Setting up NIS and the Automounter on Linux


1. Introduction

NIS services (a.k.a. Yellow Pages [I need to add links to historical information]) are very useful for managing groups of UNIX machines. However NIS is traditionally rather insecure. There are some measures that you can take to configure NIS in a more secure manner. Thus you should not proceed unless you adhere to the following principles:

In general, your NIS server(s) should never be directly accessible from hostile networks (like the Internet!) without some kind of protection (like a firewall). You should inform yourself about known security issues with NIS before you decide to implement it in your network [provide link].

Though this document has a Red Hat bias it should apply as well to other Linux distributions. For other distros you would need to inform yourself about packages to install, and auto-starting commands on boot.

For some time now, Red Hat server packages are typically NOT automagically configured and started. For various sensible security reasons, you are obliged to do this yourself. Therefore you should be aware that you need to:

Note that when installing any machine, you initially set an authentication mode. You can later enable or disable NIS authentication, but you should have a uniform policy for shadow passwords and for MD5 passwords. The default on install for Red Hat systems is to enable both of these. This is a good policy, especially on freenix-only clusters, where these modes are typically supported. Do not change the password modes unless you know what you are doing, and you know how to repair your password file(s).

I show how to set up a server (the hard part) with classic NIS services, including the automounter for home directory access. Then I show how to set up and configure the clients (the easy part :-)

I assume that you installed the NFS Server option on your server, and on any clients which will NFS-export a home directory.

1.1  Conventions and Notes

1.1.1  Document Conventions

1.1.2  Notes on the Sample Network

This example network is configured as a subnet: 192.168.196. I have implemented a security policy which is subnet-based.

1.1.3  Notes on the Automounters

Two automounters are used and configured:

1.1.4  Notes on Home Directories

Note that users' home directories are located in various places, and are NFS-exported for automounting. The convention used is that home directory file systems are mounted in /etc/fstab at the path /export/home. This filesystem is later NFS-exported by the NFS daemon and only mounted on request via NFS and autofs.

Ideally you should locate all home directories onto an NFS server. This often avoids the necessity of backing up client machines - they are instead treated as black boxes, that can be reinstalled on a whim. It also nicely allows us to focus security policy on servers. However in this example we show home directories served from client machines.

2. Setting up the Master Server

2.1  Install the software

  1. Install the following packages if they are not already installed on the server:
    • For NIS: yp-tools, ypbind, ypserv
    • For the automounters: autofs, am-utils, openldap (openldap may be required by am-utils; it depends on your patch level and software versions)
  2. You can configure and start amd immediately (we'll get to the other packages shortly). Do the following:
    ROOT# chkconfig --level 345 amd on
    ROOT# /etc/init.d/amd start

2.2  Set the NIS Domain name

  1. Decide on the NIS 'domain' name and set it at the command line. This example uses 'birds'
    ROOT# domainname birds
  2. Edit /etc/sysconfig/network and add a line for the domain. This sets the domain name for future reboots:
    ROOT# cat /etc/sysconfig/network
    NETWORKING=yes
    HOSTNAME=eagle
    # define gateway only if it exists
    #GATEWAY=192.168.196.1
    NISDOMAIN=birds

2.3  Set up password/shadow map security

  1. These days the default /etc/ypserv.conf is 'ready to go'. You do not need to change it. This file deals with password and shadow map access. By default unprivileged users will only see mangled output of queries for those maps (the password is displayed as an 'x') once NIS is up and running:
    $ ypcat passwd
    fred:x:600:600:Fred F.:/home/fred:/bin/bash
    barney:x:650:650:Barney R.:/home/barney:/bin/bash
    wilma:x:651:651:Wilma F.:/home/wilma:/bin/bash
    

2.4  Configure server binding and map lookup

  1. Edit /etc/yp.conf and add the following line. The server will also run the client daemon ypbind, and this configuration will tell the server to bind to itself:
    domain birds  server eagle
  2. Make sure that /etc/nsswitch.conf is correctly configured for NIS. Note that the default Red Hat file will not work for the netgroup configuration; moreover you should edit out unwanted configurations or services, like nisplus (though it doesn't hurt to leave them there).
    This file specifies the order in which files or maps are accessed. For example, the passwd, shadow and group maps are first accessed as local files (important for the user 'root'!!) and when the user is not found, the system then tries NIS. Thus this file is also very useful if you ever need to customize individual systems.

2.5  Set up the YP Makefile and any referenced files

  1. We need to change the makefile so that it includes the extra automounter support. Note that we always save the original file when editing!:
    ROOT# cd /var/yp
    ROOT# cp -p Makefile Makefile.orig
    Here is a sample Makefile. Note that principally I have added support for the extra automount maps. If you don't want to handle certain maps (like ethers, for example), then edit it out of the 'all:' target, and it will not be managed by NIS.
    A note about makefiles: if you download my Makefile example intending to use it then you must take care to download it properly. <TAB> characters are incredibly important in makefiles; you must make sure to preserve them! Don't start editing any Makefile unless you have read a bit about them.
  2. Create some files mentioned in the makefile. For my Makefile I need to create ('touch') the following files. If you decided to edit them out of the 'all' target in the makefile, then you would not bother. In fact these files are not accessed via NIS on my system. I put them in the 'all' target list in case I want to use them in the future:
    ROOT# touch /etc/ethers /etc/bootparams /etc/networks
  3. Create the /etc/netgroup file. This is a very useful file, and can be referenced in various places, including /etc/exports. References to any netgroup have the form: @net_group_name. In my example I have put my server in the @servers netgroup and my clients in the @clients netgroup. All machines are members of the @nodes netgroup. (You will see shortly how they are used in the NFS exports file).
    You may continue across several lines as long as you use the '\' continuation character at the end of the previous line.
    Note: the netgroup file must be edited as carefully as a Makefile. Small errors will have profound effects (like all your netgroups disappearing). More about this later.
  4. Prepare the automount map files:
    • auto.master - contains the list of the NIS-accessible automount maps
    • auto.home - will contain the mount points for /home/ on any of your systems. This file must be updated whenever you add or change user accounts on your system
    • auto.local - will contain some extra automount maps for the domain
    • auto.samba - will contain additional public samba-accessible shares
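The netgroup file is unforgiving, as the note in step 3 says: one malformed entry and the whole map can vanish after the next make in /var/yp. The script below is an added example, not part of this how-to, that lints a netgroup file before you push it: it joins '\' continuation lines, checks that every parenthesised member is a full (host,user,domain) triple, and checks that every nested netgroup name (like the 'servers' and 'clients' inside 'nodes') is actually defined. The two sample files are constructed here for the 'birds' domain; run the function against your real /etc/netgroup instead.

```shell
#!/bin/sh
# Added example (not part of the how-to): lint an /etc/netgroup file before
# running 'make' in /var/yp. A single malformed entry makes the whole netgroup
# map unusable, so catch it first. Usage: check_netgroup /etc/netgroup

check_netgroup() {
    # 1) join backslash-continued lines, 2) strip comments, 3) drop blank lines,
    # 4) validate each entry: NAME followed by (host,user,domain) triples or names
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" | sed 's/#.*//' |
    grep -v '^[[:space:]]*$' | awk '
    {
        name = $1
        if (name !~ /^[A-Za-z0-9_.-]+$/) { printf "entry %d: bad name %s\n", NR, name; bad++ }
        defined[name] = 1
        for (i = 2; i <= NF; i++) {
            m = $i
            if (m ~ /^\(.*\)$/) {
                # a triple; any field may be empty (wildcard), but there must be three
                if (split(substr(m, 2, length(m) - 2), f, ",") != 3) {
                    printf "entry %d: malformed triple %s\n", NR, m; bad++
                }
            } else if (m ~ /^[A-Za-z0-9_.-]+$/) {
                referenced[m] = NR   # nested netgroup, checked at the end
            } else {
                printf "entry %d: unexpected token %s\n", NR, m; bad++
            }
        }
    }
    END {
        for (r in referenced)
            if (!(r in defined)) { printf "entry %d: undefined netgroup %s\n", referenced[r], r; bad++ }
        exit (bad > 0)
    }'
}

# Constructed samples for the "birds" domain used in this how-to
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/netgroup.good" <<'EOF'
# servers, clients, and a nodes group containing both
servers (eagle,,birds) (eagle.mynet.home,,birds)
clients (sparrow,,birds) (sparrow.mynet.home,,birds) \
        (chicken,,birds) (chicken.mynet.home,,birds)
nodes   servers clients
EOF
# A two-field "triple" and a reference to a netgroup that is never defined
cat > "$SAMPLES/netgroup.bad" <<'EOF'
clients (sparrow,,birds) (chicken,birds)
nodes   servers clients
EOF

for f in good bad; do
    if check_netgroup "$SAMPLES/netgroup.$f"; then
        echo "netgroup.$f: OK"
    else
        echo "netgroup.$f: fix before running make in /var/yp"
    fi
done
```

The function exits non-zero on any finding, so it can sit in front of make in a small wrapper script. It does not resolve hostnames or check that the domain field matches your NISDOMAIN; those are worth a look by eye.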

2.6  Initialize the NIS map database

  1. The NIS map database is created with ypinit. This only has to be done once, when a YP server is first created (or if ever you re-create it). Note that we have no YP daemon running yet. Thus ypinit will complain about 'unregistered services', but this can be ignored. Run ypinit with the 'master' switch:
    ROOT# /usr/lib/yp/ypinit -m
  2. 'ypinit' will prompt you for a list of servers (only 'eagle' in our case). Press '^D' when done, and confirm the information. If you encounter errors about certain maps then correct the map files and run the command again.
  3. The example output is found here.

2.7  Start the daemons and permanently enable them

  1. Start the server, then the client (yes, you need a client on the server too), and finally the yppasswdd daemon. The daemon managing password changes is yppasswdd.
    ROOT# /etc/init.d/ypserv start
    Starting YP server services:                    [  OK  ]

    ROOT# /etc/init.d/ypbind start
    Binding to the NIS domain...                    [  OK  ]
    Listening for an NIS domain server: eagle.mynet.home
        

    ROOT# /etc/init.d/yppasswdd start
    Starting YP passwd service:                     [  OK  ]
  2. Permanently enable ypserv, ypbind and yppasswdd at runlevels 3,4, and 5:
    ROOT# chkconfig --level 345 ypserv on
    ROOT# chkconfig --level 345 yppasswdd on
    ROOT# chkconfig --level 345 ypbind on

2.8  Enable NFS services and Test the YP services

  1. Make sure that NFS services are enabled:
    ROOT# chkconfig --list nfs
    nfs   0:off   1:off   2:off   3:on    4:on    5:on    6:off
    If they are not enabled, then set the levels:
    ROOT# chkconfig --level 345 nfs on
    If the /etc/exports file is empty, then no daemons will be running after bootup, or when you start the NFS services. Therefore put at least a comment (starting with the hash mark #) in the file and launch NFS services:
    ROOT# /etc/init.d/nfs start
  2. Now prepare an /etc/exports file on the server. This server will export some of the home directories, and the /usr/local/ directory. When the file is ready you must export it with exportfs:
    ROOT# exportfs -r
  3. Test NIS services on the server:
    ROOT# ypwhich
    eagle.mynet.home

    ROOT# ypcat -k netgroup
    servers (eagle,,birds) (eagle.mynet.home,,birds)
    nodes servers clients
    clients (sparrow,,birds) (sparrow.mynet.home,,birds) (chicken,,birds)
    (chicken.mynet.home,,birds) (parrot,,birds) (parrot.mynet.home,,birds)
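Step 2 says the exports file must be ready before exportfs -r, and the netgroups from section 2.5 are what you restrict it with. As an added example (not the how-to's own file), here is an audit function for /etc/exports that flags the classic mistakes: a directory with no client list, a stray space between the client and its options (which exports to every host), a '*' client, and no_root_squash. It also insists that each export state ro or rw explicitly, because the default has changed between nfs-utils versions. Both sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the how-to): audit an /etc/exports file for a
# directory exported to every host (no client, a stray space before the
# option list, or "*") and for no_root_squash. Each export is also expected
# to state ro or rw rather than rely on the default.
# Usage: audit_exports /etc/exports

audit_exports() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        dir = $1
        if (NF < 2) { printf "%s: no client list, exported to everyone\n", dir; bad++; next }
        for (i = 2; i <= NF; i++) {
            client = $i; opts = ""
            if (match(client, /\(.*\)$/)) {       # split "host(opts)" into its parts
                opts = substr(client, RSTART + 1, RLENGTH - 2)
                client = substr(client, 1, RSTART - 1)
            }
            if (client == "" || client == "*") {
                printf "%s: entry \"%s\" matches every host\n", dir, $i; bad++
            }
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                printf "%s: no_root_squash for %s\n", dir, client; bad++
            }
            if (opts !~ /(^|,)(ro|rw)(,|$)/) {
                printf "%s: ro/rw not stated for %s\n", dir, client; bad++
            }
        }
    }
    END { exit (bad > 0) }' "$1"
}

SAMPLES=$(mktemp -d)
# Constructed: what this how-to describes, restricted to the netgroups from /etc/netgroup
cat > "$SAMPLES/exports.good" <<'EOF'
/export/home   @clients(rw,root_squash,sync)
/usr/local     @nodes(ro,sync)
EOF
# Constructed: three common mistakes on three lines
cat > "$SAMPLES/exports.bad" <<'EOF'
/export/home   (rw)
/tmp           *(rw,no_root_squash)
/usr/local     @nodes
EOF

for f in good bad; do
    if audit_exports "$SAMPLES/exports.$f"; then
        echo "exports.$f: OK"
    else
        echo "exports.$f: review before running exportfs -r"
    fi
done
```

The space-before-options case is the one to remember: "/export/home (rw)" reads naturally but means "everyone, read-write". The audit does not follow '\' continuation lines in exports; keep each export on one line.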

2.9  Secure NIS Binding

  1. The default /var/yp/securenets is wide-open -- it allows clients to bind to your server from anywhere in your network. You need to edit this file and add any client's IP addresses to this file, including the server's! The example file is found here.
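Because the shipped securenets is wide open, it helps to check the file mechanically before restarting ypserv. The function below is an added example, not from this how-to: it reports the '0.0.0.0 0.0.0.0' rule and any client address that neither a 'host ADDR' line nor a 'NETMASK NETWORK' line would admit. It uses portable awk only, so the per-octet bitwise AND is spelled out instead of relying on gawk's and(). The sample files are constructed here; the subnet is the 192.168.196 network from this example.

```shell
#!/bin/sh
# Added example (not from the how-to): check /var/yp/securenets before
# restarting ypserv. Reports the wide-open "0.0.0.0 0.0.0.0" rule and any
# client that no "host ADDR" or "NETMASK NETWORK" line would admit.
# Usage: check_securenets /var/yp/securenets CLIENT_IP...

check_securenets() {
    file=$1; shift
    awk -v clients="$*" '
    function band(a, b,   r, bit) {             # bitwise AND of two octets
        r = 0
        for (bit = 128; bit >= 1; bit /= 2) {
            if (a >= bit && b >= bit) r += bit
            if (a >= bit) a -= bit
            if (b >= bit) b -= bit
        }
        return r
    }
    function covered(ip, maskstr, netstr,   i, o, m, n) {   # is ip inside net/mask?
        split(ip, o, "."); split(maskstr, m, "."); split(netstr, n, ".")
        for (i = 1; i <= 4; i++)
            if (band(o[i], m[i]) != band(n[i], m[i])) return 0
        return 1
    }
    /^[[:space:]]*(#|$)/ { next }
    $1 == "host" && NF == 2 { mask[++rules] = "255.255.255.255"; net[rules] = $2; next }
    NF == 2                 { mask[++rules] = $1; net[rules] = $2; next }
    { printf "line %d: cannot parse: %s\n", NR, $0; bad++ }
    END {
        for (r = 1; r <= rules; r++)
            if (mask[r] == "0.0.0.0") { printf "rule %d (%s %s) lets any host bind\n", r, mask[r], net[r]; bad++ }
        nc = split(clients, c, " ")
        for (i = 1; i <= nc; i++) {
            hit = 0
            for (r = 1; r <= rules; r++) if (covered(c[i], mask[r], net[r])) hit = 1
            if (!hit) { printf "client %s is not permitted to bind\n", c[i]; bad++ }
        }
        exit (bad > 0)
    }' "$file"
}

SAMPLES=$(mktemp -d)
# Constructed: loopback plus the 192.168.196 subnet used in this how-to
cat > "$SAMPLES/securenets.good" <<'EOF'
host 127.0.0.1
255.255.255.0 192.168.196.0
EOF
# Constructed: the permissive default that ships in the package
printf '0.0.0.0 0.0.0.0\n' > "$SAMPLES/securenets.default"

check_securenets "$SAMPLES/securenets.good" 192.168.196.1 192.168.196.5 && echo "good: server and client admitted"
check_securenets "$SAMPLES/securenets.good" 10.0.0.9 || echo "good: outsider rejected, as intended"
check_securenets "$SAMPLES/securenets.default" 192.168.196.5 || echo "default: needs editing"
```

Feed it every address you expect to bind, the server's own included, and keep in mind that securenets only governs binding; a host that is admitted can still read every map, so the password mangling in ypserv.conf and the wrappers in the next section remain necessary.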

2.10  Wrap network services

  1. The final step once everything works is to 'wrap' your services with 'libwrap'; that is to say, by configuring /etc/hosts.allow and /etc/hosts.deny. Normally you would deny all services in /etc/hosts.deny, and then allow selected services in /etc/hosts.allow.
    It is usually wise to start by editing /etc/hosts.allow. Note that changes to these files have instantaneous effect! Once you are satisfied with it, then edit /etc/hosts.deny and close the rest of the services.
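Since the two files take effect the moment you save them, it pays to know what a candidate pair will do before it goes live. The script below is an added example, not from this how-to, and is a simplified model of the libwrap lookup order: hosts.allow is consulted first and a match permits; otherwise hosts.deny is consulted and a match refuses; otherwise the connection is permitted. It understands ALL, exact addresses, '192.168.196.'-style prefixes and comma-separated lists, but not EXCEPT, hostnames or @netgroups. The sample files are constructed here; on a real system, tcpdmatch(8) is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the how-to): a simplified model of how libwrap reads
# hosts.allow and hosts.deny (allow file first, then deny file, otherwise allow).
# Supports ALL, exact addresses, "192.168.196."-style prefixes and comma lists;
# it does not implement EXCEPT, hostnames or netgroups. Use tcpdmatch(8) on a
# live system for the authoritative answer.

wrap_match() {     # wrap_match FILE DAEMON CLIENT_IP  -> 0 when some line matches
    awk -v daemon="$2" -v client="$3" '
    function listmatch(list, wanted, is_client,   n, i, p) {
        gsub(/[[:space:]]/, "", list)
        n = split(list, p, ",")
        for (i = 1; i <= n; i++) {
            if (p[i] == "ALL" || p[i] == wanted) return 1
            if (is_client && p[i] ~ /\.$/ && index(wanted, p[i]) == 1) return 1
        }
        return 0
    }
    /^[[:space:]]*(#|$)/ { next }
    split($0, f, ":") >= 2 && listmatch(f[1], daemon, 0) && listmatch(f[2], client, 1) { found = 1; exit }
    END { exit !found }' "$1"
}

wrap_decision() {  # wrap_decision ALLOW_FILE DENY_FILE DAEMON CLIENT_IP
    if wrap_match "$1" "$3" "$4"; then echo allow
    elif wrap_match "$2" "$3" "$4"; then echo deny
    else echo allow      # no rule in either file: libwrap lets it through
    fi
}

SAMPLES=$(mktemp -d)
# Constructed, following the how-to: NIS/RPC services only for the 192.168.196 subnet
cat > "$SAMPLES/hosts.allow" <<'EOF'
portmap: 192.168.196.
ypserv, ypbind, yppasswdd: 192.168.196.
sshd: ALL
EOF
# Close everything else
printf 'ALL: ALL\n' > "$SAMPLES/hosts.deny"
: > "$SAMPLES/hosts.deny.empty"     # the state before hosts.deny has been edited

for case in "ypserv 192.168.196.5" "ypserv 10.9.8.7" "sshd 10.9.8.7"; do
    set -- $case
    echo "$1 from $2: $(wrap_decision "$SAMPLES/hosts.allow" "$SAMPLES/hosts.deny" "$1" "$2")"
done
echo "ypserv from 10.9.8.7 with an empty hosts.deny: $(wrap_decision "$SAMPLES/hosts.allow" "$SAMPLES/hosts.deny.empty" ypserv 10.9.8.7)"
```

The last line is the point of the ordering advice above: with hosts.allow written but hosts.deny still empty, an outside host is not refused anything, because libwrap's default is to permit. Only the 'ALL: ALL' in hosts.deny turns the allow list into an actual restriction.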

3. Setting up a Client

3.1  Allow the client to join the domain

Before a client can participate in an NIS domain it needs to have access to the domain. The server completely controls this access. Thus before beginning to configure the client, do the following two things ON THE SERVER if they have not yet been done (assume the client is 'chicken.mynet.home'):

  1. Put the client in the netgroup file. Append this node to the client entry in /etc/netgroup:
    (chicken,,birds) (chicken.mynet.home,,birds)
  2. Push the changes into the NIS maps:
    ROOT# cd /var/yp
    ROOT# make
  3. Put the client in the securenets file. Append this node to the end of the /var/yp/securenets file:
    host 192.168.196.5
  4. Restart ypserv so that it recognizes the new client just added to the securenets file:
    ROOT# /etc/init.d/ypserv restart

3.2  Install the software

  1. Install the following packages if they are not already installed on the client:
    • For NIS: yp-tools, ypbind
    • For the automounters: autofs, am-utils, openldap (if required by am-utils; it depends on your patch level and version)
  2. You can configure and start amd immediately:
    ROOT# chkconfig --level 345 amd on
    ROOT# /etc/init.d/amd start

3.3  Configure YP map lookups

Make sure that the file /etc/nsswitch.conf is correctly configured for NIS. Note that the default Red Hat file will not work for the netgroup configuration; moreover you should edit out unwanted configurations or services, like nisplus.

This file specifies the order in which files or maps are accessed. For example, the passwd, shadow and group maps are first accessed as local files (important for the user 'root'!!) and when the user is not found, the system then tries NIS. Thus this file is very useful if you ever need to customize individual systems.

3.4  Set NIS Domain name and binding, and start it

You can either use a GUI or you can configure the files manually. I show both methods:

  1. GUI configuration:
    The authconfig GUI, or the setup GUI (after selecting 'authentication configuration') can be used to bring up NIS client services. Use the <TAB> key to navigate in this tool.
    ROOT# /usr/sbin/authconfig
    Set the following values. Note that you can point your clients directly to your NIS server (or servers if you configure later some slave servers), or you can broadcast for a server. Broadcasting is dangerous in an untrusted network. I show the direct method:
    Authentication            Value
    Authentication Method     Use NIS
    Domain                    birds
    Server                    eagle
    Select 'OK', then 'QUIT'. ypbind should now be configured and running. If so, proceed to the Test section below.
  2. Manual configuration:
    1. Set the NIS domain name for the current session and for future reboots:
      ROOT# domainname birds
      Then edit /etc/sysconfig/network and add the following line. This sets the domain name for future reboots:
      NISDOMAIN=birds
    2. Configure the server binding
      Edit /etc/yp.conf and add the following line. This configuration will tell ypbind to ask eagle for NIS services:
      domain birds server eagle
    3. Start the client and permanently enable it at run levels 3,4, and 5:
      ROOT# /etc/init.d/ypbind start
      ROOT# chkconfig --level 345 ypbind on
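The manual steps above are the same three edits made on the server in section 2.2 (domainname, NISDOMAIN in /etc/sysconfig/network, one line in /etc/yp.conf). As an added example that is not part of this how-to, here they are as one function that can be re-run safely: it replaces an existing NISDOMAIN line rather than appending a second one, writes a yp.conf that names the server explicitly (no broadcast line), and only runs domainname, ypbind and chkconfig when pointed at the live system. The staging directory and its starting files are constructed here so the function can be previewed without touching /etc.

```shell
#!/bin/sh
# Added example (not from the how-to): the manual binding steps of sections
# 2.2 and 3.4 as one idempotent function. Pass a staging directory as the
# first argument to preview the files; pass "" to act on the live system.
# Usage: configure_nis_binding ROOT DOMAIN SERVER

configure_nis_binding() {
    root=$1; domain=$2; server=$3
    net="$root/etc/sysconfig/network"
    yp="$root/etc/yp.conf"
    mkdir -p "$root/etc/sysconfig"
    [ -f "$net" ] || : > "$net"

    # NISDOMAIN=...: replace an existing line or append one, never duplicate
    awk -v d="$domain" '
        /^NISDOMAIN=/ { print "NISDOMAIN=" d; seen = 1; next }
        { print }
        END { if (!seen) print "NISDOMAIN=" d }' "$net" > "$net.tmp" && mv "$net.tmp" "$net"

    # yp.conf: bind to one named server. No "broadcast" line, which would let
    # any host on the LAN answer as the NIS server.
    {
        echo "# bind only to the named server, never broadcast"
        echo "domain $domain server $server"
    } > "$yp"

    if [ -z "$root" ]; then        # live system only
        domainname "$domain"
        /etc/init.d/ypbind start
        chkconfig --level 345 ypbind on
    fi
}

# Read back the configured domain from a (staged or live) system root
nis_domain_in() { sed -n 's/^NISDOMAIN=//p' "$1/etc/sysconfig/network"; }

# Constructed staging copy of a client that was previously in another domain
STAGE=$(mktemp -d)
mkdir -p "$STAGE/etc/sysconfig"
printf 'NETWORKING=yes\nHOSTNAME=chicken\nNISDOMAIN=olddomain\n' > "$STAGE/etc/sysconfig/network"
configure_nis_binding "$STAGE" birds eagle
configure_nis_binding "$STAGE" birds eagle     # a second run must change nothing
echo "NISDOMAIN is now: $(nis_domain_in "$STAGE")"
cat "$STAGE/etc/yp.conf"
```

Running it twice against the staging copy leaves exactly one NISDOMAIN line and the other settings (NETWORKING, HOSTNAME) untouched, which is what you want from something you might later fold into a kickstart post-install.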

3.5  Configure autofs for NIS access

  1. Fix autofs startup:
    By default client machines will treat any local automount mapfiles first. Thus the best thing to do on all clients and slaves is to remove or rename local map files, unless you have a special need to configure a local map file. Therefore, when I install new clients I do the following during installation:
    ROOT# /etc/init.d/autofs stop
    ROOT# rm /etc/auto.*
    ROOT# rmdir /home /misc
    If you decide to use both local and NIS maps, then you should edit the local /etc/auto.master file, and comment out any unused entries in it.
  2. Fix /home access:
    You should also remove /home, since this 'mountpoint' will be managed by autofs shortly. See if anything is in the directory. If there is anything in the directory then you must move it elsewhere and delete the /home directory. Long ago Red Hat stopped putting content like 'ftp' and 'apache' in /home. It should not be an issue, unless your Linux vendor still populates /home. If there are no files then follow the instructions in the preceding point.

3.6  Start and enable autofs permanently

  1. Start the autofs daemon, both for future reboots, and for the current environment:
    ROOT# chkconfig --level 345 autofs on
    ROOT# /etc/init.d/autofs start
    You can check its status with the status command:
    ROOT# /etc/init.d/autofs status
    Configured Mount Points:
    ------------------------
    /usr/sbin/automount --timeout 300 /home yp auto.home  
    /usr/sbin/automount --timeout 300 /local yp auto.local  
    /usr/sbin/automount --timeout 300 /smb yp /etc/auto.smb  
    
    Active Mount Points:
    --------------------
    /usr/sbin/automount --timeout 300 /home yp auto.home
    /usr/sbin/automount --timeout 300 /local yp auto.local
    /usr/sbin/automount --timeout 300 /smb yp /etc/auto.smb

3.7  Associate /usr/local link with automounter

  1. To associate the /usr/local directory with the automount map, do the following on the client:
    ROOT# cd /usr
    ROOT# mv local local.orig
    ROOT# ln -s /opt/local /usr/local
    ROOT# ls /usr/local/.
    Now your clients will automount /usr/local from the server.

3.8  Enable NFS Server if needed

If this client will NFS-export a home directory, then you need to enable NFS Server functionality and export the directory. Proceed as you did for the server in the previous section. Note that your /etc/exports file should include only those directories exported by the client.

3.9  Wrap network services

As with the master server, the final step once everything works is to 'wrap' your services with 'libwrap'; that is to say, by configuring /etc/hosts.allow and /etc/hosts.deny.

4. Setting up a Slave NIS Server

This section still needs to be added; it is very easy.

5. References

5.1  Man Pages

netgroup, ypserv, ypbind, exports, .....

Appendix A : Example Files

File Name                                     Purpose

/etc/hosts                                    An example hosts file for this network
/etc/yp.conf                                  The YP configuration file on the Server
/etc/yp.conf                                  The YP configuration file on the Client
/etc/ypserv.conf                              This server-only configuration file will mangle the shadow and password maps for users coming from insecure ports (i.e. it hides password information)
/etc/sysconfig/network                        Configuration file for the network on the Server
/etc/sysconfig/network                        Configuration file for the network on a DHCP Client
/etc/sysconfig/network-scripts/ifcfg-eth0     2nd configuration file for the network on the Server
/etc/sysconfig/network-scripts/ifcfg-eth0     2nd configuration file for the network on a DHCP Client
/var/yp/Makefile                              My Makefile with extra automount maps and password/shadow merging
/etc/auto.master                              Master configuration file for the automounter on the Server
/etc/nsswitch.conf                            This example has the nisplus entries removed
/etc/netgroup                                 A simple netgroup file
/etc/init.d/autofs                            A startup file for autofs for Red Hat 6.2 that allows both local and NIS automount maps
/etc/auto.home                                A map for the home directories; file only located on the server
/etc/auto.samba                               A map for SMB filesystems; file only located on the server
/etc/auto.local                               A map for various NFS filesystems, including /usr/local/; file only located on the server
/etc/exports                                  Exports file for the Server
/etc/exports                                  Exports file for the Client
/var/yp/securenets                            Access file for client binding, used only by the server
/etc/hosts.allow                              Sample tcpwrappers security ALLOW file for the Server
/etc/hosts.allow                              Sample tcpwrappers security ALLOW file for the Clients
/etc/hosts.deny                               Sample tcpwrappers security DENY file for all

Appendix B : List of Commands Used in This How-to

Appendix C : List of RPMs Mentioned in This How-to


Contact: http://penguin.triumf.ca/home/
Created: Sat Feb 15 12:16 MET 2003
Last Modified: Thu Nov 4 14:2 2004
Copyright © 2004, Denice Deatrich

Document generation: http://penguin.triumf.ca/xml/WebHowTo.html
