ypserv, ypbind - Network Information Service (NIS) server
and binder processes
/usr/sbin/ypserv [-a method]
/usr/sbin/ypbind [-s -S domainname,servername1,servername2...]
[-ypset | -ypsetme]
Specifies the database routines used to store NIS maps.
The choices are: btree -- Recommended when creating and
maintaining very large maps. dbm/ndbm -- For backward
compatibility. This is the default. hash -- A potentially
quicker method for managing small maps. Allows the ypbind
process to run in a secure mode. This requires the server
to use a secure port. Allows the system administrator to
lock ypbind to a particular domain and set of servers. Up
to four servers can be specified as follows:
/usr/sbin/ypbind -S domainname,server1,server2,server3,server4
Note that there cannot be any spaces around the
commas in the command line. The -S option ensures
that this system only binds to the specified domain
and to one of the specified servers. The servers
used with the -S option must have entries in the
local /etc/hosts file. ypbind accepts all ypset
requests, unless restricted by the -S option.
ypbind accepts only local ypset requests.
Note
If neither -ypset nor -ypsetme are specified,
ypbind does not accept ypset requests to bind to a
particular server.
The Network Information Service (NIS) provides a distributed
data lookup service for sharing data among networked
systems. NIS data is stored in database files
called maps. The databases consist of dbm, btree, or hash
files stored in the /var/yp/src directory. These files are
described in ypfiles(4).
The NIS daemons are /usr/sbin/ypserv, the NIS database
lookup server, and /usr/sbin/ypbind, the NIS binder. The
software interface to NIS is described in ypclnt(3).
Administrative tools are described in yppush(8), ypxfr(8),
yppoll(8), and ypwhich(1). Tools to see the contents of
NIS maps are described in ypcat(1), and ypmatch(1).
Database generation and maintenance tools are described in
ypmake(8), and makedbm(8).
Both the ypserv and ypbind daemons are activated at system
startup time by /sbin/init.d/nis. The ypserv daemon runs
only on an NIS server machine with a complete NIS
database. The ypbind daemon runs on all machines using
NIS, both NIS servers and clients.
The [-a method] option to ypserv tells ypserv which format
the maps are stored in; either btree, dbm, or hash.
ypserv Daemon
The ypserv daemon's primary function is to look up information
in its local database of NIS maps. The operations
performed by ypserv are defined for the programmer in the
<rpcsvc/yp_prot.h> header file.
Communication with ypserv is by means of RPC calls.
Lookup functions are described in ypclnt(3), and are supplied
as C-callable functions in /libc.
There are four lookup functions, all of which are performed
on a specified map within an NIS domain: Match,
Get_first, Get_next, and Get_all. The Match operation
takes a key, and returns the associated value. The
Get_first operation returns the first key-value pair from
the map, and the Get_next operation returns the remaining
key-value pairs. The Get_all operation ships the entire
map to the requester.
Two other functions supply information about the map,
rather than the map entries: Get_order_number and Get_master_name.
Both the order number and the master name exist
in the map as key-value pairs, but the server will not
return either through the usual lookup functions. If the
map is examined with makedbm(8), however, they are visible.
Other functions are used within the NIS subsystem itself,
and are not of general interest to NIS clients. They
include the Do_you_serve_this_domain?, the Transfer_map,
and the Reinitialize_internal_state functions.
securenets File
The /etc/yp/securenets file contains a list of subnets
that are considered trusted and that are allowed to access
NIS data using the ypserv and ypxfrd daemons. It is a
user-created file that resides on an NIS master server and
any slave servers.
If the /etc/yp/securenets file does not exist, or exists
but contains no subnets, all IP addresses are accepted.
However, anyone on the Internet that knows the NIS server
address and the domain name can obtain NIS served data,
including the passwd file. Using the securenets file is a
recommended method of security.
If you want an NIS slave server, use a /etc/yp/securenets
file to restrict IP addresses to which it serves. The
slave server's IP address must be in the authorization
range of entries in the /etc/yp/securenets file on the NIS
master server.
Each entry in the /etc/yp/securenets file contains an IP
subnet mask and a corresponding subnet IP address separated
by at least one space. Lines that do not begin with
a digit are considered comments. The file has the following
format:
subnet_mask subnet_ip_address
In the following securenets file example, the first two
lines allow only those IP addresses that are within the
subnet 128.30 and 128.211.10 range to access the NIS
files. The third line authorizes the one host at address
128.211.5.6.
255.255.0.0 128.30.0.0 255.255.255.0 128.211.10.0
255.255.255.255 128.211.5.6
ypbind Daemon
The ypbind daemon's function is to remember information
that enables client processes on a single node to communicate
with a ypserv process. The ypbind function must run
on every machine that has NIS client service requirements.
The ypbind function must be started through an entry in
the /sbin/init.d/nis file.
The information ypbind remembers is called a binding, the
association of a domain name with the internet address of
the NIS server, and the port on that host at which the
ypserv process is listening for service requests. The
process of binding is driven by client requests. As a
request for an unbound domain comes in, the ypbind process
broadcasts on the net trying to find a ypserv process that
serves maps within that domain. Since the binding is
established by broadcasting, there must be at least one
ypserv process on every net. Once a domain is bound by a
particular ypbind, that same binding is given to every
client process on the node. The ypbind process on the
local node or a remote node may be queried for the binding
of a particular domain by using the ypwhich(1) command.
Bindings are verified before they are given out to a
client process. If ypbind is unable to speak to the
ypserv process it is bound to, it marks the domain as
unbound, tells the client process that the domain is
unbound, and tries to bind the domain once again.
Requests received for an unbound domain will fail immediately.
In general, a bound domain is marked as unbound
when the node running ypserv crashes or gets overloaded.
When the node gets overloaded, ypbind will try to bind to
any NIS server (typically one that is less-heavily loaded)
available on the net.
The ypbind process also accepts requests to set its binding
for a particular domain. The request is usually generated
by the NIS subsystem itself.
You must use the same database format for each map in a
domain. In addition, a server serving multiple NIS domains
must use the same database format for all domains.
Although a Tru64 UNIX NIS server that takes advantage of
btree files will be able to store very large maps, NIS
slave servers that lack this feature might have a much
smaller limit on the number of map entries they can handle.
It may not be possible to distribute very large maps
from a Tru64 UNIX NIS master server to a slave server that
lacks support for very large maps. NIS clients are not
affected by these enhancements.
The following is an example of the ypserv command used
with the btree format database routine to store NIS maps.
ypserv -a b
If this file exists when ypserv starts up, log information
is written to ypserv.log when error conditions occur.
User-created file on the NIS server that contains a list
of trusted subnets that are allowed to access NIS data
using the ypserv and ypxfrd daemons.
Commands: ypcat(1), ypmatch(1), yppasswd(1), ypwhich(1),
ypmake(8), yppush(8), ypxfr(8)
Functions: btree(3), dbm(3), dbopen(3), hash(3), ndbm(3),
ypclnt(3)
Files: ypfiles(4)
Network Administration: Services
ypserv(8)
[ Back ] |
