/usr/sbin/ypserv [-a method]

/usr/sbin/ypbind [ -s -S domainname,servername1,servername2... ] [ -ypset | -ypsetme ]
-a method
Specifies the database routines used to store NIS maps. The choices are:
btree - Recommended when creating and maintaining very large maps.
dbm/ndbm - For backward compatibility. This is the default.
hash - A potentially quicker method for managing small maps.

-s
Allows the ypbind process to run in a secure mode. This requires the server to use a secure port.

-S
Allows the system administrator to lock ypbind to a particular domain and set of servers. Up to four servers can be specified as follows:

/usr/sbin/ypbind -S domainname,server1,server2,server3,server4

Note that there cannot be any spaces around the commas in the command line. The -S option ensures that this system only binds to the specified domain and to one of the specified servers. The servers used with the -S option must have entries in the local /etc/hosts file.

-ypset
ypbind accepts all ypset requests, unless restricted by the -S option.

-ypsetme
ypbind accepts only local ypset requests.
The Network Information Service (NIS) provides a distributed data lookup service for sharing data among networked systems. NIS data is stored in database files called maps. The databases consist of dbm, btree, or hash files stored in the /var/yp/src directory. These files are described in ypfiles(4).
The NIS daemons are /usr/sbin/ypserv, the NIS database lookup server, and /usr/sbin/ypbind, the NIS binder. The software interface to NIS is described in ypclnt(3). Administrative tools are described in yppush(8), ypxfr(8), yppoll(8), and ypwhich(1). Tools to see the contents of NIS maps are described in ypcat(1), and ypmatch(1). Database generation and maintenance tools are described in ypmake(8), and makedbm(8).
Both the ypserv and ypbind daemons are activated at system startup time by /sbin/init.d/nis. The ypserv daemon runs only on an NIS server machine with a complete NIS database. The ypbind daemon runs on all machines using NIS, both NIS servers and clients.
The [-a method] option to ypserv tells ypserv which format the maps are stored in: btree, dbm, or hash.
The ypserv daemon's primary function is to look up information in its local database of NIS maps. The operations performed by ypserv are defined for the programmer in the <rpcsvc/yp_prot.h> header file.
Communication with ypserv is by means of RPC calls. Lookup functions are described in ypclnt(3), and are supplied as C-callable functions in /libc.
There are four lookup functions, all of which are performed on a specified map within an NIS domain: Match, Get_first, Get_next, and Get_all. The Match operation takes a key, and returns the associated value. The Get_first operation returns the first key-value pair from the map, and the Get_next operation returns the remaining key-value pairs. The Get_all operation ships the entire map to the requester.
Two other functions supply information about the map, rather than the map entries: Get_order_number and Get_master_name. Both the order number and the master name exist in the map as key-value pairs, but the server will not return either through the usual lookup functions. If the map is examined with makedbm(8), however, they are visible.
Other functions are used within the NIS subsystem itself, and are not of general interest to NIS clients. They include the Do_you_serve_this_domain?, the Transfer_map, and the Reinitialize_internal_state functions.
The /etc/yp/securenets file contains a list of subnets that are considered trusted and that are allowed to access NIS data using the ypserv and ypxfrd daemons. It is a user-created file that resides on an NIS master server and any slave servers.
If the /etc/yp/securenets file does not exist, or exists but contains no subnets, all IP addresses are accepted. In that case, anyone on the Internet who knows the NIS server address and the domain name can obtain NIS served data, including the passwd file. Digital recommends that you use the securenets file to restrict access.
If you want an NIS slave server, use an /etc/yp/securenets file to restrict the IP addresses that it serves. The slave server's IP address must be in the authorization range of entries in the /etc/yp/securenets file on the NIS master server.
Each entry in the /etc/yp/securenets file contains an IP subnet mask and a corresponding subnet IP address separated by at least one space. Lines that do not begin with a digit are considered comments. The file has the following format:

subnet_mask subnet_ip_address
In the following securenets file example, the first two lines allow only those IP addresses that are within the subnet 128.30 and 128.211.10 range to access the NIS files. The third line authorizes the one host at address 188.8.131.52.

255.255.0.0 184.108.40.206
255.255.255.0 220.127.116.11
255.255.255.255 18.104.22.168
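The securenets rules described above, as an added example that is not part of the original manual page: a small checker that parses the file the way the text describes (mask first, then subnet address; any line not starting with a digit is a comment; no subnets means every address is accepted) and reports entries an administrator would want to review. The names parse_securenets and is_allowed and all sample addresses are constructed for illustration, and flagging host bits set outside the mask is this checker's own policy, not documented ypserv behavior.

```python
import ipaddress

# Constructed sample (not from the man page): a /16, a /24, one host,
# an entry with host bits set, and an indented entry.
SAMPLE = """\
# trusted NIS clients
255.255.0.0 10.30.0.0
255.255.255.0 192.0.2.0
255.255.255.255 198.51.100.7
255.255.255.0 192.0.2.9
 255.255.255.0 203.0.113.0
"""

def parse_securenets(text):
    """Return (networks, findings) for the contents of a securenets file."""
    networks, findings = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Man page rule: a line that does not begin with a digit is a comment.
        if not line or line[0] not in "0123456789":
            if line.strip()[:1].isdigit():
                findings.append((lineno, "indented entry is read as a comment"))
            continue
        fields = line.split()
        try:
            mask, addr = fields[0], fields[1]   # order is mask, then address
            # strict=True flags an address with bits set outside its mask
            # (this checker's policy; ypserv's handling is not documented here).
            networks.append(ipaddress.IPv4Network(f"{addr}/{mask}", strict=True))
        except (IndexError, ValueError) as exc:
            findings.append((lineno, f"unusable entry: {exc}"))
    if not networks:
        findings.append((0, "no subnets listed: every client address is accepted"))
    return networks, findings

def is_allowed(ip, networks):
    """Apply the documented rule: an empty list means all addresses pass."""
    if not networks:
        return True
    return any(ipaddress.IPv4Address(ip) in net for net in networks)

if __name__ == "__main__":
    nets, findings = parse_securenets(SAMPLE)
    for ip in ("10.30.200.1", "198.51.100.8", "203.0.113.5"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
```

The indented entry is the case worth noticing: it looks like a valid line but, under the comment rule, grants nothing.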
The ypbind daemon's function is to remember information that enables client processes on a single node to communicate with a ypserv process. The ypbind function must run on every machine that has NIS client service requirements. The ypbind function must be started through an entry in the /sbin/init.d/nis file.
The information ypbind remembers is called a binding, the association of a domain name with the internet address of the NIS server, and the port on that host at which the ypserv process is listening for service requests. The process of binding is driven by client requests. As a request for an unbound domain comes in, the ypbind process broadcasts on the net trying to find a ypserv process that serves maps within that domain. Since the binding is established by broadcasting, there must be at least one ypserv process on every net. Once a domain is bound by a particular ypbind, that same binding is given to every client process on the node. The ypbind process on the local node or a remote node may be queried for the binding of a particular domain by using the ypwhich(1) command.
Bindings are verified before they are given out to a client process. If ypbind is unable to speak to the ypserv process it is bound to, it marks the domain as unbound, tells the client process that the domain is unbound, and tries to bind the domain once again. Requests received for an unbound domain will fail immediately. In general, a bound domain is marked as unbound when the node running ypserv crashes or gets overloaded. When the node gets overloaded, ypbind will try to bind to any NIS server (typically one that is less-heavily loaded) available on the net.
The ypbind process also accepts requests to set its binding for a particular domain. The request is usually generated by the NIS subsystem itself.
You must use the same database format for each map in a domain. In addition, a server serving multiple NIS domains must use the same database format for all domains.
Although a Digital UNIX NIS server that takes advantage of btree files will be able to store very large maps, NIS slave servers that lack this feature might have a much smaller limit on the number of map entries they can handle. It may not be possible to distribute very large maps from a Digital UNIX NIS master server to a slave server that lacks support for very large maps. NIS clients are not affected by these enhancements.
The following is an example of the ypserv command used with the btree format database routine to store NIS maps.

ypserv -a b
If this file exists when ypserv starts up, log information is written to ypserv.log when error conditions occur.

User-created file on the NIS server that contains a list of trusted subnets that are allowed to access NIS data using the ypserv and ypxfrd daemons.
Commands: ypcat(1), ypmatch(1), yppasswd(1), ypwhich(1), ypmake(8), yppush(8), ypxfr(8)
Functions: btree(3), dbm(3), dbopen(3), hash(3), ndbm(3), ypclnt(3)
Network and Communications Overview, Network Administration