IBM Books

Diagnosis Guide

Requisite function

This is a list of the software and operating system resources directly used by the remote command component of PSSP. Problems within the requisite software or resources may manifest themselves as error symptoms in remote command processing. If you perform all the diagnostic routines and error responses listed in this chapter, and still have problems with remote command processing, you should consider the following components as possible sources of the error. They are listed with the most likely candidate first, least likely candidate last.

Using AIX rsh and rcp commands

The rsh and rcp commands on the SP system depend on a number of varied configuration actions and user actions:

  1. SP System Security Services

    Principal and group names for DCE entities use the default SP chosen names. These may not be the actual names on the system if you have overridden them using the spsec_overrides file.

  2. The proper authentication methods must be installed and configured. Issue this command on the control workstation: 
    splstdata -p

    The entry "ts_auth_methods" lists the authentication methods in use.

  3. The authentication database must be configured for SP system use and have the proper identification for SP services and users. For Kerberos V5 (through DCE) or Kerberos V4, this equates to a principal name in the correct format in the database or registry.
  4. The authentication method is enabled on the source and target hosts, on the hosts themselves, and in the partition if applicable. This means that one authentication method must be in common between the source and target host pair.
  5. The SP service or user has obtained the proper tickets and credentials to pass authentication.
  6. An authorization file is present, and principal is present in the file to allow access on the target system.

The rsh and rcp commands also depend on outside services such as inetd, proper network configuration, and reliable name serving and resolution.

Therefore, the SP remote commands have a dependency on the following for the source/target hosts depending on which methods you have installed and enabled.


Table 50. Remote commands - rsh and rcp dependencies

Mechanism Required Comments
Kerberos V5 through DCE lsauthent shows Kerberos V5

lsauthpar shows Kerberos V5

.k5login authorization file

DCE clients installed only on nodes via SP Install/Config scripts.
Kerberos V4 lsauthent shows Kerberos V4

lsauthpar shows Kerberos V4

.klogin authorization file


Standard AIX lsauthent shows Standard AIX

lsauthpar shows Standard AIX

.rhosts authorization file

Not installed or configured by SP system. Authorization file created or updated and distributed if authorization method selected.

The setting of the authentication choices on the local hosts is done through SP configuration of your security selections. However, if those choices are changed via the chauthent command on one of the source/target host pairs, the remote commands may fail depending on the authentication methods in effect.

The Kerberos V4 support in the AIX remote commands is supplied through an SP system library which is called from the AIX remote commands. The library contains the "client" portion of the remote command and depends on the "server" portion as supplied by AIX. This server is named krshd.

There may be times when fixes for both the "client" side and "server" side are required. This means installing PTFs for both the SP system and AIX, to obtain a complete fix.

See Using secure remote commands instead of AIX rsh and rcp commands for a discussion on secure remote commands, and the Authorization for AIX Remote Commands option of AIX.

[ Top of Page | Previous Page | Next Page | Table of Contents | Index ]