[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide


Setting Up NIS+ Clients

This section provides step-by-step instructions for using the NIS+ command set to perform the following tasks:

Note: Perform this task with the NIS+ installation scripts (see Using NIS+ Setup Scripts) rather than with the NIS+ command set as described here. The methods described in this section should only be used by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.

See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.

This section describes how to set up clients in both standard NIS+ domains and NIS-compatible domains.

The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided in NIS+ Client Setup Summary.

Note that in the client setup instructions you must choose which of three methods to use: broadcast, host name, or cold-start file. Since each method is implemented differently, each has its own task description. After initializing a client by one of these methods, you can continue setting up the client.

Changing a Workstation's Domain

This task changes a workstation's domain name. Since a workstation's domain name is usually set during installation, check it before deciding whether to perform this task. To verify the name, type domainname.

Specifying a Domain Name After Installation

A workstation is usually assigned to its domain during installation. On an operating network, the installation script usually obtains the domain name automatically and asks for confirmation. During the installation process, the workstation's domain name is assigned to a variable called domainname, which is stored in the kernel. There, it is made available to any program that needs it.

However, when a workstation is rebooted, the setting of the domainname variable is lost. As a result, unless the domain name is saved elsewhere, the operating system no longer knows which domain the workstation belongs to. To solve this problem, the domain name is stored in a file called /etc/rc.nfs.

Note: When the workstation is rebooted, the kernel automatically obtains the domain name from this file and resets the domainname variable. Thus, if you change or set a workstation's domain name, you must also edit the /etc/rc.nfs file or run the chypdom command. Otherwise, the workstation reverts to its previous domain name at next reboot.

Prerequisities

For the following procedure, you need:

Procedure

  1. Log in to the workstation and become root user.

    In the following example, client1 is the workstation and Wiz.Com. is the new domain name.

    client1% su
    Password:
    
  2. Change the workstation's domain name.

    Type the new name with the domainname command. Do not use a trailing dot.

    client1# domainname Wiz.Com
    

    Note: If the workstation was an NIS client, it may no longer be able to get NIS service.
  3. Verify the result by running the domainname command again, this time without an argument, to display the server's current domain.

    client1# domainname 
    wiz.com.
    
  4. Save the new domain name.

    client1# chypdom -I Wiz.Com.
    
  5. At an appropriate time, reboot the workstation.

    Note: Because you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the workstation before you reboot. Otherwise, you might find yourself rebooting several times instead of just once.

    After you enter the new domain name into the /etc/rc.nfs file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the workstation.

Initializing an NIS+ Client

Initialize a NIS+ client by any of the following ways:

Initializing with the Broadcast Method

This method initializes an NIS+ client by sending an IP broadcast on the client's subnet. Although this is the simplest way to set up a client, it is also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its cold-start file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, the client cannot determine whether the workstation that responded to the broadcast is indeed a trusted server. As a result, this method is only recommended for sites with small, secure networks.

Prerequisites

Before you begin the following procedure, you need:

Procedure

Use the nisinit command with the -c and -B options to initialize the client:

client1# nisinit -c -B 
This machine is in the Wiz.Com. NIS+ domain.
Setting up NIS+ client ...
All done.

This command initializes the client and creates a NIS_COLD_START file in its /var/nis directory. An NIS+ server on the same subnet replies to the broadcast and adds its location information to the client's cold-start file.

Initializing with the Host-Name Method

Initializing a client by host name consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's cold-start file.

Initializing by the host name method is more secure than the broadcast method because it specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it can intercept messages to the trusted IP address and route the messages to an untrusted server.

Prerequisites

Before you begin the following procedure, you need:

Procedure
  1. Check the client's /etc/hosts file to verify the client has an entry for the trusted server.
  2. Use the nisinit command with the -c and -H options to initialize the client. The following example uses rootmaster as the trusted server.

    Client1# nisinit -c -H rootmaster 
    This machine is in the Wiz.Com. NIS+ domain.
    Setting up NIS+ client ...
    All done.
    

    This command initializes the client and creates an NIS_COLD_START file in its /var/nis directory. The nisinit utility looks for the server's address in the client's /etc/hosts file, so do not append a domain name to the server. Otherwise, the utility cannot locate its address.

Initializing with the Cold-Start File Method

This task initializes an NIS+ client by using the cold-start file of another NIS+ client, preferably one from the same domain. This is the most secure method of setting up an NIS+ client because it ensures that the client obtains its NIS+ information from a trusted server.

Prerequisites

Before you begin the following procedure, you need:

Procedure
  1. Copy the other client's cold-start file into a directory in the new client. (This step may be easier to do while logged on as yourself rather than as root user on the client. Be sure to switch back to root user before initializing the client.) The following example copies the cold-start file of the previously initialized client1 into the /tmp directory of an uninitialized client2.

    Note: Do not copy the NIS_COLD_START file into /var/nis, because that file gets overwritten during initialization.

    client2# exit
    client2% rcp client1:/var/nis/NIS_COLD_START /tmp
    client2% su
    
  2. Use the nisinit command with the -c and -C option to initialize the client from the cold-start file.

    client2# nisinit -c -C /tmp/NIS_COLD_START 
    This machine is in the Wiz.Com. NIS+ domain.
    Setting up NIS+ client ...
    All done.
    

NIS+ Client Setup Summary

The following table shows a summary of the steps required to set up a client. Table entries are simplified. Refer to the more thorough task descriptions for options, exceptions, and messages.

Setting Up a Client: Command Summary
Tasks Commands
Log in to domain's master.

rootmaster%
Create DES credentials for client.

rootmaster% nisaddcred \
  -p unix.client1.Wiz.Com  \
  -P client1.Wiz.Com. des
Log in, as root user, to the client.

client1% su
Password: 
Assign the client a domain name.

client1# domainname Wiz.Com
client1# chypdom -I Wiz.Com.
Check the configuration file.

client# view /etc/irs.conf
Clean out /var/nis.

client1# rm -rf /var/nis/*
Initialize the client.

client1# nisinit -c -H rootmaster  
Kill and restart the keyserver.

client1# stopsrc -s keyserv
client1# startsrc -s keyserv 
Run keylogin on the client.

client1# keylogin -r
Password:  
Reboot the client.

client1# shutdown -Fr 

Setting Up Clients

This section describes how to set up a typical NIS+ client in either the root domain or in a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.

Attention: Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west you do not want to create a sales.west.myco.com subdirectory.

Setting up an NIS+ client involves the following tasks:

However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the setup process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:

  1. Logging in to the domain's master server
  2. Creating DES credentials for the new client workstation
  3. Logging in as root user to the client
  4. Assigning the client its new domain name
  5. Cleaning out leftover NIS+ material and processes.
  6. Initializing the client.
  7. Killing and restarting the keyserv daemon.
  8. Running keylogin.
  9. Rebooting the client.

Security Considerations

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for them to be created by an administrator who has valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.

Once an administrator creates the client's credentials, the client can complete the setup process. However, the client still needs read access to the directory object of its home domain. If you set up the client's home domain according to the instructions in either Setting Up the Root Domain, or Setting Up a Nonroot Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).

You can check the directory object's access rights by using the niscat -o command. This command displays the properties of the directory, including its access rights:

rootmaster# niscat -o Wiz.Com.
ObjectName    : wiz
Owner         : rootmaster.wiz.com.
Group         : admin.wiz.com.
Access Rights : r---rmcdr---r---
.
.
.

You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Administering NIS+ Access Rights.

Prerequisites

The administrator setting up the client's credentials must have:

The client must have:

Procedure

  1. Log into the domain's master server.

    You can log in as root user or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.

  2. Create DES credentials for the new client workstation.

    Use the nisaddcred command with the -p and -P arguments. Here is the syntax:

    nisaddcred -p secure-RPC-netname -P principal-name des [domain]
    

    The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.

    This example adds a DES credential for a client workstation named client1 in the Wiz.Com. domain:

    rootmaster% nisaddcred -p unix.client1@Wiz.Com -P client1.Wiz.Com. des 
    Adding key pair for unix.client1@Wiz.Com (client1.Wiz.Com.).
    Enter client1.Wiz.Com.'s root login passwd:  
    Retype password:
    

    For more information about the nisaddcred command, see Administering NIS+ Credentials.

  3. Log in as root user to the client.

    Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

  4. Assign the client its new domain name.

    There are three ways to assign a new domain name to a client. Those methods are described in Changing a Workstation's Domain. Use one of those methods to change the client's domain name and then return to the following step.

  5. Clean out leftover NIS+ material and processes.

    If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis.

    client1# ls /var/nis
    NIS_COLD_START     NIS_SHARED_CACHE
    client1# rm -rf /var/nis/*
    client1# stopsrc -s nis_cachemgr
    

    This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

  6. Initialize the client.

    Initialize a client in one of three different ways: by host name, by cold-start file, or by broadcast (see Initializing an NIS+ Client).

  7. Kill and restart the keyserv daemon.

    This step stores the client's secret key on the keyserver.

    1. Kill the keyserv daemon.

      stopsrc -s keyserv
      

      This also has the side effect of updating the key server's switch information about the client.

    2. Remove the /etc/.rootkey file.
    3. Restart the keyserver.

      startsrc -s keyserv
      
  8. Run keylogin -r.

    This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the root user on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's root user password. It must be the same as the password supplied to create the client's DES credentials:

    client1# keylogin -r 
    Password: 
    Wrote secret key into /etc/.rootkey
    
  9. Reboot the client.


[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]