
Network Information Services (NIS and NIS+) Guide


Setting Up NIS+ Tables

This section provides instructions for using the NIS+ command set to populate NIS+ tables on a root or nonroot master server from either /etc files or NIS maps. This section also describes how to transfer information back from NIS+ tables to NIS maps, a procedure that may be required during a transition from NIS to NIS+. Finally, it includes two tasks that describe how to limit access to the passwd column of the passwd table:

Notes:

See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.

When you populate a table--whether from a file or an NIS map--you can use any of the following options:

Replace
First, deletes all existing entries in the table and then adds the entries from the source. In a large table, this adds a large set of entries into the master server's /var/nis/trans.log file (one set for removing the existing entries, another for adding the new ones), taking up space in /var/nis. Thus, propagation to replicas will take longer.

Append
Adds the source entries to the NIS+ table.

Merge
Produces the same result as the replace option but uses a different process that can greatly reduce the number of operations that must be sent to the replicas. With the merge option, NIS+ handles three types of entries differently:

When updating a large table with a file or map whose contents are not vastly different from those of the table, the merge option can spare the server a great many operations. Because it deletes only the entries that are not duplicated in the source (the replace option deletes all entries, indiscriminately), it saves one delete and one add operation for every duplicate entry. Therefore, this is the preferred option.

Populating NIS+ Tables From Files

This task transfers the contents of an ASCII file, such as /etc/hosts, into an NIS+ table.

Security Considerations

You can perform this task from any NIS+ client, including the root master server, as long as you have the appropriate credentials and access rights. If you are going to replace or merge the entries in the table with the entries from the text file, you must have create and destroy rights to the table. If you are going to append the new entries, you only need create rights.

Note: If you are not familiar with NIS+ security, review the security-related sections of this book before starting this procedure.

When this procedure is finished, the table entries are owned by the NIS+ principal that performed the operation and the group specified by the NIS_GROUP environment variable.

Prerequisites

Before beginning the following procedure, ensure the following:

You need the name and location of the text files that will be transferred.

Procedure

  1. Check each file from which you will be transferring data to ensure there are no incorrect entries. Make sure that the correct data is in the appropriate place and formatted properly. Remove any outdated, invalid, incomplete, or corrupted entries. (It is easier to add incomplete entries after setup than to try transferring incomplete or damaged entries from the file.)
  2. Make a working copy of each file you are transferring.

    Use this working copy for the actual file transfer steps described in this section. Give each working copy the same file name extension (for example, .xfr).

    rootmaster% cp /etc/hosts /etc/hosts.xfr
    
  3. Log in to an NIS+ client.

    Perform this task from any NIS+ client, but ensure that the client belongs to the same domain as the tables into which you want to transfer the information. The examples in this task use the root master server. Since the administrator in these examples is logged on as root user, the NIS+ principal actually performing this operation (and therefore needing the proper credentials and access rights) is the root master server.

  4. Add /usr/lib/nis to the search path for this shell.

    Because you will be using the /usr/lib/nis/nisaddent command once per table, adding its prefix to the search path eliminates having to type it each time.

    rootmaster# PATH=$PATH:/usr/lib/nis
    rootmaster# export PATH
    
  5. Use nisaddent to transfer any of the following files, one at a time:

    By default, nisaddent appends (-a) the file information to the table information. Use the -a option when populating the tables for the first time. To synchronize the NIS+ tables with NIS maps or /etc files, use the -m (merge) option. To replace content, use the -r option.

    To append:

    rootmaster# nisaddent -a -f filename table [domain]
    

    To merge:

    rootmaster# nisaddent -m -f filename table [domain]
    

    To replace:

    rootmaster# nisaddent -r -f filename table [domain] 
    

    where:

    filename
    Is the name of the file. The common convention is to append .xfr to the end of these file names to identify them as transfer files created with nisaddent.

    table
    Is the name of the NIS+ table.

    domain
    Is an optional argument; use it only to populate tables in a different domain.

    The following are some examples, entered from the root domain's master server. The source files are edited versions of the /etc files:

    rootmaster# nisaddent -m -f /etc/hosts.xfr hosts
    rootmaster# nisaddent -m -f /etc/groups.xfr group
    

    If you perform this operation from a nonroot (subdomain) server, keep in mind that a nonroot server belongs to the domain above the one it supports; therefore, it is a client of another domain. For example, the Sales.Wiz.Com. master server belongs to the Wiz.Com. domain. To populate tables in the Sales.Wiz.Com. domain from that master server, you would have to append the Sales.Wiz.Com. domain name to the nisaddent statement.

    salesmaster# nisaddent -f /etc/hosts.xfr hosts Sales.Wiz.Com. 
    

    If you perform this operation as a client of the Sales.Wiz.Com. domain, you do not need to append the domain name to the syntax.

  6. To verify that the entries have been transferred into the NIS+ table, use the niscat command, as follows:

    rootmaster# niscat group.org_dir
    root::0:root
    other::1::
    bin::2:root,bin,daemon
    .
    .
    .
    
  7. Transfer the publickey file.

    Note: Since the domain's cred table already stores some credentials, ensure those credentials are not overwritten by the contents of the publickey text file before you transfer it to the cred table. You can avoid overwriting by removing those credentials from the publickey text file. For rootmaster, the line to remove would be:

    unix.rootmaster@Wiz.Com public-key:private-key
    

    To transfer the contents of the publickey file to the cred table, use nisaddent with the -a option.

    rootmaster# nisaddent -a -f /etc/publickey.xfr -t cred.org_dir publickey \
      [domain]
    

    Note, however, that this operation only transfers DES credentials into the cred table. You will still need to create their LOCAL credentials in the cred table.

  8. Transfer the automounter information to the auto_master and auto_home tables using the -t flag and specifying that the table is of type key-value, as shown in the following example:

    rootmaster# nisaddent -f auto.master.xfr -t auto_master.org_dir key-value 
    rootmaster# nisaddent -f auto.home.xfr   -t auto_home.org_dir  key-value
    
  9. Build the NIS+ passwd table from the /etc/passwd file, as shown in the following example:

    rootmaster# nisaddent -m -f /etc/passwd.xfr passwd
    
  10. Checkpoint the tables to ensure that all servers transfer the new information from their .log files to the disk-based copies of the tables. If you have just set up the root domain, this step affects only the root master server, since the root domain does not yet have replicas. Use the nisping command with the -C option.

    rootmaster# nisping -C org_dir 
    Checkpointing replicas serving directory org_dir.Wiz.Com. :
    Master server is rootmaster.Wiz.Com.
         Last update occurred at July 14, 1994
     
    Master server is rootmaster.Wiz.Com.
    checkpoint succeeded.
    

    Attention: If you do not have enough swap space, the server cannot checkpoint properly, but it does not notify you. Verify the contents of a table with the niscat command. If you do not have enough swap space, the following error message displays:

    can't list table: Server busy, Try Again.
    

    This message indicates that you do not have enough swap space. Increase the swap space and checkpoint the domain again.
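
The checks in steps 1 and 7 of this procedure can be scripted. The following is an added example, not part of the original guide: the function names, the sample accounts and keys, and the rules for what counts as a suspect passwd entry are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): checks on .xfr working copies before nisaddent.

# check_passwd_xfr FILE: print one finding per suspect entry (step 1).
# The rules below are this example's assumptions about what "incorrect" means.
check_passwd_xfr() {
    awk -F: '
    /^[ \t]*$/   { next }
    /^[+-]/      { print NR ": NIS compat entry, do not transfer"; next }
    NF != 7      { print NR ": expected 7 fields, found " NF; next }
    ($1 in seen) { print NR ": duplicate login " $1 }
    $2 == ""     { print NR ": empty password field for " $1 }
    $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { print NR ": non-numeric uid/gid for " $1 }
    $3 == "0" && $1 != "root" { print NR ": uid 0 assigned to " $1 }
    { seen[$1] = 1 }' "$1"
}

# strip_host_cred NETNAME IN OUT: copy IN to OUT without NETNAME's line (step 7);
# return non-zero if NETNAME survives or a remaining line is not "netname hex:hex".
strip_host_cred() {
    awk -v n="$1" '$1 != n' "$2" > "$3" || return 1
    awk -v n="$1" '
    /^[ \t]*$/ { next }
    $1 == n || NF != 2 || $2 !~ /^[0-9a-fA-F]+:[0-9a-fA-F]+$/ { bad = 1 }
    END { exit bad + 0 }' "$3"
}

# make_samples DIR: write constructed sample files (not real accounts or keys).
make_samples() {
    cat > "$1/passwd.xfr" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
amina:!:201:1:Amina K:/home/amina:/usr/bin/ksh
amina:!:202:1:duplicate:/home/amina2:/usr/bin/ksh
guest::203:1::/home/guest:/usr/bin/ksh
toor:!:0:0::/:/usr/bin/ksh
broken:!:204
+::0:0:::
EOF
    cat > "$1/publickey.xfr" <<'EOF'
unix.rootmaster@Wiz.Com 3d91f44568fb:7675cd9b8753
unix.201@Wiz.Com a1b2c3d4e5f6:0f1e2d3c4b5a
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    check_passwd_xfr "$d/passwd.xfr"
    strip_host_cred unix.rootmaster@Wiz.Com "$d/publickey.xfr" "$d/publickey.clean" &&
        echo "publickey.clean: $(wc -l < "$d/publickey.clean") line(s) kept"
    rm -rf "$d"
}
demo
```

Run the checks against the working copies, never against the live /etc files, and transfer a file only when check_passwd_xfr prints nothing for it.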

Populating NIS+ Tables From NIS Maps

This task transfers the contents of an NIS map into an NIS+ table.

Security Considerations

You can perform this task from any NIS+ client as long as you (or root user on the client) have the appropriate credentials and access rights. If you are going to replace or merge the entries in the table with the entries from the NIS map, you must have create and destroy rights to the table. If you are going to append the new entries, you only need create rights.

After you complete this operation, the table entries will be owned by the NIS+ principal that performed the operation (either you or, if logged on as root user, the client) and the group specified by the NIS_GROUP environment variable.

Prerequisites

Before you begin the following procedure, ensure the following:

You need the name and location of the NIS maps.

Procedure

The following procedure transfers the contents of an NIS map into an NIS+ table.

  1. Check each NIS map from which you will be transferring data to ensure there are no incorrect entries. Make sure that the correct data is in the appropriate place and formatted properly. Remove any outdated, invalid, incomplete, or corrupted entries. (It is easier to add incomplete entries after setup than to try transferring incomplete or damaged entries from the file.)
  2. Log in to an NIS+ client. Perform this task from any NIS+ client--as long as that client belongs to the same domain as the tables into which you want to transfer the information. The examples in this task use the root master server. Since the administrator in these examples is logged in as root user, the NIS+ principal actually performing this operation (and therefore needing the proper credentials and access rights) is the root master server.
  3. Add /usr/lib/nis to the search path for this shell. Because you will be using the /usr/lib/nis/nisaddent command once for each table, adding its prefix to the search path eliminates having to type it each time.

    rootmaster# PATH=$PATH:/usr/lib/nis 
    rootmaster# export PATH
    
  4. Use nisaddent to transfer any of the following files, one at a time:

    By default, nisaddent appends (-a) the file information to the table information. Use the -a option when populating the tables for the first time. To synchronize the NIS+ tables with NIS maps or /etc files, use the -m (merge) option. To replace content, use the -r option.

    To append:

    rootmaster# nisaddent -a -y nisdomain table 
    

    To merge:

    rootmaster# nisaddent -m -y nisdomain table
    

    To replace:

    rootmaster# nisaddent -r -y nisdomain table 
    

    where:

    -y
    Indicates an NIS domain instead of a text file.

    nisdomain
    Is the name of the NIS domain whose map you are going to transfer into the NIS+ table. You do not have to name the actual map; the nisaddent utility automatically selects the NIS map that corresponds to the table argument.

    table
    Is the name of the NIS+ table.

    The following are some examples:

    rootmaster# nisaddent -m -y oldwiz hosts
    rootmaster# nisaddent -m -y oldwiz passwd
    rootmaster# nisaddent -m -y oldwiz group
    

    The first example transfers the contents of the hosts.byname and hosts.byaddr maps in the oldwiz (NIS) domain to the NIS+ hosts table in the root domain (NIS+). The second transfers the NIS maps that store password-related information into the NIS+ passwd table. The third does the same with group-related information.

  5. Transfer the publickey file.
    1. First, dump the contents of the publickey map into a file and then open that file with your text editor, as shown in the following example:

      rootmaster# makedbm -u /var/yp/oldwiz/publickey.byname > /etc/publickey.xfr
      rootmaster# vi /etc/publickey.xfr
      
    2. Remove the credentials of the workstation you are logged in to from the file dumped from the publickey map. For rootmaster, the line to remove would be:

      unix.rootmaster@Wiz.Com public-key:private-key
      
    3. Transfer the contents of the file--not the map--into the cred table. Use nisaddent, with the -a option, as shown in the following example:

      rootmaster# nisaddent -a -f /etc/publickey.xfr -t cred.org_dir publickey
      

    This operation transfers only DES credentials into the cred table. You must still create their local credentials in the cred table.

  6. Transfer the automounter information to the auto_master and auto_home tables using the following example:

    rootmaster# nisaddent -y oldwiz -Y auto.master -t auto_master.org_dir key-value
    rootmaster# nisaddent -y oldwiz -Y auto.home -t auto_home.org_dir key-value 
    

    where:

    -y
    Indicates an NIS domain instead of a text file.

    -Y
    Is the name of the NIS map.

    -t
    Is the name of the NIS+ directory object (for example, auto_master.org_dir) and the type of table (key-value).
  7. Checkpoint the tables to ensure that all servers transfer the new information from their .log files to the disk-based copies of the tables. If you have just set up the root domain, this step affects only the root master server, since the root domain does not yet have replicas. Use the nisping command with the -C option.

    rootmaster# nisping -C org_dir 
    Checkpointing replicas serving directory org_dir.Wiz.Com. :
    Master server is rootmaster.Wiz.Com.
         Last update occurred at July 14, 1994
     
    Master server is rootmaster.Wiz.Com.
    checkpoint succeeded.
    

    Attention: If you do not have enough swap space, the server cannot checkpoint properly, but it does not notify you. Verify the contents of a table with the niscat command. If you do not have enough swap space, the following error message displays:

    can't list table: Server busy, Try Again.
    

    This message indicates that you do not have enough swap space. Increase the swap space and checkpoint the domain again.

Transferring Information From NIS+ to NIS

This task transfers the contents of NIS+ tables into the NIS maps on an NIS master server.

Security Considerations

To perform this task, you must have read access to each table whose contents you transfer.

Prerequisites

The maps must have already been built on the NIS server.

Procedure

The following procedure transfers the contents of NIS+ tables into the NIS master server maps:

  1. Log into the NIS+ server. The following example uses the server named dualserver.
  2. Transfer the NIS+ tables to output files.

    Use the nisaddent command with the -d option, once for each table.

    dualserver% /usr/lib/nis/nisaddent -d -t table tabletype > filename
    

    The -d option transfers the contents of table to filename, converting the contents back to standard /etc file format.

  3. Transfer the contents of the output files to the NIS maps.

    The NIS+ output files are ASCII files that you can use as input files for the NIS maps. Copy them into the NIS master's /etc directory, and then use the make command.

    dualserver# cd /var/yp
    dualserver# make
    

Limiting Access to the Passwd Column to Owners and Administrators

This task describes how to limit read access to the password-related columns of the passwd table to only the entry owner and the table administrators without affecting the read access of other authenticated principals (including applications) to the remaining columns of the passwd table.

This task establishes the following rights:

                        Nobody  Owner  Group  World
Table Level Rights   :  ----    rmcd   rmcd   ----
Passwd Column Rights :  ----    rm--   rmcd   ----
Shadow Column Rights :  ----    rm--   rmcd   ----

Prerequisites

Before beginning the following procedure, ensure the following:

This task assumes the existing permissions are:

Access Rights    : ----rmcdrmcdr---
Columns          :
        [0]  Name          : name
             Access Rights : r-----------r---
        [1]  Name          : passwd
             Access Rights : -----m----------
        [2]  Name          : uid
             Access Rights : r-----------r---
        [3]  Name          : gid
             Access Rights : r-----------r---
        [4]  Name          : gcos
             Access Rights : r----m------r---
        [5]  Name          : home
             Access Rights : r-----------r---
        [6]  Name          : shell
             Access Rights : r-----------r---
        [7]  Name          : shadow
             Access Rights : r-----------r---

If your permissions are different, you may need to use a different syntax than the one shown in this procedure's examples. For instructions, see Administering NIS+ Access Rights.

Procedure

The following procedure limits read access to the content of the passwd table.

  1. Log in to the domain's master server. The examples in this task use the root master server, rootmaster.
  2. Check the current table and column permissions using the niscat -o command, as follows:

    rootmaster# niscat -o passwd.org_dir
    
  3. Use the nischmod command to change the table's object-level permissions to ---- rmcdrmcd ----:

    rootmaster# nischmod og=rmcd,nw= passwd.org_dir
    
  4. Use the nistbladm command with the -u option to change the permissions of the passwd and shadow columns to:

    passwd    ---- rm-- ---- ----
    shadow   ---- r--- ---- ----
    

    rootmaster# nistbladm -u passwd=o+r, shadow=o+r passwd.org_dir 
    
  5. Verify the new permissions using the niscat -o command.
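
One way to script the verification in step 5, as an added example that is not part of the original guide: check_passwd_acl and sample_listing are names chosen here, and the sample input is the existing-permissions listing from this task's prerequisites. It reports every read bit held by nobody or world at table level or on the passwd and shadow columns.

```shell
#!/bin/sh
# Added example (not from the guide): audit "niscat -o passwd.org_dir" output on stdin.

# check_passwd_acl: print one finding per read bit held by nobody or world
# at table level or on the passwd and shadow columns; print nothing if clean.
check_passwd_acl() {
    awk '
    # rights is the 16-character string: nobody, owner, group, world (4 each).
    function report(scope, rights) {
        if (substr(rights, 1, 1) == "r")  print scope ": nobody has read"
        if (substr(rights, 13, 1) == "r") print scope ": world has read"
    }
    /^Columns/             { in_cols = 1; next }
    /Name[ \t]*:/          { col = $NF; next }
    /Access Rights[ \t]*:/ {
        if (length($NF) != 16) { print "unparsed: " $0; next }
        if (!in_cols) report("table", $NF)
        else if (col == "passwd" || col == "shadow") report("column " col, $NF)
    }'
}

# Sample input: the existing-permissions listing shown in the prerequisites.
sample_listing() {
    cat <<'EOF'
Access Rights    : ----rmcdrmcdr---
Columns          :
        [0]  Name          : name
             Access Rights : r-----------r---
        [1]  Name          : passwd
             Access Rights : -----m----------
        [2]  Name          : uid
             Access Rights : r-----------r---
        [3]  Name          : gid
             Access Rights : r-----------r---
        [4]  Name          : gcos
             Access Rights : r----m------r---
        [5]  Name          : home
             Access Rights : r-----------r---
        [6]  Name          : shell
             Access Rights : r-----------r---
        [7]  Name          : shadow
             Access Rights : r-----------r---
EOF
}

# On a live server: niscat -o passwd.org_dir | check_passwd_acl
sample_listing | check_passwd_acl
```

Because o+r only adds a right, any read bit that a column already grants to nobody or world stays set; the check reports those when it is run after step 5.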

Table Population Summaries

The following table shows a summary of the steps required to populate NIS+ tables. Entries in the table below are simplified. Refer to the more thorough task descriptions for options, exceptions, and messages.

Transferring NIS Files Into NIS+ Tables: Command Summary

Tasks and commands:

Log in to an NIS+ client.

    rootmaster%

Create working copies of the files to be transferred.

    cp /etc/hosts /etc/hosts.xfr
    .
    .
    .

Add /usr/lib/nis to search path.

    PATH=$PATH:/usr/lib/nis; export PATH

Transfer each file, one at a time.

    nisaddent -m -f /etc/hosts.xfr hosts
    .
    .

Remove old server credentials from publickey file.

    vi /etc/publickey.xfr
    .
    .
    .

Transfer it to the cred table.

    nisaddent -a -f /etc/publickey.xfr \
      -t cred.org_dir publickey

Transfer the automounter files.

    nisaddent -f auto.master.xfr \
      -t auto_master.org_dir key-value
    nisaddent -f auto.home.xfr \
      -t auto_home.org_dir key-value

Checkpoint the table directory.

    nisping -C org_dir

Transferring NIS Maps Into NIS+ Tables: Command Summary

Tasks and commands:

Log in to an NIS+ client.

    rootmaster%

Add /usr/lib/nis to search path.

    PATH=$PATH:/usr/lib/nis; export PATH

Transfer each map, one at a time.

    nisaddent -m -y oldwiz hosts
    .
    .
    .

Dump publickey map to a file.

    makedbm \
      -u /var/yp/oldwiz/publickey.byname \
      > /etc/publickey.xfr

Remove new credentials.

    vi /etc/publickey.xfr
    .
    .
    .

Transfer the publickey file.

    nisaddent -a -f /etc/publickey.xfr \
      -t cred.org_dir publickey

Transfer the automounter maps.

    nisaddent -y oldwiz \
      -Y auto.master \
      -t auto_master.org_dir key-value
    nisaddent -y oldwiz \
      -Y auto.home \
      -t auto_home.org_dir key-value

Checkpoint the table directory.

    nisping -C org_dir

Transferring NIS+ Tables to NIS Maps: Command Summary

Tasks and commands:

Log in to NIS+ server.

    dualserver%

Transfer NIS+ tables to files.

    /usr/lib/nis/nisaddent \
      -d [-t table] tabletype \
      > filename
    .
    .
    .

Transfer files to NIS maps.

    makedbm flags output-file NIS-dbm-file

Limiting Access to Passwd Column: Command Summary

Tasks and commands:

Log in to the domain's master server.

    rootmaster#

Check the table's existing rights.

    niscat -o passwd.org_dir

Assign the table new rights.

    nischmod og=rmcd,nw= passwd.org_dir

Assign the columns new rights.

    nistbladm -u passwd=o+r, shadow=o+r \
      passwd.org_dir

Verify the new rights.

    niscat -o passwd.org_dir

