
DCE Security Service Administration

There are two types of DCE Security administration: local and cell-wide. The administrator of a DCE machine controls the local passwd_override file. This file determines some security aspects that are specific to the local machine, such as which principals may use the machine, the password for a local account (such as root), and so forth. The local security administrator also controls the local file that contains user and password information, if it exists. (This file may contain a copy of information from the security database, to be used if the security server cannot be reached or by existing applications that expect such a local file.) If the machine runs DCE servers that use the audit service (application servers, the DTS server, or the security server), the local security administrator also manages the audit daemon (auditd).

The cell-wide security administrator manages the cell's security server(s). This includes managing the secd process, which provides security services on the security server machine, creating and editing the security database using dcecp, and controlling replication of security data. The cell-wide security administrator can also carry out remote administration of the audit daemons running on hosts in the cell, and is responsible for administering audit service event numbers and event class numbers to ensure that unique numbers are issued.

The cell-wide security administrator is also involved in cross-cell authentication. It is possible for clients in one cell to communicate securely with servers in another cell. In order for this to happen, the security administrators in the two cells must register each other's authentication service in their registry. This enables clients in one cell to authenticate to servers in another cell. In this way, it is possible for authorized clients in one cell to access services in a foreign cell.