Fedora 6 and Red Hat Enterprise Linux Bible
To configure your Fedora or RHEL system as an NIS master server, you should first configure it as an NIS client (that is, set the NIS domain name , set up /etc/yp.conf , and configure client daemons as described earlier). Then you can create the NIS maps and configure the NIS master server daemon processes ( ypserv and rpc.yppasswdd ). The following subsections describe these procedures.
| Note | If there is a firewall on your NIS server, you must make UDP port 111 (sunrpc) available or NIS clients won't be able to connect to your NIS service. If the computer is also a router, if possible, block access to port 111 outside of your local network. |
Creating NIS Maps
To create NIS maps so that your Fedora or RHEL system can be an NIS master server, start from the /var/yp directory from a Terminal window as root user . In that directory, a Makefile enables you to configure which files are being shared with NIS. The files that are shared by default are listed near the beginning of this chapter and within the Makefile itself.
| Note | A Makefile is a file that contains information needed to perform a particular task. You run the make command to actually perform the task. Make is often used for software development, to contain instructions for building and installing a whole set of software commands. |
Choosing Files to Map
If you don't want to share any file that is set up in the Makefile, you can prevent that file from being built. Do this by finding the following line in the Makefile and simply deleting the file you want excluded:
all: passwd group hosts rpc services netid protocols mail \ # netgrp shadow publickey networks ethers bootparams printcap \ # amd.home auto.master auto.home auto.local passwd.adjunct \ # timezone locale netmasks
You may notice that not all the names in the all: line represent the exact filename. For example, netgrp is for the /etc/ netgroup file. The files that each name represents are listed a few lines below the all: line in the Makefile. You may also notice that many of the files are already commented out, including the shadow file.
| Tip | The NIS-HOWTO document suggests that using shadow passwords with NIS is "always a bad idea." Options in the Makefile (described in the next section) enable you to automatically merge the shadow and gshadow files into the passwd and group files, respectively. |
Choosing Mapping Options
Several options are set in the Makefile. You can choose to change these options or leave them as they are. Here are the options:
-
B= - You can use the B= option to allow NIS to use the domain name resolver to find hosts that are not in the current domain. By default, B= is not set. To turn on this feature, set it to -b ( B=-b ).
-
NOPUSH=true - When set to true (the default), the NOPUSH option prevents the maps from being pushed to a slave server. This implies that the NIS master server is the only server for the NIS domain. Set this to false , and place the hostnames of slave servers into the /var/yp/ypservers file if you do not want the NIS master to be the only server for the domain.
-
MINUID=500 - To prevent password entries from being distributed for administrative users, the MINUID is set to 500. This assumes that all regular user accounts on the system that you want to share have UIDs that are 500 or above.
-
MINGID=500 - To prevent password entries from being distributed for administrative groups, the MINGID is set to 500 . This assumes that all regular groups that you want to share have GIDs that are 500 or above.
Note Tools for adding users and groups to Fedora or RHEL always begin with the number 500. Some UNIX and Linux systems, however, may use lower UIDs and GIDs for regular users. In those cases, you may need to lower MINUID and MINGID to below 500, but not below 100 (which always represent administrative logins).
-
MERGE_PASSWD=true - Keep this option set to true if you want each user's password to be merged from the shadow file back into the passwd file that is shared by NIS.
-
MERGE_GROUP=true - Keep this option set to true if you want each group's password to be merged from the gshadow file back into the group file that is shared by NIS.
To build the NIS maps, your system must have the awk, make , and umask commands. In the Makefile, the locations of these commands are /usr/bin/gawk, /usr/bin/ gmake , and umask , respectively. (The umask command is a shell built-in command, so you don't have to look for its location.) You can use comparable commands in different locations by changing the values of the AWK, MAKE , and UMASK variables in the Makefile.
Besides the options just mentioned, there are several variables you can set to change the location of NIS files. For example, the locations of password files (YPPWDDIR) and other source files (YPSRCDIR) are both set to /etc by default. The location of YP commands (YPBINDIR) is set to /usr/ lib /yp . If you want to change the values of these or other variables, you can do so in the Makefile.
Defining NIS Client Access
Add the IP addresses of the client computers that are allowed access to your NIS maps to the /var/yp/securenets file. By default, any computer on any network that can reach your NIS master can have access to your maps (which is not a secure situation). So, it is important that you configure this file. IP numbers can be given in the form of netmask /network pairs. For example:
255.255.255.0 10.0.0.0
This example enables access to your NIS master server maps from all computers on network number 10.0.0.
| Cross-Reference | See Chapter 15 for descriptions of IP addresses and netmasks. |
Configuring Access to Maps
In the /etc/ypserv.conf file, you can define rules regarding which client host computers have access to which maps. You can also set several related options. Access rules in the ypserv.conf file have the following format:
host:domain:map:security
Asterisks can replace ho st, domain , and map fields to create rules that match any host or map, respectively. The host field is the IP address for the network or particular host for which the rule applies. The domain indicates the NIS domain for which the rule applies. The map field is the name of the map for which you are defining access. The security field is replaced by none (to always allow access), port (to allow access from a port less than port number 1024), deny (to deny access to this map), or des (to require DES authentication).
The following options can be set in the ypserv.conf file:
-
dns - If yes ( dns: yes ), NIS will query the TCP/IP name server for hostnames when hostnames are not found in maps. By default, dns:no is set.
-
xfr_check_port - If yes ( xfr_check_port:yes ), the NIS master server must run on a port that is less than port number 1024. If no, any port number may be used. By default, this is set to yes .
If you make changes to the /etc/ypserv.conf file, the ypserv daemon will pick up those changes the next time your system reboots (or the ypserv service restarts). Alternatively, you can have ypserv read the contents of the file immediately by sending the ypserv process a SIGHUP signal. Removing the comment character (#) from the following line in /etc/ypserv.conf allows all hosts access to all maps:
* : * : * : none
Generating the NIS Map Database
To install and build the NIS database, run the ypinit command. To start the ypinit program, type the following:
# /usr/lib/yp/ypinit -m next host to add: maple next host to add:
The ypinit command should automatically choose your hostname to use as an NIS server. After that, it asks you to add slave servers. Add one at a time; then press Ctrl+D after you have entered your last slave server. Verify that the list of NIS servers is correct (type y ). (Remember that slave servers are not required.)
The database is built at this point. A new directory that has the name of your NIS domain is created in /var/yp . For example, if your NIS domain name is trident, the directory is /var/yp/trident . All maps built are then placed in that directory.
Adding NIS Slave Servers
In Fedora and RHEL, NIS is configured by default to have a master NIS server and no slave NIS servers. You can allow your NIS maps to be pushed to one or more slave servers by setting NOPUSH=false in the /var/yp/Makefile file. After that, you need to add the names of the slave servers to your /var/yp/ypservers file. You can either add the hostnames manually or have them added automatically when you run the ypinit command later.
Configuring NIS Server Daemons
The NIS server must be running several daemon processes to be an NIS server. In addition to the NIS server daemons described, the portmap service must be on as well (which it should be by default). Fedora and RHEL supply run-level scripts that you can configure to start NIS server daemon processes. These scripts, located in the /etc/init.d directory, include the following:
-
ypserv - This script starts the ypserv ( /usr/sbin/ypserv ) daemon. It reads information from the /etc/ypserv.conf file to determine what to do. Then it listens for requests from NIS client computers on the network.
-
yppasswdd - This script starts the rpc.yppasswdd ( /usr/sbin/rpc.yppasswdd ) daemon. This daemon handles requests from users on NIS client computers who want to change their user passwords.
Unless you requested that these scripts be configured to start at boot time when you installed Fedora or RHEL, they will not start automatically. You can use the following chkconfig command to set ypserv and yppasswdd scripts to start automatically at boot time.
# chkconfig ypserv on # chkconfig yppasswdd on
If you want to start the services immediately, you can type the following:
# /etc/init.d/ypserv start # /etc/init.d/yppasswdd start
The NIS master server should be up and running. If there are any NIS slave servers, you should configure them now.
Категории