|
Softpanorama
(slightly skeptical)
Open Source Software Educational Society |
May the
source be with you,
but remember the KISS principle ;-)
|
Solaris Network Information Services (NIS) Implementation
Due to its size mini-tutorial was moved to a
separate page
Notes:
- Those pages are written by people for whom English is not a
native language. Some amount of grammar and spelling errors
should be expected.
- This is a Spartan WHYFF (We Help You For Free) site. It
cannot replace the best teachers and
the
best books.
- The site contain some obsolete pages as it develops like a
living tree... Some links on older pages
are broken. Please
try to use Google, Open directory, etc. to find a replacement link
(see
HOWTO search the WEB for details).
We would appreciate if you can
mail us a correct link.
|
|
Dec 6, 2001.(
Prentice Hall) Reading this chapter is not an
absolute requirement for deployment of LDAP, but if you
become familiar with some of the architectural nuances,
you can better understand broader deployment strategies.
Each naming service has its own unique characteristics
which may dictate how you deploy them. Although the
focus of this BluePrint is LDAP, it is helpful to
understand the feature set of legacy Solaris naming
services to see how this new technology compares.
This
is a sample chapter from Solaris and LDAP Naming
Services: Deploying LDAP in the Enterprise.
Prior to the launch event I
got some suggestions from Solaris sysadmins who had
specific problems with previous versions of Solaris and
had switched to other operating systems where they
could. I took the issues mentioned in
this SysAdmin to SysAdmin column and the comment
attached to it, plus some other notes, and compiled the
following list of issues, which several Solaris
engineers addressed point by point:
- Solaris is too complex. This
was described by the Solaris hackers as being an
engineering problem that has been solved by
introducing better technology -- namely, DTrace to
replace other less specific command-line tools,
X.org to replace the aging Xsun server, a more
streamlined installation procedure, and better
documentation. "Documentation is never an
afterthought for us," Cantrill told me.
- If a user belongs to more than 15
groups, the system dies. Cantrill told me
that this has long been a tunable parameter in
Solaris. "Such that it exists at all, the limitation
is due to a protocol restriction in NFS. By default,
Solaris is configured to cooperate with other
vendors' NFS implementations -- which means setting
the number of supplementary groups to 15."
- NIS netgroups have a size limitation;
this forces messy netgroups. This is due to
an underlying DBM database issue; the database has a
size limit of 1,024 bytes. The best solution is to
use LDAP instead.
- If one machine is in two netgroups and
both groups have mount privileges, the NFS server
crashes. The Solaris engineers tested this
and didn't find the problem; furthermore they had no
record of this ever being a bug or problem with any
previous editions of Solaris.
- GNOME is poorly implemented.
GNOME support has been greatly improved in Solaris
10. The version that ships with the initial release
is 2.6.1, and it now uses the Java Desktop System
theme by default.
- The version of Netscape included with
Solaris is old. Sun has abandoned Netscape
in favor of Mozilla.
- Solaris has a poor LDAP implementation.
A great deal of work has gone into improving LDAP in
Solaris 10. The new implementation is of a much
higher quality and has expanded features over
previous Solaris implementations.
- If you set up the system to authenticate
to NIS, then start LDAP, the system crashes.
This bug has been fixed in Solaris 10.
- Solaris is slow. Solaris 10
includes an optimized TCP/IP stack, which now scales
much better on multi-CPU systems. Additionally,
Solaris 10 has specific performance enhancements for
UltraSPARC IIIi and IV systems that can increase
performance by as much as 20%.
Hello all,
Sometime ago, I posed a question about how to get Solaris to work with Active
Directory. After several false starts, I finally found the answer: Microsoft's
Services for UNIX (SFU). SFU is a software suite which extends the Active
Directory schema, allowing various services to run out of AD for UNIX servers,
including (wait for it....) NIS. So far, it's working fairly well, with some
limitations. Here's a list of the gotchas I've encountered so far:
1) If you have an existing AD tree, you have to modify each individual user to
use SFU by opening their properties, choosing the "UNIX Attributes" tag, and
adding their UNIX account information (UID, GID, home, shell, and NIS domain).
Needless to say, this is tedious in large organizations. I'm lucky, I only
have about 100 users, I can't imagine someone with 10,000 going through this
willingly.
2) Once the UNIX attributes have been set, you have to reset the password of
the user before you can sync their account up in NIS. Presumably because AD
stores passwords in a one way encryption, which is neither crypt nor MD5.
3) If you have/want multiple NIS domains, you'll have to have multiple NT
domains. Each NT domain gets mapped to a single NIS domain, which must be the
same name, which requires one PDC for each domain. You can, however, control
multiple domains through one AD forest, so the administration isn't too bad,
as long as you have extra machines for this purpose.
4) Not all of the common features of NIS are easily supported, but they are
all there. The passwd map is controlled through the user management GUI,
however all other maps (netgroup, hosts, ethers, etc.) must be edited on the
command line. Potentially a problem for organizations which want to
standardize on one management tool. It should be possible to extend the AD
schema to include these other maps, however I have not yet gotten to that.
5) The master NIS server *must* be the AD server. There is a tool for
migrating an existing master db into the AD server, but so far as I can tell,
this is only useful if you have an existing NIS network, with no existing AD
servers.
6) I encountered some problems getting the master to talk to the slaves
properly. I found you have to make sure, when you list the slave servers in
the SFU console, to supply their FQDN. Just using the hostname by itself lead
to inconsistent communication.
It was surprisingly easy to install and configure SFU, and since it was using
NIS it was trivial to set up on the Solaris servers. Unfortunately, SFU
doesn't support NIS+, so for those organizations requiring that, this isn't
the answer. But for a smallish shop like mine with a need to standardize
usernames and passwords on both the NT and UNIX sides of the house, it was the
answer.
r/
Corbett Waddingham
Senior Systems Administrator
National Clearing Corp.
310-385-2257 phone
310-385-2225 fax
cwaddingham@nationalclearing.com
IBM Redbooks
AIX - Migrating NIS Maps into LDAP
-
Chapter 10 NIS Network Information Service (NIS) is a distributed
database that allows you to maintain consistent configuration files
throughout your network. NIS replaces replicated copies of common
configuration files, such as /etc/passwd and /etc/hosts, with data maps
for each file located on a central server.
In this chapter the following topics are discussed:
- NIS configuration considerations.
- Startup of NIS.
- Managing NIS maps.
Freebsd handbook and freebsd beginners tutorial/NIS FreeBSD
Handbook. Chapter 19 Advanced Networking.
Written by Bill Swingle.
Enhanced by Eric Ogren
and Udo Erdelhoff.
SunService
Tip Sheet for Sun NIS also at
SunService Tip
Sheet for Sun NIS
Cisco -
Installing DNS on a Sun Running NIS
HP-UX-Sun Interoperability Cookbook - NIS
also at
HP-UX-Sun Interoperability Cookbook - NIS
Protocols.com/SUN
Protocols Family - MOUNT PMAP YP (NIS)
Using NIS in conjunction with DNS
8.16 nis -- Interface
to Sun's NIS (Yellow Pages) Python interface
Securing
NIS
IBM UNIX servers - Security for pSeries AIX 5L security enhancements
NIS/NIS+ enhancements
Network Information Services (NIS) infrastructure has been enhanced to support
netgroups in LDAP and client support for shadow passwords (encrypted passwords
in the /etc/security/passwd file).
1999 SUMMARY NIS
and Netgroups behaviour
From: Neal S. Pressman (nsp83273@melsud.res.ray.com)
Date: Tue Apr 13 1999 - 12:16:38 CDT
thanks to:
Ronald Loftin <reloftin@syr.edu>
"David W. Blaine" <blained@gdls.com>
"Salehi, Michael E" <Mike.Salehi@usa.xerox.com>
also thanks to:
Steve_Kilbane <Steve@gec-epl.co.uk>
who didnt respond to my e-mail but has posted a summary of this problem
to the archives:
<--- snip --->
Turns out that netgroup works only with NIS running, and that using
it in .rhosts files is no problem. I'll also make the tentative
observation that the wisdom that follows applies certainly to netgroup
usage in .rhosts files, but not necessarily in other places (e.g.,
hosts.equiv, exports) because some of the rules I have to follow
(e.g., don't use capital letters) are rules I've seen violated in
other places without problems. That having been said:
</--- snip --->
my problem was simply that our Netgroup was in UCASE this is not a
problem for 2.6 or 2.7 only earlier versions.
Neal...
<--- original question --->
-> I have an NIS question,
->
-> we have a mixed solaris environment mostly 2.5.1 and 2.6 with a couple of
-> solaris 7 boxes. we are trying to implement the use of netgroups for
-> /.rhosts and /etc/hosts.equiv . the man pages for all vers. of the OS
-> state this can be done with + and - @NETGROUP entries. we have been able
-> to get this to work on both 2.6 and solaris 7 but 2.5.1 doesnt seem to
-> work.
->
-> here are what my files have in them:
->
-> +@MELALL
->
-> MELALL is a netgroup containing all of our trusted systems.
->
-> has anyone been able to get this to work on 2.5.1????
->
-> thanks,
->
-> Neal...
->
</--- original question --->
--
\\|//
(0~0)
----------------------------oooO-(_)-Oooo----------------------------
Neal S. Pressman Raytheon Systems Company
System Administrator (MCAE) 528 Boston Post Road
phone: (978) 440-1273 Sudbury, MA 01776
fax: (978) 440-2684 ms 4-1-283
E-mail: nsp@melsud.res.ray.com / Neal_S_Pressman@res.raytheon.com
____________________________________Oooo.____________________________
.oooO (___)
Copyright © 1996-2007 by Dr. Nikolai Bezroukov.
www.softpanorama.org was
created as a service to the UN Sustainable Development Networking Programme (SDNP)
in the author free time.
Submit
comments This document is an industrial compilation designed and created
exclusively for educational use and is placed under the copyright of the
Open Content License(OPL).
Original materials copyright belong to respective owners. Quotes are made
for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on
this web page are those of the author and are not endorsed by, nor do they necessarily
reflect, the opinions of the author present and former employers, SDNP or any other
organization the author may be associated with. We do not warrant the correctness
of the information provided or its fitness for any purpose.
Last modified:
February 28, 2008
