What Is a Name Service?

Name services store information that users, workstations, and applications must have to communicate across the network. Without a name service, each workstation would have to maintain its own copy of this information. This information includes machine addresses, user names, passwords, and network access permissions. The information may be stored in files or database tables. Centrally locating this data makes it easier to administer large networks.

For example, take a simple network of three workstations, pine, elm, and oak:

Before pine can send a message to either elm or oak, it must know their network addresses. For this reason, it keeps a file, /etc/hosts, that stores the network address of every workstation in the network, including itself.

Likewise, in order for elm and oak to communicate with pine or with each other, they must keep similar files.

Addresses are not the only network information that workstations need to store. They also need to store security information, mail information, information about their Ethernet interfaces, network services, groups of users allowed to use the network, services offered on the network, and so on. As networks offer more services, the list grows. As a result, each workstation may need to keep an entire set of files similar to /etc/hosts:

As this information changes, administrators must keep it current on every workstation in the network. In a small network this is simply tedious, but on a medium or large network, the job becomes not only time-consuming but nearly unmanageable.

A network information service solves this problem. It stores network information on servers and provides it to any workstation that asks for it:

The workstations are known as clients of the server. Whenever information about the network changes, instead of updating each client's local file, an administrator updates only the information stored by the network information service. This reduces errors, inconsistencies between clients, and the sheer size of the task.

This arrangement, of a server providing centralized services to clients across a network, is known as client-server computing.

Although the chief purpose of a network information service is to centralize information, another is to simplify network names. A network information service enables workstations to be identified by common names instead of numerical addresses. (This is why these services are sometimes called "name services.") This makes communication simpler because users don't have to remember and try to enter cumbersome numerical addresses like "129.44.3.1." Instead, they can use descriptive names like Sales, Lab1, or Arnold.

For example, assume that a fictitious company called Wizard, Inc., has set up a network and connected it to the Internet. The Internet has assigned Wizard, Inc. the network number of 129.44.0.0. Wizard, Inc. has two divisions, Sales and Eng, so its network is divided into two subnets, one for each division. Each subnet has its own address:

Each division could be identified by its network address, as shown above, but descriptive names made possible by name services would be preferable:

So, instead of addressing mail or other network communications to 129.44.1.0, they could be addressed simply to Wiz. Instead of addressing them to 129.44.2.0 or 129.44.3.0, they could be addressed to sales.wiz or eng.wiz.

Names are also more flexible than physical addresses. While physical networks tend to remain stable, the organizations that use them tend to change. A network information service can act as a buffer between an organization and its physical network. This is because a network information service is mapped to the physical network, not hard-wired to it. For example,

assume that the Wiz network is supported by three servers, S1, S2, and S3, and that two of those servers, S1 and S3, support clients:

Clients C1, C2, and C3 would obtain their network information from server S1. Clients C4, C5, and C6 would obtain it from server S3. The resulting network is summarized in Table 1-1. (The table is a generalized representation of that network but does not resemble an actual network information map.)

Table 1-1

Network Address	Network Name	Server	Clients
129.44.1.0	wiz	S1
129.44.2.0	sales.wiz	S2	C1, C2, C3
129.44.3.0	eng.wiz	S3	C4, C5, C6

Now assume that Wizard, Inc. created a third division, Testing, which borrowed some resources from the other two divisions, but did not create a third subnet. The physical network would then no longer parallel the corporate structure:

Traffic for the Test Division would not have its own subnet, but would instead be split between 129.44.2.0 and 129.44.3.0. However, with a network information service, the Test Division traffic could have its own dedicated network:

Thus, when an organization changes, its network information service can simply change its mapping:

Now clients C1 and C2 would obtain their information from server S2; C3 and C4 from server S4; and C5 and C6 from server S3.

Subsequent changes in the Wizard Inc., organization would continue to be accommodated by changes to the "soft" network information structure without reorganizing the "hard" network structure.

DNS

DNS, the Domain Name System, is the name service provided by the Internet for TCP/IP networks. It was developed so that workstations on the network could be identified with common names instead of Internet addresses. DNS performs naming between hosts within your local administrative domain and across domain boundaries.

The collection of networked workstations that use DNS are referred to as the DNS namespace. The DNS namespace can be divided into a hierarchy of domains. A DNS domain is simply a group of workstations. Each domain is supported by two or more name servers: a principal server and one or more secondary servers. Each server implements DNS by running a daemon called in.named. On the client's side, DNS is implemented through the "resolver." The resolver's function is to resolve users' queries; to do that, it queries a name server, which then returns either the requested information or a referral to another server.

FNS

FNS, the Federated Naming Service, supports the use of different autonomous naming systems in a single Solaris environment. FNS allows you to use a single, simple naming system interface for all of the different name services on your network.

NIS

NIS, a network information service, was developed independently of DNS and had a slightly different focus. Whereas DNS focused on making communication simpler by using workstation names instead of addresses, NIS focused on making network administration more manageable by providing centralized control over a variety of network information. As a result, NIS

stores information not only about workstation names and addresses, but also about users, the network itself, and network services. This collection of network information is referred to as the NIS namespace.

NIS Architecture

NIS uses a client-server arrangement similar to DNS. Replicated NIS servers provide services to NIS clients. The principal servers are called master servers, and for reliability, they have backup, or replica servers (sometimes referred to as slave server). Both master and replica servers use the NIS information retrieval software and both store NIS maps.

NIS, like DNS, uses domains to arrange the workstations, users, and networks in its namespace. However, it does not use a domain hierarchy; an NIS namespace is flat. Thus, this physical network:

would be arranged into one NIS domain:

An NIS domain can't be connected directly to the Internet. However, organizations that want to use NIS and be connected to the Internet can combine NIS with DNS. They use NIS to manage all local information and

DNS for host name resolution. NIS provides special client routines for this purpose ("DNS forwarding"). When a client needs access to any type of information except IP addresses, the request goes to the client's NIS server. When a client needs name resolution, the request goes to the DNS server. From the DNS server, the client has access to the Internet in the usual way.

NIS Maps

NIS stores information in a set of files called maps. NIS maps were designed to replace UNIX^(R) /etc files, as well as other configuration files, so they store much more than names and addresses. As a result, the NIS namespace has a large set of maps, as shown in Table 1-2.

NIS maps are essentially two-column tables. One column is the key and the other column is information about the key. NIS finds information for a client by searching through the keys. Thus, some information is stored in several maps because each map uses a different key. For example, the names and addresses of workstations are stored in two maps: hosts.byname and hosts.byaddr. When a server has a workstation's name and needs to find its address, it looks in the hosts.byname map. When it has the address and needs to find the name, it looks in the hosts.byaddr map.

Table 1-2

NIS Map	Description
bootparams	Lists the names of the diskless clients and the location of the files they need during booting
ethers.byaddr	Lists the Ethernet addresses of workstations and their corresponding names
ethers.byname	Lists the names of workstations and their corresponding Ethernet addresses
group.bygid	Provides membership information about groups, using the group id as the key
group.byname	Provides membership information about groups, using the group name as the key
hosts.byaddr	Lists the names and addresses of workstations, using the address as the key
hosts.byname	Lists the names and addresses of workstations, using the name as the key

Table 1-2 (Continued)

NIS Map	Description
mail.aliases	Lists the mail aliases in the namespace and all the workstations that belong to them
mail.byaddr	Lists the mail aliases in the namespace, using the address as the key
netgroup	Contains netgroup information, using group name as the key
netgroup.byhost	Contains information about the netgroups in the namespace, using workstation names as the key
netgroup.byuser	Contains netgroup information, using user as the key
netid.byname	Contains the Secure RPC netname of workstations and users, along with their UIDs and GIDs
netmasks.byaddr	Contains network masks used with IP subnetting, using address as the key
networks.byaddr	Contains the names and addresses of the networks in the namespace, and their Internet addresses
networks.byname	Contains the names and addresses of the networks in the namespace, using the names as the key
passwd.byname	Contains password information, with username as the key
passwd.byuid	Contains password information, with userid as the key
protocols.byname	Lists the network protocols used
protocols.bynumber	Lists the network protocols used but uses their number as the key
publickey.byname	Contains public and secret keys for Secure RPC
rpc.bynumber	Lists the known program name and number of RPCs
services.byname	Lists the available Internet services
ypservers	Lists the NIS servers in the namespace, along with their IP addresses

NIS+

NIS+ is a network name service similar to NIS but with more features. NIS+ is not an extension of NIS. It is a new software program.

NIS+ enables you to store information about workstation addresses, security information, mail information, Ethernet interfaces, and network services in central locations where all workstations on a network can have access to it. This configuration of network information is referred to as the NIS+ namespace.

The NIS+ namespace is hierarchical, and is similar in structure to the UNIX directory file system. The hierarchical structure allows an NIS+ namespace to be configured to conform to the logical hierarchy of an organization. The namespace's layout of information is unrelated to its physical arrangement. Thus, an NIS+ namespace can be divided into multiple domains that can be administered autonomously. Clients may have access to information in other domains in addition to their own if they have the appropriate permissions.

NIS+ uses a client-server model to store and have access to the information contained in an NIS+ namespace. Each domain is supported by a set of servers. The principal server is called the master server and the backup servers are called replicas. The network information is stored in 16 standard NIS+ tables in an internal NIS+ database. Both master and replica servers run NIS+ server software and both maintain copies of NIS+ tables. Changes made to the NIS+ data on the master server are incrementally propagated automatically to the replicas.

NIS+ includes a sophisticated security system to protect the structure of the namespace and its information. It uses authentication and authorization to verify whether a client's request for information should be fulfilled. Authentication determines whether the information requester is a valid user on the network. Authorization determines whether a particular user is allowed to have or modify the information requested.

Solaris clients use the name service switch (/etc/nsswitch.conf file) to determine from where a workstation will retrieve network information. Such information may be stored in local /etc files, NIS, DNS, or NIS+. You can specify different sources for different types of information in the name service switch.

What NIS+ Can Do for You

NIS+ has some major advantages over NIS:

• Secure data access
• Hierarchical and decentralized network administration

• Very large namespace administration
• Access to resources across domains
• Incremental updates

With the security system described in "NIS+ Security" on page 16, you can control a particular user's access to an individual entry in a particular table. This approach to security helps to keep the system secure and administration tasks to be more broadly distributed without risking damage to the entire NIS+ namespace or even to an entire table.

The NIS+ hierarchical structure allows for multiple domains in one namespace. Division into domains makes administration easier to manage. Individual domains can be administered completely independently, thereby relieving the burden on system administrators who would otherwise each be responsible for very large namespaces. As mentioned above, the security system in combination with decentralized network administration allows for a sharing of administrative work load.

Even though domains may be administered independently, all clients can be granted permission to access information across all domains in a namespace. Since a client can only see the tables in its own domain, the client can only have access to tables in other domains by explicitly addressing them.

Incremental updates mean faster updates of information in the namespace. Since domains are administered independently, changes to master server tables only have to be propagated to that master's replicas and not to the entire namespace. Once propagated, these updates are visible to the entire namespace immediately.

How NIS+ Differs From NIS

NIS+ differs from NIS in several ways. It has many new features and the terminology for similar concepts is different. Look in the Glossary if you see a term you don't recognize. Table 1-3 gives an overview of the major differences between NIS and NIS+.

Table 1-3

NIS	NIS+
Flat domains--no hierarchy	Hierarchical layout--data stored in different levels in the namespace
Data stored in two column maps	Data stored in multicolumn tables
Uses no authentication	Uses DES authentication
Single choice of network information source	Name service switch--lets client choose information source: NIS, NIS+, DNS, or local /etc files
Updates delayed for batch propagation	Incremental updates propagated immediately

NIS+ was designed to replace NIS. NIS addresses the administration requirements of client-server computing networks prevalent in the 1980s. At that time client-server networks did not usually have more than a few hundred clients and a few multipurpose servers. They were spread across only a few remote sites, and since users were sophisticated and trusted, they did not require security.

However, client-server networks have grown tremendously since the mid- 1980s. They now range from 100-10,000 multivendor clients supported by 10- 100 specialized servers located in sites throughout the world, and they are connected to several "untrusted" public networks. In addition, the information they store changes much more rapidly than it did during the time of NIS. The size and complexity of these networks required new, autonomous administration practices. NIS+ was designed to address these requirements.

The NIS namespace, being flat, centralizes administration. Because networks in the 1990s require scalability and decentralized administration, the NIS+ namespace was designed with hierarchical domains, like those of DNS:

This design enables NIS+ to be used in a range of networks, from small to very large. It also allows the NIS+ service to adapt to the growth of an organization. For example, if a corporation splits itself into two divisions, its NIS+ namespace could be divided into two domains that could be administered autonomously. Just as the Internet delegates administration of domains downward, NIS+ domains can be administered more or less independently of each other.

Although NIS+ uses a domain hierarchy similar to that of DNS, an NIS+ domain is much more than a DNS domain. A DNS domain only stores name and address information about its clients. An NIS+ domain, on the other hand, is a collection of information about the workstations, users, and network services in a portion of an organization.

Although this division into domains makes administration more autonomous and growth easier to manage, it does not make information harder to access. Clients have the same access to information in other domains as they would have had under one umbrella domain. A domain can even be administered from within another domain.

The principal NIS+ server is called the master server, and the backup servers are called replicas. Both master and replica servers run NIS+ server software and both maintain copies of NIS+ tables. Tables store information in NIS+ the way maps store information in NIS. The principal server stores the original tables, and the backup servers store copies.

However, NIS+ uses an updating model that is completely different from the one used by NIS. Since at the time NIS was developed, the type of information it would store changed infrequently, NIS was developed with an update model that focused on stability. Its updates are handled manually and, in large organizations, can take more than a day to propagate to all the replicas. Part of the reason for this is the need to remake and propagate an entire map every time any information in the map changes.

NIS+, however, accepts incremental updates. Changes must still be made on the master server, but once made they are automatically propagated to the replica servers and immediately made available to the entire namespace. You don't have to "make" any maps or wait for propagation.

Details about NIS+ domain structure, servers, and clients, are provided in Chapter 2, "The NIS+ Namespace."

An NIS+ domain can be connected to the Internet through its NIS+ clients, using the name service switch (see "NIS+ and the Name Service Switch" on page 17). The client, if it is also a DNS client, can set up its switch configuration file to search for information in either DNS zone files or NIS maps--in addition to NIS+ tables.

NIS+ stores information in tables instead of maps or zone files. NIS+ provides 16 types of predefined, or system, tables:

Each table stores a different type of information. For instance, the hosts table stores information about workstation addresses, while the passwd table stores information about users of the network.

NIS+ tables provide two major improvements over the maps used by NIS. First, an NIS+ table can be searched by any column, not just the first column (sometimes referred to as the "key"). This eliminates the need for duplicate maps, such as the hosts.byname and hosts.byaddr maps used by NIS. Second, the information in NIS+ tables can be accessed and manipulated at three levels of granularity: the table level, the entry level, and the column level. NIS+ tables--and the information stored in them--are described in Chapter 3, "NIS+ Tables and Information."

NIS+ Security

NIS+ protects the structure of the namespace, and the information it stores, by the complementary processes of authorization and authentication.

• Authorization. Every component in the namespace specifies the type of operation it will accept and from whom. This is authorization.
• Authentication. NIS+ attempts to authenticate every request for access to the namespace. Requests come from NIS+ principals. A NIS+ principal can be a process, machine, root, or a user. Valid NIS+ principals posses a NIS+ credential. NIS+ authenticates the originator of the request (principal) by checking the principal's credential.

If the principal posseses an authentic (valid) credential, and if the principal's request is one that the principal is authorized to perform, NIS+ carries out the request. If either the credential is missing or invalid, or the request is not one the principal is authorized to perform, NIS+ denies the request for access. A much fuller description of the entire NIS+ security system is provided in Chapter 4, "Security Overview." "

NIS+ and the Name Service Switch

NIS+ works in conjunction with a separate program called the name service switch. The name service switch, sometimes referred to as "the switch," enables Solaris 2.x-based workstations to obtain their information from more than one name service; specifically, from local or /etc files, NIS maps, DNS zone files, or NIS+ tables. The switch not only offers a choice of sources, but allows a workstation to specify different sources for different types of information. A complete description of the switch software and its associated files is provided in Chapter 12, "The Name Service Switch."

Solaris 1.x and NIS-Compatibility Mode

Although NIS+ is provided with the 2.x package, it can be used by workstations running NIS on the Solaris 1.x software. To access NIS+ service on machines running Solaris 1.x, you must run the NIS+ servers in NIS-compatibility mode.

NIS-compatibility mode enables an NIS+ server running Solaris 2.x to answer requests from NIS clients while continuing to answer requests from NIS+ clients. NIS+ does this by providing two service interfaces. One responds to NIS+ client requests, while the other responds to NIS client requests.

This mode does not require any additional setup or changes to NIS clients. In fact, NIS clients are not even aware that the server that is responding isn't an NIS server -- except for some differences including: the NIS+ server running in NIS-compatibility mode does not support the ypupdate and ypxfr protocols and thus it cannot be used as a replica or master NIS server. For more information on NIS-compatibility mode, see NIS+ Transition Guide.

---

Note - In Solaris 2.3 and later releases, the NIS-compatibility mode supports DNS-forwarding. In Solaris 2.2, support for DNS forwarding is available as a patch. The DNS forwarding patch is not available in Solaris 2.0 and 2.1 releases.

---

Two more differences need to be pointed out. One is that instructions for setting up a server in NIS-compatibility mode are slightly different than those used to set up a standard NIS+ server. For details, see NIS+ and DNS Setup and Configuration Guide. The other is that NIS-compatibility mode has security implications for tables in the NIS+ namespace. Since the NIS client software does not have the capability to provide the credentials that NIS+ servers expect from NIS+ clients, all their requests end up classified as unauthenticated. Therefore, to allow NIS clients to access information in NIS+ tables, those tables must provide access rights to unauthenticated requests. This is handled automatically by the utilities used to set up a server in NIS-compatibility mode, as described in Part 2. However, to understand more about the authentication process and NIS-compatibility mode, see Chapter 4, "Security Overview."

NIS+ Administration Commands

NIS+ provides a full set of commands for administering a namespace. Table 1-4, below, summarizes them.

Table 1-4

Command	Description
nisaddcred	Creates credentials for NIS+ principals and stores them in the cred table.
nisaddent	Adds information from /etc files or NIS maps into NIS+ tables.
nis_cachemgr	Starts the NIS+ cache manager on an NIS+ client.
niscat	Displays the contents of NIS+ tables.

Table 1-4 (Continued)

Command	Description
nischgrp	Changes the group owner of an NIS+ object.
nischmod	Changes an object's access rights.
nischown	Changes the owner of an NIS+ object.
nischttl	Changes an NIS+ object's time-to-live value.
nisdefaults	Lists an NIS+ object's default values: domain name, group name, workstation name, NIS+ principal name, access rights, directory search path, and time-to-live.
nisgrep	Searches for entries in an NIS+ table.
nisgrpadm	Creates or destroys an NIS+ group, or displays a list of its members. Also adds members to a group, removes them, or tests them for membership in the group.
nisinit	Initializes an NIS+ client or server.
nisln	Creates a symbolic link between two NIS+ objects.
nisls	Lists the contents of an NIS+ directory.
nismatch	Searches for entries in an NIS+ table.
nismkdir	Creates an NIS+ directory and specifies its master and replica servers.
nispasswd	Changes password information stored in the NIS+ passwd table. (Rather than using nispasswd, you should use passwd or passwd -r nisplus.)
nisrm	Removes NIS+ objects (except directories) from the namespace.
nisrmdir	Removes NIS+ directories and replicas from the namespace.
nissetup	Creates org_dir and groups_dir directories and a complete set of (unpopulated) NIS+ tables for an NIS+ domain.
nisshowcache	Lists the contents of the NIS+ shared cache maintained by the NIS+ cache manager.

Table 1-4 (Continued)

Command	Description
nistbladm	Creates or deletes NIS+ tables, and adds, modifies or deletes entries in an NIS+ table.
nisupdkeys	Updates the public keys stored in an NIS+ object.
passwd	Changes password information stored in the NIS+ Passwd table. Also administers password aging and other password-related parameters.

NIS+ API

The NIS+ application programmer's interface (API) is a group of functions that can be called by an application to access and modify NIS+ objects. The NIS+ API has 54 functions that fall into nine categories:

• Object manipulation functions (nis_names)
• Table access functions (nis_tables)
• Local name functions (nis_local_names)
• Group manipulation functions (nis_groups)
• Application subroutine functions (nis_subr)
• Miscellaneous functions (nis_misc)
• Database access functions (nis_db)
• Error message display functions (nis_error)
• Transaction log functions (nis_admin)

These category names match the names by which they are grouped in the NIS+ man pages.