NIS INSTALL
I did not write this, but I used it a lot.
I wish I knew where I got the notes from, but I have kept them for a long time. I also used Yolinux.com for a lot of help.
NIS is a system which is designed to allow people to use the same username and password on a group of machines. (In NIS terms this group of machines is called a domain). This small introduction will guide you through setting up a central NIS server to centralise your logins, and a client to use it.
Of all the systems for sharing login details across multiple machines, NIS is the oldest and possibly the most widely used. Other alternatives include database systems such as LDAP (OpenLDAP) and Kerberos.
For NIS to work you need a single, central, machine which contains all the username and password pairs. Other machines will query this one when it comes to validating logins - so no local usernames and passwords need to exist.
For large systems this scales very well: when you wish to add a new user you only need to do it once on the central server rather than on each individual machine.
Installing the server is a simple matter:
name:~# apt-get install nis
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  portmap
The following NEW packages will be installed:
  nis portmap
0 packages upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 190kB of archives. After unpacking 699kB will be used.
Once the packages have been downloaded and installed you will need to choose a name for the domain. (In NIS terms a domain is used to refer to a group of machines; it has no connection with DNS names or WORKGROUP names.)
Once the system has a domain name you will need to set it up as a master server. You do this by editing the file /etc/default/nis, making sure that you have the following lines:
NISSERVER=true
NISCLIENT=false
Once this is done you need to control which machines are allowed to access the NIS server. Do this by editing the file /etc/ypserv.securenets as in the following example:
# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0
Restart the server with /etc/init.d/nis restart and the server is ready.
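An added example, not part of the original notes: a Python check that parses a securenets file in the netmask/network format shown above, reports whether a given client address would be admitted, and flags entries that are too wide. The sample file contents, the function names and the /16 threshold are constructed for illustration. The check covers IPv4 entries only and treats ypserv's "host" keyword as a 255.255.255.255 mask.

```python
import ipaddress

# Constructed sample in ypserv.securenets syntax: "<netmask> <network>" per line.
SAMPLE = """\
# Always allow localhost ("host X" is shorthand for a 255.255.255.255 mask)
host 127.0.0.1
# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0
# Permissive leftover: matches every IPv4 address
0.0.0.0 0.0.0.0
"""

def parse_securenets(text):
    """Return (networks, problems) for securenets text. IPv4 entries only."""
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            problems.append(f"line {lineno}: expected '<netmask> <network>'")
            continue
        mask, net = fields
        if mask == "host":
            mask = "255.255.255.255"
        try:
            # strict=True rejects a network address with bits set outside the
            # mask, which is usually a typo in the entry.
            networks.append(ipaddress.IPv4Network(f"{net}/{mask}", strict=True))
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return networks, problems

def is_allowed(networks, client_ip):
    """True if client_ip falls inside any listed network."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in networks)

def overly_broad(networks, min_prefix=16):
    """Entries wider than /min_prefix (a hypothetical review threshold)."""
    return [net for net in networks if net.prefixlen < min_prefix]

if __name__ == "__main__":
    nets, problems = parse_securenets(SAMPLE)
    for p in problems:
        print("PROBLEM", p)
    for net in overly_broad(nets):
        print("TOO BROAD", net)
    print("10.0.0.5 allowed:", is_allowed(nets, "10.0.0.5"))
```

Anyone admitted by this file can pull the maps, as the ypcat passwd test on the client shows, so a 0.0.0.0 0.0.0.0 line makes the account data readable from any address that can reach the server.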
This now has us running an NIS server. The next thing to do is initialise its maps. This is a simple process of running an init command and giving it the names of the servers you're using. In our case this is just the one server we've just set up:
root@sun:~# /usr/lib/yp/ypinit -m
Now we move on to setting up the clients.
Each client will also need the NIS package, so install that:
apt-get install nis
Enter the name of the domain you chose earlier (this is stored on the server in the file /etc/defaultdomain if ever you forget it).
Once this is done you will need to set up the server to authenticate against. Place its IP address in the file /etc/yp.conf, for example:
ypserver 192.168.1.1
Restart NIS with /etc/init.d/nis restart and test that this machine can access the server by running:
root@undecided:/etc# ypcat passwd
mp3:x:1002:1002::/home/mp3:
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:
Here we see that we've received some results, so we're good to go on.
This is the trickiest step: on this client you need to remove all user accounts from the password, shadow, group, and group shadow files. Here we really do mean users as people, say all the user IDs above 1000. Leave the system accounts such as bin, bind and nobody alone.
(If you want a login to only be available on the local machine then leave it there - certainly leave the root account alone!)
For the file /etc/passwd add +:::::: at the end.
For the file /etc/shadow add +::::::::, and for the other files /etc/group and /etc/gshadow add +:::.
Now try to log in with a user!
When it comes time to add a new user to your setup you should only need to add it on the server, and all machines will benefit. You may need to rerun the ypinit command we gave earlier for it to take effect, though.