![[LDP]](/moin_static184/ldp/tldp.png)
Modification unauthorized. Use Discussion page if necessary
Discussion Page Content
Original HOWTO
The Linux NIS(YP)/NYS/NIS+ HOWTO
Thorsten Kukuk
v1.3, 1 July 2003
This document describes how to configure Linux as NIS(YP) or NIS+ client
and how to install as NIS server.
-----------------------------------------------------------------------------
Table of Contents
1. Introduction
1.1. New Versions of this Document
1.2. Disclaimer
1.3. Feedback and Corrections
1.4. Acknowledgements
2. Glossary and General Information
2.1. Glossary of Terms
2.2. Some General Information
3. NIS, NYS or NIS+ ?
3.1. libc 4/5 with traditional NIS or NYS ?
3.2. glibc 2 and NIS/NIS+
3.3. NIS or NIS+ ?
4. How it works
4.1. How NIS works
4.2. How NIS+ works
5. The RPC Portmapper
6. What do you need to set up NIS?
6.1. Determine whether you are a Server, Slave or Client.
6.2. The Software
7. Setting Up the NIS Client
7.1. The ypbind daemon
7.2. Setting up a NIS Client using Traditional NIS
7.3. Setting up a NIS Client using NYS
7.4. Setting up a NIS Client using glibc 2.x
7.5. The nsswitch.conf File
7.6. Shadow Passwords with NIS
8. What do you need to set up NIS+ ?
8.1. The Software
8.2. Setting up a NIS+ client
8.3. NIS+, keylogin, login and PAM
8.4. The nsswitch.conf File
9. Setting up a NIS Server
9.1. The Server Program ypserv
9.2. The Server Program yps
9.3. The Program rpc.ypxfrd
9.4. The Program rpc.yppasswdd
10. Verifying the NIS/NYS Installation
11. Creating and Updating NIS maps
11.1. Creating new NIS maps
11.2. Updating NIS maps
11.3. Length of Map entries
12. Surviving a Reboot
12.1. NIS Init Script
12.2. NIS Domain Name
12.3. Distribution-specific Issues
13. Changing passwords with rpasswd
13.1. Server Configuration
13.2. Client Configuration
14. Common Problems and Troubleshooting NIS
15. Frequently Asked Questions
1. Introduction
More and more, Linux machines are installed as part of a network of
computers. To simplify network administration, most networks (mostly
Sun-based networks) run the Network Information Service. Linux machines can
take full advantage of existing NIS service or provide NIS service
themselves. Linux machines can also act as full NIS+ clients, this support is
in beta stage.
This document tries to answer questions about setting up NIS(YP) and NIS+ on
your Linux machine. Don't forget to read Section 5.
The NIS-Howto is edited and maintained by
+---------------------------------------------------------------------------+
| Thorsten Kukuk, <kukuk@suse.de> |
+---------------------------------------------------------------------------+
The primary source of the information for the initial NIS-Howto was from:
+---------------------------------------------------------------------------+
|Andrea Dell'Amico <adellam@ZIA.ms.it> |
|Mitchum DSouza <Mitch.DSouza@NetComm.IE> |
|Erwin Embsen <erwin@nioz.nl> |
|Peter Eriksson <peter@ifm.liu.se> |
+---------------------------------------------------------------------------+
who we should thank for writing the first versions of this document.
-----------------------------------------------------------------------------
1.1. New Versions of this Document
You can always view the latest version of this document on the World Wide Web
via the URL [http://www.linux-nis.org/nis-howto/HOWTO/NIS-HOWTO.html] http://
www.linux-nis.org/nis-howto/HOWTO/NIS-HOWTO.html.
New versions of this document will also be uploaded to various Linux WWW and
FTP sites, including the LDP home page.
Links to translations of this document could be found at [http://
www.linux-nis.org/nis-howto/] http://www.linux-nis.org/nis-howto/.
-----------------------------------------------------------------------------
1.2. Disclaimer
Although this document has been put together to the best of my knowledge it
may, and probably does contain errors. Please read any README files that are
bundled with any of the various pieces of software described in this document
for more detailed and accurate information. I will attempt to keep this
document as error free as possible.
-----------------------------------------------------------------------------
1.3. Feedback and Corrections
If you have questions or comments about this document, please feel free to
mail Thorsten Kukuk, at [mailto:kukuk@linux-nis.org] kukuk@linux-nis.org. I
welcome any suggestions or criticisms. If you find a mistake with this
document, please let me know so I can correct it in the next version. Thanks.
Please do not mail me questions about special problems with your Linux
Distribution! I don't know every Linux Distribution. But I will try to add
every solution you send me.
-----------------------------------------------------------------------------
1.4. Acknowledgements
We would like to thank all the people who have contributed (directly or
indirectly) to this document. In alphabetical order:
+---------------------------------------------------------------------------+
|Byron A Jeff <byron@cc.gatech.edu> |
|Markus Rex <msrex@suse.de> |
|Miquel van Smoorenburg <miquels@cistron.nl> |
|Dan York <dyork@lodestar2.com> |
|Christoffer Bromberg <christoffer@web.de> |
+---------------------------------------------------------------------------+
Theo de Raadt is responsible for the original yp-clients code. Swen Thuemmler
ported the yp-clients code to Linux and also ported the yp-routines in libc
(again based on Theo's work). Thorsten Kukuk has written the NIS(YP) and NIS+
routines for GNU libc 2.x from scratch.
-----------------------------------------------------------------------------
2. Glossary and General Information
2.1. Glossary of Terms
In this document a lot of acronyms are used. Here are the most important
acronyms and a brief explanation:
DBM
DataBase Management, a library of functions which maintain key-content
pairs in a data base.
DLL
Dynamically Linked Library, a library linked to an executable program at
run-time.
domainname
A name "key" that is used by NIS clients to be able to locate a suitable
NIS server that serves that domainname key. Please note that this does
not necessarily have anything at all to do with the DNS "domain" (machine
name) of the machine(s).
FTP
File Transfer Protocol, a protocol used to transfer files between two
computers.
libnsl
Name services library, a library of name service calls (getpwnam,
getservbyname, etc...) on SVR4 Unixes. GNU libc uses this for the NIS
(YP) and NIS+ functions.
libsocket
Socket services library, a library for the socket service calls (socket,
bind, listen, etc...) on SVR4 Unixes.
NIS
Network Information Service, a service that provides information, that
has to be known throughout the network, to all machines on the network.
There is support for NIS in Linux's standard libc library, which in the
following text is referred to as "traditional NIS".
NIS+
Network Information Service (Plus :-), essentially NIS on steroids. NIS+
is designed by Sun Microsystems Inc. as a replacement for NIS with better
security and better handling of _large_ installations.
NYS
This is the name of a project and stands for NIS+, YP and Switch and is
managed by Peter Eriksson <peter@ifm.liu.se>. It contains among other
things a complete reimplementation of the NIS (= YP) code that uses the
Name Services Switch functionality of the NYS library.
NSS
Name Service Switch. The /etc/nsswitch.conf file determines the order of
lookups performed when a certain piece of information is requested.
RPC
Remote Procedure Call. RPC routines allow C programs to make procedure
calls on other machines across the network. When people talk about RPC
they most often mean the Sun RPC variant.
YP
Yellow Pages(tm), a registered trademark in the UK of British Telecom
plc.
TCP-IP
Transmission Control Protocol/Internet Protocol. It is the data
communication protocol most often used on Unix machines.
-----------------------------------------------------------------------------
2.2. Some General Information
The next four lines are quoted from the Sun(tm) System & Network
Administration Manual:
+---------------------------------------------------------------------------+
| "NIS was formerly known as Sun Yellow Pages (YP) but |
| the name Yellow Pages(tm) is a registered trademark |
| in the United Kingdom of British Telecom plc and may |
| not be used without permission." |
+---------------------------------------------------------------------------+
NIS stands for Network Information Service. Its purpose is to provide
information, that has to be known throughout the network, to all machines on
the network. Information likely to be distributed by NIS is:
* login names/passwords/home directories (/etc/passwd)
* group information (/etc/group)
If, for example, your password entry is recorded in the NIS passwd database,
you will be able to login on all machines on the network which have the NIS
client programs running.
Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.
-----------------------------------------------------------------------------
3. NIS, NYS or NIS+ ?
3.1. libc 4/5 with traditional NIS or NYS ?
The choice between "traditional NIS" or the NIS code in the NYS library is a
choice between laziness and maturity vs. flexibility and love of adventure.
The "traditional NIS" code is in the standard C library and has been around
longer and sometimes suffers from its age and slight inflexibility.
The NIS code in the NYS library requires you to recompile the libc library to
include the NYS code into it (or maybe you can get a precompiled version of
libc from someone who has already done it).
Another difference is that the traditional NIS code has some support for NIS
Netgroups, which the NYS code doesn't. On the other hand the NYS code allows
you to handle Shadow Passwords in a transparent way. The "traditonal NIS"
code doesn't support Shadow Passwords over NIS.
-----------------------------------------------------------------------------
3.2. glibc 2 and NIS/NIS+
Forgot all this if you use the new GNU C Library 2.x (aka libc6). It has real
NSS (name switch service) support, which makes it very flexible, and contains
support for the following NIS/NIS+ maps: aliases, ethers, group, hosts,
netgroups, networks, protocols, publickey, passwd, rpc, services and shadow.
The GNU C Library has no problems with shadow passwords over NIS.
-----------------------------------------------------------------------------
3.3. NIS or NIS+ ?
The choice between NIS and NIS+ is easy - use NIS+ only if you have severe
security needs. NIS+ is much more problematic to administer (it's pretty easy
to handle on the client side, but the server side is horrible). Another
problem is that the support for NIS+ under Linux contains a lot of bugs and
that the development has stopped.
-----------------------------------------------------------------------------
4. How it works
4.1. How NIS works
Within a network there must be at least one machine acting as a NIS server.
You can have multiple NIS servers, each serving different NIS "domains" - or
you can have cooperating NIS servers, where one is the master NIS server, and
all the other are so-called slave NIS servers (for a certain NIS "domain",
that is!) - or you can have a mix of them...
Slave servers only have copies of the NIS databases and receive these copies
from the master NIS server whenever changes are made to the master's
databases. Depending on the number of machines in your network and the
reliability of your network, you might decide to install one or more slave
servers. Whenever a NIS server goes down or is too slow in responding to
requests, a NIS client connected to that server will try to find one that is
up or faster.
NIS databases are in so-called DBM format, derived from ASCII databases. For
example, the files /etc/passwd and /etc/group can be directly converted to
DBM format using ASCII-to-DBM translation software (makedbm, included with
the server software). The master NIS server should have both, the ASCII
databases and the DBM databases.
Slave servers will be notified of any change to the NIS maps, (via the yppush
program), and automatically retrieve the necessary changes in order to
synchronize their databases. NIS clients do not need to do this since they
always talk to the NIS server to read the information stored in it's DBM
databases.
Old ypbind versions do a broadcast to find a running NIS server. This is
insecure, due the fact that anyone may install a NIS server and answer the
broadcast queries. Newer Versions of ypbind (ypbind-3.3 or ypbind-mt) are
able to get the server from a configuration file - thus no need to broadcast.
-----------------------------------------------------------------------------
4.2. How NIS+ works
NIS+ is a new version of the network information nameservice from Sun. The
biggest difference between NIS and NIS+ is that NIS+ has support for data
encryption and authentication over secure RPC.
The naming model of NIS+ is based upon a tree structure. Each node in the
tree corresponds to an NIS+ object, from which we have six types: directory,
entry, group, link, table and private.
The NIS+ directory that forms the root of the NIS+ namespace is called the
root directory. There are two special NIS+ directories: org_dir and
groups_dir. The org_dir directory consists of all administration tables, such
as passwd, hosts, and mail_aliases. The groups_dir directory consists of NIS+
group objects which are used for access control. The collection of org_dir,
groups_dir and their parent directory is referred to as an NIS+ domain.
-----------------------------------------------------------------------------
5. The RPC Portmapper
To run any of the software mentioned below you will need to run the program /
sbin/portmap. Some Linux distributions already have the code in the /sbin/
init.d/ or /etc/rc.d/ files to start up this daemon. All you have to do is to
activate it and reboot your Linux machine. Read your Linux Distribution
Documentation how to do this.
The RPC portmapper (portmap(8)) is a server that converts RPC program numbers
into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to
make RPC calls (which is what the NIS/NIS+ client software does) to RPC
servers (like a NIS or NIS+ server) on that machine. When an RPC server is
started, it will tell portmap what port number it is listening to, and what
RPC program numbers it is prepared to serve. When a client wishes to make an
RPC call to a given program number, it will first contact portmap on the
server machine to determine the port number where RPC packets should be sent.
Since RPC servers could be started by inetd(8), portmap should be running
before inetd is started.
For secure RPC, the portmapper needs the Time service. Make sure, that the
Time service is enabled in /etc/inetd.conf on all hosts:
+---------------------------------------------------------------------------+
|# |
|# Time service is used for clock syncronization. |
|# |
|time stream tcp nowait root internal |
|time dgram udp wait root internal |
+---------------------------------------------------------------------------+
IMPORTANT: Don't forget to restart inetd after changes on its configuration
file !
-----------------------------------------------------------------------------
6. What do you need to set up NIS?
6.1. Determine whether you are a Server, Slave or Client.
To answer this question you have to consider two cases:
1. Your machine is going to be part of a network with existing NIS servers
2. You do not have any NIS servers in the network yet
In the first case, you only need the client programs (ypbind, ypwhich, ypcat,
yppoll, ypmatch). The most important program is ypbind. This program must be
running at all times, which means, it should always appear in the list of
processes. It is a daemon process and needs to be started from the system's
startup file (eg. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/
ypbind, /etc/rc.local). As soon as ypbind is running your system has become a
NIS client.
In the second case, if you don't have NIS servers, then you will also need a
NIS server program (usually called ypserv). Section 9 describes how to set up
a NIS server on your Linux machine using the ypserv daemon.
-----------------------------------------------------------------------------
6.2. The Software
The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the shared
library "/lib/libc.so.x" contain all necessary system calls to succesfully
compile the NIS client and server software. For the GNU C Library 2 (glibc
2.x), you also need /lib/libnsl.so.1.
Some people reported that NIS only works with "/usr/lib/libc.a" version
4.5.21 and better so if you want to play it safe don't use older libc's. The
NIS client software can be obtained from:
+----------------------------------------------------------------------------------+
| Site Directory File Name |
| |
| ftp.kernel.org /pub/linux/utils/net/NIS yp-tools-2.8.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-mt-1.13.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3-glibc5.diff.gz|
+----------------------------------------------------------------------------------+
Once you obtained the software, please follow the instructions which come
with the software. yp-clients 2.2 are for use with libc4 and libc5 until
5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.1 or later. The new
yp-tools 2.4 should work with every Linux libc. Since there was a bug in the
NIS code, you shouldn't use libc 5.4.21-5.4.35. Use libc 5.4.36 or later
instead, or the most YP programs will not work. ypbind 3.3 will work with all
libraries, too. If you use gcc 2.8.x or greater, egcs or glibc 2.x, you
should add the ypbind-3.3-glibc5.diff patch to ypbind 3.3. If possible you
should avoid the use of ypbind 3.3 for security reasons. ypbind-mt is a new,
multithreaded daemon. It needs a Linux 2.2 kernel and glibc 2.1 or later.
-----------------------------------------------------------------------------
7. Setting Up the NIS Client
7.1. The ypbind daemon
After you have succesfully compiled the software you are now ready to install
it. A suitable place for the ypbind daemon is the directory /usr/sbin. Some
people may tell you that you don't need ypbind on a system with NYS. This is
wrong. ypwhich and ypcat need it always.
You must do this as root of course. The other binaries (ypwhich, ypcat,
yppasswd, yppoll, ypmatch) should go in a directory accessible by all users,
normally /usr/bin.
Newer ypbind versions have a configuration file called /etc/yp.conf. You can
hardcode a NIS server there - for more info see the manual page for ypbind
(8). You also need this file for NYS. An example:
+---------------------------------------------------------------------------+
|ypserver 10.10.0.1 |
|ypserver 10.0.100.8 |
|ypserver 10.3.1.1 |
+---------------------------------------------------------------------------+
If the system can resolve the hostnames without NIS, you may use the name,
otherwise you have to use the IP address. ypbind 3.3 has a bug and will only
use the last entry (ypserver 10.3.1.1 in the example). All other entries are
ignored. ypbind-mt handle this correct and uses that one, which answerd at
first.
It might be a good idea to test ypbind before incorporating it in the startup
files. To test ypbind do the following:
* Make sure you have your YP-domain name set. If it is not set then issue
the command:
+---------------------------------------------------------------+
| /bin/domainname nis.domain |
+---------------------------------------------------------------+
where nis.domain should be some string _NOT_ normally associated with the
DNS-domain name of your machine! The reason for this is that it makes it
a little harder for external crackers to retreive the password database
from your NIS servers. If you don't know what the NIS domain name is on
your network, ask your system/network administrator.
* Start up "/sbin/portmap" if it is not already running.
* Create the directory /var/yp if it does not exist.
* Start up /usr/sbin/ypbind
* Use the command rpcinfo -p localhost to check if ypbind was able to
register its service with the portmapper. The output should look like:
+---------------------------------------------------------------+
| program vers proto port |
| 100000 2 tcp 111 portmapper |
| 100000 2 udp 111 portmapper |
| 100007 2 udp 637 ypbind |
| 100007 2 tcp 639 ypbind |
+---------------------------------------------------------------+
or
+---------------------------------------------------------------+
| program vers proto port |
| 100000 2 tcp 111 portmapper |
| 100000 2 udp 111 portmapper |
| 100007 2 udp 758 ypbind |
| 100007 1 udp 758 ypbind |
| 100007 2 tcp 761 ypbind |
| 100007 1 tcp 761 ypbind |
+---------------------------------------------------------------+
Depending on the ypbind version you are using.
* You may also run rpcinfo -u localhost ypbind. This command should produce
something like:
+---------------------------------------------------------------+
| program 100007 version 2 ready and waiting |
+---------------------------------------------------------------+
or
+---------------------------------------------------------------+
| program 100007 version 1 ready and waiting |
| program 100007 version 2 ready and waiting |
+---------------------------------------------------------------+
The output depends on the ypbind version you have installed. Important is
only the "version 2" message.
At this point you should be able to use NIS client programs like ypcat,
etc... For example, ypcat passwd.byname will give you the entire NIS password
database.
IMPORTANT: If you skipped the test procedure then make sure you have set the
domain name, and created the directory
+---------------------------------------------------------------------------+
| /var/yp |
+---------------------------------------------------------------------------+
This directory MUST exist for ypbind to start up succesfully.
To check if the domainname is set correct, use the /bin/ypdomainname from
yp-tools 2.2. It uses the yp_get_default_domain() function which is more
restrict. It doesn't allow for example the "(none)" domainname, which is the
default under Linux and makes a lot of problems.
If the test worked you may now want to change your startupd files so that
ypbind will be started at boot time and your system will act as a NIS client.
Make sure that the domainname will be set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see if
ypbind is actually started.
-----------------------------------------------------------------------------
7.2. Setting up a NIS Client using Traditional NIS
For host lookups you must set (or add) "nis" to the lookup order line in your
/etc/host.conf file. Please read the manpage "resolv+.8" for more details.
Add the following line to /etc/passwd on your NIS clients:
+---------------------------------------------------------------------------+
|+:::::: |
+---------------------------------------------------------------------------+
You can also use the + and - characters to include/exclude or change users.
If you want to exclude the user guest just add -guest to your /etc/passwd
file. You want to use a different shell (e.g. ksh) for the user "linux"? No
problem, just add "+linux::::::/bin/ksh" (without the quotes) to your /etc/
passwd. Fields that you don't want to change have to be left empty. You could
also use Netgroups for user control.
For example, to allow login-access only to miquels, dth and ed, and all
members of the sysadmin netgroup, but to have the account data of all other
users available use:
+---------------------------------------------------------------------------+
| +miquels::::::: |
| +ed::::::: |
| +dth::::::: |
| +@sysadmins::::::: |
| -ftp |
| +:*::::::/etc/NoShell |
+---------------------------------------------------------------------------+
Note that in Linux you can also override the password field, as we did in
this example. We also remove the login "ftp", so it isn't known any longer,
and anonymous ftp will not work.
The netgroup would look like
+---------------------------------------------------------------------------+
|sysadmins (-,software,) (-,kukuk,) |
+---------------------------------------------------------------------------+
IMPORTANT: The netgroup feature is implemented starting from libc 4.5.26. If
you have a version of libc earlier than 4.5.26, every user in the NIS
password database can access your linux machine if you run "ypbind" !
-----------------------------------------------------------------------------
7.3. Setting up a NIS Client using NYS
All that is required is that the NIS configuration file (/etc/yp.conf) points
to the correct server(s) for its information. Also, the Name Services Switch
configuration file (/etc/nsswitch.conf) must be correctly set up.
You should install ypbind. It isn't needed by the libc, but the NIS(YP) tools
need it.
If you wish to use the include/exclude user feature (+/-guest/+@admins), you
have to use "passwd: compat" and "group: compat" in nsswitch.conf. Note that
there is no "shadow: compat"! You have to use "shadow: files nis" in this
case.
The NYS sources are part of the libc 5 sources. When run configure, say the
first time "NO" to the "Values correct" question, then say "YES" to "Build a
NYS libc from nys".
-----------------------------------------------------------------------------
7.4. Setting up a NIS Client using glibc 2.x
The glibc uses "traditional NIS", so you need to start ypbind. The Name
Services Switch configuration file (/etc/nsswitch.conf) must be correctly set
up. If you use the compat mode for passwd, shadow or group, you have to add
the "+" at the end of this files and you can use the include/exclude user
feature. The configuration is excatly the same as under Solaris 2.x.
-----------------------------------------------------------------------------
7.5. The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf determines the order of
lookups performed when a certain piece of information is requested, just like
the /etc/host.conf file which determines the way host lookups are performed.
For example, the line
+---------------------------------------------------------------------------+
| hosts: files nis dns |
+---------------------------------------------------------------------------+
specifies that host lookup functions should first look in the local /etc/
hosts file, followed by a NIS lookup and finally through the domain name
service (/etc/resolv.conf and named), at which point if no match is found an
error is returned. This file must be readable for every user! You can find
more information in the man-page nsswitch.5 or nsswitch.conf.5.
A good /etc/nsswitch.conf file for NIS is:
+---------------------------------------------------------------------------+
|# |
|# /etc/nsswitch.conf |
|# |
|# An example Name Service Switch config file. This file should be |
|# sorted with the most-used services at the beginning. |
|# |
|# The entry '[NOTFOUND=return]' means that the search for an |
|# entry should stop if the search in the previous entry turned |
|# up nothing. Note that if the search failed due to some other reason |
|# (like no NIS server responding) then the search continues with the |
|# next entry. |
|# |
|# Legal entries are: |
|# |
|# nisplus Use NIS+ (NIS version 3) |
|# nis Use NIS (NIS version 2), also called YP |
|# dns Use DNS (Domain Name Service) |
|# files Use the local files |
|# db Use the /var/db databases |
|# [NOTFOUND=return] Stop searching if not found so far |
|# |
| |
|passwd: compat |
|group: compat |
|# For libc5, you must use shadow: files nis |
|shadow: compat |
| |
|passwd_compat: nis |
|group_compat: nis |
|shadow_compat: nis |
| |
|hosts: nis files dns |
| |
|services: nis [NOTFOUND=return] files |
|networks: nis [NOTFOUND=return] files |
|protocols: nis [NOTFOUND=return] files |
|rpc: nis [NOTFOUND=return] files |
|ethers: nis [NOTFOUND=return] files |
|netmasks: nis [NOTFOUND=return] files |
|netgroup: nis |
|bootparams: nis [NOTFOUND=return] files |
|publickey: nis [NOTFOUND=return] files |
|automount: files |
|aliases: nis [NOTFOUND=return] files |
+---------------------------------------------------------------------------+
passwd_compat, group_compat and shadow_compat are only supported by glibc
2.x. If there are no shadow rules in /etc/nsswitch.conf, glibc will use the
passwd rule for lookups. There are some more lookup module for glibc like
hesoid. For more information, read the glibc documentation.
-----------------------------------------------------------------------------
7.6. Shadow Passwords with NIS
Shadow passwords over NIS are always a bad idea. You loose the security,
which shadow gives you, and it is supported by only some few Linux C
Libraries. A good way to avoid shadow passwords over NIS is, to put only the
local system users in /etc/shadow. Remove the NIS user entries from the
shadow database, and put the password back in passwd. So you can use shadow
for the root login, and normal passwd for NIS user. This has the advantage
that it will work with every NIS client.
-----------------------------------------------------------------------------
7.6.1. Linux
The only Linux libc which supports shadow passwords over NIS, is the GNU C
Library 2.x. Linux libc5 has no support for it. Linux libc5 compiled with NYS
enabled has some code for it. But this code is badly broken in some cases and
doesn't work with all correct shadow entries.
-----------------------------------------------------------------------------
7.6.2. Solaris
Solaris does not support shadow passwords over NIS.
-----------------------------------------------------------------------------
7.6.3. PAM
Linux-PAM 0.75 and newr does support Shadow passwords over NIS if you use the
pam_unix.so Module or if you install the extra pam_unix2.so Module. Old
systems using pam_pwdb/libpwdb (for example Red Hat Linux 5.x) need to change
the /etc/pam.d/* entries. All pam_pwdb rules should be replaced through a
pam_unix_* module.
An example /etc/pam.d/login file looks like:
+----------------------------------------------------------------------------------+
|#%PAM-1.0 |
|auth requisite pam_unix2.so nullok #set_secrpc |
|auth required pam_securetty.so |
|auth required pam_nologin.so |
|auth required pam_env.so |
|auth required pam_mail.so |
|account required pam_unix2.so |
|password required pam_pwcheck.so nullok |
|password required pam_unix2.so nullok use_first_pass use_authtok |
|session required pam_unix2.so none # debug or trace |
|session required pam_limits.so |
+----------------------------------------------------------------------------------+
-----------------------------------------------------------------------------
8. What do you need to set up NIS+ ?
8.1. The Software
The Linux NIS+ client code was developed for the GNU C library 2. There is
also a port for Linux libc5, since most commercial Applications where linked
against this library in the past, and you cannot recompile them for using
glibc. There are problems with libc5 and NIS+: static programs cannot be
linked with it, and programs compiled with this library will not work with
other libc5 versions.
As base System you need a glibc based Distribution like Debian, Red Hat Linux
or SuSE Linux. If you have a Linux Distribution, which does not have glibc
2.1.1 or later, you need to update to a newer version.
The NIS+ client software can be obtained from:
+---------------------------------------------------------------------------------+
| Site Directory File Name |
| |
| ftp.gnu.org /pub/gnu/glibc glibc-2.3.2.tar.gz, |
| glibc-linuxthreads-2.3.2.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS+ nis-utils-1.4.1.tar.gz |
+---------------------------------------------------------------------------------+
You should also have a look at [http://www.linux-nis.org/nisplus/] http://
www.linux-nis.org/nisplus/ for more information and the latest sources.
-----------------------------------------------------------------------------
8.2. Setting up a NIS+ client
IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs what to
do on the server side! This document only describes what to do on the client
side!
After installing the new libc and nis-tools, create the credentials for the
new client on the NIS+ server. Make sure portmap is running. Then check if
your Linux PC has the same time as the NIS+ Server. For secure RPC, you have
only a small window from about 3 minutes, in which the credentials are valid.
A good idea is to run xntpd on every host. After this, run
+---------------------------------------------------------------------------+
|domainname nisplus.domain. |
|nisinit -c -H <NIS+ server> |
+---------------------------------------------------------------------------+
to initialize the cold start file. Read the nisinit man page for more
options. Make sure that the domainname will always be set after a reboot. If
you don't know what the NIS+ domain name is on your network, ask your system/
network administrator.
Now you should change your /etc/nsswitch.conf file. Make sure that the only
service after publickey is nisplus ("publickey: nisplus"), and nothing else!
Then start keyserv and make sure, that it will always be started as first
daemon after portmap at boot time. Run
+---------------------------------------------------------------------------+
|keylogin -r |
+---------------------------------------------------------------------------+
to store the root secretkey on your system. (I hope you have added the
publickey for the new host on the NIS+ Server?).
niscat passwd.org_dir should now show you all entries in the passwd database.
-----------------------------------------------------------------------------
8.3. NIS+, keylogin, login and PAM
When the user logs in, he need to set his secretkey to keyserv. This is done
by calling "keylogin". The login from the shadow package will do this for the
user, if it was compiled against glibc 2.1. For a PAM aware login, you have
to change the /etc/pam.d/login file to use pam_unix2, not pwdb, which doesn't
support NIS+. An example:
+---------------------------------------------------------------------------+
|#%PAM-1.0 |
|auth required /lib/security/pam_securetty.so |
|auth required /lib/security/pam_unix2.so set_secrpc |
|auth required /lib/security/pam_nologin.so |
|account required /lib/security/pam_unix2.so |
|password required /lib/security/pam_unix2.so |
|session required /lib/security/pam_unix2.so |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
8.4. The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf determines the order of
lookups performed when a certain piece of information is requested, just like
the /etc/host.conf file which determines the way host lookups are performed.
For example, the line
+---------------------------------------------------------------------------+
| hosts: files nisplus dns |
+---------------------------------------------------------------------------+
specifies that host lookup functions should first look in the local /etc/
hosts file, followed by a NIS+ lookup and finally through the domain name
service (/etc/resolv.conf and named), at which point if no match is found an
error is returned.
A good /etc/nsswitch.conf file for NIS+ is:
+---------------------------------------------------------------------------+
|# |
|# /etc/nsswitch.conf |
|# |
|# An example Name Service Switch config file. This file should be |
|# sorted with the most-used services at the beginning. |
|# |
|# The entry '[NOTFOUND=return]' means that the search for an |
|# entry should stop if the search in the previous entry turned |
|# up nothing. Note that if the search failed due to some other reason |
|# (like no NIS server responding) then the search continues with the |
|# next entry. |
|# |
|# Legal entries are: |
|# |
|# nisplus Use NIS+ (NIS version 3) |
|# nis Use NIS (NIS version 2), also called YP |
|# dns Use DNS (Domain Name Service) |
|# files Use the local files |
|# db Use the /var/db databases |
|# [NOTFOUND=return] Stop searching if not found so far |
|# |
| |
|passwd: compat |
|group: compat |
|shadow: compat |
| |
|passwd_compat: nisplus |
|group_compat: nisplus |
|shadow_compat: nisplus |
| |
|hosts: nisplus files dns |
| |
|services: nisplus [NOTFOUND=return] files |
|networks: nisplus [NOTFOUND=return] files |
|protocols: nisplus [NOTFOUND=return] files |
|rpc: nisplus [NOTFOUND=return] files |
|ethers: nisplus [NOTFOUND=return] files |
|netmasks: nisplus [NOTFOUND=return] files |
|netgroup: nisplus |
|bootparams: nisplus [NOTFOUND=return] files |
|publickey: nisplus |
|automount: files |
|aliases: nisplus [NOTFOUND=return] files |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
9. Setting up a NIS Server
9.1. The Server Program ypserv
This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
+---------------------------------------------------------------------------+
| Site Directory File Name |
| |
| ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.bz2 |
+---------------------------------------------------------------------------+
You could also look at [http://www.linux-nis.org/nis/] http://
www.linux-nis.org/nis/ for more information.
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and makedbm programs. ypserv-2.x
only supports the securenets file for access restrictions.
If you run your server as master, determine what files you require to be
available via NIS and then add or remove the appropriate entries to the "all"
rule in /var/yp/Makefile. You always should look at the Makefile and edit the
Options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version
1.2, the file handles are cached. This means you have to call makedbm always
with the -c option if you create new maps. Make sure, you are using the new /
var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in
the Makefile. If you don't do that, ypserv will continue to use the old maps,
and not the updated one.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read
the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv
. The command
+---------------------------------------------------------------------------+
| % rpcinfo -u localhost ypserv |
+---------------------------------------------------------------------------+
should output something like
+---------------------------------------------------------------------------+
| program 100004 version 1 ready and waiting |
| program 100004 version 2 ready and waiting |
+---------------------------------------------------------------------------+
The "version 1" line could be missing, depending on the ypserv version and
configuration you are using. It is only necessary if you have old SunOS 4.x
clients.
Now generate the NIS (YP) database. On the master, run
+---------------------------------------------------------------------------+
| % /usr/lib/yp/ypinit -m |
+---------------------------------------------------------------------------+
On a slave make sure that ypwhich -m works. This means, that your slave must
be configured as NIS client before you could run
+---------------------------------------------------------------------------+
| % /usr/lib/yp/ypinit -s masterhost |
+---------------------------------------------------------------------------+
to install the host as NIS slave.
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode
on different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS
master. This will update a map if the source file is newer, and push the
files to the slave servers. Please don't use ypinit for updating a map.
You might want to edit root's crontab *on the slave* server and add the
following lines:
+---------------------------------------------------------------------------+
| 20 * * * * /usr/lib/yp/ypxfr_1perhour |
| 40 6 * * * /usr/lib/yp/ypxfr_1perday |
| 55 6,18 * * * /usr/lib/yp/ypxfr_2perday |
+---------------------------------------------------------------------------+
This will ensure that most NIS maps are kept up-to-date, even if an update is
missed because the slave was down at the time the update was done on the
master.
You can add a slave at every time later. At first, make sure that the new
slave server has permissions to contact the NIS master. Then run
+---------------------------------------------------------------------------+
| % /usr/lib/yp/ypinit -s masterhost |
+---------------------------------------------------------------------------+
on the new slave. On the master server, add the new slave server name to /var
/yp/ypservers and run make in /var/yp to update the map.
If you want to restrict access for users to your NIS server, you'll have to
setup the NIS server as a client as well by running ypbind and adding the
plus-entries to /etc/passwd _halfway_ the password file. The library
functions will ignore all normal entries after the first NIS entry, and will
get the rest of the info through NIS. This way the NIS access rules are
maintained. An example:
+-------------------------------------------------------------------------------+
| root:x:0:0:root:/root:/bin/bash |
| daemon:*:1:1:daemon:/usr/sbin: |
| bin:*:2:2:bin:/bin: |
| sys:*:3:3:sys:/dev: |
| sync:*:4:100:sync:/bin:/bin/sync |
| games:*:5:100:games:/usr/games: |
| man:*:6:100:man:/var/catman: |
| lp:*:7:7:lp:/var/spool/lpd: |
| mail:*:8:8:mail:/var/spool/mail: |
| news:*:9:9:news:/var/spool/news: |
| uucp:*:10:50:uucp:/var/spool/uucp: |
| nobody:*:65534:65534:noone at all,,,,:/dev/null: |
| +miquels:::::: |
| +:*:::::/etc/NoShell |
| [ All normal users AFTER this line! ] |
| tester:*:299:10:Just a test account:/tmp: |
| miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh|
+-------------------------------------------------------------------------------+
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels
will have normal access.
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use
another source password file. On large systems the NIS password and group
files are usually stored in /etc/yp/. If you do this the normal tools to
administrate the password file such as passwd, chfn, adduser will not work
anymore and you need special homemade tools for this.
However, yppasswd, ypchsh and ypchfn will work of course.
-----------------------------------------------------------------------------
9.2. The Server Program yps
To set up the "yps" NIS server please refer to the previous paragraph. The
"yps" server setup is similar, _but_ not exactly the same so beware if you
try to apply the "ypserv" instructions to "yps"! "yps" is not supported by
any author, and contains some security leaks. You really shouldn't use it !
The "yps" NIS server software can be found on:
+---------------------------------------------------------------------------+
| Site Directory File Name |
| |
| ftp.lysator.liu.se /pub/NYS/servers yps-0.21.tar.gz |
| ftp.kernel.org /pub/linux/utils/net/NIS yps-0.21.tar.gz |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
9.3. The Program rpc.ypxfrd
rpc.ypxfrd is used for speed up the transfer of very large NIS maps from a
NIS master to NIS slave servers. If a NIS slave server receives a message
that there is a new map, it will start ypxfr for transfering the new map.
ypxfr will read the contents of a map from the master server using the yp_all
() function. This process can take several minutes when there are very large
maps which have to store by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave
servers to simply copy the master server's map files rather than building
their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol,
so that there is no need for building a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slow, it should
be started with ypserv. You need to start rpc.ypxfrd only on the NIS master
server.
-----------------------------------------------------------------------------
9.4. The Program rpc.yppasswdd
Whenever users change their passwords, the NIS password database and probably
other NIS databases, which depend on the NIS password database, should be
updated. The program "rpc.yppasswdd" is a server that handles password
changes and makes sure that the NIS information will be updated accordingly.
rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate
yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any
longer.
You need to start rpc.yppasswdd only on the NIS master server. By default,
users are not allowed to change their full name or the login shell. You can
allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are not in another directory then /etc, you
need to add the -D option. For example, if you have put all source files in /
etc/yp and wish to allow the user to change his shell, you need to start
rpc.yppasswdd with the following parameters:
+---------------------------------------------------------------------------+
| rpc.yppasswdd -D /etc/yp -e chsh |
+---------------------------------------------------------------------------+
or
+---------------------------------------------------------------------------+
| rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh |
+---------------------------------------------------------------------------+
There is nothing more to do. You just need to make sure, that rpc.yppasswdd
uses the same files as /var/yp/Makefile. Errors will be logged using syslog.
-----------------------------------------------------------------------------
10. Verifying the NIS/NYS Installation
If everything is fine (as it should be), you should be able to verify your
installation with a few simple commands. Assuming, for example, your passwd
file is being supplied by NIS, the command
+---------------------------------------------------------------------------+
| % ypcat passwd |
+---------------------------------------------------------------------------+
should give you the contents of your NIS passwd file. The command
+---------------------------------------------------------------------------+
| % ypmatch userid passwd |
+---------------------------------------------------------------------------+
(where userid is the login name of an arbitrary user) should give you the
user's entry in the NIS passwd file. The "ypcat" and "ypmatch" programs
should be included with your distribution of traditional NIS or NYS.
If a user cannot log in, run the following program on the client:
+---------------------------------------------------------------------------+
|#include <stdio.h> |
|#include <pwd.h> |
|#include <sys/types.h> |
| |
|int |
|main(int argc, char *argv[]) |
|{ |
| struct passwd *pwd; |
| |
| if(argc != 2) |
| { |
| fprintf(stderr,"Usage: getwpnam username\n"); |
| exit(1); |
| } |
| |
| pwd=getpwnam(argv[1]); |
| |
| if(pwd != NULL) |
| { |
| printf("name.....: [%s]\n",pwd->pw_name); |
| printf("password.: [%s]\n",pwd->pw_passwd); |
| printf("user id..: [%d]\n", pwd->pw_uid); |
| printf("group id.: [%d]\n",pwd->pw_gid); |
| printf("gecos....: [%s]\n",pwd->pw_gecos); |
| printf("directory: [%s]\n",pwd->pw_dir); |
| printf("shell....: [%s]\n",pwd->pw_shell); |
| } |
| else |
| fprintf(stderr,"User \"%s\" not found!\n",argv[1]); |
| |
| exit(0); |
|} |
+---------------------------------------------------------------------------+
Running this program with the username as parameter will print all the
information the getpwnam function gives back for this user. This should show
you which entry is incorrect. The most common problem is, that the password
field is overwritten with a "*".
GNU C Library 2.1 (glibc 2.1) comes with a tool called getent. Use this
program instead the above on such a system. You could try:
+---------------------------------------------------------------------------+
| getent passwd |
+---------------------------------------------------------------------------+
or
+---------------------------------------------------------------------------+
| getent passwd login |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
11. Creating and Updating NIS maps
11.1. Creating new NIS maps
The initial NIS maps will be created by running
+---------------------------------------------------------------------------+
| % /usr/lib/yp/ypinit -m |
+---------------------------------------------------------------------------+
This is done when setting up the NIS master server for the first time. For
more information about this, read Section 9. If you wish to add new maps to
your server or remove old one, you need to edit the /var/yp/Makefile and
change the all: rule. Add or remove the name of the rule, which generates the
map.
If you delete a map, you also have to remove the corresponding files.
After this change, you only need to run
+---------------------------------------------------------------------------+
| % make -C /var/yp |
+---------------------------------------------------------------------------+
and the maps should be created.
-----------------------------------------------------------------------------
11.2. Updating NIS maps
If you modify the sources for the NIS maps (for example if you create a new
user by adding the account to the passwd file), you need to regenerate the
NIS maps. This is done by a simple
+---------------------------------------------------------------------------+
| % make -C /var/yp |
+---------------------------------------------------------------------------+
This command will check which sources have changed, creates the maps new and
tell ypserv that the maps have changed.
-----------------------------------------------------------------------------
11.3. Length of Map entries
The length of one entry is limited by the NIS protocol to 1024 characters.
You can't just increase this value and recompile the system. Every system
that uses NIS v2 expects key and data values to be no more than 1024 bytes in
size; if you suddenly make YPMAXRECORD larger on your client and server, you
will break interoperability with all other systems on your network that use
NIS. To make it work right, you'd have to go to every vendor that supports
NIS and get them to all make the change at the same time. Chances are you
won't be able to do this.
With glibc 2.1 and newer this limit was removed from the glibc NIS
implementation. So it is possible under Linux to use longer entries, but only
if you have no other NIS clients or servers in your network.
To allow the creation of NIS maps with a longer entry, you need to add the
--no-limit-check option to the makedbm call in /var/yp/Makefile.
The result should look like:
+-------------------------------------------------------------------------------------+
|DBLOAD = $(YPBINDIR)/makedbm -c -m `$(YPBINDIR)/yphelper --hostname` --no-limit-check|
+-------------------------------------------------------------------------------------+
WARNING: This breaks the NIS protocol and even if Linux supports it, not all
Applictions running under Linux works with this change!
There is another way of solving this problem for /etc/group entries. This
idea is from Ken Cameron:
+---------------------------------------------------------------------------+
|1. Break the entry into more than one line and name each group |
| slightly differnet. |
| |
|2. keep the GID the same for all. |
| |
|3. have the first entry with the right group name and the GID. |
| I don't put any user names in this one. |
| |
|What happens is that going by user name you pick up the GID when the code |
|reads it. Then going the other way it stops after the first match of GID |
|and takes that name. It's ugly but works! |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
12. Surviving a Reboot
Once you have NIS correctly configured on the server and client, you do need
to be sure that the configuration will survive a reboot.
There are two separate issues to check: the existence of an init script and
the correct storage of the NIS domain name.
-----------------------------------------------------------------------------
12.1. NIS Init Script
In your version of Linux, you need to check your directory of init scripts,
typically /etc/init.d, /etc/rc.d/init.d or /sbin/init.d to be sure there is a
startup script there for NIS. Usually this file is called ypbind or ypclient.
-----------------------------------------------------------------------------
12.2. NIS Domain Name
Perhaps the greatest issue that some people have with NIS is ensuring that
the NIS domain name is available after a reboot. According to Solaris 2.x,
the NIS domain name should be entered as a single line in:
+---------------------------------------------------------------------------+
| /etc/defaultdomain |
+---------------------------------------------------------------------------+
However, most Linux distributions does not seem to use this file.
-----------------------------------------------------------------------------
12.3. Distribution-specific Issues
At this time, the following information is known about how various Linux
distributions handle the storage of the NIS domainname.
-----------------------------------------------------------------------------
12.3.1. Caldera 2.x
Caldera uses the file /etc/nis.conf which has the same format as the normal /
etc/yp.conf.
-----------------------------------------------------------------------------
12.3.2. Debian
Debian appears to follow Sun's usage of /etc/defaultdomain.
-----------------------------------------------------------------------------
12.3.3. Red Hat Linux 6.x, 7.x, 8.x and 9
Create or modify the variable NISDOMAIN in the file /etc/sysconfig/network.
-----------------------------------------------------------------------------
12.3.4. SuSE Linux 6.x and 7.x
Modify the variable YP_DOMAINNAME in /etc/rc.config and then run the command
SuSEconfig.
-----------------------------------------------------------------------------
12.3.5. SuSE Linux 8.x and later
Since version 8.0 SuSE Linux also follow Sun's usage of /etc/defaultdomain.
-----------------------------------------------------------------------------
13. Changing passwords with rpasswd
The standard way to change a NIS password is to call yppasswd, on some
systems this is only an alias for passwd. This commands uses the yppasswd
protocol and needs a running rpc.yppasswdd process on the NIS master server.
The protocol has the disadvantage, that the old password will be send in
clear text over the network. This is not so problematic, if the password
change was successfull. In this case, the old password is replaced with the
new one. But if the password change fails, an attacker can use the clear
password to login as this user. Even more worse: If the system administrator
changes the NIS password for another user, the root password of the NIS
master server is transfered in clear text over the network. And this one will
not be changed.
One solution is to not use yppasswd for changing the password. Instead, a
good alternative is the rpasswd command from the pwdutils package.
+-----------------------------------------------------------------------------+
| Site Directory File Name |
| |
| ftp.kernel.org /pub/linux/utils/net/NIS pwdutils-2.3.tar.gz |
| ftp.suse.com /pub/people/kukuk/pam/pam_pwcheck pam_pwcheck-2.2.tar.bz2 |
| ftp.suse.com /pub/people/kukuk/pam/pam_unix2 pam_unix2-1.16.tar.bz2 |
+-----------------------------------------------------------------------------+
rpasswd changes passwords for user accounts on a remote server over a secure
SSL connection. A normal user may only change the password for their own
account, if the user knows the password of the administrator account (in the
moment this is the root password on the server), he may change the password
for any account if he calls rpasswd with the -a option.
-----------------------------------------------------------------------------
13.1. Server Configuration
For the server you need at first certificate, the default filename for this
is /etc/rpasswdd.pem. The file can be created with the following command:
+----------------------------------------------------------------------------------------+
|openssl req -new -x509 -nodes -days 730 -out /etc/rpasswdd.pem -keyout /etc/rpasswdd.pem|
+----------------------------------------------------------------------------------------+
A PAM configuration file for rpasswdd is needed, too. If the NIS accounts are
stored in /etc/passwd, the following is a good starting point for a working
configuration:
+---------------------------------------------------------------------------+
|#%PAM-1.0 |
|auth required pam_unix2.so |
|account required pam_unix2.so |
|password required pam_pwcheck.so |
|password required pam_unix2.so use_first_pass use_authtok |
|password required pam_make.so /var/yp |
|session required pam_unix2.so |
+---------------------------------------------------------------------------+
If sources for the NIS password maps are stored in another location (for
example in /etc/yp), the nisdir option of pam_unix2 can be used to find the
source files in another place:
+----------------------------------------------------------------------------------+
|#%PAM-1.0 |
|auth required pam_unix2.so |
|account required pam_unix2.so |
|password required pam_pwcheck.so nisdir=/etc/yp |
|password required pam_unix2.so nisdir=/etc/yp use_first_pass use_authtok |
|password required pam_make.so /var/yp |
|session required pam_unix2.so |
+----------------------------------------------------------------------------------+
Now start the rpasswdd daemon on the NIS master server.
Since the password change is done with PAM modules, rpasswdd is also able to
allow password changes for NIS+, LDAP or other services supported by a PAM
module.
-----------------------------------------------------------------------------
13.2. Client Configuration
On every client only the configuration file /etc/rpasswd.conf which contains
the name of the server is neded. If the server does not run on the default
port, the correct port can alse be mentioned here:
+---------------------------------------------------------------------------+
|# rpasswdd runs on master.example.com |
|server master.example.com |
|# Port 774 is the default port |
|port 774 |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------
14. Common Problems and Troubleshooting NIS
Here are some common problems reported by various users:
1. The libraries for 4.5.19 are broken. NIS won't work with it.
2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command
breaks. You need to get the su command from the slackware 1.2.0
distribution. Incidentally that's where you can get the updated
libraries.
3. When a NIS server goes down and comes up again ypbind starts complaining
with messages like:
+---------------------------------------------------------------+
| yp_match: clnt_call: |
| RPC: Unable to receive; errno = Connection refused |
+---------------------------------------------------------------+
and logins are refused for those who are registered in the NIS database.
Try to login as root and kill ypbind and start it up again. An update to
ypbind 3.3 or higher should also help.
4. After upgrading the libc to a version greater then 5.4.20, the YP tools
will not work any longer. You need yp-tools 1.2 or later for libc >=
5.4.21 and glibc 2.x. For earlier libc version you need yp-clients 2.2.
yp-tools 2.x should work for all libraries.
5. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or later,
or some YP programs like ypwhich will segfault.
6. libc 5 with traditional NIS doesn't support shadow passwords over NIS.
You need libc5 + NYS or glibc 2.x.
7. ypcat shadow doesn't show the shadow map. This is correct, the name of
the shadow map is shadow.byname, not shadow.
8. Solaris doesn't use always privileged ports. So don't use password
mangling if you have a Solaris client.
-----------------------------------------------------------------------------
15. Frequently Asked Questions
Most of your questions should be answered by now. If there are still
questions unanswered you might want to post a message to
+---------------------------------------------------------------------------+
| comp.os.linux.networking |
+---------------------------------------------------------------------------+
