22.5.3 Adding User Accounts to NIS


This procedure assumes that:


NIS authentication is deprecated as it has security issues, including a lack of protection of authentication data.

To create an account for an NIS user on the NIS master server:

  1. If the NIS master server does not already export the base directory of the users' home directories, perform the following steps on the NIS master server:

    1. Create the base directory for user directories, for example /nethome:

      # mkdir /nethome
    2. Add an entry such as the following to /etc/exports:

      /nethome    *(rw,sync)

      You might prefer to restrict which clients can mount the file system. For example, the following entry allows only clients in the subnet to mount /nethome:

    3. Use the following command to export the file system:

      # exportfs -i -o ro,sync *:/nethome
    4. If you have configured /var/yp/Makfile to make the auto.home map available to NIS clients, create the following entry in /etc/auto.home:

      *    -rw,sync    nissvr:/nethome/&

      where nissvr is the host name or IP address of the NIS server.

  2. Create the user account:

    # useradd -b /nethome username

    The command updates the /etc/passwd file and creates a home directory on the NIS server.

  3. Depending on the type of authentication that you have configured:

    • For Kerberos authentication, on the Kerberos server or a client system with kadmin access, use kadmin to create a principal for the user in the Kerberos domain, for example:

      # kadmin -q "addprinc username@KRBDOMAIN"

      The command prompts you to set a password for the user, and adds the principal to the Kerberos database.

    • For NIS authentication, use the passwd command:

      # passwd username

      The command updates the /etc/shadow file with the hashed password.

  4. Update the NIS maps:

    # make -C /var/yp

    This command makes the NIS maps that are defined for the all target in /var/yp/Makefile. If you have configured NOPUSH=false in /var/yp/Makefile and the names of the slave servers in /var/yp/ypservers, the command also pushes the updated maps to the slave servers.


A Kerberos-authenticated user can use either kpasswd or passwd to change his or her password. An NIS-authenticated user must use the yppasswd command rather than passwd to change his or her password.