DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 GC09-3993-00
Contents
Preface v
  Audience v
  Applicability v
  Purpose v
  Document Organization v
  Related Documents vi
  Typographic and Keying Conventions vi
Chapter 1. Overview of th...
Preface
The IBM DFS for Solaris NFS/DFS Secure Gateway Guide and Reference contains guide and reference information about the NFS/DFS Secure Gateway for Solaris, which provides authenticated access to the DFS filespace to clients of the Network File System (NFS) by associating an NFS request with an aut...
Related Documents
For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents:
- IBM Distributed Computing Environment for Solaris: Quick Beginnings
- IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Introduc...
<Ctrl-x> or | x
The notation <Ctrl-x> or | x followed by the name of a key indicates a control character sequence. For example, <Ctrl-C> means that you hold down the control key while pressing <C>.
<Return>
The notation <Return> refers to the key on your terminal...
Chapter 1. Overview of the NFS/DFS Secure Gateway
The Network File System (NFS) to DFS Secure Gateway provides a mechanism for granting authenticated access to the DFS filespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS filespace from a machine that is confi...
on the Gateway Server machines, installing the vendor-provided dfs_login and dfs_logout commands on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no adm...
Before establishing a new mapping between a remote user and DCE principal, the existing mapping must be deleted. A user who wants to end an authenticated session to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or th...
Chapter 2. Configuring Gateway Server Machines
A Gateway Server machine provides authenticated access to the DFS filespace to users on NFS clients. You can configure any machine that is configured as a DFS client and an NFS server as a Gateway Server. Following successful configuration, the machine pro...
Before configuring a Gateway Server machine, you must do the following:
- Configure a DCE cell that includes DFS.
- Configure each machine that is to become a Gateway Server as a DFS client and an NFS server.
- Ensure proper synchronization among the system clocks on machines that are to become Gatewa...
Configuring a Gateway Server and Enabling Remote Authentication
Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; t...
$ dcecp
dcecp> principal create hosts/hostname/dfs-server
dcecp> account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin -org none -password password -mypwd password
3. Grant the group subsys/dce/dfs-admin the appropriate permissions on the ACL for the hosts/hostname/dfs-server ...
Configuring the Gateway Server Process
To configure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be configured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local ma...
- The m, a, u, and g permissions on the principal hosts/hostname/dfsgw-server. The principal is created during the configuration steps.
- The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
- The R, t, and M permissions on the organization...
13. Create a simple BOS Server process named dfsgw to run the dfsgwd server process:
$ dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw -type simple -cmd dcelocal/bin/dfsgwd
The Gateway Server process is now fully configured on the machine.
Chapter 3. Configuring NFS Clients to Access DFS
After you have configured at least one Gateway Server machine according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5, you can configure your NFS clients to provide access to the DFS filespace. Users who have DCE accou...
Configuring a Client Without Enabling Remote Authentication
If you configured your Gateway Server machines so that users cannot issue the dfs_login command to authenticate to DCE, perform the steps in this section to configure your NFS clients. The steps enable DFS access from an NFS client without ena...
Chapter 4. Accessing DFS from an NFS Client
After a Gateway Server machine and one or more NFS clients are configured according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5 and “Chapter 3. Configuring NFS Clients to Access DFS” on page 13, users of the NFS clients ...
When an unauthenticated user creates an object, the object is owned by the user nobody and the group nogroup. The UID of the user nobody is -2, and the GID of the group nogroup is also -2. (Identities and ID numbers of an unauthenticated user and group can vary between systems; see your vendor’s documen...
The dfsgw add command can be used to refresh DCE credentials. If they are not refreshed, DCE credentials (tickets) expire after the lifetime specified by the DCE Security Service. After they expire, the tickets can no longer be used for authenticated access. To end an authenticated session before the t...
given for the dfs_login and dfs_logout commands can only be performed if your NFS vendor provides these commands. If these commands are not available, use the instructions for the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availabilit...
To end the authenticated session before the DCE credentials expire, issue the dfs_logout command from the NFS client. The command removes the user’s entry from the authentication table on the Gateway Server machine. The command can be issued either by the user whose entry is to be removed from the auth...
provides the same functionality from a Gateway Server machine that the dfs_logout command provides from an NFS client. The dfsgw delete command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the Gateway Server machine as the l...
Chapter 5. Configuration File and Command Reference
This chapter contains configuration file and command reference information for the NFS/DFS Secure Gateway.
© Copyright IBM Corp. 1989, 1999
dfsgw
Purpose
Introduction to the dfsgw command suite used with the NFS/DFS Secure Gateway
Options
The following options are used with many dfsgw commands. They are also described with the commands that use them.
-id networkID:userID
Identifies an NFS client and the user whose DCE authentication from t...
dfsgw list
Displays a list of users who are authenticated to DCE via the Gateway Server machine.
dfsgw query
Determines whether a specific user is authenticated to DCE via the Gateway Server machine. The command determines the user’s entry in the authentication table, if it exists.
Commands in the dfsg...
Related Information
Commands: dfsgw_add(8dfs), dfsgw_apropos(8dfs), dfsgw_delete(8dfs), dfsgw_help(8dfs), dfsgw_list(8dfs), dfsgw_query(8dfs), dfs_intro(8dfs)
dfsgw add
Purpose
Adds an entry to the authentication table on the Gateway Server machine
Synopsis
dfsgw add -id networkID:userID [-dceid login_name[:password]] [-sysname sysname] [-remotehost name] [-af address_family] [-help]
Options
-id networkID:userID
Identifies an NFS client and the ...
Description
The dfsgw add command authenticates a user to DCE. The command contacts the DCE Security Service to obtain a TGT for the user. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user. The login ...
Output
The dfsgw add command displays the following prompts to request a DCE principal and password:
Enter Principal Name: principal
Enter Password: password
where principal is the name of the user to be authenticated to DCE, and password is the password of the named user; you supply both of these val...
dfsgw apropos
Purpose
Displays the help entry for each dfsgw command that contains a specified string
Synopsis
dfsgw apropos -topic string [-help]
Options
-topic string
Specifies the keyword string for which to search. If it is more than a single word, surround the string with double quotes (" ") ...
dfsgw delete
Purpose
Removes an entry from the authentication table on the Gateway Server machine
Synopsis
dfsgw delete -id networkID:userID [-af address_family] [-help]
Options
-id networkID:userID
Identifies an NFS client and the user whose authentication to DCE from that client is to be cancele...
dfsgw help
Purpose
Shows syntax of specified dfsgw commands or lists functional descriptions of all dfsgw commands
Synopsis
dfsgw help [-topic string] [-help]
Options
-topic string
Specifies each command whose syntax is to be displayed. Provide only the second part of the command name (for example...
dfsgw list
Purpose
Lists all entries in the authentication table on the Gateway Server machine
Synopsis
dfsgw list [-help]
Options
-help
Displays help information for this command.
Description
The dfsgw list command lists all entries from the local authentication table, which indicate which users o...
dfsgw query
Purpose
Queries the authentication table on the Gateway Server machine
Synopsis
dfsgw query -id networkID:userID [-af address_family] [-help]
Options
-id networkID:userID
Identifies an NFS client and the user whose authentication from the client is to be determined. Specify either the...
dfsgwd
Purpose
Initializes the Gateway Server process for the NFS/DFS Secure Gateway
Synopsis
dfsgwd [-service service_number] [-sysname sysname] [-nodomains] [-file log_file] [-verbose] [-help]
Options
-service service_number
Specifies the port number to be used to communicate with the ...
Description
The dfsgwd command initializes the Gateway Server process. The dfsgwd process runs on machines configured as DFS clients to enable remote authentication via the dfs_login command. The dfsgwd process works with the dfs_login command to obtain DCE credentials for users of NFS clients. The DCE ...
Index
Special Characters
@sys and @host variables 44, 45
A
ACL permissions 7, 9
authenticating to DCE
  determining whether a specific user is authenticated 22
  displaying information about all authenticated users 22
  local 1
  remote 1
B
BOS Server 9
bosserver process 8
  configuring 7
BosConfig file 8
C
comm...
Notices
First Edition (April 2000)
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services curre...
All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information i...