I have tried to exemplify each feature and functionality, but I think a more realistic example would be useful.
In this post I give an example dealing with new logins.
A login is an account that is used to directly access the system.
Along with its credential, its home directory is an essential resource.
Those resources are conveniently managed centrally by NIS services.
Unfortunately NIS can't meet today's security requirements.
Nevertheless, it may still be very useful in restricted scenarios.
Beyond defaults I make the following assumptions for the example:
- There's no DNS infrastructure in place yet.
- The RPC domain is business.corp.
- The nis-1 host is the NIS master.
- The nis-2 and nis-3 hosts are the NIS slaves.
- The desktop-1 host is the NIS client.
- The nfs-1 host is the NFSv4 server.
- The automounter is used accordingly.
- The new login to be created is user2.
- The group is customer (gid=1000).
- The default project is project1.
- The pam_list allowed-users file on the NIS master doesn't list user2.
- Customized versions of .profile and .bashrc exist.
- The hosts, notably nis-1, aren't immutable zones.
As a best practice, before making any changes, take a backup.
I prefer ZFS snapshots, but they aren't allowed on immutable zones.
On an immutable zone, the user management tools won't work either.
I consider it worthwhile to reboot such zones in temporary writable mode (-w).
Another possibility is to keep the map sources under a revision control system.
Create the login account locally on the NIS master:
nis-1# useradd -c "User 2" user2
nis-1# getent passwd user2
user2:x:102:10:User 2:/export/home/user2:/usr/bin/bash
nis-1# passwd user2
New Password:
Re-enter new Password:
passwd: password successfully changed for user2
nis-1# passwd -l user2
passwd: password information changed for user2
Copy the login's basic configuration to the account map sources:
nis-1# grep user2 /etc/passwd >> /var/nis/acct/passwd
nis-1# grep user2 /etc/shadow >> /var/nis/acct/shadow
Clean up the local login account from the NIS master:
nis-1# userdel user2
Edit the group and home directory fields in the passwd map source (gid 1000 and the automounted /home/user2 path).
It should look as follows:
nis-1# grep user2 /var/nis/acct/passwd
user2:x:102:1000:User 2:/home/user2:/usr/bin/bash
nis-1# grep user2 /var/nis/acct/shadow
user2:*LK*$5$...:0::::::
Edit the netgroup configuration.
It should look somewhat similar to:
nis-1# cat /var/nis/netgroup
...
users ... (-,user2,business.corp) ...
...
Edit the project configuration in the project and user_attr map sources.
It should look as follows:
nis-1# grep user2 /var/nis/project
project1:100:Project 1:user1,user2::
nis-1# grep user2 /var/nis/user_attr
user2::::project=project1
Edit the automounter configuration in the auto_home map source.
It should look as follows:
nis-1# grep user2 /var/nis/auto_home
user2 nfs-1.business.corp:/export/home/&
Run make on the updated sources:
nis-1:/var/yp# make
updated passwd
pushed passwd
updated ageing
updated netid
pushed netid
updated project
pushed project
updated netgroup
pushed netgroup
updated auto.home
pushed auto.home
updated user_attr
pushed user_attr
Verify from a slave that the maps were correctly updated and pushed:
nis-2$ ypmatch -k user2 passwd
user2: user2::102:1000:User 2:/home/user2:/usr/bin/bash
nis-2$ ypmatch -k user2 auto.home
user2: nfs-1.business.corp:/export/home/&
nis-2$ ypmatch -k project1 project
project1: project1:100:Project 1:user1,user2::
nis-2$ ypmatch -k user2 user_attr
user2: user2::::project=project1
nis-2$ ypcat -k netgroup | grep user2
users ... (-,user2,business.corp) ...
Create and export the home directory:
nfs-1# zfs create \
> -o quota=1g \
> -o share.nfs.sec.sys.rw="desktops:servers" \
> rpool/export/home/user2
nfs-1# cp /etc/skel/.profile /export/home/user2
nfs-1# cp /etc/skel/.bashrc /export/home/user2
nfs-1# chown -R user2:customer /export/home/user2
nfs-1# ll -a /export/home/user2
total 11
drwxr-xr-x 5 root root ... ..
drwxr-xr-x 2 user2 customer ... .
-rw-r--r-- 1 user2 customer ... .profile
-r--r--r-- 1 user2 customer ... .bashrc
nfs-1# zfs set share.nfs=on rpool/export/home/user2
nfs-1# zfs get -o value share rpool/export/home/user2
VALUE
name=...,path=/export/home/user2,...,rw=servers:desktops
In addition to updating the NIS maps, if any NIS netgroup referenced by an NFS share was changed, the NFS service must be refreshed:
nfs-1# svcadm refresh nfs/server
Finally, unlock the account (remove the *LK* prefix from the shadow map source and rebuild the maps) so it can be used:
nis-1# grep user2 /var/nis/acct/shadow
user2:$5$...:0::::::
nis-1:/var/yp# make
...
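Before running make, it is easy to miss one of the map sources (the stale gid and /export/home path copied from /etc/passwd are the usual culprits). The following POSIX shell script, an added example that is not part of the original post, checks that a login is consistent across the passwd, shadow, project, user_attr, auto_home and netgroup sources and reports whether it is still locked; it assumes the source layout used above and runs against constructed sample files rather than /var/nis.

```shell
#!/bin/sh
# Sanity check of a login's NIS map sources before running make (added example, not
# from the post). Assumes the layout used above: acct/passwd, acct/shadow, project,
# user_attr, auto_home and netgroup under one source directory.

check_nis_login() {
  # $1 source dir, $2 login, $3 expected gid, $4 default project, $5 NFS home server
  src=$1; login=$2; gid=$3; proj=$4; nfs=$5; rc=0
  pw=$(grep "^$login:" "$src/acct/passwd") || { echo "passwd: no entry for $login"; return 1; }
  [ "$(echo "$pw" | cut -d: -f4)" = "$gid" ] || { echo "passwd: gid is not $gid"; rc=1; }
  # home must be the automounted /home/<login>, not the server's /export/home path
  [ "$(echo "$pw" | cut -d: -f6)" = "/home/$login" ] || { echo "passwd: home is not /home/$login"; rc=1; }
  grep -q "^$login:" "$src/acct/shadow" || { echo "shadow: no entry for $login"; rc=1; }
  grep "^$proj:" "$src/project" | cut -d: -f4 | tr , '\n' | grep -qx "$login" \
    || { echo "project: $login is not a member of $proj"; rc=1; }
  grep -q "^$login:.*project=$proj" "$src/user_attr" || { echo "user_attr: default project is not $proj"; rc=1; }
  grep -q "^$login[[:space:]][[:space:]]*$nfs:/export/home/&" "$src/auto_home" || { echo "auto_home: no entry"; rc=1; }
  grep -q "(-,$login," "$src/netgroup" || { echo "netgroup: $login not listed"; rc=1; }
  return $rc
}

# Exit status 0 when the shadow entry still carries the *LK* lock prefix
shadow_locked() {
  grep "^$2:" "$1/acct/shadow" | cut -d: -f2 | grep -q '^\*LK\*'
}

# Constructed sample sources: "edited" mirrors the post, "stale" is the raw copy from /etc
make_sample() {
  d=$(mktemp -d); mkdir "$d/acct"
  if [ "$1" = edited ]; then
    echo 'user2:x:102:1000:User 2:/home/user2:/usr/bin/bash' > "$d/acct/passwd"
    echo 'user2:*LK*$5$fakehash:0::::::' > "$d/acct/shadow"
  else
    echo 'user2:x:102:10:User 2:/export/home/user2:/usr/bin/bash' > "$d/acct/passwd"
    echo 'user2:$5$fakehash:0::::::' > "$d/acct/shadow"
  fi
  echo 'project1:100:Project 1:user1,user2::' > "$d/project"
  echo 'user2::::project=project1' > "$d/user_attr"
  echo 'user2 nfs-1.business.corp:/export/home/&' > "$d/auto_home"
  echo 'users (-,user1,business.corp) (-,user2,business.corp)' > "$d/netgroup"
  echo "$d"
}

sample=$(make_sample edited)
check_nis_login "$sample" user2 1000 project1 nfs-1.business.corp && echo "sources consistent for user2"
shadow_locked "$sample" user2 && echo "user2 is still locked: unlock it before handing the account over"
rm -r "$sample"
```

Point the functions at /var/nis on the master (with acct/ holding passwd and shadow) to run it against real sources.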
NOTE
If user2 is going to be used on a Solaris 11 desktop, then, to avoid the remote home directory bug in Login Assistant, make sure that the GNOME file .dmrc exists in the home directory and contains the following:
nfs-1$ cat /export/home/user2/.dmrc
[Desktop]
Language=en_US.UTF-8
Layout=us
For a variation of this post see also NIS & roles.
NOTE
Note that during this process there was no disruption of service to clients, as all NIS clients should be bound only to the NIS slave servers.