Original Question:
I have NIS server running on SUNOS 4.1.4 with about 25+ NIS clients.
The clients also run SUNOS 4.1.4.
Will I be able to run Solaris 2.5 or 2.6 on the server with the same NIS enviornment.
Will the NIS clients running SUNOS 4.1.4 be able to bind to the server with solaris 2.5 or 2.6.
Will the current NIS and NFS setup on the server (automounter etc.) continue running without problems if the server is upgraded to solaris 2.5 or 2.6
Please let me know if there are any issues to be dealt with.
The answers i gor were as follows
Thanks to everyone who replied.
Chetan
___________________________
1. You can run the same NIS environment, if you add the
NIS compatibility kit to the server.
2. Yes. They will be able to bind.
3. NIS and NFS will continue to work.
Bismark Espinoza [bismark@alta.Jpl.Nasa.Gov]
__________________________________
Yes. If you're running 2.5 or 2.5.x install the NSKiT Pkg w/patches.
Get the latest NSKiT 1.2 patches from Sunsolve. It is imperative you apply
the patches. On 2.6 NSKiT (Name Services Translation Kit) comes
bundled with the OS.
- Wally Winzer Jr.
Auteria Wally Winzer Jr. [wally.winzer@ChampUSA.COM]
____________________________________
Yes, you will be able to run the same NIS environment.
You have to options:
1- Install on your 2.x server, the NIS software, wich you have to get
it separately (doesn't come with the OS).
In this case, you don't have to touch anything in your environment.
2- Install NIS+ in your 2.x server, with the NIS compatiblity mode.
This compatibility mode implies a lower security level, but is lower than
nis+ and the same as nis.
In this case, you will have to convert your nis maps to nis+ tables, but
that is easy to do, following the nis+ installation instructions in the manual.
You don't have to make changes to your clients with any of the options.
Hope this helps
mariel
Mariel Feder [mfeder@central.meralco.com.ph]
_________________________________
SUN has dropped the support for NIS (master or slave) servers in 2.x - only
NIS clients are supported. I heard, that NIS re-appeared in 2.6, all the other
poor people are forced to use NIS+. Because so many people did not want to use
NIS+, SUN has included NIS again in 2.6. But we don't use 2.6, so i don't know
any details.
However: for those old fashioned conservative people like you, SUN provides
a program called NIS kit, whith which you can make a 2.x machine a NIS
server.
We have ordered it (i am also very old fashioned ;-), but our vendor can supply
it in the middle of may, so i can't give you any information about usability
and so on.
But on one of the many SUN web sites (try http://search.sun.com, search for
"NIS"), you can get the "Naming Services Transition Kit 1.2 Administrators
Guide". And for more information, i have included a text file (don't ask me,
where i got it...) as an attachment.
Stefan Voss [s.voss@terradata.de]
____________________________________________
Yes - the clients will not change at all. When you install Solaris, you
will want to
move all of your NIS tables into NIS+ tables and start NIS+ in
compatibility mode.
yes
Your biggest hurdle will be to move the NIS tables into NIS+ tables. But
before you do that,
there may be a way to run NIS on the server without bothering with NIS+
which might save
you considerably.
Tom Erickson
NASA Goddard Space Flt. Ctr. - RMS Information Systems, Inc.
Data Systems & Technology Division - System Administrator
Thomas.M.Erickson.1@gsfc_dot_nasa_dot_gov
(For email address to work, replace "_dot_" with ".")
301.286 1439 ('ma-bell)
301.286 1768 (fax)
_________________________
If you go to 2.5 (not recommended), you will have to get the NISKit
add-on to put back NIS; it's back in the OS for 2.5.1 and 2.6, though.
You should have no problems having SunOS and Solaris in the same NIS
environment; I've done it myself.
Note that automounts are handled better under Solaris; instead of
having a link from (for example) /home/someone over to
/tmp_mnt/someone (where it's mounted), Solaris just mounts the
directory right in /home. This is definitely a feature, but it may
surprise you :-)
:-D
-- David Thorburn-Gundlach * It's easier to fight for one's principles (play) david@bae.uga.edu * than to live up to them. -- fortune cookie (work) david_thorburn-gundlach@groton.pfizer.com Helping out at Pfizer http://www.bae.uga.edu/other/david/ -_____________________________________I am currently running a NIS environment with Solaris 2.5.1 NIS server with Solaris 1.x and 2.x clients. I used the NSKit 1.2 from Sun to set up NIS on the solaris machine. It limits the flexibility of NIS, but it is working. I am doing automounting with the Solaris 1.x machines and don't have any problems. The only concern that I have is the passwd/shadow files. NIS was designed for Solaris 1.x with no shadow file. Solaris 2.x uses the shadow file. Adding users was a little tricky, but can be done. You hae to manually edit the shadow file instead of using the "pwconv" command.
I think that you can get the upgrade to happen. I did have a few issues to work through, but everything is currently doing what I need!
Have fun!
Dan
Daniel Button Unix System Administrator Atrium Technology Services Domain & Infrastructure Support (732) 764-5591 __________________________________________
END
This Tip Sheet documents a wide variety of information concerning NIS
as implemented in the SunOS and Solaris operating systems. It is
intended as both an introduction to NIS, and as a guide to the most
common problems. There are many more complete references to NIS, a few
of which are noted in section 7.0.
In this document, the terms YP and NIS should be understood to be
interchangeable. YP was the original name for the information service
now known as NIS.
The following terms are crucial for an understanding of NIS:
A NIS SERVER is a machine which responds to requests for NIS service.
The MASTER server actually contains all of the files which the NIS
maps are built from, while the SLAVE servers just contain copies of
those maps. The YPSERV daemon is run on all servers. It is what
actually answers the NIS requests. YPXFRD is usually run on the master
server, to speed up transfers to the slaves.
A NIS CLIENT is a machine which is allowed to access the NIS maps.
The YPBIND daemon takes care of actually making these requests.
All of NIS is bundled with SunOS. However, on Solaris machines, the
bundled software only allows machines to be set up as NIS clients. If
you want to set up a Solaris machine as a NIS server, you will need to
purchase NSKIT. Please contact your local Sun sales office.
A seperate info sheet exists for NSKIT specific issues if you are
running into problems involving the NSKIT, you should request the
NSKIT PSD from SunService. Nothing in this document regarding NIS
servers is necessarily correct for Solaris machines running NSKIT.
1.0 Introdunction
=================
1.1 Overview
-------------
This Tip Sheet documents a variety of information concerning NSKIT,
the Solaris Name Services Transition Kit. From now on, we'll refer to
this product as NSKIT. Most of this document concerns itself with
the NSKIT 1.2 product, although some 1.0 specific issues are noted.
NSKIT provides NIS Server (Yellow Pages) capability on Solaris systems,
a feature which is not provided in the Core OS. NSKIT allows you to
maintain true NIS server capabilities on Solaris without having to maintain
SunOS systems for the NIS Master and Slave servers.
This Tip Sheet is intended as both an introduction to NSKIT, and as a
guide to the most common problems. It is not a replacement for the
product documentation nor a tutorial on managing NIS. Further references
are noted in section 7.0.
Please note that SunService also has a Tip Sheet for general NIS issues that
are not specific to NSKIT.
1.2 Versions of NSKIT and where to get it
------------------------------------------
There are two versions of the NSKIT that have been released and one which
was never released, although some customers might be using it. Here is
the breakdown:
NSKIT 1.2 - Native Solaris binaries, implements password shadow file
and C2 password.adjunct file. Also first Intel x86 version.
NSKIT 1.2 is available on its own product CD, produced by
SunSoft.
It is also on the Solaris 2.5 Server Supplement CD (avail.
12/95), and on the Solaris Migration kit CD. Also from the
World Wide Web: (location subject to change)
http://www.sun.com/cgi-bin/show?smcc/solaris-migration/
products/nskit/nskit.html
These two versions are supplied by SMCC.
Contact SunExpress or your local Sun representative to obtain
NSKIT on CD.
NSKIT 1.1 - Unreleased initial attempt to port to Solaris. Buggy, do not
use. This product was never released and is not supported.
NSKIT 1.0 - Initial version, runs in "BCP-mode" which essentially means
it consists of SunOS binary-compatible modules. Does not
implement
the password shadow file. Many bugs. Performance issues caused
by the non-native Solaris BCP-mode. Shipped 1992-Sept 1995.
Many customers just downloaded patch 101363 which contained
this entire product without the documentation. The product
was originally available on CD from SunExpress.
Because this product has limited support, we recommend all
NSKIT 1.0 customers upgrade to 1.2 as soon as possible.
2.0 Debugging NSKIT
====================
2.1 Prerequisite patches
-------------------------
NSKIT 1.2 requires the installation of a patch AFTER installing NSKIT on 2.3
and 2.4.
The patches are listed below in "5.0 Patches". The patches are required
because the NSKIT 1.2 install process overwrites the following NIS client
modules provided in the Core OS:
/usr/bin/ypcat
/usr/bin/ypmatch
/usr/bin/ypwhich
/usr/sbin/makedbm
/usr/sbin/ypinit
/usr/lib/netsvc/yp/ypxfr
Again, install the NIS Commands patch AFTER installing NSKIT 1.2!
2.2 ypasswd doesn't change passwd
----------------------------------
Problem: yppasswd either refuses to change the password, or the
password is changed only in the password source file, but not in
the NIS map.
1. Check for /usr/ccs/bin in root's PATH (1.0 - See Tips on How
to Install)
2. Parameters for yppasswdd are incorrect. (See Tips again!)
3. The old and new passwords supplied were the same.
2.3 General NSKIT Tips:
------------------------
Define problem - is it unique to an NSKIT Server in a heterogeneous network,
or are is the problem common to all servers?
2.4 Special Debug modes
------------------------
- ypserv logs a limited amount of information to stderr with -v flag
or to the /var/yp/ypserv.log file, IF IT EXISTS.
- ypserv with NSKIT 1.2 no longer logs DNS debug info with the -d flag!
- /usr/sbin/rpc.nisd_resolv is now used to do the DNS lookups.
NEED INFO ON rpc.nisd_resolv DEBUG MODES FOR THIS SECTION.
- ypxfr logs limited amount of information to the /var/yp/ypxfr.log
file, IF IT EXISTS. ypxfr runs on a slave server to request an update
from the master server. It only logs info when ypxfr operations are not
successful.
3.0 Common How Tos
===================
3.1 How to install NSKIT 1.2 so that it WORKS (supplement to the manual)
-------------------------------------------------------------------------
1. If upgrading from NSKIT 1.0,
pkgrm SUNWnskit (to remove the NSKIT 1.0)
2. If upgrading from NSKIT 1.0,
move any /etc/init.d/yp and /var/yp/Makefile to ".old" or save files.
Merge in any changes with the new files after step 5.
3. Make sure SUNWsprot package is installed (contains /usr/ccs/bin/make)
pkginfo -l SUNWsprot. YOU NEED THIS TO RUN make!
Install SUNWsprot from your Core OS Media.
4. Install the NSKIT 1.2 software with pkgadd (see the manual)
It comes in three packages:
SUNWnsktr - "root" files (NIS Startup script and /var/yp files)
SUNWnsktu - "usr" files (binaries in /usr/lib/netsvc/yp, /usr/sbin and
man pages) SUNWnskta - Answerbook format documentation
5. Install the patches. Do this AFTER installing the packages. If you do
it before installing the packages, you wind up with old modules!!
6. Add /usr/ccs/bin to root's PATH if you plan to run make instead of
ypinit:
PATH=$PATH:/usr/ccs/bin
export PATH
7. Follow instructions in the manual.
3.2 How to install NSKIT 1.2 when password source file is in /var/yp
---------------------------------------------------------------------
1. Copy /etc/passwd AND /etc/shadow to /var/yp
2. Edit /var/yp/passwd and /var/yp/shadow to remove the root entry and any
other entries you don't want to share with NIS.
3. Edit /var/yp/Makefile, change PWDIR=/etc to PWDIR=/var/yp
3.3 How to enable DNS forwarding with NSKIT 1.2
------------------------------------------------
1. The traditional method is documented below, under "How to enable DNS
forwarding with NSKIT 1.0, or if you have non-NSKIT 1.2 Slave Servers".
YOU MUST DO THIS IF YOU HAVE SunOS or non-Sun slave servers!!
2. Otherwise, you only need to create /etc/resolv.conf! The NSKIT 1.2
/etc/init.d/yp script will start the ypserv running with a new-for-1.2
-d switch. The -d switch now tells ypserv to turn on DNS forwarding just
as the YP_INTERDOMAIN flag does.
3.4 How to enable DNS forwarding with NSKIT 1.0, or if you have non-NSKIT
--------------------------------------------------------------------------
1.2 Slave Servers
1. Edit the /var/yp/Makefile. Uncomment the line that reads:
#B=-b
And comment the line that reads:
B=b
2. Create /etc/resolv.conf if it does not already exist. Test it with
nslookup. (Do this on all the slaves as well!!!)
3. Touch /etc/hosts, remake the hosts map. Push it to the slaves.
4. Check /var/yp/`domainname`/hosts.pag for the YP_INTERDOMAIN flag:
# strings hosts.byname.pag|grep YP
mercedesYP_MASTER_NAMEYP_INTERDOMAIN0811449537YP_LAST_MODIFIED
^^^^^^^^^^^^^^
5. Test it out from an NIS client. Try to ping or ypmatch a hostname
not available thru NIS but available thru DNS.
Test clients bound to the various Slave servers as well.
6. Note - you don't need to edit the /etc/nsswitch.conf on the master/slave
servers but it couldn't hurt to change the hosts entry for
troubleshooting:
hosts: nis dns files
3.5 NSKIT 1.0 Patch 101363-08 does not install with installpatch!
------------------------------------------------------------------
1. move any /etc/init.d/yp and /var/yp/Makefile to ".old" or save files.
Merge in any changes with the new files after step 1.
3.6 Getting NSKIT 1.0 yppasswd to work
---------------------------------------
1. NSKIT 1.0 password file uses the old SunOS formation with the encrypted
password after the username. Solaris puts an "x" in that field and put
the encrypted password in the /etc/shadow file. This does NOT work with
NSKIT 1.0 and is not supported. Ignore what the README in patch
101363-08 has to say on this subject.
2. If you do not already have a a SunOS style passwd file (passwd file has
encrypted passwords in it) YOU MUST merge the passwords from the shadow
file into the passwd file by hand - that's the main gotcha. Still, read
on. DO THIS in /var/yp/passwd!!
3. In the Makefile, change the occurances of $(DIR)/passwd to $(PWDIR)/
passwd.
4. Startup of yppasswdd in /etc/init.d/yp has BUGS in 101363-08.
The environment for yppasswdd does not include a PATH for the
/usr/ccs/bin/make command. I suggest adding the following after line
#30:
PATH=$PATH:/usr/ccs/bin
export PATH
5. The startup of yppasswdd (as usual!!) fails to include the -nosingle
before the -m parameter. Edit lines 45+46 of the /etc/init.d/yp startup
file to fix how yppasswdd starts up. Note the default file assumes that
the passwd source file is in /var/yp:
FOR SUNOS STYLE passwd FILE (passwd source file has imbedded passwords),
add a -nosingle before the -m:
$YPDIR/rpc.yppasswdd /var/yp/passwd -nosingle -m passwd \
PWDIR=/var/yp ; echo 'yppasswdd\c'
4.0 Some Frequently Asked Questions
====================================
4.1 Why doesn't yppasswdd re-make my NIS maps?
-----------------------------------------------
The most likely cause is the "make" is not occuring. Look in Tips
3.1 and 3.6 to make sure that /usr/ccs/bin is included in the PATH
for root (NSKIT 1.0), or that you have edited /etc/init.d/yp as suggested
in those tips.
4.2 What startup script starts up YP/NIS?
------------------------------------------
/etc/init.d/yp, a hard link to the /etc/rc2.d/S71yp file.
4.3 Can I mix and match SunOS and NSKIT masters and Slaves?
------------------------------------------------------------
Sure, you can mix and match SunOS 4.1.x masters, slaves, and SunOS 4.1.x
clients with Solaris NSKIT masters, slaves, and Solaris clients in the
same NIS domain.
Just be aware that DNS forwarding by SunOS slaves works only
if the B=-b switch in the Makefile turns on the YP_INTERDOMAIN flag
in the hosts.byname.pag (see note on this in section 3).
4.4 Can I hide the encrypted passwords so they do not appear in the NIS
------------------------------------------------------------------------
passwd map?
-----------
You need to run C2 security for this. By default, the map has
the encrypted passwd in it. You need NSKIT 1.2 to implement C2 security.
4.5 Does NSKIT and/or NIS support password aging?
--------------------------------------------------
Nope, and probably never will.
4.6 What can you tell me about /var/yp/securenets?
---------------------------------------------------
The /var/yp/securenets file is used to limit access to NIS services.
If such a file exists on an NIS server, the server only answers
queries or supplies maps to hosts and networks listed in the file.
The securenets man page tries to explain the format. Each line
can have an entry like:
255.255.255.0 192.10.7.255
-or-
hosts 198.200.1.65
The first example is a netmask followed by a network number (for networks),
The second example is a host followed by its IP address.
4.7 How does NSKIT 1.2 know which format my NIS password source file is in?
----------------------------------------------------------------------------
- It keys upon the PWDIR variable defined in /var/yp/Makefile using the
following algorithm:
- Solaris-style shadow files are used if $PWDIR/shadow exists
- C2 shadow files are used if $PWDIR/security/passwd.adjunct exists
- Otherwise, SunOS-style password file format is assumed
4.8 How do I "hide" my password files so they are not in /etc?
---------------------------------------------------------------
- In NSKIT 1.2, all you have to do is edit the PWDIR variable
in the Makefile, and remake the maps, stop and restart the
YP daemons (/etc/init.d/yp stop; /etc/init.d/yp start).
- In NSKIT 1.0, look at the info in Section 3 Tip: Getting NSKIT 1.0
yppasswd to work
4.9 Help! yppasswd seems to work but the maps never get updated
----------------------------------------------------------------
- In this case, the password source file (e.g. /var/yp/passwd) get
the new encrypted password, but the make of the passwd map fails.
- Try to remake the passwd map to see if the new password is made. If
the make fails, then look to fix whatever is broken in your Makefile
(the Makefile as supplied by Sun should work fine). Check that
your Makefile is looking for the Source file you expect ($PWDIR).
- Check for /usr/ccs/bin in root's PATH. See Section 3 Tips on how to
install NSKIT for more info (NSKIT 1.0 only)..
- See Section 3 Tip: Getting NSKIT 1.0 yppasswd to work. It is almost
always the yppasswdd failing to do this.
4.10 What is the rpc_nisd process doing running on my NSKIT 1.2 server?
-----------------------------------------------------------------------
At NSKIT 1.2, ypserv forks an rpc.nisd process to do the DNS lookups.
This is the same process used by the NIS+ server for DNS lookups.
4.11 What is the difference between the /var/yp/binding files on SunOS and
--------------------------------------------------------------------------
Solaris?
--------
- On a SunOS 4.1.X system, /var/yp/binding/<domainname> is a cache of
recent bindings. Note that even with the cache, ypbind on a SunOS system
will always broadcast to find an NIS server for the domain.
- On a Solaris 2.x system, /var/yp/binding/<domainname>/ypservers is
a list of NIS server for ypbind to use to contact directly, listed
in priority order by server to try and reach for a binding.
It will look in this file even when running with -broadcast switch.
5.0 Patches
===========
NSKIT 1.2 ***Mandatory Solaris patches from CD
These MUST be installed AFTER you install the product! Before reporting
any problems, check that these patches are installed with showrev -p.
102707-02 SunOS 5.3: jumbo patch for NIS commands (SPARC)
102704-02 SunOS 5.4: jumbo patch for NIS commands (SPARC)
102705-02 SunOS 5.4_x86: jumbo patch for NIS commands (x86)
No patches required for 2.5.
NSKIT 1.0 ***Mandatory patches:
101363-09 NSKIT 1.0 patch (is a pkgadd of SUNWnskit) 2.3 and 2.4 SPARC
101973-14 libnsl patch (-12 or later is recommended)
6.0 Known Bugs
==============
6.1 RFEs
--------
Implement password aging: this will most likely never happen.
6.2 BUGs:
--------
NSKIT 1.0 - the README for 101363-08 contains confusing installation
instructions in the "Special Install Instructions".
IGNORE THESE - they apply to C2 security use the 1.2
product instead!
NSKIT 1.0 - A make (or ypinit -m) gets an error 139 and yppush leaves a
core file behind. This happens usually when there are no
slaves.
However, the make appears to work OK. A workaround is to
edit /var/yp/Makefile, change NOPUSH="" to NOPUSH="1", stop
and restart the ypserv process. Bug ID 1181693.
Some have found this problem can be fixed by installing the
101973-14 patch. THIS PROBLEM IS FIXED in NSKIT 1.2.
We recommend upgrading to NSKIT 1.2.
NSKIT 1.2 - "yp_all transport level create failure"
This bug is under investigation.
NSKIT 1.2 - Install is not foolproof. Common issues include:
- Make sure you install the recommended patch AFTER installing
NSKIT 1.2!
- Make sure you edit /etc/init.d/yp or include /usr/ccs/bin in
root's PATH.
- Make sure you edit the /var/yp/Makefile PWDIR variable if you
want your password source file to be located in a directory
different than /etc.
7.0 References
==============
Pointers to Product Documentation
Although this document tries to give an overview of the most common
NSKIT issues, it is by no means comprehensive. As stated earlier, a general
NIS Tips Sheet is also avaialble from SunService. The following resources
should be used to supplement the information that is contained herein.
7.1 Important Man Pages
-----------------------
Examine the man pages for:
ypserv, ypxfr, yppasswdd, rpc_nisd to learn more about these commands.
7.2 Sun SRDBs (viewable from SunSolve)
-------------
TBD.
7.3 Sun Educational Services
----------------------------
Unfortunately, no formal training class is available for the NSKIT
product itself, nor especially for NIS, although elements of the
Solaris 1.X System Administration class covers NIS. Solaris 2.X
System Administration and the SA-380 Network Administration class
do not provide NIS training (they teach NIS+ instead).
7.4 Solaris Documentation
-------------------------
"Name Services Transition Kit 1.2 Administrators Guide",
contained on the NSKIT 1.2 CDROM (answerbook format), also
from the URL. Hardcopy Sun Part No: 802-3884-05.
7.5 Third Party Documentation
-----------------------------
"Managing NFS and NIS" by Hal Stern, pub by O'Reilly and Associates.
Excellent general reference on NFS and NIS. ISBN 0-937175-75-7
8.0_Supportability
==================
NSKIT Supportability Information
NSKIT 1.0 bugs will not longer be supported by Sun after the release
of the 1.2 product. Install the 1.2 product and reproduce the problem
before reporting problems to Sun.
SunService is not responsible for the initial configuration of your
NSKIT, nor for answering basic questions about how to put such a NSKIT
configuration together. Please refer to this document and the
product documentation before calling Sun.
We can help resolve problems where NSKIT is not behaving correctly, but
in such cases the contact must be a system administrator who has a
good understanding of the syntax and rules of NSKIT maps.
9.0 Additional Support
======================
Pointers to Additional Support
For initial configuration, or NSKIT setup, please contact your local
SunService office for possible consulting offerings. Sun's Customer
Relations organization can put you in touch with your local
SunIntegration or Sales office. You can reach Customer Relation
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:37 CDT