nisupdkeys - update the public keys in a NIS+ directory
/usr/lib/nis/nisupdkeys [-a | -C] [-H host] [directory]
/usr/lib/nis/nisupdkeys -s [-a | -C] -H host
This command updates the public keys in an NIS+ directory
object. When the public key(s) for a NIS+ server are
changed, nisupdkeys reads a directory object and attempts to
get the public key data for each server of that directory.
These keys are placed in the directory object and the object
is then modified to reflect the new keys. If directory is
present, the directory object for that directory is updated.
Otherwise the directory object for the default domain is
updated. The new key must be propagated to all directory
objects that reference that server.
On the other hand, nisupdkeys -s gets a list of all the
directories served by host and updates those directory
objects. This assumes that the caller has adequate permis-
sion to change all the associated directory objects. The
list of directories being served by a given server can also
be obtained by nisstat(1M). Before you do this operation,
make sure that the new address/public key has been pro-
pagated to all replicas. If multiple authentication mechan-
isms are configured using nisauthconf(1M), then the keys
for those mechanisms will also be updated or cleared.
The user executing this command must have modify access to
the directory object for it to succeed. The existing direc-
tory object can be displayed with the niscat(1) command
using the -o option.
This command does not update the directory objects stored in
the NIS_COLD_START file on the NIS+ clients.
If a server is also the root master server, then nisupdkeys
-s cannot be used to update the root directory.
-a Update the universal addresses of the NIS+ servers in
the directory object. Currently, this only works for
the TCP/IP family of transports. This option should
be used when the IP address of the server is changed.
The server's new address is resolved using
getipnodebyname(3SOCKET) on this machine. The
/etc/nsswitch.conf file must point to the correct
source for ipnodes and hosts for this resolution to
-C Specify to clear rather than set the public key(s).
Communication with a server that has no public key(s)
does not require the use of secure RPC.
Limit key changes only to the server named host. If
the hostname is not a fully qualified NIS+ name, then
it is assumed to be a host in the default domain. If
the named host does not serve the directory, no action
-s Update all the NIS+ directory objects served by the
specified server. This assumes that the caller has
adequate access rights to change all the associated
directory objects. If the NIS+ principal making this
call does not have adequate permissions to update the
directory objects, those particular updates will fail
and the caller will be notified. If the rpc.nisd on
host cannot return the list of servers it serves, the
command will print an error message. The caller would
then have to invoke nisupdkeys multiple times (as in
the first synopsis), once per NIS+ directory that it
Example 1: Using nisupdkeys
The following example updates the keys for servers of the
example% nisupdkeys foo.bar.
This example updates the key(s) for host fred that serves
the foo.bar. domain.
example% nisupdkeys -H fred foo.bar.
This example clears the public key(s) for host wilma in the
example% nisupdkeys -CH wilma foo.bar.
This example updates the public key(s) in all directory
objects that are served by the host wilma.
example% nisupdkeys -s -H wilma
See attributes(5) for descriptions of the following attri-
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
| Availability | SUNWnisu |
chkey(1), niscat(1), nisaddcred(1M), nisauthconf(1M),
nisstat(1M), getipnodebyname(3SOCKET), nis_objects(3NSL),
NIS+ might not be supported in future releases of the
SolarisTM Operating Environment. Tools to aid the migration
from NIS+ to LDAP are available in the Solaris 9 operating
environment. For more information, visit
Man(1) output converted with