Assumptions

These are step-by-step instructions for installing, configuring, and testing a NIS master server and slave server. These instructions assume the following:


Installation Instructions for DAS-M

Step 1: Installing and Upgrading NIS RPMs

The following packages were already installed during the Red Hat 9 OS installation process:

yp-tools-2.7-5
ypbind-1.11-4
ypserv-2.6-2
portmap-4.0-54

I visited www.redhat.com and retrieved the following (newer) packages:

ypserv-2.8-0.9E

It is very important to get the most recent packages!

Now on DAS-M, install/upgrade like this:

[root@das-m RPM]# rpm -Uvh yp*rpm

Here is the final listing of installed NIS-related packages:

yp-tools-2.7-5
ypbind-1.11-4
ypserv-2.8-0.9E
portmap-4.0-54

Step 2: Edit or create configuration files

There are a number of configuration files that need to be edited before cranking up a NIS master server. They deal with the portmapper service, security, the ypbind daemon, the ypserver itself, replication, map files, and so on. We will go through the files, one by one:

The /etc/sysconfig/network file needs to have some lines added. This file sets up some NIS parameters at system boot. NISDOMAIN is the NIS domain name. The YPSERV_ARGS and YPXFRD_ARGS variables let you pin those services to a specific port, which eases firewall configuration. Here are the lines:

NISDOMAIN=kerb.org
YPSERV_ARGS="-p 888"
YPXFRD_ARGS="-p 889"

The /etc/hosts.allow file allows you to secure the portmapper service (Sun RPC) with TCP Wrappers. In our configuration, we are preventing any host that does not reside on our lab network (10.10.22.0/24) from using the portmap service. We also allow the loopback address. Here are the lines to add to the file:

# Secure the Portmapper for DAS-M.  Should be restricted to our LAN only

portmap : 127. 10.10.22. : ALLOW
portmap : ALL : DENY

You should configure this to match your network topology. For more details, type: man hosts.allow.

Next, we want to configure the /etc/yp.conf config file. This sets up the NIS binding config file, which is used by the ypbind daemon. It is necessary for NIS map replication from master to slave, and for testing the NIS server. We only need to add a single line to the default configuration file:

# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
#domain NISDOMAIN server HOSTNAME
#       Use server HOSTNAME for the domain NISDOMAIN.
#
#domain NISDOMAIN broadcast
#       Use  broadcast  on  the local net for domain NISDOMAIN
#
#ypserver HOSTNAME
#       Use server HOSTNAME for the  local  domain.  The
#       IP-address of server must be listed in /etc/hosts.
#
ypserver das-m.kerb.org

The /etc/ypserv.conf file can also be configured, but for our purposes, it was unnecessary to change it. You can check out the ypserv.conf manpage for details. For the record, here is the default config file:

#
# ypserv.conf   In this file you can set certain options for the NIS server,
#               and you can deny or restrict access to certain maps based
#               on the originating host.
#
#               See ypserv.conf(5) for a description of the syntax.
#
 
# Some options for ypserv. This things are all not needed, if
# you have a Linux net.
 
# Should we do DNS lookups for hosts not found in the hosts table ?
# This option is ignored in the moment.
dns: no
 
# How many map file handles should be cached ?
files: 30
 
# xfr requests are only allowed from ports < 1024
xfr_check_port: yes
 
# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.
 
# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port
 
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*                          : *       : shadow.byname    : port
*                          : *       : passwd.adjunct.byname : port
 
# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# *                        : *       : *                : none

The next task is to create the /var/yp/securenets file. This file lists the source IP networks or hosts that will be allowed to connect to the ypserv daemon (NIS server). Syntax details can be found in the ypserv manpage. Here is what the config file should look like:

255.255.255.0   10.10.22.0
255.0.0.0       127.0.0.0
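As an added example (not part of the original HOWTO), here is a small Python checker that evaluates both access layers configured above, the TCP Wrappers rule for portmap in /etc/hosts.allow and the /var/yp/securenets list for ypserv, against constructed client addresses. It models only the pattern forms the two files above actually use.

```python
"""Check which client addresses DAS-M's two NIS access controls admit.

Added example, not part of the original HOWTO: it evaluates the TCP Wrappers
rule for portmap from /etc/hosts.allow and the /var/yp/securenets list for
ypserv against constructed client addresses, so you can confirm that only
the lab network (10.10.22.0/24) and loopback get through.
"""
import ipaddress

# Constructed copies of the two files exactly as the HOWTO configures them.
HOSTS_ALLOW = """\
# Secure the Portmapper for DAS-M.  Should be restricted to our LAN only

portmap : 127. 10.10.22. : ALLOW
portmap : ALL : DENY
"""

SECURENETS = """\
255.255.255.0   10.10.22.0
255.0.0.0       127.0.0.0
"""


def parse_hosts_allow(text, daemon="portmap"):
    """Return [(client_patterns, verdict), ...] for one daemon, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3 or fields[0] != daemon:
            continue
        rules.append((fields[1].split(), fields[2].upper()))
    return rules


def hosts_allow_permits(rules, client_ip):
    """First matching rule decides, as in hosts_access(5).

    Only the forms the HOWTO uses are modelled: ALL, and a dotted prefix such
    as "10.10.22." that matches addresses starting with it. With no matching
    rule TCP Wrappers would fall through to /etc/hosts.deny, which the HOWTO
    does not touch, so the default here is to allow."""
    for patterns, verdict in rules:
        for pat in patterns:
            if pat == "ALL" or (pat.endswith(".") and client_ip.startswith(pat)):
                return verdict == "ALLOW"
    return True


def parse_securenets(text):
    """Parse 'netmask network' (or 'host address') lines into ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mask, net = line.split()
        if mask == "host":
            nets.append(ipaddress.ip_network(net))
        else:
            nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets


def securenets_permits(nets, client_ip):
    """ypserv answers only if the source address lies in one listed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def nis_access(client_ip):
    """Verdict of both layers for one client address.

    The portmap rule only controls port lookups; because ypserv is pinned to
    port 888 (YPSERV_ARGS), a client that already knows the port talks to it
    directly, so securenets is the check that actually protects the maps."""
    rules = parse_hosts_allow(HOSTS_ALLOW)
    nets = parse_securenets(SECURENETS)
    return {
        "portmap": hosts_allow_permits(rules, client_ip),
        "ypserv": securenets_permits(nets, client_ip),
    }


if __name__ == "__main__":
    for ip in ("10.10.22.68", "127.0.0.1", "10.10.23.5", "10.10.220.5", "4.2.2.3"):
        print(ip, nis_access(ip))
```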

Step 3: Manually set the NIS domain name

Even though we already configured /etc/sysconfig/network to do this on boot, we still need to set the NIS domain name for the installation and testing since we are not in the habit of rebooting GNU/Linux servers every time we add another service! Here is how you do it:

[root@das-m yp]# domainname kerb.org
[root@das-m yp]# domainname
kerb.org

Step 4: Start the portmapper service

The portmapper service (an implementation of Sun RPC) is required by ypserv, ypxfrd, and ypbind. We want it to start automatically at boot time. We also need to go ahead and start it before we can start ypserv, ypxfrd, or ypbind.

[root@das-m root]# chkconfig portmap off
[root@das-m root]# chkconfig --level 345 portmap on
[root@das-m root]# chkconfig --list portmap
portmap         0:off   1:off   2:off   3:on    4:on    5:on    6:off

[root@das-m root]# /etc/init.d/portmap restart
Stopping portmapper:                                       [FAILED]
Starting portmapper:                                       [  OK  ]

We now want to make sure that the portmapper service is listening on TCP and UDP port 111, and use the rpcinfo command to see what RPC services are currently registered:

[root@das-m root]# netstat -tuna | grep :111
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*

[root@das-m root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper

Step 5: Create the initial NIS maps for our DAS Information service

In our DAS system, Kerberos provides authentication and password control, but NIS provides the information that UNIX-like systems need in order for users to run programs and have an environment to work in. The NIS master server, located on DAS-M, provides this information network-wide via NIS maps. We must create the initial map files before we can start the NIS master server (the actual name of the program is ypserv). We will create the maps with our test user "kitty", and a test group called "labuser". We will also add some sample hostnames for our hosts map.

We will populate the NIS user map (known as the "passwd" map) by creating a normal Linux user, and we will populate the NIS "group" map by adding a normal Linux group. Two important points must be mentioned now:

Unix-like operating systems use a numeric UID (user ID) and GID (group ID) for file permissions and process ownership. The user-friendly username and groupname must be looked up in accordance with the /etc/nsswitch.conf configuration file. The default is normally to look them up in the /etc/passwd file and the /etc/group file. In our Distributed Authentication System, the NIS users are looked up with a query to a NIS server. Therefore, the UIDs and GIDs used in our local files on various hosts cannot conflict with the UIDs and GIDs used by NIS. Here is the policy for our organization:

Information that Unix-like operating systems need for each user includes:

We will be making maps for users, groups, and hosts. Maps can also be made for things like services, protocols, auto-mounter maps, and more. In our environment, we do not need these additional maps. They may, however, be added later without any difficulties.

First, let's create our test user and associated group, as well as an additional secondary group:

[root@das-m yp]# groupadd -g 50000 labuser
[root@das-m yp]# useradd -u 6000 -g labuser kitty
[root@das-m yp]# chfn kitty
Changing finger information for kitty.
Name []: Kit Cat
Office []: Lab 104
Office Phone []: 1234-1234 x1457
Home Phone []: (216)485-3383
 
Finger information changed.

[root@das-m yp]# grep labuser /etc/group
labuser:x:50000:

[root@das-m yp]# grep kitty /etc/passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash

Although the passwd (user) and group maps use the standard /etc/passwd and /etc/group files as the source of the map, we are going to use a different location for the source of our "hosts" map. We do not want the DAS-M authentication server's host list to be used on other hosts. Therefore, we create a text file /var/yp/hosts. This is the source of the NIS host map for the domain. Its syntax is the same as /etc/hosts. This will be reflected in the Makefile. Here is our sample /var/yp/hosts file:

# This is the source file for the "hosts" NIS map:
 
4.2.2.3       genuity
10.10.22.68   oscar
10.10.22.1    defgate
10.10.22.90   printer

Note: Although many HOWTOs and manuals advocate using separate map source files (not using /etc/passwd and /etc/group directly), I have chosen to use the standard sources. There are several reasons for this:

Now, we need to edit the /var/yp/Makefile configuration file. Here, I only show the changes from the default Makefile. The complete Makefile we are using can be viewed here.

#
# Makefile for the NIS databases
#
# This Makefile should only be run on the NIS master server of a domain.
# All updated maps will be pushed to all NIS slave servers listed in the
# /var/yp/ypservers file. Please make sure that the hostnames of all
# NIS servers in your domain are listed in /var/yp/ypservers.
#
# This Makefile can be modified to support more NIS maps if desired.
#
 
# Set the following variable to "-b" to have NIS servers use the domain
# name resolver for hosts not in the current domain. This is only needed,
# if you have SunOS slave YP server, which gets here maps from this
# server. The NYS YP server will ignore the YP_INTERDOMAIN key.
#B=-b
B=
 
# If we have only one server, we don't have to push the maps to the
# slave servers (NOPUSH=true). If you have slave servers, change this
# to "NOPUSH=false" and put all hostnames of your slave servers in the file
# /var/yp/ypservers.
NOPUSH=true
 
# We do not put password entries with lower UIDs (the root and system
# entries) in the NIS password database, for security. MINUID is the
# lowest uid that will be included in the password maps. If you
# create shadow maps, the UserID for a shadow entry is taken from
# the passwd file. If no entry is found, this shadow entry is
# ignored.
# MINGID is the lowest gid that will be included in the group maps.
MINUID=5000
MINGID=5000
 
# Don't export this uid/guid (nfsnobody).
# Set to 0 if you want to
NFSNOBODYUID=65534
NFSNOBODYGID=65534
 
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=false
 
# Should we merge the group file with the gshadow file ?
# MERGE_GROUP=true|false
MERGE_GROUP=false

# These are commands which this Makefile needs to properly rebuild the
# NIS databases. Don't change these unless you have a good reason.
AWK = /usr/bin/gawk
MAKE = /usr/bin/gmake
UMASK = umask 066

#
# These are the source directories for the NIS files; normally
# that is /etc but you may want to move the source for the password
# and group files to (for example) /var/yp/ypfiles. The directory
# for passwd, group and shadow is defined by YPPWDDIR, the rest is
# taken from YPSRCDIR.
#
YPSRCDIR = /etc
YPPWDDIR = /etc
YPBINDIR = /usr/lib/yp
YPSBINDIR = /usr/sbin
YPDIR = /var/yp
YPMAPDIR = $(YPDIR)/$(DOMAIN)

# These are the files from which the NIS databases are built. You may edit
# these to taste in the event that you wish to keep your NIS source files
# seperate from your NIS server's actual configuration files.
#
GROUP       = $(YPPWDDIR)/group
PASSWD      = $(YPPWDDIR)/passwd
#SHADOW     = $(YPPWDDIR)/shadow
#GSHADOW     = $(YPPWDDIR)/gshadow
#ADJUNCT     = $(YPPWDDIR)/passwd.adjunct
#ALIASES     = $(YPSRCDIR)/aliases  # aliases could be in /etc or /etc/mail
#ALIASES     = /etc/aliases
#ETHERS      = $(YPSRCDIR)/ethers     # ethernet addresses (for rarpd)
#BOOTPARAMS  = $(YPSRCDIR)/bootparams # for booting Sun boxes (bootparamd)
HOSTS        = /var/yp/hosts
#NETWORKS    = $(YPSRCDIR)/networks
#PRINTCAP    = $(YPSRCDIR)/printcap
#PROTOCOLS   = $(YPSRCDIR)/protocols
#PUBLICKEYS  = $(YPSRCDIR)/publickey
#RPC        = $(YPSRCDIR)/rpc
#SERVICES    = $(YPSRCDIR)/services
#NETGROUP    = $(YPSRCDIR)/netgroup
#NETID      = $(YPSRCDIR)/netid
#AMD_HOME    = $(YPSRCDIR)/amd.home
#AUTO_MASTER = $(YPSRCDIR)/auto.master
#AUTO_HOME   = $(YPSRCDIR)/auto.home
#AUTO_LOCAL  = $(YPSRCDIR)/auto.local
#TIMEZONE    = $(YPSRCDIR)/timezone
#LOCALE      = $(YPSRCDIR)/locale
#NETMASKS    = $(YPSRCDIR)/netmasks

YPSERVERS = $(YPDIR)/ypservers  # List of all NIS servers for a domain

target: Makefile
        @test ! -d $(LOCALDOMAIN) && mkdir $(LOCALDOMAIN) ; \
        cd $(LOCALDOMAIN)  ; \
        $(NOPUSH) || $(MAKE) -f ../Makefile ypservers; \
        $(MAKE) -f ../Makefile all

# If you don't want some of these maps built, feel free to comment
# them out from this list.

all:  passwd group hosts
        # rpc services netid protocols mail \
        # netgrp shadow publickey networks ethers bootparams printcap \
        # amd.home auto.master auto.home auto.local passwd.adjunct \
        # timezone locale netmasks
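As an added example (not from the HOWTO, and not the Makefile's own awk rules), here is a Python model of the selection rule that the MINUID, MINGID, NFSNOBODY* and MERGE_PASSWD settings above describe, run over a constructed /etc/passwd, /etc/shadow and /etc/group. It shows why root and the system accounts never reach passwd.byname, and what MERGE_PASSWD=true would expose to every host that can query the map.

```python
"""Model of which /etc/passwd and /etc/group entries reach the NIS maps.

Added example, not from the HOWTO or the ypserv Makefile: applies the
MINUID, MINGID, NFSNOBODY* and MERGE_PASSWD settings quoted from
/var/yp/Makefile to constructed source files.
"""

MINUID = 5000
MINGID = 5000
NFSNOBODYUID = 65534
NFSNOBODYGID = 65534

# Constructed samples of /etc/passwd, /etc/shadow and /etc/group on DAS-M.
# The hashes are placeholders, not real password hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash
"""
SHADOW = """\
root:$1$constructedroothash:12345:0:99999:7:::
kitty:$1$constructedkittyhash:12345:0:99999:7:::
"""
GROUP = """\
root:x:0:root
nfsnobody:x:65534:
labuser:x:50000:
"""


def _records(text):
    """Yield colon-split fields, skipping comments and NIS compat (+/-) lines."""
    for line in text.splitlines():
        if line and line[0] not in "-+#":
            yield line.split(":")


def passwd_map(passwd=PASSWD, shadow=SHADOW, merge_passwd=False):
    """Return {name: entry} as it would appear in passwd.byname.

    Only UIDs >= MINUID are exported and nfsnobody is dropped. With
    MERGE_PASSWD=true the shadow hash replaces the 'x' placeholder, so it
    becomes readable by any host that can run 'ypcat passwd'."""
    hashes = {f[0]: f[1] for f in _records(shadow)}
    out = {}
    for f in _records(passwd):
        uid = int(f[2])
        if uid < MINUID or uid == NFSNOBODYUID:
            continue
        if merge_passwd and f[0] in hashes:
            f[1] = hashes[f[0]]
        out[f[0]] = ":".join(f)
    return out


def group_map(group=GROUP):
    """Return {name: entry} as it would appear in group.byname."""
    out = {}
    for f in _records(group):
        gid = int(f[2])
        if gid < MINGID or gid == NFSNOBODYGID:
            continue
        out[f[0]] = ":".join(f)
    return out


if __name__ == "__main__":
    for name, entry in passwd_map().items():
        print("passwd.byname:", entry)
    for name, entry in group_map().items():
        print("group.byname: ", entry)
```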

Now, we must start the NIS server (ypserv) and make sure that it is registered with the portmapper and listening on the appropriate ports:

[root@das-m yp]# /etc/init.d/ypserv start
Starting YP server services:                               [  OK  ]

Check the RPC info and netstat:

[root@das-m yp]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    888  ypserv
    100004    1   udp    888  ypserv
    100004    2   tcp    888  ypserv
    100004    1   tcp    888  ypserv

[root@das-m yp]# netstat -tuna | grep 888
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:888             0.0.0.0:*

Now, we need to actually create the NIS maps using the ypinit command:

[root@das-m yp]# /usr/lib/yp/ypinit -m
 
At this point, we have to construct a list of the hosts which will run NIS
servers.  das-m.kerb.org is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  das-m.kerb.org
        next host to add:  das-s.kerb.org
        next host to add:
The current list of NIS servers looks like this:
 
das-m.kerb.org
das-s.kerb.org
 
Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/kerb.org/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/kerb.org'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
gmake[1]: Leaving directory `/var/yp/kerb.org'
 
das-m.kerb.org has been set up as a NIS master server.
 
Now you can run ypinit -s das-m.kerb.org on all slave servers.

If you now look at /var/yp/ypservers, you will see that it has been populated with your master and slave servers. If you look in the directory /var/yp/kerb.org, you will see the actual maps. You have now created your NIS maps and the NIS server is up and running.

Step 6: Start ypbind and test the NIS server

We need to start the ypbind daemon and test our NIS server:

[root@das-m yp]# /etc/init.d/ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.
[root@das-m yp]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    888  ypserv
    100004    1   udp    888  ypserv
    100004    2   tcp    888  ypserv
    100004    1   tcp    888  ypserv
    100007    2   udp    774  ypbind
    100007    1   udp    774  ypbind
    100007    2   tcp    777  ypbind
    100007    1   tcp    777  ypbind

[root@das-m yp]# ypwhich
das-m.kerb.org
[root@das-m yp]# ypwhich -m
hosts.byaddr das-m.kerb.org
hosts.byname das-m.kerb.org
group.bygid das-m.kerb.org
group.byname das-m.kerb.org
passwd.byname das-m.kerb.org
ypservers das-m.kerb.org
passwd.byuid das-m.kerb.org
[root@das-m yp]# ypcat passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash

[root@das-m yp]# ypcat hosts
4.2.2.3       genuity
10.10.22.1    defgate
10.10.22.68   oscar
10.10.22.90   printer
[root@das-m yp]# ypcat group
labuser:x:50000:

Step 7: Set up ypbind to start during boot

Now that ypserv and ypbind are running, let's set them up to start automatically at boot time:

[root@das-m yp]# chkconfig ypbind off
[root@das-m yp]# chkconfig --level 345 ypbind on
[root@das-m yp]# chkconfig --list ypbind
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off
[root@das-m yp]# chkconfig ypserv off
[root@das-m yp]# chkconfig --level 345 ypserv on
[root@das-m yp]# chkconfig --list ypserv
ypserv          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Congratulations! You now have a working NIS server. In the next sections, we will set up the NIS slave server and test replication.


Setting Up Replication and the NIS Slave Server

We will now set up a NIS slave server. This gives us redundancy in case the master server is unavailable. We will have to set up the ypxfrd daemon on DAS-M as well as set up a NIS slave server on DAS-S. Keep in mind that both NIS servers need to be running the portmapper and ypbind in order to replicate the NIS maps.

Prepare the NIS master (DAS-M) for replication

On the master, we need to edit the Makefile and start the ypxfrd service. We will then make sure that ypxfrd starts automatically during boot. Make sure that the NOPUSH variable in /var/yp/Makefile is set as follows:

# If we have only one server, we don't have to push the maps to the
# slave servers (NOPUSH=true). If you have slave servers, change this
# to "NOPUSH=false" and put all hostnames of your slave servers in the file
# /var/yp/ypservers.
NOPUSH=false

Now, let's start ypxfrd and make sure it is running:

[root@das-m root]# /etc/init.d/ypxfrd start
Starting YP map server:                                    [  OK  ]
[root@das-m root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    774  ypbind
    100007    1   udp    774  ypbind
    100007    2   tcp    777  ypbind
    100007    1   tcp    777  ypbind
    100004    2   udp    888  ypserv
    100004    1   udp    888  ypserv
    100004    2   tcp    888  ypserv
    100004    1   tcp    888  ypserv
 600100069    1   udp    889  fypxfrd
 600100069    1   tcp    889  fypxfrd
[root@das-m root]# netstat -tuna | grep 889
tcp        0      0 0.0.0.0:889             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:889             0.0.0.0:*

Let's configure the server to start ypxfrd automatically during boot:

[root@das-m root]# chkconfig ypxfrd off
[root@das-m root]# chkconfig --level 345 ypxfrd on
[root@das-m root]# chkconfig --list ypxfrd
ypxfrd          0:off   1:off   2:off   3:on    4:on    5:on    6:off



Now, login to DAS-S. We will configure the NIS slave.

Step 1 (NIS Slave): Install or upgrade required software packages

On DAS-S, you will need to perform the same installation/upgrade tasks as you did in Step 1 for the NIS master.

Step 2 (NIS Slave): Edit configuration files

This is the same basic procedure as Step 2 for the NIS master. Below, you will see the relevant portions of each configuration file:

/etc/sysconfig/network should have the following additions:

NISDOMAIN=kerb.org
YPSERV_ARGS="-p 888"
YPXFRD_ARGS="-p 889"

/etc/hosts.allow should contain the following lines:

# Secure the Port Mapper on DAS-S.  Restrict to LAN only.

portmap : 127. 10.10.22. : ALLOW
portmap : ALL : DENY

The /etc/yp.conf file should look like this:

# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
#domain NISDOMAIN server HOSTNAME
#       Use server HOSTNAME for the domain NISDOMAIN.
#
#domain NISDOMAIN broadcast
#       Use  broadcast  on  the local net for domain NISDOMAIN
#
#ypserver HOSTNAME
#       Use server HOSTNAME for the  local  domain.  The
#       IP-address of server must be listed in /etc/hosts.
#
ypserver 10.10.22.42

The /var/yp/securenets file should look like this:

255.255.255.0   10.10.22.0
255.0.0.0       127.0.0.0

Step 3 (NIS Slave): Manually set the NIS domain name

This is accomplished exactly the same as Step 3 for the NIS master.

Step 4 (NIS Slave): Start the portmapper service

Please see Step 4 for the NIS master. The steps are the same.

Step 4 (NIS Slave): Start ypbind and configure it to start on boot

As on the NIS master, we need ypbind and we want it to start automatically during boot. Here are the details:

[root@das-s root]# /etc/init.d/ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.

[root@das-s root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    715  ypbind
    100007    1   udp    715  ypbind
    100007    2   tcp    718  ypbind
    100007    1   tcp    718  ypbind

[root@das-s root]# chkconfig ypbind off
[root@das-s root]# chkconfig --level 345 ypbind on
[root@das-s root]# chkconfig --list ypbind
ypbind          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Step 5 (NIS Slave): Make sure that NIS queries can be made to NIS master

The NIS slave needs to be able to make NIS queries (as a client) to the NIS master. Now that ypbind is running, we can test NIS client functionality. This will be required for the NIS map transfers.

[root@das-s root]# ypwhich
das-m.kerb.org
[root@das-s root]# ypwhich -m
hosts.byaddr das-m.kerb.org
hosts.byname das-m.kerb.org
group.bygid das-m.kerb.org
group.byname das-m.kerb.org
passwd.byname das-m.kerb.org
ypservers das-m.kerb.org
passwd.byuid das-m.kerb.org
[root@das-s root]# ypcat passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash

[root@das-s root]# ypcat hosts
4.2.2.3       genuity
10.10.22.1    defgate
10.10.22.68   oscar
10.10.22.90   printer

Step 6 (NIS Slave): Initialize the NIS slave server (transfer the maps)

When we run the ypinit -s command, DAS-S will copy the NIS maps from DAS-M over the network and make other preparations for becoming a NIS slave. Here is how we do it:

[root@das-s yp]# /usr/lib/yp/ypinit -s das-m.kerb.org
We will need a few minutes to copy the data from das-m.kerb.org.
Transferring hosts.byaddr...
Trying ypxfrd ... success
 
Transferring hosts.byname...
Trying ypxfrd ... success
 
Transferring group.bygid...
Trying ypxfrd ... success
 
Transferring group.byname...
Trying ypxfrd ... success
 
Transferring passwd.byname...
Trying ypxfrd ... success
 
Transferring ypservers...
Trying ypxfrd ... success
 
Transferring passwd.byuid...
Trying ypxfrd ... success
 
 
das-s.kerb.org's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.

Now, if you check in /var/yp/kerb.org, you should see the NIS maps:

[root@das-s yp]# cd kerb.org
[root@das-s kerb.org]# ls
group.bygid  group.byname  hosts.byaddr  hosts.byname  passwd.byname  passwd.byuid  ypservers

Step 7 (NIS Slave): Start ypserv daemon, and set it up for start-on-boot

Finally, we are ready to start the NIS slave server. We will also configure it to start during boot, and verify that it is working properly.

[root@das-s root]# /etc/init.d/ypserv start
Starting YP server services:                               [  OK  ]
[root@das-s root]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    715  ypbind
    100007    1   udp    715  ypbind
    100007    2   tcp    718  ypbind
    100007    1   tcp    718  ypbind
    100004    2   udp    888  ypserv
    100004    1   udp    888  ypserv
    100004    2   tcp    888  ypserv
    100004    1   tcp    888  ypserv
[root@das-s root]# netstat -tuna | grep 888
tcp        0      0 0.0.0.0:888             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:888             0.0.0.0:*
[root@das-s root]# chkconfig ypserv off
[root@das-s root]# chkconfig --level 345 ypserv on
[root@das-s root]# chkconfig --list ypserv
ypserv          0:off   1:off   2:off   3:on    4:on    5:on    6:off

Step 8 (NIS Slave): Verify that the NIS slave server functions and NIS maps transfer

We can use ypcat against the local NIS maps instead of those on DAS-M for testing purposes:

[root@das-s root]# ypcat -h mysql passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash

[root@das-s root]# ypcat -h mysql group
labuser:x:50000:

Now, we will use the yppoll and ypxfr commands to make sure that we can initiate a map transfer:

[root@das-s yp]# /usr/lib/yp/ypxfr passwd.byname
Map on Master "das-m.kerb.org" is not newer
ypxfr: Master's version not newer
[root@das-s yp]# yppoll passwd.byname
Domain kerb.org is supported.
Map passwd.byname has order number 1066710281. [Tue Oct 21 12:24:41 2003]
The master server is das-m.kerb.org.
[root@das-s yp]# /usr/lib/yp/ypxfr -f passwd.byname
Trying ypxfrd ... success

As you can see, the map transfer does not occur unless the NIS master has a higher numbered map. To override this behaviour and transfer the map anyway, you use the ypxfr command with the -f flag.

Back on DAS-M, we want to test yppush. Yppush is the program that notifies (via RPC) the NIS slaves to copy the new maps over from the Master via ypxfr. Rather than running the yppush command directly, you will run the make -C /var/yp command to invoke yppush and update the maps. First, we must make a change to the map sources. Let's add a host to /var/yp/hosts with your favorite editor so that the list looks like this:

4.2.2.3       genuity
10.10.22.68   oscar
10.10.22.1    defgate
10.10.22.90   printer
4.2.2.2       genuity-alt

Now, we will run the make -C /var/yp command:

[root@das-m root]# make -C /var/yp
make: Entering directory `/var/yp'
gmake[1]: Entering directory `/var/yp/kerb.org'
gmake[1]: `ypservers' is up to date.
gmake[1]: Leaving directory `/var/yp/kerb.org'
gmake[1]: Entering directory `/var/yp/kerb.org'
Updating hosts.byname...
Updating hosts.byaddr...
gmake[1]: Leaving directory `/var/yp/kerb.org'
make: Leaving directory `/var/yp'

Back on DAS-S, we can check that the change was propagated with the ypcat command and by looking at the file creation dates on the maps:

[root@das-s yp]# ypcat -h mysql hosts
4.2.2.3       genuity
10.10.22.1    defgate
10.10.22.68   oscar
10.10.22.90   printer
4.2.2.2       genuity-alt
[root@das-s yp]# cd /var/yp/kerb.org
[root@das-s kerb.org]# ls -l
total 112
-rw-------    1 root     root        12536 Oct 21 15:56 group.bygid
-rw-------    1 root     root        12559 Oct 21 15:56 group.byname
-rw-------    1 root     root        12569 Oct 21 16:14 hosts.byaddr
-rw-------    1 root     root        12554 Oct 21 16:14 hosts.byname
-rw-------    1 root     root        12938 Oct 21 15:56 passwd.byname
-rw-------    1 root     root        12916 Oct 21 15:56 passwd.byuid
-rw-------    1 root     root        12512 Oct 21 15:56 ypservers

As you can see, you have two working NIS servers and you have successfully tested replication.

Step 9 (NIS Slave): Schedule a regular, forced map transfer on the slave

On the slave, it is a good idea to force a map transfer periodically. This keeps the slave synchronized with the master, even if an update occurred on the master while the slave was down or disconnected. There is a sample script in /usr/lib/yp which I modified and named ypxfr_hourly. This checks the map version numbers hourly and then transfers any updated maps automatically. Here is the /usr/lib/yp/ypxfr_hourly script:

#! /bin/sh
#
# ypxfr_hourly - Do hourly NIS map check/updates, to see, if we
#                 have missed one update.

YPBINDIR=/usr/lib/yp
 
for map in group.byname group.bygid passwd.byname passwd.byuid hosts.byname hosts.byaddr ypservers
do
  $YPBINDIR/ypxfr $map
done

Note that the only maps it checks for are passwd, group, hosts, and ypservers. If you use more maps, you will need to include them here. Now that we have created the script, we need to configure cron to run it hourly. We will accomplish this by making a soft link in the /etc/cron.hourly directory and making sure the permissions are correct:

[root@das-s yp]# chmod 0750 /usr/lib/yp/ypxfr_hourly
[root@das-s yp]# cd /etc/cron.hourly
[root@das-s cron.hourly]# ln -s /usr/lib/yp/ypxfr_hourly
[root@das-s cron.hourly]# ls -l
total 0
lrwxrwxrwx    1 root     root           24 Oct 23 10:53 ypxfr_hourly -> /usr/lib/yp/ypxfr_hourly

Your NIS slave server is now configured and operational!


NIS Map Source Backup to the Local Disk

As an added safety precaution, we will automatically back up our NIS map source files (/etc/passwd, /etc/group, and /var/yp/hosts) to a different partition on the same disk. This will be configured on DAS-M, the NIS master server. If you are using RAID 1 or RAID 5, this may not be necessary. We use the nisback.sh script in conjunction with cron to copy the files, TAR them, compress the tarball, and save it. Here are the details:

Create the backup directory in the /home filesystem, which is in a different partition from /var and /etc :

[root@das-m sbin]# mkdir /home/Backups
[root@das-m sbin]# chmod 0700 /home/Backups

Now, create the shell script nisback.sh in your favourite editor. It should look something like this when you are done:

#!/bin/bash
 
# NIS map source backup tool, runs from cron
# backups are stored in GZIP format in the /home/Backups directory
 
# Generate date stamp for filename and define filename
DATESTAMP=`date +%j-%y`
BKUPFILE=$DATESTAMP.das-m.nis
BKUPDIR=/home/Backups
 
# Get rid of any existing backup file by the same name
/bin/rm -f $BKUPDIR/$BKUPFILE.tar.gz
 
# Copy NIS map sources to the backup directory
cp /etc/passwd $BKUPDIR/passwd.nis
cp /etc/group  $BKUPDIR/group.nis
cp /var/yp/hosts $BKUPDIR/hosts.nis
 
# TAR the NIS map sources together (abort if the backup directory is
# missing, otherwise tar would run in whatever directory cron started us in)
cd $BKUPDIR || exit 1
/bin/tar -cf $BKUPFILE.tar *.nis
 
# Remove the temp files
/bin/rm -f passwd.nis group.nis hosts.nis
 
# Compress the backup file with GZIP
/bin/gzip $BKUPDIR/$BKUPFILE.tar
 
# Change the permissions on the backup file so that it is read-only by root
/bin/chmod 0400 $BKUPDIR/$BKUPFILE.tar.gz
 
exit 0

Save the file as /usr/local/sbin/nisback.sh and change its permissions accordingly:

[root@das-m sbin]# chmod 0700 /usr/local/sbin/nisback.sh

Now, we need to configure cron to do this periodically. We have configured it to run hourly, but you can also set it up to run twice a day or daily. It's up to you. Our hourly jobs run at 1 minute past the hour. A soft link was created in the /etc/cron.hourly directory to the new shell script:

[root@das-m sbin]# cd /etc/cron.hourly
[root@das-m cron.hourly]# ln -s /usr/local/sbin/nisback.sh
[root@das-m cron.hourly]# ls -al
total 12
drwxr-xr-x    2 root     root         4096 Oct 23 09:51 .
drwxr-xr-x   59 root     root         8192 Oct 21 15:56 ..
lrwxrwxrwx    1 root     root           26 Oct 21 08:30 kdcback.sh -> /usr/local/sbin/kdcback.sh
lrwxrwxrwx    1 root     root           26 Oct 23 09:51 nisback.sh -> /usr/local/sbin/nisback.sh

Now, you should have an hourly backup with a history of daily snapshots. You can always restore from the last day on which the system was operating properly. When you have your DAS/NIS user database completed, it would also be a good idea to burn the KDC and NIS backup files to a CD and store it in a safe place. You do not need to worry about the /etc/shadow file being compromised from a backup, because we did not make /etc/shadow a part of the backup scripts. The passwords for DAS/NIS users are encrypted by the Kerberos system and cannot be restored without the password.


NIS Server Setup Summary

The following NIS-related TCP and UDP ports are now listening on each server:

  On DAS-M

  portmapper TCP/UDP 111
  NIS ypserv TCP/UDP 888
  NIS ypxfrd TCP/UDP 889

  On DAS-S

  portmapper TCP/UDP 111
  NIS ypserv TCP/UDP 888

In addition, the servers also listen on a randomly assigned port for the ypbind daemon. This port is not available outside of the servers' iptables firewall.

The following configuration files were modified:

The following scripts were created:

Diagnostic Tools for NIS

One of the advantages of NIS is the large number of tools available to help you test NIS functions on both the client and server. Here is a list of the commands that you can use to manage or troubleshoot NIS:

There is a manpage for each of these commands.

When you set up your first DAS client system, you will configure it as a NIS client. It will then use information from the NIS servers for various functions. This will be detailed in the client setup section.

