Having reviewed the configuration of NIS+ and the main tables that are used to define a NIS+ domain, we now examine how to use NIS+ effectively to manage hosts and resources within a domain. As we have seen, many different objects can be managed and identified within a NIS+ domain, and there are several commands that are used to access them. In this section, we examine commands such as nisdefault, which displays the NIS+ settings for the local client system, and nischmod, which is used to set access rights on NIS+ objects. In addition, the nisls command is reviewed, which can be used for object lookups and queries. Finally, we will examine the niscat command, which displays the contents of table entries and can be used to examine NIS+ objects in detail.
The current settings for a local client system and the active user can be displayed by using the nisdefaults command. The nisdefaults command is commonly used when attempting to troubleshoot an error, such as a user’s credentials not being correctly authenticated from the passwd table. As an example, let’s examine the nisdefaults for the host comorin when executed by the user walter:
comorin$ nisdefaults Principal Name : walter.develop.panther.edu. Domain Name : develop.panther.edu. Host Name : comorin.develop.panther.edu. Group Name : develop Access Rights : ----rmcdr---r--- Time to live : 11:00:00 Search Path : develop.panther.edu. panther.edu.
The output of the nisdefaults command can be interpreted in the following way:
The principal user is walter, who belongs to the NIS+ domain develop.panther.edu.
The primary domain name is develop.panther.edu.
The hostname of the local system is comorin.develop.panther.edu.
The user walter’s primary group is develop.
The time-to-live setting is 11 hours.
The client’s access rights within the domain are stated.
The search path starts with the current nonroot domain (develop.panther.edu), followed by the root domain (panther.edu).
The access rights stated for the user in this example are outlined in more detail in the following section.
Every user has a set of access rights for accessing objects within the network. The notation for setting and accessing object permissions is very similar to that used for Solaris file systems. The following permissions may be set on any object, or may be defined as the default settings for a particular client:
c Sets create permission
d Sets delete permission
m Sets modify permission
r Sets read permission
This nischmod command is used to set permissions on objects within the domain. The following operands are used to specify access rights for specific classes of users:
a All (all authenticated and unauthenticated users)
n Nobody (all unauthenticated users)
o Object owner
w World (all authenticated users)
There are two operators that can be used to set and remove permissions:
+ Sets a permission
- Removes a permission
Some examples of how permissions strings are constructed will clarify how these operators and operands are combined for use with the nichmod command. The following command removes all modify (m) and create (c) access rights on the password table for all unauthenticated (n) users:
moorea# nischmod n-cm passwd.org_dir
Even unauthenticated users require read (r) access to the password table for authentication, which can be granted with the following command:
moorea# nischmod n+r passwd.org_dir
To grant modify and create access rights to the current user (in this case, root) and his or her primary group on the same table, we would use the following command:
moorea# nischmod og+cm passwd.org_dir
NIS+ permission strings are easy to remember, but hard to combine into single commands where some permissions are granted while others are removed—unlike the octal codes used to specify absolute permissions on Solaris file systems. However, it is possible to combine permissions strings by using a comma to separate individual strings. The following complex string is an example of how it is possible to set permissions within a single string, but equally shows how challenging it is to interpret:
moorea# nischmod o=rmcd,g=rmc,w=rm,n=r hosts.org_dir
This command grants the following permissions to four different categories of users:
owner Read, modify, create, and delete
group Read, modify, and create
world Read and modify
nobody Read only
The nisls command is used as a lookup and query command which can provide views on NIS+ directories and tables. For example, to view all of the NIS+ directories that have been populated within the local namespace, we can use the nisls command:
moorea# nisls develop.panther.edu.: org_dir groups_dir
There are two directory object types listed here: the org_dir, which lists all of the tables that have been set up within the namespace, and the groups_dir, which stores details of all NIS+ groups. We can view a list of tables by using the nisls command once again on the org_dir directory:
moorea# nisls org_dir org_dir.sales.panther.edu.: auto_home auto_master bootparams client_info cred ethers group hosts mail_aliases netgroup netmasks networks passwd protocols rpc sendmailvars services timezone
A large number of tables have been populated for this domain. The groups directory contains the admin group we created earlier, which lists all of the administrators, as well as several other groups that are based on distinct organizational units within the current domain:
moorea# nisls groups_dir groups_dir.sales.panther.edu.: admin adverts legal media
The niscat command is used to retrieve the contents of objects within the domain, primarily the data contained within NIS+ tables. For example, all hosts listed within the domain can be listed by using the following command:
moorea$ niscat -h hosts.org_dir moorea.panther.edu moorea 10.58.64.16 borabora.panther.edu borabora 10.58.64.17 tahiti.panther.edu tahiti 10.58.64.18 orana.panther.edu orana 10.58.64.19
Alternatively, we can use the niscat command to examine the contents of the passwd table:
moorea$ niscat passwd.org_dir moppet:*LK*:1001:1:moppet:/staff/moppet:/bin/tcsh:10910:-1:-1:-1:-1::0 miki:*LK*:1002:1:miki:/staff/miki:/bin/bash:10920:-1:-1:-1:-1::0 maya:*LK*:1003:1:maya:/staff/maya:/bin/sh:10930:-1:-1:-1:-1::0 paul:*LK*:1004:1:paul:/staff/paul:/bin/csh:10940:-1:-1:-1:-1::0
Next, we can examine which groups these users belong to by using the niscat command once again:
moorea$ niscat group.org_dir root::0:root staff::1:moppet,miki,maya,paul bin::2:root,bin,daemon sys:*:3:root,bin,sys,adm adm::4:root,adm,daemon uucp::5:root,uucp mail::6:root
All of the hosts that form part of the local domain can be examined based on their Ethernet address, which is extracted from the ethers table, as shown in the following example:
moorea$ niscat ethers.org_dir 1:4a:16:2f:13:b2 moorea.panther.edu. 1:02:1e:f4:61:2e borabora.panther.edu. f4:61:2e:1:4a:16 tahiti.panther.edu. 2f:13:b2:1:02:1e orana.panther.edu.
In order to determine which services are offered within the local domain, we can also examine the services table:
moorea$ niscat services.org_dir tcpmux tcpmux tcp 1 echo echo tcp 7 echo echo udp 7 discard discard tcp 9 discard sink tcp 9 discard null tcp 9 discard discard udp 9 discard sink udp 9 discard null udp 9 systat systat tcp 11 systat users tcp 11 daytime daytime tcp 13 daytime daytime udp 13
Every other table that is defined within the domain may be viewed by using the niscat command in this way.
Read the man page for the niscat command and ensure that you can memorize all of the available options.