HP-UX Reference (11i v1 05/09) - 1 User Commands N-Z (vol 2)

nis+(1)
tion path set in site-specific tables. Refer to nis_list(3N) for more details.
Namespaces
The NIS+ service defines two additional disjoint namespaces for its own use. These namespaces are the
NIS+ Principal namespace, and the NIS+ Group namespace. The names associated with the group and
principal namespaces are syntactically identical to simple names. However, the information they represent
cannot be obtained by directly presenting these names to the NIS+ interfaces. Instead, special interfaces
are defined to map these names into NIS+ names so that they may then be resolved.
Principal Names
NIS+ principal names are used to uniquely identify users and machines that are making NIS+ requests.
These names have the form:
principal.domain
Here domain is the fully qualified name of an NIS+ directory where the named principal’s credentials can
be found. See Directories and Domains for more information on domains. Note that in this name, principal
is not a leaf in the NIS+ namespace.
Credentials are used to map the identity of a host or user from one context such as a process UID into the
NIS+ context. They are stored as records in an NIS+ table named cred, which always appears in the
org_dir subdirectory of the directory named in the principal name.
This mapping can be expressed as a replacement function:
principal.domain -> [cname=principal.domain],cred.org_dir.domain
This latter name is an NIS+ name that can be presented to the nis_list(3N) interface for resolution. NIS+
principal names are administered using the nisaddcred(1M) command.
The cred table contains five columns named cname, auth_name, auth_type, public_data, and private_data.
There is one record in this table for each identity mapping for an NIS+ principal. The current service
supports two such mappings:
LOCAL This mapping is used to map from the UID of a given process to the NIS+ principal name associated
with that UID. If no mapping exists, the name nobody is returned. When the effective UID of the
process is 0 (for example, the super-user), the NIS+ name associated with the host is returned.
Note that UIDs are sensitive to the context of the machine on which the process is executing.
DES This mapping is used to map to and from a Secure RPC ‘‘netname’’ into an NIS+ principal name.
See secure_rpc(3N) for more information on netnames. Note that since netnames contain the
notion of a domain, they span NIS+ directories.
The NIS+ client library function nis_local_principal(3N) uses the cred.org_dir table to map the UNIX
notion of an identity, a process UID, into an NIS+ principal name. Shell programs can use the program
nisdefaults(1) with the -p switch to return this information.
Mapping from UIDs to an NIS+ principal name is accomplished by constructing a query of the form:
[auth_type=LOCAL, auth_name=uid],cred.org_dir.default-domain.
This query will return a record containing the NIS+ principal name associated with this UID in the
machine’s default domain.
The NIS+ service uses the DES mapping to map the names associated with Secure RPC requests into NIS+
principal names. RPC requests that use Secure RPC include the netname of the client making the request
in the RPC header. This netname has the form:
unix.UID@domain
The service constructs a query using this name of the form:
[auth_type=DES, auth_name=netname],cred.org_dir.domain.
where the domain part is extracted from the netname rather than using the default domain. This query is
used to look up the mapping of this netname into an NIS+ principal name in the domain where it was
created.
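The following Python model is an added illustration of the LOCAL and DES mappings described above; it is not part of the HP-UX manual and does not use the real NIS+ client library. It builds the indexed names the text shows (`[auth_type=LOCAL, auth_name=uid],cred.org_dir.default-domain.` and `[auth_type=DES, auth_name=netname],cred.org_dir.domain.`), extracts the domain from a `unix.UID@domain` netname rather than from the default domain, and resolves both against a constructed in-memory cred.org_dir table per directory. The table contents, the domain names, the host principal `wsone.eng.example.com.` and the helper names (`nis_list`, `local_principal`, `des_principal`) are assumptions made for the example; the UID-0 and no-mapping cases return the host principal and `nobody` as the LOCAL description states.

```python
"""Constructed model of the NIS+ cred.org_dir mappings described in nis+(1).

Not the NIS+ implementation: a self-contained illustration of how a UID or a
Secure RPC netname is turned into a cred.org_dir query and then into a single
NIS+ principal name.
"""
import re
from dataclasses import dataclass

NOBODY = "nobody"


@dataclass(frozen=True)
class CredEntry:
    """One row of a cred.org_dir table (the five columns named in nis+(1))."""
    cname: str         # NIS+ principal name, e.g. "alice.eng.example.com."
    auth_name: str     # UID as a string for LOCAL rows, Secure RPC netname for DES rows
    auth_type: str     # "LOCAL" or "DES"
    public_data: str = ""
    private_data: str = ""


def fq(domain: str) -> str:
    """Return the domain as a fully qualified NIS+ directory name (trailing dot)."""
    return domain.rstrip(".") + "."


# Constructed sample data (assumption): one cred.org_dir table per NIS+ directory.
CRED_TABLES = {
    "eng.example.com.": [
        CredEntry("alice.eng.example.com.", "1001", "LOCAL"),
        CredEntry("alice.eng.example.com.", "unix.1001@eng.example.com", "DES", "PUB-alice", "ENC-PRIV-alice"),
        CredEntry("wsone.eng.example.com.", "unix.wsone@eng.example.com", "DES", "PUB-wsone", "ENC-PRIV-wsone"),
    ],
    "sales.example.com.": [
        # Same numeric UID as alice, but a different machine context / directory.
        CredEntry("bob.sales.example.com.", "1001", "LOCAL"),
        CredEntry("bob.sales.example.com.", "unix.1001@sales.example.com", "DES", "PUB-bob", "ENC-PRIV-bob"),
    ],
}


def principal_to_cred_name(principal: str) -> str:
    """The replacement function: principal.domain -> [cname=principal.domain],cred.org_dir.domain."""
    _, _, domain = principal.partition(".")
    return f"[cname={principal}],cred.org_dir.{domain}"


def local_query(uid: int, default_domain: str) -> str:
    """Indexed name used by the LOCAL mapping; the directory is the machine's default domain."""
    return f"[auth_type=LOCAL, auth_name={uid}],cred.org_dir.{fq(default_domain)}"


NETNAME_RE = re.compile(r"^unix\.([^@.]+)@([^@]+)$")


def parse_netname(netname: str):
    """Split a Secure RPC netname unix.UID@domain (or unix.host@domain) into (id, domain)."""
    m = NETNAME_RE.match(netname)
    if not m:
        raise ValueError(f"malformed Secure RPC netname: {netname!r}")
    return m.group(1), m.group(2)


def des_query(netname: str) -> str:
    """Indexed name used by the DES mapping; the directory comes from the netname itself."""
    _, domain = parse_netname(netname)
    return f"[auth_type=DES, auth_name={netname}],cred.org_dir.{fq(domain)}"


def nis_list(indexed_name: str):
    """Toy stand-in for nis_list(3N): resolve [attr=val, ...],cred.org_dir.domain against CRED_TABLES."""
    m = re.match(r"^\[([^\]]*)\],cred\.org_dir\.(.+)$", indexed_name)
    if not m:
        raise ValueError(f"not a cred.org_dir indexed name: {indexed_name!r}")
    attrs = dict(kv.strip().split("=", 1) for kv in m.group(1).split(","))
    rows = CRED_TABLES.get(m.group(2), [])
    return [r for r in rows if all(getattr(r, k, None) == v for k, v in attrs.items())]


def local_principal(uid: int, default_domain: str, host_principal: str) -> str:
    """Model of the LOCAL mapping: UID 0 -> host principal, no row -> nobody, else the cname."""
    if uid == 0:
        return host_principal
    rows = nis_list(local_query(uid, default_domain))
    return rows[0].cname if rows else NOBODY


def des_principal(netname: str) -> str:
    """Model of the DES mapping: netname -> cname in the directory named by the netname's domain."""
    rows = nis_list(des_query(netname))
    return rows[0].cname if rows else NOBODY


if __name__ == "__main__":
    host = "wsone.eng.example.com."
    print(local_query(1001, "eng.example.com"))
    print(local_principal(1001, "eng.example.com", host))        # alice.eng.example.com.
    print(local_principal(0, "eng.example.com", host))           # host principal
    print(local_principal(4242, "eng.example.com", host))        # nobody
    print(des_query("unix.1001@sales.example.com"))
    print(des_principal("unix.1001@sales.example.com"))          # bob.sales.example.com.
    print(principal_to_cred_name("alice.eng.example.com."))
```

The two lookups for the same client agree (`local_principal(1001, "eng.example.com", ...)` and `des_principal("unix.1001@eng.example.com")` both yield `alice.eng.example.com.`), which is the single-principal-name property the next paragraph relies on; the same UID in `sales.example.com.` resolves to a different principal, showing why UIDs only make sense in the context of the machine's default domain.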
This mechanism of mapping UID and netnames into an NIS+ principal name guarantees that a client of the
NIS+ service has only one principal name. This principal name is used as the basis for authorization which
is described below. All objects in the NIS+ namespace and all entries in NIS+ tables must have an owner
HP-UX 11i Version 1: September 2005 4 Hewlett-Packard Company Section 1609