ECO NUMBER: DCEECO2030

PRODUCT: Distributed Computing Environment (DCE) for Digital UNIX

UPDATED PRODUCT: Distributed Computing Environment (DCE) for Digital UNIX 3.0

APPRX BLCK SIZE: 28000

COVER LETTER:

February 1999

This document describes changes to DCE for DIGITAL UNIX Version 3.0
software contained in the ECO2 kit.

Product and Version:            DCE for DIGITAL UNIX Version 3.0
Operating System and Version:   DIGITAL UNIX Version 4.0 or greater

Compaq Computer Corporation
Houston, Texas
February 1999

Compaq Computer Corporation makes no representations that the use of its
products in the manner described in this publication will not infringe on
existing or future patent rights, nor do the descriptions contained in
this publication imply the granting of licenses to make, use, or sell
equipment or software in accordance with the description.

Possession, use, or copying of the software described in this publication
is authorized only pursuant to a valid written license from DIGITAL or an
authorized sublicensor.

(c) Compaq Computer Corporation 1999. All rights reserved.

The following are trademarks of Compaq Computer Corporation: DIGITAL,
DIGITAL UNIX, and the DIGITAL logo. COMPAQ and the Compaq logo are
registered in the U.S. Patent and Trademark Office.

The following are third-party trademarks:

    Kerberos is a trademark of Massachusetts Institute of Technology.
    OSF is a trademark of Open Software Foundation, Inc.
    UNIX is a registered trademark in the United States and other
    countries, licensed exclusively through X/Open Company, Ltd.

All other trademarks and registered trademarks are the property of their
respective holders.


Table of Contents

1. Overview of Kit Contents
   1.1 Files Patched or Replaced
2. Installation Instructions
3. Problems Addressed in This Kit
   3.1 Corrections to OSF DCE R1.2.2 from The Open Group
   3.2 Corrections to DCE for DIGITAL UNIX 3.0
       3.2.1 Correction to RPC
       3.2.2 Correction to Kerberos 5 Support
       3.2.3 Correction to Split Server Configuration
       3.2.4 Correction to Problem Running SIA on DIGITAL UNIX Version 4.0c
   3.3 Corrections to DFS
   3.4 Enhancements to DFS
       3.4.1 DFS and DIGITAL UNIX ACLs
       3.4.2 NFS-DFS Secure Gateway Server Administration
       3.4.3 DFS Backup
       3.4.4 Solutions to Common Problems with DCE DFS
4. Known Problems and Restrictions
   4.1 Known Problem in the DCE for DIGITAL UNIX DFS Client


1. Overview of Kit Contents

DCE for DIGITAL UNIX Version 3.0 ECO2 provides corrections and
enhancements to the DFS software component. Section 3 of this guide
describes each of the ECO2 corrections in detail.

1.1 Files Patched or Replaced

This section lists the DCE for DIGITAL UNIX Version 3.0 media kit files
replaced in the ECO2 kit and the subset containing each software fix.

File Name                                         Subset Location
---------                                         ---------------
./usr/opt/DCE300/bin/auditd                       DCERTSECO2030
./usr/opt/DCE300/bin/cdsadv                       DCERTSECO2030
./usr/opt/DCE300/bin/cdsclerk                     DCERTSECO2030
./usr/opt/DCE300/bin/cdscp                        DCERTSECO2030
./usr/opt/DCE300/bin/cdsd                         DCECDSECO2030
./usr/opt/DCE300/bin/dced                         DCERTSECO2030
./usr/opt/DCE300/bin/dcesetup                     DCERTSECO2030
./usr/opt/DCE300/bin/dtsd                         DCERTSECO2030
./usr/opt/DCE300/bin/gdad                         DCECDSECO2030
./usr/opt/DCE300/bin/rgy_edit                     DCERTSECO2030
./usr/opt/DCE300/bin/rlogin                       DCERTSECO2030
./usr/opt/DCE300/bin/rlogind                      DCERTSECO2030
./usr/opt/DCE300/bin/rsh                          DCERTSECO2030
./usr/opt/DCE300/bin/rshd                         DCERTSECO2030
./usr/opt/DCE300/bin/sec_create_db                DCESECECO2030
./usr/opt/DCE300/bin/sec_salvage_db               DCESECECO2030
./usr/opt/DCE300/bin/secd                         DCESECECO2030
./usr/opt/DCE300/bin/telnet                       DCERTSECO2030
./usr/opt/DCE300/bin/telnetd                      DCERTSECO2030
./usr/opt/DCE300/nls/msg/en_US.ASCII/dcedhd.cat   DCERTSECO2030
./usr/opt/DCE300/share/include/dce/aclif.h        DCEADKECO2030
./usr/opt/DCE300/share/include/dce/cdsclerk.h     DCEADKECO2030
./usr/opt/DCE300/share/include/dce/dbif.h         DCEADKECO2030
./usr/opt/DCE300/share/include/dce/dce_msg.h      DCEADKECO2030
./usr/opt/DCE300/share/include/dce/dce_utils.h    DCEADKECO2030
./usr/opt/DCE300/share/include/dce/gssapi.h       DCEADKECO2030
./usr/opt/DCE300/share/include/dce/svcfilter.h    DCEADKECO2030
./usr/opt/DCE300/share/include/dce/svclog.h       DCEADKECO2030
./usr/opt/DCE300/share/include/dce/svcremote.h    DCEADKECO2030
./usr/opt/DCE300/sys/BINARY/dcedfs.mod            DCEDFSBINECO2030
./usr/opt/DCE300/usr/shlib/libdce.so              DCERTSECO2030
./usr/opt/DCE300/usr/shlib/libdcecp.so            DCERTSECO2030
./usr/opt/DCE300/usr/shlib/libdcesiad.so          DCERTSECO2030
./usr/opt/DCE300/usr/shlib/libidlcxx.so           DCERTSECO2030
./usr/opt/DCE300/usr/shlib/libdcedfs.so           DCEDFSECO2030


2. Installation Instructions

Follow these steps to install the DCE for DIGITAL UNIX Version 3.0 ECO2
kit.

1. Verify a successful installation of DCE for DIGITAL UNIX Version 3.0
   before installing the ECO2 kit.

2. Untar the ECO2 kit into a local directory, using the following
   command:

       % tar xvf /DCEECO2030.tar

3. Use the setld procedure to start the installation procedure:

       % setld -l ./output

4. Select the subsets to install from the following choices:

       DCEADKECO2030
       DCECDSECO2020
       DCEDFSBINECO2030
       DCEDFSECO2030
       DCERTSECO2030
       DCESECECO2030

   To install multiple subsets, enter the number of each subset
   separated by a space as follows:

       DCEADKECO2030 DCECDSECO2020 DCEDFSECO2030 DCEDFSBINECO2030
       DCERTSECO2030 DCESECECO2030

   The subsets listed below are optional:

   There may be more optional subsets than can be presented on a single
   screen. If this is the case, you can choose subsets screen by screen
   or all at once on the last screen. All of the choices you make will
   be collected for your confirmation before any subsets are installed.
       1) DCE Application Developers Kit V3.0 ECO 2
       2) DCE Cell Directory Server V3.0 ECO 2
       3) DCE DFS Base V3.0 ECO 2
       4) DCE DFS Kernel Binaries V3.0 ECO 2
       5) DCE Runtime Services V3.0 ECO 2
       6) DCE Security Server V3.0 ECO 2

   Or you may choose one of the following options:

       7) ALL of the above
       8) CANCEL selections and redisplay menus
       9) EXIT without installing any subsets

   Enter your choices or press RETURN to redisplay menus.

   Choices (for example, 1 2 4-6):

5. After the installation successfully concludes, restart DCE by entering
   the following command:

       % /usr/sbin/dcesetup/start


3. Problems Addressed in This Kit

This ECO2 release contains corrections made previously in the ECO1
release. These corrections to OSF DCE Release 1.2.2 and DCE for DIGITAL
UNIX Version 3.0 are described in Sections 3.1 and 3.2. ECO2 also
contains new corrections and enhancements to DFS, which are described in
Sections 3.3 and 3.4.

3.1 Corrections to OSF DCE R1.2.2 from The Open Group

This section summarizes the OSF DCE Release 1.2.2 Maintenance Release 1
software corrections that were applied to DCE for DIGITAL UNIX Version
3.0 in the ECO1 release.

o The return status check from the iconv() call has been modified to
  conform to the XPG/4 specification. In accordance with XPG/4, if the
  call to iconv() fails, -1 will be returned and errno will be set. In
  addition, a successful conversion mandates that inbytesleft is set to
  zero; a non-zero value indicates that iconv() was unable to convert
  the entire contents of the buffer. Applications should check both of
  these return values upon return from iconv().

o Previously, dates were printed using the format %02d for a struct tm
  tm_year field or the format YY/MM/DD:HH:MM:SS. The ECO1 kit corrects
  this problem by changing the output format to YYYY-MM-DD-HH:MM:SS,
  which conforms to the DTS format as described in Appendix D of the
  OSF DCE Administration Guide - Core Components.
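The two XPG/4 checks the iconv() correction above describes, written out as an added C example (not code from the DCE sources): a return of (size_t)-1 means failure with errno set, and a call that does not fail still has to be checked for a non-zero inbytesleft. The converter names and the ISO-8859-1 input are constructed for the demonstration.

```c
#include <errno.h>
#include <iconv.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one conversion attempt, after both XPG/4 checks. */
enum conv_status { CONV_OK = 0, CONV_FAILED = -1, CONV_INCOMPLETE = 1 };

/* Convert in[0..in_len) through cd into out[0..out_cap).
   Check 1: iconv() returns (size_t)-1 on failure and sets errno
            (EILSEQ: invalid input byte, EINVAL: truncated sequence,
             E2BIG: output buffer full).
   Check 2: even when iconv() does not fail, inbytesleft must be 0;
            anything else means the buffer was not fully converted.
   *out_len receives the number of bytes actually written. */
enum conv_status convert_checked(iconv_t cd, const char *in, size_t in_len,
                                 char *out, size_t out_cap, size_t *out_len)
{
    char *inp = (char *)in;            /* iconv() wants non-const pointers */
    char *outp = out;
    size_t inleft = in_len, outleft = out_cap;

    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    *out_len = out_cap - outleft;
    if (rc == (size_t)-1)
        return CONV_FAILED;            /* errno says which failure */
    if (inleft != 0)
        return CONV_INCOMPLETE;        /* the second check XPG/4 requires */
    return CONV_OK;
}

/* One-shot wrapper: open a converter, run convert_checked(), close it,
   preserving errno from the conversion so the caller can inspect it. */
enum conv_status convert_between(const char *from, const char *to,
                                 const char *in, size_t in_len,
                                 char *out, size_t out_cap, size_t *out_len)
{
    iconv_t cd = iconv_open(to, from);
    if (cd == (iconv_t)-1)
        return CONV_FAILED;            /* errno == EINVAL: unsupported pair */
    enum conv_status st = convert_checked(cd, in, in_len, out, out_cap, out_len);
    int saved = errno;
    iconv_close(cd);
    errno = saved;
    return st;
}

int main(void)
{
    char out[16];
    size_t n;
    /* Constructed input: "caf\xe9" in ISO-8859-1 becomes 5 bytes of UTF-8. */
    enum conv_status st = convert_between("ISO-8859-1", "UTF-8",
                                          "caf\xe9", 4, out, sizeof out, &n);
    printf("status %d, %zu bytes out\n", st, n);
    /* The same input into a 3-byte buffer fails with E2BIG after 3 bytes. */
    st = convert_between("ISO-8859-1", "UTF-8", "caf\xe9", 4, out, 3, &n);
    printf("status %d, errno %s, %zu bytes out\n", st, strerror(errno), n);
    return 0;
}
```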
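The EPAC-chain ACL correction listed in this section, modelled as an added C example that is not the OSF code: perms_before_fix() reproduces the two defects the description gives (initiator permissions never AND-ed in, and an unauthorized delegate stopping evaluation without reducing the set), and effective_perms() is the corrected evaluation. The ACL, principal names and chains are constructed; group, mask_obj and other_obj processing is omitted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DCE permission bits: read, write, execute, control, insert, delete. */
enum { P_R = 1, P_W = 2, P_X = 4, P_C = 8, P_I = 16, P_D = 32 };

/* One ACL entry: a principal name (standing in for its UUID) and its bits. */
struct acl_entry { const char *principal; unsigned perms; };
struct acl { const struct acl_entry *entries; size_t n; };

/* Permissions the ACL grants one principal; 0 means it is not authorized.
   Group, mask_obj and other_obj processing is left out of this model. */
unsigned acl_perms_for(const struct acl *a, const char *principal)
{
    for (size_t i = 0; i < a->n; i++)
        if (strcmp(a->entries[i].principal, principal) == 0)
            return a->entries[i].perms;
    return 0;
}

/* chain[0] is the initiator; chain[1..n-1] are the delegates the request
   passed through, in EPAC order. */

/* Model of the pre-ECO1 behaviour, built from the description above:
   a delegate's permissions replace the running set instead of being
   AND-ed with it, and an unauthorized delegate ends the loop without
   reducing what is returned. */
unsigned perms_before_fix(const struct acl *a, const char **chain, size_t n)
{
    unsigned perms = acl_perms_for(a, chain[0]);
    for (size_t i = 1; i < n; i++) {
        unsigned p = acl_perms_for(a, chain[i]);
        if (p == 0)
            break;            /* stops, but perms is not cleared */
        perms = p;            /* initiator's bits never AND-ed in */
    }
    return perms;
}

/* Corrected evaluation: initiator AND every delegate. A delegate the ACL
   does not authorize contributes 0, so the result collapses to nothing,
   and evaluation can stop as soon as the set is empty. */
unsigned effective_perms(const struct acl *a, const char **chain, size_t n)
{
    if (n == 0)
        return 0;
    unsigned perms = acl_perms_for(a, chain[0]);
    for (size_t i = 1; i < n && perms != 0; i++)
        perms &= acl_perms_for(a, chain[i]);
    return perms;
}

int main(void)
{
    /* Constructed ACL: alice has everything, bob may only read, and the
       print service may read and write. */
    const struct acl_entry entries[] = {
        { "alice", P_R | P_W | P_X | P_C | P_I | P_D },
        { "bob", P_R },
        { "svc-print", P_R | P_W },
    };
    const struct acl acl = { entries, 3 };
    const char *via_unknown[] = { "alice", "mallory" };  /* unauthorized delegate */
    const char *via_alice[] = { "bob", "alice" };        /* delegate outranks initiator */

    printf("alice via mallory: before %u, fixed %u\n",
           perms_before_fix(&acl, via_unknown, 2), effective_perms(&acl, via_unknown, 2));
    printf("bob via alice:     before %u, fixed %u\n",
           perms_before_fix(&acl, via_alice, 2), effective_perms(&acl, via_alice, 2));
    return 0;
}
```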
o Previously, DCE configuration sometimes failed due to memory corruption
  in the PK pre-authorization code. The reply_keyP contents in
  krb5_pkinit_sign_as_rep were sometimes freed accidentally, which caused
  the memory location pointed to by reply_keyP to be corrupted before the
  key was used. This problem has been corrected by not freeing reply_key
  at the end of the routine.

o Previously, the ACL evaluation algorithms did not correctly adjust the
  access rights when a delegate (not the initiator) specified in an EPAC
  chain is not authorized by the target ACL. This was true of both the
  DCE API call, dce_acl_inq_permset_for_creds, and the security server
  ACL manager, sec_acl_mgr_get_access. The dce_acl_inq_permset_for_creds
  function returned early because it incorrectly compared a pointer to a
  status with a constant status value. In addition, the
  dce_acl_inq_permset_for_creds function did not adjust the computed
  permissions by AND-ing the initiator permissions with those computed
  for the delegates. Similarly, when the sec_acl_mgr_get_access function
  determined that a delegate was not authorized, it stopped its
  evaluation but neglected to reduce the returned permission set. These
  ACL problems have been corrected.

o A coding error in the dce/utils/acldb/aclimpl.c file was corrected.

o Due to the incorrect placement of a right parenthesis, ')', a status
  code from the dthread_create() call was not stored in a status
  variable. This problem has been corrected.

o Previously, the rpc_list_element_alloc function did not return NULL if
  it failed to allocate memory. This problem has been corrected.

o Corrections were made to a variety of .h files that required the
  __cplusplus "C" directive to make it possible to bind the corresponding
  DCE API functions to a C++ application.

o Previously, within the export_to_namespace() routine in main.c of
  dced, the call to dce_svc_printf to print the message
  DCED_S_CANT_EXPORT_YET_MSG was missing an argument. Therefore, the need
  to print this error resulted in a crash of dced. This problem has been
  corrected.

o An entry point (rs_prop_pgo_add_member_global) was added to the
  rs_prop_pgo interface. Unfortunately, it was not added to the end of
  the list of existing entry points in the IDL file; instead, it was
  added before the rs_prop_pgo_delete_member entry. This bug caused a
  problem when a 1.1 master security server tried to propagate a
  pgo_delete_member update to a 1.2.2 replica: the replica tried to
  process it using the interface for rs_prop_pgo_add_member_global. The
  new entry point was moved to the end of the interface list in the
  rs_prop_pgo.idl file to correct the problem.

3.2 Corrections to DCE for DIGITAL UNIX 3.0

This section describes corrections to problems with RPC, Kerberos 5
compliance, split server configuration, and SIA.

3.2.1 Correction to RPC

The shared library, libidlcxx.so, has been replaced to eliminate a
problem in the RPC automatic object reclamation service, defined in
reclaim.idl, which sometimes caused a properly written DCE application
to experience memory access violations and, therefore, terminate
abnormally.

3.2.2 Correction to Kerberos 5 Support

The Kerberos compliant tools have been updated to allow them to be used
with the SIA authentication system. Therefore, customers with a DCE SIA
enabled environment can now use the MIT Kerberos 5 network tools
provided with DCE.

3.2.3 Correction to Split Server Configuration

The dcesetup configuration tool was modified to correct a problem with
split server configuration when the security server and CDS server were
configured in a mixed environment of IBM AIX and DIGITAL UNIX systems.
The problem was traced to an incompatibility in ACL manipulation between
the IBM AIX DCE configuration tool (using dcecp acl modify -add) and
DIGITAL UNIX dcesetup (acl_edit).
Note that in a split server configuration where the security server is
running on IBM AIX and the CDS server is running on DIGITAL UNIX, the
CDS server configuration should not be resumed (there is a pause in the
configuration) until after the security server and client configuration
have completed on the IBM AIX machine.

3.2.4 Correction to Problem Running SIA on DIGITAL UNIX Version 4.0c

DIGITAL UNIX Version 4.0c systems running DCE for DIGITAL UNIX Version
3.0 did not allow SIA to be enabled. This problem has been corrected.

3.3 Corrections to DFS

o This ECO2 release includes a fix for a dfsbind core dump. Note that
  all of the following DFS corrections require rebuilding a kernel and
  rebooting.

o A fix was completed that restricts the range of UDP ports used by DFS.
  Part one of the implementation was included in the Version 2.1
  release: dfsbind reads the environment variable, RPC_RESTRICTED_PORTS,
  and passes the restriction down to the kernel. This ECO release
  includes part two of the fix: the kernel allocates ports in accordance
  with the restriction. This fix affects dcedfs.mod.

o A fix was made to 'ACL check' for DFS objects, which was failing due
  to an improper data type being passed to pioctl.

o This release includes a fix for the premature umask application to the
  mode bits before they are passed to the server. It affects dcedfs.mod.
  This fix works in conjunction with changes incorporated into DIGITAL
  UNIX Version 4.0D. Because of this, the patch is disabled by default.
  If you are running a version of DIGITAL UNIX earlier than 4.0D, do not
  attempt to enable this fix. An appropriate patch for versions earlier
  than 4.0D is under development. If you do not need the umask fix, no
  action is required. If you are running Version 4.0D of DIGITAL UNIX or
  higher and need the umask fix, you can enable it with the following
  procedure:

  1. Enter:

         dbx -k /vmunix
         patch dfs_umask_rawmode_fix_present = 1
         quit

  2. Verify that the change has been made:

         dbx -k /vmunix
         print dfs_umask_rawmode_fix_present    {THIS SHOULD PRINT 1}
         quit

  3. Reboot.

o The Cache Manager now passes through the setuid/setgid mode bits of
  directories without changing the bits. These bits still get turned off
  on regular files unless the client explicitly enables the capability
  to leave the bits unchanged. This capability can be set on a fileset
  with the cm setsetuid command. This change affects dcedfs.mod.

o This release includes a change to the token expiration time of freely
  given tokens. The change was made in response to a problem that caused
  clients to hang occasionally for approximately 4 minutes, and then
  return a communications failure. The change affects dcedfs.mod.

o Because of insufficient locking, it was previously possible for
  requests from the kernel to the dfsbind process to be lost. Eventually
  the kernel would run out of request space and hang. Two fixes were
  made:

  1. Sufficient locking was added to prevent the loss of requests.

  2. The request queue is periodically pruned of old requests. This
     enables the administrator to restart dfsbind only, instead of all
     of DFS, in the event of a problem, and to reclaim the resources
     that the kernel was using.

o This ECO includes a workaround that treats the following symptom: the
  system panics on shutdown when unmounting the DFS file system. The
  change affects dcedfs.mod.

o The setpag() functionality has been enhanced. A PAG can be passed to
  setpag(). The kernel uses this to set the process's PAG instead of
  generating a new one. This feature is used by Kerberos modifications
  that allow a Kerberized application daemon to access the distributed
  file system, using forwarded Kerberos credentials.

o In previous versions, applying the client command "dcecp -c acl check"
  to a DFS object gave the wrong results. This has been fixed. The change
  affects dcedfs.mod.
o Previously, because of a race condition on multi-processor machines,
  NFS server activity would, in some cases, initiate a call into DFS
  that resulted in a panic. This has been fixed. The change affects
  dcedfs.mod.

3.4 Enhancements to DFS

This section describes improvements and changes to the DFS service,
including the use of DIGITAL UNIX ACLs, Gateway Server authentication,
and file system backup. It also contains solutions to common DFS
problems.

3.4.1 DFS and DIGITAL UNIX ACLs

In this release, DFS allows the use of DIGITAL UNIX ACLs for
authorization purposes.

o Using DIGITAL UNIX ACLs

  DIGITAL UNIX supports the use of generic ACLs on its two supported
  filesystems (UFS and AdvFS). The ACLs follow the POSIX model,
  providing a sequence of ACL entries, each consisting of a tag (type),
  an identifier for entries whose type requires it, and a set of
  permission bits, as shown in the following table.

  DIGITAL UNIX ACLs

  Tag          Identifier    Permission Bits
  ---          ----------    ---------------
  user         uid           rwx
  group        gid           rwx
  user_obj     -             rwx
  group_obj    -             rwx
  other_obj    -             rwx

  ACL entries tagged as user or group identify persons or groups that
  might attempt to perform some action on the directory or file. The
  Identifier is a user id (uid) for user tags or a group identifier
  (gid) for group tags. ACL entries tagged as user_obj, group_obj, and
  other_obj do not use identifiers because these are implicit in the
  metadata of the directory or file. (See Note below.) The permissions
  are the standard UNIX read (r), write (w), and execute (x)
  permissions.

  Note: Because DFS in this release maps uids and gids to specific
  users and groups, password files must be synchronized with the DCE
  Security registry. Enabling Security Integration Architecture (SIA)
  offers one way to synchronize uid and gid information with the DCE
  cell registry.

  Default ACLs for containers and objects are created following the
  same method as in the standard DCE DFS implementation.

o DIGITAL UNIX ACL Limitations

  DIGITAL UNIX ACLs lack the following functionality that is available
  with generic DCE ACLs:

  -- A set of "foreign" tags supporting users, groups, and objects from
     foreign cells.

  -- A set of "delegation" tags supporting delegation from users,
     groups, and objects in the local cell and in foreign cells.

  -- An unauthenticated mask controlling access for unauthenticated
     users.

  -- A cell name included in ACL identifiers, which is used for foreign
     cell user authentication.

  -- A wider set of permission bits: (c) control, (i) insert, (d) delete.

  An additional limitation of DIGITAL UNIX ACLs is that the ACL
  identifiers are uids or gids instead of full DCE UUIDs.

  This release of DCE for DIGITAL UNIX handles these ACL limitations by
  providing appropriate responses to administrative or user actions that
  involve DIGITAL UNIX ACLs. People or programs that use or administer
  DFS proceed as normal DCE clients. A transparent translation layer in
  DCE DFS intercepts and deals with ACL operations.

o DCE Responses to DIGITAL UNIX ACL Operations

  Due to the limitations of DIGITAL UNIX ACLs, some operations involving
  ACLs behave differently or return an error. Specific responses to
  DIGITAL UNIX ACL operations depend on whether the operation is
  unsupported, totally supported, or partially supported.

  Unsupported operations, such as adding an entry for foreign_user or
  group_delegate, return an error.

  Totally supported operations, such as a user in the local cell
  requesting write access to a file, behave in the standard manner.

  Some operations are partially supported. DIGITAL UNIX provides
  appropriate responses to certain operations even though the features
  for their support are lacking from the DIGITAL UNIX ACLs. For example,
  a user attempts to delete a file from DFS. Normally, DFS requires the
  d (delete) permission, but DIGITAL UNIX performs the delete operation
  if the user has write permission on the file.
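  An added C model (not the DFS translation layer's own code) of the
  limitations and responses described above: c, i and d bits are
  dropped, identifiers become uids or gids, foreign and delegation
  entries cannot be represented, and a delete is allowed on write
  permission. The registry table and the UUID strings are constructed
  stand-ins, and the lookup of a key UUID in the server cell's registry
  is an assumption about how the identifier mapping is resolved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* DCE permission bits; a DIGITAL UNIX ACL can only carry r, w and x. */
enum { P_R = 1, P_W = 2, P_X = 4, P_C = 8, P_I = 16, P_D = 32 };
#define DU_BITS (P_R | P_W | P_X)

/* DCE entry tags, including the ones DIGITAL UNIX ACLs cannot express. */
enum dce_tag { T_USER, T_GROUP, T_USER_OBJ, T_GROUP_OBJ, T_OTHER_OBJ,
               T_FOREIGN_USER, T_FOREIGN_GROUP, T_USER_DELEGATE,
               T_GROUP_DELEGATE, T_UNAUTHENTICATED };

/* A DCE entry as the client submits it: cell UUID, key UUID, bits.
   UUIDs are abbreviated to strings in this model. */
struct dce_entry { enum dce_tag tag; const char *cell_uuid;
                   const char *key_uuid; unsigned perms; };

/* The DIGITAL UNIX entry the translation produces (id -1 = implicit). */
enum du_tag { DU_USER, DU_GROUP, DU_USER_OBJ, DU_GROUP_OBJ, DU_OTHER_OBJ };
struct du_entry { enum du_tag tag; int id; unsigned perms; };

enum map_result { MAP_OK = 0, MAP_UNSUPPORTED = 1, MAP_NO_SUCH_ID = 2 };

/* Constructed stand-in for the file server's cell registry (UUID -> id).
   Only local-cell principals and groups exist here, so a foreign UUID
   cannot be resolved once its cell UUID has been dropped. */
struct reg_row { const char *uuid; bool is_group; int id; };
static const struct reg_row registry[] = {
    { "uuid-alice",  false, 1001 },
    { "uuid-bob",    false, 1002 },
    { "uuid-dfsadm", true,   200 },
};

static int registry_lookup(const char *uuid, bool want_group)
{
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].is_group == want_group &&
            strcmp(registry[i].uuid, uuid) == 0)
            return registry[i].id;
    return -1;
}

/* Translate one DCE ACL entry into a DIGITAL UNIX ACL entry. */
enum map_result map_entry(const struct dce_entry *in, struct du_entry *out)
{
    out->perms = in->perms & DU_BITS;          /* c, i and d have no home */
    out->id = -1;
    switch (in->tag) {
    case T_USER_OBJ:  out->tag = DU_USER_OBJ;  return MAP_OK;
    case T_GROUP_OBJ: out->tag = DU_GROUP_OBJ; return MAP_OK;
    case T_OTHER_OBJ: out->tag = DU_OTHER_OBJ; return MAP_OK;
    case T_USER: case T_GROUP: case T_FOREIGN_USER: case T_FOREIGN_GROUP: {
        /* The cell UUID is dropped; only the key UUID is looked up in
           the server's own registry, which is why foreign entries fail. */
        bool grp = in->tag == T_GROUP || in->tag == T_FOREIGN_GROUP;
        int id = registry_lookup(in->key_uuid, grp);
        if (id < 0)
            return MAP_NO_SUCH_ID;
        out->tag = grp ? DU_GROUP : DU_USER;
        out->id = id;
        return MAP_OK;
    }
    default:                      /* delegation tags, unauthenticated mask */
        return MAP_UNSUPPORTED;
    }
}

/* Partial support: DFS would require d to delete a file, but DIGITAL UNIX
   performs the delete when the caller holds write permission on it. */
bool du_delete_allowed(unsigned file_perms)
{
    return (file_perms & P_W) != 0;
}
```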
o Mapping between DCE ACLs and DIGITAL UNIX ACLs

  The mapping is done by a translation layer between DFS and the
  underlying physical file system at the server. In other words, none of
  this work has any bearing on the client portion of DFS.

  There is no space for a home cell UUID, so the server assigns the UUID
  of the cell that it belongs to as the home cell UUID of any ACL that
  it deals with.

  No "foreign" ACL entries are possible. The client can submit them, but
  the cell UUID is dropped before the mapping to a uid or gid is done
  (the mapping will fail in this case, since the foreign user or group
  UUID will not be found in the registry of this cell).

  The mapping between principal or group UUIDs on one hand and uids/gids
  on the other is done by querying the registry of the cell to which the
  file server belongs. It is assumed that the password files are
  synchronized with the registry or that a scheme like SIA is used.

  The permission bits need to be mapped appropriately. DFS simulates a
  mask_obj tag to satisfy operations that require its presence. However,
  the simulated mask_obj does not mask any permissions (its permissions
  are rwxcid).

  The initial_container and initial_object ACLs behave normally.

o Disabling ACL Operations

  You can disable the ACL support in the DFS server by setting a kernel
  global variable using the dbx debugger. After a new kernel that
  includes DFS support has been built, specify the following:

      cd /usr/sys/
      dbx -k vmunix
      patch dfs_acls_enabled = 0
      quit

  where is the name of the configuration you chose when executing
  doconfig.

  After disabling ACL, any remote ACL operations on DFS files return
  ENOTTY errors.

3.4.2 NFS-DFS Secure Gateway Server Administration

The NFS-DFS Secure Gateway server does not support the dfs_login and
dfs_logout programs. For authenticated access to DFS, users of
DCE-unaware NFS clients must authenticate to DCE from the Gateway Server
machine using a dfsgw add operation.
Refer to the OSF DCE DFS Administration Guide and Reference for
information about authenticating from a Gateway Server machine.

3.4.3 DFS Backup

DFS in this release relies on DIGITAL UNIX built-in file system backup
rather than using the backup facility included with OSF DFS. Refer to
your DIGITAL UNIX documentation for instructions on using the DIGITAL
UNIX file system backup facility.

3.4.4 Solutions to Common Problems with DCE DFS

Here are solutions to a few common problems that you may encounter with
DCE DFS.

o Running Commands Requiring the setuid Feature

  Commands that use the setuid feature (for example, the ps command) do
  not execute properly if used from the DFS namespace. Before running
  the commands, you must enable the setuid functionality on a per
  fileset basis by issuing the cm setsetuid command. Issue this command
  on each machine that needs to use these setuid commands after DFS has
  started, that is, after the system is in multiuser mode. See cm
  setsetuid(8dfs) in the OSF DCE DFS Administration Guide and Reference
  for more information.

o Running cron Jobs with DCE Credentials

  It is often necessary to run jobs asynchronously with DCE credentials.
  For example, you might run a job after hours that requires access to
  DFS. One way to have a job running under cron(1) or at(1) acquire DCE
  credentials is by using the -k option of the dce_login command. This
  option allows dce_login to acquire credentials by reading a key from a
  keytab file, rather than by getting a password interactively. Using
  the -k option along with the -e option, which allows an executable
  command to be specified on the command line, accomplishes the desired
  effect.

  The solution consists of two parts:

  First, decide on a principal with whose credentials the cron job
  should run. (Create a DCE user for this, if one does not exist
  already.) In the following example, the principal is designated with
  the placeholder PRINC. Then, as cell_admin, create a keytab file with
  a command similar to the following:

      dcecp -c keytab create PRINC.keytab \
            -storage /PATH/NAME/OF/KEYTAB \
            -data {PRINC plain 1 PASSWORD}

  where PASSWORD is the same password that was specified when the PRINC
  account was created in DCE. You may need the -noprivacy option if you
  do not have the privacy kit installed on the machine. The keytab file
  is created with root as the owner and 600 permissions. The ownership
  of the file has to be changed to the UNIX identity of the executor of
  the cron job.

  Next, you can add a line similar to the following to a crontab file
  to have cron run a script with the credentials of principal PRINC:

      5 20 * * 1-5 dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e /path/name/of/script

  to run the indicated script with the credentials of PRINC at 8:05
  p.m., Monday through Friday. See crontab(5) for more details on
  syntax.

  You can verify that the first step above worked by issuing the
  following command:

      dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e klist

  and making sure that the principal listed is indeed PRINC.


4. Known Problems and Restrictions

This section describes known problems in the DCE for DIGITAL UNIX
Version 3.0 release that are not described in the DCE for DIGITAL UNIX
Version 3.0 Release Notes.

4.1 Known Problem in the DCE for DIGITAL UNIX DFS Client

A known problem exists in the DCE for DIGITAL UNIX DFS client for both
Version 3.0 and Version 2.1. When a file is created, the user's umask is
applied to the mode bits before they are sent to the server. This
operation creates problems with ACL inheritance on ACL-capable servers.

Patches for DCE DFS Version 3.0 and Version 2.1 are available that fix
this problem on DIGITAL UNIX Version 4.0d systems. Use the procedure
outlined in your software support agreement to obtain these patches.
Unfortunately, no patch for this problem exists for earlier releases of
DIGITAL UNIX at this time.


Copyright (c) Compaq Computer Corporation 1999. All Rights reserved.

This software is proprietary to and embodies the confidential technology
of Compaq Computer Corporation. Possession, use, or copying of this
software and media is authorized only pursuant to a valid written
license from Compaq or an authorized sublicensor.

This ECO has not been through an exhaustive field test process. Due to
the experimental stage of this ECO/workaround, Compaq makes no
representations regarding its use or performance. The customer shall
have the sole responsibility for adequate protection and back-up of data
used in conjunction with this ECO/workaround.