

CHAPTER 6
Setting Up NIS+ Clients

Security Considerations
Prerequisites
Steps for Setting Up NIS+ Client Credentials
Steps for Setting Up an NIS+ Client
Verification of the Setup

This chapter describes how to set up a SunOS 5.x system as an NIS+ client when NIS+ servers are running. To set up an NIS+ client, you first must create DES credentials for the client in the domain. Then, on the client system, you perform these tasks as the superuser:

1.  Assign the client its new domain name.
2.  Set up the nsswitch.conf file.
3.  Install the /etc/resolv.conf file if you are using DNS.
4.  Check the /var/nis directory to make sure it's empty.
5.  Run the nisinit script to initialize the client.
6.  Kill and restart the keyserv daemon.
7.  Run keylogin -r to load the root private key into /etc/.rootkey.
8.  Reboot the client.

These tasks are described in detail later in this chapter.

Security Considerations

Both the administrator and the client must have the proper credentials and access rights. The administrator can have either:

  DES credentials in the client's home domain.
  A combination of DES credentials in the administrator's home domain and LOCAL credentials in the client's domain.

See Chapter 5, "Introducing the NIS+ Environment," for more information about DES and LOCAL credentials.

After you create the client's credentials in the NIS+ domain, you can complete the setup process on the client system. The directory object for its home domain on the NIS+ server must have Read access for the World and Nobody categories. If you are adding a client to an NIS+ domain that has existing clients, the directory object probably has the proper access permissions.

You can check the access rights for the directory object with the niscat -o command. The access rights are displayed on the fifth line of the output. In this example, the World category has Read access, as shown by the r--- at the end of the access rights string:

rootmaster# niscat -o ESG.Eng.sun.COM.
Object Name   : ESG
Owner         : oak.ESG.Eng.sun.COM.
Group         : admin.ESG.Eng.sun.COM.
Domain        : Eng.sun.COM.
Access Rights : r---rmcdrmcdr---
Time to Live  : 12:0:0
Object Type   : DIRECTORY
Name : 'ESG.Eng.sun.COM.'
Type : NIS
Master Server :
        Name       : oak.ESG.Eng.sun.COM.
        Public Key : None.
        Universal addresses (6)
        [1] - udp, inet, 127.0.0.1.0.111
        [2] - tcp, inet, 127.0.0.1.0.111
        [3] - -, inet, 127.0.0.1.0.111
        [4] - -, loopback, oak.rpc
        [5] - -, loopback, oak.rpc
        [6] - -, loopback, oak.rpc
Time to live : 12:0:0
Default Access rights :

If you have Modify rights, you can change the access rights for the directory object using the nischmod command. See the nischmod(1) manual page for more information.
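The access check described above can be scripted. The following POSIX shell functions are an added example, not part of the original chapter: they decode the rights string from niscat -o output and confirm that Nobody and World have Read. The function names are hypothetical, the sample input is constructed from the output shown above, and the last function is an extra check the chapter does not describe.

```shell
# Added example: decode the "Access Rights" line of niscat -o output.
# The 16 characters are four fields in the order Nobody, Owner, Group, World;
# each field is r(ead) m(odify) c(reate) d(estroy), with - for "not granted".

# Read niscat -o output on stdin, print the object's rights string.
rights_from_niscat() {
    sed -n 's/^Access Rights[[:space:]]*:[[:space:]]*\([-rmcd]\{16\}\)[[:space:]]*$/\1/p' |
        head -n 1
}

# category_rights STRING nobody|owner|group|world -> four-character field
category_rights() {
    case $2 in
        nobody) _start=1 ;;
        owner)  _start=5 ;;
        group)  _start=9 ;;
        world)  _start=13 ;;
        *) return 2 ;;
    esac
    printf '%s\n' "$1" | cut -c "${_start}-$((_start + 3))"
}

# Succeed only if Nobody and World both have Read, as client setup requires.
client_can_read_directory() {
    [ "${#1}" -eq 16 ] || return 2
    for _who in nobody world; do
        case $(category_rights "$1" "$_who") in
            r*) ;;
            *) return 1 ;;
        esac
    done
}

# Extra check, not from the page: list Nobody/World rights beyond Read.
public_rights_beyond_read() {
    for _who in nobody world; do
        case $(category_rights "$1" "$_who") in
            ?---) ;;
            *) printf '%s:%s\n' "$_who" "$(category_rights "$1" "$_who")" ;;
        esac
    done
}

# Constructed sample: header lines of the niscat -o output shown above.
sample_output='Owner         : oak.ESG.Eng.sun.COM.
Access Rights : r---rmcdrmcdr---
Default Access rights :'
rights=$(printf '%s\n' "$sample_output" | rights_from_niscat)
client_can_read_directory "$rights" && echo "Nobody and World can read: $rights"
public_rights_beyond_read "$rights"
```

On a live system, pipe the real command into the first function, for example niscat -o domain-name | rights_from_niscat.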

Prerequisites

Before you set up a SunOS 5.x system as an NIS+ client, the client's domain must be set up and running NIS+. If you need help setting up NIS+, refer to All About Administering NIS+ by Rick Ramsey.

Before you start the setup procedure, check the items on the following list:

  You must have valid DES credentials and Modify rights to the Cred table in the client's home domain. Use either the nisls -l cred.org_dir or the niscat -o cred.org_dir command to check the access rights for the Cred table.
  The client must have Read rights to the directory object of its home domain. Use either the nisls -l domain-name or the niscat -o domain-name command to check the access rights for the domain.
  The master server for the domain must recognize the IP address for the client system. To recognize the client's IP address, you must have an entry for the client in either the /etc/hosts file or the NIS+ Hosts table for the domain. Use AdminSuite's Database Manager to display the contents of the Hosts database and, if needed, add the client name and IP address to the Hosts table.
  The client must be able to resolve the IP address of the domain master or local NIS+ replica. One or both of these host names and IP addresses must be in the client's /etc/hosts file because the client cannot use NIS+ to find the domain master until after it is running.

Steps for Setting Up NIS+ Client Credentials

This section provides the steps needed for setting up NIS+ client credentials from the master server. Before you start performing the steps in this section, you need the following information:

  The name of the master server for the client's domain.
  The name of the client system.
  Valid DES credentials.
  Modify rights to the Cred table.

Follow these steps to set up the credentials for an NIS+ client on the master server:

1.  Log on to the master server.
2.  Type nisaddcred -p unix.client-name@net-name -P client-name.domain-name. des domain-name and then press Return. The first argument is the secure RPC name of the principal. Note that you do not type a dot (.) following the RPC net-name. The second argument associates the NIS+ principal name with the client system.
3.  When prompted, type the root login password for the client.
4.  When prompted, retype the root login password for the client.

In this example, credentials are added to the master server named oak for a client named seachild in the domain ESG.Eng.sun.COM.

oak% nisaddcred -p unix.seachild@esg.eng.sun.com -P seachild.esg.eng.sun.com. des esg.eng.sun.com.
Adding key pair for unix.seachild@esg.eng.sun.com (seachild.esg.eng.sun.com.).
Enter login password: <enter-root-password>
Retype password: <enter-root-password>
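The dot rules in step 2 are easy to get wrong, so the names can be checked before nisaddcred prompts for the root password. This is an added example, not part of the original chapter. The function name check_cred_names is hypothetical, and the check assumes the net-name is the same as the client's domain name, as it is in the example above.

```shell
# Added example: pre-flight check for the two nisaddcred name arguments.
# Returns 0 if they are consistent; otherwise prints the problem, returns 1.
# Assumption: net-name equals the client's domain name, as in the example.
check_cred_names() {
    _net=$1    # secure RPC netname: unix.client-name@net-name (no final dot)
    _prin=$2   # NIS+ principal: client-name.domain-name. (final dot required)

    case $_net in
        unix.*@*.) echo "netname must not end with a dot: $_net"; return 1 ;;
        unix.?*@?*) ;;
        *) echo "netname must look like unix.client-name@net-name: $_net"
           return 1 ;;
    esac
    case $_prin in
        ?*.?*.) ;;
        *) echo "principal must end with a dot: $_prin"; return 1 ;;
    esac

    # Rebuild the principal from the netname and compare the two.
    _rest=${_net#unix.}     # client-name@net-name
    _host=${_rest%%@*}      # client-name
    _dom=${_rest#*@}        # net-name
    if [ "$_prin" != "$_host.$_dom." ]; then
        echo "principal $_prin does not match netname (expected $_host.$_dom.)"
        return 1
    fi
    return 0
}

# Constructed check using the names from the example above.
check_cred_names unix.seachild@esg.eng.sun.com seachild.esg.eng.sun.com. &&
    echo "names are consistent"
```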

