Client Setup

This section describes how to set up a typical NIS+ client in either the root domain or in a non-root domain. This procedure applies to regular NIS+ clients and to those clients that will later become NIS+ servers. It applies, as well, to clients in a standard NIS+ domain and those in an NIS-compatible domain.

---

Caution - Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west you don't want to create a sales.west.myco.com subdirectory.

---

Setting up an NIS+ client involves the following tasks:

• Creating credentials for the client
• Preparing the workstation
• Initializing the workstation as an NIS+ client.

However, as with setting up the root domain, setting up a client is not as simple as carrying out these three tasks in order. To make the setup process easier to execute, these tasks have been broken down into individual steps, and the steps have been arranged in the most efficient order:

1. Logging in to the domain's master server

2. Creating DES credentials for the new client workstation

3. Logging in as superuser to the client

4. Assigning the client its new domain name

5. Checking the client's nsswitch.conf file

6. Cleaning out leftover NIS+ material and processes.

7. Initializing the client.

8. Killing and restarting the keyserv daemon.

9. Running keylogin.

10. Rebooting the client.

Security Considerations

Setting up a client has two main security requirements: both the administrator and the client must have the proper credentials and access rights. Otherwise, the only way for a client to obtain credentials in a domain running at security level 2 is for them to be created by an administrator who has valid DES credentials and modify rights to the cred table in the client's home domain. The administrator can either have DES credentials in the client's home domain or in the administrator's home domain.

Once an administrator creates the client's credentials, the client can complete the setup process. However, the client still needs read access to the directory object of its home domain. If you set up the client's home domain according to the instructions in either Chapter 4, "Setting Up the Root Domain," or Chapter 7, "Setting Up a Nonroot Domain," read access was provided to the world class by the NIS+ commands used to create the directory objects (nisinit and nismkdir, respectively).

You can check the directory object's access rights by using the niscat -o command. This command displays the properties of the directory, including its access rights:

rootmaster# niscat -o Wiz.Com. ObjectName : Wiz Owner : rootmaster.Wiz.Com. Group : admin.Wiz.Com. Domain : Com. Access Rights : r---rmcdr---r--- . . .

You can change the directory object's access rights, provided you have modify rights to it yourself, by using the nischmod command, described in the rights chapter of NIS+ and FNS Administration Guide.

Prerequisites

The administrator setting up the client's credentials must have:

• A valid DES credential
• Modify rights to the cred table in the client's home domain

The client must have:

• Read rights to the directory object of its home domain
• The client's home domain must already be set up and running NIS+
• An entry in either the master server's /etc/hosts file or in its domain's hosts table
• A unique machine name that does duplicate any user ID
• A machine name that does not contain any dots. (For example, a machine named sales.alpha is not allowed; a machine named sales-alpha is allowed)

Information You Need

• The name of the client's home domain
• The superuser password of the workstation that will become the client
• The IP address of an NIS+ server in the client's home domain

· How to Set Up an NIS+ Client

1. Log into the domain's master server.

   You can log in as superuser or as yourself, depending on which NIS+ principal has the proper access rights to add credentials to the domain's cred table.

2. Create DES credentials for the new client workstation.

   Use the nisaddcred command with the -p and -P arguments. Here is the syntax:

nisaddcred -p secure-RPC-netname -P principal-name des [domain]

The secure-RPC-netname consists of the prefix unix followed by the client's host name, the symbol @ and the client's domain name, but without a trailing dot. The principal-name consists of the client's host name and domain name, with a trailing dot. If the client belongs to a different domain than the server from which you enter the command, append the client's domain name after the second argument.

This example adds a DES credential for a client workstation named client1 in the Wiz.Com. domain:

rootmaster% nisaddcred -p unix.client1@Wiz.Com -P client1.Wiz.Com. des Adding key pair for unix.client1@Wiz.Com (client1.Wiz.Com.). Enter client1.Wiz.Com.'s root login passwd: Retype password:

For more information about the nisaddcred command, see the credentials chapter of NIS+ and FNS Administration Guide.

3. Log in as superuser to the client.

   Now that the client workstation has credentials, you can log out of the master server and begin working from the client itself. You can do this locally or remotely.

4. Assign the client its new domain name.

   There are three ways to assign a new domain name to a client. Those methods are described in "Changing a Workstation's Domain" on page 96. Use one of those methods to change the client's domain name and then return to Step 5 below.

5. Check the client's nsswitch.conf file.

   Make sure the client is using the NIS+ version of the nsswitch.conf file. This ensures that the primary source of information for the client will be NIS+ tables. Code Example 5-1 shows the correct version of the file.

Code Example 5-1 NIS+ Version of nsswitch.conf File

# /etc/nsswitch.nisplus: # # An example file that could be copied over to /etc/nsswitch.conf; it # uses NIS+ (NIS Version 3) in conduction with files. # # hosts: and services: in this file are used only if the /etc/netconfig # file contains switch.so as a nametoaddr library for inet transports. # the following two lines obviate the + entry in /etc/passwd and /etc/group. passwd: files nisplus group: files nisplus # consult /etc files only if nisplus is down. hosts: nisplus [NOTFOUND=return] files #Uncomment the following line, and comment out the above, to use both DNS and NIS+ #hosts: nisplus dns [NOTFOUND=return] files services: nisplus [NOTFOUND=return] files networks: nisplus [NOTFOUND=return] files protocols: nisplus [NOTFOUND=return] files rpc: nisplus [NOTFOUND=return] files ethers: nisplus [NOTFOUND=return] files netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files publickey: nisplus netgroup: nisplus automount: files nisplus aliases: files nisplus

If the file does not look like the one above, change it to the version recommended for NIS+. (Complete instructions are provided in Chapter 9, "Setting Up the Name Service Switch," and an example is shown in Step 6 below).

6. If you made any changes to the nsswitch.conf file (or copied over a new file), you must now stop and restart nscd as shown below.

client1# cp /etc/nsswitch.nisplus /etc/nsswitch.conf client1# sh /etc/init.d/nscd stop client1# sh /etc/init.d/nscd start

(Although the instructions in Chapter 9, "Setting Up the Name Service Switch," tell you to kill and restart the keyserver at this point, you don't need to do that in this case, since you will do so in Step 9.)

7. Clean out leftover NIS+ material and processes.

   If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis.

client1# ls /var/nis NIS_COLD_START NIS_SHARED_CACHE client1# rm -rf /var/nis/* client1# ps -ef | grep nis_cachemgr root 295 260 10 15:26:58 pts/0 0:00 grep nis_cachemgr root 286 1 57 15:21:55 ? 0:01 /usr/sbin/nis_cachemgr client1# kill -9 286

This step makes sure that files left in /var/nis or directory objects stored by the cache manager are completely erased so that they do not conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to consider temporarily storing them elsewhere, until you finish setting up the root domain.

8. Initialize the client.

   You can initialize a client in three different ways: by host name, by cold-start file, or by broadcast (see "Initializing an NIS+ Client" on page 98). Choose and perform one of those methods. After initializing the client, proceed with Step 9.

9. Kill and restart the keyserv daemon.

   This step stores the client's secret key on the keyserver.

a. Kill the keyserv daemon. This also has the side effect of updating the key server's switch information about the client.

b. Remove the /etc/.rootkey file.

c. Restart the keyserver.

This example shows the complete procedure in Step 9.

client1# ps -e | grep keyserv root 145 1 67 16:34:44 ? keyserv . . . client1# kill 145 client1# rm -f /etc/.rootkey client1# keyserv

10. Run keylogin -r.

    This step stores the client's secret key with the keyserver. It also saves a copy in /etc/.rootkey, so that the superuser on the client does not have to run keylogin to use NIS+. Use keylogin with the -r option. When prompted for a password, type the client's superuser password. It must be the same as the password supplied to create the client's DES credentials:

client1# keylogin -r Password: Wrote secret key into /etc/.rootkey

11. Reboot the client.

Changing a Workstation's Domain

This task changes a workstation's domain name. Since a workstation's domain name is usually set during installation, you should check it (type domainname without an argument) before you decide to perform this task.

Specifying a Domain Name After Installation

A workstation is usually assigned to its domain during installation. On an operating network, the installation script usually obtains the domain name automatically and simply asks the installer to confirm it. During the installation proper, the workstation's domain name is assigned to a variable called domainname, which is stored in the kernel. There, it is made available to any program that needs it.

However, when a workstation is rebooted, the setting of the domainname variable is lost. As a result, unless the domain name is saved somewhere else, the operating system no longer knows which domain the workstation belongs to. To solve this problem, the domain name is stored in a file called /etc/defaultdomain.

When the workstation is rebooted, the kernel automatically obtains the domain name from this file and resets the domainname variable. Thus, if you change a workstation's domain name, you must also edit the /etc/defaultdomain file; if you don't, after the next reboot, the workstation will revert to its previous domain name.

Security Considerations

You must perform this task as superuser on the workstation whose domain name you will change.

Information You Need

• The workstation's superuser password
• The new domain name

· How to Change a Client's Domain Name

1. Log in to the workstation and become superuser.

   The examples in this task use client1 as the workstation and Wiz.Com. as the new domain name.

client1% su Password:

2. Change the workstation's domain name.

   Type the new name with the domainname command. Do not use a trailing dot.

client1# domainname Wiz.Com

If the workstation was an NIS client, it may no longer be able to get NIS service.

3. Verify the result.

   Run the domainname command again, this time without an argument, to display the server's current domain.

client1# domainname Wiz.Com

4. Save the new domain name.

   Redirect the output of the domainname command into the /etc/defaultdomain file.

client1# domainname > /etc/defaultdomain

5. At a convenient time, reboot the workstation.

   Even after entering the new domain name into the /etc/defaultdomain file, some processes may still operate with the old domain name. To ensure that all processes are using the new domain name, reboot the workstation.

   Since you may be performing this task in a sequence of many other tasks, examine the work remaining to be done on the workstation before rebooting. Otherwise, you might find yourself rebooting several times instead of just once.

Initializing an NIS+ Client

There are three different ways to initialize a NIS+ client:

• Broadcast method (see "Broadcast Initialization" on page 99)
• Host-name method (see "Host-Name Initialization" on page 100)

• Cold-start file method (see "Cold-Start File Initialization" on page 101)

Broadcast Initialization

This method initializes an NIS+ client by sending an IP broadcast on the client's subnet.

This is the simplest way to set up a client but is also the least secure. The NIS+ server that responds to the broadcast sends the client all the information that the client needs in its cold-start file, including the server's public key. Presumably, only an NIS+ server will respond to the broadcast. However, the client has no way of knowing whether the workstation that responded to the broadcast is indeed a trusted server. As a result, this method is only recommended for sites with small, secure networks.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

At least one NIS+ server must exist on the same subnet as the client.

Information You Need

You need the superuser password to the client.

· How to Initialize a Client--Broadcast Method

* Initialize the client.

This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -B options.

client1# nisinit -c -B This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.

An NIS+ server on the same subnet will reply to the broadcast and add its location information into the client's cold-start file.

Host-Name Initialization

Initializing a client by host name consists of explicitly identifying the IP address of its trusted server. This server's name, location information, and public keys are then placed in the client's cold-start file.

This method is more secure than the broadcast method because it actually specifies the IP address of the trusted server, rather than relying on a server to identify itself. However, if a router exists between the client and the trusted server, it could intercept messages to the trusted IP address and route them to an untrusted server.

Security Considerations

You must perform this operation as superuser on the client.

Prerequisites

• The NIS+ service must be running in the client's domain.
• The client must have an entry in its /etc/hosts file for the trusted server.

Information You Need

You need the name and IP address of the trusted server.

· How to Initialize a Client--Host-name Method

1. Check the client's /etc/hosts file.

   Make sure the client has an entry for the trusted server.

2. Initialize the client.

   This step initializes the client and creates a NIS_COLD_START file in its /var/nis directory. Use the nisinit command with the -c and -H options. This example uses rootmaster as the trusted server.

Client1# nisinit -c -H rootmaster This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.

The nisinit utility looks for the server's address in the client's /etc/hosts file, so don't append a domain name to the server. If you do, the utility won't be able to find its address.

Cold-Start File Initialization

This task initializes an NIS+ client by using the cold-start file of another NIS+ client, preferably one from the same domain. This is the most secure method of setting up an NIS+ client. It ensures that the client obtains its NIS+ information from a trusted server, something that cannot be guaranteed by the host-name or broadcast method.

Security Considerations

You must perform this task as superuser on the client.

Prerequisites

The servers specified in the cold-start file must already be set up and running NIS+.

Information You Need

You need the name and location of the cold-start file you will copy.

· How to Initialize a Client--Cold-Start Method

1. Copy the other client's cold-start file.

   Copy the other client's cold-start file into a directory in the new client. This may be easier to do while logged on as yourself rather than as superuser on the client. Be sure to switch back to superuser before initializing the client.

   Don't copy the NIS_COLD_START file into /var/nis, because that file gets overwritten during initialization. This example copies the cold-start file of previously initialized client1 into the /tmp directory of uninitialized client2.

client2# exit client2% rcp client1:/var/nis/NIS_COLD_START /tmp client2% su

2. Initialize the client from the cold-start file.

   Use the nisinit command with the -c and -C options.

client2# nisinit -c -C /tmp/NIS_COLD_START This machine is in the Wiz.Com. NIS+ domain. Setting up NIS+ client ... All done.

NIS+ Client Setup Summary

Table 5-1 shows a summary of the steps required to set up a client. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. For the sake of brevity, this summary does not show the responses to each command.

Table 5-1

Tasks	Commands
Log in to domain's master. Create DES credentials for client.	rootmaster% rootmaster% nisaddcred -p unix.client1.Wiz.Com -P client1.Wiz.Com. des
Log in, as superuser, to the client.	client1% su Password:
Assign the client a domain name. Check the switch configuration file.	client1# domainname Wiz.Com client1# domainname > /etc/defaultdomain client1# more /etc/nsswitch.conf
Clean out /var/nis. Initialize the client.	client1# rm -rf /var/nis/* client1# nisinit -c -H rootmaster
Kill and restart the keyserver.	client1# ps -ef | grep keyserv client1# kill -9 process-id client1# keyserv
Run keylogin on the client.	client1# keylogin -r
Reboot the client.	Password: client1# init 6