System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) Oracle Solaris 11 Express 11/10 |
Users can obtain information from and about the maps at any time by using the ypcat, ypwhich, and ypmatch commands. In the examples that follow, mapname refers both to the official name of a map and to its nickname, if any.
To list all the values in a map, type the following.
% ypcat mapname
To list both the keys and the values (if any) in a map, type the following.
% ypcat -k mapname
To list all the map nicknames, type any of the following commands.
% ypcat -x
% ypmatch -x
% ypwhich -x
To list all the available maps and their master(s), type the following.
% ypwhich -m
To list the master server for a particular map, type the following.
% ypwhich -m mapname
To match a key with an entry in a map, type the following.
% ypmatch key mapname
If the item you are looking for is not a key in a map, type the following.
% ypcat mapname | grep item
where item is the information for which you are searching. To obtain information about other domains, use the -d domainname options of these commands.
If the machine requesting information for a domain other than its default does not have a binding for the requested domain, ypbind consults the /var/yp/binding/domainname/ypservers file for a list of servers for that domain. If this file does not exist, ypbind issues an RPC broadcast for a server. In this case, there must be a server for the requested domain on the same subnet as the requesting machine.
To change the master server for a selected map, you first have to build the map on the new NIS master. Since the old master server name occurs as a key-value pair in the existing map (this pair is inserted automatically by makedbm), copying the map to the new master or transferring a copy to the new master with ypxfr is insufficient. You have to reassociate the key with the new master server name. If the map has an ASCII source file, you should copy this file to the new master.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
newmaster# cd /var/yp
newmaster# make sites.byname
newmaster# cd /var/yp
newmaster# ypcat sites.byname | makedbm - domain/sites.byname
After making the map on the new master, you must send a copy of the new map to the other slave servers. Do not use yppush, because the other slaves will try to get new copies from the old master, rather than the new one. A typical method for circumventing this is to transfer a copy of the map from the new master back to the old master. To do this, become superuser, or assume an equivalent role, on the old master server and type the following.
oldmaster# /usr/lib/netsvc/yp/ypxfr -h newmaster sites.byname
Now it is safe to run yppush. Any remaining slave servers still believe that the old master is the current master and will attempt to get the current version of the map from the old master. When clients do so, they will get the new map, which names the new master as the current master.
If this method fails, you can log in as root on each NIS server and execute the ypxfr command shown above.
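After the transfer, each server's copy of the map should carry the new master in the key-value pair that makedbm inserts. The following check is an added example, not part of the original guide: it reads makedbm -u dumps collected from several servers and reports any copy that still names another master, which would keep pulling the map from a host that is no longer authoritative. The server names and map entries are constructed samples, and the "server key value" input layout is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit the YP_MASTER_NAME pair embedded in each server's map.
# On a live server, one way to produce a line-prefixed dump is:
#   makedbm -u /var/yp/domain/sites.byname | sed "s/^/`uname -n` /"
# The input layout "server key value" is an assumption of this example.

# audit_masters EXPECTED: read prefixed dumps on stdin, print one verdict
# per server: OK, STALE <master it names>, or NO_MASTER_KEY.
audit_masters() {
    awk -v want="$1" '
        { seen[$1] = 1 }
        $2 == "YP_MASTER_NAME" { master[$1] = $3 }
        END {
            for (s in seen) {
                if (!(s in master))         print s, "NO_MASTER_KEY"
                else if (master[s] == want) print s, "OK"
                else                        print s, "STALE", master[s]
            }
        }' | sort
}

# Constructed sample: slave2 has not yet picked up the rebuilt map.
sample_dumps() {
cat <<'EOF'
newmaster YP_LAST_MODIFIED 1288000000
newmaster YP_MASTER_NAME newmaster
newmaster boston bos-gw
oldmaster YP_LAST_MODIFIED 1288000000
oldmaster YP_MASTER_NAME newmaster
oldmaster boston bos-gw
slave2 YP_LAST_MODIFIED 1280000000
slave2 YP_MASTER_NAME oldmaster
slave2 boston bos-gw
EOF
}

sample_dumps | audit_masters newmaster
```

Any server reported as STALE still needs the ypxfr -h newmaster transfer shown above.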
NIS intelligently parses the setup files. Although this makes NIS administration easier, it does make the behavior of NIS more sensitive to changes in the setup and configuration files.
Use the procedures in this section when modifying any of the following.
Adding or deleting /etc/resolv.conf to allow or deny DNS forwarding
Adding or deleting $PWDIR/security/passwd.adjunct to allow or deny C2 security ($PWDIR is defined in /var/yp/Makefile)
You do not have to stop and start NIS when changing NIS maps or the map source files.
Keep the following in mind.
Deleting a map or source file from an NIS master server does not automatically result in corresponding deletions from slave servers. You must delete maps and source files from slave servers by hand.
New maps do not automatically get pushed to existing slave servers. You must run ypxfr from the slaves.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
# svcadm disable network/nis/server
# svcadm enable network/nis/server
You can modify the Makefile provided by default in /var/yp to suit your needs. You can add or delete maps, and you can change the names of some of the directories.
Tip - Keep an unmodified copy of the original Makefile for future reference.
To add a new NIS map, you must get copies of the ndbm files for the map into the /var/yp/domainname directory on each of the NIS servers in the domain. This is normally done for you by the Makefile. After deciding which NIS server is the master of the map, modify the Makefile on the master server so that you can conveniently rebuild the map. Different servers can be masters of different maps, but in most cases this leads to administrative confusion. Try to set only one server as the master of all maps.
Typically a human-readable text file is filtered through awk, sed, or grep to make it suitable for input to makedbm. Refer to the default Makefile for examples. See the make(1S) man page for general information about the make command.
Use the mechanisms already in place in the Makefile when deciding how to create dependencies that make will recognize. Be aware that make is very sensitive to the presence or absence of tabs at the beginning of lines within the dependency rules. A missing tab can invalidate an entry that is otherwise well formed.
Adding an entry to the Makefile involves the following.
Adding the name of the database to the all rule
Writing the time rule
Adding the rule for the database
For example, in order for the Makefile to work on automounter input files, you would have to add the auto_direct.time and auto_home.time maps to the NIS database.
To add these maps to the NIS database you need to modify the Makefile.
You can change the settings of the variables defined at the top of the Makefile by changing the value to the right of the equal sign (=). For instance, if you do not want to use the files located in /etc as input for the maps, but you would rather use files located in another directory, such as /var/etc/domainname, you should change DIR from DIR=/etc to DIR=/var/etc/domainname. You should also change PWDIR from PWDIR=/etc to PWDIR=/var/etc/domainname.
The variables are the following.
DIR= The directory containing all of the NIS input files except passwd and shadow. The default value is /etc. Since it is not good practice to use the files in the master server's /etc directory as NIS input files, you should change this value.
PWDIR= The directory containing the passwd and shadow NIS input files. Since it is not good practice to use the files in the master server's /etc directory as NIS input files, you should change this value.
DOM= The NIS domain name. The default value of DOM is set using the domainname command. However, most NIS commands use the current machine's domain which is set in the machine's /etc/defaultdomain file.
The following procedure describes how to add and delete databases from the Makefile.
For more information, see How to Obtain Administrative Rights in System Administration Guide: Security Services.
all: passwd group hosts ethers networks rpc services protocols \
	netgroup bootparams aliases netid netmasks \
	audit_user auth_attr exec_attr prof_attr \
	auto_direct auto_home auto_direct.time auto_home.time
The order of the entries is not relevant, but the blank space at the beginning of the continuation lines must be a Tab, not spaces.
auto_direct: auto_direct.time
auto_home: auto_home.time
auto_direct.time: $(DIR)/auto_direct
	@(while read L; do echo $$L; done < $(DIR)/auto_direct $(CHKPIPE)) | \
	(sed -e "/^#/d" -e "s/#.*$$//" -e "/^ *$$/d" $(CHKPIPE)) | \
	$(MAKEDBM) - $(YPDBDIR)/$(DOM)/auto_direct;
	@touch auto_direct.time;
	@echo "updated auto_direct";
	@if [ ! $(NOPUSH) ]; then $(YPPUSH) auto_direct; fi
	@if [ ! $(NOPUSH) ]; then echo "pushed auto_direct"; fi
where
CHKPIPE makes certain that the operations to the left of the pipe (|) are successfully completed before piping the results to next commands. If the operations to the left of the pipe do not successfully complete, the process is terminated with a NIS make terminated message.
NOPUSH prevents the makefile from calling yppush to transfer the new map to the slave servers. If NOPUSH is not set, the push is done automatically.
The while loop at the beginning is designed to eliminate any backslash-extended lines in the input file. The sed script eliminates comment and empty lines.
The same procedure should be followed for all other automounter maps, such as auto_home, or any other nondefault maps.
# make mapname
Where mapname is the name of the map you want to make.
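Because a missing Tab can invalidate an otherwise well-formed entry, it helps to check an edited Makefile before running make. The following lint is an added example, not part of the original guide or the shipped Makefile: it flags continuation lines and command lines that begin with spaces where the text above requires a Tab. The function names and the sample Makefile fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: find lines in an NIS Makefile that start with spaces
# where a Tab is required (continuation lines and rule command lines).

# lint_tabs: read a Makefile on stdin, print "LINE: problem" per finding.
# Exit status is 1 when at least one problem was found.
lint_tabs() {
    awk '
        /^[ \t]*$/ { cont = 0; inrule = 0; next }   # blank line ends a rule
        {
            bad = ($0 ~ /^ /)                        # leading space, not Tab
            if (bad && cont) {
                print NR ": continuation line starts with spaces"; n++
            } else if (bad && inrule) {
                print NR ": command line starts with spaces"; n++
            }
            if ($0 ~ /^[^ \t#][^=]*:/) inrule = 1    # target line opens a rule
            cont = ($0 ~ /\\$/)                      # backslash continues line
        }
        END { exit (n > 0) }'
}

# Constructed sample: lines 3 and 7 were indented with spaces by mistake.
sample_makefile() {
    printf 'all: passwd group hosts \\\n'
    printf '\tnetgroup bootparams \\\n'
    printf '    auto_direct auto_home\n'
    printf '\n'
    printf 'auto_direct.time: $(DIR)/auto_direct\n'
    printf '\t@touch auto_direct.time;\n'
    printf '        @echo "updated auto_direct";\n'
}

sample_makefile | lint_tabs || echo "fix the lines above before running make"
```

To check the real file, run lint_tabs < /var/yp/Makefile.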
If you do not want the Makefile to produce maps for a specific database, edit the Makefile as follows.
For example, to delete the hosts database, the hosts.time entry should be removed.
For example, to delete the hosts database, the hosts: hosts.time entry should be removed.