NIS FAQ

NIS PSD/FAQ

1.0: About NIS

2.0: Debugging NIS

  2.1: ypwhich
  2.2: ypcat
  2.3: ypmatch
  2.4: getent
  2.5: Files
  2.6: The Network
  
3.0: Common How Tos

  3.1: How to Setup a NIS Master Server?
  3.2: How to Setup a NIS Slave Server?
  3.3: How to Add a New NIS Slave to an Existing NIS Environment?
  3.4: How to Setup a SunOS NIS Client?
  3.5: How to Setup a Solaris NIS Client?
  3.6: How to Run NIS from a Remote Subnet?
  3.7: How to Remove NIS From a SunOS Client?
  3.8: How to Remove NIS From a SunOS Server?
  3.9: How to Remove NIS From a Solaris Client?
  3.10: How to Use DNS without NIS?
  3.11: How to Start yppasswd on the NIS Master Server?
  3.12: How to Change a password in the NIS map?
  3.13: How to Change IP address, Host Name, or domainname of a NIS machine?
  3.14: How to Set Up Secure NIS?
  3.15: How to Use Netgroups?

4.0: Some Frequently Asked Questions

  4.1: Miscellaneous Questions
  4.2: ypinit Problems
  4.3: NIS make Problems
  4.4: NIS Update Problems
  4.5: General NIS Client Problems
  4.6: ypcat Problems
  4.7: NIS passwd Problems

5.0: Patches

  5.1: SunOS NIS Patches
  5.2: Solaris NIS Patches

6.0: Known Bugs & RFEs

  6.1: Bugs

1.0: About NIS

This PSD documents a wide variety of information concerning NIS as implemented in the SunOS and Solaris operating systems. It is intended as both an introduction to NIS, and as a guide to the most common problems. There are many more complete references to NIS, a few of which are noted in section 7.0. In this document, the terms YP and NIS should be understood to be interchangeable. YP was the original name for the information service now known as NIS. NIS/YP is not the same thing as NIS+. The following terms are crucial for an understanding of NIS: A NIS SERVER is a machine which responds to requests for NIS service. The MASTER server actually contains all of the files which the NIS maps are built from, while the SLAVE servers just contain copies of those maps. The YPSERV daemon is run on all servers. It is what answers NIS requests. YPXFRD is usually run on the master server, to speed up transfers to the slaves. A NIS CLIENT is a machine which is allowed to access the NIS maps. The YPBIND daemon takes care of making these requests. All of NIS is bundled with SunOS. However, on Solaris versions from 2.0 up to 2.5.1, the bundled software only allows machines to be set up as NIS clients (Solaris 2.6 now has the NIS server side software back in it). If you want to set up a pre-2.6 Solaris machine as a NIS server you will need to download or purchase NSKIT. Please contact your local Sun sales office. A seperate PSD exists for NSKIT specific issues if you are running into problems involving the NSKIT, you should request the NSKIT PSD from SunService. For all intents and purposes NSKIT on Solaris 2.x is administered the same as NIS on SunOS 4.1.x except for some minor differences such as directory locations and source and Makefile differences 2.0 Debugging NIS

2.1: ypwhich

ypwhich will show you which NIS server you are currently bound to: %% /usr/bin/ypwhich rainbow-16 This is useful to know, because in some cases, one particular NIS server will give incorrect info, while everything else is fine. If you find that only one of your slave servers gives outdated information, you will probably want to follow the instructions in Section 3.3, to update your ypservers map information. You can also use ypwhich to learn what server a remote machine is bound to. This might be useful if you wish to examine load balance, or something similar: %% /usr/bin/ypwhich rainbow-16 rainbow The above showed that the remote machine, rainbow-16, is bound to the server rainbow.

2.2: ypcat

ypcat is one of the most obvious commands to use for NIS debugging. If, for example, a user can not log in, you might want to consult ypcat, to verify that their passwd does appear in the NIS map: %% /usr/bin/ypcat passwd ypcat will not always gives you the full info, because by default it does not show the column that the map is being indexed (or keyed) off of. To ensure that you are seeing everything, you can run ypcat with the -k option: %% /usr/bin/ypcat -k passwd

2.3: ypmatch

ypmatch can be used to look at an individual item in a NIS map, with the follow syntax: %% ypmatch entry mapname For example, to find the host 'psi' in the hosts map, you would type: %% ypmatch psi hosts Essentially, the information you get with ypmatch is the same as that available with ypcat, but is slightly easier to read.

2.4: getent

On a Solaris machine, you can use the command getent to look up NIS entries, as follows: %% getent mapname entry (opposite order of ypmatch) For example: %% getent root passwd The difference between ypmatch and getent is that ypmatch only looks up entries in the NIS maps, while getent consults the nsswitch.conf file, and then looks up the query according to that order. For example, if nsswitch.conf reads as follows: passwd: files nis The above getent would first have looked at the /etc/passwd file, then the NIS passwd map. Essentially, getent should do exactly the same lookup as any normal program would. If you find that you have to troubleshoot something specific in your NIS database you should use the yp commands instead to make sure you dont get the information from your local files or DNS. getent is only documented as able to consult passwd and groups. However, you may be able to getent hosts and other databases on newer OS'es.

2.5: Files

If the above commands do not make it clear what your problem is, you might want to consult the NIS files. If a NIS server is doing something incorrect during map distribution, you should look at the /var/yp/Makefile on the NIS server. It is particularly helpful to compare the Makefile to the original one that was shipped with the system: %% diff /var/yp/Makefile /usr/lib/NIS.Makefile If the files are substantially different, you should revert to the original, and see if that fixes the problem. Note that Solaris NSkit or Solaris 2.6 does not include an original Makefile in /usr/lib. As with most config files you should consider making a backup copy of the file before making changes. If a Solaris NIS Client is not correctly accessing NIS, you should consult the file /etc/nsswitch.conf, and verify that it includes a reference to NIS. SunOS NIS clients, once bound to a NIS domain, will continue to use NIS and will not look at their local files for any lookups.

2.6: The Network

If all else fails, especially in the case of very intermittent problems, you may wish to investigate your overall network for problems. Most problems of this sort are due to either hardware issues or performance problems. These topics are beyond the scope of the help that SunService can provide. Consult Sections 8.0 amd 9.0 for where you can get additional assistance from within Sun. 3.0 Common How Tos

3.1: How to Setup a NIS Master Server

First, initialize the NIS Makefile: # cp /usr/lib/NIS.Makefile /var/yp/Makefile (Note that on Solaris 2.x you will already have a Makefile in that directory providing you have NSKit installed or are running 2.6 or newer.) Afterwards, you will want to set your nis-domain. In the example below, simply replace 'example-name' with the name that you have chosen for your nis-domain. Note that this nis-domain name does not have to have any relationship to your DNS domain name. It should simply be a name which is set identically on all your NIS machines. It is actually more secure to use a nis-domain-name that is totally unrelated to your DNS domain. # domainname example-name # domainname > /etc/defaultdomain If you are planning on using DNS with NIS, you will need to change the /var/yp/Makefile to reflect this. Remember that SunOS 4.1.x machines cannot do DNS lookups on their own and have to submit their requests to the NIS server which then does the DNS lookup for them. Near the top of the Makefile you will find the following lines: # Set the following variable to "-b" to have NIS servers use the domain name # resolver for hosts not in the current domain. #B=-b B= In order for DNS to work with NIS, you must change the last two lines, as follows: B=-b #B= Finally, you can initialize NIS by running the ypinit script. When ypinit queries you for server names, make sure you include all slave servers that you are planning to set up in the near future: # cd /var/yp # /usr/etc/yp/ypinit -m If you wish to immediatelly start NIS, you can simply start the NIS daemons on your server: # ypserv # ypbind # ypxfrd Afterwards, you should make sure that ypserv, ypbind and ypxfrd are all in your /etc/rc.local file (if on SunOS 4.1.x), and not commented out. On Solaris 2.x these daemons will be started by the S71rpc script in your /etc/rc2.d directory for you automatically on the next boot (it checks for and starts up the appropriate daemons if the /etc/defaultdomain file exists and you have the directory /var/yp/`domainname` (which ypinit made for you)). Assuming you made the proper change to your rc.local file (if you are on SunOS 4.1.x) the next reboot for either OS version will start NIS services for you.

3.2: How to Setup a NIS Slave Server?

Start off by setting your nis-domain name on your slave. This name (example-name below) must be identical to the nis-domain name on your NIS master. # domainname example-name # domainname > /etc/defaultdomain Start the ypbind daemon: # ypbind Verify the NIS master knows about the slave Server # ypcat -k ypservers master-name slave-no-1 slave-no-2 new_slave IF THE NIS SLAVE IS NOT IN THE LIST, USE THE PROCEDURE IN SECTION

3.3 of this document.

Otherwise: Run the ypinit script. master-server-ip in the example below must be the ip address of the master server: new_slave# ypinit -s master-server-ip (/usr/sbin/ypinit on Solaris 2.x) (/usr/etc/yp/ypinit on SunOS 4.1.x) NOTE: If you get the following error from ypinit: "Can't enumerate maps from $master. Please check that it is running" then you should rerun ypinint and specify the hostname of the master server e.g. ypinit -s master-hostname You can immediatelly get your machine running as a NIS slave by running ypserv: new_slave# ypserv Afterwards, you should make sure that ypserv and ypbind are both in your /etc/rc.local file, and not commented out (SunOS 4.1.x ONLY). Whenever you reboot your machine at this point, NIS should automatically be started. 3.3: How to Add a New NIS Slave to an Existing NIS Environment? When you initialize your NIS master, you give it a list of NIS slaves. If you later add additional NIS slaves, or remove one of these original NIS slaves, you must update the NIS list of servers. This is done entirely from the NIS master server. First, you must output the list of NIS servers: nis_master# cd /var/yp/`domainname` nis_master# makedbm -u ypservers > /tmp/ypservers nis_master# vi /tmp/ypservers add new slave to bottom of list. (don't change order or format.) nis_master# makedbm /tmp/ypservers ypservers (/usr/sbin/makedbm on Solaris 2.x) verify addition via: nis_master# ypcat -k ypservers now go to the new slave (it must already be a client... ypinit -c) Run the ypinit script. master-server-ip in the example below must be the ip address of the master server: new-slave # /usr/etc/yp/ypinit -s master-server-ip NOTE: If you get the following error from ypinit: "Can't enumerate maps from $master. Please check that it is running" then you should rerun ypinint and specify the hostname of the master server e.g. /usr/etc/yp/ypinit -s master-hostname You can immediatelly get your machine running as a NIS slave by running ypserv: new-slave # ypserv Afterwards, you should make sure that ypserv and ypbind are both in your /etc/rc.local file, and not commented out (SunOS 4.1.x ONLY). Whenever you reboot your machine at this point, NIS should automatically be started.

3.4: How to Setup a SunOS NIS Client?

(Both this section and the next one assume that you have yp servers on the same subnet as they will broadcast bind (broadcasts do not typically cross routers) to a server. If no need to bind to a specific server across a subnet please see section 3.6) Start off by setting your nis-domain name. This name (example-name below) must be identical to the nis-domain name on your NIS master. # domainname example-name # domainname > /etc/defaultdomain Start the ypbind daemon: # /usr/etc/ypbind You should also make sure that ypbind is listed in your /etc/rc.local file. It will be started from S72inetsvc in /etc/rc2.d on a Solaris 2.x machine.

3.5: How to Setup a Solaris NIS Client?

Start off by setting your nis-domain name. This name (example-name below) must be identical to the nis-domain name on your NIS master. # domainname example-name # domainname > /etc/defaultdomain Put the NIS nsswitch file in place. # cp /etc/nsswitch.nis /etc/nsswitch.conf If you are using DNS as well, you will want to modify the hosts: line, by adding dns, as follows: hosts: files nis dns You will also need an /etc/resolv.conf file for DNS to work. See the DNS PSD or the man page for resolv.conf for details on this. The normal method for starting NIS under Solaris, is to give it a list of yp servers. They may be supplied by simply running ypinit, answering the questions, and then rebooting the machine: # ypinit -c If you prefer to start NIS in the less secure broadcast mode, rather than running ypinit, reboot your client machine without running ypinit, and it will come up running NIS in broadcast mode. Broadcast mode is considered less secure because it sends a broadcast to the network for a server for its domain. It would be possible then for a fake server to reply and give you login requests and trap your passwords, etc. Specifying a list of servers to bind to tends to make it more secure than just asking for any server that will reply to you

3.6: How to Run NIS from a Remote Subnet?

By default, you can not run a NIS client if your NIS server is on a different subnet. This is because NIS usually runs in broadcast mode, which means that it only queries local servers when starting. In Solaris, if you want to bind to a remote server, simply initialize the client with the -c flag: # ypinit -c (/usr/sbin/ypinit on Solaris 2.x) In SunOS, instead of running ypbind normally you must run it with the -ypsetme option, and then run ypset, using the NIS server's ip address as an argument: # ypbind -ypsetme # ypset nis-server-ip (/usr/lib/netsvc/yp/ypbind on Solaris 2.x) (/usr/sbin/ypset on Solaris 2.x) In this case, be sure to also modify the rc.local file appropriately. It is recommended that you have at least one NIS slave on each subnet. If you do this, only your NIS slave server will need to follow the above procedures all other machines on the subnet will be able to run normally, and they will bind to the local NIS slave.

3.7: How to Remove NIS From a SunOS Client?

To remove NIS from a SunOS client, remove the NIS files, as follows: # rm -r /var/yp/`domainname` # rm /etc/defaultdomain If you just want to temporarily disable NIS, you should move the objects to different names, rather than removing them. Afterwards, reboot the machine.

3.8: How to Remove NIS From a SunOS Server?

Removing NIS from a SunOS Server is a two-part process. First, you must edit the ypservers map on your NIS master, removing the defunct slave from the list of servers. Section 3.3 explains how to modify the ypservers map. Second, on the NIS slave, you must follow the normal procedure to remove NIS, described in Section 3.7 above.

3.9: How to Remove NIS From a Solaris Client?

To remove NIS from a Solaris client, remove the following NIS files: # rm -r /var/yp/`domainname` # rm /etc/defaultdomain If you just want to temporarily disable NIS, you should move the objects to different names, rather than removing them. Afterwards, you must also modify the nsswitch.conf file: # cp /etc/nsswitch.files /etc/nsswitch.conf If you are continuing to run DNS, you will want to modify the hosts: line of the nsswitch.conf, by adding dns: hosts: files dns Finally, reboot the machine.

3.10: How to run DNS without NIS

If you are running DNS on a SunOS machine, without NIS, you will find that it will react in a very erratic and unexpected manner. Lookups might not go to DNS at all, or they might go to DNS only in some specific cases. In order to run DNS in a Sun-supported manner, you should setup at least a minimal NIS configuration where you would have your SunOS clients bind to your NIS master and slaves and allow them to do the DNS lookups for your clients. If you are unwilling to do this, Sun SRDB #3886 explains how to modify your libc to remove any NIS dependencies. This procedure does work, but SunService is unable to support DNS on sites which use this configuration. On Solaris machines, you can run DNS without NIS by just modifying the 'hosts:' line in your /etc/nsswitch.conf file. See the man page for nsswitch.conf for how to do this.

3.11: How to Start yppasswd on the NIS Master Server?

rpc.yppasswdd must be run on the master server, in order for users to be able to change their yppasswds. To start rpc.yppasswdd from the command line, execute the following: # /usr/etc/rpc.yppasswdd /etc/passwd -nosingle -m passwd DIR=/etc If you are storing your passwd file somewhere besides /etc, you will need to change the '/etc/passwd' and 'DIR=/etc' arguments. Note: the -nosingle option works around a bug seen in various SunOS releases. On SUNOS 4.x : To start the yppasswdd daemon automatically after system reboot on your NIS master server, add the following to /etc/rc.local: # Automate rpc.yppasswdd startup /usr/etc/rpc.yppasswdd /etc/passwd -m all echo -n ' yppasswdd' Its best to use "all" instead of just passwd, because when updating the passwd map, the netid also needs to be updated as well. Usually there isnt a need to specify the DIR= option, make will automatically use /var/yp. NOTES The password file specified to rpc.yppasswdd may not be a link.

3.12: How to Change a password in the NIS map?

Previous to Solaris 2.5.1, from any NIS client, any user may run the command: # yppasswd As of 2.5.1 you should be using the passwd command since it follows the naming services currently in use on the machine and changes the appropriate password database (from the /etc/nsswitch.conf file). Read the man page for passwd(1) for more details. All three commands: passwd, nispasswd (for NIS+) and yppasswd (for NIS) are hard links to the same binary

3.13: How to Change IP address, Host Name, or domainname.

If you are changing the IP address, host name or domainname of a NIS machine, you must tear down NIS on the affected machine, make the changes, and then rebuild it. The standard procedure is: 1) remove the NIS files and reboot, per Section 3.7 or 3.8 2) edit the appropriate files to make the desired changes 3) rebuild your NIS environment per sections 3.1 through 3.5 If you are removing a NIS master server permanently you should choose a new machine to be the master and update the ypservers file and rebuild that new machine as the master. If you are removing a NIS slave server permanently you should make sure you update the ypservers file

3.14: How to Set Up Secure NIS?

SunOS 4.1.3_u1 and 4.1.4 allow you to increase security on your NIS server, as do older versions of SunOS, with patch 100482 installed. If you would like to restrict who may retrieve your NIS maps, you should create the file /var/yp/securenets. The contents of this file should be a number of lines which each read: netmask address For example, if you only wanted the machines 150.101.16.28 and 129.45.16.29 to be able to retrieve your NIS maps, you could enter the following two lines: 255.255.255.255 150.101.16.28 255.255.255.255 150.101.16.29 If you wanted everyone on the network 150.101.16.0 to be able to retrieve your maps, you could enter the line: 255.255.255.0 150.101.16.0 CAUTION: If you are attempting to setup a new client on a new subnet and are having problems getting it to bind to a server on the remote network check the server to see if you have enabled securenets. If so, you will not be able to get the machine to bind until you enable that subnet.

3.15: How to Use Netgroups?

Netgroups are only available to sites running NIS or NIS+. There is no local files implementation of netgroups. They are used to group machines or users together in order to make certain sysadmin tasks easier. The man page for negroups defines example useage of netgroups quite nicely as does Managing NFS and NIS by Hal Stern (An O'Reilly and Associates Nutshell book). A standard netgroup triple reads as follows: (hostname, username, domainname) A example netgroup line reads as follows: netgroup-name triple1 triple2 triple3 Though netgroup triples group together hostnames, usernames and domainnames, nothing really reads them in that manner. Thus, you'll usually want to use a triple just to list hosts or users i.e. in order to share NFS file systems or restrict logins to a system. For example, the following would be a typical /etc/netgroup file, on a NIS master: # cat /etc/netgroup root-users (,user1,), (,user2,), (,user3,) trusted-machines (machine1,,), (machine2,,), (machine3,,) Netgroups are limited to 1024 characters in size. If you need to put together a longer netgroup, you can do so by making a meta-group: meta-group netgroup1 netgroup2 netgroup1 (,user1,), (,user2,) netgroup2 (,user300,), (,user301,) The following netgroup will not do what you expect: bogus-group (machine1,user1,), (machine2,user2,) You might think this means user1 at machine1 and user2 at machine2, but in actuality, it is a netgroup of two users (user1 and user2) and two machines (machine1 and machine2). Always seperate out machine and user netgroups, as shown in the /etc/netgroup example above, and you will avoid confusion. Note that we reference the /etc/netgroup file but this file only exists in order to be your 'flat' source file. This file must be in your NIS or NIS+ databases. User netgroups can be used in the /etc/passwd file (and /etc/shadow if using Solaris 2.x). The following entry would include all of the users in the root-users group in your /etc/passwd + /etc/shadow files: # cat /etc/passwd ... +@root-users # cat /etc/shadow ... +@root-users On Solaris 2.x you must also edit /etc/nsswitch.conf in order to use that +/- syntax as follows: passwd: compat group: compat Machine netgroups can be used when exporting file systems. The following entry in /etc/exports on a SunOS machine would allow machines in the trusted-machines netgroup access to the /export filesystem: # cat /etc/exports /export -access=trusted-machines Remember that you must be running NIS or NIS+ for netgroups to work. Simply having an /etc/netgroup file will do nothing it is ONLY the netgroup NIS or NIS+ map which is used. Do a man on ypfiles to find out the names of the NIS or NIS+ maps. rpc.yppasswdd's lock file is '/etc/.pwd.lock'. The admin can prevent the daemon from doing the edit by making that file unwritable ("chmod 000 file" should do it). She should see a syslog msg from the daemon (if a pw change is attempted) "...Passwd file(s) busy...". She should be sure to remove that lock file (or make it writable) when she is done with the hand edit. Another (if a bit crude) workaround is to kill the daemon and restart when the hand edit is done.

4.0 Some Frequently Asked Questions

4.1: Miscellaneous Questions

Q: Does NIS support password aging?

A: No.

4.2: ypinit Problems

Q: Why does 'ypinit -m' crash with the following error: ... "Running /var/yp/Makefile..." "make: Fatal error: No arguments to build" "Error running Makefile." ...

A: /var/yp/Makefile does not exist. Copy it over before rerunning ypinit: # cp /usr/lib/NIS.Makefile /var/yp/Makefile # cd /var/yp # ypinit -m

Q: Why does 'ypinit -s' crash with the following error, when trying to initialize a slave: "can't bind for domain <domainname>" "reason: internal NIS server or client error" "can't enumerate maps from <master server>"

A: Your slave was not running ypbind, or it does not have access to NIS currently. You can verify this by running 'ypwhich' you will see that you are not currently bound to a NIS domain. Try following the procedure in Section 3.2 precisely. If that does not work, you may be on a different subnet than your master, and need to initialize ypbind per the instructions in Section 3.6. We have also seen the error corrected by specifying the hostname of the master server instead of the IP address.

Q: Why does 'ypinit -s' crash with the following error, when trying to initialize a slave: "ypxfr(get_misc_recs) RPC call to <master> failed: RPC: Timed out."

A: ypxfrd is not running on the NIS master server. Login to the master server and start it: # ypxfrd

4.3: NIS Make Problems

Q: Why does yppush refuse to transfer my brand new map when I do a make? -or-

Q: Why do I get the following message when doing a make: "Can't bind master to send ypclear message to ypserv for map mail.aliases." { See also the next question for another possible answer to this error. } There are two solutions to this problem. If you are running a mix of operating systems on your network (Solaris, IRIX, HPUX) you should probably consider the second solution since the maps should be built by the slave servers themselves as the dbm format may be different on different OS'es.

A1: ypxfr is confused, because copies of the new map do not exist on one of your NIS slaves. You must manually copy the maps. This can be done by copying /var/yp/`domainname`/map.* from the master to /var/yp/`domainname` on each of the slaves, using either rcp or ftp.

A2: First make the map on your master without pushing it to the slaves since it is the push (and thus the resulting ypxfr) to hang: # cd /var/yp # make -DNOPUSH mapname.byname mapname.bynumber Now, on each slave server, transfer the map over from your master server: # cd /var/yp # ypxfr -h NIS-master mapname.byname

Q: Why do I get the following message when doing a make: "Can't bind master to send ypclear message to ypserv for map mail.aliases."

A: This error can sometimes occur if the servers are not bound to the master. If you see it, you should find out what your servers are bound to: # ypwhich If you find your master (or slave) is bound to something other than the master, force it to bind to the master by killing ypbind on that machine and then restarting it like this: # ypbind -ypsetme # ypset master-nis-ip

Q: Why do I get the following error when I run a make: "can't get address for server ."

A: There is a blank line in your ypservers map. You can verify this by running the following: ypcat -k ypservers Remove the blank line by following the standard procedure for adjusting the ypservers map that is described in Section 3.3.

Q: Why do I get the following errors when making the netgroup map: "entry too big, problem storing netgroup" "error code 1"

A: netgroup maps have a maximum of 200 entries, or 1024 characters per line. You will get the above errors if you have a netgroup larger than this. You can correct this, by breaking your netgroup down into subgroups, for example: big-group: big-group-sub1 big-group-sub2 big-group-sub1: half of huge netgroup big-group-sub2: half of huge netgroup

4.4: NIS Update Problems

Q: Why doesn't my new slave server get NIS maps when they are made?

A: You have not added the new slave to your ypservers map. You can verify this by examining the ypservers map: # ypcat -k ypservers Section 3.3 explains how to update the ypservers map. You may also have problems if your slave server doesn't already have copies of the maps. See the first questions in section 4.3 for how to remedy this situation.

Q: Why does my groups map not get correctly distributed?

A: Because the netid was not distributed, the groups map does not have all the correct info. Run the following on the master to ensure that the netid is also distributed: # cd /var/yp # rm netid.time # make netid For groups updates to occur, both groups and netid must be distributed. It is always best to just run 'make' and let the processes make and distribute whatever maps have changed. Running make source-file may not update all maps that require changes.

Q: Why is my change to the NIS maps not showing up?

A1: You did not do a make on the NIS master. You can verify this by examining the map with ypcat. To resolve the problem, go to the NIS master and make the files: # cd /var/yp # make

A2: If make has been run, you are probably bound to a NIS slave which is not getting updates. You may wish to retry the make, in case the NIS slave was down the first time it was run. Otherwise, you probably need to update the ypservers map. Run ypwhich to see which slave you are bound to, and then examine the ypservers map to verify the problem: # ypwhich slave-3 # ypcat -k ypservers master slave-1 slave-2 If you find that the name which appears in 'ypwhich' does not appear when you look at the ypservers map, follow the instruction in Section 3.3 to update your ypservers map.

4.5: General NIS Client Problems

Q: Why do I get the following error message on my NIS client: "NIS server not responding for domain..."

A1: Your NIS server is currently down. Verify that you can ping it by IP address and if that works, login and check for the ypserv process. If it is not running then start it up.

A2: The netmasks file on your NIS client is incorrect, and thus the netmask and broadcast addresses are being set wrong. This can be verified by booting the client single user, and then comparing the /etc/netmasks file on the client and server. They should be identical.

A3: Your server is on a different subnet from your client, and you have not followed the appropriate procedures to take this into account. Examine Section 3.6 for an explanation of what to do in this case. The machine will probably need to be booted single user before these changes can be made.

A4: If you are seeing "NIS server not responding" intermittently, but NIS is working in between these messages, your network is likely overloaded. This is a performance issue that SunService can not provide assistance on. Consult Sections 8.0 and 9.0 for alternatives in this situation.

Q: Why can a user not log into my Solaris machine, even though I can see his passwd entry on that machine with 'ypmatch his-name passwd'?

A: Your nsswitch.conf is set up wrong on the client. Section 3.5 gives info on putting the nsswitch.conf file in place when setting up a Solaris client.

4.6: ypcat Problems

Q: How come I can't ypcat a map that I know exists in NIS?

A1: You might have this problem when you try and look at a map in NIS, as follows: # ypcat netmasks no such map in server's domain This occurs because NIS maps actually have unique names that are dependent upon how the map is indexed. Certain NIS maps (ethers, group, hosts, aliases, passwd, protocols, services) have standard nicknames, to make them easier to access. Run ypcat -x to see the list of aliases: # ypcat -x Use "passwd" for map "passwd.byname" ... You can access maps without aliases by using the real name. For example, the real name for the netmasks map is netmasks.byaddr: # ypcat netmasks.byaddr If you cd into /var/yp/`domainname` on your master server, you will see the complete list of actual NIS map names. Ignore the .dir and .pag suffixes.

A2: It may also be that the server you are bound to does not have that map on it. Do a ypwhich to find out what machine you are bound to. If for example, you are bound to a slave server and you cannot ypcat aliases you should check on both that slave server and the master server in the /var/yp/'domainname' directory for the existence of files called mail.aliases.dir and .pag Chances are your master has that map while the slave does not. Follow the procedure listed in the first question in section 4.3 for how to remedy this situation.

Q: Why does ypcat show incomplete info?

A: You might find that when you do a ypcat of a map, some of the info is missing, for example: # ypcat netmasks.byaddr 255.255.255.0 255.255.255.0 In this case, you should run ypcat with the -k option, which also shows you the column that is being indexed off of: # ypcat -k netmasks.byaddr 150.101 255.255.255.0 150.102 255.255.255.0 Q: After I add an entry to a source file and run a make I don't see it in the output of ypcat? A: NIS maps are not guaranteed to list the information in the same order as it is in your source files due to the dbm format. Some other things to be sure of is that you

1) made the change on your NIS master and not on a slave machine (see next paragraph),

2) you made the change to the source file that your NIS Makefile points to and not some other local copy, and

3) the yppush or ypxfr completed in order to give the slave server a new copy of the map. ypwhich -m on any machine in the same domain should always report the same master as owning the map. If you have any discrepancies in the output you should make sure that you are only running a make on your master and not on a slave machine.

Q: Why, when I ypcat a map, do I see multiple lines that are exactly the same sometimes?

A: For example, if you see this: # ypcat hosts | grep machineA 192.115.12.1 machineA mailhost datehost loghost 192.115.12.1 machineA mailhost datehost loghost 192.115.12.1 machineA mailhost datehost loghost 192.115.12.1 machineA mailhost datehost loghost This is because you are not seeing the keys that the map is indexed with. You should ypcat -k the same map and grep for the same machine and you will see this: # ypcat -k hosts | grep machineA machineA 192.115.12.1 machineA mailhost datehost loghost mailhost 192.115.12.1 machineA mailhost datehost loghost datehost 192.115.12.1 machineA mailhost datehost loghost loghost 192.115.12.1 machineA mailhost datehost loghost This map is your hosts.byname map and everytime a lookup for host 'datehost' or host 'machineA' is done the keys are examined in the map and then the appropriate entry is returned. The fact that you have 4 machine names that refer to the same IP address still requires you to have 4 differently keyed entries in the map.

4.7: NIS passwd Problems

Q: Why do I get the following error when running yppasswd: "can't find rpc.yppasswd server"

A: This means that you have not enabled rpc.yppasswdd on your NIS master server. Section 3.11 explains how to do this.

Q: Why do I get the following errors when running yppasswd: "RPC timed out" "yppasswd couldn't change entry, RPC call failed." or "passwd file is busy"

A: The passwd file has gotten locked. If there is genuinelly nothing else that should be using it, remove the lock file on the NIS master: %% rm /etc/passwd.tmp Q: How do I hand edit the passwd file when yppasswdd is running? A: rpc.yppasswdd's lock file is '/etc/.pwd.lock'. The admin can prevent the daemon from doing the edit by making that file unwritable ("chmod 000 file" should do it). She should see a syslog msg from the daemon (if a pw change is attempted) "...Passwd file(s) busy...". She should be sure to remove that lock file (or make it writable) when she is done with the hand edit. Another (if a bit crude) workaround is to kill the daemon and restart when the hand edit is done. 5.0: Patches The following is the list of all of the NIS related patches for 4.1.3, 4.1.3_u1, 4.1.4, 5.3 and 5.4. If you are having NIS problems, installing the patches is a good place to start, especially if you recognize the general symptoms noted below. In order for a machine to be stable, all of the recommended patches should be installed as well. The list of recommended patches for your operating system is available from sunsolve1.sun.com.

5.1: SunOS NIS Patches

102159 SunOS 4.1.3: modifications to create services.byservicename nis Corrects an oversight in the NIS Makefile which prevented the services.byservicename map from getting created, and slowed some NIS lookups of the service map.

100342 SunOS 4.1 4.1.1 4.1.2 4.1.3: NIS client needs long recovery tim Fixes an error in ypbind which slowed clients rebinding after a server had been rebooted. Should be installed on NIS clients if you are experiencing this problem.

100482 SunOS 4.1 4.1.1 4.1.2 4.1.3: ypserv and ypxfrd Jumbo Patch Closes several NIS security holes, and also fixes some NIS/DNS interoperability problems.

101435 SunOS 4.1.3_U1: ypserv and ypxfrd fix Fixes an interoperability problem, between NIS and DNS, which could cause DNS to fail if the first nameserver in the /etc/resolv.conf was not available.

101718 SunOS 4.1.3_U1: C2 rpc.yppasswdd patch If you are running C2 security, this patch must be installed, or you will not be able to correctly change your passwd from NIS clients, via yppasswd.

102617 SunOS 4.1.3_U1: POINT PATCH to ypbind Fixes problems in binding to a slow NIS+ server running in compat mode and other binding problems with slow servers.

102733 SunOS 4.1.4: mknetid fails when a user is in more than 16 group Fixes a problem where the netid map would not get made correctly if the user was in more than 16 groups.

5.2: Solaris NIS Patches

102707 SunOS 5.3: NIS commands fail to work with servers running in C2

102704 SunOS 5.4: Jumbo patch for NIS commands

102705 SunOS 5.4_x86: Jumbo patch for NIS commands Fixes a variety of problems with ypcat, ypmatch, ypwhich, ypxfr, makedbm and ypinit, many of them related to C2 security.

101973 SunOS 5.4: Jumbo patch for ypbind and libnsl Corrects ypbind limitations, and also a bug which caused problems connecting to a 4.1.3_u1 SunOS yp server. In general, patch lists are too dynamic for this document to accurately track so those listed are the latest at the last time this document was updated. For a more complete list you should search sunsovle at http://sunsolve.sun.com or if you have a specific question about a patch you should open a call with SunService regarding the patch number and your question about it.

6.0: Known Bugs & RFEs

6.1: Bugs

1078027 ypwhich -m does not dump maps if too many to list

1076214 ypwhich -m results in ypwhich(v2dumpmaps): can't get maplist: RPC: These document a bug on older SunOS systems, where ypwhich -m will get RPC errors if there are more than ~60 maps present in the NIS domain. This Bug-ID has been closed as will not fix, as it is with a dramatically older OS. 1184919 print daemon doesn't always start up This documents a bug in SunOS which can occasionally cause failures in printing service, usually with the error "printer/tcp: unknown service". Other services called from the inetd may sometimes fail similarly. This Bug-ID has been closed as will not fix. If you are experiencing it, you may work-around it by putting a 'sleep 30' statement after the start of 'ypbind' in your rc.local file. There are probably more bugs or RFE's that may be outstanding or may be fixed. The list is generally too dynamic for this document to track. If you suspect a bug you should browse in sunsolve http://sunsolve.sun.com or if you have a question about a particular bug you should place a call into SunService with the appropriate bug number and your question about it.