HP j6750 Supplementary Manual page 141

Enterprise file system, planning and configuring hp dce/9000 enhanced dfs version 3.0

Remote authentication to DCE from NFS clients is provided via the dfs_login
command. With remote authentication, you allow users to issue the dfs_login
command to authenticate themselves.

Remote authentication requires additional configuration, but it provides a less
burdensome and more secure approach to authentication. Configuration consists
of installing and configuring the Gateway Server (dfsgwd) process on the
Gateway Server machines, installing the dfs_login command (and the
dfs_logout command) on the NFS clients, configuring Kerberos on the NFS
clients, and configuring the remote authentication service on both the Gateway
Server machines and the NFS clients. However, authentication requires no
administrative measures, and user passwords are never sent in the clear.

The dfsgw add and dfs_login commands both result in authenticated access
to DFS from an NFS client. To provide a user with authenticated access,
each command obtains a ticket-granting ticket (TGT) for the user from the
DCE Security Service. The TGT is used to create a valid login context for
the user. The login context includes a Process Activation Group (PAG),
which DFS stores in the kernel of the Gateway Server machine. The PAG
identifies the user's TGT; the TGT serves as the user's DCE credentials.

On the Gateway Server machine, an association is created between the
UNIX user identification number (UID) of the user and the network address
of the NFS client from which DFS access is desired. A mapping is then
created between this pair and the PAG created for the user. The mapping is
stored as an entry in a local authentication table (AT), which, like the PAG,
resides in the kernel of the machine. The mapping provides the user with
authenticated access to DFS from the NFS client.

Each mapping grants a user authenticated access only from the specific NFS
client for which the mapping exists. For authenticated access from a
different NFS client, a user must use the dfsgw add or dfs_login command to
create a new mapping for that client.

A user's DCE credentials are good only for the lifetime of the TGT. The
ticket lifetime is dictated by the registry database of the DCE cell. By
default, each ticket receives the default ticket lifetime in effect in the registry
database. The dfs_login command can request a different lifetime, but a requested lifetime
is constrained by the policies in effect in the registry database. Once a user's
TGT expires, the user must obtain new DCE credentials.
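
The mapping and lifetime rules described above can be sketched as a small user-space model. This is an added example, not code from the manual or from DFS: the real authentication table and PAGs reside in the Gateway Server kernel, and the class names, lifetime values and addresses below are assumptions chosen for illustration.

```python
# Conceptual model only: every name and constant here is hypothetical.
from dataclasses import dataclass
from itertools import count

DEFAULT_LIFETIME = 10 * 3600   # assumed registry default ticket lifetime (seconds)
MAX_LIFETIME = 24 * 3600       # assumed registry policy ceiling (seconds)


@dataclass(frozen=True)
class LoginContext:
    pag: int             # PAG that identifies the user's TGT
    principal: str       # DCE principal the TGT was issued to
    tgt_expires: float   # absolute expiry time of the TGT


class AuthTable:
    """Maps (UNIX UID, NFS client address) pairs to a PAG."""

    def __init__(self):
        self._entries = {}
        self._next_pag = count(1)

    def add(self, uid, client_addr, principal, now, requested=None):
        """Model of the entry that dfsgw add or dfs_login creates."""
        lifetime = DEFAULT_LIFETIME if requested is None else requested
        lifetime = min(lifetime, MAX_LIFETIME)  # registry policy constrains requests
        ctx = LoginContext(next(self._next_pag), principal, now + lifetime)
        self._entries[(uid, client_addr)] = ctx
        return ctx

    def lookup(self, uid, client_addr, now):
        """Return the PAG for a request, or None when access is unauthenticated."""
        ctx = self._entries.get((uid, client_addr))
        if ctx is None:
            return None   # no mapping for this UID from this client
        if now >= ctx.tgt_expires:
            return None   # TGT expired: new DCE credentials are required
        return ctx.pag


if __name__ == "__main__":
    at = AuthTable()
    # Constructed sample values: UID 1042 on documentation address 192.0.2.10.
    ctx = at.add(1042, "192.0.2.10", "alice", now=0, requested=48 * 3600)
    print("granted lifetime (h):", ctx.tgt_expires / 3600)
    print("same client:", at.lookup(1042, "192.0.2.10", now=100))
    print("other client:", at.lookup(1042, "192.0.2.11", now=100))
    print("after expiry:", at.lookup(1042, "192.0.2.10", now=24 * 3600))
```
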
The DFS/NFS Secure Gateway
Overview of the DFS/NFS Gateway