NIS+(1)                          User Commands                         NIS+(1)

NAME

       NIS+, nis+, nis - a new version of the network information name service

DESCRIPTION

       NIS+ is a new version of the network information name service. This
       version differs in several significant ways from version 2, which is
       referred to as NIS or YP in earlier releases. Specific areas of
       enhancement include the ability to scale to larger networks, security,
       and the administration of the service.

       The man pages for NIS+ are broken up into three basic categories.
       Those in section 1 are the user commands that are most often executed
       from a shell script or directly from the command line. Section 1M man
       pages describe utility commands that can be used by the network
       administrator to administer the service itself. The NIS+ programming
       API is described by man pages in section 3NSL.

       All commands and functions that use NIS version 2 are prefixed by the
       letters yp, as in ypmatch(1), ypcat(1), yp_match(3NSL), and
       yp_first(3NSL). Commands and functions that use the new replacement
       software NIS+ are prefixed by the letters nis, as in nismatch(1),
       nischown(1), nis_list(3NSL), and nis_add_entry(3NSL). A complete list
       of NIS+ commands is in the LIST OF COMMANDS section.

       This man page introduces the NIS+ terminology. It also describes the
       NIS+ namespace, authentication, and authorization policies.

NIS+ NAMESPACE

       The naming model of NIS+ is based upon a tree structure. Each node in
       the tree corresponds to an NIS+ object. There are six types of NIS+
       objects: directory, table, group, link, entry, and private.

   NIS+ Directory Object
       Each NIS+ namespace has at least one NIS+ directory object. An NIS+
       directory is like a UNIX file system directory which contains other
       NIS+ objects, including NIS+ directories. The NIS+ directory that
       forms the root of the NIS+ namespace is called the root directory.
       There are two special NIS+ directories: org_dir and groups_dir. The
       org_dir directory consists of all the system-wide administration
       tables, such as passwd, hosts, and mail_aliases. The groups_dir
       directory consists of NIS+ group objects which are used for access
       control. The collection of org_dir, groups_dir and their parent
       directory is referred to as an NIS+ domain. NIS+ directories can be
       arranged in a tree-like structure so that the NIS+ namespace can match
       the organizational or administrative hierarchy.

   NIS+ Table Object
       NIS+ tables (not files), contained within NIS+ directories, store the
       actual information about some particular type. For example, the hosts
       system table stores information about the IP address of the hosts in
       that domain. NIS+ tables are multicolumn and the tables can be
       searched through any of the searchable columns. Each table object
       defines the schema for its table. The NIS+ tables consist of NIS+
       entry objects. For each entry in the NIS+ table, there is an NIS+
       entry object. NIS+ entry objects conform to the schema defined by the
       NIS+ table object.

   NIS+ Group Object
       NIS+ group objects are used for access control at group granularity.
       NIS+ group objects, contained within the groups_dir directory of a
       domain, contain a list of all the NIS+ principals within a certain
       NIS+ group. An NIS+ principal is a user or a machine making NIS+
       requests.

   NIS+ Link Object
       NIS+ link objects are like UNIX symbolic file-system links and are
       typically used for shortcuts in the NIS+ namespace.

       Refer to nis_objects(3NSL) for more information about the NIS+
       objects.

NIS+ NAMES

       The NIS+ service defines two forms of names, simple names and indexed
       names. Simple names are used by the service to identify NIS+ objects
       contained within the NIS+ namespace. Indexed names are used to
       identify NIS+ entries contained within NIS+ tables. Furthermore,
       entries within NIS+ tables are returned to the caller as NIS+ objects
       of type entry. NIS+ objects are implemented as a union structure which
       is described in the file <rpcsvc/nis_object.x>. The differences
       between the various types and the meanings of the components of these
       objects are described in nis_objects(3NSL).

   Simple Names
       Simple names consist of a series of labels that are separated by the
       `.' (dot) character. Each label is composed of printable characters
       from the ISO Latin 1 set. Each label can be of any nonzero length,
       provided that the fully qualified name is fewer than NIS_MAXNAMELEN
       octets including the separating dots. (See <rpcsvc/nis.h> for the
       actual value of NIS_MAXNAMELEN in the current release.) Labels that
       contain special characters (see Grammar) must be quoted.

       The NIS+ namespace is organized as a singly rooted tree. Simple names
       identify nodes within this tree. These names are constructed such that
       the leftmost label in a name identifies the leaf node and all of the
       labels to the right of the leaf identify that object's parent node.
       The parent node is referred to as the leaf's directory. This is a
       naming directory and should not be confused with a file system
       directory.

       For example, the name example.simple.name. is a simple name with three
       labels, where example is the leaf node in this name and the directory
       of this leaf is simple.name., which by itself is a simple name. Its
       leaf is simple and its directory is simply name.

       The function nis_leaf_of(3NSL) returns the first label of a simple
       name. The function nis_domain_of(3NSL) returns the name of the
       directory that contains the leaf. Iterative use of these two functions
       can break a simple name into each of its label components.

       The name `.' (dot) is reserved to name the global root of the
       namespace. For systems that are connected to the Internet, this global
       root is served by a Domain Name Service. When an NIS+ server is
       serving a root directory whose name is not `.' (dot), this directory
       is referred to as a local root.

       NIS+ names are said to be fully qualified when the name includes all
       of the labels identifying all of the directories, up to the global
       root, and so ends with the dot that names the root. Names without the
       trailing dot are called partially qualified.

   Indexed Names
       Indexed names are compound names that are composed of a search
       criterion and a simple name. The search criterion component is used to
       select entries from a table; the simple name component is used to
       identify the NIS+ table that is to be searched. The search criterion
       is a series of column names and their desired values enclosed in
       bracket `[]' characters. These criteria take the following form:

       [column_name=value, column_name=value, ... ]

       A search criterion is combined with a simple name to form an indexed
       name by concatenating the two parts, separated by a `,' (comma)
       character, as follows:

       [ search-criterion ],table.directory

       When multiple column name/value pairs are present in the search
       criterion, only those entries in the table that have the appropriate
       value in all columns specified are returned. When no column name/value
       pairs are specified in the search criterion, [], all entries in the
       table are returned.

   Grammar
       The following text represents a context-free grammar that defines the
       set of legal NIS+ names. The terminals in this grammar are the
       characters `.' (dot), `[' (open bracket), `]' (close bracket), `,'
       (comma), `=' (equals) and whitespace. Angle brackets (`<' and `>'),
       which delineate non-terminals, are not part of the grammar. The
       character `|' (vertical bar) is used to separate alternate productions
       and should be read as ``this production OR this production''.

       name               ::=     . | <simple name> | <indexed name>
       simple name        ::=     <string>. | <string>.<simple name>
       indexed name       ::=     <search criterion>,<simple name>
       search criterion   ::=     [ <attribute list> ]
       attribute list     ::=     <attribute> | <attribute>,<attribute list>
       attribute          ::=     <string> = <string>
       string             ::=     ISO Latin 1 character set except the
                                  character `/' (slash). The initial
                                  character cannot be a terminal character
                                  or the characters `@' (at), `+' (plus),
                                  or `-' (hyphen).

       Terminals that appear in strings must be quoted with `"' (double
       quote). The `"' character can be quoted by quoting it with itself,
       `""'.

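       As an added example (not code from the NIS+ library or from this page),
       the following Python parser implements the grammar above, including the
       quoting rule for terminals, and also accepts the root name `.' and the
       indexed names of the previous section. NisName.leaf() and NisName.domain()
       model nis_leaf_of(3NSL) and nis_domain_of(3NSL); the one assumption beyond
       the page is that a name without the trailing dot is accepted and flagged
       partially qualified, as the section 1 commands allow.

```python
"""NIS+ name parser following the Grammar section of nis+(1). Added example,
not the NIS+ library: NisName.leaf()/domain() are string models of
nis_leaf_of(3NSL)/nis_domain_of(3NSL); a name without the trailing dot is
accepted and marked partially qualified, as the section 1 commands allow."""
from typing import Dict, List, NamedTuple, Optional, Tuple

TERMINALS = set(".[],= \t")      # grammar terminals, including whitespace
BAD_INITIAL = set("@+-")         # may not begin an unquoted <string>


class NisName(NamedTuple):
    labels: List[str]                           # leaf first, root last
    fully_qualified: bool                       # trailing dot present
    criterion: Optional[Dict[str, str]] = None  # set only for indexed names

    def simple(self) -> str:
        return ".".join(self.labels) + ("." if self.fully_qualified else "")

    def leaf(self) -> str:                      # cf. nis_leaf_of(3NSL)
        return self.labels[0]

    def domain(self) -> "NisName":              # cf. nis_domain_of(3NSL)
        return NisName(self.labels[1:], self.fully_qualified)


def _skip_ws(text: str, pos: int) -> int:
    while pos < len(text) and text[pos] in " \t":
        pos += 1
    return pos


def _scan_string(text: str, pos: int) -> Tuple[str, int]:
    """One <string>; inside `"..."` terminals are literal and `""` is `"`."""
    out: List[str] = []
    start, n = pos, len(text)
    if pos < n and text[pos] in BAD_INITIAL:
        raise ValueError(f"string may not start with {text[pos]!r}")
    while pos < n:
        ch = text[pos]
        if ch == '"':                                   # quoted run
            pos += 1
            while True:
                if pos >= n:
                    raise ValueError("unterminated quote")
                if text[pos] == '"' and text[pos + 1:pos + 2] != '"':
                    pos += 1                            # closing quote
                    break
                if text[pos] == '"':                    # "" -> literal "
                    pos += 1
                out.append(text[pos])
                pos += 1
        elif ch in TERMINALS:
            break                                       # end of this string
        elif ch == "/" or ord(ch) > 0xFF:               # not ISO Latin 1
            raise ValueError(f"illegal character {ch!r} at offset {pos}")
        else:
            out.append(ch)
            pos += 1
    if not out:
        raise ValueError(f"expected a string at offset {start}")
    return "".join(out), pos


def _parse_simple(text: str, pos: int) -> Tuple[List[str], bool]:
    """<simple name> ::= <string>. | <string>.<simple name>"""
    labels: List[str] = []
    while True:
        label, pos = _scan_string(text, pos)
        labels.append(label)
        if pos == len(text):
            return labels, False                # no trailing dot: partial
        if text[pos] != ".":
            raise ValueError(f"expected '.' at offset {pos}")
        pos += 1
        if pos == len(text):
            return labels, True                 # trailing dot: fully qualified


def parse_name(text: str) -> NisName:
    """<name> ::= . | <simple name> | <indexed name>"""
    if text == ".":
        return NisName([], True)                # the global root
    pos, criterion = 0, None
    if text.startswith("["):                    # <search criterion>,<simple name>
        criterion = {}
        pos = _skip_ws(text, 1)
        while text[pos:pos + 1] != "]":
            column, pos = _scan_string(text, pos)
            pos = _skip_ws(text, pos)
            if text[pos:pos + 1] != "=":
                raise ValueError(f"expected '=' at offset {pos}")
            value, pos = _scan_string(text, _skip_ws(text, pos + 1))
            criterion[column] = value
            pos = _skip_ws(text, pos)
            if text[pos:pos + 1] == ",":
                pos = _skip_ws(text, pos + 1)
            elif text[pos:pos + 1] != "]":
                raise ValueError(f"expected ',' or ']' at offset {pos}")
        if text[pos + 1:pos + 2] != ",":
            raise ValueError("criterion must be followed by ',table.directory'")
        pos += 2
    labels, fq = _parse_simple(text, pos)
    return NisName(labels, fq, criterion)
```

       Because the dot is a terminal, a value such as fred.foo.com. inside a
       search criterion must be written quoted, as in
       [cname="fred.foo.com."],cred.org_dir.foo.com., or the parser rejects it.
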
   Name Expansion
       The NIS+ service only accepts fully qualified names. However, since
       such names can be unwieldy, the NIS+ commands in section 1 employ a
       set of standard expansion rules that attempt to fully qualify a
       partially qualified name. This expansion is actually done by the NIS+
       library function nis_getnames(3NSL), which generates a list of names
       using the default NIS+ directory search path or the NIS_PATH
       environment variable. The default NIS+ directory search path is the
       one produced by the path ``$'' described below. nis_getnames() is
       invoked by the functions nis_lookup(3NSL) and nis_list(3NSL) when the
       EXPAND_NAME flag is used.

       The NIS_PATH environment variable contains an ordered list of simple
       names. The names are separated by the `:' (colon) character. If any
       name in the list contains colons, the colon should be quoted as
       described in the Grammar section. When the list is exhausted, the
       resolution function returns the error NIS_NOTFOUND. This can mask the
       fact that the name existed but a server for it was unreachable. If
       the name presented to the list or lookup interface is fully qualified,
       the EXPAND_NAME flag is ignored.

       In the list of names from the NIS_PATH environment variable, the `$'
       (dollar sign) character is treated specially. Simple names that end
       with the label `$' have this character replaced by the default
       directory (see nis_local_directory(3NSL)). Using "$" as a name in
       this list results in this name being replaced by the list of
       directories between the default directory and the global root that
       contain at least two labels.

       Below is an example of this expansion. Given the default directory of
       some.long.domain.name., and the NIS_PATH variable set to
       fred.bar.:org_dir.$:$, this path is initially broken up into the list:

       1    fred.bar.

       2    org_dir.$

       3    $

       The dollar sign in the second component is replaced by the default
       directory. The dollar sign in the third component is replaced with
       the names of the directories between the default directory and the
       global root that have at least two labels in them. The effective path
       value becomes:

       1     fred.bar.

       2a    org_dir.some.long.domain.name.

       3a    some.long.domain.name.

       3b    long.domain.name.

       3c    domain.name.

       Each of these simple names is appended to the partially qualified
       name that was passed to the nis_lookup(3NSL) or nis_list(3NSL)
       interface. Each is tried in turn until NIS_SUCCESS is returned or the
       list is exhausted.

       If the NIS_PATH variable is not set, the path ``$'' is used.

       The library function nis_getnames(3NSL) can be called from user
       programs to generate the list of names that would be attempted. The
       program nisdefaults(1) with the -s option can also be used to show the
       fully expanded path.

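       The expansion just described, as an added example rather than the
       library's own nis_getnames(3NSL): it reproduces the path list above,
       appends each element to a partially qualified name, and shows how an
       object behind an unreachable server ends up reported as NIS_NOTFOUND.
       The resolver and its UNREACHABLE status are constructed stand-ins, not
       NIS+ API.

```python
"""NIS_PATH name expansion as nis+(1) describes it for nis_getnames(3NSL).
Added example, not the library's code: names are dotted strings, a trailing
dot means fully qualified, and the resolver is a constructed stand-in."""
from typing import Callable, List, Optional, Set, Tuple

NIS_SUCCESS, NIS_NOTFOUND = "NIS_SUCCESS", "NIS_NOTFOUND"
UNREACHABLE = "UNREACHABLE"    # constructed status: no server for the name answered


def split_nis_path(nis_path: str) -> List[str]:
    """Split on ':' except inside `"..."` quoting (see the Grammar section)."""
    names, cur, quoted = [], "", False
    for ch in nis_path:
        if ch == '"':
            quoted = not quoted
        if ch == ":" and not quoted:
            names.append(cur)
            cur = ""
        else:
            cur += ch
    names.append(cur)
    return [n for n in names if n]


def expand_path(nis_path: Optional[str], default_dir: str) -> List[str]:
    """Apply the '$' rules: a final '$' label is replaced by the default
    directory; a bare '$' by every directory from the default directory up
    toward the global root that still has at least two labels."""
    labels = default_dir.rstrip(".").split(".")
    out: List[str] = []
    for name in split_nis_path(nis_path or "$"):   # unset NIS_PATH means "$"
        if name == "$":
            out.extend(".".join(labels[i:]) + "." for i in range(len(labels) - 1))
        elif name.endswith(".$"):
            out.append(name[:-1] + default_dir)
        else:
            out.append(name)
    return out


def candidate_names(name: str, nis_path: Optional[str], default_dir: str) -> List[str]:
    """Names tried with EXPAND_NAME: each path element is appended to the
    partially qualified name; a fully qualified name is used unchanged
    because the flag is then ignored."""
    if name.endswith("."):
        return [name]
    return [name + "." + d for d in expand_path(nis_path, default_dir)]


def lookup(name: str, nis_path: Optional[str], default_dir: str,
           resolve: Callable[[str], str]) -> Tuple[str, Optional[str]]:
    """Try each candidate until NIS_SUCCESS. Any other outcome just moves on,
    so an object behind an unreachable server ends up reported as
    NIS_NOTFOUND once the list is exhausted."""
    for candidate in candidate_names(name, nis_path, default_dir):
        if resolve(candidate) == NIS_SUCCESS:
            return NIS_SUCCESS, candidate
    return NIS_NOTFOUND, None


def make_resolver(existing: Set[str], down_dirs: Set[str]) -> Callable[[str], str]:
    """Constructed resolver: names under a directory in down_dirs are
    unreachable; otherwise success iff the name is in existing."""
    def resolve(fq_name: str) -> str:
        if any(fq_name == d or fq_name.endswith("." + d) for d in down_dirs):
            return UNREACHABLE
        return NIS_SUCCESS if fq_name in existing else NIS_NOTFOUND
    return resolve
```
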
   Concatenation Path
       Normally, all the entries for a certain type of information are
       stored within the table itself. However, there are times when it is
       desirable for the table to point to other tables where entries can be
       found. For example, you might want to store all the IP addresses in
       the hosts table for their own domain, and yet want to be able to
       resolve hosts in some other domain without explicitly specifying the
       new domain name. NIS+ provides a mechanism for concatenating different
       but related tables with a "NIS+ Concatenation Path". With a
       concatenation path, you can create a sort of flat namespace from a
       hierarchical structure. You can also create a table with no entries
       and just point the hosts or any other table to its parent domain.
       Notice that with such a setup, you are moving the administrative
       burden of managing the tables to the parent domain. The concatenation
       path slows down the request response time because more tables and
       more servers are searched. It also decreases availability, since the
       request fails if all the servers for any one directory in the table
       path are incapacitated.

       The NIS+ Concatenation Path is also referred to as the "table path".
       This path is set up at table creation time through nistbladm(1). You
       can specify more than one table to be concatenated, and they are
       searched in the given order. Notice that the NIS+ client libraries, by
       default, do not follow the concatenation path set in site-specific
       tables. Refer to nis_list(3NSL) for more details.

   Namespaces
       The NIS+ service defines two additional disjoint namespaces for its
       own use. These namespaces are the NIS+ Principal namespace and the
       NIS+ Group namespace. The names associated with the group and
       principal namespaces are syntactically identical to simple names.
       However, the information they represent cannot be obtained by directly
       presenting these names to the NIS+ interfaces. Instead, special
       interfaces are defined to map these names into NIS+ names so that they
       can then be resolved.

   Principal Names
       NIS+ principal names are used to uniquely identify users and machines
       that are making NIS+ requests. These names have the form:

       principal.domain

       Here domain is the fully qualified name of an NIS+ directory where the
       named principal's credentials can be found. See Directories and
       Domains for more information on domains. Notice that in this name,
       principal is not a leaf in the NIS+ namespace.

       Credentials are used to map the identity of a host or user from one
       context, such as a process UID, into the NIS+ context. They are stored
       as records in an NIS+ table named cred, which always appears in the
       org_dir subdirectory of the directory named in the principal name.

       This mapping can be expressed as a replacement function:

         principal.domain -> [cname=principal.domain],cred.org_dir.domain

       This latter name is an NIS+ name that can be presented to the
       nis_list(3NSL) interface for resolution. NIS+ principal names are
       administered using the nisaddcred(1M) command.

       The cred table contains five columns named cname, auth_name,
       auth_type, public_data, and private_data. There is one record in this
       table for each identity mapping for an NIS+ principal. The current
       service supports three types of mappings:

       LOCAL       This mapping is used to map from the UID of a given
                   process to the NIS+ principal name associated with that
                   UID. If no mapping exists, the name nobody is returned.
                   When the effective UID of the process is 0 (for example,
                   the superuser), the NIS+ name associated with the host is
                   returned. Notice that UIDs are sensitive to the context of
                   the machine on which the process is executing.

       DES         This mapping is used to map to and from a Secure RPC
                   ``netname'' into an NIS+ principal name. See
                   secure_rpc(3NSL) for more information on netnames. Notice
                   that since netnames contain the notion of a domain, they
                   span NIS+ directories.

       DHnnn-m     Example: DH640-0, DH1024-0. Analogous to DES mappings,
                   these are used to map netnames and NIS+ principal names
                   for extended Diffie-Hellman keys. See nisauthconf(1M) for
                   further information.

       The NIS+ client library function nis_local_principal(3NSL) uses the
       cred.org_dir table to map the UNIX notion of an identity, a process'
       UID, into an NIS+ principal name. Shell programs can use the program
       nisdefaults(1) with the -p switch to return this information.

       Mapping from UIDs to an NIS+ principal name is accomplished by
       constructing a query of the form:

       [auth_type=LOCAL, auth_name=uid],cred.org_dir.default-domain.

       This query returns a record containing the NIS+ principal name
       associated with this UID, in the machine's default domain.

       The NIS+ service uses the DES mapping to map the names associated with
       Secure RPC requests into NIS+ principal names. RPC requests that use
       Secure RPC include the netname of the client making the request in the
       RPC header. This netname has the form:

       unix.UID@domain

       The service constructs a query using this name of the form:

       [auth_type=DES, auth_name=netname],cred.org_dir.domain.

       where the domain part is extracted from the netname rather than using
       the default domain. This query is used to look up the mapping of this
       netname into an NIS+ principal name in the domain where it was
       created.

       This mechanism of mapping UIDs and netnames into an NIS+ principal
       name guarantees that a client of the NIS+ service has only one
       principal name. This principal name is used as the basis for
       authorization, which is described below. All objects in the NIS+
       namespace and all entries in NIS+ tables must have an owner specified
       for them. This owner field always contains an NIS+ principal name.

   Group Names
       Like NIS+ principal names, NIS+ group names take the form:

       group_name.domain

       All objects in the NIS+ namespace and all entries in NIS+ tables can
       optionally have a group owner specified for them. This group owner
       field, when filled in, always contains the fully qualified NIS+ group
       name.

       The NIS+ client library defines several interfaces (nis_groups(3NSL))
       for dealing with NIS+ groups. These interfaces internally map NIS+
       group names into an NIS+ simple name which identifies the NIS+ group
       object associated with that group name. This mapping can be shown as
       follows:

       group.domain -> group.groups_dir.domain

       This mapping eliminates collisions between NIS+ group names and NIS+
       directory names. For example, without this mapping, a directory with
       the name engineering.foo.com. would make it impossible to have a group
       named engineering.foo.com., because within the NIS+ namespace a name
       must unambiguously identify a single object. With this mapping, the
       NIS+ group name engineering.foo.com. maps to the NIS+ object name
       engineering.groups_dir.foo.com.

       The contents of a group object is a list of NIS+ principal names and
       the names of other NIS+ groups. See nis_groups(3NSL) for a more
       complete description of their use.
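
       The three cred mappings of the Principal Names section and the group
       mapping above, as an added example against a constructed cred table
       (not the NIS+ library). The domains, principals, UIDs and netnames are
       made up, and nis_list() here is a plain filter standing in for
       nis_list(3NSL).

```python
"""Identity mapping through the cred table, as nis+(1) describes for the
LOCAL and DES credential types, plus the group-name mapping from Group Names.
Added example over a constructed cred table; not the NIS+ library."""
from typing import Dict, List, Tuple

Row = Dict[str, str]                    # one cred record
Query = Tuple[Dict[str, str], str]      # (search criterion, table name)

# Constructed namespace with two domains. fred's Secure RPC key pair lives in
# foo.com. (his home domain); his LOCAL entry in eng.foo.com. carries the
# home-domain principal name, as the Authentication section requires.
CRED: Dict[str, List[Row]] = {
    "cred.org_dir.foo.com.": [
        {"cname": "fred.foo.com.", "auth_type": "LOCAL", "auth_name": "1001",
         "public_data": "<constructed>", "private_data": ""},
        {"cname": "fred.foo.com.", "auth_type": "DES",
         "auth_name": "unix.1001@foo.com",
         "public_data": "<constructed public key>",
         "private_data": "<constructed encrypted private key>"},
        {"cname": "host1.foo.com.", "auth_type": "DES",
         "auth_name": "unix.host1@foo.com",
         "public_data": "<constructed public key>",
         "private_data": "<constructed encrypted private key>"},
    ],
    "cred.org_dir.eng.foo.com.": [
        {"cname": "fred.foo.com.", "auth_type": "LOCAL", "auth_name": "1001",
         "public_data": "<constructed>", "private_data": ""},
    ],
}


def render(query: Query) -> str:
    """Indexed-name form of a query, e.g. [auth_type=LOCAL, auth_name=1001],cred.org_dir.foo.com."""
    criterion, table = query
    return "[" + ", ".join(f"{k}={v}" for k, v in criterion.items()) + "]," + table


def principal_query(principal: str) -> Query:
    """principal.domain -> [cname=principal.domain],cred.org_dir.domain"""
    _, domain = principal.split(".", 1)
    return {"cname": principal}, "cred.org_dir." + domain


def local_query(uid: int, default_domain: str) -> Query:
    """UID -> [auth_type=LOCAL, auth_name=uid],cred.org_dir.default-domain."""
    return {"auth_type": "LOCAL", "auth_name": str(uid)}, "cred.org_dir." + default_domain


def des_query(netname: str) -> Query:
    """unix.UID@domain -> [auth_type=DES, auth_name=netname],cred.org_dir.domain.
    The domain is taken from the netname, not from the default domain."""
    domain = netname.split("@", 1)[1]
    if not domain.endswith("."):
        domain += "."
    return {"auth_type": "DES", "auth_name": netname}, "cred.org_dir." + domain


def group_object_name(group: str) -> str:
    """group.domain -> group.groups_dir.domain (avoids clashing with directories)."""
    leaf, domain = group.split(".", 1)
    return f"{leaf}.groups_dir.{domain}"


def nis_list(query: Query, tables: Dict[str, List[Row]] = CRED) -> List[Row]:
    """Stand-in for nis_list(3NSL): rows matching every column in the criterion."""
    criterion, table = query
    return [r for r in tables.get(table, [])
            if all(r.get(k) == v for k, v in criterion.items())]


def local_principal(uid: int, default_domain: str, host_principal: str) -> str:
    """nis_local_principal(3NSL) as described: effective UID 0 yields the host's
    principal name and an unmapped UID yields nobody."""
    if uid == 0:
        return host_principal
    rows = nis_list(local_query(uid, default_domain))
    return rows[0]["cname"] if rows else "nobody"


def des_principal(netname: str) -> str:
    """Map the netname carried in a Secure RPC header to its principal; an
    unmapped netname is treated as the nobody class (constructed fallback)."""
    rows = nis_list(des_query(netname))
    return rows[0]["cname"] if rows else "nobody"
```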

NIS+ SECURITY

       NIS+ defines a security model to control access to information managed
       by the service. The service defines access rights that are selectively
       granted to individual clients or groups of clients. Principal names
       and group names are used to define clients and groups of clients that
       can be granted or denied access to NIS+ information. These principals
       and groups are associated with NIS+ domains as defined below.

       The security model also uses the notion of a class of principals
       called nobody, which contains all clients, whether or not they have
       authenticated themselves to the service. The class world includes any
       client who has been authenticated.

   Directories and Domains
       Some directories within the NIS+ namespace are referred to as NIS+
       Domains. Domains are those NIS+ directories that contain the
       subdirectories groups_dir and org_dir. Further, the subdirectory
       org_dir should contain the table named cred. NIS+ Group names and NIS+
       Principal names always include the NIS+ domain name after their first
       label.

   Authentication
       The NIS+ name service uses Secure RPC for the integrity of the NIS+
       service. This requires that users of the service and their machines
       must have a Secure RPC key pair associated with them. This key is
       initially generated with either the nisaddcred(1M) or nisclient(1M)
       commands and modified with the chkey(1) or nispasswd(1) commands.

       The use of Secure RPC allows private information to be stored in the
       name service that is not available to untrusted machines or users on
       the network.

       In addition to the Secure RPC key, users need a mapping of their UID
       into an NIS+ principal name. This mapping is created by the system
       administrator using either the nisclient(1M) or the nisaddcred(1M)
       command.

       Users that are using machines in several NIS+ domains must ensure that
       they have a local credential entry in each of those domains. This
       credential should be created with the NIS+ principal name of the user
       in the user's ``home'' domain. For the purposes of NIS+ and Secure
       RPC, the home domain is defined to be the one where the user's Secure
       RPC key pair is located.

       Although extended Diffie-Hellman keys use an alternative to Secure
       RPC, administration is done through the same commands. See
       nisauthconf(1M).

   Authorization
       The NIS+ service defines four access rights that can be granted or
       denied to clients of the service. These rights are read, modify,
       create, and destroy. These rights are specified in the object
       structure at creation time and can be modified later with the
       nischmod(1) command. In general, the rights granted for an object
       apply only to that object. However, for purposes of authorization,
       rights granted to clients reading directory and table objects are
       granted to those clients for all of the objects ``contained'' by the
       parent object. This notion of containment is abstract. The objects do
       not actually contain other objects within them. Notice that group
       objects do contain the list of principals within their definition.

       Access rights are interpreted as follows:

       read       This right grants read access to an object. For directory
                  and table objects, having read access on the parent object
                  conveys read access to all of the objects that are direct
                  children of a directory, or entries within a table.

       modify     This right grants modification access to an existing
                  object. Read access is not required for modification.
                  However, in many applications, one needs to read an object
                  before modifying it. Such modify operations fail unless
                  read access is also granted.

       create     This right gives a client permission to create new objects
                  where one had not previously existed. It is only used in
                  conjunction with directory and table objects. Having create
                  access for a table allows a client to add additional
                  entries to the table. Having create access for a directory
                  allows a client to add new objects to an NIS+ directory.

       destroy    This right gives a client permission to destroy or remove
                  an existing object or entry. When a client attempts to
                  destroy an entry or object by removing it, the service
                  first checks to see if the table or directory containing
                  that object grants the client destroy access. If it does,
                  the operation proceeds. If the containing object does not
                  grant this right, then the object itself is checked to see
                  if it grants this right to the client. If the object grants
                  the right, then the operation proceeds; otherwise the
                  request is rejected.

       Each of these rights can be granted to any one of four different
       categories.

       owner           A right can be granted to the owner of an object. The
                       owner is the NIS+ principal identified in the owner
                       field. The owner can be changed with the nischown(1)
                       command. Notice that if the owner does not have
                       modification access rights to the object, the owner
                       cannot change any access rights to the object, unless
                       the owner has modification access rights to its parent
                       object.

       group owner     A right can be granted to the group owner of an
                       object. This grants the right to any principal that
                       is identified as a member of the group associated with
                       the object. The group owner can be changed with the
                       nischgrp(1) command. The object owner need not be a
                       member of this group.

       world           A right can be granted to everyone in the world. This
                       grants the right to all clients who have
                       authenticated themselves with the service.

       nobody          A right can be granted to the nobody principal. This
                       has the effect of granting the right to any client
                       that makes a request of the service, regardless of
                       whether they are authenticated or not.

       Notice that for bootstrapping reasons, directory objects that are
       NIS+ domains, the org_dir subdirectory, and the cred table within that
       subdirectory must grant read access to the nobody principal. This
       makes navigation of the namespace possible when a client is in the
       process of locating its credentials. Granting this access does not
       allow the contents of other tables within org_dir to be read (such as
       the entries in the password table) unless the table itself gives
       "real" access rights to the nobody principal.

   Directory Authorization
       Additional capabilities are provided for granting access rights to
       clients for directories. These rights are contained within the object
       access rights (OAR) structure of the directory. This structure allows
       the NIS+ service to grant, for objects of a specific type contained
       by the directory, rights that the directory object itself does not
       grant.

       An example of this capability is a directory object which does not
       grant create access to all clients, but does grant create access in
       the OAR structure for group type objects to clients who are members of
       the NIS+ group associated with the directory. In this example the
       only objects that could be created as children of the directory would
       have to be of the type group.

       Another example is a directory object that grants create access only
       to the owner of the directory, and then additionally grants create
       access through the OAR structure for objects of type table, link,
       group, and private to any member of the directory's group. This has
       the effect of giving nearly complete create access to the group with
       the exception of creating subdirectories. This restricts the creation
       of new NIS+ domains because creating a domain requires creating both
       a groups_dir and an org_dir subdirectory.

       Notice that there is currently no command line interface to set or
       change the OAR of the directory object.

   Table Authorization
       As with directories, additional capabilities are provided for
       granting access to entries within tables. Rights granted to a client
       by the access rights field in a table object apply to the table object
       and all of the entry objects ``contained'' by that table. If an access
       right is not granted by the table object, it can be granted by an
       entry within the table. This holds for all rights except create.

       For example, a table can fail to grant read access to a client
       performing a nis_list(3NSL) operation on the table. However, the
       access rights field of entries within that table can grant read access
       to the client. Notice that access rights in an entry are granted to
       the owner and group owner of the entry and not the owner or group of
       the table. When the list operation is performed, all entries that the
       client has read access to are returned. Those entries that do not
       grant read access are not returned. If none of the entries that match
       the search criterion grant read access to the client making the
       request, no entries are returned and the result status contains the
       NIS_NOTFOUND error code.

       Access rights that are granted by the rights field in an entry are
       granted for the entire entry. However, in the table object an
       additional set of access rights is maintained for each column in the
       table. These rights apply to the equivalent column in the entry. The
       rights are used to grant access when neither the table nor the entry
       itself grants access. The access rights in a column specification
       apply to the owner and group owner of the entry rather than the owner
       and group owner of the table object.

       When a read operation is performed, if read access is not granted by
       the table and is not granted by the entry but is granted by the access
       rights in a column, that entry is returned with the correct values in
       all columns that are readable and the string *NP* (No Permission) in
       columns where read access is not granted.

653
654       As an example, consider a client that has performed a list operation on
655       a  table  that  does  not  grant read access to that client. Each entry
656       object that satisfied the search criterion specified by the  client  is
657       examined  to see if it grants read access to the client. If it does, it
658       is included in the returned result. If it does not, then each column is
659       checked  to  see if it grants read access to the client. If any columns
660       grant read access to the client, data in  those  columns  is  returned.
661       Columns  that  do not grant read access have their contents replaced by
662       the string  *NP*. If none of the columns grant read  access,  then  the
663       entry is not returned.
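       The following Python model of the table, entry and column read cascade
       just described is an added example; it is not part of this manual page
       or of the NIS+ sources. It assumes a simplified rights representation
       (a string of permission letters per principal category: owner, group,
       world, nobody) and a constructed passwd-style table.

```python
from collections import namedtuple

NP = "*NP*"                                   # placed in columns the caller may not read
NIS_SUCCESS, NIS_NOTFOUND = "NIS_SUCCESS", "NIS_NOTFOUND"

# Rights model (assumption): {category: permission letters}; only 'r' is used here.
Entry = namedtuple("Entry", "owner group rights values")            # entry in a table
Table = namedtuple("Table", "owner group rights columns entries")   # columns: per-column rights

def grants_read(rights, owner, group, principal, groups):
    """Does `rights`, interpreted against owner/group, let `principal` read?
    "nobody" covers unauthenticated callers, "world" any authenticated principal."""
    if "r" in rights.get("nobody", ""):
        return True
    if principal is None:                     # unauthenticated request
        return False
    return ((principal == owner and "r" in rights.get("owner", ""))
            or (group in groups and "r" in rights.get("group", ""))
            or "r" in rights.get("world", ""))

def nis_list(table, principal, groups, match=lambda e: True):
    """Read cascade of the list operation: table first, then entry, then each column."""
    table_read = grants_read(table.rights, table.owner, table.group, principal, groups)
    results = []
    for e in table.entries:
        if not match(e):
            continue
        if table_read or grants_read(e.rights, e.owner, e.group, principal, groups):
            results.append(list(e.values))    # whole entry readable
            continue
        # Column rights are checked against the entry's owner and group owner.
        readable = [grants_read(c, e.owner, e.group, principal, groups) for c in table.columns]
        if any(readable):                     # otherwise the entry is withheld entirely
            results.append([v if ok else NP for v, ok in zip(e.values, readable)])
    return (NIS_SUCCESS, results) if results else (NIS_NOTFOUND, [])

def sample_table():
    """Constructed passwd-style table: the table grants read to its owner only, entries
    grant nothing, columns expose name/uid/shell widely but passwd to the entry owner."""
    public = {"owner": "r", "group": "r", "world": "r", "nobody": ""}
    private = {"owner": "r", "group": "", "world": "", "nobody": ""}
    none = {"owner": "", "group": "", "world": "", "nobody": ""}
    return Table("root", "admin", {"owner": "rmcd", "group": "", "world": "", "nobody": ""},
                 [public, private, public, public],
                 [Entry("alice", "staff", none, ["alice", "x$1", "1001", "/bin/sh"]),
                  Entry("bob", "staff", none, ["bob", "x$2", "1002", "/bin/ksh"])])
```

       Listing the sample table as root returns both entries whole, as alice
       returns her own entry whole and bob's with *NP* in the passwd column,
       and as an unauthenticated caller yields NIS_NOTFOUND.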

   Protocol Operation Authorization
       Most NIS+ operations have implied access control through the
       permissions on the objects that they manipulate. For example, in order
       to read an entry in a table, you must have read permission on that
       entry. However, some NIS+ operations by default perform no access
       checking at all and so are allowed for anyone.

       Operation         Example of commands that use the operation

       NIS_CHECKPOINT    nisping -C
       NIS_CPTIME        nisping, rpc.nisd
       NIS_MKDIR         nismkdir
       NIS_PING          nisping, rpc.nisd
       NIS_RMDIR         nisrmdir
       NIS_SERVSTATE     nisbackup, nisrestore
       NIS_STATUS        nisstat, rpc.nispasswdd

       See nisopaccess(1) for a description of how to enforce access control
       to these NIS+ operations.


LIST OF COMMANDS
       The following lists all commands and programming functions related to
       NIS+:

   NIS+ User Commands
       nisaddent(1M)        add /etc files and NIS maps into their
                            corresponding NIS+ tables
       niscat(1)            display NIS+ tables and objects
       nischgrp(1)          change the group owner of a NIS+ object
       nischmod(1)          change access rights on a NIS+ object
       nischown(1)          change the owner of a NIS+ object
       nischttl(1)          change the time to live value of a NIS+ object
       nisdefaults(1)       display NIS+ default values
       niserror(1)          display NIS+ error messages
       nisgrep(1)           utilities for searching NIS+ tables
       nisgrpadm(1)         NIS+ group administration command
       nisln(1)             symbolically link NIS+ objects
       nisls(1)             list the contents of a NIS+ directory
       nismatch(1)          utilities for searching NIS+ tables
       nismkdir(1)          create NIS+ directories
       nisopaccess(1)       access control for protocol operations
       nispasswd(1)         change NIS+ password information
       nisrm(1)             remove NIS+ objects from the namespace
       nisrmdir(1)          remove NIS+ directories
       nisshowcache(1M)     NIS+ utility to print out the contents of the
                            shared cache file
       nistbladm(1)         NIS+ table administration command
       nistest(1)           return the state of the NIS+ namespace using a
                            conditional expression

   NIS+ Administrative Commands
       aliasadm(1M)            manipulate the NIS+ aliases map
       nis_cachemgr(1M)        NIS+ utility to cache location information
                               about NIS+ servers
       nisaddcred(1M)          create NIS+ credentials
       nisaddent(1M)           create NIS+ tables from corresponding /etc
                               files or NIS+ maps
       nisauthconf(1M)         configure extended Diffie-Hellman keys
       nisbackup(1M)           backup NIS+ directories
       nisclient(1M)           initialize NIS+ credentials for NIS+ principals
       nisd(1M)                NIS+ service daemon
       nisd_resolv(1M)         NIS+ service daemon
       nisinit(1M)             NIS+ client and server initialization utility
       nislog(1M)              display the contents of the NIS+ transaction
                               log
       nisping(1M)             send ping to NIS+ servers
       nispopulate(1M)         populate the NIS+ tables in a NIS+ domain
       nisprefadm(1M)          NIS+ utility to set server preferences for NIS+
                               clients
       nisrestore(1M)          restore NIS+ directory backup
       nisserver(1M)           set up NIS+ servers
       nissetup(1M)            initialize a NIS+ domain
       nisshowcache(1M)        NIS+ utility to print out the contents of the
                               shared cache file
       nisstat(1M)             report NIS+ server statistics
       nisupdkeys(1M)          update the public keys in a NIS+ directory
                               object
       rpc.nisd(1M)            NIS+ service daemon
       rpc.nisd_resolv(1M)     NIS+ service daemon
       sysidns(1M)             system configuration

   NIS+ Programming API
       nis_add(3NSL)                  NIS+ namespace functions
       nis_add_entry(3NSL)            NIS+ table functions
       nis_addmember(3NSL)            NIS+ group manipulation functions
       nis_checkpoint(3NSL)           miscellaneous NIS+ log administration
                                      functions
       nis_clone_object(3NSL)         NIS+ subroutines
       nis_creategroup(3NSL)          NIS+ group manipulation functions
       nis_destroy_object(3NSL)       NIS+ subroutines
       nis_destroygroup(3NSL)         NIS+ group manipulation functions
       nis_dir_cmp(3NSL)              NIS+ subroutines
       nis_domain_of(3NSL)            NIS+ subroutines
       nis_error(3NSL)                display NIS+ error messages
       nis_first_entry(3NSL)          NIS+ table functions
       nis_freenames(3NSL)            NIS+ subroutines
       nis_freeresult(3NSL)           NIS+ namespace functions
       nis_freeservlist(3NSL)         miscellaneous NIS+ functions
       nis_freetags(3NSL)             miscellaneous NIS+ functions
       nis_getnames(3NSL)             NIS+ subroutines
       nis_getservlist(3NSL)          miscellaneous NIS+ functions
       nis_groups(3NSL)               NIS+ group manipulation functions
       nis_ismember(3NSL)             NIS+ group manipulation functions
       nis_leaf_of(3NSL)              NIS+ subroutines
       nis_lerror(3NSL)               display some NIS+ error messages
       nis_list(3NSL)                 NIS+ table functions
       nis_local_directory(3NSL)      NIS+ local names
       nis_local_group(3NSL)          NIS+ local names
       nis_local_host(3NSL)           NIS+ local names
       nis_local_names(3NSL)          NIS+ local names
       nis_local_principal(3NSL)      NIS+ local names
       nis_lookup(3NSL)               NIS+ namespace functions
       nis_mkdir(3NSL)                miscellaneous NIS+ functions
       nis_modify(3NSL)               NIS+ namespace functions
       nis_modify_entry(3NSL)         NIS+ table functions
       nis_name_of(3NSL)              NIS+ subroutines
       nis_names(3NSL)                NIS+ namespace functions
       nis_next_entry(3NSL)           NIS+ table functions
       nis_objects(3NSL)              NIS+ object formats
       nis_perror(3NSL)               display NIS+ error messages
       nis_ping(3NSL)                 miscellaneous NIS+ log administration
                                      functions
       nis_print_group_entry(3NSL)    NIS+ group manipulation functions
       nis_print_object(3NSL)         NIS+ subroutines
       nis_remove(3NSL)               NIS+ namespace functions
       nis_remove_entry(3NSL)         NIS+ table functions
       nis_removemember(3NSL)         NIS+ group manipulation functions
       nis_rmdir(3NSL)                miscellaneous NIS+ functions
       nis_server(3NSL)               miscellaneous NIS+ functions
       nis_servstate(3NSL)            miscellaneous NIS+ functions
       nis_sperrno(3NSL)              display NIS+ error messages
       nis_sperror(3NSL)              display NIS+ error messages
       nis_sperror_r(3NSL)            display NIS+ error messages
       nis_stats(3NSL)                miscellaneous NIS+ functions
       nis_subr(3NSL)                 NIS+ subroutines
       nis_tables(3NSL)               NIS+ table functions
       nis_verifygroup(3NSL)          NIS+ group manipulation functions

   NIS+ Files and Directories
       nisfiles(4)     NIS+ database files and directory structure


FILES
       <rpcsvc/nis_object.x>     protocol description of an NIS+ object
       <rpcsvc/nis.x>            defines the NIS+ protocol using the RPC
                                 language as described in the ONC+ Developer's
                                 Guide
       <rpcsvc/nis.h>            should be included by all clients of the NIS+
                                 service

SEE ALSO
       nischown(1), nisdefaults(1), nismatch(1), nisopaccess(1), nispasswd(1),
       newkey(1M), nisaddcred(1M), nisauthconf(1M), nisclient(1M),
       nispopulate(1M), nisserver(1M), nis_add_entry(3NSL),
       nis_domain_of(3NSL), nis_getnames(3NSL), nis_groups(3NSL),
       nis_leaf_of(3NSL), nis_list(3NSL), nis_local_directory(3NSL),
       nis_lookup(3NSL), nis_objects(3NSL)

       System Administration Guide: Naming and Directory Services (DNS, NIS,
       and LDAP)
           Describes how to make the transition from NIS to NIS+.

       ONC+ Developer's Guide
           Describes the application programming interfaces for networks
           including NIS+.

       System Administration Guide: Naming and Directory Services (DNS, NIS,
       and LDAP)
           Describes how to plan for and configure an NIS+ namespace.

       System Administration Guide: IP Services
           Describes IPv6 extensions to Solaris name services.


NOTES
       NIS+ might not be supported in future releases of the Solaris operating
       system. Tools to aid the migration from NIS+ to LDAP are available in
       the current Solaris release. For more information, visit
       http://www.sun.com/directory/nisplus/transition.html.



SunOS 5.11                        2 Dec 2005                           NIS+(1)