System Administration Guide: Basic Administration

Using the Solaris Management Tools in a Name Service Environment (Task Map)

By default, the Solaris management tools are set up to operate in a local environment. For example, the Mounts and Shares tool enables you to mount and share directories on specific systems, but not in an NIS or NIS+ environment. However, you can manage information with the Users and Computers and Networks tools in a name service environment.

To work with a console tool in a name service environment, you need to create a name service toolbox, and then add the tool to that toolbox.

Task	Description	For Instructions
1. Verify prerequisites.	Verify you have completed the prerequisites before attempting to use the console in a name service environment.	Prerequisites for Using the Solaris Management Console in a Name Service Environment
2. Create a toolbox for the name service.	Use the New Toolbox wizard to create a toolbox for your name service tools.	How to Create a Toolbox for a Specific Environment
3. Add a tool to the name service toolbox.	Add the Users tool, or any other name service tool, to your name service toolbox.	How to Add a Tool to a Toolbox
4. Select the toolbox that was just created.	Select the toolbox you just created to manage name service information.	How to Start the Solaris Management Console in a Name Service Environment

RBAC Security Files

The RBAC security files that work with the Solaris Management Console are created when you upgrade to or install at least the Solaris 9 release. If you do not install the Solaris Management Console packages, the RBAC security files are installed without the necessary data for using RBAC. For information on the Solaris Management Console packages, see Troubleshooting the Solaris Management Console.

The RBAC security files if you are running at least the Solaris 9 release are included in your name service so that you can use the Solaris Management Console tools in a name service environment.

The security files on a local server are populated into a name service environment as part of a standard upgrade by the ypmake, nispopulate, or equivalent LDAP commands.

The following name services are supported:

NIS
NIS+
LDAP
files

The RBAC security files are created when you upgrade to or install Oracle Solaris 10.

This table briefly describes the predefined security files that are installed on a system that is running the Oracle Solaris release.

Table 2–3 RBAC Security Files


Local File Name	Table or Map Name	Description
`/etc/user_attr`	`user_attr`	Associates users and roles with authorizations and rights profiles
`/etc/security/auth_attr`	`auth_attr`	Defines authorizations and their attributes and identifies associated help files
`/etc/security/prof_attr`	`prof_attr`	Defines rights profiles, lists the rights profiles assigned to the authorizations, and identifies associated help files
`/etc/security/exec_attr`	`exec_attr`	Defines the privileged operations assigned to a rights profile

For unusual upgrade cases, you might have to use the smattrpop command to populate RBAC security files in the following instances:

When creating or modifying rights profiles
When you need to include users and roles by customizing the usr_attr file

For more information, see Role-Based Access Control (Overview) in System Administration Guide: Security Services.

Prerequisites for Using the Solaris Management Console in a Name Service Environment

The following table identifies what you need to do before you can use the Solaris Management Console in a name service environment.

Prerequisite	For More Information
Install the Oracle Solaris 10 release.	Oracle Solaris 10 9/10 Installation Guide: Basic Installations
Set up your name service environment.	System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
Select your management scope.	Management Scope
Make sure your `/etc/nsswitch.conf` file is configured, so that you can access your name service data.	`/etc/nsswitch.conf` File

Management Scope

The Solaris Management Console uses the term management scope to refer to the name service environment that you want to use with the selected management tool. The management scope choices for the Users tool and the Computers and Networks tool are LDAP, NIS, NIS+, or files.

The management scope that you select during a console session should correspond to the primary name service that is identified in the /etc/nsswitch.conf file.

`/etc/nsswitch.conf` File

The /etc/nsswitch.conf file on each system specifies the policy for name service lookups (where data is read from) on that system.

Note –

You must make sure that the name service accessed from the console, which you specify through the console Toolbox Editor, appears in the search path of the /etc/nsswitch.conf file. If the specified name service does not appear there, the tools might behave in unexpected ways, resulting in errors or warnings.

When you use the Solaris management tools in a name service environment, you might impact many users with a single operation. For example, if you delete a user in the NIS or NIS+ name service, that user is deleted on all systems that are using NIS or NIS+.

If different systems in your network have different /etc/nsswitch.conf configurations, unexpected results might occur. So, all systems to be managed with the Solaris management tools should have a consistent name service configuration.

How to Create a Toolbox for a Specific Environment

Applications for administering the Oracle Solaris operating system are called tools. Those tools are stored in collections referred to as toolboxes. A toolbox can be located on a local server where the console is located or on a remote machine.

Use the Toolbox Editor to do the following:

Add a new toolbox
Add tools to an existing toolbox
Change the scope of a toolbox

For example, use this tool to change the domain from local files to a name service.

Note –

You can start the Toolbox Editor as a regular user. However, if you plan to make changes and save them to the default console toolbox, /var/sadm/smc/toolboxes, you must start the Toolbox Editor as root.

Start the Toolbox Editor.
# /usr/sadm/bin/smc edit &

Select Open from the Toolbox menu.

In the Toolboxes window, select This Computer.

Click Open.

The This Computer toolbox opens.

In the Navigation pane, select the This Computer icon again.

From the Action menu, select Add Folder.

Use the Folder wizard to add a new toolbox for your name service environment.
1. Name and Description – Provide a name in the Full Name window, then click Next.
  
  For example, for the NIS environment, provide “NIS tools”.
2. Provide a description in the Description window, then click Next.
  
  For example, “tools for NIS environment” is an appropriate description.
3. Icons – Use the default value for the Icons, then click Next.
4. Management Scope – Select Override.
5. Under the Management Scope pull-down menu, Select your name service u.
6. Add the name service master name in the Server field, if necessary.
7. In the Domain field, add the domain that is managed by the server.
8. Click Finish.
  
  The new toolbox is displayed in the left Navigation pane.

Select the new toolbox icon, then select Save As from the Toolbox menu.

In the Local Toolbox Filename dialog, enter the toolbox path name.

Use the .tbx suffix.
/var/sadm/smc/toolboxes/this_computer/toolbox-name.tbx

Click Save.

The new toolbox is displayed in the Navigation pane in the console window.

How to Add a Tool to a Toolbox

In addition to the default tools that ship with the console, additional tools can be launched from the console. As these tools become available, you can add one or more tools to an existing toolbox.

You can also create a new toolbox for either local management or network management. Then, you can add tools to the new toolbox.

Become superuser or assume an equivalent role.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

Start the Toolbox Editor, if necessary.
# /usr/sadm/bin/smc edit &

Select the toolbox.

If you want to work in a name service, select the toolbox that you just created in the Toolbox Editor. For more information, see How to Create a Toolbox for a Specific Environment.

From the Action menu, select Add Tool.

Use the Add Tool wizard to add the new tool.
1. Server Selection – Add the name service master in the Server window. Click Next.
2. Tools Selection – Select the tool you want to add from the Tools window. Click Next.
  
  If this toolbox is a name service toolbox, choose a tool that you want to work with in the name service environment. For example, choose the Users tool.
3. Name and Description – Accept the default values, then click Next.
4. Icons – Accept the default values, unless you have created custom icons. Click Next.
5. Management Scope – Accept the default value, “Inherit from Parent.” Click Next.
6. Tool Loading – Accept the default value, “Load tool when selected.” Click Finish.

To save the updated toolbox, Select Save.

The Local Toolbox window is displayed.

How to Start the Solaris Management Console in a Name Service Environment

After you have created a name service toolbox and added tools to it, you can start the Solaris Management Console and open that toolbox to manage a name service environment.

Before You Begin

Verify that the following prerequisites are met:

Ensure that the system you are logged in to is configured to work in a name service environment.
Verify that the /etc/nsswitch.conf file is configured to match your name service environment.

Start the Solaris Management Console.

For more information, see How to Start the Console as Superuser or as a Role.

Select the toolbox that you created for the name service

The toolbox is displayed in the Navigation pane.

For information about creating a toolbox for a name service, see How to Create a Toolbox for a Specific Environment.