24.5.2 Configuring an NIS Server

NIS master servers act as a central, authoritative repository for NIS information. NIS slave servers act as mirrors of this information. There must be only one NIS master server in an NIS domain. NIS slave servers are optional, but configuring at least one provides a degree of redundancy should the master server become unavailable.

To configure an NIS master or slave server:

  1. Install the ypserv package:

    # yum install ypserv 
  2. Edit /etc/sysconfig/network and add an entry to define the NIS domain, for example:

    NISDOMAIN=mynisdom
  3. Edit /etc/ypserv.conf to configure NIS options and to add rules for which hosts and domains can access which NIS maps.

    For example, the following entries allow access only to NIS clients in the mynisdom domain on the 192.168.1 subnet:

    192.168.1.0/24: mynisdom : * : none
    * : * : * : deny

    For more information, see the ypserv.conf(5) manual page and the comments in /etc/ypserv.conf.

  4. Create the file /var/yp/securenets and add entries for the networks for which the server should respond to requests, for example:

    # cat > /var/yp/securenets <<!
    255.255.255.255 127.0.0.1
    255.255.255.0   192.168.1.0
    !
    # cat /var/yp/securenets 
    255.255.255.255 127.0.0.1
    255.255.255.0   192.168.1.0

    In this example, the server accepts requests from the local loopback interface and the 192.168.1 subnet.
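To confirm which client addresses a given securenets file admits before the server is exposed, the following POSIX shell script evaluates rules the way ypserv does: a client matches a rule when the client address masked with the rule's netmask equals the rule's network masked the same way (the keyword host stands for a 255.255.255.255 netmask). This is an added example and not part of the guide or of the ypserv package; the securenets contents it creates in a temporary file are constructed for the demonstration and mirror the example above, and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux guide: evaluate a
# /var/yp/securenets file the way ypserv(8) does, so you can confirm which
# client addresses the server will answer before exposing it.
# Each rule line is "<netmask> <network>" (the keyword "host" stands for a
# netmask of 255.255.255.255); a client matches a rule when
#   (client AND netmask) == (network AND netmask).
# The rules below are constructed for the demo and mirror the guide's
# example; pass /var/yp/securenets instead to check a live server.

# Convert a dotted quad to its 32-bit integer value.
ip2int() {
    _oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE CLIENT_IP: returns 0 if any rule admits CLIENT_IP,
# 1 if no rule matches (ypserv would ignore the request).
securenets_allows() {
    _client=$(ip2int "$2")
    while read -r _mask _net _rest; do
        case $_mask in
            ''|'#'*) continue ;;           # blank line or comment
            host) _mask=255.255.255.255 ;; # single-host rule
        esac
        _m=$(ip2int "$_mask")
        _n=$(ip2int "$_net")
        if [ $(( _client & _m )) -eq $(( _n & _m )) ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed sample securenets file for the demo.
demo_securenets=$(mktemp)
trap 'rm -f "$demo_securenets"' EXIT
cat > "$demo_securenets" <<'EOF'
# loopback and the 192.168.1.0/24 subnet, as in the guide's example
255.255.255.255 127.0.0.1
255.255.255.0   192.168.1.0
EOF

# Print the verdict for one client address.
report() {
    if securenets_allows "$demo_securenets" "$1"; then
        echo "$1: allowed"
    else
        echo "$1: denied"
    fi
}

report 127.0.0.1      # allowed
report 192.168.1.42   # allowed
report 192.168.2.42   # denied
report 10.0.0.5       # denied
```

Because the check is a plain netmask comparison, a rule such as 255.255.0.0 192.168.0.0 admits every address in 192.168.0.0/16, so keep netmasks as narrow as the clients actually require.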

  5. Edit /var/yp/Makefile:

    1. Set any required map options and specify which NIS maps to create using the all target, for example:

      all:  passwd group auto.home
      # hosts rpc services netid protocols mail \
      # netgrp shadow publickey networks ethers bootparams printcap \
      # amd.home auto.local passwd.adjunct \
      # timezone locale netmasks

      This example allows NIS to create maps for the /etc/passwd, /etc/group, and /etc/auto.home files. By default, the information from the /etc/shadow file is merged with the passwd maps, and the information from the /etc/gshadow file is merged with the group maps.

      For more information, see the comments in /var/yp/Makefile.

    2. If you intend to use Kerberos authentication instead of NIS authentication, change the values of MERGE_PASSWD and MERGE_GROUP to false:

      MERGE_PASSWD=false
      MERGE_GROUP=false

      Note

      These settings prevent password hashes from appearing in the NIS maps.

    3. If you configure any NIS slave servers in the domain, set the value of NOPUSH to false:

      NOPUSH=false

      If you update the maps, this setting allows the master server to automatically push the maps to the slave servers.

  6. Configure the NIS services:

    1. Start the ypserv service and configure it to start after system reboots:

      # systemctl start ypserv
      # systemctl enable ypserv

      The ypserv service runs on the NIS master server and any slave servers.

    2. If the server will act as the master NIS server and there will be at least one slave NIS server, start the ypxfrd service and configure it to start after system reboots:

      # systemctl start ypxfrd
      # systemctl enable ypxfrd

      The ypxfrd service speeds up the distribution of very large NIS maps from an NIS master to any NIS slave servers. The service runs on the master server only, and not on any slave servers. You do not need to start this service if there are no slave servers.

    3. Start the yppasswdd service and configure it to start after system reboots:

      # systemctl start yppasswdd
      # systemctl enable yppasswdd

      The yppasswdd service allows NIS users to change their password in the shadow map. The service runs on the NIS master server and any slave servers.

  7. Configure the firewall settings:

    1. Edit /etc/sysconfig/network and add the following entries that define the ports on which the ypserv and ypxfrd services listen:

      YPSERV_ARGS="-p 834"
      YPXFRD_ARGS="-p 835"

      These entries fix the ports on which ypserv and ypxfrd listen.

    2. Allow incoming TCP connections to ports 111 and 834 and incoming UDP datagrams on ports 111 and 834:

      # firewall-cmd --zone=zone --add-port=111/tcp --add-port=111/udp \
        --add-port=834/tcp --add-port=834/udp
      # firewall-cmd --permanent --zone=zone --add-port=111/tcp --add-port=111/udp \
        --add-port=834/tcp --add-port=834/udp

      The portmapper service handles requests on TCP port 111 and UDP port 111, and ypserv handles requests on TCP port 834 and UDP port 834.

    3. On the master server, if you run the ypxfrd service to support transfers to slave servers, allow incoming TCP connections to port 835 and incoming UDP datagrams on port 835:

      # firewall-cmd --zone=zone --add-port=835/tcp --add-port=835/udp
      # firewall-cmd --permanent --zone=zone --add-port=835/tcp --add-port=835/udp

    4. Allow incoming UDP datagrams on the port on which yppasswdd listens:

      # firewall-cmd --zone=zone \
        --add-port=`rpcinfo -p | gawk '/yppasswdd/ {print $4}'`/udp

      Note

      Do not make this rule permanent. The UDP port number that yppasswdd uses is different every time that it restarts.

    5. Edit /etc/rc.local and add the following line:

      firewall-cmd --zone=zone \
        --add-port=`rpcinfo -p | gawk '/yppasswdd/ {print $4}'`/udp

      This entry creates a firewall rule for the yppasswdd service when the system reboots. If you restart yppasswdd, you must correct the firewall rules manually unless you modify the /etc/init.d/yppasswdd script.
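The following POSIX shell script is an added example for steps 4 and 5, not part of the guide: it derives the UDP port that yppasswdd currently holds from rpcinfo -p output and prints the corresponding firewall-cmd command. Unlike the gawk pattern above, which prints field 4 of every line that mentions yppasswdd, it matches only the udp line for that service, stops after the first hit, and refuses to emit a rule if the service is not registered. The rpcinfo output embedded in the script is constructed for the demonstration (the ypserv port 834 matches the fixed port from step 1), and the function names are the script's own.

```shell
#!/bin/sh
# Added example, not part of the Oracle Linux guide: derive the UDP port
# that yppasswdd currently holds from "rpcinfo -p" output and build the
# matching firewall-cmd rule. The guide's gawk one-liner prints field 4 of
# every line that mentions yppasswdd; this version matches only the udp
# line for that service and stops after the first hit, so the rule opens
# exactly the one port in use.
# The rpcinfo output below is constructed for the demo; on a real server
# feed the live command instead:  rpcinfo -p | yppasswdd_firewall_rule public

# Read "rpcinfo -p" text on stdin and print the UDP port registered for
# yppasswdd (fields: program vers proto port service).
yppasswdd_udp_port() {
    awk '$3 == "udp" && $5 == "yppasswdd" { print $4; exit }'
}

# Read "rpcinfo -p" text on stdin and print the firewall-cmd command for
# the given zone. Prints nothing and returns 1 if yppasswdd is not
# registered, instead of emitting a rule with an empty port.
yppasswdd_firewall_rule() {
    _zone=$1
    _port=$(yppasswdd_udp_port)
    case $_port in
        ''|*[!0-9]*)
            echo "yppasswdd is not registered with the portmapper" >&2
            return 1 ;;
    esac
    # Deliberately not --permanent: the port changes when yppasswdd restarts.
    printf 'firewall-cmd --zone=%s --add-port=%s/udp\n' "$_zone" "$_port"
}

# Constructed sample of "rpcinfo -p" output on an NIS master (the
# yppasswdd port value is arbitrary; 834 is the fixed ypserv port from
# the guide).
sample_rpcinfo='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    2   tcp    834  ypserv
    100009    1   udp    873  yppasswdd'

printf '%s\n' "$sample_rpcinfo" | yppasswdd_firewall_rule public
# prints: firewall-cmd --zone=public --add-port=873/udp
```

On a live server, pipe the real output into the function (rpcinfo -p | yppasswdd_firewall_rule public) and run the printed command, or wrap it in eval once you have checked it; the same invocation belongs in /etc/rc.local in place of the gawk version if you prefer the stricter match.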

  8. After you have started all the servers, create the NIS maps on the master NIS server:

    # /usr/lib64/yp/ypinit -m
    
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nismaster is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>."
          next host to add:  nismaster
          next host to add:  nisslave1
          next host to add:  nisslave2
          next host to add:  ^D
    
    The current list of NIS servers looks like this:
    
    nismaster
    nisslave1
    nisslave2
    
    Is this correct?  [y/n: y]  y
    We need a few minutes to build the databases...
    ...
    localhost has been set up as a NIS master server.
    
    Now you can run ypinit -s nismaster on all slave server.

    Enter the host names of the NIS slave servers (if any), type Ctrl-D to finish, and enter y to confirm the list of NIS servers. The host names must be resolvable to IP addresses in DNS or by entries in /etc/hosts.

    The ypinit utility builds the domain subdirectory in /var/yp and makes the NIS maps that are defined for the all target in /var/yp/Makefile. If you have configured NOPUSH=false in /var/yp/Makefile and the names of the slave servers in /var/yp/ypservers, the command also pushes the updated maps to the slave servers.

  9. On each NIS slave server, run the following command to initialize the server:

    # /usr/lib64/yp/ypinit -s nismaster

    where nismaster is the host name or IP address of the NIS master server.

    For more information, see the ypinit(8) manual page.

Note

If you update any of the source files on the master NIS server that are used to build the maps, use the following command on the master NIS server to remake the map and push the changes out to the slave servers:

# make -C /var/yp