[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]
Network Information Services (NIS and NIS+) Guide

Setting Up NIS+ Clients

This section provides step-by-step instructions for using the NIS+ command set to perform the following tasks:

Note: It is much easier to perform this task with the NIS+ installation scripts than with the NIS+ command set as described here. The methods described in this section should only be used by those administrators who are very familiar with NIS+ and who require some non-standard features or configurations not provided by the installation scripts.

See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.

This section describes how to set up clients in both standard NIS+ domains and NIS-compatible domains.

The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided in NIS Client Setup Summary.

Note that in the client setup instructions you must choose which of three methods to use: broadcast, host name, or cold-start file. Since each method is implemented differently, each has its own task description. After initializing a client by one of these methods, you can continue setting up the client.

The last task in the section describes how to change a workstation's domain.

Changing a Workstation's Domain

This task changes a workstation's domain name. Since a workstation's domain name is usually set during installation, you should check it (type domainname without an argument) before you decide to perform this task.

Specifying a Domain Name After Installation

A workstation is usually assigned to its domain during installation. On an operating network, the installation script usually obtains the domain name automatically and simply asks the installer to confirm it. During the installation proper, the workstation's domain name is assigned to a variable called domainname, which is stored in the kernel. There, it is made available to any program that needs it.

However, when a workstation is rebooted, the setting of the domainname variable is lost. As a result, unless the domain name is saved somewhere else, the operating system no longer knows which domain the workstation belongs to. To solve this problem, the domain name is stored in a file called /etc/rc.nfs.

Note: When the workstation is rebooted, the kernel automatically obtains the domain name from this file and resets the domainname variable. Thus, if you change or set a workstation's domain name, you must also edit the /etc/rc.nfs file or run the chypdom command; if you do not, after the next reboot, the workstation will revert to its previous domain name.

Security Considerations

You must perform this task as superuser on the workstation whose domain name you will change.

Preqrequisities

Procedure

  1. Log in to the workstation and become superuser.

    The examples in this task use client1 as the workstation and Wiz.Com. as the new domain name.

    client1% su
    Password:
  2. Change the workstation's domain name.

    Type the new name with the domainname command. Do not use a trailing dot.

    client1# domainname Wiz.Com

    If the workstation was an NIS client, it may no longer be able to get NIS service.

  3. Verify the result.

    Run the domainname command again, this time without an argument, to display the server's current domain.

    client1# domainname 
    wiz.com.
  4. Save the new domain name.
    client1# chypdom -I Wiz.Com.
  5. At a convenient time, reboot the workstation.

    Even after entering the new domain name into the /etc/rc.nfs file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the workstation.

    Since you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the workstation before rebooting. Otherwise, you might find yourself rebooting several times instead of just once.

Initializing an NIS+ Client

There are three different ways to initialize a NIS+ client:

  1. Broadcast method (see Broadcast Initialization)
  2. Host-name method (see Host-Name Initialization)
  3. Cold-start file method (see Cold-Start File Initialization)

Broadcast Initialization

This method initializes an NIS+ client by sending an IP broadcast on the client's subnet.

This is the simplest way to set up a client but is also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its cold-start file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, the client has no way of knowing whether the workstation that responded to the broadcast is indeed a trusted server. As a result, this method is only recommended for sites with small, secure networks.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

At least one NIS+ server must exist on the same subnet as the client.

Information You Need

You need the superuser password to the client.

Procedure

Initialize the client.

This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -B options.

client1# nisinit -c -B 
This machine is in the Wiz.Com. NIS+ domain.
Setting up NIS+ client ...
All done.

An NIS+ server on the same subnet will reply to the broadcast and add its location information into the client's cold-start file.

Host-Name Initialization

Initializing a client by host name consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's cold-start file.

This method is more secure than the broadcast method because it actually specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it could intercept messages to the trusted IP address and route them to an untrusted server.

Security Considerations

You must perform this operation as superuser on the client.

Prerequisites

You need the name and IP address of the trusted server.

Procedure
  1. Check the client's /etc/hosts file.

    Make sure the client has an entry for the trusted server.

  2. Initialize the client.

    This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -H options. This example uses rootmaster as the trusted server.

    Client1# nisinit -c -H rootmaster 
    This machine is in the Wiz.Com. NIS+ domain.
    Setting up NIS+ client ...
    All done.

    The nisinit utility looks for the server's address in the client's /etc/hosts file, so do not append a domain name to the server. If you do, the utility will not be able to find its address.

Cold-Start File Initialization

This task initializes an NIS+ client by using the cold-start file of another NIS+ client, preferably one from the same domain. This is the most secure method of setting up an NIS+ client. It ensures that the client obtains its NIS+ information from a trusted server, something that cannot be guaranteed by the host-name or broadcast method.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

The servers specified in the cold-start file must already be set up and running NIS+.

You need the name and location of the cold-start file you will copy.

Procedure
  1. Copy the other client's cold-start file.

    Copy the other client's cold-start file into a directory in the new client. This may be easier to do while logged on as yourself rather than as superuser on the client. Be sure to switch back to superuser before initializing the client.

    Do not copy the NIS_COLD_START file into /var/nis, because that file gets overwritten during initialization. This example copies the cold-start file of previously initialized client1 into the /tmp directory of uninitialized client2.

    client2# exit
    client2% rcp client1:/var/nis/NIS_COLD_START /tmp
    client2% su
  2. Initialize the client from the cold-start file.

    Use the nisinit command with the -c and -C options.

    client2# nisinit -c -C /tmp/NIS_COLD_START 
    This machine is in the Wiz.Com. NIS+ domain.
    Setting up NIS+ client ...
    All done.

NIS+ Client Setup Summary

The following table shows a summary of the steps required to set up a client. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. For the sake of brevity, this summary does not show the responses to each command.

Setting Up a Client: Command Summary
Tasks Commands
Log in to domain's master.
rootmaster%
Create DES credentials for client.
rootmaster% nisaddcred -p unix.client1.Wiz.Com  -P client1.Wiz.Com. des 
Log in, as superuser, to the client.
client1% su
Password: 
Assign the client a domain name.
client1# domainname Wiz.Com
client1# chypdom -I Wiz.Com.
Check the configuration file.
client# view /etc/irs.conf
Clean out /var/nis.
client1# rm -rf /var/nis/*
Initialize the client.
client1# nisinit -c -H rootmaster  
Kill and restart the keyserver.
client1# stopsrc -s keyserv
client1# startsrc -s keyserv 
Run keylogin on the client.
client1# keylogin -r
Password:  
Reboot the client.
client1# shutdown -Fr 

Client Setup

This section describes how to set up a typical NIS+ client in either the root domain or in a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.

Attention: Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west you do not want to create a sales.west.myco.com subdirectory.

Setting up an NIS+ client involves the following tasks:

However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the setup process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:

  1. Logging in to the domain's master server
  2. Creating DES credentials for the new client workstation
  3. Logging in as superuser to the client
  4. Assigning the client its new domain name
  5. Cleaning out leftover NIS+ material and processes.
  6. Initializing the client.
  7. Killing and restarting the keyserv daemon.
  8. Running keylogin.
  9. Rebooting the client.

Security Considerations

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for them to be created by an administrator who has valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.

Once an administrator creates the client's credentials, the client can complete the setup process. However, the client still needs read access to the directory object of its home domain. If you set up the client's home domain according to the instructions in either Setting Up the Root Domain, or Setting Up a Nonroot Domain, read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).

You can check the directory object's access rights by using the niscat -o command. This command displays the properties of the directory, including its access rights:

rootmaster# niscat -o Wiz.Com.
ObjectName    : wiz
Owner         : rootmaster.wiz.com.
Group         : admin.wiz.com.
Access Rights : r---rmcdr---r---
.
.
.

You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in Administering NIS+ Access Rights.

Prerequisites

The administrator setting up the client's credentials must have:

The client must have:

Procedure

  1. Log into the domain's master server.

    You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.

  2. Create DES credentials for the new client workstation.

    Use the nisaddcred command with the -p and -P arguments. Here is the syntax:

    nisaddcred -p secure-RPC-netname -P principal-name des [domain]

    The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.

    This example adds a DES credential for a client workstation named client1 in the Wiz.Com. domain:

    rootmaster% nisaddcred -p unix.client1@Wiz.Com -P client1.Wiz.Com. des 
    Adding key pair for unix.client1@Wiz.Com (client1.Wiz.Com.).
    Enter client1.Wiz.Com.'s root login passwd:  
    Retype password:

    For more information about the nisaddcred command, see Administering NIS+ Credentials.

  3. Log in as superuser to the client.

    Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

  4. Assign the client its new domain name.

    There are three ways to assign a new domain name to a client. Those methods are described in Changing a Workstation's Domain. Use one of those methods to change the client's domain name and then return to the following step.

  5. Clean out leftover NIS+ material and processes.

    If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis.

    client1# ls /var/nis
    NIS_COLD_START     NIS_SHARED_CACHE
    client1# rm -rf /var/nis/*
    client1# stopsrc -s nis_cachemgr

    This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

  6. Initialize the client.

    Initialize a client in one of three different ways: by host name, by cold-start file, or by broadcast (see Initializing an NIS+ Client).

  7. Kill and restart the keyserv daemon.

    This step stores the client's secret key on the keyserver.

    1. Kill the keyserv daemon.
      stopsrc -s keyserv

      This also has the side effect of updating the key server's switch information about the client.

    2. Remove the /etc/.rootkey file.
    3. Restart the keyserver.
      startsrc -s keyserv
  8. Run keylogin -r.

    This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the superuser on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's superuser password. It must be the same as the password supplied to create the client's DES credentials:

    client1# keylogin -r 
    Password: 
    Wrote secret key into /etc/.rootkey
  9. Reboot the client.


[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]