The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
NIS master servers act as a central, authoritative repository for NIS information. NIS slave servers act as mirrors of this information. There must be only one NIS master server in a NIS domain. The number of NIS slave servers is optional, but creating at least one slave server provides a degree of redundancy should the master server be unavailable.
To configure a NIS master or slave server:

1. Install the ypserv package:

       # yum install ypserv

2. Edit /etc/sysconfig/network and add an entry to define the NIS domain, for example:

       NISDOMAIN=mynisdom

3. Edit /etc/ypserv.conf to configure NIS options and to add rules for which hosts and domains can access which NIS maps.

   For example, the following entries allow access only to NIS clients in the mynisdom domain on the 192.168.1 subnet:

       192.168.1.0/24: mynisdom : * : none
       * : * : * : deny

   For more information, see the ypserv.conf(5) manual page and the comments in /etc/ypserv.conf.

4. Create the file /var/yp/securenets and add entries for the networks for which the server should respond to requests, for example:

       # cat > /var/yp/securenets <<!
       255.255.255.255 127.0.0.1
       255.255.255.0   192.168.1.0
       !
       # cat /var/yp/securenets
       255.255.255.255 127.0.0.1
       255.255.255.0   192.168.1.0

   In this example, the server accepts requests from the local loopback interface and the 192.168.1 subnet.

5. Edit /var/yp/Makefile:

   a. Set any required map options and specify which NIS maps to create using the all target, for example:

          all:  passwd group auto.home
          # hosts rpc services netid protocols mail \
          # netgrp shadow publickey networks ethers bootparams printcap \
          # amd.home auto.local. passwd.adjunct \
          # timezone locale netmasks

      This example allows NIS to create maps for the /etc/passwd, /etc/group, and /etc/auto.home files. By default, the information from the /etc/shadow file is merged with the passwd maps, and the information from the /etc/gshadow file is merged with the group maps.

      For more information, see the comments in /var/yp/Makefile.

   b. If you intend to use Kerberos authentication instead of NIS authentication, change the values of MERGE_PASSWD and MERGE_GROUP to false:

          MERGE_PASSWD=false
          MERGE_GROUP=false

      Note: These settings prevent password hashes from appearing in the NIS maps.

   c. If you configure any NIS slave servers in the domain, set the value of NOPUSH to false:

          NOPUSH=false

      If you update the maps, this setting allows the master server to automatically push the maps to the slave servers.

6. Configure the NIS services:

   a. Start the ypserv service and configure it to start after system reboots:

          # service ypserv start
          # chkconfig ypserv on

      The ypserv service runs on the NIS master server and any slave servers.

   b. If the server will act as the master NIS server and there will be at least one slave NIS server, start the ypxfrd service and configure it to start after system reboots:

          # service ypxfrd start
          # chkconfig ypxfrd on

      The ypxfrd service speeds up the distribution of very large NIS maps from a NIS master to any NIS slave servers. The service runs on the master server only, and not on any slave servers. You do not need to start this service if there are no slave servers.

   c. Start the yppasswdd service and configure it to start after system reboots:

          # service yppasswdd start
          # chkconfig yppasswdd on

      The yppasswdd service allows NIS users to change their password in the shadow map. The service runs on the NIS master server and any slave servers.

7. Configure the firewall settings:

   a. Edit /etc/sysconfig/network and add the following entries that define the ports on which the ypserv and ypxfrd services listen:

          YPSERV_ARGS="-p 834"
          YPXFRD_ARGS="-p 835"

      These entries fix the ports on which ypserv and ypxfrd listen.

   b. Allow incoming TCP connections to ports 111 and 834 and incoming UDP datagrams on ports 111 and 834 from the local network:

          # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
            -m state --state NEW -m tcp --dport 111 -j ACCEPT
          # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
            -m state --state NEW -m tcp --dport 834 -j ACCEPT
          # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
            -m udp --dport 111 -j ACCEPT
          # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
            -m udp --dport 834 -j ACCEPT
          # service iptables save

      In the example, subnet_addr/prefix_length specifies the network address, for example 192.168.1.0/24.

      portmapper services requests on TCP port 111 and UDP port 111; ypserv services requests on TCP port 834 and UDP port 834.

   c. On the master server, if you run the ypxfrd service to support transfers to slave servers, allow incoming TCP connections to port 835 and incoming UDP datagrams on port 835 from the local network:

          # iptables -I INPUT -s subnet_addr/prefix_length -p tcp \
            -m state --state NEW -m tcp --dport 835 -j ACCEPT
          # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
            -m udp --dport 835 -j ACCEPT
          # service iptables save

   d. Allow incoming UDP datagrams from the local network on the port on which yppasswdd listens:

          # iptables -I INPUT -s subnet_addr/prefix_length -p udp \
            -m udp --dport `rpcinfo -p | gawk '/yppasswdd/ {print $4}'` -j ACCEPT

      Note: Do not save this rule. The UDP port number that yppasswdd uses is different every time that it restarts.

   e. Edit /etc/rc.local and add the following line:

          iptables -I INPUT -s subnet_addr/prefix_length -p udp \
            -m udp --dport `rpcinfo -p | gawk '/yppasswd/ {print $4}'` -j ACCEPT

      This entry creates a firewall rule for the yppasswdd service when the system reboots. If you restart yppasswdd, you must correct the iptables rules manually unless you modify the /etc/init.d/yppasswdd script.

8. After you have started all the servers, create the NIS maps on the master NIS server:

       # /usr/lib64/yp/ypinit -m

       At this point, we have to construct a list of the hosts which will run NIS
       servers.  nismaster is in the list of NIS server hosts.  Please continue to add
       the names for the other hosts, one per line.  When you are done with the
       list, type a <control D>."
               next host to add:  nismaster
               next host to add:  nisslave1
               next host to add:  nisslave2
               next host to add:  ^D
       The current list of NIS servers looks like this:

       nismaster
       nisslave1
       nisslave2

       Is this correct?  [y/n: y]  y
       We need a few minutes to build the databases...
       ...
       localhost has been set up as a NIS master server.

       Now you can run ypinit -s nismaster on all slave server.

   Enter the host names of the NIS slave servers (if any), type Ctrl-D to finish, and enter y to confirm the list of NIS servers. The host names must be resolvable to IP addresses in DNS or by entries in /etc/hosts.

   The ypinit utility builds the domain subdirectory in /var/yp and makes the NIS maps that are defined for the all target in /var/yp/Makefile. If you have configured NOPUSH=false in /var/yp/Makefile and the names of the slave servers in /var/yp/ypservers, the command also pushes the updated maps to the slave servers.

9. On each NIS slave server, run the following command to initialize the server:

       # /usr/lib64/yp/ypinit -s nismaster

   In the example, nismaster is the host name or IP address of the NIS master server.

For more information, see the ypinit(8) manual page.
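
An added example, not part of the Oracle documentation: a shell function that audits a securenets file in the netmask/network format used in the /var/yp/securenets step above, flagging malformed lines, a 0.0.0.0 netmask (which matches every client), and network addresses that have bits set outside their netmask. The function name audit_securenets and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# audit_securenets FILE: print one finding per line; return 1 if any were found.
audit_securenets() {
    awk '
    function band(a, b,    r, p) {      # bitwise AND (POSIX awk has no and())
        r = 0; p = 1
        while (a > 0 && b > 0) {
            if (a % 2 && b % 2) r += p
            a = int(a / 2); b = int(b / 2); p *= 2
        }
        return r
    }
    function quad(s, o,    i) {         # split dotted quad into o[1..4]; 0 if invalid
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) return 0
        split(s, o, ".")
        for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) return 0
        return 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
    {
        mask = $1; net = $2
        if ($1 == "host") mask = "255.255.255.255"   # "host ADDR" form
        if (NF != 2 || !quad(mask, m) || !quad(net, n)) {
            printf "line %d: MALFORMED: %s\n", NR, $0; bad = 1; next
        }
        if (mask == "0.0.0.0") {
            printf "line %d: OPEN: netmask 0.0.0.0 matches every client\n", NR
            bad = 1; next
        }
        for (i = 1; i <= 4; i++)
            if (band(n[i] + 0, 255 - m[i])) {
                printf "line %d: HOSTBITS: %s has bits outside %s\n", NR, net, mask
                bad = 1; break
            }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the two entries from the page plus three mistakes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
255.255.255.255 127.0.0.1
255.255.255.0 192.168.1.0
0.0.0.0 0.0.0.0
255.255.255.0 192.168.1.10
255.255.0 10.0.0.0
EOF
audit_securenets "$sample" || echo "securenets needs review"
```

On a server, run it as audit_securenets /var/yp/securenets after editing the file.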
If you update any of the source files on the master NIS server that are used to build the maps, use the following command on the master NIS server to remake the map and push the changes out to the slave servers:
# make -C /var/yp
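
An added example, not part of the Oracle documentation: the backquoted rpcinfo lookup in the yppasswdd firewall step expands to nothing if yppasswdd has not registered with the portmapper yet, which leaves iptables with a malformed --dport argument. This version selects only the UDP registration, retries, and prints the rule only when exactly one port is found; the function names, the RPCINFO_CMD variable, and the sample output (including port 975) are assumptions of the example.

```shell
#!/bin/sh
# Print the one UDP port registered for yppasswdd, reading `rpcinfo -p` output
# on stdin. Return 1 if it is not registered or several ports are listed.
yppasswdd_udp_port() {
    awk '$5 == "yppasswdd" && $3 == "udp" && $4 ~ /^[0-9]+$/ { seen[$4] = 1 }
         END { n = 0
               for (p in seen) { n++; port = p }
               if (n != 1) exit 1
               print port }'
}

# Print (do not run) the rule from the page for SUBNET, retrying the lookup
# up to TRIES times. RPCINFO_CMD is this example's hook for offline testing.
yppasswdd_rule() {
    subnet=$1 tries=${2:-5}
    while [ "$tries" -gt 0 ]; do
        if port=$(${RPCINFO_CMD:-rpcinfo -p} 2>/dev/null | yppasswdd_udp_port); then
            printf 'iptables -I INPUT -s %s -p udp -m udp --dport %s -j ACCEPT\n' \
                "$subnet" "$port"
            return 0
        fi
        tries=$((tries - 1))
        if [ "$tries" -gt 0 ]; then sleep 1; fi
    done
    return 1
}

# Constructed `rpcinfo -p` output; port 975 is made up for the example.
sample_rpcinfo() {
    cat <<'EOF'
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    834  ypserv
    100004    2   tcp    834  ypserv
    100009    1   udp    975  yppasswdd
EOF
}

RPCINFO_CMD=sample_rpcinfo    # demo only; unset it to query the real rpcinfo
yppasswdd_rule 192.168.1.0/24
```

On a server, leave RPCINFO_CMD unset and run the printed command only when the function returns success.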