This part introduces the naming and directory services for the Solaris Operating Environment. It also describes the nsswitch.conf file that you use to coordinate the use of the different services.
This chapter provides an overview of namespaces and naming services are and what they do. This chapter also briefly describes in brief the Solaris naming services: DNS, NIS, NIS+ and LDAP naming services. See System Administration Guide: Naming and Directory Services (FNS and NIS+) for detailed information about NIS+ and FNS.
Naming services store information in a central place, which enables users, machines, and applications to communicate across the network. This information can include the following.
Machine (host) names and addresses
User names
Passwords
Access permissions
Group membership, printers, and so on
Without a central naming service, each machine would have to maintain its own copy of this information. naming service information can be stored in files, maps, or database tables. Centrally locating this data makes it easier to administer large networks.
Naming services are fundamental to any computing network. Among other features, naming service provide functionality that does the following.
Associates (binds) names with objects
Resolves names to objects
Removes bindings
Lists names
Renames
A network information service enables machines to be identified by common names instead of numerical addresses. This makes communication simpler because users do not have to remember and try to enter cumbersome numerical addresses like 192.168.00.00.
For example, take a network of three machines named, pine, elm, and oak. Before pine can send a message to either elm or oak, it must know their numerical network addresses. For this reason, it keeps a file, /etc/hosts or /etc/inet/ipnodes, that stores the network address of every machine in the network, including itself.
Likewise, in order for elm and oak to communicate with pine or with each other, they must keep similar files.
In addition to addresses, machines store security information, mail data, information about their Ethernet interfaces, network services, groups of users allowed to use the network, services offered on the network, and so on. As networks offer more services, the list grows. As a result, each machine might need to keep an entire set of files similar to /etc/hosts or /etc/inet/ipnodes.
As this information changes, administrators must keep it current on every machine in the network. In a small network, this is tedious. On a medium or large network, the job becomes not only time-consuming but nearly unmanageable.
A network information service solves this problem. It stores network information on a server, which provides the information to any machine that queries it.
The machines are known as clients of the server. The following figure illustrates the client-server arrangement. Whenever information about the network changes, instead of updating each client's local file, an administrator updates only the information stored by the network information service. This reduces errors, inconsistencies between clients, and the sheer size of the task.
This arrangement, of a server providing centralized services to clients across a network, is known as client-server computing.
Although the main purpose of a network information service is to centralize information, another is to simplify network names. For example, assume your company has set up a network and connected it to the Internet. The Internet has assigned your network the network number 192.68.0.0 and the domain name doc.com. Your company has two divisions, Sales and Manufacturing (Manf), so its network is divided into a main net and two subnets, one for each division. Each net has its own address.
Each division could be identified by its network address, as shown above, but descriptive names made possible by naming services would be preferable.
Instead of addressing mail or other network communications to 129.44.1.0, they could be addressed to doc. Instead of addressing them to 192.68.2.0 or 192.68.3.0, they could be addressed to sales.doc or manf.doc.
Names are also more flexible than physical addresses. Physical networks tend to remain stable, but the organizations that use them tend to change. A network information service can act as a buffer between an organization and its physical network, as it is mapped and not hard-wired to it.
For example, assume that the doc.com network is supported by three servers, S1, S2, and S3, and that two of those servers, S1 and S3, support clients.
Clients C1, C2, and C3 would obtain their network information from server S1. Clients C4, C5, and C6 would obtain it from server S3. The resulting network is summarized in the following table. (The table is a generalized representation of that network but does not resemble an actual network information map.)
Table 1–1 Representation of doc.com Network
Network Address |
Network Name |
Server |
Clients |
---|---|---|---|
192.68.1.0 |
doc |
S1 |
|
192.68.2.0 |
sales.doc |
S2 |
C1, C2, C3 |
192.68.3.0 |
manf.doc |
S3 |
C4, C5, C6 |
Now assume that you create a third division, Testing, which borrowed some resources from the other two divisions, but did not create a third subnet. The physical network would then no longer parallel the corporate structure.
Traffic for the Test Division would not have its own subnet, but would instead be split between 192.68.2.0 and 192.68.3.0. However, with a network information service, the Test Division traffic could have its own dedicated network.
Thus, when an organization changes, its network information service can change its mapping as shown here.
Now clients C1 and C2 would obtain their information from server S2 and C3, C4 and C5 from server S3.
Subsequent changes in your organization would continue to be accommodated by changes to the “soft” network information structure without reorganizing the “hard” network structure.
The Solaris operating environment provides the following naming services.
DNS, the Domain Name System (see DNS)
/etc files, the original naming system (see /etc Files)
NIS, the Network Information Service (see NIS)
NIS+, the Network Information Service Plus (see System Administration Guide: Naming and Directory Services (FNS and NIS+))
FNS, the Federated Naming Service (see System Administration Guide: Naming and Directory Services (FNS and NIS+)
Most modern networks use two or more of these services in combination. When more than one service is used, they are coordinated by the nsswitch.conf file which is discussed in Chapter 2, The Name Service Switch (Overview).
DNS is the naming service provided by the Internet for TCP/IP networks. It was developed so that machines on the network could be identified with common names instead of Internet addresses. DNS performs naming between hosts within your local administrative domain and across domain boundaries.
The collection of networked machines that use DNS are referred to as the DNS namespace. The DNS namespace can be divided into a hierarchy of domains. A DNS domain is a group of machines. Each domain is supported by two or more name servers, a principal server and one or more secondary servers. Each server implements DNS by running a daemon called in.named. On the client's side, DNS is implemented through the “resolver.” The resolver's function is to resolve users' queries. It queries a name server, which then returns either the requested information or a referral to another server.
The original host-based UNIX naming system was developed for standalone UNIX machines and then adapted for network use. Many old UNIX operating systems and machines still use this system, but it is not well suited for large complex networks.
The Network Information Service (NIS) was developed independently of DNS and has a slightly different focus. Whereas DNS focuses on making communication simpler by using machine names instead of numerical IP addresses, NIS focuses on making network administration more manageable by providing centralized control over a variety of network information. NIS stores information about machine names and addresses, users, the network itself, and network services. This collection of network information is referred to as the NIS namespace.
NIS namespace information is stored in NIS maps. NIS maps were designed to replace UNIX /etc files, as well as other configuration files, so they store much more than names and addresses. As a result, the NIS namespace has a large set of maps. See Working With NIS Maps for more information.
NIS uses a client-server arrangement similar to DNS. Replicated NIS servers provide services to NIS clients. The principal servers are called master servers, and for reliability, they have backup, or slave servers. Both master and slave servers use the NIS information retrieval software and both store NIS maps. For more information on NIS Architecture and NIS Administration, see Chapter 8, Setting Up and Configuring NIS Service and Chapter 9, Administering NIS (Tasks).
The Network Information Service Plus (NIS+) is similar to NIS but with many more features. NIS+ is not an extension of NIS. It is a different software program.
The NIS+ naming service is designed to conform to the shape of the organization that installs it for almost any network configuration. Unlike NIS, the NIS+ namespace is dynamic because updates can occur and be put into effect at any time by any authorized user.
NIS+ enables you to store information about machine addresses, security information, mail information, Ethernet interfaces, and network services in central locations where all machines on a network can have access to it. This configuration of network information is referred to as the NIS+ namespace.
The NIS+ namespace is hierarchical and is similar in structure to the UNIX directory file system. The hierarchical structure allows an NIS+ namespace to be configured to conform to the logical hierarchy of an organization. The namespace's layout of information is unrelated to its physical arrangement. Thus, an NIS+ namespace can be divided into multiple domains that can be administered autonomously. Clients might have access to information in other domains in addition to their own if they have the appropriate permissions.
NIS+ uses a client-server model to store and have access to the information contained in an NIS+ namespace. Each domain is supported by a set of servers. The principal server is called the primary server and the backup servers are called secondary servers. The network information is stored in 16 standard NIS+ tables in an internal NIS+ database. Both primary and secondary servers run NIS+ server software and both maintain copies of NIS+ tables. Changes made to the NIS+ data on the master server are incrementally propagated automatically to the secondary servers.
NIS+ includes a sophisticated security system to protect the structure of the namespace and its information. It uses authentication and authorization to verify whether a client's request for information should be fulfilled. Authentication determines whether the information requester is a valid user on the network. Authorization determines whether a particular user is allowed to have or modify the information requested. See System Administration Guide: Naming and Directory Services (FNS and NIS+) for a more detailed description of NIS+ security and administering it.
See System Administration Guide: Naming and Directory Services (FNS and NIS+) for information about FNS.
Solaris 9 supports LDAP (Lightweight Directory Access Protocol) in conjunction with the iPlanetTM Directory Server 5.1, as well as other LDAP Directory Servers.
See Chapter 12, Introduction to the LDAP Naming Service (Overview/Reference) for more information.
|
DNS |
NIS |
NIS+ |
FNS |
LDAP |
---|---|---|---|---|---|
NAMESPACE |
Hierarchical |
Flat |
Hierarchical |
Hierarchical |
Hierarchical |
DATA STORAGE |
Files/ resource records |
2 column maps |
Multi-columned tables |
Maps |
Directories [varied] |
SERVER NAMES |
Master/slave |
Master/slave |
Root master/non-root master primary/secondary cache/stub |
N/A |
Master/replica |
SECURITY |
SSL |
None (root or nothing) |
DES Authentication |
None (root or nothing) |
SSL |
TRANSPORT |
TCP/IP |
LAN |
LAN |
LAN |
TCP/IP |
SCALE |
Global |
LAN |
LAN |
Global (w/ DNS)/LAN |
Global |
This chapter describes the name service switch, what it does, and how clients use it to obtain naming information from one or more sources. You use the name service switch to coordinate usage of different naming services.
The name service switch is a file named nsswitch.conf(4). It controls how a client machine or application obtains network information. It is used by client applications that call any of the getXbyY() interfaces such as the following.
Each machine has a switch file in its /etc directory. Each line of that file identifies a particular type of network information, such as host, password, and group, followed by one or more sources where the client is to look for that information.
A client can obtain naming information from one or more of the switch's sources. For example, an NIS+ client could obtain its hosts information from an NIS+ table and its password information from a local /etc file. In addition, it could specify the conditions under which the switch must use each source. See Table 2–1.
The Solaris operating environment automatically loads an nsswitch.conf file into every machine's /etc directory as part of the installation process. Four alternate (template) versions of the switch file are also loaded into /etc for LDAP, NIS, NIS+, or files. See The nsswitch.conf Template Files.
These four files are alternate default switch files. Each one is designed for a different primary naming service: /etc files, NIS, NIS+, or LDAP. When the Solaris software is first installed on a machine, the installer selects the machine's default naming service: NIS+, NIS, local files, or LDAP. During installation, the corresponding template file is copied to nsswitch.conf. For example, for a machine client using LDAP, the installation process copies nsswitch.ldap to nsswitch.conf. Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation.
No default file is provided for DNS or IPv6, but you can edit any of these files to use DNS or IPv6. See DNS and Internet Access or IPv6 and Solaris Naming Services.
If you later change a machine's primary naming service, you copy the appropriate alternate switch file to nsswitch.conf. See The nsswitch.conf Template Files. You can also change the sources of particular types of network information used by the client by editing the appropriate lines of the /etc/nsswitch.conf file. The syntax for doing this is described below, and additional instructions are provided in Modifying the name service switch.
The nsswitch.conf file is essentially a list of 16 types of information and the sources that getXXbyYY() routines search for that information. The 16 types of information, not necessarily in this order, are the following.
aliases
bootparams
ethers
group
hosts
ipnodes
netgroup
netmasks
networks
passwd (includes shadow information)
protocols
publickey
rpc
services
automount
sendmailvars
The following table provides a description of the kind of sources that can be listed in the switch file for the information types above.
Table 2–1 Switch File Information Sources
Information Sources |
Description |
---|---|
files |
A file stored in the client's /etc directory. For example, /etc/passwd |
nisplus |
An NIS+ table. For example, the hosts table. |
nis |
An NIS map. For example, the hosts map. |
compat |
Compat can be used for password and group information to support old-style + or - syntax in /etc/passwd, /etc/shadow, and /etc/group files. |
dns |
Can be used to specify that host information be obtained from DNS. |
ldap |
Can be used to specify entries be obtained from the LDAP directory. |
Single Source. If an information type has only one source, such as nisplus a routine using the switch searches for the information in that source only. If it finds the information, it returns a success status message. If it does not find the information, it stops searching and returns a different status message. What the routine does with the status message varies from routine to routine.
Multiple Sources. If a table has more than one source for a given information type, the switch directs the routine to start searching for the information in the first source that is listed. If it finds the information, it returns a success status message. If it does not find the information in the first source, it tries the next source. The routine will search through all of the sources until it has found the information it needs, or it is halted by encountering a return specification. If all of the listed sources are searched without finding the information, the routine stops searching and returns a non-success status message.
If a routine finds the information, it returns a success status message. If it does not find the information for which it is looking, it returns one of three unsuccessful status messages, depending on the reason for not finding the information. Possible status messages are listed in the following table.
Table 2–2 Switch Search Status Messages
Status Message |
Meaning of Message |
---|---|
SUCCESS |
The requested entry was found in the specified source. |
UNAVAIL |
The source is not responding or is unavailable. That is, the NIS+ table, or NIS map, or /etc file could not be found or accessed. |
NOTFOUND |
The source responded with "No such entry." In other words, the table, map, or file was accessed but it did not contain the needed information. |
TRYAGAIN |
The source is busy; it might respond next time. In other words, the table, map, or file was found, but it could not respond to the query. |
You can instruct the switch to respond to status messages with either of these two actions shown in the following table.
Table 2–3 Responses to Switch Status Messages
Action |
Meaning |
---|---|
return |
Stop looking for the information. |
continue |
Try the next source, if there is one. |
The combination of nsswitch.conf file status message and action option determines what the routine does at each step. This combination of status and action is called the search criteria.
The switch's default search criteria are the same for every source. Described in terms of the status messages listed above, they are the following.
SUCCESS=return. Stop looking for the information and proceed using the information that has been found
UNAVAIL=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status
NOTFOUND=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status
TRYAGAIN=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status
Because these are the default search criteria, they are assumed. That is, you do not have to explicitly specify them in the switch file. You can change these default search criteria by explicitly specifying some other criteria using the STATUS=action syntax show above. For example, the default action for a NOTFOUND condition is to continue the search to the next source. To specify that for a particular type of information, such as networks, the search is to halt on a NOTFOUND condition, you would edit the networks line of the switch file to read as follows.
networks: nis [NOTFOUND=return] files |
The networks: nis [NOTFOUND=return] files line specifies a non-default criterion for the NOTFOUND status. Non-default criteria are delimited by square brackets.
In this example, the search routine behaves as follows
If the networks map is available and contains the needed information, the routine returns with a SUCCESS status message
If the networks map is not available, the routine returns with an UNAVAIL status message and by default continues on to search the appropriate /etc file
If the networks map is available and found, but it does not contain the needed information, the routine returns with a NOTFOUND message. But, instead of continuing on to search the appropriate /etc file, which would be the default behavior, the routine stops searching
If the networks map is busy, the routine returns with an TRYAGAIN status message and by default continues on to search the appropriate /etc file
Client library routines contain compiled-in default entries that are used if an entry in the nsswitch.conf file is either missing or syntactically incorrect. These entries are the same as the switch file's defaults.
The name service switch assumes that the spelling of table and source names is correct. If you misspell a table or source name, the switch uses default values.
The switch search criteria for the auto_home and auto_master tables and maps is combined into one category called automount.
The timezone table does not use the switch, so it is not included in the switch file's list.
Any nsswitch.conf file line beginning with a comment character (#) is interpreted as a comment line and is ignored by routines that search the file.
When a comment character (#) is included in the middle of the line, characters preceding the comment mark are interpreted by routines that search the nsswitch.conf file. Characters to the right of the comment mark are interpreted as comments and ignored.
Table 2–4 Switch File Comment Examples
Type of Line |
Example |
---|---|
Comment line (not interpreted). |
# hosts: nisplus [NOTFOUND=return] files |
Fully interpreted line. |
hosts: nisplus [NOTFOUND=return] file |
Partially interpreted line (the files element not interpreted) |
hosts: nisplus [NOTFOUND=return] # files |
You must restart the keyserver after you make a change to nsswitch.conf
The keyserver reads the publickey entry in the name service switch configuration file only when the keyserver is started. As a result, if you change the switch configuration file, the keyserver does not become aware of changes to the publickey entry until it is restarted.
Four nsswitch.conf(4) template files are provided with the Solaris operating environment to accommodate different naming services. Each of them provides a different default set of primary and subsequent information sources.
The four template files are the following.
LDAP template file. The nsswitch.ldap configuration file specifies the LDAP directory as the primary source of information for the machine.
In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See Chapter 16, Client Setup (Task) for more information.
NIS+ template file. The nsswitch.nisplus configuration file specifies NIS+ as the primary source for all information except passwd, group, automount, and aliases. For those four files, the primary source is local /etc files and the secondary source is an NIS+ table. The [NOTFOUND=return] search criterion instructs the switch to stop searching the NIS+ tables if it receives a “No such entry” message from them. It searches through local files only if the NIS+ server is unavailable
NIS template file. The nsswitch.nis configuration file is almost identical to the NIS+ configuration file, except that it specifies NIS maps in place of NIS+ tables. Because the search order for passwd and group is files nis, you don't need to place the + entry in the /etc/passwd and /etc/group files
Files template file. The nsswitch.files configuration file specifies local /etc files as the only source of information for the machine. There is no “files” source for netgroup, so the client will not use that entry in the switch file
Copy the template file that most closely meets your requirements to thensswitch.conf configuration file and then modify the file as needed.
For example, to use the LDAP template file, you would type the following command.
mymachine# cp nsswitch.ldap nsswitch.conf
The following are the four switch files supplied with Solaris operating environment.
# # # /etc/nsswitch.nisplus: # # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS+ (NIS Version 3) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nisplus group: files nisplus # consult /etc "files" only if nisplus is down. hosts: nisplus [NOTFOUND=return] files # Uncomment the following line, and comment out the above, to use # both DNS and NIS+. You must also set up the /etc/resolv.conf # file for DNS name server lookup. See resolv.conf(4). # hosts: nisplus dns [NOTFOUND=return] files services: nisplus [NOTFOUND=return] files networks: nisplus [NOTFOUND=return] files protocols: nisplus [NOTFOUND=return] files rpc: nisplus [NOTFOUND=return] files ethers: nisplus [NOTFOUND=return] files netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files publickey: nisplus netgroup: nisplus automount: files nisplus aliases: files nisplus sendmailvars: files nisplus |
# # /etc/nsswitch.nis: # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS (YP) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nis group: files nis # consult /etc "files" only if nis is down. hosts: nis [NOTFOUND=return] files networks: nis [NOTFOUND=return] files protocols: nis [NOTFOUND=return] files rpc: nis [NOTFOUND=return] files ethers: nis [NOTFOUND=return] files netmasks: nis [NOTFOUND=return] files bootparams: nis [NOTFOUND=return] files publickey: nis [NOTFOUND=return] files netgroup: nis automount: files nis aliases: files nis # for efficient getservbyname() avoid nis services: files nis sendmailvars: files |
# # /etc/nsswitch.files: # # An example file that could be copied over to /etc/nsswitch.conf; # it does not use any naming service. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. passwd: files group: files hosts: files networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files # At present there isn't a 'files' backend for netgroup; # the system will figure it out pretty quickly, and will notuse # netgroups at all. netgroup: files automount: files aliases: files services: files sendmailvars: files |
# # /etc/nsswitch.ldap: # # An example file that could be copied over to /etc/nsswitch.conf; it # uses LDAP in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. passwd: files ldap group: files ldap hosts: ldap [NOTFOUND=return] files networks: ldap [NOTFOUND=return] files protocols: ldap [NOTFOUND=return] files rpc: ldap [NOTFOUND=return] files ethers: ldap [NOTFOUND=return] files netmasks: ldap [NOTFOUND=return] files bootparams: ldap [NOTFOUND=return] files publickey: ldap [NOTFOUND=return] files netgroup: ldap automount: files ldap aliases: files ldap # for efficient getservbyname() avoid ldap services: files ldap sendmailvars: files |
The default nsswitch.conf file that is installed when you install the Solaris operating environment for the first time is determined by which naming service you select during the Solaris software installation process. Each line of that file identifies a particular type of network information, such as host, password, and group, followed by one or more sources, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc, where the client is to look for that information. When you chose a naming service, the switch template file for that service is copied to create the new nsswitch.conf file. For example, if you choose NIS+, the nsswitch.nisplus file is copied to create a new nsswitch.conf file.
An /etc/nsswitch.conf file is automatically loaded into every machine's /etc directory by the Solaris 9release software, along with the following alternate (template) versions.
These alternate template files contain the default switch configurations used by the NIS+ and NIS services, local files, and LDAP. No default file is provided for DNS, but you can edit any of these files to use DNS. See Chapter 5, DNS Administration (Reference). When the Solaris operating environment is first installed on a machine, the installer selects the machine's default naming service: NIS+, NIS, local files, or LDAP. During installation, the corresponding template file is copied to /etc/nsswitch.conf. For example, for a machine client using NIS+, the installation process copies nsswitch.nisplus to nsswitch.conf.
If your network is connected to the Internet and you want users to be able to access Internet hosts using DNS, you must enable DNS forwarding.
Unless you have an unusual namespace, the default template file as copied to nsswitch.confshould be sufficient for normal operation.
When you change a machine's naming service, you need to modify that machine's switch file accordingly. For example, if you change a machine's naming service from NIS to NIS+, you need to install a switch file appropriate for NIS+. You change switch files by copying the appropriate template file to nsswitch.conf.
If you are installing NIS+ on a machine using the NIS+ installation scripts, the NIS+ template script is copied to nsswitch.conf for you. In this case, you do not have to configure the switch file unless you want to customize it.
Before proceeding to change switch files, make sure the sources listed in the file are properly set up. In other words, if you are going to select the NIS+ version, the client must eventually have access to NIS+ service; if you are going to select the local files version, those files must be properly set up on the client.
To change to a switch file, follow these steps.
Become superuser.
Copy the alternate file appropriate for the machine's naming service over the nsswitch.conf file.
NIS+ Version (done automatically for you by NIS+ scripts)
client1# cd /etc
client1# cp nsswitch.nisplus nsswitch.conf
NIS Version
client1# cd /etc
client1# cp nsswitch.nis nsswitch.conf
Local /etc Files Version
client# cd /etc
client# cp nsswitch.files nsswitch.conf
Reboot the machine.
The nscd naming service cache daemon caches switch information. Some library routines do not periodically check the nsswitch.conf file to see whether it has been changed. You must reboot the machine to make sure that the daemon and those routines have the latest information in the file.
In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See for Chapter 16, Client Setup (Task) more information.
The nsswitch.conf file also controls DNS forwarding for clients as described in the following subsections. DNS forwarding grants Internet access to clients. For information on how to set DNS forwarding for NIS and NIS+, see System Administration Guide: Naming and Directory Services (FNS and NIS+).
DNS and LDAP are IPv6 “compatible” in the sense that one can store IPv6 addresses. However, as of Solaris 9, one cannot use an IPv6 transport for client-server DNS or LDAP traffic. The LDAP naming service cannot yet function on an IPv6–only network.
NIS and NIS+ support storing IPv6 data, as well as using IPv6 transports for NIS/NIS+ protocol traffic.
The nsswitch.conf file controls search criteria for IPv6 addresses. IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy and provide a greater number of addressable nodes. For more information about IPv6, its configuration and implementation, see System Administration Guide: IP Services.
Use the new ipnodes source for IPv6 addresses. The /etc/inet/ipnodes file stores both IPv4 and IPv6 addresses. The /etc/inet/ipnodes file uses the same format convention as the /etc/hosts file.
IPv6 aware naming services use the new ipnodes source for its search forwarding. For instance, if LDAP is aware of IPv6 addresses, specify the following.
ipnodes: ldap [NOTFOUND=return] files |
ipnodes defaults to files. During the transition from IPv4 to IPv6, where all naming services are not aware of IPv6 addresses, accept the files default. Otherwise, unnecessary delays (such as boot timing delays) might result during the resolution of addresses.
An application searches all ipnodes databases for IPv4 addresses before searching for IPv4 addresses in the hosts databases. Before specifying ipnodes, consider the inherent delay of searching both databases for IPv4 addresses.
If +/- is used in /etc/passwd, /etc/shadow, and /etc/group files, you will need to modify the nsswitch.conffile to insure compatibility.
NIS+. To provide +/- semantics with NIS+, change the passwd and groups sources to compat and add a passwd_compat: nisplus entry to the nsswitch.conf file after the passwd or group entry as shown below.
passwd: compat passwd_compat: nisplus group: compat group_compat: nisplus |
The above specifies that client routines obtain their network information from /etc files and NIS+ tables as indicated by the +/- entries in the files.
NIS. To provide the same syntax as in the Sun Operating Environment 4.x release, change the passwd and groups sources to compat.
passwd: compat group: compat |
This specifies that /etc files and NIS maps as indicated by the +/- entries in the files.
Users working on a client machine being served by an NIS+ server running in NIS compatibility mode cannot run ypcat on the netgroup table. Doing so will give you results as if the table were empty even if it has entries.
files should be the first source in the nsswitch.conf file for passwd information. If files is not the first source, network security could be weakened and users could encounter log in difficulty.
For example, in an NIS+ environment, the passwd line of the nsswitch.conf file should look like the following.
passwd: files nisplus |
In an NIS environment, the passwd line of the nsswitch.conf file should look like the following.
passwd: files nis |