NIS - Password management
If you wanted to log in on every computer in a network with the same user name and
password, you would need the yellow pages...
Who needs NIS?
If you had a few Linux PCs in a network and wanted to log in with the same
user name and password on every machine, creating all user accounts on all machines
would be laborious. Also, if every user had to have the same user and group ID on
every computer so he can access his files via NFS, a central configuration
tool would be an enormous help.
NIS offers a central administration of the user accounts.
NIS stands for Network Information Service and is also known under the name YP (Yellow Pages). For legal reasons this name must not be used any longer, which is why the successor of NIS is simply called NIS+.
How does NIS work?
On a special computer inside the network (ideally a server which is always turned
on) a NIS server runs. On this server all users and groups that should have access
to the other computers in the network are registered (in the files
/etc/passwd and /etc/group).
When a client boots in the network it asks the NIS server which users should get
access in addition to those in its own /etc/passwd. The client can also learn
where the home directories of the users are stored. If you store all home directories on
one server using NFS, you get the same home directory, graphical
desktop and all settings wherever you log in.
Whether you choose NIS or NIS+ depends on the security you want: NIS does not support shadow passwords, while NIS+ is more complicated to configure. Here we focus on the installation of NIS. Information about NIS+ can be found e.g. at http://www.muc.de/~ralfl/nisplus/faq.html.
Installation of the server
First you need the program ypserv, which is available as source code from ftp://ftp.kernel.org/pub/linux/utils/net/NIS/ but is usually installed with common distributions. If not, you have to install it (with SuSE the packages ypserv.rpm and ypclient.rpm in the section n1).
The server should be started automatically during booting, so you add the entry
/usr/sbin/ypserv
to /sbin/init.d/boot.local or you create a proper init script.
SuSE users can use YAST:
Administration of the System
-> change configuration file
Set the environment variable START_YPSERV to yes and you get the
same result.
For test purposes you can start ypserv by hand:
>> ypserv
and then test the server by executing
>> rpcinfo -u localhost ypserv
The answer should look like:
program 100004 version 2 ready and waiting
Next the NIS domain name has to be set. It is independent of the DNS domain name but may be chosen identically (which is recommended, as it makes the name easier to remember).
If the DNS name of the server is server.mynet.com, you set the NIS domain name with the command
>> ypdomainname mynet.com
Again SuSE users can use YAST to set this. The corresponding variable is called YP_DOMAINNAME.
As mentioned above, NIS does not support shadow passwords. Since all new distributions
use shadow passwords by default, you have to change this.
The idea of shadow passwords is the following: at login, first the existence
of the user is checked. For this the login program looks into the file
/etc/passwd, where the configuration of the users is saved. This file has to be
readable by every user, so it is not clever to put the passwords into this file too,
even if they are encrypted. The passwords corresponding to the users are stored in
/etc/shadow, which can only be read by the superuser.
The file /etc/passwd only has entries like
frank:x:506:100:Frank Zander:/home/frank:/bin/bash
where each line contains the following information, separated by colons:
- Username
- placeholder for the password if shadow passwords are used
- User ID
- Group ID
- Full name (comment field)
- Home directory
- Login shell
The corresponding line in /etc/shadow looks like
frank:KjQpGgsH/XoRa:10990:0:10000::::
The second field is the important one: this is the encrypted password.
To activate a user account on the NIS server you have to deactivate the shadow passwords. This is very simple: just copy the encrypted password from /etc/shadow and substitute it for the x in the file /etc/passwd.
After doing this for all users you can announce the data to the NIS server. Keep in mind that you always have to copy the shadow password to /etc/passwd after creating a new user account.
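The copying step described above, done for all accounts at once, as an added shell example that is not part of the original article. It merges the hash of every shadow line into the "x" placeholder of the matching passwd line and works on copies in a temporary directory with constructed sample data (the hashes are placeholders). Note what this does to the risk picture: once merged, every hash is readable by every user of the server and of every NIS client, which is exactly the weakness the article attributes to NIS. The count_unmerged check is an addition of mine; it reports accounts that still carry the placeholder, the state a freshly created account is in until it has been merged again.

```shell
#!/bin/sh
# Added example, not part of the original article: merge the hashes from a
# shadow file into the "x" placeholders of a passwd file, which is the manual
# step the article prescribes before running ypmake. It works on copies in a
# temporary directory with constructed sample data, never on /etc itself.

# merge_shadow_into_passwd PASSWD SHADOW
# Prints PASSWD with every "x" password field replaced by the hash from SHADOW.
# Accounts that have no shadow line keep their "x", so they stay unusable
# through NIS instead of being exported with an empty password.
merge_shadow_into_passwd() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { hash[$1] = $2; next }   # shadow: user -> hash
        $2 == "x" && ($1 in hash) { $2 = hash[$1] }   # passwd: fill the placeholder
        { print }
    ' "$2" "$1"
}

# count_unmerged PASSWD: number of accounts still carrying the "x" placeholder,
# a useful check after a new account was created but not yet merged.
count_unmerged() {
    awk -F: '$2 == "x" { n++ } END { print n + 0 }' "$1"
}

# Constructed sample files (the hashes are placeholders, not real credentials).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
frank:x:506:100:Frank Zander:/home/frank:/bin/bash
guest:x:507:100:Guest:/home/guest:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$1$placeholder$notarealhash:10990:0:10000::::
frank:KjQpGgsH/XoRa:10990:0:10000::::
EOF

merge_shadow_into_passwd "$demo/passwd" "$demo/shadow" > "$demo/passwd.nis"
echo "accounts still locked with x: $(count_unmerged "$demo/passwd.nis")"
cat "$demo/passwd.nis"
rm -rf "$demo"
```

On systems with the shadow suite the command pwunconv performs the same merge on the real /etc/passwd and /etc/shadow; the script above is only meant to make visible what that step changes.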
Submitting the passwords, user IDs etc. to the NIS server is done with
>> ypmake
This creates files in the directory /var/yp/<NIS-DOMAINNAME>/.
To make sure that the NIS server is up-to-date and always offers the latest user
information, this command should be executed automatically by a cron job.
For this you put the entry
0 4,8,14,20,23 * * * ypmake >/dev/null
into root's crontab. You edit the crontab with
>> crontab -e
You can set the environment variable $EDITOR to your preferred editor, e.g.
>> export EDITOR=emacs
The NIS server configuration is finished and we can turn to the clients.
Client Installation
With SuSE the configuration of the NIS client is very simple: all settings can be made using YAST. At
Administration of the System
-> Change configuration file
you set the following environment variables:
- YP_DOMAINNAME: the NIS domain name; to be consistent with the example described above it has to be mynet.com
- YP_SERVER: DNS name or IP address of the NIS server, e.g. 192.168.0.1
- START_YPBIND: set to yes, starts the NIS daemon automatically
An automatic start of the NIS client requires entries like
ypdomainname mynet.com
/usr/sbin/ypbind
in the file /sbin/init.d/boot.local, or you write an init script.
Finally you have to change the password and group file. For this you add to the end of the file /etc/passwd the line
+::::::
This entry imports the users from the NIS server in addition to the existing local users. Selective entries are possible so that only particular users get access, e.g. with
+miquels:::::::
only miquels is added. Using
-username
you can deny particular users access to this computer. Other ways to configure the password file can be found in the NIS HOWTO at http://www.linuxdoc.org/HOWTO/NIS-HOWTO/.
To import the groups from the server as well, not only the users, you put a similar entry into /etc/group:
+:::
The ways to configure this entry are the same as for /etc/passwd.
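To show what the "+", "+user" and "-user" entries in /etc/passwd actually do, here is an added shell example that is not part of the original article. It models how the C library resolves such a file against the NIS passwd map, on constructed sample files (placeholder hashes), so the effect of each entry can be inspected before it is put on a real client. It goes slightly beyond the page: the rule that a non-empty shell field in a "+" entry overrides the shell from the map (the "+::::::/etc/NoShell" idiom from the NIS HOWTO) is included and marked as an assumption in the code; entries are processed top to bottom and the first match for a user name wins, so a local account always takes precedence over a NIS user of the same name.

```shell
#!/bin/sh
# Added example, not part of the original article: a small model of how the
# "+", "+user" and "-user" entries at the end of a client's /etc/passwd are
# resolved against the NIS passwd map. On a real client the C library does
# this when a program looks a user up; this script only reproduces the rules
# on constructed sample files so the effect of each entry can be seen.
#
# Rules modelled (first matching entry wins, entries are read top to bottom):
#   plain line   local account, always wins over a NIS user of the same name
#   -user        user is excluded from every "+" entry that follows
#   +user:...    import that single user from the map
#   +:...        import every map user not yet listed and not excluded
# A non-empty shell field in a "+" entry overrides the shell from the map,
# as in the NIS HOWTO's "+::::::/etc/NoShell" idiom (assumed, not on the page).

# resolve_compat LOCAL_PASSWD NIS_MAP  -> prints the effective passwd lines
resolve_compat() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { nis[$1] = $0; order[++nis_count] = $1; next }
        /^[-]/ { denied[substr($1, 2)] = 1; next }
        /^[+]/ {
            name = substr($1, 2)
            if (name == "") { for (i = 1; i <= nis_count; i++) emit(order[i], $7) }
            else emit(name, $7)
            next
        }
        { seen[$1] = 1; print }

        # emit one map user unless it is unknown, already listed or denied
        function emit(u, shell,   f) {
            if (!(u in nis) || seen[u] || denied[u]) return
            seen[u] = 1
            split(nis[u], f, ":")
            if (shell != "") f[7] = shell
            print f[1], f[2], f[3], f[4], f[5], f[6], f[7]
        }
    ' "$2" "$1"
}

# Constructed sample data (hashes are placeholders).
demo=$(mktemp -d)
cat > "$demo/nis_map" <<'EOF'
frank:KjQpGgsH/XoRa:506:100:Frank Zander:/home/frank:/bin/bash
miquels:H4shPlaceh0lder:507:100:Miquel:/home/miquels:/bin/bash
guest:An0therPlaceh0ld:508:100:Guest:/home/guest:/bin/bash
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
-guest
+miquels:::::::
+::::::/bin/false
EOF

# root stays local, guest is denied, miquels keeps his shell, frank gets /bin/false
resolve_compat "$demo/passwd" "$demo/nis_map"
rm -rf "$demo"
```

Reading the resolved list is a quick way to verify that a client which should admit only a few NIS users really does so, and that a "-user" line stands before the "+" entry it is meant to restrict.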
Home directories
If every user is to have the same home directory on all PCs, you have to store it
centrally on the server and mount it on the clients.
For this purpose we recommend the network file system (NFS).
Therefore the server needs a running NFS server daemon (please consult the documentation
of your distribution; we will not explain the configuration of an NFS server at this point).
The file /etc/exports should contain the following entry:
/home *.mynet.com(rw)
This entry allows the directory /home with all its subdirectories to be mounted by the clients in the domain mynet.com.
In brackets you find the access rights for the clients.
The entry rw allows read-write access for the users to their home directories, which makes sense.
On the client side the home directories have to be mounted during the boot process. Therefore the client needs an entry in the file /etc/fstab:
servername:/home /home nfs defaults 0 0
The first field specifies the computer and the directory which you want to mount, the second field names the local directory used as the mount point. nfs tells the client that this is not a local directory. The remaining fields handle the mount options and the file system checks and can be taken as shown.
You can only mount if the local directory is empty. So you should rename the existing home directory on the clients and create a new empty one:
>> mv /home /home_orig
>> mkdir /home
Then you can test the NFS mounting of the home directory using
>> mount servername:/home /home
Now the home directory of the server should be visible on the client, too.
From now on every user who logs in gets his own home directory, independent of the computer he uses.