IBM NFS/DFS Secure Gateway User Manual


A proper user manual

The regulations oblige the seller to hand over the IBM NFS/DFS Secure Gateway user manual to the buyer together with the goods. A missing manual or incorrect information given to the consumer is grounds for a complaint on the basis of the device's non-conformity with the contract. The law permits supplying the manual in a form other than paper, which has recently been done very often, by including a graphical or electronic manual for IBM NFS/DFS Secure Gateway as well as instructional videos for users. The condition is that its form is legible and understandable.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the IBM NFS/DFS Secure Gateway manual contains a description of the stages of the procedures. The purpose of the manual is to instruct and to simplify starting up and using the device or carrying out particular tasks. The manual is a collection of information about an item or a service, a guide.

Unfortunately, few users take the time to read the IBM NFS/DFS Secure Gateway user manual. A good user manual not only lets you get to know a number of additional functions of the purchased device, but also helps you avoid many mistakes.

So what should an ideal user manual contain?

The IBM NFS/DFS Secure Gateway user manual should contain above all the following:
- Information about the technical data of the IBM NFS/DFS Secure Gateway device
- The name of the manufacturer and the year of manufacture of the IBM NFS/DFS Secure Gateway device
- Principles for operating, adjusting and maintaining the IBM NFS/DFS Secure Gateway device
- Safety marks and certificates that confirm conformity with the relevant standards

Why don't we read user manuals?

The reason is a lack of time and confidence about the particular functions of the purchased devices. Unfortunately, connecting and starting IBM NFS/DFS Secure Gateway is not enough. A manual contains a number of tips on particular functions, safety principles, maintenance methods (even which products to use), possible faults of IBM NFS/DFS Secure Gateway and ways of solving problems that may arise during use. Finally, the user manual gives the contact number for IBM service in case the suggested solutions do not work. Manuals in the form of engaging animations or video tutorials are currently gaining popularity, as they appeal to the user more than a brochure does. This kind of manual ensures that the user watches the whole video without skipping the detailed and complicated technical descriptions of IBM NFS/DFS Secure Gateway, as happens with the paper form.

Why should you read user manuals?

In the user manual we find, above all, answers about the construction and capabilities of the IBM NFS/DFS Secure Gateway device, about the use of particular accessories, and a range of information that allows us to use all of its functions and conveniences.

After a successful purchase, you should take some time to get to know every part of the IBM NFS/DFS Secure Gateway manual. Nowadays they are carefully prepared or translated so that they are not only understandable to users but also fulfil their basic function of helping and informing.

Table of contents of the user manuals

  • Page 1

    DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 GC09-3993-00 [...]

  • Page 2

    [...]

  • Page 3

    DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 GC09-3993-00 [...]

  • Page 4

    Note: Before using this information and the product it supports, be sure to read the general information under “Notices” on page 49. First Edition (April 2000) This edition applies to: DFS for Solaris, Version 3.1 and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM r[...]

  • Page 5

    Contents
    Preface v
    Audience v
    Applicability v
    Purpose v
    Document Organization v
    Related Documents vi
    Typographic and Keying Conventions vi
    Chapter 1. Overview of the NFS/DFS Secure Gateway 1
    Chapter 2. Configuring Gateway Server Machines 5
    Con ?[...]

  • Page 6

    iv DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 7

    Preface: The IBM DFS for Solaris NFS/DFS Secure Gateway Guide and Reference contains guide and reference information about the NFS/DFS Secure Gateway for Solaris, which provides authenticated access to the DFS filespace to clients of the Network File System (NFS) by associating an NFS request with an authenticated DCE principal. Audience: This gu[...]

  • Page 8

    Related Documents: For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents:
    - IBM Distributed Computing Environment for Solaris: Quick Beginnings
    - IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Introduction
    - IBM Distributed Computing Environment fo[...]

  • Page 9

    <Ctrl-x> or |x: The notation <Ctrl-x> or |x followed by the name of a key indicates a control character sequence. For example, <Ctrl-C> means that you hold down the control key while pressing <C>. <Return>: The notation <Return> refers to the key on your terminal or workstation that is labeled with the word[...]

  • Page 10

    viii DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 11

    Chapter 1. Overview of the NFS/DFS Secure Gateway: The Network File System (NFS) to DFS Secure Gateway provides a mechanism for granting authenticated access to the DFS filespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS filespace from a machine that is configured as an NFS client but not as a DC[...]

  • Page 12

    on the Gateway Server machines, installing the vendor-provided dfs_login and dfs_logout commands on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwo[...]

  • Page 13

    Before establishing a new mapping between a remote user and DCE principal, the existing mapping must be deleted. A user who wants to end an authenticated session to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or the dfsgw delete command from the Gateway Serv[...]

  • Page 14

    4 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 15

    Chapter 2. Configuring Gateway Server Machines: A Gateway Server machine provides authenticated access to the DFS filespace to users on NFS clients. You can configure any machine that is configured as a DFS client and an NFS server as a Gateway Server. Following successful configuration, the machine provides authenticated access to [...]

  • Page 16

    Before configuring a Gateway Server machine, you must do the following:
    - Configure a DCE cell that includes DFS.
    - Configure each machine that is to become a Gateway Server as a DFS client and an NFS server.
    - Ensure proper synchronization among the system clocks on machines that are to become Gateway Servers, machines configured as[...]

  • Page 17

    Configuring a Gateway Server and Enabling Remote Authentication: Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; they authenticate from an NFS client by issu[...]

  • Page 18

    $ dcecp
    dcecp> principal create hosts/hostname/dfs-server
    dcecp> account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin -org none -password password -mypwd password
    3. Grant the group subsys/dce/dfs-admin the appropriate permissions on the ACL for the hosts/hostname/dfs-server principal in the registry database:
    dcecp>[...]

  • Page 19

    Configuring the Gateway Server Process: To configure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be configured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local machine. Note: You need to perform[...]

  • Page 20

    - The m, a, u, and g permissions on the principal hosts/hostname/dfsgw-server. The principal is created during the configuration steps.
    - The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
    - The R, t, and M permissions on the organization none.
    - The r permission on the[...]

  • Page 21

    13. Create a simple BOS Server process named dfsgw to run the dfsgwd server process:
    $ dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw -type simple -cmd dcelocal/bin/dfsgwd
    The Gateway Server process is now fully configured on the machine. Chapter 2. Configuring Gateway Server Machines 11[...]

  • Page 22

    12 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 23

    Chapter 3. Configuring NFS Clients to Access DFS: After you have configured at least one Gateway Server machine according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5, you can configure your NFS clients to provide access to the DFS filespace. Users who have DCE accounts can then authenticate[...]

  • Page 24

    Configuring a Client Without Enabling Remote Authentication: If you configured your Gateway Server machines so that users cannot issue the dfs_login command to authenticate to DCE, perform the steps in this section to configure your NFS clients. The steps enable DFS access from an NFS client without enabling DCE authentication from the cli[...]

  • Page 25

    Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available from your NFS vendor. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and d[...]

  • Page 26

    .DEF.COM abc.com
    6. If you use the /etc/services file in your environment, add the following entry for the dfsgw service to the /etc/services file on the machine:
    dfsgw 438/udp dlog
    where dfsgw is the name of the service, 438 is the port at which the service receives RPCs, udp is the protocol the service uses to communicate, and dlog is an ali[...]

  • Page 27

    Chapter 4. Accessing DFS from an NFS Client: After a Gateway Server machine and one or more NFS clients are configured according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5 and “Chapter 3. Configuring NFS Clients to Access DFS” on page 13, users of the NFS clients can access data in the DF[...]

  • Page 28

    When an unauthenticated user creates an object, the object is owned by the user nobody and the group nogroup. The UID of the user nobody is -2, and the GID of the group nogroup is also -2. (Identities and ID numbers of an unauthenticated user and group can vary between systems; see your vendor’s documentation for more information.) Unauthent[...]

  • Page 29

    The dfsgw add command can be used to refresh DCE credentials. If they are not refreshed, DCE credentials (tickets) expire after the lifetime specified by the DCE Security Service. After they expire, the tickets can no longer be used for authenticated access. To end an authenticated session before the ticket lifetime has passed, you can issu[...]

  • Page 30

    given for the dfs_login and dfs_logout commands can only be performed if your NFS vendor provides these commands. If these commands are not available, use the instructions for the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout comm[...]

  • Page 31

    To end the authenticated session before the DCE credentials expire, issue the dfs_logout command from the NFS client. The command removes the user’s entry from the authentication table on the Gateway Server machine. The command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is lo[...]

  • Page 32

    provides the same functionality from a Gateway Server machine that the dfs_logout command provides from an NFS client. The dfsgw delete command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the Gateway Server machine as the local superuser root. The command has no ef [...]

  • Page 33

    who has DFS access, and the date and time at which each user’s DCE credentials expire. See the reference page for the dfsgw list command for more information about the command. Chapter 4. Accessing DFS from an NFS Client 23[...]

  • Page 34

    24 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 35

    Chapter 5. Configuration File and Command Reference: This chapter contains configuration file and command reference information for the NFS/DFS Secure Gateway. © Copyright IBM Corp. 1989, 1999 25[...]

  • Page 36

    DfsgwLog
    Purpose: Log file that contains messages generated by the Gateway Server process of the NFS/DFS Secure Gateway
    Description: The DfsgwLog file contains messages generated by the Gateway Server (dfsgwd) process. The Gateway Server process runs on machines configured as DFS clients to allow users to authenticate to DCE from NFS client[...]

  • Page 37

    dfsgw
    Purpose: Introduction to the dfsgw command suite used with the NFS/DFS Secure Gateway
    Options: The following options are used with many dfsgw commands. They are also described with the commands that use them.
    -id networkID:userID Identifies an NFS client and the user whose DCE authentication from that client is to be manipulated. Specify e[...]

  • Page 38

    dfsgw list: Displays a list of users who are authenticated to DCE via the Gateway Server machine.
    dfsgw query: Determines whether a specific user is authenticated to DCE via the Gateway Server machine. The command determines the user’s entry in the authentication table, if it exists.
    Commands in the dfsgw command suite provide a local administ[...]

  • Page 39

    Related Information
    Commands: dfsgw_add(8dfs) dfsgw_apropos(8dfs) dfsgw_delete(8dfs) dfsgw_help(8dfs) dfsgw_list(8dfs) dfsgw_query(8dfs) dfs_intro(8dfs)
    Chapter 5. Configuration File and Command Reference 29[...]

  • Page 40

    dfsgw add
    Purpose: Adds an entry to the authentication table on the Gateway Server machine
    Synopsis: dfsgw add -id networkID:userID [-dceid login_name[:password]] [-sysname sysname] [-remotehost name] [-af address_family] [-help]
    Options:
    -id networkID:userID Identifies an NFS client and the user who is to be authenticated to DCE from that[...]

  • Page 41

    Description: The dfsgw add command authenticates a user to DCE. The command contacts the DCE Security Service to obtain a TGT for the user. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group[...]

  • Page 42

    Output: The dfsgw add command displays the following prompts to request a DCE principal and password:
    Enter Principal Name: principal
    Enter Password: password
    where principal is the name of the user to be authenticated to DCE, and password is the password of the named user; you supply both of these values. The command prompts for the principal name[...]

  • Page 43

    dfsgw apropos
    Purpose: Displays the help entry for each dfsgw command that contains a specified string
    Synopsis: dfsgw apropos -topic string [-help]
    Options:
    -topic string Specifies the keyword string for which to search. If it is more than a single word, surround the string with double quotes ("") or other delimiters. Type all string[...]

  • Page 44

    Related Information
    Commands: dfsgw help(8dfs)
    34 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 45

    dfsgw delete
    Purpose: Removes an entry from the authentication table on the Gateway Server machine
    Synopsis: dfsgw delete -id networkID:userID [-af address_family] [-help]
    Options:
    -id networkID:userID Identifies an NFS client and the user whose authentication to DCE from that client is to be canceled. Specify either the network address or the [...]

  • Page 46

    Privilege Required: The issuer must be logged into the Gateway Server machine either as the user whose entry is to be removed from the authentication table or as the local superuser root.
    Examples: The following command deletes the entry from the authentication table that grants authenticated access to the user named ludwig from the NFS client that[...]

  • Page 47

    dfsgw help
    Purpose: Shows syntax of specified dfsgw commands or lists functional descriptions of all dfsgw commands
    Synopsis: dfsgw help [-topic string] [-help]
    Options:
    -topic string Specifies each command whose syntax is to be displayed. Provide only the second part of the command name (for example, list, not dfsgw list). If this option i[...]

  • Page 48

    dfsgw list: list all entries in the AT
    Usage: dfsgw list [-help]
    Related Information
    Commands: dfsgw apropos(8dfs)
    38 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 49

    dfsgw list
    Purpose: Lists all entries in the authentication table on the Gateway Server machine
    Synopsis: dfsgw list [-help]
    Options:
    -help Displays help information for this command.
    Description: The dfsgw list command lists all entries from the local authentication table, which indicate which users on NFS clients have DCE credentials. Because each [...]

  • Page 50

    hostname: Names the NFS client for which the entry grants authenticated access to DFS
    principal: Displays the principal name of the user to whom the entry grants authenticated access
    PAG: Identifies the Process Activation Group (PAG) that exists for the hostname/principal pair
    date/time: Specifies the date and time at which the DCE credentia[...]

  • Page 51

    dfsgw_delete(8dfs) dfsgw_query(8dfs)
    Chapter 5. Configuration File and Command Reference 41[...]

  • Page 52

    dfsgw query
    Purpose: Queries the authentication table on the Gateway Server machine
    Synopsis: dfsgw query -id networkID:userID [-af address_family] [-help]
    Options:
    -id networkID:userID Identifies an NFS client and the user whose authentication from the client is to be determined. Specify either the network address or the hostname of the NFS cli[...]

  • Page 53

    Privilege Required: The issuer must be logged into the Gateway Server machine either as the user whose entry in the authentication table is to be examined or as the local superuser root.
    Output: The dfsgw query command displays the following line of output if the specified user has an entry for the specified NFS client in the authentication ta[...]

  • Page 54

    dfsgwd
    Purpose: Initializes the Gateway Server process for the NFS/DFS Secure Gateway
    Synopsis: dfsgwd [-service service_number] [-sysname sysname] [-nodomains] [-file log_file] [-verbose] [-help]
    Options:
    -service service_number Specifies the port number to be used to communicate with the dfsgwd process on the Gateway Server machine. By d[...]

  • Page 55

    Description: The dfsgwd command initializes the Gateway Server process. The dfsgwd process runs on machines configured as DFS clients to enable remote authentication via the dfs_login command. The dfsgwd process works with the dfs_login command to obtain DCE credentials for users of NFS clients. The DCE credentials provide users with authentica[...]

  • Page 56

    Privileges Required: The issuer must be the local superuser root on the local machine.
    Files: dcelocal/var/dfs/adm/DfsgwLog The default log file for the dfsgwd process. You can use the -file option to specify a different pathname for the log file.
    Related Information
    Commands: bos getlog(8dfs) bosserver(8dfs) dfsgw(8dfs)
    Files: DfsgwLog(4df[...]

  • Page 57

    Index Special Characters @sys and @host variables 44, 45 A ACL permissions 7, 9 authenticating to DCE determining whether a specific user is authenticated 22 displaying information about all authenticated users 22 local 1 remote 1 B BOS Server 9 bosserver process 8 configuring 7 BosConfig file 8 C commands dcecp 7, 10 dfs_login 1, 18, 19[...]

  • Page 58

    48 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 59

    Notices: First Edition (April 2000) This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference[...]

  • Page 60

    This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any r[...]

  • Page 61

    All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information is for planning purposes only. Th[...]

  • Page 62

    UNIX is a registered trademark in the United States, other countries or both and is licensed exclusively through X/Open Company Limited. Other company, product, and service names may be trademarks or service marks of others. 52 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference[...]

  • Page 63

    Readers’ Comments — We’d Like to Hear from You. DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 Publication No. GC09-3993-00 Overall, how satisfied are you with the information in this book? Very Satisfied, Satisfied, Neutral, Dissatisfied, Very Dissatisfied. Overall satisfaction. How satisfied a[...]

  • Page 64

    Readers’ Comments — We’d Like to Hear from You. GC09-3993-00 Cut or Fold Along Line. Fold and Tape. Please do not staple. NO POSTAGE NECESSARY IF MAILED IN THE UNITED STATES. BUSINESS REPLY MAIL FIRST-CLASS MAIL PERMIT NO. 4[...]

  • Page 65

    [...]

  • Page 66

    Program Number: Printed in the United States of America on recycled paper containing 10% recovered post-consumer fiber. GC09-3993-00[...]

  • Page 67

    Spine information: DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1 GC09-3993-00[...]