DHCP Client Systems and Name Services

Oracle Solaris systems support the following name services: DNS, NIS, NIS+, and a local file store (/etc/inet/hosts). Each name service requires some configuration before it is usable. The name service switch configuration file (see nsswitch.conf(4)) must also be set up appropriately to indicate the name services to be used.

Before a DHCP client system can use a name service, you must configure the system as a client of the name service. By default, and unless configured otherwise during system installation, only local files are used.

The following table summarizes issues that are related to each name service and DHCP. The table includes links to documentation that can help you set up clients for each name service.

Table 16-1 Name Service Client Setup Information for DHCP Client Systems

Name Service	Client Setup Information
NIS	If you are using DHCP to send Oracle Solaris network install information to a client system, you can use a configuration macro that contains the `NISservs` and `NISdmain` options. These options pass the IP addresses of NIS servers and the NIS domain name to the client. The client then automatically becomes an NIS client. If a DHCP client system is already running Oracle Solaris, the NIS client is not automatically configured on that system when the DHCP server sends NIS information to the client. If the DHCP server is configured to send NIS information to the DHCP client system, you can see the values given to the client if you use the `dhcpinfo` command on the client as follows: # `/sbin/dhcpinfo NISdmain` # `/sbin/dhcpinfo NISservs` Note - For DHCPv6, include `-v6`, and different protocol keywords in the command. # `/sbin/dhcpinfo -v6 NISDomain` # `/sbin/dhcpinfo -v6 NISServers` Use the values returned for the NIS domain name and NIS servers when you set up the system as an NIS client. You set up an NIS client for an DHCP client system in the standard way, as documented in Chapter 5, Setting Up and Configuring NIS Service, in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). Tip - You can write a script that uses `dhcpinfo` and `ypinit` to automate NIS client configuration on DHCP client systems.
NIS+	If the NIS+ client for a DHCP client system is set up in the conventional way, then the DHCP server might give the client different addresses from time to time. This creates security issues, because NIS+ security includes IP address as part of the configuration. To assure that your client has the same address every time, set up the NIS+ client for a DHCP client system in a nonstandard way, which is documented in Setting Up DHCP Clients as NIS+ Clients. If the DHCP client system has been manually assigned an IP address, the client's address is always the same. You can set up the NIS+ client in the standard way, which is documented in Setting Up NIS+ Client Machines in System Administration Guide: Naming and Directory Services (NIS+).
`/etc/inet/hosts`	You must set up the `/etc/inet/hosts` file for a DHCP client system that is to use `/etc/inet/hosts` for its name service. The DHCP client system's host name is added to its own `/etc/inet/hosts` file by the DHCP tools. However, you must manually add the host name to the `/etc/inet/hosts` files of other systems in the network. If the DHCP server system uses `/etc/inet/hosts` for name resolution, you must also manually add the client's host name on the system.
DNS	If the DHCP client system receives the DNS domain name through DHCP, the client system's `/etc/resolv.conf` file is configured automatically. The `/etc/nsswitch.conf` file is also automatically updated to append `dns` to the `hosts` line after any other name services in the search order. See System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) for more information about DNS.

Setting Up DHCP Clients as NIS+ Clients

You can use the NIS+ name service on Oracle Solaris systems that are DHCP clients. However, if your DHCP server can provide different addresses at different times, this partially circumvents one of the security-enhancing features of NIS+, the creation of Data Encryption Standard (DES) credentials. For the sake of security, configure the DHCP server to provide the same address all the time. When you set up an NIS+ client that is not using DHCP, you add unique DES credentials for the client to the NIS+ server. There are several ways to create credentials, such as using the nisclient script or the nisaddcred command.

NIS+ credential generation requires a client to have a static host name to create and store the credentials. If you want to use NIS+ and DHCP, you must create identical credentials to be used for all the host names of DHCP clients. In this way, no matter what IP address and associated host name that a DHCP client receives, the client can use the same DES credentials.

The following procedure shows you how to create identical credentials for all DHCP host names. This procedure is valid only if you know the host names that DHCP clients use. For example, when the DHCP server generates the host names, you know the possible host names that a client can receive.

How to Set Up DHCP Clients as NIS+ Clients

A DHCP client system that is to be an NIS+ client must use credentials that belong to another NIS+ client system in the NIS+ domain. This procedure only produces credentials for the system, which apply only to the superuser logged in to the system. Other users who log in to the DHCP client system must have their own unique credentials in the NIS+ server. These credentials are created according to a procedure in the System Administration Guide: Naming and Directory Services (NIS+).

Create the credentials for a client by typing the following command on the NIS+ server:
```
# nisgrep nisplus-client-name cred.org_dir > /tmp/file
```
This command writes the cred.org_dir table entry for the NIS+ client to a temporary file.
Use the cat command to view the contents of the temporary file.
Or, use a text editor.
Copy the credentials to use for DHCP clients.
You must copy the public key and private key, which are long strings of numbers and letters separated by colons. The credentials are to be pasted into the command issued in the next step.
Add credentials for a DHCP client by typing the following command:
```
# nistbladm -a cname=" dhcp-client-name@nisplus-domain" auth_type=DES \
auth_name="unix.dhcp-client-name@nisplus-domain" \
public_data=copied-public-key \ 
private_data=copied-private-key
```
For the copied-public-key, paste the public key information that you copied from the temporary file. For the copied-private-key, paste the private key information that you copied from the temporary file.
Remote copy files from the NIS+ client system to the DHCP client system by typing the following commands on the DHCP client system:
```
# rcp nisplus-client-name:/var/nis/NIS_COLD_START /var/nis
# rcp nisplus-client-name:/etc/.rootkey /etc
# rcp nisplus-client-name:/etc/defaultdomain /etc
```
If you get a “permission denied” message, the systems might not be set up to allow remote copying. In this case, you can copy the files as a regular user to an intermediate location. As superuser, copy the files from the intermediate location to the proper location on the DHCP client system.
Copy the correct name service switch file for NIS+ by typing the following command on the DHCP client system:
```
# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
```
Reboot the DHCP client system.
The DHCP client system should now be able to use NIS+ services.

Example 16-1 Setting up an DHCP Client System as an NIS+ Client

The following example assumes that you have one system nisei, which is an NIS+ client in the NIS+ domain dev.example.net. You also have one DHCP client system, dhow, and you want dhow to be an NIS+ client.

(First log in as superuser on the NIS+ server)
# nisgrep nisei cred.org_dir > /tmp/nisei-cred
# cat /tmp/nisei-cred
nisei.dev.example.net.:DES:unix.nisei@dev.example.net:46199279911a84045b8e0
c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830
c05bc1c724b
# nistbladm -a cname="dhow@dev.example.net." \
auth_type=DES auth_name="unix.dhow@dev.example.net" \
public_data=46199279911a84045b8e0c76822179138173a20edbd8eab4 \
private_data=90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830\
c05bc1c724b
# rlogin dhow
(Log in as superuser on dhow)
# rcp nisei:/var/nis/NIS_COLD_START /var/nis
# rcp nisei:/etc/.rootkey /etc
# rcp nisei:/etc/defaultdomain /etc
# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
# reboot

The DHCP client system dhow should now be able to use NIS+ services.

Example 16-2 Adding Credentials With a Script

If you want to set up a large number of DHCP client systems as NIS+ clients, you can write a script. A script can quickly add the entries to the cred.org_dir NIS+ table. The following example shows a sample script.

#! /usr/bin/ksh  
# 
# Copyright (c) by Sun Microsystems, Inc. All rights reserved. 
# 
# Sample script for cloning a credential. Hosts file is already populated  
# with entries of the form dhcp-[0-9][0-9][0-9]. The entry we're cloning 
# is dhcp-001. 
#  
#  
PUBLIC_DATA=6e72878d8dc095a8b5aea951733d6ea91b4ec59e136bd3b3 
PRIVATE_DATA=3a86729b685e2b2320cd7e26d4f1519ee070a60620a93e48a8682c5031058df4
HOST="dhcp-" 
DOMAIN="mydomain.example.com"  
 
for 
i in 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019
do         
     print - ${HOST}${i}         
     #nistbladm -r [cname="${HOST}${i}.${DOMAIN}."]cred.org_dir         
     nistbladm -a cname="${HOST}${i}.${DOMAIN}." \
         auth_type=DES auth_name="unix.${HOST}${i}@${DOMAIN}" \
         public_data=${PUBLIC_DATA} private_data=${PRIVATE_DTA} cred.org_Dir
done  
 
exit 0

Skip Navigation Links
Exit Print View
	System Administration Guide: IP Services