
Managing the Security Service

The Security Service management tasks include the following:

· Creating and maintaining accounts by using the dcecp program

The dcecp program provides commands for creating and maintaining registry information, including persons, groups of users, and accounts.

Keep the following things in mind when administering DCE accounts:

- If you share files with other systems that do not use the registry, be sure that names, UNIX IDs, and account information are consistent between the registry and the foreign password and group files. Use passwd_import to identify and resolve any conflicts that exist. The OSF DCE Administration Guide - Core Components describes how passwd_import works.

- If you maintain /etc/passwd and /etc/group files in standard UNIX format, you need to run passwd_export to make password, group, and organization files on local machines consistent with the registry. See the OSF DCE Administration Guide - Core Components for more information about the passwd_export command.

- For principals in other cells to access objects in your cell, you need to set up a special account for the foreign cell in your cell's registry. This account indicates that you trust the Authentication Service in the foreign cell to correctly authenticate its users. Use the dcecp program's registry connect command to create an account for a foreign cell.
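A pre-check for the consistency requirement in the first item above, as an added example that is not part of DCE and does not reproduce how passwd_import works. It assumes both sides are available as seven-field passwd-format text (for the registry side, a file such as passwd_export writes); the function names and the sample data are constructed for illustration. A UNIX ID that maps to different names on the two sides means file ownership on shared files resolves to the wrong user.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "name uid gid gecos home shell")

# Constructed sample data (not from a real cell): registry-side export vs. foreign file.
REGISTRY_EXPORT = """\
root:*:0:0:Root:/:/bin/sh
alice:*:1001:100:Alice A:/home/alice:/bin/ksh
bob:*:1002:100:Bob B:/home/bob:/bin/sh
carol:*:1003:100:Carol C:/home/carol:/bin/sh
"""
FOREIGN_PASSWD = """\
root:*:0:0:Root:/:/bin/sh
alice:*:2001:100:Alice A:/home/alice:/bin/ksh
bob:*:1002:100:Bob B:/users/bob:/bin/sh
dave:*:1003:100:Dave D:/home/dave:/bin/sh
erin:*:1010:100:Erin E:/home/erin:/bin/sh
"""

def parse_passwd(text):
    """Parse passwd-format text into {name: Entry}; blank, comment and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            continue
        entries[f[0]] = Entry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6])
    return entries

def find_conflicts(registry, foreign):
    """Return sorted (kind, detail) tuples where the foreign file disagrees with the registry."""
    conflicts = []
    reg_by_uid = {e.uid: e.name for e in registry.values()}
    for name, fe in foreign.items():
        reg = registry.get(name)
        if reg is None:
            # Name is new to the registry; its UNIX ID must not already belong to someone else.
            if fe.uid in reg_by_uid:
                conflicts.append(("uid-reused", f"UID {fe.uid}: registry={reg_by_uid[fe.uid]} foreign={name}"))
        elif reg.uid != fe.uid:
            conflicts.append(("uid-mismatch", f"{name}: registry={reg.uid} foreign={fe.uid}"))
        elif (reg.gid, reg.home, reg.shell) != (fe.gid, fe.home, fe.shell):
            conflicts.append(("info-mismatch", f"{name}: gid/home/shell differ"))
    return sorted(conflicts)

if __name__ == "__main__":
    for kind, detail in find_conflicts(parse_passwd(REGISTRY_EXPORT), parse_passwd(FOREIGN_PASSWD)):
        print(f"{kind:14} {detail}")
```

Names that exist only in the foreign file with an unused UNIX ID (erin in the sample) are not reported, since they do not conflict with any registry entry.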

· Using ACLs

Use the dcecp program's acl commands to display, add, modify, and delete ACL entries for a specific object in the cell namespace. (See the OSF DCE Administration Guide - Core Components for detailed information on how to use the dcecp program's acl command.)

· Setting and maintaining registry policies

Registry policies include certain password and account information. Policies also include overrides, which are exceptions tied to a specific machine. Use the dcecp program's registry commands to set and maintain registry policies. Details on how to use these commands are in the OSF DCE Administration Guide - Core Components.

Ticket expiration date, password life span, password format, and password expiration date are examples of registry policies that you can set. If both an organizational policy and a registry policy exist for password format, for example, the more restrictive policy applies.

You can establish overrides to the information contained in the registry. Override information is stored in the passwd_override and group_override files on a local machine. The passwd_override file contains the home directory, the login shell, entries for overriding the password, and GECOS information, which is general information that is used by users but not required by the system, such as office and phone numbers. For details about how to edit the passwd_override file, refer to the OSF DCE Administration Guide - Core Components.

· Backing up the registry

The OSF DCE Administration Guide - Core Components describes the back-up procedure to follow for the master registry site. When you restore the database, it is automatically propagated to the slaves.

· Setting up and maintaining Audit Service data

Audit Service data includes event numbers, event class numbers, event class files, audit filters, and audit trail files. Use the dcecp aud, audevents, audfilter, and audtrail objects to manage Audit Service data. The OSF DCE Command Reference provides descriptions of audit-related dcecp objects and commands. See the OSF DCE Administration Guide - Core Components for more information about Audit Service administration.

· Troubleshooting

When you encounter problems that cannot be resolved through routine management procedures, or when hardware failures stop the registry from operating, there are several troubleshooting procedures you can use. The OSF DCE Administration Guide - Core Components describes the following tasks:

- Recreating a registry replica

- Recovering the master registry

- Forcibly deleting a replica

- Adopting registry objects that are orphaned because their owner has been deleted