database from scratch whereas make will first check the source file for changes, update changes to the NIS maps and push the changes to slave servers. While making the NIS maps, you might get some error messages saying that it could not generate some of the files. If so, edit Makefile, search for the "all" entry and comment out the files that gave the error. Run make again.
The next file you need to edit is /var/yp/securenets. This file defines the NIS clients that are allowed to access your NIS server. This file only takes IP addresses -- no hostnames. The IP addresses are specified as a netmask/IP address pair. Localhost will need to be in this file. The entry should already be there, but if not then enter the following. The netmask entry comes first.
255.0.0.0 127.0.0.0
255.255.255.0 192.168.0.0
You can also allow specific hosts by giving the keyword "host" followed by an IP address.
host 127.0.0.1
Similarly, you can enter other netmask/network pairs to restrict access to the NIS server and improve security. In the example above, every host in 192.168.0.* has access to the NIS server.
The server setup is now done. The NIS server can be started now. Make sure that the portmap daemon is started before the NIS server is.
/etc/rc.d/init.d/portmap start
/etc/rc.d/init.d/ypserv start
If portmap is running, ypserv will start the NIS server and register with portmap. Use "rpcinfo -p" to check. You should get output that looks like the following:
100004 2 udp 1003 ypserv
100004 1 udp 1003 ypserv
100004 2 tcp 1006 ypserv
100004 1 tcp 1006 ypserv
You also need to run rpc.yppasswdd. This allows users to change their passwords over the network. This daemon should be run only on the NIS master server. Also make sure that this daemon is started after ypserv.
/etc/rc.d/init.d/yppasswdd start
On the client side, users will have to use the utility 'yppasswd' to change their passwords instead of passwd.
Clients
On the client side, open /etc/yp.conf. This file should contain a list of the NIS servers for your domain. Multiple NIS servers can be specified here, so if one goes down, the NIS client will try the other. Hostnames are also allowed here, but make sure that the host's IP address is present in /etc/hosts because NIS does not use DNS.
ypserver 192.168.0.100
ypserver nisbackup.freeos.com
Open /etc/passwd and remove the entries for all users that are to be authenticated off the NIS master server. Also remove their shadow password entries from /etc/shadow. At the bottom of /etc/passwd add this entry -- '+::::::'. Do the same for /etc/group but add the entry '+:::' here.
Start ypbind.
/etc/rc.d/init.d/ypbind start
Now try to log in to your machine using a login/password pair that does not exist on your machine. If the login is successful then your NIS setup is working correctly.
The above '+' entries mean that anyone who is in the NIS password database will be able to log in to this machine. You might not want that. You might want to give only a few users or a specific group of users access to a machine.
Edit /etc/nsswitch.conf and put in the following entries, if not already there. Comment out any other passwd and group entries.
passwd: compat
group: compat
Some distributions like Red Hat use "passwd: files nisplus nis" here. That will also work fine. In fact, with this entry in nsswitch.conf, you do not require the '+' entries in /etc/passwd. What you lose is the ability to selectively disallow certain users or netgroups, as we're trying to do below.
Now edit your passwd file and replace the '+::::::' entry with the name of the user you want to allow, prefixed with a '+' and followed by '::::::'.
+mayank::::::
+foo::::::/bin/false
+@nisgrp::::::
Here user mayank has access to the machine. User foo is also allowed, but the shell is set to /bin/false. Finally, the netgroup nisgrp is also allowed access. Here you see that you can also modify user data for the client machine. You could also specify a different home directory path here.
To disallow access to a few users/netgroups, prefix the username with a '-' instead. Also make sure that '+::::::' is at the bottom of the file and this entry appears above it.
-mayank::::::
+::::::
Here everyone except user mayank has access to the machine.
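The order-sensitive '+user', '+@netgroup', '-user' and '+::::::' rules described above are easy to get wrong, so the following added example (not part of the original article) simulates how compat mode merges a local /etc/passwd with the NIS passwd and netgroup maps. The NIS map contents, the netgroup membership and the local passwd lines are constructed sample data; the override behaviour for '+user' lines (password, GECOS, home and shell replace the NIS values when non-empty) is the documented nss_compat behaviour.

```python
# Simulates nss_compat merging of a local /etc/passwd (with +/- entries)
# against the NIS passwd map. All data below is constructed sample data.

# Constructed NIS passwd map as pushed from the master, keyed by login.
NIS_PASSWD = {
    "mayank": "mayank:x:1001:1001:Mayank:/home/mayank:/bin/bash",
    "foo":    "foo:x:1002:1002:Foo:/home/foo:/bin/bash",
    "bar":    "bar:x:1003:1003:Bar:/home/bar:/bin/bash",
    "baz":    "baz:x:1004:1004:Baz:/home/baz:/bin/bash",
}
# Constructed NIS netgroup map: netgroup name -> member logins.
NIS_NETGROUP = {"nisgrp": {"bar", "baz"}}

def resolve_compat(local_lines, nis_passwd=NIS_PASSWD, netgroups=NIS_NETGROUP):
    """Return {login: passwd_line} for accounts that resolve on this client.
    Lines are processed top to bottom and the first match wins: a login
    denied by an earlier '-' line is not re-admitted by a later '+' line."""
    result, denied = {}, set()

    def admit(name, override):
        if name in denied or name in result or name not in nis_passwd:
            return
        fields = nis_passwd[name].split(":")
        # Index 1 = password, 4 = GECOS, 5 = home, 6 = shell: a non-empty
        # value in the local '+user' line overrides the NIS value.
        for i in (1, 4, 5, 6):
            if i < len(override) and override[i]:
                fields[i] = override[i]
        result[name] = ":".join(fields)

    for line in local_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if name.startswith("-"):              # -user or -@netgroup: deny
            tgt = name[1:]
            denied.update(netgroups.get(tgt[1:], set()) if tgt.startswith("@") else {tgt})
        elif name == "+":                      # +:::::: admits everyone left
            for n in nis_passwd:
                admit(n, fields)
        elif name.startswith("+@"):            # +@netgroup
            for n in sorted(netgroups.get(name[2:], set())):
                admit(n, fields)
        elif name.startswith("+"):             # +user with optional overrides
            admit(name[1:], fields)
        else:                                  # ordinary local account
            result[name] = line
    return result
```

Feeding it the two passwd layouts from the article shows why '-mayank::::::' must come before '+::::::': reversed, mayank is admitted by the catch-all line first and the later '-' line has no effect.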