Demand has caused me to post this summary of how to change root passwords on
clients, root master servers, and non-root servers (replicas). Most of the
problems were caused by Sun themselves not telling their customers how
to do it properly (I can quote patch-ids!).
From rob Thu Mar 16 15:59:48 1995
Subject: Re: root passwords
I gather that the workstations are NIS+ clients. If so, this is how I would
Change the passwords on the clients first. Remember that the clients should
have des credentials only. On the master server create new credentials,
this will create a new public and private key for the client.
It will ask you to enter in the client's root password. Make sure that this
is the NEW password.
Log onto the client and rm -rf /var/nis. Change the root password now.
Kill the cache manager and initialise the client, I usually do this by
broadcast as my clients are on the same subnet, if not do it by hostname.
nisinit -c -B
That should be it for the clients.
Because a nis replica is essentially a client of the master, use the
above method to change its password. Remember after all of this to
propagate the server's tables by doing a nisping -C.
As for the master, take a backup copy of /var/nis/* and /etc/.rootkey
first. I personally would do this after hours or in a CC slot.
Change the root password, using passwd.
Run chkey -p. This will generate a new private key, and update /etc/.rootkey.
The root account keeps its private key in this file in case "keyserv" is
That's it. The change will be propagated to the replica. You should not
have to change the replica at all, only checkpoint the master.
Do not run "nisaddcred des" or nisupdkeys under any circumstances (unless
you have trashed nis). You will change the public key and even lock the
master out from itself! If you do accidentally change the public key, do a
"nisaddcred des" on the root master server and propagate this using a
nisupdkeys on "org_dir.domain" "groups_dir.domain" and "domain". If you have
large tables this may take 5 to 10 minutes and your users will not be able
to see the name space (log in) until it is finished.
Good luck, hope this helps.
\ = ,-_|\
/\/(_)\|/|\ Systems Administrator phone: +61 9 2221733 *_,-._/
Police Perth, Western Australia v
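
The backup step for the root master described above, as an added example that is not part of the original post: it archives /var/nis and /etc/.rootkey together, keeps the archive owner-readable only because .rootkey holds root's private key, and verifies the result before the password is changed. The function name, its arguments, the default destination and the archive name are assumptions.

```shell
#!/bin/sh
# Added example: back up NIS+ state before a root master password change.
# backup_nis_state, its arguments and the archive name are hypothetical.

# usage: backup_nis_state [ROOT] [DEST]
#   ROOT  filesystem root holding var/nis and etc/.rootkey (default /)
#   DEST  directory to write the archive into (default /var/tmp)
backup_nis_state() {
    root=${1:-/}
    dest=${2:-/var/tmp}

    # Refuse to continue if either piece is missing: a partial backup
    # cannot restore a master whose keys were changed by mistake.
    [ -d "$root/var/nis" ] || { echo "missing $root/var/nis" >&2; return 1; }
    [ -f "$root/etc/.rootkey" ] || { echo "missing $root/etc/.rootkey" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such directory: $dest" >&2; return 1; }

    dest=$(cd "$dest" && pwd) || return 1
    archive="$dest/nisplus-pre-passwd-$(date +%Y%m%d%H%M%S).tar"

    # .rootkey holds root's private key, so the archive is created
    # readable by its owner only. The subshell keeps umask and cd local.
    (
        umask 077
        cd "$root" && tar cf "$archive" var/nis etc/.rootkey
    ) || { rm -f "$archive"; return 1; }

    # Verify the archive lists the key file before trusting it.
    if ! tar tf "$archive" | grep 'etc/\.rootkey$' >/dev/null; then
        echo "backup verification failed: $archive" >&2
        rm -f "$archive"
        return 1
    fi

    # Print the archive path so the caller can record it.
    echo "$archive"
}
```

Run it as root on the master with no arguments before running passwd and chkey -p, and note the printed archive path.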