Install and configure NIS+

Securely administer client access in a central location

Ease your system administration tasks and use Network Information Service plus (NIS+) to quickly handle maintenance and security issues for information. NIS+ is a network-wide naming and administration service that works on a client-server model. The server maintains all the details of the users and clients in a central database. In this article, get step-by-step instructions on how to install, configure, and administer NIS+.

Ashish Nainwal (nainwal@in.ibm.com), System Administrator, IBM

Ashish Nainwal is an AIX security support specialist and system administrator at IBM India Systems and Technology Lab. He has been one of the focal points in AIX security in his two years with AIX. Ashish has also been involved in various System p™ administration activities and has diverse experience with customers. You can contact him at anainwal@in.ibm.com.



28 August 2007


Introduction

Network Information Service plus (NIS+), a service used for network naming and administration, expands the services provided by Network Information Service (NIS). NIS+ works on a client-server model, and it stores information at a central location that allows clients to access it over the network. This central location, called the NIS+ namespace, can store information such as security details, workstation addresses, mail information, and so on.

The NIS+ namespace is hierarchical in nature, and it can be easily configured according to the logical structure of an organization. NIS+ also has a special security system to protect the structure of the namespace and its information; it checks both authentication and authorization to process a user's request.

Go to the Resources section for a link to the NIS Guide.

This article summarizes the basic steps and commands for NIS+ installation, configuration, and administration.

Installation and configuration

The installation and configuration examples use the following machine names as root server and client:

  • NIS+ server: server (9.124.111.62)
  • NIS+ client: client (9.124.111.61)

Installation

The installation of NIS+ requires the bos.net.nisplus fileset.

  1. Check the availability of the fileset using the following command:
    # lslpp -l | grep bos.net.nisplus
  2. Planning the NIS+ layout includes selecting the root domain name, root server machine, clients, and slave machines. Preparing a sketch of the domain hierarchy is also handy when configuring NIS+.
  3. The /usr/lib/security/methods.cfg file should have the NISPLUS module defined in it, as follows:
    NISPLUS:
            program = /usr/lib/security/NISPLUS

    The NISPLUS load module should be available in /usr/lib/security.

  4. In the /etc/security/user file, define the SYSTEM attribute in the default section as NISPLUS or compat:
    default: 
    	SYSTEM = NISPLUS OR compat
  5. Include the /usr/lib/nis directory in the default PATH, as follows:
    # export PATH=$PATH:/usr/lib/nis
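
A pre-flight check for steps 3 and 4 above, added here as an example (it is not part of the original article or of AIX). The function names stanza_attr and check_nisplus_prereqs and the sample files are assumptions constructed for illustration; on a real system, pass /usr/lib/security/methods.cfg and /etc/security/user instead.

```shell
#!/bin/sh
# Added example (not from the article): verify installation steps 3 and 4.

# stanza_attr FILE STANZA ATTR: print ATTR's value from one stanza of an
# AIX stanza file ("name:" header in column 1, indented "attr = value" lines).
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                    # "*" starts a comment line
        /^[^ \t].*:[ \t]*$/ {                   # stanza header
            name = $0; sub(/:[ \t]*$/, "", name)
            found = (name == stanza); next
        }
        found && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key != attr) next
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
            print val; exit
        }
    ' "$1"
}

# check_nisplus_prereqs METHODS_CFG USER_FILE
# Returns 0 when both files match the article, 1 when the NISPLUS stanza is
# missing or points elsewhere, 2 when default SYSTEM names neither method.
check_nisplus_prereqs() {
    prog=$(stanza_attr "$1" NISPLUS program)
    [ "$prog" = "/usr/lib/security/NISPLUS" ] || return 1
    system=$(stanza_attr "$2" default SYSTEM)
    case " $system " in
        *" NISPLUS "*|*" compat "*) return 0 ;;
        *) return 2 ;;
    esac
}

# Constructed sample files so the check runs without touching a real system.
demo_dir=$(mktemp -d)
printf 'NISPLUS:\n        program = /usr/lib/security/NISPLUS\n' > "$demo_dir/methods.cfg"
printf 'default:\n\tSYSTEM = NISPLUS OR compat\n\nroot:\n\tSYSTEM = files\n' > "$demo_dir/user"
printf 'default:\n\tSYSTEM = files\n' > "$demo_dir/user.bad"

check_nisplus_prereqs "$demo_dir/methods.cfg" "$demo_dir/user" && echo "prerequisites OK"
check_nisplus_prereqs "$demo_dir/methods.cfg" "$demo_dir/user.bad" || echo "default SYSTEM not set for NIS+ (rc=$?)"
```

The check only reads the two files; it does not confirm that the load module itself is present in /usr/lib/security.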

Configuration

Starting the configuration of NISPLUS server requires a root domain name. Let's use the root domain name isl.com.

  1. Execute the nisserver command, as follows:
    # nisserver -r -d isl.com

    You should see the following display:

    # nisserver -r -d isl.com.
    0513-059 The keyserv Subsystem has been started. Subsystem PID is 303260.
    This script sets up this machine "indus29" as an NIS+
    root master server for domain isl.com..
    
    Domain name             : isl.com
    NIS+ group              : admin.isl.com
    NIS (YP) compatibility  : OFF
    Security Level          : 2=DES
    
    Is this information correct? (type 'y' to accept, 'n' to change)

    Select n to change the attributes shown above, or select y to continue.

    You should see the following display:

    This script will set up your machine as a root master server for
    domain isl.com without NIS compatibility at security level 2.
    
    WARNING: this script removes directories and files related to
    NIS+ under /var/nis directory with the exception of the client_info
    NIS_COLD_START and NIS_SHARED_DIRCACHE files which will be
    renamed to <file>.no_nisplus.  If you want to save these files,
    you should abort from this script now to save these files first.
    
    WARNING: once this script is executed, you will not be able to
    restore the existing NIS+ server environment.  However, you can
    restore your NIS+ client environment using "nisclient -i"
    with the proper domain name and server information.
    
    Do you want to continue? (type 'y' to continue, 'n' to exit this script)

    Select y to proceed, which triggers setting up the NIS+ server.

  2. The next step is to populate the NIS+ tables from the local files. You can use the following series of steps to copy the required files to the /var/tmp/nisplus directory, and then use the nispopulate command to populate the tables. This might take a long time, depending on the number of users in the system.
    # mkdir -p /var/tmp/nisplus
    # cp /etc/passwd          /var/tmp/nisplus/passwd
    # cp /etc/hosts           /var/tmp/nisplus/hosts
    # cp /etc/group           /var/tmp/nisplus/group
    # cp /etc/rpc             /var/tmp/nisplus/rpc
    # cp /etc/protocols       /var/tmp/nisplus/protocols
    # cp /etc/networks        /var/tmp/nisplus/networks
    # cp /etc/services        /var/tmp/nisplus/services
    
    # cd /var/tmp/nisplus
    
    # /usr/lib/nis/nispopulate -v -F -f -l <passwd>

    You have to supply a password (<passwd>) to the nispopulate command; it is used later for communication between the clients and the server.

  3. Add the root server to the hosts table using the following command:
    # nistbladm -A cname=<rootservername.domainname.> name=<rootservername> \
       addr=<ipaddress of rootserver> hosts.org_dir.domainname

    For example:

    # nistbladm -A cname=server.isl.com. name=server addr=9.124.111.62 hosts.org_dir.isl.com

    The addition of this entry to the hosts table completes the NIS+ server configuration.

  4. To check if the server is up, run the following commands:
    # niscat passwd.org_dir
    # nisls
  5. Use the following command to add clients to the hosts table on the NIS+ server:
    # nistbladm -A cname=<clientname.domainname.> name=<clientname> \
       addr=<ipaddress of the client> hosts.org_dir.domainname.

    For example:

    # nistbladm -A cname=client.isl.com. name=client addr=9.124.111.61 hosts.org_dir.isl.com
  6. After adding clients to the hosts table, go to a client and initialize it by using the following series of commands:
    # /usr/lib/nis/nisclient -D
    # stopsrc -s keyserv
    
    # /usr/lib/nis/nisclient -i -h <rootservername> -a <rootserverip> -d <domainname>

    For example:

    # /usr/lib/nis/nisclient -i -h server -a 9.124.111.62 -d isl.com
  7. Reboot the client:
    # shutdown -Fr

    Configuration of the NIS+ client is now complete.

  8. You can use the nisstat command from the client to check the server details. This ensures that the setup is correct.
    # nisstat

Administration

This section discusses general administration and basic commands for your NIS+ setup.

  1. To stop NIS+ and remove the domainname, enter the following:
    # stopsrc -s nis_cachemgr
    # /usr/lib/nis/nisserver -D
    # stopsrc -s keyserv
    # /usr/lib/nis/nisclient -D

    Remove all the files in the /var/nis/ directory.

  2. To create a group, check the domainname and use the nisgrpadm command to create a group (for example, testgrp).
    # domainname	
    isl.com
    # nisgrpadm -c testgrp.isl.com
    Group "testgrp.isl.com" created
  3. To verify that the groups were created, enter:
    #  nisls groups_dir
    groups_dir.isl.com:
    admin
    testgrp
  4. To create an NIS+ user (for example, nispuser), enter:
    # nismkuser nispuser
  5. To display the users, enter:
    # niscat passwd.org_dir

    Similarly, you can use the niscat command to check several entries present in the NIS+ tables. For example, you can use it to display the host entries, as follows:

    # niscat -h hosts.org_dir
  6. To add the user to a group, enter:
    # nisgrpadm -a testgrp nispuser

    The command added nispuser.isl.com to the testgrp.isl.com group.

  7. To check the group entry for the testgrp group, enter:
    # nisgrpadm -l testgrp.isl.com

    The output lists the group entry for the testgrp.isl.com group:

    nispuser
  8. Another useful command is nisls, which can be used to check the entries of the NIS+ tables. For example, to list the tables that have been populated, enter:
    # nisls org_dir

    To list the groups, enter:

    # nisls groups_dir

Conclusion

Though NIS+ has some advantages over NIS, it is important to note that there is no relation between NIS+ and NIS. The commands and the overall structure of NIS+ are different from NIS. The syntax for some commands in NIS+ is different from the commands for NIS. NIS+ was designed from scratch, and it is not an extension of NIS.

See the Network Information Services (NIS and NIS+) Guide in the Resources section for detailed information on other commands used for NIS+ administration.

Resources

Learn

Get products and technologies

  • IBM trial software: Build your next development project with software for download directly from developerWorks.
  • Quick links for AIX fixes: Get your AIX updates here.
  • IBM Fix Central: This site provides fixes and updates for your system's software, hardware, and operating system.
