Home » HP Manuals » Desktops » HP Visualize J5000 » Manual Viewer

HP Visualize J5000 hp enterprise file system: planning and configuring hp DCE/ - Page 141

stored as an entry in a local authentication table AT, which, like the PAG

Get HP Visualize J5000 - Workstation PDF manuals and user guides

Add to My Manuals
Save this manual to your list of manuals

Page 141 highlights

The DFS/NFS Secure Gateway Overview of the DFS/NFS Gateway • Remote authentication to DCE from NFS clients is provided via the dfs_login command. With remote authentication, you allow users to issue the dfs_login command to authenticate themselves. Remote authentication requires additional configuration, but it provides a less burdensome and more secure approach to authentication. Configuration consists of installing and configuring the Gateway Server (dfsgwd) process on the Gateway Server machines, installing the dfs_login command (and the dfs_logout command) on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwords are never sent in the clear. The dfsgw add and dfs_login commands both result in authenticated access to DFS from an NFS client. To provide a user with authenticated access, each command obtains a ticket-granting ticket (TGT) for the user from the DCE Security Service. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine. The PAG identifies the user's TGT; the TGT serves as the user's DCE credentials. On the Gateway Server machine, an association is created between the UNIX user identification number (UID) of the user and the network address of the NFS client from which DFS access is desired. A mapping is then created between this pair and the PAG created for the user. The mapping is stored as an entry in a local authentication table (AT), which, like the PAG, resides in the kernel of the machine. The mapping provides the user with authenticated access to DFS from the NFS client. Each mapping grants a user authenticated access only from the specific NFS client for which the mapping exists. For authenticated access from a different NFS client, a user must use the dfs add or dfs_login command to create a new mapping for that client. A user's DCE credentials are good only for the lifetime of the TGT. The ticket lifetime is dictated by the registry database of the DCE cell. By default, each ticket receives the default ticket lifetime in effect in the registry database. The dfs_login command different lifetime, but a requested lifetime is constrained by the policies in effect in the registry database. Once a user's TGT expires, the user must obtain new DCE credentials. 141

Section	Page
HP Enterprise File System	1
HP Part No. B6863-IE002-E0302	1
Edition 1	1
© Hewlett-Packard Company, 2002. All rights reserved.	1
Legal Notices	2
The information in this document is subject to change without notice.	2
Hewlett-Packard makes no warranty of any kind with regard to this document, including, but not li...	2
Warranty. A copy of the specific warranty terms applicable to your Hewlett- Packard product and r...	2
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to res...	2
HEWLETT-PACKARD COMPANY 3000 Hanover Street Palo Alto, California 94304 U.S.A.	2
Use of this document and the CD-ROM(s) supplied for this pack is restricted to this product only....	2
Copyright Notices. ©copyright 1983-2002 Hewlett-Packard Company, all rights reserved.	2
Reproduction, adaptation, or translation of this document without prior written permission is pro...	2
©copyright 1979, 1980, 1983, 1985-93 Regents of the University of California	2
This software is based in part on the Fourth Berkeley Software Distribution under license from th...	3
©copyright 1980, 1984, 1986 Novell, Inc. ©copyright 1986-1992 Sun Microsystems, Inc. ©copyright 1...	3
Trademark Notices UNIX is a registered trademark in the United States and other countries, licens...	3
X Window System is a trademark of the Massachusetts Institute of Technology.	3
MS-DOS and Microsoft are U.S. registered trademarks of Microsoft Corporation.	3
OSF/Motif is a trademark of the Open Software Foundation, Inc. in the U.S. and other countries.	3
About this document	9
1 About HP DCE/9000 Enhanced DFS	11
Overview of HP DCE/9000 Enhanced DFS Version 3.0	12
NOTE: For this version of Enhanced DFS 3.0, only the client is available.	12
Benefits	13
Features	14
Restriction of RPC Addresses	14
DCE/DFS TCL Configuration Functions	15
Global Variables	15
System Tuning Variables	15
Administration Tools for Enhanced DFS 3.0	16
NOTE: You can either run the efsstatus.dcp or sentinel command from the directory where that tool...	16
HP Enterprise File System Admin Web	17
Compatibility Information and Installation Requirements	18
Enhanced DFS 3.0 Interoperability	18
NIS and Integrated Login Interoperability	18
What Manuals are Available for This Version	19
2 Installing and Configuring Enhanced DFS 3.0	21
Planning for Enhanced DFS 3.0 Installation and Configuration	22
NOTE: Before you install and configure Enhanced DFS, be sure to make the planning decisions descr...	23
• Setting up your cell’s Enhanced DFS tree structure	23
Preparing to Administer DFS	24
Considerations for Enhanced DFS 3.0 Installation and Configuration	25
Before Installing and Configuring Enhanced DFS 3.0	27
To Install and Configure Enhanced DFS	28
NOTE: The execution of this command reboots your system when the installation is complete. It is ...	28
Enhanced DFS 3.0 Filesets	29
Migrating root.dfs from UFS to Episode	31
NOTE: This is a complete, but condensed procedure. For details about the files and commands used ...	31
1 Use the HP-UX Logical Volume Manager (LVM) to create the logical volume on which you want to st...	31
2 Add a line to the /var/opt/dce/dfs/dfstab file for the new Episode aggregate. For example:	31
3 Use the newaggr command to initialize an available disk partition (logical volume) as an Episod...	31
CAUTION: Executing the newaggr command will destroy all existing data on the specified logical vo...	31
NOTE: For this release of Enhanced DFS, HP recommends specifying a block size of 8192 and a fragm...	31
4 Use the dfsexport command to export the Episode aggregate so it is available for use in Enhance...	31
5 Use the dce_login command to become the administrator.	32
6 Use the fts create command to create a read/write fileset to be used as the new Episode root.dfs.	32
7 Use the fts lsheader command to make sure the Episode fileset is available on the server.	32
8 Use the fts lsfldb command to make sure the Episode fileset is in the FLDB.	32
9 Use the fts dump command to dump the original UFS root.dfs aggregate in bytestream format. Pipe...	32
10 Use fts rename to rename root.dfs to root.dfs.ufs.	32
11 Use fts rename to rename root.dfs.efs to root.dfs.	32
12 cd to /, then use the command cm checkfilesets to force the Cache Manager to update the filese...	32
13 Use the command fts lsquota /: to make sure the Episode root.dfs fileset is now mounted at /:.	32
14 Set up ACLs appropriately, including Initial Container Creation (IC) and Initial Object Creati...	33
15 Optionally use the command fts setquota /: to reset the root.dfs fileset quota. The default qu...	33
16 Use the command fts lsquota /: to view the result of the setquota command.	33
Replicating root.dfs Using “Cheap Replication”	34
NOTE: This is a complete, but condensed, procedure. For details about the files and commands used...	34
1 Use this command to create a read/write mountpoint for the root.dfs fileset:	34
NOTE: After you create the read/write mountpoint, the command ls -l /:/ will say that /:/.rw is n...	34
2 Use this command to check that the directory /:/.rw is a read/write mountpoint for the root.dfs...	34
3 Use this command to set the replication type of root.dfs to Release Replication:	34
4 Use the fts addsite command to create a cheap replication site for the root.dfs fileset; that i...	34
5 Use this command to make the replica:	34
6 Use this command to make sure that the replica (the read-only copy of root.dfs) is valid:	35
7 cd to /, then use this command to force the Cache Manager to update the fileset information:	35
8 Use this command to make sure the root.dfs.readonly fileset is now mounted at /::	35
9 Use this command to make sure /:/.rw is now valid:	35
NOTE: This command will say that /:/.rw/.rw is not found, even though it exists. This is normal b...	35
Handling of setuid Programs and Device Files in DFS	36
setuid Script	36
Additional DFS Cache Manager Commands	38
NAME	39
SYNOPSIS	39
OPTIONS	39
DESCRIPTION	39
Privilege Required	39
OUTPUT	40
EXAMPLES	40
RELATED INFORMATION	40
NAME	41
SYNOPSIS	41
OPTIONS	41
DESCRIPTION	42
Privilege Required	42
EXAMPLES	42
$ cm sethardmount -path /.../abc.com/fs/usr/jlw	42
RELATED INFORMATION	42
Stopping Enhanced DFS	43
Removing Enhanced DFS Configuration Information and DFS Cache Files	44
1 Use dce_config to unconfigure the node from the DCE cell. This removes the node's information f...	44
2 Reboot the node. Neither DCE nor Enhanced DFS will start (this is the desired behavior).	44
3 Use dce_config to remove DCE and Enhanced DFS from the node. This removes the DCE and Enhanced ...	44
NOTE: Do not remove DCE and Enhanced DFS without first unconfiguring the node, unless you are des...	44
Restricting RPC Addresses	45
Setting Global Variables	46
Using Tuning Variables	48
NOTE: Although you can pass any supported option to the various daemons using these variables, ma...	48
3 Running dce_config to Configure Enhanced DFS	49
Configuring a System Control Server	50
1 As root, run dce_config. From the DCE Main Menu, choose CONFIGURE:	50
2 From the DCE Configuration Menu, choose Additional Server Configuration:	50
3 From the DCE Additional Server Configuration Menu, choose DFS System Control Machine:	51
Configuring a DFS Fileset Location Database	52
NOTE: Set the CONFIG_DFS_FLDB_ONLY environment variable before starting dce_config if you want to...	52
1 From the Additional Server Configuration Menu, choose 6 (DFS Fileset Location Database Server):	52
2 dce_config prompts for the name of the System Control machine. If your cell does not use a Syst...	53
3 Reply to the prompt “Would you like to continue and configure a Fileset Server?”. If you want t...	53
4 dce_config prompts for the name of the DFS fileset. root.dfs is the default name. When configur...	53
5 dce_config prompts for the file system type for the DFS fileset. Choose Native File System or E...	53
6 dce_config prompts for the device name of the logical volume on which you want the Episode file...	53
7 dce_config prompts for the aggregate name. Enter a name of your choice. Common names are lfsx o...	53
8 dce_config prompts for a numerical aggregate ID. Enter a unique ID, corresponding to the type a...	54
9 dce_config displays information about the aggregate and about the fileset specified in Step 4:	54
Configuring a File Server and a Private File Server	55
1 From the Additional Server Configuration Menu, choose 4 (DFS Private File Server) or 5 (DFS Fil...	55
2 dce_config prompts for the name of the System Control machine. If your cell does not use a Syst...	55
3 dce_config prompts for the file system type of the aggregate to be exported. Choose 1 (Native F...	55
4 dce_config prompts for the device name of the aggregate to be exported. Enter a name of the for...	55
5 dce_config prompts for the fileset name. Enter a name of your choice.	56
6 dce_config prompts for the aggregate name. Enter a name of your choice. Common names are lfsx o...	56
7 dce_config prompts for a numerical aggregate ID. Enter a unique ID, corresponding to the type a...	56
8 dce_config displays information about the aggregate and about the servers it is starting:	56
Configuring a DFS Client	57
1 Start dce_config.	57
2 From the DCE Main Menu, choose CONFIGURE:	57
3 From the DCE Configuration Menu, choose 4 (DFS Client):	57
4 Choose whether the cache is in system memory or on the local disk.	58
5 Choose a cache size for the memory. The default cache size is 1MB.	58
6 Choose a cache size. The default cache size is 10MB. At least 10 MB of free disk space must be ...	58
7 Choose a directory to hold the cache (the default directory is a reasonable choice):	58
8 Choose whether to configure an NFS/DFS Gateway. See Chapter 1 in the Planning and Configuring H...	58
9 Reply to the prompt “Would you like to use BOS server to monitor and administer the dfsgwd proc...	59
dfs_config Environment Variables	60
A TCL Functions	63
DCE TCL Functions	64
Configuration Functions	64
NAME	65
SYNOPSIS	65
PARAMETERS	65
RETURNS	65
NAME	66
SYNOPSIS	66
PARAMETERS	66
RETURNS	66
NAME	67
SYNOPSIS	67
PARAMETERS	67
RETURNS	67
NAME	68
SYNOPSIS	68
PARAMETERS	68
RETURNS	68
NAME	69
SYNOPSIS	69
PARAMETERS	69
RETURNS	69
NAME	70
SYNOPSIS	70
PARAMETERS	70
RETURNS	70
NAME	71
SYNOPSIS	71
PARAMETERS	71
RETURNS	71
NAME	72
SYNOPSIS	72
PARAMETERS	72
RETURNS	72
NAME	73
SYNOPSIS	73
PARAMETERS	73
RETURNS	73
NAME	74
SYNOPSIS	74
PARAMETERS	74
RETURNS	74
Unconfiguration Function	75
NAME	75
SYNOPSIS	75
PARAMETERS	75
RETURNS	75
Cleanup Functions	76
NAME	77
tcl_cleanup - Attempts to clean up the host DCE configuration whenever CLEAN_UP = y.	77
SYNOPSIS	77
PARAMETERS	77
RETURNS	77
NAME	78
SYNOPSIS	78
PARAMETERS	78
RETURNS	78
NAME	79
SYNOPSIS	79
PARAMETERS	79
RETURNS	79
NAME	80
SYNOPSIS	80
PARAMETERS	80
RETURNS	80
NAME	81
SYNOPSIS	81
RETURNS	81
NAME	82
SYNOPSIS	82
PARAMETERS	82
RETURNS	82
NAME	83
SYNOPSIS	83
PARAMETERS	83
RETURNS	83
Miscellaneous Functions	84
NAME	86
SYNOPSIS	86
PARAMETERS	86
RETURNS	86
NAME	87
SYNOPSIS	87
PARAMETERS	87
RETURNS	87
NAME	88
SYNOPSIS	88
PARAMETERS	88
RETURNS	88
NAME	89
SYNOPSIS	89
PARAMETERS	89
RETURNS	89
NAME	90
SYNOPSIS	90
RETURNS	90
NAME	91
SYNOPSIS	91
PARAMETERS	91
RETURNS	91
NAME	92
SYNOPSIS	92
PARAMETERS	92
RETURNS	92
NAME	93
SYNOPSIS	93
PARAMETERS	93
RETURNS	93
NAME	94
SYNOPSIS	94
PARAMETERS	94
RETURNS	94
NAME	95
SYNOPSIS	95
PARAMETERS	95
RETURNS	95
NAME	96
SYNOPSIS	96
PARAMETERS	96
RETURNS	96
NAME	97
SYNOPSIS	97
PARAMETERS	97
RETURNS	97
NAME	98
SYNOPSIS	98
RETURNS	98
NAME	99
SYNOPSIS	99
RETURNS	99
NAME	100
SYNOPSIS	100
RETURNS	100
NAME	101
SYNOPSIS	101
PARAMETERS	101
RETURNS	101
NAME	102
SYNOPSIS	102
PARAMETERS	102
RETURNS	102
NAME	103
SYNOPSIS	103
PARAMETERS	103
RETURNS	103
NAME	104
SYNOPSIS	104
PARAMETERS	104
RETURNS	104
NAME	105
SYNOPSIS	105
PARAMETERS	105
RETURNS	105
NAME	106
SYNOPSIS	106
PARAMETERS	106
RETURNS	106
NAME	107
SYNOPSIS	107
PARAMETERS	107
RETURNS	107
NAME	108
SYNOPSIS	108
PARAMETERS	108
RETURNS	108
NAME	109
SYNOPSIS	109
RETURNS	109
NAME	110
SYNOPSIS	110
PARAMETERS	110
RETURNS	110
NAME	111
SYNOPSIS	111
PARAMETERS	111
RETURNS	111
DCE TCL Examples	112
Configuring a DCE Client	112
Configuring a Single-machine DCE Server	112
Configuring dced	113
Configuring secd	113
Configuring cdsd	114
Configuring dtsd	114
Configuring a Security Replica	114
Configuring a CDS Replica	115
Unconfiguring a Client (only) Machine from an Existing Cell	115
Removing a Machine from an Existing Cell	116
DFS TCL Functions	117
Configuration Functions	117
NAME	118
SYNOPSIS	118
PARAMETERS	118
RETURNS	118
NAME	119
SYNOPSIS	119
RETURNS	119
NAME	120
SYNOPSIS	120
PARAMETERS	120
RETURNS	120
NAME	121
SYNOPSIS	121
PARAMETERS	121
RETURNS	121
NAME	122
SYNOPSIS	122
PARAMETERS	122
RETURNS	122
NAME	123
SYNOPSIS	123
PARAMETERS	123
RETURNS	123
Unconfiguration Functions	124
NAME	125
SYNOPSIS	125
PARAMETERS	125
RETURNS	125
NAME	126
SYNOPSIS	126
PARAMETERS	126
RETURNS	126
NAME	127
SYNOPSIS	127
RETURNS	127
NAME	128
SYNOPSIS	128
PARAMETERS	128
RETURNS	128
NAME	129
SYNOPSIS	129
PARAMETERS	129
RETURNS	129
NAME	130
tcl_dfs_unconfig_repserver - Unconfigures a repserver on the local host.	130
SYNOPSIS	130
PARAMETERS	130
RETURNS	130
Miscellaneous Functions	131
NAME	132
SYNOPSIS	132
PARAMETERS	132
RETURNS	132
NAME	133
SYNOPSIS	133
PARAMETERS	133
RETURNS	133
NAME	134
SYNOPSIS	134
PARAMETERS	134
RETURNS	134
NAME	135
SYNOPSIS	135
PARAMETERS	135
RETURNS	135
Examples of Primary DFS Functions	136
B The DFS/NFS Secure Gateway	139
Overview of the DFS/NFS Gateway	140
Configuring Gateway Server Machines	143
Configuring a Gateway Server Without Enabling Remote Authentication	144
1 Log in as the local root user on the machine.	144
2 Install the binary file for the dfsgw command suite in the directory dcelocal/bin/ on the machi...	144
3 Export the DCE global root directory, /..., via NFS. This is typically accomplished via the exp...	145
Configuring a Gateway Server and Enabling Remote Authentication	145
Configuring the BOS Server Process	146
1 Authenticate to DCE as a principal who has the following ACL permissions on entries in the regi...	146
2 Create the principal hosts/hostname/dfs-server, and create an account for the principal. Use th...	146
3 Grant the group subsys/dce/dfs-admin the appropriate permissions on the ACL for the hosts/hostn...	146
4 Use the su command to become the local root user on the machine:	147
5 Add a server key for the hosts/hostname/dfs-server principal to the /krb5/v5srvtab keytab file ...	147
6 Remove the BosConfig file and any administrative lists that may exist from a previous configura...	147
7 Start the bosserver process with DFS authorization checking disabled. The process creates a new...	147
8 Add the group subsys/dce/dfs-admin to the admin.bos file:	147
9 Enable DFS authorization checking by the BOS Server:	147
10 Configure the bosserver process to start automatically when the system is rebooted by removing...	147
Configuring the Gateway Server Process	148
NOTE: You need to perform some steps only when you configure the first Gateway Server process. Su...	148
1 If you have not already done so, perform all of the steps in “Configuring a Gateway Server With...	148
2 If you have not already done so, log in as the local root user on the machine.	148
3 Install the binary file for the dfsgwd process in the directory dcelocal/bin on the machine. Th...	148
4 Add the dfsgw service to the Internet services database. The dfsgw service provides the login f...	148
5 Authenticate to DCE as a principal who has the following ACL permissions on entries in the regi...	149
6 Invoke the dcecp command:	149
7 For the first Gateway Server process, create the group subsys/dce/dfsgw-admin in the registry d...	149
8 Create the principal hosts/hostname/dfsgw-server, and create an account for the principal. The ...	149
9 Use the su command to become the local root user on the machine:	149
10 Add a server key for the hosts/hostname/dfsgw-server principal to the /krb5/v5srvtab keytab fi...	150
11 Log out as root to return to your authenticated DCE identity.	150
12 If your current DCE identity is not included in the dcelocal/var/dfs/admin.bos file on the mac...	150
13 Create a simple BOS Server process named dfsgw to run the dfsgwd server process:	150
Configuring NFS Clients to Access DFS	150
Configuring a Client Without Enabling Remote Authentication	151
1 Log in as the local root user on the machine.	151
2 Mount the root of the DCE namespace, /..., on the machine. In the command, hostname is the host...	151
3 Create a symbolic link from //: to the root of the DFS filespace for the host DCE cell, /.../ce...	152
4 Verify that the NFS mount of DCE was successful by using the ls command to list the contents of...	152
Configuring a Client and Enabling Remote Authentication	152
1 If you have not already done so, perform all of the steps in “Configuring a Client Without Enab...	152
2 If you have not already done so, log in as the local root user on the machine.	152
3 Install the binary files for the dfs_login and dfs_logout commands in the directory /usr/bin on...	152
4 Create the Kerberos configuration file named /krb5/krb.conf. The dfs_login command reads this f...	153
5 Create the Kerberos configuration file named /krb5/krb.realms. The Kerberos runtime uses the in...	153
6 If you use the /etc/services file in your environment, add the following entry for the dfsgw se...	153
Accessing DFS from an NFS Client	154
Unauthenticated Access to DFS	154
Authenticated Access to DFS	155
Authenticating to DCE from an NFS Client	157
NOTE: When using dfs_login, the DFS-NFS gateway server (which can be overridden with the -h optio...	158
Authenticating to DCE from a Gateway Server Machine	159
Determining Whether a Specific User is Authenticated to DCE	161

Match case Limit results 1 per page

141

The DFS/NFS Secure Gateway

Overview of the DFS/NFS Gateway

•

Remote authentication

to DCE from NFS clients is provided via the

dfs_login

command. With remote authentication, you allow users to issue the

dfs_login

command to authenticate themselves.

Remote authentication requires additional configuration, but it provides a less

burdensome and more secure approach to authentication. Configuration consists

of installing and configuring the Gateway Server (

dfsgwd

) process on the

Gateway Server machines, installing the

dfs_login

command (and the

dfs_logout

command) on the NFS clients, configuring Kerberos on the NFS

clients, and configuring the remote authentication service on both the Gateway

Server machines and the NFS clients. However, authentication requires no

administrative measures, and user passwords are never sent in the clear.

The

dfsgw add

and

dfs_login

commands both result in authenticated access

to DFS from an NFS client. To provide a user with authenticated access,

each command obtains a ticket-granting ticket (TGT) for the user from the

DCE Security Service. The TGT is used to create a valid login context for

the user. The login context includes a Process Activation Group (PAG),

which DFS stores in the kernel of the Gateway Server machine. The PAG

identifies the user’s TGT; the TGT serves as the user’s DCE credentials.

On the Gateway Server machine, an association is created between the

UNIX user identification number (UID) of the user and the network address

of the NFS client from which DFS access is desired. A mapping is then

created between this pair and the PAG created for the user. The mapping is

stored as an entry in a local authentication table (AT), which, like the PAG,

resides in the kernel of the machine. The mapping provides the user with

authenticated access to DFS from the NFS client.

Each mapping grants a user authenticated access only from the specific NFS

client for which the mapping exists. For authenticated access from a

different NFS client, a user must use the

dfs add

dfs_login

command to

create a new mapping for that client.

A user’s DCE credentials are good only for the lifetime of the TGT. The

ticket lifetime is dictated by the registry database of the DCE cell. By

default, each ticket receives the default ticket lifetime in effect in the registry

database. The

dfs_login

command different lifetime, but a requested lifetime

is constrained by the policies in effect in the registry database. Once a user’s

TGT expires, the user must obtain new DCE credentials.