Setting Up NIS+ Root Servers
Setting up the root master server is the first activity towards establishing NIS+ domain. This section shows you how to configure a root master server using the nisserver script with default settings.
The root master server uses the following defaults:
-
Security level 2 (DES) – the highest level of NIS+ security
-
NIS compatibility set to OFF (instructions for setting NIS compatibility are included)
-
System information files (/etc) or NIS maps as the source of name services information
-
admin.domainname as the NIS+ group
Note –
The nisserver script modifies the name service switch file for NIS+ when it sets up a root master server. The /etc/nsswitch.conf file can be changed later. See Chapter 1, Name Service Switch for information on the name service switch.
Prerequisites to Running nisserver to Set Up a Root Server
Check to see that the /etc/passwd file on the machine you want to be root master server contains an entry for root.
You need the following information before running nisserver.
-
The superuser password of the machine that will become the root master server
-
The name of the new root domain. The root domain name must have at least two elements (labels) and end in a dot (for example, something.com.). The last element may be anything you want, but in order to maintain Internet compatibility, the last element must be either an Internet organizational name (as shown in Table 4–3), or a two or three character geographic identifier such as .jp. for Japan.
|
Domain |
Purpose |
|---|---|
|
com |
Commercial organizations |
|
edu |
Educational institutions |
|
gov |
Government institutions |
|
mil |
Military groups |
|
net |
Major network support centers |
|
org |
Nonprofit organizations and others |
|
int |
International organizations |
In the following example, the machine that is designated as the root master server is called master1, and doc.com. becomes the new root domain.
Note –
Domains and hosts should not have the same name. For example, if you have doc.com. as a root domain, you should not have a machine named doc in any of your domains. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution also applies to subdomains. For example, if you have a machine named west, you do not want to create a sales.west.doc.com subdomain.
How to Create an NIS+ Root Master Server
-
Set the superuser's
PATHvariable to include /usr/lib/nis.Either add this path to root's .cshrc or .profile file or set the variable directly.
-
Optionally, if using DES authentication, specify the Diffie-Hellman key length.
To use 640–bit Diffie-Hellman keys as well as the default 192–bit keys, type:
nisauthconf dh640-0 des
To allow only 640–bit keys (rejects 192–bit keys), type:
nisauthconf dh640-0
-
Type the following command as superuser (root) to configure a root master server.
The -r option indicates that a root master server should be configure. The -d option specifies the NIS+ domain name.
master1# nisserver -r -d doc.com. This script sets up this machine “master1” as an NIS+ root master server for domain doc.com. Domain name : doc.com. NIS+ group : admin.doc.com. NIS (YP) compatibility : OFF Security level : 2=DES Is this information correct? (type 'y' to accept, 'n' to change)
“NIS+ group” refers to the group of users who are authorized to modify the information in the doc.com. domain. (Domain names always end with a period.) Modification includes deletion. admin.domainname is the default name of the group. See How to Change Incorrect Information When Setting Up NIS+ for instructions on how to change this name.
“NIS compatibility” refers to whether an NIS+ server accepts information requests from NIS clients. When set to OFF, the default setting, the NIS+ server does not fulfill requests from NIS clients. When set to ON, an NIS+ server fulfills such requests. You can change the NIS-compatibility setting with this script. See How to Change Incorrect Information When Setting Up NIS+.
Note –This script sets machines up only at security level 2, the highest level of NIS+ security. You cannot change the security level when using this script. After the script has completed, you can change the security level with the appropriate NIS+ command. See the rpc.nisd man page for more information on changing security levels.
-
Type y (if the information shown on the screen is correct).
Typing n causes the script to prompt you for the correct information. (See How to Change Incorrect Information When Setting Up NIS+ for what you need to do if you type n.)
Is this information correct? (type 'y' to accept, 'n'' to change) y This script will set up your machine as a root master server for domain doc.com. without NIS compatibility at security level 2. Use "nisclient -r" to restore your current network service environment. Do you want to continue? (type `y' to continue, `n' to exit the script)
-
Type y to continue NIS+ configuration.
(Typing n safely stops the script.) If you interrupt the script after you have chosen y and while the script is running, the script stops running and leaves configured whatever it has created so far. The script does not do any automatic recovery or cleaning up. You can always rerun this script.
Do you want to continue? (type 'y' to continue, 'n' to exit the script y setting up domain information “doc.com.” ... setting up switch information ... running nisinit ... This machine is in the doc.com. NIS+ domain. Setting up root server ... All done. starting root server at security level 0 to create credentials... running nissetup ... (creating standard directories & tables) org_dir.doc.com. created Enter login password:
The nissetup command creates the directories for each NIS+ table.
-
Type your machine's root password at the prompt and press Return.
In this case, the user typed the master1 machine's root password.
Wrote secret key into /etc/.rootkey setting NIS+ group to admin.doc.com. ... restarting root server at security level 2 ... This system is now configured as a root server for domain doc.com. You can now populate the standard NIS+ tables by using the nispopulate or /usr/lib/nis/nisaddent commands.
Your root master server is now configured and ready for you to populate the NIS+ standard tables. To continue with populating tables, skip to Populating NIS+ Tables.
How to Change Incorrect Information When Setting
Up NIS+
If you typed n because some or all of the information returned to you was wrong in Step 4 in the above procedure, you will see the following:
Is this information correct? (type 'y' to accept, 'n' to change) n Domain name: [doc.com.] |
-
Press Return if the domain name is correct; otherwise, type the correct domain name and press Return.
In this example, Return was pressed, confirming that doc.com. is the desired domain name. The script then prompts for the NIS+ group name.
Is this information correct? (type 'y' to accept, 'n' to change) n Domain name: [doc.com.] NIS+ group: [admin.doc.com.]
-
Press Return if NIS+ group is correct; otherwise, type the correct NIS+ group name and press Return.
In this example, the name was changed. The script then prompts for NIS compatibility.
NIS+ group: [admin.doc.com.] netadmin.doc.com. NIS (YP) compatibility (0=off, 1=on): [0]
-
Press Return if you do not want NIS compatibility; otherwise, type 1 and press Return.
In this example, Return was pressed, confirming that NIS compatibility status is correct. Once again, the script asks you if the information is correct.
Note –If you choose to make this server NIS compatible, you also need to edit a file and restart the rpc.nisd daemon before it will work. See Configuring a Client as an NIS+ Server for more information.
NIS (YP) compatibility (0=off, 1=on): [0] Domain name : doc.com. NIS+ group : netadmin.doc.com. NIS (YP) compatibility : OFF Security level : 2=DES Is this information correct? (type 'y' to accept, 'n' to change)
When the information is correct, continue with Step 3 in How to Create an NIS+ Root Master Server. You can keep choosing -n until the information is correct.
How to Set Up a Multihomed NIS+ Root Master Server
The procedure for setting up a multihomed NIS+ server is the same as setting up a single interface server. The only difference is that there are more interfaces that need to be defined in the hosts database, the /etc/hosts file and NIS+ hosts table.
Note –
Prior to the Solaris 10 7/07 release, you also need to define interfaces in the /etc/inet/ipnodes file and ipnodes table.
Once the host information is defined, use the nisclient and nisserver scripts to set up the multihomed NIS+ server. For information about setting up a multihomed replica server, see How to Set Up Multihomed NIS+ Replica Servers.
Caution – When setting up a multihomed NIS+ server, the server's primary name must be the same as the nodename for the system. This is a requirement of both Secured RPC and nisclient.
-
Secured RPC relies on the nodename to create the netname for authentication.
-
nisclient relies on the primary name to create the credential for the client.
If these names are different, Secure RPC authentication will fail to work properly causing NIS+ problems.
The following procedure shows how to set up an NIS+ root master server:
-
On the root master, add the server host information into the /etc/hosts file.
Note –Prior to the Solaris 10 7/07 release, you must also add IPv6 host information to the /etc/inet/ipnodes file.
For example, the /etc/hosts file for the hostA system with three Ethernet interfaces looks like:
127.0.0.1 localhost loghost 192.168.10.x hostA hostA-10 hostA-eri0 192.168.11.y hostA hostA-11 hostA-eri1 192.168.12.z hostA hostA-12
-
Set up the server as a multihome NIS+ root server with nisserver.
hostA# nisserver -r -d sun.com
where our example shows sun.com as the root domain name. Issue the nisserver command using the name of your root domain name.
After completing the steps for setting up a multihome NIS+ root server, the remainder of the setup is exactly the same as for a single interface server.
- © 2010, Oracle Corporation and/or its affiliates