OSF DCE Administration Guide--Core Components
2. The authentication service does the following:
a. Receives the login request
b. Obtains the registry’s copy of the principal’s authentication key
c. Attempts to decrypt the login request with this key
If the decryption succeeds, the keys are the same; the principal is therefore authenticated
and the login is successful.
If the decryption fails, then the password supplied by the principal and used by the
security client to derive its version of the principal’s authentication key is invalid (that is,
different from the password used to derive the registry’s copy of the principal’s
authentication key), and login is denied.
This is a very general introductory description; see the for a detailed discussion of
principal authentication.
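The check in step 2 rests on one property: the registry never sees the password, only a key derived from it, and a login request sealed under the client's copy of that key only unseals under the registry's copy when both were derived from the same password. The following is an added example that models that exchange; it is not DCE code, and the key derivation (PBKDF2-HMAC-SHA256 salted with the principal name), the HMAC-based sealing and the account data are all constructed stand-ins chosen so the example runs offline:

```python
"""Added example: the password-derived-key check behind step 2 of the login
sequence. Simplified model for illustration, not DCE's own code or its
password-to-key transform."""
import hashlib
import hmac
import json
import os
import time
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_auth_key(principal: str, password: str) -> bytes:
    """Password -> authentication key. The security client runs this on the
    typed password; the registry ran it once when the account was created.
    Assumption: PBKDF2-HMAC-SHA256 salted with the principal name stands in
    for the real DCE transform."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(),
                               10_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream (toy cipher used only for this example)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the caller's key: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match: this is the
    'decryption fails' branch of the text."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# --- registry side --------------------------------------------------------
def create_registry(accounts: Dict[str, str]) -> Dict[str, bytes]:
    """The registry keeps only the derived key per principal, never the
    password. 'accounts' is constructed sample data."""
    return {p: derive_auth_key(p, pw) for p, pw in accounts.items()}


# --- security client side (step 1 of the login sequence) ------------------
def build_login_request(principal: str, password: str) -> Tuple[str, bytes]:
    """Derive the key from the typed password and seal the request under it."""
    key = derive_auth_key(principal, password)
    body = json.dumps({"principal": principal, "timestamp": int(time.time())}).encode()
    return principal, seal(key, body)


# --- authentication service side (step 2) ---------------------------------
def authenticate(registry: Dict[str, bytes], request: Tuple[str, bytes]) -> bool:
    principal, blob = request                     # a. receive the login request
    registry_key = registry.get(principal)        # b. registry's copy of the key
    if registry_key is None:
        return False                              # unknown principal: deny
    body = unseal(registry_key, blob)             # c. attempt to decrypt
    if body is None:
        return False                              # keys differ: password invalid, deny
    claimed = json.loads(body.decode())
    return claimed.get("principal") == principal  # keys match: authenticated


if __name__ == "__main__":
    registry = create_registry({"alice": "correct horse battery"})  # constructed
    print(authenticate(registry, build_login_request("alice", "correct horse battery")))
    print(authenticate(registry, build_login_request("alice", "wrong password")))
```

The design point worth noticing is where the failure surfaces: the service never compares passwords or keys directly, it only learns whether the sealed request opens under the registry's key, which is why a wrong password and an unknown principal both end in a plain denial.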
31.4.1 Privilege Attributes
After a principal is authenticated, the DCE Security Service helps obtain the principal’s
privilege attributes. Privilege attributes consist of UUIDs that represent the principal’s
network identity, the groups in which the principal is a member, and any extended
attributes associated with the principal. They are used when principals request access to
objects to determine their rights to those objects. Privilege attributes that are provided by
the DCE Security Service are authenticated. Authenticated privileges are accepted by
network services. Unauthenticated privilege attributes may not be accepted. This means
that the kinds of access to DCE objects that principals are allowed can differ, depending
on whether or not a principal’s privilege attributes are authenticated. (DCE ACLs, which
are used to control access to DCE objects based on a principal’s privilege attributes, are
described in Chapter 28.)
31.4.2 Ticket-Granting Tickets and Tickets to Services
A ticket-granting ticket allows a principal to request and receive tickets to DCE services
(for example, a ticket to a Distributed File System server in order to read a file). The
tickets that let principals access DCE services are called service tickets.
Both ticket-granting tickets and service tickets have lifetimes that are determined by the
settings for individual accounts and registry policies and properties. When a principal’s
ticket-granting ticket expires, the principal is no longer considered an authenticated user.
An unauthenticated principal’s access to objects other than those on the local machine is
severely curtailed, and the principal’s ability to use DCE services becomes extremely
limited. To remedy this, the principal must reauthenticate by running the kinit command
(see the kinit(8sec) reference page) or by logging out and logging in again to DCE.
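The two preceding sections fit together: privilege attributes are accepted as authenticated only while the principal holds an unexpired ticket-granting ticket, and once it expires the same UUIDs earn far less from an ACL until the principal reauthenticates. The following added example models that dependency; it is not DCE code, the ACL evaluation is a deliberately simplified stand-in for the algorithm described in Chapter 28, and the UUIDs, lifetimes and ACL entries are constructed values:

```python
"""Added example: how ticket-granting-ticket expiry changes whether a
principal's privilege attributes count as authenticated, and what an ACL
then grants. Simplified model for illustration, not DCE's data structures."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional
import uuid


@dataclass(frozen=True)
class TicketGrantingTicket:
    principal_uuid: uuid.UUID
    issued_at: int   # seconds (constructed clock values in the usage below)
    lifetime: int    # seconds, as set by account and registry policy

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


@dataclass(frozen=True)
class PrivilegeAttributes:
    principal_uuid: uuid.UUID
    group_uuids: FrozenSet[uuid.UUID]
    authenticated: bool   # True only while backed by a valid TGT


@dataclass(frozen=True)
class AclEntry:
    kind: str                  # "user", "group" or "unauthenticated" (assumed subset)
    key: Optional[uuid.UUID]   # principal or group UUID; None for "unauthenticated"
    perms: FrozenSet[str]


def kinit(principal_uuid: uuid.UUID, now: int, lifetime: int) -> TicketGrantingTicket:
    """Reauthenticate: models running kinit or logging in to DCE again."""
    return TicketGrantingTicket(principal_uuid, now, lifetime)


def privilege_attributes(principal_uuid: uuid.UUID, groups: Iterable[uuid.UUID],
                         tgt: Optional[TicketGrantingTicket], now: int) -> PrivilegeAttributes:
    """The attributes a principal can present. They are authenticated only if
    a TGT for this principal exists and has not expired."""
    authenticated = (tgt is not None and tgt.principal_uuid == principal_uuid
                     and tgt.valid_at(now))
    return PrivilegeAttributes(principal_uuid, frozenset(groups), authenticated)


def permitted(acl: List[AclEntry], pa: PrivilegeAttributes) -> FrozenSet[str]:
    """Rights the ACL grants to the holder of these privilege attributes.
    Assumed simplified rule: authenticated principals receive the union of
    their matching user/group entries; unauthenticated principals receive
    that union masked by the 'unauthenticated' entry (nothing if absent)."""
    matched, mask = set(), set()
    for entry in acl:
        if entry.kind == "user" and entry.key == pa.principal_uuid:
            matched |= entry.perms
        elif entry.kind == "group" and entry.key in pa.group_uuids:
            matched |= entry.perms
        elif entry.kind == "unauthenticated":
            mask |= entry.perms
    if pa.authenticated:
        return frozenset(matched)
    return frozenset(matched & mask)


def access_rights(principal_uuid: uuid.UUID, groups: Iterable[uuid.UUID],
                  tgt: Optional[TicketGrantingTicket], acl: List[AclEntry],
                  now: int) -> FrozenSet[str]:
    return permitted(acl, privilege_attributes(principal_uuid, groups, tgt, now))


if __name__ == "__main__":
    ALICE, STAFF = uuid.UUID(int=1), uuid.UUID(int=2)   # constructed UUIDs
    acl = [AclEntry("user", ALICE, frozenset({"r", "w"})),
           AclEntry("group", STAFF, frozenset({"r"})),
           AclEntry("unauthenticated", None, frozenset({"r"}))]
    tgt = kinit(ALICE, now=1000, lifetime=600)
    print(sorted(access_rights(ALICE, [STAFF], tgt, acl, now=1200)))   # within lifetime
    print(sorted(access_rights(ALICE, [STAFF], tgt, acl, now=1700)))   # TGT expired
    print(sorted(access_rights(ALICE, [STAFF], kinit(ALICE, 1700, 600), acl, now=1750)))
```

The check a practitioner wants from this model is that expiry is evaluated at access time, not at ticket issue: the same privilege attributes yield the full right set at one instant and only the masked set a moment later, and nothing short of a fresh ticket-granting ticket restores them.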
If you flag an account as able to renew service tickets, the principal’s service tickets are
renewed automatically by the authentication service, requiring no action on the
31 − 4 Tandem Computers Incorporated 124243