This procedure configures a separate name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnet that runs at the label of the zone, and the subnetwork has its own naming server for that label. In a labeled zone, if you plan to install packages that require a user account at that label, you might configure a separate name service per zone. For background information, see Applications That Are Restricted to a Labeled Zone and Decisions to Make Before Creating Users in Trusted Extensions.
Before You Begin
The Labeled Zone Manager is displayed. To open this GUI, see How to Create Labeled Zones Interactively. You are in the root role in the global zone.
For assistance, see the nscd(1M) man page.
After the reboot, the account of the user who assumed the root role to run the Labeled Zone Manager in Step 1 is configured in each zone. Other accounts that are specific to a labeled zone must be manually added to the zone.
zone-name # svcs -x name-service/cache svc:/system/name-service/cache:default (name service cache) State: online since September 10, 2012 10:10:12 AM PDT See: nscd(1M) See: /var/svc/log/system-name-service-cache:default.log Impact: None.
zone-name # netstat -rn
After testing one name service daemon per zone, the system administrator decides to remove the name service daemons from the labeled zones and run the daemon in the global zone only. To return the system to the default name service configuration, the administrator opens the txzonemgr GUI, selects the global zone, and selects Unconfigure per-zone name service, then OK. This selection removes the nscd daemon in every labeled zone. Then, the administrator reboots the system.
When configuring user and role accounts for each zone, you have three options.
You can create LDAP accounts in a multilevel LDAP directory server.
You can create LDAP accounts in separate LDAP directory servers, one server per label.
You can create local accounts.
Separately configuring a name service daemon in each labeled zone has password implications for all users. Users must authenticate themselves to gain access to any of their labeled zones, including the zone that corresponds to their default label. Furthermore, either the administrator must create accounts locally in each zone, or the accounts must exist in an LDAP directory where the zone is an LDAP client.
In the special case where an account in the global zone is running the Labeled Zone Manager, txzonemgr, the account's information is copied into the labeled zones so that at least that account is able to log in to each zone. By default, this account is the initial user account.