NIS(7P)NIS(7P)NAME
nis, yp, ypbind - Network Information Services Protocol (Client)
SYNOPSIS
/var/ns/lib/libns_nis.so
DESCRIPTION
The Network Information Services Protocol (NIS) is a simple Sun RPC based
protocol to fetch keyed data from a remote host. It is typically used to
distribute name service information in medium sized organizations. The
data is maintained on a single host (designated the NIS master), and is
pushed occasionally to a list of slave servers. Client systems
dynamically locate a server and request data given a domain name, map
name and key. In Irix the daemon nsd(1M) acts as both the server and
client side proxy for the protocol. The server side is implemented in
the nsd extension library nisserv(7P) while the client side and binding
server are implemented in the nsd extension library nis(7P). This manual
page documents the behavior of the client side protocol library for the
nsd daemon. Applications which wish to make direct requests can still
use the NIS API routines documented in ypclnt(3Y).
The library /var/ns/lib/libns_nis.so is opened by the nsd(1M) daemon when
nis is listed as the protocol for some map in a nsswitch.conf file. On
first open the library initialization procedure sets up a port to handle
YPBIND RPC requests, determines the domain of the local system
(domainname(1)), and attempts to locate the servers for the domain.
The library contains code to fetch data from a remote NIS server and
present it as lines from the configuration file from which it came. The
nsd daemon then presents that data in the filesystem mounted under /ns.
Extended attributes in the nsswitch.conf file can be used to control the
behavior of the NIS protocol. Extended attributes are simply lists of
key/value pairs attached to each object in the nsd filesystem. The
attributes supported in this library are:
domain
This is the domainname given as a parameter to the remote name
server. This attribute is typically inherited from the daemon
depending on the nsswitch.conf file that is being read. Given the
configuration file /var/ns/domains/DOMAINNAME/nsswitch.conf the
attribute "domain" is set to DOMAINNAME. For the default domain,
represented by the file /etc/nsswitch.conf, the domain attribute is
the same as the current system-wide domain as set by the
domainname(1) command. Typically the script /etc/init.d/network
sets it using the value saved in /var/yp/ypdomain on system startup.
A client system can be a member of multiple domains by including
multiple instances of the nis keyword in the nsswitch.conf file
like:
hosts: nis(domain=engr) nis(domain=corp)
Page 1
NIS(7P)NIS(7P)
table
The table attribute is typically inherited from the daemon based on
the line from which this entry occurs in the nsswitch.conf file. In
the above example the table attribute would be set to hosts.byname
or hosts.byaddr depending on the context of the request. Because
the NIS protocol implementations historically did not contain all
the tables that are considered standard in UNS this implementation
will fake the tables: services.byport, rpc.byname, and
group.bymember. It will first try to fetch data from these tables,
and if returned the error YP_NOMAP it will walk through the opposite
map looking for the specific key. The attempted lookup of
services.byport, rpc.byname, and group.bymember can be skipped by
the no_pseudo_maps attribute. It will also swap services.byname
with services.byport since the NIS map which was called
services.byname in old implementation was really indexed by
port/protocol.
key The key attribute is set by the daemon on each request, and is
passed directly on to the remote NIS server without change.
nis_multicast
The nis_multicast attribute is an integer hop count for the maximum
number of hops for multicast bind requests. By default this is 32.
Setting the nis_multicast attribute to 0 will result in no multicast
binding requests being sent. This attribute must be set using the
-a command line option.
nis_retries
The nis_retries attribute is an integer counter which controls how
many times a request is sent and how long the request waits for
binding to occur before returning an error. The default is 5.
nis_timeout
The nis_timeout attribute is an integer that determines the amount
of time that a nis request can take before rebinding. The default
is 1 second. The total time that a nis request can take is
(nis_retries * nis_binding).
nis_secure
The nis_secure attribute is a boolean which specifies that requests
for this map should originate on a privileged port, thus allowing
secure maps to be served (see nisserv(7P)).
As with other nsd methods, the query results are made available
through the /ns filesystem and will by default be readable by
anyone. Therefore, if the data in the served map is sensitive (such
as for the shadow map), this attribute should be combined with the
mode attribute in order to restrict the visibilty of the files in
the /ns filesystem. This attribute should be specified in both the
server and clients' nsswitch.conf file.
Page 2
NIS(7P)NIS(7P)
nis_security
the nis_security attribute determines if ypbind requests should be
honored. This attribute should be set to one of none, local, or
any. This attribute must be set using the -a command line option.
nis_servers
The nis_servers attribute is a space separated list of IP addresses,
or locally resolvable host names for the systems which act as
servers for this domain. If the nis_servers attribute is given then
the daemon will not send out a broadcast or multicast request for a
server, but will instead unicast binding requests to the listed
servers. This may also be set by creating the file
/var/yp/binding/DOMAINNAME/ypservers for the domain you wish to
control. This file is made up of a space separated list of
addresses, or locally resolvable names. See ypservers(4) for more
detailed information.
null_extend_key
The null_extend_key attribute specifies that the null character
which terminates the key is really part of the key. Some
applications (such as sendmail) have historically included the null
in the key so this attribute provides backward compatibility with
the old behavior.
nis_enumerate_key
The nis_enumerate_key attribute is a boolean value that controls the
inclusion of keys in table enumeration data. Specifying this
attribute is equivalent to the -k option to ypcat(1). If the
null_extend_key attribute is set, the null in the key will be
excluded from the enumeration result.
no_pseudo_maps
The no_pseudo_maps attribute specifies that the initial lookup of
services.byport, rpc.byname, and group.bymember should be skipped
and that NSD should always attempt the workaround for these
potentially non-existent maps.
nis_maxfraglen
The nis_maxfraglen attribute allows increasing the maximum record
fragment length the NIS client will allow on a reply from a TCP
based request. Currently the only NIS procedure which uses TCP is
YPPROC_ALL. This procedure is called when applications use the
getxxent() library calls. A common and realtively obscure example
is when a user logs in, the getgrent function is called to retrieve
the list of groups to determine which groups this user is a member
of. If using NIS to retrieve the group list, and the NIS server is
sending very large fragments on the TCP stream, nsd's NIS client
code, as a security measure, will discard any fragment which exceeds
it's maximum allowable fragment size. The result in this instance
can be the user not seeing all the groups he/she belongs to via, for
example, the groups command.
Page 3
NIS(7P)NIS(7P)
The vast majority of vendor's NIS servers fragment the responses in
smaller sizes typically no more than 8k per fragment. However, there
is no standard for how this must be done and some servers have been
known to use much larger fragment sizes, and potentially, sending
the entire map in a single fragment. The nis_maxfraglen attribute
allows the flexibility of increasing (or decreasing) the default
limit of 32k.
NOTE: Should this attribute be used, some consideration should be
taken in increasing this value. Theoretically this fragment size can
be 2^31 as RPC uses the low order 31 bits of the fragment header to
specify the size. Increasing this limit too much can be detrimental
should the the YPPROC_ALL replies be spoofed with extremely large
fragment sizes.
ENABLING
The NIS functionality of nsd must be enabled via the chkconfig yp
command.
NOTE
The daemon nsd(1M) uses this library to replace the ypbind daemon from
previous IRIX releases. Similarly, nsd uses the nisserv(7P) library to
replace the ypserv daemon from previous releases.
FILES
/var/yp/binding/DOMAINNAME/ypservers
SEE ALSOchkconfig(1M), nsd(1M), nsswitch.conf(4), nisserv(7P), ypservers(4)
IRIX Admin: Networking and Mail
IRIX NIS Administration Guide
Page 4
