HP Visualize J5000 hp enterprise file system: planning and configuring hp DCE/ - Page 141
The DFS/NFS Secure Gateway
Overview of the DFS/NFS Gateway

• Remote authentication to DCE from NFS clients is provided via the dfs_login command. With remote authentication, you allow users to issue the dfs_login command to authenticate themselves. Remote authentication requires additional configuration, but it provides a less burdensome and more secure approach to authentication. Configuration consists of installing and configuring the Gateway Server (dfsgwd) process on the Gateway Server machines, installing the dfs_login command (and the dfs_logout command) on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. Once this configuration is in place, however, authentication itself requires no administrative measures, and user passwords are never sent in the clear.

The dfsgw add and dfs_login commands both result in authenticated access to DFS from an NFS client. To provide a user with authenticated access, each command obtains a ticket-granting ticket (TGT) for the user from the DCE Security Service. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine. The PAG identifies the user's TGT; the TGT serves as the user's DCE credentials.

On the Gateway Server machine, an association is created between the UNIX user identification number (UID) of the user and the network address of the NFS client from which DFS access is desired. A mapping is then created between this pair and the PAG created for the user. The mapping is stored as an entry in a local authentication table (AT), which, like the PAG, resides in the kernel of the Gateway Server machine. The mapping provides the user with authenticated access to DFS from that NFS client. Each mapping grants a user authenticated access only from the specific NFS client for which the mapping exists; for authenticated access from a different NFS client, a user must use the dfsgw add or dfs_login command to create a new mapping for that client.

A user's DCE credentials are good only for the lifetime of the TGT. The ticket lifetime is dictated by the registry database of the DCE cell: by default, each ticket receives the default ticket lifetime in effect in the registry database. The dfs_login command can request a different lifetime, but a requested lifetime is constrained by the policies in effect in the registry database. Once a user's TGT expires, the user must obtain new DCE credentials.
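The mapping and ticket-lifetime rules described above, as an added illustrative model. This is not HP's DFS/NFS Gateway code (the real AT and PAGs live in the Gateway Server kernel and the real TGTs come from the DCE Security Service); the registry lifetimes, UIDs, client addresses and principal names used with it are constructed for the example.

```python
# Added illustrative model of the Gateway Server's authentication table (AT).
# Not HP DFS code: the real AT and PAGs live in the Gateway Server kernel and
# the real TGTs come from the DCE Security Service. Lifetimes are in seconds.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TGT:
    """A ticket-granting ticket: the user's DCE credentials."""
    principal: str
    issued_at: int
    lifetime: int

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


@dataclass(frozen=True)
class PAG:
    """Process Activation Group: identifies the user's TGT in the kernel."""
    pag_id: int
    tgt: TGT


class Registry:
    """Stands in for the DCE cell's registry database ticket policy.
    default_lifetime and max_lifetime are hypothetical policy values."""

    def __init__(self, default_lifetime: int, max_lifetime: int) -> None:
        self.default_lifetime = default_lifetime
        self.max_lifetime = max_lifetime

    def issue_tgt(self, principal: str, now: int,
                  requested_lifetime: Optional[int] = None) -> TGT:
        # A requested lifetime is honoured only within registry policy.
        if requested_lifetime is None:
            lifetime = self.default_lifetime
        else:
            lifetime = min(requested_lifetime, self.max_lifetime)
        return TGT(principal, now, lifetime)


class GatewayServer:
    """Models dfsgwd's per-machine AT: (UID, NFS client address) -> PAG."""

    def __init__(self, registry: Registry) -> None:
        self.registry = registry
        self.at: Dict[Tuple[int, str], PAG] = {}
        self._next_pag = 1

    def login(self, uid: int, client_addr: str, principal: str, now: int,
              requested_lifetime: Optional[int] = None) -> PAG:
        """What dfs_login (or dfsgw add) achieves: obtain a TGT, build a PAG,
        and map (UID, client) to it. A second client needs its own login."""
        tgt = self.registry.issue_tgt(principal, now, requested_lifetime)
        pag = PAG(self._next_pag, tgt)
        self._next_pag += 1
        self.at[(uid, client_addr)] = pag
        return pag

    def logout(self, uid: int, client_addr: str) -> bool:
        """What dfs_logout achieves: drop the mapping for this client."""
        return self.at.pop((uid, client_addr), None) is not None

    def credentials_for(self, uid: int, client_addr: str,
                        now: int) -> Optional[PAG]:
        """Credentials to use for a DFS request arriving from (UID, client).
        None means no authenticated access: there is no mapping for this
        client, or the TGT has expired and a new login is required."""
        pag = self.at.get((uid, client_addr))
        if pag is None:
            return None
        if not pag.tgt.valid_at(now):
            del self.at[(uid, client_addr)]   # expired credentials are useless
            return None
        return pag
```

In this model an expired entry is discarded the first time it is consulted after the TGT lifetime has run out; whether the real kernel AT purges expired entries eagerly or lazily is not stated on this page, but either way the user has to log in again to obtain new credentials, and a login from one NFS client never grants access from another.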