
Working With Oracle® Solaris 11.3 Directory and Naming Services: DNS and NIS


Updated: October 2017

NIS Elements

The NIS naming service is composed of the following elements:

NIS Domain

An NIS domain is a collection of hosts that share a common set of NIS maps. Each domain has a domain name, and each machine that shares the common set of maps belongs to that domain.

NIS domains and DNS domains are not necessarily the same. In some environments, NIS domains are defined according to enterprise-wide network subnet administrative layouts, whereas DNS names and domains are defined by Internet DNS naming standards and hierarchies. The two naming systems might or might not be configured to match. The domain names for the two services are controlled separately and might be configured differently.

Any host can belong to a given domain, as long as a server for that domain's maps exists on the same network or subnet. NIS domain lookups use remote procedure calls (RPCs), so all the clients and all the server machines that provide direct services to those clients must exist on the same accessible subnet. It is not uncommon for each administrative subnet to be managed as a separate NIS domain (distinct from an enterprise-wide DNS domain) while using common databases managed from a common master machine. You can use the svc:/network/nis/domain SMF service to manage the NIS domain name and all the shared NIS configuration information.

NIS Daemons

The NIS service is managed by SMF. Administrative actions on this service, such as enabling, disabling, or restarting, can be performed by using the svcadm command. For an overview of SMF, refer to Chapter 1, Introduction to the Service Management Facility in Managing System Services in Oracle Solaris 11.3. Also refer to the svcadm(1M) and svcs(1) man pages for more details. The following table describes the daemons that provide the NIS service.

Table 5  NIS Daemons

nscd
    The NIS client service that provides a cache for most name service requests; managed by the svc:/system/name-service/cache service.

rpc.yppasswdd
    The NIS password update daemon; managed by the svc:/network/nis/passwd service.

    Note - The rpc.yppasswdd daemon considers all shells that begin with an r to be restricted. For example, if you are in /bin/rksh, you are not allowed to change from that shell to another shell. If you have a shell that begins with r but is not intended to be restricted as such, refer to Troubleshooting Network Information System for the workaround.

rpc.ypupdated
    A daemon that modifies other maps, such as publickey; managed by the svc:/network/nis/update service.

ypbind
    The binding process; managed by the svc:/network/nis/client service.

ypserv
    The NIS server process; managed by the svc:/network/nis/server service.

ypxfrd
    A high-speed map transfer daemon; managed by the svc:/network/nis/xfr service.

NIS Commands

The following table describes the commands that support the NIS service:

Table 6  NIS Command Summary

make
    Updates NIS maps by reading the /var/yp/Makefile file when the command is run in the /var/yp directory. You can use make to update all maps from the input files or to update individual maps. For information about how make works for NIS, see the ypmake(1M) man page.

makedbm
    Takes an input file and converts it into dbm.dir and dbm.pag files. NIS uses valid dbm files as maps. You can also use makedbm -u to disassemble a map so that you can see the key-value pairs that comprise it.

ypcat
    Displays the contents of an NIS map.

ypinit
    Automatically creates maps for an NIS server from the input files. It is also used to construct the initial /var/yp/binding/domain/ypservers file on the clients. Use ypinit to set up the master NIS server and the slave NIS servers for the first time.

ypmatch
    Prints the value for one or more specified keys in an NIS map. You cannot specify which version of the NIS server map you are seeing.

yppoll
    Shows which version of an NIS map is running on a server that you specify. It also lists the master server for the map.

yppush
    Copies a new version of an NIS map from the NIS master server to its slaves. You run the yppush command on the master NIS server.

ypset
    Instructs a ypbind process to bind to a named NIS server. This command is not for casual use, and its use is discouraged because of its security implications. See the ypset(1M) and ypbind(1M) man pages for information about the -ypset and -ypsetme options to the ypbind process.

ypwhich
    Shows which NIS server a client is currently using for NIS services. If invoked with the -m mapname option, this command shows which NIS server is the master of the map. If only -m is used, the command displays the names of all the available maps and their respective master servers.

ypxfr
    Pulls an NIS map from a remote server to the local /var/yp/domain directory by using NIS itself as the transport medium. You can run ypxfr interactively or periodically from a crontab file. It is also called by ypserv to initiate a transfer.

NIS Maps

The information in NIS maps is stored in ndbm format. For more information about the format of the map file, see the ypfiles(4) and ndbm(3C) man pages.

NIS maps extend access to UNIX /etc data and other configuration files, such as passwd, shadow, and group, so that the same data can be shared across a network of systems. Sharing these files simplifies administrative updates and management of the data files. You can deploy NIS with minimal effort. However, larger enterprises, especially those with security requirements, should consider using LDAP naming services instead. On a network running NIS, the NIS master server for each NIS domain maintains a set of NIS maps for other machines in the domain to query. NIS slave servers also maintain duplicates of the master server's maps. NIS client machines can obtain namespace information from either master or slave servers.

NIS maps are essentially two-column tables. One column is the key and the other column is information related to the key. NIS finds information for a client by searching through the keys. Some information is stored in several maps because each map uses a different key. For example, the names and addresses of machines are stored in two maps: hosts.byname and hosts.byaddr. When a server has a machine's name and needs to find its address, it looks in the hosts.byname map. When a server has the address and needs to find the name, it looks in the hosts.byaddr map.

An NIS Makefile is stored in the /var/yp directory of each machine designated as an NIS server at installation time. Running make in that directory causes makedbm to create or modify the default NIS maps from the input files.


Note - Always create maps on the master server, as maps created on a slave will not automatically be pushed to the master server.
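The two-column structure described above, and the reason one source file yields several maps, is easiest to see by building a pair of maps by hand. The following script is an added example, not code from the Oracle guide or from the /var/yp Makefile: it takes a constructed hosts file and produces hosts.byaddr (keyed by address) and hosts.byname (keyed by every name and alias on the line), then looks keys up the way ypmatch would. makedbm and the ndbm format are replaced by plain key/value text files in a temporary directory so the script runs on any POSIX system without NIS; the function names build_host_maps, map_lookup and map_key_count are this example's own. The same mechanism produces every other by* pair in Table 7, such as passwd.byname and passwd.byuid from one passwd input.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: how one source file (hosts) becomes
# two NIS maps that differ only in their key, as the /var/yp Makefile does
# before handing each key/value stream to makedbm. makedbm and the ndbm
# format are replaced here by plain "key<TAB>value" text files in a temporary
# directory, so the script runs on any POSIX system without NIS installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample in /etc/hosts format; the comment and blank line are
# there to show that they are dropped before the maps are built.
cat > "$WORK/hosts" <<'EOF'
# constructed hosts file for the example
192.0.2.10 alpha alpha.example.test
192.0.2.11 beta

2001:db8::1 gamma
EOF

# build_host_maps SRC DIR: write DIR/hosts.byaddr and DIR/hosts.byname.
# The value stored under every key is the whole source line, which is what
# makedbm would store; only the choice of key differs between the two maps.
build_host_maps() {
    src=$1
    dir=$2
    # drop blank lines and comment lines
    awk 'NF > 0 && $1 !~ /^#/' "$src" > "$dir/hosts.clean"
    # hosts.byaddr: the first field (the address) is the key
    awk 'BEGIN { OFS = "\t" } { print $1, $0 }' "$dir/hosts.clean" > "$dir/hosts.byaddr"
    # hosts.byname: every name and alias on the line becomes a key for the same value
    awk 'BEGIN { OFS = "\t" } { for (i = 2; i <= NF; i++) print $i, $0 }' \
        "$dir/hosts.clean" > "$dir/hosts.byname"
}

# map_lookup MAPFILE KEY: print the value stored under an exact key, the way
# ypmatch does for a real map; exit status 1 when the key is absent.
map_lookup() {
    awk -F '\t' -v k="$2" '
        $1 == k { print $2; found = 1; exit }
        END { if (found) exit 0; exit 1 }' "$1"
}

# map_key_count MAPFILE: number of keys (one per line) in a map file
map_key_count() {
    awk 'END { print NR }' "$1"
}

build_host_maps "$WORK/hosts" "$WORK"
echo "hosts.byname  alpha              -> $(map_lookup "$WORK/hosts.byname" alpha)"
echo "hosts.byaddr  192.0.2.11         -> $(map_lookup "$WORK/hosts.byaddr" 192.0.2.11)"
# the same line is reachable through the alias, but only in the byname map
echo "hosts.byname  alpha.example.test -> $(map_lookup "$WORK/hosts.byname" alpha.example.test)"
map_lookup "$WORK/hosts.byaddr" alpha >/dev/null \
    || echo "hosts.byaddr has no key 'alpha': names are not keys in that map"
```

Note that hosts.byname ends up with more keys than hosts.byaddr because each alias is a separate key pointing at the same value; that is why a server with a name consults hosts.byname and a server with an address consults hosts.byaddr rather than scanning either map for a match in the value column.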

Default NIS Maps

A default set of NIS maps is provided in the Oracle Solaris system. You might want to use all these maps or only some of them. NIS can also use whatever maps you create or add when you install other software products.

Default maps for an NIS domain are located in each server's /var/yp/domain-name directory. For example, the maps that belong to the domain test.com are located in each server's /var/yp/test.com directory.

The following table describes the default NIS maps and lists the appropriate source file name for each map.

Table 7  NIS Map Descriptions

Each entry gives the map name, the source file the map is built from, and a description of its contents.

audit_user (source: audit_user)
    Contains user auditing preselection data.

auth_attr (source: auth_attr)
    Contains authorization names and descriptions.

bootparams (source: bootparams)
    Contains path names of files that clients need during boot: root, swap, and possibly others.

ethers.byaddr (source: ethers)
    Contains machine names and Ethernet addresses. The Ethernet address is the key in the map.

ethers.byname (source: ethers)
    Contains machine names and Ethernet addresses. Machine name is the key in the map.

exec_attr (source: exec_attr)
    Contains profile execution attributes.

group.bygid (source: group)
    Contains group security information. Group ID is the key in the map.

group.byname (source: group)
    Contains group security information. Group name is the key in the map.

hosts.byaddr (source: hosts)
    Contains machine name and IP address. IP address is the key in the map.

hosts.byname (source: hosts)
    Contains machine name and IP address. Machine name is the key in the map.

mail.aliases (source: aliases)
    Contains aliases and mail addresses. Alias is the key in the map.

mail.byaddr (source: aliases)
    Contains mail address and alias. Mail address is the key in the map.

netgroup.byhost (source: netgroup)
    Contains group name, user name, and machine name.

netgroup.byuser (source: netgroup)
    Contains group name, user name, and machine name. User name is the key in the map.

netgroup (source: netgroup)
    Contains group name, user name, and machine name. Group name is the key in the map.

netid.byname (source: passwd, hosts, group)
    Contains machine name and mail address including domain name. If a netid file is available, it is consulted in addition to the data available through the other files. Used for UNIX-style authentication.

publickey.byname (source: publickey)
    Contains the public key database used by secure RPC.

netmasks.byaddr (source: netmasks)
    Contains the network mask to be used with IP subnetting. Address is the key in the map.

networks.byaddr (source: networks)
    Contains names of networks known to the system and their IP addresses. Address is the key in the map.

networks.byname (source: networks)
    Contains names of networks known to the system and their IP addresses. Name of the network is the key in the map.

passwd.adjunct.byname (source: passwd and shadow)
    Contains auditing information and the hidden password information for C2 clients.

passwd.byname (source: passwd and shadow)
    Contains password information. User name is the key in the map.

passwd.byuid (source: passwd and shadow)
    Contains password information. User ID is the key in the map.

prof_attr (source: prof_attr)
    Contains attributes for execution profiles.

protocols.byname (source: protocols)
    Contains network protocols known to your network.

protocols.bynumber (source: protocols)
    Contains network protocols known to your network. Protocol number is the key in the map.

rpc.bynumber (source: rpc)
    Contains program number and name of RPCs known to your system. RPC program number is the key in the map.

services.byname (source: services)
    Lists Internet services known to your network. Port or protocol is the key in the map.

services.byservice (source: services)
    Lists Internet services known to your network. Service name is the key in the map.

user_attr (source: user_attr)
    Contains extended attributes for users and roles.

ypservers (source: N/A)
    Lists NIS servers known to your network.

The ageing.byname mapping contains information that is used by the yppasswdd daemon to read and write password aging information to the directory information tree (DIT) when the NIS-to-LDAP transition is implemented. If you are not using password aging, then ageing.byname can be commented out of the mapping file. For more information about the NIS-to-LDAP transition, see Chapter 8, Transitioning From NIS to LDAP in Working With Oracle Solaris 11.3 Directory and Naming Services: LDAP.

Using NIS Maps

NIS makes updating network databases much simpler than with the /etc files system. You no longer have to change the administrative /etc files on every machine each time you modify the network environment.

However, NIS provides no more security than the /etc files do. If additional security is needed, such as restricting access to the network databases, protecting the results of searches on the network with SSL, or using more advanced features such as Kerberos-secured searches, use LDAP naming services instead.

For example, when you add a new user to a network running NIS, you only have to update the input file in the master server and run the make command. This command automatically updates the passwd.byname and passwd.byuid maps. These maps are then transferred to the slave servers and are available to all of the NIS domain’s clients and their programs. When a client machine or application requests information by using the user name or UID, the NIS server refers to the passwd.byname or passwd.byuid map, as appropriate, and sends the requested information to the client.

You can use the ypcat command to display the values in a map.

% ypcat mapname

where mapname is the name of the map you want to examine or its nickname. If a map is composed only of keys, as in the case of ypservers, use ypcat -k. Otherwise, ypcat prints blank lines. For more information about the ypcat command options, see the ypcat(1) man page.

You can use the ypwhich command to determine which server is the master of a particular map.

% ypwhich -m mapname

where mapname is the name or the nickname of the map whose master you want to find. The output of the ypwhich command displays the name of the master server. For more information, see the ypwhich(1) man page.

NIS Map Nicknames

Nicknames are aliases for full map names, such as passwd for passwd.byname. To obtain a list of available map nicknames, type ypcat -x or ypwhich -x.

Nicknames are stored in the /var/yp/nicknames file, which contains a map nickname followed by the fully specified name for the map, separated by a space. You can modify and update this file. Currently, there is a limit of 500 nicknames.
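Because the nicknames file is plain text that you are allowed to edit, it is worth seeing how the lookup works and what a malformed edit looks like. The following script is an added example and is not part of the Oracle guide or of the yp commands: it resolves a nickname from a file in the documented format (nickname, a space, then the full map name, one pair per line) and validates such a file against the two-field layout and the 500-nickname limit. It writes a constructed sample to a temporary file rather than reading the real /var/yp/nicknames, and the function names resolve_map and check_nickname_file are this example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: resolving an NIS map nickname the
# way the yp* commands do, from a file in /var/yp/nicknames format
# ("nickname<space>full-map-name", one per line). The file used here is a
# constructed temporary file, not the real /var/yp/nicknames.
set -eu

NICKS=$(mktemp)
trap 'rm -f "$NICKS"' EXIT

# Constructed sample; the real file shipped with the system has more entries.
cat > "$NICKS" <<'EOF'
passwd passwd.byname
group group.byname
hosts hosts.byname
ethers ethers.byname
aliases mail.aliases
EOF

# resolve_map FILE NAME: print the full map name for NAME. A name that is not
# a nickname is printed unchanged, since callers may pass full map names.
resolve_map() {
    awk -v n="$2" '
        $1 == n { print $2; found = 1; exit }
        END { if (!found) print n }' "$1"
}

# check_nickname_file FILE: exit 0 if every line has exactly two fields, no
# nickname is defined twice, and the documented limit of 500 nicknames is
# respected; otherwise print one line per problem and exit 1.
check_nickname_file() {
    awk '
        NF != 2    { printf "line %d: expected two fields\n", NR; bad = 1 }
        seen[$1]++ { printf "line %d: duplicate nickname %s\n", NR, $1; bad = 1 }
        END {
            if (NR > 500) { printf "%d nicknames exceeds the limit of 500\n", NR; bad = 1 }
            exit bad
        }' "$1"
}

resolve_map "$NICKS" passwd         # passwd.byname
resolve_map "$NICKS" hosts.byaddr   # full names pass through unchanged
check_nickname_file "$NICKS" \
    && echo "nickname file OK ($(awk 'END { print NR }' "$NICKS") entries)"
```

A duplicate nickname is flagged because resolve_map, like the yp commands reading the real file, returns only the first match, so the second definition would silently never be used.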