When an unauthenticated user creates an object, the object is owned by the user nobody and the group nogroup. The UID of the user nobody is -2, and the GID of the group nogroup is also -2. (Identities and ID numbers of an unauthenticated user and group can vary between systems; see your vendor’s documentation for more information.)

Unauthenticated access is provided with the NFS/DFS Secure Gateway as a side effect of configuring Gateway Server machines and NFS clients. Unauthenticated access is available without the NFS/DFS Secure Gateway. Simply export /... from a DFS client that is also an NFS Server, and mount /... on each NFS client from which users are to access DFS.

Authenticated Access to DFS

Authenticated access is available to users who have accounts in the DCE cell. When an authenticated user accesses an object in the DFS filespace, the user receives the permissions associated with the DCE identity. When the user creates an object, the object is owned by the DCE principal and its primary group.

To authenticate to DCE, you can issue either of the following commands, both of which establish credentials recognized by the DCE Security Service:

• From an NFS client, issue the dfs_login command. (See “Authenticating to DCE from an NFS Client” on page 19 for more information.)

• From a Gateway Server machine, issue the dfsgw add command. (See “Authenticating to DCE from a Gateway Server Machine” on page 21 for more information.)

Note: The dfs_login and dfs_logout commands are not provided with DFS; these commands can be used only if they are available from your NFS vendor and have been installed on an NFS client. If these commands are not available, use the dfsgw add and dfsgw delete commands, which work in a similar fashion. See your NFS vendor documentation for the availability and use of the dfs_login and dfs_logout commands.

A user who desires authenticated access to DFS must have a principal and account in the registry database of the DCE cell. An entry must exist for the user in the /etc/passwd file on the machine configured as a Gateway Server and on each NFS client from which the user is to access DCE. It is recommended that the user’s UID in the /etc/passwd file match the user’s UID in the DCE registry database. (On a DCE client, the passwd_export command can be used to keep /etc/passwd files current with respect to the registry database; see the IBM Distributed Computing Environment for AIX and Solaris: Administration Guide - Core Components for more information.)
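
The UID-matching recommendation above can be checked mechanically. The following is an added example, not part of the IBM manual: it compares the content of a machine's /etc/passwd file with registry accounts, assuming the registry accounts are available as passwd-format lines, and it also flags a registry user whose local UID is the nobody UID (-2, or its unsigned 16-bit or 32-bit form). The function names, finding labels and sample accounts are constructed for illustration.

```python
# Added example. Assumption: registry accounts are given as passwd-format lines.
# UID -2 as it appears signed, or stored unsigned in 16 and 32 bits.
NOBODY_UIDS = {-2, 65534, 4294967294}

def parse_passwd(text):
    """Return {login: uid} from passwd-format text; skip malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue  # non-numeric UID field
    return users

def audit(local_text, registry_text):
    """Return sorted (login, finding) pairs for every registry user."""
    local = parse_passwd(local_text)
    findings = []
    for login, reg_uid in parse_passwd(registry_text).items():
        if login not in local:
            findings.append((login, "missing"))      # no local passwd entry
            continue
        if local[login] != reg_uid:
            findings.append((login, "mismatch"))     # UIDs differ
        if local[login] in NOBODY_UIDS:
            findings.append((login, "nobody-uid"))   # same UID as nobody
    return sorted(findings)

# Constructed sample data, not taken from any real system.
LOCAL = """\
alice:x:1001:100::/home/alice:/bin/sh
bob:x:2002:100::/home/bob:/bin/sh
dave:x:65534:100::/home/dave:/bin/sh
"""
REGISTRY = """\
alice:*:1001:12::/:
bob:*:1002:12::/:
carol:*:1003:12::/:
dave:*:1004:12::/:
"""

if __name__ == "__main__":
    for login, finding in audit(LOCAL, REGISTRY):
        print(f"{login}: {finding}")
```

Run the same comparison against the passwd file of the Gateway Server machine and of each NFS client, since an entry is required on all of them.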

18 DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference
