DCE Installation and Configuration Guide v4.2
3 Configuring DCE
3.1 Overview of New Cell Configuration
The following steps explain how to create a cell and configure the Security server and CDS server on the same system.
-
To begin your initial cell creation and server configuration, log in as root and invoke dcesetup (/usr/sbin/dcesetup). If you are not logged in as root, the dcesetup utility can perform only the Show and Version choices. The dcesetup utility displays the following menu:
*** DCE Setup Main Menu ***
Version V4.0 (Rev. 635)
1) Configure   Configure DCE services on this system
2) Show        Show DCE configuration and active daemons
3) Stop        Terminate all active DCE daemons
4) Start       Start all DCE daemons
5) Restart     Terminate and restart all DCE daemons
6) Clean       Terminate all active DCE daemons and remove all temporary local DCE databases
7) Clobber     Terminate all active DCE daemons and remove all permanent local DCE databases
8) CVP         Run Configuration Verification Program
9) Version     Show DCE Version number
X) Exit
Please enter your selection:
NOTE:
For troubleshooting during configuration, open an additional window after you invoke dcesetup, and enter the following command:
# tail -f /opt/dcelocal/dcesetup.log
This window allows you to track the configuration procedure as it executes. The file dcesetup.log captures most configuration errors. If you are not logged in as root, the log file is named /tmp/dcesetup.username.log.
-
If you are creating a new cell or adding a CDS server, choose option 3 (Terminate all active DCE daemons) to stop the DCE daemons in a controlled manner. Be sure to back up your security and CDS databases before proceeding if this has not been done.
-
Choose option 1 from the DCE Setup Main Menu to configure DCE services on your system. You must have system privileges to modify the DCE system configuration.
The procedure displays the following menu:
*** Configuration Choice Menu ***
1) Configure this system as a DCE Client
2) Create a new DCE cell
3) Add Master CDS server
4) Configure DCE Distributed File Service (DFS)
5) Modify DCE Cell Configuration
6) Configure this system for RPC only
7) Configure DCE in TruCluster
R) Return to previous menu
Please enter your selection (or '?' for help):
-
Choose option 2 to create a new DCE cell.
-
At each prompt, you can press <Return> to take the default displayed in brackets or enter a question mark (?) for help. When prompted, select a cell name and hostname; the name is used again when you configure DCE client systems.
-
The configuration utility asks if you want to configure the host as a CDS server. Answer yes to configure the CDS and security servers on the same system. Answer no to perform a split server installation in which you configure the security server on the current host and the CDS server on a different host.
-
If you answered yes to configure the CDS and security servers on the same system, the utility asks:
Will there be any DCE pre-R1.1 CDS servers in this cell? (y/n/?) [n]:
If your cell will be running any CDS servers based on OSF DCE Release
1.0.3a or lower (equivalent to DCE for DIGITAL UNIX Version 1.3b or
lower), you should answer yes. The configuration utility sets the directory
version number to 3.0 for compatibility with pre-R1.1 servers. This setting
disables the use of OSF DCE Release 1.1 features such as cell aliasing,
CDS delegation ACLs, and so on.
If all CDS servers in your cell will be based on DCE for Tru64 UNIX
Version 2.0 (or higher) and based on OSF DCE Release 1.1 (or higher),
answer no.
The configuration utility sets the directory version number to 4.0 for
compatibility with DCE for Tru64 UNIX Version 2.0 (or higher) CDS
servers (OSF DCE Releases 1.1 and 1.2.2). This enables the use of OSF
DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and
so on, and OSF DCE Release 1.2.2 features. Once the directory version is
set to 4.0, you cannot set it back to 3.0.
-
You are prompted to confirm the system time; it is important that you check the current time before you respond.
-
If DECnet/OSI is installed on your system, the configuration utility displays the following message and then asks several questions about configuring a DCE Distributed Time Service server on your system.
You seem to have DECnet/OSI installed on this system. DECnet/OSI includes
a distributed time synchronization service (DECdts), which does not
currently support the DCE Distributed Time Service (DCE DTS)
functionality. The DCE DTS in this release provides full DECdts
functionality. This installation will stop DECdts and use DCE DTS
instead. For further clarification, please consult the DCE for Tru64 UNIX
Product Guide.
Even though DCE DTS will be used, it is possible to accept time from
DECdts servers.
Should this node accept time from DECdts servers? (y/n) [n]:
Do you want this system to be a DTS Server (y/n/?) [y]:
Do you want this system to be a DTS Global Server (y/n/?) [n]:
Does this cell use multiple LANs? (y/n/?) [n]:
Answer the questions appropriately.
-
The configuration utility asks whether you want to run this system as a PKSS server. Answering yes configures the system to run as a PKSS server.
Do you want this system to be a PKSS server (y/n/?) [y]
-
The dcesetup configuration utility asks whether you want to enable DCE SIA (Security Integration Architecture). The default answer is no. Answering yes configures security-sensitive commands such as login, su, telnet, ftp, and so on, to perform DCE authentication in addition to usual local security operations performed by these commands. For more information about DCE SIA, refer to the Gradient DCE for Tru64 UNIX Product Guide.
Do you want to enable DCE SIA? (y/n/?) [n]:
-
The configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A yes answer runs the Kerberos configuration utility and (optionally) installs the "Kerberized" versions of telnet, rsh, and rlogin on the system.
Do you intend to run MIT Kerberos 5 services on this machine? [y]
-
The configuration utility asks if you want to configure the LDAP name service on this system. A yes answer prompts the question, "Do you want to configure the system as an LDAP client?" and requires that you enter further information regarding LDAP services.
Do you want to configure the LDAP name service? (y/n/?) [n]
-
The configuration utility asks if you want to configure gdad to use LDAP. (gdad is the daemon for Global Directory Agent.)
Do you want to configure gdad to use LDAP? (y/n/?) [n]
-
Next, the screen displays your selections and asks whether to save them as your DCE system configuration. Answer yes.
-
After the gda daemon is started, you are prompted to run the DCE Configuration Verification Program (CVP). Press <Return> to start the CVP. After the procedure runs the CVP, the procedure automatically updates the system startup procedure so the daemons restart automatically whenever the system is rebooted.
-
To verify that all requested services are configured, choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu. The screen displays all configured DCE services and active DCE daemons.
You have completed creating a cell.
3.2 Configuring Your System as a DCE Client with Runtime Services
If you want to add your system to an existing cell:
-
Choose option 1 (Configure this system as a DCE Client) from the Configuration Choice Menu. This option configures the runtime services subset on your system.
NOTE:
During initial DCE client configuration, the client software may
have problems locating the Cell Directory Service server if the Internet
protocol netmask for your client machine is not consistent with the
netmask used by other machines operating on the same LAN segment. You
might need to consult with your network administrator to determine the
correct value to use as a netmask on your network.
When you choose option 1, the procedure displays the following
messages:
At each prompt, enter <RETURN> to take the default displayed in [braces]
or enter '?' for help.
Press <RETURN> to continue:
Shutting down DCE services
DCE services stopped
Removing temporary local DCE databases and configuration files
Removing permanent local DCE databases and configuration files
Starting client configuration
Initializing dced (dced)...
Starting dced (dced)...
The configuration utility asks whether to search the LAN for known cells
within broadcast range of your system.
Would you like to search the LAN for known cells? (y/n) [y] :
-
If you know the name of your DCE cell, answer no. As prompted, supply the name of your DCE cell, your DCE hostname, and the hostname of your cell's master CDS server. You also need to specify whether your host can broadcast to the host where the master CDS server is installed.
Answer yes to see a list of available DCE cells. As prompted, supply your
DCE hostname. At the next prompt, supply the appropriate DCE cell name
from the list.
Gathering list of currently accessible cells
Please enter your DCE hostname [dcehost]:
The following cells were discovered within broadcast range of this
system:
buster_cell
kauai_cell
myhost_cell
tahoe_cell
Please enter the name of your DCE cell
(or '?' for help) [buster_cell]: myhost_cell
If you do not know the name of the cell you wish to join, consult your
network administrator. Do not add the /.../ prefix to the cell name; the
procedure automatically adds it.
The prompt might contain a cell name which is the last configured cell
name for this host or the first cell name from the alphabetical list of
available cells. If you enter a cell name that is not on the list of cell names,
the procedure assumes you are performing a WAN configuration, and asks
you to enter the hostname of the master CDS server for your cell.
After you enter your cell name, the procedure continues, displaying
information similar to the following, but dependent upon your
configuration:
Stopping dced...
Initializing dced (dced)...
Starting dced (dced)...
Starting CDS advertiser daemon (cdsadv)...
Testing access to CDS clerk (please wait).....
Attempting to locate security server
Found security server
Creating /opt/dcelocal/etc/security/pe_site file
Checking local system time
Looking for DTS servers in this LAN
Found DTS server
The local system time is: Wed Mar 11 12:01:14 1998
Is this time correct? (y/n):
-
Make sure you check that the correct time is displayed before you continue with the configuration.
-
If the time is incorrect, specify no, and the procedure exits to the operating system to allow you to reset the system time. After you correct or verify the time, specify yes, and the procedure resumes.
If DECnet/OSI is installed on your system, the configuration utility
displays the following message and then asks several questions about
configuring a DCE Distributed Time Service server on your system.
You seem to have DECnet/OSI installed on this system. DECnet/OSI includes
a distributed time synchronization service (DECdts), which does not
currently support the DCE Distributed Time Service (DCE DTS)
functionality. The DCE DTS in this release provides full DECdts
functionality. This installation will stop DECdts and use DCE DTS
instead. For further clarification, please consult the DCE for Tru64 UNIX
Product Guide.
Even though DCE DTS will be used, it is possible to accept time from
DECdts servers.
Should this node accept time from DECdts servers? (y/n) [n]:
-
Specify yes to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you specify no, this system accepts time only from DCE time servers.
If DECnet/OSI is not installed on your system, the configuration utility omits the previous DECdts questions and instead asks:
Do you need the Distributed Time Service (y/n/?) [y]:
-
Answer yes to configure the host as a DTS client.
-
If you want to use DCE Security Integration Architecture (SIA), specify yes to the following:
Do you want to enable DCE SIA? (y/n/?) [n]:
After you respond to the prompt, the procedure stops the CDS advertiser
and asks you to perform a dce_login operation, as follows:
Stopping dcesetup...
This operation requires that you be authenticated as a member of the
sec-admin group. Please login.
Enter Principal Name: cell_admin
Password:
Obtain the password from your system administrator. After you perform
the dce_login operation, the procedure begins configuring the security
client software. If this system was previously configured as a DCE client
or your cell has another host with the same name, the configuration utility
also displays a list of client principals that already exist for this system and
asks whether to delete the principals.
-
You must delete these principals to continue with the configuration.
Configuring security client
Creating /krb5/krb.conf file
Adding kerberos5 entry to /etc/services
The following principal(s) already exist under /hosts/dcehost/:
hosts/dcehost/self
Do you wish to delete these principals? (y/n/?) [y]:
Deleting client principals
Creating ktab entry for client
Stopping dced...
Initializing dced (dced)...
Starting dced (dced)...
Starting sec_client service (please wait).
This machine is now a security client.
-
If your cell uses multiple LANs, you are prompted with the next question:
Please enter the name of your LAN (or '?' for help) []:
If your LAN has not been defined in the namespace, you are asked
whether you want to define it.
-
The configuration utility asks whether you want to configure gdad to connect to LDAP.
Do you want to configure gdad to use LDAP? (y/n/?) [n]:
-
The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:
Configuring CDS client
Creating the cds.conf file
Starting CDS advertiser daemon (cdsadv)...
Testing access to CDS server (please wait).
Deleting known hosts/dcehost objects from name space
Creating hosts/dcehost objects in name space
This machine is now a CDS client.
Stopping sec_client service...
Starting sec_client service (please wait).
Modifying acls on /.:/hosts/dcehost/config
secval
xattrschema
srvrexec
keytab
keytab/self
hostdata
hostdata/dce_cf.db
hostdata/cell_name
hostdata/pe_site
hostdata/cds_attributes
hostdata/cds_globalnames
hostdata/host_name
hostdata/cell_aliases
hostdata/post_processors
hostdata/svc_routing
hostdata/cds.conf
hostdata/passwd_override
hostdata/group_override
hostdata/krb.conf
srvrconf
Configuring DTS daemon as client (dtsd)
Starting DTS daemon (dtsd)...
Waiting for DTS daemon to synchronize (please wait)
This machine is now a DTS clerk.
Configuring Kerberos and telnetd
Enabling DCE SIA....
Do you want to run the DCE Configuration Verification Program? (y/n) [y]:
The DCE Configuration Verification Program (CVP) exercises the
components of DCE that are running in this cell. It requires approximately
1 to 2 minutes to run.
If you type yes to run the CVP at this time, you see the following display:
Executing DIGITAL DCE V4.0 (Rev. 635) for DIGITAL UNIX CVP (please wait)
Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.
Verifying...........
DIGITAL DCE V4.0 (Rev. 635) for DIGITAL UNIX CVP completed successfully
Modifying system startup procedure...
The DCE components that you have configured are added to your system
startup procedure so the daemons restart automatically whenever the
system is rebooted. When the procedure is completed, the DCE Setup
Main Menu appears again.
If the client system and a CDS server are on the same subnet, the client can
automatically locate the CDS server. In this case, the client configuration
is complete.
However, if the client system does not share a subnet with a CDS server,
you must manually enter a CDS server's location information into the
client's CDS cache.
-
Press X to exit dcesetup.
-
Then enter CDS server location information into the client's CDS cache.
# dcecp -c cdscache create <name> -binding <protseq>:<ip_addr>
where
<name> is the simple name of the cached server machine.
<protseq> is a CDS server's protocol sequence.
<ip_addr> is the Internet Protocol address of <name>.
For example:
# dcecp -c cdscache create pelican \
-binding ncacn_ip_tcp:16.20.15.25
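The following shell script is an added example; it is not part of the guide or of the dcesetup utility. It validates the three pieces of the cdscache create command (server name, protocol sequence, dotted-quad address) before handing them to dcecp, so that a typo in a hand-entered binding is rejected rather than written into the client's CDS cache. The set of accepted protocol sequences (ncacn_ip_tcp and ncadg_ip_udp) is the script's own assumption, and cdscache_add with DRY_RUN set only prints the command it would run.

```shell
#!/bin/sh
# Added example (not from the DCE guide): build and sanity-check the
# "dcecp -c cdscache create" command before running it on a client that
# cannot reach a CDS server by broadcast.  Validates the protocol sequence
# and the dotted-quad IP address so a typo does not land in the CDS cache.
# Assumption: only the two common DCE RPC protocol sequences are accepted.

# Return 0 if $1 is a protocol sequence this script accepts.
valid_protseq() {
    case "$1" in
        ncacn_ip_tcp|ncadg_ip_udp) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is a well-formed IPv4 dotted quad (four octets, each 0-255).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the dcecp command for caching server $1 at $2:$3, or fail with a
# message on stderr if any argument is malformed.
cdscache_cmd() {
    name=$1; protseq=$2; ip=$3
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "bad server name: '$name'" >&2; return 1 ;;
    esac
    valid_protseq "$protseq" || { echo "bad protocol sequence: '$protseq'" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IP address: '$ip'" >&2; return 1; }
    printf 'dcecp -c cdscache create %s -binding %s:%s\n' "$name" "$protseq" "$ip"
}

# Run the command unless DRY_RUN is set.  Interactive use:
#   DRY_RUN=1 cdscache_add pelican ncacn_ip_tcp 16.20.15.25
cdscache_add() {
    cmd=$(cdscache_cmd "$@") || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: $cmd"
    else
        eval "$cmd"   # safe here: every token was validated above
    fi
}
```

Run it on the client after exiting dcesetup; with the guide's example arguments it produces exactly the command shown above.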
3.3 Configuring DCE Clients in a Cluster
The configuration script prompts you once, at the beginning, for the following items, and then reuses that information when it configures each member.
Before configuration, be ready to answer the following:
3.3.1 Configuring Time Services
Do not configure DTS in a cluster. TruClusters use the NTP time service to maintain clock synchronization between cluster members. Be sure the cluster and the DCE cell's DTS servers obtain time from the same NTP time source. Make sure that the clock reference for the cluster is within three minutes of the DCE cell clock time. This will prevent time related problems either during client configuration or operation.
3.3.2 Configuring Cluster Members
NOTE:
Before configuring a DCE client on Sierra Cluster 2.0, be sure to refer to section 9.4 of the Compaq AlphaServer SC 2.0 Installation Guide. Follow that guide to make sure the local /tmp directory is available before you start configuration.
-
Navigate to the Configure DCE in TruCluster Menu as in the first steps of Section 3.1. You must be logged in as root to configure your DCE system.
Invoke dcesetup:
# /usr/sbin/dcesetup
At the DCE Setup Main Menu, choose option 1:
Configure DCE services on this system
At the Configuration Choice Menu, choose option 7:
Configure DCE in TruCluster
At the Cluster Configuration Choice Menu, choose option 2:
1) Configure this member as a DCE Client
2) Configure all cluster members as DCE Clients
R) Return to previous menu
Please enter your selection (or `?' for help)
General directions follow. Have ready the answers to the four questions listed above. For information about determining these names, see your cell administrator or Chapter 2.1 on page 57.
At each prompt, enter <RETURN> to take the default displayed in [braces]
or enter `?' for help.
In the following example (which configures DCE only), where a default was overridden, the choice taken is shown to the right of the colon. Where the braces are empty, provide your answer and then press <RETURN>.
Press <RETURN> to continue:
Beginning of remote client configuration
-
Enter your decisions.
Please enter the name of your DCE cell [] : t40g_test_cell
What is the hostname of the Master CDS Server for this cell []: reeses
Do you want to enable DCE SIA? (y/n/?) [n]:
Do you intend to run MIT Kerberos 5 services on this machine [y] : n
Does this cell use multiple LANs? (y/n/?) [n]:
Do you want to configure this host as an LDAP client? (y/n/?) [n]:
Do you wish to overwrite existing DCE configurations on ALL cluster members? (y/n) [y]:
-
Enter your Principal Name and Password.
Remote configuration requires that you be authenticated as a member
of the sec-admin group. Please supply the principal and password.
Enter Principal Name: cell_admin
Password:
-
Choose to verify configuration after each client.
Do you want to run the DCE Configuration Verification Program after configuring each client? (y/n/?) [y]:
Configuration Options
Cell name: t40g_test_cell
CDS server machine: reeses
CDS server IP: 204.164.67.165
SIA: DISABLED
SIA forwarding: DISABLED
KRB services: DISABLED
Single LAN cell
LDAP client: DISABLED
Remote configuration overwrite: YES
Cell admin account: cell_admin
Cell admin password: -dce-
Run CVP after configuration: YES
Confirm the configuration choices (y/n) [y] : y
-
Confirm or reject the Configuration Options.
The configuration script (this example configures DCE only) reports its progress as follows:
Configuring Cluster Member: clu1
clu1:
clu1: Remote configuring machine into DCE cell: t40g_test_cell
clu1:
clu1: Cleaning up any old configuration information
clu1:
clu1:
clu1: Shutting down DCE services
clu1:
clu1: DCE services stopped
clu1:
clu1: Removing temporary local DCE databases and configuration files
clu1:
clu1: Removing permanent local DCE databases and configuration files
clu1:
clu1: Starting remote client configuration
clu1: Initializing dced (dced)...
clu1: Starting dced (dced)...
clu1: Configuring PKSS client...
clu1: Starting CDS advertiser daemon (cdsadv)...
clu1:
clu1: Attempting to locate security server
clu1: Found security server
clu1: Creating /opt/dcelocal/etc/security/pe_site file
clu1: Checking local system time
clu1: Looking for DTS servers in the LAN profile
clu1: Looking for Global DTS servers in this cell
clu1: No DTS servers found in cell
clu1: (If you have other LAN profiles, DTS servers may still be available)
clu1:
clu1:
clu1: Stopping cdsadv...
clu1:
clu1: Configuring security client
clu1: Creating /krb5/krb.conf file
clu1: Adding kerberos5 entry to /etc/services
clu1: Creating ktab entry for client
clu1:
clu1: Stopping dced...
clu1: Initializing dced (dced)...
clu1: Starting dced (dced)...
clu1: Starting sec_client service (please wait) .
clu1:
clu1: This machine is now a security client.
clu1:
clu1: Configuring CDS client
clu1: Creating the cds.conf file
clu1: Starting CDS advertiser daemon (cdsadv)...
clu1: Testing access to CDS server (please wait) .
clu1: Creating hosts/clu1 objects in name space
clu1:
clu1: This machine is now a CDS client.
clu1: Stopping sec_client service...
clu1: Starting sec_client service (please wait) .
clu1: Modifying acls on /.:/hosts/clu1/config
clu1: secval
clu1: xattrschema
clu1: srvrexec
clu1: keytab
clu1: keytab/self
clu1: hostdata
clu1: hostdata/dce_cf.db
clu1: hostdata/cell_name
clu1: hostdata/pe_site
clu1: hostdata/cds_attributes
clu1: hostdata/cds_globalnames
clu1: hostdata/host_name
clu1: hostdata/cell_aliases
clu1: hostdata/post_processors
clu1: hostdata/svc_routing
clu1: hostdata/krb.conf
clu1: hostdata/dfs-cache-info
clu1: hostdata/cds.conf
clu1: hostdata/passwd_override
clu1: hostdata/group_override
clu1: srvrconf
clu1:
clu1: Unconfiguring Kerberos...
clu1:
clu1: Executing Entegrity Gradient DCE V4.1 for Tru64 UNIX V5.1 (Rev. 1381) CVP (please wait)
clu1: Copyright (c) Entegrity Solutions, Inc. 2001. All Rights Reserved
clu1: Copyright (c) Digital Equipment Corporation. 1996. All Rights Reserved.
clu1:
clu1: Verifying...........
clu1:
clu1: Entegrity Gradient DCE V4.1 for Tru64 UNIX V5.1 (Rev. 1381) CVP completed successfully
clu1:
clu1: Modifying system startup procedure...
clu1:
clu1: Remote configuration completed
Press <RETURN> to continue:
-
Press <RETURN> to continue.
The DCE components that you have configured are added to each cluster member's system startup procedure so the daemons restart automatically whenever the cluster member is rebooted. After all of the cluster members are configured, the DCE Setup Main Menu appears again.
3.4 Split Server Configuration (Adding a Master CDS Server)
This section discusses a split server installation in which a new cell and the master security server are created on one system and the master CDS server is configured on another system. The master CDS server maintains the master replica of the cell root directory.
A split server configuration has four phases:
3.4.1 Creating a New Cell and Master Security Server
This is the first phase of a split server configuration. Begin this phase by creating the new cell on the machine where the master security server will reside.
-
Choose option 2 (Create a new DCE cell) from the Configuration Choice Menu. Answer the prompts appropriately for the cell name and hostname. Then answer no at the following prompt:
Do you wish to configure myhost as a CDS server? (y/n/?) [y]: n
-
Verify the system time at the following message and prompt:
*********************************************************
* If the system clocks on the machines running the      *
* security and CDS servers differ more than one or two  *
* minutes from other systems in the cell, configuration *
* anomalies can occur. Since this system's time will be *
* used as a reference, please make sure that the system *
* time is correct.                                      *
*********************************************************
System time for <myhost>: Wed Jun 12 13:39:24 EDT 1998
Is this correct? (y/n/?):
Make sure you validate the time before you specify yes. If the system time
is incorrect, answer no; the configuration procedure exits to the operating
system to allow you to correct the system time. You can then reconfigure.
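This shell script is an added example (not part of the guide or of dcesetup) that turns the one-or-two-minute rule in the message above, and the three-minute rule for a cluster's NTP reference in Section 3.3.1, into a check you can run before answering the time prompt. It assumes the reference host (for example the machine running the security server) is reachable with ssh and that date on both hosts accepts +%s; the timestamps used in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the DCE guide): a pre-flight clock-skew check for a
# host about to join a cell.  The guide warns that a skew of more than one or
# two minutes against the security/CDS servers (three minutes for a cluster's
# NTP reference) causes configuration anomalies, so measure it before dcesetup
# asks "Is this correct?".  Assumptions: the reference host is reachable over
# ssh and both hosts have a date(1) that understands +%s.

# Print the absolute difference in seconds between two epoch timestamps.
clock_skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then
        d=$(( 0 - d ))
    fi
    echo "$d"
}

# Return 0 if reference epoch $1 and local epoch $2 are within $3 seconds
# (default 60, the guide's one-minute rule of thumb); otherwise print why
# and return 1.
clock_skew_ok() {
    max=${3:-60}
    skew=$(clock_skew_seconds "$1" "$2")
    if [ "$skew" -gt "$max" ]; then
        echo "clock skew ${skew}s exceeds ${max}s; fix the time before configuring" >&2
        return 1
    fi
    echo "clock skew ${skew}s within ${max}s"
    return 0
}

# Compare this host's clock with the reference host's, taking the local
# reading at the midpoint of the ssh round trip to cancel network delay.
# Usage: remote_clock_check secserver [max_seconds]
remote_clock_check() {
    host=$1; max=${2:-60}
    t0=$(date +%s)
    remote=$(ssh "$host" date +%s) || { echo "cannot read time from $host" >&2; return 2; }
    t1=$(date +%s)
    local_mid=$(( (t0 + t1) / 2 ))
    clock_skew_ok "$remote" "$local_mid" "$max"
}

# Demo with constructed timestamps: a local clock 90 s ahead of the reference
# fails the one-minute check but passes the three-minute cluster check.
if [ "${1:-}" = "demo" ]; then
    clock_skew_ok 1000000000 1000000090 60    # returns 1
    clock_skew_ok 1000000000 1000000090 180   # returns 0
fi
```

For a cluster member, call remote_clock_check with the NTP reference host and 180 as the limit; for a host joining a cell, call it with the security server and the default 60.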
Do you need the Distributed Time Service? (y/n/?) [y]:
If you will be using any distributed applications that depend on
synchronized time, type yes or press <Return> to participate in the
Distributed Time Service (DTS).
The DECnet/OSI DECdts daemon (dtssd) and the DCE DTS daemon
(dtsd) are incompatible and cannot be used on the same host. If your
machine is running DECnet/OSI, the configuration procedure next
displays the following message:
You seem to have DECnet/OSI installed on this system. DECnet/OSI includes
a distributed time synchronization service (DECdts), which does not
currently support the DCE Distributed Time Service (DCE DTS)
functionality. The DCE DTS in this release provides full DECdts
functionality. This installation will stop DECdts and use DCE DTS
instead. For further clarification, please consult the DCE for Tru64 UNIX
Product Guide.
Even though DCE DTS will be used, it is possible to accept time from
DECdts servers.
Should this node accept time from DECdts servers? (y/n) [n]:
Specify yes to accept time from any DECdts server; however, time from
this source is unauthenticated. If you specify no, this system accepts time
only from DCE time servers.
Do you want this system to be a DTS Server (y/n/?) [y]:
Do you want this system to be a DTS Global Server (y/n/?) [n]:
If DECnet/OSI is not installed, this system must be configured as either a
DTS clerk or a DTS server. Briefly, there should be three DTS servers per
cell.
-
The configuration utility asks if you want to run this system as a PKSS server. Answering yes configures the system to run as a PKSS server.
Do you want this system to be a PKSS Server (y/n/?) [y]:
-
Next, the procedure asks whether to enable DCE Security Integration Architecture (SIA).
Do you want to enable DCE SIA? (y/n/?) [n]:
-
Next, the configuration utility asks if you want to run the MIT Kerberos 5 services on this machine. A yes answer will run the Kerberos config utility and (optionally) install the "Kerberized" version of telnet on the system.
Do you intend to run MIT Kerberos 5 services on this machine [y] :
-
The utility asks if you want to configure the LDAP name service on this system. A yes answer prompts you to confirm whether to configure the system as an LDAP client and to enter further information about the LDAP services you want.
Do you want to configure the LDAP name service? (y/n/?) [n]:
-
The configuration utility asks whether you want to configure gdad to use LDAP.
Do you want to configure gdad to use LDAP? (y/n/?) [n]:
After you respond to the last prompt, the following messages appear:
DCE Cellname: myhost_cell
DCE Hostname: myhost
Use myhost as a CDS Server? No
Use myhost as the Security Server? Yes
Use dhaka as a DTS Local Server? Yes
Use myhost as the PKSS Server? Yes
Enable Kerberos 5 services? Yes
Enable DCE SIA? No
Enable LDAP GDA? No
Configure myhost as an LDAP client? No
Do you want to save this as your DCE system configuration? (y/n/?) [y]:
-
Answer no to change your selections. Answer yes to accept your selections. The procedure configures myhost as a Security server and then prompts you to enter a keyseed value (enter several random keystrokes):
*********************************************************
* Starting the security server requires that you supply *
* a 'keyseed.' When asked for a 'keyseed,' type some    *
* random, alphanumeric keystrokes, followed by RETURN.  *
* (You won't be required to remember what you type.)    *
*********************************************************
Enter keyseed for initial database master key:
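As an added example that is not from the guide, the shell functions below generate a keyseed from /dev/urandom, so that the initial database master key is seeded from the kernel random source rather than from whatever the operator happens to type, and check that a candidate seed uses only the alphanumeric characters the prompt asks for. The 40-character default and the 20-character minimum are the script's own choices; the guide states no length.

```shell
#!/bin/sh
# Added example (not from the DCE guide): produce a keyseed for the
# "Enter keyseed for initial database master key:" prompt from /dev/urandom
# instead of from keyboard input, so the seed carries more entropy than a
# hand-typed string.  Assumptions: /dev/urandom exists, and the prompt
# accepts plain alphanumeric characters, as the guide says.

# Print $1 (default 40) random characters drawn only from [A-Za-z0-9].
gen_keyseed() {
    len=${1:-40}
    [ "$len" -gt 0 ] 2>/dev/null || { echo "length must be a positive number" >&2; return 1; }
    # tr drops every byte outside the allowed alphabet; LC_ALL=C keeps the
    # character ranges byte-oriented.  head stops the stream once it has
    # enough characters, which ends tr as well.
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$len"
    echo
}

# Return 0 if $1 is a keyseed this script would accept: non-empty, only
# [A-Za-z0-9], and at least $2 (default 20) characters long.
keyseed_ok() {
    seed=$1; min=${2:-20}
    case "$seed" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#seed}" -ge "$min" ]
}

# Interactive use: generate a seed, paste it at the dcesetup prompt, and
# discard it (the guide notes you will not need to remember it):
#   gen_keyseed 40
```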
-
You are prompted to enter and then confirm the cell_admin password. Remember this password.
Please type new password for cell_admin (or '?' for help):
Type again to confirm:
The procedure configures more services and then pauses for you to
configure the master CDS server on another system.
********************************************************************
This system has now been configured as a security server.
Since you chose not to configure this system as a CDS server, you
must now configure another system as the Master CDS Server for this
cell (Option 1 on the dcesetup Main Menu, Option 3 on the
Configuration Choice Menu.)
When the Master CDS server has been installed and configured, *
press the <RETURN> key to continue configuring this system. *
********************************************************************
-
Go to the machine where you will configure the master CDS server.
3.4.2 Creating a Master CDS Server on Another System
This is the second phase of a split server configuration. You must have created a new cell and begun configuring the security server on another machine.
-
Log on to the system on which you want to install the CDS master server, and choose option 3 (Add Master CDS Server) from the Configuration Choice Menu. The following messages appear:
*****************************************************************
* If the system clocks on the machines running the security     *
* and CDS servers differ more than one or two minutes from      *
* other systems in the cell, configuration anomalies can occur. *
* Since this system's time will be used as a reference, please  *
* make sure that the system time is correct.                    *
*****************************************************************
System time for cdshost.abc.dec.com: Wed Jun 12 13:52:28 EDT 1998
Is this correct? (y/n/?)
Verify the correct time before answering yes.
-
Answer the following prompts:
Please enter the name of your DCE cell []:
Please enter your DCE hostname [myhost2]:
The procedure asks:
Will there be any DCE pre-R1.1 CDS servers in this cell? (y/n/?) [n]:
If your cell will be running any CDS servers based on OSF DCE Release
1.0.3a or lower, you should answer yes. The configuration utility sets the
directory version number to 3.0 for compatibility with pre-R1.1 servers.
This disables the use of OSF DCE Release 1.1 features such as cell
aliasing, CDS delegation ACLs, and so on.
If all CDS servers in your cell will be based on DCE for Tru64 UNIX Version 2.0 or higher (or an equivalent DCE version based on OSF DCE Release 1.1), answer no. The configuration utility sets the directory version number to 4.0 for compatibility with DCE for Tru64 UNIX Version 2.0 or higher (OSF DCE Release 1.1) CDS servers. This enables the use of OSF DCE Release 1.1 features such as cell aliasing, CDS delegation ACLs, and so on. Once the directory version is set to 4.0, you cannot set it back to 3.0.
The procedure configures accordingly and prompts you to enter the
hostname of the security server that you just configured.
What is the hostname of the Security Server for this cell? []:
The procedure continues with the following messages:
Creating /opt/dcelocal/etc/security/pe_site file
*****************************************************
* Ensure the opt/dcelocal/etc/security/pe_site file *
* matches that on the server.                       *
*****************************************************
NOTE:
If the procedure cannot find the IP address for the host, you will be
prompted for the address. Usually, when the procedure cannot find the IP
address of the host, it indicates that you may have misspelled the name.
The procedure displays the following messages and asks you to perform a
dce_login operation.
Creating /krb5/krb.conf file
Adding kerberos5 entry to /etc/services
This operation requires that you be authenticated as a member
of the sec-admin group. Please login.
Enter Principal Name: cell_admin
Password:
The procedure continues, asking the same questions as when you configured the Security server.
Do you need the Distributed Time Service? (y/n/?) [y]:
If your machine is running DECnet/OSI, the configuration procedure next displays the following message:
You seem to have DECnet/OSI installed on this system. DECnet/OSI includes
a distributed time synchronization service (DECdts), which does not
currently support the DCE Distributed Time Service (DCE DTS)
functionality. The DCE DTS in this release provides full DECdts
functionality. This installation will stop DECdts and use DCE DTS
instead. For further clarification, please consult the DCE for Tru64 UNIX
Product Guide.
Even though DCE DTS will be used, it is possible to accept time from
DECdts servers.
Should this node accept time from DECdts servers? (y/n) [n]:
-
Specify yes to accept time from any DECnet/OSI DECdts server; however, time from this source is unauthenticated. If you specify no, this system accepts time only from DCE DTS servers.
-
The procedure next asks whether you want your system to be a DTS local server:
Do you want this system to be a DTS Local Server (y/n/?) [y]:
NOTE:
If you answer yes, this machine becomes a DTS local server; if you answer no, this machine does not become a DTS local server, and you should configure some other system as the DTS server. Entegrity recommends that you configure three DTS servers per cell.
-
The procedure next asks whether this cell uses multiple LANs:
Does this cell use multiple LANs? (y/n/?) [n]:
If your cell uses multiple LANs, you are prompted with the next question:
Please enter the name of your LAN (or '?' for help) []:
If your LAN has not been defined in the namespace, you are asked whether you want to define it.
The procedure configures the requested services, and then prompts you to complete the configuration of the security server on the other machine before continuing:
********************************************************************
* This system has now been configured as the Master CDS Server. *
* *
* Before continuing, complete the configuration of the Security *
* Server... *
********************************************************************
Press <RETURN> to continue:
-
Return to the system on which you configured the security server.
3.4.3 Completing the Security Server Configuration
This is the third phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. Now you will complete the security server configuration on the first machine.
-
Return to the system on which you configured the security server and press the <Return> key. The following prompt appears:
What is the hostname of the Master CDS Server for this cell [ ]:
-
Provide the hostname of the system you just configured as the master CDS server for this cell. After you enter the hostname of the master CDS server, the following prompt is displayed:
Can myhost broadcast to cds_master_server? (y/n/?) [y]:
If you respond n to this prompt, the procedure asks you to specify the IP address of the CDS server. You can find the IP address either by performing a grep operation for the hostname in the /etc/hosts file, or by performing an nslookup operation for the hostname. Once it has been determined that myhost can broadcast to cds_master_server, the procedure displays the following messages and asks whether you want to run the configuration verification program.
This operation requires that you be authenticated as a member
of the sec-admin group. Please login.
Enter Principal Name: cell_admin
Password:
Configuring CDS client
Creating the cds.conf file
Starting CDS advertiser daemon (cdsadv)...
Testing access to CDS server (please wait)....
Creating hosts/myhost objects in name space
Configuring DTS daemon as server (dtsd)
Stopping sec_client service...
Starting sec_client service (please wait).
Starting DTS daemon (dtsd)...
Waiting for DTS daemon to synchronize (please wait)
If you enabled DCE SIA, the procedure also displays the following message:
Enabling DCE SIA
The procedure asks whether you want to run the configuration verification program:
Do you want to run the DCE Configuration Verification Program? (y/n) [y]:
-
You can run the CVP now by answering yes, or you can run the CVP at a later time by answering no. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices.
-
Return to the host on which you are configuring the master CDS server and complete the installation.
3.4.4 Completing the CDS Master Server Configuration
This is the fourth and final phase of a split server configuration. You must have created a new cell and begun configuring the security server on one machine. Then you created a master CDS server on another machine. You completed the security server configuration on the first machine. Now you will complete the CDS master server configuration.
Completion of this phase consists of running the configuration verification program:
Do you want to run the DCE Configuration Verification Program? (y/n) [y]:
You can run the CVP now by answering yes, or you can run the CVP at a later time by answering no. The procedure completes the configuration and returns to the DCE Setup Main Menu. Choose option 2 (Show DCE configuration and active daemons) from the DCE Setup Main Menu to verify your configuration choices.
3.5 Using DCE SIA Security
The Tru64 UNIX operating system provides two local security mechanisms: Berkeley Standard Distribution (BSD) security and C2 class security. The default Tru64 UNIX configuration has BSD security enabled.
When you use dcesetup to enable or disable SIA, an SIA configuration file, /etc/sia/matrix.conf, selects the appropriate configured security mechanism. This configuration file contains entries for a set of siad routines. The operating system is provided with a default matrix.conf file that contains only BSD entries. Layered products that choose to use another security mechanism must modify this configuration file.
Depending on how matrix.conf is set up on the local system, the SIA layer calls the corresponding siad routines in each of the configured mechanisms in order. Therefore, the siad_ses_init routine from DCE is called before the routine from BSD if the matrix.conf file includes the following line:
siad_ses_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)
3.5.1 Turning On DCE SIA
During the initial installation and configuration, you will be asked if you want to turn on DCE SIA (the default is "no"). Later, you can turn on DCE SIA security by choosing option 8 (Enable DCE SIA) from the Modify Configuration Menu. After you choose this option, dcesetup executes the shell script /opt/dcelocal/etc/sec_insert_dce_entries.sh to perform the following operations:
1. Checks whether KRB5CCNAME exists in the /usr/lib/X11/xdm/xdm-config file on the local system. If it does exist, the script continues to step 3. If it does not exist, the script saves the original xdm-config file with the name xdm-config.savn (where n is the next available number).
NOTE:
You are responsible for deleting all the .sav* files created by enabling or disabling DCE SIA.
2. Adds KRB5CCNAME to the /usr/lib/X11/xdm/xdm-config file, so that the console login preserves the credential handle, KRB5CCNAME, after a successful login to DCE.
3. Checks whether DCE entries exist in the matrix.conf file. If DCE entries exist, the script ends; if no entries exist, the script performs steps 4 and 5.
4. Saves the original matrix.conf file with the name matrix.conf.savn (where n is the next available number) in the /etc/sia directory.
5. Inserts DCE entries for all siad routines in the matrix.conf file. For example, before modification, the entry might look as follows:
siad_init=(BSD,libc.so)
After modification, the new entry looks as follows:
siad_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)
where libdcesiad.so, installed by DCE, is a shared library containing all the DCE siad routines.
3.5.2 Turning Off DCE SIA Security
To turn off DCE SIA security, choose option 8 (Disable DCE SIA) from the Modify Configuration Menu. After you choose this option, dcesetup executes the /opt/dcelocal/etc/sec_remove_dce_entries.sh shell script to perform the following operations:
1. Checks whether KRB5CCNAME exists in the /usr/lib/X11/xdm/xdm-config file on the local system. If it does not exist, the script continues to step 3. If it does exist, the script saves the original xdm-config file with the name xdm-config.savn (where n is the next available number).
2. Removes KRB5CCNAME from /usr/lib/X11/xdm/xdm-config.
3. Checks whether DCE entries exist in the matrix.conf file. If they do not, the script ends; if they do exist, the script performs steps 4 and 5.
4. Saves the matrix.conf file with the name matrix.conf.savn (where n is the next available number) in the /etc/sia directory. (The script saves the existing configuration file instead of reusing the prior one that had DCE SIA turned off, in case other layered products have added their security mechanisms in the interim.)
NOTE:
You are responsible for deleting all the .sav* files created by enabling or disabling DCE SIA.
5. Removes DCE entries from all siad routines in the matrix.conf file. For example, before modification, the entry might look as follows:
siad_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)
After modification, the new entry looks as follows:
siad_init=(BSD,libc.so)
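The matrix.conf edits that sec_insert_dce_entries.sh (Section 3.5.1) and sec_remove_dce_entries.sh (Section 3.5.2) perform, re-created as an added example; this is not Entegrity's script and it leaves the xdm-config steps aside. It works on whatever file path you pass (try a copy of /etc/sia/matrix.conf), keeps the .savn backup naming, and the first_mechanism helper shows which mechanism SIA will call first for a routine, as Section 3.5 describes.

```shell
#!/bin/sh
# Added example, not the guide's own script: matrix.conf handling only.
# Usage: enable_dce_sia /path/to/copy/of/matrix.conf
#        disable_dce_sia /path/to/copy/of/matrix.conf

DCE_ENTRY='(DCE,/usr/shlib/libdcesiad.so)'   # mechanism entry the guide shows

# next_save_name FILE -> prints FILE.savN with the next unused N (1, 2, ...)
next_save_name() {
    n=1
    while [ -e "$1.sav$n" ]; do n=$((n + 1)); done
    printf '%s.sav%s\n' "$1" "$n"
}

# has_dce_entries FILE -> true if any siad_* line already lists the DCE mechanism
has_dce_entries() {
    grep -q '^siad_[A-Za-z_]*=.*(DCE,' "$1"
}

# first_mechanism FILE ROUTINE -> name of the mechanism SIA calls first for ROUTINE
first_mechanism() {
    sed -n "s|^$2=(\([A-Za-z0-9]*\),.*|\1|p" "$1"
}

# enable_dce_sia FILE: back up, then put the DCE mechanism first on every siad_* line
enable_dce_sia() {
    f=$1
    if has_dce_entries "$f"; then
        echo "DCE entries already present in $f; nothing to do" >&2
        return 0
    fi
    cp "$f" "$(next_save_name "$f")"
    # siad_init=(BSD,libc.so)  ->  siad_init=(DCE,/usr/shlib/libdcesiad.so),(BSD,libc.so)
    sed "s|^\(siad_[A-Za-z_]*=\)|\1$DCE_ENTRY,|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# disable_dce_sia FILE: back up, then drop the DCE mechanism wherever it appears
disable_dce_sia() {
    f=$1
    if ! has_dce_entries "$f"; then
        echo "No DCE entries in $f; nothing to do" >&2
        return 0
    fi
    cp "$f" "$(next_save_name "$f")"
    # remove "(DCE,...)," when another mechanism follows, or ",(DCE,...)" when it is last
    sed -e "s|$DCE_ENTRY,||" -e "s|,$DCE_ENTRY||" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}
```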
3.5.3 Managing Your SIA Environment with SIACFG
System administrators can use the SIACFG configuration program to display and resolve inconsistencies between UNIX account information stored in the DCE/Kerberos user database and corresponding information stored in the user database of the local machine.
You can activate SIACFG by using the following command:
siacfg [-l <file>] [-q ] [-o] [-C | -P]
SIACFG may be activated in command mode, by including either the -C or -P option on the command line, or in menu mode, by not including either option. In either mode, the optional -l, -q, and -o switches may be used to modify the behavior of SIACFG; the -q(uiet) switch reduces the amount of informational output produced by SIACFG, the -o(verride) switch causes any override entries that are created to include a password field, and the -l(og) switch, along with its argument, may be used to capture a record of an SIACFG session.
SIACFG captures the results of the database comparison and the conflict resolution choices made by the administrator in a persistent and modifiable form referred to as the "Normalization Plan". There are two commands available in command mode that can be used to manage the Normalization Plan: command C, "Compare and Create Normalization Plan", and command P, "Apply or Publish Normalization Plan." In menu mode, a third command M, "Modify Normalization Plan" allows an administrator to modify the existing plan. The administrator creates a plan using the C command, and refines it if necessary using the M command.
Once the administrator determines that the plan properly resolves the detected conflicts, the administrator employs the P command to create and install the password and group override files and create any DCE registry objects called for by the plan. Once a plan has been created, the conflict detection and resolution processing performed by the C command assumes that the existing plan has been applied, and detects only those conflicts that would not be resolved by the plan. The administrator may publish, retest for conflicts, modify, and republish. The SIACFG Normalization Plan is stored in the following files.
Overrides are configured in the following files.
3.5.4 SIA Credentials Forwarding
The SIA (Security Integrated Architecture) mechanism now supports the creation of forwardable credentials.
To enable SIA forwardable credential creation, put the following line into the /opt/dcelocal/dce_services.db file:
enable SIA forward
This change will take place on the next restart of DCE services.
3.5.5 Enhanced SIA Log Messages
Enhanced log messages have been added to the SIA library. To enable logging of SIA messages, perform the following step:
touch /opt/dcelocal/var/adm/security/sialog file
enable SIA forward
The sialog file will contain the output from the SIA DCE logging.
3.6 Migrating Your Cell
Some DCE cells may be running security or CDS servers on hosts with different versions of DCE. This might happen because a cell has DCE software from multiple vendors, each supplying upgrades at different times. Or perhaps upgrading all the hosts simultaneously is not feasible.
DCE for Tru64 UNIX Version 2.0 (or higher) security servers and CDS servers can interoperate with older servers (based on OSF DCE Release 1.0.3a, 1.0.2, and so on). However, new DCE security features associated with OSF DCE Release 1.1 and DCE Release 1.2.2 will generally not be available until all security server replicas in your cell are based on OSF DCE Release 1.1 and 1.2.2. Additionally, new CDS capabilities will not be available until all security servers and some or all CDS servers are based on OSF DCE Release 1.1 and 1.2.2.
If your cell contains older versions of security or CDS servers, you will need to migrate (gradually upgrade) older servers until all of them are running DCE server software based on OSF DCE Release 1.1 and 1.2.2. Once all security or CDS servers have been upgraded, you must perform some additional steps so that your servers can provide the new security and CDS capabilities.
Security servers and CDS servers use separate procedures to complete migration. Section 3.6.1 on page 91 provides the instructions for completing Security server migration. Section 3.6.2 on page 92 provides the instructions for completing CDS server migration.
3.6.1 Security Migration
After you install the new security server version on a host where an older version security replica (master or slave) exists, that replica will operate with the new security server, but with the behavior of the older version server.
A server based on OSF DCE 1.1 or higher cannot create a new replica and operate it as an older version replica. Once OSF DCE Release 1.1 or higher has been installed on all hosts that have security replicas, you must issue a single cell-wide command that simultaneously migrates all the replicas to operate at the level of DCE 1.1. At this point, the cell will support new security features such as extended registry attributes.
NOTE:
Once you have migrated the security servers to DCE 1.1 or higher, it is not possible to create a replica on a host running an earlier version.
If all of the Security server replicas in your cell are based on OSF DCE Release 1.1 or higher, you can perform the final migration steps in this section.
NOTE:
If your cell is still running any security servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database attributes. Older servers cannot operate on newer version databases.
Once you have installed and configured this version of Gradient DCE for Tru64 UNIX Security servers in your cell, perform the following actions as cell administrator:
-
Ensure that at least one security replica can write to the cell profile. Use the following operation to check the cell-profile ACL for: user:dce-rgy:rw-t---.
# dcecp -c acl show -io /.:/cell-profile
-
On all Security servers, set the server version to: secd.dce.1.1.
# dcecp -c registry modify -version secd.dce.1.1
-
Verify that the version has been set to secd.dce.1.1.
# dcecp -c registry show
NOTE:
If you have not updated all 1.0.3 security replicas to DCE 1.1, any original 1.0.3 replicas will be stopped when you move the registry version forward to DCE 1.1. You may wish to verify that any original 1.0.3 replicas are no longer running.
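An added check for the first migration step above (example code, not part of the guide): it reads saved output of dcecp -c acl show -io /.:/cell-profile and confirms that the user dce-rgy entry carries the r, w and t permissions, which is what user:dce-rgy:rw-t--- requires. It assumes dcecp prints one ACL entry per line in the form {type key perms}, such as {user dce-rgy rw-t---}.

```shell
#!/bin/sh
# Added example, not from the guide. Run the dcecp command once and save its output:
#   dcecp -c acl show -io /.:/cell-profile > /tmp/cell-profile.acl
# then:  registry_can_write_cell_profile /tmp/cell-profile.acl
# Assumed output format (one entry per line): {user dce-rgy rw-t---}

# dce_rgy_perms FILE -> permission string of the "user dce-rgy" entry, or nothing
dce_rgy_perms() {
    sed -n 's/^{user dce-rgy \([^}]*\)}$/\1/p' "$1" | head -n 1
}

# registry_can_write_cell_profile FILE -> true only if dce-rgy holds r, w and t.
# Extra bits are accepted; a missing bit or a missing entry is reported and fails.
registry_can_write_cell_profile() {
    perms=$(dce_rgy_perms "$1")
    if [ -z "$perms" ]; then
        echo "no user dce-rgy entry in cell-profile ACL" >&2
        return 1
    fi
    for bit in r w t; do
        case $perms in
            *"$bit"*) ;;
            *) echo "user dce-rgy lacks '$bit' permission (has $perms)" >&2; return 1 ;;
        esac
    done
    return 0
}
```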
3.6.2 CDS Migration
If you have installed and configured this version of Gradient DCE for Tru64 UNIX CDS servers in your cell, you might need to perform additional steps to complete the upgrade process.
If you created a new DCE cell and, during the dcesetup process, you set the default directory version information for each CDS server to Version 4.0, you do not need to perform the migration steps in this section.
If your cell is still running any security or CDS servers based on a DCE release prior to OSF DCE Release 1.1, do not complete the upgrade steps in this section. The upgrade steps will advance some security database and CDS directory attributes. Older servers cannot operate on newer version databases or directories.
Gradient DCE for Tru64 UNIX features, such as hierarchical cells and cell aliasing features, will be available only when all of your cell's security and CDS servers are running DCE for Tru64 UNIX Version 2.0 or higher and the upgrade steps have been completed. Refer to the Gradient DCE for Tru64 UNIX Product Guide and to the OSF DCE documentation for descriptions of available features.
Once the necessary DCE servers have been upgraded to DCE software based on OSF DCE Release 1.1 or higher, you can perform the migration steps in this section. The migration steps will enable the use of hierarchical cells, cell aliasing, and delegation.
NOTE:
Directory version information can only be set forward. If you migrate a CDS server to OSF DCE 1.1 or higher behavior, you cannot revert that server to 1.0.3 behavior.
Once you have installed and configured Gradient DCE for Tru64 UNIX security servers and CDS servers, perform the following actions as cell administrator:
-
If you have not done so, perform the security migration steps in Section 3.6.1 on page 91.
-
For all CDS clearinghouses, manually update the CDS_UpgradeTo attribute to 4.0. The following two operations ensure that new directories created in this clearinghouse will receive the correct directory version number:
# dcecp -c clearinghouse modify chname \
-add \{CDS_UpgradeTo 4.0 \}
# dcecp -c clearinghouse verify chname
-
Manually upgrade all older directory version information to 4.0 as follows:
# dcecp -c directory modify /.: -upgrade -tree
The -tree option operates recursively on all subdirectories (in this example, it operates on the entire cell). This command does not work unless all CDS servers housing the affected directories are running DCE for Tru64 UNIX Version 2.0 or higher. This command can take a long time to execute, depending on the size of the namespace.
3.7 Running the DCE Configuration Verification Program
Once the DCE daemons are started, you can run the DCE Configuration Verification Program (CVP) to ensure that the DCE services are properly installed. The procedure prompts you with the following message:
Do you want to run the DCE Configuration Verification Program?(y/n)[y]:
If you type yes or press <Return>, the procedure indicates that the CVP is running.
Executing DIGITAL DCE V4.0 (Rev.635) for DIGITAL UNIX CVP (please wait)
Copyright (c) Digital Equipment Corporation. 1998. All Rights Reserved.
Verifying...........
The CVP invokes tests of the 10 DCE RPC interfaces, printing a dot (.) as each test is successful. A completely successful test execution results in 10 dots printed in succession. When the CVP tests are completed successfully, you receive the following message:
DIGITAL DCE V4.0 (Rev. 635) for Compaq Tru64 UNIX CVP completed successfully
NOTE:
You can repeat the CVP whenever you want by choosing option 8 (Run Configuration Verification Program) from the DCE Setup Main Menu.
After you run the CVP, the configuration procedure updates your system startup procedure so that the daemons restart automatically whenever the system is rebooted.
3.8 Error Recovery During Configuration
If the procedure encounters any errors during DCE system configuration, it displays error messages. Some errors are not fatal, and the procedure attempts to continue. Other errors are fatal, and the procedure terminates. If a fatal error is encountered while the procedure is starting the DCE daemons, the procedure attempts to stop any daemons that have already been started. This returns the system to its original state before you began the configuration.
If you receive an error message at any time while running the DCE System Configuration utility, you can get more detailed information about the cause of the error by examining the associated log file in /opt/dcelocal/dcesetup.log. (If dcesetup is run without root privileges, the log file will be located in /tmp/dcesetup.username.log.) This log file contains a record of the operations invoked by the System Configuration utility the last time it was executed, and may help you diagnose the cause of the problem.
Sometimes the cause of an error is transitory and may not recur if you repeat the operation. Use the command /usr/sbin/dcesetup restart to retry if errors are encountered during the startup of the DCE daemons. For more information about this command, see the Gradient DCE for Tru64 UNIX Product Guide.
To make comments or ask for help, contact support@entegrity.com.
Copyright © 1997-2002 Entegrity Solutions Corporation & its subsidiaries