HOWTO Setup NIS

From Gentoo Linux Wiki

This article is part of the HOWTO series.

This HOWTO details setting up NIS on a Gentoo Box as well as running the client.


Common (Clients and Servers)

NIS Domain

The NIS domain should be some string that is not normally associated with the DNS domain name of your machine. The reason is that it makes it a little harder for external crackers to retrieve the password database from your NIS servers. If you don't know what the NIS domain name is on your network, ask your system or network administrator (or just log on to the NIS server and type nisdomainname).

Edit /etc/conf.d/net and add:

Code: /etc/conf.d/net
nis_domain_eth0="yournisdomain"
# server IPs
nis_servers_eth0="serverIP1 serverIP2"

or add:

Code: /etc/conf.d/net
nis_domain_lo="yournisdomain"

Note: Current baselayout removed the NISDOMAIN configuration from /etc/conf.d/domainname, and also removed the /etc/init.d/domainname script. [1]

If for some reason you don't want to use net-scripts to set your NIS domain, you can use hostname -y yournisdomain to set it. A good reason for this may be that you want a static /etc/yp.conf.

Client

Installing the tools

emerge yp-tools ypbind

Make sure you have pam compiled with the nis USE flag enabled.

Setting Up the NIS Client

The client configuration file is /etc/yp.conf. You can hardcode a NIS server there; for more information see the manual page for ypbind(8). You also need this file for NYS. An example:

File: yp.conf
ypserver 10.10.0.1
ypserver 10.0.100.8
ypserver 10.3.1.1

If the system can resolve the hostnames without NIS, you may use the name; otherwise you have to use the IP address. ypbind 3.3 has a bug and will only use the last entry (ypserver 10.3.1.1 in the example); all other entries are ignored. ypbind-mt handles this correctly and uses whichever server answers first.

Note: You do not need to edit /etc/yp.conf if you have nis_* entries in /etc/conf.d/net.

Start Services

Start up portmap and ypbind:

portmap
ypbind

Registered?

Use the command rpcinfo -p localhost to check if ypbind was able to register its service with the portmapper. The output should look like:

Code: rpcinfo -p localhost
      program vers proto   port
       100000    2   tcp    111  portmapper
       100000    2   udp    111  portmapper
       100007    2   udp    637  ypbind
       100007    2   tcp    639  ypbind

or

      program vers proto   port
       100000    2   tcp    111  portmapper
       100000    2   udp    111  portmapper
       100007    2   udp    758  ypbind
       100007    1   udp    758  ypbind
       100007    2   tcp    761  ypbind
       100007    1   tcp    761  ypbind

Which of the two you see depends on the ypbind version you are using.

You may also run rpcinfo -u localhost ypbind. This command should produce something like:
Code: rpcinfo -u localhost ypbind
       program 100007 version 2 ready and waiting

or

       program 100007 version 1 ready and waiting
       program 100007 version 2 ready and waiting

The output depends on the ypbind version you have installed; only the "version 2" message matters.
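The two rpcinfo checks above are easy to eyeball once, but on a fleet of clients you want them scripted. The following is an added example, not code from the Gentoo wiki page: it parses the table that rpcinfo -p prints and reports on which protocols ypbind (RPC program 100007) is missing a version 2 registration. The two sample outputs are constructed to mirror the variants shown above; the only external command it calls is rpcinfo itself, and it falls back to the sample when rpcinfo is unavailable.

```python
"""Check `rpcinfo -p` output for a usable ypbind registration.

Added example, not code from the Gentoo wiki page: parses the table that
`rpcinfo -p localhost` prints and decides whether ypbind (RPC program
number 100007) is registered with version 2 on both UDP and TCP, which
is what the NIS client side needs. The sample outputs are constructed
to mirror the two variants shown on the page.
"""
import subprocess

YPBIND_PROGRAM = 100007
REQUIRED_VERSION = 2
REQUIRED_PROTOS = ("tcp", "udp")

# Constructed sample: ypbind-mt registers versions 1 and 2 on both protocols.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    758  ypbind
    100007    1   udp    758  ypbind
    100007    2   tcp    761  ypbind
    100007    1   tcp    761  ypbind
"""

# Constructed sample: portmap is up but ypbind never registered.
SAMPLE_RPCINFO_NO_YPBIND = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
"""


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into (program, version, proto, port, name) tuples.

    The header line and blank lines are skipped; the service name column is
    treated as optional.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        program, version, proto, port = (int(fields[0]), int(fields[1]),
                                         fields[2], int(fields[3]))
        name = fields[4] if len(fields) > 4 else ""
        entries.append((program, version, proto, port, name))
    return entries


def missing_ypbind_registrations(text):
    """Protocols on which ypbind version 2 is NOT registered (empty list = OK)."""
    present = {proto for program, version, proto, _port, _name in parse_rpcinfo(text)
               if program == YPBIND_PROGRAM and version == REQUIRED_VERSION}
    return [proto for proto in REQUIRED_PROTOS if proto not in present]


def ypbind_registered(text):
    """True when ypbind version 2 is registered on both udp and tcp."""
    return not missing_ypbind_registrations(text)


if __name__ == "__main__":
    try:
        output = subprocess.run(["rpcinfo", "-p", "localhost"], capture_output=True,
                                text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("rpcinfo not available here; checking the constructed sample instead")
        output = SAMPLE_RPCINFO
    missing = missing_ypbind_registrations(output)
    print("ypbind OK" if not missing else "ypbind v2 missing on: " + ", ".join(missing))
```

Run it on a client after starting portmap and ypbind; a non-empty "missing on" list is the scripted equivalent of not seeing the version 2 lines in the rpcinfo output above.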

At this point you should be able to use NIS client programs like ypcat. For example, ypcat passwd.byname will give you the entire NIS password database.

To check whether the domainname is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is stricter: for example, it does not allow the "(none)" domainname, which is the default under Linux and causes a lot of problems.

If the test worked, you may now want to change your startup files so that ypbind is started at boot time and your system acts as a NIS client. Make sure that the domainname is set before you start ypbind.

Startup Setup

Once you get your system talking to the NIS server, you will want it to do so on startup. Thus, you need to enter the following commands:

rc-update add portmap default
rc-update add ypbind default

Setting up a NIS Client using Traditional NIS

Add the following line to /etc/passwd and /etc/group on your NIS clients:

+::::::

You can also use the + and - characters to include, exclude or change users. If you want to exclude the user guest, just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user "linux"? No problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/passwd. Fields that you don't want to change have to be left empty. You could also use netgroups for user control.

For example, to allow login access only to miquels, dth and ed, and to all members of the sysadmins netgroup, but still have the account data of all other users available, use:

+miquels:::::::
+ed:::::::
+dth:::::::
+@sysadmins:::::::
-ftp
+:*::::::/etc/NoShell

Note that in Linux you can also override the password field, as we did in this example. We also remove the login "ftp", so it is no longer known, and anonymous ftp will not work.
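Because compat mode takes the first matching line, the order of these +/- entries decides who can log in, and a mistake is silent. The following is an added example, not code from the Gentoo wiki page or the NIS project: a small model of the compat lookup for the policy above, so you can check what a given user resolves to before copying the lines to every client. The NIS passwd map and the sysadmins netgroup are constructed sample data, and the entries are written in the seven-field layout of passwd(5), i.e. with one colon fewer than the listing above shows; both are assumptions of the example.

```python
"""Model of how nsswitch 'compat' interprets +/- entries in /etc/passwd.

Added example, not code from the Gentoo wiki page: a small simulation of
the lookup order behind the +miquels / +@sysadmins / -ftp / +:*:... entries,
so an access policy can be checked before it is deployed.
Rules modelled (the first matching line wins):
  name:...      ordinary local entry
  -name         user is hidden; the lookup fails
  +name:...     user is taken from NIS; non-empty fields override
  +@netgroup    user is taken from NIS if a member of that netgroup
  +:...         every remaining NIS user, with the same field overrides
Assumptions: the NIS map and the netgroup below are constructed sample
data, and the entries use the seven-field layout of passwd(5).
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")
NO_SHELL = "/etc/NoShell"   # the non-shell used on the page to block logins

# Constructed NIS passwd.byname map (what ypcat passwd.byname would show).
NIS_PASSWD = {
    "miquels": "miquels:x:1001:100:Miquel:/home/miquels:/bin/bash",
    "ed":      "ed:x:1002:100:Ed:/home/ed:/bin/bash",
    "dth":     "dth:x:1003:100:dth:/home/dth:/bin/bash",
    "alice":   "alice:x:1004:100:Alice:/home/alice:/bin/bash",
    "bob":     "bob:x:1005:100:Bob:/home/bob:/bin/bash",
    "ftp":     "ftp:x:40:40:FTP user:/srv/ftp:/bin/false",
}
# Constructed netgroup map: alice is the only sysadmin.
NETGROUPS = {"sysadmins": {"alice"}}

# Tail of a client's /etc/passwd implementing the page's policy.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+miquels::::::
+ed::::::
+dth::::::
+@sysadmins::::::
-ftp
+:*:::::/etc/NoShell
"""


def parse_entry(line):
    """Split one passwd line into a dict; missing trailing fields become ''."""
    fields = line.split(":")
    fields += [""] * (len(PASSWD_FIELDS) - len(fields))
    return dict(zip(PASSWD_FIELDS, fields))


def apply_overrides(nis_line, overrides):
    """Take the NIS entry and replace each field the + line sets non-empty."""
    entry = parse_entry(nis_line)
    for field in PASSWD_FIELDS[1:]:
        if overrides[field]:
            entry[field] = overrides[field]
    return entry


def in_netgroup(user, spec, netgroups):
    """True if spec is '+@grp' or '-@grp' and user is a member of grp."""
    return spec[1:2] == "@" and user in netgroups.get(spec[2:], ())


def getpwnam(user, local_passwd=LOCAL_PASSWD, nis=NIS_PASSWD, netgroups=NETGROUPS):
    """Resolve user the way compat mode would; None means unknown or hidden."""
    for line in filter(None, local_passwd.splitlines()):
        entry = parse_entry(line)
        name = entry["name"]
        if name == user:                      # plain local account
            return entry
        excluded = name == "-" + user or (
            name.startswith("-") and in_netgroup(user, name, netgroups))
        if excluded:
            return None                       # explicitly hidden
        included = name == "+" or name == "+" + user or (
            name.startswith("+") and in_netgroup(user, name, netgroups))
        if included and user in nis:
            return apply_overrides(nis[user], entry)
    return None                               # no line matched


def login_allowed(user, **lookup):
    """Interactive login needs a known entry, an unlocked password and a real shell."""
    entry = getpwnam(user, **lookup)
    return entry is not None and entry["passwd"] != "*" and entry["shell"] != NO_SHELL


def unreachable_entries(local_passwd):
    """+/- lines placed after a catch-all '+' never match; a '-user' there hides nobody."""
    catch_all_seen, shadowed = False, []
    for line in filter(None, local_passwd.splitlines()):
        name = line.split(":", 1)[0]
        if catch_all_seen and name[:1] in ("+", "-"):
            shadowed.append(name)
        if name == "+":
            catch_all_seen = True
    return shadowed


if __name__ == "__main__":
    for user in ("miquels", "alice", "bob", "ftp", "nobody"):
        entry = getpwnam(user)
        shell = "none" if entry is None else entry["shell"]
        print(f"{user:8} shell={shell:14} login={'yes' if login_allowed(user) else 'no'}")
    print("shadowed:", unreachable_entries("+:*:::::/etc/NoShell\n-ftp\n"))
```

With the policy as written, bob is known to the system (his uid, home and gecos come from NIS) but gets the locked password and /etc/NoShell, while ftp is not known at all. unreachable_entries() catches the classic mistake of putting -ftp after the catch-all + line, where it would never be consulted.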

Make sure /etc/yp.conf points at your NIS server's IP address (see Setting Up the NIS Client above).

To complete the installation, you have to modify /etc/nsswitch.conf to add NIS support for authentication.

Change :

passwd:      compat
shadow:      compat
group:       compat
netgroup:    files

to:

passwd:      compat nis
shadow:      compat nis
group:       compat nis
netgroup:    files nis

Some remarks

You may encounter an unclean shutdown when using NIS with udev. You may also have a problem at startup (portmap takes a long time to start). The solution is from bug #42139: you have to prevent net.lo from stopping, e.g. by adding a "return 0" line at the very beginning of the iface_stop() function in /etc/init.d/net.lo.

File: /etc/init.d/net.lo
iface_stop() {
        return 0
        ...
}

Server

These instructions are for setting up a YP master.

Installing the tools

emerge yp-tools ypserv

Set up the maps

Master

Enter the /var/yp directory and edit Makefile. Find the "all:" rule and comment out all but the maps you need. If you're just authenticating users, then all you need is

all: passwd group shadow

If you don't want to generate your YP information against the server's own files under /etc, change YPSRCDIR and YPPWDDIR to a directory where you want to store such files, e.g., /var/yp/ypfiles. Copy the relevant files into that directory. If your system doesn't have a gshadow file, you will likely need to create a blank one:

touch /etc/gshadow

Run ypinit in master mode:

/usr/lib/yp/ypinit -m

Start the YP server and add it to the default runlevel:

/etc/init.d/ypserv start
rc-update add ypserv default

You can now edit the source files (either in /etc or in the directory you set up above), then run make from the /var/yp directory to regenerate the maps.

If you set YPSRCDIR and YPPWDDIR above, then edit /etc/conf.d/rpc.yppasswd to include the -D option.

Slave

Run /usr/lib/yp/ypinit -s master where master is the hostname of the (already configured) YP master.
