Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

NIS Minitutorial

Prev

Contents Next

Adapted from Wikipedia

The Network Information Service, or NIS (originally called Yellow Pages or YP), is a client–server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed the NIS; the technology is licensed to virtually all other Unix vendors.

Because British Telecom PLC owned the name "Yellow Pages" as a registered trademark in the United Kingdom for its paper-based, commercial telephone directory, Sun changed the name of its system to NIS, though all the commands and functions still start with "yp".

A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. For example, in a common UNIX environment, the list of users for identification is placed in /etc/passwd, and secret authentication hashes in /etc/shadow. NIS adds another "global" user list which is used for identifying users on any client of the NIS domain.

Administrators have the ability to configure NIS to serve password data to outside processes to authenticate users using various versions of the Unix crypt(3) hash algorithms. However, in such cases, any NIS(0307) client can retrieve the entire password database for offline inspection. Kerberos was designed to handle authentication in a more secure manner.

NIS use client server architecture with one master server (and possibly one or several secondary slave servers, necessary for reliability) and many clients. NIS uses several daemons on the server and on all clients to enable the NIS system.

On the NIS master and any NIS slaves, several NIS server daemons should be run.

The binding process begins with ypbind sending out a broadcast message for any NIS masters on the network to respond with their IP address and the port number to send requests on. If more than one NIS master responds to the request, only the first received reply is used. If for some reason ypbind finds it isn't getting replies from the NIS master, it assumes that the master has crashed and retransmits a request for a master.

The main daemons involved in the running of an NIS domain are:

You can find out which NIS master any client machine is bound to with the command ypwhich

Configuring The NFS Server

Adapted from Quick HOWTO Ch30 Configuring NIS - Linux Home Networking

Here are the steps to configure the NFS server in this scenario:

1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.

/home                   *(rw,sync)

2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.

# exportfs -a#

3. Make sure the required nfs, nfslock, and portmap daemons are both running and configured to start after the next reboot.

# chkconfig nfslock on
# chkconfig nfs on
# chkconfig portmap on
# service portmap start
# service nfslock start
# service nfs start

After configuring the NFS server, we have to configure its clients, This will be covered next.

3. Make sure you can mount master's /home directory on the new /home directory you just created. Unmount it once everything looks correct.

[root@node01 tmp]# mount 192.168.1.100:/home /home/
[root@node01 tmp]# ls /home
ftpinstall  nisuser  quotauser  node01  www
[root@node01 tmp]# umount /home
[root@node01 tmp]#

Configuring autofs automounting  on all nodes

Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.

#/etc/auto.master
/home      /etc/auto.home --timeout 600

5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.

#/etc/auto.home
*   -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
   192.168.1.100:/home/&

6. Start autofs and make sure it starts after the next reboot with the chkconfig command.

[root@node01 tmp]# chkconfig autofs on
[root@node01 tmp]# service autofs restart
Stopping automount:[  OK  ]
Starting automount:[  OK  ]
[root@node01 tmp]#

After doing this, you won't be able to see the contents of the /home directory on master as user root. This is because by default NFS activates the root squash feature, which disables this user from having privileged access to directories on remote NFS servers. You'll be able to test this later after NIS is configured.

All newly added Linux users will now be assigned a home directory under the new remote /home directory. This scheme will make the users feel their home directories are local, when in reality they are automatically mounted and accessed over your network.

Configuring The NIS Server

NFS only covers file sharing over the network. You now have to configure NIS login authentication for the lab students before the job is done. The configuration of the NIS server is not difficult, but requires many steps that you may overlook. There also multiple daemons that all needs to be started in particular order

Daemon Name Purpose
portmap The foundation RPC daemon upon which NIS runs.
yppasswdd Lets users change their passwords on the NIS server from NIS clients
ypserv Main NIS server daemon
ypbind Main NIS client daemon
ypxfrd Used to speed up the transfer of very large NIS maps

All the packages required for NIS clients are a standard part of most RHEL/CentOS installations.

You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the school, call the domain mycompany.com.  Often people use DNS domain as a name.

#/etc/sysconfig/network
NISDOMAIN="mycompany.com"

NIS servers also have to be NIS clients themselves, so you'll have to edit the NIS client configuration file /etc/yp.conf to list the domain's NIS server as being the server itself or localhost.

# /etc/yp.conf - ypbind configuration file
ypserver 127.0.0.1

Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot.

# service portmap start
# service yppasswdd start
# service ypserv start
# chkconfig portmap on
# chkconfig yppasswdd on
# chkconfig ypserv on

Make sure they are all running before continuing to the next step. You can use the rpcinfo command to do this.

# rpcinfo -p localhost | egrep "port|yp"
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100009    1   udp    681  yppasswdd
    100004    2   udp    698  ypserv
    100004    1   udp    698  ypserv
    100004    2   tcp    701  ypserv
    100004    1   tcp    701  ypserv
#

The ypbind and ypxfrd daemons won't start properly until after you initialize the NIS domain. You'll start these daemons after initialization is completed.

Now that you have decided on the name of the NIS domain, you'll have to use the ypinit command to create the associated authentication files for the domain. You will be prompted for the name of the NIS server, which in this case is master.

With this procedure, all nonprivileged accounts are automatically accessible via NIS.

# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS 
servers.  master is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  master
        next host to add:
The current list of NIS servers looks like this:
 
master
 
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/NISDOMAIN/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/NISDOMAIN'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/NISDOMAIN'
 
master has been set up as a NIS master server.
 
Now you can run ypinit -s master on all slave server.
#

Note: Make sure portmap is running before trying this step or you'll get errors, such as:

failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...

You will have to delete the /var/yp/NISDOMAIN directory and restart portmap, yppasswd, and ypserv before you'll be able to do this again successfully.

You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been created.

# service ypbind start
# service ypxfrd start
# chkconfig ypbind on
# chkconfig ypxfrd on

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.

# rpcinfo -p localhost | egrep "port|yp|nfs"
    program vers proto   port
     100000    2   tcp    111  portmapper
     100000    2   udp    111  portmapper
     100003    2   udp   2049  nfs
     100003    3   udp   2049  nfs
     100021    1   udp   1024  nlockmgr
     100021    3   udp   1024  nlockmgr
     100021    4   udp   1024  nlockmgr
     100004    2   udp    784  ypserv
     100004    1   udp    784  ypserv
     100004    2   tcp    787  ypserv
     100004    1   tcp    787  ypserv
     100009    1   udp    798  yppasswdd
  600100069    1   udp    850  fypxfrd
  600100069    1   tcp    852  fypxfrd
     100007    2   udp    924  ypbind
     100007    1   udp    924  ypbind
     100007    2   tcp    927  ypbind
     100007    1   tcp    927  ypbind
#

Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new user account. In this case, you'll create a user account called nisuser and give it a new password.

Once this is complete, you then have to update the NIS domain's authentication files by executing the make command in the /var/yp directory.

This procedure makes all NIS-enabled, nonprivileged accounts become automatically accessible via NIS, not just newly created ones. It also exports all the user's characteristics stored in the /etc/passwd and /etc/group files, such as the login shell, the user's group, and home directory.

# useradd -g users nisuser
# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# cd /var/yp
[root@ypmaster]# make
gmake[1]: Entering directory `/var/yp/NISDOMAIN'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/NISDOMAIN'
[root@ypmaster]#

You can check to see if the user's authentication information has been updated by using the ypmatch command, which should return the user's encrypted password string.

[root@ypmaster]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
[root@ypmaster]

You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn't provide an encrypted password when run on an NIS server, it just provides the user's entry in the /etc/passwd file. On a NIS client, the results are identical with both showing the encrypted password.

[root@ypmaster]# getent passwd nisuser
nisuser:x:504:100::/home/nisuser:/bin/bash
[root@ypmaster]#

NOTE:

To set password you need to use yppasswd utility not passwd
 
See Changing Passwords
From root use
yppasswd -p user_name

 

Configuring The NIS Client

Now that the NIS server is configured, it's time to configure the NIS clients. There are a number of related configuration files that you need to edit to get it to work. Take a look at the procedure.

The authconfig or the authconfig-tui program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.

[root@node01 tmp]# authconfig-tui

Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.

# /etc/yp.conf - ypbind configuration file
domain mycompany.com server 192.168.1.100

#/etc/sysconfig/network
NISDOMAIN=mycompany.com

In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which certain data sources should be searched for name lookups, such as those in DNS, LDAP, and NIS. Here you can see where NIS entries were added for the important login files.

#/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis

Note: There is a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools* directory.

Start the ypbind NIS client, and portmap daemons in the /etc/init.d directory and use the chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo command to ensure they are running correctly.

[root@node01 tmp]# service portmap start
Starting portmapper: [  OK  ]
[root@node01 tmp]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.
[root@node01 tmp]#

[root@node01 tmp]# chkconfig ypbind on
[root@node01 tmp]# chkconfig portmap on

Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.

As the configuration examples refer to the NIS client and server by their hostnames, you'll have to make sure the names resolve correctly to IP addresses. This can be configured either in DNS, when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both Linux boxes.

#
# File: /etc/hosts (node01)
#
192.168.1.100    master

 
#
# File: /etc/hosts (master)
#
192.168.1.102    node01

You can run the ypcat, ypmatch, and getent commands on the nodes served by the NIS master to make sure communication to the server is correct.

[root@node01 tmp]# ypcat passwd
nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
quotauser:!!:503:100::/home/quotauser:/bin/bash
ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
node01:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
[root@node01 tmp]#

[root@node01 tmp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@node01 tmp]#

[root@node01 tmp]# getent passwd nisuser
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@node01 tmp]#

Possible sources of error would include:

Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on the client and server for entries that may provide additional clues.

Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this area could be due to firewalls blocking TELNET or SSH access and the TELNET and SSH server process not being started on the clients.

Try logging into the NIS client via telnet if it is enabled

# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@node01 nisuser]$

Try logging into the NIS client via SSH.

# ssh -l nisuser 192.168.1.102
[email protected]'s password:
[nisuser@node01 nisuser]$

In some versions of Linux, the NIS client's SSH daemon doesn't re-read the /etc/nsswitch.conf file you just modified until SSH is restarted. SSH logins, therefore, won't query the NIS server until this is done. Restart SSH on the NIS client.

[root@node01 root]# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]
[root@node01 root]#


   

Daemon Errors

The yppasswdd daemon must be running on both the client and server for password changes to work correctly. When they aren't running, you'll get errors.

[root@node01 etc]# yppasswd -p nisuser
yppasswd: yppasswdd not running on NIS master host ("master").
[root@node01 etc]#

You'll also get a similar error if you attempt to change an NIS password on an NIS master server in a master and slave configuration.


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

Recommended Links

Google matched content

Softpanorama Recommended

Top articles

Learn Linux CCNA CEH CCNP IPv6

Sites



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019