The following information describes how to debug issues with the Network Information Service (NIS) (pronounced "niss" in this guide). Before attempting to debug a NIS server or a client problem, review Chapter 5, About the Network Information Service in Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS.
This section contains the following topics:
The following are common symptoms of NIS binding problems:
Commands on a client limp along in background mode or function much slower than normal.
Commands on a client crash with obscure messages or no messages at all.
If only one or two clients are experiencing symptoms that indicate NIS binding difficulty, the problems probably are on those clients. However, if many NIS clients are failing to bind properly, the problem probably exists on one or more of the NIS servers. See Troubleshooting NIS Issues That Affect Multiple Clients.
The following are common NIS issues that affect a single client:
ypbind daemon not running on the NIS client
One client has problems, but the other clients on the same subnet are operating normally. On the problem client, run the ls –l command on a directory that contains files that are owned by many users (such as /usr), including files that are not in the client /etc/passwd file. If the resulting display lists file owners who are not in the local /etc/passwd file as numbers rather than names, the NIS service is not working on the client.
These symptoms usually indicate that the client's ypbind process is not running. Verify whether the NIS client services are running as follows:
client# svcs \*nis\* STATE STIME FMRI disabled Sep_01 svc:/network/nis/domain:default disabled Sep_01 svc:/network/nis/client:default
If the services are in a disabled state, log in and become the root role, then start the NIS client service as follows:
client# svcadm enable network/nis/domain client# svcadm enable network/nis/client
Missing or incorrect domain name
One client has problems and other clients are operating normally, but the ypbind daemon is running on that client. In this case, the client might have an incorrectly set domain.
Run the domainname command on the client to determine which domain name is set:
client# domainname example.com
Compare the output with the actual domain name in the /var/yp directory on the NIS master server. As shown in the following example, the actual NIS domain is shown as a subdirectory in the /var/yp directory:
client# ls -l /var/yp -rwxr-xr-x 1 root Makefile drwxr-xr-x 2 root binding drwx------ 2 root example.com
If the domain name that is displayed in the output of the domainname command on the client is not the same as the server domain name that is listed as a subdirectory in the /var/yp directory, the domain name in the config/domain property of the nis/domain service is incorrect. Reset the NIS domain name. For instructions, see How to Set a System’s NIS Domain Name in Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS.
NIS Client not bound to server
If your domain name is set correctly and the ypbind daemon is running, yet commands still hang, make sure that the client is bound to a server by running the ypwhich command. If you have just started the ypbind daemon, then run the ypwhich command. You might need to run the ypwhich command several times. Typically, the first time you run the command, it reports that the domain is not bound. The second time you run the command, it should proceed normally.
No NIS server available
If your domain name is set correctly and the ypbind daemon is running, but you receive messages indicating the client cannot communicate with the server, check the following:
Does the client have a /var/yp/binding/domainname/ypservers file that contains a list of NIS servers to bind to? To view the selected NIS servers, use the svcprop –p config/ypservers nis/domain command. If not, run the ypinit –c command to specify which NIS servers this client should bind to, in order of preference.
If the client does have a /var/yp/binding/domainname/ypservers file, are there enough servers listed, in case one or two servers become unavailable? To view the selected NIS servers, use the svcprop –p config/ypservers nis/domain command. If not, add additional servers to the list by running the ypinit –c command.
Do the selected NIS servers have entries in the /etc/inet/hosts file? To view the selected NIS servers, use the svcprop –p config/ypservers nis/domain command. If these servers are not in the local /etc/inet/hosts file, add the servers to the hosts NIS maps and rebuild your maps by running the ypinit –c or ypinit –s command. For information, see Working With NIS Maps in Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS.
Is the name service switch set up to check the system's local hosts file, in addition to NIS? For more information, see Chapter 2, About the Name Service Switch in Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS.
Is the name service switch set up to check files first for services and then rpc?
ypwhich displays are inconsistent
If you run the ypwhich command several times on the same NIS client, the resulting display varies because the NIS server changes. This behavior is normal. The binding of the NIS client to the NIS server changes over time when the network or the NIS servers are busy. Whenever possible, the network becomes stable at the point when all clients receive an acceptable response time from the NIS servers. As long as the client receives the NIS service, it does not matter where the service comes from. For example, one NIS server can receive NIS services from another NIS server on the network.
What to do when server binding is not possible
When local server binding is not possible, use the ypset option with the ypbind command to temporarily allow binding to another server on another network or subnet, if available. Note that to use the –ypset option, you must start the ypbind daemon by using either the –ypset or –ypsetme option. See the ypbind(8) man page.
# /usr/lib/netsvc/yp/ypbind -ypset
Caution - For security reasons, using the –ypset or –ypsetme option is not recommended. Only use these options for debugging purposes under controlled circumstances. Using the –ypset or –ypsetme option can result in serious security breaches. While the daemons are running, anyone can alter server bindings, which can permit unauthorized access to sensitive data. If you must start the ypbind daemon by using either of these options, kill the ypbind process after you have corrected the problem, then restart it without specifying these options. Restart the ypbind daemon as follows:
# svcadm enable -r svc:/network/nis/client:defaultSee the ypset(8) man page.
ypbind daemon crashes
If the ypbind daemon crashes almost immediately each time you start it, look for a problem in the svc:/network/nis/client:default service log. Check the rpcbind daemon as follows:
% ps -e |grep rpcbind
From a system that is functioning normally, you can communicate with the rpcbind daemon on the problematic client.
Run the following command from a functioning system:
% rpcinfo client
If the rpcbind daemon on the problematic system is fine, the following output is displayed:
program version netid address service owner 100007 3 udp6 ::.191.161 ypbind 1 100007 3 tcp6 ::.135.200 ypbind 1 100007 3 udp 0.0.0.0.240.221 ypbind 1 100007 2 udp 0.0.0.0.240.221 ypbind 1 100007 1 udp 0.0.0.0.240.221 ypbind 1 100007 3 tcp 0.0.0.0.250.107 ypbind 1 100007 2 tcp 0.0.0.0.250.107 ypbind 1 100007 1 tcp 0.0.0.0.250.107 ypbind 1 100007 3 ticlts 2\000\000\000 ypbind 1 100007 2 ticlts 2\000\000\000 ypbind 1 100007 3 ticotsord 9\000\000\000 ypbind 1 100007 2 ticotsord 9\000\000\000 ypbind 1 100007 3 ticots @\000\000\000 ypbind 1 ...
If no addresses are displayed (your system will have different addresses), the ypbind daemon was unable to register its services. Reboot the system and run the rpcinfo command again. If the ypbind processes are there and they change each time you attempt to restart the NIS service, reboot the system, even if the rpcbind daemon is running.
If only one or two clients are experiencing symptoms that indicate NIS binding difficulty, the problems probably are on those clients. See Troubleshooting Issues That Affect a Single NIS Client. However, if several NIS clients are failing to bind properly, the problem most likely exists on one or more of the NIS servers.
The following are common NIS issues that can affect multiple clients:
rpc.yppasswdd considers a non-restricted shell that begins with r to be restricted
To resolve this problem, do the following:
Create a /etc/default/yppasswdd file that contains a special string: "check_restricted_shell_name=1".
If the "check_restricted_shell_name=1" string is commented out, the r check does not occur.
Network or servers unreachable
NIS can hang if the network or NIS servers are so overloaded that the ypserv daemon cannot receive a response back from the client's ypbind process within the timeout period. NIS can also hang if the network is down.
Under both of these circumstances, every client that is on the network experiences the same or similar problems. In most cases, the condition is temporary. The messages usually go away when the NIS server reboots and restarts the ypserv daemon, when the load on the NIS servers or the network decreases, or when the network resumes normal operations.
Make sure the servers are up and running. If you are not physically near the servers, use the ping command to determine if the server is reachable.
NIS daemons not running
If the servers are up and running, try to find a client that is behaving normally and run the ypwhich command on it. If the ypwhich command does not respond, kill it. Then, become the root role on the NIS server and check whether the NIS process is running as follows:
# ptree |grep ypbind 100759 /usr/lib/netsvc/yp/ypbind -broadcast 527360 grep yp
If neither the ypserv daemon (NIS server) nor the ypbind daemon (NIS client) daemons are running, restart them as follows:
# svcadm restart network/nis/client
If both the ypserv and ypbind processes are running on the NIS server, then run the ypwhich command. If the command does not respond, the ypserv daemon is probably hung and should be restarted.
On the server, restart the NIS service as follows:
# svcadm restart network/nis/server
Servers have different versions of a NIS map
Because NIS propagates maps among servers, occasionally you might find different versions of the same map on various NIS servers that are on the network. This version discrepancy is normal and acceptable if the differences do not last too long.
The most common cause of map discrepancy is when normal map propagation is prevented. For example, a NIS server or router that is located between NIS servers is down. When all NIS servers and the routers between them are running, the ypxfr command should succeed.
If the servers and routers are functioning properly, proceed as follows:
Check the ypxfr log output. See Example 26, Logging ypxfr Command Output.
Check the svc:/network/nis/xfr:default log file for errors.
Check the crontab file and yupxfr shell script.
Check the ypservers map on the master server.
ypserv process crashes
When the ypserv process crashes almost immediately and does not stay up even after repeated activations, the debugging process is virtually the same as the debugging process for ypbind crashes.
First, run the following command to see if any errors are being reported:
# svcs -vx nis/server
Check for the existence of the rpcbind daemon as follows:
# ptree |grep rpcbind
Reboot the server if you do not find the daemon. Otherwise, if the daemon is running, run the following command and look for similar output:
# rpcinfo -p ypserver
program vers proto port service 100000 4 tcp 111 portmapper 100000 3 tcp 111 portmapper 100068 2 udp 32813 cmsd ... 100007 1 tcp 34900 ypbind 100004 2 udp 731 ypserv 100004 1 udp 731 ypserv 100004 1 tcp 732 ypserv 100004 2 tcp 32772 ypserv
In the previous example, the following four entries represent the ypserv process:
100004 2 udp 731 ypserv 100004 1 udp 731 ypserv 100004 1 tcp 732 ypserv 100004 2 tcp 32772 ypserv
If there are no entries, and ypserv is unable to register its services with rpcbind, reboot the system. If there are entries, deregister the service from rpcbind before restarting ypserv. For example, you can deregister the service from rpcbind as follows:
# rpcinfo -d number 1 # rpcinfo -d number 2
number is the ID number that is reported by rpcinfo (100004 in the preceding example).
If a particular slave server has problems updating the maps, log in to that server and run the ypxfr command interactively.
If the command fails, a message about why it failed is displayed to enable you to fix the problem. If the command succeeds, but you suspect it has occasionally failed, create a log file on the slave server to enable the logging of messages as follows:
ypslave# cd /var/yp ypslave# touch ypxfr.log
The output of the log file resembles the output of the ypxfr command when you run it interactively, with the exception that each line in the log file is time stamped. If you notice unusual ordering in the timestamps that is because it shows each time that the ypxfr command was actually run. If copies of ypxfr ran simultaneously but took differing amounts of time to finish, each copy might write a summary status line to the log file in a different order than when the command was run. Any pattern of intermittent failure shows up in the log.
Check the crontab file and ypxfr shell script.
Inspect the root crontab file and check the ypxfr shell script that it invokes. Typographical errors in these files can cause propagation problems. Failures to refer to a shell script within the /var/spool/cron/crontabs/root file or failures to refer to a map within any shell script can also cause errors.
Check the ypservers map.
Also, make sure that the NIS slave server is listed in the ypservers map on the master server for the domain. If it is not listed, the slave server still operates perfectly as a server, but yppush does not propagate map changes to the slave server.
Update the maps on a broken slave server.
If the NIS slave server problem is not obvious, you can perform a workaround while debugging the problem by using the scp or ssh command. These commands copy a recent version of the inconsistent map from any healthy NIS server.
The following example shows how to transfer the problem map:
ypslave# scp ypmaster:/var/yp/mydomain/map.\* /var/yp/mydomain
In the previous example, the * character has been escaped in the command line so that it will be expanded on ypmaster instead of locally on ypslave.