4 Setting Up a Non-Root Domain

This chapter provides step-by-step instructions for setting up a non-root domain (also known as a subdomain). Do not set up a non-root domain until after you have set up its servers.

A summary of the task is provided at the end of the chapter.
Setting Up a Non-Root Domain
This task describes how to set up a non-root domain, whether in NIS-compatibility mode or in standard NIS+ mode. Setting up a non-root domain involves the following tasks:

- Establishing security for the domain
- Creating the domain's directories
- Creating the domain's tables
- Designating the domain's servers

However, as with setting up the root domain, these tasks cannot be performed sequentially. To make the setup process easier to execute, they have been broken down into individual steps, and the steps have been arranged into the most efficient order.
Standard versus NIS-Compatible Setup Procedures
The differences between an NIS-compatible and a standard NIS+ server are the same as for the root domain. The NIS+ daemon for each server in an NIS-compatible domain should have been started with the -Y option, as instructed in Chapter 3.

An NIS-compatible domain also requires its tables to grant Read rights to the Nobody class, which allows NIS clients to access the information stored in them. This is accomplished with the -Y option to the nissetup command, in Step 4. The standard NIS+ domain version uses the same command without the -Y option, so it is described in the same step.

Here is a summary of the entire setup process:

1. Log on to the domain's master server.
2. Name the domain's administrative group.
3. Create the domain's directory and designate its servers.
4. Create the domain's subdirectories and tables.
5. Create the domain's admin group.
6. Assign full group access rights to the directory object.
7. Add the servers to the domain's admin group.
8. Add credentials for other administrators.
9. Add the administrators to the domain's admin group.
Security Considerations
In most sites, to preserve the security of the parent domain, only the parent domain's master server or an administrator who belongs to the parent domain's admin group is allowed to create a domain beneath it. Although this is a policy decision and not a requirement of NIS+, the instructions in this chapter assume that you are following that policy. Of course, the parent domain's admin group must have Create rights to the parent directory object. To verify this, use the niscat -o command:

rootmaster# niscat -o Wiz.Com.
Object Name : Wiz
Owner : rootmaster
Group : admin.Wiz.Com.
Domain : Com.
Access Rights : r---rmcdrmcdr---
...

If you are more concerned about convenience than security, you could simply make the new domain's master server a member of its parent domain's admin group and then perform the entire procedure from that server. Use the nisgrpadm command, described in Chapter 10, "Administering NIS+ Groups."
Prerequisites
- The parent domain must be set up and running.
- The server that will be designated as this domain's master must be initialized and running NIS+.
- If you will designate a replica server, the master server must be able to obtain the replica's IP address through its /etc/hosts file or from its NIS+ Hosts table.
Information You Need
- The name of the new domain (for Step 3)
- The name of the new domain's master and replica servers
- The name of the new domain's admin group (for Step 2)
- User IDs (UIDs) of the administrators who will belong to the new domain's admin group (for Step 8)
How to Set Up a Non-Root Domain

1. Log on to the domain's master server.

Log on to the server that you will designate as the new domain's master. The steps in this task use the server named "salesmaster," which belongs to the Wiz.Com. domain and will become the master server of the Sales.Wiz.Com. domain. The administrator performing this task is "topadmin.Wiz.Com.," a member of the admin.Wiz.Com. group. That group has full access rights to the Wiz.Com. directory object.
2. Name the domain's administrative group.

Although you won't actually create the admin group until Step 5, you need to identify it now. This enables the nismkdir command used in the following step to create the directory object with the proper access rights for the group. It does the same for the nissetup utility used in Step 4. Set the value of the environment variable NIS_GROUP to the name of the domain's admin group. Here are two examples, one for csh users and one for sh/ksh users. Both set NIS_GROUP to "admin.Sales.Wiz.Com."

salesmaster# setenv NIS_GROUP admin.Sales.Wiz.Com.    # for csh

salesmaster# NIS_GROUP=admin.Sales.Wiz.Com.           # for sh/ksh
salesmaster# export NIS_GROUP                          # for sh/ksh
3. Create the domain's directory and designate its servers.

The nismkdir command, in one step, creates the new domain's directory and designates its supporting servers. It has the following syntax:

nismkdir -m master -s replica domain

The -m flag designates the domain's master server, and the -s flag designates its replica. Here is an example:

salesmaster# nismkdir -m salesmaster -s salesreplica \
Sales.Wiz.Com.

The directory is loaded into /var/nis, but to view it, use the niscat -o command:

salesmaster# niscat -o Sales.Wiz.Com.
Object Name : Sales
Owner : topadmin.Wiz.Com.
Group : admin.Sales.Wiz.Com.
Domain : Wiz.Com.
Access Rights : ----rmcdr---r---
...

Unlike the root directory, this directory object does have the proper group assignment (because NIS_GROUP was set in Step 2). As a result, you won't have to use nischgrp.
4. Create the domain's subdirectories and tables.

This step adds the "org_dir" and "groups_dir" directories, and the NIS+ tables, beneath the new directory object. Use the nissetup utility, and be sure to add the new domain name. For an NIS-compatible domain, include the -Y flag. Here are examples of both versions:

salesmaster# /usr/lib/nis/nissetup -Y Sales.Wiz.Com.
--OR--
salesmaster# /usr/lib/nis/nissetup Sales.Wiz.Com.

Each object added by the utility is listed in the output:

salesmaster# /usr/lib/nis/nissetup
org_dir.Sales.Wiz.Com. created
groups_dir.Sales.Wiz.Com. created
auto_master.org_dir.Sales.Wiz.Com. created
auto_home.org_dir.Sales.Wiz.Com. created
bootparams.org_dir.Sales.Wiz.Com. created
cred.org_dir.Sales.Wiz.Com. created
ethers.org_dir.Sales.Wiz.Com. created
group.org_dir.Sales.Wiz.Com. created
hosts.org_dir.Sales.Wiz.Com. created
mail_aliases.org_dir.Sales.Wiz.Com. created
sendmailvars.org_dir.Sales.Wiz.Com. created
netmasks.org_dir.Sales.Wiz.Com. created
netgroup.org_dir.Sales.Wiz.Com. created
networks.org_dir.Sales.Wiz.Com. created
passwd.org_dir.Sales.Wiz.Com. created
protocols.org_dir.Sales.Wiz.Com. created
rpc.org_dir.Sales.Wiz.Com. created
services.org_dir.Sales.Wiz.Com. created
timezone.org_dir.Sales.Wiz.Com. created

The -Y option creates the same tables and subdirectories as for a standard NIS+ domain, but assigns Read rights to the Nobody class so that requests from NIS clients, which are unauthenticated, can access information in the NIS+ tables.

If you are curious, you can verify the existence of the org_dir and groups_dir directories by looking in your master's equivalent of /var/nis/salesmaster. They are listed along with the root object and other NIS+ files. The tables are listed under the org_dir directory. You can examine the contents of any table by using the niscat command, described in Chapter 5 (although at this point the tables are empty).
5. Create the domain's admin group.

This step creates the admin group named in Step 2. Use the nisgrpadm command with the -c option. The example below creates the "admin.Sales.Wiz.Com." group:

salesmaster# nisgrpadm -c admin.Sales.Wiz.Com.
Group "admin.Sales.Wiz.Com." created.

This step only creates the group; it does not identify its members. That is done in Step 9.
6. Assign full group access rights to the directory object.

By default, the directory object only grants its group Read access, which makes the group no more useful than the World class. To make the setup of clients and subdomains easier, change the access rights that the directory object grants its group from Read to Read, Modify, Create, and Destroy. Use the nischmod command, as shown below:

salesmaster# nischmod g+rmcd Sales.Wiz.Com.

Complete instructions for using the nischmod command are provided in Chapter 9, "Administering NIS+ Access Rights."
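The three checks this chapter asks you to make on an Access Rights string (that the parent's admin group holds Create rights under "Security Considerations", that the Nobody class can read tables after nissetup -Y in Step 4, and that the group's rights are rmcd after nischmod in Step 6) all come down to reading the same 16-character field that niscat -o prints: four 4-character classes in the order Nobody, Owner, Group, World, each listing r/m/c/d. The helper below is an added example, not from the NIS+ manual; it uses only POSIX sh, sed and cut, so it runs without NIS+ installed, and the niscat output it parses is constructed inline to match the chapter's listings.

```shell
# Added example (not from the NIS+ manual): parse the 16-character
# "Access Rights" string printed by "niscat -o" into its four classes
# (Nobody, Owner, Group, World; each in r/m/c/d order) and query it.
# Only POSIX sh, sed and cut are used; sample output is constructed.

# nis_class_rights RIGHTS CLASS -> print the 4-character field for CLASS
nis_class_rights() {
    rights=$1
    [ ${#rights} -eq 16 ] || return 2   # reject anything that is not a full field
    case $2 in
        nobody) printf '%s\n' "$rights" | cut -c1-4 ;;
        owner)  printf '%s\n' "$rights" | cut -c5-8 ;;
        group)  printf '%s\n' "$rights" | cut -c9-12 ;;
        world)  printf '%s\n' "$rights" | cut -c13-16 ;;
        *)      return 2 ;;
    esac
}

# nis_has_right RIGHTS CLASS LETTER -> exit 0 if CLASS holds LETTER (r, m, c or d)
nis_has_right() {
    field=$(nis_class_rights "$1" "$2") || return 2
    case $field in
        *"$3"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# nis_rights_summary RIGHTS -> one line naming each class's rights
nis_rights_summary() {
    printf 'nobody=%s owner=%s group=%s world=%s\n' \
        "$(nis_class_rights "$1" nobody)" "$(nis_class_rights "$1" owner)" \
        "$(nis_class_rights "$1" group)"  "$(nis_class_rights "$1" world)"
}

# nis_rights_from_niscat < niscat-output -> the Access Rights string alone
nis_rights_from_niscat() {
    sed -n 's/^Access Rights *: *\([rmcd-]\{16\}\).*/\1/p'
}

# Demonstration on constructed output shaped like the chapter's "niscat -o Wiz.Com."
SAMPLE='Object Name : Wiz
Owner : rootmaster
Access Rights : r---rmcdrmcdr---'
rights=$(printf '%s\n' "$SAMPLE" | nis_rights_from_niscat)
nis_rights_summary "$rights"
nis_has_right "$rights" group c && echo "group may create objects under this directory"
nis_has_right "$rights" nobody r && echo "Nobody (unauthenticated NIS clients) may read it"
```

On a real master, pipe the output of niscat -o into nis_rights_from_niscat instead of the constructed sample; a Group field of r--- before Step 6 and rmcd after it is the expected result.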
7. Add the servers to the domain's admin group.

At this point, the domain's group has no members. Add the master and replica servers, using the nisgrpadm command with the -a option. The first argument is the group name; the rest are the names of the new members. This example adds "salesmaster.Wiz.Com." and "salesreplica.Wiz.Com." to the "admin.Sales.Wiz.Com." group:

salesmaster# nisgrpadm -a admin.Sales.Wiz.Com. \
salesmaster.Wiz.Com. salesreplica.Wiz.Com.
Added "salesmaster.Wiz.Com." to group "admin.Sales.Wiz.Com."
Added "salesreplica.Wiz.Com." to group "admin.Sales.Wiz.Com."

To verify that the servers are indeed members of the group, use the nisgrpadm command with the -l option (see Chapter 10, "Administering NIS+ Groups"):

salesmaster# nisgrpadm -l admin.Sales.Wiz.Com.
Group entry for "admin.Sales.Wiz.Com." group:
Explicit members:
salesmaster.Wiz.Com.
salesreplica.Wiz.Com.
No implicit members
No recursive members
No explicit nonmembers
No implicit nonmembers
No recursive nonmembers
8. Add credentials for other administrators.

Add the credentials of the other administrators who will work in the domain. For administrators who already have DES credentials in another domain, simply add LOCAL credentials. Use the nisaddcred command with both the -p and the -P flags. For example:

salesmaster# nisaddcred -p 33355 -P topadmin.Wiz.Com. local

For administrators who do not yet have credentials, you can proceed in two different ways.

One way is to ask them to add their own credentials. However, they will have to do this as superuser. Here is an example in which an administrator with a UID of 22244 and a principal name of "moe.Sales.Wiz.Com." adds his own credentials to the Sales.Wiz.Com. domain:

salesmaster# nisaddcred -p 22244 -P moe.Sales.Wiz.Com. local
salesmaster# nisaddcred -p unix.22244@Sales.Wiz.Com \
-P moe.Sales.Wiz.Com. des
Adding key pair for unix.22244@Sales.Wiz.Com.
Enter login password: enter-moe's-login-password

The other way is for you to create temporary credentials for the other administrators, using dummy passwords (note that each administrator must have an entry in the NIS+ Passwd table):

salesmaster# nisaddcred -p 22244 -P moe.Sales.Wiz.Com. local
salesmaster# nisaddcred -p unix.22244@Sales.Wiz.Com \
-P moe.Sales.Wiz.Com. des
Adding key pair for unix.22244@Sales.Wiz.Com.
Enter moe's login password: enter-dummy-password
nisaddcred: WARNING: password differs from login passwd.
Retype password: re-enter-dummy-password

Each administrator can later change his or her network password using the chkey command. Chapter 8, "Administering NIS+ Credentials," describes how to do this.
9. Add the administrators to the domain's admin group.

You don't have to wait for the other administrators to change their dummy passwords to perform this step. Use the nisgrpadm command with the -a option. The first argument is the group name; the remaining arguments are the names of the administrators. This example adds the administrator "moe" to the "admin.Sales.Wiz.Com." group:

salesmaster# nisgrpadm -a admin.Sales.Wiz.Com. \
moe.Sales.Wiz.Com.
Added "moe.Sales.Wiz.Com." to group "admin.Sales.Wiz.Com.".

This step completes the task. A summary of the task is provided below.
Summary
This is a summary of the steps required to set up a non-root domain. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. Also, this summary does not show the server's responses to each command.

1. Log on as superuser to the domain master.
   salesmaster% su

2. Name the domain's admin group.
   # NIS_GROUP=admin.Sales.Wiz.Com.
   # export NIS_GROUP

3. Create the domain's directory and designate its servers.
   # nismkdir -m salesmaster -s salesreplica Sales.Wiz.Com.

4. Create org_dir, groups_dir, and tables. For NIS-compatibility, use -Y.
   # /usr/lib/nis/nissetup Sales.Wiz.Com.

5. Create the admin group.
   # nisgrpadm -c admin.Sales.Wiz.Com.

6. Assign full group rights to the domain's directory.
   # nischmod g+rmcd Sales.Wiz.Com.

7. Add servers to the admin group.
   # nisgrpadm -a admin.Sales.Wiz.Com. salesmaster.Wiz.Com. salesreplica.Wiz.Com.

8. Add credentials for other admins.
   # nisaddcred -p 22244 -P moe.Sales.Wiz.Com. local
   # nisaddcred -p unix.22244@Sales.Wiz.Com. -P moe.Sales.Wiz.Com. des

9. Add admins to the domain's admin group.
   # nisgrpadm -a admin.Sales.Wiz.Com. moe.Sales.Wiz.Com.

Figure 4-1 Summary of Steps of How to Set Up a Non-Root Domain