Killing /etc/.rootkey (on Sun's recommendation)

Michael J. Wargo michael at vision.mit.edu
Tue Mar 14 11:08:57 AEST 1989


Boy, do I need help!

First, the background.  I set up a 386i as a master server on a subnet of
MIT's campus network (18.82 within 18).  When I "just turned on the second
386i to automatically configure it".... It was given a default name,
'oak', that I didn't want.  After working to get the name that we wanted,
'bohr', (guess what we teach), I found out that, yes, it had connected to
the existing YP domain (YP.emg.mit.edu) but after adding the first user at
bohr, the next user's home directory (that I wanted to add to bohr) had to
be added (by SNAP) to my original 386i (YP master, agricola).  Trying to
add it to bohr resulted in an error message indicating that there were
security problems, and that I should check the /var/adm/messages file on
bohr.  The file said that there might be a problem with the publickey file
on the YP master, agricola.  'oak' was still there in publickey.  I killed
it and remade the YP database, but it didn't help in letting me add
another user to bohr.  (Same error message from SNAP.)

I had (I thought) RTFM, but when things started going south, I re-read
(read) the 'Sun386i Administrator's & Developer's Notes - December 1988',
p.6 where it said that there was a problem with user accounts, public
credentials, secure RPC and the rest of the known universe.  The last
thing it says in the section (p. 7), is that "you must delete the
/etc/.rootkey file on that system, along with /etc/keystore, before you
reboot the system".

After doing just this, and rebooting, the system (bohr) informed me that
secure RPC's could not be provided since /etc/.rootkey was missing!  Time
Passes .....*further RTFM*.....  In the "Security Features Guide", 'Secure
Networking, 6.1 #4, p.72, it says: "Administrators should take care not to
delete /etc/keystore and /etc/.rootkey (the latter file contains the
private key for root)." Have I really screwed up, or is there an elegant
guru's way out of this?  Is this a case of 'catch 22' (manual writers'
non-communication with themselves) or have I not *really* RTFM?

**SECOND AND THIRD QUESTIONS**

There seems to be no indication in TFM as to how to load SunOS
Applications onto a 386i without a tape drive (bohr) from one with one
(agricola).

One more question.  Is there a way to add a new 386i to our YP domain if
it's outside our subnet?  i.e. add a 386i (babel) in 18.80.**.** to my
386i YP master (agricola) in 18.82.**.**?  This option exists in the
start-up on a new 386i ('add to an existing YP network'), but when you
provide the YP domain (YP.emg.mit.edu) at the prompt, the new system
cannot go through the intervening gateways (2 of 'em) to get to my YP
master.

	Thanks for all the
	help, I've just been 
	a listener so far.

	Mike

ARPA:  michael at vision.mit.edu  	'the Masscomp that works'
       michael at agricola.mit.edu    'the 386i that should'

USPS:  Michael J. Wargo		'ma bell':  617-253-3295
       MIT, Room 13-4057
       Cambridge, MA 02139
