The NCP Server Console (ncpcon(8)) is a management utility for NCP Server on Open Enterprise Server. The man page for NCPCON is located in the /usr/share/man/man8 directory. To view the man page when you are at the server console, enter man ncpcon at the terminal console prompt.
Section A.1.3, Starting and Stopping NCPCON Interactive Mode
Section A.1.11, Managing File System Trustees and Trustee Rights for NCP Volumes
Section A.1.13, Renaming a Mount Point Path for a Clustered NSS Volume
Section A.1.15, Managing NCP Server Wait Time for Trustee Cache Build
Section A.1.16, Purging Deleted Files on NSS Volumes on Linux
Section A.1.23, Managing Dynamic Storage Technology on OES Cluster Services for Linux Clusters
The NCPCON utility can be used in three modes:
Open a terminal console, log in as the root user, then enter
ncpcon
This opens the NCPCON interactive console in the terminal console where you can enter the NCP Server console commands. Enter exit to stop the interactive mode.
For command line mode, issue an NCP Server command at a terminal console prompt by prefacing the command with ncpcon:
ncpcon [command]
For example:
ncpcon mount sys
Escaping the quote character is not required when entering the command from the NCPCON prompt or console command prompt. For example, the send command is entered as follows from the NCPCON prompt:
send "hello world" to all
For example, the send command is entered as follows from the console command prompt:
ncpcon send "hello world" to all
For scripting mode, if the file path or trustee name contains space, enclose them with double quotation marks:
ncpcon "[command]"
For example:
ncpcon rights add vol1:"dir 1/dir2" "test user.novell" rwcmef ncpcon rights add "vol1:dir 1/dir2" "test user.novell" rwcmef
It's optional to use double quotation marks if the file path or trustee name does not contain space.
For example:
ncpcon rights add vol1:dir1/dir2 testuser.novell rwcmef ncpcon rights add "vol1:dir1/dir2" "testuser.novell" rwcmef
Use this command to list the NCPCON console commands. To get specific help for a command, type help and the command.
Examples
help
help mount
help remove volume
Use this command to start the NCPCON interactive mode.
Example
ncpcon
Use this command to exit the NCPCON application when you are in the interactive mode. The command is not used in the command line/scripting mode.
Example
exit
Use the commands in this section to manage the NCP Server service on your OES server.
Displays the NCP Server configuration information such as the server name, server version, product version, NCP version, mixed-mode paths status (yes/no), and commit files status (yes/no).
Example
config
Use this command to display NCP statistics, including the following:
Server up time
Packets in
Packets dumped
Packet receive buffer memory
Packet reply buffer memory
NCP requests
NCP connections in use
Connection table memory
Mounted volumes
Number of open files
Local ID tracking
File handle memory
Volume SYS: file and subdirectory caching memory
Volume SYS: trustee and inherited rights mask tracking memory
Example
stats
This command displays version information for all currently running OES NCP Server components, the OES build, and the hardware platform.
Example
version
Use this command to view or set current NCP server system parameters.
Example
set
NCPCON supports the bind and unbind commands for use with OES Cluster Services for Linux on an OES server.
Use these commands in load or unload scripts when you want to configure the NCP access for files in a cluster resource that can be moved or failed over to another node in the cluster. NCP is required for NSS volumes, NCP volumes on Linux POSIX file systems, and Dynamic Storage Technology shadow volumes.
SLP must be configured on the server where the bind command is issued. When the SLP daemon (slpd) is not installed and running on a cluster node, any cluster resource that contains the ncpcon bind command goes comatose when it is migrated or failed over to the node because the bind cannot be executed without SLP. For more information on software requirements for SLP for cluster services, see SLP
in the OES 23.4: OES Cluster Services for Linux Administration Guide
.
For information about configuring and managing OES Cluster Services for Linux, see the OES 23.4: OES Cluster Services for Linux Administration Guide.
Binds the specified cluster resource name. Use this command to assign an IP address to the NCP Server cluster resource name.
Example
bind oes_11_cluster 192.168.1.1
In a cluster load script, use the following syntax:
exit_on_error ncpcon bind --ncpservername=oes_11_cluster --ipaddress=192.168.1.1
Unbinds the specified cluster resource name. Use this command to remove the assignment of an IP address from the NCP Server cluster resource name.
Example
unbind oes_11_cluster 192.168.1.1
In a cluster unload script, use the following syntax:
ignore_error ncpcon unbind --ncpservername=oes_11_cluster --ipaddress=192.168.1.1
Use the commands in this section to configure the number of concurrent NCP threads and to verify the current NCP utilization.
This parameter indicates whether CPU affinity is enabled for NCP.
The administrator can enable CPU Affinity by considering other services hosted on the same system. On an OES system when the other file access protocol like CIFS and other services like GroupWise, DNS, DHCP, or iManager reduces the number of CPUs available to other services. The CPU affinity is applied to SSG threads in NCP Server for improving the encryption performance. When the Enabling CPU affinity, NCP will reserve 50% of system CPUs.
NOTE:To enable CPU Affinity, the number of system CPUs must be four or more.
For example, the total number of CPUs are 16, then 8 CPUs will be used with 8 Fixed SSG threads (by bringing down from fixed 40 number of SSG threads).
To enable this feature, set NCP_CPU_AFFINITY=1 from ncpcon and restart the ndsd. CPU Affinity has to be enabled on OES servers and used as a file server without enabling other services like DNS, DHCP, and Doing this, it is ensured that other services are not starved of CPUs.
Default: 0, Valid Values: 0 and 1.
The value ranges between 0 to 5000 in milliseconds. This avoids the lock collision when the LockTimeout is sent as 0 in a Byte Range Request from the client
Sets the number of additional SSG threads (above the fixed 25 NCP threads) that can be used to serve incoming NCP file service requests. These threads are used when the fixed 25 NCP threads are busy and taking more than expected time to finish.
Default: 25. Valid Range: 7 to 103.
Sets the maximum number of the Async eDirectory NCP request threads that can be created. Default: 50. Valid Range: 25 to 384.
Allows you to verify the current number of concurrent NCP threads running on the server. Use this command to verify the settings that you make for the ADDITIONAL_SSG_THREADS and CONCURRENT_ASYNC_REQUESTS settings.
Example - NCP SSG Thread Statistics
Total Number of Active SSG Threads: 13 Max Number of Additional SSG Threads (over and above fixed 25 NCP Threads): 12 Total Number of NCP Streams: 20 Current Average Load per Thread: 1.54 Peak Number of Active SSG Threads: 25 Peak Number of NCP Streams: 2148 Peak Average Load per Thread: 85.92
Total Number of Active SSG Threads: The currently active SSG threads.
Max Number of Additional SSG Threads (above the fixed 25 NCP threads): When all 25 fixed SSG threads are exhausted, this number defines the additional number of threads that can be created to serve other incoming NCP file service requests. This value can be modified by using the ncpcon set ADDITIONAL_SSG_THREADS=value command. Default=25. Valid Range: 7 to 103.
Total Number of NCP Streams: The current number of NCP connections that have been handled by the Active SSG threads.
Current Average Load per Thread: The current average load of NCP connections on the Active SSG threads.
Peak Number of Active SSG Threads: The highest number (peak) of the Active SSG threads.
Peak Number of NCP Streams: The highest number (peak) of NCP streams.
Peak Average Load per Thread: The highest number (peak) of streams per thread.
Example - Async (eDir) Threads and Requests Statistics
Number of Running Threads: 0 Max Thread Size: 25 Thread Peak Size: 25 Number of Queued Requests: 0 Queued Requests Peak Size: 174
Number of Running Threads: The currently running number of Async threads that can handle eDirectory requests.
Max Thread Size: The maximum number of the Async threads that can be created. This value can be modified by using the ncpcon set CONCURRENT_ASYNC_REQUESTS=value command. Default: 50. Valid Range: 25 to 384.
Thread Peak Size: The highest number (peak) of Async threads the server required so far. This number is reset when the service is restarted.
Number of Queued Requests: The number of queued eDirectory requests (after the Async threads are exhausted).
Queued Requests Peak Size: The highest number (peak) of eDirectory requests that have been queued so far (after the Async threads are exhausted).
Use this command to print information about mounted volumes.
Examples:
ncpcon volumes
This command displays a list of currently mounted NCP volumes.
ncpcon volume volume_name
This command displays details of the specified volume.
ncpcon volumes /v
This command displays a list of currently mounted NCP volumes along with the NCP volume IDs.
ncpcon volumes /s
Displays volume size details.
This parameter indicates whether auditing support is enabled for NCP. The default value is 0 and it indicates that auditing is turned off.
Default: 0. Valid Values: 0 and 1.
When an NCP volume lock is held more than the configured time, NCP server displays a message in the ncpserv.log file with the relevant details.
Default: 0. Valid Values: 0 to 10000 msec.
Use the commands in this section to create, manage, or remove NCP volumes for Ext3 and Reiser file systems on your OES Linux server. NCP volumes use the OES Trustee Model for controlling user access to files. Users access the volume by using the Client for Open Enterprise Server.
Display the current volume options setting for the specified volume, or change the setting for a specified option on the specified volume. Issuing the command is a toggle for the setting, turning it on or off, depending on its current value.You must dismount the volume before you can change its options settings with this command.
This command cannot be added to a cluster load script.
Option
This is disabled by default. When this setting is disabled, only the root user and the owner of the file can access the volume as local users in a Linux environment. Disabling the POSIX inheritance is the most secure setting because NCP volumes use the OES Trustee Model for file system access control.
If this option is enabled on a volume, the POSIX permissions are permitted to be inherited from parent directories. If POSIX inheritance is enabled, local access in the Linux environment by users who are not authenticated via NetIQ eDirectory can create security problems.
Examples
To view the current setting, enter the following at the console command prompt:
ncpcon change volume sys
To enable Inherit POSIX Permissions on the sys: volume, start NCPCON by entering ncpcon at the console command prompt, then enter the following at the ncpcon prompt:
dismount sys
change volume sys Inherit_POSIX_Permissions on
mount sys
exit
Use this command to create an NCP volume by defining an NCP share on an existing POSIX file system on your Linux server. This command creates a Volume object in NetIQ eDirectory, and associates the volume name to a path on your server when using file system types other than the Storage Services (NSS) file system.
This command does not remove or delete data in the mount point location. It adds the NCP volume’s volume name and mount information to the NCP Server configuration file (/etc/opt/novell/ncpserv.conf).
Replace ncp_volumename with the name for the volume.
Replace path with the path to an existing folder on the Linux server that is used as the mount point for the NCP volume. The folder must be on a Linux POSIX file system volume.
After creating the NCP volume, you must mount it to make it accessible to NCP clients.
Example
create volume vol1 /media/ncpvolumes/vol1
Use this command to dismount a specified NCP volume on your Linux server, or to dismount all NCP volumes on your Linux server.
Examples
To dismount the NCP volume named VOL1, enter
dismount VOL1
To dismount all NCP volumes, enter
dismount all
Use this command to mount an NCP volume on your Linux server. This command makes the NCP volume accessible to NCP clients.
Replace volumename with the name of the volume, such as VOL1. To mount all volumes, replace the volume name with all.
Replace volume_id with a value from 0 to 254 as the server volume ID. It is not necessary to manually specify a volume ID for a locally mounted volume. NCP automatically assigns unique volume IDs to locally mounted NCP volumes and NSS volumes in increasing order, from 0 to 254. IDs 0 and 1 are reserved for the sys and _admin volumes. When the command is used in a cluster resource script, the volume ID must be specified to ensure that the volume ID is unique across all cluster nodes where the volume will be mounted. By convention in clusters, the volume IDs are assigned in decreasing order, from 254 to 0.
For an NCP volume created on a Linux POSIX file system, replace /volume_mntpoint with the Linux path of the mount point for the NCP share. Typically, this path is mount point of the Linux volume; that is, the share is created at the root of the Linux volume.
If an NCP volume is mounted locally, the mount path is stored in the /etc/fstab file, so it is not necessary to specify a mount path. For example:
ncpcon mount VOL1
The mount path for the NCP volume is required in a cluster resource. For example, if you use NSSMU to create and NCP enable a clustered Linux LVM volume 'myvol' with a mount point of /usr/novell/myvol, the NCP volume name (share name) is MYVOL, and the resource load script includes the following definitions for variables used in the command:
# define the mount point path of the Linux volume
MOUNT_PATH=/usr/novell/myvol
# define the NCP volume name
NCP_VOLUME=MYVOL
exit_on_error ncpcon mount $NCP_VOL=253,path=$MOUNT_PATH
For an NSS volume, the default mount path is /media/nss/<nss_volume_name>. For example, if you create a volume named USERS, the default mount path is /media/nss/USERS. If you use the default path for NSS volumes, it is not necessary to include the path option for local mounts:
ncpcon mount USERS
A volume ID must be specified in a cluster load script:
exit_on_error ncpcon mount USERS=252
In a cluster, you cannot rename the mount point path. The default mount point path of /media/nss/<volume_name> applies.
exit_on_error ncpcon mount volumename=volume_ID
For example:
exit_on_error ncpcon mount USERS=252
The volume is mounted at /media/nss/USERS.
Use this command to remove the NCP volume and path association. This command does not remove or delete data from the mount location. This command removes the NCP volume mount information from /etc/opt/novell/ncpserv.conf configuration file.
Example
remove volume VOL1
Displays a list of currently mounted NCP volumes. You can also specify a specific volume name with the command to get information about that volume.
Examples
volumes
volume VOL1
Displays a list of currently mounted NCP volumes and information about them. For example, if the volume is a Dynamic Storage Technology shadow volume pair, it identifies the Linux paths of its primary and secondary volumes.
Example
volume data
This command disables write permission on files in the specified volume. The broadcast message is optional, but if any message is sent to all the clients accessing the specified volume.
NOTE:Executing this command closes any files that are opened for writing.
Example
disable write VOL1 Closing all open files on this volume.
Use this command to enable write permissions on a volume that has been previously disabled for writing by using the disable write command.
The broadcast message is optional, but if any message is sent to all the clients accessing the specified volume.
Example
enable write VOL1 Files on this volume can now be edited.
Use the commands in this section to manage file system trustees and trustee rights for NCP volumes for Linux POSIX file systems on your OES server. NCP volumes use the OES Trustee Model for controlling user access to files.
Allows you to view, add, or remove trustees and trustee rights for a specified path. Replace fdn with the typeless fully distinguished name (username.context) of the trustee, such as bob.example. Replace options with all, none, or the combination of rights to assign for the specified trustee. List the rights together without spaces or commas, such as RF. If the file path or trustee names contain spaces, ensure to enclose them within double or single quotes. For visibility, users need the Read and File Scan rights.
Options
All rights
No rights
Supervisor
Read
Write
Create
Erase
Modify
File scan
Access control
Examples
rights view sys:login
rights view "vol1:login dir1/dir2"
rights view "vol1:/login/dir 1/", rights view 'vol1:/login/dir 1/'
rights add users:bob bob.example RF
rights add "vol1:dir 1" bob.example RF
rights add "vol1:dir1" "bob christo.example" RF
rights add "vol1:dir 1" "bob christo.example" RF, rights add 'vol1:dir 1' 'bob christo.example' RF
rights remove users:bob bob:example
rights remove "vol1:dir 1" bob.example
rights remove vol1:dir1 "bob christo.example"
rights remove "vol1:dir 1" "bob christo.example", rights remove 'vol1:dir 1' 'bob christo.example'
Displays or sets the inherited rights mask on the specified path. Specify both the NCP volume and directory in the NetWare path format, such as volname:dir1/dir2. Replace mask with the mask options all, none, or the combination of rights to block from being inherited. List the rights together without spaces or commas, such as SAE. If the file path or trustee names contain spaces, ensure to enclose them within double or single quotes.
MASK OPTIONS
All rights
No rights
Supervisor
Read
Write
Create
Erase
Modify
File scan
Access control
Examples
irm view sys:login
irm view "vol1:login dir1/dir2"
irm view "vol1:/login/dir 1/", irm view 'vol1:/login/dir 1/'
irm set vol1: SA
irm set vol1:dir1 RF
irm set "vol1:dir 1/dir 2" RF, irm set 'vol1:dir 1/dir 2' RF
Use the following load script to mount NSS volumes in a cluster resource.
ncpcon mount <VOLUMENAME>=<VOLUMEID> ncpcon mount /opt=ns=LONG <VOLUMENAME>=<VOLUMEID> ncpcon mount /opt=ns=UNIX <VOLUMENAME>=<VOLUMEID>
You can modify the load and unload scripts to specify a non-standard mountpoint path for a clustered NSS volume. It requires using Linux commands in the scripts. For instructions, see Renaming the Mount Point Path for a Shared NSS Volume (Using a Custom Mount Point for a Shared NSS Volume) in the OES 23.4: OES Cluster Services for Linux Administration Guide.
This parameter allows you to configure the keep-alive timeout for all the TCP client connections accepted by the NCP server. Based on this parameter, the TCP keep-alive packet is sent by the server if the client is inactive for the configured amount of time.
This parameter also helps the NCP server to clear unwanted connections. The actual time taken to clear the unwanted NCP connections also depends on other system-wide TCP keep-alive parameters, like net.ipv4.tcp_keepalive_probes and net.ipv4.tcp_keepalive_intv.These parameters can be controlled using the sysctl command.
ncpcon set NCP_TCP_KEEPALIVE_INTERVAL=<value>
Default: 8 minutes. Valid Range: 3 minutes to 240 minutes.
This parameter allows you to configure the time in seconds that the NCP server waits for the completion of trustee cache build during volume mount. If trustee cache build takes a longer time, NCP server does not wait any longer than this configured time and continues with further activities of volume mount.
If the parameter is set to a lower value, the volume mount may complete faster but the users accessing the data on that volume may experience access failure. Because, the trustee cache build is not complete yet.
If the parameter is set to a higher value, the volume mount may take a longer time to complete but the users are unlikely to experience access failure on accessing the data on that volume. Because, the trustee cache build would be complete by the time the volume mounts.
In your environment if only CIFS is used for file access and not NCP, you can set this parameter to 1 so that the volume mount is completed faster. The users do not experience any access failure too.
This parameter can be helpful in reducing the time taken for a cluster resource migration.
ncpcon set NCP_TRUSTEE_BUILD_WAIT_TIME=<value>
Default: 7 seconds, Valid Range: 1 second to 30 seconds.
Use this command to purge or permanently remove deleted files from an NSS volume on Linux. This command works only with NSS volumes where the Salvage attribute has been previously enabled.
Example
purge volume vol1
Use the commands in this section to enable or disable login for NCP clients to the Linux server.
Use this command to prevent NCP clients from logging in to the Linux server.
Example
disable login
Use this command to allow NCP clients to log in to the Linux server.
Example
enable login
Use this command to send a message to logged-in NCP clients. Replace text_message with a message of up to 252 characters and spaces. Specify multiple logged-in stations by separating the connection numbers with commas and no spaces. Specify all to send the message to all logged-in users.
To find the connection number assigned to a user’s connection, use the connection commands in Section A.1.19, Managing NCP Server Connections.
Example
To issue the command at the ncpcon prompt:
send "Hello, world" to 1 send "Hello, world" to 1,2,4 send "Hello, world" to all
To issue the command at the terminal console prompt:
ncpcon send "Hello, world" to 1 ncpcon send "Hello, world" to 1,2,4 ncpcon send "Hello, world" to all
Use the connection commands in this section to display the NCP Server connection information for all current connections, or for a given connection. You can also display a list of the connections and clear the connections. The general syntax is:
connection [list | connection_number | clear connection_number | clearALL except connection_number]
Displays an overview of current NCP Server connection information.
Parameter |
Description |
---|---|
Connection Slots Allocated |
Displays the number of slots currently allocated for use. As connection slots are required on this server that exceed the current number of slots displayed here, new slots are allocated. Depending on the server’s memory, connection slots are usually allocated in blocks of 16. Connection slots are allocated as needed by users and other services. |
Connection Slots Being Used |
Displays the number of connection slots currently in use. As this number matches or exceeds the Connection Slots Allocated entry, more connection slots are allocated to the connection table. |
Signing Level |
Displays the level at which NCP packet signature signing is set on the server. NCP packet signatures prevent packet forgery by requiring the server and the workstation to sign each NCP packet. A higher packet signature number impacts the performance of your server. At some point, the need for security might outweigh certain performance issues. |
Login State |
Displays whether users are allowed to log in to the server. To disable users from being able to log in to the server (for server maintenance or other reasons), enter disable login at the NCPCON prompt, or enter ncpcon disable login at a terminal console prompt. To allow users to log in to the server, enter enable login at the NCPCON prompt, or enter ncpcon enable login at a terminal console prompt. |
Licensed Connections |
Displays the number of connections that are currently licensed. Licensed connections are authenticated, logged in, and consume a license. An unlicensed connection does not consume a license and can be authenticated or not. An unlicensed, authenticated connection can access the eDirectory database but cannot access any other resources. |
Not Logged In Connections |
Clears all user connections that are open, but not currently authenticated to the server. Use this parameter to clear all user that are not logged in. |
Example
connection
Displays a list of all current NCP Server connections along with connection type information.
The general syntax for the ncpcon connection list command is:
connection list [/m | /e | /n]
Operations: Only one option at a time can be used with connection list. For example, connection list /m.
Displays a list of Multi-factor Authentication (MFA) NCP connections including MFA encrypted and MFA non-encrypted connections.
Displays a list of encrypted NCP connections including MFA encrypted and non-MFA encrypted connections.
Displays a list of non-MFA and non-encrypted NCP connections.
Parameter |
Description |
---|---|
Station |
Shows the connection number for each connection. Connection 0 is the connection used by the server. The server’s operating system uses connection numbers to control each station’s communication with other stations. Remote Manager does not distinguish connections that don’t count against the server’s connection limit. |
Login Time |
Shows the login day, date, and time for the connection. |
Reads & Writes |
Shows the number of reads and writes (in bytes) made by the connection. |
Requests |
Shows the number of NCP requests made by the connection. |
Name |
Shows the name of the user, server, service, or login status and links to specific information about that user connection such as the login time, connection number, network address, login status, number of NCP requests, files in use, and security equivalence. Connections with an asterisk (*) displayed next to the name indicate an unlicensed connection (it does not consume a license). These licenses can be either authenticated or not authenticated. An unlicensed, authenticated connection can access the NetIQ eDirectory database but not other server resources. From this detailed Connection Information page, you can also clear the connection or send a message to the user. |
Encrypted |
Shows the encryption status of the connection. If "yes" the connection is encrypted and "no" then the connection is not encrypted. |
MFA |
Shows whether the connection is enabled for MFA. If "yes" the connection is MFA and "no" then the connection is non-MFA. |
Example
connection list /m
connection list /e
connection list /n
connection list
The switch /h interprets the number of bytes read or written in human readable format, that is, KB/MB/GB based on the size.
Examples
connection list /h
Displays detailed information about a specified NCP Server connection. Replace connection_number with the station of interest. You can find the station’s connection number from the report displayed by issuing the connection list command.
Parameter |
Description |
---|---|
Connection Number |
The station number for the connection. |
Authentication Method |
Shows the authentication method used if the connection is logged in. |
Login Time |
Shows the login day, date, and time for the connection. |
Encrypted |
Shows the encryption status of the connection. If "yes" the connection is encrypted and "no" then the connection is not encrypted. |
MFA |
Shows whether the connection is enabled for MFA. If "yes" the connection is MFA and "no" then the connection is non-MFA. |
Privileges |
Shows whether the connection has privileges, such as Supervisor or Console Operator. |
Connection Type |
Shows whether the connection is internal or external. |
Bytes Read |
Shows the total number of reads made by the connection. |
Bytes Written |
Shows the total number of writes made by the connection. |
NCP Requests |
Shows the total number of NCP requests made by the connection. |
IP Address |
Shows the IP address where the connection originates. |
Open Files |
Shows the files open for the connection. |
Security Equivalence |
Shows the name of the user, server, or service if it is logged in. |
Example
connection 1
Clears the NCP Server connection for a specified station. Replace connection_number with the station of interest. You can find the station’s connection number from the report displayed by issuing the connection list command.
Example
connection clear 1
These parameters help the NCP server to clear all user connections that are open. You can optionally specify connection numbers that you do not want to close in the exception list. NCP server exempts those connections from closing. Specify multiple connection numbers by separating them with commas.
This command will clear all connections except:
Connections that are mentioned in the exception list.
NCP server object connections.
Not Logged In connections (User connections that are open, but not currently authenticated to the server).
Even if you clear user connections using this command, connections get reestablished automatically. To use this command effectively, first disable users from being able to log in to the server, enter disable login at the NCPCON prompt, or enter ncpcon disable login at a terminal console prompt.
IMPORTANT:Use this command prudently. Otherwise, it might lead to unexpected complications.
Examples
To issue the command at the NCPCON prompt:
connection clearALL connection clearALL except 1 connection clearALL except 1,2
To issue the command at a terminal console prompt:
ncpcon connection clearALL ncpcon connection clearALL except 1 ncpcon connection clearALL except 1,2
Encryption and MFA enforcements on NCP servers allow security settings to be configured at the volume, path, and cluster resource levels. The NCP security options behave consistently across the tree and must be configured on all servers.
Grace Time option is introduced to gracefully terminate the non-encrypted connections. Grace time is not enforced at the volume, path, or cluster resource levels, but it is enforced at the server level. This eliminates data loss due to ungraceful file closures when the connections are closed. Established connections are secure, if encryption and multi-factor authentication (MFA) are enforced at the server level.
Data access is not terminated on unencrypted or non-MFA connections, however clear connections on encryption/MFA enforced channels are blocked. If all data in the enterprise requires an encrypted channel, enforce it at the server level. If only a portion of the data set requires encryption, enable it at the server level and enforce it at the volume or path level. Both encrypted and unencrypted connections are allowed.
MFA and encryption are applied on NSS volumes only.
NOTE:Beginning with OES 2018 SP3, NCP server-level encryption is enabled by default, and TLSv1.2 is supported. In OES 23.4, the encrypted connection between client and server supports both TLSv1.2 and TLSv1.3.
The encryption capability on NCP servers allows the client to establish a secure connection between the client and the server. The Client for Open Enterprise Server not having the encryption capability are blocked and connections originating from such clients are shutdown.
Use this command to enable, disable, or enforce encryption of file system communication on the NCP server.
Operation Options
Enables the encryption capability on the NCP server to establish a secure channel when the client is also encryption enabled. The clients without encryption (Clients older than Client for Open Enterprise Server 2 SP5) also can access files through unencrypted connection.
Disables the encryption capability on the NCP server. The client and server establishes a non-secure channel.
Enforces the encryption capability on the NCP server. This forces the clients to establish a secured channel with the server even if the client is not encryption enabled. This option is applicable only to file service requests and the drive mapping fails from non-encrypted Client for Open Enterprise Server.
IMPORTANT:Setting this option pulls down any unencrypted connections (existing or new) that sends the file service request. This in-turn may cause data loss if there are any open files on those connections.
During the grace period, encrypted or non encrypted connections are allowed based on the previous state. Once the grace period is over it will be in the enforced state.
Grace time option is applied only on changing state from:
Enable to Enforce
Disable to Enforce
Grace time should be specified in the range of 0 to 72 hrs.
NOTE:The send file support is not available when encryption is enabled or enforced. That is, setting SENDFILE_SUPPORT=1 with encryption enabled or enforced does not have any impact. Hence, it is recommended to set SENDFILE_SUPPORT=0, when encryption is enabled or enforced. Although for non-encrypted connections (with encryption disabled), SENDFILE_SUPPORT=1 will still be effective.
Syntax
To issue the command at the NCPCON prompt:
security encrypt enable
To issue the command at a terminal console prompt:
ncpcon security encrypt enable
Use this command to set the cipher’s ability to protect the data transmitted over the network. This is applicable when the encryption is enabled or enforced. This command at the cluster resource level individually enables or enforces encryption for all the volumes of cluster resources.
Operation Options
Sets the message authenticity security level to 64 bits or more. Key size limited to 128 bits cipher.
Sets the message authenticity security level to 80 bits or more. Key size is 128 bits or more.
Sets the message authenticity security level to 128 bits or more. Key size is 256 bit but due to the limitation of the TLS protocol the overall security level is 192 bits.
security cipher-strength high
The MFA capabilities on NCP servers allow the client (Client for Open Enterprise Server 2 SP5 or later) and the servers to establish a secure channel when Advanced Authentication is enabled. Multi-factor authentication support through Advanced Authentication Service integration.
Use this command to enforce Multi-factor Authentication (MFA) capability on the NCP server.
Operation Options
Enforces the MFA capability on the NCP server. The earlier Client for Open Enterprise Server even though having Advanced Authentication capability are blocked and connections originating from such clients are shutdown. This option is applicable only to file service requests and the drive mapping fails from non-MFA Client for Open Enterprise Server.
Disables the multi-factor authentication capability on the NCP server. The clients with or without Advanced Authentication establishes connection with the server and the file service requests continue as usual.
Use this command at volume level or path level and at cluster level on the NCP server individually to enable or enforce MFA for all the volumes of cluster resources.
During the grace period, MFA or non-MFA connections are allowed based on the previous state. Once the grace period is over it will be in the enforced state.
Grace time option is applied only on changing state from:
No to Enforce
Grace time should be specified in the range of 0 to 72 hrs.
NOTE:
To enforce encryption at a volume or path level the encryption must be enabled at server level. Encryption at server level is by default enabled in OES 23.4.
To enforce MFA at volume or path level the MFA capability must not be enforced at the server level. Both authenticated and non-authenticated connections are allowed if MFA is not enforced at the server level. This is by default not enforced at the server level.
Grace time feature is not available on enabling security enforce option.
If the Enforced/MFA folder is deleted from Client for OES, then the enforced/MFA setting on the folder gets revoked. On salvage operation, an administrator has to explicitly enforce the folder. Else the non-encryption/non-MFA clients will be able to access the enforced folder.
Security enforcement cannot be applied on SYS volume.
Operations
Enforces encryption on the volume/ cluster volume or path. On enforcing, only encrypted clients are able to access or perform file operations on the specified volume or path.
Encryption is no longer enforced on the volume/cluster volume or path. Encrypted and non-encrypted clients are able to access or perform file operations on the specified volume or path.
Enforces MFA on the volume/cluster volume or path. On enforcing, only MFA enabled clients are able to access or perform file operations on the specified volume or path.
MFA is no longer enforced on the volume/cluster volume or path. MFA and non-MFA enabled clients are able to access or perform file operations on the specified volume or path.
Enforces encryption and MFA on the volume/cluster volume or path. On enforcing, only encrypted and MFA enabled clients are able to access or perform file operations on the specified volume/cluster volume or path. Both /em or /me option can be used.
Encryption or MFA is no longer enforced on the volume/cluster volume or path. All clients are able to access or perform file operations on the specified volume or path. Both /em or /me option can be used.
NOTE:On enforcing MFA/encryption using cluster resource name, all the volumes under that resource are enforced. If volume /path is given, MFA/encryption is enforced only on a single volume/path. If cluster resource name is given, MFA/encryption is enforced on all the volumes under that cluster resource.
# ncpcon security enforce /e /a VOL1:FOL1 VOL1:FOL2
Encryption is enforced on folders FOL1 and FOL2. Only encrypted clients can now access these folders.
If the same command is executed again or if the volume or folder is already enabled for enforcement, then a message, “Encryption is not enforced on Volumes or Directories: VOL1/FOL1, VOL1/FOL2” is displayed. Run the command security view to verify if the volumes or folders are already enforced.
# ncpcon security enforce /e /a VOL1:JUNCTION1
Encryption is enforced on the DFS junction. If the DFS junction source is enforced then access to the target is blocked.
Use this command to view the current security configurations on the NCP server.
To issue the command at the NCPCON prompt:
security Enforce-MFA yes security enforce /e /a <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name>security enforce /e /r <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name> security enforce /m /a <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name> security enforce /m /r <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name> security enforce /em /a <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name> security enforce /em /r <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name> security view <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name>
For enforcing security on all the volumes under a cluster resource, syntax is followed by resource name.
security enforce /e /a <VOL1> <VOL1:fldr1/fldr2> <cluster-resource-name>
If the admin wants to enforce on a single cluster volume, then the syntax is the same as volume level enforcement.
security enforce /e /a <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name>
To issue the command at a terminal console prompt:
ncpcon security encrypt enable ncpcon security cipher-strength high ncpcon security Enforce-MFA yes ncpcon security enforce /e /a <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security enforce /e /r <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security enforce /m /a <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security enforce /m /r <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security enforce /em /a <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security enforce /em /r <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name> ncpcon security view <VOL1> <VOL1:fldr1/fldr2> <cluster-volume-name>
Examples
MFA is enforced on folders FOL1 and FOL2. Only MFA-enabled clients can now access these folders.
If the same command is executed again or if the volume or folder is already enabled for enforcement, then a message, “MFA is not enforced on Volumes or Directories: VOL1/FOL1, VOL1/FOL2” is displayed. Run the command security view to verify if the volumes or folders are already enforced.
Encryption and MFA are disabled on folder FOL2.
Encryption is enforced on Volumes, Directories and Resource: CLSPOOL1_SERVER
Use this command to list or close open files on an NCP volume by volume, filename, or connection number. If the file path or trustee names contain spaces, ensure to enclose them within double or single quotes.
To find the connection number assigned to a user’s connection, use the connection commands in Section A.1.19, Managing NCP Server Connections.
Operation Options
Lists the open files for a specified NCP volume by volume, filename, or connection number.
Closes the open files for a specified NCP volume by volume, filename, or connection number.
Options
Replaces volumename with the name of the NCP volume.
Replaces filename with path on the Linux file system of the file you want to close, such as /usr/novell/sys/filename.ext.
Replaces connection_number with the station number of the connection whose open files you want to close.
Examples
files list v=sys
files list f=/usr/novell/sys/test.txt
files list "f=/usr/bob christo/novell/sys/test.txt"
files list c=9
files close v=sys
files close f=/usr/novell/sys/test.txt
files close 'f=/usr/bob christo/novell/sys/test.txt'
files close c=9
NCPCON supports the commands in this section for use with OES Dynamic Storage Technology. For information about configuring and managing shadow volumes and file systems, see the OES 23.4: Dynamic Storage Technology Administration Guide.
Creates a non-clustered shadow association between a primary NSS volume and secondary NSS volume, and adds the SHADOW_VOLUME mount information to the /etc/opt/novell/ncpserv.conf file. If the file path or trustee names contain spaces, ensure to enclose them within double or single quotes.
When you issue the command from the NCP Console, you do not need to restart ndsd in order for the changes to take effect. When you issue the command from a Linux prompt, you must restart ndsd in order for the changes to take effect.
Options
Specifies the volume name for the primary NSS volume, such as VOL1.
Specifies the Linux path of the mount location for the secondary NSS volume, such as /media/nss/ARCVOL1.
Examples
Creates a shadow volume where VOL1 is the primary storage area and /home/shadows/VOL1 is its mount point as a shadow volume.
Creates a shadow volume where VOL1 is the primary storage area and /home/bob christo/shadows/VOL1 is its mount point as a shadow volume.
Removes the non-clustered shadow relationship between a primary NSS volume and a secondary NSS volume, and removes the SHADOW_VOLUME command from the /etc/opt/novell/ncpserv.conf file. You must unmount the volume before you issue the command.
IMPORTANT:You can use this command as part of the process to unlink the primary and secondary volumes of a non-clustered DST shadow volume. For information, see Removing the Shadow Relationship for a Non-Clustered DST Shadow Volume
in the OES 23.4: Dynamic Storage Technology Administration Guide.
Typically, you specify the /l option, which leaves the files in place on the primary volume and secondary volume, and removes the shadow relationship. This is equivalent to the Volume Tasks > Remove Shadow Action Options > Remove Shadow option in OES Remote Manager.
When the /l option is not used, the command attempts to move all files on the secondary volume to the primary volume, and then removes the shadow relationship between the two volumes. Ensure that the primary volume has sufficient space to accommodate the files before you unmount the volume and issue the remove command. Moving the files can take some time, depending on how much data must be moved. If a file move fails, the unlinking of the shadow relationship also fails. You can use the /i option to ignore file move errors and allow the unlinking to succeed. After the files on the secondary volume have been moved to the primary volume, the shadow relationship is removed, and a summary report is created and displayed.
Options
Specifies the volume name for the primary NSS volume, such as VOL1.
Leaves the files in place on the two volumes and removes the shadow relationship.
Ignores any file move errors that might occur if you issue the command without the /l option, and allows the unlinking of the shadow relationship to succeed.
For example, if there are duplicate files on the volumes, the duplicate instance on the secondary volume cannot be moved to the primary volume, and the shadow relationship cannot be unlinked. Using the /i option ignores the file move error and allows the relationship to be unlinked.
Provides a full detail report of actions taken. Use this option to understand which file moves might be failing.
Examples
Issue the following commands from the NCP Console, or add ncpcon at the beginning of the command when issuing it from a script or at a terminal console prompt.
Removes the shadow relationship for shadow volume VOL1, and moves all files from the secondary storage area to the primary storage area. You must dismount VOL1 before you issue this command. File move errors are ignored. Full details of the actions taken are reported.
Removes the shadow relationship for shadow volume VOL1, and leaves files where they currently are on the secondary storage area and the primary storage area. You must dismount VOL1 before you issue this command.
Allows you to list files on the shadow volume, or to move files between the primary storage area and the secondary storage area based on specified criteria. All files on the selected shadow volume that match the criteria are moved. Use the command from within cron jobs to automate data partitioning. If the file path or trustee names contain spaces, ensure to enclose them within double or single quotes.
Operation Options
Lists primary files. Lists all files currently residing on the primary storage area.
Lists shadow files. Lists all files currently residing on the secondary storage area.
Moves files to primary. Moves files that match the specified criteria to the primary storage area from the secondary storage area.
Moves files to shadow. Moves files that match the specified criteria to the secondary storage area from the primary storage area.
Operations
Specifies the file pattern to match against.
Specifies the NetIQ eDirectory username and context of the owner of the files to match against.
Specifies the Linux user ID to match against.
Specifies which time field to match against, where the time_field is:
[m][a][c]
m: Last time modified (content)
a: Last time accessed
c: Last time changed (metadata)
Specifies which time period to match against, where the time_period is:
[a][b][c][d][e][f][g][h][i][j]
a: Within last day
b: 1 day to 1 week
c: 1 week to 2 weeks
d: 2 weeks to 1 month
e: 1 month to 2 months
f: 2 months to 4 months
g: 4 months to 6 months
h: 6 months to 1 year
i: 1 year to 2 years
j: More than 2 years
Specifies the size differential to match against, where the size_differential is:
[a][b][c][d][e][f][g][h][i][j][k]
a: Less than 1 KB
b: 1 KB to 4 KB
c: 4 KB to 16 KB
d: 16 KB to 64 KB
e: 64 KB to 256 KB
f: 256 KB to 1 MB
g: 1 MB to 4 MB
h: 4 MB to 16 MB
i: 16 MB to 64 MB
j: 64 MB to 256 MB
k: More than 256 MB
Output the search results to the specified file.
Examples
Lists all files of type EXE that currently reside on the secondary storage area for the shadow volume vol1.
Lists all files of sizes between 1 MB to 4 MB that currently reside on the primary storage area for the shadow volume vol1.
Moves all files on the primary storage area that have not been modified, accessed, or changed in more than 2 years from the primary storage area to the secondary storage area for the shadow volume vol1.
Returns the specified file’s location as being on the primary storage area or secondary storage area. Specify the primary or secondary options to move the specified file from its current location to the specified storage area.
The shift command works only at the command line, and not in ncpcon interactive mode. Enter the command as the root user at a terminal console prompt.
ncpcon shift "volumename:\path\filename" [primary | shadow]
OPTIONS
Moves the specified file from the secondary storage area to the primary storage area. The file must be closed when you issue the command; otherwise, the command fails.
Moves the specified file from the primary storage area to the secondary storage area. The file must be closed when you issue the command; otherwise, the command fails.
Examples
Enter the commands as the root user at a terminal console prompt.
Shows the specified file’s storage area location in the shadow volume as primary (the primary storage area) or shadow (the secondary storage area) for the shadow volume sys.
Shows the specified file’s storage area location in the shadow volume as primary (the primary storage area) or shadow (the secondary storage area) for the shadow volume vol1.
Moves the specified file’s storage area location from the secondary storage area to the primary storage area for the shadow volume sys.
Moves the specified file’s storage area location from the secondary storage area to the primary storage area for the shadow volume vol1.
Moves the specified file’s storage area location from the primary storage area to the secondary storage area for the shadow volume sys.
Moves the specified file’s storage area location from the primary storage area to the secondary storage area for the shadow volume vol1.
NCPCON supports the commands in this section for use with OES Dynamic Storage Technology in combination with OES Cluster Services for Linux clusters. For information about configuring and managing shadow volumes and file systems in a cluster, see the OES 23.4: Dynamic Storage Technology Administration Guide.
Use the following syntax in cluster load scripts to mount the volume in a cluster. With clustering, no changes are needed to the ncpserv.conf file for shadowing. The primary volume information is also not added to the ncpserv.conf file.
Use this command in a cluster load script when the primary volume is an NSS volume and the secondary volume is an NSS volume. Both NSS volumes must already exist and be mounted in NSS.
Replace volID with a value from 0 to 254 as the server volume ID to ensure that the volume has the same ID on all servers when it is mounted in a cluster resource.
Example
Mounts the NSS volume named VOL1 with a volume ID of 254. The primary volume is an existing NSS volume named VOL1 (/media/nss/VOL1). The secondary volume is an existing NSS volume named ARCHIVE1 (/media/nss/ARCHIVE1).
Use this command when the primary volume is a non-NSS volume and the secondary volume is a non-NSS volume.
Replace volID with a value from 0 to 254 as the server volume ID to ensure that the volume has the same ID on all servers when it is mounted in a cluster resource.
Example
Mounts the NCP volume named VOL1 with a volume ID of 254. The primary volume’s path is /media/ncpvolumes/VOL1. The secondary volume’s path is /media/ncpvolumes/ARCHIVE1.
Use this command when the primary volume is a non-NSS volume and the secondary volume is an NSS volume. The NSS volume must already exist on the system and be mounted in NSS.
Replace volID with a value from 0 to 254 as the server volume ID to ensure that the volume has the same ID on all servers when it is mounted in a cluster resource.
Example
Mounts the NCP volume named VOL1 with a volume ID of 254. The primary volume’s path is /media/ncpvolumes/VOL1. The secondary volume is an existing NSS volume named ARCHIVE1 (mounted at /media/nss/ARCHIVE1).
Use this command when the primary volume is an NSS volume and the secondary volume is a non-NSS volume. The NSS volume must already exist on the system and be mounted in NSS.
Replace volID with a value from 0 to 254 as the server volume ID to ensure that the volume has the same ID on all servers when it is mounted in a cluster resource.
Example
Mounts an NSS volume named VOL1 with a volume ID of 254. The primary volume is an existing NSS volume named VOL1 (/media/nss/VOL1). The secondary volume is an NCP volume named ARCHIVE1 that is mounted at /media/ncpvolumes/ARCHIVE1.
NCPCON supports the ncpcon quotas command for OES Dynamic Storage Technology volume pairs. For information, see the OES 23.4: Dynamic Storage Technology Administration Guide.
You can run NCPCON console commands without entering the console by prefacing the command with ncpcon.
Displays command help at the command prompt.
Shows the assigned NSS directory quotas or user quotas for a specified NSS volume that is used in a DST volume pair. Replace nss_volume_name with the name (such as VOL1) of the primary volume or the secondary volume.
Specify either directory (d) or user (u) after the volume name to indicate the type of quotas to display. You can use the combined (c) option to display the specified type of quotas for both volumes.
Options
(Optional) Shows a combined view for the specified type of quotas on the primary volume and secondary volume of a DST shadow volume pair.
Applies the operation to NSS directory quotas.
Applies the operation to NSS user quotas.
Examples
Shows the user quotas for NSS volume VOL_D. VOL_D can be the primary volume or secondary volume in a DST shadow volume pair.
Shows a combined view of the directory quotas on the primary volume and secondary volume of a specified DST shadow volume.
Synchronizes the NSS directory quotas or user quotas from the primary volume to the secondary volume of a DST shadow volume pair. Replace nss_volume_name with the name (such as VOL1) of the primary volume. You can specify to use the same settings, or specify a percentage to set smaller or larger quotas on the secondary volume. You can duplicate all settings, or duplicate settings only where they do not exist.
Specify either directory (d) or user (u) after the volume name to indicate the type of quotas to synchronize.
Operations
For all of the directory quotas or user quotas (whichever type is specified) that are currently set on the primary volume, duplicates the quotas settings on the secondary volume.
For each of the directory quotas or user quotas (whichever type is specified) that are currently set on the primary volume, if a quota is not set on the secondary volume, duplicates the quota setting on the secondary volume. This option does not overwrite existing quotas on the secondary volume.
For each of the directory quotas or user quotas (whichever type is specified) that are currently set on the primary volume, sets the quotas settings on the secondary volume as a specified percentage of the quota that exists on the primary volume. The percentage value must also be specified after the volume name.
A percent value of 100 is a one-to-one quota assignment. A percent value of 50 assigns a quota that is one-half the size of the quota set on the primary volume. A percent value of 200 assigns a quota that is twice the size of the quota set on the primary volume.
Options
Applies the operation to NSS directory quotas.
Applies the operation to NSS user quotas.
Required if the PERCENT operation is used. Specifies the value to use when calculating the quota for the secondary volume based on a percentage of the primary volume’s quota.
(Optional) Indicates quiet mode. No output appears in the execution window.
Examples
For all of the NSS user quotas that are currently set on the primary volume VOL D, duplicates the quotas setting on the secondary volume of a DST shadow volume pair.
For each of the NSS directory quotas that are currently set on the primary volume VOL1, sets a quota that is one-half that size on the secondary volume of a DST shadow volume pair.
For each of the NSS user quotas that are currently set on the primary volume VOL1, if a quota does not exist on the secondary volume, duplicates the quota setting on the secondary volume of a DST shadow volume pair.