Previous | Contents | Index |
To display information about user accounts, use the SHOW USERS command. For example:
LANDOFOZ\\TINMAN> SHOW USERS User accounts in domain "LANDOFOZ": User Name Full Name Type Description -------------- ----------- ------ ------------------------ Administrator Global Built-in account for administering the domain Guest Global Built-in account for guest access to the domain LION Lion,Cowardly Global Cowardly Lion SCARECROW Man, Straw Global The Straw Man Total of 4 user accounts LANDOFOZ\\TINMAN> |
To sort the display by user full name, use the SHOW USERS/SORT=FULLNAME command, as in the following example:
LANDOFOZ\\TINMAN> SHOW USERS/SORT=FULLNAME User accounts in domain "LANDOFOZ:" Full Name User Name Type Description -------------- ------------- ------ --------------------------- Administrator Global Built-in account for administering the domain Guest Global Built-in account for guest access to the domain Lion, Cowardly LION Global Cowardly Lion Man, Straw SCARECROW Global The Straw Man Total of 4 user accounts LANDOFOZ\\TINMAN> |
To display user account settings for a specific user, use the SHOW USERS/FULL command. For example, the following display shows the settings for user LION.
LANDOFOZ\\TINMAN> SHOW USERS LION/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description --------------- --------------- ------- ------------- LION Lion, Cowardly Global Cowardly Lion User profile: Logon script: Home Path: D: Path: \\TINMAN\USERS\LION Primary Group: Domain Users Member of groups: Domain Users, MUNCHKINS Workstations: No workstation restrictions Logon Flags: Logon script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours (All hours) Last Log On: 08/23/00 05:07 PM Password Last Set: 06/30/00 11:03 AM Password Changeable: 06/30/00 11:03 AM Password Expires: 09/11/00 11:03 AM Total of 1 user account LANDOFOZ\\TINMAN> |
Use the MODIFY USER command to change the attributes of an existing user account. You can:
To add an existing user to a group, use the MODIFY USER/ADD_TO_GROUPS command, as in the following example:
LANDOFOZ\\TINMAN> MODIFY USER SCARECROW/ADD_TO_GROUPS=MUNCHKINS %PWRK-S-USERMOD, user "SCARECROW" modified on domain "LANDOFOZ" |
You can then enter the SHOW GROUPS/FULL command to see that the group MUNCHKINS now includes the user SCARECROW:
LANDOFOZ\\TINMAN> SHOW GROUPS MUNCHKINS/FULL Groups in domain "LANDOFOZ": Group Name Type Description -------------------- ------ ------------------------------------ MUNCHKINS Global Users in the Land of Oz Members: [US]LION, [US]SCARECROW) Total of 1 group) LANDOFOZ\\TINMAN> |
To change the hours when a user can log on, use the MODIFY USER/HOURS command. For example, to restrict a user to logging on only on Monday from 8 a.m. to 9 a.m. and from 3 p.m. to 8 p.m., specify /HOURS=(MON=(8-9,15-20)).
For example, to modify LION's logon hours, use the MODIFY USER command, as follows.
LANDOFOZ\\TINMAN> MODIFY USER LION/HOURS=(MON=(8-9,15-20)) %PWRK-S-USERMOD, user "LION" modified on domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
You can verify that the change was made correctly using the SHOW USERS/FULL command. For example:
LANDOFOZ\\TINMAN> SHOW USERS LION/FULL User accounts in domain "LANDOFOZ": User Name Full Name Type Description --------------- --------------- ------- ------------- LION Lion, Cowardly Global Cowardly Lion User profile: Logon script: Home Path: D: Path: \\TINMAN\USERS\LION Primary Group: Domain Users Member of groups: Domain Users, MUNCHKINS Workstations: No workstation restrictions Logon Flags: Logon script is executed, Password is expired Account Type: Global Account Expires: Never Logon hours: 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 2 2 2 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 Sunday: - - - - - - - - - - - - - - - - - - - - - - - - Monday: - - - - - - - - X X - - - - - X X X X X X - - - Tuesday: - - - - - - - - - - - - - - - - - - - - - - - - Wednesday: - - - - - - - - - - - - - - - - - - - - - - - - Thursday: - - - - - - - - - - - - - - - - - - - - - - - - Friday: - - - - - - - - - - - - - - - - - - - - - - - - Saturday: - - - - - - - - - - - - - - - - - - - - - - - - Last Log On: 08/23/00 05:07 PM Password Last Set: 06/30/00 11:03 AM Password Changeable: 06/30/00 11:03 AM Password Expires: 09/11/00 11:03 AM Total of 1 user account LANDOFOZ\\TINMAN> |
A user's ability to log on can be rescinded by either disabling or removing the user account. A disabled user account still exists, but the user is not permitted to log on. It continues to appear in the user accounts list. It can be restored to enabled status at any time. A removed account is permanently removed and cannot be recreated with the same security settings.
Each user in a domain is identified by a unique security identifier
(SID). The SID is created when a user account is created and is used
when assigning permissions to a resource. Because a SID is unique to an
account, a new account, even with the same user name, is assigned a new
SID. Therefore, if you delete a user account and then need to create
another user account for the same user with the same user name, the new
user account will not have the rights or permissions that previously
were granted to the old user account, because the user account will
have a different SID. To avoid problems, first disable a user account
you want to remove and then remove it after a reasonable time.
3.1.15.1 Disabling a User Account
Set the account to Disabled, using the MODIFY USER/FLAGS=(DISUSER)
command.
3.1.15.2 Deleting a User Account
To delete a user account, use the REMOVE USER command. You are prompted for confirmation before the command executes.
A deleted user account is removed from the user accounts list and cannot be restored or recreated. Make sure that you want to delete a user account before doing so. For example:
LANDOFOZ\\TINMAN> REMOVE USER LION Each user account is represented by a unique identifier which is independent of the user name. Once the user account is deleted, even creating an identically named user account in the future will not restore access to resources which currently name this user account in the access control list. Remove user "LION" [YES or NO] (YES) : YES %PWRK-S-USERREM, user "LION" removed from domain "LANDOFOZ" LANDOFOZ\\TINMAN> |
Advanced Server provides user account host mapping, which associates a network user account with an OpenVMS user account, simplifying the management of both user accounts. Host mapping is required for users who are externally authenticated, as described in Section 3.1.17, External Authentication.
Every file on an OpenVMS system must have an owner. Host mapping
establishes which OpenVMS account is assigned as the owner when an
Advanced Server user creates files or directories. Host mapping is also
used to determine the OpenVMS user name when logging on to OpenVMS
using external authentication. Additionally, when the Advanced Server
and OpenVMS security model is enabled, host mappings are used to
determine the OpenVMS access rights permitted to the user. The security
models are selected using the Configuration Manager, as described in
Section 7.1, Managing File Server Parameters Affecting System Resources.
3.1.16.1 Implicit and Explicit Host Mapping
The Advanced Server supports both explicit and implicit host mapping between OpenVMS and Advanced Server user accounts. You can explicitly map a network user name to an OpenVMS user name using the ADMINISTER command ADD HOSTMAP.
Implicit host mapping is established when:
Host mapping is used to determine the OpenVMS user name when logging on to OpenVMS using external authentication. The user account Administrator is implicitly mapped to the OpenVMS user account SYSTEM. Therefore, if you enable the OpenVMS user account SYSTEM for external authentication, you can log in to the SYSTEM account using the Administrator user name and password, without explicitly defining any host map information. See Section 3.1.17, External Authentication, for more information.
Implicit host mapping is based on the user account names. Therefore, if
you copy the Administrator account or the Guest account, you must
specifically set up host mapping for the new user accounts. If you
rename the Administrator or Guest account, the implicit mapping is not
preserved. You must explicitly map the newly renamed account name to
the OpenVMS SYSTEM account using the ADMINISTER command ADD HOSTMAP.
3.1.16.2 Establishing User Account Host Mapping
By default, if a user name for a network user account is identical to the user name for an OpenVMS user account, the user accounts are host mapped. Files created by the network user are automatically designated with the OpenVMS owner setting. This feature is controlled by a set of server configuration parameters, described in Section 7.2, Managing Server Configuration Parameters Stored in the OpenVMS Registry, and listed in Appendix A, Server Configuration Parameters, including:
When a user creates a file or directory using the Advanced Server, the
resource is assigned the OpenVMS ownership associated with the user's
mapped account. The mapped account is used for OpenVMS resource
ownership. (For more information about enabling this security model,
see Section 7.1, Managing File Server Parameters Affecting System Resources.)
3.1.16.2.1 Setting Up Explicit Host Mapping
To set up explicit host mapping, use the ADD HOSTMAP command in the following form:
ADD HOSTMAP network-user-name OpenVMS-user-name
In the following example, the network user account for SCARECROW is host mapped to the user's OpenVMS user account STRAWMAN. If SCARECROW creates a file, the file is assigned the RMS ownership attributes associated with the OpenVMS account STRAWMAN.
LANDOFOZ\\TINMAN> ADD HOSTMAP SCARECROW STRAWMAN %PWRK-S-HOSTMAPADD, user "SCARECROW" mapped to host user "STRAWMAN" LANDOFOZ\\TINMAN> |
To display host mapping, use the SHOW HOSTMAP command. For example:
LANDOFOZ\\TINMAN> SHOW HOSTMAP Host Mappings for server "TINMAN": User Name Host Name ---------------------------- ----------- Guest PWRK$GUEST SCARECROW STRAWMAN LION CLION Total of 3 host mappings LANDOFOZ\\TINMAN> |
External authentication allows the OpenVMS system manager to set up an OpenVMS user account for which login authentication is verified by the Advanced Server domain security. External authentication allows the Advanced Server to do the user authentication for both Advanced Server domain user and OpenVMS user accounts.
External authentication is an option for users who have both OpenVMS and Advanced Server domain user accounts. It is not required. User host mapping provides the link between these two accounts, as described in Section 3.1.16, User Account Host Mapping.
With external authentication, users get automatic password
synchronization between their OpenVMS account and their corresponding
Advanced Server domain account.
The passwords are synchronized whenever a user logs in to the OpenVMS
account, provided that an Advanced Server domain controller is available
to service the request. Externally authenticated users are considered
to have a single password and are not subject to OpenVMS password
policies, such as password expiration, password history, and minimum
and maximum password length restrictions. Users are, however, subject
to the Advanced Server domain user account policy that is defined. All
other OpenVMS account restrictions remain in effect, such as disabled
accounts, time restrictions, and quotas. For information on enabling
external authentication, refer to the Compaq Advanced Server for OpenVMS Server Installation and Configuration Guide. For information
about setting up the system and enabling OpenVMS user accounts for
external authentication, refer to the OpenVMS Guide to System Security.
3.1.17.1 Configuring the Server Capacity for External Authentication
By default, the Advanced Server can support up to 10 simultaneous
external authentication logon requests (signons). You can modify this
maximum to suit the server requirements, using the Configuration
Manager. For more details, see Section 7.1.4.4, Specifying the Maximum Number of Concurrent Signons.
3.1.17.2 Synchronizing Passwords
The password of an externally authenticated OpenVMS user is automatically synchronized with the host mapped Advanced Server domain user, regardless of the role of the Advanced Server in the domain.
When a user changes the OpenVMS password using the OpenVMS command SET PASSWORD, and external authentication is set for the user, OpenVMS forwards the password change request to the Advanced Server. When the password change request is successfully processed, OpenVMS updates the OpenVMS user password. If Advanced Server is not running when the OpenVMS command SET PASSWORD is executed, the domain password is not changed.
When users change their passwords from their client workstations, or the server administrator changes a password with the ADMINISTER command SET PASSWORD, the Advanced Server processes the password change as usual. The OpenVMS password is synchronized when the user next logs in to OpenVMS. All password changes are synchronized. When an OpenVMS user no longer has the external authentication flag set, the password for the OpenVMS user account is the same as the one that was last set by Advanced Server.
When users change their password on the OpenVMS system or on their client computer, they should use the new password to log in to OpenVMS. If, for some reason, the Advanced Server software is down at the time of the OpenVMS login, users can use their old OpenVMS password to log in, but only if you have enabled overriding of external authentication. In this case, privileged users can enter the /LOCAL_PASSWORD qualifier after their OpenVMS user name at the login prompt, as explained in Section 3.1.17.3, Bypassing External Authentication When the Network Is Down. This causes OpenVMS to perform local authentication.
Password synchronization may fail due to the different sets of valid characters allowed by OpenVMS and Advanced Server. Keep this in mind when changing the password of an externally authenticated user. |
External authentication cannot occur if a network connection is required and the network is down. However, as a temporary solution, privileged users can enter the /LOCAL_PASSWORD qualifier after the OpenVMS user name at the login prompt, to specify local authentication. Be sure to specify the OpenVMS user name and password when using the /LOCAL_PASSWORD qualifier.
Because using the /LOCAL_PASSWORD qualifier effectively overrides the security policy established by the system manager, it is allowed only when the user's account has SYSPRV as an authorized privilege. This allows the system manager to gain access to the system when the network is down.
When Bit 1 is set in the SYS$SINGLE_SIGNON logical name, nonprivileged users who are normally externally authenticated can log in locally (the /LOCAL_PASSWORD qualifier need not be specified).
For more information about the /LOCAL_PASSWORD qualifier for the login
command line, refer to the OpenVMS Guide to System Security.
3.1.17.4 Logging On to Externally Authenticated Accounts
OpenVMS accepts the user name in one of the following formats for user accounts set for external authentication:
The form of the user name string determines the order in which OpenVMS verifies the logon:
Because external authentication depends on host mapping information, it is important to set up user accounts and host mapping carefully. For example, if the same user name exists in the Advanced Server and OpenVMS, but they are not the same user, external authentication may not work as you expect.
In the following examples, you have Advanced Server running on OpenVMS node VMS1 in the domain SaleOffice, with network users Smith and J_Smith and OpenVMS users Smith and V_Smith:
$ ADMINISTER ADD HOSTMAP SMITH V_SMITH $ ADMINISTER ADD HOSTMAP J_SMITH SMITH |
$ ADMINISTER ADD HOSTMAP SMITH V_SMITH |
You can set up an OpenVMS account to be externally authenticated by a trusted domain in your network. To enable this feature, you must include the trusted domain name in the data field for the server configuration parameter HostMapDomains in the OpenVMS Registry. See Section 7.2, Managing Server Configuration Parameters Stored in the OpenVMS Registry.
For example, if your OpenVMS system is in the SaleOffice domain, and this domain trusts the Marketing domain, set up OpenVMS user Jones to be externally authenticated by the Marketing domain as follows:
$ REGUTL :== $SYS$SYSTEM:PWRK$REGUTL $ REGUTL SET PARAM/CREATE VMSSERVER HOSTMAPDOMAINS Marketing |
Jones@Marketing Marketing\Jones |
Previous | Next | Contents | Index |