Next Previous Contents

8. What do you need to set up NIS+ ?

8.1 The Software

The Linux NIS+ client code was developed for the GNU C library 2. There is also a port for Linux libc5, since all commercial Applications are linked against this library, and you couldn't recompile them for using glibc. There are problems with libc5 and NIS+: You couldn't link static programs with it, and programs compiled with this library will not work with other libc5 versions.

You need to retrieve and compile the latest GNU C library 2 snapshot. And you need a glibc based system like RedHat 5.x or the upcoming Debian 2.0. But be warned: This is beta Software ! Read the Docs about glibc snapshots and from the Distributions ! glibc 2.0.x doesn't contain the NIS+ support, and will never contain it. The first public version with NIS+ support will be 2.1.

The NIS+ client software can be obtained from:

  Site                   Directory                  File Name

  ftp.kernel.org         /pub/software/libs/glibc   libc-*, glibc-crypt-*,
                                                    glibc-linuxthreads-*
  ftp.kernel.org         /pub/linux/utils/net/NIS+  nis-tools-1.4.2.tar.gz
  ftp.kernel.org         /pub/linux/utils/net/NIS+  pam_keylogin-1.2.tar.gz

Distributions based on glibc can be fetched from:

  Site                   Directory

  ftp.redhat.com         /pub/redhat/redhat-5.1
  ftp.debian.org         /pub/debian/dists/hamm

For compilation of the GNU C Library, please follow the instructions which come with the software. Here you could find the patched libc5, based on NYS and the glibc sources as drop in replacement for the standart libc5:

  Site               Directory                  File Name

  ftp.kernel.org     /pub/linux/utils/net/NIS+  libc-5.4.44-nsl-0.4.10.tar.gz

You should also look at http://www-vt.uni-paderborn.de/~kukuk/linux/nisplus.html for more information and the latest sources.

8.2 Setting up a NIS+ client

IMPORTANT: For setting up a NIS+ client, read your Solaris NIS+ docs what to do on the server side ! This document only describes what to do on the client side !

After installing the new libc and nis-tools, create the credentials for the new client on the NIS+ server. Make sure, portmap is running. Then check, if your Linux PC has the same time as the NIS+ Server. For secure RPC, you have only a small window from about 3 minutes, in which the credentials are valid. A good idea is to run xntpd on every host. After this, run

domainname nisplus.domain.
nisinit -c -H <NIS+ server>

to initialize the cold Start File. Read the nisinit man page for more options. Make sure, that the domainname will always be set after a reboot. If you don't know what the NIS+ domain name is on your network, ask your system/network administrator.

Now you should change your /etc/nsswitch.conf file. Make sure, that the only service after publickey is nisplus ("publickey: nisplus"), and nothing else !

After this, start keyserv and make sure, that it will always be started at boot time. Run

keylogin -r
to store the root secretkey on your system. (I hope you have added the publickey for the new host on the NIS+ Server ?).

"niscat passwd.org_dir" should now show you all entries in the passwd database.

8.3 NIS+, keylogin, login and PAM

When the user logs in, he need to set his secretkey to keyserv. This is done by calling "keylogin". The login from the shadow package will do this for the user. For a PAM aware login, you have to install pam_keylogin-1.1.tar.gz and change the /etc/pam.d/login file to use pam_unix_auth, not pwdb, which doesn't support NIS+. An example:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_keylogin.so
auth       required     /lib/security/pam_unix_auth.so
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_unix_passwd.so
session    required     /lib/security/pam_unix_session.so

8.4 The nsswitch.conf File

The Network Services switch file /etc/nsswitch.conf determines the order of lookups performed when a certain piece of information is requested, just like the /etc/host.conf file which determines the way host lookups are performed. For example, the line

    hosts: files nisplus dns

specifies that host lookup functions should first look in the local /etc/hosts file, followed by a NIS+ lookup and finally thru the domain name service (/etc/resolv.conf and named), at which point if no match is found an error is returned.

A good /etc/nsswitch.conf file for NIS+ is:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the /var/db databases
#       [NOTFOUND=return]       Stop searching if not found so far
#

passwd:     compat
# for libc5: passwd: files nisplus
group:      compat
# for libc5: group: files nisplus
shadow:     compat
# for libc5: shadow: files nisplus

passwd_compat: nisplus
group_compat:  nisplus
shadow_compat: nisplus

hosts:      nisplus files dns

services:   nisplus [NOTFOUND=return] files
networks:   nisplus [NOTFOUND=return] files
protocols:  nisplus [NOTFOUND=return] files
rpc:        nisplus [NOTFOUND=return] files
ethers:     nisplus [NOTFOUND=return] files
netmasks:   nisplus [NOTFOUND=return] files
netgroup:   nisplus
bootparams: nisplus [NOTFOUND=return] files
publickey:  nisplus
automount:  files
aliases:    nisplus [NOTFOUND=return] files


Next Previous Contents