Configuring a Gateway Server and Enabling Remote Authentication

Perform the steps in this section to enable DCE authentication either from a Gateway Server machine or from NFS clients that contact the Gateway Server. Users authenticate from the Gateway Server machine by issuing the dfsgw add command; they authenticate from an NFS client by issuing the dfs_login command. A Gateway Server machine to be configured in this manner runs the Gateway Server process (dfsgwd). The steps in “Configuring the Gateway Server Process” on page 9 configure the dfsgwd process on the Gateway Server machine.

It is recommended that a Gateway Server machine configured in this way also runs the Basic OverSeer (BOS) Server to monitor and simplify administration of the dfsgwd process. The steps in “Configuring the BOS Server Process” configure a BOS Server process (bosserver) on the Gateway Server machine. Perform the steps in “Configuring the BOS Server Process” only if the BOS Server is not already running on the machine. (Note that you typically run the BOS Server only on DFS servers, but you can run it on DFS clients. See the IBM DFS for AIX and Solaris Administration Guide for more information about the BOS Server.)

Configuring the BOS Server Process

To configure the BOS Server process (bosserver), perform the following steps on the machine to be configured as a Gateway Server. In all cases, hostname is the hostname of the local machine. (Note that it can be necessary to install the bosserver binary file on the machine if it is not already present.)

1. Authenticate to DCE as a principal who has the following ACL permissions on entries in the registry database:

   • The i permission on the directory hosts/hostname.

   • The m, a, u, g, and c permissions on the principal hosts/hostname/dfs-server. The principal is created during the configuration steps.

   • The t and M permissions on the group subsys/dce/dfs-admin.

   • The R, t, and M permissions on the organization none.

   • The r permission on the registry Policy object for the DCE cell.

This requirement is most easily met by authenticating to a privileged DCE identity (for example, cell_admin or a principal who is a member of the group acct-admin).

2. Create the principal hosts/hostname/dfs-server, and create an account for the principal. In the commands, password is the password of the DCE identity to which you are authenticated.
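
A preflight check for the permission list in step 1, as an added example that is not part of the IBM manual: it compares the permission letters an identity holds against the letters step 1 requires, matching case-sensitively because the list uses both R and r, and both M and m. The hostname, the object labels and the granted table are constructed for illustration; in practice the granted letters would be copied from the cell's ACL listings.

```shell
#!/bin/sh
HOST="gw1.example.com"   # constructed placeholder for "hostname"

# Letters required in step 1, one registry object per line (labels are this example's own).
required_acl() {
  cat <<EOF
directory:hosts/$HOST i
principal:hosts/$HOST/dfs-server maugc
group:subsys/dce/dfs-admin tM
organization:none RtM
policy:registry r
EOF
}

# Constructed sample of what the logged-in identity holds on the same objects.
SAMPLE_GRANTED="directory:hosts/$HOST ri
principal:hosts/$HOST/dfs-server rmaug
group:subsys/dce/dfs-admin rtM
organization:none rtM
policy:registry r"

# missing_perms REQUIRED GRANTED: print each required letter absent from GRANTED.
# The match is case-sensitive, so a granted "r" does not satisfy a required "R".
missing_perms() {
  req=$1; granted=$2; out=""
  while [ -n "$req" ]; do
    rest=${req#?}; c=${req%"$rest"}; req=$rest
    case $granted in
      *"$c"*) ;;
      *) out="$out$c" ;;
    esac
  done
  printf '%s' "$out"
}

# check_acl GRANTED_TABLE: report every object with a gap; return 1 if any exists.
check_acl() {
  granted_table=$1; status=0
  while read -r obj req; do
    got=$(printf '%s\n' "$granted_table" | awk -v o="$obj" '$1 == o { print $2 }')
    miss=$(missing_perms "$req" "$got")
    if [ -n "$miss" ]; then echo "$obj missing: $miss"; status=1; fi
  done <<EOF
$(required_acl)
EOF
  return $status
}

check_acl "$SAMPLE_GRANTED" || echo "grant the missing permissions before step 2"
```
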

Chapter 2. Configuring Gateway Server Machines 7

IBM NFS/DFS Secure Gateway manual Configuring the BOS Server Process