Today, NIS is available for almost all UN*X systems, and there are even free implementations of it. One is in the Net-2 distribution from BSD, which is derived from the public domain reference implementation donated by Sun. The client library code from this version has been in GNU's libc for a long time, while the administrative programs have only recently been ported to Linux by Swen Thümmler [1]. An NIS server program is missing from this reference implementation. Tobias Reber has written another NIS package which includes all the tools and a server; this package is called yps. [2]
At present, a complete rewrite of the NIS code called NYS is being done by Peter Eriksson [3]; it supports both plain NIS and Sun's heavily revised NIS+. NYS not only provides a set of NIS tools and a server, but also adds a brand-new set of library functions, which will most likely make it into the standard libc eventually. This includes a new configuration scheme for hostname resolution that replaces the current scheme using host.conf. The features of these functions will be discussed below.
This chapter will focus on NYS rather than the other two packages, which I will refer to as the "traditional" NIS code. If you really want to run any of those packages, the instructions in this chapter may or may not be enough. For additional information, please get a standard book about NIS, such as Hal Stern's NFS and NIS (see [Stern92]).
For the time being, NYS is still under development, so standard Linux tools such as the network programs or the login program are not yet aware of the NYS configuration scheme. Until NYS is merged into the mainstream libc, you therefore have to recompile all these binaries if you want them to use NYS. In the Makefile of any of these applications, specify -lnsl as the last option to the linker before libc. This links the relevant functions from libnsl, the NYS library, instead of from the standard C library.
1.1 Understanding NIS
NIS keeps its database information in so-called maps containing key-value pairs. Maps are stored on a central host running the NIS server, from which clients may retrieve the information through various RPC calls. Quite frequently, maps are stored in DBM files. [4]
The maps themselves are generated from master text files such as /etc/hosts or /etc/passwd. For some files, several maps are created, one for each type of search key. For instance, you may search the hosts file for a host name as well as for an IP address. Accordingly, two NIS maps are generated from it, called hosts.byname and hosts.byaddr, respectively. Table 1.1 lists the common maps and the files they are generated from.
Master File          Map(s)
/etc/hosts           hosts.byname, hosts.byaddr
/etc/networks        networks.byname, networks.byaddr
/etc/passwd          passwd.byname, passwd.byuid
/etc/group           group.byname, group.bygid
/etc/services        services.byname, services.bynumber
/etc/rpc             rpc.byname, rpc.bynumber
/etc/protocols       protocols.byname, protocols.bynumber
/usr/lib/aliases     mail.aliases

Table 1.1 Some standard NIS maps and the files they are generated from.
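To make the "one map per search key" idea concrete, here is an added example (not code from the original text or from any NIS package) that turns a constructed /etc/hosts file into hosts.byname and hosts.byaddr, stores them as DBM files the way an NIS map builder does, and reads single keys back. The host names and addresses are made up for the example.

```python
# Added example (not from the original text): how an NIS master file such as
# /etc/hosts is turned into one map per search key and stored in DBM files.
import dbm
import os
import tempfile

# Constructed sample master file in /etc/hosts format (comments, aliases).
SAMPLE_HOSTS = """\
# /etc/hosts for the virtual brewery (constructed sample)
127.0.0.1       localhost
172.16.1.1      vlager.vbrew.com    vlager  vlager-if1
172.16.1.2      vstout.vbrew.com    vstout
172.16.1.3      vale.vbrew.com      vale
"""


def parse_hosts(text):
    """Yield (address, [names]) for each non-comment line of a hosts file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        yield fields[0], fields[1:]


def build_hosts_maps(text):
    """Return {'hosts.byname': {...}, 'hosts.byaddr': {...}}.

    The value of an entry is the whole original line, as in real NIS maps;
    only the key differs between the two maps.  Every canonical name and
    alias becomes a key in hosts.byname, so a client can resolve either.
    """
    byname, byaddr = {}, {}
    for addr, names in parse_hosts(text):
        value = addr + "\t" + " ".join(names)
        byaddr[addr] = value
        for name in names:
            byname[name] = value
    return {"hosts.byname": byname, "hosts.byaddr": byaddr}


def write_dbm_maps(maps, directory):
    """Store each map as a DBM file (DBM keys and values are bytes)."""
    paths = {}
    for mapname, entries in maps.items():
        path = os.path.join(directory, mapname)
        with dbm.open(path, "n") as db:
            for key, value in entries.items():
                db[key.encode()] = value.encode()
        paths[mapname] = path
    return paths


def lookup(path, key):
    """Read one key back from a DBM map; None if absent (like ypmatch)."""
    with dbm.open(path, "r") as db:
        value = db.get(key.encode())
    return value.decode() if value is not None else None


def demo():
    """Build the maps, write them to a scratch directory, query both."""
    maps = build_hosts_maps(SAMPLE_HOSTS)
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_dbm_maps(maps, tmp)
        return (lookup(paths["hosts.byname"], "vlager"),
                lookup(paths["hosts.byaddr"], "172.16.1.2"),
                lookup(paths["hosts.byname"], "nosuchhost"))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that an alias such as vlager-if1 yields the same value as the canonical name, and that the byaddr map has one key per line while the byname map has one key per name or alias.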
In some NIS packages or other software, you may find other files and maps useful. These may contain information about applications not discussed in this book, such as the bootparams map that may be used by some BOOTP servers, or files that currently serve no function under Linux (like the ethers.byname and ethers.byaddr maps).
For some maps, people commonly use nicknames, which are shorter and easier to type. To get a complete list of the nicknames your NIS tools understand, run the following command:
$ ypcat -x
NIS map nickname translation table:
        "passwd" -> "passwd.byname"
        "group" -> "group.byname"
        "networks" -> "networks.byaddr"
        "hosts" -> "hosts.byname"
        "protocols" -> "protocols.bynumber"
        "services" -> "services.byname"
        "aliases" -> "mail.aliases"
        "ethers" -> "ethers.byname"
        "rpc" -> "rpc.bynumber"
        "netmasks" -> "netmasks.byaddr"
        "publickey" -> "publickey.byname"
        "netid" -> "netid.byname"
        "passwd.adjunct" -> "passwd.adjunct.byname"
        "group.adjunct" -> "group.adjunct.byname"
        "timezone" -> "timezone.byname"
The NIS server is traditionally called ypserv. For a medium-sized network, a single server is usually sufficient; a large network may need to run several servers on different network segments and different machines to reduce the load on the server machines and routers. These servers are kept in sync by making one of them the master server and the others slave servers. The maps are built only on the master server, which distributes them to all slaves.
You may have noticed that we have been talking about "networks" rather vaguely; of course, NIS has a precise notion of what such a network is: the collection of all hosts that share part of their system configuration data through NIS, the NIS domain. Unfortunately, the NIS domain has absolutely nothing in common with the domains we encounter in DNS. To avoid ambiguity throughout this chapter, I will always point out which type of domain I am talking about.
NIS domains have a purely administrative function. They are mostly invisible to users, except for the sharing of passwords among all machines in the domain. Therefore, the name given to an NIS domain is relevant only to the administrator. Generally, you can use any name as long as it is different from any other NIS domain name on your local network. For example, the administrator of the Virtual Brewery may choose to create two NIS domains, one for the brewery itself and one for the winery, which she names brewery and winery respectively. Another very common scheme is to simply use the DNS domain name as the NIS domain name. To set and display the NIS domain name of your host, you use the domainname command. When it is called without any arguments, it prints the current NIS domain name; to set the domain name, you must become the superuser and type:
# domainname brewery
The NIS domain determines which NIS server an application will query. For instance, the login program on a host in the Winery will (of course) query only the winery's NIS server (or one of them, if there are several) for the user's password information; an application on a brewery host will query only the brewery's server.
One question remains: how does a client find out which server to connect to? The simplest approach would be a configuration file naming the host on which to find the server. However, this approach is rather inflexible, because it does not allow clients to use different servers (from the same domain, of course) depending on whether those servers are up or not. Therefore, traditional NIS implementations rely on a special daemon called ypbind to detect a suitable NIS server in their NIS domain. Before any NIS query can be performed, an application first has to find out from ypbind which server to use.
ypbind probes for servers by broadcasting on the local IP network; the first server to respond is presumed to be the fastest one and is used for all subsequent NIS queries. After a certain interval has elapsed, or if the server becomes unavailable, ypbind probes for a running server again.
Now, the argument against dynamic binding is that you rarely need it, and that it introduces a security problem: ypbind blindly trusts whoever answers, which may be a humble NIS server as well as a malicious intruder. Needless to say, this becomes especially troublesome if you manage your password database over NIS. To guard against this, NYS does not use ypbind by default but takes the server's host name from a configuration file instead.
1.2 NIS has little in common with NIS+
NIS and NIS+ share little more than their name and a common goal. NIS+ is structured in an entirely different way. Instead of a flat namespace with loosely connected NIS domains, it uses a hierarchical namespace similar to that of DNS. Instead of maps, it uses so-called tables composed of rows and columns. In an NIS+ database, each row of a table represents an object, and the columns represent those properties of the objects that NIS+ knows and cares about. Each table for a given NIS+ domain comprises those of its parent domains. In addition, an entry in a table may contain a link to another table. These features make it possible to structure information in many ways.
The RPC version number of traditional NIS is 2, while that of NIS+ is 3.
NIS+ doesn't seem to be widely used so far, and I actually don't know much about it. Well, I hardly know anything about it. For this reason, we won't cover it here. If you are interested in it and want to learn more, please refer to Sun's NIS+ Management Manual ([NISPlus]).
1.3 NIS on the client side
If you are familiar with writing or porting network applications, you will notice that many of the NIS maps listed above correspond to library functions in the C library. For example, to get passwd information, you usually use the getpwnam(3) and getpwuid(3) functions, which return the account information associated with the given user name or numerical user id, respectively. Under normal circumstances, these functions perform the requested lookup in a standard file such as /etc/passwd.
An NIS-aware implementation of these functions, however, changes this behavior and issues an RPC call asking the NIS server to look up the user name or id. This happens completely transparently to the application. The functions may either "append" the NIS map to, or "replace" it for, the original file. Of course, this does not actually modify the file; it only makes it look to the application as if the file had been replaced or appended to.
For the traditional NIS implementation, there were certain conventions about which maps were replaced and which were appended to the original information. Some maps, like the passwd map, require kludgy modifications to the passwd file which, when done wrong, open up security holes. To avoid this pitfall, NYS has a general configuration scheme that determines whether a particular set of client functions uses the original files, NIS, or NIS+, and in which order. This will be discussed later in this chapter.
1.4 Running an NIS server
After so much theoretical talk, it is time to get down to the actual configuration work. In this section, we cover the configuration of an NIS server. If an NIS server is already running on your network, you don't have to set up your own; in that case, you may safely skip this section.
Note that if you are just going to experiment with the server, make sure you do not set it up with an NIS domain name that is already in use on your network, because that may disrupt the entire network service and make many people very unhappy and angry.
There are currently two free NIS servers for Linux: one is contained in Tobias Reber's yps package, and the other is in Peter Eriksson's ypserv package. As for which one you run.