|Skip Navigation Links|
|Exit Print View|
|System Administration Guide: Naming and Directory Services (NIS+)|
Note - It is much easier to perform this task with the NIS+ installation scripts, as described in Part 1, than with the NIS+ command set as described here. The methods described in this chapter should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.
You should not configure a non-root domain until after you have configured its servers.
Setting up a non-root domain involves the following tasks:
Establishing security for the domain
Creating the domain's directories
Creating the domain's tables
Designating the domain's servers
As with setting up the root domain, these tasks cannot be performed sequentially. To make the configuration process easier to execute, they have been broken down into individual steps and the steps have been arranged into the most efficient order.
The differences between NIS-compatible and standard NIS+ servers in subdomains are the same as they are for servers in the root domain (see Standard Configuration and NIS-Compatible NIS+ Configuration Procedures).
The NIS+ daemon for each server in an NIS-compatible domain should have been started with the -Y option, as instructed in Chapter 7, Configuring NIS+ Servers. An NIS-compatible domain also requires its tables to provide read rights for the nobody class, which allows NIS clients to access the information stored in them. This is accomplished with the -Y option to the nissetup command, shown in Step 4. (The standard NIS+ domain version uses the same command but without the -Y option, so it is described in the same step.)
Here is a summary of the entire configuration process:
Log in to the domain's master server.
Name the domain's administrative group.
Create the domain's directory and designate its servers.
Create the domain's subdirectories and tables.
Create the domain's admin group.
Assign full group access rights to the directory object.
Add the servers to the domain's admin group.
Add credentials for other administrators.
Add the administrators to the domain's admin group.
Note - The NIS+ security system is complex. If you are not familiar with NIS+ security, you might want to review Chapter 17, Administering NIS+ Groups before starting to configure your NIS+ environment.
At most sites, to preserve the security of the parent domain, only the parent domain's master server or an administrator who belongs to the parent domain's admin group is allowed to create a domain beneath it. Although this is a policy decision and not a requirement of NIS+, the instructions in this chapter assume that you are following that policy. Of course, the parent domain's admin group must have create rights to the parent directory object. To verify this, use the niscat -o command.
rootmaster# niscat -o doc.com. Object Name : Doc Owner : rootmaster Group : admin.doc.com. Domain : Com. Access Rights : r---rmcdrmcdr--- :
If you are more concerned about convenience than security, you can make the new domain's master server a member of its parent domain's admin group, then perform the entire procedure from the server. Use the nisgrpadm command, described in Chapter 17, Administering NIS+ Groups.
Use NIS+ commands to set up a non-root domain.
The parent domain must be configured and running.
The server that will be designated as this domain's master must be initialized and running NIS+.
If you plan to designate a replica server, the master server must be able to obtain the replica's IP address through its /etc/hosts file or from its NIS+ hosts table.
Note - Prior to the Solaris 10 7/07 release, the master server must be able to obtain an IPv6 replica's IP address through its /etc/inet/ipnodes file or from its ipnodes table.
You also need the following information:
The name of the new domain's master and replica servers
The name of the new domain's admin group (for Step 2)
The name of the new domain (for Step 3)
User IDs (UID) of the administrators who will belong to the new domain's admin group (for Step 8)
Log in to the server that you will designate as the new domain's master. The steps in this task use the server named smaster, which belongs to the doc.com. domain, and will become the master server of the sales.doc.com. subdomain. The administrator performing this task is nisboss.doc.com., a member of the admin.doc.com. group. That group has full access rights to the doc.com. directory object.
Although you won't actually create the admin group until Step 5, you need to identify it now. This enables the nismkdir command used in the following step to create the directory object with the proper access rights for the group. It does the same for the nissetup utility used in Step 4.
Set the value of the environment variable NIS_GROUP to the name of the domain's admin group. Here are two examples, one for C shell users and one for Bourne or Korn shell users. They both set NIS_GROUP to admin.sales.doc.com.
For C Shell
smaster# setenv NIS_GROUP admin.sales.doc.com.
For Bourne or Korn Shell
smaster# NIS_GROUP=admin.sales.doc.com. smaster# export NIS_GROUP
nismkdir -m master -s replica domain
The -m flag designates its master server, and the -s flag designates its replica.
smaster# nismkdir -m smaster -s salesreplica sales.doc.com.
The directory is loaded into /var/nis. Use the niscat -o command to view it (do not use cat or more).
smaster# niscat -o sales.doc.com. Object Name : Sales Owner : nisboss.doc.com. Group : admin.sales.doc.com. Domain : doc.com. Access Rights : ----rmcdr---r--- .
Unlike the root directory, this directory object does have the proper group assignment. As a result, you won't have to use nischgrp.
This step adds the org_dir and groups_dir directories and the NIS+ tables beneath the new directory object. Use the nissetup utility, but be sure to add the new domain name. And, for an NIS-compatible domain, include the -Y flag.
smaster# /usr/lib/nis/nissetup -Y sales.doc.com.
smaster# /usr/lib/nis/nissetup sales.doc.com.
Each object added by the utility is listed in the output:
smaster# /usr/lib/nis/nissetup org_dir.sales.doc.com. created groups_dir.sales.doc.com. created auto_master.org_dir.sales.doc.com. created auto_home.org.dir.sales.doc.com. created bootparams.org_dir.sales.doc.com. created cred.org_dir.sales.doc.com. created ethers.org_dir.sales.doc.com. created group.org_dir.sales.doc.com. created hosts.org_dir.sales.doc.com. created mail_aliases.org_dir.sales.doc.com. created sendmailvars.org_dir.sales.doc.com. created netmasks.org_dir.sales.doc.com. created netgroup.org_dir.sales.doc.com. created networks.org_dir.sales.doc.com. created passwd.org_dir.sales.doc.com. created protocols.org_dir.sales.doc.com. created rpc.org_dir.sales.doc.com. created services.org_dir.sales.doc.com. created timezone.org_dir.sales.doc.com. created
The -Y option creates the same tables and subdirectories as for a standard NIS+ domain, but assigns read rights to the nobody class so that requests from NIS clients, which are unauthenticated, can access information in the NIS+ tables.
You can verify the existence of the org_dir and groups_dir directories by looking in your master server's /var/nis/data directory. They are listed along with the root object and other NIS+ tables. The tables are listed under the org_dir directory. You can examine the contents of any table by using the niscat command, described in Chapter 9, Setting Up NIS+ Tables (although at this point the tables are empty).
This step creates the admin group named in Step 2. Use the nisgrpadm command with the -c option. This example creates the admin.sales.doc.com. group
smaster# nisgrpadm -c admin.sales.doc.com. Group admin.sales.doc.com. created.
This step only creates the group – it does not identify its members. That is done in Step 9.
By default, the directory object grants only its group read access, which makes the group no more useful than the world class. To make the configuration of clients and subdomains easier, change the access rights that the directory object grants its group from read to read, modify, create, and destroy. Use the nischmod command.
smaster# nischmod g+rmcd sales.doc.com.
Complete instructions for using the nischmod command are provided in Chapter 15, Administering NIS+ Access Rights.
At this point, the domain's group has no members. Add the master and replica servers, using the nisgrpadm command with the -a option. The first argument is the group name; the others are the names of the new members. This example adds smaster.doc.com. and salesreplica.doc.com. to the admin.sales.doc.com. group:
smaster# nisgrpadm -a admin.sales.doc.com. smaster.doc.com. salesreplica.doc.com. Added smaster.doc.com. to group admin.sales.doc.com. Added salesreplica.doc.com. to group admin.sales.doc.com.
To verify that the servers are indeed members of the group, use the nisgrpadm command with the -l option (see Chapter 17, Administering NIS+ Groups).
smaster# nisgrpadm -l admin.sales.doc.com. Group entry for admin.sales.doc.com. group: Explicit members: smaster.doc.com. salesreplica.doc.com. No implicit members No recursive members No explicit nonmembers No implicit nonmembers No recursive nonmembers
Add the credentials of the other administrators who will work in the domain.
smaster# nisaddcred -p 33355 -P nisboss.doc.com. local
For administrators who do not yet have credentials, you can proceed in two different ways.
One way is to ask them to add their own credentials. However, they will have to do this as superuser. Here is an example in which an administrator with a UID of 22244 and a principal name of juan.sales.doc.com. adds his own credentials to the sales.doc.com. domain.
smaster# nisaddcred -p 22244 -P juan.sales.doc.com. local smaster# nisaddcred -p email@example.com -P \ juan.sales.doc.com. des Adding key pair for firstname.lastname@example.org. Enter login password:
smaster# nisaddcred -p 22244 -P juan.sales.doc.com. local smaster# nisaddcred -p email@example.com -P \ juan.sales.doc.com. des Adding key pair for firstname.lastname@example.org. Enter juan's login password: nisaddcred: WARNING: password differs from login passwd. Retype password:
Note - In the two examples shown in Step 8, the domain name following the lower case -p flag must never end in a trailing dot, while the domain name following the upper case -P flag must always end in a trailing dot.
You don't have to wait for the other administrators to change their dummy passwords to perform this step. Use the nisgrpadm command with the -a option. The first argument is the group name, and the remaining arguments are the names of the administrators. This example adds the administrator juan to the admin.sales.doc.com. group:
smaster# nisgrpadm -a admin.sales.doc.com. juan.sales.doc.com. Added juan.sales.doc.com. to group admin.sales.doc.com.
Swap space should be double the size of the maximum size of rpc.nisd. To determine how much memory rpc.nisd is using, issue the following command:
rpc.nisd will under certain circumstances fork a copy of itself. If there is not enough memory, rpc.nisd fails.
You can also calculate the memory and swap space requirements for NIS+ tables. For example, if you have 180,000 users and 180,000 hosts in your NIS+ tables, those two tables occupy approximately 190 Mbytes of memory. When you add credentials for 180,000 users and 180,000 hosts, the cred table has 540,000 entries (one entry for each local user credential, one entry for each DES user credential, and one entry for each host). The cred table occupies approximately 285 Mbytes of memory. In this example, rpc.nisd occupies at least 190 Mbytes + 285 Mbytes = 475 Mbytes of memory. So, you will require at least 1 Gbyte swap space. You will also want at least 500 Mbytes of memory to hold rpc.nisd entirely in memory.