Jump to page titleUNITED STATES
hp.com home products and services support and drivers solutions how to buy
» contact hp

more options
hp.com home
End of Jump to page title
HP Services Software Patches
Jump to content

» software & drivers
» ask Compaq
» reference library
» forums & communities
» support tools
» warranty information
» contact support
» parts
» give us feedback

patches by topic
» OpenVMS
» Security
» Tru64 Unix
» Ultrix 32
» Windows
» Windows NT

associated links
» what's new
» contract access
» browse patch tree
» search patch tree
» join mailing list

connection tools
» nameserver lookup
» traceroute
» ping

Find Support Information and Customer Communities for Presario.
Content starts here
DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary
TITLE: DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary
Modification Date:  29-MAR-1999
Modification Type:  Updated Kit  Supersedes DCEECO1030

Copyright (c) Compaq Computer Corporation 1998, 1999.  All rights reserved.

PRODUCT:  Digital Distributed Computing Environment (DCE)

OP/SYS:   Compaq Tru64 UNIX[R] (formerly Digital UNIX)

SOURCE:   Compaq Computer Corporation


     ECO Kit Name:  DCEECO2030
     ECO Kits Superseded by This ECO Kit:  DCEECO1030
     ECO Kit Approximate Size:  28000 Blocks
                             14336000 Bytes
     Kit Applies To:  Digital Distributing Computing Environment V3.0
                      Compaq Tru64 UNIX V4.0 through V4.0D
     System Reboot Necessary:  See INSTALLATION NOTES
     Installation Rating:  Information Not Available 

     Kit Dependencies:

       The following remedial kit(s) must be installed BEFORE
       installation of this kit:


       In order to receive all the corrections listed in this
       kit, the following remedial kits should also be installed:



An ECO kit exists for Digital Distributing Computing Environment (DCE)
V3.0 on Compaq Tru64 UNIX V4.0 through V4.0D (formerly Digital UNIX).  

The release notes contain a complete explanation of the problems
addressed in this ECO.  Briefly, the following problems are addressed 
in DCEECO2030:

Corrections to DFS ... This ECO2 release includes a fix for a dfsbind 
core dump.

Note that all of the following DFS corrections require rebuilding a
kernel and rebooting.

  o  A fix was completed that restricts the range of UDP ports used
     by DFS. Part one of the implementation was included in the
     Version 2.1 release: dfsbind reads the environment variable,
     RPC_RESTRICTED_PORTS, and passes the restriction down to the kernel.
     This ECO release includes part two of the fix: the kernel allocates
     ports in accordance with the restriction. This fix affects

  o  A fix was made to 'ACL check' for DFS objects which was failing
     due to an improper data type being passed to pioctl.

  o  This release includes a fix for the premature umask application
     to the mode bits before they are passed to the server.  It affects
     dcedfs.mod. This fix works in conjunction with changes incorporated
     into Compaq Tru64 UNIX Version 4.0D.  Because of this, the patch is
     disabled by default.

     If you are running a version of Tru64 UNIX earlier than 4.0D, do
     not attempt to enable this fix.  An appropriate patch for versions
     earlier than 4.0D is under development.

     If you do not need the umask fix, no action is required.

     If you are running Version 4.0D of Tru64 UNIX or higher and need
     the umask fix, you can enable it with the following procedure:

     1. Enter:
        dbx -k /vmunix
        patch dfs_umask_rawmode_fix_present = 1

     2. Verify that the change has been made:
        dbx -k /vmunix
        print dfs_umask_rawmode_fix_present

     3. Reboot.

  o  The Cache Manager now passes through the setuid/setgid mode bits of
     directories without changing the bits.  These bits still get turned
     off on regular files unless the client explicitly enables the
     capability to leave the bits unchanged.  This capability can be set on
     a fileset with the cm setsetuid command.  This change affects

  o  This release includes a change to the token expiration time of freely
     given tokens.  The change was made in response to a problem that
     caused clients to hang occasionally for approximately 4 minutes, and
     then return a communications failure.  The change affects dcedfs.mod.
  o  Because of insufficient locking, it was previously possible for
     requests from the kernel to the dfsbind process to be lost.
     Eventually the kernel would run out of request space and hang.
     Two fixes were made:

     1. Sufficient locking was added to prevent the loss of requests.
     2. The request queue is periodically pruned of old requests.  This
        enables the administrator to restart dfsbind only, instead of all
        of DFS, in the event of a problem, and to reclaim the resources
        that the kernel was using.
  o  This ECO includes a workaround that treats the following symptom: the
     system panics on shutdown when unmounting the DFS file system.  The
     change affects dcedfs.mod.
  o  The setpag() functionality has been enhanced. A PAG can be passed to
     setpag().  The kernel uses this to set the process's pag instead of
     generating a new one.  This feature is used by Kerberos modifications
     that allow a Kerberized application daemon to access the distributed
     file system, using forwarded Kerberos credentials.
  o  In previous versions, applying the client command "dcecp -c acl
     check" to a DFS object gave the wrong results.  This has been fixed.
     The change affects dcedfs.mod.

  o  Previously, because of a race condition on multi-processor machines,
     NFS server activity would, in some cases, initiate a call into DFS
     that resulted in a panic. This has been fixed. The change affects

Enhancements to DFS ... This section describes improvements and changes 
to the DFS service including the use of Tru64 UNIX ACLs, Gateway Server 
authentication, and file system backup. It also contains solutions to 
common DFS problems.

DFS and Compaq Tru64 UNIX ACLs

In this release, DFS allows the use of Tru64 UNIX ACLs for authorization 

  o  Using Tru64 UNIX ACLs

     Tru64 UNIX supports the use of generic ACLs on its two supported
     filesystems (UFS and AdvFs). The ACLs follow the POSIX model,
     providing a sequence of ACL entries, each consisting of a tag
     (type), an identifier for entries whose type requires it, and a
     set of permission bits, as shown in the following table.

                  Compaq Tru64 UNIX ACLs
         Tag           Identifier      Permission Bits
         user             uid                rxw
         group            gid                rxw
         user_obj                            rxw
         group_obj                           rxw
         other_obj                           rxw

     ACL entries tagged as user or group identify persons or groups
     that might attempt to perform some action on the directory or file.
     The Identifier is a user id (uid) for user tags or a group
     identifier (gid) for group tags. ACL entries tagged as user_obj,
     group_obj, and other_obj  do not use identifiers because these are
     implicit in the metadata of the directory or file. (See Note below.)
     The permissions are the standard UNIX read (r), write (w), and
     execute (x) permissions.

     Note:  Because DFS in this release maps uids and gids to specific
     users and groups, password files must be synchronized with the DCE
     Security registry. Enabling Security Integration Architecture (SIA)
     offers one way to synchronize uid and gid information with the DCE
     cell registry.

     Default ACLs for containers and objects are created following the
     same method as in the standard DCE DFS implementation.

  o  Compaq Tru64 UNIX ACL Limitations

     Tru64 UNIX ACLs lack the following functionality that is available
     with generic DCE ACLs:

     -- A set of "foreign" tags supporting users, groups, and objects
        from foreign cells.
     -- A set of "delegation" tags supporting delegation from users,
        groups, and objects in the local cell and in foreign cells.
     -- An unauthenticated mask controlling access for unauthenticated
     -- A cell name included in ACL identifiers which is used for
        foreign cell user authentication.
     -- A wider set of permission bits: (c) control, (i) insert,
        (d) delete

     An additional limitation of Tru64 UNIX ACLs is that the ACL
     identifiers are uids or gids instead of full DCE UUIDs.

     This release of DCE for Tru64 UNIX handles these ACL limitations
     by providing appropriate responses to administrative or user
     actions that involve Tru64 UNIX ACLs. People or programs that
     use or administer DFS proceed as normal DCE clients. A transparent
     translation layer in DCE DFS intercepts and deals with ACL

  o  DCE Responses to Tru64 UNIX ACL Operations

     Due to the limitations of Tru64 UNIX ACLs, some operations
     involving ACLs behave differently or return an error. Specific
     responses to Tru64 UNIX ACL operations depend on whether the
     operation is unsupported, totally supported, or partially supported.
     Unsupported operations, such as adding an entry for foreign_user or
     group_delegate, return an error.

     Totally supported operations, such as a user in the local cell
     requesting write access to a file, behave in the standard manner.
     Some operations are partially supported. Tru64 UNIX provides
     appropriate responses to certain operations even though the features
     for their support is lacking from the Tru64 UNIX ACLs. For example,
     a user attempts to delete a file from DFS. Normally, DFS requires the
     d (delete) permission but Tru64 UNIX performs the delete operation
     if the user has write permission on the file.

  o  Mapping between DCE ACLs and Tru64 UNIX ACLs

     The mapping is done by a translation layer between DFS and the
     underlying physical file system at the server. In other words, none
     of this work has any bearing on the client portion of DFS.

     There is no space for a home cell uuid, so the server assigns the
     UUID of the cell that it belongs to as the home cell UUID of any ACL
     that it deals with.

     No "foreign" ACL entries are possible. The client can submit them,
     but the cell UUID is dropped before the mapping to a uid or gid is
     done (the mapping will fail in this case, since the foreign user or
     group UUID will not be found in the registry of this cell).
     The mapping between principal or group UUIDs on one hand and uid/gids
     on the other is done by querying the registry of the cell to which
     the file server belongs. It is assumed that the password files are
     synchronized with the registry or a scheme like SIA is used.

     The permission bits need to be mapped appropriately.

     DFS simulates a mask_obj tag to satisfy operations that require
     its presence. However, the simulated mask_obj does not mask any
     permissions (its permissions are rwxcid).

     The initial_container and initial_object ACLs behave normally.

  o  Disabling ACL Operations

     You can disable the ACL support in the DFS server by setting a
     kernel global variable using the dbx debugger. After a new kernel
     that includes DFS support has been built, specify the following:

            cd /usr/sys/
            dbx -k vmunix
            patch dfs_acls_enabled = 0

     where  is the name of the configuration you chose when
     executing doconfig. After disabling ACL, any remote ACL
     operations on DFS files return ENOTTY errors.

  o  NFS-DFS Secure Gateway Server Administration

     The NFS-DFS Secure Gateway server does not support the dfs_login
     and dfs_logout programs. For authenticated access to DFS, users
     of DCE-unaware NFS clients must authenticate to DCE from the
     Gateway Server machine using a dfsgw add operation. Refer to the
     OSF DCE DFS Administration Guide and Reference for information
     about authenticating from a Gateway Server machine.

  o  DFS Backup

     DFS in this release relies on Tru64 UNIX built-in file system
     backup rather than using the backup facility included with OSF DFS.
     Refer to your Tru64 UNIX documentation for instructions on using
     the Tru64 UNIX file system backup facility.

  o  Solutions to Common Problems with DCE DFS

     Here are solutions to a few common problems that you may encounter
     with DCE DFS.

     -  Running Commands Requiring the setuid Feature

        Commands that use the setuid feature (for example, the ps command)
        do not execute properly if used from the DFS namespace. Before
        running the commands, you must enable the setuid functionality on a
        per fileset basis by issuing the cm setsetuid command. Issue this
        command on each machine that needs to use these setuid commands
        after DFS has started, that is, after the system is in multiuser
        mode. See cm setsetuid(8dfs) in the OSF DCE DFS Administration
        Guide and Reference for more information.

     -  Running cron Jobs with DCE Credentials

        It is often necessary to run jobs asynchronously with DCE
        credentials. For example, you might run a job after hours that
        requires access to DFS. One way to have a job running under
        cron(1) or at(1) acquire DCE credentials is by using the -k option
        of the dce_login command. This option allows dce_login to acquire
        credentials by reading a key from a keytab file, rather than by
        getting a password interactively. Using the -k option along with
        the -e option, which allows an executable command to be specified
        on the command line, accomplishes the desired effect.

        The solution consists of two parts:

        First, decide on a principal with whose credentials the cron job
        should run. (Create a DCE user for this, if one does not exist
        already.) In the following example, the principal is designated
        with the placeholder PRINC. Then, as cell_admin, create a keytab
        file with a command similar to the following:

               dcecp -c keytab create PRINC.keytab \
                            -storage /PATH/NAME/OF/KEYTAB \
                            -data {PRINC plain 1 PASSWORD}

        where the PASSWORD is the same password that was specified when 
        the PRINC account was created in DCE. You may need the -noprivacy 
        option if you do not have the privacy kit installed on the machine. 
        The keytab file is created with root as the owner and 600 permis-
        sions.  The ownership of the file has to be changed to the UNIX 
        identity of the executor of the cron job.

        Next, you can add a line similar to the following to a crontab file
        to have cron run a script with the credentials of principal PRINC:

        5 20 o  o  1-5 dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e

        to run the indicated script with the credentials of PRINC at 8:05
        p.m., Monday through Friday. See crontab(5) for more details on

        You can verify that the first step above worked by issuing the
        following command:

              dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e klist

        and making sure that the principal listed is indeed PRINC.

Briefly, the following problems are addressed in DCEECO1030: 

  o  Errors in OSF DCE Release 1.2.2 corrected in Maintenance Release 1
     from The Open Group

  o  A libidlcxx.so problem in the RPC automatic object reclamation
     service that causes properly written DCE applications to experience
     memory access violations

  o  Inability to run a DCE split server configuration in a mixed
     environment of Compaq Tru64 UNIX and IBM AIX systems

  o  Inability to run the Kerberos 5 compliant network utilities with SIA

  o  Problem using DFS in firewall environments because the DFS kernel
     does not properly implement port restrictions set using the
     RPC_RESTRICTED_PORTS environment variable

  o  Inability to run DCE SIA on Tru64 UNIX 4.0c systems


Follow these steps to install the DCE for Compaq Tru64 UNIX Version 3.0 
ECO2 kit.

1. Verify a successful installation of DCE for Tru64 UNIX Version 3.0
   before installing the ECO2 kit.

2. Untar the ECO2 kit into a local directory, using the following

   % tar xvf /DCEECO2030.tar

3. Use the setld procedure to start the installation procedure:

   %  setld -l ./output

4. Select the subsets to install from the following choices:


To install multiple subsets, enter the number of each subset
separated by a space as follows:


The subsets listed below are optional:

There may be more optional subsets than can be presented on a single
screen.  If this is the case, you can choose subsets screen by screen
or all at once on the last screen.  All of the choices you make will
be collected for your confirmation before any subsets are installed.

        1) DCE Application Developers Kit V3.0 ECO 2
        2) DCE Cell Directory Server V3.0 ECO 2
        3) DCE DFS Base V3.0 ECO 2
        4) DCE DFS Kernel Binaries V3.0 ECO 2
        5) DCE Runtime Services V3.0 ECO 2
        6) DCE Security Server V3.0 ECO 2

Or you may choose one of the following options:

     7) ALL of the above
     8) CANCEL selections and redisplay menus
     9) EXIT without installing any subsets

Enter your choices or press RETURN to redisplay menus.

Choices (for example, 1 2 4-6):

5.  After the installation successfully completes, restart DCE by
    entering the following command:

    %  /usr/sbin/dcesetup/start

[R]  UNIX is a registered trademark in the United States and other
     countries, licensed exclusively through X/Open Company Ltd.
Files on this server are as follows:
privacy statement using this site means you accept its terms