Document revision date: 15 October 2001

Compaq PATHWORKS for OpenVMS (Advanced Server)
Server Administrator's Guide



3.1.17.3 Disabling External Authentication

If you want to disable external authentication, then before starting the Advanced Server, define the SYS$SINGLE_SIGNON logical in SYSTARTUP_VMS.COM to a value of 0, as in the following example:


$ DEFINE/SYSTEM/EXECUTIVE SYS$SINGLE_SIGNON 0 

For more information, refer to the OpenVMS Guide to System Security.

3.1.17.4 Bypassing External Authentication When the Network Is Down

External authentication cannot occur if a network connection is required and the network is down. However, as a temporary solution, privileged users can enter the /LOCAL_PASSWORD qualifier after the OpenVMS user name at the login prompt, to specify local authentication. Be sure to specify the OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.

Because using the /LOCAL_PASSWORD qualifier effectively overrides the security policy established by the system manager, it is allowed only when the user's account has SYSPRV as an authorized privilege. This allows the system manager to gain access to the system when the network is down.

When Bit 1 is set in the SYS$SINGLE_SIGNON logical name, nonprivileged users who are normally externally authenticated can log in locally (the /LOCAL_PASSWORD qualifier need not be specified).

For more information about the /LOCAL_PASSWORD qualifier for the login command line, refer to the OpenVMS Guide to System Security.
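The following is an added example, not OpenVMS or PATHWORKS code, that models the login decisions described in Sections 3.1.17.3 and 3.1.17.4: the system-wide SYS$SINGLE_SIGNON value, the /LOCAL_PASSWORD qualifier restricted to accounts holding SYSPRV, and the Bit 1 fallback for nonprivileged users. The bit assignments (Bit 0 enables external authentication, Bit 1 permits local login) follow the OpenVMS Guide to System Security; the assumption that an account flagged for external authentication falls back to its SYSUAF password when the feature is disabled system-wide is the author's, as are the names LoginAttempt, decide_login, parse_sso_logical and parse_login_line.

```python
# Added example: models the SYS$SINGLE_SIGNON / /LOCAL_PASSWORD login policy.
# Illustrative code, not OpenVMS or PATHWORKS code.
from dataclasses import dataclass
from typing import Optional

SSO_ENABLE = 0b01        # Bit 0: external authentication enabled on this system
SSO_ALLOW_LOCAL = 0b10   # Bit 1: nonprivileged extauth users may log in locally


@dataclass
class LoginAttempt:
    username: str           # OpenVMS user name as typed at the Username: prompt
    extauth_account: bool   # account is flagged for external authentication
    has_sysprv: bool        # SYSPRV is an authorized privilege of the account
    local_password: bool    # /LOCAL_PASSWORD was given after the user name
    network_up: bool        # the domain controller can be reached


def parse_sso_logical(value: Optional[str]) -> int:
    """Turn the text value of SYS$SINGLE_SIGNON into a bit mask.

    An undefined or empty logical is treated as 0 (external authentication
    disabled), matching the DEFINE ... SYS$SINGLE_SIGNON 0 example above.
    """
    if value is None or not value.strip():
        return 0
    return int(value.strip())


def parse_login_line(line: str) -> tuple:
    """Split 'SYSTEM/LOCAL_PASSWORD' into (user name, qualifier present)."""
    name, _, qualifier = line.strip().partition("/")
    return name.upper(), qualifier.upper() == "LOCAL_PASSWORD"


def decide_login(sso_value: int, a: LoginAttempt) -> str:
    """Return 'EXTERNAL', 'LOCAL' (SYSUAF password) or 'REJECT'."""
    # Accounts not set for external authentication, or any account when the
    # feature is disabled system-wide, use the SYSUAF password (assumed).
    if not a.extauth_account or not (sso_value & SSO_ENABLE):
        return "LOCAL"
    if a.local_password:
        # The qualifier overrides the site's security policy, so it is honoured
        # only for SYSPRV holders, or when Bit 1 already permits local login.
        if a.has_sysprv or (sso_value & SSO_ALLOW_LOCAL):
            return "LOCAL"
        return "REJECT"
    if a.network_up:
        return "EXTERNAL"
    # Network down and no qualifier: only Bit 1 lets the user fall back.
    if sso_value & SSO_ALLOW_LOCAL:
        return "LOCAL"
    return "REJECT"


if __name__ == "__main__":
    sso = parse_sso_logical("1")   # constructed: Bit 0 only
    name, local = parse_login_line("SYSTEM/LOCAL_PASSWORD")
    attempt = LoginAttempt(name, True, True, local, network_up=False)
    print(name, "->", decide_login(sso, attempt))
```

The model makes the security trade-off visible: with only Bit 0 set, a network outage locks out every externally authenticated account except those whose holders have SYSPRV and know to type /LOCAL_PASSWORD, while setting Bit 1 restores availability for everyone at the cost of letting any such account be used with its SYSUAF password whenever the domain controller is unreachable.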

3.1.17.5 Logging On to Externally Authenticated Accounts

OpenVMS accepts the user name in one of the following formats for user accounts set for external authentication:

The form of the user name string determines the order in which OpenVMS verifies the logon:

3.1.17.6 Avoiding User Name Conflicts

Because external authentication depends on host mapping information, it is important to set up user accounts and host mapping carefully. For example, if the same user name exists in the Advanced Server and OpenVMS, but they are not the same user, external authentication may not work as you expect.

In the following examples, you have Advanced Server running on OpenVMS node VMS1 in the domain SaleOffice, with network users Smith and J_Smith and OpenVMS users Smith and V_Smith:

3.1.17.7 Setting Up External Authentication by a Trusted Domain

You can set up an OpenVMS account to be externally authenticated by a trusted domain in your network. To enable this feature, you must include the trusted domain name in the data field for the server configuration parameter HostMapDomains in LANMAN.INI. See Section 7.3, Using the LANMAN.INI File.

For example, if your OpenVMS system is in the SaleOffice domain, and this domain trusts the Marketing domain, set up OpenVMS user Jones to be externally authenticated by the Marketing domain as follows:

  1. Set the data field for the server configuration parameter HostMapDomains in the LANMAN.INI file (in the VMSSERVER section) to include the trusted domain name, as follows:


    HOSTMAPDOMAINS=Marketing 
    

  2. Ensure that a network user account with user name Jones exists in the Marketing Domain.
  3. Enable external authentication for OpenVMS user account Jones.
  4. To log on, the user must specify the user name in one of the following forms:


     
    Jones@Marketing 
    Marketing\Jones 
    

3.1.17.8 Changing the Default Domain for External Authentication

The local server's domain is the default domain for users when external authentication is established. If you want to change the default domain for users using external authentication, define the Advanced Server logical PWRK$ACME_DEFAULT_DOMAIN on the system as follows:


$ DEFINE/SYS/EXE PWRK$ACME_DEFAULT_DOMAIN domain_name

where domain_name is the name of the new default domain. After defining this logical, if a user does not specify a domain name at login, the system will use the specified default domain for external authentication.
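The following is an added example, not PATHWORKS code, that ties together Sections 3.1.17.5, 3.1.17.7 and 3.1.17.8: it parses the Jones@Marketing and Marketing\Jones login forms, reads HostMapDomains from the [VMSSERVER] section of a LANMAN.INI text, applies a PWRK$ACME_DEFAULT_DOMAIN value when no domain is typed, and rejects a domain that is neither the local domain nor listed in HostMapDomains. The LANMAN.INI sample is constructed; the assumptions that a semicolon starts a comment and that several domains are comma-separated are the author's (the page shows a single domain), as are the names parse_login_name, parse_hostmapdomains and authenticating_domain.

```python
# Added example: resolves which domain will externally authenticate a login.
# Illustrative code, not PATHWORKS code.
from typing import List, Optional, Tuple


class DomainNotTrusted(ValueError):
    """The typed (or defaulted) domain is not usable for external authentication."""


def parse_login_name(login: str) -> Tuple[str, Optional[str]]:
    """Split a login name into (user, domain).

    Accepts JONES, JONES@MARKETING and MARKETING\\JONES; the domain is None
    when the user typed a bare user name.
    """
    login = login.strip()
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.partition("@")
    else:
        user, domain = login, None
    if not user or domain == "":
        raise ValueError(f"malformed login name: {login!r}")
    return user.upper(), (domain.upper() if domain else None)


def parse_hostmapdomains(lanman_ini: str) -> List[str]:
    """Return the HostMapDomains list from the [VMSSERVER] section.

    Assumes ';' begins a comment and that multiple domains are comma-separated.
    """
    section = None
    for raw in lanman_ini.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].upper()
            continue
        key, _, value = line.partition("=")
        if section == "VMSSERVER" and key.strip().upper() == "HOSTMAPDOMAINS":
            return [d.strip().upper() for d in value.split(",") if d.strip()]
    return []


def authenticating_domain(login: str, local_domain: str, trusted,
                          default_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (user, domain) that will be asked to authenticate this login.

    default_domain stands in for the value of PWRK$ACME_DEFAULT_DOMAIN; when it
    is None the local server's domain is the default, as the text states.
    """
    user, domain = parse_login_name(login)
    if domain is None:
        domain = (default_domain or local_domain).upper()
    allowed = {local_domain.upper(), *(t.upper() for t in trusted)}
    if domain not in allowed:
        raise DomainNotTrusted(
            f"{domain} is not the local domain and is not in HostMapDomains")
    return user, domain


# Constructed LANMAN.INI fragment for the SaleOffice/Marketing example above.
SAMPLE_LANMAN_INI = """
[VMSSERVER]
; trusted domains allowed to authenticate OpenVMS accounts
HOSTMAPDOMAINS=Marketing
"""

if __name__ == "__main__":
    trusted = parse_hostmapdomains(SAMPLE_LANMAN_INI)
    for typed in ("Jones", "Jones@Marketing", "Marketing\\Jones"):
        print(typed, "->", authenticating_domain(typed, "SaleOffice", trusted))
```

A login that names a domain outside HostMapDomains is refused before any credential leaves the system, which is the property an administrator should expect from the configuration: the list in LANMAN.INI, not the text a user types at the prompt, decides which domain controllers are allowed to vouch for an OpenVMS account.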

3.1.17.9 Requirement for External Authentication Over DECnet-Plus

To allow users to be externally authenticated over DECnet-Plus for OpenVMS, set the system parameter NET_CALLOUTS to 255. This enables Advanced Server user ID mapping and authentication for network logins.

3.2 Managing Advanced Server Groups

Groups are collections of user accounts and other groups. When you add a user to a group, the user has all the rights and permissions granted to the group. This provides an easy way to grant common capabilities to sets of users. (For additional information about planning Advanced Server groups, refer to the Compaq Advanced Server for OpenVMS Concepts and Planning Guide.)

Note

OpenVMS system groups are unrelated to Advanced Server domain groups.

You use groups to manage access to resources like directories, files, and printers. To do this, assign permissions to the resource, specifying the group names, and add the user accounts to the groups. To change the permissions for a group, add or remove the permissions on the resource for the group, rather than for each user. Or, if you need to give a user access to specific resources (for example, certain directories and files), add the user's account to the appropriate group rather than changing permissions on each individual resource. Maintaining permissions for a group is simpler than maintaining permissions for individual user accounts.

Every group is either a global group or a local group.

Table 3-3 summarizes how to organize local and global groups.

Table 3-3 Uses of Local and Global Groups

Users and Needs                                                          Appropriate Group To Use
-----------------------------------------------------------------------  ------------------------
User accounts from this domain requiring access to the servers and       Global group
workstations of this domain or of trusting domains
User accounts from trusting domains requiring access to the servers of   Local group
this domain
Global groups from this domain requiring access to the servers of this   Local group
domain
Global groups from trusting domains requiring access to the servers of   Local group
this domain

3.2.1 Built-In Groups

The Advanced Server creates several built-in groups automatically during installation. Each built-in group has a unique set of access rights. To give one such set of access rights to a user account, add the user to the appropriate group. By default, all users belong to the built-in group Domain Users.

Table 3-4 lists the built-in groups, with their group type (global or local), and their default members.

Table 3-4 Built-In Groups

Group Name         Type    Description                                         Default Members
-----------------  ------  --------------------------------------------------  ----------------------------
Account Operators  Local   Members can administer domain user and group        None
                           accounts.
Administrators     Local   Members can fully administer the domain.            Administrator, Domain Admins
Backup Operators   Local   Members can bypass file security to back up files.  None
Domain Admins      Global  Designated administrators of the domain.            Administrator
Domain Guests      Global  All domain guests.                                  Guests
Domain Users       Global  All domain users.                                   Administrator, user accounts
Guests             Local   Users granted guest access to the domain.           Domain Guests
Print Operators    Local   Members can administer domain printers.             None
Server Operators   Local   Members can administer domain servers.              None
Users              Local   Ordinary users.                                     Domain Users

3.2.2 Setting Up User Groups

To set up a new user group, use the ADD GROUP command. To create a local group, include the /LOCAL qualifier on the command line; if you do not specify a group type, the group is added as a global group. For example, to add the local group MUNCHKINS, enter the following command. Note that the description of the group is enclosed in quotation marks.


LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/DESCRIPTION="Oz local group"/LOCAL 
%PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> SHOW GROUPS 
Groups in domain "LANDOFOZ": 
Group Name              Type          Description 
---------------------   -----------   ------------------------------------- 
Account Operators       Local         Members can administer domain user and 
                                      group accounts 
Administrators          Local         Members can fully administer the domain 
Backup Operators        Local         Members can bypass file security to back 
                                      up files 
DEVAS                   Global 
DEVIS                   Global 
Domain Admins           Global        Designated administrators of the domain 
Domain Guests           Global        All domain guests 
Domain Users            Global        All domain users 
Guests                  Local         Users granted guest access to the domain 
MONKEYS                 Global        Users in the Land of Oz 
MUNCHKINS               Local         Oz local group 
Print Operators         Local         Members can administer domain printers 
Replicator              Local         Supports file replication in a domain 
Server Operators        Local         Members can administer domain servers 
Users                   Local         Ordinary users 
 
   Total of 15 groups 
 
LANDOFOZ\\TINMAN> 

3.2.3 Adding Users to Groups

You can add users to groups in any of the following ways:

Local groups can include users from domains other than the one currently being administered. To specify a user account from another domain, a trust relationship must be established that allows the domain being administered to trust the domain where the user account is defined.

To specify a user account or global group in a trusted domain, enter a domain-qualified name (domain-name\member-name), such as KANSAS\DOLE, where KANSAS is the name of the trusted domain, and DOLE is the user or group name defined in the trusted domain. If you omit a domain name, the user or group is assumed to be defined in the domain being administered.

3.2.3.1 Adding Members to a New Group

To add members to a new group, include the /MEMBERS qualifier on the ADD GROUP command. For example, to add a new group MUNCHKINS and specify the group members SCARECROW and STRAWMAN, enter the following command:


LANDOFOZ\\TINMAN> ADD GROUP MUNCHKINS/MEMBERS=(SCARECROW,STRAWMAN) 
%PWRK-S-GROUPADD, group "MUNCHKINS" added to domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

3.2.4 Copying Groups

To simplify creating a new group, you can use the COPY GROUP command to copy an existing group to the new group, with a new name, keeping the members and description from the previous group. For example, to form a new group called QUADLINGS from an existing group called MUNCHKINS, use the following command:


LANDOFOZ\\TINMAN> COPY GROUP MUNCHKINS QUADLINGS 
%PWRK-S-GROUPCOPY, group "MUNCHKINS" copied to "QUADLINGS" in domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

This command copies the description and group members from MUNCHKINS to the new group named QUADLINGS. You can display information about the new group using the SHOW GROUPS/FULL command. For example, the following command displays the type, description, and members of the QUADLINGS group:


LANDOFOZ\\TINMAN> SHOW GROUPS QUADLINGS/FULL 
 
Groups in domain "LANDOFOZ": 
 
Group Name      Type             Description 
----------      ------           ----------------------------- 
QUADLINGS        Local            Oz local group 
    Members: [US]LION,[US]SCARECROW 
 
  Total of 1 group 
 
LANDOFOZ\\TINMAN> 

3.2.5 Modifying a Group

You can change the membership or description of an existing group.

3.2.5.1 Adding a Member to an Existing Group

To add a member to an existing group, use the MODIFY GROUP command with the /ADD_MEMBERS qualifier. For example, to add the user LION to the group MONKEYS, enter the following command:


LANDOFOZ\\TINMAN> MODIFY GROUP MONKEYS/ADD_MEMBERS=LION 
%PWRK-S-GROUPMOD, group "MONKEYS" modified on domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> SHOW GROUP MONKEYS 
 
Groups in domain "LANDOFOZ": 
 
Group Name      Full Name       Type     Description 
----------      ---------       ------- ------------------------ 
MONKEYS                         Global   Winged monkeys 
    Members: [US]LION 
 
 Total of 1 group 
 
LANDOFOZ\\TINMAN> 

3.2.5.2 Removing a Member From a Group

To remove a member from a group, use the MODIFY GROUP command with the /REMOVE_MEMBERS qualifier. For example, to remove SCARECROW from the group MUNCHKINS, enter the following command:


LANDOFOZ\\TINMAN> MODIFY GROUP MUNCHKINS/REMOVE_MEMBERS=SCARECROW 
%PWRK-S-GROUPMOD, group "MUNCHKINS" modified on domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

3.2.5.3 Changing the Description of a Group

To change the group description, use the MODIFY GROUP/DESCRIPTION command, as in the following example:


LANDOFOZ\\TINMAN> MODIFY GROUP MUNCHKINS/DESCRIPTION="First Floor" 
%PWRK-S-GROUPMOD, group "MUNCHKINS" modified on domain "LANDOFOZ" 

3.2.6 Deleting a Group

Deleting a group removes only that group; it does not delete user accounts or global groups that are members of the deleted group. You cannot recover a deleted group.

Internally, the Advanced Server recognizes every group by its security identifier (SID), which is used when assigning permissions to a resource. If you delete a group and then create another group with the same group name, the new group does not inherit access to any resources available to the old group because the groups have different SIDs. To delete a group, use the REMOVE GROUP command, as in the following example:


LANDOFOZ\\TINMAN> REMOVE GROUP QUADLINGS 
 
Each group is represented by a unique identifier which is independent 
of the group name.  Once this group is deleted, even creating an 
identically named group in the future will not restore access to 
resources which currently name this group in the access control list. 
Remove "QUADLINGS" [YES or NO] (YES) : YES 
%PWRK-S-GROUPREM, group "QUADLINGS" removed from domain "LANDOFOZ" 
 
LANDOFOZ\\TINMAN> 

The command deletes the group QUADLINGS from the LANDOFOZ domain.
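The following is an added example, not Advanced Server code, that models the group operations in Sections 3.2.2 through 3.2.6 as a small in-memory domain: ADD GROUP with or without /LOCAL, COPY GROUP, MODIFY GROUP with /ADD_MEMBERS and /REMOVE_MEMBERS, domain-qualified members such as KANSAS\DOLE that require a trust relationship, and REMOVE GROUP. Its purpose is to show concretely why the confirmation prompt above warns that re-creating a deleted group under the same name does not restore access: permissions are bound to the SID, and the model allocates a fresh SID on every ADD GROUP. The SID format, the Domain and Group names, the ACL representation and the sample resource name are the author's constructions; the rule that a global group holds only accounts from its own domain is taken from Windows NT domain semantics and is not stated on this page.

```python
# Added example: in-memory model of Advanced Server group management showing
# that resource permissions follow the group SID, not the group name.
# Illustrative code, not Advanced Server code.
from __future__ import annotations
import itertools
from dataclasses import dataclass, field


class GroupStoreError(ValueError):
    """Raised for operations the Advanced Server would refuse."""


@dataclass
class Group:
    sid: str                # placeholder SID allocated by this model
    name: str
    local: bool             # True when created with /LOCAL, else global
    description: str = ""
    members: set = field(default_factory=set)   # DOMAIN\NAME strings


class Domain:
    _rid = itertools.count(1000)   # constructed relative-id counter

    def __init__(self, name: str, trusted=()):
        self.name = name.upper()
        self.trusted = {d.upper() for d in trusted}   # domains this one trusts
        self.groups: dict = {}
        self.acls: dict = {}   # resource name -> set of SIDs granted access

    def _qualify(self, member: str) -> str:
        # An unqualified name is assumed to be in the domain being administered.
        domain, sep, user = member.upper().partition("\\")
        return f"{domain}\\{user}" if sep else f"{self.name}\\{domain}"

    def _check_member(self, group: Group, member: str) -> str:
        qualified = self._qualify(member)
        dom = qualified.split("\\", 1)[0]
        if dom == self.name:
            return qualified
        if not group.local:
            # Assumed NT semantics: global groups hold only own-domain accounts.
            raise GroupStoreError(f"global group {group.name} cannot hold {qualified}")
        if dom not in self.trusted:
            raise GroupStoreError(f"{self.name} does not trust {dom}")
        return qualified

    def add_group(self, name, local=False, description="", members=()) -> Group:
        key = name.upper()
        if key in self.groups:
            raise GroupStoreError(f"group {key} already exists")
        # Every ADD GROUP gets a new SID, even for a name that existed before.
        sid = f"S-1-5-21-EXAMPLE-{next(self._rid)}"   # placeholder, not a real SID
        g = Group(sid=sid, name=key, local=local, description=description)
        for m in members:
            g.members.add(self._check_member(g, m))
        self.groups[key] = g
        return g

    def copy_group(self, src: str, dst: str) -> Group:
        # COPY GROUP keeps type, description and members but not the SID.
        s = self.groups[src.upper()]
        return self.add_group(dst, s.local, s.description, set(s.members))

    def modify_group(self, name, add=(), remove=(), description=None) -> Group:
        g = self.groups[name.upper()]
        for m in add:
            g.members.add(self._check_member(g, m))
        for m in remove:
            g.members.discard(self._qualify(m))
        if description is not None:
            g.description = description
        return g

    def remove_group(self, name: str) -> None:
        # ACL entries still hold the old SID and become dangling; no cleanup,
        # which is exactly what the REMOVE GROUP prompt warns about.
        del self.groups[name.upper()]

    def grant(self, resource: str, group_name: str) -> None:
        self.acls.setdefault(resource, set()).add(self.groups[group_name.upper()].sid)

    def has_access(self, resource: str, group_name: str) -> bool:
        g = self.groups.get(group_name.upper())
        return g is not None and g.sid in self.acls.get(resource, set())


if __name__ == "__main__":
    oz = Domain("LANDOFOZ", trusted={"KANSAS"})
    oz.add_group("MUNCHKINS", local=True, description="Oz local group",
                 members=["SCARECROW", "STRAWMAN"])
    oz.grant("DISK$SHARE:[OZ]", "MUNCHKINS")   # constructed resource name
    oz.remove_group("MUNCHKINS")
    oz.add_group("MUNCHKINS", local=True)
    print("access after re-create:", oz.has_access("DISK$SHARE:[OZ]", "MUNCHKINS"))
```

Run stand-alone, the script prints False for the re-created MUNCHKINS group. The practical consequence for an administrator is that REMOVE GROUP should be treated as irreversible with respect to access control lists: resource permissions that named the old group must be re-granted to the new one, and any ACL entries left holding the old SID should be cleaned up rather than relied on.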

