Gentoo Wiki

HOWTO_Setup_NIS


This HOWTO details setting up NIS on a Gentoo Box as well as running the client.


Common (Clients and Servers)

NIS Domain

The NIS domain should be some string not normally associated with the DNS domain name of your machine! This makes it a little harder for external crackers to retrieve the password database from your NIS servers. If you don't know what the NIS domain name is on your network, ask your system/network administrator (or just log on to the NIS server and type nisdomainname).

Edit /etc/conf.d/net and add:

Code: /etc/conf.d/net
nis_domain_eth0="yournisdomain"
# server IPs
nis_servers_eth0="serverIP1 serverIP2"

or add:

Code: /etc/conf.d/net
 nis_domain_lo="yournisdomain"
Note: Current baselayout removed NISDOMAIN configuration from /etc/conf.d/domainname, and also removed /etc/init.d/domainname script. [1]

If for some reason you don't want to use net-scripts to set your NIS domain, you can set it with hostname -y yournisdomain. A good reason for this may be that you want a static /etc/yp.conf.

Client

Installing the tools

emerge yp-tools ypbind

Make sure you have pam compiled with the +nis flag.

Setting Up the NIS Client

You have a configuration file called /etc/yp.conf. You can hardcode a NIS server there - for more info see the manual page for ypbind(8). You also need this file for NYS. An example:

Note: If you have nis_domain & nis_servers entries in the /etc/conf.d/net (per above instructions), then you do not need the following entries within the /etc/yp.conf file.
File: /etc/yp.conf
ypserver 10.10.0.1
ypserver 10.0.100.8
ypserver 10.3.1.1

If the system can resolve the hostnames without NIS, you may use the name; otherwise you have to use the IP address. ypbind 3.3 has a bug and will only use the last entry (ypserver 10.3.1.1 in the example). All other entries are ignored. ypbind-mt handles this correctly and uses whichever server answers first.

Start Services

Start up portmap and ypbind

portmap
ypbind

Check if Registered

Use the command rpcinfo -p localhost to check if ypbind was able to register its service with the portmapper. The output should look like:

Code: rpcinfo -p localhost
      program vers proto   port
       100000    2   tcp    111  portmapper
       100000    2   udp    111  portmapper
       100007    2   udp    637  ypbind
       100007    2   tcp    639  ypbind

or

      program vers proto   port
       100000    2   tcp    111  portmapper
       100000    2   udp    111  portmapper
       100007    2   udp    758  ypbind
       100007    1   udp    758  ypbind
       100007    2   tcp    761  ypbind
       100007    1   tcp    761  ypbind

Depending on the ypbind version you are using.

You may also run rpcinfo -u localhost ypbind. This command should produce something like:
Code: rpcinfo -u localhost ypbind
       program 100007 version 2 ready and waiting

or

       program 100007 version 1 ready and waiting
       program 100007 version 2 ready and waiting

The output depends on the ypbind version you have installed. Only the "version 2" message is important.

At this point you should be able to use NIS client programs like ypcat, etc... For example, ypcat passwd.byname will give you the entire NIS password database.

To check if the domainname is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is more restrictive. For example, it doesn't allow the "(none)" domainname, which is the default under Linux and causes a lot of problems.
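The checks from this section and the NIS Domain advice at the top of the page, as an added shell example (not part of the original HOWTO or of yp-tools). The function names are hypothetical, the "guessable" rule is a simple heuristic chosen for this example, and the sample listing is the second rpcinfo output shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of yp-tools.

# check_nis_domain NISDOMAIN DNSDOMAIN -> prints unset | guessable | ok
check_nis_domain() {
    case $1 in
        ''|'(none)') echo unset; return 1 ;;   # Linux default, causes problems
    esac
    n=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    # Same as the DNS domain, or just its first label: easy to guess.
    if [ -n "$d" ] && { [ "$n" = "$d" ] || [ "$n" = "${d%%.*}" ]; }; then
        echo guessable; return 1
    fi
    echo ok
}

# ypbind_versions: `rpcinfo -p` output on stdin -> registered versions, e.g. "1 2"
ypbind_versions() {
    awk '$1 == 100007 { print $2 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# ypbind_v2_ready: succeeds if ypbind version 2 is registered on udp and tcp,
# as in both listings above (requiring both is this example's choice).
ypbind_v2_ready() {
    awk '$1 == 100007 && $2 == 2 { seen[$3] = 1 }
         END { exit !(seen["udp"] && seen["tcp"]) }'
}

# Constructed sample: the second rpcinfo listing from this page.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    758  ypbind
    100007    1   udp    758  ypbind
    100007    2   tcp    761  ypbind
    100007    1   tcp    761  ypbind'

# Usage on a live client:
#   check_nis_domain "$(ypdomainname)" "$(hostname -d)"
#   rpcinfo -p localhost | ypbind_v2_ready && echo "ypbind v2 registered"
echo "domain check: $(check_nis_domain 'yp-7f3k' 'example.org')"
echo "ypbind versions: $(printf '%s\n' "$SAMPLE_RPCINFO" | ypbind_versions)"
```
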

If the test worked, you may now want to change your startup files so that ypbind will be started at boot time and your system will act as a NIS client. Make sure that the domainname is set before you start ypbind.

Once you get your system talking to the NIS server, you will want it to do so on startup. Thus, you need to enter the following commands:

rc-update add portmap default
rc-update add ypbind default

Configure Client to Authenticate using NIS Server

Add the following line to /etc/passwd and /etc/group on your NIS clients:

+::::::

You can also use the + and - characters to include/exclude or change users. If you want to exclude the user guest just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user "linux"? No problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/passwd. Fields that you don't want to change have to be left empty. You could also use Netgroups for user control.

For example, to allow login-access only to miquels, dth and ed, and all members of the sysadmin netgroup, but to have the account data of all other users available use:

+miquels:::::::
+ed:::::::
+dth:::::::
+@sysadmins:::::::
-ftp
+:*::::::/etc/NoShell

Note that in Linux you can also override the password field, as we did in this example. We also remove the login "ftp", so it isn't known any longer, and anonymous ftp will not work.


  1. Configure yp.conf with the IP address of your NIS domain server.


To complete the installation, you have to modify your /etc/nsswitch.conf to add NIS support for authentication.

Change:

passwd:      compat
shadow:      compat
group:       compat
netgroup:    files

to:

passwd:      compat nis
shadow:      compat nis
group:       compat nis
netgroup:    files nis

Some remarks

You may encounter an unclean shutdown when using NIS with udev. You may also have a problem with startup (portmap startup takes a long time). The solution is from bug #42139. You have to prevent net.lo from stopping, e.g. by adding a "return 0" line to /etc/init.d/net.lo at the very beginning of the iface_stop() function.

File: /etc/init.d/net.lo
iface_stop() {
        return 0
        ...
}

Server

These instructions are for setting up a YP master.

Installing the tools

emerge yp-tools ypserv

Master Server

Configure

Enter the /var/yp directory, and edit Makefile. Find the "all:" rule, and comment out all but the maps you need. If you're just authenticating users, then all you need is

all: passwd group shadow
Note: This is not a required step for a normal configuration and is optional. If you don't want to generate your YP information from your server's own files under /etc, change YPSRCDIR and YPPWDDIR to a directory where you want to store such files, e.g., /var/yp/ypfiles. (I'm no expert, but this was misleading in a sense I thought /etc would be over-written by the /var/yp/Makefile. YP *only* includes the information from certain /etc files.) Changing these variables is more advanced than this page demonstrates and requires further documenting here -- as the following warning dictates!
Note: If you set YPSRCDIR and YPPWDDIR above, then edit /etc/conf.d/rpc.yppasswd to include the -D option.
FIXME: Changing the default $YPPWDDIR to something other than /etc breaks the Makefile. (Looking a few more lines down in the Makefile, I see NIS is built against $YPPWDDIR/group, $YPPWDDIR/passwd, ... and these files need to be present prior to running ypinit or running this Makefile. Once YPPWDDIR is changed from /etc to /var/yp/ypfiles, these "/etc" files are no longer present to build against! Further documentation needs to be put here about changing this variable's location, or at the very least, this warning and a note pointing the reader where to find further information.)


Perform the following two checks prior to running ypinit:

1) If your system doesn't have a /etc/gshadow file, you will likely need to create a blank one:

touch /etc/gshadow

2) If you put your NIS domainname info into /etc/conf.d/net, you will need to restart your network to reread these changes.

/etc/init.d/net restart

Run ypinit, and this will configure the ypserv values along with executing the /var/yp/Makefile.

/usr/lib/yp/ypinit -m


Start

Start the YP server and add it to the default runlevel:

/etc/init.d/ypserv start
rc-update add ypserv default

You can now edit the source files (either in /etc or in the directory you set up above), then run make from the /var/yp directory to update them.

Slave Server (Optional)

FIXME: It might help to explain whether this command is run on another separate host and whether ypserv needs to be installed at all. I'll take a stab and guess it does after using qfile! ;-). Please help provide further documentation clarifying how to set up a simple slave server. I'm guessing setup is the same as configuring for a master, but at what stage does ypinit -s get executed?

Run /usr/lib/yp/ypinit -s master where master is the hostname of the (already configured) YP master.

Retrieved from "http://www.gentoo-wiki.info/HOWTO_Setup_NIS"

Last modified: Fri, 03 Oct 2008 13:35:00 +0000 Hits: 25,910