Preparing the Master Server
The following sections describe how to prepare the source files and the passwd
files for the master server.
Source Files Directory
The source files should be located either in the /etc directory on the master
server or in some other directory. Having them in /etc is undesirable because
the contents of the maps are then the same as the contents of
the local files on the master server. This is a particular problem
for passwd and shadow files because all users have access to the master
server maps and the root password would be passed to all NIS clients
through the passwd map. See Passwd Files and Namespace Security for additional information.
However, if you put the source files in some other directory, you
must modify the Makefile in /var/yp by changing the DIR=/etc line to DIR=/your-choice, where
your-choice is the name of the directory you will be using to store
the source files. This allows you to treat the local files on the
server as if they were those of a client. (It is good practice
to first save a copy of the original Makefile.)
In addition, if audit_user, auth_attr, exec_attr and prof_attr are to be taken
from a directory other than the default, you must amend the RBACDIR =/etc/security
line to RBACDIR=/your-choice.
Passwd Files and Namespace Security
The passwd map is a special case. In addition to the old
Solaris 1 passwd file format, this implementation of NIS accepts the /etc/passwd
and /etc/shadow file formats as input for building the NIS password maps.
For security reasons, the files used to build the NIS password maps should
not contain an entry for root, to prevent unauthorized root access. Therefore, the
password maps should not be built from the files located in the master
server's /etc directory. The password files used to build the password maps should
have the root entry removed from them and be located in a directory
that can be protected from unauthorized access.
For example, the master server password input files should be stored in a
directory such as /var/yp, or any directory of your choice, as long as
the file itself is not a link to another file and its
location is specified in the Makefile. The correct directory option is set automatically according
to the configuration specified in your Makefile.
Caution - Be sure that the passwd file in the directory specified by PWDIR does
not contain an entry for root.
If your source files are in a directory other than /etc, you must
alter the PWDIR password macro in the Makefile to refer to the directory
where the passwd and shadow files reside, changing the line PWDIR=/etc to PWDIR=/your-choice,
where your-choice is the name of the directory you will be using to
store the passwd map source files.
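The rules in this section can be checked before the maps are built. The script below is an added example, not part of the original documentation: it reads PWDIR from a Makefile and reports a root entry, a linked source file, or PWDIR left at /etc. Two checks are assumptions that go beyond the text: any other UID 0 account in passwd is flagged, and "protected" is taken to mean that the directory has no group or world write bit. The function names and finding labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit the password source files named by PWDIR in the NIS Makefile.

# Print the value of a NAME=value macro line ("NAME =value" is accepted too).
makefile_macro() {   # usage: makefile_macro NAME MAKEFILE
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# Print one finding per line for the PWDIR set in MAKEFILE.
pwdir_findings() {   # usage: pwdir_findings MAKEFILE
    pwdir=$(makefile_macro PWDIR "$1")
    if [ -z "$pwdir" ]; then echo "PWDIR_UNSET"; return 0; fi
    # The maps must not be built from the master server's own /etc files.
    if [ "$pwdir" = "/etc" ]; then echo "PWDIR_IS_ETC"; fi
    # Assumption: "protected" means no group or world write bit on the directory.
    case $(ls -ld "$pwdir" 2>/dev/null | cut -c1-10) in
        ?????w*|????????w*) echo "DIR_WRITABLE $pwdir" ;;
    esac
    for f in passwd shadow; do
        path="$pwdir/$f"
        # The source file itself must not be a link to another file.
        if [ -L "$path" ]; then echo "IS_LINK $path"; fi
        if [ -f "$path" ]; then
            # Field 1 is the login name; field 3 of passwd (only) is the UID.
            awk -F: -v p="$path" -v f="$f" '
                $1 == "root" { print "ROOT_ENTRY " p; next }
                f == "passwd" && $3 ~ /^0+$/ { print "UID0_ENTRY " p " " $1 }
            ' "$path"
        fi
    done
}

# Return 0 when clean; otherwise print the findings and return 1.
audit_pwdir() {      # usage: audit_pwdir MAKEFILE
    report=$(pwdir_findings "$1")
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}
```

Run it as audit_pwdir /var/yp/Makefile before building the maps; a non-zero exit status means at least one finding was printed.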
Preparing Source Files for Conversion to NIS Maps
Prepare the source files for conversion to NIS maps.
How to Prepare Source Files for Conversion
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
- Check the source files on the master server to make sure they reflect
an up-to-date picture of your system.
Check the following files:
- Copy all of these source files, except passwd, to the DIR directory that
you have selected.
- Copy the passwd file to the PWDIR directory that you have selected.
- Copy audit_user, auth_attr, exec_attr, and prof_attr to the selected RBACDIR directory.
- Check the /etc/mail/aliases file.
Unlike other source files, the /etc/mail/aliases file cannot be moved to another directory. This
file must reside in the /etc/mail directory. Refer to aliases(4) for more information.
Note - You can add an NIS-specific mail aliases file by pointing the ALIASES = /etc/mail/aliases
entry in /var/yp/Makefile to another location. When you then run make, the
ALIASES entry creates a mail.aliases map. The sendmail service uses this map
in addition to the /etc/mail/aliases file when the /etc/nsswitch.conf file properly targets nis
in addition to files. Refer to Modifying and Using the Makefile.
- Clean all comments and other extraneous lines and information from the source files.
These operations can be done through a sed or awk script or
with a text editor. The Makefile performs some file cleaning automatically for you,
but it is good practice to examine and clean these files by hand
before running.
- Make sure that the data in all the source files is correctly formatted.
Source file data needs to be in the correct format for that particular
file. Check the man pages for the different files to make sure that
each file is in the correct format.
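The copy and clean steps above can be scripted. The following is an added example, not part of the original documentation: it stages the named files from a source directory into the DIR, PWDIR and RBACDIR directories, deletes whole-line comments and blank lines, and removes the root entry from the password files. The function names and arguments are hypothetical, and shadow is staged alongside passwd on the assumption that both reside in PWDIR, as the PWDIR description states.

```shell
#!/bin/sh
# Added example: stage NIS source files into the DIR, PWDIR and RBACDIR directories.

# Drop whole-line comments and blank lines; data lines are left untouched.
clean_source() {     # usage: clean_source FILE
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# usage: stage_sources SRC DIR PWDIR RBACDIR FILE...
# The body runs in a subshell so the umask change does not leak to the caller.
stage_sources() (
    src=$1 dir=$2 pwdir=$3 rbacdir=$4
    shift 4
    umask 077        # staged copies, password hashes included, are owner-only
    for f in "$@"; do
        [ -f "$src/$f" ] || { echo "missing: $src/$f" >&2; continue; }
        case $f in
            passwd|shadow)
                # Password sources go to PWDIR with the root entry removed.
                clean_source "$src/$f" | awk -F: '$1 != "root"' > "$pwdir/$f" ;;
            audit_user|auth_attr|exec_attr|prof_attr)
                clean_source "$src/$f" > "$rbacdir/$f" ;;
            *)
                clean_source "$src/$f" > "$dir/$f" ;;
        esac
    done
)
```

The /etc/mail/aliases file is not staged because it must stay in /etc/mail.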
Preparing the Makefile
After checking the source files and copying them into the source file directory,
you now need to convert those source files into the ndbm format maps
that the NIS service uses. This is done automatically for you by ypinit
when called on the master server, as explained in Setting Up the Master Server With ypinit.
The ypinit script calls the program make, which uses the Makefile located in the
/var/yp directory. A default Makefile is provided for you in the /var/yp directory
and contains the commands needed to transform the source files into the desired
ndbm format maps.
You can use the default Makefile as it is, or modify it if
you want. (If you do modify the default Makefile, be sure to first
copy and store the original default Makefile in case you need it for
future use.) You might need to make one or more of the following
modifications to the Makefile:
Nondefault maps
If you have created your own non-default source files and want to convert them to NIS maps, you must add those source files to the Makefile.
DIR value
If you want the Makefile to use source files stored in some directory other than /etc, as explained in Source Files Directory, you must change the value of DIR in the Makefile to the directory that you want to use. When changing this value in the Makefile, do not indent the line.
PWDIR value
If you want the Makefile to use passwd, shadow, and/or adjunct source files stored in some directory other than /etc, you must change the value of PWDIR in the Makefile to the directory that you want to use. When changing this value in the Makefile, do not indent the line.
Domain name resolver
If you want the NIS server to use the domain name resolver for machines not in the current domain, comment out the Makefile line B=, and uncomment (activate) the line B=-b.
The function of the Makefile is to create the appropriate NIS maps for each
of the databases listed under all. After passing through makedbm the data is
collected in two files, mapname.dir and mapname.pag. Both files are in the /var/yp/domainname
directory on the master server.
The Makefile builds passwd maps from the /PWDIR/passwd, /PWDIR/shadow, and /PWDIR/security/passwd.adjunct files, as appropriate.
Setting Up the Master Server With ypinit
The ypinit script sets up master and slave servers and clients to use
NIS. It also initially runs make to create the maps on the
master server.
To use ypinit to build a fresh set of NIS maps on the
master server, do the following.
How to Set Up the Master Server Using ypinit
- On the master server, become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
- Copy the contents of the nsswitch.files file to the nsswitch.conf file.
# cp /etc/nsswitch.files /etc/nsswitch.conf
- Edit the /etc/hosts or /etc/inet/ipnodes file to add the name and IP
address of each of the NIS servers.
- Build new maps on the master server.
# /usr/sbin/ypinit -m
- When ypinit prompts for a list of other machines to become NIS slave
servers, type the name of the server you are working on, along with
the names of your NIS slave servers.
- When ypinit asks whether you want the procedure to terminate at the first
nonfatal error or continue despite nonfatal errors, type y.
When you choose y, ypinit exits upon encountering the first problem; you can then
fix it and restart ypinit. This is recommended if you are running ypinit
for the first time. If you prefer to continue, you can try to
manually fix all problems that occur, and then restart ypinit.
Note - A nonfatal error can appear when some of the map files are
not present. This is not an error that affects the functionality of NIS.
You might need to add maps manually if they were not created automatically.
Refer to Default NIS Maps for a description of all default NIS maps.
- ypinit asks whether the existing files in the /var/yp/domainname directory can be destroyed.
This message is displayed only if NIS has been previously installed.
- After ypinit has constructed the list of servers, it invokes make.
This program uses the instructions contained in the Makefile (either the default one or
the one you modified) located in /var/yp. The make command cleans any remaining
comment lines from the files you designated. It also runs makedbm on the
files, creating the appropriate maps and establishing the name of the master server for
each map.
If the map or maps being pushed by the Makefile correspond to a domain
other than the one returned by the command domainname on the master, you
can make sure that they are pushed to the correct domain by starting
make in the ypinit shell script with a proper identification of the variable
DOM, as follows:
# make DOM=domainname passwd
This pushes the password map to the intended domain, instead of the domain
to which the master belongs.
- To enable NIS as the naming service, type the following.
# cp /etc/nsswitch.nis /etc/nsswitch.conf
This replaces the current switch file with the default NIS-oriented switch file. You
can edit this file as necessary.
Master Supporting Multiple NIS Domains
Normally, an NIS master server supports only one NIS domain. However, if you
are using a master server to support multiple domains, you must slightly modify
the steps, as described in Setting Up the Master Server With ypinit, when setting up the server to
serve the additional domains.
Run the domainname command on the server. The domain name returned by the
command is the server's default domain. The steps described in Setting Up the Master Server With ypinit will work
properly for setting up service for that domain. To configure service for any
other domain, you must modify the ypinit shell script as follows.
# make DOM=correct-domain passwd
correct-domain is the name of the other domain that you are setting up
service for, and passwd is the make target. This command pushes the
passwd map to the intended domain, instead of the domain to which the
master belongs.