Friday, April 4, 2014

NIS maps' source files

The first (somewhat boring) step in installing a NIS master is creating the location for the source files, with its appropriate contents, at a stable place in the NIS master's file system hierarchy. Furthermore, for security reasons it's better to create two additional subdirectories within it, so that user account information, RBAC information and general information are kept apart from one another. Instead of a traditional directory structure, I'll use two Solaris-specific technologies, ZFS and VARSHARE, together with a revision control system; simply using ordinary directories isn't the best approach where management and control are required.

Create sub-datasets of rpool/VARSHARE: this keeps the source files independent of boot environments (BEs) and allows ZFS snapshots and dataset-specific properties such as ZFS compression and ZFS deduplication. If on an immutable zone, be aware that a preliminary boot -w will be required in order to take snapshots, which is probably an inconvenience: NIS maps need to be changed frequently, and taking a ZFS snapshot before each change would require two reboots. Because of this, one could consider a version control system such as Mercurial to streamline the management of the source maps without requiring any reboots, leaving ZFS snapshots for a longer-term backup strategy. But, thinking twice, that's not a good idea, because no NIS client should be pointing at the NIS master but rather at a NIS slave. Rebooting the NIS master isn't an issue after all.

# zfs create -p rpool/VARSHARE/nis/acct
# zfs create -p rpool/VARSHARE/nis/rbac

# zfs list -t all -r rpool/VARSHARE
NAME                    USED AVAIL REFER MOUNTPOINT
rpool/VARSHARE          124K 13.9G   48K /var/share
rpool/VARSHARE/nis       95K 13.9G   33K /var/share/nis
rpool/VARSHARE/nis/acct  31K 13.9G   31K /var/share/nis/acct
rpool/VARSHARE/nis/rbac  31K 13.9G   31K /var/share/nis/rbac

# chmod -R 750 /var/share/nis

Following Solaris best practice, a symbolic link is created.

# ln -s /var/share/nis /var/nis
# ls -lh /var | grep ^l
...
lrwxrwxrwx   1 root     root ... nis -> ../var/share/nis
...

# ls -lh /var/share/nis
...
drwxr-x---   2 root     root ... acct
drwxr-x---   2 root     root ... rbac

Next, the initial map sources are created.

# cd /var/share/nis

# cp /etc/{group,project} .
# cp /etc/{passwd,shadow} acct
# cp /etc/security/{prof_attr,exec_attr,auth_attr} rbac

# touch ethers netgroup netid
# sed -e '/^[^#]/d' < /etc/mail/aliases > ./aliases
# sed -e '/^[^#]/d' < /etc/hosts > ./hosts
# sed -e '/^[^#]/d' < /etc/auto_master > ./auto_master
# sed -e '/^[^#]/d' < /etc/auto_home > ./auto_home
# sed -e '/^[^#]/d' < /etc/networks > ./networks
# sed -e '/^[^#]/d' < /etc/netmasks > ./netmasks
# sed -e '/^[^#]/d' < /etc/protocols > ./protocols
# sed -e '/^[^#]/d' < /etc/services > ./services
# sed -e '/^[^#]/d' < /etc/rpc > ./rpc
# sed -e '/^[^#]/d' < /etc/publickey > ./publickey
# sed -e '/^[^#]/d' < /etc/user_attr > ./user_attr
# sed -e '/^[^#]/d' < /etc/sudoers > ./sudoers

# ln -s hosts ipnodes

# chmod -R o= /var/share/nis

# ls -lh /var/nis/*
total ...
-rw-r-----   1 root     root ... aliases
-rw-r-----   1 root     root ... auto_home
-rw-r-----   1 root     root ... auto_master
-rw-r-----   1 root     root ... ethers
-rw-r-----   1 root     root ... group
-rw-r-----   1 root     root ... hosts
lrwxrwxrwx   1 root     root ... ipnodes -> hosts
-rw-r-----   1 root     root ... netgroup
-rw-r-----   1 root     root ... netid
-rw-r-----   1 root     root ... netmasks
-rw-r-----   1 root     root ... networks
-rw-r-----   1 root     root ... project
-rw-r-----   1 root     root ... protocols
-rw-r-----   1 root     root ... publickey
-rw-r-----   1 root     root ... rpc
-rw-r-----   1 root     root ... services
-r--r-----   1 root     root ... sudoers
-rw-r-----   1 root     root ... user_attr

/var/nis/acct:
total ...
-rw-r-----   1 root     root ... passwd
-r--------   1 root     root ... shadow

/var/nis/rbac:
total ...
-rw-r-----   1 root     root ... auth_attr
-rw-r-----   1 root     root ... exec_attr
-rw-r-----   1 root     root ... prof_attr

Now the contents of the copied files must be adjusted appropriately, according to best practices and requirements. I'm assuming all the defaults of a fresh installation, so certain source files require cleanup:

# cd /var/nis

# cat /dev/null > acct/passwd
# cat /dev/null > acct/shadow

# cat /dev/null > ./group
# cat /dev/null > ./project
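To rehearse the whole procedure above in a scratch directory, here is an added shell example that is not part of the original post: it applies the post's comment-only sed filter, the general/acct/rbac split and the final chmod -R o= to constructed sample files, then audits that nothing in the tree is reachable by "other" and that shadow ends up owner-read-only, as in the listing. The scratch root, the function names and the sample /etc/hosts content are my own assumptions; the ZFS dataset and VARSHARE steps are not reproduced because they need a Solaris host.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the post's layout,
# comment-only filtering and permission lockdown in a scratch directory and
# audit the result. The scratch root stands in for /var/share/nis; the
# sample /etc/hosts content below is constructed.
set -eu

# Keep only comment lines (the same sed filter the post uses) so each map
# source starts as a documented but empty template.
nis_template() {            # nis_template SRC DST
    sed -e '/^[^#]/d' < "$1" > "$2"
}

# General / account / RBAC split; directories reachable by owner and group only.
nis_layout() {              # nis_layout ROOT
    mkdir -p "$1/acct" "$1/rbac"
    chmod 750 "$1" "$1/acct" "$1/rbac"
}

# Audit: list every directory or regular file under ROOT that still grants
# any permission to "other". Symlinks are skipped because a link's own mode
# is always 777; what matters is the target, which is in the tree anyway.
# Returns 1 if anything leaks, 0 when the tree is clean.
nis_audit_other() {         # nis_audit_other ROOT
    leaks=$(find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$leaks" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$1" "$leaks" >&2
        return 1
    fi
}

# Audit: the shadow source must end up owner-read-only (-r--------),
# matching the listing in the post.
nis_audit_shadow() {        # nis_audit_shadow ROOT
    [ "$(ls -ld "$1/acct/shadow" | cut -c1-10)" = "-r--------" ]
}

# Build a miniature source tree the same way the post does; prints its path.
nis_demo() {
    umask 022                      # the default the post's listing reflects
    root=$(mktemp -d)
    nis_layout "$root"
    # Constructed stand-in for /etc/hosts: two comment lines, two entries.
    printf '# Internet host table\n#\n::1 localhost\n127.0.0.1 localhost\n' > "$root/hosts.in"
    nis_template "$root/hosts.in" "$root/hosts"
    rm "$root/hosts.in"
    ln -s hosts "$root/ipnodes"
    : > "$root/acct/passwd"
    : > "$root/acct/shadow"
    chmod 400 "$root/acct/shadow"  # the mode shadow is copied with
    : > "$root/rbac/prof_attr"
    # Last step of the post: strip every "other" bit from the whole tree.
    chmod -R o= "$root"
    printf '%s\n' "$root"
}

# Usage: build the scratch tree, run both audits, report and clean up.
root=$(nis_demo)
nis_audit_other "$root"
nis_audit_shadow "$root"
printf 'audit clean: %s\n' "$root"
rm -rf "$root"
```

Pointing nis_audit_other and nis_audit_shadow at the real /var/share/nis is the check worth running after the chmod -R o= step and again whenever a source file is replaced, since a file copied in later inherits the copier's umask rather than the tree's lockdown.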

The source files and the directory structure for the NIS maps are now set.
Next, proceed to install and configure the NIS master and its NIS slaves.