9.1. The Server Program ypserv
This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
Site Directory File Name
ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.gz
ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.bz2 |
You could also look at
http://www.linux-nis.org/nis/
for more information.
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and
makedbm
programs. ypserv-2.x only supports the securenets file for access
restrictions.
If you run your server as master, determine what files you require to be
available via NIS and then add or remove the appropriate
entries to the "all" rule in /var/yp/Makefile.
You always should look at the Makefile and edit the Options at the
beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since
version 1.2, the file handles are cached. This means you have to
call makedbm always with the -c option if you create new maps. Make
sure, you are using the
new /var/yp/Makefile from ypserv 1.2 or later,
or add the -c flag to makedbm in the Makefile. If you don't do that,
ypserv will continue to use the old maps, and not the updated one.
Now edit /var/yp/securenets and
/etc/ypserv.conf.
For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the
server ypserv. The command
% rpcinfo -u localhost ypserv |
should output something like
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting |
The "version 1" line could be missing, depending on the ypserv version and
configuration you are using. It is only necessary if you have old
SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run
On a slave make sure that ypwhich -m works. This means,
that your slave
must be configured as NIS client before you could run
% /usr/lib/yp/ypinit -s masterhost |
to install the host as NIS slave.
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and
ypbind in debug
mode on different xterms. The debug output should show you what goes
wrong.
If you need to update a map, run make in the
/var/yp
directory on the NIS master. This will update a map if the source file
is newer, and push the files to the slave servers. Please don't use
ypinit for updating a map.
You might want to edit root's crontab *on the slave* server and add the
following lines:
20 * * * * /usr/lib/yp/ypxfr_1perhour
40 6 * * * /usr/lib/yp/ypxfr_1perday
55 6,18 * * * /usr/lib/yp/ypxfr_2perday |
This will ensure that most NIS maps are kept up-to-date, even if an
update is missed because the slave was down at the time the update was
done on the master.
You can add a slave at every time later. At first, make sure that
the new slave server has permissions to contact the NIS master. Then run
% /usr/lib/yp/ypinit -s masterhost |
on the new slave. On the master server, add the new slave server name
to
/var/yp/ypservers and run
make in
/var/yp
to update the map.
If you want to restrict access for users to your NIS server, you'll have
to setup the NIS server as a client as well by running ypbind and adding the
plus-entries to /etc/passwd _halfway_
the password file. The library
functions will ignore all normal entries after the first NIS entry, and
will get the rest of the info through NIS. This way the NIS access rules
are maintained. An example:
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:
bin:*:2:2:bin:/bin:
sys:*:3:3:sys:/dev:
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:
lp:*:7:7:lp:/var/spool/lpd:
mail:*:8:8:mail:/var/spool/mail:
news:*:9:9:news:/var/spool/news:
uucp:*:10:50:uucp:/var/spool/uucp:
nobody:*:65534:65534:noone at all,,,,:/dev/null:
+miquels::::::
+:*:::::/etc/NoShell
[ All normal users AFTER this line! ]
tester:*:299:10:Just a test account:/tmp:
miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh |
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels
will have normal access.
Alternatively, you could edit the /var/yp/Makefile file
and set NIS to use
another source password file. On large systems the NIS password and group
files are usually stored in /etc/yp/. If you do this the normal
tools to administrate the password file such as passwd, chfn,
adduser will not work anymore and you need special homemade tools
for this.
However, yppasswd, ypchsh and ypchfn will
work of course.
9.4. The Program rpc.yppasswdd
Whenever users change their passwords, the NIS password database and
probably other NIS databases, which depend on the NIS password
database, should be updated. The program "rpc.yppasswdd" is a server that
handles password changes and makes sure that the NIS information will
be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You
don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz,
and you shouldn't use them any longer.
You need to start rpc.yppasswdd only on the NIS master server. By default,
users are not allowed to change their full name or the login shell.
You can allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are not in another directory then
/etc, you need to add the -D option. For example, if you have put
all source files in /etc/yp and wish to allow the user to change
his shell, you need to start rpc.yppasswdd with the following parameters:
rpc.yppasswdd -D /etc/yp -e chsh |
or
rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh |
There is nothing more to do. You just need to make sure, that
rpc.yppasswdd uses the same files as /var/yp/Makefile.
Errors will be logged using syslog.