
Centralised authentication using NIS

On the client side, users will have to use the utility 'yppasswd' to change their passwords instead of passwd.

Clients

On the client side, open /etc/yp.conf. This file should contain a list of the NIS servers for your domain. Multiple NIS servers can be specified here, so if one goes down, the NIS client will try the next. Hostnames are also allowed here, but make sure that the host's IP address is present in /etc/hosts because NIS does not use DNS.

ypserver 192.168.0.100
ypserver nisbackup.freeos.com

Open /etc/passwd and remove the entries for all users that are to be authenticated off the NIS master server. Also remove their shadow password entries from /etc/shadow. At the bottom of /etc/passwd add this entry: '+::::::'. Do the same for /etc/group but add the entry '+:::' here.

Start ypbind.

/etc/rc.d/init.d/ypbind start

Now try to log in to your machine using a login/password pair that does not exist on your machine. If the login is successful then your NIS setup is working correctly.

The above '+' entries mean that anyone who is in the NIS password database will be able to log in to this machine. You might not want that. You may want to give only a few users, or a specific group of users, access to a machine.

Edit /etc/nsswitch.conf and put in the following entries, if not already there. Comment out any other passwd and group entries.

passwd: compat
group: compat

Some distributions like Red Hat use "passwd: files nisplus nis" here. That will also work fine. In fact, with this entry in nsswitch.conf, you do not require the '+' entries in /etc/passwd. What you lose is the ability to selectively disallow certain users or netgroups, as we're trying to do below.

Now edit your passwd file and replace the '+::::::' entry with the name of the user you want to allow, prefixed with a '+' and followed by '::::::'.

+mayank::::::
+foo::::::/bin/false
+@nisgrp::::::

Here user mayank has access to the machine. User foo is also allowed but the shell is set to /bin/false. Finally, the netgroup nisgrp is also allowed access. Here you see that you can also modify user data for the client machine. You could also specify a different home directory path here.

To disallow access to a few users/netgroups, prefix the username with a '-' instead. Also make sure that '+::::::' is at the bottom of the file and this entry appears above it.

-mayank::::::
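
The ordering and override rules above can be checked mechanically. The following Python script is an added example, not part of the original article: it parses the '+'/'-' compat entries of a passwd file, reports per-entry overrides, and flags a '+::::::' wildcard and any entry placed below it. The function name audit_compat and the sample file contents are assumptions constructed for illustration.

```python
# Added example (not from the original article): audit NIS compat entries.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
+foo::::::/bin/false
+@nisgrp::::::
+::::::
-mayank::::::
"""  # constructed sample; the last two lines are deliberately in the wrong order


def audit_compat(passwd_text):
    """Return (rules, warnings) for the '+'/'-' entries of a passwd file."""
    rules, warnings, wildcard_at = [], [], None
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] not in "+-":
            continue  # local account or blank line: not a compat entry
        fields = line.split(":")
        if len(fields) != 7:
            warnings.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name = fields[0][1:]
        kind = "all" if not name else "netgroup" if name[0] == "@" else "user"
        rule = {
            "line": lineno,
            "action": "allow" if line[0] == "+" else "deny",
            "kind": kind,
            "name": name.lstrip("@"),
            # Non-empty home/shell fields replace the values from the NIS map.
            "overrides": {k: v for k, v in
                          (("home", fields[5]), ("shell", fields[6])) if v},
        }
        rules.append(rule)
        if wildcard_at is not None:
            warnings.append(f"line {lineno}: '{fields[0]}' comes after '+::::::' "
                            f"(line {wildcard_at}), which must be at the bottom")
        elif kind == "all" and rule["action"] == "allow":
            wildcard_at = lineno
    if wildcard_at is not None:
        warnings.append(f"line {wildcard_at}: '+::::::' admits every NIS user "
                        "not excluded above it")
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = audit_compat(SAMPLE)
    for r in rules:
        print(r["line"], r["action"], r["kind"], r["name"] or "*", r["overrides"])
    for w in warnings:
        print("WARNING:", w)
```

To audit a real client, pass the contents of /etc/passwd to audit_compat instead of SAMPLE.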