tutor:NIS
From Dgiref
Introduction
An NIS server is comprised of several applications. They include the following:
- /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
- /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
- /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.
- /usr/sbin/ypserv — This is the NIS server daemon.
NIS is rather insecure by today's standards. It has no host authentication mechanisms and passes all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken to set up a network that uses NIS. Further complicating the situation, the default configuration of NIS is inherently insecure.
- http://www.yolinux.com/TUTORIALS/NIS.html
- http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS
- http://www.ntlug.org/NIS/Presentation
- http://www.freebsd.org/doc/en/books/handbook/network-nis.html
- http://www.linux-nis.org/nis-howto/HOWTO/index.html
- http://www.labtestproject.com/linnet/nis-nfs.html
Server
Requires RPM packages:
- ypbind - RPC port binding service
- portmap - RPC port mapping
- ypserv - NIS server daemons
- yp-tools - NIS support commands (ypcat, yppasswd, ypwhich, ...)
- nscd - Handles password and group lookups and caches the results. Used by LDAP and NIS. The nscd configuration defines which files are supported by NIS; for example, authentication requires passwd, shadow and group file support. Uses the configuration file /etc/nscd.conf
yum -y install ypbind portmap ypserv yp-tools nscd
The configuration below assumes that the NIS server will also be using NIS for authentication.
    # cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=hostname-of-this-nis-server
    NISDOMAIN=name-of-domain

    # cat /etc/yp.conf
    domain name-of-domain server 127.0.0.1

    # cat /etc/nsswitch.conf
    passwd: files nis
    shadow: files nis
    group: files nis

    # cat /etc/ypserv.conf
    dns: no
    files: 30
    slp: no
    slp_timeout: 3600
    xfr_check_port: yes
    * : * : shadow.byname : port
    * : * : passwd.adjunct.byname : port

    # cat /var/yp/securenets
    # The access from all hosts is permitted.
    0.0.0.0 0.0.0.0
    255.255.255.0 10.0.171.0

    # cat /var/yp/nicknames
    passwd passwd.byname
    group group.byname
    networks networks.byaddr
    hosts hosts.byname
    protocols protocols.bynumber
    services services.byname
    aliases mail.aliases
    ethers ethers.byname

    # execute:
    nisdomainname name-of-domain
    service portmap restart
    service yppasswdd start
    service ypserv start
    /usr/lib64/yp/ypinit -m
    make -C /var/yp
    service ypbind start
    service ypxfrd start

    # Set YP services to run on boot-up:
    chkconfig yppasswdd on
    chkconfig ypserv on
    chkconfig ypbind on
    chkconfig ypxfrd on
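The securenets file above begins with a 0.0.0.0 0.0.0.0 rule, which admits every host to a service the introduction describes as unauthenticated and unencrypted. As an added example (not part of the original page), this Python script parses securenets-style rules and compares the page's file with a restricted variant. The function names, the `max_hosts` threshold and the `RESTRICTED` sample are assumptions made for illustration.

```python
import ipaddress

# Constructed samples. PAGE_FILE repeats the two rules shown on this page;
# RESTRICTED is an assumed alternative: localhost plus the 10.0.171.0/24 LAN.
PAGE_FILE = """\
# netmask      network
0.0.0.0        0.0.0.0
255.255.255.0  10.0.171.0
"""
RESTRICTED = """\
host 127.0.0.1
255.255.255.0  10.0.171.0
"""

def parse_securenets(text):
    """Return [(line_no, IPv4Network)] for each rule in securenets text."""
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"line {line_no}: incomplete rule {raw!r}")
        if fields[0] == "host":                 # "host a.b.c.d" is a /32 rule
            mask, addr = "255.255.255.255", fields[1]
        else:                                   # "netmask network"
            mask, addr = fields[0], fields[1]
        # strict=False tolerates host bits set in the network column
        net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        rules.append((line_no, net))
    return rules

def audit(text, max_hosts=1024):
    """Flag rules that admit every host or more than max_hosts addresses."""
    findings = []
    for line_no, net in parse_securenets(text):
        if net.prefixlen == 0:
            findings.append((line_no, str(net), "permits every host"))
        elif net.num_addresses > max_hosts:
            findings.append((line_no, str(net), "network larger than max_hosts"))
    return findings

def is_permitted(text, client_ip):
    """True if any rule in the securenets text covers client_ip."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in net for _, net in parse_securenets(text))

if __name__ == "__main__":
    for name, text in (("page file", PAGE_FILE), ("restricted", RESTRICTED)):
        print(name, audit(text), is_permitted(text, "203.0.113.5"))
```

The localhost rule is kept in the restricted variant because this server binds to itself through 127.0.0.1 in /etc/yp.conf.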
Client
Requires RPM packages:
- ypbind
- portmap
- yp-tools
- nscd
    # cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=client-hostname
    NISDOMAIN=name-of-domain

    # cat /etc/yp.conf
    domain name-of-domain server IP.addr.nis.server

    # cat /etc/nsswitch.conf
    ...
    ...
    passwd: files nis
    shadow: files nis
    group: files nis
    ...
    ...
- nisdomainname name-of-domain
Start NIS client services:
- service portmap restart
- service ypbind start
- service nscd start (optional - used to cache login and passwd info to improve authentication response time)
- chkconfig ypbind on
- chkconfig nscd on
Test:
- Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind
- List passwd file: ypcat passwd
- ypmatch nisuser passwd