In this procedure you create credentials for the client, configure the client machine, and initialize it as an NIS+ client.
The NIS+ service is managed by the Service Management Facility (SMF). Administrative actions on this service, such as enabling, disabling, or restarting, can be performed by using the svcadm command. See NIS+ and the Service Management Facility for more information about using SMF with NIS+. For an overview of SMF, refer to Chapter 18, Managing Services (Overview), in System Administration Guide: Basic Administration. Also refer to the svcadm(1M) and svcs(1) man pages for more details.
Information you need to configure the client:
The name of the client's home domain
The superuser password of the machine that will become the client
The IP address of an NIS+ server in the client's home domain
The administrator setting up the client's credentials must have:
A valid DES credential
Modify rights to the cred table in the client's home domain
The client must have:
Read rights to the directory object of its home domain.
The client's home domain must already be configured and running NIS+.
An entry in either the master server's /etc/hosts or in its domain's hosts table.
Prior to the Solaris 10 7/07 release, an IPv6 client must have an entry in either the master server's /etc/inet/ipnodes file or in its domain's ipnodes table.
A unique machine name that does not duplicate any user ID.
A machine name that does not contain any dots. (For example, a machine named sales.alpha is not allowed; a machine named sales-alpha is allowed.)
Log in to the domain's master server.
You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.
Create DES credentials for the new client machine.
nisaddcred -p secure-RPC-netname -P principal-name des [domain]
The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.
This example adds a DES credential for a client machine named client1 in the doc.com. domain:
rootmaster% nisaddcred -p unix.client1@doc.com -P client1.doc.com. des
Adding key pair for unix.client1@doc.com (client1.doc.com.).
Enter client1.doc.com.'s root login passwd:
Retype password:
For more information about the nisaddcred command, see Chapter 12, Administering NIS+ Credentials.
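The following shell functions are an added example, not part of the original guide: they build the two nisaddcred arguments described above from a host name and domain, and reject machine names that contain a dot or match a login name. The function names and the passwd-file parameter are assumptions, and "user ID" is interpreted here as a login name in the passwd file.

```shell
#!/bin/sh
# Added example: build the nisaddcred arguments for a new client machine.
# Function names and the passwd-file parameter are illustrative assumptions.

# Strip one trailing dot, if present.
strip_dot() { printf '%s\n' "${1%.}"; }

# valid_machine_name HOST [PASSWD_FILE]
# Fails if HOST is empty, contains a dot, or equals a login name.
valid_machine_name() {
    host=$1 passwd=${2:-/etc/passwd}
    case $host in
        ''|*.*) return 1 ;;
    esac
    if [ -r "$passwd" ] && cut -d: -f1 "$passwd" | grep -qxF -- "$host"; then
        return 1
    fi
    return 0
}

# unix.HOST@DOMAIN, without a trailing dot
secure_rpc_netname() { printf 'unix.%s@%s\n' "$1" "$(strip_dot "$2")"; }

# HOST.DOMAIN. with a trailing dot
principal_name() { printf '%s.%s.\n' "$1" "$(strip_dot "$2")"; }

# cred_command HOST DOMAIN [PASSWD_FILE]
# Prints the command for review; it does not run nisaddcred.
cred_command() {
    valid_machine_name "$1" "${3:-/etc/passwd}" || {
        echo "invalid machine name: $1" >&2
        return 1
    }
    printf 'nisaddcred -p %s -P %s des\n' \
        "$(secure_rpc_netname "$1" "$2")" "$(principal_name "$1" "$2")"
}

# Constructed sample passwd file in which "sales" is already a login name.
sample=$(mktemp)
printf 'root:x:0:0::/:/sbin/sh\nsales:x:1001:10::/home/sales:/bin/sh\n' >"$sample"
cred_command client1 doc.com. "$sample"              # accepted
cred_command sales.alpha doc.com. "$sample" || true  # rejected: dot in name
cred_command sales-alpha doc.com. "$sample"          # accepted
cred_command sales doc.com. "$sample" || true        # rejected: login name
rm -f "$sample"
```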
Determine the Diffie-Hellman key length used on the master server.
rootmaster% nisauthconf
dh640-0 des
Log in as superuser to the client.
Now that the client machine has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.
Assign the client its new domain name.
Check the client's nsswitch.conf file.
Make sure the client is using an NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. See Example 1–1 for a description of an NIS+ switch file.
client1# svcadm restart /system/name-service-cache
(You do not need to stop and restart the keyserver at this point, as you will do so in Step 12.)
Set the Diffie-Hellman key length on the client, using the information from step 3.
client# nisauthconf dh640-0 des
Stop the NIS+ service.
client1# svcadm disable network/rpc/nisplus:default
client1# svcs \*nisplus\*
disabled Jan_12 svc:/network/rpc/nisplus:default
Clean out leftover NIS+ material and processes.
If the machine you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis. In this example, a cold-start file and a directory cache file still exist in /var/nis.
client1# ls /var/nis
NIS_COLD_START NIS_SHARED_CACHE
client1# rm -rf /var/nis/*
This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this configuration process. If you have stored any admin scripts in /var/nis, you might want to consider temporarily storing them elsewhere, until you finish setting up the root domain.
You can initialize a client in three different ways: by host name, by cold-start file, or by broadcast. Choose and perform one of those methods. After initializing the client, proceed with Step 12.
Delete the /etc/.rootkey file and restart the keyserv daemon.
client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
client1# svcs \*keyserv\*
online Jan_12 svc:/network/rpc/keyserv:default
client1# svcadm disable network/rpc/keyserv
client1# rm -f /etc/.rootkey
client1# svcadm enable network/rpc/keyserv