IBM NFS?DFS User Manual

DFS for Solaris



NFS/DFS Secure Gatewa y Gui d e and Reference

Ve r s i o n 3 . 1

GC09-3993-00

DFS for Solaris



NFS/DFS Secure Gatewa y Guide and Reference

Ve r s i o n 3 . 1

GC09-3993-00

Note

Before using this information and the product it supports, be sure to read the general information under “Notices” on page 49.

First Edition (April 2000)

This edition applies to:

DFS for Solaris, Version 3.1

and to all subsequent releases and modiﬁcations until otherwise indicated in new editions. Order publications through your IBM representative or through the IBM branch office serving your locality.

US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface ............. v

Audience ............ v

Applicability ........... v

Purpose ............. v

Document Organization ....... v

Related Documents

For information about DCE in general, and DCE administration for Solaris in particular, refer to the following documents:

v IBM Distributed Computing Environment for Solaris: Quick Beginnings v IBM Distributed Computing Environment for AIX and Solaris: Administration

Guide - Introduction

v IBM Distributed Computing Environment for AIX and Solaris: Administration

Guide - Core Components

v IBM Distributed Computing Environment for AIX and Solaris: Administration

Command Reference

For information about DFS administration and commands, refer to the following documents:

v IBM DFS for AIX and Solaris Administration Guide v IBM DFS for AIX and Solaris Administration Reference

Typographic and Keying Conventions

This guide uses the following typographic conventions: Bold Bold words or characters represent system elements that you must

use literally, such as commands, options, and pathnames.

Italic Italic words or characters represent variable values that you must

supply. Italic type is also used to introduce a new DCE term.

Constant width

Examples and information that the system displays appear in constant width typeface.

[] Brackets enclose optional items in format and syntax descriptions. {} Braces enclose a list from which you must choose an item in format

and syntax descriptions.

| A vertical bar separates items in a list of choices. <> Angle brackets enclose the name of a key on the keyboard. ... Horizontal ellipsis points indicate that you can repeat the preceding

item one or more times.

dcelocal

The OSF directory dcelocal in this document equates to the AIX directory /opt/dcelocal.

This guide uses the following keying conventions:

vi DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

<Ctrl- x>or|x

The notation <Ctrl- x> or |x followed by the name of a key indicates a control character sequence. For example, <Ctrl-C> means that you hold down the control key while pressing <C>.

The notation <Return> refers to the key on your terminal or workstation that is labeled with the word Return or Enter, or with a left arrow.

Preface vii

viii DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

Chapter 1. Overview of the NFS/DFS Secure Gateway

The Network File System (NFS) to DFS Secure Gateway provides a mechanism for granting authenticated access to the DFS ﬁlespace from an NFS client. The NFS/DFS Secure Gateway enables users to access data in the DFS ﬁlespace from a machine that is conﬁgured as an NFS client but not as a DCE client.

To use the NFS/DFS Secure Gateway for authenticated access to DFS, you must conﬁgure at least one Gateway Server machine. A Gateway Server machine must be a DFS client in the DCE cell to which access is to be provided. One function of a Gateway Server machine is to export the root of the DCE global namespace, /..., via NFS. Mount /... on each NFS client from which users are to access DFS to provide unauthenticated access to DFS.

The primary function of a Gateway Server machine is to provide DCE authentication to users of NFS clients. NFS users who have valid accounts in the registry database of the DCE cell authenticate to DCE to gain authenticated access to DFS. Depending on the needs of users and the security considerations of the DCE cell, you can provide local authentication to DCE from Gateway Server machines, remote authentication to DCE from NFS clients, or both. Local and remote authentication work as follows:

v Local authentication to DCE from Gateway Server machines is provided via

the dfsgw add command. With local authentication, you can enable users to issue the dfsgw add command to authenticate themselves, or you can control access to DFS by allowing only system administrators to provide authentication via the dfsgw add command. (The dfsgw command suite includes additional commands to provide for central administration from Gateway Server machines.)

Local authentication requires little conﬁguration, but it provides a limited approach to authentication. Conﬁguration consists only of installing the dfsgw commands on Gateway Server machines. However, authentication requires either administrative intervention or remote access to the Gateway Server machine (via the telnet program, for example); the latter approach results in user passwords being sent over the network in the clear.

v Remote authentication to DCE from NFS clients can be provided via the

dfs_login command, if the command is supplied by the NFS vendor. With remote authentication, users can issue the dfs_login command to authenticate themselves.

Remote authentication requires additional conﬁguration, but it provides a less burdensome and more secure approach to authentication. Conﬁguration consists of installing and conﬁguring the Gateway Server (dfsgwd) process

on the Gateway Server machines, installing the vendor-provided dfs_login and dfs_logout commands on the NFS clients, conﬁguring Kerberos on the NFS clients, and conﬁguring the remote authentication service on both the Gateway Server machines and the NFS clients. However, authentication requires no administrative measures, and user passwords are never sent in the clear.

Note: The dfs_login and dfs_logout commands are not provided with DFS;

these commands can be used only if they are available from your NFS vendor and have been installed on an NFS client. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands.

The dfsgw add and dfs_login commands both result in authenticated access to DFS from an NFS client. To provide a user with authenticated access, each command obtains a ticket-granting ticket (TGT) for the user from the DCE Security Service. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine. The PAG identiﬁes the user’s TGT; the TGT serves as the user’s DCE credentials.

On the Gateway Server machine, an association is created between the UNIX user identiﬁcation number (UID) of the user and the network address of the NFS client from which DFS access is desired. A mapping is then created between this pair and the PAG created for the user. The mapping is stored as an entry in a local authentication table, which, like the PAG, resides in the kernel of the machine. The mapping provides the user with authenticated access to DFS from the NFS client.

Each mapping grants a user authenticated access only from the speciﬁc NFS client for which the mapping exists. For authenticated access from a different NFS client, a user must use the dfsgw add or dfs_login command to create a new mapping for that client.

A user’s DCE credentials are good only for the lifetime of the TGT. The ticket lifetime is dictated by the registry database of the DCE cell. By default, each ticket receives the default ticket lifetime in effect in the registry database. The dfs_login command includes a -l option that can be used to request a different lifetime, but a requested lifetime is constrained by the policies in effect in the registry database. A user’s DCE credentials can be refreshed by using the dfsgw add command before the user’s TGT expires. If a user’s TGT expires, the user must obtain new DCE credentials. For more information on the dfsgw add command, see “Chapter 5. Conﬁguration File and Command Reference” on page 25.

2 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

Before establishing a new mapping between a remote user and DCE principal, the existing mapping must be deleted. A user who wants to end an authenticated session to DFS before the credentials expire can issue either the dfs_logout command from the NFS client for which the credentials were granted or the dfsgw delete command from the Gateway Server machine. Both commands remove the user’s entry for the NFS client from the authentication table on the Gateway Server machine. Either command can be used to end the authenticated session, regardless of which command was used to obtain the credentials. Because the authentication table resides in memory, all authenticated sessions are terminated if the Gateway Server is restarted.

“Chapter 2. Conﬁguring Gateway Server Machines” on page 5 and “Chapter 3. Conﬁguring NFS Clients to Access DFS” on page 13 provide complete instructions for conﬁguring Gateway Server machines and NFS clients to give NFS users either local or remote authentication to DCE. “Chapter 4. Accessing DFS from an NFS Client” on page 17 provides detailed information about how users authenticate to DCE and how they access DFS from an NFS client.

Chapter 1. Overview of the NFS/DFS Secure Gateway 3

4 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

Chapter 2. Conﬁguring Gateway Server Machines

A Gateway Server machine provides authenticated access to the DFS ﬁlespace to users on NFS clients. You can conﬁgure any machine that is conﬁgured as a DFS client and an NFS server as a Gateway Server. Following successful conﬁguration, the machine provides authenticated access to the DFS ﬁlespace, and it exports the root of the DCE namespace, /..., via NFS.

You can conﬁgure multiple Gateway Server machines to provide DFS access from multiple sources. However, users do not randomly select Gateway Server machines from NFS clients. By default, users on an NFS client contact the Gateway Server machine that exports /... to the client. If you want to balance the load among multiple Gateway Servers, you must conﬁgure your NFS clients so that each client mounts /... on a particular Gateway Server machine. (See “Chapter 3. Conﬁguring NFS Clients to Access DFS” on page 13 for information on conﬁguring NFS clients.)

Depending on how closely you want to control access to the DFS ﬁlespace, conﬁgure your Gateway Server machines in one of the following ways:

v Conﬁgure the Gateway Server machines so that users cannot issue the

dfs_login command to authenticate to DCE. This conﬁguration allows system administrators to manage all DCE

authentication from the Gateway Server machines. You can allow users to issue the dfsgw add command themselves, or you can limit use of the command to administrators only. To conﬁgure a Gateway Server machine without enabling remote authentication via the dfs_login command, follow the instructions in “Conﬁguring a Gateway Server Without Enabling Remote Authentication” on page 6.

v Conﬁgure the Gateway Server machines so that users can issue the

dfs_login command to remotely authenticate to DCE. This conﬁguration allows users of NFS clients to acquire their own DCE

credentials from the NFS clients. To conﬁgure a Gateway Server machine and enable remote authentication via the dfs_login command, follow the instructions in “Conﬁguring a Gateway Server and Enabling Remote Authentication” on page 7.

Note: The dfs_login and dfs_logout commands are not provided with DFS;

Before conﬁguring a Gateway Server machine, you must do the following:

v Conﬁgure a DCE cell that includes DFS. v Conﬁgure each machine that is to become a Gateway Server as a DFS client

and an NFS server.

v Ensure proper synchronization among the system clocks on machines that

are to become Gateway Servers, machines conﬁgured as NFS clients that are to contact the Gateway Servers, and machines in the DCE cell to be contacted. You must keep the system clocks on these machines synchronized at all times.

Conﬁguring a Gateway Server Without Enabling Remote Authentication

Perform the steps in this section to enable DCE authentication from a Gateway Server machine without enabling it from NFS clients that contact the Gateway Server. Users can authenticate only by issuing the dfsgw add command on the Gateway Server machine (or by having a system administrator issue the command for them).

1. Log in as the local superuser root on the machine.

2. Install the binary ﬁle for the dfsgw command suite in the directory

dcelocal/bin on the machine. The dfsgw command suite provides a local interface to the authentication table maintained on the Gateway Server machine. Commands in the dfsgw suite can be used to add, delete, and view mappings in the authentication table. (See “Authenticating to DCE from a Gateway Server Machine” on page 21, “Determining Whether a Speciﬁc User Is Authenticated to DCE” on page 22, and “Displaying Information About All Users Who Are Authenticated to DCE” on page 22 for information about using these commands.)

3. Export the DCE global root directory, /..., via NFS. This is typically

accomplished via the share command; the exact command and procedure depends on your vendor’s implementation of NFS, as detailed in the vendor documentation.

The Gateway Server machine is now conﬁgured to provide DCE authentication only via the dfsgw add command. Repeat these steps on each DFS client that is to be conﬁgured as a Gateway Server in this manner. If you later decide to allow users to authenticate to DCE from NFS clients that contact the Gateway Server, simply perform the steps in “Conﬁguring a Gateway Server and Enabling Remote Authentication” on page 7 on the Gateway Server machine.

6 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

Conﬁguring a Gateway Server and Enabling Remote Authentication

Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; they authenticate from an NFS client by issuing the dfs_login command. A Gateway Server machine to be conﬁgured in this manner runs the Gateway Server process (dfsgwd). The steps in “Conﬁguring the Gateway Server Process” on page 9 conﬁgure the dfsgwd process on the Gateway Server machine.

It is recommended that a Gateway Server machine conﬁgured in this way also runs the Basic OverSeer (BOS) Server to monitor and simplify administration of the dfsgwd process. The steps in “Conﬁguring the BOS Server Process” conﬁgure a BOS Server process (bosserver) on the Gateway Server machine. Perform the steps in “Conﬁguring the BOS Server Process” only if the BOS Server is not already running on the machine. (Note that you typically run the BOS Server only on DFS servers, but you can run it on DFS clients. See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server.)

Conﬁguring the BOS Server Process

To conﬁgure the BOS Server process (bosserver), perform the following steps on the machine to be conﬁgured as a Gateway Server. In all cases, hostname is the hostname of the local machine. (Note that it can be necessary to install the bosserver binary ﬁle on the machine if it is not already present.)

1. Authenticate to DCE as a principal who has the following ACL

permissions on entries in the registry database:

v The i permission on the directory hosts/hostname. v The m, a, u, g, and c permissions on the principal

hosts/hostname/dfs-server. The principal is created during the conﬁguration steps.

v The t and M permissions on the group subsys/dce/dfs-admin. v The R, t, and M permissions on the organization none. v The r permission on the registry Policy object for the DCE cell.

This requirement is most easily met by authenticating to a privileged DCE identity (for example, cell_admin or a principal who is a member of the group acct-admin).

2. Create the principal hosts/hostname/dfs-server, and create an account for

the principal. In the commands, password is the password of the DCE identity to which you are authenticated.

Chapter 2. Conﬁguring Gateway Server Machines 7

$ dcecp dcecp> principal create hosts/hostname/dfs-server dcecp> account create hosts/hostname/dfs-server -group subsys/dce/dfs-admin

-org none -password password mypwd password

3. Grant the group subsys/dce/dfs-admin the appropriate permissions on

the ACL for the hosts/hostname/dfs-server principal in the registry database:

dcecp> acl mod /.:/sec/principal/hosts/hostname/dfs-server

-add {group subsys/dce/dfs-admin rcDnfmag} dcecp> exit

4. Use the su command to become the local superuser root on the machine:

$ su Password: root_password

5. Add a server key for the hosts/hostname/dfs-server principal to the

/krb5/v5srvtab keytab ﬁle on the machine. The dced process recognizes

the keytab ﬁle by the entry name self. The command creates the keytab ﬁle if the ﬁle does not already exist. In the commands, password is the

password of the DCE identity to which you were authenticated when you created the principal.

# dcecp dcecp> keytab add self -member hosts/hostname/dfs-server -key password dcecp> keytab add self -member hosts/hostname/dfs-server -random -registry dcecp> exit

6. Remove the BosConﬁg ﬁle and any administrative lists that possibly exist

from a previous conﬁguration of the BOS Server on the machine:

# rm -f dcelocal/var/dfs/BosConfig # rm -f dcelocal/var/dfs/admin.*

7. Start the bosserver process with DFS authorization checking disabled.

The process creates a new BosConﬁg ﬁle and a new admin.bos ﬁle, which is the administrative list for the BOS Server.

# dcelocal/bin/bosserver -noauth &

8. Add the group subsys/dce/dfs-admin to the admin.bos ﬁle:

# dcelocal/bin/bos addadmin -server /.:/hosts/hostname -adminlist admin.bos

-group subsys/dce/dfs-admin

9. Enable DFS authorization checking by the BOS Server:

# dcelocal/bin/bos setauth -server /.:/hosts/hostname -authchecking on

10. Conﬁgure the bosserver process to start automatically when the system is

restarted by removing the two number signs (#) from the following line of the /etc/rc.dfs ﬁle (or its equivalent):

##daemonrunning $DCELOCAL/bin/bosserver

The BOS Server is now fully conﬁgured on the machine.

8 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

Conﬁguring the Gateway Server Process

To conﬁgure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be conﬁgured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local machine.

Note: You need to perform some steps only when you conﬁgure the ﬁrst

Gateway Server process. Such steps are qualiﬁed with the phrase for the ﬁrst Gateway Server process.

1. If you have not already done so, perform all the steps in “Conﬁguring a

Gateway Server Without Enabling Remote Authentication” on page 6 to install the dfsgw binary ﬁle on the machine and to export /... from the machine.

2. If you have not already done so, log in as the local superuser root on the

machine.

3. Install the binary ﬁle for the dfsgwd process in the directory dcelocal/bin

on the machine. The dfsgwd process provides users of NFS clients with a remote interface to the authentication table maintained on the Gateway Server machine.

4. Add the dfsgw service to the Internet services database. The dfsgw

service provides the login facility for the NFS/DFS Secure Gateway. To add the service, do one of the following:

v If you use the /etc/services ﬁle in your environment, add an entry for

the dfsgw service to the /etc/services ﬁle on the machine.

v If you use a Network Information Service (NIS) services map in your

environment, add an entry for the dfsgw service to the NIS services map ﬁle on the NIS master. Add the entry to the services map only for the ﬁrst Gateway Server process; do not add the entry for additional Gateway Server processes or NFS clients.

In either case, you need to add the following entry for the service:

dfsgw 438/udp dlog

where dfsgw is the name of the service, 438 is the port at which the service receives RPCs, udp is the protocol the service uses to communicate, and dlog is an alias for the dfsgw service.

5. Authenticate to DCE as a principal who has the following ACL

permissions on entries in the registry database:

v The i permission on the directory hosts/hostname. v For the ﬁrst Gateway Server process, the i permission on the directory

subsys/dce.

Chapter 2. Conﬁguring Gateway Server Machines 9

v The m, a, u, and g permissions on the principal hosts/hostnamedfsgw-

server. The principal is created during the conﬁguration steps.

v The t and M permissions on the group subsys/dce/dfsgw-admin. The

group is created during the conﬁguration steps.

v The R, t, and M permissions on the organization none. v The r permission on the registry Policy object for the DCE cell.

This requirement is most easily met by authenticating to a privileged DCE identity (for example, cell_admin or a principal who is a member of the group acct-admin).

6. Invoke the dcecp command:

$ dcecp

7. For the ﬁrst Gateway Server process, create the group subsys/dce/dfsgw-

admin in the registry database. Use the following dcecp command to

create the group:

dcecp> group create subsys/dce/dfsgw-admin

8. Create the principal hosts/hostname/dfsgw-server, and create an account

for the principal. The Gateway Server process communicates as the principal hosts/hostname/dfsgw-server. In the commands, password is the password of the DCE identity to which you are authenticated.

dcecp> principal create hosts/hostname/dfsgw-server dcecp> account create hosts/hostname/dfsgw-server -group subsys/dce/dfsgw-admin

-org none -password password -mypwd password dcecp> exit

9. Use the su command to become the local superuser root on the machine:

$ su Password: root_password

10. Add a server key for the hosts/hostname/dfsgw-server principal to the

krb5/v5srvtab keytab ﬁle on the machine. The dced process recognizes

the keytab ﬁle by the entry name self. In the commands, password is the password of the DCE identity to which you were authenticated when you created the principal.

# dcecp dcecp> keytab add self -member hosts/hostname/dfsgw-server -key password dcecp> keytab add self -member hosts/hostname/dfsgw-server -random -registry dcecp> exit

11. Log out as the local superuser root to return to your authenticated DCE

identity.

12. If your current DCE identity is not included in the

dcelocal/var/dfs/admin.bos ﬁle on the machine, either add the identity to the ﬁle or authenticate to DCE as a principal that is included in the ﬁle. You can use the bos lsadmin command to list the principals and groups included in the admin.bos ﬁle:

$ dcelocal/bin/bos lsadmin -server /.:/hosts/hostname -adminlist admin.bos

10 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference

13. Create a simple BOS Server process named dfsgw to run the dfsgwd

server process:

$ dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw

-type simple -cmd dcelocal/bin/dfsgwd

The Gateway Server process is now fully conﬁgured on the machine.

Chapter 2. Conﬁguring Gateway Server Machines 11

+ 46 hidden pages