2 .\" Bill Paul <wpaul@ctr.columbia.edu>. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. All advertising materials mentioning features or use of this software
13 .\" must display the following acknowledgement:
14 .\" This product includes software developed by Bill Paul.
15 .\" 4. Neither the name of the author nor the names of any co-contributors
16 .\" may be used to endorse or promote products derived from this software
17 .\" without specific prior written permission.
19 .\" THIS SOFTWARE IS PROVIDED BY Bill Paul AND CONTRIBUTORS ``AS IS'' AND
20 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 .\" ARE DISCLAIMED. IN NO EVENT SHALL Bill Paul OR CONTRIBUTORS BE LIABLE
23 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 .Nd NIS database server
49 is an RPC-based service designed to allow a number of UNIX-based
50 machines to share a common set of configuration files.
52 requiring a system administrator to update several copies of files
58 which tend to require frequent changes in most environments,
60 allows groups of computers to share one set of data which can be
61 updated from a single location.
65 utility is the server that distributes
67 databases to client systems within an
72 domain must have its domainname set to
73 one of the domains served by
78 The clients must also run
80 in order to attach to a particular server, since it is possible to
81 have several servers within a single
85 The databases distributed by
88 .Pa /var/yp/[domainname]
91 is the name of the domain being served.
93 such directories with different domainnames, and you need only one
95 daemon to handle them all.
99 as they are often called,
102 using several system files as source.
103 The database files are in
105 format to help speed retrieval when there are many records involved.
108 the maps are always readable and writable only by root for security
110 Technically this is only necessary for the password
111 maps, but since the data in the other maps can be found in
112 other world-readable files anyway, it does not hurt and it is considered
113 good general practice.
117 utility is started by
119 if it has been enabled in
122 There are some problems associated with distributing a
128 normally only stores encrypted passwords
130 .Pa /etc/master.passwd ,
131 which is readable and writable only by root.
135 map, this security feature would be completely defeated.
137 To make up for this, the
142 .Pa master.passwd.byname
144 .Pa master.passwd.byuid
145 maps in a special way.
146 When the server receives a request to access
147 either of these two maps (or in fact either of the
151 maps), it will check the TCP port from which the
152 request originated and return an error if the port number is greater
154 Since only the superuser is allowed to bind to TCP ports
155 with values less than 1024, the server can use this test to determine
156 whether or not the access request came from a privileged user.
157 Any requests made by non-privileged users are therefore rejected.
163 standard C library will only attempt to retrieve
165 .Pa master.passwd.byname
167 .Pa master.passwd.byuid
168 maps for the superuser: if a normal user calls any of these functions,
173 maps will be accessed instead.
174 The latter two maps are constructed by
178 file and stripping out the password fields, and are therefore
179 safe to pass on to unprivileged users.
180 In this way, the shadow password
181 aspect of the protected
183 database is maintained through
186 .Ss Setting Up Master and Slave Servers
188 is a convenient script that will help setup master and slave
192 There are two problems inherent with password shadowing in
196 .Bl -enum -offset indent
199 .Sq TCP port less than 1024
200 test is trivial to defeat for users with
201 unrestricted access to machines on your network (even those machines
202 which do not run UNIX-based operating systems).
209 have no support for password shadowing (which is most of them), you
210 will have to disable the password shadowing entirely by uncommenting the
213 .Pa /var/yp/Makefile .
214 This will cause the standard
218 maps to be generated with valid encrypted password fields, which is
219 necessary in order for
221 clients to perform user
222 authentication through
227 In general, any remote user can issue an RPC to
229 and retrieve the contents of your
231 maps, provided the remote user
232 knows your domain name.
233 To prevent such unauthorized transactions,
235 supports a feature called
237 which can be used to restrict access to a given set of hosts.
240 will attempt to load the securenets information from a file
242 .Pa /var/yp/securenets .
243 (Note that this path varies depending on the path specified with
246 option, which is explained below.)
247 This file contains entries
248 that consist of a network specification and a network mask separated
252 are considered to be comments.
254 sample securenets file might look like this:
255 .Bd -unfilled -offset indent
256 # allow connections from local host -- mandatory
257 127.0.0.1 255.255.255.255
258 # allow connections from any host
259 # on the 192.168.128.0 network
260 192.168.128.0 255.255.255.0
261 # allow connections from any host
262 # between 10.0.0.0 to 10.0.15.255
263 10.0.0.0 255.255.240.0
264 # IPv4 addresses in CIDR form
268 # IPv6 address with netmask
269 2001:db8:1::1 ffff:ffff:ffff:ffff::
270 # IPv6 address with prefix length
272 # IPv6 connections from local host
280 flag is specified, another format with the host field and the netmask
281 field exchanged is used instead. This is for compatibility with an
282 implementation found in Solaris. An example looks like the following:
283 .Bd -unfilled -offset indent
284 # allow connections from local host -- mandatory
285 255.255.255.255 127.0.0.1
286 # allow connections from any host
287 # on the 192.168.128.0 network
288 255.255.255.0 192.168.128.0
289 # allow connections from any host
290 # between 10.0.0.0 to 10.0.15.255
291 255.255.240.0 10.0.0.0
292 # IPv4 addresses in CIDR form
294 # "host" keyword can be used as 255.255.255.255
296 # IPv6 address with netmask
297 ffff:ffff:ffff:ffff:: 2001:db8:1::1
298 # IPv6 address with prefix length
300 # IPv6 connections from local host
302 # "host" keyword can be used as /128
308 receives a request from an address that matches one of these rules,
309 it will process the request normally.
310 If the address fails to match
311 a rule, the request will be ignored and a warning message will be
314 .Pa /var/yp/securenets
317 will allow connections from any host.
321 utility also has support for Wietse Venema's
324 This allows the administrator to use the tcpwrapper
326 .Pa ( /etc/hosts.allow
328 .Pa /etc/hosts.deny )
329 for access control instead of
330 .Pa /var/yp/securenets .
332 Note: while both of these access control mechanisms provide some
333 security, they, like the privileged port test, are both vulnerable
338 .Ss NIS v1 compatibility
341 has some support for serving
347 implementation only uses the
349 v2 protocol, however other implementations
350 include support for the v1 protocol for backwards compatibility
354 daemons supplied with these systems will try to establish a binding
357 v1 server even though they may never actually need it (and they may
358 persist in broadcasting in search of one even after they receive a
359 response from a v2 server).
361 support for normal client calls is provided, this version of
363 does not handle v1 map transfer requests; consequently, it cannot
364 be used as a master or slave in conjunction with older
367 only support the v1 protocol.
368 Fortunately, there probably are not any
369 such servers still in use today.
370 .Ss NIS servers that are also NIS clients
371 Care must be taken when running
373 in a multi-server domain where the server machines are also
376 It is generally a good idea to force the servers to
377 bind to themselves rather than allowing them to broadcast bind
378 requests and possibly become bound to each other: strange failure
379 modes can result if one server goes down and
380 others are dependent upon on it.
381 (Eventually all the clients will
382 time out and attempt to bind to other servers, but the delay
383 involved can be considerable and the failure mode is still present
384 since the servers might bind to each other all over again).
388 man page for details on how to force it to bind to a particular
391 The following options are supported by
395 This option affects the way
397 handles yp_match requests for the
404 cannot find an entry for a given host in its hosts maps, it will
405 return an error and perform no further processing.
410 will go one step further: rather than giving up immediately, it
411 will try to resolve the hostname or address using a DNS nameserver
413 If the query is successful,
415 will construct a fake database record and return it to the client,
416 thereby making it seem as though the client's yp_match request
419 This feature is provided for compatibility with SunOS 4.1.x,
420 which has brain-damaged resolver functions in its standard C
421 library that depend on
423 for hostname and address resolution.
426 resolver can be configured to do DNS
427 queries directly, therefore it is not necessary to enable this
428 option when serving only
433 Cause the server to run in debugging mode.
436 reports only unusual errors (access violations, file access failures)
440 In debug mode, the server does not background
441 itself and prints extra status messages to stderr for each
442 request that it receives.
443 Also, while running in debug mode,
445 will not spawn any additional subprocesses as it normally does
446 when handling yp_all requests or doing DNS lookups.
448 often take a fair amount of time to complete and are therefore handled
449 in subprocesses, allowing the parent server process to go on handling
451 This makes it easier to trace the server with
454 Specify a specific address to bind to for requests. This option may be
455 specified multiple times. If no
459 will bind to default passive address
460 .Pq e.g. INADDR_ANY for IPv4
463 Force ypserv to bind to a specific TCP/UDP port, rather than selecting
470 maps are stored under
474 flag may be used to specify an alternate
477 the system administrator to move the map files to a different place
478 within the file system.
482 file format as Solaris-compatible. The differences from the native
483 format are the order of the host and netmask fields, and availability
489 .Bl -tag -width Pa -compact
490 .It Pa /var/yp/[domainname]/[maps]
494 .It Pa /etc/nsswitch.conf
495 name switch configuration file
496 .It Pa /var/yp/securenets
497 host access control file
503 .Xr rpc.yppasswdd 8 ,
515 .An Bill Paul Aq wpaul@ctr.columbia.edu