SUMMARY: NIS+ Problems.. (more info)

From: Mitchell D. Baker <Mitchell.D.Baker_at_rose-hulman.edu>
Date: Mon Jan 13 2003 - 11:25:56 EST
Thanks to the following for giving me some suggestions:

Jay Lessert <jayl@accelerant.net>
Gary P Carr <gcarr@lanl.gov>
Mr rich cole <rcole0424@yahoo.com>


After searching the FAQ some more
(http://www.eng.auburn.edu/users/rayh/solaris/NIS+_FAQ.html) and then
doing more searched on Sunsolve I found a procedure and it worked...

The most damaging condition in a NIS+ environment is the root on the
master server unable to authenticate to the nis+.

Backups and nisaddent dumps should be performed periodically as there is
not surefire method of getting out of this situation.

Reinitialising is the quickest and the cleanest way of getting back the
root master with clean database. If the root users on the replica
services are able to autheticate to NIS+ then nisaddent dump of the
database should be performed to backup the table in their natuaral text
format.  In 50% of the cases reinitialisation is the only possible
alternative.

The following method can be applied to restore the nis+ credentials for
the master, but Sun claims no responsibility for the outcomes.

On the NIS+ master server:
Do all the following as root in the bourne shell:

1) Kill the nis_cachemgr and rpc.nisd.

***** #kill <PID for rpc.nisd> on all NIS+ servers
***** #kill <PID nis_cachemgr> on all NIS+ servers

2) Restart rpc.nisd with "-S0" option

***** #rpc.nisd -S0

3) Create new credentilas for the master by running 'nisaddred' command

***** nisaddcred -p unix.host@FQDomainname -P host.domainname. des

***** enter the root passwd when prompted for passwd.

4) Update the keys in the directory objects using the nisupdkeys
command.
***** NOTE THE TRAILING DOT AT THE END OF THE DOMAINNAME *****

***** #nisupdkeys domainname.
***** #nisupdkeys org_dir.domainname.
***** #nisupdkeys groups_dir.domainname.

5) Perform check point on all the three directories on the master
***** NOTE THE TRAILING DOT AT THE END OF THE DOMAINNAME *****

***** #nisping -C domainname.
***** #nisping -C org_dir.domainname.
***** #nisping -C groups_dir.domainname.

6) keylogout with -f option.

   #keylogout -f

7) Kill the running rpc.nisd and restart with original options (-Y -B if
any.)

***** #kill (PID of rpc.nisd
***** #rpc.nisd
***** #nis_cachemgr -i

8) Perform a keylogin -r to update the secret key in the /etc/.rootkey.


At this point the root master and the client on the root master know
about the
updated credentials (as the cold start file onthe master is updated
immedately
on any change to the directory objects), the clients of the domain need
to
update their cold start files with the correct master credentilas.

11) Perform the steps spcified below in the  "Updating cold start file"
section of
    this SRDB, for the clients to authenticate the nis+ master.

==============================================================================

UPDATING COLD START FILE:
-------------------------

The cold start file is essential for the client server authentication. 
It is
the original repository of server and server keys for the client.  The
cache
is created based on the cold start file. The cache is use for run time
queries
and need to be refreshed when ever there are major changes take palace
in the
domain.  The cold start file is only read once while the cache is being
created
by the nis_cachemgr.

Perform following steps to update the coldstart file and the nis+ cache.

----> On all clients and replicas

1) kill the nis_Cachemgr

2) remove the /var/nis/*DIRCACHE files

3) run the 'nisinit' command to create a new cold start file

***** #nisinit -c -H <rootmaster>

4) start the nis_cachemgr.

Origial problem:

NIS master not responding to NIS requests....

Thanks to all 

See-ya
Mitch


-- 
/####################################################################/
/# Mitchell "Buzz" Baker               "To Infinity And Beyond..."  #/
/# Sr. Systems/Security Admin  Rose-Hulman Institute of Technology  #/     
/# Mitchell.D.Baker@rose-hulman.edu            www.rose-hulman.edu  #/
/#        For PGP Public key, check out www.keyserver.net           #/
/####################################################################/
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Jan 14 10:52:21 2003

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:01 EST