|
|
On UNIX, ClearCase relies on user and group IDs to maintain access control. For details, see Chapter 3, Understanding ClearCase Access Controls. To access UNIX VOBs and views correctly:
Each Windows user's user name and primary group name must match that user's user name and primary group name on UNIX.
NOTE: UNIX and Windows place different restrictions on the length of user and group names, as well as on the characters that are allowed in them. Be sure the user and group names you create are acceptable in both environments.
Domain User and Group Accounts describes a special domain account, called the ClearCase server process user account, that ClearCase requires on Windows. ClearCase does not require a ClearCase server process user account on UNIX (it uses the root account for this purpose), but many of the cross-platform file access strategies described in Chapter will be easier to administer and use of you create a UNIX user account that has the same name and password as the ClearCase server process user account on Windows. ClearCase processes that run on UNIX computers do not use this account in the same way that ClearCase processes that run on Windows computers do, but some ClearCase operations on Windows computers require the ClearCase server process user to be authenticated on a UNIX host.
If you create a ClearCase server process user account on UNIX, it should be a member of any group that owns a VOB or view hosted on UNIX, and its primary group should be the group you have defined as the CLEARCASE_PRIMARY_GROUP. See Setting the ClearCase Primary Group for more information about this topic.
Whenever a user on one type of a computer tries to access an object under ClearCase control on another type of computer (for example, when a user logged in to a Windows computer tries to access a VOB or view on a UNIX computer), a credentials mapping server (credmap_server) authenticates the user in the other environment. The credmap_server is started automatically by the albd_server when the first such access occurs.
NOTE: Because Windows 98 and Windows Me computers cannot be members of a domain, they must explicitly specify a credentials server running on a Windows computer that is a member of a domain and is running ClearCase. This credentials server host name is usually specified during ClearCase site preparation. It can be confirmed or overridden by the user during the client install. If a Windows 98 or Windows Me computer is not configured with the name of a valid credentials server host, most ClearCase operations will fail on that computer.
Credentials mapping will not work for any user who has a different user name in the Windows domain and the NIS passwd map, or who logs on to Windows 98 or Windows Me with a name that is not valid in the domain in which the credentials server is running. See Users and Groups for more on this topic.
Individual users can check the validity of their current user and group assignments with the credmap and creds utilities in ccase-home-dir\etc\utils. If the primary group is incorrect, follow the procedure described in Setting the ClearCase Primary Group to set the CLEARCASE_PRIMARY_GROUP environment variable.
After your Windows primary group is established, you can verify that it matches the corresponding UNIX user and group IDs with ccase-home-dir\etc\utils\credmap. The credmap utility takes one argument: a target UNIX computer that is running the VOB or view server. The following command checks the user and group IDs for user anne on Windows against their counterparts on UNIX computer saturn:
ccase-home-dir\etc\utils> credmap saturn
Identity on local Windows system:
User: anne (0x1003f2)
Primary group: user (0x1003ff)
Groups:
Administrators (0x20220)
Domain Users (0x100201)
Identity on host "saturn":
User ID: 1149 (0x47d)
Primary group ID: 20 (0x14)
Group ID list:
-2 (0xfffffffe)
In this example, if Anne is unsure whether the UNIX user ID and primary group ID values are correct (they must correspond to UNIX user anne and group user), she can use the id command on a UNIX system:
id
uid=1149(anne) gid=20(user)
As it manages VOB access, ClearCase must routinely resolve VOB group list entries on both Windows and UNIX computers. Therefore, a domain administrator must use the User Manager for Domains program to add the primary and additional group names stored with each applicable UNIX VOB to the Windows domain.
For example, the following command, run on a UNIX host, displays the group names stored with UNIX VOB /vobs/libvob2:
cleartool describe vob:/vobs/libvob2
versioned object base "/vobs/libvob2"
created 01-Feb-96.10:54:35 by vobadm.user@saturn
"runtime libraries"
VOB storage host:pathname "venus:/usr1/vobstore/libvob.vbs"
VOB storage global pathname "/net/venus/usr1/vobstore/libvob.vbs"
VOB ownership:
owner: vobadm
group: user
Additional groups:
devel
gui
If the VOB is accessible from Windows, all three groups-user, devel, and gui-must be valid Windows domain groups, and Windows users must belong to at least one of these groups.
Note the following about group and user access between Windows and UNIX:
Although you can define an unlimited number of groups on Windows, only the first 32 Windows domain-level groups for each user are considered by UNIX.
In a Windows domain, user and group names are in the same namespace. Therefore, if a VOB on UNIX uses the same name for both a user and group name, a ClearCase host running Windows has trouble accessing this VOB.
|
|
Feedback on the documentation in this site? We welcome any comments!
Copyright © 2001 by Rational Software Corporation. All rights reserved. |
