HP 9000 Networking: Advanced Server/9000 Concepts and Planning Guide > Chapter 5 Managing Shared Resources and Resource Security

Sharing Network Resources


Advanced Server enables you to designate the resources that you want to share with others. For example, when a directory is shared, authorized users can make connections to the directory and access its files from their workstations. And when a printer is shared, many users can print from it over the network.

After a resource is shared, you can restrict its availability over the network to certain users. These restrictions, called share permissions, can vary from user to user. With Advanced Server, you create the appropriate level of network resource security using a combination of resource sharing and resource permissions.

File and Directory Permissions

Advanced Server provides superior performance, reliability, and security for file sharing. You can set file permissions and directory permissions that specify which groups and users have access and at which level that access is permitted. Share permissions work in combination with file and directory permissions. When a directory is shared, permissions set through the shared directory allow users to connect to the share. Using default permissions (Full Control) for shared directories, you can manage the security of files using directory and file permissions.

Advanced Server/9000 allows you to share any type of HP-UX file system — such as hfs, jfs, and nfs — with your LAN clients. Specific mapping characteristics are set in the fsmap parameter in the lanman.ini file. For information about HP-UX file systems and the lanman.ini file, see Advanced Server Administration.

NOTE: Using Full Control permission for Everyone for all shared directories is the easiest way to manage file security. You can apply directory and file permissions and allow share access to Everyone through share permissions.

For information about setting share permissions, see "Setting Permissions on Shared Directories" later in this chapter.

Sharing Resources With Network Users

The only way to make a file accessible over the network is to share one of its parent directories.

When you share a directory on the server, users theoretically can gain access to that directory, the files in it, all of the subdirectories in that directory and their contents, and all of the subdirectories in those subdirectories and their contents. Every point on the directory tree below the shared directory is available to network users.

You can use directory permissions to block access to some directories in a shared directory tree and allow access to others by setting permissions on them. A shared directory often is referred to simply as a share.

When you share a directory, you give it a share name by which network users refer to it. (A share name can be the same as the actual directory name but it does not have to be.)

NOTE: Windows NT Server, Windows NT Workstation, and Windows 95 users can see share names by double-clicking on the names of computers in the network in Network Neighborhood. MS-DOS users can use the net view command to see share names. Windows for Workgroups users see share names in File Manager when they connect to a network drive.

You can share multiple directories on a directory tree. This makes them accessible to users in two ways: as a directory that actually is shared and as a subdirectory of another shared directory.

Connecting to Shared Directories

There are several ways to connect to shared directories. In Windows NT Server and Windows NT Workstation, Version 4.0, and Windows 95, you can use the Find command on the Start menu to connect to any computer or shared directory on the network, or double-click on a computer in Network Neighborhood.

To assign a drive letter in My Computer for a particular share, use the Map Network Drive command on the Tools menu in the Explorer. Type the server name and share name into the Path box using the form \\servername\sharename. For Drive you can use the next available letter or select a letter from the drop-down list.

For example, to connect to the shared directory Applications on the server named Dept35, type the location in the Path box as shown below:

\\Dept35\Applications

In the Explorer and My Computer, the mapped drive appears in the window as

Applications on `Dept35' (F:)

The share appears as a drive on your computer and the content of the shared directory can be viewed as if it was on your computer. You can have the connection re-established every time you log on or clear the Reconnect at Logon check box to disconnect automatically when you log off.

If you want to connect to a shared directory using a different user account, use the Connect As box to type the user name for that account. If the account is in a different domain, type the domain name followed by a backslash and then the user name; for example, projects\patc.

Users of Windows NT, Version 3.5x, Windows, and Windows for Workgroups can use File Manager to make network connections.

After a Windows user makes a connection to a directory, the drive letter assigned to that directory and an icon appear in the drive bar of File Manager.

For client computers running MS-DOS with LAN Manager client software (but without Windows), use the net use command to make network connections as follows:

net use f: \\dept35\applications

Considerations for MS-DOS Users

The following naming conventions apply to client computers running MS-DOS:

  • If a share will be accessed by users of MS-DOS (including users of Windows for Workgroups), follow the MS-DOS 8.3 naming convention for the share name. (The name can have up to eight characters, optionally followed by a period and up to three more characters.) MS-DOS computer users will be unable to access shares with share names that do not follow this convention.

  • HP-UX system files and directories can have names of up to 255 characters. To ensure access by MS-DOS users, Advanced Server provides name mapping: each file or directory with a name that does not conform to the MS-DOS 8.3 standard automatically is given a second name that does conform.

    MS-DOS users connecting to the file or directory over the network see the name in the 8.3 format; Windows NT Workstation and Windows NT Server users see the long name. However, Advanced Server does not generate short names for share names that do not conform to MS-DOS naming standards, only for files and directories with long names. When naming a share, use the 8.3 standard.

  • Advanced Server name mapping also allows applications that do not support long file names to access files with such names. These applications refer to files that have long names by their shorter names.

For more information about Advanced Server file name space mapping, see the next section.

NOTE: If an application that does not support long file names opens a file with a long name and then saves the file, the long name is lost and only the short name remains.

Advanced Server Name Space Mapping

Advanced Server file name space mapping lets client computers running MS-DOS or Windows for Workgroups access files with long file names created by Windows 95 and Windows NT clients.

File name space mapping allows different types of clients to access files residing in an HP-UX file system managed by Advanced Server/9000.

The file name space mapping feature is composed of the following three elements:

  • Mixed-case support

  • Mapping HP-UX system file names to the 8.3 convention

  • Mapping HP-UX system file names containing characters that are unacceptable in Windows NT to names that are acceptable to Windows NT.

The challenge of mapping between name spaces is resolved on HP-UX systems by concatenating a truncated file name with a pseudo-unique suffix, which is generated dynamically from the i-node number of the HP-UX system file. With file name mapping turned on, if a file is copied from one share to another, the client will dictate the file name under HP-UX. Windows NT clients will create long, mixed-case names in the destination share. DOS clients will create shortened, mapped names in the destination share.

The following table lists the client computer software that uses only the 8.3 file naming convention:

8.3 File Naming Convention Client Computers

MS-DOS

Windows 3.1 (without "longfilenames=1" in WINFILE.INI)

Windows for Workgroups

The following table lists the client computer software that uses the Windows NT-style naming convention:

Windows NT-Style File Naming Client Computers

Windows NT

Windows 3.1 (with "longfilenames=1" in WINFILE.INI)

Windows 95

The following table lists the configuration keys that are used for file name space mapping in the Advanced Server Registry:

Key                  Possible Values                      Default Value
MixedCaseSupport     0 (disabled), 1                      0
NameSpaceMapping     0 (none), 1 (DOS), 2 (NT), 3 (all)   0
UniqueSuffixLength   0 - 7                                3
TruncatedExtensions  0 (disabled), 1                      1
MappingSeparator     Any string value less than 12 characters that uses valid Windows NT characters.   ~

The registry path for these settings is as follows:

\SYSTEM\CurrentControlSet\Services\AdvancedServer\FileServiceParameters 

The MixedCaseSupport key specifies whether mixed-case support is enabled on the server. Mixed-case support allows clients to access file names on the HP-UX system that contain uppercase characters. Enabling mixed-case file names may affect the server's performance negatively. Mixed-case support is disabled by default.

Windows NT preserves the case of the file names but is not case-sensitive (does not distinguish file names by their case). In Windows NT, you cannot have two files with the same name but different case in the name. HP-UX preserves the case of the file names. In HP-UX you can have two files with the same name but different case in the name.

AS/U allows file names to be stored in their native case but treats them case-insensitively otherwise. With mixed-case support activated, the server may experience some performance degradation due to additional processing overhead.

With MixedCaseSupport turned on, file names will be reported to clients as is, without checking for uniqueness. If case-insensitively similar file names exist, only one of the files will be available to the client. Therefore, an NT-style client may see a directory containing file names differing only in case, and an 8.3-style client may see multiple files with the same name. Note that AS/U will not allow creation of files with case-insensitively similar file names. Case-insensitively similar file names will only occur if they were created via HP-UX.

The NameSpaceMapping key specifies the type of the mapping enabled on the server, as follows:

Value  Description
0      No name space mapping is enabled.
1      Only HP-UX system type name-to-8.3 type name mapping is enabled. This allows 8.3 file naming clients to access files with long file names and file names containing characters that are invalid in MS-DOS, such as ( ) + , ; = [ ] ? " \ < > * | : . [space]
2      Only HP-UX system file name-to-Windows NT style file name mapping is enabled. This allows Windows NT-style naming clients (Windows 95, Windows NT) to access files with file names containing characters that are unacceptable on Windows NT (such as ? " \ < > * | :).
3      Both HP-UX system file name-to-8.3 file type name mapping and HP-UX system file name-to-Windows NT style file name mapping are enabled.

For HP-UX system file name-to-8.3 type name mapping, the following rules apply:

  • Spaces are removed from the name.

  • Periods are removed, except for the last one followed by at least one character.

  • Invalid characters are replaced by underscores (_)

  • The name, not including extension, is truncated; a tilde (~) and a combination of numbers (0 - 9) and letters (A - Z) is appended.

  • The extension is truncated to 3 characters.

For example, the file name longfilename.txt with an i-node number of 11455 would have a mapped name of long~8u7.txt.

For HP-UX system file name-to-Windows NT-style file name mapping, the following rules apply:

  • Invalid characters are replaced by underscores (_).

  • A mapping separator (a tilde by default) and a combination of numbers (0 - 9) and letters (A - Z) are appended to the name, not including the extension.

  • The extension is preserved.

For example, the file name k<l<m.expression with an i-node number of 8461 would have a mapped name of k_l_m~6j1.expression.

A file name which exceeds the 8.3 format will be truncated then concatenated with a pseudo-unique suffix. The suffix is dynamically generated from the i-node number of the HP-UX file.

Since the 8.3 name is dynamically generated based on the HP-UX i-node number of the file, the following operations on the file can change the i-node number and therefore change the mapped file name:

  • Copying or moving the file.

  • Replicating.

  • Backing up and restoring the file.
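
The two rule sets above can be exercised directly. The following Python sketch is an added example, not code from Advanced Server/9000 or from this guide; the base-36 rendering of the i-node number is inferred from the two worked examples (11455 gives 8u7, 8461 gives 6j1), and its zero padding and its handling of larger i-node numbers are assumptions.

```python
DOS_INVALID = set('()+,;=[]?"\\<>*|:')  # invalid in MS-DOS (NameSpaceMapping 1)
NT_INVALID = set('?"\\<>*|:')           # unacceptable on Windows NT (NameSpaceMapping 2)
BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def inode_suffix(inode, length=3):
    """Render the i-node number as `length` base-36 digits.

    Assumption: base 36, zero-padded, low-order digits kept. This matches both
    worked examples on the page; the page does not spell out the encoding.
    """
    digits = ""
    for _ in range(length):
        inode, d = divmod(inode, 36)
        digits = BASE36[d] + digits
    return digits


def split_ext(name):
    """Split at the last period that is followed by at least one character."""
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot and ext else (name, "")


def conforms_83(name):
    """True if the name already fits 8.3 and needs no mapped second name."""
    stem, ext = split_ext(name)
    bad = DOS_INVALID | {" ", "."}
    return (1 <= len(stem) <= 8 and len(ext) <= 3
            and not any(c in bad for c in stem + ext))


def _scrub(text, invalid):
    """Replace every invalid character with an underscore."""
    return "".join("_" if c in invalid else c for c in text)


def to_83(name, inode, suffix_len=3):
    """HP-UX name -> 8.3 name, following the five rules listed above."""
    if conforms_83(name):
        return name
    stem, ext = split_ext(name)
    # Spaces and surplus periods are removed, then invalid characters replaced.
    stem = _scrub(stem.replace(" ", "").replace(".", ""), DOS_INVALID)
    ext = _scrub(ext.replace(" ", ""), DOS_INVALID)
    keep = max(0, 8 - 1 - suffix_len)  # room left for the stem before "~" + suffix
    mapped = stem[:keep] + "~" + inode_suffix(inode, suffix_len)
    return mapped + ("." + ext[:3] if ext else "")


def to_nt(name, inode, suffix_len=3, sep="~"):
    """HP-UX name -> Windows NT-style name; valid names pass through unchanged."""
    if not any(c in NT_INVALID for c in name):
        return name
    stem, ext = split_ext(name)
    mapped = _scrub(stem, NT_INVALID) + sep + inode_suffix(inode, suffix_len)
    # The extension keeps its full length; scrubbing it as well is an assumption.
    return mapped + ("." + _scrub(ext, NT_INVALID) if ext else "")


if __name__ == "__main__":
    # Constructed listing of (HP-UX name, i-node); rows 1 and 2 are the page's examples,
    # row 3 is the same file after an operation that gave it a new i-node number.
    for name, ino in [("longfilename.txt", 11455), ("k<l<m.expression", 8461),
                      ("longfilename.txt", 11456), ("readme.txt", 42)]:
        print(f"{ino:>6}  {name:<18} 8.3: {to_83(name, ino):<13} NT: {to_nt(name, ino)}")
```

The third row shows the same file receiving a different 8.3 name once its i-node number changes, so anything that stores a mapped short name should be rechecked after a copy, replication or restore.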

The following keys in the File Service Parameters section of the registry can be used to customize mapping behavior:

  • UniqueSuffixLength.

  • TruncatedExtensions.

  • MappingSeparator.

For more information about the Advanced Server registry, see the Advanced Server/9000 Administrator's Guide.

Considerations for Using File Name Space Mapping

A decision on whether your server should support mixed-case file names should be considered carefully. Mixed-case support allows clients to have access to file names on HP-UX systems that contain uppercase characters but this feature has a negative impact on server performance.

It is inadvisable to switch frequently between mixed-case support on the same server. While mixed-case support is enabled, clients can create files with mixed-case names. These files will become unavailable to them as soon as mixed-case support is disabled. If mixed-case support is changed from "on" to "off," every existing file name should be made lowercase.

Do not create file names that are case-insensitively identical in the same directory. Although the HP-UX system is case-sensitive, mixed-case support on Advanced Server/9000 causes the server to preserve case but behave in a case-insensitive way, just like Windows NT. Microsoft product users are not aware of the possibility of having case-insensitive similar file names in a directory because Windows NT does not allow such files. As a result, users may become confused if they access incorrect files or are denied access to files they need.

Do not use characters that are invalid in MS-DOS in the names of batch files or DOS executables. If one of those files is executed from a Windows NT or Windows 95 client, Command Shell will be invoked and it will interpret those file names incorrectly. This may result in actual file names not being found.

Setting "longfilenames=1" in WINFILE.INI on Windows 3.1 client computers should be done with great caution. Clients with this setting enabled are not able to view files on Windows NT (Versions 3.51 and 4.0) computers. Although these clients can access Advanced Server/9000 files, support for this feature on the client side is unreliable.
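
The mixed-case cautions in this section can be checked on the HP-UX side before a directory is shared or before MixedCaseSupport is changed. The following Python sketch is an added example, not part of the original guide or of Advanced Server/9000; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict


def case_clashes(names):
    """Group names that are identical once case is ignored.

    Returns a sorted list of groups; each group holds two or more names that
    differ only in case, which the server would treat as the same name.
    """
    groups = defaultdict(list)
    for name in names:
        groups[name.lower()].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit_tree(root):
    """Walk a directory tree that backs a share.

    Returns (clashes, uppercase):
      clashes   - {directory: groups from case_clashes()} for affected directories
      uppercase - paths whose last component contains an uppercase character,
                  the names to make lowercase before mixed-case support
                  is switched from on to off
    """
    clashes, uppercase = {}, []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = dirnames + filenames
        found = case_clashes(entries)
        if found:
            clashes[dirpath] = found
        uppercase += [os.path.join(dirpath, n) for n in entries if n != n.lower()]
    return clashes, sorted(uppercase)


def build_sample_tree():
    """Constructed sample tree (not from the page) for a quick offline run."""
    root = tempfile.mkdtemp(prefix="share-audit-")
    os.makedirs(os.path.join(root, "reports"))
    for rel in ("reports/budget.xls", "reports/Budget.xls",
                "reports/notes.txt", "README"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    found_clashes, found_upper = audit_tree(sample_root)
    for directory, groups in found_clashes.items():
        for group in groups:
            print(f"CLASH  {directory}: {', '.join(group)}")
    for path in found_upper:
        print(f"UPPER  {path}")
```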

Using Replication with File Name Mapping

Long file names will be correctly replicated between Windows NT servers and AS/U version B.*.* servers or among AS/U version B.*.* servers. Mixed case file names will also be replicated correctly between Windows NT and AS/U version B.*.* servers or among AS/U version B.*.* servers when the MixedCaseSupport option is enabled on the AS/U servers.

Versions of AS/U prior to AS/U version B.*.* will correctly replicate long and mixed case file names to Windows NT servers. Long file names will be replicated from Windows NT to AS/U or from AS/U to AS/U using their 8.3 file names. The contents of the replicated files are correct, but the file name is converted. It is recommended that you limit replication to files with 8.3 names if the AS/U import server is prior to version B.*.*.

If NameSpaceMapping is not enabled, long file names will be ignored during replication. If MixedCaseSupport is not enabled, files with upper case characters in their names will be ignored during replication. If file names are converted during replication, the file name is converted on the export server according to the conversion algorithm. The file is then replicated using the converted name. The converted name on the import server is the file's actual name (both from HP-UX and as seen by the client) and is not dynamically created.

Sharing Directories

Sharing a directory makes the directory and the files located in it available to other network users. Advanced Server integrates two levels of permissions for shared files and directories: share permissions and directory access permissions.

Share permissions specify the maximum access possible for a user or group on all files and directories residing on that share. For example, setting share permissions to Read for Everyone would prevent any user from altering the contents. Share permissions are set using Server Manager.

Directory access permissions specify the access that a group or user is granted to a particular directory or file. Directory access permissions are set through the Security menu of the File Manager or the Properties menu of the Explorer. Generally it is more useful to control access by setting permissions on files and directories rather than on shares because this method provides more flexibility.

In addition to the two levels of permissions supported by Advanced Server/9000, the HP-UX file system imposes a set of permissions that must be considered when managing shared directories. Shared directories must have the appropriate HP-UX system permissions applied to them in order to grant access to Advanced Server/9000 users.

Advanced Server/9000 automatically creates special shares for administrative and system use. (The shared directory created for the root system is called C$.) Only members of the Administrators group can change properties for them. Removing these shares is inadvisable.

Sharing a Directory in Advanced Server

To share a directory in Advanced Server, you must be logged on as a member of the Administrators or Server Operators group.

If the directory to be shared does not exist, it will be created automatically when you attempt to share it, if you have Advanced Server permissions. If you do not have permissions to create this directory, you must follow the procedure in the next section, "Sharing a Directory in the HP-UX System."

Sharing a Directory in the HP-UX System

If a directory to be shared does not exist and is not created automatically when you attempt to share it, you must create it in the HP-UX system as root and set appropriate HP-UX system ownership and permissions before it can be shared in Advanced Server.

For directories that will be owned by an Advanced Server user who has been mapped explicitly to an HP-UX system account, the following procedure is recommended. The example shares the home directory of an Advanced Server user (JohnPublic) who is mapped to an HP-UX system account (jqp) and is a member of the HP-UX system group sales.

To create a directory in the HP-UX system, use the mkdir command. Then use the chown, chgrp, and chmod commands to set the ownership and permissions, as described in the following procedure and example.

  1. Map the Advanced Server user to that user's HP-UX system account name with the mapuname command. At the Advanced Server command prompt, type

    mapuname -a domainname:JohnPublic jqp
  2. Create the HP-UX system directory to be shared.

    mkdir /home/jqp
  3. Set the owner of the directory to be the user's HP-UX system ID using the chown command.

    chown jqp /home/jqp
  4. Set the HP-UX system group of the directory to be the HP-UX system group ID of the user's HP-UX system account using the chgrp command.

    chgrp sales /home/jqp

    Group DOS---- can be used if all Advanced Server/9000 users should have access to the directory. You may want to restrict this to the user's HP-UX system group in order to restrict access to only members of that group.

  5. Set the HP-UX system permissions of the directory to 750 (rwx for owner, r-x for group, no access for others) using the chmod command.

    chmod 750 /home/jqp

The results of sharing the home directory of an Advanced Server/9000 user who is mapped to an HP-UX system account are as follows:

  • The user is the owner of the directory and has full access to the directory.

  • Members of the user's HP-UX system group have read and execute access to the directory.

  • All other HP-UX system users, including Advanced Server users who are not in the designated HP-UX system group, have no access to the directory.

Different HP-UX system permissions can be set as appropriate. Access through Advanced Server can be restricted further by setting Advanced Server permissions using File Manager or Explorer.

To share directories not owned by a single Advanced Server/9000 user or if an Advanced Server/9000 user is not mapped explicitly to an HP-UX system user account, use the following procedure:

(The example prepares the /var/opt/asu/lanman/shares/sales HP-UX system directory to be shared with Advanced Server/9000 users.)

  1. Create the HP-UX system directory to be shared if it does not already exist.

  2. Set the owner of the directory to lmworld using the chown command.

    chown lmworld /var/opt/asu/lanman/shares/sales

    lmworld is an HP-UX system user account created by the Advanced Server/9000 for files and directories owned by Advanced Server/9000 users who have not been mapped explicitly to another HP-UX system account.

  3. Set the group of the directory to be DOS---- using the chgrp command.

    chgrp DOS---- /var/opt/asu/lanman/shares/sales

    DOS---- is an HP-UX system group created by Advanced Server/9000 for file and directory sharing. All Advanced Server/9000 users automatically are made members of this group.

  4. Set the permissions of the directory to be 770 using the chmod command.

    chmod 770 /var/opt/asu/lanman/shares/sales

The results of preparing an HP-UX system directory to be shared by Advanced Server/9000 are as follows:

  • Full Control is granted to the special group Everyone; all Advanced Server/9000 users are members of the special group Everyone.

  • HP-UX system users who are not members of the DOS---- group will have no access to the directory.

  • Different HP-UX system permissions can be set as appropriate. Access through Advanced Server/9000 can be restricted further by setting Advanced Server/9000 permissions through Server Manager, File Manager, or Explorer.
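
Both procedures above end in a known owner, group and mode, so the result can be verified before the directory is shared. The following Python sketch is an added example, not part of the original guide or of Advanced Server/9000; the function names are hypothetical, and the expected values in PROFILES are the ones used in the two procedures (jqp/sales/750 and lmworld/DOS----/770).

```python
import grp
import os
import pwd
import stat
import tempfile

# Ownership and mode that the two procedures on this page end with.
PROFILES = {
    "home of a mapped user": ("jqp", "sales", 0o750),
    "directory for unmapped users": ("lmworld", "DOS----", 0o770),
}


def describe(path):
    """Return (owner name, group name, permission bits) for `path`."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:            # uid without a passwd entry
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:            # gid without a group entry
        group = str(st.st_gid)
    return owner, group, stat.S_IMODE(st.st_mode)


def audit_share_dir(path, owner, group, mode):
    """Compare a directory with the expected owner, group and mode.

    Returns a list of findings; an empty list means the directory matches.
    """
    if not os.path.isdir(path):
        return [f"{path}: not a directory"]
    actual_owner, actual_group, actual_mode = describe(path)
    findings = []
    if actual_owner != owner:
        findings.append(f"owner is {actual_owner}, expected {owner}")
    if actual_group != group:
        findings.append(f"group is {actual_group}, expected {group}")
    extra = actual_mode & ~mode      # bits set on disk but not in the expected mode
    if extra:
        findings.append(f"mode {actual_mode:04o} grants more than {mode:04o} "
                        f"(extra bits {extra:04o})")
    missing = mode & ~actual_mode    # expected bits that are absent on disk
    if missing:
        findings.append(f"mode {actual_mode:04o} lacks bits {missing:04o} "
                        f"of {mode:04o}")
    if actual_mode & stat.S_IWOTH:
        findings.append("directory is world-writable")
    return findings


if __name__ == "__main__":
    # Constructed demo: a scratch directory stands in for /home/jqp.
    demo = tempfile.mkdtemp(prefix="share-perm-")
    os.chmod(demo, 0o777)
    exp_owner, exp_group, exp_mode = PROFILES["home of a mapped user"]
    for finding in audit_share_dir(demo, exp_owner, exp_group, exp_mode):
        print(finding)
```

An empty result only confirms the HP-UX layer; share permissions and Advanced Server directory permissions still apply on top of it.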

The directory now is ready to be shared as an Advanced Server directory using Server Manager or the net share command. You can use Server Manager to view a computer's shares, add new shares, and stop sharing directories. Server Manager also allows you to monitor and control the use of shared files.

For information about sharing directories using Server Manager, see "Sharing a Directory," "Viewing Shared Resources," and "Stopping Directory Sharing" in Server Manager Help.

For information about sharing directories using the net share command, type net help share at the Advanced Server command prompt.

Advanced Server automatically creates special shares for administrative and system use. Depending on the configuration of the computer being administered, some or all of the following special shares may appear in this list. You should not remove or modify these special shares.

Share name  Represents
ADMIN$      A special administrative resource for remote administration. All share names that end in a dollar sign ($) are hidden; they do not appear when a user uses the net view command, File Manager, or Explorer to examine server resources.
ASTOOLS     Contains installable version of Windows NT Server Tools and Windows NT Administrative Tools program groups.
C$          A connection to the root of the file system. (On Advanced Server for HP-UX Systems, C$ is equivalent to root ( / ).)
D$          Contains files and libraries required by MS-DOS and Windows NT computers.
DOSUTIL     Contains MS-DOS programs and utilities for using and administering the LAN.
IPC$        Supports interprocess communication.
LIB         Contains header files and link-time libraries needed to create Advanced Server applications.
NETLOGON    Advanced Server shares the directory specified by scripts with the share name NETLOGON.
PRINT$      Share for operation of printers.
PRINTLOG    Accumulates printer fault or error messages generated by the HP-UX system.
REPL$       Directory associated with the Directory Replicator service.
USERS       Contains user home directories.

For information about viewing shared resources, see "Viewing Shared Resources" in Server Manager Help.

Changing Share Properties

To change properties on a share, you must be logged on as a member of the Administrators or Server Operators group. Members of the Administrators group can change share properties on administrative shares as well (for example, C$).

In Server Manager you can select a shared directory and make changes to its properties. Use the Share Properties dialog box to change the directory path, add a comment, or change the number of users allowed to connect to the share at one time. Click on Permissions to see the users and groups who have permission to use the share and to change permissions.

NOTE: Use directory and file permissions to control security over the network and to allow Full Control access to Everyone on the share.

For information about how to manage share permissions, see "To set, view, change, or remove permissions through a shared directory" in Windows NT Help.

Stopping Directory Sharing

When you stop sharing a directory, it no longer is available over the network. To stop sharing a directory, you must be logged on as a member of the Administrators or Server Operators group.

The Shared Directory dialog box displays shared directories you created, as well as shared directories created by the system. Generally, you should not stop sharing directories created by the system. Use Server Manager to stop sharing a directory.

CAUTION: If you stop sharing a directory while users are connected, users may lose data.

Sharing Printers

Advanced Server printers can be shared by users who are:

  • Logged on to a domain controller as members of the Administrators, Server Operators, or Print Operators local groups.

  • Logged on to a domain account as members of the domain Administrators local group.

After a printer has been added, it can be shared using the Sharing tab in the Printer Properties dialog box. Click on Printers in the Settings group on the Start menu to add printers, share printers, install printer drivers, configure printer ports, set printer properties, and set permissions.

For information about setting up and sharing printers, and about printer permissions, see Chapter 6, "Setting Up Print Servers."

For information about managing printer sharing, see "To set up a new printer," "To share your printer with other people," "To use a shared network printer," and "To stop sharing your printer" in Windows NT Help.

Sharing Advanced Server Resources With Other Network Computers

Computers running different operating systems that interact with other networks or with workgroups can share files and printers with Advanced Server network computers.

  • Domain computers running Windows for Workgroups can use and share directories and printers on an Advanced Server network.

  • LAN Manager, Version 2.2 clients can use and share directories and printers on an Advanced Server network. However, the LAN Manager 2.2 server cannot reside in the same domain as the Advanced Server/9000.

  • Windows 95 computers running Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks can use and share directories and printers on an Advanced Server network.

For information about integrating other computers with Advanced Server, see Chapter 2, "Managing Advanced Server Domains."

© 1997 Hewlett-Packard Development Company, L.P.