nis-master | (netbsd) | nis-slave | nis-client | nis-ops
tested on debian11 and slack150
This is not trivial. The NIS service is built on a few components:
rpc
ypserv -- the server daemon
rpc.ypxfrd -- NIS map transfer server # (debian)
ypbind -- the client daemon
rpc.yppasswdd -- NIS password update daemon # (debian) no need as we do not use passwords
So the setup process needs to follow a certain order:
NIS is not exactly known for its security, so preferably run it on a dedicated and isolated network.
make sure the master and the slave can resolve themselves and each other
vi /etc/hosts
x.x.x.x ypmaster.angrycow.ru ypmaster
x.x.x.x ypslave.angrycow.ru ypslave
apt update
apt dist-upgrade
apt autoremove --purge
apt install nis
# The following NEW packages will be installed:
# libnss-nis make nis nscd rpcbind yp-tools ypbind-mt ypserv
slackpkg search nfs-utils # we need /sbin/rpc.statd anyhow
slackpkg search rpcbind
slackpkg search yptools
slackpkg search make-4
slackpkg search guile
slackpkg search gc-8
slackpkg search libnss # optional
those are enabled already
ls -lF /sbin/rpcbind /sbin/rpc.statd /usr/sbin/rpc.ypxfrd
those we start manually instead
ls -lF /etc/rc.d/rc.rpc /etc/rc.d/rc.yp
chmod -x /etc/rc.d/rc.rpc
chmod -x /etc/rc.d/rc.yp
back up the default setup before you initialize the NIS service, so you can start from scratch if necessary.
cd /var/
tar czpf yp.tar.gz yp/
set up the NIS domain name
domain=angrycow.ru
domainname $domain
we’re going for some level of brute force here, making sure any required file setting is there
ls -lF /etc/{mydomain,domainname,defaultdomain}
cd /etc/
echo $domain > /etc/domainname
ln -s domainname /etc/mydomain
ln -s domainname /etc/defaultdomain
check
domainname
# gnu/linux only
nisdomainname
main config
# default file exists on gnu/linux only
mv -i /etc/yp.conf /etc/yp.conf.dist
vi /etc/yp.conf
domain angrycow.ru server ypmaster
domain angrycow.ru server ypslave
# that command on gnu/linux only
ypserver ypmaster
#ypserver ypslave
bring a few daemons to life
the daemons need to be up to begin with (so you can generate the maps)
systemctl list-unit-files | grep ^yp
systemctl restart rpcbind
systemctl restart ypserv.service
systemctl restart ypbind.service # needs yp.conf
systemctl stop yppasswdd.service
systemctl enable rpcbind
systemctl enable ypbind.service
systemctl enable ypserv.service
systemctl disable yppasswdd.service
systemctl status rpcbind
systemctl status ypserv.service
systemctl status ypbind.service
#systemctl status yppasswdd.service
pgrep -a rpcbind
pgrep -a ypserv
pgrep -a ypbind
#pgrep -a yppasswdd
# only on master
systemctl restart ypxfrd.service
systemctl enable ypxfrd.service
systemctl status ypxfrd.service
pgrep -a ypxfrd
this replaces /etc/rc.d/rc.rpc and /etc/rc.d/rc.yp
vi /etc/rc.d/rc.local
# rpc
/sbin/rpcbind -s -w -l -h CLUSTER-IP
/sbin/rpc.statd
# server
/usr/sbin/ypserv
/usr/sbin/rpc.ypxfrd
# client
/usr/sbin/ypbind # w/o bcast
check
pgrep -a rpcbind
pgrep -a statd
pgrep -a ypserv
pgrep -a xfrd
pgrep -a ypbind
and shutdown process
vi /etc/rc.d/rc.local_shutdown
pkill ypbind
pkill xfrd
pkill ypserv
pkill statd
pkill rpcbind
setup maps
mv -i /etc/ypserv.conf /etc/ypserv.conf.dist
grep -vE '^#|^$' /etc/ypserv.conf.dist > /etc/ypserv.conf
vi /etc/ypserv.conf
#* : * : * : none
* : * : passwd.byname : port
* : * : passwd.byuid : port
dns: yes
prepare maps
# master only
groupadd -g 1005 nis
# not present on the slave
grep ^nis /etc/group
cd /var/yp/
mv -i Makefile Makefile.dist
grep -vE '^#|^$' Makefile.dist > Makefile.clean
grep -vE '^#|^$' Makefile.dist > Makefile
vi Makefile
NOPUSH=false
MINUID = 1000
MINGID = 1000
MERGE_PASSWD = true
MERGE_GROUP = true
all: passwd group
enable ACLs
# slackware
ls -lF /var/yp/securenets
mv -i /var/yp/securenets /var/yp/securenets.dist
grep -vE '^$|^#' /var/yp/securenets.dist > /var/yp/securenets
vi /var/yp/securenets
# debian
ls -lF /etc/ypserv.securenets
mv -i /etc/ypserv.securenets /etc/ypserv.securenets.dist
grep -vE '^$|^#' /etc/ypserv.securenets.dist > /etc/ypserv.securenets
vi /etc/ypserv.securenets
#0.0.0.0 0.0.0.0
#::/0
255.255.255.0 x.x.x.0
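A quick sanity check for the securenets file, added here as an example (not part of the original page or of the ypserv project). It assumes the `netmask network` field order shown above plus the `host` keyword, only validates IPv4 entries, and uses a constructed 192.168.10.0/24 network; `lint_securenets` is a hypothetical helper name.

```shell
# lint_securenets FILE: print "LINE: finding" per bad entry, return 1 if any.
lint_securenets() {
  awk '
    function ip2int(s,    o, i, v) {      # dotted quad -> integer, -1 if malformed
      if (split(s, o, ".") != 4) return -1
      v = 0
      for (i = 1; i <= 4; i++) {
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return -1
        v = v * 256 + o[i]
      }
      return v
    }
    function hostbits(m,    k, size) {    # valid mask = 2^32 - 2^k; return k or -1
      size = 1
      for (k = 0; k <= 32; k++) { if (m == 4294967296 - size) return k; size *= 2 }
      return -1
    }
    function report(msg) { print NR ": " msg; bad = 1 }
    NF == 0 || $1 ~ /^#/ { next }
    $1 ~ /:/     { if ($1 == "::/0") report("allows every IPv6 host"); next }
    $1 == "host" { if (NF != 2 || ip2int($2) < 0) report("bad host entry"); next }
    {
      m = ip2int($1); n = ip2int($2)
      if (NF != 2 || m < 0 || n < 0) { report("expected: netmask network"); next }
      k = hostbits(m)
      if (k < 0 && hostbits(n) >= 0) { report("netmask and network look swapped"); next }
      if (k < 0)   { report("first field is not a valid netmask"); next }
      if (k == 32) { report("allows every host"); next }
      # ypserv compares (client AND mask) with the network, so stray host bits never match
      if (n % (2 ^ k) != 0) report("network has host bits set for this mask")
    }
    END { exit bad + 0 }
  ' "$1"
}

# constructed sample: line 2 has the fields swapped, line 3 is the open default
sample=$(mktemp)
printf '%s\n' 'host 127.0.0.1' '192.168.10.0 255.255.255.0' '0.0.0.0 0.0.0.0' \
  '255.255.255.0 192.168.10.0' > "$sample"
lint_securenets "$sample" || echo "securenets needs fixing"
rm -f "$sample"
```

Run it against /var/yp/securenets (slackware) or /etc/ypserv.securenets (debian) before restarting ypserv.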
initialize the NIS databases
# debian
/usr/lib/yp/ypinit -m
# slackware
/usr/lib64/yp/ypinit -m
next host to add: ypmaster.angrycow.ru
next host to add: ypslave.angrycow.ru
^D
ls -lF /var/yp/$domain/passwd.byuid
check that you can see nobody/nogroup and dedicated nis group 1005
rpcinfo -p localhost
ypcat -d $domain passwd.byuid
ypcat -d $domain group.bygid
see nis-client.
but also configure the master as client to itself.
once everything works with a single NIS server, you might consider adding a slave for HA. see nis-slave.
see nis-ops.
failed to send 'clear' to local ypserv: RPC: Program not registered
Updating group.byname...
==> to initialize the master, not only start rpc + ypbind, but also ypserv
No such map passwd.byuid. Reason: Can't bind to server which serves this domain
No such map passwd.byname. Reason: Can't bind to server which serves this domain
==> you’ve made a mistake in yp.conf and/or /etc/hosts (and daemon needs to be up)
==> beware the securenet syntax is tricky
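Both symptoms above come down to a daemon that is not registered with rpcbind, which can be checked before running ypinit. This is an added example, not from the original page: `nis_rpc_missing` is a hypothetical helper that reads `rpcinfo -p` output on stdin, and the sample output (ports included) is constructed. Program numbers 100000, 100004 and 100007 are the standard ones for portmapper, ypserv and ypbind.

```shell
# nis_rpc_missing [LIST]: read `rpcinfo -p` output on stdin and print every
# required program that has no registration; returns 1 if any is missing.
# LIST is "number:name ..." and defaults to what a master (also its own client) needs.
nis_rpc_missing() {
  awk -v want="${1:-100000:rpcbind 100004:ypserv 100007:ypbind}" '
    $1 ~ /^[0-9]+$/ { seen[$1] = 1 }   # numeric first column; skips the header line
    END {
      n = split(want, w, " ")
      for (i = 1; i <= n; i++) {
        split(w[i], p, ":")
        if (!(p[1] in seen)) { print p[2]; miss = 1 }
      }
      exit miss + 0
    }'
}

# constructed sample: rpcbind and ypbind are up, ypserv was never started,
# which is the state behind "RPC: Program not registered" during ypinit -m
sample_rpcinfo() {
  cat <<'EOF'
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    655  ypbind
    100007    2   tcp    656  ypbind
EOF
}

sample_rpcinfo | nis_rpc_missing || echo "start the daemons listed above first"
```

On a live host, feed it the real output: `rpcinfo -p localhost | nis_rpc_missing`.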
/etc/hosts.*