System Administration Guide: Naming and Directory Services (NIS+) |
Globally Updating NIS+ Client Key Information
The public keys of NIS+ servers are stored in several locations throughout the namespace. When new credential information is created for the server, a new key pair is generated and stored in the cred table. However, namespace directory objects still have copies of the server's old public key. The nisupdkeys command is used to update those directory object copies.
If a new key pair is generated because the old key pair has been compromised or the password used to encrypt the private key has been forgotten, the nisupdkeys command can be used to replace the old public key in the directory objects. The nisupdkeys command can:
Update the key of one particular server
Update the keys of all the servers that support an NIS+ directory object
Remove a server's public key from the directory object
Update a server's IP address, if that has changed
However, nisupdkeys cannot update the NIS_COLD_START files on the principal machines. To update their copies of a server's keys, NIS+ clients should run the nisclient command. Or, if the NIS+ cache manager is running and more than one server is available in the cold-start file, the principals can wait until the time-to-live expires on the directory object. When that happens, the cache manager automatically updates the cold-start file. The default time-to-live is 12 hours.
To use the nisupdkeys command, you must have modify rights to the NIS+ directory object.
The nisupdkeys command is located in /usr/lib/nis. The nisupdkeys command uses the following arguments (for a complete description of the nisupdkeys command and a full list of all its arguments, see the nisupdkeys man page).
Table 13-4 nisupdkeys Arguments
Table 13-5 gives an example of updating a public key.
Table 13-5 Updating an NIS+ Public Key: Command Examples
If you change a server's IP address, or add additional addresses, you need to run nisupdkeys to update NIS+ address information.
To update the IP addresses of one or more servers, use the -a option of the nisupdkeys command.
To update the IP addresses of the servers of a given domain:
rootmaster# nisupdkeys -a domain
To update the IP address of a particular server:
rootmaster# nisupdkeys -a -H server
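The following helper is an added example, not part of the guide: after a server's key pair has been replaced, it runs nisupdkeys -H server once for each directory object the server serves (or with -a to refresh the server's address) and reports how many directory objects could not be updated, since any one left behind still carries the old key. The server and directory names are assumptions, and the NISUPDKEYS variable lets the command be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not from the NIS+ guide). Refresh a server's public key, or
# its address, in every directory object it serves, one nisupdkeys call per
# directory object, and count the failures so the operator knows whether any
# directory object still holds the old key or address.
# NISUPDKEYS defaults to the path given in the guide; override it with a stub
# (assumption) to rehearse the run without touching the namespace.
NISUPDKEYS=${NISUPDKEYS:-/usr/lib/nis/nisupdkeys}

# refresh_server SERVER MODE DIR...
#   MODE "keys": nisupdkeys -H SERVER DIR    (push the new public key)
#   MODE "addr": nisupdkeys -a -H SERVER DIR (push the new IP address)
# Returns the number of directory objects that failed to update (0 = all
# updated); returns 255 for an unknown mode.
refresh_server() {
    server=$1; mode=$2; shift 2
    failed=0
    case $mode in
        keys) opt="" ;;
        addr) opt="-a" ;;
        *) echo "refresh_server: unknown mode '$mode'" >&2; return 255 ;;
    esac
    for dir in "$@"; do
        # $opt is left unquoted on purpose: when empty it expands to no word.
        "$NISUPDKEYS" $opt -H "$server" "$dir" || failed=$((failed + 1))
    done
    return $failed
}

# Example run (names are constructed): update the key of rootmaster.doc.com.
# in the root directory and its org_dir and groups_dir subdirectories.
refresh_server rootmaster.doc.com. keys doc.com. org_dir.doc.com. groups_dir.doc.com.
```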