What's new with DCE/DFS at SUNY Buffalo

1
What's new with DCE/DFS at SUNY Buffalo?
  • Daniel Arrasjid, Joel Murphy,
  • Stephen Comings, Dan Deakin
  • http://www.tks.buffalo.edu

2
Overview
  • What's new with DCE/DFS at UB?
  • DCE Infrastructure
  • DCE Server Management
  • DFS Infrastructure
  • Windows NT Integration
  • Windows 2000 Integration
  • Applications
  • Discussion

3
What's new with DCE/DFS at UB?
  • Authentication, Authorization and File Space for
      • Public Labs
      • Some Departmental Labs
      • WTS/Citrix Servers
      • Unix Timeshares
      • User Home Pages
      • Computer Based Training
      • Software Distribution
  • Web-based DCE/DFS tools for
      • Administrative functions
      • ACL Management / File Access
      • Delegated account management functions

4
What's new with DCE/DFS at UB?
  • Secure Web Based Applications
  • Registration
  • Student Access to Records
  • Final Grading
  • Parking Permit
  • Student Voting
  • MyUB Student Portal
  • DCE/COM Module
  • ISAPI/NSAPI Filter

5
DCE Infrastructure
  • We have recently upgraded our DCE servers to
    handle peak loads. We needed more CPU horsepower
    for secd.
  • Our largest number of hits come from
    authentication requests from SOAR and WebReg CGI
    web applications.

6
DCE Infrastructure 2

7
DCE Infrastructure 3
  • We are running Transarc DCE 2.0 on Solaris 2.6.
  • secd would deadlock and leak memory in the past,
    but both issues have been resolved by Transarc.
    The DCE cell is very stable.
  • Our security registry has grown
  • secd occupies 250 MB resident in RAM
  • configuring new security replicas is slow and
    painful
  • we migrated to our new hardware by shutting down
    servers and using tar
  • 87789 principals, 2510 groups, about 50000
    enabled user accounts
  • We currently do not delete deactivated
    principals.
  • We don't reassign usernames or uids to new users
    to avoid conflicts.
  • We can reassign a person the same username if
    they leave and come back.
  • Old accounts can linger on departmental machines
  • We need to build username/uid reservation into
    the account management system.
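
The reservation rule described on this slide, sketched as an added example (not code from the presentation or from UB's account management system). The class names, the person_id key and the audit_host check for accounts lingering on departmental machines are assumptions made for illustration.

```python
from dataclasses import dataclass

class ReservationError(Exception):
    """The identifier is permanently held by a different person."""

@dataclass
class Account:
    person_id: str   # assumed stable per-person key (hypothetical field)
    username: str
    uid: int
    active: bool = True

class Registry:
    """Usernames and uids are never freed, only deactivated."""

    def __init__(self, first_uid=10000):
        self._by_name = {}        # username -> Account, entries never deleted
        self._used_uids = set()   # every uid ever issued
        self._next_uid = first_uid

    def provision(self, person_id, username):
        held = self._by_name.get(username)
        if held is not None:
            if held.person_id != person_id:
                raise ReservationError(f"{username!r} is reserved")
            held.active = True    # returning person: same username, same uid
            return held
        while self._next_uid in self._used_uids:
            self._next_uid += 1
        acct = Account(person_id, username, self._next_uid)
        self._by_name[username] = acct
        self._used_uids.add(acct.uid)
        return acct

    def deactivate(self, username):
        self._by_name[username].active = False   # reservation stays in place

    def audit_host(self, passwd_entries):
        """Report host accounts that are deactivated centrally or whose uid differs."""
        findings = []
        for name, uid in passwd_entries:
            acct = self._by_name.get(name)
            if acct is None:
                continue          # local-only account, not ours to judge
            if acct.uid != uid:
                findings.append((name, "uid mismatch"))
            elif not acct.active:
                findings.append((name, "deactivated centrally"))
        return findings
```

Because a deactivated entry keeps its uid, files and ACL entries that still carry that uid can never resolve to a different person later.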

8
DCE Server Management
  • Account Management System feeds DCE and other
    systems.
  • All tools are locally written and enforce UB
    policies.
  • Account Management Database maintains account
    status and drives other processes.
  • DMS has an ACL manager restricting who can
    perform management functions.

9
DCE Server Management 2
  • Monitoring
      • Various health checks
      • Ping core services, verify cds, administrative
        servers, etc.
      • Verify dce_login working
  • Error Handling
      • SNMP traps sent to 24x7 operators
      • Trouble ticket logged automatically
      • Alpha pages sent to systems administrators
  • Backups
      • We back up a nightly tarball of all DCE servers
        (dceback).
  • Auditing
      • Security auditing enabled on security servers
      • Logs used for diagnosing load spikes
      • Audit trails backed up by ADSM as a secondary
        security trail to system logs.

10
DFS Infrastructure
  • Services
  • 15 MB file space per user, with larger shared
    areas available
  • Automatic home directory and /public_html setup
  • Web tools for users
  • Un/authenticated web browsing of files
  • High availability
  • Nightly backups
  • Disaster recovery

11
UB's DFS Directory Structure

12
DFS Servers and Functions
  • 21 servers currently
  • HA Clusters and inactive user servers
  • FLDB servers
  • Read-only servers
  • Web servers
  • Windows 9X gateways

13
DFS Backups and Disaster Recovery
  • IBM Tivoli Storage Management (ADSM)
  • Nightly logical (file by file) backups
  • Bi-nightly physical (whole aggregates) backups

14
DFS Cost Estimates
  • 650K on hardware
  • 25K on consulting and staff training
  • 250K on staff time (salaries)
  • Plus license fees, service contracts
  • Coming close to 1M
  • Per UB user id 16.
  • Per active UB user id 30.

15
UB's Desktop Strategy
  • Public Computer Labs
      • Gradient PC-DCE
      • Transarc DFS Client
      • UB NT GINA or UBFSLogon
  • Faculty/Staff NT Desktops
      • Gradient PC-DCE
      • Transarc DFS Client
      • UBFSLogon Application
  • ResNet/Dialup/Open Ports (Win95/98)
      • Gradient PC-DCE
      • Samba DFS Gateway

16
Windows NT Integration
  • We have integrated the following DCE apps into
    NT
      • GINAs - for various campus labs
      • UBFSLogon - for DCE/DFS through easy-to-use GUI
      • UBFSHome - for Windows 95/98 DFS access

17
What's New ???
  • Redesigned UB GINA
  • Based on NI_PAM (Freely Distributable)
  • New PAM (Pluggable Authentication Module) Design
  • Easier to add other authentication interfaces
  • Works on Windows Terminal Server
  • Works on Windows Terminal Server w/ Metaframe
  • Interface to Access Logging Server

18
Applications
  • DCE COM Object
  • DCE Authentication COM Object module
  • Once registered, can be called from VB, FoxPro, C
    apps
  • Username/Password passed to module
  • Returns Yes if successful authentication
  • Optionally will return DCE group list

19
Applications
  • ISAPI/NSAPI DCE Authentication Filter
  • Used to add DCE authentication to NT Web Servers
  • NSAPI (Netscape's API)
  • ISAPI (Microsoft's IIS API)
  • Sparse ACL Manager using DCE Groups and Users
  • Still in Development
  • Looking for Guinea Pigs

20
Thank You
  • CIC RPG (formerly Big Ten Joint Projects Group)
  • University of Notre Dame
  • Naomaru Itoi, author of NI_PAM GINA
  • Steve Carmody (Brown Univ. Samba/DFS)
  • Paul Henson (Cal Pomona)
  • dfs-campus listserv list

21
Discussion