
The DCE Cell

A DCE cell is a collection of machines, users, and resources managed as a group. For example, imagine an organization comprised of several departments, each in a different building and operating on its own budget. Each department in such an organization could have its own DCE cell.

A cell has its own security service, Cell Directory Service, and optionally, Distributed File Service; these services are available cell-wide. The security service for a cell manages the cell's registry, where user account information is kept. Each cell has its own namespace; the Cell Directory Service for the cell manages that namespace and its hierarchy. If DFS is present in the cell, the Distributed File Service allows remote access to files from anywhere in the cell. Each cell also has its own Distributed Time Service, which keeps the clocks on all of the machines in the cell synchronized.

A cell provides a single security domain. Users log into accounts in a cell. Access control lists (ACLs) identify users and groups in the cell (they can also refer to users and groups in other cells). A cell also provides a single naming domain. Each cell has a name, and all objects in the cell share that name.

DCE cells can be connected so that they can communicate with each other. Going back to the example, if the different departments' cells are connected, then a user in one department's cell may be able to access resources in another department's cell, although this access would typically be less frequent and more restricted than access to resources within the user's own cell.

Cells connect to each other by means of a global directory service. A cell's name is registered in a global directory service, and the cell is then able to contact other cells registered in that global service. Note that communication between DCE cells is not automatic. Cells that wish to communicate with each other must first establish a trust relationship between their cells' Security Services; this process is called cross-cell authentication and is described in more detail in DCE Technology Components.

A cell can have more than one name. In this case, one of the cell's names is designated its primary name while the other names are the cell's alias names. The cell's primary name is the default name for the cell; that is, it is the name that DCE services return. Cell name aliasing permits a cell to be registered in more than one global namespace. It also provides a way to change a cell's name if the need arises, for example, to respond to organizational changes within the company. For more information on how to create cell name aliases for a cell, see the OSF DCE Administration Guide - Introduction and the OSF DCE Administration Guide - Core Components.

A DCE cell can be configured in many ways, depending on its users' requirements. A cell consists of a network connecting three kinds of nodes: DCE user machines, DCE administrator machines, and DCE server machines. DCE user machines are general-purpose DCE machines. They contain software that enables them to act as clients to all of the DCE services. DCE administrator machines contain software that enables a DCE administrator to manage DCE system services remotely.

The DCE server machines are equipped with special software enabling them to provide one or more of the DCE services. Every cell must have at least one each of the following servers in order to function:

· Cell Directory Server

· Security Server

· Distributed Time Server

Other DCE servers may be present in a given DCE cell to provide additional functionality: a Global Directory Agent may be present to enable the cell's directory server to communicate with other cells' directory servers; a Global Directory Server may be present to provide X.500 directory service; and Distributed File Servers may be present to provide storage of files and the special functions of the Local File System. (See DCE Configuration of this manual for more detailed information on DCE cell configuration.)