Administrative Lists

Many tasks require that users, groups, and machines be added to one or more administrative lists. Summaries of the different DFS administrative lists and the types of tasks associated with each list follow:

· The admin.fl list is associated with the Fileset Location (FL) Server. It designates the users and groups permitted to create server entries and fileset entries in the Fileset Location Database (FLDB). Because the FLDB is usually replicated to several different machines in the cell, you need to ensure that the admin.fl lists on all machines that house the FLDB are identical; otherwise, an administrator may be able to execute a command from one machine but not from another. You also need to ensure that the abbreviated DFS server principals of all Fileset Database machines are included in the admin.fl list (they can be present as members of a group); otherwise, the synchronization site for the FLDB may not be able to propagate changes to the database to the secondary sites.

· The admin.ft list is associated with the Fileset Server. It designates the users and groups permitted to administer filesets on a machine. Because some fileset operations (such as moving filesets) affect multiple machines, the server principal names of the machines involved in the operations must also be in this administrative list. To simplify management, it is best that the server principal names of all server machines in the domain be represented in the admin.ft list on the System Control machine so that the list is distributed to all File Server machines in the domain. Note that the server principals can be included directly, or a group to which they belong can be included.

· The admin.up list is associated with the Update Server. It contains the server principals for all server machines in the domain, allowing the upclient processes on those machines to obtain files such as common configuration files, binary files, and administrative lists from the upserver process. The list should be stored on machines such as the System Control machine and the Binary Distribution machine, which run the upserver process.

· The admin.bos list is associated with the BOS Server. It designates the users and groups permitted to create, start, and stop DFS server processes and other processes to be controlled by the BOS Server on a machine. The BOS Server runs as root, so processes that it starts run with root privileges. Because users in the admin.bos list can direct the BOS Server to start any process, and because they can add and remove members from the other administrative lists on the machine, they are usually a subset of the users in the other lists for a machine or domain.

· The admin.bak list is associated with the Backup Server. It designates the users and groups allowed to issue commands in the bak command suite. These commands are used to configure the Backup System and to dump and restore data. The Backup Database, like the FLDB, is typically replicated to several different machines in the cell. Therefore, you need to ensure that the admin.bak lists on all machines that house the Backup Database are identical. You also need to ensure that the admin.bak list includes the abbreviated DFS server principals of all Backup Database machines to make sure that the synchronization site for the Backup Database can propagate changes to the secondary sites (the server principals can be present as members of a group).

Many tasks require that a user be included on multiple lists; for example, to move a fileset from one server machine to another, you must be included in the admin.ft list on the source machine, and you and the server principal for the source machine must be listed in the admin.ft list on the destination machine. You must also be included in the admin.fl list on all machines on which the FLDB is stored. The check by the DFS server processes to ensure that the issuer of a command is included in the proper administrative lists is referred to as DFS authorization checking.
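The multi-list requirement for a fileset move described above can be checked ahead of time. The following is an added example, not part of the original guide or of DFS itself: it models the lists as plain sets, and every machine, user, group and principal name in it is constructed; group membership is expanded one level only, which is an assumption of the model.

```python
# Added example: models DFS authorization checking for a fileset move.
# All machine, user, group and principal names below are constructed.

def effective_members(entries, groups):
    """Direct entries of a list plus the members of any group it names."""
    members = set(entries)
    for entry in entries:
        members |= groups.get(entry, set())
    return members

def check_fileset_move(user, source, dest, fldb_machines, lists, groups, principals):
    """Return (who, list, machine) tuples for every entry the move still needs.

    lists:      {machine: {list name: set of users/groups/principals}}
    groups:     {group: set of members} (one level of expansion, an assumption)
    principals: {machine: abbreviated DFS server principal}
    """
    missing = []

    def require(who, list_name, machine):
        entries = lists.get(machine, {}).get(list_name, set())
        if who not in effective_members(entries, groups):
            missing.append((who, list_name, machine))

    require(user, "admin.ft", source)               # issuer on the source machine
    require(user, "admin.ft", dest)                 # issuer on the destination
    require(principals[source], "admin.ft", dest)   # source server principal
    for machine in fldb_machines:                   # every machine housing the FLDB
        require(user, "admin.fl", machine)
    return missing

# Constructed sample cell: two File Server machines, two FLDB machines.
GROUPS = {"dfs-servers": {"hosts/fs1/dfs-server", "hosts/fs2/dfs-server"}}
PRINCIPALS = {"fs1": "hosts/fs1/dfs-server", "fs2": "hosts/fs2/dfs-server"}
LISTS = {
    "fs1": {"admin.ft": {"alice", "dfs-servers"}},
    "fs2": {"admin.ft": {"alice", "dfs-servers"}},
    "db1": {"admin.fl": {"alice"}},
    "db2": {"admin.fl": {"bob"}},   # diverged from db1: the lists are not identical
}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, check_fileset_move(user, "fs1", "fs2", ["db1", "db2"],
                                       LISTS, GROUPS, PRINCIPALS))
```

With the sample data, alice passes every admin.ft check (the source server principal is satisfied through the group) but is reported missing from admin.fl on db2, which is the failure that non-identical admin.fl lists on FLDB machines produce.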

In this guide, the specific privileges required to execute commands are detailed with each task. (See Part 2 of this guide and reference for complete information about the administrative privileges and permissions required to issue each DFS command.) Note that the names of the administrative lists are only recommendations; different names can be specified when the respective processes are started.