NIS(7P)                                                                NIS(7P)

NAME
     nis, yp, ypbind - Network Information Services Protocol (Client)

SYNOPSIS
     /var/ns/lib/libns_nis.so

DESCRIPTION
     The Network Information Services Protocol (NIS) is a simple Sun RPC
     based protocol to fetch keyed data from a remote host. It is typically
     used to distribute name service information in medium sized
     organizations. The data is maintained on a single host (designated the
     NIS master), and is pushed occasionally to a list of slave servers.
     Client systems dynamically locate a server and request data given a
     domain name, map name and key.

     In Irix the daemon nsd(1M) acts as both the server and client side proxy
     for the protocol. The server side is implemented in the nsd extension
     library nisserv(7P) while the client side and binding server are
     implemented in the nsd extension library nis(7P). This manual page
     documents the behavior of the client side protocol library for the nsd
     daemon. Applications which wish to make direct requests can still use
     the NIS API routines documented in ypclnt(3Y).

     The library /var/ns/lib/libns_nis.so is opened by the nsd(1M) daemon
     when nis is listed as the protocol for some map in a nsswitch.conf file.
     On first open the library initialization procedure sets up a port to
     handle YPBIND RPC requests, determines the domain of the local system
     (domainname(1)), and attempts to locate the servers for the domain. The
     library contains code to fetch data from a remote NIS server and present
     it as lines from the configuration file from which it came. The nsd
     daemon then presents that data in the filesystem mounted under /ns.

     Extended attributes in the nsswitch.conf file can be used to control the
     behavior of the NIS protocol. Extended attributes are simply lists of
     key/value pairs attached to each object in the nsd filesystem. The
     attributes supported in this library are:

     domain
          This is the domainname given as a parameter to the remote name
          server.
          This attribute is typically inherited from the daemon depending on
          the nsswitch.conf file that is being read. Given the configuration
          file /var/ns/domains/DOMAINNAME/nsswitch.conf the attribute
          "domain" is set to DOMAINNAME. For the default domain, represented
          by the file /etc/nsswitch.conf, the domain attribute is the same as
          the current system-wide domain as set by the domainname(1) command.
          Typically the script /etc/init.d/network sets it using the value
          saved in /var/yp/ypdomain on system startup. A client system can be
          a member of multiple domains by including multiple instances of the
          nis keyword in the nsswitch.conf file like:

               hosts: nis(domain=engr) nis(domain=corp)

     table
          The table attribute is typically inherited from the daemon based on
          the line in which this entry occurs in the nsswitch.conf file. In
          the above example the table attribute would be set to hosts.byname
          or hosts.byaddr depending on the context of the request. Because
          the NIS protocol implementations historically did not contain all
          the tables that are considered standard in UNS, this implementation
          will fake the tables: services.byport, rpc.byname, and
          group.bymember. It will first try to fetch data from these tables,
          and if the error YP_NOMAP is returned it will walk through the
          opposite map looking for the specific key. The attempted lookup of
          services.byport, rpc.byname, and group.bymember can be skipped by
          the no_pseudo_maps attribute. It will also swap services.byname
          with services.byport since the NIS map which was called
          services.byname in old implementations was really indexed by
          port/protocol.

     key
          The key attribute is set by the daemon on each request, and is
          passed directly on to the remote NIS server without change.

     nis_multicast
          The nis_multicast attribute is an integer hop count for the maximum
          number of hops for multicast bind requests. By default this is 32.
          Setting the nis_multicast attribute to 0 will result in no
          multicast binding requests being sent.
          This attribute must be set using the -a command line option.

     nis_retries
          The nis_retries attribute is an integer counter which controls how
          many times a request is sent and how long the request waits for
          binding to occur before returning an error. The default is 5.

     nis_timeout
          The nis_timeout attribute is an integer that determines the amount
          of time that a nis request can take before rebinding. The default
          is 1 second. The total time that a nis request can take is
          (nis_retries * nis_binding).

     nis_secure
          The nis_secure attribute is a boolean which specifies that requests
          for this map should originate on a privileged port, thus allowing
          secure maps to be served (see nisserv(7P)). As with other nsd
          methods, the query results are made available through the /ns
          filesystem and will by default be readable by anyone. Therefore, if
          the data in the served map is sensitive (such as for the shadow
          map), this attribute should be combined with the mode attribute in
          order to restrict the visibility of the files in the /ns
          filesystem. This attribute should be specified in both the server
          and clients' nsswitch.conf file.

     nis_security
          The nis_security attribute determines if ypbind requests should be
          honored. This attribute should be set to one of none, local, or
          any. This attribute must be set using the -a command line option.

     nis_servers
          The nis_servers attribute is a space separated list of IP
          addresses, or locally resolvable host names for the systems which
          act as servers for this domain. If the nis_servers attribute is
          given then the daemon will not send out a broadcast or multicast
          request for a server, but will instead unicast binding requests to
          the listed servers. This may also be set by creating the file
          /var/yp/binding/DOMAINNAME/ypservers for the domain you wish to
          control. This file is made up of a space separated list of
          addresses, or locally resolvable names. See ypservers(4) for more
          detailed information.

     null_extend_key
          The null_extend_key attribute specifies that the null character
          which terminates the key is really part of the key. Some
          applications (such as sendmail) have historically included the null
          in the key so this attribute provides backward compatibility with
          the old behavior.

     nis_enumerate_key
          The nis_enumerate_key attribute is a boolean value that controls
          the inclusion of keys in table enumeration data. Specifying this
          attribute is equivalent to the -k option to ypcat(1). If the
          null_extend_key attribute is set, the null in the key will be
          excluded from the enumeration result.

     no_pseudo_maps
          The no_pseudo_maps attribute specifies that the initial lookup of
          services.byport, rpc.byname, and group.bymember should be skipped
          and that NSD should always attempt the workaround for these
          potentially non-existent maps.

     nis_maxfraglen
          The nis_maxfraglen attribute allows increasing the maximum record
          fragment length the NIS client will allow on a reply from a TCP
          based request. Currently the only NIS procedure which uses TCP is
          YPPROC_ALL. This procedure is called when applications use the
          getxxent() library calls. A common and relatively obscure example
          is when a user logs in, the getgrent function is called to retrieve
          the list of groups to determine which groups this user is a member
          of. If using NIS to retrieve the group list, and the NIS server is
          sending very large fragments on the TCP stream, nsd's NIS client
          code, as a security measure, will discard any fragment which
          exceeds its maximum allowable fragment size. The result in this
          instance can be the user not seeing all the groups he/she belongs
          to via, for example, the groups command. The vast majority of
          vendors' NIS servers fragment the responses in smaller sizes,
          typically no more than 8k per fragment. However, there is no
          standard for how this must be done and some servers have been known
          to use much larger fragment sizes, and potentially, sending the
          entire map in a single fragment.
          The nis_maxfraglen attribute allows the flexibility of increasing
          (or decreasing) the default limit of 32k.

          NOTE: Should this attribute be used, some consideration should be
          taken in increasing this value. Theoretically this fragment size
          can be 2^31 as RPC uses the low order 31 bits of the fragment
          header to specify the size. Increasing this limit too much can be
          detrimental should the YPPROC_ALL replies be spoofed with extremely
          large fragment sizes.

ENABLING
     The NIS functionality of nsd must be enabled via the chkconfig yp
     command.

NOTE
     The daemon nsd(1M) uses this library to replace the ypbind daemon from
     previous IRIX releases. Similarly, nsd uses the nisserv(7P) library to
     replace the ypserv daemon from previous releases.

FILES
     /var/yp/binding/DOMAINNAME/ypservers

SEE ALSO
     chkconfig(1M), nsd(1M), nsswitch.conf(4), nisserv(7P), ypservers(4)

     IRIX Admin: Networking and Mail
     IRIX NIS Administration Guide
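
The fragment-length check described under nis_maxfraglen, as an added example that is not nsd or IRIX source code: it walks the RPC record-marking headers of a TCP reply and rejects any fragment whose 31-bit length exceeds the limit before its payload is touched. The function name, status codes and sample byte streams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RM_LAST_FRAG    0x80000000u    /* high bit: last fragment of record */
#define RM_LEN_MASK     0x7fffffffu    /* low-order 31 bits: fragment size  */
#define DEFAULT_MAXFRAG (32u * 1024u)  /* the default limit of 32k          */
enum { RM_TRUNCATED = -1, RM_TOO_BIG = -2 };   /* hypothetical status codes */

/* Walk one RPC record held in buf. Each fragment header is compared with
 * maxfraglen before its payload is touched, so a spoofed length never drives
 * a read or an allocation. Returns payload bytes, or a negative status. */
long long rm_record_len(const unsigned char *buf, size_t len,
                        uint32_t maxfraglen)
{
    size_t off = 0;
    long long total = 0;
    for (;;) {
        if (len - off < 4)
            return RM_TRUNCATED;            /* no room for a header */
        uint32_t hdr = ((uint32_t)buf[off] << 24) |
                       ((uint32_t)buf[off + 1] << 16) |
                       ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
        uint32_t fraglen = hdr & RM_LEN_MASK;
        off += 4;
        if (fraglen > maxfraglen)
            return RM_TOO_BIG;              /* discard oversized fragment */
        if (fraglen > len - off)
            return RM_TRUNCATED;            /* header claims more than sent */
        off += fraglen;
        total += fraglen;
        if (hdr & RM_LAST_FRAG)
            return total;
    }
}

/* Constructed sample streams, not captured traffic. */
static const unsigned char two_frags[] = {
    0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c',   /* 3 bytes, more to follow */
    0x80, 0x00, 0x00, 0x02, 'd', 'e' };      /* 2 bytes, last fragment  */
static const unsigned char spoofed[] = {
    0xff, 0xff, 0xff, 0xff, 'x', 'y' };      /* claims 2^31-1 bytes     */

int main(void)
{
    printf("%lld\n", rm_record_len(two_frags, sizeof two_frags, DEFAULT_MAXFRAG));
    printf("%lld\n", rm_record_len(spoofed, sizeof spoofed, DEFAULT_MAXFRAG));
    return 0;
}
```

With the limit raised to the full 31-bit range the spoofed header passes the size check, and only the shortfall of bytes on the stream stops it; a client that sized a buffer from the header first would already have acted on the attacker-chosen value.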