bos setauth(8dfs)

Enables or disables DFS authorization checking for all DFS server processes on a machine

Synopsis

bos setauth -server machine -authchecking {on | off} [{-noauth | -localauth}] [-help]

Options

-server machine
Names the server machine on which the status of DFS authorization checking is to change. The BOS Server on this machine executes the command. To run this command using a privileged identity, specify the full DCE path name of the machine. To run this command using the unprivileged identity nobody (the equivalent of running the command with the -noauth option), specify the machine's host name or IP address.

-authchecking
Determines whether or not server processes on the machine check for DFS authorization. A value of on enables DFS authorization checking; a value of off disables it.

-noauth
Directs bos to use the unprivileged identity nobody as the identity of the issuer of the command. The command fails if you use this option and DFS authorization checking is not disabled on the machine specified by -server; that is, the option can be used only to enable authorization checking on a machine where it is currently disabled. If you use this option, do not use the -localauth option.

-localauth
Directs bos to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to work. If you use this option, do not use the -noauth option.

-help
Prints the online help for this command. All other valid options specified with this option are ignored.

Description
The bos setauth command enables or disables DFS authorization checking on the server machine specified by the -server option. If DFS authorization checking is enabled on a server machine, all DFS server processes running on the machine check that the issuer of a command is correctly authorized (is included in the necessary administrative lists) to execute the command. If DFS authorization checking is disabled on a server machine, the DFS server processes on the machine perform any action for any user, even the unprivileged user nobody.

By default, DFS authorization checking is enabled on every server machine. Disabling it on a server machine is a serious security risk. It is typically disabled for the briefest possible time and only in the following situations:

· During initial DFS installation

· If the Security Service is unavailable

· During server encryption key emergencies

· To view the actual keys stored in a keytab file

To indicate to all DFS server processes (including itself) that DFS authorization checking is disabled on a server machine, the BOS Server creates the zero-length file dcelocal/var/dfs/NoAuth on the local disk of the machine. All DFS server processes, including the BOS Server, check for the presence of this file when they are requested to perform an operation; they do not check for the necessary administrative privilege for a requested operation when the file is present. To indicate that DFS authorization checking is enabled, the BOS Server removes the file.

Enter this command with the -authchecking option and an argument of off to disable DFS authorization checking on a server machine. (DFS authorization checking can also be disabled by including the -noauth option with the bosserver command used to start the BOS Server.) Issue the command with the -authchecking option and an argument of on to enable DFS authorization checking on a server machine. It is not necessary to restart currently running server processes when you change the state of DFS authorization checking; server processes immediately obey the current state of DFS authorization checking and act accordingly.

The bos status command can be used to determine whether DFS authorization checking is enabled or disabled on a server machine. The command displays the following message if DFS authorization checking is disabled on a machine. (It does not display the message if DFS authorization checking is enabled.)

Bosserver reports machine is not checking authorization.
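The two indicators described above (the zero-length dcelocal/var/dfs/NoAuth file and the bos status message) are what an administrator auditing a server checks for. The following POSIX shell helper is an added example and is not part of the DCE DFS reference page or of the bos command suite; it assumes the site's dcelocal prefix is passed in as an argument and that bos status output is fed to it on standard input. The demonstration at the end uses a constructed temporary tree and constructed status text rather than a live BOS Server.

```shell
#!/bin/sh
# Added example (not from the DCE DFS reference page): audit helpers that
# report whether DFS authorization checking appears to be disabled, using
# the two indicators the page describes:
#   1. the zero-length file dcelocal/var/dfs/NoAuth on the server's local disk
#   2. the "not checking authorization" line printed by `bos status`
# The dcelocal prefix is site-specific and is passed as the first argument.

# True (exit 0) if $1/var/dfs/NoAuth exists, i.e. authorization checking is off.
noauth_file_present() {
    [ -e "$1/var/dfs/NoAuth" ]
}

# Print "disabled" or "enabled" for the dcelocal tree given as $1.
# bos setauth always creates NoAuth as a zero-length file, so a non-empty
# NoAuth suggests it was created by hand; warn on stderr in that case.
auth_state_from_file() {
    f="$1/var/dfs/NoAuth"
    if [ -e "$f" ]; then
        if [ -s "$f" ]; then
            echo "warning: $f is not zero-length; not created by bos setauth?" >&2
        fi
        echo disabled
    else
        echo enabled
    fi
}

# Read `bos status` output on stdin and print "disabled" if the page's
# diagnostic line is present, "enabled" otherwise.
auth_state_from_bos_status() {
    if grep -q 'Bosserver reports machine is not checking authorization'; then
        echo disabled
    else
        echo enabled
    fi
}

# Demonstration on a constructed dcelocal tree (no real DFS server needed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/var/dfs"
    echo "fresh tree:          $(auth_state_from_file "$tmp")"   # enabled
    : > "$tmp/var/dfs/NoAuth"          # what `bos setauth ... -authchecking off` leaves behind
    echo "after NoAuth created: $(auth_state_from_file "$tmp")"  # disabled
    rm -rf "$tmp"
    # Constructed bos status output containing the page's message.
    printf 'Bosserver reports machine is not checking authorization.\n' \
        | auth_state_from_bos_status                               # disabled
}

demo
```

Run the script directly to see the demonstration; in practice you would call auth_state_from_file on each server's dcelocal tree from a local root shell, and pipe real bos status output into auth_state_from_bos_status from any machine that can reach the BOS Server.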

The -noauth option available with many bos and fts commands is used when authentication information is unnecessary or unavailable. Use the -noauth option if DFS authorization checking is disabled on a server machine on which administrative privilege is required or if the Security Service is unavailable.

Privilege Required
The issuer must be listed in the admin.bos file on the machine specified by -server to disable DFS authorization checking on that machine. (No privilege is required to enable DFS authorization checking if it is currently disabled.)

Cautions
Always use the bos setauth command to create the dcelocal/var/dfs/NoAuth file. Do not create the file directly except when explicitly told to do so by instructions for dealing with emergencies (such as emergencies involving server encryption keys). Creating the file directly requires logging into the local operating system of a machine as root and using the touch command (or its equivalent).

Examples
The following command disables DFS authorization checking for all DFS server processes on the server machine named fs7:

$ bos seta /.../abc.com/hosts/fs7 off

Related Information
Commands: bos status(8dfs)

bosserver(8dfs)

Files: NoAuth(4dfs)