nisaddcred(1M)          System Administration Commands          nisaddcred(1M)


NAME

       nisaddcred - create NIS+ credentials


SYNOPSIS

       nisaddcred [-p principal] [-P nis_principal]
            [-l login_password] auth_type [domain_name]

       nisaddcred -r [nis_principal] [domain_name]


DESCRIPTION

       The nisaddcred command is used to create security credentials for NIS+
       principals. NIS+ credentials serve two purposes. The first is to provide
       authentication information to various services; the second is to map the
       authentication service name into a NIS+ principal name.

       When the nisaddcred command is run, these credentials get created and
       stored in a table named cred.org_dir in the default NIS+ domain. If
       domain_name is specified, the entries are stored in the cred.org_dir of
       the specified domain. The specified domain must either be the one to
       which you belong, or one in which you are authenticated and authorized
       to create credentials, that is, a subdomain. Note that the credentials
       of normal users must be stored in the same domain as their passwords.

       It is simpler to add credentials using nisclient(1M), because it
       obtains the required information itself. nispopulate(1M) is used for
       "bulk" updates and can also be used to add credentials for entries in
       the hosts and the passwd NIS+ tables.

       NIS+ principal names are used in specifying clients that have access
       rights to NIS+ objects. For more details, refer to the "Principal
       Names" subsection of the NIS+(1) manual page. See nischmod(1),
       nischown(1), nis_objects(3NSL), and nis_groups(3NSL). Various other
       services can also implement access control based on these principal
       names.

       The cred.org_dir table is organized as follows:

       cname            auth_type   auth_name           public_data   private_data
       ────────────────────────────────────────────────────────────────────────────
       user1.foo.com.   LOCAL       2990                10,102,44
       ────────────────────────────────────────────────────────────────────────────
       user1.foo.com.   DES         unix.2990@foo.com   098...819     3b8...ab2
       ────────────────────────────────────────────────────────────────────────────
       user1.foo.com.   DHmmm-n     unix.2990@foo.com   248...428     a42...f32

       The cname column contains a canonical representation of the NIS+
       principal name. By convention, this name is the login name of a user, or
       the host name of a machine, followed by a dot ('.') followed by the
       fully qualified "home" domain of that principal. For users, the home
       domain is defined to be the domain where their DES credentials are
       kept. For hosts, their home domain is defined to be the domain name
       returned by the domainname(1M) command executed on that host.

       There are two basic types of auth_type entries in the cred.org_dir
       table: those with authentication type LOCAL, and those with
       authentication type DES. The auth_type specified on the command line,
       in upper or lower case, should be either local or des.

       However, the cred.org_dir table may also be used to hold data for other
       values of auth_type. Currently, this is limited to the mechanisms
       listed on the nisauthconf(1M) man page, for which the nisaddcred
       auth_type argument is the same as the name of the mechanism. These
       mechanisms use a modified form of Secure RPC, and they are similar to
       the DES authentication type.

       If the auth_type is des, and other authentication mechanisms are
       configured with nisauthconf(1M), then credential entries are added or
       updated for each mechanism configured. To only add or update 192-bit
       Diffie-Hellman credentials, that is, those with the auth_type of DES,
       use dh192-0 on the command line. If there are no authentication
       mechanisms configured, using des on the command line will only add or
       update 192-bit Diffie-Hellman credentials.

       Entries of type LOCAL are used by the NIS+ service to determine the
       correspondence between fully qualified NIS+ principal names and users
       identified by UIDs in the domain containing the cred.org_dir table.
       This correspondence is required when associating requests made using
       the AUTH_SYS RPC authentication flavor (see rpc_clnt_auth(3NSL)) to a
       NIS+ principal name. It is also required for mapping a UID in one
       domain to its fully qualified NIS+ principal name whose home domain may
       be elsewhere. The principal's credentials for any authentication flavor
       may then be looked up within the cred.org_dir table in the principal's
       home domain (extracted from the principal name). The same NIS+
       principal may have LOCAL credential entries in more than one domain.
       Only users, and not machines, have LOCAL credentials. In their home
       domain, users of NIS+ should have both types of credentials.

       The auth_name associated with the LOCAL type entry is a UID that is
       valid for the principal in the domain containing the cred.org_dir
       table. This may differ from that in the principal's home domain. The
       public information stored in public_data for this type contains a list
       of GIDs for groups in which the user is a member. The GIDs also apply
       to the domain in which the table resides. There is no private data
       associated with this type. Neither a UID nor a principal name should
       appear more than once among the LOCAL entries in any one cred.org_dir
       table.

       The DES auth_type is used for Secure RPC authentication (see
       secure_rpc(3NSL)).

       The authentication name associated with the DES auth_type is a Secure
       RPC netname. A Secure RPC netname has the form unix.id@domain.com,
       where domain must be the same as the domain of the principal. For
       principals that are users, the id must be the UID of the principal in
       the principal's home domain. For principals that are hosts, the id is
       the host's name. In Secure RPC, processes running under effective UID 0
       (root) are identified with the host principal. Unlike LOCAL, there
       cannot be more than one DES credential entry for one NIS+ principal in
       the NIS+ namespace.
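       The LOCAL and DES uniqueness rules and the netname form described above
       can be checked against a dump of cred.org_dir. The following Python is
       an added example, not part of this manual page or of Solaris; the table
       text it audits is a constructed sample, and expected_netname() derives
       the Secure RPC netname a principal should carry from the rules stated
       here.

```python
import re
from collections import Counter

# Constructed sample laid out like the cred.org_dir table above (whitespace-
# separated columns, public/private data shortened). It deliberately carries
# three violations of the rules on this page so the audit has work to do.
SAMPLE_CRED_TABLE = """\
user1.foo.com.   LOCAL   2990                10,102,44
user1.foo.com.   DES     unix.2990@foo.com   098...819   3b8...ab2
user2.foo.com.   LOCAL   2990                10
user2.foo.com.   DES     unix.2991@bar.com   111...222   333...444
user2.foo.com.   DES     unix.2991@foo.com   555...666   777...888
host1.foo.com.   DES     unix.host1@foo.com  aaa...bbb   ccc...ddd
"""

NETNAME_RE = re.compile(r"^unix\.([^@]+)@(.+)$")   # unix.id@domain, no trailing dot

def home_domain(principal):
    """'user1.foo.com.' -> 'foo.com.': everything after the first label."""
    return principal.split(".", 1)[1]

def expected_netname(principal, uid=None):
    """Secure RPC netname the page prescribes: unix.UID@domain for a user,
    unix.hostname@domain for a host; the domain part carries no trailing dot."""
    label = principal.split(".", 1)[0]
    return "unix.%s@%s" % (label if uid is None else uid, home_domain(principal).rstrip("."))

def audit_cred_table(text):
    """Return the invariants stated on this page that the table text violates."""
    problems = []
    local_uids, local_names, des_names = Counter(), Counter(), Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        cname, auth_type, auth_name = line.split()[:3]
        if not cname.endswith("."):
            problems.append("%s: principal name lacks its trailing dot" % cname)
        if auth_type == "LOCAL":
            local_uids[auth_name] += 1    # one LOCAL entry per UID per table
            local_names[cname] += 1       # and one per principal name
        elif auth_type == "DES":
            des_names[cname] += 1         # at most one DES entry per principal
            m = NETNAME_RE.match(auth_name)
            if not m:
                problems.append("%s: %s is not a unix.id@domain netname" % (cname, auth_name))
            elif m.group(2) + "." != home_domain(cname):
                problems.append("%s: netname domain %s is not the home domain %s"
                                % (cname, m.group(2), home_domain(cname)))
    for kind, counter in (("LOCAL uid", local_uids), ("LOCAL principal", local_names),
                          ("DES principal", des_names)):
        problems += ["%s %s appears %d times" % (kind, k, n) for k, n in counter.items() if n > 1]
    return problems
```

       Run against the sample it reports the duplicate LOCAL UID, the second
       DES entry for user2, and the netname whose domain is not user2's home
       domain.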

       The public information in an entry of authentication type DES is the
       public key for the principal. The private information in this entry is
       the private key of the principal encrypted by the principal's network
       password.

       User clients of NIS+ should have credentials of both types in their
       home domain. In addition, a principal must have a LOCAL entry in the
       cred.org_dir table of each domain from which the principal wishes to
       make authenticated requests. A client of NIS+ that makes a request from
       a domain in which it does not have a LOCAL entry will be unable to
       acquire DES credentials. A NIS+ service running at security level 2 or
       higher will consider such users unauthenticated and assign them the
       name nobody for determining access rights.

       This command can only be run by those NIS+ principals who are
       authorized to add or delete the entries in the cred table.

       If credentials are being added for the caller itself, nisaddcred
       automatically performs a keylogin for the caller.

       You can list the cred entries for a particular principal with
       nismatch(1).

       The cred.org_dir NIS+ table replaces the maps publickey.byname and
       netid.byname used in NIS (YP).


OPTIONS

       The following options are supported:

       -p principal          The name principal specifies the name of the
                             principal as defined by the naming rules for that
                             specific mechanism. For example, LOCAL credential
                             names are supplied with this option by including
                             a string specifying a UID. For DES credentials,
                             the name should be a Secure RPC netname of the
                             form unix.id@domain.com, as described earlier. If
                             the -p option is not specified, the auth_name
                             field is constructed from the effective UID of
                             the current process and the name of the local
                             domain.

       -P nis_principal      Use the NIS+ principal name nis_principal. This
                             option should be used when creating LOCAL or DES
                             credentials for users whose home domain is
                             different from the local machine's default
                             domain.

                             Whenever the -P option is not specified,
                             nisaddcred constructs a principal name for the
                             entry as follows. When it is not creating an
                             entry of type LOCAL, nisaddcred calls
                             nis_local_principal, which looks for an existing
                             LOCAL entry for the effective UID of the current
                             process in the cred.org_dir table and uses the
                             associated principal name for the new entry.
                             When creating an entry of authentication type
                             LOCAL, nisaddcred constructs a default NIS+
                             principal name by taking the login name of the
                             effective UID for its own process, and appending
                             to it a dot ('.') followed by the local machine's
                             default domain. If the caller is a superuser, the
                             machine name is used instead of the login name.

       -l login_password     Use the login_password specified as the password
                             to encrypt the secret key for the credential
                             entry. This overrides the prompting for a
                             password from the shell. This option is intended
                             for administration scripts only. Prompting
                             guarantees not only that no one can see your
                             password on the command line using ps(1) but it
                             also checks to make sure you have not made any
                             mistakes. login_password does not really have to
                             be the user's password but if it is, it
                             simplifies logging in.

       -r [nis_principal]    Remove all credentials associated with the
                             principal nis_principal from the cred.org_dir
                             table. This option can be used when removing a
                             client or user from the system. If nis_principal
                             is not specified the default is to remove
                             credentials for the current user. If domain_name
                             is not specified, the operation is executed in
                             the default NIS+ domain.


EXAMPLES

       Example 1 Adding the LOCAL and DES Credentials

       The following examples illustrate how to add the LOCAL and DES
       credentials for some user, user1, with a UID of 2990, who is an NIS+
       user principal in the some.domain.com. NIS+ domain:

         example% nisaddcred -p 2990 -P user1.some.domain.com. local

       Note that credentials are always added in the cred.org_dir table in the
       domain where nisaddcred is run, unless domain_name is specified as the
       last parameter on the command line. If credentials are being added from
       the domain server for its clients, then domain_name should be
       specified. The caller should have adequate permissions to create
       entries in the cred.org_dir table.

       The system administrator can add a DES credential for the same user,
       using the following example:

         example% nisaddcred -p unix.2990@some.domain.com -P user1.some.domain.com. des

       Please note that DES credentials can be added only after the LOCAL
       credentials have been added. Also, if the system is configured to use
       more than one authentication mechanism, credentials will be made for
       each mechanism configured. See nisauthconf(1M).

       Note that the Secure RPC netname does not end with a dot ('.') while
       the NIS+ principal name, specified with the -P option, does. This
       command should be executed from a machine in the same domain as the
       user.

       The following example shows how to add a machine's DES credentials in
       the same domain:

         example% nisaddcred -p unix.foo@some.domain.com -P foo.some.domain.com. des

       Please note that no LOCAL credentials are needed in this case.

       The following example illustrates how to add a NIS+ workstation's
       principal DES credential:

         example% nisaddcred -p unix.host1@sub.some.domain.com \
              -P newhost.sub.some.domain.com. des sub.some.domain.com.

       This format is particularly useful if you are running this command from
       a server which is in a higher domain than sub.some.domain.com. Without
       the last option for domain name, nisaddcred would fail because it would
       attempt to use the default domain of some.domain.com.

       The following example illustrates adding DES credentials without being
       prompted for the root login password:

         example% nisaddcred -p unix.2990@some.domain.com \
              -P user1.some.domain.com. -l login_password des

       The following example shows how to add a credential for a user using a
       specific authentication mechanism that was previously configured with
       nisauthconf(1M). See nisauthconf(1M) for a list of the valid values of
       auth_type:

         example% nisaddcred -p unix.2990@some.domain.com \
              -P user1.some.domain.com. dh640-0

       The password should be the same for all the credentials that belong to
       the user. Otherwise, only the credentials encrypted with the user's
       password will be used at login, and the user will have to run chkey(1)
       using the -p option.

       The following example shows how to add a DES credential when other
       authentication mechanisms are configured on the system:

         example% nisaddcred -p unix.2990@some.domain.com \
              -P user1.some.domain.com. dh192-0


EXIT STATUS

       The following exit values are returned:

       0    Successful operation.

       1    Operation failed.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWnisu                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       chkey(1), keylogin(1), NIS+(1), nischmod(1), nischown(1), nismatch(1),
       nistbladm(1), ps(1), domainname(1M), nisclient(1M), nispopulate(1M),
       nis_groups(3NSL), nis_local_names(3NSL), nis_objects(3NSL),
       rpc_clnt_auth(3NSL), secure_rpc(3NSL), attributes(5)


NOTES

       NIS+ might not be supported in future releases of the Solaris operating
       system. Tools to aid the migration from NIS+ to LDAP are available in
       the current Solaris release. For more information, visit
       http://www.sun.com/directory/nisplus/transition.html.

SunOS 5.11                        12 Dec 2001                   nisaddcred(1M)