NIS Installation and Configuration

AIX Version 4.3 System Management Guide: Communications and Networks

NIS Installation and Configuration

For information on installing the Network Information Service (NIS) and the Network File System (NFS), see the AIX Installation Guide.

Configuring NIS

For each NIS domain you want to configure on your network, do the following:

Decide which hosts on your network you want to include in this domain. Choose a domain name for the domain and make a note of it for use later in the configuration process.
Choose a host that has the characteristics described in "Master Servers". Then follow the instructions in "Configuring the NIS Master Server".
Decide which hosts, if any, will act as slave servers. Then, for each slave server, follow the instructions in "Configuring a NIS Slave Server".
Decide which hosts will be clients in this domain. Then, for each client, follow the instructions in "Configuring an NIS Client".

Notes:
If you want non-root users to be able to login to a server, you must configure the server as a NIS client as well.

If the file /var/yp/securenets exists, the server only provides NIS services to the hosts within the Internet Protocol (IP) range specified.

Configuring the NIS Master Server

To configure an NIS master server, do the following tasks on the master server host:

Follow the instructions in "Preparing a Host for NIS Configuration".
Set the domain name by following the instructions in "Setting the NIS Domain Name".
Decide what information you want to manage using NIS. By default, you will manage all the information contained in the files listed in "NIS Maps". You may want to customize how you manage users, groups, and host names, especially if you have already configured a domain name server (see "Planning for DOMAIN Name Resolution". To do so, follow the instructions in "Customizing NIS Map Input").

You will now create the directory for this domain, build the NIS maps, and start the NIS daemons. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

To use the System Management Interface Tool (SMIT):
1. Enter the fast path:
```
smit mkmaster
```
2. Specify in the HOSTS that will be slave servers field the names of the hosts, if any, that you want to act as slave servers.
3. Specify yes in the fields Can existing MAPS for the domain be overwritten? and EXIT on errors, when creating master server? because you will want to know if an error occurs.
4. If you want to configure your NIS domain for secure Remote Procedure Call (RPC) networking, specify yes in the START the yppasswdd daemon? and START the ypupdated daemon? fields. You should also configure secure NFS by following the instructions in "Configuring Secure NFS".
5. Specify yes in the START the ypbind daemon? field. This will configure the master server itself to use the NIS databases.
6. Specify both in the START the master server... field.
7. Accept your changes and exit SMIT.
  The system will now take a few minutes to perform several tasks for you. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the daemons to which you specified yes above. Finally, the system starts those same daemons.
  
  The ypinit command is actually a shell script that performs, essentially, two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the make command on the /var/yp/Makefile. This, in turn, creates all the NIS maps specified in the /var/yp/Makefile.
To do this procedure from the command line:
1. Enter the ypinit -m command. This command will prompt you for various information, including the names of any slave servers, and will take a few minutes to complete.
2. Start the ypserv and ypbind daemons (and the yppasswdd and ypupdated daemons if you wish) by following the instructions in "Starting and Stopping the NIS Daemons".
3. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons. For example, delete the pound signs so that:
```
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
#       startsrc -s ypserv
#fi
```
  looks like:
```
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
       startsrc -s ypserv
fi
```

Further Considerations When Using the yppasswd Daemon

If you chose to use a password file other than /etc/passwd to build the passwd map (see "Customizing NIS Map Input"), you also need to specify to the yppasswdd daemon the path to that file. By default, the yppasswdd daemon changes passwords for entries in the /etc/passwd file. To change the default password file to some other file, do the following:

Edit the /etc/rc.nfs file, and locate the following stanza:

#Uncomment the following lines to start up the NIS 
#yppasswd daemon.
DIR=/etc
if [ -x /usr/etc/rpc.yppasswdd -a -f $DIR/passwd ]; then
        start rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd
        /etc/passwd ~m
fi

Change the DIR statement so that it specifies the path to your alternate passwd file. For example, if you use the /var/yp/passwd file, the DIR statement should look like:
```
DIR=/var/yp
```
Save the file and exit the editor.

Enter the following three commands:

stopsrc -s yppasswdd
 
chssys -s yppasswdd -a '/var/yp/passwd -m passwd'
 
startsrc -s yppasswdd

The yppasswdd daemon will now use your alternate password file.

Configuring an NIS Slave Server

Prerequisites

The NIS master server is configured.

Procedure

To configure an NIS slave server, do the following tasks on the slave server host:

Notes:
If you are configuring a slave server that is not on the same IP network, you have to set the slave as an NIS client first. Use the ypset command to explicitly point it at the NIS master. For example, ypset 129.23.22.1 where 129.23.22.1 is the IP address of the master server.

When using subnets, a slaver server must be configured on each subnet that has NIS clients for the given NIS domain. This allows clients to bind at startup and provides a fallback if the master goes down for any reason.

Follow the instructions in "Preparing a Host for NIS Configuration".
Set the domain name by following the instructions in "Setting the NIS Domain Name".

You will now create the directory for this domain, start the NIS daemons, and obtain copies of the NIS maps from the master server. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

To use SMIT:
1. Enter the fast path:
```
smit mkslave
```
2. Specify the hostname of the master server for this domain in the HOSTNAME of the master server field.
3. Specify yes in the fields Can existing MAPS for the domain be overwritten? and Quit if errors are encountered? because you will want to know if an error occurs.
4. Specify both in the START the slave server... field.
5. Accept your changes and exit SMIT.
  The system will now take a few minutes to perform several tasks for you. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the ypserv and ypbind daemons. Finally, the system starts these daemons.
  
  The ypinit command is actually a shell script that performs, essentially, two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the ypxfr command to obtain the NIS maps from the master server.
  Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:
```
ypset 129.23.22.1
```
  where 129.23.22.1 is the IP address of the NIS master server.
To do this procedure from the command line:
1. Start the ypbind daemon by following the instructions in "Starting and Stopping the NIS Daemons" to bind to the master server.
2. Enter the ypinit -s mastername command, where mastername is the hostname of the master server. This command will prompt you for various information, and will take a few minutes to complete.
3. Start the ypserv and ypbind daemons by following the instructions in "Starting and Stopping the NIS Daemons".
  Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:
```
ypset 129.23.22.1
```
  where 129.23.22.1 is the IP address of the NIS master server.
4. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc commands to start these daemons. For example, delete the pound signs so that:
```
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
#       startsrc -s ypserv
#fi
```
  looks like:
```
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then
       startsrc -s ypserv
fi
```

Note: If NIS users need to log into an NIS slave server, the slave server must also be configured as a client, and should have the following line as the last line in its /etc/passwd file:
+::::::

Configuring an NIS Client

Prerequisites

The NIS master server is configured.

Procedure

To configure an NIS client, do the following tasks on the client host:

Follow the instructions in "Preparing a Host for NIS Configuration".
Set the domain name by following the instructions in "Setting the NIS Domain Name".

You then START the client using NIS. Use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

To use SMIT:
1. Enter the fast path:
```
smit mkclient
```
2. Specify both in the START the NIS client... field.
3. Accept your changes and exit SMIT.
  The system will now perform two tasks for you. First, it will start the ypbind daemon. Second, it will uncomment the entry in the /etc/rc.nfs file for the ypbind daemon.
4. Follow the instructions in "Setting Up NIS Client Files to Use NIS Services".
To do this procedure from the command line:
1. Start the ypbind daemon by following the instructions in "Starting and Stopping the NIS Daemons".
2. Edit the /etc/rc.nfs file and uncomment the lines that use the startsrc command to start this daemon. Specifically, delete the pound signs so that:
```
#if [ -x /usr/etc/ypbind ]; then
#       startsrc -s ypbind
#fi
```
  looks like:
```
if [ -x /usr/etc/ypbind ]; then
       startsrc -s ypbind
fi
```

Preparing a Host for NIS Configuration

Before you configure NIS on a master server, slave server, or client, do the following:

Verify that the PATH variable in the /.profile file includes the /usr/sbin directory where the NIS commands reside.
Verify that Transmission Control Protocol/Internet Protocol (TCP/IP) is running by entering the command:
```
lssrc -s inetd
```
You should receive a message similar to:
```
Subsystem         Group            PID     Status 
 inetd            tcpip            4923    active
```
If the status does not indicate active, follow the instructions in "Configuring the inetd Daemon" for starting the inetd daemon.
Verify that the portmap daemon must be running by entering the command:
```
lssrc -s portmap
```
You should receive a message similar to:
```
Subsystem         Group            PID     Status 
 portmap          portmap          14003   active
```
If the status does not indicate active, enter the command:
```
startsrc -s portmap
```

You are now ready to configure NIS on this host.

Setting the NIS Domain Name

To set the NIS domain name of a host (whether client or server), use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

Using SMIT:
1. Enter the fast path:
```
smit chypdom
```
2. Enter the domain name in the Domain name of this host field.
3. Specify both in the CHANGE domain name take effect... field.
4. Accept your changes and exit SMIT. The NIS domain name is now set.
Using the command line:
1. Enter the command:
```
chypdom -B newdomainname
```

The Web-based System Manager, SMIT, and command line methods perform two actions. First, they run the domainname command, setting the NIS domain name. Second, they modify the /etc/rc.nfs file so that the NIS domain name is set when the system restarts.

Customizing NIS Map Input

The most common customizations made to NIS involve users, groups, and host names. However, you can customize any of the information managed by NIS. This article discusses how to specify various sources of input for use in generating NIS maps. Although this article focuses on users, groups, and host names, you can use the same techniques to customize input to other maps.

Note: You should perform all of these instructions on the master server host.

Users and Groups

By default, NIS uses the /etc/passwd and /etc/group files on the master server as the input for the passwd and group maps. All users and groups on the master server are thus included automatically in the maps. The simplest configuration is to add to these two files every user and group that you will need in this entire domain.

It is possible not to use NIS at all for managing users and groups. However, managing users and groups is the primary benefit of NIS (see "Benefits of NIS"). And, if you intend to use secure RPC networking, you must use NIS to maintain the password and group information.

Use Separate Password and Group Files as NIS Map Input

Either for security, accounting, or performance reasons, you may not want ordinary users to login to the master server. If so, you can build the passwd and group maps from other files, such as /var/yp/passwd and /var/yp/group, that are for NIS users and groups only. With this, /etc/passwd and /etc/group can contain only the minimum necessary entries. (Using a separate password file also affects the yppasswdd daemon. See "Configuring the NIS Master Server" for more information.) To configure the master server in this way, do the following:

Create the new file to be used instead of the /etc/group file (for clarity, assume that you name the file /var/yp/group) by entering the following command:
```
cp /etc/group /var/yp/group
```
(Actually, you can use a copy of any machine's /etc/group file, not just the /etc/group file on the master server.) Then, using an editor, remove from the /etc/group file all the non-local entries, and add the NIS escape sequence (+: ) as the last line in the file.
Create the new file to be used instead of the /etc/passwd file (for clarity, assume that you name the file /var/yp/passwd). Again, you can use a copy of any machine's /etc/passwd file, not just the /etc/passwd file on the master server. If fact, you can even use the password information from another NIS domain. To do so, enter the command:
```
ypcat passwd > passwd
```
at the command line of a client in the other domain. Then, copy the file passwd onto the master server in this domain, and place it in the /var/yp directory.
You can either preserve the current passwords or you can reset the passwords.
1. If you want to preserve existing passwords, you must merge the /etc/passwd file with the /etc/security/passwd file, where the encrypted passwords are stored. To do so, enter the following two commands:
```
cd /var/yp
/usr/sbin/mrgpwd > passwd
```
  The mrgpwd command combines each user's password from the /etc/security/passwd file with the entry for that user in the /etc/passwd file, and sends the output to stdout. (mrgpwd takes its input from the /etc/passwd and /etc/security/passwd files only.)
2. If you want to reset all the passwords, enter the following command:
```
cp /etc/passwd /var/yp/passwd
```
  Then, using an editor, remove the ! (exclamation point) from the password field in each entry in the /var/yp/passwd file. Finally, using an editor, remove from the /etc/passwd file all the non-local entries, and add the NIS escape sequence (+::0:0::: ) as the last line in the file.
  Note: User IDs (UIDs)screated in this way initially contain no passwords.
Change the /var/yp/Makefile file to reflect the new locations of the input files. You can do so using one of two methods:
1. The first method is to locate only the /etc/passwd and /etc/group files in /var/yp. Using an editor, open the /var/yp/Makefile file and create a new variable called PWDIR=/var/yp . In the passwd.time and group.time stanzas, replace every occurrence of the DIR variable with PWDIR .
2. The second method is to locate all the /etc files in /var/yp. Edit the Makefile file to modify the default DIR variable. Change DIR=/etc (the default configuration) to DIR=/var/yp . In contrast to the first method, you do not have to edit any of the Makefile stanzas.
  Note: The Web-based System Manager fast path, wsm users, and the SMIT fast paths smit mkuser and smit mkgroup can be used to create users and groups only in the /etc/passwd and /etc/group files.

Host Names

By default, NIS only uses the /etc/hosts file to build the hosts map. If you have configured a domain name server in your network, you can configure NIS to include in the hosts map domain name system (DNS) information as well as /etc/hosts information. (Including DNS information in the hosts map will save you the effort of re-entering all this information in the /etc/hosts file.) To do so, use an editor to change the /var/yp/Makefile file as follows:

Locate the hosts.time stanza in the /var/yp/Makefile file.

Change the two lines containing the word MAKEDBM:

...
| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byname; \
...
| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
...

so that they look like:

...
| $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byname; \
...
| $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byaddr; \
...

In other words, add the -b flag, with a space before and after, to both lines.

The ypserv and ypxfrd daemons use the file /var/yp/securenets, if it exists, and only respond to the IP addresses listed in the netmask netaddr pairs within that file.

Starting and Stopping NIS Daemons

Prerequisites

NFS must be installed on your system.
The portmap daemon must be running.

Procedure

The five NIS daemons are controlled by the System Resource Controller (SRC). As illustrated in the following table, four of the daemons have the SRC group name yp:

SRC Controlled NIS Daemons
Daemon Name	Subsystem Name	Group Name
keyserv	keyserv	keyserv
ypbind	ypbind	yp
yppasswdd	yppasswdd	yp
ypserv	ypserv	yp
ypupdated	ypupdated	yp

To start or stop NIS daemons, use the Web-based System Manager fast path, wsm network, or use one of the following procedures.

To use SMIT:
- Enter the SMIT fast path smit ypstartstop.
  Select the menu option you want, depending on whether you want to start or stop the ypserv, ypbind, yppasswdd, or ypupdated daemon. Once you make your selection, the daemon you specified will be started or stopped.
- To start the keyserv daemon, use the SMIT fast path smit mkkeyserv.
- To stop the keyserv daemon, use the SMIT fast path smit rmkeyserv.
To use the command line to start or stop the NIS daemons, use the startsrc or stopsrc command. You can start or stop the daemons individually or as a group. For example:
- To start all the daemons (not including the keyserv daemon), enter the command:
```
startsrc -g yp
```
- To stop all the daemons, enter the command:
```
stopsrc -g yp
```
- To start a single daemon, enter a command such as:
```
startsrc -s keyserv
```
- To stop a single daemon, enter a command such as:
```
stopsrc -s keyserv
```

Setting Up NIS Client Files to Use NIS Services

In this procedure, you will specify which NIS maps that this client will use by adding a special NIS marker to various system files. In general, the system configuration files on a NIS client should have a minimum number of entries because the client should rely primarily on a server for its information. However, you may want to configure a few local entries that you do not want defined throughout the entire domain.

Actually, NIS handles client configuration files in two ways. Some configuration files are completely ignored once the ypbind daemon starts, and other files are appended to. If NIS ignores a particular file, the client will only know what its server's map contains. If NIS appends map information to a file, the client can use local information that no other host knows as well as NIS map information.

Files that NIS Ignores

Once the ypbind daemon is running, the client will rely solely on the following NIS maps instead of their corresponding files:

Maps Used by the ypbind Daemon Instead of Files
Map	Nickname	File
hosts.byaddr	hosts	/etc/hosts
hosts.byname
ethers.byaddr	ethers	/etc/ethers
ethers.byname
networks.byaddr	networks	/etc/networks
networks.byname
rpc.bynumber		/etc/rpc
services.byname	services	/etc/services
protocols.byname	protocols	/etc/protocols
protocols.bynumber
netgroup.byhost		/etc/netgroup
netgroup.byuser
publickey.byname		/etc/publickey
netid.byname		/etc/passwd
		/etc/group
		/etc/hosts
		/etc/netid
netmasks.byaddr		/etc/netmasks

You do not need to perform any configuration on the above files in order to use their corresponding NIS maps; the ypbind daemon does this automatically. However, the /etc/hosts file should have entries for the local loopback name and client's host name. Use either an editor or the smit hosts fast path to verify that the /etc/hosts file has these entries. For example, the client's /etc/hosts file should look something like:

127.1         localhost   # local loopback name
200.10.2.101  zepher      # client's host name

The /etc/hosts file is accessed at boot time before NIS is available. After the system is running and the ypbind daemon is started, NIS ignores the /etc/hosts file.

Files Where NIS Appends Map Information

Each of the following subheadings explains how to configure a client's configuration files to use a particular NIS map. You may choose to use all the available maps, or only a few. Many NIS installations use all the available maps, especially the passwd and group maps.

passwd.byname and passwd.byuid map

These two maps together are referred to by the nickname passwd. Using either an editor or the smit lsuser fast path, verify that the /etc/passwd file contains entries for the root user and the other primary users on the machine (in other words the entries supplied in the default /etc/passwd file). Then, using an editor add the NIS escape entry, + (plus sign), to enable the use of the NIS password service. For example, the client's /etc/passwd file should look something like:

root:!.k:0:1:/:/usr/bin/csh
nobody:*:-2:-2::/:
daemon:*:1:1::/: 
sys:*:2:2::/:/usr/bin/csh
bin:*:3:3::/usr/bin:
uucp:*:4:4::/var/spool/uucppublic:
news:*:6:6::/var/spool/news:/usr/bin/csh
+::0:0:::

The NIS entry (the last line) instructs library routines to use the NIS password service after examining the local entries. So, when a program examines the /etc/passwd file, it first finds the local entries, and then it requests that NIS provide the password information.

In addition to using the entire passwd map, you can explicitly include (with a plus entry) and exclude (with a minus entry) NIS password information about specific users and groups.

There are three types of + (plus) and - (minus) entries that you may define. A + (plus) by itself means to include the entire contents of the NIS passwd map. A + (plus) with a name means to include that name from the NIS map. A + (plus) followed by a @ and a netgroup (that is +@netgroup_name ) means to insert the entries for all the members of the netgroup netgroup_name at that point. The - (minus) entries mean exclude the user or netgroup specified.

If the + (plus) entry contains data in one of the colon-separated fields (except for the UID and group ID, or GID, fields) of the password entry, that data overrides what is in the NIS map. Also, earlier entries in the file take precedence over later entries with the same user name or user ID. The following are some examples:

To remove the NIS password entry for a user, enter:

-user

To remove the NIS password for users in a netgroup, enter:

-@netgroup

The line that subtracts the netgroup or user must appear before any other /etc/passwd file entry that includes the netgroup or user. For example, to remove password entries for user cliffc and users in the bad-users netgroup, the password file entry must contain the user name, UID, and GID:

-cliffc:*:218:201::
-@bad-users
+::0:0:::

If user cliffc is a member of the good-users netgroup, the following example will not remove user cliffc from the /etc/passwd file:

+@good-users
-cliffc:*:218:201::
+::0:0:::

Once the routines that read the password's file find a match for cliffc , they stop parsing the file. Therefore, the -cliffc entry will never be found, because the good-users netgroup includes user cliffc .

group.byname and group.bygid maps

These two maps together are referred to by the nickname group. Using either an editor or the smit lsgroup fast path, verify that the /etc/group file contains entries for the system and other primary groups on the machine (in other words the entries supplied in the default /etc/group file). Then, using an editor, add the NIS escape entry (+, plus sign) to enable the use of the NIS group service. For example, the client's /etc/group file should look something like:

system:!:0:root
staff:!:1:root
bin:!:2:root,bin
sys:!:3:root,su,bin,sys
adm:!:4:root,su,bin,adm
uucp:!:5:root,uucp
mail:!:6:root,su
security:!:7:root
cron:!:8:root
printq:!:9:root
audit:!:10:root
+:

mail.aliases and mail.byaddr maps

These two maps together are referred to by the nickname aliases. To enable use of the NIS aliases mapping:

Uncomment Op (Opmail.aliases) in the sendmail.cf file and specify the map name for NIS aliases.
Recompile the sendmail.cf file with the command sendmail -bz.
Recompile the alias database with the command sendmail -bi.

netgroup.byhost and netgroup.byuser maps

As noted in "Files that NIS Ignores" on page 9-15, NIS uses these two maps automatically. However, you can configure two other system files to reference these maps, specifically, the /etc/hosts.equiv file and the /.rhosts file. Doing so can help you control remote logins more effectively.

For example, you can edit the /etc/hosts.equiv file and add a single line, with only the + (plus) character on it. This allows anyone to log on to the machine because all further entries are retrieved from NIS rather than the local file. Or, for more control over logins, add a list of trusted hosts to the /etc/hosts.equiv file. For example:

+@trusted_group1
+@trusted_group2
-@distrusted_group

The names to the right of the @ (at sign) should be netgroup names defined in the netgroup map.

You can also add a list of trusted hosts to the /.rhosts file. For example:

+@trusted_group1
+@trusted_group2
-@distrusted_group

Because this file controls remote root access to the local machine, unrestricted access is not recommended. You cannot use aliases for host names in the /.rhosts, hosts.equiv, or netgroup files, because they all enable local machines to access remote machines. You can, however, use aliases for host names in the /etc/hosts file.

Note: If none of the escape sequences are added to the /etc/hosts.equiv or /.rhosts files, NIS is not used when a program examines these files.