Centralised authentication using NIS

By Mayank Sarup <mayank@freeos.com>
Posted: 2000-12-02 00:19:24 EST

If users on your network are working on more than one machine you will
need to create a login/password pair for them on each machine. A more
elegant solution is to maintain a centralized database that client machines
refer to for authentication. NIS is one way to do that and this article shows
you how.

To log on to a machine on your network, you need a login/password pair that
is valid on that machine. This can become a problem over a larger network
where you may have people using more than one machine. An example of this
would be your computer lab where people are going to be working off different
machines most of the time. You will then be forced to create logins for each
user on every machine that they're likely to use. NIS steps in here and
provides you with centralized authentication. All the logins are created on a
single machine, which client machines access to authenticate users.

Once you have centralized your authentication, you will also need to make
the user's home directory available on whichever machine they log on to.
If they still have to log in to another machine to access their data,
then there is little point in having NIS around. NFS, the Network File
System, allows you to 'export' a directory for mounting on other machines.
When mounted, that directory appears as a local directory on the client
machine. This is completely transparent to the user: you can transfer
files and run programs off an NFS-mounted directory with great ease.

NIS and its associated tools are available across nearly all the
distributions. What you need is ypbind, ypserv and yp-tools. For a NIS
client machine, all you need is ypbind and yp-tools. The ypserv package is
only required if you're setting up the machine as a server. All the
NIS tools are prefixed with YP. This is because the original name for NIS
was Yellow Pages. That was copyrighted by British Telecom and could not be
used. Sun settled on NIS but the name stuck.

You will also need the portmap daemon, which is used to manage RPC
requests. This is used by NIS as well as NFS and is present in most Linux
distributions. Look for a package named portmap on your distribution CD.

Installation

Installation of the NIS program files is easy enough if you're using the RPMs.

rpm -ivh ypserv-1.3.11-9.i386.rpm

The ypserv package is only required for machines that are to be NIS master or
slave servers. This is not required for NIS clients but the following packages
are.

rpm -ivh ypbind-1.6-11.i386.rpm
rpm -ivh yp-tools-2.4-4.i386.rpm

Configuration

Before starting the configuration of your NIS server, you need to decide on a
NIS domain. Each NIS server will only serve clients from the domain that it
is a part of. This domain is not to be confused with your DNS domain name.
The NIS domain system allows you to divide the computers on your network into
sub-domains, each served only by the NIS master servers for that domain. The
NIS domain name can be anything you want (foo.bar.org or org.bar.foo), but
for security reasons it should not be the same as your DNS domain name.
The NIS domain name is set with the nisdomainname command. The ypdomainname
and domainname commands are equivalent; they all do the same thing.

nisdomainname foo.bar.org

This command will need to be run on every machine on your network that
will be part of the domain. You should put the above in your system startup
scripts so that the domain name is automatically set at boot. Alternatively,
on Red Hat you can edit /etc/sysconfig/network and change or add the
parameter "NISDOMAIN=domain". On SuSE open /etc/rc.config and look for
"YP_DOMAINNAME".

Server Configuration

Open the file named /etc/ypserv.conf

Look for the lines below and un-comment them.

* : passwd.byname : port : yes
* : passwd.byuid : port : yes

You should do this; otherwise any user on the network can run "ypcat passwd"
and see the entire password database exported by the NIS server, including
the encrypted passwords. The "port" option makes ypserv answer requests for
these maps only when they come from a privileged (low) port, which only root
can bind. Root on the client machines will therefore still be able to view
the encrypted passwords.

Open /var/yp/Makefile. Go through the options at the top. You probably
won't have to modify them but it does make sense to check them out. Now
look for the "all" rule in this file. It will look something like the
following.

all: passwd group rpc services netid

This defines the files that are to be made available over NIS. NIS is,
after all, the Network Information Service, and you can use it for more than
just authentication. Here I'm also exporting /etc/services and /etc/hosts.

The defaults that are un-commented will work just fine. We're just going
for centralized authentication here, so make sure that passwd and group
are un-commented.

Move to /var/yp and run "make" there. This will create the NIS database
maps. You will need to run this every time you change a source file, e.g.
when you add or remove a user from the passwd file. Changes to passwords do
not require a make.

You can also use the program ypinit.

/usr/lib/yp/ypinit -m

ypinit will first prompt you for a list of NIS servers on the network. You
will need to enter the list of NIS servers for that domain. This should
also include any slave NIS servers that you are planning to set up. ypinit
will write this list of servers to /var/yp/ypservers and then go ahead
with the make. ypinit is fine for the first time you're setting up NIS, but
if you make frequent changes to the NIS files then "make" is a better
option. This is because ypinit re-creates the NIS database from scratch,
whereas make first checks the source files for changes, updates only the
affected NIS maps and pushes the changes to slave servers.

While making the NIS maps, you might get error messages saying that some
of the files could not be generated. If so, edit the Makefile, search
for the "all" entry and comment out the files that gave the error. Run
the make again.

The next file you need to edit is /var/yp/securenets. This file defines
the NIS clients that are allowed to access your NIS server. This file only
takes IP addresses -- no hostnames. Each line is a netmask/network pair,
with the netmask first. Localhost will need to be in this file. The entry
should already be there, but if not, enter the following.

255.0.0.0 127.0.0.0
255.255.255.0 192.168.0.0

You can also allow specific hosts by giving the keyword "host" followed by
an IP address.

host 127.0.0.1

Similarly, you can enter other netmask/network pairs to restrict access to
the NIS server and improve security. Here 192.168.0.* has access to the
NIS server.
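Because securenets is the only access control in front of ypserv, it is worth being able to check which client addresses a given file actually admits. The script below is an added example, not part of the article, that applies the netmask/network and "host" rules of a securenets file to an address; the sample file it writes is constructed here and mirrors the entries above.

```shell
#!/bin/sh
# Added example (not from the article): check whether a client address is
# permitted by a /var/yp/securenets file. Lines are "netmask network" or
# "host address"; blank lines and comments are ignored. Matching is done
# with dotted-quad arithmetic so the script runs on plain POSIX sh.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE ADDRESS -> 0 if ADDRESS matches a rule, 1 otherwise
securenets_allows() {
    file=$1
    ip=$(ip2int "$2")
    while read -r first second rest; do
        case "$first" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ "$first" = host ]; then
            mask=4294967295                          # single host: /32
        else
            mask=$(ip2int "$first")                  # netmask column
        fi
        net=$(ip2int "$second")
        if [ $(( ip & mask )) -eq $(( net & mask )) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# Constructed sample securenets: the article's two entries plus a host rule.
SECURENETS=$(mktemp)
cat > "$SECURENETS" <<'EOF'
# netmask        network
255.0.0.0        127.0.0.0
255.255.255.0    192.168.0.0
host 10.0.0.5
EOF

for addr in 192.168.0.44 192.168.1.44 10.0.0.5 10.0.0.6; do
    if securenets_allows "$SECURENETS" "$addr"; then
        echo "$addr: allowed"
    else
        echo "$addr: denied"
    fi
done
```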

The server setup is now done. The NIS server can be started now. Make sure
that the portmap daemon is started before the NIS server is.

/etc/rc.d/init.d/portmap start

/etc/rc.d/init.d/ypserv start

If portmap is running, ypserv will start the NIS server and connect with
portmap. Use "rpcinfo -p" to check. You should get output that looks like
the following

100004 2 udp 1003 ypserv
100004 1 udp 1003 ypserv
100004 2 tcp 1006 ypserv
100004 1 tcp 1006 ypserv

You also need to run rpc.yppasswdd. This allows users to change their
passwords over the network. This daemon should be run only on the NIS
master server. Also make sure that this daemon is started after ypserv.

/etc/rc.d/init.d/yppasswdd start

On the client side, users will have to use the utility 'yppasswd' to
change their passwords instead of passwd.

Clients

On the client side, open /etc/yp.conf. This file should contain a list of
the NIS servers for your domain. Multiple NIS servers can be specified
here so if one goes down, the NIS client will try the other. Hostnames are
also allowed here but make sure that the host's IP address is present in
/etc/hosts because NIS does not use DNS.

ypserver 192.168.0.100
ypserver nisbackup.freeos.com

Open /etc/passwd and remove the entries for all users that are to be
authenticated off the NIS master server. Also remove their shadow password
entries from /etc/shadow. At the bottom of /etc/passwd add this entry --
'+::::::'. Do the same for /etc/group but add the entry '+:::' here.

Start ypbind.

/etc/rc.d/init.d/ypbind start

Now try to login to your machine using a login/password pair that does not
exist on your machine. If the login is successful then your NIS setup is
working correctly.

The above '+' entries mean that anyone who is in the NIS password database
will be able to log in to this machine. You might not want that; you may
want only a few users, or a specific group of users, to have access to a
machine.

Edit /etc/nsswitch.conf and put in the following entries, if not already
there. Comment out any other passwd and group entries.

passwd: compat
group: compat

Some distributions like Red Hat use "passwd: files nisplus nis" here. That
will also work fine. In fact, with this entry in nsswitch.conf, you do not
require the '+' entries in /etc/passwd. What you lose is the ability to
selectively disallow certain users or netgroups, as we're trying to do below.

Now edit your passwd file and replace the '+::::::' entry with the name of
the user you want to allow, prefixed with a '+' and followed by
'::::::'.

+mayank::::::
+foo::::::/bin/false
+@nisgrp::::::

Here user mayank has access to the machine. User foo is also allowed, but
the shell is set to /bin/false. Finally, the netgroup nisgrp is also
allowed access. As you can see, you can also override user data for the
client machine; you could, for example, specify a different home directory here.

To disallow access to a few users or netgroups, prefix the name with a '-'
instead. Also make sure that '+::::::' is at the bottom of the file and
that the '-' entry appears above it.

-mayank::::::
+::::::

Here except for user mayank, everyone has access to the machine.
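Because the compat entries are evaluated top to bottom and the first match wins, a '-' line placed below '+::::::' has no effect. The script below is an added example, not part of the article, that walks a passwd file's entries in that order and reports whether a user may log in; netgroup membership (what NIS would answer) is passed in as arguments, and the two sample files are constructed here.

```shell
#!/bin/sh
# Added example (not from the article): evaluate the compat '+'/'-' entries
# of a passwd file in order, as the article describes, and report whether
# USER may log in. Netgroup membership is given as extra arguments because
# this runs offline without an NIS server.

# compat_access PASSWD_FILE USER [NETGROUP...] -> 0 if allowed, 1 if not
compat_access() {
    pwfile=$1; user=$2; shift 2
    ngroups=" $* "
    while IFS= read -r line; do
        name=${line%%:*}                  # login field of the line
        case "$name" in ''|'#'*) continue ;; esac
        sign=${name%"${name#?}"}          # leading '+' or '-' (or a letter)
        target=${name#[+-]}               # entry with the sign stripped
        if [ "$sign" != '+' ] && [ "$sign" != '-' ]; then
            sign='+'; target=$name        # ordinary local account
        fi
        matched=no
        if [ -z "$target" ]; then
            matched=yes                   # bare '+::::::' or '-::::::'
        elif [ "${target#@}" != "$target" ]; then
            case "$ngroups" in *" ${target#@} "*) matched=yes ;; esac
        elif [ "$target" = "$user" ]; then
            matched=yes
        fi
        if [ "$matched" = yes ]; then     # first matching entry decides
            [ "$sign" = '+' ] && return 0
            return 1
        fi
    done < "$pwfile"
    return 1                              # nothing matched: no login
}

# Constructed sample files: GOOD keeps '-mayank' above the catch-all,
# BAD has the catch-all first, which silently defeats the exclusion.
GOOD=$(mktemp); BAD=$(mktemp)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' '-mayank::::::' \
    '+foo::::::/bin/false' '+@nisgrp::::::' '+::::::' > "$GOOD"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' '+::::::' '-mayank::::::' > "$BAD"

for f in "$GOOD" "$BAD"; do
    for u in mayank foo alice; do
        if compat_access "$f" "$u" nisgrp; then r=allow; else r=deny; fi
        echo "$(basename "$f") $u: $r"
    done
done
```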

NFS Setup

Now that the login procedure has been setup, you need to ensure that the
users have access to their home directories.

On the server where the home directories are stored, install the NFS
server. This is also included in most if not all Linux distributions. The
NFS server takes its settings from the file /etc/exports. The format of the
file is quite simple.

directory host(options)

The entry to export everything under the home directory would be

/home 192.168.0.0/255.255.255.0(rw)

The file also accepts only IP addresses. To export the same directory to
several hosts, use the address/netmask pairing as given above. In
brackets, other options specific to the mount may be given. Here I have
given 'rw', which means that the directory is exported with read-write
permissions (by default, NFS exports as read-only). For this setup, this
is all that is required. Do a 'man exports' to see all the options.

On the client machine you can mount this exported filesystem at boot by
adding an entry to /etc/fstab. Make the /home entry look like the one below.

192.168.0.21:/home /home nfs defaults 0 0

The format of this entry will be

server:exported-directory mount-point nfs defaults 0 0

So at boot, the system will mount the entire home directory off the NFS
server and all the user home directories will be available. Make sure that
there are no local sub-directories under /home on the client, because they
will be hidden once the NFS filesystem is mounted over it.

Login again. You will now be authenticated off the NIS server and you
will find yourself in your home directory.

There are some good links related to NIS, which are given below.

NIS Howto
NFS Howto
Thorsten Kukuk
