network-nis.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>NIS/YP</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="Advanced Networking" href="advanced-networking.html" />
<link rel="PREVIOUS" title="ISDN" href="network-isdn.html" />
<link rel="NEXT" title="DHCP" href="network-dhcp.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="network-isdn.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 19. Advanced Networking</td>
<td width="10%" align="right" valign="bottom"><a href="network-dhcp.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-NIS" name="NETWORK-NIS">19.9. NIS/YP</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Written by</span> Bill Swingle.</i> <i
class="AUTHORGROUP"><span class="CONTRIB">Enhanced by</span> Eric Ogren and Udo
Erdelhoff.</i> 

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26896" name="AEN26896">19.9.1. What Is It?</a></h2>

<p>NIS, which stands for Network Information Services, was developed by Sun Microsystems
to centralize administration of <span class="TRADEMARK">UNIX</span>&reg; (originally
<span class="TRADEMARK">SunOS</span>&#8482;) systems. It has now essentially become an
industry standard; all major <span class="TRADEMARK">UNIX</span> like systems (<span
class="TRADEMARK">Solaris</span>&#8482;, HP-UX, <span class="TRADEMARK">AIX</span>&reg;,
Linux, NetBSD, OpenBSD, FreeBSD, etc) support NIS.</p>

<p>NIS was formerly known as Yellow Pages, but because of trademark issues, Sun changed
the name. The old term (and yp) is still often seen and used.</p>

<p>It is a RPC-based client/server system that allows a group of machines within an NIS
domain to share a common set of configuration files. This permits a system administrator
to set up NIS client systems with only minimal configuration data and add, remove or
modify configuration data from a single location.</p>

<p>It is similar to the <span class="TRADEMARK">Windows&nbsp;NT</span>&reg; domain
system; although the internal implementation of the two are not at all similar, the basic
functionality can be compared.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26930" name="AEN26930">19.9.2. Terms/Processes You Should
Know</a></h2>

<p>There are several terms and several important user processes that you will come across
when attempting to implement NIS on FreeBSD, whether you are trying to create an NIS
server or act as an NIS client:</p>

<div class="INFORMALTABLE"><a id="AEN26936" name="AEN26936"></a>
<table border="1" class="CALSTABLE">
<col />
<col />
<thead>
<tr>
<th>Term</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td>NIS domainname</td>
<td>An NIS master server and all of its clients (including its slave servers) have a NIS
domainname. Similar to an <span class="TRADEMARK">Windows&nbsp;NT</span> domain name, the
NIS domainname does not have anything to do with DNS.</td>
</tr>

<tr>
<td>portmap</td>
<td>Must be running in order to enable RPC (Remote Procedure Call, a network protocol
used by NIS). If <tt class="COMMAND">portmap</tt> is not running, it will be impossible
to run an NIS server, or to act as an NIS client.</td>
</tr>

<tr>
<td>ypbind</td>
<td>``Binds'' an NIS client to its NIS server. It will take the NIS domainname from the
system, and using RPC, connect to the server. <tt class="COMMAND">ypbind</tt> is the core
of client-server communication in an NIS environment; if <tt class="COMMAND">ypbind</tt>
dies on a client machine, it will not be able to access the NIS server.</td>
</tr>

<tr>
<td>ypserv</td>
<td>Should only be running on NIS servers; this is the NIS server process itself. If
<span class="CITEREFENTRY"><span class="REFENTRYTITLE">ypserv</span>(8)</span> dies, then
the server will no longer be able to respond to NIS requests (hopefully, there is a slave
server to take over for it). There are some implementations of NIS (but not the FreeBSD
one), that do not try to reconnect to another server if the server it used before dies.
Often, the only thing that helps in this case is to restart the server process (or even
the whole server) or the <tt class="COMMAND">ypbind</tt> process on the client.</td>
</tr>

<tr>
<td>rpc.yppasswdd</td>
<td>Another process that should only be running on NIS master servers; this is a daemon
that will allow NIS clients to change their NIS passwords. If this daemon is not running,
users will have to login to the NIS master server and change their passwords there.</td>
</tr>
</tbody>
</table>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN26967" name="AEN26967">19.9.3. How Does It Work?</a></h2>

<p>There are three types of hosts in an NIS environment: master servers, slave servers,
and clients. Servers act as a central repository for host configuration information.
Master servers hold the authoritative copy of this information, while slave servers
mirror this information for redundancy. Clients rely on the servers to provide this
information to them.</p>

<p>Information in many files can be shared in this manner. The <tt
class="FILENAME">master.passwd</tt>, <tt class="FILENAME">group</tt>, and <tt
class="FILENAME">hosts</tt> files are commonly shared via NIS. Whenever a process on a
client needs information that would normally be found in these files locally, it makes a
query to the NIS server that it is bound to instead.</p>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN26974" name="AEN26974">19.9.3.1. Machine Types</a></h3>

<ul>
<li>
<p>A <span class="emphasis"><i class="EMPHASIS">NIS master server</i></span>. This
server, analogous to a <span class="TRADEMARK">Windows&nbsp;NT</span> primary domain
controller, maintains the files used by all of the NIS clients. The <tt
class="FILENAME">passwd</tt>, <tt class="FILENAME">group</tt>, and other various files
used by the NIS clients live on the master server.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> It is possible for one machine to be an NIS master server for more than
one NIS domain. However, this will not be covered in this introduction, which assumes a
relatively small-scale NIS environment.</p>
</blockquote>
</div>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">NIS slave servers</i></span>. Similar to
the <span class="TRADEMARK">Windows&nbsp;NT</span> backup domain controllers, NIS slave
servers maintain copies of the NIS master's data files. NIS slave servers provide the
redundancy, which is needed in important environments. They also help to balance the load
of the master server: NIS Clients always attach to the NIS server whose response they get
first, and this includes slave-server-replies.</p>
</li>

<li>
<p><span class="emphasis"><i class="EMPHASIS">NIS clients</i></span>. NIS clients, like
most <span class="TRADEMARK">Windows&nbsp;NT</span> workstations, authenticate against
the NIS server (or the <span class="TRADEMARK">Windows&nbsp;NT</span> domain controller
in the <span class="TRADEMARK">Windows&nbsp;NT</span> Workstation case) to log on.</p>
</li>
</ul>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN27004" name="AEN27004">19.9.4. Using NIS/YP</a></h2>

<p>This section will deal with setting up a sample NIS environment.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> This section assumes that you are running FreeBSD&nbsp;3.3 or later. The
instructions given here will <span class="emphasis"><i
class="EMPHASIS">probably</i></span> work for any version of FreeBSD greater than 3.0,
but there are no guarantees that this is true.</p>
</blockquote>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN27010" name="AEN27010">19.9.4.1. Planning</a></h3>

<p>Let us assume that you are the administrator of a small university lab. This lab,
which consists of 15 FreeBSD machines, currently has no centralized point of
administration; each machine has its own <tt class="FILENAME">/etc/passwd</tt> and <tt
class="FILENAME">/etc/master.passwd</tt>. These files are kept in sync with each other
only through manual intervention; currently, when you add a user to the lab, you must run
<tt class="COMMAND">adduser</tt> on all 15 machines. Clearly, this has to change, so you
have decided to convert the lab to use NIS, using two of the machines as servers.</p>

<p>Therefore, the configuration of the lab now looks something like:</p>

<div class="INFORMALTABLE"><a id="AEN27017" name="AEN27017"></a>
<table border="1" class="CALSTABLE">
<col />
<col />
<col />
<thead>
<tr>
<th>Machine name</th>
<th>IP address</th>
<th>Machine role</th>
</tr>
</thead>

<tbody>
<tr>
<td><tt class="HOSTID">ellington</tt></td>
<td><tt class="HOSTID">10.0.0.2</tt></td>
<td>NIS master</td>
</tr>

<tr>
<td><tt class="HOSTID">coltrane</tt></td>
<td><tt class="HOSTID">10.0.0.3</tt></td>
<td>NIS slave</td>
</tr>

<tr>
<td><tt class="HOSTID">basie</tt></td>
<td><tt class="HOSTID">10.0.0.4</tt></td>
<td>Faculty workstation</td>
</tr>

<tr>
<td><tt class="HOSTID">bird</tt></td>
<td><tt class="HOSTID">10.0.0.5</tt></td>
<td>Client machine</td>
</tr>

<tr>
<td><tt class="HOSTID">cli[1-11]</tt></td>
<td><tt class="HOSTID">10.0.0.[6-17]</tt></td>
<td>Other client machines</td>
</tr>
</tbody>
</table>
</div>

<p>If you are setting up a NIS scheme for the first time, it is a good idea to think
through how you want to go about it. No matter what the size of your network, there are a
few decisions that need to be made.</p>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27056" name="AEN27056">19.9.4.1.1. Choosing a NIS Domain
Name</a></h4>

<p>This might not be the ``domainname'' that you are used to. It is more accurately
called the ``NIS domainname''. When a client broadcasts its requests for info, it
includes the name of the NIS domain that it is part of. This is how multiple servers on
one network can tell which server should answer which request. Think of the NIS
domainname as the name for a group of hosts that are related in some way.</p>

<p>Some organizations choose to use their Internet domainname for their NIS domainname.
This is not recommended as it can cause confusion when trying to debug network problems.
The NIS domainname should be unique within your network and it is helpful if it describes
the group of machines it represents. For example, the Art department at Acme Inc. might
be in the ``acme-art'' NIS domain. For this example, assume you have chosen the name
<span class="emphasis"><i class="EMPHASIS">test-domain</i></span>.</p>

<p>However, some operating systems (notably <span class="TRADEMARK">SunOS</span>) use
their NIS domain name as their Internet domain name. If one or more machines on your
network have this restriction, you <span class="emphasis"><i
class="EMPHASIS">must</i></span> use the Internet domain name as your NIS domain
name.</p>
</div>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27072" name="AEN27072">19.9.4.1.2. Physical Server
Requirements</a></h4>

<p>There are several things to keep in mind when choosing a machine to use as a NIS
server. One of the unfortunate things about NIS is the level of dependency the clients
have on the server. If a client cannot contact the server for its NIS domain, very often
the machine becomes unusable. The lack of user and group information causes most systems
to temporarily freeze up. With this in mind you should make sure to choose a machine that
will not be prone to being rebooted regularly, or one that might be used for development.
The NIS server should ideally be a stand alone machine whose sole purpose in life is to
be an NIS server. If you have a network that is not very heavily used, it is acceptable
to put the NIS server on a machine running other services, just keep in mind that if the
NIS server becomes unavailable, it will affect <span class="emphasis"><i
class="EMPHASIS">all</i></span> of your NIS clients adversely.</p>
</div>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN27076" name="AEN27076">19.9.4.2. NIS Servers</a></h3>

<p>The canonical copies of all NIS information are stored on a single machine called the
NIS master server. The databases used to store the information are called NIS maps. In
FreeBSD, these maps are stored in <tt class="FILENAME">/var/yp/[domainname]</tt> where
<tt class="FILENAME">[domainname]</tt> is the name of the NIS domain being served. A
single NIS server can support several domains at once, therefore it is possible to have
several such directories, one for each supported domain. Each domain will have its own
independent set of maps.</p>

<p>NIS master and slave servers handle all NIS requests with the <tt
class="COMMAND">ypserv</tt> daemon. <tt class="COMMAND">ypserv</tt> is responsible for
receiving incoming requests from NIS clients, translating the requested domain and map
name to a path to the corresponding database file and transmitting data from the database
back to the client.</p>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27084" name="AEN27084">19.9.4.2.1. Setting Up a NIS Master
Server</a></h4>

<p>Setting up a master NIS server can be relatively straight forward, depending on your
needs. FreeBSD comes with support for NIS out-of-the-box. All you need is to add the
following lines to <tt class="FILENAME">/etc/rc.conf</tt>, and FreeBSD will do the rest
for you.</p>