test

Trusted Solaris Installation and Configuration

NIS Configuration Tasks

The first workstation installed on a network has special status. It must be installed interactively from the CD-ROM, and is configured as the NIS master server. Subsequent machines are installed as NIS clients.

Configuring a NIS master involves entering security information, some of which is copied to the clients, and entering details local to the workstation itself.

Other administrative tasks, such as protecting file systems, handling mail, and setting up printing are covered in Trusted Solaris Administrator's Procedures.

If you are configuring a site that satisfies criteria for an evaluated configuration, use NIS+, not NIS.

The procedures are not numbered. Depending on your site configuration, some procedures can be omitted.

Log In and Launch a Terminal

  1. Log on to the workstation as the user install.

    See "How to Log In" if you have not logged in before.

  2. Assume the root role.

    See "How to Assume a Role" if you have not assumed a role before.

    You are in a new workspace named root, designed for the root role. The session label is still ADMIN_LOW, but the root role has more powers than the user install.

  3. Launch a terminal.

    See "How to Launch a Terminal" if you are unfamiliar with launching a terminal in the Solaris or Trusted Solaris environment. The terminal contains a profile shell that is specific to the root role.

Protect the Workstation

    Protect the PROM or the BIOS.

    See "How to Protect Machine Hardware" if you are unfamiliar with the steps.

Check and Install the label_encodings File

The Failed Cross Reference Format should be the same on every host in your domain. The Failed Cross Reference Format is responsible for preparing, checking, and maintaining the label_encodings file.

You will use a copy of the label_encodings file on the NIS clients.

If you are familiar with label encodings files, you can use the following procedure. However, if you are not familiar with label encodings files, read the requirements and follow the procedures in Trusted Solaris Label Administration.

  1. Follow the procedure in "How to Install a Label Encodings File".

    Caution - Caution -

    You must successfully complete this step before continuing or the installation will fail.

  2. Set up a copy of the label_encodings file for the NIS clients in "Copy Configuration Files for Distribution to Clients".

Initialize the Solaris Management Console

    Follow the procedure "To Initialize the SMC Server".

Set Up Static Routing (Optional)

Note -

If you plan to use dynamic routing, skip this procedure.

    To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".

Add Remote Hosts

    Follow the procedure "How to Add Hosts".

Add and Assign Remote Host Templates

Note -

If your site is using a site-specific label encodings file, you must ensure that the templates in the tnrhtp(4) accurately reflect the label_encodings file.

If you plan to mount file systems from unlabeled hosts at a label available to users, or enable communications using services such as ftp, or route through an unlabeled host, you must have a template to assign those unlabeled hosts. If you are using the label_encodings file provided on the Trusted Solaris installation CD, the tnrhtp shipped on the installation CD contains possible templates.

The tnrhdb should include the host type and IP addresses of the workstations on your network and the host type and IP addresses of any other subnets and hosts with which your Trusted Solaris 8 network can communicate. The system administrator collects the IP addresses. The security administrator determines what networks can contact the Trusted Solaris 8 network; for a list of host types, see Table 1-3.

  1. Follow the procedure for editing the tnrhtp described in "How to Add a Remote Host Template".

    Note -

    You can skip this step if your site is using two files that are provided Trusted Solaris installation CD: the label_encodings file and the tnrhtp file. If you have installed your own label encodings file, you must ensure that the templates in the tnrhtp file accurately describe the hosts, labeled and unlabeled, that communicate with your site.

  2. Follow the procedure for assigning templates to remote hosts described in "How to Assign a Remote Host Template".

    This step is required to set up a working Trusted Solaris network.

Summary

The tnrhdb database must have an IP address and template name for every host or subnet that the computers in the Trusted Solaris 8 domain can communicate with:

  1. The NIS master server (that is, this host)

  2. Every NIS client that will be in the Trusted Solaris 8 domain, or its subnet wildcard mechanism nnn.nnn.nnn.0

  3. Every static router (open network only)

  4. Every other workstation with which the domain can communicate, or a wildcard address for its subnet (open network only)

Set Up the NIS Domain on the Master Server

Setting up the NIS domain on the NIS master server starts the processes that enable the Trusted Solaris NIS clients to reach the server. Several NIS files have been created or modified to hold Trusted Solaris data about label configuration, users, roles, execution profiles, and remote hosts.

For fuller descriptions of NIS setup and administration, see

Set Up the Staging Area

  1. As root, create a staging area for files you plan to use to populate the NIS files.

    You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.


    # mkdir -p /setup/files/security/tsol

  2. Copy the sample /etc files into the /setup/files directory of the staging area.

    Most of the files you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the NIS databases are created all at once. If you choose not to create these files, you can create them later, but the ypinit(1M) command may print out a few warning messages.


    # cd /etc
# touch bootparams ethers netgroup netmasks timezone

# cp bootparams ethers netgroup netmasks timezone \
aliases auto_home auto_master group hosts networks \
protocols publickey rpc services /setup/files

# cd /etc/inet
# cp ipnodes /setup/files

  3. Create empty files in the /setup/files directory of the staging area for files whose contents should not be distributed.


    # cd /setup/files
# touch passwd shadow user_attr

    All entries in the passwd, shadow, and user_attr files on a newly-installed system are users who should be restricted to local access. The name service will create empty databases from the empty files, and will not print spurious warning messages.

  4. Copy the *attr files from the /etc/security directory into the /setup/files/security directory of the staging area.


    # cd /setup/files/security
# cp /etc/security/*attr /setup/files/security

  5. Add an empty audit_user file to the /setup/files/security directory and count the files in the directory.


    # pwd
/setup/files/security
# touch audit_user
# ls -F /setup/files | grep -v "/" | wc -l
4

  6. Copy the tnrhdb and tnrhtp files from the /etc/security/tsol directory into the /setup/files/security/tsol directory of the staging area. List and count the files.


    # cd /setup/files/security/tsol
# cp /etc/security/tsol/tnrh* .
# ls ; ls | wc -l
tnrhdb tnrhtp
       2

  7. Check that a total of 25 files are now in your staging area.

    There are 4 in the security directory, 2 in the tsol directory, and 19 in the files directory.


    # cd /setup/files
# ls -F /setup/files | grep -v "/" | wc -l
      19

  8. Edit the hosts file in your staging area.

    1. Open the Admin Editor and enter /setup/files/hosts for editing.

      The file already contains the NIS master server (that is, this host's address) and the static routers, if any.

    2. Add every workstation that will be in the Trusted Solaris 8 domain.

      There is no wildcard mechanism here. The IP address of every workstation to be contacted must be in this file.

      Caution - Caution -

      Failure to include a workstation will cause client connection to fail.

    3. Add every other workstation with which the domain can communicate.

    4. Use the :wq! command to write the file and exit the editor.

    There is enough information in your staging area to convert your host to a NIS master.

    Caution - Caution -

    If you have edited any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS maps. Failure to do so can result in the inability to further administer or use the system.

Modify the /yp/Makefile

The /var/yp/Makefile file must be modified to point to the staging area and its subdirectories.

  1. Edit the /var/yp/Makefile in the Admin Editor.

  2. Change three variables: PWDIR, DIR, and INETDIR to point to /setup/files.

  3. Change the RBACDIR variable to point to the $(DIR)/security directory.

  4. Change all four instances of $(DIR)/tnrhtp in the tnrhtp.time: target to $(DIR)/security/tsol/tnrhtp, as shown in the following lines: 

       tnrhtp.time:  $(DIR)/security/tsol/tnrhtp
      -@if [ -f $(DIR)/security/tsol/tnrhtp ]; then \
              sed -e "/^#/d" -e s/#.*$$// $(DIR)/security/tsol/tnrhtp \
              ...
              echo "couldn't find $(DIR)/security/tsol/tnrhtp"; \

    Note -

    Do not do a global replace. There are lines at the end of the Makefile that should not be changed.

  5. Change all four instances of $(DIR)/tnrhdb in the tnrhdb.time: target to $(DIR)/security/tsol/tnrhdb, as shown in the following lines: 

       tnrhdb.time:  $(DIR)/security/tsol/tnrhdb
     -@if [ -f $(DIR)/security/tsol/tnrhdb ]; then \
             sed -e "/^#/d" -e s/#.*$$// $(DIR)/security/tsol/tnrhdb \
             ...
             echo "couldn't find $(DIR)/security/tsol/tnrhdb"; \

    Note -

    Do not do a global replace. There are lines at the end of the Makefile that should not be changed.

Create NIS Maps from the Staging Area

  1. Double-click the Create NIS Server action in the System_Admin folder.

    See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

  2. Enter your NIS domain name.

    For example, 


    Domain Name: aviary.eco.org

    This action creates the domain name, establishes this workstation as the NIS master server, and copies the /etc/nsswitch.nis file over /etc/nsswitch.conf.

  3. When prompted for other NIS servers, enter their host names one by one.

    For example, 


    Host: tern

  4. Follow the instructions for ending the prompts.

    The action creates NIS maps from the /setup/files directory. It uses your modified /var/yp/Makefile to create the /var/yp/NIS_maps.

  5. Do not reboot your system yet.

Set Up the NIS SMC Toolbox

The tsol_nis.tbx file on the NIS master server must be edited before it can be used to administer the domain.

To Modify the NIS Toolbox for SMC

    Follow the procedure "To Edit Name Service Toolbox Definitions".

Set Up DNS

Note -

Skip this procedure if the security administrator has planned a closed network.

If you are using DNS to contact hosts outside of your domain, you must set it up. For detailed information about DNS, see the Federated Naming Service Guide.

  1. Create a resolv.conf file with the appropriate name servers using the Set DNS Servers action.

    1. Enter the string nameserver followed by the IP address of one of your name servers, and repeat for all name servers.

      The file looks something like:


      nameserver nnn.nnn.nnn.nnn
nameserver nnn.nnn.nnn.nnn

    2. Write the file and exit the editor.

  2. Using the Name Service Switch action, change the hosts entry in the /etc/nsswitch.conf file to use DNS. 

    ~
#hosts:      nis [NOTFOUND=return] files
hosts:    nis files dns
~

Reboot the Workstation

    Shut down the workstation from the TP (Trusted Path) menu, as described in "To Reboot the Workstation".

Install and Configure the Home Directory Server

Install and configure the home directory server, reboot it, and share the home directories before adding roles and users.

  1. Install the host that will become the home directory server.

    Follow the procedure described in "Installing a Trusted Solaris System from CD", then return here.

  2. Configure the home directory server as described in "Client Configuration Tasks" through the procedure, "Share Home Directories".

  3. Then, create the administrative roles on the NIS master server, as described in "Create Roles on the NIS Master Server".

    Note -

    The administrative roles are created as network-visible accounts, not as local accounts.Their home directories are mounted from the home directory server.

Create Roles on the NIS Master Server

The roles admin, secadmin, and oper must be created in the new NIS domain using Administrative Roles in the Solaris Management Console.

Prerequisite: The home directory server has been created and the home directories are automounting.

  1. Log in to the NIS master server as the user install and assume the root role.

  2. Follow the steps in "How to Create Administrative Roles".

    Note -

    If, after reboot, SMC complains that the server is not running, re-check your edits from "To Edit Name Service Toolbox Definitions". Look for misplaced periods, extra characters, and leftover < or > brackets.

Create Users to Assume Roles

The install team in the root role creates at least two users, to assume the roles secadmin and admin. It is also useful to create a user who can assume the primaryadmin role. Where site security permits, a user can be assigned more than one administrative role.

Note -

Prerequisite: The secadmin and admin administrative roles have been created.

    Still in the root role, follow the steps in "To Create a User", and select the name_server: Scope=NIS, Policy=TSOL toolbox.

Log Out

    Log out by clicking the EXIT button on the Front Panel.

Verify that Users and Roles Work

    Log in as a user, assume an administrative role, and test the role for effectiveness.

    Using the name_server: Scope=NIS, Policy=TSOL toolbox, follow the procedures in "How to Verify that Users and Roles Work" to ensure that every role is working.

Set Up Auditing

The security administrator is responsible for auditing decisions.

  1. If site security does not require auditing, disable it.

    To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

  2. After disabling auditing, go to the next task you plan to do.

To Configure Auditing

    Follow the procedures in Trusted Solaris Audit Administration to configure auditing at your site.

    Who is audited and for what events should be the same on every workstation. Copy any modified audit configuration files from the NIS master to every NIS client using the procedure in "Copy Configuration Files for Distribution to Clients". Note that the /etc/security/audit_user file is governed by the NIS name service, so does not need to be copied.

Mount File Systems

    Use the SMC Mounts tool to mount the file system, as described in "How to Mount a File System".

Share File Systems

    To share file systems that other workstations may access, use the SMC Shares tool as described in "How to Share a File System".

Copy Configuration Files for Distribution to Clients

  1. As root at label ADMIN_LOW, create a directory that cannot be deleted between reboots.


    # mkdir /export/clientfiles

  2. As root at label ADMIN_HIGH, use the File Manager to copy your modified label_encodings file to the /export/clientfiles directory.

    See "How to Copy to and from a Portable Medium" if you are unsure of the procedure.

  3. If you modified other files, copy them to the /export/clientfiles directory. You must be root at label ADMIN_LOW.

    For example, most sites will want to copy the /var/sadm/smc/toolboxes/tsol_nameservice/tsol_nameservice.tbx file to the client machines. A site that is using a modified tnrhtp file, DNS, and auditing might copy the files /etc/security/audit_control, /etc/security/audit_startup, /etc/security/tsol/tnrhtp, /etc/resolv.conf, and /etc/nsswitch.conf.

  4. Transfer the label_encodings file to a diskette labeled ADMIN_HIGH.

    If you are unsure of the steps, see "To Copy to a Diskette".

  5. Transfer the other files to a diskette labeled ADMIN_LOW.

Delete the User install

The user install is useful for installing and initially configuring a workstation. Where site security demands, the admin role at label ADMIN_LOW removes the user.

Caution - Caution -

Do not remove the user install until you are satisfied that the client workstations can communicate with the NIS master server.

    See "How to Delete a Local User" if you have not deleted a local user in the Trusted Solaris system before.