NIS

 

This module discusses the actual setup of NIS. All information used in NIS is stored in binary databases (called "maps") on NIS master and slave servers.  Clients, and the servers themselves, can use this information to allow user access, locate hosts, automount directories etc.  NIS requires a domain name, which it uses to identify those machines it serves. The domain name used is normally the DNS domain name.  When a NIS client first requests service from a NIS master, it "binds" to that master, which then supplies all its name services.  Should that master become unavailable, the client will retry the master several times before trying a slave server.  It will then bind to the slave server, and get all its services from that server, even if the master comes up again.  Thus, name services may be unavailable for a few minutes after a master server goes offline, even if a slave server is available.

 

Setting up a NIS client

 

files

 

When a NIS client needs information, such as that in /etc/passwd, it can get it from one of two places: the /etc/passwd file on its own disk, or the NIS databases.  Which location is used depends on a template file, /etc/nsswitch.conf.  This file is used by LDAP,  NIS and NIS+.  The system comes supplied with a template for each.  These files are stored as /etc/nsswitch.ldap, /etc/nsswitch.nis and /etc/nsswitch.nisplus.  Copy /etc/nsswitch.nis to /etc/nsswitch.conf to set up a NIS client. When you want to disable NIS, copy /etc/nsswitch.files to /etc/nsswitch.conf.

 

/etc/inet/hosts - NIS servers must have an entry in this file

 

/etc/nsswitch.conf

 

Each database used in NIS has an entry in /etc/nsswitch.conf.  The entries are in the form:

 

data:                            where_to_look

 

As an example: 

 

hosts:               nis [NOTFOUND=return]       files

passwd:           files     nis

 

These two nsswitch.conf entries show most of the possible permutations.  For hosts, which associates hostnames with IP addresses, the first entry in the "where to look" column is "nis", so the system looks first in the NIS databases on the NIS server.  If no NIS database entry is found, the action value NOTFOUND=return causes the system to stop looking for hosts.  No name resolution of hosts will be available.

 

For passwd, which associates usernames with UIDs, GIDs, etc, the first entry is files, so the system looks first in the system file /etc/passwd.  If no entry is found in the local file /etc/passwd, the system then looks in the NIS map.

 

Every time a lookup is attempted, some kind of return is given.  If the system finds the requested information, the result is SUCCESS.  By default, if SUCCESS is returned, the system executes the action "return", which causes it to stop looking for the data.  If the server or map is unavailable, the return is UNAVAIL; if the server tells the client it's busy, the return is TRYAGAIN, and if the entry is not found, the return is NOTFOUND.  In all these cases, the system executes the action "continue," which tries the next listed source for the entry.

 

It is possible to force the action you want to take place.  If you want the system to stop looking for the host data if the NIS map cannot be found, then after nis in the file /etc/nsswitch.conf, insert [NOTFOUND=return].  This forces the system to stop looking for the hosts database once it has unsuccessfully tried to locate it on the NIS server.
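The lookup rules described above, as an added example that is not part of the original module: the hypothetical function nss_walk takes one nsswitch.conf entry plus constructed per-source answers and reports where the lookup stops. It shows that with [NOTFOUND=return] the local file is consulted only when NIS itself is unavailable.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original module).
# nss_walk ENTRY ANSWERS
#   ENTRY   one nsswitch.conf line, e.g. 'hosts: nis [NOTFOUND=return] files'
#   ANSWERS constructed "source=STATUS" pairs standing in for real lookups
# Prints "source STATUS" for the source where the lookup stopped, or
# "none STATUS" when every listed source was tried without a "return".
nss_walk() {
    awk -v entry="$1" -v answers="$2" 'BEGIN {
        n = split(answers, a, " ")
        for (i = 1; i <= n; i++) { split(a[i], kv, "="); status[kv[1]] = kv[2] }
        sub(/^[^:]*:/, "", entry)                 # drop the database name
        gsub(/\[/, " [ ", entry); gsub(/\]/, " ] ", entry)
        n = split(entry, tok, " ")
        for (i = 1; i <= n; i++) {
            if (tok[i] == "[") inb = 1
            else if (tok[i] == "]") inb = 0
            else if (inb) { split(toupper(tok[i]), kv, "="); act[ns, kv[1]] = tolower(kv[2]) }
            else src[++ns] = tok[i]
        }
        for (i = 1; i <= ns; i++) {
            # A source with no constructed answer is treated as unreachable.
            st = (src[i] in status) ? status[src[i]] : "UNAVAIL"
            # Defaults from the text: SUCCESS=return, every other status=continue.
            ac = ((i, st) in act) ? act[i, st] : (st == "SUCCESS" ? "return" : "continue")
            if (ac == "return") { print src[i], st; exit }
        }
        print "none", st
    }'
}

# Host present only in /etc/hosts: NIS answers NOTFOUND and the lookup stops.
nss_walk 'hosts: nis [NOTFOUND=return] files' 'nis=NOTFOUND files=SUCCESS'
# NIS server down: UNAVAIL keeps its default "continue", so files is used.
nss_walk 'hosts: nis [NOTFOUND=return] files' 'nis=UNAVAIL files=SUCCESS'
# passwd: a user missing from the local file is taken from the NIS map.
nss_walk 'passwd: files nis' 'files=NOTFOUND nis=SUCCESS'
```
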

 

For automounted resources, such as the direct map or the auto home map, NIS looks only at the first resource listed in the file /etc/nsswitch.conf.  Thus, if the first resource is "nis," only the nis maps will be used in automounting.  If the first resource listed is "files," the files /etc/auto_direct, /etc/auto_home and /etc/auto_master will be the only resources used, UNLESS they contain an entry such as +auto_master (for the master map), +auto_direct (for the direct map) or +auto_home (for the auto_home map).  These entries redirect name resolution to NIS, and have exactly the same result as listing "nis" first in the file /etc/nsswitch.conf.  It is therefore of no use to have two entries in the file /etc/nsswitch.conf for automounted resources.

 

commands to set up a NIS client

cp /etc/nsswitch.nis  /etc/nsswitch.conf  (customize as required).

domainname sets the NIS domain.  This should be the same as the DNS domain.

domainname rm4.ebay.sun.com

The domain name must be added to the file /etc/defaultdomain

domainname > /etc/defaultdomain

ypinit -c  which prompts for the list of servers.

svcadm enable nis/client  which starts the NIS daemon ypbind. The ypbind daemon binds the client to the master server (or slave, if the master is unavailable) to get map information.

 

Setting up a NIS Master Server

 

files

 

The NIS server is also a client, so the server must be set up as a client up to the point where you run ypinit.

1. Check /etc/hosts

2. Copy /etc/nsswitch.nis to /etc/nsswitch.conf and customize the file as you want.

3. Set the NIS domain with `domainname`

4. Populate the file /etc/defaultdomain with the domain name.

 

In addition, there are two important sets of files on the NIS master server.  First, there are the ASCII database files that will be transformed into the binary NIS maps listed in the book.  These include such files as /etc/hosts, /etc/passwd, /etc/auto_master and /etc/group.  When a NIS master is first set up, these files must be complete and correct, or wrong values will be included in the final NIS maps.  NIS requires a complete set of these maps to exist; some that do not already exist by default, namely /etc/ethers, /etc/bootparams, /etc/netgroup, /etc/timezone and /etc/audit_user must be created (by touch).  Generally on the master server, the passwd and shadow files should be located in some other directory than /etc, or the root login information and password will end up being passed to all the clients when /etc/shadow is turned into a NIS map. If you move the shadow and passwd files to another directory, the Makefile must be updated by changing PWDIR = /etc to  PWDIR=/newdir.  Then, copy the /etc/passwd and /etc/shadow files to the new directory,  but leave the original files in place. Remove the login information for root (and anyone else you do not want logging in from any client) from passwd and shadow in the new directory.  On the server, change the file /etc/nsswitch.conf so that it lists "files" and nothing else as the source for passwd. The daemon rpc.yppasswdd will automatically change passwords in $PWDIR. 
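A check that could be run on the master before the maps are built, as an added example that is not part of the original module: the hypothetical function audit_pwdir reads PWDIR from the Makefile and reports root or UID 0 entries left in the source files, and a passwd entry in nsswitch.conf that is not files-only. The fixture files, account names and hash strings are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original module).
# audit_pwdir MAKEFILE NSSWITCH: one finding per line, no output when clean.
audit_pwdir() {
    makefile=$1 nsswitch=$2
    # /var/yp/Makefile names the source directory: "PWDIR = /etc" or "PWDIR=/newdir".
    pwdir=$(sed -n 's/^PWDIR[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$makefile" | head -n 1)
    if [ -z "$pwdir" ]; then echo "no PWDIR line in $makefile"; return 0; fi
    if [ "$pwdir" = /etc ]; then echo "PWDIR is still /etc"; fi
    # Every UID 0 account left in the source passwd file is built into the map.
    awk -F: '$3 == 0 { print "uid0 in passwd: " $1 }' "$pwdir/passwd"
    # A root line left in the source shadow file hands its hash to all clients.
    awk -F: '$1 == "root" { print "root in shadow" }' "$pwdir/shadow"
    # The master itself should resolve passwd from local files only.
    awk '$1 == "passwd:" && !(NF == 2 && $2 == "files") {
        print "nsswitch passwd is not files-only" }' "$nsswitch"
}

# Constructed fixture in a scratch directory; no real system file is read.
demo=$(mktemp -d)
mkdir "$demo/nispw"
printf 'PWDIR = %s\n' "$demo/nispw" > "$demo/Makefile"
printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' \
    'alice:x:1001:10::/home/alice:/bin/sh' > "$demo/nispw/passwd"
printf '%s\n' 'root:CONSTRUCTED-HASH:6445::::::' \
    'alice:CONSTRUCTED-HASH:15000::::::' > "$demo/nispw/shadow"
printf '%s\n' 'passwd: files nis' 'hosts: nis files' > "$demo/nsswitch.conf"

# Reports the root entries and the nsswitch setting that still need fixing.
audit_pwdir "$demo/Makefile" "$demo/nsswitch.conf"
```

On a real master the arguments would be /var/yp/Makefile and /etc/nsswitch.conf.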

 

The second group of NIS files are the NIS maps, located in /var/yp/domainname.  These are constructed when a server is set up, from the existing ASCII database files.  A set of these maps allows NIS to look up values in varying ways.  Each map has a name with the format:

 

map.key.pag or  map.key.dir

 

Where "map" is the name of the data (hosts, passwd, etc.)

"key" is the way the data in the map are sorted, whether by name (byname) or by the address (byaddr) in the case of "hosts". The suffix gives the type of map file: actual data files end in .pag, while indexes of the data files end in .dir.

 

Each map contains entries consisting of 2 items: for "byname" maps, the first entry, called the "key," will be the name, and the second the numerical value; for "byaddr" maps, the IP address (for example) will be first and the name second. 

 

The creation of the maps is controlled by the file /var/yp/Makefile.  A make file is a file that controls compilation of a program.  It is used in programming when a program has multiple subroutines, uses a number of libraries and generally is complex.  Make files are ASCII files and can be altered to change the exact way that compilation occurs. The Makefile is run by ypinit -m, but can also be run after NIS is started using the command "make".  If changes are made to the NIS maps, this command must be issued for those changes to take effect.

 

cd /var/yp

/usr/ccs/bin/make

 

commands to set up a NIS master server

cp /etc/nsswitch.nis  /etc/nsswitch.conf  (customize as required).

touch /etc/ethers /etc/bootparams /etc/netgroup /etc/timezone /etc/audit_user /etc/auto_direct

domainname rm4.ebay.sun.com

domainname > /etc/defaultdomain

ypinit -m sets up the master server by building the master maps and setting up a list of slave servers.

svcadm enable nis/server  starts the NIS daemons ypserv, ypbind, and ypxfrd, which make requests for name resolving (ypbind), answer requests from clients (ypserv) and transfer files from master to slave servers (ypxfrd). rpc.yppasswdd is also started, and updates and transfers changes to the shadow file. rpc.ypupdated works with secure RPC.

 

Setting up a NIS slave server

 

NIS slave servers must be set up as clients, including running ypinit -c.

1. Check /etc/hosts

2. Copy /etc/nsswitch.nis to /etc/nsswitch.conf and customize the file as you want.

3. Set the NIS domain with `domainname`

4. Populate the file /etc/defaultdomain with the domain name.

5. ypinit -c

6.  svcadm enable nis/client.

7. svcadm disable nis/client

8. ypinit -s master_server_name  Pulls the NIS maps

9. svcadm enable nis/server starts the NIS server daemons.

 

files

 

The map files needed on the slave server are pulled over from the master server.

 

 

NIS maintenance commands

 

ypwhich                       lists the name of the master server

ypwhich -m                  lists all the databases on the master server

 

ypcat map                   lists the contents of the database "map"

 

ypmatch key                lists all values of "key" from all map files.

ypmatch key map        lists the value of the key from a specific map file

                                    (used when more than one database contains that key value)

/usr/lib/netsvc/yp/ypstop        stops the NIS daemons

 

Updating NIS maps

 

When users or hosts are added or other changes are made, they have to be added to the NIS maps.  The reason NIS is useful is, in fact, because it allows such changes to be made on just one server.  When the main /etc databases are changed on the server, the NIS maps must be rebuilt, and then transferred to the slave servers.  The following commands are used:

 

1. To update the NIS maps and push them to the slave servers (sometimes fails):

cd /var/yp

/usr/ccs/bin/make

2. To transfer the NIS maps to the slave servers (if necessary):

On the slave server:

/usr/lib/netsvc/yp/ypxfr map_name

OR

ypinit -s master_server_name to transfer all maps (on the slave server)

OR automatically  using the scripts (usually set up as cron jobs on the slave server)

/usr/lib/netsvc/yp/ypxfr_1perhour

/usr/lib/netsvc/yp/ypxfr_1perday

/usr/lib/netsvc/yp/ypxfr_2perday

 

password maintenance

 

The file containing passwords is changed more often than any other file, and is the only database in NIS changed by users, so it can be set up to be automatically pushed. The daemon required is called rpc.yppasswdd and is started by ypinit  -m, but if it fails to start, or is killed, it can be restarted with the command:

 

/usr/lib/netsvc/yp/rpc.yppasswdd  -D <pwdir from makefile>  -m

 

where the -m option causes the make on passwd to be automatically performed whenever passwords are changed, and the -D is followed by the name of the directory containing the password and shadow files (usually the value of the macro PWDIR in the Makefile).

 

Passwords can now be changed normally by any user with passwd. Because NIS was originally based on Berkeley Unix, which did not support password aging, NIS also does not do password aging - that information in /etc/shadow is ignored.

 

At the end of the lab, remove NIS:

 

1. svcadm disable nis/server|client - stops the NIS daemons

2. domainname " "

3. rm /etc/defaultdomain

4. cp /etc/nsswitch.files /etc/nsswitch.conf

5. cd /var/yp

6. remove all files from /var/yp/domainname and /var/yp/binding.
