This chapter describes the differences in managing a name service in a Trusted Solaris environment. This chapter includes the following procedures:
Setting up a name service master and clients (NIS and NIS+) is described in Trusted Solaris Installation and Configuration.
To achieve uniformity of user, host, and network attributes within a security domain with multiple Trusted Solaris computers, a naming service is used for distributing most configuration information. If a name service is not used, administrators should ensure that configuration information for users, hosts, and networks is identical in the local files on all hosts and any changes made on one host are made on all. See "Administering Remote Systems", if needed.
A Trusted Solaris NIS or NIS+ master can manage data for Trusted Solaris and Solaris NIS or NIS+ clients.
A Trusted Solaris NIS+ master can also manage data for NIS clients (such as hosts running the Trusted Solaris 1.x operating environment) if NIS compatibility mode is used. NIS compatibility mode requires slightly different setup procedures than for a standard NIS+ server. NIS compatibility mode has security implications for NIS+ tables. For the differences and security implications, see "Using NIS-Compatibility Mode" in the NIS+ Transition Guide.
Trusted Solaris computers cannot be clients of Solaris NIS or NIS+ masters.
Trusted Solaris computers may or may not be connected to a network with computers running other operating environments. A standalone Trusted Solaris computer may either be configured as its own name service master server or configured with no name service. If a Trusted Solaris standalone computer is configured without a name service, the configuration information is maintained in the /etc, /etc/security, and /etc/security/tsol directories. The administrative tools in the Trusted Solaris version of the Solaris Management Console enable the administrative role to specify Files scope so that the information is stored locally.
If site security policy allows, root's capabilities can be extended to allow the root role to do administration from a client, although this is not recommended.
For root to administer NIS+ from a NIS+ client, the name of the NIS+ client must be added to the NIS+ admin group using the nisgrpadm(1) command. If a new administrative role is created to administer NIS+ tables, an entry also must be added to the NIS+ admin group with the role's principal name. See "To Enable a Role to Administer NIS+" for an example.
Besides the standard databases listed in "Information in NIS+ Tables" in the Solaris Naming Administration Guide, Trusted Solaris software includes the following NIS maps/NIS+ tables: tnrhdb(4) and tnrhtp(4).
As in the Solaris operating environment, the administrator role can add NIS maps or NIS+ tables with protected data fields. As an administrative role, follow the procedures in the following books:
Do not add new rows to the default NIS+ tables or modify the access rules defined for existing table fields.
The root role does this during initial configuration of the system, as described in "Configuring a NIS or NIS+ Client" in Trusted Solaris Installation and Configuration.
Assume the System Administrator role and go to an ADMIN_LOW workspace.
Follow the procedures in "Connecting to the Name Server".
NIS+ ONLY: For root to administer NIS+ from a NIS+ client, go to the NIS+ client and add the NIS+ client to the admin group by double-clicking the Add to NIS+ Administrative Group action and filling in the fields.
For example, the following two invocations of the Add to NIS+ Administrative Group action enable root to administer the NIS+ domain from the good and good1 computers in the security.example.com domain.
Group Name: admin    Principal Name: good.security.example.com.
Group Name: admin    Principal Name: good1.security.example.com.
Before installing a new Trusted Solaris release, you can save the information in your name service and restore it to the system after installation.
Use ypcat(1) to dump NIS maps into flat files and then propagate NIS maps from the files.
See "Administering NIS" in Solaris Naming Administration Guide for how to propagate NIS maps from files.
Before installing a new Trusted Solaris release, you can save the information in your name service and restore it to the system after installation.
Create a script or use another means to dump the NIS+ tables into text files.
It is a good idea to dump the NIS+ tables into text files routinely, at least every time you make a change to NIS+.
To create a script, assume the security administrator role and use the Admin Editor action to create the script file at ADMIN_LOW.
The following example shows a script called nisscript that the administrator role can create to do the dumps and to create a list of group members for later re-creation of the groups table.
#!/bin/sh
# nisscript
# dump the NIS+ tables into text files
#
mkdir -p /var/nis-backup
chmod 700 /var/nis-backup
cp /etc/.rootkey /var/nis-backup/dot-rootkey
# standard Solaris and Trusted Solaris tables
# NOTE: Add any tables created at your site
cd /var/nis/data
for i in audit_user auth_attr aliases bootparams ethers \
    exec_attr group hosts netgroup netmasks networks passwd \
    prof_attr protocols rpc services timezone tnrhdb tnrhtp \
    user_attr shadow
do
    echo $i
    /usr/lib/nis/nisaddent -d $i >/var/nis-backup/$i
done
# Use the following if you have any key-value tables
for i in sendmailvars tntime
do
    echo $i
    /usr/lib/nis/nisaddent -d -t $i.org_dir key-value >/var/nis-backup/$i
done
# get a list of each group and list each member in each group
# (the grep drops the "groups_dir.<domain>.:" header line that nisls prints)
mkdir -p /var/nis-backup/groups.list
chmod 700 /var/nis-backup/groups.list
for i in `nisls groups_dir | grep -v ':'`
do
    nisgrpadm -l $i >> /var/nis-backup/groups.list/group.members
done
Assume the root role and run the nisscript created in the previous step at ADMIN_LOW.
For each group, execute the nisgrpadm -l command to list each of its members and save the output for use in Step 7.
$ nisgrpadm -l group_name
Copy the directory containing the text dump files to a partition that you plan not to overwrite during installation or use tar to copy the files to tape or floppy.
After installation, if you did not save the text dump files in a saved partition, as root at ADMIN_LOW, create a staging directory for the text file dumps of NIS+ tables and restore the files from tape or floppy.
The screen example illustrates what to do when restoring the text NIS+ files to a /setup/files directory from a tape.
# cd /setup/files
# tar xv bootparams ethers . . .
At the appropriate point in "Configuring the NIS+ Domain" in Trusted Solaris Installation and Configuration, re-create the NIS+ environment.
# nisserver -r -d domain-name.
Make sure to include the final period (.) in the domain's name.
In the Security Administrator role, at ADMIN_LOW, after running the nisserver command, run the nispopulate command in a profile shell with the -F and -p options followed by the name of the directory where the text dump files reside.
$ nispopulate -F -p /setup/files
Re-create the NIS+ groups and add members manually from the list of group members saved from the nisscript as described in Step 2.
There is no easy way to recreate the NIS+ groups automatically.
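The group.members file that nisscript writes is the input for this step. The following helper is an added example, not part of the Trusted Solaris documentation: it reads that file and prints the nisgrpadm commands needed to re-create each group and re-add its explicit members, so the Security Administrator can review the list before running it. It assumes nisgrpadm -l prints a header of the form Group entry for "name" group: followed by an Explicit members: block, one principal per line, ended by the next No .../Implicit .../Recursive ... line; the sample input is constructed here using the principal names from the earlier example.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation).
# regen_group_cmds: read nisgrpadm -l output on stdin, print the
# nisgrpadm -c / nisgrpadm -a commands that rebuild the groups.
# Assumed output format of nisgrpadm -l (see lead-in):
#   Group entry for "admin.security.example.com." group:
#       Explicit members:
#           good.security.example.com.
#       No implicit members
# Commands are printed, not executed, so they can be reviewed first.
regen_group_cmds() {
    awk '
    /^Group entry for "/ {
        grp = $0
        sub(/^Group entry for "/, "", grp)   # keep only the quoted name
        sub(/" group:.*$/, "", grp)
        printf "nisgrpadm -c %s\n", grp        # re-create the group
        inmem = 0
        next
    }
    /^[ \t]*Explicit members:/ { inmem = 1; next }
    /^[ \t]*(No |Implicit |Recursive |Explicit nonmembers)/ { inmem = 0 }
    inmem && NF == 1 { printf "nisgrpadm -a %s %s\n", grp, $1 }  # re-add member
    '
}

# Constructed sample of a group.members file (two groups).
constructed_sample() {
    cat <<'EOF'
Group entry for "admin.security.example.com." group:
    Explicit members:
        good.security.example.com.
        good1.security.example.com.
    No implicit members
    No recursive members
    No explicit nonmembers
    No implicit nonmembers
    No recursive nonmembers
Group entry for "auditors.security.example.com." group:
    Explicit members:
        secadmin.security.example.com.
    No implicit members
EOF
}

# Real use: regen_group_cmds < /var/nis-backup/groups.list/group.members
constructed_sample | regen_group_cmds
```

Review the printed commands, then run them in a profile shell in the Security Administrator role at ADMIN_LOW once nispopulate has finished.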
In an administrative role, open the System_Admin folder in the Application Manager.
To view the contents of tables or maps, use the actions View Table Contents or View NIS Map. Supply the table or map name when prompted.
To view the attributes of NIS+ tables, use the action View Table Attributes. Supply the table name when prompted.
To add a name service client, use the Create NIS+ Client or Create NIS Client actions.
To manage NIS+ administrative groups, use one of the following actions:
List Administrative Group
Add to NIS+ Administrative Group
Create NIS+ Administrative Group
Delete from NIS+ Administrative Group
Delete NIS+ Administrative Group