NIS
Network Information Service (NIS) is a protocol developed by Sun to allow one to defer user authentication to a server. The server software is in the ypserv (AUR) package, and the client software is in the yp-tools (AUR) package. ypbind-mt (AUR), a multi-threaded version of the client daemon, is also available.
NIS Server
Install Packages
Install the ypbind-mt (AUR), ypserv (AUR), and yp-tools (AUR) packages.
Configuration
/etc/hosts
Add your server's external (not 127.0.0.1) IP address to the hosts file. Make sure it is the first non-commented line in the file, yes, even above the localhost line, like so:
/etc/hosts
#<ip-address> <hostname.domain.org> <hostname>
#::1 localhost.localdomain localhost
192.168.1.10 nis_server.domain.com nis_server
127.0.0.1 localhost.localdomain localhost nis_server
# End of file
This is due to a peculiarity in ypinit (maybe it is a bug, maybe it is a feature), which will always add the first line in /etc/hosts to the list of ypservers.
/etc/nisdomainname
Add the domain name:
/etc/nisdomainname
NISDOMAINNAME="nis-domain-name"
/etc/ypserv.conf
Add rules for your NIS clients to /etc/ypserv.conf in this form:
/etc/ypserv.conf
ip-address-of-client : nis-domain-name : rule : security
For example:
/etc/ypserv.conf
192.168. : home-domain : * : port
For more information see man ypserv.conf.
/var/yp/Makefile
Add or remove the files you would like NIS to serve in /var/yp/Makefile under the "all" rule.
Default:
all:  passwd group hosts rpc services netid protocols netgrp \
      shadow # publickey networks ethers bootparams printcap mail \
      # amd.home auto.master auto.home auto.local passwd.adjunct \
      # timezone locale netmasks
After that you have to build your NIS database:
# cd /var/yp
# make
Or you can do it in a more automated fashion:
# /usr/lib/yp/ypinit -m
If you use this way you may skip manually adding lines to /var/yp/ypservers.
/var/yp/securenets
Add rules to /var/yp/securenets to restrict access:
/var/yp/securenets
255.255.0.0 192.168.0.0 # Gives access to anyone in 192.168.0.0/16
Be sure to comment out this line, as it gives access to anyone:
/var/yp/securenets
# 0.0.0.0 0.0.0.0
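The ypserv.conf rules and /var/yp/securenets are the only access control the server applies, so they are worth checking mechanically rather than by eye. The POSIX shell script below is an added example, not part of this page or of ypserv: it writes constructed sample copies of both files to a temporary directory and audits them for the two mistakes the sections above warn about, an active 0.0.0.0 0.0.0.0 line in securenets and ypserv.conf rules whose security field is none instead of port. The function names, the sample rules and the output format are assumptions made for the example; pass the real /var/yp/securenets and /etc/ypserv.conf to audit a live server.

```shell
#!/bin/sh
# Added example (not from the wiki page or ypserv): audit the NIS server's
# two access-control files. Sample files are constructed here so it runs
# offline; pass /var/yp/securenets and /etc/ypserv.conf to audit a live host.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed securenets: one real netblock, the "everyone" line correctly
# commented out, and a second, active copy of it that the audit should catch.
cat > "$WORK/securenets" <<'EOF'
255.255.0.0 192.168.0.0   # Gives access to anyone in 192.168.0.0/16
# 0.0.0.0 0.0.0.0
0.0.0.0 0.0.0.0
EOF

# Constructed clean securenets for comparison.
cat > "$WORK/securenets.ok" <<'EOF'
255.255.0.0 192.168.0.0
EOF

# Constructed ypserv.conf, fields: host : domain : map : security
cat > "$WORK/ypserv.conf" <<'EOF'
192.168. : home-domain : *             : port
*        : *           : passwd.byname : none
*        : *           : shadow.byname : port
EOF

# securenets_networks FILE -> active "network/prefixlen" pairs, one per line.
# The netmask column is turned into a prefix length by counting its set bits.
securenets_networks() {
    awk '
        function prefixlen(mask,    parts, n, i, v, bits) {
            n = split(mask, parts, ".")
            for (i = 1; i <= n; i++) {
                v = parts[i] + 0
                while (v > 0) { bits += v % 2; v = int(v / 2) }
            }
            return bits + 0
        }
        { sub(/#.*/, "") }                 # strip comments
        NF == 2 { print $2 "/" prefixlen($1) }
    ' "$1"
}

# securenets_open_lines FILE -> prints every active line whose netmask is
# 0.0.0.0 (it matches any client). Exit status 0 when none are found.
securenets_open_lines() {
    awk '
        { sub(/#.*/, "") }
        NF == 2 && $1 == "0.0.0.0" { print FILENAME ":" NR ": " $0; found = 1 }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# ypserv_weak_entries FILE -> prints ypserv.conf rules whose security field is
# "none", i.e. maps handed out without the privileged-port check.
# Exit status 0 when none are found.
ypserv_weak_entries() {
    awk -F: '
        { sub(/#.*/, "") }
        NF >= 4 {
            map = $3; gsub(/[ \t]/, "", map)
            sec = $4; gsub(/[ \t]/, "", sec)
            if (sec == "none") { print FILENAME ":" NR ": " map " (security=none)"; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# nis_server_audit SECURENETS YPSERV_CONF -> 0 only if both files are clean.
nis_server_audit() {
    rc=0
    securenets_open_lines "$1" || rc=1
    ypserv_weak_entries "$2" || rc=1
    return "$rc"
}

echo "Networks granted access:"
securenets_networks "$WORK/securenets"
if nis_server_audit "$WORK/securenets" "$WORK/ypserv.conf"; then
    echo "no findings"
else
    echo "findings above need attention"
fi
```

Run against the constructed files it lists 192.168.0.0/16 and 0.0.0.0/0, flags the active 0.0.0.0 line and the passwd.byname rule served with security=none, and exits non-zero; the prefix-length helper only counts set bits, so a non-contiguous netmask is reported without complaint.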
/var/yp/ypservers
Add your server to /var/yp/ypservers:
/var/yp/ypservers
your.nis.server
Set your domain name:
# ypdomainname EXAMPLE.COM
Now edit the /etc/yp.conf file and add your ypserver or NIS server.
/etc/yp.conf
ypserver nis_server
Start NIS Daemons
Start/enable the following systemd units:
- rpcbind.service
- ypbind.service
- ypserv.service
- yppasswdd.service (to allow clients to change their password with passwd)
NIS Client
Install Packages
The first step is to install the tools that you need; they provide the configuration files and general tools needed to use NIS. Install yp-tools (AUR) and ypbind-mt (AUR).
Configuration
Set your domain name:
# ypdomainname EXAMPLE.COM
You can apply this permanently by editing /etc/nisdomainname and adding:
NISDOMAINNAME="EXAMPLE.COM"
Now edit the /etc/yp.conf file and add your ypserver or NIS server:
/etc/yp.conf
ypserver nis_server
/etc/hosts
It may be a good idea to add your NIS server to /etc/hosts:
192.168.1.10 nis_server.domain.com nis_server
Start NIS Daemons
Start/enable the rpcbind.service and ypbind.service systemd units.
Early testing
To test the setup so far you can run the command yptest:
# yptest
If it works you will, among other things, see the contents of the NIS user database (which is printed in the same format as /etc/passwd).
/etc/nsswitch.conf
To actually use NIS to log in you have to edit /etc/nsswitch.conf. Modify the lines for passwd, group and shadow to read:
passwd: files nis
group: files nis
shadow: files nis
And then do not forget to restart ypbind.service.
/etc/pam.d/passwd
To allow a user on a client machine to change their password on the server, be sure that yppasswdd.service is started/enabled on the server.
Edit /etc/pam.d/passwd on the client to add the nis parameter to password/pam_unix.so:
password required pam_unix.so sha512 shadow nullok nis
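The nsswitch.conf and pam.d/passwd edits above are easy to get subtly wrong (nis listed before files, an action token such as [NOTFOUND=return] mistaken for a source, the nis option missing from pam_unix.so), and yptest does not exercise either file. The following POSIX shell script is an added example, not part of this page or of yp-tools: it parses constructed sample copies of both files from a temporary directory and reports whether passwd, group and shadow list files before nis and whether the pam_unix.so password line carries nis. The function names, the sample contents and the "files before nis" rule it enforces are assumptions made for the example; pass the real /etc/nsswitch.conf and /etc/pam.d/passwd to check a client.

```shell
#!/bin/sh
# Added example (not from the wiki page): check a client's nsswitch.conf and
# /etc/pam.d/passwd for the settings described above. Both inputs are
# constructed samples in a temp dir; pass the real files to check a client.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed nsswitch.conf: passwd correct, group in the wrong order, shadow
# with an action token that must be skipped, hosts without nis at all.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files nis
group:  nis files              # NIS consulted before the local file
shadow: files nis [NOTFOUND=return] ldap
hosts:  files dns
EOF

# Constructed /etc/pam.d/passwd with the nis option added as the page shows.
cat > "$WORK/pam_passwd" <<'EOF'
#%PAM-1.0
password required pam_unix.so sha512 shadow nullok nis
EOF

# nss_sources FILE DB -> the lookup sources for DB in order, with action
# tokens such as [NOTFOUND=return] removed (they are not sources).
nss_sources() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") {
            s = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^\[/) s = (s == "") ? $i : (s " " $i)
            print s; exit
        }
    ' "$1"
}

# nss_check FILE DB -> 0 if DB lists "files" before "nis" (the order the page
# gives); 1 if nis is absent, comes first, or DB is not configured at all.
# Putting nis first makes every local lookup wait on the NIS server.
nss_check() {
    awk -v db="$2" '
        { sub(/#.*/, "") }
        !found && $1 == (db ":") {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !f) f = i
                if ($i == "nis" && !n) n = i
            }
        }
        END { exit (found && f && n && f < n) ? 0 : 1 }
    ' "$1"
}

# pam_unix_has_nis FILE -> 0 if a "password ... pam_unix.so" line carries the
# nis option (simple control words only; bracketed controls are not parsed).
pam_unix_has_nis() {
    awk '
        { sub(/#.*/, "") }
        $1 == "password" && $3 == "pam_unix.so" { for (i = 4; i <= NF; i++) if ($i == "nis") ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# nis_client_check NSSWITCH PAMFILE -> reports each database and the PAM line,
# exit 0 only when all of them are set up as the page describes.
nis_client_check() {
    rc=0
    for db in passwd group shadow; do
        if nss_check "$1" "$db"; then
            echo "ok   $db: $(nss_sources "$1" "$db")"
        else
            echo "FAIL $db: $(nss_sources "$1" "$db")"; rc=1
        fi
    done
    if pam_unix_has_nis "$2"; then
        echo "ok   pam_unix.so has nis"
    else
        echo "FAIL pam_unix.so lacks nis"; rc=1
    fi
    return "$rc"
}

nis_client_check "$WORK/nsswitch.conf" "$WORK/pam_passwd" || echo "client is not fully configured"
```

On the constructed input passwd and shadow pass, group fails because nis precedes files, and the PAM line passes, so the overall check exits non-zero.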
See section 7 of The Linux NIS HOWTO for further information on configuring NIS clients.
Connections after Systemd V235
Due to sandboxing on systemd-logind, any IP connections from and to the systemd-logind service are now denied. This will cause failures to log in, even though yptest works as expected, and can also cause accounts-daemon to crash outright. The basic problem is that the default systemd-logind.service file that ships with systemd specifies IPAddressDeny=any, and this prevents it from communicating with the NIS server at login. Moreover, since v239, that file also specifies RestrictAddressFamilies=AF_UNIX AF_NETLINK, dropping AF_INET AF_INET6 from the list.
The solution is to whitelist the address or address range of your NIS server.
Another systemd sandboxing element related to namespace management ("ProtectHostname") may prevent proper operation. The following snippet turns that off too.
Use a drop-in unit file for systemd-logind.service with these lines (the following allows connections from 10.0.*.*, edit as appropriate):
/etc/systemd/system/systemd-logind.service.d/open_network_interface.conf
[Service]
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
IPAddressAllow=10.0.0.0/16
ProtectHostname=no
systemd-userdbd.service
After updating NIS clients to systemd 245-1, systemd-userdbd.service can be affected by a similar issue as systemd-logind.service, which can cause 25 second login delays.
Use a drop-in unit file for systemd-userdbd.service containing your NIS server IP address to correct the issue.
/etc/systemd/system/systemd-userdbd.service.d/override.conf
[Service]
IPAddressAllow=n.n.n.n/32
(Alternately, the same drop-in file used for systemd-logind.service could be used.)
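Both drop-ins above, the one for systemd-logind.service and the one for systemd-userdbd.service, come down to one fact: the address the unit is allowed to reach must cover the NIS server, and a typo in the prefix leaves the sandbox closed with no obvious error. The following POSIX shell script is an added example, not part of this page or of systemd: it writes both drop-ins from a single server address into a temporary directory standing in for /, validates the address first, and then checks that the IPAddressAllow= value it wrote really contains the server by doing the CIDR arithmetic in awk. The drop-in file name nis.conf, the function names and the sample server address are assumptions made for the example; on a real client you would write under / and run systemctl daemon-reload.

```shell
#!/bin/sh
# Added example (not from the wiki page or systemd): generate the drop-ins for
# systemd-logind.service and systemd-userdbd.service from one NIS server
# address, then verify that IPAddressAllow= really covers that server.
# ROOT is a temporary directory standing in for "/", so nothing under the real
# /etc is touched; use "/" and run "systemctl daemon-reload" for real.

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
NIS_SERVER=192.168.1.10   # constructed; the page's example server address

# valid_cidr ADDR -> 0 if ADDR is a dotted-quad IPv4 address with optional /prefix
valid_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            if (split($1, o, ".") != 4) exit 1
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# ip_in_cidr ADDR CIDR -> 0 if ADDR lies inside CIDR. Both are converted to
# 32-bit integers; two addresses share a /N block when they agree after
# integer division by 2^(32-N), which avoids bitwise operators awk lacks.
ip_in_cidr() {
    awk -v ip="$1" -v cidr="$2" '
        function toint(a,    o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        BEGIN {
            n = split(cidr, c, "/"); plen = (n == 2) ? c[2] + 0 : 32
            block = 2 ^ (32 - plen)
            exit (int(toint(ip) / block) == int(toint(c[1]) / block)) ? 0 : 1
        }'
}

# write_nis_dropin ROOT UNIT CIDR -> writes ROOT/etc/systemd/system/UNIT.d/nis.conf
# with the same three settings the page uses for systemd-logind.service.
write_nis_dropin() {
    root=$1; unit=$2; cidr=$3
    valid_cidr "$cidr" || { echo "write_nis_dropin: bad address '$cidr'" >&2; return 1; }
    dir="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/nis.conf" <<EOF
# Generated drop-in: let $unit reach the NIS server at $cidr.
[Service]
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
IPAddressAllow=$cidr
ProtectHostname=no
EOF
    echo "$dir/nis.conf"
}

# unit_allows ROOT UNIT ADDR -> 0 if some IPAddressAllow= line in UNIT's
# drop-ins covers ADDR ("any" is also honoured). On a live system
# "systemctl show UNIT -p IPAddressAllow" shows the merged value instead.
unit_allows() {
    root=$1; unit=$2; addr=$3
    for f in "$root/etc/systemd/system/$unit.d"/*.conf; do
        [ -f "$f" ] || continue
        for cidr in $(sed -n 's/^IPAddressAllow=//p' "$f"); do
            [ "$cidr" = any ] && return 0
            ip_in_cidr "$addr" "$cidr" && return 0
        done
    done
    return 1
}

for unit in systemd-logind.service systemd-userdbd.service; do
    write_nis_dropin "$ROOT" "$unit" "$NIS_SERVER/32"
    if unit_allows "$ROOT" "$unit" "$NIS_SERVER"; then
        echo "$unit: $NIS_SERVER allowed"
    fi
done
```

A /32 covers exactly one server, so a site with several ypservers needs one IPAddressAllow= value per server or a range that covers them all, which is what the 10.0.0.0/16 example above does; the same check then tells you whether the range you picked actually contains each server.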
More resources
- The Linux NIS HOWTO, very helpful and generally applicable to Arch Linux.
- YoLinux NIS tutorial
- Quick HOWTO, Configuring NIS