Nis How To


0. INTRODUCTION.

This HOWTO describes:

1. How to setup a NIS client-only system
2. How to specify what resources to use for NIS
3. How to setup a NIS master server
4. Shadow passwords
5. How to setup a NIS slave server

1. HOW TO SETUP A LOCAL NIS CLIENT

1.1 Install the netbase, netstd and nis packages.

1.2 The installation procedure will ask for your NIS domainname. This
is just a name which describes the group of systems that use NIS; it
is not a hostname. It is stored in the config file /etc/defaultdomain,
in case you ever want to change it.

1.3 If your NIS server is not "local" to your network, you will have to do
some fine-tuning. The ypbind process has a configuration file called
/etc/yp.conf. You can hardcode a NIS server there - for more info
see the manual page for ypbind(8).

1.4 Start NIS by typing:

/etc/init.d/nis stop
/etc/init.d/nis start

2. HOW TO SPECIFY WHAT RESOURCES TO USE FOR NIS:

2.1 FOR LIBC6:

Check your /etc/nsswitch.conf file and make sure that the entries for
passwd, group, shadow and netgroup look like this:

passwd: compat
group: compat
shadow: compat
netgroup: nis db files

2.2 USERS: Add the following line to /etc/passwd on your NIS
clients:

+::::::

You can also use the + and - characters to include/exclude or change
users. If you want to exclude the user guest just add -guest to your
/etc/passwd file. You want to use a different shell (e.g. ksh) for
the user "linux"? No problem, just add "+linux::::::/bin/ksh"
(without the quotes) to your /etc/passwd. Fields that you don't want
to change have to be left empty.

For example, to only allow login-access to miquels, dth and ed, but to
have the account data of all other users available:
+miquels:::::::
+ed:::::::
+dth:::::::
+:*::::::/etc/NoShell

Note that in Linux you can also override the password field, as we did
in this example.

2.3 GROUPS: Add the following line to /etc/group

+:::

2.4 HOSTS:

Normally you should not do host lookups through NIS, use DNS for that.
If you really must use NIS for it, here's how to do it.

2.4.1 For libc5 applications:

If you want to use the NIS host maps of your NIS server you
have to change your /etc/host.conf file. You just have to add the
word "nis" to the "order" line. A sample host.conf file could look
like this:

order host,bind,nis
multi on

2.4.2 For libc6 applications:

Edit /etc/nsswitch.conf and change the hosts entry:

hosts: nis files

3. HOW TO SETUP A MASTER NIS SERVER:

3.1 Install the nis package. You'll also need the netbase and netstd
packages installed for the RPC daemons (rpc.portmap).

3.2 Make sure that _all_ systems you are going to use as a NIS server,
master or slave, have all other systems in the /etc/hosts file.
The FQDN (Fully Qualified Domain Name) should be the first hostname
after every IP address, followed by just the hostname (without the
domainname). For example:

192.168.88.10 troi.cistron.nl troi

On the NIS server the NIS hosts file (which is usually just /etc/hosts)
should also have this setup. This is because NIS does not use DNS.

3.3 Set your NIS domain in the /etc/defaultdomain file. The NIS domain
is just a name which describes the group of systems that use NIS; it
is not a hostname. It is common practice to use your DNS domainname
for this. Contrary to what many people claim, this is not a security risk.

3.4 Set ypserv to master (ypserv=master) in /etc/init.d/nis

3.5 Add your local network number to the file /etc/ypserv.securenets.
You don't _have_ to do this: the default is to allow everybody to
access your NIS server. It is however *strongly* recommended.
For added security you might also want to edit the /etc/ypserv.conf
file to mangle the password file for some clients (do not do this
if you have non-Debian slave servers in your network!)
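As an added illustration (not part of this HOWTO), the following Python script models the check ypserv makes against /etc/ypserv.securenets entries, so you can verify which clients a given file admits before relying on it. The sample file content and the client addresses are constructed; an empty rule list is treated as the allow-everybody default described above.

```python
import ipaddress

# Added example: model the ypserv.securenets access check.
# Entry forms: "netmask network" or "host address"; '#' starts a comment.
# Constructed sample for the 192.168.88.0/24 network used in this HOWTO.
SAMPLE_SECURENETS = """\
# always allow the server itself
host 127.0.0.1
# the local network
255.255.255.0 192.168.88.0
"""

def parse_securenets(text):
    """Return one ip_network per securenets rule, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        mask, addr = line.split()
        if mask == "host":
            rules.append(ipaddress.ip_network(addr))              # single host (/32)
        else:
            rules.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return rules

def client_allowed(rules, client_ip):
    """True if ypserv would answer this client under the given rules."""
    if not rules:          # no rules at all: the default is to allow everybody
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in rules)

if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    for ip in ("192.168.88.10", "10.0.0.5", "127.0.0.1"):
        print(ip, "allowed" if client_allowed(rules, ip) else "denied")
```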

3.6 Setup the server by typing "/usr/lib/yp/ypinit -m"

3.7 Start the server by typing:

/etc/init.d/nis stop
/etc/init.d/nis start

This will start the server (ypserv) and the password daemon (yppasswdd).

If you want to restrict access to your NIS server, you'll have to setup
the NIS server as a client as well by running ypbind and adding the
plus-entries halfway through /etc/passwd. The library
functions will ignore all normal entries after the first NIS entry, and
will get the rest of the info through NIS. This way the NIS access rules
are maintained. Example:

root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh

The user tester will exist, but have a shell of /etc/NoShell. miquels
will have normal access.
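To make the +/- rules concrete, here is an added Python example (not from the HOWTO) that computes the effective password database for a compat-mode /etc/passwd following the rules described above in 2.2 and 3.7: the all-users "+:*:::::/etc/NoShell" override, single-user entries such as "+linux::::::/bin/ksh", "-user" exclusions, and the placement of plus-entries before the normal users. The NIS map and the local file are constructed samples, and the password hashes in them are placeholders.

```python
# Added example (not from the HOWTO): resolve what the library functions
# see when /etc/passwd mixes local entries with NIS '+'/'-' entries, using
# the rules the HOWTO describes. NIS map and local file are constructed.
NIS_PASSWD = {  # what "ypcat passwd" would return, keyed by user (placeholder hashes)
    "miquels": "miquels:$1$zz$xyz:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh",
    "tester": "tester:$1$aa$abc:299:10:Just a test account:/tmp:/bin/sh",
    "guest": "guest:$1$bb$def:300:10:Guest:/home/guest:/bin/sh",
}
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
-guest
+miquels::::::
+:*:::::/etc/NoShell
ignored:x:999:10:Should not appear:/tmp:/bin/sh
"""

def _fields(line):
    """Split a passwd line into exactly 7 fields, padding short +/- entries."""
    parts = line.split(":") + [""] * 7
    return parts[:7]

def _override(nis_line, entry):
    """Apply the non-empty fields of a '+' entry over the NIS record."""
    rec = _fields(nis_line)
    for i in range(1, 7):              # field 0 (the name) always comes from NIS
        if entry[i]:
            rec[i] = entry[i]
    return ":".join(rec)

def resolve(local_text, nis_map):
    """Return {user: effective passwd line} for a compat-mode /etc/passwd."""
    result, excluded, seen_nis = {}, set(), False
    for line in filter(str.strip, local_text.splitlines()):
        entry = _fields(line)
        name = entry[0]
        if name.startswith("-"):                 # exclude this NIS user
            excluded.add(name[1:])
            seen_nis = True
        elif name.startswith("+"):               # one user, or every user if just "+"
            seen_nis = True
            users = nis_map if name == "+" else [name[1:]]
            for user in users:
                if user in nis_map and user not in excluded and user not in result:
                    result[user] = _override(nis_map[user], entry)
        elif not seen_nis:                       # local entries before the first NIS entry
            result[name] = line
    return result
```

Running resolve(LOCAL_PASSWD, NIS_PASSWD) gives root and daemon from the local file, miquels with his NIS record untouched, tester with password "*" and shell /etc/NoShell, and neither guest nor the "ignored" entry placed after the NIS lines.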

Alternatively, you could edit the /var/yp/Makefile file and set NIS to use
another source password file. On big systems, the NIS password and group
files are usually stored in /var/yp/ypfiles/. If you do this the normal
tools to administer the password file such as "passwd", "chfn" and
"adduser" will not work anymore and you will need special homemade tools
for this.

However yppasswd, ypchsh and ypchfn will of course work. The Debian
version of these utilities - and the yppasswdd daemon - have a
non-standard extension. "Root" can - using the root password - change
other people's passwords, finger info and shell.

If you edit the NIS password file manually or you use the standard
/etc/passwd file, remember that after every change in one of the NIS
source files you'll have to run "make" in the /var/yp directory to update
the NIS maps. It would be reasonable to do this nightly from cron to be
sure the NIS maps are kept up-to-date.

4. SHADOW PASSWORDS

The Linux libc5 does not support shadow NIS maps. If you are dependent
on libc5 applications, do not use shadow NIS maps. Instead you can use
the method below:

4.1 SHADOW-LIKE SECURITY

You can provide shadow-like security by "mangling" the password for NIS
lookups of password-file entries. Read the manpage for "ypserv.conf" and
read the comments in the sample /etc/ypserv.conf.

4.2 REAL SHADOW SUPPORT

Libc6 has real shadow support for NIS built in. It works like you would
expect: export the shadow map from the NIS server and just use it.
The shadow map should be built with the "-s" (secure) option to
makedbm. This is automatic in all modern /var/yp/Makefile files.

5. HOW TO SETUP A NIS SLAVE SERVER

5.1 First setup your system as a working NIS client (see 1.)

5.2 Follow the steps 3.1 .. 3.5 as described above, but at step 3.4
set ypserv to slave (ypserv=slave) in the /etc/init.d/nis file.

5.3 Start the slave and initialize it by entering:

/etc/init.d/nis stop
/etc/init.d/nis start
/usr/lib/yp/ypinit -s <name_of_your_master_nis_server_here>

5.4 Now tell your master NIS server it has a slave. First you have to adjust
the NIS Makefile *on the master* so that all future updates get
distributed to the slave(s) automatically. Unset the NOPUSH variable
in /var/yp/Makefile like this:

NOPUSH=""

Now tell the master about its slaves by running "/usr/lib/yp/ypinit -m".
Enter the names of the slave servers. The maps will get rebuilt and
pushed to the slaves.

5.5 You might want to edit root's crontab *on the slave* and add the
following lines:

20 * * * * /usr/lib/yp/ypxfr_1perhour
40 6 * * * /usr/lib/yp/ypxfr_1perday
55 6,18 * * * /usr/lib/yp/ypxfr_2perday

This will ensure that most NIS maps are kept up-to-date, even if an
update is missed because the slave was down at the time the update was
done on the master.

_________________________________________________________________

Configuring NIS Services in Linux


What is NIS?
Network Information Service (NIS) is used for keeping a centralized repository of
users, hostnames and other useful information in a computer network. In single
server UNIX environments, the list of users and groups is usually kept in a file
such as /etc/passwd. Using NIS adds a "global" directory which is used for
authenticating users from any host on the network.
Note: In the early days, NIS was called Yellow Pages. The developers had to change
the name after a copyright infringement lawsuit, yet many of the key programs
associated with NIS have kept their original names beginning with yp.
Getting Started

This tutorial covers mostly RPM based distributions of GNU/Linux such as Red Hat,
Fedora, or CentOS. There are also references to Debian based distributions such as
Ubuntu. For information pertaining to your particular distribution, please consult
your documentation.
Defining the NIS Domain Name

Edit the /etc/sysconfig/network file

In Red Hat-based distributions we need to add the NIS domain name we wish to use
in the /etc/sysconfig/network file. For this example, we will call the domain
"LINUX-NIS".
#/etc/sysconfig/network
NISDOMAIN="LINUX-NIS"
In Debian based distributions we would edit the /etc/defaultdomain file and simply
put in the NIS domain name
#/etc/defaultdomain
LINUX-NIS
Also, in Debian-based distributions, we would edit the /etc/default/nis file and
configure this as a Master NIS server
#/etc/default/nis
NISSERVER=master
Both Linux distributions have a configuration file for YP. We need to edit our
/etc/yp.conf file. NIS servers also need to be NIS clients themselves, so we will
have to edit the yp.conf to point this file towards the server itself, or
localhost.
# /etc/yp.conf - ypbind configuration file
ypserver 127.0.0.1
NIS Server Daemons

The following is a list of NIS server daemons and their functionality. We need to
know these individual components in order to troubleshoot NIS issues later on.
DAEMON NAME   PURPOSE
portmap       The foundation service for RPC
yppasswdd     Allows users to change their NIS passwords
ypserv        NIS server daemon
ypbind        NIS client daemon
ypxfrd        The NIS map transfer daemon
Starting The NIS Server Related Daemons

We now need to start a couple of the NIS daemons in the /etc/init.d directory. In
this case we will only be starting the portmap, yppasswdd, and ypserv daemons so
that we can initialize the NIS domain.
On Red Hat we would issue the following commands:
[root@nis-server1]# /etc/init.d/portmap start
Starting portmapper: [ OK ]

[root@nis-server1]# /etc/init.d/yppasswdd start
Starting YP passwd service: [ OK ]

[root@nis-server1]# /etc/init.d/ypserv start
Setting NIS domain name LINUX-NIS: [ OK ]
Starting YP server services: [ OK ]

On Debian we would issue the following commands:

[root@nis-server1]# /etc/init.d/portmap start
Starting portmapper: [ OK ]

[root@nis-server1]# /etc/init.d/nis start
Setting NIS domainname to: LINUX-NIS
Starting NIS services: ypserv yppasswdd ypxfrd ypbind: [ OK ]
Note: The ypxfrd and ypbind daemons start with the all-encompassing nis startup
script for Debian. These daemons will time out on starting because the
NIS domain has not been initialized yet. This is expected. NIS domain
initialization is covered in the next section.
With Redhat-based distributions we would use the chkconfig command to configure
these daemons to start after every reboot.
[root@nis-server1]# chkconfig portmap on
[root@nis-server1]# chkconfig yppasswdd on
[root@nis-server1]# chkconfig ypserv on
With Debian-based distributions we would simply invoke the update-rc.d command to
configure these services to start at boot time
[root@nis-server1]# update-rc.d portmap defaults [ OK ]
[root@nis-server1]# update-rc.d nis defaults [ OK ]

We need to make sure these daemons are running before continuing to the next step.
We can use the rpcinfo command to do this:
[root@nis-server1]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100009 1 udp 681 yppasswdd
100004 2 udp 698 ypserv
100004 1 udp 698 ypserv
100004 2 tcp 701 ypserv
100004 1 tcp 701 ypserv
ypbind and ypxfrd might be listed as running, even though they do not start
properly until after the initialization of the NIS domain. If they are running, we
will restart these daemons after the domain initialization is completed.
Initializing The NIS Domain

Now that we have decided on the name of the NIS domain, we will have to use the
ypinit command to create the associated authentication files for the domain. We
will be prompted for the name of the NIS server, which in this case is nis-server1.
[root@nis-server1]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS servers.
nis-server1 is in the list of NIS server hosts. We must continue to add the names
for the other hosts, one per line. When we are done with the list, simply type "a".
next host to add: nis-server1
next host to add:
The current list of NIS servers looks like this:
nis-server1
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/LINUX-NIS/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/LINUX-NIS'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/LINUX-NIS'
nis-server1 has been set up as a NIS master server.
Now we can run ypinit -s nis-server1 on all slave servers (If we have any slave
servers).
Note: Make sure portmap is running before trying this step or you'll get errors,
such as:
failed to send 'clear' to local ypserv: RPC: Port mapper failure
Updating group.bygid...
You will have to delete the /var/yp/LINUX-NIS directory and restart portmap,
yppasswdd, and ypserv before you'll be able to do this again successfully.
Start The ypbind and ypxfrd Daemons

On Redhat, you can now start the ypbind and the ypxfrd daemons because the NIS
domain has been initialized and the files have been created.
[root@nis-server1]# /etc/init.d/ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@nis-server1]# /etc/init.d/ypxfrd start
Starting YP map server: [ OK ]
[root@nis-server1]# chkconfig ypbind on
[root@nis-server1]# chkconfig ypxfrd on
On Debian, you would simply restart the /etc/init.d/nis service:
[root@nis-server1]# /etc/init.d/nis restart
Starting NIS services: ypserv yppasswdd ypxfrd ypbind
Verify The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the
rpcinfo command when they are running correctly.
[root@nis-server1]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100021 4 udp 1024 nlockmgr
100004 2 udp 784 ypserv
100004 1 udp 784 ypserv
100004 2 tcp 787 ypserv
100004 1 tcp 787 ypserv
100009 1 udp 798 yppasswdd
600100069 1 udp 850 fypxfrd
600100069 1 tcp 852 fypxfrd
100007 2 udp 924 ypbind
100007 1 udp 924 ypbind
100007 2 tcp 927 ypbind
100007 1 tcp 927 ypbind
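The rpcinfo listings above (the one before ypinit and this one after it) can be checked automatically. The following Python script is an added example, not from the tutorial: it parses rpcinfo -p output and reports which of the expected NIS services are not registered with the portmapper, using the pre-ypinit set (portmapper, ypserv, yppasswdd) or the post-ypinit set (ypbind and fypxfrd added). The embedded sample is constructed from the tutorial's first listing; live_check() runs the real rpcinfo command against a host.

```python
import subprocess

# Added example: check rpcinfo -p output for the NIS daemons the tutorial expects.
BEFORE_YPINIT = {"portmapper", "ypserv", "yppasswdd"}   # expected before ypinit -m
AFTER_YPINIT = BEFORE_YPINIT | {"ypbind", "fypxfrd"}    # expected after ypinit -m

# Constructed sample, modelled on the tutorial's first rpcinfo listing.
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
    100004    1   tcp    701  ypserv
"""

def parse_rpcinfo(text):
    """Return {service name: set of (proto, port)} from rpcinfo -p output."""
    services = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue                  # header, blank line, or program without a name
        _prog, _vers, proto, port, name = parts[:5]
        services.setdefault(name, set()).add((proto, int(port)))
    return services

def missing_services(text, expected):
    """Expected service names that are not registered with the portmapper."""
    return sorted(expected - set(parse_rpcinfo(text)))

def live_check(expected=AFTER_YPINIT, host="localhost"):
    """Run rpcinfo -p against a host and return the missing NIS services."""
    proc = subprocess.run(["rpcinfo", "-p", host],
                          capture_output=True, text=True, check=True)
    return missing_services(proc.stdout, expected)

if __name__ == "__main__":
    print("before ypinit, missing:", missing_services(SAMPLE_RPCINFO, BEFORE_YPINIT))
    print("after ypinit, missing:", missing_services(SAMPLE_RPCINFO, AFTER_YPINIT))
```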
Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new
user account. In this case, you'll create a user account called nisuser and give it
a new password.
Once this is complete, you then have to update the NIS domain's authentication
files by executing the make command in the /var/yp directory.
This procedure makes all NIS-enabled, nonprivileged accounts become automatically
accessible via NIS, not just newly created ones. It also exports all the user's
characteristics stored in the /etc/passwd and /etc/group files, such as the login
shell, the user's group, and home directory.
[root@nis-server1]# useradd -g users nisuser
[root@nis-server1]# passwd nisuser
Changing password for user nisuser.
New password: ********
Retype new password: ********
passwd: all authentication tokens updated successfully.

[root@nis-server1]# cd /var/yp
[root@nis-server1]# make
gmake[1]: Entering directory `/var/yp/LINUX-NIS'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/LINUX-NIS'
You can check to see if the user's authentication information has been updated by
using the ypmatch command, which should return the user's encrypted password
string.
[root@nis-server1]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
You can also use the getent command, which has similar syntax. Unlike ypmatch,
getent doesn't provide an encrypted password when run on an NIS server; it just
provides the user's entry in the /etc/passwd file. On a NIS client, the results are
identical, with both showing the encrypted password.
[root@nis-server1]# getent passwd nisuser
nisuser:x:504:100::/home/nisuser:/bin/bash
From here you should be up and going with your new NIS domain. Have fun.
