HP-UX Reference (11i v2 03/08) - 1 User Commands N-Z (vol 2)

nis+(1) nis+(1)
tion path set in site-specific tables. Refer to nis_list(3N) for more details.
Namespaces
The NIS+ service defines two additional disjoint namespaces for its own use. These namespaces are the
NIS+ Principal namespace, and the NIS+ Group namespace. The names associated with the group and
principal namespaces are syntactically identical to simple names. However, the information they
represent cannot be obtained by directly presenting these names to the NIS+ interfaces. Instead, special
interfaces are defined to map these names into NIS+ names so that they may then be resolved.
Principal Names
NIS+ principal names are used to uniquely identify users and machines that are making NIS+ requests.
These names have the form:
principal.domain
Here domain is the fully qualified name of an NIS+ directory where the named principal’s credentials can
be found. See Directories and Domains for more information on domains. Note that in this name, principal
is not a leaf in the NIS+ namespace.
Credentials are used to map the identity of a host or user from one context such as a process UID into the
NIS+ context. They are stored as records in an NIS+ table named cred, which always appears in the
org_dir subdirectory of the directory named in the principal name.
This mapping can be expressed as a replacement function:
principal.domain -> [cname=principal.domain],cred.org_dir.domain
This latter name is an NIS+ name that can be presented to the nis_list(3N) interface for resolution. NIS+
principal names are administered using the nisaddcred(1M) command.
The cred table contains five columns named cname, auth_name, auth_type, public_data, and
private_data. There is one record in this table for each identity mapping for an NIS+ principal. The
current service supports two such mappings:
LOCAL This mapping is used to map from the UID of a given process to the NIS+ principal name asso-
ciated with that UID. If no mapping exists, the name nobody is returned. When the effective
UID of the process is 0 (for example, the super-user), the NIS+ name associated with the host is
returned. Note that UIDs are sensitive to the context of the machine on which the process is
executing.
DES This mapping is used to map to and from a Secure RPC ‘‘netname’’ into an NIS+ principal
name. See secure_rpc (3N) for more information on netnames. Note that since netnames contain
the notion of a domain, they span NIS+ directories.
The NIS+ client library function nis_local_principal(3N) uses the cred.org_dir table to map the UNIX
notion of an identity, a process UID, into an NIS+ principal name. Shell programs can use the program
nisdefaults(1) with the -p switch to return this information.
Mapping from UIDs to an NIS+ principal name is accomplished by constructing a query of the form:
[auth_type=LOCAL, auth_name=uid],cred.org_dir.default-domain.
This query will return a record containing the NIS+ principal name associated with this UID in the
machine’s default domain.
The NIS+ service uses the DES mapping to map the names associated with Secure RPC requests into
NIS+ principal names. RPC requests that use Secure RPC include the netname of the client making the
request in the RPC header. This netname has the form:
unix.UID@domain
The service constructs a query using this name of the form:
[auth_type=DES, auth_name=netname],cred.org_dir.domain.
where the domain part is extracted from the netname rather than using the default domain. This query is
used to look up the mapping of this netname into an NIS+ principal name in the domain where it was
created.
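The replacement function and the LOCAL and DES query forms above, as an added example that is not part of this manual page: the domain eng.example.com., its cred rows and the host principal are constructed, and an in-memory lookup stands in for nis_list(3N).

```python
# Constructed model of the cred.org_dir lookups described above; not HP-UX code.
# A toy in-memory table stands in for nis_list(3N) so the example runs offline.
NOBODY = "nobody"

# Constructed rows for the constructed domain eng.example.com.  Columns per
# nis+(1): cname, auth_type, auth_name (public_data/private_data omitted; they
# play no part in the name mapping).
CRED_TABLE = {"eng.example.com.": [
    {"cname": "alice.eng.example.com.", "auth_type": "LOCAL", "auth_name": "1001"},
    {"cname": "alice.eng.example.com.", "auth_type": "DES", "auth_name": "unix.1001@eng.example.com"},
    {"cname": "host1.eng.example.com.", "auth_type": "DES", "auth_name": "unix.host1@eng.example.com"},
]}

def principal_to_cred_name(principal):
    """Replacement function: principal.domain -> [cname=...],cred.org_dir.domain."""
    _, domain = principal.split(".", 1)
    return f"[cname={principal}],cred.org_dir.{domain}"

def local_query(uid, default_domain):
    """Query for the LOCAL mapping; the domain is the machine's default domain."""
    return f"[auth_type=LOCAL, auth_name={uid}],cred.org_dir.{default_domain}"

def netname_domain(netname):
    """Domain part of a Secure RPC netname unix.UID@domain."""
    user, sep, domain = netname.partition("@")
    if not sep or not user.startswith("unix."):
        raise ValueError(f"not a unix netname: {netname!r}")
    # Assumption: a trailing dot makes it fully qualified, as in the query shown.
    return domain if domain.endswith(".") else domain + "."

def des_query(netname):
    """Query for the DES mapping; the domain is taken from the netname itself."""
    return f"[auth_type=DES, auth_name={netname}],cred.org_dir.{netname_domain(netname)}"

def lookup(auth_type, auth_name, domain):
    """Stand-in for nis_list(3N): cname of the first matching row, else None."""
    for row in CRED_TABLE.get(domain, []):
        if row["auth_type"] == auth_type and row["auth_name"] == auth_name:
            return row["cname"]
    return None

def local_principal(uid, default_domain, host_principal):
    """UID -> principal: UID 0 yields the host's principal, unmapped yields nobody."""
    if uid == 0:
        return host_principal
    return lookup("LOCAL", str(uid), default_domain) or NOBODY

def des_principal(netname):
    """netname -> principal, resolved in the domain named inside the netname."""
    return lookup("DES", netname, netname_domain(netname))
```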
This mechanism of mapping UID and netnames into an NIS+ principal name guarantees that a client of
the NIS+ service has only one principal name. This principal name is used as the basis for authorization
which is described below. All objects in the NIS+ namespace and all entries in NIS+ tables must have an
Section 1590 Hewlett-Packard Company 4 HP-UX 11i Version 2: August 2003