From ArchWiki
Revision as of 19:02, 5 December 2017 by Jojoax (talk | contribs) (better override strategy to fix the problem)

Network Information Service (NIS) is a protocol developed by Sun to allow one to defer user authentication to a server. The server software is in the ypserv (AUR) package, and the client software is in the yp-tools (AUR) package. ypbind-mt (AUR), a multi-threaded version of the client daemon, is also available.

Note: This article is somewhat unfinished. In the future that will change, but in the meantime check the More resources section.

NIS Server

Install Packages

Install the ypbind-mt (AUR), ypserv (AUR), and yp-tools (AUR) packages.



Add your server's external (not IP address to the hosts file. Make sure it is the first non-commented line in the file, yes, even above the localhost line, like so:

# /etc/hosts: static lookup table for host names

#<ip-address>	<>	<hostname>
#::1		localhost.localdomain	localhost   nis_server	localhost.localdomain	localhost nis_server
# End of file

This is due to a peculiarity in ypinit (maybe it's a bug, maybe it's a feature), which will always add the first line in /etc/hosts to the list of ypservers.


Add the domain name to /etc/nisdomainname:

# NISDOMAINNAME="nis-domain-name"


Add rules to /etc/ypserv.conf for your NIS clients of this form:

# ip-address-of-client : nis-domain-name : rule : security

For example:

# 192.168. : home-domain : * : port

For more information see man ypserv.conf.


Add or remove files you would like NIS to use to /var/yp/Makefile under the "all" rule.


# all:  passwd group hosts rpc services netid protocols netgrp \
#         shadow # publickey networks ethers bootparams printcap mail \
#         # amd.home auto.master auto.home auto.local passwd.adjunct \
#         # timezone locale netmasks

After that you have to build your NIS database:

# cd /var/yp
# make

Or you can do it in a more automated fashion:

# /usr/lib/yp/ypinit -m

If you use this way you may skip manually adding lines to /var/yp/ypservers.


Add rules to /var/yp/securenets to restrict access:

# # Gives access to anyone in

Be sure to comment out this line, as it gives access to anyone.
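
One way to check the securenets step above before starting ypserv, as an added example that is not part of the original article. It assumes the ypserv securenets format (one "netmask network" pair or "host address" per line, with # comments); the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a securenets file read from "$1" (or stdin).
# Assumed format (ypserv): "netmask network" or "host address"; '#' = comment.
# Prints one finding per problem line; returns 1 if anything was flagged.
audit_securenets() {
    awk '
    function is_ip(s,   n, p, i) {          # dotted quad with octets 0-255
        n = split(s, p, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/[#].*/, "")                     # drop comments, re-splits fields
        if (NF == 0) next                    # blank or commented-out line
        if (NF == 2 && $1 == "host" && is_ip($2)) next   # single host entry
        if (NF != 2 || !is_ip($1) || !is_ip($2)) {
            printf "line %d: MALFORMED: %s\n", NR, $0
            bad = 1; next
        }
        if ($1 == "0.0.0.0") {               # empty mask matches every client
            printf "line %d: OPEN-TO-ALL: %s %s\n", NR, $1, $2
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, not taken from a real server.
sample_securenets() {
    cat <<'EOF'
# constructed sample
host 127.0.0.1
255.255.255.0 192.168.1.0
0.0.0.0 0.0.0.0          # gives access to everybody
255.255.255.0 192.168.2  # typo: incomplete network
EOF
}

sample_securenets | audit_securenets || echo "securenets needs fixing"
```

Run it as audit_securenets /var/yp/securenets on the server; a non-zero exit status means at least one line is malformed or admits every client.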



Add your server to /var/yp/ypservers:

# your.nis.server

Set your domain name

# ypdomainname EXAMPLE.COM

Now edit the /etc/yp.conf file and add your ypserver or NIS server.

ypserver nis_server

Start NIS Daemons

Note: The daemons MUST be started in this order.

Start/enable the following systemd units:

  • rpcbind.service
  • ypbind.service
  • ypserv.service
  • yppasswdd.service (to allow clients to change their password with passwd)

NIS Client

Install Packages

The first step is to install the tools that you need. This provides the configuration files and general tools needed to use NIS.

# pacman -S yp-tools ypbind-mt


Set your domain name

# ypdomainname EXAMPLE.COM

You can apply this permanently by editing /etc/nisdomainname and adding:


Now edit the /etc/yp.conf file and add your ypserver or NIS server.

ypserver nis_server


It may be a good idea to add your NIS server to /etc/hosts   nis_server

Start NIS Daemons

Note: The daemons MUST be started in this order.

Start/enable the rpcbind.service and ypbind.service systemd units.

Early testing

To test the setup so far you can run the command yptest:

# yptest

If it works you will, among other things, see the contents of the NIS user database (which is printed in the same format as /etc/passwd).


To actually use NIS to log in you have to edit /etc/nsswitch.conf. Modify the lines for passwd, group and shadow to read:

passwd: files nis
group: files nis
shadow: files nis

And then do not forget to restart ypbind:

# systemctl restart ypbind


To allow a user on a client machine to change their password on the server, be sure that yppasswdd.service is started/enabled on the server.

Edit /etc/pam.d/passwd on the client to add the nis parameter to password/

password     required sha512 shadow nullok nis

See section 7 of The Linux NIS HOWTO for further information on configuring NIS clients.

Attention on Systemd V235 since 10/2017

Due to a problem with sandboxing in systemd-logind, which denies any IP connections from and to the systemd-logind service, it may be necessary to edit

IMHO, the best practical solution is to override the system's default systemd-logind.service with a modified local version:

cp -a /usr/lib/systemd/system/systemd-logind.service /etc/systemd/system
nano /etc/systemd/system/systemd-logind.service

Then comment out the line IPAddressDeny=any so that it reads:

# IPAddressDeny=any

This solution survives an update of the systemd toolchain and keeps working after a reboot.

Working, but not very recommended solution:

and comment out this line  IPAddressDeny=any into
# IPAddressDeny=any

to make flawless login possible.

More resources