Yolinux.com Tutorial

NIS : Linux central authentication

NIS (Network Information Service) enables account logins and other services (host name resolution, xinetd network services configuration, ...) to be centralized on a single NIS server.

This tutorial covers the configuration and use of NIS for login authentication. NIS+ is slightly more complex, as it encrypts the data transfers between the NIS server and NIS client. Regular NIS does not use encryption, so it should only be used on isolated or private networks protected by a firewall.

Related YoLinux Tutorials:

  • Apache NIS, LDAP Authentication
  • LDAP authentication
  • LDAP server configuration
  • Linux Networking
  • YoLinux Tutorials Index


NIS Description:

NIS allows a central server to manage password authentication, hosts, services, etc., which would normally be provided by the local files /etc/passwd, /etc/shadow, /etc/group, /etc/hosts, /etc/services, /etc/networks, /etc/rpc, /etc/protocols, /etc/aliases (sendmail), ...

NIS Client systems look to the NIS server to provide this data. This tutorial will cover the configuration of both an NIS server and NIS clients.

The logical cluster of the server and its clients is known as an NIS "domain".

The systems in an NIS domain must have their clocks synchronized, usually using NTP (Network Time Protocol).
See the YoLinux.com SysAdmin tutorial on NTP for configuring an NTP client to synchronize with a public NTP server.

LDAP has overtaken NIS as the preferred central authentication server technology, as it has cross-platform support and broader support in client web and desktop applications. See the YoLinux LDAP tutorials listed above.

NIS has greater legacy Unix support and is already in place and in use on many corporate networks. NIS is independent of NFS (file sharing), although the two are often hosted on a single server and both were originally developed by Sun Microsystems.


NIS Configuration:


NIS server configuration:

Requires RPM packages:

  • ypbind - NIS binding daemon (the client side of NIS; the server also runs it when it authenticates against itself)
  • portmap - RPC port mapping
  • ypserv - NIS server daemons
  • yp-tools - NIS support commands (ypcat, yppasswd, ypwhich, ...)
  • nscd - Handles password and group lookups and caches the results. Used by LDAP and NIS. The configuration of nscd defines which files are supported by NIS, e.g. authentication requires passwd, shadow and group file support. Uses the configuration file /etc/nscd.conf

See the YoLinux systems administration tutorial on installing Red Hat/Fedora/CentOS RPMs or Ubuntu/Debian packages.

The following configuration assumes that the NIS server will also be using NIS for authentication.

File: /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=hostname-of-this-nis-server
NISDOMAIN=name-of-domain

File: /etc/yp.conf

Example:

domain lab2 server 127.0.0.1

Format:

domain name-of-domain server 127.0.0.1

Where 127.0.0.1 is the "localhost" IP address of the NIS server. In this configuration the NIS server itself uses NIS to authenticate logins, not just the clients.

File: /etc/nsswitch.conf

passwd:     files nis
shadow:     files nis
group:      files nis

This sets the order in which the authentication sources are consulted, e.g. in this case the local /etc/passwd file is checked first, before NIS is queried for password authentication. It is recommended that the root account be authenticated locally using "files", with all other users authenticated using NIS.

File: /etc/ypserv.conf

dns: no
files: 30
slp: no
slp_timeout: 3600
xfr_check_port: yes
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

File: /var/yp/securenets

Configuration authorizes only a single subnet to authenticate with the NIS server:
host 127.0.0.1
255.255.255.0 XXX.XXX.XXX.0
The "host" statement allows access for a specified single host.

Configuration to allow two adjacent subnets to authenticate with the NIS server:

host 127.0.0.1
255.255.254.0 192.168.104.0
Allows the range of IP addresses 192.168.104.0 to 192.168.105.255 to authenticate with the NIS server. ypserv compares the client address masked with the netmask against the network address, so the network address must not have any bits set outside the netmask.

Configuration to allow everyone to authenticate with the NIS server:

255.0.0.0   127.0.0.0
0.0.0.0 0.0.0.0
For more on the use of netmasks with IP addresses, see the YoLinux Networking tutorial and Subnets.
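The two access controls above (the /var/yp/securenets entries and the host:domain:map:security rules in /etc/ypserv.conf) can be checked before a server goes live. The following is an added example, not code from the tutorial or from ypserv itself: it models ypserv's decision (securenets first, then the first matching access rule, where "port" means the request must come from a source port below 1024) over constructed sample files, and it flags securenets entries whose network address has host bits set under the netmask, which can never match any client. Only the "*" host field of ypserv.conf rules is modelled.

```python
import ipaddress

# Constructed samples (not a live configuration): a securenets file and ypserv.conf rules.
SECURENETS = "host 127.0.0.1\n255.255.255.0 192.168.20.0\n"
YPSERV_RULES = "* : * : shadow.byname : port\n* : * : passwd.adjunct.byname : port\n"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def parse_securenets(text):
    """(netmask, network) pairs as ints; a 'host' line is a single-address entry."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields:
            mask = "255.255.255.255" if fields[0] == "host" else fields[0]
            entries.append((_ip(mask), _ip(fields[1])))
    return entries

def misaligned_entries(entries):
    """Entries whose network has host bits set: (client & mask) can never equal them."""
    return [e for e in entries if e[1] & e[0] != e[1]]

def securenets_allows(entries, client_ip):
    """ypserv admits a client when (client & netmask) == network for some entry."""
    return any(_ip(client_ip) & mask == net for mask, net in entries)

def parse_rules(text):
    """ypserv.conf access rules: host : domain : map : security (only host '*' is modelled)."""
    return [tuple(f.strip() for f in line.split(":"))
            for line in text.splitlines() if line.strip() and not line.startswith("#")]

def rule_allows(rules, domain, ypmap, client_port):
    """First matching rule decides: deny, port (source port < 1024) or none; no match allows."""
    for host, rdom, rmap, security in rules:
        if host == "*" and rdom in ("*", domain) and rmap in ("*", ypmap):
            return security != "deny" and (security != "port" or client_port < 1024)
    return True

def request_allowed(client_ip, client_port, domain, ypmap,
                    securenets=SECURENETS, ypserv_conf=YPSERV_RULES):
    """Model of ypserv's decision: securenets first, then the access rules."""
    if not securenets_allows(parse_securenets(securenets), client_ip):
        return False
    return rule_allows(parse_rules(ypserv_conf), domain, ypmap, client_port)
```

Run misaligned_entries() over a real securenets file before restarting ypserv; an empty list means every entry can match at least one client address.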

File: /var/yp/nicknames
Note: This is the default from the initial RPM installation and does not require any change for most configurations.

passwd      passwd.byname
group       group.byname
networks    networks.byaddr
hosts       hosts.byname
protocols   protocols.bynumber
services    services.byname
aliases     mail.aliases
ethers      ethers.byname

As root, issue the following configuration commands:

# nisdomainname name-of-domain
# service portmap restart
# service yppasswdd start
# service ypserv start
# /usr/lib/yp/ypinit -m
# make -C /var/yp
# service ypbind start
                
Where:
  • The nisdomainname command creates the "NISDOMAIN" entry in /etc/sysconfig/network. This is usually configured during Linux OS installation. Note that the commands nisdomainname, ypdomainname and domainname are all equivalent (links to the same program). Without an argument, the command returns the current domain name.
    nisdomainname man page
  • Network server services:
    • portmap: RPC network communications services
    • yppasswd: Password daemon which allows users to change their NIS passwords on the server from their client systems.
    • ypserv: NIS server daemon
    • ypbind: NIS client daemon
  • ypinit -m: Configure the NIS server as a "master NIS server" with the option "-m". This will convert /etc/passwd, /etc/shadow, hosts, ... files into NIS GNU dbm database format and generates a make file. Traditional Unix systems use ndbm database format.
    ypinit man page
  • The command "make -C /var/yp" is equivalent to:
    • cd /var/yp
    • make
  • NIS Clients:
    • ypbind: NIS client

See the YoLinux tutorial on the Linux init process and configuring your system to start services upon system boot.

Test:

  • Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind
    program 10007 version 1 ready and waiting
    program 10007 version 2 ready and waiting


NIS client configuration:

Requires RPM packages:

  • ypbind
  • portmap
  • yp-tools
  • nscd

File: /etc/sysconfig/network
(RHEL, Fedora, CentOS, ... Red Hat based Linux systems)

NETWORKING=yes
HOSTNAME=client-hostname
NISDOMAIN=name-of-domain
File: /etc/yp.conf

Example:

domain lab2 server 192.168.20.5

Format:

domain name-of-domain server XXX.XXX.XXX.XXX

Where XXX.XXX.XXX.XXX is the IP address of the NIS server.
Man page: yp.conf

File: /etc/nsswitch.conf

...
...

passwd:     files nis
shadow:     files nis
group:      files nis

...
...
Options:
  • compat: Use compatibility setup
  • nisplus: Use NIS+ (NIS version 3)
  • nis: Use NIS (NIS version 2), also called YP
  • dns: Use DNS (Domain Name Service)
  • files: Use the local files /etc/passwd, /etc/group, ...
  • [NOTFOUND=return]: Stop searching if not found so far
Man page: nsswitch.conf
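The lookup order and the [NOTFOUND=return] action described above decide which source answers a given user name; in particular, with "passwd: files nis" a root entry in the local /etc/passwd always wins over a root entry in the NIS map. The following is an added example, not code from the tutorial or from glibc's NSS: it parses one nsswitch.conf line and walks constructed stand-ins for the local file and the NIS map in that order.

```python
# Constructed lookup tables standing in for /etc/passwd ("files") and the NIS passwd.byname map ("nis").
FILES = {"root": "root:x:0:0:root:/root:/bin/bash"}
NIS = {"root": "root:x:0:0:nis-root:/root:/bin/sh",
       "alice": "alice:x:1001:100::/home/alice:/bin/bash"}
SOURCES = {"files": FILES, "nis": NIS}

def parse_nsswitch_line(line):
    """'passwd: files [NOTFOUND=return] nis' -> ('passwd', [('files', {'NOTFOUND': 'return'}), ('nis', {})])"""
    db, _, rest = line.partition(":")
    chain = []
    for tok in rest.split():
        if tok.startswith("[") and tok.endswith("]"):
            # An action token applies to the source that precedes it.
            status, _, action = tok[1:-1].partition("=")
            chain[-1][1][status.upper()] = action.lower()
        else:
            chain.append((tok, {}))
    return db.strip(), chain

def lookup(nsswitch_line, key, sources=SOURCES):
    """Walk the sources in order; the defaults are 'return' on SUCCESS and 'continue' on NOTFOUND.
    Returns (source name, entry) or None when no source answers."""
    _, chain = parse_nsswitch_line(nsswitch_line)
    for name, actions in chain:
        entry = sources.get(name, {}).get(key)
        if entry is not None:
            if actions.get("SUCCESS", "return") == "return":
                return name, entry
        elif actions.get("NOTFOUND", "continue") == "return":
            return None
    return None
```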

Create domain with the command: nisdomainname name-of-domain

Start NIS client services:

  • service portmap restart
  • service ypbind start
  • service nscd start (optional - used to cache login and passwd info to improve authentication response time)

Test:

  • Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind
  • List passwd file: ypcat passwd

[Potential Pitfall]: If you find that the ypbind daemon on a client crashes on a network that spans large distances, carries heavy traffic or is unreliable, try starting ypbind with the option "-no-ping".

Red Hat configuration fix: edit the file /etc/init.d/ypbind and change the options line to:

... OTHER_YPBIND_OPTS="-no-ping" ...

This keeps ypbind from checking its network connection unnecessarily.


Red Hat GUI client configuration:

GUI tool: /usr/bin/system-config-authentication

Select the "Configure NIS ..." button:


NIS and system users:

User Administration:

Add a new user: (as root on NIS server)

  • useradd -g user-group user-id
    (or, also create home directory: useradd -m -g user-group user-id)
  • make -C /var/yp
    Updates local NIS databases.

Changing a password for a user: yppasswd -p user-id

User password management:

Users now change their passwords with the NIS password command yppasswd instead of passwd, which only affects the local password file. When using an NIS slave (described below), do not modify the password while logged into the NIS master.

Also see the YoLinux.com tutorial: Web CGI interface to manage NIS passwords.


NIS maintenance scripts:

Read NIS database files and generate traditional /etc/passwd and /etc/shadow files.

File: nis2pass

#!/bin/bash
# Rebuild traditional passwd and shadow files (in the current directory) from the
# NIS passwd.byname map; replace name-of-domain with the NIS domain name.
MAP=/var/yp/name-of-domain/passwd.byname
# makedbm -u prints "key value" lines: key = user name, value = the full passwd entry
# "user:hash:uid:gid:gecos:home:shell". Its YP_* housekeeping keys are filtered out.
/usr/lib/yp/makedbm -u "$MAP" | grep -v '^YP_' | awk -F':' '{split($1,userid," ");print userid[1] ":x:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' > passwd
# shadow: user, hash, then fixed aging fields (13539 = "last changed" in days since 1970-01-01).
/usr/lib/yp/makedbm -u "$MAP" | grep -v '^YP_' | awk -F':' '{split($1,userid," ");print userid[1] ":" $2 ":13539:0:99999:7:::"}' > shadow
                

Man pages:

  • makedbm - Create or dump a ypserv database file
    Example: makedbm -u dbname
  • getent - Get entries from administrative database
    Example: getent database [key ...]


Hostname resolution:

The predominant practice is to use DNS (bind) for hostname resolution. See the YoLinux DNS / Bind configuration tutorial.

NIS is capable of performing host name resolution, and so is LDAP.

Best Practice: Use DNS for general host resolution and use the local file /etc/hosts to resolve the host name of the NIS server. This improves performance, since resolving the NIS server's host name then does not require a network lookup.

Configuring a NIS client to use NIS for host name resolution:

File: /etc/nsswitch.conf

...
...

hosts: files nis

...
...
With this configuration the system looks up a host name in the file /etc/hosts first and then queries the NIS server.


Configuring an NIS Master - Slave failover server:

One can create a redundant failover slave server to improve network robustness. The NIS clients will be configured with an additional host in /etc/yp.conf.

Client File: /etc/yp.conf

domain name-of-domain server XXX.XXX.XXX.XXX
domain name-of-domain server ZZZ.ZZZ.ZZZ.ZZZ
                
Where XXX.XXX.XXX.XXX is the IP address of the NIS master server
and ZZZ.ZZZ.ZZZ.ZZZ is the IP address of the NIS slave server.

In addition, the NIS master and slave servers must arrange NIS database transfers so that they stay synchronized. The configuration of the NIS servers is the same as for the single master above, with the following additions and/or changes:

NIS Master:

  • NIS master file: /etc/ypservers
    host-name-of-nis-master
    host-name-of-nis-slave
                        
  • Edit NIS master Makefile to allow database push to slave: /var/yp/Makefile
    NOPUSH=false
  • After performing the NIS server procedures above, start the additional database transfer daemon:
    service ypxfrd start
  • Push configuration change notification to clients: yppush
    Perform this after updates to NIS master.
    yppush man page

NIS Slave:

  • /usr/lib/yp/ypinit -s nis-master-hostname: Configure the NIS server as a "slave NIS server" with the option "-s" and state the "master" from which the NIS database transfer will occur.
    Note: This is a change from the above single NIS master configuration.
  • Start the additional database transfer daemon: service ypxfrd start


Links:

Man pages:

  • nisdomainname - show or set the system's NIS/YP domain name
  • ypinit - NIS database install and build program
  • yppush - Push configuration change notification to clients
  • revnetgroup - Generate reverse netgroup data
  • ypserv - NIS server
  • ypxfr - Transfer NIS database from remote server to local host
  • yppoll - Return version and master server of a NIS map
  • ypset - Bind ypbind to a particular NIS server
  • ypcat - Print values of all keys in a NIS database
  • ypwhich - Return name of NIS server or map master
  • ypmatch - Print the values of one or more keys from a NIS map
  • yptest - Test NIS configuration
  • yppasswd - (Also: ypchfn, ypchsh) - Change NIS password in the NIS database
  • yppasswdd - NIS password update daemon
  • ypxfrd - NIS map transfer server for NIS master/slave servers
  • ypbind - NIS binding process
  • nscd - Name service cache daemon

Configuration Files:

  • /etc/yp.conf
  • /etc/ypserv.conf
  • /etc/netgroup
  • /etc/nscd.conf
  • /etc/nsswitch.conf
  • /var/yp/nicknames

Glossary:

  • NSS: Name Service Switch. The file /etc/nsswitch.conf determines the order in which lookups are performed.
  • RPC: Remote Procedure Call. RPC routines allow C programs to make procedure calls on other machines across the network.
  • YP: Yellow Pages(tm), a registered trademark in the UK of British Telecom plc, which forced Sun to rename it to NIS. The NIS commands retain the "yp" prefix.
  • HostName: The name of the computer system. This is typically configured using Linux OS installation.
  • Host Name Resolution: The lookup by a client to find the IP address given the host name so that it can create a network connection.


Books:

"NFS and NIS"
by Mike Eisler, Ricardo Labiaga, Hal Stern
Sams, ISBN# 1565925106

Copyright © 2007 by Greg Ippolito