Solstice AutoClient 2.1 Administration Guide

Chapter 3 Using Solstice AutoClient in a Name Service Environment

The Solstice AutoClient software can be used in different name service environments. When you use each application or command-line equivalent, you must specify the name service environment data you wish to modify.

This is a list of the overview information in this chapter.

Available Name Service Environments

The Solstice AutoClient software can be used to manage information on the local system or across the network using a name service. The sources of information that can be managed by the Solstice AutoClient software are described in Table 3-1.

Table 3-1 Available Name Service Environments

| Name Service | Select This Name Service To Manage ... |
| --- | --- |
| NIS+ | NIS+ table information. This requires sysadmin group (group 14) membership and the appropriate ownership or permissions on the NIS+ tables to be modified. |
| NIS | NIS map information. You must be a member of the sysadmin group. If the NIS master server is running the Solaris 1.x OS Release, you must have explicit permissions on the NIS master server to update the maps. This means an entry for your host name and user name must reside in root's .rhosts file on the NIS master server. This entry is not required if the NIS master server is running the Solaris 2.x OS Release and the Name Services Transition Kit 1.2 software. |
| None | The /etc files on the local system. You must be a member of the sysadmin group on the local system. |

See "Setting Up User Permissions to Use the Solstice AutoClient Software" for information on using the Solstice AutoClient software with or without a name service environment.

The /etc/nsswitch.conf File and the Solstice AutoClient Product

The Solstice AutoClient software allows you to select which name service databases will be updated (written to) when you make modifications with Host Manager. However, the /etc/nsswitch.conf file on each system specifies the policy for name service lookups (where data will be read from) on that system.


Caution -

It is up to the user to make sure that the name service they select from Host Manager is consistent with the specifications in the /etc/nsswitch.conf file. If the selections are not consistent, Host Manager may behave in unexpected ways, resulting in errors or warnings. See "Selecting a Name Service Environment" for an example of the window from which you select a name service.


The /etc/nsswitch.conf file has no effect on how the system configuration files get updated. In the /etc/nsswitch.conf file, more than one source can be specified for the databases, and complex rules can be used to specify how a lookup can be performed from multiple sources. There is no defined syntax for using the rules in the /etc/nsswitch.conf file to perform updates.

Because of this, updates are controlled by the name service selection that is made when the Host Manager is started. The administrator must decide where the update is to take place.

When using Host Manager, administrative operations can take place on multiple systems with a single operation. It is possible that each of these systems could have a different /etc/nsswitch.conf configuration. This situation can make it very difficult to administer your network. It is recommended that all of the systems have a consistent set of /etc/nsswitch.conf files and that the Solstice AutoClient software is used to administer the primary name service specified in the standard /etc/nsswitch.conf file.

With this release of the Solstice AutoClient product, you can define a more complex update policy for Host Manager by using the admtblloc command. For more information on this command, refer to the admtblloc(1M) man page and see "The admtblloc Command".

Selecting a Name Service Environment

After you start the Solstice Launcher and click on an application icon, a window is displayed prompting you to select a name service. Select the name service that is appropriate for your environment.

This example is from Host Manager's Load window.

[Graphic: Host Manager's Load window]

Working With the Name Services Transition Kit 1.2

The Name Services Transition Kit 1.2 is designed to allow you to support a NIS server running Solaris 2.x. Installing the software and setting up the Solaris 2.x NIS servers is described in the Naming Services Transition Kit 1.2 Administrator's Guide. The Solstice AutoClient software can manage information using the NIS name service supported by Solaris 2.x NIS servers installed with the Name Services Transition Kit 1.2 software.

On NIS servers installed with the Solaris 2.x OS Release, the Name Service Transition Kit 1.2, and the Solstice AutoClient software, the configuration files stored in the /etc directory are modified by the Solstice AutoClient applications (these files are in turn automatically converted to NIS maps). If the NIS server is not installed with the Solstice AutoClient software, then the directory location specified by the $DIR variable in the /var/yp/Makefile is used.

Setting Up User Permissions to Use the Solstice AutoClient Software

To use the Solstice AutoClient software, membership in the sysadmin group (group 14) is required. See "Adding Users to the sysadmin Group" for more information.

Following are additional requirements to use the Solstice AutoClient software for each name service.

User Permissions in the NIS+ Environment

The requirements for using the Solstice AutoClient software are:

See Solaris Naming Administration Guide for information on adding users to a NIS+ group and granting permissions on NIS+ tables.

User Permissions in the NIS Environment

The requirements for using the Solstice AutoClient software are:


Note -

In order to manage NIS map information in domains other than your own, the other NIS domain masters need to be on directly attached networks.


Adding Users to the sysadmin Group

The following procedures describe how to add users to the sysadmin group for each name service. If you have access to the Solstice AdminSuite software, you should use Group Manager instead of these procedures to add users to the sysadmin group.

How to Add a User to the sysadmin Group Using NIS+

  1. Log in to a system in your NIS+ domain as an authorized user with read and write access rights to the group table.

  2. Save the group table to a temporary file.


    $ niscat group.org_dir > /var/tmp/group-file
    
  3. Edit the file, adding the users you want to authorize to use the Solstice AutoClient software.

    The following sample shows users added to the sysadmin entry in the group file.


    .
    .
    .
    sysadmin::14:user1,user2,user3
    nobody::60001:
    noaccess::60002:

    In this example,

    user1,user2,user3

    Represent the user IDs you are adding to the sysadmin group. 

  4. Merge the file with the NIS+ group table.


    $ /usr/lib/nis/nisaddent -mv -f /var/tmp/group-file group
    

    The results of the merge are displayed.

  5. Remove the temporary file.


    $ rm /var/tmp/group-file
    

Verification of Adding Users to the sysadmin Group

Verify that the user is a member of the sysadmin group by entering the following commands. Perform this step for each user you added to the file.


    # su - user1
    $ groups
    staff sysadmin
    $ exit

How to Add a User to the sysadmin Group Using NIS

  1. Log in as root on the NIS master server.

  2. Edit the group file (the default directory location is /etc).

    Add a comma-separated list of members to the sysadmin group.


    .
    .
    .
    sysadmin::14:user1,user2,user3
    

    Note -

    The directory location of the group file is specified in the NIS makefile using the $DIR variable. Consult this file if you are uncertain of the location of the group file.


  3. Change directory to the location of the NIS makefile (the default is /var/yp) and remake the NIS map.


    # cd /var/yp
    # make group
    

    Note -

    Depending on the size of the NIS map, it may take several minutes or several hours to update the maps and propagate the changes throughout the network.


  4. (Optional) If the NIS master server is running the Solaris 1.x OS Release, create a .rhosts entry in the root (/) directory on the NIS master server for users authorized to modify NIS maps. Use the following format:


    host-name user-name
    

How to Add a User to the sysadmin Group Without a Name Service

Use this procedure if you will use the Solstice AutoClient software on the local system only.

  1. Become root on your system.

  2. Edit the /etc/group file.

    Add a comma-separated list of members to the sysadmin group.


    .
    .
    .
    sysadmin::14:user1,user2,user3
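
Membership in sysadmin (group 14), together with root's .rhosts entries on a Solaris 1.x NIS master, decides who may change name service data, so both are worth reviewing after any of the procedures above. The following shell script is an added example, not part of the original guide; the approved list, the opsadm group, and the host and user names are constructed for illustration.

```shell
#!/bin/sh
# Added example: review who can modify name service data through the
# sysadmin group (GID 14) and root's .rhosts. All sample data is constructed.

# Members of every group entry with GID 14, one per line, de-duplicated.
sysadmin_members() {
    awk -F: '$3 == 14 {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1" | sort -u
}

# Members of GID 14 that are missing from an approved list (one name per line).
unexpected_sysadmin() {
    sysadmin_members "$1" | while read -r user; do
        grep -Fqx -- "$user" "$2" || echo "$user"
    done
}

# Group names other than "sysadmin" that also map to GID 14.
gid14_aliases() {
    awk -F: '$3 == 14 && $1 != "sysadmin" { print $1 }' "$1"
}

# Non-empty .rhosts lines that are not exactly "host-name user-name"
# or whose host or user field starts with the "+" wildcard.
risky_rhosts() {
    awk 'NF == 0 { next }
         NF != 2 || index($1, "+") == 1 || index($2, "+") == 1 { print NR ": " $0 }' "$1"
}

# Constructed sample input (hypothetical groups, users and hosts).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/group" <<'EOF'
staff::10:
sysadmin::14:user1,user2,user3
opsadm::14:user9
nobody::60001:
EOF
printf 'user1\nuser2\n' > "$tmp/approved"
printf 'adminhost user1\n+ user2\nbuildhost\n' > "$tmp/rhosts"

echo "unexpected members:";  unexpected_sysadmin "$tmp/group" "$tmp/approved"
echo "other GID 14 groups:"; gid14_aliases "$tmp/group"
echo "risky .rhosts lines:"; risky_rhosts "$tmp/rhosts"
```

The same functions accept the file saved with niscat group.org_dir in the NIS+ procedure, since it uses the same colon-separated layout.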
    

Setting Up Solstice AutoClient Name Service Policy

A name service policy is used to specify the location of system and network information managed by the Solstice AutoClient software. This information can be located in the /etc directory for a local system, or in the NIS+ or NIS name service.

The Solstice AutoClient software supports a mixed-mode name service policy. A mixed-mode name service policy enables you to specify different name services for configuration information.

You can use the admtblloc(1M) command to choose a mixture of name services for the Solstice AutoClient tools to populate. For example, you can set up Host Manager to populate local /etc files for bootparams information and to populate the NIS+ tables for the other host configuration information, as shown in Figure 3-1.

Figure 3-1 Example Mixed-Mode Name Service Policy



Caution -

If you choose to implement a mixed-mode name service policy, you must run the Solstice AutoClient software from the system containing information in the /etc directory.


The admtblloc Command

The admtblloc command is used to implement a mixed-mode name service policy in the Solstice AutoClient software. To use this command, you must have permission to use the software for each name service as described in "Setting Up User Permissions to Use the Solstice AutoClient Software".


Note -

The admtblloc command has no relation to the /etc/nsswitch.conf file used to set the system-wide name service selection policy in the Solaris 2.x operating environment. The admtblloc command is used to set the policy for all users of the Solstice AutoClient software graphical user interface tools or command line interfaces.


Specifying the Name Service Policy Using admtblloc

This example shows how to specify the name service policy specified in Figure 3-1 using the admtblloc command:


    $ admtblloc -c NIS+ -d solar.com bootparams NONE

In this example,

-c NIS+ -d solar.com

The NIS+ domain solar.com is the name service context (the name service and domain name specified in the Load window).

bootparams

bootparams is the configuration file to set the name service policy for.

NONE

NONE specifies that the host running the Solstice AutoClient tool or command line interface must use the bootparams file found in the local /etc directory.

After setting the mixed-mode name service policy specified in Figure 3-1, the Solstice AutoClient software will use the bootparams information stored in the /etc directory on the current host running the Solstice AutoClient tool whenever the name service (specified in the Load window) is NIS+. The name service policy for the other configuration files (hosts, ethers, timezone and credential) is NIS+, unless you specify otherwise using admtblloc again. The mixed-mode name service policy remains in effect for all users of the Solstice AutoClient software in the name service until you change it using the admtblloc command once again.


Note -

If you specify that the name service location of a configuration file is NONE using the admtblloc command, the /etc file on the current host running the Solstice AutoClient application or command-line interface is modified. You should log in to the host where you want to use the local /etc file and perform operations using the Solstice AutoClient on that system.


Viewing the Name Service Policy Using admtblloc

This example shows how to display the name service policy using the admtblloc command:


    $ admtblloc
    Name           Name Service  Path

    Aliases        NIS+
    Hosts          NIS+
    Group          NIS+
    Netgroup       NIS+
    Protocols      NIS+
    Bootparams     NONE
    Auto.home      NIS+
    RPC            NIS+
    Timezone       NIS+
    Netmasks       NIS+
    Ethers         NIS+
    Passwd         NIS+
    Services       NIS+
    Networks       NIS+
    Locale         NIS+

In this example output,

Name

Is the name of the configuration file. 

Name Service

Specifies the name service used to access the configuration file. 

Path

(Optional) Specifies the path to the ASCII source file on NIS servers in the NIS name service. The default is the /etc directory.

By default, the admtblloc command displays the policy for the name service to which the current host belongs. To display the name service policy for a different name service, specify the name service context.

This example shows how to display the name service policy for the NONE or local /etc files name service context domain using the admtblloc command:


    $ admtblloc -c NONE
    Name           Name Service  Path
    Aliases        NONE
    Hosts          NONE
    Group          NONE
    Auto_home      NONE
    Netgroup       NONE
    Protocols      NONE
    Bootparams     NONE
    RPC            NONE
    Timezone       NONE
    Netmasks       NONE
    Ethers         NONE
    Passwd         NONE
    Services       NONE
    Networks       NONE
    Locale         NONE

In this example,

-c

Specifies the name service context. 

NONE

Is the local /etc files name service.

You can also use the admtblloc command to display the name service policy for a specified configuration file. This example shows how to display the name service policy for the hosts file in the default name service:


    $ admtblloc Hosts
    Hosts          NIS+

Note -

The configuration file names are case-sensitive.
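
Because admtblloc sets where updates are written while /etc/nsswitch.conf sets where lookups read first, a mixed-mode policy can leave a table written to a source that is not consulted first. The following shell script is an added example, not part of the original guide: it compares saved admtblloc output with an nsswitch.conf file, assuming that a table name in lower case is its nsswitch.conf database name and that NIS+, NIS and NONE correspond to the nisplus, nis and files sources; the nsswitch.conf content is constructed.

```shell
#!/bin/sh
# Added example: compare the update policy shown by admtblloc with the lookup
# order in nsswitch.conf. Assumption: a table name lower-cased is its
# nsswitch.conf database name; tables with no such entry are skipped.

# policy_mismatches POLICY_FILE NSSWITCH_FILE
# Prints "table writes-to reads-first" for each table whose update target is
# not the first lookup source for that database.
policy_mismatches() {
    awk '
        BEGIN { src["NIS+"] = "nisplus"; src["NIS"] = "nis"; src["NONE"] = "files" }
        FNR == NR {                          # first file: nsswitch.conf
            sub(/#.*/, "")                   # drop comments
            if ($1 ~ /:$/ && NF > 1) { db = $1; sub(/:$/, "", db); first[db] = $2 }
            next
        }
        ($2 in src) {                        # second file: admtblloc output
            db = tolower($1)
            if ((db in first) && first[db] != src[$2])
                print $1, src[$2], first[db]
        }
    ' "$2" "$1"
}

# Policy lines in the format of the admtblloc output shown above (subset).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/policy" <<'EOF'
Name           Name Service  Path
Hosts          NIS+
Group          NIS+
Bootparams     NONE
Timezone       NIS+
Ethers         NIS+
Passwd         NIS+
EOF
# Constructed nsswitch.conf for one managed system.
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     nisplus files
group:      nisplus files
hosts:      nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files nisplus
EOF

policy_mismatches "$tmp/policy" "$tmp/nsswitch.conf"
```

On a managed system, save the output of admtblloc to a file and pass it with /etc/nsswitch.conf; any line printed names a table to review against the consistency recommendation earlier in this chapter.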


Configuration Supported by the admtblloc Command

Following is a list of the configuration files the Solstice AutoClient software can use in a mixed-mode name service environment.


Note -

The admtblloc command can be used to set the name service policy for only the configuration files present in this list.


Refer to the admtblloc(1M) man page for more information about how to use this command.