DHCP Client Systems and Name Services
Solaris systems support the following name services: DNS, NIS, NIS+, and a local
file store (/etc/inet/hosts). Each name service requires some configuration before it is usable.
The name service switch configuration file (see nsswitch.conf(4)) must also be set up
appropriately to indicate the name services to be used.
Before a DHCP client system can use a name service, you must
configure the system as a client of the name service.
The following table summarizes issues that are related to each name service and
DHCP. The table includes links to documentation that can help you set up
clients for each name service.
Table 16-1 Name Service Client Setup Information for DHCP Client Systems

Name Service: NIS
Client Setup Information:
If you are using Solaris DHCP to send Solaris network install information to a client system, you can use a configuration macro that contains the NISservs and NISdmain options. These options pass the IP addresses of the NIS servers and the NIS domain name to the client, and the client then automatically becomes an NIS client.
If a DHCP client system is already running the Solaris OS, the NIS client is not automatically configured on that system when the DHCP server sends NIS information to the client. If the DHCP server is configured to send NIS information to the DHCP client system, you can see the values given to the client by running the dhcpinfo command on the client:
# /sbin/dhcpinfo NISdmain
# /sbin/dhcpinfo NISservs
Use the values returned for the NIS domain name and NIS servers when you set up the system as an NIS client. You set up an NIS client for a Solaris DHCP client system in the standard way, as documented in Chapter 5, Setting Up and Configuring NIS Service, in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Tip - You can write a script that uses dhcpinfo and ypinit to automate NIS client configuration on DHCP client systems.

Name Service: NIS+
Client Setup Information:
If the DHCP client system receives a nonreserved IP address, the address might not always be the same. You must then set up the NIS+ client for the DHCP client system in a nonstandard way, which is documented in Setting Up DHCP Clients as NIS+ Clients. This procedure is necessary because NIS+ uses security measures to authenticate requests for service, and those measures depend upon the client's IP address and the host name that is tied to it. If the DHCP client system has been manually assigned an IP address, the client's address is always the same, and you can set up the NIS+ client in the standard way, which is documented in Setting Up NIS+ Client Machines in System Administration Guide: Naming and Directory Services (NIS+).

Name Service: /etc/inet/hosts
Client Setup Information:
You must set up the /etc/inet/hosts file for a DHCP client system that is to use /etc/inet/hosts for its name service. The DHCP client system's host name is added to its own /etc/inet/hosts file by the DHCP tools. However, you must manually add the host name to the /etc/inet/hosts files of other systems in the network. If the DHCP server system uses /etc/inet/hosts for name resolution, you must also manually add the client's host name on that system.

Name Service: DNS
Client Setup Information:
If the DHCP client system receives the DNS domain name through DHCP, the client system's /etc/resolv.conf file is configured automatically. The /etc/nsswitch.conf file is also automatically updated to append dns to the hosts line after any other name services in the search order. See System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) for more information about DNS.
Setting Up DHCP Clients as NIS+ Clients
You can use the NIS+ name service on Solaris systems that are DHCP clients. However, doing so requires you to partially circumvent one of the security-enhancing features of NIS+, the creation of Data Encryption Standard (DES) credentials. When you set up an NIS+ client that is not using DHCP, you add unique DES credentials for the client to the NIS+ server. There are several ways to create credentials, such as using the nisclient script or the nisaddcred command.
For DHCP clients, you cannot use these methods. NIS+ credential generation requires a client to have a static host name, because both the principal name (cname) and the authentication name (auth_name) stored with the credentials are derived from the host name. If you want to use NIS+ and DHCP, you must create identical credentials for all the host names that DHCP clients can receive. In this way, no matter what IP address and associated host name a DHCP client receives, the client can use the same DES credentials.
Caution - Before performing the following procedure, be aware that NIS+ was designed for increased security. This procedure weakens that security: every DHCP client host name shares one DES key pair, so any system that obtains one of those host names from DHCP, together with a copy of the cloned /etc/.rootkey, can authenticate to NIS+ as any other DHCP client, and a compromise of one such client exposes the key used by all of them.
The following procedure shows you how to create identical credentials for all DHCP
host names. This procedure is valid only if you know the host names
that DHCP clients use. For example, when the DHCP server generates the host
names, you know the possible host names that a client can receive.
How to Set Up Solaris DHCP Clients as NIS+ Clients
A DHCP client system that is to be an NIS+ client must
use credentials that belong to another NIS+ client system in the NIS+ domain.
This procedure only produces credentials for the system, which apply only to the
superuser logged in to the system. Other users who log in to the
DHCP client system must have their own unique credentials in the NIS+ server.
These credentials are created according to a procedure in the System Administration Guide: Naming and Directory Services (NIS+).
- Extract the credentials of an existing NIS+ client by typing the following command on the NIS+ server:
# nisgrep nisplus-client-name cred.org_dir > /tmp/file
This command writes the cred.org_dir table entry for the NIS+ client to a temporary file. The entry is a single line of five colon-separated columns: cname, auth_type, auth_name, public_data, and private_data.
- Use the cat command to view the contents of the temporary file. Or, use a text editor.
- Copy the credentials to use for DHCP clients.
You must copy the public key and the private key, which are long strings of hexadecimal digits separated by colons. The credentials are to be pasted into the command issued in the next step. Copy each key whole: if your terminal wraps the line, make sure you do not lose characters at the wrap. The private key in cred.org_dir is stored in encrypted form; the DHCP client obtains the usable secret key by copying the NIS+ client's /etc/.rootkey in step 5.
- Add credentials for a DHCP client by typing the following command:
# nistbladm -a cname="dhcp-client-name.nisplus-domain." auth_type=DES \
auth_name="unix.dhcp-client-name@nisplus-domain" \
public_data=copied-public-key \
private_data=copied-private-key cred.org_dir
For the copied-public-key, paste the public key information that you copied from the temporary file. For the copied-private-key, paste the private key information that you copied from the temporary file. The cname is the NIS+ principal name of the DHCP client, which is the host name followed by the NIS+ domain name and a trailing dot, and the final argument names the table the entry is added to.
- Remote copy files from the NIS+ client system to the DHCP client system by typing the following commands on the DHCP client system:
# rcp nisplus-client-name:/var/nis/NIS_COLD_START /var/nis
# rcp nisplus-client-name:/etc/.rootkey /etc
# rcp nisplus-client-name:/etc/defaultdomain /etc
Note that /etc/.rootkey holds the client's secret key and rcp transmits it in the clear, so perform this copy only over a network you trust, or use an encrypted transport such as scp if one is available.
If you get a "permission denied" message, the systems might not be set up to allow remote copying. In this case, you can copy the files as a regular user to an intermediate location. As superuser, copy the files from the intermediate location to the proper location on the DHCP client system.
- Copy the correct name service switch file for NIS+ by typing the following command on the DHCP client system:
# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
- Reboot the DHCP client system.
The DHCP client system should now be able to use NIS+ services.
Example 16-1 Setting up a Solaris DHCP Client System as an NIS+ Client
The following example assumes that you have one system nisei, which is an NIS+ client in the NIS+ domain dev.example.net. You also have one DHCP client system, dhow, and you want dhow to be an NIS+ client. The cat output is a single line; it is shown here exactly as the cred.org_dir entry reads.
(First log in as superuser on the NIS+ server)
# nisgrep nisei cred.org_dir > /tmp/nisei-cred
# cat /tmp/nisei-cred
nisei.dev.example.net.:DES:unix.nisei@dev.example.net:46199279911a84045b8e0c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830c05bc1c724b
# nistbladm -a cname="dhow.dev.example.net." \
auth_type=DES auth_name="unix.dhow@dev.example.net" \
public_data=46199279911a84045b8e0c76822179138173a20edbd8eab4 \
private_data=90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830c05bc1c724b \
cred.org_dir
# rlogin dhow
(Log in as superuser on dhow)
# rcp nisei:/var/nis/NIS_COLD_START /var/nis
# rcp nisei:/etc/.rootkey /etc
# rcp nisei:/etc/defaultdomain /etc
# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
# reboot
The DHCP client system dhow should now be able to use NIS+ services.
Example 16-2 Adding Credentials With a Script
If you want to set up a large number of DHCP client systems as NIS+ clients, you can write a script. A script can quickly add the entries to the cred.org_dir NIS+ table. The following sample script clones the credential of dhcp-001 onto dhcp-002 through dhcp-019. The key values in it are placeholders, and the commented-out nistbladm -r line removes an existing entry for a host first, which you need if the script is rerun.
#! /usr/bin/ksh
#
# Copyright (c) by Sun Microsystems, Inc. All rights reserved.
#
# Sample script for cloning a credential. Hosts file is already populated
# with entries of the form dhcp-[0-9][0-9][0-9]. The entry we're cloning
# is dhcp-001.
#
# Public and private key of the dhcp-001 credential, copied from the
# cred.org_dir entry as in step 3 of the procedure.
PUBLIC_DATA=6e72878d8dc095a8b5aea951733d6ea91b4ec59e136bd3b3
PRIVATE_DATA=3a86729b685e2b2320cd7e26d4f1519ee070a60620a93e48a8682c5031058df4
HOST="dhcp-"
DOMAIN="mydomain.example.com"
for i in 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019
do
    print - ${HOST}${i}
    # Uncomment to replace an existing entry for this host before adding it.
    #nistbladm -r [cname="${HOST}${i}.${DOMAIN}."]cred.org_dir
    nistbladm -a cname="${HOST}${i}.${DOMAIN}." \
        auth_type=DES auth_name="unix.${HOST}${i}@${DOMAIN}" \
        public_data=${PUBLIC_DATA} private_data=${PRIVATE_DATA} cred.org_dir
done
exit 0
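The cloning procedure above and the Example 16-2 script both depend on reading a cred.org_dir entry correctly and on every DHCP host name ending up with the same key pair. The following script is an added example, not part of the Solaris guide or of Sun's sample: it parses an entry in the five-column format that nisgrep prints, rejects incomplete or non-hexadecimal key material (for instance a line that was cut at a terminal wrap), prints the nistbladm -a commands for a run of generated host names instead of executing them, and audits a cred.org_dir dump for principals that share one public key, which is the list of hosts that can now impersonate each other. The function names, the SAMPLE_CRED and SAMPLE_DUMP data (the nisei and dhow values are taken from Example 16-1, the others are made up) and the dry-run design are this example's own assumptions; nistbladm is never run.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): emit the nistbladm commands that
# clone one NIS+ client's DES credential onto DHCP host names, and audit a
# cred.org_dir dump for principals that share a key pair. nistbladm is never
# executed; pipe the printed commands to sh on the NIS+ server after review.

# A cred.org_dir entry as nisgrep prints it: five colon-separated columns
#   cname:auth_type:auth_name:public_data:private_data
# Host names and key material are the documentation values from Example 16-1.
SAMPLE_CRED='nisei.dev.example.net.:DES:unix.nisei@dev.example.net:46199279911a84045b8e0c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830c05bc1c724b'

# cred_field ENTRY N: print column N (1..5) of ENTRY
cred_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# is_hex STRING: succeed only if STRING is non-empty and all hex digits
is_hex() {
    case "$1" in
        '')             return 1 ;;
        *[!0-9a-fA-F]*) return 1 ;;
        *)              return 0 ;;
    esac
}

# check_des_cred ENTRY: succeed only for a complete, well-formed DES entry.
# A line copied in two pieces after a terminal wrap has fewer than five
# columns and fails here instead of producing a half-key clone.
check_des_cred() {
    [ "$(printf '%s\n' "$1" | awk -F: '{ print NF }')" -eq 5 ] || return 1
    [ "$(cred_field "$1" 2)" = DES ] || return 1
    is_hex "$(cred_field "$1" 4)" || return 1
    is_hex "$(cred_field "$1" 5)"
}

# clone_cred_cmd ENTRY HOST DOMAIN: print the nistbladm -a command that gives
# principal HOST.DOMAIN. the donor's public and (encrypted) private key
clone_cred_cmd() {
    check_des_cred "$1" || { echo "clone_cred_cmd: bad cred.org_dir entry" >&2; return 1; }
    printf 'nistbladm -a cname="%s.%s." auth_type=DES auth_name="unix.%s@%s" public_data=%s private_data=%s cred.org_dir\n' \
        "$2" "$3" "$2" "$3" "$(cred_field "$1" 4)" "$(cred_field "$1" 5)"
}

# clone_cred_batch ENTRY DOMAIN PREFIX FIRST LAST: one command per generated
# host name, PREFIX followed by a three-digit number from FIRST to LAST
clone_cred_batch() {
    n=$4
    while [ "$n" -le "$5" ]; do
        clone_cred_cmd "$1" "$(printf '%s%03d' "$3" "$n")" "$2" || return 1
        n=$((n + 1))
    done
}

# shared_key_principals DUMP: for each public key that occurs more than once
# in a cred.org_dir dump (one entry per line) print the count followed by the
# principals holding it. Every principal on one output line can authenticate
# to NIS+ as any other on that line, which is what cloning trades away.
shared_key_principals() {
    printf '%s\n' "$1" | awk -F: 'NF == 5 && $2 == "DES" {
        count[$4]++; names[$4] = names[$4] " " $1
    } END {
        for (k in count) if (count[k] > 1) print count[k] names[k]
    }' | sort
}

# Constructed dump: the donor, two clones, and one host with its own key.
SAMPLE_DUMP="$SAMPLE_CRED
dhow.dev.example.net.:DES:unix.dhow@dev.example.net:46199279911a84045b8e0c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830c05bc1c724b
other.dev.example.net.:DES:unix.other@dev.example.net:0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978:ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
dhcp-002.dev.example.net.:DES:unix.dhcp-002@dev.example.net:46199279911a84045b8e0c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830c05bc1c724b"

# Usage: sh clone_cred.sh demo
if [ "${1:-}" = demo ]; then
    clone_cred_batch "$SAMPLE_CRED" dev.example.net dhcp- 2 4
    shared_key_principals "$SAMPLE_DUMP"
fi
```

Run on the NIS+ server with the real nisgrep output in place of SAMPLE_CRED; the audit can be fed with `niscat cred.org_dir` so it covers every principal, not only the ones this script created.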