This document tries to answer questions about setting up NIS(YP) and NIS+ on your Linux machine. Don't forget to read Section 5.
The NIS-Howto is edited and maintained by Thorsten Kukuk, <kukuk@suse.de>
The primary source of the information for the initial NIS-Howto was from:

    Andrea Dell'Amico <adellam@ZIA.ms.it>
    Mitchum DSouza <Mitch.DSouza@NetComm.IE>
    Erwin Embsen <erwin@nioz.nl>
    Peter Eriksson <peter@ifm.liu.se>

who we should thank for writing the first versions of this document.
You can always view the latest version of this document on the World Wide Web via the URL http://www.linux-nis.org/nis-howto/HOWTO/NIS-HOWTO.html.
New versions of this document will also be uploaded to various Linux WWW and FTP sites, including the LDP home page.
Links to translations of this document can be found at http://www.linux-nis.org/nis-howto/.
If you have questions or comments about this document, please feel free to mail Thorsten Kukuk, at kukuk@linux-nis.org. I welcome any suggestions or criticisms. If you find a mistake with this document, please let me know so I can correct it in the next version. Thanks.
Please do not mail me questions about special problems with your Linux Distribution! I don't know every Linux Distribution. But I will try to add every solution you send me.
    Byron A Jeff <byron@cc.gatech.edu>
    Markus Rex <msrex@suse.de>
    Miquel van Smoorenburg <miquels@cistron.nl>
    Dan York <dyork@lodestar2.com>
    Christoffer Bromberg <christoffer@web.de>
DBM  DataBase Management, a library of functions which maintain key-content pairs in a data base.

DLL  Dynamically Linked Library, a library linked to an executable program at run-time.

FTP  File Transfer Protocol, a protocol used to transfer files between two computers.

YP   Yellow Pages(tm), a registered trademark in the UK of British Telecom plc.
The next four lines are quoted from the Sun(tm) System & Network Administration Manual:

    "NIS was formerly known as Sun Yellow Pages (YP) but the name Yellow
    Pages(tm) is a registered trademark in the United Kingdom of British
    Telecom plc and may not be used without permission."
If, for example, your password entry is recorded in the NIS passwd database, you will be able to login on all machines on the network which have the NIS client programs running.
Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.
Since RPC servers could be started by inetd(8), portmap should be running before inetd is started.
    #
    # Time service is used for clock synchronization.
    #
    time    stream  tcp     nowait  root    internal
    time    dgram   udp     wait    root    internal
IMPORTANT: Don't forget to restart inetd after changing its configuration file!
To answer this question you have to consider two cases:
In the first case, you only need the client programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The most important program is ypbind. This program must be running at all times, which means it should always appear in the list of processes. It is a daemon process and needs to be started from the system's startup file (e.g. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running, your system has become a NIS client.
In the second case, if you don't have NIS servers, then you will also need a NIS server program (usually called ypserv). Section 9 describes how to set up a NIS server on your Linux machine using the ypserv daemon.
    Site              Directory                   File Name
    ftp.kernel.org    /pub/linux/utils/net/NIS    yp-tools-2.7.tar.gz
    ftp.kernel.org    /pub/linux/utils/net/NIS    ypbind-mt-1.12.tar.gz
    ftp.kernel.org    /pub/linux/utils/net/NIS    ypbind-3.3.tar.gz
    ftp.kernel.org    /pub/linux/utils/net/NIS    ypbind-3.3-glibc5.diff.gz
    ypserver 10.10.0.1
    ypserver 10.0.100.8
    ypserver 10.3.1.1
Make sure you have your YP-domain name set. If it is not set then issue the command:
    /bin/domainname nis.domain
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100007    2   udp    637  ypbind
        100007    2   tcp    639  ypbind
       program vers proto   port
        100000    2   tcp    111  portmapper
        100000    2   udp    111  portmapper
        100007    2   udp    758  ypbind
        100007    1   udp    758  ypbind
        100007    2   tcp    761  ypbind
        100007    1   tcp    761  ypbind
You may also run rpcinfo -u localhost ypbind. This command should produce something like:
    program 100007 version 2 ready and waiting
    program 100007 version 1 ready and waiting
    program 100007 version 2 ready and waiting
At this point you should be able to use NIS client programs like ypcat, etc. For example, ypcat passwd.byname will give you the entire NIS password database.
IMPORTANT: If you skipped the test procedure, then make sure you have set the domain name and created the directory

    /var/yp

This directory MUST exist for ypbind to start up successfully.
To check if the domainname is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is more strict. For example, it does not allow the "(none)" domainname, which is the default under Linux and causes a lot of problems.
If the test worked, you may now want to change your startup files so that ypbind will be started at boot time and your system will act as a NIS client. Make sure that the domainname is set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see if ypbind is actually started.
Add the following line to /etc/passwd on your NIS clients:
    +::::::
    +miquels:::::::
    +ed:::::::
    +dth:::::::
    +@sysadmins:::::::
    -ftp
    +:*::::::/etc/NoShell
    sysadmins (-,software,) (-,kukuk,)
You should install ypbind. It isn't needed by the libc, but the NIS(YP) tools need it.
    hosts: files nis dns
A good /etc/nsswitch.conf file for NIS is:
    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the /var/db databases
    #       [NOTFOUND=return]       Stop searching if not found so far
    #

    passwd:         compat
    group:          compat
    # For libc5, you must use shadow: files nis
    shadow:         compat

    passwd_compat:  nis
    group_compat:   nis
    shadow_compat:  nis

    hosts:          nis files dns

    services:       nis [NOTFOUND=return] files
    networks:       nis [NOTFOUND=return] files
    protocols:      nis [NOTFOUND=return] files
    rpc:            nis [NOTFOUND=return] files
    ethers:         nis [NOTFOUND=return] files
    netmasks:       nis [NOTFOUND=return] files
    netgroup:       nis
    bootparams:     nis [NOTFOUND=return] files
    publickey:      nis [NOTFOUND=return] files
    automount:      files
    aliases:        nis [NOTFOUND=return] files
An example /etc/pam.d/login file looks like:
    #%PAM-1.0
    auth     requisite  pam_unix2.so      nullok #set_secrpc
    auth     required   pam_securetty.so
    auth     required   pam_nologin.so
    auth     required   pam_env.so
    auth     required   pam_mail.so
    account  required   pam_unix2.so
    password required   pam_pwcheck.so    nullok
    password required   pam_unix2.so      nullok use_first_pass use_authtok
    session  required   pam_unix2.so      none # debug or trace
    session  required   pam_limits.so
The NIS+ client software can be obtained from:
    Site              Directory                    File Name
    ftp.gnu.org       /pub/gnu/glibc               glibc-2.2.5.tar.gz,
                                                   glibc-linuxthreads-2.2.5.tar.gz
    ftp.kernel.org    /pub/linux/utils/net/NIS+    nis-utils-1.4.1.tar.gz
You should also have a look at http://www.linux-nis.org/nisplus/ for more information and the latest sources.
    domainname nisplus.domain.
    nisinit -c -H <NIS+ server>
    keylogin -r
niscat passwd.org_dir should now show you all entries in the passwd database.
    #%PAM-1.0
    auth     required  /lib/security/pam_securetty.so
    auth     required  /lib/security/pam_unix2.so set_secrpc
    auth     required  /lib/security/pam_nologin.so
    account  required  /lib/security/pam_unix2.so
    password required  /lib/security/pam_unix2.so
    session  required  /lib/security/pam_unix2.so
    hosts: files nisplus dns
A good /etc/nsswitch.conf file for NIS+ is:
    #
    # /etc/nsswitch.conf
    #
    # An example Name Service Switch config file. This file should be
    # sorted with the most-used services at the beginning.
    #
    # The entry '[NOTFOUND=return]' means that the search for an
    # entry should stop if the search in the previous entry turned
    # up nothing. Note that if the search failed due to some other reason
    # (like no NIS server responding) then the search continues with the
    # next entry.
    #
    # Legal entries are:
    #
    #       nisplus                 Use NIS+ (NIS version 3)
    #       nis                     Use NIS (NIS version 2), also called YP
    #       dns                     Use DNS (Domain Name Service)
    #       files                   Use the local files
    #       db                      Use the /var/db databases
    #       [NOTFOUND=return]       Stop searching if not found so far
    #

    passwd:         compat
    group:          compat
    shadow:         compat

    passwd_compat:  nisplus
    group_compat:   nisplus
    shadow_compat:  nisplus

    hosts:          nisplus files dns

    services:       nisplus [NOTFOUND=return] files
    networks:       nisplus [NOTFOUND=return] files
    protocols:      nisplus [NOTFOUND=return] files
    rpc:            nisplus [NOTFOUND=return] files
    ethers:         nisplus [NOTFOUND=return] files
    netmasks:       nisplus [NOTFOUND=return] files
    netgroup:       nisplus
    bootparams:     nisplus [NOTFOUND=return] files
    publickey:      nisplus
    automount:      files
    aliases:        nisplus [NOTFOUND=return] files
This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
    Site              Directory                   File Name
    ftp.kernel.org    /pub/linux/utils/net/NIS    ypserv-2.4.tar.gz
    ftp.kernel.org    /pub/linux/utils/net/NIS    ypserv-2.4.tar.bz2
You could also look at http://www.linux-nis.org/nis/ for more information.
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and makedbm programs. ypserv-2.x only supports the securenets file for access restrictions.
If you run your server as master, determine which files you require to be available via NIS and then add or remove the appropriate entries in the "all" rule in /var/yp/Makefile. You should always look at the Makefile and edit the options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached. This means you always have to call makedbm with the -c option when you create new maps. Make sure you are using the new /var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in the Makefile. If you don't do that, ypserv will continue to use the old maps and not the updated ones.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command
    % rpcinfo -u localhost ypserv
should output something like
    program 100004 version 1 ready and waiting
    program 100004 version 2 ready and waiting
The "version 1" line could be missing, depending on the ypserv version and configuration you are using. It is only necessary if you have old SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run
    % /usr/lib/yp/ypinit -m
On a slave, make sure that ypwhich -m works. This means that your slave must be configured as a NIS client before you can run
    % /usr/lib/yp/ypinit -s masterhost
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map if the source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a map.
You might want to edit root's crontab *on the slave* server and add the following lines:
    20 *    * * *   /usr/lib/yp/ypxfr_1perhour
    40 6    * * *   /usr/lib/yp/ypxfr_1perday
    55 6,18 * * *   /usr/lib/yp/ypxfr_2perday
You can add a slave at any time later. First, make sure that the new slave server has permission to contact the NIS master. Then run
    % /usr/lib/yp/ypinit -s masterhost
If you want to restrict access for users to your NIS server, you'll have to set up the NIS server as a client as well, by running ypbind and adding the plus entries to /etc/passwd halfway through the password file. The library functions will ignore all normal entries after the first NIS entry and will get the rest of the information through NIS. This way the NIS access rules are maintained. An example:
    root:x:0:0:root:/root:/bin/bash
    daemon:*:1:1:daemon:/usr/sbin:
    bin:*:2:2:bin:/bin:
    sys:*:3:3:sys:/dev:
    sync:*:4:100:sync:/bin:/bin/sync
    games:*:5:100:games:/usr/games:
    man:*:6:100:man:/var/catman:
    lp:*:7:7:lp:/var/spool/lpd:
    mail:*:8:8:mail:/var/spool/mail:
    news:*:9:9:news:/var/spool/news:
    uucp:*:10:50:uucp:/var/spool/uucp:
    nobody:*:65534:65534:noone at all,,,,:/dev/null:
    +miquels::::::
    +:*:::::/etc/NoShell
    [ All normal users AFTER this line! ]
    tester:*:299:10:Just a test account:/tmp:
    miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels will have normal access.
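As an added illustration (not part of the HOWTO), the following Python sketch models how the glibc compat passwd lookup walks such a file: plain entries before the plus lines are local, -user and -@netgroup entries deny, and the first matching + entry hands the lookup to NIS, with non-empty fields on the + line overriding the NIS values. NIS_PASSWD, NETGROUPS and LOCAL_PASSWD are constructed samples mirroring the entries shown above.

```python
# Added example, not from the HOWTO: models how the glibc "compat" passwd lookup
# walks /etc/passwd with +/- NIS escape entries. All data below is constructed.
NIS_PASSWD = {  # stand-in for the NIS passwd.byname map
    "tester": "tester:x:299:10:Just a test account:/tmp:/bin/sh",
    "miquels": "miquels:x:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh",
    "kukuk": "kukuk:x:500:100:Thorsten Kukuk:/home/kukuk:/bin/bash",
}
NETGROUPS = {"sysadmins": {"software", "kukuk"}}  # stand-in for the netgroup map

# Local /etc/passwd: every ordinary user listed AFTER the '+' lines is shadowed
# by the NIS answer, which is the effect the HOWTO relies on.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+miquels::::::
+@sysadmins::::::
-ftp
+:*:::::/etc/NoShell
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
"""
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

def _selects(selector, name):
    """Does a +/- selector ('' = everyone, 'user', or '@netgroup') match?"""
    if selector.startswith("@"):
        return name in NETGROUPS.get(selector[1:], ())
    return selector in ("", name)

def compat_getpwnam(name, local=LOCAL_PASSWD):
    """Return the passwd fields for `name` as a dict, or None if not found."""
    for line in local.splitlines():
        fields = (line.split(":") + [""] * 7)[:7]
        key = fields[0]
        if key.startswith("-"):                 # -user / -@netgroup: deny
            if _selects(key[1:], name):
                return None
        elif key.startswith("+"):               # +user / +@netgroup / +: ask NIS
            if not _selects(key[1:], name):
                continue
            nis = NIS_PASSWD.get(name)
            if nis is None:                     # not in NIS: the lookup ends here
                return None
            entry = dict(zip(FIELDS, nis.split(":")))
            for f in ("passwd", "gecos", "dir", "shell"):
                if fields[FIELDS.index(f)]:     # non-empty '+' fields override NIS
                    entry[f] = fields[FIELDS.index(f)]
            return entry
        elif key == name:                       # ordinary local entry
            return dict(zip(FIELDS, fields))
    return None
```

Running compat_getpwnam("tester") yields the NIS account with its shell replaced by /etc/NoShell, while "miquels" is matched by the explicit +miquels line and keeps /bin/zsh.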
Alternatively, you could edit the /var/yp/Makefile and set NIS to use another source password file. On large systems the NIS password and group files are usually stored in /etc/yp/. If you do this, the normal tools for administering the password file, such as passwd, chfn and adduser, will no longer work, and you will need special home-made tools for this.
However, yppasswd, ypchsh and ypchfn will work of course.
The "yps" NIS server software can be found on:
    Site                  Directory                   File Name
    ftp.lysator.liu.se    /pub/NYS/servers            yps-0.21.tar.gz
    ftp.kernel.org        /pub/linux/utils/net/NIS    yps-0.21.tar.gz
    rpc.yppasswdd -D /etc/yp -e chsh
    rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh
    % ypcat passwd
should give you the contents of your NIS passwd file. The command
    % ypmatch userid passwd
If a user cannot log in, run the following program on the client:
    #include <stdio.h>
    #include <stdlib.h>      /* exit() */
    #include <pwd.h>
    #include <sys/types.h>

    /* Look up one user through the normal libc getpwnam() path, so the
       result reflects /etc/passwd, nsswitch.conf and NIS together. */
    int main(int argc, char *argv[])
    {
        struct passwd *pwd;

        if (argc != 2) {
            fprintf(stderr, "Usage: getwpnam username\n");
            exit(1);
        }

        pwd = getpwnam(argv[1]);
        if (pwd != NULL) {
            printf("name.....: [%s]\n", pwd->pw_name);
            printf("password.: [%s]\n", pwd->pw_passwd);
            printf("user id..: [%lu]\n", (unsigned long) pwd->pw_uid);
            printf("group id.: [%lu]\n", (unsigned long) pwd->pw_gid);
            printf("gecos....: [%s]\n", pwd->pw_gecos);
            printf("directory: [%s]\n", pwd->pw_dir);
            printf("shell....: [%s]\n", pwd->pw_shell);
        } else
            fprintf(stderr, "User \"%s\" not found!\n", argv[1]);
        exit(0);
    }
    getent passwd
    getent passwd login
The initial NIS maps will be created by running
    % /usr/lib/yp/ypinit -m
This is done when setting up the NIS master server for the first time. For more information about this, read Section 9. If you wish to add new maps to your server or remove old ones, you need to edit /var/yp/Makefile and change the all: rule. Add or remove the name of the rule which generates the map.
If you delete a map, you also have to remove the corresponding files.
After this change, you only need to run
    % make -C /var/yp
and the maps should be created.
    DBLOAD = $(YPBINDIR)/makedbm -c -m `$(YPBINDIR)/yphelper --hostname` --no-limit-check
There is another way of solving this problem for /etc/group entries. This idea is from Ken Cameron:
1. Break the entry into more than one line and name each group slightly different.
2. Keep the GID the same for all.
3. Have the first entry with the right group name and the GID. I don't put any user names in this one.

What happens is that going by user name you pick up the GID when the code reads it. Then going the other way it stops after the first match of GID and takes that name. It's ugly but works!
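The three steps above as code, added here as an illustration and not taken from the HOWTO or from Ken Cameron: split_group() breaks an over-long /etc/group line into several lines that share one GID, and the two lookup helpers show why both directions still resolve. The size limit is a parameter; the sample line and the 32-byte limit are constructed.

```python
# Added example, not from the HOWTO: Ken Cameron's /etc/group workaround as code.
# `limit` is the largest line the map may hold; the sample values are constructed.
def split_group(line, limit):
    """Split 'name:passwd:gid:members' so every returned line fits `limit`."""
    line = line.rstrip("\n")
    if len(line) <= limit:
        return [line]                               # short enough: leave it alone
    name, passwd, gid, members = line.split(":", 3)
    out = [f"{name}:{passwd}:{gid}:"]               # step 3: real name, no members
    chunk, index = [], 1
    for user in [u for u in members.split(",") if u]:
        trial = f"{name}_{index}:{passwd}:{gid}:{','.join(chunk + [user])}"
        if len(trial) > limit and chunk:            # flush before overflowing
            out.append(f"{name}_{index}:{passwd}:{gid}:{','.join(chunk)}")
            index, chunk = index + 1, []
        chunk.append(user)                          # steps 1+2: new name, same GID
    if chunk:
        out.append(f"{name}_{index}:{passwd}:{gid}:{','.join(chunk)}")
    return out

def gid_to_name(lines, gid):
    """getgrgid-style lookup: the first line carrying this GID wins."""
    for fields in (l.split(":") for l in lines):
        if fields[2] == gid:
            return fields[0]
    return None

def groups_of(lines, user):
    """initgroups-style lookup: every GID whose member list names the user."""
    return {f[2] for f in (l.split(":") for l in lines) if user in f[3].split(",")}

# Constructed sample: 49 bytes, too long for a 32-byte limit.
SAMPLE = "developers:x:1000:alice,bob,carol,dave,erin,frank"
SPLIT = split_group(SAMPLE, 32)
```

With the sample, SPLIT holds four lines: the bare developers entry followed by developers_1, developers_2 and developers_3 carrying the members, all with GID 1000.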
    /etc/defaultdomain
However, most Linux distributions do not seem to use this file.
Caldera uses the file /etc/nis.conf which has the same format as the normal /etc/yp.conf.
Create or modify the variable NISDOMAIN in the file /etc/sysconfig/network.
Here are some common problems reported by various users:
The libraries for 4.5.19 are broken. NIS won't work with it.
When a NIS server goes down and comes up again ypbind starts complaining with messages like:
    yp_match: clnt_call: RPC: Unable to receive; errno = Connection refused