Trusted Solaris Installation and Configuration

Chapter 6 Configuring a Name Service Client

This chapter provides procedures to configure the name service clients at your site interactively, after you have configured the name server.

Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the computer, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

Client Configuration Tasks

Configuring a name service client is similar to configuring its master, except that configuration details the client receives from the master do not have to be repeated.

If the client machine was installed from a CD-ROM, complete the configuration tasks in the following table. Depending on your site configuration, some procedures can be omitted.

Table 6-1 Task Map for Clients Installed from CD-ROM

    Task                                Described
    "Initial Configuration"             Covers protecting the hardware, setting up the labels, and initializing the administration tools.
    "(Optional) Configuring Routing"    Covers how to set up static routing.
    "Configuring the Network"           Covers how to specify the hosts that are contacted during boot.
    "Connecting to the Name Server"     Covers how to connect to the name service.
    "Sharing Critical File Systems"     Covers how to share the home directory and mail server.
    "Finish Configuring the System"     Points you to auditing setup information, how to share and mount file systems, and how to delete the install user.

If the client machine was installed over the network, complete the configuration tasks in the following table in the appropriate role.

Table 6-2 Task Map for Clients Installed Over a Network

    Role             Task Responsibility After Network Installation
    secadmin role    "SPARC: Protect Machine Hardware" or "IA: Protect the BIOS"
                     "Install the Name Service Master's label_encodings File"
                     "Copy the Name Service Master's Tnrhtp Database"
                     "Initialize the SMC Server", then "Assign Templates to Remote Hosts"
                     "Set Up Auditing to Match the Master Server"
                     "(Optional) Set Security Attributes on Mounted File Systems"
    admin role       "Mount the Diskette With Configuration Files"
                     "(Optional) Configuring Routing"
                     "Initialize the SMC Server", then "Add Hosts to be Contacted During Booting"
                     "(Optional) Remove the 0.0.0.0 Network"
                     "Copy the SMC Name Server Toolbox Definitions to the Client"
                     "Copy Network Files to the /etc Directory"

If the client machine was installed using JumpStart scripts, complete the configuration tasks in the following table in the appropriate role.

Table 6-3 Task Map for Clients Installed Using JumpStart

    Role             Task Responsibility After Network Installation
    secadmin role    "SPARC: Protect Machine Hardware" or "IA: Protect the BIOS"
                     "Set Up Auditing to Match the Master Server"
    admin role       "Initialize the SMC Server"
                     "Connecting to the Name Server"

Initial Configuration

Log In
  1. Log in as install, assume the root role, and open a terminal.

    See "Logging In and Launching a Terminal" for details.

SPARC: Protect Machine Hardware

    In the terminal, enter the PROM security mode.

    # eeprom security-mode=command
    Changing PROM password:
    New password: password
    Retype new password: password

    Choose the value command or full. See the eeprom(1M) man page for more details.

    If you are not prompted to enter a PROM password, the system already has a PROM password. To change the PROM password, run the following command, pressing Return after the equal sign:

    # eeprom security-password=
    Changing PROM password:
    New password: password
    Retype new password: password

    The new PROM security mode and password are in effect immediately, but are most likely to be noticed at the next boot.

    Caution -

    Do not forget this password. The hardware is unusable without it.


IA: Protect the BIOS

On Intel architecture, the equivalent to protecting the PROM is to protect the BIOS.

    Refer to your machine's manuals for how to protect the BIOS.

Install the Name Service Master's label_encodings File

Caution -

The label_encodings file on the client machine must be identical to the one on the name service master. If you are sure it is identical, you may skip this step.


  1. In the root role, create an ADMIN_HIGH workspace.

    See "Create an Admin_High Workspace" for details.

  2. In the ADMIN_HIGH workspace, allocate the floppy device, and insert the name service master's ADMIN_HIGH diskette containing the label_encodings file.

    See "Allocate the Appropriate Device" for details.

  3. Double-click the Check Encodings action in the System_Admin folder of the Application Manager and enter the full pathname of the label_encodings file.

  4. Answer yes to install the name service master's label_encodings file on the client.

  5. Deallocate the floppy drive, and return to a root workspace labeled ADMIN_LOW.

Mount the Diskette With Configuration Files

You made a diskette for the client in "Copy Configuration Files for Distribution to Clients".

  1. In the root role at label ADMIN_LOW, allocate the floppy device, insert the ADMIN_LOW diskette of selected files from the name service master, and mount it.

  2. Leave up the File Manager that shows the diskette's mount point.

Initialize the SMC Server

    In the root role in an ADMIN_LOW workspace, start the SMC server process in the terminal window.


    # smc
    

    Note -

    The smc command initializes the SMC server. The first time the server is launched, it performs several registration tasks, which can take a few minutes.


    If toolboxes do not load, see Step 2 in "Initializing the Solaris Management Console" for troubleshooting procedures. If the client was installed with the End User cluster, SMC will not run.

(Optional) Configuring Routing

If you configured the name service master to use static routing, you must configure the clients to use the same routing method.

Configure to Match the Name Server's Routing Method
  1. If the name service master is configured for static routing, determine the appropriate static routing for the client.

    Table 6-4 Client Static Routing Entry

    Server Interfaces                               Client on same subnet                                               Client on different subnet
    Name service master has 1 network interface     Use same entry as master's                                          Static routing will be slightly different for the subnet
    Name service master has >1 network interface    Enter master's other network interface(s) in static routing file

  2. Configure the client to use the same static routing method as the one used on the master.

Configuring the Network

Add Hosts to be Contacted During Booting

Note that a name service client finds its file servers, home directory server, mail server, and other servers from the name service master.

  1. In the root role at the label ADMIN_LOW, return to the Solaris Management Console or re-open it if it is closed.


    # smc
    

  2. Click this-host: Scope=Files, Policy=TSOL under Trusted Solaris Management Console in the Navigation pane.

    See Figure 9-1 for the tools that should display in the Navigation pane.

(Optional) Remove the 0.0.0.0 Network

The network wildcard 0.0.0.0 may present a security risk. See "Modifying the Boot-time Trusted Network Databases" in Trusted Solaris Administrator's Procedures for more information.

    Follow the instructions in the "To Replace the 0.0.0.0 Entry in the Local Tnrhdb File" procedure under "Managing Trusted Networking (Tasks)" in Trusted Solaris Administrator's Procedures.

Copy the Name Service Master's Tnrhtp Database

You can skip this step if your site did not modify or replace the label_encodings file and the tnrhtp file that were installed from the Trusted Solaris 8 4/01 Installation CD.


Note -

The tnrhtp(4) template definition and name for the name service master must be identical on the client and master.


    In the root role at label ADMIN_LOW, copy the tnrhtp file from the /diskette-mount-point/export/clientfiles directory to /etc/security/tsol/tnrhtp.

    See "To Copy Files From a Diskette" if you are unsure how to copy using the File Manager.

Assign Templates to Remote Hosts

The clients get most of their template assignments from the name service. A client's local tnrhdb database must contain servers that are contacted during boot, such as the name service master (or its subnet), static routers, and any audit servers.

  1. In the root role at the label ADMIN_LOW, double-click Security Families under Computers and Networks in the Trusted Solaris Configuration.

    The remote host templates display in the View pane.

  2. Double-click the remote host template, tsol.

  3. Choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and template name (tsol) of the Trusted Solaris name service master.

  4. Add the audit server by choosing Add Host(s) from the Action menu. Then click Add Host and enter the IP address of the client's audit server and tsol host type.

  5. Again choose Add Host(s) from the Action menu, click Add Host, and enter the IP address and host type of the static router(s).

    A client with one defaultrouter and no audit server would have three entries in its tnrhdb:

    1. The client and its host type (tsol),

    2. The name service master and its host type (tsol) (or its subnet fallback IP address and tsol)

    3. The defaultrouter and its host type.

  6. Open a terminal to reload and verify the updated tnrhdb database.


    # tnctl -H /etc/security/tsol/tnrhdb
    # tninfo -h
    

Summary of Client Network Files

These client files must be compatible with the name service master files:

The client's local tnrhdb(4) file must have the IP address and host type of the NIS+ master (or the IP address and host type of the subnet), the client's static routers, and the client.

In addition, the client's address and name, the name service master's name and address, and the static routers' names and addresses must be in the local hosts database.
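The tnrhdb requirements in "Assign Templates to Remote Hosts" and in the summary above can be checked with the following script, an added example that is not part of the Trusted Solaris documentation. It assumes the tnrhdb(4) line format address:template and runs against a constructed sample file with made-up addresses rather than the live /etc/security/tsol/tnrhdb.

```shell
#!/bin/sh
# Added check (not from the Trusted Solaris documentation): confirm that a
# client's local tnrhdb has an entry for every host contacted during boot,
# and report whether the 0.0.0.0 wildcard entry is still present.
# Assumes the tnrhdb(4) line format "address:template".

# Constructed sample tnrhdb: client 192.168.10.21, name service master
# 192.168.10.5, default router 192.168.10.1 (all addresses are made up).
SAMPLE_TNRHDB=${TMPDIR:-/tmp}/tnrhdb.sample.$$
cat > "$SAMPLE_TNRHDB" <<'EOF'
# constructed client tnrhdb
192.168.10.21:tsol
192.168.10.5:tsol
192.168.10.1:tsol
0.0.0.0:admin_low
EOF

# tnrhdb_template FILE ADDRESS: print the template assigned to ADDRESS.
# Comments and blank lines are skipped; returns 1 when ADDRESS has no entry.
tnrhdb_template() {
    awk -F: -v addr="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == addr { print $2; found = 1; exit }
        END { exit !found }' "$1"
}

# check_boot_hosts FILE HOST...: return 0 when every HOST has an entry,
# otherwise name each missing host on stderr and return 1.
check_boot_hosts() {
    file=$1; shift
    rc=0
    for h in "$@"; do
        if ! tnrhdb_template "$file" "$h" >/dev/null; then
            echo "missing tnrhdb entry for $h" >&2
            rc=1
        fi
    done
    return $rc
}

# has_wildcard FILE: return 0 when the 0.0.0.0 fallback entry is present.
has_wildcard() {
    tnrhdb_template "$1" 0.0.0.0 >/dev/null
}

# The three entries the procedure lists for a client with one defaultrouter
# and no audit server: the client, the name service master, the router.
check_boot_hosts "$SAMPLE_TNRHDB" 192.168.10.21 192.168.10.5 192.168.10.1 \
    && echo "all boot-time hosts have a template"
has_wildcard "$SAMPLE_TNRHDB" \
    && echo "0.0.0.0 wildcard present; see (Optional) Remove the 0.0.0.0 Network"
```

After editing the real file, the same check can be pointed at /etc/security/tsol/tnrhdb with the client's own addresses before running tnctl.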

Connecting to the Name Server

Verify Communication with the Name Service Master

Skip this procedure if the client specified the name service, NIS or NIS+, during network install.

  1. As root, at label ADMIN_LOW, check to see that you can ping the name service master.


    # ping name-service-master
    
  2. Check to see that you can rup the name service master.


    # rup name-service-master
    

    If the rup(1) command succeeds, you may proceed. If it fails, debug your network setup until the rup command succeeds.


    Note -

    If you have added a client that was not initially on the master, you must add it to the master and assign it a template. On the master, the ping and rup commands must work to contact the new client before continuing.


Add Client to the NIS+ Domain

Note -

Skip this procedure if the client specified a name service during network install. After JumpStart installation, you must do the procedure to add the client to the domain.


Prerequisite: The rup command must succeed in both directions: from client to master, and master to client.

  1. In the root role at label ADMIN_LOW, add the host as a NIS+ client using the Create NIS+ Client action in the System_Admin folder.

  2. Enter the NIS+ domain name and host name of the root master. There is a period at the end of the domain name.

    For example,


       Domain Name: aviary.example.org.
       Hostname of NIS+ Master: eagle
    

  3. Answer the prompts (y, your-master's-ip-address, nisplus, rootpassword).

    You can ignore diagnostics printing out that certain files and directories cannot be located. The files and directories will be created.

  4. Do not reboot when the program prints the message:


       Once initialization is done, you will need to reboot your machine.

    You will reboot after setting up DNS.

Add Client to the NIS Domain
  1. In the root role at label ADMIN_LOW, add the host as a NIS client using the Create NIS Client action in the System_Admin folder.


    Note -

    If this is a NIS slave server, make sure you enter this host name and the name of the master server at the prompts.


    The action copies the nsswitch.nis file to the nsswitch.conf file.

  2. Do not reboot until after you have set up DNS.

Copy the SMC Name Server Toolbox Definitions to the Client

Note -

Administrators who want to administer the name service using SMC from this client system must do this procedure.


  1. In the root role at label ADMIN_LOW, copy the name service master's tsol_nameservice.tbx file from the /diskette-mount-point/export/clientfiles directory to the /var/sadm/smc/toolboxes/tsol_nameservice directory.

    If you did not copy the files to the client, do the "Edit SMC Toolbox Definitions for the Name Service" procedure on the client system.

  2. Also copy the name service master's tsol_smc.tbx file from the /diskette-mount-point/export/clientfiles directory to the /var/sadm/smc/toolboxes/tsol_smc directory.

Copy Network Files to the /etc Directory

If you are using DNS to contact hosts outside of your domain, or if you have altered the resolv.conf and nsswitch.conf files on the name service master, set up DNS before rebooting.

    In the root role at label ADMIN_LOW, set up the DNS nameservers and the name service switch by copying the files resolv.conf and nsswitch.conf from the /diskette-mount-point/export/clientfiles directory to the /etc directory.

    If you did not copy the files to the client, follow the procedure in "(Optional) Set Up DNS".

Reboot the Computer

Skip this procedure if the client was installed over the network.

    Shut down the system from the TP (Trusted Path) menu, and reboot it.

Enable the Slave Server (NIS domain only)
  1. If this is a NIS slave server, log in, assume the root role, open a terminal, and enable ypinit.


    # /usr/sbin/ypinit -s NIS-master-server
    

  2. Before continuing, reboot the machine again to enable it to serve NIS clients.

Add the IMAP Server (NIS+ domain only)
  1. If this is an IMAP mail server, go to the NIS+ master and log in.

    This procedure enables the mail server to authenticate users.

  2. Assume the admin role in an ADMIN_LOW workspace, and open the System_Admin folder in the Application Manager.

  3. Double-click the Add to NIS+ Administrative Group action and enter the group name and the full name of your mail server.

    Use your domain name with the format subdomain.domain.suffix. For example:


    Group Name: admin
    Principal Name: pigeon.aviary.example.org.
    

    Note -

    Remember to type a period (.) at the end of the principal name.


Sharing Critical File Systems

Share Home Directories

See "Administering NIS+ Groups" in Solaris Naming Administration Guide for ways to restrict home directory access to particular groups.

  1. In the root role at label ADMIN_LOW, under Trusted Solaris Management Console, click this-host: Scope=Files, Policy=TSOL.


    Note -

    If toolbox icons display as red stop signs, the toolboxes will not load. To load them, see Step 2 in "Initialize the SMC Server".


  2. Click Storage, provide a password if prompted, then double-click Mounts and Shares, then double-click Shares.

  3. Choose Add Shared Directory from the Action menu.

  4. Follow the online help to share the /export/home directory.

    The tool shares the directory and starts the NFS daemons.

  5. Verify that the directories are shared.


    $ showmount -e
    export list for homedir-server:
    /export/home

Share Mail Server Directories
  1. Repeat the above procedure to share the mail service directory.

    For example, when the directories are shared, the showmount command would show something like the following:


    $ showmount -e
    export list for mail-server:
    /export/post

    If the users' home directories and email directories are on the same server, the command would show the following:


    $ showmount -e
    export list for server:
    /export/home
    /export/post
  2. If you have not finished configuring the name service master, return to "Creating Roles and Users". Otherwise, continue below.

Finish Configuring the System

If you are configuring a site that satisfies criteria for an evaluated configuration, read "Understanding Your Site's Security Policy". Users assume the roles that have been created, security administrator and system administrator, to complete system configuration.

Set Up Auditing to Match the Master Server

The client's audit configuration must be identical to the name service master's. The domain should collect auditing records as if one machine were being audited.

  1. To ensure that every system and user is audited identically, in the root role at label ADMIN_LOW, copy the name service master's /etc/security/audit* configuration files to the system from the /diskette-mount-point/export/clientfiles directory.

  2. In the secadmin role, customize the dir: entries for the local host in the audit_control file.

    Follow the procedures in Trusted Solaris Audit Administration.

(Optional) Set Security Attributes on Mounted File Systems
  1. To set security attributes on an unlabeled file system, assume the role secadmin, and in an ADMIN_LOW workspace, use the Admin Editor to enter the file system in the vfstab_adjunct file.

    The vfstab_adjunct(4) file is saved and protected at the label ADMIN_HIGH.

(Optional) Mount and Share File Systems

The admin role handles file system management, and user account creation and deletion.

  1. In the admin role in an ADMIN_LOW workspace, finish configuring the system.

(Optional) Delete the Install User
  1. Read "(Optional) Delete the User install" before deleting the install user.