8    Network Information Service

The Network Information Service (NIS, formerly Yellow Pages) is a distributed data lookup service for sharing information on a local area network (LAN). NIS allows you to coordinate the distribution of database information throughout your networked environment.

This chapter describes:

• The NIS environment

• How to configure your system for NIS

• How to manage NIS servers and clients

For introductory information on NIS, see nis_intro(7). For troubleshooting information, see Section 14.9 for clients and Section 14.8 for servers.

8.1    NIS Environment

In a NIS environment, systems can have the following roles:

• Master server -- A system that stores the master copy of the NIS database files, or maps, for the domain in the /var/yp/DOMAIN directory and propagates them at regular intervals to the slave servers. Only the master maps can be modified. Each domain can have only one master server.

• Slave server -- A system that obtains and stores copies of the master server's NIS maps. These maps are updated periodically over the network. If the master server is unavailable, the slave servers continue to make the NIS maps available to clients. Each domain can have multiple slave servers distributed throughout the network.

• Client -- Any system that queries NIS servers for NIS database information. Clients do not store and maintain copies of the NIS maps locally for their domain.

Figure 8-1 shows a domain in which there is a master server, two slave servers, and some clients.

Figure 8-1:  NIS Configuration

By default, NIS distributes the aliases (mail.aliases), group, hosts, netgroup, networks, passwd, protocols, rpc, and services databases. (The mail.aliases and netgroup databases are created exclusively for NIS.) You can also create and distribute the enhanced security extended profile database, and site-specific customized databases, such as NFS automount maps.

To configure NIS with support for enhanced security, and optionally create secure versions of NIS maps, carefully read the instructions in the Creating and Maintaining Accounts chapter of the Security guide before proceeding with the setup described in this chapter. For information on creating automount maps for distribution by NIS, see Appendix B. For information on creating and distributing other site-specific NIS maps, see the Section 8.4.5.

8.2    Planning NIS

This section describes the tasks you must complete before configuring NIS.

8.2.1    Verifying That the Additional Networking Services Subset is Installed

For NIS servers, verify that the Additional Networking Services subset is installed by entering the following command:

# setld -i | grep OSFINET

If the subset is not installed, install it by using the setld command. For more information on installing subsets, see setld(8), the Installation Guide, or the System Administration manual.

8.2.2    Preparing for the Configuration

Figure 8-2 shows the NIS Setup Worksheet, which you can use to record the information required to configure NIS. If you are viewing this manual online, you can use the print feature to print a copy of this worksheet. The following sections explain the information you need to record on the worksheet.

Figure 8-2:  NIS Setup Worksheet

Domain name

The domain name (1 to 31 alphanumeric characters). All systems in the domain must declare the same domain name.

An NIS domain is an administrative entity that consists of a master server, one or more slave servers, and numerous clients. All systems in a domain share the same set of NIS database files.

Note

An NIS domain name is not the same as a DNS domain name. If you configure the system with an incorrect NIS domain name, all NIS-related operations (such as logging in and ls -l commands) hang for several minutes, then fail.

Host's role

NIS runs on each system in your network. You must decide what role each system will play within the NIS domain that you are creating. Select one host to be the master server; there can be only one master server for each domain. Select one or more hosts to be slave servers. The rest of the hosts should run as NIS clients.

Note

The master server and all slave servers are also considered to be NIS clients.

8.2.2.1    Master Server

Database files for NIS maps

The files you want to make into NIS maps. Choose from the following list:

• /etc/group

• /etc/hosts

• /etc/networks

• /etc/passwd

• /etc/protocols

• /etc/rpc

• /etc/services

/var/yp/src/mail.aliases file

The mail.aliases file, which is based on the /var/adm/sendmail/aliases file, defines network-wide mail aliases. If you want to define and distribute mail aliases on your network, check Yes; otherwise, check No.

If you choose not to create a mail.aliases file, the nissetup script issues an informational message that it cannot find the mail.aliases file while it is building the NIS maps. For information on defining mail aliases, see aliases(4).

/var/yp/src/netgroup file

The netgroup file defines network-wide groups and is used for permission checking when doing remote mounts, remote logins, and remote shells. If you want to define and distribute netgroup information on your network, check Yes; otherwise, check No.

If you choose not to create a netgroup file, the nissetup script issues an informational message that it cannot find the netgroup file while it is building the NIS maps. For information on defining network groups, see netgroup(4).

Setup options

The list of setup options for master servers is as follows. Write the options you want to use in the appropriate place in the worksheet.

• Run the yppasswdd daemon (master server only).

  The yppasswdd daemon runs on the master server and allows the master copy of the password file to be updated remotely using the yppasswd command. You should run the yppasswdd daemon.

• Create base or enhanced security versions of the NIS maps.

  Tru64 UNIX security can be configured in either base or enhanced authentication mode. Enhanced security includes an additional prpasswd map that contains extended user profile information. Before configuring NIS to distribute this prpasswd map, read Chapter 12 of the Security guide. It describes important operational differences and additional steps necessary for NIS configuration in a secure environment.

• Create NIS maps in btree format.

  If you serve very large maps, you might want to have NIS maintain these maps as btree files, which significantly reduces the time required to build and push very large maps. However, the use of btree files might degrade performance slightly for relatively small maps.

  If you intend to use enhanced security with NIS, you should maintain your maps in btree format.

• Run the ypbind daemon with the -s option, for secure mode, which requires the server to use a reserved port.

• Lock the ypbind daemon to a particular domain name and server list.

  Normally, hosts broadcast NIS requests on the network and the first available server answers the request. The -S option allows you to lock the ypbind daemon to a particular domain and set of servers. Requests are made directly to the specified servers, rather than being broadcast. It is best to run NIS with the -S option configured.

  If you choose to run NIS with the -S option configured, you must know the host names and IP addresses of the servers to which you are locking the ypbind daemon. You will add them to the local hosts file during configuration.

  Security Note

  When using the nissetup script to set up an NIS server that is running with enhanced security, you must answer Yes to the question about locking the domain name and authorized servers (the ypbind -S option). For a master server, the server is bound to itself by default.

• Run NIS with the -ypset option, the -ypsetme option, or with both options set.

  The -ypset option allows a user logged in as root on any system in your domain to bind your system to a particular server. The -ypsetme option allows ypbind to accept -ypset requests only from the local system. You should not run NIS with the -ypset and the -ypsetme options set.

• Create and distribute automount maps.

  The automount program, an alternative to mounting remote file systems, allows users to mount remote file systems on an as-needed basis. When you use NIS to distribute automount maps, you create the maps on the NIS master server and distribute them to NIS slave servers and clients. For information on creating automount maps, see Appendix B. For information on administering automount maps, see Section 9.1.2.

  Whether or not you use the automount program depends on your site's networking environment.

Slave name

The name of each slave server in the domain.

IP address

The IP address of each slave server in the domain.

8.2.2.2    Slave Server

Setup options

The list of setup options for slave servers is as follows. Write the options you want to use in the appropriate place in the worksheet.

• Maintain base or enhanced security versions of the NIS maps.

  Tru64 UNIX security can be configured in either base or enhanced authentication mode. Enhanced security includes an additional prpasswd map that contains extended user profile information. Before configuring NIS to distribute this prpasswd map, read Chapter 12 of the Security guide. It describes important operational differences and additional steps necessary for NIS configuration in a secure environment.

• Maintain NIS maps in btree format.

  If you serve very large maps, you might want NIS to maintain these maps as btree files, which significantly reduces the time required to push very large maps. However, it might degrade performance slightly for relatively small maps.

  If you intend to use enhanced security with NIS, you should maintain your maps in btree format.

• Run the ypbind daemon with the -s option, for secure mode, which requires the server to use a reserved port.

• Lock the ypbind daemon to a particular domain name and server list.

  Normally, hosts broadcast NIS requests on the network and the first available server answers the request. The -S option allows you to lock the ypbind daemon to a particular domain and set of servers. Requests are made directly to the specified servers, rather than being broadcast. For security purposes, you should run NIS with the -S option configured.

  If you choose to run NIS with the -S option configured, you must know the host names and IP addresses of the servers to which you are locking the ypbind daemon.

  Security Note

  When using the nissetup script to set up an NIS server that is running with enhanced security, you must answer Yes to the question about locking the domain name and authorized servers (the ypbind -S option). For a slave server, the server is bound to itself by default and optionally to the master server and any other slave servers.

• Run NIS with the -ypset option, the -ypsetme option, or with both options set.

  The -ypset option allows a user running as root on any system in your domain to bind your system to a particular server. The -ypsetme option allows ypbind to accept -ypset requests only from the local system. For security purposes, you should not run NIS with the -ypset or -ypsetme options.

• Distribute automount maps.

  The automount program, an alternative to mounting remote file systems, allows users to mount remote file systems on an as-needed basis. When you use NIS to distribute automount maps, you can configure the slave server to receive the maps from the master server, distribute them to clients, and use them to mount remote file systems. For information on creating automount maps, see Appendix B. For information on administering automount maps, see Section 9.1.2.

  Whether or not you use the automount program depends on your site's networking environment.

Master name

The host name of the master server in your domain.

IP address

The IP address of the master server in your domain.

Slave name

The name of another slave server in your domain. Specify several servers.

IP address

The IP address of a slave server in your domain.

8.2.2.3    Client

Setup options

The list of setup options for clients is as follows. Write the options you want to use in the appropriate place in the worksheet.

• Run the ypbind daemon with the -s option, for secure mode, which requires the server to use a reserved port.

• Lock the ypbind daemon to a particular domain name and server list.

  Normally, hosts broadcast NIS requests on the network and the first available server answers the request. The -S option allows you to lock the ypbind daemon to a particular domain and set of servers. Requests are made directly to the specified servers, rather than being broadcast. You should run NIS with the -S option configured.

  If you choose to run NIS with the -S option configured, you must know the host names and IP addresses of the servers to which you are locking the ypbind daemon.

• Run NIS with the -ypset option, the -ypsetme option, or with both options set.

  The -ypset option allows a user logged in as root on any system in your domain to bind your system to a particular server. The -ypsetme option allows ypbind to accept -ypset requests only from the local system. You should not run NIS with the -ypset or -ypsetme options set.

• Use the automount program and the associated maps.

  The automount program, an alternative to mounting remote file systems, allows users to mount remote file systems on an as-needed basis. When you use NIS to distribute automount maps, you can configure clients to receive the maps from the NIS master and slave servers and use the maps to mount remote file systems. For information on creating automount maps, see Appendix B. For information on administering automount maps, see Section 9.1.2.

  Whether or not you use the automount program depends on your site's networking environment.

Server name

The name of a master or slave server in your domain. Specify several servers.

8.3    Configuring NIS

You can use the SysMan Menu application of the Common Desktop Environment (CDE) Application Manager to configure NIS on master servers, slave servers, and clients. To invoke the SysMan Menu application, follow the instructions in Section 1.1.1.

8.3.1    Configuring an NIS Master Server

You must configure the NIS master server before you configure the other systems. Prior to using the SysMan Menu or the nissetup script, you must log in as root and complete the following tasks:

1. Copy into the /var/yp/src directory the local /etc files that you intend to make into NIS maps for distribution. If a file is absent from the /var/yp/src directory while it is building the default NIS maps, the nissetup script issues an informational message that it could not find that particular file and continues building the maps.

   Note

   If you copied the passwd file into the /var/yp/src directory, remove the root entry from the file.

2. Optionally, create the /var/yp/src/mail.aliases file. If you already have a /var/adm/sendmail/aliases file on your local system, you can copy it to the /var/yp/src directory and edit it, if necessary. For information on the format of this file, see aliases(4).

3. Optionally, create the /var/yp/src/netgroup file. For information on the format of this file, see netgroup(4).

4. Edit the /var/yp/Makefile file.

   If you are using the NIS master server to serve the /etc/auto.master and /etc/auto.home automount maps, you must remove the comment sign (#) from the beginning of each of the following lines. These lines were added to the Makefile for use by the automount daemon.

      
   .
   .
   .
   #all: passwd group hosts networks rpc services protocols netgroup \
   #     aliases auto.home auto.master
      
   .
   .
   .
   #$(YPDBDIR)/$(DOM)/auto.home.time: $(DIR)/auto.home
   #        -@if [ -f $(DIR)/auto.home ]; then \
   #               $(SED) -e "/^#/d" -e s/#.*$$// $(DIR)/auto.home | \
   #               $(MAKEDBM) -a $(METHOD) - $(YPDBDIR)/$(DOM)/auto.home; \
   #               $(TOUCH) $(YPDBDIR)/$(DOM)/auto.home.time; \
   #               $(ECHO) "updated auto.home"; \
   #               if [ ! $(NOPUSH) ]; then \
   #                       $(YPPUSH) auto.home; \
   #                       $(ECHO) "pushed auto.home"; \
   #               else \
   #                       : ; \
   #               fi \
   #       else \
   #               $(ECHO) "couldn't find $(DIR)/auto.home"; \
   #       fi
   #
   #$(YPDBDIR)/$(DOM)/auto.master.time: $(DIR)/auto.master
   #        -@if [ -f $(DIR)/auto.master ]; then \
   #              $(SED) -e "/^#/d" -e s/#.*$$// $(DIR)/auto.master | \
   #               $(MAKEDBM) -a $(METHOD) - $(YPDBDIR)/$(DOM)/auto.master; \
   #               $(TOUCH) $(YPDBDIR)/$(DOM)/auto.master.time; \
   #               $(ECHO) "updated auto.master"; \
   #               if [ ! $(NOPUSH) ]; then \
   #                       $(YPPUSH) auto.master; \
   #                       $(ECHO) "pushed auto.master"; \
   #               else \
   #                       : ; \
   #               fi \
   #       else \
   #               $(ECHO) "couldn't find $(DIR)/auto.master"; \
   #       fi
      
   .
   .
   .
   #auto.home: $(YPDBDIR)/$(DOM)/auto.home.time
   #auto.master: $(YPDBDIR)/$(DOM)/auto.master.time
      
   .
   .
   .
   #$(DIR)/auto.home:
   #$(DIR)/auto.master:
   

   Place a comment sign (#) in front of the following lines:

   all: passwd group hosts networks rpc services protocols netgroup \
   aliases
   

   If you are using the NIS master server to serve other site-specific maps, you must add entries for the maps to the Makefile. See Section 8.4.7.1 for information on adding entries for site-specific NIS maps, other than the /etc/auto.master and /etc/auto.home automount maps, to the /var/yp/Makefile file.

5. Copy the automount maps, or any other site-specific maps, to the /var/yp/src directory. For information on creating automount maps, see Appendix B. For information on creating other site-specific maps, see the Section 8.4.7.1.

To continue to set up the master server, invoke the SysMan Menu as documented in Section 1.1.1 and do the following:

1. From the SysMan Menu, select Networking-->Additional Network Services-->Configure Network Information Service (NIS). SysMan Menu invokes the nissetup script.

   Alternatively, enter the following command on a command line:

   # /usr/bin/sysman nis
   

   A message reminds you that your network must be established before setting up NIS, and that in order to set up an NIS server you must have the Additional Networking Services subset installed.

2. Enter c to continue.

3. Press Return following the script's explanation of nissetup, and then press Return again after the script explains the three types of systems in an NIS domain.

4. Enter and confirm your system's NIS domain name.

5. Choose option 1 to indicate that you are configuring the master server.

6. Following the nissetup script's explanation that there can be only one master server configured for each NIS domain, enter c and indicate whether or not you want to run the yppasswdd daemon. You should run the yppasswdd daemon on the NIS master server.

7. Indicate whether or not you intend to use enhanced security with NIS.

8. Indicate whether or not you want your NIS maps to be maintained as btree files.

9. Enter the names of hosts that will be slave servers for this domain. If you enter a host name that is not listed in the master server's /etc/hosts file, the nissetup script prompts you for its IP address.

   Enter the names of the SLAVE servers in the test_domain domain.
   Press Return to terminate the list.
    
      Host name of slave server: host2
      Host name of slave server: host3
         Cannot find host3 in the file /etc/hosts.
         To add host3 to the /etc/hosts file you MUST
                   know host3's Internet (IP) address.
    
     Would you like to add host3 to the /etc/hosts file
           (y/n) [y]? y
    
     What is host3's Internet (IP) address [no default] ? 
        120.105.1.28
    
     Is 120.105.1.28 correct (y/n) [no default] ? y
    
      Hostname of slave server: [Return]
   

   The nissetup script displays the list of servers that you entered. You can redo the list to correct errors or continue with the setup procedure.

   The nissetup script then creates the default NIS maps, displaying messages similar to the following as it does:

   Creating default NIS maps.  Please wait...
   updated passwd
   updated group
   updated hosts
   updated networks
   updated rpc
   updated services
   updated protocols
   updated netgroup
   Finished creating default NIS maps.
   

10. Indicate whether or not you want to use the -s security option.

    If you choose to run the -s option, the ypbind process runs in a secure mode.

11. Indicate whether or not you want to use the -S security option.

    If you choose to run the -S option, you must enter the names of up to four NIS servers.

    The nissetup script places the host name of the server you are configuring first. Press Return when you are done entering server names.

    You should use the -S option.

12. Indicate whether or not you want to allow ypset requests on your system.

    You should disallow all ypset requests. Press Return to accept the default, and confirm your choice.

13. Indicate whether or not you want your system to use all of the NIS databases served by the master server.

    It is best to use all of the NIS databases.

    If you choose to use all of the NIS databases, the nissetup script edits the /etc/svc.conf file to include the string yp for each database. It also edits the /etc/passwd and /etc/group files to include a plus sign followed by a colon (+:) at the end of each file. This enables your system to use NIS for each database listed. This symbol enables the files to be distributed by NIS. Continue with step 16.

    If you choose not to use all of the NIS databases, enter n and continue with the next step.

14. Indicate whether or not you want to add a plus sign followed by a colon (+:) to the end of the local /etc/passwd and /etc/group files.

    For your system to use the NIS-served passwd database, group database, or both, +: must be the last line in the file or files you want served by NIS. This applies to the passwd and group databases only.

    Note

    The service order selection for the passwd and group databases is handled by the Security Integration Architecture (SIA). If BSD is selected for passwd and group information in the /etc/sia/matrix.conf file, only the +: is required for your system to search NIS.

15. Indicate whether or not you want the nissetup script to invoke the svcsetup script.

    If you answer yes, the nissetup script invokes the svcsetup script, which allows you to modify the database services selection file (the svc.conf file). See Section 8.3.4 for information on modifying the svc.conf file.

    If you answer no, the nissetup script continues. You must edit the svc.conf file later if you want your system to use NIS to obtain database information other than passwd and group information.

16. Indicate whether or not to start the NIS daemons automatically.

    If you answer yes, nissetup starts the daemons.

    If you answer no, use the following command to start the daemons manually after nissetup exits and returns you to the system prompt (#):

    # /sbin/init.d/nis start
    

8.3.2    Configuring a Slave Server

To configure a slave server, invoke the SysMan Menu as documented in Section 1.1.1 and do the following:

1. From the SysMan Menu, select Networking-->Additional Network Services-->Configure Network Information Service (NIS). SysMan Menu invokes the nissetup script.

   Alternatively, enter the following command on a command line:

   # /usr/bin/sysman nis
   

2. A message reminds you that your network must be established before setting up NIS, and that in order to set up an NIS server you must have the Additional Networking Services subset installed. Enter c to continue.

3. Press Return following the script's explanation of nissetup, and then press Return again after the script explains the three types of systems in an NIS domain.

4. Enter and confirm your system's NIS domain name.

5. Choose option 2 to indicate that you are configuring a slave server.

6. Enter c to continue following the nissetup script's explanation that the master server's list must include each slave server, and that the master server must be established in order for maps to be copied to the slave server.

7. Enter the name of the master server for your domain.

8. Indicate whether or not you intend to use enhanced security with NIS.

9. Indicate whether or not you want your NIS maps to be maintained as btree files.

   After you indicate your choice, the script copies the default NIS maps from the master NIS server.

10. Indicate whether or not you want to use the -s security option.

    If you choose to run the -s option, the ypbind process runs in a secure mode.

11. Indicate whether or not you want to use the -S security option.

    If you choose to run the -S option, you must enter the names of up to four NIS servers.

    The nissetup script places the host name of the server you are configuring first. Press Return when you are finished entering server names.

    You should use the -S option.

    If you enter the name of a host that is not listed in the slave server's /etc/hosts file, the nissetup script prompts you for its IP address. When you finish entering the list of servers, enter c to continue configuring NIS on your system.

12. Indicate whether or not you want to allow ypset requests on your system.

    You should disallow all ypset requests. Press Return to accept the default and confirm your choice.

13. Indicate whether or not you want your system to use all of the NIS databases served by the master server.

    It is best to use all of the NIS databases.

    If you choose to use all of the NIS databases, the nissetup script edits the /etc/svc.conf file to include the string yp for each database. It also edits the /etc/passwd and /etc/group files to include a plus sign followed by a colon (+:) at the end of each file. This enables your system to use NIS for each database listed. This symbol enables the file to be distributed by NIS. Continue with step 16.

    If you choose not to use all of the NIS databases, enter n and continue with the next step.

14. Indicate whether or not you want to add +: to the end of the local /etc/passwd and /etc/group files.

    For your system to use the NIS-served passwd database, group database, or both, +: must be the last line in the file or files you want NIS to serve. This applies to the passwd and group databases only.

    Note

    The service order selection for the passwd and group databases is handled by the Security Integration Architecture (SIA). If BSD is selected for passwd and group information in the /etc/sia/matrix.conf file, the +: only is required for your system to search NIS.

15. Indicate whether or not you want the nissetup script to invoke the svcsetup script.

    If you answer yes, the nissetup script invokes the svcsetup script, which allows you to modify the database services selection file (the svc.conf file). See Section 8.3.4 for information on modifying the svc.conf file.

    If you answer no, the nissetup script continues. You must edit the svc.conf file later if you want your system to use NIS to obtain database information other than passwd and group information.

16. Indicate whether or not to start the NIS daemons automatically.

    If you answer yes, nissetup starts the daemons.

    If you answer no, use the following command to start the daemons manually after nissetup exits and returns you to the system prompt (#):

    # /sbin/init.d/nis start
    

8.3.3    Configuring an NIS Client

To configure an NIS client, invoke the SysMan Menu as documented in Section 1.1.1 and do the following:

1. From the SysMan Menu, select Networking-->Additional Network Services-->Configure Network Information Service (NIS). SysMan Menu invokes the nissetup script.

   Alternatively, enter the following command on a command line:

   # /usr/bin/sysman nis
   

2. A message reminds you that your network must be established before setting up NIS, and that in order to set up an NIS server you must have the Additional Networking Services subset installed. Enter c to continue.

3. Press Return following the script's explanation of nissetup, and then press Return again after the script explains the three types of systems in an NIS domain.

4. Enter and confirm your system's NIS domain name.

5. Press Return to accept the default that you are configuring a client.

6. Enter c to continue following the nissetup script's warning that at least one server must be configured for this domain.

7. Indicate whether or not you want to use the -s security option.

   If you choose to run the -s option, the ypbind process runs in a secure mode.

8. Indicate whether or not you want to use the -S security option.

   If you choose to run the -S option, you must enter the names of up to four NIS servers.

   If you enter the name of a server that is not listed in the client's /etc/hosts file, the nissetup script prompts you for its IP address. After you finish entering the list of servers, enter c to continue configuring NIS on your system.

9. Indicate whether or not you want to allow ypset requests on your system.

   You should disallow all ypset requests. Press Return to accept the default, and confirm your choice.

10. Indicate whether or not you want your system to use all of the NIS databases served by the master server.

    It is best to use all of the NIS databases.

    If you choose to use all of the NIS databases, the nissetup script edits the /etc/svc.conf file to include the string yp for each database. It also edits the /etc/passwd and /etc/group files to include a plus sign followed by a colon (+:) at the end of each file. This enables your system to use NIS for each database listed. This symbol enables the file to be distributed by NIS. Continue with step 13.

    If you choose not to use all of the NIS databases, enter n and continue with the next step.

11. Indicate whether or not you want to add +: to the end of the local /etc/passwd and /etc/group files.

    For your system to use the NIS served passwd database, group database, or both, +: must be the last line in the file or files you want served by NIS. This applies to the passwd and group databases only.

    Note

    The service order selection for the passwd and group databases is handled by the Security Integration Architecture (SIA). If BSD is selected for password and group information in the /etc/sia/matrix.conf file, only the +: is required for your system to search NIS.

12. Indicate whether or not you want the nissetup script to invoke the svcsetup script.

    If you answer yes, the nissetup script invokes the svcsetup script, which allows you to modify the database services selection file (the svc.conf file). See Section 8.3.4 for information on modifying the svc.conf file.

    If you answer no, the nissetup script continues. You must edit the svc.conf file later if you want your system to use NIS to distribute database information other than password and group information.

13. Indicate whether or not to start the NIS daemons automatically.

    If you answer yes, nissetup starts the daemons.

    If you answer no, use the following command to start the daemon manually after nissetup exits and returns you to the system prompt (#):

    # /sbin/init.d/nis start
    

8.3.4    Modifying the svc.conf File with svcsetup

If you choose not to use NIS for all of the default databases, you can edit the /etc/svc.conf file with the svcsetup script. If you answer yes when nissetup asks if you want to run svcsetup, it invokes the svcsetup script. Use the following procedure to edit the /etc/svc.conf file:

1. Press Return to choose the m option from the Configuration Menu.

2. Enter the numbers from the Change Menu that correspond to the databases whose entries you want to modify.

3. Enter the number that corresponds to the order in which you want to query the services on your system.

   If you choose the default (2), the local /etc files are searched first for the requested information. If the information is not found locally, then an NIS server are queried. This choice is valid for all of the databases that NIS serves.

   To have NIS serve hosts information if your system is also having hosts information served by DNS, choose either option 5 (local,bind,yp) or option 6 (bind,local,yp) for the hosts database. Note that options 3 (local,bind), 4 (bind,local), 5, and 6 are valid for the hosts database only.

8.3.5    Modifying or Removing an NIS Configuration

If you configure NIS and run the nissetup script, you can modify or remove the NIS configuration.

If you choose to modify the NIS configuration, the nissetup script proceeds as described in Section 8.3.1 to Section 8.3.3, resulting in a new configuration.

If you choose to remove the NIS configuration, the nissetup script prompts you to verify your choice, then removes the NIS information from the following files:

• /etc/rc.config.common

• /etc/passwd

• /etc/group

• /etc/svc.conf

• /var/yp/DOMAIN (where DOMAIN is the name of the current NIS domain)

  This directory and its contents are deleted (for NIS master and slave servers only).

8.4    Managing an NIS Server

This section describes how to perform the following NIS server tasks:

• Add an NIS slave server to a domain

• Remove an NIS slave server from a domain

• Add a user to an NIS domain

• Update an NIS map

• Add an NIS map to a domain

• Remove an NIS map from a domain

• Modify the /var/yp/Makefile file

• Restrict access to NIS data

8.4.1    Adding an NIS Slave Server to a Domain

Adding a slave server to a domain enables the slave server to receive updated NIS maps from the master server and serve them to NIS clients in a domain.

To add an NIS slave server to a domain, do the following:

1. Set up the system as a slave server. See Section 8.3.2 for information on setting up a slave server.

2. Log in to the NIS master server as root.

3. Change to the /var/yp directory by using the cd command.

4. Undo the ypservers map and direct the output to a file by using the following command:

   # makedbm -u domainname/ypservers > filename
   

5. Edit the file and add the host name of the new server.

6. Build a new ypservers map by using the makedbm command as follows:

   # makedbm filename ypservers
   

   You can combine steps 4, 5, and 6 into one command line. See the example at the end of this procedure.

7. Move the ypservers.dir and ypservers.pag map files to the domain subdirectory.

8. Distribute the updated ypservers map to the slave servers by using the yppush command.

9. Edit the NIS master server's master hosts file and add an entry for the slave server, if it is not already in the hosts file. Then update the map by entering the make command. The make command also distributes the updated map.

See makedbm(8) for more information on building maps.

The following example (illustrating steps 3 through 9) shows how to add slave server host8 to domain market:

# cd /var/yp
# /var/yp/makedbm -u market/ypservers ; echo host8\  [1]
 |/var/yp/makedbm - tmpmap
# mv tmpmap.dir market/ypservers.dir [2]
# mv tmpmap.pag market/ypservers.pag
# yppush ypservers [3]
# vi /var/yp/src/hosts  [4]
   
.
.
.
# make hosts  [5]

1. Represents the combination of steps 4, 5, and 6 in the preceding procedure. The output from the makedbm command with the -u option is displayed and the new server name, host8, is echoed on standard output to add it to the file. Then, the output is piped back into the makedbm command to build a new map named tmpmap.

   Note

   You can type the first and second lines as one command even if the line wraps on your screen, or you can use the backslash escape character (\), as shown.

   [Return to example]

2. Moves the tmpmap.dir and tmpmap.pag map files to the domain market subdirectory and renames them as ypservers map files. [Return to example]

3. Distributes the updated map to the slave servers. [Return to example]

4. Adds a new host to the hosts NIS map on the master server. [Return to example]

5. Updates the map and distributes the updated map to the slave servers. [Return to example]

Section C.1 contains a sample script you can copy that performs the steps involved in adding a slave server to a domain. You still have to set up the slave server and edit the master server's hosts file, adding a slave server entry, if necessary.

8.4.2    Removing an NIS Slave Server from the Domain

Removing a slave server from a domain means that the system will no longer receives updated NIS maps from the master server and serve them to NIS clients in a domain.

To remove an NIS slave server from the domain, do the following:

1. Log in to the NIS slave server.

   If the system will be an NIS client, configure it as an NIS client by using nissetup. See Section 8.3.3 for more information.

   If the system will no longer use NIS, turn off the NIS configuration flag in the /etc/rc.config.common file by using the following command:

   # /usr/sbin/rcmgr -c set NIS_CONF NO
   

2. Log in to the NIS master server as root.

3. Change to the /var/yp directory by using the cd command.

4. Undo the ypservers map and direct the output to a file by using the following command:

   # makedbm -u ypservers > filename
   

5. Edit the file and remove the host name of the new server.

6. Build a new map by using the makedbm command as follows:

   # makedbm filename ypservers
   

   You can combine steps 4, 5, and 6 into one command line. See the example following this procedure.

7. Move the ypservers.dir and ypservers.pag map files to the domain subdirectory.

8. Distribute the updated ypservers map to the slave servers by using the yppush command.

See makedbm(8) for more information on building maps.

The following example (illustrating steps 4 through 8) shows how to remove slave server host4 from domain market:

# /var/yp/makedbm -u market/ypservers |\ [1]
 grep -v host4 | /var/yp/makedbm - tmpmap
# mv tmpmap.dir market/ypservers.dir  [2]
# mv tmpmap.pag market/ypservers.pag
# yppush ypservers [3]

1. Represents the combination of steps 4, 5, and 6 in the preceding procedure. The output from the makedbm command with the -u option is piped into grep with the -v option to display all lines except the one containing the slave server name (host4). Then, the output is piped back into the makedbm command to build a new map named tmpmap.

   Note

   You can type the first and second lines as one command even if the line wraps on your screen, or you can use the backslash escape character (\), as shown.

   [Return to example]

2. Moves the tmpmap.pag and tmpmap.dir map files to the domain market subdirectory and renames them as ypservers map files. [Return to example]

3. Distributes the updated map to the slave servers. [Return to example]

Section C.2 contains a sample script you can copy that performs the steps involved in removing a slave server from a domain. You still have to reconfigure the slave server as an NIS client or as a system that does not use NIS.

8.4.3    Adding a New User to an NIS Domain

Adding a new user to an NIS domain includes the user in the passwd map and allows the user to participate in the NIS environment. A user has only one password on all systems that use NIS for their passwd map.

To add a user to an NIS domain, do the following:

1. Log in to the NIS master server as root.

2. Edit the NIS master server's master password file, /var/yp/src/passwd, and add an entry for the new user.

   The master passwd file is a readable ASCII file with a one-line entry for each valid user on the system. Here is a sample passwd file entry for a user named Jane Doe:

   doe:fnuTqqab.6yec:444:10:Jane Doe:/usr/staff/doe:/bin/csh
   

   See the System Administration manual for a description of how to edit the passwd file to add a new user.

   Note

   The remote systems on the network recognize a user by the user identification (UID) number. Therefore, it is important that each user have the same UID number on each system on the network.

3. Change to the /var/yp directory by using the cd command.

4. Update the passwd map by using the make command.

5. Create a home directory for the new user on the user's system, using the same directory name that you specified in the master passwd file.

6. Set up the new user's environment.

   You can define login environments for new users in several ways. See the System Administration manual, csh(1), and sh(1) for further information about setting up a user's environment.

   If the new user is a member of any groups at your site, add the user's login name to the master group and netgroup files on the NIS master server as necessary. See group(4), netgroup(4), and groups(1) for more information about user groups.

7. Change ownership of the directory to the new user by using the chown command.

8. Have the user set the NIS password by using the yppasswd command.

The following example (illustrating steps 2 through 4) shows how to add a new user to a domain:

# vi /var/yp/src/passwd  [1]
   
.
.
.
# cd /var/yp  [2]
# make passwd  [3]

1. Opens the /var/yp/src/passwd file for editing. [Return to example]

2. Changes to the /var/yp directory. [Return to example]

3. Updates the NIS passwd map and distributes the updated map to the slave servers. [Return to example]

Updating an NIS map involves making changes to an NIS map's master file, updating the Makefile file (if the map is not listed), and building and distributing the new map. Entries for the following standard maps are included in the Makefile file:

• passwd

• group

• hosts

• networks

• rpc

• services

• protocols

• netgroup

• aliases (mail.aliases)

The master files are located in /var/yp/src on the NIS master server.

To update an NIS map, do the following:

1. Log in to the NIS master server as root.

2. Change to the /var/yp directory by using the cd command.

3. Modify the Makefile file, if no entry exists in the /var/yp/Makefile file for the map you want to update.

   See Section 8.4.7 for information on modifying the Makefile file.

4. Change to the /var/yp/src directory by using the cd command.

5. Edit the master file of the map you want to update and make your changes.

6. Change to the /var/yp directory by using the cd command.

7. Update and distribute the map by using the make command as follows:

   # make map_name
   

The following example (illustrating steps 4 through 7) shows how to update the hosts map:

# cd var/yp/src  [1]
# vi hosts   [2]
   
.
.
.
# cd /var/yp  [3]
# make hosts  [4]

1. Changes to the /var/yp/src directory. [Return to example]

2. Opens the /var/yp/src/hosts file for editing. [Return to example]

3. Changes to the /var/yp directory. [Return to example]

4. Updates the map and distributes it to the slave servers. [Return to example]

Adding an NIS map to a domain allows the database information to be distributed throughout an NIS domain. You can create and distribute maps for any information you want to distribute.

To add an NIS map to a domain, do the following:

1. Log in to the NIS master server as root.

2. Create a master file for your new map.

   A master file is an ASCII text file containing individual entries. Each entry has fields separated by spaces. Some of these fields are used to build a key to each entry. Review some of the master files in the /var/yp/src directory to better understand the structure of a master file.

3. If you are using NIS to distribute NFS automount maps, create a file named auto.master in the /var/yp/src directory. If the file exists, add an entry for the NFS automount map you want to distribute.

   See Section 9.1.2 and Appendix B for more information on the auto.master map.

4. Edit /var/yp/Makefile file to include the new map in the default set of maps.

   See Section 8.4.7 for information on modifying the Makefile file.

5. Change to the /var/yp directory by using the cd command.

6. Update the map by using the make command as follows:

   # make map_name
   

The following example adds the phonelist map to a domain:

# vi /var/yp/src/phonelist  [1]
   
.
.
.
# vi /var/yp/Makefile  [2]
   
.
.
.
# cd /var/yp  [3]
# make phonelist  [4]

1. Creates a phonelist master file on the master server. [Return to example]

2. Modifies the Makefile file and adds phonelist entries. [Return to example]

3. Changes directory. [Return to example]

4. Updates the map and distributes the updated map to the slave servers. [Return to example]

Removing an NIS map from a domain prevents the database information from being distributed throughout an NIS domain.

To remove an NIS map from a domain, do the following:

1. Log in to the NIS master server as root.

2. If you are using NIS to distribute NFS automount maps, delete the entry for the NFS map you no longer want distributed in the auto.master file in the /var/yp/src directory.

   See Section 9.1.2 and Appendix B for more information on the auto.master map.

3. Edit the /var/yp/Makefile file to remove the map from the default set of maps.

   See Section 8.4.7 for information on modifying the Makefile file.

8.4.7    Modifying the /var/yp/Makefile File

Modifying the Makefile file means adding or deleting database entries in the /var/yp/Makefile file on the NIS master server. By adding a database entry to the Makefile file, you indicate that you want a map produced for the specific database when you use the make command. By deleting a database entry, you indicate that you do not want a map produced for the specific database.

As you edit the /var/yp/Makefile file, remember the following:

• The order of entries in the line that begins with all: is not important. However, in continuation lines, the blank space preceding the line must be a tab character; do not use spaces.

• Variables are defined at the top of the Makefile file.

8.4.7.1    Adding an Entry

To add an entry to the Makefile file, do the following:

1. Log in to the NIS master server as root.

2. Edit the /var/yp/Makefile file and add the database name to the line beginning with all:. Next, add a line with the following format to the end of the file:

   database_name:database_name.time
    
   

   Finally, add an entry with the following format to the middle of the file:

   database_name.time: various_commands
   

   To simplify the creation of this entry, copy the auto.home.time: entry in the file and make the necessary database name changes.

3. If you are using NIS to distribute NFS automount maps, uncomment any line that contains the auto.master string by deleting the comment character (#) that precedes it.

The following example shows the phonelist database added to the /var/yp/Makefile file. There is a tab character preceding the netgroup database name in the all: line.

all: passwd group hosts networks rpc services protocols \
        netgroup aliases phonelist
   
.
.
.
$(YPDBDIR)/$(DOM)/phonelist.time: $(DIR)/phonelist
 	     -@if [-f $(DIR)/phonelist ]; then \
	           $(SED) -e "/^#/d" -e s/#.*$$// $(DIR)/phonelist | \
	           $(MAKEDBM) -a $(METHOD) - $(YPDBDIR)/$(DOM)/phonelist; \
	           $(TOUCH) $(YPDBDIR)/$(DOM)/phonelist.time; \
	           $(ECHO) "updated phonelist"; \
	           if [ ! $(NOPUSH) ]; then \
	                   $(YPPUSH) phonelist; \
	                   $(ECHO) "pushed phonelist"; \
	           else \
	                   : ; \
	           fi \
	else \
	           $(ECHO) "couldn't find $(DIR)/phonelist"; \
	fi   
.
.
.
phonelist: phonelist.time

8.4.7.2    Deleting an Entry

To delete an entry from the Makefile file, do the following:

1. Log in to the NIS master server as root.

2. Edit the /var/yp/Makefile file, delete the database name from the line beginning with all:, and delete the line beginning with the database name (database_name:).

   Instead of deleting the database line, you could comment out the line by adding a number sign (#) to the beginning of the line.

8.4.8    Restricting Access to NIS Data

By default, the ypserv and ypxfrd daemons provide NIS information to anyone with network access to an NIS server who makes a request. However, you can restrict NIS database access to only those hosts in subnets you specify by completing the following steps:

1. Log in to the NIS server as root.

2. Create a /var/yp/securenets file.

3. Edit the /var/yp/securenets file and add an entry for each subnet from which the NIS server is to accept NIS requests. The format of each file entry is as follows:

   subnet_mask subnet_ip_address
   

   For example:

   255.255.0.0  128.30.0.0   [1]
   255.255.255.0 128.211.10.0    [2]
   255.255.255.255 128.211.5.6   [3]
   

   1. Allows IP addresses that are within the subnet 128.30 range to access the NIS files. The network mask is 255.255.0.0 and the corresponding network address is 128.30.0.0. [Return to example]

   2. Allows IP addresses that are within the subnet 128.211.10 range to access the NIS files. [Return to example]

   3. Allows one host with the IP address 128.211.5.6 to access the NIS files. [Return to example]

4. Save the file.

If the file does not exist or contains no entries, the server accepts any NIS request.

If the file exists and contains entries, the ypserv and ypxfrd daemons read the /var/yp/securenets file during initialization. When an NIS request is received, the requester's IP address is compared to the subnets in the /var/yp/securenets file. If it matches, the request is processed. If it does not match, NIS silently discards request. No message is logged (because malicious users could use these messages to fill up a system's disk).

On the system making the NIS request, NIS commands such as ypcat terminate with no error message. If a user is trying to log in to a system, the login times out after many retries.

Note

If the /var/yp/securenets file is modified, the you must kill and restart the ypserv and ypxfrd daemons.

You can also use a /var/yp/securenets file to restrict access to NIS data on a slave server. However, the NIS slave server's IP address must be in the authorization range of entries in the /var/yp/securenets file of the NIS master.

8.5    Managing an NIS Client

This section describes how to perform the following NIS client management tasks:

• Change an NIS password

• Obtain NIS map information

8.5.1    Changing an NIS Password

To change a user's password in the NIS passwd map, use the yppasswd command. If you receive an error message, ask the system administrator on the master server to verify that the rpc.yppasswdd daemon on the NIS master server is running.

If you try to change an NIS-distributed password with the passwd command, you receive the following error message:

Not in passwd file.

The root password is local and not in the NIS file. To change the root password, use the passwd command.

See yppasswd(1) and rpc.yppasswdd(8) for further information.

8.5.2    Obtaining NIS Map Information

NIS map information includes the following:

• Map names

• Map values

• Map keys

• Map master server

To obtain NIS map information, issue one of the commands listed in Table 8-1.

Table 8-1:  NIS Map Information Commands

Use the -x option with any of the commands shown in Table 8-1 to list all the map nicknames.

See ypcat(1), ypwhich(1), and ypmatch(1) for more information about these commands.

The following command lists all available maps and their master servers:

# ypwhich -m

The following command lists all values in the hosts map:

# ypcat hosts

The following command lists all occurrences in the hosts map that have the key apple:

# ypmatch apple hosts

The following command lists all occurrences in the hosts map that have the name jones associated with them. The name jones is not a key in this map.

# ypcat hosts | grep jones