test

Solaris Naming Setup and Configuration Guide

Chapter 5 Setting Up the Root Domain

This chapter provides step-by-step instructions for setting up the root domain and DES authentication using the NIS+ command set.

See Solaris Naming Administration Guide for information on how to take an existing root master server out of service and replace it with a new machine.

Introduction to Setting Up the Root Domain

This task describes how to configure the root domain with the root master server running at security level 2 (the normal level).

Note -

It is much easier to perform this task with the NIS+ installation scripts as described in Part 1 than with the NIS+ command set as described here. The methods described in this chapter should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.

Setting up the root domain involves three major tasks:

However, setting up the root domain is not as simple as performing these three tasks in order; they are intertwined with one another. For instance, you must specify some security parameters before you create the root directory, the rest, after. To make the root domain easier to configure, this chapter separates these tasks into individual steps and arranges them into their most efficient order.

Standard Versus NIS-Compatible Configuration Procedures

The steps in this chapter apply to both a standard NIS+ root domain and an NIS-compatible root domain. There are, however, some important differences. The NIS+ daemon for an NIS-compatible domain must be started with the -Y option, which allows the root master server to answer requests from NIS clients. This is described in Step 11. The equivalent step for standard NIS+ domains is Step 12.

An NIS-compatible domain also requires read rights to the passwd table for the nobody class, which allows NIS clients to access the information stored in the table's passwd column. This is accomplished with the -Y option to the nissetup command, in Step 14. The standard NIS+ domain version uses the same command but without the -Y option.

Establishing the Root Domain

The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided on "Root Domain Configuration Summary".

Summary of Steps

Here is a summary of the entire configuration process:

  1. Log in as superuser to the root master server.

  2. Check the root master server's domain name.

  3. Check the root master server's switch-configuration file.

  4. Optionally, configure the Diffie-Hellman key length.

  5. Clean out leftover NIS+ material and processes.

  6. Name the root domain's admin group.

  7. Create the root directory and initialize the root master server.

  8. [NIS-compatibility Only] Start the NIS+ daemon with -Y. [Standard NIS+ Only] Start the NIS+ daemon.

  9. Verify that the daemon is running.

  10. Create the root domain's subdirectories and tables.

  11. Create DES credentials for the root master server.

  12. Create the root domain's admin group.

  13. Add the root master to the root domain's admin group.

  14. Update the root domain's public keys.

  15. Start the NIS+ cache manager.

  16. Restart the NIS+ daemon with security level 2.

  17. Add your LOCAL credentials to the root domain.

  18. Add your DES credentials to the root domain.

  19. Add credentials for other administrators.

  20. Add yourself and other administrators to the root domain's admin group.

Establishing the Root Domain--Task Map

Table 5-1 Establishing the Root Domain
 

Task 

 

Description 

 

For Instructions, Go To 
 

Establishing the Root Domain 

 

Use the domainname command to establish the root domain. Optionally extend the Diffie-Hellman key length. Stop and start the ncsd daemon. Kill and restart keyserv. Clean out leftover NIS+ information.

 

"How to Configure a Root Domain"

 
      

Security Considerations

NIS+ provides preset security defaults for the root domain. The default security level is level 2. Operational networks with actual users should always be run at security level 2. Security levels 0 and 1 are for configuring and testing purposes only. Do not run an operational network at level 0 or 1.

Note -

The NIS+ security system is complex. If you are not familiar with NIS+ security, you might want to review the security-related chapters of Solaris Naming Administration Guide before starting to configure your NIS+ environment.

Prerequisites

Before proceeding, make sure that:

Information You Need

In order to complete this task you need to know:

How to Configure a Root Domain

  1. Log in as superuser on the machine designated to be the root master server.

    The examples in these steps use rootmaster as the root master server and doc.com. as the root domain.

  2. Check the root master server's domain name.

    Use the domainname command to make sure the root master server is using the correct domain name. The domainname command returns a workstation's current domain name.

    Caution - Caution -

    Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west, you don't want to create a sales.west.myco.com subdirectory.

    If the name is not correct, change it.


    rootmaster# domainname 
strange.domain
rootmaster# domainname doc.com
rootmaster# domainname
rootmaster# doc.com
rootmaster# rm -f /etc/defaultdomain
rootmaster# domainname > /etc/defaultdomain

    (Do not include a trailing dot with the domainname command. The domainname command is not an NIS+ command, so it does not follow the NIS+ conventions of a trailing dot.)

    The above example changes the domain name of the root master server from strange.domain to doc.com. When changing or establishing a domain name, make sure that it has at least two elements; for example, doc.com instead of doc. The final element should end in either an Internet organizational name (such as .com) or a geographical identifier (such as .jp or .uk).

  3. Check the root master server's switch-configuration file.

    Make sure the root master server is using the NIS+ version of the nsswitch.conf file, even if it will run in NIS-compatibility mode. This step ensures that the primary source of information for the root master are NIS+ tables. 


    rootmaster# more /etc/nsswitch.conf

    This command displays the current nsswitch.conf file. The primary name service referenced by this file should be nisplus. If the root master server's configuration file does not use nisplus as the primary name service, exchange it for one that does, as explained in "Selecting a Different Configuration File".

  4. Optionally, configure the Diffie-Hellman key length.

    If you are using DES authentication, you can elect to increase the Diffie-Hellman key length from the default 192 bits. For example, to allow both 640 and 192-bit keys type the following:


    rootmaster# nisauthconf dh640-0 des

  5. If you made any changes at all to the nsswitch.conf file, stop and restart the nscd daemon.

    Because nscd caches the contents of the nsswitch.conf file, it is necessary to stop and restart nscd after any change to the switch file.

    Complete instructions are provided in Chapter 1, Setting Up the Name Service Switch.

  6. Now kill and restart keyserv, as shown below. 


    rootmaster# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
rootmaster# sh /etc/init.d/nscd stop
rootmaster# sh /etc/init.d/nscd start
rootmaster# ps -e | grep keyserv
 root 145 1 67 16:34:44 ? keyserv
 .
 .
rootmaster# kill -9 145
rootmaster# rm -f /etc/.rootkey
rootmaster# keyserv

  7. Clean out leftover NIS+ material and processes.

    If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis: 


    rootmaster# ls /var/nis 
NIS_COLD_START NIS_SHARED_CACHE
rootmaster# rm -rf /var/nis/*
rootmaster# ps -ef | grep nis_cachemgr
 root 295 260 10 15:26:58 pts/0 0:00 grep nis_cachemgr
 root 286 1 57 15:21:55 ? 0:01 /usr/sbin/nis_cachemgr
rootmaster# kill -9 286

    This step makes sure files left in /var/nis or directory objects stored by the cache manager are completely erased so they do not conflict with the new information generated during this configuration process. If you have stored any admin scripts in /var/nis, you might want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

  8. Kill server daemons

    If the workstation you are working on was previously used as an NIS+ server, check to see if rpc.nisd or rpc.nispasswdd is running. If either of these daemons is running, kill them.

  9. Name the root domain's admin group.

    Although you won't actually create the admin group until Step 16, you must identify it now. Identifying it now ensures that the root domain's org_dir directory object, groups_dir directory object, and all its table objects are assigned the proper default group when they are created in Step 14.

    To name the admin group, set the value of the environment variable NIS_GROUP to the name of the root domain's admin group. Here are two examples, one for csh users, and one for sh/ksh users. They both set NIS_GROUP to admin.doc.com..

    For C Shell


    rootmaster# setenv NIS_GROUP admin.doc.com.

    For Bourne or Korn Shell


    rootmaster# NIS_GROUP=admin.doc.com.
rootmaster# export NIS_GROUP

  10. Create the root directory and initialize the root master server.

    This step creates the first object in the namespace--the root directory--and converts the workstation into the root master server. Use the nisinit -r command, as shown below. (This is the only instance in which you will create a domain's directory object and initialize its master server in one step. In fact, nisinit -r performs an automatic nismkdir for the root directory. In any case, except the root master, these two processes are performed as separate tasks.) 


    rootmaster# nisinit -r 
This machine is in the doc.com. NIS+ domain
Setting up root server ...
All done.

    A UNIX directory with the name /var/nis/data is created.

    Within the /var/nis directory is a file named root.object. 


    rootmaster# ls -l /var/nis/data 
-rw-rw-rw- 1 root other 384 date root.object

    This is not the root directory object; it is a file that NIS+ uses to describe the root of the namespace for internal purposes. The NIS+ root directory object is created in Step 11 or Step 12.

    In subsequent steps, other files are added beneath the directory created in this step. Although you can verify the existence of these files by looking directly into the UNIX directory, NIS+ provides more appropriate commands. They are called out where applicable in the following steps.

    Caution - Caution -

    Do not rename the /var/nis or /var/nis/data directories or any of the files in these directories that were created by nisinit or any of the other NIS+ configuration procedures. In Solaris Release 2.4 and earlier, the /var/nis directory contained two files named hostname. It also contained a subdirectory named /var/nis/hostname. In Solaris Release 2.5, the two files are named trans.log and data.dict, and the subdirectory is named /var/nis/data. In Solaris Release 2.5, the content of the files has also been changed and they are not backward compatible with Solaris Release 2.4 or earlier. Thus, if you rename either the directories or the files to match the Solaris Release 2.4 patterns, the files will not work with either the Solaris Release 2.4 or the Solaris Release 2.5 version of rpc.nisd. Therefore, you should not rename either the directories or the files.

  11. [NIS-Compatibility only] Start the NIS+ daemon with -Y.

    Perform this step only if you are setting up the root domain in NIS-compatibility mode; if setting up a standard NIS+ domain, perform Step 12 instead. This step includes instructions for supporting the DNS forwarding capabilities of NIS clients.

    Substep a starts the NIS+ daemon in NIS-compatibility mode. Substep b makes sure that when the server is rebooted, the NIS+ daemon restarts in NIS-compatibility mode. After substep b of Step b, go to Step 14.

    1. Use rpc.nisd with the -Y, -B, and -S 0 options.


      rootmaster# rpc.nisd -Y -B -S 0 options

      The -Y option invokes an interface that answers NIS requests in addition to NIS+ requests. The -B option supports DNS forwarding. The -S 0 flag sets the server's security level to 0, which is required at this point for bootstrapping. Because no cred table exists yet, no NIS+ principals can have credentials; if you used a higher security level, you would be locked out of the server.

    2. Edit the /etc/init.d/rpc file.

      Search for the string EMULYP="Y" in the /etc/init.d/rpc file. Uncomment the line and, to retain DNS forwarding capabilities, add the -B flag.

      An rpc file with DNS forwarding contains:


      EMULYP="-Y -B"

      An rpc file without DNS forwarding contains:


      EMULYP="-Y"

      If you do not need to retain DNS forwarding capabilities, uncomment the line but do not add the -B flag.

  12. [Standard NIS+ only] Start the NIS+ daemon.

    Use the rpc.nisd and be sure to add the -S 0 flag. 


    rootmaster# rpc.nisd -S 0

    The -S 0 flag sets the server's security level to 0, which is required at this point for bootstrapping. Because no cred table exists yet, no NIS+ principals can have credentials, and if used with a higher security level, you would be locked out of the server.

  13. Verify that the root objects have been properly created.

    As a result of Step 11 or Step 12, your namespace should now have:

    • A root directory object (root.dir)

    • A root master server (rootmaster) running the NIS+ daemon (rpc.nisd)

    • A cold start file for the master server (NIS_COLD_START)

    • A transaction log file (trans.log)

    • A table dictionary file (data.dict).

    The root directory object is stored in the directory created in Step 10. Use the ls command to verify that it is there.


    rootmaster# ls -l /var/nis/data 
-rw-rw-rw- 1 root other 384 date root.object
-rw-rw-rw- 1 root other 124 date root.dir

    At this point, the root directory is empty; in other words, it has no subdirectories. You can verify this by using the nisls command.


    rootmaster# nisls -l doc.com.
doc.com.:

    However, it has several object properties, which you can examine using niscat -o:


    rootmaster# niscat -o doc.com.
 Object Name : doc
Owner : rootmaster.doc.com.
Group : admin.doc.com.
Domain : Com.
Access Rights : r---rmcdrmcdr---

    Notice that the root directory object provides full (read, modify, create, and destroy) rights to both the owner and the group, while providing only read access to the world and nobody classes. (If your directory object does not provide these rights, you can change them using the nischmod command.)

    To verify that the NIS+ daemon is running, use the ps command.


    rootmaster# ps -ef | grep rpc.nisd
root 1081 1 61 16:43:33 ? 0:01 rpc.nisd -S 0
root 1087 1004 11 16:44:09 pts/1 0:00 grep rpc.nisd

    The root domain's NIS_COLD_START file, which contains the Internet address (and, eventually, public keys) of the root master server, is placed in /var/nis. Although there is no NIS+ command that you can use to examine its contents, its contents are loaded into the server's directory cache (NIS_SHARED_DIRCACHE). You can examine those contents with the /usr/lib/nis/nisshowcache command.

    Also created are a transaction log file (trans.log) and a dictionary file (data.dict). The transaction log of a master server stores all the transactions performed by the master server and all its replicas since the last update. You can examine its contents by using the nislog command. The dictionary file is used by NIS+ for internal purposes; it is of no interest to an administrator.

  14. Create the root domain's subdirectories and tables.

    This step adds the org_dir and groups_dir directories, and the NIS+ tables, beneath the root directory object. Use the nissetup utility. For an NIS-compatible domain, be sure to include the -Y flag. Here are examples for both versions:

    For standard NIS+ only


    rootmaster# /usr/lib/nis/nissetup

    NIS-compatible only 


    rootmaster# /usr/lib/nis/nissetup -Y

    Each object added by the utility is listed in the output:


    rootmaster# /usr/lib/nis/nissetup 
org_dir.doc.com. created
groups_dir.doc.com. created
auto_master.org_dir.doc.com. created
auto_home.org_dir.doc.com. created
bootparams.org_dir.doc.com. created
cred.org_dir.doc.com. created
ethers.org_dir.doc.com. created
group.org_dir.doc.com. created
hosts.org_dir.doc.com. created
mail_aliases.org_dir.doc.com. created
sendmailvars.org_dir.doc.com. created
netmasks.org_dir.doc.com. created
netgroup.org_dir.doc.com. created
networks.org_dir.doc.com. created
passwd.org_dir.doc.com. created
protocols.org_dir.doc.com. created
rpc.org_dir.doc.com. created
services.org_dir.doc.com. created
timezone.org_dir.doc.com. created

    The -Y option creates the same tables and subdirectories as for a standard NIS+ domain, but assigns read rights to the passwd table to the nobody class so that requests from NIS clients, which are unauthenticated, can access the encrypted password in that column.

    Recall that when you examined the contents of the root directory with nisls (in Step 12), it was empty. Now, however, it has two subdirectories.


    rootmaster# nisls doc.com.
doc.com.:
org_dir
groups_dir

    You can examine the object properties of the subdirectories and tables by using the niscat -o command. You can also use the niscat option without a flag to examine the information in the tables, although at this point they are empty.

  15. Create DES credentials for the root master server.

    The root master server requires DES credentials so that its own requests can be authenticated. To create those credentials, use the nisaddcred command, as shown below. When prompted, enter the server's root password. 


    rootmaster# nisaddcred des 
DES principal name: unix.rootmaster@doc.com
Adding key pair for unix.rootmaster@doc.com
 (rootmaster.doc.com.).
Enter login password:
Wrote secret key into /etc/.rootkey

    If you enter a password that is different from the server's root password, you receive a warning message and a prompt to repeat the password: 


    Enter login password:
nisaddcred: WARNING: password differs from login password.
Retype password:

    If you persist and retype the same password, NIS+ will still create the credential. The new password will be stored in /etc/.rootkey and be used by the keyserver when it starts up. To give the keyserver the new password right away, run keylogin -r, as described in the credentials chapter of Solaris Naming Administration Guide.

    If you decide to use your login password after all, press Control-c and start the sequence over. If you were to retype your login password as encouraged by the server, you would get an error message designed for another purpose, but which in this instance could be confusing.


    nisaddcred: WARNING: password differs from login password.
Retype password:
nisaddcred: password incorrect.
nisaddcred: unable to create credential.

    As a result of this step, the root server's private and public keys are stored in the root domain's cred table (cred.org_dir.doc.com.) and its secret key is stored in /etc/.rootkey. You can verify the existence of its credentials in the cred table by using the niscat command. Since the default domain name is doc.com., you don't have to enter the cred table's fully qualified name; the org_dir suffix is enough. You can locate the root master's credential by looking for its secure RPC netname.

  16. Create the root domain's admin group.

    This step creates the admin group named in Step 9. Use the nisgrpadm command with the -c option. The example below creates the admin.doc.com. group. 


    rootmaster# nisgrpadm -c admin.doc.com.
 Group admin.doc.com. created.

    This step only creates the group--it does not identify its members. That is done in Step 17. To observe the object properties of the group, use niscat -o, but be sure to append groups_dir in the group's name.


    doc.com. 
Object Name : admin
Directory : groups_dir.doc.com
Owner : rootmaster.doc.com.
Group : admin.doc.com.
Domain : groups_dir.doc.com.
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members :

  17. Add the root master to the root domain's admin group.

    Since at this point the root master server is the only NIS+ principal that has DES credentials, it is the only member you should add to the admin group. Use the nisgrpadm command again, but with the -a option. The first argument is the group name, the second is the name of the root master server. This example adds rootmaster. doc.com. to the doc.com domain. 


    rootmaster# nisgrpadm -a admin.doc.com.
 rootmaster.doc.com.
Added rootmaster.doc.com. to group admin.doc.com.

    To verify that the root master is indeed a member of the group, use the nisgrpadm command with the -l option (see the groups chapter of Solaris Naming Administration Guide).

    Note -

    With group-related commands such as nisgrpadm, you don't have to include the groups_dir subdirectory in the name. You need to include that directory with commands like niscat because they are designed to work on NIS+ objects in general. The group-related commands are "targeted" at the groups_dir subdirectory.


    rootmaster# nisgrpadm -l admin.doc.com.
 Group entry for admin.doc.com. group:
 Explicit members:
 rootmaster.doc.com.
 No implicit members
 No recursive members
 No explicit nonmembers
 No implicit nonmembers
 No recursive nonmembers

  18. Update the root domain's public keys.

    Normally, directory objects are created by an NIS+ principal that already has DES credentials. In this case, however, the root master server could not acquire DES credentials until after it created the cred table (since there was no parent domain in which to store its credentials). As a result, three directory objects--root, org_dir, and groups_dir--do not have a copy of the root master server's public key. (You can verify this by using the niscat -o command with any of the directory objects. Look for the public key field. Instructions are provided in the directories chapter of Solaris Naming Administration Guide.)

    To propagate the root master server's public key from the root domain's cred table to those three directory objects, use the /usr/lib/nis/nisupdkeys utility for each directory object. 


    rootmaster# /usr/lib/nis/nisupdkeys doc.com.
rootmaster# /usr/lib/nis/nisupdkeys org_dir.doc.com.
rootmaster# /usr/lib/nis/nisupdkeys groups_dir.doc.com.

    After each instance, you will receive a confirmation message such as this one:


    Fetch Public key for server rootmaster.doc.com.
 netname = 'unix.rootmaster@doc.com.'
Updating rootmaster.doc.com.'s public key.
 Public key:

    If you look in any of those directories (use niscat -o), you can find one or more entries like the following in the public key field: 


    Public key: Diffie-Hellman (192 bits)

  19. Start the NIS+ cache manager.

    The cache manager maintains a local cache of location information for an NIS+ client (in this case, the root master server). It obtains its initial set of information from the client's cold-start file (created in Step 11 or Step 12), and downloads it into a file named NIS_SHARED_DIRCACHE in /var/nis.

    To start the cache manager, enter the nis_cachemgr command as shown below. 


    rootmaster# nis_cachemgr

    After the cache manager has been started, you have to restart it only if you have explicitly killed it. You don't have to restart it if you reboot, since the NIS_COLD_START file in /var/nis starts it automatically when the client is rebooted. For more information about the NIS+ cache manager, see the directories chapter of Solaris Naming Administration Guide.

  20. Restart the NIS+ daemon with security level 2.

    Now that the root master server has DES credentials and the root directory object has a copy of the root master's public key, you can restart the root master with security level 2. First kill the existing daemon, then restart with security level 2.

    For a standard NIS+ domain only:


    rootmaster# ps -e | grep rpc.nisd
1081 ? 0:03 rpc.nisd -s 0
rootmaster# kill 1081
rootmaster# rpc.nisd

    For an NIS-compatible root domain, be sure to use the -Y (and -B) flags:

    For a NIS-compatible NIS+ domain:


    rootmaster# ps -e | grep rpc.nisd
1081 ? 0:03 rpc.nisd -Y -B -s 0
rootmaster# kill 1081
rootmaster# rpc.nisd -Y -B

    Since security level 2 is the default, you don't need to use an -S 2 flag.

    Note -

    Operational networks with actual users should always be run at security level 2. Security levels 0 and 1 are for configuration and testing purposes only. Do not run an operational network at level 0 or 1.

  21. Add your LOCAL credentials to the root domain.

    Because you don't have access rights to the root domain's cred table, you must perform this operation as superuser. In addition, the root master's /etc/passwd file must contain an entry for you. Use the nisaddcred command with the -p and -P flags as shown below. 


    nisaddcred -p uid -P principal-name local

    The principal-name consists of the administrator's login name and domain name. This example adds a LOCAL credential for an administrator with a UID of 11177 and an NIS+ principal name of topadmin.doc.com. 


    rootmaster# nisaddcred -p 11177 -P topadmin.doc.com. local

    For more information about the nisaddcred command, see the credentials chapter of Solaris Naming Administration Guide.

  22. Add your DES credentials to the root domain.

    Use the nisaddcred command again, but with the following syntax: 


    nisaddcred -p secure-RPC-netname- P principal-name des

    The secure-RPC-netname consists of the prefix unix followed by your UID, the symbol @, and your domain name, but without a trailing dot. The principal-name is the same as for LOCAL credentials: your login name followed by your domain name, with a trailing dot. 


    rootmaster# nisaddcred -p unix.11177@doc.com -P topadmin.doc.com. des
Adding key pair for unix.11177@doc.com (topadmin.doc.com.).
Enter login password:

    If, after entering your login password, you get a password that differs from the login password warning, yet the password you entered is your correct login password, ignore the error message. The message appears because NIS+ cannot read the protected /etc/shadow file that stores the password, as expected. The message would not have appeared if you had no user password information stored in the /etc/passwd file.

  23. Add credentials for other administrators.

    Add the credentials, both LOCAL and DES, of the other administrators who will work in the root domain. You can do this in the following ways.

    • An easy way to create temporary credentials for the other administrators is to use Solstice AdminSuite (if you have it available) running in NIS+ mode.

    • A second way is to ask them to add their own credentials. However, they will have to do this as superuser. Here is an example that adds credentials for an administrator with a UID of 33355 and a principal name of miyoko.doc.com. 


      rootmaster# nisaddcred -p 33355 -P miyoko.doc.com. local 
rootmaster# nisaddcred -p unix.33355@doc.com -P miyoko.doc.com. des 
Adding key pair for unix.33355@doc.com (miyoko.doc.com.).
 Enter login password:

    • A third way is for you to create temporary credentials for the other administrators, using dummy passwords. (Note that the other administrator, in this example miyoko, must have an entry in the NIS+ passwd table. If no such entry exists, you must first create one with nistbladm. The example below includes that step.) 


      rootmaster# nistbladm -D owner=miyoko.doc.com. name=miyoko uid=33355 gcos=miyoko 
home=/home/miyoko shell=/bin/tcsh passwd.org_dir
rootmaster# nisaddent -a -f /etc/passwd.xfr passwd 
rootmaster# nisaddent -a -f /etc/shadow.xfr shadow
rootmaster# nisaddcred -p 33355 -P miyoko.doc.com. local
rootmaster# nisaddcred -p unix.33355@doc.com -P miyoko.doc.com. des
Adding key pair for unix.33355@doc.com (miyoko.doc.com.).
Enter miyoko's login password:
nisaddcred: WARNING: password differs from login passwd.
Retype password:
rootmaster# nischown miyoko.doc.com. '[name=miyoko],passwd.org_dir'

      In this case, the first instance of nisaddent populates the passwd table--except for the password column. The second instance populates the shadow column. Each administrator can later change his or her network password using the chkey command. The credentials chapter of Solaris Naming Administration Guide describes how to do this.

  24. Add yourself and other administrators to the root domain's admin group.

    You don't have to wait for the other administrators to change their dummy passwords to perform this step. Use the nisgrpadm command with the -a option. The first argument is the group name, the remaining arguments are the names of the administrators. This example adds two administrators, topadmin and miyoko, to the admin.doc.com. group: 


    rootmaster# nisgrpadm -a admin.doc.com. topadmin.doc.com. miyoko.doc.com.
Added topadmin.doc.com. to group admin.doc.com.
Added miyoko.doc.com. to group admin.doc.com.

  25. Allocate sufficient swap space to accomodate NIS+ tables.

    Swap space should be double the size of the maximum size of rpc.nisd. To determine how much memory rpc.nisd is using, issue the following command:


    rootmaster# /usr/lib/nis/nisstat

    rpc.nisd will under certain circumstances fork a copy of itself. If there is not enough memory, rpc.nisd fails.

    You can also calculate the memory and swap space requirements for NIS+ tables. For example, if you have 180,000 users and 180,000 hosts in your NIS+ tables, those two tables occupy approximately 190 Mbytes of memory. When you add credentials for 180,000 users and 180,000 hosts, the cred table has 540,000 entries (one entry for each local user credential, one entry for each DES user credential, and one entry for each host). The cred table occupies approximately 285 Mbytes of memory. In this example, rpc.nisd occupies at least 190 Mbytes + 285 Mbytes = 475 Mbytes of memory. So, you will require at least 1 Gbyte swap space. You will also want at least 500 Mbytes of memory to hold rpc.nisd entirely in memory.

Root Domain Configuration Summary

Table 5-2 summarizes the steps required to configure a root domain. The summary assumes a simple case. Be sure you are familiar with the complete task descriptions before you use this summary as a reference. This summary does not show the server's responses to each command.

Table 5-2 Setting Up a Root Domain: Command Summary

Tasks 

Commands 

Log in as superuser to rootmaster.

rootmaster% su

Password:

Check domain name 

# domainname

Check Switch file. 

# more /etc/nsswitch.conf

Remove leftover NIS+ material. 

# rm -rf /var/nis*

Name the admin group. 

# NIS_GROUP=admin.doc.com.; export NIS_GROUP

Initialize the root master. 

# nisinit -r

[NIS-compat only] 

Start daemon with -Y -B, S 0.

Change to EMULYP=-Y -B.

# rpc.nisd -Y -B -S 0

# vi /etc/inet.d/rpc

[NIS+ Only] Start daemon with -S 0.

# rpc.nisd -S 0

Create org_dir and groups_dir tables.

# /usr/lib/nis/nissetup [-Y]

Create DES credentials for root master. 

#nisaddcred des

Enter login password:

Create admin group.

# nisgrpadm -c admin.doc.com.

Assign full group rights to root directory 

# nischmod g+rmcd doc.com.

Add rootmaster to admin group.

# nisgrpadm -a admin.doc.com. rootmaster.doc.com.

Update root directory's keys. Update org_dir's keys. Update groups_dir's keys.

# /usr/lib/nis/nisupdkeys doc.com.

# /usr/lib/nis/nisupdkeys org_dir.doc.com.

# /usr/lib/nis/nisupdkeys groups_dir.doc.com.

Start NIS+ cache manager 

# nis_cachemgr

Kill existing daemon. 

# ps -ef | grep rpc.nisd

# kill -9 process-id

Restart the NIS+ daemon. (Use -Y for NIS compat and -B for DNS.)

# rpc.nisd [-Y] [-B]

Add your LOCAL credentials. 

# nisaddcred -p 11177 -P topadmin.doc.com. local

Add your DES credentials. 

# nisaddcred -p unix.11177@doc.com -P topadmin.doc.com. des Enter login password:

Add credentials for other admins. 

Add other admins to admin group.

# nisaddcred ... nisgrpadm -a admin.doc.com members