ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzahq_5.4.0.1/rzahqsbmnwscmdandkerberos.htm

71 lines
5.0 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>SBMNWSCMD and file level backup support for Kerberos v5 and EIM</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="rzahqsbmnwscmdandkerberos"></a>
<h3 id="rzahqsbmnwscmdandkerberos">SBMNWSCMD and file level backup support for Kerberos v5 and EIM</h3>
<p>File level backup operations to an integrated Windows server utilize the iSeries&trade; NetClient and Submit Network Server Command (SBMNWSCMD) functions. In i5/OS&trade; V5R3 or later, these functions provide limited Kerberos v5 support (also
known as iSeries Network Authentication). Thus, there are some considerations
to keep in mind if you want to use network authentication with these functions.</p>
<ol type="1">
<li>In order to enable iSeries to use Kerberos authentication, you must configure
these things on the iSeries server:
<ul>
<li><a href="../rzahl/rzahlkrbinstlsecopt.htm" target="_blank">iSeries Navigator Security option </a></li>
<li><a href="../rzakh/rzakh000.htm" target="_blank">Network authentication service </a></li>
<li><a href="../rzalv/rzalvmst.htm" target="_blank">Enterprise Identity Mapping
(EIM)</a></li>
<li><a href="../rzakh/rzakhplanwrkshts.htm" target="_blank">Cryptographic Access Provider
(5722-AC2 or AC3)</a></li></ul></li>
<li>The iSeries NetServer&trade; should be configured to use Password/Kerberos
v5 authentication and NetServer must be active.</li>
<li><img src="delta.gif" alt="Start of change" />The Kerberos KDC must be a Windows Active Directory domain
controller (Windows 2000 Server or Windows Server 2003). For more information,
see <a href="rzahqenableqntcaccess.htm#rzahqenableqntcaccess">Enabling Kerberos with a Windows Server 2003 Active Directory Server</a>.<img src="deltaend.gif" alt="End of change" /></li>
<li>Kerberos authentication will only be used when the i5/OS job's user
profile has the LCLPWDMGT attribute set to <tt>*NO</tt>.
When LCLPWDMGT is set to <tt>*YES</tt>, then password authentication
will always be used.</li>
<li>User Enrollment supports using EIM to map a Windows user name to a different i5/OS profile name. Thus, user enrollment can look for an EIM registry which
is named for the Windows Active Directory domain name, or for a EIM registry
which is named for the integrated server name as appropriate. User enrollment
will use the EIM mapping regardless of whether Kerberos authentication can
be used. However, SBMNWSCMD and NetClient will <span class="bold">only</span> use
an EIM mapped name when Kerberos authentication is used. So, user enrollment
may create a local windows user with a different name than the i5/OS profile as
specified by the EIM mapping. But, SBMNWSCMD and NetClient will only use the
different windows name when Kerberos authentication is performed (When LCLPWDMGT
= *NO). Otherwise, they attempt to authenticate with a Windows name equal
to the i5/OS profile name.</li>
<li>For SBMNWSCMD submitted windows commands to be able to connect to other
network servers when Kerberos authentication is used, the target windows server
must be <span class="italic">trusted for delegation</span>. In Windows 2000, this
is enabled by default for domain controllers. However, it is disabled by default
for domain member servers. It may be enabled via the Administration Tool: <span class="bold">Active Directory User and Computers</span> on a domain controller.
Within this tool, click <span class="bold">Computers</span> and select the correct
computer. Then click <span class="bold">Computer properties &ndash;> General</span>. Then check <span class="bold">Trust computer for delegation</span>.</li></ol>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>