IBM NFS/DFS Secure Gateway User Manual

• The m, a, u, and g permissions on the principal hosts/hostname/dfsgw-server. The principal is created during the configuration steps.
• The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
• The R, t, and M permissions on the organization none.
• The r permission on the registry Policy object for the DCE cell.

This requirement is most easily met by authenticating to a privileged
DCE identity (for example, cell_admin or a principal who is a member of
the group acct-admin).

6. Invoke the dcecp command:

$ dcecp

7. For the first Gateway Server process, create the group subsys/dce/dfsgw-admin in the registry database. Use the following dcecp command to create the group:

dcecp> group create subsys/dce/dfsgw-admin

8. Create the principal hosts/hostname/dfsgw-server, and create an account
for the principal. The Gateway Server process communicates as the
principal hosts/hostname/dfsgw-server. In the commands, password is the
password of the DCE identity to which you are authenticated.

dcecp> principal create hosts/hostname/dfsgw-server

dcecp> account create hosts/hostname/dfsgw-server -group subsys/dce/dfsgw-admin -org none -password password -mypwd password

dcecp> exit

9. Use the su command to become the local superuser root on the machine:

$ su

Password: root_password

10. Add a server key for the hosts/hostname/dfsgw-server principal to the
krb5/v5srvtab keytab file on the machine. The dced process recognizes
the keytab file by the entry name self. In the commands, password is the
password of the DCE identity to which you were authenticated when
you created the principal.

# dcecp

dcecp> keytab add self -member hosts/hostname/dfsgw-server -key password

dcecp> keytab add self -member hosts/hostname/dfsgw-server -random -registry

dcecp> exit

11. Log out as the local superuser root to return to your authenticated DCE
identity.

12. If your current DCE identity is not included in the
dcelocal/var/dfs/admin.bos file on the machine, either add the identity to
the file or authenticate to DCE as a principal that is included in the file.
You can use the bos lsadmin command to list the principals and groups
included in the admin.bos file:

$ dcelocal/bin/bos lsadmin -server /.:/hosts/hostname -adminlist admin.bos

DFS for Solaris: NFS/DFS Secure Gateway Guide and Reference