Trusted Solaris Installation and Configuration

Chapter 5 Configuring a Name Service Master

This chapter covers how to configure the name service server and the home directory server at a networked site.


Note -

Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.


Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the computer, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

Name Service Master Configuration Tasks

The first system installed on a network has special status. It must be installed interactively from the CD-ROM, and it must be configured as the name service master.

If you are configuring a site that satisfies criteria for an evaluated configuration, please read "Understanding Your Site's Security Policy".

The procedures are listed in order. Depending on your site configuration, some procedures can be omitted.

| Task | Description |
| --- | --- |
| "Logging In and Launching a Terminal" to "Protecting the Machine" | Covers how to protect the hardware, set up the labels, and initialize the administration tools. |
| "(Optional) Configuring Routing" | Covers how to set up static routing. |
| "Configuring the Network" | Covers how to specify all hosts that can communicate with the system. |
| "Setting Up the Name Server and Domain" | Covers how to set up the name service. |
| "Setting Up Critical Servers" | Covers how to create a separate home directory server. |
| "Creating Roles and Users" | Covers how to create administrative roles and users to assume those roles. |
| "Verifying That Roles Work" | Covers how to test that the roles are effective. |
| "Finishing Up Configuration" | Covers how to share and mount file systems, and how to delete the install user. Points you to auditing and further setup information. |

Initial Configuration

Initially Configure the Machine
  1. Do the following procedures in "No Name Service Configuration Tasks", then return to this chapter.

(Optional) Configuring Routing

If you configure the name service master to use static routing, you must configure the clients to use the same routing method.

Set up static routing only if the security administrator has planned for an open network and you do not plan to use dynamic routing. Dynamic routing is the default, and requires no setup.

See "Administering Trusted Networking" in Trusted Solaris Administration Overview for more information.

For static routing, do one of "Set Up Simple Static Routing" or "Set up Static Routing Using Extended Metrics".

Set Up Simple Static Routing

For small networks, an /etc/defaultrouter file provides a simple routing method.

  1. Double-click the Set Default Routes action in the System_Admin folder.

    See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

    An empty /etc/defaultrouter file appears in the trusted editor.

  2. Enter the name or the IP address of the default router. If there is more than one, enter them all, one per line, and then save the file.

    For example, if the hosts trustworthy and forwardho are routers, enter them, one per line:


    trustworthy
    forwardho
    

Set up Static Routing Using Extended Metrics

If your host or site accesses a complex network of gateways, the /etc/tsolgateways file offers more routing options. See the tsolgateways(4) man page for examples.

  1. Double-click the Set TSOL Gateways action in the System_Admin folder.

    See "To Open a File that has a Defined Action" if you are unfamiliar with using trusted actions.

    An empty /etc/tsolgateways file appears in the trusted editor.

  2. Enter the IP address of the subnet, the name of the gateway and its metric. Repeat for every gateway and save the file.

    For example, if the hosts trustworthy and forwardho are gateways:


    192.168.15.0 trustworthy 1
    192.168.8.0 forwardho 2
    

    Note -

    If the system has an /etc/defaultrouter file and an /etc/tsolgateways file, only the /etc/tsolgateways file is used for routing decisions.


Configuring the Network

Add Hosts to a Machine's Known Network
  1. In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.


    # smc
    

  2. Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.

    See Figure 9-1 for what tools should display in the Navigation pane.

  3. Display the computers known to this host by clicking Trusted Solaris Configuration, then clicking Computers and Networks.

  4. Provide a password if prompted, then double-click Computers.


    Note -

    If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".


    This computer should already be in the database. You should add the following hosts:

    1. Name service master, if any.

    2. Static routers, if any.

    3. Audit servers for this host.

  5. Add every host that this computer may contact during boot by choosing Add Computer from the Action menu.

    1. Click Apply to add each host.

    2. Click OK when the entries are complete.

(Optional) Remove the 0.0.0.0 Network

The network wildcard 0.0.0.0 may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.

    Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.

Add a Remote Host Template

If you used the Trusted Solaris label_encodings file, you can skip this step.

If this host is going to contact unlabeled hosts, the tnrhtp file must have an appropriate unlabeled template for those unlabeled hosts. See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

The tnrhtp(4) file installed by the Trusted Solaris installation program contains examples of templates that match the label_encodings(4) file installed during Trusted Solaris installation. If you installed a site-specific label_encodings file, it is highly likely that the existing tnrhtp templates will not work with your file.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

    The existing templates are displayed in the View pane.


    Caution -

    Sites that install a site-specific label_encodings file must create templates that reflect the labels of machines and networks that the Trusted Solaris network can contact.


    You should have templates for:

    1. The Trusted Solaris hosts that this machine can contact.

    2. Any unlabeled hosts/networks that this machine can contact.

  2. To create a single-label template to assign to unlabeled hosts, choose Add Template from the Action menu.

    Consult the online help as you create the template.

    1. In the Basic Information tab, create a template named unlab_min-user-label, of host type Unlabeled, with an ADMIN_HIGH clearance and a process label of min-user-label.

      The default clearance must dominate the default label. The label ADMIN_HIGH dominates all labels.

    2. Click OK when the template is complete.

  3. Create any other templates your site needs before continuing.

Assign a Template to a Remote Host

The trusted network remote host database, tnrhdb, enables this host to communicate with remote hosts. The tnrhdb(4) man page describes the format of the entries, and suggests how to minimize the number of entries required.

Assign a remote host template to every host or network that this machine may contact. Include every host in the /etc/hosts file.

See Table 1-3 in "Additional Planning for Open Networks" for host types and their associated templates provided by Trusted Solaris software.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Solaris Management Console.

  2. Double-click the Trusted Solaris security family, tsol.

  3. Choose Add Host(s) from the Action menu.

  4. In the Add Host(s) dialog box, click Add Wildcard to assign this template to all hosts on your Trusted Solaris subnet.

    1. Enter the subnet IP address and choose the template name.

      For example, enter 192.168.10.0 and tsol. The final zero signifies a subnet address; all hosts on that subnet are recognized as tsol hosts.


      Note -

      The number zero (0) is the wildcard. Do not use a star (*).


    2. Click OK.

  5. Choose Add Host(s) from the Action menu and click Add Host in the Add Host(s) dialog box to enter any exceptions to the subnet template assignment. Click OK to end the entry.

    For example, enter 192.168.10.3 and unlab_min-user-label. This host on the subnet is an unlabeled host, an exception to the tsol wildcard entry.

  6. Choose Add Host(s) from the Action menu and click Add Host to enter the IP address of every host in your /etc/defaultrouter or /etc/tsolgateways file, and assign to each an appropriate template name. Click OK to end each entry.

  7. Enter the details of other subnets and hosts.

    1. Enter the wildcard designation of each subnet and choose its appropriate template by choosing Add Host(s) -> Choose Wildcard.

    2. Individually assign a different template to any host that is an exception to its subnet's assigned template by choosing Add Host(s) -> Choose Host.

      Use the details provided by your system administrator, then choose the appropriate template name from the menu.

  8. Open a terminal to reload and verify the updated tnrhdb database.


    # tnctl -H /etc/security/tsol/tnrhdb
    # tninfo -h
    

Trusted Network Summary

The tnrhdb database must have an IP address and template name for every host or subnet that the hosts in the Trusted Solaris domain can communicate with:

  1. The master server (that is, this host)

  2. Every client that will be in the Trusted Solaris domain, or the wildcard address of its subnet, nnn.nnn.nnn.0

  3. Every static router (open network only)

  4. Every other host with which the domain can communicate, or a wildcard address for its subnet (open network only)
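
The coverage rule in this summary can be checked before the reboot. The following script is an added example, not part of the Trusted Solaris documentation: it resolves every IPv4 address in a hosts file against a tnrhdb file and flags hosts that have no entry or that match only the 0.0.0.0 wildcard. It assumes the IP_address:template_name entry form from tnrhdb(4) and a most-specific-first lookup (exact address, then a.b.c.0, a.b.0.0, a.0.0.0, 0.0.0.0); the sample files, the host names labelless and remotehost, the template on the 0.0.0.0 line, and every address other than 192.168.10.0 and 192.168.10.3 are constructed.

```shell
#!/bin/sh
# Added example: check that every host in a hosts file is covered by tnrhdb.
# Assumptions: tnrhdb entries look like IP_address:template_name, and lookup
# is most specific first: exact address, a.b.c.0, a.b.0.0, a.0.0.0, 0.0.0.0.

# tnrhdb_lookup IP TNRHDB_FILE
# Prints "matched_entry template_name", or nothing when no entry applies.
tnrhdb_lookup() {
    awk -F: -v ip="$1" '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments, blanks, malformed
        { tmpl[$1] = $2 }
        END {
            split(ip, o, ".")
            cand[1] = ip
            cand[2] = o[1] "." o[2] "." o[3] ".0"
            cand[3] = o[1] "." o[2] ".0.0"
            cand[4] = o[1] ".0.0.0"
            cand[5] = "0.0.0.0"
            for (i = 1; i <= 5; i++)
                if (cand[i] in tmpl) { print cand[i], tmpl[cand[i]]; exit }
        }' "$2"
}

# tnrhdb_audit HOSTS_FILE TNRHDB_FILE
# Prints "ip name status entry template" for each IPv4 host.
# Returns 1 if any host is UNCOVERED or is matched only by 0.0.0.0.
tnrhdb_audit() {
    hosts_file=$1
    db_file=$2
    rc=0
    while read -r ip name _rest; do
        case "$ip" in ''|'#'*|*:*) continue ;; esac   # blanks, comments, IPv6
        match=$(tnrhdb_lookup "$ip" "$db_file")
        entry=${match%% *}
        tmpl=${match#* }
        if [ -z "$match" ]; then
            echo "$ip $name UNCOVERED - -"; rc=1
        elif [ "$entry" = "0.0.0.0" ]; then
            echo "$ip $name OPEN-WILDCARD $entry $tmpl"; rc=1
        elif [ "$entry" = "$ip" ]; then
            echo "$ip $name HOST $entry $tmpl"
        else
            echo "$ip $name SUBNET $entry $tmpl"
        fi
    done < "$hosts_file"
    return $rc
}

# make_sample DIR: writes constructed tnrhdb and hosts files into DIR.
make_sample() {
    cat > "$1/tnrhdb" <<'EOF'
# constructed sample, not a shipped tnrhdb
127.0.0.1:tsol
192.168.10.0:tsol
192.168.10.3:unlab_min-user-label
0.0.0.0:tsol
EOF
    cat > "$1/hosts" <<'EOF'
# constructed sample
127.0.0.1 localhost
192.168.10.2 eagle
192.168.10.3 labelless
192.168.10.7 tern
192.168.8.21 remotehost
EOF
}

# Demo: remotehost is reachable only through the 0.0.0.0 wildcard entry.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
tnrhdb_audit "$demo_dir/hosts" "$demo_dir/tnrhdb" ||
    echo "review the UNCOVERED and OPEN-WILDCARD lines above"
rm -rf "$demo_dir"
```

Run against copies of the real files, any OPEN-WILDCARD line marks a host that will become unreachable once the 0.0.0.0 entry is replaced, unless it is given its own host or subnet entry first.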

Setting Up the Name Server and Domain

Setting up the name service master sets up the name service domain for the Trusted Solaris clients. Several name service databases have been created or modified to hold Trusted Solaris data about label configuration, users, and remote hosts.

Set Up Files to be Name Service Databases
  1. As root, create a staging area for files you plan to use to populate the name service databases.

    You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.


    # mkdir -p /setup/files
    

  2. Copy the sample /etc files into the staging area.

    Most of the files that you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the name service databases are created all at once. If you choose not to create these files, you can create them later, but a few warning messages may print out.


    # cd /etc
    # touch bootparams ethers netgroup netmasks timezone
    # cp bootparams ethers netgroup netmasks timezone \
    aliases auto_home auto_master group hosts networks \
    protocols publickey rpc services /setup/files
    # cd security
    # cp auth_attr prof_attr exec_attr /setup/files/
    # cd /etc/security/tsol
    # cp tnrhdb tnrhtp /setup/files
    # cd /etc/inet
    # cp ipnodes /setup/files
    

  3. Create empty files in the staging area of files whose contents should not be distributed.


    # cd /setup/files
    # touch audit_user passwd shadow user_attr
    

    All entries in the passwd, shadow, and user_attr files on a newly-installed system are local users who should be restricted to local access. The name service will create empty databases from the empty files, and will not print spurious warning messages.

  4. Check that all the files are now in your staging area. There are 25.


    # ls | wc -l
         25

  5. Edit the hosts file in your staging area.

    1. Open the Admin Editor and enter /setup/files/hosts for editing.

      The file already contains the name service master (that is, this host's address) and the static routers, if any.

    2. Add every system that will be in the Trusted Solaris domain.

      There is no wildcard mechanism here. The IP address of every host to be contacted must be in this file.


      Caution -

      Failure to include a host will cause client authentication to fail because the NIS+ client will have no credentials.


    3. Add every other host with which the domain can communicate.

    4. Use the :wq! command to write the file and exit the editor.

    There is enough information in your staging area to convert your host to a name service master.


    Caution -

    If you have edited any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS+ tables. Failure to do so can result in the inability to further administer or use the system.
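
The file count in step 4 confirms only that 25 names exist. The following check is an added example, not a Trusted Solaris tool: using the file names from steps 2 and 3, it confirms that each required file is present, that nothing unexpected is in the staging area, and that audit_user, passwd, shadow, and user_attr are empty so that local account data is not published. The demo directory and its contents are constructed.

```shell
#!/bin/sh
# Added example: verify the staging area before the name service is populated.
# File names come from the procedure above; the check itself is not part of
# Trusted Solaris.

STAGED_FILES="bootparams ethers netgroup netmasks timezone
aliases auto_home auto_master group hosts networks protocols publickey rpc
services auth_attr prof_attr exec_attr tnrhdb tnrhtp ipnodes
audit_user passwd shadow user_attr"

# Files whose local contents must not reach the name service.
MUST_BE_EMPTY="audit_user passwd shadow user_attr"

# check_staging DIR
# Prints one line per problem; returns 0 only when the area is clean.
check_staging() {
    dir=$1
    problems=0

    for f in $STAGED_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "MISSING    $f"
            problems=$((problems + 1))
        fi
    done

    for f in $MUST_BE_EMPTY; do
        if [ -s "$dir/$f" ]; then
            echo "NOT-EMPTY  $f"
            problems=$((problems + 1))
        fi
    done

    # A stray file can make "ls | wc -l" print 25 while a required one is absent.
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        case " $(echo $STAGED_FILES) " in
            *" $name "*) ;;
            *) echo "UNEXPECTED $name"; problems=$((problems + 1)) ;;
        esac
    done

    [ "$problems" -eq 0 ]
}

# Demo on a constructed staging area that still counts 25 files:
# netmasks is absent, hosts.bak is a leftover, and shadow was copied, not emptied.
demo=$(mktemp -d)
for f in $STAGED_FILES; do : > "$demo/$f"; done
rm "$demo/netmasks"
: > "$demo/hosts.bak"
echo 'install:CONSTRUCTED-HASH:11000::::::' > "$demo/shadow"
echo "files in staging area: $(ls "$demo" | wc -l)"
check_staging "$demo" || echo "staging area needs attention"
rm -rf "$demo"
```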


Modify the /var/yp/Makefile (NIS domains only)

The /var/yp/Makefile file must be modified to point to the staging area and its subdirectories.

  1. Edit the /var/yp/Makefile in the Admin Editor.

  2. Change four variables: PWDIR, DIR, INETDIR, and RBACDIR, to point to the /setup/files directory.

  3. To ensure that the NIS master server stores its mail aliases in a NIS map, change the line in the /var/yp/Makefile file that begins with ALIASES to point to the NIS map.

    The name is in the format ALIASES = /var/yp/mail-server.NIS-domain-name/mail.aliases. For example,


    ALIASES = /var/yp/pigeon.aviary.example.org/mail.aliases

    The /etc/mail/aliases file remains available for mail aliases specific to the NIS master server.

Create NIS Maps from the Staging Area (NIS domains only)
  1. Double-click the Create NIS Server action in the System_Admin folder.

  2. Enter your NIS domain name.

    For example,


    Domain Name: aviary.example.org
    

    This action creates the domain name, establishes this host as the NIS master server, and copies the /etc/nsswitch.nis file over /etc/nsswitch.conf.

  3. When prompted for other NIS servers, enter their host names one by one.

    For example,


    Host: tern
    

  4. Follow the instructions for ending the prompts.

    The action creates NIS maps from the /setup/files directory. It uses your modified /var/yp/Makefile to create the /var/yp/NIS_maps.

  5. Do not reboot your system yet.

Create NIS+ Tables from the Staging Area (NIS+ domains only)
  1. Double-click the Create NIS+ server action in the System_Admin folder.

  2. Enter your NIS+ domain name.

    This host will be the root master. For example,


    Domain Name: aviary.example.org.
    

    There is a period at the end of the domain name.

  3. Answer the prompts (y, y, rootpassword).

    You can ignore diagnostics printing out that the file /etc/defaultdomain cannot be located. The file will be created.

  4. In the /setup/files directory, make sure that you have added all NIS+ clients to the hosts file.


    # cd /setup/files
    # more hosts
    

  5. Populate the standard NIS+ databases from the /setup/files directory by running the Populate NIS+ Tables action in the System_Admin folder.

  6. Enter your staging area when prompted.


    Populate from which directory? /setup/files
    
  7. Answer the prompts (y, y).


    ...
    Is this information correct? y
    ...
    Do you want to continue? y
    
  8. Load any additional NIS+ tables you may have backed up, such as auto_home.

    Procedures vary depending on the format of the backup and on what types of NIS+ tables they are. Refer to the Solaris Naming Setup and Configuration Guide for details of how to load your tables.

  9. Do not reboot your system yet.

Edit SMC Toolbox Definitions for the Name Service

If you are running a name service, you must edit two files: the tsol_smc.tbx, and the name service toolbox. These files must be edited on the name service master before it can be used on the domain.

  1. In the root role at the label ADMIN_LOW, list the toolbox directory.


    # cd /var/sadm/smc/toolboxes
    # ls tsol*/*tbx
    tsol_files/tsol_files.tbx        tsol_nis/tsol_nis.tbx
    tsol_smc/tsol_smc.tbx            tsol_nisplus/tsol_nisplus.tbx

    • If you are running the NIS+ name service, your toolbox files are tsol_smc/tsol_smc.tbx and tsol_nisplus/tsol_nisplus.tbx.

    • If you are running the NIS name service, your toolbox files are tsol_smc/tsol_smc.tbx and tsol_nis/tsol_nis.tbx.

  2. Open the Admin Editor from the System_Admin folder.

  3. Copy and paste the full pathname to the tsol_smc.tbx toolbox into the dialog box, as in:


    /var/sadm/smc/toolboxes/tsol_smc/tsol_smc.tbx

  4. Find your name service toolbox name in the file, and replace the Scope line with the name of the master and the name of the domain.

    For example, change


    <ToolBoxURL>
        <URL>../tsol_nisplus/tsol_nisplus.tbx</URL>
        <Scope>nisplus:/<?server?>/<?server?></Scope>
    </ToolBoxURL>

    To:


    <ToolBoxURL>
        <URL>../tsol_nisplus/tsol_nisplus.tbx</URL>
        <Scope>nisplus:/eagle/aviary.example.org</Scope>
    </ToolBoxURL>

  5. Save (:wq!) and close the file.

  6. Edit the name service toolbox in the Admin Editor.


    Example 5-1 NIS Toolbox


    /var/sadm/smc/toolboxes/tsol_nis/tsol_nis.tbx


    Example 5-2 NIS+ Toolbox


    /var/sadm/smc/toolboxes/tsol_nisplus/tsol_nisplus.tbx

  7. In the editor, in the line beginning with <Scope>, replace the first instance of <?server ?> with the name service master, and the second with the fully-qualified domain name.


    Example 5-3 NIS <Scope>


    <Scope>nis:/eagle/example.org</Scope>


    Example 5-4 NIS+ <Scope>


    <Scope>nisplus:/eagle/aviary.example.org</Scope>

  8. Replace every other instance of <?server?> or <?server ?> with the name service master, as in:


    Example 5-5 NIS <?server?>


    <Name>  eagle: Scope=NIS, Policy=TSOL</Name>
    services and configuration of eagle.</Description>
    and configuring eagle.</Description>
    <ServerName>eagle</ServerName>
    <ServerName>eagle</ServerName>


    Example 5-6 NIS+ <?server?>


    <Name>  eagle: Scope=NIS+, Policy=TSOL</Name>
    services and configuration of eagle.</Description>
    and configuring eagle.</Description>
    <ServerName>eagle</ServerName>
    <ServerName>eagle</ServerName>

  9. Write (:wq!) and quit the editor.

(Optional) Set Up DNS

Skip this procedure if the security administrator has planned a closed network. For detailed information about DNS, see the Solaris Naming Setup and Configuration Guide.

  1. If your system is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers by IP address, one per line.

    The file looks something like:


    nameserver nnn.nnn.nnn.nnn
    nameserver nnn.nnn.nnn.nnn
    
  2. Using the Name Service Switch action, change the hosts entry in the /etc/nsswitch.conf file to use DNS.


    Example 5-7 NIS nsswitch.conf File


    ~
    #hosts:    nis [NOTFOUND=return] files
    hosts:   nis files dns
    ~


    Example 5-8 NIS+ nsswitch.conf File


    ~
    #hosts:    nisplus [NOTFOUND=return] files
    hosts:   files nisplus dns
    ~

Reboot the Computer

    Shut down the system from the TP (Trusted Path) menu, and reboot it.

Name Service References

For fuller descriptions of name service setup and administration, and DNS, see

Setting Up Critical Servers

Two servers are critical to the successful creation of users and roles: the home directory server and the mail server. If the name service master also serves as the home directory and mail server, you can skip this step. Otherwise, install and configure the two critical servers, reboot them, and share them before adding roles and users.

Install and Configure the Home Directory and Mail Servers
  1. Install the system that will become the home directory server and the mail server by following the installation instructions in "Installing From a CD-ROM".

  2. Then configure each system to be a name service client (see "Client Configuration Tasks"), before making it a server. Return to configuring the name service master after completing "Sharing Critical File Systems".

  3. Then, create the administrative roles on the name service master as described in "Creating Roles and Users".


    Note -

    The administrative roles are created as network-visible accounts, not as local accounts. Their home directories are mounted from the home directory server.


Creating Roles and Users

The install team creates the administrative roles (other than root) to be used at the site. The team assigns each role its rights profiles. Initial rights profiles are provided on the installation CD-ROM.

Prerequisite: The name service, home directory, and mail server must be set up before you create the administrative roles secadmin, admin, and oper.


Note -

In previous releases, roles were local. In the Trusted Solaris 8 4/01 operating environment, every role except root can be distributed. The roles are created by the install team.


Create Domain-wide Roles and Users
  1. Create roles and users for the domain, following the procedures in "Creating Roles and Users" within the appropriate scope.

    • The appropriate scope for NIS domains is name-server: Scope=NIS, Policy=TSOL

    • The appropriate scope for NIS+ domains is name-server: Scope=NIS+, Policy=TSOL.

Add Roles to the NIS+ Admin Group (NIS+ domains only)
  1. Open the System_Admin folder in the Application Manager.

  2. Double-click the Add to NIS+ Administrative Group action.

  3. Add the admin role to the NIS+ admin group.

    Use your domain name with the format subdomain.domain.suffix.. For example:


    Group Name: admin
    Principal Name: admin.aviary.example.org.
    

    Note -

    Remember to type a period (.) at the end of the principal name.


  4. Double-click the Add to NIS+ Administrative Group action to add the secadmin role.

    For example:


    Group Name: admin
    Principal Name: secadmin.aviary.example.org.
    
  5. Double-click the Add to NIS+ Administrative Group action to add the primaryadmin role.

    For example:


    Group Name: admin
    Principal Name: primaryadmin.aviary.example.org.
    

Verifying That Roles Work

In the following tests, the appropriate scope for NIS domains is name-server: Scope=NIS, Policy=TSOL. The appropriate scope for NIS+ domains is name-server: Scope=NIS+, Policy=TSOL.

Log Out

    Log out by clicking the EXIT button on the Front Panel.

Verify that the Roles secadmin and admin Work
  1. For each role, log in as a user who can assume the role and assume it.

  2. In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.

  3. Provide the role password when prompted, then double-click User Accounts.

  4. Click a user.

    • The admin role should be able to modify fields under the tabs General, Home Directory, and Group.

    • The secadmin role should be able to modify fields under all tabs.

Verify that the Role primaryadmin Works
  1. Log in as a user who can assume the primaryadmin role and assume it.

  2. In the role workspace, open the Solaris Management Console, select the Trusted Solaris Management Console with the appropriate scope for your site, and click Users.

  3. Provide the role password when prompted, and double-click Rights.

  4. Create a new right by choosing Add Right from the Action menu.

  5. Save the new right, then delete it before continuing.

Finishing Up Configuration

Set Up Auditing

The security administrator is responsible for auditing decisions.

    Configure or disable auditing by doing one of the following two procedures:

    • Disable auditing if site security does not require auditing. To disable auditing in the Trusted Solaris environment, follow the procedures described in Trusted Solaris Audit Administration.

    • Configure auditing by following the procedures in Trusted Solaris Audit Administration. Every Trusted Solaris system should audit users and events identically.

Copy Configuration Files for Distribution to Clients
  1. As root at label ADMIN_LOW, create a directory that cannot be deleted between reboots.


    # mkdir /export/clientfiles
    

  2. Copy modified files to the /export/clientfiles directory.

    For example, most sites will want to copy the /var/sadm/smc/toolboxes/tsol_smc/tsol_smc.tbx and the /var/sadm/smc/toolboxes/tsol_nameservice/tsol_nameservice.tbx files to the client machines. A site that is using a modified tnrhtp file, DNS, and auditing might copy the files /etc/security/audit_control, /etc/security/audit_startup, /etc/security/tsol/tnrhtp, /etc/resolv.conf, and /etc/nsswitch.conf.

  3. Allocate a diskette at ADMIN_LOW, and transfer the files to it.

    Physically affix a label to the diskette that marks it as containing ADMIN_LOW information.

  4. Use this diskette, and your label_encodings diskette, labeled ADMIN_HIGH, when configuring your clients.

(Optional) Share File Systems

If a directory is being shared before the admin role is created, the install team performs the procedure in the root role.


Caution -

Do not use proprietary names for shared file systems. The names of shared file systems are visible to every user.


  1. In the admin role (or root, if the admin role does not exist), at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage, and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Shares.

  4. Choose Add Shared Directory from the Action menu.

  5. Follow the online help to share the directory.

    The tool shares the directory and starts the NFS daemons.

  6. To modify the attributes of the shared directory, double-click the Properties tab and use the online help to guide you.

(Optional) Mount File Systems

In the Trusted Solaris environment, unlabeled and labeled hosts can be mounted on a Trusted Solaris labeled host.


Caution -

Do not use proprietary names for mounted file systems. The names of mounted file systems are visible to every user.


  1. In the admin role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.

  2. Click Storage and provide a password if prompted.

  3. Double-click Mounts and Shares, and then double-click Mounts.

  4. Choose Add NFS Mount from the Action menu.

  5. Follow and answer the prompts to mount the file system.

    You are prompted to allow creation of the mount point if it does not exist. The tool adds an entry in the /etc/vfstab file, creates the mount point, and mounts the file system.

(Optional) Delete the User install

Caution -

Do not remove the user install until you are satisfied that the client systems can communicate with the name service master.


When a user is deleted from the system, the administrator must ensure that the user's home directory and any objects owned by that user are also deleted. As an alternative to deleting objects owned by the user, the administrator may change the ownership of these objects to another user who is defined on the system.

The administrator must also ensure that all batch jobs that are associated with the deleted user are also deleted. The administrator must ensure that there are no objects or processes belonging to a deleted user that remain on the system.


Note -

If you plan to use the tsolconvert utility, do not delete the install user until you have completed the required conversion steps on a Trusted Solaris 8 or Trusted Solaris 8 4/01 system. See "Saving and Restoring Trusted Solaris Databases" for more information on converting Trusted Solaris 7 to Trusted Solaris 8 4/01 databases.


  1. In the admin role at label ADMIN_LOW, in the Solaris Management Console, choose the this-host: Scope=Files, Policy=TSOL, and click Users.

  2. Provide a password if prompted, then double-click User Accounts.

    The user "install" is defined locally.

  3. Select the user to be deleted and click the Delete button.

    For the user install, you do not have mail files to delete. Other local users may have home directories and mail files to delete.

Other Setup

    See Trusted Solaris Administrator's Procedures for tasks such as handling mail, setting up printers, and protecting file systems.