Chapter 13. The Network Information System

Linux Network Administrators Guide

Table of Contents
Getting Acquainted with NIS
NIS Versus NIS+
The Client Side of NIS
Running an NIS Server
NIS Server Security
Setting Up an NIS Client with GNU libc
Choosing the Right Maps
Using the passwd and group Maps
Using NIS with Shadow Support

When you're running a local area network, your overall goal is usually to
provide an environment for your users that makes the network transparent. An
important stepping stone is keeping vital data such as user account
information synchronized among all hosts. This provides users with the freedom
to move from machine to machine without the inconvenience of having to remember
different passwords and copy data from one machine to another. Data that is
centrally stored doesn't need to be replicated, so long as there is some
convenient means of accessing it from a network-connected host. By storing
important administrative information centrally, you can ensure
consistency of that data, increase flexibility for the users by
allowing them to move from host to host in a transparent way, and make the
system administrator's life much easier, since there is only a single copy
of the information to maintain.

We previously discussed an important example of this concept that is used on
the Internet—the Domain Name System (DNS). DNS serves a limited range of
information, the most important being the mapping between hostname and
IP address. For other types of information, there is no such specialized
service. Moreover, if you manage only a small LAN with no Internet
connectivity, setting up DNS may not seem to be worth the trouble.
This is why Sun developed the Network Information
System (NIS). NIS provides generic database access facilities that
can be used to distribute, for example, information contained in the
passwd and groups files to all
hosts on your network. This makes the network appear as a single system,
with the same accounts on all hosts. Similarly, you can use NIS
to distribute the hostname information from /etc/hosts
to all machines on the network.

NIS is based on RPC, and comprises a server, a client-side library, and
several administrative tools. Originally, NIS was called Yellow
Pages, or YP, which is still used to refer to it.
Unfortunately, the name is a trademark of British Telecom, which required
Sun to drop that name. As things go, some names stick with people, and so
YP lives on as a prefix to the names of most NIS-related commands such as
ypserv and ypbind.
Today, NIS is available for virtually all Unixes, and there are even
free implementations. BSD Net-2 released one that has
been derived from a public domain reference implementation donated by
Sun. The library client code from this release had been in the Linux
libc for a long time, and the administrative programs
were ported to Linux by
Swen Thümmler.[1]
An NIS server is missing from the reference implementation, though.
Peter Eriksson developed a new
implementation called NYS.[2]
It supports both plain NIS and Sun's much enhanced NIS+. NYS not only
provides a set of NIS tools and a server, but also adds a whole new
set of library functions that need to be compiled into your
libc if you wish to use it. This includes a new
configuration scheme for hostname resolution that replaces the current
scheme using host.conf.
The GNU libc, known as libc6 in the Linux community,
includes an updated version of the traditional NIS support developed by
Thorsten Kukuk.[3] It supports all of the
library functions that NYS provided and also uses the enhanced configuration
scheme of NYS. You still need the tools and server, but using GNU libc saves
you the trouble of having to meddle with patching and recompiling the library.

This chapter focuses on the NIS support included in the GNU libc rather than
the other two packages. If you do want to run any of these packages, the
instructions in this chapter may or may not be enough. For additional
information, refer to the NIS-HOWTO or a book such as Managing
NFS and NIS by Hal Stern (O'Reilly).

Getting Acquainted with NIS
NIS keeps database information in files called maps,
which contain key-value pairs. An example of a key-value pair is a user's login
name and the encrypted form of their login password. Maps are stored on a
central host running the NIS server, from which clients may retrieve the
information through various RPC calls. Quite frequently, maps are stored in DBM
files.[4]
The maps themselves are usually generated from master text files such as
/etc/hosts or /etc/passwd. For
some files, several maps are created, one for each search key type. For
instance, you may search the hosts file for a hostname
as well as for an IP address. Accordingly, two NIS maps are derived from it,
called hosts.byname and hosts.byaddr.
Table 13-1 lists common maps and the files from
which they are generated.

Table 13-1. Some Standard NIS Maps and Corresponding Files

Master File        Map(s)                                  Description
/etc/hosts         hosts.byname, hosts.byaddr              Host entries, keyed by host name and by IP address
/etc/networks      networks.byname, networks.byaddr        Network entries, keyed by network name and by network address
/etc/passwd        passwd.byname, passwd.byuid             Account entries (including the encrypted password), keyed by login name and by UID
/etc/group         group.byname, group.bygid               Group entries, keyed by group name and by GID
/etc/services      services.byname, services.bynumber      Service entries, keyed by service name and by port number
/etc/rpc           rpc.byname, rpc.bynumber                Sun RPC program entries, keyed by program name and by program number
/etc/protocols     protocols.byname, protocols.bynumber    Protocol entries, keyed by protocol name and by protocol number
/usr/lib/aliases   mail.aliases                            Mail alias entries, keyed by alias name

You may find support for other files and maps in other NIS packages.
These usually contain information for applications not discussed in this book,
such as the bootparams map that is used by Sun's
bootparamd server.
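The following is an added example, not code from this guide or from ypserv and its makedbm tool. It shows concretely why two maps are derived from /etc/hosts and two from /etc/passwd: each map holds the same records, indexed by a different key, and each is stored in a DBM file as the chapter says servers commonly do. All sample data is constructed, and the hostnames and accounts in it are assumptions.

```python
"""Derive NIS maps from master files, one map per search key.

Added example, not code from the Network Administrators Guide or from
ypserv/makedbm. Each map is the same set of records indexed by a
different key, stored in a DBM file. All input data below is constructed.
"""
import dbm
import os
import tempfile

# Constructed sample of /etc/hosts (hostnames are assumptions).
SAMPLE_HOSTS = """\
# hosts file for the Virtual Brewery, constructed sample
127.0.0.1   localhost
172.16.1.1  vlager.vbrew.com  vlager  vlager-if1
172.16.1.2  vstout.vbrew.com  vstout
172.16.2.1  vlager-if2                   # second interface of vlager
"""

# Constructed sample of /etc/passwd (accounts are assumptions).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
janet:x:1000:100:Janet Smith:/home/janet:/bin/bash
john:x:1001:100:John Doe:/home/john:/bin/bash
"""


def hosts_maps(text):
    """Build hosts.byname and hosts.byaddr from an /etc/hosts body.

    Values are the normalised record line, so a lookup by any key returns
    the whole entry. hosts.byname gets one key per name or alias (lower
    cased); hosts.byaddr one key per address. First record for a key wins.
    """
    byname, byaddr = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed hosts line: %r" % raw)
        record = " ".join(fields)
        byaddr.setdefault(fields[0], record)
        for name in fields[1:]:
            byname.setdefault(name.lower(), record)
    return byname, byaddr


def passwd_maps(text):
    """Build passwd.byname and passwd.byuid from an /etc/passwd body.

    No comment stripping here: '#' is legal inside the GECOS field, and
    passwd lines are colon separated with exactly seven fields.
    """
    byname, byuid = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        byname.setdefault(fields[0], line)
        byuid.setdefault(fields[2], line)
    return byname, byuid


def write_map(directory, mapname, entries):
    """Store one map as a DBM file named after the map; return its path."""
    path = os.path.join(directory, mapname)
    with dbm.open(path, "n") as db:
        for key, value in entries.items():
            db[key.encode()] = value.encode()
    return path


def lookup(directory, mapname, key):
    """Fetch one key from a stored map (what ypmatch asks ypserv for)."""
    with dbm.open(os.path.join(directory, mapname), "r") as db:
        value = db.get(key.encode())
    return None if value is None else value.decode()


def build_and_query(directory=None):
    """Build all four maps into a directory and query each by its key."""
    directory = directory or tempfile.mkdtemp(prefix="nismaps-")
    h_byname, h_byaddr = hosts_maps(SAMPLE_HOSTS)
    p_byname, p_byuid = passwd_maps(SAMPLE_PASSWD)
    for name, entries in (("hosts.byname", h_byname), ("hosts.byaddr", h_byaddr),
                          ("passwd.byname", p_byname), ("passwd.byuid", p_byuid)):
        write_map(directory, name, entries)
    return {
        "vlager": lookup(directory, "hosts.byname", "vlager"),
        "172.16.1.2": lookup(directory, "hosts.byaddr", "172.16.1.2"),
        "1001": lookup(directory, "passwd.byuid", "1001"),
        "nobody": lookup(directory, "passwd.byname", "nobody"),
    }


if __name__ == "__main__":
    for key, value in build_and_query().items():
        print("%-12s -> %s" % (key, value))
```

Note that a lookup of "vlager-if2" in hosts.byname returns a different record than "vlager", even though they are the same machine: NIS maps are flat key-value stores with no notion of a host having several addresses, which is worth remembering when you later choose which maps to serve.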
For some maps, people commonly use nicknames, which are
shorter and therefore easier to type. Note that these nicknames are understood
only by ypcat and ypmatch, two tools for
checking your NIS configuration. To obtain a full list of nicknames understood
by these tools, run the following command:
$ ypcat -x
Use "passwd" for "passwd.byname"
Use "group" for "group.byname"
Use "networks" for "networks.byaddr"
Use "hosts" for "hosts.byaddr"
Use "protocols" for "protocols.bynumber"
Use "services" for "services.byname"
Use "aliases" for "mail.aliases"
Use "ethers" for "ethers.byname"
The NIS server program is traditionally called ypserv. For
an average network, a single server usually suffices; large networks may
choose to run several of these on different machines and different segments
of the network to relieve the load on the server machines and routers.
These servers are synchronized by making one of them the master
server, and the others slave servers. Maps are
created only on the master server's host. From there, they are distributed to
all slaves.
We have been talking very vaguely about “networks.” There's a
distinctive term in NIS that refers to a collection of all hosts that share
part of their system configuration data through NIS: the
NIS domain. Unfortunately, NIS domains
have absolutely nothing in common with the domains we encountered in DNS. To
avoid any ambiguity throughout this chapter, we will therefore always specify
which type of domain we mean.
NIS domains have a purely administrative function. They are mostly
invisible to users, except for the sharing of passwords between all
machines in the domain. Therefore, the name given to an NIS domain is
relevant only to the administrators. Usually, any name will do, as long
as it is different from any other NIS domain name on your local network.
For instance, the administrator at the Virtual Brewery may choose to
create two NIS domains, one for the Brewery itself, and one for the
Winery, which she names brewery and
winery respectively. Another quite
common scheme is to simply use the DNS domain name for NIS as well. Bear in
mind that the domain name is also all a client has to present in order to
query the server's maps, so an easily guessed name (such as your DNS domain)
offers no protection by itself; restricting which hosts may talk to the server
is the subject of the section NIS Server Security.

To set and display the NIS domain name of your host, you can use the
domainname command. When invoked without any argument, it
prints the current NIS domain name; to set the domain name, you must
become the superuser:
# domainname brewery

NIS domains determine which NIS server an application will query. For
instance, the login program on a host at the Winery should,
of course, query only the Winery's NIS server (or one of them, if there
are several) for a user's password information, while an application on
a Brewery host should stick with the Brewery's server.
One mystery now remains to be solved: how does a client find out which
server to connect to? The simplest approach would use a configuration
file that names the host on which to find the server. However, this approach
is rather inflexible because it doesn't allow clients to use different servers
(from the same domain, of course) depending on their availability. Therefore,
NIS implementations rely on a special daemon called ypbind
to detect a suitable NIS server in their NIS domain. Before performing any
NIS queries, an application first finds out from
ypbind which server to use.

ypbind probes for servers by broadcasting to the local IP
network; the first to respond is assumed to be the fastest one and
is used in all subsequent NIS queries. After a certain interval has
elapsed, or if the server becomes unavailable, ypbind
probes for active servers again.

Dynamic binding is useful only when your network provides more than one
NIS server. Dynamic binding also introduces a security problem.
ypbind blindly believes whoever answers, whether it be a
humble NIS server or a malicious intruder. Needless to say, this
becomes especially troublesome if you manage your password databases over NIS.
To guard against this, the Linux ypbind program provides
you with the option of probing the local network to find the local NIS server,
or configuring the NIS server hostname in a configuration file.

Notes

[1] Swen can be reached at swen@uni-paderborn.de. The NIS clients are available as yp-linux.tar.gz from metalab.unc.edu in system/Network.

[2] Peter may be reached at pen@lysator.liu.se. The current version of NYS is 1.2.8.

[3] Thorsten may be reached at kukuk@uni-paderborn.de.

[4] DBM is a simple database management library that uses hashing techniques to speed up search operations. There's a free DBM implementation from the GNU project called gdbm, which is part of most Linux distributions.
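The client-side safeguard mentioned at the end of the ypbind discussion above, naming the server in a configuration file instead of trusting whoever answers a broadcast, as an added example that is not code from this guide or from ypbind. It parses the directives of the Linux ypbind configuration file format (/etc/yp.conf: "domain D server H", "domain D broadcast", "ypserver H" and "broadcast") and flags every domain that would be bound by broadcast. The two configurations and the hostnames in them are constructed samples.

```python
"""Audit how ypbind is told to find its NIS server.

Added example, not from the Network Administrators Guide or the ypbind
sources. It reads the /etc/yp.conf directive format used by Linux ypbind
and flags domains that would be bound by broadcast, i.e. to whichever
host answers first. Sample configurations are constructed.
"""

# Weak: any host on the LAN that answers the broadcast becomes the
# password server for domain "brewery".
WEAK_CONF = """\
# /etc/yp.conf, constructed sample
domain brewery broadcast
"""

# Hardened: only the named servers are ever asked. Names used here must
# be resolvable without NIS (via /etc/hosts), or be IP addresses, because
# ypbind has to find the server before NIS lookups are possible.
HARDENED_CONF = """\
# /etc/yp.conf, constructed sample; hostnames are assumptions
domain brewery server vlager.vbrew.com
domain brewery server vstout.vbrew.com
"""

DEFAULT_DOMAIN = "*"   # stands for the domain set with domainname


def parse_yp_conf(text):
    """Return ({domain: {"servers": [...], "broadcast": bool}}, unknown_lines).

    Lines without a 'domain' keyword (ypserver / broadcast) apply to the
    host's current NIS domain, recorded here under DEFAULT_DOMAIN.
    """
    domains = {}
    unknown = []

    def entry(domain):
        return domains.setdefault(domain, {"servers": [], "broadcast": False})

    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments
        if not tokens:
            continue
        if tokens[0] == "domain" and len(tokens) == 4 and tokens[2] == "server":
            entry(tokens[1])["servers"].append(tokens[3])
        elif tokens[0] == "domain" and len(tokens) == 3 and tokens[2] == "broadcast":
            entry(tokens[1])["broadcast"] = True
        elif tokens[0] == "ypserver" and len(tokens) == 2:
            entry(DEFAULT_DOMAIN)["servers"].append(tokens[1])
        elif tokens == ["broadcast"]:
            entry(DEFAULT_DOMAIN)["broadcast"] = True
        else:
            unknown.append(raw)
    return domains, unknown


def audit(text):
    """Classify each configured domain as (domain, status, detail).

    'weak'     a broadcast line is present; pinned servers for the same
               domain do not cancel it (this check treats any broadcast
               directive as a hole rather than guessing ypbind's fallback)
    'pinned'   only explicit servers
    'unbound'  nothing in the file binds any domain
    'unparsed' a line this parser does not understand (reported, not ignored)
    """
    domains, unknown = parse_yp_conf(text)
    findings = []
    for domain, cfg in sorted(domains.items()):
        status = "weak" if cfg["broadcast"] else "pinned"
        findings.append((domain, status, list(cfg["servers"])))
    if not domains:
        findings.append((DEFAULT_DOMAIN, "unbound", []))
    for line in unknown:
        findings.append(("?", "unparsed", [line]))
    return findings


def is_safe(text):
    """True only if every domain is pinned and nothing went unparsed."""
    return all(status == "pinned" for _, status, _ in audit(text))


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print("%s: safe=%s" % (label, is_safe(conf)))
        for domain, status, detail in audit(conf):
            print("  %-8s %-8s %s" % (domain, status, " ".join(detail)))
```

The file is only half of the picture: ypbind can also be started with a command-line broadcast option, so the init script that starts it deserves the same look as yp.conf.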