Wednesday, July 28, 2010

NIS

ypcat (group, passwd)
ypstart         # linux
ypbind
ypinit          # client, specify machines to bind to
# server, specify whether master or slave
ypwhich         # tell what NIS server machine is bound to.
passwd
yppasswd (obsolete, for compatibility only)
ypcat -k auto.master    (-k to display the key name too!)
ypcat -k auto.direct    (the direct map, use /-)
/var/yp/binding/DOMAIN/ypservers        # list of ypservers that can be used (non broadcast mode)
passwd 
pwconv  update shadow file based on new user addition to passwd (does not set password)
passwd  [uid]           change password for user
chown   [uid]:[gid]     /home/[user]    change user home dir ownership
shadow fields (all numbers are in days):
eg: username:cV5MnNBnaUIbM:13362:0:99999:7:::
[---1--] [-----2-----] [-3-] 4 [-5-] 6 (78)
1: username 
2: encrypted password 
3: last password change - days since 1970/01/01.  Subtract from this number:
12775 = days since 2005/01/01
13140 = days since 2006/01/01
13505 = days since 2007/01/01 
4: password next change      - 0 means password can change at any time.
5: password change required within X days   - 99999 means next life time :)
6: warning for expiration
7: account deactivation in X days - usually empty
8: acc expiration       - usually empty
9: reserved
w change : allowed next change : 
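Added example (not from the original notes): a small POSIX sh helper that pulls the fields out of a shadow entry by number and checks the password age against the max-age field (field 5), treating an empty max-age as "never expires". The entry below is constructed; the hash is a placeholder, not a real one, and the `days_to_date` helper assumes GNU `date -d`.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Constructed shadow entry: placeholder hash, not a real account.
SAMPLE_SHADOW='username:cV5MnNBnaUIbM:13362:0:99999:7:::'

# shadow_field ENTRY N : print field N (1=user, 2=hash, 3=last change,
# 4=min days, 5=max days, 6=warn days, 7=inactive days, 8=expire day, 9=reserved)
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# today_days : the current day number in the same unit shadow uses
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# days_to_date N : turn a shadow day number back into YYYY-MM-DD
# (assumes GNU date; not used by the checks below)
days_to_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# password_age_days ENTRY TODAY : days elapsed since the last change (field 3)
password_age_days() {
    echo $(( $2 - $(shadow_field "$1" 3) ))
}

# password_expired ENTRY TODAY : exit 0 when the password is older than the
# max-age field (field 5); an empty max-age field means "never expires"
password_expired() {
    max=$(shadow_field "$1" 5)
    [ -n "$max" ] || return 1
    [ "$(password_age_days "$1" "$2")" -gt "$max" ]
}

# Stand-alone run: report on the sample entry relative to today.
now=$(today_days)
printf '%s: password is %s days old (max %s)\n' \
    "$(shadow_field "$SAMPLE_SHADOW" 1)" \
    "$(password_age_days "$SAMPLE_SHADOW" "$now")" \
    "$(shadow_field "$SAMPLE_SHADOW" 5)"
if password_expired "$SAMPLE_SHADOW" "$now"; then
    echo "expired: user must change password"
else
    echo "still within max age"
fi
```

The day arithmetic is kept separate from `date` so the same functions can be pointed at a frozen "today" value when auditing an old `ypcat passwd` dump rather than a live system.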
---
NIS+
nismatch  -M name=tin passwd.org_dir
nismatch  tinh        passwd 
nismatch  grpname     netgroup.org_dir
nisgrep ...

NIS server setup

vi map files
make
(eg /var/ypmaps, /var/yp).
NIS client
/etc/defaultdomain
/etc/hosts  list of all nis servers
ypinit -c 
setup NIS client.
Use a predefined list nis servers,  thus avoid the need to use broadcast.
NOTE: a user can belong to a max of 16 groups; the surplus will not be recognized by the system
and the user will get non-group-membership errors.
Client OS specific, defined in limits.h ::
limits.h:#define        NGROUPS_MAX     16      /* max number of groups for a user */
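Added example (not from the original notes): an sh/awk check that counts how many groups each user is listed in, from `group`-file or `ypcat group` style lines, and flags anyone over a limit such as the 16 of `NGROUPS_MAX`. Only the secondary memberships present in the group map are counted; the primary gid from `passwd` is not included. The user and group names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# write_sample_groups FILE : constructed group map; "alice" ends up in
# 17 groups, "bob" in 3, plus one group with no members
write_sample_groups() {
    : > "$1"
    i=1
    while [ "$i" -le 17 ]; do
        if [ "$i" -le 3 ]; then members="alice,bob"; else members="alice"; fi
        echo "proj$i:x:$((1000 + i)):$members" >> "$1"
        i=$((i + 1))
    done
    echo "empty:x:2000:" >> "$1"
}

# group_counts FILE : print "user count" for every user named in field 4
group_counts() {
    awk -F: '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] != "") c[m[i]]++ }
        END { for (u in c) print u, c[u] }' "$1" | sort
}

# users_over_limit FILE LIMIT : only the users whose count exceeds LIMIT
users_over_limit() {
    group_counts "$1" | awk -v limit="$2" '$2 > limit'
}

# Stand-alone run against the sample, using the 16-group limit from the note.
TMP_GROUPS=$(mktemp)
write_sample_groups "$TMP_GROUPS"
echo "users over 16 groups:"
users_over_limit "$TMP_GROUPS" 16
rm -f "$TMP_GROUPS"
```

To run it against a live map, replace the sample file with `ypcat group > /tmp/group.map` and call `users_over_limit /tmp/group.map 16`.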
---
master server
domainname NISdomainName
ypinit -m
ypserv
removing old slaves, p69:
ypcat -k ypservers | grep -v oldsvr | makedbm - /var/yp/`domainname`/ypservers
Hon's approach (-u = undo)
/usr/lib/yp/makedbm -u ypservers /tmp/ypservers
vi /tmp/ypservers   # update file, need all slave and master
makedbm /tmp/ypservers ypservers # recreate the ypservers map
makedbm ypservers /tmp/ypservers # not sure of param seq
# at the end, ypcat -k ypservers need to list the master server as well.
in practice, I did:
cat /var/ypmaps/yp_slave.txt | makedbm - ypservers
or
cd /var/yp/arbor..com
cat yp_slave.txt | makedbm - ypservers
ypstop; ypstart # maybe needed, kill all yp* processes, especially yppush
and that will recreate ypservers.pag and timestamp ypservers.dir
yp_slave.txt is a text file that I create myself.  It lists all the slave servers;
hostnames should be okay if they are in /etc/hosts, but sometimes I used IPs.
update the db w/o pushing the maps to the clients, which may be down:
./make NOPUSH=true passwd
2004/01: getting issues after updating NIS master passwd, make and stuff:
clients don't see the latest changes, even if they appear in ypcat.
Seems to be client-side resolver; editing nsswitch to remove/re-add nis seems to reset things.
Not sure if it's because the NIS master needs to timestamp other things.
1996/11/03 geneusa
ypservers.txt needs to have key and actual entry, so the file needed to be:
(and no # comments; # is not treated specially)
verso           verso.geneusa.com
papp-bapp1 papp-bapp1.geneusa.com
pdir-nis01 pdir-nis01.geneusa.com
and watch out for trailing space at the end of the line, which will be incorporated into the server name
and result in host not found!!
cat ypservers.txt | /usr/lib/yp/makedbm - ypservers
the final dbdump file named ypservers need to be in the folder of the domain name, eg
/var/yp/tularik.com/ypservers
Hmm... very strange... more testing using make reveals that the makedbm for ypservers is not needed!
all that make wants is a plain text file in /var/yp/ypservers,
one host per line, no other format.  make depends on this to do the push.
eg:
# cat ypservers   # the orig file
verso.geneusa.com
firth.geneusa.com
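Added example (not from the original notes): a POSIX sh check for a hand-written ypservers source file before it goes into makedbm, catching the two pitfalls noted above, trailing whitespace that becomes part of the server name and `#` lines that makedbm does not treat as comments, plus a `clean_ypservers` that strips both so the output is safe to pipe into `makedbm - ypservers`. The host names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes.

# write_sample_ypservers FILE : three constructed lines; the second has a
# trailing space and the third is a '#' line
write_sample_ypservers() {
    {
        printf 'verso           verso.example.com\n'
        printf 'papp-bapp1 papp-bapp1.example.com \n'
        printf '# pdir-nis01 pdir-nis01.example.com\n'
    } > "$1"
}

# check_ypservers FILE : one message per bad line; exit 1 if anything was found
check_ypservers() {
    tab=$(printf '\t')
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *' '|*"$tab")
                echo "line $n: trailing whitespace would become part of the server name"
                status=1 ;;
        esac
        case "$line" in
            '#'*)
                echo "line $n: '#' is not a comment to makedbm; this line would become a map entry"
                status=1 ;;
        esac
    done < "$1"
    return "$status"
}

# clean_ypservers FILE : drop trailing whitespace, '#' lines and blank lines,
# printing only what is safe to feed to "makedbm - ypservers"
clean_ypservers() {
    sed -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1"
}

# Stand-alone run
TMP_YP=$(mktemp)
write_sample_ypservers "$TMP_YP"
check_ypservers "$TMP_YP" || echo "fix the file before running makedbm"
echo "cleaned:"
clean_ypservers "$TMP_YP"
rm -f "$TMP_YP"
```

On a real master the flow would be `check_ypservers /var/yp/ypservers.txt && clean_ypservers /var/yp/ypservers.txt | makedbm - ypservers`, so a bad line stops the map from being rebuilt instead of silently producing an unreachable server name.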
---
setting up slave server
domainname ...
ypinit -s MASTER-hostname
ypserv
don't forget /etc/nsswitch.conf
Linux:
http://www.linux.org/docs/ldp/howto/NIS-HOWTO/ypserv.html
/etc/sysconfig/network 
/etc/yp.conf
need to be setup correctly to be in NIS DOMAIN to begin with.
get ypserv rpm
/usr/lib/yp/ypinit -s MASTER_SVR_HOSTNAME
start ypserv (from init.d, may need to link rc3.d...)
rpcinfo -u localhost ypserv # test it
update slave's crontab to grp info using ypxfr
---
Adding new maps.
On master server, edit 
auto_master
plus any additional files, such as auto_products
Then, need to update Makefile to create dbm file out of the source.
Remember the pickiness of Makefile: it requires a Tab as separator in many places!
Then, after the Makefile is updated, the slave servers need to be updated also.
On the NIS slave, redo ypinit -s 
so that it will reread what maps are available and load them all.
Otherwise, they will never get the new maps!!
----
NIS client setup for RH9 in brio.  (2003/07)
vi /etc/sysconfig/network :
HOSTNAME=
NISDOMAIN=brio.com
DOMAINNAME=brio.com
vi /etc/nsswitch.conf, edit lines to match the following:
passwd:     files nis
shadow:     files nis
group:      files nis
automount:  files nis
# create startup scripts
cd /etc/rc.d/rc3.d
ln -s ../init.d/ypbind ./S27ypbind
cd /etc/rc.d/rc5.d
ln -s ../init.d/ypbind ./S27ypbind
start NIS client:
/etc/init.d/ypbind start
start automounter:
/etc/init.d/autofs start
restart ssh daemon (if you forget to do this, NIS users will NOT be able to log in!):
/etc/init.d/sshd restart