Tuesday, January 15, 2008

Securely administer client access in a central location with NIS+

Introduction

Network Information Service plus (NIS+), a service used for network naming and administration, expands the services provided by Network Information Service (NIS). NIS+ works on a client-server model, and it stores information at a central location that allows clients to access it over the network. This central location, called the NIS+ namespace, can store information such as security details, workstation addresses, mail information, and so on.

The NIS+ namespace is hierarchical in nature, and it can be easily configured according to the logical structure of an organization. NIS+ also has a special security system to protect the structure of the namespace and its information; it checks both authentication and authorization to process a user's request.

This article summarizes the basic steps and commands for NIS+ installation, configuration, and administration.

Installation and configuration

The installation and configuration examples use the following machine names as root server and client:

  • NIS+ server: server (9.124.111.62)
  • NIS+ client: client (9.124.111.61)

Installation

The installation of NIS+ requires the bos.net.nisplus fileset.

  1. Check the availability of the fileset using the following command:

    # lslpp -l | grep bos.net.nisplus

  2. Plan the NIS+ layout: select the root domain name, the root server machine, the clients, and the slave machines. A sketch of the domain hierarchy is also handy when configuring NIS+.

  3. The /usr/lib/security/methods.cfg file must define the NISPLUS module, as follows:

    NISPLUS:
            program = /usr/lib/security/NISPLUS

    The NISPLUS load module itself must be present in /usr/lib/security.

  4. In the /etc/security/user file, define the SYSTEM attribute in the default stanza as NISPLUS or compat (the example below allows both):

    default:
     SYSTEM = NISPLUS OR compat

  5. Include the /usr/lib/nis directory in the default PATH, as follows:

    # export PATH=$PATH:/usr/lib/nis

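Before starting the server, it is worth verifying steps 3 and 4 mechanically rather than by eye. The following script is an added example, not from the original article: it parses AIX stanza files the way the two settings above are laid out and checks them against constructed copies of /usr/lib/security/methods.cfg and /etc/security/user (point the check functions at the real paths on an AIX host).

```sh
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# NISPLUS settings described in steps 3 and 4, run here against constructed
# copies of /usr/lib/security/methods.cfg and /etc/security/user.

# stanza_attr FILE STANZA ATTR: print the value of ATTR in stanza STANZA of
# an AIX stanza file ("name:" header, indented "attr = value" lines).
stanza_attr() {
    awk -v s="$2:" -v a="$3" '
        /^[^ \t*].*:[ \t]*$/ { cur = $1; next }       # stanza header
        cur == s && $1 == a && $2 == "=" {            # attr = value
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# methods.cfg must load the NISPLUS module from /usr/lib/security.
check_nisplus_method() {
    [ "$(stanza_attr "$1" NISPLUS program)" = "/usr/lib/security/NISPLUS" ]
}

# The default SYSTEM attribute must name NISPLUS (alone or "NISPLUS OR compat").
check_default_system() {
    case "$(stanza_attr "$1" default SYSTEM)" in
        *NISPLUS*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample files standing in for the real ones.
TMP=${TMPDIR:-/tmp}/nisplus-check.$$
mkdir -p "$TMP"
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/methods.cfg" <<'EOF'
* constructed sample of /usr/lib/security/methods.cfg
NISPLUS:
        program = /usr/lib/security/NISPLUS
EOF
cat > "$TMP/user.ok" <<'EOF'
default:
        admin = false
        SYSTEM = NISPLUS OR compat
EOF
cat > "$TMP/user.bad" <<'EOF'
default:
        SYSTEM = compat
EOF

check_nisplus_method "$TMP/methods.cfg" && echo "methods.cfg: NISPLUS module OK"
check_default_system "$TMP/user.ok"  && echo "user.ok: SYSTEM names NISPLUS"
check_default_system "$TMP/user.bad" || echo "user.bad: SYSTEM does not name NISPLUS"
```
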
Configuration

Configuring the NIS+ server starts with choosing a root domain name. The examples use the root domain name isl.com.

  1. Execute the nisserver command, as follows:

    # nisserver -r -d isl.com

    You should see the following display:

    # nisserver -r -d isl.com.
    0513-059 The keyserv Subsystem has been started. Subsystem PID is 303260.
    This script sets up this machine "indus29" as an NIS+
    root master server for domain isl.com..
    
    Domain name             : isl.com
    NIS+ group              : admin.isl.com
    NIS (YP) compatibility  : OFF
    Security Level          : 2=DES
    
    Is this information correct? (type 'y' to accept, 'n' to change)

    Select n to change any of the attributes shown above, or y to continue. You should then see the following display:

    This script will set up your machine as a root master server for
    domain isl.com without NIS compatibility at security level 2.
    
    WARNING: this script removes directories and files related to
    NIS+ under /var/nis directory with the exception of the client_info
    NIS_COLD_START and NIS_SHARED_DIRCACHE files which will be
    renamed to <file>.no_nisplus.  If you want to save these files,
    you should abort from this script now to save these files first.
    
    WARNING: once this script is executed, you will not be able to
    restore the existing NIS+ server environment.  However, you can
    restore your NIS+ client environment using "nisclient -i"
    with the proper domain name and server information.
    
    Do you want to continue? (type 'y' to continue, 'n' to exit this script)

    Select y to proceed; the script then sets up the NIS+ root master server.

  2. Next, populate the NIS+ tables from the local files. Copy the required files to the /var/tmp/nisplus directory, then run the nispopulate command from that directory. This can take a long time, depending on the number of users on the system.

    # mkdir -p /var/tmp/nisplus
    # cp /etc/passwd          /var/tmp/nisplus/passwd
    # cp /etc/hosts           /var/tmp/nisplus/hosts
    # cp /etc/group           /var/tmp/nisplus/group
    # cp /etc/rpc             /var/tmp/nisplus/rpc
    # cp /etc/protocols       /var/tmp/nisplus/protocols
    # cp /etc/networks        /var/tmp/nisplus/networks
    # cp /etc/services        /var/tmp/nisplus/services

    # cd /var/tmp/nisplus

    # /usr/lib/nis/nispopulate -v -F -f -l <passwd>

    The password you give to nispopulate with the -l option is the network password used later for communication between the clients and the server.

  3. Add the root server to the hosts table using the following command:

    # nistbladm -A cname=<rootservername.domainname.> name=<rootservername> \
       addr=<ipaddress of rootserver> hosts.org_dir.domainname

    For example:

    # nistbladm -A cname=server.isl.com. name=server addr=9.124.111.62 hosts.org_dir.isl.com

    Adding this entry to the hosts table completes the NIS+ server configuration.

  4. To check that the server is up, run the following commands:

    # niscat passwd.org_dir
    # nisls

  5. Use the following command on the NIS+ server to add each client to the hosts table:

    # nistbladm -A cname=<clientname.domainname.> name=<clientname> \
       addr=<ipaddress of the client> hosts.org_dir.domainname.

    For example:

    # nistbladm -A cname=client.isl.com. name=client addr=9.124.111.61 hosts.org_dir.isl.com

  6. After adding the clients to the hosts table, go to each client and initialize it with the following series of commands:

    # /usr/lib/nis/nisclient -D
    # stopsrc -s keyserv

    # /usr/lib/nis/nisclient -i -h <rootservername> -a <rootserverip> -d <domainname>

    For example:

    # /usr/lib/nis/nisclient -i -h server -a 9.124.111.62 -d isl.com

  7. Reboot the client:

    # shutdown -Fr

    Configuration of the NIS+ client is now complete.

  8. Run the nisstat command on the client to check the server details and confirm that the setup is correct:

    # nisstat

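The nistbladm commands in steps 3 and 5 are easy to get subtly wrong: NIS+ fully qualified names carry a trailing dot (cname=server.isl.com.), and a mistyped address silently lands in the hosts table. The following helper is an added example, not from the original article: it builds the command from the host name, address and domain, normalizes the trailing dot, and refuses malformed IPv4 addresses. The sample calls use the article's server and client; the rejected third call is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: build the nistbladm command
# used in steps 3 and 5 to register a host in the NIS+ hosts table. NIS+
# fully qualified names end in a dot (cname=server.isl.com.), so the helper
# appends it where it is missing and rejects malformed IPv4 addresses
# before anything is written to the table.

# fqn NAME: print NAME with the trailing dot NIS+ expects.
fqn() {
    case $1 in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.\n' "$1" ;;
    esac
}

# valid_ipv4 ADDR: four decimal octets, each 0-255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# host_add_cmd NAME ADDR DOMAIN: print the nistbladm command (review it,
# then run it on the NIS+ root server, e.g. "host_add_cmd ... | sh").
host_add_cmd() {
    name=$1 addr=$2 domain=$(fqn "$3")
    valid_ipv4 "$addr" || { echo "host_add_cmd: bad address '$addr'" >&2; return 1; }
    printf 'nistbladm -A cname=%s name=%s addr=%s hosts.org_dir.%s\n' \
        "$name.$domain" "$name" "$addr" "$domain"
}

# Sample input matching the article's server and client; the third call is
# a constructed bad address and is rejected.
host_add_cmd server 9.124.111.62 isl.com
host_add_cmd client 9.124.111.61 isl.com.
host_add_cmd bogus 9.124.111.999 isl.com || echo "rejected as expected"
```
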
Administration

This section discusses general administration and basic commands for your NIS+ setup.

  1. To stop NIS+ and remove the domain name, enter the following:

    # stopsrc -s nis_cachemgr
    # /usr/lib/nis/nisserver -D
    # stopsrc -s keyserv
    # /usr/lib/nis/nisclient -D

    Then remove all the files in the /var/nis/ directory.

  2. To create a group, check the domain name and use the nisgrpadm command to create the group (for example, testgrp):

    # domainname
    isl.com
    # nisgrpadm -c testgrp.isl.com
    Group "testgrp.isl.com" created

  3. To see whether the group was created, enter:

    # nisls groups_dir
    groups_dir.isl.com:
    admin
    testgrp

  4. To create an NIS+ user (for example, nispuser), enter:

    # nismkuser nispuser

  5. To display the users, enter:

    # niscat passwd.org_dir

    Similarly, you can use the niscat command to inspect the entries in the other NIS+ tables. For example, to display the host entries, enter:

    # niscat -h hosts.org_dir

  6. To add the user to the group, enter:

    # nisgrpadm -a testgrp nispuser

    This adds nispuser.isl.com to the testgrp.isl.com group.

  7. To check the group entry for the testgrp group, enter:

    # nisgrpadm -l testgrp.isl.com

    The output lists the group entry for testgrp.isl.com and its member:

    nispuser

  8. Another useful command is nisls, which lists the contents of the NIS+ directories. For example, to list the tables that have been populated, enter:

    # nisls org_dir

    To list the groups, enter:

    # nisls groups_dir

Conclusion

Although NIS+ has some advantages over NIS, it is important to note that the two are unrelated: NIS+ was designed from scratch and is not an extension of NIS, so its overall structure, its commands, and the syntax of several of those commands differ from NIS.

See the Network Information Services (NIS and NIS+) Guide in the Resources section for detailed information on other commands used for NIS+ administration.
