Chapter 2 Name Service Management
Administration Tool can be used in different name service environments. An important part of using Administration Tool is understanding how its security features work in each environment and setting up security policies that protect the system files across your network of systems.
This chapter contains the following topics.
Name Service Environment
Administration Tool can be used to manage information on the local system or across the network through a name service. The sources of information that Administration Tool can manage are:

- Network Information Service (NIS) maps (display only)
- Network Information Service Plus (NIS+) tables
- /etc files

See "Using Administration Tool in a Name Service Environment" later in this chapter for information on using Administration Tool with or without a name service.
Selecting a Name Service Environment
After you start Administration Tool and click on an application icon, the Select Name Service window is displayed. Choose the name service that is appropriate for your environment from this window.
This example is from User Account Manager's Load window.

Note - The NIS and NIS+ environments are not available for Serial Port Manager and Printer Manager.
Using Administration Tool in a Name Service Environment
The following procedures describe how to use Administration Tool in each name service environment.
In the NIS+ Environment
The requirements for viewing and modifying NIS+ table information are:

- Membership in the UNIX(R) group sysadmin, which allows use of the Administration Tool applications.
- Modify permission on the NIS+ tables to be managed. These permissions are usually given to the NIS+ group members. See Name Services Administration Guide for information on adding users to a NIS+ group.

How to Add Authorized Users to the sysadmin Group

1. Log in as root on the NIS+ master server.
2. Type admintool & in a shell or command tool window. The Administration Tool main window is displayed.
3. Click on the Database Manager icon. The Database Manager Load Database window is displayed.
4. Select the NIS+ naming service.
5. Select the Group file.
6. Click on Load. The Group file is displayed.
7. Select Modify Entry from the Edit menu. The Modify Entry window is displayed.
8. Add comma-separated members (user names) to the sysadmin group (group ID 14) entry.
9. Click on Modify.
Without a Name Service
How to Add Authorized Users to the sysadmin Group
This procedure assumes you will be using Administration Tool on the local system only.

1. Become superuser on your system.
2. Edit the /etc/group file. Add an entry for the sysadmin group with a group ID of 14 and a comma-separated list of members (user names):

sysadmin::14:user_name,user_name,user_name

3. Log out and back in to activate the new group membership.
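The following shell script is added here as an example; it is not part of the Administration Tool documentation or of admintool itself. It performs the /etc/group edit from this procedure in a repeatable way: it appends a sysadmin entry with group ID 14 or extends the existing one, deduplicates the member list, and refuses to touch the file when group ID 14 already belongs to a different group or sysadmin already has another GID (admind authorizes on the numeric GID, so such a clash would hand that group's members administrative access). The group-file path is an argument so you can try it on a copy before running it as superuser on /etc/group; the function names and the clash check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not admintool code): maintain the sysadmin (GID 14) entry in a
# file of /etc/group format. The entry layout sysadmin::14:user,user is the one
# the manual gives; the rest of the script is an assumption of this example.

# add_sysadmin_members GROUPFILE user [user ...]
add_sysadmin_members() {
    groupfile=$1; shift
    [ -n "$1" ] || { echo "usage: add_sysadmin_members GROUPFILE user..." >&2; return 2; }

    # Refuse if GID 14 is held by another group, or sysadmin exists with a
    # different GID: admind checks the numeric GID, so a clash silently grants
    # the wrong people administrative rights.
    clash=$(awk -F: '($3 == 14 && $1 != "sysadmin") || ($1 == "sysadmin" && $3 != 14) { print $1 ":" $3 }' "$groupfile")
    if [ -n "$clash" ]; then
        echo "GID 14 / sysadmin conflict with entry '$clash'; not modifying $groupfile" >&2
        return 1
    fi

    tmp=$(mktemp) || return 1
    # New members as a comma list; awk merges them into the existing sysadmin
    # entry (deduplicated, order kept) or appends sysadmin::14:members.
    newlist=$(printf '%s,' "$@" | sed 's/,$//')
    awk -F: -v OFS=: -v new="$newlist" '
        function merge(existing,   n, i, parts, out, seen) {
            seen[""] = 1                      # ignore empty fields
            out = ""
            n = split(existing "," new, parts, ",")
            for (i = 1; i <= n; i++) {
                if (!(parts[i] in seen)) {
                    seen[parts[i]] = 1
                    out = (out == "" ? parts[i] : (out "," parts[i]))
                }
            }
            return out
        }
        $1 == "sysadmin" { $4 = merge($4); found = 1 }
        { print }
        END { if (!found) print "sysadmin", "", "14", merge("") }
    ' "$groupfile" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy contents back rather than mv, so owner and mode of the original stay.
    cat "$tmp" > "$groupfile" && rm -f "$tmp"
}

# sysadmin_members GROUPFILE: print the member list of the sysadmin entry.
sysadmin_members() {
    awk -F: '$1 == "sysadmin" { print $4 }' "$1"
}
```

Run it as `add_sysadmin_members /etc/group alice bob` after testing on a copy; users still have to log out and back in, as the procedure says, before the new membership takes effect.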
Additional Administration Tool Security Information
Administration Tool uses the distributed system administration daemon (admind) to carry out security checks when you perform administrative tasks across the network. The admind daemon executes the request on the server on behalf of the client process and controls who can use Administration Tool.
Administering security involves authentication of the user ID (UID) and authorization of permissions.

- Authentication means that admind must verify the identity of the client making the request before it executes that request.
- Authorization means that admind verifies that the authenticated user has permission to execute Administration Tool on the server. After the client identity is verified, admind uses this identity to perform the authorization checks.

If you have permission to use Administration Tool, you also need create, delete, or modify permission on an NIS+ table before you can change it. See Name Services Administration Guide for a description of NIS+ security.
User and group identities are used for authorization checking as described in the following sections.
Security Levels
Each request to change administration data contains a set of credentials with a user ID (UID) and a set of group IDs (GIDs) to which the user belongs. The server uses these credentials to perform identity and permission checks. Three levels of authentication security are available.
The security levels are described in Table 2-1.

Table 2-1 admind Security Levels

| Level | Level Name | Description |
| --- | --- | --- |
| 0 | NONE | No identity checking is done by the server. All user IDs are set to the nobody identity. This level is used mostly for testing. |
| 1 | SYS | The server accepts the original user and group identities from the client system and uses them as the identities for the authorization checks. There is no check that the user ID of the client represents the same user on the server system; it is assumed the administrator has made the user IDs and group IDs consistent on all systems in the network. Checks are made to see whether the client has permission to execute the request. |
| 2 | DES | Credentials are validated using DES authentication, and checks are made to be sure that the client has permission to execute the request. The user and group identities are obtained from files on the server system by mapping the user's DES network identity to a local user ID and set of group IDs. The file used depends on which name service is selected on the server system. Level 2 requires that a publickey entry exists for all server systems where the admind daemon is running and for all users accessing the tools. This level provides the most secure environment for performing administrative tasks. |

Note - Level 1 is the default security level used by admind.
Changing the Security Level
You can change the security level from level 1 to level 2 by editing the /etc/inetd.conf file on each system and adding the -S 2 option to the admind entry. If you do this, make sure that the servers in the domain are set up to use security level 2.
You do not need to maintain the same level of security on all systems in the network. You can run some systems, such as file servers requiring strict security, at security level 2, while running other systems, such as workstations, at the default level 1 security.
See the description of how to set up security for NIS+ in Name Services Administration Guide.
Name Service Information
The admind daemon uses information held by the name service. The three sources of information are:

- Files in the /etc directory such as passwd, group, and shadow, referred to by the keyword files
- The NIS name service, referred to by the keyword nis
- The NIS+ name service, referred to by the keyword nisplus

On each system, the /etc/nsswitch.conf file lists several administrative files, each followed by one or more keywords that name the sources to be searched for information. If more than one keyword is listed, the sources are searched in the order given. For example, the entry

group: files nisplus

indicates that the security mechanism looks first in the local /etc/group file for an entry. If the entry exists, it uses the information in that entry. If it does not exist, the NIS+ group table is searched.
By default, systems do not have an entry for the sysadmin group in the local /etc/group file. If you want your system to use network-wide information, do not add a sysadmin group to the local system, and remove it if it exists: with the entry above, a local sysadmin group is found first and overrides the network-wide membership.
When running under level 2 security, the security mechanisms use the public/private key information. Make sure that the entry for publickey is followed by either nis or nisplus (depending on which name service you are using), and remove the files designation. See Name Services Administration Guide for more information about the nsswitch.conf file.
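The shell script below is added as an example; it is not part of the manual or of admind. It turns the rules from "Security Levels", "Changing the Security Level" and this section into a check you can run on a server: it reads the admind security level from an inetd.conf-style file (the value after -S, or the documented default of 1 when the option is absent), reads the lookup order for a database from nsswitch.conf, and then reports whether publickey still lists files at level 2 and whether a local sysadmin group would override a network-wide policy. The -S option, the nsswitch keywords and the sysadmin rule are the page's; the layout of the admind line in inetd.conf used in the test data, and the function names, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not admind code): audit the admind security configuration
# described in the manual. File paths are arguments so it can run on copies.

# admind_level INETD_CONF: print the level after -S on the admind line,
# 1 (the default) if the line has no -S, or "none" if no admind line exists.
admind_level() {
    awk '
        /^[ \t]*#/ { next }                         # skip comments
        /\/admind([ \t]|$)/ {
            found = 1
            for (i = 1; i <= NF; i++)
                if ($i == "-S" && i < NF) { print $(i + 1); exit }
            print 1; exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# nsswitch_sources NSSWITCH_CONF database: print the source list, e.g. "files nisplus".
nsswitch_sources() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        $1 == (db ":") {
            sub(/^[^:]*:[ \t]*/, "")                # drop "database:" prefix
            sub(/[ \t]*#.*$/, "")                   # drop trailing comment
            print; exit
        }
    ' "$1"
}

# audit_admind INETD_CONF NSSWITCH_CONF GROUPFILE: print findings, return 1 on FAIL.
audit_admind() {
    inetd=$1; nsswitch=$2; groupfile=$3; rc=0
    level=$(admind_level "$inetd")
    echo "admind security level: $level"
    case "$level" in
        none) echo "FAIL: no admind entry in $inetd"; rc=1 ;;
        0) echo "FAIL: level 0 (NONE) does no identity checking; every caller becomes nobody. Testing only."; rc=1 ;;
        1) echo "WARN: level 1 (SYS) trusts the UID/GID the client presents; safe only if ids are consistent on every host." ;;
        2) pk=$(nsswitch_sources "$nsswitch" publickey)
           case " $pk " in
               *" files "*) echo "FAIL: publickey sources '$pk' include files; at level 2 use nis or nisplus only"; rc=1 ;;
               *" nis "*|*" nisplus "*) echo "OK: publickey sources '$pk'" ;;
               *) echo "FAIL: no nis or nisplus source for publickey"; rc=1 ;;
           esac ;;
        *) echo "FAIL: unknown admind level '$level'"; rc=1 ;;
    esac

    # A local sysadmin entry searched before the name service overrides the
    # network-wide policy; the manual says to remove it when you want that policy.
    grp=$(nsswitch_sources "$nsswitch" group)
    if grep -q '^sysadmin:' "$groupfile" 2>/dev/null; then
        case "$grp" in
            files*) echo "NOTE: local sysadmin group in $groupfile is consulted first (group: $grp) and overrides the network policy" ;;
        esac
    fi
    return $rc
}
```

Typical use on a Solaris server is `audit_admind /etc/inetd.conf /etc/nsswitch.conf /etc/group`; a non-zero exit means at least one FAIL finding.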
Creating a Security Policy for Administration Tool
Consider the following when creating a security policy for using Administration Tool in a name service environment.

- Determine how much trust is needed.
If every host on your network is trusted and you do not need authentication of client identities, you can use the Administration Tool applications with the default level 1 security. Remember that at level 1 the server accepts whatever UID and GIDs the client presents, so any host that can reach admind is trusted to report identities honestly. If you need to enforce a higher level of security, set the security level of admind to level 2. Level 2 security is primarily used with the NIS+ name service.
- Determine which name service will be used.
The name service determines where the security methods get information about user and group identities. The name services are designated in the /etc/nsswitch.conf file (see "Name Service Information" in this chapter).
- Decide which users have access to Administration Tool.
Decide which users will perform administrative functions over the network with Administration Tool. List these users as members of the sysadmin group in the source that the server system consults, as defined in its /etc/nsswitch.conf configuration file.
- Determine global and local policies.
The global policy affects all hosts in the network. For example, you can create a sysadmin group in the NIS or NIS+ group file. Members of this group will have permission to perform administrative tasks on all server systems that list the network name service as the primary source of information. For more information about the nsswitch.conf file, see "Name Service Information" in this chapter. A user can establish a local policy that differs from the global policy by creating a sysadmin group in the local /etc/group file and listing the users who should have access to the local system. The members of this group will have permission to use Administration Tool applications on that local system.
- Set up permissions for NIS+ management.
You need the proper permissions when using Administration Tool to modify or update the NIS+ tables. In addition to the permissions required by Administration Tool, the NIS+ security mechanisms impose their own set of access permissions. The NIS+ security mechanisms are described in Name Services Administration Guide.
- Set up access for NIS management.
In addition to the permissions required by Administration Tool, a user must have a .rhosts entry on the NIS master server to modify the NIS files.
- Set up initial security.
When a system is first installed, no UNIX group with a group ID of 14 exists. It must be created. Until then, you can use Administration Tool by logging in to the server system as root.