Purpose
Changes NFS foreign identity mappings.
Syntax
For user and group related foreign identity mappings
chnfsim -a | -l | -s | -x -u | -g [ -i Identity ] [ -n name -d domain ]
For realm-to-domain mappings
chnfsim -a | -l | -x [ -r realm -d domain ]
To configure a system to use EIM
chnfsim -c -a | -l | -x [ -t type -h hostname[:port] -e EIMdomain -f EIMsuffix -b admin_DN -w admin_password -W access_password ]
To remove EIM configuration from a system
chnfsim -C
Description
The chnfsim command administers NFS foreign identity mappings using the Enterprise Identity Mapping (EIM) layer of an LDAP server. To use this command, the bos.eim.rte and ldap.client filesets must be installed. Additionally, if the machine is to be the EIM LDAP server, the ldap.server fileset must also be installed.
After changing identity mappings on the system, run the nfsrgyd -f command to flush the system's identity cache.
You must first configure a system to use EIM with the -c and the -a flags before attempting to use any other function. All mapping data are stored on and retrieved from the EIM LDAP server.
The chnfsim command is used to add, list, and remove an EIM configuration for NFS. The chnfsim command is then used to add and remove owner and owner group strings to user and group identities. It can list the identity mappings associated with a user or group, and can search for the mapping identity associated with a name and domain.
The chnfsim command is also used to add and remove Kerberos realm to NFS domain mappings, and can list the current realm to domain mappings.
Flags
| Item | Description |
| -a | Add operation. |
| -b | Specifies the LDAP administrator distinguished name. The default value is admin. |
| -c | Configure operation. |
| -C | Remove EIM configuration. |
| -d | Specify the NFS domain part of a NFS V4 owner string. |
| -e | Specify the EIM domain of the EIM LDAP server used for NFS mapping. |
| -f | Specify the EIM directory suffix of the EIM LDAP server used for NFS mapping. |
| -g | Specify a group-based operation. |
| -h | Specify the hostname and port of the EIM LDAP server used for NFS mapping. |
| -i | Specify the mapping identity. This is a unique string that describes a particular owner or owner group. |
| -l | List operation. |
| -n | Specify the owner or owner group name of a NFS V4 owner string. |
| -r | Specify the Kerberos realm. |
| -s | Search operation. |
| -t | Specify the type of EIM LDAP server. p or P: Primary LDAP server. s or S: Secondary (default) LDAP server. |
| -u | Specify a user-based operation. |
| -w | Specify the EIM administrator password. |
| -W | Specify the EIM access-only user password. |
| -x | Remove operation. |
Action Matrix
| Operation | Flags (optional flags in parentheses) | Description |
| -c | (none) | Displays current EIM configuration of the system. |
| -c | -a -t -h -e -f -w (-b -W) | Configures the system for EIM use. The -w flag is required if the specified hostname is the local system. If the hostname is not the local system, at least one of the -w or the -W flag must be specified. The NFS client or server can be configured for more than one EIM LDAP replica server. |
| -c | -l -h | Lists the configuration details of the server hostname[:port] from the configuration file. |
| -c | -x -h | Deletes the configuration details of the server hostname[:port] from the configuration file. |
| -a | -u -i (-n -d) | Adds the user mapping identity. If the -n and -d flags are specified, that identity mapping is associated with the user mapping identity. |
| -a | -g -i (-n -d) | Adds the group mapping identity. If the -n and -d flags are specified, that identity mapping is associated with the group mapping identity. |
| -a | -r -d | Adds a realm-to-domain mapping. |
| -x | -u -i (-n -d) | Removes the user mapping identity. If the -n and -d flags are specified, only that identity mapping is removed from the user mapping identity. |
| -x | -g -i (-n -d) | Removes the group mapping identity. If the -n and -d flags are specified, only that identity mapping is removed from the group mapping identity. |
| -x | -r -d | Removes a realm-to-domain mapping. |
| -l | (none) | Lists all realm-to-domain mappings. |
| -l | -u -i | Lists all identity mappings associated with the specified user mapping identity. |
| -l | -g -i | Lists all identity mappings associated with the specified group mapping identity. |
| -s | -u -n -d | Searches for user mapping identities associated with the specified identity mapping. |
| -s | -g -n -d | Searches for group mapping identities associated with the specified identity mapping. |
| -C | (none) | Removes all of the EIM LDAP server entries from the configuration file. |
Exit Status
- 0: Request was successful.
- EACCES: Not enough permissions to access data.
- ENOENT: The mapping identity, name, domain, or realm was not found in the database; or the configuration file was not found.
- EBUSY: EIM server is unable to allocate internal objects.
- ECONVERT: Data conversion error.
- EINVAL: Input parameter was not valid.
- ENOMEM: Unable to allocate memory.
- ENOTCONN: LDAP connection has not been made.
- EUNKNOWN: Unknown exception occurred.
Examples
- To display the current EIM configuration for NFS, use the following command:
    chnfsim -c
- To configure a system to use EIM for NFS foreign identity mapping, use the following command:
    chnfsim -c -a -t P -h foos.com -e nfs -f nfseim -w mypasswd -W access_passwd
    Note: If the hostname specified is the local system, the chnfsim command also sets up an LDAP server to run EIM.
- To configure a client system to use EIM for NFS foreign identity mapping, use the following command:
    chnfsim -c -a -t P -h foos.com -e nfs -f nfseim -W access_passwd
    Note: This configures the client with the primary LDAP server (for read-only access). Here, the specified host name is not the local system.
- To list the configuration details of a server from the configuration file, use the following command:
    chnfsim -c -l -h foos.com:1080
- To delete the configuration details of a server from the configuration file, use the following command:
    chnfsim -c -x -h foos.com:1080
- To add a user identity mapping that specifies "John Doe" to "jdoe@com.com", use the following command:
    chnfsim -a -u -i "John Doe" -n jdoe -d com.com
    Note: This command will create an EIM identity for "John Doe" if one does not already exist.
- To remove the user identity mapping that specifies "John Doe" to "jdoe@com.com", use the following command:
    chnfsim -x -u -i "John Doe" -n jdoe -d com.com
- To remove all identity mappings for the user "John Doe", use the following command:
    chnfsim -x -u -i "John Doe"
- To list all identity mappings for the user "John Doe", use the following command:
    chnfsim -l -u -i "John Doe"
- To add a realm-to-domain mapping that specifies "realm1" maps to "domain1", use the following command:
    chnfsim -a -r realm1 -d domain1
- To remove the realm-to-domain mapping that specifies "realm1" maps to "domain1", use the following command:
    chnfsim -x -r realm1 -d domain1
- To list all realm-to-domain mappings, use the following command:
    chnfsim -l
- To search for the user mapping identity associated with "jdoe@com.com", use the following command:
    chnfsim -s -u -n jdoe -d com.com
- To remove all EIM configuration from a system, use the following command:
    chnfsim -C
    Note: This does not remove the underlying LDAP database or entries.
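
The Description requires an nfsrgyd -f flush after identity mappings change. The following added shell example (not part of the AIX documentation) applies a list of user mappings with the chnfsim -a -u form shown above and flushes the cache once at the end. The identity|name|domain input format and the function and variable names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the AIX documentation.
# Input format (constructed for this example): identity|name|domain, one per line.
# Usage: apply_user_mappings < mappings.txt

# Apply user mappings read from stdin, then flush the identity cache once.
# Sets MAP_ADDED and MAP_FAILED; returns 0 only if every record was applied.
apply_user_mappings() {
    MAP_ADDED=0
    MAP_FAILED=0
    # The "|| [ -n ... ]" clause keeps a final line that lacks a newline.
    while IFS='|' read -r identity name domain || [ -n "$identity" ]; do
        case $identity in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        # Never call chnfsim with an empty -n or -d argument.
        if [ -z "$name" ] || [ -z "$domain" ]; then
            echo "incomplete record for '$identity', skipped" >&2
            MAP_FAILED=$((MAP_FAILED + 1))
            continue
        fi
        # </dev/null keeps chnfsim from consuming the rest of the input list.
        if chnfsim -a -u -i "$identity" -n "$name" -d "$domain" </dev/null; then
            MAP_ADDED=$((MAP_ADDED + 1))
        else
            echo "chnfsim failed (status $?) for '$identity' -> $name@$domain" >&2
            MAP_FAILED=$((MAP_FAILED + 1))
        fi
    done
    # The Description calls for a cache flush after mappings change.
    if [ "$MAP_ADDED" -gt 0 ]; then
        nfsrgyd -f || { echo "nfsrgyd -f failed; cache not flushed" >&2; return 1; }
    fi
    [ "$MAP_FAILED" -eq 0 ]
}
```

A non-zero return means at least one record was skipped or rejected; the messages on standard error identify which ones.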
Files
| Item | Description |
| /usr/sbin/chnfsim | Location of the chnfsim command. |
Security
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.