Configuring a name service client is similar to configuring its master, except that configuration details the client receives from the master do not have to be repeated.
Depending on your site configuration and installation method, some procedures can be omitted.
Log in as a user who can assume the root role and assume it.
See "How to Log In" if you are unsure of the steps.
Protect the workstation.
See "How to Protect Machine Hardware" if you are unsure of the steps.
For either the NIS+ or the NIS name service, you made a diskette for the client in "Copy Configuration Files for Distribution to Clients".
As root, at label ADMIN_LOW, make a temporary directory and go to it.
# mkdir /export/clientfiles
# cd /export/clientfiles
Copy the files from the diskette.
See "To Copy from a Diskette" if you are unsure of the steps.
The label_encodings file on the client machine must be identical to the one on the name service master. If you are sure it is identical, you may skip this step.
As root, at label ADMIN_HIGH, copy the name service master's label_encodings file to the /etc/security/tsol directory.
Follow the procedure in "To Copy from a Diskette".
Continue with "How to Install a Label Encodings File" to install and read the label encodings file into the environment.
Follow the procedure "To Initialize the SMC Server".
Use two File Managers to copy the name service master's toolbox file from /export/clientfiles to /var/sadm/smc/toolboxes/tsol_name_service/tsol_name_service.tbx.
If you set up static routing on the name service master, set it up on the clients.
Determine the appropriate static routing for the client.
Table 8-1 Client Static Routing Entry

| | Client on same subnet | Client on different subnet |
|---|---|---|
| Name service master has 1 network interface | Use same entry as master's | Static routing will be slightly different for the subnet |
| Name service master has >1 network interface | Enter master's other network interface(s) in static routing file | |
To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".
The install team enters every host that the local machine should contact upon booting into the local hosts database. If the local machine is a name service client, it will find its file servers, home directory server, and other servers from the name service master.
Follow the procedure "How to Add Hosts".
You can skip this step if your site is using the label_encodings file and the tnrhtp file that were installed from the Trusted Solaris 8 Installation CD.
The tnrhtp(4) template definition and name for the name service master must be identical on the client and master when you create the client.
As root, at label ADMIN_LOW, use two File Managers to copy the tnrhtp file from the /export/clientfiles directory to /etc/security/tsol/tnrhtp.
The clients get most of their template assignments from the name service. The local tnrhdb database must contain servers that are contacted during boot, such as the name service master (or its subnet), static routers, and any audit servers.
At the label ADMIN_LOW, in an administrative role, initially the root role, invoke the Solaris Management Console from the Application Manager.
Click this_host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.
Click Trusted Solaris Configuration, then Computers and Networks, then double-click Security Families.
The remote host templates display in the View pane.
Double-click the tsol remote host template.
Choose Add Host(s) from the Action menu.
Click Add Host, then enter the IP address and template name (tsol) of the Trusted Solaris name service master.
See "How to Assign a Remote Host Template" if you are unsure of the steps.
If the client's audit records are stored on an audit server, add the audit server by choosing Action > Add Host(s), Add Host, and entering the audit server's IP address and tsol host type.
Choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and host type of the static router(s).
A client with one defaultrouter and no audit server would have three entries in its tnrhdb:
The client and its host type (tsol)
The name service master and its host type (tsol), or its subnet fallback IP address and tsol
The defaultrouter and its host type
Open a terminal to reload and verify the updated tnrhdb database.
# tnctl -H /etc/security/tsol/tnrhdb
# tninfo -h
Skip this procedure if the client specified the name service, NIS or NIS+, during network install.
As root, at label ADMIN_LOW, check to see that you can ping the name service master.
# ping name-service-master
Check to see that you can rup the name service master.
# rup name-service-master
If the rup(1) command succeeds, you may proceed. If it fails, debug your network setup until the rup command succeeds.
If you have added a client that was not initially on the master, you must add it to the master and assign it a template. On the master, the ping and rup commands must work to contact the new client.
These client files must be compatible with the name service master files:
/etc/security/tsol/label_encodings
/etc/security/tsol/tnrhtp
The client's local tnrhdb(4) file must have the IP address and host type of the NIS+ master (or the IP address and host type of the subnet), the client's static routers, and the client.
In addition, the client's address and name, the NIS+ master's name and address, and the static routers' names and addresses must be in the local hosts database.
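The two checks the preceding summary and the tnrhdb procedure ask for (the client's local tnrhdb lists the client, the name service master, and the static routers with the expected templates, and the label_encodings and tnrhtp copies match the master's) can be scripted before reloading with tnctl. The following is an added example and not part of the Trusted Solaris documentation; it assumes the tnrhdb line form address:template_name, and the addresses, template names and file paths in it are constructed samples.

```shell
#!/bin/sh
# Constructed sample tnrhdb: client, name service master, and one default
# router, in the address:template_name form (not a real site file).
SAMPLE_TNRHDB=/tmp/tnrhdb.sample.$$
cat > "$SAMPLE_TNRHDB" <<'EOF'
# constructed client tnrhdb
192.168.10.25:tsol
192.168.10.2:tsol
192.168.10.1:unlabeled
EOF

# tnrhdb_template FILE ADDR
# Prints the template assigned to ADDR in FILE (comments stripped),
# or nothing if ADDR has no entry.
tnrhdb_template() {
    awk -F: -v a="$2" '{ sub(/#.*/, "") } $1 == a { print $2; exit }' "$1"
}

# check_tnrhdb FILE ADDR:TEMPLATE ...
# Verifies that every ADDR is listed with the expected TEMPLATE.
# Returns 0 when all match, 1 otherwise, reporting each mismatch on stderr.
check_tnrhdb() {
    file=$1; shift
    rc=0
    for want in "$@"; do
        addr=${want%%:*}
        tmpl=${want#*:}
        got=$(tnrhdb_template "$file" "$addr")
        if [ "$got" != "$tmpl" ]; then
            echo "tnrhdb: $addr expected template '$tmpl', found '${got:-none}'" >&2
            rc=1
        fi
    done
    return $rc
}

# same_file MASTER_COPY CLIENT_COPY
# Returns 0 if the two files are byte-identical; use it on the
# label_encodings and tnrhtp copies before relying on them.
same_file() {
    cmp -s "$1" "$2"
}

# Example run against the constructed sample (client, master, router):
check_tnrhdb "$SAMPLE_TNRHDB" \
    192.168.10.25:tsol 192.168.10.2:tsol 192.168.10.1:unlabeled \
    && echo "tnrhdb has all required boot-time entries"
```

Run it with the real file paths substituted (for example the client's /etc/security/tsol/tnrhdb and the master's copies under /export/clientfiles); a non-zero return from check_tnrhdb before tnctl -H means a boot-time host would be assigned no template.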
Skip this procedure if the client specified a name service during network install. After JumpStart installation, you must do the procedure to add the client to the domain.
Prerequisite: The rup command must succeed in both directions: from client to master, and master to client.
As root, at label ADMIN_LOW, add the workstation as a NIS+ client using the Create NIS+ Client action in the System_Admin folder.
See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.
Enter the NIS+ domain name and the hostname of the root master. Note the trailing period at the end of the domain name.
Domain Name: aviary.eco.org.
Hostname of NIS+ Master: toucan
Answer the prompts (y, your-master's-ip-address, nisplus, rootpassword).
You can ignore diagnostics printing out that certain files and directories cannot be located. The files and directories will be created.
Do not reboot when the nisclient(1M) script prints out:
Once initialization is done, you will need to reboot your machine.
You will reboot after setting up DNS.
As root, at label ADMIN_LOW, add the workstation as a NIS client using the Create NIS Client action in the System_Admin folder.
If this is a NIS slave server, make sure you enter this host name and the name of the master server at the prompts.
See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.
The action copies the nsswitch.nis file to the nsswitch.conf file.
Do not reboot until after you have set up DNS.
If you are using DNS to contact hosts outside of your domain, or if you have altered the resolv.conf and nsswitch.conf files on the name service master, set up DNS before rebooting.
As root, at label ADMIN_LOW, set up the DNS nameservers and the name service switch by copying the files resolv.conf and nsswitch.conf from the /export/clientfiles diskette to the /etc directory.
Make a copy of the original file and use the File Manager, as described in "To Copy from a Diskette".
Skip this procedure if the client was installed over the network.
If this client is the home directory server, share home directories by following the steps in "How to Share a File System".
Return to the procedure and chapter you are working from.
If you are configuring a site that satisfies criteria for an evaluated configuration, read "Understand Your Site's Security Policy".
The secadmin role handles auditing and security attributes on file systems.
To configure or to disable auditing, see Trusted Solaris Audit Administration.
To ensure that every workstation and user is audited identically, in the root role at label ADMIN_LOW, copy the name service master's /etc/security/audit* configuration files to each workstation (see "Copy Configuration Files from the Master"). Modify the dir: entries as described in Trusted Solaris Audit Administration.
To set security attributes on an unlabeled file system, enter the file system in the vfstab_adjunct(4) file.
The admin role handles file system management, and user account creation and deletion.
To share a file system, see "How to Share a File System".
To mount a file system, see "How to Mount a File System".
To delete the install user, see "How to Delete a Local User" if you have not deleted a local user in the Trusted Solaris environment before.