Before you configure systems as NIS servers or clients, you must plan the NIS domain. Each domain has a domain name, and each system sharing the common set of maps belongs to that domain.
Exercise 23.1 Planning Your NIS Domain
Follow these steps to plan your domain:
Before configuring an NIS master server, be sure that the NIS package is installed. The package names are SUNWypu and SUNWypr. Use the pkginfo command to check for these packages. Both packages are part of the standard Solaris 9 release. The daemons that support the NIS service are described in Table 23.3.
The commands that you use to manage the NIS service are shown in Table 23.4. I’ll describe some of these commands in more detail later as I show examples of setting up NIS.
An NIS master server holds the source files for all the NIS maps in the domain. Any changes to the NIS maps must be made on the NIS master server. The NIS master server delivers information to NIS clients and supplies the NIS slave servers with up-to-date maps. Before the NIS master server is started, some of the NIS source files need to be created.
One of the primary uses of NIS is to manage user logins and host files in a large networked environment. In a large network of systems, with several hundred users, imagine trying to keep the /etc/hosts, /etc/passwd, and /etc/group files up-to-date. Without NIS, every time a new system is added or removed, the /etc/hosts file must be updated. It’s important to keep your /etc/hosts files in sync on every system on the network. Furthermore, without NIS, if a user changes a password, that user must notify the system administrator that his password has changed. The system administrator must then be sure that all the /etc/shadow files are updated across the network. If they aren’t, the user can’t log into another system using the new password.
The system administrator can manage the system configuration files, such as /etc/hosts and /etc/passwd, using NIS. With NIS, the system administrator sets up the /etc/hosts, /etc/passwd, and /etc/group files on one server. Rather than keeping a copy of the configuration file on each system, all systems look to this server for configuration information.
The first task in setting up an NIS master server is to prepare the source file for the passwd map, and this file needs care. The source files can be located either in the /etc directory on the master server or in some other directory. Locating them in /etc is undesirable because the contents of the maps are then identical to the master server's own local files. This is a particular problem for the passwd and shadow files: NIS maps can be read by any client that can bind to the domain, so the root entry, password hash included, would be handed to every YP client through the passwd map.
Sun recommends that, for security reasons and to prevent unauthorized root access, the files used to build the NIS password maps not contain an entry for root. Therefore, the password maps should not be built from the files located in the master server’s /etc directory. The password files used to build the passwd maps should have the root entry removed from them, and they should be located in a directory that can be protected from unauthorized access.
For this exercise, copy all the source files from the /etc directory into the /var/yp directory. Because the source files are located in a directory other than /etc, modify the makefile in /var/yp by changing the DIR=/etc line to DIR=/var/yp. Also, modify the PWDIR password macro in the makefile to refer to the directory in which the passwd and shadow files reside by changing the line PWDIR=/etc to PWDIR=/var/yp.
Now, to create the passwd source file, use a copy of the /etc/passwd file on the system that becomes the master NIS server. Create a passwd file that has all the logins in it. This file is used to create the NIS map.
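The following script is an added example, not code from the book or from Solaris: it copies passwd and shadow into the source directory with root (and any other UID-0 login) removed, restricts the copies, checks that no superuser line survived, and rewrites the DIR and PWDIR macros in the makefile. The directory arguments are parameters so it can be run on a scratch tree; the sample passwd, shadow, and makefile lines at the end are constructed for the demonstration, and on the master server the arguments would be /etc and /var/yp.

```shell
#!/bin/sh
# Added example (not from the book): build root-free passwd/shadow sources
# for the NIS passwd map and repoint the /var/yp makefile at them.
# Directory arguments are parameters so the script can be exercised on a
# scratch tree; on the master server they would be /etc and /var/yp.

# make_pw_sources ETC PWDIR
# Copy passwd and shadow from ETC into PWDIR, dropping root and every
# other UID-0 login from both files. A UID-0 entry in the map would hand
# the superuser password hash to every client that can bind to the domain.
make_pw_sources() {
    etc=$1; pwdir=$2
    mkdir -p "$pwdir"
    # logins that must not reach the map: root plus any other UID-0 account
    drop=$(awk -F: '$3 == 0 { print $1 }' "$etc/passwd")
    awk -F: '$3 != 0' "$etc/passwd" > "$pwdir/passwd"
    # shadow has no UID field, so filter it by the login names found above
    awk -F: -v drop="$drop" '
        BEGIN { n = split(drop, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($1 in skip)' "$etc/shadow" > "$pwdir/shadow"
    chmod 0444 "$pwdir/passwd"
    chmod 0400 "$pwdir/shadow"     # hashes stay readable by root only
}

# count_superuser_lines PWDIR
# Print how many passwd lines with UID 0 or shadow lines for "root" remain
# in PWDIR; the expected answer before running make is 0.
count_superuser_lines() {
    pwdir=$1
    awk -F: 'FILENAME ~ /passwd$/ && $3 == 0      { n++ }
             FILENAME ~ /shadow$/ && $1 == "root" { n++ }
             END { print n + 0 }' "$pwdir/passwd" "$pwdir/shadow"
}

# point_makefile_at MAKEFILE PWDIR
# Rewrite the DIR= and PWDIR= macros so make reads the sources from PWDIR
# instead of /etc. A copy is edited and moved back because sed -i is not
# portable to Solaris.
point_makefile_at() {
    mk=$1; pwdir=$2
    sed -e "s|^DIR[[:space:]]*=.*|DIR=$pwdir|" \
        -e "s|^PWDIR[[:space:]]*=.*|PWDIR=$pwdir|" "$mk" > "$mk.new" && mv "$mk.new" "$mk"
}

# macro_value MAKEFILE NAME
# Print the value assigned to NAME in MAKEFILE (used to verify the edit).
macro_value() {
    sed -n "s|^$2[[:space:]]*=[[:space:]]*||p" "$1"
}

# Constructed sample tree standing in for /etc and /var/yp.
DEMO=${TMPDIR:-/tmp}/nis-pw-demo.$$
mkdir -p "$DEMO/etc" "$DEMO/var/yp"
cat > "$DEMO/etc/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
toor:x:0:1:Second superuser login:/:/sbin/sh
daemon:x:1:1::/:
jsmith:x:1001:10:Jane Smith:/home/jsmith:/bin/ksh
EOF
cat > "$DEMO/etc/shadow" <<'EOF'
root:AbCdEfGhIjKlM:6445::::::
toor:AbCdEfGhIjKlM:6445::::::
daemon:NP:6445::::::
jsmith:XyZ123abc/DEF:6445::::::
EOF
printf 'DIR =/etc\nPWDIR =/etc\n' > "$DEMO/var/yp/Makefile"

make_pw_sources "$DEMO/etc" "$DEMO/var/yp"
point_makefile_at "$DEMO/var/yp/Makefile" "$DEMO/var/yp"
echo "superuser lines left in sources: $(count_superuser_lines "$DEMO/var/yp")"
echo "PWDIR is now: $(macro_value "$DEMO/var/yp/Makefile" PWDIR)"
```

Run the count check again after every edit to the source files and before each make; an administrator who later appends a UID-0 recovery account to the source is exactly the case it catches.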
Exercise 23.2 Creating the Password Source File
Just like creating a master /var/yp/passwd file, the next task is to prepare one master /var/yp/group file to be used to create an NIS map.
Exercise 23.3 Creating the Master Group File
2. Concatenate all the group files, including the master server's group file, into a temporary group file:

   cd /var/yp
   cat group group.hostname1 group.hostname2 ... > group.temp

4. Examine /var/yp/group.temp for duplicate group names. If a group name appears more than once, merge the groups that have the same name into one group and remove the duplicate entries.

5. Issue the following command to sort the temporary group file by GID:

   sort -o /var/yp/group.temp -t: -k 3n,3 /var/yp/group.temp

6. Examine /var/yp/group.temp for duplicate GIDs. If you find multiple entries with the same GID, edit the file to change the GIDs so that no two groups have the same GID.

7. Move /var/yp/group.temp (the sorted, edited file) to /var/yp/group. This file is used to generate the group map for your NIS domain.
Now create the master /etc/hosts file the same way you created the master /var/yp/passwd and /var/yp/group files.
Exercise 23.4 Creating the Master hosts File
1. Copy the /etc/hosts file from each host in your NIS domain to the /var/yp directory on the host that will be the master server. Name each copy /var/yp/hosts.<hostname>, in which <hostname> is the name of the host from which it came.

2. Concatenate all the host files, including the master server's host file, into a temporary hosts file, as follows:

   cd /var/yp
   cat hosts hosts.hostname1 hosts.hostname2 ... > hosts.temp

3. Issue the following command to sort the temporary hosts file so that duplicate IP addresses are on adjacent lines:

   sort -o /var/yp/hosts.temp /var/yp/hosts.temp

5. Issue the following command to sort the temporary hosts file by hostname:

   sort -o /var/yp/hosts.temp -b -k 2,2 /var/yp/hosts.temp

6. Examine /var/yp/hosts.temp for duplicate hostnames. A hostname can be mapped to multiple IP addresses only if the IP addresses belong to different LAN cards on the same host. If a hostname appears in multiple entries that are mapped to IP addresses on different hosts, remove all the entries but one.

7. Examine the /var/yp/hosts.temp file for duplicate aliases. No alias should appear in more than one entry.

8. Move /var/yp/hosts.temp (the sorted, edited file) to /var/yp/hosts. This file is used to generate the hosts map for your NIS domain.
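The "examine for duplicates" steps of Exercises 23.3 and 23.4 are easy to get wrong by eye in a file of several hundred lines. The script below is an added example, not from the book: it performs the concatenation and sort steps of both exercises and then prints every duplicate group name, GID, IP address, hostname (with the addresses it maps to, so you can tell a multi-homed host from a real clash), and alias. The directory argument is a parameter so the script runs on a scratch tree; the per-host group and hosts files at the end are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): merge per-host group and hosts files
# into NIS source files and report the duplicates Exercises 23.3 and 23.4
# tell you to look for. YPDIR is a parameter (on the master it is /var/yp).
LC_ALL=C; export LC_ALL      # byte-order sort, same on every system

# merge_sources YPDIR NAME HOST...
# Step 2 of both exercises: NAME plus NAME.<host> for each HOST -> NAME.temp
merge_sources() {
    ypdir=$1; name=$2; shift 2
    out="$ypdir/$name.temp"
    cat "$ypdir/$name" > "$out"
    for h in "$@"; do cat "$ypdir/$name.$h" >> "$out"; done
}

# group_dups GROUP_TEMP
# Print "dup-name NAME" for group names and "dup-gid GID" for GIDs that
# occur on more than one line.
group_dups() {
    awk -F: 'NF >= 3 { n[$1]++; g[$3]++ }
        END { for (k in n) if (n[k] > 1) print "dup-name " k
              for (k in g) if (g[k] > 1) print "dup-gid " k }' "$1" | sort
}

# hosts_dups HOSTS_TEMP
# Print IPs listed twice, hostnames that appear in more than one entry
# (followed by every address they map to), and aliases used in more than
# one entry. Comments are stripped first.
hosts_dups() {
    sed 's/#.*//' "$1" | awk '
        NF >= 2 {
            ip[$1]++
            cnt[$2]++
            addrs[$2] = addrs[$2] " " $1
            for (i = 3; i <= NF; i++) alias[$i]++
        }
        END {
            for (k in ip)    if (ip[k] > 1)    print "dup-ip " k
            for (k in cnt)   if (cnt[k] > 1)   print "dup-host " k addrs[k]
            for (k in alias) if (alias[k] > 1) print "dup-alias " k
        }' | sort
}

# Constructed sample tree: the master's own files plus copies from "hosta".
DEMO=${TMPDIR:-/tmp}/nis-merge-demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/group" <<'EOF'
root::0:root
staff::10:
eng::100:jsmith
EOF
cat > "$DEMO/group.hosta" <<'EOF'
root::0:root
eng::100:bob
web::100:
EOF
cat > "$DEMO/hosts" <<'EOF'
127.0.0.1 localhost
192.168.1.10 hosta hosta.example.com loghost
192.168.1.11 hostb
EOF
cat > "$DEMO/hosts.hosta" <<'EOF'
127.0.0.1 localhost
192.168.1.10 hosta loghost
192.168.1.20 hostb   # hostb's address as recorded on hosta
192.168.1.12 hostc loghost
EOF

merge_sources "$DEMO" group hosta
sort -o "$DEMO/group.temp" -t: -k 3n,3 "$DEMO/group.temp"   # step 5 of 23.3
echo "== group.temp duplicates"; group_dups "$DEMO/group.temp"

merge_sources "$DEMO" hosts hosta
sort -o "$DEMO/hosts.temp" "$DEMO/hosts.temp"                # step 3 of 23.4
echo "== hosts.temp duplicates"; hosts_dups "$DEMO/hosts.temp"
```

In the sample, "dup-host hosta 192.168.1.10 192.168.1.10" is the harmless case (the same address copied from two files) and "dup-host hostb 192.168.1.11 192.168.1.20" is the one the exercise tells you to resolve by hand; the script only reports, it never edits the files.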
The following files can also be copied to the /var/yp directory to be used as source files for NIS maps. First be sure that they reflect an up-to-date picture of your system environment:
auto.home or auto_home
auto.master or auto_master
bootparams
ethers
netgroup
netmasks
networks
protocols
rpc
services
shadow
Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This file must reside in the /etc/mail directory. Be sure that the /etc/mail/aliases source file is complete by verifying that it contains all the mail aliases that you want to have available throughout the domain.
After checking the source files and copying them into the source file directory, you need to convert those source files into the NDBM format maps that the NIS service uses. This is done automatically for you by ypinit. I describe how to set up ypinit in the next section.
The ypinit script calls the program make, which uses the makefile located in the /var/yp directory. A default makefile is provided for you in this directory. It contains the commands needed to transform the source files into the desired NDBM format maps.
The function of the makefile is to create the appropriate NIS maps for each of the databases listed under the all target. After passing through makedbm, the data for each map is stored in two files, mapname.dir and mapname.pag, in the /var/yp/<domainname> directory on the master server.
The makefile builds the passwd maps from the passwd, shadow, and security/passwd.adjunct files under the directory named by PWDIR, as appropriate.
The /usr/sbin/ypinit shell script sets up master and slave servers and clients to use NIS. It also initially runs make to create the maps on the master server.
Note
Don’t forget to set your domain name first, as described in the section titled “Planning Your NIS Domain.”
Exercise 23.5 Using ypinit to Set Up the Master Server
To use ypinit to build a fresh set of NIS maps on the master server, follow these steps:
2. Edit the /etc/hosts file to add the name and IP address of each of the NIS servers.

3. To build new maps on the master server, type this:

   /usr/sbin/ypinit -m

   ypinit prompts you for a list of other systems to become NIS slave servers. Type the name of the server you are working on, along with the names of your NIS slave servers, one server per line, pressing Enter after each. Press Ctrl+D when you're finished.

4. ypinit asks whether you want the procedure to terminate at the first nonfatal error or to continue despite nonfatal errors. Type y. ypinit then exits upon encountering the first problem; you can fix the problem and restart ypinit. This is recommended if you are running ypinit for the first time. If you prefer to continue instead, you can manually try to fix all the problems that occur and then restart ypinit.

5. ypinit asks whether the existing files in the /var/yp/<domainname> directory can be destroyed. This message is displayed only if NIS was previously installed. You must answer yes to install the new version of NIS.

6. After ypinit has constructed the list of servers, it invokes make. The make command uses the instructions contained in the makefile located in /var/yp. It cleans any remaining comment lines from the files you designated and then runs makedbm on them, creating the appropriate maps and establishing the name of the master server for each map.

7. To enable NIS as the naming service, type this line:

   cp /etc/nsswitch.nis /etc/nsswitch.conf

   This command replaces the current switch file with the default NIS-oriented one. You can edit this file as necessary. See the section "Name Service Switch" for information on the contents of this file.
Now that the master maps are created, you can start the NIS daemons on the master server.
To start up the NIS service on the master server, you need to start ypserv on the server and run ypbind. The daemon ypserv answers information requests from clients after looking them up in the NIS maps. You can start up the NIS service on the server by running the /usr/lib/netsvc/yp/ypstart script from the command line. After you configure the NIS master server by running ypinit, ypstart is automatically invoked to start up ypserv whenever the system is started up.
To stop the NIS service, run the ypstop script on the server as follows:
/usr/lib/netsvc/yp/ypstop
The next step in setting up the NIS service is to set up the name service switch, which involves editing the /etc/nsswitch.conf file. The name service switch controls how a client workstation or application obtains network information. The name service switch is often simply referred to as the switch. The switch determines which naming services an application uses to obtain naming information, and in what order. It is a file called nsswitch.conf, which is stored in each system’s /etc directory.
Each workstation has a name service switch file in its /etc directory named nsswitch.conf. Also in every system’s /etc directory, you’ll find templates that can be used as the nsswitch.conf file, as described in Table 23.5. Whatever name service you choose, select the appropriate name service switch template, customize it, and rename it to nsswitch.conf.
Look for a template file called /etc/nsswitch.nis that was installed when you loaded Solaris 9. This template file contains the default switch configurations used by the NIS service and local files. When the Solaris 9 release software is first installed, if you designate NIS as the default name service, the template file is copied to /etc/nsswitch.conf. If during software installation you select files as the default name service, /etc/nsswitch.conf is created from nsswitch.files, which looks like this:
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:     files
group:      files
hosts:      files
ipnodes:    files
networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars: files
printers:   user files
auth_attr:  files
prof_attr:  files
project:    files
If you did not select NIS as your name service during software installation, you can move this file into place manually, as follows:
cp /etc/nsswitch.nis /etc/nsswitch.conf
The default /etc/nsswitch.nis file looks like this:
# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files nis
group:      files nis

# consult /etc "files" only if nis is down.
hosts:      nis [NOTFOUND=return] files
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:   nis [NOTFOUND=return] files
networks:   nis [NOTFOUND=return] files
protocols:  nis [NOTFOUND=return] files
rpc:        nis [NOTFOUND=return] files
ethers:     nis [NOTFOUND=return] files
netmasks:   nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey:  nis [NOTFOUND=return] files
netgroup:   nis
automount:  files nis
aliases:    files nis
# for efficient getservbyname() avoid nis
services:   files nis
sendmailvars: files
printers:   user files nis
auth_attr:  files nis
prof_attr:  files nis
project:    files nis
Each line of the /etc/nsswitch.nis file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS maps, the DNS hosts table, or the local /etc files. The source is where the client looks for the network information. For example, the system should first look for the passwd information in the /etc/passwd file. Then, if it does not find the login name there, it needs to query the NIS server.
The name service switch file lists many types of network information, called databases, with their name service sources for resolution, and the order in which the sources are to be searched. Table 23.6 lists valid sources that can be specified in this file.
As shown in the previous nsswitch.nis template file, the name service switch file can contain action values for several of the entries. When the naming service searches a specified source, such as local files or NIS, the source returns a status code. These status codes are described in Table 23.7.
For each status code, two actions are possible: return, which stops the search and hands back whatever that source produced, and continue, which moves on to the next source listed for the database.
Therefore, the default actions are as follows:
SUCCESS = return
UNAVAIL = continue
NOTFOUND = continue
TRYAGAIN = continue
For example, the following entry in the nsswitch.nis template states that the local /etc/hosts file is consulted only when the NIS map cannot be reached:
hosts: nis [NOTFOUND=return] files
If the NIS server answers but its hosts map has no entry for the name, the NOTFOUND status triggers the explicit return action and the search stops without reading /etc/hosts. Only when NIS is unavailable (status UNAVAIL, whose default action is continue) does the lookup fall through to the local file. Remove the [NOTFOUND=return] entry if you want the switch to search the NIS hosts map and then the local /etc/hosts file.
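To make the action rules concrete, here is an added example, not code from the book or from Solaris, that walks a single nsswitch.conf entry the way the switch does. The status each source would return is supplied on the command line as SRC=STATUS pairs (constructed input, not probed from a real server), so the effect of [NOTFOUND=return] can be checked before it is deployed to every client. The function handles one CODE=action term per bracket, which covers every entry in the nsswitch.nis template; that restriction is an assumption of the example.

```shell
#!/bin/sh
# Added example (not from the book): walk one nsswitch.conf entry the way the
# switch does, so the effect of a [STATUS=action] term can be checked without a
# live NIS server. Source statuses are given as SRC=STATUS pairs (constructed).

# nss_lookup "ENTRY" SRC=STATUS...
# ENTRY is the text after "database:", e.g. "nis [NOTFOUND=return] files".
# Prints the source that answered, or "unresolved" when the search ended
# without one. Defaults: SUCCESS=return, every other status continue.
# Assumption: one CODE=action per bracket, and SUCCESS is never overridden.
nss_lookup() {
    entry=$1; shift
    table=$*                 # e.g. "nis=NOTFOUND files=SUCCESS"
    last=UNAVAIL             # status returned by the most recent source
    for tok in $entry; do
        case $tok in
        \[*=*\])
            # explicit action for the status of the preceding source
            code=${tok#\[}; code=${code%%=*}
            act=${tok##*=};  act=${act%\]}
            if [ "$code" = "$last" ] && [ "$act" = return ]; then
                echo unresolved; return 0
            fi
            ;;
        *)
            # a source missing from the table is treated as unavailable
            last=UNAVAIL
            for kv in $table; do
                if [ "${kv%%=*}" = "$tok" ]; then last=${kv#*=}; fi
            done
            if [ "$last" = SUCCESS ]; then
                echo "$tok"; return 0
            fi
            ;;
        esac
    done
    echo unresolved
}

# The nsswitch.nis hosts entry under three constructed conditions, then the
# same lookup with the action removed.
for cond in "nis=NOTFOUND files=SUCCESS" "nis=UNAVAIL files=SUCCESS" "nis=SUCCESS files=SUCCESS"; do
    echo "hosts: nis [NOTFOUND=return] files   ($cond) -> $(nss_lookup 'nis [NOTFOUND=return] files' $cond)"
done
echo "hosts: nis files                     (nis=NOTFOUND files=SUCCESS) -> $(nss_lookup 'nis files' nis=NOTFOUND files=SUCCESS)"
```

The first line of output is the case the text warns about: the server is up, the name is simply not in the map, and /etc/hosts is never read. The second shows why the entry is still useful: with ypserv unreachable, the lookup falls through to the local file.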
As root, you must perform four tasks to set up a system as an NIS client:
Remove user account information from the /etc/passwd and /etc/group files on the client.
Set the domain name on the client.
Set up the nsswitch.conf file on the client, as described in the preceding section.
Configure the client to use NIS, as explained next.
The first step is to remove from the /etc/passwd file all the user entries that are managed by the NIS server. Don’t forget to update the /etc/shadow file. Also, remove entries from /etc/group, the /etc/hosts file, and any other network files that are now managed by NIS.
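Pruning the client's local files by hand invites two mistakes: deleting root or a local-only account, or leaving a stale local entry that shadows the NIS one because passwd is searched with "files nis". The following is an added example, not from the book: given the master's NIS source file and the client's local file, it prints the local entries that NIS does not manage (root is always kept), so the same function serves /etc/passwd, /etc/shadow, and /etc/group with a colon separator and field 1, and /etc/hosts with whitespace and field 2. The sample files are constructed; the NIS source would in practice be fetched from the master (for example with ypcat) rather than copied.

```shell
#!/bin/sh
# Added example (not from the book): remove from a client's local file every
# entry that the NIS map already manages, keeping root and local-only
# accounts. Sample inputs are constructed for the demonstration.

# prune_nis_managed NIS_SOURCE LOCAL_FILE SEP KEYFIELD
# Print the lines of LOCAL_FILE whose key (field KEYFIELD split on SEP) does
# not appear in NIS_SOURCE. root is never removed: it is not in the map, and
# the client must still be able to log in with NIS down.
prune_nis_managed() {
    src=$1; lcl=$2; sep=$3; key=$4
    awk -F"$sep" -v k="$key" '
        NR == FNR { if (NF >= k && $1 !~ /^#/) managed[$k] = 1; next }
        !(NF >= k && ($k in managed)) || $k == "root"' "$src" "$lcl"
}

# Constructed sample: the NIS sources as built on the master, and the
# client's current local files.
DEMO=${TMPDIR:-/tmp}/nis-client-demo.$$
mkdir -p "$DEMO"
cat > "$DEMO/nis_passwd" <<'EOF'
jsmith:x:1001:10:Jane Smith:/home/jsmith:/bin/ksh
bob:x:1002:10:Bob Jones:/home/bob:/bin/ksh
EOF
cat > "$DEMO/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
jsmith:x:1001:10:Jane Smith:/home/jsmith:/bin/ksh
localadm:x:500:10:Local admin:/export/home/localadm:/bin/sh
EOF
cat > "$DEMO/nis_hosts" <<'EOF'
192.168.1.10 hosta loghost
192.168.1.11 hostb
EOF
cat > "$DEMO/hosts" <<'EOF'
127.0.0.1 localhost
192.168.1.10 hosta loghost
192.168.1.11 hostb
10.0.0.5 printer1   # local-only device
EOF

echo "== local passwd after pruning"
prune_nis_managed "$DEMO/nis_passwd" "$DEMO/passwd" ':' 1
echo "== local hosts after pruning"
prune_nis_managed "$DEMO/nis_hosts" "$DEMO/hosts" ' ' 2
```

On a real client, write the output to a new file, diff it against the original, and only then move it into place; repeat for /etc/shadow with the same ':' 1 arguments so the two files stay in step.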
After setting up the nsswitch.conf file and setting your domain name as described in the section titled "Planning Your NIS Domain," you configure each client system to use NIS by logging in as root and running the ypinit command, as follows:
ypinit -c
You are asked to identify the NIS servers from which the client can obtain name service information. Enter each server name, followed by a carriage return. You can list one master and as many slave servers as you want. The servers that you list can be located anywhere in the domain. It is good practice to first list the servers closest (in network terms) to the system, followed by the more distant servers on the net because the client attempts to bind to the first server on the list.
Test the NIS client by logging out and logging back in using a login name that is no longer in the /etc/passwd file and is managed by NIS. Test the hosts map by pinging a system that is not identified in the local /etc/hosts file.
Before setting up the NIS slave server, you must set it up as an NIS client. After you’ve verified that the NIS master server is functioning properly by testing the NIS service on this system, you can set up the system as a slave server. Your network can have one or more slave servers. Having slave servers ensures the continuity of NIS services if the master server is unavailable. Before actually running ypinit to create the slave servers, you should run the domainname command on each NIS slave to be sure that the domain name is consistent with the master server. Remember: The domain name is set by adding the domain name to the /etc/defaultdomain file.
Exercise 23.6 Setting Up the NIS Slave Server