Planning Your NIS Domain
Before you configure systems as NIS servers or clients, you must plan the NIS domain. Each domain has a domain name, and each system sharing the common set of maps belongs to that domain. Follow these steps to plan your domain:
Decide which systems will be in your NIS domain.
Choose a NIS domain name. A NIS domain name can be up to 256 characters long, although much shorter names are more practical. A good practice is to limit domain names to no more than 32 characters. Domain names are case-sensitive. For convenience, you can use your Internet domain name as the basis for your NIS domain name. For example, if your Internet domain name is pdesigninc.com, you can name your NIS domain pdesigninc.com.
Before a system can use NIS services, the correct NIS domain name and system name must be set. A system's name is set by the system's /etc/nodename file, and the system's domain name is set by the system's /etc/defaultdomain file. These files are read at startup time, and their contents are used by the uname -S and domainname commands, respectively. A sample /etc/nodename file would look like this:
The system responds with:
A sample /etc/defaultdomain file would look like this:
The system responds with:
You are now ready to configure your NIS master server.
Configuring a NIS Master Server
Before configuring a NIS master server, make sure the NIS package is installed. The package names are SUNWypu and SUNWypr. Use the pkginfo command to check for these packages. Both packages are part of the standard Solaris 2.6 release. The daemons that support the NIS service are described in Table 7-2.
Table 7-2 NIS Daemons
Daemon          Description
ypserv          This daemon is the NIS database lookup server. The ypserv daemon's primary function is to look up information in its local database of NIS maps. If the /var/yp/ypserv.log file exists when ypserv starts up, log information is written to it if error conditions arise. At least one ypserv daemon must be present on the network for the NIS service to function.
ypbind          This daemon is the NIS binding process that runs on all client systems that are set up to use NIS. The function of ypbind is to remember information that lets all NIS client processes on a node communicate with some NIS server process.
ypxfr           This daemon is the high-speed map transfer. ypxfr moves a NIS map in the default domain to the local host. It creates a temporary map in the directory /var/yp/ypdomain, in which ypdomain is the default domain name of the local host.
rpc.yppasswdd   This daemon handles password change requests from the yppasswd command. It changes a password entry in the passwd, shadow, and security/passwd.adjunct files.
rpc.ypupdated   This daemon updates NIS information. ypupdated consults the updaters file in the /var/yp directory to determine which NIS maps should be updated and how to change them.
The commands that you use to manage the NIS service are shown in Table 7-3. I'll describe some of these commands in more detail later as I show examples of setting up NIS.
Table 7-3 NIS Commands
Command    Description
make       This command updates NIS maps by reading the Makefile (if run in the /var/yp directory). You can use make to update all maps based on the input files or to update individual maps.
makedbm    This command creates a dbm file for a NIS map. The makedbm command takes the infile and converts it to a pair of files in ndbm format. When you run make in the /var/yp directory, makedbm creates or modifies the default NIS maps from the input files.
ypcat      This command lists data in a NIS map.
ypinit     This command builds and installs a NIS database and initializes a NIS client's ypservers list. ypinit is used to set up a NIS client system. You must be the super-user to run this command.
yppoll     This command gets a map order number from a server. The yppoll command asks a ypserv process what the order number is and which host is the master NIS server for the named map.
yppush     This command propagates a new version of a NIS map from the NIS master server to the NIS slave servers.
ypset      This command sets binding to a particular server. ypset is useful for binding a client node that is on a different broadcast network.
ypstart    This command is used to start the NIS service. After the host has been configured using the ypinit command, ypstart automatically determines the NIS status of the machine and starts the appropriate daemons.
ypstop     This command is used to stop the NIS service.
ypwhich    This command returns the name of the NIS server that supplies the NIS name services to a NIS client, or it returns the name of the master for a map.
A NIS master server holds the source files for all the NIS maps in the domain. Any changes to the NIS maps must be made on the NIS master server. The NIS master server delivers information to NIS clients and supplies the NIS slave servers with up-to-date maps. Before starting up the NIS master server, some of the NIS source files need to be created.
One of the primary uses of NIS is to manage user logins and host files in a large networked environment. In a large network of systems, with several hundred users, imagine trying to keep the /etc/hosts, /etc/passwd, and /etc/group files up to date. Without NIS, every time a new system is added or removed, the /etc/hosts file must be updated. It's important to keep your /etc/hosts files in sync on every system on the network. Furthermore, without NIS, if a user changes a password, then that user must notify the system administrator that his or her password has changed. The system administrator must then make sure that all the /etc/shadow files are updated across the network. If not, the user is not able to log in to another system using the new password.
The system administrator can manage the system configuration files, such as /etc/hosts and /etc/passwd, using NIS. With NIS, the system administrator sets up the /etc/hosts, /etc/passwd, and /etc/group files on one server. Rather than keeping a copy of the configuration file on each system, all systems look to this server for configuration information.
Creating the Master passwd File
The first task in setting up a NIS master server is to prepare the source file for the passwd map. However, be careful with this source file. The source files can be located either in the /etc directory on the master server or in some other directory. Locating the source files in /etc is undesirable because the contents of the maps are then the same as the contents of the local files on the master server. This is a special problem for passwd and shadow files, because all users would have access to the master server maps and because the root password would be passed to all YP clients through the passwd map.
Sun recommends that, for security reasons and to prevent unauthorized root access, the files used to build the NIS password maps should not contain an entry for root. Therefore, the password maps should not be built from the files located in the master server's /etc directory. The password files used to build the password maps should have the root entry removed from them, and they should be located in a directory that can be protected from unauthorized access.
For this exercise, copy all the source files from the /etc directory into the /var/yp directory. Because the source files are located in a directory other than /etc, modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/var/yp. Also, modify the PWDIR password macro in the Makefile to refer to the directory in which the passwd and shadow files reside by changing the line PWDIR=/etc to PWDIR=/var/yp.
Now, to create the passwd source file, use a copy of the /etc/passwd file on the system that becomes the master NIS server. Create a passwd file that has all the logins in it. This file is used to create the NIS map. You can do this by following these steps:
Copy the /etc/passwd file from each host in your network to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/passwd.<hostname>, in which hostname is the name of the host it came from.
Concatenate all the passwd files together into a temporary passwd file, as follows:
cd /var/yp
cat passwd passwd.hostname1 passwd.hostname2 ... > passwd.temp
Issue the sort command to sort the temporary passwd file by user name, and then pipe it to the uniq command to remove duplicate entries. Write the result to a new file and then move it into place; redirecting the output straight back onto /var/yp/passwd.temp would truncate the file before sort reads it:
sort -t: -k 1,1 /var/yp/passwd.temp | uniq > /var/yp/passwd.sorted
mv /var/yp/passwd.sorted /var/yp/passwd.temp
NIS does not require that the passwd file be sorted in any particular way. Sorting the passwd file simply makes it easier to find duplicate entries.
Examine /var/yp/passwd.temp for duplicate user names that were not caught by the previous uniq command. This could happen if a user login occurs twice but the lines are not exactly the same. If you find multiple entries for the same user, edit the file to remove the redundant ones. Make sure each user in your network has a unique user name and UID (user ID).
Now, issue the following command to sort the temporary passwd file by UID:
sort -o /var/yp/passwd.temp -t: -k 3n,3 /var/yp/passwd.temp
Examine /var/yp/passwd.temp for duplicate UIDs once more. If you find multiple entries with the same UID, edit the file to change the UIDs so that no two users have the same UID.
Remove the root login from /var/yp/passwd.temp. If you notice that the root login occurs more than once, remove all entries.
After you have a complete passwd file with no duplicates, move /var/yp/passwd.temp (the sorted, edited file) to /var/yp/passwd. This file is used to generate the passwd map for your NIS domain. Remove all the /var/yp/passwd.<hostname> files from the master server.
Creating the Master group File
Just like creating a master /var/yp/passwd file, the next task is to prepare one master /var/yp/group file to be used to create a NIS map as follows:
Copy the /etc/group file from each host in your NIS domain to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/group.<hostname>, in which hostname is the name of the host it came from.
Concatenate all the group files together, including the master server's group file, into a temporary group file, as follows:
cd /var/yp
cat group group.hostname1 group.hostname2 ... > group.temp
Issue the following command to sort the temporary group file by group name:
sort -o /var/yp/group.temp -t: -k 1,1 /var/yp/group.temp
NIS does not require that the group file be sorted in any particular way. Sorting the group file simply makes it easier to find duplicate entries.
Examine /var/yp/group.temp for duplicate group names. If a group name appears more than once, merge the groups with the same name into one group and remove the duplicate entries.
Now, issue the following command to sort the temporary group file by GID:
sort -o /var/yp/group.temp -t: -k 3n,3 /var/yp/group.temp
Examine /var/yp/group.temp for duplicate GIDs. If you find multiple entries with the same GID, edit the file to change the GIDs so that no two groups have the same GID.
Move /var/yp/group.temp (the sorted, edited file) to /var/yp/group. This file is used to generate the group map for your NIS domain.
Remove the /var/yp/group.<hostname> files from the master server.
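The passwd and group merge steps above can be mechanised; the script below is an added example, not from the book. It concatenates the per-host copies, drops the root login, and reports the duplicate logins and UIDs that uniq misses when two lines for one user differ elsewhere (a different GECOS field or shell). The helper names (merge_passwd, dup_field, uid0_entries), the scratch directory and the sample entries are this example's own assumptions; dup_field applies unchanged to group.temp with field 1 for the group name and field 3 for the GID.

```shell
#!/bin/sh
# Added example (not from the book). Merges per-host passwd copies as in the
# procedure above, drops the root login, and audits the result. Helper names
# and the demo data are constructed for this example.

# merge_passwd SRCDIR OUT: concatenate SRCDIR/passwd and SRCDIR/passwd.*,
# drop exact duplicate lines and every "root" login, and sort by login name.
merge_passwd() {
    cat "$1"/passwd "$1"/passwd.* |
        awk -F: '$1 != "root" && !seen[$0]++' |
        sort -t: -k 1,1 > "$2"
}

# dup_field FILE N: print each value of colon-separated field N that occurs on
# more than one line (N=1 for login or group names, N=3 for UIDs or GIDs).
# Unlike "sort | uniq", this catches duplicates whose other fields differ.
dup_field() {
    awk -F: -v n="$2" '{ c[$n]++ } END { for (v in c) if (c[v] > 1) print v }' "$1" |
        sort
}

# uid0_entries FILE: logins with UID 0. After root is removed, any that remain
# would still hand out root on every client that binds to the map.
uid0_entries() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# --- constructed demo: passwd copies from the master and two other hosts ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
SRC="$DEMO/src"
mkdir "$SRC"
cat > "$SRC/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
EOF
cat > "$SRC/passwd.hostA" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice A.:/home/alice:/bin/ksh
carol:x:1002:10:Carol:/home/carol:/bin/sh
EOF
cat > "$SRC/passwd.hostB" <<'EOF'
bob:x:1002:10:Bob:/home/bob:/bin/sh
dave:x:1003:10:Dave:/home/dave:/bin/sh
sysadm:x:0:1:Local admin:/:/bin/sh
EOF

merge_passwd "$SRC" "$DEMO/passwd.temp"
echo "duplicate logins:"; dup_field "$DEMO/passwd.temp" 1     # alice
echo "duplicate UIDs:";   dup_field "$DEMO/passwd.temp" 3     # 1001 1002
echo "remaining UID 0:";  uid0_entries "$DEMO/passwd.temp"    # sysadm
```

The two alice lines survive uniq because their GECOS and shell fields differ, and bob and carol share UID 1002; both are exactly the cases the manual inspection steps above ask you to look for.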
Creating the Master hosts File
Now create the master /var/yp/hosts file the same way you created the master /var/yp/passwd and /var/yp/group files by following these steps:
Copy the /etc/hosts file from each host in your NIS domain to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/hosts.<hostname>, in which hostname is the name of the host from which it came.
Concatenate all the hosts files together, including the master server's hosts file, into a temporary hosts file, as follows:
cd /var/yp
cat hosts hosts.hostname1 hosts.hostname2 ... > hosts.temp
Issue the following command to sort the temporary hosts file so that duplicate IP addresses are on adjacent lines:
sort -o /var/yp/hosts.temp /var/yp/hosts.temp
Examine /var/yp/hosts.temp for duplicate IP addresses. If you need to map an IP address to multiple host names, include them as aliases in a single entry.
Issue the following command to sort the temporary hosts file by host name:
sort -o /var/yp/hosts.temp -b -k 2,2 /var/yp/hosts.temp
Examine /var/yp/hosts.temp for duplicate host names. A host name can be mapped to multiple IP addresses only if the IP addresses belong to different LAN cards on the same host. If a host name appears in multiple entries that are mapped to IP addresses on different hosts, remove all the entries but one.
Examine the /var/yp/hosts.temp file for duplicate aliases. No alias should appear in more than one entry.
Move /var/yp/hosts.temp (the sorted, edited file) to /var/yp/hosts. This file is used to generate the hosts map for your NIS domain.
Remove the /var/yp/hosts.<hostname> files from the master server.
Other Source Files
The following files can also be copied to the /var/yp directory to be used as source files for NIS maps, but first make sure that they reflect an up-to-date picture of your system environment:
auto.home or auto_home
auto.master or auto_master
Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Make sure the /etc/mail/aliases source file is complete by verifying that it contains all the mail aliases that you want to have available throughout the domain.
Preparing the Makefile
After checking the source files and copying them into the source file directory, you now need to convert those source files into the ndbm format maps the NIS service uses. This is done automatically for you by ypinit. I describe how to set up ypinit in the next section.
The ypinit script calls the program make, which uses the Makefile located in the /var/yp directory. A default Makefile is provided for you in this directory, and it contains the commands needed to transform the source files into the desired ndbm format maps.
The function of the Makefile is to create the appropriate NIS maps for each of the databases listed under the all target. After passing through makedbm, the data is collected in two files, mapname.dir and mapname.pag. Both files are located in the /var/yp/<domainname> directory on the master server.
The Makefile builds the passwd maps from the passwd, shadow, and security/passwd.adjunct files in the directory named by PWDIR, as appropriate.
Setting Up the Master Server with ypinit
The /usr/sbin/ypinit shell script sets up master and slave servers and clients to use NIS. It also initially runs make to create the maps on the master server. To use ypinit to build a fresh set of NIS maps on the master server, follow these steps:
Become root on the master server and ensure that the name service receives its information from the /etc files, not from NIS, by typing:
cp /etc/nsswitch.files /etc/nsswitch.conf
Edit the /etc/hosts file to add the name and IP address of each of the NIS servers.
To build new maps on the master server, type:
ypinit prompts for a list of other systems to become NIS slave servers. Type the name of the server you are working on, along with the names of your NIS slave servers. Press CTRL+D when complete.
ypinit asks whether you want the procedure to terminate at the first nonfatal error or to continue despite nonfatal errors. Type:
If you choose y, ypinit exits upon encountering the first problem; you can then fix it and restart ypinit. This procedure is recommended if you are running ypinit for the first time. If you prefer to continue, you can manually try to fix all the problems that might occur, and then restart ypinit.
ypinit asks whether the existing files in the /var/yp/<domainname> directory can be destroyed.
This message is displayed only if NIS was previously installed. You must answer Yes to install the new version of NIS.
After ypinit has constructed the list of servers, it invokes make.
The make command uses the instructions contained in the Makefile located in /var/yp. The make command cleans any remaining comment lines from the files that you designated and then runs makedbm on them, creating the appropriate maps and establishing the name of the master server for each map.
To enable NIS as the naming service, type:
cp /etc/nsswitch.nis /etc/nsswitch.conf
This command replaces the current switch file with the default NIS-oriented switch file. You can edit this file as necessary. See the section titled "Name Service Switch" for information on the contents of this file.
A nonfatal error might be displayed if some of the map files are not present. These errors do not affect the functionality of NIS.
Now that the master maps are created, you can start the NIS daemons on the master server.
Starting and Stopping NIS on the Master Server
To start up the NIS service on the master server, you need to start ypserv on the server and run ypbind. The daemon ypserv answers information requests from clients after looking them up in the NIS maps. You can start up the NIS service on the server by running the /usr/lib/netsvc/yp/ypstart script from the command line. After the NIS master server has been configured by running ypinit, ypstart is automatically invoked to start up ypserv whenever the system is started up.
To stop the NIS service, run the ypstop command on the server as follows:
Name Service Switch
The next step in setting up the NIS service is to set up the name service switch, which involves editing the /etc/nsswitch.conf file. The name service switch controls how a client workstation or application obtains network information. The name service switch is often referred to simply as the switch. The switch determines which naming services an application uses to obtain naming information, and in what order. The switch is a file called nsswitch.conf, which is stored in each system's /etc directory.
Each workstation has a nsswitch.conf file in its /etc directory. In every system's /etc directory, you find a template file called /etc/nsswitch.nis that was installed when you loaded Solaris 2.6. This template file contains the default switch configurations used by the NIS service and local files. When Solaris 2.6 release software is first installed, if you select the default name service to be NIS, the template file is copied to /etc/nsswitch.conf. If during software installation you select "files" as the default name service, /etc/nsswitch.conf is created from nsswitch.files, which looks like this:
#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files
group: files
hosts: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files
If you did not select NIS as your name service during software installation, you can move this file into place manually as follows:
cp /etc/nsswitch.nis /etc/nsswitch.conf
The default /etc/nsswitch.nis file looks like this:
#
# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files nis
group: files nis
# consult /etc "files" only if nis is down.
hosts: xfn nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
netgroup: nis
automount: files nis
aliases: files nis
# for efficient getservbyname() avoid nis
services: files nis
sendmailvars: files
Each line of the /etc/nsswitch.nis file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc files. The source is where the client looks for the network information. For example, with the line passwd: files nis, the system first looks for passwd information in the /etc/passwd file and then, if it does not find the login name there, queries the NIS server.
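Before copying nsswitch.nis into place it helps to see what each switch line means in lookup terms. The functions below are an added example, not from the book: they parse a switch file, print each database's sources in lookup order, mark a source that is reached only when the one before it is down (it follows [NOTFOUND=return]), and check that passwd and group consult local files before NIS. switch_order and files_before_nis are this example's own helper names, and the sample file is a constructed subset of the nsswitch.nis shown above.

```shell
#!/bin/sh
# Added example (not from the book): parse /etc/nsswitch.conf-style lines and
# report lookup order. Helper names and the sample file are this example's own.

# switch_order FILE DB: print DB's sources in lookup order. A source that comes
# after a "[NOTFOUND=return]" criterion is reached only when the previous
# source is unavailable (NIS down), so it is marked "(if-down)".
switch_order() {
    awk -v db="$2" '
        BEGIN { re = "^[ \t]*" db "[ \t]*:" }
        { sub(/#.*/, "") }                      # drop comments
        $0 ~ re {
            sub(re, "")                         # keep only the source list
            inb = 0; ifdown = 0; out = ""
            for (i = 1; i <= NF; i++) {
                if (inb || $i ~ /^\[/) {        # inside a [STATUS=action ...] group
                    inb = ($i !~ /\]$/)
                    if (toupper($i) ~ /NOTFOUND=RETURN/) ifdown = 1
                    continue
                }
                out = out (out == "" ? "" : " ") $i (ifdown ? "(if-down)" : "")
            }
            print out; exit
        }' "$1"
}

# files_before_nis FILE DB: succeed (exit 0) when DB consults "files" before
# "nis", or never consults nis at all; fail otherwise. A "files(if-down)" entry
# does not count, because it is skipped for as long as NIS answers.
files_before_nis() {
    switch_order "$1" "$2" | awk '
        { for (i = 1; i <= NF; i++) { if ($i == "files") f = i; if ($i == "nis") n = i } }
        END { exit !(f && (!n || f < n)) }'
}

# --- constructed sample: a subset of the default /etc/nsswitch.nis ---
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files nis
group: files nis
# consult /etc "files" only if nis is down.
hosts: xfn nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
netgroup: nis
automount: files nis
# for efficient getservbyname() avoid nis
services: files nis
EOF

for db in passwd group hosts networks netgroup services; do
    printf '%-10s %s\n' "$db:" "$(switch_order "$CONF" "$db")"
done
for db in passwd group hosts; do
    if files_before_nis "$CONF" "$db"; then echo "$db: local files consulted before nis"
    else echo "$db: local files not consulted while nis answers"; fi
done
```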
Setting Up NIS Clients
You must perform two tasks to set up a system as a NIS client:
Set up the nsswitch.conf file as described in the previous section.
Configure the system to use NIS as explained next.
After setting up the nsswitch.conf file, you configure each client system to use NIS by logging in as root and running the ypinit command as follows:
You will be asked to identify the NIS servers from which the client can obtain name service information. You can list as many master or slave servers as you want. The servers that you list can be located anywhere in the domain. It is a good practice to first list the servers closest (in network terms) to the system, followed by the more distant servers on the net.
Finally, on the NIS client, remove all the entries from the /etc/passwd file that are managed by the NIS server. Don't forget to update the /etc/shadow file. Also, remove entries from the /etc/group, /etc/hosts file, and any other network file that are now managed by NIS.
Test the NIS client by logging out and logging back in using a login name that is no longer in the /etc/passwd file and is managed by NIS. Test the hosts map by pinging a system that is not listed in the local /etc/hosts file.
Setting Up NIS Slave Servers
Before setting up the NIS slave server, you must first set it up as a NIS client. After you've verified that the NIS master server is functioning properly by testing the NIS service on this system, you can set up the system as a slave server. Your network can have one or more slave servers. Having slave servers ensures the continuity of NIS services if the master server is not available. Before actually running ypinit to create the slave servers, you should run the domainname command on each NIS slave to make sure the domain name is consistent with the master server. Remember, the domain name is set by adding the domain name to the /etc/defaultdomain file. Follow these steps to set up the NIS slave server:
As root, edit the /etc/hosts file on the slave server to add the names and IP addresses of all the other NIS servers. This step is optional and for convenience only. At this point, I'm assuming you're not using DNS to manage hostnames (as will be explained later in this chapter). Step 3 prompts you for a hostname of the NIS server. You need an entry for this hostname in the local /etc/hosts file; otherwise, you need to specify the IP address of the NIS server.
Change directory to /var/yp on the slave server.
To initialize the slave server as a client, type the following:
You must first configure the new slave server as a NIS client so that it can receive the NIS maps from the master for the first time.
The ypinit command prompts you for a list of NIS servers. Enter the name of the local slave you are working on first, then the master server, followed by the other NIS slave servers in your domain, in order, from the physically closest to the furthest (in network terms).
Next, you need to determine if ypbind is already running. If it is running, you need to stop and restart it. Check to see if ypbind is running by typing:
ps -ef | grep ypbind
If a listing is displayed, ypbind is running. If ypbind is running, stop it by typing:
Type the following to restart ypbind:
To initialize this system as a slave, type the following:
/usr/sbin/ypinit -s <master>
In this example, master is the system name of the existing NIS master server.
Repeat the procedures described in this section for each system you want configured as a NIS slave server.
Now you can start daemons on the slave server and begin the NIS service. First, all existing yp processes must be stopped by typing:
To start ypserv on the slave server and run ypbind, you can either restart the server or type: