Name Services Administration Guide

Setting Up NIS+ Servers

3

This chapter provides step-by-step procedures for three server-related tasks:
  • Setting Up an NIS+ Server
  • Adding a Replica to an Existing Domain
  • Changing a Server's Security Level
The first task describes how to set up an NIS+ server. The second describes how to add a server to an existing domain, whether root or non-root. The third describes how to change a server's security level, whether to upgrade it for normal DES operation or to downgrade it for debugging.
A summary of each task is provided at the end of the chapter.

Setting Up an NIS+ Server

This task applies to any NIS+ server except the root master; that is, to a root replica, a non-root master, or a non-root replica, whether running in NIS-compatibility mode or not.

Standard versus NIS-Compatible Setup Procedures

The differences between an NIS-compatible and a standard NIS+ server are the same as for the root master server. The NIS+ daemon for an NIS-compatible server must be started with the -Y option (and the -B option for DNS forwarding), which allows the server to answer requests from NIS clients. This is described in Step 2. The equivalent step for standard NIS+ servers is Step 3.

Note - Whenever rpc.nisd is started with the -Y option, the -B option, or both, a secondary daemon named rpc.nisd_resolv is spawned to provide name resolution. This secondary daemon must be killed separately whenever you kill the primary rpc.nisd daemon.

As you may recall, the instructions for setting up the root master server in NIS-compatibility mode (Chapter 1) also required a -Y flag with the nissetup utility, which creates the NIS+ tables with the proper permissions for an NIS-compatible domain. That step is not included in this task because, with every server other than the root master, the nissetup utility is not used until the server is associated with a domain (as described in Chapter 4, "Setting Up a Non-Root Domain").
Here is a summary of the entire setup process:
  1. Log on as superuser to the new replica server.

  2. --NIS-Compatibility Only-- Start the NIS+ daemon with -Y.

  3. --Standard NIS+ Only-- Start the NIS+ daemon.

Security Considerations

You must perform this operation as superuser on the server. The security level at which you start the server (Step 4) determines the credentials that its clients must have. For instance, if the server is set up with security level 2, the clients in the domain it supports must have DES credentials. If you have set up the client according to the instructions in this book, the client has DES credentials in the proper domain, and you can start the server with security level 2.

Prerequisites

Information You Need

You need the superuser password of the client that you will convert into a server.

· How to Set Up an NIS+ Server

  1. Log on as superuser to the new replica server.

    The following steps assume you rebooted the workstation after you set it up as an NIS+ client, as instructed in "Setting Up NIS+ Clients" on page 26. Rebooting, among other things, starts the cache manager, which is a recommended prerequisite to the following step. If you did not reboot the workstation, restart the cache manager now, using nis_cachemgr.

  2. --NIS-Compatibility Only-- Start the NIS+ daemon with -Y.

    Perform this step only if you are setting up the server in NIS-compatibility mode; if setting up a standard NIS+ server, perform Step 3 instead. This step includes instructions for supporting the DNS forwarding capabilities of NIS clients.

    This step consists of two sub-steps, a and b. Step a starts the NIS+ daemon in NIS-compatibility mode and Step b makes sure that when the server is rebooted, the NIS+ daemon restarts in NIS-compatibility mode.

a. Use rpc.nisd with the -Y and -B flags.

  compatserver# rpc.nisd -Y -B  

The -Y option invokes an interface that answers NIS requests in addition to NIS+ requests. The -B option supports DNS forwarding.
b. Edit the /etc/init.d/rpc file.
Search for the string EMULYP="-Y" in the /etc/init.d/rpc file. Uncomment the line and, to retain DNS forwarding capabilities, add a -B flag:

  compatserver# vi /etc/init.d/rpc  
  .  
  .  
  .  
  #      EMULYP="-Y"  
  .  
  .  
               -------uncomment and change to------  
  
          EMULYP="-Y -B"  

If you don't need to retain DNS forwarding capabilities, uncomment the line, but don't add the -B flag.
This step creates a directory with the same name as the server and the server's .log file. They are placed in /var/nis, as you can see:

  compatserver# ls -F /var/nis  
  NIS_COLD_START   compatserver/  compatserver.log  

The compatserver.log file is a transaction log. You can examine the contents of the transaction log by using the nislog command, described in Chapter 11, "Administering NIS+ Directories."
  3. --Standard NIS+ Only-- Start the NIS+ daemon.

    Use the rpc.nisd command.


  server# rpc.nisd  

To verify that the NIS+ daemon is indeed running, use the ps command, as shown below:

  server# ps -ef | grep rpc.nisd  
  root 1081     1  61  16:43:33  ?      0:01  rpc.nisd  
  root 1087  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd  

This step creates a directory with the same name as the server and the server's .log file. They are placed in /var/nis, as you can see:

  server# ls -F /var/nis  
  NIS_COLD_START   server/  server.log  

The compatserver.log file is a transaction log. You can examine the contents of the transaction log by using the nislog command, described in Chapter 11, "Administering NIS+ Directories."
Now this server is ready to be designated a master or replica of a domain, as described in Chapter 4, "Setting Up a Non-Root Domain." This step completes this task. A task summary is provided at the end of the chapter.

Adding a Replica to an Existing Domain

This task describes how to add a replica server to an existing domain, whether root or non-root. Here is a list of the steps:
  1. Log on to the domain's master server.

  2. Add the replica to the domain.

  3. Ping the replica.

Security Considerations

The NIS+ principal performing this operation must have Modify rights to the domain's directory object.

Prerequisites

  • The server that will be designated a replica must have already been set up.
  • The domain must have already been set up and assigned a master server.

Information You Need

  • The name of the server
  • The name of the domain.

· How to Add a Replica Server

  1. Log on to the domain's master server.

  2. Add the replica to the domain.

    Use the nismkdir command with the -s option, as shown in the example below. The example adds the replica "rootreplica" to the "Wiz.Com." domain.


  rootmaster# nismkdir -s rootreplica Wiz.Com.  
  rootmaster# nismkdir -s rootreplica org_dir.Wiz.Com.  
  rootmaster# nismkdir -s rootreplica groups_dir.Wiz.Com.  

When you use the nismkdir command on a directory object that already exists, it does not recreate the directory; it simply modifies it according to the flags you provide. In this case, the -s flag assigns the domain an additional replica server. You can verify that the replica was added by examining the directory object's definition, using the niscat -o command.
  3. Ping the replica.

    This step sends a message (a "ping") to the new replica, telling it to ask the master server for an update. If the replica does not belong to the root domain, be sure to specify its domain name. (The example below includes the domain name only for completeness; since the example used throughout this task adds a replica to the root domain, the "Wiz.Com." domain name in the example below is not necessary.)

  rootmaster# nisping Wiz.Com.  
  rootmaster# nisping org_dir.Wiz.Com.  
  rootmaster# nisping groups_dir.Wiz.Com.  

You should see results similar to these:

  rootmaster# /usr/lib/nis/nisping Wiz.Com.  
  Pinging replicas serving directory Wiz.Com. :  
  Master server is rootmaster.Wiz.Com.  
          Last update occured at Wed Nov 25 10:53:37 1992  
  
  Replica server is rootreplica.Wiz.Com.  
          Last update seen was Wed Nov 18 11:24:32 1992  
  
          Pinging ... rootreplica.Wiz.Com.  

If you have set up the domain's tables immediately after completing the domain setup, this step propagates the tables down to the replica. For more information about nisping, see Chapter 11, "Administering NIS+ Directories."
This step completes this task. A summary is provided at the end of this chapter.

Changing a Server's Security Level

This task changes the security level of a previously set up NIS+ server. You can assign it security level 0 (lowest), 1, or 2 (highest). The default is 2. Here is a list of the steps:
  1. Log on --as superuser-- to the server.

  2. Kill the NIS+ daemon.

  3. Restart the NIS+ daemon with the desired security level.

Security Considerations

You must perform this task as superuser on the server. If changing to security level 1, at least one NIS+ principal must have LOCAL credentials in the Cred table of the server's home domain. Otherwise, the server will be unable to authenticate anyone and no one will be able to operate on that domain. If changing to security level 2, at least one NIS+ principal must have DES credentials in the domain's Cred table. Security level 0 requires no credentials.

· How to Change a Server's Security Level

  1. Log on --as superuser-- to the server.

  2. Kill the NIS+ daemon.

    Find the daemon's process ID and then kill it, using the kill command as shown below. Note that this will interrupt NIS+ service.


  server# ps -ef | grep rpc.nisd  
  root 1081     1  61  16:43:33  ?      0:01  rpc.nisd  
  root 1386  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd  
  server# kill 1081  

If you reinvoke the ps command, it should no longer list the daemon process.

  server# ps -ef | grep rpc.nisd  
  root  1094  1004  11  16:54:28  pts/1  0:00 grep rpc.nisd  

  3. Restart the NIS+ daemon with the desired security level.

    Use the rpc.nisd command as shown below.


  server# rpc.nisd -S security-level  

Security-level can be 0 (lowest), 1, or 2 (highest). Security level 2 is the default; to select it, you don't have to use the -S option. If the server is running in NIS-compatibility mode, make sure you use the -Y (and -B for DNS forwarding) options.
To verify that the NIS+ daemon is indeed running, use the ps command, as shown below:

  server# ps -ef | grep rpc.nisd  
  root 1081     1  61  16:43:33  ?      0:01  rpc.nisd -S 0  
  root 1087  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd  

This step completes this task. A summary is provided below.
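
A check for the state this task leaves behind, as an added example that is not part of the original guide: the function reads ps -ef lines and reports each rpc.nisd process's effective security level and -Y/-B flags, marks levels below 2, and reports an rpc.nisd_resolv daemon left running with no primary rpc.nisd. The function name nisd_audit and its output format are assumptions, and the sample lines are constructed in the format of the listings above.

```shell
#!/bin/sh
# Added example: audit rpc.nisd start-up flags from `ps -ef` output.
# nisd_audit (hypothetical name) reads ps -ef lines on stdin and prints
# one finding per rpc.nisd process.
nisd_audit() {
    awk '
    {
        # STIME is one field (HH:MM:SS) or two (Mon DD), so the command
        # name is field 8 or field 9. This also skips the grep line.
        c = ($5 ~ /:/) ? 8 : 9
        if ($c ~ /(^|\/)rpc\.nisd_resolv$/) { resolv = resolv " " $2; next }
        if ($c !~ /(^|\/)rpc\.nisd$/) next
        primary++
        level = 2; compat = "no"; dns = "no"     # no -S means level 2
        for (i = c + 1; i <= NF; i++) {
            if ($i == "-S" && i < NF) level = $(i + 1)
            else if ($i ~ /^-S[0-9]+$/) level = substr($i, 3)
            else if ($i == "-Y") compat = "yes"
            else if ($i == "-B") dns = "yes"
        }
        # Levels 0 and 1 do not require DES credentials from clients.
        status = (level + 0 < 2) ? "DOWNGRADED" : "OK"
        printf "%s pid=%s level=%s nis_compat=%s dns_fwd=%s\n", status, $2, level, compat, dns
    }
    END {
        # The secondary resolver must be killed separately; report it if
        # it is still present after the primary daemon has gone.
        if (!primary && resolv != "")
            printf "ORPHAN rpc.nisd_resolv pid(s):%s\n", resolv
    }'
}

# Constructed sample input (not captured from a real server).
nisd_audit <<'EOF'
root 1081     1  61  16:43:33  ?      0:01  rpc.nisd -S 0
root 1087  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd
EOF
```

On a live server the input would come from ps -ef piped into nisd_audit; a DOWNGRADED line after debugging is finished means the daemon still needs to be restarted at level 2.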

Summary

Below is a summary of the tasks described in this chapter. It assumes the simplest case, so be sure you are familiar with the more thorough task descriptions before you use this summary as a reference. Also, this summary does not show the server's responses to each command.

1. Log on to the server.

  server% su

2. NIS-compat only:
a. Start daemon with -Y -B

  compatserver# rpc.nisd -Y -B

b. Change to EMULYP="-Y -B"

  compatserver# vi /etc/init.d/rpc

3. NIS+-Only: Start daemon.

  server# rpc.nisd

Figure 3-1 To Set up an NIS+ Server

1. Log on as superuser to domain master.

  rootmaster% su

2. Designate the new replica.

  # nismkdir -s rootreplica Wiz.Com.
  # nismkdir -s rootreplica org_dir.Wiz.Com.
  # nismkdir -s rootreplica groups_dir.Wiz.Com.

3. Ping the replica.

  # /usr/lib/nis/nisping Wiz.Com.
  # /usr/lib/nis/nisping org_dir.Wiz.Com.
  # /usr/lib/nis/nisping groups_dir.Wiz.Com.

Figure 3-2 To Add a Replica to an Existing Domain

1. Log on as superuser to the server.

  server% su

2. Kill the daemon.

  server# ps -ef | grep rpc.nisd
  server# kill process-id

3. Restart the NIS+ daemon. Use -r for root domain servers. Use -Y and -B as appropriate.

  server# rpc.nisd -S security-level

Figure 3-3 To Change a Server's Security Level