|
|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
| (slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix | |||||||
| Contents | Next |
Adapted from Wikipedia
The Network Information Service, or NIS (originally called Yellow Pages or YP), is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.
Because British Telecom PLC owned the name "Yellow Pages" as a registered trademark in the United Kingdom for its paper-based, commercial telephone directory, Sun changed the name of its system to NIS, though all the commands and functions still start with "yp".
A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. For example, in a common UNIX environment, the list of users for identification is placed in /etc/passwd, and secret authentication hashes in /etc/shadow. NIS adds another "global" user list which is used for identifying users on any client of the NIS domain.
Administrators have the ability to configure NIS to serve password data to outside processes to authenticate users using various versions of the Unix crypt(3) hash algorithms. However, in such cases, any NIS(0307) client can retrieve the entire password database for offline inspection. Kerberos was designed to handle authentication in a more secure manner.
NIS use client server architecture with one master server (and possibly one or several secondary slave servers, necessary for reliability) and many clients. NIS uses several daemons on the server and on all clients to enable the NIS system.
|
|
On the NIS master and any NIS slaves, several NIS server daemons should be run.
The binding process begins with ypbind sending out a broadcast message for any NIS masters on the network to respond with their IP address and the port number to send requests on. If more than one NIS master responds to the request, only the first received reply is used. If for some reason ypbind finds it isn't getting replies from the NIS master, it assumes that the master has crashed and retransmits a request for a master.
The main daemons involved in the running of an NIS domain are:
You can find out which NIS master any client machine is bound to with the command ypwhich
Adapted from Quick HOWTO Ch30 Configuring NIS - Linux Home Networking
Here are the steps to configure the NFS server in this scenario:
1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.
/home *(rw,sync)
2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.
# exportfs -a#
3. Make sure the required nfs, nfslock, and portmap daemons are both running and configured to start after the next reboot.
# chkconfig nfslock on # chkconfig nfs on # chkconfig portmap on # service portmap start # service nfslock start # service nfs start
After configuring the NFS server, we have to configure its clients, This will be covered next.
3. Make sure you can mount master's /home directory on the new /home directory you just created. Unmount it once everything looks correct.
[root@node01 tmp]# mount 192.168.1.100:/home /home/ [root@node01 tmp]# ls /home ftpinstall nisuser quotauser node01 www [root@node01 tmp]# umount /home [root@node01 tmp]#
Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.
#/etc/auto.master /home /etc/auto.home --timeout 600
5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.
#/etc/auto.home * -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \ 192.168.1.100:/home/&
6. Start autofs and make sure it starts after the next reboot with the chkconfig command.
[root@node01 tmp]# chkconfig autofs on [root@node01 tmp]# service autofs restart Stopping automount:[ OK ] Starting automount:[ OK ] [root@node01 tmp]#
After doing this, you won't be able to see the contents of the /home directory on master as user root. This is because by default NFS activates the root squash feature, which disables this user from having privileged access to directories on remote NFS servers. You'll be able to test this later after NIS is configured.
All newly added Linux users will now be assigned a home directory under the new remote /home directory. This scheme will make the users feel their home directories are local, when in reality they are automatically mounted and accessed over your network.
NFS only covers file sharing over the network. You now have to configure NIS login authentication for the lab students before the job is done. The configuration of the NIS server is not difficult, but requires many steps that you may overlook. There also multiple daemons that all needs to be started in particular order
| Daemon Name | Purpose |
|---|---|
| portmap | The foundation RPC daemon upon which NIS runs. |
| yppasswdd | Lets users change their passwords on the NIS server from NIS clients |
| ypserv | Main NIS server daemon |
| ypbind | Main NIS client daemon |
| ypxfrd | Used to speed up the transfer of very large NIS maps |
All the packages required for NIS clients are a standard part of most RHEL/CentOS installations.
You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the school, call the domain mycompany.com. Often people use DNS domain as a name.
#/etc/sysconfig/network NISDOMAIN="mycompany.com"
NIS servers also have to be NIS clients themselves, so you'll have to edit the NIS client configuration file /etc/yp.conf to list the domain's NIS server as being the server itself or localhost.
# /etc/yp.conf - ypbind configuration file ypserver 127.0.0.1
Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.
# service portmap start # service yppasswdd start # service ypserv start # chkconfig portmap on # chkconfig yppasswdd on # chkconfig ypserv on
Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.
# rpcinfo -p localhost | egrep "port|yp"
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100009 1 udp 681 yppasswdd
100004 2 udp 698 ypserv
100004 1 udp 698 ypserv
100004 2 tcp 701 ypserv
100004 1 tcp 701 ypserv
#
The ypbind and ypxfrd daemons won't start properly until after you initialize the NIS domain. You'll start these daemons after initialization is completed.
Now that you have decided on the name of the NIS domain, you'll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is master.
With this procedure, all nonprivileged accounts are automatically accessible via NIS.
# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. master is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: master
next host to add:
The current list of NIS servers looks like this:
master
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/NISDOMAIN/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/NISDOMAIN'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/NISDOMAIN'
master has been set up as a NIS master server.
Now you can run ypinit -s master on all slave server.
#
Note: Make sure portmap is running before trying this step or you'll get errors, such as:
failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...
You will have to delete the /var/yp/NISDOMAIN directory and restart portmap, yppasswd, and ypserv before you'll be able to do this again successfully.
You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.
# service ypbind start # service ypxfrd start # chkconfig ypbind on # chkconfig ypxfrd on
All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.
# rpcinfo -p localhost | egrep "port|yp|nfs"
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100021 4 udp 1024 nlockmgr
100004 2 udp 784 ypserv
100004 1 udp 784 ypserv
100004 2 tcp 787 ypserv
100004 1 tcp 787 ypserv
100009 1 udp 798 yppasswdd
600100069 1 udp 850 fypxfrd
600100069 1 tcp 852 fypxfrd
100007 2 udp 924 ypbind
100007 1 udp 924 ypbind
100007 2 tcp 927 ypbind
100007 1 tcp 927 ypbind
#
New NIS users can be created by logging into the NIS server and creating the new user account. In this case, you'll create a user account called nisuser and give it a new password.
Once this is complete, you then have to update the NIS domain's authentication files by executing the make command in the /var/yp directory.
This procedure makes all NIS-enabled, nonprivileged accounts become automatically accessible via NIS, not just newly created ones. It also exports all the user's characteristics stored in the /etc/passwd and /etc/group files, such as the login shell, the user's group, and home directory.
# useradd -g users nisuser # passwd nisuser Changing password for user nisuser. New password: Retype new password: passwd: all authentication tokens updated successfully. # cd /var/yp [root@ypmaster]# make gmake[1]: Entering directory `/var/yp/NISDOMAIN' Updating passwd.byname... Updating passwd.byuid... Updating netid.byname... gmake[1]: Leaving directory `/var/yp/NISDOMAIN' [root@ypmaster]#
You can check to see if the user's authentication information has been updated by using the ypmatch command, which should return the user's encrypted password string.
[root@ypmaster]# ypmatch nisuser passwd nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash [root@ypmaster]
You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn't provide an encrypted password when run on an NIS server, it just provides the user's entry in the /etc/passwd file. On a NIS client, the results are identical with both showing the encrypted password.
[root@ypmaster]# getent passwd nisuser nisuser:x:504:100::/home/nisuser:/bin/bash [root@ypmaster]#
To set password you need to use yppasswd utility not passwd
See Changing PasswordsFrom root useyppasswd -p user_name
Now that the NIS server is configured, it's time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.
The authconfig or the authconfig-tui program automatically configures your NIS files after prompting
you for the IP address and domain of the NIS server.
[root@node01 tmp]# authconfig-tui
Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.
# /etc/yp.conf - ypbind configuration file domain mycompany.com server 192.168.1.100 #/etc/sysconfig/network NISDOMAIN=mycompany.com
In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login files.
#/etc/nsswitch.conf passwd: files nis shadow: files nis group: files nis
Note: There is a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools* directory.
Start the ypbind NIS client, and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.
[root@node01 tmp]# service portmap start Starting portmapper: [ OK ] [root@node01 tmp]# service ypbind start Binding to the NIS domain: Listening for an NIS domain server. [root@node01 tmp]# [root@node01 tmp]# chkconfig ypbind on [root@node01 tmp]# chkconfig portmap on
Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.
As the configuration examples refer to the NIS client and server by their hostnames, you'll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.
# # File: /etc/hosts (node01) # 192.168.1.100 master # # File: /etc/hosts (master) # 192.168.1.102 node01
You can run the ypcat, ypmatch, and getent commands on the nodes served by the NIS master to make sure communication to the server is correct.
[root@node01 tmp]# ypcat passwd nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash quotauser:!!:503:100::/home/quotauser:/bin/bash ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash node01:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash [root@node01 tmp]# [root@node01 tmp]# ypmatch nisuser passwd nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash [root@node01 tmp]# [root@node01 tmp]# getent passwd nisuser nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash [root@node01 tmp]#
Possible sources of error would include:
Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.
Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this area could be due to firewalls blocking TELNET or SSH access and the TELNET and SSH server process not being started on the clients.
Try logging into the NIS client via telnet if it is enabled
# telnet 192.168.1.201 Trying 192.168.1.201... Connected to 192.168.1.201. Escape character is '^]'. Red Hat Linux release 9 (Shrike) Kernel 2.4.20-6 on an i686 login: nisuser Password: Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com [nisuser@node01 nisuser]$
Try logging into the NIS client via SSH.
# ssh -l nisuser 192.168.1.102 [email protected]'s password: [nisuser@node01 nisuser]$
In some versions of Linux, the NIS client's SSH daemon doesn't re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won't query the NIS server until this is done. Restart SSH on the NIS client.
[root@node01 root]# service sshd restart Stopping sshd:[ OK ] Starting sshd:[ OK ] [root@node01 root]#
The yppasswdd daemon must be running on both the client and server for password changes to work correctly. When they aren't running, you'll get errors.
[root@node01 etc]# yppasswd -p nisuser
yppasswd: yppasswdd not running on NIS master host ("master").
[root@node01 etc]#
You'll also get a similar error if you attempt to change an NIS password on an NIS master server in a master and slave configuration.
|
|
Switchboard | ||||
| Latest | |||||
| Past week | |||||
| Past month | |||||
Google matched content |
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: March, 12, 2019
