OS5 and AFPS - Passwords


Post by Bob Loesche » Mon, 02 Sep 1996 04:00:00




> How do you effectively control user passwords between their normal
> Unix login, and the AFPS server login??
> Greg...

Not to dampen your spirit of adventure, but AFPS is supposed to do
exactly what you're complaining about. AFPS is actually a "Domain
Controller" in the NT world. Thus, it requires an NT password.

Don't fret though, because SCO has created a product just for you.
It is called VisionFS. Some people think it is a "mini" version of
AFPS, but actually it is its own unique product. In short, VisionFS will
allow you to "transparently" connect to SCO Unix "shared" files.
The user still has to click a button, but all the password stuff is
set up on the Client side.

For security reasons, I don't see any product which will absolutely
allow you to use just one user name and one password for the WHOLE
network. Anyways, try VisionFS and see if that is closer to what
you want.

Da Bobguy


Post by Greg Wa » Tue, 03 Sep 1996 04:00:00


I am currently playing around with OS5 and SCO's Advanced File and
Print Server.  Quick question in regards to user passwords.

How do you effectively control user passwords between their normal
Unix login, and the AFPS server login??

When you identify yourself to AFPS you need to supply a password as
you do when you login to SCO from the login prompt.  Trying to keep
everything simple for the end-user, I have previously setup users with
identical passwords.  This is quite messy when it comes to change them
as the user doesn't really know why their password should change to 2
different areas, ie AFPS and login.

How can you map a user's password to be identical for both the AFPS and
the normal login prompt??  Under SCOAdmin when you create a user, you
can say that they are networked via the AFPS package.  I thought this
would synchronize their password between the 2 of them, Unix & AFPS.
This doesn't appear to be the case as I could not map a network drive
back to OS5 without first setting a password in AFPS for myself.

Any ideas would be greatly appreciated.
------------------------------------------------------------------------
Greg Wake                               |    Phone: +61 97 911 915
Systems Manager                 |
Geographe Replacement Parts             |      Fax: +61 97 911 916
P.O. Box 350                            |

Western Australia                       |
-----------------------------------------------------------------------


Post by Roger Bin » Thu, 05 Sep 1996 04:00:00


: > How do you effectively control user passwords between their normal
: > Unix login, and the AFPS server login??

: For security reasons, I don't see any product which will absolutely
: allow you to use just one user name and one password for the WHOLE
: network. Anyways, try VisionFS and see if that is closer to what
: you want.

Here is some technical background for folks to understand what is going
on:

The technique used to implement passwords is OWE (one way encryption).
Typically, you encrypt the password with itself as the key, and store
the results.  To verify someone's password, you just repeat the process
and compare the results.  The original password can't be recovered,
since decrypting the results requires knowing what the password was!

The bad news is that UNIX /etc/passwd (or equivalent) and Windows
Networking (ie SMB) have different encryption mechanisms.  To use the
SMB style passwords which are again encrypted on the wire, you have to have
an additional password database which is what AFPS does.  To use the
UNIX password and have the password in plaintext on the wire, you
can use VisionFS.

Unfortunately, neither solution has the best desired results, but the
SMB industry is moving forwards (there was an SMB conference last week
attended by both `factions' from SCO), which is aiming to move the
Windows networking authentication onto open standards (eg Kerberos and
GSS) so that the problem will be solved in the long term.

Additionally for AFPS, it supports Windows NT domains.  These are loosely
analogous to NIS in that a user/password database is replicated over
multiple cooperating hosts.  Needless to say, this also looks nothing
like `normal' UNIX.  This can result in the domain database being replicated
to machines where you don't have/want corresponding UNIX users, or where
you don't have the original password plaintext.  It all certainly keeps the
AFPS team in a lot of hard work, trying to make it all simple and sensible
for people buying the product :-)

I suggest you contact SCO technical support to see if either solution
could better solve your problems, or how the products could be improved
to do so.  It's always in our interests to make our products better for
our customers :-)

Roger
--

Software Engineer            | the unreasonable one persists in trying to
Client Integration Division  | adapt the world to himself. Therefore all
SCO, Vision Park, Cambridge  | progress depends on the unreasonable man - GBS
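
The two-database situation described in the post above, as an added sketch that is not part of the original thread and is not SCO's code. The two hash functions are stand-ins (assumptions) for the real UNIX and SMB algorithms, and the `Host` class and user name are hypothetical; the point is that the stores can only be kept in step at password-change time, and a replicated SMB entry cannot produce a UNIX entry.

```python
import hashlib
import hmac
import os

def unix_style(password, salt):
    # Stand-in for a salted UNIX password entry (assumption: PBKDF2, not SCO's algorithm).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def smb_style(password):
    # Stand-in for an unsalted SMB-style hash (assumption: SHA-256 over UTF-16LE).
    return hashlib.sha256(password.encode("utf-16-le")).digest()

class Host:
    def __init__(self):
        self.unix_db = {}  # user -> (salt, one-way result)
        self.smb_db = {}   # user -> one-way result

    def set_password(self, user, password):
        # The only moment the plaintext exists: write both stores together.
        salt = os.urandom(8)
        self.unix_db[user] = (salt, unix_style(password, salt))
        self.smb_db[user] = smb_style(password)

    def replicate_smb_entry(self, user, smb_hash):
        # Domain-style replication delivers only the stored result, so there
        # is nothing from which a UNIX entry could be computed.
        self.smb_db[user] = smb_hash

    def check_unix(self, user, password):
        if user not in self.unix_db:
            return False
        salt, stored = self.unix_db[user]
        return hmac.compare_digest(stored, unix_style(password, salt))

    def check_smb(self, user, password):
        stored = self.smb_db.get(user)
        return stored is not None and hmac.compare_digest(stored, smb_style(password))

def demo():
    pw = "constructed-example-pw"  # constructed sample value
    origin, replica = Host(), Host()
    origin.set_password("greg", pw)
    replica.replicate_smb_entry("greg", origin.smb_db["greg"])
    return {
        "origin_unix": origin.check_unix("greg", pw),
        "origin_smb": origin.check_smb("greg", pw),
        "replica_smb": replica.check_smb("greg", pw),
        "replica_unix": replica.check_unix("greg", pw),
    }
```
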
