Centralised authentication using NIS
By Mulyanto <mulyanto@lycos.com>
If users on your network are working on more than one machine you will need to create a login/password pair for them on each machine. A more elegant solution is to maintain a centralized database that client machines refer to for authentication. NIS is one way to do that and this article shows you how.
To log on to a machine on your network, you need a login/password pair that is valid on that machine. This becomes a problem on a larger network where people use more than one machine, for example a computer lab where people work from different machines most of the time. You would then be forced to create a login for each user on every machine they are likely to use. NIS solves this by providing centralized authentication: all the logins are created on a single machine, which the client machines query to authenticate users.

Once you have centralized your authentication, you will also need to make the user's home directory available on whichever machine they log on to. If they still have to log in to another machine to access their data, having NIS around is not very useful. NFS, the Network File System, allows you to 'export' a directory for mounting on other machines. When mounted, that directory appears as a local directory on the client machine, completely transparently to the user. You can then transfer files and run programs off an NFS-mounted directory with ease.
NIS and its associated tools are available on nearly all distributions. What you need is ypbind, ypserv and yp-tools. For an NIS client machine, all you need is ypbind and yp-tools; the ypserv package is only required if you're setting up the machine as a server. All the NIS tools are prefixed with yp. This is because the original name for NIS was Yellow Pages. That was copyrighted by British Telecom and could not be used. Sun settled on NIS but the name stuck.
You will also need the portmap daemon, which is used to manage RPC requests. This is used by NIS as well as NFS and is present in most Linux distributions. Look for a package named portmap on your distribution CD.
Installation
Installation of the NIS program files is easy enough if you're using the RPMs.
rpm -ivh ypserv-1.3.11-9.i386.rpm
The ypserv package is only required for machines that are to be NIS master or slave servers. It is not required for NIS clients, but the following packages are.
rpm -ivh ypbind-1.6-11.i386.rpm
rpm -ivh yp-tools-2.4-4.i386.rpm
Configuration
Before starting the configuration of your NIS server, you need to decide on an NIS domain. Each NIS server will only serve clients from the domain that it is a part of. The NIS domain system allows you to divide the computers on your network into sub-domains, each served by the NIS master server for that domain only. The NIS domain name can be anything you want (foo.bar.org or org.bar.foo), but it is not to be confused with your DNS domain name and, for security reasons, should not be the same as your DNS domain name. The NIS domain name is set by the nisdomainname command. Equivalent commands are ypdomainname and domainname; they all do the same thing.
nisdomainname foo.bar.org
This command will need to be run on every machine on your network that will be part of the domain. You should put the above in your system startup scripts so that the domain name is automatically set at boot. Alternatively, in Red Hat you can edit /etc/sysconfig/network and change or add the parameter "NISDOMAIN=domain". In SuSE open /etc/rc.config and look for "YP_DOMAINNAME".
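The Red Hat approach above means editing /etc/sysconfig/network so the NISDOMAIN setting survives a reboot. The following script is an added example written for this article, not part of the original text or of any distribution's tooling: it changes an existing NISDOMAIN= line or appends one, and refuses a domain equal to the DNS domain, which is the security caveat given above. The file path is an argument, so you can try it on a copy before touching the real file; the demo at the bottom runs on a constructed temporary file.

```shell
#!/bin/sh
# Added example (not from the article): maintain the NISDOMAIN= setting in a
# Red Hat style /etc/sysconfig/network file. The article sets the domain with
# "nisdomainname foo.bar.org" for the running system; this script persists it.

# set_nisdomain FILE NISDOMAIN DNSDOMAIN
# Writes NISDOMAIN=<nisdomain> into FILE, replacing an existing line or
# appending one. Returns 0 on success, 2 if NISDOMAIN equals DNSDOMAIN
# (nothing is written in that case, following the article's advice).
set_nisdomain() {
    file=$1; nisdom=$2; dnsdom=$3
    if [ "$nisdom" = "$dnsdom" ]; then
        echo "refusing: NIS domain '$nisdom' must differ from the DNS domain" >&2
        return 2
    fi
    if grep -q '^NISDOMAIN=' "$file" 2>/dev/null; then
        # Replace in place via a temp file (POSIX sed has no -i option).
        sed "s/^NISDOMAIN=.*/NISDOMAIN=$nisdom/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        echo "NISDOMAIN=$nisdom" >> "$file"
    fi
}

# get_nisdomain FILE: print the configured value (empty if none).
get_nisdomain() {
    sed -n 's/^NISDOMAIN=//p' "$1" 2>/dev/null | tail -n 1
}

# Demo on a constructed copy of the file (the real one is /etc/sysconfig/network).
demo=$(mktemp)
printf 'NETWORKING=yes\nHOSTNAME=lab1\n' > "$demo"
set_nisdomain "$demo" foo.bar.org bar.org \
    && echo "NIS domain now set to: $(get_nisdomain "$demo")"
rm -f "$demo"
```

After editing the file, the domain only takes effect at the next boot (or when the network scripts are re-run), so run nisdomainname with the same value for the current session.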
Server Configuration
Open the file named /etc/ypserv.conf
Look for the lines below and un-comment them.
* : passwd.byname : port : yes
* : passwd.byuid : port : yes
You should do this because otherwise any user on the network can run "ypcat passwd" and see the entire password database exported by the NIS server, including the encrypted passwords. With these lines in place only requests from privileged ports are answered, so root on the client machines will still be able to view the encrypted passwords.
Open /var/yp/Makefile. Go through the options at the top. You probably won't have to modify them, but it does make sense to check them. Now look for the "all" rule in this file. It will look something like the following.
all: passwd group rpc services netid
This defines the files that are to be made available over NIS. NIS is, after all, the Network Information Service, and you can use it for more than just authentication. Here I'm also exporting /etc/services and /etc/hosts.
The defaults that are un-commented will work just fine. We're only going for centralized authentication here, so make sure that passwd and group are un-commented.
Move to /var/yp and run "make" there. This will create the NIS database maps. You will need to run this every time you change a source file, e.g. when you add or remove a user from the passwd file. Changes to passwords do not require a make.
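Before running make it is worth checking that the two server-side settings described above are actually in place, since a commented-out port rule silently leaves the password hashes readable by anyone who can reach the server. The script below is an added example, not part of the article or of the ypserv package: it takes the paths of a ypserv.conf and an NIS Makefile as arguments, verifies that the passwd.byname and passwd.byuid port restrictions are active (uncommented), and verifies that the "all" rule builds the passwd and group maps, joining backslash-continued lines first. The sample files it creates at the bottom are constructed for the demo and are not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the article): audit an NIS server's ypserv.conf and
# /var/yp/Makefile for the settings the text asks for. Works on plain copies,
# so it needs neither root nor ypserv to be installed.

# ypserv_port_restricted CONF MAP
# 0 if CONF has an active line "* : MAP : port : yes" (whitespace tolerant).
# Commented lines ("#* : ...") deliberately do not count.
ypserv_port_restricted() {
    conf=$1
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    grep -E "^[[:space:]]*\*[[:space:]]*:[[:space:]]*${esc}[[:space:]]*:[[:space:]]*port[[:space:]]*:[[:space:]]*yes" \
        "$conf" >/dev/null 2>&1
}

# makefile_exports MAKEFILE MAP
# 0 if the uncommented "all:" rule lists MAP. The rule may span several
# lines ending in backslashes, so those continuations are joined first.
makefile_exports() {
    mk=$1; map=$2
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$mk" \
        | grep -E '^all:' \
        | tr ' \t' '\n\n' \
        | grep -x "$map" >/dev/null 2>&1
}

# audit_nis_server CONF MAKEFILE: run all checks, print a line per check,
# return 0 only if everything passes.
audit_nis_server() {
    conf=$1; mk=$2; rc=0
    for map in passwd.byname passwd.byuid; do
        if ypserv_port_restricted "$conf" "$map"; then
            echo "ok:   $map restricted to privileged ports"
        else
            echo "FAIL: $map answered from any port (uncomment its rule in $conf)"
            rc=1
        fi
    done
    for map in passwd group; do
        if makefile_exports "$mk" "$map"; then
            echo "ok:   all: rule builds the $map map"
        else
            echo "FAIL: all: rule in $mk does not build the $map map"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files for the demo (not copied from any real system).
tmp=$(mktemp -d)
cat > "$tmp/ypserv.conf.shipped" <<'EOF'
# Host : Map : Security : Passwd_mangle
#* : passwd.byname : port : yes
#* : passwd.byuid  : port : yes
EOF
cat > "$tmp/ypserv.conf.fixed" <<'EOF'
* : passwd.byname : port : yes
* : passwd.byuid  : port : yes
EOF
cat > "$tmp/Makefile" <<'EOF'
#all:  passwd group hosts rpc services netid protocols mail
all:  passwd group rpc services netid \
      hosts
EOF

echo "== as shipped (rules still commented) =="
audit_nis_server "$tmp/ypserv.conf.shipped" "$tmp/Makefile" || echo "audit FAILED"
echo "== after un-commenting =="
audit_nis_server "$tmp/ypserv.conf.fixed" "$tmp/Makefile" && echo "audit passed"
rm -rf "$tmp"
```

On a real server you would run it as `audit_nis_server /etc/ypserv.conf /var/yp/Makefile`; a non-zero exit makes it usable from a cron job or a configuration check before each make.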
You can also use the program ypinit.
/usr/lib/yp/ypinit -m
Ypinit will first prompt you for a list of NIS servers on the network. You will need to enter the list of NIS servers for that domain. This should also include any slave NIS servers that you are planning to set up. Ypinit will write this list of servers to /var/yp/ypservers and then go ahead with the make. Ypinit is fine for the first time you're setting up NIS, but if you make frequent changes to the NIS files then "make" is a better option. This is because Ypinit re-creates the NIS