
Upload: sciby

Post on 15-Jan-2016


Page 1: NIS - Linux Central Authentication

1

NIS : Linux central authentication

NIS (Network Information Services) enables account logins and other services (host name resolution, xinetd network services configuration, ...) to be centralized on a single NIS server.

This tutorial covers the configuration and use of NIS for login authentication. NIS+ is slightly more complex as it uses encryption for the data transfers between the NIS server and NIS client. Regular NIS does not use encryption, thus it should only be used for isolated or private networks protected by a firewall.

NIS Description:

NIS allows a central server to manage password authentication, hosts, services, etc., which would normally be provided by the local files /etc/passwd, /etc/shadow, /etc/group, /etc/hosts, /etc/services, /etc/networks, /etc/rpc, /etc/protocols, /etc/aliases (sendmail), ...

NIS client systems look to the NIS server to provide this data. This tutorial will cover the configuration of both an NIS server and NIS clients.

The logical cluster of the server and its clients is known as an NIS "domain".

The systems in an NIS domain must have their clocks synchronized, usually using NTP (Network Time Protocol).

LDAP has overtaken NIS as the preferred central authentication server technology as it has cross platform support and greater client web and desktop application support. See the following YoLinux LDAP tutorials:

LDAP authentication

LDAP server configuration

Website authentication using LDAP and Apache

NIS has greater legacy UNIX support and is in place and used in many corporate networks. NIS is independent of NFS (file sharing) although the two are often hosted on a single server and they were both originally developed by Sun Microsystems.

NIS Configuration:

NIS server configuration

NIS client configuration

NIS server configuration:

Requires RPM packages:

ypbind - RPC port binding service

portmap - RPC port mapping

ypserv - NIS server daemons

yp-tools - NIS support commands (ypcat, yppasswd, ypwhich, ...)

nscd - Handles password and group lookups and caches the results. NSCD is used by LDAP and NIS. The configuration of nscd defines which files are supported, i.e. authentication requires passwd, shadow and group file support. Uses the configuration file /etc/nscd.conf


The following configuration assumes that the NIS server will also be using NIS for authentication.

File: /etc/sysconfig/network

NETWORKING=yes

HOSTNAME=hostname-of-this-nis-server

NISDOMAIN=name-of-domain

File: /etc/yp.conf

Example:

domain lab2 server 127.0.0.1

Format:

domain name-of-domain server 127.0.0.1

Where 127.0.0.1 is the "localhost" IP address of the NIS server. In this configuration, this NIS server is using NIS to authenticate logins, not just the client.

File: /etc/nsswitch.conf

passwd: files nis

shadow: files nis

group: files nis

This sets the order in which the lookup sources are consulted; e.g. in this case, the local /etc/passwd file is checked first before checking with NIS for password authentication. It is recommended that the root password be authenticated locally using "files" with all other users authenticated using NIS.

File: /etc/ypserv.conf

dns: no

files: 30

slp: no

slp_timeout: 3600

xfr_check_port: yes

* : * : shadow.byname : port

* : * : passwd.adjunct.byname : port

File: /var/yp/securenets

Configuration authorizes only a single subnet to authenticate with the NIS server:

host 127.0.0.1

255.255.255.0 XXX.XXX.XXX.0

The "host" statement allows access for a specified single host.

Configuration to allow two subnets to authenticate with the NIS server:

host 127.0.0.1

255.255.254.0 192.168.105.0

Allows the range of IP addresses 192.168.105.0 to 192.168.106.255 to authenticate with the NIS server.

Configuration to allow everyone to authenticate with the NIS server:


255.0.0.0 127.0.0.0

0.0.0.0 0.0.0.0

For more on the use of netmasks with IP addresses, see the YoLinux Networking tutorial and Subnets.
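As an added check that is not part of the tutorial, the Python below parses securenets lines in the format shown above and reports which client addresses a mask/network pair admits; the sample file is constructed, with 192.168.20.0 standing in for the XXX.XXX.XXX.0 placeholder, and the example assumes the mask is applied to both the client address and the network address, so a network address that is not aligned to its mask (192.168.105.0 with 255.255.254.0) is normalised to 192.168.104.0/23.

```python
import ipaddress

# Constructed /var/yp/securenets, using the entries from the tutorial with the
# XXX.XXX.XXX.0 placeholder replaced by a lab subnet.
SECURENETS = """\
# a single host: the server itself
host 127.0.0.1
# netmask  network
255.255.255.0 192.168.20.0
255.255.254.0 192.168.105.0
"""


def parse_securenets(text):
    """Return one IPv4Network per entry (a 'host' line becomes a /32).

    strict=False applies the mask to the network address, so a non-aligned
    entry such as 192.168.105.0/255.255.254.0 is normalised to 192.168.104.0/23
    (assumption: the same mask arithmetic ypserv uses when comparing clients).
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        first, second = line.split()
        if first == "host":
            nets.append(ipaddress.ip_network(f"{second}/32"))
        else:
            nets.append(ipaddress.ip_network(f"{second}/{first}", strict=False))
    return nets


def is_allowed(client_ip, nets):
    """True if the client address falls inside any securenets entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def covered_range(netmask, network):
    """First and last address admitted by a 'netmask network' line."""
    net = ipaddress.ip_network(f"{network}/{netmask}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


if __name__ == "__main__":
    nets = parse_securenets(SECURENETS)
    for client in ("127.0.0.1", "192.168.20.77", "192.168.104.7", "192.168.106.1"):
        print(client, "allowed" if is_allowed(client, nets) else "rejected")
```

Run covered_range against each line of a real securenets file before deploying it, so the admitted block matches the subnet that was intended.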

File: /var/yp/nicknames

passwd passwd.byname

group group.byname

networks networks.byaddr

hosts hosts.byname

protocols protocols.bynumber

services services.byname

aliases mail.aliases

ethers ethers.byname

As root, issue the following configuration commands:

# nisdomainname name-of-domain

# service portmap restart

# service yppasswdd start

# service ypserv start

# /usr/lib/yp/ypinit -m

# make -C /var/yp

# service ypbind start

Where:

The nisdomainname command sets the NIS domain name, which is stored as the "NISDOMAIN" entry in /etc/sysconfig/network. This is usually configured during Linux OS installation. Note that the commands nisdomainname, ypdomainname and domainname are all equivalent (soft links to the same program). Without an argument, the command returns the current domain name.

Network server services:

o portmap: RPC network communications services

o ypserv: NIS server daemon

o ypbind: NIS client daemon

o yppasswd: Password daemon which allows users to change their NIS passwords on the server from their client systems.

ypinit -m: Configure the NIS server as a "master NIS server" with the option "-m". This converts the /etc/passwd, /etc/shadow, hosts, ... files into NIS GNU dbm database format and generates a Makefile. Traditional UNIX systems use the ndbm database format.

The command "make -C /var/yp" is equivalent to:

o cd /var/yp

o make

NIS Clients:

o ypbind: NIS client

See the YoLinux tutorial on the Linux init process and configuring your system to start services upon system boot.


Test:

Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind

o program 10007 version 1 ready and waiting

o program 10007 version 2 ready and waiting

NIS client configuration:

Requires RPM packages:

ypbind

portmap

yp-tools

nscd

File: /etc/sysconfig/network , (RHEL, Fedora, CentOS, ... Red Hat based Linux systems)

NETWORKING=yes

HOSTNAME=client-hostname

NISDOMAIN=name-of-domain

File: /etc/yp.conf

Example:

domain lab2 server 192.168.20.5

Format:

domain name-of-domain server XXX.XXX.XXX.XXX , Where XXX.XXX.XXX.XXX is the IP address of the NIS server.

File: /etc/nsswitch.conf

...

...

passwd: files nis

shadow: files nis

group: files nis

...

...

Options:

compat: Use compatibility setup

nisplus: Use NIS+ (NIS version 3)

nis: Use NIS (NIS version 2), also called YP

dns: Use DNS (Domain Name Service)

files: Use the local files /etc/passwd, /etc/group, ...

[NOTFOUND=return]: Stop searching if not found so far

Create domain with the command: nisdomainname name-of-domain


Start NIS client services:

service portmap restart

service ypbind start

service nscd start (optional - used to cache login and passwd info to improve authentication response time)

Test:

Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind

List passwd file: ypcat passwd

Note:

[Potential Pitfall]: If you find that the ypbind daemon on a client is crashing on a network which extends great distances, has heavy traffic or is unreliable, try starting ypbind with the option "-no-ping".

Red Hat configuration fix: edit the file /etc/init.d/ypbind and change it to:

... OTHER_YPBIND_OPTS="-no-ping" ...

This will keep ypbind from checking its network connection unnecessarily.

Red Hat GUI client configuration:

GUI tool: /usr/bin/system-config-authentication


Select the "Configure NIS ..." button:

NIS and system users:

User Administration:

Add a new user: (as root on NIS server)

useradd -g user-group user-id (or, also create home directory: useradd -m -g user-group user-id)

make -C /var/yp ( updates local NIS databases.)

Changing a password for a user: yppasswd -p user-id

User password management:

Users will now change their passwords using the NIS password command yppasswd instead of passwd, which only changes the local password file. When using an NIS slave (described below), do not modify the password while logged into the NIS master.

NIS maintenance scripts:

Read NIS database files and generate traditional /etc/passwd and /etc/shadow files.

File: nis2pass

#!/bin/bash
# passwd: user name, "x" in place of the hash, then uid:gid:gecos:home:shell
/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":x:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' > passwd
# shadow: user name, password hash from the map, then fixed aging fields
/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":" $2 ":13539:0:99999:7:::"}' > shadow
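The following Python is an added example (not the tutorial's script) that performs the same conversion as nis2pass but skips the YP_* bookkeeping keys that ypserv stores in every map, which the awk version would otherwise emit as malformed passwd lines; the dump text is constructed, and the password hashes in it are placeholders.

```python
# Constructed sample of "makedbm -u passwd.byname" output: one "key value" line
# per entry, plus the YP_* bookkeeping keys ypserv keeps in every map.
DUMP = """\
YP_LAST_MODIFIED 1167609600
YP_MASTER_NAME nis-master.example.test
alice alice:$1$placeholder$hashhashhashhashhash:1001:100:Alice Liddell:/home/alice:/bin/bash
bob bob:$1$placeholder$hashhashhashhashhash:1002:100:Bob:/home/bob:/bin/sh
"""

# Aging fields appended by the tutorial's nis2pass script: last change, min,
# max, warn, inactive, expire, reserved.
SHADOW_TAIL = "13539:0:99999:7:::"


def entries(dump):
    """Yield (key, fields) for real user entries, skipping YP_* keys and
    rejecting any line whose value does not have the seven passwd fields."""
    for line in dump.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")   # gecos may contain spaces
        if key.startswith("YP_"):
            continue
        fields = value.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry for key {key!r}: {value!r}")
        yield key, fields


def nis_to_passwd(dump):
    """passwd lines: user name, 'x' instead of the hash, uid:gid:gecos:home:shell."""
    return [":".join([key, "x"] + fields[2:]) for key, fields in entries(dump)]


def nis_to_shadow(dump):
    """shadow lines: user name, the hash from the map, then the fixed aging fields."""
    return [f"{key}:{fields[1]}:{SHADOW_TAIL}" for key, fields in entries(dump)]


if __name__ == "__main__":
    # Write the two files in the current directory, as nis2pass does.
    with open("passwd", "w") as f:
        f.write("\n".join(nis_to_passwd(DUMP)) + "\n")
    with open("shadow", "w") as f:
        f.write("\n".join(nis_to_shadow(DUMP)) + "\n")
```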

Man pages:

makedbm - Create or dump a ypserv database file

Example: makedbm -u dbname

getent - Get entries from administrative database

Example: getent database [key ...]

Hostname resolution:

It is the predominant practice to use DNS (bind) for hostname resolution.


Note: NIS is capable of performing host name resolution and so is LDAP.

Best Practice: Use DNS for general host resolution and use the local file /etc/hosts to resolve the host name of the NIS server. This improves performance, as host name resolution of the NIS server then does not require a network connection.

Configuring a NIS client to use NIS for host name resolution:

File: /etc/nsswitch.conf

...

...

hosts: files nis

...

...

This configuration has the system look at the file /etc/hosts for a host name and then it looks to the NIS server.

Configuring an NIS Master - Slave failover server:

One can create a redundant failover slave server to improve network robustness. The NIS clients will be configured with an additional host in /etc/yp.conf.

Client File: /etc/yp.conf

domain name-of-domain server XXX.XXX.XXX.XXX

domain name-of-domain server ZZZ.ZZZ.ZZZ.ZZZ

Where XXX.XXX.XXX.XXX is the IP address of the NIS master server and ZZZ.ZZZ.ZZZ.ZZZ is the IP address of the NIS slave server.

The NIS master and slave servers must arrange for NIS database transfers to stay synchronized. The configurations of the NIS servers are the same as for the above single master with the following additions and/or changes:

NIS Master:

NIS master file: /etc/ypservers

host-name-of-nis-master

host-name-of-nis-slave

Edit NIS master Makefile to allow database push to slave: /var/yp/Makefile

NOPUSH=false

After performing the NIS server procedures above, start the additional database transfer daemon:

service ypxfrd start

Push configuration change notification to clients: yppush

Perform this after updates to NIS master.

yppush man page


NIS Slave:

/usr/lib/yp/ypinit -s nis-master-hostname: Configure the NIS server as a "slave NIS server" with the option "-s" and state the "master" from which the NIS database transfer will occur.

Note: This is a change from the above single NIS master configuration.

Start the additional database transfer daemon: service ypxfrd start

Links:

Homepage of the Linux NIS/NIS+ Projects

Apache web server authentication using NIS - YoLinux.com tutorial

Web CGI interface to manage NIS passwords. - YoLinux.com tutorial

Linux Networking - YoLinux.com tutorial

Linux systems administration - YoLinux.com tutorial

NIS HowTo

Man pages:

nisdomainname - show or set the system’s NIS/YP domain name

ypinit - NIS database install and build program

yppush - Push configuration change notification to clients.

revnetgroup - Generate reverse netgroup data

ypserv - NIS server

ypxfr - Transfer NIS database from remote server to local host

yppoll - Return version and master server of a NIS map

ypset - Bind ypbind to a particular NIS server

ypcat - Print values of all keys in a NIS database

ypwhich - Return name of NIS server or map master

ypmatch - Print the values of one or more keys from a NIS map

yptest - Test NIS configuration

yppasswd - (Also: ypchfn, ypchsh) - Change NIS password in the NIS database

yppasswdd - NIS password update daemon

ypxfrd - NIS map transfer server for NIS master/slave servers.

ypbind - NIS binding process

nscd - Name service cache daemon

Configuration Files:

/etc/yp.conf

/etc/ypserv.conf

/etc/netgroup

/etc/nscd.conf

/etc/nsswitch.conf

/etc/nickname


Glossary:

NSS: Name Service Switch. The file /etc/nsswitch.conf determines the order of lookups performed.

RPC: Remote Procedure Call; routines that allow C programs to make procedure calls on other machines across the network.

HostName: The name of the computer system. This is typically configured using Linux OS installation.

YP: Yellow Pages(tm), a registered trademark in the UK of British Telecom plc, forcing Sun to rename it to NIS.

Host Name Resolution: The lookup by a client to find the IP address given the host name so that it can create a network connection.