smtnrhdb(1M) System Administration Commands smtnrhdb(1M)NAMEsmtnrhdb - manage entries in the tnrhdb database
SYNOPSIS
/usr/sadm/bin/smtnrhdb subcommand [auth_args] -- subcommand_args]
DESCRIPTION
The smtnrhdb command adds, modifies, deletes, and lists entries in the
tnrhdb database.
The tnrhdb database specifies which remote-host template to use for
each host, including the local host, in the distributed system. If a
host's IP address cannot be matched to some entry in the tnrhdb data‐
base, communication with the host is not permitted.
The smtnrhdb command requires the Solaris Management Console to be ini‐
tialized for the command to succeed (see smc(1M)). After rebooting the
Solaris Management Console server, the first smc connection can time
out, so you might need to retry the command.
Valid Host Addresses and Wildcards
The trusted network software uses a network "longest prefix of matching
bits" mechanism when looking for a host. The software looks first for
the IP address of the host. If the software does not find this address,
then the software falls back to searching for an IP address with the
longest prefix of a matching bit pattern, and so on.
Note -
The actual numeric value of the subnet address or other subnetting
information on the system (for example, from the netmasks(4) file)
are not considered by this mechanism.
Using the "longest prefix of matching bits" mechanism, an IPv4 address
of 0.0.0.0 is a wildcard address with a prefix length of 0 and hence
matches any IPv4 address. For more information about prefi x lengths in
IPv4 and IPv6 addresses, see System Administration Guide: IP Services.
The smtnrhdb command accepts a hostname, IP address, and wildcard
address with as optional prefix as valid addresses. See subcom‐
mand_args, below, for the format of valid addresses.
SUB-COMMANDS
smtnrhdb subcommands are:
add
Adds a new entry to the tnrhdb database. To add an entry, the
administrator must have the solaris.network.host.write and
solaris.network.security.write authorizations.
delete
Deletes an entry from the tnrhdb database. To delete an entry, the
administrator must have the solaris.network.host.write and
solaris.network.security.write authorizations.
list
Lists all entries in the tnrhdb database. To list an entry, the
administrator must have the solaris.network.host.read and
solaris.network.security.read authorizations.
modify
Modifies an entry in the tnrhdb database. To modify an entry, the
administrator must have the solaris.network.host.write and
solaris.network.security.write authorizations.
OPTIONS
The smtnrhdb authentication arguments, auth_args, are derived from the
smc arg set. These arguments are the same regardless of which subcom‐
mand you use.
The subcommand-specific options, subcommand_args, must be preceded by
the -- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all
optional. If no auth_args are specified, certain defaults will be
assumed and the user might be prompted for additional information, such
as a password for authentication purposes. These letter options can
also be specified by their equivalent option words preceded by a double
dash. For example, you can use either -D or --domain.
-D | --domain domain
Specifies the default domain that you want to manage. The syntax of
domain=type:/host_name/domain_name, where type is dns, ldap, or
file; host_name is the name of the server; and domain_name is the
name of the domain you want to manage.
If you do not specify this option, the Solaris Management Console
assumes the file default domain on whatever server you choose to
manage, meaning that changes are local to the server. Toolboxes can
change the domain on a tool-by-tool basis; this option specifies
the domain for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to connect. If
you do not specify a port, the system connects to the default port,
898. If you do not specify host_name:port, the Solaris Management
Console connects to the local host on port 898.
-l | --rolepassword role_password
Specifies the password for the role_name. If you specify a
role_name but do not specify a role_password, the system prompts
you to supply a role_password. Passwords specified on the command
line can be seen by any user on the system, hence this option is
considered insecure.
-p | --password password
Specifies the password for the user_name. If you do not specify a
password, the system prompts you for one. Passwords specified on
the command line can be seen by any user on the system, hence this
option is considered insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do not specify
this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do not specify
this option, the user identity running the console process is
assumed.
--
This option is required and must always follow the preceding
options. If you do not enter the preceding options, you must still
enter the -- option.
subcommand_args
Note: Descriptions and other arg options that contain white spaces must
be enclosed in double quotes.
-h
Displays the command's usage statement.
-H hostname
Specifies the name of the host. For the list subcommand, the host‐
name argument is not specified. This is not required if the ipad‐
dress subcommand argument is specified.
-i ipaddress
Specifies the IP address of the host. This is not required if the
hostname subcommand argument is specified. This option is not valid
with the -w option.
-n templatename
Specifies the name of an existing template.
-p prefixlen
Specifies the prefix length (in bits) of a wildcard representation
of the IP address. The prefix is the left-most portion of the IP
address. This option is valid only with the -w option. For example,
when the value of -w ipaddress-wildcard is 192.168.0.0, a prefixlen
value of 24 indicates that the wildcard matches all addresses on
the 192.168.0 network. With a prefixlen of 32, the wildcard
192.168.0.0 matches all addresses on the 192.168.0.0 network.
-w ipaddress-wildcard
Specifies the IP address of the subnet using a wildcard.
o One of the following sets of arguments must be specified for
subcommand add:
-H hostname -n templatename |
-i ipaddress -n templatename |
-w ipaddress-wildcard -n templatename [ -p prefixlen ] |
-h
o One of the following sets of arguments must be specified for
subcommand modify:
-H hostname -n templatename |
-i ipaddress -n templatename |
-w ipaddress-wildcard -n templatename [ -p prefixlen ] |
-h
o One of the following sets of arguments must be specified for
subcommand delete:
-H hostname |
-i ipaddress |
-w ipaddress-wildcard [ -p prefixlen ] |
-h
o The subcommand list takes the following argument:
-h
EXAMPLES
Example 1 Specifying the Template Name for a Wildcard IP Address
The admin role specifies the template name, cipso_lan, for a series of
hosts that use the IP address wildcard 192.168.113.0 on the local file
system. Since no authorization arguments were specified, the adminis‐
trator connects to port 898 of the local host on the local server with
the file domain type, which are the defaults. The administrator is
prompted for the admin password.
$ usr/sadm/bin/smtnrhdb add -- -w 192.168.113.0 -n cipso_lan
Example 2 Deleting an Entry in the tnrhdb Database
The admin role connects to port 898 (which happens to be the default)
of the LDAP server and deletes a host entry from the database by speci‐
fying its IP address, 192.168.113.8. Since the domain was not speci‐
fied, the file domain type and local server are used by default. The
administrator is prompted for the admin password.
# /usr/sadm/bin/smtnrhdb delete -D ldap:/example.domain -i 192.168.113.8
Example 3 Adding a Subnet to the tnrhdb Database
The following command adds all the addresses on the 192.168.55.0 sub‐
net, from 192.168.55.1 to 192.168.55.255, to the tnrhdb database:
# /usr/sadm/bin/smtnrhdb add \
-D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \
-- -w 192.168.55.0 -n cipso
Authenticating as user: root
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.exampleco.admin.hostmgr.cli.smtnrhdb.HostMgrTnrhdbCli
from machine1.ExampleCo.COM
Login to machine1.ExampleCo.COM as user root was successful.
Download of com.exampleco.admin.hostmgr.cli.smtnrhdb.HostMgrTnrhdbCli
from machine1.ExampleCo.COM
was successful.
Example 4 Adding Subnet 192.168.0 to the tnrhdb Database
The following command adds all the addresses on the 192.168.0 subnet,
from 192.168.0.1 to 192.168.0.255 to the tnrhdb database. The prefix,
24, indicates that the first 24 bits (192.168.0) are fixed. Only the
final zero is a wildcard.
# /usr/sadm/bin/smtnrhdb add \
-D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \
-- -w 192.168.0.0 -p 24 -n cipso
Login to machine1.ExampleCo.COM as user root was successful.
Download of com.exampleco.admin.hostmgr.cli.smtnrhdb.HostMgrTnrhdbCli
from machine1.ExampleCo.COM was successful.
EXIT STATUS
The following exit values are returned:
0
Successful completion.
1
Invalid command syntax. A usage message displays.
2
An error occurred while executing the command. An error message
displays.
FILES
The following files are used by the smtnrhdb command:
/etc/security/tsol/tnrhdb
Trusted network remote-host database.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWmgts │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOsmc(1M), netmasks(4), attributes(5)
System Administration Guide: Security Services
NOTES
The functionality described on this manual page is available only if
the system is configured with Trusted Extensions.
SunOS 5.10 19 Dec 2008 smtnrhdb(1M)
