Using Network Information Service (NIS)
Network Information Service (NIS) was developed by Sun Microsystems as a way to share information among all computers in a local area network. The types of information NIS most commonly serves include the following:
- User names and passwords from files such as /etc/passwd and /etc/shadow
- Group information from the /etc/group file
Normally, each system has its own copy of information in respective files, and any changes require updating the files on each system individually. Using NIS, you can maintain a single set of configuration files for a collection of computers in an NIS server. All other computers running NIS clients can then access the files. For example, if your user name and password are in the NIS password database, you will be able to log in on all computers on the network running NIS client programs.
The next few sections describe how to set up your CentOS Linux system as an NIS client and as an NIS server.
Setting up an NIS Client
If your network uses NIS centrally to administer users and passwords, you can set up your CentOS Linux PC as an NIS client. In fact, when you install CentOS Linux from this book's companion CD-ROMs, you can enable NIS from the Authentication Configuration screen in the GUI installer.
Cross Ref: During CentOS Linux installation (see Chapter 2 for details), the Authentication Configuration screen shows you a number of different options for authenticating users, the default being shadow passwords and MD5 password hashes (both discussed in Chapter 22). One of these options is a button labeled Enable NIS. You can click this button to set up your CentOS Linux PC as an NIS client. Of course, you should do this only if your network already has an NIS server.
If you do select the Enable NIS option, you have to provide the following information:
- The NIS domain name. The domain name refers to the group of computers the NIS server serves.
- The name of the NIS server.
- Whether or not you want your PC to use IP broadcast to find NIS servers in the local network.
If you did not configure your system as an NIS client during CentOS Linux installation, you can do so by performing the following tasks:
- Define your NIS domain name.
- Set up the NIS configuration file (/etc/yp.conf). In this file, you specify the master and slave NIS servers that provide NIS maps to your CentOS Linux PC.
- Configure the NIS client daemon, ypbind, to start when your system boots.
The next three sections show you how to perform these tasks.
Setting the NIS Domain Name
The NIS domain name identifies the group of computers that a particular NIS server supports. You can set the NIS domain name of your system by using the domainname command. For example, to set your NIS domain name to admin, log in as root and type the following at the shell prompt:
domainname admin
If you type domainname without any arguments, the command prints the current NIS domain name. A name set this way is lost at the next reboot; on CentOS the ypbind startup script reads it from the NISDOMAIN variable in /etc/sysconfig/network, so add a line such as NISDOMAIN=admin there as well. Keep in mind that the domain name is not a credential: any host that knows it and passes the server's access controls can request the maps, so an obscure name provides no protection.
Preparing the /etc/yp.conf File
The ypbind daemon, described in the next section, needs information about the NIS domains and NIS servers to do its job. It finds this information in the /etc/yp.conf configuration file. The ypbind daemon reads the /etc/yp.conf file when it starts up or when it receives the SIGHUP signal (for example, when you tell the running ypbind to reread its configuration with killall -HUP ypbind; plain kill expects a process ID, not a name).
To specify one or more NIS servers for the local domain (which you have already set with the domainname command), all you need in /etc/yp.conf are lines such as the following:
ypserver nisadmin
ypserver 192.168.0.7
You can use a name such as nisadmin if that name is listed in the /etc/hosts file (that way, ypbind can resolve the name into an IP address without having to use NIS). Otherwise, you should specify the NIS server's IP address.
In /etc/yp.conf, you can also specify particular NIS servers for particular NIS domains, like this:
domain sales server nissales
domain admin server nisadmin
A third type of entry in the /etc/yp.conf file specifies that ypbind should use IP broadcast in the local network to find an NIS server for a specified domain. To do this, add a line such as the following to /etc/yp.conf:
domain admin broadcast
Broadcast binding is convenient but trusts whichever host answers first: any machine on the local network that runs an NIS server for that domain name can be picked as the source of your password and group maps. On a network you do not fully control, list the servers explicitly instead.
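As an added example (not part of the book, and not part of ypbind itself), here is a small shell check that reads a yp.conf together with a hosts file and reports the two things worth catching before ypbind starts: broadcast bindings, and server names that cannot be resolved without NIS. The function name yp_conf_check and the sample files it is run against are constructed for this illustration.

```shell
#!/bin/sh
# Sanity-check an /etc/yp.conf before handing it to ypbind.
# Added example, not from the book: flags "broadcast" bindings (any host on
# the LAN that answers the broadcast can pose as the NIS server) and server
# names that are not resolvable from the hosts file (ypbind cannot use NIS to
# find NIS). Hypothetical helper; the sample files below are constructed.

# yp_conf_check <yp.conf> <hosts file>   -> exit 0 if clean, 1 otherwise
yp_conf_check() {
    conf=$1 hosts=$2 bad=0
    while read -r kw a b c || [ -n "$kw" ]; do
        case $kw in ''|'#'*) continue ;; esac
        case "$kw $a $b $c" in
            "ypserver "*)            server=$a ;;   # ypserver HOST
            "domain "*" broadcast "*)               # domain D broadcast
                echo "WARN: domain '$a' binds by broadcast; any responder is trusted"
                bad=1; continue ;;
            "domain "*" server "*)   server=$c ;;   # domain D server HOST
            *)  echo "WARN: unrecognised entry: $kw $a $b $c"; bad=1; continue ;;
        esac
        case $server in
            *[!0-9.]*)   # a name: must resolve from the hosts file, not via NIS
                if ! grep -Eq "^[^#].*[[:space:]]$server([[:space:]]|\$)" "$hosts"; then
                    echo "WARN: server '$server' is not in $hosts"
                    bad=1
                fi ;;
            *) ;;        # dotted-quad literal: nothing to resolve
        esac
    done < "$conf"
    return $bad
}

# Constructed sample inputs.
HOSTS=$(mktemp); cat > "$HOSTS" <<'EOF'
127.0.0.1   localhost
192.168.0.7 nisadmin
192.168.0.8 nissales
EOF
GOOD=$(mktemp); cat > "$GOOD" <<'EOF'
ypserver nisadmin
ypserver 192.168.0.7
domain sales server nissales
EOF
BAD=$(mktemp); cat > "$BAD" <<'EOF'
# constructed: two entries a reviewer should reject
domain admin broadcast
ypserver nisbackup
EOF

if yp_conf_check "$GOOD" "$HOSTS"; then echo "$GOOD: ok"; fi
if ! yp_conf_check "$BAD" "$HOSTS"; then echo "$BAD: needs fixing"; fi
```

Run it against the real files with yp_conf_check /etc/yp.conf /etc/hosts; a nonzero exit means ypbind would either bind by broadcast or need a name it cannot resolve on its own.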
Configuring the ypbind Daemon
Every computer in an NIS domain, including the server, runs the ypbind daemon. Various NIS client applications, such as ypwhich, ypcat, and yppoll, need the ypbind daemon to obtain information from the NIS server. More precisely, the C library contacts the ypbind daemon to locate the NIS server for the domain. Then the C library contacts the server directly to obtain administrative information. The client applications get the information through functions in the C library.
To interactively start ypbind, log in as root and type the following command:
service ypbind start
If you want ypbind to start when the system boots, log in as root and type the following commands to turn ypbind on:
chkconfig --add ypbind
chkconfig --level 35 ypbind on
Setting up the NIS Server
To set up your CentOS Linux system as an NIS server, you should first set it up as an NIS client: set the NIS domain name, configure the /etc/yp.conf file, and configure the ypbind daemon. (Note that the ypbind daemon won't work until you have an NIS server up and running.) After the client configuration, you can configure the NIS server. This requires that you perform the following tasks:
- Create the NIS maps using ypinit.
- Configure the master NIS server, ypserv.
- Optionally, configure one or more slave NIS servers.
Creating the NIS Maps
Creating NIS maps involves converting the text files, such as /etc/passwd and /etc/group, into DBM files by using makedbm. The map creation is controlled by /var/yp/Makefile, a file that can be used by the make command to perform specific tasks (see Chapter 23 for more information on make and Makefile).
You can configure what you want the NIS server to share with the clients in the NIS domain. You do so by editing the Makefile in the /var/yp directory. Open /var/yp/Makefile in a text editor, and locate the line that begins with all:. Here is a typical excerpt from the Makefile showing the comments before the all: line:
# If you don't want some of these maps built, feel free to comment
# them out from this list.
all: passwd group hosts rpc services netid protocols mail \
# netgrp shadow publickey networks ethers bootparams printcap \
# amd.home auto.master auto.home auto.local passwd.adjunct \
# timezone locale netmasks
As the comment lines (the ones that begin with #) indicate, you can comment out any maps you do not want to build. In the preceding example, the maps listed in the last three lines will not be built. Be aware that leaving shadow out of the list does not keep password hashes off the network: the stock Makefile has a MERGE_PASSWD setting (true by default) that copies the hash from /etc/shadow into the password field of the passwd maps, so whoever can read passwd.byname can read the hashes. That is what the securenets file and the ypserv.conf access rules described below are for.
Next, you should edit the /var/yp/securenets file to specify the IP addresses of client computers that can access the NIS maps. The default file has the following lines:
# securenets   This file defines the access rights to your NIS server
#              for NIS clients. This file contains netmask/network
#              pairs. A clients IP address needs to match with at
#              least one of those.
#
#              One can use the word "host" instead of a netmask of
#              255.255.255.255. Only IP addresses are allowed in this
#              file, not hostnames.
#
# Always allow access for localhost
255.0.0.0       127.0.0.0
# This line gives access to everybody. PLEASE ADJUST!
0.0.0.0         0.0.0.0
As the last comment line shows, the default configuration grants access to all IP addresses. For example, to limit access to the class C network 192.168.0.0, change the last line as follows:
255.255.255.0 192.168.0.0
This allows only those computers on the local network with IP addresses in the range 192.168.0.1 through 192.168.0.254 access to the NIS maps. Remember that securenets checks nothing but the source IP address of an RPC request; it is a useful first filter, not authentication, and any host that is on (or can claim an address on) the permitted network is admitted.
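Here is an added example (not from the book) of the check a server administrator would run on /var/yp/securenets before starting ypserv: it applies the same netmask/network test that ypserv applies to a candidate client address, and separately flags the shipped catch-all line. The function names and the two sample files are constructed for this illustration; the code uses only POSIX sh arithmetic, so it runs anywhere a shell does.

```shell
#!/bin/sh
# Evaluate /var/yp/securenets the way ypserv does: a client is admitted if
# (client AND netmask) equals (network AND netmask) for at least one line.
# Added example, not from the book; plain POSIX sh, no external commands.

# ip2int 192.168.0.7 -> 3232235527
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( o1 * 16777216 + o2 * 65536 + o3 * 256 + o4 ))
}

# securenets_allows <file> <client ip> -> exit 0 if some line admits the client
securenets_allows() {
    file=$1 ipn=$(ip2int "$2")
    while read -r mask net || [ -n "$mask" ]; do
        case $mask in ''|'#'*) continue ;; esac
        [ "$mask" = host ] && mask=255.255.255.255   # "host A.B.C.D" shorthand
        maskn=$(ip2int "$mask") netn=$(ip2int "$net")
        [ $(( ipn & maskn )) -eq $(( netn & maskn )) ] && return 0
    done < "$file"
    return 1
}

# securenets_wide_open <file> -> exit 0 if the file still carries a line whose
# netmask is 0.0.0.0 (the shipped "0.0.0.0 0.0.0.0" matches every address)
securenets_wide_open() {
    file=$1
    while read -r mask net || [ -n "$mask" ]; do
        case $mask in ''|'#'*|host) continue ;; esac
        [ "$(ip2int "$mask")" -eq 0 ] && return 0
    done < "$file"
    return 1
}

# Constructed sample files: the stock contents, and a hardened replacement.
SHIPPED=$(mktemp); cat > "$SHIPPED" <<'EOF'
# constructed copy of the stock file: localhost plus the catch-all
255.0.0.0 127.0.0.0
0.0.0.0 0.0.0.0
EOF
HARDENED=$(mktemp); cat > "$HARDENED" <<'EOF'
255.0.0.0 127.0.0.0
255.255.255.0 192.168.0.0
host 10.1.2.3
EOF

for f in "$SHIPPED" "$HARDENED"; do
    if securenets_wide_open "$f"; then echo "$f: admits everybody (adjust it)"; fi
    if securenets_allows "$f" 192.168.1.20; then
        echo "$f: admits 192.168.1.20"
    else
        echo "$f: rejects 192.168.1.20"
    fi
done
```

Against the real file, securenets_allows /var/yp/securenets <address> answers the question "would this client get my maps?" without starting the server, and securenets_wide_open /var/yp/securenets is the one-line check worth putting in a host audit.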
Next, you should generate the NIS map database by running the /usr/lib/yp/ypinit program with the -m option. Here is a sample session with that program:
/usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. lnbp200 is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: lnbp200
next host to add: <Press Ctrl-D here>
The current list of NIS servers looks like this:
lnbp200
Is this correct? [y/n: y] y
We need some minutes to build the databases...
Building /var/yp/admin/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/admin'
Updating passwd.byname...
Updating passwd.byuid...
...lines deleted...
The /usr/lib/yp/ypinit program automatically selects your host as an NIS server and prompts for the names of any other NIS servers. You can add the server names one at a time and press Ctrl-D when you are done. Then, you have to verify that the list of NIS servers is correct (type y). After that, make runs with the /var/yp/Makefile and generates the NIS maps as specified by the all: line in the Makefile. The map files are stored in a subdirectory of /var/yp that has the same name as the NIS domain name you have previously set for your system. For example, for the NIS domain admin, the map files are in the /var/yp/admin directory.
Configuring the Master NIS Server
To configure the NIS server daemon, ypserv, you have to prepare the configuration file /etc/ypserv.conf. You can learn about the syntax of this file by reading its man page, which you can access by typing the command man ypserv.conf. Among other options, you can use the following option to specify that ypserv should not fall back to DNS for hostnames that are not in the hosts maps built from /etc/hosts:
dns: no
You can also add other lines in /etc/ypserv.conf that specify access rules, that is, which hosts can access which maps. The format of the access rules is as follows:
Host : Map : Security : mangle [: field_to_mangle]
The field_to_mangle is optional; it indicates which field in the map should be mangled (the default is the second field because the password is in the second field of most files, such as /etc/passwd). To mangle a field is to replace it with an x when the request comes from an unprivileged port. The rest of the fields have the following meanings:
- Host: IP address or a wildcard (*) indicating to whom the rule applies
- Map: Name of the map to which the rule applies (the names of the maps are the same as those of the map files in the /var/yp/domainname directory, where domainname is your NIS domain name)
- Security: One of the following: none (to allow access always), port (to allow access only from a port less than 1024), deny (to deny access to the map), or des (to require DES authentication; this may not be supported by all C libraries)
- mangle: One of the following: yes (the field specified by field_to_mangle is replaced by an x, instead of the request being denied, when the request comes from an unprivileged port) or no (do not mangle)
For example, the following lines in the /etc/ypserv.conf file restrict what systems in the 192.168.0 network can read from the password maps, serving the password field only to requests that come from privileged ports:
192.168.0 : passwd.byname : port : yes
192.168.0 : passwd.byuid : port : yes
Rules are tried in order and the first match wins. If no rule matches, ypserv allows access to the map, so the two lines above say nothing about hosts outside 192.168.0 (those are limited only by securenets); to shut them out, follow the lines with explicit rules such as * : passwd.byname : deny : no and * : passwd.byuid : deny : no. If you do not specify any access rules at all, ypserv allows all computers to access all maps.
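To see how these rules behave for a concrete request, here is an added example (not from the book and not ypserv's own code) that evaluates the access rules in a ypserv.conf for a given client address, map and source port, using the first-match, default-allow semantics described above. It compares the book's two rules with a version that adds explicit deny rules. The function name ypserv_decide is hypothetical, host fields are matched only as * or as a dotted prefix such as 192.168.0 (an assumption made for brevity; the host/netmask form is not modelled), and the sample files are constructed.

```shell
#!/bin/sh
# Walk /etc/ypserv.conf access rules for one request and report what ypserv
# would do. Added example, not from the book. Models the semantics the text
# describes: first matching rule wins; "port" admits privileged source ports
# and otherwise mangles (mangle=yes) or denies; no matching rule means the map
# is served. Host matching supports "*" and dotted prefixes only (assumption).

# ypserv_decide <ypserv.conf> <client ip> <map> <client source port>
# prints allow | deny | mangle:<field> | des   (exit status 0 unless denied)
ypserv_decide() {
    conf=$1 ip=$2 map=$3 port=$4
    while read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*)  continue ;;
            *:*:*:*)  ;;             # access rule: at least three colons
            *)        continue ;;    # option line such as "dns: no"
        esac
        IFS=' :' read -r host rmap sec mangle field <<EOF
$line
EOF
        h=${host%.}                  # "131.234." and "131.234" both mean a prefix
        case $ip in
            "$h"|"$h".*) ;;
            *) [ "$h" = '*' ] || continue ;;
        esac
        [ "$rmap" = '*' ] || [ "$rmap" = "$map" ] || continue
        case $sec in
            none) echo allow; return 0 ;;
            deny) echo deny;  return 1 ;;
            des)  echo des;   return 2 ;;   # DES-authenticated RPC required
            port)
                if [ "$port" -lt 1024 ]; then
                    echo allow; return 0
                elif [ "$mangle" = yes ]; then
                    echo "mangle:${field:-2}"; return 0   # field replaced by "x"
                else
                    echo deny; return 1
                fi ;;
        esac
    done < "$conf"
    echo allow                       # no rule matched: ypserv serves the map
    return 0
}

# Constructed sample files: the book's rules, and the same plus deny rules.
BOOK=$(mktemp); cat > "$BOOK" <<'EOF'
dns: no
# the two rules from the text
192.168.0 : passwd.byname : port : yes
192.168.0 : passwd.byuid  : port : yes
EOF
HARD=$(mktemp); cat > "$HARD" <<'EOF'
dns: no
192.168.0 : passwd.byname : port : yes
192.168.0 : passwd.byuid  : port : yes
* : passwd.byname : deny : no
* : passwd.byuid  : deny : no
EOF

for conf in "$BOOK" "$HARD"; do
    echo "$conf: 10.0.0.5 passwd.byname from port 40000 -> $(ypserv_decide "$conf" 10.0.0.5 passwd.byname 40000)"
    echo "$conf: 192.168.0.5 passwd.byname from port 40000 -> $(ypserv_decide "$conf" 192.168.0.5 passwd.byname 40000)"
done
```

The first file answers allow for the outside host 10.0.0.5, which is the gap the explicit deny rules in the second file close; an inside host on an unprivileged port gets mangle:2, meaning it sees the map with x in place of the password hash.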
Once you have set up the /etc/ypserv.conf file, you can start the NIS server with the following command:
service ypserv start
Insider Insight: To ensure that ypserv starts when the system boots, type the following command:
chkconfig --level 35 ypserv on
Once you have the master NIS server up and running, you can test it by using various NIS client programs, such as ypwhich, yppoll, ypcat, and ypmatch.
Configuring a Slave NIS Server
To set up a system as a slave NIS server, first set it up as an NIS client and verify that the client works. In particular, type ypwhich -m and look for a list of NIS maps and the name of the master NIS server for each map (the next section shows how the ypwhich -m command works).
After you confirm that the system is configured as an NIS client, type the following command to set up the system as a slave NIS server:
/usr/lib/yp/ypinit -s nismaster
where nismaster is the name of the master NIS server for the domain. The master pushes map updates only to the servers listed in its ypservers map, so the slave's name must also be among the hosts you gave to ypinit -m on the master.
Testing NIS
If you do not have a master NIS server in your network, first perform the client configuration, create the maps, and start the master NIS server, as explained in earlier sections. Next, start the ypbind daemon as follows:
service ypbind start
Now, you can try out various NIS client programs and other utilities to see if everything is working correctly.
NIS servers and clients use Remote Procedure Call (RPC) to exchange information. Network File System (NFS), described in Chapter 19, also uses RPC. RPC requires the portmap service, which maps RPC program numbers to TCP and UDP ports. When a server that supports RPC starts up, it registers itself with portmap and lists both the services it supports and the ports it uses. Because ypserv and ypbind take whatever ports are free when they start, a packet filter cannot simply open one fixed NIS port; restrict portmap (port 111) and the RPC services behind it to the hosts that need them. Your CentOS Linux system should already have portmap up and running. You can check for it with the following command:
ps ax | grep portmap
  371 ?        S      0:00 portmap
 6755 pts/0    S      0:00 grep portmap
You should see a line showing the portmap process and its ID in the output. In this case, the portmap process has an ID of 371.
To see if the ypserv and ypbind processes are running on the master NIS server, use the /usr/sbin/rpcinfo program to check whether ypserv and ypbind were able to register with the portmap service. For example, here is a sample output:
/usr/sbin/rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100024 1 udp 1025 status
100024 1 tcp 1024 status
100007 2 udp 647 ypbind
100007 1 udp 647 ypbind
100007 2 tcp 650 ypbind
100007 1 tcp 650 ypbind
100004 2 udp 894 ypserv
100004 1 udp 894 ypserv
100004 2 tcp 897 ypserv
100004 1 tcp 897 ypserv
Each line shows the RPC program number, a version number, the protocol (TCP or UDP), the port number, and the service. As you can see, both ypbind and ypserv are registered.
To determine which NIS server your system is using, try the ypwhich command. Here is a typical example:
ypwhich
lnbp200
You can also use the ypwhich command to view the master NIS server for a specified map. If you want to see the master NIS server for the available maps, type the following command:
ypwhich -m
mail.aliases lnbp200
protocols.bynumber lnbp200
services.byservicename lnbp200
netid.byname lnbp200
services.byname lnbp200
rpc.bynumber lnbp200
rpc.byname lnbp200
hosts.byaddr lnbp200
hosts.byname lnbp200
group.bygid lnbp200
group.byname lnbp200
passwd.byname lnbp200
protocols.byname lnbp200
ypservers lnbp200
passwd.byuid lnbp200
The output shows a list of the available NIS maps and, for each map, the name of the master NIS server.
To view the name of the master NIS server and information about a specific NIS map, use the yppoll command. For example, here is the result of a yppoll query for the passwd.byname map:
yppoll passwd.byname
Domain admin is supported.
Map passwd.byname has order number 972760603. [Sat Oct 27 15:16:43 2001]
The master server is lnbp200
Use the ypcat command to print the values of the keys in an NIS map. For example, here is a ypcat query for the NIS map group.byname:
ypcat group.byname
ivy:!:503:
ashley:!:502:
emily:!:501:
naba:!:500:
Note that ypcat passwd.byname works the same way and returns the password field too; when the Makefile merges shadow into the passwd map, that field is the hash, and any client admitted by securenets and not covered by a mangle rule can dump it. That is the exposure the server-side access rules are meant to limit.
You can use ypmatch to look at the entries in an NIS map that match a specific key. For example, here is a ypmatch command line that looks for entries that match the key naba in the group.byname map:
ypmatch naba group.byname
naba:!:500:
If you compare this with the output from ypcat showing all the groups, you see that ypmatch shows the line corresponding to the group name naba.