HP-UX Reference (11i v2 04/09) - 1M System Administration Commands N-Z (vol 4)
nisaddcred(1M) nisaddcred(1M)
NAME
nisaddcred - create NIS+ credentials
SYNOPSIS
nisaddcred [ -p principal ] [ -P nis_principal ] [ -l login_password ] auth_type [ domain_name ]
nisaddcred -r [ nis_principal ] [ domain_name ]
DESCRIPTION
The nisaddcred command creates security credentials for NIS+ principals. NIS+ credentials serve two
purposes: they provide authentication information to various services, and they map the authentication
service name to an NIS+ principal name.
When the nisaddcred command is run, these credentials get created and stored in a table named
cred.org_dir in the default NIS+ domain. If domain_name is specified, the entries are stored in the
cred.org_dir of the specified domain. Note that the credentials of normal users must be stored in the
same domain as their passwords.
It is simpler to add credentials using nisclient(1M) because it obtains the required information itself.
nispopulate(1M) can also be used to add credentials for entries in the hosts and the passwd NIS+ tables.
NIS+ principal names are used in specifying clients that have access rights to NIS+ objects. For more
details, refer to the "Principal Names" subsection of the nis+(1) manual page. See nischmod(1),
nischown(1), nis_objects(3N), and nis_groups(3N). Various other services can also implement access
control based on these principal names.
The cred.org_dir table is organized as follows:

     cname          auth_type   auth_name           public_data   private_data
     fred.foo.com.  LOCAL       2990                10,102,44
     fred.foo.com.  DES         unix.2990@foo.com   098...819     3b8...ab2
The cname column contains a canonical representation of the NIS+ principal name. By convention, this
name is the login name of a user or the host name of a machine, followed by a dot ("."), followed by the
fully qualified "home" domain of that principal. For users, the home domain is defined to be the domain
where their DES credentials are kept. For hosts, their home domain is defined to be the domain name
returned by the domainname(1) command executed on that host.
There are two types of auth_type entries in the cred.org_dir table: those with authentication type
LOCAL and those with authentication type DES. auth_type, specified on the command line in upper or
lower case, should be either local or des.
Entries of type LOCAL are used by the NIS+ service to determine the correspondence between fully
qualified NIS+ principal names and users identified by UIDs in the domain containing the cred.org_dir
table. This correspondence is required when associating requests made using the AUTH_SYS RPC
authentication flavor (see rpc_clnt_auth(3N)) with an NIS+ principal name. It is also required for
mapping a UID in one domain to its fully qualified NIS+ principal name, whose home domain may be
elsewhere. The principal's credentials for any authentication flavor may then be looked up in the
cred.org_dir table of the principal's home domain (extracted from the principal name).
The same NIS+ principal may have LOCAL credential entries in more than one domain. Only users, and
not machines, have LOCAL credentials. In their home domain, users of NIS+ should have both types of
credentials.
The auth_name associated with the LOCAL type entry is a UID that is valid for the principal in the
domain containing the cred.org_dir table. This may differ from that in the principal's home domain.
The public information stored in public_data for this type contains a list of GIDs for groups in which the
user is a member. The GIDs also apply to the domain in which the table resides. There is no private
data associated with this type. Neither a UID nor a principal name should appear more than once among
the LOCAL entries in any one cred.org_dir table.
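The table layout and the LOCAL/DES rules above lend themselves to a consistency check over an exported cred.org_dir table. The following Python validator is an added example, not HP-UX code or part of nisaddcred; it parses rows in the five-column order shown above and flags the conditions this page states: a LOCAL auth_name must be a numeric UID with a comma-separated GID list and no private data, no UID or principal name may appear twice among the LOCAL entries of one table, and a DES netname must have the form unix.id@domain with domain equal to the principal's domain (the part of cname after the first dot). The sample table and the key placeholders in it are constructed for the example.

```python
"""Consistency checks for cred.org_dir-style rows (constructed example, not HP-UX code)."""
import re
from collections import Counter

# Constructed sample rows in the man page's column order:
# cname auth_type auth_name public_data private_data
# Two deliberate defects: wilma's DES netname names the wrong domain,
# and barney's LOCAL entry reuses fred's UID 2990 in the same table.
SAMPLE_TABLE = """\
fred.foo.com.    LOCAL  2990               10,102,44
fred.foo.com.    DES    unix.2990@foo.com  <pubkey-fred>   <privkey-fred>
wilma.foo.com.   LOCAL  2991               10
wilma.foo.com.   DES    unix.2991@bar.com  <pubkey-wilma>  <privkey-wilma>
barney.foo.com.  LOCAL  2990               10
"""

# Secure RPC netname: unix.<id>@<domain>, where id is a UID (users) or a host name (hosts).
NETNAME_RE = re.compile(r"^unix\.([^@]+)@(.+)$")


def parse_rows(text):
    """Split whitespace-separated table text into row dicts; private_data is optional."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 columns, got {len(fields)}")
        cname, auth_type, auth_name, public_data = fields[:4]
        private_data = fields[4] if len(fields) > 4 else ""
        rows.append({"cname": cname, "auth_type": auth_type, "auth_name": auth_name,
                     "public_data": public_data, "private_data": private_data})
    return rows


def principal_domain(cname):
    """'fred.foo.com.' -> 'foo.com.' (everything after the login or host name)."""
    _, _, rest = cname.partition(".")
    return rest


def check_table(rows):
    """Return a list of human-readable problems; an empty list means the table is consistent."""
    problems = []
    local_uids = Counter()
    local_cnames = Counter()
    for r in rows:
        cname = r["cname"]
        if not cname.endswith("."):
            problems.append(f"{cname}: cname is not a fully qualified principal name")
        auth_type = r["auth_type"].upper()  # accepted in upper or lower case
        if auth_type == "LOCAL":
            if not r["auth_name"].isdigit():
                problems.append(f"{cname}: LOCAL auth_name '{r['auth_name']}' is not a UID")
            if not all(g.isdigit() for g in r["public_data"].split(",")):
                problems.append(f"{cname}: LOCAL public_data '{r['public_data']}' is not a GID list")
            if r["private_data"]:
                problems.append(f"{cname}: LOCAL entries carry no private data")
            local_uids[r["auth_name"]] += 1
            local_cnames[cname] += 1
        elif auth_type == "DES":
            m = NETNAME_RE.match(r["auth_name"])
            if m is None:
                problems.append(f"{cname}: DES auth_name '{r['auth_name']}' is not a unix.id@domain netname")
            else:
                netdomain = m.group(2)
                dom = principal_domain(cname)
                # The table convention omits the trailing dot in the netname, so compare without it.
                if netdomain.rstrip(".") != dom.rstrip("."):
                    problems.append(f"{cname}: netname domain '{netdomain}' is not the principal's domain '{dom}'")
            if not r["private_data"]:
                problems.append(f"{cname}: DES entry has no private_data")
        else:
            problems.append(f"{cname}: unknown auth_type '{r['auth_type']}'")
    for uid, n in local_uids.items():
        if n > 1:
            problems.append(f"UID {uid} appears {n} times among LOCAL entries")
    for name, n in local_cnames.items():
        if n > 1:
            problems.append(f"principal {name} has {n} LOCAL entries in one table")
    return problems


if __name__ == "__main__":
    for p in check_table(parse_rows(SAMPLE_TABLE)):
        print("problem:", p)
```

Run against a real table, feed it the output of a `niscat`-style dump of cred.org_dir (assumed to be whitespace-separated in the same column order); both sample defects are reported, and a clean two-row table for fred produces an empty list.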
The DES auth_type is used for Secure RPC authentication (see secure_rpc(3N)).
The authentication name associated with the DES auth_type is a Secure RPC netname. A Secure RPC
netname has the form unix.id@domain, where domain must be the same as the domain of the principal.
For principals that are users, the id must be the UID of the principal in the principal’s home domain. For
principals that are hosts, the id is the host’s name. In Secure RPC, processes running under effective
Section 1M−−550 Hewlett-Packard Company − 1 − HP-UX 11i Version 2: September 2004