HP-UX Virtual Partitions

   

By Marty Poniatowski

Chapter 6.  Users and Groups

One of the most popular ways to manage user-related information in a distributed environment is the Network Information System (NIS). NIS provides a method for multiple systems to share centralized password and group databases, along with other optional databases such as services and/or hosts. By doing so, the administration of user accounts is simplified for both end-users and system administrators. You will also often hear NIS referred to as "Yellow Pages" or "YP"; in fact, most of the NIS commands begin with the letters "yp".

NIS and other such technologies are required only in a distributed environment where users have to be managed on many systems. This is because changes in information, such as adding and removing users, must be disseminated to many systems. This is normally not required in a centralized environment, where only a small number of copies of such information must be maintained.

NIS on HP-UX is interoperable with Solaris and Sun-licensed NIS implementations, including Linux. Like most of these implementations, HP's NIS is not implemented in C2 or Trusted System mode. Additionally, Microsoft-based operating systems such as Windows do not use or interoperate with NIS.

What Does NIS Manage?

NIS can manage many different databases. We'll focus on the user password and group information. Table 6-2 is a list of some of the databases NIS can manage:

Table 6-2. Some NIS Databases That NIS Can Manage

Filename          Information Contained in File

/etc/passwd       Usernames, user IDs, primary groups, and encrypted passwords.
/etc/group        User group memberships.
/etc/hosts        Hostnames and IP addresses.
/etc/services     Network port numbers and service names.
/etc/aliases      Aliases and mailing lists for the mail system.
/etc/netgroup     Netgroup definitions.
/etc/rpc          Remote procedure call program numbers.
/etc/protocols    Network protocol names and numbers.

The following are optional for HP, but not used by HP-UX NIS clients.

/etc/bootparms    Information about diskless nodes.
/etc/ethers       Ethernet numbers (MAC addresses).
/etc/netmasks     Network masks.

NIS also calls each of these databases a map. These are called maps because NIS allows you to map a key, such as a username, to a value field, such as the user's passwd entry from the passwd map on the NIS Master Server.

How Do I Plan For NIS?

NIS requires one NIS Master Server and typically at least one NIS Slave Server per IP subnet. An NIS Master or Slave Server answers requests from NIS clients, typically seeking user password information when a user logs in. NIS is designed in a "top-down" or hierarchical manner, with all changes being made through the NIS Master Server. When a change is made on the NIS Master, it can be made visible to the NIS Slaves by "pushing" the updated database to the Slaves. Generally, an NIS server should satisfy the demands of 25 to 50 NIS clients. NIS Masters and Slaves are typically also NIS clients.

On the NIS Master server, you need to decide where you want to keep the NIS database "source" files. Most typically, the /etc files are used on the NIS Master for all databases except passwords, which are generally put into an "alternate" or "private" password file such as /etc/passwd.nis. Put only the user password database there and not the "system" users, such as root, sys, bin and so on. The "system" users should always be put in /etc/passwd on any NIS server or client.
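A check for the rule above, added here as an example and not taken from the book: it scans an NIS password source file for entries that should stay in the local /etc/passwd. The names root, sys and bin come from the text; the UID threshold of 100, the empty-password check, the function names and the sample data are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the book): audit an NIS password source file for
# entries that should live only in the local /etc/passwd.
# Assumption: SYSTEM_UID_MAX=100 is an illustrative cut-off for system UIDs.
SYSTEM_UID_MAX=${SYSTEM_UID_MAX:-100}

audit_nis_passwd() {
    # $1 = NIS password source file. Prints one line per flagged entry and
    # returns non-zero when anything was flagged.
    awk -F: -v max="$SYSTEM_UID_MAX" -v names="root sys bin" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) sysname[a[i]] = 1 }
        /^[ \t]*$/ || /^#/ { next }
        {
            why = ""
            if (NF != 7)                 why = why "; expected 7 fields"
            if ($1 in sysname)           why = why "; system account name"
            if ($3 !~ /^[0-9]+$/)        why = why "; non-numeric UID"
            else if ($3 + 0 < max)       why = why "; UID below " max
            if (NF >= 2 && $2 == "")     why = why "; empty password field"
            if (why != "") {
                printf "%s:%d: %s: %s\n", FILENAME, NR, $1, substr(why, 3)
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

write_sample_passwd_nis() {
    # Constructed sample data; the password fields are placeholders, not hashes.
    cat > "$1" <<'EOF'
brian:PLACEHOLDERHASH1:201:102:Brian:/home/brian:/usr/bin/sh
root:PLACEHOLDERHASH2:0:3::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
maria::305:102:Maria:/home/maria:/usr/bin/sh
toor:PLACEHOLDERHASH3:0:3::/:/sbin/sh
EOF
}

sample="${TMPDIR:-/tmp}/passwd.nis.sample.$$"
write_sample_passwd_nis "$sample"
audit_nis_passwd "$sample" || echo "entries above belong in /etc/passwd or need fixing"
rm -f "$sample"
```

Running the audit before each "make passwd" keeps a privileged or passwordless account from being distributed to every client in the domain.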

NIS places a small additional network and system load on NIS Master and Slave servers. Most typically, this extra load is encountered when updating a map or database and pushing the changes to the Slave servers.

The design of NIS requires that you first configure the NIS Master Server, then the NIS Slave Servers, and finally, the NIS clients.

How Do I Configure an NIS Master Or Slave Server?

You can configure an NIS Master and Slave Server either by using SAM or by performing the process manually. If you use SAM, most of the work takes place for you in the background: you enter the pertinent information and SAM performs the configuration. With the manual procedure, you perform each of the steps yourself. There are many good documents that can help you in this configuration, including HP's Installing and Administering NFS Services manual. This manual covers configuring Master and Slave Servers and can be obtained from www.docs.hp.com. HP support likes it when you follow these step-by-step procedures so that, should you encounter a problem, your execution of the steps can be reviewed.

To configure with SAM, select Networking/Communications, then NIS. You will first be prompted to specify the NIS domain name. After that, you can proceed to the Enable NIS Master Server or Enable NIS Slave Server menus.

How Do I Configure an NIS Client?

You can also configure an NIS client by either using SAM or by performing the process manually. Once again, the Installing and Administering NFS Services manual provides an excellent step-by-step procedure for configuring the client.

To configure with SAM, select Networking/Communications, then NIS. You will first be prompted to specify the NIS domain name. After that you can proceed to the Enable NIS Client menu.

In either case, I have two additional tips. First, HP supplies the following /etc/nsswitch.compat file as a template to copy into /etc/nsswitch.conf. This allows you to use the "+" and "-" syntax in /etc/passwd and /etc/group:

# /etc/nsswitch.compat:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses NIS (YP) in conjunction with files.
#
passwd:     compat
group:      compat
hosts:      nis [NOTFOUND=return] files
networks:   nis [NOTFOUND=return] files
protocols:  nis [NOTFOUND=return] files
rpc:        nis [NOTFOUND=return] files
publickey:  nis [NOTFOUND=return] files
netgroup:   nis [NOTFOUND=return] files
automount:  files nis
aliases:    files nis
services:   files nis

Second, you may prefer DNS over NIS to manage the hosts database and use the following "hosts" entry in /etc/nsswitch.conf:

hosts: files [NOTFOUND=continue] dns ...

or

hosts: dns [NOTFOUND=continue,UNAVAILABLE=continue] files [NOTFOUND=continue,UNAVAILABLE=continue] nis

How Do I Maintain My NIS Environment?

The most common user activity is changing a user password. A user can use either the passwd -r nis or yppasswd command to do this. The command prompts for the old NIS password and the new password, makes the change on the NIS server, and by default, re-makes the NIS map and pushes it out to all the Slave Servers.

A system administrator can change user passwords either with SAM or with shell scripts or commands such as passwd -r nis <username> or yppasswd <username>. You can also use SAM to add new users, or you can do this with shell scripts or commands.

Often, when a user changes a database file by editing it with vi, the changes need to be compiled into the NIS maps (called "making" a map) and the maps pushed out to the Slave Servers if the "make" does not do this. For example, after modifying some users' home directories in /etc/passwd.nis, the system administrator needs to:

1. cd /var/yp       # Change to directory of NIS Makefile
2. make passwd      # "make" or compile the passwd map
3. yppush passwd    (if step #2 did not push to the NIS slaves)

Here is a tip that applies to HP-UX and to any NIS vendor's implementation with group files: There are times when users are members of multiple groups, producing lines in /etc/group that are longer than the NIS limitation of 1024 characters per line. To work around this, use different group names for the same GID, for example:

102 support:brian,sam,charlie
102 support1:bill,julie,maria

Note that you don't need to specify a user's primary group membership in /etc/group since that is already specified by their GID in /etc/passwd. If users are members of multiple groups, you only need to put their username in /etc/group entries for their secondary groups.
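The workaround above can be automated. The following is an added example, not code from the book: it rewrites a group source file so that no line exceeds the limit, creating extra group names with the same GID. It assumes the standard four-field /etc/group layout (name:password:GID:members), forms new names by appending 1, 2, and so on, and skips any name already present in the file; the function names and sample data are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the book): split /etc/group-format lines that exceed
# the NIS line limit into extra groups sharing the same GID.
# Assumption: new names are formed by appending 1, 2, ... as in the
# support/support1 illustration; names already in the file are skipped.

split_long_groups() {
    # $1 = group source file, $2 = maximum line length (default 1024)
    awk -F: -v limit="${2:-1024}" '
        NR == FNR { used[$1] = 1; next }        # pass 1: record existing names
        length($0) <= limit || NF != 4 { print; next }
        {
            n = split($4, m, ","); part = 0
            line = $1 ":" $2 ":" $3 ":"; sep = ""
            for (i = 1; i <= n; i++) {
                if (sep != "" && length(line sep m[i]) > limit) {
                    print line                   # current piece is full
                    do { part++; nm = $1 part } while (nm in used)
                    used[nm] = 1
                    line = nm ":" $2 ":" $3 ":"; sep = ""
                }
                line = line sep m[i]; sep = ","
            }
            print line
        }
    ' "$1" "$1"
}

write_sample_group() {
    # Constructed sample; support1 already exists to show collision handling.
    cat > "$1" <<'EOF'
support::102:brian,sam,charlie,bill,julie,maria
support1::200:other
users::20:
EOF
}

sample="${TMPDIR:-/tmp}/group.sample.$$"
write_sample_group "$sample"
split_long_groups "$sample" 30    # tiny limit so the short sample gets split
rm -f "$sample"
```

Review the output before installing it: every generated name grants the same GID as the original group, so the new names must not clash with groups defined in other sources such as a client's local /etc/group.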

NIS provides a centralized database scheme for managing user password and group information. Administration techniques used for NIS setup and administration are well documented, integrated into SAM, and are generally interoperable with other NIS implementations.


       