25. Network Information Service (NIS)
1. Central information database
2. Can provide user, group, name resolution, home directory, and authentication information.
o ypserv – Provides the ypserv and yppasswdd daemons. ypserv provides the NIS service and yppasswdd allows the user to change their password and possibly their shell and GECOS information (see below).
o ypbind – Provides ypbind daemon that is used by clients to connect to an NIS server.
o yp-tools – Provides various NIS client programs.
o portmap – Not part of NIS, but is required for it to work.
Assigned by portmap.
5. Supported NIS Versions
Both ypbind and ypserv support versions 1 & 2.
o Flat namespace. No sub-domains are allowed.
o Only one master per domain.
o Multiple slave servers are allowed. This provides fault tolerance and load sharing.
o Low Security – Designed when networks could be trusted (e.g. no sniffers installed, no one trying to bypass the service).
o Low Scalability – Replication of data between servers isn’t very efficient. NIS has a flat namespace that can’t be delegated out by subdomain to help ease administration. This limits the use of NIS in larger networks.
o Only runs on *nix – Limited use in heterogeneous environments.
25.2 NIS Client Info
o Two options for finding NIS server:
ypbind contacts its NIS server by sending a broadcast message. This can be a security risk since a rogue NIS server could answer all NIS broadcasts in order to collect authentication information.
NIS servers for the client’s domain can be listed in this file. This is more secure since clients contact the NIS server directly instead of broadcasting. This file is modified by authconfig when you select NIS authentication.
o Use authconfig to configure the client machine to use NIS. You must specify the following:
1. The domain the client will belong to.
2. An NIS domain server (master or slave).
authconfig automatically starts the ypbind daemon for you.
o Configure /etc/nsswitch.conf.
Make sure that “nis” is listed for any information that will be stored in NIS. For example:
passwd: files nis # Check for users in the local system file first, then NIS
shadow: files nis # Same as above, only for the users’ passwords
hosts: files nis dns # Check the local files, then NIS, then DNS for host information
The order specified is important. For example, if user steve is defined in both the system files and the NIS map and we have the same setup as the nsswitch.conf file above, the information about user steve (passwd, GECOS, etc.) will be retrieved from the local system files and not from the NIS map.
To change this, we would need to reverse the order listed above for the passwd and shadow entries so that “nis” comes before “files”.
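The two client-side points above (broadcast discovery and nsswitch ordering) as one added example; this is not code from the original notes. It assumes ypbind reads /etc/yp.conf (the file the notes refer to without naming) and glibc reads /etc/nsswitch.conf; all file contents and user data are constructed samples.

```python
"""Client-side NIS configuration checks (added example, not from the page)."""
from typing import Dict, List, Optional, Tuple

# Constructed /etc/yp.conf: one domain uses broadcast, one names its server.
YP_CONF = """\
domain lab.nis broadcast                  # risky: any responder can answer
domain corp.nis server nis1.lab.internal  # explicit server, no broadcast
ypserver 192.168.1.10
"""
# Constructed /etc/nsswitch.conf matching the ordering discussed above.
NSSWITCH = """\
passwd: files nis
hosts:  files nis dns
"""
# Constructed lookup data: 'steve' exists in both sources with different GECOS.
SOURCES = {"files": {"passwd": {"steve": "Steve Local,,,"}},
           "nis": {"passwd": {"steve": "Steve NIS,,,", "alice": "Alice NIS,,,"}}}

def _lines(text: str) -> List[List[str]]:
    """Token lists per line, with comments and blank lines dropped."""
    out = []
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if toks:
            out.append(toks)
    return out

def broadcast_domains(yp_conf: str) -> List[str]:
    """NIS domains ypbind would locate by broadcast ('*' = the host's own domain)."""
    found = set()
    for toks in _lines(yp_conf):
        if toks[0] == "domain" and len(toks) >= 3 and toks[2] == "broadcast":
            found.add(toks[1])
        elif toks[0] == "broadcast":
            found.add("*")
    return sorted(found)

def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """{database: [source, ...]} in file order; [action] tokens are skipped."""
    order = {}
    for toks in _lines(text):
        db, _, rest = " ".join(toks).partition(":")
        order[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    return order

def lookup(order: Dict[str, List[str]], db: str, key: str) -> Optional[Tuple[str, str]]:
    """First source in nsswitch order that holds the key wins, as glibc NSS does."""
    for src in order.get(db, []):
        hit = SOURCES.get(src, {}).get(db, {}).get(key)
        if hit is not None:
            return src, hit
    return None
```

Running broadcast_domains over a real yp.conf gives the list of domains an attacker-controlled responder could serve; lookup shows why steve resolves from files rather than nis unless the order is reversed.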
3. Client Side Tools
o ypwhich – Determines which master or slave NIS server the client is using.
o ypcat – Used to print keys in an NIS map. For example, to print information in the passwd file:
ypcat passwd
o ypchfn – Change your GECOS information in NIS.
yppasswdd must be started with “-e chfn” in order for users to be able to change their GECOS information.
o ypchsh – Change your login shell in NIS.
yppasswdd must be started with “-e chsh” in order for users to be able to change their login shell.
o yppasswd – Change your NIS password.
o yppush – Used to copy NIS information from masters to slaves. Called automatically if “NOPUSH=false” in the /var/yp/Makefile.
o ypmatch – Used to print the value of one or more keys in an NIS map.
For example, to print the entry for user steve in the passwd file:
ypmatch steve passwd
25.3 NIS Server
o Specify your domain in /etc/sysconfig/network by inserting the following line:
This will set your domain name at bootup. To set it now, use the domainname command:
SECURITY NOTE: The domain specified should not be the same as your DNS domain. NIS domains should be kept secret in order to improve security. If an NIS domain is known and the NIS server can be reached, any client can connect to the domain.
o Master Servers
1. Make sure the host name has been changed to something other than localhost.localdomain. This can cause problems for slave servers if it’s not changed.
2. Specify the networks that are allowed to connect to the NIS server in /var/yp/securenets.
3. Change /var/yp/Makefile to fit your needs. This file includes a list of possible information that NIS can store.
A few options:
NOPUSH=true # Set to false if you have slave servers
MERGE_PASSWD=true # Should we merge the shadow file with the password file?
MERGE_GROUP=true # Should we merge the gshadow file with the group file?
MINUID=500 # Lowest uid to include in the NIS map
MINGID=500 # Lowest gid to include in the NIS map
4. Start portmap and ypserv:
service portmap start
service ypserv start
5. Create the NIS map:
/usr/lib/yp/ypinit -m
You may receive the following message:
Could not read ypservers map: 3 Can’t bind to server which serves this domain
This does not appear to be a critical error. The NIS map is still created.
If you only want to include login and group information in your NIS map, you could use the following instead of ypinit:
make passwd shadow group
Any time you change information on the master server that affects the NIS map, you must re-run the “make” command. User passwords are the exception to this rule. They are updated automatically.
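Step 2 of the master-server procedure is the access control that stands between the NIS maps and the rest of the network. The following added example (not code from the original notes) evaluates a /var/yp/securenets file the way ypserv does and flags the permit-everything entry; the file contents are constructed samples.

```python
"""Check which clients /var/yp/securenets admits (added example, not from the page)."""
import ipaddress
from typing import List

# Constructed securenets contents: each line is 'netmask network' or 'host address'.
SECURENETS = """\
# Always allow access for localhost
host 127.0.0.1
# Only the lab subnet may query this server
255.255.255.0 192.168.1.0
"""
# The entry that admits every address; its presence defeats the file's purpose.
WIDE_OPEN = "0.0.0.0 0.0.0.0\n"

def parse_securenets(text: str) -> List[ipaddress.IPv4Network]:
    """Turn securenets lines into networks; malformed lines raise ValueError."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        toks = raw.split("#", 1)[0].split()
        if not toks:
            continue
        if len(toks) != 2:
            raise ValueError(f"securenets line {lineno}: expected two fields, got {raw!r}")
        mask, addr = toks
        if mask == "host":
            nets.append(ipaddress.ip_network(f"{addr}/32"))
        else:
            # ypserv ANDs the client address with the mask, so stray host bits
            # in the network field are ignored; strict=False mirrors that.
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def client_allowed(client_ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """A request is served only if its source address matches some entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)

def permits_everyone(nets: List[ipaddress.IPv4Network]) -> bool:
    """True when an entry has a zero-length mask, which disables the check."""
    return any(net.prefixlen == 0 for net in nets)
```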
o Slave Servers
1. Put an entry in /etc/hosts for the master NIS server.
2. All names of the slave servers must be specified in the /var/yp/ypservers file on the master server.
3. Start portmap and ypserv:
service portmap start
service ypserv start
4. Execute ypinit:
/usr/lib/yp/ypinit -s
If specifying the IP address of the master server doesn’t work, specify the hostname (from /etc/hosts) of the master server instead.
You may see the following message several times:
Trying ypxfrd … not running
Everything still appears to transfer ok from the master server.
o yppush is automatically called whenever the master server’s database is updated. yppush transfers the NIS map from the master to the slaves. In order for replication to work, ypbind must be running on the master server.
o ypxfr is similar to yppush except that it transfers the NIS map from the NIS server to the localhost. It is usually invoked by ypinit or ypserv.
o Check NIS using rpcinfo:
rpcinfo -p localhost
Verify that portmap is running.
25.4 Using Automounter to Automount User Home Directories
1. First, add the following line to /etc/auto.master:
/home /etc/auto.home --timeout 60
2. Then, create the /etc/auto.home file with the following contents:
* -rw,soft,intr 192.168.1.20:/home/&
In this case, 192.168.1.20 is the IP address of the NFS server.
3. Unmount /home on the client machine if it is a separate partition.
4. Restart autofs.
5. On the NFS server, put the following line in /etc/exports (the /24 makes it a network entry rather than a single host):
/home 192.168.1.0/24(rw)
6. Start (or restart) NFS on the NFS server.
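How the wildcard map above turns a user name into a mount, as an added example rather than code from the original notes: it parses the auto.master and auto.home lines from the procedure (constructed here as strings) and applies autofs's rule that `*` matches any key and `&` is replaced by the key looked up.

```python
"""Resolve an autofs indirect map with a wildcard key (added example, not from the page)."""
from typing import Dict, List, Optional, Tuple

# The two files from the procedure above, as constructed sample text.
AUTO_MASTER = "/home /etc/auto.home --timeout 60\n"
AUTO_HOME = "* -rw,soft,intr 192.168.1.20:/home/&\n"

def parse_auto_master(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """{mount point: (map file, autofs options such as --timeout)}"""
    master = {}
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if len(toks) >= 2:
            master[toks[0]] = (toks[1], toks[2:])
    return master

def parse_map(text: str) -> List[Tuple[str, List[str], str]]:
    """Indirect map entries as (key, mount options, location)."""
    entries = []
    for raw in text.splitlines():
        toks = raw.split("#", 1)[0].split()
        if not toks:
            continue
        key, rest = toks[0], toks[1:]
        opts: List[str] = []
        if rest and rest[0].startswith("-"):
            opts, rest = rest[0][1:].split(","), rest[1:]
        if len(rest) != 1:
            raise ValueError(f"bad map line: {raw!r}")
        entries.append((key, opts, rest[0]))
    return entries

def resolve(mount_point: str, name: str, map_text: str) -> Optional[Tuple[str, List[str], str]]:
    """(path, options, NFS source) for a name; explicit keys beat the '*' wildcard.

    Each '&' in the location is replaced by the name, so 'steve' under /home
    becomes 192.168.1.20:/home/steve mounted at /home/steve.
    """
    entries = parse_map(map_text)
    match = next((e for e in entries if e[0] == name), None) \
        or next((e for e in entries if e[0] == "*"), None)
    if match is None:
        return None
    _, opts, location = match
    return f"{mount_point}/{name}", opts, location.replace("&", name)
```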