Unix System Administration

Excerpt: Network Information Service (aka NIS or yp)

Christopher J. Cox
The Endless Now
January 2002

Network Information Service

  • Provides a means of centralizing the creation and management of users, groups, email aliases, network hostnames, network MAC address mappings, RPC service lookups, TCP/UDP port service lookups.
  • Originally called Yellow Pages from Sun Microsystems, this was their solution for distributed network management created in 1985.
  • Information files that are used in NIS are called maps and often are stored in /var/yp.

NIS Domain Overview

NIS Maps

  • An NIS map is a dbm database file compiled from a text input (e.g. /etc/passwd). One field in the data is considered to be the key field.
  • Because they are implemented as dbm files, lookups using the key are very fast.

Becoming an NIS Client

  • Set the domain with domainname.
  • Declare the yp servers (NIS Masters or Slaves) to use for the domain in /etc/yp.conf.
  • Edit /etc/nsswitch.conf so that NIS is used.
  • Add + lines to /etc/passwd, /etc/group (if applicable, e.g. compat vs. files nis).
  • Start the ypbind daemon (depends upon the portmap or rpc daemon).

The /etc/passwd File

  • The popular account fields are stored in /etc/passwd, a colon delimited file:
    • username
    • password (nowadays just an x; older UNIX variants, or HP-UX in an untrusted mode, store the encrypted string in this field)
    • uid
    • gid
    • comment
    • HOME directory
    • initial program (shell)

"+/-" Lines

  • A mechanism to allow NIS systems to augment the local file entries from /etc/passwd and /etc/group when using compat in nsswitch.conf.
    • /etc/passwd
      • +::::::
        • Everyone in NIS wildcard (required in most NIS installations), often the last entry.
      • +ten::::::/bin/ksh
        • Overrides the NIS shell setting for the user ten. You can override any field except the uid and gid. The user name could be a user, or a @<netgroup>.
      • -ftp
        • Prevents the user ftp from logging in (i.e. disables anonymous ftp).

/etc/passwd and NIS

 root:x:0:1:Super-User:/root:/bin/bash
 bin:x:1:1:bin:/bin:/bin/bash
 daemon:x:2:2:Daemon:/sbin:/bin/bash
 lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
 uucp:x:5:5:uucp Admin:/etc/uucp:/bin/bash
 ...many entries omitted...
 nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
 -bgates
 -@dangerous-hosts-users
 +ccox::::::/usr/bin/ksh
 +@ten-users
  • If a user is contained in multiple netgroup definitions, a remove (-) line containing that user must come before the add (+) line.
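As an added illustration (not part of the original presentation), the following Python models how the compat source walks a passwd file with "+/-" lines: a "-" line only blocks "+" lines that come after it, and a "+user" line may override every field except uid and gid. The NIS map, the netgroup memberships (supplied here already expanded to user names) and the local passwd file are constructed sample data; resolve_compat is this example's own name.

```python
# Constructed sample data, not from a real server: a NIS passwd map, the netgroups it
# defines (already expanded to user names) and a local /etc/passwd that uses "+/-" lines.
NIS_PASSWD = """ccox:x:500:10:Chris Cox:/home/ccox:/bin/bash
user01:x:501:10:User One:/home/user01:/bin/bash
bgates:x:502:10:Bill:/home/bgates:/bin/bash
haX0r:x:666:10:Intruder:/home/haX0r:/bin/bash"""
NETGROUPS = {"ten-users": {"ccox", "user01"}, "dangerous-hosts-users": {"haX0r"}}
LOCAL_PASSWD = """root:x:0:1:Super-User:/root:/bin/bash
-bgates
-@dangerous-hosts-users
+ccox::::::/usr/bin/ksh
+@ten-users"""


def resolve_compat(local_passwd, nis_passwd, netgroups):
    """Walk the local file in order, the way the compat source does: a '-' line only
    blocks '+' lines that follow it. Returns {username: 7 passwd fields}."""
    nis = {e.split(":")[0]: e.split(":") for e in nis_passwd.splitlines()}
    users, excluded = {}, set()

    def add(name, override):            # admit `name` from NIS, applying non-empty overrides
        if name in excluded or name not in nis or name in users:
            return
        fields = list(nis[name])
        for i, val in enumerate(override, start=1):
            if val and i not in (2, 3):   # uid (field 2) and gid (field 3) cannot be overridden
                fields[i] = val
        users[name] = fields

    for line in local_passwd.splitlines():
        spec, *override = line.split(":")
        if spec.startswith("-@"):                       # -@netgroup: block all its members
            excluded |= netgroups.get(spec[2:], set())
        elif spec.startswith("-"):                      # -user: block one user
            excluded.add(spec[1:])
        elif spec.startswith("+@"):                     # +@netgroup: admit its members
            for name in sorted(netgroups.get(spec[2:], ())):
                add(name, override)
        elif spec == "+":                               # "+::::::": everyone in NIS
            for name in nis:
                add(name, override)
        elif spec.startswith("+"):                      # +user:...: admit one user
            add(spec[1:], override)
        else:                                           # ordinary local entry
            users[spec] = [spec] + override
    return users
```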

Exploring Maps

  • Verify domain binding with ypwhich.
  • ypwhich -m
    • Shows maps available on domain.
  • ypcat [-k] <mapname>
    • Show text format of map.
    • The -k will show the key in addition to the data.
      • ypcat passwd
      • ypcat -k netgroup
    • ypcat -x will show aliases available for maps.

Netgroup Map

 admin-users (-,ccox,)
 ten-dev-users  (-,user01,ten.nis), (-,user02,ten.nis)
 dangerous-hosts-users (haX0rwkstn,haX0r,)
 ten-users  admin-users ten-dev-users
  • <netgroup-name> followed by (<hostname>,<username>,<domainname>)
  • If a field is "-", it cannot be used. If a field is empty, it is a wildcard matching anything. The names (keys) of the netgroups are arbitrary.
    • admin-users - Valid on any domain; cannot be used to augment the host map.
    • ten-dev-users - Valid only for the ten.nis domain.
    • dangerous-hosts-users - Could be used either with hosts or passwd maps.
    • ten-users - Combination of other netgroup entries.
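Added example, not from the original slides: a small parser for the netgroup map shown above, with an innetgr(3)-style membership test that applies the "-" and empty-field rules and follows nested groups. The map text is the one printed above; parse_netgroups, in_netgroup and netgroup_users are this example's own names.

```python
import re

# The netgroup map printed above, used as sample input for this example.
NETGROUP_MAP = """admin-users (-,ccox,)
ten-dev-users  (-,user01,ten.nis), (-,user02,ten.nis)
dangerous-hosts-users (haX0rwkstn,haX0r,)
ten-users  admin-users ten-dev-users"""

# One (host,user,domain) triple; whitespace inside the parentheses is ignored.
TRIPLE = re.compile(r"\(\s*([^,)]*?)\s*,\s*([^,)]*?)\s*,\s*([^,)]*?)\s*\)")


def parse_netgroups(text):
    """Return {name: (triples, nested group names)} from ypcat-style netgroup lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, rest = (line.split(None, 1) + [""])[:2]
        triples = TRIPLE.findall(rest)
        nested = TRIPLE.sub(" ", rest).replace(",", " ").split()   # what is left are names
        groups[name] = (triples, nested)
    return groups


def field_matches(field, wanted):
    """Empty field is a wildcard, '-' matches nothing; wanted=None means 'do not care'."""
    return wanted is None or field == "" or field == wanted


def in_netgroup(groups, name, host=None, user=None, domain=None, seen=()):
    """innetgr(3)-style test: does (host, user, domain) match `name` or a nested group?"""
    if name in seen or name not in groups:          # unknown group, or a cycle in the map
        return False
    triples, nested = groups[name]
    if any(field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
           for h, u, d in triples):
        return True
    return any(in_netgroup(groups, n, host, user, domain, seen + (name,)) for n in nested)


def netgroup_users(groups, name, domain, seen=()):
    """User names the group grants in `domain`, i.e. what a '+@name' passwd line admits."""
    if name in seen or name not in groups:
        return set()
    triples, nested = groups[name]
    users = {u for _, u, d in triples if u not in ("", "-") and field_matches(d, domain)}
    return users.union(*(netgroup_users(groups, n, domain, seen + (name,)) for n in nested))
```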

The Automounter

  • Along with common authentication and resource specification, NIS can push maps to be used by an automounter to handle things like common HOME directories across systems (available through NFS for example).
  • After configuration, any reference (e.g. ls, cd, etc.) to the defined directories will cause the automatic mounting (e.g. through NFS) of the directory referenced.
  • Change automount in nsswitch.conf to use nis.

Automount Master Map

  • The master map, usually found at /etc/auto.master or /etc/auto_master, is a configuration file that is used to start automount processes to monitor mount points.
    • The master map contains:
      1. A directory mount point to watch.
      2. An information map of locations that can be mounted under the mount point.
      3. Directory mount options.
  • The auto.master map may be from NIS.

Simple auto.master

 # cat /etc/auto.master
 /misc     /etc/auto.misc
  • The indirect directory to watch is /misc. The details about what resources to mount under /misc are contained in /etc/auto.misc.
  • Start the automount processes through the init startup script (e.g. /etc/init.d/autofs start). This will read the /etc/auto.master (possibly from NIS) and start individual automount daemons to monitor the indirect directories it contains.
 # /etc/init.d/autofs start
 # ps -ef | grep automount
 root 2050 1 0 21:22 pts/1 00:00:00 /usr/sbin/automount /misc file /etc/auto.misc

automount

The automount process is started with a directory to watch and a map of resources to manage under the mount point (by default, mounts expire after 5 minutes of inactivity).

  • Indirect maps contain:
    • Names of directories under the master mount point being watched.
    • Mounting options.
    • Resource to mount.
  • Direct maps (not available in Linux!) contain:
    • Fully qualified mount points.
    • Mounting options.
    • Resource to mount.

Simple Indirect auto.misc

  • The first example is somewhat Linux specific. Automatically mount the /dev/cdrom device when /misc/cd is entered/referenced (Linux can mount local devices this way).
  • More portable is specifying an NFS resource. Mount the remote /emacs directory when /misc/emacs is entered/referenced.
 # cat /etc/auto.misc
 cd       -fstype=iso9660,ro  :/dev/cdrom
 emacs    -r                  bogus.host.com:/emacs

NIS and automount

  • As mentioned, automount can facilitate a common network HOME directory through NFS for all users.
  • The NIS HOME directories will correspond to an indirect map and mount point.
  • The Master map and associated indirect maps can be pushed through NIS (automount knows how to make use of NIS).

NIS auto.master

  • The NIS Server will make an auto.master available usually for the purpose of handling HOME directories for a domain.
 $ ypcat -k auto.master
 /home		auto.home
  • The NIS Server also advertises an auto.home map which is used to handle the NFS mount specifics for the HOME directories.
 $ ypcat -k auto.home
 *	cg1:/home/&
  • The "*" matches any directory reference under /home (the indirect directory being watched) and the "&" is used to substitute the key in the target mount.
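Added example (not from the page or from autofs itself) showing how an indirect lookup is resolved: the master map selects the map for the mount point, an exact key is tried before the "*" wildcard, and "&" is replaced by the key. The maps are constructed from the auto.master, auto.misc and auto.home examples above; a location whose host part is empty (as with :/dev/cdrom) denotes a local device.

```python
# Constructed sample maps, following the page's auto.master, auto.misc and auto.home examples.
AUTO_MASTER = """/misc   auto.misc
/home   auto.home"""
INDIRECT_MAPS = {
    "auto.misc": """cd      -fstype=iso9660,ro  :/dev/cdrom
emacs   -r                  bogus.host.com:/emacs""",
    "auto.home": "*   cg1:/home/&",
}


def parse_indirect(text):
    """Indirect map lines are 'key [-options] location'. Returns {key: (options, location)}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        options = parts[1].lstrip("-") if len(parts) == 3 else ""
        entries[parts[0]] = (options, parts[-1])
    return entries


def resolve(path, master, maps):
    """Work out what automount would mount for `path`, or None if nothing applies."""
    for line in master.splitlines():
        mount_point, map_name = line.split()[:2]
        prefix = mount_point.rstrip("/") + "/"
        if not path.startswith(prefix):
            continue
        key = path[len(prefix):].split("/")[0]       # only the first component is the key
        entries = parse_indirect(maps[map_name])
        hit = entries.get(key) or entries.get("*")   # an exact entry beats the wildcard
        if hit is None:
            return None
        options, location = hit
        host, _, source = location.replace("&", key).partition(":")  # '&' becomes the key
        return {"mountpoint": prefix + key, "options": options,
                "host": host,                        # empty host means a local device
                "source": source}
    return None
```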

Setting Up an NIS Client

 # domainname ten.nis
 # vi /etc/yp.conf
 ypserver 192.168.1.98
 # vi /etc/nsswitch.conf
 passwd: compat
 group:  compat

Others to look at: automount, hosts, ethers, networks, aliases. Use compat if you want to simulate typical Unix behavior, which mandates the inclusion of "+/-" lines in /etc/passwd and /etc/group. Use files nis to avoid having to use "+/-" lines, but you lose the ability to restrict NIS authentication.

 # ps -ef | grep portmap

Verify portmap is running.

 # ypbind
 # ypwhich
 192.168.1.98
 # ypcat passwd
 ccox:ZBaMuOdCZStAE:500:10:Chris Cox:/home/ccox:/bin/ksh

 # /etc/init.d/autofs start

Popular NIS Maps

You can see the maps being advertised/pushed from the Master with ypwhich -m.

 $ ypwhich -m
 netid.byname            ccccd.theendlessnow.com
 passwd.byuid            ccccd.theendlessnow.com
 services.byname         ccccd.theendlessnow.com
 services.byservicename  ccccd.theendlessnow.com
 auto.home               ccccd.theendlessnow.com
 netgroup                ccccd.theendlessnow.com
 passwd.byname           ccccd.theendlessnow.com
 group.byname            ccccd.theendlessnow.com
 netgroup.byuser         ccccd.theendlessnow.com
 netgroup.byhost         ccccd.theendlessnow.com
 group.bygid             ccccd.theendlessnow.com
 ypservers               ccccd.theendlessnow.com
 rpc.byname              ccccd.theendlessnow.com
 auto.master             ccccd.theendlessnow.com

Note: There is no map named passwd; rather there are two passwd maps, one keyed byname and one keyed byuid. The passwd map name is an alias for passwd.byname.

Becoming an NIS Master

  • Set the domain with domainname.
  • Execute /usr/lib/yp/ypinit -m to initialize the databases (converts existing text file databases to dbm format). Specify NIS Slave servers if you want at that time.
  • Start the ypserv daemon (depends upon the portmap or rpc daemon).
  • Join the domain as an NIS client host using ypbind. Use nsswitch.conf to ignore local NIS utilization.

yppasswd/yppasswdd

  • In order for clients to be able to change their NIS passwords, a special daemon is normally run on the NIS Server called yppasswdd (two d’s on the end). It listens for requests from clients to change a password.
  • To change a user password, use the command yppasswd. On many NIS client implementations, the call is made transparently when a call to passwd is made.

ypxfrd

If you have NIS Slave servers, you probably should run ypxfrd on the NIS Master to facilitate/accelerate delivery of pushes to the NIS Slave hosts.

Setting Up an NIS Master

 # domainname ten.nis
 # /usr/lib/yp/ypinit -m
 # ypserv

...optionally, you can join this domain as a client.

 # rpc.yppasswdd -D /etc
 # /usr/lib/yp/ypxfrd

...need this if you support NIS Slaves.

  • The -D option to yppasswdd specifies the directory containing the original source passwd for the passwd.* maps.
  • Why would you not want an NIS Master to use itself for name resolution?

Updating Maps

  • As mentioned earlier, the maps are compiled versions of the original text versions usually stored in dbm format located in /var/yp.
  • Also located in /var/yp is probably a Makefile.
    • As changes are made to any of the textual maps, performing a "make" in the /var/yp directory should update the compiled maps and push them to any NIS Slave servers.

Updating Maps (cont)

 # useradd -m testuser
 # passwd testuser

...assign an initial password...

 # ypcat passwd | grep testuser

...should return nothing, user is only defined locally...

 # cd /var/yp
 # make
 updated passwd
 pushed passwd
 # ypcat passwd | grep testuser
 testuser:axPwTTAWjfk/Y:4448:4444::/home/testuser:/bin/ksh

Linux NIS

  • Linux NIS Server setup has some benefits in that you can usually configure the map builds for passwd to not build for ids beneath a certain uid value. This makes it easier to use the /etc/passwd and /etc/group files under Linux as the source for the dbm maps.
  • Often there is also a utility to define the specific maps to make available, otherwise you will have to edit the /var/yp/Makefile yourself.

Making it Stick

  • Need to set domainname and start ypbind (NIS Client), ypserv (NIS Master or Slave), yppasswdd (NIS Master), ypxfrd (NIS Master) and autofs (automount).
  • In SuSE 8.1, you can configure the domainname in /etc/defaultdomain (similar to commercial Unix systems). Other distributions configure NIS/YP parameters via /etc/sysconfig/*.

General NIS Problems

  • Can use ypcat to view maps, including the encrypted password strings in clear text.
  • Protocol (rpc) is insecure (easily manipulated by intruders).
  • No (usually) /etc/shadow map support, so no password aging (Note: Linux supports shadow maps).
  • Considered to be "old" and "in need of fixing".
  • Clients can hang on boot if NIS Server not available.

NIS Confusion

  • Originally, NIS was designed to handle host resolution, however with DNS, pushing an NIS host map is redundant and can create consistency problems.
    • Solution: Do not push a host map, force use of DNS instead.
      • May have to run ypserv with the -b option.
  • Also, it was common to name the NIS domain the same as the Internet domain name. Again, this causes confusion and is generally not recommended today.

NIS+... the Solution?

  • Sun’s upgrade to NIS, NIS+!
    • Secure rpc support.
    • Password aging.
    • Better replication support for servers.
    • Very granular security features.
  • AND...
    • Expensive to license (slowed its adoption).
    • "Buggy" (especially early on).
    • Poorly supported outside of Sun (poor reputation inside of SUN!).
  • THEREFORE...Not used much (unless an all Sun network).

NIS Security (kind of)

  • Most contemporary NIS implementations support the idea of a /var/yp/securenets file which supplies information about which hosts can use the maps for a given NIS domain (this is considered to be rudimentary security).
 # /var/yp/securenets
 #
 # allow connections from local host -- necessary
 # (same as: 255.255.255.255 127.0.0.1)
 host 127.0.0.1
 # allow anyone in the 192.168.1.0 net
 255.255.255.0    192.168.1.0
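Added example, not from the page or from ypserv: a checker that reads a securenets file in the format shown above and reports whether a given client address would be allowed, plus a check for any rule that admits every host. The file contents are constructed after the page's example; parse_securenets, client_allowed and overly_broad are this example's own names.

```python
import ipaddress

# Constructed /var/yp/securenets contents following the page's example.
SECURENETS = """# allow connections from local host -- necessary
host 127.0.0.1
# allow anyone in the 192.168.1.0 net
255.255.255.0    192.168.1.0"""


def parse_securenets(text):
    """Each rule is 'host <address>' or '<netmask> <network>'; comments start with '#'."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mask, addr = line.split()
        if mask == "host":                    # shorthand for a 255.255.255.255 netmask
            mask = "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def client_allowed(nets, client_ip):
    """Would ypserv answer this client? True if the address lies in any listed network."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in nets)


def overly_broad(nets):
    """Rules that admit every host (a 0.0.0.0 netmask); these should never be present."""
    return [str(net) for net in nets if net.prefixlen == 0]
```

Because securenets filters only on the source address of the RPC request, it limits which networks may bind, nothing more; the page's "rudimentary security" caveat stands.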

Portability Concerns

  • Restrict automount usage to just indirect maps (direct maps are not supported by Linux).
  • Nested indirect maps, or shared mounts (ones used by automount and by some other means, for example, /etc/fstab) should be avoided (these are not supported by HPUX or Linux).
  • Just NFS mounts.

Conclusions

  • NIS is an easy way to manage users across systems, including the ability to share a network HOME directory for each user.
  • NIS commands differ somewhat across Unix and Linux.
  • The automounter is a flexible tool, but only the lowest common denominator of features is truly portable.

Questions?

Page last modified on July 12, 2006, at 08:00 PM