Solaris Naming Administration Guide

Part III Administering NIS+

This part of the manual describes how to administer an NIS+ namespace.

Chapter 7 Administering NIS+ Credentials

This chapter describes NIS+ credentials and how to administer them.

Note -

Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

NIS+ Credentials

NIS+ credentials are used to identify NIS+ users. This chapter assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that credentials play in that system (see, for this information.)

For a complete description of NIS+ credential-related commands and their syntax and options, see the NIS+ man pages.

How Credentials Work

Note -

Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools, if you have them available.

The credential/authentication system prevents someone from assuming some other user's identity. That is, it prevents someone with root privileges on one machine from using the su command to assume the identity of a second user who is either not logged in at all or logged in on another machine and then accessing NIS+ objects with the second user's NIS+ access privileges.

Caution - Caution -

NIS+ cannot prevent someone who knows another user's login password from assuming that other user's identity and the other user's NIS+ access privileges. Nor can NIS+ prevent a user with root privileges from assuming the identity of another user who is currently logged in on the same machine.

See Chapter 6, Security Overview, for a description of how NIS+ credentials and authentication work with authorization and access rights to provide security for the NIS+ namespace.

Credential versus Credential Information

To understand how DES credentials are created and how they work, you need to distinguish between the credential itself and the information that is used to create and verify it.

Authentication Components

In order for the credential/authentication process to work the following components must be in place:

How Principals are Authenticated

There are three phases to the authorization process:

These three phases are described in detail in the following subsections.

Credentials Preparation Phase

The easiest way for an NIS+ administrator to create credential information for users is to use the nisclient script as described in Solaris Naming Setup and Configuration Guide. This section describes how to create client information using the NIS+ command set.

Prior to an NIS+ principal logging in, an NIS+ administrator must create DES credential information for that principal (user or machine). The administrator must:

Login Phase--Detailed Description

When a principal logs into the system the following steps are automatically performed:

  1. The keylogin program is run for the principal. The keylogin program gets the principal's encrypted private key from the cred table and decrypts it using the principal's login password.

Note -

When a principal's login password is different from his or her Secure RPC password, keylogin cannot decrypt it and the user starts getting "cannot decrypt" errors or the command fails without a message. For a discussion of this problem, see "Secure RPC Password versus Login Password Problem".

  1. The principal's decrypted private key is passed to the keyserver which stores it for use during the request phase.

Note -

The decrypted private key remains stored for use by the keyserver until the user does an explicit keylogout. If the user simply logs out (or goes home for the day without logging out), the decrypted private key remains stored in the server. If someone with root privileges on a user's machine switched to the user's login ID, that person would then have use of the user's decrypted private key and could access NIS+ objects using the user's access authorization. Thus, for added security, users should be cautioned to perform an explicit keylogout when they cease work. If they also log out of the system, all they need do is log back in when they return. If they do not explicitly log out, they will have to perform an explicit keylogin when they return to work.

Request Phase--Detailed Description

Every time an NIS+ principal requests access to an NIS+ object, the NIS+ software performs a multistage process to authenticate that principal:

  1. NIS+ checks the cred table of the object's domain. If:

    • The principal has LOCAL credential information, NIS+ uses the domain information contained in the LOCAL credential to find the principal's home domain cred table where it obtains the information it needs.

    • The principal has no credential information, the rest of the process is aborted and the principal is given the authorization access class of nobody.

  2. NIS+ gets the user's DES credential from the cred table of the user's home domain. The encrypted private key is decrypted with the user's password and saved by the keyserver.

  3. NIS+ obtains the server's public key from the NIS+ directory object.

  4. The keyserver takes the principal's decrypted private key and the public key of the object's server (the server where the object is stored) and uses them to create a common key.

  5. The common key is then used to generate an encrypted DES key. To do this, Secure RPC generates a random number which is then encrypted using the common key. For this reason, the DES key is sometimes referred to as the random key or the random DES key.

  6. NIS+ then takes the current time of the principal's server and creates a time stamp that is encrypted using the DES key.

  7. NIS+ then creates a 15-second window, which is encrypted with the DES key. This window is the maximum amount of time that is permitted between the time stamp and the server's internal clock.

  8. NIS+ then forms the principal's DES credential, which is composed of the following:

    • The principal's Secure RPC netname (unix.identifier@domain) from the principal's cred table.

    • The principal's encrypted DES key from the keyserver

    • The encrypted time stamp

    • The encrypted window

  9. NIS+ then passes the following information to the server where the NIS+ object is stored:

    • The access request (whatever it might be)

    • The principal's DES credential

    • Window verifier (encrypted), which is the encrypted window plus one

  10. The object's server receives this information.

  11. The object's server uses the Secure RPC netname portion of the credential to look up the principal's public key in the cred table of the principal's home domain.

  12. The server then uses the principal's public key and the server's private key to regenerate the common key. This common key must match the common key that was generated by the principal's private key and the server's public key.

  13. The common key is used to decrypt the DES key that arrived as part of the principal's credential.

  14. The server decrypts the principal's time stamp with the newly decrypted DES key and verifies it with the window verifier.

  15. The server then compares the decrypted and verified time stamp with the server's current time and proceeds as follows:

    1. If the time difference at the server exceeds the window limit, the request is denied and the process aborts with an error message. For example, suppose the time stamp is 9:00am and the window is one minute. If the request is received and decrypted by the server after 9:01am, it is denied.

    2. If the time stamp is within the window limit, the server checks to see if the time stamp is greater than the one previously received from the principal. This ensures that NIS+ requests are handled in the correct order.

      • Requests received out of order are rejected with an error message. For example, if the time stamp is 9:00am and the most recently received request from this principal had a time stamp of 9:02am, the request would be rejected.

      • Requests that have a time stamp equal to the previous one are rejected with an error message. This ensures that a replayed request is not acted on twice. For example, if the time stamp is 9:00am and the most recently received request from this principal also had a time stamp of 9:00am, this request would be rejected.

  16. If the time stamp is within the window limit, and greater than the previous request from that principal, the server accepts the request.

  17. The server then complies with the request and stores the time stamp from this principal as the most recently received and acted on request.

  18. To confirm to the principal that the information received from the server in answer to the request comes from a trusted server, the server encrypts the time stamp with the principal's DES key and sends it back to the principal along with the data.

  19. At the principal's end, the returned time stamp is decrypted with the principal's DES key.

    • If the decryption succeeds, the information from the server is returned to the requester.

    • If the decryption fails for some reason, an error message is displayed.

The DES Credential in Detail

The DES credential consists of:

DES Credential Secure RPC Netname

Note -

Remember that an NIS+ principal name always has a trailing dot, and a Secure RPC netname never has a trailing dot.

Table 7-1 Secure RPC Netname Format









Domain containing user's password entry and the DES credential itself 




The domain name returned by executing the domainname command on that workstation 

DES Credential Verification Field

The verification field is used to make sure the credential is not forged. It is generated from the credential information stored in the cred table.

The verification field is composed of:

How the DES Credential Is Generated

See Figure 7-2.

To generate its DES credential, the principal depends on the keylogin command, which must have been executed before the principal tries to generate its credential. The keylogin command (often referred to simply as a keylogin) is executed automatically when an NIS+ principal logs in.

Note -

Note that if the principal's login password is different from the principal's Secure RPC password, a successful keylogin cannot be performed. See "Secure RPC Password versus Login Password Problem" for a discussion of this situation.

The purpose of the keylogin is to give the principal access to the principal's private key. keylogin fetches the principal's private key from the cred table, decrypts it with the principal's Secure RPC password (remember that the private key was originally encrypted with the principal's Secure RPC password), and stores it locally with the keyserver for future NIS+ requests.

Figure 7-1 keylogin Generates a Principal's Private Key


To generate its DES credential, the principal still needs the public key of the server to which it will send the request. This information is stored in the principal's directory object. Once the principal has this information, it can form the verification field of the credential.

First, the principal generates a random DES key for encrypting various credential information. The principal uses its own private key (stored in the keyserver) and the server's public key to generate a common key that is used to generate and encrypt the random DES key. It then generates a time stamp that is encrypted with the DES key and combines it with other credential-related information into the verification field:

Figure 7-2 Creating the DES Credential


Secure RPC Password versus Login Password Problem

When a principal's login password is different from his or her Secure RPC password, keylogin cannot decrypt it at login time because keylogin defaults to using the principal's login password, and the private key was encrypted using the principal's Secure RPC password.

When this occurs, the principal can log in to the system, but for NIS+ purposes the principal is placed in the authorization class of nobody because the keyserver does not have a decrypted private key for that user. Since most NIS+ environments are set up to deny the nobody class create, destroy, and modify rights to most NIS+ objects, this results in "permission denied" errors when the user tries to access NIS+ objects.

Note -

In this context, network password is sometimes used as a synonym for Secure RPC password. When prompted for your "network password," enter your Secure RPC password.

To be placed in one of the other authorization classes, a user in this situation must explicitly run the keylogin program and give the principal's Secure RPC password when keylogin prompts for a password. (See "Keylogin".)

But an explicit keylogin provides only a temporary solution that is good only for the current login session. The keyserver now has a decrypted private key for the user, but the private key in the user's cred table is still encrypted using the user's Secure RPC password, which is different than the user's login password. The next time the user logs in, the same problem recurs. To permanently solve the problem the user needs to re-encrypt the private key in the cred table to one based on the user's login ID rather than the user's Secure RPC password. To do this, the user needs to run chkey -p as described in "Changing Keys for an NIS+ Principal".

Thus, to permanently solve problems related to a difference in Secure RPC password and login password, the user (or an administrator acting for the user) must perform these steps:

  1. Login using the login password.

  2. Run the keylogin program to temporarily get a decrypted private key stored in the keyserver and thus gain temporary NIS+ access privileges.

  3. Run chkey -p to permanently change the encrypted private key in the cred table to one based on the user's login password.

  4. When you are ready to finish this login session, run keylogout.

  5. Log off the system with logout.

Cached Public Keys Problems

Occasionally, you may find that even though you have created the proper credentials and assigned the proper access rights, some principal requests still get denied. The most common cause of this problem is the existence of stale objects with old versions of a server's public key. You can usually correct this problem by:

Where Credential-Related Information Is Stored

This section describes where credential-related information is stored throughout the NIS+ namespace.

Credential-related information, such as public keys, is stored in many locations throughout the namespace. NIS+ updates this information periodically, depending on the time-to-live values of the objects that store it, but sometimes, between updates, it gets out of sync. As a result, you may find that operations that should work, do not. lists all the objects, tables, and files that store credential-related information and how to reset it.

Table 7-2 Where Credential-Related Information Is Stored



To Reset or Change 

cred table 

NIS+ principal's public key and private key. These are the master copies of these keys. 

Use nisaddcred to create new credentials; it updates existing credentials. An alternative is chkey.

directory object 

A copy of the public key of each server that supports it. 

Run the /usr/lib/nis/nisupdkeys command on the directory object.


The secret key of the NIS+ principal that is currently logged in. 

Run keylogin for a principal user or keylogin -rfor a principal workstation.

NIS+ daemon 

Copies of directory objects, which in turn contain copies of their servers' public keys. 

Kill the rpc.nisd daemon and the cache manager and remove NIS_SHARED_DIRCACHE from /var/nis. Then restart both.

Directory cache 

A copy of directory objects, which in turn contain copies of their servers' public keys. 

Kill the NIS+ cache manager and restart it with the nis_cachemgr -i command. The -i option resets the directory cache from the cold-start file and restarts the cache manager.

cold-start file 

A copy of a directory object, which in turn contains copies of its servers' public keys. 

On the root master, kill the NIS+ daemon and restart it. The daemon reloads new information into the existing NIS_COLD_START file. On a client workstation, first remove the NIS_COLD_START and NIS_SHARED_DIRCACHE files from /var/nis, and kill the cache manager. Then re-initialize the principal with nisinit -c. The principal's trusted server reloads new information into the workstation's NIS_COLD_START file.

passwd table

A user's password. 

Use the passwd -r nisplus command. It changes the password in the NIS+ passwd table and updates it in the cred table.

passwd file

A user's password or a workstation's superuser password. 

Use the passwd -r nisplus command, whether logged in as super user or as yourself, whichever is appropriate.


map (NIS) 

A user's password 

Use the passwd -r nisplus command.

The cred Table in Detail

Credential information for principals is stored in a cred table. The cred table is one of the 16 standard NIS+ tables. Each domain has one cred table, which stores the credential information of client workstations that belong to that domain and client users who are allowed to log into them. (In other words, the principals of that domain.) The cred tables are located in their domains' org_dir subdirectory.

Caution - Caution -

Never link a cred table. Each org_dir directory must have its own cred table. Never use a link to some other org_dir cred table.

For users, the cred table stores LOCAL credential information for all users who are allowed to log into any of the machines in the domain. The cred table also stores DES credential information for those users that have the domain as their home domain.

You can view the contents of a cred table with the niscat command, described in Chapter 13, Administering NIS+ Tables.

The cred table as shown in Table 7-3 has five columns:

Table 7-3 cred Table Credential Information

NIS+ Principal Name 

Authentication Type 

Authentication Name 

Public Data 

Private Data 

Column Name 







Fully qualified principal name  



GID list 



Fully qualified principal name 


Secure RPC netname 

Public key 

Encrypted Private key 

The Authentication Type column, determines the types of values found in the other four columns.

Creating Credential Information

There are several methods of creating and administering credential information:

The nisaddcred Command

The command used to create credential information is nisaddcred.

Note -

You can also use the nispopulate and nisclient scripts to create credential information. They, in turn, use the nisaddcred command. These scripts are much easier to use, and more efficient, than the nisaddcred command. Unless your network requires special features, you should use the scripts.

The nisaddcred command creates, updates, and removes LOCAL and DES credential information. To create credential information, you must have create rights to the proper domain's cred table. To update a credential, you must have modify rights to the cred table or, at least, to that particular entry in the cred table. To delete a credential, you must have destroy rights to the cred table or the entry in the cred table.

Related Commands

In addition to the nisaddcred command described in this chapter, two other commands can provide some useful information about credentials:

Table 7-4 Additional Credential-Related Commands




niscat -o

Lists a directory's properties. By looking in the public key field of the directory's server, you can tell whether the directory object is storing a public key. 

"Listing the Object Properties of a Directory"


When run on the cred table, displays credential information for principal.

"The nismatch and nisgrep Commands "

How nisaddcred Creates Credential Information

LOCAL Credential Information

When used to create LOCAL credential information, nisaddcred simply extracts the principal user's UID (and GID) from the principal's login record and places it in the domain's cred table.

DES Credential Information

When used to create DES credential information, nisaddcred goes through a two-part process:

  1. Forming the principal's Secure RPC netname. A Secure RPC netname is formed by taking the principal's user ID number from the password record and combining it with the domain name (, for example).

  2. Generating the principal's private and public keys.

To encrypt the private key, nisaddcred needs the principal's Secure RPC password. When the nisaddcred command is invoked with the -des argument, it prompts the principal for a Secure RPC password. Normally, this password is the same as the principal's login password. (If it is different, the user will have to perform additional steps when logging in, as described in "Secure RPC Password versus Login Password Problem".)

The nisaddcred command generates a pair of random, but mathematically related 192-bit authentication keys using the Diffie-Hellman cryptography scheme. These keys are called the Diffie-Hellman key-pair, or simply key-pair for short.

One of these is the private key, and the other is the public key. The public key is placed in the public data field of the cred table. The private key is placed in the private data field, but only after being encrypted with the principal's Secure RPC password:

Figure 7-3 How nisaddcred Creates a Principal's Keys


The principal's private key is encrypted as a security precaution because the cred table, by default, is readable by all NIS+ principals, even unauthenticated ones.

The Secure RPC Netname and NIS+ Principal Name

When creating credential information, you will often have to enter a principal's rpc-netname and principal-name. Each has its own syntax:

Whether it identifies a client user or a client workstation, it begins with the principal's name, followed by a dot and the complete domain name, ending in a dot. (When used with nisaddcred to create credential information, it is always preceded by the -P (uppercase) flag. When used to remove credential information, it does not use the -P flag.)

Creating Credential Information for the Administrator

When a namespace is first set up, credential information is created first for the administrators who will support the domain. Once they have credential information, they can create credential information for other administrators, client workstations, and client users.

When you try to create your own credential information, you run into a problem of circularity: you cannot create your own credential information unless you have Create rights to your domain's cred table, but if the NIS+ environment is properly set up, you cannot have such rights until you have credentials. You have to step out of the loop somehow. You can do this in one of two ways:

In either case, your credential information is thus created by another NIS+ principal. To create your own credential information, follow the instructions in "Creating Credential Information for NIS+ Principals".

Creating Credential Information for NIS+ Principals

Credential information for NIS+ principals can be created any time after their domain has been set up; in other words, once a cred table exists.

To create credential information for an NIS+ principal:

Once those conditions are met, you can use the nisaddcred command with both the -p and -P options:

For LOCAL credentials

nisaddcred -p uid -P principal-name local

For DES credentials

nisaddcred -p rpc.netname -P principal-name des

Remember these principles:

For User Principals--Example

This example creates both LOCAL and DES credential information for an NIS+ user named morena who has a UID of 11177. She belongs to the domain, so this example enters her credential information from a principal machine of that domain:

client# nisaddcred -p 11177 -P local 
client# nisaddcred -p \
   -P des
Adding key pair for 
Enter login password:

The proper response to the Enter login password: prompt is morena's login password. (If you don't know her login password, you can use a dummy password that she can later change using chkey, as described in the next example.)

Using a Dummy Password and chkey--Example

If you don't know the user's login password, you can use a dummy password as described below.

Table 7-5shows how another administrator, whose credential information you create using a dummy password, can then use chkey to change his or her own password. In this example, you create credential information for an administrator named Eiji who has a UID of 119. Eiji, whose login ID is eiji, belongs to the root domain, so you would enter his credential information from the root master server which is named rootmaster.

Table 7-5 Creating Administrator Credentials: Command Summary



Create LOCAL credential information for Eiji. 

rootmaster# nisaddcred -p 119 -P local

Create DES credential information for Eiji. 

rootmaster# nisaddcred -p -P des
Adding key pair for (

Type dummy password for Eiji. 

Enter eiji's login password: 
nisaddcred: WARNING: password differs from login passwd

Re-enter dummy password. 

Retype password:

You tell Eiji the dummy password that you used. 

Eiji logs into rootmaster. 

rootmaster% login: eiji

Eiji enters real login password. 


Eiji gets error message but is allowed to log in anyway. 

Password does not decrypt secret key for

Eiji runs keylogin. 

rootmaster% keylogin

Eiji types dummy passwor 

Password: dummy-password

Eiji runs chkey

chkey -p 
Updating nisplus publickey database
Generating new key for''.

Eiji types real login password. 

Enter login password:

Eiji re-types real login password. 

Retype password:

First, you would create Eiji's credential information in the usual way, but using a dummy login password. NIS+ would warn you and ask you to re-type it. When you did, the operation would be complete. The domain's cred table would contain Eiji's credential information based on the dummy password. The domain's passwd table (or /etc/passwd file), however, would still have his login password entry so that he can log on to the system.

Then, Eiji would log in to the domain's master server, typing his correct login password (since the login procedure checks the password entry in the passwd table or /etc/passwd file). From there, Eiji would first run keylogin, using the dummy password (since a keylogin checks the cred table), and then use the chkey -p command to change the cred entry to the real thing.

Creating in Another Domain--Example

The two previous examples created credential information for a principal user while the principal user was logged in to the master server of the principal's home domain. However, if you have the proper access rights, you can create credential information in another domain. Simply append the domain name to this syntax:

For LOCAL credentials

nisaddcred -p uid -P principal-name local domain-name

For DES credentials

nisaddcred -p rpc-netname -P principal-name des domain-name 

The following example first creates LOCAL and DES credential information for an administrator named Chou in her home domain, which happens to be the root domain, then adds her LOCAL credential information to the domain. Chou's UID is 11155. This command is typed on from the root master server. For simplicity, it assumes you are entering Chou's correct login password.

rmaster# nisaddcred -p 11155 -P local
rmaster# nisaddcred -p -P des
Adding key pair for (
Enter login password: 
rootmaster# nisaddcred -p 11155 -P local

LOCAL credential information maps a UID to an NIS+ principal name. Although an NIS+ principal that is a client user can have different user IDs in different domains, it can have only one NIS+ principal name. So, if an NIS+ principal such as chou will be logging in from a domain other than her home domain, not only should she have a password entry in that domain, but also a LOCAL credential in that domain's cred table.

For Workstations--Example

This example creates credential information for a principal workstation. Its host name is starshine1 and it belongs to the root domain. Therefore, its credential information is created from the root master server. In this example, you create them while logged in as root to the root master; however, if you already have valid credential information and the proper access rights, you could create them while logged in as yourself.

rootmaster# nisaddcred -p -P des
Adding key pair for
Enter's root login password:
Retype password:

The proper response to the password prompt is the principal workstation's superuser password. Of course, you could use a dummy password that would later be changed by someone logged in as superuser to that principal workstation.

Administering NIS+ Credential Information

The following sections describe how to use the nisaddcred command to administer existing credential information. You must have create, modify, read, and destroy rights to the cred table to perform these operations.

Updating Your Own Credential Information

Updating your own credential information is considerably easier than creating it. Just type the simple versions of the nisaddcred command while logged in as yourself:

# nisaddcred des
# nisaddcred local

To update credential information for someone else, you simply perform the same procedure that you would use to create that person's credential information.

Removing Credential Information

The nisaddcred command removes a principal's credential information, but only from the local domain where the command is run.

Thus, to completely remove a principal from the entire system, you must explicitly remove that principal's credential information from the principal's home domain and all domains where the principal has LOCAL credential information.

To remove credential information, you must have modify rights to the local domain's cred table. Use the -r option and specify the principal with a full NIS+ principal name:

# nisaddcred -r principal-name

The following two examples remove the LOCAL and DES credential information of the administrator The first example removes both types of credential information from her home domain (, the second removes her LOCAL credential information from the domain. Note how they are each entered from the appropriate domain's master servers.

rootmaster# nisaddcred -r
salesmaster# nisaddcred -r

To verify that the credential information was indeed removed, run nismatch on the cred table, as shown below. For more information about nismatch, see Chapter 13, Administering NIS+ Tables.

rootmaster# nismatch cred.org_dir
salesmaster# nismatch cred.org_dir

Chapter 8 Administering NIS+ Keys

This chapter describes NIS+ keys and how to administer them.

Note -

Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

NIS+ Keys

NIS+ keys are used to encrypt NIS+ related information.

This chapter assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that keys play in that system (see Chapter 6, Security Overview, for this information).

For a complete description of NIS+ key-related commands and their syntax and options, see the NIS+ man pages. (The nisaddcred command also performs some key-related operations. See "The nisaddcred Command" for more information.)


When a principal logs in, the login process prompts for a password. That password is used to pass the user through the login security gate and give the user access to the network. The login process also decrypts the user's private key stored in the user's home domain cred table and passes that private key to the keyserver. The keyserver then uses that decrypted private key to authenticate the user each time the user accesses an NIS+ object.

Normally, this is the only time the principal is asked to provide a password. However, if the principal's private key in the cred table was encrypted with a password that was different from the user's login password, login cannot decrypt it using the login password at login time, and thus cannot provide a decrypted private key to the keyserver. (This most often occurs when a user's private key in the cred table was encrypted with a Secure RPC password different from the user's login password.)

Note -

In this context, network password is sometimes used as a synonym for Secure RPC password.

To temporarily remedy this problem, the principal must perform a keylogin, using the keylogin command, after every login. (The -r flag is used to keylogin the superuser principal and to store the superuser's key in /etc/.rootkey on a host.)

For a principal user


For a principal machine (only once)

keylogin -r

Note, however, that performing an explicit keylogin with the original password provides only a temporary solution good for the current login session only. The private key in the cred table is still encrypted with a password different than the user's login password so the next time the user logs in the problem will reoccur. To permanently solve this problem, the user must run chkey to change the password used to encrypt the private key to the user's login password (see "Changing Keys for an NIS+ Principal").

Changing Keys for an NIS+ Principal

The chkey command changes an NIS+ principal's public and private keys that are stored in the cred table. It does not affect the principal's entry either in the passwd table or in the /etc/passwd file.

The chkey command:

See the man pages for more information on these subjects.

Note -

In an NIS+ environment, when you change your login password with any of the current administration tools or the passwd (or nispasswd) commands, your private key in the cred table is automatically re-encrypted with the new password for you. Thus, you do not need to explicitly run chkey after a change of login password.

The chkey command interacts with the keyserver, the cred table, and the passwd table. In order to run chkey, you:

To use the chkey command to re-encrypt your private key with your login password, you first run keylogin using the original password, and then use chkey -p as shown in Table 8-1which illustrates how to perform a keylogin and chkey for a principal user:

Table 8-1 Re-encrypting Your Private Key : Command Summary



Log in. 

Sirius% login Login-name

Provide login password. 


If login password and Secure RPC password are different, perform a keylogin.

Sirius% keylogin

Provide the original password that was used to encrypt the private key. 

Password: Secure RPC password

Run chkey.

Sirius% chkey -p
Updating nisplus publickey database
Updating new key for ''.

Enter login password. 

Enter login password: login-password

Re-enter login. password 

Retype password:

Changing the Keys

The following sections describe how to change the keys of an NIS+ principal.

Note -

Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information "

Changing Root Keys From Root

Table 8-2shows how to change the keys for the root master server from the root master (as root):

Table 8-2 Changing a Root Master's Keys: Command Summary



Create new DES credentials 

nisaddcred des

Find the Process ID of rpc.nisd

rootmaster# ps -e | grep rpc.nisd

Kill the NIS+ daemon 

rootmaster# kill pid

Restart NIS+ daemon with no security 

rootmaster# rpc.nisd -S0

Perform a keylogout (previous keylogin is now out of date). 

rootmaster# keylogout -f

Update the keys in the directories served by the master 

rootmaster# nisupdkeys dirs

Find the Process ID of rpc.nisd

rootmaster# ps -e | grep rpc.nisd

Kill the NIS+ daemon 

rootmaster# kill pid

Restart NIS+ daemon with default security 

rootmaster# rpc.nisd

Perform a keylogin 

rootmaster# keylogin


In the first step of the process outlined in Table 8-2, nisaddcred updates the cred table for the root master, updates /etc/.rootkey and performs a keylogin for the root master. At this point the directory objects served by the master have not been updated and their credential information is now out of synch with the root master. The subsequent steps described in Table 8-2 are necessary to successfully update all the objects.

Note -

Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information "

Changing Root Keys From Another Machine

To change the keys for the root master server from some other machine you must have the required NIS+ credentials and authorization to do so.

Table 8-3 Remotely Changing Root Master Keys: Command Summary



Create the new DES credentials 

nisaddcred -p principal -P nisprincipal des

Update the directory objects. 

othermachine%nisupdkeys dirs

Update /etc.roootkey.

othermachine% keylogin -r

Reinitialize othermachine as client 

othermachine% nisinit -cH


When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Note -

Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information "

Changing the Keys of a Root Replica from the Replica

To change the keys of a root replica from the replica, use these commands:

replica# nisaddcred des
replica# nisupdkeys dirs


When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Note -

Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information "

Changing the Keys of a Nonroot Server

To change the keys of a nonroot server (master or replica) from the server, use these commands:

subreplica# nisaddcred des
subreplica# nisupdkeys parentdir dirs


When running nisupdkeys be sure to update all relevant directory objects at the same time. In other words, do them all with one command. Separate updates may result in an authentication error.

Note -

Whenever you change a server's keys, you must also update the key information of all the clients in that domain as explained in "Updating Client Key Information "

Updating Public Keys

The public keys of NIS+ servers are stored in several locations throughout the namespace. When new credential information is created for the server, a new key pair is generated and stored in the cred table. However, namespace directory objects still have copies of the server's old public key. The nisupdkeys command is used to update those directory object copies.

The nisupdkeys Command

If a new keypair is generated because the old key pair has been compromised or the password used to encrypt the private key is forgotten, the nisupdkeys can be used to update the old public key in the directory objects.

The nisupdkeys command can:

However, nisupdkeys cannot update the NIS_COLD_START files on the principal workstations. To update their copies of a server's keys, NIS+ clients should run the nisclient command. Or, if the NIS+ cache manager is running and more than one server is available in the coldstart file, the principals can wait until the time-to-live expires on the directory object. When that happens, the cache manager automatically updates the cold-start file. The default time-to-live is 12 hours.

To use the nisupdkeys command, you must have modify rights to the NIS+ directory object.

Updating Public Keys Arguments and Examples

The nisupdkeys command is located in /usr/lib/nis. The nisupdkeys command uses the following arguments (for a complete description of the nisupdkeys command and a full list of all its arguments, see the nisupdkeys man page):

Table 8-4 nisupdkeys Arguments



(no argument) 

Updates all keys of servers for current domain 


Updates the keys of the directory object for the named directory. 

-H servername

Updates the keys of the named server for the current domain directory object. A fully qualified host name can be used to update the keys of servers in other domains. 

-s -H servername

Updates the keys of all the directory objects served by the named server. 


Clears the keys. 

Table 8-5gives an example of updating a public key:

Table 8-5 Updating a Public Key: Command Examples



Update all keys of all servers of the current domain (

rootmaster# /usr/lib/nis/nisupdkeys
Fetch Public key for server
Updating's public key.
Public key: public-key

Update keys of all servers supporting the domain directory object.

salesmaster# nisupdkeys
(Screen notices not shown)

Update keys for a server named master7 in all the directories that store them.

rootmaster# nisupdkeys -H master7

Clear the keys stored by the directory object.

rootmaster# nisupdkeys -C

Clear the keys for the current domain directory object for the server named master7.

rootmaster# nisupdkeys -C -H master7

Updating IP Addresses

If you change a server's IP address, or add additional addresses, you need to run nisupdkeys to update NIS+ address information.

To update the IP addresses of one or more servers, use the nisupdkeys command -a option.

To update the IP addresses of servers of a given domain

rootmaster# nisupdkeys -a domain

To update the IP address of a particular server

rootmaster# nisupdkeys -a -H server

Updating Client Key Information

Whenever you change any server's keys, you must update all of the clients as well. Remember, that all NIS+ servers are also NIS+ clients, so if you update the keys on one server, you must update key information on all other machines in the domain regardless of whether or not they are NIS+ servers or ordinary clients.

There are three ways to update client key information:

Globally Updating Client Key Information

After changing a server's keys, you can globally update client key information for all the machines in a domain by:

  1. Use the nischttl command to reduce the Time To Live (TTL) value of the domain's directory object so that the value expires almost immediately.

    For example, if you have changed the keys for a server in the domain, to reduce the directory's TTL value to one minute you would enter:

    client% nischttl 60
  2. When the directory's TTL value expires, the cache manager expires the entry and then obtains the new, updated information for clients.

  3. Once the directory object's TTL value has expired, reset the directory object's TTL to its default value.

    For example, to reset the TTL value to 12 hours for the domain's directory object, you would enter:

    client% nischttl 12h

    See "The nischttl Command" for more information on working with TTL values.

Chapter 9 Administering NIS+ Access Rights

This chapter describes NIS+ access rights and how to administer them.

Note -

Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

NIS+ Access Rights

NIS+ access rights determine what operations NIS+ users can perform and what information they have access to. This chapter assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that access rights play in that system (see Chapter 6, Security Overview, for this information).

For a complete description of NIS+ access-related commands and their syntax and options, see the NIS+ man pages.

Introduction to Authorization and Access Rights

See "NIS+ Authorization and Access--Introduction " and Chapter 6, Security Overview" for a description of how authorization and access rights work with NIS+ credentials and authentication to provide security for the NIS+ namespace.

Authorization Classes--Review

As described more fully in "Authorization Classes", NIS+ access rights are assigned on a class basis. There are four different NIS+ classes:

Access Rights--Review

As described more fully in " NIS+ Access Rights", there are four types of NIS+ access rights:

Keep in mind that these rights logically evolve down from directory to table to table column and entry levels. For example, to create a new table, you must have create rights for the NIS+ directory object where the table will be stored. When you create that table, you become its default owner. As owner, you can assign yourself create rights to the table which allows you to create new entries in the table. If you create new entries in a table, you become the default owner of those entries. As table owner, you can also grant table level create rights to others. For example, you can give your table's group class table level create rights. In that case, any member of the table's group can create new entries in the table. The individual member of the group who creates a new table entry becomes the default owner of that entry.

Concatenation of Access Rights

Authorization classes are concatenated. In other words, the higher class usually belongs to the lower class and automatically gets the rights assigned to the lower class. It works like this:

The basic principle that governs this is that access rights override the absence of access rights. In other words, a higher class can have more rights than a lower class, but not fewer rights. (The one exception to this rule is that if the owner is not a member of the group, it is possible to give rights to the group class that the owner does not have.)

How Access Rights Are Assigned and Changed

When you create an NIS+ object, NIS+ assigns that object a default set of access rights for the owner and group classes. By default, the owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable. (See "Default Access Rights" for details.)

Specifying Different Default Rights

NIS+ provides two different ways to change the default rights that are automatically assigned to an NIS+ object when it is created.

Changing Access Rights to an Existing Object

When an NIS+ object is created, it comes into existence with a default set of access rights (from either the NIS_DEFAULTS environment variable or as specified with the -D option). These default rights can be changed with the

Table, Column, and Entry Security

NIS+ tables allow you to specify access rights on the table three ways:

A field is the intersection between a column and an entry (row). All data values are entered in fields.

These column- and entry level access rights allow you to specify additional access to individual rows and columns that override table level restrictions, but column and entry level rights cannot be more restrictive than the table as a whole:

Table, Column, Entry Example

Column- or entry level access rights can provide additional access in two ways: by extending the rights to additional principals or by providing additional rights to the same principals. Of course, both ways can be combined. Following are some examples.

Assume a table object granted read rights to the table's owner:

Table 9-1 Table, Column, Entry Example 1






Table Access Rights: 





This means that the table's owner could read the contents of the entire table but no one else could read anything. You could then specify that Entry-2 of the table grant read rights to the group class:

Table 9-2 Table, Column, Entry Example 2






Table Access Rights: 





Entry-2 Access Rights: 





Although only the owner could read all the contents of the table, any member of the table's group could read the contents of that particular entry. Now, assume that a particular column granted read rights to the world class:

Table 9-3 Table, Column, Entry Example 3






Table Access Rights: 





Entry-2 Access Rights: 





Column-1 Access Rights: 





Members of the world class could now read that column for all entries in the table (light shading in Table 9-4). Members of the group class could read everything in Column-1 (because members of the group class are also members of the world class) and also all columns of Entry-2 (dark shading in Table 9-4). Neither the world nor the group classes could read any cells marked *NP* (for Nor Permitted).

Table 9-4 Table, Column, Entry Example 4


Col 1 

Col 2 

Col 2 





















Rights at Different Levels

This section describes how the four different access rights (read, create, modify, and destroy) work at the four different access levels (directory, table, column, and entry).

The objects that these various rights and levels act on are summarized in the table Table 9-5:

Table 9-5 Access Rights and Levels and the Objects They Act Upon







List directory contents 

View table contents 

View column contents 

View entry (row) contents 


Create new directory or table objects 

Add new entries (rows) 

Enter new data values in a column 

Enter new data values in an entry (row) 


Move objects and change object names 

Change data values anywhere in table 

Change data values in a column 

Change data values in an entry (row) 


Delete directory objects such as tables 

Delete entries (rows) 

Delete data values in a column 

Delete data values in an entry (row) 

Read Rights

Create Rights

Modify Rights

Destroy Rights

Where Access Rights Are Stored

An object's access rights are specified and stored as part of the object's definition. This information is not stored in an NIS+ table.

Viewing an NIS+ Object's Access Rights

The access rights can be viewed by using the niscat command:

niscat -o objectname

Where objectname is the name of the object whose access rights you want to view.

This command returns the following information about an NIS+ object:

Access rights for the four authorization classes are displayed as a list of 16 characters, like this:


Each character represents a type of access right:

The first four characters represent the access rights granted to nobody, the next four to the owner, the next four to the group, and the last four to the world:

Figure 9-1 Access Rights Display


Note -

Unlike UNIX file systems, the first set of rights is for nobody, not for the owner.

Default Access Rights

When you create an object, NIS+ assigns the object a default owner and group, and a default set of access rights for all four classes. The default owner is the NIS+ principal who creates the object. The default group is the group named in the NIS_GROUP environment variable. Initially, the default access rights are: I

Table 9-6 Default Access Rights











If you have the NIS_DEFAULTS environment variable set, the values specified in NIS_DEFAULTS will determine the defaults that are applied to new objects. When you create an object from the command line, you can use the -D flag to specify values other than the default values.

How a Server Grants Access Rights to Tables

This section discusses how a server grants access to tables objects, entries, and columns during each type of operation: read, modify, destroy, and create.

Note -

At security level 0, a server enforces no NIS+ access rights and all clients are granted full access rights to the table object. Security level 0 is only for administrator setup and testing purposes. Do not use level 0 in any environment where ordinary users are performing their normal work.

The four factors that a server must consider when deciding whether to grant access are:

After authenticating the principal making the request by making sure the principal has a valid DES credential, an NIS+ server determines the type of operation and the object of the request.

Specifying Access Rights in Commands

This section assume an NIS+ environment running at security level 2 (the default level).

This section describes how to specify access rights, as well as owner, group owner, and object, when using any of the commands described in this chapter.

Syntax for Access Rights

This subsection describes the access rights syntax used with the various NIS+ commands that deal with authorization and access rights.

Class, Operator, and Rights Syntax

Access rights, whether specified in an environment variable or a command, are identified with three types of arguments: class, operator, and right.

Table 9-7 Access Rights Syntax--Class




Nobody: all unauthenticated requests 


The owner of the object or table entry 


The group owner of the object or table entry 


World: all authenticated principals 


All: shorthand for owner, group, and world (this is the default) 

Table 9-8 Access Rights Syntax--Operator




Adds the access rights specified by right


Revokes the access rights specified by right


Explicitly changes the access rights specified by right; in other words, revokes all existing rights and replaces them with the new access rights.

Table 9-9 Access Rights Syntax--Rights




Reads the object definition or table entry 


Modifies the object definition or table entry 


Creates a table entry or column 


Destroys a table entry or column 

You can combine operations on a single command line by separating each operation from the next with a comma (,).

Table 9-10 Class, Operator, and Rights Syntax--Examples



Add read access rights to the owner class


Change owner. group, and world classes' access rights to modify only from whatever they were before 


Add read and modify rights to the world and nobody classes 


Remove all four rights from the group, world, and nobody classes 


Add create and destroy rights to the owner class and add read and modify rights to the world and nobody classes 


Syntax for Owner and Group


For group


Syntax for Objects and Table Entries

Objects and table entries use different syntaxes.

For objects


For table entries


Note -

In this case, the brackets are part of the syntax.

Indexed names can specify more than one column-value pair. If so, the operation applies only to the entries that match all the column-value pairs. The more column-value pairs you provide, the more stringent the search.

For example:

Table 9-11 Object and Table Entry--Examples




Table entry 


Two-value table entry 


Columns use a special version of indexed names. Because you can only work on columns with the nistbladm command, see "The nistbladm Command " for more information.

Displaying NIS+ Defaults--The nisdefaults Command

The nisdefaults command displays the seven default values currently active in the namespace. These default values are either

Any object that you create on this machine will automatically acquire these default values unless you override them with the -D option of the command you are using to create the object.

Table 9-12 The Seven NIS+ Default Values and nisdefaults Options








Displays the home domain of the workstation from which the command was entered. 



NIS_GROUP environment variable

Displays the group that would be assigned to the next object created from this shell. 



uname -n

Displays the workstation's host name. 




Displays the fully qualified user name or host name of the NIS+ principal who entered the nisdefaults command.

Access Rights 


NIS_DEFAULTS environment variable

Displays the access rights that will be assigned to the next object or entry created from this shell. Format: ----rmcdr---r---

Search path 


NIS_PATH environment variable

Displays the syntax of the search path, which indicate the domains that NIS+ will search through when looking for information. Displays the value of the NIS_PATH environment variable if it is set.



NIS_DEFAULTS environment variable

Displays the time-to-live that will be assigned to the next object created from this shell. The default is 12 hours. 

All (terse) 



Displays all seven defaults in terse format. 



Display specified values in verbose mode. 

You can use these options to display all default values or any subset of them:

master% nisdefaults
Principal Name :
Domain Name :
Host Name :
Group Name : salesboss
Access Rights : ----rmcdr---r---
Time to live : 12:00:00:00:00
Search Path :

Setting Default Security Values

This section describes how to perform tasks related to the nisdefaults command, the NIS_DEFAULTS environment variable, and the -D option. The NIS_DEFAULTS environment variable specifies the following default values:

The values that you set in the NIS_DEFAULTS environment variable are the default values applied to all NIS+ objects that you create using that shell (unless overridden by using the -D option with the command that creates the object).

You can specify the default values (owner, group, access rights, and time-to-live) specified with the NIS_DEFAULTS environment variable. Once you set the value of NIS_DEFAULTS, every object you create from that shell will acquire those defaults, unless you override them by using the -D option when you invoke a command.

Displaying the Value of NIS_DEFAULTS

You can check the setting of an environment variable by using the echo command, as shown below:

client% echo $NIS_DEFAULTS

You can also display a general list of the NIS+ defaults active in the namespace by using the nisdefaults command as described in "Displaying NIS+ Defaults--The nisdefaults Command".

Changing Defaults

You can change the default access rights, owner, and group, by changing the value of the NIS_DEFAULTS environment variable. Use the environment command that is appropriate for your shell (setenv for C-shell or $NIS_DEFAULTS=, export for Bourne and Korn shells) with the following arguments:

You can combine two or more arguments into one line separated by colons:


Table 9-13shows some examples:

Table 9-13 Changing Defaults--Examples



This command grants owner read access as the default access right. 

client% setenv NIS_DEFAULTS access=o+r

This command sets the default owner to be the user abe whose home 

domain is 

client% setenv NIS_DEFAULTS

This command combines the first two examples on one code line. 

client% setenv NIS_DEFAULTS

All objects and entries created from the shell in which you changed the defaults will have the new values you specified. You cannot specify default settings for a table column or entry; the columns and entries simply inherit the defaults of the table.

Resetting the Value of NIS_DEFAULTS

You can reset the NIS_DEFAULTS variable to its original values, by typing the name of the variable without arguments, using the format appropriate to your shell:

For C shell

client# unsetenv NIS_DEFAULTS

For Bourne or Korn shell


Specifying Nondefault Security Values at Creation Time

You can specify different (that is, nondefault) access rights, owner, and group, any time that you create an NIS+ object or table entry with any of the following NIS+ commands:

To specify security values other than the default values, insert the -D option into the syntax of those commands, as described in "Specifying Access Rights in Commands".

As when setting defaults, you can combine two or more arguments into one line. Remember that column and entry's owner and group are always the same as the table, so you cannot override them.

For example, to use the nismkdir command to create a directory and override the default access right by granting the owner only read rights you would type:

client% nismkdir -D access=o+r

Changing Object and Entry Access Rights

The nischmod command operates on the access rights of an NIS+ object or table entry. It does not operate on the access rights of a table column; for columns, use the nistbladm command with the -D option. For all nischmod operations, you must already have modify rights to the object or entry.

Using nischmod to Add Rights

To add rights for an object or entry use:

For object

nischmod class+right object-name

For table entry

nischmod class+right [column-name=value],table-name

For example, to add read and modify rights to the group of the directory object you would type.

client% nischmod g+rm

For example to add read and modify rights to group for the name=abe entry in the table you would type:

client% nischmod g+rm '[name=abe],'

Using nischmod to Remove Rights

To remove rights for an object or entry use:

For object

nischmod class-right object-name

For entry

nischmod class-right [column-name=value],table-name

For example, to remove create and destroy rights from the group of the directory object you would type:

client% nischmod g-cd

For example to remove destroy rights from group for the name=abe entry in the table, you would type:

client% nischmod g-d '[name=abe],'

Specifying Column Access Rights

The nistbladm command performs a variety of operations on NIS+ tables. Most of these tasks are described in "The nistbladm Command ". However, two of its options, -c and -u, enable you to perform some security-related tasks:

Setting Column Rights When Creating a Table

When a table is created, its columns are assigned the same rights as the table object. These table level, rights are derived from the NIS_DEFAULTS environment variable, or are specified as part of the command that creates the table. You can also use the nistbladm -c option to specify initial column access rights when creating a table with nistbladm. To use this option you must have create rights to the directory in which you will be creating the table. To set column rights when creating a table use:

nistbladm -c type `columname=[flags] [,access]... tablename'


To assign a column its own set of rights at table creation time, append access rights to each column's equal sign after the column type and a comma. Separate the columns with a space:

column=type, rights column=type, rights column=type, rights

The example below creates a table named depts in the directory, of type div, with three columns (Name, Site, and Manager), and adds modify rights for the group to the second and third columns:

rootmaster% nistbladm -c div Name=S Site=S,g+m Manager=S,g+m

For more information about the nistbladm and the-c option, see Chapter 13, Administering NIS+ Tables.

Adding Rights to an Existing Table Column

The nistbladm -u option allows you to add additional column access rights to an existing table column with the nistbladm command. To use this option you must have modify rights to the table column. To add additional column rights use:

nistbladm -u [column=access,...],tablename


Use one column=access pair for each column whose rights you want to update. To update multiple columns, separate them with commas and enclose the entire set with square brackets:

[column=access, column=access, column=access]

The full syntax of this option is described in "The nistbladm Command ".

The example below adds read and modify rights to the group for the name and addr columns in the table.

client% nistbladm -u `[name=g+rm,addr=g+rm],'

Removing Rights to a Table Column

To remove access rights to a column in an NIS+ table, you use the -u option as described above in "Adding Rights to an Existing Table Column" except that you subtract rights with a minus sign (rather than adding them with a plus sign).

The example below removes group's read and modify rights to the hostname column in the table.

client% nistbladm -u 'name=g-rm,'

Changing Ownership of Objects and Entries

The nischown command changes the owner of one or more objects or entries. To use it, you must have modify rights to the object or entry. The nischown command cannot change the owner of a column, since a table's columns belong the table's owner. To change a column's owner, you must change the table's owner.

Changing Object Owner With nischown

To change an object's owner, use the following syntax:

nischown new-owner object


Be sure to append the domain name to both the object name and new owner name.

The example below changes the owner of the hosts table in the domain to the user named lincoln whose home domain is

client% nischown

Changing Table Entry Owner With nischown

The syntax for changing a table entry's owner uses an indexed entry to identify the entry, as shown below (this syntax is fully described in ):

nischown new-owner [column=value,...],tablename


Be sure to append the domain name to both the new owner name and the table name.

The example below changes the owner of an entry in the hosts table of the domain to takeda whose home domain is The entry is the one whose value in the name column is virginia.

client% nischown '[name=virginia],'

Changing an Object or Entry's Group

The nischgrp command changes the group of one or more objects or table entries. To use it, you must have modify rights to the object or entry. The nischgrp command cannot change the group of a column, since the group assigned to a table's columns is the same as the group assigned to the table. To change a column's group owner, you must change the table's group owner.

Changing an Object's Group With nischgrp

To change an object's group, use the following syntax:

nischgrp group object


Be sure to append the domain name to both the object name and new group name.

The example below changes the group of the hosts table in the domain to

client% nischgrp

Changing a Table Entry's Group With nischgrp

The syntax for changing a table entry's group uses an indexed entry to identify the entry, as shown below (this syntax is fully described in "Syntax for Objects and Table Entries "):

nischgrp new-group [column=value,...],tablename


Be sure to append the domain name to both the new group name and the table name.

The example below changes the group of an entry in the hosts table of the domain to The entry is the one whose value in the host name column is virginia.

client% nischgrp '[name=virginia],'

Chapter 10 Administering Passwords

This chapter describes how to use the passwd command from the point of view of an ordinary user (NIS+ principal) and how an NIS+ administrator manages the password system.

Note -

Some NIS+ security tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

Using Passwords

When logging in to a machine, users must enter both a user name (also known as a login ID) and a password. Although login IDs are publicly known, passwords must be kept secret by their owners.

Logging In

Logging in to a system is a two-step process:

  1. Type your login ID at the Login: prompt.

  2. Type your password at the Password: prompt.

    (To maintain password secrecy, your password is not displayed on your screen when you type it.)

    If your login is successful you will see your system's message of the day (if any) and then your command-line prompt, windowing system, or normal application.

The Login incorrect Message

The Login incorrect message indicates that:

The password expired Message

If you receive a Your password has expired message it means that your password has reached its age limit and expired. In other words, the password has been in use for too long and you must choose a new password at this time. (See "Choosing a Password", for criteria that a new password must meet.)

In this case, choosing a new password is a three-step process:

  1. Type your old password at the Enter login password (or similar) prompt.

    Your keystrokes are not shown on your screen.

  2. Type your new password at the Enter new password prompt.

    Your keystrokes are not shown on your screen.

  3. Type your new password again at the Re-enter new password prompt.

    Your keystrokes are not shown on your screen.

The will expire Message

If you receive a Your password will expire in N days message (where N is a number of days), or a Your password will expire within 24 hours message, it means that your password will reach its age limit and expire in that number of days (or hours).

In essence, this message is telling you to change your password now. (See "Changing Your Password".)

The Permission denied Message

After entering your login ID and password, you may get a Permission denied message and be returned to the login: prompt. This means that your login attempt has failed because an administrator has either locked your password, or terminated your account, or your password privileges have expired. In these situations you cannot log in until an administrator unlocks your password or reactivates your account or privileges. Consult your system administrator.

Changing Your Password

To maintain security, you should change your password regularly. (See "Choosing a Password" for password requirements and criteria.)

Note -

The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ name space, use passwd -r nisplus.

Changing your password is a four-step process:

  1. Run the passwd command at a system prompt.

  2. Type your old password at the Enter login password (or similar) prompt.

    Your keystrokes are not shown on your screen.

    • If you receive a Sorry: less than N days since the last change message, it means that your old password has not been in use long enough and you will not be allowed to change it at this time. You are returned to your system prompt. Consult your system administrator to find out the minimum number of days a password must be in use before it can be changed.

    • If you receive a You may not change this password message, it means that your network administrator has blocked any change.

  3. Type your new password at the Enter new password prompt.

    Your keystrokes are not shown on your screen.

    At this point the system checks to make sure that your new password meets the requirements:

    • If it does meet the requirements, you are asked to enter it again.

    • If your new password does not meet the system requirements, a message is displayed informing you of the problem. You must then enter a new password that does meet the requirements.

    See "Password Requirements" for the requirements a password must meet.

  4. Type your new password again at the Re-enter new password prompt.

    Your keystrokes are not shown on your screen.

    If your second entry of the new password is not identical to your first entry, you are prompted to repeat the process.

    Note -

    When changing root's password, you must always run chkey -p immediately after changing the password. (See "Changing Root Keys From Root" and "Changing Root Keys From Another Machine" for information on using chkey -p to change root's keys.) Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

Password Change Failures

Some systems limit either the number of failed attempts you can make in changing your password or the total amount of time you can take to make a successful change. (These limits are implemented to prevent someone else from changing your password by guessing your current password.)

If you (or someone posing as you) fails to successfully log in or change your password within the specified number of tries or time limit, you will get a Too many failures - try later or Too many tries: try again later message. You will not be allowed to make any more attempts until a certain amount of time has passed. (That amount of time is set by your administrator.)

Choosing a Password

Many breaches of computer security involve guessing another user's password. While the passwd command enforces some criteria for making sure the password is hard to guess, a clever person can sometimes figure out a password just by knowing something about the user. Thus, a good password is one that is easy for you to remember but hard for someone else to guess. A bad password is one that is so hard for you to remember that you have to write it down (which you are not supposed to do), or that is easy for someone who knows about you to guess.

Password Requirements

A password must meet the following requirements:

Bad Choices for Passwords

Bad choices for passwords include:

Good Choices for Passwords

Good choices for passwords include:

Administering Passwords

This section describes how to administer passwords in an NIS+ namespace. This section assumes that you have an adequate understanding of the NIS+ security system in general, and in particular of the role that login passwords play in that system (see Chapter 6, Security Overview, for this information).

Note -

The passwd command now performs all functions previously performed by nispasswd. For operations specific to an NIS+ namespace, use passwd -r nisplus.

nsswitch.conf File Requirements

In order to properly implement the passwd command and password aging on your network, the passwd entry of the nsswitch.conf file on every machine must be correct. This entry determines where the passwd command will go for password information and where it will update password information.

Only five passwd configurations are permitted:

Caution - Caution -

All of the nsswitch.conf files on all of your network's workstations must use one of the passwd configurations shown above. If you configure the passwd entry in any other way, users may not be able to log in.

The nispasswd Command

All functions previously performed by the nispasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not nispasswd.

(The nispasswd command is still retained with all of its functionality for the purpose of backward compatibility.)

The yppasswd Command

All functions previously performed by the yppasswd command are now performed by the passwd command. When issuing commands from the command line, you should use passwd, not yppasswd.

(The yppasswd is still retained with all of its functionality for the purpose of backward compatibility.)

The passwd Command

The passwd command performs various operations regarding passwords. The passwd command replaces the nispasswd command. You should use the passwd command for all activities which used to be performed with the nispasswd command. (See the passwd command man page for a complete description of all passwd flags, options, and arguments.)

The passwd command allows users to perform the following operations:

Administrators can use the passwd command to perform the following operations:

passwd and the nsswitch.conf File

The name service switch determines where the passwd command (and other commands) obtains and stores password information. If the passwd entry of the applicable nsswitch.conf file points to:

The passwd -r Option

When you run the passwd command with the -r nisplus, -r nis, or -r files arguments, those options override the nsswitch.conf file setting. You will be warned that this is the case. If you continue, the -r option will cause the passwd command to ignore the nsswitch.conf file sequence and update the information in the password information storage location pointed to by the -r flag.

For example, if the passwd entry in the applicable nsswitch.conf file reads:

 passwd: files nisplus

files is the first (primary) source, and passwd run without the -r option will get its password information from the /etc/passwd file. If you run the command with the -r nisplus option, passwd will get its information from the appropriate NIS+ passwd table and make its changes to that table, not to the /etc/passwd file.

The -r option should only be used when you cannot use the nsswitch.conf file because the search sequence is wrong. For example, when you need to update password information that is stored in two places, you can use the order specified in the nsswitch.conf file for the first one, but for the second one you have to force the use of the secondary or tertiary source.

The message:

Your specified repository is not defined in the nsswitch file!

indicates that your change will be made to the password information in the repository specified by the -r option, but that change will not affect anyone until the nsswitch.conf file is changed to point to that repository. For example, suppose the nsswitch.conf file reads passwd: files nis and you use the -r nisplus option to establish password-aging limits in an NIS+ passwd table. Those password-aging rules will sit in that table unused because the nsswitch.conf file is directing everyone to other places for their password information.

The passwd Command and "NIS+ Environment"

In this chapter, the phrase NIS+ environment refers to situations where the passwd entry of the applicable nsswitch.conf file is set to nisplus, or the passwd command is run with the -r nisplus argument.

The passwd Command and Credentials

When run in an NIS+ environment (see above), the passwd command is designed to function with or without credentials. Users without credentials are limited to changing their own password. Other password operations can only be performed by users who have credentials (are authenticated) and who have the necessary access rights (are authorized).

The passwd Command and Permissions

In this discussion of authorization and permissions, it is assumed that everyone referred to has the proper credentials.

By default, in a normal NIS+ environment the owner of the passwd table can change password information at any time and without constraints. In other words, the owner of the passwd table is normally granted full read, modify, create, and destroy authorization (permission) for that table. An owner can also:

Note -

Regardless of what permissions they have, everyone in the world, and nobody classes are forced to comply with password-aging constraints. In other words, they cannot change a password for themselves or anyone else unless that password has aged past its minimum. Nor can members of the group, world, and nobody classes avoid having to change their own passwords when the age limit has been reached. However, age constraints do not apply to the owner of the passwd table.

To use the passwd command in an NIS+ environment, you must have the required authorization (access rights) for the operation:

Table 10-1 Access Rights for passwd Command

This Operation 

Requires These Rights 

To This Object 

Displaying information 


passwd table entry 

Changing Information 


passwd table entry 

Adding New Information 


passwd table 

The passwd Command and Keys

If you use passwd in an NIS+ environment to change a principal's password, it tries to update the principal's private (secret) key in the cred table.

The passwd Command and Other Domains

To operate on the passwd table of another domain, use:

passwd [options] -D domainname

The nistbladm Command

The nistbladm command allows you to create, change, and display information about any NIS+ table, including the passwd table.

Caution - Caution -

To perform password operations using the nistbladm command you must apply nistbladm to the shadow column of the passwd table. Applying nistbladm to the shadow column is complex and tricky. Therefore, you should not use the nistbladm command for any operation that can more easily be performed by the passwd command or by using the AdminTool or Solstice AdminSuite tools.

You should use the passwd command or Solstice AdminSuite tools to perform the following operations:

It is possible to use the nistbladm command to:

nistbladm and Shadow Column Fields

You use the nistbladm command to set password parameters by specifying the values of the different fields in the shadow column. These fields are entered in the format:



Caution - Caution -

When using nistbladm on the shadow column of the password table, all of the numeric fields must contain appropriate values. You cannot leave a field blank, or enter a zero, as a no change placeholder.

For example, to specify that the user amy last changed her password on day 9246 (May 1, 1995), cannot change her password until it has been in use for 7 days, must change her password after 30 days, will be warned to change her password after the 25th day, must not remain inactive more than 15 days, and has an account that will expire on day number 9255, you would type:

nistbladm And the Number of Days

Most password aging parameters are expressed in number of days. The following principles and rules apply:

Values are entered in both the lastchange the expire fields as a number of days since January 1, 1970. For example:

Table 10-2 Number of Days Since 1/1/70


Day Number 

January 1, 1970 

January 2, 1970 

January 2, 1971 


January 1, 1997 


Related Commands

The passwd and nistbladm commands provide capabilities that are similar to those offered by other commands. Table 10-3 summarizes their differences.

Table 10-3 Related Commands




Is now linked to the passwd command. Using yppasswd simply invokes the passwd command.


Is now linked to the passwd command. Using nispasswd simply invokes the passwd command.


Can be used to display the contents of the passwd table. 

Displaying Password Information

You can use the passwd command to display password information about all users in a domain or about one particular user:

For your password information

passwd -s

For all users in current domain

passwd -s -a

For a particular user

passwd -s username

Only the entries and columns for which you have read permission will be displayed. Entries are displayed with the following format:

Table 10-4 NIS+ Password Display Format



For Further Information 


The user's login name. 


The user's password status. PS indicates the account has a password. LK indicates the password is locked. NP indicates the account has no password. 

See "Locking a Password ".


The date, based on Greenwich mean time, that the user's password was last changed. 


The minimum number of days since the last change that must pass before the password can be changed again. 

See "Setting Minimum Password Life ".


The maximum number of days the password can be used without having to change it. 

See "Setting a Password Age Limit ".


The number of days' notice that users are given before their passwords have to be changed. 

See "Establishing a Warning Period ".


A date on which users loose the ability to log in to their accounts. 

See "Password Privilege Expiration".


A limit on the number of days that an account can go without being logged in to. Once that limit is passed without a log in users can no longer access their accounts. 

See "Specifying Maximum Number of Inactive Days".

To display entries from a passwd table in another domain, use the -D option:

For all users in another domain

passwd -s -a -D domainname

For a particular user

passwd -s -D domainname username

Changing Passwords

New passwords must meet the criteria described in "Password Requirements".

Changing Your Own Password

To change your password, type

station1% passwd

You will be prompted for your old password and then the new password and then the new password a second time to confirm it.

Changing Someone Else's Password

To change someone else' password, use:

To change another user's password in the same domain

passwd username

To change another user's password in a different domain

passwd -D domainname username

When using the passwd command in an NIS+ environment (see "The passwd Command and "NIS+ Environment" ") to change someone else's password you must have modify rights to that user's entry in the passwd table (this usually means that you are a member of the group for the passwd table and the group has modify rights). You do not have to enter either the user's old password or your password. You will be prompted to enter the new password twice to make sure that they match. If they do not match, you will be prompted to enter them again.

Changing Root's Password

When changing root's password, you must always run chkey -p immediately after changing the password with the passwd command. Failure to run chkey -p after changing root's password will result in root being unable to properly log in.

To change a root password, follow these steps:

  1. Log in as root.

  2. Change root's password using passwd.

    Do not use nispasswd.

  3. Run chkey -p.

    You must use the -p option.

Locking a Password

When operating in an NIS+ environment (see "The passwd Command and "NIS+ Environment" "), an administrator (a group member) with modify rights to a user's entry in the passwd table can use the passwd command to lock a password. An account with a locked password cannot be used. When a password is locked, the user will receive a Login incorrect message after each login attempt.

Keep in mind that locked passwords have no effect on users who are already logged in. A locked password only prevents users from performing those operations that require giving a password such as login, rlogin, ftp, or telnet.

Note also that if a user with a locked password is already logged in, and that user uses the passwd command to change passwords, the lock is broken.

You can use this feature to:

To lock a password, use:

passwd -l username

Unlocking a Password

To unlock a user's password, you simply change it. You can "change" it back to the exact same password that it was when it was locked. Or you can change it to something new.

For example, to unlock jody's password, you would enter:

station1% passwd jody

Managing Password Aging

Password aging is a mechanism you can use to force users to periodically change their passwords.

Password aging allows you to:

Keep in mind that users who are already logged in when the various maximums or dates are reached are not affected by the above features. They can continue to work as normal.

Password aging limitations and activities are only activated when a user logs in or performs one of the following operations:

These password aging parameters are applied on user-by-user basis. You can have different password aging requirements for different users. (You can also set general default password aging parameters as described in "The /etc/defaults/passwd File".)

Forcing Users to Change Passwords

There are two ways to force a user to change passwords the next time the user logs in:

Force change keeping password aging rules in effect

passwd -f username

Force change and turn off password aging rules

passwd -x 0 username

Setting a Password Age Limit

The -max argument to the passwd command sets an age limit for the current password. In other words, it specifies the number of days that a password remains valid. After that number of days, a new password must be chosen by the user. Once the maximum number of days have passed, the next time the user tries to login with the old password a Your password has been expired for too long message is displayed and the user is forced to choose a new password in order to finish logging in to the system.

The max argument uses the following format:

passwd -x max username


For example, to force the user schweik to change passwords every 45 days, you would type the command:

station1% passwd -x 45 schweik

Setting Minimum Password Life

The min argument to the passwd command specifies the number of days that must pass before a user can change passwords. If a user tries to change passwords before the minimum number of days has passed, a Sorry less than N days since the last change message is displayed.

The min argument uses the following format:

passwd -x max -n min username


For example, to force the user eponine to change passwords every 45 days, and prevent him from changing it for the first 7 days you would type the command:

station1% passwd -x 45 -n 7 eponine

The following rules apply to the min argument:

Establishing a Warning Period

The warn argument to the passwd command specifies the number of days before a password reaches its age limit that users will start to seeing a Your password will expire in N days message (where N is the number of days) when they log in.

For example, if a user's password has a maximum life of 30 days (set with the -max argument) and the warn value is set to 7 days, when the user logs in on the 24th day (one day past the warn value) the warning message Your password will expire in 7 days is displayed. When the user logs in on the 25th day the warning message Your password will expire in 6 days is displayed.

Keep in mind that the warning message is not sent by Email or displayed in a user's console window. It is displayed only when the user logs in. If the user does not log in during this period, no warning message is given.

Keep in mind that the warn value is relative to the max value. In other words, it is figured backwards from the deadline set by the max value. Thus, if the warn value is set to 14 days, the Your password will expire in N days message will begin to be displayed two weeks before the password reaches its age limit and must be changed.

Because the warn value is figured relative to the max value, it only works if a max value is in place. If there is no max value, warn values are meaningless and are ignored by the system.

The warn argument uses the following format:

passwd -x max -w warn username


For example, to force the user nilovna to change passwords every 45 days, and display a warning message 5 days before the password reaches its age limit you would type the command:

station1% passwd -x 45 -w 5 nilovna

The following rules apply to the warn argument:

Note -

You can also use Solstice AdminSuite to set a warn value for a user's password.

Turning Off Password Aging

There are two ways to turn off password aging for a given user:

Turn off aging while allowing user to retain current password

passwd -x -1 username

Force user to change password at next login, and then turn off aging

passwd -x 0 username

This sets the max value to either zero or -1 (see "Setting a Password Age Limit " for more information on this value).

For example, to force the user mendez to change passwords the next time he logs in and then turn off password aging you would type the command:

station% passwd -x 0 mendez

Note -

You can also use Solstice AdminSuite to set this parameter for a user's password.

You can also use the nistbladm command to set this value. For example, to turn off password aging for the user otsu and allow her to continue using her current password, you would type:

station1% nistbladm -m `shadow=0:0:-1:0:0:0:0' [name=otsu],passwd.org_dir

For additional information on using the nistbladm command, see "The nistbladm Command ".

Password Privilege Expiration

You can set a specific date on which a user's password privileges expires. When a user's password privilege expires, that user can no longer have a valid password at all. In effect, this locks the user out of the system after the given date because after that date the user can no longer log in.

For example, if you specify an expire date of December 31, 1997, for a user named pete, on January 1, 1998 he will not be able to log in under that user ID regardless of what password he uses. After each login attempt he will receive a Login incorrect message.

Password Aging versus Expiration

Expiration of a user's password privilege is not the same as password aging.

Setting an Expiration Date

Password privilege expiration dates only take effect when the user logs in. If a user is already logged in, the expiration date has no affect until the user logs out or tries to use rlogin or telnet to connect to another machine at which time the user will not be able to log in again. Thus, if you are going to implement password privilege expiration dates, you should require your users to log out at the end of each day's work session.

Note -

If you have Solstice AdminSuite tools available, do not use nistbladm to set an expiration date. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.

To set an expiration date with the nistbladm command:

nistbladm -m `shadow=n:n:n:n:n:n6:n' [name=login],passwd.org_dir


For example, to specify an expiration date for the user pete of December 31, 1995 you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:9493:n' [name=pete],passwd.org_dir

Caution - Caution -

All of the fields must be filled in with valid values.

Turning Off Password Privilege Expiration

To turn off or deactivate password privilege expiration, you must use the nistbladm command to place a -1 in this field. For example, to turn off privilege expiration for the user huck, you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:-1:n' [name=huck],passwd.org_dir

Or you can use the nistbladm command reset the expiration date to some day in the future by entering a new number of days in the n6 field.

Specifying Maximum Number of Inactive Days

You can set a maximum number of days that a user can go without logging in on a given machine. Once that number of days passes without the user logging in, that machine will no longer allow that user to log in. In this situation, the user will receive a Login incorrect message after each login attempt.

This feature is tracked on a machine-by-machine basis, not a network-wide basis. That is, in an NIS+ environment, you specify the number of days a user can go without logging in by placing an entry for that user in the passwd table of the user's home domain. That number applies for that user on all machines on the network. However, the date on which a user last logged in to a given machine is maintained on a machine-by-machine basis in the machine's /var/adm/utmp file.

For example, suppose you specify a maximum inactivity period of 10 days for the user sam. On January 1, sam logs in to both machine-A and machine-B, and then logs off both machines. Four days later on January 4, sam logs in on machine-B and then logs out. Nine days after that on January 13, sam can still log in to machine-B because only 9 days have elapsed since the last time he logged in on that machine, but he can no longer log in to machine-A because thirteen days have passed since his last log in on that machine.

Keep in mind that an inactivity maximum cannot apply to a machine the user has never logged in to. No matter what inactivity maximum has been specified or how long it has been since the user has logged in to some other machine, the user can always log in to a machine that the user has never logged in to before.

Caution - Caution -

Do not set inactivity maximums unless your users are instructed to log out at the end of each workday. The inactivity feature only relates to logins; it does not check for any other type of system use. If a user logs in and then leaves the system up and running at the end of each day, that user will soon pass the inactivity maximum because there has been no login for many days. When that user finally does reboot or log out, he or she won't be able to log in.

Note -

If you have Solstice AdminSuite tools available, do not use nistbladm to set an inactivity maximum. Use Solstice AdminSuite tools because they are easier to use and provide less chance for error.

To set a login inactivity maximum, you must use the nistbladm command in the format:

nistbladm -m `shadow=n:n:n:n:n5:n:n' [name=login],passwd.org_dir


For example, to specify that the user sam must log in at least once every seven days, you would type:

station1% nistbladm -m `shadow=n:n:n:n:n:7:n:n' [name=sam],passwd.org_dir

To clear an inactivity maximum and allow a user who has been prevented from logging in to log in again, use nistbladm to set the inactivity value to -1.

Specifying Password Criteria and Defaults

The following subsections describe various password-related defaults and general criteria that you can specify.

The /etc/defaults/passwd File

The /etc/defaults/passwd file is used to set four general password defaults for users whose nsswitch.conf file points to files. The defaults set by the /etc/defaults/passwd file apply only to users whose operative password information is taken from /etc files; they do not apply to anyone using either NIS maps or NIS+ tables. An /etc/defaults/passwd file on an NIS+ server only affects local users who happen to be obtaining their password information from those local files. An /etc/defaults/passwd file on an NIS+ server has no effect on the NIS+ environment or users whose nsswitch.conf file points to either nis or nisplus.

The four general password defaults governed by the /etc/defaults/passwd file are:

The following principles apply to defaults set with an /etc/defaults/passwd file:

By default, /etc/defaults/passwd files already contain the entries:


To implement an entry, simply type the appropriate number after the equal sign. Entries that do not have a number after the equal sign are inactive and have no affect on any user. Thus, to set a MAXWEEKS default of 4, you would change the /etc/defaults/passwd file to read:


Maximum Weeks

You can use the MAXWEEKS default in the /etc/defaults/passwd file to set the maximum number of weeks that a user's password is valid. To set a default maximum time period, type the appropriate number of weeks after the equal sign on the MAXWEEKS=line:


Where N is a number of weeks. For example, MAXWEEKS=9.

Minimum Weeks

You can use the MINWEEKS default in the /etc/defaults/passwd file to set the minimum number of weeks that must pass before a user can change passwords. To set a default minimum time period, type the appropriate number of weeks after the equal sign on the MINWEEKS= line:


Where N is a number of weeks. For example, MINWEEKS=2.

Warning Weeks

Note -

This is no point in setting a WARNWEEKS default unless you also set a MAXWEEKS default.

You can add a WARNWEEKS default to the /etc/defaults/passwd file to set the number of weeks prior to a password becoming invalid due to aging that the user is warned. For example, if you have set the MAXWEEKS default to 9, and you want users to be warned two weeks before their passwords become invalid, you would set the WARNWEEKS default to 7.

Remember that WARNWEEKS are counted forward from the date of the user's last password change, not backward from the MAXWEEKS expiration date. Thus, WARNWEEKS must always be less than MAXWEEKS and cannot be equal to or greater than MAXWEEKS.

Note -

A WARNWEEKS default will not work unless there is also a MAXWEEKS default.

To set the warning time period, type the appropriate number of weeks after the equal sign on the WARNWEEKS= line:


Where N is a number of weeks. For example, WARNWEEKS=1.

Minimum Password Length

By default, the passwd command assumes a minimum length of six characters. You can use the PASSLENGTH default in the /etc/defaults/passwd file to change that by setting the minimum number of characters that a user's password must contain to some other number.

To set the minimum number of characters to something other than six, type the appropriate number of characters after the equal sign on the PASSLENGTH= line:


Where N is a number of characters. For example, PASSLENGTH=7.

Password Failure Limits

You can specify a number-of-tries limit or an amount-of-time limit (or both) for a user's attempt to change passwords. These limits are specified by adding arguments when starting the rpc.nispasswdd daemon.

Limiting the number of attempts or setting a time frame provides a limited (but not foolproof) defense against unauthorized persons attempting to change a valid password to one that they discover through trial and error.

Maximum Number of Tries

To set the maximum number of times a user can try to change a password without succeeding, use the -a number argument with rpc.nispasswdd, where number is the number of allowed tries. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to limit users to no more than four attempts (the default is 3), you would type:

station1# rpc.nispasswdd -a 4

In this case, if a user's fourth attempt at logging in is unsuccessful, the message Too many failures - try later is displayed. No further attempts are permitted for that user ID until a specified period of time has passed.

Maximum Login Time Period

To set the maximum amount a time a user can take to successfully change a password, use the -c minutes argument with rpc.nispasswdd, where minutes is the number of minutes a user has to log in. (You must have superuser privileges on the NIS+ master server to run rpc.nispasswdd.)

For example, to specify that users must successfully log in within 2 minutes, you would type:

station1# rpc.nispasswdd -c 2

In this case, if a user is unable to successfully change a password within 2 minutes, the message is displayed at the end of the two-minute period. No further attempts are permitted for that user ID until a specified period of time has passed.

Chapter 11 Administering NIS+ Groups

This chapter describes NIS+ groups and how to administer them.

Note -

Some NIS+ security group tasks can be performed more easily with Solstice AdminSuite tools if you have them available.

Solaris Groups

In a Solaris-NIS+ environment, there are three kinds of groups: UNIX groups, net groups, and NIS+ groups.

NIS+ Groups

NIS+ groups are used to assign access rights to NIS+ objects to one or more NIS+ principles. These access rights are described in Chapter 6, Security Overview. Information about NIS+ groups is stored in tables located in the NIS+ groups_dir directory object. Information about each group is stored in a table of the same name. For example, information about the admin group is stored in admin.groups_dir.

It is recommended practice to create at least one NIS+ group called admin. The admin NIS+ group is normally used to designate those users who are to have NIS+ access rights. You can name this group anything you want, but the NIS+ manual set assumes that the group with NIS+ administrator privileges is named admin. You can also create multiple NIS+ groups with different sets of users and different sets of rights.

Note -

Always use the nisgrpadm command to work with NIS+ group membership. You can also use the nisls and nischgrp commands on the group table. Do not use the nistbladm command on the group table.

For a complete description of NIS+ group-related commands and their syntax and options, see the NIS+ man pages.

Related Commands

The nisgrpadm command performs most group administration tasks but several other commands affect groups as well:

Table 11-1 Commands That Affect Groups





Creates, among other things, the directory in which a domain's groups are stored: groups_dir.

Failed Cross Reference Format


Lists the contents of the groups_dir directory; in other words, all the groups in a domain. For each named groups there will be a table of that name in groups_dir.

"The nisls Commandniscat Command With Directories"


Changes or assigns a group to any NIS+ object. 

"Changing an Object or Entry's Group"


Lists the object properties and membership of an NIS+ group. 

"Using niscat With NIS+ Groups "


Lists, among other things, the group that will be assigned to any new NIS+ object. 

"Displaying NIS+ Defaults--The nisdefaults Command"

For a complete description of these commands and their syntax, and options, see the NIS+ man pages.

Note -

Do not use the nistbladm command to work with the NIS+ groups table.

NIS+ Group Member Types

NIS+ groups can have three types of members: explicit, implicit, and recursive; and three types of nonmembers, also explicit, implicit, and recursive. These member types are used when adding or removing members of a group as described in "The nisgrpadm Command".

Member Types

NIS+ groups also accept nonmembers in all three categories: explicit, implicit, and recursive. Nonmembers are principals specifically excluded from a group that they otherwise would be part of.

Nonmember Types

Nonmembers are identified by a minus sign in front of their name:

Group Syntax

The order in which inclusions and exclusions are entered does not matter. Exclusions always take precedence over inclusions. Thus, if a principal is a member of an included implicit domain and also a member of an excluded recursive group, then that principal is not included.

Thus, when using the nisgrpadm command, you can specify group members and nonmembers as shown in Table 11-2:

Table 11-2 Specifying Group Members and Nonmembers

Type of member 


Explicit member 


Implicit member 


Recursive member 


Explicit nonmember 


Implicit nonmember 


Recursive nonmember 


Using niscat With NIS+ Groups

The niscat -ocommand can be used to list the object properties and membership of an NIS+ group.

Listing the Object Properties of a Group

To list the object properties of a group, you must have read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully qualified name, which must include its groups_dir subdirectory:

niscat -o group-name.groups_dir.domain-name

For example:

rootmaster# niscat -o
Object Name : sales
Owner :
Group :
Domain :
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members :

Note -

A better list of members is provided by the nisgrpadm -l command.

Several of the group's properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The group flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups.

The nisgrpadm Command

The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation,

Table 11-3 Rights Required for nisgrpadm Command

This Operation 

Requires This Access Right 

To This Object 

Create a group 


groups_dir directory

Destroy a group 


groups_dir directory

List the Members 


the group object 

Add Members 


the group object 

Remove Members 


the group object 

The nisgrpadm has two main forms, one for working with groups and one for working with group members.

To create or delete a group, or to lists its members use these forms:

nisgrpadm -c group-name.domain-name
nisgrpadm -d group-name
nisgrpadm -l group-name

To add or remove members, or determine if they belong to the group use this form (where member... can be any combination of the six membership types listed in Table 11-2):

nisgrpadm -a group-name member...
nisgrpadm -r group-name member...
nisgrpadm -t group-name member...

All operations except create (-c) accept a partially qualified group-name. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.

Creating an NIS+ Group

To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name:

nisgrpadm -c group-name.domainname

When you create a group, an NIS+ groups table with the name you have given is created in groups_dir. You can use nisls to confirm that the new group table now exists in groups_dir, and niscat to list the groups members listed in the table.

A newly created group contains no members. See "Adding Members to an NIS+ Group " for information on how to specify who belongs to a group.

The example below creates three groups named admin. The first is in the domain, the second in, and the third in All three are created on the master server of their respective domains.

rootmaster# nisgrpadm -c
Group created.
salesmaster# nisgrpadm -c
Group created.
manfmaster# nisgrpadm -c
Group created.

The group you create will inherit all the object properties specified in the NIS_DEFAULTS variable; that is, its owner, owning group, access rights, time-to-live, and search path. You can view these defaults by using the nisdefaults command (described in Chapter 9, Administering NIS+ Access Rights). Used without options, it provides this output:

rootmaster# nisdefaults
Principal Name :
Domain Name :
Host Name :
Group Name :
Access Rights : ----rmcdr---r---
Time to live : 12:0:0
Search Path :

The owner is listed in the Principal Name: field. The owning group is listed only if you have set the NIS_GROUP environment variable. For example, assuming a C-shell, to set NIS_GROUP to

rootmaster# setenv NIS_GROUP

You can override any of these defaults at the time you create the group by using the -D option:

salesmaster# nisgrpadm -D
Group created.

Deleting an NIS+ Group

To delete an NIS+ group, you must have destroy rights to the groups_dir directory in the group's domain. Use the -d option:

nisgrpadm -d group-name

If the default domain is set properly, you don't have to fully-qualify the group name. However, you should check first (use nisdefaults), because you could unintentionally delete a group in another domain. The example below deletes the group.

salesmaster% nisgrpadm -d
Group `' destroyed.

Adding Members to an NIS+ Group

To add members to an NIS+ group you must have modify rights to the group object. Use the -a option:

nisgrpadm -a group-name members. . .

As described in "NIS+ Group Member Types", you can add principals (explicit members), domains (implicit members), and groups (recursive members). You don't have to fully qualify the name of the group or the name of the members who belong to the default domain. This example adds the NIS+ principals panza and valjean, both from the default domain,, and the principal makeba, from the domain, to the group

client% nisgrpadm -a Ateam panza valjean
Added to group
Added to group
Added to group

To verify the operation, use the nisgrpadm -l option. Look for the members under the Explicit members heading.

This example adds all the NIS+ principals in the domain to the group. It is entered from a client in the domain. Note the * symbol and the dot in front of the domain name.

client% nisgrpadm -a Staff *
Added * to group

This example adds the NIS+ group to the group. It is entered from a client of the domain. Note the @ symbol in front of the group name.

client% nisgrpadm -a admin
Added to group

Listing the Members of an NIS+ Group

To list the members of an NIS+ group, you must have read rights to the group object. Use the -l option:

nisgrpadm -l group-name

This example lists the members of the group. It is entered from a client in the group:

client% nisgrpadm -l admin 
Group entry for group:
 No explicit members
 No implicit members:
 Recursive members:
 No explicit nonmembers
 No implicit nonmembers
 No recursive nonmembers

Removing Members From an NIS+ Group

To remove members from an NIS+ group, you must have modify rights to the group object. Use the -r option:

nisgrpadm -r group-name members. . .

This example removes the NIS+ principals allende and from the group. It is entered from a client in the domain:

client% nisgrpadm -r Ateam allende
Removed from group
Removed from group

This example removes the group from the group. It is entered from a client in the domain:

client% nisgrpadm -r admin
Removed from group

Testing for Membership in an NIS+ Group

To find out whether an NIS+ principal is a member of a particular NIS+ group you must have read access to the group object. Use the -t option:

nisgrpadm -t group-name members. . .

This example tests whether the NIS+ principal topadmin belongs to the group. It is entered from a client in the domain.

client% nisgrpadm -t admin topadmin is a member of group

This example tests whether the NIS+ principal jo, from the domain, belongs to the group. It is entered from a client in the domain.

client% nisgrpadm -t is a member of group

Chapter 12 Administering NIS+ Directories

This chapter describes NIS+ directory objects and how to administer them.

NIS+ Directories

NIS+ directory objects are used to store information related to an NIS+ domain. For each NIS+ domain, there is a corresponding NIS+ directory structure. See Chapter 4, The NIS+ Namespace, for more information about NIS+ directories.

For a complete description of NIS+ directory-related commands and their syntax and options, see the NIS+ man pages.

Using the niscat Command With Directories

The niscat -o command can be used to list the object properties of an NIS+ directory. To use it, you must have read access to the directory object itself.

Listing the Object Properties of a Directory

To list the object properties of a directory, use niscat -o and the directory's name:

niscat -o directory-name

For example:

rootmaster# niscat -o
Object Name : doc
Owner :
Group :
Domain : Com.
Access Rights : r---rmcdr---r---
Time to Live : 24:0:0
Object Type : DIRECTORY

The nisls Commandniscat Command With Directories

The nisls command lists the contents of an NIS+ directory. To use it, you must have read rights to the directory object.

To display in terse format, use:

nisls [-dgLmMR] directory-name

To display in verbose format, use:

nisls -l [-gm] [-dLMR] directory-name
Table 12-1 Options for the nisls Command




Directory object. Instead of listing a directory's contents, treat it like another object. 


Links. If the directory name is actually a link, the command follows the link and displays information about the linked directory. 


Master. Get the information from the master server only. Although this provides the most up-to-date information, it may take longer if the master server is busy. 


Recursive. List directories recursively. That is, if a directory contains other directories, their contents are displayed as well. 


Long. Display information in long format. Long format displays an object's type, creation time, owner, and access rights. 


Group. When displaying information in long format, display the directory's group owner instead of its owner. 


Modification time. When displaying information in long format, display the directory's modification time instead of its creation time. 

Listing the Contents of a Directory--Terse

To list the contents of a directory in the default short format, use one or more of the options listed below and a directory name. If you don't supply a directory name, NIS+ will use the default directory.

nisls [-dLMR] directory-name


nisls [-dLMR]

For example, this instance of nisls is entered from the root master server of the root domain

rootmaster% nisls

Here is another example entered from the root master server:

rootmaster% nisls -R

Listing the Contents of a Directory--Verbose

To list the contents of a directory in the verbose format, use the -l option and one or more of the options listed below. The -g and -m options modify the attributes that are displayed. If you don't supply a directory name, NIS+ will use the default directory.

nisls -l [-gm] [-dLMR] directory-name


nisls -l [-gm] [-dLMR]

Here is an example, entered from the master server of the root domain

rootmaster% nisls -l
D r---rmcdr---r--- date org_dir
D r---rmcdr---r--- date groups_dir

The nismkdir Command

Note -

This section describes how to add a nonroot server to an existing domain using the nismkdir command. An easier way to do this is with the nisserver script as described in Solaris Naming Setup and Configuration Guide

The nismkdir command creates a nonroot NIS+ directory and associates it with a master server. (To create a root directory, use the nisinit -r command, described in "The nisinit Command ".) The nismkdir command can also be used to add a replica to an existing directory.

There are several prerequisites to creating an NIS+ directory, as well as several related tasks. For a complete description, see Solaris Naming Setup and Configuration Guide.

To create a directory, use:

nismkdir [-m master-server] \

To add a replica to an existing directory, use:

nismkdir -s replica-server \
nismkdir -s replica-server \
nismkdir -s replica-server \

Creating a Directory

To create a directory, you must have create rights to its parent directory on the domain master server. First use the -m option to identify the master server and then the -s option to identify the replica, use:

nismkdir -m master directory
nismkdir -s replica directory

Caution - Caution -

Always run nismkdir on the master server. Never run nismkdir on the replica machine. Running nismkdir on a replica creates communications problems between the master and the replica.

this example creates the directory and specifies its master server, and its replica, It is entered from the root master server.

rootmaster% nismkdir -m
rootmaster% nismkdir -m
rootmaster% nismkdir -m
rootmaster% nismkdir -s
rootmaster% nismkdir -s
rootmaster% nismkdir -s

GraphicThe nismkdir command allows you to use the parent directory's servers for the new directory instead of specifying its own. However, this should not be done except in the case of small networks. Here are two examples:

GraphicThe second example creates the directory and specifies its own master server,

rootmaster% nismkdir -m

Since no replica server is specified, the new directory will have only a master server until you use nismkdir again to assign it a replica. If the domain already existed, the nismkdir command as shown above would have made its new master server and would have relegated its old master server to a replica.

Adding a Replica to an Existing Directory

This section describes how to add a replica server to an existing system using the nismkdir command. An easier way to do this is with the nisserver script as described in Solaris Naming Setup and Configuration Guide.

Keep in mind the following principles:

To assign a new replica server to an existing directory, use nismkdir on the master server with the -s option and the name of the existing directory, org_dir, and groups_dir:

nismkdir -s replica-server existing-directory-name
nismkdir -s replica-server org_dir. existing-directory-name
nismkdir -s replica-server groups_dir. existing-directory-name

The nismkdir command realizes that the directory already exists, so it does not recreate it. It only assigns it the additional replica. Here is an example with rep1 being the name of the new replica machine:

rootmaster% nismkdir -s
rootmaster% nismkdir -s
rootmaster% nismkdir -s

Caution - Caution -

Always run nismkdir on the master server. Never run nismkdir on the replica machine. Running nismkdir on a replica creates communications problems between the master and the replica.

After running the three iterations of nismkdir as shown above, you need to run nisping from the master server on the three directories:

rootmaster# nisping
rootmaster# nisping
rootmaster# nisping

You should see results similar to these:

rootmaster# nisping
Pinging replicas serving directory :
Master server is
 Last update occurred at Wed Nov 18 19:54:38 1995
Replica server is
 Last update seen was Wed Nov 18 11:24:32 1995
 Pinging ...

It is good practice to include nisping commands for each of these three directories in the master server's cron file so that each directory is "pinged" at least once every 24 hours after being updated.

The nisrmdir Command

The nisrmdir command can remove a directory or simply dissociate a replica server from a directory. (When a directory is removed or disassociated from a replica server, that machine no longer functions as an NIS+ replica server for that NIS+ domain.)

When it removes a directory, NIS+ first disassociates the master and replica servers from the directory, and then removes the directory.

If problems occur, see "Removal or Disassociation of NIS+ Directory from Replica Fails".

Removing a Directory

To remove an entire directory and dissociate its master and replica servers, use the nisrmdir command without any options:

nisrmdir directory-name
nisping domain

This example removes the directory from beneath the directory:

rootmaster% nisrmdir
rootmaster% nisping

Disassociating a Replica From a Directory

To disassociate a replica server from a directory, you must first remove the directory's org_dir and groups_dir subdirectories. To do this, use the nisrmdir command with the -s option. After each of the subdirectories are removed, you must run nisping on parent domain.

nisrmdir -s replicanameorg_dir.domain
nisrmdir -s replicanamegroups_dir.domain
nisrmdir -s replicaname domain
nisping domain

This example disassociates the manfreplica1 server from the directory:

rootmaster% nisrmdir -s manfreplica1
rootmaster% nisrmdir -s manfreplica1
rootmaster% nisrmdir -s manfreplica1
rootmaster% nisping

If the replica server you are trying to dissociate is down or out of communication, the nisrmdir -scommand returns a Cannot remove replicaname: attempt to remove a non-empty table error message. In such cases, you can run nisrmdir -f -s replicaname on the master to force the dissociation. Note, however, that if you use nisrmdir -f -s to dissociate an out-of-communication replica, you must run nisrmdir -f -s again as soon as the replica is back on line in order to clean up the replica's /var/nis file system. If you fail to rerun nisrmdir -f -s replicaname when the replica is back in service, the old out-of-date information left on the replica could cause problems.

The nisrm Command

The nisrm command is similar to the standard rm system command. It removes any NIS+ object from the namespace, except directories and nonempty tables. To use the nisrm command, you must have destroy rights to the object. However, if you don't, you can use the -f option, which tries to force the operation in spite of permissions.

You can remove group objects with the nisgrpadm -d command (see "Deleting an NIS+ Group "), and you can empty tables with nistbladm -r or nistbladm -R (see "Deleting a Table ").

To remove a nondirectory object, use:

nisrm [-if] object-name
Table 12-2 nisrm Syntax Options




Inquire. Asks for confirmation prior to removing an object. If the object-name you provide is not fully qualified, this option is used automatically.


Force. Attempts to force a removal even if you don't have the proper permissions. It attempts to change the permission by using the nischmod command, and then tries to remove the object again.

Removing Nondirectory Objects

To remove nondirectory objects, use the nisrm command and provide the object names:

nisrm object-name...

This example removes a group and a table from the namespace:

rootmaster% nisrm -i
Remove y
Remove y

The rpc.nisd Command

The rpc.nisd command starts the NIS+ daemon. The daemon can run in NIS-compatibility mode, which enables it to answer requests from NIS clients as well. You don't need any access rights to start the NIS+ daemon, but you should be aware of all its prerequisites and related tasks. They are described in Solaris Naming Setup and Configuration Guide.

By default, the NIS+ daemon starts with security level 2.

To start the daemon, use:


To start the daemon in NIS-compatibility mode, use:

rpc.nisd -Y [-B]

To start an NIS-compatible daemon with DNS forwarding capabilities, use:

rpc.nisd -Y -B
Table 12-3 Other rpc.nisd Syntax Options



-S security-level

Specifies a security level, where 0 means no NIS+ security and 2 provides full NIS+ security. (Level 1 is not supported.)


Forces a checkpoint of the directory served by the daemon. This has the side effect of emptying the directory's transaction log and freeing disk space. 

To start the NIS+ daemon on any server, use the command without options:


The daemon starts with security level 2, which is the default.

To start the daemon with security level 0, use the -S flag:

rpc.nisd -S 0

Starting a NIS-Compatible Daemon

You can start the NIS+ daemon in NIS-compatibility mode in any server, including the root master. Use the -Y (uppercase) option:

rpc.nisd -Y

If the server is rebooted, the daemon will not restart in NIS-compatibility mode unless you also uncomment the line that contains EMULYP=Y in the server's /etc/init.d/rpc file.

Starting a DNS-Forwarding NIS-Compatible Daemon

You can add DNS forwarding capabilities to an NIS+ daemon running in NIS-compatibility mode by adding the -B option to rpc.nisd:

rpc.nisd -Y -B

If the server is rebooted, the daemon will not restart in DNS-forwarding NIS-compatibility mode unless you also uncomment the line that contains EMULYP=-Y in the server's /etc/init.d/rpc file and change it to:


Stopping the NIS+ Daemon

To stop the NIS+ daemon, whether it is running in normal or NIS-compatibility mode, kill it as you would any other daemon: first find its process ID, then kill it:

rootmaster# ps -e | grep rpc.nisd
root 1081 1 61 16:43:33 ? 0:01 rpc.nisd -S 0
root 1087 1004 11 16:44:09 pts/1 0:00 grep rpc.nisd
rootmaster# kill 1081

The nisinit Command

This section describes how to initialize a workstation client using the nisinit command. An easier way to do this is with the nisclient script as described in Solaris Naming Setup and Configuration Guide.

The nisinit command initializes a workstation to be an NIS+ client or server. As with the rpc.nisd command, you don't need any access rights to use the nisinit command, but you should be aware of its prerequisites and related tasks. These are described in Solaris Naming Setup and Configuration Guide.

Initializing a Client

You can initialize a client in three different ways:

Each way has different prerequisites and associated tasks. For instance, before you can initialize a client by host name, the client's /etc/hosts file must list the host name you will use and nsswitch.conf file must have files as the first choice on the hosts line. Complete instructions for each method, including prerequisites and associated tasks, are provided in Solaris Naming Setup and Configuration Guide. Following is a summary of the steps that use the nisinit command.

To initialize a client by host name, use the -c and -H options, and include the name of the server from which the client will obtain its cold-start file:

nisinit -c -H hostname

To initialize a client by cold-start file, use the -c and -C options, and provide the name of the cold-start file:

nisinit -c -C filename

To initialize a client by broadcast, use the -c and -B options:

nisinit -c -B

Initializing the Root Master Server

To initialize the root master server, use the nisinit -rcommand:

nisinit -r

You will need the following information

Table 12-4 Internet Organizational Domains




Commercial organizations 


Educational institutions 


Government institutions 


Military groups 


Major network support centers 


Nonprofit organizations and others 


International organizations 

The nis_cachemgr Command

The nis_cachemgr command starts the NIS+ cache manager program, which should run on all NIS+ clients. The cache manager maintains a cache of location information about the NIS+ servers that support the most frequently used directories in the namespace, including transport addresses, authentication information, and a time-to-live value.

At start-up the cache manager obtains its initial information from the client's cold-start file, and downloads it into the /var/nis/NIS_SHARED_DIRCACHE file.

The cache manager makes requests as a client workstation. Make sure the client workstation has the proper credentials, or instead of improving performance, the cache manager will degrade it.

Starting and Stopping the Cache Manager

To start the cache manager, enter the nis_cachemgr command (with or without the -i option):

client% nis_cachemgr
client% nis_cachemgr -i

Without the -i option, the cache manager is restarted but it retains the information in the /var/nis/NIS_SHARED_DIRCACHE file. The information in the cold-start file is simply appended to the existing information in the file. The -i option clears the cache file and re-initializes it from the contents of the client's cold-start file.

To stop the cache manager, kill it as you would any other process.

The nisshowcache Command

The nisshowcache command displays the contents of a client's directory cache.

Displaying the Contents of the NIS+ Cache

The nisshowcache command is located in /usr/lib/nis. It displays only the cache header and the directory names. Here is an example entered from the root master server:

rootmaster# /usr/lib/nis/nisshowcache -v
Cold Start directory:
Name :
Type : NIS
Master Server :
 Name :
 Public Key : Diffie-Hellman (192 bits)
 Universal addresses (3)
 . .
 Name :
 Public Key : Diffie-Hellman (192 bits)
 Universal addresses (3)
Time to live : 12:0:0
Default Access Rights :

Pinging and Checkpointing

When a change is made to the NIS+ data set, that change is made in the memory of the master server for the NIS+ domain (or subdomain). A record of the change is also logged in the master server's transaction log (/var/nis/data/trans.log).

Normally, the master server transfers a change in the NIS+ data set to the domain's replica servers 120 seconds (2 minutes) after the change was made. This transfer process is called pinging. When the master server pings a replica, it updates the replica's data set with the change. The changed NIS+ data now resides in memory of the master and replica servers.

If a the automatic ping process fails to update one or more replica servers, you need to manually force a ping as described in "Forcing a Ping". If you suspect that a replica has not been correctly updated with the most current NIS+ data, you can check when the replica was last updated as described in "Displaying When Replicas Were Last Updated ".

Changes to the NIS+ data set stored in server memory and recorded in the transaction log need to be written into the NIS+ tables stored on disk. The process of updating the NIS+ tables is called checkpointing.

Checkpointing is not an automatic process. You must issue the checkpoint command as described in "Checkpointing a Directory".

The nisping Command

The nisping command is used to:

Displaying When Replicas Were Last Updated

When used with the -u option, the nisping command displays the update times for the master and replicas of the local domain.

/usr/lib/nis/nisping -u [domain]

To display the last updates in some other domain, specify the domain name in the command line. Note that when used with the -u option, the nisping command does not actually ping any replicas.

For example, to display the most recent replica update times for the local domain, you would enter:

rootmaster# /usr/lib/nisping -u
Last updates for directory
Master server is
 Last update occurred at Wed Nov 25 10:53:37 1992
Replica server is
 Last update seen was Wed Nov 25 10:53:37 1992

Forcing a Ping

If the nisping -u command reveals that a replica has not been properly updated, you can use the nisping command to force the master server to ping all the replicas in a domain, or one replica in particular.

To ping all the replicas, use the nisping command without options:


This forces the master server to ping all the replicas in the domain. Here is an example that pings all the replicas of the local domain:

rootmaster# /usr/lib/nis/nisping
Pinging replicas serving directory
Master server is
 Last update occurred at Wed Nov 25 10:53:37 1992
Replica server is
 Last update seen was Wed Nov 18 11:24:32 1992
 Pinging ...

To ping all the replicas in a domain other than the local domain, append a domain name:

/usr/lib/nis/nisping domainname

You can also ping all the tables in all the directories on a single specified host. To ping all the tables in all the directories of a particular host, us the -a option:

/usr/lib/nis/nisping -a hostname

Checkpointing a Directory

Each domain and subdomain should be checkpointed at least once every 24 hour, or more often if the transaction log grows too large in relationship to swap space or total disk space.

Note -

Checkpointing large domains, or any domain with a large transaction log, is a time-consuming process which ties up NIS+ servers and slows NIS+ service. While a server is checkpointing, it will still answer requests for service, but it will be unavailable for updates. If possible, checkpoint operations should be scheduled for times when system use is low. You can use the cron file to schedule checkpoint operations.

To perform a checkpoint operation, run nisping -C on the domain's master server. It is good practice to first ping all replicas before checkpointing. This ensures that the replicas are checkpointing data that is current and up to date.

rootmaster# /usr/lib/nis/nisping
rootmaster# /usr/lib/nis/nisping -C -a

Once a server has transferred information from the server's transaction log to the appropriate NIS+ tables, the transactions in the log file are erased to conserve disk space.

For example, to checkpoint all of the directories in the domain, you would enter:

rootmaster# /usr/lib/nis/nisping -C -a
Checkpointing replicas serving directory :
Master server is
 Last update occurred at Wed May 25 10:53:37 1995
Master server is
checkpoint has been scheduled with
Replica server is
 Last update seen was Wed May 25 10:53:37 1995
Replica server is
checkpoint has been scheduled with

The nislog Command

The nislog command displays the contents of the transaction log.

/usr/sbin/nislog -h [number]
/usr/sbin/nislog -t [number]
Table 12-5 Options for the nislog Command



-h [num]

Display transactions starting with the head (beginning) of the log. If the number is omitted, the display begins with the first transaction. If the number 0 is entered, only the log header is displayed 

-t [num]

Display transactions starting backward from the end (tail) of the log. If the number is omitted, the display begins with the last transaction. If the number 0 is entered, only the log header is displayed 


Verbose mode 

Displaying the Contents of the Transaction Log

Each transaction consists of two parts: the particulars of the transaction and a copy of an object definition.

Here is an example that shows the transaction log entry that was made when the directory was first created. "XID" refers to the transaction ID.

rootmaster# /usr/sbin/nislog -h 1
NIS Log printing facility.
NIS Log dump:
 Log state : STABLE
Number of updates : 48
Current XID : 39
Size of log in bytes : 18432
#00000, XID : 1
Time : Wed Nov 25 10:50:59 1992
Directory :
Entry type : ADD Name
Entry timestamp : Wed Nov 25 10:50:59 1992
Principal :
Object name :
Object Name : org_dir
Owner :
Group :
Domain :
Access Rights : r---rmcdr---r---
Time to Live : 24:0:0
Object Type : DIRECTORY
Name : `'
Type: NIS
Master Server :
#00000, XID : 2

The nischttl Command

The nischttl command changes the time-to-live value of objects or entries in the namespace. This time-to-live value is used by the cache manager to determine when to expire a cache entry. You can specify the time-to-live in total number of seconds or in a combination of days, hours, minutes, and seconds.

The time-to-live values you assign objects or entries should depend on the stability of the object. If an object is prone to frequent change, give it a low time-to-live value. If it is steady, give it a high one. A high time-to-live is a week; a low one is less than a minute. Password entries should have time-to-live values of about 12 hours to accommodate one password change per day. Entries in tables that don't change much, such as those in the RPC table, can have values of several weeks.

To change the time-to-live of an object, you must have modify rights to that object. To change the time-to-live of a table entry, you must have modify rights to the table, entry, or columns you wish to modify.

To display the current time-to-live value of an object or table entry, use the nisdefaults -t command, described in Chapter 9, Administering NIS+ Access Rights.

To change the time-to-live value of objects, use:

nischttl time-to-live object-name


nischttl [-L] time-to-live object-name

To change the time-to-live value of entries, use:

nischttl time-to-live \
 [column=value,...], \


nischttl [-ALP] time-to-live \
 [column=value,...], \

Where time-to-live is expressed as:

These values may be used in combination. For example, a TTL value of 4d3h2m1s would specify a time to live of four days, three hours, two minutes, and one second.

The following flags may also be used with the nischttl command:

Table 12-6 nischttl Syntax Options




All. Apply the change to all the entries that match the column=value specifications that you supply.


Links. Follow links and apply the change to the linked object rather than the link itself. 


Path. Follow the path until there is one entry that satisfies the condition. 

Changing the Time-to-Live of an Object

To change the time-to-live of an object, type the nischttl command with the time-to-live value and the object-name. You can add the -L command to extend the change to linked objects.

nischttl -L time-to-live object-name

You can specify the time-to-live in seconds by typing the number of seconds. Or you can specify a combination of days, hours, minutes, and seconds by using the suffixes s, m, h, and d to indicate the number of seconds, minutes, days, and hours. For example:

client% nischttl 86400
client% nischttl 24h
client% nischttl 2d1h1m1s

The first two commands change the time-to-live of the directory to 86,400 seconds, or 24 hours. The third command changes the time-to-live of all the entries in a hosts table to 2 days, 1 hour, 1 minute, and 1 second.

Changing the Time-to-Live of a Table Entry

To change the time-to-live of entries, use the indexed entry format. You can use any of the options, -A, -L, or -P.

nischttl [-ALP] time-to-live \
 [column=value,...], \

Note -

C-shell users should use quotes to prevent the shell from interpreting the square brackets ([]) around the column value as a meta character.

These examples are similar to those above, but they change the value of table entries instead of objects:

client% nischttl 86400 '[uid=99],'
client% nischttl 24h `[uid=99],'
client% nischttl 2d1h1m1s `[name=fred],'

Chapter 13 Administering NIS+ Tables

This chapter describes NIS+ tables and how to administer them. (See Appendix C, Information in NIS+ Tables, for detailed descriptions of the default NIS+ tables.)

NIS+ Tables

Information used by NIS+ is stored in NIS+ tables. (See Appendix C, Information in NIS+ Tables, for a description of each default NIS+ system tables supplied in Solaris 2.6 release.)

For a complete description of NIS+ table-related commands and their syntax and options, see the NIS+ man pages.

The nistbladm Command

Note -

Some NIS+ table administration tasks can be performed more easily with Solstice AdminSuitetools if you have them available.

The nistbladm command is the primary NIS+ table administration command. The nistbladm command is for use on NIS+ tables stored in an NIS+ directory object. With it, you can create, modify, and delete NIS+ tables and entries. To create a table, its directory must already exist. To add entries to the table, the table and columns must already be defined.

To create a table, you must have create rights to the directory under which you will create it. To delete a table, you must have destroy rights to the directory. To modify the contents of a table, whether to add, change, or delete entries, you must have modify rights to the table or the entries.

nistbladm Syntax Summary

The general syntax of the nistbladm command is:

nistbladm -a column="value" \
 column="value" \
 column="value" \
 ... tablename
nistbladm -a indexedname

nistbladm options \
 [columspec | columnvalue] \
 [tablename | indexedname]


Table 13-1 nistbladm Options



-a | -A

Add an entry to an existing NIS+ table. The -a option returns an error if execution of the command would result in overwritting any existing entry. The -A option forces execution of the command even if it results in overwriting an existing entry. (See "Adding Entries to a Table ".)

-D defaults

Specify a different set of default properties when creating an object. (See the nistbladm man page for details.)


Destroy a table. (See "Deleting a Table ".)


Create a table. (See "Creating a New Table ".)

-r | -R

Remove one or more entries from an existing NIS+ table. The -r option returns an error if execution of the command would result in removal of more than one entry. The -R option forces execution of the command even if it results in removing multiple entries. (See "Removing Table Entries ".)


An obsoleted option for modifying table entries that is still supported for backwards compatibility. The -e and -E options are the preferred method for editing entries.

-e | -E

Edit an entry in an existing NIS+ table. The -e option returns an error if execution of the command would affect more than one entry. The -A option forces execution of the command even if it results in changing an existing entry in such a way as to overwrite a different entry. (See "Modifying Table Entries ".)

nistbladm and Column Values

Column values are used to identify individual entries in tables using the format:

columname="value", \
 columnname="value", ...


For example, suppose you had a hosts table that listed machine names and IP addresses:

Table 13-2 Example Hosts Table

IP address 












In this example, your could identify the altair entry (row) in three different ways using the column=value of:

But notice in the table above that the machine regulus is multi-homed and has two IP addresses. In that case, the column=value of host=regulus identifies two rows. To identify just the first regulus row, you would enter either:

Note -

Some nistbladm operations require that you enter a column=value pair for every column in the table.

nistbladm, Searchable Columns, and Keysnistbladm and Column Values

When an NIS+ table is created, one or more columns are designated searchable with either the S or the I flags as described in "Specifying Table Columns ". You can use the niscat -o tablename command to display a list of a table's columns and their characteristics.

A table is keyed on its searchable columns. This means that each row in the table must have a unique combination of values in the searchable columns. For example, if a table has one searchable column, each table row must have a unique value in that column, no two rows may contain the same value.

For example, suppose you had a table containing one searchable column named city and a non-searchable column named country. The following rows would all be permitted:



San Francisco 

United States 

Santa Fe 

United States 



But you could not have two rows like:







If a table a table has multiple searchable columns, it is the combination of values that must be unique. For example, suppose you had a table containing two searchable columns, Lastname, Firstname and a non-searchable column named city. The following rows would all be permitted:













But you could not have two rows like this:










NIS+ commands use the values in the searchable columns to identify specific table rows.

nistbladm and Indexed Names

In the context of table administration, an NIS+ indexed name is a name that combines a table name with column value search criteria to identify and select particular entries in a table. Indexed names use the format:


Note that search_criteria must be enclosed in square brackets [ ]. The search_criteria use the format:

columname=value, \

Where columname=value pairs are column values from the table's searchable columns as described in "nistbladm and Column Values ".

For example, to identify the altair entry in Table 13-2 you could use the indexed name:


The nistbladm -R command allows you to remove all the entries in a table by using the two square brackets with nothing between them [ ] as a wildcard specifying all table rows.

nistbladm and Groups

In a Solaris-NIS+ environment, there are three types of groups:

Note -

Do not use nistbladm to administer NIS+ groups.

(See "Solaris Groups" for more information on the different types of groups and how to work with them.)

Creating a New Table

An NIS+ table must have at least one column and at least one of its columns must be searchable. To create an NIS+ table, use the nistbladm command with the -c option:

nistbladm -c tabletype columnspec \
 ... tablename


 nistbladm -c tabletype columnspec columnspec \
 columnspec tablename

Columnspec formats are described in "Specifying Table Columns ", below.

Specifying Table Columns

Each columnspec entry has two to four components in the format:

Table 13-3 Table Column Components




Name of the column 


An equal sign which is required. 


[Optional] The type of column specified by the letters S, I or C (see Table 13-4). This component is optional. If no type is specified, the column becomes the default type.


[Optional] Access rights. These access rights are over and above those granted to the table as a whole or to specific entries. If no access is specified, the column's access rights are those granted to the table as a whole, or to the entry. The syntax for access rights is described in "Specifying Access Rights in Commands".

A column can be one of the following types:

Table 13-4 Table Column Types




No column type specified after the = sign. The column is neither searchable nor encrypted.




Searchable, but case-insensitive. When NIS+ commands search through the column, they will ignore case. 



NIS+ commands search through the column and identify individual table rows based on the contents of the searchable columns. Searchable columns are designated with either the S or the I option. In database terminology, a searchable column is a key. The first column in each table must be searchable. The remaining columns do not have to be searchable. Because the table is keyed on the searchable columns, if you have more than one searchable column, they must be the first and subsequent columns and not skip any columns. For example, if only one column in a table is searchable, it has to be the first column. If two columns are searchable, they must be the first two columns. (see "nistbladm, Searchable Columns, and Keysnistbladm and Column Values " for more information on searchable columns.)

If you specify only access rights, you don't need to use a comma. If you include one or more of the -S, -I, or -C flags, add a comma before the access rights.

In the example below, a table is created with the addition of column-specific access rights applied to the first two columns:

master% nistbladm -c depts Name=I,w+m Site=w+m Name=C \

For more information about specifying column access rights when creating a table, see "Setting Column Rights When Creating a Table".

Note -

NIS+ assumes that all column entries are null terminated. Applications and routines that write information to NIS+ tables must be configured to null terminate each column entry.

Creating Additional Automount Table

If you are creating an automount table, the table can have only two columns. The first column must be named key and the second column must be named value. For example, to create an automount table named auto1, you would enter:

master% nistbladm -c key-value key=S value=

Deleting a Table

To delete a table, use the -d option and enter the table name:

nistbladm -d tablename

The table must be empty before you can delete it (see "Removing Table Entries "). This example deletes the divs table from the directory:

rootmaster% nistbladm -d

Adding Entries to a Table

To add new entries (rows) to a table, use nistbladm with either the -a or -A options followed by either one or more column=value pairs and the table name or an indexed name as described in "nistbladm and Indexed Names".

nistbladm [-a | -A] indexedname
nistbladm [-a | -A] column="value" \
column="value" \
... tablename

When adding new entry rows to a table with either -a or -A:

Note -

NIS+ is a naming service and its tables are designed to store references to objects, not the objects themselves. NIS+ is optimized to support 10,000 objects with a combined total size of all tables not more than 10M bytes. NIS+ does not support individual tables where the sum of field sizes in a single column are greater than approximately 7k. If a table is too large, rpc.nisd may fail.

Adding a Table Entry With the -a Option

The -a option adds an entry to a table unless the entry already exists, in which case it returns an error. An entry is defined as existing if its values in the searchable columns exactly match the values in the new entry's searchable columns. (The values in non-searchable columns are not taken into account.)

To use the -a option, you must specify a value for every column in the table:

nistbladm -a column="value" \
 column="value" \
 ... tablename
nistbladm -a indexedname

(To list the names and characteristics of table columns, use the niscat -o tablename command.)

For example, to add a new row to a table named depts using column=value pairs, you would enter:

rootmaster% nistbladm -a Name='R&D' Site='SanFran' \

To add the same entry using an indexed name, you would enter:

rootmaster% nistbladm -a [Name='R&D',Site='SanFran',\

Both examples would produce a table row that looked like this:







C-shell users should also use quotes to set off expressions using square brackets.

You can only add one entry with each instance of the nistbladm command. You must run nistbladm once for each entry row you want to add.

If a table row already exists with values in each column that are identical to the entry you are trying to create, nistbladm -a will return an error. You cannot have two identical entry rows in a table. In this context, rows are considered identical if the values in the searchable columns are identical, the values in none search able columns are not considered.

For example, if the Dept and Site columns are searchable, and the Name column is not searchable, nistbladm considers the following two rows to be identical:

Dept (searchable) 

Site (searchable) 

Name (not searchable) 







In this example, nistbladm -a would not allow you to create the Sales Vancouver Lincoln row.

However if just some of the searchable columns have values identical to the entry you are trying to create, nistbladm -a will create a new entry as specified. For example, you could run the following commands to create two similar, but not identical, rows in a depts table:

rootmaster% nistbladm -a Dept='Sales' \
   Site='Vancouver' Name='hosteen'
rootmaster% nistbladm -a Dept='Sales' \
   Site='SanFran' Name='lincoln'

Which would produce rows that had some, but not all identical values in the searchable columns:










Adding a Table Entry With the -A Option

The -A option is designed for applications where you need to force nistbladm to overwrite an existing entry. Like the -a option, -A adds a new entry to a table. However, if the entry already exists, instead of exiting with an error, it overwrites the existing entry row.

When using the -A option, you must specify all columns in the entry.

For example, suppose the following table exists and the Dept and Site columns are searchable:

Dept (searchable) 

Site (searchable) 





Now you run the following command:

rootmaster% nistbladm -A Name=Sales Site=SanFran \

The -a option would have returned an error, since the entry specified by Name=Sales Site=SanFran already exists. But the -A option allows you to overwrite the existing row.







Modifying Table Entries

Existing table entries are edited (modified) using either the -e or -E options. The Solaris 2.6 release release also supports use of the -m option for backwards compatibility with earlier releases. (All new applications and command line operations should use either the -e or -E options.)

To edit an existing entry (row) in a table, use nistbladm with either the -e or -E options followed by one or more column=value pairs that specify the new values and ending with an indexed name that identifies a particular row in a table as described in "nistbladm and Indexed Names".

nistbladm [-e | -E] column="value" \
 column="value" \
 ... indexedname

When adding new entry rows to a table with either -e or -E:

Editing a Table Entry With the -e Option

The -e option edits an entry in a table unless doing so would result in changing values in searchable columns in more than one entry row, in which case it returns an error. (The values in non-searchable columns are not taken into account.)

nistbladm column="value" \
 column="value" \
 ... indexedname

To use the -e option, you only need to specify the column values you are changing.

For example, suppose you had the table:







To change the value of the Name column to Chandar, you would enter:

master% nistbladm -e Name="Chandar" [Dept='Sales',Site='SanFran'],\

Now the table looks like this:







(Note that in the example above, the indexed name did not need to include the Name column because in these examples that column is not searchable.)

C-shell users should also use quotes to set off expressions using square brackets.

You can use the -e option to edit the values in searchable columns so long as the new values you specify affect only the single row identified by the indexed name. For example, to change the department to Manf, you would enter:

master% nistbladm -e Dept="Manf" [Dept='Sales',Site='SanFran'],\

Dept (searchable) 

Site (searchable) 





However, if an entry row already existed with Manf and SanFran in the searchable columns, the -e option would return an error.

You can specify changes to multiple columns so long as they all apply to a single entry row. For example, to change both the Dept and Name values, you would enter:

master% nistbladm -e Dept="Manf" Name="Thi" \

Dept (searchable) 

Site (searchable) 





Editing a Table Entry With the -E Option

The -E option is designed for applications where you need to force nistbladm to overwrite an existing entry even if doing so will affect more than one entry.

For example, suppose your table had the following rows:

Dept (searchable) 

Site (searchable) 








Now you run the following command:

master% nistbladm -E Site="Alameda" Mgr="Chu" \

Which would change the Sales SanFran Chandar row to Sales Alameda Chu. But Sales Alameda are the key values identifying the Sales Alameda Achmed row, so that row would also be changed. The result would be a single row where once there had been two rows:

Dept (searchable) 

Site (searchable) 





The -e option would have returned an error, since the edit would affect more than one row. But the -E option allows you to affect more than one entry row.

Removing Table Entries

Removing Single Table Entries

To remove a single entry from a table, use the -r option:

nistbladm -r indexed-name

This example removes the Manf-1 entry from the depts table:

rootmaster% nistbladm -r [Dept=Manf-1,Site=Emeryville,Name=hosteen],\

You can specify as few column values as you wish. If NIS+ finds duplicates, it does not remove any entry and returns an error message instead. Thus, you could have removed the Manf-1 by specifying only the Site column value, as in this example:

rootmaster% nistbladm -r [Site=Emeryville],

However, you could not have removed the Sales entry by specifying only the Site column value (SanFran), because two entries have that same value (R&D and Sales):
















Removing Multiple Entries From a Table

To remove multiple entries from a table, use the -R option:

nistbladm -R indexedname

As with the -r option, you can specify as few column values as you wish. Unlike the -r option, however, if NIS+ finds duplicates, it removes all of them. You can find the name of a table's column by using the niscat -o command. This example removes all entries in which the Site is SanFran:

rootmaster% nistbladm -R [Site=SanFran],










You can use the -R option to remove all the entries from a table. Simply do not specify any column values between the square brackets, as in this example:

rootmaster% nistbladm -R [],

When used with the nistbladm -R command, an empty set of square brackets is interpreted as a wildcard specifying all table rows.

The niscat Command

The niscat command displays the contents of an NIS+ table. However, you can also use it to display the object properties of the table. You must have read rights to the table, entries, or columns that you wish to display.


To display the contents of a table, use:

niscat [-hM] tablename

To display the object properties of a table, use:

niscat -o tablename
niscat -o entry
Table 13-5 niscat Options




Header. Displays a header line above the table entries, listing the name of each column. 


Master. Displays only the entries of the table stored on the Master server. This ensures you get the most up-to-date information and should be used only for debugging. 


Object. Displays object information about the table, such as column names, properties, and servers. 

Displaying the Contents of a Table

To display the contents of a table, use niscat with a table name:

niscat tablename

This example displays the contents of the table named depts.

rootmaster% niscat -h

Note -

The symbol *NP* indicates that you do not have permission to view that entry. Permissions are granted on a table, column, or entry (row) basis. For more on access permissions, see Chapter 9, Administering NIS+ Access Rights.

Displaying the Object Properties of a Table or Entry

To list the object properties of a table us niscat -o and the table's name:

niscat -o tablename.org_dir

To display the object properties of a table entry, use niscat -o and specify the entry with an indexed name:

entry ::=column=value \
 ... tablename | \

Here are two examples, one for a table and one for a table entry:


rootmaster# niscat -o
Object Name : hosts
Owner :
Group :
Domain :
Access Rights : ----rmcdr---r---
Time to Live : 12:0:0
Object Type : TABLE
Table Type : hosts_tbl
Number of Columns : 4
Character Separator :
Search Path :
Columns :
 [0] Name : cname
 Access Rights: ----------------
 [1] Name : name
 Access Rights: ----------------
 [2] Name : addr
 Access Rights: ----------------
 [3] Name : comment
 Attributes : (TEXTUAL DATA)
 Access Rights: ----------------

Table entry

rootmaster# niscat -o [name=rootmaster],
Object Name : hosts
Owner :
Group :
Domain :
Access Rights : ----rmcdr---r---
Time to Live : 12:0:0
Object Type : ENTRY
 Entry data of type hosts_tbl
 Entry has 4 columns.

The nismatch and nisgrep Commands

The nismatch and nisgrep commands search through NIS+ tables for entries that match a particular string or regular expression, respectively. They display either the entries themselves or a count of how many entries matched. The differences between the nismatch and nisgrep commands are highlighted in Table 13-6 below.

Table 13-6 Characteristics of nismatch and nisgrep




Search criteria 

Accepts text only 

Accepts regular expressions 




Searches through 

Searchable columns only 

All columns, whether searchable or not 

Syntax of search criteria 

column=string ... tablename[ column= string,...], tablename

column=exp ... tablename

The tasks and examples in this section describe the syntax for both commands.

To use either command, you must have read access to the table you are searching through.

The examples in this section are based on the values in the following table, named Only the first two columns are searchable.

Name (S) 

Site (S) 























About Regular Expressions

Regular expressions are combinations of text and symbols that you can use to search for special configurations of column values. For example, the regular expression `Hello' searches for a value that begins with Hello. When using a regular expression in the command line, be sure to enclose it in quotes, since many of the regular expression symbols have special meaning to the Bourne and C shells. For example:

rootmaster% nisgrep -h greeting='Hello'

The regular expression symbols are summarized in Table 13-7, below.

Table 13-7 Regular Expression Symbols




Find a value that begins with string.

string $

Find a value that ends with string.

Find a value that has a number characters equal to the number of periods. 


Find a value that contains any of the characters in the brackets. 


Find a value that has zero or more matches of the expr.


Find something that appears one or more times. 


Find any value. 


Find a special character, such as ? or $. 

x | y

Find a character that is either x or y.


To search through the first column, use:

nismatch string tablename  
nisgrep reg-exp tablename

To search through a particular column, use:

nismatch column=string tablename
nisgrep column=reg-exp tablename 

To search through multiple columns, use:

nismatch column=string tablename ...\
nismatch [column=string,...],tablename
nisgrep column=reg-exp ... \
Table 13-8 nismatch and nisgrep Options




Count. Instead of the entries themselves, displays a count of the entries that matched the search criteria. 


Header. Displays a header line above the entries, listing the name of each column. 


Master. Displays only the entries of the table stored on the master server. This ensures you get the most up-to-date information and should be used only for debugging. 

Searching the First Column

To search for a particular value in the first column of a table, simply enter the first column value and a tablename. In nismatch, the value must be a string. In nisgrep, the value must be a regular expression.

nismatch [-h] string tablename
nisgrep [-h] reg-expression tablename

This example searches through the depts table for all the entries whose first column has a value of R&D:

rootmaster% nismatch -h `R&D'
rootmaster% nisgrep -h `R&D'

Note -

Quotes are used in the 'R&D' expression above to prevent the shell from interpreting the ampersand (&) as a metacharacter.

Searching a Particular Column

To search through a particular column other than the first, use the following syntax:

nismatch column=string tablename
nisgrep column=reg-expression tablename

This example searches through the depts table for all the entries whose second column has a value of SanFran:

rootmaster% nismatch -h Site=SanFran
rootmaster% nisgrep -h Site=SanFran

Searching Multiple Columns

To search for entries with matches in two or more columns, use the following syntax:

nismatch [-h] [column=string, ... \
nisgrep [-h] column=reg-exp ... \

This example searches for entries whose second column has a value of SanFran and whose third column has a value of jhill:

rootmaster% nismatch -h [Site=SanFran,Name=jhill],
rootmaster% nisgrep -h Site=SanFran Name=jhill

The nisln Command

The nisln command creates symbolic links between NIS+ objects such as tables and directories. All NIS+ administration commands accept the -L flag, which directs them to follow links between NIS+ objects.

Note -

Do not link table entries. Tables may be linked to other tables, but do not link an entry in one table to an entry in another table.

To create a link to another object (table or directory), you must have modify rights to the source object; that is, the one that will point to the other object or entry.

Caution - Caution -

Never link a cred table. Each org_dir directory should have its own cred table. Do not use a link to some other org_dir cred table.


To create a link, use:

nisln source target
Table 13-9 nisln Options




Follow links. If the source is itself a link, the new link will not be linked to it, but to that link's original source.


Defaults. Specify a different set of defaults for the linked object. Defaults are described in "Specifying Nondefault Security Values at Creation Time".

Creating a Link

To create a link between objects such as tables and directories, specify both object names: first the source, and then the target. Do not link table entries.

nisln source-object target-object

The nissetup Command

The nissetup command expands an existing NIS+ directory object into a domain by creating the org_dir and groups_dir directories, and a full set of NIS+ tables. It does not, however, populate the tables with data. For that, you will need the nisaddent command, described in "The nisaddent Command". Expanding a directory into a domain is part of the process of setting up a domain.

Note -

When setting up a new NIS+ domain, the nisserverscript is easier to use than the nissetup command. See Solaris Naming Setup and Configuration Guide for a full description of using nisserver.

The nissetup command can expand a directory into a domain that supports NIS clients as well.

To use nissetup, you must have modify rights to the directory under which you'll store the tables.

Expanding a Directory Into an NIS+ Domain

You can use the nissetup command with or without a directory name. If you don't supply the directory name, it uses the default directory. Each object that is added is listed in the output.

rootmaster# /usr/lib/nis/nissetup created created created created created created created created created created created created created created created created created created created

Expanding a Directory Into an NIS-Compatible Domain

To expand a directory into a domain that supports NIS+ and NIS client requests, use the -Y flag. The tables are created with read rights for the nobody class so that NIS clients requests can access them.

rootmaster# /usr/lib/nis/nissetup -Y

The nisaddent Command

The nisaddent command loads information from text files or NIS maps into NIS+ tables. It can also dump the contents of NIS+ tables back into text files. If you are populating NIS+ tables for the first time, see the instructions in Solaris Naming Setup and Configuration Guide. It describes all the prerequisites and related tasks.

You can use nisaddent to transfer information from one NIS+ table to another (for example, to the same type of table in another domain), but not directly. First, you need to dump the contents of the table into a file, and then load the file into the other table. Be sure, though, that the information in the file is formatted properly. Appendix C, Information in NIS+ Tables, describes the format required for each table.

When you load information into a table, you can use any of three options: replace, append, or merge. The append option simply adds the source entries to the NIS+ table. With the replace option, NIS+ first deletes all existing entries in the table and then adds the entries from the source. In a large table, this adds a large set of entries into the table's .log file (one set for removing the existing entries, another for adding the new ones), taking up space in /var/nis and making propagation to replicas time consuming.

The merge option produces the same result as the replace option but uses a different process, one that can greatly reduce the number of operations that must be sent to the replicas. With the merge option, NIS+ handles three types of entries differently:

When updating a large table with a file or map whose contents are not greatly different from those of the table, the merge option can spare the server a great many operations. Because the merge option deletes only the entries that are not duplicated in the source (the replace option deletes all entries, indiscriminately), it saves one delete and one add operation for every duplicate entry.

If you are loading information into the tables for the first time, you must have create rights to the table object. If you are overwriting information in the tables, you must have modify rights to the tables.


To load information from text files, use:

/usr/lib/nis/nisaddent -f filename table-type\[domain]
/usr/lib/nis/nisaddent -f filename \
 -t tablename table-type [domain]

To load information from NIS maps, use:

/usr/lib/nis/nisaddent -y NISdomain table-type\
/usr/lib/nis/nisaddent -y NISdomain -t tablename table-type [domain]
/usr/lib/nis/nisaddent -Y map table-type [domain]
/usr/lib/nis/nisaddent -Y map -t tablename table-type [domain]

To dump information from an NIS+ table to a file, use:

/usr/lib/nis/nisaddent -d [-t tablename tabletype] \
 > filename

Loading Information From a File

You can transfer the contents of a file into an NIS+ table in several different ways:

nisaddent -f filename table-type

nisaddent -a -f filename table-type

nisaddent -m -f filename table-type

The following two examples load the contents of a text file named /etc/passwd.xfr into the NIS+ Passwd table. The first is into a table in the local domain, the second into a table in another domain:

rootmaster# /usr/lib/nis/nisaddent -f /etc/passwd.xfr passwd
rootmaster# /usr/lib/nis/nisaddent -f /etc/shadow.xfr shadow
rootmaster# /usr/lib/nis/nisaddent -f /etc/passwd.xfr passwd
rootmaster# /usr/lib/nis/nisaddent -f /etc/shadow.xfr shadow

Note -

When creating an NIS+ passwd table from /etc files, you must run nisaddent twice; once on the /etc/passwd file and once on the /etc/shadow file.

Another way is to use stdin as the source. However, you cannot use the -m option with stdin. You can use redirect (->) or pipe (-|), but you cannot pipe into another domain.




cat filename > nisaddent table-type

Redirect with append option 

cat filename > nisaddent -a table-type

Redirect with append into another domain 

cat filename > nisaddent -a table-type NIS+ domain


cat filename | nisaddent table-type

Pipe with append option 

cat filename | nisaddent -a table-type

If the NIS+ table is an automounter table or a nonstandard table, add the -t option and the complete name of the NIS+ table.

master# nisaddent -f /etc/auto_home.xfr \
master# nisaddent -f /etc/auto_home.xfr \
  -t key-value

Loading Data From an NIS Map

You can transfer information from an NIS map in two different ways; either by specifying the NIS domain or by specifying the actual NIS map. If you specify the domain, NIS+ will figure out which map file in /var/yp/nisdomain to use as the source, based on the table-type. Note that /var/yp/nisdomain must be local files.

NIS+ Table Type 

NIS Map Name 



















To transfer by specifying the NIS domain, use the -y (lowercase) option and provide the NIS domain in addition to the NIS+ table type.

Table replacement

nisaddent -y nisdomain table-type

Table append

nisaddent -a -y nisdomain table-type

Table merge

nisaddent -m -y nisdomain table-type

By default, nisaddent replaces the contents of the NIS+ table with the contents of the NIS map. Use the -a and -m options to append or merge. Here is an example that loads the NIS+ passwd table from its corresponding NIS map (passwd.byname) in the old-doc domain:

rootmaster# /usr/lib/nis/nisaddent -y old-doc passwd

This example does the same thing, but for the domain instead of the local domain,

rootmaster# /usr/lib/nis/nisaddent -y old-doc passwd

If the NIS+ table is an automounter table or a nonstandard table, add the -t option and the complete name of the NIS table, just as you would if the source were a file.

rootmaster# nisaddent -y old-doc \
  -t key-value
rootmaster# nisaddent -y old-doc \
  -t key-value

If instead of using the map files for a domain, you prefer to specify a particular NIS map, use the -Y (uppercase) option and specify the map name.

rootmaster# nisaddent -Y hosts.byname hosts
rootmaster# nisaddent -Y hosts.byname hosts

If the NIS map is an automounter map or a non standard map, combine the -Y option with the -t option:

rootmaster# nisaddent -Y auto_home 
 -t key-value
rootmaster# nisaddent -Y auto_home 
 -t key-value

Dumping the Contents of an NIS+ Table to a File

To dump the contents of an NIS+ table into a file, use the - d and -t options. The -d options tells the command to dump, and the -t option specifies the NIS+ table:

rootmaster# nisaddent -Y auto_home 
 -t key-value 
rootmaster# nisaddent -Y auto_home 
 -t  key-value

Chapter 14 Server-Use Customization

This chapter describes how to customize and control which servers NIS+ clients use.

NIS+ Servers and Clients

When client machines, users, applications, or processes need NIS+ information, they seek an active NIS+ server (master or replica) from which to get the needed data. On large networks, networks with many subnets, and networks that span wide-area links, you may be able to improve NIS+ performance by customizing server usage.

Default Client Search Behavior

By default, if no server preferences have been set with the nisprefadm command, a client will first try to obtain the information it needs from an NIS+ server on the client's local subnet. If the client finds an active server on the local subnet, it obtains the information it needs from the first local server that responds. If no server is available on the local subnet, the client searches outside the local subnet, and obtains the NIS+ information it needs from the first remote server that responds.

On large, busy networks, this default search behavior may reduce NIS+ performance for one of two reasons:

Designating Preferred Servers

The Solaris 2.6 release contains a new feature--server-use customization--that allows you to control the order in which clients search for NIS+ servers. With this new feature you can balance and customize server usage by:

The search criteria that you specify can be applied to all clients within a domain, all clients on a subnet, or to individual clients on a machine-by-machine basis.

Note -

When server-use preferences are set for a particular machine, those preferences apply to all users, applications, processes, or other clients running on that machine. You cannot set different server-use patterns for different clients on the same machine.

NIS+ Over Wide Area Networks

Server-use customization is particularly valuable for large networks with many subnets and networks that span multiple geographic sites connected by modems or leased lines. To maximize network performance, you want to minimize network traffic between subnets, and between sites linked by slower connections. You can do that by specifying which NIS+ servers the clients can use, and their order of server preference. In this way you confine as much NIS+ network traffic as possible to the local subnet.

Optimizing Server-Use--Overview

This section provides an overview of server-use customization.

nis_cachemgr is Required

Server-use customization requires that a client be running nis_cachemgr. If a client machine is not running nis_cachemgr, it cannot make use of server-use customization. If there is no nis_cachemgr running on a client machine, that client will use the first server it identifies as described in "Default Client Search Behavior".

Global Table or Local File

Depending on how you use the nisprefadm command, it creates either a local client_info file or a domain client_info table:

Caution - Caution -

Use only the nisprefadm command to make changes to client_info files and tables. Never use other NIS+ commands such as nistbladm.

When working with client_info tables or files, you must use either the -G or the -L option to specify that your command apply to either the global table (-G) or local file (-L) of the machine you are running the command on.

Preference Rank Numbers

Server preferences are controlled by giving each server a preference rank number. Clients search for NIS+ servers in order of numeric preference, querying servers with lower preference rank numbers before seeking servers with higher numbers.

Thus, a client will first try to obtain namespace information from NIS+ servers with a preference of zero. If there are no preference=0 servers available, then the client will query servers whose preference=1. If no 1's are available, it will try to find a 2, and then a 3, and so on until it either gets the information it needs or runs out of servers.

Preference rank numbers are assigned to servers with the nisprefadm command as described in "Specifying Global Server Preferences ".

Server preference numbers are stored in client_info tables and files. If a machine has its own /var/nis/client_info file, it uses the preference numbers stored in that file. If a machine does not have its own client_info file, it uses the preference numbers stored in the domain's client_info.org_dir table. These client_info tables and files are called "preferred server lists" or simply server lists.

You customize server usage by controlling the server preferences of each client. For example, suppose a domain has a client machine named mailer that makes heavy use of namespace information and the domain has both a master server (nismaster) and a replica server (replica1). You could assign a preference number of 1 to nismaster and a number of 0 to replica1 for the mailer machine. The mailer machine would then always try to obtain namespace information from replica1 before trying nismaster. You could then specify that for all the other machines on the subnet the nismaster server had a preference number of zero and replica1 the number 1. This would cause the other machine to always try nismaster first.

You can give the same preference number to more than one server in a domain. For example, you could assign both nismaster1 and replica2 a preference number of 0, and assign replica3, replica4, and replica5 a preference number of 1.

Default Server Preferences

If there is no client_info file or table, the cache manager automatically assigns all servers on the local subnet a default preference number of zero (0) and all servers outside the local subnet a preference of infinite. The purpose of nisprefadm is to change these default preference numbers to what you want them to be.

Efficiency and Server Preference Numbers

A client must seek all servers with a given preference number before searching for servers with the next higher number. It requires 5 or more seconds for a client to search for all the servers with a given preference number. This means that if you have a master server and 4 replicas in a domain, and you give each one a different preference number from 0 to 4, it could take a client more than 25 seconds to run through all of those preference levels.

To maximize performance, you should not use more than two or three levels of server preference. For example, in the case described above, it is better to give one of those five servers a preference=0 and all the others a preference of 1, or give two of them a preference of 1 and the remaining three a preference of 2.

Preferred Only Servers Versus All Servers

Server lists also specify what a client does if it cannot find any preferred servers. A preferred server is any server with a preference of zero, or any server that you have assigned a preference number with nisprefadm.

By default, if a client fails to reach a preferred server, it will then seek out any server it can find anywhere on the network using the search mode described in "Default Client Search Behavior". You can change this default behavior with the nisprefadm -o option to specify that a client can only use preferred servers and if no servers are available it cannot go to non-preferred servers. See "Specifying Preferred-Only Servers" for details.

Note -

This option is ignored when the machine's domain is not served by any preferred servers.

Viewing Preferences

To view the server preferences currently in effect for a particular client machine, you run nisprefadm with the -l option as described in "Viewing Current Server Preferences".

Server and Client Names

When specifying server or client machines, keep in mind the following points:

Server Preferences

To specify a server preference for:

When Server Preferences Take Effect

Changes you make to a machine or subnet's server preferences normally do not take effect on a given machine until that machine updates it nis_cachemgr data. When the nis_cachemgr of a machine updates its server-use information depends on whether the machine is obtaining its server preferences from a global client_info table or a local /var/nis/client_info file (see "Global Table or Local File "):

However, you can force server preference changes to take effect immediately by running nisprefadm with the -F option. The -F option forces nis_cachemgr to immediately update its information. See "How to Immediately Implement Preference Changes "for details.

Using the nisprefadm Command

The following sections describe how to use the nisprefadm command to set, modify, and delete server preferences.

The nisprefadm command is used to specify the servers that clients are to prefer.

The nisprefadm command has the following syntax:

nisprefadm -a|-m|-r|-u|-x|-l -L|-G [-o type] \
 [-d domain] \
 [-C machine] \
nisprefadm -F
Table 14-1 nisprefadm Command Options




Create a global client_info table stored in the domain's org_dir directory. In other words, create a global preferred server list. This option must be used with either -C subnet to specify preferences for all the machines on a given subnet, or -C machine to specify preferences for an individual machine.


Create a local client_info file stored in the local machine's /var/nis directory. In other words, create a preferred server list that applies only to the machine you are running the command on.

-o type

Specify an option. The valid options are: pref_type=all, which specifies that clients can use non-preferred servers if no preferred servers can be contacted, and pref_type=pref_only, which specifies that clients may only use the designated preferred servers.

-d domain

Create a global preferred server client_info table for the specified domain or subdomain. 

-C subnet

The number of a subnet to which the preferences will apply. 

-C machine

The name of a client machine. 


One or more NIS+ servers. These are the servers that are to be preferred. 


Add the specified servers to the server list. 


Modify the server list. For example, you can use the -m option to change the preference number given to one or more servers.


Remove the specified servers from the server list. 


Clear the server list, and then add the specified servers. (In other words, replace the current server list with a new list of preferred servers.) 


Remove the server list completely. 


List (display) the current preferred server information. 


Force changes to a preferred server list to take effect immediately. 

Note -

The -C machine option should not be used with the -L (local) flag because it has no effect. For example, suppose you are running nisprefadm on the altair machine. You use the -L flag to specify that the preferences you are specifying be written into altair's local client_info file. You also use a -C vega option to specify that the preferences you are creating be applied to the vega machine. The nisprefadmcommand then write your preferences for vega into altair's file. But vega will never see them because vega will always get its server preferences from either its own local client_info file or the domain's global client_info table. Thus, it only makes sense to use the -C option when running nisprefadm with the -G (global) flag

Viewing Current Server Preferences

To view current server preferences, run nisprefadm with the -l option.

How to View Preferences for a Machine

    Run nisprefadm with the -L and -l options on the machine.

sirius# nisprefadm -L -l

This displays any server preferences defined in the machine's local /var/nis/client_info file. If there is no local file, no information is displayed and you are returned to your shell prompt.

How to View Global Preferences for Single Machine

    Run nisprefadm with the -l, -G and -C machinename options.

sirius# nisprefadm -G -l -C machinename

Where machinename is the IP address (number) of the machine.

This displays the preferences set in the domain's global client_info table for that machine.

How to View Global Preferences for a Subnet

    Run nisprefadm with the -l, -G and -C subnet options.

sirius# nisprefadm -G -l -C subnet

Where subnet is the IP address (number) of the subnet.

This displays the preferences set in the domain's global client_info table for that machine.

How to Specify Preference Rank Numbers

By default, all servers listed after the -a option are given a preference number of zero. To specify a different preference number, enclose the number in parentheses immediately after the server name like this: -a name(n). Where name is the name of the server and n is the preference number.

For example, assign the replica2 server a preference number of 3:

# nisprefadm -G -a replica2(3)

Note -

With some shells you may have to enclose the element in quotes like this: "name(n)".

See "Preference Rank Numbers " for background information on the server preference rank numbers.

Specifying Global Server Preferences

You can set global server preferences for a local or remote domain. Preferences may be set for individual machines and all the machines on a subnet.

The procedures in this section describe how to specify server preferences in a global client_info table residing on the NIS+ domain's master server. Once the table exists on the master server, NIS+ replicates it on to any existing replica servers for the domain.

To assign server preference numbers, run nisprefadm with either the:

How to Set Global Preferences for a Subnet

To assign server preferences in the global table for all the machines on a subnet:

    Run nisprefadm with the -G and -C subnet options.

#nisprefadm -G -a -C subnet servers (preferences)


polaris# nisprefadm -a -G -C nismaster1 \
replica3 "manf.replica6(1)"

How to Set Global Preferences for an Individual Machine

    Run nisprefadm with the -G, and -C machine options.

#nisprefadm -G -a -C machine servers (preferences)


polaris# nisprefadm -u -G -C cygnus replica7 replica9

How to Set Global Preferences for a Remote Domain

To assign server preferences for an individual machine in a remote domain or all the machines on a subnet in a remote domain:

    Run nisprefadm with the -C, -G, and -d options.

#nisprefadm -a -G -C name \
 -d domain servers(preferences)


For example, to add the nismaster2 server with a default preference number of zero to the preferred server list of the subnet in the remote domain:

polaris# nisprefadm -a -G -C -d nismaster2

Specifying Local Server Preferences

These procedures explain how to create or change a local client_info file that specifies server preferences for the machine on which it resides.

If a machine has a local /var/nis/client_info file, that machine takes its server preferences from its local file rather than the global client_info tables on NIS+ servers. In other words, a local file overrides any global table.

To assign server preferences, run nisprefadm with either the:

How to Set Preferences on a Local Machine

To assign server preferences for the local machine that you are running the nisprefadm command on:

    Run nisprefadm with the -L option and either the -a or -u options.

#nisprefadm -a -L servers(preferences)

Where servers(preferences) are one or more servers with optional preference ranking numbers.

For example, to specify that the deneb machine first seek NIS+ information from the replica3 server with a default preference number of zero and then from the replica6 server (with a preference number of 1) in the domain:

deneb# nisprefadm -a -L replica3 replica6.manf(1)

Modifying Server Preferences

You can change a server's preference number and switch (replace) the preference numbers assigned to different servers.

To change preferred servers or the preference number assigned to a server, run nisprefadm with the -m oldserver-=newserver(n) option.

How to Change a Server's Preference Number

    Run nisprefadm with the -m server=server(new) option.

#nisprefadm -L|-G -C name -m oldserver=newserver(n)


For example, on the deneb machine, to change the number given to the replica6.manf server to 2 in deneb's local client_info file:

deneb# nisprefadm -L -m replica6.manf=replica6.manf(2)

How to Replace One Server With Another in a Preference List

To change one server for another in a preference list:

    Run nisprefadm with the -m oldserver=newserver option.

#nisprefadm -L|-G -C name -m \


Keep in mind that when you replace a server in a global client_info table using the -G option, the replacement only applies to the subnet or machine identified by the -C option. Other listings of the replaced server are not affected.

For example, suppose you have a domain with three subnets, and the replica1 server is listed as a preferred server for two of those subnets. If replica1 is obsolete and you take it out of service, you then run nisprefadm -m to replace it with the new server for the first subnet. Until you do the same for the second subnet, replica1 is still listed as a preferred server for that subnet. The same principle applies to preferred servers for individual machines.

For example, to replace the replica3 server with the replica6 server for subnet in the domain's global client_info table and assign replica6 a preference number of 1:

nismaster# nisprefadm -G -C -m replica3 replica6(1)

How to Remove Servers From Preference Lists

To remove one or more servers from a preference list:

    Run nisprefadm with the -r option.

#nisprefadm -L|-G -C name -r servers


For example, in the domain's global client_info table, to remove the replica3 and replica6.manf servers for the machine polaris:

polaris# nisprefadm -G -C polaris -r replica3 replica6.manf

How to Replace an Entire Preferred Server List

To replace an entire list of preferred servers for a subnet or machine in either a global client_info table or a machine in its local client_info file, run nisprefadm with the -u option.

The -u option operates the same way as the -a option, except that -u first deletes any existing server preferences for the machine or subnet before adding the new ones that you specify. (If there are existing preferences, the -a option adds the new ones to the old list.)

See "How to Set Global Preferences for an Individual Machine " for an example using the -u option.

Specifying Preferred-Only Servers

You can specify what clients do when no preferred servers are available.

By default, if a client cannot reach a preferred server, it uses whatever other server it can find. You can specify that clients may only use preferred servers by setting the preferred-only option. See "Preferred Only Servers Versus All Servers" for background information on the preferred-only and all servers options.

To specify what clients do when no preferred servers are available, run nisprefadm with the -o value option.

How to Specify Preferred-Only Servers

To specify that clients using a server list may only obtain NIS+ information from servers named in the list:

    Run nisprefadm with the -o pref_only option.

#nisprefadm -L|-G -o pref_only


Note -

This option is ignored for domains that are not served by any preferred servers.

For example, to specify in altair's local client_info file that altair must always use preferred servers and cannot use any server not on altair's preferred server list:

altair# nisprefadm -L -o pref_only

How to Revert to Using Non-Preferred Servers

To specify that clients using a server list may obtain NIS+ information from servers not named in the list if no preferred servers are available:

    Run nisprefadm with the -o all option.

#nisprefadm -L|-G -o all


Note -

This is the default behavior. You only need to use the -o all option if you have previously specified preferred-only servers with the -o pref_only option.

For example, to specify in altair's local client_info file that altair can now use non-preferred servers if no preferred servers can be reached:

altair# nisprefadm -L -o all

Ending Use of Server Preferences

You can stop using server-use customization and revert to the obtaining NIS+ information as described in "Default Client Search Behavior".

To end server preferences, run nisprefadm with the -x option.

Note -

When you end server preferences, clients do not stop using server preferences until the normal course of events as described "When Server Preferences Take Effect". You can force an immediate end to server preferences as described in"Putting Server Preferences Into Immediate Effect ".

How to Eliminate Global Server Preferences

    Run nisprefadm with the -G and -x options.

#nisprefadm -G -x

This eliminates global server preferences.

How to Eliminate Local Server Preferences

Ending local preferences can mean one of three different things:

How to Switch from Local to Global Subnet Preferences

    Remove the machine's /var/nis/client_info file.

# rm /var/nis/client_info

This causes the machine to use the preferences specified for the machine's subnet in the domain's global client_info table.

How to Switch from Local to Machine-Specific Global Preferences

  1. Remove the machine's /var/nis/client_info file.

    # rm /var/nis/client_info
  2. Specify preferences for the machine in the global table using the -G and -C options.

    See "How to Set Global Preferences for an Individual Machine ".

How to Stop a Machine from Using Any Server Preferences

  1. Remove the machine's /var/nis/client_info file.

    # rm /var/nis/client_info

    If the machine's domain does not have a global client_info table, this step is all you have to do. If the domain does have a client_info table, continue on to the next step.

  2. Create an empty /var/nis/client_info file.

    # touch /var/nis/client_info

    When a machine has its own /var/nis/client_info file, it does not use global preferences from any client_info table. If the machine has an empty /var/nis/client_info file, it will not use any preferences at all and will obtain NIS+ information as described in "Default Client Search Behavior".

Putting Server Preferences Into Immediate Effect

Server-use changes normally go into effect whenever the client machine is rebooted or updates its cache manager.

When you use nisprefadm to set or change server preferences on a local machine using a local client_info file (the -L option), your changes go into effect immediately.

For machines obtaining their server preferences from a global client_info table (the -G option) you can force server preference changes into immediate effect by running nisprefadm a particular with the -F option.

# nisprefadm -F

The -F option forces the machine's cache manager to immediately update its server preference information from the domain's global client_info table. (If the machine on which you run nisprefadm -F has its own local client_info file in /var/nis, running nisprefadm -F on it will have no effect.)

Note -

You cannot use the -F option with any other nisprefadm options. The nisprefadm -F command must always be run by itself on the machine you want it to apply to. You cannot use the -G option to update the cache managers of all machines in a domain. The nisprefadm -F command must be run on each machine individually.

How to Immediately Implement Preference Changes

To force a newly created or modified server list into immediate effect on a given machine:

    Run nisprefadm with the -F option on that machine.

# nisprefadm -F

For example, to force immediate implementation of changes to vega's preferred server list (whether local or global):

vega# nisprefadm -F

Chapter 15 NIS+ Backup and Restore

This chapter describes how to backup and restore an NIS+ namespace.

The NIS+ backup and restore capabilities provide a quick and easy method of preserving and reinstalling your NIS+ namespace. These features can also be used to simplify creation of new replica servers and reduce the time it takes to bring them online. These tasks are performed by two commands:

Backing Up Your Namespace With nisbackup

The nisbackup command backups up one or more NIS+ directory objects or an entire namespace to a specified UNIX file system directory.

Note -

The nisbackup command is always run on a master server. Never run it on a replica server.

The nisbackup command copies the NIS+ namespace data set as of the time the backup command is run. This recording includes all current NIS+ data and also any changes entered into the NIS+ namespace by an authorized network administrator but not yet checkpointed (posted) to the NIS+ tables. The back up operation does not check or correct NIS+ data. If data in a table is corrupt, the corrupt data is backed up as if it were valid data.

The nisbackup command only backs up those directory objects that the machine is master server for. In other words, you can only use nisbackup on a master server. You cannot use nisbackup on a replica server.

If the backup process is interrupted or unable to successfully complete its operation it halts and restores all previous backup files that were stored in the target directory.

nisbackup Syntax

The nisbackup command uses the following syntax:

nisbackup [-v][-a] backupdir objects


The nisbackup command takes the following options:

Table 15-1 Options for the nisbackup Command




Verbose mode. This mode provides additional information 


All. Backs up all NIS+ directory objects that the server is master of. This includes any sub-domain directory objects that this server is the master for. Note that directory objects of subdomains that have their own master servers will not be backed up. 

The nisbackup command must be run on the master server for the NIS+ directory objects you are backing up.

When specifying NIS+ directory objects to be backed up, you can use full or partially qualified directory names.

When you back up multi-level directories, the backup files for lower level directories are automatically placed in subdirectories of the target backup directory.

What nisbackup Backs Up

When using nisbackup, keep in mind that nisbackup is server specific. Regardless of whether or not you use the -a option, nisbackup only backs up those directories that the server you are running it on is master of. NIS+ directory objects that have some other master server will not be backed up.

For example, suppose the submaster1 server is master server for the directory objects and also a replica for the directory objects. When you run nisbackup on submaster1, only the directory objects will be backed up.

Some of the implications of this server specific principle are:

The Backup Target Directory

While the backup target directory must be available to the server being backed up, it is good practice to use a target directory that is not physically mounted on the server. That way you ensure that if the server is damaged the backup directory is still available.

A separate target directory must be used for each master server being backed up. It is good practice to avoid confusion by including the master server's machine name in the target directory name. For example, the target directory for a nisbackup run on the master1 machine might be named /var/master1_bakup

Caution - Caution -

Never back up more than one master server to a given target directory. Always use different target directories for different master servers. This is because each time you backup one or more NIS+ directory objects to a given target directory, previous backup files for those NIS+ directory objects in that directory are overwritten.

Maintaining a Chronological Sequence of NIS+ Backups

There are at least two ways to maintain an historic sequence of backup files:

Backing Up Specific NIS Directories

To back up specific NIS+ directory objects, you list those directories after the target backup directory.

For example, to backup the three org_dir directory objects for the root, sales, and manf domains to a /master1_bakup directory, you would run nisbackup on the master1 machine as follows:

master1# nisbackup /var/master1_bakup org_dir org_dir.sales org_dir.manf

Backing Up an Entire NIS+ Namespace

To back up an entire NIS+ namespace you run the nisbackup command on the root master server with the -a option.

When you use the -a option, you do not specify the NIS+ directory objects to be backed up. All NIS+ directory objects on the server and all those of subdomains below it will be automatically backed up.

For example, to backup the namespace to a /master1_bakup directory, you would run nisbackup on the root master as follows:

rootmaster# nisbackup -a /var/master1_bakup

Backup Directory Structure

When you perform a back up on a domain, a subdirectory for each NIS+ directory object is created in the backup target directory. The names of these subdirectories match the fully qualified NIS+ directory object name including the trailing period.

If you perform a full backup of an entire NIS+ object using the -a option, then all three of the associated directory objects (domain. org_dir.domain., and groups_dir.domain.) are backed up and three target subdirectories are created. If you are backing up multiple objects, subdirectories are created for every object that you are backing up.

Note that the backup subdirectories for multiple NIS+ directory object are all subdirectories of the parent target backup directory regardless of whether or not they are subdomains. In other words, nisbackup does not reproduce a domain hierarchy under the parent backup target directory, instead all of the back up subdirectories are simple subddirectories of the target directory.

For example, if you backed up the root, sales, and manf directory objects of to a /var/master1_bakup directory, nine subdirectories would be created in the /var/master1_bakup directory as shown in Figure 15-1:

Figure 15-1 Example directories created by nisbackup


Backup Files

The backup target directory contains a backup_list file that lists the NIS+ directory objects most recently backed up to this target directory.

Each of the subdirectories contain two files and a /data subdirectory. The three files are:

Each of the /data subdirectories contain one or more of the following files:

Restoring Your NIS+ Namespace With nisrestore

The nisrestore command recreates NIS+ directory objects to match the data stored in backup files created with the nisbackup command. This command can be used to restore NIS+ servers, replace directory objects that have become corrupted, or down load NIS+ data on to a new NIS+ server.

Prerequisites to Running nisrestore

In order to use nisrestore the target machine that will be receiving the NIS+ data from nisrestore must have already been set up as an NIS+ server. (See Solaris Naming Setup and Configuration Guide for a detailed description of setting up NIS+ servers.) This means that:

Caution - Caution -

In addition to the three pre-requisites listed above, the rpc.nisd daemon must not be running on the machine. If necessary, you must kill rpc.nisd before running nisrestore.

nisrestore Syntax

The nisrestore command uses the following syntax:

nisrestore [-fv][-a][-t] backupdir [directory_objects]


The nisrestore command takes the following options:

Table 15-2 Options for the nisbackup Command




All. Restores all of the NIS+ directory objects contained in the backup directory. 


Forces the restoration without validating that the server is listed in the directory object's serving list. This option must be used when restoring a root master server or if you get an "unable to lookup object" type of error. 


Verbose mode. This mode provides additional information 


This option lists all of the NIS+ directory objects stored in the backup directory. No restoration of objects takes place. 

Using nisrestore

To restore NIS+ data from NIS+ backup files, use the nisrestore command.

For example, to restore the directory object on the replica1 server, you would log in as root on replica1, make sure that the prerequisites described in "Prerequisites to Running nisrestore " have been met and then run nisrestore as shown below:

replica1# nisrestore /var/master1_bakup

The following points apply to nisrestore:

master1# nisrestore -f -a /var/master1_bakup

Using Backup/Restore to Set Up Replicas

The NIS+ backup and restore features can be used to quickly down load NIS+ data on to a new replica server. For large namespaces this is much faster than nisping to obtain data from the master server.

Using nisbackup and nisrestore to set up a new replica is described in detail in Solaris Naming Setup and Configuration Guide. Briefly, the steps are:

  1. Run nisserver on the master to create the new replica.

  2. Kill rpc.nisd on the new replica server.

    This interrupts the automatic transfer for namespace data from the master to the replica using the nisping command.

  3. Run nisbackup on the master server.

  4. Run nisrestore on the new replica to down load the NIS+ data.

  5. Restart rpc.nisd on the new replica

Replacing Server Machines

You can use nisbackup and nisrestore to quickly replace a machine that you are using as a server with another machine. For example, you want to improve network performance by replacing an older server with a newer, faster machine.

Machine Replacement Requirements

To replace a machine being used as an NIS+ server with another machine, you must:

How to Replace Server Machines

To replace a server machine, follow these steps:

  1. Run nisbackup on the master server for the domain that the old server serves.

    See "Backing Up an Entire NIS+ Namespace ". (Note that the old server you are replacing could be the master server for the domain, in which case you would run nisbackup on this old master server.)

  2. Copy the old server's /var/nis/NIS_COLD_START file to the backup directory.

  3. Copy the old server's /etc/.rootkey file to the backup directory.

  4. Disconnect the old server from the network.

  5. Connect the new server to the network.

  6. Assign the new server the same IP address (number) as the old server.

  7. Assign the new server the same machine name as the old server.

  8. If necessary, kill rpc.nisd on the new server.

  9. Run nisrestore on the new server to down load the NIS+ data.

    See "Restoring Your NIS+ Namespace With nisrestore".

  10. Copy the .rootkey file from the backup directory to /etc on the new server.

  11. Copy the NIS_COLD_START file from the backup directory to /var/nis on the new server.

  12. Reboot the new server.

Chapter 16 Removing NIS+

This chapter describes how to use the NIS+ directory administration commands to remove NIS+ from clients, servers, and the namespace as a whole.

For information on disassociating an NIS+ replica server from a directory so that it no longer acts as a replica for that domain, see "The nisrmdir Command ".

Removing NIS+ From a Client Machine

This section described how to remove NIS+ from a client machine. Keep in mind that removing NIS+ from a client machine does not remove the NIS+ name service from your network. See "Removing the NIS+ Namespace" for information on removing the NIS+ name service from a network and returning to either NIS or /etc files for name purposes.

Removing NIS+ That Was Installed Using nisclient

To remove NIS+ from a client machine that was set up as an NIS+ client using the nisclient -i script as described in Solaris Naming Setup and Configuration Guide, simply run nisclient with the -r option:

client# nisclient -r

nisclient -r simply undoes the most recent iteration of nisclient -i; it restores the previous naming system used by the client, such as NIS or /etc files.

Removing NIS+ That Was Installed Using NIS+ Commands

To remove NIS+ from a client machine that was set up as an NIS+ client using the nisaddcred, domainname, and nisinit commands as described in Solaris Naming Setup and Configuration Guide, perform the following steps:

  1. Remove the .rootkey file.

    client# rm -f /etc/.rootkey
  2. Locate and kill the keyserv, nis_cachemgr, and nscd processes.

    client# ps -ef | grep keyserv
     root 714 1 67 16:34:44 ? keyserv
    client# kill -9 714
    client# ps -ef | grep nis_cachemgr
     root 123 1 67 16:34:44 ? nis_cachemgr
    client# kill -9 123
    client# ps -ef | grep nscd
     root 707 1 67 16:34:44 ? nscd
    client# kill -9 707
  3. Remove the /var/nis directory and files.

    clientmachine# rm -rf /var/nis/*

Removing NIS+ From a Server

This section describes how to remove NIS+ from an NIS+ server.

Keep in mind that removing NIS+ from a server does not remove the NIS+ name service from your network. See "Removing the NIS+ Namespace" for information on removing the NIS+ name service from a network and returning to either NIS or /etc files for naming purposes.

Note -

You can replace a machine that you are using as an NIS+ server with another machine. See "Replacing Server Machines ".

To remove NIS+ from a server, follow these steps:

  1. Perform the steps necessary to remove NIS+ from a client.

    An NIS+ server is also an NIS+ client. This means that you must first remove the client-related part of NIS+. You can use nisclient -r as described in "Removing NIS+ That Was Installed Using nisclient" or the NIS+ command set as described in "Removing NIS+ That Was Installed Using NIS+ Commands".

  2. Remove the server's groups_dir and org_dir directories.

    server# nisrmdir -f groups_dir.domainname
    server# nisrmdir -f org_dir.domainname
  3. Locate and kill the keyserv, rpc.nisd, nis_cachemgr, and nscd processes on the server.

    server# ps -ef | grep rpc.nisd
     root 137 1 67 16:34:44 ? rpc.nisd
    server# kill -9 137
    server# ps -ef | grep keyserv
     root 714 1 67 16:34:44 ? keyserv
    server# kill -9 714
    server# ps -ef | grep nis_cachemgr
     root 123 1 67 16:34:44 ? nis_cachemgr
    server# kill -9 123
    server# ps -ef | grep nscd
     root 707 1 67 16:34:44 ? nscd
    server# kill -9 707
  4. Remove the /var/nis directory and files.

    rootmaster# rm -rf /var/nis/*

Removing the NIS+ Namespace

To remove the NIS+ namespace and return to using either NIS or /etc files for name services, follow these steps:

  1. Remove the .rootkey file from the root master.

    rootmaster# rm -f /etc/.rootkey
  2. Remove the groups_dir and org_dir subdirectories from the root master root domain.

    rootmaster# nisrmdir -f groups_dir.domainname
    rootmaster# nisrmdir -f org_dir.domainname

    Where domainname is the name of the root domain, for example,

  3. Remove the root domain.

    rootmaster# nisrmdir -f domainname

    Where domainname is the name of the root domain, for example,

  4. Locate and kill the keyserv, rpc.nisd, nis_cachemgr, and nscd processes.

    rootmaster# ps -ef | grep rpc.nisd
     root 137 1 67 16:34:44 ? rpc.nisd
    rootmaster# kill -9 137
    rootmaster# ps -ef | grep keyserv
     root 714 1 67 16:34:44 ? keyserv
    rootmaster# kill -9 714
    rootmaster# ps -ef | grep nis_cachemgr
     root 123 1 67 16:34:44 ? nis_cachemgr
    rootmaster# kill -9 123
    rootmaster# ps -ef | grep nscd
     root 707 1 67 16:34:44 ? nscd
    rootmaster# kill -9 707
  5. Create a new domain.

    rootmaster# domainname name

    Where name is the name of the new domain; for example, the name of the domain before you installed NIS+.

  6. Remove the existing /etc/defaultdomain file.

    rootmaster# rm /etc/defaultdomain
  7. Recreate the /etc/defaultdomain file with the new domain name.

    rootmaster# domainname > /etc/defaultdomain
  8. Replace the original nsswitch.conf file.

    If you set up this server with nisserver -r, you can use:

    rootmaster# cp /etc/nsswitch.conf.no_nisplus /etc/nsswitch.conf

    Alternatively, you can copy over one of the default switch template files. To use the default NIS switch file template, you would type:

    rootmaster# cp /etc/nsswitch.nis etc/nsswitch.conf

    To use the default /etc files switch file template, you would type:

    rootmaster# cp /etc/nsswitch.files etc/nsswitch.conf
  9. Restart the keyserv process.

    rootmaster# keyserv
  10. Remove the /var/nis directory and files.

    rootmaster# rm -rf /var/nis/*
  11. Now restart your other name service (NIS or /etc files).