OSF DCE Administration Guide--Core Components

Chapter 33. Administering a Multicell Environment
Previous chapters in this guide described the DCE administration tasks that are
performed within individual cells. The administration of a multicell environment, which
is one in which principals from foreign cells access objects in the local cell, has
additional tasks and considerations that arise from the interaction of principals across
different cells.
In fact, you can have two types of system administrators: one for local cell administration and one for intercell administration of the multicell environment. If you set up groups for the two types of administrators, you can set the ACL for the krbtgt directory, which contains cell principals, in the registry database to allow updating only by the group of intercell administrators. Be sure, however, to allow all other users read access to the krbtgt directory; otherwise, intercell access will be denied to those users. Note that if you protect the krbtgt directory in this way, you must ensure that all directories below the krbtgt directory also have the proper ACLs. The easiest way to accomplish this is to change the Object ACL and the Initial Creation ACLs on the krbtgt directory after the registry is created.
This chapter describes the trust relationships between cells that allow principals from
foreign cells access to objects in your cell and vice versa.
33.1 Trust Relationships
Note: The DCE Version 1.1 code does not provide support for the transitive trust relationships discussed in this section.
To give explicit permission for principals in another cell to engage in authenticated access to objects in your cell, you must establish a trust relationship with that cell. You do this using the dcecp registry connect command to create two special accounts: one in your cell's registry to represent the foreign cell and one in the foreign cell's registry to represent your cell. Establishing these accounts indicates that you trust the foreign cell's authentication service to correctly authenticate foreign users, and, therefore, you consider all users from that cell to be authenticated if they are marked as authenticated by the foreign cell's authentication service.
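As an added illustration (not code from this guide or from DCE itself), the following Python model represents the pair of cell accounts that registry connect creates in the two registries, the ACL on the krbtgt directory described at the start of this chapter, and the absence of transitive trust noted above; the cell names, the group names intercell_admin and any_other, and all function names are assumptions made for the model.

```python
# Illustrative model of DCE multicell trust (constructed example, not DCE code).
# Each cell's registry holds a krbtgt directory whose entries are the cell
# principals that "registry connect" creates, protected by an ACL.

class Registry:
    """Minimal model of one cell's registry database (hypothetical)."""

    def __init__(self, cell):
        self.cell = cell
        self.krbtgt = set()  # cell principals, named krbtgt/<foreign cell>
        # ACL on the krbtgt directory: group -> permission letters.
        # Recommended setting: everyone can read, only intercell admins can write.
        self.krbtgt_acl = {"intercell_admin": "rw", "any_other": "r"}

    def permits(self, groups, perm):
        return any(perm in self.krbtgt_acl.get(g, "") for g in groups)


def registry_connect(local, foreign, admin_groups):
    """Model of 'dcecp registry connect': add the pair of cell accounts.

    Adding entries to the krbtgt directory needs write permission in both registries.
    """
    if not (local.permits(admin_groups, "w") and foreign.permits(admin_groups, "w")):
        return False
    local.krbtgt.add(f"krbtgt/{foreign.cell}")
    foreign.krbtgt.add(f"krbtgt/{local.cell}")
    return True


def intercell_access(local, registries, foreign_cell, user_groups):
    """Does `local` accept a user marked authenticated by `foreign_cell`?

    Direct trust only: each registry must hold the other's cell principal
    (DCE 1.1 has no transitive trust), and the user must be able to read
    the local krbtgt directory, as the chapter warns.
    """
    foreign = registries.get(foreign_cell)
    if foreign is None:
        return False
    mutual = (f"krbtgt/{foreign_cell}" in local.krbtgt
              and f"krbtgt/{local.cell}" in foreign.krbtgt)
    return mutual and local.permits(user_groups, "r")


def demo():
    """Constructed scenario: A<->B and B<->C are connected; A and C are not."""
    regs = {c: Registry(c) for c in ("A", "B", "C")}
    registry_connect(regs["A"], regs["B"], ["intercell_admin"])
    registry_connect(regs["B"], regs["C"], ["intercell_admin"])
    return {"A_trusts_B": intercell_access(regs["A"], regs, "B", ["any_other"]),
            "A_trusts_C": intercell_access(regs["A"], regs, "C", ["any_other"])}
```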
124243 Tandem Computers Incorporated 331