
A Linux User Reference


NETWORK APPLICATIONS

NIS

  • Network Information System (NIS)
    • NIS provides a simple network lookup service consisting of databases and processes.
    • It allows the distribution of information that resides on a server to all hosts on the network

    NIS is often used to distribute a central passwd file. In such a case NIS distributes /etc/passwd and /etc/group to all hosts in the NIS domain, allowing a user to log into any system on the network with the same username and password.

    • When more than one NIS server exists for a domain one server is configured as a Master, the others as Slaves.
    • The NIS master server stores all canonical copies of all NIS information databases/maps.
    • NIS slave servers maintain backup copies of NIS maps that are periodically updated by the master.
    • NIS master and slave servers handle all NIS requests via the 'ypserv' daemon.
    NIS domain

    The name can be anything you like, but it must be the same for all clients and servers within the domain.

    /var/yp/[domainname]/ypservers

    The NIS ypservers map containing the names of all servers in a particular NIS domain.

    /etc/defaultdomain

    Set the NIS domain. Same as for client.

    NIS is not very secure - several steps may well be needed to beef up security; some of these are covered in later articles, others may well be distribution dependent, so read your distro's documentation on the subject.

    NIS is dangerous - anyone who can get access to the daemon can dump your password lists.

    Since what security there is is IP address based, using dynamic IPs via DHCP is not recommended. At the very least use static IPs for clients and servers.

  • NIS bindings file
    /etc/yp.conf
    • Used for client configuration as well
    • Contains NIS bindings. This is read by 'ypbind' on startup. Valid entries are:
    # Use server <hostname> for the domain <nisdomain>. You could have more than one
    # entry of this type for a single domain.
    domain <nisdomain> server <hostname>
    
    # Use broadcast on the local net for domain <nisdomain>.
    domain <nisdomain> broadcast
    
    # Use server <hostname> for the local domain.
    ypserver <hostname>
    
  • NIS server daemon
    /usr/sbin/ypserv
    • A NIS server - only runs on server systems with a complete NIS database.
    • The databases are 'gdbm' files in a directory tree rooted at /var/yp.
    • On startup or when receiving the signal SIGHUP, 'ypserv' parses the file /etc/ypserv.conf.
    • Usually invoked via an init.d script.
    ypserv [-d [path]] [-p port] [-i iface]
    
    Options:
     -d --debug [path]         Debug mode.
     -i --iface iface          Only provide services on 'iface'.  Default=all interfaces.
     -p --port port            Bind itself to this port.  Allows for router filtering.
     -v --version              Prints the version number
    
  • Updating NIS passwords
    rpc.yppasswdd
    • An RPC-based server process for updating NIS passwords.
    • It allows users to change their NIS passwords and certain other information using the 'yppasswd' and 'ypchpass' commands.
    • It accepts incoming password change requests, authenticates them, places the updated information in the /var/yp/master.passwd template file and then updates the NIS master.passwd and passwd maps.
    • Can only be run on a machine that is a NIS master server.
    rpc.yppasswdd [-t master.passwd template_file] 
                  [-d default domain]
                  [-p path] [-s] [-f] [-a] [-m] 
                  [-i] [-v] [-u] [-h]
    
    Options:
     -t master.passwd template_file      
                           By default assumes the template file used to generate the
                           master.passwd and passwd maps for the default domain is
                           called /var/yp/master.passwd.
                           Override by specifying an alternate file name.
     -d domain             Can support multiple domains however it must choose one 
                           domain as a default. Will try to use the system default
                           domain name.  If this is not set a default domain must 
                           be specified on the command line. If the system default
                           domain is set, then this option can be used to override it.
     -p path               Override the default path to the location of the NIS map
                           databases. The compiled-in default path is /var/yp.
     -s                    Disallow changing of shell information.
     -f                    Disallow changing of full name ('GECOS') information.
     -a                    Allow additional/extra changes to be made to the NIS 
                           passwd databases (by Super-user).
     -m                    Enable multi-domain mode. Will search all domain maps for 
                           a match with a client.  Off by default.
     -i                    Perform map updates in place. Useful if the password maps 
                           are large - updates in seconds as opposed to minutes.
     -v                    Enable verbose logging mode.
     -u                    Disable privileged/reserved port checking.  Many commercial
                           yppasswd clients do not use a reserved port when sending 
                           requests to rpc.yppasswdd. The default behaviour is to 
                           ignore requests that do not use a reserved port. This flag
                           overrides the default.
     -h                    Display the list of flags and options understood by 
                           rpc.yppasswdd.
    
  • NIS map transfer server
    rpc.ypxfrd
    • NIS map transfer server.
    • Used to speed up the transfer of very large NIS maps from a NIS master to the NIS slave server.
    • It allows NIS slave servers to simply copy the master server's map files rather than building their own from scratch.
    • Uses an RPC-based file transfer protocol, so that there is no need for building a new map.
    • Could be started by 'inetd' but, since it starts very slowly, it should be started after 'ypserv' from '/etc/init.d/ypxfrd'.
    /usr/sbin/rpc.ypxfrd [-d path]
                         [-p port]
                         [--debug]
    
    /usr/sbin/rpc.ypxfrd --version
    
    Options:
     --debug                           Debug mode.
     -d directory                      Use this directory instead of /var/yp
     -p port                           Bind itself to this port, which makes 
                                       it possible to filter it at a router.
     --version
    
  • Domain access control
    /etc/ypserv.conf
    • The configuration file for 'ypserv' and 'rpc.ypxfrd'.
    • It contains access rules that can deny or restrict access to certain maps based on the originating host.

    Example entries

    # Format:
    # host:map:security:mangle[:field]
    
    # The following, when uncommented,  will give you shadow like passwords.
    # Master and Slave servers must run the same NIS server
    # Host                       : Map              : Security   : Passwd_mangle
    #
    # *                          : passwd.byname    : port       : yes
    # *                          : passwd.byuid     : port       : yes
    # *                          : *                : none
    # Default - restrict access to the shadow password file, allow access to all others
    10.1.0.0/255.255.255.0       : shadow.byname         : port
    10.1.0.0/255.255.255.0       : passwd.adjunct.byname : port
    10.1.0.0/255.255.255.0       : *                     : none
    

    The above is not very safe as you have to specify what is not allowed instead of what is. Safer to specify from which hosts access is allowed - one of two ways:

    (a) /etc/ypserv.securenets

    Sample entries - /etc/ypserv.securenets

    # <netmask> <network>
    255.255.255.255 127.0.0.1          # Allow localhost, can also write as   
                                      # host 127.0.0.1
    255.255.255.0   131.234.223.0      # Allow any host on the 131.234.223.0
    255.255.254.0   131.234.214.0      # Allow any host between 131.234.214.0
                                      # and 131.234.215.255
    

    Limits access to the hosts listed. If '/etc/ypserv.securenets' does not exist, connections from all hosts are ALLOWED.
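    Added example (not from this reference and not part of the ypserv package): a small POSIX sh checker that answers "would this client address get through my securenets file?", using the sample entries above as a constructed test file. It treats a missing file as allow-all, which is the behaviour noted above, and prints a warning in that case.

```shell
#!/bin/sh
# Added example (not from the reference page): check which client addresses an
# ypserv.securenets file admits, and flag the case the text warns about -
# a missing file means ypserv accepts connections from every host.
# The file written below is constructed from the page's sample entries.

# Dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows <file> <client-ip>
# Returns 0 if the client matches some "<netmask> <network>" or
# "host <address>" entry in <file>, 1 otherwise.
securenets_allows() {
    file=$1; client=$2
    if [ ! -f "$file" ]; then
        echo "WARNING: $file does not exist - ypserv will accept ALL hosts" >&2
        return 0
    fi
    cip=$(ip2int "$client")
    # Strip comments, then test each entry; the group runs in a subshell,
    # so its exit status becomes the function's return value.
    sed 's/#.*//' "$file" | {
        while read -r mask net; do
            [ -z "$net" ] && continue
            [ "$mask" = host ] && mask=255.255.255.255
            m=$(ip2int "$mask"); n=$(ip2int "$net")
            [ $(( cip & m )) -eq $(( n & m )) ] && exit 0
        done
        exit 1
    }
}

# Print a one-line verdict without changing the caller's exit status.
report() {
    if securenets_allows "$1" "$2"; then
        echo "$2: allowed"
    else
        echo "$2: denied"
    fi
}

# Constructed sample file using the page's example entries.
SAMPLE_SECURENETS=$(mktemp)
cat > "$SAMPLE_SECURENETS" <<'EOF'
# <netmask> <network>
255.255.255.255 127.0.0.1          # localhost, can also be written as: host 127.0.0.1
255.255.255.0   131.234.223.0      # any host on 131.234.223.0/24
255.255.254.0   131.234.214.0      # 131.234.214.0 - 131.234.215.255
EOF

report "$SAMPLE_SECURENETS" 127.0.0.1          # allowed
report "$SAMPLE_SECURENETS" 131.234.215.9      # allowed (inside the /23)
report "$SAMPLE_SECURENETS" 131.234.216.1      # denied  (just outside it)
report "$SAMPLE_SECURENETS" 10.9.9.9           # denied
report /nonexistent/ypserv.securenets 10.9.9.9 # allowed, with a warning
```

    Run it against the real /etc/ypserv.securenets with the address of a host that should NOT have access; a surprising "allowed" usually means a netmask that is wider than intended (255.255.254.0 covers two /24s, as the page's last entry shows).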

    (b) TCP wrappers

    /etc/hosts.allow and /etc/hosts.deny (Support needs to be compiled into ypserv).

    Add to /etc/hosts.allow

    portmap ypserv ypbind : <list of IP addresses that are allowed access>
    

    See Network Applications, Internet daemon, TCP Wrappers

  • Creating NIS maps
    /var/yp/Makefile
    • NIS keeps database information in files called maps. These maps contain key-value pairs.
    • Run 'make' in the directory /var/yp/.
    • 'make' reads the file /var/yp/Makefile which contains the definitions of the NIS environment.
    • The various maps are held in /var/yp/<domainname>/<map-name>.

    Edit /var/yp/Makefile

    Customise location of master files before initialising.

    YPSRCDIR = /etc
    YPPWDDIR = /etc
    YPBINDIR = /usr/lib64/yp
    YPSBINDIR = /usr/sbin
    YPDIR = /var/yp
    YPMAPDIR = $(YPDIR)/$(DOMAIN)
    

    Default maps - /var/yp/<domain>/

    rpc.bynumber
    group.bygid
    rpc.byname
    passwd.byuid
    protocols.byname
    passwd.byname
    ypservers
    services.byname
    mail.aliases
    group.byname
    hosts.byname
    services.byservicename
    netid.byname
    hosts.byaddr
    protocols.bynumber
    

    Run make

    # make -C /var/yp
    

    Initialise the server maps - one time only

    # /usr/lib/yp/ypinit -m
    

    '-m' if the local host is the NIS master.

  • Starting a NIS server
    • Dependent on the distribution. There is usually an 'init.d' script for each service that is required.
    • The services are usually started separately to prevent any delay; however there may be a wrapper script (like 'nis') in 'init.d' that starts them all.
    #/etc/init.d/nis start             (Debian - NISSERVER=master in /etc/default/nis)
                                       (or)
    #/etc/init.d/ypserv start          (Redhat)
    #/etc/init.d/yppasswdd start
    #/etc/init.d/ypxfrd start
    #/etc/init.d/ypbind start
    

    Use 'stop' to stop, and likewise the other usual 'init.d' script options. You need to be root (or have root privileges) to start, stop, reload ... the services.

  • NIS slave server

    To configure a slave server:

    • Needs to be a client first, then can be set up to be a slave.
    • Ensure slave is listed in master's /etc/hosts and vice versa
    • Configure slave's /var/yp/securenets file

    On master server in /var/yp/Makefile

    .....
    NOPUSH=false
    

    On master server

    # /usr/lib64/yp/ypinit -m
    

    Enter the hostname of the slave server when prompted.

    On slave start the server

    # /etc/init.d/nis stop                (debian - NISSERVER=slave in /etc/default/nis)
    # /etc/init.d/nis restart
                                          (or)
    # /etc/init.d/ypserv start             (redhat)
    

    Initialise the slave server

    # /usr/lib64/yp/ypinit -s <master_server>
    

    '-s' sets up a slave server with the database from <master_server>.

    Test

    # ypcat -h localhost passwd
    

    Print the values of all keys from the NIS database 'passwd' on localhost.

    NIS does not synchronise slaves automatically; create script(s) to run from cron to transfer/sync the maps.

    The 'yppush' command will initiate a transaction between the master and slave during which the slave will transfer (pull) the specified maps from the master server using 'ypxfr'.
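    Added example, not from this reference: a slave-side cron job that pulls a list of maps from the master with 'ypxfr', as a complement to the master-side 'yppush'. The master hostname, domain and script path are placeholders; the map names are the page's default maps. It runs in dry-run mode unless DRY_RUN=0, so it can be tried without a NIS master.

```shell
#!/bin/sh
# Added example (not from the reference page): a cron job for a NIS slave that
# pulls a fixed list of maps from the master with ypxfr, so slaves do not
# drift when a push from the master is missed. DRY_RUN=1 (the default here)
# prints the commands instead of running them; the cron entry sets DRY_RUN=0.
# The master hostname, domain and script path below are placeholders.
#
# Constructed /etc/crontab entry (hypothetical path) to pull once an hour:
#   0 * * * *  root  DRY_RUN=0 /usr/local/sbin/nis-sync
MASTER=${MASTER:-nismaster.example.com}
DOMAIN=${DOMAIN:-example.nis}
DRY_RUN=${DRY_RUN:-1}
# Maps listed by the page as the defaults built by /var/yp/Makefile.
MAPS="passwd.byname passwd.byuid group.byname group.bygid hosts.byname hosts.byaddr \
      services.byname services.byservicename protocols.byname protocols.bynumber \
      rpc.byname rpc.bynumber netid.byname mail.aliases"

# ypxfr_cmd <master> <domain> <map> - the transfer command for one map:
# -f forces the copy even if the master's copy is not newer, -h names the
# source host and -d the target domain (flags as documented on the page).
ypxfr_cmd() {
    printf 'ypxfr -f -h %s -d %s %s' "$1" "$2" "$3"
}

# sync_maps <master> <domain> <map>... - transfer each map, log failures to
# syslog via logger, return the number of maps that failed (0 = all good).
sync_maps() {
    master=$1; domain=$2; shift 2
    failed=0
    for map in "$@"; do
        cmd=$(ypxfr_cmd "$master" "$domain" "$map")
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        elif ! $cmd >/dev/null 2>&1; then
            logger -t nis-sync "ypxfr failed for $map from $master"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

sync_maps "$MASTER" "$DOMAIN" $MAPS
```

    The non-zero return value and the syslog line are what make this worth running from cron: a slave that silently serves stale passwd maps is the failure mode to watch for. The ypserv distribution ships scripts along the same lines (ypxfr_1perhour, ypxfr_1perday, ypxfr_2perday, in the same directory as ypinit), which are the first thing to look for on a packaged system.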

  • Distribute NIS maps from master to slave servers
    yppush
    • Distributes updated NIS databases (or maps) from an NIS master server to NIS slave servers within an NIS domain.
    • It is normally only run on the NIS master by /var/yp/Makefile whenever any of the NIS maps are updated.
    • The NOPUSH=True entry in the Makefile must first be commented out (as in the previous article - configure slave server).
    yppush [-d domain] 
           [-t timeout] [-j #parallel jobs]
           [-h host] [-p path] [-v]  mapname
    
    Options:
     -d  domain                Specify a particular domain; the default is the NIS domain
                               of the local host.  If the local host's domain name is 
                               not set it must be specified with this flag.
     -h host [-h host ...]     Specify particular server(s), default is for 'yppush' to
                               determine the names of the slave servers for a domain by
                               searching the 'ypservers' map file
     -p  path                  By default, expects all the local NIS maps to be stored
                               under /var/yp. Specify an alternate path
    
  • Copy a NIS db, map
    ypxfr
    • Copies a NIS db, map from one NIS server to the local host by using the NIS service.
    • Generally invoked by 'ypinit' or by 'ypserv' when 'ypserv' receives a map transfer request from 'yppush'.
    ypxfr [-f] [-c] [-d target-dom] 
          [-h src host] [-s src domain]
          [-p path] 
          [-C taskid prog-num ip port]
          mapname
    
    Options:
     -f                               Force a map transfer, usually no transfer if NIS master's copy
                                      is not newer than the existing copy.
     -c                               Do not send a 'clear current map' request to 'ypserv' running
                                      on the local host. Normally used when invoking 'ypxfr' manually
                                      on a machine that is not yet running 'ypserv'; without this flag,
                                      failure to contact the local NIS server will cause 'ypxfr' to
                                      abort the transfer.
     -d target-dom                    Specify a target domain other than the current NIS domain.
     -h src host                      Specify the name of the host from which to copy the NIS maps.
     -s src domain                    Specify the domain from which to transfer a map (transfer is being
                                      done across two different NIS domains).
     -p path                          Specify the top level directory containing the NIS maps, default
                                      is /var/yp.
     -C taskid prog-num ip port       Used only when 'ypxfr' is invoked by 'ypserv' in response to a map
                                      transfer request initiated by 'yppush'. 'ypxfr' needs to reference
                                      the calling program ('yppush') in order to reply.
      mapname                         The name of the map to transfer.
    
  • Some additional NIS commands
    Command       Brief description
    ypbind        Finds the server for NIS domains and maintains the NIS binding information
    ypcat         Prints the values of all keys from the NIS db by mapname (or map nickname)
    ypchfn        Change user's GECOS info (on central server only)
    ypchsh        Change user's shell (on central server only)
    yppasswd      Change the user's NIS password (on central server only)
    ypdomainname  Sets or displays the name of the current NIS domain
    ypmatch       Prints the values of one or more keys from the NIS database specified by mapname
    yppoll        Returns the version and master server of a NIS map
    yppush        Forces the propagation of changed NIS databases
    ypserv        Network Information Service (NIS) server daemon
    ypset         Binds ypbind to a specific NIS server
    yptest        Test configuration
    ypwhich       Returns the name of the NIS server or the name of the master for a map
  • Debian default daemon settings
    /etc/default/nis

    Default settings

    # Configuration settings for the NIS daemons
    
    NISSERVER=false        # Type of NIS server if one - [ false | slave | master ]
    YPPWDDIR=/etc          # NIS master password file (for yppasswdd)
    YPCHANGEOK=chsh        # User can  - [ chsh | chfn | chsh,chfn ]
    

    'chsh' change login shell, 'chfn' change real user name and information.

  • Name Service Switch configuration
    /etc/nsswitch.conf

    System databases and NSSwitch configuration

    .....
    passwd:         compat
    group:          compat
    shadow:         compat
    
    # <DB name>: <service> [action] <service> .....
    hosts:          dns [!UNAVAIL=return] files
    networks:       nis [NOTFOUND=return] files
    ethers:         nis [NOTFOUND=continue] files
    protocols:      nis [NOTFOUND=return] files
    rpc:            nis [NOTFOUND=return] files
    services:       nis [NOTFOUND=return] files
    .....
    
    # <DB name>
    # aliases, ethers, group, hosts, netgroup, network, passwd, 
    # protocols, publickey, rpc, services, shadow
    #
    # <service>
    # compat, db, files, hesiod, nis, nisplus, dns
    #
    # [action]
    # Action items are placed within brackets and between two service names
    #    [( !STATUS = ACTION )+]      ! negates the STATUS and can be omitted
    #    [STATUS]                     success, notfound, unavail or tryagain
    #    [ACTION]                     return or continue
    

    For older systems, set the lookup order in /etc/host.conf:

    order hosts,nis,bind
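    Added example (not from this reference): a POSIX sh simulation of how one nsswitch.conf line is evaluated under the rules in the comment block above, i.e. the default actions (success returns, anything else continues) plus any [STATUS=ACTION] overrides. The per-service outcomes are constructed "svc=status" inputs, so it runs without any NIS or DNS server; the sample lines are the page's own hosts, networks and ethers entries.

```shell
#!/bin/sh
# Added example (not from the reference page): simulate how glibc walks one
# nsswitch.conf line, applying the default actions and any [STATUS=ACTION]
# overrides, so the effect of an action entry can be checked before relying
# on it. The per-service outcomes are constructed inputs, not real lookups.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# outcome_of <service> "<svc=status ...>" - status that service would report
# (success, notfound, unavail or tryagain); unlisted services report notfound.
outcome_of() {
    for pair in $2; do
        if [ "${pair%%=*}" = "$1" ]; then printf '%s' "${pair#*=}"; return 0; fi
    done
    printf 'notfound'
}

# nss_lookup "<services and actions>" "<svc=status ...>"
# Prints "<status> <service>": the status of the service at which the lookup
# stopped (or of the last one consulted when every service said 'continue').
nss_lookup() {
    # put spaces around brackets so each [ ] entry becomes its own token
    spec=$(printf '%s' "$1" | sed 's/\[/ [ /g; s/]/ ] /g')
    outcomes=$2
    inblock=0; decided=0; svc=""; status=""; action=""
    for tok in $spec; do
        case $tok in
        '[') inblock=1; continue ;;
        ']') inblock=0; continue ;;
        esac
        if [ "$inblock" -eq 1 ]; then
            # [!STATUS=ACTION] applies to the service just consulted; the
            # first entry matching its status replaces the default action
            if [ "$decided" -eq 1 ]; then continue; fi
            negate=0
            case $tok in '!'*) negate=1; tok=${tok#!} ;; esac
            want=$(lower "${tok%%=*}"); act=$(lower "${tok#*=}")
            match=0
            if [ "$want" = "$status" ]; then match=1; fi
            if [ "$negate" -eq 1 ]; then match=$((1 - match)); fi
            if [ "$match" -eq 1 ]; then action=$act; decided=1; fi
            continue
        fi
        # a new service: first honour the previous service's action
        if [ "$action" = return ]; then break; fi
        svc=$tok
        status=$(outcome_of "$svc" "$outcomes")
        # defaults: success=return, notfound/unavail/tryagain=continue
        if [ "$status" = success ]; then action=return; else action=continue; fi
        decided=0
    done
    printf '%s %s\n' "$status" "$svc"
}

# The page's hosts line: files is only reached if DNS is unavailable.
nss_lookup "dns [!UNAVAIL=return] files" "dns=notfound files=success"   # notfound dns
nss_lookup "dns [!UNAVAIL=return] files" "dns=unavail files=success"    # success files
# The page's networks and ethers lines differ only in the action on NOTFOUND.
nss_lookup "nis [NOTFOUND=return] files"   "nis=notfound files=success" # notfound nis
nss_lookup "nis [NOTFOUND=continue] files" "nis=notfound files=success" # success files
```

    The first two calls show the trap in the page's hosts line: a name that DNS answers "not found" for is never looked up in /etc/hosts, because [!UNAVAIL=return] turns every status except UNAVAIL into a return. Only when DNS is unreachable does the lookup fall through to files.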
    
  • Define groups of users and systems
    /etc/netgroup
    # Format:
    # <netgroup> (host,user,domain) | netgroup [, ...]
    
    nfsservers  (f64local,,)
    nfsclients  (g86local,,), nfsservers
    serverusers (,mark,)                # If using compat for passwd in /etc/nsswitch.conf
                                        # +@serverusers:::::: => mark has access
    
    # Examples from IBM
    machines  (venus, -, star)          # host venus belongs to the machines group in the star domain
    people    (-, bob, star)            # user bob belongs to the people group in the star domain
    

    The "-" character will not match any specific user-name or hostname, it is commonly used as a placeholder that will match only wildcarded membership queries.

    Create the map file

    # /usr/lib64/yp/makedbm /etc/netgroup /var/yp/markstest.com/netgrp.byname
    
  • Define aliases, nicknames for map files
    /var/yp/nicknames

    Sample entries

    # Format:
    # <nickname>  <map name>
    
    passwd          passwd.byname
    group           group.byname
    
  • NIS Client configuration
    /etc/yp.conf
    • A NIS client receives information held on NIS servers.
    • If the NIS server is on the same subnet then the client normally finds the server via a broadcast.
    • If the server is not on the same subnet then the client must be configured with which server to use.
    • /etc/yp.conf is the NIS binding configuration file.

    Sample entries

    # Use the server <hostname> for the domain <nisdomain>.
    # You could have more than one entry of this type for a single domain.
    domain <nisdomain> server <hostname>
    
    # Use broadcast on the local net for domain <nisdomain>.
    domain <nisdomain> broadcast
    
    # Query the local running SLP server for hosts running ypserv and 
    # distributing <nisdomain>.
    # This option is only available, if ypbind was compiled 
    # with SLP support.
    domain <nisdomain> slp
    
    # Use server <hostname> for the local domain.
    ypserver <hostname>
    
    # If no other server is given or all of them are not reachable, try 
    # a broadcast call for the default domain to find a server.
    broadcast
    

    If both a 'broadcast' and a 'ypserver' line are present, 'ypbind-mt' tries the given servers first before falling back to broadcasting for a running server.

    When adding the servername in /etc/yp.conf make sure the server is also in /etc/hosts or use the server's IP. If you do not and if the network/dns is not up when the system boots, 'ypbind' will not be able to resolve the server(s) in /etc/yp.conf and will hang.

  • Set NIS client's domain
    /etc/defaultdomain

    Edit file /etc/defaultdomain

    <NIS-domain-name>
                                                      (or)
    # sysctl -w kernel.domainname=<NIS-domain-name>
    
  • NIS client
    stop, start
    # /etc/init.d/nis stop
    # /etc/init.d/nis start
    

    The 'init.d' script will also start the 'ypbind' daemon which binds a NIS client to a NIS domain. 'ypbind' must be running on any NIS client.