Title: nis
Subject: short notes on nis
Notes from: http://www.linux-nis.org/nis-howto/HOWTO/setting_nis.html
---------------------------------------------------
client programs: ypbind, ypwhich, ypcat, yppoll, ypmatch
server programs: makedbm, yppush, ypserv
---------------------------------------------------
For secure rpc you need the time service enabled in /etc/inetd.conf

Source of NIS software:
  ftp.kernel.org  /pub/linux/utils/net/NIS  yp-tools-2.8.tar.gz
  ftp.kernel.org  /pub/linux/utils/net/NIS  ypbind-mt-1.13.tar.gz
  ftp.kernel.org  /pub/linux/utils/net/NIS  ypbind-3.3.tar.gz
  ftp.kernel.org  /pub/linux/utils/net/NIS  ypbind-3.3-glibc5.diff.gz
---------------------------------------------------
/etc/yp.conf contains:
  ypserver 10.10.0.1
  ypserver 10.0.100.8
  ypserver 10.3.1.1

NOTE: ypbind 3.3 has a bug: it only uses the last entry.

The NIS domain name is set in /etc/defaultdomain, but the file differs between Linux distributions:
  Caldera 2.x                         /etc/nis.conf
  Red Hat Linux 6.x, 7.x, 8.x and 9   /etc/sysconfig/network
  SuSE Linux 6.x and 7.x              YP_DOMAINNAME in /etc/rc.config
  SuSE Linux 8.x and later            /etc/defaultdomain
---------------------------------------------------
TEST: To test ypbind do the following:
  /bin/domainname nis.domain
  /sbin/portmap
  if [ ! -d /var/yp ] ; then mkdir /var/yp ; fi
  /usr/sbin/ypbind
  rpcinfo -p localhost
  rpcinfo -u localhost ypbind
  ypcat passwd.byname

To test the domainname:
  /bin/ypdomainname
To test the passwd map:
  ypmatch userid passwd
To test with the GNU C library tool getent:
  getent passwd login
  getent passwd
---------------------------------------------------
To use nis for hostname lookups, /etc/nsswitch.conf:
  hosts:  files dns nis
  passwd: compat
  group:  compat
  shadow: files nis
---------------------------------------------------
To use nis users, /etc/passwd:
  +::::::
---------------------------------------------------
To allow login access only to miquels and the sysadmins netgroup:
  +miquels:::::::
  +@sysadmins:::::::
  +:*::::::/etc/NoShell

NOTE: The netgroup would look like:
  sysadmins (-,software,) (-,kukuk,)
---------------------------------------------------
Shadow passwords over NIS are always a bad idea.
---------------------------------------------------
Client PAM: /etc/pam.d/login
  #%PAM-1.0
  auth     requisite pam_unix2.so nullok #set_secrpc
  auth     required  pam_securetty.so
  auth     required  pam_nologin.so
  auth     required  pam_env.so
  auth     required  pam_mail.so
  account  required  pam_unix2.so
  password required  pam_pwcheck.so nullok
  password required  pam_unix2.so nullok use_first_pass use_authtok
  session  required  pam_unix2.so none # debug or trace
  session  required  pam_limits.so
---------------------------------------------------
NIS+ client setup:
  check that the time is correct
  domainname nisplus.domain.
  nisinit -c -H
To test passwd data:
  niscat passwd.org_dir

Setup PAM /etc/pam.d/login
  #%PAM-1.0
  auth     required /lib/security/pam_securetty.so
  auth     required /lib/security/pam_unix2.so set_secrpc
  auth     required /lib/security/pam_nologin.so
  account  required /lib/security/pam_unix2.so
  password required /lib/security/pam_unix2.so
  session  required /lib/security/pam_unix2.so

Setup nsswitch.conf
  passwd:        compat
  group:         compat
  shadow:        compat
  passwd_compat: nisplus
  group_compat:  nisplus
  shadow_compat: nisplus
  hosts:      nisplus files dns
  services:   nisplus [NOTFOUND=return] files
  networks:   nisplus [NOTFOUND=return] files
  protocols:  nisplus [NOTFOUND=return] files
  rpc:        nisplus [NOTFOUND=return] files
  ethers:     nisplus [NOTFOUND=return] files
  netmasks:   nisplus [NOTFOUND=return] files
  netgroup:   nisplus
  bootparams: nisplus [NOTFOUND=return] files
  publickey:  nisplus
  automount:  files
  aliases:    nisplus [NOTFOUND=return] files
---------------------------------------------------
Setup an NIS Server
  Add entries to the "all" rule in /var/yp/Makefile
  Add -c to makedbm in /var/yp/Makefile
  edit /var/yp/securenets
  edit /etc/ypserv.conf
  start portmapper and ypserv
Test:
  rpcinfo -u localhost ypserv
Generate the NIS (YP) database on the master:
  /usr/lib/yp/ypinit -m
On the slave:
  /usr/lib/yp/ypinit -s masterhost
Update the maps (and push to slaves):
  cd /var/yp; make
  Don't use ypinit for updates.

Cron for root should contain:
  20 * * * *    /usr/lib/yp/ypxfr_1perhour
  40 6 * * *    /usr/lib/yp/ypxfr_1perday
  55 6,18 * * * /usr/lib/yp/ypxfr_2perday

Add a slave server:
  On the slave run:  /usr/lib/yp/ypinit -s masterhost
  On the master:     add the slave to /var/yp/ypservers and run make in /var/yp

Password changes are handled by a daemon on the NIS master server:
  rpc.yppasswdd -D /etc/yp -s /etc/yp/shadow -p /etc/yp/passwd -e chsh
---------------------------------------------------
Edit nis maps:
  edit the /var/yp/Makefile
  make -C /var/yp
One line can only be 1024 characters long.
---------------------------------------------------
Change password
  Bad method:    yppasswd -or- rpasswd -a
  Better method: rpasswd (part of pwdutils)
---------------------------------------------------
Server Config
Generate the server certificate:
  openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem

PAM configuration
If passwords are in /etc/passwd:
  #%PAM-1.0
  auth     required pam_unix2.so
  account  required pam_unix2.so
  password required pam_pwcheck.so
  password required pam_unix2.so use_first_pass use_authtok
  password required pam_make.so /var/yp
  session  required pam_unix2.so
If passwords are in /etc/yp:
  #%PAM-1.0
  auth     required pam_unix2.so
  account  required pam_unix2.so
  password required pam_pwcheck.so nisdir=/etc/yp
  password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok
  password required pam_make.so /var/yp
  session  required pam_unix2.so

Start rpasswdd on the NIS master.

The client only needs the config file /etc/rpasswd.conf:
  # rpasswdd runs on master.example.com
  server master.example.com
  # Port 774 is the default port
  port 774
---------------------------------------------------
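Added example (shell; not from the HOWTO or from these notes): a small audit of the client-side settings covered in the nsswitch.conf and /etc/passwd sections above. It reports which sources a database is looked up in, warns when shadow is pulled over NIS (the "bad idea" above), and tells whether the passwd compat entries admit every NIS user (bare +::::::) or only the listed users and netgroups. All file paths are parameters; the sample files are constructed inside the script and only mirror the settings in the notes.

```sh
#!/bin/sh
# Added example (not from the NIS HOWTO): audit an NIS client's lookup
# configuration. All file paths are parameters; the sample files below are
# constructed here to mirror the configuration in the notes above.

# Print the source list nsswitch.conf gives for one database,
# e.g. nss_sources /etc/nsswitch.conf hosts  ->  "files dns nis".
nss_sources() {
    # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '
        /^[ \t]*#/ { next }                                   # comment line
        $1 == (db ":") { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if the database is served by NIS or NIS+. "compat" counts too:
# glibc's compat source falls back to NIS unless a *_compat line says otherwise.
nss_uses_nis() {
    # $1 = nsswitch.conf path, $2 = database name
    for src in $(nss_sources "$1" "$2"); do
        case "$src" in nis|nisplus|compat) return 0 ;; esac
    done
    return 1
}

# Classify the "+" compat entries of a passwd file:
#   open       - a bare "+::::::" line, so every NIS user may log in
#   restricted - only +user / +@netgroup entries, optionally closed off by
#                a "+:*::::::/etc/NoShell" catch-all as in the notes
#   none       - no compat entries at all
passwd_compat_policy() {
    # $1 = passwd file path
    if grep -q '^+:*$' "$1"; then
        echo open
    elif grep -q '^+' "$1"; then
        echo restricted
    else
        echo none
    fi
}

# Run the checks and print a short report.
audit_client() {
    # $1 = nsswitch.conf path, $2 = passwd file path
    echo "hosts lookup order : $(nss_sources "$1" hosts)"
    echo "passwd compat      : $(passwd_compat_policy "$2")"
    if nss_uses_nis "$1" shadow; then
        echo "WARNING: shadow is served over NIS; hashes are readable with ypcat from any host the server answers"
    fi
}

# --- constructed sample files (mirroring the notes above) ---
tmp=$(mktemp -d)
cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample nsswitch.conf
hosts:  files dns nis
passwd: compat
group:  compat
shadow: files nis
EOF
cat > "$tmp/passwd.open" <<'EOF'
root:x:0:0:root:/root:/bin/sh
+::::::
EOF
cat > "$tmp/passwd.restricted" <<'EOF'
root:x:0:0:root:/root:/bin/sh
+miquels:::::::
+@sysadmins:::::::
+:*::::::/etc/NoShell
EOF

audit_client "$tmp/nsswitch.conf" "$tmp/passwd.restricted"
```

Run it against the real files with `audit_client /etc/nsswitch.conf /etc/passwd`. The policy check only looks at the compat lines; which users those lines actually admit still depends on the netgroup map the server publishes.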
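Added example (shell; not from the HOWTO): a check for the /var/yp/securenets file that the server setup above says to edit. Each non-comment line of that file is "netmask network" or "host address", and ypserv answers only clients matching some line. The script tells whether a given client address is admitted and flags a 0.0.0.0 mask, which admits every address that can reach the server. The sample file is constructed inside the script from the client addresses listed in /etc/yp.conf above.

```sh
#!/bin/sh
# Added example (not from the NIS HOWTO): check a /var/yp/securenets file.
# The sample file below is constructed here; it is not a real server's file.

# Return 0 if the IPv4 address in $2 matches an entry of the securenets file $1.
securenets_allows() {
    awk -v ip="$2" '
        # Bitwise AND of two octets (POSIX awk has no & operator).
        function band(a, b,   r, p) {
            r = 0; p = 1
            while (a > 0 && b > 0) {
                if (a % 2 == 1 && b % 2 == 1) r += p
                a = int(a / 2); b = int(b / 2); p *= 2
            }
            return r
        }
        # True when (client & mask) == (net & mask) on all four octets.
        function matches(mask, net,   m, n, i) {
            split(mask, m, "."); split(net, n, ".")
            for (i = 1; i <= 4; i++)
                if (band(C[i], m[i]) != band(n[i], m[i])) return 0
            return 1
        }
        BEGIN { split(ip, C, ".") }
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        {
            mask = ($1 == "host") ? "255.255.255.255" : $1
            if (matches(mask, $2)) { found = 1; exit }
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Print every entry whose netmask is 0.0.0.0: such a line lets any address
# that reaches the server query the maps, passwd.byname included.
securenets_open_entries() {
    awk '/^[ \t]*(#|$)/ { next } $1 == "0.0.0.0" { print }' "$1"
}

# --- constructed sample files ---
tmp=$(mktemp -d)
cat > "$tmp/securenets" <<'EOF'
# constructed sample: loopback, the 10.10.0.0/24 client subnet, one host
255.0.0.0       127.0.0.0
255.255.255.0   10.10.0.0
host            10.0.100.8
EOF
cat > "$tmp/securenets.open" <<'EOF'
# constructed sample of the permissive entry: everyone
0.0.0.0 0.0.0.0
EOF

for client in 10.10.0.37 10.0.100.8 10.3.1.1; do
    if securenets_allows "$tmp/securenets" "$client"; then
        echo "$client: allowed"
    else
        echo "$client: refused"
    fi
done
open=$(securenets_open_entries "$tmp/securenets.open")
if [ -n "$open" ]; then
    echo "WARNING: securenets.open admits every address: $open"
fi
```

Point it at the real file with `securenets_allows /var/yp/securenets <client-ip>` after editing, and before restarting ypserv; note that securenets is only consulted when ypserv is built with that support, and that a new slave's address must be admitted here as well as listed in /var/yp/ypservers.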