Name Services Administration Guide

Administering NIS+ Directories

11

This chapter describes how to use the NIS+ directory administration commands to perform the following tasks:
Listing the Directories Served by a Server
Listing the Object Properties of a Directory
Listing the Contents of a Directory -- Terse
Listing the Contents of a Directory -- Verbose
Creating a Directory
Adding a Replica to an Existing Directory
Removing a Directory
Disassociating a Replica From a Directory
Removing Non-Directory Objects
Starting the NIS+ Daemon
Starting a NIS-Compatible Daemon
Start a DNS-Forwarding NIS-Compatible Daemon
Stopping the NIS+ Daemon
Initializing a Client
Initializing the Root Master Server
Starting the Cache Manager
Displaying the Contents of the NIS+ Cache
Displaying the Time of the Last Update
Pinging Replicas
Checkpointing a Directory
Displaying the Contents of the Transaction Log
Changing the Time-to-Live of an Object
Changing the Time-to-Live of a Table Entry
For a complete description of these commands, their syntax, and options, see the NIS+ man pages.

Listing the Directories Served by a Server

The nisupdkeys -s command can be used to list the directories that have been served by a particular master or replica server. The full syntax is:
/usr/lib/nis/nisupdkeys -s [-a|-C] -H servername

Using niscat With Directories

The niscat -o command can be used to list the object properties of an NIS+ directory. To use it, you must have Read access to the directory object itself.

Listing the Object Properties of a Directory

To list the object properties of a directory, use niscat -o and the directory's name:
niscat -o directory-name
For example:

  rootmaster# niscat -o Wiz.Com.  
  Object Name   : Wiz  
  Owner         : rootmaster.Wiz.Com.  
  Group         :  
  Domain        : Com.  
  Access Rights : r---rmcdr---r---  
  Time to Live  : 24:0:0  
  Object Type   : DIRECTORY  
  .  
  .  
  .  

The nisls Command

The nisls command lists the contents of an NIS+ directory. To use it, you must have Read rights to the directory object.

Syntax

--To display in terse format:
nisls
nisls [-dgLmMR] directory-name

--To display in verbose format:
nisls -l [-gm] [-dLMR] directory-name

-- Options:
Table 11-1 Options for the nisls Command
Option  Purpose
-d      Directory Object. Instead of listing a directory's contents, treat it like another object.
-L      Links. If the directory name is actually a link, the command follows the link and displays information about the linked directory.
-M      Master. Get the information from the Master server only. Although this provides the most up to date information, it may take longer if the master server is busy.
-R      Recursive. List directories recursively. That is, if a directory contains other directories, their contents are displayed as well.
-l      Long. Display information in long format. Long format displays an object's type, creation time, owner, and access rights.
-g      Group. When displaying information in long format, display the directory's group owner instead of its owner.
-m      Modification time. When displaying information in long format, display the directory's modification time instead of its creation time.

Listing the Contents of a Directory -- Terse

To list the contents of a directory in the default short format, use one or more of the options listed below and a directory name. If you don't supply a directory name, NIS+ will use the default directory.
nisls [-dLMR]
nisls [-dLMR] directory-name

For example, this instance of nisls is entered from the root master server of the root domain "Wiz.Com.":

  rootmaster% nisls  
  Wiz.Com.:  
  org_dir  
  groups_dir  

Here is another example entered from the root master server:

  rootmaster% nisls -R Sales.Wiz.Com.  
  Sales.Wiz.Com.:  
  org_dir  
  groups_dir  
  
  groups_dir.Sales.Wiz.Com.:  
  admin  
  
  org_dir.Sales.Wiz.Com.:  
  auto_master  
  auto_home  
  bootparams  
  cred  
  .  
  .  
  .  

Listing the Contents of a Directory -- Verbose

To list the contents of a directory in the verbose format, use the -l option and one or more of the options listed below. The -g and -m options modify the attributes that are displayed. If you don't supply a directory name, NIS+ will use the default directory.
nisls -l [-gm] [-dLMR]
nisls -l [-gm] [-dLMR] directory-name

Here is an example, entered from the master server of the root domain "Wiz.Com.":

  rootmaster% nisls -l  
  Wiz.Com.:  
  D r---rmcdr---r--- rootmaster.Wiz.Com. date org_dir  
  D r---rmcdr---r--- rootmaster.Wiz.Com. date groups_dir  
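
The access-rights column in the listing above, like the Access Rights line in the niscat -o output, can be audited mechanically. The following Python is an added example, not part of the original guide: it decodes each 16-character string and reports what the nobody and world classes hold. It assumes the standard NIS+ layout of four groups (nobody, owner, group, world) of r, m, c, d (read, modify, create, destroy), which this chapter does not spell out; the scratch_dir line in the sample is constructed.

```python
import re

# Assumed layout (standard NIS+ display order, not spelled out in this chapter):
# four 4-character groups for nobody, owner, group, world; each group is "rmcd"
# with "-" in place of a right that is not granted.
CLASSES = ("nobody", "owner", "group", "world")
RIGHT_NAMES = {"r": "read", "m": "modify", "c": "create", "d": "destroy"}
RIGHTS_RE = re.compile(r"(?:[r-][m-][c-][d-]){4}")

# Constructed sample in the shape of the `nisls -l` output shown above.
# The first two entries are the guide's; scratch_dir is made up for the example.
SAMPLE = """\
Wiz.Com.:
D r---rmcdr---r--- rootmaster.Wiz.Com. date org_dir
D r---rmcdr---r--- rootmaster.Wiz.Com. date groups_dir
D ----rmcdrmcdrmcd rootmaster.Wiz.Com. date scratch_dir
"""


def decode_rights(field):
    """Return {class: set of right names} for one access-rights string."""
    if not RIGHTS_RE.fullmatch(field):
        raise ValueError(f"not an NIS+ access-rights string: {field!r}")
    return {
        cls: {RIGHT_NAMES[c] for c in field[4 * i:4 * i + 4] if c != "-"}
        for i, cls in enumerate(CLASSES)
    }


def parse_nisls_long(text):
    """Yield (fully qualified name, rights string, owner) per listed object."""
    directory = None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 1 and parts[0].endswith(":"):
            directory = parts[0][:-1]          # "Wiz.Com.:" starts a new listing
        elif len(parts) >= 4 and RIGHTS_RE.fullmatch(parts[1]):
            # columns: type, rights, owner, <date tokens...>, name
            yield f"{parts[-1]}.{directory}", parts[1], parts[2]


def audit(text):
    """Report what the nobody and world classes are allowed to do."""
    report = {"beyond_read_for_nobody_or_world": [], "read_by_nobody": []}
    for name, rights, _owner in parse_nisls_long(text):
        decoded = decode_rights(rights)
        for cls in ("nobody", "world"):
            beyond_read = sorted(decoded[cls] - {"read"})
            if beyond_read:
                report["beyond_read_for_nobody_or_world"].append(
                    (name, cls, beyond_read))
        if "read" in decoded["nobody"]:
            report["read_by_nobody"].append(name)
    return report


if __name__ == "__main__":
    for key, items in audit(SAMPLE).items():
        print(key, items)
```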

The nismkdir Command

The nismkdir command creates a non-root NIS+ directory and associates it with a master server. (To create a root directory, use the nisinit -r command, described on page 178.) The nismkdir command can also be used to add a replica to an existing directory.
There are several prerequisites to creating an NIS+ directory, as well as several related tasks. For a complete description, see Chapter 4, "Setting Up a Non-Root Domain."

Syntax

--To create a directory:
nismkdir [-m master-server] directory-name
-- To add a replica to an existing directory:
nismkdir -s replica-server directory-name
nismkdir -s replica-server org_dir.directory-name
nismkdir -s replica-server groups_dir.directory-name

Creating a Directory

To create a directory, you must have Create rights to its parent directory. First use the -m option to identify the master server and then the -s option to identify the replica:
nismkdir -m master directory
nismkdir -s replica directory

This example creates the Sales.Wiz.Com. directory and specifies its master server, "salesmaster.Wiz.Com." and its replica, "rep1.Wiz.Com." It is entered from the root master server.

  rootmaster% nismkdir -m salesmaster.Wiz.Com. Sales.Wiz.Com.  
  rootmaster% nismkdir -s rep1.Wiz.Com. Sales.Wiz.Com.  
  rootmaster% nismkdir -s rep1.Wiz.Com. org_dir.Sales.Wiz.Com.  
  rootmaster% nismkdir -s rep1.Wiz.Com. groups_dir.Sales.Wiz.Com.  

The nismkdir command allows you to use the parent directory's servers for the new directory, instead of specifying its own. However, this should not be done except in the case of small networks. Here are two examples:

  rootmaster% nismkdir Sales.Wiz.Com.  

The first example creates the "Sales.Wiz.Com." directory and associates it with its parent directory's master and replica servers.

  rootmaster% nismkdir -m salesmaster.Wiz.Com. Sales.Wiz.Com.  

The second example creates the "Sales.Wiz.Com." directory and specifies its own master server, "salesmaster.Wiz.Com." Since no replica server is specified, the new directory will have only a master server until you use nismkdir again to assign it a replica. If the "Sales.Wiz.Com." domain already existed, the nismkdir command as shown above would have made "salesmaster.Wiz.Com." its new master server and would have relegated its old master server to a replica.

Adding a Replica to an Existing Directory

To assign a new replica server to an existing directory, use the -s option and the name of the existing directory:
nismkdir -s replica-server existing-directory-name
nismkdir -s replica-server org_dir.existing-directory-name
nismkdir -s replica-server groups_dir.existing-directory-name
The nismkdir command realizes that the directory already exists, so it does not recreate it. It only assigns it the additional replica. Here is an example:

  rootmaster% nismkdir -s rep1.Wiz.Com. Wiz.Com.  
  rootmaster% nismkdir -s rep1.Wiz.Com. org_dir.Wiz.Com.  
  rootmaster% nismkdir -s rep1.Wiz.Com. groups_dir.Wiz.Com.  

Note that you cannot assign a server to support its parent domain, unless, of course, it belongs to the root domain.

The nisrmdir Command

The nisrmdir command can remove a directory or simply disassociate a replica server from a directory. When it removes a directory, NIS+ first disassociates the master and replica servers from the directory, and then removes the directory. To remove the directory, you must have Destroy rights to its parent directory. To disassociate a replica server from a directory, you must have Modify rights to the directory.

Removing a Directory

To remove an entire directory and disassociate its master and replica servers, use the nisrmdir command without any options:
nisrmdir directory-name
This example removes the Eng.Wiz.Com. directory from beneath the Wiz.Com. directory:

  rootmaster% nisrmdir Eng.Wiz.Com.  

Disassociating a Replica From a Directory

To disassociate a replica server from a directory, use the nisrmdir command with the -s option:
nisrmdir -s servername directory
This example disassociates the engreplica1 server from the Eng.Wiz.Com. directory:

  rootmaster% nisrmdir -s engreplica1 Eng.Wiz.Com.  

The nisrm Command

The nisrm command is similar to the standard rm system command. It removes any NIS+ object from the namespace, except directories and non-empty tables. To use the nisrm command, you must have Destroy rights to the object. However, if you don't, you can use the -f option, which tries to force the operation in spite of permissions.
You can remove group objects with the nisgrpadm -d command (see page 163), and you can empty tables with nistbladm -r or nistbladm -R (see page 192).

Syntax

-- To remove a non-directory object:
nisrm [-if] object-name

-- Options:
Table 11-2 nisrm Syntax Options
-i Inquire. Asks for confirmation prior to removing an object. If the object-name you provide is not fully qualified, this option is used automatically.
-f Force. Attempts to force a removal even if you don't have the proper permissions. It attempts to change the permission by using the nischmod command, and then tries to remove the object again.

Removing Non-Directory Objects

To remove non-directory objects, use the nisrm command and provide the object names:
nisrm object-name...

This example removes a group and a table from the namespace:

  rootmaster% nisrm -i admins.Wiz.Com. groups.org_dir.Wiz.Com.  
  Remove admins.Wiz.Com.? y  
  Remove groups.org_dir.Wiz.Com.? y  

The rpc.nisd Command

The rpc.nisd command starts the NIS+ daemon. The daemon can run in NIS-compatibility mode, which enables it to answer requests from NIS clients as well. You don't need any access rights to start the NIS+ daemon, but you should be aware of all its prerequisites and related tasks. They are described in Chapter 1, "Setting Up the Root Domain," and Chapter 3, "Setting Up NIS+ Servers."
By default, the NIS+ daemon starts with security level 2.

Syntax

-- To start the daemon:
rpc.nisd [-r]

-- To start the daemon in NIS-compatibility mode:
rpc.nisd [-r] -Y [-B]

-- To start an NIS-compatible daemon with DNS forwarding capabilities:
rpc.nisd [-r] -Y -B

-- Options:
Table 11-3 rpc.nisd Syntax Options
-S security-level  Specifies a security level.
-f                 Forces a checkpoint of the directory served by the daemon. This has the side effect of emptying the directory's transaction log and freeing disk space.

Starting the NIS+ Daemon

To start the NIS+ daemon on any server except the root master, use the command without options:
  rpc.nisd

The daemon starts with security level 2, which is the default.

To start the daemon with security level 0 or 1, use the -S flag:

  rpc.nisd -S level

Starting a NIS-Compatible Daemon

You can start the NIS+ daemon in NIS-compatibility mode on any server, including the root master. Use the -Y (uppercase) option:
  rpc.nisd -Y

If the server is rebooted, the daemon will not restart in NIS-compatibility mode unless you also uncomment the line that contains 'EMULYP="-Y"' in the server's /etc/init.d/rpc file.
To start the daemon with a security level 0 or 1, use the -S flag:
rpc.nisd -Y -S level

Start a DNS-Forwarding NIS-Compatible Daemon

You can add DNS forwarding capabilities to an NIS+ daemon running in NIS-compatibility mode by adding the -B option to rpc.nisd:
  rpc.nisd -Y -B

If the server is rebooted, the daemon will not restart in DNS-forwarding NIS-compatibility mode unless you also uncomment the line that contains 'EMULYP="-Y"' in the server's /etc/init.d/rpc file and change it to:
EMULYP="-Y -B"

Stopping the NIS+ Daemon

To stop the NIS+ daemon, whether it is running in normal or NIS-compatibility mode, kill it like you would any other daemon. First find its process ID, then kill it. Here is an example:

  rootmaster# ps -ef | grep rpc.nisd  
  root 1081     1  61  16:43:33  ?      0:01  rpc.nisd -S 0  
  root 1087  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd  
  rootmaster# kill 1081  
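
The ps listing above shows a daemon started with -S 0, and the preceding sections note that -Y and -B persist across a reboot only through the EMULYP line in /etc/init.d/rpc. The following Python is an added example, not part of the original guide, that checks both points from captured text. The ps -ef column layout and the one-line init-script fragment are assumptions, and the sample inputs are constructed.

```python
import re
import shlex

# Matches the CMD column of a `ps -ef` style line only when the command itself
# is rpc.nisd, so the "grep rpc.nisd" line in the same listing is ignored.
PS_NISD = re.compile(r"\s\d+:\d\d\s+(\S*rpc\.nisd(?:\s.*)?)$")
EMULYP = re.compile(r'^\s*(#?)\s*EMULYP="([^"]*)"')

# Constructed inputs: the ps lines follow the listing format shown in this
# chapter; the init-script fragment holds only the EMULYP line the guide
# describes, still commented out (assumption: no other line sets the flags).
PS_SAMPLE = """\
root 1081     1  61  16:43:33  ?      0:01  rpc.nisd -Y -B -S 0
root 1087  1004  11  16:44:09  pts/1  0:00  grep rpc.nisd
"""
INIT_SAMPLE = '#EMULYP="-Y"\n'


def parse_nisd_args(cmdline):
    """Effective settings of one rpc.nisd command line (defaults per the guide)."""
    cfg = {"security_level": 2, "nis_compat": False, "dns_forwarding": False}
    argv = shlex.split(cmdline)[1:]
    for i, arg in enumerate(argv):
        if arg == "-S" and i + 1 < len(argv) and argv[i + 1].isdigit():
            cfg["security_level"] = int(argv[i + 1])
        elif arg == "-Y":
            cfg["nis_compat"] = True
        elif arg == "-B":
            cfg["dns_forwarding"] = True
    return cfg


def boot_flags(init_text):
    """Flags the daemon gets at boot: the EMULYP value if its line is uncommented."""
    for line in init_text.splitlines():
        m = EMULYP.match(line)
        if m and not m.group(1):
            return m.group(2).split()
    return []


def review(ps_text, init_text):
    """Return (code, detail) findings for each running rpc.nisd."""
    findings = []
    boot = boot_flags(init_text)
    for line in ps_text.splitlines():
        m = PS_NISD.search(line)
        if not m:
            continue
        cfg = parse_nisd_args(m.group(1))
        if cfg["security_level"] < 2:
            findings.append(("below-default-security-level", cfg["security_level"]))
        running = [flag for flag, on in (("-Y", cfg["nis_compat"]),
                                         ("-B", cfg["dns_forwarding"])) if on]
        if set(running) != set(boot):
            # What runs now is not what the init script will start after a reboot.
            findings.append(("boot-config-differs", (running, boot)))
    return findings


if __name__ == "__main__":
    for finding in review(PS_SAMPLE, INIT_SAMPLE):
        print(finding)
```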

The nisinit Command

The nisinit command initializes a workstation to be an NIS+ client. As with the rpc.nisd command, you don't need any access rights to use the nisinit command, but you should be aware of its prerequisites and related tasks. They are described in Chapter 1, "Setting Up the Root Domain," and Chapter 2, "Setting Up NIS+ Clients."

Syntax

--To initialize a client:
nisinit -c -B
nisinit -c -H hostname
nisinit -c -C filename

--To initialize a root master server:
nisinit -r

Initializing a Client

You can initialize a client in three different ways:
  • By hostname
  • By broadcast
  • By coldstart file
Each way has different prerequisites and associated tasks. For instance, before you can initialize a client by hostname, the client's /etc/hosts file must list the hostname you will use. Complete instructions for each method, including prerequisites and associated tasks, are provided in Chapter 2, "Setting Up NIS+ Clients." Following is a summary of the steps that use the nisinit command.
To initialize a client by hostname, use the -c and -H options, and include the name of the server from which the client will obtain its coldstart file:
  nisinit -c -H hostname

To initialize a client by coldstart file, use the -c and -C options, and provide the name of the coldstart file:

  nisinit -c -C filename

To initialize a client by broadcast, use the -c and -B options:

  nisinit -c -B

Initializing the Root Master Server

To initialize the root master server, use the nisinit -r command:
nisinit -r

The nis_cachemgr Command

The nis_cachemgr command starts the NIS+ cache manager program, which should run on all NIS+ clients. The cache manager maintains a cache of location information about the NIS+ servers that support the most frequently used directories in the namespace, including transport addresses, authentication information, and a time-to-live value.
When started, the cache manager obtains its initial information from the client's coldstart file, and downloads it into the /var/nis/NIS_SHARED_DIRCACHE file.
The cache manager makes requests as a client workstation. Make sure the client workstation has the proper credentials, or instead of improving performance, the cache manager will degrade it.

Starting the Cache Manager

To start the cache manager, simply enter the nis_cachemgr command:

  client% nis_cachemgr  
  client% nis_cachemgr -i  

Without the -i option, the cache manager is restarted, but it retains the information in the /var/nis/NIS_SHARED_DIRCACHE file. The information in the coldstart file is simply appended to the existing information in the file. The -i option clears the cache file and re-initializes it from the contents of the client's coldstart file.
To stop the cache manager, kill it as you would any other process.

The nisshowcache Command

The nisshowcache command displays the contents of a client's directory cache.

Displaying the Contents of the NIS+ Cache

The nisshowcache command is located in /usr/lib/nis. It displays only the cache header and the directory names. Here is an example entered from the root master server:

  rootmaster# /usr/lib/nis/nisshowcache  
  
  Cold Start directory:  
  Name : 'Wiz.Com.'  
  Type : NIS  
  Master Server :  
           Name       : rootmaster.Wiz.Com.  
           Public Key : Diffie-Hellman (196 bits)  
           Universal addresses (6)  
           .  
           .  
           .  
  Replicate:  
           Name       : rootreplica1.Wiz.Com.  
           Public Key : Diffie-Hellman (196 bits)  
           Universal addresses (6)  
           .  
           .  
           .  
  Time to live : 12:0:0  
  Default Access Rights :  

The nisping Command

The nisping command sends a ping to replica servers, telling them to ask the master server for updates immediately. (The replicas normally wait a couple of minutes before executing this request.) Before pinging, the command checks the time of the last update received by each replica. If it is the same as the last update sent by the master, it does not send the ping to the replica.
The nisping command can also checkpoint a directory. This consists of telling each server in the directory, including the master, to update its information on disk from the domain's transaction log.

Syntax

To display the time of the last update:
/usr/lib/nis/nisping -u [domain]

To ping replicas:
/usr/lib/nis/nisping [domain]
/usr/lib/nis/nisping -H hostname [domain]

To checkpoint a directory:
/usr/lib/nis/nisping -C hostname [domain]

Displaying the Time of the Last Update

Use the -u option. It displays the update times for the master and replicas of the local domain, unless you specify a different domain name.
/usr/lib/nis/nisping -u [domain]

Here is an example:

  rootmaster# /usr/lib/nis/nisping -u  
  Last updates for directory Wiz.Com.:  
  Master server is rootmaster.Wiz.Com.  
          Last update occurred at Wed Nov 25 10:53:37 1992  
  
  Replica server is rootreplica1.Wiz.Com.  
          Last update seen was Wed Nov 18 11:24:32 1992  
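
The comparison nisping makes between the master's last update and each replica's can be scripted to spot replicas that are still serving old data. The following Python is an added example, not part of the original guide; the line formats are taken from the output shown above, and rootreplica2 in the sample is constructed.

```python
from datetime import datetime
import re

STAMP = "%a %b %d %H:%M:%S %Y"          # e.g. "Wed Nov 25 10:53:37 1992"
DIR_RE = re.compile(r"(?:Last updates for|serving) directory (\S+?)\s*:\s*$")
MASTER_RE = re.compile(r"Master server is (\S+)")
REPLICA_RE = re.compile(r"Replica server is (\S+)")
TIME_RE = re.compile(r"Last update (?:occurred at|seen was) (.+?)\s*$")

# Constructed sample: the guide's `nisping -u` output plus a second,
# made-up replica (rootreplica2) that is already up to date.
SAMPLE = """\
Last updates for directory Wiz.Com.:
Master server is rootmaster.Wiz.Com.
        Last update occurred at Wed Nov 25 10:53:37 1992

Replica server is rootreplica1.Wiz.Com.
        Last update seen was Wed Nov 18 11:24:32 1992

Replica server is rootreplica2.Wiz.Com.
        Last update seen was Wed Nov 25 10:53:37 1992
"""


def replica_lag(text):
    """Return [(directory, replica, seconds behind the master)] per replica."""
    rows, directory, master_time, pending = [], None, None, None
    for line in text.splitlines():
        if m := DIR_RE.search(line):
            directory, master_time, pending = m.group(1), None, None
        elif m := MASTER_RE.search(line):
            pending = ("master", m.group(1))
        elif m := REPLICA_RE.search(line):
            pending = ("replica", m.group(1))
        elif (m := TIME_RE.search(line)) and pending:
            when = datetime.strptime(m.group(1), STAMP)
            role, host = pending
            pending = None
            if role == "master":
                master_time = when
            elif master_time is not None:
                lag = int((master_time - when).total_seconds())
                rows.append((directory, host, lag))
    return rows


def stale(text, max_lag_seconds=0):
    """Replicas whose last update is more than max_lag_seconds behind the master."""
    return [row for row in replica_lag(text) if row[2] > max_lag_seconds]


if __name__ == "__main__":
    for directory, host, lag in stale(SAMPLE):
        print(f"{host} is {lag} seconds behind the master of {directory}")
```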

Pinging Replicas

You can ping all the replicas in a domain, or one in particular. To ping all the replicas, use the command without options:
  /usr/lib/nis/nisping

To ping all the replicas in a domain other than the local domain, append a domain name:
/usr/lib/nis/nisping domainname

Here is an example that pings all the replicas of the local domain, Wiz.Com.:

  rootmaster# /usr/lib/nis/nisping  
  Pinging replicas serving directory Wiz.Com. :  
  Master server is rootmaster.Wiz.Com.  
          Last update occurred at Wed Nov 25 10:53:37 1992  
  
  Replica server is rootreplica1.Wiz.Com.  
          Last update seen was Wed Nov 18 11:24:32 1992  
  
          Pinging ... rootreplica1.Wiz.Com.  

Since the update times were different, it proceeds with the ping. If the times had been identical, it would not have sent a ping.
You can also ping all the tables in all the directories on a single specified host. To do so, use the -A option:
/usr/lib/nis/nisping -A hostname

Checkpointing a Directory

To checkpoint a directory, use the -C option:
/usr/lib/nis/nisping -C directory-name

All the servers that support a domain, including the master, transfer their information from their .log files to disk. This erases the log files and frees more disk space. While a server is checkpointing, it will still answer requests for service, but it is unavailable for updates.
Here is an example of nisping output:

  rootmaster# /usr/lib/nis/nisping -C  
  Checkpointing replicas serving directory Wiz.Com. :  
  Master server is rootmaster.Wiz.Com.  
          Last update occurred at Wed Nov 25 10:53:37 1992  
  
  Master server is rootmaster.Wiz.Com.  
  checkpoint has been scheduled with rootmaster.Wiz.Com.  
  Replica server is rootreplica1.Wiz.Com.  
          Last update seen was Wed Nov 18 11:24:32 1992  
  
  Replica server is rootreplica1.Wiz.Com.  
  checkpoint has been scheduled with rootmaster.Wiz.Com.  

The nislog Command

The nislog command displays the contents of the transaction log.

Syntax

/usr/sbin/nislog
/usr/sbin/nislog -h [number]
/usr/sbin/nislog -t [number]

Displaying the Contents of the Transaction Log

To display the entire contents of the transaction log, use the nislog command without options:
/usr/sbin/nislog

To display the first (head) or last (tail) entry in the log, use the -h or -t options:
/usr/sbin/nislog -h
/usr/sbin/nislog -t

To display the first or last n entries, use the -h and -t options, but specify a number:
/usr/sbin/nislog -h number
/usr/sbin/nislog -t number

Each transaction consists of two parts: the particulars of the transaction and a copy of an object definition. Here is an example that shows the transaction log entry that was made when the Wiz.Com. directory was first created. "XID" refers to the transaction ID.

  rootmaster# /usr/sbin/nislog -h 2  
  NIS Log printing facility.  
  NIS Log dump:  
          Log state : STABLE  
  Number of updates    : 48  
  Current XID          : 39  
  Size of log in bytes : 18432  
  ***UPDATES***  
  @@@@@@@@@@@@@@TRANSACTION@@@@@@@@@@@@@@  
  #00000, XID : 1  
  Time        : Wed Nov 25 10:50:59 1992  
  
  Directory   : Wiz.Com.  
  Entry type  : ADD Name  
  Entry timestamp : Wed Nov 25 10:50:59 1992  
  Principal       : rootmaster.Wiz.Com.  
  Object name     : org_dir.Wiz.Com.  
  ...................Object......................  
  Object Name   : org_dir  
  Owner         : rootmaster.Wiz.Com.  
  Group         : admin.Wiz.Com.  
  Domain        : Wiz.Com.  
  Access Rights : r---rmcdr---r---  
  Time to Live  : 24:0:0  
  Object Type   : DIRECTORY  
  Name : 'org_dir.Wiz.Com.'  
  Type: NIS  
  Master Server : rootmaster.Wiz.Com.  
  .  
  .  
  ................................................  
  @@@@@@@@@@@@@@TRANSACTION@@@@@@@@@@@@@@  
  #00000, XID : 2  
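
Because each transaction records the Principal that made the change, the log can be reviewed for changes made by principals outside the expected administrators. The following Python is an added example, not part of the original guide; it assumes the record layout shown above, and the second record and its principal are constructed.

```python
import re

# Constructed log text. The first record repeats the header fields of the
# entry shown in the guide; the second record and its principal are made up.
SAMPLE = """\
NIS Log dump:
        Log state : STABLE
***UPDATES***
@@@@@@@@@@@@@@TRANSACTION@@@@@@@@@@@@@@
#00000, XID : 1
Time        : Wed Nov 25 10:50:59 1992

Directory   : Wiz.Com.
Entry type  : ADD Name
Entry timestamp : Wed Nov 25 10:50:59 1992
Principal       : rootmaster.Wiz.Com.
Object name     : org_dir.Wiz.Com.
...................Object......................
Object Name   : org_dir
Owner         : rootmaster.Wiz.Com.
.
................................................
@@@@@@@@@@@@@@TRANSACTION@@@@@@@@@@@@@@
#00000, XID : 2
Time        : Wed Nov 25 11:02:10 1992

Directory   : Wiz.Com.
Entry type  : ADD Name
Entry timestamp : Wed Nov 25 11:02:10 1992
Principal       : fred.Sales.Wiz.Com.
Object name     : scratch_dir.Wiz.Com.
"""


def parse_transactions(text):
    """Return one dict of header fields per transaction, skipping object copies."""
    records, current, in_object = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@@") and "TRANSACTION" in line:
            current, in_object = {}, False
            records.append(current)
        elif current is None or not line:
            continue                      # log preamble or blank line
        elif re.fullmatch(r"\.+Object\.+", line):
            in_object = True              # copy of the object definition starts
        elif re.fullmatch(r"\.{10,}", line):
            in_object = False             # long dotted rule ends the copy
        elif not in_object and ":" in line:
            key, _, value = line.partition(":")
            key = key.strip().lower()
            current["xid" if key.endswith("xid") else key] = value.strip()
    return records


def changes_by_unexpected_principals(text, expected):
    """List (xid, time, principal, entry type, object name) for other principals."""
    return [
        (r.get("xid"), r.get("time"), r["principal"], r.get("entry type"),
         r.get("object name"))
        for r in parse_transactions(text)
        if "principal" in r and r["principal"] not in expected
    ]


if __name__ == "__main__":
    for row in changes_by_unexpected_principals(SAMPLE, {"rootmaster.Wiz.Com."}):
        print(row)
```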

The nischttl Command

The nischttl command changes the time-to-live value of objects or entries in the namespace. This time-to-live value is used by the Cache Manager to determine when to expire a cache entry. You can specify the time-to-live in total number of seconds, or in a combination of days, hours, minutes, and seconds.
The time-to-live values you assign objects or entries should depend on the stability of the object. If an object is prone to frequent change, give it a low time-to-live value. If it is steady, give it a high one. A high time-to-live is a week. A low one is less than a minute. Password entries should have time-to-live values of about 12 hours to accommodate one password change per day. Entries in tables that don't change much, such as those in the RPC table, can have values of several weeks.
To change the time-to-live of an object, you must have modify rights to that object. To change the time-to-live of a table entry, you must have modify rights to the table; failing that, to the entry; failing that, to the columns you wish to modify.
To display the current time-to-live value of an object or table entry, use the nisdefaults -t command, described in Chapter 9, "Administering NIS+ Access Rights."

Syntax

-- To change the time-to-live value of objects:
nischttl time-to-live object-name
nischttl [-L] time-to-live object-name
-- To change the time-to-live value of entries:
nischttl time-to-live [column=value,...],table-name
nischttl [-ALP] time-to-live [column=value,...],table-name
time-to-live ::= seconds | days d hours h minutes m seconds s
-- Options:
Table 11-4 nischttl Syntax Options
-A All. Apply the change to all the entries that match the [column=value] specifications that you supply.
-L Links. Follow links and apply the change to the linked object or entry rather than the link itself.
-P Path. Follow the path until there is one entry that satisfies the condition.

Changing the Time-to-Live of an Object

To change the time-to-live of an object, enter the nischttl command with the time-to-live value and the object-name. You can add the -L option to extend the change to linked objects.
nischttl -L time-to-live object-name
You can specify the time-to-live in seconds or a combination of days, hours, minutes, and seconds. For the former, just enter the number of seconds. For the latter, add the suffixes "d, h, m, and s" to the number of days, hours, minutes, and seconds. Here are two pairs of examples that accomplish the same thing:

  client% nischttl 86400 Sales.Wiz.Com.  
  client% nischttl 24h Sales.Wiz.Com.  
  
  client% nischttl 176461 hosts.org_dir.Sales.Wiz.Com.  
  client% nischttl 2d1h1m1s hosts.org_dir.Sales.Wiz.Com.  

The first pair changes the time-to-live of the Sales.Wiz.Com. directory to 86,400 seconds, or 24 hours. The second pair changes the time-to-live of all the entries in a Hosts table to 176,461 seconds, or 2 days, 1 hour, 1 minute, and 1 second.

Changing the Time-to-Live of a Table Entry

To change the time-to-live of entries, use the indexed entry format. You can use any of the options, -A, -L, or -P.
nischttl [-ALP] time-to-live [column=value,...],table-name

These examples are similar to those above, but they change the value of table entries instead of objects:

  client% nischttl 86400 [uid=99],passwd.org_dir.Wiz.Com.  
  client% nischttl 24h [uid=99],passwd.org_dir.Wiz.Com.  
  
  client% nischttl 176461 [name=fred],hosts.org_dir.Wiz.Com.  
  client% nischttl 2d1h1m1s [name=fred],hosts.org_dir.Wiz.Com.