DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.
Note Before using this information and the product it supports, be sure to read the general information under “Notices” on page 49. First Edition (April 2000) This edition applies to: DFS for Solaris, Version 3.1 and to all subsequent releases and modifications until otherwise indicated in new editions. Order publications through your IBM representative or through the IBM branch office serving your locality. © Copyright International Business Machines Corporation 1989, 1999. All rights reserved.
Contents
Preface v
  Audience v
  Applicability v
  Purpose v
  Document Organization v
  Related Documents vi
  Typographic and Keying Conventions vi
Chapter 1. Overview of the NFS/DFS Secure Gateway 1
Chapter 2. Configuring Gateway Server Machines
  Configuring a Gateway Server Without Enabling Remote Authentication
iv DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference
Preface
The IBM DFS for Solaris NFS/DFS Secure Gateway Guide and Reference contains guide and reference information about the NFS/DFS Secure Gateway for Solaris, which provides authenticated access to the DFS filespace to clients of the Network File System (NFS) by associating an NFS request with an authenticated DCE principal.

Audience
This guide and reference is intended for DFS users or administrators who need to know how to provide authenticated access to the DFS filespace for NFS clients.
Related Documents
For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents:
• IBM Distributed Computing Environment for Solaris: Quick Beginnings
• IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Introduction
• IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Core Components
• IBM Distributed Computing Environment for AIX and Solaris: Administration Command Reference
For informa
or |x The notation or |x followed by the name of a key indicates a control character sequence. For example, means that you hold down the control key while pressing . The notation refers to the key on your terminal or workstation that is labeled with the word Return or Enter, or with a left arrow.
Chapter 1. Overview of the NFS/DFS Secure Gateway
The Network File System (NFS) to DFS Secure Gateway provides a mechanism for granting authenticated access to the DFS filespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS filespace from a machine that is configured as an NFS client but not as a DCE client. To use the NFS/DFS Secure Gateway for authenticated access to DFS, you must configure at least one Gateway Server machine.
on the Gateway Server machines, installing the vendor-provided dfs_login and dfs_logout commands on the NFS clients, configuring Kerberos on the NFS clients, and configuring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwords are never sent in the clear.
Before establishing a new mapping between a remote user and DCE principal, the existing mapping must be deleted. A user who wants to end an authenticated session to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or the dfsgw delete command from the Gateway Server machine. Both commands remove the user’s entry for the NFS client from the authentication table on the Gateway Server machine.
Chapter 2. Configuring Gateway Server Machines
A Gateway Server machine provides authenticated access to the DFS filespace to users on NFS clients. You can configure any machine that is configured as a DFS client and an NFS server as a Gateway Server. Following successful configuration, the machine provides authenticated access to the DFS filespace, and it exports the root of the DCE namespace, /..., via NFS. You can configure multiple Gateway Server machines to provide DFS access from multiple sources.
Before configuring a Gateway Server machine, you must do the following:
• Configure a DCE cell that includes DFS.
• Configure each machine that is to become a Gateway Server as a DFS client and an NFS server.
• Ensure proper synchronization among the system clocks on machines that are to become Gateway Servers, machines configured as NFS clients that are to contact the Gateway Servers, and machines in the DCE cell to be contacted. You must keep the system clocks on these machines synchronized at all times.
Configuring a Gateway Server and Enabling Remote Authentication
Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; they authenticate from an NFS client by issuing the dfs_login command. A Gateway Server machine to be configured in this manner runs the Gateway Server process (dfsgwd).
   $ dcecp
   dcecp> principal create hosts/hostname/dfs-server
   dcecp> account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin -org none -password password -mypwd password
3. Grant the group subsys/dce/dfs-admin the appropriate permissions on the ACL for the hosts/hostname/dfs-server principal in the registry database:
   dcecp> acl mod /.:/sec/principal/hosts/hostname/dfs-server -add {group subsys/dce/dfs-admin rcDnfmag}
   dcecp> exit
4.
Configuring the Gateway Server Process
To configure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be configured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local machine.
Note: You need to perform some steps only when you configure the first Gateway Server process. Such steps are qualified with the phrase for the first Gateway Server process.
1.
• The m, a, u, and g permissions on the principal hosts/hostnamedfsgwserver. The principal is created during the configuration steps.
• The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
• The R, t, and M permissions on the organization none.
• The r permission on the registry Policy object for the DCE cell.
13. Create a simple BOS Server process named dfsgw to run the dfsgwd server process:
   $ dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw -type simple -cmd dcelocal/bin/dfsgwd
The Gateway Server process is now fully configured on the machine.
Chapter 3. Configuring NFS Clients to Access DFS
After you have configured at least one Gateway Server machine according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5, you can configure your NFS clients to provide access to the DFS filespace. Users who have DCE accounts can then authenticate to DCE for authenticated access to DFS from the NFS clients. Authenticating to DCE provides these users with the privileges and permissions associated with their DCE identities.
Configuring a Client Without Enabling Remote Authentication
If you configured your Gateway Server machines so that users cannot issue the dfs_login command to authenticate to DCE, perform the steps in this section to configure your NFS clients. The steps enable DFS access from an NFS client without enabling DCE authentication from the client. Users can authenticate only via the dfsgw add command.
1. Log in as the local superuser root on the machine.
2. Mount the root of the DCE namespace, /...
Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available from your NFS vendor. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands. 1.
.DEF.COM abc.com
6. If you use the /etc/services file in your environment, add the following entry for the dfsgw service to the /etc/services file on the machine:
   dfsgw 438/udp dlog
where dfsgw is the name of the service, 438 is the port at which the service receives RPCs, udp is the protocol the service uses to communicate, and dlog is an alias for the dfsgw service.
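Added example (not from the manual): a Python check of the /etc/services entry described in the step above. It parses the file format (comments, tab-separated fields, aliases), confirms that dfsgw is bound to 438/udp with the dlog alias, and flags any other service that claims the same port and protocol. The sample file contents are constructed, and the conflicting legacy-app entry is a hypothetical name.

```python
import re

# Constructed sample /etc/services text (not from the manual): a comment line,
# tab-separated fields, a trailing comment, and a conflicting entry on 438/udp.
SAMPLE_SERVICES = """\
# Network services, Internet style
ftp\t\t21/tcp
nfsd\t\t2049/udp\tnfs
dfsgw\t\t438/udp\t\tdlog\t# NFS/DFS Secure Gateway
legacy-app\t438/udp
"""


def parse_services(text):
    """Yield (name, port, protocol, aliases) for every valid /etc/services line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        m = re.fullmatch(r"(\d+)/([a-z]+)", fields[1]) if len(fields) > 1 else None
        if m is None:
            continue                               # malformed line: skip it
        yield fields[0], int(m.group(1)), m.group(2), tuple(fields[2:])


def check_dfsgw_entry(text, port=438, proto="udp", alias="dlog"):
    """Return the problems found with the dfsgw service entry (empty list = OK).

    Checks that the documented line is present and that no other service
    claims the same port/protocol, which would be a misconfiguration."""
    entries = list(parse_services(text))
    dfsgw = [e for e in entries if e[0] == "dfsgw"]
    problems = []
    if not dfsgw:
        problems.append("no dfsgw entry")
    for _, p, pr, aliases in dfsgw:
        if (p, pr) != (port, proto):
            problems.append(f"dfsgw bound to {p}/{pr}, expected {port}/{proto}")
        if alias not in aliases:
            problems.append(f"dfsgw entry lacks alias {alias}")
    for name, p, pr, _ in entries:
        if name != "dfsgw" and (p, pr) == (port, proto):
            problems.append(f"{name} also uses {port}/{proto}")
    return problems
```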
Chapter 4. Accessing DFS from an NFS Client
After a Gateway Server machine and one or more NFS clients are configured according to the instructions in “Chapter 2. Configuring Gateway Server Machines” on page 5 and “Chapter 3. Configuring NFS Clients to Access DFS” on page 13, users of the NFS clients can access data in the DFS filespace. Users can access files and directories in DFS by full /.../cellname/fs pathnames or by abbreviated pathnames that use the /: link to the DFS filespace.
When an unauthenticated user creates an object, the object is owned by the user nobody and the group nogroup. The UID of the user nobody is -2, and the GID of the group nogroup is also -2. (Identities and ID numbers of an unauthenticated user and group can vary between systems; see your vendor’s documentation for more information.) Unauthenticated access is provided with the NFS/DFS Secure Gateway as a side effect of configuring Gateway Server machines and NFS clients.
The dfsgw add command can be used to refresh DCE credentials. If they are not refreshed, DCE credentials (tickets) expire after the lifetime specified by the DCE Security Service. After they expire, the tickets can no longer be used for authenticated access. To end an authenticated session before the ticket lifetime has passed, you can issue either of the following commands:
• From the NFS client from which authenticated access to DFS is provided, enter the dfs_logout command.
given for the dfs_login and dfs_logout commands can only be performed if your NFS vendor provides these commands. If these commands are not available, use the instructions for the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands.
To end the authenticated session before the DCE credentials expire, issue the dfs_logout command from the NFS client. The command removes the user’s entry from the authentication table on the Gateway Server machine. The command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the NFS client as the local superuser root. The command has no effect on authenticated access that the user has established with other NFS clients.
provides the same functionality from a Gateway Server machine that the dfs_logout command provides from an NFS client. The dfsgw delete command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the Gateway Server machine as the local superuser root. The command has no effect on authenticated sessions the user has with other NFS clients.
who has DFS access, and the date and time at which each user’s DCE credentials expire. See the reference page for the dfsgw list command for more information about the command.
Chapter 5. Configuration File and Command Reference
This chapter contains configuration file and command reference information for the NFS/DFS Secure Gateway.
DfsgwLog
Purpose
Log file that contains messages generated by the Gateway Server process of the NFS/DFS Secure Gateway
Description
The DfsgwLog file contains messages generated by the Gateway Server (dfsgwd) process. The Gateway Server process runs on machines configured as DFS clients to allow users to authenticate to DCE from NFS clients. If the DfsgwLog file does not already exist when the Gateway Server process starts, the process creates the file in the directory named dcelocal/var/dfs/adm.
dfsgw
Purpose
Introduction to the dfsgw command suite used with the NFS/DFS Secure Gateway
Options
The following options are used with many dfsgw commands. They are also described with the commands that use them.
-id networkID:userID
   Identifies an NFS client and the user whose DCE authentication from that client is to be manipulated. Specify either the network address or the hostname of the NFS client. Specify the user’s UNIX user identification number (UID) rather than a username.
dfsgw list
   Displays a list of users who are authenticated to DCE via the Gateway Server machine.
dfsgw query
   Determines whether a specific user is authenticated to DCE via the Gateway Server machine. The command locates the user’s entry in the authentication table, if it exists.
Commands in the dfsgw command suite provide a local administrative interface to the authentication table on a machine configured as a Gateway Server.
Related Information
Commands: dfsgw_add(8dfs), dfsgw_apropos(8dfs), dfsgw_delete(8dfs), dfsgw_help(8dfs), dfsgw_list(8dfs), dfsgw_query(8dfs), dfs_intro(8dfs)
dfsgw add
Purpose
Adds an entry to the authentication table on the Gateway Server machine
Synopsis
dfsgw add -id networkID:userID [-dceid login_name[:password]] [-sysname sysname] [-remotehost name] [-af address_family] [-help]
Options
-id networkID:userID
   Identifies an NFS client and the user who is to be authenticated to DCE from that client. Specify either the network address or the hostname of the NFS client. Specify the user’s UNIX user identification number (UID) rather than a username.
Description
The dfsgw add command authenticates a user to DCE. The command contacts the DCE Security Service to obtain a TGT for the user. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine to identify the user’s TGT.
Output
The dfsgw add command displays the following prompts to request a DCE principal and password:
   Enter Principal Name: principal
   Enter Password: password
where principal is the name of the user to be authenticated to DCE, and password is the password of the named user; you supply both of these values. The command prompts for the principal name only if you do not specify a principal name with the -dceid option and you do not already have a valid TGT.
dfsgw apropos
Purpose
Displays the help entry for each dfsgw command that contains a specified string
Synopsis
dfsgw apropos -topic string [-help]
Options
-topic string
   Specifies the keyword string for which to search. If it is more than a single word, surround the string with double quotes (″ ″) or other delimiters. Type all strings in lowercase letters.
-help
   Displays the online help for this command. All other valid options specified with this option are ignored.
Related Information
Commands: dfsgw_help(8dfs)
dfsgw delete
Purpose
Removes an entry from the authentication table on the Gateway Server machine
Synopsis
dfsgw delete -id networkID:userID [-af address_family] [-help]
Options
-id networkID:userID
   Identifies an NFS client and the user whose authentication to DCE from that client is to be canceled. Specify either the network address or the hostname of the NFS client. Specify the user’s UNIX user identification number (UID) rather than the username.
Privilege Required
The issuer must be logged into the Gateway Server machine either as the user whose entry is to be removed from the authentication table or as the local superuser root.
Examples
The following command deletes the entry from the authentication table that grants authenticated access to the user named ludwig from the NFS client that has network address 15.27.32.40. The command is issued by the user ludwig, who has UID 7439.
   $ dfsgw del -id 15.27.32.
dfsgw help
Purpose
Shows syntax of specified dfsgw commands or lists functional descriptions of all dfsgw commands
Synopsis
dfsgw help [-topic string] [-help]
Options
-topic string
   Specifies each command whose syntax is to be displayed. Provide only the second part of the command name (for example, list, not dfsgw list). If this option is omitted, the output provides short descriptions of all dfsgw commands.
-help
   Displays the online help for this command.
   dfsgw list: list all entries in the AT
   Usage: dfsgw list [-help]
Related Information
Commands: dfsgw_apropos(8dfs)
dfsgw list
Purpose
Lists all entries in the authentication table on the Gateway Server machine
Synopsis
dfsgw list [-help]
Options
-help
   Displays help information for this command.
Description
The dfsgw list command lists all entries from the local authentication table, which indicate which users on NFS clients have DCE credentials.
hostname
   Names the NFS client for which the entry grants authenticated access to DFS
principal
   Displays the principal name of the user to whom the entry grants authenticated access
PAG
   Identifies the Process Activation Group (PAG) that exists for the hostname/principal pair
date/time
   Specifies the date and time at which the DCE credentials identified by the PAG expire
remotehost
   Identifies the remote hostname used for the hostname/principal pair
sysname
   Identifies the system name used for the hostname/pri
dfsgw_delete(8dfs) dfsgw_query(8dfs)
dfsgw query
Purpose
Queries the authentication table on the Gateway Server machine
Synopsis
dfsgw query -id networkID:userID [-af address_family] [-help]
Options
-id networkID:userID
   Identifies an NFS client and the user whose authentication from the client is to be determined. Specify either the network address or the hostname of the NFS client. Specify the user’s UNIX user identification number (UID) rather than the username.
Privilege Required
The issuer must be logged into the Gateway Server machine either as the user whose entry in the authentication table is to be examined or as the local superuser root.
Output
The dfsgw query command displays the following line of output if the specified user has an entry for the specified NFS client in the authentication table:
   Mapping found, PAG is PAG
where PAG identifies the Process Activation Group (PAG) that exists for the user.
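As an added illustration (not IBM's code or the dfsgwd implementation), the following Python model captures the authentication-table rules this manual states for dfsgw add, delete, query and list across Chapters 4 and 5: one entry per NFS client and UID, the -id argument takes a numeric UID rather than a username, an existing mapping to a different DCE principal must be deleted before a new one is made, only the mapped user or the local root may delete an entry, entries for other NFS clients are unaffected, and expired credentials no longer grant access. Assumed rather than stated by the manual: re-adding the same principal refreshes the expiry while keeping the PAG, and query returns None when no entry exists; the PAG numbers are constructed, and the test data reuses the manual's ludwig/7439/15.27.32.40 example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ROOT_UID = 0  # the local superuser root


@dataclass
class Entry:
    principal: str      # DCE principal the NFS user is mapped to
    pag: int            # Process Activation Group identifying the user's TGT
    expires: datetime   # date/time at which the DCE credentials expire
    remotehost: str = ""
    sysname: str = ""


class AuthTable:
    """One mapping per (NFS client, UID) pair, as on a Gateway Server machine."""

    def __init__(self):
        self._entries = {}
        self._next_pag = 0x41000000  # constructed starting PAG value, not a real one

    @staticmethod
    def parse_id(id_arg):
        """Parse the -id networkID:userID argument; userID must be a numeric UID."""
        network_id, sep, uid = id_arg.partition(":")
        if not network_id or not sep or not uid.isdigit():
            raise ValueError("-id must be networkID:userID with a numeric UID")
        return network_id, int(uid)

    def add(self, id_arg, principal, now_iso, lifetime_hours, remotehost="", sysname=""):
        """dfsgw add. Re-adding the same principal refreshes the credentials
        (assumed here to keep the PAG); mapping to a different principal is
        refused until the existing entry is deleted."""
        key = self.parse_id(id_arg)
        old = self._entries.get(key)
        if old is not None and old.principal != principal:
            raise PermissionError("existing mapping must be deleted first")
        pag = old.pag if old is not None else self._new_pag()
        expires = datetime.fromisoformat(now_iso) + timedelta(hours=lifetime_hours)
        self._entries[key] = Entry(principal, pag, expires, remotehost, sysname)
        return pag

    def _new_pag(self):
        self._next_pag += 1
        return self._next_pag

    def delete(self, id_arg, issuer_uid):
        """dfsgw delete: only the mapped user or root may remove the entry;
        the same user's entries for other NFS clients are untouched."""
        key = self.parse_id(id_arg)
        if issuer_uid not in (key[1], ROOT_UID):
            raise PermissionError("issuer must be the mapped user or root")
        return self._entries.pop(key, None) is not None

    def query(self, id_arg):
        """dfsgw query: the documented output line, or None when no entry exists."""
        entry = self._entries.get(self.parse_id(id_arg))
        return None if entry is None else f"Mapping found, PAG is {entry.pag}"

    def list(self, now_iso):
        """dfsgw list columns plus an 'expired' flag: expired tickets no longer
        grant authenticated access, so such entries are candidates for cleanup."""
        now = datetime.fromisoformat(now_iso)
        return [
            (host, uid, e.principal, e.pag, e.expires.isoformat(), e.expires <= now)
            for (host, uid), e in sorted(self._entries.items())
        ]
```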
dfsgwd
Purpose
Initializes the Gateway Server process for the NFS/DFS Secure Gateway
Synopsis
dfsgwd [-service service_number] [-sysname sysname] [-nodomains] [-file log_file] [-verbose] [-help]
Options
-service service_number
   Specifies the port number to be used to communicate with the dfsgwd process on the Gateway Server machine.
Description
The dfsgwd command initializes the Gateway Server process. The dfsgwd process runs on machines configured as DFS clients to enable remote authentication via the dfs_login command. The dfsgwd process works with the dfs_login command to obtain DCE credentials for users of NFS clients. The DCE credentials provide users with authenticated access to data in DFS. The Gateway Server process manipulates mappings for authenticated users in the authentication table on the Gateway Server machine.
Privileges Required
The issuer must be the local superuser root on the local machine.
Files
dcelocal/var/dfs/adm/DfsgwLog
   The default log file for the dfsgwd process. You can use the -file option to specify a different pathname for the log file.
Notices
First Edition (April 2000)
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice. Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites.
All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only. All IBM prices shown are IBM’s suggested retail prices, are current and are subject to change without notice. Dealer prices may vary. This information is for planning purposes only. The information herein is subject to change before the products described become available.
UNIX is a registered trademark in the United States, other countries or both and is licensed exclusively through X/Open Company Limited. Other company, product, and service names may be trademarks or service marks of others.
Readers’ Comments — We’d Like to Hear from You
DFS for Solaris NFS/DFS Secure Gateway Guide and Reference Version 3.1, Publication No. GC09-3993-00