Setting Up an NIS Server


This section discusses how to set up an NIS server.

Prerequisites

Decide on an NIS domain name. Some sites use their DNS domain name as the NIS domain name. Choosing a different name is more secure.

Install the following package:

  • ypserv

Run chkconfig to cause ypserv to start when the system enters multiuser mode:

# /sbin/chkconfig ypserv on


On the master server only, run chkconfig to cause the map server, ypxfrd (page 668), to start when the system enters multiuser mode:

# /sbin/chkconfig ypxfrd on


In addition, on the master server only, run chkconfig to cause the NIS password update daemon, yppasswdd (page 669), to start when the system enters multiuser mode:

# /sbin/chkconfig yppasswdd on


After configuring ypserv, start it with the ypserv init script:

# /sbin/service ypserv start
Starting YP server services:


Next start the ypxfrd daemon (page 668) on the system running the master server:

# /sbin/service ypxfrd start
Starting YP map server:                                   [  OK  ]


Now start the yppasswdd daemon (page 669) on the master server:

# /sbin/service yppasswdd start
Starting YP passwd service:                               [  OK  ]


Notes

An NIS client can run on the same system as an NIS server.

There must be only one master server for each domain.

You can run multiple NIS domain servers (for different domains) on a single system.

An NIS server serves the NIS domains listed in /var/yp. For a more secure system, remove the maps directories from /var/yp when disabling an NIS server.

SELinux


When SELinux is set to use a targeted policy, NIS is protected by SELinux. You can disable this protection if necessary. For more information refer to "Setting the Targeted Policy with system-config-securitylevel" on page 402.

Step-by-Step Setup

This section lists the steps involved in setting up and starting an NIS server.

Specify the System's NIS Domain Name

Specify the system's NIS domain name by adding the following line to the /etc/sysconfig/network file:


NISDOMAIN=nisdomainname

where nisdomainname is the name of the NIS domain that the local system belongs to. For more information refer to "Specifying the System's NIS Domain Name" on page 659.

Edit /etc/ypserv.conf to Configure the NIS Server

The /etc/ypserv.conf file, which holds NIS server configuration information, specifies options and access rules. Option rules specify server options and have the following format:


option: value

Options

Following is a list of options and their default values:

files


Specifies the maximum number of map files that ypserv caches. Set to 0 to turn off caching. Default is 30.

trusted_master


On a slave server, the name or IP address of the master server from which new maps will be accepted. Default is no master server, meaning no new maps are accepted.

xfer_check_port


YES (default) requires the master server to run on a privileged port (page 1049). NO allows it to run on any port.

Access Rules

Access rules, which specify which hosts and domains can access which maps, have the following format:


host:domain:map:security

where host and domain specify the IP address and NIS domain this rule applies to; map is the name of the map that this rule applies to; and security is either none (always allow access), port (allow access from a privileged port), or deny (never allow access).

The following lines appear in the ypserv.conf file supplied with Red Hat Linux:

$ cat /etc/ypserv.conf
...
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*                          : *       : shadow.byname         : port
*                          : *       : passwd.adjunct.byname : port
...


These lines restrict the shadow.byname and passwd.adjunct.byname (the passwd map with shadow [asterisk] entries) maps to access from ports numbered less than 1024. As the comment points out, however, anyone using a DOS or early Windows system on the network can read the maps because they can access ports numbered less than 1024.

The following example describes a LAN with some addresses that you want to grant NIS access from and some that you do not; perhaps you have a wireless segment or some public network connections that you do not want to expose to NIS. You can list the systems or an IP subnet that you want to grant access to in ypserv.conf. Anyone logging in on another IP address will then be denied NIS services. The following line from ypserv.conf grants access to anyone logging in from an IP address in the range of 192.168.0.1 to 192.168.0.255 (specified as 192.168.0.1 with a subnet mask [page 423] of /24):

$ cat /etc/ypserv.conf
...
192.168.0.1/24 : * : * : none

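The following evaluator is added here as an illustration; it is not code from the book or from ypserv. It applies rules of the form host:domain:map:security in file order, the first rule matching host, domain and map deciding, with the three security values behaving as described above. The sample rule file is constructed from the lines quoted above; what ypserv does when no rule matches is reported as None rather than assumed.

```python
import ipaddress

PRIVILEGED_PORT_MAX = 1023  # source ports below 1024 count as privileged

# Constructed sample: the two lines quoted from Red Hat's ypserv.conf plus the
# subnet rule from the LAN example; the option line shows that the parser skips it.
SAMPLE_CONF = """\
files: 30
*              : * : shadow.byname         : port
*              : * : passwd.adjunct.byname : port
192.168.0.1/24 : * : *                     : none
"""


def parse_rules(text):
    """Return the access rules as (host, domain, map, security) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.count(":") != 3:               # option lines have a single colon
            continue
        rules.append(tuple(field.strip() for field in line.split(":")))
    return rules


def host_matches(pattern, client_ip):
    """'*' matches every host; otherwise pattern is an address or address/mask."""
    if pattern == "*":
        return True
    # strict=False accepts 192.168.0.1/24 (host bits set) exactly as the page writes it.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)


def check_access(rules, client_ip, client_port, domain, mapname):
    """First rule matching host, domain and map decides: True = allowed, False = denied.
    None means no rule matched, so ypserv's other checks (securenets, map flags) decide."""
    for host, dom, mp, security in rules:
        if not host_matches(host, client_ip):
            continue
        if dom not in ("*", domain) or mp not in ("*", mapname):
            continue
        if security == "none":
            return True
        if security == "port":       # allowed only from a privileged port
            return client_port <= PRIVILEGED_PORT_MAX
        if security == "deny":
            return False
        raise ValueError(f"unknown security level {security!r}")
    return None
```

With these rules a request for shadow.byname from an unprivileged port is refused even from the 192.168.0.0/24 segment, because the shadow rule comes first.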

Create /var/yp/securenets to Enhance Security

To enhance system security, create the /var/yp/securenets file, which prevents unauthorized systems from sending RPC requests to the NIS server and retrieving NIS maps. Notably securenets prevents unauthorized users from retrieving the shadow map, which contains encrypted passwords. When securenets does not exist or is empty, an NIS server accepts requests from any system.

Each line of securenets lists a netmask and IP address. NIS accepts requests from systems whose IP addresses are specified in securenets and ignores and logs requests from other addresses. You must include the (local) server system as localhost (127.0.0.1) in securenets. A simple securenets file follows:

$ cat /var/yp/securenets
# you must accept requests from localhost
255.255.255.255         127.0.0.1
#
# accept requests from IP addresses 192.168.0.1 - 192.168.0.62
255.255.255.192         192.168.0.0
#
# accept requests from IP addresses starting with 192.168.14
255.255.255.0           192.168.14.0

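As an added illustration (not from the book or from ypserv), the following reads a file in the netmask-then-address format shown above, reports which client addresses it admits, and flags the two mistakes that matter most: omitting localhost and listing a zero-length mask that admits every system. The sample file is a constructed copy of the one above.

```python
import ipaddress

# Constructed copy of the securenets file shown on this page.
SECURENETS = """\
# you must accept requests from localhost
255.255.255.255         127.0.0.1
#
# accept requests from IP addresses 192.168.0.1 - 192.168.0.62
255.255.255.192         192.168.0.0
#
# accept requests from IP addresses starting with 192.168.14
255.255.255.0           192.168.14.0
"""


def parse_securenets(text):
    """Return the listed networks in file order; each line is 'netmask address'."""
    nets = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # comments and blank lines are ignored
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"securenets line {lineno}: expected 'netmask address'")
        mask, addr = fields
        # strict=False tolerates host bits set in the address field
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def request_accepted(nets, client_ip):
    """True if ypserv answers this client; otherwise the request is ignored and logged."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def lint_securenets(nets):
    """Report a missing localhost entry (the server cannot query itself) and any
    zero-length mask, which admits every system as if the file were empty."""
    problems = []
    if not request_accepted(nets, "127.0.0.1"):
        problems.append("127.0.0.1 is not listed; add '255.255.255.255 127.0.0.1'")
    for net in nets:
        if net.prefixlen == 0:
            problems.append(f"{net} accepts requests from any system")
    return problems
```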

Edit /var/yp/Makefile to Specify Maps

The make utility (page 842), controlled by /var/yp/Makefile, uses makedbm to create the NIS maps that hold the information that NIS distributes. When you run ypinit on the master server, ypinit calls make: You do not need to run make manually.

Edit /var/yp/Makefile to set options and specify which maps to create. The following sections discuss /var/yp/Makefile in more detail.

Variables

Following is a list of variables you can set in /var/yp/Makefile. The values following the words Red Hat are the values set in the file distributed by Red Hat.

B


Do not change.

Red Hat: not set

NOPUSH


Specifies that ypserv is not to copy (push) maps to slave servers. Set to TRUE if you do not have any slave NIS servers; set to FALSE to cause NIS to copy maps to slave servers.

Red Hat: TRUE

MINUID, MINGID


Specifies the lowest UID and GID numbers to include in NIS maps. In the /etc/passwd and /etc/group files, lower ID numbers belong to root and system accounts and groups. To enhance security, NIS does not distribute password and group information about these users and groups. Set MINUID to the lowest UID number you want to include in the NIS maps and set MINGID to the lowest GID number you want to include.

Red Hat: 500/500

NFSNOBODYUID, NFSNOBODYGID


Specifies the UID and GID of the user named nfsnobody. NIS does not export values for this user. Set to 0 to export maps for nfsnobody.

Red Hat: 65534/65534

MERGE_PASSWD, MERGE_GROUP


TRUE merges the /etc/shadow and /etc/passwd files and the /etc/gshadow and /etc/group files in the passwd and group maps, enabling shadow user passwords and group passwords.

Red Hat: TRUE/TRUE

File Locations

The next sections of /var/yp/Makefile specify the standard file locations; you do not normally need to change them. This part of the makefile is broken into the following groups:

Commands


Locates gawk and make and sets a value for umask (page 420)

Source directories


Locates directories that contain NIS source files

NIS source files


Locates NIS source files used to build the NIS database

Servers


Locates the file that lists NIS servers

The all: Target

The all: target in /var/yp/Makefile specifies the maps that make is to build for NIS:

all:    passwd group hosts rpc services netid protocols mail \
        # netgrp shadow publickey networks ethers bootparams printcap \
        # amd.home auto.master auto.home auto.local passwd.adjunct \
        # timezone locale netmasks


The first line of the all: target lists the maps that make builds by default. This line starts with the word all, followed by a colon (:) and a TAB. Because each of the first three lines of the all: target ends with a backslash, each of the four physical lines in the all: target is part of one long logical line. The last three physical lines are commented out. Uncomment lines and delete or move map names until the list matches your needs.

As your needs change, you can edit the all: target in Makefile and run make in the /var/yp directory to modify the list of maps that NIS distributes.

Start the Servers

Start the master server and then the slave servers after completing the preceding steps. Use chkconfig to cause ypserv to start each time the system enters multiuser mode and service to start ypserv immediately. For more information refer to "Prerequisites" on page 663.

ypxfrd: the map server


The ypxfrd daemon speeds up the process of copying large NIS databases from servers to slaves. It allows slaves to copy the maps, thereby avoiding the need for each slave to copy the raw data and then compile the maps. When an NIS slave receives a message from the server stating that there is a new map, it starts ypxfr, which reads the map from the server.

The ypxfrd daemon runs on the master server only; it is not necessary to run it on slave servers. Use chkconfig to cause ypxfrd to start each time the system enters multiuser mode and service to start ypxfrd immediately. For more information refer to "Prerequisites" on page 663.

ypinit: Builds or Imports the Maps

The ypinit utility builds or imports and then installs the NIS database. On the master server, ypinit gathers information from the passwd, group, hosts, networks, services, protocols, netgroup, and rpc files in /etc and builds the database. On a slave server, ypinit copies the database from the master server.

You must run ypinit by giving its absolute pathname (/usr/lib/yp/ypinit). Use the -m option to create the domain subdirectory under /var/yp and build the maps that go in it on the master server; use the -s master option on slave servers to import maps from master (the master server). In the following example, ypinit asks for the name of each of the slave servers; it already has the name of the master server because this command is run on that system (peach in the example). Terminate the list with CONTROL-D on a line by itself. After you respond to the query about the list of servers being correct, ypinit builds the ypservers map and calls make with /var/yp/Makefile, which builds the maps specified in Makefile.

# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers.  peach is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  peach
        next host to add:  speedy
        next host to add:  CONTROL-D
The current list of NIS servers looks like this:

peach
speedy

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/mgs/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/mgs'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/mgs'

peach has been set up as a NIS master server.

Now you can run ypinit -s peach on all slave server.


Testing

From the server, check that ypserv is connected to portmap:

# rpcinfo -p| grep ypserv
    100004    2   udp    849  ypserv
    100004    1   udp    849  ypserv
    100004    2   tcp    852  ypserv
    100004    1   tcp    852  ypserv


Again from the server system, make sure the NIS server is up and running:

$ /usr/sbin/rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting


If the server is not working properly, use service to stop ypserv. Start it again with debugging turned on:

# /sbin/service ypserv stop
Stopping YP server services:                               [  OK  ]
# /usr/sbin/ypserv --debug
...


The --debug option keeps ypserv in the foreground and causes it to send error messages and debugging output to standard error.

yppasswdd: The NIS Password Update Daemon

The NIS password update daemon, yppasswdd, runs only on the master server; it is not necessary to run it on slave servers. (If the master server is down and you try to change your password from a client, you get an error message.) When a user runs yppasswd (page 662) on a client, yppasswd exchanges information with the yppasswdd daemon to update the user's password (and optionally other) information in the NIS shadow (and optionally passwd) map and in the /etc/shadow (and optionally /etc/passwd) file on the NIS master server. Password change requests are sent to syslogd (page 562).

Start yppasswdd

Use chkconfig to cause yppasswdd to start each time the system enters multiuser mode and service to start yppasswdd immediately. For more information refer to "Prerequisites" on page 663.

Allow GECOS and Login Shell Modification

By default, yppasswdd does not allow users to change GECOS (page 1033) information or the login shell when they run yppasswd. You can allow users to change this information with options on the command line when you start yppasswdd or, more conveniently, by modifying the /etc/sysconfig/yppasswdd configuration file. The -e chfn option to yppasswdd allows users to change their GECOS information; -e chsh allows users to change their login shell. When you set the options in the /etc/sysconfig/yppasswdd file, they are set automatically each time the yppasswdd init file is run.

$ cat /etc/sysconfig/yppasswdd
...
YPPASSWDD_ARGS=" -e chfn -e chsh"





A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
Pages: 383
