[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide

Setting Up the Root Domain

This section provides step-by-step instructions for setting up the root domain with DES authentication using the NIS+ command set.

Note: Perform this task with the NIS+ installation scripts as described in Using NIS+ Setup Scripts rather than with the NIS+ command set described in this section. The methods described in this section should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.

See Configuration Worksheets, for worksheets that you can use to plan your NIS+ namespace.

This task describes how to set up the root domain with the root master server running at security level 2 (the normal level).

Setting up the root domain involves three major tasks:

In setting up the root domain, you must specify certain security parameters before you create the root directory. Other security parameters are set after the root directory is created. To make the root domain easier to set up, this section separates these tasks into individual steps.

Standard versus NIS-Compatible Setup Procedures

The steps in this section apply to both a standard NIS+ root domain and an NIS-compatible root domain. There are, however, some important differences. The NIS+ daemon for an NIS-compatible domain must be started with the -Y option, which allows the root master server to answer requests from NIS clients.

An NIS-compatible domain also requires read rights to the passwd table for the nobody class, which allows NIS clients to access the information stored in the table's passwd column. This is accomplished with the -Y option to the nissetup command. The standard NIS+ domain version uses the same command but without the -Y option.

Establishing the Root Domain

The procedure describes each step in detail and provides related information. For those who do not need detailed instructions, a summary listing of the necessary commands is provided on Root Domain Setup Summary.

Security Considerations

NIS+ provides preset security defaults for the root domain. The default security level is level 2.



Before proceeding, make sure that

To complete the following procedure, you need to know


Set up a root domain using the Web-based System Manager, the System Management Interface Tool (SMIT) smit nisplus fast path, or the following procedure:

Note: The examples in these steps use rootmaster as the root master server name and wiz.com. as the root domain name.
  1. Log in as root user on the machine to be the root master server.
  2. Use the domainname command to make sure the root master server is using the correct domain name. The domainname command returns a workstation's current domain name.

    Attention: Domains and hosts should not have the same name. For example, if you have a sales domain you should not have a machine named sales. Similarly, if you have a machine named home, you do not want to create a domain named home. This caution applies to subdomains; for example, if you have a machine named west, you do not want to create a sales.west.myco.com subdirectory.

    If the domain name is not correct, change it. The following example changes the domain name of the root master server from strange.domain to wiz.com. When you change or establish a domain name, make sure that the it has at least two labels; for example, wiz.com instead of wiz. For more detailed instructions, see Specifying a Domain Name After Installation.

    rootmaster# domainname 
    rootmaster# domainname wiz.com
    rootmaster# chypdom -I wiz.com.

    Note: Do not include a trailing dot for the domain name command argument. The domainname command is not an NIS+ command and does not follow the NIS+ convention of appending a dot to domain names.
  3. Check the root master server's /etc/irs.conf file.
  4. kill then restart keyserv as shown below.

    rootmaster# stopsrc -s keyserv
    rootmaster# startsrc -s keyserv
  5. If the workstation you are working on was previously used as an NIS+ server or client, remove any files that might exist in /var/nis and kill the cache manager, if it is still running. In this example, a cold-start file and a directory cache file still exist in /var/nis:

    rootmaster# stopsrc -g nisplus
    rootmaster# rm -rf /var/nis/*

    If running in NIS-compatibility mode, also enter the following command:

    rootmaster# rm -rf /var/yp/ypdomain

    Files left in /var/nis or directory objects stored by the cache manager are now completely erased so they cannot conflict with the new information generated during this setup process. If you have stored any admin scripts in /var/nis, you may want to temporarily store them elsewhere, until you finish setting up the root domain.

  6. If the workstation you are working on was previously used as an NIS+ server, check to see if rpc.nisd or rpc.nispasswdd is running. If either daemon is running, kill it.
  7. Name the root domain's admin group.

    Although you do not actually create the admin group until later in this procedure, you must identify it now. Identifying it now ensures that the root domain's org_dir directory object, groups_dir directory object, and all its table objects are assigned the proper default group when they are created. To name the admin group, set the value of the environment variable NIS_GROUP to the name of the root domain's admin group.

    rootmaster# NIS_GROUP=admin.wiz.com.
    rootmaster# export NIS_GROUP
  8. Create the root directory and convert the workstation into the root master server. Use the nisinit -r command, as shown below. (This is the only instance in which you create a domain's directory object and initialize its master server in one step. The nisinit -r command performs an automatic nismkdir for the root directory. Otherwise, these processes are performed as separate tasks.)

    rootmaster# nisinit -r 

    A directory with the name /var/nis/data is created, containing a file named root.object.

    rootmaster# ls -l /var/nis/data 
    -rw-rw-rw- 1 root other 384 date  root.object

    The root.object file is not the root directory object; it is a file that NIS+ uses to describe the root of the namespace for internal purposes. The NIS+ root directory object is created later in this procedure. Other files are then added beneath the directory.

    Attention: Do not rename the /var/nis or /var/nis/data directories or any of the files in these directories that were created by nisinit or any of the other NIS+ setup procedures.
  9. Use mk_nisd with the -I, -B, or -N option.

    • See mk_nisd to determine whether you should use the -I, -B, or -N option before continuing with this procedure.
    • Use the -y option if you are setting up the root domain in NIS-compatibility mode.

    For NIS compatibility with DNS forwarding, use:

    rootmaster# mk_nisd -y -b [-I|-B|-N]

    For NIS compatibility without DNS forwarding, use:

    rootmaster# mk_nisd -y [-I|-B|-N]

    To start the NIS+ daemon without NIS compatibility or DNS forwarding, use:

    rootmaster# mk_nisd [-I|-B|-N]
  10. At this point in the procedure, check that your namespace has the following:
  11. Use the nissetup utility to add the org_dir directory, the groups_dir directory, and the NIS+ tables beneath the root directory object. For an NIS-compatible domain, include the -Y flag.

    Standard NIS+ only:

    rootmaster# /usr/lib/nis/nissetup

    NIS-compatible only:

    rootmaster# /usr/lib/nis/nissetup -Y

    Each object added by the utility is listed in the output:

    rootmaster# /usr/lib/nis/nissetup
    org_dir.wiz.com. created
    groups_dir.wiz.com. created
    auto_master.org_dir.wiz.com. created
    auto_home.org_dir.wiz.com. created
    bootparams.org_dir.wiz.com. created
    cred.org_dir.wiz.com. created
    ethers.org_dir.wiz.com. created
    group.org_dir.wiz.com. created
    hosts.org_dir.wiz.com. created
    mail_aliases.org_dir.wiz.com. created
    sendmailvars.org_dir.wiz.com. created
    client_info.org_dir.wiz.com. created
    netmasks.org_dir.wiz.com. created
    netgroup.org_dir.wiz.com. created
    networks.org_dir.wiz.com. created
    passwd.org_dir.wiz.com. created
    protocols.org_dir.wiz.com. created
    rpc.org_dir.wiz.com. created
    services.org_dir.wiz.com. created
    timezone.org_dir.wiz.com. created

    The -Y option creates the same tables and subdirectories as for a standard NIS+ domain, but assigns the nobody class read rights to the passwd table so requests from NIS clients (which are unauthenticated) can access the encrypted password in that column.

    Use nisls to verify the root directory now has two subdirectories, as follows:

    rootmaster# nisls wiz.com.

    You can use the niscat -o command to examine the object properties of the subdirectories and tables.

  12. Use the nisaddcred command to create DES credentials for the root master server so the master server's own requests can be authenticated. When prompted, enter the server's root password.

    rootmaster# nisaddcred des 
    DES principal name: unix.rootmaster@wiz.com
    Adding key pair for unix.rootmaster@wiz.com 
    Enter login password:
    Wrote secret key into /etc/.rootkey 

    If you enter a password that is different from the server's root password, a warning message displays and you are prompted to repeat the password:

    Enter login password: 
    nisaddcred: WARNING: password differs from login password.
    Retype password:

    If you retype the same password, NIS+ still creates the credential. The new password is stored in /etc/.rootkey and used by the keyserver when it starts. To immediately use the new password, run keylogin -r, as described in Administering NIS+ Credentials.

    If you prefer to use your login password, press Control-c and start the sequence over. If you were to simply retype your login password as encouraged by the server, you would get the following error message, which is designed for another purpose and could be confusing.

    nisaddcred: WARNING: password differs from login password.
    Retype password: 
    nisaddcred: password incorrect.
    nisaddcred: unable to create credential.

    As a result of this step, the root server's private and public keys are stored in the root domain's cred table (cred.org_dir.wiz.com.) and its secret key is stored in /etc/.rootkey. You can verify the existence of its credentials in the cred table by using the niscat command. Since the default domain name is wiz.com., you do not have to enter the cred table's fully qualified name; the org_dir suffix is sufficient. You can locate the root master's credential by using the niscat command to look for its secure RPC netname. In the following example, rootmaster is the machine name of the root master server.

    niscat cred.org_dir.wiz.com rootmaster
  13. Create the root domain's admin group that was named earlier in this procedure by using the nisgrpadm command with the -c option. The example below creates the admin.wiz.com. group.

    rootmaster# nisgrpadm -c admin.wiz.com.
    Group admin.wiz.com. created.

    This step only creates the group--it does not identify its members. To observe the object properties of the group, use niscat -o, appending groups_dir in the group's name.

    rootmaster# niscat -o admin.groups_dir.wiz.com. 
    Object Name  : admin
    Owner     : rootmaster.wiz.com.
    Group     : admin.wiz.com.
    Domain    : groups_dir.wiz.com.
    Access Rights : ----rmcdr---r---
    Time to Live : 1:0:0
    Object Type  : GROUP
    Group Flags  :
    Group Members :
  14. Add the root master to the root domain's admin group. At this point, the root master server is the only NIS+ principal that has DES credentials. It is, therefore, the only member you should add to the admin group. Use the nisgrpadm command again, but with the -a option. The first argument is the group name, the second is the name of the root master server. The following example adds rootmaster.wiz.com. to the admin.wiz.com. group.

    rootmaster# nisgrpadm -a admin.wiz.com. rootmaster.wiz.com.
    Added rootmaster.wiz.com. to group admin.wiz.com.

    To verify that this step was successful, use the nisgrpadm command with the -l option (see Administering NIS+ Groups).

    Note: With group-related commands such as nisgrpadm, you do not have to include the groups_dir subdirectory in the name. The group-related commands are "targeted" at the groups_dir subdirectory.

    rootmaster# nisgrpadm -l admin.wiz.com. 
    Group entry for admin.wiz.com. group:
      Explicit members:
      No implicit members
      No recursive members
      No explicit nonmembers
      No implicit nonmembers
      No recursive nonmembers
  15. Update the root domain's public keys.

    Normally, directory objects are created by an NIS+ principal that already has DES credentials. In this case, however, the root master server could not acquire DES credentials until after it created the cred table (since there was no parent domain in which to store its credentials). As a result, three directory objects--root, org_dir, and groups_dir--do not have a copy of the root master server's public key. (You can verify this by using the niscat -o command with any of the directory objects. Look for the public key field. Instructions are provided in Administering NIS+ Directories.

    To propagate the root master server's public key from the root domain's cred table to those three directory objects, use the /usr/lib/nis/nisupdkeys utility for each directory object.

    rootmaster# /usr/lib/nis/nisupdkeys wiz.com. 
    rootmaster# /usr/lib/nis/nisupdkeys org_dir.wiz.com.
    rootmaster# /usr/lib/nis/nisupdkeys groups_dir.wiz.com.

    After each instance, a confirmation message similar to the following displays:

    Fetch Public key for server rootmaster.wiz.com.
     netname = 'unix.rootmaster@wiz.com.'
    Updating rootmaster.wiz.com.'s public key.
      Public key:

    Use niscat -o to see the following entry in the public key field:

    Public key: Diffie-Hellman (192 bits)
  16. Start the NIS+ cache manager with the following command:

    rootmaster# startsrc -s nis_cachemgr

    The cache manager maintains a local cache of location information for an NIS+ client (in this case, the root master server). It obtains its initial set of information from the client's cold-start file and downloads it into a file named NIS_SHARED_DIRCACHE in /var/nis.

    Once the cache manager has been started, you have to restart it only if you have explicitly killed it. You do not have to restart it if you reboot, because the NIS_COLD_START file in /var/nis starts it automatically when the client is rebooted. For more information about the NIS+ cache manager, see Administering NIS+ Directories.

  17. Stop the NIS+ daemon. Enter:

    rootmaster# stopsrc -s rpc.nisd
  18. Restart the NIS+ daemon with security level 2.

    Standard NIS+ domain only

    rootmaster# startsrc -s rpc.nisd

    For an NIS-compatible root domain, be sure to use the -Y flag:

    rootmaster# startsrc -s rpc.nisd -a "-Y"

    For NIS-compatible NIS+ domain and DNS forwarding, use the -Y and -B flags:

    rootmaster# startsrc -s rpc.nisd -a "-Y -B"

    Attention: Operational networks should always be run at security level 2. Security levels 0 and 1 are for setup and testing purposes only. Do not run an operational network at level 0 or 1 or you will be running in an unsecured NIS+ environment.
  19. Add your user to the root domain.

    Use the nismkuser command.

  20. Add your DES credentials to the root domain. Enter:

    nisaddcred -p SecureRPC-netname -P principal-name des

    The SecureRPC-netname consists of the prefix unix followed by your UID, the symbol @, and your domain name, but without a trailing dot. The principal-name is the same as for local credentials: your login name followed by your domain name, with a trailing dot.

    rootmaster# nisaddcred -p unix.11177@wiz.com -P topadmin.wiz.com. des 
    Adding key pair for unix.11177@wiz.com (topadmin.wiz.com.).
    Enter login password: 

    If after entering your login password you get a password differs from login password warning and yet the password you entered is your correct login password, ignore the message. (The message does not appear if you have no user password information stored in the /etc/passwd file.)

  21. Add the credentials, both local and DES, of the other administrators who will work in the root domain. To add other administrators' credentials, either:
  22. Add yourself and other administrators to the root domain's admin group.

    You do not have to wait for the other administrators to change their dummy passwords to perform this step. Use the nisgrpadm command with the -a option. The first argument is the group name, the remaining arguments are the names of the administrators. This example adds two administrators, topadmin and miyoko, to the admin.wiz.com. group:

    rootmaster# nisgrpadm -a admin.wiz.com. topadmin.wiz.com. miyoko.wiz.com. 
    Added topadmin.wiz.com. to group admin.wiz.com.
    Added miyoko.wiz.com. to group admin.wiz.com.

Root Domain Setup Summary

The following table shows a summary of the steps required to set up a root domain. Table entries are simplified. Refer to the more thorough task descriptions for options, exceptions, and messages.

Setting Up a Root Domain: Command Summary
Tasks Commands
Log in as root user to rootmaster.

rootmaster% su
Check domain name

Remove leftover NIS+ material.

rm -rf /var/nis*

If running in NIS-compatible mode, also remove NIS domain:

rm -rf /var/yp/ypdomain
Name the admin group.

NIS_GROUP=admin.wiz.com.; \
  export NIS_GROUP
Initialize the root master.

[NIS-compatibility with DNS forwarding only] Start daemon with -Y -B, -S 0.

[NIS+ Only] Start daemon with -S 0.

nisinit -r
# startsrc -s rpc.nisd -a "-Y -B -S 0"


startsrc -s rpc.nisd -a "-S 0"
Create org_dir, groups_dir, tables.

/usr/lib/nis/nissetup [-Y]
Create DES credentials for root master.

nisaddcred des
Enter login password:  
Create admin group.

nisgrpadm -c admin.wiz.com.
Assign full group rights to root directory

nischmod g+rmcd wiz.com.
Add root master to admin group.

nisgrpadm -a admin.wiz.com. \
Update root directory's keys.

/usr/lib/nis/nisupdkeys wiz.com.
Update org_dir's keys.

/usr/lib/nis/nisupdkeys org_dir.wiz.com.
Update groups_dir's keys.

/usr/lib/nis/nisupdkeys groups_dir.wiz.com.
Start NIS+ cache manager

startsrc -s nis_cachemgr
Kill existing NIS+ daemon.

stopsrc -s rpc.nisd
Restart the NIS+ daemon.

Use -y for NIS compatibility and -b for DNS forwarding.

mk_nisd [-y] [-b][-I|-B|-N]
Add your LOCAL credentials.

nisaddcred -p 11177 \
  -P topadmin.wiz.com. local
Add your DES credentials.

nisaddcred -p unix.11177@wiz.com  \
 -P topadmin.wiz.com. des
Enter login password: 
Add credentials for other admins. Add other admins to admin group.

nisaddcred ...
# nisgrpadm -a admin.wiz.com. member

[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]