4    Creating ASU Disk Shares

You can share the following types of file systems as disk shares with domain users:

This chapter describes how to share file systems with domain users.

4.1    Default Disk Share Attributes

You control how the ASU server creates disk shares by assigning values to registry value entries located in the following registry path:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters

Entries in this path define:

See Section B.1.2 for a complete list of registry entries that affect disk shares.

4.1.1    Disk Shares Created By ASU for NFS Exported File Systems

By default, the ASU server automatically creates a disk share for NFS exported file systems. The ASU server creates the disk share using:

4.1.1.1    Converting NFS Permissions

The following table describes how the ASU server converts NFS permissions to disk share permissions:

NFS Permission            Disk Share Permission
Read (r) and Write (w)    Full Access
Not specified             Full Access
Read Only (ro)            Read and Execute (for the specified list of clients)
None                      No Access

The following table provides examples of how the ASU server converts NFS permissions to disk share permissions:

NFS Permission                          Disk Share Permission
/usr/local                              Full Access for all clients
/usr/local -ro client1                  Read and Execute for client1 and No Access for all other clients
/usr/local client1 client2 client3      Full Access for client1, client2, and client3 and No Access for all other clients
/usr/local -rw=client1                  Full Access for client1 and Read and Execute for all other clients
/usr/local -access=client1:10.0.0.10    Full Access for client1 from 10.0.0.10 and No Access for all other clients

The ASU server does not create a share for NFS mount points with the following NFS permissions:

4.1.1.2    Managing NFS Related Disk Shares Created by ASU

By default, when the ASU server starts, it synchronizes the ASU disk shares with NFS export entries. If an exports entry does not have a corresponding disk share, the ASU server creates the disk share. If an exports entry no longer exists or is not supported (root=0), the ASU server deletes the corresponding disk share. If the NFS permissions for an NFS export entry changed, the ASU server updates the permissions on the corresponding disk share.
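The conversion rules in Section 4.1.1.1 and the root=0 exclusion above can be applied to an exports file before the ASU server starts, to see which exports become shares that every client can reach. The following is an added example, not ASU code: the function names, report keys and sample paths are hypothetical, and it models only the entry forms shown in the tables, reporting anything else for manual review.

```python
# Added example: models only the conversions shown in Section 4.1.1.1.
FULL, READ_EXEC, NO_ACCESS = "Full Access", "Read and Execute", "No Access"


def _share(path, default, clients, granted):
    return {"path": path, "default": default,
            "grants": {client: granted for client in clients}}


def convert_export(line):
    """Map one exports entry to the disk share permissions described above.

    Returns None when no share is created (root=0), otherwise a dict with
    'path', 'default' (all other clients) and 'grants' (client -> permission).
    Raises ValueError for any entry form the tables do not cover.
    """
    tokens = line.split()
    path, clients, opts = tokens[0], [], {}
    for tok in tokens[1:]:
        if tok.startswith("-"):
            key, _, value = tok[1:].partition("=")
            opts[key] = value
        else:
            clients.append(tok)

    if opts.get("root") == "0":
        return None  # not supported: no disk share is created

    keys = set(opts)
    if keys <= {"rw"} and not opts.get("rw"):
        # Nothing specified, or a bare rw: Full Access.
        if clients:
            return _share(path, NO_ACCESS, clients, FULL)
        return _share(path, FULL, [], FULL)
    if keys == {"ro"} and not opts["ro"] and clients:
        return _share(path, NO_ACCESS, clients, READ_EXEC)
    if keys == {"rw"} and not clients:
        return _share(path, READ_EXEC, [opts["rw"]], FULL)
    if keys == {"access"} and opts["access"] and not clients:
        # The value is kept verbatim; the table reads it as "client1 from 10.0.0.10".
        return _share(path, NO_ACCESS, [opts["access"]], FULL)
    raise ValueError(f"{path}: entry form not covered by the conversion tables")


def audit_exports(text):
    """Group exported paths by the access that unlisted clients would receive."""
    report = {"open_to_all": [], "readable_by_all": [],
              "listed_clients_only": [], "no_share": [], "review": []}
    by_default = {FULL: "open_to_all", READ_EXEC: "readable_by_all",
                  NO_ACCESS: "listed_clients_only"}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            share = convert_export(line)
        except ValueError:
            report["review"].append(line.split()[0])
            continue
        if share is None:
            report["no_share"].append(line.split()[0])
        else:
            report[by_default[share["default"]]].append(share["path"])
    return report


# Constructed sample exports file (paths other than /usr/local are made up).
SAMPLE_EXPORTS = """\
# constructed sample
/usr/local
/export/docs -ro client1
/export/team client1 client2 client3
/export/build -rw=client1
/export/lab -access=client1:10.0.0.10
/export/sys -root=0
/export/pub -ro
"""

if __name__ == "__main__":
    for category, paths in audit_exports(SAMPLE_EXPORTS).items():
        print(f"{category}: {', '.join(paths) or '-'}")
```

Entries listed under open_to_all become shares that grant Full Access to every client, so they are the ones to check against the NTFS and Tru64 UNIX permissions described in Section 4.5.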

You use the nfsshare command to:

See nfsshare(8) for more information on the nfsshare command.

4.1.1.3    Controlling the ASU Creation of NFS-Related Disk Shares

If the ShareNFSExports entry is enabled, which is the default, then the creation of ASU disk shares for NFS exported file systems depends on the values assigned to the NFS-related entries in the FileServiceParameters registry subkey. Table 4-1 describes the NFS-related registry value entries.

Table 4-1:  NFS-Related Disk Share Value Entries

Entry Description and Default Value
NFSExportFile Specifies the name of the NFS export file. Default: /etc/exports
SyncNFSExports Determines whether or not NFS exports are synchronized with disk shares when the ASU server starts. If this entry is disabled, disk shares that were created from the NFS exports are deleted. Default: 1 (synchronize at ASU server startup)

4.1.1.4    Configuring ASU to Not Create NFS-Related Disk Shares

You can configure the ASU server to not create disk shares for NFS exported file systems.

Follow these steps to use the regconfig registry editor to configure the ASU server to not create disk shares for NFS exported file systems. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Disable the ShareNFSExports entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters \
    ShareNFSExports REG_DWORD 0
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

4.2    Special Disk Shares

The ASU server automatically creates the special disk shares listed in Table 4-2. The list might differ depending on the installed ASU subsets. Do not remove or modify these shares.

Table 4-2:  ASU Special Disk Shares

Name of Disk Share    Contains
ADMIN$                Administrative utilities for remote administration.
IPC$                  Named pipes that are used for communication with the server.
C$                    Directories and files located on the root ( / ) file system.
D$                    Files and libraries that are required by MS-DOS, OS/2, and Windows NT computers.
PRINT$                Printer drivers.
ASTOOLS               Microsoft client-based utilities that are used to administer the ASU server from a Microsoft client.
DOSUTIL               MS-DOS clipcach and clispool administrative commands.
NETLOGON              Logon scripts.
PRINTLOG              LP printer messages.
USERS                 Users' home directories. The default is the /usr/users directory.

Disk shares with names ending with a dollar sign ($) are hidden and do not display when you browse the ASU server. You can connect to a hidden share if you specify the share name as follows:

\\servername\sharename$

4.3    Disk Share Attributes

A disk share is made up of mandatory and optional attributes.

Table 4-3 describes the mandatory disk share attributes for which you must provide values when you create a disk share.

Table 4-3:  Mandatory Disk Share Attributes

Attribute Description

Share name

A unique name of up to 80 alphanumeric characters that users use to connect to the share.

A share name cannot be: COMM, PRINT, DEV, PIPE, QUEUES, SEM, MAILSLOT, SHAREMEM

Append a dollar sign ( $ ) to a share name to make it hidden when users browse the ASU server.

Path

The absolute path of a directory to be shared (including the drive, which is always c:). For example, the path to a directory called project1, which is a subdirectory of market, is c:/market/project1

Table 4-4 describes the optional attributes for which you can provide values when you create a disk share.

Table 4-4:  Optional Disk Share Attributes

Attribute Description
Users The maximum number of users who can simultaneously access the share.
Remark A comment about the share. Comments must be enclosed in quotation marks.

4.4    Creating a Disk Share

To create a disk share you can use:

4.4.1    Using the lmshare Command

The lmshare command prompts you for information about a share, including:

See Section 4.5.3 for more information about Tru64 UNIX file and directory permissions.

To configure the ASU server to ignore Tru64 UNIX permission checking on a per share basis, the IgnoreUnixPermissions registry entry must be disabled, which it is by default.

If you enable the IgnoreUnixPermissions registry entry, the ASU server ignores Tru64 UNIX permission checking on all disk shares, regardless of the per share ignore Unix permissions setting on a share.

If you enable Tru64 UNIX quota checking, the Tru64 UNIX permissions are enforced regardless of the IgnoreUnixPermissions registry entry setting or the per share ignore Unix permissions settings.

Follow these steps to use the regconfig registry editor to disable the IgnoreUnixPermissions registry entry. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Disable the IgnoreUnixPermissions registry entry if it was enabled:

    # regconfig SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters \
    IgnoreUnixPermissions REG_DWORD 0
    

  2. If you disabled the IgnoreUnixPermissions registry entry, restart the ASU server by entering the following commands:

    # net stop server

    # net start server

To create a share using the lmshare command, enter:

# lmshare -a

The lmshare command prompts you for the following information about the share. Press Enter at any field whose value you do not want to change.

Sharename? test1
Type (d|p|c|i)? [d] d
Local path? /home/test1
Remark? test1
Permissions(rwcxdaps)? [rwcxda]
Per share Unix file permissions? [0] 664
Per share Unix directory permissions? [0] 777
Per share ignore Unix permissions? [0]
Maximum users? [unlimited] 
Password?

Existing shares and shares not created by the lmshare command will have a default value of zero (0) for the per share Unix file and directory permissions and will have Tru64 UNIX permissions checking enabled by default.

Newly created files in shares with a zero value for the per share Unix file permissions will get the Tru64 UNIX file permissions as defined by the value of the UnixFilePerms registry entry.

Newly created directories in shares with a zero value for the per share Unix directory permissions will get the Tru64 UNIX directory permissions as defined by the value of the UnixDirectoryPerms registry entry.

To display the current per share Unix file and directory permissions for a share, enter:

# lmshare -L share_name

To set the default Tru64 UNIX file permissions for newly created files in a share, enter:

# lmshare -F share_name file_permissions

where share_name is the name of the share, and file_permissions are the Tru64 UNIX file permissions in octal format.

To set the default Tru64 UNIX directory permissions for newly created directories in a share, enter:

# lmshare -D share_name directory_permissions

where share_name is the name of the share, and directory_permissions are the Tru64 UNIX directory permissions in octal format.

To disable Tru64 UNIX permissions checking on a share, enter the following command. Connected users must reconnect to the share for the new setting to take effect.

# lmshare -I share_name 1

To enable Tru64 UNIX permissions checking on a share, enter the following command. Connected users must reconnect to the share for the new setting to take effect.

# lmshare -I share_name 0

See lmshare(8) for more information.

4.4.2    Using the net share Command

You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU server. Press the Enter key at the end of the entire command.

Table 4-5 shows the disk share attributes and the net share command option that you use to set the attribute.

Table 4-5:  Setting Disk Share Attributes

Attribute     net share Option
Share name    Enter the name after the net share command
Path          Enter an equal sign (=) followed by the path after the share name
Users         /users:# or /unlimited
Remark        /remark:"text"

To create a disk share called project that corresponds to the /usr/net/servers/lanman/project directory, enter:

# net share project=c:/usr/net/servers/lanman/shares/project

To create a hidden disk share, append a dollar sign ( $ ) to the share name. For example, to create a hidden share called project1 that corresponds to the /usr/net/servers/lanman/project1 directory, enter:

# net share project1$=c:/usr/net/servers/lanman/shares/project1

Hidden shares do not display when users browse the ASU server.

Note to csh Shell Users

The dollar sign ( $ ) is a special character in the csh shell; therefore, you must precede the $ with a backslash escape character ( \ ), for example:

# net share project1\$=c:/usr/net/servers/lanman/shares/project1

To view information about all shares, including hidden shares, enter:

# net share

To view information about a specific share, enter:

# net share share_name

4.4.3    Using the Server Manager

Follow these steps to create a disk share using the Server Manager:

  1. Start the Server Manager (srvmgr.exe).

    Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.

  2. Choose Select Domain... from the Computer menu.

    The Select Domain dialog box is displayed.

  3. In the Domain: field, enter the name of the domain in which you want to create the disk share and click on the OK button.

  4. Choose Shared Directories... from the Computer menu.

    The Shared Directories dialog box is displayed.

  5. Click on the New Share... button.

    The New Share dialog box is displayed.

  6. Enter the disk share information as shown in the following figure:

4.5    Disk Share Permissions

By default, a user must pass the following levels of security before they can access a file or directory in a disk share:

The following steps describe how permissions are checked when a user maps a drive to a disk share and requests access to a file in the disk share:

  1. From a system running the Windows operating system software, a user connects to a disk share. By default, all users have permission to connect to a share. Access to directories and files in the share is normally controlled through NTFS permissions.

    The user's Windows system provides the ASU server with authentication information about the user, including the user's name, password, and security ID.

  2. The ASU server checks the user's name and password in the user account database.

    If the ASU server authenticates the user's information, a unique ID is assigned to the user's Windows system. The Windows system must present this ID when the user makes subsequent requests to shares.

  3. The user attempts to open a file in the share.

    The ASU lmx.srv process services the user's request. Normally, the lmx.srv process runs as root, the highest Tru64 UNIX privilege level.

  4. The lmx.srv process determines if the user has the correct Windows NT share permissions to access the share.

    If the permissions are not correct, the lmx.srv returns an access denied error to the Windows system.

  5. The lmx.srv process determines if the user has the correct NTFS permissions to access the file in the share.

    If the permissions are not correct, the lmx.srv process returns an access denied error to the Windows system.

  6. The lmx.srv process determines Tru64 UNIX access based on the mapping of the domain user account to a Tru64 UNIX user account.

  7. The lmx.srv process changes its effective user ID from root to the ID of the corresponding Tru64 UNIX account and tries to open the file.

  8. The Tru64 UNIX operating system determines if the user has the correct Tru64 UNIX permissions.

    If the permissions are correct, the file is opened. If the permissions are not correct, the lmx.srv process returns an access denied error to the Windows system.

4.5.1    Windows NT Permissions

The Windows NT permissions that you can set for a disk share are:

When a directory is shared, the default is to grant the Everyone domain user group Full Control permissions.

4.5.1.1    Setting Windows NT Permissions

To view and set Windows NT share permissions, you can use the:

4.5.1.1.1    Using the net perms Command

The syntax of the net perms command is:

# net perms \\sharename [/GRANT name:permissions | /CHANGE name:permissions | /REVOKE name | /TAKE]

To display the Windows NT permissions for a disk share called project1, enter:

# net perms \\project1

To set the project1 Windows NT disk share permission to read for a user named peter, enter:

# net perms \\project1 /grant peter:read

4.5.1.1.2    Using the Server Manager Utility

Follow these steps to use the Server Manager utility to set Windows NT disk share permissions:

  1. Start the Server Manager (srvmgr.exe).

    Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.

  2. In the Server Manager window, select a computer from the list and click Shared Directories on the Computer menu.

    The Shared Directories dialog box is displayed.

  3. In the Shared Directories dialog box, select a share name and click Properties.

    The Shared Properties dialog box is displayed.

  4. Click Permissions.

    To change a permission, select a group or user account in the Name window, and then select a permission from the Type of Access list.

    To add a group or user account to the list of those granted permissions for this shared directory, click Add, and then complete the Add Users and Groups dialog box that appears.

    To remove a group or user account on the list of those granted permissions for this shared directory, select a group or user account in the Name window, and then click Remove.

4.5.2    Windows NTFS Permissions

When you create a disk share, an entry that associates a disk share with its corresponding Tru64 UNIX directory is created in the ASU share database. The Tru64 UNIX directory is created if it does not exist.

When a domain user requests access to the directory or a file in the directory, ASU checks its access control list (ACL) file to determine if the user has NTFS permission to access the file.

A file or directory in a disk share may or may not have its own ACL. For example, if you set explicit NTFS permissions on a file, an entry is added to the ACL listing that the file has its own ACL.

If you do not set explicit permissions for a file or directory, then the file or directory inherits the ACL entry from its parent directory. If the parent directory does not have an entry in the ACL, the ASU server checks higher-level directories until it finds one that does. For example, suppose you create a disk share called projects in the /usr/net/servers/lanman/shares directory. By default, the projects directory does not have its own ACL; it inherits the ACL from its parent directory (/usr/net/servers/lanman/shares). If the parent directory ACL grants the Everyone group Read permission to subdirectories and files, then the same ACL applies to the projects subdirectory.

If you set NTFS permission on the projects subdirectory to Change for the Everyone group, then an ACL is created for the projects directory and the Everyone group has the following permissions:

The exception to the inherited ACL policy is the default home directory for users. By default, when you create a domain user account, a subdirectory with the same name is created in the /usr/users directory with an ACL that identifies the new user as the owner of the subdirectory and grants them all the NTFS permissions to the subdirectory and its contents. For example, if you create a domain user account named peter, a subdirectory named peter is created in the /usr/users directory (/usr/users/peter) and the peter user account is granted all NTFS permissions to the directory. The creation of an ACL for a user's home directory is a feature that makes sharing a user's directory easier.
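The check order from Section 4.5, the IgnoreUnixPermissions precedence from Section 4.4.1, and the ACL inheritance rule above can be combined into one decision model that shows which layer refuses a request. The following is an added example, not ASU code: the function names, data layout, account IDs and the plan.txt file are hypothetical, and share permissions are simplified to the same R/W/X/D/P/O letters used for NTFS permissions.

```python
import posixpath

NO_ACCESS = "NoAccess"


def nearest_acl(path, acl_db):
    """Return (path, acl) of the closest object with its own ACL, walking upward."""
    current = posixpath.normpath(path)
    while current not in acl_db:
        parent = posixpath.dirname(current)
        if parent == current:          # reached the root without finding an ACL
            return None, {}
        current = parent
    return current, acl_db[current]


def granted_rights(principals, acl):
    """Rights granted to the user and the user's groups; NoAccess overrides any grant."""
    entries = [acl[name] for name in principals if name in acl]
    if NO_ACCESS in entries:
        return set()
    return set().union(*entries)


def unix_check_enforced(registry_ignore, share_ignore, quota_checking):
    """Precedence described in Section 4.4.1."""
    if quota_checking:       # quota checking always enforces Tru64 UNIX permissions
        return True
    if registry_ignore:      # IgnoreUnixPermissions enabled: ignored on all shares
        return False
    return not share_ignore  # otherwise the per share setting decides


def unix_allows(obj, uid, gids, want):
    """Classic owner/group/other mode check for the mapped Tru64 UNIX account."""
    bit = {"R": 4, "W": 2, "X": 1}[want]
    if uid == obj["owner"]:
        return bool((obj["mode"] >> 6) & bit)
    if obj["group"] in gids:
        return bool((obj["mode"] >> 3) & bit)
    return bool(obj["mode"] & bit)


def check_access(user, want, share, path, acl_db, unix_obj,
                 registry_ignore=False, quota_checking=False):
    """Apply the three layers in the order the lmx.srv process checks them."""
    principals = [user["name"], *user["groups"]]
    if want not in granted_rights(principals, share["perms"]):
        return "denied: Windows NT share permissions"
    _, acl = nearest_acl(path, acl_db)
    if want not in granted_rights(principals, acl):
        return "denied: NTFS permissions"
    if unix_check_enforced(registry_ignore, share["ignore_unix"], quota_checking):
        if not unix_allows(unix_obj, user["uid"], user["gids"], want):
            return "denied: Tru64 UNIX permissions"
    return "allowed"


# Constructed sample data for the projects share discussed above.
SHARES_DIR = "/usr/net/servers/lanman/shares"
PLAN = SHARES_DIR + "/projects/plan.txt"
PETER = {"name": "peter", "groups": ["Everyone"], "uid": 201, "gids": {15}}
SHARE = {"perms": {"Everyone": "RWXDPO"}, "ignore_unix": False}  # Everyone: Full Control
PLAN_FILE = {"mode": 0o644, "owner": 200, "group": 15}           # owned by another account
PARENT_ONLY = {SHARES_DIR: {"Everyone": "RX"}}                    # projects inherits Read
WITH_PROJECTS_ACL = {**PARENT_ONLY, SHARES_DIR + "/projects": {"Everyone": "RWXD"}}

if __name__ == "__main__":
    print(check_access(PETER, "W", SHARE, PLAN, PARENT_ONLY, PLAN_FILE))
    print(check_access(PETER, "W", SHARE, PLAN, WITH_PROJECTS_ACL, PLAN_FILE))
    print(check_access(PETER, "W", SHARE, PLAN, WITH_PROJECTS_ACL, PLAN_FILE,
                       registry_ignore=True))
```

With the sample data, the write is first refused by the inherited NTFS ACL, then by the Tru64 UNIX mode once the projects directory has its own ACL, and is allowed only when the Tru64 UNIX check is switched off.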

There is a standard set of NTFS permissions that you can set, or you can customize NTFS permissions to meet your needs. Table 4-6 describes the standard Windows NTFS permissions that you can set. Table 4-7 describes the custom Windows NTFS permissions that you can set.

Table 4-6:  NTFS Standard Permissions

Add
    For File: Cannot read the contents of current files, change them, or list the files
    For Directory: Can add files to the directory

AddRead
    For File: Can read and execute files but cannot change files
    For Directory: Can read, write, and execute files in the directory

Change
    For File: Can change the contents of current files
    For Directory: Can read and add files

Full control
    For File: Can read and change files, add new ones, change permissions for files, and take ownership of file
    For Directory: Change permissions for the directory and take ownership of the directory

NoAccess
    For File: Not applicable
    For Directory: Cannot access the directory in any way, even if the user is a member of a group that has been granted access to the directory

List
    For File: Cannot access files
    For Directory: List the files and subdirectories in this directory and change to a subdirectory of this directory

Read
    For File: Can read the contents of files and run applications
    For Directory: Allows viewing the names of files and subdirectories

Table 4-7:  NTFS Custom Permissions

Change Permissions (P)
    For File: Allows changing the file's permissions
    For Directory: Allows changing the directory's permissions

Delete (D)
    For File: Allows deleting the file
    For Directory: Allows deleting the directory

Execute (X)
    For File: Allows running the file if it is a program
    For Directory: Allows changing to subdirectories

Read (R)
    For File: Allows viewing the file's data
    For Directory: Allows viewing the names of files and subdirectories

Take Ownership (O)
    For File: Allows taking ownership of the file
    For Directory: Allows taking ownership of the directory

Write (W)
    For File: Allows changing the file's data
    For Directory: Allows adding files and subdirectories

When you set NTFS permissions, two sets of individual permissions are displayed: the permissions set on the directory and the permissions set on files in the directory. For example, the following output would display if you set AddRead permission on a share for a user named peter. In the output, (RWX) signifies Read, Write, and Execute permissions on the share, and (RX) signifies Read and Execute permission on its files.

Resource:    c:\usr\net\servers\lanman\shares\share1
Owner:       server1.dom\Administrators
Name:                               Permissions:
-------------------------------------------------------------------------------
*Administrators                     FullControl(All)(All)
*Everyone                           Read(RX)(RX)
peter                               AddRead(RWX)(RX)

When the ASU server displays resource permissions, it designates groups with an asterisk ( * ).

NTFS Permissions on files in a directory can be set to NotSpecified. This means that by default no permissions will be set for that user or group to the files that are present in the directory or that are created after setting this permission. A group or user cannot use files in the directory unless access is granted by another method such as setting permissions that grant access on individual files.

When you are setting permissions on a directory, you can use the CREATOR OWNER special group to allow users to control only the subdirectories and files that they create within the directory. Permissions set on CREATOR OWNER are transferred to the user who creates a directory or file within the directory. To change permissions on the directory, you must be the owner of the directory or have been granted permission to do so by the owner.

Note

By default, Windows NTFS permissions grant read and execute permission to the Everyone group, of which every domain user account is a member. You must grant Windows NTFS write permission to the domain user or group account that will write files to the disk share.

4.5.2.1    Controlling ASU and ACLs

How the ASU server creates and uses ACLs depends on the values assigned to the ACL-related entries in the FileServiceParameters registry subkey. Table 4-8 describes ACL-related registry value entries.

Table 4-8:  ACL Value Entries

Entry Description and Default Value
AclCacheSize Specifies the number of entries in ACL cache, which tracks the results of recent access checks performed on ASU resources. Default: 6
ForceDirectoryAcl Determines whether or not the ASU server creates an access control list for a newly created directory if the client computer does not provide an explicit ACL. If an ACL is not created, one is inherited from its parent directory. Default: 1 (create new ACL)
ForceFileAcl Determines whether or not the ASU server creates an access control list for a new file if the client computer did not provide an explicit access control list. If an access control list is not created, one is inherited from its parent directory. Default: 0 (will not create new ACL)
HomeDirectoryAccess Specifies whether or not to add a full access (RWXDPO) control entry for the user on the user's Tru64 UNIX home directory when you create a domain user account. Default: 1 (add access control entry for user)
SyncAclFileOnWrite Determines whether or not changes to the ACL are forced to disk using an fsync(2) system call when the ACL is updated. Default: 0 (ACL changes are not forced)
UnixAclSupport

Allows the ASU server to use Tru64 ACLs in addition to NTFS user and group permissions.

This entry is supported only on systems running the Tru64 UNIX Version 5.0A and higher software.

Default: 0 (do not use Tru64 UNIX ACLs)

Table 4-9 describes ASU ACL related commands.

Table 4-9:  ASU ACL Commands

Command Purpose
/usr/sbin/acladm Create, check, manage, move, remove, and trim the ACL database.
/usr/sbin/acldump Dump the ACL database to an ASCII file.
/usr/sbin/chacl Change ACL information on objects.
/usr/sbin/aclload Load the ACL database from an ASCII file.
/usr/sbin/lsacl Display ACLs placed on objects (files and directories).
/usr/sbin/rmacl Removes ACLs on objects.

See acladm(8) for more information on the acladm command.

4.5.2.2    Restoring ASU ACLs

You can restore ASU ACLs from a backup copy of an ACL store. You do not need to stop the ASU server to restore ASU ACLs from backup. Follow these steps to restore a file and its corresponding ASU ACLs:

  1. Restore the file from backup.

  2. Restore the ACL store file (/usr/net/servers/lanman/datafiles/acl) from the same date as the backed up file to a different filename, for example may10.acl.

  3. Enter the following command to restore the ASU ACLs:

    # acladm -M -i ACL_store_file -v /path/filename
    

    For example, to restore the ASU ACLs in the may10.acl file for the /usr/temp file, enter:

    # acladm -M -i may10.acl -v /usr/temp
    

4.5.2.3    Setting Windows NTFS Permissions

You set Windows NTFS permissions by using either:

4.5.2.3.1    Using the net perms Command

The syntax of the net perms command to set Windows NTFS permissions is as follows.

# net perms c:/path [/GRANT name:permissions | /CHANGE name:permissions | /REVOKE name | /TAKE]

To display the Windows NTFS permissions for a file or directory called project1, enter:

# net perms c:/usr/net/servers/lanman/shares/project

To grant the group called project1 the Windows NTFS write permission to a file or directory called project, enter:

# net perms c:/usr/net/servers/lanman/shares/project /grant project1:w

4.5.2.3.2    Using the Windows Explorer GUI

Follow these steps to allow the project1 group the Windows NTFS write permission:

  1. Start the Server Manager (srvmgr.exe).

    Install the Server Manager GUI on the Windows system from which you will administer the ASU server. See Section 1.8 for information on installing the Server Manager GUI.

  2. Start the Windows Explorer (explorer.exe).

  3. Connect to the disk share (if necessary) and display its properties.

    The Properties window is displayed for the disk share.

  4. Click on the Security tab, then click Permissions.

    The Directory Permissions window is displayed.

    To change a permission, select a group or user account in the Name window, and then select either the Special Directory Access or Special File Access permission from the Type of Access list. A Special Directory or File Access dialog box is displayed from which you select Windows NTFS permissions.

    To add a group or user account to the list of those granted permissions for this shared directory, click Add and complete the Add Users and Groups dialog box that appears.

    To remove a group or user account from the list of those granted permissions for this shared directory, select a group or user account in the Name window, and then click Remove.

4.5.3    Setting Tru64 UNIX Permissions

By default, subdirectories created in a disk share have the following Tru64 UNIX permissions:

By default, files created in a disk share have the following Tru64 UNIX permissions:

When you use the lmshare command to create a share, you can set the default Tru64 UNIX permissions in octal format for newly created files and directories in the share. The lmshare command prompts you for the per share Tru64 UNIX file and directory permissions.

You can selectively change the file and directory permissions in a share by using the following commands:

See lmshare(8) and chmod(8) for more information on these commands.

You can permanently change the default permissions for new files and directories created in all shares by changing the value of the registry value entries described in Table 4-10. Permanently changing the default permissions overrides the overall system default file and directory permissions.

Table 4-10:  Disk Share Permission Value Entries

Entry Description and Default Value

UnixDirectoryPerms

Specifies the default Tru64 UNIX system permissions for newly created directories. Default: 0755 octal (493 decimal), which translates to -rwxr-xr-x

Set the value to 0 (zero) to specify that directories created in ASU shares inherit the Tru64 UNIX permissions from the parent directory.

UnixFilePerms

Specifies the default Tru64 UNIX system permissions for newly created files. Default: 0644 octal (420 decimal), which translates to -rw-r--r--

Set the value to 0 (zero) to specify that files created in ASU shares inherit the Tru64 UNIX permissions from the parent directory.

The registry editor uses decimal format to display the values of the UnixDirectoryPerms and UnixFilePerms entries. The Tru64 UNIX software uses octal format to specify directory and file permissions.

Changing the value of the UnixFilePerms and UnixDirectoryPerms registry entries takes effect when you restart the ASU server and applies only to newly created files and directories. Existing and renamed files and directories retain their original Tru64 UNIX permissions. The UnixDirectoryCheck registry entry, which can be set to bypass Tru64 UNIX security checking, does not affect the inheritance of permissions.
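The fallback chain described above and in Section 4.4.1 (per share value, then registry entry, then parent directory) together with the octal and decimal forms can be worked through as follows. This is an added example, not ASU code: the function names are hypothetical, and the inherit case simply returns the parent directory's mode, which is a simplification of what the server does.

```python
import stat


def describe(mode):
    """Octal, decimal (as the registry editor displays it) and symbolic forms of a mode."""
    return {
        "octal": format(mode, "04o"),
        "decimal": mode,
        # stat.filemode() prefixes a file-type character; use "-" as the guide does.
        "symbolic": "-" + stat.filemode(mode)[1:],
        "world_writable": bool(mode & stat.S_IWOTH),
    }


def effective_mode(per_share, registry_value, parent_mode):
    """Return (mode, source) for a newly created file or directory in a share.

    per_share      value set at the lmshare prompt or with lmshare -F / -D (0 = not set)
    registry_value UnixFilePerms or UnixDirectoryPerms (0 = inherit from parent)
    parent_mode    mode of the parent directory (assumed to be inherited unchanged)
    """
    if per_share:
        return per_share, "per share setting"
    if registry_value:
        return registry_value, "registry entry"
    return parent_mode, "inherited from parent directory"


def review_share(name, file_perms, dir_perms, registry, parent_mode):
    """List the cases where new objects in the share would be world-writable."""
    findings = []
    checks = (("files", file_perms, "UnixFilePerms"),
              ("directories", dir_perms, "UnixDirectoryPerms"))
    for kind, per_share, entry in checks:
        mode, source = effective_mode(per_share, registry[entry], parent_mode)
        info = describe(mode)
        if info["world_writable"]:
            findings.append(f"{name}: new {kind} are world-writable "
                            f"({info['octal']} {info['symbolic']}, {source})")
    return findings


# Registry defaults from Table 4-10.
REGISTRY_DEFAULTS = {"UnixFilePerms": 0o644, "UnixDirectoryPerms": 0o755}

if __name__ == "__main__":
    print(describe(0o755))
    # Values entered at the lmshare prompts in Section 4.4.1 (664 and 777).
    for finding in review_share("test1", 0o664, 0o777, REGISTRY_DEFAULTS, 0o755):
        print(finding)
```

Run against the values entered at the lmshare prompts in Section 4.4.1, the review reports that new directories in the test1 share are created world-writable.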

Follow these steps to use the regconfig registry editor to allow Tru64 UNIX permissions to be inherited from the parent directory. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Change the value of the UnixFilePerms entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters \
    UnixFilePerms REG_DWORD 0
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

4.5.3.1    Tru64 UNIX Groups or DOS Groups

By default, files created in a directory by a Tru64 UNIX user are owned by that user and the group ownership is listed as the user's default group.

Files created by domain users in a disk share are owned by the user's corresponding Tru64 UNIX account, and the Tru64 UNIX group ownership is listed as one of the ASU groups beginning with DOS-.

By default, the ASU server uses the DOS- groups to maintain DOS attributes for a file. For example, if the group ownership of a file is DOS-ash, the DOS attributes (archive, system, and hidden) are set. The fourth attribute, ReadOnly, is maintained by setting or clearing the Tru64 UNIX write permission.

You can configure the ASU server to use Tru64 UNIX groups instead of using the DOS- groups. However, users cannot set the archive, system, or hidden attributes on any file shared on the ASU server. Users will only be able to set the ReadOnly attribute.

Follow these steps to use the regconfig registry editor to configure the ASU server to use Tru64 UNIX groups instead of DOS groups. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Enable the UseUnixGroups entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters \
    UseUnixGroups REG_DWORD 1
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

4.5.3.2    Configuring the ASU Server to Not Check Tru64 UNIX Permissions

The ASU server must check Windows NT and Windows NTFS permissions; however, you can configure the ASU server to not check Tru64 UNIX permissions.

Follow these steps to use the regconfig registry editor to configure the ASU server to not check Tru64 UNIX permissions. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Enable the IgnoreUnixPermissions entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/AdvancedServer/FileServiceParameters \
    IgnoreUnixPermissions REG_DWORD 1
    

  2. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

4.6    Creating Personal Disk Shares for Users

By default, when you create a domain user account, the ASU server creates a subdirectory for the user in the /usr/users directory using the user's Tru64 UNIX account name and grants the user all Windows NT share, Windows NTFS, and Tru64 UNIX access permissions to their subdirectory.

By default, the /usr/users directory is associated with the USERS special disk share. You do not need to create individual disk shares for each user, because each user automatically has a subdirectory in the USERS disk share.

Users connect to the \\server\users disk share from their Windows system and browse to their directory. Users can view other users' directories, but have permission to access only their own directory.

If you use a Tru64 UNIX directory other than /usr/users for the users' home directories, you should redirect the USERS disk share to the new location. To redirect a share you must delete the share and recreate it.

Optionally, you can configure the ASU server to automatically:

The ASU server creates a personal disk share as a hidden disk share mapped to the user's UNIX home directory. The ASU server will not create a personal disk share if the UNIX home directory does not exist or if there is an existing disk share with the same name. A hidden disk share has a name that ends with a dollar sign ($) and does not display when browsing the ASU server. For example, creating a Tru64 UNIX user account named peter will automatically create a personal disk share called peter$ mapped to peter's home directory. A user can connect to a hidden disk share by appending the dollar sign to the share name.

Follow these steps to use the regconfig registry editor to configure the ASU server to create, delete, and rename personal disk shares. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

  1. Ensure that the CreateUnixUser entry is enabled, which it is by default.

    See Section 2.2 for information on displaying registry entry values.

  2. Enable the CreatePersonalShare entry by entering the following command:

    # regconfig SYSTEM/CurrentControlSet/Services/\
    AdvancedServer/UserServiceParameters \
    CreatePersonalShare REG_DWORD 1

  3. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server

4.7    Creating a Disk Share for a Remote File System

On a Tru64 UNIX system that is running the ASU server, you can create a disk share for directories that are NFS-exported by systems other than Tru64 UNIX. To do so, you must:

4.7.1    Running the NFS Service with the Lock Option

On most UNIX systems, you can enter the following command to determine if the NFS service is running:

# ps -ef | grep nfs

Information similar to the following is displayed if the NFS service is running:

Root 297 1 0.0 May 01 ?? 0:00.01 /usr/sbin/nfsiod 7

Enter the following command to determine if NFS locking is enabled on a UNIX system:

# ps -ef | grep lockd

Information similar to the following is displayed if locking is enabled:

Root 7417 1 0.1 08:33:57 ?? 0:00.08 /usr/sbin/rpc.lockd

4.7.2    Enabling the UseNfsLocks Entry

The UseNfsLocks entry specifies whether or not the ASU server tries to set Tru64 UNIX system record locks in files as requested by clients.

When this value entry is enabled, make sure that the rpc.lockd and rpc.statd daemons are running on the NFS server or on the Tru64 UNIX system on which the ASU server is running. If these daemons are not running, the ASU server might stall or data might be lost.

By default, the UseNfsLocks entry is enabled.

To check the value of the UseNfsLocks entry, enter:

# regconfig SYSTEM/CurrentControlSet/Services/\
AdvancedServer/FileServiceParameters UseNfsLocks

4.7.3    Exporting File Systems

Ensure that the UNIX system is exporting the file system.

To verify whether or not a file system is exported, enter:

# /sbin/mount

A list of exported file systems is displayed. Follow these steps if the file system is not displayed:

  1. Edit the /etc/exports file to add the entry.

  2. Close the /etc/exports file.

  3. Enter the following command:

    # exportfs

4.7.4    Mounting Remote Directories

To mount remote directories on a Tru64 UNIX system, use the following syntax to include an entry for each remote directory in the /etc/fstab file:

file-spec mnt-point fs-type mnt-options backup fsck

In this syntax statement:

The file-spec variable is the full pathname to the remote directory.

The mnt-point variable is the mount point for the remote directory.

The fs-type variable is the type of file system, which is nfs for the purpose of this service.

The mnt-options variable is a list of options (separated with commas) associated with the directory, such as the:

The backup option is used by the dump command to determine which file systems to back up. This is not applicable to NFS. Set this option to zero (0).

The fsck option is used by the fsck command to determine the order in which to check file systems at reboot time. This is not applicable to NFS. Set this option to zero (0).

The following is a sample entry in the /etc/fstab file:

If necessary, create and then mount the remote directory by using the mount command or the automount utility.

The mount command mounts the directory in the /etc/fstab file that you specify. For example:

# mount /repository

The automount utility mounts all the entries in the /etc/fstab file. You start the automount utility from the command line or by running the nfssetup utility and answering yes when prompted to run the automount daemon.

4.7.5    Enabling LanManager Only Security for NFS Shares

The ASU server now allows for LanManager-only security for NFS shares. With LanManager-only security, ASU users are not restricted from accessing files and directories because of Tru64 UNIX permissions. Files and directories created by an ASU user appear as if they were created by a Tru64 UNIX user.

To enable LanManager-only security:

  1. Export the NFS file system (usually in the /etc/exports file) with the following entry:

    /nfs -root=0

  2. Set the value for the ASU registry entries as described in the following table:

    Registry Entry Value
    IgnoreUnixPermissions 1
    UnixDirectoryCheck 2
    UseUnixGroups 1
    UseUnixLocks 1

    For example, to use the regconfig registry editor to enable the IgnoreUnixPermissions entry, enter the following command. The backslash ( \ ) at the end of a line indicates continuation. Enter the entire command, then press the Enter key.

    # regconfig SYSTEM/CurrentControlSet/Services/\
    AdvancedServer/FileServiceParameters \
    IgnoreUnixPermissions REG_DWORD 1

  3. Restart the ASU server by entering the following commands:

    # net stop server

    # net start server
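A check an administrator could run to see whether a server is in the LanManager-only configuration from the steps above, in which Tru64 UNIX permissions no longer restrict ASU users. This is an added example, not part of the original guide: the values-file layout (one entry name and value per line, as in the table in step 2) and the function names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit for the LanManager-only configuration of Section 4.7.5.
# Input formats are assumptions: a values file with "EntryName value" per line
# (the layout of the table in step 2) and an exports file in /etc/exports form.

# Print each table entry whose recorded value equals the LanManager-only value.
lanman_matches() {
    awk '
        BEGIN { want["IgnoreUnixPermissions"] = 1; want["UnixDirectoryCheck"] = 2
                want["UseUnixGroups"] = 1;         want["UseUnixLocks"] = 1 }
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        ($1 in want) && $2 == want[$1] { print $1 }
    ' "$1" | sort -u
}

# Print the directories exported with the -root=0 option from step 1.
root0_exports() {
    awk '/^[ \t]*(#|$)/ { next }
         { for (i = 2; i <= NF; i++) if ($i ~ /^-(.*,)?root=0(,|$)/) { print $1; break } }' "$1"
}

# "lanman-only" when all four entries match and a -root=0 export exists,
# "partial" when only some conditions hold, "unix-checked" when none do.
lanman_state() {
    n=$(lanman_matches "$1" | wc -l | tr -d ' ')
    r=$(root0_exports "$2" | wc -l | tr -d ' ')
    if [ "$n" -eq 4 ] && [ "$r" -gt 0 ]; then echo lanman-only
    elif [ "$n" -gt 0 ] || [ "$r" -gt 0 ]; then echo partial
    else echo unix-checked
    fi
}

# Constructed sample data (not from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/values" <<'EOF'
IgnoreUnixPermissions 1
UnixDirectoryCheck 2
UseUnixGroups 1
UseUnixLocks 1
EOF
cat > "$demo_dir/exports" <<'EOF'
# constructed exports file
/nfs -root=0
/usr/local -ro client1
EOF
lanman_state "$demo_dir/values" "$demo_dir/exports"
```

A result of partial is worth reviewing by hand, since it means some of the four entries or the export were changed without the rest.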

4.8    Deleting a Disk Share

When you delete a disk share, only the association of the share name to the Tru64 UNIX directory is deleted; the associated Tru64 UNIX directory and its contents are not deleted. To delete a disk share you can use either:

4.8.1    Using the net share Command

You enter a net command in lowercase at the Tru64 UNIX command prompt on a system running the ASU software. Press the Enter key at the end of the entire command.

To delete a disk share, enter:

# net share sharename /delete

For example, to delete a disk share called project, enter:

# net share project /delete

4.8.2    Using the Server Manager

Follow these steps to delete a disk share using the Server Manager:

  1. Start the Server Manager GUI (srvmgr.exe).

    Install the Server Manager GUI on the Windows system from which you will administer ASU. See Section 1.8 for information on installing the Server Manager GUI.

  2. Choose Select Domain... from the Computer menu.

    The Select Domain dialog box is displayed.

  3. In the Domain: field, enter the name of the domain in which you want to create the group and click on the OK button.

  4. Choose Shared Directories... from the Computer menu.

    The Shared Directories dialog box is displayed.

  5. Click on the name of the share that you want to delete.

  6. Click on the Stop Sharing button.