Disabling DFS Authorization Checking on a Server Machine

DFS authorization checking involves a server process checking the proper administrative list to ensure that the issuer of a command has the necessary administrative privilege to execute the command. If the issuer is a member of the list, the process performs the requested operation; if the issuer is not a member of the list, the process does not perform the operation.

By default, DFS authorization checking is enabled on every server machine. You can disable it on a machine by

· Including the -noauth option with the bosserver command when the BOS Server is started on the machine.

· Issuing the bos setauth command and specifying the machine with the command's -server option.

· Manually creating the zero-length file dcelocal/var/dfs/NoAuth on the local disk of the machine; the first two methods create this file automatically.

All DFS server processes, including the BOS Server, check for the presence of the NoAuth file each time they are asked to perform an operation. While the file exists they skip the administrative-list check entirely and perform the operation regardless of who issued it; no restart is involved, so the file takes effect, and stops taking effect, as soon as it appears or disappears. Consider disabling authorization checking on a machine in the following situations:

· During initial DFS installation, by including the -noauth option with the bosserver command. Before administrative lists have been created or users have been added to the lists, no one has the necessary privilege to issue an administrative command.

· If some component of the Security Service is unavailable, by manually creating the NoAuth file. If the secd process or a related security process is unavailable, the issuer of a command cannot acquire the security credentials that DFS server processes need in order to verify administrative privilege; because bos setauth is itself a command that must be authorized, the file has to be created by hand rather than with that command. In this case, the -noauth option must also be included with each command issued to bypass the unavailable Security Service. (See Using the -noauth Option.)

· During server encryption key emergencies, by manually creating the NoAuth file. Improper keys may make it impossible for DFS server processes to verify a user's administrative privilege. The -noauth option can again be used to circumvent the security problems.

· To view the actual keys stored in a keytab file, by issuing the bos setauth command. If authorization checking is enabled, checksums are displayed rather than the actual keys. (See Using Keytab Files.)

Never disable DFS authorization checking for longer than is absolutely necessary. While it is disabled, anyone who can reach the machine, including the unprivileged identity nobody, can execute any DFS command against it. Re-enable DFS authorization checking (the normal state) with the bos setauth command as soon as the task that required disabling it is complete, and use the bos status command to confirm that the machine reports authorization checking as enabled; check bos status routinely as well, so that a NoAuth file left behind by an emergency is not overlooked.
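The following script is an added example, not part of the DCE DFS documentation or the DFS product, showing how an operator can audit and record the manual NoAuth method described above. It assumes, beyond what the page states, that dcelocal is /opt/dcelocal unless the DCELOCAL environment variable says otherwise, that a NoAuth file older than a chosen number of minutes should be flagged as having been left in place too long, and that a sibling file NoAuth.log is an acceptable place to record who created the file and when. It only inspects and creates the file; re-enabling checking and confirming the result are still done with bos setauth and bos status as the page describes.

```shell
#!/bin/sh
# Added example (not part of the DCE DFS documentation): audit the NoAuth
# file that disables DFS authorization checking on a server machine.
#
# Assumptions not stated on the page: dcelocal defaults to /opt/dcelocal
# (override with DCELOCAL), a NoAuth file older than MAX_MIN minutes is
# "stale", and creation is recorded in a sibling file NoAuth.log.

# Print the path of the NoAuth file beneath a given dcelocal root.
dfs_noauth_path() {
    printf '%s/var/dfs/NoAuth\n' "${1:-${DCELOCAL:-/opt/dcelocal}}"
}

# Report the authorization-checking state implied by the NoAuth file:
#   enabled        - no NoAuth file; server processes consult admin lists
#   disabled       - NoAuth file present and newer than MAX_MIN minutes
#   disabled-stale - NoAuth file present and older than MAX_MIN minutes
# Always returns 0 so callers can capture the word with $(...) under set -e.
dfs_auth_state() {
    dcelocal=$1
    max_min=${2:-60}
    f=$(dfs_noauth_path "$dcelocal")
    if [ ! -e "$f" ]; then
        echo enabled
    elif [ -n "$(find "$f" -mmin +"$max_min" 2>/dev/null)" ]; then
        echo disabled-stale
    else
        echo disabled
    fi
    return 0
}

# Create the zero-length NoAuth file by hand (the documented manual method),
# recording who did it and when so the emergency is auditable afterwards.
# Refuses to touch an existing file so its original timestamp is preserved.
dfs_disable_auth() {
    f=$(dfs_noauth_path "$1")
    if [ -e "$f" ]; then
        echo "NoAuth already present at $f" >&2
        return 1
    fi
    : > "$f"   # zero-length: DFS server processes test only for its presence
    printf '%s NoAuth created by %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
        >> "$(dirname "$f")/NoAuth.log"
}

# When run directly as dfs_noauth_check.sh (e.g. from cron), exit non-zero
# whenever checking is disabled so an operator is paged.  Re-enable with
# bos setauth and confirm with bos status, as the page describes.
if [ "${0##*/}" = "dfs_noauth_check.sh" ]; then
    state=$(dfs_auth_state "${DCELOCAL:-/opt/dcelocal}" "${1:-60}")
    echo "DFS authorization checking: $state"
    [ "$state" = enabled ]
fi
```

The state function deliberately never reports "enabled" from anything but the absence of the file, because the page says every DFS server process decides purely on the file's presence; a monitoring job that also runs bos status against the machine would catch the case where the file was removed by hand but the BOS Server has not been asked to re-enable checking with bos setauth.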

More:

Using the -noauth Option

Disabling or Enabling DFS Authorization Checking