SEARCH CONTACT US SUPPORT SERVICES PRODUCTS STORE
United States    
COMPAQ STORE | PRODUCTS | SERVICES | SUPPORT | CONTACT US | SEARCH
security patches support
.
.
.
associated links
.
} what's new
.
} contract access
.
} browse patch tree
.
} search patches
.
} join mailing list
.
connection tools
.
} nameserver lookup
.
} traceroute
.
} ping
.
photo of jumper
.
.
.
. .

DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary

TITLE: DCE DCEECO2030 DCE V3.0 for Tru64 UNIX ECO Summary Modification Date: 29-MAR-1999 Modification Type: Updated Kit Supersedes DCEECO1030 Copyright (c) Compaq Computer Corporation 1998, 1999. All rights reserved. PRODUCT: Digital Distributed Computing Environment (DCE) OP/SYS: Compaq Tru64 UNIX[R] (formerly Digital UNIX) SOURCE: Compaq Computer Corporation ECO INFORMATION: ECO Kit Name: DCEECO2030 ECO Kits Superseded by This ECO Kit: DCEECO1030 ECO Kit Approximate Size: 28000 Blocks 14336000 Bytes Kit Applies To: Digital Distributing Computing Environment V3.0 Compaq Tru64 UNIX V4.0 through V4.0D System Reboot Necessary: See INSTALLATION NOTES Installation Rating: Information Not Available Kit Dependencies: The following remedial kit(s) must be installed BEFORE installation of this kit: None In order to receive all the corrections listed in this kit, the following remedial kits should also be installed: None ECO KIT SUMMARY: An ECO kit exists for Digital Distributing Computing Environment (DCE) V3.0 on Compaq Tru64 UNIX V4.0 through V4.0D (formerly Digital UNIX). The release notes contain a complete explanation of the problems addressed in this ECO. Briefly, the following problems are addressed in DCEECO2030: Corrections to DFS ... This ECO2 release includes a fix for a dfsbind core dump. Note that all of the following DFS corrections require rebuilding a kernel and rebooting. o A fix was completed that restricts the range of UDP ports used by DFS. Part one of the implementation was included in the Version 2.1 release: dfsbind reads the environment variable, RPC_RESTRICTED_PORTS, and passes the restriction down to the kernel. This ECO release includes part two of the fix: the kernel allocates ports in accordance with the restriction. This fix affects dcedfs.mod. o A fix was made to 'ACL check' for DFS objects which was failing due to an improper data type being passed to pioctl. o This release includes a fix for the premature umask application to the mode bits before they are passed to the server. It affects dcedfs.mod. This fix works in conjunction with changes incorporated into Compaq Tru64 UNIX Version 4.0D. Because of this, the patch is disabled by default. If you are running a version of Tru64 UNIX earlier than 4.0D, do not attempt to enable this fix. An appropriate patch for versions earlier than 4.0D is under development. If you do not need the umask fix, no action is required. If you are running Version 4.0D of Tru64 UNIX or higher and need the umask fix, you can enable it with the following procedure: 1. Enter: dbx -k /vmunix patch dfs_umask_rawmode_fix_present = 1 quit 2. Verify that the change has been made: dbx -k /vmunix print dfs_umask_rawmode_fix_present {THIS SHOULD PRINT 1} quit 3. Reboot. o The Cache Manager now passes through the setuid/setgid mode bits of directories without changing the bits. These bits still get turned off on regular files unless the client explicitly enables the capability to leave the bits unchanged. This capability can be set on a fileset with the cm setsetuid command. This change affects dcedfs.mod. o This release includes a change to the token expiration time of freely given tokens. The change was made in response to a problem that caused clients to hang occasionally for approximately 4 minutes, and then return a communications failure. The change affects dcedfs.mod. o Because of insufficient locking, it was previously possible for requests from the kernel to the dfsbind process to be lost. Eventually the kernel would run out of request space and hang. Two fixes were made: 1. Sufficient locking was added to prevent the loss of requests. 2. The request queue is periodically pruned of old requests. This enables the administrator to restart dfsbind only, instead of all of DFS, in the event of a problem, and to reclaim the resources that the kernel was using. o This ECO includes a workaround that treats the following symptom: the system panics on shutdown when unmounting the DFS file system. The change affects dcedfs.mod. o The setpag() functionality has been enhanced. A PAG can be passed to setpag(). The kernel uses this to set the process's pag instead of generating a new one. This feature is used by Kerberos modifications that allow a Kerberized application daemon to access the distributed file system, using forwarded Kerberos credentials. o In previous versions, applying the client command "dcecp -c acl check" to a DFS object gave the wrong results. This has been fixed. The change affects dcedfs.mod. o Previously, because of a race condition on multi-processor machines, NFS server activity would, in some cases, initiate a call into DFS that resulted in a panic. This has been fixed. The change affects dcedfs.mod. Enhancements to DFS ... This section describes improvements and changes to the DFS service including the use of Tru64 UNIX ACLs, Gateway Server authentication, and file system backup. It also contains solutions to common DFS problems. DFS and Compaq Tru64 UNIX ACLs In this release, DFS allows the use of Tru64 UNIX ACLs for authorization purposes. o Using Tru64 UNIX ACLs Tru64 UNIX supports the use of generic ACLs on its two supported filesystems (UFS and AdvFs). The ACLs follow the POSIX model, providing a sequence of ACL entries, each consisting of a tag (type), an identifier for entries whose type requires it, and a set of permission bits, as shown in the following table. Compaq Tru64 UNIX ACLs Tag Identifier Permission Bits user uid rxw group gid rxw user_obj rxw group_obj rxw other_obj rxw ACL entries tagged as user or group identify persons or groups that might attempt to perform some action on the directory or file. The Identifier is a user id (uid) for user tags or a group identifier (gid) for group tags. ACL entries tagged as user_obj, group_obj, and other_obj do not use identifiers because these are implicit in the metadata of the directory or file. (See Note below.) The permissions are the standard UNIX read (r), write (w), and execute (x) permissions. Note: Because DFS in this release maps uids and gids to specific users and groups, password files must be synchronized with the DCE Security registry. Enabling Security Integration Architecture (SIA) offers one way to synchronize uid and gid information with the DCE cell registry. Default ACLs for containers and objects are created following the same method as in the standard DCE DFS implementation. o Compaq Tru64 UNIX ACL Limitations Tru64 UNIX ACLs lack the following functionality that is available with generic DCE ACLs: -- A set of "foreign" tags supporting users, groups, and objects from foreign cells. -- A set of "delegation" tags supporting delegation from users, groups, and objects in the local cell and in foreign cells. -- An unauthenticated mask controlling access for unauthenticated users. -- A cell name included in ACL identifiers which is used for foreign cell user authentication. -- A wider set of permission bits: (c) control, (i) insert, (d) delete An additional limitation of Tru64 UNIX ACLs is that the ACL identifiers are uids or gids instead of full DCE UUIDs. This release of DCE for Tru64 UNIX handles these ACL limitations by providing appropriate responses to administrative or user actions that involve Tru64 UNIX ACLs. People or programs that use or administer DFS proceed as normal DCE clients. A transparent translation layer in DCE DFS intercepts and deals with ACL operations. o DCE Responses to Tru64 UNIX ACL Operations Due to the limitations of Tru64 UNIX ACLs, some operations involving ACLs behave differently or return an error. Specific responses to Tru64 UNIX ACL operations depend on whether the operation is unsupported, totally supported, or partially supported. Unsupported operations, such as adding an entry for foreign_user or group_delegate, return an error. Totally supported operations, such as a user in the local cell requesting write access to a file, behave in the standard manner. Some operations are partially supported. Tru64 UNIX provides appropriate responses to certain operations even though the features for their support is lacking from the Tru64 UNIX ACLs. For example, a user attempts to delete a file from DFS. Normally, DFS requires the d (delete) permission but Tru64 UNIX performs the delete operation if the user has write permission on the file. o Mapping between DCE ACLs and Tru64 UNIX ACLs The mapping is done by a translation layer between DFS and the underlying physical file system at the server. In other words, none of this work has any bearing on the client portion of DFS. There is no space for a home cell uuid, so the server assigns the UUID of the cell that it belongs to as the home cell UUID of any ACL that it deals with. No "foreign" ACL entries are possible. The client can submit them, but the cell UUID is dropped before the mapping to a uid or gid is done (the mapping will fail in this case, since the foreign user or group UUID will not be found in the registry of this cell). The mapping between principal or group UUIDs on one hand and uid/gids on the other is done by querying the registry of the cell to which the file server belongs. It is assumed that the password files are synchronized with the registry or a scheme like SIA is used. The permission bits need to be mapped appropriately. DFS simulates a mask_obj tag to satisfy operations that require its presence. However, the simulated mask_obj does not mask any permissions (its permissions are rwxcid). The initial_container and initial_object ACLs behave normally. o Disabling ACL Operations You can disable the ACL support in the DFS server by setting a kernel global variable using the dbx debugger. After a new kernel that includes DFS support has been built, specify the following: cd /usr/sys/ dbx -k vmunix patch dfs_acls_enabled = 0 quit where is the name of the configuration you chose when executing doconfig. After disabling ACL, any remote ACL operations on DFS files return ENOTTY errors. o NFS-DFS Secure Gateway Server Administration The NFS-DFS Secure Gateway server does not support the dfs_login and dfs_logout programs. For authenticated access to DFS, users of DCE-unaware NFS clients must authenticate to DCE from the Gateway Server machine using a dfsgw add operation. Refer to the OSF DCE DFS Administration Guide and Reference for information about authenticating from a Gateway Server machine. o DFS Backup DFS in this release relies on Tru64 UNIX built-in file system backup rather than using the backup facility included with OSF DFS. Refer to your Tru64 UNIX documentation for instructions on using the Tru64 UNIX file system backup facility. o Solutions to Common Problems with DCE DFS Here are solutions to a few common problems that you may encounter with DCE DFS. - Running Commands Requiring the setuid Feature Commands that use the setuid feature (for example, the ps command) do not execute properly if used from the DFS namespace. Before running the commands, you must enable the setuid functionality on a per fileset basis by issuing the cm setsetuid command. Issue this command on each machine that needs to use these setuid commands after DFS has started, that is, after the system is in multiuser mode. See cm setsetuid(8dfs) in the OSF DCE DFS Administration Guide and Reference for more information. - Running cron Jobs with DCE Credentials It is often necessary to run jobs asynchronously with DCE credentials. For example, you might run a job after hours that requires access to DFS. One way to have a job running under cron(1) or at(1) acquire DCE credentials is by using the -k option of the dce_login command. This option allows dce_login to acquire credentials by reading a key from a keytab file, rather than by getting a password interactively. Using the -k option along with the -e option, which allows an executable command to be specified on the command line, accomplishes the desired effect. The solution consists of two parts: First, decide on a principal with whose credentials the cron job should run. (Create a DCE user for this, if one does not exist already.) In the following example, the principal is designated with the placeholder PRINC. Then, as cell_admin, create a keytab file with a command similar to the following: dcecp -c keytab create PRINC.keytab \ -storage /PATH/NAME/OF/KEYTAB \ -data {PRINC plain 1 PASSWORD} where the PASSWORD is the same password that was specified when the PRINC account was created in DCE. You may need the -noprivacy option if you do not have the privacy kit installed on the machine. The keytab file is created with root as the owner and 600 permis- sions. The ownership of the file has to be changed to the UNIX identity of the executor of the cron job. Next, you can add a line similar to the following to a crontab file to have cron run a script with the credentials of principal PRINC: 5 20 o o 1-5 dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e /path/name/of/script to run the indicated script with the credentials of PRINC at 8:05 p.m., Monday through Friday. See crontab(5) for more details on syntax. You can verify that the first step above worked by issuing the following command: dce_login PRINC -k /PATH/NAME/OF/KEYTAB -e klist and making sure that the principal listed is indeed PRINC. Briefly, the following problems are addressed in DCEECO1030: o Errors in OSF DCE Release 1.2.2 corrected in Maintenance Release 1 from The Open Group o A libidlcxx.so problem in the RPC automatic object reclamation service that causes properly written DCE applications to experience memory access violations o Inability to run a DCE split server configuration in a mixed environment of Compaq Tru64 UNIX and IBM AIX systems o Inability to run the Kerberos 5 compliant network utilities with SIA enabled o Problem using DFS in firewall environments because the DFS kernel does not properly implement port restrictions set using the RPC_RESTRICTED_PORTS environment variable o Inability to run DCE SIA on Tru64 UNIX 4.0c systems INSTALLATION NOTES: Follow these steps to install the DCE for Compaq Tru64 UNIX Version 3.0 ECO2 kit. 1. Verify a successful installation of DCE for Tru64 UNIX Version 3.0 before installing the ECO2 kit. 2. Untar the ECO2 kit into a local directory, using the following command: % tar xvf /DCEECO2030.tar 3. Use the setld procedure to start the installation procedure: % setld -l ./output 4. Select the subsets to install from the following choices: DCEADKECO2030 DCECDSECO2020 DCEDFSBINECO2030 DCEDFSECO2030 DCERTSECO2030 DCESECECO2030 To install multiple subsets, enter the number of each subset separated by a space as follows: DCEADKECO2030 DCECDSECO2020 DCEDFSECO2030 DCEDFSBINECO2030 DCERTSECO2030 DCESECECO2030 The subsets listed below are optional: There may be more optional subsets than can be presented on a single screen. If this is the case, you can choose subsets screen by screen or all at once on the last screen. All of the choices you make will be collected for your confirmation before any subsets are installed. 1) DCE Application Developers Kit V3.0 ECO 2 2) DCE Cell Directory Server V3.0 ECO 2 3) DCE DFS Base V3.0 ECO 2 4) DCE DFS Kernel Binaries V3.0 ECO 2 5) DCE Runtime Services V3.0 ECO 2 6) DCE Security Server V3.0 ECO 2 Or you may choose one of the following options: 7) ALL of the above 8) CANCEL selections and redisplay menus 9) EXIT without installing any subsets Enter your choices or press RETURN to redisplay menus. Choices (for example, 1 2 4-6): 5. After the installation successfully completes, restart DCE by entering the following command: % /usr/sbin/dcesetup/start [R] UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Ltd.



This patch can be found at any of these sites:

Colorado Site
Georgia Site
European Site



Files on this server are as follows:

dceeco2030.README
dceeco2030.CHKSUM
dceeco2030.CVRLET_TXT
dceeco2030.tar
.
1.800.AT.COMPAQ .

privacy and legal statement