You must perform the following steps to configure a DCE client that is not a DFS server machine of some type (for example, a File Server machine or a Backup Database machine) as a Tape Coordinator machine. For a client-only machine, perform these steps before you perform the steps in Steps Required for All Machines; perform the steps on the machine that is to be configured as a Tape Coordinator machine. Do not perform these steps for a machine that is configured as some type of DFS server machine.
1. Verify that the dcelocal/var/dfs and dcelocal/var/dfs/backup directories exist on the machine. Create the directories if they do not already exist.
2. Verify that you have the permissions necessary to create and modify principals and accounts in the Registry Database (for example, you need the i (insert) permission to create a principal in the hosts/hostname directory, where hostname is the name of the machine to be configured as a Tape Coordinator machine). If necessary, use the dcecp acl show command to determine your permissions for a directory.
3. Use the dcecp principal create command to create a DFS server principal for the client machine that is to be configured as a Tape Coordinator machine:
$ dcecp
dcecp> principal create hosts/hostname/dfs-server
In the command, hostname is the name of the machine to be configured as a Tape Coordinator machine (for example, client1). The DFS server principal created in this step is used in all subsequent steps that require the DFS server principal of the machine. (Machines configured as some type of DFS server machine receive DFS server principals when they are configured.)
4. Use the dcecp account create command to create an account for the DFS server principal of the machine:
dcecp> account create hosts/hostname/dfs-server \
> -group subsys/dce/dfs-admin -org none \
> -password acct_password -mypwd your_password
In the command, hosts/hostname/dfs-server is the DFS server principal for which an account is to be created. The remaining options provide the following information:
· The -group subsys/dce/dfs-admin option specifies that the primary group of the account is to be the group named subsys/dce/dfs-admin. (The DFS server principals of all machines configured as some type of DFS server machine are added to this group when the machines are configured.)
· The -org none option specifies that the organization of the account is to be the organization named none.
· The -password acct_password option provides the password for the account of the DFS server principal. Choose a string that you can remember. You use the dcecp keytab add command to generate a random password for the account later in these instructions, so you do not need to enter a complex password at this time.
· The -mypwd your_password option is your password (the password for the DCE account to which you are currently authenticated).
5. Use the dcecp keytab add command to add a server encryption key for the DFS server principal to the default local keytab file, /krb5/v5srvtab. The dced process recognizes the keytab file by the name self. The command creates the keytab file if the file does not already exist. Use the -member option to specify the name of the DFS server principal, and use the -key option to specify the password that you entered for the principal's account in the previous step.
dcecp> keytab add self -member hosts/hostname/dfs-server \
> -key acct_password
6. Use the dcecp keytab add command to create a new server encryption key for the DFS server principal. Use the -member option to specify the name of the DFS server principal. The -random option directs the command to generate a random string for use as the principal's server encryption key, and the -registry option directs the command to update the password of the principal's account in the registry database to match the randomly generated encryption key.
dcecp> keytab add self -member hosts/hostname/dfs-server \
> -random -registry
7. Use the dcecp acl modify command with the -add option to add an entry for the group subsys/dce/dfs-admin to the ACL of the entry for the DFS server principal in the security namespace. The -add option provides the ACL entry to be added to the ACL of the principal's entry. The permissions included in the ACL entry allow members of the specified group to perform all required operations on the principal's entry.
dcecp> acl modify /.../cellname/sec/principal/hosts/hostname/dfs-server \
> -add {group subsys/dce/dfs-admin rcDnfmag}
dcecp> exit
Once you have completed these steps, perform all of the steps in Steps Required for All Machines.
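The following shell functions are an added example, not part of the original guide. They cover the directory check from step 1 and a check that the keytab file written in steps 5 and 6 is not accessible to group or other. The function names and the /opt/dcelocal default for dcelocal are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original guide).
# Assumption: dcelocal is /opt/dcelocal unless DCELOCAL is set in the environment.
DCELOCAL=${DCELOCAL:-/opt/dcelocal}
KEYTAB=${KEYTAB:-/krb5/v5srvtab}

# Step 1: verify that dcelocal/var/dfs and dcelocal/var/dfs/backup exist,
# creating them if they do not. Returns non-zero if creation fails.
ensure_dfs_dirs() {
    root=$1
    for d in "$root/var/dfs" "$root/var/dfs/backup"; do
        [ -d "$d" ] || mkdir -p "$d" || return 1
    done
    return 0
}

# After steps 5 and 6: the keytab holds the server encryption key of the
# DFS server principal, so it should be a regular file with no group or
# other permission bits set.
# Returns 0 = ok, 1 = missing, 2 = symbolic link or too permissive.
check_keytab() {
    kt=$1
    [ -L "$kt" ] && return 2
    [ -f "$kt" ] || return 1
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$kt" | cut -c5-10)
    [ "$mode" = "------" ] || return 2
    return 0
}

# Run both checks and report. Invoke the script with --check to use it.
verify_tape_coordinator_host() {
    ensure_dfs_dirs "$DCELOCAL" || { echo "cannot create DFS directories" >&2; return 1; }
    rc=0
    check_keytab "$KEYTAB" || rc=$?
    case $rc in
        0) echo "keytab $KEYTAB: ok" ;;
        1) echo "keytab $KEYTAB: not found (run steps 5 and 6 first)" >&2 ;;
        2) echo "keytab $KEYTAB: symbolic link or group/other access set" >&2 ;;
    esac
    return $rc
}

if [ "${1:-}" = "--check" ]; then
    verify_tape_coordinator_host
fi
```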