Unix System Administration
Excerpt: Network Information Service (aka NIS or yp)
Christopher J. Cox
The Endless Now
January 2002
Network Information Service
- Provides a means of centralizing the creation and management of users, groups, email aliases, network hostnames, network MAC address mappings, RPC service lookups and TCP/UDP port service lookups.
- Originally called Yellow Pages, it was created by Sun Microsystems in 1985 as their solution for distributed network management.
- Information files that are used in NIS are called maps and often are stored in /var/yp.
NIS Domain Overview
NIS Maps
- An NIS map is a dbm database file compiled from a text input (e.g. /etc/passwd). One field in the data is considered to be the key field.
- Because they are implemented as dbm files, lookups using the key are very fast.
Becoming an NIS Client
- Set the domain with domainname.
- Declare the yp servers (NIS Masters or Slaves) to use for the domain in /etc/yp.conf.
- Edit /etc/nsswitch.conf so that NIS is used.
- Add + lines to /etc/passwd and /etc/group if applicable (they are needed with compat, not with files nis).
- Start the ypbind daemon (depends upon the portmap or rpc daemon).
The /etc/passwd File
- The popular account fields are stored in /etc/passwd, a colon-delimited file:
- username
- password (nowadays just an x; otherwise it may be the encrypted password string, as on older UNIX variants or HPUX in untrusted mode)
- uid
- gid
- comment
- HOME directory
- initial program (shell)
"+/-" Lines
- A mechanism to allow NIS systems to augment the local file entries from /etc/passwd and /etc/group when using compat in nsswitch.conf.
/etc/passwd
+::::::
- Wildcard for everyone in NIS (required in most NIS installations); it is often the last entry.
+ten::::::/bin/ksh
- Overrides the NIS shell setting for the user ten. You can override any field except the uid and gid. The name can be a user name or a @<netgroup>.
-ftp
- Prevents the user ftp from logging in (i.e. disables anonymous ftp).
/etc/passwd and NIS
root:x:0:1:Super-User:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
uucp:x:5:5:uucp Admin:/etc/uucp:/bin/bash
...many entries omitted...
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
-bgates
-@dangerous-hosts-users
+ccox::::::/usr/bin/ksh
+@ten-users
- If a user appears in more than one netgroup definition, a - line removing that user must come before any + line that would add them.
Exploring Maps
- Verify domain binding with ypwhich.
ypwhich -m
- Shows the maps available on the domain.
ypcat [-k] <mapname>
- Shows the text form of a map.
- The -k option shows the key in addition to the data.
ypcat passwd
ypcat -k netgroup
ypcat -x
- Shows the aliases available for maps.
Netgroup Map
admin-users (-,ccox,)
ten-dev-users (-,user01,ten.nis), (-,user02,ten.nis)
dangerous-hosts-users (haX0rwkstn,haX0r,)
ten-users admin-users ten-dev-users
- <netgroup-name> followed by (<hostname>,<username>,<domainname>) triples.
- If a field is "-", it cannot be used (it never matches). If a field is empty, it is a wildcard matching anything. The names (keys) of the netgroups are arbitrary.
- admin-users - Valid on any domain; cannot be used to augment the hosts map.
- ten-dev-users - Valid only for the ten.nis domain.
- dangerous-hosts-users - Could be used with either the hosts or the passwd map.
- ten-users - Combination of other netgroup entries.
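How the compat-mode "+/-" lines and the netgroup triples above combine, as an added Python example (not from the slides): it resolves the sample /etc/passwd against NIS maps, where NIS_PASSWD is constructed and the netgroup map is the one on the slide.

```python
# Added example (not from the slides): resolve a compat-mode /etc/passwd with
# "+/-" lines against NIS passwd and netgroup maps.  NIS_PASSWD is constructed.
import re

NIS_PASSWD = {l.split(":")[0]: l for l in (  # constructed NIS passwd map
    "ccox:x:500:10:Chris Cox:/home/ccox:/bin/bash",
    "user01:x:501:10:User One:/home/user01:/bin/sh",
    "haX0r:x:666:10:Unknown:/home/haX0r:/bin/sh",
    "bgates:x:700:10:Bill:/home/bgates:/bin/sh")}
NIS_NETGROUP = {  # the netgroup map shown on the slide
    "admin-users": "(-,ccox,)",
    "ten-dev-users": "(-,user01,ten.nis), (-,user02,ten.nis)",
    "dangerous-hosts-users": "(haX0rwkstn,haX0r,)",
    "ten-users": "admin-users ten-dev-users"}
LOCAL_PASSWD = [  # the compat /etc/passwd from the slide, shortened
    "root:x:0:1:Super-User:/root:/bin/bash", "-bgates", "-@dangerous-hosts-users",
    "+ccox::::::/usr/bin/ksh", "+@ten-users"]
TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^)]*)\)")

def netgroup_users(name, domain, seen=None):
    """Users of a netgroup in one domain ('-' never matches, '' matches anything; bare words nest)."""
    seen = set() if seen is None else seen
    if name in seen or name not in NIS_NETGROUP:   # unknown, or already visited (loop)
        return set()
    seen.add(name)
    body = NIS_NETGROUP[name]
    users = {u for _, u, d in TRIPLE.findall(body) if u != "-" and d in ("", domain)}
    for nested in TRIPLE.sub("", body).replace(",", " ").split():
        users |= netgroup_users(nested, domain, seen)
    return users

def resolve_compat(local_lines, domain="ten.nis"):
    """Effective passwd entries; a '-' only shields against '+' lines that follow it."""
    result, excluded = {}, set()
    for line in local_lines:
        if line.startswith("-"):
            names = netgroup_users(line[2:], domain) if line[1:2] == "@" else {line[1:]}
            excluded |= names - set(result)
        elif line.startswith("+"):
            f = line[1:].split(":")
            names = (set(NIS_PASSWD) if f[0] == "" else
                     netgroup_users(f[0][1:], domain) if f[0][0] == "@" else {f[0]})
            for n in names - excluded - set(result):
                if n in NIS_PASSWD:
                    nis = NIS_PASSWD[n].split(":")  # local fields override all but uid/gid
                    result[n] = (":".join(v if v and i not in (2, 3) else nis[i]
                                          for i, v in enumerate(f)) if len(f) == 7 else NIS_PASSWD[n])
        else:
            result[line.split(":")[0]] = line
    return result
```

Putting the "+::::::" wildcard before a "-" line shows why the ordering rule on the previous slide matters: the excluded user is already in by the time the "-" is seen.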
The Automounter
- Along with common authentication and resource specification, NIS can push maps to be used by an automounter to handle things like common HOME directories across systems (available through NFS, for example).
- After configuration, any reference (e.g. ls, cd, etc.) to the defined directories will cause the automatic mounting (e.g. through NFS) of the directory referenced.
- Change automount in nsswitch.conf to use nis.
Automount Master Map
- The master map, usually found at /etc/auto.master or /etc/auto_master, is a configuration file that is used to start automount processes to monitor mount points.
- The master map contains:
- A directory mount point to watch.
- An information map of locations that can be mounted under the mount point.
- Directory mount options.
- The auto.master map may come from NIS.
Simple auto.master
# cat /etc/auto.master
/misc /etc/auto.misc
- The indirect directory to watch is /misc. The details about what resources to mount under /misc are contained in /etc/auto.misc.
- Start the automount processes through the init startup script (e.g. /etc/init.d/autofs start). This will read /etc/auto.master (possibly from NIS) and start individual automount daemons to monitor the indirect directories it contains.
# /etc/init.d/autofs start
# ps -ef | grep automount
root 2050 1 0 21:22 pts/1 00:00:00 /usr/sbin/automount /misc file /etc/auto.misc
automount
- The automount process is started with a directory to watch and a map of resources to manage under the mount point (by default, mounts expire after 5 minutes of inactivity).
- Indirect maps contain:
- Names of directories under the master mount point being watched.
- Mounting options.
- Resource to mount.
- Direct maps (not available in Linux!) contain:
- Fully qualified mount points.
- Mounting options.
- Resource to mount.
Simple Indirect auto.misc
- The first example is somewhat Linux specific. Automatically mount the /dev/cdrom device when /misc/cd is entered/referenced (Linux can mount local devices this way).
- More portable is specifying an NFS resource. Mount the remote /emacs directory when /misc/emacs is entered/referenced.
# cat /etc/auto.misc
cd -fstype=iso9660,ro :/dev/cdrom
emacs -r bogus.host.com:/emacs
NIS and automount
- As mentioned, automount can facilitate a common network HOME directory through NFS for all users.
- The NIS HOME directories will correspond to an indirect map and mount point.
- The master map and associated indirect maps can be pushed through NIS (automount knows how to make use of NIS).
NIS auto.master
- The NIS Server will make an auto.master available, usually for the purpose of handling HOME directories for a domain.
$ ypcat -k auto.master
/home auto.home
- The NIS Server also advertises an auto.home map, which is used to handle the NFS mount specifics for the HOME directories.
$ ypcat -k auto.home
* cg1:/home/&
- The "*" matches any directory reference under /home (the indirect directory being watched) and the "&" substitutes the key into the target mount, so a reference to /home/ccox mounts cg1:/home/ccox.
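Resolving a path through the master map and an indirect map, including the "*" key and "&" substitution, as an added Python example (not from the slides); the map contents are the auto.master, auto.misc and auto.home shown above, embedded as strings instead of being read from files or NIS.

```python
# Added example (not from the slides): resolve an autofs path through the
# master map and an indirect map, honouring the "*" key and "&" substitution.
# The maps are the ones on the slides, embedded as strings (no files or NIS).
AUTO_MASTER = "/misc /etc/auto.misc\n/home auto.home\n"
INDIRECT_MAPS = {
    "/etc/auto.misc": "cd -fstype=iso9660,ro :/dev/cdrom\nemacs -r bogus.host.com:/emacs\n",
    "auto.home": "* cg1:/home/&\n",
}

def _entries(text):
    """Yield the whitespace-split fields of each non-comment, non-blank map line."""
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            yield parts

def parse_master(text):
    """mount point -> (indirect map name, master-level mount options)."""
    return {p[0]: (p[1], p[2:]) for p in _entries(text)}

def parse_indirect(text):
    """key -> (mount options, location); options are the tokens starting with '-'."""
    entries = {}
    for key, *rest in _entries(text):
        opts = [o for o in rest if o.startswith("-")]
        loc = [o for o in rest if not o.startswith("-")]
        entries[key] = (opts, loc[0] if loc else None)
    return entries

def resolve(path, master=AUTO_MASTER, maps=INDIRECT_MAPS):
    """Return (options, location) for a path such as /home/ccox, or None."""
    mount_points = parse_master(master)
    # the longest mount point that is a directory prefix of the path wins
    for mp in sorted(mount_points, key=len, reverse=True):
        if path.startswith(mp.rstrip("/") + "/"):
            break
    else:
        return None
    key = path[len(mp.rstrip("/")) + 1:].split("/")[0]   # first component below mp
    map_name, master_opts = mount_points[mp]
    entries = parse_indirect(maps[map_name])
    entry = entries.get(key) or entries.get("*")          # exact key, else wildcard
    if entry is None or entry[1] is None:
        return None
    opts, location = entry
    return master_opts + opts, location.replace("&", key)
```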
Setting Up an NIS Client
# domainname ten.nis
# vi /etc/yp.conf
ypserver 192.168.1.98
# vi /etc/nsswitch.conf
passwd: compat
group: compat
Others to look at: automount, hosts, ethers, networks, aliases. Use compat if you want to simulate typical Unix behavior, which mandates the inclusion of "+/-" lines in /etc/passwd and /etc/group. Use files nis to avoid having to use "+/-" lines, but you lose the ability to restrict NIS authentication.
# ps -ef | grep portmap
Verify portmap is running.
# ypbind
# ypwhich
192.168.1.98
# ypcat passwd
ccox:ZBaMuOdCZStAE:500:10:Chris Cox:/home/ccox:/bin/ksh
# /etc/init.d/autofs start
Popular NIS Maps
You can see the maps being advertised/pushed from the Master with ypwhich -m.
$ ypwhich -m
netid.byname ccccd.theendlessnow.com
passwd.byuid ccccd.theendlessnow.com
services.byname ccccd.theendlessnow.com
services.byservicename ccccd.theendlessnow.com
auto.home ccccd.theendlessnow.com
netgroup ccccd.theendlessnow.com
passwd.byname ccccd.theendlessnow.com
group.byname ccccd.theendlessnow.com
netgroup.byuser ccccd.theendlessnow.com
netgroup.byhost ccccd.theendlessnow.com
group.bygid ccccd.theendlessnow.com
ypservers ccccd.theendlessnow.com
rpc.byname ccccd.theendlessnow.com
auto.master ccccd.theendlessnow.com
Note: There is no single passwd map; rather there are two passwd maps, one keyed byname and one keyed byuid. The name passwd is an alias for passwd.byname.
Becoming an NIS Master
- Set the domain with domainname.
- Execute /usr/lib/yp/ypinit -m to initialize the databases (it converts the existing text file databases to dbm format). Specify NIS Slave servers at that time if you want them.
- Start the ypserv daemon (depends upon the portmap or rpc daemon).
- Join the domain as an NIS client host using ypbind. Use nsswitch.conf if you want the master itself to ignore NIS for its local lookups.
yppasswd/yppasswdd
- In order for clients to be able to change their NIS passwords, a special daemon called yppasswdd (two d's on the end) is normally run on the NIS Server. It listens for requests from clients to change a password.
- To change a user password, use the command yppasswd. On many NIS client implementations, the call is made transparently when passwd is invoked.
ypxfrd
- If you have NIS Slave servers, you probably should run ypxfrd on the NIS Master to facilitate/accelerate delivery of pushes to the NIS Slave hosts.
Setting Up an NIS Master
# domainname ten.nis
# /usr/lib/yp/ypinit -m
# ypserv
...optionally, you can join this domain as a client.
# rpc.yppasswdd -D /etc
# /usr/lib/yp/ypxfrd
...need this if you support NIS Slaves.
- The -D option to yppasswdd specifies the directory containing the original source passwd for the passwd.* maps.
- Why would you not want an NIS Master to use itself for name resolution?
Updating Maps
- As mentioned earlier, the maps are compiled versions of the original text files, usually stored in dbm format in /var/yp.
- Also located in /var/yp there is probably a Makefile.
- As changes are made to any of the textual maps, running "make" in the /var/yp directory should update the compiled maps and push them to any NIS Slave servers.
Updating Maps (cont)
# useradd -m testuser
# passwd testuser
...assign an initial password...
# ypcat passwd | grep testuser
...should return nothing, user is only defined locally...
# cd /var/yp
# make
updated passwd
pushed passwd
# ypcat passwd | grep testuser
testuser:axPwTTAWjfk/Y:4448:4444:/home/testuser:/bin/ksh
Linux NIS
- Linux NIS Server setup has some benefits in that you can usually configure the map builds for passwd to not build for ids beneath a certain uid value. This makes it easier to use the /etc/passwd and /etc/group files under Linux as the source for the dbm maps.
- Often there is also a utility to define the specific maps to make available; otherwise you will have to edit /var/yp/Makefile yourself.
Making it Stick
- Need to set domainname and start ypbind (NIS Client), ypserv (NIS Master or Slave), yppasswdd (NIS Master), ypxfrd (NIS Master) and autofs (automount).
- In SuSE 8.1, you can configure the domainname in /etc/defaultdomain (similar to commercial Unix systems). Other distributions configure NIS/YP parameters via /etc/sysconfig/*.
General NIS Problems
- Can use ypcat to view maps, including the encrypted password strings, in clear text (anyone able to bind to the domain can do this).
- Protocol (rpc) is insecure (easily manipulated by intruders).
- No (usually) /etc/shadow map support, so no password aging (Note: Linux supports shadow maps).
- Considered to be "old" and "in need of fixing".
- Clients can hang on boot if the NIS Server is not available.
NIS Confusion
- Originally, NIS was designed to handle host resolution, however with DNS, pushing an NIS host map is redundant and can create consistency problems.
- Solution: Do not push a host map, force use of DNS instead.
- May have to run ypserv with the -b option.
- Also, it was common to name the NIS domain the same as the Internet domain name. Again, this causes confusion and is generally not recommended today.
NIS+... the Solution?
- Sun’s upgrade to NIS, NIS+!
- Secure rpc support.
- Password aging.
- Better replication support for servers.
- Very granular security features.
- AND...
- Expensive to license (slowed its adoption).
- "Buggy" (especially early on).
- Poorly supported outside of Sun (poor reputation inside of SUN!).
- THEREFORE...Not used much (unless an all Sun network).
NIS Security (kind of)
- Most contemporary NIS implementations support the idea of a /var/yp/securenets file, which supplies information about which hosts can use the maps for a given NIS domain (this is considered to be rudimentary security).
# /var/yp/securenets
#
# allow connections from local host -- necessary
host 127.0.0.1
# same as 255.255.255.255 127.0.0.1
255.255.255.0 192.168.1.0
# Allow anyone in the 192.168.1.0 net.
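An added Python example (not from the slides) that parses the securenets file above and checks which client addresses it admits; the host-bit check and the breadth check are this example's own lint, not ypserv behaviour.

```python
# Added example (not from the slides): parse /var/yp/securenets and check which
# client addresses it admits.  Host-bit and breadth checks are this example's
# own lint, not ypserv behaviour.  SECURENETS is the file shown on the slide.
import ipaddress

SECURENETS = """\
# /var/yp/securenets
#
# allow connections from local host -- necessary
host 127.0.0.1
# same as 255.255.255.255 127.0.0.1
255.255.255.0 192.168.1.0
# Allow anyone in the 192.168.1.0 net.
"""

def parse_securenets(text):
    """Return (networks, problems).  Each data line is '<netmask> <network>';
    'host <address>' is shorthand for a 255.255.255.255 mask."""
    nets, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        try:
            mask, addr = line.split()
            if mask == "host":
                mask = "255.255.255.255"
            # strict=True rejects a network with host bits set, e.g. 192.168.1.5/24
            nets.append(ipaddress.IPv4Network((addr, mask), strict=True))
        except ValueError as e:
            problems.append(f"line {lineno}: {line!r}: {e}")
    return nets, problems

def client_allowed(nets, client):
    """True if any securenets entry covers the client's IPv4 address."""
    ip = ipaddress.IPv4Address(client)
    return any(ip in net for net in nets)

def overly_broad(nets, min_prefix=16):
    """Entries wider than /min_prefix, such as a 0.0.0.0 0.0.0.0 'allow all' line."""
    return [net for net in nets if net.prefixlen < min_prefix]
```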
Portability Concerns
- Restrict automount usage to just indirect maps (direct maps are not supported by Linux).
- Nested indirect maps, or shared mounts (ones used by automount and by some other means, for example /etc/fstab), should be avoided (these are not supported by HPUX or Linux).
- Just NFS mounts.
Conclusions
- NIS is an easy way to manage users across systems, including the ability to share a network HOME directory for each user.
- NIS commands differ somewhat across Unix and Linux.
- The automounter is a flexible tool, but only the lowest common denominator of features is truly portable.
Questions?