Using NIS map command line administration utility
The nisedit command line utility allows you to manage NIS maps stored in Active Directory as RFC 2307 objects. nisedit is located at /opt/quest/bin/nisedit and has been designed to be script- and automation-friendly.
To run the nisedit utility, specify one or more general options followed by a sub-command, which may take further options and arguments. The following table lists the supported nisedit sub-commands with a brief description of each.
Table 16: nisedit commands

| Command | Description |
|---------|-------------|
| add | Add RFC 2307 NIS maps and/or entries to Active Directory. |
| delete | Delete an RFC 2307 NIS map or entries from Active Directory. |
| dump | Output RFC 2307 NIS maps and entries from Active Directory. |
| modify | Modify an RFC 2307 NIS map or entries in Active Directory. |
| list | List all RFC 2307 NIS map names from Active Directory. |
| sync | Synchronize changes to RFC 2307 NIS maps in Active Directory. |
passwd, group, and netid maps
The group, passwd, and netid maps are provided directly from the vasd cache that is populated straight from Active Directory user and group objects, and cannot be edited with nisedit.
Specific vs generic maps
Due to the RFC 2307 specifications, some maps are stored as specific objects, while all other maps are stored as generic objects. nisedit supports the six standard NIS maps. For more information, see RFC classes and attributes.
These maps generate their sub-maps from a single information source. For example, the services objects in Active Directory provide the information that vasyp uses to serve the services.byname and services.byservicename maps.
The VASYP daemon
The vasyp daemon acts as a NIS server that can provide backwards compatibility with existing NIS infrastructure. It provides NIS server functionality without having to run the NIS protocol over the network. By default, vasyp only responds to requests from the system on which vasyp is running, and all NIS map data is obtained from Active Directory by means of secure LDAP requests.
vasyp only works on machines that have the Safeguard Authentication Services agent software installed and are joined to the Active Directory domain. You can manage NIS map data in Active Directory using the Safeguard Authentication Services RFC 2307 Nismap Editor.
Using vasyp provides the following features:
- Security
NIS is notoriously insecure, without any concept of encryption for data that goes across the network. Typically, user password hashes are also made available in the passwd.byname and passwd.byuid NIS maps. With vasyp, you can still have passwd and group NIS maps, but no password hashes are made available in those maps. Clients can instead use the Safeguard Authentication Services agent components like pam_vas for secure authentication with Active Directory, while still making the passwd NIS maps available to NAS devices and other systems that need the NIS information to function. vasyp uses the same computer identity that vasd does to authenticate to Active Directory and obtain the NIS map data through secure LDAP.
To successfully advertise a user's password hash by means of vasyp, a password hash must exist on the user object in Active Directory, and this hash must be cached locally.
To cache an existing hash locally, set the cache-unix-password option in the vasd section of vas.conf.
For further details, see the vas.conf man page.
Initially, creating these password hashes in Active Directory requires installation and configuration of a password filter DLL on the domain controller. One such DLL is included in SFU 3.5.
NOTE: The password filter .dll does not work on 64-bit versions of Windows Server. As this .dll is an integral part of legacy authentication support, running legacy authentication support using 64-bit versions of Windows is not supported.
NOTE: Safeguard Authentication Services does not require caching of password hashes to support authentication. Safeguard Authentication Services features a PAM module that provides Active Directory authentication support for most recent applications. It is only necessary to set up caching of UNIX password hashes to support much older applications that are not PAM-enabled and can only do crypt and compare authentication.
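As an added example that is not part of the original documentation: a small check that parses passwd-map entries in the format `ypcat passwd` prints and reports any entry whose password field carries a crypt-style hash rather than a placeholder. This is the property the Security section promises (passwd maps served without hashes), and the check lets an administrator confirm it on a client, or spot a host where hash caching was switched on. The sample map is constructed; the `$6$` string on `legacyapp` is a dummy in crypt format used only to show what a hit looks like.

```python
import re
import sys

# Constructed sample of passwd.byname entries in the format `ypcat passwd`
# prints (user:password:uid:gid:gecos:home:shell). The users are made up and
# the `$6$` string on "legacyapp" is a dummy in crypt format, not a real hash.
SAMPLE_PASSWD_MAP = """\
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:*:1002:1002:Bob Example:/home/bob:/bin/sh
legacyapp:$6$dummysalt$DUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMYDUMMY:1003:1003:Legacy App:/srv/legacy:/bin/false
svc:!!:1004:1004:Service Account:/nonexistent:/usr/sbin/nologin
"""

# Values commonly found in the password field when no hash is published.
PLACEHOLDERS = {"", "x", "*", "!", "!!", "NP", "*NP*", "*LK*"}

# Modular crypt format ($id$salt$hash) or a 13-character traditional DES hash.
HASH_RE = re.compile(r"^\$[0-9a-z]+\$.+$|^[./0-9A-Za-z]{13}$")


def classify_password_field(field):
    """Return 'placeholder', 'hash' or 'unknown' for one password field."""
    if field in PLACEHOLDERS:
        return "placeholder"
    if HASH_RE.match(field):
        return "hash"
    return "unknown"


def find_exposed_hashes(map_text):
    """Return the user names whose map entry advertises a password hash.

    Raises ValueError on a line that does not have the seven passwd fields,
    so a truncated or mangled dump is reported rather than silently skipped.
    """
    exposed = []
    for lineno, line in enumerate(map_text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        if classify_password_field(fields[1]) == "hash":
            exposed.append(fields[0])
    return exposed


if __name__ == "__main__":
    # Read a real dump from stdin (for example `ypcat passwd | python3 check.py`),
    # otherwise fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PASSWD_MAP
    hits = find_exposed_hashes(text)
    if hits:
        print("password hashes advertised for: " + ", ".join(hits))
    else:
        print("no password hashes found in the passwd map")
```

On a vasyp client with default settings the expected result is an empty list. The placeholder set covers the markers seen on common UNIX platforms; anything that is neither a placeholder nor hash-shaped is classified as unknown rather than ignored, so an unexpected value still shows up if you extend the script to report that class.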
- Disconnected Operation
vasyp manages a persistent cache of all available NIS maps. This allows applications like autofs, which uses NIS to get configuration information, to continue to function without interruption in situations where the Active Directory domain controller is unreachable.
- Scalability
vasyp is a miniature NIS server that runs on each NIS client. Instead of having to deploy a master NIS server along with a number of slave servers, each NIS client talks to the vasyp daemon running on the same machine. This allows each NIS server to only have to handle one client. vasyp has been designed to minimize its memory footprint and computing requirements so that it has a minimal impact on the system's resources.
- Flexibility
vasyp uses a two-process model, where the parent process ensures that the child process that handles all of the NIS RPC messages is always running. The NIS RPC process drops root privileges and runs as the daemon user. The parent process runs a separate process to update the NIS map cache periodically. This arrangement avoids potential blocking problems when using vasyp for hosts and services resolving.
For detailed information on usage and available options, see the vasypd man page.
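The Flexibility section describes a root parent that supervises an NIS RPC child running as the daemon user. As an added example that is not from the documentation or the product, the following script verifies that layout from `ps -eo user,pid,ppid,comm` output: it locates the process tree by name and checks that exactly one root parent exists and that at least one of its children has dropped to the unprivileged user. The process name `vasypd` and the process layout in the sample are assumptions made for this example; the sample output is constructed.

```python
import subprocess

# Constructed `ps -eo user,pid,ppid,comm` output. The process name vasypd and
# the exact layout are assumptions for this example, not taken from the
# documentation, which states only that a parent keeps the NIS RPC child
# running, that the RPC child runs as the daemon user, and that a separate
# cache-update process exists.
SAMPLE_PS_OUTPUT = """\
USER       PID  PPID COMMAND
root         1     0 init
root      2100     1 vasd
root      2200     1 vasypd
daemon    2201  2200 vasypd
root      2202  2200 vasypd
"""


def parse_ps(ps_text):
    """Parse `ps -eo user,pid,ppid,comm` output into a list of dicts."""
    procs = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        user, pid, ppid, comm = parts
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid), "comm": comm})
    return procs


def check_privilege_drop(procs, comm="vasypd", unprivileged_user="daemon"):
    """Check the two-process layout for the processes named `comm`.

    Returns a dict with the parent PIDs found, the users the children run
    as, and an `ok` flag that is True only when there is exactly one parent,
    it runs as root, and at least one child runs as `unprivileged_user`.
    """
    by_name = [p for p in procs if p["comm"] == comm]
    pids = {p["pid"] for p in by_name}
    parents = [p for p in by_name if p["ppid"] not in pids]
    children = [p for p in by_name if p["ppid"] in pids]
    child_users = sorted({p["user"] for p in children})
    ok = (
        len(parents) == 1
        and parents[0]["user"] == "root"
        and unprivileged_user in child_users
    )
    return {"parent_pids": [p["pid"] for p in parents], "child_users": child_users, "ok": ok}


if __name__ == "__main__":
    # Use the live process table when ps is available, otherwise the sample.
    try:
        text = subprocess.run(
            ["ps", "-eo", "user,pid,ppid,comm"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_PS_OUTPUT
    result = check_privilege_drop(parse_ps(text))
    print("parents: %s, child users: %s, ok: %s"
          % (result["parent_pids"], result["child_users"], result["ok"]))
```

A result with `ok` False and an empty parent list means no process of that name was found; `ok` False with children all listed as root means the RPC child has not dropped privileges, which is the condition worth alerting on.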