Solstice AdminSuite 2.3 Administration Guide

How to Create Level 2 DES Security for Systems Using NIS Name Service

  1. On each system that runs the sadmind daemon, edit the /etc/inetd.conf file.

    Change this line (or one similar to this):


    100232/10	tli	rpc/udp wait root /usr/sbin/sadmind sadmind

    to:


    100232/10	tli	rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
    
  2. On each system that runs the sadmind daemon, set the /etc/nsswitch.conf entry for publickey to nis.

    Change this entry (or one similar to this):


    publickey:	nis [NOTFOUND=return] files

    to:


    publickey:	nis
    
  3. Create credentials for all group 14 users and all of the systems that will run sadmind -S 2.

    1. Log in as root on the NIS server.

    2. Run the following command for each user that will run AdminSuite.


      # newkey -u username -s files
      

      Note -

      You must run this command even for users who are not in group 14. If you are not in group 14 and do not have credentials, you are not a user according to sadmind; you will not be able to run any methods, even those that do not require root. You will have to supply the user's password to the newkey program.


    3. Run the following command for every host that you have configured to run secure sadmind.


      # newkey -h hostname
      

      You will have to provide the root password for each of these hosts to the newkey program.

    4. Copy the /etc/publickey file on this system to the source file that is specified in /var/yp/Makefile; then remake and push the NIS maps.


      # cd /var/yp; make
      
  4. Verify that you are a member of group 14 in the group/nis maps.

    1. Log in as root.

    2. Change to the directory that contains the source file specified in /var/yp/Makefile.

    3. Manually edit the group file and add yourself to group 14, just as you did in the /etc/group file.

    4. Change directories to /var/yp and run make.


      # cd /var/yp; make
      

      You should see the group map pushed; a message appears indicating that this action has occurred.


      Note -

      The security system looks in the NIS maps for your group 14 access and will fail if you do not have group 14 specified there, regardless of whether your /etc/nsswitch.conf file has group files nis.


      When sadmind is running in -S 2 mode, it uses the publickey entry to determine which name service to look at for user credentials. When the entry in /etc/nsswitch.conf is nis, it looks in the NIS group map to ensure that the user is a member of group 14.

  5. As root, enter the following command on each system to put root's private key in /etc/.rootkey.


    # keylogin -r
    

    By doing this, you will not have to keylogin as root on every system every time you want to run AdminSuite; this creates an automatic root keylogin at boot time.

  6. To ensure that the nscd gets flushed, reboot all of the workstations.

  7. On each system that you want the application to run on, log in and then keylogin. (You must be a member of group 14.)

    After the keylogin, you can safely log out; your key is stored in the keyserv daemon until you explicitly keylogout or the system reboots.
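
A check for the file edits in steps 1 and 2, added here as an example and not part of the original guide: it reports whether the active sadmind entry carries -S 2 and whether publickey resolves through nis only. The function names are hypothetical, and the file paths are arguments so that copies of the files can be audited.

```shell
#!/bin/sh
# Added example: audits the two file edits from steps 1 and 2.
# Function names are hypothetical; paths default to the live files.

# Print the -S level on the active sadmind line: the value after -S,
# "unset" when the line has no -S option, "missing" when no entry is active.
sadmind_level() {
    awk '
        /^[ \t]*#/ { next }                  # skip commented-out entries
        $1 ~ /^100232\// {                   # RPC program number from step 1
            level = "unset"
            for (i = 2; i < NF; i++)
                if ($i == "-S") level = $(i + 1)
            print level; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Print the sources listed for publickey, space-separated, or "missing".
publickey_sources() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "publickey:" {
            $1 = ""; sub(/^ +/, ""); print; found = 1; exit
        }
        END { if (!found) print "missing" }
    ' "$1"
}

# Return 0 only when both files match what steps 1 and 2 require.
audit_sadmind_des() {
    inetd=${1:-/etc/inetd.conf}
    nsswitch=${2:-/etc/nsswitch.conf}
    rc=0
    level=$(sadmind_level "$inetd")
    sources=$(publickey_sources "$nsswitch")
    if [ "$level" != "2" ]; then
        echo "FAIL: sadmind security level is '$level', expected 2 ($inetd)"
        rc=1
    fi
    if [ "$sources" != "nis" ]; then
        echo "FAIL: publickey sources are '$sources', expected 'nis' ($nsswitch)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sadmind -S 2 with publickey: nis"
    return "$rc"
}
```

Source the file and call audit_sadmind_des with no arguments on each system that runs sadmind; a nonzero return means one of the two edits is missing or was reverted.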