ITEM: E3835L

Six questions on DCE:




Question:

1) What is the organization field used for in the add accounts section?  
2) What is the LAN profile used for?  
3) How do we find out the privileges of a principal or a group?  
4) How do I add privileges to a group?  
5) What are the hierarchical relationships of the predefined groups?  
6) Is there a program to test DCE security?


Response:

1. The organization field is used to group accounts together to set DCE 
policies. These policies can be set on the registry as a whole or on an
organization. These policies include account lifetime, password lifetime, 
minimum password length, whether account passwords must contain all 
letters, and if the account passwords can contain spaces.

2. The LAN profile is used by DTS time servers. All systems configured as DTS
time servers will place an entry in their /.:/lan-profile.

3-4. The privileges of a principal are based on its UUID and the UUIDs 
of the groups it belongs to. All of these UUIDs are contained in a 
principal's Privilege Attribute Certificate (PAC). A principal's PAC 
is compared against the Access Control List of an object in DCE 
(like a DFS file, or a CDS Directory). So, the privilege of a principal 
or group is controlled by the ACL on the DCE object that is accessed.

5. Some of the predefined groups (those similar to UNIX default groups) 
have no real meaning in DCE. They are there for centralizing account and 
group information in a network. These will become more important when DCE
is integrated into the AIX login process. The "-admin" groups in DCE 
have administrative permission on the respective DCE components. By default,
the DCE principal "cell_admin" is a member of all these groups. If you 
have a large DCE cell with different people as administrators for the 
Security Server, the CDS Server(s), the DFS Server(s), and/or DTS Servers,
you may want to add other principals to the specific groups. The 
"-servers" style groups will contain all the DCE principals that the 
respective servers authenticate as. They will also have administrative 
type access.

6. There are a few DCE example programs located in /usr/lpp/dce/examples 
that utilize the DCE security server. The bank, timop, and type_mgr programs 
are good examples. README files and makefiles are provided to help run the 
programs.  
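
The PAC-versus-ACL comparison described in answer 3-4, as an added example (not IBM's code and not part of the original item). It models only user, group and any_other ACL entries; the class names, the constructed UUIDs and the precedence rule (a matching user entry first, then the union of matching group entries, then any_other) are assumptions that go beyond what the answer states.

```python
# Added example: model of a DCE authorization decision (PAC compared to an ACL).
# Not modelled: mask_obj, user_obj/group_obj/other_obj and foreign-cell entries.
import uuid
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PAC:
    """Privilege Attribute Certificate: the caller's identity, by UUID."""
    principal: uuid.UUID
    groups: frozenset          # UUIDs of the groups the principal belongs to

@dataclass
class ACL:
    """ACL of one DCE object; each permission string such as 'rw' is held as a set."""
    users: dict = field(default_factory=dict)    # principal UUID -> permissions
    groups: dict = field(default_factory=dict)   # group UUID -> permissions
    any_other: set = field(default_factory=set)

    def effective(self, pac):
        # 1. An entry naming the principal is the most specific match and wins.
        if pac.principal in self.users:
            return set(self.users[pac.principal])
        # 2. Otherwise take the union of every group entry whose UUID is in the PAC.
        matched = [self.groups[g] for g in pac.groups if g in self.groups]
        if matched:
            return set().union(*matched)
        # 3. No user or group entry matched: fall back to any_other.
        return set(self.any_other)

    def allows(self, pac, wanted):
        return set(wanted) <= self.effective(pac)

def demo():
    # Constructed UUIDs standing in for registry entries (hypothetical values).
    alice, ops, dev = uuid.uuid4(), uuid.uuid4(), uuid.uuid4()
    pac = PAC(alice, frozenset({ops, dev}))
    acl = ACL(groups={ops: set("r")})
    before = acl.allows(pac, "rw")
    # "Adding privileges to a group" means adding or changing the group's
    # entry in the ACL of the object being protected.
    acl.groups[dev] = set("w")
    after = acl.allows(pac, "rw")
    return before, after

if __name__ == "__main__":
    print(demo())
```
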


Support Line: Six questions on DCE: ITEM: E3835L
Dated: April 1994 Category: N/A
This HTML file was generated 99/06/24~13:30:54