Authenticated access is available to users who have accounts in the DCE cell. When an authenticated user accesses an object in the DFS filespace, the user receives the permissions associated with the DCE identity to which the user is authenticated. When the user creates an object, the object is owned by the user and the user's primary group.
To authenticate to DCE, you can issue either of the following commands, both of which establish credentials recognized by the DCE Security Service:
· From an NFS client, enter the dfs_login command. (See Authenticating to DCE from an NFS Client.)
· From a Gateway Server machine, enter the dfsgw add command. (See Authenticating to DCE from a Gateway Server Machine.)
A user who desires authenticated access to DFS must have a principal and account in the registry database of the DCE cell. An entry must exist for the user in the /etc/passwd file on the machine configured as a Gateway Server and on each NFS client from which the user is to access DCE. The user's UID in the /etc/passwd file must match the user's UID in the DCE registry database. (On a DCE client, the passwd_export command can be used to keep /etc/passwd files current with respect to the registry database; see the OSF DCE DFS Administration Guide--Core Components for more information.)
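The UID-matching requirement above can be checked mechanically. The following is an added example, not part of the original guide: it assumes a passwd-format listing of the registry accounts is available as a file, and the function name, file names and sample entries are all constructed for illustration.

```shell
# uid_mismatches REGISTRY_FILE PASSWD_FILE
# Both files are in passwd format (name:passwd:uid:gid:...).
# Prints one line per registry user that is missing from PASSWD_FILE or has
# a different UID there; prints nothing when every registry user matches.
uid_mismatches() {
    awk -F: '
        /^#/ || NF < 3 { next }                      # skip comments and short lines
        FILENAME == ARGV[1] { reg[$1] = $3; next }   # UID recorded in the registry listing
        { loc[$1] = $3 }                             # UID recorded on this machine
        END {
            for (u in reg) {
                if (!(u in loc))
                    printf "MISSING %s registry_uid=%s\n", u, reg[u]
                else if (loc[u] != reg[u])
                    printf "MISMATCH %s registry_uid=%s local_uid=%s\n", u, reg[u], loc[u]
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample data: bob has a different UID on the Gateway Server,
# and carol has no local entry at all.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/registry.passwd" <<'EOF'
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:1002:100:Bob:/home/bob:/bin/sh
carol:*:1003:100:Carol:/home/carol:/bin/sh
EOF
    cat > "$tmp/gateway.passwd" <<'EOF'
root:*:0:0:root:/:/bin/sh
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:*:2002:100:Bob:/home/bob:/bin/sh
EOF
    uid_mismatches "$tmp/registry.passwd" "$tmp/gateway.passwd"
    rm -rf "$tmp"
}

demo
```

Run the same comparison against the passwd file of the Gateway Server and of each NFS client, since the requirement applies to every one of them.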
The dfs_login and dfsgw add commands do not obtain a new TGT if you already have a valid TGT in your current login context and you do not request DCE credentials for a different user. However, the commands do allow you to use your existing TGT to establish authenticated access to DFS from additional NFS clients. If you do not already have an entry in the authentication table for an NFS client from which you request authenticated access, the commands create a new entry for you, using the existing TGT as the basis of the new entry; if you already have an entry in the authentication table for the NFS client, the commands have no effect. In either case, the commands do not affect existing entries in the authentication table, and they do not affect the remaining ticket lifetime of your existing TGT.
DCE credentials (tickets) expire after the lifetime specified by the DCE Security Service. Once they expire, the tickets can no longer be used for authenticated access. To end an authenticated session before the ticket lifetime has passed, you can issue either of the following commands:
· From the NFS client from which authenticated access to DFS is provided, enter the dfs_logout command. (See Authenticating to DCE from an NFS Client.)
· From the Gateway Server machine via which DFS is accessed, enter the dfsgw delete command. (See Authenticating to DCE from a Gateway Server Machine.)
Both commands remove the entry from the authentication table that provides authenticated access from the NFS client. Regardless of which command you used to establish the DCE credentials (dfs_login or dfsgw add), you can end the authenticated session with the dfs_logout command or the dfsgw delete command. Neither command affects authenticated access from other NFS clients. If your DCE credentials are the basis of another entry in the authentication table, you still have authenticated access via that other entry.
To refresh your DCE credentials before they expire, use the kinit command to obtain new credentials, then use the dfs_login or dfsgw add command to replace your existing TGT with the new TGT. This procedure provides you with authenticated access to DFS for the ticket lifetime of your new TGT. If you do not have access to the kinit command, you cannot refresh your DCE credentials.
Note that if you configure multiple Gateway Server machines, each server machine houses its own authentication table. The dfs_login and dfs_logout commands affect entries only in the authentication table maintained on the Gateway Server machine they contact; commands in the dfsgw suite affect entries only in the authentication table on the machine on which they are issued.
More:
Authenticating to DCE from an NFS Client
Authenticating to DCE from a Gateway Server Machine
Determining Whether a Specific User is Authenticated to DCE
Displaying Information About All Users Who are Authenticated to DCE