HP OpenVMS Systems Documentation

With both PATHWORKS Advanced Server and PATHWORKS LAN Manager, primary and backup domain controllers are similar in concept; however, they interoperate differently in the PATHWORKS Advanced Server environment. For example:

• If the PATHWORKS Advanced Server is in the same domain as a PATHWORKS LAN Manager server, the Advanced Server must be the PDC.
• Similarly, if the Windows NT Server is in the same domain as a PATHWORKS LAN Manager server, the Windows NT Server must be the PDC.
• If a PATHWORKS Advanced Server is in the same domain as a Windows NT Server, either server can act as PDC and maintain the master copy of user account information.

PATHWORKS Advanced Server may be configured as a primary or backup domain controller. Standalone and member server roles are no longer supported.

• PDC --- This is a server that maintains the master copy of user account information and distributes it to BDCs and member servers in the same domain. A primary domain controller also validates domain logon requests made by clients.
  Only one PDC is allowed in a domain.
• BDC --- This is a server that receives user account information from the PDC. A BDC can also validate logon requests made by clients. If a PDC fails, a BDC can be promoted to a PDC.

The PATHWORKS Advanced Server introduces the implementation of trusts into the domain, similar to Windows NT Server software. You can set up trust relationships to allow users from other domains to access resources in the local domain, and local domain users may access resources in other domains. To do this, you must establish the trust relationship in both domains using domain trust passwords.

Refer to the Advanced Server for OpenVMS Concepts and Planning Guide for more information about trust relationships.

1.3.3 Users and Groups

Both PATHWORKS Advanced Server and LAN Manager servers support user groups, which are sets of users who share common permissions for one or more resources. Placing users into groups makes it easier and faster to grant multiple users access to a resource, and it simplifies network administration.

The PATHWORKS Advanced Server supports two types of groups: global and local. The following table describes their differences.

For more information about local and global groups, see the Advanced Server for OpenVMS Concepts and Planning Guide.

1.3.4 Server Administration

PATHWORKS LAN Manager provides a character-cell interface called ADMIN/PATH and the industry standard Net Admin command line interface. PATHWORKS Advanced Server provides a comprehensive DCL-conforming command line interface called ADMINISTER.

The PATHWORKS Advanced Server software package also includes Windows NT server administration tools.

1.3.4.1 New Command Line Interface

The PATHWORKS Advanced Server provides a new command line interface for managing PATHWORKS Advanced Server. The new interface conforms to standard DCL command syntax, and replaces the LAN Manager Net command line interface. For backward compatibility purposes, the new command line interface supports command translation for a subset of the Net commands.

To use the new command line interface, log in as the system administrator, then enter the following command at the OpenVMS prompt:

$ ADMINISTER

//domain/server>

The //domain/server> prompt shows the current domain name and server name. For online information, enter the HELP command.

Refer to the PATHWORKS for OpenVMS (Advanced Server) Server Administrator's Guide and the Advanced Server for OpenVMS Commands Reference Manual for more information about the ADMINISTER command interface.

1.3.4.2 Windows NT Server Administration Tools

You can remotely manage the PATHWORKS Advanced Server using the Windows NT server administration tools provided with the Windows NT Server. These administration tools are included in the PATHWORKS Advanced Server software kit for you to install on Windows 95, Windows NT, or Windows for Workgroups workstations. You can use these tools to manage the PATHWORKS Advanced Server from any computer within the domain.

The Windows NT server administration tools are generic network administration tools, including:

• Server Manager
• User Manager for Domains

For more detailed information, see the Windows NT Server product documentation.

1.3.5 Security

The PATHWORKS Advanced Server employs a user-level security model. User-level security provides precise control over access to shared resources, including disk devices, directories, and printers, basing its control on a password assigned to each user account. PATHWORKS Advanced Server security implementation is described as follows:

• Account Privileges --- With PATHWORKS LAN Manager, privileges (Administrative or Print Operator, for example) are set individually for each user within the user's account. PATHWORKS Advanced Server privileges are set by group membership. Predefined user groups (Print Operator, for example) have associated levels of access to manage resources. The Upgrade procedure will automatically make users with PATHWORKS LAN Manager privileges members of the appropriate predefined PATHWORKS Advanced Server groups.
• Implicit Right of a User with Administrative Privilege --- With PATHWORKS LAN Manager, a user with Administrative privilege has access to all files in the system by default. With PATHWORKS Advanced Server, a user in an administrator's group does not have access to files by default. Access to files with PATHWORKS Advanced Server is based on the permissions put on the files. Users with Administrative privilege can gain access to a file by taking ownership of the file and modifying the permissions. Therefore, users with Administrative privilege may not have access to files they had with LAN Manager unless permissions are set to allow file access.
• Groups --- To simplify administration of user accounts, you can set up a group (or multiple groups) of users and assign access permissions by group. When you make a change to the permissions to access a resource for a group --- for example, change group access permissions for a shared printer --- you change the permissions for all users belonging to the group. You do not have to apply modifications to each of the group's members individually.
• Logon validation --- PATHWORKS Advanced Server uses logon security to restrict access to users with valid accounts in the domain.
• Permission Based on Root Device access control lists (ACLs) --- With PATHWORKS LAN Manager, you can grant access to objects on a device by including a security ACL on the root device directory. This access control information is used when the access set on the object and the object's parent directory did not grant or deny access to the user attempting to access the file or directory. With PATHWORKS Advanced Server, the root device's directory is not used to determine access to file or directory. Therefore, files that were once accessible by LAN Manager users may no longer be accessible by the same users with PATHWORKS Advanced Server.
• Permission Based on Object's Parent ACLs --- With PATHWORKS LAN Manager, you can put a security ACL on an object's parent directory. This security access control entry (ACE) is checked if the ACL on the object did not contain any ACEs for the user trying to access the file. With PATHWORKS Advanced Server, the object's parent directory is checked:
  • when the object does not have an access control list.
  • to ensure no explicit deny access entry is specified.
  Therefore, users may lose access to files that they had access to when running PATHWORKS LAN Manager.
• Deny-access ACEs --- Access to files with PATHWORKS Advanced Server is based on the file's security access ACL. All deny-access ACEs take precedence over grant-access ACEs in the ACL. If there is an ACE in the ACL that denies a user access, and another ACE that grants the user access, the user will be denied access to the file. A deny-access ACE does not take precedence over a grant-access ACE with PATHWORKS LAN Manager. Therefore, users may lose access to files that they had when running LAN Manager.
• Full Access and Child Delete Permission on a Directory --- With PATHWORKS LAN Manager, if a user has full access to a directory, and has no access to a file in the directory, the user cannot access the file. With PATHWORKS Advanced Server, a user with full access to the directory also is granted a new access right called Child-delete. This access right allows the user to delete any file in the directory and disregards the access setting on the file. This difference in the PATHWORKS Advanced Server security model means users may have delete access to objects that they did not have when running PATHWORKS LAN Manager.
• Change Attribute (A) and Create (C) Permission Bits --- The Change Attribute (A) permission is not supported with PATHWORKS Advanced Server security. Any change attribute operation will be successful regardless of the file or directory permissions.
  The Create (C) file permission is not supported with PATHWORKS Advanced Server. This permission is mapped to the PATHWORKS Advanced Server Write (W) permission. This mapping may allow users access to files that were not accessible in PATHWORKS LAN Manager.

For more information on PATHWORKS Advanced Server security, refer to the Advanced Server for OpenVMS Concepts and Planning Guide.

1.3.5.1 Resource Permissions

Like PATHWORKS LAN Manager permissions, the PATHWORKS Advanced Server permissions can work in concert with standard OpenVMS file system protections. In addition, PATHWORKS Advanced Server allows you to apply a virtually unlimited number of user:permission or group:permission pairs to any file, directory, or resource.

Refer to the Advanced Server for OpenVMS Concepts and Planning Guide for detailed information on permissions.

1.3.5.2 Share Security

Like Windows NT Servers, the PATHWORKS Advanced Server does not support share-level security and operates in user-level security mode only. Share passwords are not required with the PATHWORKS Advanced Server. User accounts are granted access to resources based on their user account information and group membership.

You can set individual permissions for share access, however it is much easier to administer group permissions.

The recommended steps for granting user access to PATHWORKS Advanced Server shares are:

1. Modify the share to allow group access.
2. Assign users to the appropriate group.

For more information about PATHWORKS Advanced Server security, see the Advanced Server for OpenVMS Concepts and Planning Guide.

1.4 LAN Manager Features That Are Not Supported

This section summarizes the PATHWORKS LAN Manager features that are not supported with PATHWORKS Advanced Server:

• Member and standalone server domain roles --- PATHWORKS Advanced Server does not support the following domain roles:
  • Member server
  • Standalone server
  
  A PATHWORKS Advanced Server must be either a PDC or a BDC.
• FAT volumes --- FAT volumes are not supported by the PATHWORKS Advanced Server. To continue to provide FAT volume access to clients, maintain the PATHWORKS LAN Manager server on a separate system. Files held within shares on a FAT volume must be migrated to PATHWORKS Advanced Server shares prior to upgrading to PATHWORKS Advanced Server.
• Backward compatibility --- The PATHWORKS Advanced Server software does not support Backward Compatibility mode. This mode was used to ease the migration from PATHWORKS V4.x to PATHWORKS LAN Manager. Make sure all clients making use of this connection format are upgraded.
• Net commands --- The PATHWORKS Advanced Server does not support Net commands. ADMINISTER commands replace Net commands. A Net command interpreter accepts and translates most Net commands to the equivalent ADMINISTER command.
• Remote Boot Service --- The PATHWORKS Advanced Server does not support the Remote Boot Service. If clients depend on remote booting, you must maintain the PATHWORKS LAN Manager server on a separate system. Transfer this function to another server that supports Remote Boot Service prior to the upgrade.
• Share-Level Security --- PATHWORKS Advanced Server does not support share-level security. It manages access to all resources through user-level security. Therefore, share passwords are not required under Advanced Server. User accounts are granted access to resources based on their user account information and group membership.
• LAN Manager & Creator Security Mode --- PATHWORKS Advanced Server does not support the LAN Manager & Creator security mode. The server may be configured for PATHWORKS Advanced Server only security or for PATHWORKS Advanced Server & OpenVMS security.

The PATHWORKS Advanced Server is compatible with LAN Manager client software. Although LAN Manager servers need to be upgraded to benefit from PATHWORKS Advanced Server functionality, there is no need to change the networking software on each desktop. Users can benefit immediately from the new resources offered by the PATHWORKS Advanced Server without additional training because there is no change in the way users access network resources.

PATHWORKS Advanced Server supports connections from the following types of clients:

• Windows NT
• Windows 95
• Windows for Workgroups
• PATHWORKS for DOS and Windows
• PATHWORKS for Windows 95
• PATHWORKS 32
• PATHWORKS for Windows NT

To migrate from PATHWORKS LAN Manager to PATHWORKS Advanced Server without disrupting service, install only the Upgrade utility first. You cannot continue to run the PATHWORKS LAN Manager software once the PATHWORKS Advanced Server server has been installed. Install the PATHWORKS Advanced Server server only after completing the upgrade of server information.

1.7 Server License Requirements

The PATHWORKS Advanced Server requires that clients accessing file and print services be appropriately licensed. To conform to this requirement, one of the following must be true:

• The client must have an appropriate client-based license previous to connecting to a PATHWORKS Advanced Server.
• The PATHWORKS Advanced Server must have a server-based license available to assign to an unlicensed client attempting to use services of the PATHWORKS Advanced Server.

In both cases, the license required to access PATHWORKS Advanced Server services is the PATHWORKS Client-Access license: PWLMXXXCA06.00.

Refer to Chapter 6, Completing the Migration, for a description of the procedure.

1.7.1 Options for Upgrading Client-Based Licenses

When you plan the migration from PATHWORKS LAN Manager to PATHWORKS Advanced Server, assess the environment and decide the best procedure to ensure clients who need to access the PATHWORKS Advanced Server are sufficiently licensed. Upgrade options for client-based licenses include:

• Individually configuring clients to request a PATHWORKS Advanced Server client-access license.
• Removing all PATHWORKS LAN Manager licenses and loading new PATHWORKS Advanced Server licenses.
• Configuring the PATHWORKS license server to upgrade all PATHWORKS LAN Manager licenses presented to the PATHWORKS license server to PATHWORKS Advanced Server licenses automatically.

These options are described in more detail in Configuring Clients, Removing PATHWORKS LAN Manager Licenses, and Configuring Automatic Upgrade in this guide.

1.7.2 Configuring Clients

Individually configuring specific clients to request a PATHWORKS Advanced Server license requires visiting the clients and modifying their configuration for the licenses the client requests. This procedure works best in the following situations:

• There are very few clients that will access the PATHWORKS Advanced Server.
• Migration of clients to using the PATHWORKS Advanced Server will be completed over a long period of time.

The actual procedure for configuring clients varies depending on the client networking software. Refer to the Advanced Server for OpenVMS Guide to Managing Advanced Server Licenses for more detailed instructions.

1.7.3 Removing PATHWORKS LAN Manager Licenses

You can remove the PATHWORKS LAN Manager licenses from the license server system when you load the new PATHWORKS Advanced Server license PAKs. You remove licenses using the License Management Facility (LMF). After that, clients requesting server access will receive a PATHWORKS Advanced Server license.

When you remove a license, you revoke any previously assigned licenses. Therefore, when a client requests a license assignment or verification, the client is assigned a PATHWORKS Advanced Server license.

1.7.4 Configuring Automatic Upgrade

Configuring the PATHWORKS license server to upgrade licenses will affect all clients presenting or requesting a PATHWORKS LAN Manager license. If the PATHWORKS license server is configured to upgrade licenses, a PATHWORKS Advanced Server license is granted when either of the following occurs:

• A client requests assignment of a PATHWORKS LAN Manager license.
• A client requests verification of a previously assigned PATHWORKS LAN Manager license.

The PATHWORKS license server automatically assigns the client a PATHWORKS Advanced Server license (even though the client expects assignment or verification of a PATHWORKS LAN Manager license), and returns an equivalent PATHWORKS Advanced Server license to the client, if available.