To configure the Gateway Server (dfsgwd) process, perform the following steps on the machine to be configured as a Gateway Server. The steps assume that the BOS Server is already running on the machine. In all of the steps, hostname is the hostname of the local machine.
Note: You need to perform some steps only when you configure the first Gateway Server process. Such steps are qualified with the phrase for the first Gateway Server process.
1. If you have not already done so, perform all of the steps in Configuring a Client Without Enabling Remote Authentication to install the dfsgw binary file on the machine and to export /... from the machine.
2. If you have not already done so, log in as the local root user on the machine.
3. Install the binary file for the dfsgwd process in the directory dcelocal/bin on the machine. The dfsgwd process provides users of NFS clients with a remote interface to the authentication table maintained on the Gateway Server machine.
4. Add the dfsgw service to the Internet services database. The dfsgw service provides the login facility for the DFS/NFS Secure Gateway. To add the service, do one of the following:
· If you use the /etc/services file in your environment, add an entry for the dfsgw service to the /etc/services file on the machine.
· If you use a Network Information Service (NIS) services map in your environment, add an entry for the dfsgw service to the NIS services map file on the NIS master. Add the entry to the services map only for the first Gateway Server process; do not add the entry for additional Gateway Server processes or NFS clients.
In either case, you need to add the following entry for the service:
dfsgw 438/udp dlog
where dfsgw is the name of the service, 438 is the port at which the service receives RPCs, udp is the protocol the service uses to communicate, and dlog is an alias for the dfsgw service. See the reference page for the services file for more information.
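For the /etc/services case in step 4, an idempotent check-and-append is safer than editing the file by hand, because a duplicate dfsgw line or a second service already bound to 438/udp silently breaks the Gateway login facility. The following POSIX sh function is an added example, not part of the DCE documentation: it adds the entry only when it is missing and reports a conflict instead of appending when 438/udp or the name dfsgw is already assigned. The sample services file it builds is constructed for the demonstration; run the function against the real /etc/services (as root) on the Gateway Server machine.

```shell
#!/bin/sh
# Added example (not from the original DCE documentation).
# ensure_dfsgw_entry <services-file>
#   0  entry present (already there, or appended now)
#   2  port 438/udp already assigned to another service name
#   3  dfsgw already defined on a different port/protocol
ensure_dfsgw_entry() {
    svc_file="$1"
    # Expected entry already present: nothing to do (idempotent).
    if grep -Eq '^dfsgw[[:space:]]+438/udp' "$svc_file"; then
        return 0
    fi
    # 438/udp already bound to some other service: do not append a duplicate port.
    if grep -Eq '^[^#[:space:]]+[[:space:]]+438/udp' "$svc_file"; then
        echo "conflict: 438/udp is already assigned in $svc_file" >&2
        return 2
    fi
    # dfsgw defined with another port or protocol: report rather than duplicate.
    if grep -Eq '^dfsgw[[:space:]]' "$svc_file"; then
        echo "conflict: dfsgw is already defined on another port in $svc_file" >&2
        return 3
    fi
    # Append the entry exactly as the documentation specifies (dlog is the alias).
    printf 'dfsgw\t\t438/udp\t\tdlog\n' >> "$svc_file"
    return 0
}

# Constructed sample services file for the demonstration (not a real system file).
demo_dir=$(mktemp -d)
demo_svc="$demo_dir/services"
cat > "$demo_svc" <<'EOF'
# constructed sample entries
ftp             21/tcp
telnet          23/tcp
domain          53/udp
EOF
ensure_dfsgw_entry "$demo_svc" && grep '^dfsgw' "$demo_svc"
rm -rf "$demo_dir"
```

Running the function twice leaves exactly one dfsgw line; a non-zero return means the file needs a human look before the Gateway Server is started.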
5. Authenticate to DCE as a principal who has the following ACL permissions on entries in the registry database:
· The i permission on the directory hosts/hostname.
· For the first Gateway Server process, the i permission on the directory subsys/dce.
· The m, a, u, and g permissions on the principal hosts/hostname/dfsgw-server. The principal is created during the configuration steps.
· The t and M permissions on the group subsys/dce/dfsgw-admin. The group is created during the configuration steps.
· The R, t, and M permissions on the organization none.
· The r permission on the registry Policy object for the DCE cell.
This requirement is most easily met by authenticating to a privileged DCE identity (for example, cell_admin or a principal who is a member of the group acct-admin).
6. Invoke the dcecp command:
$ dcecp
7. For the first Gateway Server process, create the group subsys/dce/dfsgw-admin in the registry database. Use the following dcecp command to create the group:
dcecp> group create subsys/dce/dfsgw-admin
8. Create the principal hosts/hostname/dfsgw-server, and create an account for the principal. The Gateway Server process communicates as the principal hosts/hostname/dfsgw-server. Use the following dcecp commands to create the principal and account in the registry database. In the commands, password is the password of the DCE identity to which you are authenticated.
dcecp> principal create hosts/hostname/dfsgw-server
dcecp> account create hosts/hostname/dfsgw-server \
> -group subsys/dce/dfsgw-admin -org none -password password \
> -mypwd password
dcecp> exit
9. Use the su command to become the local root user on the machine:
$ su
Password: root_password
10. Add a server key for the hosts/hostname/dfsgw-server principal to the /krb5/v5srvtab keytab file on the machine. The dced process recognizes the keytab file by the entry name self. In the commands, password is the password of the DCE identity to which you were authenticated when you created the principal.
# dcecp
dcecp> keytab add self -member hosts/hostname/dfsgw-server \
> -key password
dcecp> keytab add self -member hosts/hostname/dfsgw-server \
> -random -registry
dcecp> exit
11. Log out as root to return to your authenticated DCE identity.
12. If your current DCE identity is not included in the dcelocal/var/dfs/admin.bos file on the machine, either add the identity to the file or authenticate to DCE as a principal who is included in the file. You can use the bos lsadmin command to list the principals and groups included in the admin.bos file:
$ dcelocal/bin/bos lsadmin -server /.:/hosts/hostname -adminlist admin.bos
13. Create a simple BOS Server process named dfsgw to run the dfsgwd server process:
$ dcelocal/bin/bos create -server /.:/hosts/hostname -process dfsgw \
-type simple -cmd dcelocal/bin/dfsgwd
The Gateway Server process is now fully configured on the machine.