NIS

From Segfault

Linux

Client

apt-get install nis rpcbind                     # Debian, Ubuntu

yum install yp-tools ypbind rpcbind             # Redhat, Fedora
systemctl enable rpcbind.service ypbind.service

emerge yp-tools ypbind rpcbind                  # Gentoo
rc-update add rpcbind default
rc-update add ypbind default

The NIS domainname must be set, not to be confused with the DNS domainname:

$ cat /etc/defaultdomain       
example.com
$ domainname `cat /etc/defaultdomain`

For Fedora systems:

$ grep NIS /etc/sysconfig/network /etc/sysconfig/authconfig 
/etc/sysconfig/network:NISDOMAIN=example.com
/etc/sysconfig/authconfig:USENIS=yes

Specify our NIS server:

$ grep ^ypserver /etc/yp.conf
ypserver 10.0.0.1 

The Name Service Switch should already be configured correctly and may look like this:

$ grep -E '^(passwd|group|hosts|shadow)' /etc/nsswitch.conf
passwd:         compat
shadow:         compat
group:          compat
hosts:          files dns

Use NIS for users, groups (and shadow passwords):

echo '+::::::'   >> /etc/passwd
echo '+:::'      >> /etc/group
echo '+::::::::' >> /etc/shadow

Without these entries, nsswitch.conf must explicitly specify NIS:

$ grep -E '^(passwd|group|hosts|shadow)' /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
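
To audit which account databases on a host actually reach NIS, the two variants above (compat plus a `+` entry, or an explicit `nis` source) can be checked in one pass. This is an added example, not part of the original page; it assumes the Linux file layout, and the `ROOT` argument is a hypothetical parameter so that a copied /etc tree can be inspected offline:

```shell
#!/bin/sh
# Added example: report whether account lookups on a (Linux) host reach NIS.
# ROOT is a hypothetical parameter: the directory that contains etc/.

# nis_enabled ROOT DB -> exit 0 if lookups for DB (passwd|group|shadow) use NIS
nis_enabled() {
    conf=$1/etc/nsswitch.conf
    # Sources configured for DB, comments stripped, whitespace normalised
    sources=$(sed -n "s/^$2:[[:space:]]*//p" "$conf" | sed 's/#.*//' \
              | tr -s '[:space:]' ' ')
    case " $sources " in
        *" nis "*)    return 0 ;;                 # explicit "files nis"
        *" compat "*)                             # compat needs a "+" entry
            grep -q '^[+]' "$1/etc/$2" 2>/dev/null && return 0 ;;
    esac
    return 1
}

# nis_report ROOT -> prints one status line per database
nis_report() {
    for db in passwd group shadow; do
        if nis_enabled "$1" "$db"; then echo "$db: NIS"
        else echo "$db: local only"; fi
    done
}

# Constructed sample tree: compat mode, "+" entries in passwd and group only
root=$(mktemp -d); mkdir "$root/etc"
printf '%s\n' 'passwd: compat' 'group: compat' 'shadow: compat' \
              'hosts: files dns' > "$root/etc/nsswitch.conf"
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' '+::::::' > "$root/etc/passwd"
printf '%s\n' 'root:x:0:' '+:::' > "$root/etc/group"
printf '%s\n' 'root:*:19000:0:99999:7:::' > "$root/etc/shadow"
nis_report "$root"
rm -rf "$root"
```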

Configure as an NIS client:

$ grep =. /etc/default/nis
NISSERVER=false
NISCLIENT=true
YPPWDDIR=/etc
YPCHANGEOK=chsh
YPBINDARGS=-no-dbus

service nis restart                              # Debian
service ypbind restart                           # Ubuntu, Gentoo
systemctl start rpcbind.service ypbind.service   # Redhat, Fedora

Server

$ apt-get install nis             # Debian, Ubuntu

$ cat /etc/defaultdomain
example.com

Be sure to set the NIS domainname if not already set, otherwise ypbind might not start:

$ domainname `cat /etc/defaultdomain`

We're our own NIS server:

$ grep ^ypserver /etc/yp.conf
ypserver 127.0.0.1

Configure as an NIS (master-)server:

$ grep =. /etc/default/nis
NISSERVER=master
NISCLIENT=false
YPPWDDIR=/etc
YPCHANGEOK=chsh

Adjust ypserv.securenets to allow NIS requests from localhost and a local network (10.2.0.0/24):

$ grep '^[0-9]' /etc/ypserv.securenets
255.0.0.0       127.0.0.0
255.255.255.0   10.2.0.0
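
Before restarting ypserv it is worth checking which clients a securenets file really admits. The following is an added example, not part of the original page; it handles only netmask/network pairs as shown above and assumes that a client is admitted when (client AND netmask) equals the network. The sample rules are constructed:

```shell
#!/bin/sh
# Added example: offline check of ypserv.securenets rules (netmask/network pairs).
# Assumption: ypserv admits a client when (client AND netmask) == network.

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE CLIENT_IP -> exit 0 if any rule admits CLIENT_IP
securenets_allows() {
    client=$(ip2int "$2")
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac     # blank lines, comments
        [ -n "$net" ] || continue                   # malformed rule
        m=$(ip2int "$mask"); n=$(ip2int "$net")
        [ $(( client & m )) -eq "$n" ] && return 0
    done < "$1"
    return 1
}

# securenets_open_rules FILE -> prints how many rules admit every address
securenets_open_rules() {
    count=0
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac
        [ -n "$net" ] || continue
        if [ "$(ip2int "$mask")" -eq 0 ] && [ "$(ip2int "$net")" -eq 0 ]; then
            count=$((count + 1))
        fi
    done < "$1"
    echo "$count"
}

# Constructed sample rules: localhost plus the 10.2.0.0/24 network
rules=$(mktemp)
printf '%s\n' '# netmask       network' \
              '255.0.0.0       127.0.0.0' \
              '255.255.255.0   10.2.0.0' > "$rules"
for ip in 127.0.0.1 10.2.0.55 10.3.0.1; do
    if securenets_allows "$rules" "$ip"; then echo "$ip allowed"
    else echo "$ip denied"; fi
done
echo "rules open to everyone: $(securenets_open_rules "$rules")"
rm -f "$rules"
```

A non-zero count from `securenets_open_rules` means the file contains a `0.0.0.0 0.0.0.0` rule, which lets any host that can reach the server query its maps.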

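Adjust ypserv.conf for finer-grained security. However, since NIS should only be deployed in a trusted environment, the defaults should be sufficient. In the rules below, "port" answers requests for the shadow maps only when they come from a privileged source port (below 1024), and "none" allows access to all other maps without further checks.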

$ grep -v ^\# /etc/ypserv.conf
10.2.0.0/255.255.255.0       : *       : shadow.byname         : port
10.2.0.0/255.255.255.0       : *       : passwd.adjunct.byname : port
*                            : *       : *                     : none

Set up the server:

$ /usr/lib/yp/ypinit -m

      next host to add:  server.example.com
      next host to add:  ^D
The current list of NIS servers looks like this:
 
  server.example.com
 
Is this correct?  [y/n: y]  
We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...
 
server.example.com has been set up as a NIS master server.
Now you can run ypinit -s server.example.com on all slave server.

Let's (re)start our NIS server:

/etc/init.d/nis restart

Note:

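  • /var/yp/Makefile will generate password entries for certain UIDs/GIDs only (see MINUID and MINGID in the Makefile) - make sure that the UID and the primary GID of NIS-authenticated users are within the specified range! To do this, you might want to assign each of your (UID>=1000) users to their own group:

# Select users by UID field (1000-1999), not by a match anywhere in the line
for u in $(getent passwd | awk -F: '$3 ~ /^1[0-9][0-9][0-9]$/ {print $1}'); do
   echo "$u"
   # Create a private group named after the user if it does not exist yet
   getent group "$u" > /dev/null || groupadd "$u"
   # Make it the primary group; "users" becomes the only supplementary group
   usermod -g "$u" -G users "$u"
   # Hand the home directory over to the new user:group pair
   chown -R "$u:$u" "$(getent passwd "$u" | awk -F: '{print $6}')"
done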

BSD

FreeBSD

Enable NIS in rc.conf:

$ grep nis /etc/rc.conf 
nisdomainname="example.com"
nis_client_enable="YES"
nis_client_flags="-s -S example.com,10.0.0.10"                 # 10.0.0.10 is our NIS server

Add entries to master.passwd and group:

echo '+:::::::::' >> /etc/master.passwd
echo '+:*::' >> /etc/group

Start NIS:

/etc/rc.d/nisdomain start
/etc/rc.d/ypbind start

At this point, NIS should be working (ypcat...), but we need to modify nsswitch.conf for general usage:

$ grep -E '^(passwd|group)' /etc/nsswitch.conf
group: compat
group_compat: nis
passwd: compat
passwd_compat: nis

NetBSD

Set the NIS domainname and start ypbind(8):

domainname example.com
domainname > /etc/defaultdomain
ypinit -c
/etc/rc.d/ypbind start

To enable this during startup:

$ grep bind /etc/rc.conf
rpcbind=YES          rpcbind_flags="-l -s"
ypbind=YES           ypbind_flags=""

The name service switch needs to be edited as well:

$ grep -E '^(group|passwd):' /etc/nsswitch.conf 
group:               files nis
passwd:              files nis

OpenBSD

We'll be an NIS client:

domainname example.com
domainname > /etc/defaultdomain

Adjust the NIS server name as needed:

$ cat /etc/yp/`domainname`
10.0.0.2

Enable the portmapper and ypbind:

$ grep -E 'portmap|ypbind' /etc/rc.conf.local
portmap=YES
ypbind=YES

Let's pull all the usernames and groupnames from the YP domain:

echo '+:*::::::::' >> /etc/master.passwd
echo '+:*::' >> /etc/group
pwd_mkdb -p /etc/master.passwd

Solaris

Client

domainname int.example.com
domainname > /etc/defaultdomain

ypinit -c
cd /etc
cp -p nsswitch.conf nsswitch.conf.orig
sed 's/^hosts.*/hosts:   files dns/' nsswitch.nis > nsswitch.conf
svcadm enable svc:/network/nis/client

Note: we're getting warnings after ypinit -c, yet NIS seems to work.

Server

domainname int.example.com
domainname > /etc/defaultdomain
touch /etc/{bootparams,timezone,netgroup}           # Create missing files if needed!

ypinit -m

After ypinit exits successfully, the following services should have been started:

$ svcs -a | grep /nis
disabled       Jul_10   svc:/network/rpc/nisplus:default
online         17:00:29 svc:/network/nis/xfr:default
online         17:00:30 svc:/network/nis/update:default
online         17:00:30 svc:/network/nis/server:default
online         17:00:31 svc:/network/nis/passwd:default
online         17:10:13 svc:/network/nis/client:default
