NIS+ principals are the entities (clients) that submit requests for NIS+ services.
An NIS+ principal may be someone who is logged in to a client machine as a regular user or someone who is logged in with root-user authority. In the first instance, the request actually comes from the client user; in the second instance, the request comes from the client workstation. Therefore, an NIS+ principal can be a client user or a client workstation.
Note: An NIS+ principal can also be the entity that supplies an NIS+ service from an NIS+ server. Since all NIS+ servers are also NIS+ clients, much of this discussion also applies to servers.
An NIS+ client is a workstation that has been set up to receive NIS+ service. Setting up an NIS+ client consists of the following:
An NIS+ client can access any part of the namespace, subject to security constraints. In other words, if it has been authenticated and has been granted the proper permissions, it can access information or objects in any domain in the namespace.
Although a client can access the entire namespace, a client belongs to only one domain, which is referred to as its home domain. A client's home domain is usually specified during installation, but it can be changed or specified later. All the information about a client, such as its IP address and its credentials, is stored in the NIS+ tables of its home domain.
There is a subtle difference between being an NIS+ client and being listed in an NIS+ table. Entering information about a workstation into an NIS+ table does not automatically make that workstation an NIS+ client. It simply makes information about that workstation available to all NIS+ clients. That workstation cannot request NIS+ service unless it is actually set up as an NIS+ client.
Conversely, making a workstation an NIS+ client does not enter information about that workstation into an NIS+ table. It simply allows that workstation to receive NIS+ service. If information about that workstation is not explicitly entered into the NIS+ tables by an administrator, other NIS+ clients cannot access it.
When a client requests access to the namespace, it is actually requesting access to a particular domain in the namespace. Therefore, it sends its request to the server that supports the domain it is trying to access.
How does the client know which server that is? By trial and error. Beginning with its home server, the client tries first one server, then another, until it finds the right one. When a server cannot answer the client's request, it sends the client information to help locate the right server. Over time, the client builds up its own cache of information and becomes more efficient at locating the right server. The next section describes this process.
When a client is initialized, it is given a cold-start file. The cold-start file gives a client a copy of a directory object that it can use as a starting point for contacting servers in the namespace. The directory object contains the address, public keys, and other information about the master and replica servers that support the directory. Normally, the cold-start file contains the directory object of the client's home domain.
As shown in the following figure, a cold-start file is used only to initialize a client's directory cache. The directory cache, managed by an NIS+ facility called the cache manager, stores the directory objects that enable a client to send its requests to the proper servers.
Figure 4-3. Cold-Start File Initializing Directory Cache. This illustration shows a network of domains in which the cold-start file initializes the directory cache for both clients and servers.
By storing a copy of the namespace's directory objects in its
directory cache, a client can know which servers support which domains.
(To view the contents of a client's cache, use the nisshowcache command.) The following table
is a simplified example.
|Example of Directory Cache|
|Domain||Directory Name||Supporting Server||IP Address|
To keep these copies up to date, each directory object has a time-to-live (TTL) field. Its default value is 12 hours. If a client looks in its directory cache for a directory object and finds that it has not been updated in the last 12 hours, the cache manager obtains a new copy of the object. You can change a directory object's time-to-live value with the nischttl command. However, keep in mind that the longer the time-to-live, the higher the likelihood that the copy of the object will be out of date; and the shorter the time to live, the greater the network traffic and server load.
How does the directory cache accumulate these directory objects? Because the cold-start file provides the first entry in the cache, when the client sends its first request, it sends the request to the server specified by the cold-start file. If the request is for access to the domain supported by that server, the server answers the request.
If the request is for access to another domain (for example, sales.wiz.com.), the server tries to help the client locate the proper server. If the server has an entry for that domain in its own directory cache, it sends a copy of the domain's directory object to the client, as shown in the following figure. The client loads that information into its directory cache for future reference and sends its request to that server.
Figure 4-4. Finding the Requested Server. This illustration shows RootMaster providing domain names through the directory server for client access.
In the unlikely event that the server does not have a copy of the directory object the client is trying to access, it sends the client a copy of the directory object for its own home domain, which lists the address of the server's parent. The client repeats the process with the parent server, and keeps trying until it finds the proper server or until it has tried all the servers in the namespace.
Over time, the client accumulates in its cache a copy of all the directory objects in the namespace and thus the IP addresses of the servers that support them. When it needs to send a request for access to another domain, it can usually find the name of its server in its directory cache and send the request directly to that server.
An NIS+ server is also an NIS+ client. Before you can set up a workstation as a server, you must initialize it as a client. The only exception is the root master server, which has its own unique setup process.
In addition to supporting a domain, a server also belongs to a domain. In other words, by virtue of being a client, a server has a home domain. Its host information is stored in the Hosts table of its home domain, and its DES credentials are stored in the cred table of its home domain. Like other clients, it sends its requests for service to the servers listed in its directory cache.
Except for the root domain, a server's home domain is the parent of the domain the server supports. In other words, a server supports clients in one domain, but is a client of another domain. A server cannot be a client of a domain that it supports, with the exception of the root domain. Because they have no parent domain, the servers that support the root domain belong to the root domain itself.
For example, consider the namespace shown in the following figure.
Figure 4-5. Example NIS+ Namespace. This illustration shows the domain hierarchy of an example NIS+ namespace. At top is the RootMaster server for wiz.com domain. Stemming from that is SalesMaster for sales.wiz.com. and ManfMaster for manf.wiz.com. Stemming from sales.wiz.com. is BigSalesMaster for big.sales.wiz.com. and SmallSalesMaster for small.sales.wiz.com.
The following table lists which domain each server supports and to which
domain it belongs:
|Example of Multiple Servers and Domains They Support|