Configuring the bos server process – IBM NFS/DFS Secure Gateway User Manual

Configuring a Gateway Server and Enabling Remote Authentication
Perform the steps in this section to enable DCE authentication either from a
Gateway Server machine or from NFS clients that contact the Gateway Server.
Users authenticate from the Gateway Server machine by issuing the dfsgw
command; they authenticate from an NFS client by issuing the dfs_login
command. A Gateway Server machine to be configured in this manner runs
the Gateway Server process (dfsgwd). The steps in “Configuring the Gateway
Server Process” on page 9 configure the dfsgwd process on the Gateway
Server machine.

It is recommended that a Gateway Server machine configured in this way also
run the Basic OverSeer (BOS) Server to monitor and simplify administration
of the dfsgwd process. The steps in “Configuring the BOS Server Process”
configure a BOS Server process (bosserver) on the Gateway Server machine.
Perform the steps in “Configuring the BOS Server Process” only if the BOS
Server is not already running on the machine. (Note that you typically run the
BOS Server only on DFS servers, but you can run it on DFS clients. See the
IBM DFS for AIX and Solaris Administration Guide for more information about
the BOS Server.)

Configuring the BOS Server Process
To configure the BOS Server process (bosserver), perform the following steps
on the machine to be configured as a Gateway Server. In all cases, hostname is
the hostname of the local machine. (Note that it can be necessary to install the
binary file on the machine if it is not already present.)
1. Authenticate to DCE as a principal who has the following ACL
   permissions on entries in the registry database:
   - The i permission on the directory hosts/hostname.
   - The m, a, u, g, and c permissions on the principal
     hostname/dfs-server. The principal is created during the
     configuration steps.
   - The t and M permissions on the group subsys/dce/dfs-admin.
   - The R, t, and M permissions on the organization none.
   - The r permission on the registry Policy object for the DCE cell.
   This requirement is most easily met by authenticating to a privileged
   DCE identity (for example, cell_admin or a principal who is a member
   of the group acct-admin).
2. Create the principal hosts/hostname/dfs-server, and create an account for
   the principal. In the commands, password is the password of the DCE
   identity to which you are authenticated.
Chapter 2. Configuring Gateway Server Machines