Description

The dfsgw add command authenticates a user to DCE. The command contacts the DCE Security Service to obtain a TGT for the user. To obtain a TGT, a user must have a valid account in the registry database of the DCE cell. The TGT is used to create a valid login context for the user. The login context includes a Process Activation Group (PAG), which DFS stores in the kernel of the Gateway Server machine to identify the user’s TGT. The TGT serves as the user’s DCE credentials to provide authenticated access to files and directories in the DFS filespace from the specified NFS client.

The dfsgw add command adds an entry for the user to the authentication table on the local Gateway Server machine. The entry is a mapping that pairs the user’s UID and the network address of the NFS client for which the user has DCE credentials with the user’s PAG. Because each Gateway Server machine maintains its own authentication table, you must issue the command on the Gateway Server machine on which an entry is to be added to the authentication table.

The dfsgw add command returns an exit value of 0 (zero) if it adds an entry for the user to the authentication table. Otherwise, it returns a nonzero exit value.

DCE credentials obtained with the command are valid for the default ticket lifetime in effect in the registry database of the DCE cell. DCE credentials can be refreshed by issuing the dfsgw add command before they expire. In this case, the command automatically associates the user with the DCE principal; the principal name does not have to be supplied again. After the credentials expire, they can no longer be used for authenticated access to DFS. You must obtain new credentials by issuing the dfsgw add command.

The dfsgw add command does not obtain a new TGT if you do not name a principal other than yourself on the command line and you already have a valid TGT in the current login context. If you do not already have an entry in the authentication table for the specified NFS client, the command uses your existing PAG to create a new entry for you. If you already have an entry in the authentication table for the NFS client, the command refreshes your DCE credentials.

Use the dfsgw delete command to end an authenticated session by removing an entry from the authentication table.
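The create, refresh, expire and delete behaviour described above, as a constructed model added here (not code from the IBM gateway): the table is keyed by UID and NFS client address and maps to a PAG, with time passed in explicitly and PAG numbers and client addresses being made-up sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Entry:
    pag: int            # Process Activation Group identifying the user's TGT
    expires_at: float   # when the DCE credentials behind this entry expire


class GatewayAuthTable:
    """Constructed model of one Gateway Server's authentication table.

    Keys are (UID, NFS client address); values carry the user's PAG.
    Time is passed in explicitly so expiry can be exercised deterministically.
    """

    def __init__(self, ticket_lifetime_s: float) -> None:
        self.lifetime = ticket_lifetime_s           # default ticket lifetime of the cell
        self.entries: Dict[Tuple[int, str], Entry] = {}
        self._next_pag = 1000                       # constructed numbering, not how DFS allocates PAGs

    def _new_tgt(self) -> int:
        """Stand-in for contacting the DCE Security Service for a fresh TGT and PAG."""
        pag, self._next_pag = self._next_pag, self._next_pag + 1
        return pag

    def add(self, uid: int, client: str, now: float,
            existing_pag: Optional[int] = None) -> int:
        """dfsgw add: create or refresh the (uid, client) entry and return its PAG."""
        key = (uid, client)
        entry = self.entries.get(key)
        if entry is not None and now < entry.expires_at:
            entry.expires_at = now + self.lifetime   # refresh; principal need not be re-supplied
            return entry.pag
        # No usable entry: reuse the issuer's valid TGT (existing PAG) or obtain a new one.
        pag = existing_pag if existing_pag is not None else self._new_tgt()
        self.entries[key] = Entry(pag, now + self.lifetime)
        return pag

    def delete(self, uid: int, client: str) -> bool:
        """dfsgw delete: end the session; True if an entry was removed."""
        return self.entries.pop((uid, client), None) is not None

    def lookup(self, uid: int, client: str, now: float) -> Optional[int]:
        """PAG the gateway would attach to an NFS request, or None if unauthenticated/expired."""
        entry = self.entries.get((uid, client))
        if entry is None or now >= entry.expires_at:
            return None
        return entry.pag
```

The lookup step is the security-relevant check: a request from a client address or UID without a live entry, or with an expired one, gets no DCE credentials.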

Privileges Required

The issuer must be logged into the Gateway Server machine either as the user for whom credentials are to be created or as the local superuser root.

Chapter 5. Configuration File and Command Reference 31

IBM NFS/DFS Secure Gateway manual