IBM Distributed Computing Environment for AIX, Version 2.2; (C) IBM Corporation

Administration Guide -- Core Components

First Edition (February 1998)

This edition applies to Version 2.2 of IBM Distributed Computing Environment for AIX and to all subsequent releases and modifications until otherwise indicated in new editions or technical newsletters.

Order publications through your IBM representative or the IBM branch office serving your locality. Publications are not stocked at the address below.

IBM welcomes your comments. Send your comments to the following address:

International Business Machines Corporation
Department VLXA
11400 Burnet Road
Austin, Texas 78758

When you send information to IBM, you grant IBM a nonexclusive right to use or distribute the information in any way it believes appropriate without incurring any obligation to you.

This documentation and the software to which it relates are derived in part from materials supplied by the following:

Copyright © 1995, 1996 Open Software Foundation, Inc.

Copyright © 1990, 1991, 1992, 1993, 1994, 1995, 1996 Digital Equipment Corporation

Copyright © 1990, 1991, 1992, 1993, 1994, 1995, 1996 Hewlett-Packard Company

Copyright © 1989, 1990, 1991, 1992, 1993, 1994, 1995, 1996 Transarc Corporation

Copyright © 1990, 1991 Siemens Nixdorf Informationssysteme AG

Copyright © 1988, 1989, 1995 Massachusetts Institute of Technology

Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California

Copyright © 1995, 1996 Hitachi, Ltd.

Licensee agrees that it will comply with and will require its Distributors to comply with all then applicable laws, rules and regulations (i) relating to the export or re-export of technical data when exporting or re-exporting a Licensed Program or Documentation, and (ii) required to limit a governmental agency's rights in the Licensed Program, Documentation or associated technical data by affixing a Restricted Rights notice to the Licensed Program, Documentation and/or technical data equivalent to or substantially as follows: "Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in DFARS 52.227-7013(c)(1)(i)-(ii); FAR 52.227-19; and FAR 52.227-14, Alternate III, as applicable or in the equivalent clause of any other applicable Federal government regulations."

© Copyright International Business Machines Corporation 1997. All rights reserved.
Note to U.S. government Users -- Documentation related to restricted rights -- Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule contract with IBM Corp.


Table of Contents

  • Figures

  • Tables

  • About This Book
  • Audience
  • Applicability
  • Purpose
  • Document Usage
  • Related Documents
  • Typographic and Keying Conventions
  • Problem Reporting
  • Pathnames of Directories and Files in DCE Documentation

  • The DCE Control Program

  • DCE Control Program Introduction
  • Flexible, Portable, and Extensible Administration
  • DCE Administration Objects
  • Using the DCE Control Program
  • Starting and Stopping dcecp
  • Invoking dcecp Operations
  • Doing More with dcecp
  • When to Use an Interactive Command or Script
  • Editing Command Lines
  • Editing the Current Command Line
  • Editing Command Lines with the history Command
  • Using the dcecp Help Facilities
  • Customizing dcecp Sessions
  • Adding Scripts to dcecp Sessions
  • Adding New Objects to the DCE Control Program
  • Environment Variables
  • Using the DCE Control Program Command Language
  • Chapter Preview
  • Variable Substitution
  • Command Substitution
  • Grouping Elements and Controlling Interpretation
  • Grouping Elements with Braces
  • Grouping Elements with Double Quotes
  • Including Special Characters with Backslashes
  • Documenting Scripts with Comments
  • Convenience Variables
  • Current Principal (User) Name (_u)
  • Current Cell Name (_c)
  • Current Host Name (_h)
  • Most Recent Operation Argument Name (_n)
  • Parent of _n (_p)
  • Last dcecp Object Name (_o)
  • Last Operation's Return Value (_r)
  • DCE Servers to Use (_s(xxx))
  • Last Security Server Used (_b(sec))
  • Most Recent Error Code (_e)
  • CDS Confidence Level (_conf)
  • Measuring and Counting with Expressions
  • Operating on Lists
  • Controlling Scripts
  • Conditionalizing with if Statements
  • Controlling Script Execution with Loops
  • Terminating Loops with continue and break
  • Testing with Patterns Before Execution with case
  • Creating Commands Dynamically
  • Reading Other Files as dcecp Scripts
  • Creating New Commands
  • String Manipulation
  • Constructing Strings
  • Parsing Strings
  • Other String Handling Operations
  • Dealing with Errors and Exceptions
  • Using Global Error Information Variables
  • Using catch to Trap Errors and Exceptions
  • Reissuing Complex Errors
  • Working with Files
  • Specifying Filenames
  • Reading and Writing Files
  • Spawning Subprocesses
  • Running Operating System Commands from a Script
  • Writing Scripts and dcecp Objects
  • Informal Administration Scripts
  • Formal Task Objects
  • A Model for Task Objects
  • Using the parseargs Procedure
  • Invoking Task Objects

  • DCE Administration Tasks

  • DCE Administration Task Objects
  • Using Task Objects to Simplify DCE Administration
  • Looking Beyond the Tools
  • Managing a DCE Cell
  • Showing All Configured DCE Servers and DCE Hosts
  • Testing Cell Operation
  • Backing Up the Security Service Registry and CDS
  • Changing the IP Address of a DCE Server
  • IP Address Changes for Client Machines
  • Changing the IP Address of a DFS Server
  • Modifying or Extending the Cell Object
  • Managing DCE Hosts
  • Listing the DCE Hosts in a Cell
  • Showing All Servers Configured for a DCE Host
  • Testing Whether a DCE Host is Running
  • Starting Configured DCE Processes on a Host
  • Stopping DCE Processes Running on a Host
  • Configuring a DCE Host in a Cell
  • Removing a DCE Host from a Cell
  • Modifying or Extending the Host Object
  • Managing DCE Users
  • Creating a New User
  • Showing User Information
  • Deleting a User
  • Modifying or Extending the User Object
  • Event Management Service (EMS)
  • Starting the EMS Server
  • Logging EMS Events
  • Managing EMS Consumers
  • Managing EMS Event Filters
  • Managing EMS Event Queues
  • Managing the EMS Daemon
  • Setting Permission for the EMS Server
  • Event Type Security Management
  • Event Filter Security Management
  • Consumer Security Management
  • EMS Security Initialization

  • DCE Host and Application Administration

  • Managing DCE Host Services and Host Data
  • DCE Host Services
  • Starting and Stopping DCE Host Services
  • Managing Host Data
  • Permissions for Accessing Host Data
  • Modifying Host Cell Name Information
  • Manipulating Data in Other Host Files
  • Routing Serviceability Messages
  • Serviceability Message Severity Levels
  • How to Route Serviceability Messages
  • DCE Application Administration
  • Controlling Server Operation
  • Common Server Configuration Needs
  • Configuring Servers
  • Listing and Retrieving Server Configuration Information
  • Unconfiguring Servers
  • Starting and Stopping Servers
  • Disabling and Enabling Services
  • Extending Server Configurations
  • Changing Server Configurations
  • Checking Whether Servers Are Running
  • Managing Client/Server Binding Information
  • Using the Endpoint Map for Easy Application Development and Administration
  • Automatic Endpoint Map Administration
  • Restricting Endpoints
  • Viewing Information in the Endpoint Map
  • Managing Server Entries, Groups, and Profiles in CDS
  • Using Unique Server Entry Names to Identify Individual Servers and Objects
  • Using Group Entries to Help Balance Server Workloads
  • Using Profiles to Direct Client Searches for Servers
  • Client Administration
  • Determining the Entry Name
  • Providing the Entry Name to Clients

  • Cell Directory Service

  • Introduction to the DCE Directory Service
  • How the DCE Components Use the DCE Directory Service
  • How to Use DCE Directory Services
  • Directory Services and the Cell Environment
  • How Cells Determine Naming Environments
  • Global Names
  • Cell-Relative Naming in a Standalone Cell
  • Cell-Relative Naming in a Hierarchy of Cells
  • Local Filenames
  • An In-Depth Analysis of DCE Names
  • CDS Names
  • X.500 Names
  • LDAP Names
  • DNS Names
  • Names Outside of the DCE Directory Service
  • CDS Concepts
  • How CDS Works
  • Replicas and Their Contents
  • Object Entries
  • Soft Links
  • Child Pointers
  • Summary
  • Security in the Cell Directory Environment
  • CDS User Interfaces
  • How CDS Looks Up Names
  • Translating from Names to Resources
  • How CDS Finds Names
  • The Solicitation and Advertisement Protocol
  • Lookups
  • The cdscache create Command
  • How CDS Updates Data
  • Update Propagation
  • Skulk Operation
  • How Timestamps Help Keep Data Consistent
  • Managing the DCE Directory Service
  • Using the DCE Control Program
  • CDS Managed Objects
  • DCE Control Program Operations for CDS
  • CDS Object Attributes
  • Using dcecp to Maintain CDS
  • Controlling Access to CDS Names
  • Overview of DCE Authorization for CDS
  • ACL Types Supported by CDS
  • How Permissions Propagate to CDS Directories and Their Contents
  • ACL Entry Types Used for Principals
  • DCE Permissions Supported by CDS
  • Controlling Access to CDS Clerk and Server Management Operations
  • Control Program Commands and Required Permissions
  • Editing ACLs on CDS Names
  • How CDS Servers Gain Access to the Namespace
  • Setting Up Access Control in a New Namespace
  • Adding Members to the Namespace Authorization Group
  • Creating Additional Authorization Groups
  • Establishing Maximum Permissions for Unauthenticated Principals
  • Managing Clerks, Servers, and Clearinghouses
  • Monitoring Clerk, Server, and Clearinghouse Counters
  • Displaying Clerk Counters
  • Displaying Server Counters
  • Displaying Clearinghouse Counters
  • Monitoring Clerk Communications with Specific Clearinghouses
  • Displaying the Contents of a Clearinghouse
  • Forcing the Clearinghouse to Checkpoint to Disk
  • Disabling Clerks and Servers
  • Disabling a Clerk
  • Disabling a Server
  • Restarting Clerks and Servers
  • Restarting a Clerk
  • Restarting a Server
  • Preserving a Clearinghouse Across a Server System Upgrade
  • Backing Up Namespace Information
  • Using Replication to Back Up Namespace Information
  • Using Operating System Backups
  • Managing CDS Directories
  • Creating Directories
  • Permissions for Creating a Directory
  • Entering the directory create Command
  • Checking the ACL Entries for a New Directory
  • Upgrading the Directory Version on the Cell Root Directory
  • Upgrading the Directory Version on a Directory
  • Creating a Read-Only Replica
  • Before You Create a Replica
  • Permissions for Creating Replicas
  • Entering the directory create Command
  • Deleting a Read-Only Replica
  • Permissions for Deleting a Replica
  • Entering the directory delete Command
  • Skulking a Directory
  • Permissions for Skulking a Directory
  • Entering the directory synchronize Command
  • Synchronizing CDS Server Clocks
  • Modifying a Directory's Convergence
  • Before You Modify a Directory's Convergence
  • Permissions for Modifying a Directory's Convergence
  • Entering the directory modify Command
  • Viewing the Structure and Contents of a Namespace
  • Viewing the Namespace with the CDS Browser
  • Displaying the Default Namespace
  • Expanding and Collapsing Selected Directories
  • Expanding and Collapsing the Entire Cell Namespace
  • Filtering the Namespace Display
  • Navigating the Namespace
  • Listing the Contents of Directories
  • Displaying the Attribute Values of CDS Names
  • Displaying Clerk and Server Attribute Information
  • Using the CDS Subtree Commands to Restructure CDS Directories
  • Overview of the Merge and Append Procedures
  • Merging CDS Directories
  • Appending CDS Directories
  • Modifying ACLs at the Target Location
  • Handling Errors
  • Duplicate Names
  • Unreachable Name Failures
  • Insufficient Permissions
  • Merging CDS Directories into a Foreign Cell
  • Establishing Cross-Cell Authentication
  • Performing a Merge Operation into a Foreign Cell
  • Restoring Merged CDS Directories
  • Restructuring a Namespace
  • Managing Soft Links
  • Creating a Soft Link
  • Changing a Soft Link's Destination Name
  • Changing a Soft Link's Expiration or Extension Value
  • Deleting a Soft Link
  • Modifying a Directory's Replica Set
  • Before You Modify a Replica Set
  • Permissions Required for Modifying a Replica Set
  • Designating a New Master Replica
  • Excluding a Replica from a Replica Set
  • Deleting Directories
  • Deleting a Nonreplicated Directory
  • Deleting a Directory Replica
  • Relocating a Clearinghouse
  • Dissociating a Clearinghouse from Its Host Server System
  • Copying the Clearinghouse Database Files to the Target Server System
  • Starting the Clearinghouse on the Target Server
  • Deleting a Clearinghouse
  • Before You Delete a Clearinghouse
  • Permissions for Deleting a Clearinghouse
  • Deleting a Clearinghouse
  • Managing Intercell Naming
  • How the Global Directory Agent Works
  • Managing the Global Directory Agent
  • Enabling Other Cells to Find Your Cell
  • Defining a Cell in the Domain Name System
  • Defining a Cell in an LDAP Server

  • DCE Distributed Time Service

  • Introduction to DCE Distributed Time Service
  • DTS Advantages
  • Applications Support
  • External Time-Provider Support
  • Manageability
  • Quantitative Inaccuracy Measurement
  • Basic DTS Concepts
  • Time Measurement Factors
  • Inaccuracy Values
  • Synchronizing System Clocks
  • How DTS Adjusts System Clocks
  • DTS Time Representation
  • How DTS Works
  • Clerks
  • Servers
  • Planning Your DTS Implementation
  • General Planning Guidelines
  • Configuring DTS for a LAN
  • Configuring DTS for an Extended LAN
  • Configuring DTS for WANs and WAN Links
  • LANs with WAN Links to Remote Sites
  • LANs Connected by WAN Links
  • WAN Cells
  • Planning for External Time-Providers
  • Managing the DCE DTS
  • Using the DCE Control Program
  • DTS Objects
  • dcecp Operations for DTS
  • DTS Object Attributes and Counters
  • DTS Timestamp Format
  • Reconfiguring DTS on Nodes
  • Stopping an Existing Clerk or Server
  • Creating a New Clerk or Server
  • Setting Clerk and Server Attribute Values
  • Temporarily Reconfiguring DTS
  • Modifying Clerk and Server Attributes
  • The minservers Attribute
  • Use of minservers Attribute with Global Servers
  • Use of minservers Attribute with Systems on Point-to-Point Lines
  • The maxinaccuracy Attribute
  • The syncinterval Attribute
  • The tolerance Attribute
  • The localtimeout, globaltimeout, and queryattempts Attributes
  • The serverentry and serverprincipal Attributes
  • Management Tasks Specific to Servers
  • Designating Global and Courier Servers
  • Matching Server Epochs
  • Setting the checkinterval Attribute for Connection to a Time-Provider
  • Changing the System Time
  • Updating the Time Monotonically
  • Updating the Time Nonmonotonically
  • Forcing System Synchronization
  • Controlling Access to DTS
  • Interoperation with Network Time Protocol
  • Getting the Time from NTP Time Sources
  • Getting the Time from Local NTP Time Sources
  • Getting the Time from Remote NTP Time Sources
  • Giving the Time to NTP Nodes
  • Preventing Loops

  • DCE Security Service

  • Overview of DCE Security
  • DCE Authentication Service Servers and Clients
  • Preferred Security Server Replica
  • The Registry Database
  • Physical Security of the Database
  • How the Registry Database is Stored
  • Replicated Databases
  • How Updates Are Handled
  • Master and Slave Replicas
  • Handling Database Updates
  • Propagating Database Changes
  • Master/Slave Authentication
  • The /etc/passwd and /etc/group Files and the Registry
  • The Local Registry
  • Names for Security Objects
  • Using Names with dcecp Security Commands
  • Using Names with the dcecp acl Command
  • Using Access Control Lists
  • Authorization Overview
  • ACL Managers
  • ACL Interpretation
  • Credentials Inherited by Processes
  • ACL Entries and Masks
  • ACL Syntax
  • ACL Entry Types for Principals and Groups
  • Group Permissions and Project Lists
  • Using Principal and Group ACL Entries
  • ACL Entry Types for Masks
  • ACL Entry Types for Dissimilar DCE Releases
  • The Checking Sequence for ACL Entries
  • Denying Access
  • ACL Management Tasks
  • Copying ACLs
  • Generating ACLs from Files
  • Container ACLs
  • Objects and Containers
  • Initial ACLs for Objects and Containers
  • Effect of Masks When Editing ACLs
  • Control Programs for Managing the DCE Security Service
  • Using the DCE Control Program
  • Security Service Objects
  • DCE Control Program Operations for the DCE Security Service
  • Using the Registry Editor
  • Starting, Stopping, and Getting Help
  • rgy_edit Commands for Local Registry Maintenance
  • Creating and Maintaining Principals, Groups, and Organizations
  • Principal, Group, and Organization Names
  • Primary Names
  • Full Names
  • Aliases
  • Name Formats
  • Reserved Principals and Accounts
  • Object Creation Quotas
  • Universal Unique Identifiers and UNIX IDs
  • Adding and Maintaining Principals
  • Adding Principals
  • Changing Principals
  • Deleting Principals and Aliases
  • Extended Security Attributes for Principals
  • DCE Authentication
  • Managing Invalid Login Handling
  • Managing Password Strength and Password Generation
  • Managing Password Expiration
  • Adding and Maintaining Groups and Organizations
  • Project Lists
  • Adding Groups and Organizations
  • Changing Groups and Organizations
  • Deleting Groups and Organizations
  • Maintaining Membership Lists
  • Effects of Account Creation on Membership Lists
  • Adding and Deleting Group Members
  • Creating and Maintaining Aliases for Principals or Groups
  • Creating Aliases
  • Changing Primary Names to Aliases and Vice Versa
  • Creating and Maintaining Accounts
  • User Accounts
  • Server Accounts
  • Passwords for Server Accounts
  • Steps for Creating Server Accounts
  • Machine Accounts
  • How Identities Represented by Accounts Are Authenticated
  • Privilege Attributes
  • Ticket-Granting Tickets and Tickets to Services
  • Displaying Privilege Attributes and Tickets
  • Destroying a Principal's Tickets
  • Adding Accounts
  • Setting Ticket Lifetimes
  • Ticket-Granting Ticket Lifetimes and Service Ticket Lifetimes
  • Adding Accounts Example
  • Modifying Accounts
  • Deleting Accounts
  • Creating, Maintaining, and Deleting Keytab Files
  • The Keytab File
  • Creating and Maintaining Keys and Keytab Files
  • Removing Keytab Files
  • Changing Server and Machine Passwords in the Keytab File
  • Handling Compromised Server or Machine Passwords in the Keytab File
  • Maintaining the Local Registry
  • The Registry Capacity Property
  • Setting the Capacity and Lifespan Properties
  • Purging Expired Entries
  • Creating and Using Extended Registry Attributes
  • The xattrschema Object
  • Creating and Maintaining Attribute Types
  • Creating Attribute Types
  • Modifying Attribute Types
  • Renaming Attribute Types
  • Deleting Attribute Types
  • Defining the ACL Managers for Attributes
  • Defining Attribute Type Encoding
  • Defining Attribute Trigger Servers
  • The -trigtype Option
  • The -trigbind Option
  • Creating and Maintaining Attribute Instances
  • Attaching Attribute Instances to Objects
  • Modifying Attribute Instances
  • Deleting Attribute Instances
  • Using Attribute Sets
  • Administering a Multicell Environment
  • Trust Relationships
  • Direct Trust Relationships
  • Establishing Trust Relationships
  • Constraints on Transitive Trust Relationships
  • Creating Trust Relationships
  • Command Options for the registry connect Command
  • Creating Cross-Cell Authentication Accounts Example
  • The Accounts Created by the registry connect Command
  • Modifying Cross-Cell Authentication Accounts
  • Viewing Registry Information
  • Displaying Account Information
  • Displaying Group and Organization Information
  • Displaying Principal Information
  • Displaying xattrschema Information
  • Displaying ACL Information
  • Displaying keytab Information
  • Maintaining Policies and Properties
  • Policies
  • Standard Policy
  • Authentication Policy
  • Handling Conflicting Policies
  • The Effects of Changes on Existing Policies
  • Displaying and Setting Standard and Authentication Policies
  • Properties
  • Default Ticket Lifetime Property
  • Hidden Password Property
  • Minimum Group ID Property
  • Minimum Organization ID Property
  • Minimum UNIX ID Property
  • Maximum UNIX ID Property
  • Minimum Ticket Lifetime Property
  • Displaying and Setting Properties
  • Performing Routine Maintenance
  • Adding Accounts
  • Overriding Entries in the Local Registry
  • How Overrides Work
  • The passwd_override File Format
  • The group_override File Format
  • Creating Override File Entries
  • Leaving passwd_override File Fields Blank
  • Specifying Passwords for a Specific Machine
  • Preventing Login to a Machine
  • Omitting Users from the Local Password Files
  • Specifying a Home Directory and Login Shell for a Machine
  • Overriding a Principal's Group Affiliation
  • Applying Overrides to All Members of a Group
  • How passwd_override Handles Multiple Override Entries
  • Changing the Registry's Master Key
  • Validating the Authenticity of the DCE Security Service
  • Backing Up and Restoring the Registry Database
  • Procedures for Backing Up the Registry Database
  • Procedure for Restoring the Registry Database
  • Setting the _s(sec) Variable
  • Ensuring Consistent Local Files
  • Handling Network Reconfigurations
  • Changing the Master Replica Site
  • Removing a Server Machine from the Network
  • Handling Network Address Changes
  • Updating the pe_site File
  • Handling Simultaneous Address Changes
  • Setting Up the Registry
  • Planning Sites for DCE Security Service Components
  • Creating the Master Registry Database
  • The sec_create_db Command Format
  • An sec_create_db Run Example
  • The Results of sec_create_db
  • Starting the Master Replica
  • Populating the New Registry Database
  • Setting Policies and Properties
  • Adding Accounts
  • Creating Slave Replicas
  • Verifying that the Replicas Are Running
  • Importing UNIX Accounts to DCE
  • How passwd_import Works
  • The passwd_import Processing Steps
  • Registry Entries Created by passwd_import
  • The passwd_import Command Syntax
  • Using passwd_import
  • Using the Identical User Option
  • Using Check Mode
  • Resolving Conflicts
  • Answering Prompts
  • Sample passwd_import Session
  • Invoking passwd_import
  • Examining the Group File
  • Examining the Password File
  • Adding Members to Groups
  • Completing Processing
  • Troubleshooting Procedures
  • Mapping of DCE Daemon Core Locations and How to Symlink to a Separate Filesystem
  • Restarting Security Servers
  • Backup and Recovery of the System after Failure in the Security Server
  • Backing Up the Registry
  • Restoring the Registry
  • Restarting the Master Server in Locksmith Mode
  • Automatic Changes to the Locksmith Account
  • Starting a Security Server in Locksmith Mode
  • Restarting a Security Server in Locksmith Mode
  • Recovering the Master Replica
  • Determining the Most Current Database
  • Converting a Slave to a Master
  • Recovering Slave Replicas
  • Converting a Master to a Slave
  • Forcibly Deleting a Slave Replica
  • Restoring a Duplicate Master
  • Adopting Registry Orphans
  • Accessing a Server Registered with User to User Protocol
  • Designating a New Master Replica When the Current Master Replica Has Failed
  • AIX/DCE Security Integration
  • More Detailed Information--Security Integration
  • Enabling DCE Access
  • The SYSTEM Attribute
  • The registry Attribute
  • Protecting Local Resources
  • Protecting Local Resources with the /etc/security/user File
  • Protecting Local Resources with the passwd_override and group_override Files
  • Configuring DCE Access on a Per-User Basis
  • Configuring and Protecting the Local Root User
  • Configuring and Protecting a Local-Only User
  • Configuring a Synchronized User
  • Supporting Wandering DCE Users
  • Access Method Identification
  • Changing Passwords
  • Troubleshooting
  • Steps--Security Integration
  • Restrictions--Security Integration
  • Examples--Security Integration
  • Intercell Considerations--Security Integration
  • Intercell Administration--Security Integration
  • UNIX IDs for shadow principals
  • Account Information
  • Shadow Groups
  • Managing UNIX IDs Across Cells
  • Security Integration on a Slim Client Configuration
  • Security Integration with Multiple Dceunixd Daemons
  • Accessing Registry Objects
  • The Registry Database
  • Registry Permissions
  • Management, Authentication, and User Information
  • Permission Required to Create Principals, Groups, or Organizations
  • Permissions Required to Delete Principals, Group, or Organizations
  • Permissions Required to Add Accounts
  • Permissions Required to Delete Accounts
  • Permissions Required to Add Members to Groups
  • Permissions Required to Add Members to Organizations
  • Permissions to Delete Members from Groups or Organizations
  • Permissions Required to Change a Principal's, Group's, or Organization's Full Name
  • Permissions Required to Change Management Information for Principals, Groups, or Organizations
  • Permissions Required to Change Management, Authentication, and User Information (Except Passwords) for Accounts
  • Permissions Required to Change Passwords for Accounts
  • Permissions Required to Change Authentication and Management Information for Registry Policies and Properties
  • Permissions Required to Execute Commands That Act on Replicas
  • Permissions Required to Create Extended Registry Attribute Types
  • Permissions Required to Delete Extended Registry Attribute Types
  • Permissions Required to View Extended Registry Attribute Types
  • Permissions Required to Modify Extended Registry Attribute Types
  • Permission Required to Change ACLs on Registry Objects
  • Permissions Required by Slave Replicas
  • Registry ACL Manager
  • Initial Registry ACLs
  • DCE Audit Service
  • Features of the DCE Audit Service
  • Components of the DCE Audit Service
  • DCE Audit Service Concepts
  • Audit Clients
  • Code Points
  • Audit Events
  • Event Numbers
  • Event Classes
  • Filters
  • Audit Trail File
  • Administration and Programming in DCE Audit
  • Programmer Tasks
  • Administrator Tasks
  • DCE Audit Service Administrative Tasks
  • Using DCE Auditing on AIX
  • Configure the auditd daemon
  • Stop and restart the DCE servers
  • Collect auditing records
  • Display audit trail
  • Setting DCE Audit Environment Variables
  • Starting the Audit Daemon
  • Controlling Access to the Audit Daemon
  • DCE Permissions Supported by the DCE Audit Service
  • Initial ACL of the Audit Daemon
  • Giving Permissions to Audit Clients and Administrators
  • Defining Event Classes
  • Steps in Defining an Event Class
  • Example Event Class File
  • Creating and Maintaining Filters
  • Creating Filters
  • Modifying Filters
  • Deleting Filters
  • Default Filters
  • Enabling Audit Filters
  • Enabling and Disabling the Audit Logging Service
  • Modifying and Querying Audit Daemon Attributes
  • Controlling and Displaying Audit Trails
  • Displaying Audit Trail Files
  • Controlling the Audit Trail Size
  • Changing the Audit Trail File Storage Option
  • Kerberos Interoperability with DCE and Secure Remote Utilities
  • KDC Interoperability
  • Credential Cache and Keytab File Compatibility

  • Appendixes

  • Appendix A. Valid Characters and Naming Rules for CDS
  • Metacharacters
  • Additional Rules
  • Maximum Name Sizes
  • Appendix B. Object Identifier Files
  • Origin of Object Identifiers
  • The cds_attributes File
  • Modifying the Files
  • Modifying a CDS Entity's Attributes
  • Adding a New Attribute
  • Modifying the Value of an Existing Attribute
  • Removing an Attribute
  • Appendix C. Time-Providers and Time Services
  • Criteria for Selecting a Time Source
  • Sources of Coordinated Universal Time
  • Telephone Services
  • Radio Transmissions
  • Network Time Protocol
  • Satellite
  • World Time Zone Map
  • Appendix D. DTS Extended BNF

  • Appendix E. Notices
  • Trademarks
  • Index

  • Figures

    1. Server Binding Information
    2. Possible Information in a Server Entry
    3. Possible Mappings of a Group
    4. Possible Mappings of a Profile
    5. Cell and Global Naming Environments
    6. Interaction of CDSs, GDAs, and Global Directory Services
    7. Sample CDS Namespace Hierarchy
    8. RDNs and Distinguished Names
    9. Comparison of CDS and X.500 Names
    10. Sample Portion of the BIND Namespace
    11. CDS Clerks and Servers on a LAN
    12. A Sample CDS Lookup
    13. Components of a CDS Server Node
    14. Logical and Physical Views of a Namespace
    15. Clearinghouse Object Entries and Clearinghouses
    16. A Soft Link and Its Resolution
    17. Child Pointers and Directories
    18. How the Clerk Finds a Name
    19. Example Namespace Hierarchy
    20. Example Namespace Before and After the Merge Operation
    21. Example Namespace Before and After the Append Operation
    22. Example Replica Set
    23. Example Replica Set After Master Redesignation
    24. Example Replica Set After Replica Exclusion
    25. How the CDS Clerk Finds a GDA
    26. How the GDA Helps CDS Find a Name
    27. Time and Inaccuracy
    28. Computed Time
    29. Adjustment of the Clock
    30. ISO-Compliant Time Format
    31. ISO-Compliant Time Format Variation
    32. Relative Time Format
    33. DTS Configuration--LAN
    34. DTS Configuration--LAN with WAN Links
    35. DTS Configuration--WAN Networks
    36. DTS Timestamp Format
    37. Local Fault
    38. Local Time Source
    39. Getting the Time from a Remote NTP Time Source (Scenario 1)
    40. Getting the Time from a Remote NTP Time Source (Scenario 2)
    41. Giving the Time to NTP
    42. Configuration Before Stratum 2 Node Fails
    43. Configuration After Stratum 2 Node Fails
    44. Machines, Servers, and the Database
    45. Disk Memory and Virtual Memory Copies of the Registry Database
    46. The Master Replica Update Process
    47. Slave Replica Update Process
    48. ACL Managers in Servers
    49. Sample ACL Entries
    50. Order of Checking ACLs and Applying Masks
    51. Initial ACLs for Objects Created in Containers
    52. Initial ACLs for Containers Created in Containers
    53. Direct and Transitive Trust Relationships
    54. Cell Traversal in Transitive Trust Relationships
    55. Limited Direct Trust Peer Traversal in Transitive Trust
    56. Transitive Trust Without Direct Trust Peer Traversal
    57. Limited Trust Traversal to Cell Ancestors
    58. Alternate Trust Traversal to Cell Ancestors
    59. The Registry Database Structure
    60. Permission Required to Create Principals, Groups, or Organizations
    61. Permissions Required to Delete Principals, Groups, or Organizations
    62. Permissions Required to Add an Account and the Account Principal to the Group and Organization
    63. Adding an Account For Which the Principal Is Already a Member of the Group and Organization
    64. Permissions to Add an Account and the Principal to the Group Only
    65. Permissions to Add an Account and the Principal to the Organization Only
    66. Permissions Required to Delete Accounts
    67. Permissions Required to Add Members to Groups
    68. Permissions Required to Add Members to Organizations
    69. Permissions to Delete Members From Groups or Organizations
    70. Permissions Required to Change a Principal's, Group's, or Organization's Full Name
    71. Permissions Required to Change Management Information For Principals, Groups, or Organizations
    72. Permissions Required to Change Management, Authentication, and User Information (Except Passwords) For Accounts
    73. Permissions Required to Change Passwords For Accounts
    74. Permissions Required to Change Authentication and Management Information For Registry Policies and Properties
    75. Permissions Required to Execute Commands That Act on Replicas
    76. Permissions Required to Create Extended Registry Attribute Types
    77. Permissions Required to Delete Extended Registry Attribute Types
    78. Permissions Required to View Extended Registry Attributes
    79. Permissions Required to Modify Extended Registry Attribute Types
    80. Permission Required to Change ACLs on Registry Objects
    81. Event Class Number Formats
    82. Override Relations Between Filter Types
    83. Valid Characters in CDS and DNS Names
    84. World Time Zone Map

  • Tables

    1. EMSD Server Permission Bits
    2. Event Type Database Permission Bits
    3. Event Type Permission Bits
    4. Filter Database Permission Bits
    5. Event Filter Permission Bits
    6. Consumer Database Permission Bits
    7. Serviceability Message Severity Levels
    8. DCE Control Program Operations for CDS
    9. dcecp Commands that Control CDS
    10. ACL Entry Types Used for CDS Principals
    11. DCE Control Program Commands and Required Permissions
    12. Permissions Required To Create Target Objects
    13. dcecp Operations for DTS
    14. Settable DTS Object Attributes
    15. Unsettable DTS Object Attributes
    16. DCE Control Program Operations for the DCE Security Service
    17. rgy_edit Commands for Maintaining the Local Registry
    18. Attribute Options to Create Principals
    19. DCE Version 1.1/Pre-DCE Version 1.1 Authentication Interoperation
    20. Attribute Options to Create Groups and Organizations
    21. Attribute Options to Create Accounts
    22. The keytab create and keytab add Options
    23. Default Attribute Values of Cross-Cell Authorization Principals and Accounts
    24. Stricter Standard Policies
    25. Initial Persons, Groups, and Organizations
    26. Group Memberships Created by sec_create_db
    27. Locksmith Account Changes Made by the Security Server
    28. Registry Policy Changes Made by the Security Server
    29. Permissions for Registry Objects
    30. ACL managers and Valid Permissions and ACL Entry Types
    31. Credential Cache Files
    32. Keytab Files
    33. Metacharacters and Their Meanings
    34. Maximum Sizes of Directory Service Names
    35. Time-Provider Selection Criteria
