Summary of the content on page 1
DFS for Solaris
NFS/DFS Secure Gateway Guide and
Reference
Version 3.1
GC09-3993-00
Summary of the content on page 2
Summary of the content on page 3
DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 GC09-3993-00
Summary of the content on page 4
Note

Before using this information and the product it supports, be sure to read the general information under “Notices” on page 49.

First Edition (April 2000)

This edition applies to: DFS for Solaris, Version 3.1 and to all subsequent releases and modifications until otherwise indicated in new editions.

Order publications through your IBM representative or through the IBM branch office serving your locality.

© Copyright International Business Machines Corporation 1989, 1999. All rights reserved.
Summary of the content on page 5
Contents

Preface  v
Audience  v
Applicability  v
Purpose  v
Document Organization  v
Related Documents  vi
Typographic and Keying Conventions  vi
Authenticated Access to DFS  18
Authenticating to DCE from an NFS Client  19
Authenticating to DCE from a Gateway Server Machine  21
Determining Whether a Specific User Is Authenticated to DCE  22
Displaying Information About All Users Who Are Authenticated
Summary of the content on page 6
iv DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference
Summary of the content on page 7
Preface

The IBM DFS for Solaris NFS/DFS Secure Gateway Guide and Reference contains guide and reference information about the NFS/DFS Secure Gateway for Solaris, which provides authenticated access to the DFS filespace to clients of the Network File System (NFS) by associating an NFS request with an authenticated DCE principal.

Audience

This guide and reference is intended for DFS users or administrators who need to know how to provide authenticated access to the DFS filespace for NFS clients. Thi
Summary of the content on page 8
Related Documents

For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents:

- IBM Distributed Computing Environment for Solaris: Quick Beginnings
- IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Introduction
- IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Core Components
- IBM Distributed Computing Environment for AIX and Solaris: Administration Command Reference
Summary of the content on page 9
or |x The notation or |x followed by the name of a key indicates a control character sequence. For example, means that you hold down the control key while pressing .

The notation refers to the key on your terminal or workstation that is labeled with the word Return or Enter, or with a left arrow.
Summary of the content on page 10
Summary of the content on page 11
Chapter 1. Overview of the NFS/DFS Secure Gateway

The Network File System (NFS) to DFS Secure Gateway provides a mechanism for granting authenticated access to the DFS filespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS filespace from a machine that is configured as an NFS client but not as a DCE client.

To use the NFS/DFS Secure Gateway for authenticated access to DFS, you must configure at least one Gateway Server machine. A Gateway Server machine must
Summary of the content on page 12
on the Gateway Server machines, installing the vendor-provided dfs_login and dfs_logout commands on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwords are never sent in the clear.

Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available fro
Summary of the content on page 13
Before establishing a new mapping between a remote user and DCE principal, the existing mapping must be deleted. A user who wants to end an authenticated session to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or the dfsgw delete command from the Gateway Server machine. Both commands remove the user’s entry for the NFS client from the authentication table on the Gateway Server machine. Either command can be u
Summary of the content on page 14
Summary of the content on page 15
Chapter 2. Configuring Gateway Server Machines

A Gateway Server machine provides authenticated access to the DFS filespace to users on NFS clients. You can configure any machine that is configured as a DFS client and an NFS server as a Gateway Server. Following successful configuration, the machine provides authenticated access to the DFS filespace, and it exports the root of the DCE namespace, /..., via NFS. You can configure multiple Gateway Server machines to provide DFS access from multiple sources
Summary of the content on page 16
Before configuring a Gateway Server machine, you must do the following:

- Configure a DCE cell that includes DFS.
- Configure each machine that is to become a Gateway Server as a DFS client and an NFS server.
- Ensure proper synchronization among the system clocks on machines that are to become Gateway Servers, machines configured as NFS clients that are to contact the Gateway Servers, and machines in the DCE cell to be contacted. You must keep the system clocks on these machines synchronized at all
Summary of the content on page 17
Configuring a Gateway Server and Enabling Remote Authentication

Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; they authenticate from an NFS client by issuing the dfs_login command. A Gateway Server machine to be configured in this manner runs the Gateway Server process (dfsgwd). The steps in “Configuring the G
Summary of the content on page 18
    $ dcecp
    dcecp> principal create hosts/hostname/dfs-server
    dcecp> account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin -org none -password password -mypwd password

3. Grant the group subsys/dce/dfs-admin the appropriate permissions on the ACL for the hosts/hostname/dfs-server principal in the registry database:

    dcecp> acl mod /.:/sec/principal/hosts/hostname/dfs-server -add {group subsys/dce/dfs-admin rcDnfmag}
    dcecp> exit

4. Use the su command to become the local superuser root on
Summary of the content on page 19
Configuring the Gateway Server Process

To configure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be configured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local machine.

Note: You need to perform some steps only when you configure the first Gateway Server process. Such steps are qualified with the phrase for the first Gateway Server process.

1. If you have not alre
Summary of the content on page 20
- The m, a, u, and g permissions on the principal hosts/hostname/dfsgw-server. The principal is created during the configuration steps.
- The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
- The R, t, and M permissions on the organization none.
- The r permission on the registry Policy object for the DCE cell.

This requirement is most easily met by authenticating to a privileged DCE identity (for example, cell_admin or a principal who