openSolaris 2008 - Using the Solaris Management Tools in a Name Service Environment (Task Map) - System Administration Guide: Basic Administration

Using the Solaris Management Tools in a Name Service Environment (Task Map)

By default, the Solaris management tools are set up to operate in a local environment. For example, the Mounts and Shares tool enables you to mount and share directories on specific systems, but not in an NIS or NIS+ environment. However, you can manage information with the Users and Computers and Networks tools in a name service environment.

To work with a console tool in a name service environment, you need to create a name service toolbox, and then add the tool to that toolbox.

Task	Description	For Instructions
1. Verify prerequisites.	Verify you have completed the prerequisites before attempting to use the console in a name service environment.	Prerequisites for Using the Solaris Management Console in a Name Service Environment
2. Create a toolbox for the name service.	Use the New Toolbox wizard to create a toolbox for your name service tools.	How to Create a Toolbox for a Specific Environment
3. Add a tool to the name service toolbox.	Add the Users tool, or any other name service tool, to your name service toolbox.	How to Add a Tool to a Toolbox
4. Select the toolbox that was just created.	Select the toolbox you just created to manage name service information.	How to Start the Solaris Management Console in a Name Service Environment

RBAC Security Files

The RBAC security files that work with the Solaris Management Console are created when you upgrade to or install at least the Solaris 9 release. If you do not install the Solaris Management Console packages, the RBAC security files are installed without the necessary data for using RBAC. For information on the Solaris Management Console packages, see Troubleshooting the Solaris Management Console.

The RBAC security files if you are running at least the Solaris 9 release are included in your name service so that you can use the Solaris Management Console tools in a name service environment.

The security files on a local server are populated into a name service environment as part of a standard upgrade by the ypmake, nispopulate, or equivalent LDAP commands.

The following name services are supported:

NIS
NIS+
LDAP
files

Note - The projects database is not supported in the NIS+ environment.

The RBAC security files are created when you upgrade to or install at least the Solaris 9 release.

This table briefly describes the predefined security files that are installed on a system that is running at least the Solaris 9 release.

Table 2-3 RBAC Security Files

Local File Name	Table or Map Name	Description
`/etc/user_attr`	`user_attr`	Associates users and roles with authorizations and rights profiles
`/etc/security/auth_attr`	`auth_attr`	Defines authorizations and their attributes and identifies associated help files
`/etc/security/prof_attr`	`prof_attr`	Defines rights profiles, lists the rights profiles assigned to the authorizations, and identifies associated help files
`/etc/security/exec_attr`	`exec_attr`	Defines the privileged operations assigned to a rights profile

For unusual upgrade cases, you might have to use the smattrpop command to populate RBAC security files in the following instances:

When creating or modifying rights profiles
When you need to include users and roles by customizing the usr_attr file

For more information, see Role-Based Access Control (Overview) in System Administration Guide: Security Services.

Prerequisites for Using the Solaris Management Console in a Name Service Environment

The following table identifies what you need to do before you can use the Solaris Management Console in a name service environment.

Prerequisite	For More Information
Install at least the Solaris 9 release.	Solaris Express Installation Guide: Basic Installations
Set up your name service environment.	System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
Select your management scope.	Management Scope
Make sure your`/etc/nsswitch.conf` file is configured so that you can access your name service data.	`/etc/nsswitch.conf` File

Management Scope

The Solaris Management Console uses the term management scope to refer to the name service environment that you want to use with the selected management tool. The management scope choices for the Users tool and the Computers and Networks tool are LDAP, NIS, NIS+, or files.

The management scope that you select during a console session should correspond to the primary name service identified in the /etc/nsswitch.conf file.

`/etc/nsswitch.conf` File

The /etc/nsswitch.conf file on each system specifies the policy for name service lookups (where data is read from) on that system.

Note - You must make sure that the name service accessed from the console, which you specify through the console Toolbox Editor, appears in the search path of the /etc/nsswitch.conf file. If the specified name service does not appear there, the tools might behave in unexpected ways, resulting in errors or warnings.

When you use the Solaris management tools in a name service environment, you might impact many users with a single operation. For example, if you delete a user in the NIS name service, that user is deleted on all systems that are using NIS.

If different systems in your network have different /etc/nsswitch.conf configurations, unexpected results might occur. So, all systems to be managed with the Solaris management tools should have a consistent name service configuration.

How to Create a Toolbox for a Specific Environment

Applications for administering the Solaris Operating System are called tools. Those tools are stored in collections referred to as toolboxes. A toolbox can be located on a local server, where the console is located, or on a remote machine.

Use the Toolbox Editor to add a new toolbox, to add tools to an existing toolbox, or to change the scope of a toolbox. For example, use this tool to change the domain from local files to a name service.

Note - You can start the Toolbox Editor as a normal user. However, if you plan to make changes and save them to the default console toolbox, /var/sadm/smc/toolboxes, you must start the Toolbox Editor as root.

Start the Toolbox Editor.
```
# /usr/sadm/bin/smc edit &
```
Select Open from the Toolbox menu.
Select the This Computer icon in the Toolboxes: window.
Click Open.
The This Computer toolbox opens in the window.
Select the This Computer icon again in the Navigation pane.
Select Add Folder from the Action menu.
Use the Folder wizard to add a new toolbox for your name service environment.
1. Name and Description – Provide a name in the Full Name window. Click Next.
  For example, provide “NIS tools” for the NIS environment.
2. Provide a description in the Description window. Click Next.
  For example, “tools for NIS environment” is an appropriate example.
3. Icons – Use the default value for the Icons. Click Next.
4. Management Scope – Select Override.
5. Select your name service under the Management Scope pull-down menu.
6. Add the name service master name in the Server field, if necessary.
7. Add the domain managed by the server in the Domain field.
8. Click Finish.
  The new toolbox appears in the left Navigation pane.
Select the new toolbox icon and select Save As from the Toolbox menu.
Enter the toolbox path name in the Local Toolbox Filename dialog box. Use the .tbx suffix.
```
/var/sadm/smc/toolboxes/this_computer/toolbox-name.tbx
```
Click Save.
The new toolbox appears in the Navigation pane in the console window.

How to Add a Tool to a Toolbox

In addition to the default tools that ship with the console, additional tools that can be launched from the console are being developed. As these tools become available, you can add one or more tools to an existing toolbox.

You can also create a new toolbox, for either local management or network management. Then, you can add tools to the new toolbox.

Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Start the Toolbox Editor, if necessary.
```
# /usr/sadm/bin/smc edit &
```
Select the toolbox.
If you want to work in a name service, select the toolbox you just created in the Toolbox Editor. For more information, see How to Create a Toolbox for a Specific Environment.
Select Add Tool from the Action menu.
Use the Add Tool wizard to add the new tool.
1. Server Selection – Add the name service master in the Server window. Click Next.
2. Tools Selection – Select the tool you want to add from the Tools window. Click Next.
  If this toolbox is a name service toolbox, choose a tool you want to work in a name service environment. For example, choose the Users tool.
3. Name and Description – Accept the default values. Click Next.
4. Icons – Accept the default values, unless you have created custom icons. Click Next.
5. Management Scope – Accept the default value “Inherit from Parent.” Click Next.
6. Tool Loading – Accept the default “Load tool when selected.” Click Finish.
Select Save from the Toolbox menu to save the updated toolbox.
The Local Toolbox window is displayed.

How to Start the Solaris Management Console in a Name Service Environment

After you have created a name service toolbox and added tools to it, you can start the Solaris Management Console and open that toolbox to manage a name service environment.

Before You Begin

Verify that the following prerequisites are met:

Ensure that the system you are logged in to is configured to work in a name service environment.
Verify that the /etc/nsswitch.conf file is configured to match your name service environment.

Start the Solaris Management Console.
For more information, see How to Start the Console as Superuser or as a Role.
Select the toolbox you created for the name service, which appears in the Navigation pane.
For information on creating a toolbox for a name service, see How to Create a Toolbox for a Specific Environment.