Solaris Name Services

Planning Your NIS Domain

Before you configure systems as NIS servers or clients, you must plan the NIS domain. Each domain has a domain name, and each system sharing the common set of maps belongs to that domain. Follow these steps to plan your domain:

1. Decide which systems will be in your NIS domain.

2. Choose a NIS domain name. A NIS domain name can be up to 256 characters long, although much shorter names are more practical. A good practice is to limit domain names to no more than 32 characters. Domain names are case-sensitive. For convenience, you can use your Internet domain name as the basis for your NIS domain name. For example, if your Internet domain name is pdesigninc.com, you can name your NIS domain pdesigninc.com.

3. Before a system can use NIS services, the correct NIS domain name and system name must be set. A system's name is set by the system's /etc/nodename file and the system's domain name is set by the system's /etc/defaultdomain file. These files are read at start up time and the contents are used by the uname -S and domainname commands, respectively. A sample /etc/nodename file would look like this:

   more /etc/nodename

   The system responds with:

   sparcserver

   A sample /etc/defaultdomain file would look like this:

   more /etc/defaultdomain

   The system responds with:

   pdesigninc.com

You are now ready to configure your NIS master server.

Configuring a NIS Master Server

Before configuring a NIS master server, make sure the NIS package is installed. The package names are SUNWypu and SUNWypr. Use the pkginfo command to check for these packages. Both packages are part of the standard Solaris 2.6 release. The daemons that support the NIS service are described in Table 7-2.

Table 7-2 NIS Daemons

The commands that you use to manage the NIS service are shown in Table 7-3. I'll describe some of these commands in more detail later as I show examples of setting up NIS.

Table 7-3 NIS Commands

A NIS master server holds the source files for all the NIS maps in the domain. Any changes to the NIS maps must be made on the NIS master server. The NIS master server delivers information to NIS clients and supplies the NIS slave servers with up-to-date maps. Before starting up the NIS master server, some of the NIS source files need to be created.

One of the primary uses of NIS is to manage user logins and host files in a large networked environment. In a large network of systems, with several hundred users, imagine trying to keep the /etc/hosts, /etc/passwd, and /etc/group files up to date. Without NIS, every time a new system is added or removed, the /etc/hosts file must be updated. It's important to keep your /etc/hosts files in sync on every system on the network. Furthermore, without NIS, if a user changes a password, then that user must notify the system administrator that his or her password has changed. The system administrator must then make sure that all the /etc/shadow files are updated across the network. If not, the user is not able to login to another system using the new password.

The system administrator can manage the system configuration files, such as /etc/hosts and /etc/passwd, using NIS. With NIS, the system administrator sets up the /etc/hosts, /etc/passwd, and /etc/group files on one server. Rather than keeping a copy of the configuration file on each system, all systems look to this server for configuration information.

Creating the Master passwd File

The first task in setting up a NIS master server is to prepare the source file for the passwd map. However, be careful with this source file. The source files can be located either in the /etc directory on the master server or in some other directory. Locating the source files in /etc is undesirable because the contents of the maps are then the same as the contents of the local files on the master server. This is a special problem for passwd and shadow files, because all users would have access to the master server maps and because the root password would be passed to all YP clients through the passwd map.

Sun recommends, that for security reasons, and to prevent unauthorized root access, the files used to build the NIS password maps should not contain an entry for root. Therefore, the password maps should not be built from the files located in the master server's /etc directory. The password files used to build the password maps should have the root entry removed from them and they should be located in a directory that can be protected from unauthorized access.

For this exercise, copy all the source files from the /etc directory into the /var/yp directory. Because the source files are located in a directory other than /etc, modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/var/yp. Also, modify the PWDIR password macro in the Makefile to refer to the directory, in which the passwd and shadow files reside, by changing the line PWDIR=/etc to PWDIR=/var/yp.

Now, to create the passwd source file, use a copy of the /etc/passwd file on the system that becomes the master NIS server. Create a passwd file that has all the logins in it. This file is used to create the NIS map. You can do this by following these steps:

1. Copy the /etc/passwd file from each host in your network to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/passwd.<hostname>, in which hostname is the name of the host it came from.

2. Concatenate all the passwd files together into a temporary passwd file, as follows:

cd /var/yp
cat passwd passwd.hostname1 passwd.hostname2 ... > passwd.temp

3. Issue the sort command to sort the temporary passwd file by user name, and then pipe it to the uniq command to remove duplicate entries:

   sort –t : -k 1,1 /var/yp/passwd.temp | uniq > /var/yp/passwd.temp

   NIS does not require that the passwd file be sorted in any particular way. Sorting the passwd file simply makes it easier to find duplicate entries.

4. Examine /var/yp/passwd.temp for duplicate user names that were not caught by the previous uniq command. This could happen if a user login occurs twice but the lines are not exactly the same. If you find multiple entries for the same user, edit the file to remove redundant ones. Make sure each user in your network has a unique user name and UID (user ID).

5. Now, issue the following command to sort the temporary passwd file by UID:

sort -o /var/yp/passwd.temp -t: -k 3n,3 /var/yp/passwd.temp

6. Examine /var/yp/passwd.temp for duplicate UIDs once more. If you find multiple entries with the same UID, edit the file to change the UIDs so that no two users have the same UID.

7. Remove the root login from the /var/yp/passwd file. If you notice that the root login occurs more than once, remove all entries.

8. After you have a complete passwd file with no duplicates, move /var/yp/passwd.temp (the sorted, edited file) to /var/yp/passwd. This file is used to generate the passwd map for your NIS domain. Remove all the /var/yp/passwd.<hostname> files from the master server.

Creating the Master group File

Just like creating a master /var/yp/passwd file, the next task is to prepare one master /var/yp/group file to be used to create a NIS map as follows:

1. Copy the /etc/group file from each host in your NIS domain to the /etc directory on the host that will be the master server. Name each copy /var/yp/group.<hostname>, in which hostname is the name of the host it came from.

2. Concatenate all the group files together, including the master server's group file, into a temporary group file, as follows:

cd /var/yp
cat group group.hostname1 group.hostname2 ... > group.temp

3. Issue the following command to sort the temporary group file by group name:

   sort -o /var/yp/group.temp -t: -k1,1 /var/yp/group.temp

   NIS does not require that the group file be sorted in any particular way. Sorting the group file simply makes it easier to find duplicate entries.

4. Examine /var/yp/group.temp for duplicate group names. If a group name appears more than once, merge the groups with the same name into one group and remove the duplicate entries.

5. Now, issue the following command to sort the temporary group file by GID:

sort -o /var/yp/group.temp -t: -k 3n,3 /var/yp/group.temp

6. Examine /var/yp/group.temp for duplicate GIDs. If you find multiple entries with the same GID, edit the file to change the GIDs so that no two groups have the same GID.

7. Move /var/yp/group.temp (the sorted, edited file) to /var/yp/group. This file is used to generate the group map for your NIS domain.

8. Remove the /var/yp/group.<hostname> files from the master server.

Creating the Master hosts File

Now create the master /etc/hosts file the same way you created the master /var/yp/passwd and /var/yp/group files by following these steps:

1. Copy the /etc/hosts file from each host in your NIS domain to the /etc directory on the host that will be the master server. Name each copy /var/yp/hosts.<hostname>, in which hostname is the name of the host from which it came.

2. Concatenate all the hosts files together, including the master server's host file, into a temporary hosts file, as follows:

cd /var/yp
cat hosts hosts.hostname1 hosts.hostname2 ... > hosts.temp

3. Issue the following command to sort the temporary hosts file so that duplicate IP addresses are on adjacent lines:

sort -o /var/yp/hosts.temp /var/yp/hosts.temp

4. Examine /var/yp/hosts.temp for duplicate IP addresses. If you need to map an IP address to multiple host names, include them as aliases in a single entry.

5. Issue the following command to sort the temporary hosts file by host name:

sort -o /var/yp/hosts.temp -b –k 2,2 /var/yp/hosts.temp

6. Examine /var/yp/hosts.temp for duplicate host names. A host name can be mapped to multiple IP addresses only if the IP addresses belong to different LAN cards on the same host. If a host name appears in multiple entries that are mapped to IP addresses on different hosts, remove all the entries but one.

7. Examine the /var/yp/hosts.temp file for duplicate aliases. No alias should appear in more than one entry.

8. Move /var/yp/hosts.temp (the sorted, edited file) to /var/yp/hosts. This file is used to generate the host's map for your NIS domain.

9. Remove the /var/yp/hosts.<hostname> files from the master server.

Other Source Files

The following files can also be copied to the /var/yp directory to be used as source files for NIS maps, but first make sure that they reflect an up-to-date picture of your system environment:

• auto.home or auto_home

• auto.master or auto_master

• bootparams

• ethers

• netgroup

• netmasks

• networks

• protocols

• rpc

• service

• shadow

Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Make sure the /etc/mail/aliases source file is complete by verifying that it contains all the mail aliases that you want to have available throughout the domain.

Preparing the Makefile

After checking the source files and copying them into the source file directory, you now need to convert those source files into the ndbm format maps the NIS service uses. This is done automatically for you by ypinit. I describe how to set up ypinit in the next section.

The ypinit script calls the program make, which uses the Makefile located in the /var/yp directory. A default Makefile is provided for you in this directory, and it contains the commands needed to transform the source files into the desired ndbm format maps.

The function of the Makefile is to create the appropriate NIS maps for each of the databases listed under all. After passing through makedbm, the data is collected in two files, mapname.dir and mapname.pag. Both files are located in the /var/yp/<domainname> directory on the master server.

The Makefile builds passwd maps from the /PWDIR/passwd, /PWDIR/shadow, and /PWDIR/security/passwd.adjunct files, as appropriate.

Setting Up the Master Server with ypinit

The /usr/sbin/ypinit shell script sets up master and slave servers and clients to use NIS. It also initially runs make to create the maps on the master server. To use ypinit to build a fresh set of NIS maps on the master server, follow these steps:

1. Become root on the master server and ensure that the name service receives its information from the /etc files, not from NIS, by typing:

cp /etc/nsswitch.files /etc/nsswitch.conf

2. Edit the /etc/hosts file to add the name and IP address of each of the NIS servers.

3. To build new maps on the master server, type:

   /usr/sbin/ypinit -m

   ypinit prompts for a list of other systems to become NIS slave servers. Type the name of the server you are working on, along with the names of your NIS slave servers. Press CTRL+D when complete.

4. ypinit asks whether you want the procedure to terminate at the first nonfatal error or to continue despite nonfatal errors. Type:

   y

   If you choose y, ypinit exits upon encountering the first problem; you can then fix it and restart ypinit. This procedure is recommended if you are running ypinit for the first time. If you prefer to continue, you can manually try to fix all the problems that might occur, and then restart ypinit.

NOTE

A nonfatal error might be displayed if some of the map files are not present. These errors do not affect the functionality of NIS.

5. ypinit asks whether the existing files in the /var/yp/<domainname> directory can be destroyed.

   This message is displayed only if NIS was previously installed. You must answer Yes to install the new version of NIS.

6. After ypinit has constructed the list of servers, it invokes make.

   The make command uses the instructions contained in the Makefile located in /var/yp. The make command cleans any remaining comment lines from the files that you designated and then runs makedbm on them, creating the appropriate maps and establishing the name of the master server for each map.

7. To enable NIS as the naming service, type:

   cp /etc/nsswitch.nis /etc/nsswitch.conf

   This command replaces the current switch file with the default NIS-oriented switch file. You can edit this file as necessary. See the section titled "Name Service Switch" for information on the contents of this file.

Now that the master maps are created, you can start the NIS daemons on the master server.

Starting and Stopping NIS on the Master Server

To start up the NIS service on the master server, you need to start ypserv on the server and run ypbind. The daemon ypserv answers information requests from clients after looking them up in the NIS maps. You can start up the NIS service on the server by running the /usr/lib/netsvc/yp/ypstart script from the command line. After the NIS master server has been configured by running ypinit, ypstart is automatically invoked to start up ypserv whenever the system is started up.

To stop the NIS service, run the ypstop command on the server as follows:

usr/lib/netsvc/yp/ypstop

Name Service Switch

The next step in setting up the NIS service is to set up the name service switch, which involves editing the /etc/nisswitch.conf file. The name service switch controls how a client workstation or application obtains network information. The name service switch is often referred to simply as the switch. The switch determines which naming services an application uses to obtain naming information, and in what order. The switch is a file called nsswitch.conf, which is stored in each system's /etc directory.

Each workstation has a nsswitch.conf file in its /etc directory. In every system's /etc directory, you find a template file called /etc/nsswitch.nis that was installed when you loaded Solaris 2.6. This template file contains the default switch configurations used by the NIS service and local files. When Solaris 2.6 release software is first installed, if you select the default name service to be NIS, the template file is copied to /etc/nsswitch.conf. If during software installation you select "files" as the default name service, /etc/nsswitch.conf is created from nsswitch.files, which looks like this:

#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:  files
group:  files
hosts:  files
networks: files
protocols: files
rpc:  files
ethers:  files
netmasks: files	
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files

If you did not select NIS as your name service during software installation, you can move this file into place manually as follows:

 cp /etc/nsswitch.nis /etc/nsswitch.conf

The default /etc/nsswitch.nis file looks like this:

#
# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:  files nis
group:  files nis

# consult /etc "files" only if nis is down.
hosts:  xfn nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc:  nis [NOTFOUND=return] files
ethers:  nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files	
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files

netgroup: nis

automount: files nis
aliases: files nis

# for efficient getservbyname() avoid nis
services: files nis
sendmailvars: files

Each line of the /etc/nsswitch.nis file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc. The source is where the client looks for the network information. For example, the system should first look for the passwd information in the /etc/passwd file and then, if it does not find the login name there, it needs to query the NIS server.

Setting Up NIS Clients

You must perform two tasks to set up a system as a NIS client:

• Set up the nsswitch.conf file as described in the previous section.

• Configure the system to use NIS as explained next.

After setting up the nsswitch.conf file, you configure each client system to use NIS by logging in as root and running the ypinit command as follows:

ypinit -c

You will be asked to identify the NIS servers from which the client can obtain name service information. You can list as many master or slave servers as you want. The servers that you list can be located anywhere in the domain. It is a good practice to first list the servers closest (in network terms) to the system, followed by the more distant servers on the net.

Finally, on the NIS client, remove all the entries from the /etc/passwd file that are managed by the NIS server. Don't forget to update the /etc/shadow file. Also, remove entries from the /etc/group, /etc/hosts file, and any other network file that are now managed by NIS.

Test the NIS client by logging out and logging back in using a login name that is no longer in the /etc/passwd file and is managed by NIS. Test the host's map by pinging a system that is not identified in the local /etc/hosts file.

Setting Up NIS Slave Servers

Before setting up the NIS slave server, you must first set it up as a NIS client. After you've verified that the NIS master server is functioning properly by testing the NIS service on this system, you can set up the system as a slave server. Your network can have one or more slave servers. Having slave servers ensures the continuity of NIS services if the master server is not available. Before actually running ypinit to create the slave servers, you should run the domainname command on each NIS slave to make sure the domain name is consistent with the master server. Remember, the domain name is set by adding the domain name to the /etc/defaultdomain file. Follow these steps to set up the NIS slave server:

1. As root, edit the /etc/hosts file on the slave server to add the name and IP addresses of all the other NIS servers. This step is optional and for convenience only. At this point, I'm assuming you're not using DNS to manage hostnames (as will be explained later in this chapter). Step 3 prompts you for a hostname of the NIS server. You need an entry for this hostname in the local /etc/hosts file; otherwise, you need to specify the IP address of the NIS server.

2. Change directory to /var/yp on the slave server.

3. To initialize the slave server as a client, type the following:

   /usr/sbin/ypinit -c

   The ypinit command prompts you for a list of NIS servers. Enter the name of the local slave you are working on first, then the master server, followed by the other NIS slave servers in your domain, in order, from the physically closest to the furthest (in network terms).

NOTE

You must first configure the new slave server as a NIS client so that it can receive the NIS maps from the master for the first time.

4. Next, you need to determine if ypbind is already running. If it is running, you need to stop and restart it. Check to see if ypbind is running by typing:

ps -ef | grep ypbin

If a listing is displayed, ypbind is running. If ypbind is running, stop it by typing:

/usr/lib/netsvc/yp/ypstop

Type the following to restart ypbind:

/usr/lib/netsvc/yp/ypstart

5. To initialize this system as a slave, type the following:

   /usr/sbin/ypinit -s <master>

   In this example, master is the system name of the existing NIS master server.

   Repeat the procedures described in this section for each system you want configured as a NIS slave server.

6. Now you can start daemons on the slave server and begin the NIS service. First, all existing yp processes must be stopped by typing:

/usr/lib/netsvc/yp/ypstop

7. To start ypserv on the slave server and run ypbind, you can either restart the server or type:

/usr/lib/netsvc/yp/ypstart