
95 Solaris: NIS installation and configuration

Wednesday 5th September, 2007

(This article has been updated from the original, which focused on Solaris 8 only, to include Solaris 10-specific entries. Where the commands or entries for Solaris 8 and Solaris 10 differ, they are written down in purple for Solaris 8 and green for Solaris 10. In addition, I have added an extra note about changing the NIS Makefile in the event that you're not going to use group passwords.)

This is a step-by-step account of the method I used to install and configure a NIS master and slaves on servers running Solaris 8 (and more recently, Solaris 10). The steps detailed for Solaris 8 should work fine on earlier versions of Solaris, but as I have not explicitly tested other versions (except as clients) you may encounter issues. The clients used with this setup ranged from Solaris 7 to Solaris 10. The installation was in a medium-sized Solaris-only farm (100+ hosts).

Configuring NIS on Solaris is not quite as straightforward as it is on other OSes (such as some Linux distros). This didn't really surprise me, even though NIS is Sun's product. What this does allow is a more tailored end product.

There are three points I'd like to emphasise concerning this article:

  • This article is not a definitive how-to; there is more than one way to implement NIS. This way works, it's relatively straightforward, and it is more secure than a default NIS installation.
  • This article is not an endorsement of NIS over other naming systems. My recommendation to the client was to use LDAP, but NIS had been used before, they were more or less happy with it *, and it did what they wanted it to. Having said that, NIS is still used on many sites, it's versatile, it's easy to set up and maintain, and it can be made more secure without too much extra effort.
  • This article describes the setup of NIS only. Administration is another matter altogether.

(* The client's existing NIS setup was very old and exhibited quirky behaviour on some rare occasions. In addition, it had allowed encoded password values to be seen when running ypcat passwd. This was not acceptable.)

master server: system files and NIS maps

The default location for the NIS source files is under /etc. I've used the existing system files apart from the passwd and shadow maps. These two need to be separated from the master server's own system files so that root and the other system accounts do not end up in the NIS passwd map. Some files currently under /etc/security may also need to be copied to /etc.

The following files need to be created (use touch), or copied from other locations if they do not exist. Note that most will exist.

/etc/auto_home should already exist
/etc/auto_master should already exist
/etc/bootparams create if required
/etc/ethers create if required
/etc/group should already exist
/etc/hosts should already exist
/etc/inet/ipnodes should already exist
/etc/mail/aliases should already exist
/etc/netgroup create if required
/etc/netid create if required
/etc/netmasks should already exist
/etc/networks should already exist
/etc/passwd should already exist; will copy to a different location and edit
/etc/protocols should already exist
/etc/publickey should already exist
/etc/rpc should already exist
/etc/services should already exist
/etc/shadow should already exist; will copy to a different location and edit
/etc/timezone echo "GB yourdomain" > /etc/timezone
where GB is your timezone and "yourdomain" is the name of your NIS domain
/etc/auth_attr copy from /etc/security/auth_attr if required
/etc/exec_attr copy from /etc/security/exec_attr if required
/etc/prof_attr copy from /etc/security/prof_attr if required
/etc/audit_user copy from /etc/security/audit_user if required

all nis servers and clients: /etc/nsswitch.conf

Later on, we will be copying /etc/nsswitch.nis to /etc/nsswitch.conf. The existing /etc/nsswitch.nis seems unusual to my eye, and I suggest the following changes. Whether or not you apply these changes depends on how your network is set up.

# cp /etc/nsswitch.nis /etc/nsswitch.nis.orig

Edit /etc/nsswitch.nis:

Change
hosts: nis [NOTFOUND=return] files
to read
hosts: files nis dns
and
automount: files nis
to read
automount: nis files

master server: passwd, passwd.adjunct and shadow

First we will create a separate directory (/etc/nis_etc) for the NIS passwd and shadow maps, plus another one (/etc/nis_etc/security) for the passwd.adjunct file.

# mkdir -p /etc/nis_etc/security
# cd /etc
# chmod -R 700 nis_etc
# cp passwd nis_etc/
# cp shadow nis_etc/
# cp passwd nis_etc/security/passwd.adjunct
# cd nis_etc

Now we need to edit /etc/nis_etc/passwd:

  1. Remove the following entries:
    Solaris 8:
    • root
    • daemon
    • bin
    • sys
    • adm
    • lp
    • uucp
    • nuucp
    • listen
    • nobody
    • noaccess
    • nobody4
    • sysadmin
    • sshd
    Solaris 10:
    • root
    • daemon
    • bin
    • sys
    • adm
    • lp
    • uucp
    • nuucp
    • smmsp
    • listen
    • gdm
    • webservd
    • nobody
    • noaccess
    • nobody4
  2. Edit each user entry, removing the password placeholder ("x" in the second field) and replacing it with two hashes and the username, e.g.:
    bloggf01:x:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
    becomes
    bloggf01:##bloggf01:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
    Doing this for a passwd file with 1000 entries can take a little while, so the following strategy may help:
    # cd /etc/nis_etc
    # mv passwd passwd.orig
    # nawk -F ":" '{ printf "%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7 }' passwd.orig > passwd
    Don't delete passwd.orig just yet!
  3. The passwd.adjunct file can be generated using a similar awk script:
    # cd /etc/nis_etc
    # nawk -F ":" '{ printf "%s:%s:::::\n", $1, $2 }' passwd.orig > security/passwd.adjunct
    You can delete passwd.orig now if you want.
  4. Add the following two lines to the top of your NIS passwd map:
    AUpwdauthd:##AUpwdauthd:10:10::/var/tmp:/bin/true
    AUyppasswdd:##AUyppasswdd:11:10::/var/tmp:/bin/true
  5. And add the corresponding lines to your NIS passwd.adjunct map:
    AUpwdauthd:*:::::
    AUyppasswdd:*:::::
  6. Edit the NIS Makefile to reflect the new locations of the NIS passwd and shadow maps:
    # cd /var/yp
    # cp Makefile Makefile.orig
    Edit /var/yp/Makefile so that the PWDIR variable is changed to /etc/nis_etc.
  7. If you're not using group passwords (and I'm not in this instance), then you could also edit the NIS Makefile to prevent worrying (but harmless) error messages appearing each time you run the make command:
    Change:
    c2secure:
            -@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
                    if [ ! $(NOPUSH) ]; then $(MAKE)  $(MFLAGS) -k \
                    passwd.adjunct.time group.adjunct.time; \
                    else $(MAKE) $(MFLAGS) -k NOPUSH=$(NOPUSH) \
                    passwd.adjunct.time group.adjunct.time; \
                    fi; \
            fi

    to
    c2secure:
            -@if [ -f $(PWDIR)/security/passwd.adjunct ]; then \
                    if [ ! $(NOPUSH) ]; then $(MAKE)  $(MFLAGS) -k \
                    passwd.adjunct.time; \
                    else $(MAKE) $(MFLAGS) -k NOPUSH=$(NOPUSH) \
                    passwd.adjunct.time; \
                    fi; \
            fi

You also need to edit /etc/nis_etc/shadow:

  1. Remove the same entries as you did with /etc/nis_etc/passwd:
    Solaris 8:
    • root
    • daemon
    • bin
    • sys
    • adm
    • lp
    • uucp
    • nuucp
    • listen
    • nobody
    • noaccess
    • nobody4
    • sysadmin
    • sshd
    Solaris 10:
    • root
    • daemon
    • bin
    • sys
    • adm
    • lp
    • uucp
    • nuucp
    • smmsp
    • listen
    • gdm
    • webservd
    • nobody
    • noaccess
    • nobody4
  2. If you want to further tidy up /etc/nis_etc/shadow, you can. NIS only uses the first two fields, which are the user name and the encoded password.
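The passwd, passwd.adjunct and shadow editing steps above, done in one pass as an added example (this is not the article's own code): the system accounts are dropped, the password field of the NIS passwd map is replaced by ##user, the hashes go only into passwd.adjunct/shadow, and a final check confirms that nothing ypcat passwd would return carries a hash. The sample input and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's own code: build the NIS passwd map,
# passwd.adjunct and a trimmed shadow from copies of the host files.
# File names and sample data below are constructed for the demonstration.

# Accounts the article removes (Solaris 8 and Solaris 10 lists merged).
SYSTEM_ACCOUNTS="root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 sysadmin sshd smmsp gdm webservd"

# build_nis_maps PASSWD_SRC PASSWD_OUT ADJUNCT_OUT
build_nis_maps() {
    awk -F: -v skip="$SYSTEM_ACCOUNTS" -v pw="$2" -v adj="$3" '
        BEGIN {
            n = split(skip, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1
            # service entries that go at the top of both maps
            print "AUpwdauthd:##AUpwdauthd:10:10::/var/tmp:/bin/true"   > pw
            print "AUyppasswdd:##AUyppasswdd:11:10::/var/tmp:/bin/true" > pw
            print "AUpwdauthd:*:::::"  > adj
            print "AUyppasswdd:*:::::" > adj
        }
        /^#/ || NF < 7 || ($1 in drop) { next }   # comments, junk, system accounts
        { printf "%s:##%s:%s:%s:%s:%s:%s\n", $1, $1, $3, $4, $5, $6, $7 > pw
          printf "%s:%s:::::\n", $1, $2 > adj }
    ' "$1"
}

# trim_shadow SHADOW_SRC SHADOW_OUT: same account filter, first two fields only.
trim_shadow() {
    awk -F: -v skip="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        NF >= 2 && !($1 in drop) { print $1 ":" $2 }
    ' "$1" > "$2"
}

# check_passwd_map FILE: succeed only if every password field is "##<user>",
# i.e. nothing that ypcat passwd returns can carry a password hash.
check_passwd_map() {
    awk -F: '$2 != ("##" $1) { bad++ } END { exit (bad ? 1 : 0) }' "$1"
}

# --- constructed sample input (not a real host's files) ---
TMP=$(mktemp -d) && mkdir -p "$TMP/security"
cat > "$TMP/passwd.orig" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
bloggf01:x:1001:10:Fred Bloggs:/export/home/bloggf01:/bin/ksh
EOF
printf 'root:NP:6445::::::\nbloggf01:HASHPLACEHOLDER:13000::::::\n' > "$TMP/shadow.orig"
build_nis_maps "$TMP/passwd.orig" "$TMP/passwd" "$TMP/security/passwd.adjunct"
trim_shadow "$TMP/shadow.orig" "$TMP/shadow"
check_passwd_map "$TMP/passwd" && echo "NIS passwd map carries no password hashes"
```

Run check_passwd_map against /etc/nis_etc/passwd after every edit of the source file; a non-zero exit means a hash (or an "x") would be published by the passwd map.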

set up and start the NIS master server

Now we need to set the domainname, make sure the correct nsswitch.conf file is in place, and start the NIS master server processes.

# domainname yourdomain
# domainname > /etc/defaultdomain

The first time you run ypinit, it will need to get its naming information from local files:

# cp /etc/nsswitch.files /etc/nsswitch.conf

Add entries for all NIS slave servers to /etc/hosts.

Start the NIS master server processes:

(Commands common to both releases come first; where the releases differ, the Solaris 8 command is given first and the Solaris 10 equivalent follows after "(or)".)

# /usr/sbin/ypinit -m
# cp /etc/nsswitch.nis /etc/nsswitch.conf
# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm enable nis/server
# svcadm enable nis/client

Check that the NIS server is working:

# ypcat passwd

The output should contain all the entries in /etc/nis_etc/passwd.

set up and start a NIS slave server

On each prospective NIS slave server (and you'll need at least one):

# domainname yourdomain
# domainname > /etc/defaultdomain

Edit /etc/hosts to include entries for the NIS master and any other slaves you plan to add.

To get the initial copies of the maps from the newly-created master, each prospective slave needs to be set up as a client:

# /usr/sbin/ypinit -c

You will be asked for a list of NIS servers. Add the hostname of the slave you're working on (i.e. the current host) first, then the master, then the remaining slaves, with those closest on the network first.

Stop ypbind if necessary.

(The Solaris 8 command is given first; the Solaris 10 equivalent follows after "(or)".)

# /usr/lib/netsvc/yp/ypstop
(or)
# svcadm disable nis/client

Start it (again), and initialise the new slave:

# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm enable nis/client
# /usr/sbin/ypinit -s nismaster

Start ypserv and then put the correct nsswitch.conf file in place. You ought to edit the original /etc/nsswitch.nis beforehand (for example as described earlier), if you made changes to /etc/nsswitch.nis on the master server.

# /usr/lib/netsvc/yp/ypstop
# /usr/lib/netsvc/yp/ypstart
(or)
# svcadm disable nis/server
# svcadm enable nis/server
# cp /etc/nsswitch.nis /etc/nsswitch.conf

set up and start a NIS client host

Remove a client from an existing NIS domain

# rm /etc/defaultdomain
# cd /var/yp
# pwd
/var/yp
# vi aliases     (remove any uncommented entries)

The resulting file should look something like this:

#ident  "@(#)aliases    1.2     92/07/14 SMI"
# Aliases file- database of full length and truncated length domain and
#map names.  Accessed by YP commands.

# rm -r yourdomain     (the directory named after the old NIS domain, if it exists)
# rm -r *.time     (if any of these files exist)
# cd /var/yp/binding
# pwd
/var/yp/binding
# rm -r *
# cp /etc/nsswitch.files /etc/nsswitch.conf

Reboot the server.

Add a client to the new NIS domain

First make sure that the potential NIS client does not belong to an existing NIS domain. Remove it using the instructions above if required.

Edit /etc/hosts to include entries for the NIS master and all slaves.

# domainname yourdomain
# domainname > /etc/defaultdomain
# ypinit -c
Add the following hosts:

  • nis_master
  • nis_slave
  • nis_other_slave
  • nis_master-a     (other interface, if available)
  • nis_slave-a     (other interface, if available)
  • nis_other_slave-a     (other interface, if available)

If one of the NIS slave servers is closer on the network, add it first in the list, then the next closest (slave or master), and so on.

Start NIS
(Commands common to both releases come first; where the releases differ, the Solaris 8 command is given first and the Solaris 10 equivalent follows after "(or)".)
# cp /etc/nsswitch.nis /etc/nsswitch.conf     (edit the original /etc/nsswitch.nis beforehand as described earlier)
# /usr/lib/netsvc/yp/ypstart     (normally called from /etc/init.d/rpc)
(or)
# svcadm enable nis/client
# ypwhich
should return
nis_master
Also the following commands:
# ypcat hosts
# ypcat passwd
should return lots of relevant data.

useful links

Securing NIS by Doug Hughes. This is a very useful resource.

Solaris Network Information Services (NIS) Implementation (Lots of links, FAQs, recommended reading, etc. Some of this is outdated, but there is some interesting stuff here.)

Solaris NIS Minitutorial (Linked in from above. Worth reading if you have little or no exposure to NIS on Solaris.)

docs.sun.com: System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)
