DCE Secure Core and DFS System Administration
Lab / Homework Exercise 1:
Establishing and Examining DCE Identities and ACLs


A. Logging in and checking credentials:

  1. Log in to justdoit.dccs with your Unix username and password.
  2. See if you have a DCE identity.
  3. dce_login with your DCE username "class/<username>", where <username> is the same as your Unix username, using your DCE password. (Yes, "/"'s in usernames are ugly as sin, but doing this will let us do some system administration stuff later -- just try not to send mail to this account. :-) )
  4. Now check out your DCE identity, noting your principal and group names. Write down the expiration time for your DCE credentials identity, and the pathname of your credentials file.
  5. Familiarize yourself with the basic sanity checks from the notes by running them.

B. Checking Security Junction ACLs:

  1. View the ACL on your principal name, /.:/sec/principal/class/<your username>. Write down your permissions to this object.
  2. Write down the names of all the permissions you could have for this object. Feel free to use the help command.
  3. Now view the ACL for /.:/sec/principal/class. Note that this is a container that is part of your principal name. How many kinds of ACLs does it have?
  4. Looking at all of the ACLs, which one looks most like the ACL in 1)?

C. Playing Games with Credentials Files:

  1. Looking back to A.4), where are the credentials files stored?
  2. How many credentials files can you find that belong to you? What are they called?
  3. Now refresh your DCE credentials. Where are your credentials stored now? Is this the same or different than in A.4)?
  4. Enter the Unix command "set" and write down the line for the KRB5CCNAME=FILE environment variable.
  5. Exit the dce_login shell with Control-D.
  6. How is your DCE identity doing?
  7. Challenge: can you resume (re-obtain) your DCE identity without dce_login?
  8. Now destroy your DCE identity, before exiting the dce_login shell.

So ends homework / lab exercise 1. Hope you enjoyed it!

Please send comments and corrections to Noam Arzt, arzt@isc.upenn.edu