Name Services Administration Guide

Chapter 2: Setting Up NIS+ Clients

This chapter provides step-by-step instructions for the following tasks:
  • Setting Up NIS+ Clients
  • Initializing an NIS+ Client by Broadcast
  • Initializing an NIS+ Client by Hostname
  • Initializing an NIS+ Client by Coldstart File
  • Changing a Client's Domain Name


This chapter describes how to set up clients in a standard NIS+ domain and in an NIS-compatible domain. At Step 7 of the client setup instructions you must choose one of three initialization methods: broadcast, hostname, or coldstart file. Since each method is implemented differently, each has its own task description. After initializing a client by one of these methods, you continue setting up the client by returning to Step 8.
The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided at the end of the chapter.
The last task in the chapter describes how to change a workstation's domain name.

Setting Up NIS+ Clients

This task describes how to set up a typical NIS+ client, whether in the root domain or in a non-root domain. It applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain. Setting up an NIS+ client involves the following tasks:
  • Creating credentials for the client
  • Preparing the workstation
  • Initializing the workstation as an NIS+ client.
However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the setup process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged into the most efficient order. They are:
  1. Log on to the domain's master server.

  2. Create DES credentials for the new client workstation.

  3. Log on, as superuser, to the client.

  4. Assign the client its new domain name.

  5. Check the client's Switch configuration file.

  6. Clean out leftover NIS+ material and processes.

  7. Initialize the client.

  8. Kill and restart the keyserv daemon.

  9. Run keylogin.

  10. Reboot the client.

Security Considerations

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. The only way for a client to obtain credentials in a domain running at security level 2 is for an administrator who has valid DES credentials and Modify rights to the Cred table in the client's home domain to create them. The administrator's DES credentials can be in either the client's home domain or the administrator's own home domain.
Once an administrator creates the client's credentials, the client can complete the setup process. However, the client still needs Read access to the directory object of its home domain. If you set up the client's home domain according to the instructions in either Chapter 1 or Chapter 4, Read access was provided to the World class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).
You can check the directory object's access rights by using the niscat -o command. It displays the properties of the directory, including its access rights. Here is an example:

  rootmaster# niscat -o Wiz.Com.  
  ObjectName    : Wiz  
  Owner         : rootmaster.Wiz.Com.  
  Group         : admin.Wiz.Com.  
  Domain        : Com.  
  Access Rights : r---rmcdr---r---  
  .  
  .  
  .  

You can change the directory object's access rights, provided you have Modify rights to it yourself, by using the nischmod command, described in Chapter 9, "Administering NIS+ Access Rights."

Prerequisites

  • The administrator setting up the client's credentials must have valid DES credentials and Modify rights to the Cred table in the client's home domain.
  • The client must have Read rights to the directory object of its home domain.
  • The client's home domain must already be set up and running NIS+.
  • The client must have an entry either in the master server's /etc/hosts file or in its domain's Hosts table.

Information You Need

  • The name of the client's home domain
  • The superuser password of the workstation that will become the client
  • The IP address of an NIS+ server in the client's home domain.

· How to Set up an NIS+ Client

  1. Log on to the domain's master server.

    You can log on as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's Cred table.

  2. Create DES credentials for the new client workstation.

    Use the nisaddcred command with the -p and -P arguments. Here is the syntax, followed by an example:

   nisaddcred -p secure-RPC-netname -P principal-name des [domain]

The secure RPC netname consists of the prefix "unix." followed by the client's hostname, the symbol "@" and the client's domain name, without a trailing dot. The principal name consists of the client's hostname and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name as the final, optional domain argument.
This example adds a DES credential for a client workstation named client1 in the Wiz.Com. domain:

  rootmaster% nisaddcred -p unix.client1@Wiz.Com \  
                              -P client1.Wiz.Com. des  
  Adding key pair for unix.client1@Wiz.Com (client1.Wiz.Com.).  
  Enter client1.Wiz.Com.'s root login passwd:            enter-password  
  Retype password: enter-password  

For more information about the nisaddcred command, see Chapter 8, "Administering NIS+ Credentials."
  3. Log on, as superuser, to the client.

    Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

  4. Assign the client its new domain name.

    Assign the client its new domain name using the task "Changing a Client's Domain Name" at the end of this chapter. Then return to Step 5.

  5. Check the client's Switch configuration file.

    Make sure the client is using the NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. Figure 2-1 shows the correct version of the file.


  client1# more /etc/nsswitch.conf  
  #  
  # /etc/nsswitch.nisplus:  
  #  
  # An example file that could be copied over to /etc/nsswitch.conf; it  
  # uses NIS+ (NIS Version 3) in conjunction with files.  
  #  
  # "hosts:" and "services:" in this file are used only if the /etc/netconfig  
  # file contains "switch.so" as a nametoaddr library for "inet" transports.  
  
  # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.  
  passwd:     files nisplus  
  group:      files nisplus  
  
  # consult /etc "files" only if nisplus is down.  
  hosts:      nisplus [NOTFOUND=return] files  
  #Uncomment the following line, and comment out the above, to use both DNS and NIS+  
  #hosts:      nisplus dns [NOTFOUND=return] files  
  
  services:   nisplus [NOTFOUND=return] files  
  networks:   nisplus [NOTFOUND=return] files  
  protocols:  nisplus [NOTFOUND=return] files  
  rpc:        nisplus [NOTFOUND=return] files  
  ethers:     nisplus [NOTFOUND=return] files  
  netmasks:   nisplus [NOTFOUND=return] files  
  bootparams: nisplus [NOTFOUND=return] files  
  
  publickey:  nisplus  
  
  netgroup:   nisplus  
  
  automount:  files nisplus  
  aliases:    files nisplus  

Figure 2-1 NIS+ Version of nsswitch.conf File
If the file does not look like the one above, change it to the version recommended for NIS+. Complete instructions are provided in Chapter 6, "Setting Up the Name Service Switch," but here is an example.

  client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf  

Although the instructions in Chapter 6 tell you to kill and restart the keyserver, you don't need to at this point, since you'll do so in Step 8.
  6. Clean out leftover NIS+ material and processes.

    If the workstation you are working on was previously used as an NIS+ server or client and you no longer want to retain those bindings, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a coldstart file and a directory cache file still exist in /var/nis:


  client1# ls /var/nis  
  NIS_COLD_START     NIS_SHARED_CACHE  
  client1# rm -rf /var/nis/*  
  client1# ps -ef | grep nis_cachemgr  
     root  295   260 10 15:26:58 pts/0  0:00 grep nis_cachemgr  
     root  286     1 57 15:21:55 ?      0:01 /usr/sbin/nis_cachemgr  
  client1# kill -9 286  

This step makes sure files left in /var/nis or directory objects stored by the cache manager are completely erased so they do not conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to consider storing them elsewhere temporarily, until you finish setting up the root domain.
  7. Initialize the client.

    You can initialize a client in three different ways: by hostname, by coldstart file, or by broadcast. (See "Initializing an NIS+ Client by Broadcast", "Initializing an NIS+ Client by Hostname", or "Initializing an NIS+ Client by Coldstart File".) Select a method then proceed with Step 8.

  8. Kill and restart the keyserv daemon.

    The following step stores the client's secret key on the keyserver. Before that can be done, you must kill and restart the keyserv daemon. This also has the side effect of updating the key server's Switch information about the client.

    First kill the keyserv daemon, then remove the /etc/.rootkey file, then restart the keyserver. Here is an example:


  client1# ps -e | grep keyserv  
  root  145    1  67  16:34:44         ?   keyserv  
     .  
     .  
     .  
  client1# kill 145  
  client1# rm -f /etc/.rootkey  
  client1# keyserv  

  9. Run keylogin.

    This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the superuser on the client does not have to do a keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, enter the client's superuser password. It must be the same as the password supplied to create the client's DES credentials:


  client1# keylogin -r  
  Password: enter-superuser-password  
  Wrote secret key into /etc/.rootkey  

  10. Reboot the client.

    This step completes this task.
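The switch-file check in Step 5 is usually done by eye. The following script, added here and not part of the guide, compares a switch file against the NIS+ version in Figure 2-1, accepting the commented-out "hosts: nisplus dns [NOTFOUND=return] files" line as the one permitted variant; the two sample files it writes under a temporary directory are constructed for the example.

```shell
# Added example (not from the guide): audit a switch file against the NIS+
# version shown in Figure 2-1. The only variant accepted is the commented-out
# "hosts: nisplus dns [NOTFOUND=return] files" line. Prints each database whose
# sources differ or are missing; returns 0 on a match, 1 otherwise.
check_switch() {
    awk '
    BEGIN {
        n = split("services networks protocols rpc ethers netmasks bootparams", db, " ")
        for (i = 1; i <= n; i++) want[db[i]] = "nisplus [NOTFOUND=return] files"
        want["hosts"] = "nisplus [NOTFOUND=return] files"
        alt["hosts"]  = "nisplus dns [NOTFOUND=return] files"
        want["passwd"] = want["group"] = "files nisplus"
        want["automount"] = want["aliases"] = "files nisplus"
        want["publickey"] = want["netgroup"] = "nisplus"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }             # skip comments and blank lines
    {
        sub(/#.*/, "")                             # drop a trailing comment
        name = $1; sub(/:$/, "", name)
        if (!(name in want)) next                  # database not in Figure 2-1
        seen[name] = 1
        src = ""
        for (i = 2; i <= NF; i++) src = src (i > 2 ? " " : "") $i
        if (src != want[name] && !(name in alt && src == alt[name])) {
            printf "%s: found \"%s\", expected \"%s\"\n", name, src, want[name]
            bad = 1
        }
    }
    END {
        for (name in want) if (!(name in seen)) { printf "%s: missing\n", name; bad = 1 }
        exit bad
    }' "$1"
}
WORK=$(mktemp -d "${TMPDIR:-/tmp}/nsswitch.XXXXXX")   # constructed sample files
GOOD_SWITCH="$WORK/nsswitch.nisplus"   # Figure 2-1, with the dns variant for hosts
BAD_SWITCH="$WORK/nsswitch.leftover"   # an NIS-era file left on the workstation
cat > "$GOOD_SWITCH" <<'EOF'
passwd:     files nisplus
group:      files nisplus
hosts:      nisplus dns [NOTFOUND=return] files
services:   nisplus [NOTFOUND=return] files
networks:   nisplus [NOTFOUND=return] files
protocols:  nisplus [NOTFOUND=return] files
rpc:        nisplus [NOTFOUND=return] files
ethers:     nisplus [NOTFOUND=return] files
netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus
netgroup:   nisplus
automount:  files nisplus
aliases:    files nisplus
EOF
cat > "$BAD_SWITCH" <<'EOF'
passwd:     compat
hosts:      files nis   # NIS, not NIS+
publickey:  nisplus
EOF
check_switch "$GOOD_SWITCH" && echo "$GOOD_SWITCH: matches the NIS+ version"
check_switch "$BAD_SWITCH" || echo "$BAD_SWITCH: replace with /etc/nsswitch.nisplus"
```

Run it as `check_switch /etc/nsswitch.conf` on the client before Step 6; a non-zero exit means the file still needs the cp shown in Step 5.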

Initializing an NIS+ Client by Broadcast

This method initializes an NIS+ client by sending an IP broadcast on the client's subnet.
This is the simplest way to set up a client, but also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its coldstart file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, since the client has no way of knowing whether the workstation that responded to the broadcast is indeed a trusted server, this is the least secure method of setting up a client. As a result, this method is only recommended for sites with small, secure networks.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

At least one NIS+ server must exist on the same subnet as the client.

Information You Need

You need the superuser password to the client.

· How to Initialize an NIS+ Client -- Broadcast Method

  1. Initialize the client.

    This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -B options:


  client1# nisinit -c -B  
  This machine is in the Wiz.Com. NIS+ domain.  
  Setting up NIS+ client ...  
  All done.  

An NIS+ server on the same subnet will reply to the broadcast and add its location information into the client's coldstart file.
This step completes this task.

Initializing an NIS+ Client by Hostname

Initializing a client by hostname consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's coldstart file.
This method is more secure than the broadcast method because it actually specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it could intercept messages to the "trusted" IP address and route them to an untrusted server.

Security Considerations

You must perform this operation as superuser on the client.

Prerequisites

  • The NIS+ service must be running in the client's domain.
  • The client must have an entry in its /etc/hosts file for the trusted server.

Information You Need

You need the name and IP address of the trusted server.

· How to Initialize an NIS+ Client -- Hostname Method

  1. Check the client's /etc/hosts file.

    Make sure the client has an entry for the trusted server.

  2. Initialize the client.

    This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -H options. This example uses rootmaster as the trusted server:


  client1# nisinit -c -H rootmaster  
  This machine is in the Wiz.Com. NIS+ domain.  
  Setting up NIS+ client ...  
  All done.  

The nisinit utility looks for the server's address in the client's /etc/hosts file, so don't append a domain name to the server. If you do, the utility won't be able to find its address.
This step completes this task.

Initializing an NIS+ Client by Coldstart File

This task initializes an NIS+ client by using the coldstart file of another NIS+ client -- preferably from the same domain. This is the most secure method of setting up an NIS+ client. It ensures that the client obtains its NIS+ information from a trusted server -- something that cannot be guaranteed by the hostname or broadcast method.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

The servers specified in the coldstart file must already be set up and running NIS+.

Information You Need

You need the name and location of the coldstart file you will copy.

· How to Initialize an NIS+ Client -- Coldstart Method

  1. Copy the other client's coldstart file.

    Copy the other client's coldstart file into a directory in the new client. This may be easier to do while logged on as yourself rather than as superuser on the client. Be sure to switch back to superuser before initializing the client.

    Don't copy the NIS_COLD_START file into /var/nis though, because during initialization that file gets overwritten. This example copies the coldstart file of "client1" into the /tmp directory of "client2."


  client2# exit  
  client2% rcp client1:/var/nis/NIS_COLD_START /tmp  
  client2% su  

  2. Initialize the client from the coldstart file.

    Use the nisinit command with the -c and -C options, as shown below.


  client2# nisinit -c -C /tmp/NIS_COLD_START  
  This machine is in the Wiz.Com. NIS+ domain.  
  Setting up NIS+ client ...  
  All done.  

This step completes this task.

Changing a Client's Domain Name

This task changes a workstation's domain name. Since a workstation's domain name is usually set during installation, you should check it (just enter domainname without an argument) before you decide to use this task.

Specifying a Domain Name After Installation

A workstation is usually assigned to its domain during installation. On an operating network, the installation script usually obtains the domain name automatically and simply asks the installer to confirm it. During the installation proper, the workstation's domain name is assigned to a variable called domainname, and stored in the kernel. There, it is made available to any program that needs it.
However, when a workstation is rebooted, the setting of the domainname variable is lost. As a result, unless the domain name is saved somewhere, the operating system no longer knows which domain the workstation belongs to. To solve this problem, the domain name is stored in a file called /etc/defaultdomain.
When the workstation is rebooted, the kernel automatically obtains the domain name from this file and resets the domainname variable. However, only at reboot is the variable updated automatically. If you change a workstation's domain name sometime after installation, you must also edit the /etc/defaultdomain file; if you don't, after the next reboot, the workstation will revert to its previous domain name.

Security Considerations

You must perform this task as superuser on the workstation whose domain name you will change.

Information You Need

  • The workstation's superuser password
  • The new domain name.

· How to Change a Client's Domain Name

  1. Log on to the workstation and become superuser.

    The examples in this task use "client1" as the workstation and "Wiz.Com." as the new domain name.

  client1% su  
  Password: enter-password  

  2. Change the workstation's domain name.

    Enter the new name with the domainname command, as shown below. Do not use a trailing dot.


  client1# domainname Wiz.Com  

If the workstation was an NIS client, it may no longer be able to get NIS service.
  3. Verify the result.

    Use the domainname command again, this time without an argument, to display the workstation's current domain name.


  client1# domainname  
  Wiz.Com  

  4. Save the new domain name.

    Redirect the output of the domainname command into the /etc/defaultdomain file.


  client1# domainname > /etc/defaultdomain  

  5. At a convenient time, reboot the workstation.

    Even after entering the new domain name into the /etc/defaultdomain file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the workstation.

    Since you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the workstation before rebooting. Otherwise, you might find yourself rebooting several times instead of just once.

    This step completes this task.

NIS+ Client Set Up Summary

Figure 2-2 shows a summary of the steps required to set up a client. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. For brevity, this summary does not show the responses to each command.

   1. Log on to domain's master.            rootmaster%
   2. Create DES credentials for client.    rootmaster% nisaddcred -p unix.client1@Wiz.Com \
                                                -P client1.Wiz.Com. des
   3. Log on, as superuser, to the client.  client1% su
                                            Password: enter-password
   4. Assign the client a domain name.      client1# domainname Wiz.Com
                                            client1# domainname > /etc/defaultdomain
   5. Check the switch configuration file.  client1# more /etc/nsswitch.conf
   6. Clean out /var/nis.                   client1# rm -rf /var/nis/*
   7. Initialize the client.                client1# nisinit -c -H rootmaster
   8. Kill and restart the keyserver.       client1# ps -ef | grep keyserv
                                            client1# kill -9 process-id
                                            client1# keyserv
   9. Keylogin the client.                  client1# keylogin -r
                                            Password: enter-superuser-password
  10. Reboot the client.                    client1# init 6

Figure 2-2 Summary: How to Set Up a Client