bos(8dfs) — DCE 3.1

bos(8dfs)  —  Maintenance

NAME

bos − Introduction to the bos command suite

OPTIONS

The following options are used with many bos commands. They are also listed with the commands that use them.

Names the machine running the BOS Server that is to execute the command. To run a privileged bos command (a bos command that requires the issuer to have some level of administrative privilege) using a privileged identity, always specify the full DCE pathname of the machine (for example, /.../abc.com/hosts/fs1).

To run an unprivileged bos command, you can use any of the following to specify the machine:

    The machine’s DCE pathname (for example, /.../abc.com/hosts/fs1)
    The machine’s host name (for example, fs1.abc.com or fs1)
    The machine’s IP address (for example, 11.22.33.44)

If you specify the host name or IP address of the machine, the command executes using the unprivileged identity nobody (the equivalent of running the command with the −noauth option); unless DFS authorization checking is disabled on the specified machine, a privileged bos command issued in this manner fails. If you specify the machine’s host name or IP address, the command displays the following message (using the −noauth option suppresses the message):

    bos:  WARNING: short form for server used; no authentication information will be sent to the bosserver

Directs the bos program to use the unprivileged identity nobody as the identity of the issuer of the command. Generally, the −noauth option is included with a command if DFS authorization checking is disabled on the server machine whose BOS Server is to execute the command or if the Security Service is unavailable. If DFS authorization checking is disabled, the BOS Server requires no administrative privilege to issue any command; any user, even the identity nobody, has sufficient privilege to perform any operation. If the Security Service is unavailable, a user’s security credentials cannot be obtained.

DFS authorization checking is disabled with the bos setauth command or by including the −noauth option when the bosserver process is started on a machine. DFS authorization checking is typically disabled:

    During initial DFS installation
    If the Security Service is unavailable
    During server encryption key emergencies
    To view the actual keys stored in a keytab file

Include the −noauth option with a command that requires administrative privilege only if DFS authorization checking is disabled on the necessary machine. A command that requires administrative privilege fails if the −noauth option is included and DFS authorization checking is not disabled. If you use this option, do not use the −localauth option.

Directs bos to use the DFS server principal of the machine on which the command is issued as the identity of the issuer. Each DFS server machine has a DFS server principal stored in the Registry Database. A DFS server principal is a unique, fully qualified principal name that ends with the string dfs-server; for example, /.../abc.com/hosts/fs1/dfs-server. (Do not confuse a machine’s DFS server principal with its unique self identity.)

Use this option only if the command is issued from a DFS server machine. You must be logged into the server machine as root for this option to work. If you use this option, do not use the −noauth option.

Prints the online help for the command. All other valid options specified with this option are ignored. For complete details about receiving help, see the dfs_intro(8dfs) reference page.
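The identity rules above can be checked mechanically before a command line goes into an administrative script. The sh functions below are an added example, not part of the bos suite or of the original reference page. They assume -server is the option that names the machine, and they treat a short-form machine name as nobody even when -localauth is given, because the page states no exception.

```sh
#!/bin/sh
# Added example, not part of the bos suite. Assumption: "-server" is the
# option that names the machine; -noauth and -localauth are named on the page.

# Subcommands this page explicitly says need administrative privilege.
PRIVILEGED="addadmin rmadmin"

# bos_identity SUBCOMMAND [ARGS...]
# Prints the identity the command would run as:
#   issuer | dfs-server | nobody | conflict | unknown
bos_identity() {
    server="" noauth=0 localauth=0
    if [ $# -gt 0 ]; then shift; fi          # drop the subcommand
    while [ $# -gt 0 ]; do
        case "$1" in
            -server)    if [ $# -gt 1 ]; then server=$2; shift; fi ;;
            -noauth)    noauth=1 ;;
            -localauth) localauth=1 ;;
        esac
        shift
    done
    if [ "$noauth" -eq 1 ] && [ "$localauth" -eq 1 ]; then
        echo conflict                        # the page forbids combining them
    elif [ "$noauth" -eq 1 ]; then
        echo nobody
    else
        case "$server" in
            "")     echo unknown ;;          # no machine named
            /.../*) if [ "$localauth" -eq 1 ]; then echo dfs-server
                    else echo issuer; fi ;;  # full DCE pathname
            *)      echo nobody ;;           # host name or IP: short form
        esac
    fi
}

# bos_check SUBCOMMAND [ARGS...]
# Returns 1 with a finding when the command line breaks the page's rules.
bos_check() {
    case "$(bos_identity "$@")" in
        conflict) echo "conflict: -noauth and -localauth used together"; return 1 ;;
        nobody)
            case " $PRIVILEGED " in
                *" ${1:-} "*)
                    echo "unprivileged: $1 would run as nobody"; return 1 ;;
            esac ;;
    esac
    echo ok
}
```

A finding of "unprivileged" corresponds to the case the page describes as failing unless DFS authorization checking is disabled on the target machine.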

DESCRIPTION

Commands in the bos command suite are used by system administrators to contact the Basic OverSeer (BOS) Server. The BOS Server runs on every DFS server machine to monitor the other DFS server processes on the machine. It restarts processes automatically if they fail. The BOS Server also provides an interface through which system administrators can start and stop processes and check on server status. 

The files described in the following sections are used to store configuration, administrative, and security information. 

The BosConfig File

The dcelocal/var/dfs/BosConfig file on the local disk of each DFS server machine contains information about the processes the BOS Server is to monitor. This information includes the process type, the command parameters associated with the process, and a status flag that tells the BOS Server to start the process at initialization or restart the process if the process fails. Whenever the BOS Server starts or restarts, it reads the file to learn which processes to monitor; this information is transferred into memory and the file is not read again until the BOS Server next restarts. 

The administrator can change the process status in the BOS Server’s memory with specific bos commands; therefore, it is possible for a process to stop running even if its status flag in the BosConfig file is set to Run.  Similarly, an administrator can start a process without setting its status flag in the BosConfig file to Run by changing its memory state flag to Run. 

Never edit the BosConfig file directly; always use the appropriate bos commands. Editing the file directly can introduce changes of which the BOS Server is unaware. The BOS Server does not recognize such changes until it is restarted and again reads the file. 

The admin.bos File

The dcelocal/var/dfs/admin.bos file on the local disk of each File Server machine contains the names of users who are allowed to issue bos commands on that machine. All users can list the contents of the file with the bos lsadmin command; only administrative users can edit the contents of the file with the bos addadmin and bos rmadmin commands. Because the admin.bos file is a binary file, you cannot edit it directly; you must use the appropriate bos commands. 

The Keytab File

A /krb5/v5srvtab keytab file is stored on the local disk of each File Server machine. A keytab file contains the list of server encryption keys used by a server process on that machine to decrypt tokens presented by clients.  The server process interacts only with clients possessing tokens encrypted with server encryption keys listed in the appropriate keytab file. 

The keys in a keytab file are marked with a unique key version number. All tokens presented by clients are also marked with a key version number; a server process uses the key version number to determine which key to use to decrypt a token. 

Only administrative users can examine, add, and remove keys in the keytab file. Never edit a keytab file directly; always use the appropriate bos commands. 

Receiving Help

There are several different ways to receive help about DFS commands. The following examples summarize the syntax for the different help options:

    Displays the reference page for the command suite.
    Displays the reference page for an individual command. You must use an _ (underscore) to connect the command suite to the command name. Do not use the underscore when issuing the command in DFS.
    Displays a list of commands in a command suite.
    Displays the syntax for a single command.
    Displays a short description of any commands that match the specified string.

Consult the dfs_intro(8dfs) reference page for complete information about the DFS help facilities. 

Privilege Required

All bos commands can be issued by users listed in the admin.bos file on the machine whose BOS Server is executing the command. Specific privilege information is listed with each command’s description. In addition, if the BOS Server is running with DFS authorization checking disabled, no privilege is required to issue bos commands. 

CAUTIONS

Never directly edit a BosConfig file, a keytab file, an admin.bos file, or any administrative (admin) file; always use the appropriate commands from the bos command suite. 

RELATED INFORMATION

Commands: bos addadmin(8dfs), bos addkey(8dfs), bos apropos(8dfs), bos create(8dfs), bos delete(8dfs), bos gckeys(8ds), bos genkey(8dfs), bos getdates(8dfs), bos getlog(8dfs), bos getrestart(8dfs), bos help(8dfs), bos install(8dfs), bos lsadmin(8dfs), bos lscell(8dfs), bos lskeys(8dfs), bos prune(8dfs), bos restart(8dfs), bos rmadmin(8dfs), bos rmkey(8dfs), bos setauth(8dfs), bos setrestart(8dfs), bos shutdown(8dfs), bos start(8dfs), bos startup(8dfs), bos status(8dfs), bos stop(8dfs), bos uninstall(8dfs), dfs_intro(8dfs), keytab(8dce)

Files: admin.bak(4dfs), admin.bos(4dfs), admin.fl(4dfs), admin.ft(4dfs), admin.up(4dfs), BosConfig(4dfs), v5srvtab(5sec)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026