System Administration Guide: Naming and Directory Services (NIS+)

Security Considerations When Setting Up an NIS+ Non-Root Domain

Note – The NIS+ security system is complex. If you are not familiar with NIS+ security, you might want to review Chapter 17, Administering NIS+ Groups, before starting to configure your NIS+ environment.

At most sites, to preserve the security of the parent domain, only the parent domain's master server or an administrator who belongs to the parent domain's admin group is allowed to create a domain beneath it. Although this is a policy decision and not a requirement of NIS+, the instructions in this chapter assume that you are following that policy. Of course, the parent domain's admin group must have create rights to the parent directory object. To verify this, use the niscat -o command.

rootmaster# niscat -o
Object Name : Doc
Owner : rootmaster
Group :
Domain : Com.
Access Rights : r---rmcdrmcdr---
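
The check described above can be scripted. The following is an added example, not part of the original guide: it reads niscat -o output and confirms that the group class of the parent directory object holds the create right. The function names are hypothetical, the sample input is constructed from the output shown above, and the extra test that the nobody and world classes stay read-only is an assumed site policy.

```shell
#!/bin/sh
# NIS+ prints access rights as 16 characters: four classes in the order
# nobody, owner, group, world, each with positions r(ead) m(odify) c(reate) d(estroy).

# rights_for CLASS RIGHTS: print the 4-character field for CLASS.
rights_for() {
    case "$1" in
        nobody) off=1 ;;
        owner)  off=5 ;;
        group)  off=9 ;;
        world)  off=13 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$2" | cut -c "${off}-$((off + 3))"
}

# access_rights: read `niscat -o` output on stdin, print the first well-formed rights string.
access_rights() {
    sed -n 's/^Access Rights[[:space:]]*:[[:space:]]*\([rmcd-]\{16\}\)[[:space:]]*$/\1/p' | head -n 1
}

# check_parent_dir: stdin is `niscat -o` output for the parent directory object.
# Returns 0 when the group class holds create; 1 on a finding; 2 on unparsable input.
check_parent_dir() {
    rights=$(access_rights)
    [ -n "$rights" ] || { echo "no valid Access Rights line" >&2; return 2; }
    status=0
    case "$(rights_for group "$rights")" in
        *c*) ;;
        *) echo "group class lacks create right" >&2; status=1 ;;
    esac
    # Assumed extra policy (not stated on the page): nobody and world stay read-only.
    for class in nobody world; do
        case "$(rights_for "$class" "$rights")" in
            *[mcd]*) echo "$class class has modify/create/destroy" >&2; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample, copied from the output shown above.
SAMPLE='Object Name : Doc
Owner : rootmaster
Group :
Domain : Com.
Access Rights : r---rmcdrmcdr---'

# Live use on an NIS+ host: niscat -o <parent-directory> | check_parent_dir
printf '%s\n' "$SAMPLE" | check_parent_dir && echo "parent directory rights OK"
```

A return status of 1 means either the admin group cannot create the subdomain directory or an unauthenticated class can alter the parent directory; the message on standard error says which.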

If you are more concerned about convenience than security, you can make the new domain's master server a member of its parent domain's admin group, then perform the entire procedure from the server. Use the nisgrpadm command, described in Chapter 17, Administering NIS+ Groups.