HP-UX Reference (11i v1 05/09) - 1 User Commands N-Z (vol 2)
n
nis+(1) nis+(1)
specified for them. This owner field always contains an NIS+ principal name.
Group Names
Like NIS+ principal names, NIS+ group names take the form:
group_name.domain
All objects in the NIS+ namespace and all entries in NIS+ tables may optionally have a group owner
specified for them. This group owner field, when filled in, always contains the fully qualified NIS+ group
name.
The NIS+ client library defines several interfaces ( nis_groups(3N)) for dealing with NIS+ groups. These
interfaces internally map NIS+ group names into an NIS+ simple name which identifies the NIS+ group
object associated with that group name. This mapping can be shown as follows:
group.domain
-> group.groups_dir .domain
This mapping eliminates collisions between NIS+ group names and NIS+ directory names. For example,
without this mapping, a directory with the name engineering.foo.com., would make it impossible to have a
group named engineering.foo.com.. This is due to the restriction that within the NIS+ namespace, a name
unambiguously identifies a single object. With this mapping, the NIS+ group name engineering.foo.com.
maps to the NIS+ object name engineering.groups_dir.foo.com.
The contents of a group object is a list of NIS+ principal names and the names of other NIS+ groups. See
nis_groups(3N) for a more complete description of their use.
NIS+ SECURITY
NIS+ defines a security model to control access to information managed by the service. The service defines
access rights that are selectively granted to individual clients or groups of clients. Principal names and
group names are used to define clients and groups of clients that may be granted or denied access to NIS+
information. These principals and groups are associated with NIS+ domains as defined below.
The security model also uses the notion of a class of principals called nobody, which contains all clients,
whether or not they have authenticated themselves to the service. The class world includes any client who
has been authenticated.
Directories and Domains
Some directories within the NIS+ namespace are referred to as NIS+ Domains. Domains are those NIS+
directories that contain the subdirectories groups_dir and org_dir. Further, the subdirectory org_dir
should contain the table named cred. NIS+ Group names and NIS+ Principal names always include the
NIS+ domain name after their first label.
Authentication
The NIS+ name service uses Secure RPC for the integrity of the NIS+ service. This requires that users of
the service and their machines must have a Secure RPC key pair associated with them. This key is initially
generated with either the nisaddcred(1M) or nisclient(1M) commands and modified with the chkey(1) or
nispasswd(1) commands.
The use of Secure RPC allows private information to be stored in the name service that will not be available
to untrusted machines or users on the network.
In addition to the Secure RPC key, users need a mapping of their UID into an NIS+ principal name. This
mapping is created by the system administrator using the nisclient(1M) or nisaddcred(1M) command.
Users that will be using machines in several NIS+ domains must insure that they have a local credential
entry in each of those domains. This credential should be created with the NIS+ principal name of the user
in their ‘‘home’’ domain. For the purposes of NIS+ and Secure RPC, the home domain is defined to be the
one where your Secure RPC key pair is located.
Authorization
The NIS+ service defines four access rights that can be granted or denied to clients of the service. These
rights are read, modify, create, and destroy. These rights are specified in the object structure at creation
time and may be modified later with the nischmod(1) command. In general, the rights granted for an
object apply only to that object. However, for purposes of authorization, rights granted to clients reading
directory and table objects are granted to those clients for all of the objects ‘‘contained’’ by the parent object.
This notion of containment is abstract. The objects do not actually contain other objects within them. Note
that group objects do contain the list of principals within their definition.
Section 1−−610 Hewlett-Packard Company − 5 − HP-UX 11i Version 1: September 2005