[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | DECmcc user notes file. Does not replace IPMT. |
| Notice: | Use IPMT for problems. Newsletter location in note 6187 |
| Moderator: | TAEC::BEROUD |
|
| Created: | Mon Aug 21 1989 |
| Last Modified: | Wed Jun 04 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 6497 |
| Total number of notes: | 27359 |
5650.0. "Access rights ro register NODE ?" by KETJE::PACCO (Horum omnium fortissimi sunt Belgae) Fri Oct 08 1993 11:50
The discussions on the notes file seems to have declined very much,
specially after one quick reply.
Therefore I see me in the obligation to reiterate the following
problem (note 5627).
--------------------------------------------------------------------------------
I have ALL required rights to register and deregister DECnet nodes
with the decnet_dns_register procedure (on ULTRIX).
However, trying inext to register the node from DECmcc to add mcc attributes
to the (existing) dns object, fails.
I execute: REGISTER NODE <fullname> synonym <synonym>
and during the registration I get "NameSpace Access Denied"
What is preventing the registration_fm to get all the node child
entities being registered? Is there something more the registration FM
is trying to do, beside the modification of attributes of the node
object in DNS ?
mcc_admin, the group under which the DECmcc platform is known
in the network, has read, write, delete and test on the objects, and
node softlinks; and has read,write, test access on their directories.
e.g.mcc_admin has read, write, test in .DNA_NodeSynonym
mcc_admin has read, write, delete, test in .DNA_NodeSynonym.rbkc01
From the iconic map SHOW NODE <node> ALL REFERENCE
gives "Not Registered Entity"
Doing a "REGISTER NODE <node>" tells "The entity is already registered
with MCC."
> When you register a node (phaseV), DECmcc also tries to create
> a softlink in .DNA_BackTranslation.*.* directory in addition to
> a softlink in .DNA_NODESYNONYM.
> And, you need to have access rights in the .DNA_BackTranslation.*.*
> directory.
The protection is as follows:
sho dir .dna_backtranslation
DNS$ACS (set) = :
Flags = default, propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, test
Group = bc:.mcc_admin
sho dir .dna_backtranslation.%x49
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, test
Group = bc:.mcc_admin
DNS$ACS (set) = :
Flags = default, propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
sho dir .dna_backtranslation.%x49%x0004
DNS$ACS (set) = :
Flags = default, propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, test
Group = bc:.mcc_admin
sho lin .dna_backtranslation.%x49.%x0004.%XAA0004000410
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
sho obj .dna_backtranslation.%x49.%x0004.%XAA0004000410
DNS$ACS (set) = :
Flags = group
Rights = read, write, delete, test
Group = bc:.mcc_admin
sho dir .dna_nodesynonym
DNS$ACS (set) = :
Flags = default, propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, test
Group = bc:.mcc_admin
sho lin .dna_nodesynonym.mcar02
DNS$ACS (set) = :
Flags = propagate, group
Rights = read, write, delete, test
Group = bc:.mcc_admin
William,
I had access in these directories, because I can do
decnet_dns_register register without any problem
decnet_dns_register deregister without any problem
After the register I also find the nodesynonym and backtranslation
link!
The problem is that DECmcc PhaseV AM seems to require something
more; but what ?
Regards,
Dominique.
| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 5650.1 | Need 'control' access on the node/node4 object | TOOK::KWAK | | Fri Oct 08 1993 12:56 | 14 |
|
RE: .0
By carefully reading the base note and note #5650, I noticed that the
Group .mcc_admin does not have "control" access to the object's
directory.
When you register node/node4, DECmcc tries to modify "DNS$ACS"
attribute - adding 'session control principal' name.
Modifying DNS$ACS attribute requires "control" access right.
Sorry for delay.
William
|
| 5650.2 | Why "CONTROL" right ? | KETJE::PACCO | Horum omnium fortissimi sunt Belgae | Mon Oct 11 1993 06:54 | 15 |
| William,
Thanks for this explanation.
What do you mean with 'session control principal' name ? Do you mean
the actual user which is doing the registration ?
But what is the "rationale" behind DECmcc modifying ACS on objects in
the namespace ? Why isn't it possible to thrust what has been set as
ACS to the objects , and work within the existing framework of
security. I do not understand why the registration will "on its own
initiative" try to force some security modifications of the namespace ?
Regards,
Dominique.
|
| 5650.3 | DECmcc tries to do DECnet registration procedure | TOOK::KWAK | | Mon Oct 11 1993 10:44 | 28 |
|
Hi Dominique,
> What do you mean with 'session control principal' name ? Do you mean
> the actual user which is doing the registration ?
DNA$SessCtrl is the session control. I think the name is owned by
DECnet Phase5.
> But what is the "rationale" behind DECmcc modifying ACS on objects in
> the namespace ? Why isn't it possible to thrust what has been set as
> ACS to the objects , and work within the existing framework of
> security. I do not understand why the registration will "on its own
> initiative" try to force some security modifications of the namespace ?
I do not know the historical background on this issue. But, I think
that the DECmcc modifies ACS of the object because phase4/phase5 nodes
can be registered in the DECdns namespace without using DECnet
registration tools (e.g. decnet_dns_register. NOTE: this procedure is
not available on phase4 systems). In this case, DECmcc has to set the
ACS of the phase4/phase5 object because the phase4/phase5 object is
not 'legal' in the namespace without the ACS attribute.
(The original goal of DECmcc registration might have been to replace
DECnet registration tools.)
Note that DECdns namespace is shared among different applications
(e.g. DECnet/OSI, DECmcc, DFS, etc.).
William
|