IBM NFS/DFS Secure Gateway Network Router User Manual


 
Configuring a Gateway Server and Enabling Remote Authentication

Perform the steps in this section to enable DCE authentication either from a
Gateway Server machine or from NFS clients that contact the Gateway Server.
Users authenticate from the Gateway Server machine by issuing the dfsgw
add command; they authenticate from an NFS client by issuing the dfs_login
command. A Gateway Server machine to be configured in this manner runs
the Gateway Server process (dfsgwd). The steps in "Configuring the Gateway
Server Process" on page 9 configure the dfsgwd process on the Gateway
Server machine.

It is recommended that a Gateway Server machine configured in this way also
run the Basic OverSeer (BOS) Server to monitor and simplify administration
of the dfsgwd process. The steps in "Configuring the BOS Server Process"
configure a BOS Server process (bosserver) on the Gateway Server machine.
Perform the steps in "Configuring the BOS Server Process" only if the BOS
Server is not already running on the machine. (Note that you typically run the
BOS Server only on DFS servers, but you can run it on DFS clients. See the
IBM DFS for AIX and Solaris Administration Guide for more information about
the BOS Server.)

Configuring the BOS Server Process

To configure the BOS Server process (bosserver), perform the following steps
on the machine to be configured as a Gateway Server. In all cases, hostname is
the hostname of the local machine. (Note that it can be necessary to install the
bosserver binary file on the machine if it is not already present.)

1. Authenticate to DCE as a principal who has the following ACL
   permissions on entries in the registry database:
   - The i permission on the directory hosts/hostname.
   - The m, a, u, g, and c permissions on the principal
     hosts/hostname/dfs-server. The principal is created during the
     configuration steps.
   - The t and M permissions on the group subsys/dce/dfs-admin.
   - The R, t, and M permissions on the organization none.
   - The r permission on the registry Policy object for the DCE cell.
   This requirement is most easily met by authenticating to a privileged
   DCE identity (for example, cell_admin or a principal who is a member
   of the group acct-admin).
2. Create the principal hosts/hostname/dfs-server, and create an account for
   the principal. In the commands, password is the password of the DCE
   identity to which you are authenticated.

Chapter 2. Configuring Gateway Server Machines 7