Dear Sun-managers :
Many thanks to :
Stuart Kendrick
Richard Aures
Waqar Hafiz
Rich Kulawiec
The related documents are as following :
SunService Tip Sheet for Sun NIS+ availible on
http:/sunsolve.sun.com/sunsolve or for free on
http://www.batnet.com:80/stokely/sunservice.tips/11988.html
Further it's recommended to read SOLFAQ.TXT on
http://sunsolve.sun.com/cserve/X86-FAQ.
And last but not least don't forget to read the Solaris 2.5
answerbook chapter called NIS+ and DNS Setup and Configuration Guide
And there is a attachment form Mr. Stuart Kendrick which helps a lot
in setting up the Nis+ server and client :
Building the NIS+ domain from scratch
-------------------------------------
In this example, I assume that the root master is bug0.
Note that in NIS+ the absence or inclusion of a trailing dot is important.
Use /opt/local/sbin/nukenis to remove NIS+.
Whenever messing with NIS+, keep a separate window open with a “tail -f /var/log/syslog” running.
On bug0:
-Create a file called /etc/defaultdomain containing the single line “fhcrc.org” and reboot.
-nisserver -r -v -d fhcrc.org. -g admin.fhcrc.org.
-Edit /etc/nsswitch.conf and modify as necessary:
#
# /etc/nsswitch.nisplus:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS+ (NIS Version 3) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files nisplus
group: files nisplus
# consult /etc "files" only if nisplus is down.
#hosts: nisplus [NOTFOUND=return] files
#Uncomment the following line, and comment out the above, to use both DNS
#and NIS+. You must also set up the /etc/resolv.conf file for DNS name
#server lookup. See resolv.conf(4).
hosts: dns nisplus [NOTFOUND=return] files
services: nisplus [NOTFOUND=return] files
networks: nisplus [NOTFOUND=return] files
protocols: nisplus [NOTFOUND=return] files
rpc: nisplus [NOTFOUND=return] files
ethers: nisplus [NOTFOUND=return] files
netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
netgroup: nisplus
automount: files nisplus
aliases: nisplus [NOTFOUND=return] files
sendmailvars: files nisplus
- Populate the tables
-mkdir /opt/local/config/files
-Copy the following files to /opt/local/config/files: auto_home, auto_master,
group, netmasks, networks, passwd, protocols, rpc, services, shadow, timezone. I skip ethers and bootparams because we don't use them. Leave out hosts and aliases for now. Edit passwd and group and remove all the system accounts (root et al). Leave “s
ysadmin” in group ... currently “sysadmin” includes four UIDs: jhjort, ptorng, rhood, sbk. I recommend leaving auto_home empty. (Otherwise, when NIS+ is broken ... you can’t log in.)
-nispopulate -v -F -d fhcrc.org. -l 1124cns5063 -p /opt/local/config/files
The ending message will say:
auto_home ethers hosts bootparams netgroup mail_aliases”
This is fine.
-Now copy hosts and aliases to /opt/local/config/files
-nisaddent -v -f /opt/local/config/files/hosts hosts
-nisaddent -v -f /opt/local/config/files/aliases aliases
-Now erase hosts and aliases from /opt/local/config/files (trust me, you want to do this to avoid messing yourself up on a future install)
[I don’t use “nispopulate” to import hosts and aliases into NIS+ because nispopulate adds *credentials* for all hosts and aliases ... and I don’t want to add credentials for *everybody*, just for the usrs in passwd. nisaddent just imports data into table
s; it doesn’t mess with credentials.]
-nisgrpadm -a admin.fhcrc.org. jhjort.fhcrc.org. ptorng.fhcrc.org. rhood.fhcrc.org. skendric.fhcrc.org.
[This adds these four users to the NIS+ “admin.fhcrc.org.” group. Members of this group are allowed to modify the NIS+ tables. Use “nisgrpadm -l admin.fhcrc.org.” to list the members of a group. When a machine is listed, that means that the root UID on
that machine is a member of the group.]
-nisping -C fhcrc.org.
-Edit /etc/passwd and /etc/group and remove all but the default entries
-To create credentials for users -- public/prviate key combinations -- each user needs to run the following. When prompted for the "Secure RPC network password", s/he needs to type "1124cns5063"
-nisclient -u
-nislog | more
bug0{root}: nislog | more
NIS Log printing facility.
NIS Log dump :
Log state : STABLE.
Number of updates : 3
Current XID : 5258
Size of Log in bytes : 516
*** UPDATES ***
@@@@@@@@@@@@@@@@ Transaction @@@@@@@@@@@@@@@@@@
#00000, XID : 5256
Time : Thu Nov 21 14:36:39 1996
Directory : groups_dir.fhcrc.org.
Entry type : UPDATE time stamp.
Entry timestamp : Thu Nov 21 14:36:39 1996
Principal : bug0.fhcrc.org.
Object name : groups_dir.fhcrc.org.
.................. Object .....................
Object Name :
Directory : groups_dir.fhcrc.org.
Owner :
Group :
Access Rights : ----------------
Time to Live : 0:0:0
Creation Time : Wed Dec 31 16:00:00 1969
Mod. Time : Wed Dec 31 16:00:00 1969
Object Type : NONE
...............................................
@@@@@@@@@@@@@@@@ Transaction @@@@@@@@@@@@@@@@@@
#00001, XID : 5257
Time : Thu Nov 21 14:26:27 1996
Directory : org_dir.fhcrc.org.
Entry type : UPDATE time stamp.
Entry timestamp : Thu Nov 21 14:26:27 1996
Principal : bug0.fhcrc.org.
Object name : org_dir.fhcrc.org.
.................. Object .....................
Object Name :
Directory : org_dir.fhcrc.org.
Owner :
Group :
Access Rights : ----------------
Time to Live : 0:0:0
Creation Time : Wed Dec 31 16:00:00 1969
Mod. Time : Wed Dec 31 16:00:00 1969
Object Type : NONE
...............................................
@@@@@@@@@@@@@@@@ Transaction @@@@@@@@@@@@@@@@@@
#00002, XID : 5258
Time : Thu Nov 21 14:36:33 1996
Directory : fhcrc.org.
Entry type : UPDATE time stamp.
Entry timestamp : Thu Nov 21 14:36:33 1996
Principal : bug0.fhcrc.org.
Object name : fhcrc.org.
.................. Object .....................
Object Name :
Directory : fhcrc.org.
Owner :
Group :
Access Rights : ----------------
Time to Live : 0:0:0
Creation Time : Wed Dec 31 16:00:00 1969
Mod. Time : Wed Dec 31 16:00:00 1969
Object Type : NONE
...............................................
This is what the nislog should look like. The key items are in front:
...
Log state : STABLE.
Number of updates : 3
Current XID : 5258
Size of Log in bytes : 516
...
Log state should be STABLE. If it is something else, either the master is busy performing updates (?) or something is wrong.
Number of updates should be “3”; this implies that there are no updates.
Size lof log in bytes: 516
If these last two parameters are anything else, then the master has updates waiting to be checkpointed (removed) from its logs. “nisping -C” should flush these updates. If it doesn’t, then either a replica is unavailable or something is wrong.
-Done creating the server
To create a NIS+ client machine (“gnat”, in this example), do the following:
-Log onto the master, bug0 in this example.
-nisaddcred -p unix.gnat@fhcrc.org -P gnat.fhcrc.org. des
-Log onto the client-to-be
-Create a file called /etc/defaultdomain containing the single line “fhcrc.org”
-nisclient -i -d fhcrc.org. -h bug0.fhcrc.org
-Edit /etc/nsswitch.conf as appropriate
reboot
-/usr/sbin/rpc.nisd -C
[On subsequent reboots, rpc.nisd will load automatically.]
To convert a NIS+ client into a NIS+ replica server, do the following:
Log onto the master
-nisserver -R -v -d fhcrc.org. -h client
[Client must be the box’s node name, e.g. not fully-qualified. This is because we carry only node names in our NIS+ tables, e.g. we don’t populate them with the fully-qualified versions of each name.]
-On the client, perform the following:
-keylogin -r
-Back on the master, type the following commands. Pause in between each, watching syslog on both machines. Wait for the nisd messages to stop before continuing with the next command. Semi-reassuring messages which include strings like “Finish handshak
e” and “1 updates, 0 errors” indicate successful completion of a step. The step which requires the longest to complete is the “nisping org_dir.fhcrc.org” command, which will use messages like “update_directory: 3000 objects, still running” to indicate p
rogress. Do NOT reboot or otherwise kill NIS+ processes during this procedure. Under Solaris 2.4, doing so incurred painful consequences.
-nisping fhcrc.org.
-nisping org_dir.fhcrc.org.
-nisping groups_dir.fhcrc.org.
-nisping -C fhcrc.org.
Here is a sample of the entire experience, from the master’s syslog:
{nisping fhcrc.org}
Nov 25 13:51:28 bug0 nisd[400]: killing read only child: pid #919
Nov 25 13:55:18 bug0 nisd[1055]: nis_dump_svc: sending full dump of
fhcrc.org. to gnat.fhcrc.org.
Nov 25 13:55:18 bug0 nisd[1055]: nis_dump_svc: good dump of fhcrc.org., 2
totalobjects.
Nov 25 13:55:22 bug0 nisd[1055]: nis_dump_svc: Finish handshake returned
RPC: Timed out
{nisping org_dir.fhcrc.org.}
Nov 25 13:55:44 bug0 nisd[1057]: nis_dump_svc: sending full dump of
org_dir.fhcrc.org. to gnat.fhcrc.org.
Nov 25 13:59:05 bug0 nisd[1057]: nis_dump_svc: good dump of
org_dir.fhcrc.org.,4924 total objects.
Nov 25 13:59:08 bug0 nisd[1057]: nis_dump_svc: Finish handshake returned RPC: Timed out
{nisping groups_dir.fhcrc.org.}
Nov 25 13:59:34 bug0 nisd[1059]: nis_dump_svc: sending full dump of
groups_dir.fhcrc.org. to gnat.fhcrc.org.
Nov 25 13:59:34 bug0 nisd[1059]: nis_dump_svc: good dump of
groups_dir.fhcrc.org., 1 total objects.
Nov 25 13:59:37 bug0 nisd[1059]: nis_dump_svc: Finish handshake returned
RPC: Timed out
{nisping -C fhcrc.org.}
Nov 25 14:07:50 bug0 nisd[400]: killing read only child: pid #1061
I’m screwing around on bug0, here is a record of what I am doing.
The NIS+ group “admin” controls who can modify NIS+ tables. Any member of “admin” can modify the NIS+ tables in any way.
To list the members of “admin”:
bug0{skendric}41: nisgrpadm -l admin.fhcrc.org.
Group entry for "admin.fhcrc.org." group:
Explicit members:
gnat.fhcrc.org.
bug0.fhcrc.org.
jhjort.fhcrc.org.
skendric.fhcrc.org.
ptorng.fhcrc.org.
rhood.fhcrc.org.
No implicit members
No recursive members
No explicit nonmembers
No implicit nonmembers
No recursive nonmembers
bug0{skendric}42:
Note that the “root” ID on a box is represented by that box’s name, rather than by the string “root”. Thus, the users who can modify the NIS+ tables in the NIS+ domain fhcrc.org. are: root on bug0, root on gnat, jhjort, skendric, ptorng, and rhood.
If I wanted to prevent root on bug0 from modifying the NIS+ tables, I could:
nisgrpadm -r admin.fhcrc.org. bug0.fhcrc.org.
e.g.
Another way to grant access to a table is to use the nischown command.
nischown hostops hosts.org_dir
would change owernship of the hosts table from bug0 (root) to hostops. This would allow hostops to modify the hosts table, without being a member of the admin group.
nischmod could be used to refine these privileges, e.g. hostops might be allowed to create new entries but not allowed to delete current entries, given the appropriate nischmod command.
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:17 CDT