Setting Up an NIS Client


This section discusses how to set up an NIS client on the local system.

Prerequisites

Install the following packages:

  • yp-tools

  • ypbind

Run chkconfig to cause ypbind to start when the system enters multiuser mode:

# /sbin/chkconfig ypbind on


After you have configured ypbind, start it with service:

# /sbin/service ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.


Notes

If there is no NIS server for the local system's NIS domain, you need to set one up (page 663). If there is an NIS server, you need to know the name of the NIS domain the system belongs to and (optionally) the name or IP address of one or more NIS servers for the NIS domain.

An NIS client can run on the same system as an NIS server.

SELinux


When SELinux is set to use a targeted policy, NIS is protected by SELinux. You can disable this protection if necessary. For more information refer to "Setting the Targeted Policy with system-config-securitylevel" on page 402.

Step-by-Step Setup

This section lists the steps involved in setting up and starting an NIS client.

Specifying the System's NIS Domain Name

Specify the system's NIS domain name in the /etc/sysconfig/network file by adding the following line:


NISDOMAIN=nisdomainname

where nisdomainname is the name of the NIS domain that the local system belongs to. The ypbind and ypserv init scripts execute the network file so that the name of the system's NIS domain is set just before it is needed. You can use the nisdomainname utility to set or view the NIS domain name, but setting it in this manner does not maintain the name when the system is rebooted:

Tip: A DNS domain name is different from an NIS domain name

The DNS domain name is used throughout the Internet to refer to a group of systems. DNS maps these names to IP addresses to enable systems to communicate with one another.

The NIS domain name is used strictly to identify systems that share an NIS server and is normally not seen or used by users and other programs. Some administrators use one name as both a DNS domain name and an NIS domain name, although this practice can degrade security.


# nisdomainname
(none)
# nisdomainname mgs
# nisdomainname
mgs


Caution: To avoid confusion, use nisdomainname, not domainname

The domainname and nisdomainname utilities do the same thing: They display or set the system's NIS domain name. Use nisdomainname to avoid confusion when you are also working with DNS domain names.


Caution: You must set the local system's NIS domain name

If you do not set the local system's NIS domain name, when you start ypbind, it sends a message to syslogd (page 562) and quits.


Edit /etc/yp.conf to Specify an NIS Server

Edit /etc/yp.conf to specify one or more NIS servers (masters and/or slaves). As explained by comments in the file, you can use one of three formats to specify each server:


domain nisdomain server server_name
domain nisdomain broadcast (do not use)
ypserver server_name

where nisdomain is the name of the NIS domain that the local (client) system belongs to and server_name is the hostname of the NIS server that the local system queries. The second format is less secure than the first and third formats because it exposes the system to rogue servers by broadcasting a request for a server to identify itself.

You can use multiple lines to specify multiple servers for one or more domains. Specifying multiple servers for a single domain allows the system to change to another server when its current server is slow or down.

When you specify more than one NIS domain, you must set the system's NIS domain name before starting ypbind so the client queries the proper server. Specifying the NIS domain name in /etc/sysconfig/network before running the ypbind init script takes care of this issue. See "Specifying the System's NIS Domain Name" on page 659.
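
The following shell function is an added example, not part of the original text. It audits a yp.conf file for the three formats listed above, flags broadcast entries, and checks that at least one server is pinned for a given NIS domain. The function name audit_yp_conf, the temporary sample file, and the server name plum are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a yp.conf file against the three server formats.
# Usage: audit_yp_conf FILE [NISDOMAIN]
# Prints one finding per line. Returns 1 if a broadcast or unrecognized
# entry is found, or if no server is pinned for NISDOMAIN; 2 if unreadable.
audit_yp_conf() {
    conf=$1
    want=${2:-}
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    awk -v want="$want" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        $1 == "domain" && $3 == "server" && NF == 4 {
            printf "OK line %d: domain %s pinned to %s\n", NR, $2, $4
            if ($2 == want) pinned++
            next
        }
        $1 == "domain" && $3 == "broadcast" && NF == 3 {
            printf "RISK line %d: domain %s uses broadcast; a rogue server can answer\n", NR, $2
            bad++; next
        }
        $1 == "ypserver" && NF == 2 {        # applies to the local NIS domain
            printf "OK line %d: ypserver %s\n", NR, $2
            pinned++; next
        }
        { printf "WARN line %d: unrecognized entry: %s\n", NR, $0; bad++ }
        END {
            if (want != "" && pinned == 0) {
                printf "RISK no server pinned for NIS domain %s\n", want
                bad++
            }
            exit (bad > 0)
        }
    ' "$conf"
}

# Constructed sample file (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# yp.conf (constructed sample)
domain mgs server peach
domain mgs broadcast
ypserver plum
EOF
audit_yp_conf "$sample" mgs || echo "audit exit status: $?"
rm -f "$sample"
```

On a live client, pass /etc/yp.conf and the name that nisdomainname reports.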

Start ypbind

The Red Hat Linux ypbind daemon is ypbind-mt renamed (that is, a newer, multithreaded version of the older ypbind daemon). Use chkconfig to cause ypbind to start each time the system enters multiuser mode and service to start ypbind immediately. For more information refer to "Prerequisites" on page 659.

Testing the Setup

After starting ypbind, use nisdomainname to make sure the correct NIS domain name is set. Refer to "Specifying the System's NIS Domain Name" on page 659 if you need to set the NIS domain name. Next check that the system is set up to connect to the proper server. The name of the server is set in /etc/yp.conf (page 660).

$ ypwhich
peach


Make sure the NIS server is up and running (replace server with the name of the server that ypwhich returned):

$ /usr/sbin/rpcinfo -u server ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting


After starting ypbind, check that it has registered with portmap:

$ /usr/sbin/rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting


If rpcinfo does not report that ypbind is ready and waiting, check that ypbind is running:

$ /sbin/service ypbind status
ypbind (pid 28689) is running...


If NIS is still not working properly, use the init script to stop ypbind. Start it again with debugging turned on:

# /sbin/service ypbind stop
Shutting down NIS services:                                [  OK  ]
# /sbin/ypbind -debug
...


The debug option keeps ypbind in the foreground and causes it to send error messages and debugging output to standard error.

yppasswd: Changes NIS Passwords

The yppasswd utility, not to be confused with the yppasswdd daemon (two d's; see page 669) that runs on the NIS server, replaces the functionality of passwd on clients when you are using NIS for passwords. Where passwd changes password information in the /etc/shadow file on the local system, yppasswd changes password information in the /etc/shadow file on the NIS master server and in the NIS shadow.byname map. Optionally, yppasswd can also change user information in the /etc/passwd file and passwd.byname map.

The yppasswd utility changes the way you log in on all systems in the NIS domain that use NIS to authenticate passwords. The yppasswd utility cannot change root and system passwords; by default, NIS does not store passwords of users with UIDs less than 500. You have to use passwd to change these users' passwords locally.

To use yppasswd, the yppasswdd daemon must be running on the NIS master server.

passwd versus yppasswd

When a user who is authenticated using NIS passwords runs passwd to change her password, all appears to work properly, yet the user's password is not changed: The user needs to use yppasswd. The root and system accounts, in contrast, must use passwd to change their passwords. A common solution to this problem is first to rename passwd, for example, to rootpasswd, and then to change its permissions so only root can execute it.[1] Second, create a link to yppasswd named passwd:

[1] The passwd utility has setuid permission with execute permission for all users. If, after changing its name and permissions, you want to restore its original name and permissions, first change its name and then give the command chmod 4511 /usr/bin/passwd.

# ls -l /usr/bin/passwd
-r-s--x--x 1 root root 16336 Feb 13 2006 /usr/bin/passwd
# mv /usr/bin/passwd /usr/bin/rootpasswd
# chmod 700 /usr/bin/rootpasswd
# ln -s /usr/bin/yppasswd /usr/bin/passwd
# ls -l /usr/bin/{yppasswd,passwd,rootpasswd}
lrwxrwxrwx 1 root root    17 Oct  8 15:32 /usr/bin/passwd -> /usr/bin/yppasswd
-rwx------ 1 root root 16336 Feb 13 2006 /usr/bin/rootpasswd
-r-xr-xr-x 3 root root 18544 Jan 25 2006 /usr/bin/yppasswd


With this setup, a nonroot user changing his password using passwd will run yppasswd, which is appropriate. If root or a system account user runs passwd (really yppasswd), yppasswd displays an error that will ideally remind the administrator to run rootpasswd.

Modifying User Information

As long as yppasswdd is running on the NIS master server, a user can use yppasswd from an NIS client to change her NIS password and root can change any user's password (except that of root or a system account user). A user can also use yppasswd to change his login shell and GECOS (page 1033) information if the yppasswdd daemon is set up to permit these changes. Refer to "yppasswdd: The NIS Password Update Daemon" on page 669 for information on how to configure yppasswdd to permit users to change these fields. Use the -l option with yppasswd to change the login shell. Use -f to change GECOS information:

$ yppasswd -f
Changing NIS account information for mark on peach.
Please enter password:
Changing full name for mark on peach.
To accept the default, simply press return. To enter an empty field, type the word "none".
Name [MSobell]: Mark G Sobell
Location []: SF
Office Phone []:
Home Phone []:

The GECOS information has been changed on peach.

$ ypmatch mark passwd
mark:$1$X49qrfYv/:500:500:Mark G Sobell,SF:/home/mark:/bin/bash


Adding and Removing Users

There are several ways to add and remove users from the NIS passwd map. The easiest approach is to keep the /etc/passwd file on the NIS master server synchronized with the passwd map. You can keep these files synchronized by making changes to the passwd file using standard tools such as passwd and running ypinit to update the map (page 668).




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
EAN: 2147483647
Year: 2006
Pages: 383
