After updating the main server I forgot for a while to modify
/etc/sysconfigure/network and /etc/rc.d/init.d/ypserv to smuggle in
a fixed port for ypserv so that it could get through the firewall. That
isn't the interesting part. The interesting part was that on the
clients that had to connect through the firewall all sorts of
hideous delays appeared. I finally tracked it down to this:

1. client's ypbind would start but would not be able to bind to the ypserv.

2. client's /etc/nsswitch.conf contained:
hosts: files nis dns nisplus

3. rpcinfo -p server
took FOREVER, as did anything else that needed a name lookup.

4. nslookup server
was fast

5. ps -ef showed ypbind running

So, apparently what happens is that if ypbind starts, but cannot
actually bind to a server, it still fields name lookup requests.
However, instead of realizing it's not bound to anything and so cannot
possibly return an answer it times out somehow. Perhaps it tries to
bind again, or perhaps it queues a request without even checking to
see if it's bound, and that connection times out.

In any case, it's the wrong behavior. If ypbind isn't bound it should
answer name lookup requests with some variant of "not found".

The short-term workaround (until ypserv starts working again) is
to do:

service ypbind stop

At which point the name lookup mechanism skips ypbind and goes directly
to dns. Of course you have to log on to make this change, and when the
system is bogged down doing 3 minute name lookups that can sometimes
be challenging.

This was on Mandriva 2007.1 with ypbind: ypbind-1.20.2-1mdv2007.1.
Probably it's true for pretty much every Linux that uses a similar ypbind.


David Mathog
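
A diagnostic for the situation described above, added here as an example and not part of the original message: it reads the hosts order from nsswitch.conf and warns when nis is consulted ahead of dns while ypbind has no bound server. The function names are hypothetical, and it assumes ypwhich (yp-tools) and timeout (coreutils) are installed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Print the sources on the "hosts:" line of an nsswitch.conf-style file,
# one per line, with comments and [STATUS=action] items stripped.
hosts_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# Succeed if "nis" is listed and "dns" does not come before it, i.e. host
# lookups reach ypbind before DNS gets a chance to answer.
nis_ahead_of_dns() {
    hosts_sources "$1" |
    awk '$1 == "dns" { exit } $1 == "nis" { hit = 1; exit }
         END { exit(hit ? 0 : 1) }'
}

# Succeed if ypbind reports a bound server within $1 seconds (default 5).
# Assumption: ypwhich and timeout are available on this system.
ypbind_is_bound() {
    timeout "${1:-5}" ypwhich >/dev/null 2>&1
}

# Combine both checks; returns 1 in the state that produces the long delays.
report() {
    conf=${1:-/etc/nsswitch.conf}
    if ! nis_ahead_of_dns "$conf"; then
        echo "ok: nis is not consulted ahead of dns in $conf"
    elif ypbind_is_bound; then
        echo "ok: nis precedes dns and ypbind is bound"
    else
        echo "warn: nis precedes dns in $conf but ypbind is not bound; lookups may stall"
        return 1
    fi
}

# Run the report only when invoked as: sh thisfile --report [nsswitch file]
if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```

Run from cron or a monitoring agent, a non-zero exit from `report` flags the condition before anyone has to log in through three-minute name lookups.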