[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]
Network Information Services (NIS and NIS+) Guide

Setting Up NIS+ Tables

This section provides step-by-step instructions for using the NIS+ command set to populate NIS+ tables on a root or nonroot master server from /etc files or NIS maps. This section also describes how to transfer information back from NIS+ tables to NIS maps, a procedure that may be required during a transition from NIS to NIS+. Finally, it includes two tasks that describe how to limit access to the passwd column of the passwd table:

Note: It is much easier to perform this task with the NIS+ installation scripts than with the NIS+ command set as described here. The methods described in this section should be used only by those administrators who are very familiar with NIS+ and who require some nonstandard features or configurations not provided by the installation scripts.

See Configuration Worksheets for worksheets that you can use to plan your NIS+ namespace.

You can populate NIS+ tables in four ways:

When populating tables from maps or files, the tables should have already been created in the process of setting up a root or subdomain as explained in Setting Up the Root Domain, and Setting Up a Nonroot Domain. Although you can populate a domain's tables at any time after they are created, it is recommended that you do so immediately after setting up the domain. This enables you to add clients more easily, since the required information about the clients should already be available in the domain's tables.

When you populate a table--whether from a file or an NIS map--you can use any of three options:

When updating a large table with a file or map whose contents are not vastly different from those of the table, the merge option can spare the server a great many operations. Because it deletes only the entries that are not duplicated in the source (the replace option deletes all entries, indiscriminately), it saves one delete and one add operation for every duplicate entry. Therefore, this is the preferred option.

Populating NIS+ Tables From Files

This task transfers the contents of an ASCII file, such as /etc/hosts, into an NIS+ table.

Here is an outline of the procedure:

  1. Checking the content of each file that you will be transferring data from.
  2. Making a copy of each file. Using this copy to make the actual transfer from. (In this guide, copies of files to be transferred have names ending in xfr (for example, hosts.xfr).
  3. Logging in to an NIS+ client. (You must have credentials and permissions allowing you to update the tables. See Security Considerations.)
  4. Adding /usr/lib/nis to the search path for this shell (if not already done).
  5. Using nisaddent to transfer any of these files one at a time: aliases, bootparams, ethers, group, hosts, netgroup, netmasks, networks, passwd, protocols, rpc, services.
  6. Transferring the publickey file.
  7. Transferring the automounter information.
  8. Checkpointing the tables.

Security Considerations

You can perform this task from any NIS+ client, including the root master server, as long as you have the proper credentials and access rights. If you are going to replace or merge the entries in the table with the entries from the text file, you must have create and destroy rights to the table. If you are going to append the new entries, you only need create rights.

Note: The NIS+ security system is complex. If you are not familiar with NIS+ security, you may wish to review the security-related sections of this book before starting to set up your NIS+ environment.

After you complete this operation, the table entries will be owned by the NIS+ principal that performed the operation and the group specified by the NIS_GROUP environment variable.

Prerequisites

You need the name and location of the text files that will be transferred.

Procedure

  1. Check each file that you will be transferring data from.

    Make sure that there are no spurious or incorrect entries. Make sure that the right data is in the correct place and format properly. Remove any outdated, invalid, or corrupt entries. You should also remove any incomplete or partial entries. (It is easier to add incomplete entries after setup than to try transferring incomplete or damaged entries from the file.)

  2. Make a working copy of each file you will be transferring.

    Use this working copy for the actual file transfer steps described in this section. Give each working copy the same filename extension (for example, .xfr).

    rootmaster% cp /etc/hosts /etc/hosts.xfr
  3. Log in to an NIS+ client.

    You can perform this task from any NIS+ client--just be sure that the client belongs to the same domain as the tables into which you want to transfer the information. The examples in this task use the root master server. Since the administrator in these examples is logged on as superuser, the NIS+ principal actually performing this operation (and therefore needing the proper credentials and access rights) is the root master server.

  4. Add /usr/lib/nis to the search path for this shell.

    Since you will be using the /usr/lib/nis/nisaddent command once per table, adding its prefix to the search path will save you the trouble of typing it each time.

    rootmaster# PATH=$PATH:/usr/lib/nis
    rootmaster# export PATH
  5. Use nisaddent to transfer any of these files, one at a time:

    aliases, auto_home, auto_master, bootparams, ethers, group, hosts, netgroup, netmasks, networks, protocols, rpc, services

    The publickey, automounter, and passwd files require slightly different procedures; each is described separately in the following steps.

    By default, nisaddent appends the file information to the table information. To replace or merge instead, use the -r or -m options.

    To replace:

    rootmaster# nisaddent -r -f filename table [domain] 

    To append:

    rootmaster# nisaddent -a -f filename table [domain]

    To merge:

    rootmaster# nisaddent -m -f filename table [domain]

    The best option for populating the tables for the first time is the -a option, the default. The best option to synchronize the NIS+ tables with NIS maps or /etc files is the -m (merge) option.

    If you perform this operation from a non-root server, keep in mind that a non-root server belongs to the domain above the one it supports; therefore, it is a client of another domain. For example, the Sales.Wiz.Com. master server belongs to the Wiz.Com. domain. To populate tables in the Sales.Wiz.Com. domain from that master server, you would have to append the Sales.Wiz.Com. domain name to the nisaddent statement.

    salesmaster# nisaddent -f /etc/hosts.xfr hosts Sales.Wiz.Com. 

    If you performed this operation as a client of the Sales.Wiz.Com. domain, you would not need to append the domain name to the syntax.

  6. To verify that the entries were transferred into the NIS+ table, use the niscat command.
    rootmaster# niscat group.org_dir
    root::0:root
    other::1::
    bin::2:root,bin,daemon
    .
    .
    .
  7. Transfer the publickey file.

    Since the domain's cred table already stores some credentials, you need to make sure they are not overwritten by the contents of the publickey text file that you transfer into the cred table. You can avoid this by removing those credentials from the publickey text file. For rootmaster, that line would be:

    unix.rootmaster@Wiz.Com public-key:private-key

    Then you can transfer the contents of the publickey file to the cred table. Use nisaddent, with the -a (add) option.

    rootmaster# nisaddent -a -f /etc/publickey.xfr -t cred.org_dir publickey \
      [domain]

    Note, however, that this operation only transfers DES credentials into the cred table. You will still need to create their LOCAL credentials to the cred table.

  8. Transfer the automounter information.

    Although the nissetup utility creates auto_master and auto_home tables, they are not considered standard NIS+ tables. Therefore, transferring information into them requires a slightly different syntax; in particular, you must use the -t flag and specify that the table is of type key-value.

    rootmaster# nisaddent -f auto.master.xfr -t auto_master.org_dir key-value 
    rootmaster# nisaddent -f auto.home.xfr   -t auto_home.org_dir   key-value
  9. Build the NIS+ passwd table.

    The NIS+ passwd table is composed of data drawn from the /etc/passwd file.

    rootmaster# nisaddent -m -f /etc/passwd.xfr passwd
  10. Checkpoint the tables.

    This step ensures that all the servers supporting the domain transfer the new information from their .log files to the disk-based copies of the tables. If you have just set up the root domain, this step affects only the root master server, since the root domain does not yet have replicas. Use the nisping command with the -C (uppercase) option.

    rootmaster# nisping -C org_dir 
    Checkpointing replicas serving directory org_dir.Wiz.Com. :
    Master server is rootmaster.Wiz.Com.
         Last update occurred at July 14, 1994
     
    Master server is rootmaster.Wiz.Com.
    checkpoint succeeded.
    Attention: If you do not have enough swap space, the server cannot checkpoint properly, but it does not notify you. One way to make sure all went well is to list the contents of a table with the niscat command. If you do not have enough swap space, you see this error message:
    can't list table: Server busy, Try Again.

    Even though it does not seem to, this message indicates that you do not have enough swap space. Increase the swap space and checkpoint the domain again.

Populating NIS+ Tables From NIS Maps

This task transfers the contents of an NIS map into an NIS+ table. Here is a list of the steps:

  1. Checking the content of each NIS map that you will be transferring data from.
  2. Logging in to an NIS+ client.
  3. Adding /usr/lib/nis to the search path for this shell.
  4. Using nisaddent to transfer any of these maps, one at a time: aliases, auto_home, auto_master, bootparams, ethers, group, hosts, netgroup, netmasks, networks, passwd, protocols, rpc, services.
  5. Transferring the publickey map.
  6. Transferring the automounter information.
  7. Checkpointing the tables.

Security Considerations

You can perform this task from any NIS+ client as long as you (or superuser on the client) have the proper credentials and access rights. If you are going to replace or merge the entries in the table with the entries from the NIS map, you must have create and destroy rights to the table. If you are going to append the new entries, you only need create rights.

After you complete this operation, the table entries will be owned by the NIS+ principal that performed the operation (either you or, if logged on as superuser, the client) and the group specified by the NIS_GROUP environment variable.

Prerequisites

You need the name and location of the NIS maps.

Procedure

  1. Check each NIS map that you will be transferring data from.

    Make sure that there are no spurious or incorrect entries. Make sure that the right data is in the correct place and format properly. Remove any outdated, invalid, or corrupt entries. You should also remove any incomplete or partial entries. (It is easier to add incomplete entries after setup than to try transferring incomplete or damages entries from the map.)

  2. Log in to an NIS+ client.

    You can perform this task from any NIS+ client--so long as that client belongs to the same domain as the tables into which you want to transfer the information. The examples in this task use the root master server. Since the administrator in these examples is logged in as superuser, the NIS+ principal actually performing this operation (and therefore needing the proper credentials and access rights) is the root master server.

  3. Add /usr/lib/nis to the search path for this shell.

    Since you will be using the /usr/lib/nis/nisaddent
    command once for each table, adding its prefix to the search path will save you the trouble of typing it each time.

    rootmaster# PATH=$PATH:/usr/lib/nis 
    rootmaster# export PATH
  4. Use nisaddent to transfer any of these maps, one at a time:

    aliases, auto_home, auto_master, bootparams, ethers, group, hosts, netgroup, netmasks, networks, passwd, protocols, rpc, services.

    By default, nisaddent appends the file information to the table information. To replace or merge instead, use the -r or -m options: To replace:

    rootmaster# nisaddent -r -y nisdomain   table 

    To append:

    rootmaster# nisaddent -a -y nisdomain   table 

    To merge:

    rootmaster# nisaddent -m -y nisdomain   table 

    The best option for populating the tables for the first time is the -a option, which is the default. The best option to synchronize the NIS+ tables with NIS maps or /etc files is the -m (merge) option.

    The -y (lowercase) option indicates an NIS domain instead of a text file. The nisdomain argument is the name of the NIS domain whose map you are going transfer into the NIS+ table. You do not have to name the actual map; the nisaddent utility automatically selects the NIS map that correspond to the table argument. Here are some examples:

    rootmaster# nisaddent -m -y oldwiz hosts
    rootmaster# nisaddent -m -y oldwiz passwd
    rootmaster# nisaddent -m -y oldwiz groups

    The first example transfers the contents of the hosts.byname and hosts.byaddr maps in the oldwiz (NIS) domain to the NIS+ hosts table in the root domain (NIS+). The second transfers the NIS maps that store password-related information into the NIS+ passwd table. The third does the same with group-related information.

  5. Transfer the publickey map.

    Since the domain's cred table already stores some credentials, you need to make sure they are not overwritten by the contents of the publickey map that you transfer into the cred table.

  6. First, dump the publickey map to a file and then open that file with your text editor.
    rootmaster# makedbm -u /var/yp/oldwiz/publickey.byname /etc/publickey.xfr 
    rootmaster# vi /tmp/publickey.tmp
  7. Now remove the credentials of the workstation you are logged in to from the publickey map.

    For rootmaster, that line would be:

    unix.rootmaster@Wiz.Com public-key:private-key
  8. Now you can transfer the contents of the file--not the map--into the cred table. Use nisaddent, with the -a (add) option.
    rootmaster# nisaddent -a -f /etc/publickey.xfr -t cred.org_dir Publickey

    Note, however, that this operation transfers only DES credentials into the cred table. You will still need to create their LOCAL credentials to the cred table.

  9. Transfer the automounter information.

    Although the nissetup utility creates auto_master and auto_home tables, they are not considered standard NIS+ tables. Therefore, transferring information into them requires a slightly different syntax:

    rootmaster# nisaddent -y oldwiz -Y auto.master -t auto_master.org_dir key-value
    rootmaster# nisaddent -y oldwiz -Y auto.home -t auto_home.org_dir key-value 

    The -m and -y options are still required, as is the NIS domain name (in this instance, oldwiz). However, you must precede the name of the NIS map (for example, auto.master) with a -Y (uppercase).Then, as is required when transferring automounter text files, you must use the -t option, which indicates that this is a nonstandard NIS+ table. Its arguments are the name of the NIS+ directory object (auto_master.org_dir) and the type of table (key-value). Be sure to append the org_dir suffixes to the NIS+ table names.

  10. Checkpoint the tables.

    This step ensures that all the servers supporting the domain transfer the new information from their .log files to the disk-based copies of the tables. If you just finished setting up the root domain, this step affects only the root master server, since the root domain does not yet have replicas. Use the nisping command with the -C (uppercase) option.

    rootmaster# nisping -C org_dir
    Checkpointing replicas serving directory org_dir.wiz.com. :
    Master server is rootmaster.wiz.com.
         Last update occurred at July 14, 1994
     
    Master server is rootmaster.wiz.com.
    checkpoint succeeded.

    If you do not have enough swap space, the server will be unable to checkpoint properly, but it will not notify you. One way to make sure all went well is to use list the contents of a table with the niscat command. If you do not have enough swap space, you will see this error message:

    can't list table: Server busy, Try Again.

    Even though it does not seem to, this message indicates that you do not have enough swap space. Increase the swap space and checkpoint the domain again.

Transferring Information From NIS+ to NIS

This task transfers the contents of NIS+ tables into the NIS maps on an NIS master server. Here is a an outline of the procedure:

  1. Logging into the NIS+ server.
  2. Transferring the NIS+ tables into output files.
  3. Transferring the contents of the output files to the NIS maps.

Security Considerations

To perform this task, you must have read access to each table whose contents you transfer.

Prerequisites

The maps must have already been built on the NIS server.

Procedure

  1. Log into the NIS+ server.

    This example uses the server named dualserver.

  2. Transfer the NIS+ tables into output files.

    Use the nisaddent command with the -d option, once for each table.

    dualserver% /usr/lib/nis/nisaddent -d -t table tabletype > filename

    The -d option transfers the contents of table to filename, converting the contents back to standard /etc file format.

  3. Transfer the contents of the output files into the NIS maps.

    The NIS+ output files are ASCII files that you can use as input files for the NIS maps. Copy them into the NIS master's /etc directory, and then use make as usual.

    dualserver# cd /var/yp
    dualserver# make

Limiting Access to the Passwd Column to Owners and Administrators

This task describes how to limit read access to the password-related columns of the passwd table only to the entry owner and the table administrators without affecting the read access of other authenticated principals (including applications) to the remaining columns of the passwd table.

This task establishes the following rights:

                        Nobody  Owner  Group  World
Table Level Rights   :  ----    rmcd   rmcd   ----
Passwd Column Rights :  ----    rm--   rmcd   ----
Shadow Column Rights :  ----    rm--   rmcd   ----

Security Considerations

Prerequisites

All you need is the name of the passwd table.

Procedure

  1. Log in to the domain's master server.

    The examples in this task use the root master server, rootmaster.

  2. Check the current table and column permissions.

    Use the niscat -o command.

    rootmaster# niscat -o passwd.org_dir

    This task assumes the existing permissions are:

    Access Rights    : ----rmcdrmcdr---
    Columns          :
            [0]  Name          : name
                 Access Rights : r-----------r---
            [1]  Name          : passwd
                 Access Rights : -----m----------
            [2]  Name          : uid
                 Access Rights : r-----------r---
            [3]  Name          : gid
                 Access Rights : r-----------r---
            [4]  Name          : gcos
                 Access Rights : r----m------r---
            [5]  Name          : home
                 Access Rights : r-----------r---
            [6]  Name          : shell
                 Access Rights : r-----------r---
            [7]  Name          : shadow
                 Access Rights : r-----------r---

    If your permissions are different, you may need to use a different syntax. For instructions, see Administering NIS+ Access Rights.

  3. Change the table permissions.

    Use the nischmod command to change the table's object-level permissions to ---- rmcdrmcd ----

    rootmaster# nischmod og=rmcd,nw= passwd.org_dir
  4. Change the column permissions.

    Use the nistbladm command with the -u option to change the permissions of the passwd and shadow columns to:

    passwd    ---- rm-- ---- ----
    shadow   ---- r--- ---- ----
    rootmaster# nistbladm -u passwd=o+r, shadow=o+r passwd.org_dir 
  5. Verify the new permissions.

    Use the niscat -o command as you did earlier in this procedure. The permissions should look the same as they did before.

Table Population Summaries

Following are summaries of the steps required to populate NIS+ tables. They assume the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. For brevity, these summaries do not show the server's responses to each command.

Transferring NIS Files Into NIS+ Tables: Command Summary
Tasks Commands
Log in to an NIS+ client.
rootmaster%
Create working copies of the files to be transferred.
% cp /etc/hosts /etc/hosts.xfr
% .
Add /usr/lib/nis to search path.
% PATH=$PATH:/usr/lib/nis; export PATH
Transfer each file, one at a time.
% nisaddent -m -f /etc/hosts.xfr hosts
% .
% .
Remove old server credentials from publickey file.
% vi /etc/publickey.xfer
% .
Transfer it to the cred table.
% nisaddent -a -f /etc/publickey.xfr cred
Transfer the automounter files.
% nisaddent -f auto.master.xfr -t auto_master.org_dir key-value
% nisaddent -f auto.home.xfr -t auto_home.org_dir key-value
Checkpoint the table directory.
% nisping -C org_dir
Transferring NIS Maps Into NIS+ Tables: Command Summary
Tasks Commands
Log in to an NIS+ client.
rootmaster%
Add /usr/lib/nis to search path.
% PATH=$PATH:/usr/lib/nis; export PATH
Transfer each map, one at a time.
% nisaddent -m -y oldwiz hosts
% .
% .
% .
Dump publickey map to a file.
% makedbm -u /var/yp/oldwiz/publickey.byname > /etc/publickey.xfr
Remove new credentials.
% vi /etc/publickey.xfr
% .
Transfer the publickey file.
% nisaddent -a -f /etc/publickey.xfr  -t cred.org_dir publickey
Transfer the automounter maps.
% nisaddent -y oldwiz -Y auto.master -t auto_master.org_dir key-value
% nisaddent -y oldwiz -Y auto.home -t auto_home.org_dir key-value
Checkpoint the table directory.
% nisping -C org_dir
Transferring NIS+ Tables to NIS Maps: Command Summary
Tasks Commands
Log in to NIS+ server.
dualserver%
Transfer NIS+ tables to files.
% /usr/lib/nis/nisaddent -d [-t table] tabletype > filename
% .
% .
% .
Transfer files to NIS maps.
% makedbm flags output-file NIS-dbm-file
Limiting Access to Passwd Column: Command Summary
Tasks Commands
Log into the domain's master server.
rootmaster#
Check the table's existing rights.
# niscat -o passwd.org_dir
Assign the table new rights.
# nischmod og=rmcd,nw=  passwd.org_dir
Assign the columns new rights
# nistbladm -u  passwd=o+r, shadow=n+r  passwd.org_dir
Verify the new rights.
# niscat -o passwd.org_dir


[ Next Article | Previous Article | Book Contents | Library Home | Legal | Search ]