sions, that is, when mask_obj and/or user_obj isn't rwxcid, one can either use
commands like this if it's a directory,

   dcecp -c acl modify -change {mask_obj rwxcid}
   dcecp -c acl modify -io -change {mask_obj rwxcid}
   dcecp -c acl modify -ic -change {mask_obj rwxcid}

or like this if it's a file

   dcecp -c acl modify -change {mask_obj rwxcid}

Or if you would like a script to do all the files and directories from a given
directory down, you could use something like this

   #!/bin/sh
   # Default starting directory to current directory (eg, ".") if not given.
   a=${1:-.}
   # Directories: set the ACL on the directory itself, then -io and -ic.
   find "$a" -type d -print -exec dcecp -c acl modify {} -change {mask_obj rwxcid} \; \
                            -exec dcecp -c acl modify {} -io -change {mask_obj rwxcid} \; \
                            -exec dcecp -c acl modify {} -ic -change {mask_obj rwxcid} \;
   # Files: set the ACL on the file.
   find "$a" -type f -print -exec dcecp -c acl modify {} -change {mask_obj rwxcid} \;

---------------------------------------------------------------------------------------
A cute trick to copy ACL's from one directory or file, to another, is

   dcecp -c acl replace /dfs/Target_Dir_or_File -acl [acl show /dfs/From_Dir_File]

Of course, you can tack on -io or -ic as necessary in either piece.
---------------------------------------------------------------------------------------
Instead of using rmdce to undefine a client machine from a DCE domain, use
unconfig.dfs & unconfig.dce instead. This was cut out of a smit.log on 5/4/1999.
   unconfig.dfs -cell_admin adminraj -config_type admin -dce_hostname litho2.almaden.ibm.com -host_id litho2.almaden.ibm.com -dependents -force all

and

   unconfig.dce -cell_admin adminraj -config_type admin cds_cl sec_cl -dce_hostname litho2.almaden.ibm.com -host_id litho2.almaden.ibm.com -dependents -force all

And if that doesn't work 'cause it can't talk to a DCE server, like on all the old
Almaden patent server machines, then try

   umount /dfscache
   rmfs /dfscache
   rmdir /dfscache
   umount /var/dce
   rmfs /var/dce
   rm /etc/dce/cds.conf /etc/dce/cfg.dat
   installp -u dce
   rm -rf /etc/dce
   rm -rf /usr/lpp/dce
   rm -rf /usr/lib/dce
   rm -rf /lpp/save.config/etc/dce
   rm /dfs

---------------------------------------------------------------------------------------
The DFS equivalent to the UNIX fsck command is salvage. When running salvage, use the
-verbose option & pipe the output to a file (or tee it), and also use the -salvage
option, which would get the salvage command to do its most extensive checking possible.
E.G.

   salvage -aggregate scsi0 -salvage -verbose | tee /tmp/salvage.output

---------------------------------------------------------------------------------------
To allow a user to login with an expired password, set this attribute in the DCE
registry,

   dcecp -c principal modify adminraj -add {passwd_override 1}

or

   dcecp -c principal modify adminraj -attribute {passwd_override 1}

if it already exists. After you do this, whenever you authenticate with this userid,
you'll see this msg

   This account is exempt from password expiration enforcement.

---------------------------------------------------------------------------------------
For the Almaden DCE domain,
 - The master clearinghouse server is almdce1.
 - The master security server is almdce2.
 - Normally, clients are configured for cds_cl, dts_cl, rpc, & sec_cl.
   If you've got DCE 2.2, dceunixd is also configured.
---------------------------------------------------------------------------------------
To run a job from "cron" or "at" and be DCE-authenticated, use start_batch, a tool
from the diskette that comes with the "Administrating IBM DCE and DFS Version 2.1 for
AIX (and OS/2 Clients)" book.

To use, first login as root on the system you want to run on, and create a keytab
entry for the user you want to run under. For example, for dbsys01 on as0103e1, I got
under the rgy_edit program,

   rgy_edit

and once there, used these subcommands,

 - ktlist
      This will tell you what keys exist now in your default key table, which is
      /krb5/v5srvtab.
 - ktadd -p dbsys01
      Answer the password prompt with dbsys01's DCE password.

Then you just have to use

   start_batch dbsys01 .

On the Almaden Patent Server domain, start_batch is in /dfs/admin/dce_tools.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Or alternatively, to use Ed's buddy program (in /u/jasper/bin & /usr/local/bin, aka
/dfs/apps/userlocal/bin). To set things up, create a keytab file, say in /krb5, that's
owned by the user. For example, as root,

   rgy_edit
    - ktadd -p inst1 -pw inst1_password -f /krb5/inst1.ktab
    - quit
   chown inst1:dbadmin1 /krb5/inst1.ktab

Then as inst1, you can

   buddy -p inst1 -k /krb5/inst1.ktab klist     (or any command you want)

=======================================================================================
DFS uses "lazy" notification, which means DFS client machines don't see new files in
just-released filesets, like AFS clients do.
To get a client machine to flush their cache so that the next time they read the file
they see the new stuff, as root on the client machine, type

   cm checkf

---------------------------------------------------------------------------------------
Some handy dcecp commands to display and modify attributes,

Globally for the site,

   registry show -att
   registry mod -mintktlife +0-00:00:01.000
   registry mod -deftktlife +0-00:00:10.000
   registry mod -deftktlife +1-06:00:00.000
   registry mod -mintktlife +0-00:05:00.000

Or for an individual userid,

   account show -policies

Remember, a "user" is the combination of a "principal" and an "account".
---------------------------------------------------------------------------------------
A link that has the DCE/DFS commands documented,

   http://felps.austin.ibm.com/besteam/studyguides/dss/dss_docs.htm

The http://felps.austin.ibm.com/besteam/studyguides/a3u11mst/a3u11mst.htm is their
DCE for AIX: Admin. Command Reference, which is where dcecp and others are documented.
---------------------------------------------------------------------------------------
Some AFS commands and their DCE/DFS counterparts.

AFS            DCE/DFS
-----------    -----------------------------
klog           dce_login   or   kinit to refresh an existing ticket (token)
tokens         klist
unlog          kdestroy
fs lq          fts lsq     (units are 1024 bytes, just like AFS)
fs lsm         fts lsm
kpasswd        passwd if you've got the integrated passwd command and your
               AUTHSTATE environment variable is set to DCE, else it's
               dcecp, then at the dcecp> prompt,
               account modify -mypwd -password , then quit.

               Be aware that (it appears that) only cell_admin can change a
               machine's principal's password, eg hosts/as0114e0/self.
               Even tho' jasper is priv, I couldn't do it from that id.
               What I had to do to change hosts/as0114e0/self's password was
                  dce_login cell_admin
                  dcecp
                  account modify hosts/as0114e0/self -mypwd -password
                  quit
pts mem        dcecp -c group list
fs checks      dcecp -c cell ping   or   cm statservers -all
fs whereis     cm whereis

To Get To Yesterday's Files
cd /u/jasper                          cd /d/jasper                              Start at your AFS/DFS home directory
fs lq .                               fts lsq .                                 To get one's volume/fileset name.
fs crm yesterday user.jasper.backup   fts crm yesterday users..j..jasper.backup
fs delm yesterday                     fts delm yesterday

rlidwka                               rwxcid                                    ACL's   See discussion below
/var/vice/etc/ThisCell                /var/dce/dced/cell_name                   ??
/var/vice/etc/CellServDB

Other DCE/DFS commands
------------------------------------ ---------------------------------
List information about a user        dcecp -c user show
List all dcecp objects               dcecp -c help -verbose
List commands for a dcecp object     dcecp -c operations
List all members of a group          dcecp -c group list
Command suites                       bak, bos, cm, fts
=======================================================================================
ACL's in dfs are quite different than in afs. The output from one of the acl show
commands (dcecp -c acl show or acl_edit -l) is

   {mask_obj rwxcid}        # Ed says to avoid troubles, just keep this all on.
   {user_obj rwxcid}        # Relates to the file's or directory's owner.
   {group_obj rwx-id}       # Relates to the file's or directory's group.
   {group patent rwxcid}    # Relates to the dce group, patent.
   {other_obj rwx-id}       # Relates to dce-authenticated users (system:authuser).
   {any_other rwx-id}       # Relates to unauthenticated users (system:anyuser).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The permissions stand for read, write, execute, control, insert, and delete. You can
type

   dcecp -c acl permissions some-object

to see an English description of the ACLs for that object.
For example, for a file,

   dcecp -c acl permissions .kshrc

returns

   {r {read}}
   {w {write}}
   {x {execute}}
   {c {control}}
   {i {insert}}
   {d {delete}}

For a group, the very confusing rctDnfmM, is nicely translated to

   dcecp -c acl permissions /.:/sec/group/delphion-admin
   {r {read}}
   {c {control}}
   {t {test}}
   {D {Delete object}}
   {n {name}}
   {f {fullname}}
   {m {management info}}
   {M {Member list}}

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The <|-io|-ic> used below refers to the three different kind of ACLs one can set on a
directory. The default if you don't specify -io or -ic is the ACL on the directory
itself. "-ic" stands for "Initial Container" and is the ACL a newly-created directory
will inherit. Likewise, "-io" stands for "Initial Object" and is the ACL an initial
file will inherit.

AFS            DCE/DFS
-----------    -----------------------------
fs la          dcecp -c acl show <|-io|-ic>
                 or dcecp -c acl check          to see just your permissions
                 or acl_edit /dfs/patent/fpcache/68/99 -l <|-io|-ic>
fs sa          dcecp -c acl modify <|-io|-ic> -add ''
                 or dcecp -c acl modify <|-io|-ic> -change ''
                 or acl_edit <|-io|-ic> -f      See below.
=======================================================================================
Beware of truncated userids when doing a ls command. For example,

   ls -l build_SQL_commands_from_list.sh
   -rwxr-xr-x 1 hosts/a2 none 2743 Sep 08 16:12 build_SQL_commands_from_list.sh

But "hosts/a2" is truncated. This file is actually owned by a201's root. You can see
this with a

   ls -n build_SQL_commands_from_list.sh

command to see the userid number (2157), then translate that number into the real
userid with dcecp, like this

   # dcecp
   dcecp> principal show hosts/a201.sby/self
   {fullname {}}
   {uid 2157}
   {uuid 0000086d-52e1-21d0-8e00-02608ce89fbe}
   {alias no}
   {quota unlimited}
   {groups none subsys/dce/dts-servers}
   dcecp> quit
   #

I don't know how to translate 2157 into hosts/a201.sby/self directly.
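
An added example, not part of the original notes: a small audit of the acl show output format described above. It prints each entry's granted and effective permissions, warns when mask_obj isn't rwxcid, and warns when any_other (unauthenticated users) still ends up with w, c, i or d. It assumes the DFS rule that mask_obj filters every entry except user_obj and other_obj; the function names are made up for this example, and the sample is the acl show output quoted in these notes.

```shell
#!/bin/sh
# audit_acl: read `dcecp -c acl show` output on stdin and print
#   entry  granted  effective  [WARN ...]
# Assumption: mask_obj filters every entry except user_obj and other_obj.
audit_acl() {
    awk '
    BEGIN { n = 0; have_mask = 0 }
    {
        sub(/#.*/, "")       # drop trailing comments
        gsub(/[{}]/, "")     # drop the Tcl list braces
        if (NF < 2) next
        kind[n] = $1
        name[n] = (NF >= 3) ? $1 ":" $2 : $1    # e.g. group:patent
        perm[n] = $NF
        if ($1 == "mask_obj") { mask = $NF; have_mask = 1 }
        n++
    }
    END {
        if (have_mask && mask != "rwxcid")
            print "WARN mask_obj is " mask ", not rwxcid"
        for (i = 0; i < n; i++) {
            exempt = (!have_mask || kind[i] == "mask_obj" ||
                      kind[i] == "user_obj" || kind[i] == "other_obj")
            eff = ""
            for (j = 1; j <= length(perm[i]); j++) {
                c = substr(perm[i], j, 1)
                # A granted bit survives only if the mask also has it.
                if (!exempt && c != "-" && index(mask, c) == 0) c = "-"
                eff = eff c
            }
            note = ""
            if (kind[i] == "any_other" && eff ~ /[wcid]/)
                note = " WARN unauthenticated users can modify"
            print name[i], perm[i], eff note
        }
    }'
}

# Sample input: the six entries shown in the acl show output above.
sample_acl() {
cat <<'EOF'
{mask_obj rwxcid}        # Ed says to avoid troubles, just keep this all on.
{user_obj rwxcid}
{group_obj rwx-id}
{group patent rwxcid}
{other_obj rwx-id}
{any_other rwx-id}
EOF
}

sample_acl | audit_acl
```

On a live system the input would come from dcecp -c acl show (with -io or -ic as needed) for the object being checked.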
=======================================================================================
Ed's /dfs/admin/bin/doit script sets ACLs for all directories & files starting at a
given directory. It's invoked by

   doit

where is where you want to start, and is the first part of the filename to use for the
ACL's. The ending part of the filename gets filled in by the doit script.

The doit script is simply 2 find commands that executes 3 acl_edit commands for
directories & all subdirectories, setting the initial ACL for the directory itself, as
well as the initial object (-io) and initial container (-ic) ACLs. For all files, it
sets the ACL. The doit script is

   #!/bin/sh
   # $1 = starting directory, $2 = first part of the ACL filename
   find "$1" -type d -print -exec acl_edit {} -f "$2-dir" \; \
                            -exec acl_edit {} -io -f "$2-file" \; \
                            -exec acl_edit {} -ic -f "$2-dir" \;
   find "$1" -type f -print -exec acl_edit {} -f "$2-file" \;

For example,

   /dfs/admin/bin/doit /dfs/.rw/patent/admin/gsc /dfs/admin/acl/patgsc

then

   /dfs/admin/bin/doit /dfs/.rw/patent/admin/gsc/logs /dfs/admin/acl/patgsclogs
   /dfs/admin/bin/doit /dfs/.rw/patent/cache /dfs/admin/acl/patcache
   /dfs/admin/bin/doit /dfs/.rw/patent/fpcache /dfs/admin/acl/patfpcache

or

   /dfs/admin/bin/doit /dfs/.rw/apps /dfs/admin/acl/admin/adminacl

where the file                   and the file
/dfs/admin/acl/patcache-dir      /dfs/admin/acl/admin/patcache-file
contains                         contains
---------------------------      ----------------------------------
mask_obj:rwxcid                  mask_obj:rwxcid
user_obj:rwxcid                  user_obj:rwxcid
group_obj:------                 group_obj:------
group:admin:rwxcid               group:admin:rwxcid
group:patent:rwx-id              group:patent:rwx-id
group:root_principals:rwx-id     group:root_principals:rwx-id
other_obj:rwx-id                 other_obj:rwx-id
any_other:rwx-id                 any_other:rwx-id
=======================================================================================
To replicate volumes in patent.ibm.com, I

   fts setrepinfo -release
   fts addsite               To get RO copy on RW aggregate
   fts addsite               To get new RO copy on other srvr
   fts release
==================================================================================
If you ever get the message

   Cannot export our token RPC interface: Cannot perform endpoint map operation (dce / rpc).

when doing a privileged fts command, then you need to run the /etc/dce/dce.env script
in your environment, i.e.

   . /etc/dce/dce.env

which will export four RPC_* environment variables, which will get DCE to use the
proper network interface for multi-homed machines. The /etc/dce/rc.dcestart script is
generated by the /etc/dce/rc.dcestart script, which is run out of /etc/inittab to
start dce & dfs. It's recommended you put the following line in /etc/profile
somewhere,

   . /etc/dce/dce.env

==================================================================================
The /spdata/sys1/install/default/lppsource/scripts/dce/mkdceadmin.sh script
essentially does a

   cdsli /.:/hosts/ar0077e0

command to see if a client is defined to DCE yet or not, then does a

   mkdce -o admin -i ar0077e0 -h ar0077e0 -c ar0073e0.patent.ibm.com -s ar0073e0.patent.ibm.com -n patent.ibm.com sec_cl cds_cl

command if it's not.
================================================================================
To activate an Almaden account, Dale has all AFS accounts defined to DCE, but with the
acctvalid account attribute set to no. To change it, you can run Dale's
/:/projects/dceadmin/bin/validate_account.tcl script.
================================================================================
To authorize adminraj to do privileged DCE things, I authenticated as cell_admin and
added adminraj to these DCE groups with these dcecp commands,

   who=adminraj
   dcecp -c group add acct-admin -member $who
   dcecp -c group add subsys/dce/sec-admin -member $who
   dcecp -c group add subsys/dce/cds-admin -member $who
   dcecp -c group add subsys/dce/dfs-admin -member $who

================================================================================
When looking at ACL's for non-DFS things, i.e.
CDS things like principals, you need to know how to specify the object on the
dcecp -c acl show command.

For             Specify this, for example                   Comments
-------------   --------------------------------            ------------------------
Principals      acl show /.:/sec/principal/rsosa
Hosts           acl show /.:/hosts/ar0085e0
Groups          acl show /.:/sec/group/patent
Organizations   acl show /.:/sec/org/none
Replication     acl show /.:/sec/replist                    The registry subcommand.
Policy          acl show /.:/sec/policy
cdsclerk        acl show /.:/hosts/ar0072e0/cds-clerk
   "  entry     acl show /.:/hosts/ar0072e0/cds-clerk -e

Remember, /.: is simply short for /.../patent.ibm.com or /.../almaden.ibm.com. or
/.../delphion.ibm.com. or /.../ips4db2.
================================================================================
Here are a few DCE/DFS debug tips from Ed one day.

 - dfstrace dump | more
      to see errors like this, for example,
      time 66.024241, pid 23872: dfs: server disk quota exceeded, fileset 0,,28
 - fts lsft -fileset 0,,28
      Tells you what that fileset is, what server and aggregate it is, and other
      stuff.
================================================================================
To configure DCE & DFS in the Almaden cell with smitty,

 - smitty dce
 - Configure DCE/DFS
 - Configure DCE/DFS Clients
 - Full DCE/DFS Client Configuration (if you want to exploit your knowledge of
   cell_admin's password)

The screen you'll see starts with

 * CLIENTS to configure                     rpc sec_cl cds_cl dts_cl dfs_cl  +  (everything but slim_cl, the slim client)
 * CELL name                                [almaden.ibm.com]
 * Cell ADMINISTRATOR's account             [cell_admin]
   Machine's DCE HOSTNAME                   [patws.almaden.ibm.com]
 * Start components at System restart       Yes  +  (have to tab from "No" to "Yes")
 * Protocol                                 udp  +  (have to tab from "tcp udp" to "udp")
   MASTER SECURITY Server                   [almdce2.almaden.ibm.com]
   CDS Server (If in a separate network)    [almdce1.almaden.ibm.com]
   Synchronize Clocks                       Yes  +
   Time Server to Synchronize Clocks with   [almdce3.almaden.ibm.com]

After that finishes, go back one smitty screen to

 - Configure DCE/DFS Clients
 - DCE UNIXD Server

and accept all the defaults there. This configures dceunixd.
================================================================================
Some notes on upgrading client machines from DCE 2.1 to DCE 2.2,

Before the conversion,
   mkdir /var/dce/tmp
   mkdir /var/dce/config
   mkdir /var/dce/dced/backup
   Comment out rccleancred from /etc/inittab
   Replace the rcdce line in /etc/inittab with
      rcdce:2:wait:/etc/rc.dce all > /dev/console 2>&1 # Start DCE/DFS Daemons
   and comment it out as well.
   Reboot the machine/node to get an IPL without DCE/DFS up.
   find /dfscache -type f -exec rm {} \;
   Remove unneeded parms on dfsd startup command, in /etc/dce/rc.dce
   Unnecessary parms are
    - callback $RPC_SUPPORTED_NETADDRS
    - blocks 20000
    - cachedir /dfscache
    - chunksize 16
   Un-comment-out the rcdce line in /etc/inittab.
After the conversion,
   Replace the rcdce line in /etc/inittab with
      cleanupdce:2:wait:/usr/bin/clean_up.dce > /dev/console 2>&1
      rcdce:2:wait:/etc/rc.dce all > /dev/console 2>&1 # Start DCE/DFS Daemons
      (or rcdce:2:wait:/usr/bin/start.dce all > /dev/console 2>&1 # Start DCE/DFS Daemons)
   Configure the dceunixd client daemon, with a config.dce dce_unixd command.
   If need be, to fix DFS
      Start dfsd by hand, e.g. /opt/dcelocal/bin/dfsd -verbose
      then run start.dce all again.
----------------------------------------------------------------------------------
Experience with 201 on 9/3/99

9/2:   - mkdir /var/dce/tmp
       - mkdir /var/dce/dced/backup
       - Both dce lines commented from /etc/inittab
       - /dfscache directory cleaned out.
6:00   Upgraded AIX 4.2.1 to 4.3.2 & DCE 2.1 to 2.2, with
7:19   migcheck ran. Got chdir failure.
9/3:   After the upgrade, since no DCE lines were in /etc/inittab, of course, DCE
       didn't try to come up & convert.
8:40   Ran lsdce -r. Got "Please run migrate.dce."
9:18   Ran start.dce all. DCE appeared to migrate ok, but when it called start.dfs,
       it got
          Attempting to migrate to the current level of DFS.
          Attempting to migrate to the current level of DCE.
          cdsclerk is running.
          dced is running.
          cdsadv is running.
          0x11315b65: One or more DCE daemons are currently running. DCE Migration cannot be performed unless no DCE daemons are running.
          0x11315b66: You can attempt to stop the daemons by running the command stop.dce, or you can stop them manually.
          0x113159fb: Start did not complete successfully.
          0x11315066: The system call (chdir) failed with a return code of -1 and error number of 2.
       This chdir error message is apparently due to /var/dce/config not being
       there.
9:44   Ran start.dce all again. Got the familiar
          ...
          Starting the DFSD daemon...
          The DFS kernel extension dfscore.ext has successfully loaded.
          readRPC_SUPPORTED_NETADDRS
          Waiting up to 120 seconds for the daemon to start.
          Waited 5 seconds.
          ...
          Waited 120 seconds.
          0x113155ed: The following component is not running, and is not registered in DCED as running: DFS client.
          unknown math function "DCF_MESSAGE"
          0x1138da69: Unable to start the DFS client.
          0x1138da5d: The components on DFS host, as0201e0 did not start successfully.
          0x113159fb: Start did not complete successfully.
10:24  Created /var/dce/config directory.
10:53  Ran start.dce all again. Still got
          ...
          Waited 120 seconds.
          0x113155ed: The following component is not running, and is not registered in DCED as running: DFS client.
          unknown math function "DCF_MESSAGE"
          0x1138da69: Unable to start the DFS client.
          0x1138da5d: The components on DFS host, as0201e0 did not start successfully.
          0x113159fb: Start did not complete successfully.
11:00  Removed "-callback $RPC_SUPPORTED_NETADDRS" from dfsd: line in
       /opt/dcelocal/etc/cfgarg.dat
11:01  Ran start.dce all again. This time, things seemed to work fine, except
11:45  after a reboot, I saw that /etc/dce/cfg.dat and /etc/dce/cfgarg.dat were
       zero-length. I copied the CWS's copy over & ran start.dce all again, and
       everything came up ok.
----------------------------------------------------------------------------------
It's interesting and sometimes valuable to understand how DFS moves a volume, but
first a lesson in DFS (also true for AFS).

 - Each aggregate has a header that usually is kept in synch with the FLDB.
 - You can see what's in an aggregate's header by fts lsheader, e.g.

      fts lsheader -server ar0073e0 -aggregate ssa3
      Total filesets on server ar0073e0 aggregate ssa3 (id 6): 1
      patent.verity 0,,25 RW 57743082 K alloc 57743082 K quota On-line
      Total filesets on-line 1; total off-line 0; total busy 0

 - You can see what's in the FLDB with fts lsfldb, e.g.
      fts lsfldb -server ar0073e0 -aggregate ssa3
      patent.verity
         readWrite ID 0,,25 valid
         readOnly  ID 0,,26 invalid
         backup    ID 0,,27 invalid
      number of sites: 1
         server              flags aggr siteAge principal      owner
         ar0073e0.patent.ibm RW    ssa3 0:00:00 hosts/ar0073e0
      ----------------------
      Total FLDB entries that were successfully enumerated: 1

 - When the header gets out of sync with the FLDB, you can either
    1) Synchronize the header with the FLDB with fts syncserv, or
    2) Synchronize the FLDB with the header with fts syncfldb.
   When might you need to do this? If an fts move operation gets interrupted, you'll
   have crap left over on both the source aggregate and the destination aggregate.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Here are the steps when you do a fts move command, e.g.

   fts move patent.verity ar0073e0 ssa1 ar0073e0 ssa3

 1) Lock the patent.verity fileset on the source aggregate.
 2) Clone the source fileset, naming the clone patent.verity.move-temp.
 3) Create the destination fileset, naming it patent.verity.move-dest.
 4) Copy the data from the cloned source fileset, to the newly-created destination
    fileset. You can watch the copy progress by doing fts aggrinfo commands to the
    destination aggregate, watching the "free" number go down. Alternatively, you can
    do a fts statfts command and watch the "Bytes copied so far:" number go up.
 5) Delete the source fileset along with its readOnly & backup copies.
 6) Rename the new fileset on the destination volume to what it should be.
 7) Update the FLDB.

While the fileset is being copied over, you normally don't see the names of the clone
source fileset nor the destination fileset, even if you do a fts lsheader. During the
copying, fts lsheader shows those filesets as "busy" and doesn't show you a name. If
you abort the copy though (or it fails), that's when you can see the move-temp &
move-dest names with fts lsheader.
For example, this is what things looked like when I ctrl-c'd out of a

   fts move patent.pct ar0073e0 ssa0 ar0073e0 ssa3

command.

   fts lsheader -server ar0073e0 -aggregate ssa0
   Total filesets on server ar0073e0 aggregate ssa0 (id 1): 5030
   ... many lines deleted
   *** Fileset 0,,165258 is busy: copy the clone to a new location (dfs / xvl) ***
   Total filesets on-line 5029; total off-line 0; total busy 1

   fts lsheader -server ar0073e0 -aggregate ssa3
   Total filesets on server ar0073e0 aggregate ssa3 (id 6): 2
   *** Fileset 0,,165259 is busy: copy the clone to a new location (dfs / xvl) ***
   patent.verity 0,,25 RW 57743082 K alloc 57743082 K quota On-line
   Total filesets on-line 1; total off-line 0; total busy 1

After the copy stopped, the changed lines were

   patent.pct.move-temp 0,,165258 TEMP 2647838 K alloc 2647838 K quota On-line
   Total filesets on-line 5030; total off-line 0; total busy 0

and

   patent.pct.move-dest 0,,165259 RW 5248 K alloc 5248 K quota **Off-line (delete now)
   Total filesets on-line 1; total off-line 1; total busy 0

Note the move-temp is marked as On-line, but the move-dest is marked Off-line. Not
even a salvage on the destination aggregate will clean that up. It reports

   In volume patent.pct.move-dest 0,,165259 (avl #5)
   Volume is marked as inconsistent, not walked

for each orphaned move-dest fileset. What you have to do, is use

   fts zap 0,,165258 ar0073e0 ssa0

and

   fts zap 0,,165259 ar0073e0 ssa3

to get rid of them. When I looked around the Patent DFS cell for these orphaned move
filesets, I found about a dozen that needed deleting. Try this quick & dirty script,

   # List any leftover move filesets on one server's aggregate.
   function checkaggr {
      echo "Checking $1 $2 ..."
      fts lsheader -server "$1" -aggregate "$2" | grep move
      echo ''
   }
   checkaggr ar0071e0 scsi0
   checkaggr ar0071e0 scsi1
   checkaggr ar0071e0 ssa0
   ...
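
An added example, not part of the original notes: a stricter version of the grep above that reads fts lsheader output, matches only fileset names ending in .move-temp or .move-dest, and prints the matching fts zap command for review rather than running it. Nameless "is busy" lines are reported separately, since they can be a move that is still running. The function names are made up for this example, and the sample input is built from the lsheader lines quoted above.

```shell
#!/bin/sh
# orphan_zap_cmds SERVER AGGREGATE   (fts lsheader output on stdin)
# Prints one "fts zap <id> <server> <aggregate>" line per leftover fileset.
orphan_zap_cmds() {
    awk -v srv="$1" -v aggr="$2" '
    # Named entries look like:  name  id  type  N K alloc  N K quota  state
    $1 ~ /\.move-(temp|dest)$/ && $2 ~ /^[0-9]+,,[0-9]+$/ {
        print "fts zap", $2, srv, aggr
    }
    # A move that is still copying shows up only as a nameless busy line.
    /^[ \t]*\*\*\* Fileset .* is busy/ { busy++ }
    END {
        if (busy)
            print "# " busy " busy fileset(s): a move may be running, re-check before zapping"
    }'
}

# Sample input: ssa3 after the aborted move, lines taken from the text above.
sample_after_abort() {
cat <<'EOF'
Total filesets on server ar0073e0 aggregate ssa3 (id 6): 2
patent.pct.move-dest 0,,165259 RW 5248 K alloc 5248 K quota **Off-line (delete now)
patent.verity 0,,25 RW 57743082 K alloc 57743082 K quota On-line
Total filesets on-line 1; total off-line 1; total busy 0
EOF
}

sample_after_abort | orphan_zap_cmds ar0073e0 ssa3
```

On a live cell the input would be fts lsheader -server SERVER -aggregate AGGREGATE, one call per aggregate as in checkaggr.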
----------------------------------------------------------------------------------
To restart the ftserver,

   /usr/bin/bos restart -server /.:/hosts/ar0073e0 -process ftserver

For the Almaden cell, Dale has all the machine hosts defined in the CDS with the
fully-qualified I.P. name, so it's

   /usr/bin/bos restart -server /.:/hosts/almdfs4.almaden.ibm.com -process ftserver

----------------------------------------------------------------------------------
To check the status of the CDS replicas,

   sec_admin
   sec_admin> lrep -all

Look at everybody's "Last update's seqno:" field to ensure they're the same.

Another good debugging tool is to first get the list of clearinghouses via

   dcecp -c clearinghouse cat

which returns

   /.../patent.ibm.com/ar0071e0_ch
   /.../patent.ibm.com/ar0072e0_ch
   /.../patent.ibm.com/ar0073e0_ch

then for each clearinghouse, see if it responds via a

   dcecp -c clearinghouse show /.../patent.ibm.com/ar0071e0_ch

On 4-20-2000, 72 & 73 were fine, returning about 60 lines, but 71 just hung. I had to
recycle DCE, primarily the cdsclerk process.
----------------------------------------------------------------------------------
You don't fts move a replica. Instead, you fts addsite a new one, and fts rmsite the
old one.
----------------------------------------------------------------------------------
Check out /etc/dce/security/pe_site and /opt/dcelocal/etc/cfgdce.log
----------------------------------------------------------------------------------
To configure dceunixd, do

   config.dce dce_unixd

----------------------------------------------------------------------------------
Here's a short & sweet script to see the UID numbers for each userid in your DCE cell.
   #!/bin/ksh
   # For every principal in the cell, print its name and numeric uid.
   for i in $(dcecp -c princ cat | sed 's?/.../patent.ibm.com/??')
   do
      echo "Userid $i is uid # $(dcecp -c principal show "$i" | grep '{uid' | sed 's?.*{uid \([0-9]*\)}?\1?')"
   done

----------------------------------------------------------------------------------
Here's how the DFS ACL permissions, map to the UNIX permissions when you do a ls -l
command. This came from page 94 in my red cover, DFS System Admin class book.

   UNIX  | User | Group | Other |
         | rwx  |  rwx  |  rwx  |
         |------|-------|-------|
                   /|\
   DFS   user_obj   |   other_obj
                    |
                    |
         An or-ing of group (as you'd expect), but also any user, group_obj,
         any_other, as well as any foreign_[user|group|other] ACL permissions.

----------------------------------------------------------------------------------
One day Danny's machine wouldn't synch its clock with the DTS server. Turns out that
they had changed their DCE servers around and one needed to update the two *.inf
files in the /opt/dcelocal/var/dced directory, namely

   /opt/dcelocal/var/dced/cdscache.inf

and

   /opt/dcelocal/var/dced/clksynch.inf

I had to change the 9.1.24.161, which was almdce1 to 9.1.24.202, which is almdce5.
Warren was on the phone with the now-almost-worthless Support Center before he
stumbled onto these files.
----------------------------------------------------------------------------------
Some random notes from one time when I called the Support Center and they had me do
some DFS tracing.

 1) dfstrace setset fx episode/vnopsBasic -active
    dfstrace setlog cmfx 100
    dfstrace setlog xops 100
    dfstrace setlog disk 100
 2) dfs_icltrace.tcl ftserver _dfstrace _iclftserver
 3) fts move patent.smartpatents.09 ar0072e0 ssa1
    fts move patent.smartpatents.09 ar0072e0 ssa3
 4) /var/dce/dfs/adm/Ftlog
    /dce_trace
 5) anonymous ftp to transarc.com
---------------------------------------------------------
Use dfsexport to see which aggregates are being exported by this machine. But to
remove, use

   rmdfslfs -n aggregate_name

e.g.
   rmdfslfs -n dfs1a

This way, the line is removed from /var/dce/dfs/dfstab, whereas it isn't removed with

   dfsexport dfs1a -detach