The candidate should be able to configure an NIS server and create NIS maps for major configuration files. This objective includes configuring a system as an NIS client, setting up an NIS slave server and configuring the ability to search local files, DNS, NIS, etc. in nsswitch.conf.
Key files, terms and utilities include:
| nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo |
| nis.conf, nsswitch.conf, ypserv.conf |
| Contents of /etc/nis/: netgroup, nicknames, securenets |
| Makefile |
NIS stands for Network Information Service. NIS was developed by Sun Microsystems and was originally named “Yellow Pages”, but since that is a trademark of British Telecom, Sun Microsystems had to change the name and chose NIS. As a remnant of that former name, all NIS commands start with the letters “yp”.
NIS is based on RPC (Remote Procedure Calls) and consists of a server and one or more clients. Because NIS uses RPC calls, the portmapper (portmap) must be running. See the section called “Configuring an NFS Server (2.209.2)” for more information on the portmapper.
The purpose of NIS is to distribute information on the server to all hosts on the network, thus keeping the network transparent to the users. Let's say, for example, that you would like users to be able to log into any system on the LAN using the same userid and password.
This can be achieved by telling NIS to distribute the files /etc/passwd and /etc/group to all hosts in the NIS domain.
The files distributed across the network can be any type of file, e.g., a text file that contains the phone numbers of your colleagues.
The NIS domain name, which is case-sensitive, must be set. This is done either during the installation (when you are prompted for the domainname) or afterwards by editing the file /etc/defaultdomain.
Normally a client finds its NIS servers by broadcasting on the local network. If the NIS server is not on that network, you must specify the server(s) in /etc/yp.conf. Then NIS can be started with the command /etc/init.d/nis start.
A NIS master-server uses the command yppush to copy its NIS databases to one or more slave servers. What actually happens is that the NIS master-server tells a slave to come and get the databases. The slave then uses ypxfr to do that.
A drawback is that this only works if the slave happens to be up and running at the moment the master executes yppush. The ypxfr manual page suggests that you run ypxfr periodically in a cron job and make the frequency dependent on how often the maps change. Please consult this man page for further details (man 8 ypxfr).
There should be a HOWTO for your distribution that describes this. On my Debian system, I found the information in the file /usr/share/doc/nis.debian.howto.gz.
Set the NIS domain in the /etc/defaultdomain file. It is common practice to use your DNS domain name for this.
The next thing to do is restrict access to your NIS domain, because everyone who knows your domain name can retrieve the contents of your NIS maps. There are two files where access restrictions can be configured: /etc/ypserv.conf and /etc/ypserv.securenets.
If none of the access rules in /etc/ypserv.conf matches the map name, ypserv checks whether the map contains a YP_SECURE key. If it does, access is allowed only from a reserved (privileged) port; if it does not, access is allowed unconditionally. An access rule has the following format; please read the man page for further details (man ypserv.conf):
host:map:security:mangle[:field]
This is not very safe, because you have to specify what is not allowed instead of what is. It is safer to specify from which hosts access is allowed. This can be done in one of two ways: either with tcpwrappers, which involves the files /etc/hosts.allow and /etc/hosts.deny, or with the securenets method of ypserv, which involves the file /etc/ypserv.securenets.
Each line in /etc/ypserv.securenets consists of a netmask and a network, for instance:
255.255.255.0 101.102.103.0
This means that all machines in the 101.102.103.0 network are allowed to connect to the NIS server. If none of the rules match an incoming request, the request is logged and ignored. If, however, the file /etc/ypserv.securenets does not exist, connections from all hosts are allowed.
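The securenets decision described above, as an added example (not part of the original text or of ypserv): the sample file content is constructed inline, only the netmask/network line form shown here is handled, and a missing file is modelled by passing None for the rule list.

```python
import ipaddress

# Constructed sample of /etc/ypserv.securenets: "<netmask> <network>" per line.
SAMPLE_SECURENETS = """\
# allow the local host and one LAN
255.255.255.255 127.0.0.1
255.255.255.0   101.102.103.0
"""

def parse_securenets(text):
    """Return a list of (netmask, network) pairs as IPv4Address objects.
    Comments and blank lines are skipped, as ypserv does."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mask, net = line.split()
        rules.append((ipaddress.IPv4Address(mask), ipaddress.IPv4Address(net)))
    return rules

def securenets_allows(rules, client_ip):
    """Mirror the behaviour the text describes: rules is None when the
    file does not exist (every host allowed); otherwise any matching
    rule allows the request and a request matching no rule is refused
    (ypserv logs and ignores it)."""
    if rules is None:
        return True
    ip = int(ipaddress.IPv4Address(client_ip))
    for mask, net in rules:
        if ip & int(mask) == int(net) & int(mask):
            return True
    return False

def catch_all_rules(rules):
    """A rule with an all-zero netmask matches every address, which
    makes the access restriction meaningless; report such rules."""
    return [(str(m), str(n)) for m, n in rules if int(m) == 0]

if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    for host in ("101.102.103.77", "101.102.104.77", "127.0.0.1"):
        print(host, "allowed" if securenets_allows(rules, host) else "ignored")
    print("catch-all rules:", catch_all_rules(rules))
```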
To use tcpwrapper support, this functionality needs to have been compiled into ypserv. If this is the case, tcpwrappers is used instead of the securenets functionality. To test if this is the case, type:
# ypserv --version
ypserv - NYS YP Server version 1.3.12 (with securenets)
Obviously, I have not compiled tcpwrappers into ypserv.
NIS maps are created by running make in the directory /var/yp/. make reads the file /var/yp/Makefile, which contains the definitions of the NIS environment and the various maps. The file /var/yp/Makefile explains itself; I suggest you read through it at least once.
This section briefly describes the functionality of the yp* commands and related files as described in their man pages. Please consult those man pages for further details on command line options and other features.
The related yp* commands and files:
ypbind finds the server for NIS domains and maintains the NIS binding information.
ypcat prints the values of all keys from the NIS database specified by mapname, which may be a map name or a map nickname.
The standard passwd, chfn and chsh cannot be used under NIS to change the users' NIS password, shell or GECOS information, because only the password file on the local host is modified. For changing the NIS information, they are replaced by their NIS counterparts: yppasswd, ypchfn and ypchsh.
ypdomainname sets or displays the name of the current NIS domain.
ypmatch prints the values of one or more keys from the NIS database specified by mapname.
ypserv is the Network Information Service (NIS) server daemon.
ypwhich returns the name of the NIS server or the name of the master for a map.
All I could find about nisupdate is that it is a script that is part of the Webmin suite. Webmin is a web-based interface for system administration for Unix.
If you would like to know more about Webmin, go to the Webmin Website.
nis.conf
This seems to be distribution specific. The file is not present on my Debian system. The file /etc/defaults/nis contains the configuration settings for the NIS daemons as shown below:
#
# /etc/defaults/nis Configuration settings for the NIS daemons.
#
# Are we a NIS server and if so what kind (values: false, slave, master)
NISSERVER=false
# Location of the master NIS password file (for yppasswdd).
# If you change this make sure it matches with /var/yp/Makefile.
YPPWDDIR=/etc
# Do we allow the user to use ypchsh and/or ypchfn ? The YPCHANGEOK
# fields are passed with -e to yppasswdd, see it's manpage.
# Possible values: "chsh", "chfn", "chsh,chfn"
YPCHANGEOK=chsh
nsswitch.conf
/etc/nsswitch.conf is the System Databases and Name Service Switch configuration file. Various functions in the C Library need to be configured to work correctly in the local environment. Traditionally, this was done by using files (e.g. /etc/passwd), but other name services (like the Network Information Service (NIS) and the Domain Name Service (DNS)) became popular and were hacked into the C library, usually with a fixed search order. The Linux GNU C Library 2.x (libc.so.6) contains a cleaner solution to this problem. Its design is based upon a method used by Sun Microsystems in the C library of Solaris 2. Sun calls this scheme “Name Service Switch” (NSS). The sources for the “databases” and their lookup order are specified in the /etc/nsswitch.conf file.
The file /etc/nsswitch.conf consists of one line per database. The first item on the line is the name of the database followed by a colon (:). The rest of the line specifies how the lookup is done and how lookup results are treated. For example:
hosts: dns [!UNAVAIL=return] files
networks: nis [NOTFOUND=return] files
The available databases are: aliases, ethers, group, hosts, netgroup, network, passwd, protocols, publickey, rpc, services, shadow
Amongst the services are:
compat, db, files, hesiod, nis, nisplus
For every service there must be a file
/lib/libnss_<service>.so.<version>.
For glibc 2.0 the version number is “1”, for glibc 2.1 the version number is “2”.
The action items are placed within brackets and between two service names. The general form is:
[ ( !STATUS = ACTION )+ ] where
'!' negates the STATUS and can be omitted
STATUS can be: success, notfound, unavail or tryagain
ACTION can be: return or continue
Please consult the man page (man nsswitch.conf) for further details.
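To make the [STATUS=ACTION] semantics concrete, here is an added simulator (not part of the original text or of glibc) that parses an nsswitch.conf line and walks the service chain using constructed per-service lookup statuses; the default actions (success=return, all other statuses=continue) are glibc's documented defaults, and action items are expected in the STATUS=ACTION form without spaces around the equals sign.

```python
import re

# glibc's default action for each status when no [...] item overrides it.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}
STATUSES = set(DEFAULTS)

def parse_nsswitch_line(line):
    """Parse 'db: svc1 [item ...] svc2 ...' into (db, chain), where chain is
    a list of (service, overrides) and overrides maps status -> action as
    set by the bracketed items following that service."""
    db, _, rest = line.partition(":")
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not token.startswith("["):
            chain.append((token, {}))
            continue
        if not chain:
            raise ValueError("action list before any service: " + token)
        for item in token[1:-1].split():
            status, _, action = item.partition("=")
            negate = status.startswith("!")          # '!' negates the STATUS
            status, action = status.lstrip("!").lower(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action item: " + item)
            targets = STATUSES - {status} if negate else {status}
            chain[-1][1].update({s: action for s in targets})
    return db.strip(), chain

def simulate_lookup(line, results):
    """Walk the chain with simulated statuses (results: service -> status,
    a missing service counts as unavail) and return (service that ended
    the lookup, its status)."""
    _, chain = parse_nsswitch_line(line)
    last = (None, "notfound")
    for service, overrides in chain:
        status = results.get(service, "unavail").lower()
        last = (service, status)
        if overrides.get(status, DEFAULTS[status]) == "return":
            break
    return last

if __name__ == "__main__":
    # Constructed statuses: DNS is down, so the hosts line falls through to files.
    print(simulate_lookup("hosts: dns [!UNAVAIL=return] files",
                          {"dns": "unavail", "files": "success"}))
```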
ypserv.conf
/etc/ypserv.conf is the configuration file for ypserv and rpc.ypxfrd.