Table 3-3: Optional Domain User Account Attributes
Attribute | Specifies | Possible Values |
Comment | A comment about the user's account | Can contain up to 48 alphanumeric characters enclosed in quotation marks |
Full name | A user's full name (rather than user name) | Can contain up to 256 alphanumeric characters enclosed in quotation marks |
Home directory | The pathname for the user's home directory | A path name. Default: none |
Home directory drive | A network drive letter; for example z:, to connect the user's remote home directory as a local drive. | An alpha character followed by a colon. Default: none |
Profile path | A path for the user's logon profile | A path name. Default: none |
Script path | The path to the user's login script | A path name. Default: none |
User comment | An administrative comment | Can contain up to 48 alphanumeric characters enclosed in quotation marks |
3.2 Tru64 UNIX User Accounts Created by ASU
By default, when you create a domain user account, the ASU server automatically creates a Tru64 UNIX user account (using lowercase letters) in the local /etc/passwd file if an account with the same name does not exist.
You control if and how the ASU server creates Tru64 UNIX user accounts by assigning values to registry value entries located in the following registry path:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AdvancedServer/UserServiceParameters
If the CreateUnixUser value entry is enabled, which it is by default, then how and where the ASU server creates Tru64 UNIX user accounts depends on the values assigned to other entries in the UserServiceParameters registry subkey. For example, entries that define:
Whether or not the ASU server creates a Tru64 UNIX user account using the same case that you entered to create a domain user account
The default user account and login attributes that are assigned to all Tru64 UNIX user accounts created by the ASU server
How the ASU server creates Tru64 UNIX user account home directories
If the ASU server creates Tru64 UNIX user accounts in the local /etc/passwd file or in a Network Information Service (NIS) database
If a user's Tru64 UNIX user account password is automatically synchronized to their domain user account password when the user changes their domain user account password
The following sections describe some of the registry value entries that affect the setup and behavior of Tru64 UNIX user accounts that are created by the ASU server. See Section B.1.9 for a complete list of registry value entries that affect how the ASU server creates Tru64 UNIX user accounts.
3.2.1 ASU and Tru64 UNIX User Account Attributes
By default, the ASU server creates a Tru64 UNIX user account using the same name in lowercase letters as the domain user account. However, domain user account names can contain up to 20 characters; the maximum number of characters for a Tru64 UNIX user account is 8. If a domain user account name exceeds 8 characters, then the ASU server creates a Tru64 UNIX user account using the first 6 characters and substitutes random characters for the last 2 characters. For example, if a domain user account name is longusername, then the corresponding Tru64 UNIX user account that the ASU server creates might be named longush3.
If you are using Tru64 UNIX for user account authentication, then you must set Tru64 UNIX passwords for users before they can log in to the Tru64 UNIX system.
Table 3-4 describes the registry value entries that affect how the ASU server creates Tru64 UNIX user accounts.
Table 3-4: User Account Value Entries
Entry | Specifies/Default |
Exclude | A range of Tru64 UNIX user IDs that the ASU server cannot assign. If the ASU server attempts to create a Tru64 UNIX account with a name that matches a user ID in the exclude list, then the ASU server generates a new Tru64 UNIX user account. Default: 0 - 100 |
ForceUniqueUnixUserAccount | Whether to automatically assign an existing Tru64 UNIX user account if one exists when the ASU server creates a Tru64 UNIX user account, or to create a unique Tru64 UNIX user account. Default: 0 (Assign existing accounts) |
NewUserShell | The login shell for new Tru64 UNIX user accounts. Set this key to /bin/false to prevent users from logging in to the Tru64 UNIX system. Default: /bin/sh |
| Whether or not the ASU server creates Tru64 UNIX user accounts using the same case that you enter to create domain user accounts. Default: 0 (do not preserve the case; create Tru64 UNIX user accounts using lowercase letters) |
| Specifies the comment associated with the USERS shared directory. Default: Users Directory |
You use a registry editor to change the values of these entries. For example, follow these steps to use the regconfig editor to change the UserRemark entry to display ASU user home directories. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Change the text associated with the UserRemark entry to ASU user home directories by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
UserRemark REG_SZ 'ASU user home directories'
Restart the ASU server by entering the following commands:
# net stop server
# net start server
3.2.2 ASU and Tru64 UNIX User Account Home Directories
Table 3-5 describes the registry value entries that define how the ASU server affects Tru64 UNIX user directories:
Table 3-5: User Directory Value Entries
Entry | Specifies/Default |
| Whether or not the ASU server creates a user's Tru64 UNIX home directory when it creates a Tru64 UNIX user account. Default: 1 (create Tru64 UNIX home directory) |
| Whether or not the ASU server deletes a user's Tru64 UNIX home directory when it deletes the Tru64 UNIX user account. Note: The ASU server only deletes Tru64 UNIX user accounts that it created. Default: 0 (do not delete home directories) |
| Whether or not the ASU server creates Tru64 UNIX user home directories in a one-letter subdirectory that corresponds to the first letter of the user name. For example, whether or not the Tru64 UNIX home directory for a user named peter is created as |
| Whether or not the ASU server changes the Tru64 UNIX home directory of a user account if the home directory of the associated domain user account changes. Default: 0 (do not synchronize home directories) |
You use a registry editor to change the values of these keys. For example, follow these steps to use the regconfig registry editor to delete a user's Tru64 UNIX home directory when you delete their domain user account. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Enable the DeleteUnixHomeDirectory entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
DeleteUnixHomeDirectory REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
3.2.3 Local or NIS Tru64 UNIX User Accounts
By default, the ASU server creates Tru64 UNIX user accounts in the local /etc/passwd file. If the Tru64 UNIX system is configured as the ASU PDC and the network information service (NIS) master, you can configure the ASU server to use NIS when creating Tru64 UNIX user accounts.
Table 3-6 describes the registry value entries that specify if the ASU server creates Tru64 UNIX user accounts with NIS.
Table 3-6: User Account NIS Value Entries
Registry Value Entry | Specifies/Default |
| Whether or not the ASU server uses NIS to create Tru64 UNIX user accounts. Enable this value entry only on a Tru64 UNIX system that is configured as an ASU PDC and as a NIS master. Default: 0 (not enabled) |
| The directory path to the NIS password file. Default: |
Use a registry editor to change the values of these entries. For example, follow these steps to use the regconfig registry editor to enable the ASU server to use NIS when creating Tru64 UNIX user accounts. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Ensure that the ASU server is configured as the PDC. To display the role of the ASU server, enter:
# net computer
See Chapter 1 if you need to reconfigure the role of the ASU server.
On the PDC, ensure that the system is the NIS master. To display and change a system's NIS configuration, enter:
# nissetup
On the PDC, enable the UseNIS entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters UseNIS REG_DWORD 1
On the PDC, display the value of the NISPasswordFile entry and, if necessary, change the value. To display the value of the NISPasswordFile entry, enter:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters NISPasswordFile
On BDCs, ensure that the CreateUnixUser entry is disabled so that it does not create Tru64 UNIX user accounts. To display the value of the CreateUnixUser entry, enter:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters CreateUnixUser
To disable the CreateUnixUser entry, enter:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
CreateUnixUser REG_DWORD 0
On each system for which you changed a registry value, restart the ASU server by entering the following commands:
# net stop server
# net start server
3.2.4 Tru64 UNIX and Domain Password Synchronization
The ASU software associates the domain and Tru64 UNIX user accounts; however, the accounts are independently stored and managed and users can set different passwords for each account. To coordinate user passwords, the ASU software provides the following options:
The SyncUnixPassword registry entry
The SyncUnixPassword registry entry specifies whether or not Tru64 UNIX user passwords are synchronized to their domain user account password when their domain password is changed.
The Change Password utility
The Change Password utility is a Windows-based interface that you install on a Windows system to allow users to set their domain user account and Tru64 UNIX user account or NIS passwords at the same time.
3.2.4.1 Enabling the SyncUnixPassword Entry
To configure the ASU server to synchronize passwords, you must enable the SyncUnixPassword entry. If the UseNIS entry is enabled, the ASU server synchronizes Tru64 UNIX passwords in the file defined by the NISPasswordFile entry. Otherwise, the ASU server synchronizes passwords in the local /etc/passwd file. See Section 3.2.3 for more information on NIS.
The Tru64 UNIX user account must have a valid password. For example, the ASU server will not synchronize a Tru64 UNIX password of NoLogin or asterisk (*). You must use Tru64 UNIX commands or utilities to change the password to a valid Tru64 UNIX password.
Follow these steps to use the regconfig registry editor to configure the ASU server to synchronize Tru64 UNIX passwords to domain user account passwords. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
On the PDC, enable the SyncUnixPassword registry entry. To enable the SyncUnixPassword registry entry, enter:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
SyncUnixPassword REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
3.2.4.2 Installing the Change Password Utility
You install the Password Management utility independently of the Windows Administrative interfaces.
Follow these steps to install the Change Password utility on a system running the Windows operating system software:
On the Tru64 UNIX system, ensure that the Client-based Advanced Server Administration Tools subset is installed. To display installed ASU subsets, enter:
# setld -i | grep ASU | grep -v not | grep installed
Look for the ASUADMnnn (nnn reflects the current ASU version) subset in the output. If ASUADMnnn is displayed, the subset is installed. Otherwise, you must install the ASUADMnnn subset. See Section 1.3 for information on installing ASU subsets.
Connect a network drive to the astools disk share.
Select the asdupass folder.
Change to the i386 directory.
Run the setup.exe program and follow the instructions on the screen.
3.2.4.2.1 Using the Password Management Utility on a Windows 95 System
The Password Management utility is integrated with the Windows 95 password utility. Follow these steps to use the Change Password utility:
Start the Password Management utility by selecting the Passwords icon from the Control Panel.
The Password Properties dialog box is displayed.
Click on the Change Other Passwords... button.
The Select Password dialog box is displayed.
Select either the ASDU UNIX or NIS password option to change your Tru64 UNIX or NIS password, or select the Microsoft Networking option to change your domain user account password, and click on the Change... button.
With either option, a Change Password dialog box is displayed.
Enter your old, new, and confirmed new passwords in the Change Password dialog box.
See the Password Management utility online help for more information about the Password Management utility.
3.2.4.2.2 Using the Password Management Utility on a Windows NT System
Follow these steps to start the Password Management utility on a system running the Windows NT operating system software:
Expand the Programs option from the Start button.
Select the ASDU Password option to start the Password Management utility.
Enter your old and new passwords in the password fields, then choose the account to which you want to apply the change and click on:
The Setup... button next to the Windows section to change the domain user account password.
The Setup... button next to the UNIX section to change the Tru64 UNIX or NIS password.
In either case a dialog box is displayed in which users supply specific user and server information.
See the Password Management utility online help for more information about the Password Management utility.
3.3 Disabling ASU from Creating Tru64 UNIX User Accounts
You can configure the ASU server to not create Tru64 UNIX user accounts when you create domain user accounts. This is recommended if you are running NIS and the ASU server is configured as a BDC.
Follow these steps to use the regconfig registry editor to configure the ASU server to not create Tru64 UNIX user accounts. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Disable the CreateUnixUser entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
CreateUnixUser REG_DWORD 0
Restart the ASU server by entering the following commands:
# net stop server
# net start server
If you disable the CreateUnixUser entry, you can follow these steps to use the regconfig registry editor to enable the MapExistingUnixUser entry to map a newly created domain user account to an existing Tru64 UNIX user account with the same name in lowercase letters. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Enable the MapExistingUnixUser entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
MapExistingUnixUser REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
3.4 Creating a Domain User Account
You can use either of the following interfaces to create a domain user account:
The net user command with the /add option
The User Manager for Domains GUI
You can also use the following Tru64 UNIX interfaces to create a domain user account when you create a Tru64 UNIX user account:
Account Manager (dxaccounts)
The useradd, usermod, and userdel commands
See System Administration for more information on creating domain user accounts using Tru64 UNIX interfaces.
Caution
On a Tru64 UNIX Version 5.0 or higher system, a lock file called /etc/.AM_is_running prevents you from using two different interfaces (or two instances of the same interface) at the same time. This might happen in large environments in which many administrators are managing user accounts. If the lock file exists, only one process can access the system files that relate to user and group data. If you attempt to invoke a second instance of any Tru64 UNIX account management interface, an error message informs you that the data file is locked. If the lock file exists, neither the net command nor the User Manager for Domains GUI informs you about the presence of the lock file, and only the domain user account is created. The associated Tru64 UNIX user account is not created. A message indicating that the associated Tru64 UNIX user account was not created or a lock file error message is displayed. When using the net command or the User Manager for Domains GUI, you must check the /etc/passwd file to verify that the associated Tru64 UNIX user account was created.
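One way to carry out the /etc/passwd check that the Caution calls for, as an added example that is not part of the ASU documentation. It assumes the default naming rule from Section 3.2.1 (lowercase name; a name longer than 8 characters is stored as its first 6 characters plus 2 random characters); the function names and the sample passwd lines are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the ASU documentation.
# After `net user NAME ... /add`, confirm that a Tru64 UNIX account exists for NAME.
# Assumption: default settings, so the UNIX name is the domain name in lowercase,
# and a domain name longer than 8 characters becomes its first 6 characters
# plus 2 random characters (Section 3.2.1).

# find_unix_account DOMAIN_USER [PASSWD_FILE]
# Prints "kind name uid shell" for each match; returns 1 when nothing matches.
#   exact      the lowercase name is present as-is
#   candidate  an 8-character name that shares the 6-character stem; this is
#              not proof of the pairing, so confirm it with mapuname
find_unix_account() {
    awk -F: -v name="$1" '
        BEGIN {
            lname = tolower(name)
            truncated = (length(lname) > 8)
            stem = substr(lname, 1, 6)
            found = 0
        }
        /^#/ || NF < 7 { next }            # skip comments and malformed lines
        !truncated && $1 == lname {
            print "exact", $1, $3, $7; found = 1
        }
        truncated && length($1) == 8 && substr($1, 1, 6) == stem {
            print "candidate", $1, $3, $7; found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "${2:-/etc/passwd}"
}

# Constructed sample in passwd layout; not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:*:0:1:system PRIVILEGED account:/:/bin/sh
peter:*:205:15:Peter:/usr/users/peter:/bin/sh
longush3:*:206:15::/usr/users/longush3:/bin/false
longuser:*:207:15::/usr/users/longuser:/bin/sh
EOF
}

# Demonstration on the constructed sample: one exact match, one ambiguous
# truncated name, and one account that was never created.
demo_passwd=$(mktemp)
sample_passwd > "$demo_passwd"
for user in Peter longusername jen; do
    find_unix_account "$user" "$demo_passwd" ||
        echo "no Tru64 UNIX account found for $user"
done
rm -f "$demo_passwd"
```

The last column shows the login shell, so an account created with NewUserShell set to /bin/false is easy to tell apart from one that allows Tru64 UNIX logins.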
3.4.1 Using the net user Command
You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.
Table 3-7 shows the user account attributes and the net user command option that you use to set the attribute. See Section 3.1 for more information on these attributes.
Table 3-7: Setting User Account Attributes
Attribute | net user Option |
User name | Enter the user name after the net user command |
Password | Enter the password or an asterisk (*) to be prompted for the password |
Account type | /accounttype:{global | local} |
Active | /active:{yes | no} |
Comment | /comment:"value" |
Country code | /countrycode:value |
Expires | /expires:{date | never} |
Full name | /fullname:"value" |
Home directory | /homedir:pathname |
Home directory drive | /homedirdrive:letter |
Must change password | /passwordmustchg:{yes | no} |
Password required | /passwordreq:{yes | no} |
Password change | /passwordchg:{yes | no} |
Password expires | /passwordexp:{yes | no} |
Primary group | /primarygroup:[groupname] |
Profile path | /profilepath:[pathname] |
Script path | /scriptpath:[pathname] |
Times | /times:{times | all} |
User name | /username:"new_name" |
User comment | /usercomment:"text" |
Workstation | /workstations:{computername[,...] | *} |
To create a domain user account named peter and a password of temporary, enter:
# net user peter temporary /add
To create a domain user account named peter and be prompted for the password, enter:
# net user peter \* /add
Enter the following command to create a domain user account named peter with a password of temporary, a comment of Office 3C, and force the user to change the password when first connecting to an ASU share. The backslash (\) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
# net user peter temporary /comment:"Office 3C" \
/passwordmustchg:yes /add
3.4.2 Using the User Manager for Domains
Follow these steps to create a domain user account using the User Manager for Domains GUI:
Start the User Manager for Domains GUI (usrmgr.exe).
You must install the User Manager for Domains GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.
The main User Manager for Domains window is displayed.
From the User menu, choose Select Domain.
The Select Domain dialog box is displayed.
Choose the name of the domain in which you want to create the account by either entering the name in the Domain: field or by browsing and clicking on the domain name in the Select Domain: window.
A dialog box is displayed that shows user account names in the domain.
Choose New User from the Users menu.
A New Users dialog box displays where you enter user information as shown in the following figure:
Enter the user name, password, and other user account attributes in the appropriate fields. Click on the Groups, Profiles, Hours, Logon To, Account, or Dialin button to provide information for those related attributes.
Click on the Add button to create the user account.
3.5 Domain and Tru64 UNIX User Account Mapping
The ASU server stores the mapping of a user's domain user account to their corresponding Tru64 UNIX user account. By default, one domain user account is mapped to one Tru64 UNIX user account. You can map one or many domain user accounts to a Tru64 UNIX user account. You cannot map a domain user account to multiple Tru64 UNIX user accounts.
The following are special mappings of domain user accounts to Tru64 UNIX user accounts:
The domain administrator's user account is mapped to the Tru64 UNIX lmxadmin user account and is assigned the user ID of 200.
The domain guest user account is mapped to the lmxguest Tru64 UNIX user account and is assigned the user ID of 201.
A domain user account that is not mapped to a specific Tru64 UNIX user account, or an account from a trusted domain that is not mapped to a local Tru64 UNIX user account, is mapped to the lmworld Tru64 UNIX user account and is assigned the user ID of 202.
The ASU server assigns the lmxadmin, lmxguest, and lmworld Tru64 UNIX user accounts the next available user ID if 200, 201, or 202 are assigned to other accounts.
You use the mapuname command to view and change the mapping between a user's domain user account and their corresponding Tru64 UNIX user account.
To display domain user account to Tru64 UNIX account mappings, enter:
# mapuname
Information similar to the following is displayed that shows the mappings for the built-in accounts and the user accounts in a domain. In the following example, the domain is called asudoc.dom.
Builtin:Account Operators lmxadmin
asudoc.dom:john john
asudoc.dom:evan evan
asudoc.dom:Administrator lmxadmin
Builtin:Server Operators lmxadmin
:SYSTEM root
asudoc.dom:sam sam
asudoc.dom:stan stan
asudoc.dom:peter peter
asudoc.dom:Domain Admins lmxadmin
Builtin:Print Operators lmxadmin
Builtin:Guests lmxguest
asudoc.dom:Domain Guests lmxguest
asudoc.dom:Guest lmxguest
Builtin:Administrators lmxadmin
Builtin:Backup Operators lmxadmin
Follow these steps to change the mapping between a domain user account and a Tru64 UNIX user account:
Delete the current mapping. To delete the current mapping for a user named peter, enter:
# mapuname -d peter
Add the new mapping. To map peter's account to the lmxadmin Tru64 UNIX account in a domain called asudoc.dom, enter:
# mapuname -a asudoc.dom:peter lmxadmin
Instruct the user to disconnect and reconnect to shares to effect the change. To verify that the user is disconnected, enter:
# net session \\pc_name
In this example, \\pc_name is the name of the user's system. A user is disconnected if a message indicates that there are no sessions for the computer.
See mapuname(8) for more information on the mapuname command.
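Because a remapping such as the one above gives a domain account the file access of lmxadmin, it is worth reviewing the mapping table periodically. The following added example (not part of the ASU documentation) scans saved mapuname output for principals mapped to lmxadmin or root that the sample listing in this section does not show there. It assumes one mapping per line with the Tru64 UNIX account as the last field; the function names and the allow-list variable are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the ASU documentation.
# Review saved `mapuname` output for domain principals that resolve to a
# privileged Tru64 UNIX account. Assumption: one mapping per line, with the
# Tru64 UNIX account as the last white-space-separated field.

# Principals that the sample output in Section 3.5 maps to lmxadmin or root.
# Anything else mapped to those accounts is reported for review.
EXPECTED_PRIVILEGED='Account Operators,Server Operators,Print Operators,Backup Operators,Administrators,Administrator,Domain Admins,SYSTEM'

# audit_mappings FILE
# Prints "principal -> unix_account" for each unexpected privileged mapping;
# returns 1 when at least one is found.
audit_mappings() {
    awk -v expected="$EXPECTED_PRIVILEGED" '
        BEGIN {
            n = split(expected, e, ",")
            for (i = 1; i <= n; i++) ok[e[i]] = 1
            privileged["lmxadmin"] = 1
            privileged["root"] = 1
            hits = 0
        }
        NF >= 2 {
            unix = $NF
            principal = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", principal)   # drop the last field
            sub(/^[ \t]+/, "", principal)
            name = principal
            sub(/^[^:]*:/, "", name)       # drop the "domain:" or "Builtin:" prefix
            if ((unix in privileged) && !(name in ok)) {
                print principal " -> " unix
                hits++
            }
        }
        END { exit (hits > 0) }
    ' "$1"
}

# Constructed sample: the listing from this section after peter has been
# remapped to lmxadmin with `mapuname -a asudoc.dom:peter lmxadmin`.
sample_mapuname_output() {
    cat <<'EOF'
Builtin:Account Operators lmxadmin
asudoc.dom:john john
asudoc.dom:evan evan
asudoc.dom:Administrator lmxadmin
Builtin:Server Operators lmxadmin
:SYSTEM root
asudoc.dom:sam sam
asudoc.dom:stan stan
asudoc.dom:peter lmxadmin
asudoc.dom:Domain Admins lmxadmin
Builtin:Print Operators lmxadmin
Builtin:Guests lmxguest
asudoc.dom:Domain Guests lmxguest
asudoc.dom:Guest lmxguest
Builtin:Administrators lmxadmin
Builtin:Backup Operators lmxadmin
EOF
}

# Demonstration on the constructed sample.
demo_map=$(mktemp)
sample_mapuname_output > "$demo_map"
audit_mappings "$demo_map" || echo "review the mappings listed above"
rm -f "$demo_map"
```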
3.6 Using Windows NT Server Version 4.0 Authentication
This section describes how users can log in to a Tru64 UNIX application and can change their passwords if you installed the ASU SIA software to configure the Tru64 UNIX operating system software to use a Windows NT Version 4.0 Server for authentication, as described in Section 1.1.3.2.
3.6.1 Logging In To a Tru64 UNIX Application
Users can log in to a Tru64 UNIX application using their domain user account information by including the name of the domain that contains their user account information and their domain user name, for example:
\\domain_name\user_name
The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to the domain that contains their domain user account. To specify a default domain, edit the lanman.ini file and add the following entry under the [workstation] section:
[workstation]
defaultdomain=domain_name
Replace domain_name with the name of the default domain.
The ASU SIA module checks user name and password requests. If the ASU SIA module cannot authenticate the request, the request is passed to the local Tru64 UNIX security module.
If ASU SIA authenticates the request, the domain_name is stored in the NTUSERDOMAIN environment variable and the user_name is stored in the NTUSERNAME environment variable.
A user can use either their domain or Tru64 UNIX user account name and password with the Tru64 UNIX su command using the following format:
su [-f] | [-] \\domain_name\user_name
The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to the default ASU domain. If the user omits the user_name, the default is root.
3.6.2 Specifying Only Tru64 UNIX Authentication
Users can specify only Tru64 UNIX authentication when logging in to a Tru64 UNIX application by entering a colon ( : ) before their user name, for example:
:user_name
You can specify only Tru64 UNIX authentication for a user by entering the account name in the /etc/asusiausers file. The /etc/asusiausers file is a text file that you edit to enter one user account name per line. User account names must exactly match the user account name in the /etc/passwd file. In the /etc/asusiausers file, white space is prohibited and a pound sign (#) must precede a comment line. By default, the /etc/asusiausers file contains the root account.
A user whose Tru64 UNIX user account name is in the /etc/asusiausers file must log in to a UNIX application using the following format:
\\domain_name\user_name
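The format rules for /etc/asusiausers are easy to break with a stray space or a name typed in the wrong case. The following added example (not part of the ASU documentation) checks a copy of the file against the rules stated above. The function names and sample data are constructed; treating an empty line or a carriage return as prohibited white space is an assumption.

```sh
#!/bin/sh
# Added example, not from the ASU documentation.
# Lint a copy of /etc/asusiausers against the rules in Section 3.6.2:
#   - one user account name per line
#   - white space is prohibited
#   - a comment line starts with a pound sign (#)
#   - each name must exactly match an account name in /etc/passwd
# Assumption: empty lines and carriage returns count as white space.

# check_asusiausers [USERS_FILE] [PASSWD_FILE]
# Prints one finding per line; returns 1 if any finding was printed.
check_asusiausers() {
    awk -v pw="${2:-/etc/passwd}" '
        BEGIN {
            # Load every account name from the passwd file, case-sensitively.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                known[f[1]] = 1
            }
            close(pw)
            bad = 0
            has_root = 0
        }
        /^#/ { next }                                   # comment line
        $0 == "" {
            printf "line %d: empty line\n", FNR; bad = 1; next
        }
        /[ \t\r]/ {
            printf "line %d: white space in entry\n", FNR; bad = 1; next
        }
        !($0 in known) {
            printf "line %d: \"%s\" has no exact match in passwd\n", FNR, $0
            bad = 1; next
        }
        $0 == "root" { has_root = 1 }
        END {
            if (!has_root) {
                print "note: root is not listed (the default file lists it)"
                bad = 1
            }
            exit bad
        }
    ' "${1:-/etc/asusiausers}"
}

# Constructed sample files; not taken from a real system.
sample_asusiausers() {
    printf '%s\n' '# accounts that use only Tru64 UNIX authentication' \
        'root' 'peter ' 'Peter' 'longusername'
}
sample_passwd_for_lint() {
    printf '%s\n' 'root:*:0:1:system PRIVILEGED account:/:/bin/sh' \
        'peter:*:205:15:Peter:/usr/users/peter:/bin/sh' \
        'longush3:*:206:15::/usr/users/longush3:/bin/sh'
}

# Demonstration on the constructed samples.
demo_users=$(mktemp)
demo_pw=$(mktemp)
sample_asusiausers > "$demo_users"
sample_passwd_for_lint > "$demo_pw"
check_asusiausers "$demo_users" "$demo_pw" || echo "asusiausers needs correction"
rm -f "$demo_users" "$demo_pw"
```

The third sample entry fails on a trailing space, the fourth on case, and the fifth because the ASU server stored the long domain name under a shortened Tru64 UNIX name.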
3.6.3 Changing Passwords
Users change their domain or Tru64 UNIX password by entering the Tru64 UNIX passwd command with the name of the domain that contains their user account information and their user name, for example:
passwd '\\domain_name\user_name'
The single quotes surrounding the domain and user names are necessary to prevent a shell from interpreting the backslash as an escape character.
The double backslashes (\\) are optional. Users can omit the \\domain_name if they are logged in to their ASU domain. If the user omits the user_name, the default name is the value in the NTUSERNAME environment variable. If the NTUSERNAME is not set, the default name is the associated Tru64 UNIX user account name.
The user is either prompted for password information or a menu is displayed from which users choose a password to change. The menu is displayed if the user's name is recognized by more than one security module. Users choose ASU to change a domain password or BSD to change a Tru64 UNIX password.
3.7 Deleting a Domain User Account
To delete a domain user account you can use either:
The net user command with the /delete option. For example, to delete a domain user account named peter, enter:
# net user peter /delete
The User Manager for Domains GUI. Follow these steps to delete a user account:
Start the User Manager for Domains GUI (usrmgr.exe).
You must install the User Manager for Domains GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.
The main User Manager for Domains window is displayed.
From the User menu, choose Select Domain.
The Select Domain dialog box is displayed.
Choose the name of the domain in which you want to delete the account by either entering the name in the Domain: field or by browsing and clicking on the domain name in the Select Domain: window.
A dialog box is displayed that shows the user account names in the domain.
Click on a user account name.
Choose Delete from the User menu.
3.8 Grouping Domain User Accounts
To ease administration, you can group domain user accounts and administer the group as one unit. Users added to a group become members of the group and immediately acquire the rights and permissions granted to the group. Changes made to the group affect each member.
Like user accounts, ASU and the Tru64 UNIX operating system software maintain separate repositories for group information. However, there is no mapping between ASU groups and Tru64 UNIX groups.
By default, a domain user account is a member of the Windows Everyone group and the Domain Users group. You cannot administer, that is, add users to or remove users from, the Everyone group. You can administer the Domain Users group or any other group that you create. Tru64 UNIX user accounts created by the ASU server are members of the Tru64 UNIX users group.
Certain ASU files are assigned DOS attributes. The ASU server uses the Tru64 UNIX group field and group numbers 91 through 99 to store DOS attributes. If, during the ASU installation, group numbers 91 to 99 are available, then the ASU server creates the following entries in the /etc/group file:
DOS----::99:
DOS-a--::98:
DOS--s-::97:
DOS---h::96:
DOS-as-::95:
DOS-a-h::94:
DOS--sh::93:
DOS-ash::92:
Other::91:
If, during the ASU installation, the group numbers 91 to 99 are not available, then the ASU server selects the next available range of group numbers and assigns them to the DOS attribute entries.
3.8.1 Creating and Administering a Domain Group
To create a domain group you must create the group, then add domain user accounts to the group. To create a domain group, you can use either:
The net group command with the /add option
The User Manager for Domains GUI
Enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.
To create a group called project1, enter:
# net group project1 /add
To add the peter, jen, mike, and sue domain user accounts as members to the project1 group, enter:
# net group project1 peter jen mike sue /add
To view project1 group information, enter:
# net group project1
3.8.1.2 Using the User Manager for Domains
Follow these steps to use the User Manager for Domains:
Start the User Manager for Domains GUI (usrmgr.exe).
You must install the User Manager for Domains GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.
The main User Manager for Domains window is displayed.
Choose Select Domain... from the User menu.
The Select Domain dialog box is displayed.
In the Domain: field, enter the name of the domain in which you want to create the group and click on the OK button.
The User Manager main window is displayed. The top half of the window displays user names, the bottom half displays group names.
Choose New Global Group from the User menu. The New Global Group box is displayed.
Enter the name of the group and an optional group description. To add members to the group, click on a name in the Not Members window then click on the Add button, as shown in the following figure:
To delete a domain group, you can use either:
The net group command with the /delete option
The User Manager for Domains GUI
Enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.
To delete the project1 group, enter:
# net group project1 /delete
3.8.2.2 Using the User Manager for Domains
Follow these steps to use the User Manager for Domains:
Start the User Manager for Domains GUI (usrmgr.exe).
Install the User Manager for Domains GUI on the Windows NT system from which you will administer the ASU server. See Section 1.8 for information on installing the User Manager for Domains GUI.
The User Manager for Domains window is displayed.
Choose Select Domain... from the User menu.
The Select Domain dialog box is displayed.
In the Domain: field, enter the name of the domain in which you want to delete the group and click on the OK button.
The User Manager main window is displayed. The top half of the window displays user names, the bottom half displays group names.
Click on the name of the group that you want to delete.
Choose Delete from the User Menu.