forbidden to their profiles. It is important to become aware of which users from which groups have access to your data. GIDs can help a user from a powerful group gain unauthorized access to sensitive data.

The various IDs a user has and the attached authorities can create NFS security hazards. This is particularly crucial when dealing with the CHGNFSEXP command options for making file systems available to clients. For more information regarding exporting safely, see "Securely Exporting File Systems" on page 87.

Mapping User Identifications

Whenever users successfully log onto a server, the server automatically and immediately grants the authorities for their user profiles on that server.

When users access remote server files through local client systems, their requests are sent to that remote server. The server will check the user's UID and authority with each request, due to the statelessness of NFS. As a user accesses a remote server, the request carries only the UID and not the user profile name (nor any password). The server then maps the UID to a matching authority no matter what user profile name it actually has. This can cause problems if UIDs from different systems match each other, yet belong to different users. See "UID Mapping Examples" on page 85 for more information about improper UID mapping.

Potential User Identification Mapping Scenarios

There are four possibilities for UID mapping across a distributed network:

1. The UID of a user on a client and server map to the same user profile. There is no conflict.

2. The UID of a user exists on both the client and server, but is mapped to different profiles. This can cause security conflicts because users can be mapped to profiles with more or less authority than what is required.

3. The UID of a user exists on the client, but does not exist on the server. In this case, the export entry is checked for an entry for the ANON parameter. If a profile is found for mapping anonymous users, then the UID of the user will be mapped to this profile. If the server does not allow the mapping of anonymous users, then a user making this request will receive the EACCES error condition. See "Anonymous Users" on page 88 for more information about the ANON parameter and allowing anonymous users access to your exports.

Because of differing UID mapping across a network, users may have problems working with files on a remote system. This occurs because users do not have the same authority on the remote system as on the local system.
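The scenarios listed above can be checked ahead of time by comparing the UID tables of a client and a server. The following is an added example, not taken from the IBM manual: the profile names and UIDs are constructed, and `anon_profile=None` is an assumed way of modelling an export that does not allow anonymous mapping.

```python
import errno

# Constructed sample tables (UID -> user profile name); not from the manual.
CLIENT = {100: "ALICE", 200: "BOB", 300: "CAROL"}
SERVER = {100: "ALICE", 200: "PAYADMIN", 400: "CAROL"}


def server_resolve(uid, server_table, anon_profile=None):
    """Model the server-side decision: the request carries only a UID."""
    if uid in server_table:
        # Mapped by number alone, whatever profile name the client used.
        return server_table[uid]
    if anon_profile is not None:
        # The export names a profile for anonymous users.
        return anon_profile
    raise PermissionError(errno.EACCES, "UID unknown and anonymous mapping not allowed")


def audit(client_table, server_table, anon_profile=None):
    """Classify each client UID as MATCH, CONFLICT, ANON or EACCES."""
    findings = []
    for uid, client_profile in sorted(client_table.items()):
        try:
            effective = server_resolve(uid, server_table, anon_profile)
        except PermissionError:
            findings.append((uid, client_profile, None, "EACCES"))
            continue
        if uid not in server_table:
            status = "ANON"          # scenario 3, anonymous mapping allowed
        elif effective == client_profile:
            status = "MATCH"         # scenario 1, no conflict
        else:
            status = "CONFLICT"      # scenario 2, same UID, different profile
        findings.append((uid, client_profile, effective, status))
    return findings


if __name__ == "__main__":
    for row in audit(CLIENT, SERVER):
        print(row)
    for row in audit(CLIENT, SERVER, anon_profile="GUEST"):
        print(row)
```

Any CONFLICT row is a UID that should be renumbered on one side before the file system is exported. Note that CAROL has a profile on the server under UID 400, yet her requests arrive as UID 300 and are never matched to it.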

Administrating User Identifications

The administrator of an NFS namespace must be ready to:

1. Set up matching authorities, whenever possible, for users. This ensures that they will not become confused while crossing mount points and working on both local and remote systems. This includes properly mapping UIDs and GIDs throughout the network.

2. Create appropriate individual authorities that are tailored to both the system and the user. These authorities need not be matching, but they should be

84 OS/400 Network File System Support V4R4


AS/400E specifications

The IBM AS/400E, now more commonly known as IBM i, is a robust and versatile midrange server that has been designed to provide a comprehensive computing solution for businesses of all sizes. First introduced in the late 1980s, the AS/400 series has undergone multiple enhancements and rebranding, with the AS/400E being one of the notable iterations. This powerful platform is closely associated with IBM's commitment to reliability, scalability, and integrated business solutions.

One of the main features of the AS/400E is its highly integrated architecture that combines hardware and software into a cohesive system. This integration allows for seamless operations, reducing the complexity typically associated with managing disparate systems. The system is powered by IBM's proprietary OS/400 operating system, which has evolved into IBM i, featuring advanced capabilities like object-oriented programming, integrated database management, and security features that are essential for enterprise environments.

A key characteristic of the AS/400E is its robust database support, primarily through the use of DB2 for i. This integrated database management system enables efficient data handling and retrieval, facilitating real-time business analytics and reporting. Furthermore, the platform supports a variety of programming languages, including RPG, COBOL, and Java, making it flexible for developers who require diverse tools for application development.

The AS/400E is also known for its exceptional reliability and uptime, making it a preferred choice for critical business applications in industries such as finance, healthcare, and manufacturing. This reliability is backed by advanced error detection and correction mechanisms, as well as redundancy features that help prevent data loss and minimize downtime.

In terms of scalability, the AS/400E can effortlessly expand to accommodate growing business demands. Organizations can increase processing power by adding more resources without significant disruption. This scalability, combined with the system’s built-in virtualization capabilities, allows businesses to optimize resource usage and streamline operations.

Security is another defining feature of the AS/400E. The platform incorporates various layers of security measures, including user authentication, encryption, and comprehensive auditing capabilities, ensuring that sensitive business data is protected against unauthorized access.

Overall, the IBM AS/400E remains a powerful tool in the enterprise computing landscape, providing businesses with an integrated, reliable, and secure solution for their technological needs. Its enduring popularity is a testament to its capability to evolve with changing business requirements while maintaining its core attributes of high performance and stability.