Now that you've installed SFU, let's look at its configuration. SFU originated as several different products from various sources, which have been pulled together into a single package. Each product has a different interface and configuration mechanism, and as a result they don't have a cohesive look and feel. Even so, the functionality is all there and not, generally, dependent on the other pieces. The basic pieces of the product (most of which we've already covered briefly) fall into the following three categories:
The telnet client and server, NFS client and server, and UNIX utilities are discussed in more detail in the following sections. The Korn shell is explained later, toward the end of this chapter. Let's begin with connectivity services.
The telnet client and server provide an excellent method for communicating between Windows 2000 machines and UNIX machines. But the telnet services can also offer substantial benefits in daily administration of the Windows 2000 machines themselves. By adding a telnet service to your Windows 2000 Servers, you provide a simple, low-overhead command-line interface to the servers that will let you easily manage a variety of administrative tasks from a single desktop and even over a slow dial-up line.
As installed, the telnet server works optimally for most installations. It provides access from any server or workstation that has a telnet client installed, offering improved interoperability in the enterprise and improved manageability even in a pure Windows 2000 environment. It will accept logins from a variety of clients, including the graphical telnet client shipped with Windows NT and Microsoft Windows 95/98 and a variety of character-mode terminal clients from virtually any operating system. Additionally, it can meet specific site requirements to improve security, simplify logins, and so on.
The NT LAN Manager The SFU telnet server supports NT LAN Manager (NTLM) for authentication of client logins. NTLM automatically authenticates the user based on his or her Windows 2000 logon, giving a transparent connection to the host while ensuring that clear text passwords don't pass over the network. NTLM must be supported on both the client and server side, however, making this option viable only between Windows machines, not directly to or from UNIX machines.
When using NTLM logon, users are restricted to local drives on the machine they are logged on to. If they need to map network resources, they can do so by explicitly mapping with full credentials. For example,
net use g:\\server\share\user:domain\username.
Administration The telnet server is administered by using the tlntdmn.exe program, which is installed by default in <SFU Root>\telnet and provides a simple text menu that will run from virtually any character-mode window, including a remote telnet login. With the tlntadmn.exe program, you can list the current users, terminate a user or users, display (and modify) the registry settings for the server, and start and stop the service. The registry settings you can change include the following:
NOTE
Using a value of 2 (NTLM only) in a mixed UNIX and Windows 2000 environment would effectively lock out UNIX users from the Windows 2000 Servers because they wouldn't have a client that supports NTLM authentication. Forcing NTLM does, however, eliminate the passing of clear text passwords over the network.
Registry Settings You can use the provided telnet administration program to edit the registry settings for the telnet server, or you can edit them manually by using regedit or regedt32. The subkey for the telnet server is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0. The keys and their types, which correspond to the tlntadmn.exe settings explained in the previous section, are listed in Table 21-1.
Table 21-1. Registry settings for the telnet server
Registry Key | Type | Default Value |
---|---|---|
AllowTrustedDomain | REG_DWORD | 0x00000001 |
AltKeyMapping | REG_EXPAND_SZ | |
DefaultDomain | REG_EXPAND_SZ | |
DefaultShell | REG_EXPAND_SZ | %SystemRoot%\system32\cmd.exe/q/k |
LoginScript | REG_EXPAND_SZ | %SystemRoot%\system32\login.cmd |
MaxConnections | REG_DWORD | 0x0000003f (63) |
MaxFailedLogins | REG_DWORD | 0x00000003 |
NTLM | REG_DWORD | 0x00000002 (NTLM only) |
TelnetPort | REG_DWORD | 0x00000017 (23) |
Termcap | REG_DWORD | %SystemRoot%\system32\termcap |
In addition, a specific subkey exists for performance tuning: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\TelnetServer\1.0\Performance \NumThreadsPerProcessor. The minimum value for this setting is 2, and the default is 10 (0x0000000a). For most environments, the default value will optimize performance.
CAUTION
Use extreme care when editing the registry because changes can result in a computer that won't boot. Be sure to back up your registry before making any changes.
While Windows 2000 comes with a familiar graphical-mode telnet client, Windows 2000 includes the new SFU character-mode telnet client that provides greatly improved scroll bars and the ability to authenticate use of encrypted passwords when connecting to telnet servers that support NTLM authentication. It is both faster and better behaved than the graphical-mode client it has replaced.
Furthermore, the telnet client provides terminal emulations, including an ANSI emulation that supports colors correctly when connecting to servers that support it, such as those running the Santa Cruz Operation (SCO) variant of UNIX. There is also a new VTNT emulation that supports enhanced features when connecting between Windows NT and Windows 2000 machines—including the ability to run complex character-mode applications such as edit.exe that won't work with standard terminal emulations.
The telnet configuration is done from within a telnet session by "escaping" to the telnet prompt. Press Ctrl+right bracket (]) to bring up the telnet prompt once you've started a telnet session. From here, you can use the following:
REAL WORLD Terminal Emulation Choices
If you connect primarily to UNIX systems, set TERM to ANSI and set NTLM off, but if you connect frequently to both Windows NT and UNIX systems or primarily to Windows NT systems, you'll find the VTNT emulation a better choice, and you'll still fall back to ANSI when connecting to a system that doesn't support VTNT.
SFU provides additional file service connectivity beyond the native FTP client and server in Windows 2000. The addition of NFS client and server allows native connectivity in a way that looks and feels natural to both UNIX and Windows 2000 users.
By using the seamlessly integrated NFS client, you can map exported file systems from your UNIX servers just as if they were native Windows 2000 shares, using either the UNIX server:/export format or the Windows \\server\share format. And the NFS server allows you to share the file resources with your UNIX systems or with other NFS clients, including Windows 2000 clients. Let's look at NFS client first.
When you install the NFS client, it adds an applet to the Control Panel for administering NFS client settings. Open Control Panel and double-click Client For NFS to open the Client For NFS Properties window shown in Figure 21-4. The following sections detail the options you can select to administer the NFS client settings.
Authentication Set your authentication options according to the type of UNIX system and environment you'll be connecting to. The following are options on the Authentication tab:
Figure 21-4. The Authentication tab of the Client For NFS Properties window.
The following additional settings are available:
Mount Options The Client for NFS Properties window, shown in Figure 215, allows you to specify the size of read and write buffers (the default is 64 K), initial timeout, number of retries, and whether to use hard or soft mounts. Unless you have a compelling reason to change these settings, you should leave them alone. They are optimal for connections that will support them and will automatically fall back if necessary.
There are three additional mount settings in the Client for NFS Properties window:
Figure 21-5. The Mount Options tab of the Client For NFS Properties window.
File Access Permissions The default file access permissions for the NFS client are Read, Write, and Execute for the user (owner) of the file, but only Read and Execute for the Owner group and for other users (equivalent to a umask of 022).
Filename Mapping You can map how new filenames are created and how existing filenames are mapped between the remote NFS server and your NFS client, as shown in Figure 21-6. The choices for filenames you create from the client are as follows:
Figure 21-6. The Filenames tab of the Client For NFS Properties window.
The choices for mapping to existing filenames are the following:
NOTE
In a mixed environment where users will be accessing files from both Windows and UNIX, you'll find that setting filename mapping to convert automatically to lowercase but to match by ignoring case will provide the least disruption to both communities of users.
Configuring NFS LANs Before your NFS client can effectively browse the network for exported (shared) file systems, you need to configure your NFS LAN. You have two choices for configuring NFS LANs: FavoriteLAN and named broadcast LANs. You should use broadcast LANs to divide your network into logical segments to limit the broadcasts to only a specific portion of your network and cut down network traffic.
You can create a single FavoriteLAN that has the NFS servers you connect to most frequently. You enter these servers by name or IP address, regardless of which segment they are on. By using a FavoriteLAN, you limit the amount of network broadcast traffic and speed up connecting to your preferred resources. To create a FavoriteLAN and add a server to it, follow these steps:
Figure 21-7. The Configured NFS LANs tab of the Client For NFS Properties window.
Figure 21-8. The Add LAN dialog box.
Figure 21-9. The NFS Hosts dialog box.
Figure 21-10. The Add Host dialog box.
If the logon is successful and you have confirmation dialog boxes enabled, you'll see a message similar to that shown in Figure 21-11. If your name and password weren't authenticated, you'll see the message in Figure 21-12. You can try again or accept the anonymous logon. If you accept the anonymous logon, you'll still have access to the NFS host but only whatever access has been allowed for anonymous users.
Figure 21-11. The NFS Login Successful dialog box.
Figure 21-12. The NFS Login Failed dialog box.
Creating and using a named broadcast LAN is much the same process as using a FavoriteLAN, except that you must know something about the network segment on which the broadcast LAN resides. To create a broadcast LAN, follow these steps:
Figure 21-13. The Broadcasting dialog box.
TIP
To speed up the boot process, change the Broadcast Mode to When Browsing. However, this will slow down your initial browsing for NFS hosts, especially on large networks.
MORE INFO
See the Microsoft Windows 2000 Resource Kit (Microsoft Press, 1999) for more information on broadcast addresses, subnets, and TCP/IP masks.
Symbolic Links Symbolic links are a way for a file or directory to exist in one physical location but to be seen as existing in another location or locations. When a symbolic link references a file or directory that's local to the machine where the link is located, Client for NFS doesn't need to do any special manipulation to follow the link. But you can also create symbolic links on an NFS server that point to files or directories that actually reside on a remote machine.
To resolve these links, Client for NFS must have a mapping file that identifies the actual machine to which the link points. This mapping file can reside on the local client machine, or it can be located centrally on the network for easier administration. The mapping file is an ASCII text file and has this format:
# Lines beginning with a # sign are comments and are ignored mnt \machine\export |
Use the Symbolic Links tab to set your options.
CAUTION
By default, Client for NFS doesn't resolve or display unresolved links. It also won't allow a rename or a delete on a symbolic link. You should enable the Rename or Delete options of symbolic links only if you fully understand the consequences and know what mechanism or program will be doing the renaming or deleting. If you delete a symbolic link and replace it with a file of the same name, it will no longer be a symbolic link. Two files will now exist on the NFS server: the original file in its original location, and the replacement file in the link location.
Connecting to an NFS Export Connecting to an NFS export is the same as connecting to any shared file system resource on the network. Using Microsoft Windows Explorer, you'll find an NFS Network in addition to the Microsoft Windows Network and any other networks you have configured under My Network Places, as shown in Figure 21-14.
When you want to connect to an exported NFS file system, you can use standard Windows syntax (\\server\share) or standard UNIX syntax (server:/share). Using standard UNIX syntax is somewhat faster since it immediately resolves to the native NFS syntax and bypasses the need to look for a conventional Windows share of the same name.
Figure 21-14. An integrated NFS client.
You can also use the command-line Net Use commands to connect to a particular resource directly if you know where it is. For example, to map the next available drive letter to the exported /home file system on server1 of NFS server, you could use either of the following commands:
net use * server1:/home net use * \\server1\home |
You can use the robust SFU NFS server to provide resources from your Windows 2000 machines to any machine on your network that supports NFS. You could even use it to export file systems to other Windows 2000 machines running SFU NFS client, although we'd generally recommend that you stick to native Windows 2000 networking for that. The following sections describe the options available for NFS configuration.
Shares Shares are created using the Control Panel's Server for NFS Configuration shown in Figure 21-15. You can share either individual directories or an entire drive. You can't share a subdirectory of an already shared resource, since NFS doesn't support this, so you'll want to plan your shares to make sure you share from as far up the tree as necessary. Each drive letter is shared as the top of a file system.
In the UNIX environment, all file systems are viewed as being subdirectories of the root file system. Because Windows 2000 doesn't have this concept of a single root file system, each disk drive letter is shared as a separate file system. Driveletters in the form "D:" are converted to the syntax "/D/". So the share of your F:\UserHome folder would be visible to NFS clients on the network as: /F/UserHome. To create an NFS share, follow this procedure:
Figure 21-15. Server for NFS Configuration.
Figure 21-16. Adding a share name.
Figure 21-17. The default permissions on an NFS share—global Read-Write.
NFS Share Aliases You can create an alias for an NFS share to make your Windows 2000 NFS shares look more like what a UNIX user would expect to see. Keep in mind that NFS aliases require a reboot to take effect, so you should first create all your share points and then add all the aliases after the fact to reduce the number of reboots required. To create an alias, follow these steps:
Client Groups Server for NFS provides a mechanism for managing permissions and shares by groups of computers, known as Client groups. By creating Client groups, you can export (share) file system resources to specific groups of computers without having to specify each individual computer each time. This ability also improves management and administration by letting you manage a group's members from one location.
Changes to group membership (and thus permissions) are automatically changed for each shared NFS resource that references that client group. To create Client groups, follow this procedure:
Figure 21-18. The NFS Client Groups tab of the Server For NSF Configuration dialog box.
Figure 21-19. The New Group dialog box.
Figure 21-20. The New Member dialog box.
File Locking You can enable file locking for NFS clients, and you can enable it on a system-wide basis, being propagated both locally and across the network. The NFS File Locking tab of Server for NFS Configuration is shown in Figure 21-21. By default, locking is turned off, but if you expect to use applications across the NFS mount that require file locking, you'll probably want to enable it. Any changes to file locking require a reboot, so plan accordingly.
Security Server for NFS uses access control entries to simulate the permissions that are typical in the UNIX and NFS world. You can, however, inhibit certain behaviors that are normally possible in the UNIX permission set but not generally done in Windows 2000 or Windows NT. Specifically, you can inhibit the ability of an NFS client to deny access to the owner and group of a file. You can also set permissions for objects to more closely match the way Windows 2000 manages them by selecting the Implicit Permissions option and by selecting FULL Control (Group) and FULL Control (World), as shown in Figure 21-22.
Figure 21-21. The NFS File Locking tab.
Figure 21-22. The Security Permissions tab.
CAUTION
The UNIX and Windows 2000 security models have inherently different permissions sets. Any attempt to align them is merely an approximation.
UNIX users expect a bevy of command-line utilities that don't exist in the Windows 2000 world. However, SFU includes only a limited subset of the more common UNIX utilities based on the Mortice Kern Systems (MKS) Toolkit, including the MKS Korn shell to facilitate sharing scripts. If you require a full set of UNIX utilities, an MKS add-on (MKS Toolkit Services for UNIX Update Edition) provides the rest of the MKS Toolkit and more than 200 UNIX utilities.
The SFU utilities break down into four basic categories: file and directory utilities, text utilities, programming utilities, and security-related utilities. In each case, the most critical ones are available, but if you expect to use scripts from the UNIX world in Windows 2000, you'll likely find this list insufficient to meet your needs unless you're careful in crafting the script or you take advantage of the included Perl programming utility to jump beyond the limits of the Korn shell.
File and Directory Utilities The file system utilities included in SFU are as follows:
Text Utilities The text utilities included in SFU are as follows:
Programming Utilities The programming utilities included in SFU are as follows:
Security-Related Utilities The security utilities included in SFU are as follows:
REAL WORLD Utilities in Other Implementations
Both the full MKS Toolkit and the Interix subsystem include a far greater group of utilities than those that come natively with SFU. Interix also includes its own implementation of telnet (which is licensed per user, unfortunately, adding substantially to the cost). The MKS Toolkit includes several graphical utilities, including a rather good graphical version of vi and a number of other utilities that lend themselves well to a graphical implementation. Both MKS and Interix include versions of tar that will write to tape or floppy disk much as a UNIX administrator would expect.