Managing NFS and NIS, 2nd Edition - Mike Eisler [55]
If DNS is being used, NFS client gonzo will be denied access. This is because if DNS is being used to resolve hostnames to IP addresses, it is also being used to resolve IP addresses to hostnames, and DNS always generates fully qualified hostnames. Thus if gonzo is in the sales.polygon.com domain, then the following gives gonzo access:
share -o rw=gonzo.sales.polygon.com /export
The qualified versus unqualified hostname issue is one that has the potential for causing you major grief, and at the end of the day, you may decide that it is far simpler to use DNS across the board. If you do opt to use both NIS and DNS, for consistent results, the following is recommended:
Place in the hosts map only unqualified hostnames and only hosts that belong to the same DNS domain that the NIS domain is based upon.
Place nis before dns in the hosts entry of nsswitch.conf. This way, if a host is in NIS, then you will consistently use its unqualified form. If you had DNS before NIS, then there would be no point in having NIS, except as a fallback in case DNS became unavailable. In that case, you would find that when DNS failed, access control lists set up to use the qualified hostname form would not suddenly result in access failures.
Configure nsswitch.conf to return an error if NIS is down:
hosts: files nis [UNAVAIL=return] dns
This seems nonintuitive, since it means that if NIS is down, you won't be able to resolve hostnames and addresses. Let's suppose that you had the following in nsswitch.conf:
hosts: files nis dns
Now suppose gonzo is in NIS, and gonzo.sales.polygon.com is in DNS. Assume /etc/hosts.equiv contains an entry for gonzo. If you use rlogin to log in from gonzo to another machine, while NIS is up, then you will be able to log in without a password prompt. This is because when NIS is up, the IP address of gonzo is resolved by gethostbyaddr() to gonzo. When NIS is down, you will get a password prompt, because the IP address is resolved in DNS to gonzo.sales.polygon.com. A workaround would be to place both gonzo and gonzo.sales.polygon.com in the /etc/hosts.equiv file, but this is prone to error.
Of course, if you do configure nsswitch.conf to return an error if NIS is down, then when NIS is down, you will not be able to access hostnames that are in a different DNS domain. For example:
% telnet quote.triangle.com
Not to belabor the point, but if NIS availability is a concern for you, and you are running DNS, then you will want to give serious consideration to not using the hosts map in nsswitch.conf:
hosts: dns
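The nsswitch.conf orderings discussed above, as an added Python model that is not from the book: it walks the sources on a hosts: line the way the resolver does, applies the [UNAVAIL=return] action, and shows that an access list naming the unqualified gonzo matches only while NIS answers. The IP addresses and map contents are constructed for the illustration.

```python
# Constructed example (not from the book): models how the 'hosts:' line in
# nsswitch.conf drives reverse lookups, and why an access list naming the
# unqualified host "gonzo" matches only while NIS answers. Addresses and
# map contents are made up.

# NIS hosts.byaddr holds unqualified names; DNS PTR records hold FQDNs.
NIS_BYADDR = {"192.168.10.7": "gonzo"}
DNS_PTR = {
    "192.168.10.7": "gonzo.sales.polygon.com",
    "192.168.20.3": "quote.triangle.com",  # host outside the NIS domain
}
ETC_HOSTS = {}  # /etc/hosts lists neither host


def query_source(source, ip, nis_up):
    """Return (status, name) for one nsswitch source, as libc would."""
    if source == "files":
        table = ETC_HOSTS
    elif source == "nis":
        if not nis_up:
            return ("UNAVAIL", None)  # ypbind cannot reach any server
        table = NIS_BYADDR
    elif source == "dns":
        table = DNS_PTR
    else:
        raise ValueError("unknown source: " + source)
    return ("SUCCESS", table[ip]) if ip in table else ("NOTFOUND", None)


def gethostbyaddr(nsswitch_line, ip, nis_up=True):
    """Walk the sources on a 'hosts:' line, honouring [UNAVAIL=return].
    Returns the first name found, or None if the lookup fails."""
    tokens = nsswitch_line.split(":", 1)[1].split()
    for i, tok in enumerate(tokens):
        if tok.startswith("["):
            continue  # action tokens are handled with the preceding source
        status, name = query_source(tok, ip, nis_up)
        if status == "SUCCESS":
            return name
        action = tokens[i + 1] if i + 1 < len(tokens) else ""
        if status == "UNAVAIL" and action == "[UNAVAIL=return]":
            return None  # stop here rather than falling through to DNS
        # default for NOTFOUND and UNAVAIL is to try the next source
    return None


def acl_allows(acl_names, nsswitch_line, client_ip, nis_up=True):
    """hosts.equiv / share -o rw= style check: exact match on resolved name."""
    name = gethostbyaddr(nsswitch_line, client_ip, nis_up)
    return name is not None and name in acl_names
```

With "hosts: files nis dns" the same client resolves to gonzo while NIS is up and to gonzo.sales.polygon.com when it is down, so an entry for gonzo stops matching; with [UNAVAIL=return] the lookup fails outright instead of silently changing form.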
Centralized versus distributed management
This section applies to those organizations that have multiple system administration groups, each responsible for different departments within the organizations. If your organization has centralized remote control of all soft administration, then these issues will be of less interest to you.[1]
NIS lends itself to allowing you to give system administration groups for a given department within your organization responsibility for maintaining the department's NIS maps without the need for centralized control. However, the nature of hostnames, host addresses, and domain name management is that some central controls or rules are necessary in order to prevent mistakes in one department from affecting other departments and beyond.
There are at least three basic approaches to consider for managing hosts and domains.
Complete centralization
In this model, if someone wants an IP address, he or she contacts a single central committee to get one; the chances of errors are as low as possible, but the latency in getting requests honored is the longest. Adding new subdomains is also centralized. In this model, as there are specific system management groups managing the non-hosts NIS maps for a given department, it is not practical to manage hosts via NIS; you would use DNS exclusively.
Federation
In this model, the central committee has delegated responsibility for portions of the IP address space to individual groups responsible for a DNS subdomain. In this