NIS Server - Master Setup


tested on debian11 and slack150

Introduction

This is not trivial. The NIS service is built on a few components:

rpc
ypserv      -- the server daemon
rpc.ypxfrd  -- NIS map transfer server # (debian)
ypbind      -- the client daemon
rpc.yppasswdd   -- NIS password update daemon # (debian) no need as we do not use passwords

So the setup process needs to follow a certain order:

  1. configure yp.conf and ypserv.conf
  2. start and enable daemons at boot-time
  3. generate the maps

Warning

NIS is not exactly known for its security, so preferably use it only on a dedicated and isolated network.

Requirements

make sure the master and the slave can resolve their own names and each other's

vi /etc/hosts

x.x.x.x     ypmaster.angrycow.ru ypmaster
x.x.x.x     ypslave.angrycow.ru ypslave

Install

debian

apt update
apt dist-upgrade
apt autoremove --purge
apt install nis
# The following NEW packages will be installed:
#  libnss-nis make nis nscd rpcbind yp-tools ypbind-mt ypserv

slackware

slackpkg search nfs-utils # we need /sbin/rpc.statd anyhow
slackpkg search rpcbind
slackpkg search yptools
slackpkg search make-4
slackpkg search guile
slackpkg search gc-8
slackpkg search libnss # optional

those are enabled already

ls -lF /sbin/rpcbind /sbin/rpc.statd /usr/sbin/rpc.ypxfrd

those we start manually instead

ls -lF /etc/rc.d/rc.rpc /etc/rc.d/rc.yp
chmod -x /etc/rc.d/rc.rpc
chmod -x /etc/rc.d/rc.yp

Shared preparation (master & slave)

back up the default setup before you initialize the NIS service, so you can start from scratch if necessary.

cd /var/
tar czpf yp.tar.gz yp/

setup the NIS domain name

domain=angrycow.ru

domainname $domain

we’re going for some level of brute force here, making sure any required file setting is there

ls -lF /etc/{mydomain,domainname,defaultdomain}

cd /etc/
echo $domain > /etc/domainname
ln -s domainname /etc/mydomain
ln -s domainname /etc/defaultdomain

check

domainname

# gnu/linux only
nisdomainname

main config

# default file exists on gnu/linux only
mv -i /etc/yp.conf /etc/yp.conf.dist

vi /etc/yp.conf

domain angrycow.ru server ypmaster
domain angrycow.ru server ypslave

# that command on gnu/linux only
ypserver ypmaster
#ypserver ypslave

Daemons (master + slave)

bring a few daemons to life

the daemons need to be up to begin with (so you can generate the maps)

debian

systemctl list-unit-files | grep ^yp

systemctl restart rpcbind
systemctl restart ypserv.service
systemctl restart ypbind.service # needs yp.conf
systemctl stop yppasswdd.service

systemctl enable rpcbind
systemctl enable ypbind.service
systemctl enable ypserv.service
systemctl disable yppasswdd.service

systemctl status rpcbind
systemctl status ypserv.service
systemctl status ypbind.service
#systemctl status yppasswdd.service

pgrep -a rpcbind
pgrep -a ypserv
pgrep -a ypbind
#pgrep -a yppasswdd

# only on master
systemctl restart ypxfrd.service
systemctl enable ypxfrd.service
systemctl status ypxfrd.service
pgrep -a ypxfrd

slackware

this replaces /etc/rc.d/rc.rpc and /etc/rc.d/rc.yp

vi /etc/rc.d/rc.local

# rpc
/sbin/rpcbind -s -w -l -h CLUSTER-IP
/sbin/rpc.statd

# server
/usr/sbin/ypserv
/usr/sbin/rpc.ypxfrd

# client
/usr/sbin/ypbind # w/o bcast

check

pgrep -a rpcbind
pgrep -a statd
pgrep -a ypserv
pgrep -a xfrd
pgrep -a ypbind

and the shutdown process

vi /etc/rc.d/rc.local_shutdown

pkill ypbind
pkill xfrd
pkill ypserv
pkill statd
pkill rpcbind

Setup

setup maps

mv -i /etc/ypserv.conf /etc/ypserv.conf.dist
grep -vE '^#|^$' /etc/ypserv.conf.dist > /etc/ypserv.conf
vi /etc/ypserv.conf

#*                            : *       : *                : none
*                          : *       : passwd.byname    : port
*                          : *       : passwd.byuid     : port
dns: yes

prepare maps

# master only
groupadd -g 1005 nis

# not present on the slave
grep ^nis /etc/group

cd /var/yp/

mv -i Makefile Makefile.dist
grep -vE '^#|^$' Makefile.dist > Makefile.clean
grep -vE '^#|^$' Makefile.dist > Makefile
vi Makefile

NOPUSH=false
MINUID = 1000
MINGID = 1000

MERGE_PASSWD = true
MERGE_GROUP = true

all:    passwd group

enable ACLs

# slackware
ls -lF /var/yp/securenets
mv -i /var/yp/securenets /var/yp/securenets.dist
grep -vE '^$|^#' /var/yp/securenets.dist > /var/yp/securenets
vi /var/yp/securenets

# debian
ls -lF /etc/ypserv.securenets
mv -i /etc/ypserv.securenets /etc/ypserv.securenets.dist
grep -vE '^$|^#' /etc/ypserv.securenets.dist > /etc/ypserv.securenets
vi /etc/ypserv.securenets

# netmask first, then network
#0.0.0.0         0.0.0.0
#::/0
255.255.255.0   x.x.x.0
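
The securenets file is the only access control ypserv applies per client, and its field order (netmask first, then network) is easy to get backwards. The following linter is an added example, not part of the original page or of ypserv; the function names and the sample addresses (192.0.2.0/24 standing in for x.x.x.0) are assumptions.

```sh
# Added example: lint the IPv4 entries of an ypserv securenets file.
# lint_securenets FILE|-   prints one finding per line, returns 1 if any.
lint_securenets() {
    awk '
    # Split dotted quad a into o[1..4]; 0 unless it is a valid IPv4 address.
    function quad(a, o,    i) {
        if (split(a, o, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    # A netmask is a run of 255s, at most one partial octet, then 0s.
    function maskok(m,    i, tail) {
        for (i = 1; i <= 4; i++) {
            if (tail && m[i] + 0 != 0) return 0
            if (m[i] + 0 == 255) continue
            if (!index(" 0 128 192 224 240 248 252 254 ", " " (m[i] + 0) " ")) return 0
            tail = 1
        }
        return 1
    }
    function report(msg) { printf "line %d: %s: %s\n", NR, msg, $0; bad = 1 }
    /^[ \t]*(#|$)/  { next }                       # comment or blank line
    $1 == "host"    { if (!quad($2, n)) report("bad host address"); next }
    index($1, ":")  { if ($1 == "::/0") report("allows every IPv6 host"); next }  # other IPv6 prefixes are not judged
    !quad($1, m) || !quad($2, n) { report("expected: netmask network"); next }
    !maskok(m)      { report("first field is not a netmask (netmask comes first)"); next }
    $1 == "0.0.0.0" { report("allows every IPv4 host"); next }
    {   # each network octet must be a multiple of the block size its mask octet leaves
        for (i = 1; i <= 4; i++)
            if (n[i] % (256 - m[i]) != 0) { report("network has bits outside the netmask"); next }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample; 192.0.2.0/24 (documentation range) stands in for x.x.x.0.
sample_securenets() {
    cat <<'EOF'
host 127.0.0.1
255.255.255.0   192.0.2.0
192.0.2.0       255.255.255.0
255.255.255.0   192.0.2.17
0.0.0.0         0.0.0.0
::/0
EOF
}
sample_securenets | lint_securenets - || true    # prints the four findings
```

Run it against `/var/yp/securenets` (slackware) or `/etc/ypserv.securenets` (debian) before restarting ypserv.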

Master setup

initialize the NIS databases

# debian
/usr/lib/yp/ypinit -m

# slackware
/usr/lib64/yp/ypinit -m

next host to add:  ypmaster.angrycow.ru
next host to add:  ypslave.angrycow.ru
^D

ls -lF /var/yp/$domain/passwd.byuid

Acceptance testing

check that you can see nobody/nogroup and dedicated nis group 1005

rpcinfo -p localhost
ypcat -d $domain passwd.byuid
ypcat -d $domain group.bygid
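
Both this acceptance check and the "Program not registered" error under Troubleshooting depend on which RPC programs are registered with rpcbind. The script below is an added example, not part of the original page: it reads `rpcinfo -p` output and reports the programs this setup expects but does not find, plus rpc.yppasswdd if it is still registered although the page disables it. The function names and the sample output are constructed.

```sh
# Added example: check "rpcinfo -p" output for the RPC programs this setup expects.
# check_nis_rpc master|slave   reads rpcinfo output on stdin, returns 1 on findings.
check_nis_rpc() {
    awk -v role="$1" '
    $1 ~ /^[0-9]+$/ { seen[$1] = 1 }          # column 1 is the RPC program number
    END {
        # program numbers as listed in /etc/rpc
        want = "100000:rpcbind 100004:ypserv 100007:ypbind"
        if (role == "master") want = want " 600100069:rpc.ypxfrd"   # ypxfrd: master only
        n = split(want, w, " ")
        for (i = 1; i <= n; i++) {
            split(w[i], kv, ":")
            if (!(kv[1] in seen)) { printf "MISSING %s (program %s)\n", kv[2], kv[1]; rc = 1 }
        }
        # rpc.yppasswdd is stopped and disabled in this setup, so it should be absent
        if ("100009" in seen) { print "UNEXPECTED rpc.yppasswdd (program 100009)"; rc = 1 }
        exit rc + 0
    }'
}

# Constructed sample: a master where ypserv is down and yppasswdd was left running.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    825  ypbind
    100007    2   tcp    826  ypbind
 600100069    1   udp    830  fypxfrd
    100009    1   udp    840  yppasswdd
EOF
}

sample_rpcinfo | check_nis_rpc master || true
# live use on the master: rpcinfo -p localhost | check_nis_rpc master
```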

Client setup

see nis-client.

but also configure the master as client to itself.

Slave setup

once everything works with a single NIS server, you might consider adding a slave for HA. see nis-slave.

Operations

see nis-ops.

Troubleshooting

failed to send 'clear' to local ypserv: RPC: Program not registered
Updating group.byname...

==> to initialize the master, not only start rpc + ypbind, but also ypserv

No such map passwd.byuid. Reason: Can't bind to server which serves this domain
No such map passwd.byname. Reason: Can't bind to server which serves this domain

==> you’ve made a mistake in yp.conf and/or /etc/hosts (and the daemons need to be up)
==> beware the securenets syntax is tricky

TODO

Resources

[fw] 3.3. Files managed under NIS https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch03_03.htm

linux

Homepage of the Linux NIS Project https://www.thkukuk.de/nis/index.html

ypserv https://github.com/thkukuk/ypserv

ypbind-mt https://github.com/thkukuk/ypbind-mt

yp-tools https://github.com/thkukuk/yp-tools

NIS https://wiki.archlinux.org/title/NIS

Quick HOWTO : Ch30 : Configuring NIS https://web.archive.org/web/20201111171924/http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS#.X6wdINLP0UE

The Linux NIS(YP)/NYS/NIS+ HOWTO https://tldp.org/HOWTO/NIS-HOWTO/

NIS : Linux central authentication https://web.archive.org/web/20211011030614/http://www.yolinux.com/TUTORIALS/NIS.html

slackware

Roaming profiles with NFS and NIS http://docs.slackware.com/howtos:network_services:roaming_profiles

troubles

Can’t bind to server which serves this domain https://access.redhat.com/discussions/3226371 --> rpcinfo and ypbind status

9.3. The Program rpc.ypxfrd https://www.linuxtopia.org/online_books/network_administration_guides/NIS_HOWTO_guide/ypserv_002.html

rpc

rpc.statd - NSM service daemon http://man.he.net/?topic=rpc.statd&section=all

security

NIS Server Security https://www.oreilly.com/library/view/linux-network-administrators/1565924002/ch13s05.html

[fw] 12.2. How secure are NIS and NFS? https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch12_02.htm

[fw] 12.5. Stronger security for NFS https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch12_05.htm#nfs2-CHP-12-SECT-5.4.10.html

5.3. Securing NIS https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/s1-server-nis.html

tcp wrappers

14.2 Host Access Control https://www.slackbook.org/html/security-host.html

rpcbind – universal addresses to RPC program number mapper http://man.he.net/?topic=rpcbind&section=all

hosts_access - format of host access control files http://man.he.net/?topic=hosts_access&section=all

15.2. TCP Wrappers http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-services-tcp-wrappers.html

krb & ldap

Replacing NIS with Kerberos and LDAP HOWTO http://aput.net/~jheiss/krbldap/howto.html

samba

Samba + NIS http://forum.ubuntu-fr.org/viewtopic.php?id=439878


Copyright © 2024 Pierre-Philipp Braun