test

Trusted Solaris Installation and Configuration

Chapter 6 Configuring the NIS+ Domain

This chapter covers how to configure the NIS+ root master and the home directory server, the first workstations you install at a networked site.

Note -

Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.

Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the workstation, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

NIS+ Root Master Configuration Tasks

The first workstation installed on a network has special status. It must be installed interactively from the CDROM, and it must be configured as the NIS+ root master.

Configuring a NIS+ root master involves entering security information, some of which is copied to the clients, and entering details local to the workstation itself.

Other administrative tasks, such as protecting file systems, handling mail, and setting up printing are covered in Trusted Solaris Administrator's Procedures.

If you are configuring a site that satisfies criteria for an evaluated configuration, please read "Understand Your Site's Security Policy".

The procedures are not numbered. Depending on your site configuration, some procedures can be omitted.

Log In and Launch a Terminal

  1. Log on to the workstation as the user install.

    See "How to Log In" if you have not logged in before.

  2. Assume the root role.

    See "How to Assume a Role" if you have not assumed a role before.

    You are in a new workspace named root, designed for the root role. The session label is still ADMIN_LOW, but the root role has more powers than the user install.

  3. Launch a terminal.

    See "How to Launch a Terminal" if you are unfamiliar with launching a terminal in the Solaris or Trusted Solaris environment. The terminal contains a profile shell that is specific to the root role.

Protect the Workstation

    Protect the PROM or the BIOS.

    See "How to Protect Machine Hardware" if you are unfamiliar with the steps.

Check and Install the label_encodings File

The Failed Cross Reference Format should be the same on every host in your domain. The Failed Cross Reference Format is responsible for preparing, checking, and maintaining the label_encodings file.

Note -

The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site. However, if you plan to use it, you can skip this step.

You will use a copy of the label_encodings file on the NIS+ clients.

If you are familiar with label encodings files, you can use the following procedure. However, if you are not familiar with label encodings files, read the requirements and follow the procedures in Trusted Solaris Label Administration.

  1. Follow the procedure in "How to Install a Label Encodings File".

    Caution - Caution -

    You must successfully complete this step before continuing or the installation will fail.

  2. Set up a copy of the label_encodings file for the NIS+ clients in "Copy Configuration Files for Distribution to Clients".

Initialize the Solaris Management Console

    Follow the procedure "To Initialize the SMC Server".

Set Up Static Routing (Optional)

Note -

If you plan to use dynamic routing, skip this procedure.

    To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".

Add Remote Hosts

    Follow the procedure "How to Add Hosts".

Add and Assign Remote Host Templates

Note -

If your site is using a site-specific label encodings file, you must ensure that the templates in the tnrhtp(4) accurately reflect the label_encodings file.

If you plan to mount file systems from unlabeled hosts at a label available to users, or enable communications using services such as ftp, or route through an unlabeled host, you must have a template to assign those unlabeled hosts. If you are using the label_encodings file provided on the Trusted Solaris installation CD, the tnrhtp shipped on the installation CD contains possible templates.

The tnrhdb should include the host type and IP addresses of the workstations on your network and the host type and IP addresses of any other subnets and hosts with which your Trusted Solaris 8 network can communicate. The system administrator collects the IP addresses. The security administrator determines what networks can contact the Trusted Solaris 8 network; for a list of host types, see Table 1-3.

Add an Unlabeled Remote Host Template to the tnrhtp

This procedure adds a new template, unlab_userlabel, to the tnrhtp(4) database. Creating a template for an unlabeled host type is a prerequisite to mounting an unlabeled host at a user label, such as Confidential.

Note -

You can skip this step if your site is using two files that are provided Trusted Solaris installation CD: the label_encodings file and the tnrhtp file. If you have installed your own label encodings file, you must ensure that the templates in the tnrhtp file accurately describe the hosts, labeled and unlabeled, that communicate with your site.

    Follow the procedure "How to Add a Remote Host Template".

Assign Templates to Remote Hosts

The following procedure is required to set up a working Trusted Solaris network.

    Follow the procedure "How to Assign a Remote Host Template".

Summary

The tnrhdb database must have an IP address and template name for every host or subnet that the computers in the Trusted Solaris 8 domain can communicate with:

  1. The NIS master server (that is, this host)

  2. Every NIS client that will be in the Trusted Solaris 8 domain, or its subnet wildcard mechanism nnn.nnn.nnn.0

  3. Every static router (open network only)

  4. Every other workstation with which the domain can communicate, or a wildcard address for its subnet (open network only)

Set Up the NIS+ Domain

Setting up the NIS+ root master sets up the NIS+ domain for the Trusted Solaris NIS+ clients. Several NIS+ tables have been created or modified to hold Trusted Solaris data about label configuration, users, roles, execution profiles, and remote hosts.

To Set the Stage

  1. As root, create a staging area for files you plan to use to populate the NIS+ databases.

    You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.


    # mkdir -p /setup/files

  2. Copy the sample /etc files into the staging area.

    Most of the files you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the NIS+ tables are created all at once. If you choose not to create these files, you can create them later, but the nispopulate(1M) command may print out a few warning messages.


    # cd /etc
# touch bootparams ethers netgroup netmasks timezone

# cp bootparams ethers netgroup netmasks timezone \
aliases auto_home auto_master group hosts networks \
protocols publickey rpc services /setup/files

# cd security
# cp  auth_attr prof_attr exec_attr /setup/files/
# # 
# cd /etc/security/tsol
# cp tnrhdb tnrhtp /setup/files
# # 
# cd /etc/inet
# cp ipnodes /setup/files

  3. Create empty files in the staging area of files whose contents should not be distributed.


    # cd /setup/files
# touch audit_user passwd shadow user_attr

    All entries in the passwd, shadow, and user_attr files on a newly-installed system are local users who should be restricted to local access. The name service will create empty databases from the empty files, and will not print spurious warning messages.

  4. Check that all the files are now in your staging area; there are 25.


    # ls | wc -l
     25

  5. Edit the hosts file in your staging area.

    1. Open the Admin Editor and enter /setup/files/hosts for editing.

      For more detailed instructions, see "To Create or Open a File from the Trusted Editor".

      The file already contains the NIS+ root master (that is, this host's address) and the static routers, if any.

    2. Add every workstation that will be in the Trusted Solaris 8 domain.

      There is no wildcard mechanism here. The IP address of every workstation to be contacted must be in this file.

      Caution - Caution -

      Failure to include a workstation will cause client authentication to fail; the NIS+ client will have no credentials.

    3. Add every other workstation with which the domain can communicate.

    4. Use the :wq! command to write the file and exit the editor.

    There is enough information in your staging area to convert your host to a NIS+ master.

    Caution - Caution -

    If you have edited any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS+ tables. Failure to do so can result in the inability to further administer or use the system.

To Set Up NIS+ with Databases from the Staging Area

For fuller descriptions of NIS+ setup and administration, see

  1. Double-click the Create NIS+ server action in the System_Admin folder.

    See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

  2. Enter your NIS+ domain name.

    This workstation will be the root master. For example, 


    Domain Name: aviary.eco.org.

    There is a period at the end of the domain name.

  3. Answer the prompts ( y, y, rootpassword).

    You can ignore diagnostics printing out that the file /etc/defaultdomain cannot be located. The file will be created.

  4. In the /setup/files directory, make sure that you have added all NIS+ clients to the hosts file.


    # cd /setup/files
# more hosts

  5. Populate the standard NIS+ databases from the /setup/files directory by running the Populate NIS+ Tables action in the System_Admin folder.

  6. Enter your staging area when prompted. 


    Populate from which directory? /setup/files

  7. Answer the prompts (y, y).


    ...
Is this information correct? y
...
Do you want to continue? y

  8. Load any additional NIS+ tables you may have backed up, such as auto_home.

    Procedures vary depending on the format of the backup and on what types of NIS+ tables they are. Refer to the Solaris Naming Setup and Configuration Guide for details of how to load your tables.

  9. Do not reboot your system yet.

Set Up the NIS+ SMC Toolbox

The tsol_nisplus.tbx file on the NIS+ master must be edited before it can be used to administer the domain.

To Modify the NIS+ Toolbox for SMC

    Follow the procedure "To Edit Name Service Toolbox Definitions".

Set Up DNS

Note -

Skip this procedure if the security administrator has planned a closed network.

If you are using DNS to contact hosts outside of your domain, you must set it up. For detailed information about DNS, see the Solaris Naming Setup and Configuration Guide.

  1. Create a resolv.conf file with the appropriate name servers using the Set DNS Servers action.

    1. Enter the string nameserver followed by the IP address of one of your name servers, and repeat for all name servers.

      The file looks something like:


      nameserver nnn.nnn.nnn.nnn
nameserver nnn.nnn.nnn.nnn

    2. Write the file and exit the editor.

  2. Using the Name Service Switch action, change the hosts entry in the /etc/nsswitch.conf file to use DNS. 

    ~
#hosts:      nisplus [NOTFOUND=return] files
#Uncomment the following line, and comment out the above,
#to use both DNS and NIS+.  You must also set up the
#/etc/resolv.conf file for DNS name server lookup.
#See resolv.conf(4).
hosts:      files nisplus dns
~

Reboot the Workstation

    Shut down the workstation from the TP (Trusted Path) menu, as described in "To Reboot the Workstation".

Install and Configure the Home Directory Server

Install and configure the home directory server and mount the home directories before adding roles and users.

  1. Install the host that will become the home directory server.

    Follow the procedure described in "Installing a Trusted Solaris System from CD", then return here.

  2. Configure the home directory server as described in "Client Configuration Tasks" through the procedure, "Share Home Directories".

  3. Then, create the administrative roles on the NIS+ master as described in "Create Roles on the NIS+ Master".

    Note -

    The administrative roles are created as network-visible accounts, not as local accounts. Their home directories are mounted from the home directory server.

Create Roles on the NIS+ Master

The roles admin, secadmin, primaryadmin and oper must be created in the new NIS+ domain using the Administrative Roles tool in the Solaris Management Console.

Prerequisite: The home directory server has been created and the home directories are automounting.

  1. Log in to the NIS+ master as the user install and assume the root role.

  2. Follow the steps in "How to Create Administrative Roles".

    Note -

    If, after reboot, SMC complains that the server is not running, re-check your edits from "To Edit Name Service Toolbox Definitions". Look for misplaced periods, extra characters, and leftover < or > brackets.

Add Roles to the NIS+ Admin Group

The first admin argument is the name of a NIS+ table. The last two arguments are the names of Trusted Solaris administrative roles, admin, secadmin, and primaryadmin.

    Add the admin, secadmin, and primaryadmin roles to the NIS+ admin group.


    # nisgrpadm -a admin admin secadmin primaryadmin

Create Users to Assume Roles

The install team in the root role creates at least two users, to assume the roles secadmin and admin. It is also useful to create a user who can assume the primaryadmin role. Where site security permits, a user can be assigned more than one administrative role.

Note -

Prerequisite: The secadmin and admin administrative roles have been created.

    Still in the root role, follow the steps in "To Create a User", and select the name_server: Scope=NIS+, Policy=TSOL toolbox.

Log Out

    Log out by clicking the EXIT button on the Front Panel.

Verify that Users and Roles Work

    Log in as a user, assume an administrative role, and test the role for effectiveness.

    Using the name_server: Scope=NIS+, Policy=TSOL toolbox, follow the procedures in "How to Verify that Users and Roles Work" to ensure that every role is working.

Set Up Auditing

The security administrator is responsible for auditing decisions.

  1. If site security does not require auditing, disable it.

    To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

  2. After disabling auditing, go to the next task you plan to do.

To Configure Auditing

    Follow the procedures in Trusted Solaris Audit Administration to configure auditing at your site.

    Who is audited and for what events should be the same on every workstation. Copy any modified audit configuration files from the NIS+ root master to every NIS+ client using the procedure in "Copy Configuration Files for Distribution to Clients". Note that the /etc/security/audit_user file is governed by the NIS+ name service, so does not need to be copied.

Mount File Systems

    Use the SMC Mounts tool to mount the file system, as described in "How to Mount a File System".

Share File Systems

    To share file systems that other workstations may access, use the SMC Shares tool as described in "How to Share a File System".

Copy Configuration Files for Distribution to Clients

  1. As root at label ADMIN_LOW, create a directory that cannot be deleted between reboots.


    # mkdir /export/clientfiles

  2. As root at label ADMIN_HIGH, use the File Manager to copy your modified label_encodings file to the /export/clientfiles directory.

    See "How to Copy to and from a Portable Medium" if you are unsure of the procedure.

  3. If you modified other files, copy them to the /export/clientfiles directory. You must be root at label ADMIN_LOW.

    For example, most sites will want to copy the /var/sadm/smc/toolboxes/tsol_nameservice/tsol_nameservice.tbx file to the client machines. A site that is using a modified tnrhtp file, DNS, and auditing might copy the files /etc/security/audit_control, /etc/security/audit_startup, /etc/security/tsol/tnrhtp, /etc/resolv.conf, and /etc/nsswitch.conf.

  4. Transfer the label_encodings file to a diskette labeled ADMIN_HIGH.

    If you are unsure of the steps, see "To Copy to a Diskette".

  5. Transfer the other files to a diskette labeled ADMIN_LOW.

Delete the User install

The user install is useful for installing and initially configuring a workstation. Where site security demands, the admin role at label ADMIN_LOW removes the user.

Caution - Caution -

Do not remove the user install until you are satisfied that the client workstations can communicate with the NIS+ master.

    See "How to Delete a Local User" if you have not deleted a local user in the Trusted Solaris system before.