DFS for Solaris

NFS/DFS Secure Gateway Guide and

Reference

Version 3.1

GC09-3993-00

Summary of Contents for DFS

Page 1: ...DFS for Solaris NFS/DFS Secure Gateway Guide and Reference, Version 3.1, GC09-3993-00 ...

Page 4: ...1 and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM representative or through the IBM branch office serving your locality. Copyright International Business Machines Corporation 1989, 1999. All rights reserved. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM ...

Page 5: ...hout Enabling Remote Authentication 14; Configuring a Client and Enabling Remote Authentication 14; Chapter 4. Accessing DFS from an NFS Client 17; Unauthenticated Access to DFS 17; Authenticated Access to DFS 18; Authenticating to DCE from an NFS Client 19; Authenticating to DCE from a Gateway Server Machine 21; Determining Whether a Specific User Is Authenticated to DCE 22; Displaying Information About A...

Page 6: ...iv DFS for Solaris NFS/DFS Secure Gateway Guide and Reference ...

Page 7: ...ing knowledge of DCE and its requirements. Applicability: This revision applies to IBM DFS for Solaris Version 3.1. See your software license for details. Purpose: The purpose of this book is to provide information about: understanding the relationship of the NFS/DFS Secure Gateway to DCE and DFS; using the NFS/DFS Secure Gateway. Document Organization: The IBM DFS for Solaris NFS/DFS Secure Gateway Gu...

Page 8: ...ng typographic conventions. Bold: Bold words or characters represent system elements that you must use literally, such as commands, options, and pathnames. Italic: Italic words or characters represent variable values that you must supply. Italic type is also used to introduce a new DCE term. Constant width: Examples and information that the system displays appear in constant width typeface. Brackets enclose ...

Page 9: ...ndicates a control character sequence. For example, Ctrl-C means that you hold down the control key while pressing C. Return: The notation Return refers to the key on your terminal or workstation that is labeled with the word Return or Enter, or with a left arrow. Preface vii ...

Page 11: ...both. Local and remote authentication work as follows: Local authentication to DCE from Gateway Server machines is provided via the dfsgw add command. With local authentication, you can enable users to issue the dfsgw add command to authenticate themselves, or you can control access to DFS by allowing only system administrators to provide authentication via the dfsgw add command. The dfsgw command sui...

Page 12: ...eway Server machine, an association is created between the UNIX user identification number (UID) of the user and the network address of the NFS client from which DFS access is desired. A mapping is then created between this pair and the PAG created for the user. The mapping is stored as an entry in a local authentication table, which, like the PAG, resides in the kernel of the machine. The mapping provides...

Page 13: ... end the authenticated session, regardless of which command was used to obtain the credentials. Because the authentication table resides in memory, all authenticated sessions are terminated if the Gateway Server is restarted. Chapter 2, Configuring Gateway Server Machines, on page 5, and Chapter 3, Configuring NFS Clients to Access DFS, on page 13, provide complete instructions for configuring Gateway Serve...

Page 15: ...ssue the dfs_login command to authenticate to DCE. This configuration allows system administrators to manage all DCE authentication from the Gateway Server machines. You can allow users to issue the dfsgw add command themselves, or you can limit use of the command to administrators only. To configure a Gateway Server machine without enabling remote authentication via the dfs_login command, follow the i...

Page 16: ...n on the machine. The dfsgw command suite provides a local interface to the authentication table maintained on the Gateway Server machine. Commands in the dfsgw suite can be used to add, delete, and view mappings in the authentication table. See Authenticating to DCE from a Gateway Server Machine on page 21, Determining Whether a Specific User Is Authenticated to DCE on page 22, and Displaying Informatio...

Page 17: ... See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server. Configuring the BOS Server Process: To configure the BOS Server process (bosserver), perform the following steps on the machine to be configured as a Gateway Server. In all cases, hostname is the hostname of the local machine. Note that it can be necessary to install the bosserver binary file on the machin...

Page 18: ...stname/dfs-server -key password dcecp> keytab add self -member hosts/hostname/dfs-server -random -registry dcecp> exit 6. Remove the BosConfig file and any administrative lists that possibly exist from a previous configuration of the BOS Server on the machine: rm -f dcelocal/var/dfs/BosConfig rm -f dcelocal/var/dfs/admin 7. Start the bosserver process with DFS authorization checking disabled. The process crea...

Page 19: ...rver machine. 4. Add the dfsgw service to the Internet services database. The dfsgw service provides the login facility for the NFS/DFS Secure Gateway. To add the service, do one of the following: If you use the /etc/services file in your environment, add an entry for the dfsgw service to the /etc/services file on the machine. If you use a Network Information Service (NIS) services map in your environment...

Page 20: ...ate hosts/hostname/dfsgw-server dcecp> account create hosts/hostname/dfsgw-server -group subsys/dce/dfsgw-admin -org none -password password -mypwd password dcecp> exit 9. Use the su command to become the local superuser, root, on the machine: su Password: root_password 10. Add a server key for the hosts/hostname/dfsgw-server principal to the /krb5/v5srvtab keytab file on the machine. The dced process recognize...

Page 21: ...sgw to run the dfsgwd server process: dcelocal/bin/bos create -server hosts/hostname -process dfsgw -type simple -cmd dcelocal/bin/dfsgwd The Gateway Server process is now fully configured on the machine. Chapter 2. Configuring Gateway Server Machines 11 ...

Page 23: ...the instructions in Configuring a Client Without Enabling Remote Authentication on page 14. If you configured your Gateway Servers so that users can issue the dfs_login command to authenticate to DCE, configure your NFS clients and enable DCE authentication via the dfs_login command: follow the instructions in Configuring a Client and Enabling Remote Authentication on page 14. Note: The dfs_login an...

Page 24: ...fs. In the command, cellname is the name of the DCE cell to be accessed from the NFS client (the cell in which the machine that exports /... is configured as a DFS client): ln -s /.../cellname/fs /: 4. Verify that the NFS mount of DCE was successful by using the ls command to list the contents of /:, which leads to the root directory of the DFS filespace. The command yields the same output from the NFS client that it does...

Page 25: ...uthenticating to DCE from an NFS Client on page 19 for information about using this command. The dfs_login and dfs_logout commands use version 5 of Kerberos to communicate with the DCE Security Service. 4. Create the Kerberos configuration file named /krb5/krb.conf. The dfs_login command reads this file to determine the name of a DCE Security Server that it can contact. This file must be identical to th...

Page 26: ...n alias for the dfsgw service. If you use an NIS services map in your environment, you added an entry to the services map file when you configured the first Gateway Server process. You do not need to add the entry to the services map when you configure NFS clients. The NFS client is now configured to provide access to DFS and to allow users of the client to authenticate to DCE with the dfs_login comma...

Page 27: ...sed from File Server machines. When accessing DFS data from an NFS client, NFS background I/O daemons cache local copies of files accessed via the NFS server. The caching of information by the NFS daemons can affect how quickly changes you make to data in DFS become visible to other users. Unauthenticated Access to DFS: Unauthenticated access is provided to users who access DFS without first authentica...

Page 28: ...issue the dfs_login command. See Authenticating to DCE from an NFS Client on page 19 for more information. From a Gateway Server machine, issue the dfsgw add command. See Authenticating to DCE from a Gateway Server Machine on page 21 for more information. Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available from your NFS vendor and...

Page 29: ... DCE credentials before they expire, use the dfsgw add command, which refreshes the ticket lifetime of your existing TGT, to obtain new credentials; then use the dfs_login or dfsgw add command to replace your existing TGT with the new TGT. Note that if you configure multiple Gateway Server machines, each server machine houses its own authentication table. The dfs_login and dfs_logout commands affect entr...

Page 30: ...efault, the ticket is assigned the DCE cell's default lifetime. dce_principal: Specifies the DCE principal name of the user for whom to obtain a ticket. By default, the command uses the name of the issuer of the command. dce_password: Provides the DCE password of the specified user. If you do not specify a password, the command prompts for a password if one of the following is true: You name a user other th...

Page 31: ...he issuer of the command: dfs_logout. Authenticating to DCE from a Gateway Server Machine: The dfsgw add command authenticates a user to DCE from a Gateway Server machine. Users can use the dfsgw add command if the dfs_login command is not installed on the NFS client from which they desire access to DFS. System administrators can use the command to administer authenticated access to DFS from a Gateway ...

Page 32: ...ment includes multiple Gateway Server machines, you must issue the command on the Gateway Server machine whose authentication table is to be examined. The command displays information about a user's entry regardless of whether the user authenticated via the dfs_login command or the dfsgw add command. See the reference page for the dfsgw query command for more information about the command. Displaying ...

Page 33: ...FS access and the date and time at which each user's DCE credentials expire. See the reference page for the dfsgw list command for more information about the command. Chapter 4. Accessing DFS from an NFS Client 23 ...

Page 35: ...Chapter 5. Configuration File and Command Reference. This chapter contains configuration file and command reference information for the NFS/DFS Secure Gateway. Copyright IBM Corp. 1989, 1999 25 ...

Page 36: ...e DfsgwLog.old file in the same directory, overwriting the current DfsgwLog.old file if it exists, before creating a new version to which to append messages. The process can write different types of output to the file, depending on the actions it performs and any problems it encounters. The file can be viewed with the bos getlog command. Because it is an ASCII file, it can also be viewed with the more co...

Page 37: ... currently supported: inet (Internet). -help: Displays the online help for the command. All other valid options specified with this option are ignored. Description: The dfsgw command suite provides commands to manipulate entries in the local authentication table on a Gateway Server machine. The table contains an entry for each user who has DCE credentials on the Gateway Server machine. Each entry maps the us...

Page 38: ...mands. The following examples summarize the syntax for the different help options: dfsgw help: Displays a list of commands in a command suite. dfsgw help command: Displays the syntax for a single command. dfsgw command -help: Displays the syntax for a single command. dfsgw apropos -topic string: Displays a short description of commands that match the specified string. Consult the dfs_intro(8dfs) reference page...

Page 39: ...Related Information. Commands: dfsgw_add(8dfs), dfsgw_apropos(8dfs), dfsgw_delete(8dfs), dfsgw_help(8dfs), dfsgw_list(8dfs), dfsgw_query(8dfs), dfs_intro(8dfs). Chapter 5. Configuration File and Command Reference 29 ...

Page 40: ...pecify a principal name and password, the command prompts for them only if you do not already have a valid ticket-granting ticket (TGT) in the current login context. If you omit only your password, the command prompts for your password. The command's interactive prompt provides for secure entry of the password. -sysname sysname: Specifies the system name for networkID. This option defaults to the system nam...

Page 41: ...uthentication table. Otherwise, it returns a nonzero exit value. DCE credentials obtained with the command are valid for the default ticket lifetime in effect in the registry database of the DCE cell. DCE credentials can be refreshed by issuing the dfsgw add command before they expire. In this case, the command automatically associates the user with the DCE principal; it does not have to be supplied. Afte...

Page 42: ...valid TGT. If it succeeds in creating the entry in the authentication table, the command displays the following: Mapping added successfully PAG is PAG, where PAG identifies the PAG created with the command. Examples: The following command creates an entry in the authentication table to grant authenticated access to DFS to the user named ludwig. The user, whose UID is 7439, is requesting access from the NFS...

Page 43: ...or any dfsgw command that contains the string specified by the -topic option in its name or short description. To display the syntax for a command, use the dfsgw help command. Privilege Required: No privileges are required. Output: The first line of an online help entry for a command names the command and briefly describes its function. This command displays the first line for any dfsgw command where the ...

Page 44: ...Related Information. Commands: dfsgw_help(8dfs) ...

Page 45: ...d options specified with this option are ignored. Description: The dfsgw delete command cancels a user's authenticated access to DFS. The command removes the entry for the specified user and NFS client from the authentication table on the Gateway Server machine. Because each Gateway Server machine maintains its own authentication table, you must issue the command on the Gateway Server machine from whic...

Page 46: ...lowing command deletes the entry from the authentication table that grants authenticated access to the user named ludwig from the NFS client that has network address 15.27.32.40. The command is issued by the user ludwig, who has UID 7439: dfsgw del -id 15.27.32.40 7439 Related Information. Commands: dfsgw_add(8dfs), dfsgw_list(8dfs), dfsgw_query(8dfs) ...

Page 47: ...first line (name and short description) of the online help entry for every dfsgw command if the -topic option is not provided. For each command name specified with the -topic option, the output lists the entire help entry. Use the dfsgw apropos command to show each help entry that contains a specified string. Privilege Required: No privileges are required. Output: The online help entry for each dfsgw command...

Page 48: ...dfsgw list: list all entries in the AT. Usage: dfsgw list [-help]. Related Information. Commands: dfsgw_apropos(8dfs) ...

Page 49: ... that the dfsgw list command provides some additional information not displayed by the dfsgw query command. For example, it displays the hostname of the NFS client for which the DCE credentials are granted, the principal name of the user to whom the credentials are granted, the date and time at which the credentials expire, and the system name and remote hostname used for the client. The dfsgw list comm...

Page 50: ...ns no entries: No mappings exist. Examples: The following command displays the current entries from the authentication table on the local Gateway Server machine. The first entry grants secure access to DFS to the user ludwig from the NFS client named nfs1.abc.com. The PAG associated with the user is 41ffffe4; the user's DCE credentials expire at 5:59 a.m. on 17 Nov 1999: dfsgw list Mapping nfs1.abc.com lu...

Page 51: ...dfsgw_delete(8dfs), dfsgw_query(8dfs). Chapter 5. Configuration File and Command Reference 41 ...

Page 52: ...iption: The dfsgw query command checks the local authentication table to determine whether the user has an entry for the NFS client. Because each Gateway Server machine maintains its own authentication table, you must issue the command on the Gateway Server machine that houses the authentication table to be queried. The command determines only whether the user has an entry for the specified client; the...

Page 53: ...n entry for the NFS client in the authentication table, the dfsgw query command displays the following line of output instead: No mapping found. Examples: The following command determines whether the authentication table on the local Gateway Server machine includes an entry for the user named ludwig from the NFS client that has network address 15.27.32.40. The user ludwig has UID 7439. The command repor...

Page 54: ... @host variables. This name can be set by starting the dfsgwd process with the -sysname option. The sysname argument is a unique name, derived from the uname function, that describes the machine architecture and OS type, such as sparc_sunos57. -nodomains: Uses the base hostname, without the domain portion, for the @host variable. -file log_file: Specifies the full pathname of the log file in which the dfsgwd proc...

Page 55: ... the authentication table on a machine configured as a Gateway Server. The Gateway Server process recognizes the @sys and @host variables on the NFS client system. This allows the Gateway Server to resolve pathnames to binaries and other system-dependent files correctly, based on the user's login system name and system type. The binary file for the dfsgwd process resides in dcelocal/bin. The process is n...

Page 56: ...cal/var/dfs/adm/DfsgwLog: The default log file for the dfsgwd process. You can use the -file option to specify a different pathname for the log file. Related Information. Commands: bos_getlog(8dfs), bosserver(8dfs), dfsgw(8dfs). Files: DfsgwLog(4dfs) ...

Page 57: ...1, 6, 19, 27; receiving help 28; dfsgw commands: add 1, 2, 5, 6, 7, 14, 18, 19, 21, 30, 35; apropos 33; delete 2, 19, 21, 31, 35; help 37; list 22, 39, 42; query 22, 42; dfsgwd process 1, 7, 19, 21, 26, 44; DfsgwLog file 26. G: Gateway Server: authenticating to DCE 21; configuring 5; configuring and enabling remote authentication 7; configuring dfsgwd process 9; configuring without enabling remote authentication 6. K: kinit command 19. L: loc...

Page 59: ...he furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to: IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A. For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to: IBM World Trade Asia Corporatio...

Page 60: ...2, U.S.A. Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee. The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM International Program License Agreement or any equivalent agreement between us. Any performance data contained herein was determined in a co...

Page 61: ... used by an actual business enterprise is entirely coincidental. If you are viewing this information softcopy, the photographs and color illustrations may not appear. Trademarks: The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both: AFS, AIX, AS/400, CICS, CICS OS/2, CICS/400, CICS/6000, CICS/ESA, CICS/MVS, CICS/VSE, CICSPlex, DB2, DCE, Encina...

Page 62: ...ited States, other countries, or both, and is licensed exclusively through X/Open Company Limited. Other company, product, and service names may be trademarks or service marks of others. ...

Page 63: ...this book is: Very Satisfied, Satisfied, Neutral, Dissatisfied, Very Dissatisfied, rated for: Accurate; Complete; Easy to find; Easy to understand; Well organized; Applicable to your tasks. Please tell us how we can improve this book. Thank you for your responses. May we contact you? Yes / No. When you send comments to IBM, you grant IBM a nonexclusive right to us...

Page 64: ...RESSEE IBM Corporation, ATTN: File Systems Documentation Group, 11 Stanwix Street, Pittsburgh, PA 15222-1312 ...

Page 66: ... Program Number. Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC09-3993-00 ...

Page 67: ...Spine information: DFS for Solaris NFS/DFS Secure Gateway Guide and Reference, Version 3.1, GC09-3993-00 ...