
Tuesday, January 17, 2012

How to Setup and Configure YPServ Linux NIS Server and Client


NIS stands for Network Information Service.
NIS is also called YP, which stands for Yellow Pages.
NIS is a lookup service for a set of databases. The databases in this case can be the passwd file, group file, hosts file, etc. It is primarily used as a central repository for all usernames and passwords (i.e. /etc/passwd), and other servers can authenticate against this server for the username and password.

This is very helpful for system administrators who have to manage several servers. Instead of creating user accounts for your users on each and every Linux server, you can just create the account on one server that is configured to run the NIS server. All other servers can be configured as NIS clients, which will authenticate against this central NIS server repository.
This is a step-by-step tutorial that explains the installation and configuration of the ypserv NIS server and client.
YPServ stands for Yellow Pages Server.
If an NIS server is already configured, and you are just trying to connect a Linux server to an existing NIS server, skip to the “NIS Client Configuration” section below.
If you are installing and configuring both the NIS server and client, start from the 1st step below.

NIS Server Configuration

1. Verify Portmap

The portmap server maps RPC program numbers to DARPA port numbers. For an NIS client to make RPC calls to the NIS server (which is an RPC server), the portmapper must be running.
When the NIS server starts, it tells the portmapper which port it is listening on. When an NIS client contacts an NIS server, it first asks the portmapper for the port number the NIS server is running on, and then sends its RPC calls to that port.
On most Linux distributions, portmap runs by default. Make sure it is running, and that it is configured to start when the system is rebooted.
# ps -ef | grep -i portmap
rpc       3624     1  0 Feb23 ?        00:00:00 portmap
root     16908  8658  0 10:35 pts/0    00:00:00 grep -i portmap

# chkconfig --list | grep portmap
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off

2. Install YPServ

Install ypserv on your server using the usual installation method for your Linux distro (for example apt-get, yum, or up2date).
If you prefer to install it from source, download the ypserv source.
On a Red Hat system, locate the ypserv RPM on your installation CD and install it with rpm as shown below.
# rpm -ivh ypserv-2.19-5.el5.i386.rpm
Preparing...                ########################################### [100%]
   1:ypserv                 ########################################### [100%]
ypserv will be installed under /usr/sbin/ypserv
# whereis ypserv
ypserv: /usr/sbin/ypserv /etc/ypserv.conf /usr/share/man/man8/ypserv.8.gz

3. Start ypserv

Check to see whether the ypserv is registered with the portmap as shown below.
# rpcinfo -u localhost ypserv
rpcinfo: RPC: Program not registered
program 100004 is not available
The above output indicates either ypserv is not installed, or ypserv is installed but not started yet. The following quick check indicates that the ypserv is not started yet.
# chkconfig --list | grep yp
ypbind          0:off   1:off   2:off   3:off   4:off   5:off   6:off
yppasswdd       0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypserv          0:off   1:off   2:off   3:off   4:off   5:off   6:off
ypxfrd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

# service ypserv status
ypserv is stopped
Set the NISDOMAIN in the /etc/sysconfig/network file as shown below.
# vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=prod-db
GATEWAY=192.168.1.1
NISDOMAIN=example.com
Start the ypserv as shown below.
# service ypserv start
Setting NIS domain name example.com:      [  OK  ]
Starting YP server services:              [  OK  ]
There are some NIS server configuration parameters set in the /etc/ypserv.conf file. But, you don’t need to modify the default values in this file.

4. Generate NIS Database

Once ypserv is installed and started, it is time to generate the NIS database. All NIS databases are stored under the /var/yp directory. Before you generate the database, you will not see a directory for your domain name under /var/yp.
# ls -l /var/yp
total 36
drwxr-xr-x 2 root root  4096 May 18  2010 binding
-rw-r--r-- 1 root root 16669 Oct 31  2008 Makefile
-rw-r--r-- 1 root root   185 Jun  6  2007 nicknames
Generate the NIS database using the ypinit program as shown below. You only have to enter the hostname of your NIS server to generate the database.
# /usr/lib/yp/ypinit -m

Please continue to add the names for the other hosts, one
per line.  When you are done with the list, type a .
        next host to add:  prod-db
        next host to add: 

The current list of NIS servers looks like this: prod-db

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/example.com/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/example.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
...
gmake[1]: Leaving directory `/var/yp/example.com'

prod-db has been set up as a NIS master server.

Now you can run ypinit -s prod-db on all slave server.
After generating the database, you can see that a new directory for your domain has been created under /var/yp, as shown below.
# ls -l /var/yp
total 44
drwxr-xr-x 2 root root  4096 Oct  8 10:59 example.com
drwxr-xr-x 2 root root  4096 May 18  2010 binding
-rw-r--r-- 1 root root 16669 Oct 31  2008 Makefile
-rw-r--r-- 1 root root   185 Jun  6  2007 nicknames
-rw-r--r-- 1 root root    10 Aug 31 10:58 ypservers
The /var/yp/ypservers file contains the hostname of your NIS server.
# cat /var/yp/ypservers
prod-db

5. Verify the installation

Verify the NIS server installation by checking whether the passwd file can be accessed using the ypcat NIS client program.
# ypcat passwd
No such map passwd.byname. Reason: Can't bind to server which serves this domain
You might get the above error message because ypbind is not running on your system. Just start ypbind and verify the configuration.
# service ypbind start

# ypcat passwd
ramesh:R7EFEGJ1mxRGwVLVC.:401:401::/home/ramesh:/bin/bash
john:QtlRW$Fx.uZvD:402:402::/home/john:/bin/bash
If you do not want the encrypted password field displayed in the ypcat passwd output, set MERGE_PASSWD to false in /var/yp/Makefile as shown below.
# vi /var/yp/Makefile
MERGE_PASSWD=false
After you do the above, the ypcat passwd command will just display an ‘x’ in the password field.
# ypcat passwd
ramesh:x:401:401::/home/ramesh:/bin/bash
john:x:402:402::/home/john:/bin/bash
Any time you make a change (an update to the Makefile, or a change to one of the source files, for example when you add a new user or modify an existing user account), you must run the following. Without this, the changes will not be visible to any of your NIS clients.
# cd /var/yp
# make
I recommend adding this to root's crontab on your NIS server so that it runs every 15 minutes. That way, you don’t need to worry about running it manually whenever you make changes to the NIS database.
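As an added example (not code from the original post), the two shell helpers below audit what this section changes: whether a passwd map dump still carries password hashes, which any host that can bind to the NIS domain can read with ypcat passwd, and which MERGE_PASSWD value a /var/yp/Makefile actually sets once comments and earlier assignments are discounted. The sample map lines and the hash value in them are constructed.

```shell
#!/bin/sh
# Added audit helpers (not from the original post). Constructed sample data
# stands in for `ypcat passwd` output and for a /var/yp/Makefile.

# Print the user name of every passwd-format line whose password field is
# not a placeholder, i.e. entries that expose a hash through the passwd map.
# Reads passwd-style lines on stdin (e.g. `ypcat passwd | leaked_hash_users`).
leaked_hash_users() {
    awk -F: 'NF >= 7 && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }'
}

# Print the effective MERGE_PASSWD value from a Makefile. Commented lines
# (such as the "# MERGE_PASSWD=true|false" hint) are ignored and, as with
# make itself, the last assignment wins. Prints "unset" if none is found.
merge_passwd_setting() {
    awk -F= '
        /^[ \t]*MERGE_PASSWD[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# Constructed sample: one entry still merged with its hash, one already
# replaced by "x". The hash value is a placeholder, not a real hash.
SAMPLE_MAP='ramesh:$1$placeholder$notarealhash:401:401::/home/ramesh:/bin/bash
john:x:402:402::/home/john:/bin/bash'

printf '%s\n' "$SAMPLE_MAP" | leaked_hash_users        # prints: ramesh
```

On a live server, `ypcat passwd | leaked_hash_users` should print nothing once MERGE_PASSWD=false has been set and `make` has been run in /var/yp; any name it prints is an account whose hash is being handed to every client.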

NIS Client Configuration

The following steps need to be executed on the NIS client. In the above example, we installed the NIS server on a server called prod-db. If you want another Linux server, dev-db, to use the /etc/passwd file on prod-db for authentication, you need to do the following steps on the dev-db server (the NIS client).

6. Set the Domainname on Client

Verify that the domain name is set properly on this server. If the following does not return the proper domain name, execute ‘domainname {your-domain}’ to set it.
# domainname
example.com
The domainname command sets the domain name only temporarily, i.e. if you reboot the system, the domain name will be gone. To make it permanent, update the network file and set the NISDOMAIN parameter as shown below.
# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=dev-db
GATEWAY=192.168.1.4
NISDOMAIN=example.com

7. Set the NIS Server Name on Client

Add the following line to the /etc/yp.conf file. This tells the NIS client that the NIS server is prod-db. Instead of prod-db below, you can also give the IP address of the prod-db server.
# vi /etc/yp.conf
domain example.com server prod-db

8. Start the ypbind on Client

ypbind is the NIS binding program. It searches for an NIS server for your NIS domain and maintains the NIS binding information.
Make sure ypbind is up and running on the NIS client. Most Linux distributions have ypbind installed already. If it is not running, start it.
# ps -ef | grep ypbind

# service ypbind start
Verify the NIS server installation by checking whether the passwd file can be accessed using the ypcat NIS client program.
# ypcat passwd
No such map passwd.byname. Reason: Can't bind to server which serves this domain
You might get the above error message because ypbind is not running on your system. Just start ypbind and verify the configuration.
# service ypbind start

# ypcat passwd
ramesh:x.:401:401::/home/ramesh:/bin/bash
john:x:402:402::/home/john:/bin/bash

Saturday, September 3, 2011

NIS on RHEL5


NETWORK INFORMATION SERVICE

NIS is centralized authentication software for Linux / Unix / Solaris platforms. In a network there is one NIS master server, one or more NIS slaves, and many NIS client machines. This document explains how to install and configure NIS master, slave and client machines on Red Hat Enterprise Linux 5 (RHEL5). It is also applicable to CentOS, Fedora and other variants.

Configuring the NIS MASTER Server:

Packages :
For installing NIS the following packages are required.
For server:

ypserv
portmap
make

For client:

ypbind
portmap
authconfig
autofs

Installation:

Step1:
Configure the NISDOMAIN. It should be different from the FQDN [domain name].
[root@vm3 ~]# nisdomainname nis.lap.com
It must also resolve via /etc/hosts:

[root@vm3 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
192.168.0.23 nis.lap.com
[root@vm3 ~]#

To make it permanent, add the entry to /etc/sysconfig/network. This is required for the setting to survive a reboot.

[root@vm3 ~]# cat /etc/sysconfig/network
NETWORKING_IPV6=no
HOSTNAME=vm3
NETWORKING=yes
GATEWAY=192.168.0.1
NISDOMAIN=nis.lap.com
[root@vm3 ~]#

Restart the network service.

Step2:

Install the packages for server.

[root@vm3 ~]# yum install yp*
If using rpm, you have to install ypserv, portmap and the dependency make.
After installing these, a new directory yp is created under /var.

Security Tip:

To allow only certain hosts to query the NIS server, create this file (it does not exist by default) and edit it as follows.

[root@vm3 ~]# cat /var/yp/securenets
#subnet #network
255.255.255.0 192.168.0.0
[root@vm3 ~]#
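An added validator for this file, written here as an example rather than taken from the post: it checks that each non-comment line of a securenets file is either “host <address>” or “<netmask> <network>”, rejects a network address that is not aligned to its mask, and warns when a 0.0.0.0 0.0.0.0 entry is present, since a zero mask matches every address and the file then restricts nothing. The sample file it runs on is constructed to mirror the entry above.

```shell
#!/bin/sh
# Added validator for /var/yp/securenets (not part of the original post).
# Each non-comment line must be either "host <address>" or "<netmask> <network>";
# the network must be aligned to its mask, and a 0.0.0.0 0.0.0.0 entry admits
# every host, which defeats the purpose of the file.

# check_securenets FILE: prints "ok" (exit 0), "open: ..." (exit 1) or one
# "bad: <line>" per malformed entry (exit 2).
check_securenets() {
    awk '
        function dq(s,   a, i) {            # is s a valid dotted quad?
            if (split(s, a, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { ok = 1; open = 0; masks = "0 128 192 224 240 248 252 254 255" }
        /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
        NF != 2 || ($1 != "host" && !dq($1)) || !dq($2) {
            print "bad: " $0; ok = 0; next
        }
        $1 == "host" { next }               # a single host needs no mask check
        {
            split($1, m, "."); split($2, n, "."); tail = 0
            for (i = 1; i <= 4; i++) {
                # mask octets must be contiguous (no 1 bits after the first 0),
                # and each network octet must be a multiple of the mask hole
                if (index(" " masks " ", " " m[i] " ") == 0 || (tail && m[i] != 0) ||
                    (m[i] < 255 && n[i] % (256 - m[i]) != 0)) {
                    print "bad: " $0; ok = 0; next
                }
                if (m[i] != 255) tail = 1
            }
            if ($1 == "0.0.0.0") open = 1
        }
        END {
            if (!ok) exit 2
            if (open) { print "open: a 0.0.0.0 mask allows every host"; exit 1 }
            print "ok"
        }
    ' "$1"
}

# Demonstration on a constructed file that mirrors the entry in the post.
SECURENETS_SAMPLE=$(mktemp)
printf '#subnet #network\n255.255.255.0 192.168.0.0\n' > "$SECURENETS_SAMPLE"
check_securenets "$SECURENETS_SAMPLE"     # prints: ok
rm -f "$SECURENETS_SAMPLE"
```

Run it as `check_securenets /var/yp/securenets` after every edit of the file; a non-zero exit is worth catching before ypserv is restarted with the new contents.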

Step3:

Start the service
[root@vm3 ~]# /etc/init.d/ypserv start
Starting YP server services: [ OK ]
[root@vm3 ~]# chkconfig ypserv on

Check whether it is running:

[root@vm3 ~]# rpcinfo -u 192.168.0.23 ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

[root@vm3 ~]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 715 status
100024 1 tcp 718 status
100004 2 udp 821 ypserv
100004 1 udp 821 ypserv
100004 2 tcp 824 ypserv
100004 1 tcp 824 ypserv

Step4:

Create Users:

We create 5 users whose username and password are the same.
Eg: Name: user1, password: user1



[root@vm3 ~]# for i in 1 2 3 4 5; do useradd user$i; echo user$i | passwd --stdin user$i; done

Changing password for user user1.
passwd: all authentication tokens updated successfully.
Changing password for user user2.
passwd: all authentication tokens updated successfully.
Changing password for user user3.
passwd: all authentication tokens updated successfully.
Changing password for user user4.
passwd: all authentication tokens updated successfully.
Changing password for user user5.
passwd: all authentication tokens updated successfully.

Step5:

Now set up the NIS master and initialize the NIS map database.

# vi /var/yp/Makefile

In this file you can specify MINUID and MINGID [line num 32] and the source files you want NIS to read [line num 72]. Read the comments for details.

You can configure many parameters in this file. One of them is NOPUSH.

If we have only one server, we don't have to push the maps to the slave servers (NOPUSH=true). If you have slave servers, change this to "NOPUSH=false" and put all hostnames of your slave servers in the file /var/yp/ypservers.
NOPUSH=false

Create the Map:
[root@vm3 ~]# /usr/lib/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers. vm3 is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a .
next host to add: vm3
next host to add: vm5 #vm5 is the hostname of our slave server.
next host to add: #It is resolved in /etc/hosts.


The current list of NIS servers looks like this:
vm3
vm5

Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/nis.lap.com/ypservers...



Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/nis.lap.com'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/nis.lap.com'

vm3 has been set up as a NIS master server.

Now you can run ypinit -s vm3 on all slave server.
[Slave configuration we will discuss later in the same document.]
[root@vm3 ~]#


[root@vm3 ~]# /etc/init.d/ypxfrd start
Starting YP map server: [ OK ]
[It should be started in order to forward the map from master to slave machines.]
[root@vm3 ~]#

[root@vm3 ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@vm3 ~]# chkconfig yppasswdd on

Share /home directory using NFS:

You have to share the /home directory of the NIS server so that it can be accessed from the client machines, because when a user logs in from a client, the login lands in that user's home directory; it therefore has to be mounted on the client from the server.
[Implement a proper backup mechanism for /home on the server.]

[root@vm3 ~]# cat /etc/exports
/home *(rw,sync)

[root@vm3 ~]# exportfs -a
[root@vm3 ~]# service nfs start
[root@vm3 ~]# service portmap restart
[root@vm3 ~]# chkconfig nfs on
[root@vm3 ~]# chkconfig portmap on
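An added check for the export above (example code, not the post's own): an export of /home to “*” can be mounted by any host that can reach the NFS server, and no_root_squash would additionally let root on a client read and write the exported tree as root. The function below reads an exports file and reports each export whose client field is “*” (or empty, which exports(5) treats the same way) and each one whose options include no_root_squash. The sample file is constructed.

```shell
#!/bin/sh
# Added check for /etc/exports (not part of the original post): reports exports
# offered to every host ("*" or an empty client field) and exports carrying
# no_root_squash, which lets root on the client act as root on the exported tree.

# check_exports FILE: one line per finding; exit 1 if anything was found.
check_exports() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match(host, /\(.*\)/)) {            # split "client(options)"
                    opts = substr(host, RSTART + 1, RLENGTH - 2)
                    host = substr(host, 1, RSTART - 1)
                }
                if (host == "*" || host == "") {
                    print path ": exported to every host (" $i ")"; findings++
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print path ": no_root_squash for " host; findings++
                }
            }
        }
        END { exit (findings > 0) }
    ' "$1"
}

# Demonstration on a constructed file containing the line used in the post.
EXPORTS_SAMPLE=$(mktemp)
printf '/home *(rw,sync)\n' > "$EXPORTS_SAMPLE"
check_exports "$EXPORTS_SAMPLE"      # prints: /home: exported to every host (*(rw,sync))
rm -f "$EXPORTS_SAMPLE"
```

Restricting the client field to the same subnet listed in /var/yp/securenets, for instance `/home 192.168.0.0/24(rw,sync)`, produces no findings and keeps the home directories off any host the NIS server would not answer anyway.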


Adding new NIS users:

Add the new users on the server, then go to the directory /var/yp
and execute the following command:

# make

Configuring NIS SLAVE server:

Install the ypserv, portmap and dependency packages, and set the NIS domain name to the same value as on the server. In this example, as follows.

[root@vm5 ~]# nisdomainname nis.lap.com

Create entries for name resolution of the server and the other hosts in /etc/hosts. It is better to copy the /etc/hosts of the server and make the proper edits to it.

[root@vm5 ~]# scp 192.168.0.23:/etc/hosts /etc/hosts

[root@vm5 ~]# yum install yp*
[root@vm5 ~]# service ypserv start
[root@vm5 ~]# chkconfig ypserv on

Execute the following command in order to get the NIS maps from the server to the slave.

[root@vm5 ~]# /usr/lib/yp/ypinit -s vm3

Here vm3 is the hostname of the master server, and it must be resolvable via /etc/hosts. Also, don't forget to update the server's /etc/hosts file with the slave's information.

If the command completed successfully, the output looks like this.

We will need a few minutes to copy the data from vm3.
Transferring hosts.byaddr...
Trying ypxfrd ... success

Transferring netid.byname...
Trying ypxfrd ... success

Transferring group.byname...
Trying ypxfrd ... success

[..output truncated..]

Transferring services.byservicename...
Trying ypxfrd ... success

nisclnt.lap.com's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.



At this point, make sure that /etc/passwd and /etc/group have
been edited so that when the NIS is activated, the data bases you
have just created will be used, instead of the /etc ASCII files.

Start the yppasswdd service.

[root@vm5 ~]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@vm5 ~]# chkconfig yppasswdd on

You might want to edit root's crontab *on the slave* server and add the following lines:
20 *    * * *    /usr/lib/yp/ypxfr_1perhour
40 6    * * *    /usr/lib/yp/ypxfr_1perday
55 6,18 * * *    /usr/lib/yp/ypxfr_2perday

This will ensure that most NIS maps are kept up-to-date, even if an update is missed because the slave was down at the time the update was done on the master. 

On the master server, add the new slave server name to /var/yp/ypservers and run make in /var/yp to update the map.

Configuring NIS Client:

Install the following packages in client machine.

[root@vm6 ~]# yum install ypbind authconfig autofs

Enter the domain name and the IP address of the NIS server on the client.

#authconfig -tui
or
#setup
-> Authentication Configuration
->Check these fields
->Cache Information.
->Use NIS
->next
Domain: nis.lap.com #give domain name here its nis.lap.com
Server: 192.168.0.23

If you have slave servers, enter them like this: the IP addresses of the machines one after another, separated by commas.

server 192.168.0.23, 192.168.0.25

Edit the /etc/nsswitch.conf file

Usernames and passwords are looked up in the order listed, so to have NIS checked first, edit the entries as follows.



vi /etc/nsswitch.conf
passwd: nis files
shadow: nis files
group: nis files

Configure autofs:

Open the configuration file of autofs and make edits.

#vi /etc/auto.master
/home /etc/auto.misc --timeout=60
#vi /etc/auto.misc
*    -rw,sync    192.168.0.23:/home/&
Restart the autofs service.
#service autofs restart
#chkconfig autofs on

Some useful commands:

#ypcat passwd

Executing the above command on a client lists the entries of the NIS users from the /etc/passwd file of the master server.

Monday, June 20, 2011

Setup NIS Server


NIS Server
Build an NIS server in order to share user accounts among the virtual networks. The following examples show an NIS server built on the HostOS in the virtual networks, like the NFS server. It is necessary to install ypserv for NIS.
First we need to install the ypserv package, which we can do with the following command:
#yum -y install ypserv
// set domain name
#ypdomainname example.com
// add at the bottom of file
#vi /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=ns.server-linux.info
GATEWAY=192.168.0.1
NISDOMAIN=example.com
#vi /var/yp/Makefile
# MERGE_PASSWD=true|false
MERGE_PASSWD=false          // line 42: change
#
# MERGE_GROUP=true|false
MERGE_GROUP=false           // line 46: change
#
all: passwd shadow group hosts rpc services netid protocols   // line 109: add shadow
// create a directory for email automatically when a user is added in the system
[root@ns ~]# mkdir -p /etc/skel/Maildir/cur
[root@ns ~]# mkdir -p /etc/skel/Maildir/new
[root@ns ~]# mkdir -p /etc/skel/Maildir/tmp
[root@ns ~]# chmod -R 700 /etc/skel/Maildir/
[root@ns ~]# useradd cent
[root@ns ~]# passwd cent
Changing password for user cent.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ns ~]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS servers. ns.server-linux.info is in the list of NIS server hosts. Please continue to add the names for the other hosts, one per line. When you are done with the list, type a .
next host to add: ns.server-linux.info
next host to add: // push Ctrl + D keys
The current list of NIS servers looks like this:
ns.server-linux.info
Is this correct? [y/n: y] y   // input ‘y’ and push Enter key
We need a few minutes to build the databases…
Building /var/yp/server-linux.info/ypservers
Running /var/yp/Makefile…
gmake[1]: Entering directory `/var/yp/server-linux.info
Updating passwd.byname…
Updating passwd.byuid…
Updating group.byname…
Updating group.bygid…
Updating hosts.byname…
Updating hosts.byaddr…
Updating rpc.byname…
Updating rpc.bynumber…
Updating services.byname…
Updating services.byservicename…
Updating netid.byname…
Updating protocols.bynumber…
Updating protocols.byname…
Updating mail.aliases…
gmake[1]: Leaving directory `/var/yp/server-linux.info
ns.server-linux.info has been set up as a NIS master server.
Now you can run ypinit -s ns.server-linux.info on all slave server.
[root@ns ~]# /etc/rc.d/init.d/portmap start
Starting portmap: [  OK  ]
[root@ns ~]# /etc/rc.d/init.d/ypserv start
Starting YP server services: [  OK  ]
[root@ns ~]# /etc/rc.d/init.d/yppasswdd start
Starting YP passwd service: [  OK  ]
[root@ns ~]# chkconfig portmap on
[root@ns ~]# chkconfig ypserv on
[root@ns ~]# chkconfig yppasswdd on
// It is necessary to update the NIS database this way whenever a new user is added
[root@ns ~]# cd /var/yp
[root@ns yp]# make
After building the NIS server, configure the clients in order to share user accounts. The following example shows the configuration on the GuestOS ‘www’.
[root@www ~]# vi /etc/sysconfig/network

NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=www.server-linux.info
GATEWAY=192.168.0.1
NISDOMAIN=server-linux.info   // add the line

[root@www ~]# vi /etc/sysconfig/authconfig

USEWINBINDAUTH=no
USEKERBEROS=no
USESYSNETAUTH=no
FORCESMARTCARD=no
USESMBAUTH=no
USESMARTCARD=no
USELDAPAUTH=no
USELOCAUTHORIZE=no
USEWINBIND=no
USESHADOW=yes
USEDB=no
USEMD5=yes
USEPASSWDQC=no
USELDAP=no
USEHESIOD=no
USECRACKLIB=yes
USENIS=yes   // change

[root@www ~]# vi /etc/yp.conf

# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
#Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
#Use broadcast on the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
#Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
#Use server HOSTNAME for the local domain. The
#IP-address of server must be listed in /etc/hosts.
#
# broadcast
#If no server for the default domain is specified or
#none of them is rechable, try a broadcast call to
#find a server.
#
domain server-linux.info server nfs.server-linux.info   // add the line

[root@www ~]# vi /etc/nsswitch.conf

passwd: files nis   // line 33: add
shadow: files nis   // add
group:  files nis   // add

#hosts: db files nisplus nis dns
hosts:  files dns nis   // add
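The nsswitch.conf edit here puts files before nis, while the RHEL5 post above puts nis before files; the order is whatever the administrator intends, but passwd, shadow and group should agree with each other, since a user whose passwd entry is found in NIS but whose shadow entry is only looked up in local files typically cannot authenticate. The shell helpers below are an added example (not code from either post) that print the source order of a database from an nsswitch.conf and check that the three user databases are consistent; the sample file is constructed.

```shell
#!/bin/sh
# Added helpers (not from either post) that read the lookup order for the
# user databases out of an nsswitch.conf and check that the three agree.

# nss_sources FILE DATABASE: print the sources listed for DATABASE, in order,
# with comments stripped and whitespace normalised. Accepts both
# "passwd: files nis" and "passwd:files nis". Prints nothing if unset.
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                             # drop comments
        $0 ~ ("^[ \t]*" db "[ \t]*:") {
            sub(/^[^:]*:[ \t]*/, "")                   # drop the "db:" prefix
            $1 = $1                                    # squeeze whitespace
            print
            exit
        }
    ' "$1"
}

# nss_consistent FILE: passwd, shadow and group should use the same sources in
# the same order. Prints the shared order and returns 0, or prints the
# mismatch and returns 1.
nss_consistent() {
    p=$(nss_sources "$1" passwd)
    s=$(nss_sources "$1" shadow)
    g=$(nss_sources "$1" group)
    if [ -n "$p" ] && [ "$p" = "$s" ] && [ "$p" = "$g" ]; then
        printf 'consistent: %s\n' "$p"
        return 0
    fi
    printf 'mismatch: passwd=[%s] shadow=[%s] group=[%s]\n' "$p" "$s" "$g"
    return 1
}

# Demonstration on a constructed file with the ordering used in this post.
NSS_SAMPLE=$(mktemp)
printf 'passwd: files nis   # line 33\nshadow: files nis\ngroup:files nis\nhosts: files dns nis\n' > "$NSS_SAMPLE"
nss_sources "$NSS_SAMPLE" passwd      # prints: files nis
nss_consistent "$NSS_SAMPLE"          # prints: consistent: files nis
rm -f "$NSS_SAMPLE"
```

`nss_consistent /etc/nsswitch.conf` is a quick thing to run on a client after the authconfig or manual edit, before the reboot that activates the change.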

[root@www ~]# chkconfig ypbind on
[root@www ~]# chkconfig portmap on
[root@www ~]# reboot

www login: cent   // user name on NIS
Password:   // input password
Last login: Sun Mar 11 22:02:12 on tty1
[cent@www ~]$   // could login
[cent@www ~]$ ypwhich
nfs.server-linux.info
[cent@www ~]$ ypcat passwd
cent:x:500:500::/home/cent:/bin/bash
[cent@www ~]$ yppasswd   // change password
Changing NIS account information for cent on nfs.server-linux.info.
Please enter old password:   // input current password
Changing NIS password for cent on nfs.server-linux.info.
Please enter new password:   // input new password
Please retype new password:   // verify

The NIS password has been changed on nfs.server-linux.info.