Using Network Information Services on CentOS Linux Page 1 of 21

Using Network Information Services on CentOS Linux

Introduction

In a small or medium-sized business, it may not be necessary to have a centralized management system
for computer users. Just having individual user accounts on each desktop machine may be all that's
needed. But, in an enterprise-type environment, having a central database of user log-in credentials
could be very helpful. Two tools that can be used to accomplish this are Network Information Services
(NIS), and Lightweight Directory Access Protocol (LDAP). LDAP has better security features than
NIS, but it also has a steeper learning curve. If you're working with a secure, internal network with
UNIX-type clients, and you want something that's quick and easy to learn, then NIS would be an
appropriate choice.

NIS was created by Sun Microsystems, and was originally called “Yellow Pages”. But, they had to
change the name when the owner of the real Yellow Pages sued for trademark infringement. So, if
you're wondering why the names of NIS utilities and configuration files start with “yp”, that's the
reason.

A newer version of NIS, called “NIS+” was also developed by Sun. It has better security than regular
NIS, but it's harder to use and isn't available for CentOS.

Prerequisites

Without a centralized user database, such as NIS, each computer would have its own copy of the
passwd, shadow, group, and gshadow files in the “/etc” directory. With NIS, all user information
would be aggregated on the NIS server. But, with UNIX-type operating systems, a user can't log in
unless a home directory exists for that user. When setting up an NIS system, there are three ways to
deal with this problem.

● If you're setting up NIS on an existing network, you can just use the home directories that
already exist on the individual client computers.
● If you're setting up a network from scratch, you can use “mkdir” to manually create home
directories on the individual client computers. Then, copy the bash configuration files from the
“/etc/skel” directory into each user's home directory. (Be sure to change ownership of all of
these files from "root" to the new user.) You'll also need to create an empty ".dmrc" file in each

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 2 of 21

user's home directory, and change ownership of it, as well. (You can do this with the "touch"
utility.) Note, though, that you won't be able to change ownership of these directories until NIS
server has been set up with the user's account.

With the preceding two options, any given user would only be able to access his files from whatever
computer has his home directory. If that's what you want, then fine. Otherwise, you might consider the
third option.

● Set up a centralized “/home” directory with the Network File System (NFS), and use that for the
users' home directories.

This option will allow any given user to access his files from any computer on the network. So, before
we get into the nitty-gritty of NIS, let's take a quick look at how to share a “/home” directory via NFS.

Network File System on CentOS

You can set up the shared directory on either the NIS server, or on a different server. Either way, the
procedure works the same.

First, install the “nfs-utils” and “portmap” packages on the designated fileserver.

sudo yum install nfs-utils portmap

Or, if you have a graphical interface on the server, you can use YUM Extender.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 3 of 21

Next, edit the “/etc/exports” file to look something like this:

/home 192.168.0.0/255.255.255.0(rw,insecure)
This line says that we want to share the “/home” directory with users on the “192.168.0.0” network,
and that we want the users to have both read and write privileges. The “insecure” part means that we're
allowing NFS to access high-number ports. (That is, ports higher than 1024.) Activate the export with
the command:

sudo exportfs -a

You'll now configure the firewall, which is a two-step process. Open the “/etc/sysconfig/nfs” file for
editing. Un-comment the following lines:

RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020

Save the file and exit the text editor. Restart the nfs and portmap services with the following
commands:

sudo service portmap restart

sudo service nfs restart

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 4 of 21

NOTE: CentOS version 5 uses portmap. On version 6, portmap will be replaced by

rpcbind.

The second step is to open the firewall ports. You can use the “lokkit” utility from the command-line,
or, if you're using a graphical interface, you can use the GUI firewall utility. Either way, open the
following ports:

111:tcp
111:udp
2049:tcp
32803:tcp
32769:udp
892:tcp
892:udp
875:tcp
875:udp
662:tcp
662:udp

That completes NFS setup for the server. Now, you need to configure each of the client computers that
will be used to access this shared directory.
On each client computer, make a backup of the “/home” directory, and then create a new “/home”
directory that will be used as a mount point. (Note that before you do this, you'll want to log out of
your normal user account, and log back in as the “root” user.)

cd /
mv home home.backup
mkdir home

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 5 of 21

NOTE: This step only works if the “/home” directory is on the same partition as the “/” filesystem. If
“/home” is mounted as a separate partition, you won't be able to rename the “/home” directory.

Ensure that the shared directory can be mounted by entering:

mount 192.168.0.102:/home /home

(Of course, you would substitute the IP address of your own fileserver.)

If it works, then unmount it by entering:

umount /home

Make the share permanent by editing the “/etc/fstab” file. Add a line such as the following:

192.168.0.102:/home /home nfs rw,hard,intr 0 0

The “hard” option will cause a program to hang if the NFS server crashes. The “intr” option allows
you to gracefully kill the hung process. These options are highly recommended to help prevent
corruption of files should the NFS server crash.

Before you reboot the computer, ensure that the shared directory mounts correctly by entering:

mount -a
Reboot the machine, and log back in as a normal user.

Now that the NFS stuff is taken care of, you're ready to start configuring NIS.

Configuring the NIS Master Server

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 6 of 21

In any NIS setup, you'll have to have an NIS Master Server and the clients. Optionally, you can have
an NIS Slave Server that can take over if the Master Server goes down. Let's take a look at how to set
up the Master Server.

Install the NIS packages:

sudo yum install ypbind yp-tools yp-server portmap

NOTE: CentOS version 5 uses portmap. On version 6, portmap will be replaced by rpcbind.

Optionally, you can use YUM Extender:

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 7 of 21

The next step is to create an NIS domain. Note that this isn't the same as your network domain. Rather,
they're two separate entities. For convenience, you can give the NIS domain the same name as the
network domain, but you don't have to. Here in our test lab, we've named given our network domain
the name “xyzwidgets.com”. So, we'll name the NIS domain accordingly.

Open the “/etc/sysconfig/network” file for editing, and add the following lines, substituting your own
domain name:

NISDOMAIN=xyzwidgets.com
YPSERV_ARGS=”-p 834”
YPXFRD_ARGS="-p 835"

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 8 of 21

The second and third line will cause the NIS server and data transfer daemons to each listen on a
specified port. This makes it much easier to configure a firewall. (The default is for to choose ports
dynamically, which makes firewall administration much more difficult.)

To make the new domain name take effect, enter the command:

sudo nisdomainname xyzwidgets.com

Once you've started the NIS server domain, you'll be able to verify the domain name just by entering
the command, “nisdomainname”. If you enter the command before the daemon is started, you'll
only get “none” as a response.

Open the “/etc/ypserv.conf” file, and you'll see it set with the following defaults:

dns: no
files: 30
slp: no
slp_timeout: 3600
xfr_check_port: yes
: * : shadow.byname: port: yes
: * : passwd.adjunct.byname: port: yes

Leave the defaults as they are, and add the following line to the bottom of the file. (Again, substitute
your own NIS domain name.)

domain xyzwidgets.com

A Master NIS server also needs to be a client of itself. Open the “/etc/yp.conf” file and add the line:

ypserver 127.0.0.1

As long as you're still in the “/etc” directory, edit the “hosts.allow” file to allow PORTMAP access to

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 9 of 21

only the specified computers or network. Add a line like this one:

PORTMAP: 192.168.0.0

Next, cd into the “/var/yp” directory, and create a “securenets” file. This file will determine what
computers are allowed to access NIS. On each line of the file, enter the netmask, followed by the IP
address of either the computer or network that you want to allow. Make the file look something like:

255.255.255.255 127.0.0.1
255.255.255.0 192.168.0.0
In this example, we're allowing access from the localhost, and from the “192.168.0.0” network.

Before you start the NIS daemons, make sure that the portmap daemon is running. For CentOS 5,
enter:
sudo service portmap status

For CentOS 6, enter:

sudo service rpcbind status

This should be running already, but if not, start them with either:

sudo service portmap start

. . .or. . .

sudo service rpcbind start

Start the NIS daemons, and turn them on at boot-up, by entering:

sudo service yppasswdd start

sudo service ypserv start

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 10 of 21

sudo chkconfig yppasswd on

sudo chkconfig ypserv on

There are still two more NIS daemons that you'll eventually need to start. But, before they'll start
properly, you'll need to initialize the NIS domain. You'll do this with the “ypinit” utility.

SELinux Note:

SELinux is a good thing, but it can be quite contrary to deal with. For this reason, many IT
Administrators disable it, and never use it. (This isn't a practice that we like to recommend.)

When you issue certain "yp" commands, such as "ypinit", you'll see that they set an SELinux boolean
to allow the database initialization to take place. Here, this worked fine when running "ypinit -m" to
set up the Master server, but it didn't work later on when using "ypinit -s" to set up the Slave server. If
you get SELinux error messages when running a "yp" command, go ahead and disable SELinux to run
the command, and be sure to re-enable it when the command is complete.

Curiously, ypinit is in the “/usr/lib/yp” directory in the x86 version of CentOS, and in the
"/usr/lib64/yp" directory in the x86_64 version of CentOS. So, you'll need to enter the entire command
path to invoke it. To create the initial NIS maps, invoke it with the “-m” option.

sudo /usr/lib/yp/ypinit -m
. . . or . . .

sudo /usr/lib64/yp/ypinit -m
Here, you can see that the hostname of the Master server, “centos5.xyzwidgets.com”, has already been
recognized by ypinit.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 11 of 21

If you want to have a Slave NIS server on you r network, then enter its hostname on the next line.

(If you're wondering what happened to “centos5-2”, it currently has a bad hard drive.)

When you've finished entering the hostnames of all NIS servers, press Ctrl-d.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 12 of 21

When it's finished, you'll have a new subdirectory in the “/var/yp” directory, named after your NIS
domain.

If you ever need to run the “ypinit -m” command again, you'll need to delete this subdirectory, and

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 13 of 21

restart the portmap, yppasswd, and ypserv daemons first.

NOTE: In the preceding example, we used the hostnames of the Master and Slave NIS servers. For
this to work, you'll need to either have a DNS server that's configured with the two NIS servers, or to
edit the “/etc/hosts” file on each server.

Now that the ypinit is complete, you can start the remaining two daemons:

sudo service ypbind start

sudo service ypsfrd start
sudo chkconfig ypbind on
sudo chkconfig ypsfrd on

Note that when you start “ypbind”, it will automatically configure SELinux to allow proper operation.

The ypinit utility should have transferred any information from existing user accounts to the NIS maps.
You can test this by using either “ypmatch” or “getent” to retrieve information about a user that you
know already exists.

getnent passwd username

ypmatch username passwd

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 14 of 21

As you see here, the “ypmatch” command returns the hashed password string for the user. (Amazingly,
you're allowed to do this as a normal user.)

Add new users in the usual manner. Then, cd into the “/var/yp” directory, and run the “make”
command:

sudo useradd newuser

sudo passwd newuser
cd /var/yp
sudo make

Again, verify that it worked with the “ypmatch” and “getent” commands.

Note: Any time you make any changes to the user database, you'll need to cd to the "/var/yp"
directory and issue the "make" command. This includes when you use "useradd", "usermod",
"passwd", "chage", etc.

Configuring the NIS Server Firewall

We'll be honest, configuring a firewall for NIS can be quite the pain. The problem is, that only two of
the daemons can be set to listen on a designated port. The other daemons will listen on a different port
every time they're restarted. So, every time you boot the machine or restart the daemons, you'll have to
change your firewall.

In the "/etc/sysconfig/network" file, we've already set the "ypserv" and "ypxfrd" daemons to listen on

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 15 of 21

ports 834 and 835. So, we can open those two ports for UDP and TCP. To find out what ports to open
for the "ypbind" and "yppasswd" daemons, enter the command, "rpcinfo -p".

Here, we see that "yppassdd" is listening on port 1013 UDP, and "ypbind" is listening on ports 728 and
731, UDP and TCP. So, we now know to open those firewall ports.

You'll also need port 111 UDP and TCP open for the "portmapper" or "rpcbind" daemon.

Configuring the NIS Clients

Before we configure the Slave NIS server, we'll first look at configuring the NIS clients.

There are several methods that you can use to set up an NIS client. The best way is to use “authconfig-
tui”.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 16 of 21

sudo authconfig-tui

On the first screen that comes up, enable the “Cache Information” and “Use NIS” options.

On the next screen, fill in the domain name information, if it isn't filled in already. Then, fill in the IP
address of the Master NIS server.

When you exit out of authconfig-tui, the NIS daemons will automatically get started or restarted.

Next, you'll need to edit the “/etc/host.conf” file. Change it to add the NIS lookup.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 17 of 21

order hosts,nis,bind

Look in the “/etc/nsswitch.conf” file, and verify the following entries:

Test access to the NIS server by entering the command:

ypcat passwd

You should see a display that looks something like this:

Note that you won't see any user information about either service account users or the root user. That's
because NIS is configured to only map information for users with UID's of 500 or higher. (In other
words, it'll only map information for normal user accounts.)

Configuring the Slave NIS Server

For any essential network component, it's always good to have a backup in case the primary one fails.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 18 of 21

In this section, we'll show you how to set up a Slave NIS server that can be automatically updated from
the Master NIS server. (If you've ever researched how to set up an NIS Slave server, you may find that
there really aren't any clear instructions on how to do it. We hope to rectify that now.)

The first step is to configure the "/var/yp/Makefile" on the Master NIS server. This will allow any
changes to the Master server maps to get pushed to the Slave server any time that you run the "make"
command on the Master.

On the Master server, open the "/var/yp/Makefile" for editing, and find the line that says,
"NOPUSH=true". Change it to:

NOPUSH=false

Install the NIS daemons on the Slave, as you did on the Master.

On the Slave, edit the "/etc/hosts.allow" file, the "/etc/sysconfig/network" file, and the
"/var/yp/securenets" file, making them all look the same as their counterparts on the Master NIS server.

Edit the "/etc/yp.conf" file, adding the Slave server first, and the Master server second.

domain xyzwidgets.com server 127.0.0.1

domain xyzwidgets.com server centos5

In the "/etc/ypserv.conf" file, add these two lines--with your own Master server and domain name--to
the bottom:

trusted_master: centos5
domain xyzwidgets.com

You're now ready to start the daemons. Start with "portmap" (or "rpcbind"), "ypbind", and "ypxfrd".
This will allow the Slave to query the master, and to optimize data file transfers.

sudo service portmap (or rpcbind) start

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 19 of 21

sudo service ypbind start

sudo service ypxfrd start
sudo chkconfig portmap (or rpcbind) on
sudo chkconfig ypbind on
sudo chkconfig ypxfrd on

At this point, you should be able to enter the "ypwhich -m" command on the Slave, and obtain a listing
of the map files on the Master.

Next, transfer the map files from the Master by entering either. . .

sudo /usr/lib/yp/ypinit -s centos5

. . . on a server with the x86 version of CentOS, or. . .

sudo /usr/lib64/yp/ypint -s centos5

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 20 of 21

. . . on the x86_64 version of CentOS.

Note that you may get some error messages during this transfer.

However, if you also see the "fallback to enumeration" message as shown here, don't worry about it;
the transfer is still taking place properly.

Start the rest of the NIS daemons:

sudo service ypserv start

sudo service yppasswdd start
sudo chkconfig ypserv on
sudo chkconfig yppasswd on

Finally, configure the firewall the same as you did for the Master server.

You can test this server by stopping the "ypserv" daemon on the Master, and trying to log in from a
client.

Copyright © 2010 CyberMontana, Inc. All rights reserved.

Using Network Information Services on CentOS Linux Page 21 of 21

Adding an Additional Slave Server

Adding additional Slave servers is easy.

● First, on the Master server, add the hostname of the new Slave to the "/var/yp/ypservers" file.
● Then, set up the new Slave in the same manner that you set up the first one.

Creating a Cron Job for Scheduled Map Transfers

You can set up a cron job on the Slave server to automatically retrieve any updates that didn't get
transferred via the "make" command. Create a cron job file in the "/etc/cron.d" directory, with an entry
that looks something like this:

45 * * * * root /usr/lib/yp/ypfxr_1perhour

This will cause a transfer to take place at 45 minutes past every hour. If you look in the "/usr/lib/yp" or
"/usr/lib64/yp" directory, you'll also see scripts that you can use for once-per-day or twice-per-day cron
jobs.

Changing User Passwords

Theoretically, a user can log into a client and use "yppasswd" to change his own password. However,
here in our test lab, we couldn't get that to work. So, the best thing to do is to let the use log onto the
Master server, and change it there. On the Master server, the user can either use "yppasswd", or the
regular "passwd" utility.

If the "yppasswd" utility is used, then then the new password won't get transferred to the Slave server
until the Slave's cron daemon runs the scheduled update command. If the "passwd" utility is used, then
the Administrator will have to run the "make" command to update the map files and get them
transferred to the Slave.

Copyright © 2010 CyberMontana, Inc. All rights reserved.