Sun Microsystems, Inc.
Chapter 9

Administering NIS (Tasks)

This chapter describes how to administer NIS. It covers password files and namespace security, and administering NIS users.

Password Files and Namespace Security

For security reasons, follow these guidelines.

  • It is best to limit access to the NIS maps on the master server.

  • To protect against unauthorized access, the files used to build the NIS password maps should not contain an entry for root. To accomplish this, remove the root entry from the password files used to build the password maps, and keep those files in a directory other than the master server's /etc directory. This directory should be secured against unauthorized access.

For example, the master server password input files could be stored in a directory such as /var/yp, or any directory of your choice, as long as the file itself is not a link to another file and is specified in the Makefile. The /usr/lib/netsvc/yp/ypstart script automatically sets the correct directory option according to the configuration specified in your Makefile.


Note - In addition to the older Solaris 1 version passwd file format, this implementation of NIS accepts the Solaris 2 passwd and shadow file formats as input for building the NIS password maps.
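The guidelines above can be turned into a routine check. The following script is an added example, not part of the Sun manual: it audits the directory that holds the NIS password map source files. It assumes (the page does not state this) that the directory is passed as the first argument and that the source files inside it are named passwd and shadow, as they are under /etc.

```shell
#!/bin/sh
# Added example (not from the Sun manual): audit the directory that holds the
# NIS password map source files against the guidelines in this section.
# Assumptions not stated on the page: the directory is passed as $1 and the
# source files inside it are named passwd and shadow, as under /etc.

# Prints one finding per line and returns 0 only when nothing was found.
audit_nis_passwd_source() {
    dir=$1
    rc=0

    # The map source must not be the master server's /etc directory.
    case "$dir" in
        /etc|/etc/*) echo "$dir: map source lives under /etc"; rc=1 ;;
    esac

    for f in passwd shadow; do
        path="$dir/$f"
        # The file itself must not be a link to another file (e.g. /etc/passwd).
        if [ -L "$path" ]; then
            echo "$path: is a symbolic link"
            rc=1
        fi
        if [ ! -e "$path" ]; then
            echo "$path: missing"
            rc=1
            continue
        fi
        # The root entry must have been removed from the map source.
        if grep -q '^root:' "$path"; then
            echo "$path: still contains a root entry"
            rc=1
        fi
    done

    # The shadow source holds password hashes; it must not be readable by
    # others.  Character 8 of the ls -ld mode string is the other-read bit.
    if [ -f "$dir/shadow" ]; then
        case "$(ls -ld "$dir/shadow")" in
            ???????r*) echo "$dir/shadow: readable by others"; rc=1 ;;
        esac
    fi
    return $rc
}

# Stand-alone use: audit_nis_passwd_source /var/yp (the directory named as
# PWDIR in the Makefile).
if [ -n "${1:-}" ]; then
    audit_nis_passwd_source "$1"
fi
```

Run it against the directory named in the Makefile; a nonzero exit status means at least one guideline is not met, and each finding names the file and the problem.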


Administering NIS Users

This section includes information about setting user passwords, adding new users to an NIS domain, and assigning users to netgroups.

Adding a New User to an NIS Domain

How to Add an NIS User

  1. Become superuser on the master NIS server.

  2. Create the new user's login ID with the useradd command.

    # useradd userID

    userID is the login ID of the new user. This command creates entries in the /etc/passwd and /etc/shadow files on the master NIS server.

  3. Create the new user's initial password.

    To create an initial password that the new user can use to log in, run the passwd command.

    # passwd userID

    Where userID is the login ID of the new user. You will be prompted for the password to assign to this user.

    This step is necessary because the password entry created by the useradd command is locked, which means that the new user cannot log in. By specifying an initial password, you unlock the entry.

  4. If necessary, copy the new entry into the server's passwd map input files.

    The map source files on your master server should be in a directory other than /etc. Copy and paste the new lines from the /etc/passwd and /etc/shadow files into the passwd map input files on the server. See "Password Files and Namespace Security" for additional information.

    For example, if you added the new user brown, the line from /etc/passwd that you would copy to your passwd input file would look like the following.

    brown:x:123:10:User brown:/home/brown:/bin/csh

    The line for brown that you would copy from /etc/shadow would look like:

    brown:W12345GkHic:6445::::::

  5. Make sure that the Makefile correctly specifies the directory where the password input file resides.

  6. If appropriate, delete the new user's entries from /etc/passwd and /etc/shadow input files.

    For security reasons, do not keep user entries in the NIS master server /etc/passwd and /etc/shadow files. After copying the entries for the new user to the NIS map source files that are stored in some other directory, use the userdel command on the master server to delete the new user.

    For example, to delete the new user brown from the master server's /etc files, you would enter the following.

    # userdel brown

    For more information about userdel, see the userdel man page.

  7. Update the NIS passwd maps.

    After you have updated the passwd input file on the master server, update the passwd maps by running make in the directory containing the source file.

    # userdel brown
    # cd /var/yp
    # /usr/ccs/bin/make passwd

  8. Tell the new user the initial password you have assigned to his or her login ID.

    After logging in, the new user can run passwd at any time to establish a different password.
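Steps 4, 6 and 7 of this procedure are easy to get wrong by hand (copying the wrong line, pasting it twice, or pasting into a file that is still under /etc). The script below is an added example, not the manual's own code: it carries out those steps for one user. It assumes (not stated on the page) that the /etc directory and the map source directory are passed as arguments, so the functions can be exercised on copies, and that both directories contain files named passwd and shadow.

```shell
#!/bin/sh
# Added example, not the manual's own code: carry out steps 4, 6 and 7 of the
# procedure above, moving a newly created user's passwd and shadow lines from
# the master server's /etc files into the NIS map source files.
# Assumptions not stated on the page: the /etc directory and the map source
# directory are passed as arguments so the functions can be exercised on
# copies; both directories contain files named passwd and shadow.

# Print the single line for user $1 in file $2 (field 1 is the login name).
# Fails if the user is absent or appears more than once.
user_entry() {
    n=$(awk -F: -v u="$1" '$1 == u { n++ } END { print n + 0 }' "$2")
    if [ "$n" -ne 1 ]; then
        echo "$2: expected one entry for $1, found $n" >&2
        return 1
    fi
    awk -F: -v u="$1" '$1 == u' "$2"
}

# Append the user's entry from $2 to $3, refusing to write into /etc and
# refusing to create a duplicate entry in the map source.
copy_user_entry() {
    user=$1 src=$2 dst=$3
    case "$dst" in
        /etc/*) echo "$dst: map source must not be under /etc" >&2; return 1 ;;
    esac
    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$dst"; then
        echo "$dst: $user already present" >&2
        return 1
    fi
    entry=$(user_entry "$user" "$src") || return 1
    printf '%s\n' "$entry" >> "$dst"
}

# Step 4 for both files.  etcdir is normally /etc; pwdir is the PWDIR of the
# Makefile (for example /var/yp).  Both source lines are checked before
# anything is written, so a failure leaves the map source files untouched.
stage_nis_user() {
    user=$1 etcdir=$2 pwdir=$3
    user_entry "$user" "$etcdir/passwd" >/dev/null &&
    user_entry "$user" "$etcdir/shadow" >/dev/null || return 1
    copy_user_entry "$user" "$etcdir/passwd" "$pwdir/passwd" &&
    copy_user_entry "$user" "$etcdir/shadow" "$pwdir/shadow"
}

# Steps 6 and 7, run only after the entries are safely in the map source.
finish_nis_user() {
    user=$1 pwdir=$2
    userdel "$user" &&
    ( cd "$pwdir" && /usr/ccs/bin/make passwd )
}

# Stand-alone use on the master server: this_script brown /etc /var/yp
if [ $# -eq 3 ]; then
    stage_nis_user "$1" "$2" "$3" && finish_nis_user "$1" "$3"
fi
```

The root entry is never touched, because only the named user's line is copied; the destination check mirrors the warning in "Password Files and Namespace Security" that the map source must not be the master's /etc directory.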

Setting User Passwords

Users run passwd to change their passwords.

% passwd username

Before users can change their passwords, you must start the rpc.yppasswdd daemon on the master server to update the password file. The commands for starting the daemon are already present in the /usr/lib/netsvc/yp/ypstart file.

The rpc.yppasswdd daemon is started automatically by ypstart on the master server. Notice that when the -m option is given to rpc.yppasswdd, a make is forced in /var/yp immediately following a modification of the file. If you want to avoid having this make take place each time the passwd file is changed, remove the -m option from the rpc.yppasswdd command in the ypstart script and control the pushing of the passwd maps through the crontab file.


Note - No arguments should follow the rpc.yppasswdd -m command. Although you can edit the ypstart script file to achieve a different action, it is not recommended that you modify this file other than optionally removing the -m option. All commands and daemons invoked by this file are invoked with the proper set of command line parameters. If you choose to edit this file, be especially careful when editing the rpc.yppasswdd command. If you add an explicit call to the passwd.adjunct file, the exact $PWDIR/security/passwd.adjunct path must be used; otherwise, incorrect processing results.
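Whether rpc.yppasswdd is started with -m decides whether map pushes happen on every password change or on the schedule you set in crontab, and the two should not both be in effect. The script below is an added example, not from the Sun manual: it reports which mode the ypstart script is in and provides the cron-driven rebuild the text describes as the alternative. It assumes (not stated on the page) that the path of the ypstart script is passed as the first argument; the real script's contents are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the Sun manual: report whether the ypstart script
# still starts rpc.yppasswdd with -m (an immediate make after every password
# change), and provide the cron-driven alternative the text describes.
# Assumption not stated on the page: the path of the ypstart script is $1;
# the real script's contents are not reproduced here.

# Returns 0 when a non-comment line that invokes rpc.yppasswdd carries -m.
yppasswdd_forces_make() {
    awk '
        /^[ \t]*#/ { next }                   # skip comment lines
        /rpc\.yppasswdd/ {
            for (i = 1; i <= NF; i++) if ($i == "-m") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# What a crontab entry runs instead of the automatic make once -m is
# removed, for example:  0 * * * * /path/to/this/script push
push_passwd_maps() {
    cd "${1:-/var/yp}" && /usr/ccs/bin/make passwd
}

if [ "${1:-}" = push ]; then
    push_passwd_maps
elif [ -n "${1:-}" ]; then
    if yppasswdd_forces_make "$1"; then
        echo "rpc.yppasswdd is started with -m: maps are rebuilt on every change"
    else
        echo "rpc.yppasswdd has no -m: schedule make passwd from crontab"
    fi
fi
```

Only non-comment lines are inspected, so a commented-out copy of the original rpc.yppasswdd line does not produce a false report.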


 
 
 