Working With Oracle® Solaris 11.2 Directory and Naming Services: DNS and NIS


Updated: July 2014

NIS Maps

The information in NIS maps is stored in ndbm format. The ypfiles(4) and ndbm(3C) man pages explain the format of the map file.

NIS maps extend access to UNIX /etc data and other configuration files, such as passwd, shadow and group, so that the same data can be shared by a network of systems. Sharing these files simplifies administrative updates and management of those data files. NIS is deployable with minimal effort. However, larger enterprises, especially those with security requirements, should consider using LDAP naming services instead. On a network running NIS, the NIS master server for each NIS domain maintains a set of NIS maps for other machines in the domain to query. NIS slave servers maintain duplicates of the master server's maps. NIS client machines can obtain namespace information from either master or slave servers.

NIS maps are essentially two-column tables. One column is the key and the other column is information related to the key. NIS finds information for a client by searching through the keys. Some information is stored in several maps because each map uses a different key. For example, the names and addresses of machines are stored in two maps: hosts.byname and hosts.byaddr. When a server has a machine's name and needs to find its address, it looks in the hosts.byname map. When it has the address and needs to find the name, it looks in the hosts.byaddr map.

An NIS Makefile is stored in the /var/yp directory of machines designated as an NIS server at installation time. Running make in that directory causes makedbm to create or modify the default NIS maps from the input files.


Note - Always create maps on the master server, as maps created on a slave will not automatically be pushed to the master server.
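The following added example, which is not Solaris code, shows what makedbm produces for the hosts input when make is run in /var/yp: the same source line stored twice, once under each name or alias (hosts.byname) and once under the address (hosts.byaddr). The ndbm files are replaced by Python dicts, the sample /etc/hosts and the domain test.com are constructed, and only two of makedbm's YP_* bookkeeping entries are reproduced.

```python
"""Build NIS-style hosts.byname and hosts.byaddr tables from an /etc/hosts
source, the way the /var/yp Makefile has makedbm build the default maps.
Added example, not Solaris code: the ndbm files are replaced by dicts."""
import time

# Constructed sample /etc/hosts for the hypothetical domain test.com.
HOSTS_SRC = """\
# constructed /etc/hosts for test.com
127.0.0.1    localhost
192.0.2.10   master.test.com master nismaster
192.0.2.11   slave1.test.com slave1
192.0.2.20   WWW.test.com www    # web server
192.0.2.21   ftp.test.com www    # 'www' already used above
"""


def parse_hosts(text):
    """Yield (address, [name, alias, ...]) for each data line, dropping
    comments and blank lines as the Makefile does before calling makedbm."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def build_hosts_maps(text, master="master.test.com", lower=True, now=None):
    """Return {"hosts.byname": {...}, "hosts.byaddr": {...}, "duplicates": [...]}.

    The value of every entry is the whole source line (tab separated), as in
    the real maps; only the key differs between the two maps. hosts.byname
    gets one entry per name and alias, hosts.byaddr one per address. With
    lower=True the keys are lowercased, as makedbm -l does; values keep
    their case. A key seen twice is kept out of the map and reported (this
    example's choice), so the caller sees what ypmatch would never return.
    """
    byname, byaddr, dups = {}, {}, []
    for addr, names in parse_hosts(text):
        value = "\t".join([addr] + names)
        if addr in byaddr:
            dups.append(("hosts.byaddr", addr))
        else:
            byaddr[addr] = value
        for name in names:
            key = name.lower() if lower else name
            if key in byname:
                dups.append(("hosts.byname", key))
            else:
                byname[key] = value
    # makedbm also stores bookkeeping entries used by ypserv and ypxfr; two
    # of them are reproduced here. ypcat normally omits the YP_* entries.
    stamp = str(int(time.time() if now is None else now))
    for m in (byname, byaddr):
        m["YP_LAST_MODIFIED"] = stamp
        m["YP_MASTER_NAME"] = master
    return {"hosts.byname": byname, "hosts.byaddr": byaddr, "duplicates": dups}


def address_of(maps, name):
    """Name -> address: the hosts.byname direction."""
    entry = maps["hosts.byname"].get(name.lower())
    return entry.split("\t")[0] if entry else None


def name_of(maps, addr):
    """Address -> canonical name: the hosts.byaddr direction."""
    entry = maps["hosts.byaddr"].get(addr)
    return entry.split("\t")[1] if entry else None


if __name__ == "__main__":
    maps = build_hosts_maps(HOSTS_SRC, now=0)
    print(address_of(maps, "nismaster"))   # 192.0.2.10
    print(name_of(maps, "192.0.2.20"))     # WWW.test.com
    print(maps["duplicates"])              # [('hosts.byname', 'www')]
```

The duplicate report is the practical point: the fifth source line reuses the alias www, so in a real map only one of the two machines would ever be returned for that name, and nothing on the client side would reveal that the other definition exists.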

Default NIS Maps

A default set of NIS maps are provided in the Oracle Solaris system. You might want to use all these maps or only some of them. NIS can also use whatever maps you create or add when you install other software products.

Default maps for an NIS domain are located in each server's /var/yp/domain-name directory. For example, the maps that belong to the domain test.com are located in each server's /var/yp/test.com directory.

The following table describes the default NIS maps and lists the appropriate source file name for each map.

Table 5-3  NIS Map Descriptions

Map Name                 Corresponding Source File   Description
audit_user               audit_user                  Contains user auditing preselection data.
auth_attr                auth_attr                   Contains authorization names and descriptions.
bootparams               bootparams                  Contains path names of files that clients need during boot: root, swap, possibly others.
ethers.byaddr            ethers                      Contains machine names and Ethernet addresses. The Ethernet address is the key in the map.
ethers.byname            ethers                      Same as ethers.byaddr, except the key is the machine name instead of the Ethernet address.
exec_attr                exec_attr                   Contains profile execution attributes.
group.bygid              group                       Contains group security information with group ID as key.
group.byname             group                       Contains group security information with group name as key.
hosts.byaddr             hosts                       Contains machine name and IP address, with IP address as key.
hosts.byname             hosts                       Contains machine name and IP address, with machine (host) name as key.
mail.aliases             aliases                     Contains aliases and mail addresses, with alias as key.
mail.byaddr              aliases                     Contains mail address and alias, with mail address as key.
netgroup.byhost          netgroup                    Contains group name, user name and machine name, with machine name as key.
netgroup.byuser          netgroup                    Same as netgroup.byhost, except that key is user name.
netgroup                 netgroup                    Same as netgroup.byhost, except that key is group name.
netid.byname             passwd, hosts, group        Used for UNIX-style authentication. Contains machine name and mail address (including domain name). If a netid file is available, it is consulted in addition to the data from the other files.
publickey.byname         publickey                   Contains the public key database used by secure RPC.
netmasks.byaddr          netmasks                    Contains the network mask to be used with IP subnetting, with the address as key.
networks.byaddr          networks                    Contains names of networks known to your system and their IP addresses, with the address as key.
networks.byname          networks                    Same as networks.byaddr, except key is name of network.
passwd.adjunct.byname    passwd and shadow           Contains auditing information and the hidden password information for C2 clients.
passwd.byname            passwd and shadow           Contains password information with user name as key.
passwd.byuid             passwd and shadow           Same as passwd.byname, except that key is user ID.
prof_attr                prof_attr                   Contains attributes for execution profiles.
protocols.byname         protocols                   Contains network protocols known to your network.
protocols.bynumber       protocols                   Same as protocols.byname, except that key is protocol number.
rpc.bynumber             rpc                         Contains program number and name of RPCs known to your system. Key is RPC program number.
services.byname          services                    Lists Internet services known to your network. Key is the port/protocol pair.
services.byservice       services                    Lists Internet services known to your network. Key is service name.
user_attr                user_attr                   Contains extended attributes for users and roles.
ypservers                N/A                         Lists NIS servers known to your network.

The ageing.byname mapping contains information that is used by the yppasswdd daemon to read and write password aging information to the directory information tree (DIT) when the NIS-to-LDAP transition is implemented. If password aging is not being used, then it can be commented out of the mapping file. For more information about the NIS-to-LDAP transition, see Chapter 8, Transitioning From NIS to LDAP, in Working With Oracle Solaris 11.2 Directory and Naming Services: LDAP .

Using NIS Maps

NIS makes updating network databases much simpler than maintaining the /etc files on each system: you no longer have to change the administrative /etc files on every machine each time the network environment changes.

However, NIS provides no more security than the /etc files themselves, and in one respect less: map contents, including the password hashes that passwd.byname carries from shadow, travel over the network as cleartext RPC, and ypserv answers any client that can reach it and supplies the correct domain name. The /var/yp/securenets file can restrict the networks that ypserv answers, but that is the extent of the access control. If additional security is needed, such as restricting access to the network databases, protecting search results in transit with SSL, or using more advanced features such as Kerberos-secured searches, use LDAP naming services instead.

For example, when you add a new user to a network running NIS, you only have to update the input file on the master server and run the make command. This command automatically updates the passwd.byname and passwd.byuid maps. These maps are then transferred to the slave servers and are available to all of the domain's client machines and their programs. When a client machine or application requests information by user name or UID, the NIS server refers to the passwd.byname or passwd.byuid map, as appropriate, and sends the requested information to the client.

You can use the ypcat command to display the values in a map. The ypcat basic format is the following.

% ypcat mapname

where mapname is the name of the map you want to examine or its nickname. If a map is composed only of keys, as in the case of ypservers, use ypcat -k. Otherwise, ypcat prints blank lines. The ypcat(1) man page describes more options for ypcat.
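The following added example, which is not Solaris code, simulates the add-a-user-and-run-make step described above and the ypcat listing of the result. It merges constructed passwd and shadow input into passwd.byname and passwd.byuid the way the Makefile does (shadow hash into the password field, accounts below MINUID left out), then lists maps the way ypcat does, with and without -k. The sample accounts, the placeholder hashes (not real password hashes) and the ypservers contents are constructed.

```python
"""Merge passwd and shadow into NIS-style passwd.byname and passwd.byuid
maps and list them the way ypcat does. Added example, not Solaris code;
the Makefile/makedbm step is simulated with dicts. Sample input is
constructed and the hashes are placeholders, not real password hashes."""

# Constructed /etc/passwd and /etc/shadow on the NIS master. The Makefile
# merges the shadow hash into field 2 of the passwd line, because that is
# what NIS clients receive and check logins against.
PASSWD_SRC = """\
root:x:0:0:Super-User:/root:/usr/bin/bash
alice:x:1001:10:Alice Example:/export/home/alice:/usr/bin/bash
bob:x:1002:10:Bob Example:/export/home/bob:/usr/bin/bash
"""
SHADOW_SRC = """\
root:$5$placeholderroothash:16000::::::
alice:$5$placeholderalicehash:16000::::::
bob:$5$placeholderbobhash:16000::::::
"""

# Constructed ypservers map: keys only, empty values.
YPSERVERS = {"master.test.com": "", "slave1.test.com": ""}


def parse_colon_file(text):
    """Yield the field list of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")


def build_passwd_maps(passwd_text, shadow_text, min_uid=100):
    """Return {"passwd.byname": {...}, "passwd.byuid": {...}}.

    Accounts with a UID below min_uid (system accounts such as root) are
    left out, as the Makefile's MINUID filter does. Every remaining entry's
    value is the merged passwd line with the shadow hash in the password
    field, stored once under the user name and once under the UID.
    """
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text)}
    byname, byuid = {}, {}
    for f in parse_colon_file(passwd_text):
        name, uid = f[0], int(f[2])
        if uid < min_uid:
            continue
        f[1] = hashes.get(name, "*")  # no shadow entry: leave the account locked
        value = ":".join(f)
        byname[name] = value
        byuid[str(uid)] = value
    return {"passwd.byname": byname, "passwd.byuid": byuid}


def ypcat(mapdata, keys=False):
    """Lines ypcat would print for a map: values only, or "key value" with
    -k. YP_* bookkeeping entries are omitted as ypcat does. A map whose
    values are empty prints blank lines without -k, which is why ypservers
    needs ypcat -k."""
    lines = []
    for key, value in mapdata.items():
        if key.startswith("YP_"):
            continue
        lines.append((key + " " + value).rstrip() if keys else value)
    return lines


def add_user_and_remake(passwd_text, shadow_text, name, uid, hash_):
    """Simulate "add the user to the master's input files, run make":
    append the account to both sources and rebuild both maps."""
    passwd_text += f"{name}:x:{uid}:10:{name}:/export/home/{name}:/usr/bin/bash\n"
    shadow_text += f"{name}:{hash_}:16000::::::\n"
    return build_passwd_maps(passwd_text, shadow_text)


if __name__ == "__main__":
    maps = add_user_and_remake(PASSWD_SRC, SHADOW_SRC, "carol", 1003,
                               "$5$placeholdercarolhash")
    # Both maps now answer for the new user, by name and by UID.
    print(maps["passwd.byname"]["carol"])
    print(maps["passwd.byuid"]["1003"])
    # What every client (and any host that can reach ypserv with the
    # domain name) gets from "ypcat passwd": merged lines, hash included.
    print("\n".join(ypcat(maps["passwd.byname"])))
    print(ypcat(YPSERVERS))              # ['', '']: blank lines without -k
    print(ypcat(YPSERVERS, keys=True))   # ['master.test.com', 'slave1.test.com']
```

The output of ypcat(maps["passwd.byname"]) is the practitioner's reminder of what the previous section means by "no more security than the /etc files": the hash field that shadow keeps readable only by root on a single host is part of the value every NIS client receives.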

You can use the ypwhich command to determine which server is the master of a particular map. Type the following.

% ypwhich -m mapname

where mapname is the name or the nickname of the map whose master you want to find. ypwhich responds by displaying the name of the master server. For complete information, refer to the ypwhich(1) man page.

NIS Map Nicknames

Nicknames are aliases for full map names. To obtain a list of available map nicknames, such as passwd for passwd.byname, type ypcat -x or ypwhich -x.

Nicknames are stored in the /var/yp/nicknames file, which contains a map nickname followed by the fully specified name for the map, separated by a space. This list can be added to or modified. Currently, there is a limit of 500 nicknames.
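The following added example, which is not Solaris code, parses a nicknames file in the layout described above, resolves a command-line map name the way ypcat and ypwhich do (nickname if listed, otherwise taken as a full map name), enforces the 500-entry limit, and prints the list in the style of ypcat -x. The file contents are constructed; the hypothetical NicknameError and the strictness on malformed or duplicate lines are this example's choices, not documented ypcat behaviour.

```python
"""Parse a /var/yp/nicknames file and resolve map nicknames the way ypcat
and ypwhich do. Added example, not Solaris code; the file contents below
are constructed in the "nickname fullname" layout the documentation
describes."""

# Constructed nicknames file: one "nickname fullname" pair per line.
NICKNAMES_SRC = """\
passwd passwd.byname
group group.byname
networks networks.byaddr
hosts hosts.byname
protocols protocols.bynumber
services services.byname
aliases mail.aliases
ethers ethers.byname
"""

MAX_NICKNAMES = 500  # limit stated in the documentation


class NicknameError(ValueError):
    """Hypothetical error type for a nicknames file that cannot be trusted."""


def parse_nicknames(text, limit=MAX_NICKNAMES):
    """Return an ordered {nickname: fullname} dict.

    Lines are "nickname fullname" separated by whitespace; blank lines and
    lines starting with "#" are skipped. Malformed lines, duplicate
    nicknames and more than `limit` entries raise NicknameError instead of
    being silently dropped (this example's choice), so an edited file is
    checked before commands start relying on it.
    """
    table = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise NicknameError(f"line {n}: expected 'nickname fullname', got {raw!r}")
        nick, full = parts
        if nick in table:
            raise NicknameError(f"line {n}: duplicate nickname {nick!r}")
        table[nick] = full
        if len(table) > limit:
            raise NicknameError(f"line {n}: more than {limit} nicknames")
    return table


def resolve_map(name, table):
    """Map name as typed on the command line -> full map name. A name that
    is not a nickname is taken to be a full map name already, which is what
    lets "ypcat passwd.byuid" work alongside "ypcat passwd"."""
    return table.get(name, name)


def format_x(table):
    """Lines in the style of ypcat -x / ypwhich -x output."""
    return [f'Use "{nick}" for map "{full}"' for nick, full in table.items()]


if __name__ == "__main__":
    table = parse_nicknames(NICKNAMES_SRC)
    print("\n".join(format_x(table)))
    print(resolve_map("passwd", table))        # passwd.byname
    print(resolve_map("passwd.byuid", table))  # passwd.byuid
```

A nickname that points at the wrong map changes what every ypcat and ypwhich on the system returns for that short name, so when the file is edited it is worth checking the resolved full names, not just the nicknames.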