JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration Guide     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

Setting Up the Global Zone in Trusted Extensions

Check and Install Your Label Encodings File

Enable IPv6 Networking in Trusted Extensions

Configure the Domain of Interpretation

Create ZFS Pool for Cloning Zones

Reboot and Log In to Trusted Extensions

Initialize the Solaris Management Console Server in Trusted Extensions

Make the Global Zone an LDAP Client in Trusted Extensions

Creating Labeled Zones

Run the txzonemgr Script

Configure the Network Interfaces in Trusted Extensions

Name and Label the Zone

Install the Labeled Zone

Boot the Labeled Zone

Verify the Status of the Zone

Customize the Labeled Zone

Copy or Clone a Zone in Trusted Extensions

Adding Network Interfaces and Routing to Labeled Zones

Add a Network Interface to Route an Existing Labeled Zone

Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

Configure a Name Service Cache in Each Labeled Zone

Creating Roles and Users in Trusted Extensions

Create Rights Profiles That Enforce Separation of Duty

Create the Security Administrator Role in Trusted Extensions

Create a Restricted System Administrator Role

Create Users Who Can Assume Roles in Trusted Extensions

Verify That the Trusted Extensions Roles Work

Enable Users to Log In to a Labeled Zone

Creating Home Directories in Trusted Extensions

Create the Home Directory Server in Trusted Extensions

Enable Users to Access Their Home Directories in Trusted Extensions

Adding Users and Hosts to an Existing Trusted Network

Add an NIS User to the LDAP Server

Troubleshooting Your Trusted Extensions Configuration

netservices limited Was Run After Trusted Extensions Was Enabled

Cannot Open the Console Window in a Labeled Zone

Labeled Zone Is Unable to Access the X Server

Additional Trusted Extensions Configuration Tasks

How to Copy Files to Portable Media in Trusted Extensions

How to Copy Files From Portable Media in Trusted Extensions

How to Remove Trusted Extensions From the System

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

A.  Site Security Policy

B.  Using CDE Actions to Install Zones in Trusted Extensions

C.  Configuration Checklist for Trusted Extensions



Adding Users and Hosts to an Existing Trusted Network

If you have users who are defined in NIS maps, you can add them to your network.

To add hosts and labels to hosts, see the following procedures:

Add an NIS User to the LDAP Server

Before You Begin

You must be superuser, in the root role, or in the Primary Administrator role.

  1. From the NIS database, gather the information that you need.
    1. Create a file from the user's entry in the aliases database.
      % ypcat -k aliases | grep login-name >
    2. Create a file from the user's entry in the passwd database.
      % ypcat -k passwd | grep "Full Name" >
    3. Create a file from the user's entry in the auto_home_ database.
      % ypcat -k auto_home | grep login-name > auto_home_label
  2. Reformat the information for LDAP and Trusted Extensions.
    1. Use the sed command to reformat the aliases entry.
      % sed 's/ /:/g' aliases.login-name > aliases
    2. Use the nawk command to reformat the passwd entry.
      % nawk -F: '{print $1":x:"$3":"$4":"$5":"$6":"$7}' > passwd
    3. Use the nawk command to create a shadow entry.
      % nawk -F: '{print $1":"$2":6445::::::"}' > shadow
    4. Use the nawk command to create a user_attr entry.
      % nawk -F: '{print $1"::::lock_after_retries=yes-or-no;profiles=user-profile, ...;
      auths=auth-name,..."}' > user_attr
  3. Copy the modified files to the /tmp directory on the LDAP server.
    # cp aliases auto_home_internal passwd shadow user_attr /tmp/name
  4. Add the entries in the files in Step 3 to the databases on the LDAP server.
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
    -a simple -f /tmp/name/aliases aliases
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
    -a simple -f /tmp/name/auto_home_internal auto_home_internal
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
    -a simple -f /tmp/name/passwd passwd
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
    -a simple -f /tmp/name/shadow shadow
    # /usr/sbin/ldapaddent -D "cn=directory manager" -w DM-password \
    -a simple -f /tmp/name/user_attr user_attr

Example 4-8 Adding a User From an NIS Database to the LDAP Server

In the following example, the administrator adds a new user to the trusted network. The user's information is stored originally in an NIS database. To protect the LDAP server password, the administrator runs the ldapaddent commands on the server.

In Trusted Extensions, the new user can allocate devices and assume the Operator role. Because the user can assume a role, the user account does not get locked out. The user's minimum label is PUBLIC. The label at which the user works is INTERNAL, so jan is added to the auto_home_internal database. The auto_home_internal database automounts jan's home directory with read-write permissions.