test

Solaris Naming Setup and Configuration Guide

How to Configure an NIS+ Client

  1. Log into the domain's master server.

    You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.

  2. Create DES credentials for the new client workstation.

    Use the nisaddcred command with the -p and -P arguments. Here is the syntax: 


    nisaddcred -p secure-RPC-netname  principal-name des [domain]

    The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.

    This example adds a DES credential for a client workstation named client1 in the doc.com. domain:


    rootmaster% nisaddcred -p unix.client1@doc.com -P client1.doc.com. des 
Adding key pair for unix.client1@doc.com (client1.doc.com.).
Enter client1.doc.com.'s root login passwd:
Retype password:

    For more information about the nisaddcred command, see the credentials chapter of the Solaris Naming Administration Guide.

  3. Ascertain the Diffie-Hellman key length used on the master server.

    For example:


    rootmaster% nisauthconf dh640-0 des

  4. Log in as superuser to the client.

    Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

  5. Assign the client its new domain name.

    See "Changing a Workstation's Domain Name" for information on how to assign (or change) a client's domain name, then return to Step 6.

  6. Check the client's nsswitch.conf file.

    Make sure the client is using a NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. See "Default NIS+ Version of Switch File" for a description of a NIS+ switch file.

  7. If you made any changes to the nsswitch.conf file (or copied over a new file), you must now stop and restart nscd, as shown below. 


    client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
client1# sh /etc/init.d/nscd stop
client1# sh /etc/init.d/nscd start

    (Although the instructions in Chapter 1, Setting Up the Name Service Switch tell you to kill and restart the keyserver at this point, you do not need to do that here, since you will do so in Step 11.)

  8. Set the Diffie-Hellman key length on the client, using the information from step 3.

    For example:


    client# nisauthconf dh640-0 des

  9. Clean out leftover NIS+ material and processes.

    If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis. 


    client1# ls /var/nis
NIS_COLD_START NIS_SHARED_CACHE
client1# rm -rf /var/nis/*
client1# ps -ef | grep nis_cachemgr
 root 295 260 10 15:26:58 pts/0 0:00 grep nis_cachemgr
 root 286 1 57 15:21:55 ? 0:01 /usr/sbin/nis_cachemgr
client1# kill -9 286

    This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this configuration process. If you have stored any admin scripts in /var/nis, you might want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

  10. Initialize the client.

    You can initialize a client in three different ways: by host name, by cold-start file, or by broadcast. Choose and perform one of those methods. After initializing the client, proceed with Step 11.

  11. Kill and restart the keyserv daemon.

    This step stores the client's secret key on the keyserver.

    1. Kill the keyserv daemon.

      This also has the side effect of updating the key server's switch information about the client.

    2. Remove the /etc/.rootkey file.

    3. Restart the keyserver.

      This example shows the complete procedure in Step 11.


      client1# ps -e | grep keyserv
 root 145 1 67 16:34:44 ? keyserv
client1# kill 145
client1# rm -f /etc/.rootkey
client1# keyserv

    4. Run keylogin-r.

      This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the superuser on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's superuser password. It must be the same as the password supplied to create the client's DES credentials: 


      client1# keylogin -r 
Password:
Wrote secret key into /etc/.rootkey

    5. Reboot the client.