If you decide to use the NIS+ naming service for your Solaris 2.x network, you'll find that you spend twice as much time adding user credentials to your system as you do setting up hardware. Even with small networks, you can have 20 to 30 users who'll need to have their NIS+ credentials configured. In addition, if you have more than one administrator, you must add those users to the root domain's admin group.
There are two methods for adding user credentials to an NIS+ server.
The first method involves using NIS+ commands. The second method,
which we won't demonstrate here, uses OpenWindows and Admintool
to create user credentials with an easy-to-use interface. In this
article, we'll show you how to use NIS+ commands to add user credentials
to your NIS+ root domain server.
When adding users with credentials to an NIS+ root domain, you'll need to log in to your system as the superuser. Before adding a new user's credentials, make sure the root domain server's /etc/passwd file has an entry for that user.
You'll also need to know the user's UID number to set up LOCAL
or DES credentials for a user. If you've configured NIS+ with
more than one domainname, you should be aware of which domain
contains a user account. You should gather all of this information
before you begin adding users and their credentials to your NIS+
root domain server. Now let's look at how you add LOCAL credentials
to your NIS+ root domain.
To configure a client user with LOCAL credentials, you'll use the nisaddcred command.
For a user with an entry in the NIS+ root domain server's /etc/passwd
file, get the UID number for the user and log on to the root domain
server as the superuser. At the command prompt, enter the command
# nisaddcred -p UID -P principal-name local
to add LOCAL credentials for a client user account.
The principal-name consists of the client user's login
name and the domain name. For example, the user john on the domain
cobb.com. would have the principal-name john.cobb.com. in the above
nisaddcred command line. For each
additional client user who needs LOCAL credentials on your root
domain, make sure you have the UID for the new principal's LOCAL
credentials.
In the same way that you added LOCAL credentials to your root domain server, you'll use the nisaddcred command for adding DES credentials. However, because you can assign DES credentials to both client users and client workstations, the information on the nisaddcred command line is different.
Instead of supplying the client's UID number to establish DES credentials, you'll supply the client's secure RPC (Remote Procedure Call) netname. The secure RPC netname consists of the client's UID number and the client's domain, separated by the @ symbol.
Add the prefix unix. to complete the secure RPC netname
for a client. For example, a client with a UID of 12345 and a
domain of cobb.com would have the secure RPC netname
unix.12345@cobb.com
Notice that the secure RPC netname doesn't use the trailing period like other NIS+ addresses do.
As with LOCAL credentials, the nisaddcred command also
uses the principal's name. The nisaddcred command to add
DES credentials for the client with the secure RPC netname of
unix.12345@cobb.com and a principal name of john.cobb.com.
would look like this:
# nisaddcred -p unix.12345@cobb.com -P john.cobb.com. des
Notice that the principal name uses the trailing period like other
NIS+ names do. When you enter the command to add DES credentials,
you'll be prompted to enter the principal's login password. Even
if you've already made sure that the principal's login password
is contained in the root domain server's /etc/passwd file,
you may see the error
nisaddcred: WARNING: password differs from login password
Retype password:
when you enter the principal's login password the first time.
If so, re-enter the principal's login password. This message wouldn't
appear if the principal had no entry in the root domain server's
/etc/passwd file.
When using NIS+, you'll find that you may want to have more than just one user in your admin group to work in the root domain. When this happens, you'll need to add both LOCAL and DES credentials for the client user and then add the new administrator to the root domain's admin group.
To demonstrate this procedure, we'll add credentials for the principal
john.cobb.com. to the root domain server's admin group, admin.cobb.com..
The principal's UID is 66623. To add this client to the root domain
with LOCAL and DES credentials, enter the following commands from
the root domain server's console while logged in as the superuser:
# nisaddcred -p 66623 -P john.cobb.com. local
# nisaddcred -p unix.66623@cobb.com -P john.cobb.com. des
When you add the DES credentials, enter the user's login password when prompted. With the LOCAL and DES credentials added, the only thing left to do is to add the new NIS+ administrator to the root domain's admin group. You'll do this by using the nisgrpadm command.
The nisgrpadm command lets you administer NIS+ groups. To add the administrator john.cobb.com. to the root domain's admin group admin.cobb.com., use the nisgrpadm command with the -a option. The command
# nisgrpadm -a admin.cobb.com. john.cobb.com.
will add john.cobb.com. to the admin group of the root domain cobb.com.. When the command is executed, your system should respond with the confirmation
Added "john.cobb.com." to group "admin.cobb.com."
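The script below is an added example, not part of the original article. It builds the LOCAL, DES and admin-group command lines described above for a batch of users from passwd-format input, applying the trailing-period rules for principal names and secure RPC netnames. The function names and the sample entries are constructed for illustration, and the admin group is assumed to be named admin.<domain>. as in the article.

```shell
#!/bin/sh
# Added example (not from the article): prints the commands, runs nothing.
# Assumes the admin group is named admin.<domain>. as in the article.

# Strip a trailing period so "cobb.com." and "cobb.com" are treated alike.
bare_domain() { printf '%s\n' "${1%.}"; }

# NIS+ principal name: login.domain. (trailing period required)
principal_name() { printf '%s.%s.\n' "$1" "$(bare_domain "$2")"; }

# Secure RPC netname: unix.UID@domain (no trailing period); UID must be numeric.
rpc_netname() {
    case "$1" in
        ''|*[!0-9]*) echo "invalid UID: $1" >&2; return 1 ;;
    esac
    printf 'unix.%s@%s\n' "$1" "$(bare_domain "$2")"
}

# Commands for one user; a 4th argument of "admin" also adds the group entry.
cred_commands() {
    login=$1; uid=$2; domain=$3; role=${4:-user}
    # Reject logins with unexpected characters before they reach a command line.
    case "$login" in ''|*[!A-Za-z0-9_-]*) echo "invalid login: $login" >&2; return 1 ;; esac
    netname=$(rpc_netname "$uid" "$domain") || return 1
    principal=$(principal_name "$login" "$domain")
    echo "nisaddcred -p $uid -P $principal local"
    echo "nisaddcred -p $netname -P $principal des"
    if [ "$role" = admin ]; then
        echo "nisgrpadm -a admin.$(bare_domain "$domain"). $principal"
    fi
}

# Read passwd-format lines on stdin; emit commands for each entry.
commands_from_passwd() {
    pw_domain=$1
    while IFS=: read -r pw_login _pw pw_uid _rest; do
        case "$pw_login" in ''|\#*) continue ;; esac
        cred_commands "$pw_login" "$pw_uid" "$pw_domain" ||
            echo "# skipped $pw_login: invalid login or UID"
    done
}

# Constructed sample entries in /etc/passwd format (not real accounts).
SAMPLE='john:x:66623:10::/home/john:/bin/sh
mary:x:12345:10::/home/mary:/bin/sh'

printf '%s\n' "$SAMPLE" | commands_from_passwd cobb.com.
```

Because nisaddcred prompts for the principal's login password when adding DES credentials, review the printed lines and enter them interactively as the superuser on the root domain server.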
For many Solaris 2.x administrators, the NIS+ naming service provides the necessary tools for organizing an enterprise network. NIS+ also gives your Solaris systems excellent security through authentication and authorization of NIS+ clients. In order for any user on an NIS+ system to have access to network devices, he or she must have the appropriate NIS+ credentials.
In this article, we've shown you how to add client credentials to your NIS+ root domain. We discussed the differences between LOCAL and DES credentials and demonstrated how to add users with both. We also showed you how to add NIS+ administrators to your root domain with the appropriate credentials.
[Return to Index for Inside Solaris - January Issue]
Copyright (c) 1996 The Cobb Group, a division of Ziff-Davis Publishing Company. All rights reserved.
Reproduction in whole or in part in any form or medium without express written permission of Ziff-Davis
Publishing Company is prohibited. The Cobb Group and The Cobb Group logo are trademarks of
Ziff-Davis Publishing Company.