Recently I got to set up NIS for the first time in a mixed Solaris 2.5/8 and Linux environment. Having studiously avoided NIS all my life because of its gaping security issues, it was a little humbling to discover that it wasn't as easy as it had always been made out to be. I also found that Sun's docs on their web site were next to useless and most of the stuff that was online was for SunOS, not Solaris ... here are my notes. -- AdamShand
Setting up the Master NIS Server (Solaris 8)
Prepare for NIS
- The first step is to decide which files you want to be controlled by NIS, and to copy them to the NIS directory:
# mkdir /var/yp/maps
# cd /etc; cp passwd shadow group auto_* hosts /var/yp/maps
Once they are copied there you need to clean them up in preparation for NIS. This means removing all the system accounts and information from the passwd, shadow and group files in /var/yp/maps (you don't want things like the root account in your NIS maps for security and reliability reasons).
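A check for the clean-up step above, as an added example that is not part of the original notes: it lists every entry still present in the NIS source directory that looks like a system account. The threshold of 100 and the function names are assumptions, and it needs a POSIX shell and awk (on Solaris 8, /usr/xpg4/bin/sh and nawk rather than the default /bin/sh and awk).

```shell
#!/bin/sh
# audit_nis_maps DIR [MIN_ID]: print "<file>:<name>:<id>" for every entry
# in DIR/passwd, DIR/group or DIR/shadow that should not be published.
# MIN_ID (default 100) is an assumed system-account boundary, not a value
# from the original notes; use whatever range your site reserves.
audit_nis_maps() {
    dir=$1
    min=${2:-100}
    for f in passwd group; do          # field 3 is the UID / GID
        [ -f "$dir/$f" ] || continue
        awk -F: -v min="$min" -v f="$f" '
            /^[#+-]/ || NF < 3 { next }
            ($3 + 0) < (min + 0) { print f ":" $1 ":" $3 }
        ' "$dir/$f"
    done
    # shadow carries no UID, so flag hashes whose user is not a
    # publishable (>= MIN_ID) entry in the cleaned passwd file.
    if [ -f "$dir/passwd" ] && [ -f "$dir/shadow" ]; then
        awk -F: -v min="$min" '
            FILENAME == ARGV[1] { if (($3 + 0) >= (min + 0)) ok[$1] = 1; next }
            !($1 in ok) { print "shadow:" $1 ":-" }
        ' "$dir/passwd" "$dir/shadow"
    fi
}

# Constructed sample maps (not real accounts) for a dry run.
make_sample_maps() {
    mkdir -p "$1"
    printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' \
        'lp:x:71:8:Line Printer Admin:/usr/spool/lp:' \
        'alice:x:1001:1000:Alice:/home/alice:/bin/ksh' > "$1/passwd"
    printf '%s\n' 'root:CONSTRUCTEDHASH:6445::::::' \
        'alice:CONSTRUCTEDHASH:11900::::::' > "$1/shadow"
    printf '%s\n' 'root::0:root' 'staff::10:' 'eng::1000:alice' > "$1/group"
}

tmp=$(mktemp -d)
make_sample_maps "$tmp"
audit_nis_maps "$tmp" 100     # in real use: audit_nis_maps /var/yp/maps
rm -rf "$tmp"
```

An empty result means nothing below the threshold is left in the files that the make will turn into maps.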
Clean up Makefile
- You now need to customize the NIS makefile for your environment. This means making sure that these lines are set up correctly:
# cd /var/yp
# vi Makefile
B=-b
DIR =/var/yp/maps
INETDIR=/etc/inet
PWDIR =/var/yp/maps
I found that the makefile that came with Solaris 8 would always error out halfway through. I messed around with it for a while and eventually decided that the easiest thing to do was to just comment out the blocks I wasn't using in the "all:" section. For me that meant that the "all:" section went from looking like this:
all: passwd group hosts ipnodes ethers networks rpc services protocols \
     netgroup bootparams aliases publickey netid netmasks c2secure \
     timezone auto.master auto.home \
     auth.attr exec.attr prof.attr user.attr audit.user
to this:
all: passwd group hosts netgroup auto.master auto.home
Turn on NIS
# domainname nisdomain
# domainname > /etc/defaultdomain
# cd /var/yp
# ypinit -m
# /usr/lib/netsvc/yp/ypstart
Test:
# ypwhich -m (you should see the name of the NIS server)
# ypcat passwd.byname (you should see the merged contents of the passwd/shadow files)
Add custom maps:
# vi Makefile
cut'n'paste closest stanza
# make
Set up as client: Make sure that these four lines are set (more if you need them):
# vi /etc/nsswitch.conf
passwd: files nis
group: files nis
netgroup: nis
automount: nis
Setting Up NIS Client (Solaris 8)
Configure NIS
# echo nisdomain > /etc/defaultdomain
# domainname `cat /etc/defaultdomain`
# ypinit -c (list all NIS servers as prompted)
# /usr/lib/netsvc/yp/ypstop; /usr/lib/netsvc/yp/ypstart
Convert System to NIS
# cd /etc; mkdir /etc/nisbackup
# cp passwd shadow group hosts auto_* /etc/nisbackup
Now edit the passwd, shadow, group and hosts files to only contain system accounts (e.g. enough so that if something goes wrong with NIS you can still boot the system into single user mode and log in as root). The hosts file should only contain the loopback, its own address and the address of the NIS servers.
# vi /etc/nsswitch.conf
And make sure that these values are set like this:
passwd: files nis
group: files nis
netgroup: nis
automount: nis
Adding a NIS Client (Redhat 7.2)
- First make sure that you aren't using MD5 passwords (you will be by default) as that will break interoperability with Solaris which uses crypt instead. Note that if you have any users with passwords in the passwd/shadow files (eg. root) you'll need to change their password or they won't be able to log in.
# authconfig
The Redhat /etc/nsswitch.conf file comes set up for NIS and NIS+ so you shouldn't have to change anything there.
# vi /etc/yp.conf
And add two lines like this (I have verified that this does indeed fail over from one to the other (faster than Solaris 8 actually) by using "ypbind -d" and watching it as the client's main NIS server becomes unavailable (who pulled out that cat5 cable? ;)):
domain nisdomain server 192.168.1.100
domain nisdomain server 192.168.2.100
Adding Custom Maps (Solaris 8)
This is really pretty easy, but there are a few gotchas. All I can say is thank god for years and years of Sun Managers Summaries! So the first new map I wanted to add was for /etc/printers.conf. I could see printers listed in the nsswitch.conf file but had a hard time finding any information on how to actually set it all up.
Basically the steps are that you need to copy the new source file (in this case /etc/printers.conf) to /var/yp/maps, then edit the makefile to parse the source file into a NIS map and then finally set up the slaves. So ...
# cd /var/yp
# cp /etc/printers.conf /var/yp/maps
# cat /usr/lib/print/Makefile.yp >> /var/yp/Makefile
# vi /var/yp/Makefile (the additions to the makefile require some fairly obvious modifications that I'll leave as an exercise for you)
# make (this will hang after updating printers.conf, that's okay, just go ahead and ctrl-c it)
Now on the slave server:
# /usr/lib/netsvc/yp/ypxfr -h <nis master> printers.conf.byname
Now back on the master server:
# make (and the changes should push out successfully)
Tips and Tricks
If you create a group with too many members the make will complain and truncate the membership with an error like:
Updating group.byname...
makedbm: warning: data too long:
The only way to solve this is to split the membership across multiple groups which share the same GID like so:
group1::1000:user1,user2,user3
group2::1000:user4,user5,user6
group3::1000:user7,user8,user9
Because they all share the same GID, when you do an "ls -l" any files group-owned by GID 1000 (i.e. group1, group2 and group3) will all show up under the first matching entry in the /etc/group file, or "group1".
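The split described above can be done mechanically, so a truncated membership is never published by accident. This is an added example, not part of the original notes; the function name is hypothetical, the length limit is passed in because the notes do not state makedbm's limit, and it needs a POSIX shell and awk.

```shell
#!/bin/sh
# split_group MAXLEN: read group(4) lines on stdin and write them to stdout.
# Any line longer than MAXLEN is rewritten as name1, name2, ... that all
# share the original GID, following the group1/group2/group3 example.
# MAXLEN is an assumption supplied by the caller, not a documented value.
split_group() {
    awk -F: -v max="$1" '
        length($0) <= (max + 0) || NF < 4 { print; next }
        {
            n = split($4, m, ",")
            part = 1; members = ""
            for (i = 1; i <= n; i++) {
                head = $1 part ":" $2 ":" $3 ":"
                cand = (members == "") ? m[i] : members "," m[i]
                if (length(head cand) > (max + 0) && members != "") {
                    print head members      # chunk is full: flush it
                    part++; members = m[i]  # start the next chunk
                } else {
                    members = cand
                }
            }
            if (members != "") print $1 part ":" $2 ":" $3 ":" members
        }
    '
}

# Constructed input: one group that exceeds a tiny demo limit, one that fits.
printf '%s\n' \
    'eng::1000:user1,user2,user3,user4,user5,user6,user7,user8,user9' \
    'ops::1001:bob' | split_group 28
```

Run it over /var/yp/maps/group before the make and compare the member count per GID before and after, so no user is dropped from the published group map.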
More Information
http://webcache.ibu.de/BSN/Support/Tips/NIS.sunservice.tip.html
O'Reilly "Managing NFS and NIS" book (BookIsbn:1565925106)