We use the Linux NIS server (Network Information Service) for sharing critical data stored in flat files between systems on a network. It is often ideal to have a shared repository (such as NIS) for storing user and group information instead of storing it in flat files like /etc/passwd.
So what is the benefit of that?
Making such files available via the NIS server allows any remote NIS client machine to access or query the data in these shared files and use them as extensions to the local versions.
NIS is not a general file-sharing service. You can share any tabular file that has at least one column with a unique value via NIS, such as the /etc/services file.
The main benefit of using the NIS server is that you keep your data and files, and propagate any updates to all users.
Some users, especially Windows users, might think this is a sort of Active Directory-like service. The Linux NIS server is older than Active Directory and is not a replacement for it.
What is NIS?
The NIS is a database that contains a series of tables. It creates tables from text files like /etc/passwd, /etc/services, and any other tabular files.
Each table may contain one column or more with a unique key on each row.
You can think of it like any normal database.
You can query these tables in two ways:
- Listing the entire table
- Pulling a specific entry by searching
When a program looks up a user's password details, the client first checks the local /etc/passwd file; if the user doesn't exist there, the client then asks the NIS server to search for it in the /etc/passwd table on the NIS server.
You can use any of the services and tools that come with the NIS server:
ypserv: This service waits for queries and gives answers to NIS clients.
ypbind: This is the client-side of NIS.
ypxfrd: You can use this service for sending the NIS databases from master NIS servers to slave servers.
Linux NIS servers
Linux NIS server types are:
- Master server: stores original files.
- Slave (secondary) server: used for load balancing and helpful in case of master server failure.
You can have multiple secondary NIS servers if you need them.
Primary and secondary NIS servers are kept synced and updated. This process is called server push.
NIS domain name
NIS domains are just like the domains of a domain controller in Windows, but the difference is that a client can join the network without having to wait for admin acceptance.
Keep in mind that the names used for NIS domain names MUST be different from your DNS domain names.
Installing Master Linux NIS Server
On Red Hat based distros, you can install it like this:
$ dnf -y install ypserv
On Debian-based distros, you can install it like this:
$ apt-get -y install nis
After successful installation, you need to set the NIS domain name by using the domainname command.
Let’s name it nis.example.com
$ domainname nis.example.com
To persist our NIS domain name on Red Hat based distros, we can create a variable called NISDOMAIN in the /etc/sysconfig/network file.
On Debian-based distros, you can achieve the same result by adding the domainname command with the correct value to one of the rc scripts which run at boot time.
As we mentioned earlier, the ypserv waits for queries and gives answers to NIS clients.
NIS is an RPC service, so you need to ensure that the rpcbind program is up and running before you attempt to start the Linux NIS server.
On new Linux distros that rely on systemd as the service manager, systemd will automatically take care of the dependencies that exist between rpcbind and ypserv.
If your distro is not one of them, you can start rpcbind like this:
$ systemctl start rpcbind
On our distro which has systemd, we can start the service like this:
$ systemctl start ypserv
To confirm that the service is running, you can use the rpcinfo command.
$ rpcinfo -p | grep ypserv
Editing the Makefile
The make command is responsible for preparing the list of files that need compilation and the program required to compile each of them.
The make command reads its instructions from a file called Makefile.
Applying this concept to NIS is straightforward. In this case, a series of text files need to be converted into a database format. We want a tool that will re-convert any files that have been changed. We can use the make command.
The Makefile is in the /var/yp directory. This file lists all the files shared by the NIS server.
Let’s discuss the options in the Makefile.
If you plan to have NIS slave servers, you will need to tell the master Linux NIS server to push the resulting maps to the slave servers. Change the NOPUSH variable to false if you want to have support for slave servers.
Keep in mind that you need to list the hostnames of your slave servers in the /var/yp/ypservers file and make sure each one has a corresponding entry in the /etc/hosts file.
Min UIDs GIDs
Every user on Linux has a user id and group id. You can get your id by typing the id command and gid command respectively.
You can set the minimum permissions for the files that will be shared via NIS using MINUID and MINGID like this:
Merging shadow passwords with real ones
The Linux NIS server can be used to authenticate users. The NIS server will automatically take the encrypted field from the /etc/shadow file and merge it into the NIS shared copy of /etc/passwd.
You can do this using the MERGE_PASSWD option:
Merging group shadow passwords with real ones
The /etc/group file allows passwords to be applied to group settings. Since the /etc/group file needs to be publicly readable, most distros support a shadow group file, /etc/gshadow.
The option is called MERGE_GROUP:
In the Makefile, there is an option that lets you specify what you want to share; it is the all option.
all: passwd group hosts services shadow networks
The option YPPWDDIR specifies the location of the passwd, group, and shadow files, so you don’t need to type the full path.
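The Makefile options above decide which accounts and which password hashes every NIS client can read. The following audit script is an added example, not part of the original post; the function names and the MIN_ID floor of 1000 are assumptions, while the variable names are the ones discussed above.

```shell
#!/bin/sh
# Added example (not from the article): flag risky settings in the NIS Makefile.
# MIN_ID=1000 is an assumed floor for regular accounts; adjust to your distro.
MIN_ID=${MIN_ID:-1000}

# Value of a NAME=value Makefile variable (last assignment wins).
mk_var() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Maps listed on the "all:" target, with backslash continuations joined.
all_targets() {
    awk '/^all:/ {on=1; sub(/^all:/, "")}
         on {c = /\\$/; sub(/\\$/, ""); printf "%s ", $0; if (!c) exit}' "$1" | tr '\t' ' '
}

# Print one finding per line; print nothing if no check fires.
audit_nis_makefile() {
    mk=${1:-/var/yp/Makefile}
    if [ ! -r "$mk" ]; then echo "ERROR: cannot read $mk"; return 2; fi
    # Entries with a UID/GID below MINUID/MINGID are left out of the maps.
    for name in MINUID MINGID; do
        val=$(mk_var "$mk" "$name")
        case $val in
            ''|*[!0-9]*) echo "CHECK: $name is not a literal number ('$val')" ;;
            *) if [ "$val" -lt "$MIN_ID" ]; then
                   echo "WARN: $name=$val puts system accounts (below $MIN_ID) in the maps"
               fi ;;
        esac
    done
    # Merged maps carry the hash fields from /etc/shadow and /etc/gshadow,
    # so every client that can read the map can read the hashes.
    for name in MERGE_PASSWD MERGE_GROUP; do
        if [ "$(mk_var "$mk" "$name")" = "true" ]; then
            echo "WARN: $name=true publishes shadow hashes in a NIS map"
        fi
    done
    case " $(all_targets "$mk") " in
        *" shadow "*) echo "WARN: 'all' target shares the shadow map itself" ;;
    esac
    if [ "$(mk_var "$mk" NOPUSH)" = "false" ]; then
        echo "INFO: NOPUSH=false, maps are pushed to hosts in /var/yp/ypservers"
    fi
    return 0
}

# Audit a file only when a path is given on the command line.
if [ $# -gt 0 ]; then audit_nis_makefile "$1"; fi
```

Run it as `sh audit.sh /var/yp/Makefile` on the master before running ypinit; a CHECK line means the value is computed by the Makefile and has to be read by hand.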
Initialize NIS server using ypinit
Once you’ve finished editing options in Makefile, you can initialize the NIS server like this:
$ /usr/lib64/yp/ypinit -m
You can use the -m option to initialize the server as a master server.
Or if you are using a 32-bit system, the command will be:
This tool will ask about the secondary NIS servers if you have any.
The server will store these entries in the /var/yp/ypservers file.
Congratulations, now your NIS server should work OK, and your map will be on the secondary servers if you have any.
Configuring NIS client
On Red Hat based distros, you can install NIS client like this:
$ dnf -y install ypbind
On Debian-based distros, you can install it like this:
$ apt-get install nis
The /etc/yp.conf file is the configuration for the client-side daemon.
You can start ypbind now:
$ systemctl start ypbind
$ systemctl enable ypbind
The /etc/nsswitch.conf file contains entries for facilities and the corresponding files and services that the system will use for searching.
passwd: files nis
This entry tells the system to search for password entries in the local /etc/passwd file first and, if nothing is found there, to check the NIS server.
There are some useful tools that can help you manage the information in the database.
ypcat: You can use this tool to get data from the NIS server by extracting it from the NIS map.
ypwhich: gets the name of the Linux NIS server that is responding to your requests.
ypmatch: rather than grabbing the entire map, you can search by key to get a specific entry.
I hope you find the post useful and interesting. Keep coming back.
Mokhtar is the founder of LikeGeeks.com. He has worked as a Linux system administrator since 2010. He is responsible for maintaining, securing, and troubleshooting Linux servers for multiple clients around the world. He loves writing shell and Python scripts to automate his work.