Network Information Service: NIS
|
| < Day Day Up > |
|
On networks supporting NFS, many resources and devices are shared by the same systems. Normally, each system would need its own configuration files for each device or resource. Changes would entail updating each system individually. However, NFS provides a special service called Network Information System (NIS) that maintains such configuration files for the entire network. For changes, you only need to update the NIS files. NIS works for information required for most administrative tasks, such as those relating to users, network access, or devices. For example, you can maintain user and password information with an NIS service, having only to update those NIS password files.
| Note | NIS+ is a more advanced form of NIS that provides support for encryption and authentication. However, it is more difficult to administer. |
NIS was developed by Sun Microsystems and was originally known as Sun's Yellow Pages (YP). NIS files are kept on an NIS server (NIS servers are still sometimes referred to as YP servers). Individual systems on a network use NIS clients to make requests from the NIS server. The NIS server maintains its information on special database files called maps. Linux versions exist for both NIS clients and servers. Linux NIS clients easily connect to any network using NIS.
The NIS client is installed as part of the initial installation on most Linux distributions. NIS client programs are ypbind (the NIS client daemon), ypwhich, ypcat, yppoll, ypmatch, yppasswd, and ypset. Each has its own Man page with details of its use. The NIS server programs are ypserv (the NIS server), ypinit, yppasswdd, yppush, ypxfr, and netgroup—each also with its own Man page. You can start and stop the ypbind client daemon and the ypserv NIS server with the service command. Alternatively, you can use redhat-config-services to start and stop the NIS client and server daemons.
service ypbind start service ypserv start
| Note | You can use Red Hat's authconfig-gtx to specify the remote NIS server on your network. |
NIS Servers
You have significant flexibility when setting up NIS servers. If you have a small network, you may need only one NIS domain, for which you would have one NIS server. For larger networks, you can divide your network into several NIS domains, each with its own server. Even if you only have one domain, you may want several NIS slave servers. For an NIS domain, you can have a master NIS server and several NIS slave servers. The slave servers can act as backups, in case the master server goes down. A slave server only contains copies of the configuration files set up on the NIS master server.
Configuring an NIS server involves several steps, listed here:
-
Define the NIS domain name that the NIS server will work for.
-
Start the ypserv daemon.
-
In the /var/yp/Makefile file, set any NIS server options and specify the configuration files to manage.
-
Use ypinit to create the NIS versions of the configuration files.
Defining NIS Domain
You first have to define an NIS domain name. You can have the NIS domain defined whenever you start up your system, by defining the NIS_DOMAIN variable in the /etc/sysconfig/network file. To this variable, you assign the name you want to give your NIS domain. The following example defines the NIS domain called myturtles.nis:
NIS_DOMAIN=myturtles.nis
When first setting up the server, you may want to define your NIS domain name without having to restart your system. You can do so with the domainname command, as shown here:
domainname myturtles.nis
You can start the NIS server with the ypserv startup script:
service ypserv start
Setting NIS Server Options
Then edit the /var/yp/Makefile file to select the configuration files that the NIS server will maintain, along with setting any NIS server options. Standard options as well as most commonly used configuration files are usually already set up.
NIS server options are listed first. The NOPUSH option will be set to true, indicating that there are no slave NIS servers. If you are setting up any slave NIS servers for this domain, you will have to set this option to no:
NOPUSH = true
The minimum user and group IDs are set to 500. These are set using the MINUID and MINGID variables:
MINUID=500 MINGID=500
Most distributions use a shadow password and shadow group files to encrypt passwords and groups. The MERGE_PASSWD and MERGE_GROUP settings will be set to true. NIS will merge shadow password information into its password file:
MERGE_PASSWD=true MERGE_GROUP=true
The directories where NIS will find password and other configuration files are then defined using the YPSRCDIR and YPPWDIR variables. Normally, the /etc directory holds your configuration files:
YPSRCDIR = /etc YPPWDDIR = /etc
Then the configuration files that NIS can manage are listed. Here, you will find entries like PASSWD for password, GROUP for your groups, and PRINTCAP for your printers. A sample of the entries are shown here:
GROUP = $(YPPWDDIR)/group PASSWD = $(YPPWDDIR)/passwd SHADOW = $(YPPWDDIR)/shadow GSHADOW = $(YPPWDDIR)/gshadow ALIASES = /etc/aliases ETHERS = $(YPSRCDIR)/ethers # ethernet addresses (for rarpd) BOOTPARAMS = $(YPSRCDIR)/bootparams # for booting Sun boxes (bootparamd) HOSTS = $(YPSRCDIR)/hosts NETWORKS = $(YPSRCDIR)/networks PRINTCAP = $(YPSRCDIR)/printcap PROTOCOLS = $(YPSRCDIR)/protocols
Specifying Shared Files
The actual files that are shared on the network are listed in the all: entry, which follows the list of configuration files. Only some of the files defined are listed as shared, those listed in the first line after all:. The remaining lines are automatically commented out (with a preceding # sign). You can add files by removing the # sign or moving their entries to the first line.
all: passwd group hosts rpc services netid protocols mail \ # netgrp shadow publickey networks ethers bootparams printcap \ # amd.home auto.master auto.home auto.local passwd.adjunct \ # timezone locale netmasks
Be sure not to touch the remainder of the Makefile.
Creating the NIS Database
You then enter the ypinit command with the -m option to create the NIS database consisting of the NIS configuration files. Your NIS server will be detected, and then you will be asked to enter the names of any slave NIS servers used on this NIS domain. If there are any, enter them. When you are finished, press CTRL-D. The NIS database files are then created.
ypinit -m
For an NIS slave server, you would use
ypinit -s masterhost
Should you receive the following error, it most likely means that your NIS server was not running. Be sure to start ypserv before you run ypinit.
failed to send 'clear' to local ypserv: RPC: Program not registeredUpdating
If you later need to update your NIS server files, you would change to the /var/yp directory and issue the make command.
cd /var/yp make
Controlling Access
The /var/yp/securenets file enables access by hosts to your NIS server. Hosts can be referenced by network or individually. Entries consist of a subnet mask and an IP address. For example, you could give access to all the hosts in a local network with the following entry:
255.255.255.0 192.168.1.0
For individual hosts, you can use the mask 255.255.255.255 or just the term "host," as shown here:
host 192.168.1.4
Controlling how different hosts access NIS shared data is determined in /etc/ypserv.conf.
Netgroups
You can use NIS to set up netgroups, which allows you to create network-level groups of users. Whereas normal groups are created locally on separate hosts, an NIS netgroup can be used for network-wide services. For example, you can use NIS netgroups to control access to NFS file systems. Netgroups are defined in the /etc/netgroup file. Entries consist of a netgroup name followed by member identifiers consisting of three segments: the host, the user, and the NIS domain:
group (host, user, NIs-domain) (host, user, NIS-domain) ...
For example, in the NIS domain myturtles.nis, to define a group called myprojects that consists of the user chris on the host rabbit, and the user george on the host lizard.mytrek.com, you would use the following:
myprojects (rabbit, chris, myturtles.nis) \ (lizard.mytrek.com, george, myturtles.nis)
A blank segment will match on any value. The following entry includes all users on the host rabbit:
newgame (rabbit,,myturtles.ni)
If your use of a group doesn't need either a user or a host segment, you can eliminate one or the other using a hyphen (-). The following example generates a netgroup consisting just of hostnames, with no usernames:
myservers (rabbit,-,) (turtle.mytrek.com,-,)
You can then reference different netgroups in various configuration files by prefixing the netgroup name with an @ sign, as shown here:
@newgame
NIS Clients
For a host to use NIS on your network, you first need to specify your NIS domain name on that host. In addition, your NIS clients need to know the name of your NIS server. If you installed Linux on a network already running NIS, you may have already entered this information during the installation process.
Specifying the NIS Domain and Server
On Red Hat, you can specify your NIS domain name and server with the authconfg-gtk tool, which you can access from the System Settings window. In that window, select Authentication. This opens the Authentication Configuration window. On the User Information panel, click the Configure NIS button to open a dialog where you can enter the name of the NIS domain as well as the NIS server. Be sure to also enable NIS on the User Information panel. The NIS domain will be saved in the /etc/sysconfig/network file, and the NIS server, in the /etc/yp.conf file.
Accessing the Server
Each NIS client host on your network then has to run the ypbind NIS client to access the server. In the client's /etc/yp.conf file, you need to specify the NIS server it will use. The following entry would reference the NIS server at 192.168.1.1:
ypserver 192.168.1.1
Alternatively, you can specify the NIS domain name and the server it uses:
domain mydomain.nis server servername
The authconfg-gtk tool will make the following entry in /etc/yp.conf for the myturtle.nis NIS domain using the turtle.mytrek.com server:
domain myturtles.nis server turtle.mytrek.com
To start the NIS client, you run the ypbind script:
service ypbind start
Then, to check that all is working, you can use ypcat to try to list the NIS password file:
ypcat passwd.
You can use ypcat to list any of the NIS configuration files. The ypwhich command will display the name of the NIS server your client is using. ypmatch can be used to find a particular entry in a configuration file.
ypmatch cecelia passwd.
Users can change their passwords in the NIS passwd file by using the yppasswd command. It works the same as the passwd command. You will also have to have the yppasswdd daemon running.
Specifying Configuration Files with nsswitch.conf
To ensure that the client accesses the NIS server for a particular configuration file, you should specify nisplus in file's entry in the /etc/nsswitch.conf file. The nisplus option refers to the NIS version 3 used currently on Red Hat. The nis option is used to refer to the older NIS version 2. The /etc/nsswitch.conf file specifies where a host should look for certain kinds of information. For example, the following entry says to check the local configuration files (files) first and then the NIS server (nisplus) for passwords data:
passwd: files nisplus
The files designation says to first use the system's own files, those on the local host. nis says to look up entries in the NIS files, accessing the NIS server. nisplus says to use NIS+ files maintained by the NIS+ server. dns says to perform DNS lookups; it can only be used on files like hosts that contain hostnames. These are some standard entries:
passwd: files nisplus shadow: files nisplus group: files nisplus hosts: files nisplus dns bootparams: nisplus [NOTFOUND=return] files ethers: files netmasks: files networks: files protocols: files nisplus rpc: files services: files nisplus netgroup: files nisplus publickey: nisplus automount: files nisplus aliases: files nisplus
|
| < Day Day Up > |
|
EAN: 2147483647
Pages: 328