Trusted Solaris Installation and Configuration

Set Up the NIS Domain on the Master Server

Setting up the NIS domain on the NIS master server starts the processes that enable the Trusted Solaris NIS clients to reach the server. Several NIS files have been created or modified to hold Trusted Solaris data about label configuration, users, roles, execution profiles, and remote hosts.

For fuller descriptions of NIS setup and administration, see

Set Up the Staging Area

  1. As root, create a staging area for files you plan to use to populate the NIS files.

    You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.


    # mkdir -p /setup/files/security/tsol
    

  2. Copy the sample /etc files into the /setup/files directory of the staging area.

    Most of the files you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the NIS databases are created all at once. If you choose not to create these files, you can create them later, but the ypinit(1M) command may print out a few warning messages.


    # cd /etc
    # touch bootparams ethers netgroup netmasks timezone
    
    # cp bootparams ethers netgroup netmasks timezone \
    aliases auto_home auto_master group hosts networks \
    protocols publickey rpc services /setup/files
    
    # cd /etc/inet
    # cp ipnodes /setup/files
    

  3. Create empty files in the /setup/files directory of the staging area for files whose contents should not be distributed.


    # cd /setup/files
    # touch passwd shadow user_attr
    

    All entries in the passwd, shadow, and user_attr files on a newly-installed system are users who should be restricted to local access. The name service will create empty databases from the empty files, and will not print spurious warning messages.

  4. Copy the *attr files from the /etc/security directory into the /setup/files/security directory of the staging area.


    # cd /setup/files/security
    # cp /etc/security/*attr /setup/files/security
    

  5. Add an empty audit_user file to the /setup/files/security directory and count the files in the directory.


    # pwd
    /setup/files/security
    # touch audit_user
    # ls -F /setup/files/security | grep -v "/" | wc -l
    4

  6. Copy the tnrhdb and tnrhtp files from the /etc/security/tsol directory into the /setup/files/security/tsol directory of the staging area. List and count the files.


    # cd /setup/files/security/tsol
    # cp /etc/security/tsol/tnrh* .
    # ls ; ls | wc -l
    tnrhdb tnrhtp
           2

  7. Check that a total of 25 files are now in your staging area.

    There are 4 in the security directory, 2 in the tsol directory, and 19 in the files directory.


    # cd /setup/files
    # ls -F /setup/files | grep -v "/" | wc -l
          19

  8. Edit the hosts file in your staging area.

    1. Open the Admin Editor and enter /setup/files/hosts for editing.

      The file already contains the NIS master server (that is, this host's address) and the static routers, if any.

    2. Add every workstation that will be in the Trusted Solaris 8 domain.

      There is no wildcard mechanism here. The IP address of every workstation to be contacted must be in this file.


      Caution -

      Failure to include a workstation will cause client connection to fail.


    3. Add every other workstation with which the domain can communicate.

    4. Use the :wq! command to write the file and exit the editor.

    There is enough information in your staging area to convert your host to a NIS master.


    Caution -

    If you have edited any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS maps. Failure to do so can result in the inability to further administer or use the system.
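A pre-flight check for the staging area built in steps 1 through 8, as an added example that is not part of the original guide: it compares the three file counts with the totals from step 7 and confirms that passwd, shadow, and user_attr are still empty, so that local-only accounts are not pushed into the NIS maps. The function names and the constructed sample tree (including the auth_attr, exec_attr, and prof_attr file names) are assumptions made for illustration.

```shell
# count_files DIR: non-directory entries in DIR, the same test as `ls -F | grep -v "/"`.
count_files() {
    ls -F "$1" 2>/dev/null | grep -v '/' | wc -l | tr -d ' '
}

# check_staging [STAGE]: print every problem found; return 0 only when there are none.
check_staging() {
    stage=${1:-/setup/files}
    rc=0
    # Counts from step 7: 19 + 4 + 2 = 25 files.
    for pair in "$stage:19" "$stage/security:4" "$stage/security/tsol:2"; do
        dir=${pair%:*}; want=${pair##*:}
        got=$(count_files "$dir")
        if [ "$got" != "$want" ]; then
            echo "COUNT $dir: expected $want, found $got"
            rc=1
        fi
    done
    # Step 3: these stay empty so local-only accounts never reach the NIS maps.
    for f in passwd shadow user_attr; do
        if [ ! -f "$stage/$f" ] || [ -s "$stage/$f" ]; then
            echo "EXPECTED-EMPTY $stage/$f"
            rc=1
        fi
    done
    # Steps 5 and 6: files that must exist before the maps are built.
    for f in security/audit_user security/tsol/tnrhdb security/tsol/tnrhtp; do
        if [ ! -f "$stage/$f" ]; then
            echo "MISSING $stage/$f"
            rc=1
        fi
    done
    return $rc
}

# make_constructed_stage DIR: constructed sample tree (assumed *_attr names), steps 1-6 layout.
make_constructed_stage() {
    mkdir -p "$1/security/tsol"
    for f in bootparams ethers netgroup netmasks timezone aliases auto_home auto_master \
        group hosts networks protocols publickey rpc services ipnodes \
        security/auth_attr security/exec_attr security/prof_attr \
        security/tsol/tnrhdb security/tsol/tnrhtp; do
        echo "# constructed" > "$1/$f"
    done
    for f in passwd shadow user_attr security/audit_user; do : > "$1/$f"; done
}

demo=$(mktemp -d) && make_constructed_stage "$demo" && check_staging "$demo" && echo "staging area OK"
rm -rf "$demo"
```

On the NIS master, `check_staging /setup/files` run as root before creating the maps reports each deviation on its own line.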


Modify the /var/yp/Makefile

The /var/yp/Makefile file must be modified to point to the staging area and its subdirectories.

  1. Edit the /var/yp/Makefile in the Admin Editor.

  2. Change three variables, PWDIR, DIR, and INETDIR, to point to /setup/files.

  3. Change the RBACDIR variable to point to the $(DIR)/security directory.

  4. Change all four instances of $(DIR)/tnrhtp in the tnrhtp.time: target to $(DIR)/security/tsol/tnrhtp, as shown in the following lines:


       tnrhtp.time:  $(DIR)/security/tsol/tnrhtp
          -@if [ -f $(DIR)/security/tsol/tnrhtp ]; then \
                  sed -e "/^#/d" -e s/#.*$$// $(DIR)/security/tsol/tnrhtp \
                  ...
                  echo "couldn't find $(DIR)/security/tsol/tnrhtp"; \


    Note -

    Do not do a global replace. There are lines at the end of the Makefile that should not be changed.


  5. Change all four instances of $(DIR)/tnrhdb in the tnrhdb.time: target to $(DIR)/security/tsol/tnrhdb, as shown in the following lines:


       tnrhdb.time:  $(DIR)/security/tsol/tnrhdb
         -@if [ -f $(DIR)/security/tsol/tnrhdb ]; then \
                 sed -e "/^#/d" -e s/#.*$$// $(DIR)/security/tsol/tnrhdb \
                 ...
                 echo "couldn't find $(DIR)/security/tsol/tnrhdb"; \


    Note -

    Do not do a global replace. There are lines at the end of the Makefile that should not be changed.
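A check for the Makefile edits in steps 2 through 5, as an added example that is not part of the original guide: it reads the four variables, counts the new tnrhtp and tnrhdb paths inside each target, and flags a global replace by counting the same path across the whole file. The function names are hypothetical, and the check assumes that a rule is the target line plus the indented lines after it and that the new path appears nowhere outside its target.

```shell
# makefile_var FILE NAME: value assigned to NAME (whitespace around "=" ignored).
makefile_var() {
    awk -v n="$2" -F= '$1 ~ ("^" n "[ \t]*$") {
        v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }' "$1"
}

# refs FILE PATH [TARGET]: occurrences of the literal PATH in FILE, or only inside
# TARGET's rule (the "TARGET:" line plus the indented lines after it) when given.
refs() {
    awk -v p="$2" -v t="$3" '
        function hits(s,  c, i) {
            c = 0
            while ((i = index(s, p)) > 0) { c++; s = substr(s, i + length(p)) }
            return c
        }
        t == ""               { n += hits($0); next }
        index($0, t ":") == 1 { in_rule = 1; n += hits($0); next }
        in_rule && /^[ \t]/   { n += hits($0); next }
                              { in_rule = 0 }
        END { print n + 0 }' "$1"
}

# check_makefile FILE: print each deviation from steps 2-5; return 0 only when none.
check_makefile() {
    mk=$1; rc=0
    for v in PWDIR DIR INETDIR; do
        [ "$(makefile_var "$mk" $v)" = /setup/files ] || { echo "VAR $v"; rc=1; }
    done
    [ "$(makefile_var "$mk" RBACDIR)" = '$(DIR)/security' ] || { echo "VAR RBACDIR"; rc=1; }
    for m in tnrhtp tnrhdb; do
        new='$(DIR)/security/tsol/'$m
        [ "$(refs "$mk" "$new" $m.time)" = 4 ] || { echo "TARGET $m.time: need 4 new paths"; rc=1; }
        [ "$(refs "$mk" '$(DIR)/'$m $m.time)" = 0 ] || { echo "TARGET $m.time: old path left"; rc=1; }
        # More than four in the whole file means lines outside the target were edited.
        [ "$(refs "$mk" "$new")" = 4 ] || { echo "GLOBAL $m: path changed outside target"; rc=1; }
    done
    return $rc
}

# Check the live file when run on the NIS master; does nothing elsewhere.
if [ -f /var/yp/Makefile ]; then check_makefile /var/yp/Makefile || true; fi
```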


Create NIS Maps from the Staging Area

  1. Double-click the Create NIS Server action in the System_Admin folder.

    See "To Run a Script from the System_Admin Folder" if you are unfamiliar with using trusted actions.

  2. Enter your NIS domain name.

    For example,


    Domain Name: aviary.eco.org
    

    This action creates the domain name, establishes this workstation as the NIS master server, and copies the /etc/nsswitch.nis file over /etc/nsswitch.conf.

  3. When prompted for other NIS servers, enter their host names one by one.

    For example,


    Host: tern
    

  4. Follow the instructions for ending the prompts.

    The action creates NIS maps from the /setup/files directory. It uses your modified /var/yp/Makefile to create the /var/yp/NIS_maps.

  5. Do not reboot your system yet.