Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Naming and Directory Services (NIS+) |
Part I About Naming and Directory Services
Part II NIS+ Setup and Configuration
4. Configuring NIS+ With Scripts
NIS+ and the Service Management Facility
Modifying the /lib/svc/method/nisplus File
Creating a Sample NIS+ Namespace
Summary of NIS+ Scripts Command Lines
Prerequisites to Running nisserver to Set Up a Root Server
How to Create an NIS+ Root Master Server
Prerequisites to Running nispopulate to Populate Root Server Tables
How to Populate the NIS+ Root Master Server Tables
Setting Up NIS+ Client Machines
How to Initialize a New NIS+ Client Machine
Creating Additional NIS+ Client Machines
Initializing NIS+ Client Users
How to Initialize an NIS+ User
Configuring a Client as an NIS+ Server
How to Configure an NIS+ Server Without NIS Compatibility
How to Configure an NIS+ Server With NIS Compatibility
How to Configure an NIS+ Server With DNS Forwarding and NIS Compatibility
Creating Additional NIS+ Servers
Creating an NIS+ Root Replica Server
How to Create an NIS+ Root Replica
How to Set Up Multihomed NIS+ Replica Servers
How to Create a New Non-Root NIS+ Domain
Creating Additional NIS+ Domains
Populating the New NIS+ Subdomain's Tables
Prerequisites to Populating a NIS+ Subdomain's Tables
Populating the NIS+ Master Server Tables
How to Populate the NIS+ Tables From Files
How to Populate the NIS+ Tables From NIS Maps
Creating NIS+ Subdomain Replicas
Initializing NIS+ Subdomain Client Machines
How to Initialize an NIS+ Subdomain Client Machine
Initializing an NIS+ Subdomain Client Users
How to Initialize an NIS+ Subdomain User
Summary of Commands for the Sample NIS+ Namespace
5. Setting Up the NIS+ Root Domain
8. Configuring an NIS+ Non-Root Domain
10. NIS+ Tables and Information
12. Administering NIS+ Credentials
14. Administering Enhanced NIS+ Security Credentials
15. Administering NIS+ Access Rights
16. Administering NIS+ Passwords
18. Administering NIS+ Directories
20. NIS+ Server Use Customization
23. Information in NIS+ Tables
Common NIS+ Namespace Error Messages
Setting up the root master server is the first activity towards establishing NIS+ domain. This section shows you how to configure a root master server using the nisserver script with default settings.
The root master server uses the following defaults:
Security level 2 (DES) – the highest level of NIS+ security
NIS compatibility set to OFF (instructions for setting NIS compatibility are included)
System information files (/etc) or NIS maps as the source of name services information
admin.domainname as the NIS+ group
Note - The nisserver script modifies the name service switch file for NIS+ when it sets up a root master server. The /etc/nsswitch.conf file can be changed later. See Chapter 1, Name Service Switch for information on the name service switch.
Check to see that the /etc/passwd file on the machine you want to be root master server contains an entry for root.
You need the following information before running nisserver.
The superuser password of the machine that will become the root master server
The name of the new root domain. The root domain name must have at least two elements (labels) and end in a dot (for example, something.com.). The last element may be anything you want, but in order to maintain Internet compatibility, the last element must be either an Internet organizational name (as shown in Table 4-3), or a two or three character geographic identifier such as .jp. for Japan.
Table 4-3 Internet Organizational Domains
|
In the following example, the machine that is designated as the root master server is called master1, and doc.com. becomes the new root domain.
Note - Domains and hosts should not have the same name. For example, if you have doc.com. as a root domain, you should not have a machine named doc in any of your domains. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution also applies to subdomains. For example, if you have a machine named west, you do not want to create a sales.west.doc.com subdomain.
Either add this path to root's .cshrc or .profile file or set the variable directly.
To use 640–bit Diffie-Hellman keys as well as the default 192–bit keys, type:
nisauthconf dh640-0 des
To allow only 640–bit keys (rejects 192–bit keys), type:
nisauthconf dh640-0
The -r option indicates that a root master server should be configure. The -d option specifies the NIS+ domain name.
master1# nisserver -r -d doc.com. This script sets up this machine “master1” as an NIS+ root master server for domain doc.com. Domain name : doc.com. NIS+ group : admin.doc.com. NIS (YP) compatibility : OFF Security level : 2=DES Is this information correct? (type 'y' to accept, 'n' to change)
“NIS+ group” refers to the group of users who are authorized to modify the information in the doc.com. domain. (Domain names always end with a period.) Modification includes deletion. admin.domainname is the default name of the group. See How to Change Incorrect Information When Setting Up NIS+ for instructions on how to change this name.
“NIS compatibility” refers to whether an NIS+ server accepts information requests from NIS clients. When set to OFF, the default setting, the NIS+ server does not fulfill requests from NIS clients. When set to ON, an NIS+ server fulfills such requests. You can change the NIS-compatibility setting with this script. See How to Change Incorrect Information When Setting Up NIS+.
Note - This script sets machines up only at security level 2, the highest level of NIS+ security. You cannot change the security level when using this script. After the script has completed, you can change the security level with the appropriate NIS+ command. See the rpc.nisd man page for more information on changing security levels.
Typing n causes the script to prompt you for the correct information. (See How to Change Incorrect Information When Setting Up NIS+ for what you need to do if you type n.)
Is this information correct? (type 'y' to accept, 'n'' to change) y This script will set up your machine as a root master server for domain doc.com. without NIS compatibility at security level 2. Use "nisclient -r" to restore your current network service environment. Do you want to continue? (type `y' to continue, `n' to exit the script)
(Typing n safely stops the script.) If you interrupt the script after you have chosen y and while the script is running, the script stops running and leaves configured whatever it has created so far. The script does not do any automatic recovery or cleaning up. You can always rerun this script.
Do you want to continue? (type 'y' to continue, 'n' to exit the script y setting up domain information “doc.com.” ... setting up switch information ... running nisinit ... This machine is in the doc.com. NIS+ domain. Setting up root server ... All done. starting root server at security level 0 to create credentials... running nissetup ... (creating standard directories & tables) org_dir.doc.com. created Enter login password:
The nissetup command creates the directories for each NIS+ table.
In this case, the user typed the master1 machine's root password.
Wrote secret key into /etc/.rootkey setting NIS+ group to admin.doc.com. ... restarting root server at security level 2 ... This system is now configured as a root server for domain doc.com. You can now populate the standard NIS+ tables by using the nispopulate or /usr/lib/nis/nisaddent commands.
Your root master server is now configured and ready for you to populate the NIS+ standard tables. To continue with populating tables, skip to Populating NIS+ Tables.
If you typed n because some or all of the information returned to you was wrong in Step 4 in the above procedure, you will see the following:
Is this information correct? (type 'y' to accept, 'n' to change) n Domain name: [doc.com.]
In this example, Return was pressed, confirming that doc.com. is the desired domain name. The script then prompts for the NIS+ group name.
Is this information correct? (type 'y' to accept, 'n' to change) n Domain name: [doc.com.] NIS+ group: [admin.doc.com.]
In this example, the name was changed. The script then prompts for NIS compatibility.
NIS+ group: [admin.doc.com.] netadmin.doc.com. NIS (YP) compatibility (0=off, 1=on): [0]
In this example, Return was pressed, confirming that NIS compatibility status is correct. Once again, the script asks you if the information is correct.
Note - If you choose to make this server NIS compatible, you also need to edit a file and restart the rpc.nisd daemon before it will work. See Configuring a Client as an NIS+ Server for more information.
NIS (YP) compatibility (0=off, 1=on): [0] Domain name : doc.com. NIS+ group : netadmin.doc.com. NIS (YP) compatibility : OFF Security level : 2=DES Is this information correct? (type 'y' to accept, 'n' to change)
When the information is correct, continue with Step 3 in How to Create an NIS+ Root Master Server. You can keep choosing -n until the information is correct.
The procedure for setting up a multihomed NIS+ server is the same as setting up a single interface server. The only difference is that there are more interfaces that need to be defined in the hosts database, the /etc/hosts file and NIS+ hosts table.
Note - Prior to the Solaris 10 7/07 release, you also need to define interfaces in the /etc/inet/ipnodes file and ipnodes table.
Once the host information is defined, use the nisclient and nisserver scripts to set up the multihomed NIS+ server. For information about setting up a multihomed replica server, see How to Set Up Multihomed NIS+ Replica Servers.
Caution - When setting up a multihomed NIS+ server, the server's primary name must be the same as the nodename for the system. This is a requirement of both Secured RPC and nisclient.
If these names are different, Secure RPC authentication will fail to work properly causing NIS+ problems. |
The following procedure shows how to set up an NIS+ root master server:
Note - Prior to the Solaris 10 7/07 release, you must also add IPv6 host information to the /etc/inet/ipnodes file.
For example, the /etc/hosts file for the hostA system with three Ethernet interfaces looks like:
127.0.0.1 localhost loghost 192.168.10.x hostA hostA-10 hostA-eri0 192.168.11.y hostA hostA-11 hostA-eri1 192.168.12.z hostA hostA-12
hostA# nisserver -r -d sun.com
where our example shows sun.com as the root domain name. Issue the nisserver command using the name of your root domain name.
After completing the steps for setting up a multihome NIS+ root server, the remainder of the setup is exactly the same as for a single interface server.