Solaris: NIS installation and configuration
(This article has been updated from the original, which focused on Solaris 8 only, to include Solaris 10-specific entries. Where the commands or entries for Solaris 8 and Solaris 10 differ, they are written down in purple for Solaris 8 and green for Solaris 10. In addition, I have added an extra note about changing the NIS Makefile in the event that you're not going to use group passwords.)
This is a step-by-step account of the method I used to install and configure a NIS master and slaves on servers running Solaris 8 (and more recently, Solaris 10). The steps detailed for Solaris 8 should work fine on earlier versions of Solaris, but as I have not explicitly tested other versions (except as clients) you may encounter issues. The clients used with this setup ranged from Solaris 7 to Solaris 10. The installation was in a medium-sized Solaris-only farm (100+ hosts).
Configuring NIS on Solaris is not quite as straightforward as it is on other OSes (such as some Linux distros). This didn't really surprise me, even though NIS is Sun's product. What this does allow is a more tailored end product.
There are three points I'd like to emphasise concerning this article:
- This article is not a definitive how-to; there is more than one way to implement NIS. This way works, it's relatively straightforward, and is more secure than a default NIS installation.
- This article is not an endorsement of NIS over other naming systems. My recommendation to the client was to use LDAP, but NIS had been used before, they were more or less happy with it *, and it did what they wanted it to. Having said that NIS is still used on many sites, it's versatile, it's easy to set up and maintain, and it can be made more secure without too much extra effort.
- This article describes the set up of NIS only. Administration is another matter altogether.
- master server: system files and NIS maps
- all nis servers and clients: /etc/nsswitch.conf
- master server: passwd, passwd.adjunct and shadow
- set up and start the NIS master server
- set up and start a NIS slave server
- set up and start a NIS client host
- useful links
master server: system files and NIS maps
The default location for NIS maps is under /etc. I've used the existing system files apart from the passwd and shadow maps. These two need to be separated from the master server host system files to prevent root and other system account entries appearing in the NIS passwd map. Some files currently under /etc/security may also need to be copied to /etc. The following files need to be created (use touch), or copied from other locations if they do not exist. Note that most will exist.
/etc/auto_home | should already exist
/etc/auto_master | should already exist
/etc/bootparams | create if required
/etc/ethers | create if required
/etc/group | should already exist
/etc/hosts | should already exist
/etc/inet/ipnodes | should already exist
/etc/mail/aliases | should already exist
/etc/netgroup | create if required
/etc/netid | create if required
/etc/netmasks | should already exist
/etc/networks | should already exist
/etc/passwd | should already exist; will copy to a different location and edit
/etc/protocols | should already exist
/etc/publickey | should already exist
/etc/rpc | should already exist
/etc/services | should already exist
/etc/shadow | should already exist; will copy to a different location and edit
/etc/timezone | echo "GB yourdomain" > /etc/timezone, where GB is your timezone and "yourdomain" is the name of your NIS domain
/etc/auth_attr | copy from /etc/security/auth_attr if required
/etc/exec_attr | copy from /etc/security/exec_attr if required
/etc/prof_attr | copy from /etc/security/prof_attr if required
/etc/audit_user | copy from /etc/security/audit_user if required
all nis servers and clients: /etc/nsswitch.conf
Later on, we will be copying /etc/nsswitch.nis to /etc/nsswitch.conf. The existing /etc/nsswitch.nis seems unusual to my eye, and I suggest the following changes. Whether or not you apply these changes depends on how your network is set up.
# cp /etc/nsswitch.nis /etc/nsswitch.nis.orig
Edit /etc/nsswitch.nis: change
hosts: nis [NOTFOUND=return] files
to read
hosts: files nis dns
and
automount: files nis
to read
automount: nis files
master server: passwd, passwd.adjunct and shadow
First we will create a separate directory (/etc/nis_etc) for the NIS passwd and shadow maps, plus another one (/etc/nis_etc/security) for the passwd.adjunct file.
# mkdir -p /etc/nis_etc/security
# cd /etc
# chmod -R 700 nis_etc
# cp passwd nis_etc/
# cp shadow nis_etc/
# cp passwd nis_etc/security/passwd.adjunct
# cd nis_etc
Now we need to edit /etc/nis_etc/passwd:
- Remove the following entries (the Solaris 8 list is given first, then the Solaris 10 list):
Solaris 8:
- root
- daemon
- bin
- sys
- adm
- lp
- uucp
- nuucp
- listen
- nobody
- noaccess
- nobody4
- sysadmin
- sshd
Solaris 10:
- root
- daemon
- bin
- sys
- adm
- lp
- uucp
- nuucp
- smmsp
- listen
- gdm
- webservd
- nobody
- noaccess
- nobody4
- Edit each user entry, removing the password placeholder ("x" in the second field) and replacing it with two hashes and the username. E.g.:
bloggf01:x:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
becomes
bloggf01:##bloggf01:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
Doing this for a passwd file with 1000 entries can take a little while, so the following strategy may help:
# cd /etc/nis_etc
# mv passwd passwd.orig
# nawk -F ":" '{ printf "%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7 }' passwd.orig > passwd
Don't delete passwd.orig just yet!
- The passwd.adjunct file can be generated using a similar awk script:
# cd /etc/nis_etc
# nawk -F ":" '{ printf "%s:%s:::::\n", $1, $2 }' passwd.orig > security/passwd.adjunct
You can delete passwd.orig now if you want.
- Add the following two lines to the top of your NIS passwd map:
AUpwdauthd:##AUpwdauthd:10:10::/var/tmp:/bin/true
AUyppasswdd:##AUyppasswdd:11:10::/var/tmp:/bin/true
- And add the corresponding lines to your NIS passwd.adjunct map (same seven-field layout as the awk script above produces):
AUpwdauthd:*:::::
AUyppasswdd:*:::::
- Edit the NIS Makefile to reflect the new locations of the NIS passwd and shadow maps:
# cd /var/yp
# cp Makefile Makefile.orig
Edit /var/yp/Makefile so that the PWDIR variable is changed to /etc/nis_etc.
- If you're not using group passwords (and I'm not in this instance), then you could also edit the NIS Makefile to prevent worrying (but harmless) error messages appearing each time you run the make command. Change:
c2secure:
	-@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
		if [ ! $(NOPUSH) ]; then $(MAKE) $(MFLAGS) -k \
			passwd.adjunct.time group.adjunct.time; \
		else $(MAKE) $(MFLAGS) -k NOPUSH=$(NOPUSH) \
			passwd.adjunct.time group.adjunct.time; \
		fi; \
	fi
to:
c2secure:
	-@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
		if [ ! $(NOPUSH) ]; then $(MAKE) $(MFLAGS) -k \
			passwd.adjunct.time; \
		else $(MAKE) $(MFLAGS) -k NOPUSH=$(NOPUSH) \
			passwd.adjunct.time; \
		fi; \
	fi
Now edit /etc/nis_etc/shadow:
- Remove the same entries as you did with /etc/nis_etc/passwd:
Solaris 8:
- root
- daemon
- bin
- sys
- adm
- lp
- uucp
- nuucp
- listen
- nobody
- noaccess
- nobody4
- sysadmin
- sshd
Solaris 10:
- root
- daemon
- bin
- sys
- adm
- lp
- uucp
- nuucp
- smmsp
- listen
- gdm
- webservd
- nobody
- noaccess
- nobody4
- If you want to further tidy up /etc/nis_etc/shadow, you can. NIS only uses the first two fields, which are the user name and the encoded password.
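As an added example (not part of the original article), the following POSIX shell script automates the passwd and passwd.adjunct preparation above (dropping the system accounts, the ##user placeholder, the AUpwdauthd/AUyppasswdd header lines) and adds a check for the later step where ypcat passwd should list every entry in /etc/nis_etc/passwd. It uses awk in place of the article's nawk; the function names, the account list used and the sample entries are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: automates the passwd and
# passwd.adjunct preparation with awk (the article uses nawk on Solaris).

# System accounts that must not reach the NIS maps (the article's Solaris 10 list).
SYS_ACCOUNTS="root daemon bin sys adm lp uucp nuucp smmsp listen gdm webservd nobody noaccess nobody4"

# build_nis_maps SRC_PASSWD OUT_PASSWD OUT_ADJUNCT
# Writes "user:##user:uid:gid:gecos:home:shell" lines to OUT_PASSWD and
# "user:<field 2>:::::" lines to OUT_ADJUNCT, each headed by the AU* entries.
build_nis_maps() {
    printf '%s\n' 'AUpwdauthd:##AUpwdauthd:10:10::/var/tmp:/bin/true' \
        'AUyppasswdd:##AUyppasswdd:11:10::/var/tmp:/bin/true' > "$2"
    printf '%s\n' 'AUpwdauthd:*:::::' 'AUyppasswdd:*:::::' > "$3"
    awk -F: -v skip="$SYS_ACCOUNTS" -v adj="$3" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        /^#/ || NF != 7 { next }     # ignore comments and malformed entries
        ($1 in drop) { next }        # system accounts stay in the local files only
        {
            printf "%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7
            printf "%s:%s:::::\n", $1, $2 >> adj
        }' "$1" >> "$2"
}

# missing_from_map LOCAL_PASSWD YPCAT_OUTPUT
# Prints users in LOCAL_PASSWD that a saved "ypcat passwd" run does not list;
# empty output is the "all entries present" check from the master-server section.
missing_from_map() {
    awk -F: 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# Constructed sample standing in for the copied /etc/passwd.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd.orig" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
bloggf01:x:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
nobody:x:60001:60001:NFS Anonymous Access User:/:
EOF
    build_nis_maps "$d/passwd.orig" "$d/passwd" "$d/passwd.adjunct"
    cat "$d/passwd" "$d/passwd.adjunct"
    rm -rf "$d"
}

demo
```

Save the output of ypcat passwd to a file on the master and pass it as the second argument to missing_from_map to confirm nothing from /etc/nis_etc/passwd was dropped by the make.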
set up and start the NIS master server
Now we need to set the domainname, make sure the correct nsswitch.conf file is in place, and start the NIS master server processes.
# domainname yourdomain
# domainname > /etc/defaultdomain
The first time you start ypinit, it will need to get its naming information from local files:
# cp /etc/nsswitch.files /etc/nsswitch.conf
Add entries for all NIS slave servers to /etc/hosts. Start the NIS master server processes:
(The ypstart command is Solaris 8-specific; the svcadm commands are Solaris 10-specific. The rest are generic Solaris commands.)
# /usr/sbin/ypinit -m
# cp /etc/nsswitch.nis /etc/nsswitch.conf
# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm enable nis/server
# svcadm enable nis/client
Check that the NIS server is working:
# ypcat passwd
The output should contain all the entries in /etc/nis_etc/passwd.
set up and start a NIS slave server
On each prospective NIS slave server (and you'll need at least one):
# domainname yourdomain
# domainname > /etc/defaultdomain
Edit /etc/hosts to include entries for the NIS master and any other slaves you plan to add. To get the initial copies of the maps from the newly-created master, each prospective slave needs to be set up as a client:
# /usr/sbin/ypinit -c
You will be asked for a list of NIS servers. Add the hostname of the slave you're working on (i.e. the current host) first, then the master, then the remaining slaves, with those closest on the network first.
Stop ypbind if necessary.
(The ypstop/ypstart commands are Solaris 8-specific; the svcadm commands are Solaris 10-specific. The rest are generic Solaris commands.)
# /usr/lib/netsvc/yp/ypstop
(or)
# svcadm disable nis/client
Start it (again), and initialise the new slave:
# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm enable nis/client
# /usr/sbin/ypinit -s nismaster
Start ypserv and then put the correct nsswitch.conf file in place. You ought to edit the original /etc/nsswitch.nis beforehand (for example as described earlier), if you made changes to /etc/nsswitch.nis on the master server.
# /usr/lib/netsvc/yp/ypstop
# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm disable nis/server
# svcadm enable nis/server
# cp /etc/nsswitch.nis /etc/nsswitch.conf
set up and start a NIS client host
Remove a client from an existing NIS domain
# rm /etc/defaultdomain
# cd /var/yp
# pwd
/var/yp
# vi aliases (remove any uncommented entries)
The resulting file should look something like this:
#ident	"@(#)aliases	1.2	92/07/14 SMI"
#
# Aliases file - database of full length and truncated length domain and
# map names. Accessed by YP commands.
# rm -r domainname (the directory named after the old domain, if it exists)
# rm -r *.time (if any of these files exist)
# cd /var/yp/binding
# pwd
/var/yp/binding
# rm -r *
# cp /etc/nsswitch.files /etc/nsswitch.conf
Reboot the server.
Add a client to the new NIS domain
First make sure that the potential NIS client does not belong to an existing NIS domain. Remove it using the instructions above if required. Edit /etc/hosts to include entries for the NIS master and all slaves.
# domainname yourdomain
# domainname > /etc/defaultdomain
# ypinit -c
Add the following hosts:
- nis_master
- nis_slave
- nis_other_slave
- nis_master-a (other interface, if available)
- nis_slave-a (other interface, if available)
- nis_other_slave-a (other interface, if available)
Start NIS
(The ypstart command is Solaris 8-specific; the svcadm command is Solaris 10-specific. The rest are generic Solaris commands.)
# cp /etc/nsswitch.nis /etc/nsswitch.conf (edit the original /etc/nsswitch.nis beforehand as described earlier)
# /usr/lib/netsvc/yp/ypstart (normally called from /etc/init.d/rpc)
(or)
# svcadm enable nis/client
# ypwhich
should return nis_master. Also the following commands:
# ypcat hosts
# ypcat passwd
should return lots of relevant data.
useful links
Securing NIS by Doug Hughes. This is a very useful resource.
Solaris Network Information Services (NIS) Implementation (Lots of links, FAQs, recommended reading, etc. Some of this is outdated, but there is some interesting stuff here.)
Solaris NIS Minitutorial (Linked in from above. Worth reading if you have little or no exposure to NIS on Solaris.)
docs.sun.com: System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
If you modify entries in the /var/yp/securenets file, you must kill and restart the ypserv and ypxfrd daemons.