Softpanorama
The following tutorial is based largely on publicly available Sun Solaris 9 materials, including some quotes from the Sun Student Guide for SA-299. The troubleshooting part is based on the Sun NIS FAQ, which is also available from other sources on the Internet. Some material from O'Reilly's Practical Unix and Internet Security was used in the security part. This tutorial has been used a couple of times as lecture material, but it is still pretty raw. It is provided "as is" in the hope that some may find it useful.
Network Information Service (NIS) is a distributed database that lets you maintain consistent configuration files throughout your network. It was first released by Sun in the mid-1980s under the name Sun Yellow Pages, but later had to be renamed because "Yellow Pages" is a trademark of British Telecom in the UK. NIS commands still begin with the prefix yp. Most Unix vendors licensed Sun's code, making NIS the most widely supported naming service after DNS. Even today Solaris NIS remains one of the oldest, best-known and most reliable distributed databases for Unix configuration files. Like NFS, NIS is built on Sun RPC (a client locates a server with ypbind and queries the ypserv daemon), so it is far more than a file synchronization service.
Note: NIS was later extended by Sun into a more complex and less reliable implementation called NIS+. Paradoxically, NIS+ became obsolete even before NIS did. NIS+ is not covered in this class; for those interested in it, there is an IBM Redbook that contains a lot of information. NIS+ is still shipped with Solaris and is even the default naming service offered during Solaris 9 installation.
While much simpler than NIS+, NIS is still obscure enough to create a lot of problems for administrators. For example, it treats the passwd database as a special case, and not in a completely secure way: the password hashes go into the passwd.byname and passwd.byuid maps, and any host that can bind to the domain can dump them with ypcat passwd, so the protection that the Solaris shadow file gives to local accounts is lost for NIS accounts. Also, unlike AIX and most Linux distributions (where the compat lookup mode is the default), Solaris does not treat a plus sign in the first column of /etc/passwd as the start of an "NIS include" unless the passwd entry in /etc/nsswitch.conf selects the compat source; with the usual files nis setting such a line is not an include at all. Solaris NIS uses /etc/nsswitch.conf to determine in what order the information sources for a particular name should be queried.
The following terms are crucial for an understanding of NIS:
While NIS does simplify the synchronization of user accounts and configuration files across multiple servers, today roughly 80% of NIS functionality can be achieved with other tools, for example ssh or Tivoli Configuration Manager. With ssh and scp able to push arbitrary files to any number of servers securely, NIS makes somewhat less sense given its security concerns, especially for files that do not change often. Still, not all NIS functionality can be replicated this way. Pushing files with scp is very convenient for ordinary configuration files, but much less so for the passwd file, because it takes special effort to let users change their password locally and have the change propagate. NIS provides this out of the box. Lately LDAP has emerged as a better fit for integrating /etc/passwd into a central database in an enterprise environment, but it has its own share of problems; see the IBM Redbook AIX - Migrating NIS Maps into LDAP.
However, even though NIS has been deprecated, it is still widely used in many environments. It can also serve as a poor man's bridge between Microsoft Active Directory and the Unix world (via Server for NIS, the NIS implementation in Microsoft Services for Unix, SFU).
NIS is a distributed database system that lets many computers share configuration files such as the password file, the group file and the host table from a central network server (the master server). NIS makes network administration more manageable by providing centralized control over a variety of network information. This collection of network information is called the NIS namespace.
NIS treats the passwd file as a special case, but otherwise it can be used to synchronize arbitrary files. If the rpc.yppasswdd daemon is running on the master, you can run the passwd command on any NIS client: passwd in Solaris 2.6 and later checks whether the password entry is managed by NIS and, if so, updates the NIS entry instead of the local one (on older systems this was the job of the separate yppasswd command). After changing your password you should see a message such as "NIS entry changed on alpha", where alpha is the name of the NIS master. The following session illustrates this point:
$ passwd
Changing NIS password for joeuser on alpha.
Old password:
New password:
Retype new password:
NIS entry changed on alpha
You can view NIS as a specialized NFS for configuration files, although it is more than that: it lets a client dynamically combine the parts of a file stored locally with the parts stored on the network master server (the so-called maps). It is also optimized for fast performance of this particular function and scales to hundreds of computers.
As with NFS, although the files appear to be available on every computer, they are actually stored on the NIS master server only (and replicated from the master to one or more backup servers, called slave servers). When you update the source files on the master and rebuild the maps, NIS clients use the modified data as if it were stored locally. The files are not served directly but in a special indexed format called NIS maps. NIS maps are compiled from the regular source files using Unix make (on Solaris, cd /var/yp; make), which runs makedbm for each map and pushes the result to the slave servers with yppush.
With NIS, configuration files can be managed more easily because all or part of the configuration information can be stored and maintained on a single machine yet used on all the systems in the network.
For example, in the case of the passwd file this can be the Unix administrators' group, whose accounts should exist on every server. Moreover, some NIS implementations (Solaris among them, but only when the compat source is selected in /etc/nsswitch.conf) provide something like grep: you can restrict the import to the accounts of particular users by following the + symbol with a username.
In Solaris the /etc/nsswitch.conf file records whether a particular database should be taken from NIS or not, and in what order the sources are consulted (the effect is as if the files were appended in that order). Think of it as a primitive meta file that specifies several includes, for example (from the /etc/nsswitch.nis template shipped with Solaris):
hosts: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
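To make the order semantics concrete, here is an added example (not part of the original tutorial and not Solaris code) that parses entries in this format and simulates a lookup the way the switch does: each source answers SUCCESS, NOTFOUND, UNAVAIL or TRYAGAIN; the default action is return on SUCCESS and continue on anything else; a bracketed criterion such as [NOTFOUND=return] overrides the default for the source in front of it. The nsswitch lines, host names, passwd lines and map contents below are constructed sample data. What it shows for the hosts line above is the point a practitioner should check: a name missing from the NIS map is never looked up in /etc/hosts, but when no NIS server answers (UNAVAIL) the lookup silently falls through to /etc/hosts, so a stale or tampered local file takes over exactly when the server is down.

```python
"""Simulated Solaris name-service switch: parse nsswitch.conf entries and walk
the sources honouring [status=action] criteria.  Added example; the sources
and their contents are constructed sample data, not a real NIS domain."""
import re

# Default action per status as documented for nsswitch.conf(4).
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Two lines in the style of the Solaris nsswitch.nis template (constructed).
NSSWITCH_NIS = """\
# /etc/nsswitch.conf excerpt
hosts:      nis [NOTFOUND=return] files
passwd:     files nis
"""

# Constructed sample data: what /etc/hosts, /etc/passwd and the NIS maps hold.
FILES = {
    "hosts":  {"localhost": "127.0.0.1", "lab-printer": "10.0.0.50",
               "backup": "10.0.0.9"},              # stale local entry
    "passwd": {"root": "root:x:0:1:Super-User:/:/sbin/sh"},
}
NIS_MAPS = {
    "hosts":  {"alpha": "10.0.0.1", "backup": "10.0.0.2"},
    "passwd": {"joeuser": "joeuser:x:2005:2005:Joe User:/home/joeuser:/bin/ksh"},
}

_TOKEN = re.compile(r"\[([^\]]*)\]|(\S+)")   # either [criteria] or a source name


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]} in file order."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        sources = []
        for criteria, src in _TOKEN.findall(rest):
            if src:
                sources.append((src, dict(DEFAULT_ACTIONS)))
            elif sources:  # criteria apply to the source just before them
                for pair in criteria.split():
                    status, _, action = pair.partition("=")
                    sources[-1][1][status.upper()] = action.lower()
        conf[db.strip()] = sources
    return conf


def files_backend(db, key):
    table = FILES[db]
    return ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)


def nis_backend(db, key):
    table = NIS_MAPS[db]
    return ("SUCCESS", table[key]) if key in table else ("NOTFOUND", None)


def nis_unreachable(db, key):
    """What the client sees when no ypserv answers: UNAVAIL, not NOTFOUND."""
    return ("UNAVAIL", None)


def lookup(conf, db, key, backends):
    """Walk the sources for db; return (status, value, source that answered)."""
    last = "NOTFOUND"
    for src, actions in conf[db]:
        status, value = backends[src](db, key)
        if actions[status] == "return":
            return status, value, src
        last = status
    return last, None, None


def resolve(db, key, nis_up=True):
    conf = parse_nsswitch(NSSWITCH_NIS)
    backends = {"files": files_backend,
                "nis": nis_backend if nis_up else nis_unreachable}
    return lookup(conf, db, key, backends)


if __name__ == "__main__":
    for key, up in (("backup", True), ("lab-printer", True),
                    ("lab-printer", False), ("backup", False)):
        print("hosts %-12s nis_up=%-5s -> %s" % (key, up, resolve("hosts", key, up)))
```

For passwd the template uses files nis, so a local root always wins over an NIS entry of the same name; with nis files the reverse would hold, which is one reason the source order for passwd and group deserves a review on every client.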
Note:
In some older implementations of NIS (for example in Solaris 1, i.e. SunOS 4) the capabilities are closer to the include files well known from the C preprocessor, although the syntax is different. NIS uses a plus sign (+) in the first column to mark the include. The plus sign tells the library routines that read this configuration file (getpwent and friends) to query the NIS server for the included fragment, for example:
root::0:1:Root:/:/bin/sh
+nick::120:5:::
Note that the UID and GID given for this user are not used: getpwuid() actually goes to the NIS map and overrides the UID and GID values that you specify, so the password, UID and GID always come from the map (only non-empty gecos, home directory and shell fields of the local line override what the map says). In these implementations you also have a rudimentary capability to exclude certain usernames from the inserted fragment by inserting a line that begins with a minus sign (-). Lines are processed in order, so an exclusion must appear before the line that would otherwise import the account. For example, to exclude one account and include all the others from the server, you might use the following /etc/passwd file:
root::0:1:Root:/:/bin/sh
-joeuser::2005:2005:::
+::9999:9999:::
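As an added illustration (not code from the tutorial; the NIS map contents and the local passwd lines are constructed sample data), the following simulates how a client using this +/- syntax merges the local file with the passwd.byname map, following the rules stated above: +name pulls one entry from the map, -name excludes it, a bare + pulls in everything not yet seen, and lines are processed in file order. It shows three things worth verifying on a real system: the UID and GID written on a +name line are ignored in favour of the map, a -name line only protects against + lines that come after it, and a +name for an account missing from the map yields nothing. The hash strings in the map are placeholders.

```python
"""Simulation of the +/- ("compat") include syntax for /etc/passwd against an
NIS passwd map.  Added example with constructed data, not Solaris code."""

# Constructed sample of the passwd.byname map as a client sees it with
# ypcat passwd: the hash field is visible to every host that can bind.
NIS_PASSWD_MAP = """\
nick:$1$zz$abc:1001:10:Nick Smith:/home/nick:/bin/sh
joeuser:$1$zz$def:2005:2005:Joe User:/home/joeuser:/bin/ksh
alice:$1$zz$ghi:1002:10:Alice:/home/alice:/bin/csh
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")


def parse_passwd(text):
    """Parse passwd(4)-style lines into a list of 7-field dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError("malformed passwd line: %r" % line)
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def _override(nis_entry, local_entry):
    """passwd, uid and gid always come from the map; gecos, dir and shell
    are taken from the local line only where that line is non-empty."""
    merged = dict(nis_entry)
    for field in ("gecos", "dir", "shell"):
        if local_entry[field]:
            merged[field] = local_entry[field]
    return merged


def merge_compat(local_text, nis_map_text):
    """Return the effective passwd database in the order a client sees it."""
    nis = {e["name"]: e for e in parse_passwd(nis_map_text)}
    result, seen = [], set()
    for entry in parse_passwd(local_text):
        name = entry["name"]
        if name.startswith("-"):
            seen.add(name[1:])          # excludes only lines that follow
        elif name == "+":
            for nname, nentry in nis.items():
                if nname not in seen:
                    result.append(_override(nentry, entry))
                    seen.add(nname)
        elif name.startswith("+"):
            target = name[1:]
            if target in nis and target not in seen:
                result.append(_override(nis[target], entry))
                seen.add(target)
            # a +name for an account not in the map contributes nothing
        else:
            result.append(entry)        # ordinary local account
            seen.add(name)
    return result


def names(entries):
    return [e["name"] for e in entries]


if __name__ == "__main__":
    local = "root::0:1:Root:/:/bin/sh\n-joeuser::2005:2005:::\n+::9999:9999:::\n"
    for e in merge_compat(local, NIS_PASSWD_MAP):
        print(":".join(e[f] for f in FIELDS))
```

Run as is, it prints root followed by nick and alice with their map UIDs; joeuser is absent. Swapping the last two local lines brings joeuser back, which is the ordering mistake to look for when auditing a passwd file that uses this syntax.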
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Copyright of the original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Last modified: February 28, 2008