This command updates the public keys in an NIS+ directory object. When the public key(s) for a NIS+ server are changed, nisupdkeys reads a directory object and attempts to get the public key data for each server of that directory. These keys are placed in the directory object and the object is then modified to reflect the new keys. If directory is present, the directory object for that directory is updated. Otherwise the directory object for the default domain is updated. The new key must be propagated to all directory objects that reference that server.

On the other hand, nisupdkeys -s gets a list of all the directories served by host and updates those directory objects. This assumes that the caller has adequate permission to change all the associated directory objects. The list of directories being served by a given server can also be obtained by nisstat(1M). Before you do this operation, make sure that the new address/public key has been propagated to all replicas. If multiple authentication mechanisms are configured using nisauthconf(1M), then the keys for those mechanisms will also be updated or cleared.

The user executing this command must have modify access to the directory object for it to succeed. The existing directory object can be displayed with the niscat(1) command using the -o option.

This command does not update the directory objects stored in the NIS_COLD_START file on the NIS+ clients.

If a server is also the root master server, then nisupdkeys -s cannot be used to update the root directory.

-a

Update the universal addresses of the NIS+ servers in the directory object. Currently, this only works for the TCP/IP family of transports. This option should be used when the IP address of the server is changed. The server's new address is resolved using getipnodebyname(3SOCKET) on this machine. The /etc/nsswitch.conf file must point to the correct source for ipnodes and hosts for this resolution to work.

-C

Specify to clear rather than set the public key(s). Communication with a server that has no public key(s) does not require the use of secure RPC.

-H host

Limit key changes only to the server named host. If the hostname is not a fully qualified NIS+ name, then it is assumed to be a host in the default domain. If the named host does not serve the directory, no action is taken.

-s

Update all the NIS+ directory objects served by the specified server. This assumes that the caller has adequate access rights to change all the associated directory objects. If the NIS+ principal making this call does not have adequate permissions to update the directory objects, those particular updates will fail and the caller will be notified. If the rpc.nisd on host cannot return the list of servers it serves, the command will print an error message. The caller would then have to invoke nisupdkeys multiple times (as in the first synopsis), once per NIS+ directory that it serves.

See attributes(5) for descriptions of the following attributes:

chkey(1), niscat(1), nisaddcred(1M), nisauthconf(1M), nisstat(1M), getipnodebyname(3SOCKET), nis_objects(3NSL), attributes(5)

NIS+ might not be supported in future releases of the Solaris Operating Environment. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment. For more information, visit http://www.sun.com/directory/nisplus/transition.html.