NIS+ Security
NIS+ protects the structure of the namespace, and the information it stores, by the complementary processes of authorization and authentication.
Authorization. Every component in the namespace specifies the type of operation it will accept and from whom. This is authorization.
Authentication. NIS+ attempts to authenticate every request for access to the namespace. Requests come from NIS+ principals. An NIS+ principal can be a process, machine, root, or a user. Valid NIS+ principals possess an NIS+ credential. NIS+ authenticates the originator of the request (principal) by checking the principal's credential.
If the principal possesses an authentic (valid) credential, and if the principal's request is one that the principal is authorized to perform, NIS+ carries out the request. If either the credential is missing or invalid, or the request is not one the principal is authorized to perform, NIS+ denies the request for access. An introductory description of the entire NIS+ security system is provided in Chapter 11, NIS+ Security Overview.
Solaris 1.x Releases and NIS-Compatibility Mode
NIS+ can be used by machines running NIS with Solaris 1x or 2x Release software. In other words, machines within an NIS+ domain can have their nsswitch.conf files set to nis rather than nisplus. To access NIS+ service on machines running NIS, you must run the NIS+ servers in NIS-compatibility mode.
NIS-compatibility mode enables an NIS+ server running Solaris operating environment to answer requests from NIS clients while continuing to answer requests from NIS+ clients. NIS+ does this by providing two service interfaces. One responds to NIS+ client requests, while the other responds to NIS client requests.
This mode does not require any additional setup or changes to NIS clients. In fact, NIS clients are not even aware that the server that is responding isn't an NIS server--except that an NIS+ server running in NIS-compatibility mode does not support the ypupdate and ypxfr protocols and thus it cannot be used as a replica or master NIS server. For more information on NIS-compatibility mode, see Chapter 26, Transitioning from NIS to NIS+.
Two more differences need to be pointed out. First, instructions for setting up a server in NIS-compatibility mode are slightly different than those used to set up a standard NIS+ server. . Second, NIS-compatibility mode has security implications for tables in the NIS+ namespace. Since the NIS client software does not have the capability to provide the credentials that NIS+ servers expect from NIS+ clients, all their requests end up classified as unauthenticated. Therefore, to allow NIS clients to access information in NIS+ tables, those tables must provide access rights to unauthenticated requests. This is handled automatically by the utilities used to set up a server in NIS-compatibility mode, as described in Part 2. However, to understand more about the authentication process and NIS-compatibility mode, see Chapter 26, Transitioning from NIS to NIS+.
NIS+ Administration Commands
NIS+ provides a full set of commands for administering a namespace. The table below, summarizes them.
Table 2-2 NIS+ Namespace Administration Commands
Command | Description |
|---|---|
nisaddcred | Creates credentials for NIS+ principals and stores them in the cred table. |
nisaddent | Adds information from /etc files or NIS maps into NIS+ tables. |
nisauthconf | Optionally configure Diffie-Hellman key length. |
nisbackup | Backs up NIS directories. |
nis_cachemgr | Starts the NIS+ cache manager on an NIS+ client. |
niscat | Displays the contents of NIS+ tables. |
nis_checkpoint | Forces service to checkpoint data that has been entered in the log but not checkpointed to disk. |
nischgrp | Changes the group owner of an NIS+ object. |
nischmod | Changes an object's access rights. |
nischown | Changes the owner of an NIS+ object. |
nischttl | Changes an NIS+ object's time-to-live value. |
nisclient | Initializes NIS+ principals. |
nisdefaults | Lists an NIS+ object's default values: domain name, group name, machine name, NIS+ principal name, access rights, directory search path, and time-to-live. |
nisgrep | Searches for entries in an NIS+ table. |
nisgrpadm | Creates or destroys an NIS+ group, or displays a list of its members. Also adds members to a group, removes them, or tests them for membership in the group. |
nisinit | Initializes an NIS+ client or server. |
nisln | Creates a symbolic link between two NIS+ tables. |
nislog | Displays the contents of NIS+ transaction log. |
nisls | Lists the contents of an NIS+ directory. |
nismatch | Searches for entries in an NIS+ table. |
nismkdir | Creates an NIS+ directory and specifies its master and replica servers. |
nispasswd | Changes password information stored in the NIS+ passwd table. (Rather than using nispasswd, you should use passwd or passwd -r nisplus.) |
nis_ping | Forces a replica to update its data from the master server. |
nispopulate | Populates the NIS+ tables in a new NIS+ domain. |
nisprefadm | Specifies the order in which clients are to seek NIS+ information from NIS+ servers. |
nisrestore | Restores previously backed up NIS+ directories and can also be used to quickly bring online new NIS+ replica servers. |
nisrm | Removes NIS+ objects (except directories) from the namespace. |
nisrmdir | Removes NIS+ directories and replicas from the namespace. |
nisserver | Shell script used to set up a new NIS+ server. |
nissetup | Creates org_dir and groups_dir directories and a complete set of (unpopulated) NIS+ tables for an NIS+ domain. |
nisshowcache | Lists the contents of the NIS+ shared cache maintained by the NIS+ cache manager. |
nisstat | Reports statistics and other information about an NIS+ server. |
nistbladm | Creates or deletes NIS+ tables, and adds, modifies or deletes entries in an NIS+ table. |
nistest | Reports the current state of the NIS+ namespace. |
nisupdkeys | Updates the public keys stored in an NIS+ object. |
passwd | Changes password information stored in the NIS+ Passwd table. Also administers password aging and other password-related parameters. |
NIS+ API
The NIS+ application programmer's interface (API) is a group of functions that can be called by an application to access and modify NIS+ objects. The NIS+ API has 54 functions that fall into nine categories:
Object manipulation functions (nis_names())
Table access functions (nis_tables())
Local name functions (nis_local_names())
Group manipulation functions (nis_groups())
Application subroutine functions (nis_subr())
Miscellaneous functions (nis_misc())
Database access functions (nis_db())
Error message display functions (nis_error())
Transaction log functions (nis_admin())
Setup and Configuration Preparation
Before configuring your NIS+ namespace, you must:
Install properly configured nsswitch.conf files on all the machines that use NIS+. See Chapter 1, The Name Service Switch for details.
Plan your NIS+ layout. This includes:
Planning your namespace. What will your domain name be? Will you have subdomains, and if so how will they be organized? Which machines will be in which domain? Will your domain be connected to a higher domain or to the Internet?
Determining your server requirements. How many replica servers will be needed for each domain? What type of server, processor speed, and memory is required? How much server disk space is needed?
See Chapter 26, Transitioning from NIS to NIS+ for a detailed description of these and other planning issues, and recommended guidelines.
Prepare your existing namespace (if any). See "Preparing the Existing Namespace".
Choose a root server machine.
Make sure that you have at least one system already running at your site that can be used as your root master server. This machine must contain at least one user (root) in the system information files, such as /etc/passwd. (Machines usually come with root in the system files, so this should not be a problem.)