|
|
 |
DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary
|
TITLE: DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary
Modification Date: 29-MAR-1999
Modification Type: Updated Kit Supersedes DCEECO1030
Copyright (c) Compaq Computer Corporation 1998, 1999. All rights reserved.
PRODUCT: Digital Distributed Computing Environment (DCE)
OP/SYS: Compaq Tru64 UNIX[R] (formerly Digital UNIX)
SOURCE: Compaq Computer Corporation
ECO INFORMATION:
ECO Kit Name: DCEECO2030
ECO Kits Superseded by This ECO Kit: DCEECO1030
ECO Kit Approximate Size: 28000 Blocks
14336000 Bytes
Kit Applies To: Digital Distributing Computing Environment V3.0
Compaq Tru64 UNIX V4.0 through V4.0D
System Reboot Necessary: See INSTALLATION NOTES
Installation Rating: Information Not Available
Kit Dependencies:
The following remedial kit(s) must be installed BEFORE
installation of this kit:
None
In order to receive all the corrections listed in this
kit, the following remedial kits should also be installed:
None
ECO KIT SUMMARY:
An ECO kit exists for Digital Distributing Computing Environment (DCE)
V3.0 on Compaq Tru64 UNIX V4.0 through V4.0D (formerly Digital UNIX).
The release notes contain a complete explanation of the problems
addressed in this ECO. Briefly, the following problems are addressed
in DCEECO2030:
Corrections to DFS ... This ECO2 release includes a fix for a dfsbind
core dump.
Note that all of the following DFS corrections require rebuilding a
kernel and rebooting.
o A fix was completed that restricts the range of UDP ports used
by DFS. Part one of the implementation was included in the
Version 2.1 release: dfsbind reads the environment variable,
RPC_RESTRICTED_PORTS, and passes the restriction down to the kernel.
This ECO release includes part two of the fix: the kernel allocates
ports in accordance with the restriction. This fix affects
dcedfs.mod.
o A fix was made to 'ACL check' for DFS objects which was failing
due to an improper data type being passed to pioctl.
o This release includes a fix for the premature umask application
to the mode bits before they are passed to the server. It affects
dcedfs.mod. This fix works in conjunction with changes incorporated
into Compaq Tru64 UNIX Version 4.0D. Because of this, the patch is
disabled by default.
If you are running a version of Tru64 UNIX earlier than 4.0D, do
not attempt to enable this fix. An appropriate patch for versions
earlier than 4.0D is under development.
If you do not need the umask fix, no action is required.
If you are running Version 4.0D of Tru64 UNIX or higher and need
the umask fix, you can enable it with the following procedure:
1. Enter:
dbx -k /vmunix
patch dfs_umask_rawmode_fix_present = 1
quit
2. Verify that the change has been made:
dbx -k /vmunix
print dfs_umask_rawmode_fix_present
{THIS SHOULD PRINT 1}
quit
3. Reboot.
o The Cache Manager now passes through the setuid/setgid mode bits of
directories without changing the bits. These bits still get turned
off on regular files unless the client explicitly enables the
capability to leave the bits unchanged. This capability can be set on
a fileset with the cm setsetuid command. This change affects
dcedfs.mod.
o This release includes a change to the token expiration time of freely
given tokens. The change was made in response to a problem that
caused clients to hang occasionally for approximately 4 minutes, and
then return a communications failure. The change affects dcedfs.mod.
o Because of insufficient locking, it was previously possible for
requests from the kernel to the dfsbind process to be lost.
Eventually the kernel would run out of request space and hang.
Two fixes were made:
1. Sufficient locking was added to prevent the loss of requests.
2. The request queue is periodically pruned of old requests. This
enables the administrator to restart dfsbind only, instead of all
of DFS, in the event of a problem, and to reclaim the resources
that the kernel was using.
o This ECO includes a workaround that treats the following symptom: the
system panics on shutdown when unmounting the DFS file system. The
change affects dcedfs.mod.
o The setpag() functionality has been enhanced. A PAG can be passed to
setpag(). The kernel uses this to set the process's pag instead of
generating a new one. This feature is used by Kerberos modifications
that allow a Kerberized application daemon to access the distributed
file system, using forwarded Kerberos credentials.
o In previous versions, applying the client command "dcecp -c acl
check" to a DFS object gave the wrong results. This has been fixed.
The change affects dcedfs.mod.
o Previously, because of a race condition on multi-processor machines,
NFS server activity would, in some cases, initiate a call into DFS
that resulted in a panic. This has been fixed. The change affects
dcedfs.mod.
Enhancements to DFS ... This section describes improvements and changes
to the DFS service including the use of Tru64 UNIX ACLs, Gateway Server
authentication, and file system backup. It also contains solutions to
common DFS problems.
DFS and Compaq Tru64 UNIX ACLs
In this release, DFS allows the use of Tru64 UNIX ACLs for authorization
purposes.
o Using Tru64 UNIX ACLs
Tru64 UNIX supports the use of generic ACLs on its two supported
filesystems (UFS and AdvFs). The ACLs follow the POSIX model,
providing a sequence of ACL entries, each consisting of a tag
(type), an identifier for entries whose type requires it, and a
set of permission bits, as shown in the following table.
Compaq Tru64 UNIX ACLs
Tag Identifier Permission Bits
user uid rxw
group gid rxw
user_obj rxw
group_obj rxw
other_obj rxw
ACL entries tagged as user or group identify persons or groups
that might attempt to perform some action on the directory or file.
The Identifier is a user id (uid) for user tags or a group
identifier (gid) for group tags. ACL entries tagged as user_obj,
group_obj, and other_obj do not use identifiers because these are
implicit in the metadata of the directory or file. (See Note below.)
The permissions are the standard UNIX read (r), write (w), and
execute (x) permissions.
Note: Because DFS in this release maps uids and gids to specific
users and groups, password files must be synchronized with the DCE
Security registry. Enabling Security Integration Architecture (SIA)
offers one way to synchronize uid and gid information with the DCE
cell registry.
Default ACLs for containers and objects are created following the
same method as in the standard DCE DFS implementation.
o Compaq Tru64 UNIX ACL Limitations
Tru64 UNIX ACLs lack the following functionality that is available
with generic DCE ACLs:
-- A set of "foreign" tags supporting users, groups, and objects
from foreign cells.
-- A set of "delegation" tags supporting delegation from users,
groups, and objects in the local cell and in foreign cells.
-- An unauthenticated mask controlling access for unauthenticated
users.
-- A cell name included in ACL identifiers which is used for
foreign cell user authentication.
-- A wider set of permission bits: (c) control, (i) insert,
(d) delete
An additional limitation of Tru64 UNIX ACLs is that the ACL
identifiers are uids or gids instead of full DCE UUIDs.
This release of DCE for Tru64 UNIX handles these ACL limitations
by providing appropriate responses to administrative or user
actions that involve Tru64 UNIX ACLs. People or programs that
use or administer DFS proceed as normal DCE clients. A transparent
translation layer in DCE DFS intercepts and deals with ACL
operations.
o DCE Responses to Tru64 UNIX ACL Operations
Due to the limitations of Tru64 UNIX ACLs, some operations
involving ACLs behave differently or return an error. Specific
responses to Tru64 UNIX ACL operations depend on whether the
operation is unsupported, totally supported, or partially supported.
Unsupported operations, such as adding an entry for foreign_user or
group_delegate, return an error.
Totally supported operations, such as a user in the local cell
requesting write access to a file, behave in the standard manner.
Some operations are partially supported. Tru64 UNIX provides
appropriate responses to certain operations even though the features
for their support is lacking from the Tru64 UNIX ACLs. For example,
a user attempts to delete a file from DFS. Normally, DFS requires the
d (delete) permission but Tru64 UNIX performs the delete operation
if the user has write permission on the file.
o Mapping between DCE ACLs and Tru64 UNIX ACLs
The mapping is done by a translation layer between DFS and the
underlying physical file system at the server. In other words, none
of this work has any bearing on the client portion of DFS.
There is no space for a home cell uuid, so the server assigns the
UUID of the cell that it belongs to as the home cell UUID of any ACL
that it deals with.
No "foreign" ACL entries are possible. The client can submit them,
but the cell UUID is dropped before the mapping to a uid or gid is
done (the mapping will fail in this case, since the foreign user or
group UUID will not be found in the registry of this cell).
The mapping between principal or group UUIDs on one hand and uid/gids
on the other is done by querying the registry of the cell to which
the file server belongs. It is assumed that the password files are
synchronized with the registry or a scheme like SIA is used.
The permission bits need to be mapped appropriately.
DFS simulates a mask_obj tag to satisfy operations that require
its presence. However, the simulated mask_obj does not mask any
permissions (its permissions are rwxcid).
The initial_container and initial_object ACLs behave normally.
o Disabling ACL Operations
You can disable the ACL support in the DFS server by setting a
kernel global variable using the dbx debugger. After a new kernel
that includes DFS support has been built, specify the following:
cd /usr/sys/
dbx -k vmunix
patch dfs_acls_enabled = 0
quit
where is the name of the configuration you chose when
executing doconfig. After disabling ACL, any remote ACL
operations on DFS files return ENOTTY errors.
o NFS-DFS Secure Gateway Server Administration
The NFS-DFS Secure Gateway server does not support the dfs_login
and dfs_logout programs. For authenticated access to DFS, users
of DCE-unaware NFS clients must authenticate to DCE from the
Gateway Server machine using a dfsgw add operation. Refer to the
OSF DCE DFS Administration Guide and Reference for information
about authenticating from a Gateway Server machine.
o DFS Backup
DFS in this release relies on Tru64 UNIX built-in file system
backup rather than using the backup facility included with OSF DFS.
Refer to your Tru64 UNIX documentation for instructions on using
the Tru64 UNIX file system backup facility.
o Solutions to Common Problems with DCE DFS
Here are solutions to a few common problems that you may encounter
with DCE DFS.
- Running Commands Requiring the setuid Feature
Commands that use the setuid feature (for example, the ps command)
do not execute properly if used from the DFS namespace. Before
running the commands, you must enable the setuid functionality on a
per fileset basis by issuing the cm setsetuid command. Issue this
command on each machine that needs to use these setuid commands
after DFS has started, that is, after the system is in multiuser
mode. See cm setsetuid(8dfs) in the OSF DCE DFS Administration
Guide and Reference for more information.
- Running cron Jobs with DCE Credentials
It is often necessary to run jobs asynchronously with DCE
credentials. For example, you might run a job after hours that
requires access to DFS. One way to have a job running under
cron(1) or at(1) acquire DCE credentials is by using the -k option
of the dce_login command. This option allows dce_login to acquire
credentials by reading a key from a keytab file, rather than by
getting a password interactively. Using the -k option along with
the -e option, which allows an executable command to be specified
on the command line, accomplishes the desired effect.
The solution consists of two parts:
First, decide on a principal with whose credentials the cron job
should run. (Create a DCE user for this, if one does not exist
already.) In the following example, the principal is designated
with the placeholder PRINC. Then, as cell_admin, create a keytab
file with a command similar to the following:
dcecp -c keytab create PRINC.keytab \
-storage /PATH/NAME/OF/KEYTAB \
-data {PRINC plain 1 PASSWORD}
where the PASSWORD is the same password that was specified when
the PRINC account was created in DCE. You may need the -noprivacy
option if you do not have the privacy kit installed on the machine.
The keytab file is created with root as the owner and 600 permis-
sions. The ownership of the file has to be changed to the UNIX
identity of the executor of the cron job.
Next, you can add a line similar to the following to a crontab file
to have cron run a script with the credentials of principal PRINC:
5 20 o o 1-5 dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e
/path/name/of/script
to run the indicated script with the credentials of PRINC at 8:05
p.m., Monday through Friday. See crontab(5) for more details on
syntax.
You can verify that the first step above worked by issuing the
following command:
dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e klist
and making sure that the principal listed is indeed PRINC.
Briefly, the following problems are addressed in DCEECO1030:
o Errors in OSF DCE Release 1.2.2 corrected in Maintenance Release 1
from The Open Group
o A libidlcxx.so problem in the RPC automatic object reclamation
service that causes properly written DCE applications to experience
memory access violations
o Inability to run a DCE split server configuration in a mixed
environment of Compaq Tru64 UNIX and IBM AIX systems
o Inability to run the Kerberos 5 compliant network utilities with SIA
enabled
o Problem using DFS in firewall environments because the DFS kernel
does not properly implement port restrictions set using the
RPC_RESTRICTED_PORTS environment variable
o Inability to run DCE SIA on Tru64 UNIX 4.0c systems
INSTALLATION NOTES:
Follow these steps to install the DCE for Compaq Tru64 UNIX Version 3.0
ECO2 kit.
1. Verify a successful installation of DCE for Tru64 UNIX Version 3.0
before installing the ECO2 kit.
2. Untar the ECO2 kit into a local directory, using the following
command:
% tar xvf /DCEECO2030.tar
3. Use the setld procedure to start the installation procedure:
% setld -l ./output
4. Select the subsets to install from the following choices:
DCEADKECO2030
DCECDSECO2020
DCEDFSBINECO2030
DCEDFSECO2030
DCERTSECO2030
DCESECECO2030
To install multiple subsets, enter the number of each subset
separated by a space as follows:
DCEADKECO2030 DCECDSECO2020 DCEDFSECO2030 DCEDFSBINECO2030
DCERTSECO2030 DCESECECO2030
The subsets listed below are optional:
There may be more optional subsets than can be presented on a single
screen. If this is the case, you can choose subsets screen by screen
or all at once on the last screen. All of the choices you make will
be collected for your confirmation before any subsets are installed.
1) DCE Application Developers Kit V3.0 ECO 2
2) DCE Cell Directory Server V3.0 ECO 2
3) DCE DFS Base V3.0 ECO 2
4) DCE DFS Kernel Binaries V3.0 ECO 2
5) DCE Runtime Services V3.0 ECO 2
6) DCE Security Server V3.0 ECO 2
Or you may choose one of the following options:
7) ALL of the above
8) CANCEL selections and redisplay menus
9) EXIT without installing any subsets
Enter your choices or press RETURN to redisplay menus.
Choices (for example, 1 2 4-6):
5. After the installation successfully completes, restart DCE by
entering the following command:
% /usr/sbin/dcesetup/start
[R] UNIX is a registered trademark in the United States and other
countries, licensed exclusively through X/Open Company Ltd.
|
Files on this server are as follows:
|
»dceeco2030.README
»dceeco2030.CHKSUM
»dceeco2030.CVRLET_TXT
»dceeco2030.tar
|
