IBM Distributed Computing Environment for AIX, Version 2.2; (C) IBM Corporation

Administration Guide -- Core Components


Creating Trust Relationships

To create peer-to-peer relationships, follow these steps:

  1. Run the registry connect command to create cross-cell authentication accounts (an account in your cell's registry and another account in the foreign cell's registry).

  2. Optionally, use the account modify command to fine-tune the attributes of the account, which were assigned default values when the account was created. For example, the account's expiration date (the expdate attribute) defaults to none. You may want to enter a date to ensure that the account must be actively renewed after a period of time.

  3. Ensure that the system administrator in the foreign cell changes the acctvalid flag of the account that represents your cell to yes, indicating that the account is valid. If one or both accounts are invalid, no cross-cell communication can take place.

Command Options for the registry connect Command

When you use the registry connect command, you must supply the fully qualified name of the foreign cell with which you will establish a peer-to-peer relationship. This name is stripped of the full pathname, prefixed with krbtgt, and used as the primary name of the account's principal. For example, if you enter a cell name of /.../dresden.com, the principal name is krbtgt/dresden.com. The unchanged cell name is stored as the principal's full name.

Note that registry connect uses your local cell name for the primary name of the local cell's account principal. This name is stripped of the full pathname and prefixed with krbtgt, just as the foreign cell name is.

You can supply the following options to the registry connect command:

-acctvalid, -facctvalid
The setting that marks an account as being valid. A valid local account (-acctvalid) allows users from the foreign cell to log in to nodes in the local cell. A valid foreign account (-facctvalid) allows users from the local cell to log in to nodes in the foreign cell. The default is invalid for each option.

-expdate
The time and date that both the local and the foreign cell's account expires, and the peer-to-peer relationship is ended, prohibiting any further authenticated communications between principals in the two cells. To renew the account, change the date in this field. The default is none.

-facct, -facctpw
The system administrator in the foreign cell must provide you with the name and password of an account in the foreign cell. The foreign account must have the permissions that are required to create principals and accounts. You need the account to access the foreign registry in order to create the account that represents your cell in the foreign cell's registry. The lifetime and creation quota of this account should be limited to only what is necessary to complete the task.

-group, -fgroup
The group name to be associated with the account in the local cell (-group) and the foreign cell (-fgroup). These groups have no meaning for the accounts and are not associated with any users in the foreign or local cell. You must enter them because it is a requirement of the registry that all accounts be associated with groups. If the group does not exist, it will be created.

-mypwd
The registry connect command does not prompt you for a password for the accounts that you are creating; it generates this password randomly. However, you must supply your own password with the -mypwd option to validate your identity.

-org, -forg
The organization name to be associated with the account in the local cell (-org) and the foreign cell (-forg). These organizations have no meaning for the accounts and are not associated with any users in the foreign or local cell. You must enter them because it is a requirement of the registry that all accounts be associated with organizations. If the organization does not exist, it will be created.

Creating Cross-Cell Authentication Accounts Example

The following sample registry connect command is used to create an account for the foreign cell identified by /.../dresden.com. The local account is associated with the group named cell_group_local and the organization named cell_org_local; the account created in the foreign cell is associated with the group named cell_group_dres and the organization named cell_org_dres. The expiration date for the accounts is allowed to default to none.

dcecp> registry connect /.../dresden.com -facct cell_log -facctpw music \
> -group cell_group_local -fgroup cell_group_dres \
> -org cell_org_local -forg cell_org_dres -mypwd cell_admin
dcecp>
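The three-step procedure above (connect, fine-tune, validate), carried through end to end in one dcecp script, as an added example that is not part of this manual. dcecp scripts are Tcl, so the script can also derive the krbtgt/ principal name from the cell name the way the registry does, instead of hard-coding it. The cell name, account names, passwords and expiration date are constructed for the illustration; the registry connect options follow the text above, while the yyyy-mm-dd-hh:mm:ss timestamp format for -expdate is an assumption.

```tcl
# Added example, not from the IBM DCE manual. Run as: dcecp this_script
# after a dce_login as the local cell administrator (here assumed to be
# cell_admin). All names, passwords and dates below are constructed.

# The registry forms the cross-cell principal name by stripping the "/.../"
# prefix from the cell name and prefixing the remainder with "krbtgt".
proc krbtgt_name {cell} {
    regsub {^/\.\.\./} $cell {} short
    return "krbtgt/$short"
}

set foreign_cell /.../dresden.com
set prin [krbtgt_name $foreign_cell]     ;# krbtgt/dresden.com

# Step 1: create both cross-cell accounts. The foreign administrator supplied
# cell_log/music, a short-lived account that may create principals and
# accounts in the foreign registry. Without -acctvalid/-facctvalid both new
# accounts start out invalid.
if {[catch {
    registry connect $foreign_cell -facct cell_log -facctpw music \
        -group cell_group_local -fgroup cell_group_dres \
        -org cell_org_local -forg cell_org_dres -mypwd cell_admin
} err]} {
    puts stderr "registry connect failed: $err"
    exit 1
}

# Step 2: do not leave expdate at "none"; an expiring account forces the
# trust to be consciously renewed. (Assumed dcecp timestamp format.)
account modify $prin -expdate 2001-12-31-23:59:59

# Step 3, local side: mark the account that represents dresden.com valid so
# that its users can log in to nodes in this cell. The administrator in
# dresden.com must run the matching "account modify ... -acctvalid yes" on
# the account that represents this cell in the dresden.com registry.
account modify $prin -acctvalid yes

# Verify what the registry actually holds. account show returns a list of
# {attribute value} pairs; collect the two that decide whether the trust
# is usable and fail loudly if it is not.
set state(acctvalid) ""
set state(expdate) ""
foreach pair [account show $prin] {
    set state([lindex $pair 0]) [lindex $pair 1]
}
puts "$prin: acctvalid=$state(acctvalid) expdate=$state(expdate)"
if {$state(acctvalid) != "yes"} {
    puts stderr "account $prin is still invalid; cross-cell logins will fail"
    exit 1
}
```

Two practical notes. The passwords passed with -facctpw and -mypwd are visible on the command line (shell history, process listings), so run the script interactively or from a file with restrictive permissions and, as the text above advises, have the foreign administrator give the -facct account the shortest lifetime and smallest creation quota that still lets registry connect finish. Until both the local and the foreign account are valid, no cross-cell communication takes place, so the verification loop at the end only proves the local half of the relationship.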

The Accounts Created by the registry connect Command

The accounts and principals that are created by the registry connect command are given default attribute values listed in Table 23. These attributes apply to all foreign principals when they access objects in your cell. Likewise, the attributes of the account created for your cell in the foreign cell apply to all principals in your cell when they access objects in the foreign cell.

Table 23. Default Attribute Values of Cross-Cell Authorization Principals and Accounts

Information                 Meaning

Account Principal Name
    The local cell name for the local cell's account, or the foreign cell name for the foreign cell's account, stripped of its full pathname and prefixed with krbtgt.
fullname
    The cell's pathname.
quota
    Set to none. This quota applies to all principals who use the cross-cell authentication accounts to access objects in foreign cells. For example, if you change the object creation quota to 10, the total number of objects that can be created in your cell's registry by all foreign users who use the account to access your cell cannot exceed 10. It is not 10 per foreign principal. The object creation quota that is set for your cell's account in the foreign cell places the same restriction on the number of objects that your cell's principals can create in the foreign cell's registry.
description, home, shell
    Set to blank.
server
    Set to yes; that is, the account is a server that can engage in authenticated communications.
client
    Set to no.
pwdvalid
    Set to yes (valid).
acctvalid
    Set to no (not valid) unless the -acctvalid and -facctvalid options are used.
postdatedtkt
    Set to yes; that is, the account can be issued tickets with a start time in the future.
forwardabletkt
    Set to yes; that is, the account can be issued a new ticket-granting ticket with a network address that is different from the present ticket-granting ticket.
renewabletkt
    Set to yes; that is, the account's tickets can be renewed.
proxiabletkt
    Set to yes; that is, the account can be issued tickets with a different network address than the present tickets.
dupkey
    Set to yes; that is, the account's tickets can have duplicate keys.
goodsince
    Set to the date that the account was created.
maxtktlife
    Set to the registry policy.
maxtktrenew
    Set to the registry policy. The maxtktrenew attribute is not currently used by the DCE; any use of this option is unsupported at the present time.

