NIS NOTES

We recently upgraded our NIS server from an old version of ypserv (YPserv 1.3.9 on Redhat 6.2) to a new version (YPserv 2.6 on Redhat 7.3).

Overall, this was a good thing. NIS isn't too secure, but the older versions are even less secure than the newer versions, so the upgrade was way overdue.

One of the things we did was to tighten down what maps we exported out. The old NIS server would export out the following maps:

Those maps were full of several years' worth of (politely) obsolete information, so the first thing to do was to clean them all out and get them up to date. Once this was done we had a good look at them.

We don't use the ethers, netmasks, protocol and services maps. ethers was used for remote booting of Sun systems, which were removed years ago; netmasks is irrelevant as we don't do anything fancy with any of our netmasks; for protocol and services we rely on the local machine files instead of the NIS ones.

Next step was to edit the /var/yp/Makefile so it only updated the maps we were using. This meant commenting out maps that we didn't use and changing the make target. We ended up with something like this:

# These are the files from which the NIS databases are built. You may edit
# these to taste in the event that you wish to keep your NIS source files
# separate from your NIS server's actual configuration files.
#
GROUP       = $(YPPWDDIR)/group
PASSWD      = $(YPPWDDIR)/passwd
ALIASES     = $(YPSRCDIR)/aliases
HOSTS       = $(YPSRCDIR)/hosts
NETGROUP    = $(YPSRCDIR)/netgroup
#       GROUP       = $(YPPWDDIR)/group
#       PASSWD      = $(YPPWDDIR)/passwd
#       SHADOW      = $(YPPWDDIR)/shadow
#       GSHADOW     = $(YPPWDDIR)/gshadow
#       ADJUNCT     = $(YPPWDDIR)/passwd.adjunct
#       ALIASES     = $(YPSRCDIR)/aliases
#       ETHERS      = $(YPSRCDIR)/ethers     # ethernet addresses (for rarpd)
#       BOOTPARAMS  = $(YPSRCDIR)/bootparams # for booting Sun boxes (bootparamd)
#       HOSTS       = $(YPSRCDIR)/hosts
#       NETWORKS    = $(YPSRCDIR)/networks
#       PRINTCAP    = $(YPSRCDIR)/printcap
#       PROTOCOLS   = $(YPSRCDIR)/protocols
#       PUBLICKEYS  = $(YPSRCDIR)/publickey
#       RPC         = $(YPSRCDIR)/rpc
#       SERVICES    = $(YPSRCDIR)/services
#       NETGROUP    = $(YPSRCDIR)/netgroup
#       NETID       = $(YPSRCDIR)/netid
#       AMD_HOME    = $(YPSRCDIR)/amd.home
#       AUTO_MASTER = $(YPSRCDIR)/auto.master
#       AUTO_HOME   = $(YPSRCDIR)/auto.home
#       AUTO_LOCAL  = $(YPSRCDIR)/auto.local
#       TIMEZONE    = $(YPSRCDIR)/timezone
#       LOCALE      = $(YPSRCDIR)/locale
#       NETMASKS    = $(YPSRCDIR)/netmasks

YPSERVERS = $(YPDIR)/ypservers  # List of all NIS servers for a domain

target: Makefile
        @test ! -d $(LOCALDOMAIN) && mkdir $(LOCALDOMAIN) ; \
        cd $(LOCALDOMAIN)  ; \
        $(NOPUSH) || $(MAKE) -f ../Makefile ypservers; \
        $(MAKE) -f ../Makefile all

all: passwd group hosts netgroup mail

A possible catch for people - notice in the make target all, it says "mail" and not "aliases". Had me beating my head against a wall for a little while.

Other files to ensure you have set up correctly are:

When we got everything else set up and working we started to get errors like the following in /var/log/messages:


Dec  5 13:06:21 my-server ypserv[9606]: refused connect from 192.168.100.2:32806 to procedure ypproc_match
Dec  5 13:09:21 my-server ypserv[9606]: refused connect from 192.168.100.2:32806 to procedure ypproc_match
Dec  5 13:11:37 my-server ypserv[9606]: refused connect from 192.168.100.5:32786 to procedure ypproc_match

Much wailing and gnashing of teeth and we finally found the problem. There is a file /etc/nsswitch.conf which provides the order the computer should use when resolving information. Our problem was the default settings aren't right for our setup.

The default looks like this:

passwd:     files nisplus nis
shadow:     files nisplus nis
group:      files nisplus nis

hosts:      files nisplus nis dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files nisplus nis
rpc:        files
services:   files nisplus nis

netgroup:   files nisplus nis

publickey:  nisplus

automount:  files nisplus nis
aliases:    files nisplus

However, since we don't have nisplus and we're not running all the NIS maps, we had to change that to this:

passwd:     files nis
shadow:     files
group:      files nis

hosts:      files nis dns

#bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files 
rpc:        files
services:   files

netgroup:   files nis

#publickey:  nisplus

automount:  files 
aliases:    files nis

Then restart ypbind on the offending machine and it fixes things.
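
A way to check a client's nsswitch.conf against the maps the server actually builds, as an added example that is not part of the original notes. The function name audit_nsswitch and its output format are assumptions; the target list is the "all:" line from the Makefile above. Each output line is a database and a lookup source that the client would try but that this setup does not provide.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Usage: audit_nsswitch "TARGETS" < nsswitch.conf
# TARGETS is the prerequisite list of the "all:" rule in /var/yp/Makefile.
# Prints "database source" for every lookup source the client would try
# that this site does not provide.
audit_nsswitch() {
    awk -v targets="$1" '
    BEGIN {
        n = split(targets, t, " ")
        for (i = 1; i <= n; i++) served[t[i]] = 1
        # The aliases map is built by the "mail" target, not "aliases".
        if ("mail" in served) served["aliases"] = 1
    }
    { sub(/#.*/, "") }                 # drop comments
    NF < 2 { next }                    # blank line or no sources
    {
        db = $1
        sub(/:$/, "", db)
        for (i = 2; i <= NF; i++) {
            if ($i == "nisplus")
                print db, $i           # no NIS+ server on this site
            else if ($i == "nis" && !(db in served))
                print db, $i           # map is not built by the Makefile
        }
    }'
}

# Demo input: lines from the default nsswitch.conf quoted in the notes.
demo_default() {
    audit_nsswitch "passwd group hosts netgroup mail" <<'EOF'
passwd:     files nisplus nis
shadow:     files nisplus nis
hosts:      files nisplus nis dns
bootparams: nisplus [NOTFOUND=return] files
services:   files nisplus nis
aliases:    files nisplus
EOF
}
demo_default
```

Run against the corrected nsswitch.conf shown above, the function prints nothing.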

