The Linux NIS(YP)/NYS/NIS+ HOWTO

The Linux NIS(YP)/NYS/NIS+ HOWTO
The Linux NIS(YP)/NYS/NIS+ HOWTO
Table of Contents
The Linux NIS(YP)/NYS/NIS+ HOWTO.........................................................................................................1
Thorsten Kukuk.......................................................................................................................................1
1.Introduction...........................................................................................................................................1
2.Glossary and General Information........................................................................................................1
3.NIS, NYS or NIS+ ?.............................................................................................................................1
4.How it works.........................................................................................................................................1
5.The RPC Portmapper............................................................................................................................2
6.What do you need to set up NIS?..........................................................................................................2
7.What do you need to set up NIS+ ?......................................................................................................2
8.Setting up a NIS Server.........................................................................................................................2
9.Verifying the NIS/NYS Installation......................................................................................................2
10.Common Problems and Troubleshooting NIS....................................................................................2
11.Frequently Asked Questions...............................................................................................................2
1. Introduction..........................................................................................................................................3
1.1 New Versions of this Document........................................................................................................3
1.2 Disclaimer..........................................................................................................................................3
1.3 Feedback and Corrections..................................................................................................................4
1.4 Acknowledgements............................................................................................................................4
10. Common Problems and Troubleshooting NIS...................................................................................4
11. Frequently Asked Questions..............................................................................................................5
2. Glossary and General Information.......................................................................................................5
2.1 Glossary of Terms..............................................................................................................................5
2.2 Some General Information.................................................................................................................7
3. NIS, NYS or NIS+ ?............................................................................................................................7
3.1 libc 4/5 with traditional NIS or NYS ?..............................................................................................7
3.2 glibc 2 and NIS/NIS+........................................................................................................................8
3.3 NIS or NIS+ ?....................................................................................................................................8
4. How it works........................................................................................................................................8
4.1 How NIS works..................................................................................................................................8
4.2 How NIS+ works...............................................................................................................................9
5. The RPC Portmapper...........................................................................................................................9
6. What do you need to set up NIS?.......................................................................................................10
6.1 Determine whether you are a Server, Slave or Client......................................................................10
6.2 The Software....................................................................................................................................11
6.3 The ypbind daemon..........................................................................................................................11
6.4 Setting up a NIS Client using Traditional NIS................................................................................13
6.5 Setting up a NIS Client using NYS.................................................................................................14
6.6 Setting up a NIS Client using glibc 2.x...........................................................................................14
6.7 The nsswitch.conf File.....................................................................................................................14
6.8 Shadow Passwords with NIS...........................................................................................................16
Linux.........................................................................................................................................16
Solaris.......................................................................................................................................16
PAM..........................................................................................................................................16
7. What do you need to set up NIS+ ?...................................................................................................17
7.1 The Software....................................................................................................................................17
7.2 Setting up a NIS+ client...................................................................................................................18
7.3 NIS+, keylogin, login and PAM......................................................................................................18
i
The Linux NIS(YP)/NYS/NIS+ HOWTO
Table of Contents
7.4 The nsswitch.conf File.....................................................................................................................19
8. Setting up a NIS Server......................................................................................................................20
8.1 The Server Program ypserv.............................................................................................................20
8.2 The Server Program yps...................................................................................................................23
8.3 The Program rpc.ypxfrd...................................................................................................................23
8.4 The Program rpc.yppasswdd............................................................................................................23
9. Verifying the NIS/NYS Installation...................................................................................................24
ii
The Linux NIS(YP)/NYS/NIS+ HOWTO
Thorsten Kukuk
v1.0, 9 March 1999
This document describes how to configure Linux as NIS(YP) or NIS+ client and how to install as NIS server.
1.Introduction
• 1.1 New Versions of this Document
• 1.2 Disclaimer
• 1.3 Feedback and Corrections
• 1.4 Acknowledgements
2.Glossary and General Information
• 2.1 Glossary of Terms
• 2.2 Some General Information
3.NIS, NYS or NIS+ ?
• 3.1 libc 4/5 with traditional NIS or NYS ?
• 3.2 glibc 2 and NIS/NIS+
• 3.3 NIS or NIS+ ?
4.How it works
• 4.1 How NIS works
• 4.2 How NIS+ works
The Linux NIS(YP)/NYS/NIS+ HOWTO
1
The Linux NIS(YP)/NYS/NIS+ HOWTO
5.The RPC Portmapper
6.What do you need to set up NIS?
• 6.1 Determine whether you are a Server, Slave or Client.
• 6.2 The Software
• 6.3 The ypbind daemon
• 6.4 Setting up a NIS Client using Traditional NIS
• 6.5 Setting up a NIS Client using NYS
• 6.6 Setting up a NIS Client using glibc 2.x
• 6.7 The nsswitch.conf File
• 6.8 Shadow Passwords with NIS
7.What do you need to set up NIS+ ?
• 7.1 The Software
• 7.2 Setting up a NIS+ client
• 7.3 NIS+, keylogin, login and PAM
• 7.4 The nsswitch.conf File
8.Setting up a NIS Server
• 8.1 The Server Program ypserv
• 8.2 The Server Program yps
• 8.3 The Program rpc.ypxfrd
• 8.4 The Program rpc.yppasswdd
9.Verifying the NIS/NYS Installation
10.Common Problems and Troubleshooting NIS
11.Frequently Asked Questions
Next Previous Contents Next Previous Contents
5.The RPC Portmapper
2
The Linux NIS(YP)/NYS/NIS+ HOWTO
1. Introduction
More and more, Linux machines are installed as part of a network of computers. To simplify network
administration, most networks (mostly Sun−based networks) run the Network Information Service. Linux
machines can take full advantage of existing NIS service or provide NIS service themselves. Linux machines
can also act as full NIS+ clients, this support is in beta stage.
This document tries to answer questions about setting up NIS(YP) and NIS+ on your Linux machine. Don't
forget to read the section The RPC Portmapper.
The NIS−Howto is edited and maintained by
Thorsten Kukuk, <kukuk@suse.de>
The primary source of the information for the initial NIS−Howto was from:
Andrea Dell'Amico
Mitchum DSouza
Erwin Embsen
Peter Eriksson
<adellam@ZIA.ms.it>
<Mitch.DSouza@NetComm.IE>
<erwin@nioz.nl>
<peter@ifm.liu.se>
who we should thank for writing the first versions of this document.
1.1 New Versions of this Document
You can always view the latest version of this document on the World Wide Web via the URL
http://www.suse.de/~kukuk/linux/HOWTO/NIS−HOWTO.html.
New versions of this document will also be uploaded to various Linux WWW and FTP sites, including the
LDP home page.
Links to translations of this document could be found at http://www.suse.de/~kukuk/linux/nis−howto.html.
1.2 Disclaimer
Although this document has been put together to the best of my knowledge it may, and probably does contain
errors. Please read any README files that are bundled with any of the various pieces of software described
in this document for more detailed and accurate information. I will attempt to keep this document as error
free as possible.
1. Introduction
3
The Linux NIS(YP)/NYS/NIS+ HOWTO
1.3 Feedback and Corrections
If you have questions or comments about this document, please feel free to mail Thorsten Kukuk, at
kukuk@suse.de. I welcome any suggestions or criticisms. If you find a mistake with this document, please let
me know so I can correct it in the next version. Thanks.
Please do not mail me questions about special problems with your Linux Distribution! I don't know every
Linux Distribution. But I will try to add every solution you send me.
1.4 Acknowledgements
We would like to thank all the people who have contributed (directly or indirectly) to this document. In
alphabetical order:
Byron A Jeff
Markus Rex
Miquel van Smoorenburg
<byron@cc.gatech.edu>
<msrex@suse.de>
<miquels@cistron.nl>
Theo de Raadt is responsible for the original yp−clients code. Swen Thuemmler ported the yp−clients code to
Linux and also ported the yp−routines in libc (again based on Theo's work). Thorsten Kukuk has written the
NIS(YP) and NIS+ routines for GNU libc 2.x from scratch.
Next Previous ContentsNextPreviousContents
10. Common Problems and Troubleshooting NIS
Here are some common problems reported by various users:
1. The libraries for 4.5.19 are broken. NIS won't work with it.
2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command breaks. You need to get the su
command from the slackware 1.2.0 distribution. Incidentally that's where you can get the updated
libraries.
3. When a NIS server goes down and comes up again ypbind starts complaining with messages like:
yp_match: clnt_call:
RPC: Unable to receive; errno = Connection refused
and logins are refused for those who are registered in the NIS database. Try to login as root and kill
ypbind and start it up again. An update to ypbind 3.3 or higher should also help.
4. After upgrading the libc to a version greater then 5.4.20, the YP tools will not work any longer. You
need yp−tools 1.2 or later for libc >= 5.4.21 and glibc 2.x. For earlier libc version you need
1.3 Feedback and Corrections
4
The Linux NIS(YP)/NYS/NIS+ HOWTO
yp−clients 2.2. yp−tools 2.x should work for all libraries.
5. In libc 5.4.21 − 5.4.35 yp_maplist is broken, you need 5.4.36 or later, or some YP programs like
ypwhich will segfault.
6. libc 5 with traditional NIS doesn't support shadow passwords over NIS. You need libc5 + NYS or
glibc 2.x.
7. ypcat shadow doesn't show the shadow map. This is correct, the name of the shadow map is
shadow.byname, not shadow.
8. Solaris doesn't use always privileged ports. So don't use password mangling if you have a Solaris
client.
NextPreviousContents Next PreviousContents
11. Frequently Asked Questions
Most of your questions should be answered by now. If there are still questions unanswered you might want to
post a message to
comp.os.linux.networking
Next PreviousContentsNextPreviousContents
2. Glossary and General Information
2.1 Glossary of Terms
In this document a lot of acronyms are used. Here are the most important acronyms and a brief explanation:
DBM
DataBase Management, a library of functions which maintain key−content pairs in a data
base.
DLL
Dynamically Linked Library, a library linked to an executable program at run−time.
11. Frequently Asked Questions
5
The Linux NIS(YP)/NYS/NIS+ HOWTO
domainname
A name "key" that is used by NIS clients to be able to locate a suitable NIS server that serves
that domainname key. Please note that this does not necessarily have anything at all to do
with the DNS "domain" (machine name) of the machine(s).
FTP
File Transfer Protocol, a protocol used to transfer files between two computers.
libnsl
Name services library, a library of name service calls (getpwnam, getservbyname, etc...) on
SVR4 Unixes. GNU libc uses this for the NIS (YP) and NIS+ functions.
libsocket
Socket services library, a library for the socket service calls (socket, bind, listen, etc...) on
SVR4 Unixes.
NIS
Network Information Service, a service that provides information, that has to be known
throughout the network, to all machines on the network. There is support for NIS in Linux's
standard libc library, which in the following text is referred to as "traditional NIS".
NIS+
Network Information Service (Plus :−), essentially NIS on steroids. NIS+ is designed by Sun
Microsystems Inc. as a replacement for NIS with better security and better handling of
_large_ installations.
NYS
This is the name of a project and stands for NIS+, YP and Switch and is managed by Peter
Eriksson <peter@ifm.liu.se>. It contains among other things a complete reimplementation of
the NIS (= YP) code that uses the Name Services Switch functionality of the NYS library.
NSS
Name Service Switch. The /etc/nsswitch.conf file determines the order of lookups performed
when a certain piece of information is requested.
RPC
Remote Procedure Call. RPC routines allow C programs to make procedure calls on other
machines across the network. When people talk about RPC they most often mean the Sun
RPC variant.
YP
11. Frequently Asked Questions
6
The Linux NIS(YP)/NYS/NIS+ HOWTO
Yellow Pages(tm), a registered trademark in the UK of British Telecom plc.
TCP−IP
Transmission Control Protocol/Internet Protocol. It is the data communication protocol most
often used on Unix machines.
2.2 Some General Information
The next four lines are quoted from the Sun(tm) System & Network Administration Manual:
"NIS was formerly known as Sun Yellow Pages (YP) but
the name Yellow Pages(tm) is a registered trademark
in the United Kingdom of British Telecom plc and may
not be used without permission."
NIS stands for Network Information Service. Its purpose is to provide information, that has to be known
throughout the network, to all machines on the network. Information likely to be distributed by NIS is:
• login names/passwords/home directories (/etc/passwd)
• group information (/etc/group)
If, for example, your password entry is recorded in the NIS passwd database, you will be able to login on all
machines on the network which have the NIS client programs running.
Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.
NextPreviousContentsNextPreviousContents
3. NIS, NYS or NIS+ ?
3.1 libc 4/5 with traditional NIS or NYS ?
The choice between "traditional NIS" or the NIS code in the NYS library is a choice between laziness and
maturity vs. flexibility and love of adventure.
2.2 Some General Information
7
The Linux NIS(YP)/NYS/NIS+ HOWTO
The "traditional NIS" code is in the standard C library and has been around longer and sometimes suffers
from its age and slight inflexibility.
The NIS code in the NYS library requires you to recompile the libc library to include the NYS code into it (or
maybe you can get a precompiled version of libc from someone who has already done it).
Another difference is that the traditional NIS code has some support for NIS Netgroups, which the NYS code
doesn't. On the other hand the NYS code allows you to handle Shadow Passwords in a transparent way. The
"traditonal NIS" code doesn't support Shadow Passwords over NIS.
3.2 glibc 2 and NIS/NIS+
Forgot all this if you use the new GNU C Library 2.x (aka libc6). It has real NSS (name switch service)
support, which makes it very flexible, and contains support for the following NIS/NIS+ maps: aliases, ethers,
group, hosts, netgroups, networks, protocols, publickey, passwd, rpc, services and shadow. The GNU C
Library has no problems with shadow passwords over NIS.
3.3 NIS or NIS+ ?
The choice between NIS and NIS+ is easy − use NIS if you don't have to use NIS+ or have severe security
needs. NIS+ is _much_ more problematic to administer (it's pretty easy to handle on the client side, but the
server side is horrible). Another problem is that the support for NIS+ under Linux is still under developement
− you need the latest glibc 2.1. There is an unsupported port of the glibc NIS+ support for libc5 as dropin
replacement.
NextPreviousContentsNextPreviousContents
4. How it works
4.1 How NIS works
Within a network there must be at least one machine acting as a NIS server. You can have multiple NIS
servers, each serving different NIS "domains" − or you can have cooperating NIS servers, where one is the
master NIS server, and all the other are so−called slave NIS servers (for a certain NIS "domain", that is!) − or
you can have a mix of them...
Slave servers only have copies of the NIS databases and receive these copies from the master NIS server
whenever changes are made to the master's databases. Depending on the number of machines in your network
3.2 glibc 2 and NIS/NIS+
8
The Linux NIS(YP)/NYS/NIS+ HOWTO
and the reliability of your network, you might decide to install one or more slave servers. Whenever a NIS
server goes down or is too slow in responding to requests, a NIS client connected to that server will try to
find one that is up or faster.
NIS databases are in so−called DBM format, derived from ASCII databases. For example, the files
/etc/passwd and /etc/group can be directly converted to DBM format using ASCII−to−DBM
translation software ("makedbm", included with the server software). The master NIS server should have
both, the ASCII databases and the DBM databases.
Slave servers will be notified of any change to the NIS maps, (via the "yppush" program), and automatically
retrieve the necessary changes in order to synchronize their databases. NIS clients do not need to do this since
they always talk to the NIS server to read the information stored in it's DBM databases.
Old ypbind versions do a broadcast to find a running NIS server. This is insecure, due the fact that anyone
may install a NIS server and answer the broadcast queries. Newer Versions of ypbind (ypbind−3.3 or
ypbind−mt) are able to get the server from a configuration file − thus no need to broadcast.
4.2 How NIS+ works
NIS+ is a new version of the network information nameservice from Sun. The biggest difference between
NIS and NIS+ is that NIS+ has support for data encryption and authentication over secure RPC.
The naming model of NIS+ is based upon a tree structure. Each node in the tree corresponds to an NIS+
object, from which we have six types: directory, entry, group, link, table and private.
The NIS+ directory that forms the root of the NIS+ namespace is called the root directory. There are two
special NIS+ directories: org_dir and groups_dir. The org_dir directory consists of all administration tables,
such as passwd, hosts, and mail_aliases. The groups_dir directory consists of NIS+ group objects which are
used for access control. The collection of org_dir, groups_dir and their parent directory is referred to as an
NIS+ domain.
NextPreviousContentsNextPreviousContents
5. The RPC Portmapper
To run any of the software mentioned below you will need to run the program /usr/sbin/portmap. Some Linux
distributions already have the code in the /sbin/init.d/ or /etc/rc.d/ files to start up this daemon. All you have
to do is to activate it and reboot your Linux machine. Read your Linux Distribution Documentation how to
do this.
The RPC portmapper (portmap(8)) is a server that converts RPC program numbers into TCP/IP (or UDP/IP)
protocol port numbers. It must be running in order to make RPC calls (which is what the NIS/NIS+ client
software does) to RPC servers (like a NIS or NIS+ server) on that machine. When an RPC server is started, it
will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve.
4.2 How NIS+ works
9
The Linux NIS(YP)/NYS/NIS+ HOWTO
When a client wishes to make an RPC call to a given program number, it will first contact portmap on the
server machine to determine the port number where RPC packets should be sent.
Normally, standard RPC servers are started by inetd(8), so portmap must be running before inetd is started.
For secure RPC, the portmapper needs the Time service. Make sure, that the Time service is enabled in
/etc/inetd.conf on all hosts:
#
# Time service is used for clock syncronization.
#
time
stream tcp
nowait root
internal
time
dgram
udp
wait
root
internal
IMPORTANT: Don't forget to restart inetd after changes on its configuration file !
NextPreviousContentsNextPreviousContents
6. What do you need to set up NIS?
6.1 Determine whether you are a Server, Slave or Client.
To answer this question you have to consider two cases:
1. Your machine is going to be part of a network with existing NIS servers
2. You do not have any NIS servers in the network yet
In the first case, you only need the client programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The most
important program is ypbind. This program must be running at all times, which means, it should always
appear in the list of processes. It is a daemon process and needs to be started from the system's startup file
(eg. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running
your system has become a NIS client.
In the second case, if you don't have NIS servers, then you will also need a NIS server program (usually
called ypserv). Section Setting up a NIS Server describes how to set up a NIS server on your Linux machine
using the "ypserv" implementation by Peter Eriksson and Thorsten Kukuk. Note that from version 0.14 this
implementation supports the master−slave concept talked about in section 4.1.
There is also another free NIS server available, called "yps", written by Tobias Reber in Germany which does
support the master−slave concept, but has other limitations and isn't supported since a long time.
6. What do you need to set up NIS?
10
The Linux NIS(YP)/NYS/NIS+ HOWTO
6.2 The Software
The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the shared library "/lib/libc.so.x" contain all
necessary system calls to succesfully compile the NIS client and server software. For the GNU C Library 2
(glibc 2.x), you also need /lib/libnsl.so.1.
Some people reported that NIS only works with "/usr/lib/libc.a" version 4.5.21 and better so if you want to
play it safe don't use older libc's. The NIS client software can be obtained from:
Site
Directory
File Name
ftp.kernel.org
ftp.kernel.org
ftp.kernel.org
ftp.kernel.org
ftp.uni−paderborn.de
/pub/linux/utils/net/NIS
/pub/linux/utils/net/NIS
/pub/linux/utils/net/NIS
/pub/linux/utils/net/NIS
/linux/local/yp
yp−tools−2.2.tar.gz
ypbind−mt−1.4.tar.gz
ypbind−3.3.tar.gz
ypbind−3.3−glibc5.diff.gz
yp−clients−2.2.tar.gz
Once you obtained the software, please follow the instructions which come with the software. yp−clients 2.2
are for use with libc4 and libc5 until 5.4.20. libc 5.4.21 and glibc 2.x needs yp−tools 1.4.1 or later. The new
yp−tools 2.2 should work with every Linux libc. Since there was a bug in the NIS code, you shouldn't use
libc 5.4.21−5.4.35. Use libc 5.4.36 or later instead, or the most YP programs will not work. ypbind 3.3 will
work with all libraries, too. If you use gcc 2.8.x or greater, egcs or glibc 2.x, you should add the
ypbind−3.3−glibc5.diff patch to ypbind 3.3. Please never use the ypbind from yp−clients 2.2. ypbind−mt is a
new, multithreaded daemon. It needs a Linux 2.2 kernel, and glibc 2.1 or later.
6.3 The ypbind daemon
After you have succesfully compiled the software you are now ready to install it. A suitable place for the
ypbind daemon is the directory /usr/sbin. Some people may tell you that you don't need ypbind on a system
with NYS. This is wrong. ypwhich and ypcat need it always.
You must do this as root of course. The other binaries (ypwhich, ypcat, yppasswd, yppoll, ypmatch) should
go in a directory accessible by all users, normally /usr/bin.
Newer ypbind versions have a configuration file called /etc/yp.conf. You can hardcode a NIS server there −
for more info see the manual page for ypbind(8). You also need this file for NYS. An example:
ypserver voyager
ypserver defiant
ypserver ds9
If the system cam resolv the hostnames without NIS, you may use the name, otherwise you have to use the IP
address. ypbind 3.3 has a bug and will only use the last entry (ypserver ds9 in the example). All other entries
are ignored. ypbind−mt handle this correct and uses that one, which answerd at first.
6.2 The Software
11
The Linux NIS(YP)/NYS/NIS+ HOWTO
It might be a good idea to test ypbind before incorporating it in the startup files. To test ypbind do the
following:
• Make sure you have your YP−domain name set. If it is not set then issue the command:
/bin/domainname nis.domain
where nis.domain should be some string _NOT_ normally associated with the DNS−domain
name of your machine! The reason for this is that it makes it a little harder for external crackers to
retreive the password database from your NIS servers. If you don't know what the NIS domain name
is on your network, ask your system/network administrator.
• Start up "/usr/sbin/portmap" if it is not already running.
• Create the directory "/var/yp" if it does not exist.
• Start up "/usr/sbin/ypbind"
• Use the command "rpcinfo −p localhost" to check if ypbind was able to register its service with the
portmapper. The output should look like:
program vers proto
100000
2
tcp
100000
2
udp
100007
2
udp
100007
2
tcp
port
111
111
637
639
portmapper
portmapper
ypbind
ypbind
program vers proto
100000
2
tcp
100000
2
udp
100007
2
udp
100007
1
udp
100007
2
tcp
100007
1
tcp
port
111
111
758
758
761
761
portmapper
portmapper
ypbind
ypbind
ypbind
ypbind
or
Depending on the ypbind version you are using.
• You may also run "rpcinfo −u localhost ypbind". This command should produce something like:
program 100007 version 2 ready and waiting
or
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
The output depends on the ypbind version you have installed. Important is only the "version 2"
6.2 The Software
12
The Linux NIS(YP)/NYS/NIS+ HOWTO
message.
At this point you should be able to use NIS client programs like ypcat, etc... For example, "ypcat
passwd.byname" will give you the entire NIS password database.
IMPORTANT: If you skipped the test procedure then make sure you have set the domain name, and created
the directory
/var/yp
This directory MUST exist for ypbind to start up succesfully.
To check if the domainname is set correct, use the /bin/ypdomainname from yp−tools 2.2. It uses the
yp_get_default_domain() function which is more restrict. It doesn't allow for example the "(none)"
domainname, which is the default under Linux and makes a lot of problems.
If the test worked you may now want to change your startupd files so that ypbind will be started at boot time
and your system will act as a NIS client. Make sure that the domainname will be set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see if ypbind is actually started.
6.4 Setting up a NIS Client using Traditional NIS
For host lookups you must set (or add) "nis" to the lookup order line in your /etc/host.conf file. Please read
the manpage "resolv+.8" for more details.
Add the following line to /etc/passwd on your NIS clients:
+::::::
You can also use the + and − characters to include/exclude or change users. If you want to exclude the user
guest just add −guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user "linux"?
No problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/passwd. Fields that you don't
want to change have to be left empty. You could also use Netgroups for user control.
For example, to allow login−access only to miquels, dth and ed, and all members of the sysadmin netgroup,
but to have the account data of all other users available use:
+miquels:::::::
+ed:::::::
+dth:::::::
6.4 Setting up a NIS Client using Traditional NIS
13
The Linux NIS(YP)/NYS/NIS+ HOWTO
+@sysadmins:::::::
−ftp
+:*::::::/etc/NoShell
Note that in Linux you can also override the password field, as we did in this example. We also remove the
login "ftp", so it isn't known any longer, and anonymous ftp will not work.
The netgroup would look like
sysadmins (−,software,) (−,kukuk,)
IMPORTANT: The netgroup feature is implemented starting from libc 4.5.26. If you have a version of libc
earlier than 4.5.26, every user in the NIS password database can access your linux machine if you run
"ypbind" !
6.5 Setting up a NIS Client using NYS
All that is required is that the NIS configuration file (/etc/yp.conf) points to the correct server(s) for its
information. Also, the Name Services Switch configuration file (/etc/nsswitch.conf) must be correctly set up.
You should install ypbind. It isn't needed by the libc, but the NIS(YP) tools need it.
If you wish to use the include/exclude user feature (+/−guest/+@admins), you have to use "passwd: compat"
and "group: compat" in nsswitch.conf. Note that there is no "shadow: compat"! You have to use "shadow:
files nis" in this case.
The NYS sources are part of the libc 5 sources. When run configure, say the first time "NO" to the "Values
correct" question, then say "YES" to "Build a NYS libc from nys".
6.6 Setting up a NIS Client using glibc 2.x
The glibc uses "traditional NIS", so you need to start ypbind. The Name Services Switch configuration file
(/etc/nsswitch.conf) must be correctly set up. If you use the compat mode for passwd, shadow or group, you
have to add the "+" at the end of this files and you can use the include/exclude user feature. The configuration
is excatly the same as under Solaris 2.x.
6.7 The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf determines the order of lookups performed when a
certain piece of information is requested, just like the /etc/host.conf file which determines the way host
lookups are performed. For example, the line
6.5 Setting up a NIS Client using NYS
14
The Linux NIS(YP)/NYS/NIS+ HOWTO
hosts: files nis dns
specifies that host lookup functions should first look in the local /etc/hosts file, followed by a NIS lookup and
finally through the domain name service (/etc/resolv.conf and named), at which point if no match is found an
error is returned. This file must be readable for every user! You can find more information in the man−page
nsswitch.5 or nsswitch.conf.5.
A good /etc/nsswitch.conf file for NIS is:
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
/etc/nsswitch.conf
An example Name Service Switch config file. This file should be
sorted with the most−used services at the beginning.
The entry '[NOTFOUND=return]' means that the search for an
entry should stop if the search in the previous entry turned
up nothing. Note that if the search failed due to some other reason
(like no NIS server responding) then the search continues with the
next entry.
Legal entries are:
nisplus
nis
dns
files
db
[NOTFOUND=return]
Use NIS+ (NIS version 3)
Use NIS (NIS version 2), also called YP
Use DNS (Domain Name Service)
Use the local files
Use the /var/db databases
Stop searching if not found so far
passwd:
compat
group:
compat
# For libc5, you must use shadow: files nis
shadow:
compat
passwd_compat: nis
group_compat: nis
shadow_compat: nis
hosts:
nis files dns
services:
networks:
protocols:
rpc:
ethers:
netmasks:
netgroup:
bootparams:
publickey:
automount:
aliases:
nis [NOTFOUND=return]
nis [NOTFOUND=return]
nis [NOTFOUND=return]
nis [NOTFOUND=return]
nis [NOTFOUND=return]
nis [NOTFOUND=return]
nis
nis [NOTFOUND=return]
nis [NOTFOUND=return]
files
nis [NOTFOUND=return]
files
files
files
files
files
files
files
files
files
passwd_compat, group_compat and shadow_compat are only supported by glibc 2.x. If there are no shadow
rules in /etc/nsswitch.conf, glibc will use the passwd rule for lookups. There are some more lookup module
6.5 Setting up a NIS Client using NYS
15
The Linux NIS(YP)/NYS/NIS+ HOWTO
for glibc like hesoid. For more information, read the glibc documentation.
6.8 Shadow Passwords with NIS
Shadow passwords over NIS are always a bad idea. You loose the security, which shadow gives you, and it is
supported by only some few Linux C Libraries. A good way to avoid shadow passwords over NIS is, to put
only the local system users in /etc/shadow. Remove the NIS user entries from the shadow database, and put
the password back in passwd. So you can use shadow for the root login, and normal passwd for NIS user.
This has the advantage that it will work with every NIS client.
Linux
The only Linux libc which supports shadow passwords over NIS, is the GNU C Library 2.x. Linux libc5 has
no support for it. Linux libc5 compiled with NYS enabled has some code for it. But this code is badly broken
in some cases and doesn't work with all correct shadow entries.
Solaris
Solaris does not support shadow passwords over NIS.
PAM
PAM does not support Shadow passwords over NIS, especially pam_pwdb/libpwdb. This is a big problem for
RedHat 5.x users. If you have glibc and PAM, you need to change the /etc/pam.d/* entries. Replace all
pam_pwdb rules through pam_unix_* modules. Due a bug in the pam_unix_auth.so module this will not
always work.
An example /etc/pam.d/login file looks like:
#%PAM−1.0
auth
auth
auth
account
password
session
required
required
required
required
required
required
/lib/security/pam_securetty.so
/lib/security/pam_unix_auth.so
/lib/security/pam_nologin.so
/lib/security/pam_unix_acct.so
/lib/security/pam_unix_passwd.so
/lib/security/pam_unix_session.so
For auth you need to use the pam_unix_auth.so module, for account the pam_unix_acct.so, for password the
pam_unix_passwd.so and for session the pam_unix_session.so module.
NextPreviousContentsNextPreviousContents
6.8 Shadow Passwords with NIS
16
The Linux NIS(YP)/NYS/NIS+ HOWTO
7. What do you need to set up NIS+ ?
7.1 The Software
The Linux NIS+ client code was developed for the GNU C library 2. There is also a port for Linux libc5,
since most commercial Applications are linked against this library, and you cannot recompile them for using
glibc. There are problems with libc5 and NIS+: static programs cannot be linked with it, and programs
compiled with this library will not work with other libc5 versions.
You need to retrieve and compile the GNU C Library 2.1 for Intel based platforms, or GNU C Library 2.1.1
for 64bit platforms. As base System you need a glibc based Distribution like Debian 2.x, RedHat 5.x or SuSE
Linux 6.x.
For every distribution, you need to recompile the gcc/g++ compiler, libstdc++ and ncures. For Redhat, you
need to make a lot of changes of the PAM configuration. For SuSE Linux 6.0, you need to recompile the
shadow package.
The NIS+ client software can be obtained from:
Site
Directory
File Name
ftp.funet.fi
/pub/gnu/funet
ftp.kernel.org
ftp.kernel.org
/pub/linux/utils/net/NIS+
/pub/linux/utils/net/NIS+
libc−*, glibc−crypt−*,
glibc−linuxthreads−*
nis−utils−19990223.tar.gz
pam_keylogin−1.2.tar.gz
Distributions based on glibc can be fetched from:
Site
Directory
ftp.debian.org
ftp.redhat.com
ftp.suse.de
/pub/debian/dists/slink
/pub/redhat/redhat−5.2
/pub/SuSE−Linux/6.0
For compilation of the GNU C Library please follow the instructions which come with the software. You cam
find the patched libc5, based on NYS, and the sources as drop in replacement for the standart libc5 at:
Site
Directory
File Name
ftp.kernel.org
/pub/linux/utils/net/NIS+
libc−5.4.44−nsl−0.4.10.tar.gz
7. What do you need to set up NIS+ ?
17
The Linux NIS(YP)/NYS/NIS+ HOWTO
You should also have a look at http://www.suse.de/~kukuk/linux/nisplus.html for more information and the
latest sources.
7.2 Setting up a NIS+ client
IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs what to do on the server side! This
document only describes what to do on the client side!
After installing the new libc and nis−tools, create the credentials for the new client on the NIS+ server. Make
sure portmap is running. Then check if your Linux PC has the same time as the NIS+ Server. For secure
RPC, you have only a small window from about 3 minutes, in which the credentials are valid. A good idea is
to run xntpd on every host. After this, run
domainname nisplus.domain.
nisinit −c −H <NIS+ server>
to initialize the cold start file. Read the nisinit man page for more options. Make sure that the domainname
will always be set after a reboot. If you don't know what the NIS+ domain name is on your network, ask your
system/network administrator.
Now you should change your /etc/nsswitch.conf file. Make sure that the only service after publickey is
nisplus ("publickey: nisplus"), and nothing else!
Then start keyserv and make sure, that it will always be started as first daemon after portmap at boot time.
Run
keylogin −r
to store the root secretkey on your system. (I hope you have added the publickey for the new host on the
NIS+ Server?).
"niscat passwd.org_dir" should now show you all entries in the passwd database.
7.3 NIS+, keylogin, login and PAM
When the user logs in, he need to set his secretkey to keyserv. This is done by calling "keylogin". The login
from the shadow package will do this for the user, if it was compiled against glibc 2.1. For a PAM aware
login, you have to install pam_keylogin−1.2.tar.gz and change the /etc/pam.d/login file to use
pam_unix_auth, not pwdb, which doesn't support NIS+. An example:
#%PAM−1.0
7.2 Setting up a NIS+ client
18
The Linux NIS(YP)/NYS/NIS+ HOWTO
auth
auth
auth
auth
account
password
session
required
required
required
required
required
required
required
/lib/security/pam_securetty.so
/lib/security/pam_keylogin.so
/lib/security/pam_unix_auth.so
/lib/security/pam_nologin.so
/lib/security/pam_unix_acct.so
/lib/security/pam_unix_passwd.so
/lib/security/pam_unix_session.so
7.4 The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf determines the order of lookups performed when a
certain piece of information is requested, just like the /etc/host.conf file which determines the way host
lookups are performed. For example, the line
hosts: files nisplus dns
specifies that host lookup functions should first look in the local /etc/hosts file, followed by a NIS+ lookup
and finally through the domain name service (/etc/resolv.conf and named), at which point if no match is
found an error is returned.
A good /etc/nsswitch.conf file for NIS+ is:
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
/etc/nsswitch.conf
An example Name Service Switch config file. This file should be
sorted with the most−used services at the beginning.
The entry '[NOTFOUND=return]' means that the search for an
entry should stop if the search in the previous entry turned
up nothing. Note that if the search failed due to some other reason
(like no NIS server responding) then the search continues with the
next entry.
Legal entries are:
nisplus
nis
dns
files
db
[NOTFOUND=return]
Use NIS+ (NIS version 3)
Use NIS (NIS version 2), also called YP
Use DNS (Domain Name Service)
Use the local files
Use the /var/db databases
Stop searching if not found so far
passwd:
compat
# for libc5: passwd: files nisplus
group:
compat
# for libc5: group: files nisplus
shadow:
compat
# for libc5: shadow: files nisplus
7.4 The nsswitch.conf File
19
The Linux NIS(YP)/NYS/NIS+ HOWTO
passwd_compat: nisplus
group_compat: nisplus
shadow_compat: nisplus
hosts:
nisplus files dns
services:
networks:
protocols:
rpc:
ethers:
netmasks:
netgroup:
bootparams:
publickey:
automount:
aliases:
nisplus
nisplus
nisplus
nisplus
nisplus
nisplus
nisplus
nisplus
nisplus
files
nisplus
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
[NOTFOUND=return]
files
files
files
files
files
files
[NOTFOUND=return] files
[NOTFOUND=return] files
NextPreviousContentsNextPreviousContents
8. Setting up a NIS Server
8.1 The Server Program ypserv
This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
Site
Directory
File Name
ftp.kernel.org
/pub/linux/utils/net/NIS
ypserv−1.3.6.tar.gz
You could also look at http://www.suse.de/~kukuk/linux/nis.html for more information.
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and makedbm programs. You can configure ypserv to use the
securenets file or the tcp_wrappers. The tcp_wrapper is much more flexible, but a lot of people have big
problems with it. And some configuration files for tcp_wrappers may cause a memory leak. If you have
problems with ypserv compiled for tcp_wrapper, recompile it using the securenets file. ypserv −−version tells
8. Setting up a NIS Server
20
The Linux NIS(YP)/NYS/NIS+ HOWTO
you, which version you have.
If you run your server as master, determine what files you require to be available via NIS and then add or
remove the appropriate entries to the "all" rule in /var/yp/Makefile. You always should look at the
Makefile and edit the Options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached.
This means you have to call makedbm always with the −c option if you create new maps. Make sure, you are
using the new /var/yp/Makefile from ypserv 1.2 or later, or add the −c flag to makedbm in the
Makefile. If you don't do that, ypserv will continue to use the old maps, and not the updated one.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read the ypserv(8)
and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command
% rpcinfo −u localhost ypserv
should output something like
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
The "version 1" line could be missing, depending on the ypserv version and configuration you are using. It is
only necessary if you have old SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run
% /usr/lib/yp/ypinit −m
On a slave make sure that ypwhich −m works. This means, that your slave must be configured as NIS
client before you could run
% /usr/lib/yp/ypinit −s masterhost
to install the host as NIS slave.
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The
debug output should show you what goes wrong.
8. Setting up a NIS Server
21
The Linux NIS(YP)/NYS/NIS+ HOWTO
If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map
if the source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a
map.
You might want to edit root's crontab *on the slave* server and add the following lines:
20 *
* * *
40 6
* * *
55 6,18 * * *
/usr/lib/yp/ypxfr_1perhour
/usr/lib/yp/ypxfr_1perday
/usr/lib/yp/ypxfr_2perday
This will ensure that most NIS maps are kept up−to−date, even if an update is missed because the slave was
down at the time the update was done on the master.
You can add a slave at every time later. At first, make sure that the new slave server has permissions to
contact the NIS master. Then run
% /usr/lib/yp/ypinit −s masterhost
on the new slave. On the master server, add the new slave server name to /var/yp/ypservers and run
make in /var/yp to update the map.
If you want to restrict access for users to your NIS server, you'll have to setup the NIS server as a client as
well by running ypbind and adding the plus−entries to /etc/passwd _halfway_ the password file. The library
functions will ignore all normal entries after the first NIS entry, and will get the rest of the info through NIS.
This way the NIS access rules are maintained. An example:
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels will have normal access.
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use another source password file.
On large systems the NIS password and group files are usually stored in /etc/yp/. If you do this the
8. Setting up a NIS Server
22
The Linux NIS(YP)/NYS/NIS+ HOWTO
normal tools to administrate the password file such as passwd, chfn, adduser will not work anymore
and you need special homemade tools for this.
However, yppasswd, ypchsh and ypchfn will work of course.
8.2 The Server Program yps
To set up the "yps" NIS server please refer to the previous paragraph. The "yps" server setup is similar, _but_
not exactly the same so beware if you try to apply the "ypserv" instructions to "yps"! "yps" is not supported
by any author, and contains some security leaks. You really shouldn't use it !
The "yps" NIS server software can be found on:
Site
Directory
File Name
ftp.lysator.liu.se
ftp.kernel.org
/pub/NYS/servers
/pub/linux/utils/net/NIS
yps−0.21.tar.gz
yps−0.21.tar.gz
8.3 The Program rpc.ypxfrd
rpc.ypxfrd is used for speed up the transfer of very large NIS maps from a NIS master to NIS slave servers. If
a NIS slave server receives a message that there is a new map, it will start ypxfr for transfering the new map.
ypxfr will read the contents of a map from the master server using the yp_all() function. This process can take
several minutes when there are very large maps which have to store by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master
server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC−based file transfer
protocol, so that there is no need for building a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slow, it should be started with ypserv. You need to
start rpc.ypxfrd only on the NIS master server.
8.4 The Program rpc.yppasswdd
Whenever users change their passwords, the NIS password database and probably other NIS databases, which
depend on the NIS password database, should be updated. The program "rpc.yppasswdd" is a server that
handles password changes and makes sure that the NIS information will be updated accordingly.
rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd−0.9.tar.gz or
yppasswd−0.10.tar.gz, and you shouldn't use them any longer. The rpc.yppasswdd in ypserv 1.3.2 has full
shadow support. yppasswd is now part of yp−tools−2.2.tar.gz.
8.2 The Server Program yps
23
The Linux NIS(YP)/NYS/NIS+ HOWTO
You need to start rpc.yppasswdd only on the NIS master server. By default, users are not allowed to change
their full name or the login shell. You can allow this with the −e chfn or −e chsh option.
If your passwd and shadow files are not in another directory then /etc, you need to add the −D option. For
example, if you have put all source files in /etc/yp and wish to allow the user to change his shell, you need to
start rpc.yppasswdd with the following parameters:
rpc.yppasswdd −D /etc/yp −e chsh
or
rpc.yppasswdd −s /etc/yp/shadow −p /etc/yp/passwd −e chsh
There is nothing more to do. You just need to make sure, that rpc.yppasswdd uses the same files as
/var/yp/Makefile. Errors will be logged using syslog.
NextPreviousContentsNextPreviousContents
9. Verifying the NIS/NYS Installation
If everything is fine (as it should be), you should be able to verify your installation with a few simple
commands. Assuming, for example, your passwd file is being supplied by NIS, the command
% ypcat passwd
should give you the contents of your NIS passwd file. The command
% ypmatch userid passwd
(where userid is the login name of an arbitrary user) should give you the user's entry in the NIS passwd file.
The "ypcat" and "ypmatch" programs should be included with your distribution of traditional NIS or NYS.
If a user cannot log in, run the following program on the client:
#include <stdio.h>
9. Verifying the NIS/NYS Installation
24
The Linux NIS(YP)/NYS/NIS+ HOWTO
#include <pwd.h>
#include <sys/types.h>
int
main(int argc, char *argv[])
{
struct passwd *pwd;
if(argc != 2)
{
fprintf(stderr,"Usage: getwpnam username\n");
exit(1);
}
pwd=getpwnam(argv[1]);
if(pwd != NULL)
{
printf("name.....:
printf("password.:
printf("user id..:
printf("group id.:
printf("gecos....:
printf("directory:
printf("shell....:
}
else
fprintf(stderr,"User
[%s]\n",pwd−>pw_name);
[%s]\n",pwd−>pw_passwd);
[%d]\n", pwd−>pw_uid);
[%d]\n",pwd−>pw_gid);
[%s]\n",pwd−>pw_gecos);
[%s]\n",pwd−>pw_dir);
[%s]\n",pwd−>pw_shell);
\"%s\" not found!\n",argv[1]);
exit(0);
}
Running this program with the username as parameter will print all the information the getpwnam function
gives back for this user. This should show you which entry is incorrect. The most common problem is, that
the password field is overwritten with a "*".
GNU C Library 2.1 (glibc 2.1) comes with a tool called getent. Use this program instead the above on such a
system. You could try:
getent passwd
or
getent passwd login
NextPreviousContents
9. Verifying the NIS/NYS Installation
25