Patch Name: PHNE_17349

Patch Description: s700_800 10.26 NIS shell directory modification

Creation Date: 99/01/12

Post Date: 99/02/03

Hardware Platforms - OS Releases:
    s700: 10.26
    s800: 10.26

Products: N/A

Filesets:
    InternetSrvcs.INETSVCS-INETD
    NFS.NFS-SERVER
    NFS.NIS-CLIENT
    NFS.NIS-SERVER

Automatic Reboot?: No

Status: General Release

Critical: No

Path Name: /hp-ux_patches/s700_800/10.X/PHNE_17349

Symptoms:
    PHNE_17349:
    The NIS shell directory can only be located on the NIS master
    server.

Defect Description:
    PHNE_17349:
    The directory to use as the NIS shell filesystem was hardcoded
    to be exported from the NIS master server.

    Resolution:
    Make the NIS shell server more flexible, so that it can be
    hosted from any machine in the domain and can be any directory.

SR: 0000000000

Patch Files:
    /etc/auth/system/files.fcdb/15.net/PHNE_17349.fcdb
    /sbin/init.d/nfs.server
    /sbin/init.d/nis.server.script
    /sbin/init.d/nis.shell
    /usr/newconfig/etc/rc.config.d/namesvrs

what(1) Output:
    /etc/auth/system/files.fcdb/15.net/PHNE_17349.fcdb:
        None
    /sbin/init.d/nfs.server:
        $Revision: 1.5 services/NFS/scripts/nfs.server, hpux, hpux_10.26, ic5al $ $Date: 99/01/07 12:43:52 $
        Hewlett-Packard Co.
        99/01/11 services/NFS/scripts/nfs.server, hpux, hpux_10.26, ic5al Revision 1.5 PATCH_10.26 (PHNE_17349)
        $Revision: SecureWare 1.11 services/NFS/scripts/nfs.server, hpuxinitscripts, vvos_davis, davis7 $ $Date: 95/10/17 09:08:29 $
    /sbin/init.d/nis.server.script:
        $Revision: 1.10 services/NFS/scripts/nis.server.script, hpux, hpux_10.26, ic5al $ $Date: 99/01/07 12:30:44 $
        Hewlett Packard Co.
        99/01/11 services/NFS/scripts/nis.server.script, hpux, hpux_10.26, ic5al Revision 1.10 PATCH_10.26 (PHNE_17349)
    /sbin/init.d/nis.shell:
        99/01/11 services/NFS/scripts/nis.shell, hpux, hpux_10.26, ic5al Revision 1.4 PATCH_10.26 (PHNE_17349)
    /usr/newconfig/etc/rc.config.d/namesvrs:
        $Revision: 1.12 services/INETSVCS/scripts/namesvrs, hpux, hpux_10.26, ic5al $ $Date: 99/01/07 12:35:52 $
        Hewlett Packard Co.
        99/01/11 services/INETSVCS/scripts/namesvrs, hpux, hpux_10.26, ic5al Revision 1.12 PATCH_10.26 (PHNE_17349)

cksum(1) Output:
    2561633174 159 /etc/auth/system/files.fcdb/15.net/PHNE_17349.fcdb
    1036085349 8274 /sbin/init.d/nfs.server
    1960565928 12621 /sbin/init.d/nis.server.script
    2766497663 6377 /sbin/init.d/nis.shell
    1320919103 3797 /usr/newconfig/etc/rc.config.d/namesvrs

Patch Conflicts: None

Patch Dependencies:
    s700: 10.26: PHNE_16947
    s800: 10.26: PHNE_16947

Hardware Dependencies: None

Other Dependencies: None

Supersedes: None

Equivalent Patches: None

Patch Package Size: 90 KBytes

Installation Instructions:
    Please review all instructions and the Hewlett-Packard
    SupportLine User Guide or your Hewlett-Packard support terms
    and conditions for precautions, scope of license,
    restrictions, and limitation of liability and warranties,
    before installing this patch.
    ------------------------------------------------------------
    1. Back up your system before installing a patch.

    2. Login as root.

    3. Copy the patch to the /tmp directory.

    4. Move to the /tmp directory and unshar the patch:

        cd /tmp
        sh PHNE_17349

    5a. For a standalone system, run swinstall to install the
        patch:

        swinstall -x autoreboot=true -x match_target=true \
            -s /tmp/PHNE_17349.depot

    5b. For a homogeneous NFS Diskless cluster run swcluster on the
        server to install the patch on the server and the clients:

        swcluster -i -b

        This will invoke swcluster in the interactive mode and
        force all clients to be shut down.

        WARNING: All cluster clients must be shut down prior to the
                 patch installation. Installing the patch while the
                 clients are booted is unsupported and can lead to
                 serious problems.

        The swcluster command will invoke an swinstall session in
        which you must specify:

            alternate root path - default is /export/shared_root/OS_700
            source depot path   - /tmp/PHNE_17349.depot

        To complete the installation, select the patch by choosing
        "Actions -> Match What Target Has" and then
        "Actions -> Install" from the Menubar.

    5c. For a heterogeneous NFS Diskless cluster:

        - run swinstall on the server as in step 5a to install the
          patch on the cluster server.
        - run swcluster on the server as in step 5b to install the
          patch on the cluster clients.

    By default swinstall will archive the original software in
    /var/adm/sw/patch/PHNE_17349. If you do not wish to retain a
    copy of the original software, you can create an empty file
    named /var/adm/sw/patch/PATCH_NOSAVE.

    Warning: If this file exists when a patch is installed, the
             patch cannot be deinstalled. Please be careful when
             using this feature.

    It is recommended that you move the PHNE_17349.text file to
    /var/adm/sw/patch for future reference.

    To put this patch on a magnetic tape and install from the
    tape drive, use the command:

        dd if=/tmp/PHNE_17349.depot of=/dev/rmt/0m bs=2k

Special Installation Instructions:

    ================================
    What is the NIS Shell Directory?
    ================================

    In the Trusted Operating System, local accounts have certain
    per user configuration files, such as the ksh's .profile. Some
    programs, such as the shells, have been modified to look for
    these files in /tcb/files/shell. In order to change these
    files, the user must have the chprof authorization.

    NIS accounts need to be subject to the same policy mechanisms
    as local accounts, as well as being available for all hosts in
    the domain. So, to be consistent with the above chprof
    implementation, NIS accounts access a special shell directory
    at /var/yp/NISClient/shell which is NFS exported from the NIS
    Shell server.

    ========================
    How to use the NIS Shell
    ========================

    In order to use the NIS shell mechanism, you must first
    configure the shell server, then the shell clients.

    On the NIS shell server, edit the /etc/rc.config.d/namesvrs
    file. Change the variable NIS_SHELL_SERVER to 1. Set the
    NIS_SHELL_NAME to the name of the NIS shell server. Set
    NIS_SHELL_PATH to the path that you will be exporting to the
    shell clients.
    We recommend /var/yp/NISClient/shell. (Please see "Upgrading
    from earlier implementation", below.)

    To activate the NIS shell server, execute
    '/sbin/init.d/nis.shell start'. This adds the NIS_SHELL_PATH to
    the exports(4) file, and exports this filesystem via
    exportfs(1M). On the NIS master server, it mounts the
    NIS_SHELL_PATH on /var/yp/NISServer/shell, so that existing
    applications, such as account creation from the role programs,
    work. It also mounts NIS_SHELL_PATH on /var/yp/NISClient/shell,
    so that client programs can continue to function.

    Now you can configure your NIS shell client systems. On each
    client, edit the /etc/rc.config.d/namesvrs file. Ensure that
    NIS_SHELL_SERVER is 0. Set NIS_SHELL_NAME to the name of the
    NIS shell server, and set NIS_SHELL_PATH to the directory
    exported by the server. Execute '/sbin/init.d/nis.shell start'
    to mount the filesystem.

    =====================================
    Upgrading from earlier implementation
    =====================================

    If you have created NIS users before installing the NIS shell
    server patch (PHNE_17349), some additional work is required.

    The older method used the directory /var/yp/NISServer/shell on
    the NIS master server as the NIS shell directory. If you choose
    to use some other directory or another machine, you must move
    all the existing data into the new location before starting up
    NIS shell service.

    Note: If you set the NIS_SHELL_PATH to the suggested
          /var/yp/NISClient/shell, and do not move your old data,
          it will become inaccessible when the nis.shell service is
          started. You may also need to unmount the old shell
          filesystem first.

    Once the data has been moved, you may continue setting up the
    NIS shell service. As cleanup, check the /etc/exports on your
    NIS master server and remove any filesystems that are no longer
    needed.
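
The server and client settings above, together with the upgrade caveat, as an added pre-flight check to run before '/sbin/init.d/nis.shell start'. This is an example added here, not part of the HP patch or its scripts. The function names, the host name shellhost and the scratch files are constructed for illustration; on a real system the inputs would be /etc/rc.config.d/namesvrs and /var/yp/NISServer/shell.

```shell
#!/bin/sh
# Added example (not HP's script): pre-flight check for the NIS shell settings.

# get_var FILE NAME: print the last NAME=value in FILE without sourcing it,
# so nothing in the config file gets executed by the checker.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//'
}

# check_config FILE ROLE (server|client): report settings that contradict
# the documented values; returns 0 only if all three variables look right.
check_config() {
    rc=0; want=0
    if [ "$2" = server ]; then want=1; fi
    [ "$(get_var "$1" NIS_SHELL_SERVER)" = "$want" ] ||
        { echo "NIS_SHELL_SERVER must be $want on a $2"; rc=1; }
    [ -n "$(get_var "$1" NIS_SHELL_NAME)" ] ||
        { echo "NIS_SHELL_NAME is not set"; rc=1; }
    case $(get_var "$1" NIS_SHELL_PATH) in
        /*) ;;
        *) echo "NIS_SHELL_PATH must be an absolute directory path"; rc=1 ;;
    esac
    return $rc
}

# legacy_needs_move LEGACY_DIR NIS_SHELL_PATH NIS_SHELL_NAME THIS_HOST:
# returns 0 when LEGACY_DIR still holds files and the new settings point at
# another directory or machine, i.e. the data must be moved before
# 'nis.shell start' mounts over it.
legacy_needs_move() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ] || return 1
    [ "$1" != "$2" ] || [ "$3" != "$4" ]
}

# Constructed sample: a scratch copy of the settings and a fake legacy tree.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/NISServer/shell/alice"
    printf '%s\n' 'NIS_SHELL_SERVER=1' 'NIS_SHELL_NAME="shellhost"  # sample' \
        'NIS_SHELL_PATH=/var/yp/NISClient/shell' > "$d/namesvrs"
    check_config "$d/namesvrs" server && echo "server settings OK"
    check_config "$d/namesvrs" client || echo "(expected: wrong role)"
    legacy_needs_move "$d/NISServer/shell" /var/yp/NISClient/shell \
        shellhost shellhost && echo "move legacy data before starting nis.shell"
    rm -rf "$d"
}
demo
```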