Chapter 8

Configuring a Non-Root Domain

This chapter provides step-by-step instructions for using the NIS+ command set to configure a subdomain (also known as a non-root domain), including designating its master and replica servers.


Note - NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)). For more information, visit http://www.sun.com/directory/nisplus/transition.html.


Setting Up a Non-Root Domain


Note - It is much easier to perform this task with the NIS+ installation scripts, as described in Part 1, than with the NIS+ command set as described here. The methods described in this chapter should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.


You should not configure a non-root domain until after you have configured its servers.

Setting up a non-root domain involves the following tasks:

  • Establishing security for the domain

  • Creating the domain's directories

  • Creating the domain's tables

  • Designating the domain's servers

As with setting up the root domain, these tasks cannot be performed sequentially. To make the configuration process easier to execute, they have been broken down into individual steps and the steps have been arranged into the most efficient order.

Standard Versus NIS-Compatible Configuration Procedures

The differences between NIS-compatible and standard NIS+ servers in subdomains are the same as they are for servers in the root domain (see Standard Versus NIS-Compatible Configuration Procedures).

The NIS+ daemon for each server in an NIS-compatible domain should have been started with the -Y option, as instructed in Chapter 7, Configuring NIS+ Servers. An NIS-compatible domain also requires its tables to provide read rights for the nobody class, which allows NIS clients to access the information stored in them. This is accomplished with the -Y option to the nissetup command, shown in Step 4. (The standard NIS+ domain version uses the same command but without the -Y option, so it is described in the same step.)

Here is a summary of the entire configuration process:

  1. Log in to the domain's master server.

  2. Name the domain's administrative group.

  3. Create the domain's directory and designate its servers.

  4. Create the domain's subdirectories and tables.

  5. Create the domain's admin group.

  6. Assign full group access rights to the directory object.

  7. Add the servers to the domain's admin group.

  8. Add credentials for other administrators.

  9. Add the administrators to the domain's admin group.

Security Considerations


Note - The NIS+ security system is complex. If you are not familiar with NIS+ security, you might want to review Chapter 17, Administering NIS+ Groups before starting to configure your NIS+ environment.


At most sites, to preserve the security of the parent domain, only the parent domain's master server or an administrator who belongs to the parent domain's admin group is allowed to create a domain beneath it. Although this is a policy decision and not a requirement of NIS+, the instructions in this chapter assume that you are following that policy. Of course, the parent domain's admin group must have create rights to the parent directory object. To verify this, use the niscat -o command.

rootmaster# niscat -o doc.com.
Object Name : Doc
Owner : rootmaster
Group : admin.doc.com.
Domain : Com.
Access Rights : r---rmcdrmcdr---
:
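
The rights check described above can be scripted. The following is an added example, not part of the original Sun guide: it parses the Access Rights line of niscat -o output and confirms that the group class holds the create right. It assumes the four 4-character fields appear in the order nobody, owner, group, world; the function names rights_field, has_right and audit_parent are hypothetical.

```shell
# Added example, not from the Sun guide. NIS+ prints access rights as four
# 4-character fields in the order nobody, owner, group, world; each position
# is r (read), m (modify), c (create), d (destroy) or '-'.

# Constructed sample: the niscat -o output shown above for doc.com.
SAMPLE='Object Name : Doc
Owner : rootmaster
Group : admin.doc.com.
Domain : Com.
Access Rights : r---rmcdrmcdr---'

# rights_field CLASS: read niscat -o output on stdin, print that class's field.
rights_field() {
    case "$1" in
        nobody) off=1 ;; owner) off=5 ;; group) off=9 ;; world) off=13 ;;
        *) return 2 ;;
    esac
    awk -F: -v off="$off" '
        /^Access Rights/ {
            gsub(/[ \t]/, "", $2)
            if (length($2) != 16) exit 3      # malformed rights string
            print substr($2, off, 4); found = 1; exit
        }
        END { if (!found) exit 3 }'           # no Access Rights line at all
}

# has_right CLASS LETTER: exit 0 if held, 1 if not, 2 if input is unparsable.
has_right() {
    field=$(rights_field "$1") || return 2
    case "$field" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# audit_parent: the check from this section (group needs create) plus a
# flag for write-type rights granted to unauthenticated or all principals.
audit_parent() {
    out=$(cat); rc=0
    printf '%s\n' "$out" | has_right group c || { echo "FAIL: group class lacks create right"; rc=1; }
    for class in nobody world; do
        for right in m c d; do
            if printf '%s\n' "$out" | has_right "$class" "$right"; then
                echo "WARN: $class class holds '$right'"; rc=1
            fi
        done
    done
    [ "$rc" -eq 0 ] && echo "OK: group can create; nobody/world are read-only or less"
    return "$rc"
}

printf '%s\n' "$SAMPLE" | audit_parent
```

On a live system, pipe the real command into the function instead of the sample, for example niscat -o doc.com. | audit_parent.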

If you are more concerned about convenience than security, you can make the new domain's master server a member of its parent domain's admin group, then perform the entire procedure from the server. Use the nisgrpadm command, described in Chapter 17, Administering NIS+ Groups.

Prerequisites

  • The parent domain must be configured and running.

  • The server that will be designated as this domain's master must be initialized and running NIS+.

  • If you will designate a replica server, the master server must be able to obtain the replica's IP address through its /etc/hosts or /etc/inet/ipnodes file or from its NIS+ hosts table.

Information You Need

  • The name of the new domain (for Step 3)

  • The name of the new domain's master and replica servers

  • The name of the new domain's admin group (for Step 2)

  • User IDs (UID) of the administrators who will belong to the new domain's admin group (for Step 8)

Setting Up a Non-root Domain -- Task Map

Table 8-1 Setting Up a Non-root Domain

| Task | Description | For Instructions, Go To |
|------|-------------|-------------------------|
| Setting Up a Non-root Domain | Use NIS+ commands to set up a non-root domain | How to Configure a Non-root Domain |
