Changing the Keys
The following sections describe how to change the keys of an NIS+ principal.
Note -
Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information".
Changing Root Keys From Root
Table 8-2, shows how to change the keys for the root master server from the root master (as root):
Table 8-2 Changing a Root Master's Keys: Command Summary|
Tasks |
Commands |
|---|---|
|
Create new DES credentials |
rootmaster# nisaddcred des |
|
Find the Process ID of rpc.nisd |
rootmaster# ps -e | grep rpc.nisd |
|
Kill the NIS+ daemon |
rootmaster# kill pid |
|
Restart NIS+ daemon with no security |
rootmaster# rpc.nisd -S0 |
|
Perform a keylogout (previous keylogin is now out of date). |
rootmaster# keylogout -f |
|
Update the keys in the directories served by the master |
rootmaster# nisupdkeys dirs |
|
Find the Process ID of rpc.nisd |
rootmaster# ps -e | grep rpc.nisd |
|
Kill the NIS+ daemon |
rootmaster# kill pid |
|
Restart NIS+ daemon with default security |
rootmaster# rpc.nisd |
|
Perform a keylogin |
rootmaster# keylogin |
Where:
-
pid is the process ID number reported by the ps -e | grep rpc.nisd command.
-
dirs are the directory objects you wish to update. (That is, the directory objects that are served by rootmaster.)
In the first step of the process outlined in Table 8-2, nisaddcred updates the cred table for the root master, updates /etc/.rootkey and performs a keylogin for the root master. At this point the directory objects served by the master have not been updated and their credential information is now out of synch with the root master. The subsequent steps described in Table 8-2 are necessary to successfully update all the objects.
Note -
Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information".
Changing Root Keys From Another Machine
To change the keys for the root master server from some other machine you must have the required NIS+ credentials and authorization to do so.
Table 8-3 Remotely Changing Root Master Keys: Command Summary|
Tasks |
Commands |
|---|---|
|
Create the new DES credentials |
othermachine% nisaddcred -p principal -P nisprincipal des |
|
Update the directory objects. |
othermachine% nisupdkeys dirs |
|
Update /etc.roootkey. |
othermachine% keylogin -r |
|
Reinitialize othermachine as client |
othermachine% nisinit -cH |
Where:
-
principal is the root machine's Secure RPC netname. For example: unix.rootmaster@doc.com (no dot at the end).
-
nis-principal is the root machine's NIS+ principal name. For example, rootmaster.doc.com. (a dot at the end).
-
dirs are the directory objects you want to update (that is, the directory objects that are served by rootmaster).
When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.
Note -
Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information".
Changing the Keys of a Root Replica From the Replica
To change the keys of a root replica from the replica, use these commands:
replica# nisaddcred des replica# nisupdkeys dirs |
Where:
-
dirs are the directory objects you wish to update, (that is, the directory objects that are served by replica).
When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.
Note -
Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information"
Changing the Keys of a Nonroot Server
To change the keys of a nonroot server (master or replica) from the server, use these commands:
subreplica# nisaddcred des subreplica# nisupdkeys parentdir dirs |
Where:
-
parentdir is the non-root server's parent directory (that is, the directory containing subreplica's NIS+ server).
-
dirs are the directory objects you want to update (that is, the directory objects that are served by subreplica).
When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.
Note -
Whenever you change a server's keys, you must also update the key information of all the clients in that domain, as explained in "Updating Client Key Information"
- © 2010, Oracle Corporation and/or its affiliates