This section provides step-by-step instructions for using the NIS+ command set to perform the following tasks:
Note: Perform this task with the NIS+ installation scripts (see Using NIS+ Setup Scripts) rather than with the NIS+ command set as described here. The methods described in this section should only be used by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.
See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.
This section describes how to set up clients in both standard NIS+ domains and NIS-compatible domains.
The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided in NIS+ Client Setup Summary.
Note that in the client setup instructions you must choose which of three methods to use: broadcast, host name, or cold-start file. Since each method is implemented differently, each has its own task description. After initializing a client by one of these methods, you can continue setting up the client.
This task changes a workstation's domain name. Since a workstation's domain name is usually set during installation, check it before deciding whether to perform this task. To verify the name, type domainname.
A workstation is usually assigned to its domain during installation. On an operating network, the installation script usually obtains the domain name automatically and asks for confirmation. During the installation process, the workstation's domain name is assigned to a variable called domainname, which is stored in the kernel. There, it is made available to any program that needs it.
However, when a workstation is rebooted, the setting of the domainname variable is lost. As a result, unless the domain name is saved elsewhere, the operating system no longer knows which domain the workstation belongs to. To solve this problem, the domain name is stored in a file called /etc/rc.nfs.
Note: When the workstation is rebooted, the kernel automatically obtains the domain name from this file and resets the domainname variable. Thus, if you change or set a workstation's domain name, you must also edit the /etc/rc.nfs file or run the chypdom command. Otherwise, the workstation reverts to its previous domain name at next reboot.
For the following procedure, you need:
In the following example, client1 is the workstation and Wiz.Com. is the new domain name.
client1% su Password:
Type the new name with the domainname command. Do not use a trailing dot.
client1# domainname Wiz.Com
Note: If the workstation was an NIS client, it may no longer be able to get NIS service.
client1# domainname wiz.com.
client1# chypdom -I Wiz.Com.
Note: Because you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the workstation before you reboot. Otherwise, you might find yourself rebooting several times instead of just once.
After you enter the new domain name into the /etc/rc.nfs file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the workstation.
Initialize a NIS+ client by any of the following ways:
This method initializes an NIS+ client by sending an IP broadcast on the client's subnet. Although this is the simplest way to set up a client, it is also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its cold-start file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, the client cannot determine whether the workstation that responded to the broadcast is indeed a trusted server. As a result, this method is only recommended for sites with small, secure networks.
Before you begin the following procedure, you need:
Use the nisinit command with the -c and -B options to initialize the client:
client1# nisinit -c -B This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.
This command initializes the client and creates a NIS_COLD_START file in its /var/nis directory. An NIS+ server on the same subnet replies to the broadcast and adds its location information to the client's cold-start file.
Initializing a client by host name consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's cold-start file.
Initializing by the host name method is more secure than the broadcast method because it specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it can intercept messages to the trusted IP address and route the messages to an untrusted server.
Before you begin the following procedure, you need:
Client1# nisinit -c -H rootmaster This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.
This command initializes the client and creates an NIS_COLD_START file in its /var/nis directory. The nisinit utility looks for the server's address in the client's /etc/hosts file, so do not append a domain name to the server. Otherwise, the utility cannot locate its address.
This task initializes an NIS+ client by using the cold-start file of another NIS+ client, preferably one from the same domain. This is the most secure method of setting up an NIS+ client because it ensures that the client obtains its NIS+ information from a trusted server.
Before you begin the following procedure, you need:
Note: Do not copy the NIS_COLD_START file into /var/nis, because that file gets overwritten during initialization.
client2# exit client2% rcp client1:/var/nis/NIS_COLD_START /tmp client2% su
client2# nisinit -c -C /tmp/NIS_COLD_START This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.
The following table shows a summary of the steps required to set up a
client. Table entries are simplified. Refer to the more thorough
task descriptions for options, exceptions, and messages.
Setting Up a Client: Command Summary | |
---|---|
Tasks | Commands |
Log in to domain's master. |
rootmaster% |
Create DES credentials for client. |
rootmaster% nisaddcred \ -p unix.client1.Wiz.Com \ -P client1.Wiz.Com. des |
Log in, as root user, to the client. |
client1% su Password: |
Assign the client a domain name. |
client1# domainname Wiz.Com client1# chypdom -I Wiz.Com. |
Check the configuration file. |
client# view /etc/irs.conf |
Clean out /var/nis. |
client1# rm -rf /var/nis/* |
Initialize the client. |
client1# nisinit -c -H rootmaster |
Kill and restart the keyserver. |
client1# stopsrc -s keyserv client1# startsrc -s keyserv |
Run keylogin on the client. |
client1# keylogin -r Password: |
Reboot the client. |
client1# shutdown -Fr |
This section describes how to set up a typical NIS+ client in either the root domain or in a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.
Attention: Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west you do not want to create a sales.west.myco.com subdirectory.
Setting up an NIS+ client involves the following tasks:
However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the setup process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:
Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for them to be created by an administrator who has valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.
Once an administrator creates the client's credentials, the client can complete the setup process. However, the client still needs read access to the directory object of its home domain. If you set up the client's home domain according to the instructions in either Setting Up the Root Domain, or Setting Up a Nonroot Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).
You can check the directory object's access rights by using the niscat -o command. This command displays the properties of the directory, including its access rights:
rootmaster# niscat -o Wiz.Com. ObjectName : wiz Owner : rootmaster.wiz.com. Group : admin.wiz.com. Access Rights : r---rmcdr---r--- . . .
You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Administering NIS+ Access Rights.
The administrator setting up the client's credentials must have:
The client must have:
You can log in as root user or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.
Use the nisaddcred command with the -p and -P arguments. Here is the syntax:
nisaddcred -p secure-RPC-netname -P principal-name des [domain]
The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.
This example adds a DES credential for a client workstation named client1 in the Wiz.Com. domain:
rootmaster% nisaddcred -p unix.client1@Wiz.Com -P client1.Wiz.Com. des Adding key pair for unix.client1@Wiz.Com (client1.Wiz.Com.). Enter client1.Wiz.Com.'s root login passwd: Retype password:
For more information about the nisaddcred command, see Administering NIS+ Credentials.
Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.
There are three ways to assign a new domain name to a client. Those methods are described in Changing a Workstation's Domain. Use one of those methods to change the client's domain name and then return to the following step.
If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis.
client1# ls /var/nis NIS_COLD_START NIS_SHARED_CACHE client1# rm -rf /var/nis/* client1# stopsrc -s nis_cachemgr
This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to consider temporarily storing them elsewhere, until you finish setting up the root domain.
Initialize a client in one of three different ways: by host name, by cold-start file, or by broadcast (see Initializing an NIS+ Client).
This step stores the client's secret key on the keyserver.
stopsrc -s keyserv
This also has the side effect of updating the key server's switch information about the client.
startsrc -s keyserv
This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the root user on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's root user password. It must be the same as the password supplied to create the client's DES credentials:
client1# keylogin -r Password: Wrote secret key into /etc/.rootkey