[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Network Information Services (NIS and NIS+) Guide

Setting Up a Nonroot Domain

This section provides instructions for using NIS+ commands to set up a nonroot domain (also known as a subdomain). Do not set up a nonroot domain until after you have set up servers.

A summary of this task is provided by Subdomain Setup Summary.

Note: Perform this task with the NIS+ installation scripts (see Using NIS+ Setup Scripts) rather than with the NIS+ command set as described here. The methods described in this section should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.

See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.

Setting up a nonroot domain involves the following tasks:

However, as with setting up the root domain, these tasks cannot be performed sequentially. To make the setup process, these tasks have been broken down into individual steps, and the steps have been arranged into the most efficient order.

Standard versus NIS-Compatible Setup Procedures

The differences between NIS-compatible and standard NIS+ servers in subdomains are the same as they are for servers in the root domain (see Standard versus NIS-Compatible Setup Procedures).

The NIS+ daemon for each server in an NIS-compatible domain should have been started with the -Y option, as instructed in Setting Up NIS+ Servers. An NIS-compatible domain also requires its tables to provide read rights for the nobody class, which allows NIS clients to access the information stored in them. NIS+ is made NIS compatible by using the -Y option with the nissetup command. (The standard NIS+ domain version uses the same setup command but without the -Y option.)

Security Considerations

At most sites, to preserve the security of the parent domain, only the parent domain's master server or an administrator who belongs to the parent domain's admin group has the authority to create a domain beneath it. The parent domain's admin group must have create rights to the parent directory object. To verify the object's rights, use the niscat -o command.

rootmaster# niscat -o Wiz.Com.
Object Name   : wiz
Owner         : rootmaster
Group         : admin.wiz.com.
Access Rights : r---rmcdrmcdr---

If you are more concerned about convenience than security, you could simply make the new domain's master server a member of its parent domain's admin group and then perform the entire procedure from the server. Use the nisgrpadm command.


Before continuing with the following procedure, ensure the following:

You also need the following information:


  1. Log in to the server that you will designate as the new domain's master.

    Note: The steps in this task use the server named smaster, which belongs to the Wiz.Com. domain, and will become the master server of the Sales.Wiz.Com. subdomain. The administrator performing this task is nisboss.Wiz.Com., a member of the admin.Wiz.Com. group. That group has full access rights to the Wiz.Com. directory object.
  2. Name the domain's administrative group.

    Although you do not actually create the admin group until later in this procedure, you must identify it now, which enables the nismkdir command used in the following step to create the directory object with the appropriate access rights for the group. It does the same for the nissetup utility.

    Set the value of the environment variable NIS_GROUP to the name of the domain's admin group. The following example sets NIS_GROUP to admin.Sales.Wiz.Com.

    smaster# NIS_GROUP=admin.Sales.Wiz.Com.
    smaster# export NIS_GROUP
  3. Create the domain's directory and designate its servers.

    The nismkdir command, creates the new domain's directory and designates its supporting servers. Run the command as follows:

    nismkdir -m master -s replica domain

    The -m flag designates its master server, and the -s flag designates its replica.

    Attention: Always run nismkdir on the master server. Never run nismkdir on the replica machine. Running nismkdir on a replica creates communications problems between the master and the replica.

    The directory is loaded into /var/nis. Use the niscat -o command to view it (do not use cat or more).

    smaster# niscat -o Sales.Wiz.Com.
    Object Name   : sales
    Owner         : nisboss.wiz.com.
    Group         : admin.sales.wiz.com.
    Access Rights : ----rmcdr---r---

    Unlike the root directory, this directory object does have the proper group assignment. As a result, you won't have to use nischgrp.

  4. Create the domain's subdirectories and tables.

    This step adds the org_dir and groups_dir directories and the NIS+ tables beneath the new directory object. Use the nissetup utility, but be sure to add the new domain name. To designate an NIS-compatible domain, include the -Y flag.

    For NIS compatibility:

    smaster# /usr/lib/nis/nissetup -Y Sales.Wiz.Com. 

    For standard NIS+:

    smaster# /usr/lib/nis/nissetup   Sales.Wiz.Com.

    Each object added by the utility is listed in the output. For example:

    smaster# /usr/lib/nis/nissetup
    org_dir.Sales.Wiz.Com. created
    groups_dir.Sales.Wiz.Com. created
    auto_master.org_dir.Sales.Wiz.Com. created
    auto_home.org_dir.Sales.Wiz.Com. created
    bootparams.org_dir.Sales.Wiz.Com. created
    cred.org_dir.Sales.Wiz.Com. created
    ethers.org_dir.Sales.Wiz.Com. created
    group.org_dir.Sales.Wiz.Com. created
    hosts.org_dir.Sales.Wiz.Com. created
    mail_aliases.org_dir.Sales.Wiz.Com. created
    sendmailvars.org_dir.Sales.Wiz.Com. created
    client_info.org.dir.Sales.Wiz.Com. created
    netmasks.org_dir.Sales.Wiz.Com. created
    netgroup.org_dir.Sales.Wiz.Com. created
    networks.org_dir.Sales.Wiz.Com. created
    passwd.org_dir.Sales.Wiz.Com. created
    protocols.org_dir.Sales.Wiz.Com. created
    rpc.org_dir.Sales.Wiz.Com. created
    services.org_dir.Sales.Wiz.Com. created
    timezone.org_dir.Sales.Wiz.Com. created

    The -Y option creates the same tables and subdirectories as for a standard NIS+ domain, but assigns read rights to the nobody class so that requests from NIS clients, which are unauthenticated, can access information in the NIS+ tables.

    You can verify the existence of the org_dir and groups_dir directories by looking in your master server's /var/nis/data directory. These directories are listed along with the root object and other NIS+ tables. The tables are listed under the org_dir directory. You can examine the contents of any table by using the niscat command (although at this point, the tables are empty).

  5. Create the domain's admin group named earlier. Use the nisgrpadm command with the -c option. This example creates the admin.Sales.Wiz.Com. group:

    smaster# nisgrpadm -c admin.Sales.Wiz.Com. 
    Group admin.Sales.Wiz.Com. created.

    This step only creates the group. You do not identify its members until later in this procedure.

  6. Assign full group access rights to the directory object.

    By default, the directory object only grants its group read access, which makes the group no more useful than the world class. To make the setup of clients and subdomains easier, change the read access rights that the directory object grants its group to read, modify, create, and destroy. Use the nischmod command.

    smaster# nischmod g+rmcd Sales.Wiz.Com. 
  7. Add the servers to the domain's admin group.

    At this point, the domain's group has no members. Add the master and replica servers, using the nisgrpadm command with the -a option. The first argument is the group name; the others are the names of the new members. This example adds smaster.Wiz.Com. and salesreplica.Wiz.Com. to the admin.Sales.Wiz.Com. group:

    smaster# nisgrpadm -a admin.Sales.Wiz.Com.   smaster.Wiz.Com. \
    Added smaster.Wiz.Com. to group admin.Sales.Wiz.Com.
    Added salesreplica.Wiz.Com. to group admin.Sales.Wiz.Com.

    To verify that the servers are indeed members of the group, use the nisgrpadm command with the -l option.

    smaster# nisgrpadm -l admin.Sales.Wiz.Com. 
    Group entry for admin.Sales.Wiz.Com. group:
        Explicit members:
        No implicit members
        No recursive members
        No explicit nonmembers
        No implicit nonmembers
        No recursive nonmembers
  8. Add the credentials of the other administrators who will work in the domain.

    For administrators who already have DES credentials in another domain, simply add local credentials. Use the nisaddcred command with both the -p and the -P flags.

    smaster# nisaddcred -p 33355 -P nisboss.Wiz.Com. local 

    For administrators who do not yet have credentials, you can proceed in either of two ways.

    Note: In both methods shown below, the domain name following the -p flag must never end in a trailing dot, while the domain name following the -P flag must always end in a trailing dot.

  9. Add the administrators to the domain's admin group.

    You don't have to wait for the other administrators to change their dummy passwords to perform this step. Use the nisgrpadm command with the -a option. The first argument is the group name, and the remaining arguments are the names of the administrators. The following example adds the administrator juan to the admin.Sales.Wiz.Com. group:

    smaster# nisgrpadm -a admin.Sales.Wiz.Com. juan.Sales.Wiz.Com.
    Added juan.Sales.Wiz.Com. to group admin.Sales.Wiz.Com.

Subdomain Setup Summary

The following table shows a summary of the steps required to set up a nonroot domain. Table entries are simplified. Refer to the more thorough task descriptions for options, exceptions, and messages.

Setting Up a Subdomain Command Summary
Tasks Commands
Log in as root user to domain master.

smaster% su
Name the domain's admin group.

export NIS_GROUP
Create the domain's directory and designate its servers.

nismkdir -m smaster \
-s salesreplica Sales.Wiz.Com.
Create org_dir, groups_dir, and tables. (For NIS-compatibility, use -Y.)

/usr/lib/nis/nissetup Sales.Wiz.Com.
Create the admin group.

nisgrpadm -c admin.Sales.Wiz.Com.
Assign full group rights to the domain's directory.

nischmod g+rmcd Sales.Wiz.Com.
Add servers to admin group.

nisgrpadm -a admin.Sales.Wiz.Com. \
  smaster.Wiz.Com. sreplica.Wiz.Com.
Add credentials for other admins.

nisaddcred -p 22244 \
  -P juan.Sales.Wiz.Com. local
nisaddcred -p unix.22244@Sales.Wiz.com. \ 
  juan.Sales.Wiz.Com. des
Add admins to domain's admin group.

nisgrpadm -a admin.Sales.Wiz.Com. \

[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]