NIS, which stands for Network Information Services, was developed by Sun Microsystems to centralize administration of UNIX® (originally SunOS™) systems. It has now essentially become an industry standard; all major UNIX® like systems (Solaris™, HP-UX, AIX®, Linux, NetBSD, OpenBSD, FreeBSD, etc) support NIS.
NIS was formerly known as Yellow Pages, but because of trademark issues, Sun changed the name. The old term (and yp) is still often seen and used.
It is a RPC-based client/server system that allows a group of machines within an NIS domain to share a common set of configuration files. This permits a system administrator to set up NIS client systems with only minimal configuration data and add, remove or modify configuration data from a single location.
It is similar to the Windows NT® domain system; although the internal implementation of the two are not at all similar, the basic functionality can be compared.
There are several terms and important user processes that will be explained while attempting to implement NIS on FreeBSD, regardless if the system is a NIS server or a NIS client:
Term | Description |
---|---|
NIS domainname | An NIS master server and all of its clients (including its slave servers) have a NIS domainname. Similar to an Windows NT® domain name, the NIS domainname does not have anything to do with DNS. |
rpcbind | Must be running in order to enable RPC (Remote Procedure Call, a network protocol used by NIS). If rpcbind is not running, it will be impossible to run an NIS server, or to act as an NIS client. |
ypbind | “Binds” an NIS client to its NIS server. It will take the NIS domainname from the system, and using RPC, connect to the server. ypbind is the core of client-server communication in an NIS environment; if ypbind dies on a client machine, it will not be able to access the NIS server. |
ypserv | Should only be running on NIS servers; this is the NIS server process itself. If ypserv(8) dies, then the server will no longer be able to respond to NIS requests (hopefully, there is a slave server to take over for it). There are some implementations of NIS (but not the FreeBSD one), that do not try to reconnect to another server if the server it used before dies. Often, the only thing that helps in this case is to restart the server process (or even the whole server) or the ypbind process on the client. |
rpc.yppasswdd | Another process that should only be running on NIS master servers; this is a daemon that will allow NIS clients to change their NIS passwords. If this daemon is not running, users will have to login to the NIS master server and change their passwords there. |
There are three types of hosts in an NIS environment: master servers, slave servers, and clients. Servers act as a central repository for host configuration information. Master servers hold the authoritative copy of this information, while slave servers mirror this information for redundancy. Clients rely on the servers to provide this information to them.
Information in many files can be shared in this manner.
The master.passwd
,
group
, and hosts
files are commonly shared via NIS. Whenever a process on a
client needs information that would normally be found in these
files locally, it makes a query to the NIS server that it is
bound to instead.
A NIS master server.
This server, analogous to a Windows NT® primary domain
controller, maintains the files used by all of the NIS
clients. The passwd
,
group
, and other various files used
by the NIS clients live on the master server.
It is possible for one machine to be an NIS master server for more than one NIS domain. However, this will not be covered in this introduction, which assumes a relatively small-scale NIS environment.
NIS slave servers. Similar to the Windows NT® backup domain controllers, NIS slave servers maintain copies of the NIS master's data files. NIS slave servers provide the redundancy, which is needed in important environments. They also help to balance the load of the master server: NIS Clients always attach to the NIS server whose response they get first, and this includes slave-server-replies.
NIS clients. NIS clients, like most Windows NT® workstations, authenticate against the NIS server (or the Windows NT® domain controller in the Windows NT® workstations case) to log on.
This section will deal with setting up a sample NIS environment.
Let us assume that an administrator of a small
university lab, which consists of 15 FreeBSD machines,
currently has no centralized point of administration. Each
machine has its own /etc/passwd
and
/etc/master.passwd
. These files are
kept in sync with each other only through manual
intervention; currently, a user is added to the lab, the
process must be ran on all 15 machines. The lab would
clearly benefit from the addition of two
NIS servers.
Therefore, the configuration of the lab now looks something like:
Machine name | IP address | Machine role |
---|---|---|
ellington | 10.0.0.2 | NIS master |
coltrane | 10.0.0.3 | NIS slave |
basie | 10.0.0.4 | Faculty workstation |
bird | 10.0.0.5 | Client machine |
cli[1-11] |
10.0.0.[6-17] | Other client machines |
If this is the first time a NIS scheme is being developed, it should be thoroughly planned ahead of time. Regardless of network size, several decisions need to be made as part of the planning process.
This might not be the normal “domainname” for the network. It is more accurately called the “NIS domainname”. When a client broadcasts its requests for info, it includes the name of the NIS domain that it is part of. This is how multiple servers on one network can tell which server should answer which request. Think of the NIS domainname as the name for a group of hosts that are related in some way.
Some organizations choose to use their Internet
domainname for their NIS domainname. This is not
recommended as it can cause confusion when trying to debug
network problems. The NIS domainname should be unique
within the network and it is helpful if it describes the
group of machines it represents. For example, the Art
department at Acme Inc. might be in the
“acme-art” NIS domain. For this example,
assume the chosen name will be
test-domain
.
However, some operating systems (notably SunOS™) use their NIS domain name as their Internet domain name. If one or more machines on the network have this restriction, it must be used as the Internet domain name for the NIS domain name.
There are several things to keep in mind when choosing a machine to use as a NIS server. One of the unfortunate things about NIS is the level of dependency the clients have on the server. If a client cannot contact the server for its NIS domain, very often the machine becomes unusable. The lack of user and group information causes most systems to temporarily freeze up. With this in mind be sure to choose a machine that will not be prone to being rebooted frequently, or one that might be used for development. The NIS server should ideally be a stand alone machine whose sole purpose in life is to be an NIS server. If the network is not very heavily used, it is acceptable to put the NIS server on a machine running other services, however; if the NIS server becomes unavailable, it will adversely affect all NIS clients.
The canonical copies of all NIS information are stored
on a single machine called the NIS master server. The
databases used to store the information are called NIS maps.
In FreeBSD, these maps are stored in
/var/yp/[domainname]
where
[domainname]
is the name of the NIS
domain being served. A single NIS server can support
several domains at once, therefore it is possible to have
several such directories, one for each supported domain.
Each domain will have its own independent set of
maps.
NIS master and slave servers handle all NIS requests
with the ypserv
daemon.
ypserv
is responsible for receiving
incoming requests from NIS clients, translating the
requested domain and map name to a path to the corresponding
database file and transmitting data from the database back
to the client.
Setting up a master NIS server can be relatively
straight forward, depending on environmental needs. FreeBSD
comes with support for NIS out-of-the-box. It only needs
to be enabled by adding the following lines to
/etc/rc.conf
:
This line will set the NIS domainname to
test-domain
upon network setup (e.g., after reboot).
This will tell FreeBSD to start up the NIS server processes when the networking is next brought up.
This will enable the
rpc.yppasswdd
daemon which, as
mentioned above, will allow users to change their NIS
password from a client machine.
Depending on the NIS setup, additional entries may be required. See the section about NIS servers that are also NIS clients, below, for details.
After setting up the above entries, run the command
/etc/netstart
as superuser. It will
set up everything, using the values defined in
/etc/rc.conf
. As a last step, before
initializing the NIS maps, start the
ypserv daemon manually:
#
service ypserv start
The NIS maps are database files,
that are kept in the /var/yp
directory. They are generated from configuration files in
the /etc
directory of the NIS master,
with one exception:
/etc/master.passwd
. This is for a
good reason, never propagate passwords for
root
and other administrative
accounts to all the servers in the NIS domain. Therefore,
before the NIS maps are initialized, configure the primary
password files:
#
cp /etc/master.passwd /var/yp/master.passwd
#
cd /var/yp
#
vi master.passwd
It is advisable to remove all entries regarding system
accounts (bin
,
tty
, kmem
,
games
, etc), as well as any accounts
that do not need to be propagated to the NIS clients
(for example root
and any other UID 0
(superuser) accounts).
Ensure the
/var/yp/master.passwd
is neither
group or world readable (mode 600)! Use the
chmod
command, as
appropriate.
When this task has been completed, it is time to
initialize the NIS maps. FreeBSD includes a script named
ypinit
to do this (see its
manual page for more information). Note that this script
is available on most UNIX® Operating Systems, but not on
all. On Digital UNIX/Compaq Tru64 UNIX it is called
ypsetup
. Because we are generating
maps for an NIS master, we are going to pass the
-m
option to ypinit
.
To generate the NIS maps run:
#
ypinit -m test-domain
Server Type: MASTER Domain: test-domain
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If not, something might not work.
At this point, we have to construct a list of this domains YP servers.
rod.darktech.org is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a <control D>.
master server : ellington
next host to add: coltrane
next host to add: ^D
The current list of NIS servers looks like this:
ellington
coltrane
Is this correct? [y/n: y] y
[..output from map generation..]
NIS Map update completed.
ellington has been setup as an YP master server without any errors.At this point, ypinit
should have
created /var/yp/Makefile
from
/var/yp/Makefile.dist
. When created,
this file assumes that the operating environment is a
single server NIS system with only FreeBSD machines. Since
test-domain
has a slave server as well,
edit /var/yp/Makefile
as well:
#
vi /var/yp/Makefile
You should comment out the line that says
(if it is not commented out already).
Setting up an NIS slave server is even more simple
than setting up the master. Log on to the slave server
and edit the file /etc/rc.conf
as you
did before. The only difference is that we now must use
the -s
option when running
ypinit
. The -s
option
requires the name of the NIS master be passed to it as
well, so our command line looks like:
#
ypinit -s ellington test-domain
Server Type: SLAVE Domain: test-domain Master: ellington
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] n
Ok, please remember to go back and redo manually whatever fails.
If not, something might not work.
There will be no further questions. The remainder of the procedure
should take a few minutes, to copy the databases from ellington.
Transferring netgroup...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byuser...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byhost...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring group.bygid...
ypxfr: Exiting: Map successfully transferred
Transferring group.byname...
ypxfr: Exiting: Map successfully transferred
Transferring services.byname...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.byname...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.byname...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring netid.byname...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring ypservers...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byname...
ypxfr: Exiting: Map successfully transferred
coltrane has been setup as an YP slave server without any errors.
Remember to update map ypservers on ellington.There should be a directory called
/var/yp/test-domain
. Copies of the
NIS master server's maps should be in this directory.
These files must always be up to date. The following
/etc/crontab
entries on the slave
servers should do the job:
These two lines force the slave to sync its maps with the maps on the master server. These entries are not mandatory because the master server automatically attempts to push any map changes to its slaves; however, due to the importance of correct password information on other clients depending on the slave server, it is recommended to specifically force the password map updates frequently. This is especially important on busy networks where map updates might not always complete.
Now, run the command /etc/netstart
on the slave server as well, which again starts the NIS
server.
An NIS client establishes what is called a binding to a
particular NIS server using the ypbind
daemon. The ypbind
command checks the
system's default domain (as set by the
domainname
command), and begins
broadcasting RPC requests on the local network. These
requests specify the name of the domain for which
ypbind
is attempting to establish a
binding. If a server that has been configured to serve the
requested domain receives one of the broadcasts, it will
respond to ypbind
, which will record the
server's address. If there are several servers available (a
master and several slaves, for example),
ypbind
will use the address of the first
one to respond. From that point on, the client system will
direct all of its NIS requests to that server.
ypbind
will occasionally
“ping” the server to make sure it is still up
and running. If it fails to receive a reply to one of its
pings within a reasonable amount of time,
ypbind
will mark the domain as unbound
and begin broadcasting again in the hopes of locating
another server.
Setting up a FreeBSD machine to be a NIS client is fairly straightforward.
Edit /etc/rc.conf
and add the
following lines in order to set the NIS domainname and
start ypbind
during network
startup:
To import all possible password entries from the
NIS server, remove all user accounts from the
/etc/master.passwd
file and use
vipw
to add the following line to
the end of the file:
This line will afford anyone with a valid
account in the NIS server's password maps an
account. There are many ways to configure the NIS
client by changing this line. See the
netgroups
section below for more information. For
more detailed reading see O'Reilly's book on
Managing NFS and NIS
.
Keep in mind that at least one local account
(i.e. not imported via NIS) must exist in
/etc/master.passwd
and this
account should also be a member of the group
wheel
. If there is something
wrong with NIS, this account can be used to log in
remotely, become root
, and fix
things.
To import all possible group entries from the NIS
server, add this line to
/etc/group
:
To start the NIS client immediately, execute the following commands as the superuser:
#
/etc/netstart
#
service ypbind start
After completing these steps, the command,
ypcat passwd
, should show the
server's passwd map.
In general, any remote user may issue an RPC to
ypserv(8) and retrieve the contents of the NIS maps,
provided the remote user knows the domainname. To prevent
such unauthorized transactions, ypserv(8) supports a
feature called “securenets” which can be used to
restrict access to a given set of hosts. At startup,
ypserv(8) will attempt to load the securenets information
from a file called
/var/yp/securenets
.
This path varies depending on the path specified with
the -p
option. This file contains entries
that consist of a network specification and a network mask
separated by white space. Lines starting with
“#” are considered to be comments. A sample
securenets file might look like this:
If ypserv(8) receives a request from an address that
matches one of these rules, it will process the request
normally. If the address fails to match a rule, the request
will be ignored and a warning message will be logged. If the
/var/yp/securenets
file does not exist,
ypserv
will allow connections from any
host.
The ypserv
program also has support for
Wietse Venema's TCP Wrapper
package. This allows the administrator to use the
TCP Wrapper configuration files for
access control instead of
/var/yp/securenets
.
While both of these access control mechanisms provide some security, they, like the privileged port test, are vulnerable to “IP spoofing” attacks. All NIS-related traffic should be blocked at the firewall.
Servers using /var/yp/securenets
may fail to serve legitimate NIS clients with archaic TCP/IP
implementations. Some of these implementations set all host
bits to zero when doing broadcasts and/or fail to observe
the subnet mask when calculating the broadcast address.
While some of these problems can be fixed by changing the
client configuration, other problems may force
the retirement of the client systems in question or the
abandonment of
/var/yp/securenets
.
Using /var/yp/securenets
on a
server with such an archaic implementation of TCP/IP is a
really bad idea and will lead to loss of NIS functionality
for large parts of the network.
The use of TCP Wrapper increases the latency of the NIS server. The additional delay may be long enough to cause timeouts in client programs, especially in busy networks or with slow NIS servers. If one or more of the client systems suffers from these symptoms, convert the client systems in question into NIS slave servers and force them to bind to themselves.
In our lab, there is a machine basie
that
is supposed to be a faculty only workstation. We do not want
to take this machine out of the NIS domain, yet the
passwd
file on the master NIS server
contains accounts for both faculty and students. What can we
do?
There is a way to bar specific users from logging on to a
machine, even if they are present in the NIS database. To do
this, add
-
with
the correct number of colons like other entries to the end of
the username
/etc/master.passwd
file on the client
machine, where username
is the
username of the user to bar from logging in. The line with
the blocked user must be before the +
line
for allowing NIS users. This should preferably be done using
vipw
, since vipw
will
sanity check the changes to
/etc/master.passwd
, as well as
automatically rebuild the password database after editing.
For example, to bar user bill
from
logging on to basie
:
#
vipw
[add -bill::::::::: to the end, exit]
vipw: rebuilding the database...
vipw: done
basie#
cat /etc/master.passwd
root:[password]:0:0::0:0:The super-user:/root:/bin/csh
toor:[password]:0:0::0:0:The other super-user:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
games:*:7:13::0:0:Games pseudo-user:/usr/games:/sbin/nologin
news:*:8:8::0:0:News Subsystem:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
bind:*:53:53::0:0:Bind Sandbox:/:/sbin/nologin
uucp:*:66:66::0:0:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
xten:*:67:67::0:0:X-10 daemon:/usr/local/xten:/sbin/nologin
pop:*:68:6::0:0:Post Office Owner:/nonexistent:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
-bill:::::::::
+:::::::::
basie#
The method shown in the previous section works reasonably well for special rules in an environment with small numbers of users and/or machines. On larger networks, administrators will likely forget to bar some users from logging onto sensitive machines, or may even have to modify each machine separately, thus losing the main benefit of NIS: centralized administration.
The NIS developers' solution for this problem is called netgroups. Their purpose and semantics can be compared to the normal groups used by UNIX® file systems. The main differences are the lack of a numeric ID and the ability to define a netgroup by including both user accounts and other netgroups.
Netgroups were developed to handle large, complex networks with hundreds of users and machines. On one hand, this is a Good Thing in such a situation. On the other hand, this complexity makes it almost impossible to explain netgroups with really simple examples. The example used in the remainder of this section demonstrates this problem.
Let us assume that the successful introduction of NIS in the laboratory caught a superiors' interest. The next task is to extend the NIS domain to cover some of the other machines on campus. The two tables contain the names of the new users and new machines as well as brief descriptions of them.
User Name(s) | Description |
---|---|
alpha ,
beta | Normal employees of the IT department |
charlie ,
delta | The new apprentices of the IT department |
echo ,
foxtrott ,
golf , ... | Ordinary employees |
able ,
baker , ... | The current interns |
Machine Name(s) | Description |
---|---|
war ,
death , famine ,
pollution | The most important servers deployed. Only the IT employees are allowed to log onto these machines. |
pride , greed ,
envy , wrath ,
lust , sloth | Less important servers. All members of the IT department are allowed to login onto these machines. |
one , two ,
three , four ,
... | Ordinary workstations. Only the real employees are allowed to use these machines. |
trashcan | A very old machine without any critical data. Even the intern is allowed to use this box. |
An attempt to implement these restrictions by separately
blocking each user, would require the addition of the
-
line to
each system's user
passwd
. One line for each
user who is not allowed to login onto that system. Forgetting
just one entry could cause significant trouble. It may be
feasible to do this correctly during the initial setup;
however, eventually someone will forget to add these lines for
new users.
Handling this situation with netgroups offers several advantages. Each user need not be handled separately; they would be assigned to one or more netgroups and logins would be allowed or forbidden for all members of the netgroup. While adding a new machine, login restrictions must be defined for all netgroups. If a new user is added, they must be added to one or more netgroups. Those changes are independent of each other: no more “for each combination of user and machine do...” If the NIS setup is planned carefully, only one central configuration file needs modification to grant or deny access to machines.
The first step is the initialization of the NIS map netgroup. FreeBSD's ypinit(8) does not create this map by default, but its NIS implementation will support it after creation. To create an empty map, simply type
#
vi /var/yp/netgroup
and begin adding content. For our example, we need at least four netgroups: IT employees, IT apprentices, normal employees and interns.
IT_EMP
, IT_APP
etc.
are the names of the netgroups. Each bracketed group adds
one or more user accounts to it. The three fields inside a
group are:
The name of the host(s) where the following items are valid. If a hostname is not specified, the entry is valid on all hosts. If a hostname is specified, it will need to be micro-managed within this configuration.
The name of the account that belongs to this netgroup.
The NIS domain for the account. Accounts may be imported from other NIS domains into a netgroup.
Each of these fields may contain wildcards. See netgroup(5) for details.
Netgroup names longer than 8 characters should not be used, especially with machines running other operating systems within the NIS domain. The names are case sensitive; using capital letters for netgroup names is an easy way to distinguish between user, machine and netgroup names.
Some NIS clients (other than FreeBSD) cannot handle netgroups with a large number of entries. For example, some older versions of SunOS™ start to cause trouble if a netgroup contains more than 15 entries. This limit may be circumvented by creating several sub-netgroups with 15 users or fewer and a real netgroup consisting of the sub-netgroups:
Repeat this process if more than 225 users will exist within a single netgroup.
Activating and distributing the new NIS map is easy:
#
cd /var/yp
ellington#
make
This will generate the three NIS maps
netgroup
,
netgroup.byhost
and
netgroup.byuser
. Use ypcat(1) to
check if the new NIS maps are available:
%
ypcat -k netgroup
ellington%
ypcat -k netgroup.byhost
ellington%
ypcat -k netgroup.byuser
The output of the first command should resemble the
contents of /var/yp/netgroup
. The second
command will not produce output without specified
host-specific netgroups. The third command may be used to get
the list of netgroups for a user.
The client setup is quite simple. To configure the server
war
, use vipw(8) to replace the
line
with
Now, only the data for the users defined in the netgroup
IT_EMP
is imported into
war
's password database and only these users
are allowed to login.
Unfortunately, this limitation also applies to the
~
function of the shell and all routines
converting between user names and numerical user IDs. In
other words,
cd ~
will
not work, user
ls -l
will show the numerical ID
instead of the username and
find . -user joe -print
will fail with
No such user. To fix this, import all
user entries without allowing them to login into the
servers.
This can be achieved by adding another line to
/etc/master.passwd
. This line should
contain:
+:::::::::/sbin/nologin
, meaning
“Import all entries but replace the shell with
/sbin/nologin
in the imported
entries”. It is possible to replace any field in the
passwd
entry by placing a default value in
/etc/master.passwd
.
Make sure that the line
+:::::::::/sbin/nologin
is placed after
+@IT_EMP:::::::::
. Otherwise, all user
accounts imported from NIS will have
/sbin/nologin
as their login
shell.
After this change, the NIS map will only need modification
when a new employee joins the IT department. A similar
approach for the less important servers may be used by
replacing the old +:::::::::
in their local
version of /etc/master.passwd
with
something like this:
The corresponding lines for the normal workstations could be:
And everything would be fine until there is a policy
change a few weeks later: The IT department starts hiring
interns. The IT interns are allowed to use the normal
workstations and the less important servers; and the IT
apprentices are allowed to login onto the main servers. Add a
new netgroup IT_INTERN
, then add the new IT
interns to this netgroup and start to change the configuration
on each and every machine. As the old saying goes:
“Errors in centralized planning lead to global
mess”.
NIS' ability to create netgroups from other netgroups can
be used to prevent situations like these. One possibility is
the creation of role-based netgroups. For example, one might
create a netgroup called BIGSRV
to define
the login restrictions for the important servers, another
netgroup called SMALLSRV
for the less
important servers and a third netgroup called
USERBOX
for the normal workstations. Each
of these netgroups contains the netgroups that are allowed to
login onto these machines. The new entries for the NIS map
netgroup should look like this:
This method of defining login restrictions works reasonably well when it is possible to define groups of machines with identical restrictions. Unfortunately, this is the exception and not the rule. Most of the time, the ability to define login restrictions on a per-machine basis is required.
Machine-specific netgroup definitions are the other
possibility to deal with the policy change outlined above. In
this scenario, the /etc/master.passwd
of
each box contains two lines starting with “+”.
The first of them adds a netgroup with the accounts allowed to
login onto this machine, the second one adds all other
accounts with /sbin/nologin
as shell. It
is a good idea to use the “ALL-CAPS” version of
the machine name as the name of the netgroup. In other words,
the lines should look like this:
BOXNAME
:::::::::
+:::::::::/sbin/nologinOnce this task is completed on all the machines, there is
no longer a need to modify the local versions of
/etc/master.passwd
ever again. All
further changes can be handled by modifying the NIS map. Here
is an example of a possible netgroup map for this scenario
with some additional goodies:
If some kind of database is used to manage the user accounts, it may be possible to create the first part of the map using the database's reporting tools. This way, new users will automatically have access to the boxes.
One last word of caution: It may not always be advisable to use machine-based netgroups. When deploying a couple of dozen or even hundreds of identical machines for student labs, role-based netgroups instead of machine-based netgroups may be used to keep the size of the NIS map within reasonable limits.
There are still a couple of things administrators need to do differently now that machines are in an NIS environment.
Every time a new user is added to the lab, they must
be added to the master NIS server and the
NIS maps will need rebuilt. If this
step is omitted, the new user will not be able to login
anywhere except on the NIS master. For example, if we
needed to add a new user jsmith
to
the lab, we would:
#
pw useradd jsmith
#
cd /var/yp
#
make test-domain
The user may also be added using
adduser jsmith
instead of pw useradd jsmith
.
Keep the administration accounts out of the NIS maps. This is undesirable as it will create a security risk. These users and passwords should not be propagated to all machines. Especially if these machines will have users whom should not have access to those accounts.
Keep the NIS master and slave secure, and minimize their downtime. If somebody either hacks or simply turns off these machines, they have effectively rendered many people without the ability to login to the lab.
This is the chief weakness of any centralized administration system. If the NIS servers are not protected, there will be a lot of angry users and unhappy management!
FreeBSD's ypserv has some support for serving NIS v1 clients. FreeBSD's NIS implementation only uses the NIS v2 protocol; however, other implementations include support for the v1 protocol for backwards compatibility with older systems. The ypbind daemons supplied with these systems will attempt to establish a binding to an NIS v1 server even though they may never actually need it (and they may persist in broadcasting in search of one even after they receive a response from a v2 server). Note that while support for normal client calls is provided, this version of ypserv does not handle v1 map transfer requests. Additionally, it cannot be used as a master or slave in conjunction with older NIS servers that only support the v1 protocol. Fortunately, there probably are not any such servers still in use today.
Care must be taken when running ypserv in a multi-server domain where the server machines are also NIS clients. It is generally a good idea to force the servers to bind to themselves rather than allowing them to broadcast bind requests and possibly become bound to each other. Strange failure modes can result if one server goes down and others are dependent upon it. Eventually all the clients will time out and attempt to bind to other servers, but the delay involved can be considerable and the failure mode is still present since the servers might bind to each other all over again.
A host may be forced to bind to a particular server by
running ypbind
with the -S
flag. Add the following lines to
/etc/rc.conf
to enable this feature
during every system boot:
NIS domain
,server
"See ypbind(8) for further information.
One of the most common issues that people run into when trying to implement NIS is password format compatibility. If the NIS server is using DES encrypted passwords, it will only support clients that are also using DES. For example, if any Solaris™ NIS clients exist on the network, there is a highly likelihood DES must be used for encrypted passwords.
To check which format the servers and clients are using,
look at /etc/login.conf
. If the host is
configured to use DES encrypted passwords, then the
default
class will contain an entry like
this:
Other possible values for the
passwd_format
capability include
blf
and md5
(for
Blowfish and MD5 encrypted passwords, respectively).
If any changes were made to
/etc/login.conf
, the login capability
database must be rebuilt by running the following command as
root
:
#
cap_mkdb /etc/login.conf
The format of passwords already in
/etc/master.passwd
will not be updated
until a user changes his password for the first time
after the login capability database is
rebuilt.
Next, in order to ensure that passwords are encrypted with
the chosen format, check that the
crypt_default
in
/etc/auth.conf
gives precedence to the
chosen password format. To do this, place the chosen format
first in the list. For example, when using DES encrypted
passwords, the entry would be:
Having followed the above steps on each of the FreeBSD based NIS servers and clients, verify that they all agree on which password format is used within the network. If users have trouble authenticating on an NIS client, this is a pretty good place to start looking for possible problems. Remember: to deploy an NIS server for a heterogeneous network, they will probably have to use DES on all systems because it is the lowest common standard.
All FreeBSD documents are available for download at http://ftp.FreeBSD.org/pub/FreeBSD/doc/
Questions that are not answered by the
documentation may be
sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.