Enabling QNTC file system for Network Authentication Service

 

The QNTC file system enables System i™ platform access to Common Integrated File System (CIFS) servers that support the Kerberos V5 authentication protocol.

Rather than using a LAN manager type password to authenticate with each server, a properly configured System i platform will now be able to access supported CIFS servers with a single logon transaction.

To enable the Network Authentication Service (NAS) for use with QNTC, configure these items:

• Network Authentication Service (NAS)

• Enterprise Identity Mapping (EIM)

Once the above items have been configured, you can then enable a user to use NAS with the QNTC file system. The following steps are needed to allow a user to take advantage of the QNTC NAS support.

• The user's i5/OS^® user profile must have the local password management parameter, LCLPWDMGT, set to *NO. By specifying *NO, the user will not have a password to the server and will not be able to sign on to a 5250 session. The only access to the server will be through NAS-enabled applications, such as iSeries™ Navigator or iSeries Access 5250 Display Emulator.

  If the user specifies *YES, the password will be managed by the server and the user will be authenticated without NAS.

• You must have a Kerberos ticket and an iSeries Navigator connection.

• The Kerberos ticket for the System i platform you are using must be forwardable. To make a ticket forwardable, follow these steps:

  1. Access the Active Directory Users and Computers tool on the KDC for your NAS realm.

  2. Select users.

  3. Select the name that corresponds to the service principal name.

  4. Select Properties.

  5. Select the Account tab.

  6. Select Account is trusted for delegation.

 

Parent topic:

iSeries NetClient file system (QNTC)

 

Related information

Network authentication service
Enterprise Identity Mapping (EIM)