This chapter gives step-by-step instructions for setting up NIS+ clients using the NIS+ command set and three different initialization methods. These instructions apply to clients in both the root domain and subdomains, whether all-NIS+ or NIS-compatible.
NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)). For more information, visit http://www.sun.com/directory/nisplus/transition.html.
This chapter describes how to configure clients in both standard NIS+ domains and NIS-compatible domains. The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided in Table 6–6.
It is much easier to perform this task with the NIS+ installation scripts, as described in Part 1, than with the NIS+ command set as described here. The methods described in this chapter should only be used by those administrators who are very familiar with NIS+ and who require some non-standard features or configurations not provided by the installation scripts. If you have them available, the Solstice AdminSuiteTM tools also provide easier methods of adding and setting up NIS+ client machines.
At Step 10 in the client configuration instructions you must choose which of three methods to use: broadcast, host name, or cold-start file. Because each method is implemented differently, each has its own task description. After initializing a client by one of these methods, you can continue setting up the client by returning to Step 11.
The last task in the chapter describes how to change a machine's domain.
This section describes how to configure a typical NIS+ client in either the root domain or a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.
Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west you do not want to create a sales.west.myco.com subdomain.
Setting up an NIS+ client involves the following tasks:
Creating credentials for the client
Preparing the machine
Initializing the machine as an NIS+ client.
However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the configuration process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:
Logging in to the domain's master server
Creating DES credentials for the new client machine
Ascertaining the Diffie-Hellman key length used on the master server
Logging in as superuser to the client
Assigning the client its new domain name
Stopping and restarting nscd
Setting the client's Diffie-Hellman key
Cleaning out leftover NIS+ material and processes
Initializing the client
Killing and restarting the keyserv daemon
Running keylogin
Rebooting the client
Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for the credentials to be created by an administrator with valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.
After an administrator creates the client's credentials, the client can complete the configuration process. However, the client still needs read access to the directory object of its home domain. If you configured the client's home domain according to the instructions in either Chapter 5, Setting Up the Root Domain or Chapter 8, Configuring a Non-Root Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).
You can check the directory object's access rights by using the niscat-o command. This command displays the properties of the directory, including its access rights:
rootmaster# niscat -o doc.com. ObjectName : Doc Owner : rootmaster.doc.com. Group : admin.doc.com. Domain : Com. Access Rights : r---rmcdr---r--- |
You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Chapter 15, Administering NIS+ Access Rights.
The administrator setting up the client's credentials must have:
A valid DES credential
Modify rights to the cred table in the client's home domain
The client must have:
Read rights to the directory object of its home domain.
The client's home domain must already be configured and running NIS+.
An entry in either the master server's /etc/hosts or /etc/inet/ipnodes file or in its domain's hosts or ipnodes table.
A unique machine name that does duplicate any user ID.
A machine name that does not contain any dots. (For example, a machine named sales.alpha is not allowed; a machine named sales-alpha is allowed.)
The name of the client's home domain
The superuser password of the machine that will become the client
The IP address of an NIS+ server in the client's home domain
Task |
Description |
For Instructions, Go To |
|
---|---|---|---|
Configuring the Client” |
Create credentials fpr the client. Prepare the client machine and initialize it as an NIS+ client. |
Log into the domain's master server.
You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.
Create DES credentials for the new client machine.
Use the nisaddcred command with the -p and -P arguments. Here is the syntax:
nisaddcred -p secure-RPC-netname principal-name des [domain] |
The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.
This example adds a DES credential for a client machine named client1 in the doc.com. domain:
rootmaster% nisaddcred -p unix.client1@doc.com -P client1.doc.com. des Adding key pair for unix.client1@doc.com (client1.doc.com.). Enter client1.doc.com.'s root login passwd: Retype password: |
For more information about the nisaddcred command, see Chapter 12, Administering NIS+ Credentials.
Ascertain the Diffie-Hellman key length used on the master server.
For example:
rootmaster% nisauthconf dh640-0 des |
Log in as superuser to the client.
Now that the client machine has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.
Assign the client its new domain name.
See Changing a machine's Domain Name for information on how to assign (or change) a client's domain name, then return to Step 6.
Check the client's nsswitch.conf file.
Make sure the client is using an NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. See Example 1–1 for a description of an NIS+ switch file.
If you made any changes to the nsswitch.conf file (or copied over a new file), you must now stop and restart nscd, as shown below.
client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf client1# sh /etc/init.d/nscd stop client1# sh /etc/init.d/nscd start |
(You do not need to kill and restart the keyserver at this point, as you will do so in Step 11.)
Set the Diffie-Hellman key length on the client, using the information from step 3.
For example:
client# nisauthconf dh640-0 des |
Clean out leftover NIS+ material and processes.
If the machine you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis.
client1# ls /var/nis NIS_COLD_START NIS_SHARED_CACHE client1# rm -rf /var/nis/* client1# ps -ef | grep nis_cachemgr root 295 260 10 15:26:58 pts/0 0:00 grep nis_cachemgr root 286 1 57 15:21:55 ? 0:01 /usr/sbin/nis_cachemgr client1# kill -9 286 |
This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this configuration process. If you have stored any admin scripts in /var/nis, you might want to consider temporarily storing them elsewhere, until you finish setting up the root domain.
You can initialize a client in three different ways: by host name, by cold-start file, or by broadcast. Choose and perform one of those methods. After initializing the client, proceed with Step 11.
Kill and restart the keyserv daemon.
This step stores the client's secret key on the keyserver.
Kill the keyserv daemon.
This also has the side effect of updating the key server's switch information about the client.
Restart the keyserver.
This example shows the complete procedure in Step 11.
client1# ps -e | grep keyserv root 145 1 67 16:34:44 ? keyserv client1# kill 145 client1# rm -f /etc/.rootkey client1# keyserv |
Run keylogin-r.
This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the superuser on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's superuser password. It must be the same as the password supplied to create the client's DES credentials:
client1# keylogin -r Password: Wrote secret key into /etc/.rootkey |
Reboot the client.
Login as superuser.
Properly configure the hosts line in the /etc/resolve.conf file to read: hosts:nisplus dns files.
In this implementation of NIS, if a /etc/resolve.conf file exists on the server, ypstart automatically starts the ypserv daemon with the -d option to forward requests to DNS. (To stop forwarding to DNS, edit the /usr/lib/netsvc/yp/ypstart script to remove the -d option from the ypserv command. You must then reboot the machine.)
This task changes a machine's domain name. Since a machine's domain name is usually set during installation, you should check it (type domainname without an argument) before you decide to perform this task.
You must perform this task as superuser on the machine whose domain name you are changing.
The machine's superuser password
The new domain name
Task |
Description |
For Instructions, Go To |
|
---|---|---|---|
Changing a machine's Domain |
Use the domainname command to change the client machine domain |
Log in to the machine and become superuser.
The examples in this task use client1 as the machine and doc.com. as the new domain name.
client1% su Password: |
Change the machine's domain name.
Type the new name after the domainname command. Do not use a trailing dot. For example, to change a machine's domain to the doc.com domain, you enter:
client1# domainname doc.com |
If the machine had been an NIS client, it may no longer be able to get NIS service.
Verify the result.
Run the domainname command again, this time without an argument, to display the server's current domain.
client1# domainname doc.com |
Save the new domain name.
Redirect the output of the domainname command into the /etc/defaultdomain file.
client1# domainname > /etc/defaultdomain |
At a convenient time, reboot the machine.
Even after entering the new domain name into the /etc/defaultdomain file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the machine.
Because you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the machine before rebooting. Otherwise, you might find yourself rebooting several times instead of just once.
Although restarting individual daemons, such as mountd may solve an NFS problem, it is strongly recommended that you reboot to synchronize configuration changes across daemons. This minimizes application failures caused by unknown changes to the configuration.
The three different ways to initialize an NIS+ client are:
Broadcast method (see Broadcast Initialization)
Host-name method (see Initializing a Client by Host Name)
Cold-start file method (see Initializing Client Using a Cold-Start File)
This method initializes an NIS+ client by sending an IP broadcast on the client's subnet.
This is the simplest way to configure a client but is also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its cold-start file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, the client has no way of knowing whether the machine that responded to the broadcast is indeed a trusted server. As a result, this method is only recommended for sites with small, secure networks.
You must perform this task as superuser on the client.
At least one NIS+ server must exist on the same subnet as the client. The client must use the same Diffie-Hellman key lengths as those on the master server. See nisauthconf(1M).
You need the superuser password to the client.
Task |
Description |
For Instructions, Go To |
|
---|---|---|---|
Initializing an NIS+ Client |
Use nisclient command to initialize an NIS+ client |
Initialize the client.
This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -B options.
client1# nisinit -c -B This machine is in the doc.com. NIS+ domain. Setting up NIS+ client ... All done. |
An NIS+ server on the same subnet will reply to the broadcast and add its location information into the client's cold-start file.
Initializing a client by host name consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's cold-start file.
This method is more secure than the broadcast method because it actually specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it could intercept messages to the trusted IP address and route them to an untrusted server.
You must perform this operation as superuser on the client.
The NIS+ service must be running in the client's domain.
The client must have an entry in its /etc/hosts or /etc/inet/ipnodes file for the trusted server.
The client must use the same Diffie-Hellman key lengths as those on the master server. See nisauthconf(1M).
You need the name and IP address of the trusted server.
Task |
Description |
For Instructions, Go To |
|
---|---|---|---|
Initializing a Client by Host Name |
Use nisinit command to initialize an NIS+ client by host name. |
Check the client's /etc/hosts or /etc/inet/ipnodes file.
Make sure the client has an entry for the trusted server.
Initialize the client.
This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -H options. This example uses rootmaster as the trusted server.
Client1# nisinit -c -H rootmaster This machine is in the doc.com. NIS+ domain. Setting up NIS+ client ... All done. |
The nisinit utility looks for the server's address in the client's /etc/hosts or /etc/inet/ipnodes file, so do not append a domain name to the server. If you do, the utility will not be able to find its address.
This task initializes an NIS+ client by using the cold-start file of another NIS+ client, preferably one from the same domain. This is the most secure method of setting up an NIS+ client. It ensures that the client obtains its NIS+ information from a trusted server, something that cannot be guaranteed by the host-name or broadcast method.
You must perform this task as superuser on the client.
The servers specified in the cold-start file must already be configured and running NIS+.
The client must use the same Diffie-Hellman key lengths as those on the master server. See nisauthconf(1M).
You need the name and location of the cold-start file you will copy.
Task |
Description |
For Instructions, Go To |
|
---|---|---|---|
InitializingClient via Cold-Start File |
Use nisinit command to initialize an NIS+ client via a cold-start file |
Copy the other client's cold-start file.
Copy the other client's cold-start file into a directory in the new client. This may be easier to do while logged on as yourself rather than as superuser on the client. Be sure to switch back to superuser before initializing the client.
Don't copy the NIS_COLD_START file into /var/nis, because that file gets overwritten during initialization. This example copies the cold-start file of previously initialized client1 into the /tmp directory of uninitialized client2.
client2# exit client2% rcp client1:/var/nis/NIS_COLD_START /tmp client2% su |
Initialize the client from the cold-start file.
Use the nisinit command with the -c and -C options.
client2# nisinit -c -C /tmp/NIS_COLD_START This machine is in the doc.com. NIS+ domain. Setting up NIS+ client ... All done. |
Table 6–6 shows a summary of the steps required to configure a client named client1 in the doc.com domain. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. For the sake of brevity, this summary does not show the responses to each command.
Table 6–6 Setting Up a Client: Command Summary
Tasks |
Commands |
---|---|
Log in to domain's master. |
rootmaster% |
Create DES credentials for client. |
rootmaster% nisaddcred -p unix.client1.doc.com -P client1.doc.com. des |
Ascertain the Diffie-Hellman .key length. |
rootmaster% nisauthconf |
Log in, as superuser, to the client. |
client1% su Password: |
Assign the client a domain name. |
client1# domainname doc.com client1# domainname > /etc/defaultdomain |
Check that the client's switch configuration file has the correct settings. |
client1# more /etc/nsswitch.conf |
Set the Diffie-Hellman key length. |
client1# nisauthconf dh640-0 des |
Clean out /var/nis. |
client1# rm -rf /var/nis/* |
Initialize the client. |
client1# nisinit -c -H rootmaster |
Kill and restart the keyserver. |
client1# ps -ef | grep keyserv client1# kill -9 process-id client1# keyserv |
Run keylogin on the client. |
client1# keylogin -r password: |
Reboot the client. |
client1# init 6 |