Trusted Solaris Installation and Configuration

Setting Up the Name Server and Domain

Setting up the name service master sets up the name service domain for the Trusted Solaris clients. Several name service databases have been created or modified to hold Trusted Solaris data about label configuration, users, and remote hosts.

Set Up Files to be Name Service Databases
  1. As root, create a staging area for files you plan to use to populate the name service databases.

    You can place the staging area wherever you have enough space. Usually a few megabytes is more than enough room to store some files temporarily.


    # mkdir -p /setup/files
    

  2. Copy the sample /etc files into the staging area.

    Most of the files that you need already exist on the installed system and have enough data in them to get you started. The following files in the /etc directory are usually not found on a newly installed system: bootparams, ethers, netgroup, netmasks, and timezone. You can create these with an editor, load them from a backup diskette, or merely create empty versions of these files, so that the name service databases are created all at once. If you choose not to create these files, you can create them later, but a few warning messages may print out.


    # cd /etc
    # touch bootparams ethers netgroup netmasks timezone
    
    # cp bootparams ethers netgroup netmasks timezone \
    aliases auto_home auto_master group hosts networks \
    protocols publickey rpc services /setup/files
    
    # cd security
    # cp auth_attr prof_attr exec_attr /setup/files/
    # cd /etc/security/tsol
    # cp tnrhdb tnrhtp /setup/files
    # cd /etc/inet
    # cp ipnodes /setup/files
    

  3. Create empty files in the staging area of files whose contents should not be distributed.


    # cd /setup/files
    # touch audit_user passwd shadow user_attr
    

    All entries in the passwd, shadow, and user_attr files on a newly installed system are local users who should be restricted to local access. The name service will create empty databases from the empty files, and will not print spurious warning messages.

  4. Check that all the files are now in your staging area. There are 25.


    # ls | wc -l
         25

  5. Edit the hosts file in your staging area.

    1. Open the Admin Editor and enter /setup/files/hosts for editing.

      The file already contains the name service master (that is, this host's address) and the static routers, if any.

    2. Add every system that will be in the Trusted Solaris domain.

      There is no wildcard mechanism here. The IP address of every host to be contacted must be in this file.


      Caution -

      Failure to include a host will cause client authentication to fail because the NIS+ client will have no credentials.


    3. Add every other host with which the domain can communicate.

    4. Use the :wq! command to write the file and exit the editor.

    There is enough information in your staging area to convert your host to a name service master.


    Caution -

    If you have edited any files, you must be very careful to provide all of the information necessary in the correct formats before populating the NIS+ tables. Failure to do so can result in the inability to further administer or use the system.
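The checks below are an added example, not part of the Trusted Solaris guide. They take the staging directory as an argument (the guide's directory is /setup/files) so they can be tried on a constructed directory: check_staging confirms that all 25 files are present and that the four local-only files are empty, so local account data is never pushed into the domain, and check_hosts confirms that each planned client has an entry in the staging hosts file, which the caution above says a NIS+ client needs for its credentials. The function names, the sample host names and the 192.0.2.0/24 addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris guide): sanity checks to run on
# the staging area before NIS or NIS+ tables are populated from it.
# Functions take the staging directory as an argument so they can be tried on
# constructed data; in the guide the directory is /setup/files.

# The 25 files the guide expects to find in the staging area.
STAGING_FILES="bootparams ethers netgroup netmasks timezone aliases auto_home
auto_master group hosts networks protocols publickey rpc services
auth_attr prof_attr exec_attr tnrhdb tnrhtp ipnodes
audit_user passwd shadow user_attr"

# Files created empty on purpose: local accounts and their audit settings
# must stay local and never be distributed through the name service.
LOCAL_ONLY_FILES="audit_user passwd shadow user_attr"

# check_staging DIR: report missing files and non-empty local-only files.
# Returns 0 only when the staging area is complete and clean.
check_staging() {
    dir=$1
    rc=0
    for f in $STAGING_FILES; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"
            rc=1
        fi
    done
    for f in $LOCAL_ONLY_FILES; do
        if [ -s "$dir/$f" ]; then
            echo "must be empty (local users only): $f"
            rc=1
        fi
    done
    return $rc
}

# check_hosts DIR HOST...: every system that will join the domain needs an
# entry in DIR/hosts; a NIS+ client that is left out gets no credentials.
check_hosts() {
    dir=$1
    shift
    rc=0
    for h in "$@"; do
        # strip comments, then look for the name in the name/alias columns
        if ! sed 's/#.*//' "$dir/hosts" |
             awk -v h="$h" '{ for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
                            END { exit found ? 0 : 1 }'; then
            echo "not in hosts: $h"
            rc=1
        fi
    done
    return $rc
}

# make_demo_staging DIR: build a constructed staging area (addresses from the
# 192.0.2.0/24 documentation range, not a real network).
make_demo_staging() {
    dir=$1
    mkdir -p "$dir"
    for f in $STAGING_FILES; do
        : > "$dir/$f"
    done
    cat > "$dir/hosts" <<'EOF'
# constructed sample hosts file
127.0.0.1     localhost
192.0.2.10    eagle   loghost   # name service master
192.0.2.1     router
192.0.2.20    tern
EOF
}

# Dry run on a temporary directory.
demo=$(mktemp -d)
make_demo_staging "$demo"
if check_staging "$demo"; then echo "staging area complete"; fi
if check_hosts "$demo" eagle tern; then echo "all planned clients listed"; fi
if ! check_hosts "$demo" heron; then echo "add the missing host before populating tables"; fi
rm -rf "$demo"
```

On the real system run check_staging /setup/files and check_hosts /setup/files with the list of planned clients; any "missing" or "must be empty" line means the staging area is not yet ready to be turned into tables.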


Modify the /var/yp/Makefile (NIS domains only)

The /var/yp/Makefile file must be modified to point to the staging area and its subdirectories.

  1. Edit the /var/yp/Makefile in the Admin Editor.

  2. Change four variables: PWDIR, DIR, INETDIR, and RBACDIR, to point to the /setup/files directory.

  3. To ensure that the NIS master server stores its mail aliases in a NIS map, change the line in the /var/yp/Makefile file that begins with ALIASES to point to the NIS map.

    The name is in the format ALIASES = /var/yp/mail-server.NIS-domain-name/mail.aliases. For example,


    ALIASES = /var/yp/pigeon.aviary.example.org/mail.aliases

    The /etc/mail/aliases file remains available for mail aliases specific to the NIS master server.
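The script below is an added example, not part of the Trusted Solaris guide, of making the Makefile edits in steps 2 and 3 from the command line. It rewrites PWDIR, DIR, INETDIR and RBACDIR to the staging directory and ALIASES to the NIS map name in the format the guide gives, warns about any variable the file does not define (a silent non-match would leave the maps built from /etc), and uses a temporary file because Solaris sed has no in-place option. The function names and the constructed Makefile fragment are assumptions; only the five variable lines matter.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris guide): point the NIS Makefile
# variables the guide names at the staging area and move ALIASES to the NIS
# map. A temporary file is used because Solaris sed has no in-place option.

STAGING=/setup/files

# retarget_yp_makefile MAKEFILE MASTER DOMAIN
# Rewrites PWDIR, DIR, INETDIR and RBACDIR to $STAGING and ALIASES to
# /var/yp/MASTER.DOMAIN/mail.aliases. Warns about any variable the file does
# not define instead of silently leaving the maps built from /etc.
retarget_yp_makefile() {
    mf=$1
    master=$2
    domain=$3
    tmp="$mf.tmp"
    cp "$mf" "$tmp"
    for var in PWDIR DIR INETDIR RBACDIR ALIASES; do
        case $var in
            ALIASES) val="/var/yp/$master.$domain/mail.aliases" ;;
            *)       val=$STAGING ;;
        esac
        if ! grep -q "^$var[[:space:]]*=" "$tmp"; then
            echo "warning: $var is not defined in $mf" >&2
            continue
        fi
        # the '^' anchor keeps DIR from matching PWDIR, INETDIR or RBACDIR
        sed "s|^$var[[:space:]]*=.*|$var = $val|" "$tmp" > "$tmp.new"
        mv "$tmp.new" "$tmp"
    done
    mv "$tmp" "$mf"
}

# show_yp_settings MAKEFILE: print the five lines to verify after editing.
show_yp_settings() {
    grep -E '^(PWDIR|DIR|INETDIR|RBACDIR|ALIASES)[[:space:]]*=' "$1"
}

# Dry run on a constructed fragment standing in for /var/yp/Makefile.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed fragment, not the real /var/yp/Makefile
DIR =/etc
PWDIR =/etc
INETDIR=/etc/inet
RBACDIR =/etc/security
ALIASES = /etc/mail/aliases
all: passwd group hosts
EOF
retarget_yp_makefile "$demo" pigeon aviary.example.org
show_yp_settings "$demo"
rm -f "$demo"
```

After running it against the real file, show_yp_settings /var/yp/Makefile should print exactly the five lines you expect before you run the Create NIS Server action.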

Create NIS Maps from the Staging Area (NIS domains only)
  1. Double-click the Create NIS Server action in the System_Admin folder.

  2. Enter your NIS domain name.

    For example,


    Domain Name: aviary.example.org
    

    This action creates the domain name, establishes this host as the NIS master server, and copies the /etc/nsswitch.nis file over /etc/nsswitch.conf.

  3. When prompted for other NIS servers, enter their host names one by one.

    For example,


    Host: tern
    

  4. Follow the instructions for ending the prompts.

    The action creates NIS maps from the /setup/files directory. It uses your modified /var/yp/Makefile to create the /var/yp/NIS_maps.

  5. Do not reboot your system yet.

Create NIS+ Tables from the Staging Area (NIS+ domains only)
  1. Double-click the Create NIS+ server action in the System_Admin folder.

  2. Enter your NIS+ domain name.

    This host will be the root master. For example,


    Domain Name: aviary.example.org.
    

    There is a period at the end of the domain name.

  3. Answer the prompts (y, y, rootpassword).

    You can ignore diagnostics printing out that the file /etc/defaultdomain cannot be located. The file will be created.

  4. In the /setup/files directory, make sure that you have added all NIS+ clients to the hosts file.


    # cd /setup/files
    # more hosts
    

  5. Populate the standard NIS+ databases from the /setup/files directory by running the Populate NIS+ Tables action in the System_Admin folder.

  6. Enter your staging area when prompted.


    Populate from which directory? /setup/files
    
  7. Answer the prompts (y, y).


    ...
    Is this information correct? y
    ...
    Do you want to continue? y
    
  8. Load any additional NIS+ tables you may have backed up, such as auto_home.

    Procedures vary depending on the format of the backup and on what types of NIS+ tables they are. Refer to the Solaris Naming Setup and Configuration Guide for details of how to load your tables.

  9. Do not reboot your system yet.

Edit SMC Toolbox Definitions for the Name Service

If you are running a name service, you must edit two files: tsol_smc.tbx and the name service toolbox. These files must be edited on the name service master before it can be used on the domain.

  1. In the root role at the label ADMIN_LOW, list the toolbox directory.


    # cd /var/sadm/smc/toolboxes
    # ls tsol*/*tbx
    tsol_files/tsol_files.tbx        tsol_nis/tsol_nis.tbx
    tsol_smc/tsol_smc.tbx            tsol_nisplus/tsol_nisplus.tbx

    • If you are running the NIS+ name service, your toolbox files are tsol_smc/tsol_smc.tbx and tsol_nisplus/tsol_nisplus.tbx

    • If you are running the NIS name service, your toolbox files are tsol_smc/tsol_smc.tbx and tsol_nis/tsol_nis.tbx

  2. Open the Admin Editor from the System_Admin folder.

  3. Copy and paste the full pathname to the tsol_smc.tbx toolbox into the dialog box, as in:


    /var/sadm/smc/toolboxes/tsol_smc/tsol_smc.tbx

  4. Find your name service toolbox name in the file, and replace the Scope line with the name of the master and the name of the domain.

    For example, change


    <ToolBoxURL>
            <URL>../tsol_nisplus/tsol_nisplus.tbx</URL>
            <Scope>nisplus:/<?server?>/<?server?></Scope>
      </ToolBoxURL>

    To:


    <ToolBoxURL>
            <URL>../tsol_nisplus/tsol_nisplus.tbx</URL>
            <Scope>nisplus:/eagle/aviary.example.org</Scope>
      </ToolBoxURL>

  5. Save (:wq!) and close the file.

  6. Edit the name service toolbox in the Admin Editor.


    Example 5-1 NIS Toolbox


    /var/sadm/smc/toolboxes/tsol_nis/tsol_nis.tbx


    Example 5-2 NIS+ Toolbox


    /var/sadm/smc/toolboxes/tsol_nisplus/tsol_nisplus.tbx

  7. In the editor, in the line beginning with <Scope>, replace the first instance of <?server ?> with the name service master, and the second with the fully qualified domain name.


    Example 5-3 NIS <Scope>


    <Scope>nis:/eagle/example.org</Scope>


    Example 5-4 NIS+ <Scope>


    <Scope>nisplus:/eagle/aviary.example.org</Scope>

  8. Replace every other instance of <?server?> or <?server ?> with the name service master, as in:


    Example 5-5 NIS <?server?>


    <Name>  eagle: Scope=NIS, Policy=TSOL</Name>
    services and configuration of eagle.</Description>
    and configuring eagle.</Description>
    <ServerName>eagle</ServerName>
    <ServerName>eagle</ServerName>


    Example 5-6 NIS+ <?server?>


    <Name>  eagle: Scope=NIS+, Policy=TSOL</Name>
    services and configuration of eagle.</Description>
    and configuring eagle.</Description>
    <ServerName>eagle</ServerName>
    <ServerName>eagle</ServerName>

  9. Write (:wq!) and quit the editor.
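The script below is an added example, not part of the Trusted Solaris guide or the SMC toolboxes, of making the substitutions in steps 4, 7 and 8 without hand-editing: the <Scope> line gets the master and then the domain, every remaining placeholder gets the master, and the function fails if any placeholder survives. Both spellings the guide shows, <?server?> and <?server ?>, are handled. The function names and the constructed toolbox fragment are assumptions; the example values eagle and aviary.example.org are the guide's.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris guide): fill the <?server?>
# placeholders in an SMC toolbox file as steps 4, 7 and 8 describe.

# fill_toolbox TBX MASTER DOMAIN
# First the <Scope> line: first placeholder -> MASTER, second -> DOMAIN.
# Then every remaining placeholder -> MASTER. Returns 1 if any survives.
fill_toolbox() {
    tbx=$1
    master=$2
    domain=$3
    tmp="$tbx.tmp"
    # a placeholder with or without the space is '<?server *?>' in sed BRE;
    # '[a-z+]*' matches either 'nis' or 'nisplus' in the scope prefix
    sed "s|\(<Scope>[a-z+]*:/\)<?server *?>/<?server *?>|\1$master/$domain|" "$tbx" |
        sed "s|<?server *?>|$master|g" > "$tmp"
    mv "$tmp" "$tbx"
    if grep -n '<?server' "$tbx"; then
        echo "error: unresolved placeholders remain in $tbx" >&2
        return 1
    fi
    return 0
}

# scope_of TBX: print the configured scope so it can be checked.
scope_of() {
    sed -n 's|.*<Scope>\(.*\)</Scope>.*|\1|p' "$1"
}

# Dry run on a constructed fragment modelled on the guide's examples.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<ToolBoxURL>
        <URL>../tsol_nisplus/tsol_nisplus.tbx</URL>
        <Scope>nisplus:/<?server?>/<?server?></Scope>
  </ToolBoxURL>
<Name>  <?server ?>: Scope=NIS+, Policy=TSOL</Name>
<ServerName><?server?></ServerName>
EOF
if fill_toolbox "$demo" eagle aviary.example.org; then
    cat "$demo"
fi
rm -f "$demo"
```

Run it once on tsol_smc.tbx and once on the tsol_nis.tbx or tsol_nisplus.tbx file in use; scope_of on each file should print the nis:/ or nisplus:/ scope with the master and domain you intended.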

(Optional) Set Up DNS

Skip this procedure if the security administrator has planned a closed network. For detailed information about DNS, see the Solaris Naming Setup and Configuration Guide.

  1. If your system is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers by IP address, one per line.

    The file looks something like:


    nameserver nnn.nnn.nnn.nnn
    nameserver nnn.nnn.nnn.nnn
    
  2. Using the Name Service Switch action, change the hosts entry in the /etc/nsswitch.conf file to use DNS.


    Example 5-7 NIS nsswitch.conf File


    ~
    #hosts:    nis [NOTFOUND=return] files
    hosts:   nis files dns
    ~


    Example 5-8 NIS+ nsswitch.conf File


    ~
    #hosts:    nisplus [NOTFOUND=return] files
    hosts:   files nisplus dns
    ~

Reboot the Computer

Shut down the system from the TP (Trusted Path) menu, and reboot it.

Name Service References

For fuller descriptions of name service setup and administration, and DNS, see