Network Information Service (NIS)
Introduction
A user logging in to a Unix box is handled by the login process, which uses the system call getpwuid.
The login process consults a previously built file such as /etc/passwd, which contains the list of allowed
users and their passwords. The problem with this arrangement is that every Unix box has its own separate file,
so a new user who needs access to more than one box must be added to each of the relevant files.
To get around this limitation, Sun Microsystems developed NIS in 1985 to provide a centralised authentication service:
a centrally administered NIS server manages all the usernames and passwords and distributes this information to the
other boxes when it is required.
The databases used in NIS are referenced with Keys; each Key points to a piece of data called a Value, which can be anything you want.
NIS uses Maps, which are sets of Key-Value pairs that reference information. Maps can be collated into categories
called Domains. The information stored in this hierarchical database is not limited to users and passwords,
but can include IP addresses, host names, telephone numbers etc.
NIS Operation
The process that performs this database operation on the NIS server is called
ypserv. The letters 'yp' come from the original name for NIS, Yellow Pages
(this had to change because AT&T already held Yellow Pages as a trademark).
This process serves authentication records from a database on disk; the records are in the same format as those
in the /etc/passwd file. To speed NIS up, part of the database is cached in memory. The database is also not
merely a text file: the data is more organised and uses keys to perform very fast lookups. Only one key per file
is allowed, so if you want to look up more than one field, more files are required.
You can use the command ypcat to display the names and encrypted passwords in the database.
Another command, ypx, displays the NIS map.
The database is partly made up of text files that are appended to as new users are added.
These text files could consist of some or all of /etc/passwd, /etc/group (for
groups of users), /etc/hosts etc.
The text files are then used to generate the organised database in DBM format that is used for the fast lookups.
A DBM file is an Index Sequential File that uses keys to find information quickly; it is called a map.
Each map is made up of two files, with the extensions .pag and .dir.
This is quicker than the normal character-by-character comparison through the text files to find a match.
A program called makedbm is normally used on the server to build the maps. This means that if new users are added, the lookup database
has to be regenerated from scratch. The rebuild can be scheduled to occur at regular intervals if so desired.
During this database rebuild the NIS server cannot be used to authenticate users, so
it is a good idea to have at least one backup NIS server that can continue to authenticate existing users. These slave servers
receive maps from the master server via the process yppush so that their databases stay synchronised.
You can have multiple NIS domains if you wish, each domain serving a different set of users and having a different
set of slave servers. Running NIS can be quite processor intensive so a good rule of thumb is to avoid
having more than 40 clients per server.
The NIS client requires ypbind and yptools in order to talk to a NIS server.
The server also requires ypbind. The ypbind service provides ypserv addressing and domain name information so that
clients can gain access to the NIS servers.
These tools provide
ypset and ypwhich for communicating with ypserv; ypcat, ypmatch and yppoll
for accessing the maps; and ypchfn, ypchsh and yppasswd for accessing user information.
The client obtains its information from the DBM database using an RPC call to modified
system libraries on the server rather than the normal system call getpwuid.
There are two file types in NIS: Local Priority and Global Priority. Local Priority means that the
local copy of the machine's system file is consulted before the NIS copy. Global Priority files
use the NIS maps irrespective of the contents of the local files.
The following list gives the files maintained by NIS together with the priority type of each, either Global or Local:
- /etc/bootparams (Local)
- /etc/ethers (Global) - MAC address to host name mapping
- /etc/group (Local) - Unix group definitions
- /etc/hosts (Global after boot up) - IP address to Host name mapping
- /etc/aliases (Local) - Mail alias definitions
- /etc/netgroup (Global) - Collection of hosts, users and networks
- /etc/netmasks (Global)
- /etc/passwd (Local) - User accounts
- /etc/protocols (Global) - Text Name to Protocol number mapping
- /etc/rpc (Global) - ID numbers for RPC services
- /etc/services (Global) - Port numbers for well-known network services
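The one-key-per-map rule and the Local/Global priority rule described above, as an added example that is not part of the original page: the passwd and hosts lines, hashes and addresses are constructed sample data, and the map names passwd.byname, passwd.byuid and hosts.byname are assumed.

```python
# Constructed sample source files; the password hashes are placeholders.
NIS_PASSWD = """\
alice:$6$saltA$hashA:1001:100:Alice:/home/alice:/bin/bash
bob:$6$saltB$hashB:1002:100:Bob:/home/bob:/bin/sh
"""
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:5001:100:Local Alice:/home/alice:/bin/sh
"""
NIS_HOSTS = "10.0.0.5 nisserver\n10.0.0.9 fileserver\n"
LOCAL_HOSTS = "127.0.0.1 localhost\n192.168.1.9 fileserver\n"

def build_map(text, key_field, sep=":"):
    """Like makedbm: a map is keyed on exactly one field of its source file,
    so passwd.byname and passwd.byuid are two separate maps built from the
    same text. The value is the whole record, hash field included, which is
    why ypcat on the passwd map shows the encrypted passwords."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(sep)          # sep=None splits on whitespace (hosts)
        entries[fields[key_field]] = line
    return entries

# Rebuilt from scratch whenever the source files change, as the page describes.
NIS_MAPS = {
    "passwd.byname": build_map(NIS_PASSWD, 0),
    "passwd.byuid": build_map(NIS_PASSWD, 2),
    "hosts.byname": build_map(NIS_HOSTS, 1, sep=None),
}
LOCAL_MAPS = {
    "passwd.byname": build_map(LOCAL_PASSWD, 0),
    "hosts.byname": build_map(LOCAL_HOSTS, 1, sep=None),
}
# Priority per the page's table: /etc/passwd is Local, /etc/hosts is Global.
PRIORITY = {"passwd.byname": "Local", "passwd.byuid": "Local", "hosts.byname": "Global"}

def lookup(mapname, key):
    """Local priority: consult the machine's own file first, then NIS.
    Global priority: use the NIS map regardless of the local file.
    Returns (source, record), or None where the server would answer
    'No such key in map'."""
    if PRIORITY[mapname] == "Local" and key in LOCAL_MAPS.get(mapname, {}):
        return "local", LOCAL_MAPS[mapname][key]
    if key in NIS_MAPS[mapname]:
        return "nis", NIS_MAPS[mapname][key]
    return None
```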
Frames
The NIS (from ypserv and ypbind) frames can contain the following commands:
- no operation - Performs no operation.
- domain serve query1 - Asks whether or not the specified domain is served.
- domain serve query2 - Asks only for servers that serve the specified domain.
- get key value - Asks for value associated with the specified key.
- get first key pair - Requests the first key-value pair in map.
- get next key pair - Requests the next key-value pair in map.
- transfer map - Requests a new copy of the map to be transferred.
- reset YP server - Requests the YP server to reset its internal state.
- get all keys in map - Requests all key-value pairs in specified map.
- get map master name - Requests the name of master YP database server.
- get map number - Requests the creation time of the specified map.
- get all maps - Requests all maps in the specified domain.
- domain serve reply1 - Response to domain serve query1.
- give key value - Returns value for specified key.
- give first key pair - Returns the first key-value pair in map.
- give next key pair - Returns the next key-value pair in map.
- map transferred - Reports map transfer status.
- YP server reset - Reports server reset status.
- give all keys in map - Returns listing of all keys in map.
- give map master name - Returns name of master YP database server.
- give map number - Returns creation date of map.
- give all maps - Returns listing of all maps in domain.
- no operation - Performs no operation.
- get current binding - Requests YP addressing information for the specified domain.
- set domain binding - Installs YP addressing information for the specified domain.
- give current binding - Returns YP addressing information for a domain.
- domain binding set - Returns status of YP addressing installation.
These frames can contain the following parameters:
- Bind address - IP address of the YP binder server.
- Bind port - Transport port used by the YP binder server.
- Created - Creation time of the map.
- Domain - Domain name in use.
- Key - Key index used to search for a value.
- Map - Map name in use.
- Master - Name of the master YP database server.
- Peer - Server name of a peer YP server.
- Transfer ID - Transfer ID used to reference map transfers.
- Program - RPC program number used for map transfer.
- Port - Transport layer port number used for map transfer.
- Value - Value associated with a key.
- Status - Map transfer status.
- Version - YPbind protocol version.
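A decoder for the ypserv frames listed above, added here as an example that is not from the original page: it reads an ONC RPC call to ypserv (program number 100004, version 2, a standard value not given on the page) and extracts the Domain, Map and Key parameters so that a monitor can log which map each client asked for. The ypbind frames (the last five commands) use a different program number and are not decoded; the sample frame is constructed, with made-up domain and key.

```python
import struct
# Standard ypserv RPC program and version numbers (not from the page); the
# procedure names follow the page's "Frames" list in order.
YPPROG, YPVERS = 100004, 2
YPPROC = {0: "no operation", 1: "domain serve query1", 2: "domain serve query2",
          3: "get key value", 4: "get first key pair", 5: "get next key pair",
          6: "transfer map", 7: "reset YP server", 8: "get all keys in map",
          9: "get map master name", 10: "get map number", 11: "get all maps"}
DOMAIN_ONLY, NOKEY, WITHKEY = {1, 2, 11}, {4, 8, 9, 10}, {3, 5}  # argument shapes

class Xdr:
    """Minimal XDR reader: big-endian 32-bit words; byte strings padded to 4."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def u32(self):
        (v,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return v
    def opaque(self):
        n = self.u32()
        v = self.data[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated XDR opaque")
        self.pos += (n + 3) & ~3          # skip the data plus zero padding
        return v

def parse_ypserv_call(frame):
    """Decode a UDP ONC RPC CALL to ypserv into xid, procedure, domain, map, key."""
    x = Xdr(frame)
    xid, msg_type, rpcvers, prog, vers, proc = [x.u32() for _ in range(6)]
    if (msg_type, rpcvers, prog, vers) != (0, 2, YPPROG, YPVERS):
        raise ValueError(f"not an RPC v2 CALL to ypserv v2 (prog={prog}, vers={vers})")
    for _ in ("cred", "verf"):            # auth flavor + opaque body, both skipped
        x.u32(); x.opaque()
    req = {"xid": xid, "proc": YPPROC.get(proc, f"unknown({proc})")}
    if proc in DOMAIN_ONLY | NOKEY | WITHKEY:
        req["domain"] = x.opaque().decode("ascii")
    if proc in NOKEY | WITHKEY:
        req["map"] = x.opaque().decode("ascii")
    if proc in WITHKEY:
        req["key"] = x.opaque()
    return req

def xdr_opaque(b):
    """XDR variable-length opaque/string: length word, bytes, zero padding to 4."""
    return struct.pack(">I", len(b)) + b + b"\0" * (-len(b) % 4)

# Constructed sample frame: a 'get key value' call with AUTH_NULL cred and verf.
SAMPLE_MATCH = (struct.pack(">6I", 0x1234, 0, 2, YPPROG, YPVERS, 3)
                + struct.pack(">4I", 0, 0, 0, 0)
                + b"".join(map(xdr_opaque, (b"example.nis", b"passwd.byname", b"alice"))))
```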
The ypserv Response frames can contain the following:
- OK - Request completed successfully.
- Bad request arguments - Request parameters invalid.
- Domain not supported - Domain not supported by this YP server.
- General failure - Unspecified failure.
- Invalid operation - Request invalid.
- No more entries in map - No more key-value pairs in map.
- No such map in domain - Specified map not in domain.
- No such key in map - Specified key not in map.
- Server database is bad - Server database corrupt.
- YP server error - Internal YP server error.
- YP version mismatch - YP server versions do not match.
The ypbind Response frames can contain the following:
- OK - Request completed successfully.
- Internal error - Local YP binder error.
- No bound server for domain - No YP database servers known for the domain.
- Can't alloc system resource - YP binder resource error.
The ypbind Transfer Status frames can contain the following:
- Transfer successful - Transfer completed successfully.
- Bad request arguments - Request parameters invalid.
- Can't clear YP server - Cannot clear the local YP server.
- Can't find server f/map - Cannot find YP server for map.
- Can't get master addr. - Cannot get YP master server address.
- Domain not supported - Domain not supported by this YP server.
- Local database failure - Local YP server database failure.
- Local file I/O error - Local YP server file I/O error.
- Map version mismatch - Map versions skewed in transfer.
- Master dbase not newer - Master database is not newer.
- Must override defaults - Must override default settings.
- Resource alloc failure - Resource allocation failure.
- RPC to server failed - No RPC response from server.
- Server/map dbase error - YP server or map database error.
- Server refused transfer - YP server refused to transfer database.
- YP transfer error - Error occurred during database transfer.
NIS Communication
Data is shared using RPC over UDP or TCP. Sun's RPC uses UDP/TCP port 111 plus a number of ports above 1024.
Refer to RPC for a discussion of RPC.
Slave Servers use the process ypxfr to pull the latest maps off the Master Servers. This pulling of the maps
can be scheduled regularly using the cron utility. The server runs a program called ypxfrd that responds
to these requests. The server can also run the program yppush when a change has been made to the database and
you want to make sure that the slave servers have the latest information.
A NIS client normally uses an IP broadcast to request information from a NIS server,
which therefore needs to be on the same subnet as the client.
The alternative is a Directed Bind, which restricts the client to a single specified server to query,
although that server can be off the subnet.
NIS+
A replacement for NIS, called NIS+, has been developed. Enhancements include encryption (DES) and authentication over
secure RPC (Remote Procedure Call) rather than the normal unauthenticated use of RPC. NIS+ is similar to NIS
in name only; it is an entirely separately designed system.
NIS+ uses a tree structure for the database (the Namespace). Each node in the tree can be one of six types: Directory,
Entry, Group, Link, Table and Private. The root of the Namespace is called
the Root directory; in addition there are two special directories, as follows:
- org_dir - containing all the administration tables including passwd, hosts, mail_aliases etc.
- groups_dir - containing group objects used for access control of user groups.