71 lines
5.0 KiB
HTML
71 lines
5.0 KiB
HTML
<?xml version="1.0" encoding="utf-8"?>
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<meta name="dc.date" scheme="iso8601" content="2005-09-13" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow"/>
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<title>SBMNWSCMD and file level backup support for Kerberos v5 and EIM</title>
|
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
|
</head>
|
|
<body>
|
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
|
|
|
|
|
<a name="rzahqsbmnwscmdandkerberos"></a>
|
|
<h3 id="rzahqsbmnwscmdandkerberos">SBMNWSCMD and file level backup support for Kerberos v5 and EIM</h3>
|
|
<p>File level backup operations to an integrated Windows server utilize the iSeries™ NetClient and Submit Network Server Command (SBMNWSCMD) functions. In i5/OS™ V5R3 or later, these functions provide limited Kerberos v5 support (also
|
|
known as iSeries Network Authentication). Thus, there are some considerations
|
|
to keep in mind if you want to use network authentication with these functions.</p>
|
|
<ol type="1">
|
|
<li>In order to enable iSeries to use Kerberos authentication, you must configure
|
|
these things on the iSeries server:
|
|
<ul>
|
|
<li><a href="../rzahl/rzahlkrbinstlsecopt.htm" target="_blank">iSeries Navigator Security option </a></li>
|
|
<li><a href="../rzakh/rzakh000.htm" target="_blank">Network authentication service </a></li>
|
|
<li><a href="../rzalv/rzalvmst.htm" target="_blank">Enterprise Identity Mapping
|
|
(EIM)</a></li>
|
|
<li><a href="../rzakh/rzakhplanwrkshts.htm" target="_blank">Cryptographic Access Provider
|
|
(5722-AC2 or AC3)</a></li></ul></li>
|
|
<li>The iSeries NetServer™ should be configured to use Password/Kerberos
|
|
v5 authentication and NetServer must be active.</li>
|
|
<li><img src="delta.gif" alt="Start of change" />The Kerberos KDC must be a Windows Active Directory domain
|
|
controller (Windows 2000 Server or Windows Server 2003). For more information,
|
|
see <a href="rzahqenableqntcaccess.htm#rzahqenableqntcaccess">Enabling Kerberos with a Windows Server 2003 Active Directory Server</a>.<img src="deltaend.gif" alt="End of change" /></li>
|
|
<li>Kerberos authentication will only be used when the i5/OS job's user
|
|
profile has the LCLPWDMGT attribute set to <tt>*NO</tt>.
|
|
When LCLPWDMGT is set to <tt>*YES</tt>, then password authentication
|
|
will always be used.</li>
|
|
<li>User Enrollment supports using EIM to map a Windows user name to a different i5/OS profile name. Thus, user enrollment can look for an EIM registry which
|
|
is named for the Windows Active Directory domain name, or for a EIM registry
|
|
which is named for the integrated server name as appropriate. User enrollment
|
|
will use the EIM mapping regardless of whether Kerberos authentication can
|
|
be used. However, SBMNWSCMD and NetClient will <span class="bold">only</span> use
|
|
an EIM mapped name when Kerberos authentication is used. So, user enrollment
|
|
may create a local windows user with a different name than the i5/OS profile as
|
|
specified by the EIM mapping. But, SBMNWSCMD and NetClient will only use the
|
|
different windows name when Kerberos authentication is performed (When LCLPWDMGT
|
|
= *NO). Otherwise, they attempt to authenticate with a Windows name equal
|
|
to the i5/OS profile name.</li>
|
|
<li>For SBMNWSCMD submitted windows commands to be able to connect to other
|
|
network servers when Kerberos authentication is used, the target windows server
|
|
must be <span class="italic">trusted for delegation</span>. In Windows 2000, this
|
|
is enabled by default for domain controllers. However, it is disabled by default
|
|
for domain member servers. It may be enabled via the Administration Tool: <span class="bold">Active Directory User and Computers</span> on a domain controller.
|
|
Within this tool, click <span class="bold">Computers</span> and select the correct
|
|
computer. Then click <span class="bold">Computer properties –> General</span>. Then check <span class="bold">Trust computer for delegation</span>.</li></ol>
|
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
|
</body>
|
|
</html>
|