Network Information Services (NIS and NIS+) Guide
Installing and Configuring NIS
For information on installing the Network Information Service (NIS) and the Network File System (NFS), see the AIX Installation Guide.
Configuring NIS
For each NIS domain you want to configure on your network, do the following:
- Decide which hosts on your network you want to include in this domain. Choose a domain name for the domain and make a note of it for use later in the configuration process.
- Choose a host that has the characteristics described in Master Servers. Then follow the instructions in Configuring the NIS Master Server.
- Decide which hosts, if any, will act as slave servers. Then, for each slave server, follow the instructions in Configuring an NIS Slave Server.
- Decide which hosts will be clients in this domain. Then, for each client, follow the instructions in Configuring an NIS Client.
Notes:
Setting the NIS Domain Name
To set the NIS domain name of a host (whether client or server), use the Web-based System Manager fast path, wsm network, or use one of the following procedures.
Using the System Management Interface Tool (SMIT):
Each of these methods performs two actions. First, it runs the domainname command, setting the NIS domain name. Second, it modifies the /etc/rc.nfs file so that the NIS domain name is set when the system restarts.
Configuring the NIS Master Server
Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.
To configure an NIS master server, do the following tasks on the master server host:
- Follow the instructions in Preparing a Host for NIS Configuration.
- Set the domain name by following the instructions in Setting the NIS Domain Name.
- Decide what information you want to manage using NIS. By default, you manage all the information contained in the files listed in NIS Maps. You may want to customize how you manage users, groups, and host names, especially if you have already configured a domain name server. To do so, follow the instructions in Customizing NIS Map Input.
You will now create the directory for this domain, build the NIS maps, and start the NIS daemons. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.
Using SMIT, enter: smit mkmaster.
Specify in the HOSTS that will be slave servers field the names of the hosts, if any, that you want to act as slave servers.
Specify yes in the fields Can existing MAPS for the domain be overwritten? and EXIT on errors, when creating master server? because you will want to know if an error occurs.
If you want to configure your NIS domain for secure Remote Procedure Call (RPC) networking, specify yes in the START the yppasswdd daemon? and START the ypupdated daemon? fields. You should also configure secure NFS by following the instructions in AIX Version 4.3 System Management Guide: Communications and Networks.
Specify yes in the START the ypbind daemon? field to configure the master server to use the NIS databases.
Specify both in the START the master server... field.
Accept your changes and exit SMIT.
The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the daemons to which you specified yes above. Finally, the system starts these daemons.
The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the make command on the /var/yp/Makefile, which creates all the NIS maps specified in the /var/yp/Makefile.
- Enter the ypinit -m command. This command prompts you for various information, including the names of any slave servers, and takes a few minutes to complete.
- Start the ypserv and ypbind daemons (and the yppasswdd and ypupdated daemons if you want) by following the instructions in Starting and Stopping the NIS Daemons.
- Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons (delete the pound signs at the beginning of each line). For example, if the original lines look like the following:
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
#    startsrc -s ypserv
#fi
Remove the pound signs so the file looks like:
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
    startsrc -s ypserv
fi
Further Considerations When Using the yppasswd Daemon
If you chose to use a password file other than /etc/passwd to build the passwd map (see Customizing NIS Map Input), you must specify to the yppasswdd daemon the path to that file. By default, the yppasswdd daemon changes passwords for entries in the /etc/passwd file. To change the default password file to another file, do the following:
- Edit the /etc/rc.nfs file, and locate the following stanza:
#Uncomment the following lines to start up the NIS
#yppasswd daemon.
DIR=/etc
if [ -x /usr/etc/rpc.yppasswdd -a -f $DIR/passwd ]; then
    start rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd ~m
fi
- Change the DIR statement so that it specifies the path to your alternate passwd file. For example, if you use the /var/yp/passwd file, the DIR statement should look like:
DIR=/var/yp
- Save the file and exit the editor.
- Enter the following three commands:
stopsrc -s yppasswdd
chssys -s yppasswdd -a '/var/yp/passwd -m passwd'
startsrc -s yppasswdd
The yppasswdd daemon will now use your alternate password file.
Configuring an NIS Slave Server
After configuring the master server, you must decide which hosts are to act as slave servers. Slave servers keep exact replicas of the master server's maps and share the processing burden by answering queries when the master server is busy or unavailable. The following procedure must be done for each slave server.
Prerequisites
The NIS master server is configured.
Procedure
To configure an NIS slave server, do the following tasks on the slave server host:
Notes:
- If you are configuring a slave server that is not on the same IP network, you must configure the new server as an NIS client first. Use the ypset command to explicitly point the new server to the NIS master. For example, ypset 129.23.22.1, where 129.23.22.1 is the IP address of the master server.
- When using subnets, a slave server must be configured on each subnet that has NIS clients for the given NIS domain. This allows clients to bind at startup and provides a fallback if the master goes down for any reason.
- Follow the instructions in Preparing a Host for NIS Configuration.
- Set the domain name by following the instructions in Setting the NIS Domain Name.
You will now create the directory for this domain, start the NIS daemons, and obtain copies of the NIS maps from the master server. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.
Using SMIT:
- Enter the fast path: smit mkslave.
- Specify the hostname of the master server for this domain in the HOSTNAME of the master server field.
- Specify yes in the fields Can existing MAPS for the domain be overwritten? and Quit if errors are encountered? because you will want to know if an error occurs.
- Specify both in the START the slave server... field.
- Accept your changes and exit SMIT.
The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the ypserv and ypbind daemons. Finally, the system starts these daemons.
The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the ypxfr command to obtain the NIS maps from the master server.
Note: If this NIS slave server is not on the same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:
ypset 129.23.22.1
where 129.23.22.1 is the IP address of the NIS master server.
- Start the ypbind daemon by following the instructions in Starting and Stopping the NIS Daemons to bind to the master server.
- Enter the ypinit -s mastername command, where mastername is the host name of the master server. This command prompts you for various information and takes a few minutes to complete.
- Start the ypserv and ypbind daemons by following the instructions in Starting and Stopping the NIS Daemons.
- Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons. Delete the pound signs in the following example:
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
#    startsrc -s ypserv
#fi
so it looks like:
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
    startsrc -s ypserv
fi
Note: If NIS users need to log into an NIS slave server, the slave server must also be configured as a client, and should have the following line as the last line in its /etc/passwd file:
+::::::
Configuring an NIS Client
NIS clients make up the majority of hosts in an NIS domain. Clients do not maintain maps, but rather query servers for information. (Clients do not distinguish between master and slave servers.) If you are configuring a slave server that is not on the same IP network as the master server, you must configure the new server as an NIS client first.
Prerequisites
The NIS master server is configured.
Procedure
To configure an NIS client, do the following tasks on the client host:
- Follow the instructions in Preparing a Host for NIS Configuration.
- Set the domain name by following the instructions in Setting the NIS Domain Name.
You then start the client using NIS. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.
- Enter the fast path: smit mkclient.
- Specify both in the START the NIS client... field.
- Accept your changes and exit SMIT.
- Follow the instructions in Setting Up NIS Client Files to Use NIS Services.
The system performs two tasks. First, it starts the ypbind daemon. Second, it uncomments the entry in the /etc/rc.nfs file for the ypbind daemon.
- Start the ypbind daemon by following the instructions in Starting and Stopping the NIS Daemons.
- Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc command to start this daemon. Specifically, delete the pound signs in the following example:
#if [ -x /usr/etc/ypbind ]; then
#    startsrc -s ypbind
#fi
so it looks like:
if [ -x /usr/etc/ypbind ]; then
    startsrc -s ypbind
fi
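The /etc/rc.nfs edit described for the master server, the slave server, and the client is the same operation: delete the leading pound sign from each line of one daemon's startsrc stanza. The following script is an added example, not part of the original guide; uncomment_rcnfs_stanza is a hypothetical helper name, and it writes the edited text to standard output rather than changing the file, so the result can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the guide): uncomment one daemon's startsrc stanza.
# Assumption: the stanza has the shape shown in this guide, starting at
# "#if [ -x /usr/etc/<daemon> ..." and ending at "#fi".

# uncomment_rcnfs_stanza DAEMON FILE
# Prints FILE with the commented stanza for DAEMON uncommented.
# Returns 1 if no commented stanza for DAEMON was found.
uncomment_rcnfs_stanza() {
    daemon=$1
    file=$2
    awk -v d="$daemon" '
        # Start of the commented stanza for this daemon only.
        !in_st && ($0 ~ ("^#[ \t]*if \\[ -x /usr/etc/" d "[ \t]")) {
            in_st = 1
            found = 1
        }
        in_st {
            # A line without a pound sign means the stanza was not closed
            # by "#fi"; stop here instead of touching the rest of the file.
            if ($0 !~ /^#/) { in_st = 0; print; next }
            line = $0
            sub(/^#/, "", line)        # delete only the leading pound sign
            print line
            if (line ~ /^[ \t]*fi[ \t]*$/) in_st = 0
            next
        }
        { print }
        END { exit (found ? 0 : 1) }
    ' "$file"
}
```

Redirect the output to a new file and compare it with the original using diff before replacing /etc/rc.nfs.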
Preparing a Host for NIS Configuration
Before you configure NIS on a master server, slave server, or client, do the following:
- Verify that the PATH variable in the /.profile file includes the /usr/sbin directory where the NIS commands reside.
- Verify that Transmission Control Protocol/Internet Protocol (TCP/IP) is running by entering the command:
lssrc -s inetd
A message similar to the following displays:
Subsystem         Group            PID     Status
 inetd            tcpip            4923    active
If the status does not indicate active, follow the instructions in Configuring the inetd Daemon for starting the inetd daemon.
- Verify that the portmap daemon is running by entering the command:
lssrc -s portmap
A message similar to the following displays:
Subsystem         Group            PID     Status
 portmap          portmap          14003   active
If the status does not indicate active, enter the command:
startsrc -s portmap
You are now ready to configure NIS on this host. If you are configuring a master server, continue with the following section, Customizing NIS Map Input. If you are configuring a client or slave server, continue with Starting and Stopping NIS Daemons.
Customizing NIS Map Input
The most common customizations made to NIS involve users, groups, and host names. However, you can customize any of the information managed by NIS. Although this discussion focuses on users, groups, and host names, you can use the same techniques to customize input to other maps.
Note: Perform all of these instructions on the master server host.
Users and Groups
Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.
By default, NIS uses the /etc/passwd and /etc/group files on the master server as the input for the passwd and group maps. All users and groups on the master server are thus included automatically in the maps. The simplest configuration is to add every user and group in this entire domain to the /etc/passwd and /etc/group files.
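The 1024-byte record limit stated in the Attention notes under Configuring the NIS Master Server and under Users and Groups can be checked before the maps are built. The following script is an added example, not part of the original guide; check_nis_record_size is a hypothetical helper name, and it assumes that each line of a map input file becomes one NIS record.

```shell
#!/bin/sh
# Added example (not from the guide): find map input lines that exceed the
# 1024-byte NIS record limit. Assumption: one input line = one NIS record.
NIS_MAX_RECORD=1024

# check_nis_record_size FILE...
# Prints "file:line:bytes:key" for every oversized line.
# Returns 0 if all lines fit, 1 if any line is too long, 2 if a file is unreadable.
check_nis_record_size() {
    rc=0
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            rc=2
            continue
        fi
        # LC_ALL=C makes length() count bytes rather than multibyte characters,
        # which matters because the limit is expressed in bytes.
        if ! LC_ALL=C awk -F: -v max="$NIS_MAX_RECORD" -v file="$f" '
            /^$/ || /^#/ { next }              # skip blank and comment lines
            length($0) > max {
                printf "%s:%d:%d:%s\n", file, NR, length($0), $1
                bad = 1
            }
            END { exit (bad ? 1 : 0) }
        ' "$f"; then
            if [ "$rc" -eq 0 ]; then rc=1; fi
        fi
    done
    return "$rc"
}
```

On the master server it would be run as check_nis_record_size /etc/passwd /etc/group, or against the alternate input files if the map input has been customized.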
Note: It is possible to manage users and groups without using NIS; however, managing users and groups is the primary benefit of NIS. For more secure methods of user and group management, see