System Administration Guide: Naming and Directory Services (NIS+)
Configuring NIS+ Machines to Use New Security Mechanism Credentials
Now that the servers can accept the new credentials, the machines can be converted to authenticate by using the new credentials. To do this, run nisauthconf and keylogin as root and reboot.
In this example, the new mechanism is dh640-0, but the system will also attempt authentication with des credentials if the dh640-0 ones are not available or do not succeed.

workstation# nisauthconf dh640-0 des
workstation# keylogin -r
(screen notices not shown)
workstation# /etc/reboot
In the next example, the new mechanism is dh640-0 and authentication will only be attempted with this mechanism. Before configuring any system to authenticate by using the new mechanism exclusively, the cached directory objects must be refreshed to include the keys for the new mechanism. This can be verified with nisshowcache. An alternative to waiting for the cached directory objects to time out and be refreshed is the following: stop the NIS+ service, then construct a new NIS_COLD_START by using nisinit, and then restart the NIS+ service.
To manually refresh directory objects, use the svcadm command. See the svcadm(1M) man page for more information.
# svcadm disable -t /network/rpc/nisplus:default
# nisinit -cH masterserver
# svcadm enable /network/rpc/nisplus:default

Caution - The machine principal and all users of this machine must have dh640-0 credentials in the cred table before the system can be configured to authenticate exclusively with dh640-0.

workstation# nisauthconf dh640-0
workstation# keylogin -r
(screen notices not shown)
workstation# /etc/reboot
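The Caution above can be checked before running nisauthconf with a single mechanism. The following script is an added example, not part of the original guide: it lists principals that hold a des credential but no dh640-0 credential. It assumes the cred table has been dumped (for example with niscat cred.org_dir) as colon-separated rows of cname:auth_type:auth_name:public_data:private_data; the function names, the example.com domain and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check before switching to a single mechanism.
# Assumption: cred rows are cname:auth_type:auth_name:public_data:private_data.

# Constructed sample dump, not taken from a real namespace.
sample_cred_dump() {
cat <<'EOF'
workstation.example.com.:DES:unix.workstation@example.com:aaaa:bbbb
workstation.example.com.:DH640-0:unix.workstation@example.com:cccc:dddd
alice.example.com.:LOCAL:1001:10,14:
alice.example.com.:DES:unix.1001@example.com:eeee:ffff
alice.example.com.:DH640-0:unix.1001@example.com:gggg:hhhh
bob.example.com.:LOCAL:1002:10:
bob.example.com.:DES:unix.1002@example.com:iiii:jjjj
EOF
}

# missing_new_creds MECH
# Reads cred rows on stdin and prints, sorted, every principal that has a
# des credential but no credential of type MECH (compared case-insensitively).
# Returns 0 when no principal is missing MECH, 1 otherwise.
missing_new_creds() {
    out=$(awk -F: -v mech="$1" '
        { t = toupper($2) }
        t == "DES"         { have_old[$1] = 1 }
        t == toupper(mech) { have_new[$1] = 1 }
        END {
            for (p in have_old)
                if (!(p in have_new)) print p
        }' | sort)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# Demonstration on the constructed sample: bob has only des credentials.
sample_cred_dump | missing_new_creds dh640-0 ||
    echo "principals above still need dh640-0 credentials" >&2
```

Any principal this prints would be unable to authenticate on a machine configured with nisauthconf dh640-0 alone, so keep des in the mechanism list until the output is empty.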