System Administration Guide: Naming and Directory Services (NIS+)

Security Considerations When Configuring the NIS+ Client

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for the credentials to be created by an administrator with valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.

After an administrator creates the client's credentials, the client can complete the configuration process. However, the client still needs read access to the directory object of its home domain. If you configured the client's home domain according to the instructions in either Chapter 5, Setting Up the NIS+ Root Domain or Chapter 8, Configuring an NIS+ Non-Root Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).

You can check the directory object's access rights by using the niscat-o command. This command displays the properties of the directory, including its access rights:

rootmaster# niscat -o
ObjectName : Doc
Owner :
Group :
Domain : Com.
Access Rights : r---rmcdr---r---

You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Chapter 15, Administering NIS+ Access Rights.