Rob:
IBM i NFS also supports Kerberos, so I think you would be better
served by implementing IBM i EIM/SSO, rather than trying to "sync. up"
all of those UIDs and GIDs ... There is no added cost for the software
for EIM/SSO -- it comes bundled with IBM i. You can start out by
only using it for a few user profiles who need to access those NFS
shares, so you can roll it out gradually, while you "get your feet wet"
-- Once you are comfortable with EIM/SSO, you can start to "scale up"
so eventually, all of your user profiles will use it. Then, the
end-users only ever need to "sign-on" to "the network" once, (e.g.
when they sign-on to Windows). (If you have a Windows domain and
Active Directory, you can use that as the Kerberos controller), and you
then change all the user profiles on IBM i to Password = *NONE. So,
those users then never have to keep typing in their passwords, and you
no longer need to use some Tivoli product(s) to "sync." all those
passwords, because with EIM/SSO, this is "password elimination"
rather than "password synchronization." NOTE: If you do not currently
use a Windows domain, you can install some IBM software to act as the
Kerberos server -- it is an AIX version that also runs in PASE.
Your company could even save some money by not paying for software
maintenance for that Tivoli stuff any longer, once you are all
converted to EIM/SSO. And, also, by reducing the workload for your
internal IT Help Desk, for dealing with lost or forgotten passwords --
never again having to re-enable *DISABLED IBM i user profiles, reset
their passwords, etc. -- So, there is only "one version of the truth"
--the one and only UserID and password maintained in the Windows
Active Directory or using the AIX LDAP server. IBM i EIM/SSO
maintains the "mapping" from each Windows UserID to the corresponding
IBM i user profile name. You just "set it (once) and forget it."
Let me know if you want more details or some links to various resources.
Hope that helps,
Mark S. Waterbury
> On 8/3/2016 3:31 PM, Rob Berendt wrote:
I think I'm getting you.
UID is for a 'user'
GID is for a 'group profile'
If it is a user then it must have *NONE for the GID.
So I ran the following on both lpars
CRTUSRPRF USRPRF(DUMMY) PASSWORD(...) UID(999999)
The passwords match.
Then I ran:
CHGAUT OBJ('/payroll') USER(DUMMY) DTAAUT(*RWX) OBJAUT(*ALL) SUBTREE(*ALL)
On the target system I can sign on as dummy and look at the data.
On the source system I can do
WRKLNK '/tgtsystem/tgtdirectory'
and it works.
Thank you.
Now for the big security project of syncing up everyone's UID, which can
only be done when the user has no active jobs. (at least according to the
help on UID)
Rob Berendt