Configuring NIS Clients

This section describes how to configure NIS clients to receive authentication, authorization, and network information through the Delinea Network Information Service.

Specifying the Server for NIS Clients to Use

After you install and configure adnisd on a computer, you must configure other computers or devices to send their NIS lookup requests to the computer running adnisd. The specific steps for configuring the NIS client are slightly different in different operating environments. In general, configuring NIS clients involves:

  • Stopping the connection to any existing NIS server.
  • Identifying the zone and computer name of the computer where adnisd is installed in the client’s NIS configuration file.
  • Binding to the new Delinea NIS server.
  • Restarting services that use NIS, or rebooting the computer.

For information about configuring the NIS client in different operating environments, see the appropriate section below.

The client configuration instructions assume that you are using the zone name as the NIS domain name. If not, substitute the NIS domain name you specified when you created the zone where applicable. For more information about configuring NIS clients on any specific platform and OS version, consult the documentation for that platform.

Configuring NIS Clients on Linux

To configure the NIS client on a Linux computer:

  1. Stop any running NIS service and remove all files from the /var/yp/binding directory. For example, run the following commands:

    /sbin/service ypbind stop
    rm -rf /var/yp/binding/*

  2. Set the NIS domain name for the client to the zone name or NIS domain name of the computer where the adnisd process is running.

    domainname zone_name

    For example, if you have installed adnisd on a computer in the corpHQ zone:

    domainname corpHQ

  3. Edit the NIS configuration file, /etc/yp.conf, to specify the Delinea zone and the name of the computer where adnisd is installed.

    domain zonename server hostname

    For example, add a line similar to this to /etc/yp.conf:

    domain corpHQ server localhost

    If your NIS clients are configured for broadcast discovery, this step may not be necessary.

  4. Start the ypbind service.

    On Red Hat Linux, run:

    /sbin/service ypbind start

    On Debian 3.1, run the nis script (controlled using the file /etc/default/nis). By default, the script starts the NIS client, ypbind. For example, run the following command:

    /etc/init.d/nis start

    On SuSE Linux 9.3 Professional, run:

    /etc/init.d/ypbind start

  5. Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source:

    passwd: compat
    group: compat
    shadow: compat

  6. Restart services that rely on the NIS domain, or reboot the computer to restart all services. The most common services to restart are autofs, NSCD, cron and sendmail.
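A post-configuration check for steps 3 and 5 above, added here as an example (it is not Delinea tooling). It confirms that yp.conf pins the expected NIS domain to a named server and that passwd, group and shadow use compat; the function name check_nis_client and its arguments are assumptions of this example, and it assumes the server is set in yp.conf rather than found by broadcast.

```shell
#!/bin/sh
# Added example: check_nis_client ZONE YP_CONF NSSWITCH_CONF (hypothetical name).
# Prints one finding per line; returns 0 if every check passes, 1 otherwise.
check_nis_client() {
    zone=$1; yp_conf=$2; nss_conf=$3; rc=0

    # Step 3: expect "domain <zone> server <hostname>"; comment lines are skipped.
    server=$(awk -v z="$zone" '
        /^[ \t]*#/ { next }
        $1 == "domain" && $2 == z && $3 == "server" && $4 != "" { print $4; exit }
    ' "$yp_conf")
    if [ -n "$server" ]; then
        echo "OK   yp.conf: domain $zone -> server $server"
    else
        echo "FAIL yp.conf: no 'domain $zone server <hostname>' line"
        rc=1
    fi

    # Step 5: passwd, group and shadow must name compat as a source.
    for db in passwd group shadow; do
        src=$(awk -F: -v d="$db" '
            /^[ \t]*#/ { next }
            { key = $1; gsub(/[ \t]/, "", key) }
            key == d { val = $2; sub(/#.*/, "", val)
                       gsub(/[ \t]+/, " ", val); gsub(/^ | $/, "", val)
                       print val; exit }
        ' "$nss_conf")
        case " $src " in
            *" compat "*) echo "OK   nsswitch.conf: $db: $src" ;;
            *) echo "FAIL nsswitch.conf: $db: '${src:-missing}' (expected compat)"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# Typical call on a configured client (paths from the steps above):
#   check_nis_client corpHQ /etc/yp.conf /etc/nsswitch.conf
```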

Configuring NIS Clients on Solaris

To configure the NIS client on a Solaris computer:

  1. Stop any running NIS service and remove all files from the /var/yp/binding directory. For example, run the following commands on Solaris 8 or 9:

    pkill ypbind
    rm -rf /var/yp/binding/*

    On Solaris 10, stop the service by running:

    svcadm disable network/nis/client

  2. Set the NIS domain name for the client to the zone name of the computer where adnisd is running.

    domainname zone_name

    For example, if you have installed adnisd on a computer in the corpHQ zone:

    domainname corpHQ

  3. Run the ypinit -c command and enter the name of the computer where adnisd is installed.

    This step is not required if you use the broadcast option to locate the server when you run the ypbind command. You must use ypinit, however, if your network topology would prevent a broadcast from reaching the desired servers. For example, if the router does not transmit broadcasts across subnets, use the ypinit -c command to specify a server on a different subnet.

  4. Start the ypbind service. On most versions of Solaris, run:

    /usr/lib/netsvc/yp/ypbind

    If you are using the broadcast option to locate the server, start the service with that option. For example:

    /usr/lib/netsvc/yp/ypbind -broadcast

    On Solaris 10, run:

    svcadm enable network/nis/client

  5. Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source:

    passwd: compat
    group: compat
    shadow: compat

  6. Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services to restart are autofs, NSCD, cron and sendmail.

Configuring NIS Clients on HP-UX

To configure the NIS client on an HP-UX computer:

  1. Stop any running NIS service and remove all files in the /var/yp/binding directory. For example, run the following commands:

    /sbin/init.d/nis.client stop
    rm -rf /var/yp/binding/*

  2. Edit the NIS configuration file, /etc/rc.config.d/namesvrs, to set the NIS_CLIENT to 1 and the NIS_DOMAIN to the name of the Delinea zone. For example:

    NIS_CLIENT=1
    NIS_DOMAIN="zone-name"

  3. Add the -ypset option to the YPBIND_OPTIONS variable and set the YPSET_ADDR variable to the IP address of the computer where adnisd is installed. For example:

    YPBIND_OPTIONS="-ypset"
    YPSET_ADDR="15.13.115.168"

    This step is not required if you want to use the broadcast option to locate the server when you run the ypbind command.

  4. Set the NIS domain name for the client to the zone name of the computer where the adnisd process is running.

    domainname zone_name

  5. Start the ypbind service. On HP-UX, you can start the service by running:

    /sbin/init.d/nis.client start

  6. Modify the passwd, group, and shadow lines in the /etc/nsswitch.conf file to use compat as the source:

    passwd: compat
    group: compat
    shadow: compat

  7. Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services to restart are autofs, pwgrd, cron and sendmail.

Configuring NIS Clients on AIX

To configure the NIS client on an AIX computer:

  1. Stop any running NIS service and remove all files from the /var/yp/binding directory. For example, run:

    stopsrc -s ypbind

    If the computer is not already a NIS client, you can use the System Management Interface Tool (smit) and the mkclient command to add adnisd to the computer.

  2. Open the /etc/rc.nfs file and verify that the startsrc command is configured to start the ypbind daemon:

    if [ -x /usr/etc/ypbind ]; then
        startsrc -s ypbind
    fi

  3. Set the client’s NIS domain name to the zone name of the computer where adnisd is running. For example:

    domainname zone_name

  4. Start the ypbind service:

    startsrc -s ypbind

  5. Restart services that rely on the NIS domain or reboot the computer to restart all services. The most common services to restart are autofs, NSCD, cron and sendmail.

    The adnisd service is not supported in a workload partitioning (WPAR) environment (Ref: CS-30588c).

Verifying the Client Configuration

Run the domainname command to verify that the client is configured to use the appropriate Delinea zone or NIS domain name. For example, if you have configured a computer to service NIS requests for the sanfrancisco zone and are using the zone name as the NIS domain name:

   domainname  
   sanfrancisco

To test that the client can connect to the Delinea Network Information Service, run one or more NIS client request commands; for example:

   ypwhich  
   ypwhich -m  
   ypcat -k mapname

Checking the Derived passwd and Group Maps

On a computer you have configured as an NIS client, verify that the NIS maps required for agentless authentication are available by running the following command:

ypwhich -m

At a minimum, you should see the passwd.* and group.* map names, followed by the name of the computer you are using as the NIS server. For example, if the computer running adclient and adnisd is iceberg-hpux, you should see output similar to this:

   passwd.byuid iceberg-hpux
   passwd.byname iceberg-hpux
   group.byname iceberg-hpux
   group.bygid iceberg-hpux

These passwd.* and group.* maps are automatically generated based on the information stored in Active Directory for the zone, including all Active Directory users and groups granted access to the zone. You can view information from any of these maps using a command like ypcat passwd.byname. The output displayed should look similar to this:

   paul:Xq2UvSkNngA:10000:10000:paul:/home/paul:/bin/bash  
   mlopez:!:10002:10000:Marco Lopez:/home/mlopez:/bin/bash  
   jsmith:!:10001:10000:John Smith:/home/jsmith:/bin/bash

In this example, the user paul has a password hash, but users mlopez and jsmith do not.

If a user account is new, disabled, locked, requires a password change, or is not enabled for a zone, the Delinea NIS server sets the user’s hash field to “!”.

On some platforms, you may see ABCD!efgh12345$67890 as the password hash for users who need to set their password.
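Because any NIS client that can query the map sees the hash field, it is worth listing which entries actually carry a hash. The following is an added example (not part of the Delinea documentation) that classifies each passwd map entry by its second field, using the "!" and placeholder values described above; the function names and state labels are assumptions of this example, and the sample input is the output shown earlier in this section.

```shell
#!/bin/sh
# Added example: classify the hash field of passwd-format lines read on stdin,
# as printed by `ypcat passwd.byname`. Output: "<user> <state>" per entry.
classify_nis_hashes() {
    awk -F: -v ph='ABCD!efgh12345$67890' '
        NF == 0     { next }                              # skip blank lines
        NF < 7      { printf "%s malformed\n", $1; next } # not a passwd entry
        $2 == "!"   { printf "%s no-hash\n", $1; next }   # new, locked, disabled...
        $2 == ph    { printf "%s placeholder\n", $1; next }
        $2 == ""    { printf "%s empty\n", $1; next }     # empty password field
                    { printf "%s hash-present\n", $1 }    # real hash visible in map
    '
}

# Number of entries whose hash is readable by NIS clients.
count_exposed_hashes() {
    classify_nis_hashes | awk '$2 == "hash-present" { n++ } END { print n + 0 }'
}

# Sample input: the ypcat passwd.byname output shown in this section.
sample_map() {
    cat <<'EOF'
paul:Xq2UvSkNngA:10000:10000:paul:/home/paul:/bin/bash
mlopez:!:10002:10000:Marco Lopez:/home/mlopez:/bin/bash
jsmith:!:10001:10000:John Smith:/home/jsmith:/bin/bash
EOF
}

# On a configured client:
#   ypcat passwd.byname | classify_nis_hashes
```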