For information on installing the Network Information Service (NIS) and the Network File System (NFS), see the AIX 5L Version 5.1 Installation Guide.
For each NIS domain you want to configure on your network, do the following:
Notes:
To set the NIS domain name of a host (whether client or server), use the Web-based System Manager or use one of the following procedures.
Each of these methods perform two actions. First, they run the domainname command, setting the NIS domain name. Second, they modify the /etc/rc.nfs file so that the NIS domain name is set when the system restarts.
Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.
To configure an NIS master server, do the following tasks on the master server host:
You will now create the directory for this domain, build the NIS maps, and start the NIS daemons. Use the Web-based System Manager or use one of the following procedures.
The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the daemons to which you specified yes above. Finally, the system starts these daemons.
The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the make command on the /var/yp/Makefile, which creates all the NIS maps specified in the /var/yp/Makefile.
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then # startsrc -s ypserv #fi
Remove the pound signs so the file looks like:
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then startsrc -s ypserv fi
If you chose to use a password file other than /etc/passwd to build the passwd map (see Customizing NIS Map Input), you must specify to the yppasswdd daemon the path to that file. By default, the yppasswdd daemon changes passwords for entries in the /etc/passwd file. To change the default password file to another file, do the following:
#Uncomment the following lines to start up the NIS #yppasswd daemon. DIR=/etc if [ -x /usr/etc/rpc.yppasswdd -a -f $DIR/passwd ]; then start rpc.yppasswdd /usr/lib/netsvc/yp/rpc.yppasswdd /etc/passwd ~m fi
DIR=/var/yp
stopsrc -s yppasswdd chssys -s yppasswdd -a '/var/yp/passwd -m passwd' startsrc -s yppasswdd
The yppasswdd daemon will now use your alternate password file.
After configuring the master server (see Configuring the NIS Master Server), you must decide which hosts are to act as slave servers. Slave servers keep exact replicas of the master server's maps and share the processing burden by answering queries when the master server is busy or unavailable. The following procedure must be done for each slave server.
The NIS master server is configured.
To configure an NIS slave server, do the following tasks on the slave server host:
Notes:
- If you are configuring a slave server that is not on the same IP network, you must configure the new server as an NIS client first (see Configuring an NIS Client). Use the ypset command to explicitly point the new server to the NIS master. For example, ypset 129.23.22.1, where 129.23.22.1 is the IP address of the master server.
- When using subnets, a slave server must be configured on each subnet that has NIS clients for the given NIS domain. This allows clients to bind at startup and provides a fall back if the master goes down for any reason.
You will now create the directory for this domain, start the NIS daemons, and obtain copies of the NIS maps from the master server. Use the Web-based System Manager or use one of the following procedures.
The system takes a few minutes to perform several tasks. First, it runs the ypinit command. If the ypinit command exits successfully, the system uncomments the entries in the /etc/rc.nfs file for the ypserv and ypbind daemons. Finally, the system starts these daemons.
The ypinit command is a shell script that performs two tasks. First, it creates the directory /var/yp/domainname, where domainname is the domain name you defined above. Second, it runs the ypxfr command to obtain the NIS maps from the master server.
Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:ypset 129.23.22.1where 129.23.22.1 is the IP address of the NIS master server.
Note: If this NIS slave server is not on same IP network as the NIS master server (that is, a gateway router is positioned between the slave server and the master server), you must explicitly identify the NIS master server by using the ypset command. For example, enter the command:ypset 129.23.22.1where 129.23.22.1 is the IP address of the NIS master server.
#if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then # startsrc -s ypserv #fi
if [ -x /usr/etc/ypserv -a -d /etc/yp/`domainname` ]; then startsrc -s ypserv fi
Note: If NIS users need to log into an NIS slave server, the slave server must also be configured as a client, and should have the following line as the last line in its /etc/passwd file:+::::::
NIS clients make up the majority of hosts in an NIS domain. Clients do not maintain maps, but rather query servers for information. (Clients do not distinguish between master and slave servers.) If you are configuring a slave server that is not on the same IP network as the master server, you must configure the new server as an NIS client first.
The NIS master server must be configured. For more information, see Configuring the NIS Master Server.
To configure an NIS client, do the following tasks on the client host:
You then start the client using NIS. Use the Web-based System Manager or use one of the following procedures.
The system performs two tasks. First, it starts the ypbind daemon. Second, it uncomments the entry in the /etc/rc.nfs file for the ypbind daemon.
#if [ -x /usr/etc/ypbind ]; then # startsrc -s ypbind #fi
if [ -x /usr/etc/ypbind ]; then startsrc -s ypbind fi
Before you configure NIS on a master server, slave server, or client, do the following:
lssrc -s inetd
A message similar to the following displays:
Subsystem Group PID Status inetd tcpip 4923 active
If the status does not indicate active, follow the instructions in Configuring the inetd Daemon for starting the inetd daemon.
lssrc -s portmap
A message similar to the following displays:
Subsystem Group PID Status portmap portmap 14003 active
If the status does not indicate active, enter the command:
startsrc -s portmap
You are now ready to configure NIS on this host. If you are configuring a master server, continue with the following section, Customizing NIS Map Input. If you are configuring a client or slave server, continue with Starting and Stopping NIS Daemons.
The most common customizations made to NIS involve users, groups, and host names. However, you can customize any of the information managed by NIS. Although this discussion focuses on users, groups, and host names, you can use the same techniques to customize input to other maps.
Note: Perform all of these instructions on the master server host.
Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.
By default, NIS uses the /etc/passwd and /etc/group files on the master server as the input for the passwd and group maps. All users and groups on the master server are thus included automatically in the maps. The simplest configuration is to add every user and group in this entire domain to the /etc/passwd and /etc/group files.
Note: It is possible to manage users and groups without using NIS; however, managing users and groups is the primary benefit of NIS. For more secure methods of user and group management, see NIS+ Security Mechanisms.
Either for security, accounting, or performance reasons, you may not want certain users to log into the master server. If so, you can build the passwd and group maps from other files, such as /var/yp/passwd and /var/yp/group, that are for NIS users and groups only. With this, /etc/passwd and /etc/group can contain only the minimum necessary entries. (Using a separate password file also affects the yppasswdd daemon. See Configuring the NIS Master Server for more information.) To configure the master server in this way, do the following:
cp /etc/group /var/yp/group
You can use a copy of any machine's /etc/group file, not just the /etc/group file on the master server. Then, using an editor, remove from the /etc/group file all the non-local entries, and add the NIS escape sequence (+:) as the last line in the file.
You can either preserve the current passwords or reset the passwords.
cd /var/yp /usr/sbin/mrgpwd > passwd
mrgpwd takes its input from the /etc/passwd and /etc/security/passwd files only.
cp /etc/passwd /var/yp/passwd
Then, using an editor, remove the ! (exclamation point) from the password field in each entry in the /var/yp/passwd file. Finally, using an editor, remove from the /etc/passwd file all the non-local entries, and add the NIS escape sequence (+::0:0:::) as the last line in the file.
Note: User IDs (UIDs) created in this way initially contain no passwords.
Note: The Web-based System Manager or the SMIT fast paths smit mkuser and smit mkgroup can be used to create users and groups only in the /etc/passwd and /etc/group files.
By default, NIS only uses the /etc/hosts file to build the hosts map. If you have configured a domain name server in your network, you can configure NIS to include domain name system (DNS) information as well as /etc/hosts information in the hosts map. (Including DNS information in the hosts map eliminates re-entering all this information in the /etc/hosts file.) To do so, use an editor to change the /var/yp/Makefile file as follows:
... | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byname; \ ... | $(MAKEDBM) - $(YPDBDIR)/$(DOM)/hosts.byaddr; \ ...
... | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byname; \ ... | $(MAKEDBM) -b - $(YPDBDIR)/$(DOM)/hosts.byaddr; \ ...
In other words, add the -b flag, with a space before and after, to both lines.
The ypserv and ypxfrd daemons use the file /var/yp/securenets, if it exists, and only respond to the IP addresses listed in the netmask netaddr pairs within that file.
Use Web-based System Manager, SMIT, or the following procedure to start or stop NIS daemons.
lssrc -s portmap
The result looks similar to the following:
Subsystem Group PID Status portmap portmap 4388 active
The five NIS daemons are
controlled by the System Resource Controller (SRC). As illustrated in
the following table, four of the daemons have the SRC group name
yp:
SRC Controlled NIS Daemons | ||
Daemon Name | Subsystem Name | Group Name |
keyserv | keyserv | keyserv |
ypbind | ypbind | yp |
yppasswdd | yppasswdd | yp |
ypserv | ypserv | yp |
ypupdated | ypupdated | yp |
To start or stop NIS daemons, use the Web-based System Manager or use one of the following procedures.
Select a menu option, depending on whether you want to start or stop the ypserv, ypbind, yppasswdd, or ypupdated daemon. Once you make your selection, the daemon you specified will be started or stopped.
In this procedure, you specify which NIS maps that this client will use by adding a special NIS marker to various system files. In general, the system configuration files on an NIS client should have a minimum number of entries because the client should rely primarily on a server for its information. However, you may want to configure a few local entries that you do not want defined throughout the entire domain.
Actually, NIS handles client configuration files in two ways. Some configuration files are completely ignored once the ypbind daemon starts, and other files are appended to. If NIS ignores a particular file, the client will only know what its server's map contains. If NIS appends map information to a file, the client can use local information that no other host knows as well as NIS map information.
Once the ypbind daemon
is running, the client relies solely on the following NIS maps instead of
their corresponding files:
Maps Used by the ypbind Daemon Instead of Files | ||
Map | Nickname | File |
hosts.byaddr | hosts | /etc/hosts |
hosts.byname | ||
ethers.byaddr | ethers | /etc/ethers |
ethers.byname | ||
networks.byaddr | networks | /etc/networks |
networks.byname | ||
rpc.bynumber | /etc/rpc | |
services.byname | services | /etc/services |
protocols.byname | protocols | /etc/protocols |
protocols.bynumber | ||
netgroup | /etc/netgroup | |
netgroup.byhost | ||
netgroup.byuser | ||
publickey.byname | /etc/publickey | |
netid.byname | /etc/passwd | |
/etc/group | ||
/etc/hosts | ||
/etc/netid | ||
netmasks.byaddr | /etc/netmasks |
You do not need to perform any configuration on the above files in order to use their corresponding NIS maps; the ypbind daemon does this automatically. However, the /etc/hosts file should have entries for the local loopback name and client's host name. Use either an editor or the smit hosts fast path to verify that the /etc/hosts file has these entries. For example, the client's /etc/hosts file should look similar to this example:
127.1 localhost # local loopback name 200.10.2.101 zepher # client's host name
The /etc/hosts file is accessed at boot time before NIS is available. After the system is running and the ypbind daemon is started, NIS ignores the /etc/hosts file.
Each of the following subheadings explains how to configure a client's configuration files to use a particular NIS map. You may choose to use all the available maps, or only a few. Many NIS installations use all the available maps, especially the passwd and group maps.
These two maps together are referred to by the nickname passwd. Using either an editor or the smit lsuser fast path, verify that the /etc/passwd file contains entries for the root user and the other primary users on the machine (in other words, the entries supplied in the default /etc/passwd file). Then, using an editor, add the NIS escape entry, + (plus sign), to enable the NIS password service. For example, the client's /etc/passwd file should look similar to the following:
root:!.k:0:1:/:/usr/bin/csh nobody:*:-2:-2::/: daemon:*:1:1::/: sys:*:2:2::/:/usr/bin/csh bin:*:3:3::/usr/bin: uucp:*:4:4::/var/spool/uucppublic: news:*:6:6::/var/spool/news:/usr/bin/csh +::0:0:::
The NIS entry (the last line) instructs library routines to use the NIS password service after examining the local entries. So, when a program examines the /etc/passwd file, it first finds the local entries, and then it requests that NIS provide the password information.
In addition to using the entire passwd map, you can explicitly include (with a plus entry) and exclude (with a minus entry) NIS password information about specific users and groups.
The following are the types of + (plus) and - (minus) entries that you may define:
If the + (plus) entry contains data in one of the colon-separated fields (except for the user ID, or UID, and group ID, or GID, fields) of the password entry, that data overrides what is in the NIS map. Also, earlier entries in the file take precedence over later entries with the same user name or user ID. The following are some examples:
To remove the NIS password entry for a user, enter:
-user
To remove the NIS password for users in a netgroup, enter:
-@netgroup
The line that subtracts the netgroup or user must appear before any other /etc/passwd file entry that includes the netgroup or user. For example, to remove password entries for user cliffc and users in the bad-users netgroup, the password file entry must contain the user name, UID, and GID:
-cliffc:*:218:201:: -@bad-users +::0:0:::
If user cliffc is a member of the good-users netgroup, the following example does not remove user cliffc from the /etc/passwd file:
+@good-users -cliffc:*:218:201:: +::0:0:::
Once the routines that read the password's file find a match for cliffc, they stop parsing the file. Therefore, the -cliffc entry will never be found, because the good-users netgroup includes user cliffc.
These two maps together are referred to by the nickname group. Using either an editor or the smit lsgroup fast path, verify that the /etc/group file contains entries for the system and other primary groups on the machine (in other words, the entries supplied in the default /etc/group file). Then, using an editor, add the NIS escape entry (+, plus sign) to enable the NIS group service. For example, the client's /etc/group file should look similar to the following:
system:!:0:root staff:!:1:root bin:!:2:root,bin sys:!:3:root,su,bin,sys adm:!:4:root,su,bin,adm uucp:!:5:root,uucp mail:!:6:root,su security:!:7:root cron:!:8:root printq:!:9:root audit:!:10:root +:
These two maps together are referred to by the nickname aliases. To enable use of the NIS aliases mapping:
As noted in Files that NIS Ignores, NIS uses these two maps automatically. However, you can configure two other system files to reference these maps, specifically, the /etc/hosts.equiv file and the /.rhosts file. Doing so can help you control remote logins more effectively.
For example, you can edit the /etc/hosts.equiv file and add a single line, with only the + (plus) character on it. This allows anyone to log into the machine because all further entries are retrieved from NIS rather than the local file. Or, for more control over logins, add a list of trusted hosts to the /etc/hosts.equiv file. For example:
+@trusted_group1 +@trusted_group2 -@distrusted_group
The names to the right of the @ (at sign) should be netgroup names defined in the netgroup map.
You can also add a list of trusted hosts to the /.rhosts file. For example:
+@trusted_group1 +@trusted_group2 -@distrusted_group
Because this file controls remote root access to the local machine, unrestricted access is not recommended. You cannot use aliases for host names in the /.rhosts, hosts.equiv, or netgroup files, because they all enable local machines to access remote machines. You can, however, use aliases for host names in the /etc/hosts file.
Note: If none of the escape sequences are added to the /etc/hosts.equiv or /.rhosts files, NIS is not used when a program examines these files.