This chapter provides procedures to configure the name service clients at your site interactively, after you have configured the name server.
Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the computer, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.
Configuring a name service client is similar to configuring its master, except that configuration details the client receives from the master do not have to be repeated.
If the client machine was installed from a CD-ROM, you should expect to complete the configuration tasks in the following table. Depending on your site configuration, some procedures can be omitted.
Table 6-1 Task Map for Clients Installed from CD-ROM

| Task | Described |
|---|---|
| | Covers protecting the hardware, setting up the labels, and initializing the administration tools. |
| | Covers how to set up static routing. |
| | Covers how to specify the hosts that are contacted during boot. |
| | Covers how to connect to the name service. |
| | Covers how to share the home directory and mail server. |
| | Points you to auditing setup information, how to share and mount file systems, and how to delete the install user. |
If the client machine was installed over the network, you should expect to complete the configuration tasks in the following table in the appropriate role.
Table 6-2 Task Map for Clients Installed Over a Network

| Role | Task Responsibility After Network Installation |
|---|---|
| secadmin role | "Initialize the SMC Server", then "Assign Templates to Remote Hosts" |
| secadmin role | "(Optional) Set Security Attributes on Mounted File Systems" |
| admin role | "Initialize the SMC Server", then "Add Hosts to be Contacted During Booting" |
| admin role | "Copy the SMC Name Server Toolbox Definitions to the Client" |
If the client machine was installed using JumpStart scripts, you should expect to complete the configuration tasks in the following table in the appropriate role.
Table 6-3 Task Map for Clients Installed Using JumpStart

| Role | Task Responsibility After Network Installation |
|---|---|
| secadmin role | |
| admin role | |
Log in as install, assume the root role, and open a terminal.
See "Logging In and Launching a Terminal" for details.
In the terminal, enter the PROM security mode.

```
# eeprom security-mode=command
Changing PROM password:
New password: password
Retype new password: password
```

Choose the value command or full. See the eeprom(1M) man page for more details.
If you are not prompted to enter a PROM password, the system already has a PROM password. To change the PROM password, run the command (press Return after the equals sign):

```
# eeprom security-password=
Changing PROM password:
New password: password
Retype new password: password
```
The new PROM security mode and password are in effect immediately, but are most likely to be noticed at the next boot.
Do not forget this password. The hardware is unusable without it.
On Intel architecture, the equivalent to protecting the PROM is to protect the BIOS.
Refer to your machine's manuals for how to protect the BIOS.
The label_encodings file on the client machine must be identical to the one on the name service master. If you are sure it is identical, you may skip this step.
In the root role, create an ADMIN_HIGH workspace.
See "Create an Admin_High Workspace" for details.
In the ADMIN_HIGH workspace, allocate the floppy device, and insert the name service master's ADMIN_HIGH diskette containing the label_encodings file.
See "Allocate the Appropriate Device" for details.
Double-click the Check Encodings action in the System_Admin folder of the Application Manager and enter the full pathname of the label_encodings file.
Answer yes to install the name service master's label_encodings file on the client.
Deallocate the floppy drive, and return to a root workspace labeled ADMIN_LOW.
You made a diskette for the client in "Copy Configuration Files for Distribution to Clients".
In the root role at label ADMIN_LOW, allocate the floppy device, insert the ADMIN_LOW diskette of selected files from the name service master, and mount it.
Leave up the File Manager that shows the diskette's mount point.
In the root role in an ADMIN_LOW workspace, start the SMC server process in the terminal window.

```
# smc
```
The smc command initializes the SMC server. The first time the server is launched, it performs several registration tasks, which can take a few minutes.
If toolboxes do not load, see Step 2 in "Initializing the Solaris Management Console" for troubleshooting procedures. If the client was installed with the End User cluster, SMC will not run.
If you configured the name service master to use static routing, you must configure the clients to use the same routing method.
If the name service master is configured for static routing, determine the appropriate static routing for the client.
Table 6-4 Client Static Routing Entry

| Server Interfaces | Client on same subnet | Client on different subnet |
|---|---|---|
| Name service master has 1 network interface | Use same entry as master's | Static routing will be slightly different for the subnet |
| Name service master has >1 network interface | Enter master's other network interface(s) in static routing file | |
Configure the client to use the same static routing method as the one used on the master.
Note that a name service client finds its file servers, home directory server, mail server, and other servers from the name service master.
In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.

```
# smc
```
Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.
See Figure 9-1 for what tools should display in the Navigation pane.
The network wildcard 0.0.0.0 may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.
Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.
You can skip this step if your site did not modify or replace the label_encodings file and the tnrhtp file that were installed from the Trusted Solaris 8 4/01 Installation CD.
The tnrhtp(4) template definition and name for the name service master must be identical on the client and master.
In the root role at label ADMIN_LOW, copy the tnrhtp file from the /diskette-mount-point/export/clientfiles directory to /etc/security/tsol/tnrhtp.
See "To Copy Files From a Diskette" if you are unsure how to copy using the File Manager.
The clients get most of their template assignments from the name service. A client's local tnrhdb database must contain servers that are contacted during boot, such as the name service master (or its subnet), static routers, and any audit servers.
In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Trusted Solaris Configuration.
The remote host templates display in the View pane.
Double-click the remote host template, tsol.
Choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and template name (tsol) of the Trusted Solaris name service master.
Add the audit server by choosing Add Host(s) from the Action menu. Then click Add Host and enter the IP address of the client's audit server and tsol host type.
Again choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and host type of the static router(s).
A client with one defaultrouter and no audit server would have three entries in its tnrhdb:

- The client and its host type (tsol)
- The name service master and its host type (tsol), or its subnet fallback IP address and tsol
- The defaultrouter and its host type

Open a terminal to reload and verify the updated tnrhdb database.

```
# tnctl -H /etc/security/tsol/tnrhdb
# tninfo -h
```

These client files must be compatible with the name service master files:

- /etc/security/tsol/label_encodings
- /etc/security/tsol/tnrhtp
The client's local tnrhdb(4) file must have the IP address and host type of the NIS+ master (or the IP address and host type of the subnet), the client's static routers, and the client.
In addition, the client's address and name, the name service master's name and address, and the static routers' names and addresses must be in the local hosts database.
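The following shell script is an added example and is not part of the Trusted Solaris documentation. It checks a client's local tnrhdb file offline before you reload it with tnctl: it confirms that each required address:template entry (client, name service master, static router, and audit server if any) is present, and that the 0.0.0.0 wildcard entry has not been left in. It assumes the tnrhdb(4) layout of one address:template pair per line with # comment lines; the addresses and the sample file it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation): offline check of
# a client's local tnrhdb before it is reloaded with tnctl.
# Assumes the tnrhdb(4) line format "address:template" with '#' comment lines;
# all addresses below are constructed sample values.

# Print the active entries of a tnrhdb file: comments and whitespace removed,
# blank lines dropped.
tnrhdb_entries() {
    sed -e 's/#.*$//' -e 's/[[:space:]]//g' "$1" | grep -v '^$'
}

# Return 0 if FILE contains the exact entry ADDR:TEMPLATE, else 1.
tnrhdb_has() {
    tnrhdb_entries "$1" | grep -Fxq "$2"
}

# check_tnrhdb FILE ENTRY...   where each ENTRY is address:template.
# Reports every required entry that is missing and rejects the 0.0.0.0
# wildcard, which the chapter flags as a security risk.
# Exit status is the number of problems found (0 means the file passes).
check_tnrhdb() {
    file=$1; shift
    problems=0
    for entry in "$@"; do
        if ! tnrhdb_has "$file" "$entry"; then
            echo "missing required entry: $entry"
            problems=$((problems + 1))
        fi
    done
    if tnrhdb_entries "$file" | grep -q '^0\.0\.0\.0:'; then
        echo "wildcard 0.0.0.0 entry present; replace it with explicit hosts"
        problems=$((problems + 1))
    fi
    return $problems
}

# Write a constructed sample tnrhdb for a client with one default router and
# no audit server: the client itself, the name service master and the router.
write_sample_tnrhdb() {
    cat > "$1" <<'EOF'
# client's own address
192.0.2.10:tsol
# name service master
192.0.2.1:tsol
# default router
192.0.2.254:tsol
EOF
}

# Usage, with constructed addresses:
#   write_sample_tnrhdb /tmp/tnrhdb.sample
#   check_tnrhdb /tmp/tnrhdb.sample 192.0.2.10:tsol 192.0.2.1:tsol 192.0.2.254:tsol
```

Run the check against /etc/security/tsol/tnrhdb with the client's own address, the master's address (or its subnet fallback address) and each static router before running tnctl; a non-zero exit status lists exactly which boot-time host is still missing.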
Skip this procedure if the client specified the name service, NIS or NIS+, during network install.
As root, at label ADMIN_LOW, check to see that you can ping the name service master.

```
# ping name-service-master
```

Check to see that you can rup the name service master.

```
# rup name-service-master
```
If the rup(1) command succeeds, you may proceed. If it fails, debug your network setup until the rup command succeeds.
If you have added a client that was not initially on the master, you must add it to the master and assign it a template. On the master, the ping and rup commands must work to contact the new client before continuing.
Skip this procedure if the client specified a name service during network install. After JumpStart installation, you must do the procedure to add the client to the domain.
Prerequisite: The rup command must succeed in both directions: from client to master, and master to client.
In the root role at label ADMIN_LOW, add the host as a NIS+ client using the Create NIS+ Client action in the System_Admin folder.
Enter the NIS+ domain name and host name of the root master. There is a period at the end of the domain name.

```
Domain Name: aviary.example.org.
Hostname of NIS+ Master: eagle
```
Answer the prompts ( y, (your-master's-ip-address), nisplus, rootpassword).
You can ignore diagnostics printing out that certain files and directories cannot be located. The files and directories will be created.
Do not reboot when the program prints the message:
Once initialization is done, you will need to reboot your machine.
You will reboot after setting up DNS.
In the root role at label ADMIN_LOW, add the host as a NIS client using the Create NIS Client action in the System_Admin folder.
If this is a NIS slave server, make sure you enter this host name and the name of the master server at the prompts.
The action copies the nsswitch.nis file to the nsswitch.conf file.
Do not reboot until after you have set up DNS.
Administrators who want to administer the name service using SMC from this client system must do this procedure.
In the root role at label ADMIN_LOW, copy the name service master's tsol_nameservice.tbx file from the /diskette-mount-point/export/clientfiles directory to the /var/sadm/smc/toolboxes/tsol_nameservice directory.
If you did not copy the files to the client, do the "Edit SMC Toolbox Definitions for the Name Service" procedure on the client system.
Also copy the name service master's tsol_smc.tbx file from the /diskette-mount-point/export/clientfiles directory to the /var/sadm/smc/toolboxes/tsol_smc directory.
If you are using DNS to contact hosts outside of your domain, or if you have altered the resolv.conf and nsswitch.conf files on the name service master, set up DNS before rebooting.
In the root role at label ADMIN_LOW, set up the DNS nameservers and the name service switch by copying the files resolv.conf and nsswitch.conf from the /diskette-mount-point/export/clientfiles directory to the /etc directory.
If you did not copy the files to the client, follow the procedure in "(Optional) Set Up DNS".
Skip this procedure if the client was installed over the network.
Shut down the system from the TP (Trusted Path) menu, and reboot it.
If this is a NIS slave server, log in, assume the root role, open a terminal, and enable ypinit.
```
# /usr/sbin/ypinit -s NIS-master-server
```
Before continuing, reboot the machine again to enable it to serve NIS clients.
If this is an IMAP mail server, go to the NIS+ master and log in.
This procedure enables the mail server to authenticate users.
Assume the admin role in an ADMIN_LOW workspace, and open the System_Admin folder in the Application Manager.
Double-click the Add to NIS+ Administrative Group action and enter the group name and the full name of your mail server.
Use your domain name with the format subdomain.domain.suffix. For example:
```
Group Name: admin
Principal Name: pigeon.aviary.example.org.
```

Remember to type a period (.) at the end of the principal name.
See "Administering NIS+ Groups" in Solaris Naming Administration Guide for ways to restrict home directory access to particular groups.
In the root role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.
If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".
Click Storage, provide a password if prompted, then double-click Mounts and Shares, then double-click Shares.
Choose Add Shared Directory from the Action menu.
Follow the online help to share the /export/home directory.
The tool shares the directory and starts the NFS daemons.
Verify that the directories are shared.

```
$ showmount -e
export list for homedir-server:
/export/home
```
Repeat the above procedure to share the mail service directory.
For example, when the directories are shared, the showmount command would show something like the following:
```
$ showmount -e
export list for mail-server:
/export/post
```
If the users' home directories and email directories are on the same server, the command would show the following:
```
$ showmount -e
export list for server:
/export/home
/export/post
```
If you have not finished configuring the name service master, return to "Creating Roles and Users". Otherwise, continue below.
If you are configuring a site that satisfies criteria for an evaluated configuration, read "Understanding Your Site's Security Policy". Users assume the roles that have been created (security administrator and system administrator) to complete system configuration.
The client's audit configuration must be identical to the name service master's. The domain should collect auditing records as if one machine were being audited.
To ensure that every system and user is audited identically, in the root role at label ADMIN_LOW, copy the name service master's /etc/security/audit* configuration files to the system from the /diskette-mount-point/export/clientfiles directory.
In the secadmin role, customize the dir: entries for the local host in the audit_control file.
Follow the procedures in Trusted Solaris Audit Administration.
To set security attributes on an unlabeled file system, assume the role secadmin, and in an ADMIN_LOW workspace, use the Admin Editor to enter the file system in the vfstab_adjunct file.
The vfstab_adjunct(4) file is saved and protected at the label ADMIN_HIGH.
The admin role handles file system management, and user account creation and deletion.
In the admin role in an ADMIN_LOW workspace, finish configuring the system.
To share a file system, see "(Optional) Share File Systems".
To mount a file system, see "(Optional) Mount File Systems".
Read "(Optional) Delete the User install" before deleting the install user.