System Administration Guide: Naming and Directory Services (NIS+)

Configuring the NIS+ Client

This section describes how to configure a typical NIS+ client in either the root domain or a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.

Caution – Caution –

Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution also applies to subdomains. For example, if you have a machine named west you do not want to create a subdomain.

Setting up an NIS+ client involves the following tasks:

However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order.

    To make the configuration process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:

  1. Logging in to the domain's master server

  2. Creating DES credentials for the new client machine

  3. Ascertaining the Diffie-Hellman key length used on the master server

  4. Logging in as superuser to the client

  5. Assigning the client its new domain name

  6. Stopping and restarting nscd

  7. Checking the client's nsswitch.conf file

  8. Setting the client's Diffie-Hellman key

  9. Cleaning out leftover NIS+ material and processes

  10. Initializing the client

  11. Removing the /etc/.rootkey file and restarting the keyserv daemon

  12. Running keylogin

  13. Rebooting the client

Security Considerations When Configuring the NIS+ Client

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for the credentials to be created by an administrator with valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.

After an administrator creates the client's credentials, the client can complete the configuration process. However, the client still needs read access to the directory object of its home domain. If you configured the client's home domain according to the instructions in either Chapter 5, Setting Up the NIS+ Root Domain or Chapter 8, Configuring an NIS+ Non-Root Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).

You can check the directory object's access rights by using the niscat-o command. This command displays the properties of the directory, including its access rights:

rootmaster# niscat -o
ObjectName : Doc
Owner :
Group :
Domain : Com.
Access Rights : r---rmcdr---r---

You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Chapter 15, Administering NIS+ Access Rights.

ProcedureHow to Configure an NIS+ Client

In this procedure you create credentials for the client, configure the client machine, and initialize it as an NIS+ client.

Note –

The NIS+ service is managed by the Service Management Facility (SMF). Administrative actions on this service, such as enabling, disabling, or restarting, can be performed by using the svcadm command. See NIS+ and the Service Management Facility for more information about using SMF with NIS+. For an overview of SMF, refer to Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration. Also refer to the svcadm(1M) and svcs(1) man pages for more details.

Before You Begin

Information you need to configure the client:

The administrator setting up the client's credentials must have:

The client must have:

  1. Log in to the domain's master server.

    You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.

  2. Create DES credentials for the new client machine.

    Use the nisaddcred command with the -p and -P arguments. Here is the syntax:

    nisaddcred -p secure-RPC-netname principal-name des [domain]

    The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.

    This example adds a DES credential for a client machine named client1 in the domain:

    rootmaster% nisaddcred -p -P des
    Adding key pair for (
    Enter's root login passwd:
    Retype password:

    For more information about the nisaddcred command, see Chapter 12, Administering NIS+ Credentials.

  3. Determine the Diffie-Hellman key length used on the master server.

    For example:

    rootmaster% nisauthconf dh640-0 des
  4. Log in as superuser to the client.

    Now that the client machine has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

  5. Assign the client its new domain name.

    See Changing an NIS+ Machine's Domain Name for information on how to assign (or change) a client's domain name, then return to Step 6.

  6. Check the client's nsswitch.conf file.

    Make sure the client is using an NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. See Example 1–1 for a description of an NIS+ switch file.

  7. If you made any changes to the nsswitch.conf file (or copied over a new file), you must now restart nscd.

    client1# svcadm restart /system/name-service-cache

    (You do not need to stop and restart the keyserver at this point, as you will do so in Step 12.)

  8. Set the Diffie-Hellman key length on the client, using the information from step 3.

    For example:

    client# nisauthconf dh640-0 des
  9. Stop the NIS+ service.

    client1# svcadm disable network/rpc/nisplus:default
    client1# svcs \*nisplus\*
    disabled   Jan_12   svc:/network/rpc/nisplus:default
  10. Clean out leftover NIS+ material and processes.

    If the machine you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis. In this example, a cold-start file and a directory cache file still exist in /var/nis.

    client1# ls /var/nis
    client1# rm -rf /var/nis/*

    This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this configuration process. If you have stored any admin scripts in /var/nis, you might want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

  11. Initialize the client.

    You can initialize a client in three different ways: by host name, by cold-start file, or by broadcast. Choose and perform one of those methods. After initializing the client, proceed with Step 12.

  12. Delete the /etc/.rootkey file and restart the keyserv daemon.

    This step stores the client's secret key on the keyserver.

    client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
    client1# svcs \*keyserv\*
    online     Jan_12   svc:/network/rpc/keyserv:default
    client1# svcadm disable network/rpc/keyserv
    client1# rm -f /etc/.rootkey
    client1# svcadm enable network/rpc/keyserv