Solaris DHCP Administration Guide

Setting Up DHCP Clients as NIS+ Clients

You can use the NIS+ name service on Solaris systems that are DHCP clients, but to do so requires you to partially circumvent one of the security-enhancing features of NIS+ - the creation of DES credentials. When you set up a NIS+ client that is not using DHCP, you add unique DES credentials for the new NIS+ client system to the cred table on the NIS+ server. There are several ways to accomplish this, such as using the nisclient script or the nisaddcred command.

For DHCP clients, you cannot use these methods because they depend on a static host name to create and store the credentials. If you want to use NIS+ and DHCP, you must create identical credentials to be used for all the host names of DHCP clients. In this way, no matter what IP address (and associated host name) a DHCP client receives, it can use the same DES credentials.

Note –

Before you do this, remember that NIS+ was designed with security in mind, and this procedure weakens that security because it allows random DHCP clients to receive NIS+ credentials.

The following procedure shows you how to create identical credentials for all DHCP host names. This procedure is only valid if you know the host names that DHCP clients will use, such as when the host names are generated by the DHCP server.

How to Set Up Solaris DHCP Clients as NIS+ Clients

A DHCP client workstation that is to be a NIS+ client must use credentials copied from another NIS+ client workstation in the NIS+ domain. This procedure only produces credentials for the workstation, which apply only to the superuser logged in to the workstation. Other users logged in to the DHCP client workstation must have their own unique credentials in the NIS+ server, created according to the procedure in the Solaris Naming Administration Guide.

  1. Type the following command on the NIS+ server to write the cred table entry for the NIS+ client to a temporary file.

    # nisgrep nisplus-client-name cred.org_dir > /tmp/file
  2. View the contents of the temporary file so you can copy the credentials and use them to create credentials for DHCP clients.

    You must copy the public key and private key, which are long strings of numbers and letters separated by colons.

  3. Type the following commands to add credentials for a DHCP client. Copy the public and private key information from the temporary file.

    # nistbladm -a cname=" dhcp-client-name@nisplus-domain" auth_type=DES \
    auth_name="unix.dhcp-client-name@nisplus-domain" \
    public_data=copied-public-data \ 
  4. Type the following commands on each DHCP client system to remote copy NIS+ client files to the DHCP client system.

    # rcp nisplus-client-name:/var/nis/NIS_COLD_START /var/nis
    # rcp nisplus-client-name:/etc/.rootkey /etc
    # rcp nisplus-client-name:/etc/defaultdomain /etc

    If you get a “permission denied” message, the systems may not be set up to allow remote copying. You can copy the files as a regular user to an intermediate location and then copy them to the proper location as root on the DHCP client systems.

  5. Type the following command on the DHCP client system to use the correct name service switch file for NIS+:

    # cp /etc/nisswitch.nisplus /etc/nisswitch.conf
  6. Reboot the DHCP client system.

    The DHCP client system should now be able to use NIS+ services.

Example – Setting up a Solaris DHCP Client as an NIS+ Client

The following example assumes that you have one workstation, nisei, which is a NIS+ client in the NIS+ domain, and one DHCP client, dhow, that you want to be a NIS+ client.

(first log in as root on the NIS+ server)
# nisgrep nisei cred.org_dir > /tmp/nisei-cred
# cat /tmp/nisei-cred
# nistbladm -a cname="" \
auth_type=DES auth_name="" \
public_data=46199279911a84045b8e0c76822179138173a20edbd8eab4 \
# rlogin dhow
(log in as root on dhow)
# rcp nisei:/var/nis/NIS_COLD_START /var/nis
# rcp nisei:/etc/.rootkey /etc
# rcp nisei:/etc/defaultdomain /etc
# cp /etc/nisswitch.nisplus /etc/nisswitch.conf
# reboot

The DHCP client system dhow should now be able to use NIS+ services.

Adding Credentials With a Script

If you want to set up a large number of DHCP clients as NIS+ clients, you can write a script to quickly add the entries to the cred table. The following sample shows how this might be done.

Example 4–2 Sample Script for Adding Credentials for DHCP Clients

#! /usr/bin/ksh  
# Copyright (c) by Sun Microsystems, Inc. All rights reserved. 
# Sample script for cloning a credential. Hosts file is already populated  
# with entries of the form dhcp-[0-9][0-9][0-9]. The entry we're cloning 
# is dhcp-001. 
i in 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019
     print - ${HOST}${i}         
     #nistbladm -r [cname="${HOST}${i}.${DOMAIN}."]cred.org_dir         
     nistbladm -a cname="${HOST}${i}.${DOMAIN}." \
	    					auth_type=DES auth_name="unix.${HOST}${i}@${DOMAIN}" \
							public_data=${PUBLIC_DATA} private_data=${PRIVATE_DTA} cred.org_Dir
exit 0