System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
The following sections describe how to prepare the source files and the passwd files for the master server.
The source files can be located in the /etc directory on the master server, or in some other directory. Having them in /etc is undesirable because the contents of the maps are then the same as the contents of the local files on the master server. This is a special problem for the passwd and shadow files because all users have access to the master server maps, and the root password would be passed to all NIS clients through the passwd map. See Passwd Files and Namespace Security for additional information.
However, if you put the source files in some other directory, you must modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/your-choice, where your-choice is the name of the directory you will be using to store the source files. This allows you to treat the local files on the server as if they were those of a client. (It is good practice to first save a copy of the original Makefile.)
In addition, if audit_user, auth_attr, exec_attr and prof_attr are to be taken from a directory other than the default, you must change the RBACDIR=/etc/security line to RBACDIR=/your-choice.
The passwd map is a special case. In addition to the old Solaris 1 passwd file format, this implementation of NIS accepts the /etc/passwd and /etc/shadow file formats as input for building the NIS password maps.
For security reasons, the files used to build the NIS password maps should not contain an entry for root, to prevent unauthorized root access. Therefore, the password maps should not be built from the files located in the master server's /etc directory. The password files used to build the password maps should have the root entry removed from them and be located in a directory that can be protected from unauthorized access.
For example, the master server password input files should be stored in a directory such as /var/yp, or any directory of your choice, as long as the file itself is not a link to another file and its location is specified in the Makefile. The correct directory option is set automatically according to the configuration specified in your Makefile.
Caution - Be sure that the passwd file in the directory specified by PWDIR does not contain an entry for root.
If your source files are in a directory other than /etc, you must alter the PWDIR password macro in the Makefile to refer to the directory where the passwd and shadow files reside, changing the line PWDIR=/etc to PWDIR=/your-choice, where your-choice is the name of the directory you will be using to store the passwd map source files.
Prepare the source files for conversion to NIS maps.
Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
Check the following files:
auto.home or auto_home
auto.master or auto_master
audit_user
auth_attr
bootparams
ethers
exec_attr
group
hosts
ipnodes
netgroup
netmasks
networks
passwd
protocols
rpc
services
shadow
user_attr
Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Refer to aliases(4) for more information.
Note - You can add an NIS-specific mail aliases file by pointing the ALIASES = /etc/mail/aliases entry in /var/yp/Makefile to another location. When you then run make, the ALIASES entry creates a mail.aliases map. The sendmail service uses this map in addition to the /etc/mail/aliases file when the /etc/nsswitch.conf file properly targets nis in addition to files. Refer to Modifying and Using the Makefile.
These operations can be done with a sed or awk script or with a text editor. The Makefile performs some file cleaning automatically for you, but it is good practice to examine and clean these files by hand before running make.
Source file data needs to be in the correct format for that particular file. Check the man pages for the different files to make sure that each file is in the correct format.
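As an added example that is not part of the Solaris guide, the following POSIX shell functions stage the passwd and shadow source files the way the passwd-file section and the file-cleaning step above describe: the files are copied out of /etc into a protected PWDIR with the root entry removed, symbolic links are refused, every remaining line is checked for the field count its format requires (7 for the /etc/passwd format, 9 for /etc/shadow) before it is written, and the results are locked to mode 600. The PWDIR path /var/yp/src-nis used in the comments and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the Solaris guide). Stages passwd/shadow source
# files for NIS map building: root entry removed, format checked, permissions
# locked down. PWDIR is assumed to be /var/yp/src-nis here; any directory
# named on the Makefile's PWDIR line works.

# prepare_nis_passwd_sources SRC_PASSWD SRC_SHADOW PWDIR
# Returns 0 on success; non-zero if a source is missing or a symlink, a line
# has the wrong number of colon-separated fields, or PWDIR cannot be created.
prepare_nis_passwd_sources() {
    src_passwd=$1; src_shadow=$2; pwdir=$3

    # The guide requires the source file itself, not a link to another file.
    for f in "$src_passwd" "$src_shadow"; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "refusing source file $f (missing or symlink)" >&2
            return 1
        fi
    done

    # PWDIR must be protected from unauthorized access: owner-only directory.
    mkdir -p "$pwdir" && chmod 700 "$pwdir" || return 1

    # /etc/passwd format has 7 fields, /etc/shadow format has 9.
    _filter_nis_source 7 "$src_passwd" > "$pwdir/passwd" || return 1
    _filter_nis_source 9 "$src_shadow" > "$pwdir/shadow" || return 1

    chmod 600 "$pwdir/passwd" "$pwdir/shadow"
}

# _filter_nis_source NFIELDS FILE: print FILE without the root entry, comment
# lines and blank lines; exit 1 if any remaining line does not have NFIELDS
# fields (the Makefile would otherwise build a map from malformed data).
_filter_nis_source() {
    awk -F: -v want="$1" '
        BEGIN { bad = 0 }
        $1 == "root" { next }            # never ship root to NIS clients
        /^[[:space:]]*#/ { next }        # comment line
        /^[[:space:]]*$/ { next }        # blank line
        NF != want {
            print FILENAME ": line " NR " has " NF " fields, expected " want > "/dev/stderr"
            bad = 1
            next
        }
        { print }
        END { exit bad }' "$2"
}

# nis_source_has_root FILE: exit 0 if FILE still carries a root entry (the
# condition the caution above warns against), 1 otherwise.
nis_source_has_root() {
    awk -F: 'BEGIN { found = 0 } $1 == "root" { found = 1 } END { exit !found }' "$1"
}
```

Run it as root on the master server, for example `prepare_nis_passwd_sources /etc/passwd /etc/shadow /var/yp/src-nis`, then point PWDIR in /var/yp/Makefile at that directory; `nis_source_has_root /var/yp/src-nis/passwd` is the check to repeat whenever the source files are refreshed.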
After checking the source files and copying them into the source file directory, you now need to convert those source files into the ndbm format maps that the NIS service uses. This is done automatically for you by ypinit when called on the master server, as explained in Setting Up the Master Server With ypinit.
The ypinit script calls the program make, which uses the Makefile located in the /var/yp directory. A default Makefile is provided for you in the /var/yp directory and contains the commands needed to transform the source files into the desired ndbm format maps.
You can use the default Makefile as it is, or modify it if you want. (If you do modify the default Makefile, be sure to first copy and store the original default Makefile in case you need it for future use.) You might need to make one or more of the following modifications to the Makefile:
Nondefault maps
If you have created your own non-default source files and want to convert them to NIS maps, you must add those source files to the Makefile.
DIR value
If you want the Makefile to use source files stored in some directory other than /etc, as explained in Source Files Directory, you must change the value of DIR in the Makefile to the directory that you want to use. When changing this value in the Makefile, do not indent the line.
PWDIR value
If you want the Makefile to use passwd, shadow, and/or adjunct source files stored in some directory other than /etc, you must change the value of PWDIR in the Makefile to the directory that you want to use. When changing this value in the Makefile, do not indent the line.
Domain name resolver
If you want the NIS server to use the domain name resolver for machines not in the current domain, comment out the Makefile line B=, and uncomment (activate) the line B=-b.
The function of the Makefile is to create the appropriate NIS maps for each of the databases listed under all. After passing through makedbm the data is collected in two files, mapname.dir and mapname.pag. Both files are in the /var/yp/domainname directory on the master server.
The Makefile builds passwd maps from the /PWDIR/passwd, /PWDIR/shadow, and /PWDIR/security/passwd.adjunct files, as appropriate.
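To make the DIR, PWDIR and RBACDIR changes described above without indenting the lines or losing the original file, the following POSIX shell functions edit the Makefile with sed and keep a copy of the original first. This is an added example, not the guide's own procedure; the Makefile lines it expects (DIR =/etc, PWDIR =/etc, RBACDIR =/etc/security, the commented-out B=-b and the active B=) are the ones quoted on this page, and the directory names in the usage are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Solaris guide). Edits /var/yp/Makefile the way
# the guide describes: DIR, PWDIR and RBACDIR pointed at a non-/etc source
# directory, and the domain name resolver enabled by swapping the B= lines.
# The original is kept as Makefile.orig, as the guide recommends.

# set_nis_makefile_dirs MAKEFILE DIR PWDIR RBACDIR
# Rewrites the three macro lines. Patterns are anchored at column 1 because
# the guide says these lines must not be indented.
set_nis_makefile_dirs() {
    mf=$1; dir=$2; pwdir=$3; rbacdir=$4
    [ -f "$mf" ] || return 1
    [ -f "$mf.orig" ] || cp -p "$mf" "$mf.orig" || return 1
    sed -e "s|^DIR[[:space:]]*=.*|DIR=$dir|" \
        -e "s|^PWDIR[[:space:]]*=.*|PWDIR=$pwdir|" \
        -e "s|^RBACDIR[[:space:]]*=.*|RBACDIR=$rbacdir|" \
        "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
}

# enable_nis_resolver MAKEFILE: comment out the "B=" line and activate "B=-b"
# so the server uses DNS for machines not in the current domain.
enable_nis_resolver() {
    mf=$1
    [ -f "$mf" ] || return 1
    sed -e 's|^B[[:space:]]*=[[:space:]]*$|#&|' \
        -e 's|^#[[:space:]]*B[[:space:]]*=[[:space:]]*-b[[:space:]]*$|B=-b|' \
        "$mf" > "$mf.tmp" && mv "$mf.tmp" "$mf"
}

# nis_makefile_value MAKEFILE MACRO: print the value of an unindented
# MACRO=value line (empty output if the macro is not set that way).
nis_makefile_value() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# check_nis_makefile MAKEFILE: succeed only if PWDIR is set and no longer
# points at /etc, i.e. the password maps will not be built from the live
# system files that still carry the root entry.
check_nis_makefile() {
    v=$(nis_makefile_value "$1" PWDIR)
    [ -n "$v" ] && [ "$v" != /etc ]
}
```

Typical use on the master server is `set_nis_makefile_dirs /var/yp/Makefile /var/yp/src-nis /var/yp/src-nis /var/yp/src-nis/security` followed by `check_nis_makefile /var/yp/Makefile` before running ypinit; `enable_nis_resolver` is only needed when the server should fall back to DNS.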
The ypinit script sets up master and slave servers and clients to use NIS. It also initially runs make to create the maps on the master server.
To use ypinit to build a fresh set of NIS maps on the master server, do the following.
# cp /etc/nsswitch.files /etc/nsswitch.conf
# /usr/sbin/ypinit -m
When you choose y, ypinit exits upon encountering the first problem; you can then fix it and restart ypinit. This is recommended if you are running ypinit for the first time. If you prefer to continue, you can try to manually fix all problems that occur, and then restart ypinit.
Note - A nonfatal error can appear when some of the map files are not present. This is not an error that affects the functionality of NIS. You might need to add maps manually if they were not created automatically. Refer to Default NIS Maps for a description of all default NIS maps.
This message is displayed only if NIS has been previously installed.
This program uses the instructions contained in the Makefile (either the default one or the one you modified) located in /var/yp. The make command cleans any remaining comment lines from the files you designated. It also runs makedbm on the files, creating the appropriate maps and establishing the name of the master server for each map.
If the map or maps being pushed by the Makefile correspond to a domain other than the one returned by the command domainname on the master, you can make sure that they are pushed to the correct domain by starting make in the ypinit shell script with a proper identification of the variable DOM, as follows:
# make DOM=domainname passwd
This pushes the password map to the intended domain, instead of the domain to which the master belongs.
# cp /etc/nsswitch.nis /etc/nsswitch.conf
This replaces the current switch file with the default NIS-oriented switch file. You can edit this file as necessary.
Normally, an NIS master server supports only one NIS domain. However, if you are using a master server to support multiple domains, you must slightly modify the steps, as described in Setting Up the Master Server With ypinit, when setting up the server to serve the additional domains.
Run the domainname command on the server. The domain name returned by the command is the server's default domain. The steps described in Setting Up the Master Server With ypinit will work properly for setting up service for that domain. To configure service for any other domain, you must modify the ypinit shell script as follows.
# make DOM=correct-domain passwd
correct-domain is the name of the other domain that you are setting up service for, and passwd is the make target. This command pushes the passwd map to the intended domain, instead of the domain to which the master belongs.