NFS and NIS have been around for a while, way before someone decided to network two Windows boxes. They have a lot of neat features.
The Network Information Service (NIS) is a directory service protocol created by Sun. It is not as elegant as, say, LDAP with Kerberos, but can get the work done if due care is taken to keep it as safe as possible.
I am going to present the steps necessary to set up an NFS/NIS system that would serve a bunch of users and the Unix boxes they connect to. Originally I was going to make this fit one single post, but I realized that it (hopefully) would be easier if I broke it down into sessions and dealt with just one aspect at a time. I will also create a fake company so it has that professional look to it. Sounds like a plan? Great! Let's get busy then.

In this example, we work at Cannelloni LLC, a performance kit car manufacturing company. It is primarily a Linux shop all the way to the desktops. Recently it has grown enough to need a centralized directory service and file sharing system. Since we are talking about NIS, Cannelloni chose to use NIS for now. Later in the show we will talk about NIS limitations.
I would start this mess with the main/master NIS server because I want to have the authentication side of the business out of the way. First of all, we need a NIS domain name. This really does not need to have anything to do with the DNS domain, but it should make sense to you. Think of it as a logical group or unit. You talked to your boss and after a few beers it was decided to divide the current network mess into the following groups:
Probably you could have come up with better names, but that is what you get by trying to work drunk. You can always change them later. If nothing else, just to piss off accounting. Since doing every single group would bore me to death, we will assume that development decides to take the lead. If it works there, the same concept will be generalized across the entire company. So, development chooses idefix (it is not very powerful, but that really does not matter) as its NIS server; another machine, obelix, which has a nice hot-swappable RAID 5, will be the file server that exports file shares through NFS.
First, we start by finding out a bit about the company's network and which part of it belongs to development. Careful research indicates the entire company is behind a router, so it has only a handful of public IPs (webserver, mail, and so on) while the LAN uses the private network 192.168.10.0 (it is a small company). The IPs assigned to development are 192.168.10.100 to 192.168.10.120, and not all of them have been handed out yet. This is very important to know because it lets us limit which machines can see the NIS maps. How do we do that? Well, we are getting a bit ahead; let's first create a place to save all the configuration files we will be creating.
We Need a Home
NIS stores a lot of important stuff in /var/yp. Go take a look at it; it should look kinda like this:
dalek@idefix-> ls /var/yp
binding  Makefile  nicknames
dalek@idefix->
Kinda boring, I know, but we are just starting with it. The Makefile you see there is used to generate the NIS maps. By default it will use /etc/passwd, /etc/shadow, /etc/group and a lot of other files that live in /etc. I honestly do not like that. /etc for me is kind of an important directory and I would rather not have its contents passed all over the universe. Instead, I prefer to feed NIS my own passwd, group, and any other map I want to share. Not only does that make it a bit safer, it is also easier to manage/move around, as everything is contained in a single location you can simply tar and move to the next machine. So, we need to do some editing in Makefile. I create two directories, /var/yp/src and /var/yp/src/pwd, and then edit the Makefile as follows (you will need to search within that file for those definitions):
On Linux (ypserv) the variables are called YPSRCDIR and YPPWDDIR:

# YPSRCDIR = /etc
YPSRCDIR = /var/yp/src
# YPPWDDIR = /etc
YPPWDDIR = /var/yp/src/pwd

On Solaris the same two settings are called DIR and PWDIR:

# DIR =/etc
DIR =/var/yp/src
# PWDIR =/etc
PWDIR =/var/yp/src/pwd
The next step is to create those directories and make sure they can only be read/accessed by root, especially /var/yp/src/pwd, as it will host the password file that will be shared through NIS. Next we create a file called securenets in /var/yp, which tells NIS which machines may see these maps:
dalek@idefix-> cat /var/yp/securenets
# /var/yp/securenets
# Restrict access to the NIS maps to the machines defined in this file
#
# allow connections from local host -- necessary
host 127.0.0.1          # same as 255.255.255.255 127.0.0.1
#
# allow connections from any host on the development network
host 192.168.10.100     # asterix
host 192.168.10.101     # obelix
host 192.168.10.102     # idefix
host 192.168.10.103     # panoramix
host 192.168.10.104     # abraracourcix
host 192.168.10.105     # bonemine
host 192.168.10.106     # agecanonix
host 192.168.10.107     # assurancetourix
host 192.168.10.108     # cetautomatix
host 192.168.10.109     # ordralfabetix
host 192.168.10.110     # lelosubmarine
host 192.168.10.111     # falbala
host 192.168.10.112     # aplusbegalix
host 192.168.10.113     # amerix
host 192.168.10.114     # caiusbonus
host 192.168.10.115     # caiusmalosinus
host 192.168.10.115     # tragicomix
host 192.168.10.116     # alambix
host 192.168.10.117     # petisuix
host 192.168.10.118     # jolitorax
host 192.168.10.119     # beaufix
host 192.168.10.120     # barberouge
dalek@idefix->
Do notice we chose to specify each host in /var/yp/securenets. Since the number of machines in this list is not a power of 2, we could not use the IP of the first machine and a carefully chosen subnet mask to cover them all. Also, spelling out every machine we plan on using allows us to comment out the ones we do not need later on.
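A hand-maintained list like this one is easy to get wrong (the list above, for instance, gives 192.168.10.115 to both caiusmalosinus and tragicomix), and since securenets is only a source-address filter, it is worth keeping tight and exact. The script below is an added example, not code from the original post: it parses a securenets file in the `host A` / `netmask network` format shown above, compares the allowed addresses with the intended 192.168.10.100 to 192.168.10.120 range, and reports duplicates, gaps, addresses outside the range and rules too broad to enumerate. It also goes one step beyond the per-host approach and computes the smallest set of mask rules that covers the range exactly (four of them for this range). The sample file, the BROAD_PREFIX cut-off and the function names are this example's own assumptions.

```python
"""Audit a NIS securenets allow list against the address range it is meant
to cover.  Added example, not code from the original post."""
import ipaddress

# Constructed sample in the page's 'host A' / 'netmask network' format.  It
# deliberately lists one address twice (.115), allows one host outside the
# development range (.200) and leaves several in-range addresses out.
SAMPLE_SECURENETS = """\
# allow connections from local host -- necessary
host 127.0.0.1
# development hosts
host 192.168.10.100               # asterix
host 192.168.10.101               # obelix
255.255.255.252 192.168.10.104    # .104-.107 as one mask rule
host 192.168.10.115               # caiusmalosinus
host 192.168.10.115               # tragicomix (same address again)
host 192.168.10.119               # beaufix
host 192.168.10.200               # a laptop outside the development range
"""

# Rules with a prefix shorter than this are reported instead of enumerated;
# the cut-off is an assumption of this example, not a ypserv limit.
BROAD_PREFIX = 16


def parse_securenets(text):
    """Return [(line_no, IPv4Network)] for each rule in a securenets file.
    'host A' is shorthand for '255.255.255.255 A'; comments start with '#'."""
    rules = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {no}: expected 'netmask network', got {raw!r}")
        mask, addr = fields
        if mask == "host":
            mask = "255.255.255.255"
        try:
            # strict=True: a network with host bits set under its mask is a
            # typo we want reported, not silently widened or never matched.
            net = ipaddress.IPv4Network((addr, mask), strict=True)
        except ValueError as err:
            raise ValueError(f"line {no}: {err}") from None
        rules.append((no, net))
    return rules


def audit_securenets(text, first, last, loopback="127.0.0.1"):
    """Compare the allow list with the intended range first..last (inclusive).
    Returns sorted lists of: addresses allowed but outside the range, in-range
    addresses no rule allows, addresses matched by more than one rule, and
    (line, network) pairs for rules too broad to enumerate."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = {ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)}
    covered = {}            # address -> line numbers that allow it
    too_broad = []
    for no, net in parse_securenets(text):
        if net.prefixlen < BROAD_PREFIX:
            too_broad.append((no, str(net)))
            continue
        for addr in net:    # network/broadcast included, as the server sees them
            covered.setdefault(addr, []).append(no)
    allowed = set(covered)
    extra = {a for a in allowed - wanted if str(a) != loopback}
    dupes = [a for a, lines in covered.items() if len(lines) > 1]
    return {
        "outside": [str(a) for a in sorted(extra)],
        "missing": [str(a) for a in sorted(wanted - allowed)],
        "duplicates": [str(a) for a in sorted(dupes)],
        "too_broad": too_broad,
    }


def exact_mask_rules(first, last):
    """Fewest 'netmask network' rules covering exactly first..last.  For
    192.168.10.100-120 this is four rules, which is why no single mask works."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [f"{n.netmask} {n.network_address}"
            for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    report = audit_securenets(SAMPLE_SECURENETS, "192.168.10.100", "192.168.10.120")
    for key, value in report.items():
        print(f"{key:10s} {value}")
    print("\n".join(exact_mask_rules("192.168.10.100", "192.168.10.120")))
```

Run it against the real file with `audit_securenets(open("/var/yp/securenets").read(), "192.168.10.100", "192.168.10.120")`; an empty `missing`, `outside`, `duplicates` and `too_broad` is what you want to see before handing the maps out.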
A Domain by Any Name
Now that we have that taken care of, we need to come up with a name for our NIS domain. Since this name does not need to be remotely related to our DNS domain, we will call it development as it is the NIS domain for the development group. I know, I know, I am very original...
Ok, you ask, how do we make NIS aware of the domain name we chose? Well, the domain name is stored in /etc/defaultdomain (for Solaris) or /etc/domainname (for Linux). If you write the domain name you want to use in that file (i.e. the file has one single line, and all it holds is your domain name, in this case development) and reboot, idefix will then know the name of the domain. You can check it by using the command domainname as follows:
dalek@idefix>cat /etc/defaultdomain
development
dalek@idefix>
Now, before you go rebooting the machine, let's see if we can change its domain name without rebooting, shall we? In both Solaris and Linux, you can set the runtime domain name to development by saying
dalek@idefix>domainname development
dalek@idefix>
How about checking it?
dalek@idefix>domainname
development
dalek@idefix>
Of course, since we had already written the domain name to /etc/defaultdomain (Solaris) or /etc/domainname (Linux), we could have said, respectively,
dalek@idefix>domainname `cat /etc/defaultdomain`
dalek@idefix>domainname `cat /etc/domainname`
Do note the back quotes; they are rather important.
Ok, I am going to take a break for now. Next time we will talk about the wonderful world of maps. Stay tuned!