6.6 File Access for Users

NSS supports access via NCP and other protocols to eDirectory users and Linux-enabled eDirectory users.

IMPORTANT: NSS uses the OES trustee model for file access. Users must be made file system trustees and granted trustee rights to data on the NSS volume that you want them to be able to access. Rights management can be done in multiple management tools, including Unified Management Console, iManager, OES Remote Manager, the Client for Open Enterprise Server and other NCP services, and command line commands. For information, see Section 21.1, Configuring File System Trustees, Trustee Rights, Inherited Rights Filters, and Attributes.

6.6.1 NCP

NCP (NetWare Core Protocol) is the default protocol for accessing data on NSS volumes. NCP Server is required for NSS even if users access the volume via other protocols. Users access data on NSS volumes by using the Client for Open Enterprise Server software on their Windows or Vista workstations. This document refers collectively to those workstations as “Clients for Open Enterprise Server”.

NCP Server is installed by selecting NCP Server and Dynamic Storage Technology from the OES Services menu in the YaST installation interface. For information about NCP Server, see the OES 23.4: NCP Server for Linux Administration Guide.

NCP Server works with NetIQ eDirectory, the Client for Open Enterprise Server, and other NCP-based services such as NetStorage to authenticate and manage user sessions. When NCP Server is running, eDirectory users who have been granted file system trustee access can access an NSS volume with the Client for Open Enterprise Server or NCP services. NSS cooperates with NCP Server to track file ownership and file system trustee assignments, trustee rights, and inherited rights based on the OES trustee model.

The Linux file system interface uses UTF-8 encoding for all filenames. When accessing files with NCP, make sure that you use the UTF-8 enabled NCP software that is available in the latest Novell Client.

If you are converting NSS volumes from NetWare to Linux, make sure you have resolved any UTF-8 problems before moving the volume to Linux. For information, see Supporting Mixed Language Environments with Novell NetWare (TID 10097059) in the OpenText Support Knowledgebase.

For information about configuring and managing NCP Server, see the OES 23.4: NCP Server for Linux Administration Guide.

6.6.2 OES CIFS

NSS supports access to NSS volumes using CIFS. For OES 2 SP1 and later, OES CIFS is installed by selecting OES CIFS from the OES Services menu in the YaST install interface.

For information about OES CIFS, see the OES CIFS for Linux Administration Guide.

6.6.3 OES Domain Services for Windows

NSS supports access to NSS volumes using OES Domain Services for Windows (DSfW). DSfW configures Samba access for Samba/CIFS users. Administrators must export NSS volumes over Samba so that domain users (eDirectory users in the DSfW domain partition) can access NSS volumes over Samba/CIFS.

Samba/CIFS users under the domain are Linux-enabled with Linux User Management. The Domain Users group must be associated with the UNIX Workstation objects of the server (or servers if the volume is used in a cluster) where the volume is mounted in order to give the users access to the NSS volume via Samba/CIFS.

6.6.4 SSH (Secure Shell)

You can give users SSH (Secure Shell) access to NSS volumes by Linux-enabling the users and enabling the SSH utility in Linux User Management. For information, see the OES 23.4: Linux User Management Administration Guide.

In addition, SSH requires that the POSIX permissions on home directories be set so that the Other field has no permissions. By default, NSS sets the POSIX permissions to 0777 and SSH is disabled in Linux User Management. If you use NSS volumes for home directories and you want users to have SSH access to them, you must modify the POSIX permissions on NSS volumes to 0770. You must also enable SSH with Linux User Management.

Add the following command in the /etc/opt/novell/nss/nssstart.cfg file to turn off all of the bits corresponding to the Other field:

/PosixPermissionMask=0770

The setting applies to all NSS volumes on the server. If the volume is shared in a cluster, make sure to add the command to the nssstart.cfg file and to Linux-enable SSH on all the nodes.
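The two conditions described above can be checked with a script. The following is an added example, not part of the OES documentation: it reads the mask from a file in the nssstart.cfg format shown above and lists home directories that still grant any Other permission. The function names, the sample directory layout, and the assumption that the setting sits alone on its own line are illustrative.

```shell
# Added example: audit the SSH prerequisites described in this section.
# Assumption: the setting sits alone on a line, written as the page shows it.

# Print the value of the last /PosixPermissionMask= line in file $1, if any.
cfg_posix_mask() {
    sed -n 's|^[[:space:]]*/PosixPermissionMask=\([0-7]*\)[[:space:]]*$|\1|p' \
        "$1" 2>/dev/null | tail -n 1
}

# Succeed only if mask $1 is octal and its last digit (the Other field) is 0.
mask_clears_other() {
    case "$1" in
        ''|*[!0-7]*|*[1-7]) return 1 ;;
    esac
}

# List directories directly under $1 that still grant any Other permission.
homes_open_to_other() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print | sort
}

# Report on config file $1 and home-directory parent $2; non-zero on a finding.
audit_ssh_prereqs() {
    status=0
    mask=$(cfg_posix_mask "$1")
    if mask_clears_other "$mask"; then
        echo "OK   mask=$mask in $1"
    else
        echo "FAIL mask='${mask:-unset}' in $1 (Other field must be 0, e.g. 0770)"
        status=1
    fi
    open=$(homes_open_to_other "$2")
    if [ -n "$open" ]; then
        echo "FAIL Other permissions still set on:"
        echo "$open" | sed 's/^/     /'
        status=1
    fi
    return "$status"
}

# Build a constructed sample (not real server data) and print its directory.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/home/alice" "$d/home/bob" || return 1
    chmod 0770 "$d/home/alice"; chmod 0777 "$d/home/bob"
    printf '%s\n' '/PosixPermissionMask=0770' > "$d/nssstart.cfg"
    echo "$d"
}

# Usage: sh script.sh CONFIG_FILE HOME_PARENT_DIR
if [ "$#" -eq 2 ]; then audit_ssh_prereqs "$1" "$2"; fi
```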

6.6.5 Accessing Files with Linux Services, Utilities, and Protocols

Only the root user and Linux-enabled eDirectory users who have been granted trustee access can see and access the NSS volume from a Linux interface. Users must be Linux-enabled with Linux User Management in order to use any of the standard Linux protocols, utilities, commands, services, or APIs for the NSS volume.

IMPORTANT: Any Linux service or utility that you want users to have access to must also be enabled in Linux User Management.

For information about installing and configuring Linux User Management, enabling users and groups for Linux, and enabling Linux services and utilities, see the OES 23.4: Linux User Management Administration Guide.