This site will turn read-only at the end of September 2017.

Sharing logins on multiple machines using NIS

Posted by Steve on Wed 20 Oct 2004 at 08:21


NIS (the Network Information Service, formerly called Yellow Pages, which is why its commands carry the yp prefix) is designed to let people use the same username and password on a group of machines; in NIS terms this group of machines is called a domain. This small introduction will guide you through setting up a central NIS server to centralise your logins, and a client to use it.

Of all the systems for sharing login details across multiple machines NIS is the oldest and possibly still the most widely used. It is also the least secure: nothing on the wire is encrypted and neither server nor client authenticates the other, so it only belongs on a trusted LAN (see the comments below for IPSec as one answer to that). Other alternatives include directory services such as LDAP (OpenLDAP) and the Kerberos authentication system.

For NIS to work you need a single central machine, the master server, which holds the complete set of usernames and passwords. The other machines query it when validating logins, so no local copies of the user accounts need to exist on them.

This scales well to large installations: when you wish to add a new user you only need to do it once on the central server rather than on each individual machine.

Installing the server is a simple matter:

uml200:~# apt-get install nis
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  portmap
The following NEW packages will be installed:
  nis portmap
0 packages upgraded, 2 newly installed, 0 to remove and 0  not upgraded.
Need to get 190kB of archives. After unpacking 699kB will be used.

Once the packages have been downloaded and installed you will be prompted for a domain name; choose one and make a note of it. (In NIS terms a domain is simply a name for the group of machines that share one set of maps; it has no connection with DNS names or Windows WORKGROUP names. Any machine on the network that knows the name can bind to your server, so do not pick something obvious.)

Next set the machine up as a master server by editing the file /etc/default/nis, making sure that it contains the following lines:

NISSERVER=true
NISCLIENT=false

Once this is done you need to control which machines are allowed to access the NIS server. Do this by editing the file /etc/ypserv.securenets, where each line is a netmask followed by a network address. As installed on Debian the file ends with an entry of 0.0.0.0 0.0.0.0 which allows every address on the Internet; delete that line and list only your own network, as in the following example:

# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0

Restart the server with /etc/init.d/nis restart and the server is ready. Remember that securenets only looks at the source address of each request and nothing else, so every host on the listed network, and any host that can spoof an address on it, can read your maps. Treat it as a first filter, not as authentication, and keep portmap (port 111) and the ypserv port firewalled from anything outside the LAN.
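As an added example (not part of the original article), here is a small shell script that reads a ypserv.securenets file the way ypserv does, warns about the catch-all 0.0.0.0 entry, and tells you whether a given client address would be admitted. The file contents and the two client addresses are constructed for the demonstration; run it against your real /etc/ypserv.securenets by changing the path.

```sh
#!/bin/sh
# Added example (not from the original article): parse a ypserv.securenets
# file, flag the catch-all entry Debian ships by default, and answer
# "would client X get through?" for a given address.

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# securenets_open FILE -> 0 if any entry has a zero netmask, i.e. admits
# every source address (the "0.0.0.0 0.0.0.0" line that must be removed)
securenets_open() {
    while read -r mask net _; do
        case "$mask" in ''|'#'*) continue ;; esac      # blank line or comment
        if [ "$mask" != host ] && [ "$(ip2int "$mask")" -eq 0 ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# securenets_allows FILE IP -> 0 if some "netmask network" entry matches IP.
# "host" as the netmask is ypserv's shorthand for 255.255.255.255.
securenets_allows() {
    ip=$(ip2int "$2")
    while read -r mask net _; do
        case "$mask" in ''|'#'*) continue ;; esac
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip2int "$mask")
        n=$(ip2int "$net")
        if [ $(( ip & m )) -eq $(( n & m )) ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed sample: the article's line plus the catch-all entry that
# /etc/ypserv.securenets contains as installed on Debian.
SECURENETS_SAMPLE=$(mktemp)
cat > "$SECURENETS_SAMPLE" <<'EOF'
# Restrict to 192.168.1.x
255.255.255.0 192.168.1.0
# This line gives access to everybody. PLEASE ADJUST!
0.0.0.0 0.0.0.0
EOF

# The same file with the catch-all removed: what it should look like.
SECURENETS_FIXED=$(mktemp)
grep -v '^0\.0\.0\.0' "$SECURENETS_SAMPLE" > "$SECURENETS_FIXED"

# securenets_report FILE -> print what FILE admits for two test clients
securenets_report() {
    if securenets_open "$1"; then
        echo "WARNING: $1 admits every address; remove the 0.0.0.0 entry"
    fi
    for client in 192.168.1.42 10.0.0.5; do
        if securenets_allows "$1" "$client"; then
            echo "$client: allowed"
        else
            echo "$client: denied"
        fi
    done
}

securenets_report "$SECURENETS_SAMPLE"
securenets_report "$SECURENETS_FIXED"
```

The match is the same one ypserv performs: the client address and the network are both ANDed with the netmask and compared, so a zero netmask matches everything, which is why the shipped default must go before the server is exposed to anything.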

This gives us a running NIS server; the next step is to initialise its maps. Run ypinit -m, which asks for the list of NIS servers in the domain (in our case just the master we have set up, so accept the local hostname and press Ctrl-D to end the list) and then builds the maps under /var/yp from the server's own /etc/passwd, /etc/group and friends:

root@sun:~# /usr/lib/yp/ypinit -m

Now we move on to setting up the clients.

Each client will also need the NIS package, so install that:

apt-get install nis

Enter the name of the domain you chose earlier (this is stored on the server in the file /etc/defaultdomain if ever you forget it).

Once this is done you will need to tell the client which server to bind to. Put its IP address in the file /etc/yp.conf as a ypserver line, for example:

ypserver 192.168.1.1

Name the server explicitly like this rather than using the broadcast option: with broadcast, whichever machine on the LAN answers first becomes the client's account database. Restart NIS with /etc/init.d/nis restart and test that this machine can reach the server by running:

root@undecided:/etc# ypcat passwd
mp3:x:1002:1002::/home/mp3:
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:

Here we see that we've received some results, so we're good to go. Note that the password field shows x rather than a hash: the hashes are kept in the separate shadow.byname map, which ypserv by default only serves to requests coming from a privileged port, i.e. to root on a client that passes securenets. If MERGE_PASSWD is set to true in /var/yp/Makefile the hashes are merged into the passwd map instead, and this ypcat output would then show them to every user on every permitted host.
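Before trusting the map it is worth checking what it actually contains. The following is an added example (not from the original article) that audits ypcat passwd output for the things a reviewer cares about: real hash material in the password field, an empty password field, a malformed entry, or a second UID 0 account. The sample map contents are constructed, including the dummy hash string; on a live client you would feed it `ypcat passwd > /tmp/map` instead.

```sh
#!/bin/sh
# Added example (not from the original article): audit "ypcat passwd"
# output. Run here on constructed sample output, not a live server.
#
# audit_passwd_map FILE -> one line per finding on stdout; returns 0 if
# the map is clean and 1 if anything was found. Looks for:
#   * entries that are not seven colon-separated fields
#   * an empty password field (anyone can log in as that user)
#   * hash material in field 2 (every host passing securenets can read
#     this map, so MERGE_PASSWD=true hands the hashes to all of them)
#   * a UID 0 account other than root (a root-equivalent supplied by NIS)
audit_passwd_map() {
    awk -F: '
        NF != 7 { print "malformed entry: " $0; bad++; next }
        $2 == "" { print "empty password, no password needed: " $1; bad++ }
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!+$/ {
            print "password hash exposed to every client: " $1; bad++
        }
        $3 == 0 && $1 != "root" { print "uid 0 account served by NIS: " $1; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: the three entries shown in the article.
MAP_CLEAN=$(mktemp)
cat > "$MAP_CLEAN" <<'EOF'
mp3:x:1002:1002::/home/mp3:
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:
EOF

# Constructed sample of things that should never appear in the map; the
# hash string is a dummy, not a real password hash.
MAP_BAD=$(mktemp)
cat > "$MAP_BAD" <<'EOF'
skx:$1$dummysalt$notarealhash:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
guest::1003:1003::/home/guest:/bin/bash
toor:x:0:0::/root:/bin/bash
broken:x:1004:1004:/home/broken
EOF

audit_passwd_map "$MAP_CLEAN" && echo "clean map: ok"
audit_passwd_map "$MAP_BAD" || echo "bad map: see findings above"
```

Run it once as an ordinary user and once as root on the client: the two runs should give the same result, and if the root run shows hashes while the user run does not, that is the shadow map being served to privileged ports as described above.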

This is the trickiest step. On the client you need to remove the ordinary user accounts from the password, shadow, group and group shadow files (/etc/passwd, /etc/shadow, /etc/group and /etc/gshadow). By ordinary users we really do mean people: on Debian those have UIDs from 1000 up to 59999. Leave the system accounts such as bin, bind and nobody alone (nobody is UID 65534, so "everything above 1000" is not quite the right rule). The users' home directories are untouched by this, so make sure the UIDs on the server match the ones the users had locally, or their files will appear to belong to someone else.

(If you want a login to be available only on the local machine then leave it there, and certainly leave the root account alone: you still want to be able to log in when the NIS server is down.)

At the end of /etc/passwd add the line +::::::.

At the end of /etc/shadow add +::::::::, and at the end of the other two files, /etc/group and /etc/gshadow, add +:::. These are compat-mode entries: they tell the C library to splice the corresponding NIS map in at that point, and they only have that meaning because Debian's /etc/nsswitch.conf lists compat for the passwd, group and shadow databases. Get the colon count right: each line must have the same number of fields as a normal entry in that file (seven, nine, four and four respectively).

Now try logging in as one of the NIS users!
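Because a slip in this step locks people out, here is an added example script (not from the original article) that performs it on copies of the four files rather than on /etc directly: it drops the ordinary users, which on Debian means UIDs 1000 to 59999 so that nobody (65534) survives, keeps root and the system accounts, appends the correctly sized compat line to each file, and checks that nsswitch.conf actually uses compat. The sample account files are constructed from the accounts shown above, and the UID bounds are an assumption matching Debian's defaults.

```sh
#!/bin/sh
# Added example (not from the original article): do the "tricky step" on
# copies of passwd, shadow, group and gshadow. Ordinary users (Debian
# convention: UIDs 1000..59999) are removed; root, low-UID system accounts
# and nobody (65534) stay; the compat "+" line is appended to each file.
# Sample files are constructed below; the bounds are assumed defaults.

# dropped_names FILE IDFIELD MIN MAX -> names (field 1) of the entries in
# FILE whose numeric field IDFIELD lies in MIN..MAX, one per line
dropped_names() {
    awk -F: -v f="$2" -v lo="$3" -v hi="$4" \
        '$1 != "+" && $f >= lo && $f <= hi { print $1 }' "$1"
}

# drop_names FILE NAMES COMPAT -> FILE without the entries named in NAMES
# (one per line) and without any old "+" line, with COMPAT appended last
drop_names() {
    awk -F: -v compat="$3" '
        FILENAME == ARGV[1] { drop[$1] = 1; next }   # first file: names
        $1 == "+" || ($1 in drop) { next }
        { print }
        END { print compat }
    ' "$2" "$1"
}

# nsswitch_compat FILE -> 0 if passwd, group and shadow all use "compat",
# which is what gives the "+" lines their meaning; 1 otherwise
nsswitch_compat() {
    for db in passwd group shadow; do
        grep -Eq "^[[:space:]]*$db:[[:space:]]*compat([[:space:]]|\$)" "$1" \
            || return 1
    done
}

# migrate_to_nis DIR MIN MAX -> write DIR/{passwd,shadow,group,gshadow}.new
# with the user entries removed and the compat lines appended. Review the
# .new files, then install them with vipw/vigr, never by plain cp.
migrate_to_nis() {
    dir=$1
    dropped_names "$dir/passwd" 3 "$2" "$3" > "$dir/users.dropped"
    dropped_names "$dir/group"  3 "$2" "$3" > "$dir/groups.dropped"
    drop_names "$dir/passwd"  "$dir/users.dropped"  '+::::::'   > "$dir/passwd.new"
    drop_names "$dir/shadow"  "$dir/users.dropped"  '+::::::::' > "$dir/shadow.new"
    drop_names "$dir/group"   "$dir/groups.dropped" '+:::'      > "$dir/group.new"
    drop_names "$dir/gshadow" "$dir/groups.dropped" '+:::'      > "$dir/gshadow.new"
}

# Constructed sample client, using the accounts shown in the article.
NIS_SAMPLE=$(mktemp -d)
cat > "$NIS_SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:2:2:bin:/bin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
skx:x:1000:1000:Steve Kemp,,,:/home/skx:/bin/bash
ipaudit:x:1001:100::/home/ipaudit:
EOF
cat > "$NIS_SAMPLE/shadow" <<'EOF'
root:*:12700:0:99999:7:::
bin:*:12700:0:99999:7:::
nobody:*:12700:0:99999:7:::
skx:!:12700:0:99999:7:::
ipaudit:!:12700:0:99999:7:::
EOF
cat > "$NIS_SAMPLE/group" <<'EOF'
root:x:0:
bin:x:2:
users:x:100:ipaudit
nogroup:x:65534:
skx:x:1000:
EOF
cat > "$NIS_SAMPLE/gshadow" <<'EOF'
root:*::
bin:*::
users:*::ipaudit
nogroup:*::
skx:!::
EOF
cat > "$NIS_SAMPLE/nsswitch.conf" <<'EOF'
passwd:         compat
group:          compat
shadow:         compat
hosts:          files dns
EOF

migrate_to_nis "$NIS_SAMPLE" 1000 59999
nsswitch_compat "$NIS_SAMPLE/nsswitch.conf" || echo "nsswitch.conf lacks compat"
```

Note that ipaudit's primary group is users (GID 100), which stays local, so that group keeps its member list; only the user-private group skx goes, since the NIS group map will supply it. Diff each .new file against the original before installing it.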

When the time comes to add a new user to your setup you should only need to add it on the server, with adduser as usual, and then rebuild the maps by running make in /var/yp (cd /var/yp && make); every client will then see the new account. You do not need to rerun ypinit unless the list of servers changes.

 

 


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (127.0.xx.xx) on Fri 22 Oct 2004 at 22:20

that seems easy. So, if I have a user who is checking mail on one of the yp client boxes via pop will it still work? How will the mail server deliver to his account, does it need to check yp too? Adding a new user becomes more complicated? ie. add user to yp server, add home directory to remote machine. What about homedir permissions etc. Thanks. ygnome


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (127.0.xx.xx) on Fri 22 Oct 2004 at 23:49

Normally you'd use NFS on the /home and /var/mail directories to share files as well as accounts.

But beware, both NIS and NFS have inherent security design deficiencies which cannot be solved without encryption and authentication of all their network traffic. This can be solved with a VPN (which does not protect traffic on the local network) or with IPSec, which I use.

I'd write a more detailed article about how I use IPSec in Debian if this site weren't using ads and thus making money off something I'm expected to provide for free. An ad-sponsored site is not a community site.


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (127.0.xx.xx) on Fri 22 Oct 2004 at 23:57

Well, the remote machines are on a low-bandwidth LAN that saturates with business app traffic, so I'm not enamoured with the idea of mounting a remote homedir by any method. Making the users wait ages to open mail messages won't improve their humor, either... I can't see any ads, am I in some kind of parallel universe? ygnome


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 00:31

I'm not clear on what exactly your situation is; I can't figure out your setup from what you've written so far, so I can't really recommend anything other than pointing out that if you use POP or IMAP from a client machine to the mail server you don't have to do anything special on the POP/IMAP client host; no NIS or NFS is necessary there.

However, if the NIS server is not the mail server, you could get the mail server to have the same accounts as the NIS server by making the mail server into a NIS client. But if you don't also use NFS, then the mail server mail files will not exist on the NIS server and the home directories on the NIS server will not exist on the mail server.

I see google ads in the right-hand column on the front/main page (not on the article pages).


Re: Sharing logins on multiple machines using NIS
Posted by Steve (127.0.xx.xx) on Sat 23 Oct 2004 at 01:03

Two adverts on the index page - a page that users wouldn't see if they read the pieces using an RDF reader and skip straight to the articles.

The money raised so far is minuscule, sufficiently small that it's almost not worth the effort of setting up. If this doesn't change the adverts may well disappear.

If you don't like adverts feel free to mirror the articles elsewhere and don't display any - I won't object to any of my content being used in that manner. Other authors, if any, may of course differ.

I've given both time in setting up the site, and energy in writing pieces - if you don't wish to give anybody anything that's your choice.

Post anything you write on Advogato or some other advert free site. If it's well written, interesting, or original I'm sure people will appreciate it. I certainly hope people appreciate what I've done so far.

Of course it's very easy to denounce adverts and use that as an excuse for not actually doing anything or giving anything away at all. Maybe that's just my cynical nature coming out though and unfair - after all information wants to be free, and so does webhosting...

-- Steve.org.uk


Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 06:30

I'd gladly mirror the site if you actually wanted to have a lesser load on your server and if you could solve the copyright-on-articles thing. I like this site otherwise; I'd even host it for you. But as long as you have ads, you are making money off of me and other people who would write articles, and thus your motivation and objectivity are in doubt. Therefore I, for one, will not write any articles here. My original comment was just an aside, an explanation why I did not take the next obvious step in the discussion of NIS, NFS and IPSec.

I'm sure you've given plenty. So have I. Just not to you. And effort does not equal right to compensation.

You see that article on IPSec in the Debian Wiki? I wrote that. To write a micro-howto for racoon users in Debian would be the next logical step for me; but I won't write it until I can find a suitable forum for it where enough people will read it, and I won't write it here as long as you would place ads alongside it and not pay me.

That's all I'm saying.


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 07:01

Amazing

The owner of the site puts up the time to create it, host it and pays the mb costs of the rest of the world accessing it for free, and you get antsy because he might generate some micro-payments from some insignificant ads that are never going to equal his costs, never mind make him a profit...

And you have the nerve to call that 'Making money from Me'

Get A LIFE, dude


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 07:34

I don't really care about the minuscule amounts of money Steve Kemp currently gets (or quite possibly he hasn't yet gotten any).

I do care about ads and ad revenue compromising his objectivity. What if I were to write an article about Google (his current sponsors), criticizing them for something? Would he feel hesitant about allowing it, perhaps demanding changes or even feel inclined to remove it? I know that these are risks and attitudes that are inseparable from having paid advertisements.

There is also the deeper issue of advertisements being the same thing as selling yourself and your voice. This is a Debian site. Would he take ads from, say, Canonical, Inc. (the Ubuntu guys)? From Red Hat? Sun? Microsoft? If you think some of these would not be OK, remember that all those companies have bought Google ads and could appear on this site at any moment.

Anyway, the purpose of my posts in this thread has not been to argue or badger anybody; it has been my goal merely to explain my position on why I choose not to write an article here. I think I have now done so sufficiently.


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 08:18

Yup. You have made your position perfectly clear:

"and I won't write it here as long as you would place ads alongside it and not pay me"

You're not worried about Steve's objectivity at all, in fact you want some of the ill-gotten gains yourself, but as soon as someone calls you on it, you descend into a 'holier than thou' argument about it.


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 11:06

Bad wording on my part; I do not actually want any money. I was trying to highlight the unbalanced state of the current situation, not describe a more desirable situation.

Yes, I could have written it better.


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 11:46

It's alright, we have got the drift of where you're coming from:

You don't want to be paid, and you are damned if you'll let Steve try and cover his costs.

Go for it, Steve, I see Google ads many times every day, if you can generate any cash out of them, all power to you!

Feel free to put a pay-pal donate button up too.


Re: Advertisements
Posted by Steve (127.0.xx.xx) on Sat 23 Oct 2004 at 12:09

Thanks for the rational arguments. I have decided upon a compromise; possibly this will allow you to feel you can share things here, possibly not. If you create a user account and log in then you will see no advertising. The motivation is that if you're contributing, either readership, comments, or pieces of text, then you are repaying and don't need to see the adverts. If you're just here to read pieces and look up a piece of information then you're paying for that by seeing an advert on the index. How does that sound?

-- Steve.org.uk


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 13:40

Hmm. I'd have to say no. It's not a problem that I personally see ads, it's that text that I wrote would possibly be used to promote things I don't agree with. By writing articles here I'd be attracting people here to see the ads. And there's still the matter of loss of objectivity.

Yeah, the ads are unobtrusive, the chances of an objectionable ad are slight, and anyone could register to evade them. But it's the principle of the thing.

And just to shut some people up I'll be writing that IPSec micro-howto now; I'll be posting it shortly. I'll probably put it in the Debian Wiki or something as well.

And for the record, no, I would have no problems whatsoever with a donation button.


Re: Advertisements
Posted by Steve (127.0.xx.xx) on Sat 23 Oct 2004 at 13:47

I guess we just have differing opinions then. I don't think that anything promoted here will unduly influence the content - but of course it could happen and of course I may be unaware of it. I hope that if it does I would be rightly called out for it. I certainly respect your opinion, and I'm glad you took the time to express it so nicely, but it looks like we've taken it as far as we can usefully do here. For what it's worth the Google adverts I've seen elsewhere have always been unobtrusive and often relevant. A small bonus that PayPal wouldn't give. PayPal I've never really thought a lot of, whereas Google has always been a company which has had my respect. This could change with their recent public listing, but I hope it doesn't.

-- Steve.org.uk


Re: Advertisements
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 14:04

I never suggested Paypal specifically; aren't there others, like BitPass? I dunno really, I've just heard about them.


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (127.0.xx.xx) on Sat 23 Oct 2004 at 11:30

What is the need for this article when all the information required is present in /usr/share/doc/nis/nis.debian.howto.gz? It's even short and easy to read. I really don't see the point.


Re: Sharing logins on multiple machines using NIS
Posted by Steve (127.0.xx.xx) on Sat 23 Oct 2004 at 12:06

The information in all the pieces posted thus far has been contained elsewhere. The point is to collect it in here, make sure that it's written well and then allow people to find it easily. Sure some pieces may be more basic than others, but I believe making information more readable and organised is a useful thing in its own right.

-- Steve.org.uk


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (71.141.xx.xx) on Tue 6 Feb 2007 at 06:05
Well I would not have found this informative NIS tutorial in the Debian system, let alone Ubuntu. I didn't even know it exists! Thanks to Google and this webpage, I now have my NIS set up and I thank you for this, even if it has ads and whatnot. THANK YOU!!!!


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (193.174.xx.xx) on Mon 10 Oct 2005 at 11:32
Hello,

Has anyone got more sophisticated configuration examples?
I experienced some problems with NIS when using NIS slave servers.
To compensate for network failures / downtime of the NIS master I set up every client as a
NIS slave. But there are update problems occurring in the distribution of changed user information (password changes, adding new users etc).
The master is not able to push the information to all slaves when running "make" in /var/yp (TIME OUT); I had to create my own update script so that it worked at least on some machines.
Maybe the problem is that I use a network consisting of different Linux versions / different versions of ypserv on some NIS slaves.
(The slave machines with the older versions of ypserv [= same version as the master's ypserv] work, the newer ones don't. ypbind works well on all.)
It's strange, because the setup of the slaves with "ypinit -s nis-master" works fine on ALL machines (so it seems I can debar network access authorisation issues).
I think it would be a little unhealthy to run "ypinit" every time to enforce an update of the local NIS slave database.

Any ideas how to do fault diagnosis in this case?

(excuse me for the bad english ;-)

bye,

josh


Re: Sharing logins on multiple machines using NIS
Posted by maxk (192.115.xx.xx) on Tue 18 Oct 2005 at 23:05
Hello, Josh.
I see this document isn't trying to be a full-featured HOWTO; there are other places for those. As for "more complex" situations, I've run several NIS domains. Some tips:
1. NIS is really useful in a LAN; other situations are not really handled, I think.
2. When you exceed 30-40 clients you had better have a slave for the rest.
2.1 A good segmentation would be continuous blocks of 32 nodes:
x.y.z.0-31, x.y.z.32-63, x.y.z.64-95 and so on, so you limit each slave to treating its own net block. Logically, you need to have about $num_machines/32 slaves.
In case you have a really huge domain, you may consider NIS+ or LDAP (prefer the latter).
2.2 There's no need to have each client as a NIS slave - you're missing the point of centralizing the NIS control points. If you want to simply copy /etc/passwd and related stuff, you may as well consider using rdist.

4. I think a more suitable place for NIS ./etc files is /var/yp/etc (for 1 domain) or /var/yp/etc/$NIS_DOMAIN_NAME, so you can have several NIS domains, with *separate* user databases. this has an advantage of "physical" separation of local vs. NIS users data - incl. automount maps etc.

5. you should as well separate UID values from one NIS domain to another, if you can, e.g. nisdom1 should have UIDS in the range: 10000..19999 and the nisdom2 in the range of 20000..29999 etc.

6. for security reasons there are ways to make both clients and servers listen on pre-defined ports, for a better iptables handling ( you can of course handle this by RELATED state matching to the portmap port 111, but... I don't know what's the advantage to have a connection to server not having /etc/services entry... maybe there's a better solution. )

7. There are version compatibility problems, so the best practice is to use the same ypserv and yptools packages on all the machines; usually the problems occur in conversations between NIS servers (like pushing the maps to the slaves..).

8. Fault diagnostic is done via increasing log levels and reading the logs

Regards, Max.


Re: Sharing logins on multiple machines using NIS
Posted by Anonymous (98.221.xx.xx) on Tue 4 Oct 2011 at 13:27
I have to agree with the poster about not writing articles on an ad-sponsored site.
