Indicates that DFS authorization checking is disabled
Description
The NoAuth file is a zero-length file that dictates whether DFS authorization checking is enabled or disabled on a server machine. The presence of the NoAuth file in the dcelocal/var/dfs directory on a local disk indicates to all DFS server processes on that machine that DFS authorization checking is disabled. All DFS server processes, including the BOS Server, check for the presence of the file when they are requested to perform an operation; they do not check for the necessary administrative privilege for a requested operation when the file is present.
When the NoAuth file is present in dcelocal/var/dfs on a server machine, DFS authorization checking is disabled on that machine. The server processes on the machine perform any action for any user who requests it, including the unprivileged identity nobody. Disabling DFS authorization checking is a serious security risk; it should be disabled only in the following situations:
· During initial DFS installation
· If the Security Service is unavailable
· During server encryption key emergencies
· To view the actual keys stored in a keytab file
When the NoAuth file is not present in dcelocal/var/dfs on a server machine, DFS authorization checking is enabled on that machine. All DFS server processes on the machine check that the issuer of a command has the proper authorization (is included in the necessary administrative lists) before they perform the requested operation. By default, DFS authorization checking is always enabled on every server machine.
The bos status command can be used to determine whether DFS authorization checking is enabled or disabled on a server machine. The command displays the following message if DFS authorization checking is disabled on a machine (it does not display the message if DFS authorization checking is enabled):
Bosserver reports machine is not checking authorization.
The BOS Server on a server machine creates the NoAuth file when an authorized user (one listed in the admin.bos file on the machine) executes the bos setauth command with the -authchecking option set to off (the file can also be created with the -noauth option of the bosserver command used to start the BOS Server). The BOS Server removes the file when a user executes the bos setauth command with the -authchecking option set to on. Whenever the bos setauth command is used to change the state of DFS authorization checking, all server processes immediately recognize the changed state and respond accordingly to any subsequent commands.
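The two indicators described above (the NoAuth file and the bos status message) can be cross-checked from a defender's side. The following is an added example, not part of the original reference page; the function names, return codes, and the convention of passing the dcelocal root and a saved copy of bos status output as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a DFS server machine for disabled authorization checking.
# Message text is the one this page says bos status prints when checking is off.
NOAUTH_MSG="Bosserver reports machine is not checking authorization."

# noauth_file_state ROOT -> absent | present | present-nonempty
# ROOT is the installation-specific dcelocal directory (hypothetical argument).
noauth_file_state() {
    f="$1/var/dfs/NoAuth"
    if [ ! -e "$f" ]; then echo absent
    elif [ -s "$f" ]; then echo present-nonempty   # page says the file is zero-length
    else echo present
    fi
}

# bos_reports_noauth: reads saved bos status output on stdin -> yes | no
bos_reports_noauth() {
    if grep -qF "$NOAUTH_MSG"; then echo yes; else echo no; fi
}

# audit_noauth ROOT BOS_OUTPUT_FILE
# Returns 0 = checking enabled, 1 = checking disabled, 2 = indicators disagree.
audit_noauth() {
    file_state=$(noauth_file_state "$1")
    bos_state=$(bos_reports_noauth < "$2")
    case "$file_state:$bos_state" in
        absent:no)   echo "OK: DFS authorization checking is enabled"; return 0 ;;
        absent:yes)  echo "MISMATCH: bos status reports disabled, NoAuth file absent"; return 2 ;;
        present*:no) echo "MISMATCH: NoAuth file exists ($file_state), bos status silent"; return 2 ;;
        *)           echo "ALERT: DFS authorization checking is disabled ($file_state)"; return 1 ;;
    esac
}

# Constructed demo (not real server output): scratch tree containing a NoAuth file.
demo_noauth() {
    d=$(mktemp -d) && mkdir -p "$d/var/dfs" && : > "$d/var/dfs/NoAuth"
    printf '%s\n' "$NOAUTH_MSG" > "$d/bos.txt"
    audit_noauth "$d" "$d/bos.txt"; demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

# Usage: script DCELOCAL_ROOT SAVED_BOS_STATUS_OUTPUT
if [ "$#" -eq 2 ]; then audit_noauth "$1" "$2"; fi
```

A MISMATCH result usually means the saved bos status output is stale or came from a different machine than the directory being inspected.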
Cautions
Always use the bos setauth command to create the dcelocal/var/dfs/NoAuth file. Do not create the file directly except when explicitly told to do so by instructions for dealing with emergencies (such as server encryption key emergencies). Creating the file directly requires logging into the local operating system of a machine as root and using the touch command (or its equivalent).
Related Information
Commands: bos setauth(8dfs)