System Administration Guide: Naming and Directory Services (NIS+)
This task describes how to limit read access to the password-related columns of the passwd table to the entry owner and the table administrators, without affecting the read access of other authenticated principals (including applications) to the remaining columns of the passwd table.
This task establishes the following rights:
                        Nobody  Owner  Group  World
Table Level Rights:     ----    rmcd   rmcd   ----
Passwd Column Rights:   ----    rm--   rmcd   ----
Shadow Column Rights:   ----    rm--   rmcd   ----

Use NIS+ commands to modify passwd.org_dir so that access to the passwd column is restricted to owners and administrators.
The NIS+ principal performing this task must have modify rights to the passwd table.
The passwd table must have already been set up. It need not have any information in it, however.
The domain must not be running in NIS-compatibility mode.
All clients of the domain must have DES credentials.
All clients of the domain must be running at least the Solaris 2.3 release.
Users' network passwords (used to encrypt their DES credentials) must be the same as their login passwords.
The examples in this task use the root master server, rootmaster.
Use the niscat -o command.
rootmaster# niscat -o passwd.org_dir
This task assumes the existing permissions are:
Access Rights : ----rmcdrmcdr---
Columns :
    [0] Name : name
        Access Rights : r-----------r---
    [1] Name : passwd
        Access Rights : -----m----------
    [2] Name : uid
        Access Rights : r-----------r---
    [3] Name : gid
        Access Rights : r-----------r---
    [4] Name : gcos
        Access Rights : r----m------r---
    [5] Name : home
        Access Rights : r-----------r---
    [6] Name : shell
        Access Rights : r-----------r---
    [7] Name : shadow
        Access Rights : r-----------r---
If your permissions are different, you may need to use a different syntax. For instructions, see Chapter 15, Administering NIS+ Access Rights.
Use the nischmod command to change the table's object-level permissions to ---- rmcdrmcd ----
rootmaster# nischmod og=rmcd,nw= passwd.org_dir
Use the nistbladm command with the -u option to change the permissions of the passwd and shadow columns to:
passwd    ----  rm--  ----  ----
shadow    ----  r---  ----  ----

rootmaster# nistbladm -u passwd=o+r, shadow=o+r passwd.org_dir
Use the niscat -o command, as you did in Step 2. The permissions should look the same as they do in that step's output.
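The verification step can be scripted. The following is an added example, not part of the original guide: it parses `niscat -o` output and reports which of the nobody and world classes can still read the passwd and shadow columns, using the NIS+ rule that column-level rights add to table-level rights. The function names are hypothetical, and the `AFTER` sample is constructed from the target rights this task lists.

```python
import re

CLASSES = ("nobody", "owner", "group", "world")

def parse_rights(s):
    """Split a 16-character rights string into a set of r/m/c/d per class."""
    return {c: set(s[4 * i:4 * i + 4]) - {"-"} for i, c in enumerate(CLASSES)}

def parse_niscat(text):
    """Return (table_rights, {column: rights}) from `niscat -o` output."""
    table, cols, col = None, {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\[\d+\]\s*Name\s*:\s*(\S+)", line)
        if m:
            col = m.group(1)          # rights lines that follow belong to this column
            continue
        m = re.search(r"Access Rights\s*:\s*([rmcd-]{16})\s*$", line)
        if m and col is None:
            table = parse_rights(m.group(1))   # first rights line is the table's
        elif m:
            cols[col] = parse_rights(m.group(1))
    return table, cols

def readers(table, cols, column):
    """Classes with effective read: table-level rights plus the column's own."""
    return [c for c in CLASSES if "r" in table[c] | cols[column][c]]

def exposed(text, sensitive=("passwd", "shadow")):
    """Map each sensitive column to the nobody/world classes that can read it."""
    table, cols = parse_niscat(text)
    return {s: [c for c in readers(table, cols, s) if c in ("nobody", "world")]
            for s in sensitive}

# The existing permissions this task assumes (passwd and shadow columns only).
BEFORE = """Access Rights : ----rmcdrmcdr---
[1] Name : passwd
Access Rights : -----m----------
[7] Name : shadow
Access Rights : r-----------r---
"""
# Constructed sample: the target rights listed in this task, in niscat -o form.
AFTER = """Access Rights : ----rmcdrmcd----
[0] Name : name
Access Rights : r-----------r---
[1] Name : passwd
Access Rights : ----rm----------
[7] Name : shadow
Access Rights : ----r-----------
"""
```

Because column rights only add to table-level rights, `o+r` does not clear an `r` that a column already grants to nobody or world, so run `exposed()` on the real `niscat -o` output after the change and expect empty lists.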