Trusted Solaris Installation and Configuration

Chapter 8 Configuring a NIS or NIS+ Client

This chapter provides procedures to configure the name service clients at your site interactively, after you have configured the NIS+ master.

Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the workstation, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

Client Configuration Tasks

Configuring a name service client is similar to configuring its master, except that configuration details the client receives from the master do not have to be repeated.

Depending on your site configuration and installation method, some procedures can be omitted.

Log In and Protect the Workstation

  1. Log in as a user who can assume the root role and assume it.

    See "How to Log In" if you are unsure of the steps.

  2. Protect the workstation.

    See "How to Protect Machine Hardware" if you are unsure of the steps.

Copy Configuration Files from the Master

For either the NIS+ or the NIS name service, you made a diskette for the client in "Copy Configuration Files for Distribution to Clients".

To Copy Master Files from Diskette

  1. As root, at label ADMIN_LOW, make a temporary directory and go to it.


    # mkdir /export/clientfiles
    # cd /export/clientfiles
    
  2. Copy the files from the diskette.

    See "To Copy from a Diskette" if you are unsure of the steps.

Copy the Name Service Master's label_encodings File

The label_encodings file on the client machine must be identical to the one on the name service master. If you are sure it is identical, you may skip this step.

  1. As root, at label ADMIN_HIGH, copy the name service master's label_encodings file to the /etc/security/tsol directory.

    Follow the procedure in "To Copy from a Diskette".

  2. Continue with "How to Install a Label Encodings File" to install and read the label encodings file into the environment.

Initialize the Solaris Management Console

  1. Follow the procedure "To Initialize the SMC Server".

  2. Use two File Managers to copy the name service master's toolbox file from /export/clientfiles to /var/sadm/smc/toolboxes/tsol_name_service/tsol_name_service.tbx.

Set Up Static Routing

If you set up static routing on the name service master, set it up on the clients.

  1. Determine the appropriate static routing for the client.

    Table 8-1 Client Static Routing Entry

                                      Client on same subnet            Client on different subnet
    Name service master has           Use same entry as master's       Static routing will be slightly
    1 network interface                                                different for the subnet
    Name service master has           Enter master's other network interface(s) in static routing file
    >1 network interface

  2. To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".

Add Remote Hosts

The install team enters into the local hosts database every host that the local machine should contact upon booting. If the local machine is a name service client, it will find its file servers, home directory server, and other servers from the name service master.

    Follow the procedure "How to Add Hosts".

Copy the Name Service Master's Tnrhtp Database

You can skip this step if your site is using the label_encodings file and the tnrhtp file that were installed from the Trusted Solaris 8 Installation CD.


Note -

The tnrhtp(4) template definition and name for the name service master must be identical on the client and master when you create the client.


    As root, at label ADMIN_LOW, use two File Managers to copy the tnrhtp file from the /export/clientfiles directory to /etc/security/tsol/tnrhtp.

Assign Templates to Remote Hosts

The clients get most of their template assignments from the name service. The local tnrhdb database must contain servers that are contacted during boot, such as the name service master (or its subnet), static routers, and any audit servers.

  1. At the label ADMIN_LOW, in an administrative role, initially the root role, invoke the Solaris Management Console from the Application Manager.

  2. Click this_host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.

  3. Click Trusted Solaris Configuration, then Computers and Networks, then double-click Security Families.

    The remote host templates display in the View pane.

  4. Double-click the tsol remote host template.

  5. Choose Add Host(s) from the Action menu.

  6. Click Add Host, then enter the IP address and template name (tsol) of the Trusted Solaris name service master.

    See "How to Assign a Remote Host Template" if you are unsure of the steps.

  7. If the client's audit records are stored on an audit server, add the audit server by choosing Action > Add Host(s), Add Host, and entering the audit server's IP address and tsol host type.

  8. Choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and host type of the static router(s).

    A client with one defaultrouter and no audit server would have three entries in its tnrhdb:

    1. The client and its host type (tsol).

    2. The name service master and its host type (tsol), or its subnet fallback IP address and tsol.

    3. The defaultrouter and its host type.

  9. Open a terminal to reload and verify the updated tnrhdb database.


    # tnctl -H /etc/security/tsol/tnrhdb
    # tninfo -h
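The three entries listed under step 8 are exactly what the client needs to reach its master and router at boot, and a tnrhdb that lacks one of them is reloaded without complaint by tnctl. The following shell script is an added example, not part of the Trusted Solaris documentation: it checks that a tnrhdb file contains every required ADDRESS:TEMPLATE entry before the database is reloaded. It assumes that each non-comment tnrhdb line has the form ADDRESS:TEMPLATE; the addresses in the sample file are constructed for this example, and tnrhdb_reload_if_complete (which wraps the chapter's own tnctl and tninfo commands) is shown but not executed.

```sh
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation: verify that a
# tnrhdb file carries the boot-time entries the chapter lists (client, name
# service master or its subnet fallback, default router, optional audit
# server) before reloading it with tnctl.
#
# Assumption: each non-comment tnrhdb line has the form ADDRESS:TEMPLATE.
# Addresses and template names below are constructed for this example.

# tnrhdb_has FILE ADDRESS TEMPLATE
# Succeeds if FILE assigns TEMPLATE to ADDRESS; comment lines are ignored.
tnrhdb_has() {
    file=$1
    # Escape the dots so they match literally rather than as regex wildcards.
    addr=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -v '^#' "$file" | grep -q "^${addr}:${3}[[:space:]]*\$"
}

# tnrhdb_check FILE ENTRY...
# Each ENTRY is ADDRESS:TEMPLATE. Prints one status line per entry and
# returns the number of entries missing from FILE (0 means complete).
tnrhdb_check() {
    file=$1
    shift
    missing=0
    for entry in "$@"; do
        addr=${entry%%:*}
        tmpl=${entry#*:}
        if tnrhdb_has "$file" "$addr" "$tmpl"; then
            echo "ok       $entry"
        else
            echo "MISSING  $entry"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# tnrhdb_reload_if_complete FILE ENTRY...
# Runs the check and only then reloads the kernel copy with the chapter's
# step 9 commands, tnctl(1M) and tninfo(1M). Not executed in this example.
tnrhdb_reload_if_complete() {
    tnrhdb_check "$@" || return $?
    tnctl -H "$1" && tninfo -h
}

# write_sample_tnrhdb FILE
# Writes a constructed tnrhdb for a client with one default router and no
# audit server: the three entries listed under step 8.
write_sample_tnrhdb() {
    cat > "$1" <<'EOF'
# constructed sample tnrhdb (documentation addresses, not a real site)
192.0.2.10:tsol
192.0.2.5:tsol
192.0.2.1:tsol
EOF
}

# Stand-alone demonstration: the complete file passes; a check that expects
# a different router address reports it as MISSING and returns 1.
sample=$(mktemp) || exit 1
write_sample_tnrhdb "$sample"
rc=0
tnrhdb_check "$sample" 192.0.2.10:tsol 192.0.2.5:tsol 192.0.2.1:tsol || rc=$?
echo "complete file: missing=$rc"
rc=0
tnrhdb_check "$sample" 192.0.2.10:tsol 192.0.2.5:tsol 192.0.2.254:tsol || rc=$?
echo "wrong router: missing=$rc"
rm -f "$sample"
```

Run it against the real file as tnrhdb_check /etc/security/tsol/tnrhdb followed by the entries for your own client, master and router; the return value is the number of missing entries, so a zero status is the signal to proceed with tnctl.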
    

Verify Communication with the Name Service Master


Note -

Skip this procedure if the client specified the name service, NIS or NIS+, during network install.


  1. As root, at label ADMIN_LOW, check to see that you can ping the name service master.


    # ping name-service-master
    
  2. Check to see that you can rup the name service master.


    # rup name-service-master
    

    If the rup(1) command succeeds, you may proceed. If it fails, debug your network setup until the rup command succeeds.


    Note -

    If you have added a client that was not initially on the master, you must add it to the master and assign it a template. On the master, the ping and rup commands must work to contact the new client.


Summary

These client files must be compatible with the name service master files:

The client's local tnrhdb(4) file must have the IP address and host type of the NIS+ master (or the IP address and host type of the subnet), the client's static routers, and the client.

In addition, the client's address and name, the NIS+ master's name and address, and the static routers' names and addresses must be in the local hosts database.

Add the Client to the Name Service Domain


Note -

Skip this procedure if the client specified a name service during network install. After JumpStart installation, you must do the procedure to add the client to the domain.


Add Client to the NIS+ Domain

Prerequisite: The rup command must succeed in both directions: from client to master, and master to client.

  1. As root, at label ADMIN_LOW, add the workstation as a NIS+ client using the Create NIS+ Client action in the System_Admin folder.

    See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

  2. Enter the NIS+ domain name and hostname of the root master. There is a period at the end of the domain name.

    For example,


       Domain Name: aviary.eco.org.
       Hostname of NIS+ Master: toucan
    

  3. Answer the prompts (y, your-master's-ip-address, nisplus, rootpassword).

    You can ignore diagnostics printing out that certain files and directories cannot be located. The files and directories will be created.

  4. Do not reboot when the nisclient(1M) script prints out:


       Once initialization is done, you will need to reboot your machine.

    You will reboot after setting up DNS.

Add Client to the NIS Domain

  1. As root, at label ADMIN_LOW, add the workstation as a NIS client using the Create NIS Client action in the System_Admin folder.


    Note -

    If this is a NIS slave server, make sure you enter this host name and the name of the master server at the prompts.


    See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

    The action copies the nsswitch.nis file to the nsswitch.conf file.

  2. Do not reboot until after you have set up DNS.

Set Up DNS and the Name Service Switch

If you are using DNS to contact hosts outside of your domain, or if you have altered the resolv.conf and nsswitch.conf files on the name service master, set up DNS before rebooting.

    As root, at label ADMIN_LOW, set up the DNS nameservers and the name service switch by copying the files resolv.conf and nsswitch.conf from the /export/clientfiles diskette to the /etc directory.

    Make a copy of the original file and use the File Manager, as described in "To Copy from a Diskette".
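Because the two files are copied as a pair, a resolv.conf that names servers while the hosts line of nsswitch.conf omits the dns source leaves the client unable to resolve outside hosts after the reboot, and the reverse leaves a lookup that can only time out. The following shell script is an added example, not part of the Trusted Solaris documentation: it parses both files and reports whether they agree before you reboot. It assumes standard resolv.conf(4) "nameserver ADDRESS" lines and a standard nsswitch.conf(4) "hosts:" line; the sample files are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation: confirm that
# the resolv.conf and nsswitch.conf copied from /export/clientfiles agree
# with each other before the client is rebooted.
#
# Assumptions: standard resolv.conf(4) "nameserver ADDRESS" lines and a
# standard nsswitch.conf(4) "hosts: source ..." line. Sample contents below
# are constructed for this example.

# resolv_nameserver_count FILE
# Prints the number of nameserver lines in FILE (comments ignored).
resolv_nameserver_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '^[[:space:]]*nameserver[[:space:]]' || true
}

# nsswitch_hosts_uses_dns FILE
# Succeeds if the hosts: line of FILE lists dns as a source.
nsswitch_hosts_uses_dns() {
    line=$(sed -n 's/^[[:space:]]*hosts:[[:space:]]*//p' "$1" | head -n 1)
    for tok in $line; do
        [ "$tok" = dns ] && return 0
    done
    return 1
}

# dns_switch_consistent RESOLV NSSWITCH
# Returns 0 when both files configure DNS or neither does; prints a
# diagnostic and returns 1 on a mismatch.
dns_switch_consistent() {
    ns=$(resolv_nameserver_count "$1")
    if nsswitch_hosts_uses_dns "$2"; then uses=yes; else uses=no; fi
    if [ "$ns" -gt 0 ] && [ "$uses" = no ]; then
        echo "MISMATCH: $1 lists $ns nameserver(s) but hosts: in $2 has no dns source"
        return 1
    fi
    if [ "$ns" -eq 0 ] && [ "$uses" = yes ]; then
        echo "MISMATCH: hosts: in $2 lists dns but $1 has no nameserver"
        return 1
    fi
    echo "ok: nameservers=$ns, dns in switch=$uses"
    return 0
}

# write_sample_resolv FILE
# Constructed resolv.conf with two nameservers (documentation addresses).
write_sample_resolv() {
    cat > "$1" <<'EOF'
# constructed sample resolv.conf
domain aviary.eco.org
nameserver 192.0.2.53
nameserver 192.0.2.54
EOF
}

# write_sample_nsswitch FILE yes|no
# Constructed nsswitch.conf whose hosts: line includes dns when $2 is yes.
write_sample_nsswitch() {
    if [ "$2" = yes ]; then hosts='files nisplus dns'; else hosts='files nisplus'; fi
    {
        echo '# constructed sample nsswitch.conf'
        echo 'passwd:     files nisplus'
        echo 'group:      files nisplus'
        echo "hosts:      $hosts"
    } > "$1"
}

# Stand-alone demonstration: a matching pair, then a switch without dns.
dir=$(mktemp -d) || exit 1
write_sample_resolv "$dir/resolv.conf"
write_sample_nsswitch "$dir/nsswitch.conf" yes
dns_switch_consistent "$dir/resolv.conf" "$dir/nsswitch.conf" || :
write_sample_nsswitch "$dir/nsswitch.conf" no
dns_switch_consistent "$dir/resolv.conf" "$dir/nsswitch.conf" || :
rm -rf "$dir"
```

On the client, run dns_switch_consistent /etc/resolv.conf /etc/nsswitch.conf after the copy and before the reboot; a nonzero status means one of the two files was copied without the other, or the master's files were altered inconsistently.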

Reboot the Workstation


Note -

Skip this procedure if the client was installed over the network.


  1. Shut down the workstation from the TP (Trusted Path) menu.

  2. If this is a NIS slave server, do the following steps:

    1. Log in as install and assume the root role.

    2. Open a terminal and run the following command:


      # /usr/sbin/ypinit -s master_server
      

    3. Reboot again to enable the slave server to serve clients.

Share Home Directories

  1. If this client is the home directory server, share home directories by following the steps in "How to Share a File System".

  2. Return to the procedure and chapter you are working from.

Finish Configuring the Workstation

If you are configuring a site that satisfies criteria for an evaluated configuration, read "Understand Your Site's Security Policy".

Security Administrator Responsibilities

The secadmin role handles auditing and security attributes on file systems.

System Administrator Responsibilities

The admin role handles file system management, and user account creation and deletion.

Trusted Solaris Administrator's Procedures provides examples; Trusted Solaris Administration Overview provides background.