NIS+ Credential Setup

To gain authorisation to change NIS+ databases you need to create your security credentials for the NIS+ principals. These credentials are stored in the cred.org_dir table in the default NIS+ domain.

Root master

Setting Up Credentials for the Root Master Server

  1. Log in as root on the root master server and create the credential for the root master at the highest security level.
    # nisaddcred des
  2. Create the group nisadmin and add the master host to the group
    # nisgrpadm -c nisadmin.<nisplus-domain>.
    # nisgrpadm -a nisadmin.<nisplus-domain>. <master_host_name>.<nisplus-domain>.
  3. Update the NIS+ keys
    # nisupdkeys <nisplus-domain>.
    # nisupdkeys org_dir.<nisplus-domain>.
    # nisupdkeys groups_dir.<nisplus-domain>.
  4. Kill and restart rpc.nisd with the new security level enforced
    # ps -ef | grep rpc.nisd
    # kill rpc.nisd_pid_number
    # rpc.nisd -r
  5. Set the permissions and group ownerships for the directories
    # nischmod g=rmcd <nisplus-domain>. org_dir.<nisplus-domain>. groups_dir.<nisplus-domain>.
    # nischgrp nisadmin.<nisplus-domain>. <nisplus-domain>.
  6. Set the environment variable NIS_GROUP. To make this permanent, add the variable to /.profile and /.login, e.g. (csh syntax)
    # setenv NIS_GROUP nisadmin.<nisplus-domain>.

Clients

Setting Up Credentials for Client Hosts

  1. Log in as root on the root master server and define the client host as a principal. You'll be prompted for the root password of the client host. You can also add the client host to the group nisadmin.<nisplus-domain>.
    # nisaddcred -p unix.host_name@<nisplus-domain> -P host_name.<nisplus-domain>. des
  2. To allow the root user on the client host to update the maps, add that host to the NIS+ group, nisadmin.<nisplus-domain>.
    # nisgrpadm -a nisadmin.<nisplus-domain>. host_name.<nisplus-domain>.
  3. Log in as root on the client host and enter the password for root of that host.
    # keylogin -r
    Password:
  4. If the root user on the client host is to update the maps, then on the client host set the environment variable NIS_GROUP. To make this permanent, add the variable to /.profile and /.login, e.g. (csh syntax)
    # setenv NIS_GROUP nisadmin.<nisplus-domain>.

Users

Setting Up Credentials for Users

  1. Log in as root on the root master server and create the user account. This can be done with admintool. Add a password for the user account using the nispasswd command and add the credentials using nisaddcred.
    # admintool
    # nispasswd login_name
    Password:
    # nisaddcred -p uid# local
    # nisaddcred -p unix.uid#@<nisplus-domain> -P login_name.<nisplus-domain>. des
    Password:
  2. To allow the user to change the NIS+ maps, the user must be added to the NIS+ group, nisadmin.<nisplus-domain>.
    # nisgrpadm -a nisadmin.<nisplus-domain>. login_name.<nisplus-domain>.
  3. If the user is to update the maps using admintool, you must create the group sysadmin with gid=14 and then add this user as a member of the sysadmin group.
  4. Set the user's environment variable NIS_GROUP. To make this permanent, add the variable to ~/.profile and ~/.login, e.g. (csh syntax)
    # setenv NIS_GROUP nisadmin.<nisplus-domain>.
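
A check to run after the three procedures above, as an added example that is not part of the original page: it reads `niscat cred.org_dir` output and flags principals with no DES credential, users with no LOCAL credential, and users whose LOCAL UID differs from the UID in their DES netname. The colon-separated row layout (principal:auth_type:auth_name:public_data:private_data), the function names and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the NIS+ cred table for incomplete credentials.
# Assumed row layout of `niscat cred.org_dir`:
#   principal:auth_type:auth_name:public_data:private_data

# Reads cred table rows on stdin, prints one finding per line (sorted).
audit_cred() {
    awk -F: '
    $2 == "LOCAL" { local_uid[$1] = $3; seen[$1] = 1 }
    $2 == "DES" {
        seen[$1] = 1
        id = $3                       # e.g. unix.1001@example.com
        sub(/^unix\./, "", id)        # strip the "unix." prefix
        sub(/@.*$/, "", id)           # strip the "@domain" suffix
        des_id[$1] = id               # UID for users, host name for hosts
    }
    END {
        for (p in seen) {
            # Without a DES credential the principal cannot authenticate
            # once rpc.nisd enforces the higher security level.
            if (!(p in des_id)) { print "NO_DES " p; continue }
            is_user = (des_id[p] ~ /^[0-9]+$/)
            # Users need both credentials (local and des in the Users steps).
            if (is_user && !(p in local_uid)) print "NO_LOCAL " p
            else if ((p in local_uid) && des_id[p] != local_uid[p])
                print "UID_MISMATCH " p
        }
    }' | LC_ALL=C sort
}

# Constructed sample rows (hypothetical domain, principals and key data).
sample_cred_table() {
    cat <<'EOF'
master1.example.com.:DES:unix.master1@example.com:a1b2c3:d4e5f6
alice.example.com.:LOCAL:1001:10:
alice.example.com.:DES:unix.1001@example.com:0a0b0c:0d0e0f
bob.example.com.:LOCAL:1002:10:
carol.example.com.:DES:unix.1003@example.com:111111:222222
dave.example.com.:LOCAL:1004:10:
dave.example.com.:DES:unix.1044@example.com:333333:444444
EOF
}

# Demo on the constructed rows; on a real server: niscat cred.org_dir | audit_cred
sample_cred_table | audit_cred
```

An empty result means every principal in the table has the credentials these procedures are meant to create.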