Setup NIS environment in 1 Minute

One of the functions NIS provides is sharing user accounts across the network: accounts are created only on the master server and served to every client in the NIS domain. Behind the firewall, many companies run NIS servers that hold the user accounts; in conjunction with other utilities such as PowerBroker, sudo and autofs, NIS gives centralized user access management in a Unix environment.



In this quick setup, we download the Linux ypserv source code and compile/install it on a Linux server. We also set up a NIS client (Solaris 10) and configure autofs for each NIS user's home directory. Upon completion, user accounts created and stored on the NIS master server are propagated within the NIS domain. On a Solaris 10 client that has no local password entry for the account, the user can log in via NIS and have the home directory mounted by the automounter.


Cliff note: when working with other tools such as PowerBroker and Kerberos, NIS, with its netgroups set up properly, can be used as a powerful tool to manage group access to Unix resources (such as Unix servers, Samba shares, etc.).

(Note: in an enterprise environment, always use the binary supplied by your in-house engineering group; never download open-source code from the Internet and build it straight onto a production server.)


The Linux ypserv source can be found at http://www.linux-nis.org/nis/ypserv/index.html

Once you have downloaded the tarball, untar it and compile/install:

[root@ipc4 ypserv-2.19]# ./configure --prefix=/usr/local
checking for a BSD-compatible install... /usr/bin/install -c
...
[root@ipc4 ypserv-2.19]# make install
Making install in etc
...
[root@ipc4 ypserv-2.19]# make clean
Making clean in scripts
gmake[1]: Entering directory `/home/shan/ypserv-2.19/scripts'
...


Now, let's confirm that the new binaries were created in the /usr/local/sbin directory.
[root@ipc4 yp]# ls /usr/local/sbin
rpc.yppasswdd rpc.ypxfrd yppush ypserv


Manually start the ypserv, rpc.yppasswdd and rpc.ypxfrd daemons. You can create startup scripts in the /etc/rc.d/init.d/ directory and use the chkconfig/service utilities to control startup/shutdown.

Make sure the following RPC programs are registered with the portmapper (they register themselves when the daemons start) and that iptables allows the traffic through the Linux firewall. Two caveats: with sunrpc every port other than the portmapper's 111 is assigned dynamically at start time, so firewall rules written against the numbers below have to be refreshed after a restart unless the daemons are pinned to fixed ports; and ypserv answers any host that can reach it unless /var/yp/securenets restricts the client networks, so set that file up as well.

[root@ipc4 ypserv-2.19]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32769  status
    100004    2   udp    810  ypserv
    100004    1   udp    810  ypserv
    100004    2   tcp    813  ypserv
    100004    1   tcp    813  ypserv
    100009    1   udp    825  yppasswdd
 600100069    1   udp    830  fypxfrd
 600100069    1   tcp    832  fypxfrd
    100007    2   udp    749  ypbind
    100007    1   udp    749  ypbind
    100007    2   tcp    752  ypbind
    100007    1   tcp    752  ypbind
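Because the NIS ports above are dynamic, it is worth deriving the firewall rules from rpcinfo rather than hard-coding them. The script below is an added example, not part of the original page: it parses a constructed sample of rpcinfo -p output (modelled on the listing above) and emits iptables ACCEPT rules for the portmapper, ypserv, yppasswdd and fypxfrd, limited to one client subnet. The subnet 192.168.1.0/24 and the NIS_NET variable name are assumptions. On a real master, pipe the live rpcinfo -p output into nis_ports instead of the sample, and pair the rules with a /var/yp/securenets entry such as 255.255.255.0 192.168.1.0 so ypserv itself also refuses other networks.

```shell
#!/bin/sh
# Added example (not from the original page): derive the iptables rules a
# Linux NIS master needs from "rpcinfo -p" output, restricted to one subnet.
# NIS_NET is an assumed name/value; override it in the environment if needed.
NIS_NET=${NIS_NET:-192.168.1.0/24}

# Constructed sample of "rpcinfo -p" on the master (modelled on the page).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100004    2   udp    810  ypserv
    100004    1   udp    810  ypserv
    100004    2   tcp    813  ypserv
    100004    1   tcp    813  ypserv
    100009    1   udp    825  yppasswdd
 600100069    1   udp    830  fypxfrd
 600100069    1   tcp    832  fypxfrd
    100007    2   udp    749  ypbind'

# nis_ports RPCINFO_TEXT: print deduplicated "proto port" pairs for the
# services NIS clients and slaves must reach. The master's own ypbind and
# the NFS status daemon are deliberately left out.
nis_ports() {
    printf '%s\n' "$1" | awk '
        $5 == "portmapper" || $5 == "ypserv" || $5 == "yppasswdd" || $5 == "fypxfrd" {
            key = $3 " " $4
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# nis_iptables_rules RPCINFO_TEXT: one ACCEPT rule per proto/port, source
# limited to NIS_NET. These belong before the chain's default DROP/REJECT.
nis_iptables_rules() {
    nis_ports "$1" | while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' \
            "$NIS_NET" "$proto" "$port"
    done
}

nis_iptables_rules "$SAMPLE_RPCINFO"
```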




Now, let's configure a NIS master server. Note, the error below occurs
because there is no source file /etc/netgroup for the netgroup map.

[root@ipc4 yp]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which
will run NIS servers. ipc4.shanjing.com is in the list of NIS
server hosts. Please continue to add the names for the other
hosts, one per line. When you are done with the list, type
a <control D>.
next host to add: ipc4.shanjing.com
next host to add:
The current list of NIS servers looks like this:

ipc4.shanjing.com

Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/nis.shanjing.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/nis.shanjing.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
gmake[1]: *** No rule to make target `/etc/netgroup', needed by
`netgroup'. Stop.
gmake[1]: Leaving directory `/var/yp/nis.shanjing.com'
make: *** [target] Error 2
Error running Makefile.
Please try it by hand.



Let's create one. Each netgroup member is a (host,user,domain) triple, in that order; for a netgroup of users the host field is empty (-) and the user name is the second field, so the three groups below are unix_sa = shan, jeff; app1 = ryan, jeff; dba = grace, ryan:
[root@ipc4 ypserv-2.19]# cat /etc/netgroup
unix_sa (-,shan,) (-,jeff,)
app1    (-,ryan,) (-,jeff,)
dba     (-,grace,) (-,ryan,)
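Getting the triple order wrong silently produces a host netgroup instead of a user netgroup, and nothing in ypinit or make will complain. The script below is an added example, not part of the original page: it parses a constructed /etc/netgroup (the three groups above plus a nested group and a host group, added here to show both cases) and lists the users or hosts a netgroup resolves to, following nested netgroup names the way the NIS lookup does. Function names netgroup_users and netgroup_hosts are my own.

```shell
#!/bin/sh
# Added example (not from the original page): resolve /etc/netgroup entries
# written as (host,user,domain) triples, so a netgroup can be checked before
# the maps are built. Triples must be written without internal spaces.

# Constructed sample netgroup file: the page's three groups, plus a nested
# group and a host group to show that members may be other netgroup names.
SAMPLE_NETGROUP='unix_sa (-,shan,) (-,jeff,)
app1    (-,ryan,) (-,jeff,)
dba     (-,grace,) (-,ryan,)
# nested: members of staff are the members of the three groups above
staff   unix_sa app1 dba
hosts_app (web1,-,) (web2,-,)'

# netgroup_field NAME POS FILE_CONTENT: print the distinct non-empty, non "-"
# values of one triple position (1=host, 2=user, 3=domain) for NAME,
# recursing into nested netgroups (depth-limited to survive a cycle).
netgroup_field() {
    printf '%s\n' "$3" | awk -v want="$1" -v pos="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            name = $1; members[name] = ""
            for (i = 2; i <= NF; i++) members[name] = members[name] " " $i
        }
        END { expand(want, 0) }
        function expand(g, depth,    n, parts, i, m, t) {
            if (depth > 16 || !(g in members)) return   # cycle or unknown group
            n = split(members[g], parts, " ")
            for (i = 1; i <= n; i++) {
                m = parts[i]
                if (m ~ /^\(/) {                        # a (host,user,domain) triple
                    sub(/^\(/, "", m); sub(/\)$/, "", m)
                    split(m, t, ",")
                    if (t[pos] != "" && t[pos] != "-" && !(t[pos] in seen)) {
                        seen[t[pos]] = 1; print t[pos]
                    }
                } else {                                # a nested netgroup name
                    expand(m, depth + 1)
                }
            }
        }'
}

netgroup_users() { netgroup_field "$1" 2 "$2"; }
netgroup_hosts() { netgroup_field "$1" 1 "$2"; }

netgroup_users staff "$SAMPLE_NETGROUP"
```

Run it against the real file with netgroup_users dba "$(cat /etc/netgroup)" before running make in /var/yp; after the maps are built, ypcat -k netgroup.byuser should agree with it.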


Let's run ypinit again:

[root@ipc4 etc]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. ipc4.shanjing.com is in the list of NIS server hosts.
Please continue to add the names for the other hosts, one per line.
When you are done with the list, type a <control D>.
next host to add: ipc4.shanjing.com
next host to add:
next host to add:
The current list of NIS servers looks like this:

ipc4.shanjing.com


Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/nis.shanjing.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/nis.shanjing.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating netgroup...
Updating netgroup.byhost...
Updating netgroup.byuser...
Updating mail.aliases...
Updating shadow.byname... Ignored -> merged with passwd
Updating publickey.byname...
gmake[1]: Leaving directory `/var/yp/nis.shanjing.com'

ipc4.shanjing.com has been set up as a NIS master server.

Now you can run ypinit -s ipc4.shanjing.com on all slave server.


It looks good this time!

Let's create a user on the NIS master server:

[root@ipc4 nis.shanjing.com]# useradd -c"Ryan" -d /home/ryan -s /bin/ksh ryan
[root@ipc4 nis.shanjing.com]# passwd ryan
Changing password for user ryan.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


Update the NIS maps:

[root@ipc4 nis.shanjing.com]# cd /var/yp
[root@ipc4 yp]# make
gmake[1]: Entering directory `/var/yp/nis.shanjing.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating netid.byname...
Updating shadow.byname... Ignored -> merged with passwd
gmake[1]: Leaving directory `/var/yp/nis.shanjing.com'


Test the new user. Note that ypmatch returns the map entry with the MD5 password hash in it (the Linux /var/yp/Makefile merges shadow into the passwd map, which is what the "merged with passwd" line above means), while getent on the master consults the local files first and returns the shadowed "x":
[root@ipc4 yp]# ypmatch ryan passwd
ryan:$1$kgyaeE9C$JCw5AYddwDQmMgGtjN0zo.:502:502:Ryan:/home/ryan:/bin/ksh
[root@ipc4 yp]# getent passwd ryan
ryan:x:502:502:Ryan:/home/ryan:/bin/ksh

From the Solaris client (once it is bound to the domain as described below), ypcat -x lists the map nicknames and ypcat -k passwd dumps the entire map, hashes included, to any user on any bound host:
ryan@sun1:/home/ryan>ypcat -x
Use "passwd" for map "passwd.byname"
Use "group" for map "group.byname"
Use "project" for map "project.byname"
Use "networks" for map "networks.byaddr"
Use "hosts" for map "hosts.byname"
Use "ipnodes" for map "ipnodes.byname"
Use "protocols" for map "protocols.bynumber"
Use "services" for map "services.byname"
Use "aliases" for map "mail.aliases"
Use "ethers" for map "ethers.byname"
ryan@sun1:/home/ryan>ypcat -k passwd
nfsnobody nfsnobody:!!:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
grace grace:$1$hTYYKpqW$8Q950yPIt8Pp9udq/wptL.:503:503::/home/grace:/bin/bash
ryan ryan:$1$kgyaeE9C$JCw5AYddwDQmMgGtjN0zo.:502:502:Ryan:/home/ryan:/bin/ksh
jeff jeff:$1$ny7ZjDpL$yBUG7DBQNTVlB97fqsu38/:501:501::/home/jeff:/bin/bash
shan shan:$1$78sSi/vv$kHm3SjQ1xiuQsdz/QLNrg1:500:500:shanjing:/home/shan:/bin/bash
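That ypcat output is exactly what an attacker on the same network sees, so it pays to audit the map the same way before handing it to clients. The script below is an added example, not part of the original page: it runs over a constructed passwd map (modelled on the listing above, with made-up hash strings plus two deliberately bad entries, a uid 0 account and an account with an empty password field) and reports the entries that matter: empty passwords, uid 0 hashes, and crackable hash types. The audit_nis_passwd function name and severity labels are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a NIS passwd map as
# served by ypserv (shadow merged into passwd), flagging what an attacker who
# can run "ypcat passwd" against the domain would go after first.

# Constructed sample map; hashes are placeholders, oldadmin and svc are
# deliberately bad entries added to exercise the checks.
SAMPLE_MAP='nfsnobody:!!:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
grace:$1$hTYYKpqW$8Q950yPIt8Pp9udq/wptL.:503:503::/home/grace:/bin/bash
ryan:$1$kgyaeE9C$JCw5AYddwDQmMgGtjN0zo.:502:502:Ryan:/home/ryan:/bin/ksh
jeff:$1$ny7ZjDpL$yBUG7DBQNTVlB97fqsu38/:501:501::/home/jeff:/bin/bash
shan:$1$78sSi/vv$kHm3SjQ1xiuQsdz/QLNrg1:500:500:shanjing:/home/shan:/bin/bash
oldadmin:$1$abcdefgh$ijklmnopqrstuvwxyz0123:0:0:legacy root:/root:/bin/sh
svc::600:600:service account:/var/svc:/bin/sh'

# audit_nis_passwd MAP_TEXT: one finding per line, "SEVERITY user reason".
# Locked accounts (password field starting with ! or *) are not reported:
# there is nothing in them to crack.
audit_nis_passwd() {
    printf '%s\n' "$1" | awk -F: '
        NF < 7 { next }
        {
            user = $1; pw = $2; uid = $3
            if (pw == "")
                print "CRIT " user " empty password field: login without a password"
            else if (pw ~ /^[!*]/)
                next
            else if (uid == 0)
                print "CRIT " user " uid 0 account with its hash served over NIS"
            else if (pw ~ /^\$1\$/)
                print "WARN " user " md5crypt hash exposed to every NIS client"
            else if (pw ~ /^\$(5|6)\$/)
                print "WARN " user " sha-crypt hash exposed to every NIS client"
            else if (length(pw) == 13)
                print "WARN " user " traditional DES crypt hash (fast to brute-force)"
            else
                print "INFO " user " unrecognised password field"
        }'
}

audit_nis_passwd "$SAMPLE_MAP"
```

On a live domain, run audit_nis_passwd "$(ypcat passwd)" from any client; anything reported as CRIT should be fixed on the master before the map is pushed, and WARN lines are the reason privileged accounts should not live in NIS at all.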




Setup a NIS client (Solaris 10)

1. Set the domain name and enter the NIS server info:

root@sun1:/root>domainname nis.shanjing.com
root@sun1:/root>domainname
nis.shanjing.com
root@sun1:/root>echo "nis.shanjing.com" > /etc/defaultdomain
root@sun1:/root>echo "192.168.1.104 ipc4.shanjing.com" >> /etc/hosts


2. Set up the NIS client (this is for Solaris 10; Linux and AIX client setups are slightly different):

root@sun1:/root>ypinit -c

In order for NIS to operate successfully, we have to construct a list of the
NIS servers. Please continue to add the names for YP servers in order of
preference, one per line. When you are done with the list, type a <control D>
or a return on a line by itself.
next host to add: ipc4.shanjing.com
next host to add: ^D
The current list of yp servers looks like this:

ipc4.shanjing.com

Is this correct? [y/n: y] y

3. Edit the ypbind startup method so that ypbind never falls back to broadcast. The stock /lib/svc/method/yp runs ypbind -broadcast when /var/yp/binding/$domain/ypservers is missing, which lets any host on the LAN answer as the NIS server; the edit below uses -ypsetme in both branches instead, so only root on the local host can ypset a different server. With the ypservers file written by ypinit -c in place, plain ypbind with no option is stricter still, since it refuses ypset entirely.


root@sun1:/root>vi /lib/svc/method/yp


if [ -f /var/yp/binding/$domain/ypservers ]; then
$YPDIR/ypbind -ypsetme > /dev/null 2>&1
else
$YPDIR/ypbind -ypsetme > /dev/null 2>&1
fi


4. Enable the client service and confirm ypbind is running:

root@sun1:/root>svcadm enable svc:/network/nis/client:default


root@sun1:/root>svcs -l svc:/network/nis/client:default
fmri svc:/network/nis/client:default
name NIS (YP) client
enabled true
state online
next_state none
state_time Wed Sep 30 12:09:40 2009
logfile /var/svc/log/network-nis-client:default.log
restarter svc:/system/svc/restarter:default
contract_id 109
dependency require_all/none svc:/system/filesystem/minimal (online)
dependency require_all/restart svc:/network/rpc/bind (online)
dependency require_all/none svc:/system/identity:domain (online)
dependency optional_all/none svc:/network/nis/server (disabled)


root@sun1:/root>ps -ef | egrep ypbind
root 1094 1 0 12:09:41 ? 0:00 /usr/lib/netsvc/yp/ypbind -ypsetme

5. Restrict General NIS Login Access

Add the following catch-all line at the end of /etc/passwd. It pulls in every NIS account that no earlier entry matched, but with the shell field overridden to /bin/false, so NIS users cannot log in on this host unless a +@netgroup entry placed above it grants them a real shell:

+::::::/bin/false

Add the matching catch-all at the end of /etc/shadow. The x in the password field overrides the NIS hash with a value no password will match, so the accounts caught by this line have neither a usable shell nor a usable password:

+:x:::::::

6. Update the switch file. The passwd database must be "compat" for the +/- entries above to be honoured; the other databases use files first, then NIS.


root@sun1:/root>cp /etc/nsswitch.conf /etc/nsswitch.conf.bak

root@sun1:/root>vi /etc/nsswitch.conf
passwd: compat
group: files nis
hosts: files dns nis
networks: files nis
protocols: files nis
rpc: files nis
ethers: files nis
netmasks: files nis
publickey: files nis
netgroup: files nis
automount: files nis
services: files nis

Now we set up autofs on the Solaris client. In this example, all NIS users' home directories live under sun1:/export/home and are mounted on /home/<user> via the auto_home map.



ryan@sun1:/home/ryan>cat /etc/auto_master
+auto_master
/net -hosts -nosuid,nobrowse
/home auto_home -nobrowse

ryan@sun1:/home/ryan>cat /etc/auto_home
+auto_home
* sun1:/export/home/&


Finally, to allow a NIS user (or a group of NIS users) onto a server, we add +@netgroup entries for the appropriate netgroups (in this example, app1 and dba) to the target Solaris server's /etc/passwd and /etc/shadow, above the catch-all + line: compat lookups take the first matching entry, so a netgroup entry placed below the catch-all would never be reached.
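The order of those entries is the whole access control, and it is easy to get backwards. The script below is an added example, not part of the original page: it models the documented compat rules (the first matching /etc/passwd entry wins; a +@netgroup line matches only members of that netgroup; a bare + line matches every NIS user; non-empty fields in a + entry override the NIS value) against a constructed /etc/passwd, a constructed NIS passwd map and constructed netgroup membership, and reports the shell a given user would end up with. It also shows the misordered file, where the catch-all comes first and blocks the app1 members it was meant to let through. The compat_shell function and the sample data are mine; the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): simulate a Solaris
# "passwd: compat" lookup against the +/+@ entries in /etc/passwd, to check
# that the catch-all "+::::::/bin/false" blocks everyone a netgroup does not
# admit. All three inputs are constructed samples.

# Correctly ordered /etc/passwd: netgroup grants first, catch-all last.
SAMPLE_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
+@app1::::::
+@dba::::::
+::::::/bin/false'

# Misordered: the catch-all comes before the grant, so it wins for everyone.
BAD_PASSWD='root:x:0:0:Super-User:/:/sbin/sh
+::::::/bin/false
+@app1::::::'

# NIS passwd map and netgroup membership (placeholder hashes).
SAMPLE_NIS='ryan:$1$x$y:502:502:Ryan:/home/ryan:/bin/ksh
grace:$1$x$y:503:503::/home/grace:/bin/bash
shan:$1$x$y:500:500:shanjing:/home/shan:/bin/bash'
SAMPLE_NETGROUPS='app1 ryan jeff
dba grace ryan'

# compat_shell USER PASSWD_TEXT: print the shell USER resolves to, or NONE.
compat_shell() {
    printf '%s\n' "$2" | awk -F: -v user="$1" -v nis="$SAMPLE_NIS" -v ngs="$SAMPLE_NETGROUPS" '
        BEGIN {
            # index the NIS map by user, and netgroup membership by (group,user)
            n = split(nis, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, ":"); nisshell[f[1]] = f[7] }
            n = split(ngs, lines, "\n")
            for (i = 1; i <= n; i++) {
                m = split(lines[i], f, " ")
                for (j = 2; j <= m; j++) member[f[1], f[j]] = 1
            }
        }
        # a local entry for the user wins outright
        $1 == user { print $7; found = 1; exit }
        # "+" matches any NIS user; "+@ng" only members of ng. A non-empty
        # shell field in the + entry overrides the shell from the NIS map.
        $1 == "+" || (substr($1, 1, 2) == "+@" && ((substr($1, 3), user) in member)) {
            if (!(user in nisshell)) next
            print ($7 != "" ? $7 : nisshell[user]); found = 1; exit
        }
        END { if (!found) print "NONE" }'
}

compat_shell ryan "$SAMPLE_PASSWD"
compat_shell ryan "$BAD_PASSWD"
```

The same ordering applies to the +@netgroup lines in /etc/shadow (eight colons instead of six), which must sit above the +:x::::::: catch-all for the same reason.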

Test a NIS user login from the Solaris client:

root@sun1:/var/adm>su - ryan
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
ryan@sun1:/home/ryan>pwd

ryan@sun1:/home/ryan>df -k | grep ryan
/export/home/ryan 6554797 3196550 3292700 50% /home/ryan


========================
One of the biggest shortcomings of NIS is that it neither encrypts nor authenticates the traffic between servers and clients: the passwd map, hashes included, can be read by any host that can reach ypserv, and a client will bind to whichever server answers unless it is pinned to known servers. This is why NIS is recommended only for managing non-privileged accounts, with tools such as PowerBroker used alongside it to restrict privileged access.