The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.

23.5.2 Configuring a NIS Server

NIS master servers act as a central, authoritative repository for NIS information. NIS slave servers act as mirrors of this information. There must be only one NIS master server in a NIS domain. Slave servers are optional, but creating at least one slave server provides a degree of redundancy should the master server be unavailable.

To configure a NIS master or slave server:

  1. Install the ypserv package:

    # yum install ypserv

  2. Edit /etc/sysconfig/network and add an entry to define the NIS domain, for example:

    NISDOMAIN=mynisdom

  3. Edit /etc/ypserv.conf to configure NIS options and to add rules for which hosts and domains can access which NIS maps.

    For example, the following entries allow access only to NIS clients in the mynisdom domain on the 192.168.1 subnet:

    192.168.1.0/24: mynisdom : * : none
    * : * : * : deny

    For more information, see the ypserv.conf(5) manual page and the comments in /etc/ypserv.conf.

  4. Create the file /var/yp/securenets and add entries for the networks for which the server should respond to requests, for example:

    # cat > /var/yp/securenets <<!
    255.255.255.255 127.0.0.1
    255.255.255.0   192.168.1.0
    !
    # cat /var/yp/securenets 
    255.255.255.255 127.0.0.1
    255.255.255.0   192.168.1.0

    In this example, the server accepts requests from the local loopback interface and the 192.168.1 subnet.

  5. Edit /var/yp/Makefile:

    1. Set any required map options and specify which NIS maps to create using the all target, for example:

      all:  passwd group auto.home
      # hosts rpc services netid protocols mail \
      # netgrp shadow publickey networks ethers bootparams printcap \
      # amd.home auto.local. passwd.adjunct \
      # timezone locale netmasks

      This example allows NIS to create maps for the /etc/passwd, /etc/group, and /etc/auto.home files. By default, the information from the /etc/shadow file is merged with the passwd maps, and the information from the /etc/gshadow file is merged with the group maps.

      For more information, see the comments in /var/yp/Makefile.

    2. If you intend to use Kerberos authentication instead of NIS authentication, change the values of MERGE_PASSWD and MERGE_GROUP to false:

      MERGE_PASSWD=false
      MERGE_GROUP=false

      Note

      These settings prevent password hashes from appearing in the NIS maps.

    3. If you configure any NIS slave servers in the domain, set the value of NOPUSH to false:

      NOPUSH=false

      If you update the maps, this setting allows the master server to automatically push the maps to the slave servers.

  6. Configure the NIS services:

    1. Start the ypserv service and configure it to start after system reboots:

      # service ypserv start
      # chkconfig ypserv on

      The ypserv service runs on the NIS master server and any slave servers.

    2. If the server will act as the master NIS server and there will be at least one slave NIS server, start the ypxfrd service and configure it to start after system reboots:

      # service ypxfrd start
      # chkconfig ypxfrd on

      The ypxfrd service speeds up the distribution of very large NIS maps from a NIS master to any NIS slave servers. The service runs on the master server only, and not on any slave servers. You do not need to start this service if there are no slave servers.

    3. Start the yppasswdd service and configure it to start after system reboots:

      # service yppasswdd start
      # chkconfig yppasswdd on

      The yppasswdd service allows NIS users to change their password in the shadow map. The service runs on the NIS master server and any slave servers.

  7. Configure the firewall settings:

    1. Edit /etc/sysconfig/network and add the following entries that define the ports on which the ypserv and ypxfrd services listen:

      YPSERV_ARGS="-p 834"
      YPXFRD_ARGS="-p 835"

      These entries fix the ports on which ypserv and ypxfrd listen.

    2. Allow incoming TCP connections to ports 111 and 834 and incoming UDP datagrams on ports 111 and 834 from the local network:

      # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
        -m state --state NEW -m tcp --dport 111 -j ACCEPT
      # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
        -m state --state NEW -m tcp --dport 834 -j ACCEPT
      # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
        -m udp --dport 111 -j ACCEPT
      # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
        -m udp --dport 834 -j ACCEPT
      # service iptables save

      In the example, subnet_addr/prefix_length specifies the network address, for example 192.168.1.0/24.

      portmapper services requests on TCP port 111 and UDP port 111; ypserv services requests on TCP port 834 and UDP port 834.

    3. On the master server, if you run the ypxfrd service to support transfers to slave servers, allow incoming TCP connections to port 835 and incoming UDP datagrams on port 835 from the local network:

      # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
        -m state --state NEW -m tcp --dport 835 -j ACCEPT
      # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
        -m udp --dport 835 -j ACCEPT
      # service iptables save

    4. Allow incoming UDP datagrams from the local network on the port on which yppasswdd listens:

      # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
        -m udp --dport `rpcinfo -p | gawk '/yppasswdd/ {print $4}'` -j ACCEPT

      Note

      Do not save this rule. The UDP port number that yppasswdd uses is different every time that it restarts.

    5. Edit /etc/rc.local and add the following line:

      iptables -I INPUT -s subnet_addr/prefix_length -p udp \
        -m udp --dport `rpcinfo -p | gawk '/yppasswd/ {print $4}'` -j ACCEPT

      This entry creates a firewall rule for the yppasswdd service when the system reboots. If you restart yppasswdd, you must correct the iptables rules manually unless you modify the /etc/init.d/yppasswdd script.

  8. After you have started all the servers, create the NIS maps on the master NIS server:

    # /usr/lib64/yp/ypinit -m
    
    At this point, we have to construct a list of the hosts which will run NIS
    servers.  nismaster is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>."
          next host to add:  nismaster
          next host to add:  nisslave1
          next host to add:  nisslave2
          next host to add:  ^D
    
    The current list of NIS servers looks like this:
    
    nismaster
    nisslave1
    nisslave2
    
    Is this correct?  [y/n: y]  y
    We need a few minutes to build the databases...
    ...
    localhost has been set up as a NIS master server.
    
    Now you can run ypinit -s nismaster on all slave server.

    Enter the host names of the NIS slave servers (if any), type Ctrl-D to finish, and enter y to confirm the list of NIS servers. The host names must be resolvable to IP addresses in DNS or by entries in /etc/hosts.

    The ypinit utility builds the domain subdirectory in /var/yp and makes the NIS maps that are defined for the all target in /var/yp/Makefile. If you have configured NOPUSH=false in /var/yp/Makefile and the names of the slave servers in /var/yp/ypservers, the command also pushes the updated maps to the slave servers.

  9. On each NIS slave server, run the following command to initialize the server:

    # /usr/lib64/yp/ypinit -s nismaster

    In the example, nismaster is the host name or IP address of the NIS master server.

    For more information, see the ypinit(8) manual page.

Note

If you update any of the source files on the master NIS server that are used to build the maps, use the following command on the master NIS server to remake the map and push the changes out to the slave servers:

# make -C /var/yp
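
The following shell functions, an added example that is not part of the Oracle documentation, check which client addresses the /var/yp/securenets file from step 4 would admit. The matching rule (client AND netmask equals network, with "host ADDR" treated as a 255.255.255.255 netmask) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed matching rule: a line
# "NETMASK NETWORK" admits a client when (client & NETMASK) == NETWORK, and
# "host ADDR" is shorthand for netmask 255.255.255.255.

# Print a dotted quad as a 32-bit integer; fail on anything malformed.
ip_to_int() (
    case $1 in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|????*|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# securenets_allows FILE CLIENT_IP
# Returns 0 = admitted, 1 = no entry matches, 2 = bad address, 3 = unreadable file.
securenets_allows() (
    [ -r "$1" ] || return 3
    ip=$(ip_to_int "$2") || return 2
    while read -r mask net rest || [ -n "$mask" ]; do
        case $mask in ''|'#'*) continue ;; esac
        if [ "$mask" = host ]; then mask=255.255.255.255; fi
        m=$(ip_to_int "$mask") || continue   # skip lines that do not parse
        n=$(ip_to_int "$net") || continue
        if [ "$(( $ip & $m ))" -eq "$n" ]; then return 0; fi
    done < "$1"
    return 1
)

# Constructed sample: the two entries from step 4, written to a temporary file.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' '255.255.255.255 127.0.0.1' '255.255.255.0   192.168.1.0' > "$f"
    echo "$f"
}

sample=$(write_sample)
for client in 127.0.0.1 192.168.1.57 192.168.2.57 10.0.0.8; do
    if securenets_allows "$sample" "$client"; then verdict=admitted
    else verdict=refused; fi
    echo "$client: $verdict"
done
rm -f "$sample"
```

To check a live server, pass /var/yp/securenets as the first argument instead of the sample file.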