You can share the following types of file systems as disk shares with domain users:
Advanced File System (AdvFS)
UNIX File System (UFS)
Network File System (NFS)
CDROM File System (CDFS), read only
This chapter describes how to share file systems with domain users.
4.1 Default Disk Share Attributes
You control how the ASU server creates disk shares by assigning values to registry value entries located in the following registry path:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters
Entries in this path define:
Whether or not the ASU server automatically creates a disk share for file systems exported through network file system (NFS)
Whether or not Tru64 UNIX permissions are checked before a user can access files and directories in a disk share
Whether or not the ASU server uses Tru64 UNIX groups or DOS groups
How the ASU server applies NTFS ACLs
See Section B.1.2 for a complete list of registry entries that affect disk shares.
4.1.1 Disk Shares Created By ASU for NFS Exported File Systems
By default, the ASU server automatically creates a disk share for NFS exported file systems. The ASU server creates the disk share using:
The name of the exported file system as the disk share name.
The path in the /etc/exports file, which is converted to DOS format and preceded with c: as the path to the disk share. For example, if the /etc/exports entry is /home/nfs/usr/src, then the ASU server uses c:\home\nfs\usr\src as the path to the disk share.
If a disk share exists with the same name as the exported resource but with a different path, a new disk share is created with an underscore followed by a numeric counter appended to the disk share name. For example, if the entry in the /etc/exports file is /home/nfs/usr/src and a disk share called src exists but with a different path, then the ASU server creates a disk share called src_0 with a path of c:\home\nfs\usr\src. The ASU server does not create a new disk share if a disk share exists with the same name and path as the exported resource.
The number of users that can access the share is set to no limit.
4.1.1.1 Converting NFS Permissions
The following table describes how the ASU server converts NFS permissions to disk share permissions:
NFS Permission | Disk Share Permission |
Read (r) and Write (w) | Full Access |
Not specified | Full Access |
Read Only (ro) | Read and Execute (for the specified list of clients). |
None | No Access |
The following table provides examples of how the ASU server converts NFS permissions to disk share permissions:
NFS Permission | Disk Share Permission |
/usr/local | Full Access for all clients |
/usr/local -ro client1 | Read and Execute for client1 and No Access for all other clients |
/usr/local client1 client2 client3 | Full Access for client1, client2, and client3 and No Access for all other clients |
/usr/local -rw=client1 | Full Access for client1 and Read and Execute for all other clients |
/usr/local -access=client1:10.0.0.10 | Full Access for client1 from 10.0.0.10 and No Access for all other clients |
The ASU server does not create a share for NFS mount points with the following NFS permissions:
/usr/local -root=0 client1
/usr/local -root=client1
/usr/local -anon=0
Entries that contain NIS netgroups names
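The naming and conversion rules above can be applied to an exports file ahead of time to see which entries become shares and which of those end up Full Access for every client. The following Python example is added here and is not ASU code: the function names, the sample exports lines, the existing share, and the caller-supplied netgroup set are assumptions, the counter is assumed to keep increasing past _0, and only the entry forms shown in the tables are handled.

```python
import posixpath

FULL, RX, NONE = "Full Access", "Read and Execute", "No Access"

# Constructed sample exports content; paths and host names are illustrative.
SAMPLE_EXPORTS = """\
/usr/local
/home/nfs/usr/src -ro client1
/data/build client1 client2
/proj/docs -rw=client1
/secure -access=client1:10.0.0.10
/export/root -root=client1
/export/anon -anon=0
/export/team engineering
"""


def dos_path(path):
    # /home/nfs/usr/src -> c:\home\nfs\usr\src
    return "c:" + path.replace("/", "\\")


def skip_reason(options, clients, netgroups):
    """Return why no share is created for this entry, or None."""
    for opt in options:
        if opt.startswith("root="):
            return "root= option"
        if opt == "anon=0":
            return "anon=0 option"
    # Netgroup names cannot be recognised from the file alone, so the
    # caller passes the known names in (assumption of this example).
    names = clients + [o.split("=", 1)[1] for o in options if "=" in o]
    if any(n in netgroups for n in names):
        return "NIS netgroup name"
    return None


def map_permissions(options, clients):
    """Return (listed, perm_for_listed, perm_for_others), or None when the
    entry is not one of the forms in the conversion tables."""
    if not options:
        return (clients, FULL, NONE) if clients else ([], None, FULL)
    if len(options) != 1:
        return None
    opt = options[0]
    if opt == "ro" and clients:
        return clients, RX, NONE
    if opt.startswith("rw=") and not clients:
        return [opt[3:]], FULL, RX
    if opt.startswith("access=") and not clients:
        return [opt[7:]], FULL, NONE
    return None


def plan_shares(exports_text, existing=None, netgroups=()):
    """existing maps share names that are already defined to their DOS paths."""
    shares = dict(existing or {})
    created, skipped = [], []
    for raw in exports_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        path = tokens[0]
        options = [t[1:] for t in tokens[1:] if t.startswith("-")]
        clients = [t for t in tokens[1:] if not t.startswith("-")]
        reason = skip_reason(options, clients, netgroups)
        perms = None if reason else map_permissions(options, clients)
        if reason is None and perms is None:
            reason = "form not covered by the conversion tables"
        if reason:
            skipped.append((path, reason))
            continue
        target = dos_path(path)
        base = posixpath.basename(path.rstrip("/"))
        name, counter = base, 0
        # Same name but a different path: append _0, _1, ...
        while name in shares and shares[name] != target:
            name = f"{base}_{counter}"
            counter += 1
        if shares.get(name) == target:
            continue  # same name and same path: no new share
        shares[name] = target
        created.append({"name": name, "path": target, "listed": perms[0],
                        "listed_perm": perms[1], "others_perm": perms[2]})
    return created, skipped


def open_to_everyone(created):
    """Shares where every client, listed or not, gets Full Access."""
    return [s["name"] for s in created if s["others_perm"] == FULL]


if __name__ == "__main__":
    made, left = plan_shares(SAMPLE_EXPORTS, {"src": "c:\\old\\src"}, {"engineering"})
    for share in made:
        print(share)
    print("skipped:", left)
    print("Full Access for all clients:", open_to_everyone(made))
```
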
4.1.1.2 Managing NFS Related Disk Shares Created by ASU
By default, when the ASU server starts, it synchronizes the ASU disk shares with NFS export entries. If an exports entry does not have a corresponding disk share, the ASU server creates the disk share. If an exports entry no longer exists or is not supported (root=0), the ASU server deletes the corresponding disk share. If the NFS permissions for an NFS export entry changed, the ASU server updates the permissions on the corresponding disk share.
You use the nfsshare command to:
Delete one or all shares related to an NFS exported file system. If a share name is supplied on the command line, only that share is deleted. For example, to delete all shares relating to NFS exported file systems, enter:
# nfsshare -d
List one or all shares related to an NFS exported file system. If a share name is supplied on the command line, only that share is listed. For example, to list all shares relating to NFS exported file systems, enter:
# nfsshare -l
Synchronize NFS exported file systems with ASU disk shares, which creates a disk share for each new NFS exported file system and removes disk shares for NFS exported file systems that no longer exist. For example, to synchronize all shares relating to NFS exported file systems, enter:
# nfsshare -s
See nfsshare(8) for more information about the nfsshare command.
4.1.1.3 Controlling the ASU Creation of NFS-Related Disk Shares
If the ShareNFSExports entry is enabled, which is the default, then the creation of ASU disk shares for NFS exported file systems depends on the values assigned to the NFS-related entries in the FileServiceParameters registry subkey. Table 4-1 describes the NFS-related registry value entries.
Table 4-1: NFS-Related Disk Share Value Entries
Entry | Description and Default Value |
NFSExportFile | Specifies the name of the NFS export file. Default: /etc/exports |
SyncNFSExports | Determines whether or not NFS exports are synchronized with disk shares when the ASU server starts. If this entry is disabled, disk shares that were created from the NFS exports are deleted. Default: 1 (synchronize at ASU server startup) |
4.1.1.4 Configuring ASU to Not Create NFS-Related Disk Shares
You can configure the ASU server to not create disk shares for NFS exported file systems.
Follow these steps to use the regconfig registry editor to configure the ASU server to not create disk shares for NFS exported file systems. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Disable the ShareNFSExports entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
ShareNFSExports REG_DWORD 0
Restart the ASU server by entering the following commands:
# net stop server
# net start server
The ASU server automatically creates the special disk shares listed in Table 4-2. The list might differ depending on the installed ASU subsets. Do not remove or modify these shares.
Table 4-2: ASU Special Disk Shares
Name of Disk Share | Contains |
ADMIN$ | Administrative utilities for remote administration. |
IPC$ | Named pipes that are used for communication with the server. |
C$ | Directories and files located on the root ( / ) file system. |
D$ | Files and libraries that are required by MS-DOS, OS/2, and Windows NT computers. |
PRINT$ | Printer drivers. |
ASTOOLS | Microsoft client-based utilities that are used to administer the ASU server from a Microsoft client. |
DOSUTIL | MS-DOS clipcach and clispool administrative commands. |
NETLOGON | Logon scripts. |
PRINTLOG | LP printer messages. |
USERS | Users' home directories. The default is the /usr/users directory. |
Disk shares with names ending with a dollar sign ($) are hidden and do not display when you browse the ASU server. You can connect to a hidden share if you specify the share name as follows:
\\servername\sharename$
4.3 Disk Share Attributes
A disk share is made up of mandatory and optional attributes.
Table 4-3 describes the mandatory disk share attributes for which you must provide values when you create a disk share.
Table 4-3: Mandatory Disk Share Attributes
Attribute | Description |
Share name | A unique name of up to 80 alphanumeric characters that users use to connect to the share. A share name cannot be: COMM, PRINT, DEV, PIPE, QUEUES, SEM, MAILSLOT, SHAREMEM. Append a dollar sign ( $ ) to a share name to make it hidden when users browse the ASU server. |
Path | The absolute path of a directory to be shared (including the drive, which is always |
Table 4-4 describes the optional attributes for which you can provide values when you create a disk share.
Table 4-4: Optional Disk Share Attributes
Attribute | Description |
Users | The maximum number of users who can simultaneously access the share. |
Remark | A comment about the share. Comments must be enclosed in quotation marks. |
To create a disk share you can use:
The lmshare command. Only the lmshare command allows you to configure on a per share basis the default Tru64 UNIX permissions for newly created files and directories in a share or whether or not the ASU server ignores Tru64 UNIX permission checking on a share. See Section 4.4.1 for more information.
The net share command. See Section 4.4.2 for more information.
The Server Manager. See Section 4.4.3 for more information.
4.4.1 Using the lmshare Command
The lmshare command prompts you for information about a share, including:
The default Tru64 UNIX permissions in octal format for newly created files and directories in the share.
Whether or not the ASU server ignores Tru64 UNIX permissions checking on the share.
See Section 4.5.3 for more information about Tru64 UNIX file and directory permissions.
To configure the ASU server to ignore Tru64 UNIX permission checking on a per share basis, the IgnoreUnixPermissions registry entry must be disabled, which it is by default.
If you enable the IgnoreUnixPermissions registry entry, the ASU server ignores Tru64 UNIX permission checking on all disk shares, regardless of the per share ignore Unix permissions setting on a share.
If you enable Tru64 UNIX quota checking, the Tru64 UNIX permissions are enforced regardless of the IgnoreUnixPermissions registry entry setting or the per share ignore Unix permissions settings.
Follow these steps to use the regconfig registry editor to disable the IgnoreUnixPermissions registry entry. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Disable the IgnoreUnixPermissions registry entry if it was enabled:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
IgnoreUnixPermissions REG_DWORD 0
If you disabled the IgnoreUnixPermissions registry entry, restart the ASU server by entering the following commands:
# net stop server
# net start server
To create a share using the lmshare command, enter:
# lmshare -a
The lmshare command prompts you for the following information about the share. Press Enter for fields whose value you do not want to change.
Sharename? test1
Type (d|p|c|i)? [d] d
Local path? /home/test1
Remark? test1
Permissions(rwcxdaps)? [rwcxda]
Per share Unix file permissions? [0] 664
Per share Unix directory permissions? [0] 777
Per share ignore Unix permissions? [0]
Maximum users? [unlimited]
Password?
Existing shares and shares not created by the lmshare command will have a default value of zero (0) for the per share Unix file and directory permissions and will have Tru64 UNIX permissions checking enabled by default.
Newly created files in shares with a zero value for the per share Unix file permissions will get the Tru64 UNIX file permissions as defined by the value of the UnixFilePerms registry entry.
Newly created directories in shares with a zero value for the per share Unix directory permissions will get the Tru64 UNIX directory permissions as defined by the value of the UnixDirectoryPerms registry entry.
To display the current per share Unix file and directory permissions for a share, enter:
# lmshare -L share_name
To set the default Tru64 UNIX file permissions for newly created files in a share, enter:
# lmshare -F share_name file_permissions
where share_name is the name of the share, and file_permissions are the Tru64 UNIX file permissions in octal format.
To set the default Tru64 UNIX directory permissions for newly created directories in a share, enter:
# lmshare -D share_name directory_permissions
where share_name is the name of the share, and directory_permissions are the Tru64 UNIX directory permissions in octal format.
To disable Tru64 UNIX permissions checking on a share, enter the following command. Connected users must reconnect to the share for the new setting to take effect.
# lmshare -I share_name 1
To enable Tru64 UNIX permissions checking on a share, enter the following command. Connected users must reconnect to the share for the new setting to take effect.
# lmshare -I share_name 0
See lmshare(8).
4.4.2 Using the net share Command
You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.
Table 4-5 shows the disk share attributes and the net share command option that you use to set the attribute.
Table 4-5: Setting Disk Share Attributes
Attribute | net share Option |
Share name | Enter the name after the net share command |
Path | Enter an equal sign (=) followed by the path after the share name |
Users | /users:# or /unlimited |
Remark | /remark:"text" |
To create a disk share called project that corresponds to the /usr/net/servers/lanman/project directory, enter:
# net share project=c:/usr/net/servers/lanman/shares/project
To create a hidden disk share, append a dollar sign ( $ ) to the share name. For example, to create a hidden share called project1 that corresponds to the /usr/net/servers/lanman/project1 directory, enter:
# net share project1$=c:/usr/net/servers/lanman/shares/project1
Hidden shares do not display when users browse the ASU server.
Note to csh Shell Users
The dollar sign ( $ ) is a special character when using the csh shell and therefore, you must precede the $ with a backslash escape character ( \ ), for example:
# net share project1\$=c:/usr/net/servers/lanman/shares/project1
To view information about all shares, including hidden shares, enter:
# net share
To view information about a specific share, enter:
# net share share_name
4.4.3 Using the Server Manager
Follow these steps to create a disk share using the Server Manager:
Start the Server Manager (srvmgr.exe).
Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.
Choose Select Domain... from the Computer menu.
The Select Domain dialog box is displayed.
In the Domain: field, enter the name of the domain in which you want to create the disk share and click on the OK button.
Choose Shared Directories... from the Computer menu.
The Shared Directories dialog box is displayed.
Click on the New Share... button.
The New Share dialog box is displayed.
Enter the disk share information as shown in the following figure:
By default, a user must pass the following levels of security before they can access a file or directory in a disk share:
Windows NT share level security
Windows NT File System (NTFS) security
Standard UNIX file and directory security
The following steps describe how permissions are checked when a user maps a drive to a disk share and requests access to a file in the disk share:
From a system running the Windows operating system software, a user connects to a disk share. By default, all users have permission to connect to a share. Access to directories and files in the share is normally controlled through NTFS permissions.
The user's Windows system provides the ASU server with authentication information about the user, including the user's name, password, and security ID.
The ASU server checks the user's name and password in the user account database.
If the ASU server authenticates the user's information, a unique ID is assigned to the user's Windows system. The Windows system must present this ID when the user makes subsequent requests to shares.
The user attempts to open a file in the share.
The ASU lmx.srv process services the user's request. Normally, the lmx.srv process runs as root, the highest Tru64 UNIX privilege level.
The lmx.srv process determines if the user has the correct Windows NT share permissions to access the share. If the permissions are not correct, the lmx.srv process returns an access denied error to the Windows system.
The lmx.srv process determines if the user has the correct NTFS permissions to access the file in the share. If the permissions are not correct, the lmx.srv process returns an access denied error to the Windows system.
The lmx.srv process determines Tru64 UNIX access based on the mapping of the domain user account to a Tru64 UNIX user account. The lmx.srv process changes its effective user ID from root to the ID of the corresponding Tru64 UNIX account and tries to open the file.
The Tru64 UNIX operating system determines if the user has the correct Tru64 UNIX permissions. If the permissions are correct, the file is opened. If the permissions are not correct, the lmx.srv process returns an access denied error to the Windows system.
The Windows NT permissions that you can set for a disk share are:
No Access, which prevents a user from accessing the disk share
Read, which allows users to:
View file and subdirectory names
Move to subdirectories
View data in files
Run application files
Change, which allows users to do everything Read allows, plus:
Add files and subdirectories
Change data in files
Delete subdirectories and files
Full control, which allows users to do everything Read and Change allow, plus:
Change Windows NT and NTFS permissions
Set Windows NT and NTFS permission to take ownership of files and subdirectories
When a directory is shared, the default is to grant the Everyone domain user group Full Control permissions.
4.5.1.1 Setting Windows NT Permissions
To view and set Windows NT share permissions, you can use:
The net perms command
Server Manager
4.5.1.1.1 Using the net perms Command
The syntax of the net perms command is:
# net perms \\sharename [/GRANT name:permissions | /CHANGE name:permissions | /REVOKE name | /TAKE]
To display the Windows NT permissions for a disk share called project1, enter:
# net perms \\project1
To set the project1 Windows NT disk share permission to read for a user named peter, enter:
# net perms \\project1 /grant peter:read
4.5.1.1.2 Using the Server Manager Utility
Follow these steps to use the Server Manager utility to set Windows NT disk share permissions:
Start the Server Manager (srvmgr.exe).
Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.
In the Server Manager window, select a computer from the list and click Shared Directories on the Computer menu.
The Shared Directories dialog box is displayed.
In the Shared Directories dialog box, select a share name and click Properties.
The Shared Properties dialog box is displayed.
Click Permissions.
To change a permission, select a group or user account in the Name window, and then select a permission from the Type of Access list.
To add a group or user account to the list of those granted permissions for this shared directory, click Add, and then complete the Add Users and Groups dialog box that appears.
To remove a group or user account on the list of those granted permissions for this shared directory, select a group or user account in the Name window, and then click Remove.
4.5.2 Windows NTFS Permissions
When you create a disk share, an entry that associates a disk share with its corresponding Tru64 UNIX directory is created in the ASU share database. The Tru64 UNIX directory is created if it does not exist.
When a domain user requests access to the directory or a file in the directory, ASU checks its access control list (ACL) file to determine if the user has NTFS permission to access the file.
A file or directory in a disk share may or may not have its own ACL. For example, if you set explicit NTFS permissions on a file, an entry is added to the ACL listing that the file has its own ACL.
If you do not set explicit permissions for a file or directory, then the file or directory inherits the ACL entry from its parent directory. If the parent directory does not have an entry in the ACL, the ASU server checks higher-level directories until it finds one that does. For example, suppose you create a disk share called projects in the /usr/net/servers/lanman/shares directory. By default, the projects directory does not have its own ACL; it inherits the ACL from its parent directory (/usr/net/servers/lanman/shares). If the parent directory ACL grants the Everyone group Read permission to subdirectories and files, then the same ACL applies to the projects subdirectory.
If you set NTFS permission on the projects subdirectory to Change for the Everyone group, then an ACL is created for the projects directory and the Everyone group has the following permissions:
Read permission for the /usr/net/servers/lanman/shares directory
Change permission for the /usr/net/servers/lanman/shares/projects directory
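The three security levels, the ACL inheritance rule above, and the IgnoreUnixPermissions precedence from Section 4.4.1 can be modelled together to see which layer denies a request. The following Python model is added here and is not ASU code: the function names, the uid/gid values, the file name plan.txt, the permission-letter sets, and the rule for combining several share-level entries (No Access wins, otherwise the highest applies) are assumptions, and only classic mode bits are modelled for the Tru64 UNIX check.

```python
import posixpath

SHARE_RANK = {"No Access": 0, "Read": 1, "Change": 2, "Full Control": 3}
NEEDED_SHARE = {"r": 1, "w": 2}     # Read views data, Change modifies it
NEEDED_NTFS = {"r": "R", "w": "W"}  # letters from the custom permission table


def resolve_acl(acl_db, path):
    """Return (path_holding_the_ACL, acl), walking up through parents."""
    current = path
    while True:
        if current in acl_db:
            return current, acl_db[current]
        if current == "/":
            return None, {}
        current = posixpath.dirname(current)


def unix_check_enforced(registry_ignore, share_ignore, quota_checking):
    """Precedence of the registry entry, per share flag and quota checking."""
    if quota_checking:       # quota checking always enforces the permissions
        return True
    if registry_ignore:      # registry entry enabled: ignored on all shares
        return False
    return not share_ignore  # otherwise the per share setting decides


def unix_allows(meta, uid, gids, want):
    """Classic owner/group/other mode-bit check for the mapped account."""
    bit = {"r": 4, "w": 2}[want]
    if uid == meta["uid"]:
        shift = 6
    elif meta["gid"] in gids:
        shift = 3
    else:
        shift = 0
    return bool((meta["mode"] >> shift) & bit)


def check_access(user, want, share, acl_db, path, meta,
                 registry_ignore=False, quota_checking=False):
    """Return (allowed, layer); layer names the check that decided."""
    principals = [user["name"]] + user["groups"]

    # 1. Windows NT share level security.
    ranks = [SHARE_RANK[share["perms"][p]]
             for p in principals if p in share["perms"]]
    if not ranks or min(ranks) == 0 or max(ranks) < NEEDED_SHARE[want]:
        return False, "share"

    # 2. NTFS security, using the nearest ACL up the directory tree.
    _, acl = resolve_acl(acl_db, path)
    granted = set()
    for p in principals:
        if p in acl:
            if acl[p] is None:  # NoAccess overrides group grants
                return False, "ntfs"
            granted |= set(acl[p])
    if NEEDED_NTFS[want] not in granted:
        return False, "ntfs"

    # 3. Tru64 UNIX security, unless checking is ignored for this share.
    if unix_check_enforced(registry_ignore, share.get("ignore_unix", False),
                           quota_checking):
        if not unix_allows(meta, user["uid"], user["gids"], want):
            return False, "unix"
    return True, "granted"


# Constructed sample data; ids, letter sets and the file name are illustrative.
SHARES_DIR = "/usr/net/servers/lanman/shares"
FILE = SHARES_DIR + "/projects/plan.txt"
PETER = {"name": "peter", "groups": ["Everyone"], "uid": 201, "gids": {15}}
META = {"uid": 200, "gid": 15, "mode": 0o644}  # owned by another account
SHARE = {"perms": {"Everyone": "Full Control"}, "ignore_unix": False}
ACL_INHERITED = {SHARES_DIR: {"Everyone": "RX"}}
ACL_OWN = dict(ACL_INHERITED, **{SHARES_DIR + "/projects": {"Everyone": "RWXD"}})


def demo():
    """peter tries to write plan.txt under four configurations."""
    ignoring = dict(SHARE, ignore_unix=True)
    return [
        check_access(PETER, "w", SHARE, ACL_INHERITED, FILE, META),
        check_access(PETER, "w", SHARE, ACL_OWN, FILE, META),
        check_access(PETER, "w", ignoring, ACL_OWN, FILE, META),
        check_access(PETER, "w", ignoring, ACL_OWN, FILE, META,
                     quota_checking=True),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```
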
The exception to the inherited ACL policy is the default home directory for users. By default, when you create a domain user account, a subdirectory with the same name is created in the /usr/users directory with an ACL that identifies the new user as the owner of the subdirectory and grants them all the NTFS permissions to the subdirectory and its contents. For example, if you create a domain user account named peter, a subdirectory named peter is created in the /usr/users directory (/usr/users/peter) and the peter user account is granted all NTFS permissions to the directory. The creation of an ACL for a user's home directory is a feature that makes sharing a user's directory easier.
There is a standard set of NTFS permissions that you can set or you can customize NTFS permissions to meet your needs. Table 4-6 describes the standard Windows NTFS permissions that you can set. Table 4-7 describes the custom Windows NTFS permissions that you can set.
Table 4-6: NTFS Standard Permissions
Permission | For File | For Directory |
Add | Cannot read the contents of current files, change them, or list the files | Can add files to the directory |
AddRead | Can read and execute files but cannot change files | Can read, write, and execute files in the directory |
Change | Can change the contents of current files | Can read and add files |
Full control | Can read and change files, add new ones, change permissions for files, and take ownership of file | Change permissions for the directory and take ownership of the directory |
NoAccess | Not applicable | Cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory |
List | Cannot access files | List the files and subdirectories in this directory and change to a subdirectory of this directory |
Read | Can read the contents of files and run applications | Allows viewing the names of files and subdirectories |
Table 4-7: NTFS Custom Permissions
Permission | For File | For Directory |
Change Permissions (P) | Allows changing the file's permissions | Allows changing the directory's permissions |
Delete (D) | Allows deleting the file | Allows deleting the directory |
Execute (X) | Allows running the file if it is a program | Allows changing to subdirectories |
Read (R) | Allows viewing the file's data | Allows viewing the names of files and subdirectories |
Take Ownership (O) | Allows taking ownership of the file | Allows taking ownership of the directory |
Write (W) | Allows changing the file's data | Allows adding files and subdirectories |
When you set NTFS permissions, two sets of individual permissions are displayed: the permissions set on the directory and the permissions set on files in the directory. For example, the following output would display if you set AddRead permission on a share for a user named peter. (RWX) signifies Read, Write, and Execute permissions on the share, and (RX) signifies Read and Execute permission on its files.
Resource: c:\usr\net\servers\lanman\shares\share1
Owner: server1.dom\Administrators
Name:                Permissions:
-------------------------------------------------------------------------------
*Administrators      FullControl(All)(All)
*Everyone            Read(RX)(RX)
peter                AddRead(RWX)(RX)
When the ASU server displays resource permissions, it designates groups with an asterisk ( * ).
NTFS Permissions on files in a directory can be set to NotSpecified. This means that by default no permissions will be set for that user or group to the files that are present in the directory or that are created after setting this permission. A group or user cannot use files in the directory unless access is granted by another method such as setting permissions that grant access on individual files.
When you are setting permissions on a directory, you can use the CREATOR OWNER special group to allow users to control only the subdirectories and files that they create within the directory. Permissions set on CREATOR OWNER are transferred to the user who creates a directory or file within the directory. To change permissions on the directory, you must be the owner of the directory or have been granted permission to do so by the owner.
Note
By default, Windows NTFS permissions grant read and execute permission to the Everyone group, of which every domain user account is a member. You must grant Windows NTFS write permission to the domain user or group account that will write files to the disk share.
4.5.2.1 Controlling ASU and ACLs
How the ASU server creates and uses ACLs depends on the values assigned to the ACL-related entries in the FileServiceParameters registry subkey. Table 4-8 describes ACL-related registry value entries.
Table 4-8: ACL Value Entries
Entry | Description and Default Value |
AclCacheSize | Specifies the number of entries in ACL cache, which tracks the results of recent access checks performed on ASU resources. Default: 6 |
ForceDirectoryAcl | Determines whether or not the ASU server creates an access control list for a newly created directory if the client computer does not provide an explicit ACL. If an ACL is not created, one is inherited from its parent directory. Default: 1 (create new ACL) |
ForceFileAcl | Determines whether or not the ASU server creates an access control list for a new file if the client computer did not provide an explicit access control list. If an access control list is not created, one is inherited from its parent directory. Default: 0 (will not create new ACL) |
HomeDirectoryAccess | Specifies whether or not to add a full access (RWXDPO) control entry for the user on the user's Tru64 UNIX home directory when you create a domain user account. Default: 1 (add access control entry for user) |
SyncAclFileOnWrite | Determines whether or not changes to the ACL are forced to disk using an fsync(2) system call when the ACL is updated. Default: 0 (ACL changes are not forced) |
UnixAclSupport | Allows the ASU server to use Tru64 ACLs in addition to NTFS user and group permissions. This entry is supported only on systems running the Tru64 UNIX Version 5.0A and higher software. Default: 0 (do not use Tru64 UNIX ACLs) |
Table 4-9 describes ASU ACL related commands.
Table 4-9: ASU ACL Commands
Command | Purpose |
/usr/sbin/acladm | Create, check, manage, move, remove, and trim the ACL database. |
/usr/sbin/acldump | Dump the ACL database to an ASCII file. |
/usr/sbin/chacl | Change ACL information on objects. |
/usr/sbin/aclload | Load the ACL database from an ASCII file. |
/usr/sbin/lsacl | Display ACLs placed on objects (files and directories). |
/usr/sbin/rmacl | Remove ACLs on objects. |
See acladm(8) for more information about the acladm command.
4.5.2.2 Restoring ASU ACLs
You can restore ASU ACLs from a backup copy of an ACL store. You do not need to stop the ASU server to restore ASU ACLs from backup. Follow these steps to restore a file and its corresponding ASU ACLs:
Restore the file from backup.
Restore the ACL store file (/usr/net/servers/lanman/datafiles/acl) from the same date as the backed up file to a different filename, for example may10.acl.
Enter the following command to restore the ASU ACLs:
# acladm -M -i ACL_store_file -v /path/filename
For example, to restore the ASU ACLs in the may10.acl file for the /usr/temp file, enter:
# acladm -M -i may10.acl -v /usr/temp
4.5.2.3 Setting Windows NTFS Permissions
You set Windows NTFS permissions by using either:
The net perms command
The Windows Explorer GUI
4.5.2.3.1 Using the net perms Command
The syntax of the net perms command to set Windows NTFS permissions is as follows:
# net perms c:/path [/GRANT name:permissions | /CHANGE name:permissions | /REVOKE name | /TAKE]
To display the Windows NTFS permissions for a file or directory called project1, enter:
# net perms c:/usr/net/servers/lanman/shares/project
To grant the group called project1 the Windows NTFS write permission to a file or directory called project, enter:
# net perms c:/usr/net/servers/lanman/shares/project /grant project1:w
4.5.2.3.2 Using the Windows Explorer GUI
Follow these steps to allow the project1 group the Windows NTFS write permission:
Start the Server Manager (srvmgr.exe).
Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.
Start the Windows Explorer (explorer.exe).
Connect to the disk share (if necessary) and display its properties.
The Properties window is displayed for the disk share.
Click on the Security tab, then click Permissions.
The Directory Permissions window is displayed.
To change a permission, select a group or user account in the Name window, and then select either the Special Directory Access or Special File Access permission from the Type of Access list. A Special Directory or File Access dialog box is displayed from which you select Windows NTFS permissions.
To add a group or user account to the list of those granted permissions for this shared directory, click Add and complete the Add Users and Groups dialog box that appears.
To remove a group or user account from the list of those granted permissions for this shared directory, select a group or user account in the Name window, and then click Remove.
4.5.3 Setting Tru64 UNIX Permissions
By default, subdirectories created in a disk share have the following Tru64 UNIX permissions:
Owner has read and write permission
Group has read permission
Other has read permission
By default, files created in a disk share have the following Tru64 UNIX permissions:
Owner has read and write permission
Group has read permission
Other has read permission
When you use the lmshare command to create a share, you can set the default Tru64 UNIX permissions in octal format for newly created files and directories in the share. The lmshare command prompts you for the per share Tru64 UNIX file and directory permissions.
You can selectively change the file and directory permissions in a share by using the following commands:
The lmshare command to change the default permissions assigned to new files and directories that you create. The default permissions set by the lmshare command override the overall system default file and directory permissions.
The chmod command to change the current permissions on an existing file or directory. For example, to allow the owner's group the write permission to a file, enter:
# chmod g+w filename
See lmshare(8) and chmod(8).
You can permanently change the default permissions for new files and directories created in all shares by changing the value of the registry value entries described in Table 4-10. Permanently changing the default permissions overrides the overall system default file and directory permissions.
Table 4-10: Disk Share Permission Value Entries
Entry | Description and Default Value |
UnixDirectoryPerms | Specifies the default Tru64 UNIX system permissions for newly created directories. Default: 0755 octal (493 decimal), which translates to Set the value to 0 (zero) to specify that directories created in ASU shares inherit the Tru64 UNIX permissions from the parent directory. |
UnixFilePerms | Specifies the default Tru64 UNIX system permissions for newly created files. Default: 0644 octal (420 decimal), which translates to Set the value to 0 (zero) to specify that files created in ASU shares inherit the Tru64 UNIX permissions from the parent directory. |
The registry editor uses decimal format to display the values of the UnixDirectoryPerms and UnixFilePerms entries. The Tru64 UNIX software uses octal format to specify directory and file permissions.
A change to the value of the UnixFilePerms and UnixDirectoryPerms registry entries takes effect when you restart the ASU server and applies only to newly created files and directories. Existing and renamed files and directories retain their original Tru64 UNIX permissions.
The UnixDirectoryCheck registry entry, which can be set to bypass Tru64 UNIX security checking, does not affect the inheritance of permissions.
Follow these steps to use the regconfig registry editor to allow Tru64 UNIX permissions to be inherited from the parent directory. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Change the value of the UnixFilePerms entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
UnixFilePerms REG_DWORD 0
Restart the ASU server by entering the following commands:
# net stop server
# net start server
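As an added example (not part of the ASU documentation), the following shell helper decodes a UnixFilePerms or UnixDirectoryPerms value as the registry editor displays it, in decimal, into the octal and symbolic forms that Tru64 UNIX uses. The function names and the result strings are this example's own; the value 0 is reported as inheritance from the parent directory, as described above.

```shell
#!/bin/sh
# Added example, not part of the ASU documentation: decode a UnixFilePerms or
# UnixDirectoryPerms value as the registry editor displays it (decimal).

# triplet DIGIT: print the rwx string for one octal digit (0-7).
triplet() {
    r=-; w=-; x=-
    [ $(($1 & 4)) -ne 0 ] && r=r
    [ $(($1 & 2)) -ne 0 ] && w=w
    [ $(($1 & 1)) -ne 0 ] && x=x
    printf '%s%s%s' "$r" "$w" "$x"
}

# decode_perms DECIMAL: print "OCTAL SYMBOLIC", with a note when group or
# other has write permission. 0 means "inherit from the parent directory".
decode_perms() {
    dec=$1
    case $dec in
        ''|*[!0-9]*|0?*) echo "invalid"; return 0 ;;  # not a plain decimal
        ????*) echo "unsupported"; return 0 ;;        # four or more digits
    esac
    if [ "$dec" -eq 0 ]; then
        echo "inherit-from-parent"; return 0
    fi
    # Values above 511 (0777) carry bits beyond the nine rwx bits; this
    # helper does not decode them.
    if [ "$dec" -gt 511 ]; then
        echo "unsupported"; return 0
    fi
    sym="$(triplet $(( ($dec >> 6) & 7 )))"
    sym="$sym$(triplet $(( ($dec >> 3) & 7 )))"
    sym="$sym$(triplet $(( $dec & 7 )))"
    note=""
    # 18 decimal is 022 octal: the group-write and other-write bits.
    [ $(( $dec & 18 )) -ne 0 ] && note=" group-or-other-writable"
    printf '%04o %s%s\n' "$dec" "$sym" "$note"
}

# The two documented defaults, the inherit setting, and a constructed
# permissive value (438 decimal is 0666 octal).
for v in 493 420 0 438; do
    printf '%s -> %s\n' "$v" "$(decode_perms "$v")"
done
```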
4.5.3.1 Tru64 UNIX Groups or DOS Groups
By default, files created in a directory by a Tru64 UNIX user are owned by that user and the group ownership is listed as the user's default group.
Files created by domain users in a disk share are owned by the user's corresponding Tru64 UNIX account, and the Tru64 UNIX group ownership is listed as one of the ASU groups beginning with DOS-.
By default, the ASU server uses the DOS- groups to maintain DOS attributes for a file. For example, if the group ownership of a file is DOS-ash, the DOS attributes (archive, system, and hidden) are set. The fourth attribute, ReadOnly, is maintained by setting or clearing the Tru64 UNIX write permission.
You can configure the ASU server to use Tru64 UNIX groups instead of using the DOS- groups. However, users then cannot set the archive, system, or hidden attributes on any file shared on the ASU server. Users will only be able to set the ReadOnly attribute.
Follow these steps to use the regconfig registry editor to configure the ASU server to use Tru64 UNIX groups instead of DOS groups. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Enable the UseUnixGroups entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
UseUnixGroups REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
4.5.3.2 Configuring the ASU Server to Not Check Tru64 UNIX Permissions
The ASU server must check Windows NT and Windows NTFS permissions; however you can configure the ASU server to not check Tru64 UNIX permissions.
Follow these steps to use the regconfig registry editor to configure the ASU server to not check Tru64 UNIX permissions. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Enable the IgnoreUnixPermissions entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
IgnoreUnixPermissions REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
4.6 Creating Personal Disk Shares for Users
By default, when you create a domain user account, the ASU server creates a subdirectory for the user in the /usr/users directory using the user's Tru64 UNIX account name and grants the user all Windows NT share, Windows NTFS, and Tru64 UNIX access permissions to their subdirectory.
By default, the /usr/users directory is associated with the USERS special disk share, which means that you do not need to create individual disk shares for each user because there is automatically a subdirectory for each user in the USERS disk share. Users connect to the \\server\users disk share from their Windows system and browse to their directory. Users can view other users' directories, but have permission to access only their own directory.
If you use a Tru64 UNIX directory other than /usr/users for the users' home directories, you should redirect the USERS disk share to the new location. To redirect a share you must delete the share and recreate it.
Optionally, you can configure the ASU server to automatically:
Create a personal disk share when you create a Tru64 UNIX user account or map a Tru64 UNIX user account to a domain user account.
Delete a personal disk share when you delete its associated domain user account.
Rename a personal disk share when you rename its associated domain user account.
The ASU server creates a personal disk share as a hidden disk share mapped to the user's UNIX home directory. The ASU server will not create a personal disk share if the UNIX home directory does not exist or if there is an existing disk share with the same name. A hidden disk share has a name that ends with a dollar sign ($) and does not display when browsing the ASU server. For example, creating a Tru64 UNIX user account named peter will automatically create a personal disk share called peter$ mapped to peter's home directory. A user can connect to a hidden disk share by appending the dollar sign to the share name.
Follow these steps to use the regconfig registry editor to configure the ASU server to create, delete, and rename personal disk shares. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
Ensure that the CreateUnixUser entry is enabled, which it is by default. See Section 2.2 for information on displaying registry entry values.
Enable the CreatePersonalShare entry by entering the following command:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/UserServiceParameters \
CreatePersonalShare REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
4.7 Creating a Disk Share for a Remote File System
On a Tru64 UNIX system that is running the ASU server, you can create a disk share for directories that are NFS-exported by systems other than Tru64 UNIX. To do so, you must:
Ensure that all UNIX systems are running the NFS service with the lock option
Ensure that the ASU UseNfsLocks registry entry is enabled
Ensure that the remote UNIX system is exporting the directory
Mount the remote directory on the Tru64 UNIX system on which the ASU server is running
Create the disk share with a path to the mounted remote directory
Optionally, you can set LanManager-only security. With LanManager-only security, ASU users are not restricted from accessing files and directories because of Tru64 UNIX permissions.
4.7.1 Running the NFS Service with the Lock Option
On most UNIX systems, you can enter the following command to determine if the NFS service is running:
# ps -ef | grep nfs
Information similar to the following is displayed if the NFS service is running:
Root 297 1 0.0 May 01 ?? 0:00.01 /usr/sbin/nfsiod 7
Enter the following command to determine if NFS locking is enabled on a UNIX system:
# ps -ef | grep lockd
Information similar to the following is displayed if locking is enabled:
Root 7417 1 0.1 08:33:57 ?? 0:00.08 /usr/sbin/rpc.lockd
4.7.2 Enabling the UseNfsLocks Entry
The UseNfsLocks entry specifies whether or not the ASU server tries to set Tru64 UNIX system record locks in files as requested by clients. When this value entry is enabled, make sure that the rpc.lockd and rpc.statd daemons are running on the NFS server or on the Tru64 UNIX system on which the ASU server is running. If these daemons are not running, the ASU server might stall or data might be lost.
By default, the UseNfsLocks entry is enabled. To check the value of the UseNfsLocks entry, enter:
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters UseNfsLocks
Ensure that the UNIX system is exporting the file system. To verify whether or not a file system is exported, enter:
# /sbin/mount
A list of exported file systems is displayed. Follow these steps if the file system is not displayed:
Edit the /etc/exports file to add the entry.
Close the /etc/exports file.
Enter the following command:
# exportfs
4.7.4 Mounting Remote Directories
To mount remote directories on a Tru64 UNIX system, use the following syntax to include an entry for each remote directory in the /etc/fstab file:
file-spec mnt-point fs-type mnt-options backup fsck
In this syntax statement:
The file-spec variable is the full pathname to the remote directory.
The mnt-point variable is the mount point for the remote directory.
The fs-type variable is the type of file system, which is nfs for the purpose of this service.
The mnt-options variable is a list of options (separated with commas) associated with the directory, such as the:
Type of access to the resource, for example the ro (Read Only) or rw (Read-Write) options.
Action to take if the directory fails to mount on the first attempt, for example the bg option, which retries the mount in the background.
Behavior that client systems experience if the NFS server hosting the remote directory to which the client system is connected becomes unavailable. The hard option, which is the default, stalls a client system and displays an hourglass. The soft option pauses the client system and generates an error message.
The backup option is used by the dump command to determine which file systems to back up. This is not applicable to NFS. Set this option to zero (0).
The fsck option is used by the fsck command to determine the order in which to check file systems at reboot time. This is not applicable to NFS. Set this option to zero (0).
The following is a sample entry in the /etc/fstab file:
If necessary, create and then mount the remote directory by using the mount command or the automount utility.
The mount command mounts the directory in the /etc/fstab file that you specify. For example:
# mount /repository
The automount utility mounts all the entries in the /etc/fstab file. You start the automount utility from the command line or by running the nfssetup utility and answering yes when prompted to run the automount daemon.
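An added example, not from the ASU documentation: a shell function that checks the NFS lines of fstab text against the six-field syntax described in this section and reports the access, failure-behavior and bg options of each entry. The sample lines, the host name and the path@host form of file-spec are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ASU documentation: check NFS entries in fstab
# text against the syntax
#   file-spec mnt-point fs-type mnt-options backup fsck

# check_fstab_nfs: stdin is fstab text; prints one line per NFS entry.
check_fstab_nfs() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    $3 != "nfs"          { next }      # only NFS entries are checked
    NF != 6 {
        printf "%s: expected 6 fields, found %d\n", $2, NF
        next
    }
    {
        # hard is the default failure behavior described in this section
        access = "unset"; fail = "hard"; bg = "no"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] == "ro" || opt[i] == "rw")     access = opt[i]
            if (opt[i] == "hard" || opt[i] == "soft") fail = opt[i]
            if (opt[i] == "bg")                       bg = "yes"
        }
        # backup and fsck do not apply to NFS and should both be zero
        verdict = ($5 == "0" && $6 == "0") ? "ok" : "backup/fsck-not-zero"
        printf "%s: access=%s failure=%s bg=%s %s\n", $2, access, fail, bg, verdict
    }'
}

# Constructed sample input (host nfs1 and all paths are made up).
SAMPLE_FSTAB='# constructed sample entries
/projects@nfs1 /repository nfs rw,bg,hard 0 0
/archive@nfs1 /archive nfs ro,soft 1 2
/scratch@nfs1 /scratch nfs rw,bg
/dev/disk/dsk0a / ufs rw 1 1'

printf '%s\n' "$SAMPLE_FSTAB" | check_fstab_nfs
```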
4.7.5 Enabling LanManager Only Security for NFS Shares
The ASU server now allows for LanManager-only security for NFS shares. With LanManager-only security, ASU users are not restricted from accessing files and directories because of Tru64 UNIX permissions. Files and directories created by an ASU user appear as if they were created by a Tru64 UNIX user.
To enable LanManager-only security:
Export the NFS file system (usually in the /etc/exports file) with the following entry:
/nfs -root=0
Set the value for the ASU registry entries as described in the following table:
Registry Entry | Value |
IgnoreUnixPermissions | 1 |
UnixDirectoryCheck | 2 |
UseUnixGroups | 1 |
UseUnixLocks | 1 |
For example, to use the regconfig registry editor to enable the IgnoreUnixPermissions entry, enter the following command. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.
# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters \
IgnoreUnixPermissions REG_DWORD 1
Restart the ASU server by entering the following commands:
# net stop server
# net start server
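The following added example, which is not ASU code, reports whether a server is in the LanManager-only state described in this section, which is worth knowing during a review because Tru64 UNIX permissions do not restrict ASU users in that state. Assumptions: the registry values are supplied as plain "Name Value" lines that you have collected yourself (the script does not parse regconfig output), the entry names are the ones in the table above, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not ASU code: report whether the settings from this section
# are in the LanManager-only state.

# registry_matches: stdin is "Name Value" lines (an assumed input format, not
# regconfig output). Prints each entry whose value equals the table's value.
registry_matches() {
    awk '
    BEGIN {
        want["IgnoreUnixPermissions"] = 1; want["UnixDirectoryCheck"] = 2
        want["UseUnixGroups"] = 1;         want["UseUnixLocks"] = 1
    }
    ($1 in want) && $2 == want[$1] && !seen[$1]++ { print $1 }'
}

# root_mapped_exports: stdin is /etc/exports text. Prints each exported path
# that carries -root=0. Matching root=0 inside a comma-separated option list
# is an assumption; the page shows only the stand-alone "-root=0" form.
root_mapped_exports() {
    awk '$1 ~ /^\// {
        for (i = 2; i <= NF; i++)
            if ($i ~ /(^-|,)root=0(,|$)/) { print $1; break }
    }'
}

# lanman_only_state REGISTRY_TEXT EXPORTS_TEXT
# Prints "enabled" (all four values plus a -root=0 export), "partial"
# (some of them) or "not-enabled" (none).
lanman_only_state() {
    hits=$(printf '%s\n' "$1" | registry_matches | wc -l | tr -d ' ')
    roots=$(printf '%s\n' "$2" | root_mapped_exports | wc -l | tr -d ' ')
    if [ "$hits" -eq 4 ] && [ "$roots" -gt 0 ]; then echo "enabled"
    elif [ "$hits" -gt 0 ] || [ "$roots" -gt 0 ]; then echo "partial"
    else echo "not-enabled"
    fi
}

# Constructed sample input.
SAMPLE_REG='IgnoreUnixPermissions 1
UnixDirectoryCheck 2
UseUnixGroups 1
UseUnixLocks 1'
SAMPLE_EXPORTS='/nfs -root=0
/pub -ro'

lanman_only_state "$SAMPLE_REG" "$SAMPLE_EXPORTS"
```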
When you delete a disk share, only the association of the share name to the Tru64 UNIX directory is deleted; the associated Tru64 UNIX directory and its contents are not deleted. To delete a disk share you can use either:
The net share command
The Server Manager
4.8.1 Using the net share Command
You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU software. Press the Enter key at the end of the entire command.
To delete a disk share, enter:
# net share sharename /delete
For example, to delete a disk share called project, enter:
# net share project /delete
4.8.2 Using the Server Manager
Follow these steps to delete a disk share using the Server Manager:
Start the Server Manager GUI (srvmgr.exe).
Install the Server Manager GUI on the Windows system from which you will administer ASU. See Section 1.8 for information on installing the Server Manager GUI.
Choose Select Domain... from the Computer menu.
The Select Domain dialog box is displayed.
In the Domain: field, enter the name of the domain in which you want to create the group and click on the OK button.
Choose Shared Directories... from the Computer menu.
The Shared Directories dialog box is displayed.
Click on the name of the share that you want to delete.
Click on the Stop Sharing button.