NIS Server - Master Setup

tested on debian11 slack150 netbsd

Introduction

This is not trivial. The NIS service is built on a few components:

rpc
ypserv -- the server daemon
rpc.ypxfrd -- NIS map transfer server (debian)
ypbind -- the client daemon
rpc.yppasswdd -- NIS password update daemon (debian); not needed as we do not use passwords

So the setup process needs to follow a certain order:

  1. configure yp.conf and ypserv.conf
  2. start and enable daemons at boot-time
  3. generate the maps

Warning

NIS is not exactly known for its security, so preferably run it only on a dedicated and isolated network.

Requirements

make sure the master and the slave can each resolve their own name and each other's

vi /etc/hosts

x.x.x.x     ypmaster.angrycow.ru ypmaster
x.x.x.x     ypslave.angrycow.ru ypslave

Installation

debian

apt update
apt dist-upgrade
apt autoremove --purge
apt install nis
# The following NEW packages will be installed:
#  libnss-nis make nis nscd rpcbind yp-tools ypbind-mt ypserv

slackware

slackpkg search nfs-utils # we need /sbin/rpc.statd anyhow
slackpkg search rpcbind
slackpkg search yptools
slackpkg search make
slackpkg search guile
slackpkg search gc
slackpkg search libnss # optional

ls -lF /sbin/rpcbind /sbin/rpc.statd /etc/rc.d/rc.rpc /etc/rc.d/rc.yp
chmod +x /etc/rc.d/rc.rpc
chmod +x /etc/rc.d/rc.yp

netbsd

built-in

Shared preparation (master & slave)

back up the default setup before you initialize the NIS service, so you can start from scratch if necessary.

cd /var/
tar czpf yp.tar.gz yp/

set up the NIS domain name

domain=angrycow.ru

domainname $domain

we’re going for some level of brute force here

cd /etc/

ls -lF /etc/{mydomain,domainname,defaultdomain}

echo $domain > /etc/mydomain
ln -s mydomain /etc/domainname
ln -s mydomain /etc/defaultdomain

check

domainname
nisdomainname

main config

mv -i /etc/yp.conf /etc/yp.conf.dist
vi /etc/yp.conf

domain angrycow.ru server ypmaster
domain angrycow.ru server ypslave

ypserver ypmaster
#ypserver ypslave

Daemons (master + slave)

bring a few daemons to life

the daemons need to be up to begin with (so you can generate the maps)

debian

systemctl list-unit-files | grep ^yp

systemctl restart rpcbind
systemctl restart ypserv.service
systemctl restart ypbind.service # needs yp.conf
systemctl stop yppasswdd.service

systemctl enable rpcbind
systemctl enable ypbind.service
systemctl enable ypserv.service
systemctl disable yppasswdd.service

systemctl status rpcbind
systemctl status ypserv.service
systemctl status ypbind.service
#systemctl status yppasswdd.service

pgrep -a rpcbind
pgrep -a ypserv
pgrep -a ypbind
#pgrep -a yppasswdd

# only on master
systemctl restart ypxfrd.service
systemctl enable ypxfrd.service
systemctl status ypxfrd.service
pgrep -a ypxfrd

slackware

/etc/rc.d/rc.rpc start
pgrep -a rpc

/etc/rc.d/rc.yp restart
pgrep -a yp

netbsd

vi /etc/rc.conf

rpcbind=yes
ypbind=yes
ypserv=yes
yppasswdd=no

/etc/rc.d/rpcbind restart
/etc/rc.d/ypserv restart
/etc/rc.d/ypbind restart
#/etc/rc.d/yppasswdd restart

Setup

setup maps

mv -i /etc/ypserv.conf /etc/ypserv.conf.dist
grep -vE '^#|^$' /etc/ypserv.conf.dist > /etc/ypserv.conf
vi /etc/ypserv.conf

#*                            : *       : *                : none
*                          : *       : passwd.byname    : port
*                          : *       : passwd.byuid     : port
dns: yes

prepare maps

# master only
groupadd -g 1005 nis

# not present on the slave
grep ^nis /etc/group

cd /var/yp/

# debian / slackware
mv -i Makefile Makefile.dist
grep -vE '^#|^$' Makefile.dist > Makefile
vi Makefile

# netbsd
mv -i Makefile.yp Makefile.yp.dist
grep -vE '^#|^$' Makefile.yp.dist > Makefile.yp
vi Makefile.yp

NOPUSH=false

MINUID = 1005
MINGID = 1005

# netbsd
#MINUID?=        1000
#MINGID?=        1000

MERGE_PASSWD = false
MERGE_GROUP = false

#all:   $(ALL)
all:    passwd group

enable ACLs

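# the ACL file is /etc/ypserv.securenets or /var/yp/securenets depending on the system;
# check which one exists and apply the steps below to that path
ls -lF /etc/ypserv.securenets /var/yp/securenets
mv -i /etc/ypserv.securenets /etc/ypserv.securenets.dist
grep -vE '^$|^#' /etc/ypserv.securenets.dist > /etc/ypserv.securenets
vi /etc/ypserv.securenets

# netmask       network
#0.0.0.0         0.0.0.0
#::/0
255.255.255.0   x.x.x.0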
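
a lint for the ACL file above, since the field order (netmask first, then network) is easy to get wrong. This is an added example, not part of the original guide: the function name lint_securenets and the sample entries (192.0.2.0/24 documentation range) are constructed, and only IPv4 netmask/network lines plus the two allow-all entries shown above are checked.

```shell
#!/bin/sh
# lint_securenets FILE: print one finding per problem line, exit 1 if any (added example)
lint_securenets() {
    awk '
    function ip2int(s,   a, i, v) {          # dotted quad -> integer, -1 if malformed
        if (split(s, a, ".") != 4) return -1
        for (i = 1; i <= 4; i++) {
            if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return -1
            v = v * 256 + a[i]
        }
        return v
    }
    function hostsize(m,   x) {              # 2^(host bits) for a contiguous mask, else 0
        x = 4294967296 - m
        while (x > 1 && x % 2 == 0) x /= 2
        return (x == 1) ? 4294967296 - m : 0
    }
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    $1 == "::/0" || ($1 == "0.0.0.0" && $2 == "0.0.0.0") {
        printf "line %d: OPEN: allows every client\n", NR; bad++; next
    }
    { m = ip2int($1) }
    m < 0 { next }                           # other line forms are not checked here
    {
        n = ip2int($2); h = hostsize(m)
        if (h == 0)          { printf "line %d: ORDER: first field is not a netmask\n", NR; bad++ }
        else if (n < 0)      { printf "line %d: SYNTAX: bad network address\n", NR; bad++ }
        else if (n % h != 0) { printf "line %d: HOSTBITS: network has bits outside the mask\n", NR; bad++ }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# constructed sample, not taken from a real server
sample=$(mktemp)
cat > "$sample" <<'EOF'
# netmask       network
255.255.255.0   192.0.2.0
192.0.2.0       255.255.255.0
255.255.255.0   192.0.2.17
0.0.0.0         0.0.0.0
EOF
lint_securenets "$sample" || echo "securenets needs fixing"
rm -f "$sample"
```

run it against the real file before restarting ypserv; a clean file prints nothing and returns 0.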

Master setup

initialize the NIS databases

# debian
/usr/lib/yp/ypinit -m

# slackware
/usr/lib64/yp/ypinit -m

# netbsd
ypinit -m

next host to add:  ypmaster.angrycow.ru
next host to add:  ypslave.angrycow.ru
^D

ls -lF /var/yp/$domain/passwd.byuid

Acceptance testing

check that you can see nobody/nogroup and the dedicated nis group (GID 1005)

rpcinfo -p localhost
ypcat -d $domain passwd.byuid
ypcat -d $domain group.bygid

Client setup

see nis-client.

but also configure the master as client to itself.

Slave setup

once everything works with a single NIS server, you might consider adding a slave for HA. see nis-slave.

Operations

see nis-ops.

Troubleshooting

failed to send 'clear' to local ypserv: RPC: Program not registered
Updating group.byname...

==> start rpc + ypbind but also initialize with ypinit

No such map passwd.byuid. Reason: Can't bind to server which serves this domain
No such map passwd.byname. Reason: Can't bind to server which serves this domain

==> you’ve made a mistake in yp.conf and/or /etc/hosts (and the daemons need to be up)
==> beware, the securenets syntax is tricky…

TODO

Resources

[fw] 3.3. Files managed under NIS https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch03_03.htm

linux

Homepage of the Linux NIS Project https://www.thkukuk.de/nis/index.html

ypserv https://github.com/thkukuk/ypserv

ypbind-mt https://github.com/thkukuk/ypbind-mt

yp-tools https://github.com/thkukuk/yp-tools

NIS https://wiki.archlinux.org/title/NIS

Quick HOWTO : Ch30 : Configuring NIS https://web.archive.org/web/20201111171924/http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS#.X6wdINLP0UE

The Linux NIS(YP)/NYS/NIS+ HOWTO https://tldp.org/HOWTO/NIS-HOWTO/

NIS : Linux central authentication https://web.archive.org/web/20211011030614/http://www.yolinux.com/TUTORIALS/NIS.html

slackware

Roaming profiles with NFS and NIS http://docs.slackware.com/howtos:network_services:roaming_profiles

netbsd

23.6.3. Network Information Service (NIS/YP) http://www.netbsd.org/docs/guide/en/chap-net-intro.html#chap-net-intro-nsconcepts-nis

how to set up nfs and nis https://wiki.netbsd.org/tutorials/how_to_set_up_nfs_and_nis/

NIS in NetBSD https://www.silas.net.br/tech/netbsd/nis-in-netbsd.html

Unix-san's notes - NetBSD - NIS https://web.archive.org/web/20090105175332/http://www.nognog.com/techmemo/NetBSD_NIS_HOWTO.php

solaris

Adding a New Slave Server http://docs.oracle.com/cd/E19455-01/806-1387/6jam692cm/index.html

NIS Troubleshooting on Solaris https://web.archive.org/web/20150902195323/http://www.softpanorama.net/Net/Application_layer/NIS/nis_troubleshooting.shtml

Solaris Naming Services Architecture http://www.informit.com/articles/article.aspx?p=24381&seqNum=11

troubles

Can’t bind to server which serves this domain https://access.redhat.com/discussions/3226371 --> rpcinfo and ypbind status

9.3. The Program rpc.ypxfrd https://www.linuxtopia.org/online_books/network_administration_guides/NIS_HOWTO_guide/ypserv_002.html

rpc

rpc.statd - NSM service daemon http://man.he.net/?topic=rpc.statd&section=all

security

NIS Server Security https://www.oreilly.com/library/view/linux-network-administrators/1565924002/ch13s05.html

[fw] 12.2. How secure are NIS and NFS? https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch12_02.htm

[fw] 12.5. Stronger security for NFS https://docstore.mik.ua/orelly/networking_2ndEd/nfs/ch12_05.htm#nfs2-CHP-12-SECT-5.4.10.html

5.3. Securing NIS https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/s1-server-nis.html

tcp wrappers

14.2 Host Access Control https://www.slackbook.org/html/security-host.html

rpcbind – universal addresses to RPC program number mapper http://man.he.net/?topic=rpcbind&section=all

hosts_access - format of host access control files http://man.he.net/?topic=hosts_access&section=all

15.2. TCP Wrappers http://web.mit.edu/rhel-doc/5/RHEL-5-manual/Deployment_Guide-en-US/s1-services-tcp-wrappers.html

krb & ldap

Replacing NIS with Kerberos and LDAP HOWTO http://aput.net/~jheiss/krbldap/howto.html

samba

Samba + NIS http://forum.ubuntu-fr.org/viewtopic.php?id=439878


Copyright © 2022 Pierre-Philipp Braun