NIS+ Commands

Having reviewed the configuration of NIS+ and the main tables that are used to define a NIS+ domain, we now examine how to use NIS+ effectively to manage hosts and resources within a domain. As we have seen, many different objects can be managed and identified within a NIS+ domain, and there are several commands that are used to access them. In this section, we examine commands such as nisdefaults, which displays the NIS+ settings for the local client system, and nischmod, which is used to set access rights on NIS+ objects. In addition, the nisls command is reviewed, which can be used for object lookups and queries. Finally, we will examine the niscat command, which displays the contents of table entries and can be used to examine NIS+ objects in detail.

nisdefaults

The current settings for a local client system and the active user can be displayed by using the nisdefaults command. The nisdefaults command is commonly used when attempting to troubleshoot an error, such as a user’s credentials not being correctly authenticated from the passwd table. As an example, let’s examine the nisdefaults for the host comorin when executed by the user walter:

comorin$ nisdefaults
Principal Name : walter.develop.panther.edu.
Domain Name    : develop.panther.edu.
Host Name      : comorin.develop.panther.edu.
Group Name     : develop
Access Rights  : ----rmcdr---r---
Time to live   : 11:00:00
Search Path    : develop.panther.edu. panther.edu.

The output of the nisdefaults command can be interpreted in the following way:

  • The principal user is walter, who belongs to the NIS+ domain develop.panther.edu.

  • The primary domain name is develop.panther.edu.

  • The hostname of the local system is comorin.develop.panther.edu.

  • The user walter’s primary group is develop.

  • The time-to-live setting is 11 hours.

  • The client’s access rights within the domain are stated.

  • The search path starts with the current nonroot domain (develop.panther.edu), followed by the root domain (panther.edu).

The access rights stated for the user in this example are outlined in more detail in the following section.

nischmod

Every user has a set of access rights for accessing objects within the network. The notation for setting and accessing object permissions is very similar to that used for Solaris file systems. The following permissions may be set on any object, or may be defined as the default settings for a particular client:

  • c Sets create permission

  • d Sets delete permission

  • m Sets modify permission

  • r Sets read permission

The nischmod command is used to set permissions on objects within the domain. The following operands are used to specify access rights for specific classes of users:

  • a All (all authenticated and unauthenticated users)

  • g Group

  • n Nobody (all unauthenticated users)

  • o Object owner

  • w World (all authenticated users)

There are two operators that can be used to set and remove permissions:

  • + Sets a permission

  • - Removes a permission

Some examples of how permission strings are constructed will clarify how these operators and operands are combined for use with the nischmod command. The following command removes all modify (m) and create (c) access rights on the password table for all unauthenticated (n) users:

moorea# nischmod n-cm passwd.org_dir

Even unauthenticated users require read (r) access to the password table for authentication, which can be granted with the following command:

moorea# nischmod n+r passwd.org_dir

To grant modify and create access rights to the current user (in this case, root) and his or her primary group on the same table, we would use the following command:

moorea# nischmod og+cm passwd.org_dir

NIS+ permission strings are easy to remember, but hard to combine into a single command that grants some permissions while removing others, unlike the octal codes used to specify absolute permissions on Solaris file systems. However, individual permission strings can be combined by separating them with commas. The following command sets permissions for several classes of users within a single string, and equally shows how challenging such a string is to interpret:

moorea# nischmod o=rmcd,g=rmc,w=rm,n=r hosts.org_dir

This command grants the following permissions to four different categories of users:

  • owner Read, modify, create, and delete

  • group Read, modify, and create

  • world Read and modify

  • nobody Read only
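
The following added example (not part of the original text, and not a NIS+ tool) models the Access Rights string printed by nisdefaults and the nischmod permission strings used above, so that the effect of a command can be worked out before it is run. It assumes the 16-character string is four groups of four in the order nobody, owner, group, world; the function names are hypothetical, and the a operand is deliberately not handled.

```python
import re

# Added illustration: an offline model of the 16-character NIS+ access-rights
# string. It does not call nischmod or contact a NIS+ server.
CLASSES = "nogw"  # assumed display order: nobody, owner, group, world
RIGHTS = "rmcd"   # slot order in each class: read, modify, create, delete
CLAUSE = re.compile(r"([nogw]+)([-+=])([rmcd]*)")

def parse_rights(text):
    """Split a string such as '----rmcdr---r---' into one set per class."""
    if len(text) != 16:
        raise ValueError("expected 16 characters, got %d" % len(text))
    parsed = {}
    for i, cls in enumerate(CLASSES):
        chunk = text[4 * i:4 * i + 4]
        for slot, ch in zip(RIGHTS, chunk):
            if ch not in (slot, "-"):
                raise ValueError("bad character %r in %r" % (ch, chunk))
        parsed[cls] = {ch for ch in chunk if ch != "-"}
    return parsed

def format_rights(parsed):
    """Render per-class sets back into the 16-character display form."""
    return "".join(r if r in parsed[c] else "-" for c in CLASSES for r in RIGHTS)

def apply_clauses(current, spec):
    """Apply a comma-separated spec such as 'n-cm' or 'o=rmcd,g=rmc'."""
    parsed = parse_rights(current)
    for clause in spec.split(","):
        match = CLAUSE.fullmatch(clause)
        if match is None:
            raise ValueError("unsupported clause %r" % clause)
        who, op, perms = match.group(1), match.group(2), set(match.group(3))
        for cls in who:
            if op == "+":
                parsed[cls] |= perms
            elif op == "-":
                parsed[cls] -= perms
            else:  # '=' replaces the class's rights, as in the hosts.org_dir command
                parsed[cls] = set(perms)
    return format_rights(parsed)

def unauthenticated_excess(text):
    """Rights other than read that the nobody class holds, in slot order."""
    return [r for r in RIGHTS if r in parse_rights(text)["n"] and r != "r"]
```

Applied to a constructed starting state of rmcdrmcdr---r---, the string n-cm yields r--drmcdr---r---: delete is still held by unauthenticated users, because a - string removes only the permissions it names.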

nisls

The nisls command is a lookup and query command that provides views of NIS+ directories and tables. For example, to view all of the NIS+ directories that have been populated within the local namespace, we can use the nisls command:

moorea# nisls
develop.panther.edu.:
org_dir
groups_dir

There are two directory object types listed here: the org_dir, which lists all of the tables that have been set up within the namespace, and the groups_dir, which stores details of all NIS+ groups. We can view a list of tables by using the nisls command once again on the org_dir directory:

moorea# nisls org_dir
org_dir.sales.panther.edu.:
auto_home
auto_master
bootparams
client_info
cred
ethers
group
hosts
mail_aliases
netgroup
netmasks
networks
passwd
protocols
rpc
sendmailvars
services
timezone

A large number of tables have been populated for this domain. The groups directory contains the admin group we created earlier, which lists all of the administrators, as well as several other groups that are based on distinct organizational units within the current domain:

moorea# nisls groups_dir
groups_dir.sales.panther.edu.:
admin
adverts
legal
media

niscat

The niscat command is used to retrieve the contents of objects within the domain, primarily the data contained within NIS+ tables. For example, all hosts listed within the domain can be listed by using the following command:

moorea$ niscat -h hosts.org_dir
moorea.panther.edu moorea 10.58.64.16
borabora.panther.edu borabora 10.58.64.17
tahiti.panther.edu tahiti 10.58.64.18
orana.panther.edu orana 10.58.64.19

Alternatively, we can use the niscat command to examine the contents of the passwd table:

moorea$ niscat passwd.org_dir
moppet:*LK*:1001:1:moppet:/staff/moppet:/bin/tcsh:10910:-1:-1:-1:-1::0
miki:*LK*:1002:1:miki:/staff/miki:/bin/bash:10920:-1:-1:-1:-1::0
maya:*LK*:1003:1:maya:/staff/maya:/bin/sh:10930:-1:-1:-1:-1::0
paul:*LK*:1004:1:paul:/staff/paul:/bin/csh:10940:-1:-1:-1:-1::0

Next, we can examine which groups these users belong to by using the niscat command once again:

moorea$ niscat group.org_dir
root::0:root
staff::1:moppet,miki,maya,paul
bin::2:root,bin,daemon
sys:*:3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root

All of the hosts that form part of the local domain can be examined based on their Ethernet address, which is extracted from the ethers table, as shown in the following example:

moorea$ niscat ethers.org_dir
1:4a:16:2f:13:b2 moorea.panther.edu.
1:02:1e:f4:61:2e borabora.panther.edu.
f4:61:2e:1:4a:16 tahiti.panther.edu.
2f:13:b2:1:02:1e orana.panther.edu.

In order to determine which services are offered within the local domain, we can also examine the services table:

moorea$ niscat services.org_dir
tcpmux tcpmux tcp 1
echo echo tcp 7
echo echo udp 7
discard discard tcp 9
discard sink tcp 9
discard null tcp 9
discard discard udp 9
discard sink udp 9
discard null udp 9
systat systat tcp 11
systat users tcp 11
daytime daytime tcp 13
daytime daytime udp 13

Every other table that is defined within the domain may be viewed by using the niscat command in this way.

EXAM TIP  

Read the man page for the niscat command and ensure that you can memorize all of the available options.



Part I: Solaris 9 Operating Environment, Exam I