NIS
Linux
Client
apt-get install nis rpcbind                       # Debian, Ubuntu

yum install yp-tools ypbind rpcbind               # Redhat, Fedora
systemctl enable rpcbind.service ypbind.service

emerge yp-tools ypbind rpcbind                    # Gentoo
rc-update add rpcbind default
rc-update add ypbind default
The NIS domainname must be set, not to be confused with the DNS domainname:
$ cat /etc/defaultdomain
example.com

$ domainname `cat /etc/defaultdomain`
For Fedora systems:
$ grep NIS /etc/sysconfig/network /etc/sysconfig/authconfig
/etc/sysconfig/network:NISDOMAIN=example.com
/etc/sysconfig/authconfig:USENIS=yes
Specify our NIS server:
$ grep ^ypserver /etc/yp.conf
ypserver 10.0.0.1
The Name Service Switch should already be configured correctly and may look like this:
$ grep -E '^(passwd|group|hosts|shadow)' /etc/nsswitch.conf
passwd:         compat
shadow:         compat
group:          compat
hosts:          files dns
Use NIS for users, groups (and shadow passwords):
echo '+::::::' >> /etc/passwd
echo '+:::' >> /etc/group
echo '+::::::::' >> /etc/shadow
Without these entries, nsswitch.conf must explicitly specify NIS:
$ grep -E '^(passwd|group|hosts|shadow)' /etc/nsswitch.conf
passwd:         files nis
shadow:         files nis
group:          files nis
hosts:          files dns
Configure as an NIS client:
$ grep =. /etc/default/nis
NISSERVER=false
NISCLIENT=true
YPPWDDIR=/etc
YPCHANGEOK=chsh
YPBINDARGS=-no-dbus

service nis restart                               # Debian
service ypbind restart                            # Ubuntu, Gentoo
systemctl start rpcbind.service ypbind.service    # Redhat, Fedora
Server
$ apt-get install nis                             # Debian, Ubuntu

$ cat /etc/defaultdomain
example.com
Be sure to set the NIS domainname if not already set, otherwise ypbind might not start:
$ domainname `cat /etc/defaultdomain`
We're our own NIS server:
$ grep ^ypserver /etc/yp.conf
ypserver 127.0.0.1
Configure as an NIS (master-)server:
$ grep =. /etc/default/nis
NISSERVER=master
NISCLIENT=false
YPPWDDIR=/etc
YPCHANGEOK=chsh
Adjust ypserv.securenets to allow NIS requests from localhost and a local network (10.2.0.0/24):
$ grep ^[0-9] /etc/ypserv.securenets
255.255.255.255 127.0.0.0
255.255.255.0   10.2.0.0
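As an added example (not part of the original page or of the NIS tools), the following script audits a securenets-style file: it reports whether a given client address would be accepted and lists catch-all entries. It assumes ypserv accepts a client when (address AND netmask) equals the network field; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a ypserv.securenets-style file ("netmask network" lines).
# Assumed rule: a client is accepted when (address AND netmask) == network.

# Convert a dotted quad such as 10.2.0.17 to an integer.
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print "allow" if address $2 matches an entry in file $1, otherwise "deny".
securenets_check() {
    addr=$(ip2int "$2")
    while read -r mask net rest; do
        case $mask in [0-9]*) ;; *) continue ;; esac   # skip comments, blanks
        m=$(ip2int "$mask"); n=$(ip2int "$net")
        if [ $(( $addr & $m )) -eq "$n" ]; then
            echo allow; return 0
        fi
    done < "$1"
    echo deny
}

# Print every entry in file $1 whose netmask is 0.0.0.0 (accepts any client).
securenets_world_open() {
    while read -r mask net rest; do
        if [ "$mask" = 0.0.0.0 ]; then echo "$mask $net"; fi
    done < "$1"
    return 0
}

# Constructed sample files: the 10.2.0.0/24 entry from this page, once on its
# own ("tight") and once followed by a catch-all line ("weak").
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# constructed sample' '255.255.255.0 10.2.0.0' > "$tmp/tight"
printf '%s\n' '255.255.255.0 10.2.0.0' '0.0.0.0 0.0.0.0' > "$tmp/weak"

for f in tight weak; do
    for ip in 10.2.0.17 192.0.2.50; do
        echo "$f: $ip -> $(securenets_check "$tmp/$f" "$ip")"
    done
    securenets_world_open "$tmp/$f" | sed "s/^/$f: catch-all entry: /"
done
```

With the catch-all line present, the address outside 10.2.0.0/24 is accepted as well, which means any host that can reach the server can read the maps.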
Adjust ypserv.conf for finer-grained security. However, since NIS should only be deployed in a trusted environment, the defaults should be sufficient.
$ grep -v ^\# /etc/ypserv.conf
10.2.0.0/255.255.255.0 : * : shadow.byname         : port
10.2.0.0/255.255.255.0 : * : passwd.adjunct.byname : port
*                      : * : *                     : none
Set up the server:
$ /usr/lib/yp/ypinit -m
        next host to add:  server.example.com
        next host to add:  ^D
The current list of NIS servers looks like this:

server.example.com

Is this correct?  [y/n: y]
We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...

server.example.com has been set up as a NIS master server.

Now you can run ypinit -s server.example.com on all slave server.
Let's (re)start our NIS server:
/etc/init.d/nis restart
Note:
- /var/yp/Makefile will only generate password entries for UIDs/GIDs within a certain range, so make sure that the UID and the primary GID of NIS-authenticated users are within the specified range! To do this, you might want to assign each of your (UID>=1000) users to their own group:
<source lang=bash>
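# Loop over all users whose UID matches the pattern (1000-1999).
for u in `getent passwd | awk -F: '/:x:1[0-9][0-9][0-9]:/ {print $1}'`; do
    echo "$u"
    # Create a group named after the user unless it already exists.
    getent group "$u" > /dev/null || groupadd "$u"
    # Make it the primary group and keep "users" as a supplementary group.
    usermod -g "$u" -G users "$u"
    # Hand the home directory over to the new user:group pair.
    chown -R "$u:$u" "`getent passwd "$u" | awk -F: '{print $6}'`"
done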
</source>
BSD
FreeBSD
Enable NIS in rc.conf:
$ grep nis /etc/rc.conf
nisdomainname="example.com"
nis_client_enable="YES"
nis_client_flags="-s -S example.com,10.0.0.10"    # 10.0.0.10 is our NIS server
Add entries to master.passwd and group:
echo '+:::::::::' >> /etc/master.passwd
echo '+:*::' >> /etc/group
Start NIS:
/etc/rc.d/nisdomain start
/etc/rc.d/ypbind start
At this point, NIS should be working (ypcat...), but we need to modify nsswitch.conf for general usage:
$ grep -E '^passwd|group' /etc/nsswitch.conf
group: compat
group_compat: nis
passwd: compat
passwd_compat: nis
NetBSD
We set our NIS domainname and start ypbind(8):
domainname example.com
domainname > /etc/defaultdomain
ypinit -c
/etc/rc.d/ypbind start
To enable this during startup:
$ grep bind /etc/rc.conf
rpcbind=YES     rpcbind_flags="-l -s"
ypbind=YES      ypbind_flags=""
The name service switch needs to be edited as well:
$ grep -E '^(group|passwd):' /etc/nsswitch.conf
group:          files nis
passwd:         files nis
OpenBSD
We'll be an NIS client:
domainname example.com
domainname > /etc/defaultdomain
Adjust the NIS server name as needed:
$ cat /etc/yp/`domainname`
10.0.0.2
Enable the portmapper and ypbind:
$ grep -E 'portmap|ypbind' /etc/rc.conf.local
portmap=YES
ypbind=YES
Let's pull all the usernames and groupnames from the YP domain:
echo '+:*::::::::' >> /etc/master.passwd
echo '+:*::' >> /etc/group
pwd_mkdb -p /etc/master.passwd
Solaris
Client
domainname int.example.com
domainname > /etc/defaultdomain
ypinit -c

cd /etc
cp -p nsswitch.conf nsswitch.conf.orig
sed 's/^hosts.*/hosts: files dns/' nsswitch.nis > nsswitch.conf

svcadm enable svc:/network/nis/client
Note: we're getting warnings after ypinit -c, yet NIS seems to work.
Server
domainname int.example.com
domainname > /etc/defaultdomain
touch /etc/{bootparams,timezone,netgroup}         # Create missing files if needed!
ypinit -m
After ypinit exits successfully, the following services should have been started:
$ svcs -a | grep /nis
disabled       Jul_10   svc:/network/rpc/nisplus:default
online         17:00:29 svc:/network/nis/xfr:default
online         17:00:30 svc:/network/nis/update:default
online         17:00:30 svc:/network/nis/server:default
online         17:00:31 svc:/network/nis/passwd:default
online         17:10:13 svc:/network/nis/client:default
Links
- Debian NIS HOWTO (Adam Powell, Miquel van Smoorenburg, 2003)
- HOWTO Setup NIS (2008-10-03)
- Configuring your System: Networking Information (Gentoo Linux Handbook)