Lecture 02/18/2004
Network Information Services (NIS)
I. Sharing user and host information over the network
II. NIS architecture
III. NIS server
IV. NIS clients
------------------------------------------------
I. Sharing user and host information over the network
Server contains system configuration files
Clients copy or query the configuration data from the server
rdist, rsync, cfengine
NIS
NIS+
LDAP (Lightweight Directory Access Protocol)
Commonly shared system files
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/networks
/etc/services
/etc/protocols
/etc/ethers
/etc/mail/aliases
/etc/rpc
/etc/netgroup
/etc/printcap
/etc/termcap
------------------------------------------------------------
II. NIS architecture
- NIS was originally developed by Sun Microsystems in the 1980s
Original name: Yellow Pages
- Server maintains the authoritative centralized copies of system files and
their maps in hashed format, ndbm or gdbm.
- Clients do not store NIS data locally, but they send out a query every
time they need information.
- Binding: connection Client - Server.
Client Server
ypbind --- RPC bind request ---> portmapper
ypbind <-- port number --- portmapper
ypbind --- RPC bind request ---> ypserv
ypbind <-- response ----------- ypserv
Example: the DSV lab machines.
- Server NIS daemons:
portmap
ypbind
ypserv
yppasswdd
The portmapper records the port, program number and version numbers
of each RPC service. If portmap goes down, all RPC services
must be restarted after portmap is restarted.
- Client NIS daemons:
- Advantages:
Centralized management of clients
Easy to configure and maintain
- Disadvantages:
Server manages only one NIS domain
Server (or network) is down - clients are down
Security problems
--------------------------------------------------------------
III. NIS server
- Server maintains the authoritative centralized copies of system files and
their maps in hashed format, ndbm or gdbm.
- Install RPM packages with
portmap
yp-tools
ypserv
ypbind
- Choose a unique name for the NIS domain, for example, unisys
- Modify NISDOMAIN entry in /etc/sysconfig/network on clients and servers:
NISDOMAIN=unisys
- Modify /etc/yp.conf including info about
the NIS domain and server:
domain domain-name server server-name
For example,
domain unisys server unisys01
- To initialize a Server, run
/usr/lib/yp/ypinit -m
- Modify the "all" entry in /var/yp/Makefile so that it lists only the maps we need to share,
for example passwd and group, and comment out the others:
all: passwd group
#hosts rpc services netid protocols mail \
# netgrp shadow publickey networks ethers bootparams printcap \
# amd.home auto.master auto.home auto.local passwd.adjunct \
# timezone locale netmasks
- Start the NIS services:
/etc/rc.d/init.d/portmap start
/etc/rc.d/init.d/ypserv start
/etc/rc.d/init.d/yppasswdd start
/etc/rc.d/init.d/ypbind start
- To make sure all the NIS services are running, run /usr/sbin/rpcinfo -p | grep yp
and see if it gives you the following services:
100007 2 udp 1021 ypbind
100007 1 udp 1021 ypbind
100007 2 tcp 600 ypbind
100007 1 tcp 600 ypbind
100004 2 udp 909 ypserv
100004 1 udp 909 ypserv
100004 2 tcp 912 ypserv
100004 1 tcp 912 ypserv
100009 1 udp 937 yppasswdd
- Every time the files are modified on the server (passwd, shadow, group in our case),
run update for the NIS maps:
cd /var/yp
make
To start the NIS services at boot time, run ntsysv
and select portmap, ypserv, ypbind and yppasswdd. Alternatively,
chkconfig --level 3 portmap on
chkconfig --level 3 ypserv on
chkconfig --level 3 ypbind on
chkconfig --level 3 yppasswdd on
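The verification step above (rpcinfo -p | grep yp) is easy to misread when one daemon is missing. The following shell function is an added example, not part of the lecture notes: it reads rpcinfo -p output and reports which of the three required RPC programs (ypbind 100007, ypserv 100004, yppasswdd 100009) are not registered. The sample listing is constructed to match the output shown above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: check that the RPC programs
# an NIS server must register (ypbind 100007, ypserv 100004,
# yppasswdd 100009) all appear in "rpcinfo -p" output.

# Constructed sample listing in the layout rpcinfo -p prints, including the
# portmapper's own registration.
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp   1021  ypbind
    100007    1   udp   1021  ypbind
    100007    2   tcp    600  ypbind
    100007    1   tcp    600  ypbind
    100004    2   udp    909  ypserv
    100004    1   udp    909  ypserv
    100004    2   tcp    912  ypserv
    100004    1   tcp    912  ypserv
    100009    1   udp    937  yppasswdd'

# check_yp_services: reads rpcinfo -p output on stdin, names any required
# program that is absent, and returns 0 only when all three are registered.
check_yp_services() {
    listing=$(cat)
    missing=""
    for entry in 100007:ypbind 100004:ypserv 100009:yppasswdd; do
        prog=${entry%%:*}
        name=${entry#*:}
        if ! printf '%s\n' "$listing" |
                awk -v p="$prog" '$1 == p { found = 1 } END { exit (found ? 0 : 1) }'; then
            missing="$missing $name"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing RPC programs:$missing" >&2
        return 1
    fi
    echo "ypbind, ypserv and yppasswdd are registered with the portmapper"
    return 0
}

# Live use on the server, or against a server from a client (not run here):
#   /usr/sbin/rpcinfo -p | check_yp_services
#   /usr/sbin/rpcinfo -p server_name | check_yp_services

# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_RPCINFO" | check_yp_services
```

Because the portmapper answers rpcinfo -p for any host that can reach it, the same function run from a client doubles as a check that the server's /etc/hosts.allow rules still admit that client.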
- Server security
In /var/yp/securenets include only trusted clients, for example
255.0.0.0 127.0.0.0
255.255.255.0 192.168.5.0
255.255.255.255 128.6.238.69
You can also secure NIS server by limiting access to its portmap in
/etc/hosts.deny and /etc/hosts.allow files similar to what you did
for NFS in the previous class.
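Each securenets line is a netmask followed by a network, and ypserv answers a client only when the client address ANDed with the netmask equals the network. The following shell script is an added example, not part of the lecture notes: it evaluates the three rules listed above against candidate client addresses so that a rule set can be checked before it is deployed. The rule text is a constructed copy of the entries above; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: predict whether ypserv
# would answer a client address under the /var/yp/securenets rules above.
# ypserv accepts a request when, for some line "netmask network",
# (client AND netmask) equals (network AND netmask).

# Constructed copy of the securenets entries from the notes.
SECURENETS='# netmask          network
255.0.0.0          127.0.0.0
255.255.255.0      192.168.5.0
255.255.255.255    128.6.238.69'

# ip_to_int: dotted quad -> 32-bit integer (no validation of the octets).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows RULES ADDR: returns 0 if ADDR matches any rule in the
# RULES text (comment and blank lines are skipped), 1 otherwise.
securenets_allows() {
    rules=$1
    addr=$(ip_to_int "$2")
    while read -r mask net; do
        case $mask in ''|\#*) continue ;; esac
        m=$(ip_to_int "$mask")
        n=$(ip_to_int "$net")
        if [ $(( addr & m )) -eq $(( n & m )) ]; then
            return 0
        fi
    done <<EOF
$rules
EOF
    return 1
}

# report ADDR: human-readable verdict for one client address.
report() {
    if securenets_allows "$SECURENETS" "$1"; then
        echo "$1: accepted by securenets"
    else
        echo "$1: refused (no matching netmask/network line)"
    fi
}

# Constructed sample clients: one inside the lab subnet, one a single
# address off the /32 entry.
report 192.168.5.17
report 128.6.238.70
```

The check is purely address based: securenets only decides which source addresses ypserv replies to, so it is the complement of the hosts.allow/hosts.deny rules on portmap, not a replacement for them.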
-----------------------------------------------------------------
IV. NIS clients
- Clients send out a query every time they need information.
- Install RPM packages with
- To verify that the server allows you to access its RPC (including "yp")
services, run
/usr/sbin/rpcinfo -p server_name
- Modify NISDOMAIN entry in /etc/sysconfig/network:
NISDOMAIN=unisys
- Modify /etc/yp.conf including info about
the NIS domain and server:
domain domain-name server server-name
For example,
domain unisys server unisys01
The server host name must be included in /etc/hosts
- If /etc/passwd, /etc/shadow or /etc/group contain entries that
are supposed to be queried from the NIS server, remove them.
- Modify /etc/nsswitch.conf for the following entries:
passwd: files nis
shadow: files nis
group: files nis
hosts: files dns
- Start the NIS client:
/etc/rc.d/init.d/ypbind start
- To start the NIS client at boot time, run ntsysv
and select ypbind. Alternatively,
chkconfig --level 3 ypbind on
- To change a password on the client, run yppasswd
Client Server
yppasswd --- password change request ---> yppasswdd
- To restrict user login access on some client machines, the NIS
client can be set up in "compatible mode".
Modify /etc/nsswitch.conf specifying
passwd: files compat
group: files compat
In /etc/passwd, add a '+' cookie at the last
line: +::::::
In /etc/group, add the entry +:::
To allow login to specific users only, modify the cookie in /etc/passwd:
+alexei::::::
+jbkim::::::
To disallow access to a few users:
-alexei::::::
-jbkim::::::
+::::::
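The '+' and '-' entries are evaluated in file order, so their position decides who gets in. The shell function below is an added example, not part of the lecture notes: it is a simplified first-match model of that evaluation (a local entry matches by name, "-user" denies, "+user" admits that NIS user, a bare "+" admits any remaining NIS user), applied to two constructed /etc/passwd fragments built from the allow-list and deny-list forms shown above. The function name and the exact semantics of the model are mine, not taken from the NSS implementation.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: a simplified first-match
# model of how "+"/"-" entries in /etc/passwd decide, in compat mode,
# whether a user name resolves (local entry, NIS entry, or denied).

# Constructed /etc/passwd fragment in the "disallow a few users" form.
PASSWD_DENY_LIST='root:x:0:0:root:/root:/bin/bash
-alexei::::::
-jbkim::::::
+::::::'

# Constructed fragment in the "allow specific users only" form
# (no bare "+", so every other NIS user is refused).
PASSWD_ALLOW_LIST='root:x:0:0:root:/root:/bin/bash
+alexei::::::
+jbkim::::::'

# compat_decision PASSWD_TEXT USER: prints "local", "nis" or "denied";
# returns 0 for local/nis and 1 for denied. Entries are read in file
# order and the first one that applies to USER decides.
compat_decision() {
    passwd_text=$1
    user=$2
    while IFS= read -r line; do
        name=${line%%:*}            # field 1, possibly with a +/- prefix
        case $name in
            "")        continue ;;                 # blank line
            "+")       echo nis;    return 0 ;;    # bare "+": any NIS user
            "+$user")  echo nis;    return 0 ;;    # explicit NIS include
            "-$user")  echo denied; return 1 ;;    # explicit exclude
            +*|-*)     continue ;;                 # rule for another user
            "$user")   echo local;  return 0 ;;    # ordinary local entry
        esac
    done <<EOF
$passwd_text
EOF
    echo denied                     # no entry applied: not resolvable
    return 1
}

# Stand-alone demonstration, mirroring the "id testu" check from the
# assignment with the constructed fragments:
echo "deny-list, alexei: $(compat_decision "$PASSWD_DENY_LIST" alexei)"
echo "deny-list, testu:  $(compat_decision "$PASSWD_DENY_LIST" testu)"
echo "allow-list, testu: $(compat_decision "$PASSWD_ALLOW_LIST" testu)"
```

Note what the model makes visible: in the deny-list form, swapping the bare "+" line above the "-alexei" line would admit alexei, because the bare "+" applies first. Keep exclusions before the catch-all entry.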
-------------------------------------------------------------------
Assignment due by 02/25/2004
1. Set up your desktop as a NIS server and the cluster node as a NIS
client.
If the required packages are not installed, then mount the distribution
directory from 192.168.5.250 and run rpm. For example, for the server
you would need:
mount 192.168.5.250:/usr/src/cd90 /mnt/nfs
cd /mnt/nfs/RedHat/RPMS/
rpm -ivh ypbind-1.11-4.i386.rpm yp-tools-2.7-5.i386.rpm
rpm -ivh ypserv-2.6-2.i386.rpm
cd; umount /mnt/nfs
Run system upgrade with APT:
apt-get update
apt-get dist-upgrade
Give a unique name to your NIS domain, for example, the name of your
desktop machine, so that it does not interfere with the other NIS servers
in the class. ssh as root to the client and delete your user account
with /usr/sbin/userdel.
---------------------------------------------------------------
NIS server and client troubleshooting tips:
If ypbind doesn't start on the server machine,
make sure the portmap and ypserv are running; check the entries in /etc/sysconfig/network and /etc/yp.conf files; then
cd /var/yp; make; then stop and start ypbind again.
If ypbind doesn't start on the client machine, check if
the NIS server is running and giving you access to both portmap and ypserv:
/usr/sbin/rpcinfo -p server_name
check the entries in /etc/sysconfig/network and /etc/yp.conf files; reboot the client machine;
then stop and start ypbind again.
--------------------------------------------------------------
Try to login as yourself to the client. To have your home
directory available on the client you need to export it from
the server and mount it on the client machine. Try to change your
password on the client machine with yppasswd command.
2. On the client machine, run
domainname
ypwhich
ypcat passwd
Do you see the encrypted user passwords?
3. Secure the server by modifying /var/yp/securenets and removing all
the entries except that for 127.0.0.0.
Run ypcat passwd on the client again.
Do you see the encrypted passwords this time?
4. Configure the NIS client to run in "compatible mode", as was discussed
in the lecture. Try to login as yourself.
Create a dummy user on the NIS server, for example, testu.
On the NIS client, disallow user testu from logging in
by modifying /etc/passwd as follows:
-testu::::::
+::::::
Try to run commands
id testu
su testu
On the NIS client, modify UseLogin setting for sshd daemon in file
/etc/ssh/sshd_config as follows:
UseLogin yes
Restart SSH daemon:
/etc/init.d/sshd restart
Try to SSH to the client machine as user testu
from the NIS server.
5. Create a list with telephone numbers and share it over NIS.
In new file /etc/telephones put some entries, for example:
Jen 5-3906
Mike 5-1234
Dave 5-2345
Modify the Makefile in directory /var/yp to include the new map as follows:
after the NETMASKS line, add
TELEPHONES = $(YPSRCDIR)/telephones
add telephones to the list of NIS maps
all: passwd group telephones
at the end of the file, add a new rule
telephones: $(TELEPHONES) $(YPDIR)/Makefile
	@echo "Updating $@..."
	@$(AWK) '{ print $$1"\t"$$0 }' $(TELEPHONES) | $(DBLOAD) \
	-r -i $(TELEPHONES) -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@
NOTE: each line of the rule after 'telephones:' must start with a <Tab> character, not spaces.
Recreate NIS maps:
cd /var/yp; make
Check if you can get the phone numbers on the client through NIS:
ypcat telephones
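The awk expression in the rule is what turns a plain text file into NIS map records: the first whitespace-delimited field becomes the lookup key and the whole line becomes the value. The following shell script is an added example, not part of the lecture notes: it reproduces that step outside make on a constructed copy of the sample /etc/telephones, and looks a key up the way ypmatch would on the client. The function names are mine.

```shell
#!/bin/sh
# Added example, not part of the lecture notes: reproduce what the awk step
# in the telephones Makefile rule hands to dbload, and look a key up the way
# "ypmatch KEY telephones" would on a client.

# Constructed copy of the /etc/telephones sample from the assignment.
TELEPHONES='Jen 5-3906
Mike 5-1234
Dave 5-2345'

# make_map_records: stdin is the source file, stdout is one "key<TAB>value"
# record per line. The key is the first whitespace-delimited field and the
# value is the whole line, exactly as the Makefile's awk expression does
# (written there with $$ because make itself expands a single $).
make_map_records() {
    awk '{ print $1 "\t" $0 }'
}

# map_lookup KEY: emulate ypmatch on the generated records; prints the
# value and returns 0, or returns 1 when the key is absent.
map_lookup() {
    printf '%s\n' "$TELEPHONES" | make_map_records |
        awk -v k="$1" 'BEGIN { FS = "\t" }
                       $1 == k { print $2; found = 1 }
                       END { exit (found ? 0 : 1) }'
}

# Stand-alone demonstration, equivalent to "ypcat telephones" followed by
# "ypmatch Mike telephones":
printf '%s\n' "$TELEPHONES" | make_map_records
map_lookup Mike
```

Since the first field is the key, two entries that share a first name collide in the map; keep the first field unique per entry (for example a login name rather than a first name) if the map is meant to be looked up rather than only listed with ypcat.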