Wednesday, October 9, 2013

NIS client

Setting up a NIS client consists of making a host bind to the services provided by a NIS server, master or slave. Note that the binding is so strong that even a slight disruption of the communication between the client and the server may severely impact the client, mostly noticed as a system-wide pause and lack of responsiveness. To mitigate this it's important to provide at least 2 slaves in addition to the master. Fortunately, the rebinding timeout on Solaris 11 is roughly half of what it is on Solaris 10. But note that this doesn't solve networking issues along the communication path between the client and the binding or rebinding candidate server. Thus, it's virtually impossible (except perhaps with the advent of newer network virtualization) to have a fully fault-tolerant service, as this would require a complete end-to-end duplication of the physical network path and the related infrastructure. Finally, before starting to configure a NIS client, make sure that all of the NIS servers to be listed are fully operational, in order to avoid hassles right from the start.

Later, after the client is fully operational, there are some interesting additional possibilities for using the service by employing some NIS programming.

To start configuring a client, define the (RPC) domain name, which in Solaris 11 is persistently set with just the domainname command, for instance:
 
# domainname business.corp
 
Declare the NIS master on /etc/hosts.
You may check my post about official host names.
Don't declare any NIS slave yet to avoid timeout issues.
Active NIS slaves should be added only when configuring a new slave.

If DNS isn't implemented, use: 
IP HOST.RPC_DOMAIN [alias [alias ...]] 
If DNS is implemented, use:
IP FQDN [alias [alias ...]]
For instance, when no DNS is implemented we can use:

# cat /etc/hosts
#
# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# Internet host table
#
::1             localhost
127.0.0.1       localhost loghost

192.168.0.200  client-1.business.corp  client-1  # NIS client
192.168.0.10   nis-1.business.corp     nis-1     # NIS master

Finally, to use specific NIS servers, run the NIS client configuration script; otherwise (for broadcast mode) nothing else is needed:

# ypinit -c

When asked for servers, be sure to enter only fully operational NIS servers already declared in /etc/hosts (unless DNS is fully operational), preferably in order of proximity.

Restart the NIS client SMF services or otherwise reboot:

# svcadm restart nis/domain
# svcadm restart nis/client

By now the client should be able to bind to the NIS domain:

# ypwhich
nis-1 

But if, instead, there's a failure such as:

# ypwhich
Domain business.corp not bound on nis-1.


Check whether svc:/network/rpc/bind on the NIS servers is in local-only mode, in which rpcbind does not answer remote requests.
If so, it will be necessary to change it on each of them.

# rpcinfo -s nis-1
rpcinfo: can't contact rpcbind: : 

   RPC: Authentication error; why = Failed (unspecified error)

Go to each NIS server as required and adjust accordingly:

nis-1# svccfg -s rpc/bind listprop config/local_only
config/local_only boolean     true


nis-1# svccfg -s rpc/bind setprop config/local_only = boolean: false

nis-1# svccfg -s rpc/bind listprop config/local_only
config/local_only boolean     false

 
nis-1# svcadm refresh rpc/bind

Then check again from the client:

# rpcinfo -s nis-1
   program version(s) netid(s)  service     owner
    100000  2,3,4     ...       rpcbind     superuser
    100169  1         ...       -           superuser
    100028  1         ...       ypupdated   superuser
    100069  1         ...       -           superuser
    100004  1,2       ...       ypserv      superuser
    100009  1         ...       yppasswdd   superuser
    100007  1,2,3     ...       ypbind      1
    100134  1         ...       ktkt_warnd  superuser
    100234  1         ...       gssd        superuser


Then, try again:

# svcadm restart nis/domain
# svcadm restart nis/client
# ypwhich
nis-1
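
As an added example (not part of the original post), the shell functions below check a candidate server before it is entered in ypinit -c: that its hosts entry starts with HOST.RPC_DOMAIN (the no-DNS format shown earlier) and that the rpcinfo -s listing shows rpcbind and ypserv registered. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for one server before listing it in `ypinit -c`.

# Print the canonical (first) name a hosts file gives for NAME.
hosts_canonical() {   # usage: hosts_canonical NAME [HOSTS_FILE]
    awk -v name="$1" '
        { sub(/#.*/, "") }                        # drop comments
        { for (i = 2; i <= NF; i++) if ($i == name) { print $2; exit } }
    ' "${2:-/etc/hosts}"
}

# Read `rpcinfo -s SERVER` output on stdin; print each required RPC service
# that is not registered. Program numbers are those in the listing above.
nis_missing_programs() {
    awk -v required="100000:rpcbind 100004:ypserv" '
        $1 ~ /^[0-9]+$/ { seen[$1] = 1 }          # data rows start with a program number
        END {
            n = split(required, req, " ")
            for (i = 1; i <= n; i++) {
                split(req[i], kv, ":")
                if (!(kv[1] in seen)) print kv[2]
            }
        }'
}

# usage: rpcinfo -s SERVER 2>/dev/null | nis_preflight SERVER RPC_DOMAIN [HOSTS_FILE]
nis_preflight() {
    missing=$(nis_missing_programs)               # consume stdin first
    canon=$(hosts_canonical "$1" "${3:-/etc/hosts}")
    rc=0
    if [ "$canon" != "$1.$2" ]; then
        echo "$1: hosts entry should start with $1.$2 (found '${canon:-none}')" >&2
        rc=1
    fi
    if [ -n "$missing" ]; then
        echo "$1: not registered with rpcbind:" $missing >&2
        rc=1
    fi
    return $rc
}

# Constructed sample: rpcbind answers, but ypserv is not running on the server.
sample_listing() {
    printf '%s\n' '   program version(s) netid(s)  service     owner' \
                  '    100000  2,3,4     ...       rpcbind     superuser'
}
sample_listing | nis_missing_programs             # prints: ypserv
```

An empty listing, which is what the pipe carries when rpcbind on the server is still in local-only mode, reports both services as missing.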

Adjust the name service switch SMF service accordingly.
 
Refresh and restart the automounter:

# svcadm refresh autofs
# svcadm restart autofs
 
I recommend implementing pam_list.
This will provide finer access control to NIS servers and clients.

NOTE
Once a host becomes a NIS client it's important that at all times, even during boot, NIS servers are always up and running alongside NFS servers that host home directories.