NIS/yp maps
From Syscore
We currently serve 4 NIS domains:
- slam - This is the legacy NIS domain used for the "GL" cluster. It contains all of our users.
- afsguys - This is an NIS domain used on our internal servers. It's basically a copy of the slam domain, currently.
- research - This is the NIS domain used only by UMBC7. It is identical to the previous two domains, except that users who are not faculty and do not have their "research access" field checked have the passwd field populated with *NOLOGIN*.
- rs - This NIS domain is used by the "research" cluster. If a user has a special "rs cluster" home directory setting, that path is put in the home directory field. In addition, all users have *NOLOGIN* in the passwd field, with the exception of those that have "rs access" enabled.
These domains are very spartan. They contain only passwd maps; the slam & afsguys domains contain a base group map as well.
We run a modified version of the Linux ypserv on our Solaris systems, due to some inadequacies of NDBM (the backend storage format for the Sun ypserv). The source for this is located at /afs/umbc.edu/src/apps/yp.
The maps are manipulated in “real time” through one of the lbridged processes on ds-master.umbc.edu. The scripts manipulate the backend GDBM maps, which get served out to NIS domains named “ds_” followed by the map name. ds-master serves only other NIS servers, not NIS clients. Currently, for the afsguys and slam domains, the NIS servers are corens1, corens2, and corens3. Each of these machines runs a script from cfengine every 15 minutes to “ypxfr” these maps into the appropriate “real” maps (not “ds_”) for serving to their clients. These servers don’t have any slaves, per se, as they are kinda sorta slaves themselves. And masters. It’s just weird.
The key to authorization around here is the contents of the passwd field. While it doesn’t contain an actual password (that’s in Kerberos), the field’s text does have meaning.
- “*” User is a-ok, and can log in.
- “*LK*” User’s account is locked.
- “*INACTIVE*” User’s account has not been activated.
- “*DEACTIVATED*” User’s account has been deactivated.
Login applications should trigger on this field to figure out if someone should be allowed to log in, or not. Use of this field may be expanded in the future to deal with accounts with varying levels of access – e.g., can do imap/pop but no ssh.
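As an added illustration (not code from the Syscore page or its lbridged scripts), a small Python routine that interprets the passwd field the way the text describes: only the exact “*” marker permits a login, the lock/inactive/deactivated/NOLOGIN markers each map to a named reason, and any value it does not recognise is denied. The map lines it parses are constructed samples, not real accounts.

```python
# Added example: interpret the passwd field of an NIS passwd map entry.
# Marker strings come from the page; the sample entries are constructed.
from enum import Enum


class Status(Enum):
    ALLOW = "allow"                # "*": user may log in (password is in Kerberos)
    LOCKED = "locked"              # "*LK*"
    INACTIVE = "inactive"          # "*INACTIVE*": never activated
    DEACTIVATED = "deactivated"    # "*DEACTIVATED*"
    NOLOGIN = "nologin"            # "*NOLOGIN*" as set in the research and rs domains
    UNKNOWN = "unknown"            # anything else: deny (fail closed)


MARKERS = {
    "*": Status.ALLOW,
    "*LK*": Status.LOCKED,
    "*INACTIVE*": Status.INACTIVE,
    "*DEACTIVATED*": Status.DEACTIVATED,
    "*NOLOGIN*": Status.NOLOGIN,
}


def parse_passwd_entry(line):
    """Split a 7-field passwd.byname entry; reject malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"malformed passwd entry: {line!r}")
    name, pw, uid, gid, gecos, home, shell = fields
    return {"name": name, "passwd": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def login_status(entry):
    """Map the passwd field to a Status; unrecognised text is UNKNOWN."""
    return MARKERS.get(entry["passwd"], Status.UNKNOWN)


def may_login(entry):
    """Only the exact '*' marker grants access; everything else is denied."""
    return login_status(entry) is Status.ALLOW


# Constructed sample map lines (not real accounts).
SAMPLE_MAP = """\
alice:*:1001:100:Alice Example:/home/alice:/bin/bash
bob:*LK*:1002:100:Bob Example:/home/bob:/bin/bash
carol:*INACTIVE*:1003:100:Carol Example:/home/carol:/bin/bash
dave:*DEACTIVATED*:1004:100:Dave Example:/home/dave:/bin/bash
erin:*NOLOGIN*:1005:100:Erin Example:/rs/home/erin:/bin/bash
frank:x:1006:100:Frank Example:/home/frank:/bin/bash
"""


def allowed_users(map_text):
    """Names of the users a map permits to log in."""
    entries = (parse_passwd_entry(l) for l in map_text.splitlines())
    return [e["name"] for e in entries if may_login(e)]
```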
Important Note: Use of these NIS maps by anyone other than the core managed systems they are designed to work on is UNSUPPORTED. Their function, specifications, contents, and existence is SUBJECT TO CHANGE WITHOUT ANY NOTICE WHATSOEVER.
So DON'T TRY TO USE THEM.
