1 Introduction
1.1 Purpose
This document describes how to set up a Network Information System (NIS) environment with one master server and one client.
1.2 Preparation
TCP/IP should be running on all systems that will be part of the NIS environment. All clients should be listed in the /etc/hosts file of the NFS server server_nis.
I am using NFS and Automount in this document.
2 List all NIS services
# svcs "*nis*"
STATE STIME FMRI
disabled 13:09:23 svc:/network/rpc/nisplus:default
disabled 13:09:39 svc:/network/nis/update:default
disabled 13:09:39 svc:/network/nis/server:default
disabled 13:09:39 svc:/network/nis/xfr:default
disabled 13:09:40 svc:/network/nis/passwd:default
disabled 13:09:43 svc:/network/nis/client:default
3 Setting up NFS server server_nis
A NIS server does not need an NFS server to operate correctly, but NIS is mostly used to accommodate roaming users in a Unix environment. In such an environment NIS makes the user databases available on the network, and NFS is then used to make the home directories available.
3.1 Setting up NFS
# vi /etc/dfs/dfstab
+-------------------
| share -F nfs /export/home
# svcadm enable nfs/server
# shareall
3.2 Configure automount
# vi /etc/auto_home
+------------------
| * server_nis:/export/home/&
4 Create an extra user
# useradd -d /export/home/user1 -m -s /usr/bin/bash user1
# usermod -d /home/user1 user1
5 Setting up NIS server server_nis
5.1 Create the files needed with NIS
# cp /etc/nsswitch.nis /etc/nsswitch.conf
# domainname nis.world
# domainname > /etc/defaultdomain
# cd /etc
# touch ethers bootparams locale timezone netgroup netmasks
5.2 Make server_nis a Master server
# ypinit -m
-- Output skipped --
next host to add: server_nis
next host to add:
The current list of yp servers looks like this:
server_nis
Is this correct? [y/n: y] y
-- Output skipped --
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
5.3 Check the NIS daemons status
# svcs nis/server
5.4 Create the NIS maps
# cd /var/yp
# /usr/ccs/bin/make
5.5 Test the master NIS server server_nis
# ypwhich
# ypwhich -m
# ypcat hosts
# ypmatch server_nis hosts
# ypmatch user1 passwd
6 Configure NIS client client_nis
6.1 Configure automount
# vi /etc/auto_home
+------------------
| * server_nis:/export/home/&
6.2 Create the files needed with NIS
# cp /etc/nsswitch.nis /etc/nsswitch.conf
# domainname nis.world
# domainname > /etc/defaultdomain
6.3 Make client_nis a NIS client
# ypinit -c
-- Output skipped --
next host to add: server_nis
next host to add:
6.4 Start the NIS daemons
# svcadm enable nis/client
6.5 Reboot the system
# init 6
6.6 Testing the NIS client (client_nis)
# ypwhich
# ypwhich -m
# ypcat hosts
# ypmatch user1 passwd
7 Adding an extra user to NIS
7.1 Adding the user on the master server (server_nis)
# useradd -d /export/home/user2 -m -s /usr/bin/bash user2
# usermod -d /home/user2 user2
# passwd user2
7.2 Updating the NIS maps on the master server (server_nis)
# cd /var/yp
# /usr/ccs/bin/make
7.3 Using new user to log in
Go to NIS client client_nis and try to log in as user2.
8 Set up NIS slave server slave_nis
8.1 Create the files needed with NIS
# cp /etc/nsswitch.nis /etc/nsswitch.conf
# domainname nis.world
# domainname > /etc/defaultdomain
8.2 Make slave_nis a NIS client
# ypinit -c
-- Output skipped --
next host to add: server_nis
next host to add: slave_nis
next host to add:
* Make sure that the ypserv process is running on the NIS master server *
# svcadm enable nis/client
8.3 Make slave_nis a slave server
# ypinit -s server_nis
-- Output skipped --
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
# svcadm disable nis/client
# svcadm enable nis/server
9 Securing NIS
9.1 /etc/securenets
In the default installation of NIS, any host that can reach the NIS master server or a slave server can connect as a client and look at the contents of the NIS map files. To overcome this problem you can use the /etc/securenets file.
9.1.1 Create securenets
# vi /etc/securenets
+-------------------
| # Grant access to a specific host
| host 172.16.60.x
|
| # Grant access to all hosts on a subnet
| 255.255.255.0 172.16.60.0
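To see which clients a given rule set admits before deploying it, the following added example (not part of the original document) evaluates an address against securenets-style rules. The function names and the sample addresses are assumptions made for illustration, and skipping malformed lines is this example's choice, not documented ypserv behaviour.

```shell
# Added example (not from the original page): match a client address against
# securenets rules. Assumed syntax: "host ADDRESS" or "NETMASK NETWORK", '#' comments.

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE CLIENT_IP: 0 = a rule matches, 1 = none, 2 = bad client address.
securenets_allows() {
    client=$(ip_to_int "$2") || return 2
    while read -r mask net rest; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip_to_int "$mask") || continue   # malformed rule lines are skipped
        n=$(ip_to_int "$net") || continue
        if [ $(( client & m )) -eq $(( n & m )) ]; then return 0; fi
    done < "$1"
    return 1
}

# Constructed sample rules; the addresses are illustrative.
sample_securenets() {
    cat <<'EOF'
# Grant access to a specific host
host 192.168.10.5
# Grant access to all hosts on a subnet
255.255.255.0 172.16.60.0
EOF
}

rules=$(mktemp) && sample_securenets > "$rules"
for ip in 192.168.10.5 172.16.60.77 172.16.61.1; do
    if securenets_allows "$rules" "$ip"; then echo "$ip allowed"; else echo "$ip denied"; fi
done
rm -f "$rules"
```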
9.2 passwd.adjunct
Another problem with the default setup of NIS is that all users can retrieve the encrypted password of any user account in the NIS passwd map. This is because NIS joins the /etc/passwd and /etc/shadow files into one passwd map.
Any user can read the passwd map by running the ypcat passwd command.
$ ypcat passwd | grep abhi
abhi:QWasxs.poskw4:1000:1:MeMyselfI:/home/abhi:/bin/bash
The passwd.adjunct file can be used to remove the encrypted password from the ypcat command output.
9.3 Creating passwd.adjunct
# mkdir /var/yp/security
# chown root /var/yp/security
# chmod 700 /var/yp/security
# nawk -F\: '{printf("%s:%s:::::\n",$1,$2)}' \
  /etc/passwd > /etc/security/passwd.adjunct
9.3.1 Fixing the passwd file
# cp /etc/passwd /etc/passwd.original
# nawk -F\: \
  '{printf("%s:##%s:%s:%s:%s:%s:%s\n",$1,$1,$3,$4,$5,$6,$7)}' \
  /etc/passwd > /etc/passwd.new
# cat /etc/passwd.new
Check if the passwd.new file is correct.
# cp -i /etc/passwd.new /etc/passwd
cp: overwrite /etc/passwd (yes/no)? yes
9.3.2 Generate new map files
# cd /var/yp
# /usr/ccs/bin/make
9.3.3 Test Configuration
# ypmatch abhi passwd
abhi:##abhi:1000:1:MeMyselfI:/home/abhi:/bin/bash
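The single ypmatch above checks one account. The following added example (not part of the original document) audits a whole passwd map: it lists accounts whose password field still holds a hash, and accounts marked ##name that have no passwd.adjunct entry. The function names and the sample entries are constructed for illustration.

```shell
# Added example (not from the original page): audit a passwd map and its
# passwd.adjunct after the procedure in section 9.3.

# exposed_hashes: passwd-format lines on stdin -> names whose field 2 still holds a hash.
exposed_hashes() {
    awk -F: '
        NF < 7            { next }   # not a passwd entry
        $2 == ("##" $1)   { next }   # hash moved to passwd.adjunct
        $2 == "" || $2 == "x" || $2 == "NP" || $2 ~ /^\*/ { next }   # no hash present
        { print $1 }'
}

# missing_adjunct PASSWD ADJUNCT: "##name" accounts that have no adjunct entry.
missing_adjunct() {
    awk -F: '
        FILENAME == ARGV[1] { have[$1] = 1; next }
        $2 == ("##" $1) && !($1 in have) { print $1 }' "$2" "$1"
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_passwd() {
    cat <<'EOF'
abhi:##abhi:1000:1:MeMyselfI:/home/abhi:/bin/bash
user1:ExAmPlEhAsH01:1001:1::/home/user1:/usr/bin/bash
user2:##user2:1002:1::/home/user2:/usr/bin/bash
daemon:x:1:1::/:
EOF
}
sample_adjunct() {
    cat <<'EOF'
abhi:ExAmPlEhAsH02:::::
EOF
}

p=$(mktemp); a=$(mktemp)
sample_passwd > "$p"; sample_adjunct > "$a"
echo "hash still in map: $(exposed_hashes < "$p")"
echo "no adjunct entry:  $(missing_adjunct "$p" "$a")"
rm -f "$p" "$a"
```

On a client, `ypcat passwd | exposed_hashes` should print nothing once the maps have been rebuilt.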
