Authenticating to DCE from an NFS Client

The dfs_login command authenticates a user to DCE from an NFS client. The command contacts the DCE Security Service to obtain a TGT and a service ticket for the Gateway Server (dfsgwd) process for the user. It encrypts the user's TGT with the service ticket and sends these to the Gateway Server process. It also sends the UID of the user who issues the command and the network address of the NFS client from which the command is issued. The Gateway Server process uses this information to create a valid login context, including a PAG, and an entry in the authentication table for the user.

The syntax of the dfs_login command follows:

dfs_login [-h hostname] [-l hh[:mm]] [dce_principal] [dce_password]

The command includes the following options and arguments:

-h hostname
Specifies the hostname of the Gateway Server machine. By default, the command uses the hostname of the machine that exports /... to the NFS client. Use this option to contact a different Gateway Server.

-l hours[:minutes]
Specifies the lifetime to be assigned to the service ticket obtained with the command. Enter the lifetime as a number of hours and, optionally, minutes. A value specified with this option is subject to the policies in effect in the registry database of the DCE cell. By default, the ticket is assigned the default lifetime assigned to tickets in the DCE cell.

dce_principal
Specifies the DCE principal name of the user who is to be logged into DCE. By default, the command uses the name of the issuer of the command.

dce_password
Provides the DCE password of the specified user. If you do not specify a password, the command prompts for one if any of the following is true: you name a user other than yourself; you name yourself and you do not already have a valid TGT; or you do not name a user and you do not already have a valid TGT. The command does not prompt for a password if you do not name a different user and you already have a valid TGT. Omitting this argument and letting the command prompt keeps the password out of the shell history and the process listing on the NFS client.

For example, the user named ludwig issues the following dfs_login command to authenticate to DCE from an NFS client:

$ dfs_login

Password for ludwig@abc.com: password

where password is the DCE password of the user ludwig. In the example, the user ludwig does not already have a valid TGT, so the command prompts for the user's password and obtains a TGT for the user. If the login succeeds, the dfs_login command returns no messages.

To end the authenticated session before the DCE credentials expire, issue the dfs_logout command from the NFS client. The command removes the user's entry from the authentication table on the Gateway Server machine. The command can be issued either by the user whose entry is to be removed from the authentication table or by a user who is logged into the NFS client as the local root user. The command has no effect on authenticated access the user may have from other NFS clients.

The syntax of the dfs_logout command follows:

dfs_logout [-h hostname] [dce_principal]

The command includes the following option and argument:

-h hostname
Specifies the hostname of the Gateway Server machine. By default, the command uses the hostname of the machine that exports /... to the NFS client. Use this option to contact a different Gateway Server.

dce_principal
Specifies the DCE principal name of the user whose entry is to be removed from the authentication table. By default, the command deletes the entry for the user who issues the command.

For example, the following ends the authenticated session of the issuer of the command:

$ dfs_logout

See the reference pages for the dfs_login and dfs_logout commands for detailed information about the use and syntax of the commands.
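
The authentication-table behavior described above (an entry created by dfs_login from the UID and NFS client address, removed by dfs_logout only for the owner or the client's local root, with other clients unaffected) can be modeled as follows. This is an added illustration, not dfsgwd code: the AuthTable class, the (client address, UID) key, the integer PAG counter and the removal of expired entries at lookup time are assumptions.

```python
# Illustrative model only; not Gateway Server (dfsgwd) source code.
# Assumed: entries are keyed by (NFS client address, UID); PAGs are plain integers.
import itertools
import time


class AuthTable:
    """Toy model of the Gateway Server authentication table."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable so expiry can be tested
        self._entries = {}                       # (client_addr, uid) -> entry
        self._next_pag = itertools.count(1)      # stand-in for PAG allocation

    def login(self, client_addr, uid, principal, lifetime_s):
        """State left by a successful dfs_login: one entry per client and UID."""
        entry = {"principal": principal,
                 "pag": next(self._next_pag),
                 "expires": self._clock() + lifetime_s}
        self._entries[(client_addr, uid)] = entry
        return entry["pag"]

    def lookup(self, client_addr, uid):
        """Return the PAG for a request, or None if access is unauthenticated."""
        entry = self._entries.get((client_addr, uid))
        if entry is None:
            return None
        if self._clock() >= entry["expires"]:    # credentials have expired
            del self._entries[(client_addr, uid)]
            return None
        return entry["pag"]

    def logout(self, client_addr, issuer_uid, principal):
        """dfs_logout: only the entry's owner or root (UID 0) on that client may
        remove it; entries for the same principal on other clients are kept."""
        for (addr, uid), entry in list(self._entries.items()):
            if addr == client_addr and entry["principal"] == principal:
                if issuer_uid not in (uid, 0):
                    raise PermissionError("issuer is neither the user nor root")
                del self._entries[(addr, uid)]
                return True
        return False                             # no such entry on this client
```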