Tuesday, October 20, 2015

[NIS Server/ Clients]: NIS : Linux central authentication

NIS : Linux central authentication

NIS, (Network Information Services), enables account logins and other services (host name resolution, xinetd network services configuration, ...), to be centralized to a single NIS server.
This tutorial covers the configuration and use of NIS for login authentication. NIS+ is slightly more complex as it uses encryption for the data transfers between the NIS server and NIS client. Regular NIS does not use encryption, thus it should only be used for isolated or private networks protected by a firewall.

NIS Description:
NIS allows a central server to manage password authentication, host, services, etc which would normally be provided by the local files /etc/passwd/etc/shadow/etc/groups/etc/hosts/etc/services/etc/networks,/etc/rpc/etc/protocols/etc/aliases (sendmail), ...
NIS Client systems look to the NIS server to provide this data. This tutorial will cover the configuration of both an NIS server and NIS clients.
The logical cluster of the server and clients are known as an NIS "domain".
An NIS domain must have their time synchronized, usually using NTP (Network Time Protocol). 

NIS server configuration:
Requires RPM packages:
  • ypbind - RPC port binding service
  • portmap - RPC port mapping
  • ypserv - NIS server daemons
  • yp-tools - NIS support commands (ypcat, yppasswd, ypwhich, ...)
  • nscd - Handles password and group lookups and caches the results. Used by LDAP and NIS. Configuration of nscd defines which files are supported by NIS. i.e. authentication requires passwd, shadow and group file support. Uses configuration file /etc/ncsd.conf
The following configuration assumes that the NIS server will also be using NIS for authentication.
File: /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=hostname-of-this-nis-server
NISDOMAIN=name-of-domain
File: /etc/yp.conf
Example:
domain lab2 server 127.0.0.1
Format:
domain name-of-domain server 127.0.0.1
Where 127.0.0.1 is the "localhost" IP address of the NIS server. In this configuration, this NIS server is using NIS to authenticate logins, not just the client.
File: /etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
Order by which authentication methods are processed. eg. In this case, check the local /etc/passwd file first before checking with NIS for password authentication. It is recomended that the root password be authenticated locally using "files" with all other users authenticated using NIS.
File: /etc/ypserv.conf
dns: no
files: 30
slp: no
slp_timeout: 3600
xfr_check_port: yes
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
File: /var/yp/securenets
Configuration authorizes only a single subnet to authenticate with the NIS server:
host 127.0.0.1
255.255.255.0   XXX.XXX.XXX.0
The "host" statement allows access for a specified single host.Configuration to allow two subnets to authenticate with the NIS server:
host 127.0.0.1
255.255.254.0   192.168.105.0
Allows the range of IP addresses 192.168.105.0 to 192.168.106.255 to authenticate with the NIS server.Configuration to allow everyone to authenticate with the NIS server:
255.0.0.0   127.0.0.0
0.0.0.0     0.0.0.0

File: /var/yp/nicknames
Note: This is the default from the initial RPM installation and does not require any change for most configurations.
passwd          passwd.byname
group           group.byname
networks        networks.byaddr
hosts           hosts.byname
protocols       protocols.bynumber
services        services.byname
aliases         mail.aliases
ethers          ethers.byname
As root, issue the following configuration commands:
# nisdomainname name-of-domain
# service portmap restart
# service yppasswdd start
# service ypserv start
# /usr/lib/yp/ypinit -m
# make -C /var/yp
# service ypbind start
Where:
  • The nisdomainname command creates the "NISDOMAIN" entry in /etc/sysconfig/network This is usually configured during Linux OS installation. Note the commands nisdomainname, ypdomainname anddomainname all are soft eqivalent. Without specifying an argument, the command returns the domain name.
    nisdomainname man page
  • Network server services:
    • portmap: RPC network communications services
    • yppasswd: Password daemon which allows users to change their NIS passwords on the server from their client systems.
    • ypserv: NIS server daemon
    • ypbind: NIS client daemon
  • ypinit -m: Configure the NIS server as a "master NIS server" with the option "-m". This will convert /etc/passwd/etc/shadow, hosts, ... files into NIS GNU dbm database format and generates a make file. Traditional Unix systems use ndbm database format.
    ypinit man page
  • The command "make -C /var/yp" is equivalent to:
    • cd /var/yp
    • make
  • NIS Clients:
    • ypbind: NIS client
See the YoLinux tutorial on the Linux init process and configuring your system to start services upon system boot.
Test:
  • Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind  
    program 10007 version 1 ready and waiting
program 10007 version 2 ready and waiting

NIS client configuration:
Requires RPM packages:
  • ypbind
  • portmap
  • yp-tools
  • nscd
File: /etc/sysconfig/network
(RHEL, Fedora, CentOS, ... Red Hat based Linux systems)
NETWORKING=yes
HOSTNAME=client-hostname
NISDOMAIN=name-of-domain
File: /etc/yp.conf
Example:
domain lab2 server 192.168.20.5
Format:
domain name-of-domain server XXX.XXX.XXX.XXX
Where XXX.XXX.XXX.XXX is the IP address of the NIS server.
Man page: yp.conf
File: /etc/nsswitch.conf
...
...

passwd:     files nis
shadow:     files nis
group:      files nis

...
...
Options:
  • compat: Use compatibility setup
  • nisplus: Use NIS+ (NIS version 3)
  • nis: Use NIS (NIS version 2), also called YP
  • dns: Use DNS (Domain Name Service)
  • files: Use the local files /etc/passwd, /etc/group, ...
  • [NOTFOUND=return]: Stop searching if not found so far
Man page: nsswitch.conf
Create domain with the command: nisdomainname name-of-domain
Start NIS client services:
  • service portmap restart
  • service ypbind start
  • service nscd start (optional - used to cache login and passwd info to improve authentication response time)
Test:
  • Check if portmapper daemon is running and ypbind is a registered service: rpcinfo -u localhost ypbind
  • List passwd file: ypcat passwd
[Potential Pitfall]: If you find that the daemon ypbind on a client is crashing on a network which extends great distances, has heavy traffic or is unreliable, try starting ypbind with the option "-no-ping".
Red Hat configuration fix, edit file: /etc/init.d/ypbind
change to:
... OTHER_YPBIND_OPTS="-no-ping" ...
This will keep ypbind from checking its network connection unnecessarily.

Red Hat GUI client configuration:

GUI tool: /usr/bin/system-config-authentication Select the "Configure NIS ..." button:


NIS and system users:

User Administration:

Add a new user: (as root on NIS server)
  • useradd -g user-group user-id
    (or, also create home directory: useradd -m -g user-group user-id)
  • make -C /var/yp
    Updates local NIS databases.
Changing a password for a user: yppasswd -p user-id

User password management:

Users will now change their passwords using the NIS password command yppasswd instead of the local password file affected command, passwd. When using an NIS slave (described below), then do not modify the password while logged into the NIS master.Also see the YoLinux.com tutorial: Web CGI interface to manage NIS passwords.


NIS maintenance scripts:
Read NIS database files and generate traditional /etc/passwd and /etc/shadow files.
File: nis2pass

1#!/bin/bash
2 
3/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":x:" $3 ":" $4 ":" $5 ":" $6 ":" $7}' passwd
4 
5/usr/lib/yp/makedbm -u /var/yp/name-of-domain/passwd.byname | awk -F':' '{split($1,userid," ");print userid[1] ":" $2 ":13539:0:99999:7:::"}' > shadow
Man pages:
  • makedbm - Create or dump a ypserv database file
    Example: makedbm -u dbname
  • getent - Get entries from administrative database
    Example: getent database [key ...]
Hostname resolution:
It is the predominant practice to use DNS (bind) for hostname resolution. See the YoLinux DNS / Bind configuration tutorial
NIS is capable of performing host name resolution and so is LDAP.
Best Practice: Use DNS for general host resolution and the use the local file /etc/hosts to resolve the host name of the NIS server. This improves performance so that host name resolution of the NIS server does not require a network connection.
Configuring a NIS client to use NIS for host name resolution:
File: /etc/nsswitch.conf
...
...

hosts:     files nis

...
...
This configuration has the system look at the file /etc/hosts for a host name and then it looks to the NIS server.
Configuring an NIS Master - Slave failover server:
One can create a redundant failover slave server to improve network robustness. The NIS clients will be configured with an additional host in /etc/yp.conf.
Client File: /etc/yp.conf
domain name-of-domain server XXX.XXX.XXX.XXX
domain name-of-domain server ZZZ.ZZZ.ZZZ.ZZZ
Where XXX.XXX.XXX.XXX is the IP address of the NIS master server
and ZZZ.ZZZ.ZZZ.ZZZ is the IP address of the NIS slave server.
In addition, the NIS master and slave servers must arrange for NIS database transfers to stay synchronized. The configuration of the NIS servers are the same as for the above single master with the following additions and/or changes:

NIS Master:

  • NIS master file: /etc/ypservers 
    host-name-of-nis-master
host-name-of-nis-slave
  • Edit NIS master Makefile to allow database push to slave: /var/yp/Makefile 
    NOPUSH=false
  • After performing the NIS server procedures above, start the additional database transfer daemon:
    service ypxfrd start
  • Push configuration change notification to clients: yppush
    Perform this after updates to NIS master.
    yppush man page

NIS Slave:


  • /usr/lib/yp/ypinit -s nis-master-hostname: Configure the NIS server as a "slave NIS server" with the option "-s" and state the "master" from which the NIS database transfer will occur.
    Note: This is a change from the above single NIS master configuration.
  • Start the additional database transfer daemon: service ypxfrd start
Man pages:
  • nisdomainname - show or set the system’s NIS/YP domain name
  • ypinit - NIS database install and build program
  • yppush - Push configuration change notification to clients.
  • revnetgroup - Generate reverse netgroup data
  • ypserv - NIS server
  • ypxfr - Transfer NIS database from remote server to local host
  • ypinit - NIS database install and build program
  • yppoll - Return version and master server of a NIS map
  • ypset - Bind ypbind to a particular NIS server
  • ypcat - Print values of all keys in a NIS database
  • ypwhich - Return name of NIS server or map master
  • ypmatch - Print the values of one or more keys from a NIS map
  • yptest - Test NIS configuration
  • yppasswd - (Also: ypchfn, ypchsh) - Change NIS password in the NIS database
  • yppasswdd - NIS password update daemon
  • ypxfrd - NIS map transfer server for NIS master/slave servers.
  • ypserv - NIS server
  • ypbind - NIS binding process
  • nscd - Name service cache daemon
Configuration Files:
  • /etc/yp.conf
  • /etc/ypserv.conf
  • /etc/netgroup
  • /etc/nscd.conf
  • /etc/nsswitch.conf
  • /etc/nickname
Glossary:
  • NSS: Name Service Switch. The /etc/nsswitch.conf, determines the order of lookups performed.
  • RPC: Remote Procedure Call. RPC routines allow C programs to make procedure calls on other machines across the network.
  • YP: Yellow Pages(tm), a registered trademark in the UK of British Telecom plc. forcing Sun to rename it to NIS. The NIS commands retain the "yp" prefix.
  • HostName: The name of the computer system. This is typically configured using Linux OS installation.
  • Host Name Resolution: The lookup by a client to find the IP address given the host name so that it can create a network connection.
courtesy: http://www.yolinux.com/


Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)