Hack8.Authenticate NFS-Lovers with NIS

Previous page
Table of content
Next page

Hack 8. Authenticate NFS-Lovers with NIS

If you're using NFS, using its companion authentication mechanism may be the right way to go.

The Network Information System (NIS) is a distributed authentication mechanism that was originally developed by Sun Microsystems and is most commonly used in conjunction with the file-sharing protocol NFS [Hack #56]. NIS enables all of the machines in a computing environment to share access to a centralized collection of authentication-related files and service configuration information, known as "maps." Each NIS map is typically provided in several different ways, each organized to optimize a specific type of access to that information, such as lookups by name or by some unique numeric component (such as being able to access a group map by group ID, a host's map by address, and so on).

NIS+, also from Sun Microsystems, is the successor to NIS. Much like LDAP, it organizes information hierarchically. Unfortunately, NIS+ never really caught on outside of Sun systems, and therefore few Unix and Unix-like operating systems (such as, for example, Linux) bother to support NIS+.


1.9.1. Installing NIS Clients and Servers

Most Linux distributions provide packages that include NIS client and server software, but if yours doesn't, or you simply want to install the latest and greatest, you'll need to build and install the following packages from ftp://ftp.kernel.org/pub/linux/utils/net/NIS:


ypbind-mt

The client NIS daemon


ypserv

The NIS server


yp-tools

The standard NIS utilities for displaying NIS files, changing your NIS password, changing the full name or shell in your NIS password file entry, and querying various aspects of an NIS server or NIS maps

The names of these packages will also include version numbers and an extension based on the archive format that you download (gzip or bzip2).

1.9.2. Setting Up an NIS Server

As mentioned earlier, NIS is the most commonly used distributed authentication mechanism today, largely because it is shipped free with almost all Unix and Unix-like systems. Another reason for the prevalence of NIS is that it's incredibly easy to set up. This section walks you through the process of setting up an NIS server. Setting up an NIS client is explained in the next section.

This section shows how to quickly set up an NIS server for use with an NFS server. This NIS server exports the default password, group, host, and other maps (files) found on the NIS server system. In a production environment, you would want to do substantially more customization before initiating NIS throughout your computing environment. For example, you would also want to customize the NIS configuration files /var/yp/securenets, /etc/yp.conf, and /etc/ypserv.conf. For more complete information about setting up NIS, see the NIS HOWTO listed at the end of this hack.


To set up an NIS server, log in as or su to root on the system you will be configuring as an NIS server, and do the following:

  1. Make sure that the NIS software is installed on your Linux system. At a minimum, you will need the /bin/domainname, /usr/sbin/ypserv, and /usr/lib/yp/ypinit programs.

  2. Next, make sure that the /etc/passwd file has an entry for your personal account, which should also be found in the password file on the system you will be configuring as an NIS client. In the next section, you'll use this entry to verify that NIS is working correctly.

  3. Set the domain name of your new NIS domain. This should not be the same as the name of your TCP/IP domain, to avoid confusing DNS and potentially compromising security in your domain. To set the NIS domain name, issue a command like the following:

     # /bin/domainname  foo.com

  4. Start the NIS server process using the following command:

     # /usr/sbin/ypserv

  5. Initialize the NIS databases using the following command:

     # /usr/lib/yp/ypinit -m

    You will see output like the following:

     At this point, we have to construct a list of the hosts which will run NIS servers.  64bit.vonhagen.org is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a <control D>. next host to add: 64bit.vonhagen.org next host to add: 6. When prompted for the name of any other NIS servers in your domain, press <Ctrl-D>. You will see output like the following: The current list of NIS servers looks like this: 64bit.vonhagen.org Is this correct? [y/n: y] 7. Press return to respond yes. You will then see output listing the files that have been generated and added to the NIS database. This output looks like the following, where the domain name you specified will appear instead of the word "yourdomain": We need some minutes to build the databases… Building /var/yp/ws.com/ypservers… Running /var/yp/Makefile… gmake[1]: Entering directory '/var/yp/yourdomain' Updating passwd.byname… Updating passwd.byuid… Updating group.byname… Updating group.bygid… Updating hosts.byname… Updating hosts.byaddr… Updating rpc.byname… Updating rpc.bynumber… Updating services.byname… Updating services.byservicename… Updating netid.byname… Updating protocols.bynumber… Updating protocols.byname… Updating mail.aliases… gmake[1]: Leaving directory '/var/yp/yourdomain'

That's all there is to it! Your new NIS server is up and running. You can now test that it is working correctly by following the instructions in the next section.

1.9.3. Setting Up an NIS Client

A good sysadmin Zen quote is "If a server is running and it has no clients, is it really working?" This section explains how to set up an NIS client of the server set up in the previous section, after doing some initial configuration so that you can verify that the server is actually doing "the right thing."

To do some preconfiguration to verify that NIS is actually working, log in as or su to root and edit the /etc/nsswitch.conf file on the system you are using as an NIS client. Find the line that tells your system how to locate password entries and modify that line to look like the following:

 passwd: files nis [NOTFOUND=return]

This tells your system to look for password information in the local password file and then consult NIS. If the password is not found in either of these locations, the [NOTFOUND=return] command tells your system to give up rather than pursuing any of the other authentication sources that may appear in this nsswitch.conf entry.

Next, save a copy of your system's /etc/passwd file and then remove all user entries from the existing password file. Leave the root and system service accounts in the filetypically, it's safe to remove accounts with UIDs greater than 200. As the last line of the newly abbreviated password file, add the following:

 +::::::

This tells NIS to append the contents of the password map (file) retrieved from the NIS server whenever password information is requested.

Notice that the entries for any individual accounts (including your own) have been removed from the abbreviated password file. This enables you to do a fairly simple test to determine whether NIS is working: if you can log in using an account that is not present in the password file on your client system but is present in the password file on your NIS server system, NIS is working correctly.

To set up an NIS client, log in as or su to root on the system you are using as an NIS client and do the following:

  1. Make sure the NIS client software is installed on your Linux system. At a minimum, you will need the /bin/domainname and /sbin/ypbind programs.

  2. Check whether the directory /var/yp exists and create it if it does not.

  3. Set the domain name of the NIS domain to which this new client will belong. This should be the same name as the domain name set in the previous section of this hack. To set the NIS domain name, issue a command like the following:

     # /bin/domainname  foo.com

  4. Edit the ypbind configuration file /etc/yp.conf, adding an entry for your NIS server. Continuing with the previous example, you'd add the following line:

     domain vonhagen.org server 64bit

    If your network is not running older, potentially incompatible NIS servers for other groups, you could also replace server 64bit with broadcast to cause the NIS client to broadcast on the local network in order to locate an NIS server.


  5. Start the NIS client process using the following command:

     # /sbin/ypbind

  6. To verify that NIS is working correctly, telnet from the NIS client system back to itself and attempt to log in as yourself. Remember that your password file entry is present in the password file on the NIS server but not in the password file on the NIS client.

You should be able to log in successfully. Congratulationsyou're running NIS! Remember to add setting the domain name and starting the NIS server and client to the startup procedures for each of your NIS client systems.

1.9.4. See Also

  • NIS HOWTO: http://www.linux-nis.org/nis-howto/

  • "Centralize Resources Using NFS" [Hack #56]

  • "Clean Up NIS After Users Depart" [Hack #77]


Previous page
Table of content
Next page
Linux Server Hacks (Vol. 2)
BSD Sockets Programming from a Multi-Language Perspective (Programming Series)
ISBN: N/A
EAN: 2147483647
Year: 2003
Pages: 162
Authors: M. Tim Jones
BUY ON AMAZON
ERP and Data Warehousing in Organizations: Issues and Challenges
Interprocess Communications in Linux: The Nooks and Crannies
Certified Ethical Hacker Exam Prep
SQL Tips & Techniques (Miscellaneous)
The New Solution Selling: The Revolutionary Sales Process That Is Changing the Way People Sell [NEW SOLUTION SELLING 2/E]
.NET System Management Services
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy