Installing and Administering NFS Services - Previous Directory

Installing and Administering NFS 

Services 

HP 9000 Networking 

Manufacturing Part Number: B1031-90048 

E0601 

U.S.A. 

© Copyright 2001 Hewlett-Packard Company.

Legal Notices 

The information in this document is subject to change without notice. 

Hewlett-Packard makes no warranty of any kind with regard to this 

manual, including, but not limited to, the implied warranties of 

merchantability and fitness for a particular purpose. Hewlett-Packard 

shall not be held liable for errors contained herein or direct, indirect, 

special, incidental or consequential damages in connection with the 

furnishing, performance, or use of this material. 

Warranty. A copy of the specific warranty terms applicable to your 

Hewlett- Packard product and replacement parts can be obtained from 

your local Sales and Service Office. 

Restricted Rights Legend. Use, duplication or disclosure by the U.S. 

Government is subject to restrictions as set forth in subparagraph (c) (1) 

(ii) of the Rights in Technical Data and Computer Software clause at 

DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and 

(c) (2) of the Commercial Computer Software Restricted Rights clause at 

FAR 52.227-19 for other agencies. 

Hewlett-Packard Co. 

19420 Homestead Road 

Cupertino, CA 95014 USA 

Use of this manual and CD(s) supplied for this pack is restricted to this 

product only. Additional copies of the programs may be made for security 

and back-up purposes only. Resale of the programs in their present form 

or with alterations, is expressly prohibited. 

Copyright Notices 

©copyright 1983-2000 Hewlett-Packard Company, all rights reserved. 

Reproduction, adaptation, or translation of this document without prior 

written permission is prohibited, except as allowed under the copyright 

laws. 

©copyright 1979, 1980, 1983, 1985-94 Regents of the University of 

California 

This software is based in part on the Fourth Berkeley Software 

Distribution under license from the Regents of the University of 

California. 

2

©copyright 1986-1997 Sun Microsystems, Inc. 

©copyright 1985-86, 1988 Massachusetts Institute of Technology 

©copyright 1989-93 The Open Software Foundation, Inc. 

©copyright 1986 Digital Equipment Corporation 

©copyright 1990 Motorola, Inc. 

©copyright 1990, 1991, 1992 Cornell University 

©copyright 1989-1991 The University of Maryland 

©copyright 1988 Carnegie Mellon University 

Trademark Notices 

UNIX is a registered trademark of The Open Group. 

X Window System is a trademark of the Massachusetts Institute of 

Technology. 

OSF/Motif is a trademark of the Open Software Foundation, Inc. in the 

U.S. and other countries. 

NFS® is a registered trademark of Sun Microsystems, Inc. 

NIS and NIS+ are trademarks of Sun Microsystems, Inc. 

NOTE 

The Network Information Service (NIS) was formerly known as Yellow 

Pages (YP). The functionality is the same; only the name has changed. 

“Yellow Pages” is a registered trademark in the United Kingdom of 

British Telecommunications plc. 

3

Contents 

1. Installing the NFS Services 

Installing the NFS Services Software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 

Overview of the NFS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 

2. Configuring and Administering NFS 

Preparing for NFS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

To Check the Network Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

To Set User IDs and Group IDs (if neither NIS nor NIS+ is used) . . . . . . . . . . . . . . 21 

To Ensure that No User is a Member of Too Many Groups . . . . . . . . . . . . . . . . . . . . 22 

Configuring and Administering an NFS Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 

To Make Directories Available to NFS Clients (Export Directories) . . . . . . . . . . . . . 24 

To Enable NFS Server Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

To Remove (Unexport) an Exported Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 

To Enable PC NFS Server Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 

To Disable NFS Server Capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 

Configuring and Administering an NFS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

Deciding Between Automounter and AutoFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

Deciding Between Standard-Mounted Directories and Automounted Directories . . 35 

To Mount a Remote Directory Using a Standard NFS Mount . . . . . . . . . . . . . . . . . . 40 

To Enable NFS Client Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 

To Verify Your NFS Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 

To Change the Default Mount Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 

To Ensure Data Integrity Between the Client and Server . . . . . . . . . . . . . . . . . . . . . 49 

To Remove (Unmount) a Mounted Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 

To Disable NFS Client Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 

NFS Client and Server Transport Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 

NFS Client TCP Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 

Specifying TCP or UDP Connections. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 

NFS Server TCP Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 

Configuring and Administering the NFS Automounter . . . . . . . . . . . . . . . . . . . . . . . . 55 

To Automount All Exported Directories from Any Host Using the -hosts Map . . . . 56 

To Decide Between Direct and Indirect NFS Automounts. . . . . . . . . . . . . . . . . . . . . 58 

To Mount a Remote Directory Using a Direct Automounter Map . . . . . . . . . . . . . . . 61 

To Mount a Remote Directory Using an Indirect Automounter Map . . . . . . . . . . . . 64 

To Configure Multiple (Replicated) Servers for an Automounted Directory . . . . . . . 68 

To Use Environment Variables as Shortcuts in Automounter Maps. . . . . . . . . . . . . 69 

To Use Wildcard Characters as Shortcuts in Automounter Maps . . . . . . . . . . . . . . . 69 

To Automount Users’ Home Directories with the -passwd Map . . . . . . . . . . . . . . . . 71 

5

Contents 

6 

To Automount Users’ Home Directories with Wildcard Characters . . . . . . . . . . . . . 74 

To Automount Multiple Directories Simultaneously (Hierarchical Mounts) . . . . . . 77 

To Improve Automounter Performance with Subdirectory Notation in Indirect Maps 

77 

To Include an Automounter Map in Another Automounter Map. . . . . . . . . . . . . . . . 79 

To Turn Off an Automounter Map with the -null Map. . . . . . . . . . . . . . . . . . . . . . . . 80 

To Enable the NFS Automounter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

To Verify Your Automounter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 

To Modify or Remove (Unmount) an Automounted Directory . . . . . . . . . . . . . . . . . . 83 

To Restart the Automounter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 

Configuring and Administering AutoFS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 

Advantages of AutoFS Versus Automounter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 

Migrating From Automounter to AutoFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

To Understand How AutoFS Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

To Automount All Exported Directories from Any Host Using the -hosts Map . . . . 90 

To Decide Between Direct and Indirect NFS Automounts. . . . . . . . . . . . . . . . . . . . . 92 

To Mount a Remote Directory Using a Direct Automounter Map . . . . . . . . . . . . . . . 95 

To Mount a Remote Directory Using an Indirect Automounter Map . . . . . . . . . . . . 99 

To Configure Multiple (Replicated) Servers for an Automounted Directory . . . . . . 102 

To Use Environment Variables as Shortcuts in Automounter Maps. . . . . . . . . . . . 103 

To Use Wildcard Characters as Shortcuts in Automounter Maps . . . . . . . . . . . . . . 104 

To Automount Users’ Home Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 

To Automount Multiple Directories Simultaneously (Hierarchical Mounts) . . . . . 108 

To Include an Automounter Map in Another Automounter Map. . . . . . . . . . . . . . . 109 

To Create a Hierarchy of Automounter Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 

To Turn Off an Automounter Map with the -null Map. . . . . . . . . . . . . . . . . . . . . . . 111 

To Enable AutoFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

To Disable AutoFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 

To Verify Your AutoFS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 

To Modify or Remove (Unmount) an Automounted Directory . . . . . . . . . . . . . . . . . 114 

Configuring and Using NFS Netgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 

To Create Netgroups in the /etc/netgroup File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 

To Create Netgroups in the NIS+ netgroup Table . . . . . . . . . . . . . . . . . . . . . . . . . . 117 

To Use Netgroups in Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 

Configuring the Other NFS Daemons and Services. . . . . . . . . . . . . . . . . . . . . . . . . . . 122 

To Enable the Other NFS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 

To Restrict Access to the Other NFS Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Contents 

3. Configuring the Cache File System (CacheFS) 

The Cache File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 

CacheFS Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 

Configuring CacheFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 

To Configure a Local File System as Cache. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 

To Mount an NFS File System Using CacheFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 

To Automount a File System Using CacheFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 

4. Configuring and Administering NIS 

Overview of NIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 

Information Managed by NIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 

Structure of the NIS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 

Planning the NIS Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 

To Determine the Number of NIS Domains You Need . . . . . . . . . . . . . . . . . . . . . . . 140 

To Determine the Number of NIS Servers You Need . . . . . . . . . . . . . . . . . . . . . . . . 141 

To Determine Which Hosts Will Be NIS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 

To Draw an NIS Network Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 

Configuring and Administering an NIS Master Server. . . . . . . . . . . . . . . . . . . . . . . . 143 

To Create the Master passwd File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 

To Create the Master group File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 

To Create the Master hosts File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 

To Enable NIS Master Server Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 

To Verify Your NIS Master Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 

To Configure the NIS Master Server to Use a Private passwd File. . . . . . . . . . . . . 149 

To Restrict Client and Slave Server Access to the Master Server . . . . . . . . . . . . . . 150 

To Check the Contents of an NIS Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 

To Modify an NIS Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 

To Add an Automounter Map to Your NIS Domain . . . . . . . . . . . . . . . . . . . . . . . . . 153 

To Remove an Automounter Map from Your NIS Domain . . . . . . . . . . . . . . . . . . . . 155 

To Add a Slave Server to Your NIS Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 

To Remove a Slave Server from Your NIS Domain. . . . . . . . . . . . . . . . . . . . . . . . . . 157 

To Query BIND for Host Information After Querying NIS . . . . . . . . . . . . . . . . . . . 158 

To Use NIS With Short File Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 

To Configure an HP-UX Master Server in a Domain with Sun Systems . . . . . . . . 159 

Configuring and Administering an NIS Slave Server . . . . . . . . . . . . . . . . . . . . . . . . . 161 

To Edit the Slave Server’s passwd File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 

To Edit the Slave Server’s group File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 

To Enable NIS Slave Server Capability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 

7

Contents 

To Verify Your NIS Slave Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 

To Schedule Regular Map Transfers from the NIS Master Server . . . . . . . . . . . . . 167 

To Restrict Access to the Slave Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 

Configuring and Administering an NIS Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 

To Edit the NIS Client’s passwd File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 

To Edit the NIS Client’s group File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 

To Enable NIS Client Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 

To Verify Your NIS Client Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174 

To Tell Users How to Use yppasswd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 

To Prevent a Client from Binding to Unknown Servers. . . . . . . . . . . . . . . . . . . . . . 176 

To Bind an NIS Client to a Server on a Different Subnet . . . . . . . . . . . . . . . . . . . . 177 

Configuring and Administering Secure RPC (if NIS+ is not used) . . . . . . . . . . . . . . . 178 

To Have Users Create their Secure RPC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 

To Create Secure RPC Keys for Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180 

To Create Secure RPC Keys for Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181 

To Tell Users How to Use Secure RPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 

Summary of NIS Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 

5. Configuring and Administering NIS+ 

Overview of NIS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 

Advantages of NIS+ over NIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 

Disadvantages of NIS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 

Structure of the NIS+ Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 

Structure of an NIS+ Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190 

How NIS+ Information is Stored and Propagated . . . . . . . . . . . . . . . . . . . . . . . . . . 191 

NIS+ Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191 

NIS+ Authentication and Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 

NIS Compatibility Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 

Planning the NIS+ Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197 

To Determine the Number of NIS+ Domains You Need . . . . . . . . . . . . . . . . . . . . . . 197 

To Determine the Number of NIS+ Servers You Need . . . . . . . . . . . . . . . . . . . . . . . 198 

To Determine Which Hosts Will Be NIS+ Servers . . . . . . . . . . . . . . . . . . . . . . . . . . 198 

Setting Up the NIS+ Namespace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 

To Set Up the Root Master Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 

To Populate the NIS+ Tables on the Master Server . . . . . . . . . . . . . . . . . . . . . . . . . 202 

To Add Administrators to the NIS+ admin Group . . . . . . . . . . . . . . . . . . . . . . . . . . 205 

8

Contents 

To Set Up NIS+ Client Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206 

To Set Up NIS+ Replica Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 

To Initialize NIS+ Client Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 

To Set Up an NIS+ Subdomain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 

To Use BIND With NIS+ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214 

To Allow an NIS+ User Authenticated Access to Another Domain . . . . . . . . . . . . . 216 

Administering NIS+. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217 

To List the Properties of NIS+ Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 

To Change the Default Properties for New NIS+ Objects . . . . . . . . . . . . . . . . . . . . 219 

To Change the Permissions for NIS+ Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220 

To Change the Ownership of NIS+ Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 

To Change the Search Order of Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223 

To List the Contents of an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224 

To Search an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225 

To Add an Entry to an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226 

To Remove an Entry from an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 

To Modify an Entry in an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 

To Add a Host to an NIS+ Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 

To Add a User to an NIS+ Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233 

To Create New Credentials for an Existing NIS+ Principal . . . . . . . . . . . . . . . . . . 236 

To Create New Credentials for the Root Master Server. . . . . . . . . . . . . . . . . . . . . . 237 

To Change a Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 

To Create an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 

To Remove an NIS+ Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 

To Create or Remove Paths Among Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 

To Create or Remove an NIS+ Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243 

To Add or Remove Members of an NIS+ Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244 

To Remove a Replica Server from an NIS+ Domain . . . . . . . . . . . . . . . . . . . . . . . . . 246 

To Remove an NIS+ Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 

To Back Up NIS+ Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248 

Summary of NIS+ Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 

6. Configuring the Name Service Switch 

Installing and Customizing the nsswitch.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 

Syntax of the nsswitch.conf File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 

Default Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 

Troubleshooting the Name Service Switch. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 

9

Contents 

7. Configuring and Using the Remote Execution Facility (REX) 

How REX Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267 

REX Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268 

Configuring REX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 

To Configure REX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 

To Configure REX Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271 

To Configure Logging for the rexd Daemon. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272 

8. Troubleshooting NFS Services 

Common Problems with NFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 

If You Receive an NFS “Server Not Responding” Message. . . . . . . . . . . . . . . . . . . . 276 

If You Receive an “Access Denied” Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 

If You Receive a “Permission Denied” Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 

If You Receive an “Unknown Host” or “Not In Hosts Database” Message . . . . . . . 283 

If You Receive a “Device Busy” Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284 

If You Receive a “Stale File Handle” Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 

If a Program Hangs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 

If Data is Lost Between the Client and the Server. . . . . . . . . . . . . . . . . . . . . . . . . . 289 

If You Cannot Start New Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290 

If You Receive a “Too Many Levels of Remote in Path” Message . . . . . . . . . . . . . . . 291 

Common Problems with NIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 

If You Receive an NIS “Server Not Responding” Message . . . . . . . . . . . . . . . . . . . . 293 

If a User Cannot Log In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294 

If You Receive an “Unknown Host” Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296 

If an NIS Client Cannot Bind to a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298 

If NIS Returns Incorrect Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299 

Common Problems with NIS+. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 

If NIS+ Cannot Find an Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 

If You Have Authentication or Permissions Problems . . . . . . . . . . . . . . . . . . . . . . . 304 

If You Have Insufficient Memory or Disk Space . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 

If You Receive an “Unable to Fork” Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308 

If a User Cannot Log In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309 

If nisping -C Fails or Transaction Logs Are Not Truncated . . . . . . . . . . . . . . . . . . . 311 

If a Replica Update Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 

If You Receive an “Illegal Object Type” Message . . . . . . . . . . . . . . . . . . . . . . . . . . . 312 

If You Receive a “Could Not Bind to Server” Message . . . . . . . . . . . . . . . . . . . . . . . 313 

10

Contents 

If You Receive a “Generic System Error” or “Possible Loop Detected” Message . . . 313 

If You Receive a “Corrupt Log” or “Corrupt Database” Message . . . . . . . . . . . . . . . 314 

Performance Tuning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315 

To Diagnose NFS Performance Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 

To Improve NFS Server Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 

To Adjust the Number of nfsd Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 

To Improve NFS Client Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321 

To Improve NIS+ Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 

Logging and Tracing of NFS Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 

NFS Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 

Automounter Logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329 

Automounter Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331 

Logging for the Other NFS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333 

NIS Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335 

NIS+ Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338 

Logging With nettl and netfmt. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339 

Tracing With nettl and netfmt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340 

Normal System Startup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 

A. NIS+ Error Messages 

11

Contents 

12

1 Installing the NFS Services 

Chapter 1 13

Installing the NFS Services 

This chapter tells you how to install the NFS Services and briefly 

describes each one. It contains the following sections: 

• Installing the NFS Services Software 

• Overview of the NFS Services 

This manual does not document NFS Diskless. For information on NFS 

Diskless configuration and administration, see the Managing Systems 

and Workgroups manual. 

For more information, see Managing NFS and NIS, by Hal Stern, 

published by O’Reilly & Associates. 

14 

Chapter 1


Installing the NFS Services Software 

Installing the NFS Services Software 

Before you begin to install the software, make sure you have the correct 

operating system on your computer. The HP-UX operating system, the 

required link software, and the NFS Services software must all be the 

same version. You can check your HP-UX operating system version with 

the uname -r command. 

Use the HP-UX Software Distributor (SD) to install the NFS Services file 

set. Issue the following command to start the SD swinstall utility: 

/usr/sbin/swinstall 

The Software Distributor is documented in Managing HP-UX Software 

with SD-UX. 

Chapter 1 15


Overview of the NFS Services 


Hewlett-Packard’s NFS Services include the following: 

• Network File System (NFS) provides transparent access to files 

from anywhere on the network. An NFS server makes a directory 

available to other hosts on the network by “exporting” the directory. 

An NFS client provides access to the NFS server’s directory by 

“mounting” the directory. To users on the NFS client, the directory 

looks like part of the local file system. For information on configuring 

and administering NFS, see “Configuring and Administering NFS” on 

page 19. 

• Network Information Service (NIS) allows centralized 

management of common configuration files, like /etc/passwd, 

/etc/hosts, and /etc/services. An NIS “master server” holds 

master copies of the configuration files, or “maps”. The master server 

may distribute copies of the maps to NIS “slaves servers” to provide 

load balancing and reliability. An NIS client gets configuration 

information from the master server or a slave server instead of from 

its local configuration files. (Some local configuration files, like 

/etc/passwd and /etc/group, can be used in addition to the NIS 

maps.) For more information, see “Configuring and Administering 

NIS” on page 135. 

• Network Information Service Plus (NIS+) is the next generation 

of NIS. Like NIS, it provides centralized management of common 

configuration files. Unlike NIS, it allows you to create multiple 

domains in a hierarchical structure called a “namespace.” It also has 

enhanced security features. It allows you to update the NIS+ 

databases from any client host in the network without having to log 

into the master server. For more information, see “Configuring and 

Administering NIS+” on page 185. 

• Network Lock Manager and Network Status Monitor 

(rpc.lockd and rpc.statd) provide file locking and synchronized file 

access to files that are shared with NFS. Files may be locked with 

lockf or fcntl. For more information, see the following man pages: 

lockd(1M), statd(1M), lockf(2), and fcntl(2). 

• Remote Procedure Call (RPC) is the mechanism that allows NFS 

clients and NFS servers to communicate. You can write your own 

RPC applications, using rpcgen, an RPC compiler that simplifies 

16 

Chapter 1



RPC programming. On HP-UX 10.30 and later, 

Transport-Independent RPC (TI-RPC) is supported. For information 

on RPC and rpcgen, see Power Programming with RPC, by John 

Bloomer, published by O’Reilly and Associates, Inc. 

• Remote Execution Facility (REX) allows you to execute 

commands interactively on a remote host while your local 

environment is simulated on the remote host. To use REX, you issue 

the on command on your local host, supplying the command you want 

to execute remotely and the name of the remote host where you want 

the command to execute. Your current environment variables are 

then copied to the remote host, and your home directory is mounted 

on the remote host using NFS. For information on configuring, 

administering, and using REX, see Chapter 7, “Configuring and 

Using the Remote Execution Facility (REX).” 

• The rup command collects and displays status information about the 

hosts on the local network. All hosts running the rstatd daemon will 

respond to queries from the rup command. For more information, see 

the man pages rstatd(1M) and rup(1). For information on 

configuring rstatd, see “Configuring the Other NFS Daemons and 

Services” on page 122. 

• The rusers command collects and displays information about all 

users logged into the hosts on the local network. All hosts running the 

rusersd daemon will respond to queries from the rusers command. 

For more information, see the man pages rusersd(1M) and 

rusers(1). For information on configuring rusersd, see “Configuring 

the Other NFS Daemons and Services” on page 122. 

• The rwall program allows you to broadcast a message to all the users 

logged into a remote host. The rwall program sends a message to a 

specified host where the rwalld daemon is running. The rwalld 

daemon then writes the message to all the users logged into that host. 

For more information, see the man pages rwalld(1M) and rwall(1M). 

For information on configuring rwalld, see “Configuring the Other 

NFS Daemons and Services” on page 122. 

• The spray command sends a stream of packets to a specified host and 

then reports how many of the packets were received and what the 

transfer rate was. All hosts running the sprayd daemon will respond 

to packets sent by the spray command. For more information, see the 

man pages sprayd(1M) and spray(1M). For information on 

configuring sprayd, see “Configuring the Other NFS Daemons and 

Services” on page 122. 

Chapter 1 17



• The quota command, which displays information about a user’s disk 

usage and limits, may be used to get information about a user on a 

remote host, if the rquotad daemon is running on the remote host. 

For more information, see the man pages rquotad(1M) and quota(1). 

For information on configuring rquotad, see “Configuring the Other 

NFS Daemons and Services” on page 122. 

18 

Chapter 1

2 Configuring and Administering 

NFS 

This chapter tells you how to configure and administer an HP 9000 as an 

NFS server or client, by editing files and issuing HP-UX commands. 

Chapter 2 19

Configuring and Administering NFS 

An NFS server is a machine that “exports” (makes available) its local 

files and directories to NFS clients. An NFS client is a machine that 

“mounts” files and directories exported by NFS servers. NFS-mounted 

files and directories look to users like part of the NFS client’s local file 

system. 

A machine can be an NFS server and an NFS client at the same time. 

NOTE 

HP does not support NIS over Wide Area Networks (WANs). WANs 

include network links using X.25, microwave links, public common 

carriers, or high speed lines (such as 56kb). 

This chapter is intended for system administrators who prefer not to use 

SAM. However, Hewlett-Packard recommends that you use SAM to 

configure and administer NFS. SAM (System Administration Manager) 

is Hewlett-Packard’s windows-based user interface for performing 

system administration tasks. To run SAM, type sam at the HP-UX 

prompt. SAM has an extensive online help facility. 

This chapter contains the following sections: 

• Preparing for NFS Configuration 

• Configuring and Administering an NFS Server 

• Configuring and Administering an NFS Client 

• Configuring and Administering the NFS Automounter 

• Configuring and Using NFS Netgroups 

• Configuring the Other NFS Daemons and Services 

20 

Chapter 2


Preparing for NFS Configuration 


Before you configure your machine as an NFS server or client, you must 

perform the following tasks: 

1. To Check the Network Connections 

2. To Set User IDs and Group IDs (if neither NIS nor NIS+ is used) 

3. To Ensure that No User is a Member of Too Many Groups 

The rest of this section explains the procedures for performing these 

tasks. 

To Check the Network Connections 

• Issue the /usr/sbin/ping(1M) command for each system with which 

your system will communicate using NFS. 

If the ping(1M) command fails, see the manuals listed below for 

troubleshooting procedures. 

Before you configure NFS, you must have already installed and 

configured the network hardware and software on all the machines that 

will use NFS. For information on installing and configuring the network 

hardware and software, refer to the following manuals: 

Installing and Administering LAN/9000 Software 

Installing and Administering Token Ring/9000 Software 

Installing and Administering FDDI/9000 Software 

To Set User IDs and Group IDs (if neither NIS nor 

NIS+ is used) 

• Create one /etc/passwd file and one /etc/group file that contain all 

the users and groups on the network, and then copy these files to all 

the machines on the network. 

or 

• Edit the /etc/passwd and /etc/group files on each machine to 

ensure that the following conditions are true: 

Chapter 2 21



— Each user has the same user ID on all machines where that user 

has an account. 

— No two users anywhere on the network have the same user ID. 

— Each group has the same group ID on all machines where that 

group exists. 

— No two groups on the network have the same group ID. 

When users request NFS access to remote files, their user IDs and group 

IDs are used to check file ownership and permissions, just as they are 

locally. 

If a user has one user ID on an NFS client and a different user ID on an 

NFS server, the server will not grant the user access to his or her files on 

the server, because it thinks the files belong to someone else. 

If a user on one machine has the same user ID as a user on another 

machine, one user may gain access to the other user’s files. 

For information on the /etc/passwd and /etc/group files, type man 4 

passwd or man 4 group at the HP-UX prompt. 

If you are using NIS or NIS+, the /etc/passwd and /etc/group files are 

managed by a master server, and all other machines on the network 

request user and group information from the servers. With NIS or NIS+, 

it is unnecessary to set user IDs and group IDs on each machine. For 

instructions on configuring NIS, see “Configuring and Administering 

NIS” on page 135. For instructions on configuring NIS+, see 

“Configuring and Administering NIS+” on page 185. 

To Ensure that No User is a Member of Too Many 

Groups 

1. If you are not running NIS or NIS+, issue the following command for 

each user on your system: 

/usr/bin/grep -c username /etc/group 

This command returns the number of occurrences of username in the 

/etc/group file. 

If you are using NIS to manage your group database, issue the 

following command for each user in your domain: 

/usr/bin/ypcat -k group | /usr/bin/grep -c username 

22 

Chapter 2



This command returns the number of occurrences of username in the 

NIS group database. 

If you are using NIS+ to manage your group database, issue the 

following command for each user in your domain: 

niscat -M group.org_dir | /usr/bin/grep -c username 

2. If any user is a member of more than 16 groups, remove the user from 

some of the groups. See “To Modify an NIS Map” on page 152 for 

instructions on modifying an NIS map. See “To Modify an Entry in an 

NIS+ Table” on page 229 for instructions on modifying an NIS+ 

table. 

If you are running a version of HP-UX older than release 9.0, a user 

can be a member of only 8 groups, rather than 16. 

If a user is a member of too many groups, NFS returns an RPC 

authentication error when the user attempts access to files or directories 

using NFS. 

Chapter 2 23


Configuring and Administering an NFS Server 


An NFS server is a machine that “exports” its local directories (makes 

them available for client machines to mount using NFS). On the NFS 

client, these mounted files and directories look to users like part of the 

client’s local file system. An NFS server can also be an NFS client. 

Following are the tasks involved in configuring and administering an 

NFS server. The first two tasks are the only ones required to get your 

server up and running. 

• To Make Directories Available to NFS Clients (Export Directories) 

• To Enable NFS Server Capability 

• To Remove (Unexport) an Exported Directory 

• To Enable PC NFS Server Capability 

• To Disable NFS Server Capability 

This section tells you how to perform these tasks, by editing files and 

issuing HP-UX commands. However, Hewlett-Packard recommends that 

you use SAM to configure and administer NFS. SAM (System 

Administration Manager) is Hewlett-Packard’s windows-based user 

interface for performing system administration tasks. To run SAM, type 

sam at the HP-UX prompt. SAM has an extensive online help facility. 

To Make Directories Available to NFS Clients (Export 

Directories) 

1. Add a line to the /etc/exports file for each directory you want to 

make available to NFS clients, using a text editor like vi. If the 

/etc/exports file does not exist on your system, you will have to 

create it. Following is the syntax of a line in the /etc/exports file: 

directory [-option[,option]] 

Type man 4 exports at the HP-UX prompt for a complete list of the 

export options. After adding your exported directories to the 

/etc/exports file, you must enable NFS server capability before 

NFS clients can mount your exported directories. See “To Enable NFS 

Server Capability” on page 28. 

24 

Chapter 2



2. If your system is already running as an NFS server, issue the 

following command to add the directory to your server’s internal list 

of exported directories: 

/usr/sbin/exportfs directory 

You can issue the exportfs -i command to add the directory to your 

server’s internal list of exported directories, without adding the directory 

to the /etc/exports file. However, it will stop being exported when you 

reboot your system or restart NFS, unless you also add it to the 

/etc/exports file. (Issuing the exportfs command does not change the 

contents of the /etc/exports file.) Type man 1M exportfs for more 

information. 

You cannot export a directory and its ancestor or descendant, if they are 

on the same disk or logical volume. For example, if you are exporting the 

root directory (/), you cannot also export /opt, unless / and /opt are on 

different disks or logical volumes. Likewise, if you are exporting 

/opt/frame, you cannot also export /opt unless /opt/frame and /opt 

are on different disks or logical volumes. However, if a directory and its 

ancestor or descendant are on different disks or logical volumes, and you 

want to export both of them, you must export them using two separate 

entries in /etc/exports. Use the bdf(1M) command to determine 

whether your file systems are on different disks or logical volumes. Each 

line in the bdf output is a separate disk or volume that requires its own 

entry in /etc/exports if you want to export it. 

The /etc/exports file should be owned by root and have mode 644 

(-rw-r--r--). 

The export options that restrict access to an exported directory are 

applied in addition to the regular HP-UX permissions already in place on 

that directory. For example, if only the owner of a file has permission to 

write to it, nobody else can write to the file, even if it is exported to the 

world with read/write permission. 

Access permissions may also be specified on the NFS client when a 

directory is mounted. If these permissions are different from the 

permissions for the exported directory on the NFS server, the more 

restrictive permissions are used. 

It is not a good idea to export a directory if it contains a symbolic link 

that points outside the exported directory. Once the directory is mounted 

on an NFS client, the symbolic link will be resolved locally on the client, 

so the destination of the symbolic link must exist on the client as well as 

the server. If the destination of the symbolic link does not exist on the 

Chapter 2 25



client, a No such file or directory message will be displayed 

whenever anyone attempts access to it. 

Figure 2-1 illustrates the problem of symbolic links in NFS mounts, 

where the destination of the symbolic link exists on the NFS server but 

might not exist on the NFS client. 

Figure 2-1 

Symbolic Links in NFS Mounts 

NFS server 

/ 

NFS client 

/ 

/exports 

/dir1 

/nonexports 

/file2 

/nfs 

/dir1 

Where is 

/file2? 

/file1 /link 

/file1 /link 

symbolic link 

Examples from /etc/exports 

The following example exports the /usr/bin directory to NFS clients 

cabbage, cauliflower, and broccoli. Users on client broccoli have 

read/write access to the /usr/bin directory. Users on cabbage and 

cauliflower have read-only access. In addition to the export options, 

the HP-UX permissions for the /usr/bin directory must be set to allow 

access to the world or to a group that includes the users on broccoli, 

cabbage and cauliflower. 

/usr/bin -access=cabbage:cauliflower:broccoli,rw=broccoli 

The following example allows all NFS clients read-only access to the 

directory /usr/share/man. The /usr/share/man directory must also 

allow read access to NFS users (for example, with -r--r--r-- 

permissions). 

/usr/share/man -ro 

The following example exports the /var/mail directory. It allows root 

access to clients sage, thyme, and basil. The root users on all other NFS 

clients are considered “unknown” to the NFS server, so they are given 

the access privileges of user nobody. Non-root users on all NFS clients 

26 

Chapter 2



are allowed read/write access to the /var/mail directory, if the HP-UX 

permissions on the /var/mail directory allow them read/write access. 

/var/mail -root=sage:thyme:basil 

The following example exports the private root directory of diskless 

client sage. It allows root access to the root user on client sage. All other 

users on client sage have read/write access, if they are allowed 

read/write access through the regular HP-UX permissions. Users on 

other NFS clients have read-only access, if they are allowed read access 

through the HP-UX permissions. 

/export/private_roots/sage -rw=sage,root=sage 

In the following example, any user without a valid user ID who attempts 

access to client basil’s private root directory will receive an RPC 

authentication error, because anonymous access is denied with the 

anon=65535 option. The root user on client basil is allowed root access 

to the directory, but the root users on all other machines are treated as 

“unknown” and denied access. The non-root users on all NFS clients are 

allowed read/write access, if the HP-UX permissions on that directory 

allow them read/write access. 

/export/private_roots/basil -root=basil,anon=65535 

The following example exports the /export/newsletter directory to all 

NFS clients. Root users will be given the effective user ID of 200. Other 

anonymous users will keep their own user IDs (even though they do not 

exist in the NFS server’s passwd database), but they will be given the 

access permissions associated with user ID 200. If a root user is allowed 

to create a file in this directory, the ls command will show that it is 

owned by user ID 200. If an anonymous user with a non-zero user ID (for 

example, 840) is allowed to create a file in this directory, the ls command 

will show that it is owned by user ID 840. 

/export/newsletter -anon=200 

The following example exports the /opt/frame directory to all NFS 

clients. Non-root users have read/write access (if the regular HP-UX 

permissions allow it), and root users are given the access privileges of 

user nobody. NFS writes are done asynchronously; that is, when an NFS 

client writes data to a mounted directory, the server returns a response 

before writing the data to disk. This allows the client to continue 

processing without waiting for the write request to complete. 

/opt/frame -async 

Chapter 2 27



To Enable NFS Server Capability 

1. In the /etc/rc.config.d/nfsconf file, make sure the NFS_SERVER 

and START_MOUNTD variables are set to 1, as follows: 

NFS_SERVER=1 

START_MOUNTD=1 

2. Issue the following command to run the NFS startup script: 

/sbin/init.d/nfs.server start 

The NFS startup script uses the variables in 

/etc/rc.config.d/nfsconf to determine which processes to start. 

The START_MOUNTD variable causes the NFS startup script to start 

rpc.mountd, the mount daemon. 

CAUTION 

If rpc.mountd is configured in /etc/inetd.conf on your system, set the 

START_MOUNTD flag to 0. Mounts will fail if rpc.mountd is enabled 

through both /etc/inetd.conf and /etc/rc.config.d/nfsconf. 

For more information, see the following man pages: mountd(1M) and 

inetd.conf(4). 

To Remove (Unexport) an Exported Directory 

1. On the NFS server, issue the following command for a list of all the 

NFS clients that have mounted the directory you want to unexport: 

/usr/sbin/showmount -a 

NOTE 

The output of the showmount command is not always complete. If an NFS 

client mounts a remote directory twice and unmounts it only once, the 

remote directory is still mounted on the client, but the showmount 

command does not list that client. Also, clients configured to 

automount a directory will not be listed by the showmount command if 

the directory is not currently mounted. 

2. On every NFS client that has the directory mounted, issue the 

following command for a list of the process IDs and user names of 

28 

Chapter 2



everyone using the mounted directory: 

/usr/sbin/fuser -u servername:/directory 

3. Warn any users to cd out of the directory, and kill any processes that 

are using the directory, or wait until the processes terminate. You can 

use the following command to kill all processes using the directory: 

/usr/sbin/fuser -ck local_mount_point 

4. On every NFS client that has the directory mounted, issue the 

following command to unmount the directory: 

/usr/sbin/umount local_mount_point 

or 

/usr/sbin/umount servername:/directory 

5. On every NFS client that had the directory mounted, use a text editor 

to comment out or remove the line in the /etc/fstab file that lists 

the directory you want to unexport. This prevents clients from 

attempting to mount the directory when they reboot. 

6. On every client that has the directory configured to be automounted, 

edit the /etc/auto_* files to comment out or remove the directory 

from the automounter maps. Clients that automount the directory 

may not be listed by the showmount command. 

If you are using NIS to manage your automounter maps, edit the 

/etc/auto_* files on the NIS master server, and then issue the 

following commands to regenerate the maps and push them to the 

slave servers: 

cd /var/yp 

/usr/ccs/bin/make auto.mapname auto.mapname ... 

If you are using NIS+ to manage your automounter maps, see “To 

Remove an Entry from an NIS+ Table” on page 228. 

7. If you modified any direct automounter maps or the automounter 

master map, restart the automounter. See “To Restart the 

Automounter” on page 83. 

8. On the NFS server, use a text editor to remove the line in the 

/etc/exports file that lists the directory you want to unexport. 

9. On the NFS server, issue the following command to unexport the 

directory: 

/usr/sbin/exportfs -u directory 

Chapter 2 29



If you unexport a directory that an NFS client currently has mounted, 

the next time someone on that client requests access to the directory, 

NFS will return an NFS stale file handle error message. The client 

may be able to unmount the directory, but if that does not work, the 

client must reboot to recover. 

For more information, see the following man pages: showmount(1M), 

fuser(1M), umount(1M), and exportfs(1M), make(1), and ypmake(1M). 

To Enable PC NFS Server Capability 

1. If necessary, create a file called /etc/pcnfsd.conf and add PC NFS 

configuration information to it. The /etc/pcnfsd.conf file is not 

required in order to run pcnfsd. For more information on the 

/etc/pcnfsd.conf file, type man 1M pcnfsd at the HP-UX prompt. 

2. In the /etc/rc.config.d/nfsconf file, use a text editor to set the 

PCNFS_SERVER flag to 1, as follows: 

PCNFS_SERVER=1 

3. Issue the following command to run the NFS startup script: 


The PCNFS_SERVER flag causes the NFS startup script to start the PC 

NFS server daemon, pcnfsd. As a PC NFS server, your system can 

export its directories and files to PC NFS clients. 

Following are some reasons why you might want to create an 

/etc/pcnfsd.conf file: 

• If your PC NFS client software is assigning user IDs smaller than 101 

or greater than 60002, set the uidrange in the /etc/pcnfsd.conf 

file to allow access to a different range of user IDs, as in the following 

example: 

uidrange 80-60005 

• If you want to give PC users a different set of default print options, 

the /etc/pcnfsd.conf file should contain a line similar to the 

following, which defines raw as a default print option for PC users 

submitting jobs to the printer lj3_2: 

printer lj3_2 lj3_2 lp -dlj3_2 -oraw 

The /etc/pcnfsd.conf file is read when the pcnfsd daemon starts up. 

If you make any changes to /etc/pcnfsd.conf while pcnfsd is running, 

30 

Chapter 2



you must restart pcnfsd before your changes will take effect. 

A PC must have NFS client software installed in order to use your 

system as a PC NFS server. 

For more information on pcnfsd, type man 1M pcnfsd at the HP-UX 

prompt. 

To Disable NFS Server Capability 

1. On the NFS server, issue the following command for a list of all the 

NFS clients that have directories mounted from the NFS server you 

are planning to disable: 

/usr/sbin/showmount -a 

NOTE 

The output of the showmount command is not always complete. If an NFS 

client mounts a remote directory twice and unmounts it only once, the 

remote directory is still mounted on the client, but the showmount 

command does not list that client. Also, clients that are configured to 

automount a directory will not be listed by the showmount command if 

the directory is not currently mounted. 

2. On every NFS client listed by the showmount command, issue the 

following command for each directory that is mounted from your NFS 

server: 

/usr/sbin/fuser -u servername:/directory 

This command lists the process IDs and user names of everyone using 

the mounted directory. 



use the following command to kill all processes using the directory: 


4. On every client that has directories mounted from your server, issue 

the following command: 

/usr/sbin/umount -h servername 

5. If your server will be down for a long time, edit the /etc/fstab file on 

each client to comment out or remove any NFS mounts from the 

Chapter 2 31



server you are planning to disable. This prevents the clients from 

attempting to mount directories from your server when the clients 

are rebooted. 

6. If your server will be down for a long time, edit the /etc/auto_* files 

on each client to comment out or remove any automounts from the 

server you are planning to disable. Clients that automount the 

server’s directories might not be listed by the showmount command. 

If you are using NIS to manage your automounter maps, edit the 

/etc/auto_* files on the NIS master server, and then issue the 

following commands to regenerate the maps and push them to the 


cd /var/yp 

/usr/ccs/bin/make auto.mapname auto.mapname ... 

If you are using NIS+ to manage your automounter maps, see “To 

Remove an Entry from an NIS+ Table” on page 228. 

7. If you modified any direct automounter maps or the automounter 

master map, restart the automounter. See “To Restart the 


8. Issue the following command on the server to unexport all exported 

directories: 

/usr/sbin/exportfs -au 

9. On the NFS server, edit the /etc/rc.config.d/nfsconf file to set 

the NFS_SERVER variable to 0. This prevents the NFS server daemons 

from starting up when your system reboots. If your server will be 

down only a short time, this step is unnecessary. 


10.Edit the /etc/inetd.conf file to comment out the line that contains 

rpc.mountd (if it exists) and the lines for the other RPC services. 

11.Issue the following command to disable NFS server capability: 

/sbin/init.d/nfs.server stop 

If your NFS server will be down for only a very short period of time, this 

procedure is not necessary. If the server is down for only a few minutes, 

and directories are hard-mounted on the clients, clients attempting 

access to the server will simply hang until it comes back up. Then, they 

will resume access to it as if nothing had happened. 

32 

Chapter 2



However, if the server will be down for a long time, NFS clients 

attempting access to it will have to interrupt their attempts, usually 

with [CTRL]-C. If directories are mounted with the nointr option, 

clients must reboot their systems in order to stop trying to access a down 

server. 

See the following man pages for more information: showmount(1M), 

fuser(1M), exportfs(1M), and mountd(1M). 

Chapter 2 33


Configuring and Administering an NFS Client 


An NFS client is a machine that “mounts” remote directories using 

NFS. These mounted remote directories appear to users as if they are 

part of the NFS client’s local file system. An NFS client can also be an 

NFS server. Following are the tasks involved in configuring and 

administering an NFS client. Only the first four tasks are required in 

order to get your client up and running. 

• Deciding Between Standard-Mounted Directories and Automounted 

Directories 

• To Mount a Remote Directory Using a Standard NFS Mount 

• To Enable NFS Client Capability 

• To Verify Your NFS Client Configuration 

• To Change the Default Mount Options 

• To Ensure Data Integrity Between the Client and Server 

• To Remove (Unmount) a Mounted Directory 

• To Disable NFS Client Capability 



you use SAM to configure and administer NFS. SAM (System 

Administration Manager) is Hewlett-Packard’s windows-based user 

interface for performing system administration tasks. To run SAM, type 

sam at the HP-UX prompt. SAM has an extensive online help facility. 

Deciding Between Automounter and AutoFS 

Beginning with the HP-UX Extension Pack Release, August 1998 (for 

HP-UX 11.0), a new automounting utility, AutoFS, is available in 

addition to the pre-existing Automounter. You can configure your system 

to use either Automounter or AutoFS. Automounter is the default on a 

newly installed or updated system. However, you may choose to migrate 

to AutoFS, since it has several advantages over Automounter: 

• AutoFS can be used to mount any type of file system, including NFS 

Protocol Version 3. (The pre-existing Automounter can be used only 

for NFS PV2.) 

34 

Chapter 2



• With AutoFS the configured mount points are the actual mount 

points. (The pre-existing Automounter mounts directories under 

/tmp_mnt and creates symbolic links from the configured mount 

points to the actual ones under /tmp_mnt.) 

• You do not have to stop AutoFS to change your automounter maps. 

The AutoFS daemon, automountd, runs continuously. When you 

make a change to an automounter map, you run the automount 

command, which reads the maps and then exits. (The pre-existing 

automounter has to be killed and restarted whenever you make a 

change to an automounter map.) 

For information on migrating to AutoFS, see “Migrating From 

Automounter to AutoFS” on page 88. 

Deciding Between Standard-Mounted Directories and 

Automounted Directories 

Before you mount any remote directories on your local system, decide 

whether you want each directory to be standard-mounted or 

automounted; you can automount directories using either AutoFS or 

Automounter. Table 2-1 lists the advantages and disadvantages of each 

type of mount. 

Standard-mounted directories stay mounted until you explicitly 

unmount them. Automounted directories stay mounted until they are 

left idle for five minutes. You can change this default as follows: 

• If you are using AutoFS, you can change the five minute default by 

adding the -t duration option to the AUTOMOUNT_OPTIONS 

variable in the /etc/rc.config.d/nfsconf file. 

For instructions on using AutoFS, see “Configuring and 

Administering AutoFS” on page 86. 

• If you are using the Automounter, you can change the five minute 

default by adding the -tl duration option to the AUTO_OPTIONS 

variable in the /etc/rc.config.d/nfsconf file. 

For instructions on using the Automounter, see “Configuring and 

Administering the NFS Automounter” on page 55. 

Chapter 2 35



Table 2-1 

Standard-Mounted vs. Automounted Directories 

Standard-Mounted 

Directory 

Advantage: 

Configuration is simpler 

than for automounted 

directories. Only one file 

(/etc/fstab) is used to 

configure standard 

mounts. 

Advantage: Standard 

mounts can be added 

and removed easily 

during run time, 

without interrupting 

NFS access to other 

directories. 

Advantage: The 

directory stays 

mounted, so you never 

have to wait for it to be 

mounted after you issue 

a read or write request. 

Automounted Directory 

(using AutoFS) 

Disadvantage: Configuration 

can be more complicated 

than for standard mounts. 

Multiple files are usually 

required to configure 

AutoFS. 

Advantage: Directories 

mounted using AutoFS can 

be added and removed easily 

during run time, without 

interrupting NFS access to 

other directories. 

Disadvantage: If the 

automounted directory has 

timed out and been 

unmounted, and you attempt 

to read it or write to it, you 

may have to wait a few 

seconds for it to be mounted 

again. 


(using Automounter) 

Disadvantage: Configuration 

can be more complicated than 

for standard mounts. Multiple 

files are usually required to 

configure the Automounter. 

Disadvantage: Some 

automounted directories can be 

changed easily during run time, 

but others cannot be changed, 

added, or removed without 

restarting the automounter. 

Disadvantage: If the 

automounted directory has 

timed out and been unmounted, 

and you attempt to read it or 

write to it, you may have to wait 

a few seconds for it to be 

mounted again. 

36 

Chapter 2



Table 2-1 




Advantage: The 

configured mount point 

is the actual mount 

point. This is 

straightforward and 

does not confuse users 

or programs that 

require NFS-mounted 

files and directories. 



Advantage: The configured 

mount point is the actual 

mount point. This is 

straightforward and does not 

confuse users or programs 

that require NFS-mounted 




Disadvantage: The 

automounter maintains its own 

directory of mount points, and 

the mount points you configure 

are links to this directory. A 

user using an automounted 

directory could be confused by 

the output of the pwd command 

in a C or Bourne shell, which 

displays the actual mount point 

under /tmp_mnt rather than 

the configured mount point. 

(The Korn shell pwd command 

displays the configured mount 

point.) 

If a directory is not mounted, 

attempting access to the actual 

mount point will not cause a 

mount to occur, but attempting 

access to the configured mount 

point will. This can be confusing 

to users and to programs that 

use the pwd command, like the 

at command. 

Chapter 2 37



Table 2-1 




Disadvantage: If a 

directory is configured 

to be standard- mounted 

when your system boots, 

and the NFS server for 

the directory is not 

booted yet, your system 

will hang until the NFS 

server becomes 

available. If your system 

and the server are 

configured to mount 

directories from each 

other at boot time, 

standard mounts can 

cause both systems to 

hang indefinitely. 

Disadvantage: The 

configuration file for 

standard mounts 

(/etc/fstab) must be 

maintained separately 

on each NFS client. 

Not Applicable 



Advantage: A directory 

automounted with AutoFS is 

not mounted until a user or 

process requests access to it, 

so both your system and the 

NFS server will have time to 

boot before any attempt is 

made to mount the directory. 

Advantage: AutoFS 

configuration files (maps) 

may be managed centrally 

through NIS or NIS+. 

Advantage: You do not have 

to stop AutoFS to change 

your automounter maps. The 

AutoFS daemon, 

automountd, runs 

continuously. When you 

make a change to an 

automounter map, you run 

the automount command, 

which reads the maps and 

then exits. 



Advantage: A directory 

automounted with 

Automounter is not mounted 

until a user or process requests 

access to it, so both your system 

and the NFS server will have 

time to boot before any attempt 

is made to mount the directory. 

Advantage: Automounter 

configuration files (maps) may 

be managed centrally through 

NIS or NIS+. 

Disadvantage: Automounter 

must be killed and restarted 

whenever you make a change to 

an automounter map. 

38 

Chapter 2



Table 2-1 




Disadvantage: Only one 

NFS server may be 

configured for each 

standard-mounted 

directory. 

Disadvantage: If you 

have to configure many 

similar standard 

mounts, you must 

configure each of them 

individually, because 

you cannot use wildcard 

characters or 

environment variables 

when you configure 

standard NFS mounts. 

Disadvantage: Standard 

NFS mounts provide no 

shortcut for configuring 

all available remote 

directories; each 

directory must be 

configured explicitly. If 

the NFS servers change 

which directories they 

are exporting, you must 

change your local NFS 

client configuration. 



Advantage: Multiple servers 

may be configured for a 

single automounted 

directory, for reliability and 

load balancing. All servers 

are polled simultaneously, 

and the directory is mounted 

from the first server to 

respond. 

Advantage: AutoFS allows 

you to use wildcard 

characters and environment 

variables in configuration 

files (maps) as shortcuts 

when you are configuring 

many similar automounts. 

Advantage: AutoFS allows 

you to configure a special 

“built-in” map (the -hosts 

map), which causes all the 

exported directories from 

any NFS server on the 

network to be automounted 

on your system whenever 

anyone requests access to a 

directory on that server. The 

servers can change which 

directories they export, and 

your configuration remains 

valid. 



Advantage: Multiple servers 

may be configured for a single 

automounted directory, for 

reliability and load balancing. 

All servers are polled 

simultaneously, and the 

directory is mounted from the 

first server to respond. 

Advantage: The automounter 

allows you to use wildcard 

characters and environment 

variables in configuration files 

(maps) as shortcuts when you 

are configuring many similar 

automounts. 

Advantage: The automounter 

allows you to configure a special 

“built-in” map (the -hosts 

map), which causes all the 

exported directories from any 

NFS server on the network to 

be automounted on your system 

whenever anyone requests 

access to a directory on that 

server. The servers can change 

which directories they export, 

and your configuration remains 

valid. 

Chapter 2 39



To Mount a Remote Directory Using a Standard NFS 

Mount 

1. In the /etc/fstab file, use a text editor to add a line for each remote 

directory you want mounted on your system. If the /etc/fstab file 

does not exist, you will have to create it. A line in the /etc/fstab file 

has the following syntax: 

server:remote_directory local_directory nfs defaults 0 0 

or 

server:remote_directory local_directory nfs 

option[,option...] 0 0 

For descriptions of the mount options, see “To Change the Default 

Mount Options” on page 43. 

2. If your system is already running as an NFS client, issue the 

following command to mount each remote directory you have added to 

the /etc/fstab file: 

/usr/sbin/mount local_directory 

Or, issue the following command to mount all the directories listed in 

the /etc/fstab file: 

/usr/sbin/mount -a 

The remote directories listed in the /etc/fstab file will be mounted 

automatically when you enable NFS client capability or reboot your 

system. See “To Enable NFS Client Capability” on page 42. 

The local directory you configure as a mount point must exist and should 

be empty. If the local mount point contains files or directories, they will 

be hidden and inaccessible while the remote directory is mounted over 

them. 

Before you can mount a remote directory on your system, the remote 

system where the directory is located must be configured as an NFS 

server and must export the directory. 

To mount a directory temporarily, issue the mount command, but do not 

add the mount to the /etc/fstab file. It will stay mounted until you 

reboot your system or until you unmount it with the umount command. 

For more information, type man 4 fstab or man 1M mount at the HP-UX 

prompt. 

40 

Chapter 2



Example NFS Mount of man pages 

broccoli:/usr/share/man /usr/share/man NFS ro 0 0 

This example mounts the directory /usr/share/man from the NFS 

server broccoli. The local mount point is also /usr/share/man. The 

directory is mounted read-only. Figure 2-2 illustrates this example: 

Figure 2-2 

NFS Mount of man pages 

NFS server "broccoli" 

/ 

local NFS client 

/ 

/usr /etc 

/opt 

/usr /etc 

/opt 

/share 

/share 

/man 

/man 

/man1 /man2 /man3 

/man1 /man2 /man3 

Chapter 2 41



Example NFS Mount of Home Directories 

broccoli:/home/broccoli /home/broccoli nosuid 0 0 

cauliflower:/home/cauliflower /home/cauliflower nosuid 0 0 

This example mounts the home directories from NFS servers broccoli 

and cauliflower on the local NFS client. The nosuid option prevents 

programs with setuid permission from executing on the local client. 

Figure 2-3 illustrates this example: 

Figure 2-3 

NFS Mount of Home Directories 

NFS server "cauliflower" 

/ 


/ 

NFS server "broccoli" 

/ 

/usr 

/home 

/etc 

/usr 

/home 

/etc 

/usr 

/home 

/etc 

/cauliflower 

/cauliflower 

/broccoli 

/broccoli 

/sandra /wendie /sandra /wendie /claudia /ann /claudia /ann 

To Enable NFS Client Capability 

1. In the /etc/rc.config.d/nfsconf file, make sure the NFS_CLIENT 

variable is set to 1, as follows: 

NFS_CLIENT=1 

2. Run the NFS startup script by issuing the following command: 

/sbin/init.d/nfs.client start 

Setting the NFS_CLIENT variable to 1 causes the NFS startup script to be 

run whenever you reboot your system. 

The NFS startup script starts the necessary NFS client daemons and 

mounts the remote directories configured in the /etc/fstab file. 

42 

Chapter 2



To Verify Your NFS Client Configuration 

• After you have configured the directories you want to mount and 

enabled NFS client capability, issue the ls command in the local 

directories you have configured as NFS mount points. If your NFS 

client is working correctly, the ls command will list the contents of 

mounted directories. If the local directories are empty, or if you get 

error messages, see “Troubleshooting NFS Services” on page 273. 

To Change the Default Mount Options 

1. Include the NFS mount options in your /etc/fstab file or 

automounter map as needed. Table 2-2 lists the NFS mount options. 

2. If you changed the mount options in the automounter master map, 

you must restart the automounter before your changes will take 

effect. See “To Restart the Automounter” on page 83. 

If you changed the mount options for a directory that is currently 

mounted, you must unmount and remount it before your changes will 

take effect. Issue the following commands: 

/usr/sbin/umount local_directory 

/usr/sbin/mount local_directory 

Table 2-2 

rw 

(read/write) 

or 

ro (read-only) 

(default: rw) 

suid 

or 

nosuid 

(default: suid) 

NFS Mount Options 

Use rw for data that users need to modify. In order for you to mount a 

directory read/write, the NFS server must export it read/write. 

Use ro for data you do not want users to change. A directory that is 

automounted from several servers should be read-only, to keep versions 

identical on all servers. 

Specify suid if you want to allow mounted programs that have setuid 

permission to run with the permissions of their owners, regardless of who 

starts them. If a program with setuid permission is owned by root, it will 

run with root permissions, regardless of who starts it. 

Specify nosuid to protect your system against setuid programs that may 

run as root and damage your system. 

Chapter 2 43



Table 2-2 

hard 

or 

soft 

(default: hard) 

intr 

or 

nointr 

(default: intr) 

fg 

(foreground) 

or 

bg 

(background) 

(default: fg) 


Specify hard if users will be writing to the mounted directory or running 

programs located in it. When NFS tries to access a hard-mounted 

directory, it keeps trying until it succeeds or someone interrupts its 

attempts. If the server goes down, any processes using the mounted 

directory hang until the server comes back up and then continue 

processing without errors. Interruptible hard mounts may be interrupted 

with CTRL-C or kill (see the intr option, later). 

Specify soft if the server is unreliable and you want to prevent systems 

from hanging when the server is down. When NFS tries to access a 

soft-mounted directory, it gives up and returns an error message after 

trying retrans times (see the retrans option, later). Any processes using 

the mounted directory will return errors if the server goes down. 

Specify intr if users are not likely to damage critical data by manually 

interrupting an NFS request. If a hard mount is interruptible, a user may 

press [CTRL]-C or issue the kill command to interrupt an NFS mount 

that is hanging indefinitely because a server is down. 

Specify nointr if users might damage critical data by manually 

interrupting an NFS request, and you would rather have the system 

hang while the server is down than risk losing data between the client 

and the server. 

Specify fg for directories that are necessary for the client machine to boot 

or operate correctly. If a foreground mount fails, it is retried again in the 

foreground until it succeeds or is interrupted. All automounted 

directories are mounted in the foreground; you cannot specify the bg 

option with automounted directories. 

Specify bg for mounting directories that are not necessary for the client to 

boot or operate correctly. Background mounts that fail are retried in the 

background, allowing the mount process to consider the mount complete 

and go on to the next one. If you have two machines configured to mount 

directories from each other, configure the mounts on one of the machines 

as background mounts. That way, if both systems try to boot at once, they 

will not become deadlocked, each waiting to mount directories from the 

other. The bg option cannot be used with automounted directories. 

44 

Chapter 2



Table 2-2 

devs 

or nodevs 

(default: devs) 

timeo=n 

(default=7) 

retrans=n 

(default=4) 

retry=n 

(default=1) 


Specify devs if you are mounting device files from a server whose device 

files will work correctly on the client. The devs option allows you to use 

NFS-mounted device files to read and write to devices from the NFS 

client. It is useful for maintaining a standard, centralized set of device 

files, if all your systems are configured similarly. 

Specify nodevs if device files mounted from a server will not work 

correctly for reading and writing to devices on the NFS client. The 

nodevs option generates an error if a process on the NFS client tries to 

read or write to an NFS-mounted device file. 

The timeout, in tenths of a second, for NFS requests (read and write 

requests to mounted directories). If an NFS request times out, this 

timeout value is doubled, and the request is retransmitted. After the NFS 

request has been retransmitted the number of times specified by the 

retrans option (see below), a soft mount returns an error, and a hard 

mount retries the request. The maximum timeo value is 30 (3 seconds). 

Try doubling the timeo value if you see several server not responding 

messages within a few minutes. This can happen because you are 

mounting directories across a gateway, because your server is slow, or 

because your network is busy with heavy traffic. 

The number of times an NFS request (a read or write request to a 

mounted directory) is retransmitted after it times out. If the request does 

not succeed after n retransmissions, a soft mount returns an error, and a 

hard mount retries the request. 

Increase the retrans value for a directory that is soft-mounted from a 

server that has frequent, short periods of down time. This gives the 

server sufficient time to recover, so the soft mount does not return an 

error. 

The number of times the NFS client attempts to mount a directory after 

the first attempt fails. If you specify intr, you can interrupt the mount 

before n retries. However, if you specify nointr, you must wait until n 

retries have been made, until the mount succeeds, or until you reboot the 

system. 

If mounts are failing because your server is very busy, increasing the 

retry value may fix the problem. 

Chapter 2 45



Table 2-2 

rsize=n 

(default=8192 

) 

wsize=n 

(default=8192 

) 

vers=n 

(default=3) 

O (Overlay 

mount) 

default: not 

specified 


The number of bytes the NFS client requests from the NFS server in a 

single read request. 

If packets are being dropped between the client and the server, decrease 

rsize to 4096 or 2048. To find out whether packets are being dropped, 

issue the NFSstat -rc command at the HP-UX prompt. If the timeout 

and retrans values returned by this command are high, but the badxid 

number is close to zero, then packets are being dropped somewhere in the 

network. 

The number of bytes the NFS client sends to the NFS server in a single 

write request. 

If packets are being dropped between the client and the server, decrease 

wsize to 4096 or 2048. To find out whether packets are being dropped, 

issue the NFSstat -rc command at the HP-UX prompt. If the timeout 

and retrans values returned by this command are high, but the badxid 

number is close to zero, then packets are being dropped somewhere in the 

network. 

The version of the NFS protocol to use. By default, the local NFS client 

will attempt to mount the file system using NFS version 3. If the NFS 

server does not support version 3, the file system will be mounted using 

version 2. 

If you know that the NFS server does not support version 3, specify 

vers=2, and you will save time during the mount, because the client will 

not attempt to use version 3 before using version 2. 

Allows the file system to be mounted over an existing mount point, 

making the underlying file system inaccessible. If you attempt to mount a 

file system over an existing mount point without the -O option, the mount 

will fail with the error device busy. 

Caution: Using the -O mount option can put your system in a confusing 

state. The -O option allows you to hide local data under an NFS mount 

point without receiving any warning. Local data hidden beneath an NFS 

mount point will not be backed up during regular system backups. 

On HP-UX, the -O option is valid only for NFS-mounted file systems. For 

this reason, if you specify the -O option, you must also specify the -F nfs 

option to the mount command or the nfs file system type in the 

/etc/fstab file. 

46 

Chapter 2



Table 2-2 

proto= 

remount 

default: not 

specified 

grpid 

default: not 

specified 

Table 2-3 


Allows user to specify which transport option should be used: UDP or 

TCP. Once specified, NFS only attempts to connect using that transport 

option. If the specified transport option is not available, the mount fails. 

If the file system is mounted read-only, this option remounts it 

read/write. This allows you to change the access permissions from 

read-only to read/write without forcing everyone to leave the mounted 

directory or killing all processes using it. 

Forces a newly created file in the mounted file system to inherit the group 

ID of the parent directory. 

By default, a newly created file inherits the effective group ID of the 

calling process, unless the GID bit is set on the parent directory. If the 

GID bit is set, the new file inherits the group ID of the parent directory. 

Several NFS mount options allow you to change the length of time file 

and directory attributes remain cached on the NFS client. By default, an 

NFS client caches certain attributes of files and directories, like their 

ownership, size, and modification time. If a user on an NFS client is 

making a series of changes to a file, the changes to the file’s attributes 

are cached and modified locally on the client, and finally, the resulting 

attributes are sent to the server. 

NFS Caching Options 

noac 

(default: not 

specified) 

nocto 

(default: not 

specified) 

If specified, this option prevents the NFS client from caching attributes for 


Specify noac for a directory that will be used frequently by many NFS 

clients. The noac option ensures that the file and directory attributes on the 

server are up to date, because no changes are cached on the clients. 

However, if many NFS clients using the same NFS server all disable 

attribute caching, the server may become overloaded with attribute 

requests and updates. You can also use the actimeo option to set all the 

caching timeouts to a small number of seconds, like 1 or 3. 

If you specify noac, do not specify the other caching options. 

If specified, this option suppresses fresh attributes when opening a file. 

Specify nocto for a file or directory that never changes, to decrease the load 

on your network. 

Chapter 2 47



Table 2-3 

acdirmax=n 

(default=60) 

acdirmin=n 

(default=30) 

acregmax=n 

(default=60) 

acregmin=n 

(default=3) 


The maximum number of seconds a directory’s attributes are cached on the 

NFS client. When this timeout period expires, the client flushes its attribute 

cache, and if the attributes have changed, the client sends them to the NFS 

server. 

For a directory that rarely changes or that is owned and modified by only 

one user, like a user’s home directory, you can decrease the load on your 

network by setting acdirmax=120 or higher. 

The minimum number of seconds a directory’s attributes are cached on the 

NFS client. If the directory is modified before this timeout expires, the 

timeout period is extended by acdirmin seconds. 

For a directory that rarely changes or that is owned and modified by only 

one user, like a user’s home directory, you can decrease the load on your 

network by setting acdirmin=60 or higher. 

The maximum number of seconds a file’s attributes are cached on the NFS 

client. When this timeout period expires, the client flushes its attribute 

cache, and if the attributes have changed, the client sends them to the NFS 

server. 

For a file that rarely changes or that is owned and modified by only one user, 

like a file in a user’s home directory, you can decrease the load on your 

network by setting acregmax=120 or higher. 

The minimum number of seconds a file’s attributes are cached on the NFS 

client. If the file is modified before this timeout expires, the timeout period 

is extended by acregmin seconds. 

For a file that rarely changes or that is owned and modified by only one user, 

like a file in a user’s home directory, you can decrease the load on your 

network by setting acdirmin=30 or higher. 

48 

Chapter 2



Table 2-3 

actimeo=n 

(no default) 


Setting actimeo to n seconds is equivalent to setting acdirmax, acdirmin, 

acregmax, and acregmin to n seconds. 

Set actimeo=1 or actimeo=3 for a directory that is used and modified 

frequently by many NFS clients. This ensures that the file and directory 

attributes are kept reasonably up to date, even if they are changed 

frequently from various client locations. 

Set actimeo=120 or higher for a directory that rarely or never changes. 

If you set the actimeo value, do not set the acdirmax, acdirmin, acregmax, 

or acregmin values. 

To Ensure Data Integrity Between the Client and 

Server 

• Make sure the directory is exported from the server with the noasync 

option (the default). If the directory is exported with the async 

option, the NFS server will acknowledge NFS writes before writing 

data to disk. Changing an exported directory from async to noasync 

degrades write performance for that directory. 

• If users or applications will be writing to the NFS-mounted directory, 

make sure it is mounted with the hard option (the default), rather 

than the soft option. 

• If you have a small number of NFS applications that require absolute 

data integrity, add the O_SYNC flag to the open() calls in your 

applications. When you open a file with the O_SYNC flag, a write() 

call will not return until the write request has been sent to the NFS 

server and acknowledged. The O_SYNC flag degrades write 

performance for applications that use it. 

• If you have a large number of NFS applications requiring absolute 

data integrity, or if your entire installation needs a high degree of 

data integrity, set the NUM_NFSIOD variable to 0 in the 

/etc/rc.config.d/nfsconf file on each client, as follows, 

NUM_NFSIOD=0 

and issue the following commands to kill all the biod daemons (PID is 

a process ID returned by the ps command): 

/usr/bin/ps -ef | /usr/bin/grep biod 

Chapter 2 49



/usr/bin/kill PID PID ... 

The biod daemons improve write performance by handling NFS 

write requests from users and applications. After a write request is 

passed to a biod daemon, control is returned to the user or 

application. Running a client without biod daemons degrades write 

performance for all users and applications on that client. 

• If multiple NFS users will be writing to the same file, add the 

lockf() call to your applications to lock the file so that only one user 

may modify it at a time. 

If multiple users on different NFS clients will be writing to the file, 

you must also turn off attribute caching on those clients by mounting 

the file with the noac option. 

For more information, see the following man pages: mount(1M), open(2), 

write(2), lockf(2), and biod(1M). 

To Remove (Unmount) a Mounted Directory 

1. On the NFS client, issue the following command to determine 

whether the directory you want to unmount is currently in use: 

/usr/sbin/fuser -cu local_mount_point 





use the following command to kill all processes using the mounted 

directory: 


3. If you want to remove the mounted directory permanently, use an 

editor to remove the appropriate line in the /etc/fstab file. 

If you want to remove the mounted directory temporarily, leave the 

line in /etc/fstab, and the directory will be mounted again when 

you reboot your system or run the NFS startup script. 

4. Issue the following command at the HP-UX prompt: 


If any user or process is using the remote directory, NFS cannot 

unmount it and will issue an error message. 

50 

Chapter 2



For more information, type man 1M mount or man 1M fuser at the 

HP-UX prompt. 

To Disable NFS Client Capability 

1. On the NFS client, issue the mount(1M) command with no options, to 

get a list of all the mounted file systems on the client: 

/usr/sbin/mount 

2. For every NFS-mounted directory listed by the mount command, issue 

the following command to determine whether the directory is 

currently in use: 






use the following command to kill all processes using the mounted 

directory: 


4. Issue the following command on the client to unmount all 

NFS-mounted directories: 

/usr/sbin/umount -at nfs 

5. Edit the /etc/rc.config.d/nfsconf file on the client to set the 

NFS_CLIENT and AUTOMOUNT variables to 0. This prevents the client 

processes from starting up again when you reboot the client. 


AUTOMOUNT=0 

6. Issue the following command to disable NFS client capability: 

/sbin/init.d/nfs.client stop 

For more information, type man 1M mount or man 1M fuser at the 

HP-UX prompt. 

Chapter 2 51


NFS Client and Server Transport Connections 


NFS runs over both UDP and TCP transport protocols. The default 

transport protocol is TCP. Using the TCP protocol increases 

dependability on wide-area networks. Packets are successfully delivered 

more consistently. TCP provides congestion control and error recovery. 

NFS over TCP works with NFS version 2 and version 3. 

NFS Client TCP Connections 

An NFS client has a maximum number of connections for each server. By 

default the maximum number of connections is one. The total maximum 

number of connections on the client is the number of NFS servers 

multiplied by the maximum number of connections allowed for each 

server. 

For example, say the maximum number of connections allowed for 

client1 is two, if the network environment allowed client1 access to five 

servers, the total number of connections allowed for client1 is 10: two on 

each server. An NFS client remains connected to the NFS server until 

the client becomes inactive: idle or disconnected by the client. By default, 

idle time is 5 minutes. This means that there is no outbound request for 

more than 5 minutes. 

Support of 32K Transfer 

NFS supports 32K transfer sizes across both TCP and UDP transport. 

By default, NFS transfers 8K sizes. To specify 32k transfer sizes, set the 

mount option for read- and write- size to 32k. 

mount -F nfs -o rsize=32768, w=32768 

Specifying TCP or UDP Connections 

Using the mount command from the client with no protocol parameters, 

the behavior will be first to try to establish a TCP connection with the 

server. If that fails, then it will try to establish a UDP connection with 

the server. 

You can tell NFS to establish ONLY a TCP connection using the 

following command: 

52 

Chapter 2



mount -o proto=tcp 

If TCP is not available on the server, the mount fails. 

You can tell NFS to establish ONLY a UDP connection using the 


mount -o proto=udp 

If UDP is not available on the server, the mount fails. 

NFS Server TCP Connections 

On the NFS server, to ensure a request for a TCP connection will be 

successful, the service must be advertised in the /etc/services name 

database file. This database advertises the availability of TCP on the 

server through port 2049. The entry appears in the /etc/services 

name database file. There is also an entry for UDP. They are as follows: 

nfsd 2049/tcp #NFS remote file system 

nfsd 2049/udp #NFS remote file system 

NOTE 

Note that these entries are automatically added to the /etc/services 

file since this service must be advertised in order to start the server 

daemon (nfsd) correctly. Be sure that the local map resolution points to 

the local file. If NIS maps are used, be sure that the services file used by 

NIS also contains this additional entry for TCP. 

Changes to the NFS Server Daemon 

For NFS over UDP, the number of NFS server daemons (nfsd) is at 

minimum equal to the number of active processors. This number can 

actually be a multiple of the number of active processors running. When 

NFS is running over TCP, only one additional daemon is started. 

You can start a daemon for either transport type or both. Here’s a list of 

ways you can specify the NFS daemon. 

• You can start one daemon that will run over all the supported 

transports, including UDP and TCP. Type: /usr/sbin/nfsd -a 

, where is the number of UDP and TCP 

daemons you want started. 

Chapter 2 53



• You can start the NFS daemon over either protocol you choose: TCP 

or UDP. To specify one or the other, type: /usr/sbin/nfsd -p 

where is either 

TCP or UDP. 

• You can start the daemon for the transport protocol that the device 

specifies. Type: /usr/sbin/nfsd -t , where 

is the name of the device that specifies the transport 

protocol you want to use. 

Severing the Connection 

The server connection is terminated by nfsd when one of the following 

occurs: 

1. When the connection has been idle for more than six minutes. Idle is 

defined as no outbound requests. 

2. When the maximum number of connections is reached. If a request 

for a connection comes in when this is the case, the least recently 

used connection will be broken. The request for a connection is then 

established. 

3. When the NFS daemon (nfsd) receives a disconnecting event or 

unrecoverable error. For example, when a client crashes. 

54 

Chapter 2


Configuring and Administering the NFS Automounter 

Configuring and Administering the NFS 

Automounter 

This section tells you how to configure the NFS automounter. The 

automounter mounts directories automatically when users or processes 

request access to them, and it unmounts them automatically after they 

have been idle for a period of time (five minutes, by default). Following 

are the tasks involved in configuring the NFS automounter. Tasks 1 and 

14 alone will get the automounter up and running on your system. 

Before configuring the automounter, see “Deciding Between 

Standard-Mounted Directories and Automounted Directories” on page 

35. 

The automounter does not support NFS protocol version 3. Automounted 

file systems will be mounted with NFS protocol version 2. The following 

topics are covered in this section: 

1. “To Automount All Exported Directories from Any Host Using the 

-hosts Map” on page 56 

2. “To Decide Between Direct and Indirect NFS Automounts” on page 

58 

3. “To Mount a Remote Directory Using a Direct Automounter Map” on 

page 61 

4. “To Mount a Remote Directory Using an Indirect Automounter Map” 

on page 64 

5. “To Configure Multiple (Replicated) Servers for an Automounted 

Directory” on page 68 

6. “To Use Environment Variables as Shortcuts in Automounter Maps” 

on page 69 

7. “To Use Wildcard Characters as Shortcuts in Automounter Maps” on 

page 69 

8. “To Automount Users’ Home Directories with the -passwd Map” on 

page 71 

9. “To Automount Users’ Home Directories with Wildcard Characters” 

on page 74 

10.“To Automount Multiple Directories Simultaneously (Hierarchical 

Chapter 2 55



Mounts)” on page 77 

11.“To Improve Automounter Performance with Subdirectory Notation 

in Indirect Maps” on page 77 

12.“To Include an Automounter Map in Another Automounter Map” on 

page 79 

13.“To Turn Off an Automounter Map with the -null Map” on page 80 

14.“To Enable the NFS Automounter” on page 81 

15.“To Verify Your Automounter Configuration” on page 81 

16.“To Modify or Remove (Unmount) an Automounted Directory” on 

page 83 

17.“To Restart the Automounter” on page 83 



you use SAM to configure and administer the automounter. SAM 

(System Administration Manager) is Hewlett-Packard’s windows-based 

user interface for performing system administration tasks. To run SAM, 

type sam at the HP-UX prompt. SAM has an extensive online help 

facility. 

NOTE 

SAM does not support specifying maps or directories on the automount 

command line. SAM finds automounter maps only if they are listed in 

the master map. SAM recognizes automounted directories only if they 

are listed in an automounter map. 

To Automount All Exported Directories from Any 

Host Using the -hosts Map 

• If you are using local files for your automounter maps, use an editor 

to add the following line to the automounter master map file (usually 

called /etc/auto_master): 

/net -hosts -nosuid 

If you are using NIS to manage your automounter maps, add the line 

to the master map file on the NIS master server, and then issue the 

following commands to rebuild the map and push it out to slave 

56 

Chapter 2



servers: 

cd /var/yp 

/usr/ccs/bin/make auto.master 

If you are using NIS+ to manage your automounter maps, issue the 

following command to add an entry to the NIS+ auto_master table: 

nistbladm -a key=”/net” value=”-hosts -nosuid” \ 

auto_master.org_dir 

The local mount point (/net) should not exist. 

This configuration change will not take effect until you restart the 

automounter or reboot your system with the automounter enabled. See 

“To Enable the NFS Automounter” on page 81 or “To Restart the 


The -hosts map is a “built-in” automounter map; you do not have to 

create it. The -hosts map causes the automounter to mount all the 

exported directories from any NFS server on the network whenever a 

user or process requests access to one of the exported directories from 

that server. 

CAUTION 

Because the -hosts map allows NFS access to any reachable remote 

system, a user may inadvertently cause an NFS mount over X.25 or 

SLIP, which is unsupported, or through a slow router or gateway. Mounts 

over slow links may cause excessive retransmissions and degrade 

performance for all users. 

When a user or process requests a directory from an NFS server, the 

automounter creates a subdirectory, named after the NFS server, under 

the local mount point you configured in the automounter master map. 

(The conventional mount point for the -hosts map is /net.) Then the 

automounter mounts all the exported directories from that server under 

the subdirectory it created. Directories will stay mounted until they are 

left idle for five minutes. The five minute default can be changed by 

adding the -tl duration option to the AUTO_OPTIONS variable in the 

/etc/rc.config.d/nfsconf file. 

For example, if server sage exports /opt and /apps, and a user on your 

NFS client types the following command, 

cd /net/sage/opt/frame 

Chapter 2 57



the subdirectory /sage is created under /net, and /opt and /apps are 

mounted under /sage. Figure 2-4 shows the automounted file structure 

after the user’s command. 

Figure 2-4 

Automounted Directories from -hosts Map—One Server 

/net 

/sage 

/opt /apps 

If server thyme exports the directory /exports/proj1, and a user types 

the following command, 

more /net/thyme/exports/proj1/readme 

the subdirectory /thyme is created under /net, and /exports/proj1 is 

mounted under /thyme. Figure 2-5 shows the automounted directory 

structure after the second user’s command. 

Figure 2-5 

Automounted Directories from -hosts Map—Two Servers 

/net 

/sage 

/thyme 

/opt /apps 

/exports 

/proj1 

The -hosts map is an indirect map. It uses the hosts database (the 

/etc/hosts file, the NIS hosts map, the NIS+ hosts table, or BIND 

[DNS]) to find a host on the network. 

To Decide Between Direct and Indirect NFS 

Automounts 

• Before you automount a remote directory, decide whether you want to 

use a direct or indirect automounter map. Table 2-4 lists the 

advantages and disadvantages of each type of map. 

58 

Chapter 2



Table 2-4 

Direct Map 

In general, an indirect map is better than a direct map, because it is 

easier to modify while the automounter is running, and because it does 

not cause “mount storms” in directories with many automount points. 

However, if your automounted directory must share the same parent 

directory with local or standard-mounted directories, or if users must 

always get a complete list of available files and directories when they 

issue the ls command, you should choose a direct map. 

Table 2-4 lists the advantages and disadvantages of direct and indirect 

automounter maps. 

Direct vs. Indirect Automounter Map Types 

Indirect Map 

Advantage: A user can see the contents of 

a direct-mounted directory with the ls 

command. If the contents are not currently 

mounted, ls causes them to be mounted. 

Advantage: Direct-mounted automounted 

directories can share the same parent 

directory with local or standard-mounted 


Disadvantage: If you add or remove 

mounts in a direct map, or if you change 

the local mount point for an existing 

mount in a direct map, you have to restart 

the automounter or reboot your system 

before the automounter sees the changes 

you made. 

Disadvantage: When a user or program 

accesses a directory containing many 

direct mount points, all the directories are 

mounted, whether they are needed or not. 

This can cause a flurry of mount activity. 

Disadvantage: If a user types ls to see the 

contents of an indirect-mounted directory, it 

appears empty unless its subdirectories are 

currently mounted. The user must cd to a 

subdirectory or type ls subdirectory to 

cause it to be mounted. 

Disadvantage: An indirect map turns the 

parent directory of the mount points into a 

symbolic link and hides any local, 

standard-mounted, or direct-mounted files or 

directories underneath it. 

Advantage: If you modify an indirect map, the 

automounter will see the changes the next 

time it mounts the directory, so you don’t have 

to restart the automounter. 

Advantage: When a user or program accesses 

a directory containing many indirect mount 

points, only directories that are already 

mounted appear. 

Chapter 2 59



How the Automounter Sets Up Direct and Indirect Mounts 

When a user or program requests access to a remote directory, the 

automounter mounts it under its own directory, called /tmp_mnt. Then, 

the automounter creates a symbolic link from the mount point you 

configured to the mount point under /tmp_mnt. For example, if you 

configured the local mount point as /usr/bin, the automounter would 

mount the directory under /tmp_mnt/usr/bin and create a symbolic link 

from /usr/bin to /tmp_mnt/usr/bin. 

The automounts configured in a direct map may be mounted in various 

places in the local file system. Symbolic links are created from the 

configured mount points to the corresponding mount points under 

/tmp_mnt. 

The automounts configured in an indirect map are all mounted under the 

same local parent directory. A symbolic link is created from the parent 

directory of the configured mount points to the corresponding parent 

directory under /tmp_mnt. 

Figure 2-6 shows the difference between direct mounts and indirect 

mounts on an NFS client. 

Figure 2-6 

The Difference Between Direct Mounts and Indirect Mounts 

direct mounts 

indirect mounts 

/ 

/ 

/tmp_mnt 

configured 

parent directory 

/tmp_mnt 

configured 


actual 


actual 


= mounted directory 

= symbolic link 

Attempting to read or write directly to the /tmp_mnt directory does not 

60 

Chapter 2



cause the automounter to mount any directories that are not already 

mounted. You must access the automounted directories through the 

mount points you configured, which are symbolic links into the /tmp_mnt 

directory. 

To Mount a Remote Directory Using a Direct 

Automounter Map 

1. If you are using local files for your automounter maps, use an editor 

to open or create a direct map in the /etc directory. The direct map is 

commonly called /etc/auto_direct. Add a line to the direct map 

with the following syntax: 

local_directory [mount_options] server:remote_directory 


to the direct map on the NIS master server. 


following command to add an entry to the NIS+ direct map table 

(commonly called auto_direct.org_dir): 

nistbladm -a key=”local_directory” value=”mount_options \ 

server:remote_directory” auto_direct.org_dir 


to open or create the automounter master map in the /etc directory. 

The master map should be called /etc/auto_master. If you are using 

NIS, open the master map on the NIS master server. 

If the direct map you just modified is not listed in the automounter 

master map, add the following line to the master map: 

/- direct_map_name [mount_options] 


following command to add an entry for the auto_direct map to the 

auto_master map: 

nistbladm -a key=”/-” value=”direct_map_name mount_options” 

\ 


3. If you are using NIS to manage your automounter maps, issue the 

following commands on the NIS master server to rebuild the maps 

and push them to the slave servers: 

cd /var/yp 

Chapter 2 61



/usr/ccs/bin/make auto.master auto.direct 

The local directory you configure as the mount point should be empty or 

non-existent. The automounter will create any non-existent directories 

between the root directory and the configured mount point. If the local 

directory you configure is not empty, any local files or directories in it will 

be hidden and inaccessible while the remote directory is mounted over it. 

CAUTION 

Do not automount a remote directory on a local directory that is a 

symbolic link. 

The mount options are the same ones used for standard NFS-mounted 

directories. See “To Change the Default Mount Options” on page 43 for a 

list of mount options. The bg option cannot be used for an automounted 

directory. The mount options configured in the direct map override the 

ones in the master map if there is a conflict. 

You can configure all your direct automounts in the same map. Many 

people use the file name /etc/auto_direct for their direct map. 

If the direct map name in the automounter master map contains a slash 

(/), the automounter assumes it is a local file. If it does not contain a 

slash, the automounter uses the Name Service Switch to determine 

whether it is a file, an NIS map, or an NIS+ table. See “Configuring the 

Name Service Switch” on page 253. 

If you plan to use NIS or NIS+ to manage your automounter maps, you 

can have only one direct map in your configuration. If you plan to use 

NIS to manage your automounter maps, and your file system does not 

allow file names longer than 14 characters, keep the map name to 10 

characters or fewer. 




After you configure the directories you want automounted, you must 

enable the automounter. See “To Enable the NFS Automounter” on page 

81. If the automounter is already running when you add a direct mount 

to your configuration, you must restart the automounter before your 

changes will take effect. See “To Restart the Automounter” on page 83. 

Automounted directories stay mounted until they are left idle for five 

minutes. The five minute default can be changed by adding the 

62 

Chapter 2



-tl duration option to the AUTO_OPTIONS variable in the 


If you change the mount options, the remote server name, or the remote 

directory name for an existing direct mount while the automounter is 

running, the changes you made will take effect the next time the 

directory is mounted. However, if you change the local directory name in 

the direct map, or if you change the master map, these changes will not 

take effect until you restart the automounter. See “To Restart the 


Automounted directories in the /etc/mnttab file contain the keyword 

ignore to prevent them from being mounted at boot time. 

For more information on automounter configuration, type man 1M 

automount at the HP-UX prompt. 

Example File Entries for Direct Automounts 

Following are example lines from an automounter direct map on NFS 

client sage. The sharp sign (#) indicates a comment line. 

# /etc/auto_direct file 

# local mount point mount options remote server:directory 

/auto/project/specs -nosuid 

thyme:/export/project/specs 

/auto/project/budget -nosuid basil:/finance/FY94/proj1 

Following are example lines from the automounter master map on NFS 

client sage. 

# /etc/auto_master file 

# local mount point map name mount options 

/- /etc/auto_direct 

Figure 2-7 illustrates how the automounter sets up the direct mounts for 

this configuration. 

Chapter 2 63



Figure 2-7 

Example of Direct Mounts 

NFS server "basil" 

/ 

NFS server "thyme" 

/ 

NFS client "sage" 

/ 

/finance 

/export 

/tmp_mnt 

/auto 

/FY94 

/project 

/auto 

/project 

/proj1 

/specs 

/project 

/specs 

/budget 

/targets /ytd 

/reqmnts /designs 

/specs 

/budget 


/targets /ytd 

NFS mounts 

symbolic links 

To Mount a Remote Directory Using an Indirect 



to open or create an indirect map in the /etc directory. Add a line 

with the following syntax to the indirect map: 

local_subdirectory [mount_options] server:remote_directory 


to an indirect map on the NIS master server. 


following command to add an entry to an NIS+ indirect map table: 

nistbladm -a key=”local_subdirectory” value=”mount_options 

\ 

server:remote_directory” indirect_mapname.org_dir 





64 

Chapter 2



If the indirect map you just modified is not listed in the automounter 


local_parent_directory indirect_map_name [mount_options] 


following command to add an entry for the indirect map to the 

auto_master map: 

nistbladm -a key=”local_parent_directory” 

value=”indirect_map_name \ 

mount_options” auto_master.org_dir 




cd /var/yp 

/usr/ccs/bin/make auto.master indirect_mapname 

The local_subdirectory specified in the indirect map is the deepest 

subdirectory in the local directory pathname. For example, if you were 

mounting a remote directory on /nfs/apps/draw, the 

local_subdirectory specified in the indirect map would be draw. 

The local_parent_directory specified in the master map is all but the 

deepest subdirectory in the local directory pathname. For example, if you 

were mounting a remote directory on /nfs/apps/draw, the 

local_parent_directory specified in the master map would be 

/nfs/apps. 

The local_parent_directory and local_subdirectory should not 

exist; the automounter will create them when it mounts the remote 

directory. If the local_parent_directory or local_subdirectory 

contains files or directories, they will be hidden beneath the remote 

directory when it is mounted. 

CAUTION 

The local_subdirectory and local_parent_directory must not be 

symbolic links. 




directory. The mount options configured in the indirect map override the 


Chapter 2 65



You can configure indirect automounts in the same indirect map only if 

their local_parent_directory, as specified in the automounter master 

map, is the same. For example, indirect mounts with the local mount 

points /nfs/apps/draw and /nfs/apps/word could be configured in the 

same indirect map. 

Indirect maps are usually called /etc/auto_name, where name is 

something that helps you remember what is configured in the map. If 

you plan to use NIS to manage your automounter maps, and if your file 

system does not support file names longer than 14 characters, keep your 

indirect map names to 10 characters or fewer. 

If the indirect map name in the automounter master map contains a 

slash (/), the automounter assumes it is a local file. If it does not contain 

a slash, the automounter uses the Name Service Switch to determine 

whether it is a file, an NIS map, or an NIS+ table. See “Configuring the 







-tl duration option to the AUTO_OPTIONS variable in the 


After you configure the directories you want automounted, you must 

enable the automounter. See “To Enable the NFS Automounter” on page 

81. If the automounter is already running when you add an indirect 

mount to your configuration, you do not have to restart the automounter 

unless you change the master map. Any changes you make to an existing 

indirect map will take effect the next time the automounter mounts the 

directory. However, changes to the master map will not take effect until 

you restart the automounter. See “To Restart the Automounter” on page 

83. 





Example File Entries for Indirect Automounts 

Following are example lines from an automounter indirect map on NFS 

66 

Chapter 2



client sage. The sharp sign (#) indicates a comment. Everything from the 

sharp sign to the end of the line is ignored by the automounter. 

# /etc/auto_desktop file 

# local mount point mount options remote 

server:directory 

draw -nosuid thyme:/export/apps/draw 

write -nosuid basil:/exprort/write 


client sage. The master map also includes an entry for the direct map 

/etc/auto_direct. 




/nfs/desktop 

/etc/auto_desktop 

Figure 2-8 illustrates how the automounter sets up the indirect mounts 

for this configuration. 

Figure 2-8 

How the Automounter Sets Up Indirect Mounts 


/ 

/export 

/write 

readme /wordtool 


/ 

/export 

/apps 

/draw 

/pics /bin 


/ 

/tmp_mnt 

/nfs 

/nfs 

/desktop 

/desktop 

symbolic link 

/draw /write 

/pics /bin 

readme 

/wordtool 


Chapter 2 67



To Configure Multiple (Replicated) Servers for an 


1. Follow the instructions in “To Mount a Remote Directory Using a 

Direct Automounter Map” on page 61 or “To Mount a Remote 

Directory Using an Indirect Automounter Map” on page 64. 

2. In the direct or indirect map, modify the line that mounts the remote 

directory so that multiple servers are listed. 

• If the remote directory has a different name on the different 

servers, use a syntax like the following example from a direct map: 

/nfs/proj2/schedule -ro 

\ 

broccoli:/export/proj2/schedule 

cauliflower:/proj2/FY94/schedule 

The automounter reads this entry as one line. The line has been 

broken for readability, and the backslash (\) tells the automounter 

that the line continues after the line break. 

• If the remote directory has the same name on every server, use a 

syntax like the following example from an indirect map: 

man -ro broccoli,cabbage,cauliflower:/usr/share/man 

Directories with multiple servers should be mounted read-only to ensure 

that the versions remain the same on all the servers. 

When a user requests access to a directory with multiple servers 

configured, the automounter polls all the servers simultaneously and 

mounts the directory from the server that responds first. Multiple 

servers give users reliable access to a mounted directory, because if one 

server is down, the directory can be mounted from another. Also, 

multiple servers provide some load balancing across the network; a 

server that is not busy will respond more quickly to the automounter’s 

poll than one that is heavily loaded, so the directory will be mounted 

from the server that is not busy. 

If you configure multiple servers on both sides of a gateway, the servers 

on the same side of the gateway as the NFS client will always be used, 

because they will always respond to the client’s poll before the servers on 

the other side of the gateway. 

68 

Chapter 2



To Use Environment Variables as Shortcuts in 

Automounter Maps 

1. Use an environment variable anywhere in a direct or indirect 

automounter map except the first field, which specifies the local 

mount point. An environment variable must be preceded by a dollar 

sign ($) or enclosed in curly braces {}. The following direct map uses 

a variable called HOST: 

/private_files sage:/export/private_files/$HOST 

2. Add the -D option to the AUTO_OPTIONS variable in the 

/etc/rc.config.d/nfsconf file to assign a value to the variable, as 

in the following example: 

AUTO_OPTIONS=”-f $AUTO_MASTER -D HOST='hostname'” 

The example shown above assumes that NFS server sage has 

subdirectories in its /export/private_files directory that are named 

after the hosts in its network. Every host in the network can use the 

same automounter map and the same AUTO_OPTIONS definition to mount 

its private files from server sage. 

For example, when the automounter starts up on host basil, it assigns 

the value basil to the HOST variable. Then, when someone requests 

access to the local /private_files directory on basil, the automounter 

mounts /export/private_files/basil from server sage. 

Any environment variable that is set to a value may be used in an 

automounter map. If you do not set the variable with the -D option in 

/etc/rc.config.d/nfsconf, the automounter uses the current value of 

the environment variable on the local host. 

To Use Wildcard Characters as Shortcuts in 


1. Use the asterisk (*) in an indirect map as a wildcard character to 

represent the local subdirectory, when you want the local 

subdirectory to be the same as the remote system name or the remote 

subdirectory. 

2. Use the ampersand (&) in a direct or indirect map as the remote 

system name or the remote subdirectory. Whatever is in the local 

directory name field will replace the ampersand. If you have used an 

asterisk to represent the local subdirectory, whatever replaces the 

Chapter 2 69



asterisk (*) in the local subdirectory field also replaces the ampersand 

(&) in the remote system name or remote subdirectory field. 

You cannot use the asterisk (*) wildcard in a direct map. 

The following example automounts users’ home directories. The home 

directories are physically located on NFS server basil, under the remote 

directory /home. On the local NFS client, the home directories will also 

be mounted under /home. 

Following is the line from the automounter master map 

/etc/auto_master that lists the indirect map /etc/auto_home. 



/home /etc/auto_home -nosuid 

Following is the line from the automounter indirect map 

/etc/auto.home that mounts users’ home directories on demand. 

# /etc/auto_home file 



* basil:/home/& 

A user’s home directory is configured in the /etc/passwd file as 

/home/username. For example, the home directory of user terry is 

/home/terry. When Terry logs in, the automounter looks in the 

/etc/auto_home map and substitutes terry for both the asterisk and 

the ampersand. The automounter then mounts Terry’s home directory 

from /home/terry on server basil to /home/terry on the local NFS 

client. 

The ampersand character can be used to represent both the remote 

server and the remote subdirectory, in the same line of the indirect map. 

For example, if users’ home directories are physically located on many 

different servers, but the directory under which the home directories are 

located is called /home/servername on all the servers, the following line 

in the /etc/auto_home map will mount all users’ home directories from 

any server: 

* &:/home/& 

If the home directory of user terry is configured in the /etc/passwd file 

as /home/basil/terry, when Terry logs in, the automounter will mount 

the remote directory /home/basil from server basil on the local 

70 

Chapter 2



directory /home/basil. 

The line with the asterisk and ampersand should be the last line in an 

indirect map. The automounter reads the lines in the indirect map 

sequentially until it finds a match for the requested local subdirectory. 

The asterisk (*) matches any subdirectory, so the automounter stops 

reading at the line with the asterisk, because it has found a match. Any 

lines after the asterisk are never read. 

For example, if the /etc/auto_home map contains the following lines, 


charlie thyme:/home/charlie 

the automounter attempts to mount /home/charlie from host basil. 

The asterisk is a match for charlie, so the automounter looks no further 

and never reads the second line. However, if the /etc/auto_home map 

contains the following lines, 

charlie thyme:/home/charlie 


the automounter will mount Charlie’s home directory from host thyme 

and everyone else’s home directory from host basil. 



To Automount Users’ Home Directories with the 

-passwd Map 

This task might require you to make some changes to your NFS servers 

as well as your NFS clients. 

NOTE 

The -passwd map requires that users’ home directories be located under 

the same directory on all systems in the network. On HP-UX release 9.x 

or earlier, home directories are usually located under /users. On HP-UX 

release 10.0 or later, home directories are usually located under /home. 

For this reason, you should not set up the -passwd map until all of your 

systems are running HP-UX release 10.0 or later. 

Chapter 2 71



Setting up the NFS Server 

1. On the NFS servers where home directories are located, make sure 

every user’s home directory is of the form 

directory/servername/username. For example, if the home 

directories are located under the /home directory on server sage, user 

Claire’s home directory would be /home/sage/claire. 

2. Make sure the machines where users’ home directories are located 

are set up as NFS servers and are exporting the home directories. See 

“Configuring and Administering an NFS Server” on page 24. 

Setting up the NFS Client 

1. In the /etc/passwd file on the NFS clients, or in the NIS passwd map 

or NIS+ passwd table, configure the home directory of each user as 

directory/servername/username, where servername is the name 

of the machine where the user’s home directory is physically located. 

For example, if home directories are mounted under /home on NFS 

client thyme, Claire’s home directory, which is located on server sage, 

would be configured as /home/sage/claire in the /etc/passwd file 

on client thyme. 

2. Create a directory of the form directory/servername on the NFS 

clients for each NFS server where users’ home directories are located. 

For example, if users’ home directories are located on servers sage 

and basil, and they will be automounted under the directory /home 

on host thyme, you would create the directories /home/sage and 

/home/basil on host thyme. 

3. If you are using local files for your automounter maps, add the 

following line to the automounter master map (usually called 

/etc/auto_master) on the NFS clients. If you are using NIS to 

manage your automounter maps, add the line to the master map on 

the NIS master server. 

local_parent_directory -passwd [mount_options] 

The local_parent_directory is the directory under which users’ 

home directories will be mounted. This directory must be different 

from the directory in the user’s passwd entry. For example, you might 

use homes as the directory, as in the following example: 

/homes -passwd -nosuid 


72 

Chapter 2




nistbladm -a key=”/homes” value=”-passwd -nosuid” \ 



following commands on the NIS master server to rebuild the master 

map and push it to slave servers: 

cd /var/yp 


5. Create a symbolic link from each user’s home directory as it is 

configured in /etc/passwd (for example, /home/sage/claire) to 

local_parent_directory/username, where 

local_parent_directory is the local mount point you configured in 

the automounter master map, as in the following example: 

ln -s /homes/claire /home/sage/claire 

The changes you have made will not take effect until you enable or 

restart the automounter. See “To Enable the NFS Automounter” on page 

81 or “To Restart the Automounter” on page 83. 

The -passwd map is a built-in automounter map that you do not have to 

create. It uses the /etc/passwd file, the NIS passwd map, or the NIS+ 

passwd table to find a user’s home system and then mounts the user’s 

home directory under the configured mount point when the user logs in. 

Figure 2-9 illustrates a configuration using the -passwd map. 

Chapter 2 73



Figure 2-9 

Home Directories Automounted with -passwd Map 

NFS server "sage" 

/ 


/ 

NFS client "thyme" 

/ 

/home 

/home 

/homes 

/home 

/sage 

/basil 

/mark 

/annalee /claire /alex /mark 

.cshrc /Mail 

.kshrc /mydocs .cshrc /Mail 

/sage /basil 

/claire 

/claire /mark 

.kshrc /mydocs 



To Automount Users’ Home Directories with Wildcard 

Characters 

1. Make sure every user’s home directory is of the form 

directory/servername/username, on the NFS servers where the 

directories are located. For example, if the home directories are 

located under the /home directory on server sage, user Claire’s home 

directory pathname would be /home/sage/claire. 

NOTE 

This configuration requires that users’ home directories be located under 

the same directory on all systems in the network. On HP-UX release 

9.x or earlier, home directories are usually located under /users. On 

HP-UX release 10.0 or later, home directories are usually located 

under /home. For this reason, you should not set up this configuration 

until all of your systems are running HP-UX release 10.0 or later. 




74 

Chapter 2





directory/servername/username, where servername is the name 

of the machine where the user’s home directory is physically located. 

For example, if home directories are mounted under /home on NFS 

client thyme, Claire’s home directory, which is located on server sage, 

would be configured as /home/sage/claire in the /etc/passwd file 

on client thyme. 

4. If you are using local files for your automounter maps, create a file 

called /etc/auto_home on the NFS clients, and add the following line 

to it. If you are using NIS to manage your automounter maps, add the 

line to the /etc/auto_home file on the NIS master server. 

* &:/home/& -nosuid 

The asterisk (*) and ampersand (&) characters are explained in “To 

Use Wildcard Characters as Shortcuts in Automounter Maps” on 

page 69. 


following command to add an entry to the auto_home table: 

nistbladm -a key=”*” value=”&/home/& -nosuid” \ 

auto_home.org_dir 


following line to the automounter master map (usually called 

/etc/auto_master) on the NFS clients: 

/home /etc/auto_home 

If you are using NIS to manage your automounter maps, add the 

following line to the /etc/auto_master file on the NIS master server: 

/home auto.home 



nistbladm -a key=”/home” value=”auto_home” 




and push them to slave servers: 

cd /var/yp 


Chapter 2 75



The changes you have made will not take effect until you enable or 

restart the automounter. See “To Enable the NFS Automounter” on page 

81 or “To Restart the Automounter” on page 83. 

Example of Automounting a User’s Home Directory 

User Howard’s home directory is located on NFS server basil, where it 

is called /home/basil/howard. On all the machines in the network, 

Howard has the following entry in the /etc/passwd file: 

howard:MILQ3N1tBHXhM:828:Howard:/home/basil/howard:/bin/ksh 

When Howard logs into any NFS client, the automounter recognizes 

/home as an automounter mount point, because it is configured in the 

master map: 

/home auto_home 

The automounter reads the auto_home to find out how to mount 

Howard’s home directory. The subdirectory basil is not listed in the 

auto_home map, but the asterisk (*) in the following line matches any 

subdirectory: 

* &:/home/& -nosuid 

So the automounter substitutes basil for all wildcard characters in that 

line: 

basil 

basil:/home/basil 

The automounter mounts /home/basil from server basil to the local 

mount point /home/basil on the NFS client. All the home directories on 

server basil are located under /home/basil. Figure 2-10 illustrates this 

configuration: 

Figure 2-10 

Home Directories Automounted with Wildcards 


/ 

/home 

/basil 


/ 

/home 

/basil 

/james 

/howard 

/james /howard 

76 

Chapter 2



To Automount Multiple Directories Simultaneously 

(Hierarchical Mounts) 

• Use an editor to create an entry with the following format in a direct 

or indirect automounter map. (Create the map, if necessary, and add 

it to the automounter master map.) 

local_dir /local_subdirectory [-options] 

server:remote_directory \ 

/local_subdirectory [-options] 

server:remote_directory \ . . . 

The backslash (\) characters tell the automounter to ignore the line 

breaks, so this entry is effectively all one line. Map entries with this 

format cause all the remote directories on the line to be mounted at the 

same time. For example, the following entry from a direct map mounts 

the source code and the data files for a project at the same time; 

whenever anyone requests access to either one, they are both mounted. 

/our_project /source -ro broccoli:/opt/proj1/src \ 

/datafiles cauliflower:/opt/proj1/samples/data 

Because the directories are always mounted simultaneously, you can use 

relative pathnames to move from one to another, for example, 

cd ../source 

Here is another example from an indirect map. In this example, the same 

mount option (nosuid) applies to all three automounted directories. 

chap2 -nosuid /text sage:/our_book/chap2 \ 

/graphics basil:/our_book/artwork/chap2 \ 

/old sage:/our_book/oldfiles/chap2 

To Improve Automounter Performance with 

Subdirectory Notation in Indirect Maps 

1. Look for entries in your indirect maps that specify the same server 

and remote pathname and differ only in the local mount point and the 

deepest subdirectory on the remote system. For example, the 

following entries in an indirect map are good candidates for 

subdirectory notation: 

terriers 

hunting_dogs 

local_breeders 

akcserver:/breeders/terriers 

akcserver:/breeders/retrievers 

akcserver:/breeders/SFbayarea 

Chapter 2 77



2. Replace the last slash (/) in the remote pathnames with a colon, as in 

the following example: 

terriers 

hunting_dogs 

local_breeders 

akcserver:/breeders:terriers 

akcserver:/breeders:retrievers 

akcserver:/breeders:SFbayarea 

When the automounter encounters subdirectory notation, it mounts the 

parent directory instead of mounting each subdirectory individually. 

In the above example using subdirectory notation, the automounter 

mounts akcserver:/breeders whenever one of the remote 

subdirectories (terriers, retrievers, or SFbayarea) is requested. 

Then, when another subdirectory is requested, it is already mounted, 

and all the automounter has to do is create a symbolic link for it. 

Subdirectory notation creates some very confusing path names on the 

local host. The following example shows how the automounter sets up 

mounts using subdirectory notation. 

Assume that the indirect map shown above is called auto.dogs and is 

listed in the master map as follows: 

/pets/dogs 

auto.dogs 

Suppose someone requests access to a file in the hunting_dogs directory, 

and while it is mounted, someone else requests access to a file in the 

local_breeders directory. If you use subdirectory notation, the 

automounter performs the following steps: 

1. Mounts remote directory /breeders from NFS server akcserver 

onto local directory /tmp_mnt/breeders/hunting_dogs. 

The path to the mount point is the path name on the server, and the 

mount point itself is the subdirectory name that was requested on the 

local host. The subdirectories hunting_dogs and local_breeders 

are underneath this mount point. 

2. Creates a symbolic link from /pets/dogs/hunting_dogs to 

/tmp_mnt/breeders/hunting_dogs/hunting_dogs. 

3. Creates a symbolic link from /pets/dogs/local_breeders to 

/tmp_mnt/breeders/hunting_dogs/local_breeders. 

Without subdirectory notation, the automounter performs the following 

steps: 

1. Mounts remote directory /breeders/retrievers from NFS server 

akcserver onto local directory /tmp_mnt/pets/dogs/hunting_dogs. 

78 

Chapter 2



2. Creates a symbolic link from /pets/dogs/hunting_dogs to 

/tmp_mnt/pets/dogs/hunting_dogs. 

3. Mounts remote directory /breeders/SFbayarea from NFS server 

akcserver onto local directory 

/tmp_mnt/pets/dogs/local_breeders. 

4. Creates a symbolic link from /pets/dogs/local_breeders to 

/tmp_mnt/pets/dogs/local_breeders. 

To Include an Automounter Map in Another 


• To include the contents of an automounter map in another 

automounter map, add a plus sign (+) before the map name, as in the 

following example: 




basil -nosuid basil:/home/basil 

+auto.home 

Assume the /etc/auto_home map is listed in the master map with the 

following line: 

/home 

/etc/auto_home 

This example has the following effect: 

If a user logs in whose home directory is in /home/basil, the 

automounter will mount the directory /home/basil from host basil. 

If a user logs in whose home directory is in /home/sage, /home/thyme,or 

any subdirectory of /home other than basil, the automounter will look 

in either the NIS or NIS+ auto.home map for information on mounting 

the user’s home directory (depending on the Name Service Switch 

configuration). 

The plus sign (+) tells the automounter to look in a different map for the 

information it needs to mount the directory. If the map name following 

the plus sign begins with a slash, the automounter assumes it is a local 

map. If the map name contains no slashes, the automounter uses the 

Name Service Switch to determine whether it is a file, an NIS map, or an 

NIS+ table. See “Configuring the Name Service Switch” on page 253. 

Chapter 2 79



You can include an NIS or NIS+ map inside an NIS or NIS+ master or 

direct map. You cannot include an NIS or NIS+ map inside an NIS or 

NIS+ indirect map. 

If you specify an included NIS+ automounter map with no dots in the 

name, the automounter appends org_dir.defaultdomain to the map 

name. For example, if the map name you specify is auto_home, and your 

Name Service Switch configuration indicates that NIS+ is to be used, the 

automounter will look for a map called 

auto_home.org_dir.defaultdomain. 

For more information, type man 1M automount or man 4 

nsswitch.conf. 

To Turn Off an Automounter Map with the -null Map 

1. Add a line with the following syntax to the automounter master map: 

local_directory -null 

2. If the automounter is running, restart it to force it to read its maps. 

See “To Restart the Automounter” on page 83. 

The -null option “turns off” the map that is mounted on 

local_directory. For example, if the NIS auto.master map mounts 

the auto.home map on /home, and you include the following line in your 

local /etc/auto_master file, 

/home -null 

the NIS auto.home map will not be used on your system. 

The -null option is useful for turning off NIS or NIS+ automounter 

maps that do not apply to your host. 

You can also replace NIS maps with local maps, as in the following 

example from /etc/auto_master: 

/home /etc/auto_ourhome 

Because the automounter reads the local /etc/auto_master file before 

the NIS auto.master map, this entry causes the automounter to look for 

mount information in the local file /etc/auto_ourhome instead of the 

auto.home NIS map. 

To use a local automounter master map, make sure the AUTO_OPTIONS 

variable in /etc/rc.config.d/nfsconf includes the string 

-f $AUTO_MASTER, and make sure the AUTO_MASTER variable is set to the 

80 

Chapter 2



name of your local automounter master map file. 

For more information, type man 1M automount. 

To Enable the NFS Automounter 


and AUTOMOUNT variables are set to 1, as follows: 


AUTOMOUNT=1 

2. If you will use a local file as your automounter master map, make 

sure the AUTO_MASTER variable in /etc/rc.config.d/nfsconf is set 

to the name of your automounter master map. (The default master 

map name is /etc/auto_master.) 

AUTO_MASTER=”/etc/auto_master” 

If you will use an NIS or NIS+ automounter master map, remove -f 

$AUTO_MASTER from the AUTO_OPTIONS variable. 

3. Issue the following command to run the NFS client startup script: 


When the automounter starts up, if your AUTO_OPTIONS variable 

specifies a master map file with the -f filename option, the 

automounter will look for a file by that name on the local host. It will also 

use the Name Service Switch to determine which name services you are 

using and find the master maps that are available from those name 

services. If your AUTO_OPTIONS variable does not specify the -f 

filename option, the automounter will consult the Name Service Switch 

configuration to determine where to look for your automounter master 

map. 

The automounter does not support NFS protocol version 3. Automounted 

file systems will be mounted with NFS protocol version 2. 

For more information, type man 4 nsswitch.conf or man 1M automount 

at the HP-UX prompt. 

To Verify Your Automounter Configuration 

1. Type the following command to change the current working directory 

to an automounted directory: 

Chapter 2 81



/usr/bin/cd local_directory 

where local_directory is the configured mount point in the 

automounter map. 

2. Type the following command to verify that the contents of the remote 

directory have been mounted under the local mount point: 

/usr/bin/ls 

If the directory is configured in an indirect map, issuing the ls command 

from the parent directory will display nothing. When you cd to a 

subdirectory configured in the indirect map, or issue the command 

ls subdirectory, the subdirectory will be mounted. 

Therefore, if you have the following indirect map configuration, 



/nfs/desktop 





draw 

-nosuid 

thyme:/export/apps/draw 

write -nosuid basil:/export write 

and you issue the following commands, 

cd /nfs/desktop 

ls 

the ls command will produce no output, because the draw and write 

subdirectories are not currently mounted. However, if you issue the 

following commands, 

cd /nfs/desktop/write 

cd /nfs/desktop/draw 

cd .. 

ls 

the ls command will display 

draw 

write 

If the automounter is not mounting your configured directories, see 

“Troubleshooting NFS Services” on page 273. 

82 

Chapter 2



To Modify or Remove (Unmount) an Automounted 


1. Use an editor to make your changes to the direct or indirect map. 

2. If you removed the last entry in the direct or indirect map, remove the 

line for that map in the automounter master map. 

3. If you made any of the following changes, you need to restart the 

automounter before your changes will take effect: 

• any changes to the master map 

• changes to the local directory name in a direct map 

See “To Restart the Automounter” on page 83. 

To Restart the Automounter 

1. Issue the following command to get a list of all the automounted 

directories on the client: 

/usr/bin/grep tmp_mnt /etc/mnttab 

2. For every automounted directory listed by the grep command, issue 








issue the following command to kill all the processes using the 

mounted directory: 


4. Issue the following commands to kill the automounter (PID is the 

process ID returned by the ps command): 

ps -ef | grep automount 

kill -SIGTERM PID 

CAUTION 

Do not kill the automounter with -SIGKILL (-9). The SIGKILL signal can 

Chapter 2 83



cause any currently automounted directories to become inaccessible 

until you reboot your system. 

5. Type the ps command to make sure the automounter is no longer 

active: 

/usr/bin/ps -ef | grep automount 

If the ps command indicates the automounter is still active, make 

sure all users are out of the automounted directories and then try 

again. Do not restart the automounter until all automount processes 

have terminated. 

6. Issue the following command to start the automounter: 

/usr/sbin/automount options 

options is the list of options configured in the AUTO_OPTIONS 

variable in the /etc/rc.config.d/nfsconf file. You can also source 

the /etc/rc.config.d/nfsconf file, and then enter the automount 

command as follows: 

/usr/sbin/automount $AUTO_OPTIONS 

If you attempt to kill the automounter while a user or process is working 

in a directory containing indirect mount points (for example, if you have 

the -hosts map mounted at /net, and a process is using /net as its 

current working directory), the automounter creates a child process to 

serve the directory while the parent process continues to try to shut 

down. Therefore, you may notice that the ps command lists two 

automount processes. When all automounted directories have been 

unmounted, both processes terminate. 

If you restart the automounter before these automount processes 

terminate, the new process attempts to shut itself down, finds that a 

directory is busy, and creates a child process. You then have three 

automount processes. 

If you attempt to kill the automounter while a user or process is using an 

automounted directory underneath an automounter mount point (for 

example, if you have the -hosts map mounted at /net, and a user’s 

current directory is /net/basil/tools), the directory remains mounted 

under /tmp_mnt, and the configured mount point and its symbolic link 

are removed. 

84 

Chapter 2



Even after you restart the automounter, the directory remains mounted 

under /tmp_mnt, and the automounter will not unmount it. You can use 

the umount(1M) command to unmount the directory under /tmp_mnt. 

For more information, type man 1M automount at the HP-UX prompt. 

Chapter 2 85


Configuring and Administering AutoFS 


This section tells you how to configure AutoFS. AutoFS mounts 

directories automatically when users or processes request access to 

them, and it unmounts them automatically after they have been idle for 

a period of time (five minutes, by default). 

Following are the tasks involved in configuring AutoFS. Tasks 4 and 16 

alone will get AutoFS up and running on your system. 

Before configuring AutoFS, see “Deciding Between Standard-Mounted 

Directories and Automounted Directories” on page 35. The following 

topics are covered in this section: 

1. “Advantages of AutoFS Versus Automounter” on page 87 

2. “Migrating From Automounter to AutoFS” on page 88 

3. “To Understand How AutoFS Works” on page 89 

4. “To Automount All Exported Directories from Any Host Using the 

-hosts Map” on page 90 

5. “To Decide Between Direct and Indirect NFS Automounts” on page 

92 

6. “To Mount a Remote Directory Using a Direct Automounter Map” on 

page 95 

7. “To Mount a Remote Directory Using an Indirect Automounter Map” 

on page 99 

8. “To Configure Multiple (Replicated) Servers for an Automounted 

Directory” on page 102 

9. “To Use Environment Variables as Shortcuts in Automounter Maps” 

on page 103 

10.“To Use Wildcard Characters as Shortcuts in Automounter Maps” on 

page 104 

11.“To Automount Users’ Home Directories” on page 106 

12.“To Automount Multiple Directories Simultaneously (Hierarchical 

Mounts)” on page 108 

13.“To Include an Automounter Map in Another Automounter Map” on 

page 109 

86 

Chapter 2



14.“To Create a Hierarchy of Automounter Maps” on page 110 

15.“To Turn Off an Automounter Map with the -null Map” on page 111 

16.“To Enable AutoFS” on page 111 

17.“To Disable AutoFS” on page 112 

18.“To Verify Your AutoFS Configuration” on page 112 

19.“To Modify or Remove (Unmount) an Automounted Directory” on 

page 114 

NOTE 

SAM does not currently support AutoFS. To perform AutoFS tasks you 

need to edit files and issue HP-UX commands as described in the 

following sections. 

Advantages of AutoFS Versus Automounter 

Beginning with the HP-UX Extension Pack Release, August 1998 (for 

HP-UX 11.0), the new automounting utility, AutoFS, is available in 

addition to the pre-existing Automounter. You can configure your system 

to use either Automounter or AutoFS. Automounter is the default on a 

newly installed or updated system. However, you may choose to migrate 

to AutoFS, since it has several advantages over Automounter: 

• AutoFS can be used to mount any type of file system, including NFS 

Protocol Version 3. (The pre-existing Automounter can be used only 

for NFS PV2.) 

• With AutoFS, the configured mount points are the actual mount 

points. (The pre-existing Automounter mounts directories under 

/tmp_mnt and creates symbolic links from the configured mount 

points to the actual ones under /tmp_mnt.) 

• You do not have to stop AutoFS to change your automounter maps. 

The AutoFS daemon, automountd, runs continuously. When you 

make a change to an automounter map, you run the automount 

command, which reads the maps and then exits. (The pre-existing 

automounter has to be killed and restarted whenever you make a 

change to an automounter map.) 

Chapter 2 87



Migrating From Automounter to AutoFS 

If you were using the automounter before you updated to the HP-UX 

Extension Pack Release, August 1998, you must perform the following 

tasks to migrate your automounter configuration to AutoFS: 

For more information, see the automount(1M) or automountd(1M) man 

pages. 

Table 2-5 

1. Move the /etc/rc.config.d/nfsconf file to 

/etc/rc.config.d.nfsconf.old. 

2. Copy the /usr/newconfig/etc/rc.config.d/nfsconf file to 

/etc/rc.config.d/nfsconf. 

3. In the /etc/rc.config.d/nfsconf file set the AUTOFS variable equal 

to 1. 

4. Copy any options you had specified in the AUTO_OPTIONS variable to 

either the AUTOMOUNT_OPTIONS or the AUTOMOUNTD_OPTIONS variable. 

Remove obsolete options. 

Table 2-5 lists the options to the old automount command and the 

equivalent AutoFS command options. It also indicates which 

automount options are obsolete with AutoFS. 

Old Automount Command-Line Options Used By AutoFS 

Old automount 

Option 

-D 

variable=value 

Equivalent 

AutoFS Command 

Option 

automountd -D 

variable=value 

Purpose 

Assign value to 

environment 

variable. 

-f master_file automount -f 

master_file 

Use master_file as 

local master map. 

-M 

mount_directory 

Obsolete with 

AutoFS. 

Automount directories 

under 

mount_directory 

instead of /tmp_mnt. 

-m Obsolete with 

AutoFS. 

Ignore NIS 

auto.master map. 

88 

Chapter 2



Table 2-5 

Old Automount Command-Line Options Used By AutoFS 

Old automount 

Option 

Equivalent 

AutoFS Command 

Option 

Purpose 

-n Obsolete with 

AutoFS. 

Allow automounts 

only of previously 

mounted target file 

systems. 

-T automountd -T Enable automount 

tracing. 

-tl duration automount -t 

duration 

Specify time before 

unmounting idle 

directories. 

-tm interval 

-tw interval 

Obsolete with 

AutoFS. 

Obsolete with 

AutoFS. 

Specify interval 

between mount 

attempts. 

Specify interval 

between unmount 

attempts. 

-v automount -v 

automountd -v 

Verbose mode. 

5. Modify any scripts you have that kill and restart automount. The new 

AutoFS daemon, automountd, rarely needs to be restarted. If you 

need to make changes to your automounter maps, just run the 

automount program after modifying the maps. It is not a daemon, like 

the old automount process; it is a program that runs once to read the 

maps and then terminates. 

To Understand How AutoFS Works 

AutoFS consists of the following components: 

1. The automount command, for reading automounter maps into 

memory. 

2. The AutoFS file system. 

Chapter 2 89



3. The automountd daemon, which automounts file systems when they 

are requested by users. 

The automount command is invoked at system startup. It reads the 

automounter master map to create the initial set of AutoFS mount 

points in the internal mount table, /etc/mnttab. The automounted file 

systems are not automatically mounted at startup. They are points 

under which file systems will be mounted later, when users request 

access to them. 

When AutoFS receives a request to mount a file system that is not 

currently mounted, it calls the automountd daemon, which actually 

mounts the requested file system. Once the file system is mounted, 

further access does not require any action from the automountd daemon. 

Unlike the old automounter, AutoFS mounts file systems at the 

configured mount points. It does not maintain its own directory of mount 

points with symbolic links into it the way the old automounter does. 

The automountd daemon is completely independent from the automount 

command. Because of this separation, it is possible to add, delete, or 

change automounter map information without having to stop and restart 

the automountd daemon. 

After system startup, when the AutoFS mount points are set up, you can 

modify the set of mount points by modifying the automounter maps and 

running the automount command to read them and modify the mount 

table accordingly. You do not have to stop and restart AutoFS. 

If an automounted file system has been idle for 5 minutes, AutoFS 

unmounts it. 

For more information on AutoFS, type man 1M automount or man 1M 

automountd at the HP-UX prompt. 

To Automount All Exported Directories from Any 

Host Using the -hosts Map 


to add the following line to the automounter master map file, 

/etc/auto_master: 

/net -hosts -nosuid 


to the master map file on the NIS master server, and then issue the 

following commands to rebuild the map and push it out to slave 

90 

Chapter 2



servers: 

cd /var/yp 

/usr/ccs/bin/make auto_master 

2. On each host that will use the map you have just modified, issue the 

following command to force AutoFS to read the modified map: 

/usr/sbin/automount 

The local mount point (/net) should not exist. 

You must enable AutoFS before any directories can be automounted. See 

“To Enable the NFS Automounter” on page 81. 

The -hosts map is a “built-in” automounter map; you do not have to 

create it. The -hosts map causes AutoFS to mount all the exported 

directories from any NFS server on the network whenever a user or 

process requests access to one of the exported directories from that 

server. 

CAUTION 

Because the -hosts map allows NFS access to any reachable remote 

system, a user may inadvertently cause an NFS mount over X.25 or 

SLIP, which is unsupported, or through a slow router or gateway. Mounts 

over slow links may cause excessive retransmissions and degrade 

performance for all users. 

When a user or process requests a directory from an NFS server, AutoFS 

creates a subdirectory, named after the NFS server, under the local 

mount point you configured in the automounter master map. (The 

conventional mount point for the -hosts map is /net.) Then AutoFS 

mounts all the exported directories from that server under the 

subdirectory it created. Directories will stay mounted until they are left 

idle for five minutes. The five minute default can be changed by adding 

the -t duration option to the AUTOMOUNT_OPTIONS variable in the 


For example, if server sage exports /opt and /apps, and a user on your 

NFS client types the following command, 

cd /net/sage/opt/frame 

the subdirectory /sage is created under /net, and /opt and /apps are 

mounted under /sage. Figure 2-11 shows the automounted file structure 

after the user’s command. 

Chapter 2 91



Figure 2-11 

Automounted Directories from -hosts Map—One Server 

/net 

/sage 

/opt /apps 

If server thyme exports the directory /exports/proj1, and a user types 

the following command, 

more /net/thyme/exports/proj1/readme 

the subdirectory /thyme is created under /net, and /exports/proj1 is 

mounted under /thyme. Figure 2-12 shows the automounted directory 

structure after the second user’s command. 

Figure 2-12 

Automounted Directories from -hosts Map—Two Servers 

/net 

/sage 

/thyme 

/opt /apps 

/exports 

/proj1 

The -hosts map is an indirect map. It uses the hosts database (the 

/etc/hosts file, the NIS hosts map, or BIND [DNS]) to find a host on 

the network. The Name Service Switch configuration determines which 

name services will be searched for host information. See “Configuring the 


To Decide Between Direct and Indirect NFS 

Automounts 

• Before you automount a remote directory, decide whether you want to 

use a direct or indirect automounter map. Table 2-6 lists the 

advantages and disadvantages of each type of map. 

In general, an indirect map is better than a direct map, because it is 

easier to modify while AutoFS is running, and because it does not cause 

92 

Chapter 2



Table 2-6 

“mount storms” in directories with many automount points. 

However, if your automounted directory must share the same parent 

directory with local or standard-mounted directories, or if users must 

always get a complete list of available files and directories when they 

issue the ls command, you should choose a direct map. 

Table 2-6 lists the advantages and disadvantages of direct and indirect 



Direct Map 

Advantage: A user can see the 

contents of a direct-mounted 

directory with the ls command. If 

the contents are not currently 

mounted, ls causes them to be 

mounted. 

Advantage: Direct-mounted 

automounted directories can 

share the same parent directory 

with local or standard-mounted 


Disadvantage: If you add or 

remove mounts in a direct map, 

or if you change the local mount 

point for an existing mount in a 

direct map, you have to force 

AutoFS to reread its maps or 

reboot your system before AutoFS 

sees the changes you made. 

Indirect Map 

Disadvantage: If a user types ls to 

see the contents of an 

indirect-mounted directory, it 

appears empty unless its 

subdirectories are currently 

mounted. The user must cd to a 

subdirectory or type ls 

subdirectory to cause it to be 

mounted. 

Disadvantage: An indirect map 

hides any local, standard-mounted, 

or direct-mounted files or directories 

underneath the mount point for the 

map. 

Advantage: If you modify an indirect 

map, AutoFS will see the changes 

the next time it mounts the 

directory, so you don’t have to force 

AutoFS to reread its maps. 

Chapter 2 93



Table 2-6 


Direct Map 

Disadvantage: When a user or 

program accesses a directory 

containing many direct mount 

points, all the directories are 

mounted, whether they are 

needed or not. This can cause a 

flurry of mount activity. 

Disadvantage: When automount 

reads a direct map, it creates an 

entry for each automounted 

directory in the internal mount 

table, /etc/mnttab. This can 

cause the mount table to become 

very large. 

Indirect Map 

Advantage: When a user or program 

accesses a directory containing many 

indirect mount points, only 

directories that are already mounted 

appear. 

Advantage: When automount reads 

an indirect map, it creates only one 

entry for the entire map in the 

internal mount table, /etc/mnttab. 

Additional entries are created as 

directories are actually mounted. 

The mount table takes up no more 

space than necessary, because only 

mounted directories appear in it. 

How AutoFS Sets Up Direct and Indirect Mounts 

The automounts configured in a direct map may be mounted in various 

places in the local file system; they do not have to be located under the 

same parent directory. 

The automounts configured in an indirect map are all mounted under the 

same local parent directory. 

Figure 2-13 shows the difference between direct mounts and indirect 

mounts on an NFS client. 

94 

Chapter 2



Figure 2-13 

The Difference Between Direct Mounts and Indirect Mounts 

mounts in a direct map 

mounts in an indirect map 

/ 

/ 

= automounted directory 

To Mount a Remote Directory Using a Direct 



to open or create a direct map in the /etc directory. The direct map is 

commonly called /etc/auto_direct. Add a line to the direct map 

with the following syntax: 

local_directory [mount_options] server:remote_directory 


to the direct map on the NIS master server. 





If the direct map you just modified is not listed in the automounter 


/- direct_map_name [mount_options] 




cd /var/yp 

/usr/ccs/bin/make auto_master auto_direct 

Chapter 2 95



4. On each host that will use the map you have just modified, issue the 

following command to force AutoFS to read the modified map: 


The local directory you configure as the mount point should be empty or 

non-existent. AutoFS will create any non-existent directories between 

the root directory and the configured mount point. If the local directory 

you configure is not empty, any local files or directories in it will be 

hidden and inaccessible while the remote directory is mounted over it. 

CAUTION 

Do not automount a remote directory on a local directory that is a 

symbolic link. 

If you are using NIS to manage your automounter maps, make sure the 

local mount point is different from the exported directory on the server. If 

they are the same, the server may attempt to mount its exported 

directory over itself, and the directory will become unavailable. 




directory. The mount options configured in the direct map override the 


You can configure all your direct automounts in the same map. Many 

people use the file name /etc/auto_direct for their direct map. If you 

plan to use NIS to manage your automounter maps, you can have only 

one direct map in your configuration. If you plan to use NIS to manage 

your automounter maps, and your file system does not allow file names 

longer than 14 characters, keep the map name to 10 characters or fewer. 

If the direct map name in the automounter master map contains a slash 

(/), AutoFS assumes it is a local file. If it does not contain a slash, AutoFS 

uses the Name Service Switch to determine whether it is a file or an NIS 

map. See “Configuring the Name Service Switch” on page 253. 






96 

Chapter 2





-t duration option to the AUTOMOUNT_OPTIONS variable in the 


If you change the mount options, the remote server name, or the remote 

directory name for an existing direct mount while AutoFS is running, the 

changes you made will take effect the next time the directory is mounted. 

However, if you change the local directory name in the direct map, or if 

you change the master map, these changes will not take effect until you 

issue the automount command to force AutoFS to reread its maps. 

You can list executable automounter maps in the master map, or include 

them in local automounter map files. Executable automounter maps 

return a map entry on standard output when automountd supplies them 

with a key to look up. If they cannot supply a map entry for the key, they 

should return nothing. AutoFS determines whether a map is executable 

by checking whether the execute bit is set in its permissions string. If a 

map is not executable, make sure its execute bit is not set. 



For more information on AutoFS configuration, type man 1M automount 


Example File Entries for Direct Automounts 

Following are example lines from an automounter direct map on NFS 

client sage. The sharp sign (#) indicates a comment line. 

# /etc/auto_direct file 

# local mount point mount options remote server:directory 

/auto/project/specs -nosuid 

thyme:/export/project/specs 

/auto/project/budget -nosuid basil:/export/FY94/proj1 


client sage. 




Figure 2-14 illustrates how the AutoFS sets up the direct mounts for this 

Chapter 2 97



configuration. 

Figure 2-14 

Example of Direct Mounts 


/ 

/export 

/FY94 


/ 

/export 

/project 


/ 

/auto 

/project 

/proj1 

/specs 

/targets /ytd 


/specs 

/budget 


/targets /ytd 


98 

Chapter 2



To Mount a Remote Directory Using an Indirect 



to open or create an indirect map in the /etc directory. Add a line 

with the following syntax to the indirect map: 

local_subdirectory [mount_options] server:remote_directory 


to an indirect map on the NIS master server. 





If the indirect map you just modified is not listed in the automounter 


local_parent_directory indirect_map_name [mount_options] 




cd /var/yp 

/usr/ccs/bin/make auto_master indirect_mapname 

4. If you modified the automounter master map, issue the following 

command on each host that will use the map, to force AutoFS to read 

the modified master map: 


The local_subdirectory specified in the indirect map is the deepest 

subdirectory in the local directory pathname. For example, if you were 

mounting a remote directory on /nfs/apps/draw, the 

local_subdirectory specified in the indirect map would be draw. 

The local_parent_directory specified in the master map is all but the 

deepest subdirectory in the local directory pathname. For example, if you 

were mounting a remote directory on /nfs/apps/draw, the 

local_parent_directory specified in the master map would be 

/nfs/apps. 

The local_parent_directory and local_subdirectory should not 

exist; AutoFS will create them when it mounts the remote directory. If 

Chapter 2 99



the local_parent_directory or local_subdirectory contains files or 

directories, they will be hidden beneath the remote directory when it is 

mounted. 

CAUTION 

The local_subdirectory and local_parent_directory must not be 

symbolic links. 

If you are using NIS to manage your automounter maps, make sure the 

local mount point is different from the exported directory on the server. If 

they are the same, the server may attempt to mount its exported 

directory over itself, and the directory will become unavailable. 




directory. The mount options configured in the indirect map override the 


You can configure indirect automounts in the same indirect map only if 

their local_parent_directory, as specified in the automounter master 

map, is the same. For example, indirect mounts with the local mount 

points /nfs/apps/draw and /nfs/apps/word could be configured in the 

same indirect map. 

Indirect maps are usually called /etc/auto_name, where name is 

something that helps you remember what is configured in the map. If 

you plan to use NIS to manage your automounter maps, and if your file 

system does not support file names longer than 14 characters, keep your 

indirect map names to 10 characters or fewer. 

If the indirect map name in the automounter master map contains a 

slash (/), AutoFS assumes it is a local file. If it does not contain a slash, 

AutoFS uses the Name Service Switch to determine whether it is a file or 

an NIS map. See “Configuring the Name Service Switch” on page 253. 






-t duration option to the AUTOMOUNT_OPTIONS variable in the 


100 

Chapter 2





If AutoFS is already running when you add an indirect mount to your 

configuration, you do not have to run the automount command unless 

you change the master map. Any changes you make to an existing 

indirect map will take effect the next time AutoFS mounts the directory. 

However, changes to the master map will not take effect until you issue 

the automount command to force AutoFS to reread its maps. 

You can list executable automounter maps in the master map, or include 

them in local automounter map files. Executable automounter maps 

return a map entry on standard output when automountd supplies them 

with a key to look up. If they cannot supply a map entry for the key, they 

should return nothing. AutoFS determines whether a map is executable 

by checking whether the execute bit is set in its permissions string. If a 

map is not executable, make sure its execute bit is not set. 





Example File Entries for Indirect Automounts 

Following are example lines from an automounter indirect map on NFS 

client sage. The sharp sign (#) indicates a comment. Everything from the 

sharp sign to the end of the line is ignored by AutoFS. 




draw -nosuid thyme:/export/apps/draw 

write -nosuid basil:/exprort/write 


client sage. The master map also includes an entry for the direct map 

/etc/auto_direct. 




/nfs/desktop 


Figure 2-15 illustrates how AutoFS sets up the indirect mounts for this 

Chapter 2 101



configuration. 

Figure 2-15 

How AutoFS Sets Up Indirect Mounts 


/ 

/export 

/write 


/ 

/export 

/apps 


/ 

/nfs 

/desktop 

readme /wordtool 

/draw 

/draw 

/write 

/pics /bin 

/pics /bin 

readme 

/wordtool 


To Configure Multiple (Replicated) Servers for an 


1. Follow the instructions in “To Mount a Remote Directory Using a 

Direct Automounter Map” on page 61 or “To Mount a Remote 

Directory Using an Indirect Automounter Map” on page 64. 

2. In the direct or indirect map, modify the line that mounts the remote 

directory so that multiple servers are listed. 

• If the remote directory has a different name on the different 

servers, use a syntax like the following example from a direct map: 

/nfs/proj2/schedule -ro 

\ 

broccoli:/export/proj2/schedule 

cauliflower:/proj2/FY94/schedule 

AutoFS reads this entry as one line. The line has been broken for 

readability, and the backslash (\) tells AutoFS that the line 

continues after the line break. 

102 

Chapter 2



• If the remote directory has the same name on every server, use a 

syntax like the following example from an indirect map: 

man -ro broccoli,cabbage,cauliflower:/usr/share/man 

• You can assign weights to the various servers, by specifying a 

number in parentheses after each server name. The lower the 

weight number, the more likely the server is to be selected. 

man -ro 

broccoli(1),cabbage(2),cauliflower(3):/usr/share/man 

Servers with no weight specified have a default weight of zero 

(most likely to be selected). 

Server proximity is more important than the weights you assign. 

A server on the same network segment as the client is more likely 

to be selected than a server on another network segment, 

regardless of the weights you assign. 

Directories with multiple servers should be mounted read-only to ensure 

that the versions remain the same on all the servers. 

When a user requests access to a directory with multiple servers 

configured, AutoFS polls all the servers simultaneously and mounts the 

directory from the server that responds first. Multiple servers give users 

reliable access to a mounted directory, because if one server is down, the 

directory can be mounted from another. Also, multiple servers provide 

some load balancing across the network; a server that is not busy will 

respond more quickly to AutoFS’s poll than one that is heavily loaded, so 

the directory will be mounted from the server that is not busy. 

If you configure multiple servers on both sides of a gateway, a server on 

the same side of the gateway as the NFS client will always be used, 

because it will always respond to the client’s poll before the servers on 

the other side of the gateway. 

To Use Environment Variables as Shortcuts in 


1. Use an environment variable anywhere in a direct or indirect 

automounter map except the first field, which specifies the local 

mount point. An environment variable must be preceded by a dollar 

sign ($) or enclosed in curly braces {}. The following direct map uses 

a variable called HOST: 

Chapter 2 103



/private_files sage:/export/private_files/$HOST 

2. Add the -D option to the AUTOMOUNTD_OPTIONS variable in the 

/etc/rc.config.d/nfsconf file to assign a value to the variable, as 

in the following example: 

AUTOMOUNTD_OPTIONS=”-D HOST='hostname'” 

The example shown above assumes that NFS server sage has 

subdirectories in its /export/private_files directory that are named 

after the hosts in its network. Every host in the network can use the 

same automounter map and the same AUTOMOUNTD_OPTIONS definition to 

mount its private files from server sage. 

For example, when AutoFS starts up on host basil, it assigns the value 

basil to the HOST variable. Then, when someone requests access to the 

local /private_files directory on basil, AutoFS mounts 

/export/private_files/basil from server sage. 

Any environment variable that is set to a value may be used in an 

automounter map. If you do not set the variable with the -D option in 

/etc/rc.config.d/nfsconf, AutoFS uses the current value of the 

environment variable on the local host. 

You cannot use environment variables in the automounter master map. 

To Use Wildcard Characters as Shortcuts in 


1. Use the asterisk (*) in an indirect map as a wildcard character to 

represent the local subdirectory, when you want the local 

subdirectory to be the same as the remote system name or the remote 

subdirectory. 

2. Use the ampersand (&) in a direct or indirect map as the remote 

system name or the remote subdirectory. Whatever is in the local 

directory name field will replace the ampersand. If you have used an 

asterisk to represent the local subdirectory, whatever replaces the 

asterisk (*) in the local subdirectory field also replaces the ampersand 

(&) in the remote system name or remote subdirectory field. 

You cannot use the asterisk (*) wildcard in a direct map. 

The following example automounts users’ home directories. The home 

directories are physically located on NFS server basil, under the remote 

directory /export/home. On the local NFS client, the home directories 

104 

Chapter 2



will be mounted under /home. 

Following is the line from the automounter master map 

/etc/auto_master that lists the indirect map /etc/auto_home. 



/home /etc/auto_home -nosuid 

Following is the line from the automounter indirect map 

/etc/auto_home that mounts users’ home directories on demand. 




* basil:/export/home/& 

A user’s home directory is configured in the /etc/passwd file as 

/home/username. For example, the home directory of user terry is 

/home/terry. When Terry logs in, AutoFS looks in the /etc/auto_home 

map and substitutes terry for both the asterisk and the ampersand. 

AutoFS then mounts Terry’s home directory from /export/home/terry 

on server basil to /home/terry on the local NFS client. 

The ampersand character can be used to represent both the remote 

server and the remote subdirectory, in the same line of the indirect map. 

For example, if users’ home directories are physically located on many 

different servers, but the directory under which the home directories are 

located is called /export/home/servername on all the servers, the 

following line in the /etc/auto_home map will mount all users’ home 

directories from any server: 

* &:/export/home/& 

If the home directory of user terry is configured in the /etc/passwd file 

as /home/basil/terry, when Terry logs in, AutoFS will mount the 

remote directory /export/home/basil from server basil on the local 

directory /home/basil. 

The line with the asterisk and ampersand should be the last line in an 

indirect map. AutoFS reads the lines in the indirect map sequentially 

until it finds a match for the requested local subdirectory. The asterisk 

(*) matches any subdirectory, so AutoFS stops reading at the line with 

the asterisk, because it has found a match. Any lines after the asterisk 

are never read. 

Chapter 2 105



For example, if the /etc/auto_home map contains the following lines, 


charlie thyme:/export/home/charlie 

AutoFS attempts to mount /export/home/charlie from host basil. 

The asterisk is a match for charlie, so AutoFS looks no further and 

never reads the second line. However, if the /etc/auto_home map 

contains the following lines, 

charlie thyme:/export/home/charlie 


AutoFS will mount Charlie’s home directory from host thyme and 

everyone else’s home directory from host basil. 



To Automount Users’ Home Directories 

NOTE 

This configuration requires that users’ home directories be located under 

the same directory on all systems in the network. On HP-UX release 9.x 

or earlier, home directories are usually located under /users. On HP-UX 

release 10.0 or later, home directories are usually located under /home. 

For this reason, you should not set up this configuration until all of your 

systems are running HP-UX release 10.0 or later. 






the NFS mount point where the user’s home directory will be 

mounted. For example, if home directories are mounted under /home, 

Claire’s home directory would be configured as /home/claire in the 

/etc/passwd file. 

3. If you are using local files for your automounter maps, create a file 

called /etc/auto_home on the NFS clients, and add a line to it for 

each user, like the following example. If you are using NIS to manage 

your automounter maps, add the lines to the /etc/auto_home file on 

106 

Chapter 2



the NIS master server. 

sammy thyme:/export/home/& -nosuid 

The ampersand (&) character takes the value of the user name in 

each line. In the example above, user sammy’s home directory is 

physically located on host thyme in /export/home/sammy. 


following line to the automounter master map, /etc/auto_master, 

on the NFS clients: 

/home /etc/auto_home 


to the /etc/auto_master file on the NIS master server. 



and push them to slave servers: 

cd /var/yp 

/usr/ccs/bin/make auto_master 

6. Issue the following command, on each NFS client that will use these 

automounter maps, to force AutoFS to reread the maps: 


Before you can automount home directories, you must enable AutoFS. 

See “To Enable the NFS Automounter” on page 81. 

Example of Automounting a User’s Home Directory 

User Howard’s home directory is located on NFS server basil, where it 

is called /export/home/howard. On all the machines in the network, 

Howard has the following entry in the /etc/passwd file: 

howard:MILQ3N1tBHXhM:828:Howard:/home/howard:/bin/ksh 

When Howard logs into any NFS client, AutoFS recognizes /home as an 

AutoFS mount point, because it is configured in the master map: 

/home auto_home 

AutoFS reads the auto_home map to find out how to mount Howard’s 

home directory. It finds the following line: 

howard basil:/export/home/& -nosuid 

AutoFS substitutes howard for the ampersand (&) character in that line: 

Chapter 2 107



howard basil:/export/home/howard -nosuid 

AutoFS mounts /export/home/howard from server basil to the local 

mount point /home/howard on the NFS client. Figure 2-16 illustrates 

this configuration: 

Figure 2-16 

Home Directories Automounted with Wildcards 


/ 

/export 

/home 


/ 

/home 

/howard 

/howard 

.profile 

mystuff 

.profile 

mystuff 

To Automount Multiple Directories Simultaneously 

(Hierarchical Mounts) 

• Use an editor to create an entry with the following format in a direct 

or indirect automounter map. (Create the map, if necessary, and add 

it to the automounter master map.) 

local_dir /local_subdirectory [-options] 

server:remote_directory \ 

/local_subdirectory [-options] 

server:remote_directory \ . . . 

The backslash (\) characters tell AutoFS to ignore the line breaks, so 

this entry is effectively all one line. 

Map entries with this format cause all the remote directories on the line 

to be mounted at the same time. For example, the following entry from a 

direct map mounts the source code and the data files for a project at the 

same time; whenever anyone requests access to either one, they are both 

mounted. 

/our_project /source -ro broccoli:/opt/proj1/src \ 

/datafiles cauliflower:/opt/proj1/samples/data 

108 

Chapter 2



Because the directories are always mounted simultaneously, you can use 

relative pathnames to move from one to another, for example, 

cd ../source 

Here is another example from an indirect map. In this example, the same 

mount option (nosuid) applies to all three automounted directories. 

chap2 -nosuid /text sage:/our_book/chap2 \ 

/graphics basil:/our_book/artwork/chap2 \ 

/old sage:/our_book/oldfiles/chap2 

To Include an Automounter Map in Another 


• To include the contents of an automounter map in another 

automounter map, add a plus sign (+) before the map name, as in the 





basil 

-nosuid 

basil:/export/home/basil 

+auto_home 

Assume the /etc/auto_home map is listed in the master map with the 

following line: 

/home 

/etc/auto_home 

This example has the following effect: 

If a user logs in whose home directory is in /home/basil, AutoFS will 

mount the directory /export/home/basil from host basil. 

If a user logs in whose home directory is in /home/sage, /home/thyme,or 

any subdirectory of /home other than basil, AutoFS will consult the NIS 

map auto_home for information on mounting the user’s home directory. 

The plus sign (+) tells AutoFS to look in a different map for the 

information it needs to mount the directory. If the map name following 

the plus sign begins with a slash, AutoFS assumes it is a local file. If the 

map name contains no slashes, AutoFS uses the Name Service Switch to 

determine whether it is a file or an NIS map. See “Configuring the Name 

Service Switch” on page 253. 

Chapter 2 109



You can include an automounter map inside a local file but not inside an 

NIS map. 

For more information, type man 1M automount or man 4 

nsswitch.conf. 

To Create a Hierarchy of Automounter Maps 

An organization made up of many departments may wish to organize a 

shared automounted directory structure. In the following example, the 

shared top-level directory is called /org. The /org directory contains 

several subdirectories, listed in the auto_org automounter map. Each 

department administers its own automounter map for its subdirectory. 

The automounter master map needs just a single entry for /org: 

# auto_master map 

# Directory Map Name 

/org 

auto_org 

The auto_org map looks like this: 

finance -fstype=autofs auto_finance 

marketing -fstype=autofs auto_marketing 

legal -fstype=autofs auto_legal 

research -fstype=autofs auto_research 

eng -fstype=autofs auto_eng 

And the engineering department’s map, auto_eng, looks like this: 

releases 

bigiron:/export/releases 

tools 

mickey,minnie:/export/tools 

source -fstype=autofs auto_eng_source 

projects -fstype=autofs auto_eng_projects 

A user in the ‘‘blackhole’’ project within engineering might use the 

following path: 

/org/eng/projects/blackhole 

Beginning with the AutoFS mount at /org, the evaluation of this path 

would dynamically create additional AutoFS mounts at /org/eng and 

/org/eng/projects. Since AutoFS mounts are created only when 

needed, changes to maps require no action to become visible at the user’s 

workstation. The automount command needs to be run only when 

changes are made to the master map or to a direct map. 

Hierarchical automounter maps provide a framework within which large 

110 

Chapter 2



shared filesystems can be organized. Together with NIS, which allows 

you to share information across administrative domains, the 

maintenance of the shared namespace can be effectively decentralized. 

To Turn Off an Automounter Map with the -null Map 

1. Add a line with the following syntax to the automounter master map: 

local_directory -null 

2. If AutoFS is running, issue the following command, on each client 

that will use the map, to force AutoFS to reread its maps: 


The -null option “turns off” the map that is mounted on 

local_directory. For example, if the NIS auto_master map mounts 

the auto_home map on /home, and you include the following line in your 

local /etc/auto_master file, 

/home -null 

the NIS auto_home map will not be used on your system. 

The -null option is useful for turning off NIS automounter maps that do 

not apply to your host. 

You can also replace NIS maps with local maps, as in the following 

example from /etc/auto_master: 

/home /etc/auto_ourhome 

Because AutoFS reads the local /etc/auto_master file before the NIS 

auto_master map, this entry causes AutoFS to look for mount 

information in the local file /etc/auto_ourhome instead of the 

auto_home NIS map. 

For more information, type man 1M automount. 

To Enable AutoFS 

1. In the /etc/rc.config.d/nfsconf file, make sure the NFS_CLIENT, 

AUTOMOUNT, and the AUTOFS variables are set to 1, as follows: 


AUTOMOUNT=1 

AUTOFS=1 

2. Issue the following command to run the NFS client startup script: 

Chapter 2 111




The nfs.client start script will start any NFS client processes 

that are not already running, including AutoFS. 

When AutoFS starts up, it uses the Name Service Switch to determine 

which name services you are using and to find the master maps that are 

available from those name services. 

For more information, type man 4 nsswitch.conf or man 1M automount 


To Disable AutoFS 

1. Issue the following command to run the NFS client shutdown script: 



and AUTOMOUNT variables are set to 1, and the AUTOFS variable is set 

to 0, as follows: 


AUTOMOUNT=1 

AUTOFS=0 

CAUTION 

Do not kill the automountd daemon with the kill command. It does not 

die gracefully. It does not unmount AutoFS mount points before it dies. 

Use the nfs.client stop script to ensure that automountd dies cleanly. 

After you have disabled AutoFS using the nfs.client stop script, you 

may notice that the autofs_proc process is still running. You can safely 

ignore this process. (The autofs_proc cannot be ‘‘killed’’; the only way to 

stop autofs_proc is to reboot.) 

To Verify Your AutoFS Configuration 

1. Type the following command to change the current working directory 

to an automounted directory: 

/usr/bin/cd local_directory 

where local_directory is the configured mount point in the 

automounter map. 

112 

Chapter 2



2. Type the following command to verify that the contents of the remote 

directory have been mounted under the local mount point: 

/usr/bin/ls 

If the directory is configured in an indirect map, issuing the ls command 

from the parent directory will display nothing. When you cd to a 

subdirectory configured in the indirect map, or issue the command 

ls subdirectory, the subdirectory will be mounted. 

Therefore, if you have the following indirect map configuration, 



/nfs/desktop 





draw 

-nosuid 

thyme:/export/apps/draw 

write -nosuid basil:/export/write 

and you issue the following commands, 

cd /nfs/desktop 

ls 

the ls command will produce no output, because the draw and write 

subdirectories are not currently mounted. However, if you issue the 

following commands, 

cd /nfs/desktop/write 

cd /nfs/desktop/draw 

cd .. 

ls 

the ls command will display 

draw 

write 

If AutoFS is not mounting your configured directories, see 

“Troubleshooting NFS Services” on page 273. 

Chapter 2 113



To Modify or Remove (Unmount) an Automounted 


1. If you are planning to remove an automounted directory, issue the 

following command to determine whether the directory is currently in 

use: 









3. Use an editor to make your changes to the direct or indirect map. 

4. If you removed the last entry in the direct or indirect map, remove the 

line for that map in the automounter master map. 

5. If you made any changes to the master map, or if you added or 

modified a local mount point in a direct map, run the following 

command to force AutoFS to reread its maps: 


114 

Chapter 2


Configuring and Using NFS Netgroups 


This section tells you how to create and use NFS netgroups to restrict 

NFS access to your system. It describes the following tasks: 

• To Create Netgroups in the /etc/netgroup File 

• To Create Netgroups in the NIS+ netgroup Table 

• To Use Netgroups in Configuration Files 

To Create Netgroups in the /etc/netgroup File 

1. If you are using the local /etc/netgroup file or the NIS netgroup 

map for netgroups, add lines with the following syntax to the 

/etc/netgroup file. If you are using NIS, be sure to edit the 

/etc/netgroup file only on the NIS master server. 

netgroup_name (host, user, NIS_domain), (host, user, 

NIS_domain) ... 

2. If you are using NIS to manage your netgroups database, issue the 

following command on the NIS master server to generate the 

netgroup, netgroup.byhost, and netgroup.byuser maps from the 

/etc/netgroup file and push the generated maps out to the NIS 


cd /var/yp 

/usr/ccs/bin/make netgroup 

A netgroup can be used in most NFS and NIS configuration files instead 

of a host name or a user name. A netgroup does not create a relationship 

between users and hosts. When a netgroup is used in a configuration file, 

it represents either a group of hosts or a group of users but never both. 

If you are using BIND (DNS) for hostname resolution, hosts must be 

specified as fully qualified domain names, for example 

turtle.bio.nmt.edu. 

If the host, user, or NIS_domain is left blank in a netgroup, that field 

can take any value. If a dash (-) is specified in any field of a netgroup, 

that field can take no value. 

The NIS_domain field specifies the NIS domain in which the (host, 

user, NIS_domain) triple is valid. For example, if the netgroup 

Chapter 2 115



database contains the following netgroup, 

myfriends (sage,-,bldg1), (cauliflower,-,bldg2), 

(pear,-,bldg3) 

and an NFS server running NIS in the domain bldg1 exports a directory 

only to the netgroup myfriends, only host sage may mount that 

directory. The other two triples are ignored, because they are not valid in 

the bldg1 domain. 

If an HP-UX host not running NIS exports a directory to the netgroup 

myfriends, the NIS_domain field is ignored, and all three hosts (sage, 

cauliflower, and pear) may mount the directory. 

If the netgroup database contains the following netgroup, 

mydomain (,,bldg1) 

and a host in the NIS domain bldg1 exports a directory to the netgroup 

mydomain, any host in any domain may mount the directory, because the 

host field is blank. 

If an HP-UX host not running NIS exports a directory to the netgroup 

mydomain, shown above, the NIS_domain field is ignored, but the host 

field is used, so any host in any domain may mount the directory. 

If a host in the NIS domain bldg2 exports a directory to the netgroup 

mydomain, no host in any domain may mount the directory, because the 

triple is not valid in the bldg2 domain, so it is ignored. 

Netgroup Examples 

The following netgroup specifies a group of hosts: 

trusted_hosts (sage, , ), (basil, , ), (thyme, , ) 

The trusted_hosts netgroup could be used in the -access option of a 

line in the /etc/exports file, as follows: 

/usr -access=trusted_hosts 

The following netgroup specifies a group of users: 

administrators ( ,jane, ), ( ,art, ), ( ,mel, ) 

If this netgroup were ever accidentally included in a list of hosts rather 

than users, the blank space would be interpreted as a wildcard meaning 

any host. For example, if someone used this netgroup in a -access list in 

the /etc/exports file, any host would have access to the exported 

directory. For this reason, if a netgroup is used strictly as a list of users, 

116 

Chapter 2



it is better to put a dash in the host field, as follows: 

administrators (-,jane, ), (-,art, ), (-,mel, ) 

The dash indicates that no hosts are included in the netgroup. 

The trusted_hosts and administrators netgroups could be used 

together in the /etc/hosts.equiv file, as follows: 

+@trusted_hosts +@administrators 

The first netgroup would be read for host names, and the second would 

be read for user names. Users in the administrators netgroup could log 

into the local host from any host in the trusted_hosts netgroup without 

supplying a password. 

The two netgroups could be combined into one, as follows: 

goodguys (sage,jane, ), (basil,art, ), (thyme,mel, ) 

If the two netgroups were combined this way, the same netgroup could be 

used as both the host name and the user name in the /etc/hosts.equiv 

file: 

+@goodguys 

+@goodguys 

The first occurrence of it would be read for the host name, and the second 

occurrence would be read for the user name. No relationship exists 

between the host and user in any of the triples. For example, user jane 

might not even have an account on host sage. 

A netgroup can contain other netgroups, as in the following example: 

root-users (dill,-, ), (sage,-, ), (thyme,- , ), (basil,-, ) 

mail-users (rosemary, , ), (oregano, , ), root-users 

The root-users netgroup is a group of four systems. The mail-users 

netgroup uses the root-users netgroup as part of a larger group of 

systems. The blank space in the third field of each triple indicates that 

these netgroups are valid in any NIS domain. 

To Create Netgroups in the NIS+ netgroup Table 

If you are using NIS+ to manage your netgroups, issue commands with 

the following syntax to add entries to the NIS+ netgroup table: 

nistbladm -a group= host=host user=user domain=domain \ 

comment= netgroup.org_dir 

or 

Chapter 2 117



nistbladm -a group=netgroup host= user= domain= \ 

comment= netgroup.org_dir 

In the NIS+ netgroup table, each netgroup may consist of multiple table 

entries. Each table entry specifies either a (host, user, domain) triple or 

an included netgroup. Each entry may contain a comment in the last 

column. 

For information on the general syntax of netgroups and how they are 

used, see “To Create Netgroups in the /etc/netgroup File” on page 115. 

For more information on NIS+, see “Configuring and Administering 

NIS+” on page 185. 

To Use Netgroups in Configuration Files 

Netgroups may be used in the following files: 

• /etc/exports, in the -access list 

• /etc/hosts.equiv or $HOME/.rhosts, in place of a host name or 

user name 

• /etc/passwd, to tell processes whether to look in the NIS password 

database for information about the users in the netgroup 

• /etc/group, to tell processes whether to look in the NIS group 

database for information about the users in the netgroup 

The next few sections explain how to use netgroups in these files. 

Using Netgroups in the /etc/exports File 

In the /etc/exports file, netgroups can be used in the list of NFS clients 

following the -access option, as in the following example: 

/var/mail -access=mail_clients 

The mail_clients netgroup is defined as follows: 

mail_clients (cauliflower, , ), (broccoli, , ), (cabbage, , ) 

Only the host names from the netgroup are used. If the netgroup also 

contains user names, these are ignored. This netgroup is valid in any 

NIS domain, because the third field in each triple is left blank. 

Using Netgroups in the /etc/hosts.equiv or $HOME/.rhosts File 

In the /etc/hosts.equiv file, or in a .rhosts file in a user’s home 

118 

Chapter 2



directory, netgroups can be used in either the host name field or the user 

name field, as in the following example: 

+@our_friends 

+@our_friends 

The netgroup our_friends can be used as both the host name and the 

user name, because it includes both host names and user names, as 

follows: 

our_friends (sage,sara, ), (sage,eric, ), (dill,-, ), ( 

,monica, ) 

The blank host name field in the fourth triple serves as a wildcard, 

allowing users from any host on the network to log in without supplying 

a password. However, only the users listed in the netgroup are given this 

privileged access, because each user name field contains either a user 

name or a dash. 

Netgroups can also be used to deny privileged access to certain hosts or 

users in the /etc/hosts.equiv or $HOME/.rhosts file, as in the 


+ -@vandals 

The plus sign (+) is a wildcard in the /etc/hosts.equiv or 

$HOME/.rhosts file syntax, allowing privileged access from any host in 

the network. The netgroup vandals is defined as follows: 

vandals ( ,pat, ), ( ,harriet, ), ( ,reed, ) 

All users except those listed in the vandals netgroup can log into the 

local system without supplying a password from any system in the 

network. 

CAUTION 

Any users who are denied privileged access in the /etc/hosts.equiv 

file can still be allowed privileged access in a user’s $HOME/.rhosts file. 

The $HOME/.rhosts file is read after the /etc/hosts.equiv file and 

overrides it. 

For more information, type man 4 hosts.equiv at the HP-UX prompt. 

Using Netgroups in the /etc/passwd File 

In the /etc/passwd file, netgroups can be used to indicate whether user 

information should be looked up in the NIS or NIS+ passwd database. 

Chapter 2 119



The following example line from the /etc/passwd file indicates that 

users in the netgroup animals should be looked up in the NIS or NIS+ 

passwd database: 

+@animals 

The animals netgroup is defined as follows in the /etc/netgroup file: 

animals (-,mickey, ), (-,daffy, ), (-,porky, ), (-,bugs, ) 

Note that the /etc/passwd file is searched sequentially, so if user 

mickey, daffy, porky, or bugs appears before the animals netgroup in 

the /etc/passwd file, the NIS or NIS+ database will never be consulted 

for information on that user. 

The Name Service Switch configuration is used to determine where to 

look for the contents of a netgroup. See “Configuring the Name Service 

Switch” on page 253. 

Netgroups can also be used to prevent lookups of certain users in the NIS 

or NIS+ passwd database. The following example lines from the 

/etc/passwd file indicate that if the NIS or NIS+ passwd database 

contains entries for users in the bears netgroup, these entries cannot be 

used on the local system. Any other users can be looked up in the NIS or 

NIS+ database. 

-@bears 

+::-2:60001::: 

The line beginning with + causes the NIS or NIS+ database to be 

searched for any users (except those in the bears netgroup) who are not 

listed before the line beginning with +. 

For more information on NIS, see “Configuring and Administering NIS” 

on page 135. 



For information on the /etc/passwd file, type man 4 passwd at the 

HP-UX prompt. 

Using Netgroups in the /etc/group File 

In the /etc/group file, netgroups can be used to indicate whether group 

information about certain users should be looked up in the NIS or NIS+ 

group database. 

The following example line from the /etc/group file indicates that group 

120 

Chapter 2



information for users in the netgroup animals can be found in the NIS or 

NIS+ group database: 

+@animals 

The animals netgroup is defined as follows in the /etc/netgroup file: 

animals (-,mickey, ), (-,daffy, ), (-,porky, ), (-,bugs, ) 

Members of the animals netgroup can belong to groups listed in the local 

/etc/group file as well as in the NIS or NIS+ group database. The 

following lines in the /etc/group file give users bugs and daffy 

membership in the group wiseguys and in any group in the NIS or NIS+ 

database that includes them as members: 

wiseguys::22:bugs,daffy 

+@animals 

Netgroups can also be used in the /etc/group file to prevent lookups for 

certain users. The bears netgroup is defined as follows in the 

/etc/netgroup file: 

bears (-,yogi, ), (-,smokey, ), (-,pooh, ) 

The following lines in the /etc/group file allow user pooh membership 

in group teddybears but not in any other group listed in the NIS or 

NIS+ database or after the -@bears line in the /etc/group file: 

teddybears::23:pooh,paddington 

-@bears 

For more information on NIS, see “Configuring and Administering NIS” 

on page 135. 



For information on the /etc/group file, type man 4 group at the HP-UX 

prompt. 

Chapter 2 121


Configuring the Other NFS Daemons and Services 

Configuring the Other NFS Daemons and 

Services 

If you want to use some of the other NFS services, like the Remote 

Execution Facility (REX) or the rup(1) and rusers(1) commands, this 

section tells you how to enable those daemons and services. This section 

tells you how to perform the following tasks: 

• To Enable the Other NFS Services 

• To Restrict Access to the Other NFS Services 

To Enable the Other NFS Services 

1. In the /etc/inetd.conf file, use a text editor to uncomment the lines 

that begin with “rpc.” (Delete the sharp sign [#] in the first column.) 

If the lines do not exist, type them into the /etc/inetd.conf file. 

Table 2-7 gives the line you need to enter for each NFS service. 

2. If NFS is not yet running on your system, issue the following 

command: 


3. Issue the following command to force inetd to read its configuration 

file: 

/usr/sbin/inetd -c 

CAUTION 

Do not issue the /usr/sbin/inetd command if NFS is not yet running 

on your system. The NFS startup script starts the rpcbind(1M) process, 

which must be running before you start inetd. 

Table 2-7 lists the NFS daemons and services that can be started by the 

inetd daemon. It briefly describes each one and tells you which man 

pages you can read for more information. It also gives the line that 

configures each service in the inetd.conf file. 

You cannot use SAM to enable the other NFS services. 

122 

Chapter 2



Table 2-7 

rexd 

rstatd 

rusersd 

rwalld 

Other NFS Services 

The rpc.rexd program is the server for the on command, which starts the 

Remote Execution Facility (REX). The on command sends a command to be 

executed on a remote system. The rpc.rexd program on the remote system 

executes the command, simulating the environment of the user who issued 

the on command. See Chapter 7, “Configuring and Using the Remote 

Execution Facility (REX),” or see man pages rexd(1M) and on(1). The 

following line configures rexd in inetd.conf: 

rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd 

The rpc.rstatd program answers requests from the rup command, which 

collects and displays status information about the machines on the local 

network. For more information, see man pages rstatd(1M) and rup(1). The 

following line configures rstatd in inetd.conf: 

rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd 100001 

1-3 \ 

rpc.rstatd 

The rpc.rusersd program responds to requests from the rusers command, 

which collects and displays information about all users logged into the 

machines on the local network. For more information, see man pages 

rusersd(1M) and rusers(1). The following line configures rusersd in 

inetd.conf: 

rpc dgram udp wait root /usr/lib/netsvc/rusers/rpc.rusersd 100002 

1-2 \ 

rpc.rusersd 

The rpc.rwalld program handles requests from the rwall program. The 

rwall program sends a message to a specified machine where the 

rpc.rwalld program is running, and the message is written to all users 

logged onto the machine. For more information, see man pages rwalld(1M) 

and rwall(1M). The following line configures rwalld in inetd.conf: 

rpc dgram udp wait root /usr/lib/netsvc/rwall/rpc.rwalld 100008 1 \ 

rpc.rwalld 

Chapter 2 123



Table 2-7 

sprayd 

rquotad 

Other NFS Services 

The rpc.sprayd program is the server for the spray command, which sends a 

stream of packets to a specified host and then reports how many were 

received and how fast. For more information, see man pages sprayd(1M) and 

spray(1M). The following line configures sprayd in inetd.conf: 

rpc dgram udp wait root /usr/lib/netsvc/spray/rpc.sprayd 100012 1 \ 

rpc.sprayd 

The rpc.rquotad program responds to requests from the quota command, 

which displays information about a user’s disk usage and limits. For more 

information, see man pages rquotad(1M) and quota(1). The following line 

configures rquotad in inetd.conf: 

rpc dgram udp wait root /usr/sbin/rpc.rquotad 100011 1 rpc.rquotad 

To Restrict Access to the Other NFS Services 

• In the /var/adm/inetd.sec file, create a line with the following 

syntax for each service to which you want to restrict access: 

service {allow} host_or_network [host_or_network...] 

{deny} 

If the /var/adm/inetd.sec file does not exist, you will have to create it. 

service must match one of the service names in the /etc/rpc file. 

Specify either allow or deny but not both. Enter only one line per 

service. 

host_or_network can be either an official host name or network name or 

an IP address. Any of the four numbers in an IP address can be specified 

as a range (for example, 1-28) or the wildcard character (*). 

The inetd.sec file is checked only when the service is started. If a 

service remains active and accepts more requests without being 

restarted, the inetd.sec file is not checked again. 

You can use SAM to modify the /var/adm/inetd.sec file. 

For more information see the man pages inetd.conf(4) and 

inetd.sec(4). 

Examples from /var/adm/inetd.sec 

The following example allows only hosts on subnets 15.13.2.0 through 

124 

Chapter 2



15.13.12.0 to use the spray command: 

sprayd allow 15.13.2-12.0 

The following example prevents host cauliflower from using the rwall 


rwalld deny cauliflower 

Chapter 2 125



126 

Chapter 2

3 Configuring the Cache File 

System (CacheFS) 

This chapter describes the benefits of using the Cache File System and 

how to configure it on HP-UX. CacheFS is not available on HP-UX 11.0. 

Chapter 3 127

Configuring the Cache File System (CacheFS) 

The Cache File System 

The Cache File System 

IMPORTANT CacheFS is not available on HP-UX 11.0. 

The Cache File System (CacheFS) is a general purpose file system 

caching mechanism that improves NFS server performance and 

scalability by reducing server and network load. CacheFS provides the 

ability to cache one file system on another. 

In an NFS environment, CacheFS increases the client per server ratio, 

reduces server and network loads, and improves performance for clients 

on slow links (for example, PPP). 

CacheFS performs local disk caching of file systems, which reduces the 

network traffic. Individual client machines become less reliant on the 

server, thereby decreasing overall server load, which leads to an increase 

in server performance. 

CacheFS improves read performance for data that will be read more 

than once. It does not improve write performance at all. 

Good choices for cached file systems include man pages and executable 

programs, which are read multiple times and rarely modified. Using 

CacheFS for /var/mail is not a good use of resources. The /var/mail 

file is modified frequently and is typically read only once and then 

thrown away. 

By default, CacheFS maintains consistency with the back file system 

using a consistency checking model like that of NFS (polling for changes 

in file attributes). 

The first time data is read from an NFS-mounted file system, there is 

actually some overhead while CacheFS writes the data to its local cache. 

After the data is written to the cache, read performance for the file 

system is significantly improved. 

128 

Chapter 3


CacheFS Terms 

CacheFS Terms 

Following are some CacheFS terms that will be used in this chapter: 

back file system The file system that is being cached. On HP-UX, NFS is 

the supported back file system. 

front file system The file system that contains the cached data. HFS is 

the supported front file systems. 

cold cache A cache that does not yet have any data in its front file 

system. In this case, requested data must be copied 

from the back file system to the front file system (that 

is, the cache must be populated). An attempt to 

reference data that is not yet cached is called a “cache 

miss.” 

warm cache A cache that contains the desired data in its front file 

system. In this case, the cached data can be returned to 

the user without requiring any action from the back file 

system. An attempt to reference data that has been 

cached is called a “cache hit.” 

Chapter 3 129


Configuring CacheFS 


IMPORTANT CacheFS is not available on HP-UX 11.0. 

You can use CacheFS to cache NFS-mounted or automounted NFS file 

systems. You must decide whether to use CacheFS before you mount a 

file system. Before you can mount a file system using CacheFS, you must 

configure a local file system as the cache directory. 

NOTE 

You cannot use SAM to mount a file system with CacheFS. 

Configuring CacheFS involves several procedures. This section provides 

instructions for completing tasks needed to configure CacheFS: 

• To Configure a Local File System as Cache 

• To Mount an NFS File System Using CacheFS 

• To Automount a File System Using CacheFS 

For more information on CacheFS, see the following man pages: 

cfsadmin(1M), fsck_cachefs(1M), mount(1M), mount_cachefs(1M), 

and cachefsstat(1M). 

130 

Chapter 3



To Configure a Local File System as Cache 

1. If necessary, configure and mount the HFS file system, the front file 

system, on the client system where data will be cached. See the 

HP-UX System Administration Tasks manual for more information. 

No special disk partitioning is necessary for creating a CacheFS front 

file system. If you already have a mounted file system with sufficient 

disk space for caching your NFS file systems, you can create a 

subdirectory in the existing file system to use for your CacheFS front 

file system. 

2. Become root user. 

3. Create a CacheFS directory with the data structures necessary to 

allow a CacheFS mount, by typing the following command: 

/usr/sbin/cfsadmin -c /cache_directory 

For example, if you had a mounted file system called /disk2, you 

could create a CacheFS directory called /disk2/cache with the 


/usr/sbin/cfsadmin -c /disk2/cache 

CacheFS manages its resources most effectively in cases where the 

entire front file system is dedicated to caching, or in cases where the 

non-cache portions of the front file system are static, read-only files. 

CacheFS allows more than one file system to be cached in the same 

cache. There is no need to create a separate cache directory for each 

CacheFS mount. In typical usage, you need to run cfsadmin -c only 

once to create a single cache for all of your CacheFS mounts. 

For more information, type man 1M cfsadmin at the HP-UX prompt. 

Chapter 3 131



To Mount an NFS File System Using CacheFS 

Before you can mount an NFS file system with CacheFS, you must 

configure a directory in a local file system as cache. See “To Configure a 

Local File System as Cache” on page 131. 

1. Mount an NFS file system using CacheFS by typing the mount(1M) 

command, as in the following examples: 

mount -F cachefs -o backfstype=nfs,cachedir=/disk2/cache \ 

nfsserver:/opt/frame /opt/frame 

2. Add a line to the /etc/fstab file, as in the following example, to 

cause your NFS file system to be mounted at system boot: 

nfsserver:/opt/frame /opt/frame cachefs \ 

backfstype=nfs,cachedir=/disk2/cache 0 0 

This example NFS-mounts the directory /opt/frame from server 

nfsserver to the local /opt/frame directory. Now /opt/frame can be 

accessed just like any mounted file system. As data in /opt/frame is 

referenced, it will be copied into /disk2/cache. Further references to 

the data will access the data on the local disk instead of the data on the 

remote server. 

For more information, type man 1M mount at the HP-UX prompt. 

132 

Chapter 3



To Automount a File System Using CacheFS 

Before you can automount an NFS file system with CacheFS, you must 

configure a directory in a local file system as cache. See “To Configure a 

Local File System as Cache” on page 131. 

1. Add a line for the automounted file system to the appropriate 

automounter direct or indirect map, as in the following examples: 

# direct map example: 

/usr/dist -ro,nosuid,fstype=cachefs,backfstype=nfs, \ 

cachedir=/disk2/cache distserver:/export/dist 

# indirect map example: 

proj1 -nosuid,fstype=cachefs,backfstype=nfs,\ 

cachedir=/disk2/cache \ 

/src testbox1:/export/proj1/src 

/data testbox2:/export/proj1/data 

2. If you modified a direct map or the automounter master map, (Step 1 

instructs users to edit direct map. When did or would users edit 

master map?) issue the following command, on each NFS client that 

will use the map, to force AutoFS to reread its maps: 


You can specify caching in an NIS automounter map only if all clients 

who will use the map have their caching directory set up in the same 

location (/disk2/cache, in the examples). 

For more information, type man 1M automount at the HP-UX prompt. 

• cachefsstat shows information, gathered from the cache, about a 

specific file system or all cached file systems. 

Chapter 3 133



134 

Chapter 3


NIS 

The Network Information Service (NIS), previously called “Yellow 

Pages,” is a distributed database system that allows you to maintain 

Chapter 4 135

Configuring and Administering NIS 

commonly used configuration information on a master server and 

propagate the information to all the hosts in your network. This chapter 

explains how to configure and administer the servers and clients in an 

NIS domain. It contains the following sections: 

• Overview of NIS 

• Planning the NIS Network 

• Configuring and Administering an NIS Master Server 

• Configuring and Administering an NIS Slave Server 

• Configuring and Administering an NIS Client 

• Configuring and Administering Secure RPC (if NIS+ is not used) 

• Summary of NIS Commands 

NOTE 

NIS is not supported across extended LANs (LANs separated by routers 

or bridges). NIS is also not supported across WAN links, like X.25 and 

SLIP. 

136 

Chapter 4


Overview of NIS 


NIS allows you to administer the configuration of many hosts from a 

central location. Common configuration information, which would have 

to be maintained separately on each host in a network without NIS, can 

be stored and maintained in a central location and propagated to all of 

the nodes in the network. 

Information Managed by NIS 

By default, NIS manages the following configuration files: 

• /etc/hosts, a file that maps internet addresses to host names. 

• /etc/passwd, a list of the users on your system, along with their 

passwords, home directories, and other information. 

• /etc/group, a list of groups of users. 

• /etc/netgroup, a list of NFS netgroups, which are groups of host 

names or user names used for allowing or denying access to systems 

and services. 

• /etc/services, a file that associates network services with their 

port numbers and protocols. 

• /etc/protocols, a file that associates network protocols with 

protocol numbers. 

• /etc/networks, a list of network names and numbers. 

• /etc/rpc, a file that maps RPC program names to program numbers. 

• /etc/auto_master, an NFS automounter map that lists the direct 

and indirect automounter maps and their mount points. 

• /etc/mail/aliases, a list of sendmail aliases. 

• /etc/publickey, a list of secure RPC encryption keys. 

• /etc/netid, a list of secure RPC netnames (unix.UID@domainname 

or unix.hostname@domainname) for users and hosts outside your NIS 

domain. 

• /etc/vhe_list, a configuration file for the Virtual Home 

Environment. (Type man 4 vhe_list for more information.) VHE is 

Chapter 4 137



not supported on 10.0 and later releases. 

The information in these files is put into NIS databases automatically 

when you create an NIS master server. Other system files may be 

managed by NIS, if you wish to customize your configuration. 

Structure of the NIS Network 

The center of the NIS network is the NIS master server. When you 

create an NIS master server, the configuration files on that host are used 

to create NIS maps, which are hashed database versions of the 

configuration files. Once the NIS network is set up, any changes to the 

maps must be made on the master server. 

In addition to the master server, you can create backup servers, called 

NIS slave servers, to take some load off the master server and to 

substitute for the master server when it is down. When you create an 

NIS slave server, the maps on the master server are transferred to the 

slave server. Whenever a change is made to a map on the master server, 

the modified map must be transferred to the slave servers. 

Typically, all the hosts in the network, including the master and slave 

servers, are NIS clients. Whenever a process on an NIS client requests 

configuration information, it calls NIS instead of looking in its local 

configuration files. (For group and password information and mail 

aliases, the /etc files may be consulted first, and NIS may be consulted if 

the requested information is not found in the /etc files.) 

The set of maps shared by the servers and clients is called the NIS 

domain. The master copies of the maps are located on the NIS master 

server, in the directory /var/yp/domainname. Under the domainname 

directory, each map is stored as two files: mapname.dir and 

mapname.pag. Each slave server has an identical directory containing 

the same set of maps. 

When a client starts up, it broadcasts a request for a server that serves 

its domain. Any server that has the set of maps for the client’s domain 

may answer the request. The client “binds” to the first server to answer 

its request, and that server answers all of its NIS queries. 

Figure 4-1 shows the flow of information in an NIS domain. 

138 

Chapter 4



Figure 4-1 

Flow of Information in an NIS Network 

Master 

Server 

Maps are created from 

configuration files on 

the master server. 

maps 

Slave 

Server 

maps 

Slave 

Server 

Maps are transferred 

from the master server 

to the slave servers. 

data 

data 

data 

Servers send 

configuration data 

to clients. 

Client 

Client 

Client 

A host cannot be the master server for more than one NIS domain. 

However, a master server for one domain may be a slave server for 

another domain. A host can be a slave server for multiple domains. A 

client belongs to only one domain. Figure 4-2 shows an NIS network with 

servers that serve multiple domains. 

Figure 4-2 

Servers that Server Multiple NIS Domains 

Master 

Server 

Domain 1 

Master Slave 

Server Server 

Slave 

Serve 

Domain 

Slave 

Server 

Slave 

Server 

Slave 

Server 

Client Client Client 

Clien Clien Clien Clien 

Chapter 4 139


Planning the NIS Network 


This section explains how to plan the layout of your NIS network. It tells 

you how to perform the following tasks: 

• To Determine the Number of NIS Domains You Need 

• To Determine the Number of NIS Servers You Need 

• To Determine Which Hosts Will Be NIS Servers 

• To Draw an NIS Network Map 

To Determine the Number of NIS Domains You Need 

For many sites, all hosts can belong to the same domain, and it is not 

necessary to set up more than one. However, you might want to create 

multiple domains for the following reasons: 

• If your site is divided into multiple administrative departments, with 

a different system administrator for each department, you should 

allow each system administrator to maintain a separate NIS domain. 

• If your site is divided into multiple administrative departments, and 

each department requires different configuration data and allows 

access to different users and hosts, you should create a separate NIS 

domain for each administrative department. 

140 

Chapter 4



To Determine the Number of NIS Servers You Need 

Following are some guidelines for determining the number of NIS 

servers you will need in your domain: 

• You must put a server on each subnetwork in your domain. When a 

client starts up, it broadcasts a message to find the nearest server. 

This broadcast message is not propagated across routers or gateways, 

so each subnet must have at least one server. 

• In general, a server can serve about 30 NIS clients if the clients and 

servers run at the same speed. If the clients are faster than the 

servers, you will need more servers. If the clients are slower than the 

servers, each server can serve 50 or more clients. 

To Determine Which Hosts Will Be NIS Servers 

• Choose servers that are reliable and highly available. 

• Choose fast servers that are not used for CPU-intensive applications. 

Do not use gateways or terminal servers as NIS servers. 

• Distribute servers appropriately among client networks. Because an 

NIS client can bind only to a server on its own subnet, each subnet 

must have enough servers to accommodate the clients on that subnet. 

Chapter 4 141



To Draw an NIS Network Map 

It is a very good idea to draw a map of your NIS network, to help with 

maintenance and troubleshooting in the future. Figure 4-3 shows an 

example of an NIS network map. 

Figure 4-3 

Example NIS Network Map 

hostname: eeyore 

role: slave (PoohCorners) 

domain: PoohCorners 

network: 192.6.36.0 


number of clients: 12 

hostname: pooh 

role: master (PoohCorners) 


hostname: tigger 

role: slave (PoohCorners) 


network: 192.6.27.0 



network: 192.6.45.0 



hostname: rabbit 

role: master (Wonderland) 

slave (PoohCorners) 

domain: Wonderland 

network: 192.6.81.0 



hostname: alice 

role: slave (Wonderland) 


hostname: hatter 

role: slave (Wonderland) 


network: 192.6.85.0 



142 

Chapter 4


Configuring and Administering an NIS Master Server 

Configuring and Administering an NIS Master 

Server 

An NIS master server holds the source files for all the NIS maps in the 

domain. Any changes to the NIS maps must be made on the NIS master 

server. The NIS master server delivers information to NIS clients and 

supplies the NIS slave servers with up-to-date maps. 

An NIS master server must also be an NIS client. 

This section explains how to perform the following tasks. Only the first 

five tasks are required to get your NIS master server up and running. 

• To Create the Master passwd File 

• To Create the Master group File 

• To Create the Master hosts File 

• To Enable NIS Master Server Capability 

• To Verify Your NIS Master Server Configuration 

• To Configure the NIS Master Server to Use a Private passwd File 

• To Restrict Client and Slave Server Access to the Master Server 

• To Check the Contents of an NIS Map 

• To Modify an NIS Map 

• To Add an Automounter Map to Your NIS Domain 

• To Remove an Automounter Map from Your NIS Domain 

• To Add a Slave Server to Your NIS Domain 

• To Remove a Slave Server from Your NIS Domain 

• To Query BIND for Host Information After Querying NIS 

• To Use NIS With Short File Names 

• To Configure an HP-UX Master Server in a Domain with Sun 

Systems 

Chapter 4 143



To Create the Master passwd File 

1. Copy the /etc/passwd file from each host in your NIS domain to the 

/etc directory on the host that will be the master server. Name each 

copy /etc/passwd.hostname, where hostname is the name of the 

host it came from. 

2. Concatenate all the passwd files together, including the master 

server’s passwd file, into a temporary passwd file, as follows: 

cd /etc 

cat passwd passwd.hostname1 passwd.hostname2... > 

passwd.temp 

3. Issue the following command to sort the temporary passwd file by 

user name: 

sort -o /etc/passwd.temp -t: -k1,1 /etc/passwd.temp 

4. Examine /etc/passwd.temp for duplicate user names. If you find 

multiple entries for the same user, edit the file to remove redundant 

ones. Make sure each user in your network has a unique user name. 

5. Issue the following command to sort the temporary passwd file by 

user ID: 

sort -o /etc/passwd.temp -t: -k3n,3 /etc/passwd.temp 

6. Examine /etc/passwd.temp for duplicate user IDs. If you find 

multiple entries with the same user ID, edit the file to change the 

user IDs so that no two users have the same user ID. 

7. Move /etc/passwd.temp (the sorted, edited file) to /etc/passwd. 

This file will be used to generate the passwd map for your NIS 

domain. 

8. Remove all the /etc/passwd.hostname files from the master server. 

NOTE 

NIS does not require that the passwd file be sorted in any particular way. 

Sorting the passwd file simply makes it easier to find duplicate entries. 

For more information, type man 4 passwd or man 1 sort at the HP-UX 

prompt. 

144 

Chapter 4



To Create the Master group File 

1. Copy the /etc/group file from each host in your NIS domain to the 


copy /etc/group.hostname, where hostname is the name of the host 

it came from. 

2. Concatenate all the group files together, including the master server’s 

group file, into a temporary group file, as follows: 

cd /etc 

cat group group.hostname1 group.hostname2... > group.temp 

3. Issue the following command to sort the temporary group file by 

group name: 

sort -o /etc/group.temp -t: -k1,1 /etc/group.temp 

4. Examine /etc/group.temp for duplicate group names. If a group 

name appears more than once, merge the groups with the same name 

into one group and remove the duplicate entries. 

5. Issue the following command to sort the temporary group file by 

group ID: 

sort -o /etc/group.temp -t: -k3n,3 /etc/group.temp 

6. Examine /etc/group.temp for duplicate group IDs. If you find 

multiple entries with the same group ID, edit the file to change the 

group IDs so that no two groups have the same group ID. 

7. Move /etc/group.temp (the sorted, edited file) to /etc/group. This 

file will be used to generate the group map for your NIS domain. 

8. Remove the /etc/group.hostname files from the master server. 

NOTE 

NIS does not require that the group file be sorted in any particular way. 

Sorting the group file simply makes it easier to find duplicate entries. 

For more information, type man 4 group or man 1 sort at the HP-UX 

prompt. 

Chapter 4 145



To Create the Master hosts File 

1. Copy the /etc/hosts file from each host in your NIS domain to the 


copy /etc/hosts.hostname, where hostname is the name of the host 

it came from. 

2. Concatenate all the hosts files together, including the master server’s 

hosts file, into a temporary hosts file, as follows: 

cd /etc 

cat hosts hosts.hostname1 hosts.hostname2... > hosts.temp 

3. Issue the following command to sort the temporary hosts file so that 

duplicate IP addresses are on adjacent lines: 

sort -o /etc/hosts.temp /etc/hosts.temp 

4. Examine /etc/hosts.temp for duplicate IP addresses. If the same IP 

address appears in multiple entries, remove all the entries but one. If 

you need to map an IP address to multiple host names, include them 

as aliases in a single entry. 

5. Issue the following command to sort the temporary hosts file by host 

name: 

sort -o /etc/hosts.temp -b -k2,2 /etc/hosts.temp 

6. Examine /etc/hosts.temp for duplicate host names. A host name 

may be mapped to multiple IP addresses only if the IP addresses 

belong to different LAN cards on the same host. If a host name 

appears in multiple entries, mapped to IP addresses on different 

hosts, remove all the entries but one. 

7. Examine /etc/hosts.temp for duplicate aliases. No alias should 

appear in more than one entry. 

8. Move /etc/hosts.temp (the sorted, edited file) to /etc/hosts. This 

file will be used to generate the hosts map for your NIS domain. 

9. Remove the /etc/hosts.hostname files from the master server. 

NOTE 

NIS does not require that the hosts file be sorted in any particular way. 

Sorting the hosts file simply makes it easier to find duplicate entries. 

For more information, type man 4 hosts or man 1 sort at the HP-UX 

146 

Chapter 4



prompt. 

To Enable NIS Master Server Capability 

1. Log in as root to the host that will be the master server. 

2. On the host that will be the master server, ensure that the $PATH 

environment variable includes the following directory paths: 

• /var/yp 

• /usr/lib/netsvc/yp 

• /usr/ccs/bin 

3. Issue the following command to set the NIS domain name: 

/usr/bin/domainname domainname 

If your host uses short file names, make sure the first 14 characters of 

domainname uniquely identify your domain among the other NIS 

domains in your network. 

4. In the /etc/rc.config.d/namesvrs file, set the NIS_DOMAIN 

variable to the domain name: 

NIS_DOMAIN=domainname 

5. In the /etc/rc.config.d/namesvrs file, set the NIS_MASTER_SERVER 

and NIS_CLIENT variables to 1, as follows: 

NIS_MASTER_SERVER=1 

NIS_CLIENT=1 

If the host that will be the master server is already a slave server for 

another domain, set the NIS_MASTER_SERVER variable to 1 and the 

NIS_SLAVE_SERVER variable to 0. 

If the host is an NIS+ server or client, set the NISPLUS_SERVER and 

NISPLUS_CLIENT flags to 0. 

6. Issue the following command to create the NIS maps for the domain: 

/usr/sbin/ypinit -m 

The ypinit script will prompt you for the names of your slave 

servers. Enter the names of your slave servers in response to the 

prompt. 

7. Issue the following commands to run the NIS startup scripts: 

Chapter 4 147



/sbin/init.d/nis.server start 

/sbin/init.d/nis.client start 

The master server is now running as both an NIS master server and an 

NIS client. Next, you must configure the slave servers you listed when 

you ran the ypinit script. See “Configuring and Administering an NIS 

Slave Server” on page 161. 

For more information, see the following man pages: domainname(1), 

ypinit(1M), and ypfiles(4). 

To Verify Your NIS Master Server Configuration 

• Log into the master server and issue the following command: 

/usr/bin/ypwhich -m 

The ypwhich -m command lists all the NIS maps available to the local 

client and gives the name of the master server that serves each map. In 

this case, the local host is both the client and the master server. Your 

display should look something like this, where mastername is the name 

of your local host: 

# /usr/bin/ypwhich -m 

vhe_list mastername 

servi.bynp mastername 

services.byname mastername 

rpc.byname mastername 

protocols.bynumber mastername 

protocols.byname mastername 

rpc.bynumber mastername 

passwd.byuid mastername 

passwd.byname mastername 

networks.byname mastername 

networks.byaddr mastername 

netgroup.byuser mastername 

netgroup.byhost mastername 

netgroup mastername 

hosts.byname mastername 

hosts.byaddr mastername 

group.byname mastername 

group.bygid mastername 

publickey.byname mastername 

netid.byname mastername 

mail.byaddr mastername 

mail.aliases mastername 

auto.master mastername 

148 

Chapter 4



ypservers mastername 

If you do not see a similar display, see “Troubleshooting NFS Services” on 

page 273. Type man 1 ypwhich for more information on the ypwhich 

command. 

To Configure the NIS Master Server to Use a Private 

passwd File 

CAUTION 

Do not use this procedure if your NIS master server is also a mail server. 

If the NIS master server uses only a subset of the information in the NIS 

passwd map, it cannot resolve mail addresses, and mail messages will 

fail. 

1. Log in as root to the NIS master server. 

2. Copy the /etc/passwd file to /etc/passwd.yp. 

3. Using a text editor, remove users from the /etc/passwd file who 

should not be allowed access to the NIS master server. Do not include 

a plus sign (+) in this file. 

4. Use a text editor to edit the /var/yp/Makefile file. Change the 

following line 

PWFILE=$(DIR)/passwd 

to the following: 

PWFILE=$(DIR)/passwd.yp 

5. In the /etc/rc.config.d/namesvrs file, modify the 

YPPASSWDD_OPTIONS variable. Change the following line 

YPPASSWDD_OPTIONS=”/etc/passwd -m passwd 

PWFILE=/etc/passwd” 

to the following: 

YPPASSWDD_OPTIONS=”/etc/passwd.yp -m passwd 

PWFILE=/etc/passwd.yp” 

6. Issue the following commands to regenerate the NIS passwd maps 

from /etc/passwd.yp: 

cd /var/yp 

Chapter 4 149



/usr/ccs/bin/make passwd 

This command generates both the passwd.byname and the 

passwd.byuid maps and pushes them to the slave servers. 

If your slave servers are not up and running yet, run make with the 

NOPUSH flag set to 1: 

cd /var/yp 

/usr/ccs/bin/make NOPUSH=1 passwd 

This procedure creates a restricted /etc/passwd file that is used only by 

the NIS master server. The unrestricted /etc/passwd.yp file is used to 

generate the NIS passwd maps, which are used by the rest of the hosts in 

the NIS domain. 

For more information, see the following man pages: passwd(4), make(1), 

ypmake(1M), and ypinit(1M). 

To Restrict Client and Slave Server Access to the 

Master Server 

1. On the NIS master server, create a file called /var/yp/securenets,if 

it does not already exist. 

2. Add lines to the file with the following syntax: 

address_mask IP_address 

The IP_address is the internet address of an NIS client, NIS slave 

server, or subnet that may request NIS information or transfer NIS 

maps from the NIS master server. 

The address_mask indicates which bits in the IP_address field are 

important. If a bit is set in the address_mask field, the corresponding 

bit in the source address of any incoming NIS requests must match 

the same bit in the IP_address field. 

3. Issue the following commands to kill and restart the ypserv process: 

/sbin/init.d/nis.server stop 


If a client or slave host has multiple network interface cards, add a line 

to the securenets file for the IP address of each card. 

Type man 4 securenets at the HP-UX prompt for more information. 

150 

Chapter 4



Examples from /var/yp/securenets 

The following line from a /var/yp/securenets file allows only the NIS 

client at IP address 10.11.12.13 to request information from the NIS 

master server. Because every bit is set in the address mask, the source IP 

address on the NIS request must match exactly, or the master server will 

not return the requested information. 

255.255.255.255 10.11.12.13 

The following line from a /var/yp/securenets file allows any host on 

the network 10.11.12.0 to request NIS information or transfer NIS maps 

from the master server. The last 8 bits of the IP address are ignored, 

because the last 8 bits of the address mask are set to 0. Any host whose 

IP address begins 10.11.12 will be allowed access to the master server. 

255.255.255.0 10.11.12.13 

To Check the Contents of an NIS Map 

• Issue the following command to verify that an NIS map contains the 

data you expect it to contain: 

/usr/bin/ypcat -k mapname 

The -k option lists the key for each item in the map as well as the data 

associated with the key. For example, in the netgroup map, the netgroup 

name is the key. Without the -k option, ypcat would list all the data 

associated with each netgroup name, but not the netgroup name itself. 

For more information on the ypcat command, type man 1 ypcat at the 

HP-UX prompt. 

Chapter 4 151



To Modify an NIS Map 


2. Make your changes to the source file for the NIS map. For example, if 

you want to change the NIS hosts map, make your changes to the 

/etc/hosts file. 

3. Issue the following commands to generate the map and push it to the 


cd /var/yp 

/usr/ccs/bin/make mapname 

If your slave servers are not up and running yet, run the make 

command with the NOPUSH flag set to 1: 

cd /var/yp 

/usr/ccs/bin/make NOPUSH=1 mapname 

This procedure works for all NIS maps except the ypservers map, which 

has no source file. For instructions on modifying the ypservers map, see 

“To Add a Slave Server to Your NIS Domain” on page 156 or “To Remove 

a Slave Server from Your NIS Domain” on page 157. 

If you make changes to the passwd, group, or hosts maps, regenerate 

the netid.byname map. The netid.byname map is a mapping of users to 

groups, where each user is followed by a list of all the groups to which 

the user belongs. The netid.byname map is generated from the 

/etc/passwd and /etc/group files. 

For more information, see the following man pages: make(1), ypmake(1M), 

yppush(1M), and ypxfr(1M). 

152 

Chapter 4



To Add an Automounter Map to Your NIS Domain 


2. In the /usr/sbin/ypinit script, use a text editor to add the 

automounter map to the MASTER_MAPS list, as follows: 

MASTER_MAPS=”group.bygid group.byname \ 

hosts.byaddr bosts.byname netgroup netgroup.byhost \ 

netgroup.byuser networks.byaddr networks.byname 

passwd.byname \ 

passwd.byuid protocols.byname protocols.bynumber 

rpc.bynumber \ 

services.byname vhe_list publickey.byname netid.byname 

mail.byaddr \ 

mail.aliases auto.master rpc.byname servi.bynp 

auto.mapname” 

3. In the /var/yp/Makefile file, add the automounter map to the list of 

maps that begins with all:, as follows: 

all: passwd group hosts networks rpc services protocols \ 

netgroup aliases publickey netid vhe_list auto.master \ 

auto.mapname 

4. In the /var/yp/Makefile file, copy the statement that begins 

$(YPDBDIR)/$(DOM)/auto_master.time to the space below it. 

Change all occurrences of auto.master or auto_master to the name 

of the map you are adding. Note that some occurrences must be 

auto_mapname (the name of the ASCII file), and some must be 

auto.mapname (the name of the NIS database). 

$ (YPDBDIR)/$(DOM)/auto_master.time: $(DIR)/auto_master 

@(sed -e ”s/ˆ[ | ]*//g” -e ”/ˆ#/d” -e s/#.*$$// < 

$(DIR)/auto_master $(CHKPIPE)) | 

$(MAKEDBM) - $(YPDBDIR) /$(DOM)/auto.master; 

@touch $(YPDBDIR)/$(DOM)/auto_master.time; 

@echo ”updated auto.master”; 

@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) 

auto.master; fi 

@if [ ! $(NOPUSH) ]; then echo ”pushed auto.master”; 

fi 

$ (YPDBDIR)/$(DOM)/auto_mapmame.time: $(DIR)/auto_mapname 

@(sed -e ”s/ˆ[ | ]*//g” -e ”/ˆ#/d” -e s/#.*$$// < 

$(DIR)/auto_mapname $(CHKPIPE)) | 

$(MAKEDBM) - $(YPDBDIR) /$(DOM)/auto.mapname; 

@touch $(YPDBDIR)/$(DOM)/auto_mapname.time; 

@echo ”updated auto.mapname”; 


Chapter 4 153



auto.mapname; fi 

@if [ ! $(NOPUSH) ]; then echo ”pushed 

auto.mapname”; fi 

5. In the /var/yp/Makefile file, copy the statement that begins 

auto.master: to the space below it. Change auto.master to 

auto.mapname, and change both occurrences of auto_master.time to 

auto_mapname.time. 

auto.master: 

@if [ $(NOPUSH) ]; then $(MAKE) $(MFLAGS) -k \ 

$(YPDBDIR)/$(DOM)/auto_master.time DOM=$(DOM) 

DIR=$(DIR); \ 

else $(MAKE) $(MFLAGS) -k 

$(YPDBDIR)/$(DOM)/auto_master.time \ 

DOM=$(DOM) DIR=$(DIR) NOPUSH=$(NOPUSH);fi 

auto.mapname: 


$(YPDBDIR)/$(DOM)/auto_mapname.time DOM=$(DOM) 

DIR=$(DIR); \ 


$(YPDBDIR)/$(DOM)/auto_mapname.time \ 


6. Issue the following commands to generate the map: 

cd /var/yp 

/usr/ccs/bin/make NOPUSH=1 auto.mapname 

7. If you have slave servers configured in your domain, log into each 

slave server and issue the following command to copy the new map to 

the slave server: 

/usr/sbin/ypxfr auto.mapname 

For more information, see the man page for ypinit(1M), make(1), 

ypmake(1M), or ypxfr(1M). 

154 

Chapter 4



To Remove an Automounter Map from Your NIS 

Domain 


2. In the /usr/sbin/ypinit script, use a text editor to remove the map 

name from the MASTER_MAPS list. 

3. In the /var/yp/Makefile file, remove the map from the list of maps 

that begins with all:. 

4. In the /var/yp/Makefile file, remove the statement that begins 

$(YPDBDIR)/$(DOM)/auto_mapname.time. For example, if you were 

removing the auto.home map, you would remove the following lines: 

$ (YPDBDIR)/$(DOM)/auto_home.time: $(DIR)/auto_home 

@(sed -e ”s/ˆ[ | ]*//g” -e ”/ˆ#/d” -e s/#.*$$// < 

$(DIR)/auto_home $(CHKPIPE)) | 

$(MAKEDBM) - $(YPDBDIR) /$(DOM)/auto.home; 

@touch $(YPDBDIR)/$(DOM)/auto_home.time; 

@echo ”updated auto.home”; 


auto.home; fi 

@if [ ! $(NOPUSH) ]; then echo ”pushed auto.home”; 

fi 

5. In the /var/yp/Makefile file, remove the statement that begins 

auto.mapname:. For example, if you were removing the auto.home 

map, you would remove the following lines: 

auto.home: 


$(YPDBDIR)/$(DOM)/auto_home.time DOM=$(DOM) 

DIR=$(DIR); \ 


$(YPDBDIR)/$(DOM)/auto_home.time \ 


6. On the master and on each of the slave servers, remove the map files, 

mapname.dir and mapname.pag from the directory where your maps 

are stored. The directory is called /var/yp/domainname, where 

domainname is the name of your NIS domain. For example, if you 

were removing the auto.home map from the Finance domain, you 

would issue the following commands on the master server and on 

each of the slave servers: 

cd /var/yp/Finance 

rm auto.home.dir auto.home.pag 

Chapter 4 155



For more information, see the man pages ypinit(1M), make(1), 

ypmake(1M), and ypfiles(4). 

To Add a Slave Server to Your NIS Domain 


2. Issue the following command, where domainname is the name of the 

domain to which you want to add the slave server: 

cd /var/yp/domainname 

3. Issue the following command to create an editable ASCII text file 

from the ypservers map: 

/usr/sbin/makedbm -u ypservers > tempfile 

4. Use a text editor to add the name of the new server to the ASCII file, 

tempfile. 

5. Issue the following command to regenerate the ypservers map from 

the ASCII file: 

/usr/sbin/makedbm tempfile ypservers 

6. Log in as root to the new slave server and configure it as an NIS slave 

server. See “Configuring and Administering an NIS Slave Server” on 

page 161. 

For more information, see the man page for makedbm(1M) or ypfiles(4). 

156 

Chapter 4



To Remove a Slave Server from Your NIS Domain 


2. Issue the following commands to create an editable ASCII text file 

from the ypservers map: 



3. Use a text editor to remove the name of the slave server from the 

ASCII file, tempfile. 

4. Issue the following command to regenerate the ypservers map from 

the ASCII file: 


5. Log in as root to the slave server. 

6. Remove all the map files from the map directory, and remove the map 

directory. The directory is called /var/yp/domainname, where 

domainname is the name of your NIS domain. For example, if you 

were removing a slave server from the Finance domain, you would 

issue the following commands: 

cd /var/yp/Finance 

rm * 

cd .. 

rmdir Finance 

7. If the slave is not a slave server in any other NIS domain, use a text 

editor to set the NIS_SLAVE_SERVER variable to 0 in the 

/etc/rc.config.d/namesvrs file. 

NIS_SLAVE_SERVER=0 

8. If the slave is not a server in any other NIS domain, issue the 

following command to turn off NIS server capability: 


For more information, see the man pages makedbm(1M) and ypfiles(4). 

Chapter 4 157



To Query BIND for Host Information After Querying 

NIS 

This section tells you how to set up server-side hostname fallback, 

which causes your NIS servers to query BIND for host information after 

querying NIS. A server will search the NIS hosts database first, but if 

the hosts database does not contain the requested information, the 

server will query the BIND name service. The server will return the host 

information to the clients through NIS. 

1. Configure your NIS servers as BIND name servers, or install an 

/etc/resolve.conf file on each server that allows it to query a 

BIND name server. See Installing and Administering Internet 

Services for more information. 

2. On the NIS master server, in the /var/yp/Makefile file, set the B 

variable to -b, as follows: 

B=-b 

3. Issue the following command on the master server to change the 

modification time on /etc/hosts so that make will regenerate the 

hosts database: 

/usr/bin/touch /etc/hosts 

4. Issue the following commands to regenerate the NIS maps on the 

master server and push them to the NIS slave servers: 

cd /var/yp 

/usr/ccs/bin/make 

5. On all the NIS servers in your domain, change the hosts line in the 

/etc/nsswitch.conf file to the following: 

hosts: nis dns files 

Hewlett-Packard recommends that you use the Name Service Switch on 

your NIS clients instead of server-side hostname fallback. However, if 

your NIS clients are PCs that do not have a feature like the Name 

Service Switch, use the server-side hostname fallback described in this 

section if you want to force BIND lookups after NIS lookups. See 

“Configuring the Name Service Switch” on page 253. 

158 

Chapter 4



To Use NIS With Short File Names 

1. Make sure the first 14 characters of your domain name uniquely 

identify your domain among the other NIS domains in your network. 

2. If you plan to use NIS to manage your automounter maps, keep the 

automounter map names to 10 characters or fewer. 


4. In the /var/yp/Makefile file, uncomment all the lines between 

START OF EXAMPLE and END OF EXAMPLE. (Remove the sharp sign [#] 

from the beginning of each line.) Do not uncomment the START OF 

EXAMPLE and END OF EXAMPLE lines. 

5. In the /var/yp/Makefile file, delete everything after the END OF 

EXAMPLE line. 

This procedure causes your NIS master server to use HP’s proprietary 

ypmake script instead of the Makefile. The Makefile does not support 

short filenames, but ypmake does. Type man 1M ypmake at the HP-UX 

prompt for more information. 

To Configure an HP-UX Master Server in a Domain 

with Sun Systems 

1. Log in as root to the host that will be the master server. 

2. If you have customized your HP Makefile, move it to 

/var/yp/Makefile.hp. 

3. Copy your Sun Makefile into the /var/yp directory on the HP system. 

If your Sun Makefile is not called Makefile, use a text editor to set 

the MAKEFILE_NAME variable to the name of your Sun Makefile in the 

/usr/sbin/ypinit script. 

4. If you have customized your HP Makefile, add those changes into 

your Sun Makefile. 

5. In the /usr/sbin/ypinit script on the HP host that will be the 

master server, add the netmasks.byaddr, bootparams, 

ethers.byaddr, and ethers.byname maps to the MASTER_MAPS 

variable. 

6. On one of your Sun systems, locate or create an /etc/ethers file, an 

/etc/bootparams file, and an /etc/netmasks file that contain all the 

Chapter 4 159



information required by the Sun systems in your NIS domain. 

7. Copy the /etc/ethers, /etc/bootparams, and /etc/netmasks files 

to the HP host that will be the master server. 

8. Follow the instructions in “To Enable NIS Master Server Capability” 

on page 147. 

160 

Chapter 4


Configuring and Administering an NIS Slave Server 

Configuring and Administering an NIS Slave 

Server 

An NIS slave server provides information to NIS clients, taking some 

load off the NIS master server and substituting for the master server 

when it is down. The NIS maps are created on the NIS master server and 

then transferred from the master server to the slave servers. Changes to 

NIS maps must be made on the NIS master server, which then pushes 

the changed maps to the NIS slave servers. 

An NIS slave server must also be an NIS client. 

The NIS master server must be configured and running before you start 

your slave servers. 

This section explains how to perform the following tasks: 

• To Edit the Slave Server’s passwd File 

• To Edit the Slave Server’s group File 

• To Enable NIS Slave Server Capability 

• To Verify Your NIS Slave Server Configuration 

• To Schedule Regular Map Transfers from the NIS Master Server 

• To Restrict Access to the Slave Server 

Chapter 4 161



To Edit the Slave Server’s passwd File 

• Remove all users from the /etc/passwd file except the root user and 

the system entries required for your system to boot. By convention, 

system entries usually have user IDs less than 100, so you can 

remove all entries with user IDs of 100 or greater. 

• The Name Service Switch configuration file provided for NIS 

(/etc/nsswitch.nis) causes your host to check its local 

/etc/passwd file and then continue to the NIS passwd map if the 

requested information is not in the local file. However, in previous 

releases, you had to add a plus sign (+) to the /etc/passwd file to 

cause your host to check the NIS passwd database. 

If you want your host to behave as it did before HP-UX release 10.30, 

add the following entry as the last line in the /etc/passwd file: 

+::-2:60001::: 

Also, make sure your /etc/nsswitch.conf file specifies compat as 

the name service for passwd. See “Configuring the Name Service 


The plus sign (+) causes processes to consult NIS for any user 

information not found in the local /etc/passwd file. 

The -2 in the user ID field restricts the access of people who may 

attempt to log in using “+” as a valid user name when NIS is not 

running. Anyone who successfully logs in as “+” will be granted only 

the access permissions of user nobody. 

CAUTION 

Do not put an asterisk (*) in the password field on HP systems. On Sun 

systems, an asterisk in the password field prevents people from 

logging in as “+” when NIS is not running. However, on HP systems, 

the asterisk prevents all users from logging in when NIS is running. 

The changes you make to the /etc/passwd file on an NIS slave server 

are the same changes you make on an NIS client. Following is an 

example /etc/passwd file on an NIS slave server: 

root:0AnhFBmriKvHA:0:3::/:/bin/ksh 

daemon:*:1:5::/:/bin/sh 

bin:*:2:2::/bin:/bin/sh 

adm:*:4:4::/usr/adm:/bin/sh 

162 

Chapter 4



uucp:*:5:3::/usr/spool/uucppublic:/usr/lib/uucp/uucico 

lp:*:9:7::/usr/spool/lp:/bin/sh 

hpdb:*:27:1:ALLBASE:/:/bin/sh 

+::-2:60001::: 

For more information, type man 4 passwd at the HP-UX prompt. 

To Edit the Slave Server’s group File 

• Remove all groups from the /etc/group file except the group entries 

required for your system to boot. 


(/etc/nsswitch.nis) causes your host to check its local /etc/group 

file and then continue to the NIS group map if the requested 

information is not in the local file. However, in previous releases, you 

had to add a plus sign (+) to the /etc/group file to cause your host to 

check the NIS group database. 


add the following entry as the last line in the /etc/group file: 

+:*:* 


the name service for group. See “Configuring the Name Service 


The plus sign (+) causes processes to consult NIS for any group 

information not found in the local /etc/group file. The asterisk (*) in 

the password field prevents people from using the plus sign as a valid 

group name if NIS is not running. 

The changes you make to the /etc/group file on an NIS slave server are 

the same changes you make on an NIS client. Following is an example 

/etc/group file on an NIS slave server: 

root::0:rootl,sam 

other::1: 

bin::2: 

sys::3: 

adm::4: 

daemon::5: 

mail::6: 

lp::7: 

+:*:* 

For more information, type man 4 group at the HP-UX prompt. 

Chapter 4 163



To Enable NIS Slave Server Capability 

1. Make sure the NIS master server is already configured and running 

NIS. 

2. Log in as root to the host that will be the slave server. 

3. On the host that will be the slave server, ensure that the $PATH 

environment variable includes the following directory paths: 

• /var/yp 





where domainname is the same as the domain name on the NIS 

master server. 




6. In the /etc/rc.config.d/namesvrs file, set the NIS_SLAVE_SERVER 

and NIS_CLIENT variables to 1, as follows: 

NIS_SLAVE_SERVER=1 

NIS_CLIENT=1 

If the slave server is a master server in another NIS domain, set the 

NIS_MASTER_SERVER variable to 1 and the NIS_SLAVE_SERVER 

variable to 0. The yppasswdd daemon, which is required on the 

master server, is started only if NIS_MASTER_SERVER=1. 

If the slave server is an NIS+ server or client, set the 

NISPLUS_SERVER and NISPLUS_CLIENT variables to 0. 

7. Issue the following command to set up the NIS slave server and copy 

the NIS maps from the master server: 

/usr/sbin/ypinit -s NIS_server_name [DOM=domainname] 

The NIS_server_name is the name of the master server or a slave 

server that has a complete set of up-to-date maps for the domain. If 

the slave server will serve a domain different from the one set by the 

domainname command, specify the domainname after the 

164 

Chapter 4



NIS_server_name. 

8. Issue the following commands to run the NIS startup scripts: 



In order to receive map updates from the NIS master server, you must 

add the new slave server to the ypservers map on the master server. See 

“To Add a Slave Server to Your NIS Domain” on page 156. 


ypinit(1M), and ypfiles(4). 

Chapter 4 165



To Verify Your NIS Slave Server Configuration 


2. In the /etc/rc.config.d/namesvrs file, add -ypset to the 

YPBIND_OPTIONS variable: 

YPBIND_OPTIONS=”-ypset” 

3. Issue the following commands to restart ypbind (the NIS client 

process) on the slave server: 

/sbin/init.d/nis.client stop 


4. Issue the following command to force the NIS client process on the 

slave server to bind to the server process on the same host: 

/usr/sbin/ypset slave_server_name 

5. Issue the following command to check whether the NIS slave server is 

working: 

/usr/bin/ypwhich 

The ypwhich command should return the host name of the slave 

server. If the ypwhich command does not return the name of the slave 

server, see “Troubleshooting NFS Services” on page 273. 

6. In the /etc/rc.config.d/namesvrs file, remove -ypset from the 

YPBIND_OPTIONS variable: 

YPBIND_OPTIONS=”” 

7. Issue the following commands to restart ypbind (the NIS client 

process) on the slave server: 



For more information, see the following man pages: ypbind(1M), 

ypset(1M), and ypwhich(1). 

166 

Chapter 4



To Schedule Regular Map Transfers from the NIS 

Master Server 


2. Copy the ypxfr_1perday, ypxfr_2perday, and ypxfr_1perhour 

scripts from the /usr/newconfig/var/yp directory to the /var/yp 

directory: 

cp /usr/newconfig/var/yp/ypxfr_1perday /var/yp 

cp /usr/newconfig/var/yp/ypxfr_2perday /var/yp 

cp /usr/newconfig/var/yp/ypxfr_1perhour /var/yp 

3. Create a crontab file that invokes these files at regular times. 

Following is an example crontab file: 

0 21 * * * /var/yp/ypxfr_1perday 

30 5,19 * * * /var/yp/ypxfr_2perday 

15 * * * * /var/yp/ypxfr_1perhour 

This file runs the ypxfr_1perday script at 9:00 PM every night. It 

runs the ypxfr_2perday script at 5:30 AM and 7:30 PM every day. It 

runs the ypxfr_1perhour at 15 minutes past every hour. 

4. Issue the following command to enter the file into crontab, 

crontab filename 

where filename is the crontab file you just created. 

If you have created customized NIS maps for your domain, you will have 

to add them to the appropriate scripts. You can also use the scripts 

provided as templates for creating your own scripts. 

In some domains, transferring the passwd maps once per hour generates 

too much network traffic. If you find this is the case, schedule transfers of 

the passwd maps for less frequent intervals. 

If you have multiple slave servers, schedule map transfers for different 

times on different servers, so all the servers are not performing transfers 

at the same time. 

For more information, see the following man pages: cron(1M), 

crontab(1), and ypxfr(1M). 

Chapter 4 167



To Restrict Access to the Slave Server 

1. On the NIS slave server, create a file called /var/yp/securenets, if 

it does not already exist. 



The IP_address is the internet address of an NIS client, NIS slave 

server, or subnet that may request NIS information or transfer NIS 

maps from the NIS master server. 



bit in the source address of any incoming NIS requests must match 

the same bit in the IP_address field. 

3. Issue the following commands to kill and restart the ypserv process: 



If a client or slave host has multiple network interface cards, add a line 

to the securenets file for the IP address of each card. 

Type man 4 securenets at the HP-UX prompt for more information. 

Examples from /var/yp/securenets 

The following line from a /var/yp/securenets file allows only the NIS 

client at IP address 10.11.12.13 to request information from the NIS 

slave server. Because every bit is set in the address mask, the source IP 

address on the NIS request must match exactly, or the slave server will 

not return the requested information. 

255.255.255.255 10.11.12.13 

The following line from a /var/yp/securenets file allows any host on 

the network 10.11.12.0 to request NIS information or transfer NIS maps 

from the slave server. The last 8 bits of the IP address are ignored, 

because the last 8 bits of the address mask are set to 0. Any host whose 

IP address begins 10.11.12 will be allowed access to the slave server. 

255.255.255.0 10.11.12.13 

168 

Chapter 4


Configuring and Administering an NIS Client 


An NIS client gets its configuration information from an NIS master 

server or an NIS slave server. When an NIS client is started, it sends out 

a broadcast message requesting a server. Any server on the client’s 

network that holds the NIS maps for the client’s domain may respond to 

the message. The NIS client “binds” to the first server to respond to its 

broadcast message, and that server answers all the client’s queries for 

information. 


five tasks are necessary for getting your NIS client up and running. 

• To Edit the NIS Client’s passwd File 

• To Edit the NIS Client’s group File 

• To Enable NIS Client Capability 

• To Verify Your NIS Client Configuration 

• To Tell Users How to Use yppasswd 

• To Prevent a Client from Binding to Unknown Servers 

• To Bind an NIS Client to a Server on a Different Subnet 

Chapter 4 169



To Edit the NIS Client’s passwd File 

• Remove all users from the /etc/passwd file except the root user and 

the system entries required for your system to boot. By convention, 

system entries usually have user IDs less than 100, so you can 

remove all entries with user IDs of 100 or greater. 


(/etc/nsswitch.nis) causes your host to check its local 

/etc/passwd file and then continue to the NIS passwd map if the 

requested information is not in the local file. However, in previous 

releases, you had to add a plus sign (+) to the /etc/passwd file to 

cause your host to check the NIS passwd database. 


add the following entry as the last line in the /etc/passwd file: 

+::-2:60001::: 


the name service for passwd. See “Configuring the Name Service 


The plus sign (+) causes processes to consult NIS for any user 

information not found in the local /etc/passwd file. 

The -2 in the user ID field restricts the access of people who may 

attempt to log in using “+” as a valid user name when NIS is not 

running. Anyone who successfully logs in as “+” will be granted only 

the access permissions of user nobody. 

CAUTION 

Do not put an asterisk (*) in the password field on HP systems. On Sun 

systems, an asterisk in the password field prevents people from 

logging in as “+” when NIS is not running. However, on HP systems, 

the asterisk prevents all users from logging in when NIS is running. 

The changes you make to the /etc/passwd file on an NIS client are the 

same changes you make on an NIS slave server. Following is an example 

/etc/passwd file on an NIS client: 

root:0AnhFBmriKvHA:0:3: :/:/bin/ksh 

daemon:*:1:5::/:/bin/sh 

bin:*:2:2::/bin:/bin/sh 

adm:*:4:4::/usr/adm:/bin/sh 

170 

Chapter 4



uucp:*:5:3::/usr/spool/uucppublic:/usr/lib/uucp/uucico 

lp:*:9:7::/usr/spool/lp:/bin/sh 

hpdb:*:27:1:ALLBASE:/:/bin/sh 

+::-2:60001::: 

For more information, type man 4 passwd at the HP-UX prompt. 

To Edit the NIS Client’s group File 

• Remove all groups from the /etc/group file except the group entries 

required for your system to boot. 


(/etc/nsswitch.nis) causes your host to check its local /etc/group 

file and then continue to the NIS group map if the requested 

information is not in the local file. However, in previous releases, you 

had to add a plus sign (+) to the /etc/group file to cause your host to 

check the NIS group database. 


add the following entry as the last line in the /etc/group file: 

+:*:* 


the name service for group. See “Configuring the Name Service 


The plus sign (+) causes processes to consult NIS for any group 

information not found in the local /etc/group file. The asterisk (*) in 

the password field prevents people from using the plus sign as a valid 

group name if NIS is not running. 

The changes you make to the /etc/group file on an NIS client are the 

same changes you make on an NIS slave server. Following is an example 

/etc/group file on an NIS client: 

root::0:rootl,sam 

other::1: 

bin::2: 

sys::3: 

adm::4: 

daemon::5: 

mail::6: 

lp::7: 

+:*:* 

For more information, type man 4 group at the HP-UX prompt. 

Chapter 4 171



To Enable NIS Client Capability 

1. Make sure at least one NIS master or slave server is running on the 

client’s subnetwork. 

2. Log in as root to the NIS client. 

3. On the NIS client, ensure that the $PATH environment variable 

includes the following directory paths: 

• /var/yp 





where domainname is a domain served by an NIS server on the client’s 

subnetwork. 




6. In the /etc/rc.config.d/namesvrs file, set the NIS_CLIENT 

variable to 1, as follows: 

NIS_CLIENT=1 

If the host was previously an NIS+ client, set the NISPLUS_CLIENT 

variable to 0. 

7. Copy the /etc/nsswitch.nis file to /etc/nsswitch.conf: 

cp /etc/nsswitch.nis /etc/nsswitch.conf 

If you have plus and minus signs in your /etc/passwd or /etc/group 

files, they will be ignored. If you want your host to use the plus and 

minus signs in your files as signals to consult NIS, modify the passwd 

and group lines in /etc/nsswitch.conf to specify compat, as 

follows: 

passwd: compat 

group: compat 

8. Reboot the client host to ensure that long-running processes read the 

new /etc/nsswitch.conf file. Rebooting the client will also cause 

the NIS client startup script to execute, because the NIS_CLIENT 

172 

Chapter 4



variable is set to 1. 

To start the NIS client processes without rebooting the host, issue the 

following command to run the NIS startup script: 



ypbind(1M), and nsswitch.conf(4). 

Chapter 4 173



To Verify Your NIS Client Configuration 

• Log into the NIS client and issue the following command: 

/usr/bin/ypwhich -m 

The ypwhich -m command lists all the NIS maps available to the client 

and gives the name of the master server that serves each map. Your 

display should look something like this, where mastername is the name 

of the master server for your domain: 

# /usr/bin/ypwhich -m 

vhe_list mastername 

servi.bynp mastername 

services.byname mastername 

rpc.byname mastername 

protocols.bynumber mastername 

protocols.byname mastername 

rpc.bynumber mastername 

passwd.byuid mastername 

passwd.byname mastername 

networks.byname mastername 

networks.byaddr mastername 

netgroup.byuser mastername 

netgroup.byhost mastername 

netgroup mastername 

hosts.byname mastername 

hosts.byaddr mastername 

group.byname mastername 

group.bygid mastername 

publickey.byname mastername 

netid.byname mastername 

mail.byaddr mastername 

mail.aliases mastername 

auto.master mastername 

ypservers mastername 

If you do not see a similar display, see “Troubleshooting NFS Services” on 

page 273. Type man 1 ypwhich for more information on the ypwhich 


174 

Chapter 4



To Tell Users How to Use yppasswd 

• Tell all the users in your NIS domain that they must use 

/usr/bin/yppasswd or passwd -r nis instead of the passwd 

command when they want to change their login passwords. 

• Tell users that, when they want to change their login passwords, they 

should do so just before they leave for the day. This will allow time for 

the updated NIS maps on the master server to be pushed to the slave 

servers. 

The yppasswd command is a link to the passwd -r nis command. It 

changes the /etc/passwd file on the NIS master server, regenerates the 

NIS passwd maps from the updated /etc/passwd file, and then pushes 

the NIS passwd maps to the slave servers. 

For more information, see the following man pages: yppasswd(1), 

yppasswdd(1M), passwd(1), ypxfr(1M), and yppush(1M). 

Chapter 4 175



To Prevent a Client from Binding to Unknown Servers 

1. On the NIS client, create a file called /var/yp/secureservers, if it 

does not already exist. 



The IP_address is the internet address of an NIS server or the 

subnet of an NIS server from which the client will accept NIS 

information. 



bit in the address of any NIS server must match the same bit in the 

IP_address field. 

3. Issue the following commands to kill and restart the ypbind process: 



If an NIS server host has multiple network interface cards, add a line to 

the secureservers file for the IP address of each card. 

If you start ypbind with the -ypset option and issue the ypset 

command to bind to a specific server, the /var/yp/secureservers file is 

ignored, and the client may bind to any server. 

Type man 1M ypbind at the HP-UX prompt for more information. 

Examples from /var/yp/secureservers 

The following line from a /var/yp/secureservers file allows the NIS 

client to bind only to the server at IP address 20.21.22.23. Because every 

bit is set in the address mask, the IP address of the NIS server must 

match the IP_address field exactly, or the client will not bind to it. 

255.255.255.255 20.21.22.23 

The following line from a /var/yp/secureservers file allows the client 

to bind to any NIS server on the network 20.21.22.0. The last 8 bits of the 

server’s IP address are ignored, because the last 8 bits of the address 

mask are set to 0. The client may bind to any server whose IP address 

begins 20.21.22. 

255.255.255.0 20.21.22.23 

176 

Chapter 4



To Bind an NIS Client to a Server on a Different 

Subnet 

Hewlett-Packard recommends that you configure a server on each subnet 

where you have NIS clients; however, if you cannot do that, follow these 

steps to force an NIS client to bind to a server on a different subnet: 

1. Log in as root to the NIS client. 

2. Add the -ypset option to the YPBIND_OPTIONS variable in the 

/etc/rc.config.d/namesvrs file, as follows: 

YPBIND_OPTIONS=”-ypset” 

3. In the /etc/rc.config.d/namesvrs file, set the YPSET_ADDR 

variable to the IP address of an NIS server, as in the following 

example: 

YPSET_ADDR=”15.13.115.168” 

4. Issue the following commands to restart the NIS client: 



If the server you specify in the ypset command is unavailable when your 

client boots up, your client will broadcast a request for a server to its 

local network. If no server exists on the local network, the client will 

hang. 

For more information, type man 1M ypset or man 1M ypbind. 

Chapter 4 177


Configuring and Administering Secure RPC (if NIS+ is not used) 

Configuring and Administering Secure RPC 

(if NIS+ is not used) 

Configuring secure RPC allows you to write applications that use secure 

RPC. You must be running NIS in order to use secure RPC. 

If you are using NIS+, your secure RPC credentials are created and 

updated when you configure and administer your NIS+ domain. Follow 

the procedures in this section only if you are using NIS and not NIS+. 

NOTE 

Secure NFS, the ability to export and mount directories with the secure 

option, is not supported on HP-UX. 

Configuring and administering secure RPC involves the following tasks: 

• To Have Users Create their Secure RPC Keys 

or 

To Create Secure RPC Keys for Users 

• To Create Secure RPC Keys for Hosts 

• To Tell Users How to Use Secure RPC 

178 

Chapter 4



To Have Users Create their Secure RPC Keys 

1. In the /etc/publickey file on the NIS master server, make sure the 

entry for user nobody exists and is not commented out (is not 

preceded by #). 

2. Tell each user in your NIS domain to issue the chkey command: 

/usr/bin/chkey 

At the Password prompt, the user should enter his or her login 

password. 

The chkey command displays a message saying it is generating a key for 

unix.UID@NIS_domain. This string identifies the user in the 

publickey.byname NIS map. UID is the user ID of the user for whom the 

key is being generated, and NIS_domain is the default NIS domain, 

returned by the domainname command. 

The secure RPC key is encrypted with the user’s login password. The 

/usr/bin/yppasswd command reencrypts the secure RPC key with the 

new password whenever a user changes the login password. 

In order for users to create keys for themselves with the chkey 

command, the publickey.byname map must have an entry for user 

nobody. If you remove the entry for user nobody, users can change their 

secure RPC keys with the chkey command, but they cannot create keys if 

they do not already have them. 

For more information, see the following man pages: publickey(4), 

chkey(1), and yppasswd(1). 

Chapter 4 179



To Create Secure RPC Keys for Users 

Use this procedure if you do not want users to be able to create their own 

secure RPC keys. 


2. Comment out the entry in the /etc/publickey file for user nobody. 

(Insert a sharp sign [#] as the first character on the line.) 

3. Issue the following commands to regenerate the publickey.byname 

map from the /etc/publickey file and push it to the slave servers: 

cd /var/yp 

/usr/ccs/bin/make publickey 

4. Issue the newkey -u command for each user in your NIS domain: 

# /usr/sbin/newkey -u username 

Enter a password when prompted for it by the newkey -u command. 

5. Tell users the passwords you assigned for them. Users should issue 

the /usr/bin/keylogin command, using the passwords you 

assigned. Then, they should issue the /usr/bin/yppasswd command 

to change their login passwords. The yppasswd command will 

reencrypt their secure RPC keys with their new login passwords. 

The newkey -u command displays a message saying it is adding a key for 

unix.UID@NIS_domain. This string identifies the user in the 

publickey.byname NIS map. UID is the user ID of the user for whom the 

key is being generated, and NIS_domain is the default NIS domain, 

returned by the domainname command. 


newkey(1M), chkey(1), keylogin(1), yppasswd(1), make(1), ypmake(1M), 

and yppush(1M). 

180 

Chapter 4



To Create Secure RPC Keys for Hosts 


2. Issue the newkey -h command for each host in your NIS domain: 

# /usr/sbin/newkey -h hostname 

3. Enter the root password for hostname when prompted for it by the 

newkey -h command. 

4. On each host for which you have just created a secure RPC key, log in 

as root. This registers the secure RPC password with the 

/usr/sbin/keyserv daemon. 

The newkey -h command displays a message saying it is adding a key for 

unix.hostname@NIS_domain. This string identifies the host in the 

publickey.byname NIS map. 

Whenever you change the root password with the passwd command, the 

passwd command automatically reencrypts the secure RPC key with the 

new root password. 

For more information, see the following man pages: newkey(1M), 

publickey(4), passwd(1), and keyserv(1M). 

Chapter 4 181



To Tell Users How to Use Secure RPC 

Tell the users who require secure RPC authorization to follow these 

guidelines: 

• If you allow users to create their own secure RPC keys with the chkey 

command, they should enter their login passwords at the Password 

prompt. 

• If you use the newkey -u command to add users to the publickey 

database, users should issue the /usr/bin/keylogin command using 

the password you assigned. Then, they should issue the 

/usr/bin/yppasswd command to change their login passwords. The 

yppasswd command will automatically reencrypt their secure RPC 

keys with their new passwords. 

• When users log into a host without supplying a password (for 

example, when they use rlogin to log into a host that has their local 

host configured in /etc/hosts.equiv), they should issue the 

/usr/bin/keylogin command after logging in, to register the secure 

RPC password with the /usr/sbin/keyserv daemon. 


newkey(1M), chkey(1), keylogin(1), yppasswd(1), rlogin(1). 

182 

Chapter 4


Summary of NIS Commands 

Table 4-1 

chkey(1) 

domainname(1) 

keylogin(1) 

keylogout(1) 

makedbm(1M) 

newkey(1M) 

ypcat(1) 

ypinit(1M) 

ypmake(1M) 

ypmatch(1) 

yppasswd(1) 

yppoll(1M) 

yppush(1M) 

ypset(1M) 

ypwhich(1) 



Creates or changes a secure RPC key. 

Sets or displays the name of the NIS domain. 

Decrypts and stores a secure RPC key. keylogin is called when a user 

logs in, but the user must issue keylogin if no password was provided 

at login or if a password other than the login password was used to 

encrypt the secure RPC key. 

Deletes a stored decrypted secure RPC key. 

Generates an NIS map from an ASCII input file. 

Creates a secure RPC key for a user or host. 

Prints all the values in an NIS map. 

Sets up an NIS master server or slave server. 

Generates one or more NIS maps from ASCII files and optionally 

pushes them to NIS slave servers. /var/yp/Makefile and make(1) do 

the same thing. 

Prints the values associated with one or more selected keys in an NIS 

map. 

Changes a login password stored in the NIS passwd map. 

Returns the name of the master server for an NIS map and the time 

when the map was built. 

Forces NIS slave servers to transfer one or more NIS maps from the 

master server. Slave servers use ypxfr to transfer the maps. ypmake 

calls yppush unless it is invoked with NOPUSH=1. 

Tells an NIS client process (ypbind[1M]) to bind to a specified NIS 

server. ypset can be used only if ypbind is invoked with the -ypset 

option. 

Returns the name of the NIS server for the local client or the name of 

the NIS master server for one or more NIS maps. 

Chapter 4 183



Table 4-1 

ypxfr(1M) 


Transfers one or more NIS maps from a master server to the local 

slave server. A slave server calls ypxfr when yppush is executed on 

the master server. 

184 

Chapter 4


NIS+ 

The Network Information Service Plus (NIS+), is the next generation of 

the Network Information Service (NIS). It is not an enhancement to NIS; 

Chapter 5 185

Configuring and Administering NIS+ 

it is a whole new service. Like NIS, it is a distributed database system 

that allows you to maintain commonly used configuration information on 

a master server and propagate the information to all the hosts in your 

network. This chapter explains how to configure and administer the 

servers and clients in an NIS+ namespace. It contains the following 

sections: 

• Overview of NIS+ 

• Planning the NIS+ Namespace 

• Setting Up the NIS+ Namespace 

• Administering NIS+ 

• Summary of NIS+ Commands 

You cannot use SAM to configure NIS+. However, you can use SAM to 

update NIS+ tables and to configure NIS+ groups. 

For more information on NIS+, type man 1 nis at the HP-UX prompt, or 

see All About Administering NIS+, by Rick Ramsey, published by 

SunSoft Press, ISBN 0-13-309576-2. 

186 

Chapter 5


Overview of NIS+ 


NIS+ allows you to maintain configuration information for many hosts in 

a set of distributed databases. You can read or modify these databases 

from any host in the network, if you have the proper credentials and 

access permissions. Common configuration information, which would 

have to be maintained separately on each host in a network without 

NIS+, can be stored and maintained in a single location and propagated 

to all of the hosts in the network. 

Advantages of NIS+ over NIS 

NIS+ has the following advantages over NIS: 

• NIS+ supports a hierarchical domain structure called the NIS+ 

namespace. You can create a separate domain for each workgroup or 

department in your organization. Each domain can be managed 

independently of the others. Hosts in any domain may have access to 

information in all the other domains in the namespace. 

• The NIS+ namespace can grow with your organization. Because 

information may be distributed over multiple domains, each with its 

own servers, the size of the NIS+ namespace is not limited by the 

capacity of any single server. 

• NIS+ is not limited by subnet boundaries. NIS+ clients do not 

broadcast requests, so you do not need a server on every subnet. 

• NIS+ is secure. It uses a private key/public key authentication 

scheme with DES encryption. Every user and host in the namespace 

has its own unique credentials, and you can decide which users and 

hosts will be allowed to read or modify the information in each NIS+ 

domain. 

• You can modify the information in an NIS+ table from any host in the 

namespace. Modifications are made directly to the NIS+ table, so you 

do not have to rebuild the table from a file. 

• Replica servers in NIS+ domains receive each table update as it is 

made. You do not have to push whole tables to the replica servers. 

• An NIS+ table may contain many columns, and you can search for 

entries based on the information in any column. 

Chapter 5 187



Disadvantages of NIS+ 

NIS+ has the following disadvantages: 

• NIS+ is difficult to administer. It requires dedicated system 

administrators trained in NIS+ administration. NIS+ administration 

is very different from NIS administration. 

• The NIS+ databases are not automatically backed up to flat files. The 

system administrator must create and maintain a backup strategy for 

NIS+ databases, which includes dumping them to flat files and 

backing up the files. 

188 

Chapter 5



Structure of the NIS+ Namespace 

An NIS+ namespace may be “flat,” consisting of a single domain, or it 

may be hierarchical, like the DNS domain structure. Every namespace 

has exactly one root domain. All other domains are subdomains of the 

root domain. Figure 5-1 shows a sample hierarchical NIS+ namespace. 

The master server of the root domain is the root master server. Master 

servers of subdomains are called non-root master servers. NIS+ 

backup servers are called replica servers. Replica servers are the NIS+ 

equivalent of slave servers in an NIS domain. The replica servers of the 

root domain are called root replica servers, and the replica servers of 

the non-root domains are called non-root replica servers. A server 

may serve more than one domain, but it is not recommended. 

All NIS+ servers must also be NIS+ clients. The root master and root 

replica servers are clients of the root domain. However, a non-root server 

serves a subdomain of the domain in which it is a client. The domain in 

which it is a client is the parent domain of the domain it serves. 

Figure 5-1 

Sample NIS+ Namespace 

Wiz.Com domain (root domain) 

client 

root master server 

client 

root replica server 

client 

client 

client 

client 

master server 

replica server 

master server 

replica server 

client client client client 

Sales.Wiz.Com domain (subdomain) 

Eng.Wiz.Com domain (subdomain) 

Chapter 5 189



Structure of an NIS+ Domain 

An NIS+ domain is an NIS+ directory whose name is the domain name. 

An NIS+ directory is not an HP-UX directory. You must use the nisls(1) 

command to see the directory structure of an NIS+ domain. Figure 5-2 

shows the NIS+ directory structure of the Wiz.Com.and Eng.Wiz.Com. 

domains. 

Each NIS+ domain contains two NIS+ subdirectories, called groups_dir 

and org_dir. The groups_dir subdirectory contains NIS+ groups, which 

are like HP-UX groups except they are used only to determine access to 

NIS+ objects. The org_dir subdirectory contains all the standard NIS+ 

tables. Any other NIS+ directories are subdomains. In the example in 

Figure 5-2, Eng.Wiz.Com. is a subdomain. 

Figure 5-2 

NIS+ Directory Structure of the “Wiz.Com.” and “Eng.Wiz.Com.” 

Domains 

Wiz.Com. 

groups_dir org_dir Eng.Wiz.Com. 

admin 

Hosts 

Passwd 

groups_dir 

org_dir 

Group 

admin 

Hosts 

Passwd 

Group 

. . . 

. . . 

The full name of an NIS+ object includes the names of all the NIS+ 

directories in its directory path. For example, the full name of the hosts 

table in the Wiz.Com. domain is hosts.org_dir.Wiz.Com. To specify an 

entry in this table, you need to specify enough column values to uniquely 

identify it. For example, to identify a host whose canonical name in the 

cname column is romney, you would specify 

[cname=romney],hosts.org_dir.Wiz.Com. If the default domain on 

the local host is Wiz.Com., you can leave off the domain name and type 

just hosts.org_dir or [cname=romney],hosts.org_dir. Domain 

190 

Chapter 5



names always end in a period, except when you are setting the default 

domain with the domainname command. 

How NIS+ Information is Stored and Propagated 

NIS+ information is stored in the /var/nis directory. On a server, the 

/var/nis/data subdirectory, or the /var/nis/hostname subdirectory 

(where hostname is the name of the local host), contains the NIS+ 

directories and tables that make up the domain. 

You can make changes to the NIS+ objects from any NIS+ client in the 

namespace, if you are authenticated and have the proper access 

permissions. Whenever anyone makes a change to an NIS+ object, the 

change is sent to all the replica servers. NIS+ sends only the changes to 

replica servers, not whole tables. A transaction log in the /var/nis 

directory on each server keeps track of all the changes that have been 

made. To keep the transaction log from growing too large, you must 

checkpoint the domain regularly. When you checkpoint the domain 

(with the nisping[1M] command), the changes in the transaction log on 

all the servers are incorporated into the tables on disk, and the 

transaction log is cleared. 

An NIS+ client may get information from any domain in the namespace, 

if it is authenticated and has the proper access permissions. Each NIS+ 

client has a file called NIS_COLD_START in the /var/nis directory, which 

contains the internet addresses of servers the client can contact for NIS+ 

information. Because all servers are also clients, every server has a cold 

start file, too. An NIS+ client does not “bind” to a server the way an NIS 

client does. It contacts a server directly to request information. If a client 

requests information about a domain from a server that does not serve 

the domain, the server tells the client how to find a server that serves the 

domain. As the client learns about other servers, it adds the information 

to a cache file called NIS_SHARED_DIRCACHE in the /var/nis directory, 

and it uses the information to find servers later. 

NIS+ Tables 

By default, an NIS+ domain that you set up with the standard scripts 

contains the NIS+ tables listed in Table 5-1. Table 5-1 also gives the 

configuration files and the NIS maps that are equivalent to the NIS+ 

Chapter 5 191



Table 5-1 

tables. 

Standard NIS+ Tables 

NIS+ Table 

Equivalent File 

Equivalent NIS 

maps 

Purpose 

auto_home /etc/auto_home auto.home Location of users’ 

home directories. 

auto_master /etc/auto_master auto.master Mapping of 

automounter mount 

points to 


bootparams none on HP-UX bootparams Not used on HP-UX. 

Provided for Sun 

interoperability. 

cred /etc/publickey publickey.byname Secure RPC keys and 

netnames for 

authenticating users 

and hosts. 

ethers none on HP-UX ethers.byname 

ethers.byaddr 

group /etc/group group.bygid 

group.byname 

hosts /etc/hosts hosts.byaddr 

hosts.byname 

mail_aliases /etc/mail/aliases mail.aliases 

mail.byaddr 

netgroup /etc/netgroup netgroup 

netgroup.byhost 

netgroup.byuser 

Not used on HP-UX. 



List of HP-UX 

groups, their group 

IDs and members. 

Mapping of host 

names to internet 

addresses. 

sendmail aliases and 

their corresponding 

mailing lists. 

List of netgroups 

(used only with NFS 

services) and their 

members. 

192 

Chapter 5



Table 5-1 

Standard NIS+ Tables 

NIS+ Table 

Equivalent File 

Equivalent NIS 

maps 

Purpose 

netmasks none on HP-UX netmasks.byaddr Not used on HP-UX. 



networks /etc/networks networks.byaddr 

networks.byname 

passwd /etc/passwd passwd.byname 

passwd.byuid 

protocols /etc/protocols protocols.byname 

protocols.bynumb 

er 

rpc /etc/rpc rpc.bynumber 

rpc.byname 

Mapping of network 

names to network 

addresses. 

List of user names 

and IDs with 

associated user 

information. 

Mapping of 

networking protocols 

to protocol numbers. 

Mapping of RPC 

programs to program 

numbers. 

sendmailvars none on HP-UX none Not used on HP-UX. 



services /etc/services services.byname 

servi.bynp 

Mapping of 

networking services 

to port numbers and 

protocols. 

timezone /etc/TIMEZONE none Timezone of the local 

host. 

trusted 

/tcb/files/auth 

directory 

none 

User information for 

trusted systems. 

NIS+ Authentication and Authorization 

Authentication is the process by which NIS+ determines who you are. 

Chapter 5 193



To be an authenticated NIS+ user, you must have an entry in the cred 

table, and your password must decrypt your secure RPC key, which is 

stored in the cred table. 

When you log in and supply your password, NIS+ identifies you as an 

NIS+ principal. If you are a non-root user, your NIS+ principal name is 

loginname.domainname. For example, if you log in as user ming in 

domain Wiz.Com., your NIS+ principal name is ming.Wiz.Com. If you 

are a root user, NIS+ identifies you by the host name where you logged 

in, and your NIS+ principal name is hostname.domainname. For 

example, if you logged in as root to host garlic in the Eng.Wiz.Com. 

domain, your NIS+ principal name is garlic.Eng.Wiz.Com. 

The cred table stores two types of credentials: Local and DES. A Local 

credential associates an NIS+ principal name with a user ID. Only 

non-root users have Local credentials. A DES credential contains the 

secure RPC keys for authenticating an NIS+ user. Both root and non-root 

users may have DES credentials. Each NIS+ principal has only one DES 

credential, in his or her home domain, but he or she may have Local 

credentials in many domains. 

Authorization is the process by which NIS+ determines what you are 

allowed to do with NIS+ objects. Every NIS+ object has a permissions 

string that determines who can read, modify, create, or destroy it. This 

permissions string is similar to the HP-UX file permissions string that 

grants read, write, and execute permissions to HP-UX users. 

NIS+ grants 4 types of permissions: (r)ead, (m)odify, (c)reate, and 

(d)estroy. It grants permissions to 4 types of users: nobody, owner, group, 

and world. Figure 5-3 shows the format of an NIS+ permissions string: 

Figure 5-3 

Format of the NIS+ Permissions String 

- read 

- modify 

- create 

- destroy 

r m c d r m c d r m c d r m c d 

} 

} 

} 

} 

nobody owner group world 

User nobody is the group of all unauthenticated users. If you have no 

entry in the cred table, NIS+ identifies you as user nobody and assigns 

you a user ID of -2. 

194 

Chapter 5



The owner of an NIS+ object is typically the NIS+ principal who created 

it. However, you can change the owner of an NIS+ object with the 

nischown(1) command. 

The group is the NIS+ group that owns the object. NIS+ groups are 

stored in the groups_dir subdirectory under each domain directory. An 

NIS+ domain typically has an admin group consisting of the NIS+ 

principals who administer the domain. Not every NIS+ object has a 

group owner. For more information on NIS+ groups, type man 1 

nisgrpadm at the HP-UX prompt. 

The world is the group of all authenticated NIS+ principals. If you are 

an authenticated NIS+ principal, but you are not the owner of an object, 

and you are not a member of the NIS+ group that owns the object, then 

you will have whatever access permissions are granted to the world. 

Every NIS+ directory has an owner and permissions associated with it. 

Every table has an owner and permissions. Entries and columns in a 

table have all the permissions the table has, but you can assign more 

permissions to an entry or column than the table has. An entry’s owner 

and group owner may be different from the owner and group owner of the 

table to which the entry belongs. 

When an NIS+ object is created, it inherits a default owner and 

permissions. Most NIS+ commands have an option for overriding these 

defaults. You can also change these defaults. Type man 1 nisdefaults 

at the HP-UX prompt for more information. After an NIS+ object has 

been created, you can change its owner with the nischown(1) command, 

its group owner with the nischgrp(1) command, and its permissions 

with the nischmod(1) command. 

Chapter 5 195



NIS Compatibility Mode 

An NIS+ server may serve NIS clients, by running in NIS 

compatibility mode. NIS compatibility mode is intended as a 

migration tool, to allow you to migrate your servers from NIS to NIS+ 

without having to migrate all your clients to NIS+ at the same time. 

NIS compatibility mode has the following disadvantages: 

• NIS compatibility mode is less secure than regular mode. NIS clients 

cannot be authenticated by NIS+, so NIS compatibility mode allows 

unauthenticated clients to read the passwd table. 

• If you have links or concatenation paths in NIS+ tables, NIS clients 

will not be able to follow them. 

• NIS clients may read information only in their default domain. They 

cannot read information in other domains in the namespace. 

• Every NIS client must have a server on its local subnet, unless its 

server name has been set with the ypset command. 

If any server in an NIS+ domain is running in NIS compatibility mode, 

all servers for that domain must run in NIS compatibility mode. 

All servers in an NIS+ domain must be NIS+ servers. You cannot mix 

NIS servers and NIS+ servers in the same domain. 

196 

Chapter 5


Planning the NIS+ Namespace 


This section explains how to plan your NIS+ namespace. It tells you how 

to perform the following tasks: 

• To Determine the Number of NIS+ Domains You Need 

• To Determine the Number of NIS+ Servers You Need 

• To Determine Which Hosts Will Be NIS+ Servers 

To Determine the Number of NIS+ Domains You Need 

For many sites, all hosts can belong to the same domain, and it is not 

necessary to set up a hierarchical namespace with multiple domains. 

However, you might want to create multiple domains for the following 

reasons: 

• NIS+ works most efficiently when each domain contains fewer than 

10,000 table entries. 10,000 table entries translates roughly into 

about 1000 users. Therefore, you should create enough domains so 

that no domain contains more than 1000 users. 

• If your site is divided into multiple administrative departments, with 

a different system administrator for each department, you should 

allow each system administrator to maintain a separate NIS+ 

domain. 

• If your site is divided into multiple administrative departments, and 

each department requires different configuration data and allows 

access to different users and hosts, you should create a separate NIS+ 

domain for each administrative department. 

Chapter 5 197



To Determine the Number of NIS+ Servers You Need 

Following are some guidelines for determining the number of NIS+ 

servers you will need in your domain: 

• You must configure one master server per NIS+ domain. 

• Configure at least one replica server per NIS+ domain, but no more 

than 10 replica servers per domain. 

• A server may serve more than one domain, but it is not 

recommended. 

To Determine Which Hosts Will Be NIS+ Servers 

• Choose servers that are reliable and highly available. 

• Choose fast servers that are not used for CPU-intensive applications. 

Do not use gateways or terminal servers as NIS+ servers. Do not use 

NFS or database servers as NIS+ servers. 

• Choose servers with sufficient disk space. NIS+ data is stored in 

/var/nis. The /var/nis directory requires approximately 5 Kbytes 

of disk space per client of the domain. For example, if a domain has 

1000 clients, /var/nis requires about 5 Mbytes of disk space. You 

should add an additional 10-15 Mbytes to allow transaction logs to 

grow. So, for a server in a domain of 1000 clients, you should allocate 

15-20 Mbytes of disk space. 

• Choose servers with sufficient memory. The minimum amount of 

memory required for an NIS+ server is 64 Mbytes, but servers of 

medium and large domains should have at least 128 Mbytes. 

198 

Chapter 5


Setting Up the NIS+ Namespace 


An NIS+ namespace may be “flat,” consisting of a single domain, or it 

may be hierarchical, like the HP-UX directory structure. Every 

namespace has exactly one root domain. All other domains are 

subdomains of the root domain. 


six tasks are required to set up a “flat” namespace consisting of a single 

domain. 

• To Set Up the Root Master Server 

• To Populate the NIS+ Tables on the Master Server 

• To Add Administrators to the NIS+ admin Group 

• To Set Up NIS+ Client Hosts 

• To Set Up NIS+ Replica Servers 

• To Initialize NIS+ Client Users 

• To Set Up an NIS+ Subdomain 

• To Use BIND With NIS+ 

• To Allow an NIS+ User Authenticated Access to Another Domain 

Chapter 5 199



To Set Up the Root Master Server 

Before you perform this task, make sure no one is using the host that 

will be the root master server. The nisserver script copies the 

/etc/nsswitch.nisplus file to /etc/nsswitch.conf. This may render 

the host unusable until the NIS+ tables are populated and NIS+ is 

operational. 

1. Log in as root to the host that will be the root master server. 

2. Issue the following command to set the default domain name: 

/usr/bin/domainname default_domain 

The domain name must have at least two components, for example, 

Wiz.Com. Do not type a period at the end of the domain name. 

3. Set the PATH variable to include /usr/lib/nis. If you are running 

the C shell, type the following command: 

setenv PATH $PATH:/usr/lib/nis 

If you are running the Bourne or Korn shell, type the following 

commands: 

PATH=$PATH:/usr/lib/nis 

export PATH 

4. Issue the following command to set up the root master server: 

nisserver -r 

If you want the server to run in NIS compatibility mode so that it can 

serve NIS clients, add the -Y option. See “NIS Compatibility Mode” on 

page 196 for more information. 

nisserver -r -Y 

The nisserver script asks you if the information it has is correct. You 

can change it by typing n. The script then allows you to change each 

piece of information. To make a change, just type the correct 

information after the incorrect information and press [Return]. You 

cannot change the security level. 

When the nisserver script asks you for a password, type the root 

password. The nisserver script will use the root password to create 

credentials for the local host in the cred table. 

5. To verify that the nisserver script created the root domain 

successfully, issue the following command: 

200 

Chapter 5



nisls -lR 

The nisls command should list the domain name, the org_dir and 

groups_dir NIS+ directories, the admin group, and all the standard 

tables listed in Table 5-1. 

6. If the host was previously an NIS server or client, set the 

NIS_MASTER_SERVER, NIS_SLAVE_SERVER, and NIS_CLIENT variables 

to 0 in the /etc/rc.config.d/namesvrs file. 

7. Create a cron job that runs nisping -Ca at least once a day, during a 

time when the network is not busy. The following example crontab 

file runs nisping -Ca once a day, at 3:00 AM. It directs standard 

output and standard error from the nisping command to the file 

/tmp/nisping.log. 

0 3 * * * /usr/lib/nis/nisping -Ca > /tmp/nisping.log 2& >1 

The nisping -Ca command causes all servers of the domain to 

update their tables with the changes in the transaction log and to 

clear the transaction log. If you do not issue the nisping -Ca 

command regularly, your transaction log may grow too large, and you 

may not have enough disk space to checkpoint it. 

After you run the nisserver script, the local host is set up as the root 

master server and as a client of the default domain. However, the domain 

tables are still empty. The next section, “To Populate the NIS+ Tables on 

the Master Server”, explains how to fill the tables with data. 

For more information, see the following man pages: nisserver(1M), 

domainname(1M), nisls(1), nsswitch.conf(4), crontab(1), 

rpc.nisd(1M), and nis(1). 

Chapter 5 201



To Populate the NIS+ Tables on the Master Server 

You can populate NIS+ tables from files or from NIS maps. Before you 

populate the master server’s tables, you must run the nisserver script 

to create the tables. See “To Set Up the Root Master Server” on page 200 

or “To Set Up an NIS+ Subdomain” on page 211. 

NOTE 

The nispopulate script may fail if there is insufficient /tmp space on the 

system. To keep this from happening, you can set the environment 

variable TMPDIR to a different directory. If TMPDIR is not set to a valid 

directory, the script will use the /tmp directory instead. 

1. Log in as root to the master server. 

2. If you will populate the NIS+ tables from files, create a temporary 

directory, and copy the files into it from the /etc directory: 

mkdir /nis+files 

cd /etc 

cp auto_home auto_master group hosts mail/aliases netgroup \ 

networks passwd protocols rpc services TIMEZONE ../nis+files 

3. In the temporary directory, remove the entry for root from the passwd 

file. Remove all other entries with user ID 0 (zero) from the passwd 

file. Remove all the system entries such as root and bin, with user 

IDs of less than 100, from the passwd file. This should be done both 

for security and for interoperability with NIS and other NIS+ 

implementations. Remove any other entries from the passwd, 

aliases, or hosts files that you do not want distributed across the 

namespace. 

4. In the temporary directory, remove any fully-qualified DNS domain 

names from the hosts file. NIS+ cannot find fully-qualified DNS 

domain names in its hosts table unless the DNS domain name 

matches one of the NIS+ domain names in its namespace. 

5. Replace any periods in automounter map names with underbars. For 

example, if your master map is called auto.master, rename it to 

auto_master. If you will populate your NIS+ tables from NIS maps, 

make sure your NIS map names contain no periods. If you will 

populate your NIS+ tables from files, make sure your file names 

contain no periods. 

6. To populate the NIS+ tables from files, issue the following command. 

202 

Chapter 5



The -p option specifies the path to the files. 

nispopulate -F -p /nis+files -d domainname 

To populate the NIS+ tables from NIS maps, issue the following 


nispopulate -Y -h NIS_server_name -a NIS_server_address \ 

-y NIS_domain -d domainname 

The nispopulate script asks you if the information it has is correct. 

You can change it by typing n. The script then allows you to change 

each piece of information. To make a change, just type the correct 

information after the incorrect information and press [Return]. 

If you are populating files on the root master server, you do not need 

the -d domainname option, because the default domain is the domain 

the host will serve. However, on subdomain master servers, it is very 

important to specify the domain, because it is different from the 

default domain. 

7. To verify that your tables have been populated successfully, issue the 

niscat command for several standard tables. The standard tables are 

listed in Table 5-1. The following example lists the contents of the 

NIS+ passwd table: 

niscat passwd.org_dir.domainname. 

8. Issue the following command to checkpoint the domain: 

nisping -Ca 

CAUTION 

If you do not have enough swap or disk space, the server will be unable to 

checkpoint properly, but it won’t notify you. To ensure that the 

checkpoint completed successfully, issue the niscat command to list 

the contents of a table: 

niscat rpc.org_dir 

If you do not have enough swap space, you’ll see the following error 

message: 

can’t list table: Server busy, Try Again. 

To fix this problem, increase the swap space and checkpoint the 

domain again. 

Chapter 5 203



9. Reboot the host to force long-running processes to read the new 

/etc/nsswitch.conf file. (The nisserver script copies 

/etc/nsswitch.nisplus to /etc/nsswitch.conf.) 

The nispopulate script populates the cred table from the passwd and 

hosts files or NIS maps. Every NIS+ principal except the root user on 

the root master server is given the default NIS+ password, which is 

nisplus. (The credentials for the root user on the root master server 

were created using the root password.) When you run the nisclient 

script to initialize a client host in the root domain, the nisclient script 

will change the client’s credentials to use the client’s root password 

instead of the default NIS+ password. See “To Set Up NIS+ Client Hosts” 

on page 206. 

For more information, see the following man pages: nispopulate(1M), 

nispasswd(1), niscat(1), nisping(1M), and nis(1). 

204 

Chapter 5



To Add Administrators to the NIS+ admin Group 

Follow this procedure to add administrators to the NIS+ admin group, or 

use SAM (System Administration Manager). To run SAM type sam at the 

HP-UX prompt. For more information, type man 1M sam. 

1. Type the following command to add NIS+ principals to the admin 

group: 

nisgrpadm -a admin.domainname NIS+_principal 

[NIS+_principal ...] 

For example, to add users ming and sara to the admin group in the 

Wiz.Com. domain, you would type the following command: 

nisgrpadm -a admin.Wiz.Com. ming.Wiz.Com. sara.Wiz.Com. 

2. Issue the following command to list the members of the admin group 

to make sure the administrators you added are there: 

nisgrpadm -l admin.Wiz.Com. 

The members of the NIS+ admin group may make any modifications to 

the NIS+ objects in the domain that the group owner is allowed to make. 

See “NIS+ Authentication and Authorization” on page 193 for an 

explanation of NIS+ permissions. 

It is useful to add non-root users to the admin group, because they can 

administer the domain while logged into any host in the namespace. 

Root users must be logged in as root to a specific host in order to be 

recognized as members of the admin group. 

The admin group is an NIS+ group stored in the groups_dir 

subdirectory of the domain directory. It is not one of the HP-UX groups 

stored in the /etc/group file or the NIS+ group table. 

For more information, type man 1M nisgrpadm or man 1 nis at the 

HP-UX prompt. 

Chapter 5 205



To Set Up NIS+ Client Hosts 

Before you set up an NIS+ client host, the master server must be set up 

and running, and the client must have an entry in the NIS+ hosts table 

on the master server. Also, make sure no one is using the client host. The 

nisclient script copies the /etc/nsswitch.nisplus file to 

/etc/nsswitch.conf. This may render the host unusable until NIS+ is 

operational. 

1. Log into the master server and issue the following command to 

determine whether the client host has NIS+ credentials in the 

domain’s cred table: 

nisgrep client_hostname cred.org_dir.domainname 

The nispopulate script creates credentials for every host that is in 

the /etc/hosts file or NIS hosts map when the command is run. If 

the client host did not have a hosts entry when nispopulate was 

run, it will not have credentials in the cred table. 

2. If the nisgrep command returns nothing, issue the following 

command on the master server to add a credential for the client host: 

nisclient -co client_hostname 

When prompted for a password, type the default password, nisplus. 

3. Log in as root to the host that will be the NIS+ client. 

4. Issue the following command to set the NIS+ domain name: 


5. If the host was previously an NIS server or client, set the 


to 0 in the /etc/rc.config.d/namesvrs file. 







export PATH 

7. Issue the following command to initialize the client host: 

nisclient -i -h master_server_name 

206 

Chapter 5



If the master server’s internet address is not in the client’s 

/etc/hosts file, the nisclient script will prompt you for the master 

server’s internet address. 

The nisclient script will prompt you for the secure RPC password 

for root. Type the default NIS+ password, nisplus. 

The nisclient script will then prompt you for the root password on 

the client host. After you type the password, the nisclient script 

will change the client host’s entry in the cred table to use the root 

password instead of the default password. 

8. Issue the following command on the new NIS+ client host to verify 

that the host can receive information from the NIS+ server: 

nisls 

The nisls command should list the domain name and the org_dir 

and groups_dir NIS+ directories. 

9. To verify that your client can get information from NIS+ tables, issue 

the niscat command for several standard tables. The standard tables 

are listed in Table 5-1. The following example lists the contents of the 

NIS+ passwd table: 

niscat passwd.org_dir 

10.Reboot the host to force long-running processes to read the new 

/etc/nsswitch.conf file. (The nisclient script copies 

/etc/nsswitch.nisplus to /etc/nsswitch.conf.) 


nisaddcred(1M), nisclient(1M), nisls(1), and nis(1). 

Chapter 5 207



To Set Up NIS+ Replica Servers 

Before you can set up a replica server, the master server must be set up 

and running, and the hosts table on the master server must contain an 

entry for the host that will be a replica. 

When you run the nisserver script to initialize a replica server, the 

NIS+ tables on the master server are copied to the replica. Copying the 

tables can take anywhere from a few minutes to a couple of hours, 

depending on the size of your tables, the network load, and the system 

load on the master and replica servers. 

1. Log in as root to the host that will be a replica server. 







export PATH 

3. If the host will be a root replica server, set it up as a client in the root 

domain. If the host will be a non-root replica server, set it up as a 

client in the parent domain of the domain it will serve. See “To Set Up 

NIS+ Client Hosts” on page 206. 

4. Type the following command if the master server is not running in 

NIS compatibility mode: 

rpc.nisd 

Type the following command if the master server is running in NIS 

compatibility mode: 

rpc.nisd -Y 

If the master server is running in NIS compatibility mode, its replica 

servers must also run in NIS compatibility mode. See “NIS 

Compatibility Mode” on page 196 for more information. 

5. Set the NISPLUS_SERVER variable to 1 in the 

/etc/rc.config.d/namesvrs file: 

NISPLUS_SERVER=1 

If the host was previously an NIS server or client, set the 

208 

Chapter 5




to 0. 

6. Log in as root to the master server. 

7. Type the following command to initialize the replica server: 

nisserver -R -h replica_host_name 

The nisserver script asks you if the information it has is correct. You 

can change it by typing n. The script then allows you to change each 

piece of information. To make a change, just type the correct 

information after the incorrect information and press [Return]. 

8. Type the following command on the master server to checkpoint the 

domain and copy the domain directories to the new replica server: 

nisping -a 

9. To verify that the replica server is operating correctly, issue the 


nisstat -H replica_host_name 

The nisstat command should return a list of statistics about the 

replica server. 

It is recommended that you have only a few replicas per domain, for 

performance reasons. Do not configure more than 10 replicas per domain. 

If your domain includes sites that are distant from the master server, 

configure replica servers at the distant sites to avoid unnecessary 

network traffic. 


rpc.nisd(1M), nisping(1M), nisstat(1M), and nis(1). 

Chapter 5 209



To Initialize NIS+ Client Users 

Tell all of your non-root users to perform this task. This task sets a user’s 

secure RPC password to be the same as the user’s login password. 

1. Log into any NIS+ client host using your non-root user login. 

2. Issue the following command: 

/usr/lib/nis/nisclient -u 

The nisclient script will prompt you for the secure RPC password. 

Type the default password, nisplus. 

The nisclient script will then prompt you for your login password. 

After you type your login password, the nisclient script will change 

your cred table entry to use your login password instead of the 

default password. 

To change your password in the future, use the nispasswd command, 

which changes your login password and your secure RPC password at 

the same time. 

For more information, see the following man pages: nisclient(1M), 

nispasswd(1), and nis(1). 

210 

Chapter 5



To Set Up an NIS+ Subdomain 

Before you can set up a subdomain, the parent domain must be set up, 

and its master server must be running. The master server for the parent 

domain must have an entry in its hosts table for the master server of the 

new subdomain. 

1. Log in as root to the host that will be the master server for the 

subdomain. 







export PATH 

3. Set up the host as a client in the parent domain. For example, if the 

root domain is Wiz.Com., and you are setting up a subdomain called 

Eng.Wiz.Com., make the host a client in the Wiz.Com. domain. See 

“To Set Up NIS+ Client Hosts” on page 206. 

4. Type the following command if the new master server will not run in 

NIS compatibility mode: 

rpc.nisd 

If the new master server will be required to serve NIS clients, type 

the following command to run the server in NIS compatibility mode. 

See “NIS Compatibility Mode” on page 196 for more information. 

rpc.nisd -Y 

5. Set the NISPLUS_SERVER variable to 1 in the 

/etc/rc.config.d/namesvrs file: 

NISPLUS_SERVER=1 

If the host was previously an NIS server or client, set the 


to 0. 

6. Log in as root to the master server for the parent domain of the new 

subdomain. For example, if the new subdomain will be called 

Eng.Wiz.Com., log in as root to the master server for the Wiz.Com. 

domain. 

Chapter 5 211



7. Issue the following command if the master server of the new 

subdomain will not run in NIS compatibility mode: 

nisserver -M -d subdomain_name -h 

subdomain_master_server_name 

If the master server of the new subdomain will be required to serve 

NIS clients, issue the following command to set up the master server 

in NIS compatibility mode: 

nisserver -M -Y -d subdomain_name -h 

subdomain_master_server_name 

8. Log in as root to the master server of the new subdomain. 

9. Populate the new master server’s tables from files or from NIS maps. 

See “To Populate the NIS+ Tables on the Master Server” on page 202. 

Be sure to specify the -d domainname option in the nispopulate 


10.To verify that the subdomain was created successfully, issue the 


nisls -lR subdomain_name 

The nisls command should list the subdomain name, the org_dir 

and groups_dir NIS+ directories, the admin group, and all the 

standard tables listed in Table 5-1. 

11.Create a cron job that runs nisping -Ca at least once a day, during a 

time when the network is not busy. The following example crontab 

file runs nisping -Ca once a day, at 3:00 AM. It directs standard 

output and standard error from the nisping command to the file 


0 3 * * * /usr/lib/nis/nisping -Ca > /tmp/nisping.log 2& >1 



clear the transaction log. If you do not issue the nisping -Ca 

command regularly, your transaction log may grow too large, and you 

may not have enough disk space to checkpoint it. 

12.Initialize the clients of the new subdomain. See “To Set Up NIS+ 

Client Hosts” on page 206. 

13.Set up one or more replica servers for the new subdomain. See “To Set 

Up NIS+ Replica Servers” on page 208. 

14.Initialize the client users of the new subdomain. See “To Initialize 

212 

Chapter 5



NIS+ Client Users” on page 210. 

Every time you create a master server, you create a new subdomain. You 

can create as many domains as you need. You can create subdomains 

beneath subdomains. It is recommended that you keep your namespace 

hierarchy as simple as possible and that you keep an accurate map of 

your namespace. 


rpc.nisd(1M), nispopulate(1M), nisclient(1M), and nis(1). 

Chapter 5 213



To Use BIND With NIS+ 

An NIS+ client can consult BIND (DNS), NIS, NIS+, or the /etc/hosts 

file when it needs to resolve a host name to an IP address. The Name 

Service Switch determines where an NIS+ client will look for host 

information. 

Some clients, like PCs, cannot use the Name Service Switch. If your 

domain includes PC clients, you can configure the NIS+ server to query 

BIND when its NIS+ hosts table does not contain the information that a 

client requests. The server then returns the information to the client 

through NIS+. 

Only NIS+ servers running in NIS compatibility mode may consult 

BIND to answer client queries. See “NIS Compatibility Mode” on page 

196 for more information. 

This section tells you how to perform the following tasks: 

• To Configure an NIS+ Client to Query BIND 

• To Configure an NIS+ Server to Return BIND Information to Clients 

If your NIS+ clients support the Name Service Switch, configure the 

clients to query BIND. 

If your NIS+ clients do not support the Name Service Switch, configure 

their server to return BIND information. 

NOTE 

BIND must already be configured and running before you can configure 

an NIS+ client or server to query it. To configure BIND, see the 

Installing and Administering Internet Services manual. 

214 

Chapter 5



To Configure an NIS+ Client to Query BIND 

1. Log in as root to the NIS+ client host. 

2. Use a text editor to open the /etc/nsswitch.conf file, and find the 

line that begins with hosts. It probably looks something like this: 

hosts: nisplus [NOTFOUND=return] files 

Change the hosts line so that it looks like this: 

hosts: dns [NOTFOUND=return] nisplus [NOTFOUND=return] 

files 

The NIS+ client will now query BIND first for host information. If the 

BIND server is down or unreachable, it will query NIS+. Then, if no 

NIS+ server is available, it will consult its local /etc/hosts file. For 

more information, type man 4 nsswitch.conf at the HP-UX prompt. 

To Configure an NIS+ Server to Return BIND Information to 

Clients 

Only servers running in NIS compatibility mode may return BIND 

information to clients through NIS+. 

1. Log in as root to the NIS+ server. 

2. In the /etc/rc.config.d/namesvrs file, set the EMULYP variable to 

“-Y -B”, as follows: 

EMULYP=”-Y -B” 

3. Kill the rpc.nisd daemon, and restart it with the -Y and -B options: 

ps -ef | grep rpc.nisd 

kill PID 

rpc.nisd -Y -B 

For more information, type man 1M rpc.nisd at the HP-UX prompt. 

Chapter 5 215



To Allow an NIS+ User Authenticated Access to 

Another Domain 

A user’s home domain is defined as the domain where the user has a 

DES credential in the cred table. (Each NIS+ principal has a DES 

credential in only one domain.) If a user needs to be authenticated in 

another domain, the user must have a Local credential in that domain. 

In domains where the user does not have a Local credential, the user is 

treated as “nobody.” 

1. From any NIS+ client host, issue the following commands to copy the 

passwd table entry from the user’s home domain to the remote 

domain where the user needs authenticated access: 

nismatch name=username passwd.org_dir.user’s_homedomain \ 

> tempfile 

nisaddent -a -f tempfile passwd remote_domainname 

2. If necessary, change the user ID in the entry to ensure that it is 

unique in the passwd table of the remote domain. Each user ID may 

occur only once in a passwd table. See “To Modify an Entry in an 

NIS+ Table” on page 229. 

3. From any NIS+ client host, issue the following command: 

nisaddcred -p UID -P loginname.domainname local 

remote_domainname 

The argument following the -p option is the user’s user ID from the 

NIS+ passwd table in the remote domain where the user needs 

authenticated access. The argument following the -P option is the 

user’s NIS+ principal name and must end with a period. 

The remote_domainname argument is the domain where the 

credential will be created (the domain where the user needs 

authenticated access). 

The following example allows NIS+ principal sara.Eng.Wiz.Com to be 

authenticated in domain Sales.Wiz.Com.: 

nisaddcred -p 7899 -P sara.Eng.Wiz.Com. local Sales.Wiz.Com. 

You must have create permission for the cred table and the passwd table 

in the remote domain in order to complete this task. 

For more information, see the following man pages: nisaddcred(1M), 

nismatch(1), and nisaddent(1M). 

216 

Chapter 5


Administering NIS+ 


This section explains how to administer and maintain your NIS+ domain 

or namespace after you have set it up. It explains how to perform the 

following tasks: 

• To List the Properties of NIS+ Objects 

• To Change the Default Properties for New NIS+ Objects 

• To Change the Permissions for NIS+ Objects 

• To Change the Ownership of NIS+ Objects 

• To Change the Search Order of Domains 

• To List the Contents of an NIS+ Table 

• To Search an NIS+ Table 

• To Add an Entry to an NIS+ Table 

• To Remove an Entry from an NIS+ Table 

• To Modify an Entry in an NIS+ Table 

• To Add a Host to an NIS+ Domain 

• To Add a User to an NIS+ Domain 

• To Create New Credentials for an Existing NIS+ Principal 

• To Create New Credentials for the Root Master Server 

• To Change a Password 

• To Create an NIS+ Table 

• To Remove an NIS+ Table 

• To Create or Remove Paths Among Tables 

• To Create or Remove an NIS+ Group 

• To Add or Remove Members of an NIS+ Group 

• To Remove a Replica Server from an NIS+ Domain 

• To Remove an NIS+ Domain 

• To Back Up NIS+ Tables 

Chapter 5 217



To List the Properties of NIS+ Objects 

• To list the object properties of any NIS+ directory, table, table entry, 

group, or link, issue the following command from an NIS+ client host: 

niscat -o NIS+_object 

For example, to list the object properties of the passwd table entry for 

user jane in the default domain, you would issue this command: 

niscat -o ’[name=jane],passwd.org_dir’ 

The niscat -o command gives you information about the object, 

including its owner, group owner, and permissions. If the NIS+ object is a 

table, the niscat -o command gives the number of columns in the table, 

the names of the columns, and the permissions for each column. 

For more information, type man 1 niscat at the HP-UX prompt. 

218 

Chapter 5



To Change the Default Properties for New NIS+ 

Objects 

Whenever you create a new NIS+ object (a directory, table, table entry, 

group, or link), it inherits a set of default properties (owner, group owner, 

permissions, time to live, and so on). You can override the default object 

properties by setting the NIS_DEFAULTS environment variable. 

You can use SAM (System Administration Manager) to change all the 

default object properties except time to live. To run SAM type sam at the 

HP-UX prompt. For more information, type man 1M sam. 

1. Issue the nisdefaults command to find out the current default 

values: 

nisdefaults 

2. If you are using the Korn or Bourne shell, issue the following 


NIS_DEFAULTS=access=perms:owner=owner:group=group:ttl=time 

export NIS_DEFAULTS 

If you are using the C shell, issue the following command: 

setenv NIS_DEFAULTS 

access=perms:owner=owner:group=group:ttl=time 

You do not have to specify all four values. For example, you could 

change just the default owner and group owner, as in the following 

example: 

setenv NIS_DEFAULTS 

owner=garlic.Eng.Wiz.Com.:group=admin.Eng.Wiz.Com. 

You can also set the default group owner by setting the NIS_GROUP 

environment variable, but if the NIS_DEFAULTS variable specifies a 

default group owner, it overrides the NIS_GROUP variable. 

The time to live (ttl) applies only to NIS+ directories and groups. It tells 

NIS+ clients when to purge the information in their caches and get new 

information from a server. (To change the ttl value for an existing NIS+ 

object, use the nischttl[1] command.) 

For more information, see the following man pages: nisdefaults(1), 

nischttl(1), sam(1M), and nis(1). 

Chapter 5 219



To Change the Permissions for NIS+ Objects 

• To change the permissions of an NIS+ directory, table, table entry, 

group, or link, issue the nischmod command from an NIS+ client 

host. 

The following example changes the permissions for the group table in 

the Wiz.Com. domain. It gives user nobody no permissions, owner 

and group owner full permissions, and world read permission only. 

nischmod n=,og=rmcd,w=r group.org_dir.Wiz.Com. 

The following example gives user nobody read permission for the 

groups_dir directory in the default domain and takes away modify, 

create, and destroy permission from the group owner: 

nischmod n+r,g-mcd groups_dir 

• To change permissions for a table column, use the nistbladm -u 


The following example changes the permissions on the passwd 

column of the passwd table in the default domain. It gives nobody, 

group, and world no permissions and takes away create and destroy 

permissions from the owner. 

nistbladm -u passwd=ngw=,o-cd passwd.org_dir 

In order to change the permissions for an NIS+ object, you need modify 

permission for that object. 

You can use SAM (System Administration Manager) to change the 

permissions for groups, tables, table entries, and table columns. To run 

SAM type sam at the HP-UX prompt. For more information, type man 1M 

sam. 

The actual permissions for an entry or column are the entry or column 

permissions plus the permissions for the table. For example, if the 

passwd table has permissions ----rmcdrmcd----, and the passwd 

column of the passwd table has permissions r---------------, the 

actual permissions for the passwd column are r---rmcdrmcd----. 

NOTE 

The cred table must allow read permission to user nobody in order for 

NIS+ to start up. 

220 

Chapter 5



For more information, see the following man pages: nischmod(1), 

nistbladm(1), sam(1M), and nis(1). 

Chapter 5 221



To Change the Ownership of NIS+ Objects 

• To change the owner of an NIS+ directory, table, table entry, group, or 

link, issue the nischown command from an NIS+ client host. 

The following example changes the owner of the passwd table entry 

for user sid to sid.Sales.Wiz.Com.: 

nischown sid.Sales.Wiz.Com. ’[name=sid],passwd.org_dir’ 

The following example makes sid.Sales.Wiz.Com. the owner of his 

own cred table entries: 

nischown sid ’[cname=sid.Sales.Wiz.Com.],cred.org_dir’ 

In this example, the owner (sid) not a fully qualified NIS+ principal 

name. NIS+ will append the default domain to sid when it processes 

the command. The cred table contains two entries for 

sid.Sales.Wiz.Com.: a Local credential and a DES credential. The 

command in this example will change the ownership of both entries, 

because both entries have the same value in the cname column. 

• To change the group owner of an NIS+ directory, table, table entry, 

group, or link, issues the nischgrp command. 

The following example changes the group owner of the 

Sales.Wiz.Com. directory to admin.Sales.Wiz.Com.: 

nischgrp admin.Sales.Wiz.Com. Sales.Wiz.Com. 

The following example changes the group owner of all the entries in 

the hosts table to the admin group in the default domain: 

nischgrp admin ’[]hosts.org_dir’ 

To change the ownership of an NIS+ object, you need modify permission 

for the object. 

You can use SAM (System Administration Manager) to change the 

ownership for groups, tables, and table entries. To run SAM type sam at 

the HP-UX prompt. For more information, type man 1M sam. 

You cannot change the owner or group owner of a table column, because 

it is always the same as the owner and group owner of the table. 

For more information, see the following man pages: nischown(1), 

nischgrp(1), sam(1M), and nis(1). 

222 

Chapter 5



To Change the Search Order of Domains 

When a client requests information from an NIS+ table without 

specifying a domain, by default, the table in the client’s default domain is 

searched first. If the information is not found, and the default domain is 

not the root domain, the table in the default domain’s parent domain is 

searched. The search continues up the hierarchy until the information is 

found or the root domain has been searched. 

You can override this default search path by setting the NIS_PATH 

environment variable. 

• If you are using the Korn or Bourne shell, issue the following 


NIS_PATH=domain:domain:... 

export NIS_PATH 

• If you are using the C shell, issue the following command: 

setenv NIS_PATH domain:domain:... 

You can use the $ character as a wildcard, as in the following example: 

NISPATH=’org_dir.$:$:Eng.Wiz.Com.’ 

Single quotes are required to prevent the shell from interpreting the $ 

character. 

When the $ character replaces part of a domain path name, as in 

org_dir.$, it represents the default domain. So, if the default domain is 

Sales.Wiz.Com., the domain path org_dir.$ is interpreted as 

org_dir.Sales.Wiz.Com. 

When the $ character is used to represent an entire domain path name, 

like the second $ character in the example above, it represents the 

default search path (default domain, then parent domain, and on up to 

the root domain). If your default domain is Sales.Wiz.Com., and the 

root domain is Wiz.Com., the NIS_PATH value shown in the above creates 

the following search path: 

• org_dir.Sales.Wiz.Com. 

• Sales.Wiz.Com. 

• Wiz.Com. 

• Eng.Wiz.Com. 

For more information, type man 1 nis at the HP-UX prompt. 

Chapter 5 223



To List the Contents of an NIS+ Table 

• Issue the following command from an NIS+ client host: 

niscat tablename 

For example, to list the contents of the passwd table in the domain 

Wiz.Com., you would issue the following command: 

niscat passwd.org_dir.Wiz.Com. 

If the table is in the default domain, you do not have to include the 

domain name, but you do have to include org_dir. 

If you do not have read permission for the table, no entries will be 

displayed. If you have read permission only for certain entries, only those 

entries will be displayed. If you have read permission only for certain 

columns, any columns for which you do not have read permission will be 

displayed as *NP*. 

You can use SAM (System Administration Manager) to view or modify 

the contents of NIS+ tables. To run SAM type sam at the HP-UX prompt. 

For more information, type man 1M sam. 

For more information, see the following man pages: niscat(1) and 

sam(1M). 

224 

Chapter 5



To Search an NIS+ Table 

• Issue one of the following commands from any NIS+ client host: 

nisgrep ’column_name=regular_expression’ tablename 

nismatch column_name=text_string tablename 

For example, the following command returns all the entries from users in 

the passwd table whose home directories are under /users: 

nisgrep ’home=/users/*’ passwd.org_dir 

If you do not specify a column name, the first column of the table is 

searched. The following command returns the Local and DES credentials 

for NIS+ principal liz.Eng.Wiz.Com. from the cred table: 

nismatch liz.Eng.Wiz.Com. cred.org_dir 

The nismatch command can search only columns that were defined as 

searchable when the table was created. The nisgrep command can 

search any column in a table. 

To get the name of a column, or to determine whether a column is 

searchable, issue the following command: 

niscat -o tablename.org_dir 

The nisgrep command can search on regular expressions, but the 

nismatch command can search only for exact matches of text strings. 

The nisgrep command is slower than the nismatch command. 

You must have read permission on the table or the entries you are 

searching for, or NIS+ will not display the entries. 

You can use SAM (System Administration Manager) to search NIS+ 

tables. To run SAM type sam at the HP-UX prompt. 

For more information, see the following man pages: nismatch(1) and 

sam(1M). 

Chapter 5 225



To Add an Entry to an NIS+ Table 

To add an entry to an NIS+ table, follow one of these procedures, or use 

SAM (System Administration Manager). To run SAM, type sam at the 

HP-UX prompt. 

To Add an Entry with nistbladm 

1. Issue the following command from any NIS+ client host: 

nistbladm -a column_name=value column_name=value ... 

tablename 

The following example adds an entry to the hosts table: 

nistbladm -a cname=romney name=romney.Eng.Wiz.Com \ 

addr=15.14.13.12 comment=”acb, pillar R4” hosts.org_dir 

2. Issue the following command to make sure the entry was added 

successfully: 

nismatch column_name=value tablename 

The following example searches the hosts table for the entry for host 

romney: 

nismatch cname=romney hosts.org_dir 

If the entry exists, and if you have read access to it, the nismatch 

command will return the entry. 

In the nistbladm -a command, you must specify the value for every 

column. To leave a column blank, specify no value after the equal sign 

(=). The following example adds an entry to the group table without 

specifying a password: 

nistbladm -a name=staff passwd= gid=10 members=root 

group.org_dir 

To get the names of the columns in a table, issue the following command: 


You must have create permission for the table in order to add an entry to 

it. 

For more information, see the following man pages: nistbladm(1), 

niscat(1), and sam(1M). 

226 

Chapter 5



To Add an Entry with nisaddent 

1. Issue the following command to dump the NIS+ table to a temporary 

file: 

nisaddent -d table_type > filename 

Do not include “org_dir” in the table type. The following example 

dumps the group.org_dir table to tempfile: 

nisaddent -d group > tempfile 

To find out the table type for a table, issue the niscat -o tablename 

command. Type man 1 niscat for more information. 

2. Use a text editor to add an entry to the temporary file. 

3. Issue the following command to merge the contents of the temporary 

file into the NIS+ table: 

nisaddent -m -f filename table_type 

For example, the following command merges the contents of 

tempfile into the group.org_dir table: 

nisaddent -m -f tempfile group 

For more information, type man 1M nisaddent at the HP-UX prompt. 

Chapter 5 227



To Remove an Entry from an NIS+ Table 

To remove an entry from an NIS+ table, follow this procedure, or use 

SAM (System Administration Manager). To run SAM, type sam at the 

HP-UX prompt. 

• Issue the following command from any NIS+ client host: 

nistbladm -r column_name=value column_name=value ... 

tablename 

The following example removes an entry from the hosts table: 

nistbladm -r cname=romney addr=15.14.13.12 hosts.org_dir 

In the nistbladm -r command, specify as many column values as you 

need to identify a single entry. If the criteria you specify identify more 

than one entry, NIS+ displays an error. If you want to remove all entries 

matching a set of criteria, use the -R option instead of the -r option. The 

following example removes both the Local and DES credentials for 

principal liz.Eng.Wiz.Com. from the cred table: 

nistbladm -R cname=liz.Eng.Wiz.Com. cred.org_dir 



You must have destroy permission for the table or for the entries you 

want to remove. 


niscat(1), and sam(1M). 

228 

Chapter 5



To Modify an Entry in an NIS+ Table 

You can use either of two methods to modify a table entry: 

1. You can use nistbladm(1) to modify the entry directly. 

2. You can use nisaddent(1M) to dump the table to a file, and you can 

modify the file. Then, you can use nisaddent to update the NIS+ 

table from the file. 

You can use SAM (System Administration Manager) to modify entries in 

NIS+ tables. To run SAM, type sam at the HP-UX prompt. 

You must have modify permission for the table or for the entries you 

want to modify. 


nisaddent(1M), niscat(1), and sam(1M). 

To Modify an Entry with nistbladm 

• Issue the following command from any NIS+ client host: 

nistbladm -m column_name=new_value column_name=new_value 

... \ 

’[column_name=old_value,column_name=old_value 

...],tablename’ 

The following example changes a user’s shell in the passwd table: 

nistbladm -m shell=ksh ’[name=maddy,uid=6789],passwd.org_dir’ 

The values you specify inside the square brackets must identify a single 

entry. 



For more information, see the following man pages: nistbladm(1M) and 

niscat(1). 

Chapter 5 229



To Modify an Entry with nisaddent 

1. Issue the following command to dump the NIS+ table to a temporary 

file: 

nisaddent -d table_type > filename 

Do not include “org_dir” in the table type. The following example 

dumps the group.org_dir table to tempfile: 

nisaddent -d group > tempfile 

To find out the table type for a table, issue the niscat -o tablename 

command. Type man 1 niscat for more information. 

2. Use a text editor to make your changes to the temporary file. 

3. Issue the following command to merge the contents of the temporary 

file into the NIS+ table: 

nisaddent -m -f filename table_type 

For example, the following command merges the contents of 

tempfile into the group.org_dir table: 

nisaddent -m -f tempfile group 

For more information, type man 1M nisaddent at the HP-UX prompt. 

230 

Chapter 5



To Add a Host to an NIS+ Domain 

1. Issue the following command, from any NIS+ client host, to add the 

new host to the NIS+ hosts table: 

nistbladm -a cname=hostname name=hostname addr=IPaddress \ 

comment=comment hosts.org_dir.domainname 

You must have create permission for the hosts table to use this 


You must create one hosts table entry in which the cname and name 

columns are both set to the official host name. If you wish to configure 

aliases for the host name, create entries in which the cname column 

contains the official host name and the name column contains the 

alias. 

If the domain is the default domain, you do not have to specify the 

domain name, as in the following example: 

nistbladm -a cname=romney.Eng.Wiz.Com 

name=romney.Eng.Wiz.Com \ 

addr=15.14.13.12 comment= hosts.org_dir 

2. Issue the following command to add a DES credential for the new 

host to the cred table: 

nisaddcred -p unix.hostname@domainname -P 

hostname.domainname \ 

des domainname 

If you do not specify the domain name as the last argument, the 

credential is created in the default domain, as in the following 

example: 

nisaddcred -p unix.romney@Eng.Wiz.Com -P romney.Wiz.Com. 

des 

The argument following the -p option is the host’s secure RPC 

netname and does not end with a period. The argument following the 

-P option is the host’s NIS+ principal name and must end with a 

period. 

When NIS+ prompts you for a password, enter the root password of 

the new host. 

You must have create permission for the cred table to use this 


3. If you want to allow the root user on this host to administer the NIS+ 

Chapter 5 231



domain, add the host to the domain’s admin group. Issue this 


nisgrpadm -a hostname.domainname admin_groupname.domainname 

The admin group for most domains is called “admin,” as in the 


nisgrpadm -a romney.Eng.Wiz.Com. admin.Eng.Wiz.Com. 

You must have modify permission for the admin group in order to add 

members to it. 

4. Set up the host as a client of the NIS+ domain to which you just 

added the host’s data and credentials. See “To Set Up NIS+ Client 

Hosts” on page 206. 

You can use SAM (System Administration Manager) to add hosts to the 

hosts table, cred table, and admin group in an NIS+ domain, but you 

cannot use SAM to set up NIS+ clients. To run SAM, type sam at the 

HP-UX prompt. 


nisaddcred(1M), nisgrpadm(1), sam(1M), and nis(1). 

232 

Chapter 5



To Add a User to an NIS+ Domain 

To add users to an NIS+ domain, follow this procedure, or use SAM 

(System Administration Manager). To run SAM, type sam at the HP-UX 

prompt. 

1. Issue the following command, from any NIS+ client host, to add the 

new user to the NIS+ passwd table: 

nistbladm -a name=loginname passwd= uid=userID gid=groupID \ 

gcos=user_info home=home_dir shell=shell shadow= \ 

passwd.org_dir.domainname 

You must have create permission for the passwd table to use this 


If the domain is the default domain, you do not have to specify the 

domain name, as in the following example: 

nistbladm -a name=sara passwd= uid=7899 gid=20 \ 

gcos=”Sara Sena,,x77555,” home=/home/sara shell=/bin/ksh \ 

shadow= passwd.org_dir 

2. Issue the following commands to add Local and DES credentials for 

the new user to the cred table: 

nisaddcred -p UID -P loginname.domainname local domainname 

nisaddcred -p unix.UID@domainname -P loginname.domainname 

des \ 

domainname 

If you do not specify the domain name as the last argument, the 

credentials are created in the default domain, as in the following 

example: 

nisaddcred -p 7899 -P sara.Eng.Wiz.Com. local 

nisaddcred -p unix.7899@Eng.Wiz.Com -P sara.Eng.Wiz.Com. 

des 

The user ID must not belong to any other user in the passwd table. 

The argument following the -P option is the user’s NIS+ principal 

name and must end with a period. 

When the nisaddcred command prompts you for a password, enter a 

temporary password for the user. 

You must have create permission for the cred table to use this 


3. Issue the following command to change the user’s password: 

Chapter 5 233



passwd -r nisplus loginname 

When the nispasswd command prompts you for a password, type the 

same password you typed when you created the user’s DES credential 

in step 2. 

You can ignore the message that tells you what to do if the user’s 

login password is different from the user’s secure RPC password. If 

you followed the steps in this section, the user’s two passwords are 

the same. 

4. Issue the following command to make the user the owner of the user’s 

passwd table entry: 

nischown username.domainname 

’[name=username],passwd.org_dir.domainname’ 

The following example changes the ownership of a passwd table entry 

in the default domain: 

nischown sara.Eng.Wiz.Com. ’[name=sara],passwd.org_dir’ 

5. Add the user to the primary group you specified when you added the 

user to the passwd table. 

a. Issue the following command to dump the current NIS+ group 

table to a file: 

nisaddent -d group > filename 

b. Use a text editor to add the new user to the appropriate group in 

filename. 

c. Issue the following command to merge the contents of the 

temporary file into the NIS+ group table: 

nisaddent -m -f filename group 

You must have modify permission for the group table to add a user to 

a group. 

6. Create the user’s home directory, and make the user the owner of it, 

as in the following example: 

mkdir /export/home/sara 

chown sara /export/home/sara 

7. If you are using the automounter to mount users’ home directories, 

add the new user’s home directory to the auto_home table. For 

information on the automounter, see “Configuring and Administering 

the NFS Automounter” on page 55. For instructions on adding an 

234 

Chapter 5



entry to an NIS+ table, see “To Add an Entry to an NIS+ Table” on 

page 226. 

8. Tell the new user to log in with the password you specified in steps 2 

and 3 and change passwords with the nispasswd command. 


nisaddcred(1M), passwd(1), nisaddent(1), sam(1M), and nis(1). 

Chapter 5 235



To Create New Credentials for an Existing NIS+ 

Principal 

Sometimes a user or host needs new credentials, because the old ones 

have become corrupted or cannot be used. Follow these steps: 

1. Log in as root to the NIS+ master server for the domain. 

2. Issue the following command to create new credentials for the NIS+ 

principal and overwrite any existing credentials: 

/usr/lib/nis/nisclient -co principalname 

where principalname is username.domainname for a non-root user or 

hostname.domainname for a root user (host). 

Supply the password when you are prompted for it. 

3. Wait two minutes for the NIS+ replicas to be updated. 

4. If the principal is a root user (host), log into the host as root, and issue 

the following command to reinitialize it: 

/usr/lib/nis/nisclient -i -h master_servername -d 

domainname 

5. Test the login by having the user or root user log in. If the login does 

not work, try killing and restarting rpc.nisd on the master server: 


kill PID 

rpc.nisd 

If you are running in NIS compatibility mode, be sure to restart 

rpc.nisd with the -Y option: 

rpc.nisd -Y 

For more information, see the following man pages: nisclient(1M) and 

rpc.nisd(1M). 

236 

Chapter 5



To Create New Credentials for the Root Master Server 

Sometimes the credentials for the root master server become corrupted 

and unusable, and it is necessary to create new ones. Follow this 

procedure to recreate the credentials for the root master server host. 

1. Log in as root to every NIS+ server in the namespace, and issue the 

following commands to kill the nis_cachemgr process and restart 

rpc.nisd at security level 0: 

ps -ef | grep nis_cachemgr 

kill PID 


kill PID 

rpc.nisd -S 0 

2. Log into the root master server, and issue the following command to 

create new credentials for the root master server host: 

nisaddcred -p unix.hostname@domain -P hostname.domain des 

where hostname is the name of the root master server. Note that the 

secure RPC netname (following -p) does not end in a dot, while the 

NIS+ principal name (following -P) does end in a dot. 

Enter the root password when prompted for it. 

If the nisaddcred command hangs, perform step 3, below, then try 

step 2 again. 

3. On the root master server, issue the following commands to kill the 

keyserv daemon and remove the /etc/.rootkey file: 

ps -ef | grep keyserv 

kill PID 

rm /etc/.rootkey 

4. On the root master server, issue the following commands. Note that 

the domainname must end in a dot. 

nisupdkeys org_dir.domainname. 

nisupdkeys groups_dir.domainname. 

nisupdkeys domainname. 

5. On the root master server, issue the following commands: 

nisping org_dir 

nisping groups_dir 

nisping domainname 

Chapter 5 237



6. On the root master server, issue the following command: 

keylogin -r 

Supply the root password when prompted for it. 

7. Log in as root to every server in the namespace, and issue the 

following commands. Note that the domainname must end in a dot. 

nisupdkeys org_dir.domainname. 

nisupdkeys groups_dir.domainname. 

nisupdkeys domainname. 

8. Log in as root to every server in the namespace, including the root 

master server, and issue the following commands to restart the 

nis_cachemgr process and restart rpc.nisd at security level 2: 

nis_cachemgr -i 


kill PID 

rpc.nisd 

For more information, see the following man pages: nis_cachemgr(1M), 

rpc.nisd(1M), nisaddcred(1M), keyserv(1M), nisupdkeys(1M), 

nisping(1M), and keylogin(1). 

238 

Chapter 5



To Change a Password 

• To change the password of a non-root user, issue the following 

command from any NIS+ client host: 

passwd -r nisplus username -D domainname 

The username is not necessary if you are logged in as a non-root user 

and are changing your own password. The -D domainname is 

necessary only if you are changing the password of a user in another 

domain. 

The nispasswd command changes the password in the NIS+ passwd 

and cred tables. It does not change the password in the /etc/passwd 

file. To change the password in the /etc/passwd file, use the 

passwd(1) command. 

If your NIS+ servers are running in NIS compatibility mode, users on 

NIS clients must use the yppasswd command to change their 

passwords in the NIS+ passwd table. 

To change a non-root user’s password, you must have modify 

permission for the passwd and cred tables or for the user’s entries in 

the passwd and cred tables. 

• To change the password of a root user, follow these steps: 

1. Log in as root to the host whose password you want to change. 

2. Issue the passwd command to change the root password in the 

/etc/passwd file: 

passwd 

3. Issue the following command to encrypt the root user’s secret key 

with the new password: 

chkey -p 

CAUTION 

You can change the root password on the root master server, but do not 

change the public or private key on the root master server. The root 

master server’s keys are embedded in every directory object on every 

client, replica server, and subdomain server. 

For more information, see the following man pages: nispasswd(1), 

yppasswd(1), passwd(1), chkey(1), and nis(1). 

Chapter 5 239



To Create an NIS+ Table 

When you set up an NIS+ domain, the nisserver script creates a default 

set of tables. You can also create your own custom tables. 

1. Issue the following command from any NIS+ client host: 

nistbladm -c table_type column=flags column=flags ... 

tablename 

The following example creates a three-column table called 

hostinfo.Wiz.Com. The S flag indicates that the first two columns 

are searchable. 

nistbladm -c hostinfo host=S user=S \ 

location= hostinfo.org_dir.Wiz.Com. 

In most cases, the table type can be the same as the table name 

(without org_dir and the domain name). In most of the standard 

tables, the table type is the same as the table name. Two-column 

tables in which only the first column is searchable have type 

key-value. All automounter maps have type key-value. 

2. If your table has type key-value (two columns with only the first 

column searchable), you can use the nisaddent command to populate 

it from a file or an NIS map. The following example populates the 

auto_direct map from the /etc/auto.direct file: 

nisaddent -f /etc/auto.direct -t auto_direct.org_dir 

key-value 

If your table is not of type key-value, you must add entries to it one at 

a time. You can use SAM, or you can use the nistbladm command. 

See “To Add an Entry to an NIS+ Table” on page 226. 

At least one column in a table must be searchable. 

To create a table, you must have create permission for the org_dir 

directory (or the directory where you want to put the new table). 


nisaddent(1M), and sam(1M). 

240 

Chapter 5



To Remove an NIS+ Table 

1. Issue the following command from any NIS+ client host, to remove all 

the entries in the table: 

nistbladm -R ’[],tablename’ 

The following example removes all the entries from the 

mail_aliases table in the Wiz.Com. domain: 

nistbladm -R ’[],mail_aliases.org_dir.Wiz.Com.’ 

2. Issue the following command from any NIS+ client host to remove the 

table: 

nistbladm -d tablename 

The following example removes the mail_aliases table from the 

Wiz.Com. domain: 

nistbladm -d mail_aliases.org_dir.Wiz.Com. 

If the table is in the default domain, you do not have to specify the fully 

qualified domain with the table name, but you still have to include 

“org_dir” in the table name. 

A table must be empty before you can remove it. 

To remove a table, you must have destroy permission for the NIS+ 

directory where the table resides. 

For more information, type man 1 nistbladm at the HP-UX prompt. 

Chapter 5 241



To Create or Remove Paths Among Tables 

A concatenation path or table path is a property of a table. If a table 

does not contain information requested by an NIS+ principal, but it has a 

concatenation path, NIS+ searches the other tables in the concatenation 

path until it finds the requested information or comes to the end of the 

path. NIS+ does not follow paths recursively; that is, if one of the tables 

in the concatenation path has its own concatenation path, NIS+ will not 

follow it. 

Do not use table paths if your server is running in NIS compatibility 

mode. NIS clients cannot follow table paths. 

• To find out whether a table has a concatenation path, issue this 


niscat -o tablename 

The Search Path line in the output is the table’s concatenation path. 

• To create or modify a concatenation path for a table, issue this 


nistbladm -u -p othertable:othertable... tablename 

The following example creates a path from passwd.Sales.Wiz.Com. 

to passwd.Eng.Wiz.Com. It causes NIS+ to search the passwd table 

of the Eng.Wiz.Com. domain if it fails to find requested information 

in the passwd table of the Sales.Wiz.Com. domain. 

nistbladm -u -p passwd.Eng.Wiz.Com. passwd.Sales.Wiz.Com. 

• To remove a concatenation path from a table, issue this command: 

nistbladm -u -p ”” tablename 

The following example removes the concatenation path from the 

passwd table in the Sales.Wiz.Com. domain: 

nistbladm -u -p ”” passwd.Sales.Wiz.Com. 

You can also create NIS+ links to other tables, but links are slower than 

paths and are not recommended. Type man 1 nisln for more 

information. 

You need modify permission for a table to change its concatenation path. 

For more information, type man 1 nistbladm at the HP-UX prompt. 

242 

Chapter 5



To Create or Remove an NIS+ Group 

• To create an NIS+ group, type the following command on any NIS+ 

client host: 

nisgrpadm -c groupname 

The following example creates an NIS+ group called engineers in 

the Sales.Wiz.Com. domain: 

nisgrpadm -c engineers.Sales.Wiz.Com. 

• To remove an NIS+ group, type the following command on any NIS+ 

client host: 

nisgrpadm -d groupname 

The following example removes the NIS+ group called engineers 

from the Sales.Wiz.Com. domain: 

nisgrpadm -d engineers.Sales.Wiz.Com. 

NIS+ groups are not the same as the HP-UX groups stored in the 

group.org_dir table or the /etc/group file. NIS+ groups are used to 

determine group ownership of NIS+ objects. NIS+ objects allow certain 

access permissions to their group owners. NIS+ groups are stored in the 

groups_dir subdirectory of the domain directory. 

To create an NIS+ group, you must have create permission for the 

groups_dir directory. To remove a group, you must have destroy 

permission for group or for the groups_dir directory. 

You can use SAM (System Administration Manager) to create or remove 

NIS+ groups. To run SAM, type sam at the HP-UX prompt. 

For more information, see the following man pages: nisgrpadm(1) and 

sam(1M). 

Chapter 5 243



To Add or Remove Members of an NIS+ Group 

• To add members to an NIS+ group, type the following command on 

any NIS+ client host: 

nisgrpadm -a groupname group_member [group_member...] 

The following example adds the host principal thyme.Wiz.Com. and 

the NIS+ group tempadmin.Wiz.Com. to the group admin.Wiz.Com.: 

nisgrpadm -a admin.Wiz.Com. thyme.Wiz.Com. 

@tempadmin.Wiz.Com. 

• To remove members from an NIS+ group, type the following 

command on any NIS+ client host: 

nisgrpadm -r groupname group_member [group_member...] 

The following example removes the user principal amy.Wiz.Com. and 

all principals in the Eng.Wiz.Com. domain from the group 

admin.Wiz.Com.: 

nisgrpadm -r admin.Wiz.Com. amy.Wiz.Com. *.Eng.Wiz.Com. 

• To list the current members of an NIS+ group, type the following 

command on any NIS+ client host: 

nisgrpadm -l groupname 

An NIS+ group member may take any of the following forms: 

principal 

@group 

Any host or user principal (for example, amy.Wiz.Com.) 

Another NIS+ group (for example, 

@tempadmin.Wiz.Com.) 

*.domain All principals in an NIS+ domain (for example, 

*.Eng.Wiz.Com.) 

You can exclude any of these types of members from a group by putting a 

minus sign (-) before the member (for example, -@tempadmin.Wiz.Com.). 

A user must have a Local credential in the cred table of the group’s 

domain before you can add the user to the group. 

NIS+ groups are not the same as the HP-UX groups stored in the 

group.org_dir table or the /etc/group file. NIS+ groups are used to 

determine group ownership of NIS+ objects. NIS+ objects allow certain 

access permissions to their group owners. NIS+ groups are stored in the 

groups_dir subdirectory of the domain directory. 

244 

Chapter 5



To add or remove members of an NIS+ group, you must have modify 

permission for the group. 

You can use SAM (System Administration Manager) to add or remove 

members of NIS+ groups. To run SAM, type sam at the HP-UX prompt. 

For more information, see the man pages nisgrpadm(1) and sam(1M). 

Chapter 5 245



To Remove a Replica Server from an NIS+ Domain 

1. Log into the replica you want to remove, and issue the following 

commands to kill rpc.nisd and nis_cachemgr: 


kill PID 

ps -ef | grep nis_cachemgr 

kill PID 

2. Issue the following command to remove the /var/nis directory: 

rm -R /var/nis 

3. Reinitialize the host as an NIS+ client. See “To Set Up NIS+ Client 

Hosts” on page 206. 

4. From any NIS+ client host, issue the following commands: 

nisrmdir -s -f replica_hostname org_dir.domainname 

nisrmdir -s -f replica_hostname groups_dir.domainname 

nisrmdir -s -f replica_hostname domainname 

The following commands removes replica server thyme from domain 

Eng.Wiz.Com.: 

nisrmdir -s -f thyme org_dir.Eng.Wiz.Com. 

nisrmdir -s -f thyme groups_dir.Eng.Wiz.Com. 

nisrmdir -s -f thyme Eng.Wiz.Com. 

The -f option forces the replica to be removed, even if the replica 

cannot be reached. 

To remove a replica server from a domain, you must have modify 

permission for the domain the replica serves. 

For more information, see the following man pages: nisrmdir(1) and 

nis(1). 

246 

Chapter 5



To Remove an NIS+ Domain 

• Issue the following commands to remove an NIS+ domain: 

nisrmdir org_dir.domainname 

nisrmdir groups_dir.domainname 

nisrmdir domainname 

You must remove the org_dir and groups_dir directories before you 

remove the domain directory. You will not be able to remove the 

org_dir and groups_dir subdirectories if you remove the domain 

directory first. 

The nisrmdir command dissociates all servers from the domain and 

removes the domain directory. 

You must have destroy permission for the parent domain in order to 

remove a subdomain. 

For more information, see the following man pages: nisrmdir(1) and 

nis(1). 

Chapter 5 247



To Back Up NIS+ Tables 

It is recommended that you back up your NIS+ tables at least once a day. 

1. Create a directory for your flat files, and make it the current 

directory: 

mkdir /nis+files 

cd /nis+files 







export PATH 

3. Issue the following commands to dump your NIS+ tables to files: 

nisaddent -d aliases > aliases 

nisaddent -d bootparams > bootparams 

nisaddent -d ethers > ethers 

nisaddent -d group > group 

nisaddent -d hosts > hosts 

nisaddent -d netgroup > netgroup 

nisaddent -d netid > netid 

nisaddent -d netmasks > netmasks 

nisaddent -d networks > networks 

nisaddent -d passwd > passwd 

nisaddent -d protocols > protocols 

nisaddent -d publickey > publickey 

nisaddent -d rpc > rpc 

nisaddent -d services > services 

nisaddent -d trusted > trusted 

nisaddent -d timezone > timezone 

niscat auto_home.org_dir > auto_home 

niscat auto_master.org_dir > auto_master 

niscat auto_direct.org_dir > auto_direct 

4. Make sure your NIS+ tables are fully checkpointed. Issue the 

following command to check the size of your transaction log: 

nislog | head -10 

If your transaction log contains only three entries, then your tables 

are fully checkpointed. If your transaction logs contain more than 

248 

Chapter 5



three entries, issue the following command to checkpoint them: 

nisping -Ca 

5. Use your favorite backup utility (tar[1], dump[1M], etc.) to back up 

the following: 

• The /var/nis directory 

• The /etc/.rootkey file 

• The flat files you created by dumping the NIS+ tables 

Chapter 5 249


Summary of NIS+ Commands 

Table 5-2 

chkey(1) 

domainname(1) 

keylogin(1) 

keylogout(1) 

nisaddent(1M) 

nisaddcred(1M) 

nis_cachemgr(1M) 

niscat(1) 

nischgrp(1) 

nischmod(1) 

nischown(1) 

nischttl(1) 

nisclient(1M) 

nisdefaults(1) 

niserror(1) 



Creates or changes a secure RPC key. 

Sets or displays the name of the NIS+ domain. 

Decrypts and stores a secure RPC key. keylogin is called when 

a user logs in, but the user must issue keylogin if no password 

was provided at login or if the login password is different from 

the secure RPC password. 

Deletes a stored decrypted secure RPC key. 

Populates or updates an NIS+ table with the contents of a file or 

NIS map. 

Adds credentials for NIS+ principals to the cred table. 

A daemon that caches information about servers and their 

locations. 

Displays the entries in an NIS+ table or the properties of an 

NIS+ object. 

Changes the group owner of an NIS+ object. 

Changes the permissions on an NIS+ object. 

Changes the owner of an NIS+ object. 

Changes the time to live of an NIS+ object. The time to live is 

the length of time a directory or group object may remain 

cached. 

Initializes NIS+ client hosts. Creates credentials for NIS+ 

users. 

Lists the default values for the current process. Default values 

include permissions and ownership for any new NIS+ objects 

created. 

Displays the error message that corresponds to an NIS+ error 

number. 

250 

Chapter 5



Table 5-2 

nisgrep(1) 

nisgrpadm(1) 

nisinit(1M) 

nisln(1) 

nislog(1M) 

nismatch(1) 

nismkdir(1M) 

nispasswd(1) 

nisping(1M) 

nispopulate(1M) 

nisrm(1) 

nisrmdir(1) 

nisserver(1M) 

nisetup(1M) 

nisstat(1M) 


Searches an NIS+ table for a specified string or regular 

expression. 

Creates or destroys NIS+ groups. Adds or removes NIS+ group 

members. Lists the members or tests for membership in an 

NIS+ group. 

Initializes an NIS+ client or NIS+ root master server. 

Hewlett-Packard recommends that you use the nisclient(1M) 

and nisserver(1M) scripts instead of the nisinit script. 

Symbolically links NIS+ objects. 

Displays the contents of the NIS+ transaction log. 

Searches specified columns in an NIS+ table for specified 

values. 

Creates an NIS+ directory or adds a replica server to an 

existing NIS+ directory. 

Changes a user’s login password in the NIS+ passwd table and 

encrypts the user’s secret key with the new password. 

Causes servers to update their tables with the information in 

their transaction logs. 

Populates NIS+ tables with data from files or NIS maps. 

Removes an NIS+ object. 

Removes an NIS+ directory or removes a replica server from a 

directory. 

Sets up a host as an NIS+ server. 

Creates all the default tables for an NIS+ domain. 

Displays statistics and configuration information about an NIS+ 

server. 

nisshowcache(1M) 

Displays the contents of the NIS+ directory cache. 

Chapter 5 251



Table 5-2 

nistbladm(1) 

nistest(1) 

nisupdkeys(1M) 


Creates or destroys NIS+ tables. Adds, removes, or modifies 

entries in NIS+ tables. Modifies table properties, like the 

concatenation path and separator character. 

Tests for the existence, object type, and access rights of NIS+ 

objects. 

Updates the public keys in an NIS+ directory object. 

rpc.nisd(1M) 

rpc.nisd_resolv(1M) 

rpc.nisd is the NIS+ server daemon. The nisd_resolv process 

is started when you run rpc.nisd in NIS compatibility mode 

with DNS forwarding. 

252 

Chapter 5

6 Configuring the Name Service 

Switch 

Chapter 6 253

Configuring the Name Service Switch 

The Name Service Switch determines where your host will look for the 

information that is traditionally stored in the following files: 

• /etc/mail/aliases 

• automounter maps (like /etc/auto_master and /etc/auto_home) 

• /etc/group 

• /etc/hosts 

• /etc/netgroup 

• /etc/networks 

• /etc/passwd 

• /etc/protocols 

• /etc/publickey 

• /etc/rpc 

• /etc/services 

You can configure your host to look for each type of information in NIS, 

NIS+, or the local /etc file. You can configure your host to consult any 

combination of these sources, in any order; however, it is recommended 

that you do not configure your host to consult both NIS and NIS+. 

For host information (host names and IP addresses), you can configure 

your host to consult BIND (DNS) in addition to NIS, NIS+, or the local 

/etc/hosts file. Again, it is recommended that you do not configure your 

host to consult both NIS and NIS+. 

The Name Service Switch on HP-UX 10.30 has a different default 

behavior from the Name Service Switch in previous releases. If you are 

using the default Name Service Switch configuration (or if you do not 

have an /etc/nsswitch.conf file), and you want your host to behave 

the same way after you upgrade to HP-UX 10.30, copy the 

/etc/nsswitch.hp_defaults file to /etc/nsswitch.conf. See “Default 

Configuration” on page 261 for more information. 

The ability to consult more than one name service for host information is 

often called hostname fallback. The Name Service Switch provides 

client-side hostname fallback, because it is used by client-side 

programs (for example, gethostbyname) which request host information. 

NIS and NIS+ allow you to configure a server-side hostname 

fallback, which causes the NIS or NIS+ server to query BIND when it 

254 

Chapter 6


fails to find requested host information in its database. The NIS or NIS+ 

server then returns the host information to the client through NIS or 

NIS+. An NIS+ server must run in NIS compatibility mode to support 

server-side hostname fallback. This server-side hostname fallback is 

intended for use with clients like PCs that do not have a feature like the 

Name Service Switch. Hewlett-Packard recommends that you use the 

Name Service Switch if possible, instead of server-side hostname 

fallback. For more information on the NIS server-side hostname fallback, 

see “To Query BIND for Host Information After Querying NIS” on page 

158. For information on NIS+ server-side hostname fallback, see “To 

Configure an NIS+ Server to Return BIND Information to Clients” on 

page 215. 

This chapter tells you how to configure the Name Service Switch. It 

contains the following sections: 

• Installing and Customizing the nsswitch.conf File 

• Syntax of the nsswitch.conf File 

• Default Configuration 

• Troubleshooting the Name Service Switch 

NOTE 

Configuring the Name Service Switch is a separate task from configuring 

the name services themselves. You must also configure the name services 

before you can use them. The Name Service Switch just determines 

which name services are queried and in what order. 

Chapter 6 255


Installing and Customizing the nsswitch.conf File 

Installing and Customizing the 

nsswitch.conf File 

The configuration file for the Name Service Switch is called 

/etc/nsswitch.conf. If this file does not exist, the system has a default 

Name Service Switch configuration, described in “Default Configuration” 

on page 261, later in this chapter. 

Table 6-1 

File Name 

nsswitch.files 

nsswitch.nis 

nsswitch.nisplus 

1. Copy the appropriate Name Service Switch configuration file to 

/etc/nsswitch.conf. 

Table 6-1 lists the Name Service Switch configuration files supplied in 

the /etc directory and describes the purpose of each one. 

If you plan to use BIND (DNS) for host information, step 2 in this 

procedure explains how to add BIND to the Name Service Switch 

configuration file. 

Name Service Switch Configuration Files in /etc Directory 

Purpose 

For hosts not configured as NIS or NIS+ clients. All types of 

lookups consult files on the local host. 

For hosts configured as NIS clients. Some types of lookups use 

local files first and consult NIS if the local files do not contain the 

requested information. Other types of lookups consult NIS first 

and look in local files only if NIS does not respond. 

For hosts configured as NIS+ clients. Some types of lookups use 

local files first and consult NIS+ if the local files do not contain 

the requested information. Other types of lookups consult NIS+ 

first and look in local files only if NIS+ does not respond. 

nsswitch.hp_defaults 

For hosts that used the HP-UX default Name Service Switch 

configuration on earlier releases and will continue to use it on 

HP-UX 10.30. See “Default Configuration” on page 261. 

2. If you chose a configuration file other than nsswitch.hp_defaults, 

and you want to use BIND (DNS) for host name and IP address 

lookups, change the hosts line to read as follows: 

256 

Chapter 6


Installing and Customizing the nsswitch.conf File 

hosts: dns [NOTFOUND=return] files 

If you want your host to consult NIS or NIS+ when BIND is not 

running, change the hosts line to read as follows: 

hosts: dns [NOTFOUND=return] nis [NOTFOUND=return] files 

or 

hosts: dns [NOTFOUND=return] nisplus [NOTFOUND=return] 

files 

3. Reboot your host to force long-running processes to read the new 

/etc/nsswitch.conf file. Many processes, like the keyserv(1M) 

daemon, read the file only at startup and continue to use the values 

they read at startup even though the file has changed. The safest way 

to restart all necessary processes in the correct order is to reboot the 

host. 

HP recommends that you maintain at least a minimal /etc/hosts file 

that includes important addresses like gateways, diskless boot servers 

and root servers, and your host’s own IP address. HP also recommends 

that you include the word files in the hosts line to help ensure a 

successful system boot using the /etc/hosts file when BIND and NIS or 

NIS+ are not available. 

For more information on the Name Service Switch, type man 4 

nsswitch.conf at the HP-UX prompt. 

Chapter 6 257


Syntax of the nsswitch.conf File 


Each line in the /etc/nsswitch.conf file has the following syntax: 

lookup_type name_service [status=action status=action ...] 

name_service ... 

If you include any status=action pairs after a name service, the square 

brackets are required. 

lookup_type 

name_service 

status 

action 

The type of information to be looked up. The supported 

keywords and the information types they represent are 

listed in Table 6-2. These keywords are case-sensitive. 

A name service to use for the type of information in the 

lookup_type field. Supported keywords and the name 

services they represent are listed in Table 6-3. These 

keywords are case-sensitive. 

One of the following statuses returned by a name 

service query. These values may be entered in 

uppercase or lowercase. 

SUCCESS 

NOTFOUND 

UNAVAIL 

TRYAGAIN 

The lookup was successful, and the 

requested information was found. 

The name service returned a 

response, but the requested data was 

not in its database. 

The name service is not configured. 

The name service was busy and the 

request timed out. This value is 

returned only by NIS+ and DNS. 

The action to take based on the status of the name 

service query. The following values may be entered in 

uppercase or lowercase. 

continue Try the next name service in the list. 

return End the lookup and return control to 

the calling process without consulting 

the next name service in the list. 

If a line beginning with one of the lookup_types does not exist in the 

258 

Chapter 6



Table 6-2 

Keyword 

aliases 

automount 

group 

hosts 

netgroup 

networks 

passwd 

protocols 

publickey 

rpc 

/etc/nsswitch.conf file, the default Name Service Switch 

configuration for that type of information is used. If the 

/etc/nsswitch.conf file does not exist, the default configuration is 

used for every type of information. The default Name Service Switch 

configuration is described in “Default Configuration” on page 261. 

Types of Lookups Controlled by the Name Service Switch 

Type of Information Represented by Keyword 

sendmail aliases stored in the /etc/mail/aliases file, the NIS 

mail.aliases and mail.byaddr maps, or the NIS+ mail_aliases 

table. 

NFS automounter maps stored in files like /etc/auto_master and 

/etc/auto_home, NIS maps like auto.master and auto.home, or 

NIS+ tables like auto_master and auto_home. 

Information about HP-UX groups stored in the /etc/group file, the 

NIS group.bygid and group.byname maps, or the NIS+ group table. 

Host names and IP addresses stored in the /etc/hosts file, the NIS 

hosts.byaddr and hosts.byname maps, or the NIS+ hosts table. 

NFS netgroups stored in the /etc/netgroup file, the NIS netgroup, 

netgroup.byhost and netgroup.byuser maps, or the NIS+ 

netgroup table. 

Network names and IP addresses stored in the /etc/networks file, 

the NIS networks.byaddr and networks.byname maps, or the 

NIS+ networks table. 

User login information stored in the /etc/passwd file, the NIS 

passwd.byname and passwd.byuid maps, or the NIS+ passwd 

table. 

Networking protocol names and numbers stored in the 

/etc/protocols file, the NIS protocols.byname and 

protocols.bynumber maps, or the NIS+ protocols table. 

Secure RPC credentials stored in the /etc/publickey file, the NIS 

publickey.byname map, or the NIS+ cred table. 

RPC program names and numbers stored in the /etc/rpc file, the 

NIS rpc.byname and rpc.bynumber maps, or the NIS+ rpc table. 

Chapter 6 259



Table 6-2 

Keyword 

services 

Table 6-3 

Keyword 

files 

nis 

nisplus 

dns 

compat 

Types of Lookups Controlled by the Name Service Switch 

Type of Information Represented by Keyword 

Mapping of networking services to port numbers and protocols, stored 

in the /etc/services file, the NIS services.byname and 

services.bynp maps, or the NIS+ services table. 

Name Services Supported by the Name Service Switch 

Name Service Represented by Keyword 

Files in the /etc directory on the local host (/etc/passwd, /etc/hosts, 

and so on) 

Network Information Service (NIS) 

Network Information Service Plus (NIS+) 

Domain Name System (DNS), which is implemented by Berkeley Internet 

Name Domain (BIND) on HP-UX. See the Installing and Administering 

Internet Services manual for more information. The dns keyword may be 

used only on the line beginning with hosts. 

NIS compatibility mode, used only for passwd and group information. If 

you specify compat as a name service, your local /etc/passwd or 

/etc/group file will be consulted first, and any lines in the file beginning 

with plus (+) or minus (-) will direct lookups to NIS, just as they did in 

earlier releases. 

If you want lookups to go to NIS+ instead of NIS when a plus or minus is 

encountered in the file, specify compat for passwd or group, and add the 

following lines to the bottom of your /etc/nsswitch.conf file: 

passwd_compat: nisplus 

group_compat: nisplus 

If you omit these lines, the compat keyword causes lookups to go to NIS, 

not NIS+. 

260 

Chapter 6


Default Configuration 


If the /etc/nsswitch.conf file does not exist, or if the line for a 

particular type of information is absent or syntactically incorrect, the 

following default configuration is used. 

passwd: files nis 

group: files nis 


networks: nis [NOTFOUND=return] files 

protocols: nis [NOTFOUND=return] files 

rpc: nis [NOTFOUND=return] files 

publickey: nis [NOTFOUND=return] files 

netgroup: nis [NOTFOUND=return] files 

automount: files nis 

aliases: files nis 

services: nis [NOTFOUND=return] files 

If your /etc/nsswitch.conf file contains a syntactically correct line for 

a particular type of information, that line is used instead of the default. 

If you specify a name service for a particular type of information, but you 

do not specify four status=action pairs after the name service, the 

following default status=action pairs are used for any statuses you did 

not specify: 

SUCCESS=return 

NOTFOUND=continue 

UNAVAIL=continue 

TRYAGAIN=continue 

So, for example, in the default configuration for passwd, the local 

/etc/passwd file will be consulted first, and if the query returns 

anything but SUCCESS, the NIS passwd map will be consulted. 

The default Name Service Switch behavior on HP-UX changed at release 

10.30. The file /etc/nsswitch.hp_defaults gives the default Name 

Service Switch behavior for HP-UX prior to release 10.30. If you want 

your host to keep the same Name Service Switch behavior when you 

upgrade to release 10.30, copy /etc/nsswitch.hp_defaults to 

/etc/nsswitch.conf. Following is the old default Name Service Switch 

for HP-UX prior to release 10.30. 

Chapter 6 261



passwd: compat 

group: compat 


networks: nis [NOTFOUND=return] files 

protocols: nis [NOTFOUND=return] files 

rpc: nis [NOTFOUND=return] files 

publickey: nis [NOTFOUND=return] files 

netgroup: nis [NOTFOUND=return] files 

automount: files nis 

aliases: files nis 

services: nis [NOTFOUND=return] files 

This configuration uses the +/- syntax in the /etc/passwd and 

/etc/group files. The local /etc/passwd or /etc/group file is consulted 

first, and when a plus (+) or minus (-) sign is encountered in the file, the 

query goes to the NIS database. 

This configuration uses BIND (DNS) for host name and IP address 

lookups. NIS is consulted only if the local host is not configured to use 

BIND. The local /etc/hosts file is consulted only if the local host is not 

configured as a DNS or NIS client. 

262 

Chapter 6


Troubleshooting the Name Service Switch 


• Issue the nsquery command to perform a hosts, passwd, or group 

lookup, as follows: 

/usr/contrib/bin/nsquery lookup_type lookup_query 

The lookup_type may be hosts, passwd, or group. 

The lookup_query may be a host name or IP address, a user name or 

user ID, or a group name or group ID. 

The nsquery command displays the Name Service Switch configuration 

that is currently in use. Then, it displays the results of the query. The 

following example uses nsquery to perform a lookup of the host name 

romney: 

# /usr/contrib/bin/nsquery hosts romney 

Using “nisplus [NOTFOUND=return] files” for the hosts policy. 

Searching nisplus for romney 

romney was NOTFOUND 

Switch configuration: Terminates Search 

As an optional third argument to nsquery, you can supply a Name 

Service Switch configuration in double quotes, as in the following 

example: 

# /usr/contrib/bin/nsquery passwd 30 “files nis” 

Using “files nis” for the passwd policy. 

Searching /etc/passwd for 30 

User name: www 

User Id: 30 

Group Id: 1 

Gecos: 

Home Directory: / 

Shell: 

Switch configuration: Terminates Search 

For more information, type man 1 nsquery at the HP-UX prompt. 

Chapter 6 263



264 

Chapter 6

7 Configuring and Using the 

Remote Execution Facility 

(REX) 

Chapter 7 265

Configuring and Using the Remote Execution Facility (REX) 

The Remote Execution Facility (REX) allows you to execute commands 

on a remote host. REX is similar to the remsh(1) command, except REX 

simulates the user’s home environment on the remote host and mounts 

the user’s current working directory on the remote host. REX consists of 

the following: 

• The on command, which is the user interface to REX and runs on the 

host where the user is logged in. The host where the on command is 

issued is known as the REX client. 

• The rexd daemon, which runs on the remote host. The host running 

the rexd daemon is known as the REX server. 

This chapter contains the following sections: 

• How REX Works 

• Configuring REX 

266 

Chapter 7


How REX Works 

How REX Works 

1. A user issues the on command, specifying a command to execute and 

the name of a remote host on which to execute it. 

The user must be logged in as a non-root user (a user with a non-zero 

user ID) to use the on command. Also, an account with the user’s local 

user ID must exist on the remote host. 

2. The on command passes the user’s environment variables to the 

remote host. If the command is interactive, the on command also 

passes some of the user’s tty settings to the remote host. Note that 

the user’s environment and tty settings on the remote system will 

not be identical to those on the user’s home system. 

3. The rexd daemon running on the remote host NFS-mounts the user’s 

current working directory on the remote host, if it is not already 

mounted there. 

By default, rexd mounts the user’s current working directory under 

/var/spool/rexd/rexdAXXXX/current_directory, where AXXXX is 

a letter followed by a four-digit number, and current_directory is 

the full pathname of the user’s current working directory on the local 

system. 

4. The command that the user specified with the on command is 

executed on the remote host (the REX server). If the user did not 

specify a command to execute, a shell is started on the REX server. 

5. After the command has executed on the REX server, rexd unmounts 

the user’s current working directory. If the directory is busy, rexd will 

not be able to unmount it. 

For more information on REX, type man 1M rexd or man 1 on at the 

HP-UX prompt. 

Chapter 7 267


How REX Works 

REX Example 

In the following example, user tracy is logged into host sage. Her 

current working directory is her home directory, /home/sage/tracy. She 

issues the on command to run more on host thyme: 

on -i thyme more /etc/exports 

The -i option is required, because more is an interactive command. 

tracy’s home environment on host sage is transferred to host thyme. 

tracy’s current working directory (her home directory, in this example) 

is mounted on host thyme. 

Figure 7-1 

REX Example 

sage 

/ 

home 

sage 

tracy 

HOME=/home/sage/tracy 

PATH=:/usr:/usr/bin 

SHELL=/usr/bin/ksh 

... 

thyme 

/ 

var 

spool 

rexd 

rexdD4253 

home 

sage 

tracy 

HOME=/home/sage/tracy 

PATH=:/usr:/usr/bin 

SHELL=/usr/bin/ksh 

... 

The more command from the /usr/bin directory on host thyme executes, 

listing the /etc/exports file from host thyme. The output of the more 

command is directed to tracy’s display on host sage. 

After tracy types q to quit the more program, her current working 

directory is unmounted from host thyme. 

268 

Chapter 7


Configuring REX 


This section tells you how to set up REX clients and REX servers. It also 

explains how to configure added security for REX servers and how to 

configure logging for the rexd daemon. 

To Configure REX 

1. Make sure all the hosts to which users need access are listed in your 

hosts database (BIND, NIS, or /etc/hosts). 

2. Make sure users have accounts on all the hosts they need to use. 

Make sure the user ID for each user is the same on all hosts where 

that user has an account. 

If you are using NIS or NIS+, and users do not need access to any 

hosts outside your NIS domain or NIS+ namespace, this step is not 

necessary. With NIS and NIS+, user accounts are administered 

centrally on the master server, and all hosts have access to the same 

user information. See “Configuring and Administering NIS” on page 

135 for instructions on setting up NIS. See “Configuring and 

Administering NIS+” on page 185 for instructions on setting up 

NIS+. 

3. Make sure all REX clients (hosts from which users will issue the on 

command) are configured as NFS servers. See “Configuring and 

Administering an NFS Server” on page 24. 

4. Make sure users’ home directories on all REX clients are exported to 

REX servers (available to be mounted with NFS). See “To Make 

Directories Available to NFS Clients (Export Directories)” on page 

24. 

5. Make sure all REX servers (hosts where the rexd daemon will run) 

are configured as NFS clients. See “Configuring and Administering 

an NFS Client” on page 34. 

6. Use a text editor to uncomment the following line in the 

/etc/inetd.conf file, which starts rexd: 

rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 

rpc.rexd 

7. Issue the following command to force inetd to reread its 

Chapter 7 269



configuration file: 


270 

Chapter 7



To Configure REX Security 

1. On each REX server, add the -r option to the line in 

/etc/inetd.conf that starts the rexd daemon, as follows: 

rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 \ 

rpc.rexd -r 

2. Issue the following command to force inetd to reread 

/etc/inetd.conf: 


3. Add lines to the /etc/hosts.equiv file on the REX server to allow 

REX clients to use the server, 

or 

have each REX user add lines to a .rhosts file in the user’s home 

directory on the REX server to allow access from REX clients. 

The -r option causes rexd to deny requests from a user on a REX client 

unless the client is listed in /etc/hosts.equiv or the user’s 

$HOME/.rhosts file on the REX server. 

A line in the /etc/hosts.equiv or $HOME/.rhosts file has the following 

syntax: 

hostname 

[username] 

For example, if user paula has accounts on REX clients broccoli and 

cabbage and on REX server cauliflower, she would create a .rhosts 

file in her home directory on cauliflower with the following lines: 

broccoli 

cabbage 

paula 

paula 

CAUTION 

The /etc/hosts.equiv and $HOME/.rhosts files create a significant 

security risk. Make sure these files and users’ home directories are 

writable only by the owner. 

For more information, see the man pages for rexd(1M) and 

hosts.equiv(4). 

Chapter 7 271



To Configure Logging for the rexd Daemon 

1. Use a text editor to add the -l log_file option to the line in 

/etc/inetd.conf that starts rexd, as in the following example: 


rpc.rexd -l /var/adm/rexd.log 

2. Issue the following command to force inetd to reread its 

configuration file: 


When logging is turned on, rexd logs any diagnostic, warning, and error 

messages to log_file.Iflog_file exists, rexd appends messages to the 

file. If log_file does not exist, rexd creates it. Messages are not logged 

if the -l option is not specified. 

Information logged to the file includes date and time of the error, host 

name, process ID and name of the function generating the error, and the 

error message. 

Different RPC services can share a single log file, because enough 

information is included to uniquely identify each error. 

Type man 1M rexd for explanations of the messages logged by the rexd 

daemon. 

Many of the errors logged by rexd are also returned to the user who 

issued the on command. Type man 1 on for explanations of the messages 

returned by the on command. 

272 

Chapter 7

8 Troubleshooting NFS Services 

This chapter describes tools and procedures for troubleshooting the NFS 

Services. It contains the following sections: 

• Common Problems with NFS 

Chapter 8 273

Troubleshooting NFS Services 

• Common Problems with NIS 

• Common Problems with NIS+ 

• Performance Tuning 

• Logging and Tracing of NFS Services 

• Normal System Startup 

274 

Chapter 8


Common Problems with NFS 


This section lists the following common problems encountered with NFS 

and suggests ways to correct them. 

• If You Receive an NFS “Server Not Responding” Message, see 

page 276. 

• If You Receive an “Access Denied” Message, see page 279. 

• If You Receive a “Permission Denied” Message, see page 281. 

• If You Receive an “Unknown Host” or “Not In Hosts Database” 

Message, see page 283. 

• If You Receive a “Device Busy” Message, see page 284. 

• If You Receive a “Stale File Handle” Message, see page 285. 

• If a Program Hangs, see page 287. 

• If Data is Lost Between the Client and the Server, see page 289. 

• If You Cannot Start New Processes, see page 290. 

• If You Receive a “Too Many Levels of Remote in Path” Message, see 

page 291. 

Chapter 8 275



If You Receive an NFS “Server Not Responding” 

Message 

❏ Issue the /usr/sbin/ping(1M) command on the NFS client to make 

sure the NFS server is up and is reachable on the network. If the 

ping command fails, either the server is down, or the network has a 

problem. If the server is down, reboot it, or wait for it to come back up. 

For information on troubleshooting network problems, see Installing 

and Administering LAN/9000 Software. 

❏ Issue the following command on the NFS client to make sure the 

server is running all the NFS server processes: 

/usr/bin/rpcinfo -p servername 

The rpcinfo command should display the following processes: 

— rpcbind 

— nfs 

— mountd 

— status 

— nlockmgr 

— llockmgr 

If any of these processes is not running, follow these steps: 

1. Make sure the /etc/rc.config.d/nfsconf file on the NFS server 

contains the following lines: 


START_MOUNTD=1 

2. Make sure that the /etc/inetd.conf file on the NFS server does 

not contain a line to start rpc.mountd. If it does, make sure the 

START_MOUNTD variable in /etc/rc.config.d/nfsconf is set to 0. 

3. Issue the following command on the NFS server to start all the 

necessary NFS processes: 


❏ Issue the following command on the NFS client to make sure the 

rpc.mountd process on the NFS server is available and responding to 

RPC requests: 

276 

Chapter 8



/usr/bin/rpcinfo -u servername mountd 

If the rpcinfo command returns RPC_TIMED_OUT, the rpc.mountd 

process may be hung. Issue the following commands on the NFS 

server to restart rpc.mountd (PID is the process ID returned by the 

ps command): 

/usr/bin/ps -ef | /usr/bin/grep mountd 

/usr/bin/kill PID 

/usr/sbin/rpc.mountd 

❏ You can receive “server not responding” messages when the server or 

network is heavily loaded and the RPC requests are timing out. Try 

doubling the timeo mount option for the directory, as in the following 

example from the /etc/fstab file, which changes the timeo value 

from 7 (the default) to 14. (The timeo option is in tenths of a second.) 

cabbage:/usr /usr nfs nosuid,timeo=14 0 0 

❏ Issue the following command on the NFS client to check that your 

hosts database returns the correct address for the NFS server: 

/usr/bin/nslookup server_name 

If your client cannot resolve the server’s hostname, see “If You 

Receive an “Unknown Host” or “Not In Hosts Database” Message” on 

page 283. 

Issue the same nslookup command on the NFS server, and compare 

the address with the one returned by the nslookup command on the 

NFS client. If they are different, correct your NIS, NIS+, BIND, or 

/etc/hosts configuration. For information on NIS troubleshooting, 

see “Common Problems with NIS” on page 292. For information on 

NIS+ troubleshooting, see “Common Problems with NIS+” on page 

301. For information on BIND or /etc/hosts, see Installing and 

Administering Internet Services. 

❏ If you are using the automounter, issue the ps -ef command to make 

sure the automount process is running on your NFS client. If it is not, 

follow these steps: 

1. Make sure the AUTOMOUNT variable is set to 1 in the 

/etc/rc.config.d/nfsconf file on the NFS client. 

AUTOMOUNT=1 

2. Issue the following command on the NFS client to start the 

automounter: 

Chapter 8 277




❏ If the “server not responding” message was followed by 

RPC_AUTH_ERROR; why=AUTH_BOGUS_CREDENTIAL, this could mean 

that you (or the user who received the message) are a member of too 

many groups. On HP-UX release 9.0 or later, you can be a member of 

up to 16 groups. On HP-UX releases prior to 9.0, you can be a member 

of up to 8 groups. 

278 

Chapter 8



If You Receive an “Access Denied” Message 

❏ Issue the following command on the NFS client to check that the NFS 

server is exporting the directory you want to mount: 

/usr/sbin/showmount -e server_name 

If the server is not exporting the directory, edit the /etc/exports file 

on the server so that it allows your NFS client access to the directory. 

Then, issue the following command to force the server to read its 

/etc/exports file. 

/usr/sbin/exportfs -a 

If the directory is exported with the access option, make sure your 

NFS client is included in the access list, either individually or as a 

member of a netgroup. 

❏ If your NFS client is included in the access list as a member of a 

netgroup, make sure it is a member of the netgroup in the server’s 

/etc/netgroup file. 

If you are using NIS to manage your netgroups, issue the following 

command to determine whether your NIS server has up-to-date 

information about the netgroup that includes your client: 

/usr/bin/ypmatch netgroup_name netgroup 

If your NIS server does not return the correct information, see 

“Common Problems with NIS” on page 292. 

If you are using NIS+ to manage your netgroups, issue the following 

command to determine whether the NIS+ database has up-to-date 

information about the netgroup that includes your client: 

nismatch name=netgroup_name netgroup.org_dir 

If your NIS+ server does not return the correct information, see 

“Common Problems with NIS+” on page 301. 

❏ Issue the following commands on the NFS server to make sure your 

NFS client is listed in its hosts database: 

nslookup client_name 

nslookup client_IP_address 

If the server cannot resolve your client’s hostname, see “If You 

Receive an “Unknown Host” or “Not In Hosts Database” Message” on 

page 283. 

Chapter 8 279



❏ If rpc.mountd is configured in /etc/inetd.conf on the NFS server, 

check the server’s /var/adm/inetd.sec file to make sure your NFS 

client is allowed access to rpc.mountd. 

280 

Chapter 8



If You Receive a “Permission Denied” Message 

❏ Check the mount options in the /etc/fstab file on the NFS client. A 

directory you are attempting to write to may have been mounted 

read-only. 

❏ Issue the ls -l command to check the HP-UX permissions on the 

server directory and on the client directory that is the mount point. 

You may not be allowed access to the directory. 

❏ Issue the following command on the NFS server: 

/usr/sbin/exportfs 

Or, issue the following command on the NFS client: 

/usr/sbin/showmount -e server_name 

Check the export permissions on the exported directory. The directory 

may have been exported read-only to your client. The system 

administrator of the NFS server can use the remount mount option to 

mount the directory read/write without unmounting it. See “To 

Change the Default Mount Options” on page 43. 

If you are logged in as root to the NFS client, check the export 

permissions to determine whether root access to the directory is 

granted to your NFS client. 

❏ If you are logged in as root to the NFS client, and your client is not 

allowed root access to the exported directory, check the passwd 

database on the NFS server to determine whether it contains an 

entry for user nobody. Without root access, the root user on an NFS 

client is given the access permissions of user nobody. Also, check 

whether anonymous users are denied access to the directory (with the 

anon=65535 export option). 

If your client is not allowed root access or anonymous user ID access 

to the exported directory, log in as a non-root user to get access to the 

directory. 

❏ If you are not running NIS or NIS+, or if the server is in a different 

domain from the client, check the passwd databases on the server and 

the client to make sure you have a valid login on both machines and 

that your user ID is the same on both machines. If your user ID is 

unrecognized on the NFS server, you will be granted the permissions 

of user nobody. 

❏ If you were attempting to run a program when you received the 

Chapter 8 281



“permission denied” message, issue the ls -l command on the NFS 

server to check whether the program you tried to run has the setuid 

bit set. If it does, check /etc/fstab to determine whether the 

directory was mounted with the nosuid mount option. If necessary, 

remove the nosuid option from the /etc/fstab file, then unmount 

and remount the directory. 

282 

Chapter 8



If You Receive an “Unknown Host” or “Not In Hosts 

Database” Message 

❏ Issue the following command to trace a lookup of the unknown host: 

/usr/contrib/bin/nsquery hosts hostname 

The trace will indicate which name services (BIND, NIS, NIS+, or 

/etc/hosts) were queried and in what order. If your host is not 

performing lookups the way you want, see “Configuring the Name 

Service Switch” on page 253 for instructions on configuring the Name 

Service Switch. 

❏ If your host is using the /etc/hosts file to resolve hostnames, edit 

the file to add or correct the entry for the unknown host. Type man 4 

hosts for the correct syntax. 

❏ If your host is using NIS to resolve hostnames, see “Common 

Problems with NIS” on page 292. 

❏ If your host is using NIS+ to resolve hostnames, see “Common 

Problems with NIS+” on page 301. 

❏ If your host is using BIND (DNS) to resolve hostnames, see Installing 

and Administering Internet Services for instructions on 

troubleshooting BIND. 

Chapter 8 283



If You Receive a “Device Busy” Message 

❏ If you received the “device busy” message while attempting to mount 

a directory, try to access the mounted directory. If you can access it, 

then it is already mounted. 

❏ If you received the “device busy” message while attempting to 

unmount a directory, a user or process is currently using the 

directory. Wait until the process completes, or follow these steps: 

1. Issue the following command to determine who is using the 



The fuser(1M) command will return a list of process IDs and user 

names that are currently using the directory mounted under 

local_mount_point. This will help you decide whether to kill the 

processes or wait for them to complete. 

2. To kill all processes using the mounted directory, issue the 



3. Try again to unmount the directory. 

284 

Chapter 8



If You Receive a “Stale File Handle” Message 

Table 8-1 

A “stale file handle” occurs when one client removes an NFS-mounted file 

or directory that another client has open, as in the following sequence of 

events: 

NFS client 1 NFS client 2 

1 % cd /proj1/source 

2 % cd /proj1 

3 % rm -Rf source 

4 % ls 

.:Stale File Handle 

If a server stops exporting a directory that a client has mounted, the 

client will receive a stale file handle error. Stale file handles also occur if 

you restore the NFS server’s file systems from a backup or randomize the 

inode numbers with fsirand(1M). 

❏ If the stale file handle occurred because someone removed a file or 

directory that was in use, or because a server stopped exporting a 

directory that was in use, follow these steps: 

1. Issue the /usr/bin/cd command to move out of the NFS-mounted 

directory that is causing the problem, then try unmounting the 

directory: 

/usr/bin/cd .. 

/usr/sbin/umount directory 

2. If the directory cannot be unmounted because it is busy (in use), 

issue the following commands to kill the processes using the 

directory and to try again to unmount it: 



3. If the directory still cannot be unmounted, reboot the client. 

4. To avoid stale file handles caused by users deleting NFS-mounted 

files, try using a source code control system, like Revision Control 

System (RCS). A source code control system allows only one user 

at a time to modify a file or directory, so one user cannot remove 

Chapter 8 285



files another user is accessing. Type man 5 rcsintro for more 

information. 

❏ If someone has restored the server’s file systems from backup or 

issued the fsirand command on the server, follow these steps on each 

of the NFS clients to prevent stale file handles by restarting NFS: 

1. Issue the mount(1M) command with no options, to get a list of all 

the mounted file systems on the client: 

/usr/sbin/mount 

2. For every NFS-mounted directory listed by the mount command, 

issue the following command to determine whether the directory 

is currently in use: 


This command lists the process IDs and user names of everyone 

using the mounted directory. 

3. Warn any users to cd out of the directory, and kill any processes 

that are using the directory, or wait until the processes terminate. 

You can use the following command to kill all processes using the 

directory: 


4. Issue the following command on the client to unmount all 

NFS-mounted directories: 

/usr/sbin/umount -at nfs 

5. Issue the following commands to restart the NFS client: 



286 

Chapter 8



If a Program Hangs 

❏ Check whether the NFS server is up and operating correctly. See “If 

You Receive an NFS “Server Not Responding” Message” on page 276. 

If the server is down, wait until it comes back up, or, if the directory 

was mounted with the intr mount option (the default), you can 

interrupt the NFS mount, usually with CTRL-C. 

❏ If the program uses file locking, issue the following commands (on 

either the client or the server) to make sure rpc.statd and 

rpc.lockd are available and responding to RPC requests: 

/usr/bin/rpcinfo -u servername status 

/usr/bin/rpcinfo -u servername llockmgr 

/usr/bin/rpcinfo -u servername nlockmgr 

/usr/bin/rpcinfo -u clientname status 

/usr/bin/rpcinfo -u clientname llockmgr 

/usr/bin/rpcinfo -u clientname nlockmgr 

If any of these commands returns RPC_TIMED_OUT, the rpc.statd or 

rpc.lockd process may be hung. Follow these steps to restart 

rpc.statd and rpc.lockd: 

1. Issue the following commands, on both the NFS client and the 

NFS server, to kill rpc.statd and rpc.lockd (PID is a process ID 

returned by the ps command): 

/usr/bin/ps -ef | /usr/bin/grep rpc.statd 


/usr/bin/ps -ef | /usr/bin/grep rpc.lockd 


2. Issue the following commands, on both the client and the server, to 

remove the contents of the sm and sm.bak directories: 

/usr/bin/rm -r /etc/sm 

/usr/bin/rm -r /etc/sm.bak 

3. Issue the following commands to restart rpc.statd and 

rpc.lockd on both the client and the server: 

/usr/sbin/rpc.statd 

/usr/sbin/rpc.lockd 

NOTE 

Always start rpc.statd before starting rpc.lockd. 

Chapter 8 287



4. Issue the following commands to verify that rpc.statd, 

rpc.lockd, and nfsd are all running and responding to RPC 

requests: 

/usr/bin/rpcinfo -u servername status 

/usr/bin/rpcinfo -u servername llockmgr 

/usr/bin/rpcinfo -u servername nlockmgr 

/usr/bin/rpcinfo -u servername nfs 

/usr/bin/rpcinfo -u clientname status 

/usr/bin/rpcinfo -u clientname llockmgr 

/usr/bin/rpcinfo -u clientname nlockmgr 

/usr/bin/rpcinfo -u clientname nfs 

5. Wait two minutes before retrying the mount that caused the 

program to hang. 

6. If the problem persists, restart rpc.statd and rpc.lockd, and 

turn on tracing. See “To Start and Stop Detailed Logging of 

rpc.statd and rpc.lockd” on page 327 and “To Start and Stop Basic 

Logging of rpc.statd and rpc.lockd” on page 328. 

288 

Chapter 8



If Data is Lost Between the Client and the Server 

❏ Make sure the directory is exported from the server with the noasync 

option (the default). If the directory is exported with the async 

option, the NFS server will acknowledge NFS writes before actually 

writing data to disk. Changing an exported directory from async to 

noasync degrades write performance for that directory. 

❏ If users or applications will be writing to the NFS-mounted directory, 

make sure it is mounted with the hard option (the default), rather 

than the soft option. 

❏ If you have a small number of NFS applications that require absolute 

data integrity, add the O_SYNC flag to the open() calls in your 

applications. When you open a file with the O_SYNC flag, a write() 

call will not return until the write request has been sent to the NFS 

server and acknowledged. The O_SYNC flag degrades write 

performance for applications that use it. 

❏ If you have a large number of NFS applications requiring absolute 

data integrity, or if your entire installation needs a high degree of 

data integrity, set the NUM_NFSIOD variable to 0 in the 

/etc/rc.config.d/nfsconf file on each client, as follows, 

NUM_NFSIOD=0 

and issue the following commands to kill all the biod processes (PID 

is a process ID returned by the ps command): 

/usr/bin/ps -ef | /usr/bin/grep biod 

/usr/bin/kill PID PID ... 

The biod daemons improve performance by handling NFS read and 

write requests from users and applications. After a write request is 

passed to a biod daemon, control is returned to the user or 

application. Running a client without biod daemons degrades NFS 

performance for all users and applications on that client. 

❏ If multiple NFS users will be writing to the same file, add the 

lockf() call to your applications to lock the file so that only one user 

may modify it at a time. 

If multiple users on different NFS clients will be writing to the file, 

you must also turn off attribute caching on those clients by mounting 

the file with the noac mount option. Turning off attribute caching 

degrades NFS performance. 

Chapter 8 289



For more information, see the following man pages: mount(1M), open(2), 

write(2), lockf(2), and biod(1M). 

If You Cannot Start New Processes 

❏ Issue the following command to check your server’s memory 

utilization: 

netstat -m 

If the number of requests for memory denied is high, your server 

does not have enough memory. Consider adding more memory or 

using a different host as the NFS server. 

❏ Issue the ps -ef command on the NFS server, and check for many 

instances of the same application. Sometimes an application clones 

itself indefinitely until it uses up all the available inodes on a system. 

❏ The default maximum number of inodes shipped with HP-UX tends 

to be too small for sites that make extensive use of NFS. Follow this 

procedure to increase the maximum number of inodes on your NFS 

server: 

1. Log in as root to the NFS server. 

2. Type /usr/sbin/sam to start SAM (System Administration 

Manager). 

3. Open Kernel Configuration. 

4. Open Configurable Parameters. 

5. Highlight the line that begins with ninode, and choose Modify 

Configurable Parameter from the Actions menu. 

6. Increase the value in the Formula/Value field, either by changing 

the constant multiplier in the formula or replacing the formula 

with a value. If your ninode value is currently set to the default 

(606), try changing it to 2048. 

7. Use SAM to regenerate the kernel and reboot the system. 

For more information on using SAM, choose SAM’s Help button, or press 

the F1 key for context-sensitive help. 

290 

Chapter 8



If You Receive a “Too Many Levels of Remote in Path” 

Message 

This message indicates that you are attempting to mount a directory 

from a server that has NFS-mounted the directory from another server. 

You cannot “chain” your NFS mounts this way. You must mount the 

directory from the server that has it mounted on a local disk. 

Chapter 8 291


Common Problems with NIS 


This section lists the following common problems encountered with NIS 


• If You Receive an NIS “Server Not Responding” Message, see 

page 293. 

• If a User Cannot Log In, see page 294. 

• If You Receive an “Unknown Host” Message, see page 296. 

• If an NIS Client Cannot Bind to a Server, see page 298. 

• If NIS Returns Incorrect Information, see page 299. 

292 

Chapter 8



If You Receive an NIS “Server Not Responding” 

Message 

❏ Issue the /usr/sbin/ping(1M) command on the NIS client to make 

sure the NIS server is up and is reachable on the network. If the ping 

command fails, either the server is down, or the network has a 

problem. If the server is down, reboot it, or wait for it to come back up. 

For information on troubleshooting network problems, see Installing 

and Administering LAN/9000 Software. 

To boot your NIS client without waiting for the server to come up, 

boot the client in single user mode, set NIS_CLIENT=0 in the 

/etc/rc.config.d/namsvrs file, then boot your client the rest of the 

way up. 

❏ Issue the domainname command (with no arguments) on both the NIS 

server and the NIS client to check whether their domain names are 

the same. If they are different, log in as root to the NIS client and 

issue the following command to change its domain name: 

domainname domainname 

❏ Issue the ps -ef command on the NIS server to check whether 

ypserv is running. If it is not, follow these steps: 

1. In the /etc/rc.config.d/namesvrs file on the NIS server, make 

sure the following variables are set: 

NIS_MASTER_SERVER=1 

2. Issue the following command to start up the NIS server: 


❏ Make sure an NIS server exists on the same subnet as the NIS client. 

The client broadcasts its bind request, and it binds to the first server 

that responds to the request. Broadcasts do not cross gateways or 

routers, so the server must be on the same subnet as the client in 

order to receive the bind request. If you cannot configure an NIS 

server on the same subnet as your NIS clients, see “To Bind an NIS 

Client to a Server on a Different Subnet” on page 177. 

Chapter 8 293



If a User Cannot Log In 

❏ If the user has recently changed passwords, ask the user to try 

logging in with the old password. If the user can log in using the old 

password, follow these steps: 

1. Issue the ps -ef command on the NIS master server to make sure 

the yppasswdd daemon is running. If it is not, issue the following 

command to start all the NIS server processes: 


2. Check the cron scripts on the slave servers to make sure transfers 

of the passwd map from the master server are frequent enough. 

Once per hour is usually frequent enough, but frequent map 

transfers may cause too much network traffic. You might want to 

schedule map transfers for late at night, and advise users to make 

their password changes just before they go home. 

❏ Issue the following command on the NIS client to determine which 

master server supplies the passwd map to the client: 

/usr/bin/ypwhich -m passwd 

If the server does not respond, see “If You Receive an NIS “Server Not 

Responding” Message” on page 293. 

If the ypwhich command returns the name of the NIS master server, 

log in as root to the master server and make sure the user has an 

entry in its /etc/passwd file. Then, issue the following commands on 

the master server to generate the NIS passwd database from the 

/etc/passwd file and push it to the NIS slave servers: 

cd /var/yp 

/usr/ccs/bin/make passwd 

❏ Issue the domainname command (with no arguments) to make sure 

the client’s default domain is the domain served by the NIS master 

server. If it is not, log in as root to the NIS client, and issue the 

following command to change its domain name: 


❏ Issue the following command to check whether the NIS client has an 

entry in the passwd database on the NIS server to which it is bound: 

/usr/bin/ypmatch username passwd 

If the client has no entry in the passwd database, issue the following 

294 

Chapter 8



command on the NIS server to which the client is bound: 

/usr/sbin/ypxfr passwd 

This command transfers the passwd database from the NIS master 

server to the server where you issue the command. 

❏ If the user’s NIS client is bound to a slave server, make sure the slave 

server is listed in the NIS master server’s ypservers database. 

Follow these steps: 

1. Issue the following command on the NIS client to determine which 

server the client is bound to: 


2. Log into the NIS master server, and issue the following command: 


3. Issue the following command on the NIS master server to write 

the contents of the ypservers database to a temporary file: 


4. If the NIS slave server is not listed in tempfile, use a text editor 

to add it, and then issue the following command to rebuild the 

ypservers database: 


❏ If you are using NIS compat mode, make sure the NIS escape entry in 

the /etc/passwd file on the client does not have an asterisk in the 

password field. On HP systems, the NIS escape entry in the 

/etc/passwd file should be 

+::-2:60001::: 

Chapter 8 295



If You Receive an “Unknown Host” Message 

❏ Issue the following command to trace a lookup of the unknown host: 

/usr/contrib/bin/nsquery hosts hostname 

The trace will indicate which name services (BIND, NIS, NIS+, or 

/etc/hosts) were queried and in what order. If your host is not 

performing lookups the way you want, see “Configuring the Name 

Service Switch” on page 253 for instructions on configuring the Name 

Service Switch. 


master server supplies the hosts map: 

/usr/bin/ypwhich -m hosts 



If the ypwhich command returns the name of the NIS master server, 

log in as root to the master server and make sure the unknown host is 

listed in its /etc/hosts file. Then, issue the following commands on 

the master server to generate the NIS hosts database from the 

/etc/hosts file and push it to the NIS slave servers: 

cd /var/yp 

/usr/ccs/bin/make hosts 



server. If it is not, log in as root to the NIS client and issue the 



❏ Issue the following command to check whether the unknown host is 

listed in the hosts database on the NIS server to which the client is 

bound: 

/usr/bin/ypmatch hostname hosts 

If the host is not listed in the hosts database, issue the following 

command on the NIS server to which the client is bound: 

/usr/sbin/ypxfr hosts 

This command transfers the hosts database from the NIS master 

server to the server where you issue the command. 

296 

Chapter 8



❏ If the NIS client is bound to a slave server, make sure the slave server 

is listed in the NIS master server’s ypservers database. Follow these 

steps: 




2. Log in as root to the NIS master server and issue the following 

command to change to the directory where the domain databases 

reside: 


3. On the NIS master server, issue the following command to write 







Chapter 8 297



If an NIS Client Cannot Bind to a Server 

If NIS commands return any of the following messages, 

ypcat: can’t bind to an NIS server for domain domainname 

ypmatch: can’t match key. 

reason: can’t communicate with ypbind 

ypwhich: clntudp_create error RPC_PROG_NOT_REGISTERED 

then ypbind is not running on the client. Issue the following command to 

start all the NIS client processes: 


298 

Chapter 8



If NIS Returns Incorrect Information 


master server supplies the appropriate NIS map: 

/usr/bin/ypwhich -m mapname 



❏ Log in as root to the NIS master server, and issue the following 

command to check the contents of the appropriate NIS map: 


If the map contents are not correct, edit the ASCII file from which the 

map is generated. Then issue the following commands to regenerate 

the map and push it to the slave servers: 

cd /var/yp 

/usr/ccs/bin/make mapname 



server. If it is not, log in as root to the NIS client, and issue the 



❏ Issue the following command on the NIS client to check the contents 

of the map on the NIS server to which the client is bound: 


If the contents are not correct, log in as root to the server that serves 

the NIS client, and issue the following command: 

/usr/sbin/ypxfr mapname 

This command transfers the map from the NIS master server to the 

server where you issue the command. 

❏ If the NIS client is bound to a slave server, make sure the slave server 

is listed in the NIS master server’s ypservers database. Follow these 

steps: 




Chapter 8 299



2. Log in as root to the NIS master server and issue the following 

command to change to the directory where the domain databases 

reside: 


3. On the NIS master server, issue the following command to write 







❏ Make sure the slave servers have cron scripts that schedule regular 

updates of the map. 

300 

Chapter 8


Common Problems with NIS+ 


This section lists the following common problems encountered with NIS+ 


• If NIS+ Cannot Find an Object, see page 302. 

• If You Have Authentication or Permissions Problems, see page 304. 

• If You Have Insufficient Memory or Disk Space, see page 307. 

• If You Receive an “Unable to Fork” Message, see page 308. 

• If a User Cannot Log In, see page 309. 

• If nisping -C Fails or Transaction Logs Are Not Truncated, see 

page 311. 

• If a Replica Update Fails, see page 312. 

• If You Receive an “Illegal Object Type” Message, see page 312. 

• If You Receive a “Could Not Bind to Server” Message, see page 313. 

• If You Receive a “Generic System Error” or “Possible Loop Detected” 

Message, see page 313. 

• If You Receive a “Corrupt Log” or “Corrupt Database” Message, see 

page 314. 

Appendix A lists the NIS+ error messages, along with their causes and 

the actions you can take to correct them. 

Chapter 8 301



If NIS+ Cannot Find an Object 

❏ Make sure you typed the name of the object correctly and specified 

the correct path. The path to a system table must include “org_dir.” 

The path to an NIS+ group must include “groups_dir,” unless it is an 

argument to the nisgrpadm command, which cannot find a group if 

you include “groups_dir” in its path. 

❏ Make sure the value of the NIS_PATH variable includes the domain 

where the object resides. If the NIS_PATH variable is not set, the 

default search path is the default domain and all domains up to the 

root domain. See “To Change the Search Order of Domains” on page 

223. 

❏ If you are logged into a non-root server, and you are searching for an 

object in the domain the server serves, specify the full path name of 

the object, including the domain. A non-root server is a client of its 

parent domain, and any searches initiated from the server will search 

the server’s parent domain by default. 

❏ Make sure any fully qualified names end with a period. If a name 

does not end with a period, NIS+ appends a domain name to it. 

❏ Make sure the object exists. Issue the nisls -l directory 

command, where directory is the directory where the object should 

exist. 

❏ If the object was created recently, the replica servers might not have 

been updated yet. You can issue the nisping(1M) command to 

synchronize the replica servers, or you can just wait a few minutes for 

the replicas to synchronize themselves automatically. 

❏ If the object is configured in an automounter map, use the niscat(1) 

command to make sure your automounter maps contain the proper 

information. If the source files or NIS maps used to build the NIS+ 

tables contained periods in their names, NIS+ cannot build the tables 

correctly. Before you run nissetup(1M) or nisserver(1M) to set up 

an NIS+ master server, replace periods in automounter map names 

with underbars. For example, if your master map is called 

auto.master, rename it to auto_master. 

❏ Issue the nisls -l command in the directory where the object should 

exist, and look closely to make sure the object name does not begin 

with a blank. If you type an extra space before the object name when 

you create an object, some NIS+ commands take the space as part of 

the object name. Rename the object, or remove it and recreate it 

302 

Chapter 8



without the extra space. 

❏ A table or log file may have been corrupted. Restore the file from your 

most recent backup. 

❏ If you have changed the name of a domain, many NIS+ operations 

will fail, because the old domain name is embedded in objects 

throughout the domain. Do not change the name of an existing 

domain. If you have already done so, change the name back to the 

original. To rename a domain, create a new domain, initialize clients 

in the new domain, and then remove the old domain. 

Chapter 8 303



If You Have Authentication or Permissions Problems 

❏ Issue the following command to determine whether you are 

authenticated: 

niscat passwd.org_dir 

If you are authenticated, you should be able to see the encrypted 

password field for your user ID. If you are not authenticated, the 

password field for your user ID will display *NP*. 

❏ If you are not authenticated, try to keylogin using your login 

password. If that does not work, try the password “nisplus”. If that 

does not work, try your most recent login password. 

❏ If the error you see is “Password does not decrypt sectet key,” you can 

probably fix it by issuing the keylogin command. This error is 

normal if you are running in a secure environment where a user’s 

login password and secure RPC password are different. Users whose 

login and secure RPC password should be the same can fix this error 

by performing a keylogin and then issuing the following command: 

/usr/lib/nis/nisclient -u 

❏ If you are a root user on an NIS+ replica server, and you cannot 

become authenticated, recreate the credentials for the replica, then 

remove and add the replica. See “To Create New Credentials for an 

Existing NIS+ Principal” on page 236, “To Remove a Replica Server 

from an NIS+ Domain” on page 246, and “To Set Up NIS+ Replica 

Servers” on page 208. 

❏ If you are a root user on the root master server, and you cannot 

become authenticated, recreate the credentials for the root master 

server. See “To Create New Credentials for the Root Master Server” 

on page 237. 

❏ Use the niscat(1) or nismatch(1) command to make sure the cred 

table contains credentials for you. If necessary, log in as an 

authenticated user and issue the nisaddcred(1M) command to create 

credentials for your NIS+ principal. 

❏ Issue the niscat -o command to check the ownership and 

permissions on the object you are trying to access. If necessary, use 

the nischmod(1) command to modify the permissions on the object. 

If you must be a member of an NIS+ group to access the object, issue 

the nisgrpadm -l command to make sure your NIS+ principal name 

304 

Chapter 8



is included in the group. If necessary, use the nisgrpadm(1) command 

to add your principal name to the group. 

❏ Issue the ps -ef command to make sure the keyserv(1M) daemon is 

running. If it is not, start it. Make sure automount, rpc.nisd, and 

sendmail are running. If they are not, start them. 

❏ If you changed the root password with the nispasswd command, log 

in as a user with modify permission for the passwd and cred tables, 

and change the root password back. To change the root password, 

issue the passwd command followed by the chkey -p command. 

CAUTION 

You can change the root password on the root master server, but do not 

change the public or private key on the root master server. The root 

master server’s keys are embedded in every directory object on every 

client, replica server, and subdomain server. 

❏ Make sure the NIS+ hosts table does not contain a host with the 

same name as the user. If a host has the same name as a user, one 

credential will overwrite the other, and either the user or the root 

user will no longer be able to perform a keylogin. (The keylogin is 

performed automatically when a user logs in, if the user’s login 

password is the same as the user’s secure RPC password.) 

Use nismatch(1) to find the credentials for the user or host in the 

cred table. If both a Local and a DES credential exist, the credentials 

are for a non-root user. If only a DES credential exists, the credential 

is for a root user. If necessary, change the host name. (It is easier to 

change a host name than to change a user name.) You can set up an 

alias to map the host’s old name to the new name. 

NOTE 

When you are running nisaddcred or nisclient, if you see a Changing 

Key message instead of an Adding Key message, you have a duplicate 

user or host name in your domain. 

❏ If you have recently changed the default domain of a client host, 

remove the /etc/.rootkey file on the host and rerun the 

nisclient(1M) script to initialize the host. 

❏ If a user’s login password is different from the user’s secure RPC 

Chapter 8 305



password, the user must perform a keylogin after login in order to 

become authenticated. 

❏ If a user logs into a remote host that does not require a password, for 

example, because it has an entry for the user in a $HOME/.rhosts or 

/etc/hosts.equiv file, the user must perform a keylogin after login 

in order to become authenticated. 

❏ Make sure the publickey entry in the /etc/nsswitch.conf file is 

set to nisplus. 

❏ A user’s or host’s credentials may have become corrupted. If the user 

experiencing the problem is a non-root user, tell the user to issue the 

keylogout command followed by the keylogin command. If the user 

experiencing the problem is a root user, tell the root user to remove 

the /etc/.rootkey file and then issue the keylogout -f command 

followed by the keylogin -r command. 

❏ An out-of-date /etc/.rootkey file might exist. Use the ls -l 

command to compare the date on the /etc/.rootkey file with the 

date on the cred.org_dir table. If the /etc/.rootkey file is much 

older than the cred table, it could be out of date. Run keylogin -r as 

root on the problem host, and then reinitialize the host as an NIS+ 

client. 

❏ If your server is running at security level 0, and you try to run 

nispasswd to change your password, NIS+ will display an error 

message saying that you do not have secure RPC credentials for the 

domain. 

❏ If you have changed the name of a domain, many NIS+ operations 

will fail, because the old domain name is embedded in objects 

throughout the domain. Do not change the name of an existing 

domain. If you have already done so, change the name back to the 

original. To rename a domain, create a new domain, initialize clients 

in the new domain, and then remove the old domain. 

306 

Chapter 8



If You Have Insufficient Memory or Disk Space 

❏ As a short-term solution to free up memory, kill all unnecessary 

windows and processes. If necessary, exit your windowing system and 

work from the terminal command line. 

Use the ps -el command to check the size of running processes. 

Sometimes programs develop memory leaks and grow very large. If 

necessary, compare the size of processes on your host with processes 

on a host that is not having memory problems to determine whether 

the processes on your host are growing too large. 

❏ As a long-term solution, install more memory or swap space, or move 

your NIS+ server to a system that has more memory or swap space. 

❏ If you have a shortage of disk space, clean out the /tmp directory and 

remove any unnecessary files. Remove core files from the root 

directory and home directories. 

❏ If you do not checkpoint your transaction log regularly, it becomes 

very large. However, in order to checkpoint your transaction log, you 

need sufficient disk space to allow NIS+ to make a complete copy of 

the log before removing it. You might have to add disk space to your 

server before checkpointing the log. 

To checkpoint the log, issue the nisping -Ca command. If your 

transaction log is large, or if you have a large number of replica 

servers, the nisping command can take a long time. It is 

recommended that you create a cron job to run nisping -Ca every 

night while the network is not busy. 

Chapter 8 307



If You Receive an “Unable to Fork” Message 

❏ Kill any unnecessary processes on your server host. This message 

occurs when your host has run out of available processes. 

❏ If necessary, follow this procedure to increase the maximum number 

of inodes on your NIS+ server: 

1. Log in as root to the NIS+ server. 

2. Type /usr/sbin/sam to start SAM (System Administration 

Manager). 

3. Open Kernel Configuration. 

4. Open Configurable Parameters. 

5. Highlight the line that begins with ninode, and choose Modify 

Configurable Parameter from the Actions menu. 

6. Increase the value in the Formula/Value field, either by changing 

the constant multiplier in the formula or replacing the formula 

with a value. If your ninode value is currently set to the default 

(606), try changing it to 2048. 

7. Use SAM to regenerate the kernel and reboot the system. 

308 

Chapter 8



If a User Cannot Log In 

❏ Have the user issue the keylogin command using the user’s secure 

RPC password. In most cases, this password should be the same as 

the user’s login password. If the keylogin does not work, have the 

user try it with the password “nisplus.” If that doesn’t work, have the 

user try to keylogin with his or her most recent password. 

❏ If the user changed passwords with the passwd command, the user 

will not be able to log into an NIS+ host. The passwd command affects 

only the /etc/passwd file on the local host. Users must run 

nispasswd to change their passwords in the NIS+ passwd table. If 

your NIS+ server is running in NIS compatibility mode, users on NIS 

clients must issue the yppasswd command to change their passwords 

in the NIS+ passwd table. 

❏ After a user has changed passwords, there may be a delay before the 

new password is propagated through the domain. This delay can be 

as long as many minutes, depending on the size of your domain. The 

problem will probably resolve itself if you wait, or you can issue the 

nisping org_dir command to force the servers to resynchronize. 

❏ If the user is trying to log into a host in a remote domain, use 

nismatch(1) to make sure the remote domain has a Local credential 

for the user. Use nisaddcred(1M) to add a Local credential for the 

user if none exists. 

❏ Use the niscat(1) command to make sure your automounter maps 

contain the proper information. If the source files or NIS maps used 

to build the NIS+ tables contained periods in their names, NIS+ 

cannot build the tables correctly. Before you run nissetup(1M) or 

nisserver(1M) to set up an NIS+ master server, replace periods in 

automounter map names with underbars. For example, if your master 

map is called auto.master, rename it to auto_master. 

❏ If the /etc/nsswitch.conf file has been modified recently on the 

user’s host, reboot the host to make sure all processes are using the 

new configuration. 

❏ Make sure the NIS+ hosts table does not contain a host with the 

same name as the user. If a host has the same name as a user, one 

credential will overwrite the other, and either the user or the root 

user will no longer be able to perform a keylogin. (The keylogin is 

performed automatically when a user logs in, if the user’s login 

password is the same as the user’s secure RPC password.) 

Chapter 8 309



Use nismatch(1) to find the credentials for the user or host in the 

cred table. If both a Local and a DES credential exist, the credentials 

are for a non-root user. If only a DES credential exists, the credential 

is for a root user. If necessary, change the host name. (It is easier to 

change a host name than to change a user name.) You can set up an 

alias to map the host’s old name to the new name. 

NOTE 

When you are running nisaddcred or nisclient, if you see a Changing 

Key message instead of a Adding Key message, you have a duplicate 

user or host name in your domain. 

310 

Chapter 8



If nisping -C Fails or Transaction Logs Are Not 

Truncated 

❏ Issue the following command to check the update status of your 

replica servers: 

nisping -u 

❏ If you do not issue the nisping -Ca command regularly, your 

transaction log may grow too large, and you may not have enough 

disk space to checkpoint it. 

Make sure every master server in your namespace has a cron job that 

runs nisping -Ca at least once a day, during a time when the 

network is not busy. The following example crontab file runs 

nisping -Ca once a day, at 3:00 AM. It directs standard output and 

standard error from the nisping command to the file 


0 3 * * * /usr/lib/nis/nisping -Ca > /tmp/nisping.log 2&>1 



clear the transaction log. 

❏ The most common cause of a checkpoint failure is lack of swap or disk 

space. The checkpoint process creates a temporary copy of the 

transaction log before it truncates the log and removes the temporary 

copy. Check your available swap and disk space, and free up all that 

you can. Remove core files. If necessary, configure more swap space. 

❏ One or more replica servers may be down. Logs are not cleared on a 

master server until all replicas for the master’s domain have been 

updated. If a replica server is going to be down or out of service for a 

period of time, issue the nisrmdir -s command to remove it as a 

replica. 

❏ Make sure the /var/nis/hostname.log file exists. Make sure it is 

readable and that you are allowed to write to it. 

❏ Check for error messages in syslog. Appendix A lists the NIS+ error 

messages, their causes, and the actions you can take to resolve them. 

Chapter 8 311



If a Replica Update Fails 

❏ The master server might be busy, or another replica might be 

performing an update. The update is usually rescheduled 

automatically and retried later. 

❏ The server might be out of child processes to allocate. See “If You 

Receive an “Unable to Fork” Message” on page 308. 

❏ A read-only process might have been requested to dump. 

Usually, problems with replica updates solve themselves. Check the 

system log on the replica server and the master server for more 

information. 

If You Receive an “Illegal Object Type” Message 

❏ You may have attempted to create a table with no searchable 

columns. See “To Create an NIS+ Table” on page 240. 

❏ A database operation may have returned the error code 

DB_BADOBJECT. Type man 3N nis_db for a list of error codes and their 

meanings. 

❏ You may have tried to add or modify an object with a length of zero. 

❏ You may have tried to perform an NIS+ directory operation on an 

object that was not a directory. 

❏ You may have tried to link an NIS+ directory to a LINK object. 

❏ You may have specified an NIS+ object that was not a group in the 

nisgrpadm command or in another NIS+ group operation. 

❏ You may have tried to perform an NIS+ table operation on an object 

that was not a table. 

312 

Chapter 8



If You Receive a “Could Not Bind to Server” Message 

❏ Issue the following command to make sure your default domain name 

does not end with a period: 

domainname 

❏ In the /etc/rc.config.d/namesvrs file, make sure the value of the 

NIS_DOMAIN variable does not end with a period. 

If You Receive a “Generic System Error” or “Possible 

Loop Detected” Message 

❏ Make sure you are specifying the correct domain for the operation you 

are trying to perform. 

Remember that non-root servers are clients of the directory above the 

one they serve. If you do not specify a domain when you perform an 

operation on a server, the operation is performed on the default domain, 

in which the server is a client. To perform an operation on the domain 

the server serves, specify the domain name in the command, or set the 

NIS_PATH variable so that the first domain in the list is the domain the 

server serves. See “To Change the Search Order of Domains” on page 

223. 

Chapter 8 313



If You Receive a “Corrupt Log” or “Corrupt Database” 

Message 

❏ Issue the following command to determine whether you have multiple 

independent rpc.nisd processes running: 

ps -ef | grep nisd 

In normal operation, rpc.nisd may spawn child rpc.nisd processes, 

and this causes no problem. However, if two parent rpc.nisd 

processes are running on the same host at the same time, they will 

overwrite each other’s data and corrupt logs and databases. (Two 

parent rpc.nisd processes can be running only if someone started 

one by hand.) 

If you have more than one parent rpc.nisd process running, issue 

the kill -9 processID command to kill all but one of them, and 

then issue the ps -ef command again to make sure only one parent 

process remains. If you are running rpc.nisd in NIS compatibility 

mode (with the -Y or -B option), kill all independent 

rpc.nisd_resolv processes as well. 

If an NIS+ table is corrupt, restore it from your most recent backup 

that contains an uncorrupted version. You can then use your 

transaction logs to update the table with any changes that occurred 

since the backup was made. However, if the transaction log is also 

corrupt, you must recreate your NIS+ environment. You can do this in 

one of two ways: 

1. Restore the /var/nis directory and the /etc/.rootkey file from a 

backup. 

2. Recreate the NIS+ environment all over again, either from current 

/etc files or from flat files, if you have been backing up your 

databases to flat files. 

314 

Chapter 8


Performance Tuning 


This section gives suggestions for identifying performance problems in 

your network and improving NFS performance on your servers and 

clients. It contains the following sections: 

• To Diagnose NFS Performance Problems, see page 316. 

• To Improve NFS Server Performance, see page 318. 

• To Adjust the Number of nfsd Processes, see page 320. 

• To Improve NFS Client Performance, see page 321. 

• To Improve NIS+ Performance, see page 323. 

Chapter 8 315



To Diagnose NFS Performance Problems 

1. Issue the following command on several of your NFS clients: 

nfsstat -rc 

2. If the timeout and retrans values displayed by nfsstat -rc are 

high, but the badxid value is close to zero, packets are being dropped 

before they get to the NFS server. 

Try decreasing the values of the wsize and rsize mount options to 

4096 or 2048 on the NFS clients. See “To Change the Default Mount 

Options” on page 43. 

See Installing and Administering LAN/9000 Software for 

information on troubleshooting LAN problems. 

3. If the timeout and badxid values displayed by nfsstat -rc are of 

the same magnitude, your server is probably slow. Client RPC 

requests are timing out and being retransmitted before the NFS 

server has a chance to respond to them. 

See “To Improve NFS Server Performance” on page 318. 

Try doubling the value of the timeo mount option on the NFS clients. 

See “To Change the Default Mount Options” on page 43. 

4. If the null value displayed by nfsstat -rc is greater than 1%, the 

automounter is trying too frequently to mount a directory from 

multiple servers. It sends out null procedure calls to all the 

configured servers and mounts the directory from the server that 

answers first. 

Increase the time between mount attempts by adding the -tm 60 

option to the AUTO_OPTIONS variable in /etc/rc.config.d/nfsconf, 

as follows: 

AUTO_OPTIONS=”-f $AUTO_MASTER -tm 60” 

Then, restart the automounter. See “To Restart the Automounter” on 

page 83. 

Continue to increase the value of the -tm parameter until the null 

value displayed by nfsstat is less than 1%. 

5. Issue the following command on any machine on the network: 

netstat -i 

The number of collisions (Coll) divided by the number of output 

316 

Chapter 8



packets (Opkts) is the collision rate. If your collision rate is greater 

than 10%, consider dividing your network into smaller segments and 

putting an NFS server on each segment. See Installing and 

Administering LAN/9000 Software for information on dividing your 

network. 

Chapter 8 317



To Improve NFS Server Performance 

❏ Issue the following command to check your server’s memory 

utilization: 

netstat -m 

If the number of requests for memory denied is high, your server 

does not have enough memory, and NFS clients will experience poor 

performance. Consider adding more memory or using a different host 

as the NFS server. 

❏ Put heavily used directories on different disks on your NFS servers so 

they can be accessed in parallel. 

❏ Make sure your server is running the correct number of nfsd 

processes. See “To Adjust the Number of nfsd Processes” on page 320. 

❏ Issue the following command on the NFS server: 

vmstat -n 

If the us and sy values under cpu are high, and the id (idle time) 

value under cpu is close to zero, your server’s CPU is heavily loaded. 

Try using a faster machine as your NFS server. Do not use a gateway 

or a terminal server as an NFS or NIS server. 

❏ Issue the following command to determine which processes are using 

the most CPU: 

/usr/bin/top 

The top program sorts the processes running on your system, with 

the most CPU-intensive process at the top of the display. It refreshes 

the display every five seconds. Try taking some CPU-intensive 

processes off the server. 

Type q to exit the top program. 

❏ Log into the NFS server and issue the following command: 

nfsstat -s 

If the number of readlink calls is of the same magnitude as the 

number of lookup calls, you have a symbolic link in a file system that 

is frequently traversed by NFS clients. 

On the NFS clients that require access to the linked directory, mount 

the target of the link. Then, remove the link from the exported 

directory on the server. 

318 

Chapter 8



When a client requests access to a linked file or directory, two 

requests are sent to the server: one to look up the path to the link, 

and another to look up the target of the link. You can improve NFS 

performance by removing symbolic links from exported directories. 

CAUTION 

Do not remove symbolic links in an NFS diskless environment. File 

sharing in NFS diskless is done by means of symbolic links. 

❏ If the value of getattr displayed by nfsstat -s is greater than 60%, 

one or more clients have either turned off attribute caching (with the 

noac mount option) or set the caching timeout values too low. 

Increase the attribute caching timeouts on the clients that have them 

set below the default values. See “To Change the Default Mount 


❏ Export directories with the async option. When async is specified, 

the server acknowledges write requests from clients before writing 

data to disk. Clients do not have to wait for a write request to 

complete before issuing another request. 

Chapter 8 319



To Adjust the Number of nfsd Processes 

1. Issue the following command on the NFS server: 

netstat -s 

If the UDP statistics displayed by the netstat command indicate a 

large number of socket overflows, as in the following example, then 

your server is not running enough nfsd daemons. 

udp: 

0 incomplete headers 

0 bad data length fields 

0 bad checksums 

1375 socket overflows 

2. To increase the number of nfsd daemons running, change the value of 

the NUM_NFSD variable in the /etc/rc.config.d/nfsconf file, as in 


NUM_NFSD=8 

3. Issue the following command to start more nfsd processes: 

/usr/sbin/nfsd number 

4. Issue the netstat -s command again to check the number of socket 

overflows. Continue to adjust the NUM_NFSD value and start nfsd 

processes until the number of new socket overflows is close to zero. 

(The output of nfsstat is cumulative, so when there are no new 

socket overflows, the number will stay the same.) 

As a general rule, an NFS server should run approximately two nfsd 

daemons for each entry in the /etc/exports file. 

For more information, type man 1M nfsd at the HP-UX prompt. 

320 

Chapter 8



To Improve NFS Client Performance 

❏ Issue the ps -ef command to make sure four biod processes are 

running on each client. To start four biod processes, set the 

NUM_NFSIOD variable to 4 in the /etc/rc.config.d/nfsconf file, 

and issue the following command: 

/usr/sbin/biod 4 

NOTE 

If your performance bottleneck is a slow server, increasing the number of 

biod processes beyond four will not improve NFS performance, and it 

might make it worse. 

❏ For files and directories that are mounted read-only and never 

change, set the actimeo mount option to 120 or greater in the 

/etc/fstab file on your NFS clients. See “To Change the Default 


❏ If you see several “server not responding” messages within a few 

minutes, try doubling the value of the timeo mount option in the 

/etc/fstab file on your NFS clients. See “To Change the Default 


❏ If you frequently see the following message when attempting access 

to a soft-mounted directory, 

NFS operation failed for server servername: Timed out 

try increasing the value of the retrans mount option in the 

/etc/fstab file on the NFS clients. Or, change the soft mount to an 

interruptible hard mount, by specifying the hard and intr options 

(the defaults). See “To Change the Default Mount Options” on page 

43. 

❏ Type the following command on the NFS server, to find out the block 

size of the server’s file system: 

/usr/sbin/tunefs -v devicefilename 

On the NFS clients, set the wsize and rsize mount options to the 

bsize value displayed by tunefs. See “To Change the Default Mount 


❏ On the NFS clients, look in the /etc/fstab file for “stepping-stone” 

mounts (hierarchical mounts), as in the following example: 

Chapter 8 321



thyme:/usr /usr nfs defaults 0 0 

basil:/usr/share /usr/share nfs defaults 0 0 

sage:/usr/share/lib /usr/share/lib nfs defaults 0 0 

Wherever possible, change these “stepping-stone” mounts so that 

whole directories are mounted from a single NFS server. 

Stepping-stone (hierarchical) mounts, like the one in the example 

above, cause more NFS requests than mounts from a single server. In 

the example, if a client wants access to something in 

/usr/share/lib, a request must be sent to server thyme, then to 

server basil, and finally to server sage. 

322 

Chapter 8



To Improve NIS+ Performance 

❏ Issue the following command to check the size of your transaction log: 

/usr/lib/nis/nislog | head -10 

If your transaction log is fully checkpointed, it will contain only three 

entries. If it contains many entries, issue the following command to 

checkpoint it: 

nisping -Ca 

❏ The nisping -C command can cause a long delay if your namespace 

is large. Do not reboot the system. Do not reenter the nisping 

command. This problem will solve itself. Just wait until the server 

finishes checkpointing. 

❏ Make sure your NIS_PATH environment variable is set to something 

clean and simple, like org_dir.$:$. A complex NIS_PATH value, 

particularly one that contains a variable, will slow your system and 

may cause some operations to fail. See “To Change the Search Order 

of Domains” on page 223. 

❏ Concatenation paths in tables slow performance. If performance is a 

problem in your NIS+ namespace, do not use concatenation paths. 

See “To Create or Remove Paths Among Tables” on page 242. 

❏ Make sure you have 10 or fewer replica servers per domain. 

❏ NIS+ groups that contain other groups (recursive groups) slow NIS+ 

performance. If performance is a problem in your NIS+ namespace, 

do not use recursive NIS+ groups. See “To Add or Remove Members of 

an NIS+ Group” on page 244. 

❏ Large transaction logs slow NIS+ performance, particularly at system 

startup. If your transaction logs are large, or if you have just run the 

nispopulate script to populate your domain tables, issue the 

nisping -Ca command to checkpoint your directories. Make sure 

your master server has a cron job scheduled to issue the nisping 

-Ca command daily. Type man 1 crontab for information. 

❏ Issue the ps -ef command to make sure nis_cachemgr is running on 

every NIS+ client host. Start it if it is not. Type man 1M 

nis_cachemgr for information. 

❏ An NIS+ lookup command like niscat returns the error message 

Server busy. Try again. 

Chapter 8 323



for one of the following reasons: 

• The server is busy synchronizing and checkpointing its directories. 

Just wait until the server is finished checkpointing and try the 

command again. 

• The server is out of swap or disk space. Increase the swap space on 

the server, and then checkpoint the server’s directories with 

nisping -Ca. 

324 

Chapter 8


Logging and Tracing of NFS Services 


This section tells you how to start the following tools: 

• NFS Logging 

• Automounter Logging 

• Automounter Tracing 

• Logging for the Other NFS Services 

• NIS Logging 

• NIS+ Logging 

• Logging With nettl and netfmt 

• Tracing With nettl and netfmt 

Chapter 8 325



NFS Logging 

You can configure logging for the following NFS daemons: 

• rpc.mountd 

• rpc.statd 

• rpc.lockd 

Each message logged by these daemons can be identified by the date, 

time, host name, process ID, and name of the daemon that generated the 

message. You can direct logging messages from all these NFS daemons to 

the same file. 

To Control the Size of Log Files 

Log files grow without bound, using up disk space. You might want to 

create a cron job to truncate your log files regularly. Following is an 

example crontab entry that empties the log file at 1:00 AM every 

Monday, Wednesday, and Friday: 

0 1 * * 1,3,5 cat /dev/null > log_file 

For more information, type man 1M cron or man 1 crontab at the 

HP-UX prompt. 

326 

Chapter 8



To Start and Stop rpc.mountd Logging 

1. Issue the following commands to kill the rpc.mountd process and 

restart it with logging turned on (PID is a process ID returned by the 


ps -ef | grep mountd 

kill PID 

/usr/sbin/rpc.mountd -l /var/adm/mountd.log 

2. If you want rpc.mountd to log mount requests and mount failures as 

well as errors, add the -t2 option to the rpc.mountd command, as in 


/usr/sbin/rpc.mountd -l /var/adm/mountd.log -t2 

3. To stop logging, kill rpc.mountd and restart it without the -l 

logfile and -t2 options. 

If you do not specify the -l or-t option, rpc.mountd logs only errors to 

/var/adm/mountd.log. If this file does not exist, rpc.mountd creates it. 

rpc.mountd can share the same log file with the other NFS daemons. 

For more information, type man 1M mountd at the HP-UX prompt. 

To Start and Stop Detailed Logging of rpc.statd and rpc.lockd 

To start detailed logging of rpc.statd and rpc.lockd while they are 

running, issue the following commands (PID is a process ID returned by 

the ps command): 

/usr/bin/ps -ef | /usr/bin/grep rpc.statd 

/usr/bin/kill -SIGUSR2 PID 

/usr/bin/ps -ef | /usr/bin/grep rpc.lockd 

/usr/bin/kill -SIGUSR2 PID 

The SIGUSR2 signal sets the logging to level 3 (the most detailed level). 

The logging for rpc.statd is appended to the file 

/var/adm/rpc.statd.log. The logging for rpc.lockd is appended to 

the file /var/adm/rpc.lockd.log. 

To stop detailed logging of rpc.statd and rpc.lockd, issue the same 

commands listed above to send the SIGUSR2 signal to the processes. The 

SIGUSR2 signal is a toggle that turns logging on or off, depending on its 

current state. 

For more information, type man 1M statd or man 1M lockd at the 

HP-UX prompt. 

Chapter 8 327



To Start and Stop Basic Logging of rpc.statd and rpc.lockd 

To start basic logging of rpc.statd and rpc.lockd (just errors, 

warnings, startup, and shutdown), issue the following commands (PID is 

a process ID returned by the ps command): 

ps -ef | grep lockd 

kill PID 

ps -ef | grep statd 

kill PID 

/usr/sbin/rpc.statd -l /var/adm/rpc.statd.log 

/usr/sbin/rpc.lockd -l /var/adm/rpc.lockd.log 

NOTE 

Always start rpc.statd before starting rpc.lockd. 

To stop basic logging of rpc.statd and rpc.lockd, kill them and restart 

them without the -l logfile option. 

The rpc.statd and rpc.lockd daemons can share the same log file with 

the other NFS daemons. 

For more information, type man 1M lockd or man 1M statd at the 

HP-UX prompt. 

328 

Chapter 8



Automounter Logging 

Automounter logs messages through /usr/sbin/syslogd. By default, 

syslogd writes messages to the file /var/adm/syslog/syslog.log. 

Type man 1M syslogd for more information on syslogd. 

For explanations of the automounter log messages, type man 1M 

automount. 

To Start Automounter Logging 

1. Log in as root to the NFS client. 



















CAUTION 

Do not kill the automounter with -SIGKILL (-9). The SIGKILL signal can 

cause any currently automounted directories to become inaccessible 

until you reboot your system. 

6. Issue the following command to start the automounter with logging 

enabled: 

Chapter 8 329



/usr/sbin/automount options -v 





/usr/sbin/automount $AUTO_OPTIONS -v 

To Stop Automounter Logging 

To stop automounter logging, kill the automounter and restart it (as 

described in the previous section), except start it without the -v option. 

330 

Chapter 8



Automounter Tracing 

Two levels of automounter tracing are available: 

Detailed (level 3) Includes traces of all automounter requests and 

replies, mount attempts, timeouts, and unmount 

attempts. You can start level 3 tracing while the 

automounter is running. 

Basic (level 1) Includes traces of all automounter requests and 

replies. You must restart the automounter to start level 

1 tracing. 

To Start and Stop Automounter Detailed Tracing 


2. Issue the following commands (PID is the process ID returned by the 



kill -SIGUSR2 PID 

Level 3 tracing is appended to the file /var/adm/automount.log. 

To stop level 3 tracing, issue the same commands listed above to send the 

SIGUSR2 signal to the automounter. The SIGUSR2 signal is a toggle that 

turns tracing on or off depending on its current state. 

If you have basic (level 1) tracing turned on when you send the SIGUSR2 

signal to the automounter, the SIGUSR2 signal turns tracing off. 

To Start and Stop Automounter Basic Tracing 


2. Add “2> tracefile” to the AUTO_OPTIONS variable in the 

/etc/rc.config.d/nfsconf file, as in the following example: 

AUTO_OPTIONS=”-f $AUTO_MASTER 2> /var/adm/automount.log” 

This change redirects standard error to the file 

/var/adm/automount.log. Automounter basic trace output is sent to 

standard error. 




Chapter 8 331


















CAUTION Do not kill the automounter with -SIGKILL (-9). 

7. Issue the following command to start the automounter with tracing 

enabled: 

/usr/sbin/automount options -T 





/usr/sbin/automount $AUTO_OPTIONS -T 

To stop automounter logging, kill the automounter and restart it (as 

described in the previous section), except start it without the -T option. 

332 

Chapter 8



Logging for the Other NFS Services 

You can configure logging for the following NFS services: 

• rpc.rexd 

• rpc.rstatd 

• rpc.rusersd 

• rpc.rwalld 

• rpc.sprayd 

Logging is not available for the rpc.quotad daemon. 


time, host name, process ID, and name of the function that generated the 

message. You can direct logging messages from all these NFS services to 









HP-UX prompt. 

To Configure Logging for the Other NFS Services 

1. Add the -l logfile option to the lines in /etc/inetd.conf for the 

services you want to log. In the following example, logging is turned 

on for rpc.rexd and rpc.rstatd: 


rpc.rexd -l /var/adm/rpc.log 

rpc dgram udp wait root /usr/lib/netsvc/rstat/rpc.rstatd \ 

100001 1-3 rpc.rstatd -l /var/adm/rpc.log 

2. Issue the following command to restart inetd: 


If you do not specify a log file for the other NFS services (with the -l 

Chapter 8 333



option), they do not log any messages. The NFS services can all share the 

same log file. 

Type man 1M rexd for descriptions of the messages logged by the 

rpc.rexd daemon. 

For more information, see the following man pages: rexd(1M), 

rstatd(1M), rusersd(1M), rwalld(1M), and sprayd(1M). 

334 

Chapter 8



NIS Logging 

You can configure logging for the following NIS processes: 

• ypxfr 

• ypserv 

• ypbind 

• yppasswdd 


time, host name, process ID, and name of the function that generated the 

message. You can direct logging messages from all these NIS daemons to 









HP-UX prompt. 

To Stop and Start Logging of ypxfr 

If ypxfr is run interactively from the command line, it logs messages to 

standard output. If ypxfr is run by cron or by yppush, it logs messages 

to the file /var/yp/ypxfr.log, if the file exists. To start logging of 

ypxfr, issue the following command to make sure the 

/var/yp/ypxfr.log file exists: 

/usr/bin/touch /var/yp/ypxfr.log 

To stop logging of ypxfr, remove the ypxfr.log file: 

/usr/bin/rm /var/yp/ypxfr.log 

You cannot redirect the logging output of ypxfr. 

For more information, see the following man pages: ypxfr(1M), 

cron(1M), and yppush(1M). 

Chapter 8 335



To Start and Stop Logging of ypserv 

By default, the ypserv daemon logs messages to the file 

/var/yp/ypserv.log, if it exists. To start logging of ypserv, issue the 

following command to make sure the /var/yp/ypserv.log file exists: 

/usr/bin/touch /var/yp/ypserv.log 

To stop logging of ypserv, remove the ypserv.log file: 

/usr/bin/rm /var/yp/ypserv.log 

If you want to direct ypserv logging to a different file, follow these steps: 

1. Add the -l logfile option to the YPSERV_OPTIONS variable in 

/etc/rc.config.d/namesvrs, as in the following example: 

YPSERV_OPTIONS=”-l /var/yp/nis_log” 

2. Issue the following commands to restart ypserv (PID is the process 

ID returned by the ps command): 

ps -ef | grep ypserv 

kill PID 

/usr/lib/netsvc/yp/ypserv options 

options is the list of options configured in the YPSERV_OPTIONS 

variable in the /etc/rc.config.d/namesvrs file. You can also source 

the /etc/rc.config.d/namesvrs file, and then enter the ypserv 


/usr/lib/netsvc/yp/ypserv $YPSERV_OPTIONS 

If you specify a log file with the -l option, ypserv can share the same log 

file with the other NIS daemons. 

For more information, type man 1M ypserv at the HP-UX prompt. 

To Configure ypbind Logging 

1. Add the -l logfile option to the YPBIND_OPTIONS variable in 


YPBIND_OPTIONS=”-l /var/yp/nis_log” 

2. Issue the following commands to restart ypbind (PID is the process 

ID returned by the ps command): 

ps -ef | grep ypbind 

kill PID 

/usr/lib/netsvc/yp/ypbind options 

336 

Chapter 8



options is the list of options configured in the YPBIND_OPTIONS 


the /etc/rc.config.d/namesvrs file, and then enter the ypbind 


/usr/lib/netsvc/yp/ypbind $YPBIND_OPTIONS 

If you do not specify a log file for ypbind (with the -l option), it logs 

messages to the system console, /dev/console. The ypbind daemon can 

share the same log file with the other NIS daemons. 

For more information, type man 1M ypbind at the HP-UX prompt. 

To Configure yppasswdd Logging 

1. Add the -l logfile option to the YPPASSWDD_OPTIONS variable in 


YPPASSWDD_OPTIONS=”-l /var/yp/nis_log” 

2. Issue the following commands to restart yppasswdd (PID is the 


ps -ef | grep yppasswdd 

kill PID 

/usr/lib/netsvc/yp/rpc.yppasswdd options 

options is the list of options configured in the YPPASSWDD_OPTIONS 


the /etc/rc.config.d/namesvrs file, and then enter the yppasswdd 


/usr/lib/netsvc/yp/rpc.yppasswdd $YPPASSWDD_OPTIONS 

For more information, type man 1M yppasswdd at the HP-UX prompt. 

Chapter 8 337



NIS+ Logging 

You can log the activities of the NIS+ rpc.nisd daemon with the -A and 

-v options. 

1. On the NIS+ server, add the -A or -v option to the RPC_NISD_OPTIONS 

variable, as in the following example: 

RPC_NISD_OPTIONS=”$EMULYP -v” 

2. Issue the following commands to restart rpc.nisd: 

/sbin/init.d/nisplus.server stop 

/sbin/init.d/nisplus.server start 

3. To stop NIS+ logging, remove the -v and -A options from the 

RPC_NISD_OPTIONS variable, and issue the commands in step 2 to 

restart rpc.nisd. 

The -v option causes rpc.nisd to send a running narration of what it is 

doing to syslogd. Messages are logged at LOG_INFO priority. 

The -A option logs NIS+ authentication activities to syslogd with 

LOG_INFO priority. 

You might have to modify your /etc/syslog.conf file to allow messages 

of LOG_INFO priority to be logged. 

For more information, type man 1M syslogd or man 1M nisd at the 

HP-UX prompt. 

338 

Chapter 8



Logging With nettl and netfmt 

1. Issue the following command to make sure nettl is running: 

/usr/bin/ps -ef | grep nettl 

If nettl is not running, issue the following command to start it: 

/usr/sbin/nettl -start 

2. Issue the following command to start logging: 

/usr/sbin/nettl -l i w e d -e all 

The logging classes are specified following the -l option. They are i 

(informational), w (warning), e (error), and d (disaster). Disaster 

logging is always on. You cannot turn it off. Information logging (i) 

fills up your log file faster than the other classes, so you might want to 

leave it off. 

3. Recreate the event you want to log. 

4. Issue the following command to turn logging off: 

/usr/sbin/nettl -l d -e all 

This command changes the logging class back to disaster only for all 

subsystems. 

5. Issue the following command to format the binary log file: 

/usr/sbin/netfmt -lN -f /var/adm/nettl.LOG00 > 

formatted_file 

where formatted_file is the name of the file where you want the 

formatted output from netfmt. The default log file, 

/var/adm/nettl.LOGnn, is specified in the nettl configuration file, 

/etc/nettlgen.conf. If the file /var/adm/nettl.LOG00 does not 

exist on your system, the default log file may have been changed in 

/etc/nettlgen.conf. 

NIS+ logging is not supported by nettl. 

For more information, type man 1M nettl or man 1M netfmt. 

Chapter 8 339



Tracing With nettl and netfmt 

1. Issue the following command to make sure nettl is running: 

/usr/bin/ps -ef | grep nettl 

If nettl is not running, issue the following command to start it: 

/usr/sbin/nettl -start 

2. Issue the following command to start tracing: 

/usr/sbin/nettl -tn pduin pduout loopback -e all -s 1024 \ 

-f tracefile 

3. Recreate the event you want to trace. 

4. Issue the following command to turn tracing off: 

/usr/sbin/nettl -tf -e all 

5. Create the following filter file for netfmt: 

filter ip_saddr remote_host_IP_address 

filter ip_daddr remote_host_IP_address 

filter rpcprogram nfs 

filter rpcprogram nlockmgr 

filter rpcprogram llockmgr 

filter rpcprogram status 

filter rpcprogram mount 

filter rpcprogram rpcbind 

remote_host_IP_address is the IP address of the host with which 

your host was communicating when the event you want to trace 

occurred. 

6. Issue the following command to format the binary trace file: 

/usr/sbin/netfmt -c filter_file -lN -f tracefile.TRC0 > 

formatted_file 

where tracefile is the name of the file you specified when you 

started tracing, and formatted_file is the name of the file where 

you want the formatted output from netfmt. 

NIS+ tracing is not supported by nettl. 

For more information, type man 1M nettl or man 1M netfmt. 

340 

Chapter 8


Normal System Startup 


This section explains the system startup sequence and how the NFS, 

NIS, and NIS+ daemons are started up in a normal system boot. 

1. The /sbin/rc script sources all the files in the /etc/rc.config.d 

directory. The files in /etc/rc.config.d contain environment 

variables that control the startup and behavior of various processes. 

2. The /sbin/rc script runs the scripts in the directories /sbin/rc0.d, 

/sbin/rc1.d, /sbin/rc2.d, /sbin/rc3.d, and /sbin/rc4.d, in that 

order. 

The scripts in the /sbin/rcn.d directories are named 

SNNNscriptname, where NNN is a sequence number, and scriptname 

is the name of a startup script in the /sbin/init.d directory. Each of 

these scripts is actually a link to a startup script in /sbin/init.d. 

The /sbin/rc script runs them in order by sequence number. 

Following is a partial listing of the /sbin/rc2.d directory: 

lrwxr-xr-x 1 root ... S400nfs.core -> 

/sbin/init.d/nfs.core 

lrwxr-xr-x 1 root ... S406nisplus.server -> 

/sbin/init.d/nisplus.server 

lrwxr-xr-x 1 root ... S408nisplus.client -> 

/sbin/init.d/nisplus.client 

lrwxr-xr-x 1 root ... S410nis.server -> 

/sbin/init.d/nis.server 

lrwxr-xr-x 1 root ... S420nis.client -> 

/sbin/init.d/nis.client 

lrwxr-xr-x 1 root ... S430nfs.client -> 

/sbin/init.d/nfs.client 

All the startup scripts for the NFS services are started at run level 2 

except the nfs.server script, which is started at run level 3. Table 

8-2 shows the NFS, NIS, and NIS+ startup scripts, in the order they 

are run at system startup. It lists the processes that each script starts 

and the files and environment variables in /etc/rc.config.d that 

influence their behavior. 

All of the startup scripts start rpcbind if it is not already started, but 

Chapter 8 341



Table 8-2 

only one rpcbind process should be running at once. 

Startup Scripts for the NFS Services 

Startup 

script in 

/sbin/init.d 

Processes started 

Related file in 

/etc/rc.config.d 

Environment variable 

used 

nfs.core rpcbind(1M) none none 

nisplus.server 

rpcbind(1M) 

domainname(1) 

keyserv(1M) 

rpc.nisd(1M) 

rpc.nispasswdd(1M) 

namesvrs 

NISPLUS_SERVER 

NIS_DOMAIN 

KEYSERV_OPTIONS 

RPC_NISD_OPTIONS 

RPC_NISPASSWDD_OPTION 

S 

nisplus.client 

rpcbind(1M) 

domainname(1) 

keyserv(1M) 

nis_cachemgr(1M) 

namesvrs 

NISPLUS_CLIENT 

NIS_DOMAIN 


NIS_CACHEMGR_OPTIONS 

nis.server 

rpcbind(1M) 

domainname(1) 

ypserv(1M) 

ypxfrd(1M) 

yppasswdd(1M) 

ypupdated(1M) 

keyserv(1M) 

namesvrs 

NIS_MASTER_SERVER 

NIS_SLAVE_SERVER 

NIS_DOMAIN 

YPSERV_OPTIONS 

YPPASSWDD_OPTIONS 


YPUPDATED_OPTIONS 

YPXFRD_OPTIONS 

nis.client 

rpcbind(1M) 

domainname(1) 

ypbind(1M) 

keyserv(1M) 

namesvrs 

NIS_CLIENT 

NIS_DOMAIN 

WAIT_FOR_NIS_SERVER 

MAX_NISCHECKS 

YPBIND_OPTIONS 


YPSET_ADDR 

nfs.client 

rpcbind(1M) 

biod(1M) 

statd(1M) 

lockd(1M) 

automount(1M) 

mount(1M) 

swapon(1M) 

nfsconf 

NFS_CLIENT 

NUM_NFSIOD 

STATD_OPTIONS 

LOCKD_OPTIONS 

AUTOMOUNT 

AUTO_MASTER 

AUTO_OPTIONS 

342 

Chapter 8



Table 8-2 

Startup Scripts for the NFS Services 

Startup 

script in 

/sbin/init.d 

Processes started 

Related file in 

/etc/rc.config.d 

Environment variable 

used 

nfs.server 

rpcbind(1M) 

exportfs(1M) 

mountd(1M) 

nfsd(1M) 

statd(1M) 

lockd(1M) 

pcnfsd(1M) 

swapon(1M) 

nfsconf 

NFS_SERVER 

NUM_NFSD 

STATD_OPTIONS 

LOCKD_OPTIONS 

START_MOUNTD 

MOUNTD_OPTIONS 

PCNFS_SERVER 

Chapter 8 343



344 

Chapter 8

A 

NIS+ Error Messages 

Appendix A 345


This section lists alphabetically the more common NIS+ error messages. 

“Common Problems with NIS+” on page 301 describes various types of 

problems and their solutions. 

Error messages may appear in pop-up windows, shell tool command 

lines, user console window, the syslog file, or in log files. You can raise or 

lower the severity threshold level for reporting error conditions in your 

/etc/syslog.conf file. 

Some of the error messages documented in this chapter are documented 

more fully in the appropriate man pages. 

You may encounter error messages generated by Remote Procedure 

Calls. These RPC error messages are not documented here. 

In the most cases, the error messages that you see are generated by the 

commands you issued or the table or directory your command is 

addressing. However, in some cases an error message may be generated 

by a server invoked in response to your command. (These messages 

usually show in syslog.) For example, a “permission denied” message 

most likely refers to you or the host you are using, but it could also be 

caused by software on a server not having the correct permissions to 

carry out some function passed on to it by your command or your host. 

Similarly, some commands cause a number of different NIS+ objects to 

be searched or queried. Any one of these objects could return an error 

message regarding permissions, read-only state, not available, and so 

forth. In such cases the message may or may not be able to inform you of 

which object the problem occurred in. 

If you cannot trace the cause of an error message to your command or 

machine, consider the possibility that the message may have been 

generated by a server in response to your command or in response to 

some other NIS+ function. 

In normal operation, the NIS+ software and servers make routine NIS+ 

function calls. Sometimes those calls fail and in doing so generate an 

error message. It occasionally happens that before a client or server 

processes your most recent command, some other NIS+ call fails and you 

see the resulting error message. Such a message might appear as if it 

were in response to your command, when in fact it is in response to some 

other operation entirely. 

A single NIS+ error message may have slightly different meanings 

depending on which part of the NIS+ software generated the message. 

For example, when the message “Not found” is generated by the nisls 

346 

Appendix A


command, it means that there are no NIS+ objects that have the 

specified name, but when it is generated by the nismatch command it 

means that no table entries were found that meet the search criteria. 

The error messages in this appendix are sorted alphabetically according 

to the following rules: 

• Capitalization is ignored. Thus, messages that begin with “A” and “a” 

are alphabetized together. 

• Nonalphabetic symbols are ignored. Thus, a message that begins with 

_svcauth_des is listed with the other messages that begin with the 

letter “S”. 

• Many messages contain variable strings such as user IDs, domain 

names, host names, and so forth. Variables are ignored when sorting 

the messages. For example, the message Sales: is not a table 

would be listed in this appendix as name: is not a table and 

would be alphabetized under the letter ‘I’ for the first non-variable 

letter. 

• Error messages that begin with asterisks, such as **ERROR: 

domainname does not exist are generated by the NIS+ installation 

and setup scripts. They are alphabetized according to their first letter, 

ignoring the asterisks. 

abort_transaction: Failed to action NIS+_objectname 

The abort_transaction routine failed to back out of an incomplete 

transaction due to a server crash or some other unrecoverable error. 

abort_transaction: Internal database error 

abort_transaction: Internal error, log entry corrupt NIS+_objectname 

These two messages indicate corruption in a namespace database or log. 

add_cleanup: Cant allocate more rags. 

add_pingitem: Couldn’t add directoryname to pinglist (no memory) 

These messages indicate that your system is running low on available 

memory. See “If You Have Insufficient Memory or Disk Space” on page 

307. 

add_update: Attempt add transaction from read only child. 

add_update Warning: attempt add transaction from read only child 

An attempt by a read-only child rpc.nisd process to add an entry to a 

log. An occasional appearance of this message in a log is not serious. If 

this message appears frequently, call your HP support contact. 

Appendix A 347


Attempting to free a free rag! 

This message indicates a software problem with rpc.nisd. The 

rpc.nisd process should have aborted. Run ps -ef | grep rpc.nisd 

to see if rpc.nisd is still running. If it is, kill it and restart it. If it is not 

running, start it. If a core file was dumped in /var/nis, delete it. 

If you started rpc.nisd with the -Y or -B option, you must also kill the 

rpc.nisd_resolv daemon. 

Attempt to remove a non-empty table 

The nistbladm command has attempted to remove an NIS+ table that 

still contains entries. Or, nisrmdir has attempted to remove a directory 

that contains files or subdirectories. If you are trying to delete a 

directory, use nisls -lR to check for existing files or subdirectories and 

delete them first. If you are trying to delete a table, use nistbladm to 

delete any existing entries. 

This message is generated by the NIS+ error code constant 

NIS_NOTEMPTY. See the nis_tables(3N) man page for additional 

information. 

authdes_marshal: DES encryption failure 

DES encryption for some authentication data failed. Possible causes: 

• Corruption of a library function or argument. 

• A problem with a DES encryption chip if you are using one. 

Call your HP support contact for assistance. 

authdes_refresh: keyserv is unable to encrypt session key 

authdes_refresh: unable to encrypt conversation key 

The keyserv process was unable to encrypt the indicated key with the 

public key that it was given. See “If You Have Authentication or 

Permissions Problems” on page 304. 

authdes_refresh: unable to synchronize clock 

This indicates a synchronization failure between client and server clocks. 

This will usually correct itself. However, if this message is followed by 

any timestamp-related error, you should manually resynchronize the 

clocks. If the problem reoccurs, check that remote rpcbind is functioning 

correctly. 

348 

Appendix A


authdes_refresh: unable to synch up w/server 

The client/server clock synchronization has failed. This could be caused 

by the rpcbind process on the server not responding. Use ps -ef on the 

server to see if rpcbind is running. If it is not, restart it. If this error 

message is followed by any timestamp-related message, then you need to 

use date to manually resync the client clock to the server clock. 

authdes_seccreate: keyserv is unable to generate session key 

This indicates that keyserv was unable to generate a random DES key 

for this session. This requires some action on your part: 

• Check to make sure that keyserv is running properly. If it is not, 

restart it along with all other long-running processes, like automount, 

rpc.nisd, and sendmail, that use secure RPC or make NIS+ calls. 

Then do a keylogin. 

• Ifkeyserv is up and running properly, restart the process that logged 

this error. 

authdes_seccreate: no public key found for servername 

The client side cannot get a DES credential for the server named 

servername. This requires some action on your part: 

• Check to make sure that servername has DES credentials. If it does 

not, create them. 

• Check the /etc/nsswitch.conf file to see which name service is 

specified, and then make sure that service is responding. If it is not 

responding, restart it. 

authdes_seccreate: out of memory 

See “If You Have Insufficient Memory or Disk Space” on page 307. 

authdes_seccreate: unable to gen conversation key 

The keyserv process was unable to generate a random DES key. The 

most likely cause is that the keyserv process is down or otherwise not 

responding. Use ps -ef to check whether the keyserv process is 

running on the keyserv host. If it is not, then start it and then run 

keylogin. 

If restarting keyserv fails to correct the problem, it may be that other 

processes that use secure RPC or make NIS+ calls are not running (for 

example, automount, rpc.nisd, or sendmail). Check to see whether 

Appendix A 349


these processes are running, and if they are not, restart them. 

See “If You Have Authentication or Permissions Problems” on page 304. 

authdes_validate: DES decryption failure 

DES decryption for some authentication data failed. Possible causes: 

• Corruption of a library function or argument. 

• A problem with a DES encryption chip if you are using one. 

Call your HP support contact for assistance. 

authdes_validate: verifier mismatch 

The time stamp that the client sent to the server does not match the one 

received from the server. (This is not recoverable within a secure RPC 

session.) Possible causes: 

• Corruption of the session key or time stamp data in the client or 

server cache. 

• The server deleted from this cache a session key for a still active 

session. 

• Network data corruption. 

Try re-executing the command. 

CacheBind: xdr_directory_obj failed. 

The most likely causes for this message are the following: 

• Bad or incorrect parameters being passed to the xdr_directory_obj 

routine. Check the syntax and accuracy of whatever command you 

most recently entered. 

• An attempt to allocate system memory failed. See “If You Have 

Insufficient Memory or Disk Space” on page 307. 

• If your command syntax is correct, and your system does not seem to 

be short of memory, call your HP support contact. 

Cache expired 

The entry returned came from an object cache that has expired. This 

means that the time to live value has gone to zero and the entry may 

have changed. If the flag NO_CACHE was passed to the lookup function, 

then the lookup function will retry the operation to get an unexpired 

copy of the object. 

350 

Appendix A



NIS_CACHEEXPIRED. See the nis_tables(3N) and nis_names(3N) man 

pages for more information. 

Callback: - select failed message number 

CALLBACK_SVC: bad argument 

An internal system call failed. In most cases this problem will correct 

itself. If it does not correct itself, make sure that rpc.nisd has not been 

aborted. If it has, restart it. If the problem reoccurs frequently, call your 

HP support contact. 

Cannot grow transaction log error string-variable 

The system cannot add to the log file. The reason is indicated by the 

variable. The most common cause of this message is lack of disk space. 

See “If You Have Insufficient Memory or Disk Space” on page 307. 

Cannot truncate transaction log file 

An attempt has been made to checkpoint the log, and the rpc.nisd 

daemon is trying to shrink the log file after deleting the checkpointed 

entries from the log. See the ftruncate(2) man page for a description of 

various factors that might cause this routine to fail. See also “If You 

Have Insufficient Memory or Disk Space” on page 307. 

Cannot write one character to transaction log, error message 

An attempt has been made by the rpc.nisd daemon to add an update 

from the current transaction into the transaction log, and the attempt 

has failed for the reason given in the message which has been returned 

by the function. Additional information may be obtained from the write 

routine’s man page. 

Can’t compile regular expression variable 

Returned by the nisgrep command when the expression in keypat was 

malformed. 

Can’t find name’s secret key 

Possible causes are as follows: 

• You may have incorrectly typed the password. 

• There may be no entry for name in the cred table. 

• NIS+ could not decrypt the key (possibly because the entry might be 

corrupt). 

Appendix A 351


• The /etc/nsswitch.conf file may be directing the query to a local 

password in an /etc/passwd file that is different than the NIS+ 

password recorded in the cred table. 


checkpoint_log: Called from read only child ignored. 

This is simply a status message indicating that a read-only process 

attempted to perform an operation restricted to the parent process, and 

the attempt was aborted. No action need be taken. 

checkpoint_log: Unable to checkpoint, log unstable. 

An attempt was made to checkpoint a log that was not in a stable state. 

That is, the log was in a resync, update, or checkpoint state. Wait until 

the log is stable, and then rerun the nisping command. 

check_updaters: Starting resync. 

This is simply a system status message. No action need be taken. 

Child process requested to checkpoint! 

This message indicates a minor software problem that the system is 

capable of correcting. If these messages appear often, you can change the 

threshold level in your /etc/syslog.conf file. See the syslogd(1M) 

man page for details. 

Column not found: columnname 

The specified column does not exist in the specified table. 

Could not find name's secret key 





corrupt). 

• The /etc/nsswitch.conf file may have the wrong publickey policy. 

It may be directing the query to a local password in the /etc/passwd 

file that is different from the NIS+ password recorded in the cred 

table. 


352 

Appendix A


Could not generate netname 

The secure RPC software could not generate the secure RPC netname for 

your user ID when performing a keylogin. This could be due to the 

following causes: 

• You do not have Local credentials in the NIS+ cred table of the host’s 

home domain. 

• You have a local entry in /etc/passwd with a user ID that is different 

from the user ID you have in the NIS+ passwd table. 

String-variable: could not get secret key for 'name' 





corrupt). 

• The /etc/nsswitch.conf file may have the wrong publickey policy. 

It may be directing the query to a local password in an /etc/passwd 

file that is different from the NIS+ password recorded in the cred 

table. 


Couldn’t fork a process! 

The server could not fork a child process to satisfy a callback request. 

This is probably caused by your system reaching its maximum number of 

processes. You can kill some unneeded processes, or increase the number 

of processes your system can handle. See “If You Receive an “Unable to 

Fork” Message” on page 308. 

Couldn't parse access rights for column string-variable 

This message is usually returned by the nistbladm -u command when 

something other than a plus sign (+), a minus sign (-), or an equal sign 

(=) is entered as the operator. Other possible causes are failure to 

separate different column rights with a comma, or the entry of 

something other than r, d, c, or m for the type of permission. See the 

nistbladm(1) man page to check the syntax for this type of entry error. If 

everything is entered correctly and you still get this error, the table 

might have been corrupted. 

Appendix A 353


Database for table does not exist 

At attempt to look up a table has failed. See “If NIS+ Cannot Find an 

Object” on page 302. 


NIS_NOSUCHTABLE. See the nis_tables(3N) and nis_names(3N) man 

pages for additional information. 

_db_add: child process attempting to add/modify 

_db_addib: non-parent process attempting an add 

These messages indicate that a read-only or non-parent process 

attempted to add or modify an object in the database. In most cases, 

these messages do not require any action on your part. If these messages 

are repeated frequently, call your HP support contact. 

db_checkpoint: Unable to checkpoint string-variable 

This message indicates that for some reason NIS+ was unable to 

complete checkpointing of a directory. The most likely cause is that the 

disk is full. See “If You Have Insufficient Memory or Disk Space” on page 

307. 

_db_remib: non-parent process attempting a remove 

_db_remove: non-parent process attempting a remove 

These messages indicate that a read-only or non-parent process 

attempted to remove a table entry. In most cases, these messages do not 

require any action on your part. If these messages are repeated 

frequently, call your HP support contact. 

Do you want to see more information on this command? 

This indicates that there is some kind of syntax or spelling error on your 

script command line. 

Entry/Table type mismatch 

This occurs when an attempt is made to add or modify an entry in a 

table, and the entry passed is of a different type from the table (for 

example, if the number of columns is not the same). Check that your 

update correctly matches the table type. 


NIS_TYPEMISMATCH. See the nis_tables(3N) man page for additional 

information. 

**ERROR: chkey failed again. Please contact your network 

354 

Appendix A


administrator to verify your network password. 

This message indicates that you typed the wrong network password. 

• If this is the first time you are initializing this machine, contact your 

network administrator to verify the network password. 

• If this machine has been initialized before as an NIS+ client of the 

same domain, try typing the root login password at the secure RPC 

password prompt. 

• If this machine is currently an NIS+ client and you are trying to 

change it to a client of a different domain, remove the /etc/.rootkey 

file, and then rerun the nisclient script, using the network 

password given to you by your network administrator (or the network 

password generated by the nispopulate script). 

Error: Could not create a valid NIS+ coldstart file 

This message is from nisinit, the NIS+ initialization routine. It is 

followed by another message preceded by a string that begins 

“lookup:..”. This second message will explain why a valid NIS+ 

coldstart file could not be created. 

**ERROR: could not restore file filename 

This message indicates that NIS+ was unable to rename 

filename.no_nisplus to filename. 

Check your system console for system error messages. 

• If there is a system error message, fix the problem described in the 

error message and then rerun nisclient -i. 

• If there aren’t any system error messages, try renaming this file 

manually, and then rerun nisclient -i. 

**ERROR: Couldn’t get the server NIS+_server’s address. 

The script was unable to retrieve the server’s IP address for the specified 

domain. Manually add the IP address for the server NIS+_server into 

the /etc/hosts file, then rerun nisclient -i. 

**ERROR: directory directory-path does not exist. 

This message indicates that you typed an incorrect directory path. Type 

the correct directory path. 

Appendix A 355


**ERROR: domainname does not exist. 

This message indicates that you are trying to replicate a domain that 

does not exist. If domainname is spelled incorrectly, rerun the script with 

the correct domain name. 

**ERROR: parent-domain does not exist. 

This message indicates that the parent domain of the domain you typed 

on the command line does not exist. This message should appear only 

when you are setting up a non-root master server. 

• If the domain name is spelled incorrectly, rerun the script with the 

correct domain name. 

• If the domain’s parent domain does not exist, you have to create the 

parent domain first, and then you can create this domain. 

**ERROR: Don’t know about the domain “domainname”. Please check 

your domainname. 

This message indicates that you typed an unrecognized domain name. 

Rerun the script with the correct domain name. 

**ERROR: failed dumping tablename table. 

The script was unable to populate the cred table because the script did 

not succeed in dumping the tablename table. 

• If niscat tablename.org_dir fails, make sure that all the servers 

are operating, then rerun the script to populate the tablename table. 

• If niscat tablename.org_dir is working, the error may have been 

caused by the NIS+ server being temporarily busy. Rerun the script to 

populate the tablename table. 

**ERROR: host hostname is not a valid NIS+ principal in domain 

domainname. This host hostname must be defined in the credential table 

in domain domainname. Use nisclient -c to create the host credential 

A machine has to be a valid NIS+ client with proper credentials before it 

can become an NIS+ server. To convert a machine to an NIS+ root replica 

server, the machine first must be an NIS+ client in the root domain. 

Before you can convert a machine to an NIS+ non-root master or a 

replica server, the machine must be an NIS+ client in the parent domain 

of the domain that it plans to serve. See “To Set Up NIS+ Replica 

Servers” on page 208. 

356 

Appendix A


Error in accessing NIS+ cold start file is NIS+ installed? 

This message is returned if NIS+ is not installed on a machine, or if for 

some reason the file /var/nis/NIS_COLD_START could not be found or 

accessed. Check to see if there is a /var/nis/NIS_COLD_START file. If the 

file exists, make sure your path is set correctly and that NIS_COLD_START 

has the proper permissions. Then rename or remove the old coldstart file 

and rerun the nisclient script to install NIS+ on the machine. 

This message is generated by the cache manager that sends the NIS+ 

error code constant NIS_COLDSTART_ERR. See the write(2) and open(2) 

man pages for additional information on why a file might not be 

accessible. 

Error in RPC subsystem 

This fatal error indicates the RPC subsystem failed in some way. 

Generally, there will be a syslog message on either the client or server 

side indicating why the RPC request failed. 


NIS_RPCERROR. See the nis_tables(3N) and nis_names(3N) man pages 

for more information. 

**ERROR: it failed to add the credential for root. 

The NIS+ command nisaddcred failed to create the root credential when 

trying to set up a root master server. Check your system console for 

system error messages. 


error message and then rerun nisserver. 

• If there aren’t any system error messages, check to see whether the 

rpc.nisd process is running. If it is not running, restart it and then 

rerun nisserver. 

**ERROR: it failed to create the tables. 

The NIS+ command nissetup failed to create the directories and tables. 

Check your system console for system error messages. 


error message and rerun nisserver. 

• If there aren’t any system error messages, check to see whether the 

rpc.nisd process is running. If it is not running, restart it and rerun 

nisserver. 

Appendix A 357


**ERROR: it failed to initialize the root server. 

The NIS+ command nisinit -r failed to initialize the root master 

server. Check your system console for system error messages. If there is a 

system error message, fix the problem described in the error message 

and rerun nisserver. 

**ERROR: it failed to make the domainname directory 

The NIS+ command nismkdir failed to make the new directory 

domainname when running nisserver to create a non-root master. The 

parent domain does not have create permission to create this new 

domain. 

• If you are not the owner of the domain or a group member of the 

parent domain, rerun the script as the owner or as a group member of 

the parent domain. 

• If rpc.nisd is not running on the new master server of the domain 

that you are trying to create, restart rpc.nisd. 

**ERROR: it failed to promote new master for the domainname directory 

The NIS+ command nismkdir failed to promote the new master for the 

directory domainname when creating a non-root master with the 

nisserver script. 

• If you do not have modify permission in the parent domain of this 

domain, rerun the script as the owner or as a group member of the 

parent domain. 

• If rpc.nisd is not running on the servers of the domain that you are 

trying to promote, restart rpc.nisd on these servers and rerun 

nisserver. 

**ERROR: it failed to replicate the directory-name directory 

The NIS+ command nismkdir failed to create the new replica for the 

directory directory-name. 

• If rpc.nisd is not running on the master server of the domain that 

you are trying to replicate, restart rpc.nisd on the master server, 

and rerun nisserver. 

• If rpc.nisd is not running on the new replica server, restart it on the 

new replica and rerun nisserver. 

**ERROR: invalid group name. It must be a group in the root-domain 

domain. 

358 

Appendix A


This message indicates that you used an invalid group name while trying 

to configure a root master server. Rerun nisserver -r with a valid 

group name for root-domain. 

**ERROR: invalid name “client-name” It is neither an host nor an user 

name. 

This message indicates that you typed an invalid client name. 

• If the client-name was spelled incorrectly, rerun nisclient -c with 

the correct client-name. 

• If the client-name was spelled correctly, but it does not exist in the 

hosts or passwd table, put the client name into the hosts or passwd 

table and rerun nisclient -c. 

**ERROR: hostname is a master server for this domain. You cannot 

demote a master server to replica. If you really want to demote this 

master, you should promote a replica server to master using nisserver 

with the -M option. 

You cannot directly convert a master server to a replica server of the 

same domain. You can, however, change a replica to be the new master 

server of a domain by running nisserver -M with the replica host name 

as the new master. This automatically makes the old master a replica. 

**ERROR: missing hostnames or usernames. 

This messages indicates that you did not type the client names on the 

command line. Rerun nisclient -c with the client names. 

**ERROR: NIS+ group name must end with a “.” 

This message indicates that you did not specify a fully qualified group 

name ending with a period. Rerun the script with a fully qualified group 

name. 

Appendix A 359


**ERROR: NIS+ server is not running on remote-host. You must do the 

following before becoming a NIS+ server: 1. become a NIS+ client of 

the parent domain or any domain above the domain which you plan to 

serve. (nisclient) 2. start the NIS+ server. (rpc.nisd) 

This message indicates that rpc.nisd is not running on the remote 

machine that you are trying to convert to an NIS+ server. Use the 

nisclient script to become an NIS+ client of the parent domain or any 

domain above the domain you plan to serve. Start rpc.nisd on 

remote-host. 

**ERROR: nisinit failed. 

nisinit was unable to create the NIS_COLD_START file. 

Check the following: 

• Use ping(1M) to check that the NIS+ server that you specified with 

the -H option is running. 

• Make sure you typed the correct domain name. 

• Make sure rpc.nisd is running on the server. 

• Make sure the nobody class has read permission for this domain. 

**ERROR: NIS map transfer failed. tablename table will not be loaded. 

NIS+ was unable to transfer the NIS map for this table to the NIS+ 

database. 

• If the NIS server host is running, try running the script again. The 

error may have been due to a temporary failure. 

• If all tables have this problem, try running the script again using a 

different NIS server. 

**ERROR: no permission to create directory domainname 

The parent domain does not have create permission to create this new 

domain. If you are not the owner of the domain or a group member of the 

parent domain, rerun the script as the owner or as a group member of 

the parent domain. 

**ERROR: no permission to replicate directory domainname. 

This message indicates that you do not have permission to replicate the 

domain. Rerun the script as the owner or as a group member of the 

domain. 

360 

Appendix A


**ERROR: table tablename.org_dir. domain does not exist. “tablename 

table will not be loaded.” 

The script did not find the NIS+ table tablename. 

• If tablename is spelled incorrectly, rerun the script with the correct 

table name. 

• If the tablename table does not exist, and tablename is one of the 

standard NIS+ tables, use nissetup to create the table. Or use 

nistbladm to create the private table tablename. Then rerun the 

script to populate this table. 

• If the tablename table exists, the error may have been caused by the 

NIS+ server being temporarily busy. Rerun the script to populate this 

tablename table. 

**ERROR: this name “client-name” is in both the passwd and hosts 

tables. You cannot have an username same as the hostname. 

client-name appears in both the passwd and hosts tables. One name is 

not allowed to be in both of these tables. Manually remove the entry from 

either the passwd or hosts table. Then, rerun nisclient -c. 

**ERROR: You cannot use the -u option as a root user. 

This message indicates that the superuser tried to run nisclient -u. 

The -u option is for initializing ordinary users only. Superusers do not 

need to be initialized as NIS+ clients. 

**ERROR: You have specified the Z option after having selected the X 

option. Please select only one of these options [list]. Do you want to 

see more information on this command? 

The script you are running allows you to choose only one of the listed 

options. 

• Type y to view additional information. 

• Type n to stop the script and exit. 

After exiting the script, rerun it with just one of the options. 

**ERROR: you must specify a fully qualified groupname. 

This message indicates that you did not specify a fully qualified group 

name ending with a period. Rerun the script with a fully qualified group 

name. 

**ERROR: you must specify both the NIS domainname (-y) and the NIS 

Appendix A 361


server hostname (-h). 

This message indicates that you failed to type either the NIS domain 

name or the NIS server host name. Type the NIS domain name and the 

NIS server host name at the prompt or on the command line. 

**ERROR: you must specify one of these options: -c, -i, -u, -r. 

**ERROR: you must specify one of these options: -r, -M or -R 

**ERROR: you must specify one of these options: -C, -F, or -Y 

These messages indicate that a required option was missing from the 

command line. Rerun the script with the correct option. 

**ERROR: You must be root to use -i option. 

This message indicates that an ordinary user tried to run nisclient -i. 

Only the superuser has permission to run nisclient -i. 

Error while talking to callback proc 

An RPC error occurred on the server while it was calling back to the 

client. The transaction was aborted at that time and any unsent data 

was discarded. Check the syslog record on the server for more 

information. 


NIS_CBERROR. See the nis_tables(3N) man page for additional 

information. 

First/Next chain broken 

This message indicates that the connection between the client and server 

broke while a callback routine was posting results. This could happen if 

the server died in the middle of the process. 


NIS_CHAINBROKEN. 

Generic system error 

Some form of generic system error occurred while attempting the 

request. Check the syslog record on your system for error messages 

from the server. 

This message usually indicates that the server has crashed or the 

database has become corrupted. This message may also be generated if 

you incorrectly specify the name of a server or replica as if it belonged to 

the domain it was serving rather than the domain above. 


362 

Appendix A


NIS_SYSTEMERROR. See the nis_tables(3N) and nis_names(3N) man 


Illegal object type for operation 

The fields of the object do not conform to the fields of the table to which it 

is being added. This message is generated by the NIS+ error code 

constant DB_BADOBJECT. 

insufficient permission to update credentials. 

This message is generated by the nisaddcred command when you have 

insufficient permission to execute an operation. This could be insufficient 

permission at the table, column, or entry level. Use niscat -o 

cred.org_dir to determine what permissions you have for that cred 

table. If you need additional permission, you or the system administrator 

can change the permission requirements of the object with nischmod(1) 

or add you to a group that does have the required permissions with 

nisgrpadm(1). 


Invalid Object for operation 

• Name context: the name passed to the function is not a legal NIS+ 

name. 

• Table context: the object pointed to is not a valid NIS+ entry object for 

the given table. This could occur if it had a mismatched number of 

columns, or a different data type (for example, binary or text) from 

the associated column in the table. 


NIS_INVALIDOBJ. See the nis_tables(3N) and nis_names(3N) man 


tablename is not a table 

The object with the name tablename is not a table object. For example, 

the nisgrep and nismatch commands will return this error if the object 

you specify on the command line is not a table. 

invalid usecs Routine_name: invalid usecs 

This message is generated when the value in the tv_usecs field of a 

variable of type struct timestamp is larger than the number of 

microseconds in a second. This is usually due to some type of software 

error. 

Appendix A 363


Link Points to illegal name 

The passed name resolved to a LINK type object and the contents of the 

object pointed to an invalid name. 


NIS_LINKNAMEERROR. See the nis_tables(3N) and nis_names(3N) man 


Load limit of numeric-variable reached! 

An attempt has been made to create a child process when the maximum 

number of child processes has already been created on this server. This 

message is seen on the server’s system log, but only if the threshold for 

logging messages has been set to include LOG_WARNING level messages. 

login and keylogin passwords differ. 

This message is displayed when you are changing your password with 

nispasswd. The system has changed your password but has been unable 

to update your credentials in the cred table with the new password or to 

restore your original password in the passwd table. The message is 

followed by these instructions: 

Use NEW password for login and OLD password for keylogin. Use 

“chkey -p” to reencrypt the credentials with the new login 

password. You must keylogin explicitly after your next login. 

These instructions are then followed by a status message explaining why 

it was not possible to revert back to the old password. If you see these 

messages, be sure to follow the instructions as given. 

log_resync: Cannot truncate transaction log file 

An attempt has been made to checkpoint the log, and the rpc.nisd 

daemon is trying to shrink the log file after deleting the checkpointed 

entries from the log. See the ftruncate(2) man page for a description of 

various factors that might cause this routine to fail. See also “If nisping 

-C Fails or Transaction Logs Are Not Truncated” on page 311. 

Malformed Name or illegal name 

The name passed to the function is not a legal or valid NIS+ name. 

One possible cause is that someone changed an existing domain name. 

Existing domain names should not be changed. 


NIS_BADNAME. See the nis_tables(3N) man page for more information. 

364 

Appendix A


_map_addr: RPC timed out. 

A process or application could not contact NIS+ within its default time 

limit to get necessary data or resolve host names. In most cases, this 

problem will solve itself after a short wait. See “To Improve NIS+ 

Performance” on page 323 for information about performance problems. 

Master server busy full dump rescheduled 

This message indicates that a replica server has been unable to update 

itself with a full dump from the master server because the master is 

busy. See “If a Replica Update Fails” on page 312. 

String Missing or malformed attribute 

The name of an attribute did not match with a named column in the 

table, or the attribute did not have an associated value. 

This could indicate an error in the syntax of a command. The string 

should give an indication of what is wrong. Common causes are spelling 

errors, failure to correctly place the equal sign (=), an incorrect column or 

table name, and so forth. 


NIS_BADATTRIBUTE. See the nis_tables(3N) man page for additional 

information. 

Modification failed 

Returned by the nisgrpadm command when someone else modified the 

group during the execution of your command. Check to see who else is 

working with this group. Reissue the command. 


NIS_IBMODERROR. 

Modify operation failed 

The attempted modification failed for some reason. 


NIS_MODFAIL. See the nis_tables(3N) and nis_names(3N) man pages 


Name not served by this server 

A request was made to a server that does not serve the specified name. 

Normally this will not occur, however if you are not using the built in 

location mechanism for servers, you may see this if your mechanism is 

broken. 

Appendix A 365


Other possible causes are as follows: 

• Coldstart file corruption. Delete the /var/nis/NIS_COLD_START file 

and then reboot. 

• Cache problem such as the local cache being out of date. Kill the 

nis_cachemgr and remove /var/nis/NIS_SHARD_DIR_CACHE, and 

then reboot. If the problem is not in the root directory, you may be 

able to simply kill the domain cache manager and try the command 

again. 

• Someone removed the directory from a replica. 

This message is generated by the NIS+ error code constant NIS_NOT_ME. 

See the nis_tables(3N) and nis_names(3N) man pages for more 

information. 

Named object is not searchable 

The table name resolved to an NIS+ object that was not searchable. 


NIS_NOTSEARCHABLE. See the nis_tables(3N) man page for more 

information. 

Name/entry isn't unique 

An operation has been requested based on a specific search criterion that 

returns more than one entry (for example, if you used nistbladm -r to 

delete a user from the passwd table, and there were two entries in the 

table for that user name). 

You can apply your command to multiple entries by using the -R option 

to nistbladm instead of -r. 

NisDirCacheEntry::write: xdr_directory_obj failed 

The most likely causes for this message are the following: 



• If your system does not seem to be short of memory, call your HP 

support contact. 

366 

Appendix A


NIS+ operation failed 

This generic error message should be rarely seen. Usually it indicates a 

minor software problem that the system can correct on its own. If it 

appears frequently, or if it appears to indicate a problem that the system 

is not successfully dealing with, call your HP support contact. 

This message is generated by the NIS+ error code constant NIS_FAIL. 

String-variable: NIS+ server busy try again later. 

NIS+ server busy try again later. 

Try the command later. See “If a Replica Update Fails” on page 312 or 

“To Improve NIS+ Performance” on page 323. 

NIS+ server for string-variable not responding still trying 

NIS+ server not responding 

See “To Improve NIS+ Performance” on page 323. 

NIS+ server needs to be checkpointed. Use nisping -C domainname 

This message is generated at the LOG_CRIT level on the server’s system 

log. It indicates that the log is becoming too large. Use nisping -C 

domainname to truncate the log by checkpointing. Checkpoint 

immediately! Do not wait. 

See “If nisping -C Fails or Transaction Logs Are Not Truncated” on page 

311. 

NIS+ servers unreachable 

This soft error indicates that a server for the desired directory of the 

named table object could not be reached. This can occur when there is a 

network failure or the server has crashed. A new attempt may succeed. 

See the description of the HARD_LOOKUP flag in the nis_tables(3N) and 

nis_names(3N) man pages. 


NIS_NAMEUNREACHABLE. See the nis_tables(3N) and nis_names(3N) 

man pages for additional information. 

NIS+ service is unavailable or not installed 


NIS_UNAVAIL. 

NIS+: write ColdStart File: xdr_directory_obj failed 

The most likely causes for this message are as follows: 

Appendix A 367


• Bad or incorrect parameters. Check the syntax and accuracy of 

whatever command you most recently entered. 



If your command syntax is correct, and your system does not seem to be 

short of memory, call your HP support contact. 

nis_checkpoint_svc: readonly child instructed to checkpoint ignored. 

nis_dumplog_svc: readonly child called to dump log, ignored 

These are simply status messages indicating that a read-only process 



nis_dump_svc: load limit reached. 

The maximum number of child processes permitted on your system has 

been reached. See “If You Receive an “Unable to Fork” Message” on page 

308. 

nis_dump_svc: one replica is already resyncing. 

Only one replica can resync from a master at a time. Try the command 

later. See “If a Replica Update Fails” on page 312. 

nis_dump_svc: Unable to fork a process. 

The fork system call has failed. See “If a Replica Update Fails” on page 

312, or see the fork(2) man page. 

nis_mkdir_svc: readonly child called to mkdir, ignored 

nis_ping_svc: readonly child was pung ignored. 

nis_rmdir_svc: readonly child called to rmdir, ignored 

These are simply status messages indicating that a read-only process 



nisaddcred: no password entry for uid userid 

nisaddcred: unable to create credential. 

These two messages are generated during execution of the nispopulate 

script. The NIS+ command nisaddcred failed to add a Local credential 

for the user ID userid on a remote domain. This happens only when you 

are trying to populate the passwd table in a remote domain. 

To correct the problem, add a table path in the local passwd table: 

368 

Appendix A


# nistbladm -u -p passwd.org_dir.remote-domain passwd.org_dir 

The remote-domain must be the same domain that you specified with 

the -d option when you ran nispopulate. Rerun the script to populate 

the passwd table. 

No file space on server 

See “If You Have Insufficient Memory or Disk Space” on page 307. This 

message is generated by the NIS+ error code constant NIS_NOFILESPACE. 

No match 

This is most likely an error message from the shell, caused by failure to 

escape the brackets when specifying an indexed name. For example, 

failing to set off a bracketed indexed name with quote marks would 

generate this message because the shell would fail to interpret the 

brackets as shown below: 

# nistbladm -m shell=/bin/csh [name=miyoko],passwd.org_dir 

No match 

The correct syntax is as follows: 

# nistbladm -m shell=/bin/csh ’[name=miyoko],passwd.org_dir’ 

No memory 

Your system does not have enough memory to perform the specified 

operation. See “If You Have Insufficient Memory or Disk Space” on page 

307. 

No password entry for uid userid 

No password entry found for uid userid 

Both of these messages indicate that no entry for this user was found in 

the passwd table when trying to create or add a credential for that user. 

Before you can create or add a credential, the user must be listed in the 

passwd table. 

• The most likely cause is mistyping the user’s user ID on the command 

line. Check your command line for correct syntax and spelling. 

• Check that you are either in the correct domain or specifying the 

correct domain on the command line. 

• If the command line is correct, use nismatch to check the passwd 

table and make sure the user is listed under the user ID you are 

entering. 

Appendix A 369


If the user is not listed in the passwd table, use nistbladm or 

nisaddent to add the user to the passwd table before creating the 

credential. 

Non NIS+ namespace encountered 

The name could not be completely resolved. This usually indicates that 

the name passed to the function resolves to a namespace that is outside 

the NIS+ name tree. In other words, the name is contained in an 

unknown directory. When this occurs, this error is returned with an 

NIS+ object of type DIRECTORY. 


NIS_FOREIGNNS. See the nis_tables(3N) or nis_names(3N) man pages 


Not found 

String Not found 

Names context: the named object does not exist in the namespace. 

Table context: no entries in the table matched the search criteria. If the 

search criteria was null (return all entries), then this result means that 

the table is empty and may safely be removed. 

If the FOLLOW_PATH flag was set, this error indicates that none of the 

tables in the path contain entries that match the search criteria. 


NIS_NOTFOUND. See the nis_tables(3N) and nis_names(3N) man pages 


See also “If NIS+ Cannot Find an Object” on page 302. 

Not Found no such name 

This hard error indicates that the named directory of the table object 

does not exist. This could occur when the server that should be the 

parent of the server that serves the table does not know about the 

directory in which the table resides. 


NIS_NOSUCHNAME. See the nis_names(3N) and nis_names(3N) man pages 


See also “If NIS+ Cannot Find an Object” on page 302. 

370 

Appendix A


Not master server for this domain 

This message may mean that an attempt was made to directly update 

the database on a replica server. 

This message may also mean that a change request was made to a server 

that serves the name, but it is not the master server. This can occur 

when a directory object changes and it specifies a new master server. 

Clients that have cached copies of that directory object in their 

/var/nis/NIS_SHARD_DIR_CACHE file should run ps to obtain the 

process ID of the nis_cachemgr, kill the nis_cachemgr process, remove 

the /var/nis/NIS_SHARD_DIR_CACHE file, and then restart 

nis_cachemgr. 


NIS_NOTMASTER. See the nis_tables(3N) and nis_names(3N) man pages 


Not owner 

The operation you attempted can be performed only by the object’s 

owner, and you are not the owner. 


NIS_NOTOWNER. 

Object with same name exists 

An attempt was made to add a name that already exists. To add the 

name, first remove the existing name and then add the new name or 

modify the existing named object. 


NIS_NAMEEXISTS. See the nis_tables(3N) and nis_names(3N) man 


parse error: string-variable (key variable) 

This message is displayed by the nisaddent command when it attempts 

to use database files from an /etc directory and there is an error in one 

of the file’s entries. The first variable should describe the problem, and 

the variable after key should identify the particular entry at fault. If the 

problem is with the /etc/passwd file, you can use pwck(1M) to check it. 

Password does not decrypt secret key for name 



Appendix A 371




corrupt). 


password in an /etc/passwd file that is different from the NIS+ 



Partial Success 

This result is similar to NIS_NOTFOUND except that it means the request 

succeeded but resolved to zero entries. 

When this occurs, the server returns a copy of the table object instead of 

an entry so that the client may then process the path or implement some 

other local policy. 


NIS_PARTIAL. See the nis_tables(3N) man page for additional 

information. 

Passed object is not the same object on server 

An attempt to remove an object from the namespace was aborted because 

the object that would have been removed was not the same object that 

was passed in the request. 


NIS_NOTSAMEOBJ. See the nis_tables(3N) and nis_names(3N) man 


Permission denied 

Returned when you do not have the permissions required to perform the 

operation you attempted. See “If You Have Authentication or 

Permissions Problems” on page 304. 


NIS_PERMISSION. 

Probable success 

Name context: the request was successful; however, the object returned 

came from an object cache, and not directly from the server. If you do not 

wish to see objects from object caches, you must specify the flag 

NO_CACHE when you call the lookup function. 

372 

Appendix A


Table context: even though the request was successful, a table in the 

search path was not able to be searched, so the result may not be the 

same as the one you would have received if that table had been 

accessible. 


NIS_S_SUCCESS. See the nis_tables(3N) and nis_names(3N) man pages 


Probably not found 

The named entry does not exist in the table, however not all tables in the 

path could be searched, so the entry may exist in one of those tables. 


NIS_S_NOTFOUND. See the nis_tables(3N) man page for more 

information. 

Query illegal for named table 

A problem was detected in the request structure passed to the client 

library. 


NIS_BADREQUEST. See the nis_tables(3N) man page for additional 

information. 

replica_update: Child process attempting update, aborted 

This is simply a status message indicating that a read-only process 

attempted an update and the attempt was aborted. 

replica_update: error result was string 

This message indicates a problem (identified by the string) in carrying 

out a dump to a replica. See “If a Replica Update Fails” on page 312. 

replica_update: error result was Master server busy, full dump 

rescheduled 

replica_update: master server busy rescheduling the resync. 

replica_update: master server is busy will try later. 

replica_update: nis dump result Master server busy, full dump 

rescheduled 

These messages all indicate that the server is busy and the dump will be 

done later. 

Appendix A 373


replica_update: nis dump result nis_perror error string 

This message indicates a problem (identified by the error string) in 

carrying out a dump to a replica. See “If a Replica Update Fails” on page 

312. 

replica_update: number updates number errors 

A status message indicating a successful update. 

replica_update: WARNING: last_update (directoryname) returned 0! 

An NIS+ process could not find the last update timestamp in the 

transaction log for that directory. This will cause the system to perform a 

full resync of the problem directory. 

Results Sent to callback proc 

This is simply a status message. No action need be taken. 


NIS_CBRESULTS. See the nis_tables(3N) man page for additional 

information. 

root_replica_update: update failed string-variable: could not fetch 

object from master. 

This message indicates a problem in carrying out a dump to a replica. 

See “If a Replica Update Fails” on page 312. 

Security exception on local system. UNABLE TO MAKE REQUEST. 

This message may be displayed if a user has the same login ID as a 

machine name. See “If a User Cannot Log In” on page 309. 

Server busy, try again 

The server was too busy to handle your request. 

• For the add, remove, and modify operations, this message is returned 

when the master server for a directory is either unavailable or in the 

process of checkpointing its database. 

• This message can also be returned when the server is updating its 

internal state. 

• In the case of nis_list, this message can be returned if the client 

specifies a callback and the server does not have enough resources to 

handle the callback. 

Retry the command at a later time when the server is available. 

374 

Appendix A



NIS_TRYAGAIN. See the nis_tables(3N) and nis_names(3N) man pages 


Server out of memory 

In most cases this message indicates a fatal result. It means that the 

server ran out of heap space. See “If You Have Insufficient Memory or 

Disk Space” on page 307. 


NIS_NOMEMORY. See the nis_tables(3N) and nis_names(3N) man pages 


Success 

The request was successful. 


NIS_SUCCESS. See the nis_tables(3N) man page for additional 

information. 

_svcauth_des: bad nickname 

The nickname received from the client is invalid or corrupted, possibly 

due to network congestion. The severity of this message depends on what 

level of security you are running. At a low security level, this message is 

informational only; at a higher level, you may have to try the command 

again later. 

_svcauth_des: corrupted window from principal-name 

The window that was sent does not match the one sent in the verifier. 

The severity of this message depends on what level of security you are 

running. At a low security level, this message is primarily for your 

information; at a higher level you may have to try the command again at 

some later time or take corrective action as described below. 

Possible causes: 

• The server’s key pair has been changed. The client used the server’s 

old public key while the server has a new secret key cached with 

keyserv. Run keylogin on both client and server. 

• The client’s key pair has been changed and the client has not run 

keylogin on the client system so that system is still sending the 

client’s old secret key to the server, which is now using the client’s 

new public key. Naturally, the two do not match. Run keylogin again 

Appendix A 375


on both client and server. 

• Network corruption of data. Try the command again. If that does not 

work, investigate and correct any network problems. Then run 

keylogin again on both server and client. 

_svcauth_des: decryption failure for principal-name 

_svcauth_des: encryption failure 

DES decryption for some authentication data failed. Possible causes are 

as follows: 

• Corruption to a library function or argument. 

• A problem with a DES encryption chip, if you are using one. 



information; at a higher level, you may have to call your HP support 

contact for assistance. If the problem appears to be related to a DES 

encryption chip, call your HP support contact. 

_svcauth_des: invalid timestamp received from principal-name 

The time stamp received from the client is corrupted, or the server is 

trying to decrypt it using the wrong key. Possible causes are as follows: 

• Congested network. Retry the command. 

• Server cached out the entry for this client. Check the network load. 

_svcauth_des: key_decrypt 

sessionkey failed for principal-name 

The keyserv process failed to decrypt the session key with the given 

public key. Possible causes are as follows: 

• The keyserv process is dead or not responding. Use ps -ef to check 

whether the keyserv process is running on the keyserv host. If it is 

not, then restart it and run keylogin. 

• The server principal has not run keylogin. Run keylogin for the 

server principal. 

• The server principal (host) does not have credentials. Run nismatch 

hostname.domainname.cred.org_dir on the client’s home domain 

cred table. Create new credentials if necessary. 

• keyserv may have been restarted, in which case certain long-running 

applications, such as rpc.nisd, sendmail, and automount, also need 

376 

Appendix A


to be restarted. 

• DES encryption failure. Call your HP support contact. 

_svcauth_des: no public key for principal-name 

The server cannot get the client’s public key. Possible causes are as 

follows: 

• The principal has no public key. Run niscat on the cred table of the 

principal’s home domain. If there is no DES credential in that table 

for the principal, use nisaddcred to create one, and then run 

keylogin for that principal. 

• The name service specified by the /etc/nsswitch.conf file is not 

responding. 

_svcauth_des: replayed credential from principal-name 

The server has received a request and finds an entry in its cache for the 

same client name and conversation key with the time stamp of the 

incoming request before that of the one currently stored in the cache. 



information. At a higher level, you may have to take corrective action as 

described below. 


• The client and server clocks are out of sync. Use date to resync the 

client clock to the server clock. 

• The server is receiving requests in random order. This could occur if 

you are using multithreading applications. If your applications 

support TCP, then set /etc/netconfig (or your NETPATH 

environment variable) to tcp. 

Appendix A 377


_svcauth_des: timestamp is earlier than the one previously seen from 

principal-name 

The time stamp received from the client on a subsequent call is earlier 

than one seen previously from that client. The severity of this message 

depends on what level of security you are running. At a low security 

level, this message is primarily for your information; at a higher level, 

you may have some corrective action as described below. 


• The client and server clocks are out of sync. Use date to resynch the 

client clock to the server clock. 

• The server cached out the entry for this client. The server maintains a 

cache of information regarding the current clients. This cache size 

equals 64 client handles. 

_svcauth_des: timestamp expired for principal-name 

The time stamp received from the client is not within the default 

35-second window in which it must be received. The severity of this 

message depends on what level of security you are running. At a low 

security level, this message is primarily for your information; at a higher 

level you may have to take corrective action as described below. 


• The 35-second window is too small to account for slow servers or a 

slow network. 

• The client and server clocks are so far out of sync that the window 

cannot allow for the difference. Use date to resynchronize the client 

clock to the server clock. 

• The server has cached out the client entry. Retry the operation. 

Too Many Attributes 

The search criteria passed to the server had more attributes than the 

table had searchable columns. 


NIS_TOOMANYATTRS. See the nis_tables(3N) man page for additional 

information. 

378 

Appendix A


Unable to authenticate NIS+ client 

This message is generated when a server attempts to execute the 

callback procedure of a client and gets a status of RPC_AUTHERR from the 

RPC clnt_call. This is usually caused by out-of-date authentication 

information. Out-of-date authentication information can occur when the 

system is using data from a cache that has not been updated, or when 

there has been a recent change in the authentication information that 

has not yet been propagated to this server. In most cases, this problem 

should correct itself in a short period of time. 

If this problem does not correct itself, it may indicate one of the following 

problems: 

• Corrupted /var/nis/NIS_SHARD_DIR_CACHE file. Kill nis_cachemgr, 

remove this file, and restart nis_cachemgr. 

• Corrupted /var/nis/NIS_COLD_START file. Remove the file and then 

run nisinit to recreate it. 

• Corrupted /etc/.rootkey file. Run keylogin -r. 


NIS_CLNTAUTH. 

Unable to authenticate NIS+ server 

In most cases this is a minor software error from which your system 

should quickly recover without difficulty. It is generated when the server 

gets a status of RPC_AUTHERR from the RPC clnt_call. 

If this problem does not quickly clear itself, it may indicate a corrupted 

/var/nis/NIS_COLD_START, /var/nis/NIS_SHARD_DIR_CACHE, or 

/etc/.rootkey file. 


NIS_SRVAUTH. 

Unable to bind to master server for name 'string-variable' 

See “If NIS+ Cannot Find an Object” on page 302. This particular 

message may be caused by adding a trailing dot to the server’s domain 

name in the domainname command or the NIS_DOMAIN variable in the 

/etc/rc.config.d/namesvrs file. 

Appendix A 379


Unable to create callback. 

The server was unable to contact the callback service on your machine. 

This results in no data being returned. See the nis_tables(3N) man 

page for more information. 

Unable to create process on server 

This error is generated if the NIS+ service routine receives a request for 

a procedure number it does not support. 

This message is generated by the NIS+ error code constant NIS_NOPROC. 

String-variable: Unable to decrypt secret key for name. 




• NIS+ could not decrypt the key because the entry might be corrupt. 


password in the /etc/passwd file that is different from the NIS+ 



Unknown error 

This is displayed when the NIS+ error handling routine receives an error 

of an unknown type. 

Unknown object 

The object returned is of an unknown type. 


NIS_UNKNOWNOBJ. See the nis_tables(3N) and nis_names(3N) man 


update_directory: number objects still running. 

This is a status message displayed on the server during the update of a 

directory during a replica update. You do not need to take any action. 

380 

Appendix A


WARNING: db::checkpoint: could not dump database: No such file or 

directory 

This message indicates that the system was unable to open a database 

file during a checkpoint. Possible causes are as follows: 

• The database file was deleted. 

• The server is out of file descriptors. 

• There is a disk problem 

• You or the host do not have correct permissions. 

WARNING: db_dictionary::add_table: could not initialize database from 

scheme 

The database table could not be initialized. Possible causes are as 

follows: 

• There was a system resource problem (see “If You Have Insufficient 

Memory or Disk Space” on page 307). 

• You incorrectly specified the new table in the command syntax. 

• The database is corrupted. 

WARNING: db_query::db_query:bad index 

In most cases this message indicates incorrect specification of an indexed 

name. Make sure that the indexed name is found in the specified table. 

Check the command for spelling and syntax errors. 

**WARNING: domain domainname already exists. 

This message indicates that the domain you tried to create already 

exists. 

• If you are trying to promote a new non-root master server or are 

recovering from a previous nisserver problem, continue running the 

script. 

• If domainname was spelled incorrectly, rerun the script with the 

correct domain name. 

Appendix A 381


**WARNING: failed to add new member NIS+_principal into the 

groupname group. You will need to add this member manually: 1. 

/usr/sbin/nisgrpadm -a groupname NIS+_principal 

The NIS+ command nisgrpadm failed to add a new member into the 

NIS+ group groupname. Use the nisgrpadm command to add this NIS+ 

principal manually. 

**WARNING: failed to populate tablename table. 

The nisaddent command was unable to load the NIS+ tablename table. 

A more detailed error message usually appears before this warning 

message. 

**WARNING: hostname specified will not be used. It will use the local 

hostname instead. 

This message indicates that you typed a remote host name with the -H 

option. The nisserver -r script does not configure remote machines as 

root master servers. 

• If the local machine is the one that you want to convert to an NIS+ 

root master server, no other action is needed. The nisserver -r 

script will ignore the host name you typed. 

• If you actually want to convert the remote host (instead of the local 

machine) to an NIS+ root master server, exit the script. Rerun the 

nisserver -r script on the remote host. 

**WARNING: hostname is already a server for this domain. If you 

choose to continue with the script, it will try to replicate the groups_dir 

and org_dir directories for this domain. 

This is a message warning you that hostname is already a replica server 

for the domain that you are trying to replicate. 

• If you are running the script to fix an earlier nisserver problem, 

continue running the script. 

• Ifhostname was mistakenly entered, rerun the script with the correct 

host name. 

382 

Appendix A


**WARNING: alias-hostname is an alias name for host 

canonical_hostname. You cannot create credential for host alias. 

This message indicates that you have typed a host alias in the name list 

for nisclient -c. The script asks you if you want to create the 

credential for the canonical host name, since you should not create 

credentials for host alias names. 

**WARNING: file directory-path/tablename does not exist! 

tablename table will not be loaded. 

The script was unable to find the input file for tablename. 

• If directory-path/tablename is spelled incorrectly, rerun the script 

with the correct table name. 

• If directory-path/tablename file does not exist, create and update 

this file with the proper data. Then rerun the script to populate this 

table. 

**WARNING: NIS auto.master map conversion failed. auto.master table 

will not be loaded. 

The auto.master map conversion failed while trying to convert all the 

dots to underscores in the auto_master table. Rerun the script with a 

different NIS server. 

**WARNING: NIS netgroup map conversion failed. netgroup table will 

not be loaded. 

The netgroup map conversion failed while trying to convert the NIS 

domain name to the NIS+ domain name in the netgroup map. Rerun the 

script with a different NIS server. 

**WARNING: nisupdkeys failed on directory domainname. This script 

will not be able to continue. Please remove the domainname directory 

using ‘nisrmdir’. 

The NIS+ command nisupdkeys failed to update the keys in the listed 

directory object. If rpc.nisd is not running on the new master server 

that is supposed to serve this new domain, restart rpc.nisd. Then use 

nisrmdir to remove the domainname directory. Finally, rerun nisserver. 

Appendix A 383


WARNING: nisupdkeys failed on directory directory-name 

You will need to run nisupdkeys manually: 

1. /usr/lib/nis/nisupdkeys directory-name 

The NIS+ command nisupdkeys failed to update the keys in the listed 

directory object. Use the nisupdkeys command to update the keys 

manually. 

**WARNING: once this script is executed, you will not be able to 

restore the existing NIS+ server environment. However, you can 

restore your NIS+ client environment using “nisclient -r” with the 

proper domainname and server information. Use “nisclient -r” to 

restore your NIS+ client environment. 

These messages appear if you have already run the script at least once 

before to set up an NIS+ server. They indicate that NIS+ related files will 

be removed and recreated as needed if you decide to continue running 

this script. 

• If it is all right for these NIS+ files to be removed, continue running 

the script. 

• If you want to save these NIS+ files, exit the script by typing n at the 

Do you want to continue? prompt. Then save the NIS+ files in a 

different directory and rerun the script. 

**WARNING: this script removes directories and files related to NIS+ 

under /var/nis directory with the exception of the NIS_COLD_START 

and NIS_SHARED_DIRCACHE files which will be renamed to 

.no_nisplus. If you want to save these files, you should abort 

from this script now to save these files first. 

See the message above for an explanation. 

**WARNING: you must specify the NIS domainname. 

**WARNING: you must specify the NIS server hostname. Please try 

again. 

These messages indicates that you did not type the NIS domain name at 

the prompt. Type the NIS server domain name at the prompt. 

Window verifier mismatch 

This is a debugging message generated by the _svcauth_des code. A 

verifier could be invalid because a key was flushed out of the cache. 

When this occurs, _svcauth_des returns the AUTH_BADCRED status. 

You (string-variable) do not have secure RPC credentials in NIS+ 

384 

Appendix A


domain 'string-variable' 

This message could be caused by trying to run nispasswd on a server 

that does not have the credentials required by the command. Keep in 

mind that servers running at security level 0 do not create or maintain 

credentials. 


verify_table_exists: cannot create table for string nis_perror message. 

To perform an operation on a table, NIS+ first verifies that the table 

exists. If the table does not exist, NIS+ attempts to create it. If it cannot 

create the table, it returns this error message. The string identifies the 

table that could not be located or created; the nis_perror message 

portion provides information as to the cause of the problem. You can look 

up that portion of the message as if it were an independent message in 

this appendix. Possible causes problem are as follows: 

• The server was just added as a replica of the directory, and it may not 

have the directory object. Run nisping -C to checkpoint. 

• You are out of disk space. See “If You Have Insufficient Memory or 

Disk Space” on page 307. 

• Database corruption 

• Some other type of software error. Call your HP support contact. 

Appendix A 385


386 

Appendix A

Index 

Symbols 

$ (dollar sign) in NIS_PATH, 223 

$HOME/.rhosts file, 119, 271, 306 

* (asterisk) 

in /etc/group, 163, 171 

in /etc/passwd, 162, 295 

*NP* in NIS+ table output, 224 

+ (plus sign) 

in $HOME/.rhosts file, 119 

in /etc/hosts.equiv file, 119 

in automounter maps, 79, 109 

in group file, 120, 163, 171 

in passwd file, 119, 162, 170, 295 

Numerics 

32k transfer size, 52 

A 

access denied, NFS, 279 

access export option, 118, 279 

acdirmax mount option, 48 

acdirmin mount option, 48 

acregmax mount option, 48 

acregmin mount option, 48 

actimeo mount option, 49, 321 

admin group, NIS+, 232, 305 

aliases, mail, 137 

anon export option, 27 

asterisk (*) 

in /etc/group, 163, 171 

in /etc/passwd, 162, 295 

async export option, 49, 289, 319 

asynchronous I/O, 49, 289, 319, 321 

attribute caching, 47, 50, 128, 289, 319, 321 

AUTH_BOGUS_CREDENTIAL, 278 

authentication, NIS+, 194, 210, 216, 236, 304 

authorization, NIS+, 194, 205, 216, 304 

auto_direct map, 62, 96 

auto_master map, 56, 61, 64, 90, 95, 99, 137 

AUTO_MASTER variable, 81, 111, 342 

AUTO_OPTIONS variable, 57, 63, 66, 69, 84, 

316, 330, 331, 332, 342 

autoFS, 86 

autofs script, 111 

AUTOMOUNT variable, 51, 81, 111, 342 

AUTOMOUNT_OPTIONS variable, 91, 97, 

100 

AUTOMOUNTD_OPTIONS variable, 104 

automounter, 55 

advantages, 35 

direct vs. indirect, 58, 92 

duration of mounts, 57, 63, 66, 91, 97, 100 

environment variables in map, 69, 103 

hierarchical mounts, 77, 108 

-hosts map, 39, 56, 90 

improving performance, 77 

in SAM, 56 

included files, 79, 109 

interval between mount attempts, 316 

logging, 329, 330 

maps in NIS, 153, 155 

maps in NIS+, 202, 240, 302, 309 

mounting home directories, 70, 71, 74, 105, 

106 

multiple servers, 68, 102 

-null map, 80, 111 

-passwd map, 71 

replicated servers, 68, 102 

restarting, 83, 329, 332 

simultaneous mounts, 77, 108 

starting, 81, 111, 342 

subdirectory notation, 77 

tracing, 331, 332 

unmounting directories, 83, 114 

verifying configuration, 81, 112 

vs. standard mount, 35 

wildcards in maps, 69, 74, 104, 106 

with CacheFS, 133 

B 

back file system, CacheFS, 129 

backups, of NIS+ data, 248 

badxid, displayed by nfsstat, 316 

bdf, 25 

bg mount option, 44 

BIND, 277, 279 

troubleshooting, 283 

with NIS, 158, 255, 283, 296 

with NIS+, 202, 214, 215, 255 

binding, NIS, 138, 169 

across gateways or routers, 177 

to authorized servers, 176 

biod, 50, 289, 342 

number of, 321 

stopping, 289 

block size, file system, 321 

bootparams file, 159 

bsize, displayed by tunefs, 321 

387

Index 

C 

CacheFS, 128 

automounted directories, 133 

configuring, 131 

creating directory, 131 

whether to use, 128 

caching attributes 

see attribute caching, 50 

can’t bind message, ypcat, 298 

cant match key message, ypmatch, 298 

cfsadmin, 131 

checkpoint, NIS+, 191, 201, 212, 307, 323 

failed, 311 

chkey, 179, 182, 183, 239, 250, 305 

client connections, 52 

client, NFS, 20, 34 

restarting, 286 

starting, 42, 81, 111 

stopping, 51, 286 

too slow, 321 

verifying configuration, 43 

client, NIS, 138, 169 

binding, 138 

binding across gateways or routers, 177 


/etc/group file, 171 

/etc/passwd file, 170 

preventing unauthorized bindings, 176 

starting, 172 


client, NIS+, 189, 191 



clntudp_create error, ypwhich, 298 

cold cache, 129 

collision rate, 316 

column names, NIS+ tables, 218, 226, 228 

compat, in nsswitch.conf file, 162, 163, 170, 

171, 260 

compatibility mode, NIS, 196, 200, 208, 211, 

239, 260, 309 

concatenation paths, NIS+, 242, 323 

connection 

severing, 54 

connections 

advertised, 53 

NFS server, 53 

continue, in nsswitch.conf file, 258 

corrupt database message, NIS+, 314 

corrupt log message, NIS+, 314 

could not bind to server message, NIS+, 313 

CPU load, 318 

identifying CPU-intensive processes, 318 

create permission, NIS+, 226, 231, 240, 243 

cred table, 194, 200, 210, 216, 231, 233, 304, 

305 

populated by nispopulate, 204 

required permissions, 220 

credentials, NIS+, 178, 194, 231, 233, 304 

corrupted, 306 

creating for users, 210 

recreating, 236 

recreating for root master, 237 

cron and crontab, 167, 201, 212, 294, 300, 311, 

323, 326 

D 

data integrity, NFS, 49, 289 

data traffic, 316 

DB_BADOBJECT, 312 

DES credential, NIS+, 194, 216 

destroy permission, NIS+, 228, 241, 243, 247 

device busy, 284 

devs mount option, 45 

direct map, 61, 95 

advantages, 58, 92 

environment variables in, 69, 103 

examples, 63, 97 

modifying, 63, 97, 101 

directories, NIS+, 190, 191 

disk space required for NIS+, 198, 307, 311 

Diskless, NFS, 14, 319 

DNS, 277, 279 


with NIS, 158, 255, 283, 296 

with NIS+, 202, 214, 215, 255 

dollar sign ($) in NIS_PATH, 223 

domain, NIS, 138 

number of, 140, 197 

planning, 140, 197 

domain, NIS+, 190, 191 

changing name of, 303, 306 

default search order, 223 


removing, 247 

removing a replica, 246 

search path, 302, 323 

domainname, 147, 164, 172, 183, 200, 206, 

250, 293, 294, 296, 299, 313, 342 

dropped packets, 316 

388

Index 

E 

EMULYP variable, 211, 215 

environment variables 


in rc.config.d directory, 342 

error messages, NIS+, 346 

/etc/.rootkey file, 305, 306 

/etc/auto_direct file 

see auto_direct map, 62, 96 

/etc/auto_master file 

see auto_master map, 56, 90 

/etc/bootparams file 

see bootparams file, 159 

/etc/ethers file 

see ethers file, 159 

/etc/exports file 

see exports file, 25 

/etc/fstab file 

see fstab file, 32 

/etc/group file 

see group database, 22 

/etc/hosts file 

see hosts database, 137 

/etc/hosts.equiv file 

see hosts.equiv file, 119 

/etc/inetd.conf file 

see inetd.conf file, 28 

/etc/mnttab file 

see mnttab file, 66, 101 

/etc/netgroup file 

see netgroup file, 115 

/etc/netid file 

see netid database, 137 

/etc/netmasks file 

see netmasks file, 159 

/etc/networks file 

see networks file, 137 

/etc/nsswitch.conf file 

see nsswitch.conf file, 158 

/etc/protocols file 

see protocols file, 137 

/etc/publickey file 

see publickey database, 137 

/etc/rc.config.d/namesvrs file 

see namesvrs file, 28 

/etc/rc.config.d/nfsconf file 

see nfsconf file, 28 

/etc/rpc file 

see rpc file, 124 

/etc/services file 

see services file, 137 

/etc/sm and /etc/sm.bak directories, 287 

ethers file, 159 

export options, 24 

access, 118, 279 

anon, 27 

async, 49, 289, 319 

noasync, 49, 289 

ro, 26 

rw, 26 

exportfs, 25, 30, 32, 279, 281, 342 

exporting directories, 25 

examples, 26 

on different disks, 25 

with root access, 27 

exports file, 25 

example entries, 26 

forcing a reading of, 279 

netgroups in, 118 

removing entries, 28 

F 

fcntl, 16 

fg mount option, 44 

file locking, 50, 289 

file system block size, 321 

front file system, CacheFS, 129, 131 

fsirand, 285, 286 

fstab file, 32, 40, 42, 43, 50, 321 

CacheFS entries, 132 

example entries, 41 

fuser, 29, 31, 50, 51, 83, 284, 285, 286, 329, 332 

G 

gateways, 177 

with NIS, 293 

generic system error message, NIS+, 313 

getattr, displayed by nfsstat, 319 

gethostbyname, 255 

group database, 22, 23, 137, 163, 278 

modifying NIS+, 234 


on NIS client, 171 

on NIS master server, 145, 202 

on NIS slave server, 163 

plus sign (+) in, 163 

group ID, 22 

group owner, NIS+, 195, 218, 222 

group_compat, in nsswitch.conf file, 260 

groups, NIS+, 190 

adding members, 205, 244 

389

Index 

admin group, 205, 232, 305 

recursive, 323 

removing, 243 

removing members, 244 

types of members, 244 

groups_dir directory, NIS+, 190 

in path name, 302 

grpid mount option, 47 

H 

hard mount option, 32, 44, 289, 321 

hierarchical mounts, automounter, 77, 108 

home directories, automounting, 70, 71, 74, 

105, 106 

home domain, NIS+, 216 

$HOME/.rhosts file, 119, 271, 306 

hostname fallback, 158, 255, 283, 296 

hosts database, 137, 158, 277, 279, 283 

on NIS master server, 146 

using BIND, 158, 255 

-hosts map, 39, 56, 90 

examples, 58, 91, 58, 91 

hosts table, 231 

hosts.equiv file, 119, 306 

HP 9000, 19 

hung program, 287 

hung system, 32, 38 

I 

ignore, in mnttab file, 63, 66, 97, 101 

illegal object type message, NIS+, 312 

included files, in automounter maps, 79, 109 

indirect map, 64, 99 

advantages, 58, 92 

environment variables in, 69, 103 


modifying, 66, 101 

subdirectory notation, 77 

wildcards in, 69, 74, 104, 106 

inetd.conf file, 32, 122, 269, 271, 272, 276, 280, 

333 

starting mountd from, 28 

inetd.sec file, 124, 280 

examples, 125 

init.d directory, 342 

inodes, not enough, 290 

installing NFS Services, 15 

interruptible mounts, 33, 287 

intr mount option, 44, 287, 321 

K 

kernel parameter, ninode, 290, 308 

keylogin, 180, 182, 183, 238, 250, 305, 306, 309 

keylogout, 183, 250, 306 

keyserv, 181, 237, 305, 342 

KEYSERV_OPTIONS variable, 342 

key-value type, NIS+ table, 240 

L 

LAN, 21 

collision rate, 316 

further reading, 21 

NIS supported configurations, 136, 169 


links, NIS+, 242, 312 

Local credential, NIS+, 194, 216, 309 

lock manager 

see lockd, 16 

lockd, 16, 276, 342 

checking for hung process, 287 

logging, 327, 328 

restarting, 287, 288, 327, 328 

LOCKD_OPTIONS variable, 327, 342 

lockf(), 16, 50, 289 

log in, unable to, 294, 309 

logging, 325 

automounter, 329, 330 

handling log files, 326 

lockd, 327, 328 

mountd, 327 

nettl and netfmt, 339 

NFS, 326 

NIS, 335 

NIS+, 338 

nisd, 338 

rexd, 272, 333 

rstatd, 333 

rusersd, 333 

rwalld, 333 

sprayd, 333 

statd, 327, 328 

ypbind, 336 

yppasswdd, 337 

ypserv, 336 

ypxfr, 335 

lookup, displayed by nfsstat, 318 

lost data, NFS, 49, 289 

ls, with automounter, 81, 112 

390

Index 

M 

mail aliases, 137 

make, 115, 149, 152, 153, 154, 155, 158, 180, 

294, 296, 299 

makedbm, 153, 156, 157, 158, 183, 295, 297, 

300 

Makefile, NIS, 149, 153, 155 

maps, automounter in NIS+, 202, 240, 302, 

309 

maps, NIS, 137, 138 

adding, 153 


determining server for, 148, 174, 299 

listing contents of, 151, 211, 299 

modifying, 152 

pushing to slaves, 167, 175, 294 

removing, 155 

master map, 61, 64, 95, 99, 137 

master server, NIS, 138 

choosing a host, 141, 198 


/etc/group file, 145, 202 

/etc/hosts file, 146 

/etc/passwd file, 144, 149 

in Sun network, 159 


restricting access to, 149, 150 

starting, 147 


master server, NIS+, 189 

memory required for NIS+, 198, 307 

memory, for NFS server, 290, 318 

mnttab file, 63, 66, 97, 101 

modify permission, NIS+, 220, 222, 229, 232, 

242, 245, 246 

mount, 40, 43, 51, 52, 286, 342 

with CacheFS, 132 

mount options 

acdirmax, 48 

acdirmin, 48 

acregmax, 48 

acregmin, 48 

actimeo, 49, 321 

bg, 44 

changing, 43, 63, 66, 97, 101 

devs, 45 

fg, 44 

grpid, 47 

hard, 32, 44, 49, 289, 321 

intr, 44, 287, 321 

noac, 47, 50, 289, 319 

nocto, 47 

nodevs, 45 

nointr, 33, 44 

nosuid, 42, 43, 56, 90, 282 

O, 46 

remount, 47 

retrans, 45, 321 

retry, 45 

ro, 43 

rsize, 46, 316, 321 

rw, 43 

secure, 178 

soft, 44, 49, 289, 321 

suid, 43 

timeo, 45, 277, 316, 321 

vers, 46 

wsize, 46, 316, 321 

mountd, 276, 342 

in /etc/inetd.conf file, 28, 32, 276, 280 

logging, 327 

restarting, 277, 327 

MOUNTD_OPTIONS variable, 342 

mounting directories, 40 


with automounter, 62, 64, 96, 99 

multiple mounts, automounter, 68, 102 

multiple servers, for automounted 

directories, 68, 102 

N 

Name Service Switch, 158, 162, 163, 170, 171, 

204, 207, 214, 215, 255, 283, 296, 306, 309 

default configuration, 261 

defaults before HP-UX 10.30, 256, 261 

namespace, NIS+, 187, 189, 199 

planning, 197 

namesvrs file, 147, 149, 157, 164, 166, 172, 

208, 211, 293, 336, 337, 338 

/net directory, 56, 90 

netfmt, 339, 340 

netgroup file, 115 

netgroup table, NIS+, 117 

netgroups, 115, 279 

creating, 115 

examples, 116 

files where valid, 118 

in $HOME/.rhosts, 119 

in /etc/exports, 118 

in /etc/group, 120 

391

Index 

in /etc/hosts.equiv, 119 

in /etc/passwd, 119 

in NIS, 115, 137 

netid database, 137, 152 

netmasks file, 159 

netnames, 137, 179, 180, 181 

netstat, 316, 320 

nettl, 339, 340 

network 

see LAN, 21 

Network File System 

see NFS, 16 

Network Information Service 

see NIS, 16 

Network Information Service Plus 

see NIS+, 16 

network map, NIS, 142 

networks file, 137 

newkey, 180, 181, 182, 183 


see also client, NFS, 20 

see also server, NFS, 20 

client, 20, 34 


installing the software, 15 

logging, 326 

secure NFS, 178 

server, 20, 24 

starting, 42, 81, 111 

startup scripts, 341 

stopping, 31, 51, 286 

system startup, 341 


NFS client 

connections, 52 

NFS Diskless, 14, 319 

NFS server 

daemon, 53 

nfs.client script, 49, 51, 81, 111, 122, 277, 286, 

327, 341, 342 

nfs.core script, 341, 342 

nfs.server script, 28, 30, 276, 341, 342 

NFS_CLIENT variable, 42, 51, 81, 111, 342 

NFS_SERVER variable, 28, 32, 276, 342 

nfsconf file, 28, 30, 32, 42, 49, 51, 57, 63, 66, 

69, 81, 91, 97, 100, 104, 111, 276, 289, 316, 

320, 321, 327, 331 

nfsd, 276, 318, 342 


nfsstat, 316, 318, 320 

ninode kernel parameter, 290, 308 

NIS, 16, 135 

see also client, NIS, 138 

see also domain, NIS, 138 

see also maps, NIS, 137 

see also master server, NIS, 138 

see also slave server, NIS, 138 

binding, 138, 169 

client, 138, 169 

domain, 138 

files managed by, 137, 191 


LAN support, 136 

list of commands, 183, 250 

logging, 335 

maps, 137, 138, 153, 155, 191 

master server, 138 

network planning, 140, 197 

number of servers, 141, 198 

PATH required, 147, 164, 172 

querying BIND, 158, 255 

slave server, 138, 161 

startup scripts, 147, 341 

Sun vs. HP, 159 



with short file names, 159 

ypmake vs. Makefile, 159 

NIS compatibility mode, NIS+, 196, 200, 208, 

211, 239, 260, 309 

NIS+, 16, 185 

see also groups, NIS+, 190 

see also server, NIS+, 198 

see also tables, NIS+, 191 

see also domain, NIS+, 190 

adding a host, 231 

adding a user, 233 

adding table entries, 226, 227 

admin group, 205, 232, 305 

advantages over NIS, 187 

authentication, 194, 210, 216, 304 

authorization, 194, 205, 216, 304 

backing up data, 248 

changing root password, 239 

client, 206 

configuration, 199 

creating subdomains, 211 

creating tables, 240 

credentials, 178, 194, 304 

default password, 204, 207 

392

Index 

determining number of domains, 197 

determining number of servers, 198 


disadvantages, 188 

disk space required, 198, 307, 311 

domain search order, 223 

domain structure, 190, 191 

error messages, 346 

files managed by, 192 


groups, 190, 205, 243, 244 

home domain, 216 

initializing users, 210 

links, 242, 312 

list of commands, 250 

listing table contents, 224 

logging, 338 

memory required, 198, 307 

modifying table entries, 229, 230 

NIS compatibility mode, 196, 200, 208, 211, 

309 

object properties, 218, 219 

ownership of objects, 222 

PATH required, 200, 206, 208, 211, 248 

permissions, 194, 205, 216, 220 

planning the namespace, 197 

populating tables, 202 

principal name, 216 

querying BIND, 255 

removing a domain, 247 

removing a replica server, 246 

removing table entries, 228 

removing tables, 241 

replica server, 208 

root master server, 305 

searching tables, 225 

security level, 306 

startup scripts, 341 


table paths, 242, 323 

table type, 240 

tables, 191, 192 

time to live, 219 



NIS+ principal, 194 

nis.client script, 147, 165, 166, 173, 176, 177, 

298, 341, 342 

nis.server script, 147, 150, 157, 165, 168, 293, 

294, 341, 342 

nis_cachemgr, 237, 250, 323, 342 

NIS_CACHEMGR_OPTIONS variable, 342 

NIS_CLIENT variable, 147, 164, 172, 342 

NIS_COLD_START file, 191 

NIS_DEFAULTS variable, 219 

NIS_DOMAIN variable, 147, 164, 172, 293, 

313, 342 

NIS_GROUP variable, 219 

NIS_MASTER_SERVER variable, 147, 293, 

342 

NIS_MAXCHECKS variable, 342 

NIS_PATH variable, 223, 302, 313, 323 

NIS_SHARED_DIRCACHE file, 191 

NIS_SLAVE_SERVER variable, 147, 157, 

164, 293, 342 

nisaddcred, 216, 231, 233, 237, 250, 304, 309 

Adding Key message, 305, 310 

Changing Key message, 305, 310 

nisaddent, 227, 230, 234, 240, 250 

niscat, 203, 207, 218, 224, 226, 228, 242, 250, 

304, 323 

nischgrp, 195, 219, 222, 250 

nischmod, 195, 219, 220, 250 

nischown, 195, 219, 222, 234, 250 

nischttl, 219, 250 

nisclient, 206, 210, 236, 250, 305 

Adding Key message, 305, 310 

Changing Key message, 305, 310 

nisd, 208, 211, 215, 236, 237, 252, 305, 314, 

342 

logging, 338 

nisd_resolv, 314 

nisdefaults, 195, 219, 250, 304 

niserror, 250 

nisgrep, 225, 251 

nisgrpadm, 205, 232, 243, 244, 251, 305 

nisinit, 251 

nisln, 242, 251 

nislog, 248, 251 

nisls, 200, 207, 212, 302, 303 

nismatch, 216, 225, 226, 251, 279, 304, 305, 

309 

nismkdir, 251 

nispasswd, 233, 239, 251, 309 

nispasswdd, 342 

nisping, 191, 201, 203, 209, 212, 237, 249, 251, 

302, 307, 309, 323 

failed, 311 

nisplus.client script, 341, 342 

nisplus.server script, 341, 342 

NISPLUS_CLIENT variable, 342 

393

Index 

NISPLUS_SERVER variable, 208, 211, 342 

nispopulate, 202, 251, 323 

nisrm, 251 

nisrmdir, 246, 247, 251, 311 

nisserver, 200, 209, 212, 251, 302, 309 

nissetup, 251, 302, 309 

nisshowcache, 251 

nisstat, 209, 251 

nistbladm, 220, 226, 228, 229, 231, 233, 240, 

241, 242, 252 

nistest, 252 

nisupdkeys, 237, 252 

noac mount option, 47, 50, 289, 319 

noasync export option, 49, 289 

nobody, 27, 162, 170, 179, 180, 194, 281, 304 

nocto mount option, 47 

nodevs mount option, 45 

nointr mount option, 33, 44 

NOPUSH option, make, 154 

nosuid mount option, 42, 43, 56, 90, 282 

not in hosts database, 283, 296 

NOTFOUND, in nsswitch.conf file, 258 

nslookup, 277, 279 

tracing, 283 

nsquery, 263, 283, 296 

nsswitch.conf file, 158, 162, 163, 170, 171, 

204, 207, 215, 255, 256, 306 

default configuration, 261 

defaults before HP-UX 10.30, 256, 261 

modifying, 309 

syntax, 258 

-null map, 80, 111 

null, displayed by nfsstat, 316 

NUM_NFSD variable, 320, 342 

NUM_NFSIOD variable, 49, 289, 321, 342 

O 

O mount option, 46 

O_SYNC flag, open(), 49, 289 

object properties, NIS+, 218, 219 

on, 266, 267 

example, 268 

org_dir directory, NIS+, 190 

in path name, 302 

owner, NIS+, 195, 218, 222 

P 

packets dropped, 316 

passwd command, 175, 181, 309 

passwd database, 22, 137, 175, 281, 294 

asterisk (*) in, 295 





plus sign (+) in, 162, 295 

-passwd map, 71 

passwd table, NIS+, 233, 305 

passwd_compat, in nsswitch.conf file, 260 

password, changing 

root password with NIS+, 239 

with NIS, 175 

with NIS+, 210, 233, 239, 305, 309 

with secure RPC, 179, 180, 181, 182 

password, default NIS+, 204, 207 

password, different from secure RPC 

password, 306 

path names, NIS+, 191, 302 

PATH, for NIS, 147, 164, 172 

PATH, for NIS+, 200, 206, 208, 211, 248 

PC NFS, 30, 158 

PCNFS_SERVER variable, 30, 342 

pcnfsd, 30, 342 

performance, 315 

finding NFS problems, 316 

improving NFS client, 128, 321 

improving NFS server, 318 

improving NIS+, 323 

permission denied, NFS, 281 

permissions 

default for new NIS+ object, 195, 219 

NIS+, 194, 205, 216, 218, 220 

on exported directories, 25, 26 

ping, 21, 276, 293 

plus sign (+) 

in $HOME/.rhosts file, 119 

in /etc/hosts.equiv file, 119 


in group file, 120, 163, 171 

in passwd file, 119, 162, 170, 295 

possible loop detected message, NIS+, 313 

principal, NIS+, 194, 216 

printer, in pcnfsd.conf file, 30 

private keys, on root master server, 305 

processes cannot start, 290 

program hangs, 287 

protocols file, 137 

public keys, on root master server, 305 

publickey database, 137, 179, 180, 181, 182 

publickey, in nsswtich.conf, 306 

pwd, with automounter, 37 

394

Index 

Q 

quota, 18, 124 

R 

rc script, 341 

rc.config.d directory, 341, 342 

rc0.d directory, 341 





RCS, 286 

read permission, NIS+, 224, 225 

read/write access, NFS, 26 

readlink, displayed by nfsstat, 318 

read-only access, NFS, 26 

Remote Execution Facility 

see REX, 17 

Remote Procedure Call 

see RPC, 17 

remount mount option, 47 

replica server, NIS+, 189, 208 

number to configure, 209, 323 

removing, 246 

update fails, 312 

updating from master, 302 

replicated servers, for automounted 


retrans mount option, 45, 321 

retrans, displayed by nfsstat, 316 

retry mount option, 45 

return, in nsswitch.conf file, 258 

Revision Control System 

see RCS, 286 

REX, 17, 122, 123, 266 

client, 266 


example, 268 

security, 124, 271 

server, 266 

rexd, 123, 266, 267, 269 

logging, 272, 333 

.rhosts file, 119, 271 

rlogin, with secure RPC, 182 

ro export option, 26 

ro mount option, 43 

root access to exported directories, 27, 281 

root domain, NIS+, 189 

root master server, NIS+, 189, 305 



root password 

changing with NIS+, 239 

on NIS+ master server, 200, 305 

secure RPC, 181 

root replica server, NIS+, 189 

.rootkey file, 305, 306 

routers, 177 

with NIS, 293 

RPC, 17 

authentication error, 23, 278 

netnames, 137 

secure, 178, 194 

rpc file, 124, 137 

rpc.nisd_resolv, 252, 314 

rpc.rquotad 

see rquotad, 18 

rpc.rstatd 

see rstatd, 17 

rpc.rusersd 

see rusersd, 17 

rpc.rwalld 

see rwalld, 17 

rpc.sprayd 

see sprayd, 17 

rpc.statd 

see statd, 287 

RPC_AUTH_ERROR, 278 

RPC_NISD_OPTIONS variable, 338, 342 

RPC_NISPASSWDD_OPTIONS variable, 

342 

RPC_TIMED_OUT, 277, 287 

rpcbind, 122, 276, 342 

rpcgen, 17 

rpcinfo, 276 

rquotad, 18, 124 

security, 124 

rsize mount option, 46, 316, 321 

rstatd, 17, 123 

logging, 333 

security, 124 

rup, 17, 123 

rusers, 17, 123 

rusersd, 17, 123 

logging, 333 

security, 124 

rw export option, 26 

rw mount option, 43 

rwall, 17, 123 

rwalld, 17, 123 

logging, 333 

security, 124 

395

Index 

S 

SAM, 20, 24, 34, 56, 186, 205, 219, 220, 222, 

224, 226, 228, 229, 232, 243, 290, 308 

/sbin/init.d directory 

see init.d directory, 342 

/sbin/init.d/nfs.client 

see nfs.client script, 28 

/sbin/init.d/nfs.core 

see nfs.core script, 28 

/sbin/init.d/nfs.server 

see nfs.server script, 28 

/sbin/init.d/nis.client 

see nis.client script, 28 

/sbin/init.d/nis.server 

see nis.server script, 28 

/sbin/init.d/nisplus.client 

see nisplus.client script, 28 

/sbin/init.d/nisplus.server 

see nisplus.server script, 28 

/sbin/rc script 

see rc script, 341 

/sbin/rc0.d directory, 341 





SD (Software Distributor), 15 

search order, NIS+ domains, 223 

secure mount option, 178 


administering keys, 180 

host keys, 181 

NIS+ credentials, 194, 210 

user-created keys, 179 

using, 182 

securenets file, 150, 168 


secureservers file, 176 

examples, 176 

security 

in exported directories, 27 

in inetd.conf file, 124 

in mounted directories, 42 




REX, 271 


using netgroups, 115 

security level, NIS+, 306 

sendmail, 305 

sendmail aliases, 137 

server busy message, niscat, 323 

server not responding, NFS, 276, 321 

server not responding, NIS, 293 

server, NFS, 20, 24 

CPU load, 318 

memory requirements, 290, 318 

PC NFS, 30 

starting, 28 

stopping, 31 

too slow, 316, 318 

server, NIS+ 


determining number of, 198 

disk space required, 198 

memory required, 198 

populating tables, 202 

serving NIS clients, 196, 200, 208, 211 

verifying configuration, 203, 209 

services file, 137 

short file names, 159 

showmount, 28, 31, 279, 281 

SIGUSR2 signal 

to automount, 331 

to lockd and statd, 327 

simultaneous mounts, automounter, 77, 108 

slave server, NIS, 138 

adding, 156, 161, 165 

choosing a host, 141, 198 

/etc/group file, 163 

/etc/passwd file, 162 

getting maps from master, 167 


removing, 157 

restricting access to, 168 

starting, 164, 166 


slow server, NFS, 316, 318 

sm and sm.bak directories, 287 

socket overflows, 320 

soft mount, 49 

timed out, 321 

soft mount option, 44, 289, 321 

Software Distributor (SD), 15 

spray, 17, 124 

sprayd, 17, 124 

logging, 333 

security, 124 

stale file handle, 30, 285 

avoiding, 286 

standard mount, 35, 40 

396

Index 

START_MOUNTD variable, 28, 276, 342 

startup scripts, 341, 342 

statd, 16, 276, 342 

checking for hung process, 287 

logging, 327, 328 

restarting, 287, 288, 327, 328 

STATD_OPTIONS variable, 342 

status monitor 

see statd, 16 

subdirectory notation, automounter, 77 

subdomains, NIS+, 211 

SUCCESS, in nsswitch.conf file, 258 

suid mount option, 43 

Sun ONC/NFS 

Makefile vs. ypmake, 159 

with HP-UX, 159 

swap space, for NIS+ checkpoint, 311 

swapon, 342 

swinstall, 15 


created by automounter, 60 

in exported directories, 26 

in mounted file systems, 318 

synchronous I/O, 49, 289 

syslog, 329, 338, 346 

system hang, 32, 38 

system startup, 341, 342 

T 

table type, NIS+, 240 

tables, NIS+, 191 

adding entries, 226, 227 

backing up, 248 

column names, 218, 226, 228 

corrupted, 303, 314 

creating, 240 

dumping to files, 248 

links, 242 

list of standard, 192 

listing contents, 224 

modifying entries, 229, 230 

populating, 202 

removing, 241 

removing entries, 228 

searching, 225 

table paths, 242, 323 

table type, 227, 230 

updating transaction logs, 191, 201, 212 

TCP connection 

server, 53 

specifying, 52 

TCP connections, 52 

time to live, for NIS+ objects, 219 

timeo mount option, 45, 277, 316, 321 

timeout, displayed by nfsstat, 316 

/tmp_mnt directory, 60, 83, 329, 331 

TMPDIR variable, 202 

too many levels of remote, 291 

top, 318 

tracing, 325 


nettl and netfmt, 340 

traffic, LAN, 316 

transaction log, NIS+, 191, 201, 212, 307, 323 

cannot truncate, 311 

corrupt, 314 

transfer sizes, 52 

transport connections, 52 


Name Service Switch, 263 


NIS, 292 

NIS+, 301 

NIS+ error messages, 346 

TRYAGAIN, in nsswitch.conf file, 258 

ttl, for NIS+ objects, 219 

tunefs, for displaying bsize, 321 

U 

UDP statistics, 320 

uidrange, in pcnfsd.conf file, 30 

umount, 29, 31, 50, 51, 84, 284, 285, 286 

unable to fork message, NIS+, 308 

uname, 15 

UNAVAIL, in nsswitch.conf file, 258 

unexporting directories, 28 

unknown host, 283, 296 

unmounting directories, 50, 51, 83, 84, 114, 

284, 285 

UPD connection 

specifying, 52 

updating software, 15 

user ID, 22 

unknown, 27 

user nobody 

see nobody, 27 

V 

/var/adm/inetd.sec file 

see inetd.sec file, 124 

/var/yp/Makefile 

397

Index 

see Makefile, 149 

/var/yp/securenets file 

see securenets file, 150 

/var/yp/secureservers file 

see secureservers file, 176 

vers mount option, 46 

VHE, 137 

vmstat, 318 

logging, 335 

ypxfrd, 342 

YPXFRD_OPTIONS variable, 342 

W 

WAIT_FOR_NIS_SERVER variable, 342 

warm cache, 129 

wildcards in automounter maps, 69, 74, 104, 

106 

world, in NIS+ permissions string, 195 

write access 

see read/write access, 26 

wsize mount option, 46, 316, 321 

Y 

ypbind, 166, 298, 342 

logging, 336 


YPBIND_OPTIONS variable, 166, 177, 336, 

342 

ypcat, 151, 183, 211, 299 

cant bind message, 298 

ypinit, 147, 153, 155, 159, 164, 183 

ypmake, 115, 158, 180, 183, 294, 296, 299 

ypmatch, 183, 279, 294, 296 

can’t match key message, 298 

yppasswd, 175, 179, 180, 182, 183 

yppasswdd, 294, 342 

logging, 337 


YPPASSWDD_OPTIONS variable, 149, 337, 

342 

yppoll, 183 

yppush, 183 

ypserv, 293, 342 

logging, 336 


YPSERV_OPTIONS variable, 336, 342 

ypservers, 152, 156, 157, 165, 295, 297, 299 

ypset, 166, 177, 183 

YPSET_ADDR variable, 177, 342 

ypupdated, 342 

YPUPDATED_OPTIONS variable, 342 

ypwhich, 148, 166, 174, 183, 294, 295, 296, 299 

clntudp_create error, 298 

ypxfr, 154, 167, 184, 295, 296, 299 

398

Installing and Administering NFS Services - Previous Directory

Create successful ePaper yourself

Delete template?

Save as template?