NIS

Network Information Service (NIS) is a protocol developed by Sun that allows one to defer user authentication to a server. The server software is in the ypserv (AUR) package, and the client software is in the yp-tools (AUR) package. ypbind-mt (AUR), a multi-threaded version of the client daemon, is also available.

Note: This article is somewhat unfinished. In the future that will change, but in the meantime check the More resources section.

NIS Server

Install Packages

Install the ypbind-mt (AUR), ypserv (AUR), and yp-tools (AUR) packages.

/etc/hosts

Add your server's external (not 127.0.0.1) IP address to the hosts file. Make sure it is the first non-commented line in the file, yes, even above the localhost line, like so:

#
# /etc/hosts: static lookup table for host names
#

#<ip-address>	<hostname.domain.org>	<hostname>
#::1		localhost.localdomain	localhost
192.168.1.10   nis_server.domain.com   nis_server
127.0.0.1	localhost.localdomain	localhost nis_server
# End of file

This is due to a peculiarity in ypinit (maybe it is a bug, maybe it is a feature), which will always add the first line in /etc/hosts to the list of ypservers.

/etc/nisdomainname

Add the domain name to /etc/nisdomainname:

# NISDOMAINNAME="nis-domain-name"

/etc/ypserv.conf

Add rules of this form to /etc/ypserv.conf for your NIS clients:

# ip-address-of-client : nis-domain-name : rule : security

For example:

# 192.168. : home-domain : * : port

For more information see man ypserv.conf.

/var/yp/Makefile

In /var/yp/Makefile, add or remove the files you would like NIS to use under the "all" rule.

Default:

# all:  passwd group hosts rpc services netid protocols netgrp \
#         shadow # publickey networks ethers bootparams printcap mail \
#         # amd.home auto.master auto.home auto.local passwd.adjunct \
#         # timezone locale netmasks

After that you have to build your NIS database:

# cd /var/yp
# make

Or you can do it in a more automated fashion:

# /usr/lib/yp/ypinit -m

If you use this method, you may skip manually adding lines to /var/yp/ypservers.

/var/yp/securenets

Add rules to restrict access:

# 255.255.0.0 192.168.0.0 # Gives access to anyone in 192.168.0.0/16

Be sure to comment out this line, as it gives access to anyone.

# 0.0.0.0      0.0.0.0
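
An added example (not part of the original article or of the ypserv package): a small Python audit of securenets-style rules that flags the open-to-all entry warned about above, along with rules that are malformed or unusually broad. The sample rules, the function name audit_securenets, the min_prefix threshold and the handling of a "host <addr>" shorthand are assumptions of this example.

```python
import ipaddress

# Constructed sample in the "<netmask> <network>" format used by /var/yp/securenets.
SAMPLE = """\
host 127.0.0.1
255.255.0.0   192.168.0.0   # the /16 rule from the text
0.0.0.0       0.0.0.0
# 0.0.0.0     0.0.0.0       (commented out: ignored)
255.255.255.0 10.1.2.3
255.0.255.0   10.0.0.0
allow everyone
"""

ALL_ONES = 0xFFFFFFFF


def audit_securenets(text, min_prefix=16):
    """Return a list of (line_number, cidr_or_None, verdict) for active rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        if len(fields) == 2 and fields[0] == "host":
            # Assumption: ypserv's "host <addr>" shorthand for a /32 rule.
            fields[0] = "255.255.255.255"
        try:
            mask_s, net_s = fields  # wrong field count raises ValueError too
            mask = int(ipaddress.IPv4Address(mask_s))
            net = int(ipaddress.IPv4Address(net_s))
        except ValueError:
            findings.append((lineno, None, "malformed"))
            continue
        prefix = bin(mask).count("1")
        cidr = f"{ipaddress.IPv4Address(net & mask)}/{prefix}"
        if mask != (ALL_ONES << (32 - prefix)) & ALL_ONES:
            verdict, cidr = "non-contiguous-mask", None
        elif prefix == 0:
            verdict = "open-to-all"  # the 0.0.0.0 0.0.0.0 rule
        elif net & ~mask & ALL_ONES:
            verdict = "host-bits-set"  # network address does not fit the mask
        elif prefix < min_prefix:
            verdict = "broad"
        else:
            verdict = "ok"
        findings.append((lineno, cidr, verdict))
    return findings


if __name__ == "__main__":
    for lineno, cidr, verdict in audit_securenets(SAMPLE):
        print(f"line {lineno}: {cidr or '-'} -> {verdict}")
```

To check a real server, pass the contents of /var/yp/securenets to audit_securenets and treat any verdict other than "ok" as something to review.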

/var/yp/ypservers

Add your server to /var/yp/ypservers:

# your.nis.server

Set your domain name

# ypdomainname EXAMPLE.COM

Now edit the file and add your ypserver or nis server.

ypserver nis_server

Start NIS Daemons

Start/enable the following systemd units:

  • ypserv.service
  • (to allow clients to change their password with )

NIS Client

Install Packages

The first step is to install the tools that you need. This provides the configuration files and general tools needed to use NIS. Install yp-tools (AUR) and ypbind-mt (AUR).

Set your domain name

# ypdomainname EXAMPLE.COM

You can apply this permanently by editing /etc/nisdomainname and adding:

# NISDOMAINNAME="EXAMPLE.COM"

Now edit the file and add your ypserver or nis server.

ypserver nis_server

/etc/hosts

It may be a good idea to add your NIS server to /etc/hosts:

192.168.1.10   nis_server.domain.com   nis_server

Start NIS Daemons

Start/enable the and systemd units.

Early testing

To test the setup so far you can run the command yptest:

# yptest

If it works you will, among other things, see the contents of the NIS user database (which is printed in the same format as ).

/etc/nsswitch.conf

To actually use NIS to log in you have to edit . Modify the lines for passwd, group and shadow to read:

passwd: files nis
group: files nis
shadow: files nis

And then do not forget to restart .

/etc/pam.d/passwd

To allow a user on a client machine to change their password on the server, be sure that is started/enabled on the server.

Edit /etc/pam.d/passwd on the client to add the parameter to :

password     required     pam_unix.so sha512 shadow nullok nis

See section 7 of The Linux NIS HOWTO for further information on configuring NIS clients.

Connections after Systemd V235

Due to sandboxing on , any IP connections from and to the service are now denied. This will cause failures to log in, even though works as expected, and can also cause accounts-daemon to crash outright. The basic problem is that the default file that ships with specifies , and this prevents it from communicating with the NIS server at login. Moreover, since V239, that file also specifies , dropping from the list.

The solution is to whitelist the address or address range of your NIS server.

Use a drop-in unit file for , with these lines (the following allows connections , edit as appropriate):

systemd-userdbd.service

After updating nis clients to systemd 245-1, the systemd-userdbd.service can be affected by a similar issue as the which can cause 25 second login delays.

Use a drop-in unit file for systemd-userdbd.service containing your NIS server IP address to correct the issue.

More resources

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.