8. What do you need to set up NIS+ ?
8.1. The Software
The Linux NIS+ client code was developed for the GNU C library 2.
There is also a port for Linux libc5, since most commercial Applications
where linked against this library in the past, and you cannot recompile
them for using glibc. There are problems with libc5 and NIS+:
static programs cannot be linked with it, and programs compiled
with this library will not work with other libc5 versions.
As base System you need a glibc based Distribution like Debian,
Red Hat Linux or SuSE Linux. If you have a Linux Distribution, which
does not have glibc 2.1.1 or later, you need to update to a newer
version.
The NIS+ client software can be obtained from:
Site Directory File Name
ftp.gnu.org /pub/gnu/glibc glibc-2.3.2.tar.gz,
glibc-linuxthreads-2.3.2.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS+ nis-utils-1.4.1.tar.gz |
You should also have a look at
http://www.linux-nis.org/nisplus/
for more information and the latest sources.
8.2. Setting up a NIS+ client
IMPORTANT: For setting up a NIS+ client read your Solaris NIS+ docs
what to do on the server side! This document only describes what to do
on the client side!
After installing the new libc and nis-tools, create the credentials for
the new client on the NIS+ server. Make sure portmap is running. Then
check if your Linux PC has the same time as the NIS+ Server. For secure RPC,
you have only a small window from about 3 minutes, in which the credentials
are valid. A good idea is to run xntpd on every host. After this, run
domainname nisplus.domain.
nisinit -c -H <NIS+ server> |
to initialize the cold start file. Read the nisinit man page for more
options. Make sure that the domainname will always be set after a reboot.
If you don't know what the NIS+ domain name is on your network, ask
your system/network administrator.
Now you should change your /etc/nsswitch.conf
file. Make sure that the
only service after publickey is nisplus ("publickey: nisplus"), and nothing
else!
Then start keyserv and make sure, that it will always be started
as first daemon after portmap at boot time. Run
to store the root secretkey on your system. (I hope you have added the
publickey for the new host on the NIS+ Server?).
niscat passwd.org_dir
should now show you all entries in the passwd database.
8.3. NIS+, keylogin, login and PAM
When the user logs in, he need to set his secretkey to keyserv. This is done
by calling "keylogin". The login from the shadow package will do this for the
user, if it was compiled against glibc 2.1. For a PAM aware login, you have
to change the /etc/pam.d/login file to
use pam_unix2, not pwdb, which doesn't support NIS+. An example:
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix2.so set_secrpc
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix2.so
password required /lib/security/pam_unix2.so
session required /lib/security/pam_unix2.so |
8.4. The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf
determines the order of lookups performed when a certain piece of
information is requested, just like the
/etc/host.conf file which determines the way
host lookups are performed. For example, the line
specifies that host lookup functions should first look in the local
/etc/hosts file, followed by a NIS+ lookup and
finally through the domain
name service (/etc/resolv.conf and named), at
which point if no match is found an error is returned.
A good /etc/nsswitch.conf file for NIS+ is:
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#
passwd: compat
group: compat
shadow: compat
passwd_compat: nisplus
group_compat: nisplus
shadow_compat: nisplus
hosts: nisplus files dns
services: nisplus [NOTFOUND=return] files
networks: nisplus [NOTFOUND=return] files
protocols: nisplus [NOTFOUND=return] files
rpc: nisplus [NOTFOUND=return] files
ethers: nisplus [NOTFOUND=return] files
netmasks: nisplus [NOTFOUND=return] files
netgroup: nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
automount: files
aliases: nisplus [NOTFOUND=return] files |