The Linux NIS(YP)/NYS/NIS+ HOWTO

The Linux NIS(YP)/NYS/NIS+ HOWTO
Thorsten Kukuk
v1.0, 9 March 1999

This document describes how to configure Linux as NIS(YP) or NIS+
client and how to install as NIS server.
______________________________________________________________________

Table of Contents

1. Introduction

1.1 New Versions of this Document
1.2 Disclaimer
1.3 Feedback and Corrections
1.4 Acknowledgements

2. Glossary and General Information

2.1 Glossary of Terms
2.2 Some General Information

3. NIS, NYS or NIS+ ?

3.1 libc 4/5 with traditional NIS or NYS ?
3.2 glibc 2 and NIS/NIS+
3.3 NIS or NIS+ ?

4. How it works

4.1 How NIS works
4.2 How NIS+ works

5. The RPC Portmapper

6. What do you need to set up NIS?

6.1 Determine whether you are a Server, Slave or Client.
6.2 The Software
6.3 The ypbind daemon
6.4 Setting up a NIS Client using Traditional NIS
6.5 Setting up a NIS Client using NYS
6.6 Setting up a NIS Client using glibc 2.x
6.7 The nsswitch.conf File
6.8 Shadow Passwords with NIS
6.8.1 Linux
6.8.2 Solaris
6.8.3 PAM

7. What do you need to set up NIS+ ?

7.1 The Software
7.2 Setting up a NIS+ client
7.3 NIS+, keylogin, login and PAM
7.4 The nsswitch.conf File

8. Setting up a NIS Server

8.1 The Server Program ypserv
8.2 The Server Program yps
8.3 The Program rpc.ypxfrd
8.4 The Program rpc.yppasswdd

9. Verifying the NIS/NYS Installation

10. Common Problems and Troubleshooting NIS

11. Frequently Asked Questions

______________________________________________________________________

1. Introduction

More and more, Linux machines are installed as part of a network of
computers. To simplify network administration, most networks (mostly
Sun-based networks) run the Network Information Service. Linux
machines can take full advantage of existing NIS service or provide
NIS service themselves. Linux machines can also act as full NIS+
clients, this support is in beta stage.

This document tries to answer questions about setting up NIS(YP) and
NIS+ on your Linux machine. Don't forget to read the section ``The RPC
Portmapper''.

The NIS-Howto is edited and maintained by

Thorsten Kukuk, <[email protected]>

The primary source of the information for the initial NIS-Howto was
from:

Andrea Dell'Amico <[email protected]>
Mitchum DSouza <[email protected]>
Erwin Embsen <[email protected]>
Peter Eriksson <[email protected]>

who we should thank for writing the first versions of this document.

1.1. New Versions of this Document

You can always view the latest version of this document on the World
Wide Web via the URL http://www.suse.de/~kukuk/linux/HOWTO/NIS-
HOWTO.html <http://www.suse.de/~kukuk/linux/HOWTO/NIS-HOWTO.html>.

New versions of this document will also be uploaded to various Linux
WWW and FTP sites, including the LDP home page.

Links to translations of this document could be found at
http://www.suse.de/~kukuk/linux/nis-howto.html
<http://www.suse.de/~kukuk/linux/nis-howto.html>.

1.2. Disclaimer

Although this document has been put together to the best of my
knowledge it may, and probably does contain errors. Please read any
README files that are bundled with any of the various pieces of
software described in this document for more detailed and accurate
information. I will attempt to keep this document as error free as
possible.

1.3. Feedback and Corrections

If you have questions or comments about this document, please feel
free to mail Thorsten Kukuk, at [email protected]. I welcome any
suggestions or criticisms. If you find a mistake with this document,
please let me know so I can correct it in the next version. Thanks.

Please do not mail me questions about special problems with your Linux
Distribution! I don't know every Linux Distribution. But I will try to
add every solution you send me.

1.4. Acknowledgements

We would like to thank all the people who have contributed (directly
or indirectly) to this document. In alphabetical order:

Byron A Jeff <[email protected]>
Markus Rex <[email protected]>
Miquel van Smoorenburg <[email protected]>

Theo de Raadt is responsible for the original yp-clients code. Swen
Thuemmler ported the yp-clients code to Linux and also ported the yp-
routines in libc (again based on Theo's work). Thorsten Kukuk has
written the NIS(YP) and NIS+ routines for GNU libc 2.x from scratch.

2. Glossary and General Information

2.1. Glossary of Terms

In this document a lot of acronyms are used. Here are the most
important acronyms and a brief explanation:

DBM
DataBase Management, a library of functions which maintain key-
content pairs in a data base.

DLL
Dynamically Linked Library, a library linked to an executable
program at run-time.

domainname
A name "key" that is used by NIS clients to be able to locate a
suitable NIS server that serves that domainname key. Please note
that this does not necessarily have anything at all to do with
the DNS "domain" (machine name) of the machine(s).

FTP
File Transfer Protocol, a protocol used to transfer files
between two computers.

libnsl
Name services library, a library of name service calls
(getpwnam, getservbyname, etc...) on SVR4 Unixes. GNU libc uses
this for the NIS (YP) and NIS+ functions.

libsocket
Socket services library, a library for the socket service calls
(socket, bind, listen, etc...) on SVR4 Unixes.
NIS
Network Information Service, a service that provides
information, that has to be known throughout the network, to all
machines on the network. There is support for NIS in Linux's
standard libc library, which in the following text is referred
to as "traditional NIS".

NIS+
Network Information Service (Plus :-), essentially NIS on
steroids. NIS+ is designed by Sun Microsystems Inc. as a
replacement for NIS with better security and better handling of
_large_ installations.

NYS
This is the name of a project and stands for NIS+, YP and Switch
and is managed by Peter Eriksson <[email protected]>. It contains
among other things a complete reimplementation of the NIS (= YP)
code that uses the Name Services Switch functionality of the NYS
library.

NSS
Name Service Switch. The /etc/nsswitch.conf file determines the
order of lookups performed when a certain piece of information
is requested.

RPC
Remote Procedure Call. RPC routines allow C programs to make
procedure calls on other machines across the network. When
people talk about RPC they most often mean the Sun RPC variant.

YP Yellow Pages(tm), a registered trademark in the UK of British
Telecom plc.

TCP-IP
Transmission Control Protocol/Internet Protocol. It is the data
communication protocol most often used on Unix machines.

2.2. Some General Information

The next four lines are quoted from the Sun(tm) System & Network
Administration Manual:

"NIS was formerly known as Sun Yellow Pages (YP) but
the name Yellow Pages(tm) is a registered trademark
in the United Kingdom of British Telecom plc and may
not be used without permission."

NIS stands for Network Information Service. Its purpose is to provide
information, that has to be known throughout the network, to all
machines on the network. Information likely to be distributed by NIS
is:

o login names/passwords/home directories (/etc/passwd)

o group information (/etc/group)

If, for example, your password entry is recorded in the NIS passwd
database, you will be able to login on all machines on the network
which have the NIS client programs running.

Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.

3. NIS, NYS or NIS+ ?

3.1. libc 4/5 with traditional NIS or NYS ?

The choice between "traditional NIS" or the NIS code in the NYS
library is a choice between laziness and maturity vs. flexibility and
love of adventure.

The "traditional NIS" code is in the standard C library and has been
around longer and sometimes suffers from its age and slight
inflexibility.

The NIS code in the NYS library requires you to recompile the libc
library to include the NYS code into it (or maybe you can get a
precompiled version of libc from someone who has already done it).

Another difference is that the traditional NIS code has some support
for NIS Netgroups, which the NYS code doesn't. On the other hand the
NYS code allows you to handle Shadow Passwords in a transparent way.
The "traditonal NIS" code doesn't support Shadow Passwords over NIS.

3.2. glibc 2 and NIS/NIS+

Forgot all this if you use the new GNU C Library 2.x (aka libc6). It
has real NSS (name switch service) support, which makes it very
flexible, and contains support for the following NIS/NIS+ maps:
aliases, ethers, group, hosts, netgroups, networks, protocols,
publickey, passwd, rpc, services and shadow. The GNU C Library has no
problems with shadow passwords over NIS.

3.3. NIS or NIS+ ?

The choice between NIS and NIS+ is easy - use NIS if you don't have to
use NIS+ or have severe security needs. NIS+ is _much_ more
problematic to administer (it's pretty easy to handle on the client
side, but the server side is horrible). Another problem is that the
support for NIS+ under Linux is still under developement - you need
the latest glibc 2.1. There is an unsupported port of the glibc NIS+
support for libc5 as dropin replacement.

4. How it works

4.1. How NIS works

Within a network there must be at least one machine acting as a NIS
server. You can have multiple NIS servers, each serving different NIS
"domains" - or you can have cooperating NIS servers, where one is the
master NIS server, and all the other are so-called slave NIS servers
(for a certain NIS "domain", that is!) - or you can have a mix of
them...
Slave servers only have copies of the NIS databases and receive these
copies from the master NIS server whenever changes are made to the
master's databases. Depending on the number of machines in your
network and the reliability of your network, you might decide to
install one or more slave servers. Whenever a NIS server goes down or
is too slow in responding to requests, a NIS client connected to that
server will try to find one that is up or faster.

NIS databases are in so-called DBM format, derived from ASCII
databases. For example, the files /etc/passwd and /etc/group can be
directly converted to DBM format using ASCII-to-DBM translation
software ("makedbm", included with the server software). The master
NIS server should have both, the ASCII databases and the DBM
databases.

Slave servers will be notified of any change to the NIS maps, (via
the "yppush" program), and automatically retrieve the necessary
changes in order to synchronize their databases. NIS clients do not
need to do this since they always talk to the NIS server to read the
information stored in it's DBM databases.

Old ypbind versions do a broadcast to find a running NIS server. This
is insecure, due the fact that anyone may install a NIS server and
answer the broadcast queries. Newer Versions of ypbind (ypbind-3.3 or
ypbind-mt) are able to get the server from a configuration file - thus
no need to broadcast.

4.2. How NIS+ works

NIS+ is a new version of the network information nameservice from Sun.
The biggest difference between NIS and NIS+ is that NIS+ has support
for data encryption and authentication over secure RPC.

The naming model of NIS+ is based upon a tree structure. Each node
in the tree corresponds to an NIS+ object, from which we have six
types: directory, entry, group, link, table and private.

The NIS+ directory that forms the root of the NIS+ namespace is called
the root directory. There are two special NIS+ directories: org_dir
and groups_dir. The org_dir directory consists of all administration
tables, such as passwd, hosts, and mail_aliases. The groups_dir
directory consists of NIS+ group objects which are used for access
control. The collection of org_dir, groups_dir and their parent
directory is referred to as an NIS+ domain.

5. The RPC Portmapper

To run any of the software mentioned below you will need to run the
program /usr/sbin/portmap. Some Linux distributions already have the
code in the /sbin/init.d/ or /etc/rc.d/ files to start up this daemon.
All you have to do is to activate it and reboot your Linux machine.
Read your Linux Distribution Documentation how to do this.

The RPC portmapper (portmap(8)) is a server that converts RPC program
numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be
running in order to make RPC calls (which is what the NIS/NIS+ client
software does) to RPC servers (like a NIS or NIS+ server) on that
machine. When an RPC server is started, it will tell portmap what
port number it is listening to, and what RPC program numbers it is
prepared to serve. When a client wishes to make an RPC call to a
given program number, it will first contact portmap on the server
machine to determine the port number where RPC packets should be sent.

Normally, standard RPC servers are started by inetd(8), so portmap
must be running before inetd is started.

For secure RPC, the portmapper needs the Time service. Make sure, that
the Time service is enabled in /etc/inetd.conf on all hosts:

#
# Time service is used for clock syncronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal

IMPORTANT: Don't forget to restart inetd after changes on its
configuration file !

6. What do you need to set up NIS?

6.1. Determine whether you are a Server, Slave or Client.

To answer this question you have to consider two cases:

1. Your machine is going to be part of a network with existing NIS
servers

2. You do not have any NIS servers in the network yet

In the first case, you only need the client programs (ypbind, ypwhich,
ypcat, yppoll, ypmatch). The most important program is ypbind. This
program must be running at all times, which means, it should always
appear in the list of processes. It is a daemon process and needs to
be started from the system's startup file (eg. /etc/init.d/nis,
/sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As
soon as ypbind is running your system has become a NIS client.

In the second case, if you don't have NIS servers, then you will also
need a NIS server program (usually called ypserv). Section ``Setting
up a NIS Server'' describes how to set up a NIS server on your Linux
machine using the "ypserv" implementation by Peter Eriksson and
Thorsten Kukuk. Note that from version 0.14 this implementation
supports the master-slave concept talked about in section 4.1.

There is also another free NIS server available, called "yps", written
by Tobias Reber in Germany which does support the master-slave
concept, but has other limitations and isn't supported since a long
time.

6.2. The Software

The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the
shared library "/lib/libc.so.x" contain all necessary system calls to
succesfully compile the NIS client and server software. For the GNU C
Library 2 (glibc 2.x), you also need /lib/libnsl.so.1.

Some people reported that NIS only works with "/usr/lib/libc.a"
version 4.5.21 and better so if you want to play it safe don't use
older libc's. The NIS client software can be obtained from:

Site Directory File Name

ftp.kernel.org /pub/linux/utils/net/NIS yp-tools-2.2.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS ypbind-mt-1.4.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3-glibc5.diff.gz
ftp.uni-paderborn.de /linux/local/yp yp-clients-2.2.tar.gz

Once you obtained the software, please follow the instructions which
come with the software. yp-clients 2.2 are for use with libc4 and
libc5 until 5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.1 or
later. The new yp-tools 2.2 should work with every Linux libc. Since
there was a bug in the NIS code, you shouldn't use libc 5.4.21-5.4.35.
Use libc 5.4.36 or later instead, or the most YP programs will not
work. ypbind 3.3 will work with all libraries, too. If you use gcc
2.8.x or greater, egcs or glibc 2.x, you should add the
ypbind-3.3-glibc5.diff patch to ypbind 3.3. Please never use the
ypbind from yp-clients 2.2. ypbind-mt is a new, multithreaded daemon.
It needs a Linux 2.2 kernel, and glibc 2.1 or later.

6.3. The ypbind daemon

After you have succesfully compiled the software you are now ready to
install it. A suitable place for the ypbind daemon is the directory
/usr/sbin. Some people may tell you that you don't need ypbind on a
system with NYS. This is wrong. ypwhich and ypcat need it always.

You must do this as root of course. The other binaries (ypwhich,
ypcat, yppasswd, yppoll, ypmatch) should go in a directory accessible
by all users, normally /usr/bin.

Newer ypbind versions have a configuration file called /etc/yp.conf.
You can hardcode a NIS server there - for more info see the manual
page for ypbind(8). You also need this file for NYS. An example:

ypserver voyager
ypserver defiant
ypserver ds9

If the system cam resolv the hostnames without NIS, you may use the
name, otherwise you have to use the IP address. ypbind 3.3 has a bug
and will only use the last entry (ypserver ds9 in the example). All
other entries are ignored. ypbind-mt handle this correct and uses that
one, which answerd at first.

It might be a good idea to test ypbind before incorporating it in the
startup files. To test ypbind do the following:

o Make sure you have your YP-domain name set. If it is not set then
issue the command:

/bin/domainname nis.domain

where nis.domain should be some string _NOT_ normally associated with
the DNS-domain name of your machine! The reason for this is that it
makes it a little harder for external crackers to retreive the pass-
word database from your NIS servers. If you don't know what the NIS
domain name is on your network, ask your system/network administrator.

o Start up "/usr/sbin/portmap" if it is not already running.

o Create the directory "/var/yp" if it does not exist.

o Start up "/usr/sbin/ypbind"

o Use the command "rpcinfo -p localhost" to check if ypbind was able
to register its service with the portmapper. The output should look
like:

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 637 ypbind
100007 2 tcp 639 ypbind

or

program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 758 ypbind
100007 1 udp 758 ypbind
100007 2 tcp 761 ypbind
100007 1 tcp 761 ypbind

Depending on the ypbind version you are using.

o You may also run "rpcinfo -u localhost ypbind". This command should
produce something like:

program 100007 version 2 ready and waiting

or

program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting

The output depends on the ypbind version you have installed. Impor-
tant is only the "version 2" message.

At this point you should be able to use NIS client programs like
ypcat, etc... For example, "ypcat passwd.byname" will give you the
entire NIS password database.

IMPORTANT: If you skipped the test procedure then make sure you have
set the domain name, and created the directory

/var/yp

This directory MUST exist for ypbind to start up succesfully.

To check if the domainname is set correct, use the /bin/ypdomainname
from yp-tools 2.2. It uses the yp_get_default_domain() function which
is more restrict. It doesn't allow for example the "(none)"
domainname, which is the default under Linux and makes a lot of
problems.

If the test worked you may now want to change your startupd files so
that ypbind will be started at boot time and your system will act as a
NIS client. Make sure that the domainname will be set before you start
ypbind.

Well, that's it. Reboot the machine and watch the boot messages to see
if ypbind is actually started.

6.4. Setting up a NIS Client using Traditional NIS

For host lookups you must set (or add) "nis" to the lookup order line
in your /etc/host.conf file. Please read the manpage "resolv+.8" for
more details.

Add the following line to /etc/passwd on your NIS clients:

+::::::

You can also use the + and - characters to include/exclude or change
users. If you want to exclude the user guest just add -guest to your
/etc/passwd file. You want to use a different shell (e.g. ksh) for
the user "linux"? No problem, just add "+linux::::::/bin/ksh"
(without the quotes) to your /etc/passwd. Fields that you don't want
to change have to be left empty. You could also use Netgroups for user
control.

For example, to allow login-access only to miquels, dth and ed, and
all members of the sysadmin netgroup, but to have the account data of
all other users available use:

+miquels:::::::
+ed:::::::
+dth:::::::
+@sysadmins:::::::
-ftp
+:*::::::/etc/NoShell

Note that in Linux you can also override the password field, as we did
in this example. We also remove the login "ftp", so it isn't known any
longer, and anonymous ftp will not work.

The netgroup would look like

sysadmins (-,software,) (-,kukuk,)

IMPORTANT: The netgroup feature is implemented starting from libc
4.5.26. If you have a version of libc earlier than 4.5.26, every user
in the NIS password database can access your linux machine if you run
"ypbind" !

6.5. Setting up a NIS Client using NYS

All that is required is that the NIS configuration file (/etc/yp.conf)
points to the correct server(s) for its information. Also, the Name
Services Switch configuration file (/etc/nsswitch.conf) must be
correctly set up.

You should install ypbind. It isn't needed by the libc, but the
NIS(YP) tools need it.

If you wish to use the include/exclude user feature
(+/-guest/+@admins), you have to use "passwd: compat" and "group:
compat" in nsswitch.conf. Note that there is no "shadow: compat"! You
have to use "shadow: files nis" in this case.

The NYS sources are part of the libc 5 sources. When run configure,
say the first time "NO" to the "Values correct" question, then say
"YES" to "Build a NYS libc from nys".

6.6. Setting up a NIS Client using glibc 2.x

The glibc uses "traditional NIS", so you need to start ypbind. The
Name Services Switch configuration file (/etc/nsswitch.conf) must be
correctly set up. If you use the compat mode for passwd, shadow or
group, you have to add the "+" at the end of this files and you can
use the include/exclude user feature. The configuration is excatly the
same as under Solaris 2.x.

6.7. The nsswitch.conf File

The Network Services switch file /etc/nsswitch.conf determines the
order of lookups performed when a certain piece of information is
requested, just like the /etc/host.conf file which determines the way
host lookups are performed. For example, the line

hosts: files nis dns

specifies that host lookup functions should first look in the local
/etc/hosts file, followed by a NIS lookup and finally through the
domain name service (/etc/resolv.conf and named), at which point if no
match is found an error is returned. This file must be readable for
every user! You can find more information in the man-page nsswitch.5
or nsswitch.conf.5.

A good /etc/nsswitch.conf file for NIS is:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#

passwd: compat
group: compat
# For libc5, you must use shadow: files nis
shadow: compat

passwd_compat: nis
group_compat: nis
shadow_compat: nis

hosts: nis files dns

services: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files
netgroup: nis
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
automount: files
aliases: nis [NOTFOUND=return] files

passwd_compat, group_compat and shadow_compat are only supported by
glibc 2.x. If there are no shadow rules in /etc/nsswitch.conf, glibc
will use the passwd rule for lookups. There are some more lookup
module for glibc like hesoid. For more information, read the glibc
documentation.

6.8. Shadow Passwords with NIS

Shadow passwords over NIS are always a bad idea. You loose the
security, which shadow gives you, and it is supported by only some few
Linux C Libraries. A good way to avoid shadow passwords over NIS is,
to put only the local system users in /etc/shadow. Remove the NIS user
entries from the shadow database, and put the password back in passwd.
So you can use shadow for the root login, and normal passwd for NIS
user. This has the advantage that it will work with every NIS client.

6.8.1. Linux

The only Linux libc which supports shadow passwords over NIS, is the
GNU C Library 2.x. Linux libc5 has no support for it. Linux libc5
compiled with NYS enabled has some code for it. But this code is badly
broken in some cases and doesn't work with all correct shadow entries.

6.8.2. Solaris

Solaris does not support shadow passwords over NIS.

6.8.3. PAM

PAM does not support Shadow passwords over NIS, especially
pam_pwdb/libpwdb. This is a big problem for RedHat 5.x users. If you
have glibc and PAM, you need to change the /etc/pam.d/* entries.
Replace all pam_pwdb rules through pam_unix_* modules. Due a bug in
the pam_unix_auth.so module this will not always work.

An example /etc/pam.d/login file looks like:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_unix_passwd.so
session required /lib/security/pam_unix_session.so

For auth you need to use the pam_unix_auth.so module, for account the
pam_unix_acct.so, for password the pam_unix_passwd.so and for session
the pam_unix_session.so module.

7. What do you need to set up NIS+ ?

7.1. The Software

The Linux NIS+ client code was developed for the GNU C library 2.
There is also a port for Linux libc5, since most commercial
Applications are linked against this library, and you cannot recompile
them for using glibc. There are problems with libc5 and NIS+: static
programs cannot be linked with it, and programs compiled with this
library will not work with other libc5 versions.

You need to retrieve and compile the GNU C Library 2.1 for Intel based
platforms, or GNU C Library 2.1.1 for 64bit platforms. As base System
you need a glibc based Distribution like Debian 2.x, RedHat 5.x or
SuSE Linux 6.x.

For every distribution, you need to recompile the gcc/g++ compiler,
libstdc++ and ncures. For Redhat, you need to make a lot of changes of
the PAM configuration. For SuSE Linux 6.0, you need to recompile the
shadow package.

The NIS+ client software can be obtained from:

Site Directory File Name

ftp.funet.fi /pub/gnu/funet libc-*, glibc-crypt-*,
glibc-linuxthreads-*
ftp.kernel.org /pub/linux/utils/net/NIS+ nis-utils-19990223.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS+ pam_keylogin-1.2.tar.gz

Distributions based on glibc can be fetched from:

Site Directory

ftp.debian.org /pub/debian/dists/slink
ftp.redhat.com /pub/redhat/redhat-5.2
ftp.suse.de /pub/SuSE-Linux/6.0

For compilation of the GNU C Library please follow the instructions
which come with the software. You cam find the patched libc5, based on
NYS, and the sources as drop in replacement for the standart libc5 at:

Site Directory File Name

ftp.kernel.org /pub/linux/utils/net/NIS+ libc-5.4.44-nsl-0.4.10.tar.gz

You should also have a look at
http://www.suse.de/~kukuk/linux/nisplus.html
<http://www.suse.de/~kukuk/linux/nisplus.html> for more information
and the latest sources.

7.2. Setting up a NIS+ client

IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs
what to do on the server side! This document only describes what to do
on the client side!

After installing the new libc and nis-tools, create the credentials
for the new client on the NIS+ server. Make sure portmap is running.
Then check if your Linux PC has the same time as the NIS+ Server. For
secure RPC, you have only a small window from about 3 minutes, in
which the credentials are valid. A good idea is to run xntpd on every
host. After this, run

domainname nisplus.domain.
nisinit -c -H <NIS+ server>

to initialize the cold start file. Read the nisinit man page for more
options. Make sure that the domainname will always be set after a
reboot. If you don't know what the NIS+ domain name is on your
network, ask your system/network administrator.
Now you should change your /etc/nsswitch.conf file. Make sure that the
only service after publickey is nisplus ("publickey: nisplus"), and
nothing else!

Then start keyserv and make sure, that it will always be started as
first daemon after portmap at boot time. Run

keylogin -r

to store the root secretkey on your system. (I hope you have added the
publickey for the new host on the NIS+ Server?).

"niscat passwd.org_dir" should now show you all entries in the passwd
database.

7.3. NIS+, keylogin, login and PAM

When the user logs in, he need to set his secretkey to keyserv. This
is done by calling "keylogin". The login from the shadow package will
do this for the user, if it was compiled against glibc 2.1. For a PAM
aware login, you have to install pam_keylogin-1.2.tar.gz and change
the /etc/pam.d/login file to use pam_unix_auth, not pwdb, which
doesn't support NIS+. An example:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_keylogin.so
auth required /lib/security/pam_unix_auth.so
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_unix_passwd.so
session required /lib/security/pam_unix_session.so

7.4. The nsswitch.conf File

The Network Services switch file /etc/nsswitch.conf determines the
order of lookups performed when a certain piece of information is
requested, just like the /etc/host.conf file which determines the way
host lookups are performed. For example, the line

hosts: files nisplus dns

specifies that host lookup functions should first look in the local
/etc/hosts file, followed by a NIS+ lookup and finally through the
domain name service (/etc/resolv.conf and named), at which point if no
match is found an error is returned.

A good /etc/nsswitch.conf file for NIS+ is:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#

passwd: compat
# for libc5: passwd: files nisplus
group: compat
# for libc5: group: files nisplus
shadow: compat
# for libc5: shadow: files nisplus

passwd_compat: nisplus
group_compat: nisplus
shadow_compat: nisplus

hosts: nisplus files dns

services: nisplus [NOTFOUND=return] files
networks: nisplus [NOTFOUND=return] files
protocols: nisplus [NOTFOUND=return] files
rpc: nisplus [NOTFOUND=return] files
ethers: nisplus [NOTFOUND=return] files
netmasks: nisplus [NOTFOUND=return] files
netgroup: nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
automount: files
aliases: nisplus [NOTFOUND=return] files

8. Setting up a NIS Server

8.1. The Server Program ypserv

This document only describes how to set up the "ypserv" NIS server.

The NIS server software can be found on:

Site Directory File Name

ftp.kernel.org /pub/linux/utils/net/NIS ypserv-1.3.6.tar.gz

You could also look at http://www.suse.de/~kukuk/linux/nis.html
<http://www.suse.de/~kukuk/linux/nis.html> for more information.

The server setup is the same for both traditional NIS and NYS.

Compile the software to generate the ypserv and makedbm programs. You
can configure ypserv to use the securenets file or the tcp_wrappers.
The tcp_wrapper is much more flexible, but a lot of people have big
problems with it. And some configuration files for tcp_wrappers may
cause a memory leak. If you have problems with ypserv compiled for
tcp_wrapper, recompile it using the securenets file. ypserv --version
tells you, which version you have.

If you run your server as master, determine what files you require to
be available via NIS and then add or remove the appropriate entries to
the "all" rule in /var/yp/Makefile. You always should look at the
Makefile and edit the Options at the beginning of the file.

There was one big change between ypserv 1.1 and ypserv 1.2. Since
version 1.2, the file handles are cached. This means you have to call
makedbm always with the -c option if you create new maps. Make sure,
you are using the new /var/yp/Makefile from ypserv 1.2 or later, or
add the -c flag to makedbm in the Makefile. If you don't do that,
ypserv will continue to use the old maps, and not the updated one.

Now edit /var/yp/securenets and /etc/ypserv.conf. For more
information, read the ypserv(8) and ypserv.conf(5) manual pages.

Make sure the portmapper (portmap(8)) is running, and start the server
ypserv. The command

% rpcinfo -u localhost ypserv

should output something like

program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

The "version 1" line could be missing, depending on the ypserv version
and configuration you are using. It is only necessary if you have old
SunOS 4.x clients.

Now generate the NIS (YP) database. On the master, run

% /usr/lib/yp/ypinit -m

On a slave make sure that ypwhich -m works. This means, that your
slave must be configured as NIS client before you could run

% /usr/lib/yp/ypinit -s masterhost

to install the host as NIS slave.

That's it, your server is up and running.

If you have bigger problems, you could start ypserv and ypbind in
debug mode on different xterms. The debug output should show you what
goes wrong.

If you need to update a map, run make in the /var/yp directory on the
NIS master. This will update a map if the source file is newer, and
push the files to the slave servers. Please don't use ypinit for
updating a map.

You might want to edit root's crontab *on the slave* server and add
the following lines:

20 * * * * /usr/lib/yp/ypxfr_1perhour
40 6 * * * /usr/lib/yp/ypxfr_1perday
55 6,18 * * * /usr/lib/yp/ypxfr_2perday

This will ensure that most NIS maps are kept up-to-date, even if an
update is missed because the slave was down at the time the update was
done on the master.

You can add a slave at every time later. At first, make sure that the
new slave server has permissions to contact the NIS master. Then run

% /usr/lib/yp/ypinit -s masterhost

on the new slave. On the master server, add the new slave server name
to /var/yp/ypservers and run make in /var/yp to update the map.

If you want to restrict access for users to your NIS server, you'll
have to setup the NIS server as a client as well by running ypbind and
adding the plus-entries to /etc/passwd _halfway_ the password file.
The library functions will ignore all normal entries after the first
NIS entry, and will get the rest of the info through NIS. This way the
NIS access rules are maintained. An example:

root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh

Thus the user "tester" will exist, but have a shell of /etc/NoShell.
miquels will have normal access.

Alternatively, you could edit the /var/yp/Makefile file and set NIS to
use another source password file. On large systems the NIS password
and group files are usually stored in /etc/yp/. If you do this the
normal tools to administrate the password file such as passwd, chfn,
adduser will not work anymore and you need special homemade tools for
this.

However, yppasswd, ypchsh and ypchfn will work of course.

8.2. The Server Program yps

To set up the "yps" NIS server please refer to the previous paragraph.
The "yps" server setup is similar, _but_ not exactly the same so
beware if you try to apply the "ypserv" instructions to "yps"! "yps"
is not supported by any author, and contains some security leaks. You
really shouldn't use it !

The "yps" NIS server software can be found on:

Site Directory File Name

ftp.lysator.liu.se /pub/NYS/servers yps-0.21.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS yps-0.21.tar.gz

8.3. The Program rpc.ypxfrd

rpc.ypxfrd is used for speed up the transfer of very large NIS maps
from a NIS master to NIS slave servers. If a NIS slave server receives
a message that there is a new map, it will start ypxfr for
transfering the new map. ypxfr will read the contents of a map
from the master server using the yp_all() function. This process
can take several minutes when there are very large maps which have to
store by the database library.

The rpc.ypxfrd server speeds up the transfer process by allowing
NIS slave servers to simply copy the master server's map files
rather than building their own from scratch. rpc.ypxfrd uses an RPC-
based file transfer protocol, so that there is no need for building a
new map.

rpc.ypxfrd can be started by inetd. But since it starts very slow, it
should be started with ypserv. You need to start rpc.ypxfrd only on
the NIS master server.

8.4. The Program rpc.yppasswdd

Whenever users change their passwords, the NIS password database and
probably other NIS databases, which depend on the NIS password
database, should be updated. The program "rpc.yppasswdd" is a server
that handles password changes and makes sure that the NIS information
will be updated accordingly. rpc.yppasswdd is now integrated in
ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or
yppasswd-0.10.tar.gz, and you shouldn't use them any longer. The
rpc.yppasswdd in ypserv 1.3.2 has full shadow support. yppasswd is now
part of yp-tools-2.2.tar.gz.

You need to start rpc.yppasswdd only on the NIS master server. By
default, users are not allowed to change their full name or the login
shell. You can allow this with the -e chfn or -e chsh option.

If your passwd and shadow files are not in another directory then
/etc, you need to add the -D option. For example, if you have put all
source files in /etc/yp and wish to allow the user to change his
shell, you need to start rpc.yppasswdd with the following parameters:

rpc.yppasswdd -D /etc/yp -e chsh

or

rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh

There is nothing more to do. You just need to make sure, that
rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors will be
logged using syslog.

9. Verifying the NIS/NYS Installation

If everything is fine (as it should be), you should be able to verify
your installation with a few simple commands. Assuming, for example,
your passwd file is being supplied by NIS, the command

% ypcat passwd

should give you the contents of your NIS passwd file. The command

% ypmatch userid passwd

(where userid is the login name of an arbitrary user) should give you
the user's entry in the NIS passwd file. The "ypcat" and "ypmatch"
programs should be included with your distribution of traditional NIS
or NYS.

If a user cannot log in, run the following program on the client:

#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>

int
main(int argc, char *argv[])
{
struct passwd *pwd;

if(argc != 2)
{
fprintf(stderr,"Usage: getwpnam username\n");
exit(1);
}

pwd=getpwnam(argv[1]);

if(pwd != NULL)
{
printf("name.....: [%s]\n",pwd->pw_name);
printf("password.: [%s]\n",pwd->pw_passwd);
printf("user id..: [%d]\n", pwd->pw_uid);
printf("group id.: [%d]\n",pwd->pw_gid);
printf("gecos....: [%s]\n",pwd->pw_gecos);
printf("directory: [%s]\n",pwd->pw_dir);
printf("shell....: [%s]\n",pwd->pw_shell);
}
else
fprintf(stderr,"User \"%s\" not found!\n",argv[1]);

exit(0);
}

Running this program with the username as parameter will print all the
information the getpwnam function gives back for this user. This
should show you which entry is incorrect. The most common problem is,
that the password field is overwritten with a "*".

GNU C Library 2.1 (glibc 2.1) comes with a tool called getent. Use
this program instead the above on such a system. You could try:

getent passwd

or

getent passwd login

10. Common Problems and Troubleshooting NIS

Here are some common problems reported by various users:

1. The libraries for 4.5.19 are broken. NIS won't work with it.

2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su
command breaks. You need to get the su command from the slackware
1.2.0 distribution. Incidentally that's where you can get the
updated libraries.

3. When a NIS server goes down and comes up again ypbind starts
complaining with messages like:

yp_match: clnt_call:
RPC: Unable to receive; errno = Connection refused

and logins are refused for those who are registered in the NIS
database. Try to login as root and kill ypbind and start it up again.
An update to ypbind 3.3 or higher should also help.

4. After upgrading the libc to a version greater then 5.4.20, the YP
tools will not work any longer. You need yp-tools 1.2 or later for
libc >= 5.4.21 and glibc 2.x. For earlier libc version you need yp-
clients 2.2. yp-tools 2.x should work for all libraries.

5. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or
later, or some YP programs like ypwhich will segfault.

6. libc 5 with traditional NIS doesn't support shadow passwords over
NIS. You need libc5 + NYS or glibc 2.x.

7. ypcat shadow doesn't show the shadow map. This is correct, the name
of the shadow map is shadow.byname, not shadow.

8. Solaris doesn't use always privileged ports. So don't use password
mangling if you have a Solaris client.

11. Frequently Asked Questions

Most of your questions should be answered by now. If there are still
questions unanswered you might want to post a message to

comp.os.linux.networking