Linux [ServerSupport]

Configuring NIS (Network Information Service) Server - Linux

Packages Required for Server

  • ypbind - RPC port binding service
  • portmap - RPC port mapping
  • ypserv - NIS server daemons
  • yp-tools - NIS support commands (ypcat, yppasswd, ypwhich, ...)
  • nscd - Handles password and group lookups and caches the results. Used by LDAP and NIS. The nscd configuration defines which files are supported by NIS; for example, authentication requires passwd, shadow and group file support. Its configuration file is /etc/nscd.conf

Here workstation1 (192.168.11.5) is the client and nis1 (192.168.11.2) is the server.

rpm -qa ypserv make portmap

Check for available packages

[root@workstn1 ~]# yum list installed ypserv make portmap ypbind ypserv ypxfrd yppasswdd
Installed Packages Version Package Status
make.i386 1:3.81-3.el5 installed
ypbind.i386 3:1.19-8.el5 installed
Available Packages Version Package Status
ypbind.i386 3:1.19-12.el5_6.1 updates
ypserv.i386 2.19-5.el5_6.1 updates

Now Install the required Packages

[root@workstation1 ~]# yum install ypserv ypbind

Setting up Install Process
        Parsing package install arguments
        Resolving Dependencies
        --> Running transaction check
        ---> Package ypbind.i386 3:1.19-12.el5_6.1 set to be updated
        ---> Package ypserv.i386 0:2.19-5.el5_6.1 set to be updated
        --> Finished Dependency Resolution

        Dependencies Resolved

        ==========================================================
        Package                 Arch       Version          Repository   Size
        ==========================================================
        Installing:
        ypserv                  i386       2.19-5.el5_6.1   updates      135 k
        Updating:
        ypbind                  i386       3:1.19-12.el5_6.1  updates    37 k
        Transaction Summary
        ==========================================================
        Install      1 Package(s)
        Update       1 Package(s)
        Remove       0 Package(s)

        Total download size: 172 k
        Is this ok [y/N]: y
        Downloading Packages:
        (1/2): ypserv-2.19-5.el5_ 100% |=========================| 135 kB    00:02
        (2/2): ypbind-1.19-12.el5 100% |=========================|  37 kB    00:01
        Running rpm_check_debug
        Running Transaction Test
        Finished Transaction Test
        Transaction Test Succeeded
        Running Transaction
        Installing: ypserv                       ######################### [1/3]
        Updating  : ypbind                       ######################### [2/3]
        Cleanup   : ypbind                       ######################### [3/3]

        Installed: ypserv.i386 0:2.19-5.el5_6.1
        Updated: ypbind.i386 3:1.19-12.el5_6.1
        Complete!
Editing of network, yp.conf files

[root@nis1 ~]# vim /etc/sysconfig/network

Line1: NETWORKING=yes
Line2: NETWORKING_IPV6=yes
Line3: HOSTNAME=sahyadri.nisserver.com ########
Line4: NISDOMAIN=sahyadri.nisserver.com #####
Now save and exit.

[root@nis1 ~]# vim /etc/yp.conf
            Add the lines below
            domain nis1.nisserver.com server 127.0.0.1 (optional)
            ypserver 127.0.0.1

Note: Where 127.0.0.1 is the "localhost" IP address of the NIS server. In this configuration, this NIS server is using NIS to authenticate logins, not just the client.

File: /etc/nsswitch.conf
            passwd:     files nis
            shadow:     files nis
            group:      files nis

Note: This sets the order in which authentication sources are processed. In this case, the local /etc/passwd file is checked first, before checking with NIS for password authentication. It is recommended that the root password be authenticated locally using "files", with all other users authenticated using NIS.

File: /etc/ypserv.conf
        dns: no
        files: 30
        slp: no
        slp_timeout: 3600
        xfr_check_port: yes
        * : * : shadow.byname : port
        * : * : passwd.adjunct.byname : port

File: /var/yp/securenets

Configuration authorizes only a single subnet to authenticate with the NIS server:

        host 127.0.0.1
        255.255.255.0 XXX.XXX.XXX.0

The "host" statement allows access for a specified single host.

Configuration to allow two subnets to authenticate with the NIS server:

        host 127.0.0.1
        255.255.254.0 192.168.105.0

Allows the range of IP addresses 192.168.105.0 to 192.168.106.255 to authenticate with the NIS server.

Configuration to allow everyone to authenticate with the NIS server:

        255.0.0.0 127.0.0.0
        0.0.0.0 0.0.0.0

For more on the use of netmasks with IP addresses, see the YoLinux Networking tutorial and Subnets.
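
As an added example (not part of the original tutorial), the shell sketch below audits securenets entries like the ones shown above: it flags pairs that match every client address and networks with bits set outside their netmask, and prints the address range of each well-formed pair. The sample content is constructed from the page's entries plus an assumed 192.168.11.0 client subnet, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit "netmask network" pairs in the /var/yp/securenets format.

# Dotted quad -> 32-bit integer.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Read securenets lines on stdin and print one finding per entry.
audit_securenets() (
  while read -r first second rest; do
    case "$first" in ''|'#'*) continue ;; esac      # skip blanks and comments
    if [ "$first" = host ]; then
      echo "OK host $second"
      continue
    fi
    mask=$(ip2int "$first")
    net=$(ip2int "$second")
    hostbits=$(( ~$mask & 4294967295 ))             # bits the netmask leaves free
    if [ "$mask" -eq 0 ]; then
      echo "OPEN $first $second matches every client address"
    elif [ $(( $net & $hostbits )) -ne 0 ]; then
      echo "MISALIGNED $first $second has network bits outside the netmask"
    else
      echo "OK net $(int2ip "$net")-$(int2ip $(( $net | $hostbits )))"
    fi
  done
)

# Constructed sample: the page's entries plus an assumed client subnet.
sample_securenets() {
  cat <<'EOF'
# constructed sample, not a real server's file
host 127.0.0.1
255.255.255.0 192.168.11.0
255.255.254.0 192.168.105.0
255.0.0.0 127.0.0.0
0.0.0.0 0.0.0.0
EOF
}

sample_securenets | audit_securenets
```

On a server, run `audit_securenets < /var/yp/securenets`. The `255.255.254.0 192.168.105.0` pair is reported as MISALIGNED because 105 is odd, so that network address does not sit on a 255.255.254.0 boundary.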

File: /var/yp/nicknames

Note: This is the default from the initial RPM installation and does not require any change for most configurations.

        passwd          passwd.byname
        group           group.byname
        networks        networks.byaddr
        hosts           hosts.byname
        protocols       protocols.bynumber
        services        services.byname
        aliases         mail.aliases
        ethers          ethers.byname

As root, issue the following configuration commands:

        # nisdomainname name-of-domain
        # service portmap restart
        # service yppasswdd start
        # service ypserv start
        # /usr/lib/yp/ypinit -m
        # make -C /var/yp
        # service ypbind start

The command "make -C /var/yp" is equivalent to:

        cd /var/yp
        make

Now start the key NIS server related daemons
    [root@sahyadri ~]# service network restart
    [root@sahyadri ~]# service ypserv restart
    Stopping YP server services:                     [FAILED]
    Setting NIS domain name ganga.sonicchip.com:     [  OK  ]
    Starting YP server services:                     [  OK  ]
    
    [root@sahyadri ~]# nisdomainname
    sahyadri.sonicchip.com
    
    [root@sahyadri ~]# service portmap restart
    Stopping portmap:                                [  OK  ]
    Starting portmap:                                [  OK  ]
    You have new mail in /var/spool/mail/root
    
    [root@sahyadri ~]# service yppasswdd restart
    Stopping YP passwd service:                      [FAILED]
    Starting YP passwd service:                      [  OK  ]
    
    [root@sahyadri ~]# service ypserv restart
    Stopping YP server services:                     [  OK  ]
    Starting YP server services:                     [  OK  ]
    
    [root@sahyadri ~]# chkconfig ypserv on
    [root@sahyadri ~]# chkconfig yppasswdd on
    [root@sahyadri ~]# chkconfig portmap on

Required NIS Server Daemons

    Daemon Name      Purpose
    portmap          The foundation RPC daemon upon which NIS runs
    yppasswdd        Lets users change their passwords on the NIS server from NIS clients
    ypserv           Main NIS server daemon
    ypbind           Main NIS client daemon
    ypxfrd           Used to speed up the transfer of very large NIS maps

Make sure they are all running before continuing to the next step. For this, we can use the rpcinfo command.

    rpcinfo -p localhost
    program vers proto   port
    100000    2   tcp    111  portmapper
    100003    4   tcp   2049  nfs
    100005    3   tcp    750  mountd
    100009    1   udp    654  yppasswdd
    100004    2   udp    676  ypserv

Note: The ypbind & ypxfrd daemons won’t start properly until after you initialize the NIS domain. You’ll start these daemons after initialization is completed.

Initialize your NIS Domain (Sahyadri)

Now that you have decided on the name of the NIS domain, you’ll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is ganga.
With this procedure, all non-privileged accounts are automatically accessible via NIS.

[root@sahyadri ~]# /usr/lib/yp/ypinit -m

    At this point, we have to construct a list of the hosts which will run NIS
    servers.  sahaydri.nisserver.com is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
    next host to add:  sahaydri.nisserver.com
    next host to add:  <here press <control D>> if you don't want to add.
    The current list of NIS servers looks like this:
    sahyadri.linuxserver.com
    Is this correct?  [y/n: y]  y
    We need a few minutes to build the databases...
    Building /var/yp/(none)/ypservers...
    Running /var/yp/Makefile...
    Domain name cannot be (none)
    sahaydri.linuxserver.com has been set up as a NIS master server.
    Now you can run ypinit -s sahaydri.linuxserver.com on all slave server.

Note: Make sure portmap is running before trying this step or you’ll get errors.

Start the ypbind & ypxfrd Daemons on NIS Server (Ganga)


        [root@sahyadri ~]# service ypbind start
        Setting NIS domain name sahaydri.nisserver.com:      [  OK  ]
        Binding to the NIS domain:                        [  OK  ]
        Listening for an NIS domain server.
        
        [root@sahyadri ~]# chkconfig ypxfrd on
        [root@sahyadri ~]# chkconfig ypbind on

Make sure the Daemons are Running
        
        [root@sahyadri ~]# rpcinfo -p localhost
        program vers proto   port
            100000    2   udp    111  portmapper
            100024    1   tcp    800  status
            100021    4   tcp  54347  nlockmgr
            100011    2   tcp    717  rquotad
            100003    4   tcp   2049  nfs
            100005    3   tcp    750  mountd
            100009    1   udp    654  yppasswdd
            100004    2   udp    676  ypserv
            100007    2   udp    934  ypbind
         600100069    1   udp    963  fypxfrd

Adding NIS User on Server


[root@sahyadri ~]# useradd -g nisusers user1
[root@sahyadri ~]# passwd user1
changing password for user user1
New Password:
Retype new password:
Passwd: all authentication tokens updated successfully.

[root@sahyadri ~]# cd /var/yp/
[root@sahyadri yp]# ll
total 48
drwxr-xr-x 2 root root  4096 Jul 22 13:19 binding
drwxrwxr-x 2 root root  4096 Jul 22 13:14 sahyadri.nisserver.com
-rw-r--r-- 1 root root 16669 Apr 14 19:19 Makefile
-rw-r--r-- 1 root root   185 Jan  6  2007 nicknames
drwxrwxr-x 2 root root  4096 Jul 22 13:17 (none)
-rw-rw-r-- 1 root root    20 Jul 22 13:17 ypservers

[root@ganga yp]# make   or  [root@sahyadri]# make -C /var/yp 
gmake[1]: Entering directory `/var/yp/sahaydri.nisserver.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/sahaydri.nisserver.com'

You can check whether the user’s authentication information has been updated by using the ypmatch command, which should return the user’s encrypted password string.

[root@sahyadri yp]# ypmatch Vasant passwd
Vasant:$1$tSf8OySw$HrUphpf9X9IrDzZG289r4/:541:601:Vasant B Alagundagi, Mail-vasant@sonicchip.com, Cell-9900785307:/home/Vasant:/bin/bash

You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn’t provide an encrypted password when run on an NIS server; it just provides the user’s entry in the /etc/passwd file. On a NIS client, the results are identical, with both showing the encrypted password.

[root@sahyadri yp]# getent passwd Vasant
Vasant:x:541:601:Vasant B Alagundagi, Mail-vasant@sonicchip.com, Cell-9900785307:/home/Vasant:/bin/bash
    
[root@sahyadri ~]# /sbin/chkconfig ypserv --list ; /sbin/chkconfig ypbind --list; /sbin/chkconfig ypxfrd --list 
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

[root@sahyadri ~]# /sbin/chkconfig ypserv on ; /sbin/chkconfig ypbind on; /sbin/chkconfig ypxfrd on 

The following must always be on

[root@sahyadri ~]# /sbin/chkconfig ypserv --list ; /sbin/chkconfig ypbind --list; /sbin/chkconfig ypxfrd --list; /sbin/chkconfig yppasswdd --list; /sbin/chkconfig portmap --list
ypserv          0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypbind          0:off   1:off   2:on    3:on    4:on    5:on    6:off
ypxfrd          0:off   1:off   2:on    3:on    4:on    5:on    6:off
yppasswdd       0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off

9.7 Configuring NIS Client

Now that the NIS server is configured, it’s time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.

Required RPM packages for NIS client:

  • ypbind
  • portmap
  • yp-tools
  • nscd

Using AuthConfig

The authconfig, authconfig-tui, authconfig-gui or system-config-authentication program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.

  • [root@ganga~]# authconfig-tui
  • Stopping portmap:               [  OK  ]
    Starting portmap:               [  OK  ]
    Binding to the NIS domain:      [  OK  ]
    Listening for an NIS domain server.
    

    Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.

  • [root@ganga ~]# cat /etc/yp.conf
    domain sahaydri.nisserver.com server 192.168.11.2
  • [root@ganga ~]# cat /etc/sysconfig/network
    NISDOMAIN=sahaydri.nisserver.com

    In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login file.

  • [root@ganga ~]# cat /etc/nsswitch.conf
    passwd:     files nis
    shadow:     files nis
    group:      files nis
  • Note: You can also locate a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools directory

Start the NIS Client Related Daemons

Start the ypbind NIS client and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.


[root@ganga ~]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.

[root@ganga ~]# chkconfig ypbind on
[root@ganga ~]# service portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]

[root@ganga ~]# chkconfig portmap on
[root@ganga sysbkup2dec2011_1]# /sbin/chkconfig ypbind --list; /sbin/chkconfig portmap --list
ypbind          0:off   1:off   2:on    3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
Restart on Server Sahyadri

[root@sahyadri scisysconfig_files]# service ypxfrd restart
Stopping YP map server:                                    [  OK  ]
Starting YP map server:                                    [  OK  ]

[root@sahyadri scisysconfig_files]# chkconfig ypxfrd on

Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.

Verify Name Resolution

As the configuration examples refer to the NIS client and server by their hostnames, you’ll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.

Test NIS Access to the NIS Server from client end


[root@ganga ~]# ypcat passwd
Vasant:$1$tSf8OySw$HrUphpf9X9IrDzZG289r4/:541:601:Vasant B Alagundagi, Mail-vasant@sonicchip.com, Cell-9900785307:/home/Vasant:/bin/bash
spai:$1$McZlETtN$altCj8DSMFzcV52uIZBWD.:502:607:Suman Pai:/home/spai:/bin/bash
nantha:$1$p3wrcb8t$5627SuLd.f7dyjAznEur91:616:615:Name-Nantha Kumar, Cell-8050790785:/home/nantha:/bin/bash
ramkumar:$1$5Ca2V9Ln$7ndZGFfXD3CPcXMJMLHEG.:556:607:Ramkumar G:/home/ramkumar:/bin/bash
sureshkumar:$1$0JzeP7Q9$mRMQaeJ9e70cpy25CLT4b1:512:501:Sureshkumar:/home/sureshkumar:/bin/bash

[root@ganga ~]# ypmatch Vasant passwd 
Vasant:$1$tSf8OySw$HrUphpf9X9IrDzZG289r4/:541:601:Vasant B Alagundagi, Mail-vasant@sonicchip.com, Cell-9900785307:/home/Vasant:/bin/bash

[root@ganga ~]# getent passwd Vasant
Vasant:x:541:601:Vasant B Alagundagi, Mail-vasant@sonicchip.com, Cell-9900785307:/home/Vasant:/bin/bash
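
The ypmatch and ypcat output above, on the server and on the client, shows password hashes carried in the passwd map. As an added example (not part of the original tutorial), this shell sketch reads `ypcat passwd` style lines and reports each entry whose password field is a real hash, naming the scheme, plus any UID 0 entry, which the nsswitch note earlier recommends keeping local. The sample lines and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find password hashes exposed in passwd-map output.

# Read passwd-map lines on stdin; print one finding per problem entry.
audit_passwd_map() {
  awk -F: '
    # Name the crypt(3) scheme of a password field, or "" for a placeholder.
    function scheme(field,   h) {
      h = field
      sub(/^!+/, "", h)            # a locked entry still carries its hash
      if (substr(h, 1, 3) == "$1$") return "md5crypt"
      if (substr(h, 1, 2) == "$2")  return "bcrypt"
      if (substr(h, 1, 3) == "$5$") return "sha256crypt"
      if (substr(h, 1, 3) == "$6$") return "sha512crypt"
      if (length(h) == 13)          return "des-crypt"
      return ""                    # x, *, !! or empty
    }
    NF >= 7 {
      s = scheme($2)
      if (s != "")    print "EXPOSED " $1 " " s
      if ($3 == "0")  print "UID0 " $1 " is served from NIS"
    }'
}

# Constructed sample in the format of the ypcat output (hash values are fake).
sample_map() {
  cat <<'EOF'
alice:$1$cnstrctd$CONSTRUCTEDmd5cryptVal:541:601:Alice Example:/home/alice:/bin/bash
bob:x:502:607:Bob Example:/home/bob:/bin/bash
carol:!$6$cnstrctd$CONSTRUCTEDsha512cryptValue:616:615:Carol Example:/home/carol:/bin/bash
root:x:0:0:root:/root:/bin/bash
EOF
}

sample_map | audit_passwd_map
```

On a bound client, run `ypcat passwd | audit_passwd_map`; no output means the map carries only placeholders and no UID 0 account.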

Changing Password on NIS Client

yppasswd -p loginname

User Administration:

  • Add a new user: (as root on NIS server)
    useradd -g user-group user-id (or, also create home directory: useradd -m -g user-group user-id)
  • make -C /var/yp
    Updates local NIS databases.

User password management:

Users will now change their passwords using the NIS password command yppasswd instead of passwd, which only affects the local password file. When using an NIS slave (described below), do not modify the password while logged into the NIS master.
Also see the YoLinux.com tutorial: Web CGI interface to manage NIS passwords.

Miscellaneous

Note: Possible sources of error include:

  • Incorrect authconfig setup resulting in errors in the /etc/yp.conf, /etc/sysconfig/network and /etc/nsswitch.conf file
  • Failure to run the ypinit command on the NIS server
  • NIS not being started on the NIS server or client
  • Poor routing between the server and client, or the existence of a firewall that’s blocking traffic

Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.

Man pages: http://www.yolinux.com/TUTORIALS/NIS.html

  • nisdomainname - show or set the system’s NIS/YP domain name
  • ypinit - NIS database install and build program
  • yppush - Push configuration change notification to clients.
  • revnetgroup - Generate reverse netgroup data
  • ypserv - NIS server
  • ypxfr - Transfer NIS database from remote server to local host
  • yppoll - Return version and master server of a NIS map
  • ypset - Bind ypbind to a particular NIS server
  • ypcat - Print values of all keys in a NIS database
  • ypwhich - Return name of NIS server or map master
  • ypmatch - Print the values of one or more keys from a NIS map
  • yptest - Test NIS configuration
  • yppasswd - (Also: ypchfn, ypchsh) - Change NIS password in the NIS database
  • yppasswdd - NIS password update daemon
  • ypxfrd - NIS map transfer server for NIS master/slave servers.
  • ypbind - NIS binding process
  • nscd - Name service cache daemon

Configuration Files:

  • /etc/yp.conf
  • /etc/ypserv.conf
  • /etc/netgroup
  • /etc/nscd.conf
  • /etc/nsswitch.conf
  • /etc/nickname

Glossary

  • NSS: Name Service Switch. The /etc/nsswitch.conf file determines the order of lookups performed.
  • RPC: Remote Procedure Call. RPC routines allow C programs to make procedure calls on other machines across the network.
  • YP: Yellow Pages(tm), a registered trademark in the UK of British Telecom plc. forcing Sun to rename it to NIS. The NIS commands retain the "yp" prefix.
  • HostName: The name of the computer system. This is typically configured using Linux OS installation.
  • Host Name Resolution: The lookup by a client to find the IP address given the host name so that it can create a network connection.

TIP to disable shadow file for ypinit -m

Edit the lines of /var/yp/Makefile shown below (the leading number is the line number).
43 MERGE_PASSWD=false #Added by Vasant
48 MERGE_GROUP=false  #Added by Vasant
76 #By Vasant SHADOW           = $(YPPWDDIR)/shadow
77 #By Vasant GSHADOW     = $(YPPWDDIR)/gshadow

NIS maintenance scripts:

Read NIS database files and generate traditional /etc/passwd and /etc/shadow files.

File: nis2pass

#!/bin/bash
# Rebuild passwd (hash replaced by "x") and shadow (hash kept) from the passwd.byname map.
/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":x:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' > passwd
umask 077  # the generated shadow file holds password hashes
/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":" $2 ":13539:0:99999:7:::"}' > shadow

9.18 Password Aging

http://www.linuxtopia.org/online_books/rhel5/rhel5_administration/rhel5_ch-sec-network.html

chage <username>
The following is a sample interactive session using this command:

            
        [root@interch-dev1 ~]# chage vasant
        Changing the aging information for davido
        Enter the new value, or press ENTER for the default

        Minimum Password Age [0]: 10
        Maximum Password Age [99999]: 90
        Last Password Change (YYYY-MM-DD) [2006-08-18]:
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
        
        [root@interch-dev1 ~]#