How to set up NIS on your e-smith server

Dan York

e-smith, inc.

Table of Contents
1. Introduction
2. Installing the software on the server
3. Configuring the client systems
3.1. Surviving a Reboot
3.2. Configuring /etc/nsswitch.conf
4. Final Notes

This procedure has been tested on systems running e-smith server 4.1, 4.1.1 and 4.1.2. It should work on e-smith 4.0 as well.


1. Introduction

This document explains how to install the Network Information Service (NIS) onto an e-smith server and gateway. NIS is a directory service that provides configuration information to other UNIX or Linux computer systems. If you have a network with Linux/UNIX clients, NIS allows you to synchronize user and group account information between your e-smith server and those clients. For instance, NIS allows a user to log in to any Linux/UNIX client using the same username and password. NIS can also be used to synchronize such information as the list of services and protocols.

The basic scenario is that your e-smith server runs a service called ypserv which serves out the configuration information on your local network. Each client machine runs a service called ypbind that binds the client system to the NIS server. Both client and server are associated with each other through the use of the same NIS domain name. (Note that this is a completely separate "domain name" from the one used by DNS and from the one used by Microsoft Windows NT.)

Note: When choosing an NIS domain name, it is strongly suggested that you simply use your DNS domain name (such as "tofu-dog.com") unless you really know what you are doing and have some reason to use a different name. Do not treat the NIS domain name as a secret: any client that can reach ypserv and guesses the name can read the maps, so it is the access controls described in step 8 of the next section, not the name, that limit who can use the server.

For more information about NIS, view the Linux Documentation Project HOWTO at http://www.linuxdoc.org/HOWTO/NIS-HOWTO/

Warning

Be aware that there is a major security weakness in NIS: the configuration information is transmitted across your local network in the clear, without any encryption. The passwords themselves are stored as hashes, but those hashes are served out in the passwd map exactly as they are, so anyone who can reach ypserv and knows (or guesses) the NIS domain name can fetch them with ypcat and attack them offline, and anyone who can sniff the network segment sees them in transit. For this reason, large sites prefer to use "NIS+", a combination of rsync and ssh, or other directory service tools. However, full support for NIS+ on Linux is not currently available.

Note that because of this inherent insecurity, e-smith, inc., does not have any current plans to integrate NIS support directly into the base e-smith server and gateway product.

As a final comment, you will notice that all the NIS commands start with "yp". This is due to the fact that originally NIS was called "Yellow Pages" and generally referred to as "yp". However, one of the telephone companies asserted its trademark over the term "Yellow Pages" and so the overall service was renamed to NIS. The commands, however, retained their original names.


2. Installing the software on the server

To install NIS, you need six RPMs. One, e-smith-ypserv, can be obtained from Gordon Rowell's contrib directory at ftp://ftp.e-smith.org/pub/e-smith/contrib/GordonRowell/RPMS/noarch/

The other five, portmap, make, ypserv, ypbind, and yp-tools you need to obtain from a Red Hat 7.0 distribution. You can copy the RPMs from the /RedHat/RPMS/ directory on a RH7 CD or can obtain them from the Red Hat FTP site at ftp://ftp.redhat.com/pub/redhat/linux/7.0/en/os/i386/RedHat/RPMS/ (Given how busy Red Hat's FTP servers can be, you may need to download them in advance as you may have to go to several different mirror sites to obtain the RPM files you need. The list of Red Hat mirror sites is available at http://www.redhat.com/download/mirror.html)

Note that for the sake of readability and clarity, the instructions below show installing the rpms from a local directory on your e-smith server. This assumes that you have downloaded the rpms as mentioned above. Instead of doing this, you can also directly obtain the RPMs from the appropriate FTP sites during the installation procedure using the rpm command. If you choose to do this, simply use the full ftp URL to the RPM file instead of just the filename in the steps below.

Note: The portmap RPM is not installed by default on the e-smith server and gateway. However, if you have previously installed NFS support, you will have already installed portmap. To see if you have it installed, type the command rpm -q portmap at the Linux prompt on your e-smith server and gateway. (See step 1 below about accessing the prompt.)

Similarly, you may have previously installed make if you added compilers or other development tools to your system. Type rpm -q make to see if you have make installed. If you do, you can skip that step below.

Complete the following steps to add NIS to your e-smith server and gateway:

  1. Access the underlying Linux operating system by logging in as the user "root" with the admin password that you created during the configuration process. If your e-smith server is displaying the server console and not a login prompt, press Alt-F2 to switch to another console screen with a login prompt. To switch back, press Alt-F1.

    Note that if you have ssh enabled and you allow administrative access using ssh, you can perform all of these steps remotely via an ssh connection.

  2. Make sure that you have either downloaded the appropriate RPMs to a directory on your e-smith server or that you know the full FTP URLs to use in the installation procedure.

  3. Next you need to start installing the Red Hat RPMs. Execute the following two commands to install portmap and make if they are not already on your system:

    rpm -Uvh portmap-4.0-29.i386.rpm
    rpm -Uvh make-3.79.1-5.i386.rpm

    As an example of using the full URL, the following rpm command is an alternative way of installing the make rpm (assuming that you can gain entry into the very busy ftp.redhat.com ftp site):

    rpm -Uvh ftp://ftp.redhat.com/pub/redhat/linux/7.0/en/os/i386/RedHat/RPMS/make-3.79.1-5.i386.rpm
  4. Next install the NIS RPMs:

    rpm -Uvh ypserv-1.3.11-9.i386.rpm
    rpm -Uvh ypbind-1.6-11.i386.rpm yp-tools-2.4-4.i386.rpm

    Note that in this last case two RPMs are installed on the same command line. This is necessary because each depends on the other, and rpm reports a dependency error if you try to install one while the other is absent.

  5. Next, you need to download and install Gordon's contributed RPM that installs the e-smith-specific components you need. Run the command:

    rpm -Uvh e-smith-ypserv-1.1.0-04.noarch.rpm
  6. You now have the necessary files installed. Using an editor such as vi, edit the file /etc/yp.conf and add the following line:

    domain domainname server e-smith server name or IP address

    where domainname is the name you want to use for your NIS domain. As an example, if your e-smith server has the IP address of 192.168.1.1 and you want your NIS domainname to be "tofu-dog.com" (for our sample company, The Pagan Vegan), then your entry would be as follows:

    domain tofu-dog.com server 192.168.1.1

    Note that it is possible to use a hostname for the server instead of the IP address. If you choose to do so, the hostname must be in /etc/hosts.

  7. In order for NIS to come back up once your system is rebooted, you need to add the environment variable NISDOMAIN to the file /etc/sysconfig/network. The e-smith way of doing this is to create a custom template fragment that carries the information. There are three steps to this process:

    1. Create the directory /etc/e-smith/templates-custom/etc/sysconfig/network. As you will very likely need to create the parent directories as well, a simple way to do this is:

      mkdir -p /etc/e-smith/templates-custom/etc/sysconfig/network
    2. In that directory, create a file called 30nis with the contents:

      NISDOMAIN=domainname

      where domainname is your NIS domain name.

    3. Expand the template using the command:

      /sbin/e-smith/expand-template /etc/sysconfig/network

      If you now do "cat /etc/sysconfig/network" you should see that the NISDOMAIN variable has been set.

  8. While you are working with custom templates, you need to create some fragments to go into /etc/hosts.allow that will allow hosts on your local network to actually access the NIS services. This involves the following process:

    1. Create the directory /etc/e-smith/templates-custom/etc/hosts.allow:

      mkdir -p /etc/e-smith/templates-custom/etc/hosts.allow
    2. In that directory, create a file called ypserv with the contents:

      ypserv: 127.0.0.1, your-network-IP-address/255.255.255.0

      where your-network-IP-address is the network address of your local network, that is, your server's address with the host portion set to zero. (For instance, if your e-smith server is 192.168.10.1 and your DHCP hosts are 192.168.10.65 through 192.168.10.250, your network address is 192.168.10.0.) Here is an example:

      ypserv: 127.0.0.1, 192.168.10.0/255.255.255.0

      Note: If you are using custom subnet masks, you will of course need to use them in place of the "255.255.255.0" that I use above. Also, if you have more than one local network, you will need to include additional "network/netmask" entries for each local network that will use NIS.

    3. Along the same lines, create a file called portmap in the same directory with the contents:

      portmap: 127.0.0.1, your-network-IP-address/255.255.255.0

      where your-network-IP-address is the IP address of your network.

    4. Expand the template using the command:

      /sbin/e-smith/expand-template /etc/hosts.allow

    This will now allow local hosts to connect to the portmap and ypserv daemons. Two checks are worth making here. First, tcp_wrappers only refuses a connection that /etc/hosts.deny rejects, so confirm that hosts.deny carries a catch-all entry (ALL: ALL); without it, the lines above restrict nothing. You can test the rules without a client by running tcpdmatch ypserv 10.0.0.5 (which should report access denied) and tcpdmatch ypserv 192.168.10.77 (access granted). Second, once the server is running (step 13), try ypcat -d tofu-dog.com -h 192.168.10.1 passwd from a host outside the allowed network; it should fail. If it succeeds, your ypserv build is not consulting tcp_wrappers and you will have to restrict access with /var/yp/securenets instead (see the ypserv man page).

  9. You next have to start the services. First, start portmap and ypserv:

    /etc/rc.d/init.d/portmap start
    /etc/rc.d/init.d/ypserv start
  10. Now you have to set the NIS domainname by typing the command:

    domainname whatever-your-domainname-is

    You only need to do this now when you are initially setting up the system. When your system reboots in the future, the NIS domain name will be automatically set via the /etc/sysconfig/network file that you modified earlier.

  11. Next you need to initialize the NIS database using:

    /usr/lib/ypinit -m

    You will see that your e-smith server is listed with its full DNS domain name as an NIS server, and you will be prompted for further hosts that will be NIS servers. Simply press Ctrl+D to exit from this prompt. You will then see messages about the NIS database being built.

  12. Now you can start up the client services:

    /etc/rc.d/init.d/ypbind start
    /etc/rc.d/init.d/yppasswdd start

    Note that there are indeed two 'd' characters at the end of that last filename (yppasswdd) above.

  13. Assuming that you saw no error messages, you should be able to now test NIS using, for instance, the ypcat command. As an example:

    ypcat passwd

    should show you the contents of the /etc/passwd on your e-smith server (password hashes included, as discussed in the warning in the introduction), which is exactly the information the hosts.allow restrictions in step 8 are there to protect.

  14. When you are finished, log out from the root account.
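The server-side procedure above, gathered into one script as an added example; it is not part of the original HOWTO or of the e-smith-ypserv package. It uses the page's sample values (server 192.168.10.1, NIS domain tofu-dog.com, netmask 255.255.255.0; all overridable through environment variables), computes the network address that the hosts.allow fragments need from the server address and netmask, reports whether a given client address would fall inside the allowed network, and stages the custom-template fragments and the yp.conf line under a DESTDIR so you can review them before touching the live system. The DESTDIR staging, the APPLY switch and every function name are this script's own conventions, not e-smith's. With APPLY=1 it runs the page's commands for steps 7.3, 8.4 and 9 through 12 on the real server as root. The yp_conf_line function produces the same line each client needs in section 3.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO or of e-smith-ypserv.
# Stages the files from steps 6-8 under DESTDIR and, with APPLY=1, runs the
# page's commands for steps 7.3, 8.4 and 9-12 on the live server as root.
# The addresses below are the page's sample values; override them with
# environment variables. DESTDIR staging is this script's own idea.
NIS_DOMAIN="${NIS_DOMAIN:-tofu-dog.com}"
SERVER_IP="${SERVER_IP:-192.168.10.1}"
NETMASK="${NETMASK:-255.255.255.0}"

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    vi_ifs="$IFS"; IFS=.; set -- $1; IFS="$vi_ifs"
    [ $# -eq 4 ] || return 1
    for vi_o in "$@"; do
        [ "$vi_o" -le 255 ] || return 1
    done
    return 0
}

# network_address ADDR MASK: AND the octets, so 192.168.10.1 255.255.255.0
# yields 192.168.10.0, the value the hosts.allow fragments need
network_address() {
    na_ifs="$IFS"; IFS=.; set -- $1 $2; IFS="$na_ifs"
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
}

# client_allowed CLIENT: will the generated hosts.allow lines admit CLIENT?
client_allowed() {
    [ "$(network_address "$1" "$NETMASK")" = \
      "$(network_address "$SERVER_IP" "$NETMASK")" ]
}

# yp_conf_line: the step 6 line for /etc/yp.conf, identical on every client
yp_conf_line() {
    echo "domain $NIS_DOMAIN server $SERVER_IP"
}

# write_fragment TEMPLATE NAME CONTENT: one custom-template fragment
write_fragment() {
    wf_dir="$DESTDIR/etc/e-smith/templates-custom$1"
    mkdir -p "$wf_dir" && printf '%s\n' "$3" > "$wf_dir/$2"
}

# stage_templates: steps 6, 7.1-7.2 and 8.1-8.3 (files only, no services)
stage_templates() {
    valid_ipv4 "$SERVER_IP" && valid_ipv4 "$NETMASK" || {
        echo "SERVER_IP or NETMASK is not a dotted quad" >&2; return 1; }
    st_net=$(network_address "$SERVER_IP" "$NETMASK")
    write_fragment /etc/sysconfig/network 30nis "NISDOMAIN=$NIS_DOMAIN"
    write_fragment /etc/hosts.allow ypserv "ypserv: 127.0.0.1, $st_net/$NETMASK"
    write_fragment /etc/hosts.allow portmap "portmap: 127.0.0.1, $st_net/$NETMASK"
    # /etc/yp.conf is edited directly on the page, not templated; add once
    mkdir -p "$DESTDIR/etc"
    grep -qs "^domain $NIS_DOMAIN " "$DESTDIR/etc/yp.conf" ||
        yp_conf_line >> "$DESTDIR/etc/yp.conf"
}

# show_staged: print what stage_templates produced
show_staged() {
    for ss_f in etc/e-smith/templates-custom/etc/sysconfig/network/30nis \
                etc/e-smith/templates-custom/etc/hosts.allow/ypserv \
                etc/e-smith/templates-custom/etc/hosts.allow/portmap \
                etc/yp.conf; do
        echo "== $DESTDIR/$ss_f"; cat "$DESTDIR/$ss_f"
    done
}

# apply_live: the page's own commands; only sensible as root on the server
apply_live() {
    /sbin/e-smith/expand-template /etc/sysconfig/network
    /sbin/e-smith/expand-template /etc/hosts.allow
    /etc/rc.d/init.d/portmap start
    /etc/rc.d/init.d/ypserv start
    domainname "$NIS_DOMAIN"
    /usr/lib/ypinit -m                 # press Ctrl+D at the "next host" prompt
    /etc/rc.d/init.d/ypbind start
    /etc/rc.d/init.d/yppasswdd start
    ypcat passwd > /dev/null && echo "NIS is answering for $NIS_DOMAIN"
}

if [ "${APPLY:-0}" = "1" ]; then
    DESTDIR=""; stage_templates && apply_live
else
    DESTDIR="${DESTDIR:-$(mktemp -d)}"; stage_templates && show_staged
fi
```

Run it with no arguments to see the fragments it would create in a scratch directory; run SERVER_IP=192.168.1.1 NETMASK=255.255.255.0 sh nis-server.sh to preview a different network; run APPLY=1 sh nis-server.sh as root on the e-smith server to perform the live steps, answering the ypinit prompt with Ctrl+D as the text describes.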


3. Configuring the client systems

On each client Linux/UNIX system, you need to perform these steps:

  1. Make sure that the NIS client software (ypbind) is installed on your system. If the client is Linux and RPM-based, this may require first installing the yp-tools RPM and then the ypbind RPM. Somehow, you need to get ypbind onto the client system. (You do not need ypserv.)

  2. Edit /etc/yp.conf to have a line such as:

    domain domainname server e-smith server name or IP address

    where domainname is the name you entered on your e-smith server for your NIS domain. As an example, if your e-smith server has the IP address of 192.168.1.1 and you set your NIS domainname to be "tofu-dog.com", then your entry would be as follows:

    domain tofu-dog.com server 192.168.1.1

    Note that it is possible to use a hostname for the server instead of the IP address. If you choose to do so, the server's hostname must be in the client's /etc/hosts. (Which, in an NIS environment, is not necessarily the case because all host information may be passed out through NIS.)

  3. Depending upon your system, you may also need to execute the domainname command prior to starting ypbind. On most client systems it probably will not hurt to do this in any event. The command would be:

    domainname yourNISdomainname
  4. Restart (or start) ypbind so that it will now bind to the new domain. On Linux systems, this is typically done through a command similar to:

    /etc/rc.d/init.d/ypbind start
  5. Assuming that you saw no error messages, you should be able to now test NIS using, for instance, the ypcat command. As an example:

    ypcat passwd

    should show you the contents of the /etc/passwd on your e-smith server.


3.1. Surviving a Reboot

At some point in the process, you need to also ensure that the system knows about the NIS domain name when it reboots. This can be done after you have verified that NIS is functioning properly.

On Red Hat Linux systems, this is done by entering the NISDOMAIN environment variable into the /etc/sysconfig/network as described previously (although you would just need to edit the file directly and not need to use e-smith templates on a non-e-smith Linux system). In other versions of UNIX, the domain name alone is simply entered into the file /etc/defaultdomain. You will have to check on how exactly your client system does it. Some additional information can be found in the LDP NIS HOWTO at http://www.linuxdoc.org/HOWTO/NIS-HOWTO/x503.html


3.2. Configuring /etc/nsswitch.conf

Just because you now have NIS functioning on your system, it does not mean that your client workstation will actually use NIS when checking user names, host information, etc. On most Linux and Solaris systems, whether or not NIS is consulted is controlled by a file called /etc/nsswitch.conf. In a default configuration, a portion of the file typically looks like:


passwd:     files nisplus nis
shadow:     files nisplus nis
group:      files nisplus nis

hosts:      files nisplus nis dns

As you might guess, this means that for checking passwords, the system first checks the local files (/etc/passwd), then checks NIS+, and then NIS. (NIS and NIS+ are only consulted if they are available.)

If your system does not have 'nis' on a line next to one of the files you wish to have NIS handle, the client system will not use NIS for that file. If 'nis' is not present, you need to add it to /etc/nsswitch.conf so that it looks similar to what you see in the example above. (You can, of course, leave out the 'nisplus' entry as that service is not in use on your system.)

Note: The /etc/nsswitch.conf file is typically only consulted by the various daemons that use it when those services first start up. If you later change it (for instance, to include NIS) those services will not know about the new configuration until they are restarted. Because so many different services may use this file, this is one of the few instances where it may make sense to reboot your client workstation.


4. Final Notes

NIS and NFS: While NIS alone solves the issue of providing user account information to a large number of Linux/UNIX client workstations, there is also the issue of the users' home directories. The user account information provided by NIS will indicate that a user "ffrog" has a home directory of /home/e-smith/files/users/ffrog. Therefore when the user logs into a client system, that system will attempt to start "ffrog" out in that home directory. However, if those client systems are just general Linux/UNIX workstations, such a directory will not exist.

There are two ways to solve the problem. You could create the actual directories for the users on each client workstation that they will log in to. While certainly a solution, this results in the data in the user's home directory on the client workstation being out of sync with that on the e-smith server (as well as on any other client workstations the user may use).

A far better solution is to add Network File System (NFS) support to your e-smith server and export the user's home directory via NFS. In this situation, the home directory would be mounted onto all client workstations and the user would receive their home directory from the e-smith server regardless of which client workstation they logged into.

Because of the inherent security weaknesses within NFS, it, too, is not included by default in the e-smith server and gateway software. A HOWTO on installing NFS will be available from http://www.e-smith.org/docs/howto/

Host information: Previous users of NIS may be aware that NIS can supply host information to NIS clients. This is actually not really true with your e-smith server. Yes, NIS does have a "hosts" map (use ypcat hosts to see it), but it will only include the information about your e-smith server itself, and not any hosts that you may have entered using the Hostnames and addresses panel of the e-smith web manager.

When you enter host information through that panel, it is made available through DNS and all of your clients can retrieve it that way. The reason for this is that DNS is far more scalable than the older model used by NIS, which is based on /etc/hosts. Because NIS clients are almost always set to check local files first, then NIS, then DNS, they will obtain the host information, but from DNS. Since it works fine, there is no real issue here, and I mention it only because you may be surprised to see the "hosts" database essentially empty. (You can, in fact, speed up lookups in a tiny way by making sure the hosts line of /etc/nsswitch.conf does not contain nis and instead reads "hosts: files dns".)
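As an added example covering both the /etc/nsswitch.conf edit in section 3.2 and the hosts-line suggestion just above (it is not from the original document), the function below rewrites a client's nsswitch.conf so that passwd, shadow and group consult files and then nis, drops the unused nisplus entry, and sets hosts to files and dns. Every other line, including comments and unrelated databases, is left untouched, and running it twice changes nothing. The function and variable names are this example's own, and the sample file it runs over by default is constructed here, not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO. Rewrites an nsswitch.conf
# so the NIS-served databases consult "nis" and hosts go to DNS only.

# nsswitch_enable_nis FILE: rewrite FILE in place
nsswitch_enable_nis() {
    ne_tmp="$1.tmp.$$"
    awk '
    # Databases NIS serves on the e-smith server: keep the existing order,
    # drop nisplus (not in use), and append nis if it is missing
    $1 == "passwd:" || $1 == "shadow:" || $1 == "group:" {
        out = $1; seen_nis = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "nisplus") continue
            if ($i == "nis") seen_nis = 1
            out = out " " $i
        }
        if (!seen_nis) out = out " nis"
        print out; next
    }
    # Host information comes from DNS on an e-smith network, not from NIS
    $1 == "hosts:" { print "hosts: files dns"; next }
    { print }          # everything else, comments included, passes through
    ' "$1" > "$ne_tmp" && mv "$ne_tmp" "$1"
}

# nsswitch_demo: run the rewrite over a constructed sample, not a real file
nsswitch_demo() {
    nd_f=$(mktemp)
    printf '%s\n' \
        '# constructed sample nsswitch.conf (default Red Hat-style entries)' \
        'passwd:     files nisplus' \
        'shadow:     files nisplus' \
        'group:      files' \
        'hosts:      files nisplus nis dns' \
        'services:   files' > "$nd_f"
    nsswitch_enable_nis "$nd_f"
    cat "$nd_f"
    rm -f "$nd_f"
}

if [ -n "${NSSWITCH_FILE:-}" ]; then
    nsswitch_enable_nis "$NSSWITCH_FILE"   # e.g. NSSWITCH_FILE=/etc/nsswitch.conf
else
    nsswitch_demo
fi
```

Run it with no arguments to see the rewrite applied to the constructed sample; on a real client run NSSWITCH_FILE=/etc/nsswitch.conf sh nsswitch-nis.sh as root, then restart the affected services or reboot, as the note in section 3.2 explains, because the running daemons read the file only at startup.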

 

If you have comments or suggestions about this document, please send them to documentation@e-smith.com

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Text and no Back-Cover Text. A copy of the GNU Free Documentation License is available on our web site at http://www.e-smith.org/docs/gfdl.html and from the Free Software Foundation at http://www.fsf.org/copyleft/fdl.html.

The e-smith logo and the terms "e-smith" and "i-bay" are trademarks or registered trademarks of e-smith, inc. in the United States and other countries. Linux is a registered trademark of Linus Torvalds. The terms "ssh" and "Secure Shell" are trademarks of SSH Communications Security Corp. All other trademarks are the property of their respective holders.