Download Print this page

IBM NFS/DFS Secure Gateway Reference Manual

Ibm nfs/dfs secure gateway guide and reference
Hide thumbs

Advertisement

Quick Links

DFS for Solaris
NFS/DFS Secure Gateway Guide and
Reference
V ersion 3. 1
GC09-3993-00

Advertisement

loading

  Summary of Contents for IBM NFS/DFS Secure Gateway

  • Page 1 DFS for Solaris NFS/DFS Secure Gateway Guide and Reference V ersion 3. 1 GC09-3993-00...
  • Page 3 DFS for Solaris NFS/DFS Secure Gateway Guide and Reference V ersion 3. 1 GC09-3993-00...
  • Page 4 DFS for Solaris, Version 3.1 and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM representative or through the IBM branch office serving your locality. © Copyright International Business Machines Corporation 1989, 1999. All rights reserved.
  • Page 5: Table Of Contents

    Configuring a Client and Enabling Remote Authentication Chapter 4. Accessing DFS from an NFS Client Unauthenticated Access to DFS . © Copyright IBM Corp. 1989, 1999 Authenticated Access to DFS . Authenticating to DCE from an NFS Client Authenticating to DCE from a Gateway Server Machine .
  • Page 6 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 7: Preface

    DFS v Using the NFS/DFS Secure Gateway Document Organization The IBM DFS for Solaris NFS/DFS Secure Gateway Guide and Reference is divided into the following chapters: v Chapter 1. Overview of the NFS/DFS Secure Gateway v Chapter 2. Configuring Gateway Server Machines v Chapter 3.
  • Page 8: Related Documents

    For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents: v IBM Distributed Computing Environment for Solaris: Quick Beginnings v IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Introduction v IBM Distributed Computing Environment for AIX and Solaris: Administration...
  • Page 9 <Ctrl- x> or |x The notation <Ctrl- x> or |x followed by the name of a key indicates a control character sequence. For example, <Ctrl-C> means that you hold down the control key while pressing <C>. <Return> The notation <Return> refers to the key on your terminal or workstation that is labeled with the word Return or Enter, or with a left arrow.
  • Page 10 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 11: Chapter 1. Overview Of The Nfs/Dfs Secure Gateway

    DFS filespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS filespace from a machine that is configured as an NFS client but not as a DCE client.
  • Page 12 TGT expires. If a user’s TGT expires, the user must obtain new DCE credentials. For more information on the dfsgw add command, see “Chapter 5. Configuration File and Command Reference” on page 25. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 13 NFS users either local or remote authentication to DCE. “Chapter 4. Accessing DFS from an NFS Client” on page 17 provides detailed information about how users authenticate to DCE and how they access DFS from an NFS client. Chapter 1. Overview of the NFS/DFS Secure Gateway...
  • Page 14 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 15: Chapter 2. Configuring Gateway Server Machines

    NFS client. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands. © Copyright IBM Corp. 1989, 1999...
  • Page 16: Configuring A Gateway Server Without Enabling Remote Authentication

    DCE from NFS clients that contact the Gateway Server, simply perform the steps in “Configuring a Gateway Server and Enabling Remote Authentication” on page 7 on the Gateway Server machine. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 17: Configuring A Gateway Server And Enabling Remote Authentication

    Server is not already running on the machine. (Note that you typically run the BOS Server only on DFS servers, but you can run it on DFS clients. See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server.) Configuring the BOS Server Process...
  • Page 18 (#) from the following line of the /etc/rc.dfs file (or its equivalent): The BOS Server is now fully configured on the machine. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference principal create hosts/hostname/dfs-server account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin acl mod /.:/sec/principal/hosts/hostname/dfs-server...
  • Page 19: Configuring The Gateway Server Process

    Server machine. 4. Add the dfsgw service to the Internet services database. The dfsgw service provides the login facility for the NFS/DFS Secure Gateway. To add the service, do one of the following: v If you use the /etc/services file in your environment, add an entry for the dfsgw service to the /etc/services file on the machine.
  • Page 20 You can use the bos lsadmin command to list the principals and groups included in the admin.bos file: dcelocal/bin/bos lsadmin -server /.:/hosts/hostname -adminlist admin.bos DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference group create subsys/dce/dfsgw-admin principal create hosts/hostname/dfsgw-server account create hosts/hostname/dfsgw-server -group subsys/dce/dfsgw-admin...
  • Page 21 13. Create a simple BOS Server process named dfsgw to run the dfsgwd server process: dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw -type simple -cmd dcelocal/bin/dfsgwd The Gateway Server process is now fully configured on the machine. Chapter 2. Configuring Gateway Server Machines...
  • Page 22 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 23: Chapter 3. Configuring Nfs Clients To Access Dfs

    Because the steps in each of these sections mount /... on an NFS client, users who do not have DCE accounts can still use the NFS client for unauthenticated access; see “Authenticated Access to DFS” on page 18 for more information about authenticated access.) © Copyright IBM Corp. 1989, 1999...
  • Page 24: Configuring A Client Without Enabling Remote Authentication

    DCE, perform the steps in this section to configure your NFS clients. The steps enable both DFS and DCE authentication from an NFS client. Users can authenticate via either the dfsgw add command or the dfs_login command. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 25 Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available from your NFS vendor. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands.
  • Page 26 The NFS client is now configured to provide access to DFS and to allow users of the client to authenticate to DCE with the dfs_login command. Repeat these steps on each NFS client to be configured in this manner. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 27: Chapter 4. Accessing Dfs From An Nfs Client

    For objects in DCE LFS filesets, unauthenticated users receive the permissions granted by the any_other entry, if it exists, on the ACL of the object. The mask_obj entry filters permissions granted via the any_other entry. © Copyright IBM Corp. 1989, 1999...
  • Page 28: Authenticated Access To Dfs

    Unauthenticated access is provided with the NFS/DFS Secure Gateway as a side effect of configuring Gateway Server machines and NFS clients. Unauthenticated access is available without the NFS/DFS Secure Gateway.
  • Page 29: Authenticating To Dce From An Nfs Client

    The dfsgw add command can be used to refresh DCE credentials. If they are not refreshed, DCE credentials (tickets) expire after the lifetime specified by the DCE Security Service. After they expire, the tickets can no longer be used for authenticated access. To end an authenticated session before the ticket lifetime has passed, you can issue either of the following commands: v From the NFS client from which authenticated access to DFS is provided, enter the dfs_logout command.
  • Page 30 TGT, so the command prompts for the user’s password and obtains a TGT for the user. If the login succeeds, the dfs_login command returns no messages. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference -l hh[:mm] dce_principal...
  • Page 31: Authenticating To Dce From A Gateway Server Machine

    To end the authenticated session before the DCE credentials expire, issue the dfs_logout command from the NFS client. The command removes the user’s entry from the authentication table on the Gateway Server machine. The command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the NFS client as the local superuser root.
  • Page 32: Determining Whether A Specific User Is Authenticated To Dce

    Note that the dfsgw list command provides additional information not available with the dfsgw query command, such as the hostname of the NFS client from which each user has DFS access, the principal name of each user DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 33 who has DFS access, and the date and time at which each user’s DCE credentials expire. See the reference page for the dfsgw list command for more information about the command. Chapter 4. Accessing DFS from an NFS Client...
  • Page 34 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 35: Chapter 5. Configuration File And Command Reference

    Chapter 5. Configuration File and Command Reference This chapter contains configuration file and command reference information for the NFS/DFS Secure Gateway. © Copyright IBM Corp. 1989, 1999...
  • Page 36: Dfsgwlog

    file to reconstruct failed operations. However, the contents of the log file can help in evaluating server process failures and other problems. Related Information Commands: bos getlog(8dfs) dfsgwd(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 37: Dfsgw

    dfsgw Purpose Introduction to the dfsgw command suite used with the NFS/DFS Secure Gateway Options The following options are used with many dfsgw commands. They are also described with the commands that use them. -id networkID:userID Identifies an NFS client and the user whose DCE authentication from that client is to be manipulated.
  • Page 38 To use the list command, no privileges are required. All dfsgw commands return an exit value of completion. Otherwise, they return a nonzero exit value. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference (zero) upon successful...
  • Page 39 Related Information Commands: dfsgw_add(8dfs) dfsgw_apropos(8dfs) dfsgw_delete(8dfs) dfsgw_help(8dfs) dfsgw_list(8dfs) dfsgw_query(8dfs) dfs_intro(8dfs) Chapter 5. Configuration File and Command Reference...
  • Page 40: Dfsgw Add

    (Internet). Displays the online help for this command. All other valid options -help specified with this option are ignored. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference -af address_family] [-help] -sysname sysname...
  • Page 41 Description The dfsgw add command authenticates a user to DCE. The command contacts the DCE Security Service to obtain a TGT for the user. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user.
  • Page 42 -id 15.27.32.40:7439 -dceid ludwig Related Information Commands: dfsgw_delete(8dfs) dfsgw_list(8dfs) dfsgw_query(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference principal password beethoven...
  • Page 43: Dfsgw Apropos

    dfsgw apropos Purpose Displays the help entry for each dfsgw command that contains a specified string Synopsis dfsgw apropos -topic string -help Options -topic string Specifies the keyword string for which to search. If it is more than a single word, surround the string with double quotes (″ ″) or other delimiters.
  • Page 44 Related Information Commands: dfsgw help(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 45: Dfsgw Delete

    dfsgw delete Purpose Removes an entry from the authentication table on the Gateway Server machine Synopsis dfsgw delete -id networkID:userID -af address_family Options -id networkID:userID Identifies an NFS client and the user whose authentication to DCE from that client is to be canceled. Specify either the network address or the hostname of the NFS client.
  • Page 46 NFS client that has network address 15.27.32.40. The command is issued by the user ludwig, who has UID 7439. dfsgw del -id 15.27.32.40:7439 Related Information Commands: dfsgw_add(8dfs) dfsgw_list(8dfs) dfsgw_query(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 47: Dfsgw Help

    dfsgw help Purpose Shows syntax of specified dfsgw commands or lists functional descriptions of all dfsgw commands Synopsis dfsgw help -topic string Options -topic string Specifies each command whose syntax is to be displayed. Provide only the second part of the command name (for example, list, not dfsgw list).
  • Page 48 Related Information Commands: dfsgw apropos(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 49: Dfsgw List

    dfsgw list Purpose Lists all entries in the authentication table on the Gateway Server machine Synopsis dfsgw list -help Options Displays help information for this command. -help Description The dfsgw list command lists all entries from the local authentication table, which indicate which users on NFS clients have DCE credentials.
  • Page 50 DFS to the user ludwig from the NFS client named nfs1.abc.com. The PAG associated with the user is 41ffffe4; the user’s DCE credentials expire at 5:59 a.m. on 17 Nov 1999. dfsgw list Related Information Commands: dfsgw_add(8dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 51 dfsgw_delete(8dfs) dfsgw_query(8dfs) Chapter 5. Configuration File and Command Reference...
  • Page 52: Dfsgw Query

    The dfsgw query command returns an exit value of entry for the specified user in the authentication table. Otherwise, it returns a nonzero exit value. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference -help (zero) if it finds an...
  • Page 53 Privilege Required The issuer must be logged into the Gateway Server machine either as the user whose entry in the authentication table is to be examined or as the local superuser root. Output The dfsgw query command displays the following line of output if the specified user has an entry for the specified NFS client in the authentication table: where PAG identifies the Process Activation Group (PAG) that exists for the...
  • Page 54: Dfsgwd

    Specifies the system name for this Gateway Server. The dfsgwd process can handle NFS clients that do not recognize the @sys and @host variables, using a system name of unknown. (See the IBM DFS for AIX and Solaris Administration Guide for more information on the @sys and @host variables.) This name can be set by starting the...
  • Page 55 Description The dfsgwd command initializes the Gateway Server process. The dfsgwd process runs on machines configured as DFS clients to enable remote authentication via the dfs_login command. The dfsgwd process works with the dfs_login command to obtain DCE credentials for users of NFS clients. The DCE credentials provide users with authenticated access to data in DFS.
  • Page 56 The default log file for the dfsgwd process. You can use the -file option to specify a different pathname for the log file. Related Information Commands: bos getlog(8dfs) bosserver(8dfs) dfsgw(8dfs) Files: DfsgwLog(4dfs) DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 57: Index

    33 delete 2, 19, 21, 31, 35 help 37 list 22, 39, 42 query 22, 42 © Copyright IBM Corp. 1989, 1999 dfsgwd process 1, 7, 19, 21, 26, 44 DfsgwLog file 26 Gateway Server authenticating to DCE 21 configuring 5...
  • Page 58 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 59: Notices

    Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead.
  • Page 60 Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk. IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
  • Page 61: Trademarks

    All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices show are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.
  • Page 62 UNIX is a registered trademark in the United States, other countries or both and is licensed exclusively through X/Open Company Limited. Other company, product, and service names may be trademarks or service marks of others. DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference...
  • Page 63: Readers' Comments - We'd Like To Hear From You

    Please tell us how we can improve this book: Thank you for your responses. May we contact you? When you send comments to IBM, you grant IBM a nonexclusive right to use or distribute your comments in any way it believes appropriate without incurring any obligation to you.
  • Page 64 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 40 ARMONK, NEW YORK POSTAGE WILL BE PAID BY ADDRESSEE IBM Corporation ATTN: File Systems Documentation Group 11 Stanwix Street Pittsburgh, PA...
  • Page 66 Program Number: Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber.
  • Page 67 NFS/DFS Secure Gateway Guide and Reference DFS for Solaris Version 3.1 GC09-3993-00...

This manual is also suitable for:

DfsNfs