Oracle Solaris Administration: Naming and Directory Services     Oracle Solaris 11 Information Library

Preparing the Master Server

The following sections describe how to prepare the source files and the passwd files for the master server.

Source Files Directory

The source files are typically located in the /etc directory on the master server. However, leaving them in /etc is undesirable because the contents of the maps are then the same as the contents of the local files on the master server. This is a special problem for passwd and shadow files because all users have access to the master server maps and the root password would be passed to all NIS clients through the passwd map. See passwd Files and Namespace Security for additional information.

However, if you put the source files in some other directory, you must modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/your-choice, where your-choice is the name of the directory you will be using to store the source files. This allows you to treat the local files on the server as if they were those of a client. (It is good practice to first save a copy of the original Makefile.)

In addition, the audit_user, auth_attr, exec_attr, and prof_attr NIS maps should be created from a directory other than the default. Amend /var/yp/Makefile by changing RBACDIR =/etc/security to RBACDIR=/your-choice.

passwd Files and Namespace Security

For security reasons, the files used to build the NIS password maps should not contain an entry for root, to prevent unauthorized root access. Therefore, the password maps should not be built from the files located in the master server's /etc directory. The password files used to build the password maps should have the root entry removed from them and be located in a directory that can be protected from unauthorized access.

For example, the master server password input files should be stored in a directory such as /var/yp, or any directory of your choice, as long as the file itself is not a link to another file and its location is specified in the Makefile. The correct directory option is set automatically according to the configuration specified in your Makefile.


Caution - Be sure that the passwd file in the directory specified by PWDIR does not contain an entry for root.


If your source files are in a directory other than /etc, you must alter the PWDIR password macro in /var/yp/Makefile to refer to the directory where the passwd and shadow files reside. You change the line PWDIR=/etc to PWDIR=/your-choice, where your-choice is the name of the directory that you will use to store the passwd map source files.
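A check for the rules in this section, as an added example that is not part of the Oracle documentation: the shell function reads PWDIR from the Makefile and flags a PWDIR of /etc, passwd or shadow source files that are symbolic links or still contain a root entry, and a source directory that is writable by group or other. The function name, the UID 0 test and the writability test are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the NIS password source files named by PWDIR.
# Usage: audit_nis_pwdir [Makefile]        (default: /var/yp/Makefile)
# Prints one line per finding; the return status is the number of findings.
audit_nis_pwdir() {
    makefile=${1:-/var/yp/Makefile}
    findings=0
    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Take the last uncommented PWDIR assignment; spaces around '=' are allowed.
    pwdir=$(sed -n \
        's/^[[:space:]]*PWDIR[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$makefile" 2>/dev/null | tail -1)
    if [ -z "$pwdir" ]; then
        flag "no PWDIR assignment found in $makefile"
        return "$findings"
    fi
    [ "$pwdir" = /etc ] && flag "PWDIR is /etc, the master server's own local files"

    for name in passwd shadow; do
        file=$pwdir/$name
        # The page requires that the file itself is not a link to another file.
        [ -L "$file" ] && flag "$file is a symbolic link"
        [ -f "$file" ] || continue
        # Field 1 is the login name; field 3 of passwd is the UID. Flagging
        # every UID 0 account, not only "root", is an assumption of this example.
        bad=$(awk -F: -v n="$name" \
            '$1 == "root" || (n == "passwd" && $3 ~ /^0+$/) { print $1 }' "$file")
        for user in $bad; do
            flag "$file contains an entry for $user"
        done
    done

    # Assumption: "protected" means not writable by group or other.
    mode=$(ls -ld "$pwdir" 2>/dev/null | cut -c1-10)
    case $mode in
        d????w????|d???????w?) flag "$pwdir is writable by group or other ($mode)" ;;
    esac
    return "$findings"
}
```

Run the function after copying the passwd and shadow files into place and before building the maps; a return status of 0 means no findings.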

How to Prepare Source Files for Conversion

This procedure explains how to prepare the source files for conversion to NIS maps.

  1. Become an administrator.

    For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.

  2. Check the source files on the master server to make sure that they reflect your system.

    Check the following files:

    • audit_user

    • auth_attr

    • auto.home or auto_home

    • auto.master or auto_master

    • bootparams

    • ethers

    • exec_attr

    • group

    • hosts

    • ipnodes

    • netgroup

    • netmasks

    • networks

    • passwd

    • protocols

    • rpc

    • services

    • shadow

    • user_attr

  3. Copy all of these source files, except for passwd and shadow, to the source directory that you have selected.

    The source directory is defined in /var/yp/Makefile by the DIR macro.

  4. Copy the passwd and shadow files to the password source directory that you have selected.

    The password source directory is defined in the Makefile by the PWDIR macro.

  5. Copy the audit_user, auth_attr, exec_attr, and prof_attr files to the RBAC source directory that you have selected.

    The RBAC source directory is defined in /var/yp/Makefile by the RBACDIR macro. If desired, merge the contents of the files in the /etc/security/auth_attr.d directory into a copy of the auth_attr file before copying it. Similarly, combine the files in the exec_attr.d and prof_attr.d directories with exec_attr and prof_attr, if desired.


    Caution - Because these files will need to be remerged any time the system is upgraded, keep the local files separate from the release files in the /etc/security/*.d directories.


  6. Check the /etc/mail/aliases file.

    Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Refer to the aliases(4) man page for more information.


    Note - You can add an NIS-specific mail aliases file by pointing the ALIASES = /etc/mail/aliases entry in /var/yp/Makefile to another location. When you then run the make command, the ALIASES entry creates a mail.aliases map. The sendmail service uses this map in addition to the /etc/mail/aliases file when the /etc/nsswitch.conf file properly targets nis in addition to files. Refer to Modifying and Using /var/yp/Makefile.


  7. Clean all comments and other extraneous lines and information from the source files.

    These operations can be done through a sed or awk script or with a text editor. /var/yp/Makefile performs some file cleaning automatically for you, but it is good practice to manually examine and clean these files before running the make command.

  8. Make sure that the data in all the source files is correctly formatted.

    Source file data must be in the correct format for that particular file. Check the man pages for the different files to make sure that each file is in the correct format.

Preparing /var/yp/Makefile

After checking the source files and copying them into the source file directory, you now need to convert those source files into the ndbm format maps that the NIS service uses. This is done automatically for you by ypinit when called on the master server, as explained in How to Set Up the Master Server.

The ypinit script calls the make program, which uses /var/yp/Makefile. A default copy of the file is provided for you in the /var/yp directory and contains the commands needed to transform the source files into the desired ndbm format maps.

You can use the default Makefile as is, or modify it. If you do modify the default Makefile, be sure to first copy and store the original default Makefile in case you need it for future use. You might need to make one or more of the following modifications to the Makefile:

The function of the Makefile is to create the appropriate NIS maps for each of the databases listed under all. After passing through makedbm the data is collected in two files, mapname.dir and mapname.pag. Both files are in the /var/yp/domainname directory on the master server.

The Makefile builds passwd maps from the /PWDIR/passwd, /PWDIR/shadow, and /PWDIR/security/passwd.adjunct files, as appropriate.

How to Install the NIS Master Server Package

Normally, the NIS master server package is installed when appropriate with the Oracle Solaris release. If the package was not included when the system was installed, use the following procedure to install the package.

  1. Become an administrator.

    For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.

  2. Install the NIS master server package.

    # pkg install pkg:/service/network/nis

How to Set Up the Master Server

The ypinit script sets up the master server and the slave servers and clients to use NIS. It also initially runs the make command to create the maps on the master server.

To use the ypinit command to build a fresh set of NIS maps on the master server, complete the following procedure.

  1. Become an administrator on the NIS master server.

    For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.

  2. Edit the /etc/inet/hosts file.

    Add the host name and IP address of each NIS server. Use the following format: IPaddress FQDN-hostname aliases.

    For example:

    129.0.0.1    master.example.com master
    129.0.0.2    slave1.example.com slave1
    129.0.0.3    slave2.example.com slave2

  3. Build new maps on the master server.

    # /usr/sbin/ypinit -m

  4. Type the names of the NIS servers.

    When ypinit prompts for a list of other machines to become NIS slave servers, type the name of the server you are working on, along with the names of the NIS slave servers that you specified in the /etc/inet/hosts file.

  5. Verify that the DNS domain name is set.

    # svcprop -p config/domainname svc:/network/nis/domain:default
    example.com

  6. Type y to stop the process if a nonfatal error occurs.

    When ypinit asks whether you want the procedure to terminate at the first nonfatal error or continue despite nonfatal errors, type y. When you choose y, ypinit exits upon encountering the first problem. You can then fix it and restart ypinit. This is recommended if you are running ypinit for the first time. If you prefer to continue, you can try to manually fix all problems that occur, and then restart ypinit.


    Note - A nonfatal error can appear when some of the map files are not present. This is not an error that affects the functioning of NIS. You might need to add maps manually if they were not created automatically. Refer to Default NIS Maps for a description of all default NIS maps.


  7. Choose whether the source files should be deleted.

    The ypinit command asks whether the existing files in the /var/yp/domain-name directory can be destroyed. This message is displayed only if NIS has been previously installed. Normally, you would choose to delete the source files if you want to clean up the files from a previous installation.

  8. After the ypinit command has constructed the list of servers, it invokes the make command.

    This program uses the instructions contained in the Makefile (either the default file or the one you modified) located in /var/yp. The make command cleans any remaining comment lines from the files that you designated. It also runs makedbm on the files, creating the appropriate maps and establishing the name of the master server for each map.

    If the map or maps being pushed by the Makefile correspond to a domain other than the one returned by the domainname command on the master, you can make sure that they are pushed to the correct domain by starting make in the ypinit shell script with a proper identification of the variable DOM, as follows:

    # make DOM=domain-name passwd

    This command pushes the passwd map to the intended domain, instead of the domain to which the master belongs.

  9. If needed, make changes to the name service switch.

    See Managing the Name Service Switch.

How to Support Multiple NIS Domains on One Master Server

Normally, an NIS master server supports only one NIS domain. However, if you are using a master server to support multiple domains, you must slightly modify the steps, as described in How to Set Up the Master Server, when setting up the server to serve the additional domains.

  1. Become an administrator on the NIS master server.

    For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.

  2. Change the NIS domain name.

    # svccfg -s svc:/network/nis/domain
    svc:/network/nis/domain: setprop config/domainname = hostname: sales.example.com
    svc:/network/nis/domain: quit

  3. Refresh the SMF service.

    # svcadm refresh svc:/network/nis/domain

  4. Build the NIS files.

    # make DOM=sales.example.com