IBM DFS Скачать руководство пользователя страница 12 | Manualshive

Страница: 12 / 67

background image

on the Gateway Server machines, installing the vendor-provided dfs_login
and dfs_logout commands on the NFS clients, configuring Kerberos on the
NFS clients, and configuring the remote authentication service on both the
Gateway Server machines and the NFS clients. However, authentication
requires no administrative measures, and user passwords are never sent in
the clear.

Note:

The dfs_login and dfs_logout commands are not provided with DFS;
these commands can be used only if they are available from your NFS
vendor and have been installed on an NFS client. If these commands
are not available, use the dfsgw add and dfsgw delete commands,
which work in a similar fashion. See your NFS vendor documentation
for the availability and use of the dfs_login and dfs_logout commands.

The dfsgw add and dfs_login commands both result in authenticated access
to DFS from an NFS client. To provide a user with authenticated access, each
command obtains a ticket-granting ticket (TGT) for the user from the DCE
Security Service. The TGT is used to create a valid login context for the user.
The login context includes a Process Activation Group (PAG), which DFS
stores in the kernel of the Gateway Server machine. The PAG identifies the
user’s TGT; the TGT serves as the user’s DCE credentials.

On the Gateway Server machine, an association is created between the UNIX
user identification number (UID) of the user and the network address of the
NFS client from which DFS access is desired. A mapping is then created
between this pair and the PAG created for the user. The mapping is stored as
an entry in a local authentication table, which, like the PAG, resides in the
kernel of the machine. The mapping provides the user with authenticated
access to DFS from the NFS client.

Each mapping grants a user authenticated access only from the specific NFS
client for which the mapping exists. For authenticated access from a different
NFS client, a user must use the dfsgw add or dfs_login command to create a
new mapping for that client.

A user’s DCE credentials are good only for the lifetime of the TGT. The ticket
lifetime is dictated by the registry database of the DCE cell. By default, each
ticket receives the default ticket lifetime in effect in the registry database. The
dfs_login

command includes a -l option that can be used to request a

different lifetime, but a requested lifetime is constrained by the policies in
effect in the registry database. A user’s DCE credentials can be refreshed by
using the dfsgw add command before the user’s TGT expires. If a user’s TGT
expires, the user must obtain new DCE credentials. For more information on
the dfsgw add command, see “Chapter 5. Configuration File and Command
Reference” on page 25.

2

DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

«
...
10
11
12
13
14
...
»

Содержание DFS

Страница 1: ...DFS for Solaris NFS DFS Secure Gateway Guide and Reference V ersion 3 1 GC09 3993 00 ...

Страница 2: ......

Страница 3: ...DFS for Solaris NFS DFS Secure Gateway Guide and Reference V ersion 3 1 GC09 3993 00 ...

Страница 4: ...1 and to all subsequent releases and modifications until otherwise indicated in new editions Order publications through your IBM representative or through the IBM branch office serving your locality Copyright International Business Machines Corporation 1989 1999 All rights reserved US Government Users Restricted Rights Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM ...

Страница 5: ...hout Enabling Remote Authentication 14 Configuring a Client and Enabling Remote Authentication 14 Chapter 4 Accessing DFS from an NFS Client 17 Unauthenticated Access to DFS 17 Authenticated Access to DFS 18 Authenticating to DCE from an NFS Client 19 Authenticating to DCE from a Gateway Server Machine 21 Determining Whether a Specific User Is Authenticated to DCE 22 Displaying Information About A...

Страница 6: ...iv DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 7: ...ing knowledge of DCE and its requirements Applicability This revision applies to IBM DFS for Solaris Version 3 1 See your software license for details Purpose The purpose of this book is to provide information about v Understanding the relationship of the NFS DFS Secure Gateway to DCE and DFS v Using the NFS DFS Secure Gateway Document Organization The IBM DFS for Solaris NFS DFS Secure Gateway Gu...

Страница 8: ...ng typographic conventions Bold Bold words or characters represent system elements that you must use literally such as commands options and pathnames Italic Italic words or characters represent variable values that you must supply Italic type is also used to introduce a new DCE term Constant width Examples and information that the system displays appear in constant width typeface Brackets enclose ...

Страница 9: ...ndicates a control character sequence For example Ctrl C means that you hold down the control key while pressing C Return The notation Return refers to the key on your terminal or workstation that is labeled with the word Return or Enter or with a left arrow Preface vii ...

Страница 10: ...viii DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 11: ...both Local and remote authentication work as follows v Local authentication to DCE from Gateway Server machines is provided via the dfsgw add command With local authentication you can enable users to issue the dfsgw add command to authenticate themselves or you can control access to DFS by allowing only system administrators to provide authentication via the dfsgw add command The dfsgw command sui...

Страница 12: ...eway Server machine an association is created between the UNIX user identification number UID of the user and the network address of the NFS client from which DFS access is desired A mapping is then created between this pair and the PAG created for the user The mapping is stored as an entry in a local authentication table which like the PAG resides in the kernel of the machine The mapping provides...

Страница 13: ... end the authenticated session regardless of which command was used to obtain the credentials Because the authentication table resides in memory all authenticated sessions are terminated if the Gateway Server is restarted Chapter 2 Configuring Gateway Server Machines on page 5 and Chapter 3 Configuring NFS Clients to Access DFS on page 13 provide complete instructions for configuring Gateway Serve...

Страница 14: ...4 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 15: ...ssue the dfs_login command to authenticate to DCE This configuration allows system administrators to manage all DCE authentication from the Gateway Server machines You can allow users to issue the dfsgw add command themselves or you can limit use of the command to administrators only To configure a Gateway Server machine without enabling remote authentication via the dfs_login command follow the i...

Страница 16: ...n on the machine The dfsgw command suite provides a local interface to the authentication table maintained on the Gateway Server machine Commands in the dfsgw suite can be used to add delete and view mappings in the authentication table See Authenticating to DCE from a Gateway Server Machine on page 21 Determining Whether a Specific User Is Authenticated to DCE on page 22 and Displaying Informatio...

Страница 17: ... See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server Configuring the BOS Server Process To configure the BOS Server process bosserver perform the following steps on the machine to be configured as a Gateway Server In all cases hostname is the hostname of the local machine Note that it can be necessary to install the bosserver binary file on the machin...

Страница 18: ...stname dfs server key password dcecp keytab add self member hosts hostname dfs server random registry dcecp exit 6 Remove the BosConfig file and any administrative lists that possibly exist from a previous configuration of the BOS Server on the machine rm f dcelocal var dfs BosConfig rm f dcelocal var dfs admin 7 Start the bosserver process with DFS authorization checking disabled The process crea...

Страница 19: ...rver machine 4 Add the dfsgw service to the Internet services database The dfsgw service provides the login facility for the NFS DFS Secure Gateway To add the service do one of the following v If you use the etc services file in your environment add an entry for the dfsgw service to the etc services file on the machine v If you use a Network Information Service NIS services map in your environment...

Страница 20: ...ate hosts hostname dfsgw server dcecp account create hosts hostname dfsgw server group subsys dce dfsgw admin org none password password mypwd password dcecp exit 9 Use the su command to become the local superuser root on the machine su Password root_password 10 Add a server key for the hosts hostname dfsgw server principal to the krb5 v5srvtab keytab file on the machine The dced process recognize...

Страница 21: ...sgw to run the dfsgwd server process dcelocal bin bos create server hosts hostname process dfsgw type simple cmd dcelocal bin dfsgwd The Gateway Server process is now fully configured on the machine Chapter 2 Configuring Gateway Server Machines 11 ...

Страница 22: ...12 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 23: ...the instructions in Configuring a Client Without Enabling Remote Authentication on page 14 v If you configured your Gateway Servers so that users can issue the dfs_login command to authenticate to DCE configured your NFS clients and enable DCE authentication via the dfs_login command follow the instructions in Configuring a Client and Enabling Remote Authentication on page 14 Note The dfs_login an...

Страница 24: ...fs In the command cellname is the name of the DCE cell to be accessed from the NFS client the cell in which the machine that exports is configured as a DFS client ln s cellname fs 4 Verify that the NFS mount of DCE was successful by using the ls command to list the contents of which leads to the root directory of the DFS filespace The command yields the same output from the NFS client that it does...

Страница 25: ...uthenticating to DCE from an NFS Client on page 19 for information about using this command The dfs_login and dfs_logout commands use version 5 of Kerberos to communicate with the DCE Security Service 4 Create the Kerberos configuration file named krb5 krb conf The dfs_login command reads this file to determine the name of a DCE Security Server that it can contact This file must be identical to th...

Страница 26: ...n alias for the dfsgw service If you use an NIS services map in your environment you added an entry to the services map file when you configured the first Gateway Server process You do not need to add the entry to the services map when you configure NFS clients The NFS client is now configured to provide access to DFS and to allow users of the client to authenticate to DCE with the dfs_login comma...

Страница 27: ...sed from File Server machines When accessing DFS data from an NFS client NFS background I O daemons cache local copies of files accessed via the NFS server The caching of information by the NFS daemons can affect how quickly changes you make to data in DFS become visible to other users Unauthenticated Access to DFS Unauthenticated access is provided to users who access DFS without first authentica...

Страница 28: ...issue the dfs_login command See Authenticating to DCE from an NFS Client on page 19 for more information v From a Gateway Server machine issue the dfsgw add command See Authenticating to DCE from a Gateway Server Machine on page 21 for more information Note The dfs_login and dfs_logout commands are not provided with DFS these commands can be used only if they are available from your NFS vendor and...

Страница 29: ... DCE credentials before they expire use the dfsgw add command which refreshes the ticket lifetime of your existing TGT to obtain new credentials then use the dfs_login or dfsgw add command to replace your existing TGT with the new TGT Note that if you configure multiple Gateway Server machines each server machine houses its own authentication table The dfs_login and dfs_logout commands affect entr...

Страница 30: ...efault the ticket is assigned the DCE cell s default lifetime dce_principal Specifies the DCE principal name of the user for whom to obtain a ticket By default the command uses the name of the issuer of the command dce_password Provides the DCE password of the specified user If you do not specify a password the command prompts for a password if one of the following is true You name a user other th...

Страница 31: ...he issuer of the command dfs_logout Authenticating to DCE from a Gateway Server Machine The dfsgw add command authenticates a user to DCE from a Gateway Server machine Users can use the dfsgw add command if the dfs_login command is not installed on the NFS client from which they desire access to DFS System administrators can use the command to administer authenticated access to DFS from a Gateway ...

Страница 32: ...ment includes multiple Gateway Server machines you must issue the command on the Gateway Server machine whose authentication table is to be examined The command displays information about a user s entry regardless of whether the user authenticated via the dfs_login command or the dfsgw add command See the reference page for the dfsgw query command for more information about the command Displaying ...

Страница 33: ...FS access and the date and time at which each user s DCE credentials expire See the reference page for the dfsgw list command for more information about the command Chapter 4 Accessing DFS from an NFS Client 23 ...

Страница 34: ...24 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 35: ...Chapter 5 Configuration File and Command Reference This chapter contains configuration file and command reference information for the NFS DFS Secure Gateway Copyright IBM Corp 1989 1999 25 ...

Страница 36: ...e DfsgwLog old file in the same directory overwriting the current DfsgwLog old file if it exists before creating a new version to which to append messages The process can write different types of output to the file depending on the actions it performs and any problems it encounters The file can be viewed with the bos getlog command Because it is an ASCII file it can also be viewed with the more co...

Страница 37: ... currently supported inet Internet help Displays the online help for the command All other valid options specified with this option are ignored Description The dfsgw command suite provides commands to manipulate entries in the local authentication table on a Gateway Server machine The table contains an entry for each user who has DCE credentials on the Gateway Server machine Each entry maps the us...

Страница 38: ...mands The following examples summarize the syntax for the different help options dfsgw help Displays a list of commands in a command suite dfsgw help command Displays the syntax for a single command dfsgw command help Displays the syntax for a single command dfsgw apropos topic string Displays a short description of commands that match the specified string Consult the dfs_intro 8dfs reference page...

Страница 39: ...Related Information Commands dfsgw_add 8dfs dfsgw_apropos 8dfs dfsgw_delete 8dfs dfsgw_help 8dfs dfsgw_list 8dfs dfsgw_query 8dfs dfs_intro 8dfs Chapter 5 Configuration File and Command Reference 29 ...

Страница 40: ...pecify a principal name and password the command prompts for them only if you do not already have a valid ticket granting ticket TGT in the current login context If you omit only your password the command prompts for your password The command s interactive prompt provides for secure entry of the password sysname sysname Specifies the system name for networkID This option defaults to the system nam...

Страница 41: ...uthentication table Otherwise it returns a nonzero exit value DCE credentials obtained with the command are valid for the default ticket lifetime in effect in the registry database of the DCE cell DCE credentials can be refreshed by issuing the dfsgw add command before they expire In this case the command automatically associates the user with the DCE principal it does not have to be supplied Afte...

Страница 42: ...valid TGT If it succeeds in creating the entry in the authentication table the command displays the following Mapping added successfully PAG is PAG where PAG identifies the PAG created with the command Examples The following command creates an entry in the authentication table to grant authenticated access to DFS to the user named ludwig The user whose UID is 7439 is requesting access from the NFS...

Страница 43: ...or any dfsgw command that contains the string specified by the topic option in its name or short description To display the syntax for a command use the dfsgw help command Privilege Required No privileges are required Output The first line of an online help entry for a command names the command and briefly describes its function This command displays the first line for any dfsgw command where the ...

Страница 44: ...Related Information Commands dfsgw help 8dfs 34 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 45: ...d options specified with this option are ignored Description The dfsgw delete command cancels a user s authenticated access to DFS The command removes the entry for the specified user and NFS client from the authentication table on the Gateway Server machine Because each Gateway Server machine maintains its own authentication table you must issue the command on the Gateway Server machine from whic...

Страница 46: ...lowing command deletes the entry from the authentication table that grants authenticated access to the user named ludwig from the NFS client that has network address 15 27 32 40 The command is issued by the user ludwig who has UID 7439 dfsgw del id 15 27 32 40 7439 Related Information Commands dfsgw_add 8dfs dfsgw_list 8dfs dfsgw_query 8dfs 36 DFS for Solaris NFS DFS Secure Gateway Guide and Refer...

Страница 47: ...first line name and short description of the online help entry for every dfsgw command if the topic option is not provided For each command name specified with the topic option the output lists the entire help entry Use the dfsgw apropos command to show each help entry that contains a specified string Privilege Required No privileges are required Output The online help entry for each dfsgw command...

Страница 48: ...dfsgw list list all entries in the AT Usage dfsgw list help Related Information Commands dfsgw apropos 8dfs 38 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 49: ... that the dfsgw list command provides some additional information not displayed by the dfsgw query command For example it displays the hostname of the NFS client for which the DCE credentials are granted the principal name of the user to whom the credentials are granted the date and time at which the credentials expire and the system name and remote hostname used for the client The dfsgw list comm...

Страница 50: ...ns no entries No mappings exist Examples The following command displays the current entries from the authentication table on the local Gateway Server machine The first entry grants secure access to DFS to the user ludwig from the NFS client named nfs1 abc com The PAG associated with the user is 41ffffe4 the user s DCE credentials expire at 5 59 a m on 17 Nov 1999 dfsgw list Mapping nfs1 abc com lu...

Страница 51: ...dfsgw_delete 8dfs dfsgw_query 8dfs Chapter 5 Configuration File and Command Reference 41 ...

Страница 52: ...iption The dfsgw query command checks the local authentication table to determine whether the user has an entry for the NFS client Because each Gateway Server machine maintains its own authentication table you must issue the command on the Gateway Server machine that houses the authentication table to be queried The command determines only whether the user has an entry for the specified client the...

Страница 53: ...n entry for the NFS client in the authentication table the dfsgw query command displays the following line of output instead No mapping found Examples The following command determines whether the authentication table on the local Gateway Server machine includes an entry for the user named ludwig from the NFS client that has network address 15 27 32 40 The user ludwig has UID 7439 The command repor...

Страница 54: ... host variables This name can be set by starting the dfsgwd process with the sysname option The sysname argument is a unique name derived from the uname function that describes the machine architecture and OS type such as sparc_sunos57 nodomains Uses the base hostname without the domain portion for the host variable file log_file Specifies the full pathname of the log file in which the dfsgwd proc...

Страница 55: ... the authentication table on a machine configured as a Gateway Server The Gateway Server process recognizes the sys and host variables on the NFS client system This allows the Gateway Server to resolve pathnames to binaries and other system dependent files correctly based on the user s login system name and system type The binary file for the dfsgwd process resides in dcelocal bin The process is n...

Страница 56: ...cal var dfs adm DfsgwLog The default log file for the dfsgwd process You can use the file option to specify a different pathname for the log file Related Information Commands bos getlog 8dfs bosserver 8dfs dfsgw 8dfs Files DfsgwLog 4dfs 46 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 57: ...1 6 19 27 receiving help 28 dfsgw commands add 1 2 5 6 7 14 18 19 21 30 35 apropos 33 delete 2 19 21 31 35 help 37 list 22 39 42 query 22 42 dfsgwd process 1 7 19 21 26 44 DfsgwLog file 26 G Gateway Server authenticating to DCE 21 configuring 5 configuring and enabling remote authentication 7 configuring dfsgwd process 9 configuring without enabling remote authentication 6 K kinit command 19 L loc...

Страница 58: ...48 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 59: ...he furnishing of this document does not give you any license to these patents You can send license inquiries in writing to IBM Director of Licensing IBM Corporation North Castle Drive Armonk NY 10504 1785 U S A For license inquiries regarding double byte DBCS information contact the IBM Intellectual Property Department in your country or send inquiries in writing to IBM World Trade Asia Corporatio...

Страница 60: ...2 U S A Such information may be available subject to appropriate terms and conditions including in some cases payment of a fee The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM International Program License Agreement or any equivalent agreement between us Any performance data contained herein was determined in a co...

Страница 61: ... used by an actual business enterprise is entirely coincidental If you are viewing this information softcopy the photographs and color illustrations may not appear Trademarks The following terms are trademarks of International Business Machine Corporation in the United States other countries or both AFS AIX AS 400 CICS CICS OS 2 CICS 400 CICS 6000 CICS ESA CICS MVS CICS VSE CICSPlex DB2 DCE Encina...

Страница 62: ...ited States other countries or both and is licensed exclusively through X Open Company Limited Other company product and service names may be trademarks or service marks of others 52 DFS for Solaris NFS DFS Secure Gateway Guide and Reference ...

Страница 63: ...this book is Very Satisfied Satisfied Neutral Dissatisfied Very Dissatisfied Accurate h h h h h Complete h h h h h Easy to find h h h h h Easy to understand h h h h h Well organized h h h h h Applicable to your tasks h h h h h Please tell us how we can improve this book Thank you for your responses May we contact you h Yes h No When you send comments to IBM you grant IBM a nonexclusive right to us...

Страница 64: ...RESSEE IBM Corporation ATTN File Systems Documentation Group 11 Stanwix Street Pittsburgh PA 15222 1312 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ...

Страница 65: ......

Страница 66: ... Program Number Printed in the United States of America on recycled paper containing 10 recovered post consumer fiber GC09 3993 00 ...

Страница 67: ...Spine information DFS for Solaris NFS DFS Secure Gateway Guide and Reference Version 3 1 GC09 3993 00 ...

Отзывы:

Нет отзывов

Похожие инструкции для DFS

Бренд: NetComm Страницы: 16

Бренд: XiNCOM Страницы: 56

Бренд: Doepke Страницы: 44

Бренд: OpenVox Страницы: 76

Бренд: Adman Technologies Страницы: 26

BlueBeacon Gateway D

Бренд: BlueUp Страницы: 28

DIRIS Digiware M-50

Бренд: socomec Страницы: 60

Бренд: Smartenit Страницы: 2

Бренд: Technicolor Страницы: 19

Бренд: National Instruments Страницы: 18

Бренд: ZyXEL Communications Страницы: 162

Бренд: ADT Pulse Страницы: 15

Бренд: ActionTec Страницы: 2

Бренд: ActionTec Страницы: 4

Бренд: Watchguard Страницы: 16

Бренд: Arris Страницы: 51

Бренд: SICK Страницы: 4

SMRT Logic LPLUS

Бренд: Unique Lighting Systems Страницы: 4

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды