Enabling QNTC file system for Network Authentication Service
The QNTC file system enables IBM i platform access to Common Integrated File System (CIFS) servers that support the Kerberos V5 authentication protocol.
Rather than using a LAN Manager-type password to authenticate with each server, a properly configured IBM i platform can access supported CIFS servers with a single logon transaction.
To enable the Network Authentication Service (NAS) for use with QNTC, you must configure these items:
- Network Authentication Service (NAS)
- Enterprise Identity Mapping (EIM)
Once the above items have been configured, you can then enable a user to use NAS with the QNTC file system. The following steps are needed to allow a user to take advantage of the QNTC NAS support.
- The user's IBM i user profile must have the local password management (LCLPWDMGT) parameter set to *NO. By specifying *NO, the user does not have a password to the server and cannot sign on to a 5250 session. The only access to the server is through NAS-enabled applications, such as IBM Navigator for i or IBM i Access 5250 Display Emulator.
If the user specifies *YES, the password is managed by the server and the user is authenticated without NAS.
- You must have a Kerberos ticket and IBM Navigator for i connection.
- The Kerberos ticket for the IBM i platform you are using must be forwardable. To make a ticket forwardable, follow these steps:
  - Access the Active Directory Users and Computers tool on the KDC for your NAS realm.
  - Select users.
  - Select the name that corresponds to the service principal name.
  - Select Properties.
  - Select the Account tab.
  - Select Account is trusted for delegation.
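The delegation setting from the last step can also be checked and applied from PowerShell on the Active Directory side. This is an added example, not part of the original documentation; it assumes the ActiveDirectory (RSAT) module is installed, that the service principal is mapped to a user account, and that you supply the service principal name yourself.

```powershell
# Added example: check, and if needed set, "Account is trusted for delegation"
# on the AD account that owns a given service principal name (SPN).
# Assumption: the SPN belongs to a user account, so Get-ADUser can find it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # SPN of the IBM i service principal, supplied by the caller (no default).
    [Parameter(Mandatory = $true)]
    [string]$ServicePrincipalName
)

Import-Module ActiveDirectory -ErrorAction Stop

$props = 'TrustedForDelegation', 'servicePrincipalName'

# An SPN must map to exactly one account; zero or several matches both break
# Kerberos ticket issuance, so stop rather than guess which account to change.
$accounts = @(Get-ADUser -Filter 'servicePrincipalName -eq $ServicePrincipalName' -Properties $props)

if ($accounts.Count -eq 0) {
    throw "No user account carries the SPN '$ServicePrincipalName'."
}
if ($accounts.Count -gt 1) {
    $names = $accounts.SamAccountName -join ', '
    throw "SPN '$ServicePrincipalName' is registered on several accounts: $names"
}

$account = $accounts[0]

if (-not $account.TrustedForDelegation) {
    # Same effect as ticking "Account is trusted for delegation" on the Account tab.
    # Run with -WhatIf to see the change without applying it.
    if ($PSCmdlet.ShouldProcess($account.DistinguishedName, 'Set TrustedForDelegation')) {
        Set-ADAccountControl -Identity $account -TrustedForDelegation $true
        $account = Get-ADUser -Identity $account.DistinguishedName -Properties $props
    }
}

# Report the resulting state so it can be logged or reviewed later.
[pscustomobject]@{
    SamAccountName       = $account.SamAccountName
    ServicePrincipalName = $ServicePrincipalName
    TrustedForDelegation = [bool]$account.TrustedForDelegation
}
```

Because this flag lets the account receive forwarded tickets from users, keep the reported output with your change records so that accounts carrying it can be reviewed periodically.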