If you configured your Gateway Server machines so that users can issue the dfs_login command to authenticate to DCE, perform the steps in this section to configure your NFS clients. The steps enable both DFS access and DCE authentication from an NFS client. Users can authenticate via either the dfsgw add command or the dfs_login command.
To provide users of an NFS client with access to both DFS and the dfs_login command, perform the following steps on the client:
1. If you have not already done so, perform all of the steps in Configuring a Client Without Enabling Remote Authentication to mount /... on the machine.
2. If you have not already done so, log in as the local root user on the machine.
3. Install the binary files for the dfs_login and dfs_logout commands in the directory /usr/bin on the machine. These commands provide the following functionality:
dfs_login
Allows users of the NFS client to establish an authenticated session by obtaining DCE credentials on a Gateway Server machine. (See Authenticating to DCE from an NFS Client for information about using this command.)
dfs_logout
Allows users on the NFS client to end an authenticated session established with the dfs_login command. (See Authenticating to DCE from an NFS Client for information about using this command.)
The dfs_login and dfs_logout commands use version 5 of Kerberos to communicate with the DCE Security Service.
4. Create the Kerberos configuration file named /krb5/krb.conf. The dfs_login command reads this file to determine the name of a DCE Security Server that it can contact. This file must be identical to the /krb5/krb.conf file on machines in the host DCE cell; copy it from a machine in the DCE cell.
5. Create the Kerberos configuration file named /krb5/krb.realms. The Kerberos runtime uses the information in this file to translate Internet domains to the corresponding Kerberos realms. In the file, the Kerberos realm has the same name as the DCE cell. Each line of the file must have the following format:
domain krb-realm
where domain is the name of the local Internet domain, and krb-realm is the name of the Kerberos realm (the name of the DCE cell to be accessed). For example, in the following krb.realms file, def.com is the name of the Internet domain, and abc.com is the name of the DCE cell. If machines from multiple domains are to contact the DCE cell, you need a separate line for each domain. Note that realm names are case-sensitive.
.DEF.COM abc.com
6. If you use the /etc/services file in your environment, add the following entry for the dfsgw service to the /etc/services file on the machine:
dfsgw 438/udp dlog
where dfsgw is the name of the service, 438 is the port at which the service receives RPCs, udp is the protocol the service uses to communicate, and dlog is an alias for the dfsgw service.
If you use an NIS services map in your environment, you added an entry to the services map file when you configured the first Gateway Server process. You do not need to add the entry to the services map when you configure NFS clients.
The NFS client is now configured to provide access to DFS and to allow users of the client to authenticate to DCE with the dfs_login command. Repeat these steps on each NFS client to be configured in this manner.
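The following script is an added example, not part of the original documentation. It checks the results of steps 3 through 6 on a client, including the case-sensitive match between the realm in /krb5/krb.realms and the DCE cell name. The function names, their arguments and the optional ROOT prefix are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original documentation. Paths are the ones
# named in steps 3-6; function names and arguments are assumptions.

# check_realms FILE CELL: each non-blank line must be "domain krb-realm" and
# krb-realm must match CELL exactly, because realm names are case-sensitive.
check_realms() {
    awk -v cell="$2" '
        /^[ \t]*$/ { next }
        NF != 2    { printf "line %d: want \"domain krb-realm\"\n", NR; bad = 1; next }
        $2 != cell { why = (tolower($2) == tolower(cell)) ? "case differs" : "wrong realm"
                     printf "line %d: %s (%s vs %s)\n", NR, why, $2, cell; bad = 1; next }
                   { ok = 1 }
        END        { exit ((bad || !ok) ? 1 : 0) }
    ' "$1"
}

# check_services FILE: look for the step 6 entry, ignoring "#" comments.
check_services() {
    awk '{ sub(/#.*/, "") }
         $1 == "dfsgw" && $2 == "438/udp" { found = 1 }
         END { exit (found ? 0 : 1) }' "$1"
}

# check_client CELL [ROOT]: run every check; ROOT lets you test a staged tree.
# Skip the services result if your site uses an NIS services map instead.
check_client() {
    cell=$1 root=${2:-} rc=0
    for cmd in dfs_login dfs_logout; do
        [ -x "$root/usr/bin/$cmd" ] || { echo "missing $root/usr/bin/$cmd"; rc=1; }
    done
    [ -s "$root/krb5/krb.conf" ] || { echo "missing or empty $root/krb5/krb.conf"; rc=1; }
    check_realms "$root/krb5/krb.realms" "$cell" || rc=1
    check_services "$root/etc/services" || { echo "no dfsgw 438/udp entry"; rc=1; }
    return $rc
}
```

Source the file and run check_client with the cell name (abc.com in the example above); a nonzero return status means at least one item needs attention.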