IBM NFS/DFS Secure Gateway, Reference Manual

Page 1: ...DFS for Solaris NFS DFS Secure Gateway Guide and Reference V ersion 3 1 GC09 3993 00...

Page 2: ......

Page 3: ...DFS for Solaris NFS DFS Secure Gateway Guide and Reference V ersion 3 1 GC09 3993 00...

Page 4: ...and to all subsequent releases and modifications until otherwise indicated in new editions Order publications through your IBM representative or through the IBM branch office serving your locality Co...

Page 5: ...out Enabling Remote Authentication 14 Configuring a Client and Enabling Remote Authentication 14 Chapter 4 Accessing DFS from an NFS Client 17 Unauthenticated Access to DFS 17 Authenticated Access to...

Page 6: ...iv DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 7: ...ng knowledge of DCE and its requirements Applicability This revision applies to IBM DFS for Solaris Version 3 1 See your software license for details Purpose The purpose of this book is to provide inf...

Page 8: ...g typographic conventions Bold Bold words or characters represent system elements that you must use literally such as commands options and pathnames Italic Italic words or characters represent variabl...

Page 9: ...dicates a control character sequence For example Ctrl C means that you hold down the control key while pressing C Return The notation Return refers to the key on your terminal or workstation that is l...

Page 10: ...viii DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 11: ...oth Local and remote authentication work as follows v Local authentication to DCE from Gateway Server machines is provided via the dfsgw add command With local authentication you can enable users to i...

Page 12: ...way Server machine an association is created between the UNIX user identification number UID of the user and the network address of the NFS client from which DFS access is desired A mapping is then cr...

Page 13: ...end the authenticated session regardless of which command was used to obtain the credentials Because the authentication table resides in memory all authenticated sessions are terminated if the Gateway...

Page 14: ...4 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 15: ...sue the dfs_login command to authenticate to DCE This configuration allows system administrators to manage all DCE authentication from the Gateway Server machines You can allow users to issue the dfsg...

Page 16: ...on the machine The dfsgw command suite provides a local interface to the authentication table maintained on the Gateway Server machine Commands in the dfsgw suite can be used to add delete and view m...

Page 17: ...See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server Configuring the BOS Server Process To configure the BOS Server process bosserver perform the followin...

Page 18: ...tname dfs server key password dcecp keytab add self member hosts hostname dfs server random registry dcecp exit 6 Remove the BosConfig file and any administrative lists that possibly exist from a prev...

Page 19: ...ver machine 4 Add the dfsgw service to the Internet services database The dfsgw service provides the login facility for the NFS DFS Secure Gateway To add the service do one of the following v If you u...

Page 20: ...te hosts hostname dfsgw server dcecp account create hosts hostname dfsgw server group subsys dce dfsgw admin org none password password mypwd password dcecp exit 9 Use the su command to become the loc...

Page 21: ...gw to run the dfsgwd server process dcelocal bin bos create server hosts hostname process dfsgw type simple cmd dcelocal bin dfsgwd The Gateway Server process is now fully configured on the machine Ch...

Page 22: ...12 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 23: ...he instructions in Configuring a Client Without Enabling Remote Authentication on page 14 v If you configured your Gateway Servers so that users can issue the dfs_login command to authenticate to DCE...

Page 24: ...s In the command cellname is the name of the DCE cell to be accessed from the NFS client the cell in which the machine that exports is configured as a DFS client ln s cellname fs 4 Verify that the NFS...

Page 25: ...thenticating to DCE from an NFS Client on page 19 for information about using this command The dfs_login and dfs_logout commands use version 5 of Kerberos to communicate with the DCE Security Service...

Page 26: ...alias for the dfsgw service If you use an NIS services map in your environment you added an entry to the services map file when you configured the first Gateway Server process You do not need to add...

Page 27: ...ed from File Server machines When accessing DFS data from an NFS client NFS background I O daemons cache local copies of files accessed via the NFS server The caching of information by the NFS daemons...

Page 28: ...ssue the dfs_login command See Authenticating to DCE from an NFS Client on page 19 for more information v From a Gateway Server machine issue the dfsgw add command See Authenticating to DCE from a Gat...

Page 29: ...DCE credentials before they expire use the dfsgw add command which refreshes the ticket lifetime of your existing TGT to obtain new credentials then use the dfs_login or dfsgw add command to replace y...

Page 30: ...fault the ticket is assigned the DCE cell s default lifetime dce_principal Specifies the DCE principal name of the user for whom to obtain a ticket By default the command uses the name of the issuer o...

Page 31: ...e issuer of the command dfs_logout Authenticating to DCE from a Gateway Server Machine The dfsgw add command authenticates a user to DCE from a Gateway Server machine Users can use the dfsgw add comma...

Page 32: ...ent includes multiple Gateway Server machines you must issue the command on the Gateway Server machine whose authentication table is to be examined The command displays information about a user s entr...

Page 33: ...S access and the date and time at which each user s DCE credentials expire See the reference page for the dfsgw list command for more information about the command Chapter 4 Accessing DFS from an NFS...

Page 34: ...24 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 35: ...Chapter 5 Configuration File and Command Reference This chapter contains configuration file and command reference information for the NFS DFS Secure Gateway Copyright IBM Corp 1989 1999 25...

Page 36: ...DfsgwLog old file in the same directory overwriting the current DfsgwLog old file if it exists before creating a new version to which to append messages The process can write different types of outpu...

Page 37: ...currently supported inet Internet help Displays the online help for the command All other valid options specified with this option are ignored Description The dfsgw command suite provides commands to...

Page 38: ...ands The following examples summarize the syntax for the different help options dfsgw help Displays a list of commands in a command suite dfsgw help command Displays the syntax for a single command df...

Page 39: ...Related Information Commands dfsgw_add 8dfs dfsgw_apropos 8dfs dfsgw_delete 8dfs dfsgw_help 8dfs dfsgw_list 8dfs dfsgw_query 8dfs dfs_intro 8dfs Chapter 5 Configuration File and Command Reference 29...

Page 40: ...ecify a principal name and password the command prompts for them only if you do not already have a valid ticket granting ticket TGT in the current login context If you omit only your password the comm...

Page 41: ...thentication table Otherwise it returns a nonzero exit value DCE credentials obtained with the command are valid for the default ticket lifetime in effect in the registry database of the DCE cell DCE...

Page 42: ...alid TGT If it succeeds in creating the entry in the authentication table the command displays the following Mapping added successfully PAG is PAG where PAG identifies the PAG created with the command...

Page 43: ...r any dfsgw command that contains the string specified by the topic option in its name or short description To display the syntax for a command use the dfsgw help command Privilege Required No privile...

Page 44: ...Related Information Commands dfsgw help 8dfs 34 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 45: ...options specified with this option are ignored Description The dfsgw delete command cancels a user s authenticated access to DFS The command removes the entry for the specified user and NFS client fr...

Page 46: ...owing command deletes the entry from the authentication table that grants authenticated access to the user named ludwig from the NFS client that has network address 15 27 32 40 The command is issued b...

Page 47: ...irst line name and short description of the online help entry for every dfsgw command if the topic option is not provided For each command name specified with the topic option the output lists the ent...

Page 48: ...dfsgw list list all entries in the AT Usage dfsgw list help Related Information Commands dfsgw apropos 8dfs 38 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 49: ...that the dfsgw list command provides some additional information not displayed by the dfsgw query command For example it displays the hostname of the NFS client for which the DCE credentials are grant...

Page 50: ...s no entries No mappings exist Examples The following command displays the current entries from the authentication table on the local Gateway Server machine The first entry grants secure access to DFS...

Page 51: ...dfsgw_delete 8dfs dfsgw_query 8dfs Chapter 5 Configuration File and Command Reference 41...

Page 52: ...ption The dfsgw query command checks the local authentication table to determine whether the user has an entry for the NFS client Because each Gateway Server machine maintains its own authentication t...

Page 53: ...entry for the NFS client in the authentication table the dfsgw query command displays the following line of output instead No mapping found Examples The following command determines whether the authe...

Page 54: ...host variables This name can be set by starting the dfsgwd process with the sysname option The sysname argument is a unique name derived from the uname function that describes the machine architecture...

Page 55: ...the authentication table on a machine configured as a Gateway Server The Gateway Server process recognizes the sys and host variables on the NFS client system This allows the Gateway Server to resolve...

Page 56: ...al var dfs adm DfsgwLog The default log file for the dfsgwd process You can use the file option to specify a different pathname for the log file Related Information Commands bos getlog 8dfs bosserver...

Page 57: ...6 19 27 receiving help 28 dfsgw commands add 1 2 5 6 7 14 18 19 21 30 35 apropos 33 delete 2 19 21 31 35 help 37 list 22 39 42 query 22 42 dfsgwd process 1 7 19 21 26 44 DfsgwLog file 26 G Gateway Se...

Page 58: ...48 DFS for Solaris NFS DFS Secure Gateway Guide and Reference...

Page 59: ...e furnishing of this document does not give you any license to these patents You can send license inquiries in writing to IBM Director of Licensing IBM Corporation North Castle Drive Armonk NY 10504 1...

Page 60: ...U S A Such information may be available subject to appropriate terms and conditions including in some cases payment of a fee The licensed program described in this document and all licensed material...

Page 61: ...used by an actual business enterprise is entirely coincidental If you are viewing this information softcopy the photographs and color illustrations may not appear Trademarks The following terms are tr...

Page 62: ...ted States other countries or both and is licensed exclusively through X Open Company Limited Other company product and service names may be trademarks or service marks of others 52 DFS for Solaris NF...

Page 63: ...his book is Very Satisfied Satisfied Neutral Dissatisfied Very Dissatisfied Accurate h h h h h Complete h h h h h Easy to find h h h h h Easy to understand h h h h h Well organized h h h h h Applicabl...

Page 64: ...ESSEE IBM Corporation ATTN File Systems Documentation Group 11 Stanwix Street Pittsburgh PA 15222 1312 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _...

Page 65: ......

Page 66: ...Program Number Printed in the United States of America on recycled paper containing 10 recovered post consumer fiber GC09 3993 00...

Page 67: ...Spine information DFS for Solaris NFS DFS Secure Gateway Guide and Reference Version 3 1 GC09 3993 00...