Old Vens
24th January 2003, 08:19
Hi,
We are trying to implement a 3-tier system with Oracle RDBMS on one host and the Baan application on another. It works, but we have one serious problem: it's difficult to synchronize the passwd table. We used NIS+ on our Solaris 8 and it's OK, but how do we add new users? A simple adduser adds only to the master host's /etc/passwd.
Any ideas?
patvdv
24th January 2003, 18:52
Mmm, what's the reason for using NIS+ instead of ordinary NIS? Unless you have very strict security reasons and/or a complex organization which requires your servers to be structured hierarchically. However, NIS+ is so much more difficult to administer!
Here's a cookbook for adding a NIS user on Solaris. I have never used it myself so use it at your own risk!
1. Take a sample passwd and shadow file, make necessary account(s):
nisaddent -d passwd > passwd.x
nisaddent -d shadow > shadow.x
2. Edit passwd.x and shadow.x files setting up account information
like you would if editing the raw passwd and shadow files. After
editing, load the new account info into NIS+ databases:
cat passwd.x | nisaddent passwd
cat shadow.x | nisaddent shadow
3. Create home directories for new users, change ownerships
and permissions as appropriate.
4. Create LOCAL NIS+ credentials for new user(s) taking special
notes of the ending periods in domain names:
nisaddcred -p <uid> -P <login>.domain.com. local
For example,
nisaddcred -p 1001 -P user.domain.com. local
5. Add DES (encrypted) credentials for new user(s) taking special
notes of the ending periods in domain names:
nisaddcred -p unix.<uid>@domain.com -P <login>.domain.com. des
For example,
nisaddcred -p unix.1001@domain.com -P user.domain.com. des
6. Set passwords:
nispasswd <login>
7. Login as new user and sync login passwd with DES authentication keys:
chkey -p
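
A pre-load check for step 2 and a helper for the period handling in steps 4 and 5, as an added example that is not part of the original post. The function names `check_nis_files` and `cred_commands` are hypothetical, the sample accounts are constructed, and the dumps are assumed to use the usual colon-separated /etc/passwd and /etc/shadow layout.

```shell
#!/bin/sh
# Added example: sanity-check the edited passwd.x / shadow.x dumps before
# loading them with nisaddent, then print the credential commands.

# check_nis_files PASSWD_FILE SHADOW_FILE
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_nis_files() {
    awk -F: '
        FILENAME == ARGV[1] {             # passwd-format dump
            if (NF != 7) { print "passwd line " FNR ": expected 7 fields, got " NF; bad = 1; next }
            if ($1 in uid_of)     { print "duplicate login: " $1; bad = 1 }
            if ($3 in login_of)   { print "duplicate uid " $3 ": " login_of[$3] " and " $1; bad = 1 }
            if ($3 !~ /^[0-9]+$/) { print "non-numeric uid for " $1 ": " $3; bad = 1 }
            uid_of[$1] = $3; login_of[$3] = $1
            next
        }
        {                                 # shadow-format dump
            if (!($1 in uid_of)) { print "shadow entry without passwd entry: " $1; bad = 1 }
            seen[$1] = 1
        }
        END {
            for (l in uid_of)
                if (!(l in seen)) { print "passwd entry without shadow entry: " l; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1" "$2"
}

# cred_commands UID LOGIN DOMAIN
# Prints the nisaddcred commands from steps 4 and 5. The principal name
# always ends with a period, the unix.<uid>@domain netname never does,
# whichever way DOMAIN was typed.
cred_commands() {
    dom=${3%.}                            # strip one trailing period if present
    echo "nisaddcred -p $1 -P $2.$dom. local"
    echo "nisaddcred -p unix.$1@$dom -P $2.$dom. des"
}

# Constructed sample dumps (not real accounts): bob reuses uid 1001 and
# has no shadow line, so the check reports two problems.
tmp=$(mktemp -d)
printf '%s\n' 'alice:x:1001:10::/home/alice:/bin/sh' \
              'bob:x:1001:10::/home/bob:/bin/sh' > "$tmp/passwd.x"
printf '%s\n' 'alice:*LK*:::::::' > "$tmp/shadow.x"
check_nis_files "$tmp/passwd.x" "$tmp/shadow.x" || echo "fix the files before running nisaddent"
cred_commands 1001 alice domain.com
rm -rf "$tmp"
```

The commands are only printed, not run, so the output can be reviewed before anything touches the NIS+ tables.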
Old Vens
27th January 2003, 14:23
Thanks, Pat
While examining 'man nispasswd' I've read:
'The use of nispasswd is STRONGLY discouraged. Even though it
is a hardlink to passwd(1), its operation is subtly different
and not desirable in a modern NIS+ domain.'
If Solaris itself tells such things I think it's time to think once again (I mean using NIS or NIS+).
Maybe an LDAP server is better? Unfortunately I didn't try it before.