This chapter provides procedures to configure the NIS+ clients at your site interactively, after you have configured the NIS+ master.
Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the workstation, the software enforces two-role task division. If two-person installation is not a site security requirement, you can assign the two administrative roles, secadmin and admin, to one person.
Configuring a NIS+ client is similar to configuring the NIS+ root master, except that configuration details the client receives from the NIS+ master do not have to be repeated.
Depending on your site configuration and installation method, some procedures can be omitted.
Log in as a user who can assume the role root and assume it.
See "How to Log In" if you are unsure of the steps.
Protect the workstation.
See "How to Protect Machine Hardware" if you are unsure of the steps.
Limit contact with other tsol hosts if required by site security.
See "How to Limit Contact During Booting" for an explanation and reference.
You made a diskette with files for the client in "Copy Configuration Files for Distribution to Clients".
As root, at label admin_low, make a temporary directory and go to it.
# mkdir /export/clientfiles
# cd /export/clientfiles
Copy the files from the diskette.
See "To Copy One or More Files from a Diskette" if you are unsure of the steps.
The label_encodings file on the client machine must be identical to the one on the NIS+ master. If you are sure it is identical, you may skip this step.
As root, at label admin_low, copy the NIS+ master's label_encodings file to the /etc/security/tsol directory.
Follow the procedure in "To Copy One or More Files from a Diskette".
Use the Check Encodings action to check the syntax of the file and install it.
The label_encodings file must pass the Check Encodings test before you continue.
Read the new label_encodings file into your environment by clicking the right mouse button on the workspace background and choosing Windows > Restart Workspace Manager.
If you set up static routing on the NIS+ master, set it up on the clients.
Determine the appropriate static routing for the client.
Table 6-1 Client Static Routing Entry
| | Client on same subnet | Client on different subnet |
|---|---|---|
| NIS+ master has 1 network interface | Use same entry as NIS+ master's | Static routing will be slightly different for the subnet |
| NIS+ master has >1 network interface | Enter NIS+ master's other network interface(s) in static routing file | |
As root, at label admin_low, enter the defaultrouter using the Set Default Routes action, or the tsolgateways using the Static Routing Configuration action.
See "Set Up Routing" for more explanation.
Save the file and exit the editor.
As root, at label admin_low, add the static routers and the NIS+ master to the client's local hosts database using the Database Manager.
See "To Open and Modify a Solstice_Apps Database" if you are unfamiliar with editing the Hosts database.
Exit the Database Manager.
Skip this procedure if the workstation has only one network interface.
Set up the workstation's network interfaces.
See "How to Add Network Interfaces" if you are unsure of the steps.
You need to do this step only if you assigned a template name for the NIS+ root master that is not one of the names supplied by the Trusted Solaris installation program, that is, not one of tsol, tsol_1, or tsol_2.
The tnrhtp(4) template definition and name for the NIS+ master must be identical on the client and master when you run the nisclient(1M) command.
As root, at label admin_low, use the File Manager to copy the tnrhtp file from the /export/clientfiles directory to /etc/security/tsol/tnrhtp.
As root, copy the original tnrhtp file to tnrhtp.orig:
# cd /etc/security/tsol/
# cp tnrhdb tnrhdb.orig
# rm tnrhdb
Double-click the File Manager icon in the Front Panel and navigate to the /export/clientfiles directory.
Open a second File Manager, and navigate to /etc/security/tsol.
Drag the file from the first File Manager to the /etc/security/tsol File Manager.
As root, at label admin_low, use the Database Manager to enter the IP address and template name (tsol) of the subnet into the tnrhdb(4) database.
For example, enter a subnet address, such as 129.150.110.0, and tsol. See "To Edit the Tnrhdb Database" if you are unsure of the steps.
Enter the IP address and host type of the static router(s).
A client with one defaultrouter would have three entries in its tnrhdb:
Exit the Database Manager to inform the kernel of the network change.
Skip this procedure if the client specified NIS+ during network install.
As root, at label admin_low, check to see that you can ping the NIS+ master.
# ping your-master
Check to see that you can rup the NIS+ master.
# rup your-master
If the rup(1) command succeeds, you may proceed. If it fails, debug your network setup until the rup command succeeds.
These NIS+ client files must be compatible with the NIS+ master files:
/etc/security/tsol/label_encodings
/etc/security/tsol/tnrhtp
The client's local tnrhdb(4) file must have the IP address and host type of the NIS+ master (or the IP address and host type of the subnet), the client's static routers, and the client.
In addition, the client's address and name, the NIS+ master's name and address, and the static routers' names and addresses must be in the local hosts database.
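The checks from the last two procedures (master's copies identical on the client, master, routers and client present in tnrhdb and hosts, master answering ping and rup) gathered into one script. This is an added example, not part of the Trusted Solaris documentation; it assumes the master's copies are in /export/clientfiles, that tnrhdb lines have the form address:template (as in 129.150.110.0:tsol), and that hosts lines have the form address hostname.

```shell
#!/bin/sh
# Consistency check for a Trusted Solaris NIS+ client before nisclient(1M) is run.
# Added example, not from the Trusted Solaris documentation. Assumptions:
#   - the master's copies were put in $CLIENTFILES (this chapter uses /export/clientfiles)
#   - tnrhdb lines have the form "address:template" (for example 129.150.110.0:tsol)
#   - the hosts file has the form "address hostname [aliases...]"
CLIENTFILES=${CLIENTFILES:-/export/clientfiles}
TSOL=${TSOL:-/etc/security/tsol}

# file_matches_master NAME: 0 if $TSOL/NAME is byte-identical to the master's copy
file_matches_master() {
    cmp -s "$CLIENTFILES/$1" "$TSOL/$1"
}

# tnrhdb_has DBFILE ADDR: 0 if ADDR (a host or subnet address) has a template entry
tnrhdb_has() {
    grep -q "^$(printf '%s' "$2" | sed 's/\./\\./g'):" "$1"
}

# hosts_has HOSTSFILE NAME: 0 if NAME is a hostname or alias on a non-comment line
hosts_has() {
    awk -v n="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) f = 1 } END { exit !f }' "$1"
}

# client_ready DBFILE HOSTSFILE ADDR:NAME ...
# Give the master, the client and every static router as ADDR:NAME. Each one needs a
# hosts entry and a tnrhdb entry; a subnet entry (last octet 0) covering it also counts.
# Prints each missing item and returns the number of problems (0 means ready).
client_ready() {
    db=$1; hosts=$2; problems=0
    shift 2
    for entry in "$@"; do
        addr=${entry%%:*}; name=${entry#*:}; subnet=${addr%.*}.0
        if ! tnrhdb_has "$db" "$addr" && ! tnrhdb_has "$db" "$subnet"; then
            echo "tnrhdb: no template entry for $addr or subnet $subnet ($name)"
            problems=$((problems + 1))
        fi
        if ! hosts_has "$hosts" "$name"; then
            echo "hosts: no entry for $name"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# master_reachable HOSTNAME: 0 if the chapter's ping and rup checks both succeed
master_reachable() {
    ping "$1" >/dev/null 2>&1 && rup "$1" >/dev/null 2>&1
}
```

Run file_matches_master for label_encodings and tnrhtp, then client_ready and master_reachable; only proceed to the Create NIS+ Client action when all return 0.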
Skip this procedure if the client specified NIS+ during network install.
As root, at label admin_low, add the workstation as a NIS+ client using the Create NIS+ Client action in the System_Admin folder.
See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.
Enter the NIS+ domain name and hostname of the root master. For example:
Domain Name: aviary.eco.org.
Hostname of NIS+ Master: grebe
There is a period at the end of the domain name.
Answer the prompts (y, your-master's-ip-address, nisplus, rootpassword).
You can ignore diagnostics printing out that certain files and directories cannot be located. The files and directories will be created.
Do not reboot when the nisclient(1M) script prints out:
Once initialization is done, you will need to reboot your machine.
You will reboot after setting up DNS. If you are configuring the home directory server, you will reboot after sharing the home directories.
If you are using DNS to contact hosts outside of your domain, or if you have altered the resolv.conf and nsswitch.conf files on the NIS+ master, set up DNS before rebooting.
As root, at label admin_low, set up the DNS nameservers and the name service switch by copying the files resolv.conf and nsswitch.conf from /export/clientfiles to the /etc directory.
Make a copy of the original file and use the File Manager, as described for the tnrhtp database in Step 1.
If this client is the home directory server, share home directories.
If you are unsure of the steps, see "How to Share a File System".
Skip this procedure if the client was installed over the network.
Shut down the workstation from the TP (Trusted Path) menu.
If you are unfamiliar with rebooting a Trusted Solaris workstation, see "To Reboot the Workstation".
Skip this procedure if the client was installed over the network.
If you are configuring the home directory server and have not yet added users who can assume administrative roles, return to "Add Users to be Administrators".
If you are configuring a site that satisfies criteria for an evaluated configuration, read "Understand Your Site's Security Policy."
The secadmin administrative role handles auditing and security attributes on file systems.
To configure or to disable auditing, see Trusted Solaris Audit Administration.
To ensure that every workstation and user is audited identically, as root at label admin_low, copy the NIS+ root master's /etc/security/audit* configuration files to each workstation (see "Copy Configuration Files from the NIS+ Master") and enter the correct dir: entries as described in Trusted Solaris Audit Administration.
To set security attributes on an unlabeled file system, see "How to Set the Label on an Unlabeled File System".
The admin administrative role handles file system management, and user account creation and deletion.
To share a file system, see "How to Share a File System".
To mount a file system, labeled or unlabeled, see "How to Mount a File System".
To delete the install user, see "To Delete a Local User" if you have not deleted a local user in the Trusted Solaris environment before.