*** Setting up the name service switch:
- In Solaris, you have to tell the system whether to pull information from files, NIS, NIS+, DNS, or another source.
Examples of "information" are: users, hosts, printers, aliases, etc.
- The basic lookup rules are found in /etc/nsswitch.conf. By default, the machine consults files only.
- If you would like to change the lookup method, copy one of the alternate nsswitch files to nsswitch.conf:
cp /etc/nsswitch.nis /etc/nsswitch.conf <-- use NIS as a primary source of information
cp /etc/nsswitch.ldap /etc/nsswitch.conf <-- use LDAP
cp /etc/nsswitch.dns /etc/nsswitch.conf <-- use DNS
...and so on.
or, just edit /etc/nsswitch.conf to your liking.
- It is recommended (although not always necessary) to reboot the machine after modifying /etc/nsswitch.conf.
*** NIS setup and configuration:
* Prerequisites:
- Install properly configured nsswitch.conf files on all machines that will be using NIS.
- Plan your NIS domain -- it is a good idea to give it the name of your Internet domain -- for example somedomain.com.
- Set the machine name -- look at /etc/nodename. If empty: echo somemachine > /etc/nodename
- Set the NIS domain name -- look at /etc/defaultdomain. If empty: echo somedomain.com > /etc/defaultdomain
- Identify your NIS servers -- one master and (optionally) one or more slave servers.
- Identify your NIS clients -- all machines in your domain can be NIS clients, although this is not necessary.
* Setting up a NIS master server:
- You can create your maps straight from /etc files, but this is not recommended for password maps.
- Serving the master password maps (/etc/passwd, /etc/shadow) straight from /etc publishes the root entry in the NIS maps, which makes external root attacks possible.
- Decide what your default map directory is going to be (DIR in /var/yp/Makefile) -- /etc is ok.
- Decide what your password map directory is going to be (PWDIR in /var/yp/Makefile) -- consider /var/yp/pwmaps/.
- Check the following files for correctness (all under /etc):
auto_home
auto_master
bootparams
ethers
group
hosts
ipnodes
netgroup
netmasks
networks
protocols
rpc
services
timezone
auth_attr
exec_attr
prof_attr
user_attr
audit_user
- If any of them do not exist, create them with "touch <filename>".
- Copy the files to your DIR directory as specified in /var/yp/Makefile -- skip this step if using /etc.
- Check passwd and shadow. Then copy them to PWDIR. Remove the entry for root from both files under PWDIR.
- Prepare the Makefile -- you may want to edit the following values in /var/yp/Makefile:
- DIR value -- only if your DIR is other than /etc.
- PWDIR value.
- Domain name resolver -- to use the domain name resolver for machines not in the current domain,
comment out "B=" and uncomment "B=-b" -- refer to the beginning of /var/yp/Makefile for details.
- Build new maps on the master server:
/usr/sbin/ypinit -m
- You may see non-fatal errors (about missing maps). You can ignore them if you do not plan on using the maps in question.
Otherwise, you have to create all the missing files under /etc and rerun ypinit.
- Note about qmail, etc: If you are using qmail, your old Sendmail binary is probably /usr/lib/sendmail.OLD (or similar).
Edit /var/yp/Makefile and repoint "sendmail" to your original Sendmail binary, as the one supplied with qmail
does not have the proper option for rebuilding aliases ("-bi").
- Starting the NIS service:
/usr/lib/netsvc/yp/ypstart
- This has already been set up by ypinit to start at boot.
- NOTE: When running this from scripts, allow a 5 sec delay after starting up before executing queries.
- Stopping the NIS service:
/usr/lib/netsvc/yp/ypstop
* Setting up NIS slave servers:
- Add all the other NIS servers to /etc/hosts.
- Before setting up a slave server as a NIS slave, you have to set it up as a NIS client:
cd /var/yp
/usr/sbin/ypinit -c <-- set up as a client
- Restart (or start, if not running) ypbind, and set up the server as a slave:
/usr/lib/netsvc/yp/ypstop
/usr/lib/netsvc/yp/ypstart
/usr/sbin/ypinit -s <master>
- Finally, restart the NIS service on the slave server:
/usr/lib/netsvc/yp/ypstop
/usr/lib/netsvc/yp/ypstart
* Setting up NIS clients:
- Make sure you have the correct domain in /etc/defaultdomain.
- You can also manually set the domain (temporarily): domainname somedomain.com
- Set up the machine to act as a NIS client:
/usr/sbin/ypinit -c <-- configure as a client
/usr/lib/netsvc/yp/ypstart <-- start ypbind
- An older way of setting up clients (NOT recommended, but possible):
domainname somedomain.com
/usr/lib/netsvc/yp/ypbind -broadcast
- This way, the client searches the local subnet for a NIS server.
- Finally, tell the client what type of information to pull from the NIS server. There are two options here:
- Edit /etc/nsswitch.conf to your liking (add "nis" to whatever you find appropriate).
- cp /etc/nsswitch.nis /etc/nsswitch.conf <-- this way, you will give first priority to NIS.
* Setting up FreeBSD NIS clients:
- Add the following to /etc/rc.conf:
nisdomainname="somedomain.com"
nis_client_enable="YES"
- Add the following line to /etc/passwd (by using "vipw"):
+:*::::: <-- be careful with the number of colons. It can vary, depending on your installation.
- Add the following line to /etc/master.passwd:
+:::::::::
- Add the following line to /etc/group:
+:*::
- Reboot the machine and it should be able to see all NIS maps.
* Common NIS-related commands and their meaning:
ypserv <-- this is the main NIS service.
ypbind <-- provides NIS server binding information to clients.
ypinit <-- Creates NIS maps from the input files. Sets up a NIS master server, slave server, or client.
make <-- updates NIS maps by reading /var/yp/Makefile -- ONLY to be run on the master server.
makedbm <-- takes an input file and converts it into dbm.dir and dbm.pag -- invoked by ypinit and make
ypxfr <-- pulls a NIS map from a remote server to the local /var/yp/<domain> directory.
ypxfrd <-- provides map transfer service for ypxfr requests by slave servers -- runs on the master server.
yppush <-- copies a new version of a NIS map from the master server to its slaves -- to be run manually on the master.
ypset <-- tells a ypbind process to bind to a particular NIS server.
yppoll <-- tells which version of a NIS map is running on a specified server; also lists the master server for the map.
ypcat <-- displays the contents of a NIS map.
ypmatch <-- prints the value for one or more specified keys in a NIS map.
ypwhich <-- shows which NIS server a client is using at the moment.
* NIS server information on a client machine is stored in /var/yp/binding/<domain>/ypservers.
You can modify the file manually (to remove servers), or by running "ypinit -c" (generally to add servers).
*** NIS Administration:
* When you have a non-default PWDIR (in this case, /var/yp/pwmaps), pushing passwd changes can be tedious.
You can automate the task by creating a script, for example /usr/local/bin/push_passwd:
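#!/bin/sh
# Create the copies with restrictive permissions from the start.
umask 077
# Drop only the root entry; a bare "grep -v root" would also drop any
# other line that merely contains the string "root".
grep -v '^root:' /etc/passwd > /var/yp/pwmaps/passwd
grep -v '^root:' /etc/shadow > /var/yp/pwmaps/shadow
chmod 444 /var/yp/pwmaps/passwd
chmod 400 /var/yp/pwmaps/shadow
# Rebuild the passwd map from the files under PWDIR.
cd /var/yp || exit 1
make passwd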
- Then make it executable:
chmod 755 /usr/local/bin/push_passwd
- Whenever you make a user-related change (add users, change password, etc), execute this script.
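- Removing the entry named root does not catch other UID 0 accounts, and the shadow copy under PWDIR can end up with loose permissions. The check below is an added example, not part of the original notes: check_pwdir is a hypothetical helper name, the sample accounts are constructed, and /var/yp/pwmaps is the PWDIR chosen above.

```sh
#!/bin/sh
# Added example, not part of the original notes. check_pwdir is a
# hypothetical helper; PWDIR defaults to /var/yp/pwmaps as used above.
check_pwdir() {
    pwdir=${1:-/var/yp/pwmaps}
    problems=0
    for f in passwd shadow; do
        [ -f "$pwdir/$f" ] || { echo "missing: $pwdir/$f"; return 2; }
    done

    # UID 0 accounts in passwd, whatever their login name.
    uid0=$(awk -F: 'NF >= 3 && $3 == 0 { print $1 }' "$pwdir/passwd")
    for u in $uid0; do
        echo "passwd: UID 0 account '$u' would be exported"
        problems=$((problems + 1))
    done

    # Shadow entries for root or for any UID 0 name found above.
    for u in $(printf '%s\n' root $uid0 | sort -u); do
        if awk -F: -v u="$u" '$1 == u { f = 1 } END { exit !f }' "$pwdir/shadow"; then
            echo "shadow: hash for '$u' would be exported"
            problems=$((problems + 1))
        fi
    done

    # The shadow source file must not be readable by group or other.
    mode=$(ls -ld "$pwdir/shadow" | awk '{ print $1 }')
    case $mode in
        ????------*) ;;
        *) echo "shadow: mode $mode is too open"; problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Constructed sample data: "toor" is a second UID 0 account that a
# filter on the name "root" alone leaves in place.
demo=$(mktemp -d)
printf '%s\n' 'toor:x:0:0::/:/bin/sh' 'alice:x:1001:10::/home/alice:/bin/sh' > "$demo/passwd"
printf '%s\n' 'toor:CONSTRUCTED:::::::' 'alice:CONSTRUCTED:::::::' > "$demo/shadow"
chmod 444 "$demo/shadow"
check_pwdir "$demo" || echo "do not run 'make passwd' until the above is fixed"
rm -rf "$demo"
```

- The function returns 0 when the files are clean, 1 when it found a problem and 2 when a file is missing, so it can gate the "make passwd" step in push_passwd.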
* To change other maps, follow this procedure:
Edit the appropriate input files under /etc.
cd /var/yp
make <mapname> <-- or just "make", to rebuild all default maps
- Creating new maps from text files:
cd /var/yp
makedbm mymap.txt somedomain.com/mymap
yppush mymap <-- ONLY if there are slave servers you wish to push the map to.
- Adding a new slave server:
cd /var/yp/somedomain.com
makedbm -u ypservers > /tmp/temp_file <-- convert the ndbm serverlist to plain text
- Edit /tmp/temp_file and add the name of the new slave server.
makedbm /tmp/temp_file ypservers <-- convert the updated list back to ndbm
makedbm -u ypservers <-- verify the change
- Then follow the procedure for setting up a slave server (described above).
*** Turning off NIS services:
- Run these commands on each machine:
mv /usr/lib/netsvc/yp/ypbind /usr/lib/netsvc/yp/ypbind.OFF
mv /usr/lib/netsvc/yp/ypserv /usr/lib/netsvc/yp/ypserv.OFF
- In addition, you can stop the services immediately:
/usr/lib/netsvc/yp/ypstop