Sets advisory DCE remote procedure call (RPC) authentication levels for a specified fileset.
Synopsis
fts setprotectlevels -fileset {name|ID} [-minlocalprotectlevel level] [-maxlocalprotectlevel level]
[-minremoteprotectlevel level] [-maxremoteprotectlevel level] [-cell cellname] [-verbose] [-noauth |
-localauth] [-help]
Options
-fileset {name|ID}
Specifies a fileset either by its name or its fileset ID number.
-minlocalprotectlevel level
Specifies the advisory lower bound DCE RPC authentication level for the specified fileset (used by DFS client Cache Managers within the same
cell). The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the
various DCE RPC levels, see the Description topic.
-maxlocalprotectlevel level
Specifies the advisory upper bound DCE RPC authentication level for the specified fileset (used by DFS client Cache Managers within the same
cell). The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the
various DCE RPC levels, see the Description topic.
-minremoteprotectlevel level
Specifies the advisory lower bound DCE RPC authentication level for the specified fileset (used by DFS client Cache Managers within foreign
cells). The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the
various DCE RPC levels, see the Description topic.
-maxremoteprotectlevel level
Specifies the advisory upper bound DCE RPC authentication level for the specified fileset (used by DFS client Cache Managers within foreign
cells). The level is set either as an integer value between 0 and 6, the complete string defining the authentication level, or an abbreviation of that string. For a description of the
various DCE RPC levels, see the Description topic.
-cell cellname
Specifies the cell as cellname within which the specified fileset resides.
-noauth
Directs fts to use the unprivileged identity nobody as the identity of the issuer of the command. If you use this option, do not use the
-localauth option.
-localauth
Directs fts to use the DFS server principal name of the machine on which the command is issued as the identity of the issuer. Use this option only if the
command is issued from a DFS server machine (a machine that has a DFS server principal in the local Registry Database). You must be logged into the server machine as root for this option to
work. If you use this option, do not use the -noauth option.
-verbose
Directs fts to provide detailed information about its actions as it executes the command.
-help
Prints the online help for this command. All other valid options specified with this option are ignored.
Description
The fts setprotectlevels command adjusts the minimum and maximum advisory DCE RPC authentication level bounds for a specified fileset. These bounds are used to bias a Cache Manager toward a higher or lower security level when accessing the specified fileset. The bounds are only advisory: if the Cache Manager's own security level settings lie outside the advisory bounds, the Cache Manager can cross the advisory bounds and continue negotiating with a File Server. In that case the Cache Manager's minimum security level (set with the dfsd or cm setprotectlevels command) and the File Server's maximum security bound (set with the fxd command) become the "hard" limits. Note that if the fts setprotectlevels bounds fall outside the File Server bounds, the File Server bounds take precedence.
In practice, when a Cache Manager must access a given fileset it first consults a Fileset Location (FL) Server for the location of that fileset (or of any replicas, if it is a replicated read-only fileset). Along with the location, the Cache Manager also receives the applicable minimum and maximum advisory bounds for that fileset. The Cache Manager then compares its initial authentication level to the range defined by the bounds and adjusts the initial level as follows:
· If the Cache Manager's initial authentication level is within the range defined by the advisory bounds, the initial level is used without adjustment.
· If the Cache Manager's initial authentication level is above the maximum advisory bound, the Cache Manager adjusts the initial level to match the advisory upper bound. However, the Cache Manager will not adjust its authentication level below its own minimum setting.
· If the Cache Manager's initial authentication level is below the minimum advisory bound, the Cache Manager adjusts the initial level to match the advisory lower bound.
The negotiation process to set an RPC authentication level now occurs as usual between the Cache Manager and File Server. The Cache Manager sends an RPC using the initial authentication level (which may have been adjusted because of the advisory bounds) to the File Server. If the initial authentication level is outside the minimum or maximum bounds set at the File Server, the File Server returns a response to the Cache Manager specifying that the authentication level is either too low or too high. The Cache Manager then decreases or increases its authentication level accordingly and retries the RPC. This process continues until the Cache Manager either adjusts its RPCs to an acceptable security level or the File Server requests a security level below the minimum set at the Cache Manager (causing the Cache Manager to refuse communications with the File Server). Once the Cache Manager and File Server have negotiated a security level, the Cache Manager stores this information so that it does not need to renegotiate this level for further communications with the File Server.
Note that the use of this command does not preclude communication with Cache Managers running earlier versions of DCE.
The various authentication levels are set by specifying either an integer value between 0 and 6, a complete string specifying the authentication level, or an abbreviation of that string as the level argument for the various command options. The following lists the various authentication levels:
· 0 or default or rpc_protect_level_default
Use the DCE default authentication level.
· 1 or none or rpc_protect_level_none
Perform no authentication.
· 2 or connect or rpc_protect_level_connect
Authenticate only when the Cache Manager establishes a connection with the File Server.
· 3 or call or rpc_protect_level_call
Authenticate only at the beginning of each RPC received.
· 4 or pkt or rpc_protect_level_pkt
Ensure that all data received is from the expected host.
· 5 or pkt_integrity or rpc_protect_level_pkt_integrity
Authenticate and verify that none of the data transferred has been modified.
· 6 or pkt_privacy or rpc_protect_level_pkt_privacy
Perform authentication as specified by all of the previous levels and also encrypt each RPC argument value.
Note that there is a trade-off between selecting higher security and performance. The higher levels of security require more overhead and increase the response time in file operations with File Servers.
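The following Python model, added here as an illustration and not part of DFS or of the fts command, shows the two steps described above: the advisory-bound adjustment the Cache Manager makes after consulting the FL Server, and the subsequent too-low/too-high negotiation against the File Server's hard bounds, including the refusal case when the File Server asks for a level below the Cache Manager's own minimum. It also resolves a level argument in the three forms the options accept (integer, full string, abbreviation). The function names, the step-by-one retry, and the sample bounds are this example's own assumptions; the page says only that the Cache Manager "decreases or increases its authentication level accordingly" and retries.

```python
"""Constructed model of the advisory-bound adjustment and the Cache Manager /
File Server authentication-level negotiation described on this page.
Not DFS source code; names and the step-by-one retry are assumptions."""

# Levels 0..6 in the order the page lists them.
LEVELS = ["default", "none", "connect", "call", "pkt", "pkt_integrity", "pkt_privacy"]
PREFIX = "rpc_protect_level_"


def parse_level(arg):
    """Resolve a level argument as an integer 0-6, a full level string
    (with or without the rpc_protect_level_ prefix), or an unambiguous
    abbreviation.  An exact name wins over prefix matches, so "pkt" is
    level 4 even though it also prefixes pkt_integrity and pkt_privacy."""
    s = str(arg).strip().lower()
    if s.isdigit():
        n = int(s)
        if 0 <= n <= 6:
            return n
        raise ValueError("level must be between 0 and 6: %r" % arg)
    if s.startswith(PREFIX):
        s = s[len(PREFIX):]
    if s in LEVELS:
        return LEVELS.index(s)
    matches = [i for i, name in enumerate(LEVELS) if s and name.startswith(s)]
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError("unknown level %r" % arg)
    raise ValueError("ambiguous abbreviation %r: %s" % (arg, [LEVELS[i] for i in matches]))


def apply_advisory(cm_initial, cm_min, adv_min, adv_max):
    """Step 1: bias the Cache Manager's initial level into the advisory
    range received from the FL Server, but never below its own minimum."""
    if adv_min <= cm_initial <= adv_max:
        return cm_initial
    if cm_initial > adv_max:
        return max(adv_max, cm_min)   # lowered, but not below the CM's hard minimum
    return adv_min                    # raised to the advisory lower bound


def negotiate(cm_initial, cm_min, adv_min, adv_max, fs_min, fs_max):
    """Step 2: send RPCs at the adjusted level and follow the File Server's
    too-low / too-high replies one step at a time (assumed retry policy).
    Returns (final_level, transcript); final_level is None when the File
    Server's demand would drop below the Cache Manager's minimum."""
    if fs_min > fs_max:
        raise ValueError("File Server bounds are inverted")
    level = apply_advisory(cm_initial, cm_min, adv_min, adv_max)
    transcript = ["CM initial %s, advisory-adjusted to %s" % (LEVELS[cm_initial], LEVELS[level])]
    while True:
        if level < fs_min:
            transcript.append("FS: %s too low" % LEVELS[level])
            level += 1
        elif level > fs_max:
            transcript.append("FS: %s too high" % LEVELS[level])
            if level - 1 < cm_min:
                transcript.append("CM: would fall below own minimum %s, refusing" % LEVELS[cm_min])
                return None, transcript
            level -= 1
        else:
            transcript.append("FS: %s accepted; CM caches it for later RPCs" % LEVELS[level])
            return level, transcript


if __name__ == "__main__":
    # Constructed scenario using the page's example bounds for the local
    # cell (min pkt, max pkt_integrity) against an assumed File Server
    # configured for connect..pkt.  The File Server bounds win.
    final, log = negotiate(parse_level("pkt_privacy"), parse_level("connect"),
                           parse_level("4"), parse_level("pkt_int"),
                           parse_level("connect"), parse_level("pkt"))
    print("\n".join(log))
```

The first scenario in the `__main__` block reproduces the precedence rule stated above: the advisory range asks for pkt..pkt_integrity, the File Server only allows up to pkt, and the Cache Manager settles at pkt. Raising the Cache Manager's own minimum to pkt_integrity in the same scenario makes it refuse instead.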
Privilege Required
The issuer must have FLDB administration privileges or must be in the owner group for the File Server.
Examples
The following command sets the following authentication values:
· The maximum advisory authentication level for communication with Cache Managers in the local cell is set to packet integrity.
· The minimum advisory authentication level for communication with Cache Managers in the local cell is set to packet.
· The maximum advisory authentication level for communication with Cache Managers in foreign cells is set to packet privacy.
· The minimum advisory authentication level for communication with Cache Managers in foreign cells is set to packet privacy.
$ fts setprotectlevels -fileset richland.12 -maxlocalprotectlevel 5 -minlocalprotectlevel 4 -maxremoteprotectlevel 6 -minremoteprotectlevel 6
Related Information
Commands: