From 75784aa5e79fb4e54dd7e40af19b5bed6130a298 Mon Sep 17 00:00:00 2001 From: binh <> Date: Fri, 18 Feb 2005 11:33:25 +0000 Subject: [PATCH] More consolidation. Binh. --- .../Protocols-and-Standards.xml | 2791 +---------------- 1 file changed, 7 insertions(+), 2784 deletions(-) diff --git a/LDP/guide/docbook/Linux-Networking/Protocols-and-Standards.xml b/LDP/guide/docbook/Linux-Networking/Protocols-and-Standards.xml index a7fb945b..c68d8637 100644 --- a/LDP/guide/docbook/Linux-Networking/Protocols-and-Standards.xml +++ b/LDP/guide/docbook/Linux-Networking/Protocols-and-Standards.xml @@ -19,8 +19,8 @@ IEEE (Institute of Electrical and Electronics Engineers) 802 Standards 802.12 High-speed LANs ->Start 353 Notes Protocols + So it is clear that data units can be transmitted from a sender Data-link Layer to a (peer) receiver Data-Link ayer. The data unit (DU) is encapsulated in a frame. Each frame contains additional information. The meaning of this additional information and the rules that the sender and receiver must follow when processing this information consitutue the protocol. Hence, the frame constitutes a Protocol Data Unit (PDU). To distinguish between PDU's of different layers the PDU may be referred to as a DPDU (D for Data-link). Piggy-backing @@ -216,7 +216,7 @@ ALOHA ALOHA is a contention protocol and is used when carrier sense is not available. Mainly this i for satellite communication. The protocol allows devices to transmit at any time. Read your textbook to see the analysis of ALOHA for the case when slotted and unslotted ALOHA is used. ->End 353 Notes + 3.8. Amateur Radio @@ -231,7 +231,8 @@ ALOHA is a contention protocol and is used when carrier sense is not available. make it more useful in the amateur radio environment. · Amateur radio on Linux web site - + + NDIS and ODI The Network Device Interface Specification (NDIS) is a standard developed 
@@ -1987,1183 +1988,8 @@ also automatically remove packets sent to a computer that is having a problem. This makes Token Ring a reliable choice for networking. -This section is designed to help you get up and running using a Token Ring -adaptor to access the network. Generally speaking Section 3 will tell you -which driver you need based on the adaptor card you have. - ------------------------------------------------------------------------------ - -2. Hardware requirements - -Make sure that you have a Token Ring card that is supported from the list -below. Many PCI,ISA and even the odd MCA cards are now supported. Check -[http://www.linuxtr.net] http://www.linuxtr.net for the latest information. - -Cards that are reported to work: - -3COM - -  * 3C389 PCMCIA - -  * 3C619, 3C619B or 3C619C Token Link - -  * 3C319 Velocity ISA - -  * 3C359 Velocity XL - PCI - -  * 3C339 Velocity PCI - - -IBM - -  * PCI. PCI Token Ring Adapter; PCI Wake on Lan Token Ring Adapter; 16/4 - Token Ring PCI Adapter 2, Wake on Lan, and Wake on Lan Special; High - Speed 100/16/4 Token Ring Adapter, Token Ring 16/4 Management Adapter. - -  * Cardbus. 16/4 Token Ring Adapter - -  * LanStreamer. PCI: Auto LanStreamer, Triple Lanstreamer; MCA: LanStreamer - MC16, Lanstreamer MC32, AutoLanstreamer MC32, Dual Lanstreamer MC32 - -  * ISA. Auto 16/4 Token Ring Adapter, 16/4 Token Ring Adapter, Turbo 16/4 - Token Ring Adapter, Auto Wake Token Ring Adapter. - -  * PCMCIA. Turbo 16/4 PC Card, Turbo 16/4 PC Card 2, Auto 16/4 Credit Card - Adapter, 16/4 Credit Card Adapter, 16/4 Credit Card Adapter II - -  * Tropic MCA. 
16/4 Token Ring Adapter/A, Auto 16/4 Token Ring Adapter - - -Olicom - -  * RapidFire 3139, 3140, 3141, and 3540 - -  * OC 3136 - -  * OC 3137 - -  * OC 3118 - -  * OC 3129 - - -Madge - -  * 51-02 Smart 16/4 PCI - -  * 20-03 16/4 Cardbus Adapter Mk2 - -  * 51-04 Smart 16/4 PCI Ringnode Mk3 - -  * 51-09 Smart 16/4 Fiber PCI Ringnode - -  * 51-07 Smart 100/16/4 PCI-HS Ringnode - -  * 51-05 Smart 100/16/4 PCI Ringnode - -  * 20-01 Smart 16/4 PCMCIA - -  * 60-07 Presto PCI 2000 - -  * 60-06 Presto PCI Plus - -  * 60-05 Presto PCI - -  * 53-05 Smart Mk4 PCI Adapter (low profile) - -  * 31-40 Rapidfire 3140V2 16/4 PCI Adapter - - -SysKonnect - -  * TR4/16(+) SK-4190 ISA - -  * TR4/16(+) SK-4590 PCI - -  * TR4/16(+) SK-4591 PCI - - -SMC - -  * Tokencard Elite (8115T) - -  * Tokencard Elite/A MCA (8115T/A) - - -Intel - -  * TokenExpress PRO - -  * TokenExpress 16/4 - - -Cards that may cause problems: - -Token-Ring Network 16/4 Adapter II. This adapter will NOT work. Do not -confuse this card with the IBM Token Ring adapter II (4mbit) which does. It -is a DMA/Busmaster adapter for ISA. - -3Com TokenLink Velocity ISA. You may or may not get this one to work. I have -had reports of people running it without problems, and others who get errors -left and right. ------------------------------------------------------------------------------ - -3. Which driver should I use? - -The realm of Token Ring drivers on Linux has expanded quite a bit in last -couple of years. It's not just ibmtr anymore! So as a result this map will -tell you given a card which driver you should try and the recommended minimum -kernel version (if any). 
- -3COM - -  * 3C389 PCMCIA -- ibmtr_cs - -  * 3C619, 3C619B or 3C619C Token Link -- ibmtr - -  * 3C319 Velocity ISA -- try ibmtr - -  * 3C359 Velocity XL - PCI -- driver available from [http://www.linuxtr.net] - http://www.linuxtr.net - -  * 3C339 Velocity PCI -- tms380tr - - -IBM - -  * PCI Token Ring Adaptor -- olympic - -  * PCI Wake on Lan Token Ring Adaptor -- olympic - -  * 16/4 Token Ring PCI Adaptor 2, Wake On Lan, and Wake on Lan Special -- - olympic - -  * High Speed 100/16/4 Token Ring -- olympic - -  * Turbo 16/4 ISA adapter -- ibmtr - -  * Token Ring Auto 16/4 ISA adapter -- ibmtr - -  * Token Ring Auto 16/4 adapter /A -- ibmtr - -  * Token Ring 16/4 adapter /A -- ibmtr - -  * Token Ring adapter /A -- ibmtr - -  * Token Ring adapter II (4 Megabit only) -- ibmtr - -  * 16/4 ISA Token Ring card (16bit) -- ibmtr - -  * 16/4 ISA Token Ring card (8bit) -- ibmtr - -  * All LANStreamer -- lanstreamer - -  * PCMCIA - Turbo 16/4 -- ibmtr_cs - -  * PCMCIA - 16/4 -- ibmtr_cs - -  * Cardbus - 16/4 - olympic, kernel v.2.4.3 or greater - - -Olicom - -  * RapidFire 3139, 3140, 3141, and 3540 - -  * OC 3136 - -  * OC 3137 - -  * OC 3118 - -  * OC 3129 - - -For these Olicom cards, see their website [http://www.olicom.com] http:// -www.olicom.com for drivers. You will need a 2.2.x series kernel. - -Madge - -  * 51-02 Smart 16/4 PCI - -  * 20-03 16/4 Cardbus Adapter Mk2 - -  * 51-04 Smart 16/4 PCI Ringnode Mk3 - -  * 51-09 Smart 16/4 Fiber PCI Ringnode - -  * 51-07 Smart 100/16/4 PCI-HS Ringnode - -  * 51-05 Smart 100/16/4 PCI Ringnode - -  * 20-01 Smart 16/4 PCMCIA - -  * 60-07 Presto PCI 2000 - -  * 60-06 Presto PCI Plus - -  * 60-05 Presto PCI - - -For these Madge cards you'll want to visit their site [http://www.madge.com] -http://www.madge.com for drivers and get the 2.31 Madge drivers. You will -need either a 2.0.36 or 2.2.5 as a minimum. 
- -2.41 drivers: - -  * 51-05 Smart Mk4 PCI Adapter - -  * 53-05 Smart Mk4 PCI Adapter (low profile) - -  * 31-40 Rapidfire 3140V2 16/4 PCI Adapter - -  * 20-03 Smart 16/4 Cardbus Mk2 - -  * 51-04 Smart 16/4 PCI Ringnode Mk3 - -  * 60-07 Presto PCI 2000 - -  * 60-06 Presto PCI Plus - -  * 60-05 Presto PCI - - -According to the Madge README file the 2.41 driver has been tested on -uniprocessor and SMP kernel versions: 2.0.36, 2.2.5-15 ,2.2.10, 2.2.12-20, -2.4.2-2. - -Other Madge cards are reportedly based on the Texas Instruments tms380 -chipset and thus as of the 2.3.26 kernel you can try the tms380tr driver. - -SysKonnect - -  * TR4/16(+) SK-4190 ISA - -  * TR4/16(+) SK-4590 PCI - -  * TR4/16(+) SK-4591 PCI - - -In the 2.2.x series of kernels try sktr. In the 2.3.x and greater series try -the tms380tr driver. - -SMC - -  * Tokencard Elite (8115T) - -  * Tokencard Elite/A MCA (8115T/A) - - -Driver is included as part of the 2.3.38+ kernel. - -Intel - -  * TokenExpress PRO - -  * TokenExpress 16/4 - - -Support for these cards is currently under development. Check [http:// -www.linuxtr.net] http://www.linuxtr.net for status. ------------------------------------------------------------------------------ - -3.1. Drivers/Adapter Specifics - -Here we'll describe the different options and configurations available for -each of the available drivers. ------------------------------------------------------------------------------ - -3.1.1. Kernel Module Aliases and Parameters - -Most drivers accept arguments in the form of module paramters (with the -exception of the special case of PCMCIA, which is fully described below). - -Kernel modules are specified in the file /etc/conf.modules or /etc/ -modules.conf depending upon which version of modutils you've got. - -You can directly modify this file or use the tools builtin to your specific -distribution. 
These distribution specific tools are beyond the scope of this -document, but you can always directly modify the modules.conf file by hand to -get things up and running and then figure out how your distribution handles -these files. For example, Debian has several files in the /etc/modutils -directory and from these builds the modules.conf file. - -Kernel modules aliases are utilized to associate a particular name with a -kernel module. - -For token ring, this is used to assign drivers for each of the token ring -interfaces so that the system scripts know which driver to insert when you -bring an interface up. - -The format of the alias lines are: -+---------------------------------------------------------------------------+ -| alias module_name interface | -| | -+---------------------------------------------------------------------------+ -Usually, the only line you'll need for the token ring networking would be -something like: -+---------------------------------------------------------------------------+ -|alias olympic tr0 | -+---------------------------------------------------------------------------+ -This binds the olympic driver to the tr0 interface so when you type -+---------------------------------------------------------------------------+ -|ifconfig tr0 up | -+---------------------------------------------------------------------------+ -if the tr0 interface is not already loaded, the system will insert the -olympic driver, which in turn will find the network card and create the tr0 -network device. - -Kernel modules parameters are specified in the following format: -+---------------------------------------------------------------------------+ -| options module_name parameter_1=XXX [parameter2=YYY ...] | -| | -+---------------------------------------------------------------------------+ -Where the modules_name is the name of the driver, i.e. olympic, ibmtr, 3c359 -and the ` parameters are those available for each driver. 
See either the -following sections for driver specifics or check out the drivers source code. - -For example, if you wanted to set the Olympic driver to 16 mbps operation and -with a default buffer size of 8192 bytes, you would use the following line: -+---------------------------------------------------------------------------+ -| options olympic ringspeed=16 pkt_buf_sz=8192 | -| | -+---------------------------------------------------------------------------+ ------------------------------------------------------------------------------ - -3.1.2. IBMTR Driver - -IBM Tropic Chipset Based Token Ring Adapters - -This is the original token ring driver in the kernel and supports almost all -adapters that use the IBM Tropic chipset, including the IBM ISA, ISA/Pnp, and -a multitude of adapters from other manufacturers. - -The IBM Turbo 16/4 ISA/PnP adapter will, in fact, work fine with the ibmtr -driver. In older drivers you had to run the card in Auto 16/4 compatability -mode. The simplest way to set this is to use the LANAID disks sent with the -card and run the command: -+---------------------------------------------------------------------------+ -|LANAIDC /FAST=AUTO16 | -+---------------------------------------------------------------------------+ -You should then use LANAIDC or LANAID to configure the card according to -documentation. The latest drivers for the Turbo Adapters will recognize these -adapters and configure them straight out of the box. You may have to either -turn off isapnp support in the kernel or modify your isapnp.conf file to -enable the adapter. - -Options: - -Perusal of the ibmtr source code may leave you to believe that the adapter -can take three parameters, however, in reality the driver doesn't take any. -These parameters are a hang over from the early stages of the driver and are -only intended to be used to force the driver to only test restricted -åddresses when looking for adapters. 
The information on these options are -included here for completeness only. - -  * io: Specify the I/O ports that the driver will check for the presence of - any cards. All Tropic based ISA adapters, or adapters emulating the ISA - cards will be found on either port 0xA20 or 0xA24. If you know that your - adapter is configured for 0xA24 and/or that probing on port 0xA20 will - cause problems with your machine, use io to force the driver to check a - specific port only. - - The Turbo adapters (including the confusingly named latest Auto 16/4 - cards) can have their io regions located anywhere permitted by the PnP - specification. This location is found using the new turbo detection code - and no parameters are required. - -  * irq & mem: The two options were used to tell the driver exactly which irq - to use and where the shared ram for the adapter could be found. These two - options are now totally redundant in the driver as the interrupt line and - the location of the shared ram is obtained directly by interrogating the - adapter. - - ------------------------------------------------------------------------------ -3.1.3. Olympic Driver - -IBM PCI Pit/Pit-Phy/Olympic chipset based token ring cards - -Options: - -The driver accepts four options: ringspeed, pkt_buf_sz, message_level and -network_monitor. - -These options can be specified differently for each card found, i.e if you -have two olympic adapters in your machine and want to assign a ring speed of -16mbps to the first adapter, but a ring speed of 4mbps to the second adapter, -your options line would read: -+---------------------------------------------------------------------------+ -| options olympic ringspeed=16,4 | -| | -+---------------------------------------------------------------------------+ -However, it should be noted that the driver assigns value to each adapter in -the order they are discovered¸ which is usually the order there are present -on the pci bus. 
A little trial and error may be required to be certain which -adapter is receiving which configuration option. - - - -  * ringspeed: Has one of three settings 0 (default), 4 or 16. 0 will make - the card autosense the ringspeed and join at the appropriate speed, this - will be the default option for most people. 4 or 16 allow you to - explicitly force the card to operate at a certain speed. The card will - fail if you try to insert it at the wrong speed. (Although some hubs will - allow this so be *very* careful). The main purpose for explicitly setting - the ring speed is for when the card is first on the ring. In autosense - mode, if the card cannot detect any active monitors on the ring it will - not open, so you must re-init the card at the appropriate speed. - Unfortunately at present the only way of doing this is rmmod and insmod - which is a bit tough if it is compiled in the kernel. The driver does - support 100 mbps full duplex operation. This is automatically detected by - the adapter when connected to an appropriate switch. - -  * pkt_buf_sz: This is this initial receive buffer allocation size. This - will default to 4096 if no value is entered. You may increase performance - of the driver by setting this to a value larger than the network packet - size, although the driver now re-sizes buffers based on MTU settings as - well. - -  * message_level: Controls level of messages created by the driver. Defaults - to 0 which only displays start-up and critical messages. Presently any - non-zero value will display all soft messages as well. NB This does not - turn debugging messages on, that must be done by modified the source - code. - -  * network_monitor: Any non-zero value will provide a quasi network - monitoring mode. All unexpected MAC frames (beaconing etc.) will be - received by the driver and the source and destination addresses printed. 
- Also an entry will be added in /proc/net called olympic_tr%d, where tr%d - is the registered device name, i.e tr0, tr1, etc. This displays low level - information about the configuration of the ring and the adapter. This - feature has been designed for network administrators to assist in the - diagnosis of network / ring problems. (This used to - OLYMPIC_NETWORK_MONITOR, but has now changed to allow each adapter to be - configured differently and to alleviate the necessity to re-compile - olympic to turn the option on). - - -Multi-card. The driver will detect multiple cards and will work with shared -interrupts, each card is assigned the next token ring device, i.e. tr0 , tr1, -tr2. The driver should also happily reside in the system with other drivers. -It has been tested with ibmtr.c running. I have had multiple cards in the -same system, all sharing the same interrupt and working perfectly fine -together. This is also true for the Cardbus Olympic adapters, I have quite -happily had a Cardbus adapter and regular 16 bit PCMCIA token ring adapter -working together in the same laptop. - -Variable MTU size:. The driver can handle a MTU size upto either 4500 or -18000 depending upon ring speed. The driver also changes the size of the -receive buffers as part of the mtu re-sizing, so if you set mtu = 18000, you -will need to be able to allocate 16 * (sk_buff with 18000 buffer size) call -it 18500 bytes per ring position = 296,000 bytes of memory space, plus of -course anything necessary for the tx sk_buff's. Remember this is per card, so -if you are building routers, gateway's etc, you could start to use a lot of -memory real fast. ------------------------------------------------------------------------------ - -3.1.4. Lanstreamer Driver - -IBM PCI/MCA Lanstreamer chipset based token ring cards - -Options: - -The driver accepts three options: ringspeed, pkt_buf_sz, message_level and -network_monitor. 
- -These options can be specified differently for each card found, i.e if you -have two olympic adapters in your machine and want to assign a ring speed of -16mbps to the first adapter, but a ring speed of 4mbps to the second adapter, -your options line would read: -+---------------------------------------------------------------------------+ -| options lanstreamer ringspeed=16,4 | -| | -+---------------------------------------------------------------------------+ -However, it should be noted that the driver assigns value to each adapter in -the order they are discovered¸ which is usually the order there are present -on the pci/mca bus. A little trial and error may be required to be certain -which adapter is receiving which configuration option. - - - -  * ringspeed: Has one of three settings 0 (default), 4 or 16. 0 will make - the card autosense the ringspeed and join at the appropriate speed, this - will be the default option for most people. 4 or 16 allow you to - explicitly force the card to operate at a certain speed. The card will - fail if you try to insert it at the wrong speed. (Although some hubs will - allow this so be *very* careful). The main purpose for explicitly setting - the ring speed is for when the card is first on the ring. In autosense - mode, if the card cannot detect any active monitors on the ring it will - not open, so you must re-init the card at the appropriate speed. - Unfortunately at present the only way of doing this is rmmod and insmod - which is a bit tough if it is compiled in the kernel. switch. - -  * pkt_buf_sz: This is this initial receive buffer allocation size. This - will default to 4096 if no value is entered. You may increase performance - of the driver by setting this to a value larger than the network packet - size, although the driver now re-sizes buffers based on MTU settings as - well. - -  * message_level: Controls level of messages created by the driver. 
Defaults - to 0 which only displays start-up and critical messages. Presently any - non-zero value will display all soft messages as well. NB This does not - turn debugging messages on, that must be done by modified the source - code. - - -Network Monitor. The Lanstreamer driver does support a network monitor mode -similar to the olympic driver, however it is a compile time option and not a -module parameter. To enable the network monitor mode, edit lanstreamer.c and -change the line: -+---------------------------------------------------------------------------+ -|#define STREAMER_NETWORK_MONITOR 0 | -+---------------------------------------------------------------------------+ -to read: -+---------------------------------------------------------------------------+ -|#define STREAMER_NETWORK_MONITOR 1 | -+---------------------------------------------------------------------------+ -All unexpected MAC frames (beaconing etc.) will be received by the driver and -the source and destination addresses printed. Also an entry will be added in -/proc/net called streamer_tr. This displays low level information about the -configuration of the ring and the adapter. This feature has been designed for -network administrators to assist in the diagnosis of network / ring problems. - -Multi-card. The driver will detect multiple cards and will work with shared -interrupts, each card is assigned the next token ring device, i.e. tr0 , tr1, -tr2. The driver should also happily reside in the system with other drivers. - -Variable MTU size:. The driver can handle a MTU size upto either 4500 or -18000 depending upon ring speed. The driver also changes the size of the -receive buffers as part of the mtu re-sizing, so if you set mtu = 18000, you -will need to be able to allocate 16 * (sk_buff with 18000 buffer size) call -it 18500 bytes per ring position = 296,000 bytes of memory space, plus of -course anything necessary for the tx sk_buff's. 
Remember this is per card, so -if you are building routers, gateway's etc, you could start to use a lot of -memory real fast. ------------------------------------------------------------------------------ - -3.1.5. 3Com 3C359 Driver - -3COM PCI TOKEN LINK VELOCITY XL TOKEN RING CARDS - -Currently the 3c359 driver in not included in the standard kernel source. To -utlize the driver, you must download the driver from the [http:// -www.linuxtr.net] Linux Token Ring Project web site and patch your kernel. - -Once you've downloaded the file, you can patch your kernel with the following -commands: -+---------------------------------------------------------------------------+ -| cd /usr/src/linux | -| patch -p1 < 3c359-2.4.16.patch | -| | -+---------------------------------------------------------------------------+ -or, if the patch file is gzipped: -+---------------------------------------------------------------------------+ -| zcat 3c359-2.4.16.patch | patch -p1 | -| | -+---------------------------------------------------------------------------+ -Then just run make config|menuconfig|xconfig and select the 3c359 driver from -the token ring drivers section of the kernel configuration and then compile -and install the kernel and/or modules as usual. - -Options: - -The driver accepts three options: ringspeed, pkt_buf_sz, message_level. - -These options can be specified differently for each card found, i.e if you -have two olympic adapters in your machine and want to assign a ring speed of -16mbps to the first adapter, but a ring speed of 4mbps to the second adapter, -your options line would read: -+---------------------------------------------------------------------------+ -| options 3c359 ringspeed=16,4 | -| | -+---------------------------------------------------------------------------+ -However, it should be noted that the driver assigns value to each adapter in -the order they are discovered¸ which is usually the order there are present -on the pci bus. 
A little trial and error may be required to be certain which -adapter is receiving which configuration option. - - - -  * ringspeed: Has one of three settings 0 (default), 4 or 16. 0 will make - the card autosense the ringspeed and join at the appropriate speed, this - will be the default option for most people. 4 or 16 allow you to - explicitly force the card to operate at a certain speed. The card will - fail if you try to insert it at the wrong speed. (Although some hubs will - allow this so be *very* careful). The main purpose for explicitly setting - the ring speed is for when the card is first on the ring. In autosense - mode, if the card cannot detect any active monitors on the ring it will - open at the same speed as its last opening. This can be harardous if this - speed does not match the speed you want the ring to operate at. - -  * pkt_buf_sz: This is this initial receive buffer allocation size. This - will default to 4096 if no value is entered. You may increase performance - of the driver by setting this to a value larger than the network packet - size, although the driver now re-sizes buffers based on MTU settings as - well. - -  * message_level: Controls level of messages created by the driver. Defaults - to 0 which only displays start-up and critical messages. Presently any - non-zero value will display all soft messages as well. NB This does not - turn debugging messages on, that must be done by modified the source - code. - - -Multi-card. The driver will detect multiple cards and will work with shared -interrupts, each card is assigned the next token ring device, i.e. tr0 , tr1, -tr2. The driver should also happily reside in the system with other drivers. -It has been tested with ibmtr.c running. I have had multiple cards in the -same system, all sharing the same interrupt and working perfectly fine -together. - -Variable MTU size:. The driver can handle a MTU size upto either 4500 or -18000 depending upon ring speed. 
The driver also changes the size of the -receive buffers as part of the mtu re-sizing, so if you set mtu = 18000, you -will need to be able to allocate 16 * (sk_buff with 18000 buffer size) call -it 18500 bytes per ring position = 296,000 bytes of memory space, plus of -course anything necessary for the tx sk_buff's. Remember this is per card, so -if you are building routers, gateway's etc, you could start to use a lot of -memory real fast. ------------------------------------------------------------------------------ - -3.1.6. SysKonnect adapters - -Information for the SysKonnect Token Ring ISA/PCI Adapter is courtesy Jay -Schulist - -The Linux SysKonnect Token Ring driver works with the SysKonnect TR4/16(+) -ISA, SysKonnect TR4/16(+) PCI, SysKonnect TR4/16 PCI, and older revisions of -the SK NET TR4/16 ISA card. - -Latest information on this driver can be obtained on the Linux-SNA WWW site. -Please point your browser to: http://www.linux-sna.org - -Important information to be noted: - -  * 1. Adapters can be slow to open (~20 secs) and close (~5 secs), please be - patient. - -  * 2. This driver works very well when autoprobing for adapters. Why even - think about those nasty io/int/dma settings of modprobe when the driver - will do it all for you! - - -This driver is rather simple to use. Select Y to Token Ring adapter support -in the kernel configuration. A choice for SysKonnect Token Ring adapters will -appear. This drives supports all SysKonnect ISA and PCI adapters. Choose this -option. I personally recommend compiling the driver as a module (M), but if -you you would like to compile it staticly answer Y instead. - -This driver supports multiple adapters without the need to load multiple -copies of the driver. You should be able to load up to 7 adapters without any -kernel modifications, if you are in need of more please contact the -maintainer of this driver. - -Load the driver either by lilo/loadlin or as a module. 
When a module using -the following command will suffice for most: -+---------------------------------------------------------------------------+ -| # modprobe sktr | -| | -+---------------------------------------------------------------------------+ -This will produce output similar to the following: (Output is user specific) -+--------------------------------------------------------------------------------+ -| sktr.c: v1.01 08/29/97 by Christoph Goos | -| tr0: SK NET TR 4/16 PCI found at 0x6100, using IRQ 17. | -| tr1: SK NET TR 4/16 PCI found at 0x6200, using IRQ 16. | -| tr2: SK NET TR 4/16 ISA found at 0xa20, using IRQ 10 and DMA 5. | -| | -+--------------------------------------------------------------------------------+ -Now just setup the device via ifconfig and set and routes you may have. After -this you are ready to start sending some tokens. - -Errata. For anyone wondering where to pick up the SysKonnect adapters please -browse to http://www.syskonnect.com - -Below is the setting for the SK NET TR 4/16 ISA adapters -+---------------------------------------------------------------------------------------+ -| *************************** | -| *** C O N T E N T S *** | -| *************************** | -| | -| 1) Location of DIP-Switch W1 | -| 2) Default settings | -| 3) DIP-Switch W1 description | -| | -| | -| ============================================================== | -| CHAPTER 1 LOCATION OF DIP-SWITCH | -| ============================================================== | -| | -| +------------------------------------------------------------------+ | -| |+------+ +-----+ +---+ | | -| ||------| W1 +-----+ +----+ | | | | -| ||------| | | | | +---+ | -| ||------| +-----------+ +----+ | | | || | -| ||------| | | +---+ +---+ +---+ | -| ||------| | TMS380C26 | | | | | -| ||------| | | +---+ |-+ | -| |+------+ | | | | | -| | +-----------+ | | | -| | | | | -| | |-+ | -| | | | -| | | | -| | | | -| | | | -| 
+------------+----------------+--+-----------------------+---------+ | -| +----------------+ +-----------------------+ | -| | -+---------------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------+ -| | -| ============================================================== | -| CHAPTER 2 DEFAULT SETTINGS | -| ============================================================== | -| | -| W1 1 2 3 4 5 6 7 8 | -| +------------------------------+ | -| | ON X | | -| | OFF X X X X X X X | | -| +------------------------------+ | -| | -| W1.1 = ON Adapter drives address lines SA17..19 | -| W1.2 - 1.5 = OFF BootROM disabled | -| W1.6 - 1.8 = OFF I/O address 0A20h | -| | -+-------------------------------------------------------------------------------+ -+-------------------------------------------------------------------------------+ -| ============================================================== | -| CHAPTER 3 DIP SWITCH W1 DESCRIPTION | -| ============================================================== | -| | -| +---+---+---+---+---+---+---+---+ ON | -| | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | | -| +---+---+---+---+---+---+---+---+ OFF | -| |AD | BootROM Addr. 
| I/O | | -| +-+-+-------+-------+-----+-----+ | -| | | | | -| | | +------ 6 7 8 | -| | | ON ON ON 1900h | -| | | ON ON OFF 0900h | -| | | ON OFF ON 1980h | -| | | ON OFF OFF 0980h | -| | | OFF ON ON 1b20h | -| | | OFF ON OFF 0b20h | -| | | OFF OFF ON 1a20h | -| | | OFF OFF OFF 0a20h (+) | -| | | | -| | | | -| | +-------- 2 3 4 5 | -| | OFF x x x disabled (+) | -| | ON ON ON ON C0000 | -| | ON ON ON OFF C4000 | -| | ON ON OFF ON C8000 | -| | ON ON OFF OFF CC000 | -| | ON OFF ON ON D0000 | -| | ON OFF ON OFF D4000 | -| | ON OFF OFF ON D8000 | -| | ON OFF OFF OFF DC000 | -| | | -| | | -| +----- 1 | -| OFF adapter does NOT drive SA<17..19> | -| ON adapter drives SA<17..19> (+) | -| | -| | -| (+) means default setting | -| | -| | -+-------------------------------------------------------------------------------+ ------------------------------------------------------------------------------ - -3.1.7. PCMCIA - -3.1.7.1. Introduction - -PCMCIA Token Ring adapters will work on all versions of the Linux kernel. -Unfortunately, the road to hell is often paved with melting snowballs ;-) and -there are a myriad of different combinations that can be used to get the -adapters to work, all with different options, different requirements and -different issues. Hopefully with this document you will be able to figure out -which combinations of ingredients are required and how to get them up and -running on your machine. ------------------------------------------------------------------------------ - -3.1.7.2. History - -In the 2.0.x and 2.2.x kernels days, pcmcia was only available as an external -package, created and maintained by David Hinds. When the only stable kernel -available was 2.0.36, life was pretty easy and with a few simple -configuration options the adapters would work. - -With the advent of 2.2.x, ibmtr.c was completely updated, which broke the -pcmcia driver (ibmtr_cs.c). The pcmcia driver was updated to work with the -new ibmtr driver and the 2.2.x kernels. 
This is where the first level of -complication starts. As the pcmcia_cs package is stand alone, it has to -support the various different kernels, so instead of being able to have -different versions of drivers in different versions of the kernel source, the -pcmcia_cs drivers must work with all kernel versions. This not only creates -some ugliness in the driver itself but also causes confusion as to which -version of pcmcia_cs works for the latest kernel. - -At this point, everything was working fine, and then come along the 2.3.x -develpment series of kernels. The 2.3.x kernels provided their own support -for pcmcia and the ibmtr_cs driver was included in the kernel proper. So now -there were two ways of getting pcmcia token ring support, either using the -kernel drivers themselves or using the pcmcia_cs package, not too much of a -problem because only developers were using the 2.3.x kernels. Of course this -all changed when the 2.4 kernel was released and a lot more users started -using the kernel. - -During late 2000, early 2001, significant development work was done on both -the standard ibmtr driver and the pcmcia driver. Original pcmcia updates -including using high memory and hot-eject support. These initial updates were -only for the 2.2.x kernels, and hence only included in the pcmcia_cs package. -Later development saw great improvements in ibmtr and ibmtr_cs for the 2.4.x -kernels. So as of writing, 1/23/02 , there are many different combinations of -kernel version and driver floating around especially considering that -different distributions have released different versions of the 2.4 kernels. ------------------------------------------------------------------------------ - -3.1.7.3. 
2.0.x kernels - -If you are using one of the 2.0.x kernels, then I salute your perserverance -and really you should have got the pcmcia drivers configured and working by -now ;-) - -You will have to use the pcmcia_cs package and play with the /etc/pcmcia/ -config.opts, see the section below about config.opts fun. Just about any -version of pcmcia_cs that's been released in the last 2/3 years will work -fine. ------------------------------------------------------------------------------ - -3.1.7.4. 2.2.0 - 2.2.6 kernels - -These were the series of kernels where the pcmcia driver didn't work at all. -It's probably just easiest to upgrade the kernel to a later version. - -If you really do need to get this up and running, then a recent pcmcia_cs is -required and you should be able to grab the ibmtr.c and ibmtr.h from a 2.2.7 -- 2.2.16 kernel and use them (note no greater than 2.2.16 !!) - -You have to do the config.opts mangling, see the section on setting all this -up. ------------------------------------------------------------------------------ - -3.1.7.5. 2.2.7 - 2.2.16 kernels - -These kernels are well supported, simply use the pcmcia_cs package and play -with the config.opts file. ------------------------------------------------------------------------------ - -3.1.7.6. 2.2.17 - 2.2.19 kernels - -The pcmcia driver was updated for these kernel to eliminate the need for the -config.opts mangling. You'll need pcmcia_cs at least 3.1.24, although it is -probably better just to grab the latest version. - -Simply compile up pcmcia_cs and you're done. No need to play with -config.opts, in fact if you've been running a previous version that did have -the ibmtr_cs line in config.opts it would be a very good idea to remove or -comment out the line. The new driver allocates the entire 64k for shared ram -and it needs to be aligned on a 64k boundary, if you've got a previous -srambase value not on a 64k boundary, the driver will barf and the kernel -will panic. 
------------------------------------------------------------------------------ - -3.1.7.7. 2.4.0 - 2.4.4 (non Redhat) kernels - -Use the built-in kernel pcmcia driver and play with config.opts. - -If you want to use the latest and greatest version of the driver with the -high memory and hot-swap support you can download the patch and patch up your -kernel. Then the line in config.opts can be removed and everything will work -fine. ------------------------------------------------------------------------------ - -3.1.7.8. 2.4.4-ac11 > kernels - -These kernels include the new drivers so simply compile up the drivers, -ensure that there is no configuration line in config.opts and away you go. ------------------------------------------------------------------------------ - -3.1.7.9. 2.4.2 mangled, i.e. Redhat 7.1 - -When RedHat released 7.1 with the 2.4.2 kernel they modified the kernel (as -they always do) and included the updated ibmtr/ibmtr_cs driver from the -[http://www.linuxtr.net] web site. If you're lucky this may work straight out -of the box (again no need for the ibmtr_cs line in config.opts), if not then -it is probably easiest to upgrade to the latest 2.4.x kernels and use the -drivers there. (The reason being that while I will work out how to get around -a distribution caused problem, I will not provide support for them, I'll -answer questions and give help because I'm a nice guy, but I am not going to -provide driver updates against distributions. Official support is for the -drivers in the kernels available from the official kernel mirrors. ------------------------------------------------------------------------------ - -3.1.7.10. 2.4.x kernels and pcmcia_cs - -There is no need to use pcmcia_cs with the 2.4 kernels to get the token ring -adapters up and running, but I appreciate that some of you may need to use -pcmcia_cs to get other adapters working that are not supported properly in -the kernel. 
- -The pcmcia_cs package will not work with the latest drivers, it may work with -the 2.4.0-2.4.4 drivers. I am currently in two minds about providing support -with pcmcia_cs for the 2.4 kernels, you can ask me directly or check the -[http://www.linuxtr.net] web site every now and then so see if anything has -changed. ------------------------------------------------------------------------------ - -3.1.7.11. Config.opts mangling (or how to send yourself insane) - -This is the hardest part to getting the pcmcia adapters working with the -drivers that need the ibmtr_cs line in /etc/pcmcia/config.opts. No set of -values is guaranteed to work the same on a different machine. It really is a -case of trial and error but forewarned and forearmed with a little bit of -knowledge can make the process a whole lot easier. - -"Hey, I don't care, just give me something that works" - -OK, try this, it works in most situations, if it doesn't you have to read the -rest of the section anyway. Just insert the following line in /etc/pcmcia/ -config.opts -+---------------------------------------------------------------------------+ -|modules "ibmtr_cs" opts "mmiobase=0xd2000 srambase=0xd4000" | -+---------------------------------------------------------------------------+ -restart pcmcia and insert the adapter. - -"OK, that didn't work, bring on the pain" - -The pcmcia driver need to allocate two areas of memory to operate properly. -All areas of memory allocated must be aligned on the same boundary as the -size of the area being aligned, i.e. a block 8K in size must be on an 8K -boundary (0xc8000, 0xca000, 0xcc000, 0xce000, 0xd0000, 0xd2000) and for a 16K -block must be on a 16K boundary (0xc8000, 0xcc000, 0xd0000, 0xd4000). All -memory areas must be allocated within the ISA address space, -0xC0000-0xDFFFF). Theoretically you should be able to use anywhere within -this area, although experience has shown that most machines hide stuff in the -0xc0000-0xc9fff area. 
Some machines have even been known to use the -0xd0000-0xd1fff area without telling anybody (some thinkpads !!). So you -really want to stick with memory allocations in the 0xcc000 - 0xdffff range. - -Of course, the two memory areas cannot overlap either ;) - -The first area of memory is an 8K area for the memory mapped input/output -(MMIO) and must be placed on an 8K boundary. This area of memory is not -usually the cause of any problems and can be placed pretty much anywhere, -recommended values are: 0xcc000, 0xd0000,0xd2000,0xd4000. - -The second area of memory can be sized to fit your desires, this is the area -of memory where the incoming and outgoing packets are stored and received. -The driver defaults to a 16K memory size and must be placed on a 16K -boundary. Good areas are: 0xd0000,0xd4000,0xd8000. - -Once you've decided which areas of memory you are goin to try, you need to -add the correct line to the /etc/pcmcia/config.opts file. Configuration lines -in this file take the format of: -+-----------------------------------------------------------------------------------------------+ -| module "module_name" opts "option1=opt1_value option2=opt2_value ...." | -| | -+-----------------------------------------------------------------------------------------------+ -In our case module_name is ibmtr_cs. There are three options that be set with -the ibmtr_cs driver, mmiobase, srambase and sramsize. - -If they are not set they will revert to the defaults in the driver, which in -9 cases out of 10 won't work for you. sramsize rarely has to be set unless -you are looking for that last little bit of performance from your adapter. 
- -So, having decided upon your values, let's say 0xd2000 for the MMIO and -0xd4000 for the shared memory you would build a config.opts line like this: -+------------------------------------------------------------------------------------+ -| module "ibmtr_cs" opts "mmiobase=0xd2000 srambase=0xd4000" | -| | -+------------------------------------------------------------------------------------+ -The pcmcia_cs package must be restarted for these new options to take effect, -usually with: -+---------------------------------------------------------------------------+ -|/etc/init.d/pcmcia restart or /etc/rc.d/init.d/pcmcia/restart | -+---------------------------------------------------------------------------+ -depending upon which run level organization your distribution adheres to. - -Then just plug it in and see if it works. If not you'll just have to go back -and change the values for mmiobase and srambase until you find a combination -that works. Or, you can upgrade to a kernel/pcmcia_cs version that support -high memory allocation, where all this config.opts nonsense is not required -and you can just happily plug your adapter in and watch it run. ------------------------------------------------------------------------------ - -3.1.8. Madge Supplied Drivers - -Madge released 2.31 of their driver in 1999 and 2.41 in late 2001. Both -drivers can be downloaded from the [http://www.madge.com] Madge web site and -the 2.41 driver is also available from the [http:/www.linuxtr.net] Linux -Token Ring Project web site. - -Once the drivers have been downloaded, see the README file that comes with -the drivers for instruction on how to built and install the drivers. The only -other issue some people find with the drivers is a failure to build the tool -chain due to an incorrect version of the newt libraries. 
If you get a -compiler error relating to newt.h change the madge-source/include/mtok/ -config.h file so that the #define NEWNEWT line reads: -+---------------------------------------------------------------------------+ -| #define NEWNEWT 1 | -| | -+---------------------------------------------------------------------------+ -This will ensure the tools use the correct newt libraries during the build -process. - -A patch is available from the Linux Token Ring Project web site for the 2.31 -drivers to enable them to work with the 2.4.x kernels. ------------------------------------------------------------------------------ - -3.1.9. Olicom Drivers - -Back when Olicom were still in business they did produce a Linux driver that -does actually work. Trying to find the driver these days is a bit tough. If -the ftp.olicom.com site is still up and running, the driver can be found -there. - -The driver is a combination of GPL source code and proprietary binary low -level code. The driver only works with the 2.0.36 and 2.2.x kernels. It -should be possible to port this driver to the 2.4.x kernels... ------------------------------------------------------------------------------ - -4. Known problems - -See www.linuxtr.net for the latest greatest set of bugs. Generally speaking -the biggest problem that I've seen (with ibmtr) is that if you pull your -connection from the wall the 2.0.x series of kernels would generally not -recover. - -This has been fixed in the latest version of ibmtr and the driver should now -recognize when the link cable has been detached. - -There are some laptops that don't want to work with the Olympic Cardbus -adapter, for some reason the driver never sees the open interrupt from the -card. 
I don't think this is a problem with the driver, but with the Cardbus -subsystem, for some people this problem has simply gone away with a newer -kernel and I personally have never seen it on the laptops I've used in the -development of the driver (Sony Vaio Z505 and Dell Latitude CPx500). ------------------------------------------------------------------------------ - -5. VMWare and Token Ring - -Thanks to Scott Russell scottrus@raleigh.ibm.com for this little "trick" - -One of the bummers about VMWare is if you are on a Token-Ring adapter, your -VMWare system can't have a real TCP/IP address. Turns out this isn't the -case. Here's how to do it. - -  * In the info below we'll call your linux box 'linux.mycompany.biz.com' - -  * Register another ip address, I'll call it 'vmware.mycompany.biz.com' - -  * Make sure FORWARD_IPV4=true in your /etc/sysconfig/network file. If you - have to change it you can dynamically turn on the feature as root - +---------------------------------------------------------------+ - | cat 1 > /proc/sys/net/ipv4/ip_forward | - +---------------------------------------------------------------+ - -  * Alias the second ip to the TR adapter. You end up with something like - this from /sbin/ifconfig: - +---------------------------------------------------------------+ - | tr0 linux.mycompany.biz.com | - | tr0:0 vmware.mycompany.biz.com | - | vmnet1 192.168.0.1 | - | | - +---------------------------------------------------------------+ - -  * Make sure you can ping both ip addresses from another box. If you cannot - then this next step will not work. - -  * Use ipchains/iptables to redirect incoming traffic for the tr0:0 - interface to your vmnet1 interface. (When I did this I only redirected - specific ports from tr0:0 to vmnet1.) - - -Now any outside system your 'NT' box appears to be on the TR. In bound -traffic can find it as well as out. ------------------------------------------------------------------------------ - -6. 
Commonly asked Questions - -Here are a collection of commonly asked questions that arise from time to -time on the linux-tr mailing list. If your question isn't answered here or -elsewhere in this document, feel free to ask away on the mailing list. - -Q: DHCP doesn't work with my Token Ring adapter. -Q: I can't set the LAA on my adapter with ifconfig tr0 hw tr 4000DEADBEEF. -Q: My Linux machine is on a bridged network and I'm having connectivity - issues with machine beyond the bridge. -Q: Can I use a Linux machine to bridge between token ring and ethernet ? -Q: OK, if I can't bridge, how do I connect my Token Ring and ethernet - networks ? - -Q: DHCP doesn't work with my Token Ring adapter. - -A: Certain dhcp servers and clients do not work properly with token ring -drivers. This is especially true with the 2.4 kernels. During the development -of the 2.3.x series of kernels the internal type for token ring was changed -to accomodate multicast support over token ring. The solution is to upgrade -your dhcp client/server to a version that supports token ring and/or the -latest kernel versions. - -Q: I can't set the LAA on my adapter with ifconfig tr0 hw tr 4000DEADBEEF. - -A: Firstly, double check that your adapter/driver support setting the LAA, -and that you've supplied a valid LAA. Also, most drivers will only allow this -to be set before the adapter is opened onto the ring. Again, this is related -to the change in the internal type for token ring in the 2.4 kernels. A patch -is available from the [http:/www.linuxtr.net] web site for nettools that -fixes this and allows the LAA to be set. - -Q: My Linux machine is on a bridged network and I'm having connectivity -issues with machine beyond the bridge. - -A: The token ring source routing code in the kernel uses the spanning tree -algorithm. Contact your network administrator to enable this protocol on the -bridges. - -Q: Can I use a Linux machine to bridge between token ring and ethernet ? 
- -A: The simply answer in no. Bridging network topologies in software is -incredibly complicated and while it is possibly, nobody has written the code -to do it. If you must bridge there are several manufacturers that produce -hardware bridges (most notably Cisco). - -Q: OK, if I can't bridge, how do I connect my Token Ring and ethernet -networks ? - -A: A cheap linux box with a token ring and ethernet adapter makes an -excellent router. There is no difference between setting up a token ring/ -ethernet router and an ethernet/ethernet router. You can do masquerading -(NAT) and filtering on the router as per usual. For more details see the -Netfilter howto. - -Q: What options do I need to include in the kernel for Token Ring driver -support? - -A: - Kernel Compile Options: - - Network device support ---> - [*] Network device support - .... - [*] Token Ring driver support - < > IBM Tropic chipset based adaptor support - -Q: Where can I find more information? - -If you have any problems with the drivers that are not talked about in this -howto, feel free to email me at . - -You may also wish to join the Linux on Token Ring Listserv by mailing < -majordomo@linuxtr.net> with the body containing: -+---------------------------------------------------------------------------+ -|subscribe linux-tr | -+---------------------------------------------------------------------------+ -The latest and greatest information, drivers, patches, bug fixes, etc, etc -can always be found at the [http://www.linuxtr.net] Linux Token Project site. +See Token-Ring HOWTO for more details on running Token Ring on your local +network. 
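Review bot: the replacement at the end of this hunk, "See Token-Ring HOWTO for more details on running Token Ring on your local network.", is plain text with no link or URL, so a reader of the guide cannot reach the material removed above it. Since this is a DocBook source, make it a real link to the HOWTO (a ulink, for example). Before merging, confirm that the HOWTO still carries the operational warnings deleted here, in particular the 2.2.17 - 2.2.19 note that a leftover srambase value not on a 64k boundary makes the kernel panic, and the config.opts rule that the MMIO and shared RAM areas must be size-aligned and must not overlap. If the VMWare steps are carried over, note that the removed command `cat 1 > /proc/sys/net/ipv4/ip_forward` reads a file named 1 rather than writing the value; it should be `echo 1`.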
@@ -3506,1610 +2332,7 @@ provide information that has to be known throughout the network to all machines on the network. For example, it enables an administrator to allow users access to any machine in a network running NIS without a password entry existing on each machine; only the main database needs -to be maintained. This section describes how to configure Linux as -NIS(YP) or NIS+ client and how to install an NIS(YP) server. -Don't forget to read Section 5. - - ------------------------------------------------------------------------------ -2.2. Some General Information - - -The next four lines are quoted from the Sun(tm) System & Network -Administration Manual: - - - - -+---------------------------------------------------------------------------+ -| "NIS was formerly known as Sun Yellow Pages (YP) but | -| the name Yellow Pages(tm) is a registered trademark | -| in the United Kingdom of British Telecom plc and may | -| not be used without permission." | -+---------------------------------------------------------------------------+ - - - - -NIS stands for Network Information Service. Its purpose is to provide -information, that has to be known throughout the network, to all machines on -the network. Information likely to be distributed by NIS is: - - - -  * login names/passwords/home directories (/etc/passwd) -  * group information (/etc/group) - - - -If, for example, your password entry is recorded in the NIS passwd database, -you will be able to login on all machines on the network which have the NIS -client programs running. - - - -Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc. - ------------------------------------------------------------------------------ - -3. NIS, NYS or NIS+ ? - -3.1. libc 4/5 with traditional NIS or NYS ? - - -The choice between "traditional NIS" or the NIS code in the NYS library is a -choice between laziness and maturity vs. flexibility and love of adventure. 
-The "traditional NIS" code is in the standard C library and has been around -longer and sometimes suffers from its age and slight inflexibility. -The NIS code in the NYS library requires you to recompile the libc library to -include the NYS code into it (or maybe you can get a precompiled version of -libc from someone who has already done it). -Another difference is that the traditional NIS code has some support for NIS -Netgroups, which the NYS code doesn't. On the other hand the NYS code allows -you to handle Shadow Passwords in a transparent way. The "traditonal NIS" -code doesn't support Shadow Passwords over NIS. - - ------------------------------------------------------------------------------ - -3.2. glibc 2 and NIS/NIS+ - - -Forgot all this if you use the new GNU C Library 2.x (aka libc6). It has real -NSS (name switch service) support, which makes it very flexible, and contains -support for the following NIS/NIS+ maps: aliases, ethers, group, hosts, -netgroups, networks, protocols, publickey, passwd, rpc, services and shadow. -The GNU C Library has no problems with shadow passwords over NIS. - - ------------------------------------------------------------------------------ - -3.3. NIS or NIS+ ? - - -The choice between NIS and NIS+ is easy - use NIS+ only if you have severe -security needs. NIS+ is much more problematic to administer (it's pretty easy -to handle on the client side, but the server side is horrible). Another -problem is that the support for NIS+ under Linux contains a lot of bugs and -that the development has stopped. - - ------------------------------------------------------------------------------ - -4. How it works - -4.1. How NIS works - - -Within a network there must be at least one machine acting as a NIS server. 
-You can have multiple NIS servers, each serving different NIS "domains" - or -you can have cooperating NIS servers, where one is the master NIS server, and -all the other are so-called slave NIS servers (for a certain NIS "domain", -that is!) - or you can have a mix of them... - - - -Slave servers only have copies of the NIS databases and receive these copies -from the master NIS server whenever changes are made to the master's -databases. Depending on the number of machines in your network and the -reliability of your network, you might decide to install one or more slave -servers. Whenever a NIS server goes down or is too slow in responding to -requests, a NIS client connected to that server will try to find one that is -up or faster. - - - -NIS databases are in so-called DBM format, derived from ASCII databases. For -example, the files /etc/passwd and /etc/group can be directly converted to -DBM format using ASCII-to-DBM translation software (makedbm, included with -the server software). The master NIS server should have both, the ASCII -databases and the DBM databases. - - - -Slave servers will be notified of any change to the NIS maps, (via the yppush -program), and automatically retrieve the necessary changes in order to -synchronize their databases. NIS clients do not need to do this since they -always talk to the NIS server to read the information stored in it's DBM -databases. - - - -Old ypbind versions do a broadcast to find a running NIS server. This is -insecure, due the fact that anyone may install a NIS server and answer the -broadcast queries. Newer Versions of ypbind (ypbind-3.3 or ypbind-mt) are -able to get the server from a configuration file - thus no need to broadcast. - - ------------------------------------------------------------------------------ - -4.2. How NIS+ works - - -NIS+ is a new version of the network information nameservice from Sun. 
The -biggest difference between NIS and NIS+ is that NIS+ has support for data -encryption and authentication over secure RPC. - - - -The naming model of NIS+ is based upon a tree structure. Each node in the -tree corresponds to an NIS+ object, from which we have six types: directory, -entry, group, link, table and private. - - - -The NIS+ directory that forms the root of the NIS+ namespace is called the -root directory. There are two special NIS+ directories: org_dir and -groups_dir. The org_dir directory consists of all administration tables, such -as passwd, hosts, and mail_aliases. The groups_dir directory consists of NIS+ -group objects which are used for access control. The collection of org_dir, -groups_dir and their parent directory is referred to as an NIS+ domain. - - ------------------------------------------------------------------------------ - -5. The RPC Portmapper - - -To run any of the software mentioned below you will need to run the program / -sbin/portmap. Some Linux distributions already have the code in the /sbin/ -init.d/ or /etc/rc.d/ files to start up this daemon. All you have to do is to -activate it and reboot your Linux machine. Read your Linux Distribution -Documentation how to do this. - - - -The RPC portmapper (portmap(8)) is a server that converts RPC program numbers -into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to -make RPC calls (which is what the NIS/NIS+ client software does) to RPC -servers (like a NIS or NIS+ server) on that machine. When an RPC server is -started, it will tell portmap what port number it is listening to, and what -RPC program numbers it is prepared to serve. When a client wishes to make an -RPC call to a given program number, it will first contact portmap on the -server machine to determine the port number where RPC packets should be sent. - - - -Since RPC servers could be started by inetd(8), portmap should be running -before inetd is started. 
- - - -For secure RPC, the portmapper needs the Time service. Make sure, that the -Time service is enabled in /etc/inetd.conf on all hosts: - - - - -+---------------------------------------------------------------------------+ -|# | -|# Time service is used for clock syncronization. | -|# | -|time stream tcp nowait root internal | -|time dgram udp wait root internal | -+---------------------------------------------------------------------------+ - - - -IMPORTANT: Don't forget to restart inetd after changes on its configuration -file ! - - ------------------------------------------------------------------------------ - -6. What do you need to set up NIS? - -6.1. Determine whether you are a Server, Slave or Client. - - -To answer this question you have to consider two cases: - - - - 1. Your machine is going to be part of a network with existing NIS servers - 2. You do not have any NIS servers in the network yet - - - -In the first case, you only need the client programs (ypbind, ypwhich, ypcat, -yppoll, ypmatch). The most important program is ypbind. This program must be -running at all times, which means, it should always appear in the list of -processes. It is a daemon process and needs to be started from the system's -startup file (eg. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ -ypbind, /etc/rc.local). As soon as ypbind is running your system has become a -NIS client. - - - -In the second case, if you don't have NIS servers, then you will also need a -NIS server program (usually called ypserv). Section 9 describes how to set up -a NIS server on your Linux machine using the ypserv daemon. - - ------------------------------------------------------------------------------ - -6.2. The Software - - -The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the shared -library "/lib/libc.so.x" contain all necessary system calls to succesfully -compile the NIS client and server software. 
For the GNU C Library 2 (glibc -2.x), you also need /lib/libnsl.so.1. - - - -Some people reported that NIS only works with "/usr/lib/libc.a" version -4.5.21 and better so if you want to play it safe don't use older libc's. The -NIS client software can be obtained from: - - - - -+----------------------------------------------------------------------------------+ -| Site Directory File Name | -| | -| ftp.kernel.org /pub/linux/utils/net/NIS yp-tools-2.8.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-mt-1.13.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3-glibc5.diff.gz| -+----------------------------------------------------------------------------------+ - - - - -Once you obtained the software, please follow the instructions which come -with the software. yp-clients 2.2 are for use with libc4 and libc5 until -5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.1 or later. The new -yp-tools 2.4 should work with every Linux libc. Since there was a bug in the -NIS code, you shouldn't use libc 5.4.21-5.4.35. Use libc 5.4.36 or later -instead, or the most YP programs will not work. ypbind 3.3 will work with all -libraries, too. If you use gcc 2.8.x or greater, egcs or glibc 2.x, you -should add the ypbind-3.3-glibc5.diff patch to ypbind 3.3. If possible you -should avoid the use of ypbind 3.3 for security reasons. ypbind-mt is a new, -multithreaded daemon. It needs a Linux 2.2 kernel and glibc 2.1 or later. - - ------------------------------------------------------------------------------ - -7. Setting Up the NIS Client - -7.1. The ypbind daemon - - -After you have succesfully compiled the software you are now ready to install -it. A suitable place for the ypbind daemon is the directory /usr/sbin. Some -people may tell you that you don't need ypbind on a system with NYS. This is -wrong. ypwhich and ypcat need it always. - - - -You must do this as root of course. 
The other binaries (ypwhich, ypcat, -yppasswd, yppoll, ypmatch) should go in a directory accessible by all users, -normally /usr/bin. - - - -Newer ypbind versions have a configuration file called /etc/yp.conf. You can -hardcode a NIS server there - for more info see the manual page for ypbind -(8). You also need this file for NYS. An example: - - - - -+---------------------------------------------------------------------------+ -|ypserver 10.10.0.1 | -|ypserver 10.0.100.8 | -|ypserver 10.3.1.1 | -+---------------------------------------------------------------------------+ - - - - -If the system can resolve the hostnames without NIS, you may use the name, -otherwise you have to use the IP address. ypbind 3.3 has a bug and will only -use the last entry (ypserver 10.3.1.1 in the example). All other entries are -ignored. ypbind-mt handle this correct and uses that one, which answerd at -first. - - - -It might be a good idea to test ypbind before incorporating it in the startup -files. To test ypbind do the following: - - -  * Make sure you have your YP-domain name set. If it is not set then issue - the command: - - +---------------------------------------------------------------+ - | /bin/domainname nis.domain | - +---------------------------------------------------------------+ - - where nis.domain should be some string _NOT_ normally associated with the - DNS-domain name of your machine! The reason for this is that it makes it - a little harder for external crackers to retreive the password database - from your NIS servers. If you don't know what the NIS domain name is on - your network, ask your system/network administrator. - -  * Start up "/sbin/portmap" if it is not already running. - -  * Create the directory /var/yp if it does not exist. - -  * Start up /usr/sbin/ypbind - -  * Use the command rpcinfo -p localhost to check if ypbind was able to - register its service with the portmapper. 
The output should look like: - +---------------------------------------------------------------+ - | program vers proto port | - | 100000 2 tcp 111 portmapper | - | 100000 2 udp 111 portmapper | - | 100007 2 udp 637 ypbind | - | 100007 2 tcp 639 ypbind | - +---------------------------------------------------------------+ - or - +---------------------------------------------------------------+ - | program vers proto port | - | 100000 2 tcp 111 portmapper | - | 100000 2 udp 111 portmapper | - | 100007 2 udp 758 ypbind | - | 100007 1 udp 758 ypbind | - | 100007 2 tcp 761 ypbind | - | 100007 1 tcp 761 ypbind | - +---------------------------------------------------------------+ - Depending on the ypbind version you are using. - -  * You may also run rpcinfo -u localhost ypbind. This command should produce - something like: - +---------------------------------------------------------------+ - | program 100007 version 2 ready and waiting | - +---------------------------------------------------------------+ - or - +---------------------------------------------------------------+ - | program 100007 version 1 ready and waiting | - | program 100007 version 2 ready and waiting | - +---------------------------------------------------------------+ - The output depends on the ypbind version you have installed. Important is - only the "version 2" message. - -At this point you should be able to use NIS client programs like ypcat, -etc... For example, ypcat passwd.byname will give you the entire NIS password -database. - -IMPORTANT: If you skipped the test procedure then make sure you have set the -domain name, and created the directory - -+---------------------------------------------------------------------------+ -| /var/yp | -+---------------------------------------------------------------------------+ - - -This directory MUST exist for ypbind to start up succesfully. - - - -To check if the domainname is set correct, use the /bin/ypdomainname from -yp-tools 2.2. 
It uses the yp_get_default_domain() function which is more -restrict. It doesn't allow for example the "(none)" domainname, which is the -default under Linux and makes a lot of problems. - - - -If the test worked you may now want to change your startupd files so that -ypbind will be started at boot time and your system will act as a NIS client. -Make sure that the domainname will be set before you start ypbind. - - - -Well, that's it. Reboot the machine and watch the boot messages to see if -ypbind is actually started. - - ------------------------------------------------------------------------------ - -7.2. Setting up a NIS Client using Traditional NIS - - -For host lookups you must set (or add) "nis" to the lookup order line in your -/etc/host.conf file. Please read the manpage "resolv+.8" for more details. - - - -Add the following line to /etc/passwd on your NIS clients: - - - - -+---------------------------------------------------------------------------+ -|+:::::: | -+---------------------------------------------------------------------------+ - - - - -You can also use the + and - characters to include/exclude or change users. -If you want to exclude the user guest just add -guest to your /etc/passwd -file. You want to use a different shell (e.g. ksh) for the user "linux"? No -problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/ -passwd. Fields that you don't want to change have to be left empty. You could -also use Netgroups for user control. 
- - - -For example, to allow login-access only to miquels, dth and ed, and all -members of the sysadmin netgroup, but to have the account data of all other -users available use: - - - - -+---------------------------------------------------------------------------+ -| +miquels::::::: | -| +ed::::::: | -| +dth::::::: | -| +@sysadmins::::::: | -| -ftp | -| +:*::::::/etc/NoShell | -+---------------------------------------------------------------------------+ - - - - -Note that in Linux you can also override the password field, as we did in -this example. We also remove the login "ftp", so it isn't known any longer, -and anonymous ftp will not work. - - - -The netgroup would look like - - - - -+---------------------------------------------------------------------------+ -|sysadmins (-,software,) (-,kukuk,) | -+---------------------------------------------------------------------------+ - - - - -IMPORTANT: The netgroup feature is implemented starting from libc 4.5.26. If -you have a version of libc earlier than 4.5.26, every user in the NIS -password database can access your linux machine if you run "ypbind" ! - - ------------------------------------------------------------------------------ - -7.3. Setting up a NIS Client using NYS - - -All that is required is that the NIS configuration file (/etc/yp.conf) points -to the correct server(s) for its information. Also, the Name Services Switch -configuration file (/etc/nsswitch.conf) must be correctly set up. - - - -You should install ypbind. It isn't needed by the libc, but the NIS(YP) tools -need it. - - - -If you wish to use the include/exclude user feature (+/-guest/+@admins), you -have to use "passwd: compat" and "group: compat" in nsswitch.conf. Note that -there is no "shadow: compat"! You have to use "shadow: files nis" in this -case. - - - -The NYS sources are part of the libc 5 sources. When run configure, say the -first time "NO" to the "Values correct" question, then say "YES" to "Build a -NYS libc from nys". 
- - ------------------------------------------------------------------------------ - -7.4. Setting up a NIS Client using glibc 2.x - - -The glibc uses "traditional NIS", so you need to start ypbind. The Name -Services Switch configuration file (/etc/nsswitch.conf) must be correctly set -up. If you use the compat mode for passwd, shadow or group, you have to add -the "+" at the end of this files and you can use the include/exclude user -feature. The configuration is excatly the same as under Solaris 2.x. - - ------------------------------------------------------------------------------ - -7.5. The nsswitch.conf File - - -The Network Services switch file /etc/nsswitch.conf determines the order of -lookups performed when a certain piece of information is requested, just like -the /etc/host.conf file which determines the way host lookups are performed. -For example, the line - - - - -+---------------------------------------------------------------------------+ -| hosts: files nis dns | -+---------------------------------------------------------------------------+ - - - - -specifies that host lookup functions should first look in the local /etc/ -hosts file, followed by a NIS lookup and finally through the domain name -service (/etc/resolv.conf and named), at which point if no match is found an -error is returned. This file must be readable for every user! You can find -more information in the man-page nsswitch.5 or nsswitch.conf.5. - - - -A good /etc/nsswitch.conf file for NIS is: - - - - -+---------------------------------------------------------------------------+ -|# | -|# /etc/nsswitch.conf | -|# | -|# An example Name Service Switch config file. This file should be | -|# sorted with the most-used services at the beginning. | -|# | -|# The entry '[NOTFOUND=return]' means that the search for an | -|# entry should stop if the search in the previous entry turned | -|# up nothing. 
Note that if the search failed due to some other reason | -|# (like no NIS server responding) then the search continues with the | -|# next entry. | -|# | -|# Legal entries are: | -|# | -|# nisplus Use NIS+ (NIS version 3) | -|# nis Use NIS (NIS version 2), also called YP | -|# dns Use DNS (Domain Name Service) | -|# files Use the local files | -|# db Use the /var/db databases | -|# [NOTFOUND=return] Stop searching if not found so far | -|# | -| | -|passwd: compat | -|group: compat | -|# For libc5, you must use shadow: files nis | -|shadow: compat | -| | -|passwd_compat: nis | -|group_compat: nis | -|shadow_compat: nis | -| | -|hosts: nis files dns | -| | -|services: nis [NOTFOUND=return] files | -|networks: nis [NOTFOUND=return] files | -|protocols: nis [NOTFOUND=return] files | -|rpc: nis [NOTFOUND=return] files | -|ethers: nis [NOTFOUND=return] files | -|netmasks: nis [NOTFOUND=return] files | -|netgroup: nis | -|bootparams: nis [NOTFOUND=return] files | -|publickey: nis [NOTFOUND=return] files | -|automount: files | -|aliases: nis [NOTFOUND=return] files | -+---------------------------------------------------------------------------+ - - - - -passwd_compat, group_compat and shadow_compat are only supported by glibc -2.x. If there are no shadow rules in /etc/nsswitch.conf, glibc will use the -passwd rule for lookups. There are some more lookup module for glibc like -hesoid. For more information, read the glibc documentation. - - ------------------------------------------------------------------------------ - -7.6. Shadow Passwords with NIS - - -Shadow passwords over NIS are always a bad idea. You loose the security, -which shadow gives you, and it is supported by only some few Linux C -Libraries. A good way to avoid shadow passwords over NIS is, to put only the -local system users in /etc/shadow. Remove the NIS user entries from the -shadow database, and put the password back in passwd. So you can use shadow -for the root login, and normal passwd for NIS user. 
This has the advantage -that it will work with every NIS client. - - ------------------------------------------------------------------------------ - -7.6.1. Linux - - -The only Linux libc which supports shadow passwords over NIS, is the GNU C -Library 2.x. Linux libc5 has no support for it. Linux libc5 compiled with NYS -enabled has some code for it. But this code is badly broken in some cases and -doesn't work with all correct shadow entries. - - ------------------------------------------------------------------------------ - -7.6.2. Solaris - - -Solaris does not support shadow passwords over NIS. - - ------------------------------------------------------------------------------ - -7.6.3. PAM - - -Linux-PAM 0.75 and newr does support Shadow passwords over NIS if you use the -pam_unix.so Module or if you install the extra pam_unix2.so Module. Old -systems using pam_pwdb/libpwdb (for example Red Hat Linux 5.x) need to change -the /etc/pam.d/* entries. All pam_pwdb rules should be replaced through a -pam_unix_* module. - - - -An example /etc/pam.d/login file looks like: - - - - -+----------------------------------------------------------------------------------+ -|#%PAM-1.0 | -|auth requisite pam_unix2.so nullok #set_secrpc | -|auth required pam_securetty.so | -|auth required pam_nologin.so | -|auth required pam_env.so | -|auth required pam_mail.so | -|account required pam_unix2.so | -|password required pam_pwcheck.so nullok | -|password required pam_unix2.so nullok use_first_pass use_authtok | -|session required pam_unix2.so none # debug or trace | -|session required pam_limits.so | -+----------------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -8. What do you need to set up NIS+ ? - -8.1. The Software - - -The Linux NIS+ client code was developed for the GNU C library 2. 
There is -also a port for Linux libc5, since most commercial Applications where linked -against this library in the past, and you cannot recompile them for using -glibc. There are problems with libc5 and NIS+: static programs cannot be -linked with it, and programs compiled with this library will not work with -other libc5 versions. -As base System you need a glibc based Distribution like Debian, Red Hat Linux -or SuSE Linux. If you have a Linux Distribution, which does not have glibc -2.1.1 or later, you need to update to a newer version. - - - -The NIS+ client software can be obtained from: - - - - -+---------------------------------------------------------------------------------+ -| Site Directory File Name | -| | -| ftp.gnu.org /pub/gnu/glibc glibc-2.3.2.tar.gz, | -| glibc-linuxthreads-2.3.2.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS+ nis-utils-1.4.1.tar.gz | -+---------------------------------------------------------------------------------+ - - - - -You should also have a look at [http://www.linux-nis.org/nisplus/] http:// -www.linux-nis.org/nisplus/ for more information and the latest sources. - - ------------------------------------------------------------------------------ - -8.2. Setting up a NIS+ client - - -IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs what to -do on the server side! This document only describes what to do on the client -side! - - - -After installing the new libc and nis-tools, create the credentials for the -new client on the NIS+ server. Make sure portmap is running. Then check if -your Linux PC has the same time as the NIS+ Server. For secure RPC, you have -only a small window from about 3 minutes, in which the credentials are valid. -A good idea is to run xntpd on every host. After this, run - - - - -+---------------------------------------------------------------------------+ -|domainname nisplus.domain. 
| -|nisinit -c -H | -+---------------------------------------------------------------------------+ - - - - -to initialize the cold start file. Read the nisinit man page for more -options. Make sure that the domainname will always be set after a reboot. If -you don't know what the NIS+ domain name is on your network, ask your system/ -network administrator. - - - -Now you should change your /etc/nsswitch.conf file. Make sure that the only -service after publickey is nisplus ("publickey: nisplus"), and nothing else! - - - -Then start keyserv and make sure, that it will always be started as first -daemon after portmap at boot time. Run - - - - -+---------------------------------------------------------------------------+ -|keylogin -r | -+---------------------------------------------------------------------------+ - - - - -to store the root secretkey on your system. (I hope you have added the -publickey for the new host on the NIS+ Server?). - - - -niscat passwd.org_dir should now show you all entries in the passwd database. - - ------------------------------------------------------------------------------ - -8.3. NIS+, keylogin, login and PAM - - -When the user logs in, he need to set his secretkey to keyserv. This is done -by calling "keylogin". The login from the shadow package will do this for the -user, if it was compiled against glibc 2.1. For a PAM aware login, you have -to change the /etc/pam.d/login file to use pam_unix2, not pwdb, which doesn't -support NIS+. 
An example: - - - - -+---------------------------------------------------------------------------+ -|#%PAM-1.0 | -|auth required /lib/security/pam_securetty.so | -|auth required /lib/security/pam_unix2.so set_secrpc | -|auth required /lib/security/pam_nologin.so | -|account required /lib/security/pam_unix2.so | -|password required /lib/security/pam_unix2.so | -|session required /lib/security/pam_unix2.so | -+---------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -8.4. The nsswitch.conf File - - -The Network Services switch file /etc/nsswitch.conf determines the order of -lookups performed when a certain piece of information is requested, just like -the /etc/host.conf file which determines the way host lookups are performed. -For example, the line - - - - -+---------------------------------------------------------------------------+ -| hosts: files nisplus dns | -+---------------------------------------------------------------------------+ - - - - -specifies that host lookup functions should first look in the local /etc/ -hosts file, followed by a NIS+ lookup and finally through the domain name -service (/etc/resolv.conf and named), at which point if no match is found an -error is returned. - - - -A good /etc/nsswitch.conf file for NIS+ is: - - - - -+---------------------------------------------------------------------------+ -|# | -|# /etc/nsswitch.conf | -|# | -|# An example Name Service Switch config file. This file should be | -|# sorted with the most-used services at the beginning. | -|# | -|# The entry '[NOTFOUND=return]' means that the search for an | -|# entry should stop if the search in the previous entry turned | -|# up nothing. Note that if the search failed due to some other reason | -|# (like no NIS server responding) then the search continues with the | -|# next entry. 
| -|# | -|# Legal entries are: | -|# | -|# nisplus Use NIS+ (NIS version 3) | -|# nis Use NIS (NIS version 2), also called YP | -|# dns Use DNS (Domain Name Service) | -|# files Use the local files | -|# db Use the /var/db databases | -|# [NOTFOUND=return] Stop searching if not found so far | -|# | -| | -|passwd: compat | -|group: compat | -|shadow: compat | -| | -|passwd_compat: nisplus | -|group_compat: nisplus | -|shadow_compat: nisplus | -| | -|hosts: nisplus files dns | -| | -|services: nisplus [NOTFOUND=return] files | -|networks: nisplus [NOTFOUND=return] files | -|protocols: nisplus [NOTFOUND=return] files | -|rpc: nisplus [NOTFOUND=return] files | -|ethers: nisplus [NOTFOUND=return] files | -|netmasks: nisplus [NOTFOUND=return] files | -|netgroup: nisplus | -|bootparams: nisplus [NOTFOUND=return] files | -|publickey: nisplus | -|automount: files | -|aliases: nisplus [NOTFOUND=return] files | -+---------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -9. Setting up a NIS Server - -9.1. The Server Program ypserv - - -This document only describes how to set up the "ypserv" NIS server. - - - -The NIS server software can be found on: - - - - -+---------------------------------------------------------------------------+ -| Site Directory File Name | -| | -| ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.bz2 | -+---------------------------------------------------------------------------+ - - - - -You could also look at [http://www.linux-nis.org/nis/] http:// -www.linux-nis.org/nis/ for more information. - - - -The server setup is the same for both traditional NIS and NYS. - - - -Compile the software to generate the ypserv and makedbm programs. ypserv-2.x -only supports the securenets file for access restrictions. 
- - - -If you run your server as master, determine what files you require to be -available via NIS and then add or remove the appropriate entries to the "all" -rule in /var/yp/Makefile. You always should look at the Makefile and edit the -Options at the beginning of the file. - - - -There was one big change between ypserv 1.1 and ypserv 1.2. Since version -1.2, the file handles are cached. This means you have to call makedbm always -with the -c option if you create new maps. Make sure, you are using the new / -var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in -the Makefile. If you don't do that, ypserv will continue to use the old maps, -and not the updated one. - - - -Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read -the ypserv(8) and ypserv.conf(5) manual pages. - - - -Make sure the portmapper (portmap(8)) is running, and start the server ypserv -. The command - - - - -+---------------------------------------------------------------------------+ -| % rpcinfo -u localhost ypserv | -+---------------------------------------------------------------------------+ - - - - -should output something like - - - - -+---------------------------------------------------------------------------+ -| program 100004 version 1 ready and waiting | -| program 100004 version 2 ready and waiting | -+---------------------------------------------------------------------------+ - - - - -The "version 1" line could be missing, depending on the ypserv version and -configuration you are using. It is only necessary if you have old SunOS 4.x -clients. - - - -Now generate the NIS (YP) database. On the master, run - - - - -+---------------------------------------------------------------------------+ -| % /usr/lib/yp/ypinit -m | -+---------------------------------------------------------------------------+ - - - - -On a slave make sure that ypwhich -m works. 
This means, that your slave must -be configured as NIS client before you could run - - - - -+---------------------------------------------------------------------------+ -| % /usr/lib/yp/ypinit -s masterhost | -+---------------------------------------------------------------------------+ - - - -to install the host as NIS slave. - -That's it, your server is up and running. - -If you have bigger problems, you could start ypserv and ypbind in debug mode -on different xterms. The debug output should show you what goes wrong. - -If you need to update a map, run make in the /var/yp directory on the NIS -master. This will update a map if the source file is newer, and push the -files to the slave servers. Please don't use ypinit for updating a map. - -You might want to edit root's crontab *on the slave* server and add the -following lines: - - - -+---------------------------------------------------------------------------+ -| 20 * * * * /usr/lib/yp/ypxfr_1perhour | -| 40 6 * * * /usr/lib/yp/ypxfr_1perday | -| 55 6,18 * * * /usr/lib/yp/ypxfr_2perday | -+---------------------------------------------------------------------------+ - - - -This will ensure that most NIS maps are kept up-to-date, even if an update is -missed because the slave was down at the time the update was done on the -master. - -You can add a slave at every time later. At first, make sure that the new -slave server has permissions to contact the NIS master. Then run - - - -+---------------------------------------------------------------------------+ -| % /usr/lib/yp/ypinit -s masterhost | -+---------------------------------------------------------------------------+ - - - -on the new slave. On the master server, add the new slave server name to /var -/yp/ypservers and run make in /var/yp to update the map. 
- -If you want to restrict access for users to your NIS server, you'll have to -setup the NIS server as a client as well by running ypbind and adding the -plus-entries to /etc/passwd _halfway_ the password file. The library -functions will ignore all normal entries after the first NIS entry, and will -get the rest of the info through NIS. This way the NIS access rules are -maintained. An example: - - - -+-------------------------------------------------------------------------------+ -| root:x:0:0:root:/root:/bin/bash | -| daemon:*:1:1:daemon:/usr/sbin: | -| bin:*:2:2:bin:/bin: | -| sys:*:3:3:sys:/dev: | -| sync:*:4:100:sync:/bin:/bin/sync | -| games:*:5:100:games:/usr/games: | -| man:*:6:100:man:/var/catman: | -| lp:*:7:7:lp:/var/spool/lpd: | -| mail:*:8:8:mail:/var/spool/mail: | -| news:*:9:9:news:/var/spool/news: | -| uucp:*:10:50:uucp:/var/spool/uucp: | -| nobody:*:65534:65534:noone at all,,,,:/dev/null: | -| +miquels:::::: | -| +:*:::::/etc/NoShell | -| [ All normal users AFTER this line! ] | -| tester:*:299:10:Just a test account:/tmp: | -| miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh| -+-------------------------------------------------------------------------------+ - - - -Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels -will have normal access. - -Alternatively, you could edit the /var/yp/Makefile file and set NIS to use -another source password file. On large systems the NIS password and group -files are usually stored in /etc/yp/. If you do this the normal tools to -administrate the password file such as passwd, chfn, adduser will not work -anymore and you need special homemade tools for this. - -However, yppasswd, ypchsh and ypchfn will work of course. ------------------------------------------------------------------------------ - -9.2. The Server Program yps - -To set up the "yps" NIS server please refer to the previous paragraph. 
The -"yps" server setup is similar, _but_ not exactly the same so beware if you -try to apply the "ypserv" instructions to "yps"! "yps" is not supported by -any author, and contains some security leaks. You really shouldn't use it ! - -The "yps" NIS server software can be found on: - - - -+---------------------------------------------------------------------------+ -| Site Directory File Name | -| | -| ftp.lysator.liu.se /pub/NYS/servers yps-0.21.tar.gz | -| ftp.kernel.org /pub/linux/utils/net/NIS yps-0.21.tar.gz | -+---------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -9.3. The Program rpc.ypxfrd - -rpc.ypxfrd is used for speed up the transfer of very large NIS maps from a -NIS master to NIS slave servers. If a NIS slave server receives a message -that there is a new map, it will start ypxfr for transfering the new map. -ypxfr will read the contents of a map from the master server using the yp_all -() function. This process can take several minutes when there are very large -maps which have to store by the database library. - -The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave -servers to simply copy the master server's map files rather than building -their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, -so that there is no need for building a new map. - -rpc.ypxfrd can be started by inetd. But since it starts very slow, it should -be started with ypserv. You need to start rpc.ypxfrd only on the NIS master -server. ------------------------------------------------------------------------------ - -9.4. The Program rpc.yppasswdd - -Whenever users change their passwords, the NIS password database and probably -other NIS databases, which depend on the NIS password database, should be -updated. 
The program "rpc.yppasswdd" is a server that handles password -changes and makes sure that the NIS information will be updated accordingly. -rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate -yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any -longer. - -You need to start rpc.yppasswdd only on the NIS master server. By default, -users are not allowed to change their full name or the login shell. You can -allow this with the -e chfn or -e chsh option. - -If your passwd and shadow files are not in another directory then /etc, you -need to add the -D option. For example, if you have put all source files in / -etc/yp and wish to allow the user to change his shell, you need to start -rpc.yppasswdd with the following parameters: - - - -+---------------------------------------------------------------------------+ -| rpc.yppasswdd -D /etc/yp -e chsh | -+---------------------------------------------------------------------------+ - - - -or - - - -+---------------------------------------------------------------------------+ -| rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh | -+---------------------------------------------------------------------------+ - - - -There is nothing more to do. You just need to make sure, that rpc.yppasswdd -uses the same files as /var/yp/Makefile. Errors will be logged using syslog. ------------------------------------------------------------------------------ - -10. Verifying the NIS/NYS Installation - -If everything is fine (as it should be), you should be able to verify your -installation with a few simple commands. Assuming, for example, your passwd -file is being supplied by NIS, the command - - - -+---------------------------------------------------------------------------+ -| % ypcat passwd | -+---------------------------------------------------------------------------+ - - - -should give you the contents of your NIS passwd file. 
The command - - - -+---------------------------------------------------------------------------+ -| % ypmatch userid passwd | -+---------------------------------------------------------------------------+ - - - -(where userid is the login name of an arbitrary user) should give you the -user's entry in the NIS passwd file. The "ypcat" and "ypmatch" programs -should be included with your distribution of traditional NIS or NYS. - -If a user cannot log in, run the following program on the client: - - -+---------------------------------------------------------------------------+ -|#include | -|#include | -|#include | -| | -|int | -|main(int argc, char *argv[]) | -|{ | -| struct passwd *pwd; | -| | -| if(argc != 2) | -| { | -| fprintf(stderr,"Usage: getwpnam username\n"); | -| exit(1); | -| } | -| | -| pwd=getpwnam(argv[1]); | -| | -| if(pwd != NULL) | -| { | -| printf("name.....: [%s]\n",pwd->pw_name); | -| printf("password.: [%s]\n",pwd->pw_passwd); | -| printf("user id..: [%d]\n", pwd->pw_uid); | -| printf("group id.: [%d]\n",pwd->pw_gid); | -| printf("gecos....: [%s]\n",pwd->pw_gecos); | -| printf("directory: [%s]\n",pwd->pw_dir); | -| printf("shell....: [%s]\n",pwd->pw_shell); | -| } | -| else | -| fprintf(stderr,"User \"%s\" not found!\n",argv[1]); | -| | -| exit(0); | -|} | -+---------------------------------------------------------------------------+ - - - -Running this program with the username as parameter will print all the -information the getpwnam function gives back for this user. This should show -you which entry is incorrect. The most common problem is, that the password -field is overwritten with a "*". - -GNU C Library 2.1 (glibc 2.1) comes with a tool called getent. Use this -program instead the above on such a system. 
You could try: - - -+---------------------------------------------------------------------------+ -| getent passwd | -+---------------------------------------------------------------------------+ - - -or - - -+---------------------------------------------------------------------------+ -| getent passwd login | -+---------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -11. Creating and Updating NIS maps - -11.1. Creating new NIS maps - -The initial NIS maps will be created by running - - -+---------------------------------------------------------------------------+ -| % /usr/lib/yp/ypinit -m | -+---------------------------------------------------------------------------+ - - - -This is done when setting up the NIS master server for the first time. For -more information about this, read Section 9. If you wish to add new maps to -your server or remove old one, you need to edit the /var/yp/Makefile and -change the all: rule. Add or remove the name of the rule, which generates the -map. - -If you delete a map, you also have to remove the corresponding files. - -After this change, you only need to run - - -+---------------------------------------------------------------------------+ -| % make -C /var/yp | -+---------------------------------------------------------------------------+ - - - -and the maps should be created. ------------------------------------------------------------------------------ - -11.2. Updating NIS maps - -If you modify the sources for the NIS maps (for example if you create a new -user by adding the account to the passwd file), you need to regenerate the -NIS maps. 
This is done by a simple - - -+---------------------------------------------------------------------------+ -| % make -C /var/yp | -+---------------------------------------------------------------------------+ - - - -This command will check which sources have changed, creates the maps new and -tell ypserv that the maps have changed. ------------------------------------------------------------------------------ - -11.3. Length of Map entries - -The length of one entry is limited by the NIS protocol to 1024 characters. -You can't just increase this value and recompile the system. Every system -that uses NIS v2 expects key and data values to be no more than 1024 bytes in -size; if you suddenly make YPMAXRECORD larger on your client and server, you -will break interoperability with all other systems on your network that use -NIS. To make it work right, you'd have to go to every vendor that supports -NIS and get them to all make the change at the same time. Chances are you -won't be able to do this. - -With glibc 2.1 and newer this limit was removed from the glibc NIS -implementation. So it is possible under Linux to use longer entries, but only -if you have no other NIS clients or servers in your network. - -To allow the creation of NIS maps with a longer entry, you need to add the ---no-limit-check option to the makedbm call in /var/yp/Makefile. - -The result should look like: - - -+-------------------------------------------------------------------------------------+ -|DBLOAD = $(YPBINDIR)/makedbm -c -m `$(YPBINDIR)/yphelper --hostname` --no-limit-check| -+-------------------------------------------------------------------------------------+ - - - -WARNING: This breaks the NIS protocol and even if Linux supports it, not all -Applictions running under Linux works with this change! - -There is another way of solving this problem for /etc/group entries. 
This -idea is from Ken Cameron: - - -+---------------------------------------------------------------------------+ -|1. Break the entry into more than one line and name each group | -| slightly differnet. | -| | -|2. keep the GID the same for all. | -| | -|3. have the first entry with the right group name and the GID. | -| I don't put any user names in this one. | -| | -|What happens is that going by user name you pick up the GID when the code | -|reads it. Then going the other way it stops after the first match of GID | -|and takes that name. It's ugly but works! | -+---------------------------------------------------------------------------+ - - ------------------------------------------------------------------------------ - -12. Surviving a Reboot - -Once you have NIS correctly configured on the server and client, you do need -to be sure that the configuration will survive a reboot. - -There are two separate issues to check: the existence of an init script and -the correct storage of the NIS domain name. ------------------------------------------------------------------------------ - -12.1. NIS Init Script - -In your version of Linux, you need to check your directory of init scripts, -typically /etc/init.d, /etc/rc.d/init.d or /sbin/init.d to be sure there is a -startup script there for NIS. Usually this file is called ypbind or ypclient. ------------------------------------------------------------------------------ - -12.2. NIS Domain Name - -Perhaps the greatest issue that some people have with NIS is ensuring that -the NIS domain name is available after a reboot. According to Solaris 2.x, -the NIS domain name should be entered as a single line in: - - -+---------------------------------------------------------------------------+ -| /etc/defaultdomain | -+---------------------------------------------------------------------------+ - - - -However, most Linux distributions does not seem to use this file. 
------------------------------------------------------------------------------ - -12.3. Distribution-specific Issues - -At this time, the following information is known about how various Linux -distributions handle the storage of the NIS domainname. ------------------------------------------------------------------------------ - -12.3.1. Caldera 2.x - -Caldera uses the file /etc/nis.conf which has the same format as the normal / -etc/yp.conf. ------------------------------------------------------------------------------ - -12.3.2. Debian - -Debian appears to follow Sun's usage of /etc/defaultdomain. ------------------------------------------------------------------------------ - -12.3.3. Red Hat Linux 6.x, 7.x, 8.x and 9 - -Create or modify the variable NISDOMAIN in the file /etc/sysconfig/network. ------------------------------------------------------------------------------ - -12.3.4. SuSE Linux 6.x and 7.x - -Modify the variable YP_DOMAINNAME in /etc/rc.config and then run the command -SuSEconfig. ------------------------------------------------------------------------------ - -12.3.5. SuSE Linux 8.x and later - -Since version 8.0 SuSE Linux also follow Sun's usage of /etc/defaultdomain. ------------------------------------------------------------------------------ - -13. Changing passwords with rpasswd - -The standard way to change a NIS password is to call yppasswd, on some -systems this is only an alias for passwd. This commands uses the yppasswd -protocol and needs a running rpc.yppasswdd process on the NIS master server. -The protocol has the disadvantage, that the old password will be send in -clear text over the network. This is not so problematic, if the password -change was successfull. In this case, the old password is replaced with the -new one. But if the password change fails, an attacker can use the clear -password to login as this user. 
Even more worse: If the system administrator -changes the NIS password for another user, the root password of the NIS -master server is transfered in clear text over the network. And this one will -not be changed. - -One solution is to not use yppasswd for changing the password. Instead, a -good alternative is the rpasswd command from the pwdutils package. - - - -+-----------------------------------------------------------------------------+ -| Site Directory File Name | -| | -| ftp.kernel.org /pub/linux/utils/net/NIS pwdutils-2.3.tar.gz | -| ftp.suse.com /pub/people/kukuk/pam/pam_pwcheck pam_pwcheck-2.2.tar.bz2 | -| ftp.suse.com /pub/people/kukuk/pam/pam_unix2 pam_unix2-1.16.tar.bz2 | -+-----------------------------------------------------------------------------+ - - - -rpasswd changes passwords for user accounts on a remote server over a secure -SSL connection. A normal user may only change the password for their own -account, if the user knows the password of the administrator account (in the -moment this is the root password on the server), he may change the password -for any account if he calls rpasswd with the -a option. ------------------------------------------------------------------------------ - -13.1. Server Configuration - -For the server you need at first certificate, the default filename for this -is /etc/rpasswdd.pem. The file can be created with the following command: - - - -+----------------------------------------------------------------------------------------+ -|openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem| -+----------------------------------------------------------------------------------------+ - - - -A PAM configuration file for rpasswdd is needed, too. 
If the NIS accounts are -stored in /etc/passwd, the following is a good starting point for a working -configuration: - - - -+---------------------------------------------------------------------------+ -|#%PAM-1.0 | -|auth required pam_unix2.so | -|account required pam_unix2.so | -|password required pam_pwcheck.so | -|password required pam_unix2.so use_first_pass use_authtok | -|password required pam_make.so /var/yp | -|session required pam_unix2.so | -+---------------------------------------------------------------------------+ - - - -If sources for the NIS password maps are stored in another location (for -example in /etc/yp), the nisdir option of pam_unix2 can be used to find the -source files in another place: - - - -+----------------------------------------------------------------------------------+ -|#%PAM-1.0 | -|auth required pam_unix2.so | -|account required pam_unix2.so | -|password required pam_pwcheck.so nisdir=/etc/yp | -|password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok | -|password required pam_make.so /var/yp | -|session required pam_unix2.so | -+----------------------------------------------------------------------------------+ - - - -Now start the rpasswdd daemon on the NIS master server. - -Since the password change is done with PAM modules, rpasswdd is also able to -allow password changes for NIS+, LDAP or other services supported by a PAM -module. - ------------------------------------------------------------------------------ - -13.2. Client Configuration - -On every client only the configuration file /etc/rpasswd.conf which contains -the name of the server is neded. 
If the server does not run on the default -port, the correct port can alse be mentioned here: - - - -+---------------------------------------------------------------------------+ -|# rpasswdd runs on master.example.com | -|server master.example.com | -|# Port 774 is the default port | -|port 774 | -+---------------------------------------------------------------------------+ - - - ------------------------------------------------------------------------------ - -14. Common Problems and Troubleshooting NIS - -Here are some common problems reported by various users: - - 1. The libraries for 4.5.19 are broken. NIS won't work with it. - - 2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command - breaks. You need to get the su command from the slackware 1.2.0 - distribution. Incidentally that's where you can get the updated - libraries. - - 3. When a NIS server goes down and comes up again ypbind starts complaining - with messages like: - - - - +---------------------------------------------------------------+ - | yp_match: clnt_call: | - | RPC: Unable to receive; errno = Connection refused | - +---------------------------------------------------------------+ - - - - and logins are refused for those who are registered in the NIS database. - Try to login as root and kill ypbind and start it up again. An update to - ypbind 3.3 or higher should also help. - - 4. After upgrading the libc to a version greater then 5.4.20, the YP tools - will not work any longer. You need yp-tools 1.2 or later for libc >= - 5.4.21 and glibc 2.x. For earlier libc version you need yp-clients 2.2. - yp-tools 2.x should work for all libraries. - - 5. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or later, - or some YP programs like ypwhich will segfault. - - 6. libc 5 with traditional NIS doesn't support shadow passwords over NIS. - You need libc5 + NYS or glibc 2.x. - - 7. ypcat shadow doesn't show the shadow map. 
This is correct, the name of - the shadow map is shadow.byname, not shadow. - - 8. Solaris doesn't use always privileged ports. So don't use password - mangling if you have a Solaris client. - ------------------------------------------------------------------------------ - -15. Frequently Asked Questions - -Most of your questions should be answered by now. If there are still -questions unanswered you might want to post a message to - - - -+---------------------------------------------------------------------------+ -| comp.os.linux.networking | -+---------------------------------------------------------------------------+ - +to be maintained.
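Review bot: The lines removed in this hunk include the section 13 warning that yppasswd sends the old password in clear text (and, when an administrator changes another user's password, the root password of the NIS master server), together with the rpasswd/rpasswdd setup in 13.1 and 13.2, but the commit message "More consolidation." does not say which file now carries that text. Please name the destination in the commit message, or keep at least the clear-text warning in this file, so the security guidance is not lost in the removal. If the text is being carried over rather than dropped, two things are worth revisiting while it is touched: the example `openssl req -new -x509 -nodes ... -keyout /etc/rpasswdd.pem` writes an unencrypted private key into the same file as the certificate and says nothing about the file's permissions, and the `--no-limit-check` advice in 11.3 is described by its own WARNING as breaking the NIS protocol. Finally, the only added line visible at the end of the hunk, "to be maintained.", is a sentence fragment; check that it still joins correctly onto the context line that precedes the deleted block.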