The Linux NIS(YP)/NYS/NIS+ HOWTO

Thorsten Kukuk

v1.3, 1 July 2003

This document describes how to configure Linux as NIS(YP) or NIS+ client
and how to install it as a NIS server.

-----------------------------------------------------------------------------
Table of Contents
1. Introduction
    1.1. New Versions of this Document
    1.2. Disclaimer
    1.3. Feedback and Corrections
    1.4. Acknowledgements
2. Glossary and General Information
    2.1. Glossary of Terms
    2.2. Some General Information
3. NIS, NYS or NIS+ ?
    3.1. libc 4/5 with traditional NIS or NYS ?
    3.2. glibc 2 and NIS/NIS+
    3.3. NIS or NIS+ ?
4. How it works
    4.1. How NIS works
    4.2. How NIS+ works
5. The RPC Portmapper
6. What do you need to set up NIS?
    6.1. Determine whether you are a Server, Slave or Client.
    6.2. The Software
7. Setting Up the NIS Client
    7.1. The ypbind daemon
    7.2. Setting up a NIS Client using Traditional NIS
    7.3. Setting up a NIS Client using NYS
    7.4. Setting up a NIS Client using glibc 2.x
    7.5. The nsswitch.conf File
    7.6. Shadow Passwords with NIS
8. What do you need to set up NIS+ ?
    8.1. The Software
    8.2. Setting up a NIS+ client
    8.3. NIS+, keylogin, login and PAM
    8.4. The nsswitch.conf File
9. Setting up a NIS Server
    9.1. The Server Program ypserv
    9.2. The Server Program yps
    9.3. The Program rpc.ypxfrd
    9.4. The Program rpc.yppasswdd
10. Verifying the NIS/NYS Installation
11. Creating and Updating NIS maps
    11.1. Creating new NIS maps
    11.2. Updating NIS maps
    11.3. Length of Map entries
12. Surviving a Reboot
    12.1. NIS Init Script
    12.2. NIS Domain Name
    12.3. Distribution-specific Issues
13. Changing passwords with rpasswd
    13.1. Server Configuration
    13.2. Client Configuration
14. Common Problems and Troubleshooting NIS
15. Frequently Asked Questions

1. Introduction

More and more, Linux machines are installed as part of a network of
computers. To simplify network administration, most networks (mostly
Sun-based networks) run the Network Information Service. Linux machines can
take full advantage of existing NIS service or provide NIS service
themselves. Linux machines can also act as full NIS+ clients; this support is
in beta stage.

This document tries to answer questions about setting up NIS(YP) and NIS+ on
your Linux machine. Don't forget to read Section 5.

The NIS-Howto is edited and maintained by

+---------------------------------------------------------------------------+
| Thorsten Kukuk, <kukuk@suse.de>                                           |
+---------------------------------------------------------------------------+

The primary source of the information for the initial NIS-Howto was from:

+---------------------------------------------------------------------------+
|Andrea Dell'Amico <adellam@ZIA.ms.it>                                      |
|Mitchum DSouza <Mitch.DSouza@NetComm.IE>                                   |
|Erwin Embsen <erwin@nioz.nl>                                               |
|Peter Eriksson <peter@ifm.liu.se>                                          |
+---------------------------------------------------------------------------+

who we should thank for writing the first versions of this document.
-----------------------------------------------------------------------------

1.1. New Versions of this Document

You can always view the latest version of this document on the World Wide Web
via the URL http://www.linux-nis.org/nis-howto/HOWTO/NIS-HOWTO.html.

New versions of this document will also be uploaded to various Linux WWW and
FTP sites, including the LDP home page.

Links to translations of this document can be found at
http://www.linux-nis.org/nis-howto/.
-----------------------------------------------------------------------------

1.2. Disclaimer

Although this document has been put together to the best of my knowledge, it
may, and probably does, contain errors. Please read any README files that are
bundled with any of the various pieces of software described in this document
for more detailed and accurate information. I will attempt to keep this
document as error free as possible.
-----------------------------------------------------------------------------

1.3. Feedback and Corrections

If you have questions or comments about this document, please feel free to
mail Thorsten Kukuk at kukuk@linux-nis.org. I welcome any suggestions or
criticisms. If you find a mistake in this document, please let me know so I
can correct it in the next version. Thanks.

Please do not mail me questions about special problems with your Linux
distribution! I don't know every Linux distribution. But I will try to add
every solution you send me.
-----------------------------------------------------------------------------

1.4. Acknowledgements

We would like to thank all the people who have contributed (directly or
indirectly) to this document. In alphabetical order:

+---------------------------------------------------------------------------+
|Byron A Jeff <byron@cc.gatech.edu>                                         |
|Markus Rex <msrex@suse.de>                                                 |
|Miquel van Smoorenburg <miquels@cistron.nl>                                |
|Dan York <dyork@lodestar2.com>                                             |
|Christoffer Bromberg <christoffer@web.de>                                  |
+---------------------------------------------------------------------------+

Theo de Raadt is responsible for the original yp-clients code. Swen Thuemmler
ported the yp-clients code to Linux and also ported the yp-routines in libc
(again based on Theo's work). Thorsten Kukuk has written the NIS(YP) and NIS+
routines for GNU libc 2.x from scratch.
-----------------------------------------------------------------------------

2. Glossary and General Information

2.1. Glossary of Terms

In this document a lot of acronyms are used. Here are the most important
acronyms and a brief explanation:

DBM
    DataBase Management, a library of functions which maintain key-content
    pairs in a data base.

DLL
    Dynamically Linked Library, a library linked to an executable program at
    run-time.

domainname
    A name "key" that is used by NIS clients to be able to locate a suitable
    NIS server that serves that domainname key. Please note that this does
    not necessarily have anything at all to do with the DNS "domain" (machine
    name) of the machine(s).

FTP
    File Transfer Protocol, a protocol used to transfer files between two
    computers.

libnsl
    Name services library, a library of name service calls (getpwnam,
    getservbyname, etc...) on SVR4 Unixes. GNU libc uses this for the NIS
    (YP) and NIS+ functions.

libsocket
    Socket services library, a library for the socket service calls (socket,
    bind, listen, etc...) on SVR4 Unixes.

NIS
    Network Information Service, a service that provides information, that
    has to be known throughout the network, to all machines on the network.
    There is support for NIS in Linux's standard libc library, which in the
    following text is referred to as "traditional NIS".

NIS+
    Network Information Service (Plus :-), essentially NIS on steroids. NIS+
    is designed by Sun Microsystems Inc. as a replacement for NIS with better
    security and better handling of _large_ installations.

NYS
    This is the name of a project and stands for NIS+, YP and Switch and is
    managed by Peter Eriksson <peter@ifm.liu.se>. It contains among other
    things a complete reimplementation of the NIS (= YP) code that uses the
    Name Services Switch functionality of the NYS library.

NSS
    Name Service Switch. The /etc/nsswitch.conf file determines the order of
    lookups performed when a certain piece of information is requested.

RPC
    Remote Procedure Call. RPC routines allow C programs to make procedure
    calls on other machines across the network. When people talk about RPC
    they most often mean the Sun RPC variant.

YP
    Yellow Pages(tm), a registered trademark in the UK of British Telecom
    plc.

TCP-IP
    Transmission Control Protocol/Internet Protocol. It is the data
    communication protocol most often used on Unix machines.

-----------------------------------------------------------------------------
2.2. Some General Information

The next four lines are quoted from the Sun(tm) System & Network
Administration Manual:

+---------------------------------------------------------------------------+
| "NIS was formerly known as Sun Yellow Pages (YP) but                      |
| the name Yellow Pages(tm) is a registered trademark                       |
| in the United Kingdom of British Telecom plc and may                      |
| not be used without permission."                                          |
+---------------------------------------------------------------------------+

NIS stands for Network Information Service. Its purpose is to provide
information, that has to be known throughout the network, to all machines on
the network. Information likely to be distributed by NIS is:

  * login names/passwords/home directories (/etc/passwd)

  * group information (/etc/group)

If, for example, your password entry is recorded in the NIS passwd database,
you will be able to login on all machines on the network which have the NIS
client programs running.

Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.
-----------------------------------------------------------------------------

3. NIS, NYS or NIS+ ?

3.1. libc 4/5 with traditional NIS or NYS ?

The choice between "traditional NIS" or the NIS code in the NYS library is a
choice between laziness and maturity vs. flexibility and love of adventure.

The "traditional NIS" code is in the standard C library and has been around
longer and sometimes suffers from its age and slight inflexibility.

The NIS code in the NYS library requires you to recompile the libc library to
include the NYS code into it (or maybe you can get a precompiled version of
libc from someone who has already done it).

Another difference is that the traditional NIS code has some support for NIS
Netgroups, which the NYS code doesn't. On the other hand the NYS code allows
you to handle Shadow Passwords in a transparent way. The "traditional NIS"
code doesn't support Shadow Passwords over NIS.
-----------------------------------------------------------------------------

3.2. glibc 2 and NIS/NIS+

Forget all this if you use the new GNU C Library 2.x (aka libc6). It has real
NSS (Name Service Switch) support, which makes it very flexible, and contains
support for the following NIS/NIS+ maps: aliases, ethers, group, hosts,
netgroups, networks, protocols, publickey, passwd, rpc, services and shadow.
The GNU C Library has no problems with shadow passwords over NIS.
-----------------------------------------------------------------------------

3.3. NIS or NIS+ ?

The choice between NIS and NIS+ is easy - use NIS+ only if you have severe
security needs. NIS+ is much more problematic to administer (it's pretty easy
to handle on the client side, but the server side is horrible). Another
problem is that the support for NIS+ under Linux contains a lot of bugs and
that the development has stopped.
-----------------------------------------------------------------------------

4. How it works

4.1. How NIS works

Within a network there must be at least one machine acting as a NIS server.
You can have multiple NIS servers, each serving different NIS "domains" - or
you can have cooperating NIS servers, where one is the master NIS server, and
all the others are so-called slave NIS servers (for a certain NIS "domain",
that is!) - or you can have a mix of them...

Slave servers only have copies of the NIS databases and receive these copies
from the master NIS server whenever changes are made to the master's
databases. Depending on the number of machines in your network and the
reliability of your network, you might decide to install one or more slave
servers. Whenever a NIS server goes down or is too slow in responding to
requests, a NIS client connected to that server will try to find one that is
up or faster.

NIS databases are in so-called DBM format, derived from ASCII databases. For
example, the files /etc/passwd and /etc/group can be directly converted to
DBM format using ASCII-to-DBM translation software (makedbm, included with
the server software). The master NIS server should have both the ASCII
databases and the DBM databases.

Slave servers will be notified of any change to the NIS maps (via the yppush
program), and automatically retrieve the necessary changes in order to
synchronize their databases. NIS clients do not need to do this since they
always talk to the NIS server to read the information stored in its DBM
databases.

Old ypbind versions do a broadcast to find a running NIS server. This is
insecure, due to the fact that anyone may install a NIS server and answer the
broadcast queries. Newer versions of ypbind (ypbind-3.3 or ypbind-mt) are
able to get the server from a configuration file - thus no need to broadcast.
-----------------------------------------------------------------------------

4.2. How NIS+ works

NIS+ is a new version of the network information nameservice from Sun. The
biggest difference between NIS and NIS+ is that NIS+ has support for data
encryption and authentication over secure RPC.

The naming model of NIS+ is based upon a tree structure. Each node in the
tree corresponds to an NIS+ object, of which there are six types: directory,
entry, group, link, table and private.

The NIS+ directory that forms the root of the NIS+ namespace is called the
root directory. There are two special NIS+ directories: org_dir and
groups_dir. The org_dir directory consists of all administration tables, such
as passwd, hosts, and mail_aliases. The groups_dir directory consists of NIS+
group objects which are used for access control. The collection of org_dir,
groups_dir and their parent directory is referred to as an NIS+ domain.
-----------------------------------------------------------------------------

5. The RPC Portmapper

To run any of the software mentioned below you will need to run the program
/sbin/portmap. Some Linux distributions already have the code in the
/sbin/init.d/ or /etc/rc.d/ files to start up this daemon. All you have to do
is to activate it and reboot your Linux machine. Read your Linux
distribution's documentation on how to do this.

The RPC portmapper (portmap(8)) is a server that converts RPC program numbers
into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to
make RPC calls (which is what the NIS/NIS+ client software does) to RPC
servers (like a NIS or NIS+ server) on that machine. When an RPC server is
started, it will tell portmap what port number it is listening to, and what
RPC program numbers it is prepared to serve. When a client wishes to make an
RPC call to a given program number, it will first contact portmap on the
server machine to determine the port number where RPC packets should be sent.

Since RPC servers could be started by inetd(8), portmap should be running
before inetd is started.

For secure RPC, the portmapper needs the Time service. Make sure that the
Time service is enabled in /etc/inetd.conf on all hosts:

+---------------------------------------------------------------------------+
|#                                                                          |
|# Time service is used for clock synchronization.                          |
|#                                                                          |
|time    stream  tcp     nowait  root    internal                           |
|time    dgram   udp     wait    root    internal                           |
+---------------------------------------------------------------------------+

IMPORTANT: Don't forget to restart inetd after changes to its configuration
file!
-----------------------------------------------------------------------------

6. What do you need to set up NIS?

6.1. Determine whether you are a Server, Slave or Client.

To answer this question you have to consider two cases:

 1. Your machine is going to be part of a network with existing NIS servers

 2. You do not have any NIS servers in the network yet

In the first case, you only need the client programs (ypbind, ypwhich, ypcat,
yppoll, ypmatch). The most important program is ypbind. This program must be
running at all times, which means it should always appear in the list of
processes. It is a daemon process and needs to be started from the system's
startup file (e.g. /etc/init.d/nis, /sbin/init.d/ypclient,
/etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running your
system has become a NIS client.

In the second case, if you don't have NIS servers, then you will also need a
NIS server program (usually called ypserv). Section 9 describes how to set up
a NIS server on your Linux machine using the ypserv daemon.
-----------------------------------------------------------------------------

6.2. The Software

The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the shared
library "/lib/libc.so.x" contain all necessary system calls to successfully
compile the NIS client and server software. For the GNU C Library 2 (glibc
2.x), you also need /lib/libnsl.so.1.

Some people reported that NIS only works with "/usr/lib/libc.a" version
4.5.21 and better, so if you want to play it safe don't use older libc's. The
NIS client software can be obtained from:

+---------------------------------------------------------------------------+
| Site            Directory                  File Name                      |
|                                                                           |
| ftp.kernel.org  /pub/linux/utils/net/NIS   yp-tools-2.8.tar.gz            |
| ftp.kernel.org  /pub/linux/utils/net/NIS   ypbind-mt-1.13.tar.gz          |
| ftp.kernel.org  /pub/linux/utils/net/NIS   ypbind-3.3.tar.gz              |
| ftp.kernel.org  /pub/linux/utils/net/NIS   ypbind-3.3-glibc5.diff.gz      |
+---------------------------------------------------------------------------+

Once you have obtained the software, please follow the instructions which
come with the software. yp-clients 2.2 are for use with libc4 and libc5 until
5.4.20. libc 5.4.21 and glibc 2.x need yp-tools 1.4.1 or later. The new
yp-tools 2.4 should work with every Linux libc. Since there was a bug in the
NIS code, you shouldn't use libc 5.4.21-5.4.35. Use libc 5.4.36 or later
instead, or most YP programs will not work. ypbind 3.3 will work with all
libraries, too. If you use gcc 2.8.x or greater, egcs or glibc 2.x, you
should add the ypbind-3.3-glibc5.diff patch to ypbind 3.3. If possible you
should avoid the use of ypbind 3.3 for security reasons. ypbind-mt is a new,
multithreaded daemon. It needs a Linux 2.2 kernel and glibc 2.1 or later.
-----------------------------------------------------------------------------

7. Setting Up the NIS Client

7.1. The ypbind daemon

After you have successfully compiled the software you are now ready to
install it. A suitable place for the ypbind daemon is the directory
/usr/sbin. Some people may tell you that you don't need ypbind on a system
with NYS. This is wrong. ypwhich and ypcat always need it.

You must do this as root of course. The other binaries (ypwhich, ypcat,
yppasswd, yppoll, ypmatch) should go in a directory accessible by all users,
normally /usr/bin.

Newer ypbind versions have a configuration file called /etc/yp.conf. You can
hardcode a NIS server there - for more info see the manual page for
ypbind(8). You also need this file for NYS. An example:

+---------------------------------------------------------------------------+
|ypserver 10.10.0.1                                                         |
|ypserver 10.0.100.8                                                        |
|ypserver 10.3.1.1                                                          |
+---------------------------------------------------------------------------+

If the system can resolve the hostnames without NIS, you may use the name,
otherwise you have to use the IP address. ypbind 3.3 has a bug and will only
use the last entry (ypserver 10.3.1.1 in the example). All other entries are
ignored. ypbind-mt handles this correctly and uses the server which answers
first.

It might be a good idea to test ypbind before incorporating it in the startup
files. To test ypbind do the following:

  * Make sure you have your YP-domain name set. If it is not set then issue
    the command:

    +---------------------------------------------------------------+
    | /bin/domainname nis.domain                                    |
    +---------------------------------------------------------------+

    where nis.domain should be some string _NOT_ normally associated with the
    DNS-domain name of your machine! The reason for this is that it makes it
    a little harder for external crackers to retrieve the password database
    from your NIS servers. If you don't know what the NIS domain name is on
    your network, ask your system/network administrator.

  * Start up "/sbin/portmap" if it is not already running.

  * Create the directory /var/yp if it does not exist.

  * Start up /usr/sbin/ypbind

  * Use the command rpcinfo -p localhost to check if ypbind was able to
    register its service with the portmapper. The output should look like:

    +---------------------------------------------------------------+
    |   program vers proto   port                                   |
    |    100000    2   tcp    111  portmapper                       |
    |    100000    2   udp    111  portmapper                       |
    |    100007    2   udp    637  ypbind                           |
    |    100007    2   tcp    639  ypbind                           |
    +---------------------------------------------------------------+

    or

    +---------------------------------------------------------------+
    |   program vers proto   port                                   |
    |    100000    2   tcp    111  portmapper                       |
    |    100000    2   udp    111  portmapper                       |
    |    100007    2   udp    758  ypbind                           |
    |    100007    1   udp    758  ypbind                           |
    |    100007    2   tcp    761  ypbind                           |
    |    100007    1   tcp    761  ypbind                           |
    +---------------------------------------------------------------+

    depending on the ypbind version you are using.

  * You may also run rpcinfo -u localhost ypbind. This command should produce
    something like:

    +---------------------------------------------------------------+
    | program 100007 version 2 ready and waiting                    |
    +---------------------------------------------------------------+

    or

    +---------------------------------------------------------------+
    | program 100007 version 1 ready and waiting                    |
    | program 100007 version 2 ready and waiting                    |
    +---------------------------------------------------------------+

    The output depends on the ypbind version you have installed. Only the
    "version 2" message matters.
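The checks of the test procedure above, as an added Python example (not part of yp-tools or ypbind): the pure functions validate the NIS domain name and parse "rpcinfo -p" output for a version 2 registration of ypbind (RPC program number 100007), and run_live_checks() applies them to the local host. It assumes the domainname and rpcinfo commands are on the PATH, and it approximates the DNS domain with socket.getfqdn(), which is an assumption of this example.

```python
"""Preflight checks for the ypbind test procedure of section 7.1.
Example code added to this HOWTO; it is not part of yp-tools or ypbind."""

import os
import socket
import subprocess

YPBIND_PROGRAM = 100007   # RPC program number of ypbind, as shown by rpcinfo
REQUIRED_VERSION = 2      # the only version the HOWTO says matters

# Constructed sample of "rpcinfo -p localhost" output (second variant above).
SAMPLE_RPCINFO = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    758  ypbind
    100007    1   udp    758  ypbind
    100007    2   tcp    761  ypbind
    100007    1   tcp    761  ypbind
"""


def check_domainname(nis_domain, dns_domain):
    """Return a list of problems with the NIS domain name (empty means OK)."""
    problems = []
    if not nis_domain or nis_domain == "(none)":
        problems.append('NIS domain name is not set (reads "(none)")')
    elif nis_domain.lower() == dns_domain.lower():
        problems.append("NIS domain name equals the DNS domain name")
    return problems


def parse_rpcinfo(output):
    """Parse 'rpcinfo -p' output into a set of (program, version, proto)."""
    registered = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].isdigit() and parts[1].isdigit():
            registered.add((int(parts[0]), int(parts[1]), parts[2]))
    return registered


def ypbind_registered(output):
    """True when ypbind version 2 is registered over both udp and tcp."""
    registered = parse_rpcinfo(output)
    return all((YPBIND_PROGRAM, REQUIRED_VERSION, proto) in registered
               for proto in ("udp", "tcp"))


def run_live_checks():
    """Run the checks on this host; needs portmap and ypbind to be running."""
    nis_domain = subprocess.run(["domainname"], capture_output=True,
                                text=True).stdout.strip()
    dns_domain = socket.getfqdn().partition(".")[2]   # approximation
    problems = check_domainname(nis_domain, dns_domain)
    if not os.path.isdir("/var/yp"):
        problems.append("/var/yp is missing; ypbind will not start")
    rpcinfo = subprocess.run(["rpcinfo", "-p", "localhost"],
                             capture_output=True, text=True)
    if not ypbind_registered(rpcinfo.stdout):
        problems.append("ypbind version 2 is not registered with portmap")
    return problems


if __name__ == "__main__":
    for problem in run_live_checks() or ["all ypbind preflight checks passed"]:
        print(problem)
```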

At this point you should be able to use NIS client programs like ypcat,
etc... For example, ypcat passwd.byname will give you the entire NIS password
database.

IMPORTANT: If you skipped the test procedure then make sure you have set the
domain name, and created the directory

+---------------------------------------------------------------------------+
| /var/yp                                                                   |
+---------------------------------------------------------------------------+

This directory MUST exist for ypbind to start up successfully.

To check if the domainname is set correctly, use /bin/ypdomainname from
yp-tools 2.2. It uses the yp_get_default_domain() function, which is more
restrictive: it does not allow, for example, the "(none)" domainname, which
is the default under Linux and causes a lot of problems.

If the test worked you may now want to change your startup files so that
ypbind will be started at boot time and your system will act as a NIS client.
Make sure that the domainname will be set before you start ypbind.

Well, that's it. Reboot the machine and watch the boot messages to see if
ypbind is actually started.
-----------------------------------------------------------------------------

7.2. Setting up a NIS Client using Traditional NIS

For host lookups you must set (or add) "nis" to the lookup order line in your
/etc/host.conf file. Please read the manpage "resolv+.8" for more details.

Add the following line to /etc/passwd on your NIS clients:

+---------------------------------------------------------------------------+
|+::::::                                                                    |
+---------------------------------------------------------------------------+

You can also use the + and - characters to include/exclude or change users.
If you want to exclude the user guest just add -guest to your /etc/passwd
file. You want to use a different shell (e.g. ksh) for the user "linux"? No
problem, just add "+linux::::::/bin/ksh" (without the quotes) to your
/etc/passwd. Fields that you don't want to change have to be left empty. You
could also use Netgroups for user control.

For example, to allow login-access only to miquels, dth and ed, and all
members of the sysadmin netgroup, but to have the account data of all other
users available, use:

+---------------------------------------------------------------------------+
| +miquels:::::::                                                           |
| +ed:::::::                                                                |
| +dth:::::::                                                               |
| +@sysadmins:::::::                                                        |
| -ftp                                                                      |
| +:*::::::/etc/NoShell                                                     |
+---------------------------------------------------------------------------+

Note that in Linux you can also override the password field, as we did in
this example. We also remove the login "ftp", so it isn't known any longer,
and anonymous ftp will not work.

The netgroup would look like

+---------------------------------------------------------------------------+
|sysadmins (-,software,) (-,kukuk,)                                         |
+---------------------------------------------------------------------------+

IMPORTANT: The netgroup feature is implemented starting from libc 4.5.26. If
you have a version of libc earlier than 4.5.26, every user in the NIS
password database can access your Linux machine if you run "ypbind"!
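To see what the +/- entries above actually grant, here is an added Python model of the compat resolution (example code, not glibc's or libc5's implementation): it applies the same policy as the example, written with the standard seven passwd fields, to a constructed NIS passwd map and netgroup map, and reports which accounts end up able to log in. The assumption that a password field of "*" and the shell /etc/NoShell block interactive login is the one the page's example relies on.

```python
"""Resolve the +/- entries of a local /etc/passwd ("compat" mode) against a
NIS passwd map and NIS netgroups, following the rules described in 7.2.
Example code added to this HOWTO; it is not glibc's or libc5's implementation."""

PASSWD_FIELDS = 7  # name:passwd:uid:gid:gecos:dir:shell

# Constructed NIS passwd map (roughly what "ypcat passwd.byname" returns).
NIS_PASSWD = """\
miquels:x:1001:100:Miquel:/home/miquels:/bin/bash
ed:x:1002:100:Ed:/home/ed:/bin/bash
dth:x:1003:100:Dth:/home/dth:/bin/bash
software:x:1004:100:Software:/home/software:/bin/bash
kukuk:x:1005:100:Thorsten:/home/kukuk:/bin/bash
ftp:x:40:49:Anonymous FTP:/srv/ftp:/bin/false
joe:x:1010:100:Joe User:/home/joe:/bin/bash
"""
# Constructed NIS netgroup map; members are (host,user,domain) triples.
NIS_NETGROUP = "sysadmins (-,software,) (-,kukuk,)\n"
# Local /etc/passwd on the client: the policy of the example above, written
# with the standard seven colon-separated fields.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+miquels::::::
+ed::::::
+dth::::::
+@sysadmins::::::
-ftp
+:*:::::/etc/NoShell
"""

def parse_passwd(text):
    """Split passwd-format lines into seven-field lists (missing fields -> '')."""
    entries = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")[:PASSWD_FIELDS]
            entries.append(fields + [""] * (PASSWD_FIELDS - len(fields)))
    return entries

def parse_netgroups(text):
    """Map netgroup name -> list of triples or nested netgroup names."""
    groups = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            groups[parts[0]] = parts[1:]
    return groups

def netgroup_users(name, groups, seen=None):
    """User names in a netgroup, recursing into nested groups."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, []):
        if member.startswith("("):
            user = member.strip("()").split(",")[1]
            if user and user != "-":
                users.add(user)
        else:
            users |= netgroup_users(member, groups, seen)
    return users

def apply_overrides(nis_entry, template):
    """Non-empty fields of the + line replace the NIS fields (name is kept)."""
    return [nis_entry[0]] + [t or n for n, t in zip(nis_entry[1:], template[1:])]

def resolve_compat(local_text, nis_text, netgroup_text):
    """Effective passwd database (name -> fields) after the +/- rules."""
    nis = {e[0]: e for e in parse_passwd(nis_text)}
    groups = parse_netgroups(netgroup_text)
    result, excluded = {}, set()

    def include(name, template):
        # A user excluded earlier, or already defined, is never re-added.
        if name in nis and name not in excluded and name not in result:
            result[name] = apply_overrides(nis[name], template)

    for entry in parse_passwd(local_text):
        key = entry[0]
        if key.startswith("+@"):
            for user in sorted(netgroup_users(key[2:], groups)):
                include(user, entry)
        elif key.startswith("-@"):
            excluded |= netgroup_users(key[2:], groups)
        elif key == "+":                       # wildcard: everyone still left
            for user in nis:
                include(user, entry)
        elif key.startswith("+"):
            include(key[1:], entry)
        elif key.startswith("-"):
            excluded.add(key[1:])
        else:                                  # ordinary local account
            result.setdefault(key, entry)
    return result

def can_login(db, name):
    """Simplified: known account, no locked password, not the NoShell."""
    entry = db.get(name)
    return bool(entry) and entry[1] not in ("*", "!") and entry[6] != "/etc/NoShell"
```

With the sample data, resolve_compat(LOCAL_PASSWD, NIS_PASSWD, NIS_NETGROUP) lets miquels, ed, dth, software and kukuk log in, drops ftp entirely, and keeps joe's account data (uid, home) visible with password "*" and shell /etc/NoShell.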
-----------------------------------------------------------------------------

7.3. Setting up a NIS Client using NYS

All that is required is that the NIS configuration file (/etc/yp.conf) points
to the correct server(s) for its information. Also, the Name Services Switch
configuration file (/etc/nsswitch.conf) must be correctly set up.

You should install ypbind. It isn't needed by the libc, but the NIS(YP) tools
need it.

If you wish to use the include/exclude user feature (+/-guest/+@admins), you
have to use "passwd: compat" and "group: compat" in nsswitch.conf. Note that
there is no "shadow: compat"! You have to use "shadow: files nis" in this
case.

The NYS sources are part of the libc 5 sources. When you run configure, say
"NO" the first time to the "Values correct" question, then say "YES" to
"Build a NYS libc from nys".
-----------------------------------------------------------------------------

7.4. Setting up a NIS Client using glibc 2.x

The glibc uses "traditional NIS", so you need to start ypbind. The Name
Services Switch configuration file (/etc/nsswitch.conf) must be correctly set
up. If you use the compat mode for passwd, shadow or group, you have to add
the "+" at the end of these files and you can use the include/exclude user
feature. The configuration is exactly the same as under Solaris 2.x.
-----------------------------------------------------------------------------

7.5. The nsswitch.conf File

The Name Service Switch file /etc/nsswitch.conf determines the order of
lookups performed when a certain piece of information is requested, just like
the /etc/host.conf file which determines the way host lookups are performed.
For example, the line

+---------------------------------------------------------------------------+
| hosts: files nis dns                                                      |
+---------------------------------------------------------------------------+

specifies that host lookup functions should first look in the local
/etc/hosts file, followed by a NIS lookup and finally through the domain name
service (/etc/resolv.conf and named), at which point if no match is found an
error is returned. This file must be readable by every user! You can find
more information in the man-page nsswitch.5 or nsswitch.conf.5.
|
|||
|
|
|||
|
A good /etc/nsswitch.conf file for NIS is:
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|# |
|
|||
|
|# /etc/nsswitch.conf |
|
|||
|
|# |
|
|||
|
|# An example Name Service Switch config file. This file should be |
|
|||
|
|# sorted with the most-used services at the beginning. |
|
|||
|
|# |
|
|||
|
|# The entry '[NOTFOUND=return]' means that the search for an |
|
|||
|
|# entry should stop if the search in the previous entry turned |
|
|||
|
|# up nothing. Note that if the search failed due to some other reason |
|
|||
|
|# (like no NIS server responding) then the search continues with the |
|
|||
|
|# next entry. |
|
|||
|
|# |
|
|||
|
|# Legal entries are: |
|
|||
|
|# |
|
|||
|
|# nisplus Use NIS+ (NIS version 3) |
|
|||
|
|# nis Use NIS (NIS version 2), also called YP |
|
|||
|
|# dns Use DNS (Domain Name Service) |
|
|||
|
|# files Use the local files |
|
|||
|
|# db Use the /var/db databases |
|
|||
|
|# [NOTFOUND=return] Stop searching if not found so far |
|
|||
|
|# |
|
|||
|
| |
|
|||
|
|passwd: compat |
|
|||
|
|group: compat |
|
|||
|
|# For libc5, you must use shadow: files nis |
|
|||
|
|shadow: compat |
|
|||
|
| |
|
|||
|
|passwd_compat: nis |
|
|||
|
|group_compat: nis |
|
|||
|
|shadow_compat: nis |
|
|||
|
| |
|
|||
|
|hosts: nis files dns |
|
|||
|
| |
|
|||
|
|services: nis [NOTFOUND=return] files |
|
|||
|
|networks: nis [NOTFOUND=return] files |
|
|||
|
|protocols: nis [NOTFOUND=return] files |
|
|||
|
|rpc: nis [NOTFOUND=return] files |
|
|||
|
|ethers: nis [NOTFOUND=return] files |
|
|||
|
|netmasks: nis [NOTFOUND=return] files |
|
|||
|
|netgroup: nis |
|
|||
|
|bootparams: nis [NOTFOUND=return] files |
|
|||
|
|publickey: nis [NOTFOUND=return] files |
|
|||
|
|automount: files |
|
|||
|
|aliases: nis [NOTFOUND=return] files |
|
|||
|
+---------------------------------------------------------------------------+
|
|||
|
|
|||
|
|
|||
|
passwd_compat, group_compat and shadow_compat are only supported by glibc
|
|||
|
2.x. If there are no shadow rules in /etc/nsswitch.conf, glibc will use the
|
|||
|
passwd rule for lookups. There are some more lookup module for glibc like
|
|||
|
hesoid. For more information, read the glibc documentation.
|
|||
|
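The comment block in the sample configuration describes how '[NOTFOUND=return]'
interacts with an unreachable NIS server. The following is an added example
(not code from the HOWTO or from glibc) that simulates the switch's status and
action rules on a constructed 'services' database. The 'nis' and 'files'
sources are stand-in dictionaries; the status names and default actions are
those documented in nsswitch.conf(5).

```python
"""Simulate the Name Service Switch lookup order and status actions.

Added example, not code from the HOWTO or from glibc. The nis and files
sources below are stand-in dicts, and the status/action table follows
nsswitch.conf(5): SUCCESS=return, NOTFOUND/UNAVAIL/TRYAGAIN=continue
unless a [STATUS=action] clause says otherwise.
"""
import re

DEFAULT_ACTIONS = {
    "SUCCESS": "return",
    "NOTFOUND": "continue",
    "UNAVAIL": "continue",
    "TRYAGAIN": "continue",
}

_ACTION_RE = re.compile(r"^\[(.*)\]$")


def parse_nsswitch(text):
    """Return {database: [(source, {STATUS: action}), ...]}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        for tok in rest.split():
            m = _ACTION_RE.match(tok)
            if m is None:
                entries.append((tok, {}))
                continue
            if not entries:
                raise ValueError("action clause without a source: %r" % raw)
            for spec in m.group(1).split():
                status, _, action = spec.partition("=")
                entries[-1][1][status.upper()] = action.lower()
        table[db.strip()] = entries
    return table


def lookup(table, database, key, sources):
    """Walk the sources for one database until an action says 'return'.

    sources maps a source name to a callable key -> (status, value).
    Returns (status, value, list_of_sources_consulted).
    """
    consulted = []
    for source, actions in table[database]:
        consulted.append(source)
        status, value = sources[source](key)
        if actions.get(status, DEFAULT_ACTIONS[status]) == "return":
            return status, value, consulted
    return "NOTFOUND", None, consulted


def make_sources(nis_up):
    """Constructed NIS services map and local /etc/services contents."""
    nis_map = {"ssh": "ssh 22/tcp"}
    local = {"ssh": "ssh 22/tcp", "mydaemon": "mydaemon 9999/tcp"}

    def nis(key):
        if not nis_up:
            return "UNAVAIL", None          # ypbind has no server to ask
        return ("SUCCESS", nis_map[key]) if key in nis_map else ("NOTFOUND", None)

    def files(key):
        return ("SUCCESS", local[key]) if key in local else ("NOTFOUND", None)

    return {"nis": nis, "files": files}


CONF = "services: nis [NOTFOUND=return] files\n"


def demo():
    table = parse_nsswitch(CONF)
    # NIS answers but has no 'mydaemon': the search stops, files is never read.
    nis_up = lookup(table, "services", "mydaemon", make_sources(nis_up=True))
    # No NIS server responding: UNAVAIL is not NOTFOUND, so files is consulted.
    nis_down = lookup(table, "services", "mydaemon", make_sources(nis_up=False))
    return nis_up, nis_down


if __name__ == "__main__":
    for label, result in zip(("NIS up", "NIS down"), demo()):
        print("%-8s -> status=%s value=%r via %s" % ((label,) + result))
```

The two runs in demo() make the point of the comment block concrete: a local
entry that is absent from NIS is invisible while the NIS server answers, but
becomes visible as soon as the server stops responding. Anyone relying on
'[NOTFOUND=return]' to keep local overrides from taking effect should know that
an unreachable server (or a stalled ypbind) silently re-enables them.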
-----------------------------------------------------------------------------

7.6. Shadow Passwords with NIS

Shadow passwords over NIS are always a bad idea. You lose the security that
shadow gives you, because the password hashes become readable by every client
that may query the shadow map, and it is supported by only a few Linux C
libraries. A good way to avoid shadow passwords over NIS is to put only the
local system users in /etc/shadow. Remove the NIS user entries from the
shadow database, and put the password back in passwd. So you can use shadow
for the root login, and normal passwd for NIS users. This has the advantage
that it will work with every NIS client.

-----------------------------------------------------------------------------

7.6.1. Linux

The only Linux libc which supports shadow passwords over NIS is the GNU C
Library 2.x. Linux libc5 has no support for it. Linux libc5 compiled with NYS
enabled has some code for it, but this code is badly broken in some cases and
doesn't work with all correct shadow entries.

-----------------------------------------------------------------------------

7.6.2. Solaris

Solaris does not support shadow passwords over NIS.

-----------------------------------------------------------------------------

7.6.3. PAM

Linux-PAM 0.75 and newer does support shadow passwords over NIS if you use the
pam_unix.so module or if you install the extra pam_unix2.so module. Old
systems using pam_pwdb/libpwdb (for example Red Hat Linux 5.x) need to change
the /etc/pam.d/* entries. All pam_pwdb rules should be replaced by a
pam_unix_* module.

An example /etc/pam.d/login file looks like:

+----------------------------------------------------------------------------------+
|#%PAM-1.0                                                                         |
|auth     requisite  pam_unix2.so    nullok #set_secrpc                            |
|auth     required   pam_securetty.so                                              |
|auth     required   pam_nologin.so                                                |
|auth     required   pam_env.so                                                    |
|auth     required   pam_mail.so                                                   |
|account  required   pam_unix2.so                                                  |
|password required   pam_pwcheck.so   nullok                                       |
|password required   pam_unix2.so     nullok use_first_pass use_authtok            |
|session  required   pam_unix2.so     none # debug or trace                        |
|session  required   pam_limits.so                                                 |
+----------------------------------------------------------------------------------+

-----------------------------------------------------------------------------

8. What do you need to set up NIS+ ?

8.1. The Software

The Linux NIS+ client code was developed for the GNU C library 2. There is
also a port for Linux libc5, since most commercial applications were linked
against this library in the past, and you cannot recompile them to use
glibc. There are problems with libc5 and NIS+: static programs cannot be
linked with it, and programs compiled with this library will not work with
other libc5 versions.

As base system you need a glibc based distribution like Debian, Red Hat Linux
or SuSE Linux. If you have a Linux distribution which does not have glibc
2.1.1 or later, you need to update to a newer version.

The NIS+ client software can be obtained from:

+---------------------------------------------------------------------------------+
| Site                Directory                   File Name                       |
|                                                                                 |
| ftp.gnu.org         /pub/gnu/glibc              glibc-2.3.2.tar.gz,             |
|                                                 glibc-linuxthreads-2.3.2.tar.gz |
| ftp.kernel.org      /pub/linux/utils/net/NIS+   nis-utils-1.4.1.tar.gz          |
+---------------------------------------------------------------------------------+

You should also have a look at [http://www.linux-nis.org/nisplus/] http://
www.linux-nis.org/nisplus/ for more information and the latest sources.

-----------------------------------------------------------------------------

8.2. Setting up a NIS+ client

IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs for what
to do on the server side! This document only describes what to do on the
client side!

After installing the new libc and nis-tools, create the credentials for the
new client on the NIS+ server. Make sure portmap is running. Then check that
your Linux PC has the same time as the NIS+ server. For secure RPC, you have
only a small window of about 3 minutes in which the credentials are valid.
A good idea is to run xntpd on every host. After this, run

+---------------------------------------------------------------------------+
|domainname nisplus.domain.                                                 |
|nisinit -c -H <NIS+ server>                                                |
+---------------------------------------------------------------------------+

to initialize the cold start file. Read the nisinit man page for more
options. Make sure that the domainname will always be set after a reboot. If
you don't know what the NIS+ domain name is on your network, ask your system/
network administrator.

Now you should change your /etc/nsswitch.conf file. Make sure that the only
service after publickey is nisplus ("publickey: nisplus"), and nothing else!

Then start keyserv and make sure that it will always be started as the first
daemon after portmap at boot time. Run

+---------------------------------------------------------------------------+
|keylogin -r                                                                |
+---------------------------------------------------------------------------+

to store the root secret key on your system. (I hope you have added the
publickey for the new host on the NIS+ server?)

niscat passwd.org_dir should now show you all entries in the passwd database.

-----------------------------------------------------------------------------

8.3. NIS+, keylogin, login and PAM

When the user logs in, he needs to set his secret key in keyserv. This is done
by calling "keylogin". The login from the shadow package will do this for the
user if it was compiled against glibc 2.1. For a PAM aware login, you have
to change the /etc/pam.d/login file to use pam_unix2, not pwdb, which doesn't
support NIS+. An example:

+---------------------------------------------------------------------------+
|#%PAM-1.0                                                                  |
|auth       required     /lib/security/pam_securetty.so                     |
|auth       required     /lib/security/pam_unix2.so set_secrpc              |
|auth       required     /lib/security/pam_nologin.so                       |
|account    required     /lib/security/pam_unix2.so                         |
|password   required     /lib/security/pam_unix2.so                         |
|session    required     /lib/security/pam_unix2.so                         |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

8.4. The nsswitch.conf File

The Name Service Switch file /etc/nsswitch.conf determines the order of
lookups performed when a certain piece of information is requested, just like
the /etc/host.conf file which determines the way host lookups are performed.
For example, the line

+---------------------------------------------------------------------------+
|  hosts: files nisplus dns                                                 |
+---------------------------------------------------------------------------+

specifies that host lookup functions should first look in the local /etc/
hosts file, followed by a NIS+ lookup and finally through the domain name
service (/etc/resolv.conf and named), at which point if no match is found an
error is returned.

A good /etc/nsswitch.conf file for NIS+ is:

+---------------------------------------------------------------------------+
|#                                                                          |
|# /etc/nsswitch.conf                                                       |
|#                                                                          |
|# An example Name Service Switch config file. This file should be          |
|# sorted with the most-used services at the beginning.                     |
|#                                                                          |
|# The entry '[NOTFOUND=return]' means that the search for an               |
|# entry should stop if the search in the previous entry turned             |
|# up nothing. Note that if the search failed due to some other reason      |
|# (like no NIS server responding) then the search continues with the       |
|# next entry.                                                              |
|#                                                                          |
|# Legal entries are:                                                       |
|#                                                                          |
|#       nisplus                 Use NIS+ (NIS version 3)                   |
|#       nis                     Use NIS (NIS version 2), also called YP    |
|#       dns                     Use DNS (Domain Name Service)              |
|#       files                   Use the local files                        |
|#       db                      Use the /var/db databases                  |
|#       [NOTFOUND=return]       Stop searching if not found so far         |
|#                                                                          |
|                                                                           |
|passwd:     compat                                                         |
|group:      compat                                                         |
|shadow:     compat                                                         |
|                                                                           |
|passwd_compat: nisplus                                                     |
|group_compat:  nisplus                                                     |
|shadow_compat: nisplus                                                     |
|                                                                           |
|hosts:      nisplus files dns                                              |
|                                                                           |
|services:   nisplus [NOTFOUND=return] files                                |
|networks:   nisplus [NOTFOUND=return] files                                |
|protocols:  nisplus [NOTFOUND=return] files                                |
|rpc:        nisplus [NOTFOUND=return] files                                |
|ethers:     nisplus [NOTFOUND=return] files                                |
|netmasks:   nisplus [NOTFOUND=return] files                                |
|netgroup:   nisplus                                                        |
|bootparams: nisplus [NOTFOUND=return] files                                |
|publickey:  nisplus                                                        |
|automount:  files                                                          |
|aliases:    nisplus [NOTFOUND=return] files                                |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

9. Setting up a NIS Server

9.1. The Server Program ypserv

This document only describes how to set up the "ypserv" NIS server.

The NIS server software can be found on:

+---------------------------------------------------------------------------+
| Site               Directory                   File Name                  |
|                                                                           |
| ftp.kernel.org     /pub/linux/utils/net/NIS    ypserv-2.9.tar.gz          |
| ftp.kernel.org     /pub/linux/utils/net/NIS    ypserv-2.9.tar.bz2         |
+---------------------------------------------------------------------------+

You could also look at [http://www.linux-nis.org/nis/] http://
www.linux-nis.org/nis/ for more information.

The server setup is the same for both traditional NIS and NYS.

Compile the software to generate the ypserv and makedbm programs. ypserv-2.x
only supports the securenets file for access restrictions.

If you run your server as master, determine what files you require to be
available via NIS and then add or remove the appropriate entries to the "all"
rule in /var/yp/Makefile. You always should look at the Makefile and edit the
options at the beginning of the file.

There was one big change between ypserv 1.1 and ypserv 1.2. Since version
1.2, the file handles are cached. This means you always have to call makedbm
with the -c option if you create new maps. Make sure you are using the new /
var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in
the Makefile. If you don't do that, ypserv will continue to use the old maps,
and not the updated ones.

Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read
the ypserv(8) and ypserv.conf(5) manual pages.

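Since securenets is the only access control ypserv-2.x offers, it is worth
checking what a given file actually admits before the server goes live. The
following is an added example, not ypserv's own access code: it parses the two
line forms documented for securenets ('<netmask> <network>' and
'host <address>', '#' starting a comment) and reports, for a list of client
addresses, which of them would be allowed to query the server. The sample
file and the client addresses are constructed.

```python
"""Check which clients a /var/yp/securenets file admits.

Added example, not ypserv's own access code. It follows the two line
forms documented for securenets: '<netmask> <network>' and
'host <address>', with '#' starting a comment. SAMPLE_SECURENETS is a
constructed file; real deployments list their own networks.
"""
import ipaddress

SAMPLE_SECURENETS = """\
# constructed /var/yp/securenets
host 127.0.0.1
255.255.255.0 192.168.10.0
255.255.0.0   10.20.0.0
"""


def parse_securenets(text):
    """Return the list of networks (ipaddress objects) allowed to talk to ypserv."""
    allowed = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("securenets line %d: expected two fields, got %r"
                             % (lineno, raw))
        first, second = fields
        if first == "host":
            allowed.append(ipaddress.ip_network(second))      # single host, /32
        else:
            # (network, netmask) tuple form; strict=False masks off host bits
            # so that a sloppy '255.255.0.0 10.20.1.0' still means 10.20.0.0/16
            allowed.append(ipaddress.ip_network((second, first), strict=False))
    return allowed


def client_allowed(allowed, client):
    """True if the client address falls inside any securenets entry."""
    addr = ipaddress.ip_address(client)
    return any(addr in net for net in allowed)


def audit(allowed, clients):
    """Map each candidate client address to its verdict, for a quick review."""
    return {c: client_allowed(allowed, c) for c in clients}


if __name__ == "__main__":
    nets = parse_securenets(SAMPLE_SECURENETS)
    for net in nets:
        print("allow", net)
    verdicts = audit(nets, ["127.0.0.1", "192.168.10.77", "192.168.11.1",
                            "10.20.200.1", "172.16.0.1"])
    for client, ok in verdicts.items():
        print("%-15s %s" % (client, "allowed" if ok else "denied"))
```

Two caveats a practitioner should keep in mind: securenets is an allow-list
keyed on the client's source address only, so it stops casual map dumping
(ypcat passwd from an unlisted host) but does not authenticate clients; and an
empty list denies everything in this checker, whereas you should consult
ypserv(8) for how your ypserv version treats a missing or empty file.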
Make sure the portmapper (portmap(8)) is running, and start the server
ypserv. The command

+---------------------------------------------------------------------------+
|  % rpcinfo -u localhost ypserv                                            |
+---------------------------------------------------------------------------+

should output something like

+---------------------------------------------------------------------------+
|  program 100004 version 1 ready and waiting                               |
|  program 100004 version 2 ready and waiting                               |
+---------------------------------------------------------------------------+

The "version 1" line could be missing, depending on the ypserv version and
configuration you are using. It is only necessary if you have old SunOS 4.x
clients.

Now generate the NIS (YP) database. On the master, run

+---------------------------------------------------------------------------+
|  % /usr/lib/yp/ypinit -m                                                  |
+---------------------------------------------------------------------------+

On a slave make sure that ypwhich -m works. This means that your slave must
be configured as NIS client before you can run

+---------------------------------------------------------------------------+
|  % /usr/lib/yp/ypinit -s masterhost                                       |
+---------------------------------------------------------------------------+

to install the host as NIS slave.

That's it, your server is up and running.

If you have bigger problems, you could start ypserv and ypbind in debug mode
on different xterms. The debug output should show you what goes wrong.

If you need to update a map, run make in the /var/yp directory on the NIS
master. This will update a map if the source file is newer, and push the
files to the slave servers. Please don't use ypinit for updating a map.

You might want to edit root's crontab *on the slave* server and add the
following lines:

+---------------------------------------------------------------------------+
|  20 *    * * *    /usr/lib/yp/ypxfr_1perhour                              |
|  40 6    * * *    /usr/lib/yp/ypxfr_1perday                               |
|  55 6,18 * * *    /usr/lib/yp/ypxfr_2perday                               |
+---------------------------------------------------------------------------+

This will ensure that most NIS maps are kept up-to-date, even if an update is
missed because the slave was down at the time the update was done on the
master.

You can add a slave at any later time. At first, make sure that the new
slave server has permission to contact the NIS master. Then run

+---------------------------------------------------------------------------+
|  % /usr/lib/yp/ypinit -s masterhost                                       |
+---------------------------------------------------------------------------+

on the new slave. On the master server, add the new slave server name to /var
/yp/ypservers and run make in /var/yp to update the map.

If you want to restrict access for users to your NIS server, you'll have to
set up the NIS server as a client as well by running ypbind and adding the
plus-entries to /etc/passwd halfway through the password file. The library
functions will ignore all normal entries after the first NIS entry, and will
get the rest of the info through NIS. This way the NIS access rules are
maintained. An example:

+-------------------------------------------------------------------------------+
|  root:x:0:0:root:/root:/bin/bash                                              |
|  daemon:*:1:1:daemon:/usr/sbin:                                               |
|  bin:*:2:2:bin:/bin:                                                          |
|  sys:*:3:3:sys:/dev:                                                          |
|  sync:*:4:100:sync:/bin:/bin/sync                                             |
|  games:*:5:100:games:/usr/games:                                              |
|  man:*:6:100:man:/var/catman:                                                 |
|  lp:*:7:7:lp:/var/spool/lpd:                                                  |
|  mail:*:8:8:mail:/var/spool/mail:                                             |
|  news:*:9:9:news:/var/spool/news:                                             |
|  uucp:*:10:50:uucp:/var/spool/uucp:                                           |
|  nobody:*:65534:65534:noone at all,,,,:/dev/null:                             |
|  +miquels::::::                                                               |
|  +:*:::::/etc/NoShell                                                         |
|  [ All normal users AFTER this line! ]                                        |
|  tester:*:299:10:Just a test account:/tmp:                                    |
|  miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh   |
+-------------------------------------------------------------------------------+

Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels
will have normal access.

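The '+'/'-' rules that make the example above work (and the +@netgroup form
mentioned in Section 7.3) are easy to get wrong, so here is an added example,
not glibc's nss_compat or any code from the HOWTO, that resolves a login name
the way compat mode does: a '+name' line pulls one NIS user, a '-name' or
'-@netgroup' line excludes, a bare '+' line pulls every remaining NIS user, and
any non-empty field on a '+' line overrides the value from NIS. The local
passwd text, the NIS passwd map and the netgroup table are all constructed; the
NIS map already lacks the +/- lines, as it would after makedbm built it.

```python
"""Resolve a login name with the compat ('+'/'-') passwd rules.

Added example, not glibc's nss_compat. Both the local passwd file and
the NIS map below are constructed; NETGROUPS stands in for the netgroup
map that '+@name' / '-@name' lines consult.
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")

LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
-@banned
+miquels::::::
+:*:::::/etc/NoShell
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
"""

# What 'ypcat passwd' would return: the same users, without the +/- lines.
NIS_PASSWD = {
    "tester": "tester:*:299:10:Just a test account:/tmp:",
    "miquels": "miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh",
    "eve": "eve:abc:300:10:Eve:/home/eve:/bin/sh",
}

NETGROUPS = {"banned": {"eve"}}


def parse_entry(line):
    """Split one passwd(5) line into a dict; a bare '-@name' gets empty fields."""
    if ":" not in line:
        line += ":" * 6
    parts = line.split(":")
    if len(parts) != 7:
        raise ValueError("malformed passwd line: %r" % line)
    return dict(zip(FIELDS, parts))


def apply_overrides(nis_entry, template):
    """Non-empty fields on the '+' line (except the name) replace NIS values."""
    merged = dict(nis_entry)
    for field in FIELDS[1:]:
        if template[field]:
            merged[field] = template[field]
    return merged


def _matches(target, name, netgroups):
    if target == "":
        return True                               # bare '+' or '-': everyone
    if target.startswith("@"):
        return name in netgroups.get(target[1:], ())
    return target == name


def getpwnam_compat(name, local_text=LOCAL_PASSWD, nis=NIS_PASSWD,
                    netgroups=NETGROUPS):
    """Return the merged passwd dict for name, or None if unknown or excluded."""
    for raw in local_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        entry = parse_entry(raw)
        key = entry["name"]
        if key.startswith("-"):
            if _matches(key[1:], name, netgroups):
                return None                       # excluded: stop searching
            continue
        if key.startswith("+"):
            if _matches(key[1:], name, netgroups) and name in nis:
                return apply_overrides(parse_entry(nis[name]), entry)
            continue
        if key == name:
            return entry                          # ordinary local entry
    return None


if __name__ == "__main__":
    for user in ("root", "miquels", "tester", "eve", "ghost"):
        print(user, "->", getpwnam_compat(user))
```

Running it shows why the local lines after the '+' entries are effectively
shadowed: 'tester' is found through the bare '+' line with its password and
shell overridden, 'miquels' is found through '+miquels' and keeps the NIS
values, 'eve' is refused by the netgroup exclusion before NIS is ever asked,
and a name that is neither local nor in NIS falls through to "not found".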
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use
another source password file. On large systems the NIS password and group
files are usually stored in /etc/yp/. If you do this, the normal tools to
administer the password file such as passwd, chfn and adduser will not work
any more, and you need special homemade tools for this.

However, yppasswd, ypchsh and ypchfn will work of course.

-----------------------------------------------------------------------------

9.2. The Server Program yps

To set up the "yps" NIS server please refer to the previous paragraph. The
"yps" server setup is similar, _but_ not exactly the same, so beware if you
try to apply the "ypserv" instructions to "yps"! "yps" is not supported by
any author, and contains some security leaks. You really shouldn't use it!

The "yps" NIS server software can be found on:

+---------------------------------------------------------------------------+
| Site                 Directory                  File Name                 |
|                                                                           |
| ftp.lysator.liu.se   /pub/NYS/servers           yps-0.21.tar.gz           |
| ftp.kernel.org       /pub/linux/utils/net/NIS   yps-0.21.tar.gz           |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

9.3. The Program rpc.ypxfrd

rpc.ypxfrd is used to speed up the transfer of very large NIS maps from a
NIS master to NIS slave servers. If a NIS slave server receives a message
that there is a new map, it will start ypxfr for transferring the new map.
ypxfr will read the contents of a map from the master server using the yp_all
() function. This process can take several minutes when there are very large
maps which have to be stored by the database library.

The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave
servers to simply copy the master server's map files rather than building
their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol,
so that there is no need for building a new map.

rpc.ypxfrd can be started by inetd. But since it starts very slowly, it should
be started with ypserv. You need to start rpc.ypxfrd only on the NIS master
server.

-----------------------------------------------------------------------------

9.4. The Program rpc.yppasswdd

Whenever users change their passwords, the NIS password database and probably
other NIS databases which depend on the NIS password database should be
updated. The program "rpc.yppasswdd" is a server that handles password
changes and makes sure that the NIS information will be updated accordingly.
rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate
yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any
longer.

You need to start rpc.yppasswdd only on the NIS master server. By default,
users are not allowed to change their full name or the login shell. You can
allow this with the -e chfn or -e chsh option.

If your passwd and shadow files are in another directory than /etc, you
need to add the -D option. For example, if you have put all source files in /
etc/yp and wish to allow the user to change his shell, you need to start
rpc.yppasswdd with the following parameters:

+---------------------------------------------------------------------------+
|  rpc.yppasswdd -D /etc/yp -e chsh                                         |
+---------------------------------------------------------------------------+

or

+---------------------------------------------------------------------------+
|  rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh                |
+---------------------------------------------------------------------------+

There is nothing more to do. You just need to make sure that rpc.yppasswdd
uses the same files as /var/yp/Makefile. Errors will be logged using syslog.

-----------------------------------------------------------------------------

10. Verifying the NIS/NYS Installation

If everything is fine (as it should be), you should be able to verify your
installation with a few simple commands. Assuming, for example, your passwd
file is being supplied by NIS, the command

+---------------------------------------------------------------------------+
|  % ypcat passwd                                                           |
+---------------------------------------------------------------------------+

should give you the contents of your NIS passwd file. The command

+---------------------------------------------------------------------------+
|  % ypmatch userid passwd                                                  |
+---------------------------------------------------------------------------+

(where userid is the login name of an arbitrary user) should give you the
user's entry in the NIS passwd file. The "ypcat" and "ypmatch" programs
should be included with your distribution of traditional NIS or NYS.

If a user cannot log in, run the following program on the client:

+---------------------------------------------------------------------------+
|#include <stdio.h>                                                         |
|#include <stdlib.h>                                                        |
|#include <pwd.h>                                                           |
|#include <sys/types.h>                                                     |
|                                                                           |
|/* Print every field getpwnam() returns for one login name, so that a      |
|   wrong or missing field (often a password of "*") can be spotted. */     |
|int                                                                        |
|main(int argc, char *argv[])                                               |
|{                                                                          |
|  struct passwd *pwd;                                                      |
|                                                                           |
|  if(argc != 2)                                                            |
|    {                                                                      |
|      fprintf(stderr,"Usage: getpwnam username\n");                        |
|      exit(1);                                                             |
|    }                                                                      |
|                                                                           |
|  pwd=getpwnam(argv[1]);                                                   |
|                                                                           |
|  if(pwd != NULL)                                                          |
|    {                                                                      |
|      printf("name.....: [%s]\n",pwd->pw_name);                            |
|      printf("password.: [%s]\n",pwd->pw_passwd);                          |
|      printf("user id..: [%lu]\n",(unsigned long) pwd->pw_uid);            |
|      printf("group id.: [%lu]\n",(unsigned long) pwd->pw_gid);            |
|      printf("gecos....: [%s]\n",pwd->pw_gecos);                           |
|      printf("directory: [%s]\n",pwd->pw_dir);                             |
|      printf("shell....: [%s]\n",pwd->pw_shell);                           |
|    }                                                                      |
|  else                                                                     |
|    fprintf(stderr,"User \"%s\" not found!\n",argv[1]);                    |
|                                                                           |
|  exit(0);                                                                 |
|}                                                                          |
+---------------------------------------------------------------------------+

Running this program with the username as parameter will print all the
information the getpwnam function gives back for this user. This should show
you which entry is incorrect. The most common problem is that the password
field is overwritten with a "*".

GNU C Library 2.1 (glibc 2.1) comes with a tool called getent. Use this
program instead of the above on such a system. You could try:

+---------------------------------------------------------------------------+
|  getent passwd                                                            |
+---------------------------------------------------------------------------+

or

+---------------------------------------------------------------------------+
|  getent passwd login                                                      |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

11. Creating and Updating NIS maps

11.1. Creating new NIS maps

The initial NIS maps will be created by running

+---------------------------------------------------------------------------+
|  % /usr/lib/yp/ypinit -m                                                  |
+---------------------------------------------------------------------------+

This is done when setting up the NIS master server for the first time. For
more information about this, read Section 9. If you wish to add new maps to
your server or remove old ones, you need to edit the /var/yp/Makefile and
change the all: rule. Add or remove the name of the rule which generates the
map.

If you delete a map, you also have to remove the corresponding files.

After this change, you only need to run

+---------------------------------------------------------------------------+
|  % make -C /var/yp                                                        |
+---------------------------------------------------------------------------+

and the maps should be created.

-----------------------------------------------------------------------------

11.2. Updating NIS maps

If you modify the sources for the NIS maps (for example if you create a new
user by adding the account to the passwd file), you need to regenerate the
NIS maps. This is done by a simple

+---------------------------------------------------------------------------+
|  % make -C /var/yp                                                        |
+---------------------------------------------------------------------------+

This command will check which sources have changed, create the maps anew and
tell ypserv that the maps have changed.

-----------------------------------------------------------------------------

11.3. Length of Map entries

The length of one entry is limited by the NIS protocol to 1024 characters.
You can't just increase this value and recompile the system. Every system
that uses NIS v2 expects key and data values to be no more than 1024 bytes in
size; if you suddenly make YPMAXRECORD larger on your client and server, you
will break interoperability with all other systems on your network that use
NIS. To make it work right, you'd have to go to every vendor that supports
NIS and get them all to make the change at the same time. Chances are you
won't be able to do this.

With glibc 2.1 and newer this limit was removed from the glibc NIS
implementation. So it is possible under Linux to use longer entries, but only
if you have no other NIS clients or servers in your network.

To allow the creation of NIS maps with a longer entry, you need to add the
--no-limit-check option to the makedbm call in /var/yp/Makefile.

The result should look like:

+-------------------------------------------------------------------------------------+
|DBLOAD = $(YPBINDIR)/makedbm -c -m `$(YPBINDIR)/yphelper --hostname` --no-limit-check|
+-------------------------------------------------------------------------------------+

WARNING: This breaks the NIS protocol, and even though Linux supports it, not
all applications running under Linux work with this change!

There is another way of solving this problem for /etc/group entries. This
idea is from Ken Cameron:

+---------------------------------------------------------------------------+
|1. Break the entry into more than one line and name each group             |
|   slightly different.                                                     |
|                                                                           |
|2. keep the GID the same for all.                                          |
|                                                                           |
|3. have the first entry with the right group name and the GID.             |
|   I don't put any user names in this one.                                 |
|                                                                           |
|What happens is that going by user name you pick up the GID when the code  |
|reads it. Then going the other way it stops after the first match of GID   |
|and takes that name. It's ugly but works!                                  |
+---------------------------------------------------------------------------+

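The workaround above is mechanical enough to automate. The following is an
added example, not from the HOWTO's author or from ypserv: it takes a group(5)
line whose member list would exceed the 1024-byte NIS v2 record limit and
splits it as described, the first line keeping the real group name and GID
with no members, the members spread over continuation groups named <name>1,
<name>2, ... that share the GID. YPMAXRECORD is the protocol limit named in
the text; the 'staff' group used as input is constructed.

```python
"""Split a group(5) line that is too long for a NIS v2 record.

Added example, not from the HOWTO's author or from ypserv. Implements the
workaround quoted above: first line = real name + GID, no members; extra
lines <name>1, <name>2, ... carry the members and share the GID.
YPMAXRECORD is the 1024-byte protocol limit. The sample group is constructed.
"""

YPMAXRECORD = 1024


def exceeds_limit(key, data, limit=YPMAXRECORD):
    """True if a NIS key or its data would not fit in one v2 record."""
    return len(key.encode()) > limit or len(data.encode()) > limit


def _emit(name, idx, passwd, gid, users):
    """Format one continuation group line such as 'staff1:*:500:a,b,c'."""
    return "%s%d:%s:%s:%s" % (name, idx, passwd, gid, ",".join(users))


def split_group_line(line, limit=YPMAXRECORD):
    """Return a list of group(5) lines, each short enough for one NIS record."""
    line = line.rstrip("\n")
    name, passwd, gid, members = line.split(":")
    if not exceeds_limit(name, line, limit):
        return [line]                              # fits, nothing to do
    users = [u for u in members.split(",") if u]
    out = ["%s:%s:%s:" % (name, passwd, gid)]      # real name, real GID, no members
    chunk, idx = [], 1
    for user in users:
        trial = _emit(name, idx, passwd, gid, chunk + [user])
        if chunk and exceeds_limit("%s%d" % (name, idx), trial, limit):
            out.append(_emit(name, idx, passwd, gid, chunk))
            idx, chunk = idx + 1, []
        chunk.append(user)
    if chunk:
        out.append(_emit(name, idx, passwd, gid, chunk))
    return out


def build_sample(count=200):
    """Constructed 'staff' group with far more members than fit in 1024 bytes."""
    return "staff:*:500:" + ",".join("user%03d" % i for i in range(count))


if __name__ == "__main__":
    for entry in split_group_line(build_sample()):
        print("%4d bytes  %s%s" % (len(entry), entry[:60],
                                   "..." if len(entry) > 60 else ""))
```

The limitations are the ones the quoted text states: getgrnam("staff")
returns the right GID but an empty member list, getgrgid(500) stops at the
first line with that GID and so reports the real name, and determining a
user's groups still works because every continuation line carries the GID.
Anything that enumerates membership by group name, for example an access rule
of the form "members of group staff", will see nobody, so check such rules
before using this trick on a security-relevant group.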
-----------------------------------------------------------------------------

12. Surviving a Reboot

Once you have NIS correctly configured on the server and client, you do need
to be sure that the configuration will survive a reboot.

There are two separate issues to check: the existence of an init script and
the correct storage of the NIS domain name.

-----------------------------------------------------------------------------

12.1. NIS Init Script

In your version of Linux, you need to check your directory of init scripts,
typically /etc/init.d, /etc/rc.d/init.d or /sbin/init.d, to be sure there is a
startup script there for NIS. Usually this file is called ypbind or ypclient.

-----------------------------------------------------------------------------

12.2. NIS Domain Name

Perhaps the greatest issue that some people have with NIS is ensuring that
the NIS domain name is available after a reboot. According to Solaris 2.x,
the NIS domain name should be entered as a single line in:

+---------------------------------------------------------------------------+
|  /etc/defaultdomain                                                       |
+---------------------------------------------------------------------------+

However, most Linux distributions do not seem to use this file.

-----------------------------------------------------------------------------

12.3. Distribution-specific Issues

At this time, the following information is known about how various Linux
distributions handle the storage of the NIS domainname.

-----------------------------------------------------------------------------

12.3.1. Caldera 2.x

Caldera uses the file /etc/nis.conf which has the same format as the normal /
etc/yp.conf.

-----------------------------------------------------------------------------

12.3.2. Debian

Debian appears to follow Sun's usage of /etc/defaultdomain.

-----------------------------------------------------------------------------

12.3.3. Red Hat Linux 6.x, 7.x, 8.x and 9

Create or modify the variable NISDOMAIN in the file /etc/sysconfig/network.

-----------------------------------------------------------------------------

12.3.4. SuSE Linux 6.x and 7.x
|
|||
|
|
|||
|
Modify the variable YP_DOMAINNAME in /etc/rc.config and then run the command
|
|||
|
SuSEconfig.
|
|||
|
-----------------------------------------------------------------------------
|
|||
|
|
|||
|
12.3.5. SuSE Linux 8.x and later
|
|||
|
|
|||
|
Since version 8.0 SuSE Linux also follow Sun's usage of /etc/defaultdomain.
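As an added check (example code, not from the HOWTO), the following Python snippet looks in each of the locations listed above and reports where, if anywhere, the NIS domain name is persisted, so a missing entry can be found before the next reboot. The sample file contents are constructed, and the order in which the locations are tried is an assumption of this example.

```python
import os
import re

# Where the HOWTO says the NIS domain name is persisted, checked in this order.
# Caldera's /etc/nis.conf uses yp.conf syntax, e.g. "domain NAME server HOST".
_SHELL_VAR = re.compile(r'^\s*(?:export\s+)?(NISDOMAIN|YP_DOMAINNAME)=["\']?([^"\'\s#]+)')
_YPCONF_DOMAIN = re.compile(r'^\s*domain\s+(\S+)')


def _first_shell_var(text, varname):
    for line in text.splitlines():
        m = _SHELL_VAR.match(line)
        if m and m.group(1) == varname:
            return m.group(2)
    return None                 # variable unset, or set to the empty string


def nisdomain_from_files(files):
    """files maps absolute path -> contents; missing files are simply absent.
    Returns (path, domain) for the first location that yields a name, else None."""
    if "/etc/defaultdomain" in files:                   # Sun, Debian, SuSE >= 8.0
        for line in files["/etc/defaultdomain"].splitlines():
            if line.strip() and not line.lstrip().startswith("#"):
                return ("/etc/defaultdomain", line.strip())
    if "/etc/sysconfig/network" in files:               # Red Hat 6.x to 9
        d = _first_shell_var(files["/etc/sysconfig/network"], "NISDOMAIN")
        if d:
            return ("/etc/sysconfig/network", d)
    if "/etc/rc.config" in files:                       # SuSE 6.x and 7.x
        d = _first_shell_var(files["/etc/rc.config"], "YP_DOMAINNAME")
        if d:
            return ("/etc/rc.config", d)
    if "/etc/nis.conf" in files:                        # Caldera 2.x
        for line in files["/etc/nis.conf"].splitlines():
            m = _YPCONF_DOMAIN.match(line)
            if m:
                return ("/etc/nis.conf", m.group(1))
    return None


def nisdomain_from_system(root="/"):
    """Read whichever of the four files exist under `root` and check them."""
    files = {}
    for p in ("/etc/defaultdomain", "/etc/sysconfig/network", "/etc/rc.config", "/etc/nis.conf"):
        full = os.path.join(root, p.lstrip("/"))
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[p] = fh.read()
    return nisdomain_from_files(files)


if __name__ == "__main__":   # constructed sample in Red Hat style
    print(nisdomain_from_files({"/etc/sysconfig/network": 'NISDOMAIN="lab.example"\n'}))
```

Compare the reported name with the output of domainname on the running system; a mismatch or a None result means the setting will not survive a reboot.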

-----------------------------------------------------------------------------

13. Changing passwords with rpasswd

The standard way to change a NIS password is to call yppasswd; on some
systems this is only an alias for passwd. This command uses the yppasswd
protocol and needs a running rpc.yppasswdd process on the NIS master server.
The protocol has the disadvantage that the old password is sent in clear
text over the network. This is not so problematic if the password change was
successful: in this case, the old password is replaced with the new one. But
if the password change fails, an attacker can use the clear password to log
in as this user. Even worse: if the system administrator changes the NIS
password for another user, the root password of the NIS master server is
transferred in clear text over the network, and this one will not be
changed.

One solution is not to use yppasswd for changing the password. Instead, a
good alternative is the rpasswd command from the pwdutils package.

+-----------------------------------------------------------------------------+
| Site            Directory                           File Name               |
|                                                                             |
| ftp.kernel.org  /pub/linux/utils/net/NIS            pwdutils-2.3.tar.gz     |
| ftp.suse.com    /pub/people/kukuk/pam/pam_pwcheck   pam_pwcheck-2.2.tar.bz2 |
| ftp.suse.com    /pub/people/kukuk/pam/pam_unix2     pam_unix2-1.16.tar.bz2  |
+-----------------------------------------------------------------------------+

rpasswd changes passwords for user accounts on a remote server over a secure
SSL connection. A normal user may only change the password for their own
account; if the user knows the password of the administrator account (at the
moment this is the root password on the server), he may change the password
for any account by calling rpasswd with the -a option.
-----------------------------------------------------------------------------

13.1. Server Configuration

For the server you first need a certificate; the default filename for this
is /etc/rpasswdd.pem. The file can be created with the following command:

+----------------------------------------------------------------------------------------+
|openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem|
+----------------------------------------------------------------------------------------+

A PAM configuration file for rpasswdd is needed, too. If the NIS accounts are
stored in /etc/passwd, the following is a good starting point for a working
configuration:

+---------------------------------------------------------------------------+
|#%PAM-1.0                                                                  |
|auth     required pam_unix2.so                                             |
|account  required pam_unix2.so                                             |
|password required pam_pwcheck.so                                           |
|password required pam_unix2.so use_first_pass use_authtok                  |
|password required pam_make.so /var/yp                                      |
|session  required pam_unix2.so                                             |
+---------------------------------------------------------------------------+

If the sources for the NIS password maps are stored in another location (for
example in /etc/yp), the nisdir option of pam_unix2 can be used to find the
source files in that place:

+----------------------------------------------------------------------------------+
|#%PAM-1.0                                                                         |
|auth     required pam_unix2.so                                                    |
|account  required pam_unix2.so                                                    |
|password required pam_pwcheck.so nisdir=/etc/yp                                   |
|password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok          |
|password required pam_make.so /var/yp                                             |
|session  required pam_unix2.so                                                    |
+----------------------------------------------------------------------------------+

Now start the rpasswdd daemon on the NIS master server.

Since the password change is done with PAM modules, rpasswdd is also able to
allow password changes for NIS+, LDAP or other services supported by a PAM
module.

-----------------------------------------------------------------------------

13.2. Client Configuration

On every client only the configuration file /etc/rpasswd.conf, which contains
the name of the server, is needed. If the server does not run on the default
port, the correct port can also be given here:

+---------------------------------------------------------------------------+
|# rpasswdd runs on master.example.com                                      |
|server master.example.com                                                  |
|# Port 774 is the default port                                             |
|port 774                                                                   |
+---------------------------------------------------------------------------+

-----------------------------------------------------------------------------

14. Common Problems and Troubleshooting NIS

Here are some common problems reported by various users:

 1. The libraries for 4.5.19 are broken. NIS won't work with it.

 2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command
    breaks. You need to get the su command from the Slackware 1.2.0
    distribution. Incidentally, that's where you can get the updated
    libraries.

 3. When a NIS server goes down and comes up again ypbind starts complaining
    with messages like:

    +---------------------------------------------------------------+
    | yp_match: clnt_call:                                          |
    | RPC: Unable to receive; errno = Connection refused            |
    +---------------------------------------------------------------+

    and logins are refused for those who are registered in the NIS database.
    Try to log in as root, kill ypbind and start it up again. An update to
    ypbind 3.3 or higher should also help.

 4. After upgrading the libc to a version greater than 5.4.20, the YP tools
    will not work any longer. You need yp-tools 1.2 or later for libc >=
    5.4.21 and glibc 2.x. For earlier libc versions you need yp-clients 2.2.
    yp-tools 2.x should work for all libraries.

 5. In libc 5.4.21 - 5.4.35 yp_maplist is broken; you need 5.4.36 or later,
    or some YP programs like ypwhich will segfault.

 6. libc 5 with traditional NIS doesn't support shadow passwords over NIS.
    You need libc5 + NYS or glibc 2.x.

 7. ypcat shadow doesn't show the shadow map. This is correct: the name of
    the shadow map is shadow.byname, not shadow.

 8. Solaris doesn't always use privileged ports. So don't use password
    mangling if you have a Solaris client.

-----------------------------------------------------------------------------

15. Frequently Asked Questions

Most of your questions should be answered by now. If there are still
questions unanswered you might want to post a message to

+---------------------------------------------------------------------------+
| comp.os.linux.networking                                                  |
+---------------------------------------------------------------------------+
