System Administration Guide: IP Services
Previous Next

Document Information

Preface

Part I TCP/IP Administration

1.  Solaris TCPIP Protocol Suite (Overview)

2.  Planning an IPv4 Addressing Scheme (Tasks

3.  Planning an IPv6 Addressing Scheme (Overview)

4.  Planning an IPv6 Network (Tasks)

5.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

6.  Administering Network Interfaces (Tasks)

7.  Enabling IPv6 on a Network (Tasks)

8.  Administering a TCP/IP Network (Tasks)

9.  Troubleshooting Network Problems (Tasks)

10.  TCP/IP and IPv4 in Depth (Reference)

11.  IPv6 in Depth (Reference)

Part II DHCP

12.  About Solaris DHCP (Overview)

13.  Planning for DHCP Service (Tasks)

14.  Configuring the DHCP Service (Tasks)

15.  Administering DHCP (Tasks)

16.  Configuring and Administering DHCP Clients

About the Solaris DHCP Client

Enabling and Disabling a Solaris DHCP Client

How to Enable the Solaris DHCP Client

How to Disable a Solaris DHCP Client

DHCP Client Administration

DHCP Client Systems With Multiple Network Interfaces

DHCP Client Host Names

How to Enable a Solaris Client to Request a Specific Host Name

DHCP Client Systems and Name Services

DHCP Client Event Scripts

17.  Troubleshooting DHCP (Reference)

18.  DHCP Commands and Files (Reference)

Part III IP Security

19.  IP Security Architecture (Overview)

20.  Configuring IPsec (Tasks)

21.  IP Security Architecture (Reference)

22.  Internet Key Exchange (Overview)

23.  Configuring IKE (Tasks)

24.  Internet Key Exchange (Reference)

25.  Solaris IP Filter (Overview)

26.  Solaris IP Filter (Tasks)

Part IV Mobile IP

27.  Mobile IP (Overview)

28.  Administering Mobile IP (Tasks)

29.  Mobile IP Files and Commands (Reference)

Part V IPMP

30.  Introducing IPMP (Overview)

31.  Administering IPMP (Tasks)

Part VI IP Quality of Service (IPQoS)

32.  Introducing IPQoS (Overview)

33.  Planning for an IPQoS-Enabled Network (Tasks)

34.  Creating the IPQoS Configuration File (Tasks)

35.  Starting and Maintaining IPQoS (Tasks)

36.  Using Flow Accounting and Statistics Gathering (Tasks)

37.  IPQoS in Detail (Reference)

Glossary

Index

DHCP Client Systems and Name Services

Solaris systems support the following name services: DNS, NIS, NIS+, and a local file store (/etc/inet/hosts). Each name service requires some configuration before it is usable. The name service switch configuration file (see nsswitch.conf(4)) must also be set up appropriately to indicate the name services to be used.

Before a DHCP client system can use a name service, you must configure the system as a client of the name service.

The following table summarizes issues that are related to each name service and DHCP. The table includes links to documentation that can help you set up clients for each name service.

Table 16-1 Name Service Client Setup Information for DHCP Client Systems

Name Service

Client Setup Information

NIS

If you are using Solaris DHCP to send Solaris network install information to a client system, you can use a configuration macro that contains the NISservs and NISdmain options. These options pass the IP addresses of NIS servers and the NIS domain name to the client. The client then automatically becomes an NIS client.

If a DHCP client system is already running the Solaris OS, the NIS client is not automatically configured on that system when the DHCP server sends NIS information to the client.

If the DHCP server is configured to send NIS information to the DHCP client system, you can see the values given to the client if you use the dhcpinfo command on the client as follows:

# /sbin/dhcpinfo NISdmain

# /sbin/dhcpinfo NISservs

Use the values returned for the NIS domain name and NIS servers when you set up the system as an NIS client.

You set up an NIS client for a Solaris DHCP client system in the standard way, as documented in Chapter 5, Setting Up and Configuring NIS Service, in System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

Tip - You can write a script that uses dhcpinfo and ypinit to automate NIS client configuration on DHCP client systems.

NIS+

If the DHCP client system receives a nonreserved IP address, the address might not always be the same. You must set up the NIS+ client for a DHCP client system in a nonstandard way, which is documented in Setting Up DHCP Clients as NIS+ Clients. This procedure is necessary because NIS+ uses security measures to authenticate requests for service. The security measures depend upon the IP address.

If the DHCP client system has been manually assigned an IP address, the client's address is always the same. You can set up the NIS+ client in the standard way, which is documented in Setting Up NIS+ Client Machines in System Administration Guide: Naming and Directory Services (NIS+).

/etc/inet/hosts

You must set up the /etc/inet/hosts file for a DHCP client system that is to use /etc/inet/hosts for its name service.

The DHCP client system's host name is added to its own /etc/inet/hosts file by the DHCP tools. However, you must manually add the host name to the /etc/inet/hosts files of other systems in the network. If the DHCP server system uses /etc/inet/hosts for name resolution, you must also manually add the client's host name on the system.

DNS

If the DHCP client system receives the DNS domain name through DHCP, the client system's /etc/resolv.conf file is configured automatically. The /etc/nsswitch.conf file is also automatically updated to append dns to the hosts line after any other name services in the search order. See System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)for more information about DNS.

Setting Up DHCP Clients as NIS+ Clients

You can use the NIS+ name service on Solaris systems that are DHCP clients. However, to do so requires you to partially circumvent one of the security-enhancing features of NIS+, the creation of Data Encryption Standard (DES) credentials. When you set up an NIS+ client that is not using DHCP, you add unique DES credentials for the client to the NIS+ server. There are several ways to create credentials, such as using the nisclient script or the nisaddcred command.

For DHCP clients, you cannot use these methods. NIS+ credential generation requires a client to have a static host name to create and store the credentials. If you want to use NIS+ and DHCP, you must create identical credentials to be used for all the host names of DHCP clients. In this way, no matter what IP address and associated host name that a DHCP client receives, the client can use the same DES credentials.

Caution - Before performing the following procedure, be aware that NIS+ was designed for increased security. This procedure weakens that security by allowing random DHCP clients to receive NIS+ credentials.

The following procedure shows you how to create identical credentials for all DHCP host names. This procedure is valid only if you know the host names that DHCP clients use. For example, when the DHCP server generates the host names, you know the possible host names that a client can receive.

How to Set Up Solaris DHCP Clients as NIS+ Clients

A DHCP client system that is to be an NIS+ client must use credentials that belong to another NIS+ client system in the NIS+ domain. This procedure only produces credentials for the system, which apply only to the superuser logged in to the system. Other users who log in to the DHCP client system must have their own unique credentials in the NIS+ server. These credentials are created according to a procedure in the System Administration Guide: Naming and Directory Services (NIS+).

  1. Create the credentials for a client by typing the following command on the NIS+ server:
    # nisgrep nisplus-client-name cred.org_dir > /tmp/file

    This command writes the cred.org_dir table entry for the NIS+ client to a temporary file.

  2. Use the cat command to view the contents of the temporary file.

    Or, use a text editor.

  3. Copy the credentials to use for DHCP clients.

    You must copy the public key and private key, which are long strings of numbers and letters separated by colons. The credentials are to be pasted into the command issued in the next step.

  4. Add credentials for a DHCP client by typing the following command:
    # nistbladm -a cname=" dhcp-client-name@nisplus-domain" auth_type=DES \
auth_name="unix.dhcp-client-name@nisplus-domain" \
public_data=copied-public-key \ 
private_data=copied-private-key

    For the copied-public-key, paste the public key information that you copied from the temporary file. For the copied-private-key, paste the private key information that you copied from the temporary file.

  5. Remote copy files from the NIS+ client system to the DHCP client system by typing the following commands on the DHCP client system:
    # rcp nisplus-client-name:/var/nis/NIS_COLD_START /var/nis
# rcp nisplus-client-name:/etc/.rootkey /etc
# rcp nisplus-client-name:/etc/defaultdomain /etc

    If you get a “permission denied” message, the systems might not be set up to allow remote copying. In this case, you can copy the files as a regular user to an intermediate location. As superuser, copy the files from the intermediate location to the proper location on the DHCP client system.

  6. Copy the correct name service switch file for NIS+ by typing the following command on the DHCP client system:
    # cp /etc/nsswitch.nisplus /etc/nsswitch.conf
  7. Reboot the DHCP client system.

    The DHCP client system should now be able to use NIS+ services.

Example 16-1 Setting up a Solaris DHCP Client System as an NIS+ Client

The following example assumes that you have one system nisei, which is an NIS+ client in the NIS+ domain dev.example.net. You also have one DHCP client system, dhow, and you want dhow to be an NIS+ client.

(First log in as superuser on the NIS+ server)
# nisgrep nisei cred.org_dir > /tmp/nisei-cred
# cat /tmp/nisei-cred
nisei.dev.example.net.:DES:[email protected]:46199279911a84045b8e0
c76822179138173a20edbd8eab4:90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830
c05bc1c724b
# nistbladm -a cname="[email protected]." \
auth_type=DES auth_name="[email protected]" \
public_data=46199279911a84045b8e0c76822179138173a20edbd8eab4 \
private_data=90f2e2bb6ffe7e3547346dda624ec4c7f0fe1d5f37e21cff63830\
c05bc1c724b
# rlogin dhow
(Log in as superuser on dhow)
# rcp nisei:/var/nis/NIS_COLD_START /var/nis
# rcp nisei:/etc/.rootkey /etc
# rcp nisei:/etc/defaultdomain /etc
# cp /etc/nsswitch.nisplus /etc/nsswitch.conf
# reboot

The DHCP client system dhow should now be able to use NIS+ services.

Example 16-2 Adding Credentials With a Script

If you want to set up a large number of DHCP client systems as NIS+ clients, you can write a script. A script can quickly add the entries to the cred.org_dir NIS+ table. The following example shows a sample script.

#! /usr/bin/ksh  
# 
# Copyright (c) by Sun Microsystems, Inc. All rights reserved. 
# 
# Sample script for cloning a credential. Hosts file is already populated  
# with entries of the form dhcp-[0-9][0-9][0-9]. The entry we're cloning 
# is dhcp-001. 
#  
#  
PUBLIC_DATA=6e72878d8dc095a8b5aea951733d6ea91b4ec59e136bd3b3 
PRIVATE_DATA=3a86729b685e2b2320cd7e26d4f1519ee070a60620a93e48a8682c5031058df4
HOST="dhcp-" 
DOMAIN="mydomain.example.com"  
 
for 
i in 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019
do         
     print - ${HOST}${i}         
     #nistbladm -r [cname="${HOST}${i}.${DOMAIN}."]cred.org_dir         
     nistbladm -a cname="${HOST}${i}.${DOMAIN}." \
         auth_type=DES auth_name="unix.${HOST}${i}@${DOMAIN}" \
         public_data=${PUBLIC_DATA} private_data=${PRIVATE_DTA} cred.org_Dir
done  
 
exit 0
Previous Next