This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
Site Directory File Name ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.bz2 |
You could also look at http://www.linux-nis.org/nis/ for more information.
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and makedbm programs. ypserv-2.x only supports the securenets file for access restrictions.
If you run your server as master, determine what files you require to be available via NIS and then add or remove the appropriate entries to the "all" rule in /var/yp/Makefile. You always should look at the Makefile and edit the Options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached. This means you have to call makedbm always with the -c option if you create new maps. Make sure, you are using the new /var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in the Makefile. If you don't do that, ypserv will continue to use the old maps, and not the updated one.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command
% rpcinfo -u localhost ypserv |
should output something like
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting |
The "version 1" line could be missing, depending on the ypserv version and configuration you are using. It is only necessary if you have old SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run
% /usr/lib/yp/ypinit -m |
On a slave make sure that ypwhich -m works. This means, that your slave must be configured as NIS client before you could run
% /usr/lib/yp/ypinit -s masterhost |
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map if the source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a map.
You might want to edit root's crontab *on the slave* server and add the following lines:
20 * * * * /usr/lib/yp/ypxfr_1perhour
40 6 * * * /usr/lib/yp/ypxfr_1perday
55 6,18 * * * /usr/lib/yp/ypxfr_2perday |
You can add a slave at every time later. At first, make sure that the new slave server has permissions to contact the NIS master. Then run
% /usr/lib/yp/ypinit -s masterhost |
If you want to restrict access for users to your NIS server, you'll have to setup the NIS server as a client as well by running ypbind and adding the plus-entries to /etc/passwd _halfway_ the password file. The library functions will ignore all normal entries after the first NIS entry, and will get the rest of the info through NIS. This way the NIS access rules are maintained. An example:
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh |
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels will have normal access.
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use another source password file. On large systems the NIS password and group files are usually stored in /etc/yp/. If you do this the normal tools to administrate the password file such as passwd, chfn, adduser will not work anymore and you need special homemade tools for this.
However, yppasswd, ypchsh and ypchfn will work of course.
To set up the "yps" NIS server please refer to the previous paragraph. The "yps" server setup is similar, _but_ not exactly the same so beware if you try to apply the "ypserv" instructions to "yps"! "yps" is not supported by any author, and contains some security leaks. You really shouldn't use it !
The "yps" NIS server software can be found on:
Site Directory File Name ftp.lysator.liu.se /pub/NYS/servers yps-0.21.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS yps-0.21.tar.gz |
rpc.ypxfrd is used for speed up the transfer of very large NIS maps from a NIS master to NIS slave servers. If a NIS slave server receives a message that there is a new map, it will start ypxfr for transfering the new map. ypxfr will read the contents of a map from the master server using the yp_all() function. This process can take several minutes when there are very large maps which have to store by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, so that there is no need for building a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slow, it should be started with ypserv. You need to start rpc.ypxfrd only on the NIS master server.
Whenever users change their passwords, the NIS password database and probably other NIS databases, which depend on the NIS password database, should be updated. The program "rpc.yppasswdd" is a server that handles password changes and makes sure that the NIS information will be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any longer.
You need to start rpc.yppasswdd only on the NIS master server. By default, users are not allowed to change their full name or the login shell. You can allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are not in another directory then /etc, you need to add the -D option. For example, if you have put all source files in /etc/yp and wish to allow the user to change his shell, you need to start rpc.yppasswdd with the following parameters:
rpc.yppasswdd -D /etc/yp -e chsh |
or
rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh |
There is nothing more to do. You just need to make sure, that rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors will be logged using syslog.