Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
YP(8)			    System Manager's Manual			 YP(8)

NAME
       yp -- description of the	YP/NIS system

SYNOPSIS
       yp

DESCRIPTION
       The  YP subsystem allows	network	management of passwd, group, netgroup,
       hosts, services,	rpc, bootparams	and ethers file	 entries  through  the
       functions   getpwent(3),	 getgrent(3),  getnetgrent(3),	gethostent(3),
       getnetent(3), getrpcent(3), and ethers(3).   The	 bootparamd(8)	daemon
       makes  direct  NIS  library  calls  since there are no functions	in the
       standard	C library for reading bootparams.  NIS support is  enabled  in
       nsswitch.conf(5).

       The  YP	subsystem  is  started automatically in	/etc/rc	if it has been
       initialized in /etc/rc.conf and if the directory	/var/yp	exists	(which
       it does in the default distribution).  The default NIS domain must also
       be  set with the	domainname(1) command, which will happen automatically
       at system startup if it is specified in /etc/rc.conf.

       NIS is an RPC-based client/server system	that allows  a	group  of  ma-
       chines  within  an  NIS	domain	to share a common set of configuration
       files.  This permits a system administrator to set up NIS  client  sys-
       tems  with  only	 minimal  configuration	data and add, remove or	modify
       configuration data from a single	location.

       The canonical copies of all NIS information are stored on a single  ma-
       chine  called  the  NIS master server.  The databases used to store the
       information are called NIS maps.	 In FreeBSD, these maps	are stored  in
       /var/yp/<domainname>  where  <domainname> is the	name of	the NIS	domain
       being served.  A	single NIS server can support several domains at once,
       therefore it is possible	to have	several	such directories, one for each
       supported domain.  Each domain will have	its  own  independent  set  of
       maps.

       In  FreeBSD,  the  NIS  maps are	Berkeley DB hashed database files (the
       same format used	for the	passwd(5) database  files).   Other  operating
       systems	that support NIS use old-style ndbm databases instead (largely
       because Sun Microsystems	originally based their NIS  implementation  on
       ndbm, and other vendors have simply licensed Sun's code rather than de-
       sign  their  own	 implementation	with a different database format).  On
       these systems, the databases are	generally split	 into  .dir  and  .pag
       files which the ndbm code uses to hold separate parts of	the hash data-
       base.   The Berkeley DB hash method instead uses	a single file for both
       pieces  of  information.	  This	means  that   while   you   may	  have
       passwd.byname.dir  and  passwd.byname.pag files on other	operating sys-
       tems (both of which are really parts of the  same  map),	 FreeBSD  will
       have  only  one file called passwd.byname.  The difference in format is
       not significant:	only the NIS server, ypserv(8),	and related tools need
       to know the database format of the NIS maps.  Client  NIS  systems  re-
       ceive all NIS data in ASCII form.

       There are three main types of NIS systems:

       1.   NIS	clients, which query NIS servers for information.

       2.   NIS	master servers,	which maintain the canonical copies of all NIS
	    maps.

       3.   NIS	 slave	servers, which maintain	backup copies of NIS maps that
	    are	periodically updated by	the master.

       A NIS client establishes	what is	called a binding to a  particular  NIS
       server  using  the  ypbind(8) daemon.  The ypbind(8) utility checks the
       system's	default	domain (as set by the domainname(1) command)  and  be-
       gins  broadcasting  RPC	requests on the	local network.	These requests
       specify the name	of the domain for which	ypbind(8) is attempting	to es-
       tablish a binding.  If a	server that has	been configured	to  serve  the
       requested  domain  receives  one	 of the	broadcasts, it will respond to
       ypbind(8), which	will record the	server's address.  If there  are  sev-
       eral  servers  available	 (a  master  and several slaves, for example),
       ypbind(8) will use the address of the first one to respond.  From  that
       point on, the client system will	direct all of its NIS requests to that
       server.	 The  ypbind(8)	utility	will occasionally "ping" the server to
       make sure it is still up	and running.  If it fails to receive  a	 reply
       to  one of its pings within a reasonable	amount of time,	ypbind(8) will
       mark the	domain as unbound and begin broadcasting again in the hopes of
       locating	another	server.

       NIS master and slave servers handle all NIS requests with the ypserv(8)
       daemon.	The ypserv(8) utility is responsible  for  receiving  incoming
       requests	 from  NIS  clients,  translating the requested	domain and map
       name to a path to the corresponding database file and transmitting data
       from the	database back to the client.  There is a specific set  of  re-
       quests  that  ypserv(8) is designed to handle, most of which are	imple-
       mented as functions within the standard C library:

       yp_order()   check the creation date of a particular map

       yp_master()  obtain the name of the  NIS	 master	 server	 for  a	 given
		    map/domain

       yp_match()   lookup  the	data corresponding to a	given in key in	a par-
		    ticular map/domain

       yp_first()   obtain the first key/data pair in a	particular map/domain

       yp_next()    pass ypserv(8) a key in a particular map/domain  and  have
		    it	return the key/data pair immediately following it (the
		    functions yp_first() and yp_next() can be used to do a se-
		    quential search of an NIS map)

       yp_all()	    retrieve the entire	contents of a map

       There are a few other requests which ypserv(8) is capable  of  handling
       (i.e.,  acknowledge  whether  or	not you	can handle a particular	domain
       (YPPROC_DOMAIN),	or acknowledge only if you can handle the  domain  and
       be silent otherwise (YPPROC_DOMAIN_NONACK)) but these requests are usu-
       ally  generated only by ypbind(8) and are not meant to be used by stan-
       dard utilities.

       On networks with	a large	number of hosts, it is often a	good  idea  to
       use a master server and several slaves rather than just a single	master
       server.	A slave	server provides	the exact same information as a	master
       server:	whenever  the  maps  on	the master server are updated, the new
       data should be propagated to the	slave systems using the	yppush(8) com-
       mand.  The NIS Makefile (/var/yp/Makefile) will do  this	 automatically
       if  the	administrator  creates	/var/yp/Makefile.local and empties the
       NOPUSH variable:

	   NOPUSH=

       (NOPUSH is set to true by default because the default configuration  is
       for  a  small network with only one NIS server).	 The yppush(8) command
       will initiate a transaction between the master and slave	 during	 which
       the slave will transfer the specified maps from the master server using
       ypxfr(8).   (The	 slave server calls ypxfr(8) automatically from	within
       ypserv(8); therefore it is not usually necessary	for the	 administrator
       to  use	it  directly.	It  can	 be run	manually if desired, however.)
       Maintaining slave servers helps improve NIS performance on  large  net-
       works by:

          Providing  backup services in the event that	the NIS	master crashes
	   or becomes unreachable

          Spreading the client	load out  over	several	 machines  instead  of
	   causing the master to become	overloaded

          Allowing  a single NIS domain to extend beyond a local network (the
	   ypbind(8) daemon might not be able to locate	a server automatically
	   if it resides on a network outside the reach	of its broadcasts.  It
	   is possible to force	ypbind(8) to bind to a particular server  with
	   ypset(8)  but  this is sometimes inconvenient.  This	problem	can be
	   avoided simply by placing a slave server on the local network.)

       The FreeBSD ypserv(8) is	specially designed to provide  enhanced	 secu-
       rity (compared to other NIS implementations) when used exclusively with
       FreeBSD client systems.	The FreeBSD password database system (which is
       derived	directly  from	4.4BSD)	includes support for shadow passwords.
       The standard password database does not contain users' encrypted	 pass-
       words:  these  are  instead  stored (along with other information) in a
       separate	database which is accessible only by the super-user.   If  the
       encrypted password database were	made available as an NIS map, this se-
       curity  feature would be	totally	disabled, since	any user is allowed to
       retrieve	NIS data.

       To help prevent this, FreeBSD's NIS server handles the shadow  password
       maps   (master.passwd.byname,  master.passwd.byuid,  shadow.byname  and
       shadow.byuid) in	a special way: the server will only provide access  to
       these  maps in response to requests that	originate on privileged	ports.
       Since only the super-user is allowed to bind to a privileged port,  the
       server  assumes that all	such requests come from	privileged users.  All
       other requests are denied: requests from	non-privileged ports will  re-
       ceive  only  an	error  code  from the server.  Additionally, FreeBSD's
       ypserv(8) includes support for Wietse  Venema's	tcp  wrapper  package;
       with  tcp  wrapper  support  enabled,  the  administrator can configure
       ypserv(8) to respond only to selected client machines.

       While these enhancements	provide	better security	than stock  NIS,  they
       are  by no means	100% effective.	 It is still possible for someone with
       access to your network to spoof the server into disclosing  the	shadow
       password	maps.

       On  the client side, FreeBSD's getpwent(3) functions will automatically
       search for the master.passwd maps and use them if they exist.  If  they
       do,  they  will	be  used, and all fields in these special maps (class,
       password	age and	account	expiration) will be decoded.  If they are  not
       found, the standard passwd maps will be used instead.

COMPATIBILITY
       When using a non-FreeBSD	NIS server for passwd(5) files,	it is unlikely
       that  the default MD5-based format that FreeBSD uses for	passwords will
       be accepted by it.  If this is the case,	the value of the passwd_format
       setting in login.conf(5)	should be changed to "des" for compatibility.

       Some systems, such as SunOS 4.x,	need NIS to be running	in  order  for
       their  hostname resolution functions (gethostbyname(), gethostbyaddr(),
       etc.)  to work properly.	 On  these  systems,  ypserv(8)	 performs  DNS
       lookups when asked to return information	about a	host that does not ex-
       ist  in its hosts.byname	or hosts.byaddr	maps.  FreeBSD's resolver uses
       DNS by default (it can be made to use NIS, if desired),	therefore  its
       NIS  server does	not do DNS lookups by default.	However, ypserv(8) can
       be made to perform DNS lookups if it is started with  a	special	 flag.
       It  can also be made to register	itself as an NIS v1 server in order to
       placate certain systems that insist on the  presence  of	 a  v1	server
       (FreeBSD	uses only NIS v2, but many other systems, including SunOS 4.x,
       search  for both	a v1 and v2 server when	binding).  FreeBSD's ypserv(8)
       does not	actually handle	NIS v1 requests, but  this  "kludge  mode"  is
       useful  for silencing stubborn systems that search for both a v1	and v2
       server.

       (Please see the ypserv(8) manual	page for  a  detailed  description  of
       these special features and flags.)

SEE ALSO
       domainname(1),	ypcat(1),  ypmatch(1),	ypwhich(1),  nsswitch.conf(5),
       yp_mkdb(8),  ypbind(8),	ypinit(8),  yppoll(8),	yppush(8),  ypserv(8),
       ypset(8), ypxfr(8)

HISTORY
       The  YP subsystem was written from the ground up	by Theo	de Raadt to be
       compatible to Sun's implementation.  Bug	fixes,	improvements  and  NIS
       server support were later added by Bill Paul.  The server-side code was
       originally written by Peter Eriksson and	Tobias Reber and is subject to
       the GNU Public License.	No Sun code was	referenced.

BUGS
       While  FreeBSD now has both NIS client and server capabilities, it does
       not yet have support for	 ypupdated(8)  or  the	yp_update()  function.
       Both  of	 these	require	secure RPC, which FreeBSD does not support yet
       either.

       The getservent(3) and getprotoent(3) functions do not yet have NIS sup-
       port.  Fortunately, these files do not need to be updated that often.

       Many more manual	pages should be	written,  especially  ypclnt(3).   For
       the  time  being, seek out a local Sun machine and read the manuals for
       there.

       Neither Sun nor this author have	found a	clean way to handle the	 prob-
       lems that occur when ypbind cannot find its server upon bootup.

FreeBSD	13.2		       December	14, 2011			 YP(8)

NAME | SYNOPSIS | DESCRIPTION | COMPATIBILITY | SEE ALSO | HISTORY | BUGS

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=yp&sektion=8&manpath=FreeBSD+14.2-RELEASE+and+Ports>

home | help