NetworkingStudyMaterial: NIS Server Linux/Ubuntu


NIS Server Linux/Ubuntu

NIS Server Installation & Configuration in

🔺(Ubuntu Server 14.04)🔺
                       Network Information System (NIS) NIS is a Remote Procedure Call (RPC)-based client/server system that allows a group of machines within an NIS domain to share a common set of configuration files. This permits a system administrator to set up NIS client systems with only minimal configuration data and to add, remove, or modify configuration data from a single location.

NIS Server Configuration

Add any client name and IP addresses to /etc/hosts. The server's IP should already be here. I do not mean, I mean the real IP available to the world. This ensures that NIS will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

Add the following line to hosts.allow:  $ sudo nano /etc/hosts.allow
                                      portmap ypserv ypbind : 192.168.x.x/255.255.255.x

Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames).

Install NIS:
                     $ sudo apt-get install  nis

You will be asked for the name of your NIS domain. This can be anything; you're naming it. It just has to be the same domain for the server and all clients. Also note that if you don't yet have an NIS server set up, your initial install will wait about a minute before timing out while trying to bind.

$ nano /etc/default/portmap and comment out the ARGS="-i" line
$ nano /etc/default/nis and set the NISSERVER line to NISSERVER = master
$ nano /etc/yp.conf and add a server line of the form:

domain <domainname> server <servername> Example:(domain server gaurav)
where <domainname> is the name of your domain (entered when you installed nis) and <servername> is the name of the server you're setting all this up on. (This lives in /etc/defaultdomain for the curious)

$ nano /var/yp/Makefile and read the instructions. It probably won't need a lot of modification. The only thing I changed was the MINGID line so that the group memberships would be propagated across the domain. I set it to 1.

nano /etc/ypserv.securenets and add lines to restrict access to domain members. I use lines for specific hosts, like:

host 192.168.1.x
host 192.168.1.x
Build the DB for the first time, run: 

sudo /etc/init.d/rpcbind restart

Then do:

sudo /usr/lib/yp/ypinit -m

and follow the instructions. This will probably throw some errors about not being able to talk to certain things. This is okay. (Other errors probably aren't).

Now Restart everything:

sudo /etc/init.d/rpcbind restart
sudo /etc/init.d/ypbind restart
sudo /etc/init.d/ypserv restart
sudo /etc/init.d/nis restart

If you change anything (add a user, etc.), make sure to do:

sudo make -C /var/yp

Only allow domain members to talk to the appropriate services in hosts.allow. This implied that hosts.deny is set to something like ALL:ALL in order for this to work.

Limit who the server will respond to by putting domain members in /etc/securenets

(Alternatively?) To enable NIS password verification from non-privileged processes the following line may need to be added (before others for shadow.byname) to /etc/ypserv.conf

<server ip> : * : shadow.byname : none

That will make shadow password info available to any process on the server so you may want limit logins accordingly.

Restrict the ports that the yp services run on by specifying what port each service should run on in

nano /etc/default/nis. 

# Additional options to be given to ypserv when it is started.

# Additional options to be given to ypbind when it is started.

# Additional options to be given to yppasswdd when it is started.  Note
# that if -p is set then the YPPWDDIR above should be empty.
YPPASSWDDARGS="--port 836"

# Additional options to be given to ypxfrd when it is started.

For your firewall settings only allow your network (e.g. access to the server

iptables -A INPUT -p ALL -s!  --dport 834 -j DROP
iptables -A INPUT -p ALL -s!  --dport 835 -j DROP
iptables -A INPUT -p ALL -s!  --dport 836 -j DROP
iptables -A INPUT -p ALL -s!  --dport 837 -j DROP

NIS Client Configuration

$ sudo nano /etc/hosts       localhost       nkn4-OptiPlex-780
192.168.1.x   gaurav


$ sudo nano /etc/hosts.allow

/etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
# Example:    ALL: LOCAL @some_netgroup
#             ALL: EXCEPT
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
portmap : 192.168.1.x


$ sudo nano /etc/defaultdomain


$ sudo nano /etc/yp.conf

# yp.conf       Configuration file for the ypbind process. You can define
#               NIS servers manually here if they can't be found by
#               broadcasting on the local net (which is the default).
#               See the manual page of ypbind for the syntax of this file.
# IMPORTANT:    For the "ypserver", use IP addresses, or make sure that
#               the host is in /etc/hosts. This file is only interpreted
#               once, and if DNS isn't reachable yet the ypserver cannot
#               be resolved and ypbind won't ever bind to the server.

 ypserver 192.168.1.x


$ sudo nano /etc/ypserv.securenets

# securenets    This file defines the access rights to your NIS server
#               for NIS clients (and slave servers - ypxfrd uses this
#               file too). This file contains netmask/network pairs.
#               A clients IP address needs to match with at least one
#               of those.
#               One can use the word "host" instead of a netmask of
#      Only IP addresses are allowed in this
#               file, not hostnames.
# Always allow access for localhost         192.168.1.x

# This line gives access to everybody. PLEASE ADJUST!


$ sudo nano /var/yp/Makefile 

# We do not put password entries with lower UIDs (the root and system
# entries) in the NIS password database, for security. MINUID is the
# lowest uid that will be included in the password maps. If you
# create shadow maps, the UserID for a shadow entry is taken from
# the passwd file. If no entry is found, this shadow entry is
# ignored.
# MINGID is the lowest gid that will be included in the group maps.

# If you don't want some of these maps built, feel free to comment
# them out from this list.

ALL =   passwd shadow group hosts rpc services netid protocols netgrp
#ALL += publickey mail ethers bootparams printcap
#ALL += amd.home auto.master auto.home auto.local
#ALL += timezone locale networks netmasks


$ sudo nano /etc/passwd

add this line in last.



$ sudo nano /etc/group

add this line in last.



$ sudo nano /etc/shadow

add this line in last.



$ sudo nano /etc/lightdm/lightdm.conf 



$ sudo nano /etc/pam.d/common-session

add line at end

session optional skel=/etc/skel umask=007


Post a Comment