NIS Master Server Configurations

NIS Master Server Config

NIS maps are located in the /var/yp/domainname directory (where domainname is the name of the NIS domain). Each map is stored as two files in this directory, a .pag file and a .dir file. Eg.
/var/yp/training/hosts.byname.pag file
/var/yp/training/hosts.byname.dir file
/var/yp/training/hosts.byaddr.pag file
/var/yp/training/hosts.byaddr.dir file

The naming convention for an NIS map is map.key.pag and map.key.dir, where map is the source file the map was built from and key is the field the map is indexed by.

ypcat [-k] mname -- Retrieves all values from the NIS map mname, which can be either a
map name or a map nickname (for example passwd for passwd.byname). With -k the key is printed as well.
# ypcat hosts
localhost 127.0.0.1 localhost
sysprint 192.168.30.70 sysprint
sys44 192.168.30.44 sys44 loghost

ypmatch [-k] key mname -- Prints the values associated with one or more keys from the NIS
map specified by the mname argument.
# ypmatch sys44 hosts
sys44: 192.168.30.44 sys44 loghost
# ypmatch usera passwd
usera: usera:LojyTdiQev5i:3001:10::/export/home/usera:/bin/ksh
Note that the second lookup hands the account's password hash to any NIS client in the domain; see Introducing NIS Security below for the passwd.adjunct file that hides it.

NIS Domain Contains
One NIS Master Server
NIS Slave Servers (Optional)
NIS Clients

The NIS Master Server

Contains the original ASCII source files (normally in /etc) used to build the NIS maps
Contains the NIS maps generated from the ASCII files
Provides a single point of control for the entire NIS domain

NIS Slave Servers

Do not contain the original ASCII source files
Contain copies of the NIS maps transferred from the NIS Master Server
Provide a backup repository for NIS map information
Provide redundancy in case of server failure
Provide load sharing on large networks

NIS Clients

Do not contain the original ASCII source files
Do not contain any NIS maps
Bind to the master server or to a slave server to obtain access to the administrative file information contained in that server's NIS maps
Dynamically rebind to another server in case of server failure
Make all appropriate system calls aware of NIS

NIS Processes

The main daemons involved in running an NIS domain are
The ypserv daemon -- Answers client requests for map information
The ypbind daemon -- Binds the client to a server
The rpc.yppasswdd daemon -- Accepts password changes from clients and updates the passwd map on the master server
The ypxfrd daemon -- Serves map transfers to slave servers (runs on the master; used when maps are pushed or pulled)
The rpc.ypupdated daemon -- Updates NIS maps using the configuration stored in /var/yp/updaters

The NIS slave server runs the ypserv and ypbind daemons

The NIS client runs only the ypbind daemon

The three most common search orders (set per database in /etc/nsswitch.conf) are
Search files and then NIS
Search NIS and then files
Forward hosts lookup requests from NIS to DNS



Introducing NIS Security

NIS carries no authentication of its own: any host that can reach ypserv and knows the domain name can request any map. Two files limit this. The /var/yp/securenets file restricts the server to answering a single host or a subnetwork, and the passwd.adjunct file keeps the password hashes out of the passwd map that is sent across the network.

The /var/yp/securenets File

If this file exists on an NIS server, the server only answers queries or supplies maps to hosts and networks whose IP addresses are listed in it. Include the server itself (127.0.0.1 or its own subnet), otherwise its own ypbind cannot reach it. The check is made on the source address of the request only, so it limits who is served but does not authenticate anyone.
# cat /var/yp/securenets
# Two ways of giving access to a system: a netmask followed by the network address,
# or the host keyword followed by a single IP address
host 127.0.0.1
255.255.255.0 150.10.1.0
host 13.13.14.1
host 13.13.14.2

ypserv reads this file only when it starts. If you modify entries in /var/yp/securenets, you must stop and restart the ypserv and ypxfrd daemons.
# /usr/lib/netsvc/yp/ypstop
# /usr/lib/netsvc/yp/ypstart
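The matching rule above is easy to get wrong (a netmask that is wider than intended, or a stray 0.0.0.0 entry that admits everyone). The POSIX sh functions below are an added example, not part of the original notes and not Sun's code: they model the securenets check so a candidate file can be tested against client addresses before ypserv is restarted, and flag wildcard entries. The file format is the one shown above; contiguous netmasks and 64-bit shell arithmetic are assumed.

```shell
# Added example: model of the /var/yp/securenets matching rule (not Sun code).
# Assumes contiguous netmasks and a shell whose arithmetic is at least 33 bits wide.

# Convert a dotted quad to an integer (printed with %.0f to stay exact on all awks).
ip_to_int() {
    printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1*16777216 + $2*65536 + $3*256 + $4 }'
}

# securenets_check FILE CLIENT_IP
# Prints "allow" and returns 0 if a line of FILE matches CLIENT_IP, else "deny" / 1.
#   host  A.B.C.D      -> exact match (mask 255.255.255.255)
#   MASK  NETWORK      -> (client & MASK) == (NETWORK & MASK)
securenets_check() {
    file=$1
    client=$(ip_to_int "$2")
    while read -r a b _; do
        case "$a" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ "$a" = host ]; then
            mask=4294967295
        else
            mask=$(ip_to_int "$a")
        fi
        net=$(ip_to_int "$b")
        if [ $(( client & mask )) -eq $(( net & mask )) ]; then
            echo allow
            return 0
        fi
    done < "$file"
    echo deny
    return 1
}

# securenets_audit FILE
# A netmask of 0.0.0.0 matches every client, which defeats the purpose of the file.
# Prints each such line and returns 1 if any is found.
securenets_audit() {
    awk '$1 !~ /^#/ && NF >= 2 && $1 != "host" && $1 == "0.0.0.0" {
             print "wildcard entry: " $0; bad = 1
         }
         END { exit bad ? 1 : 0 }' "$1"
}
```

Run securenets_check against the file with the address of each class of client you expect (a slave, a workstation on the served subnet, and a host that must be refused) before you run ypstop/ypstart; the audit catches the 0.0.0.0 shortcut that sometimes gets pasted in "to make it work".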

The passwd.adjunct File

Password hashes are normally hidden from users in the /etc/shadow file. With the default NIS configuration, however, the hash string is published as part of the passwd map, where any client in the domain can dump it with ypcat and crack it offline. The passwd.adjunct file prevents unauthorized users from seeing the hashes.
# ypmatch -k usera passwd
usera: usera:LojyTdiQev5i:3001:10::/export/home/usera:/bin/ksh

When a passwd.adjunct file is used, the password field of the passwd map contains the account name preceded by ##. Subsequent attempts to obtain account information with the ypcat or ypmatch commands return this marker from the passwd.adjunct file instead of the hash.
# ypmatch -k usera passwd
usera: usera:##usera:3001:10::/export/home/usera:/bin/ksh
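A quick way to confirm that the adjunct file is actually in effect is to audit a dump of the passwd map. The functions below are an added example (not from the original notes, not Sun code): feed them `ypcat passwd` output and they report every entry whose password field is a real hash or is empty. The sample map is constructed for the example; the field layout is the seven-field one shown above.

```shell
# Added example: audit a passwd map dump for published hashes (not Sun code).
# Input format: the 7-field value of the passwd map, one entry per line, as printed by
#   ypcat passwd
# (not the "key: value" form that ypmatch -k prints).

# classify_passwd_entry LINE -> prints one of: exposed, adjunct, empty, malformed
classify_passwd_entry() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7             { print "malformed"; next }   # not a passwd(4) record
        $2 == ""            { print "empty";     next }   # no password at all
        $2 == ("##" $1)     { print "adjunct";   next }   # hash hidden by passwd.adjunct
                            { print "exposed" }'          # a crackable hash is on the wire
}

# nis_passwd_audit: read passwd lines on stdin, print "<class> <user>" per line,
# return 1 if any entry exposes a hash or has an empty password field.
nis_passwd_audit() {
    rc=0
    while IFS= read -r line; do
        user=${line%%:*}
        cls=$(classify_passwd_entry "$line")
        echo "$cls $user"
        case $cls in exposed|empty) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: one default entry, one protected by passwd.adjunct, one with no password.
SAMPLE_MAP='usera:LojyTdiQev5i:3001:10::/export/home/usera:/bin/ksh
userb:##userb:3002:10::/export/home/userb:/bin/ksh
guest::3003:10::/export/home/guest:/bin/ksh'
```

On a real master run `ypcat passwd | nis_passwd_audit`; a non-zero exit means the map is still leaking hashes (or carries passwordless accounts) to every client that securenets lets in.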

Configuring NIS Domain

To locate the source files in another directory, modify the /var/yp/Makefile file:
Change the DIR=/etc line to DIR=/your-choice
Change the PWDIR=/etc line to PWDIR=/your-choice

Before you make any modification to /var/yp/Makefile, save a copy of the original Makefile.

The NIS configuration script /usr/sbin/ypinit and the make utility generate the NIS maps. The ypinit script runs make, which reads the Makefile for the source file locations and converts the ASCII source files into NIS maps. The /etc/defaultdomain file sets the NIS domain name during system boot.

Important files on the NIS Master (Part 1) -- the hosts, passwd and shadow source files

Important files on the NIS Master (Part 2)
The /var/yp/domainname directory is the repository for the NIS maps created by the ypinit script.
The /var/yp/binding/domainname directory contains the ypservers file, where the names of the NIS master server and NIS slave servers are stored.

Important files on the NIS Master (Part 3) -- The /usr/lib/netsvc/yp directory contains the ypstop and ypstart commands that stop and start the NIS services respectively

# /usr/sbin/ypinit -m -- This command prompts for a list of other machines to become NIS
slave servers.


Configuring the NIS Master Server

The Core, End User and Developer software configuration clusters do not install all of the files in the /usr/lib/netsvc/yp directory that a host needs to function as an NIS server.

1. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file. If necessary, modify the file
2. Enter the domainname command to set the local NIS domain
# domainname classroom.central.sun.com
3. Create an /etc/defaultdomain file containing the domain name
4. If the files do not already exist, use the touch command to create zero-length files:
/etc/ethers, /etc/bootparams, /etc/locale, /etc/timezone, /etc/netgroup and /etc/netmasks.
These files are necessary for the creation of the complete set of NIS maps.
5. Install and update the Makefile in the /var/yp directory.
6. Create or populate the /etc/locale file, making an entry for each domain on your network
in the following format
domainname locale eg. classroom.central.sun.com en_US
7. Initialize the master server from the local /etc files
# ypinit -m -- Provide the slave server names and press Ctrl+D to finish the list. Answer n
when asked whether to terminate on the first fatal error
Note: If you have to restart the ypinit program, you are prompted to destroy the
/var/yp/domainname directory. Answer y
8. # /usr/lib/netsvc/yp/ypstart

Testing the NIS Service

$ ypcat hosts -- Prints the values from an NIS map
# ypmatch sys41 localhost hosts
192.168.30.41 sys41
127.0.0.1 localhost loghost
$ ypwhich -- Shows the NIS server this host is currently bound to (ypwhich -m shows the master of each map)
sys41

Configure the NIS Client

1. Copy the /etc/nsswitch.nis file to the /etc/nsswitch.conf file
2. Edit the /etc/inet/hosts file to ensure that the NIS master and slave servers are defined (ypinit -c must resolve their names before NIS itself is available)
3. # domainname domainname -- To set the local NIS domain
4. Create and populate the /etc/defaultdomain file with the domain name
5. # ypinit -c -- To initialize the system as an NIS client
6. Enter the names of the NIS master and all slave servers
7. # /usr/lib/netsvc/yp/ypstart
8. # ypwhich -m -- Lists the maps and their master server, to test the functionality



Configuring NIS Slave Server

Follow the client configuration steps, then run the command below
# ypinit -s master -- Initializes the system as an NIS slave server, where master is the name of the NIS master. Then start the service and test the functionality

Updating the NIS Map

1. Update the text files in your source directory (typically /etc, unless it was changed in the Makefile)
2. # cd /var/yp
3. # /usr/ccs/bin/make -- Rebuild the NIS maps using the make utility

Updating NIS Password Map

If the NIS master is running the rpc.yppasswdd daemon, any client system can update the NIS password map by using the yppasswd or passwd commands.
1. Run the rpc.yppasswdd daemon on the NIS master server
# /usr/lib/netsvc/yp/rpc.yppasswdd $PWDIR/passwd -m passwd

Updating the NIS Slave Server Map

The following steps manually update the NIS timezone map on the master server and propagate all maps to the slave servers
1. Edit the source file on the NIS master
# vi /etc/timezone
2. Remake and push the NIS maps to the slave servers
# cd /var/yp; /usr/ccs/bin/make
3. If the push fails, manually pull only the timezone map from the master server by
running the command below on the slave server
# /usr/lib/netsvc/yp/ypxfr timezone.byname
# ypinit -s nis_master -- To pull all of the maps at once

Sometimes maps fail to propagate, and you must manually use the ypxfr command to retrieve new map information. You can use shell scripts run as cron jobs for automatic updates. The Solaris OE provides several template scripts in the /usr/lib/netsvc/yp directory that you can copy and modify to meet your local site requirements.

ypxfr_1perhour script -- Syncs the passwd map on NIS slave servers
ypxfr_1perday script -- Syncs the NIS maps for the group, protocols,
networks, services, and ypservers keys on NIS slave servers
ypxfr_2perday script -- Syncs the NIS maps for the hosts, ethers, netgroup keys, and mail aliases on NIS slave servers


Quick Reference

# domainname digit.com -- Set the NIS domain name for the running system

# domainname > /etc/defaultdomain -- Create the defaultdomain file so the name persists across reboots

# cp /etc/nsswitch.nis /etc/nsswitch.conf

# /var/yp/Makefile -- Config file

Makefile 4 parts

1 – Declaration
2 – Details of centralization
3 – Coding for mapping
4 – Declaration of original path

# cd /var/yp

# ypinit –m -- Initializing the master server
# ypinit –s -- Initializing the slave server
# ypinit –c -- Initializing the client
Ctrl+D -- To finish the list of servers
Is this correct? [y/n] y
Terminate on first fatal error? [y/n] n

If ypinit fails because source files are missing, follow the procedure below

# cd /etc
# touch ethers bootparams netgroup netmasks timezone
# cd /var/yp
# ypinit –m
# /usr/lib/netsvc/yp/ypstart -- To start the daemons

# ypwhich -- Shows the server this host is bound to
Solaris

# ypwhich -m -- Lists each map and its master server

A directory will be created with the domain name

# cd /var/yp/digit.com -- Contains all the maps as .pag and .dir files

# ypcat mapname -- To read a map

# ypcat -k passwd -- With -k, prints the keys as well as the values

# ypmatch -k root passwd

Solaris Zones configuration and set up

Solaris Zones features:

1. Operating-system level virtualization: all zones share one kernel, so it is comparable in purpose to VMware but is not a hypervisor
2. Solaris Zones can host only instances of Solaris, not other OSes
3. Limit of 8192 zones per Solaris host
4. The primary (global) zone has access to all zones
5. Non-global zones do not have access to other non-global zones
6. By default, non-global zones derive their packages from the global zone
7. Program isolation, for example zone1 for apache, zone2 for mysql, zone3 for databases
8. Provides the 'z' commands to manage zones: zlogin, zonecfg, zoneadm, zonename

Features of the Global Zone

1. Solaris always boots (cold or warm) into the global zone
2. Knows about all hardware devices attached to the system
3. Knows about all non-global zones

Features of Non-Global Zones

1. Installed at a location on the file system of the global zone, the 'zone root path', eg /export/home/zones/zone1 (zone2, zone3, ...). This directory is the root directory for that zone.
2. Share packages with the global zone
3. Maintain their own hostname and table files
4. Cannot communicate with other non-global zones by default; a network interface must be used, which means the standard network API (TCP/IP)
5. The global zone administrator can delegate non-global zone administration

Zones commands example:

# which zonename - to check whether your OS has the zonename command
/usr/bin/zonename

# zonename - by default shows the global zone name
global

The zone management commands all start with z: zonename, zonecfg, zoneadm, zlogin

Zone Configuration

# zonecfg - to configure zones

Note: zonecfg can run interactively, non-interactively (a single command given on the command line), or in command-file mode (zonecfg -z zone -f file)

Requirements for non-global zones:
1. Hostname of the zone
2. Zone root path, ie /export/home/zones/testzone1
3. IP address - bound to a logical or physical interface

Zone types:

1. Sparse root zones - share key file systems (such as /usr and /lib) with the global zone
2. Whole root zones - carry their own copy of everything and require more storage

# df -k - select a slice that has enough space; in this example /export/home has 5 GB

Steps for configuring a non-global zone:

1. mkdir /export/home/zones/testzone1
2. chmod 700 /export/home/zones/testzone1 - keeps other users of the global zone out of the zone's root
3. ls -ltr /export/home/zones

4. # zonecfg -z testzone1
testzone1: No such zone configured
Use 'create' to begin configuring a new zone. - this message is expected the first time a zone is created
> create - to create a zone configuration
> set zonepath=/export/home/zones/testzone1 - this is the root path for the zone
> add net
net> set address=192.168.1.0 - IP address of the zone
net> set physical=e1000g0 - name of the physical network card; check with 'ifconfig -a'
net> end - finish the net resource (press end before you can leave a resource scope)
> info - to see what has been set
> set autoboot=true - the zone will be started automatically when the system starts
> info
> add attr - to add an extra parameter
attr> set name=comment
attr> set type=string
attr> set value=TestZone1
attr> end
> verify - verify the configuration; if any error is reported check the parameters again
> commit - commit the changes
> exit
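The same configuration can be produced for the command-file mode mentioned above, which is the form you want in a provisioning script. The function below is an added example, not Sun code and not from the original notes: it validates the inputs (zonecfg records a malformed address and only fails at boot) and writes the command file for `zonecfg -z testzone1 -f testzone1.cfg`. The zone name, zone path and NIC are the ones used above; the host address 192.168.1.10/24 is an assumption.

```shell
# Added example: build a zonecfg command file non-interactively (not Sun code).
# Usage: zone_cmdfile NAME ZONEPATH ADDRESS PHYSICAL > NAME.cfg
#        zonecfg -z NAME -f NAME.cfg        (on the Solaris global zone)

# valid_ipv4 A.B.C.D -> 0 if every octet is a number in 0..255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# zone_cmdfile NAME ZONEPATH ADDRESS[/PREFIX] PHYSICAL -> prints the command file
zone_cmdfile() {
    name=$1 zpath=$2 addr=$3 nic=$4
    # zonepath must be an absolute path on the global zone's file system
    case $zpath in
        /*) ;;
        *)  echo "zonepath must be absolute: $zpath" >&2; return 1 ;;
    esac
    # the address may carry a /prefix; validate the dotted-quad part only
    valid_ipv4 "${addr%/*}" || { echo "bad address: $addr" >&2; return 1; }
    cat <<EOF
create
set zonepath=$zpath
set autoboot=true
add net
set address=$addr
set physical=$nic
end
add attr
set name=comment
set type=string
set value=$name
end
verify
commit
EOF
}
```

The command file reproduces the interactive session line for line (create, zonepath, autoboot, the net and attr resources, verify, commit), so what you reviewed interactively is exactly what the script applies.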

# zoneadm list -iv - to list zones

# zoneadm -z testzone1 install

Zone testzone1 is now in the installed state, which is not yet usable, so we have to bring it to the running state

# zoneadm list -iv - testzone1 still has no ID assigned, unlike the global zone, so now

# zoneadm -z testzone1 boot - boots the zone, changing its state from installed (via ready) to running

# zoneadm list -iv - now you can see that an ID is assigned and the status is running

# ps -ef | grep z
zoneadmd -z testzone1 - this process is responsible for running this zone

zlogin - is used to log in to zones
Note: each non-global zone maintains a console; use 'zlogin -C testzone1' to access it.

Note: zlogin permits login to a non-global zone in the following modes
1. Interactive - ie zlogin -l username zonename
2. Non-interactive - zlogin [options] zonename command
3. Console mode - zlogin -C zonename
4. Safe mode - zlogin -S zonename

# zoneadm list -iv

# zlogin -C testzone1
select a language - 0 English
VT100 - terminal type
testzone1 - hostname, press F2
Configure Kerberos - yes
name service - NIS

From here on the procedure is the same as the installation of Solaris, so specify all details as required,
such as DNS names, NIS server locations, etc.

# log in as root with the password you set
# zonename
testzone1

# zoneadm list -iv - shows all zones, global and non-global

# once you are in testzone1, check the /etc/passwd file: you can see the system users but not the users of the global zone

# netstat -an -P tcp - shows only the zone's own TCP sockets

# zoneadm -z testzone1 reboot - reboots the zone

# zlogin testzone1 shutdown - to shut down the zone (non-interactive mode)

Once zones are created you can ssh or telnet from a remote machine to connect to that zone

How to Configure Name Service Clients

Configuring a DNS Client
The client resolver code is controlled by the following files
/etc/resolv.conf -- Contains the directives that specify the local domain, the name servers and the search list for a query
/etc/nsswitch.conf -- Contains the reference to DNS on the hosts entry

Configuring the DNS Client During Installation

-- Select DNS -- Give Domain Name -- Enter IP Address -- Enter search Domains -- Confirm

Editing DNS Client Configuration Files

# vi /etc/resolv.conf
domain digigeeks.com
nameserver 140.40.40.152
search digigeeks.com -- List the local domain as the first argument to search

Copying the /etc/nsswitch.dns File to /etc/nsswitch.conf

# cp /etc/nsswitch.dns /etc/nsswitch.conf
# cat /etc/nsswitch.conf
………
hosts: files dns
……..

If you want to add DNS name resolution to a system currently running another name service, such as NIS or NIS+, you must place the dns keyword on the hosts line in the required position, along with the other keywords.

# cat /etc/nsswitch.conf
…..
hosts: nis files dns
…..
Setting up an LDAP Client

The LDAP server cannot be a client of itself. Getting this configuration to work properly requires changes on both the LDAP server and the LDAP client. The ldap_cachemgr daemon is responsible for maintaining and refreshing the client profile information.

Configuring LDAP Client During Installation

-- Select LDAP -- Enter Domain Name -- Enter Profile Name & Profile Server IP Address -- Confirm

Initializing the Native LDAP Client

You run the ldapclient command on the client system once to initialize it as a native LDAP client. The ldapclient command creates two files in the /var/ldap directory on the LDAP client. These files contain the information that the LDAP client uses when binding to and accessing LDAP data.
/var/ldap/ldap_client_cred -- The proxy agent credentials (DN and password) that the client uses for LDAP authentication; it is created readable by root only, keep it that way
/var/ldap/ldap_client_file -- The configuration information from the client profile in the LDAP server database

# ldapclient init -a proxyPassword=proxy -a proxyDN=cn=proxyagent,ou=profile,dc=suned,dc=com -a domainName=suned.com 192.168.0.100

# ldapclient list

Copying the /etc/nsswitch.ldap to the /etc/nsswitch.conf

During LDAP client initialization the /etc/nsswitch.ldap file is copied over the /etc/nsswitch.conf file

# ldaplist -- To list naming info from LDAP server

# ldapclient uninit -- Unconfiguring LDAP Client

Jump start and Boot Only Server

Four main services - boot services, identification services, configuration services, installation services

Implementing a Basic Jumpstart Server

1. Spool the OS image
2. Edit the sysidcfg file
3. Edit the rules and profile files
4. Run the check script
5. Run the add_install_client scripts
6. Boot the client


# mkdir /export/config /export/home/sol_dump
# cd /cdrom/cdrom0/s0/Solaris_9/Misc/Jumpstart_sample/
# cp -r * /export/config/
# cd /cdrom/cdrom0/s0/Solaris_9/Tools
# ./setup_install_server /export/home/sol_dump -- Copy the Solaris image (CD 1) to the local directory
# cd /cdrom/cdrom0/Solaris_9/Tools/
# ./add_to_install_server /export/home/sol_dump -- Append the contents of the 2nd CD
# cd /etc
# cd /etc

# vi ethers
8:0:20:a6:aa:2b ultra5 -- MAC address and hostname of the client

# vi /etc/hosts
140.40.40.154 ultra5

# vi /etc/timezone
Asia/Calcutta ultra5

# cd /export/config/

# vi rules
hostname ultra5 - host_class finish_script

The fields are: match keyword, value, begin (pre-install) script, class (profile) file, finish (post-install) script. A dash means no script.
host_class -- Configuration details such as partitioning
finish_script -- Post-install script, run at the end of the installation with the newly installed system mounted at /a


# vi host_class
install_type initial_install
system_type standalone
partitioning explicit
Cluster SUNWXall
filesys c0t0d0s0 10000 /
filesys c0t0d0s1 550 swap
filesys c0t0d0s7 free /export/home

# vi finish_script
touch /a/noautoshutdown
rm /a/etc/defaultdomain
rm -r /a/var/yp/digit.com
cp /a/etc/nsswitch.files /a/etc/nsswitch.conf

# vi sysidcfg -- System identification and configuration. The time zone can also be given here
security_policy=none
name_service=none
network_interface=primary {netmask=255.255.0.0 protocol_ipv6=no}
timezone=Asia/Calcutta
system_locale=en_US

-- Time zone are listed in the directory structure below the /usr/share/lib/zoneinfo directory.
-- Locales are listed in the /usr/lib/locale directory

# chmod 755 finish_script
# ./check -- To check the config

# vi /etc/dfs/dfstab
share -o ro,anon=0 /export/home/sol_dump
share -o ro,anon=0 /export/config
Export both read-only: anon=0 lets the unauthenticated client read the share as root, and nothing on the client needs to write to the image or to the configuration directory.

# cd /var/yp
# /usr/ccs/bin/make -- Rebuild the NIS maps so the new hosts and ethers entries are served
# cd /export/home/sol_dump/Solaris_9/Tools
# ./add_install_client -c 140.40.40.151:/export/config -p 140.40.40.151:/export/config ultra5 sun4u
(ultra5 is the client hostname; -c gives the configuration directory, -p the directory holding sysidcfg)

From Client

ok boot net –install -- Will search the network and start the installation automatically

-- Before a Jumpstart client can boot and obtain all of the NFS resourctes it requires, every directory listed as an argument to the add_install_client script must be shared by the server on which it resides.
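The bundled check script validates the rules file; the functions below are an added example (not Sun's check script, not from the original notes) covering the three mistakes from the procedure above that only surface at client boot time: a rules line that references a class or finish script that is missing or not executable, a profile without install_type and system_type, and a dfstab line that exports an anon=0 share read-write. File names and layouts are the ones used above.

```shell
# Added example: minimal JumpStart configuration checks (not Sun's check script).

# check_rules CONFIG_DIR
# Each non-comment line of CONFIG_DIR/rules is:
#   keyword value begin_script class_file finish_script   ("-" means none)
# Prints one problem per line; returns 1 if any problem was found.
check_rules() {
    dir=$1; rc=0
    while read -r kw val begin class finish _; do
        case $kw in ''|'#'*) continue ;; esac
        if [ -z "$finish" ]; then
            echo "rules: '$kw $val': fewer than 5 fields"; rc=1; continue
        fi
        for f in "$begin" "$class" "$finish"; do
            [ "$f" = - ] && continue
            [ -f "$dir/$f" ] || { echo "rules: $f not found in $dir"; rc=1; }
        done
        # scripts are executed on the client; a non-executable finish script silently does nothing
        [ "$finish" = - ] || [ -x "$dir/$finish" ] || { echo "rules: $finish is not executable"; rc=1; }
    done < "$dir/rules"
    return $rc
}

# check_profile PROFILE_FILE
# install_type and system_type are mandatory keywords of a profile.
check_profile() {
    awk '$1 == "install_type" { it = 1 }
         $1 == "system_type"  { st = 1 }
         END {
             if (!it) print "profile: install_type missing"
             if (!st) print "profile: system_type missing"
             exit !(it && st)
         }' "$1"
}

# check_dfstab DFSTAB_FILE
# A share with anon=0 maps the unauthenticated client to root; flag it unless it is read-only.
check_dfstab() {
    awk '$1 == "share" && /anon=0/ && !/(^|[ ,])ro([ ,]|$)/ {
             print "dfstab: read-write export with anon=0: " $0; bad = 1
         }
         END { exit bad ? 1 : 0 }' "$1"
}
```

Run the three checks from /export/config before add_install_client; a non-zero exit from any of them means the client will either fail to find its profile or install from a share it could also write to.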


Setting Up a Boot-Only Server

A boot server responds to RARP, TFTP and bootparams requests from JumpStart clients and provides a boot image using the NFS service.
1. Run the setup_install_server script with the -b option to spool a boot image from CD-ROM or DVD
2. Run the add_install_client script with the options and arguments that point the client at the servers providing the identification, configuration and installation services

Executing the setup_install_server script
# mkdir /export/install
# cd /cdrom/cdrom0/s0/Solaris_9/Tools
# ./setup_install_server –b /export/install
Executing the add_install_client script
Before you run the script, update the hosts and ethers information for the jumpstart client

/etc/inet/hosts
192.10.10.4 client1

/etc/ethers
8:0:20:9c:88:5b client1

The boot server must have entry in /etc/inet/hosts file for each server you specify while you run add_install_client script.
# cd /export/install/Solaris_9/Tools
# ./add_install_client –c server1:/export/config –p server1:/export/config client1 sun4u

Name Services / Using

/etc/rc2.d/S72inetsvc script -- Starts DNS during system boot
/etc/rc2.d/S71rpc script -- Starts NIS and NIS+ during system boot
/etc/rc2.d/S72directory script -- Starts the iPlanet Directory Server during system boot

Name Services -- DNS, NIS, NIS+, LDAP

The name service switch file determines which services a system uses to search for information and the order in which the name services are searched. All Solaris OE systems use the /etc/nsswitch.conf file as the name service switch file. nsswitch.conf is loaded with the contents of a template file during the installation of the Solaris OE, depending on the name service that is selected.

Name Service -- Name Service Template
Local Files -- /etc/nsswitch.files
DNS -- /etc/nsswitch.dns
NIS -- /etc/nsswitch.nis
NIS+ -- /etc/nsswitch.nisplus
LDAP -- /etc/nsswitch.ldap

Configuring the Name Service Cache Daemon (nscd)

The nscd daemon provides a cache for the most common name service requests. The /etc/nscd.conf file controls the behaviour of the nscd daemon. The nscd daemon provides caching for the passwd, group, hosts, ipnodes, exec_attr, prof_attr and user_attr databases. Each line of nscd.conf specifies either an attribute and a value, or an attribute, a cache name, and a value.

# /etc/init.d/nscd stop (or) start

The getent command provides a generic retrieval interface for searching the name service databases. As a system administrator, you can query each information source directly with tools such as
ypcat NIS namespace
nslookup DNS
ldaplist LDAP
But these tools do not consult the nsswitch.conf file, whereas the getent command searches the information sources in the order in which they are configured in the name service switch file. So getent shows what the system itself will resolve, and any error in the switch file shows up in its results.

getent database [key]…
database -- The name of the database to be examined. This name can be passwd, group, hosts, ipnodes, services, protocols, ethers, networks, or netmasks.

# getent passwd lp
lp:x:71:8:Line Printer Admin:/usr/spool/lp:

# getent group 10
staff::10:

# getent hosts sys44
192.168.38.44 sys44 loghost (loghost will be absent if NIS is searched before files and the NIS hosts map does not carry that alias)
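The point made in the two nsswitch passages above (the position of a keyword on the hosts line, and getent honouring that order while ypcat does not) is easiest to see with the lookup replayed by hand. The functions below are an added example, not part of the original notes and not Sun's resolver: two constructed in-memory sources stand in for /etc/inet/hosts and the NIS hosts map, and a getent-style lookup walks them in the order taken from a hosts: line. The source data are constructed for the example; dns and other sources are treated as unavailable, since the example runs offline.

```shell
# Added example: replay nsswitch.conf source ordering for the hosts database (not Sun code).

# Constructed stand-ins for /etc/inet/hosts and the NIS hosts map.
# Only the local file carries the loghost alias for sys44.
FILES_HOSTS='127.0.0.1 localhost
192.168.38.44 sys44 loghost'
NIS_HOSTS='192.168.38.44 sys44
192.168.38.41 sys41'

# nsswitch_hosts_sources "hosts: files nis" -> "files nis"
# Extracts the ordered source list from a hosts line as it appears in nsswitch.conf.
nsswitch_hosts_sources() {
    printf '%s\n' "$1" | awk '$1 == "hosts:" { $1 = ""; sub(/^ /, ""); print; exit }'
}

# lookup_in_source SOURCE KEY -> prints the matching line, or nothing
# Any source other than files/nis (dns, ldap, [NOTFOUND=return] ...) is unavailable offline.
lookup_in_source() {
    case $1 in
        files) data=$FILES_HOSTS ;;
        nis)   data=$NIS_HOSTS ;;
        *)     data='' ;;
    esac
    printf '%s\n' "$data" | awk -v k="$2" '
        { for (i = 2; i <= NF; i++) if ($i == k) { print; exit } }'
}

# getent_hosts "hosts: ..." KEY
# Consults the sources in switch order and returns the first answer, as getent does;
# exit status 2 ("key not found") when no source answers.
getent_hosts() {
    for src in $(nsswitch_hosts_sources "$1"); do
        result=$(lookup_in_source "$src" "$2")
        if [ -n "$result" ]; then
            printf '%s\n' "$result"
            return 0
        fi
    done
    return 2
}
```

With "hosts: files nis" the answer for sys44 includes loghost; with "hosts: nis files" the NIS map answers first and the alias disappears, which is exactly the difference the note on getent hosts sys44 describes. Querying the NIS map directly with ypcat would show the NIS line in both cases, which is why getent, not ypcat, is the tool for checking what the system resolves.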

Copyright © Sun solaris admin