=====================================================
README ADDENDA FOR DCE 3.1 FOR SOLARIS

(C) COPYRIGHT International Business Machines Corp. 1999
All Rights Reserved
Licensed Materials - Property of IBM
US Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.

This file contains additional changes and updates to the README file
shipped with Distributed Computing Environment (DCE) Version 3.1 for
Solaris.
=====================================================

Contents

A.1 Installation, Uninstallation, Migration, and Configuration
    A.1.1  File System Full During Migration
    A.1.2  Add System Settings for Semaphores
    A.1.3  DCE WebSecure and "dceback" or "uninstall"
    A.1.4  After "dcesetup upgrade_uninstall" Web Servers Fail to Start
    A.1.5  Pluggable Authentication Module (PAM) Migration
    A.1.6  Port 135 in Use During Migration or Installation
    A.1.7  Backup of DCE 1.1 Before Migration
    A.1.8  Installing in a Non-English Locale
    A.1.9  "dcecp -c show cell" in Mixed DCE Environment
    A.1.10 Maximum Cellname Limitation
    A.1.11 100 Character PATH Limit Restriction Using DCEBACK
    A.1.12 Problem Configuring an idms Server on a Newly Configured Machine

A.2 Security
    A.2.1  Setting "maxtktrenew" and "maxtktlife" Attributes
    A.2.2  Intercell and Password Strength Server
    A.2.3  Password Strength Server "mindiff", "histexpire", and "histsize" Rules
    A.2.4  New DCE Audit Actions with the Event Management Service
    A.2.5  Enhanced Password Strength Server Command Line Options

=====================================================
A.1 Installation, Uninstallation, Migration, and Configuration
=====================================================

A.1.1 File System Full During Migration

Before migrating to DCE 3.1 and installing Solaris 7, it is advisable to
back up your system and remove any unneeded files.
=====================================================
A.1.2 Add System Settings for Semaphores

When trying to start DCE you might see the following error message:

    No space left on device.

This message indicates that no semaphore resources are available for the
requested operation. To add semaphore resources, set the following Solaris
kernel parameters in the /etc/system file:

    set semsys:seminfo_semmns=100
    set semsys:seminfo_semmnu=50
    set semsys:seminfo_semmsl=50

It is recommended that these settings are in place on your system before
you start DCE.

=====================================================
A.1.3 DCE WebSecure and "dceback" or "uninstall"

If you have DCE WebSecure Netscape servers configured, you must first
unconfigure (rmdceweb) each DCE WebSecure Netscape server before doing any
of the following:

* uninstall
  Running "rmdceweb" for each DCE WebSecure Netscape server before running
  "dcesetup uninstall -all" ensures that no stale DCE WebSecure
  configuration data is left in the Netscape server configuration files.

* dceback
  Running "rmdceweb" for each DCE WebSecure Netscape server before running
  "dceback dumpmisc", when the Netscape server configuration will change
  before "dceback restoremisc" is run, ensures that the DCE WebSecure
  configuration data restored to the machine will be valid. This is
  necessary because part of the DCE WebSecure configuration information is
  kept in the Netscape configuration files and cannot be backed up with
  dceback. You will run into this situation if you reinstall your Netscape
  servers after running "dceback dumpmisc".

* upgrade_uninstall
  Because "dcesetup upgrade_uninstall" runs dceback, the same conditions
  as for dceback in the previous item apply to upgrade_uninstall. If you
  ran "dceback dumpmisc" and configured new DCE WebSecure servers before
  running "dceback restoremisc", you must unconfigure the added DCE
  WebSecure servers before running "dceback restoremisc".
  If you do not perform this unconfigure, the DCE WebSecure configuration
  for these servers will be lost and you will not be able to remove the
  DCE WebSecure entries in your Netscape servers' obj.conf file with
  "rmdceweb".

=====================================================
A.1.4 After "dcesetup upgrade_uninstall" Web Servers Fail to Start

If dceweb servers were configured when "dcesetup upgrade_uninstall" was
performed, the Netscape servers that dceweb had configured cannot be
started until "dcesetup upgrade_install" is performed. If you attempt to
start one of these Netscape servers, the dceweb programs referenced in the
server's obj.conf file will not be present and the server will not start.

=====================================================
A.1.5 Pluggable Authentication Module (PAM) Migration

If the Pluggable Authentication Module (PAM) is configured to use the DCE
provided libraries, you must modify the /etc/pam.conf file to remove any
references to the DCE libraries before rebooting the system during the
migration process. The "dcesetup upgrade_uninstall" command removes the
DCE libraries referenced in /etc/pam.conf. Without these modifications you
will not be able to log in to the system after a reboot, because PAM will
attempt to locate the DCE libraries that were removed during the upgrade
uninstall.

If you wish to use PAM after migration, make a backup copy of /etc/pam.conf
before removing the references to the DCE libraries, then restore it after
completing the "dcesetup upgrade_install" process.

Below is an example of the default /etc/pam.conf file configured on
Solaris 7, which references only the UNIX libraries.
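The following script is an added example and is not part of the IBM README or of DCE: run it before the reboot in the PAM step above to confirm that every module path /etc/pam.conf still references exists on disk, and to back up and strip only the dangling entries. The DCE module path used in the demo (pam_dce.so.1 under a temporary directory) is a constructed placeholder, not a real DCE file name.

```shell
#!/bin/sh
# Added example, not from the IBM README or from DCE itself: a pre-reboot
# check for the PAM migration step. Every module path that pam.conf still
# references must exist on disk, otherwise the reboot after
# "dcesetup upgrade_uninstall" locks everyone out of the system.
# Solaris pam.conf entry: service  module_type  control_flag  module_path  [options]
# The "pam_dce.so.1" path in the demo is a constructed placeholder.

# Print the module path (field 4) of every active pam.conf entry.
pam_module_paths() {
    sed -e 's/#.*//' "$1" | awk 'NF >= 4 { print $4 }'
}

# List the referenced module paths that do not exist on this system.
pam_dangling_modules() {
    pam_module_paths "$1" | sort -u | while IFS= read -r mod; do
        [ -f "$mod" ] || echo "$mod"
    done
}

# Return 0 when every referenced module exists, 1 (with a report) otherwise.
pam_check_modules() {
    dangling=$(pam_dangling_modules "$1")
    [ -z "$dangling" ] && return 0
    echo "$1 references missing PAM modules; fix before rebooting:" >&2
    echo "$dangling" >&2
    return 1
}

# Keep a backup copy (to restore after "dcesetup upgrade_install") and drop
# only those entries whose module file is missing; comments are kept.
pam_strip_dangling() {
    cp "$1" "$1.bak" || return 1
    awk '/^[[:space:]]*#/ || NF < 4 { print; next }
         system("test -f \"" $4 "\"") == 0 { print }' "$1.bak" > "$1"
}

# Demo on a constructed pam.conf: one present module, one missing one.
demo() {
    d=$(mktemp -d)
    touch "$d/pam_unix.so.1"
    printf 'login\tauth\trequired\t%s/pam_unix.so.1\n' "$d" > "$d/pam.conf"
    printf 'login\tauth\tsufficient\t%s/pam_dce.so.1\n' "$d" >> "$d/pam.conf"
    if pam_check_modules "$d/pam.conf"; then echo "pam.conf is clean"
    else pam_strip_dangling "$d/pam.conf" && echo "dangling entries removed"; fi
    rm -rf "$d"
}
demo
```

On a live system run `pam_check_modules /etc/pam.conf` as root before rebooting; a zero exit status means no entry points at a module that the uninstall removed.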
    #
    # PAM configuration
    #
    # Authentication management
    #
    login    auth required      /usr/lib/security/pam_unix.so.1
    login    auth required      /usr/lib/security/pam_dial_auth.so.1
    #
    rlogin   auth sufficient    /usr/lib/security/pam_rhosts_auth.so.1
    rlogin   auth required      /usr/lib/security/pam_unix.so.1
    #
    dtlogin  auth required      /usr/lib/security/pam_unix.so.1
    #
    rsh      auth required      /usr/lib/security/pam_rhosts_auth.so.1
    other    auth required      /usr/lib/security/pam_unix.so.1
    #
    # Account management
    #
    login    account required   /usr/lib/security/pam_unix.so.1
    dtlogin  account required   /usr/lib/security/pam_unix.so.1
    #
    other    account required   /usr/lib/security/pam_unix.so.1
    #
    # Session management
    #
    other    session required   /usr/lib/security/pam_unix.so.1
    #
    # Password management
    #
    other    password required  /usr/lib/security/pam_unix.so.1

If you forget to remove the DCE library references in /etc/pam.conf and
reboot the system, you will not be able to log in to the system with the
default login. In this case you may reboot the system in single-user mode.
Save a backup copy of /etc/pam.conf. Remove the references to the DCE
libraries from /etc/pam.conf. Reboot again in normal mode. Log in to
complete the rest of the migration. Then restore the backup copy of
/etc/pam.conf to enable the PAM function again.

=====================================================
A.1.6 Port 135 in Use During Migration or Installation

If during migration or installation you encounter an error indicating that
DCED cannot start because port 135 is already in use, the cause might be a
License Manager that is already using the port. The solution is to kill
the License Manager and restart it after DCE has been migrated.

=====================================================
A.1.7 Backup of DCE 1.1 Before Migration

DCE 1.1 upgrade_uninstall does not accept the -backdir option, so some
manual steps must be done to back up your current DCE files before
migration.
These backup steps are not required when migrating DCE 2.0, which accepts
the -backdir option.

The files must be backed up to a directory of your choice, such as
/backup. This is a precautionary step so you can recover the files in case
of a failure during uninstall. The file names dceback.cds, dceback.misc,
and dceback.security must be used as shown below.

    dceback dumpcds -host local -destfile /backup/dceback.cds
    dceback dumpmisc -host local -destfile /backup/dceback.misc
    dceback dumpsecurity -host local -destfile /backup/dceback.security

Use the following command to stop DCE, back up DCE data, and uninstall the
old DCE product:

    dcesetup upgrade_uninstall

The above command makes some changes to files previously backed up,
including a list of which files to reinstall. In order to pick up these
changes, you must repeat the dceback commands, but use a different
directory of your choice, such as newback.

Note: If you just installed and configured a DCE client, and will be
installing from the DCE Version 3.1 for Solaris, Base Services CD, make
sure that you edit the /opt/dcelocal/etc/setup_state file before running
the dceback commands for the second time. After "dcesetup
upgrade_uninstall" is run, the setup_state file lists all components in
the "reinstall_components" entry. Remove "cds" and "sec" from this entry,
then run the dceback commands. The CDS and Security packages are not
included on the Base Services CD, and "dcesetup upgrade_install" will fail
if it tries to install packages that cannot be found on the CD.

    dceback dumpcds -host local -destfile /newback/dceback.cds
    dceback dumpmisc -host local -destfile /newback/dceback.misc
    dceback dumpsecurity -host local -destfile /newback/dceback.security

When you use the dcesetup upgrade_install command to reinstall DCE after
upgrading the operating system, you will need to specify the second
directory (newback).
=====================================================
A.1.8 Installing in a Non-English Locale

When installing or uninstalling on Solaris 7, the language environment
variables are ignored by pkgadd and pkgrm. This means that all messages
displayed during the installation or uninstallation will be in English,
even if the package that you are installing is NLS enabled. SUN is working
on a fix for this. At this time, it is not known when a fix will be
available. This problem only involves the pkg* programs. It does not
affect the functioning of DCE.

=====================================================
A.1.9 "dcecp -c show cell" in Mixed DCE Environment

In a mixed DCE environment (for example, cds servers at Transarc DCE 1.1
and Transarc DCE 2.0), a DCE 3.1 client issuing "dcecp -c show cell" to a
DCE 1.1 server will receive only the IP address. To receive the
fully-qualified IP address, the DCE client and server must be at the same
DCE level.

=====================================================
A.1.10 Maximum Cellname Limitation

The maximum cellname that can be used when configuring a DCE cell is
calculated from the maximum filename size of 255. The largest filename
created by DCE is #_ch.checkpoint<10 digit number>. Due to this
limitation, the cellname size will be calculated as (229 - ). This limit
is enforced when the Security Master server or an Initial or Additional
CDS Server is configured. The maximum cellname size of 255 is enforced
when configuring a client, or any other servers, into an existing cell.

=====================================================
A.1.11 100 Character PATH Limit Restriction Using DCEBACK

"dceback" limits the fully-qualified path to 100 characters. This is a
known problem in Transarc DCE 1.1 and DCE 2.0 and is being addressed. To
obtain the fix, contact Transarc support and ask for the patch to fix
defect number 24778.
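The following wrapper is an added example, not part of the IBM README or of dceback: it runs the A.1.7 dump sequence with the three mandated file names and refuses any fully-qualified -destfile path that exceeds the 100-character dceback limit from A.1.11 before anything is dumped. It assumes that paths longer than 100 characters are the ones dceback rejects (the exact boundary is not documented), and the stub_dceback function is a constructed stand-in so the demo runs without DCE installed.

```shell
#!/bin/sh
# Added example, not from the IBM README or from dceback itself. Wraps the
# dceback dump sequence of A.1.7 so the mandated file names are always
# used, and checks each fully-qualified -destfile path against the
# 100-character dceback limit of A.1.11 before anything is dumped.
# Assumption: paths longer than 100 characters are the ones rejected.
# DCEBACK can be pointed at a stub for dry runs; the real binary is dceback.
DCEBACK=${DCEBACK:-dceback}
DCEBACK_MAX_PATH=100

# Return 0 if the path is absolute and within the dceback path limit.
dceback_destfile_ok() {
    case $1 in
        /*) ;;
        *)  echo "not fully qualified: $1" >&2; return 1 ;;
    esac
    [ ${#1} -le $DCEBACK_MAX_PATH ] && return 0
    echo "too long for dceback (${#1} > $DCEBACK_MAX_PATH chars): $1" >&2
    return 1
}

# Dump CDS, misc and security data into DIR using the required names.
# All three destinations are validated first, so a rejected path cannot
# leave a partial backup set behind.
dce_backup_set() {
    dir=$1
    for f in dceback.cds dceback.misc dceback.security; do
        dceback_destfile_ok "$dir/$f" || return 1
    done
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    "$DCEBACK" dumpcds      -host local -destfile "$dir/dceback.cds"      &&
    "$DCEBACK" dumpmisc     -host local -destfile "$dir/dceback.misc"     &&
    "$DCEBACK" dumpsecurity -host local -destfile "$dir/dceback.security"
}

# Constructed stand-in for dceback used by the demo: it only creates the
# file named by -destfile (argument 5).
stub_dceback() { : > "$5"; }

demo() {
    d=$(mktemp -d)
    DCEBACK=stub_dceback
    dce_backup_set "$d/backup" && ls "$d/backup"
    # A 121-character constructed path is refused before dceback is run.
    dceback_destfile_ok "$(printf '/%0120d' 0)" || echo "rejected as expected"
    rm -rf "$d"
}
demo
```

For the real procedure call `dce_backup_set /backup` before "dcesetup upgrade_uninstall" and `dce_backup_set /newback` after it, with DCEBACK left unset so the installed dceback is used.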
=====================================================
A.1.12 Problem Configuring an idms Server on a Newly Configured Machine

Occasionally the configuration of an idms server fails to create an idmsd
keytab. The keytable entry cannot be created until dced has completed its
initialization. One of the following can be done:

* After configuring rpc, sec_cl, sec_srv (or sec_rep), and cds_cl, wait a
  few minutes before configuring idms. (You should only need to wait 1-5
  minutes.)

* Edit /opt/dcelocal/etc/usrstime.tcl and modify the time that config.dce
  will wait for the keytable create to complete successfully. Change the
  value of wait_for_keytab_to_work from 90 to some larger amount of time
  in seconds.

* If config.dce fails during the configuration of idms, run "unconfig.dce
  idms", wait a few moments, and rerun the "config.dce idms" command. (You
  should only need to wait 1-5 minutes.)

=====================================================
A.2 Security
=====================================================

A.2.1 Setting "maxtktrenew" and "maxtktlife" Attributes

When you use the dcecp "account modify" command to set the value of the
"maxtktrenew" or "maxtktlife" attribute of a user's account, you may
receive the error "msgID=0x17122084 Invalid data record". This may occur
if you are setting either of these two account attributes for the first
time, even when you specify valid values for them. To set the
"maxtktrenew" or "maxtktlife" attribute on an account for the first time,
you must specify both attributes on the dcecp "account modify" command.
Once both attributes have been set for the account, you can then use dcecp
to modify either of them individually.

=====================================================
A.2.2 Intercell and Password Strength Server

To use intercell and password generation, the full canonical binding and
the foreign cell name need to be specified in the pwd_mgmt_binding ERA for
users with a pwd_val_type ERA of 2 or 3.
For example, in the local cell you can specify:

    dcecp -c principal modify -add {pwd_mgmt_binding {{ dce /...//pwd_strengthd pktprivacy secret name} /...//subsys/dce/pwd_mgmt/pwd_strengthd}}

This command directs password generation requests to the foreign cell
instead of the default local cell whenever password generation is
requested. For more information on intercell connections or Password
Strength Server requirements, consult the IBM DCE 3.1 for AIX and Solaris:
Administration Guide - Core Components.

=====================================================
A.2.3 Password Strength Server "mindiff", "histexpire", and "histsize" Rules

The "mindiff", "histexpire", and "histsize" rules compare the new password
against the current password, and they require that at least one password
change through the password strength server has already occurred before
they can succeed. The checking routines retrieve the current password from
the password strength history database. If the current password was not
changed using the password strength server, it does not exist in the
history database. In this case, the new password will be compared to a
blank password and the operation may not be successful.

=====================================================
A.2.4 New DCE Audit Actions with the Event Management Service

When modifying and creating audit filters for the audit service, a new
action, "ems", can be specified in filter guides. If "ems" is specified as
an action in a filter guide, the audit event will be sent to the event
management service. The "all" action in a filter guide now includes the
new "ems" action, in addition to the "log" and "alarm" actions. If you
created audit filters in previous releases of DCE and specified the "all"
action, then when you migrate to DCE 3.1 that action will include only the
"log" and "alarm" actions, but not "ems".
When creating or modifying audit filters you should not specify the "ems"
action in filter guides that include audit events for any of the DCE core
services (for example, security or cds). This could cause the DCE core
services to hang if you use audit filtering.

=====================================================
A.2.5 Enhanced Password Strength Server Command Line Options

This version of DCE provides a new enhanced Password Strength Server.
Several command line options that were available on the Password Strength
Server in previous DCE versions are now obsolete. These options are:

    +/-all_spaces
    +/-alpha_num
    -min_len

Although these options continue to work on the enhanced server for
compatibility purposes, you should avoid using them. Instead, the enhanced
server can read similar password rules from the registry and use them to
check user passwords. This can be done by setting registry-wide or
organization-specific password policies, using the dcecp commands
"registry modify" and "organization modify". To set the password minimum
length you should set the "minlen" value in the IBM_pwd_comp_rules ERA.
For more information and examples on how to set password rules for users
with the enhanced Password Strength Server, consult the IBM DCE 3.1 for AIX
and Solaris: Administration Guide - Core Components documentation.
=====================================================