chnfsim Command

Purpose

Changes NFS foreign identity mappings.

Syntax

For user and group related foreign identity mappings

chnfsim -a | -l | -s | -x -u | -g [ -i Identity ] [ -n name -d domain ]

For realm-to-domain mappings

chnfsim -a | -l | -x [ -r realm -d domain ]

To configure a system to use EIM

chnfsim -c -a | -l | -x [ -t type -h hostname[:port] -e EIMdomain -f EIMsuffix -b admin_DN -w admin_password -W access_password ]

To remove EIM configuration from a system

chnfsim -C

Description

The chnfsim command administers NFS foreign identity mappings using the Enterprise Identity Mapping (EIM) layer of an LDAP server. To use this command, the bos.eim.rte and ldap.client filesets must be installed. Additionally, if the machine is to be the EIM LDAP server, the ldap.server fileset must also be installed.

After changing identity mappings on the system, run the nfsrgyd -f command to flush the systems' identity cache.

You must first configure a system to use EIM with the -c and the -a flags before attempting to use any other function. All mapping data are stored and retrieved from the EIM LDAP server.

The chnfsim command is used to add, list, and remove an EIM configuration for NFS. The chnfsim command is then used to add and remove owner and owner group strings to user and group identities. It can list the identity mappings associated with a user or group, and can search for the mapping identity associated with a name and domain.

The chnfsim command is also used to add and remove Kerberos realm to NFS domain mappings, and can list the current realm to domain mappings.

Flags

Item	Description
-a	Add operation.
-b	Specifies the LDAP administrator distinguished name. The default value is `admin`.
-c	Configure operation.
-C	Remove EIM configuration.
-d	Specify the NFS domain part of a NFS V4 owner string.
-e	Specify the EIM domain of the EIM LDAP server used for NFS mapping.
-f	Specify the EIM directory suffix of the EIM LDAP server used for NFS mapping.
-g	Specify a group-based operation.
-h	Specify the hostname and port of the EIM LDAP server used for NFS mapping.
-i	Specify the mapping identity. This is a unique string that describes a particular owner or owner group.
-l	List operation.
-n	Specify the owner or owner group name of a NFS V4 owner string.
-r	Specify the Kerberos realm.
-s	Search operation.
-t	Specify the type of EIM LDAP server. p \| P Primary LDAP server. s \| S Secondary (default) LDAP server.
-u	Specify a user-based operation.
-w	Specify the EIM administrator password.
-W	Specify the EIM access-only user password.
-x	Remove operation.

Action Matrix

Item	Description
Operation	Flags (Optional flags in parentheses)
-c	Displays current EIM configuration of the system. -a -t -h -e -f -w (-b -W) Configures the system for EIM use. The -w flag is required if the specified hostname is the local system. If the hostname is not the local system, at least one of the -w or the -W flag must be specified. The NFS client or server can be configured for more than one EIM LDAP replica server. -l -h Lists the configuration details of the server hostname[:port] from the configuration file. -x -h Deletes the configuration details of the server hostname[:port] from the configuration file.
-a	-u -i (-n -d) Adds the user mapping identity. If the -n and -d flags are specified, that identity mapping is associated to the user mapping identity. -g -i (-n -d) Adds the group mapping identity. If the -n and -d flags are specified, that identity mapping is associated to the group mapping identity. -r -d Adds a realm-to-domain mapping.
-x	-u -i (-n -d) Removes the user mapping identity. If the -n and -d flags are specified, only that identity mapping is removed from the user mapping identity -g -i (-n -d) Removes the group mapping identity. If the -n and -d flags are specified, only that identity mapping is removed from the group mapping identity -r -d Removes a realm-to-domain mapping.
-l	Lists all realm-to-domain mappings. -u -i Lists all identity mappings associated with the specified user mapping identity. -g -i Lists all identity mappings associated with the specified group mapping identity.
-s	-u -n -d Searches for user mapping identities associated with the specified identity mapping. -g -n -d Searches for group mapping identities associated with the specified identity mapping.
-C	Removes all of the EIM LDAP server entries from the configuration file.

Exit Status

0: Request was successful.
EACCES: Not enough permissions to access data.
ENOENT: The mapping identity, name, domain, or realm was not found in the database; or the configuration file was not found.
EBUSY: EIM server is unable to allocate internal objects.
ECONVERT: Data conversion error.
EINVAL: Input parameter was not valid.
ENOMEM: Unable to allocate memory.
ENOTCONN: LDAP connection has not been made.
EUNKNOWN: Unknown exception occurred.

Examples

To display the current EIM configuration for NFS, use the following command:
```
chnfsim -c
```
To configure a system to use EIM for NFS foreign identity mapping, use the following command:
```
chnfsim -c -a -t P -h foos.com -e nfs -f nfseim -w mypasswd -W access_passwd
```
Note: If the hostname specified is the local system, the chnfsim command also sets up an LDAP server to run EIM.
To configure a client system to use EIM for NFS foreign identity mapping, use the following command:
```
chnfsim -c -a -t P -h foos.com -e nfs -f nfseim -W access_passwd
```
Note: This configures the client with the primary LDAP server (for read-only access). Here, the specified host name is not the local system.
To list the configuration details of a server from the configuration file, use the following command:
```
chnfsim -c -l -h foos.com:1080
```
To delete the configuration details of a server from the configuration file, use the following command:
```
chnfsim -c -x -h foos.com:1080
```
To add a user identity mapping that specifies "John Doe" to "jdoe@com.com", use the following command:
```
chnfsim -a -u -i "John Doe" -n jdoe -d com.com 
```
Note: This command will create an EIM identity for "John Doe" if one does not already exist.
To remove the user identity mapping that specifies "John Doe" to "jdoe@com.com", use the following command:
```
chnfsim -x -u -i "John Doe" -n jdoe -d com.com
```
To remove all identity mappings for the user "John Doe", use the following command:
```
chnfsim -x -u -i "John Doe"
```
To list all identity mappings for the user "John Doe", use the following command:
```
chnfsim -l -u -i "John Doe"
```
To add a realm-to-domain mapping that specifies "realm1" maps to "domain1", use the following command:
```
chnfsim -a -r realm1 -d domain1
```
To remove the realm-to-domain mapping that specifies "realm1" maps to "domain1", use the following command:
```
chnfsim -x -r realm1 -d domain1
```
To list all realm-to-domain mappings, use the following command:
```
chnfsim -l
```
To search for the user mapping identity associated with "jdoe@com.com", use the following command:
```
chnfsim -s -u -n jdoe -d com.com
```
To remove all EIM configuration from a system, use the following command:
```
chnfsim -C
```
Note: This does not remove the underlying LDAP database or entries.

Files

Item	Description
/usr/sbin/chnfsim	Location of the chnfsim command.

Security

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.