How to centralise users with NIS

IMPORTANT: In my experience it's best to put all the configuration in place before actually installing NIS or it will fail to start properly.

Here's an example of how to configure the shorewall firewall for NIS. It admits only the local subnet to ypserv (834) and ypxfrd (835), the ports pinned by YPSERVARGS and YPXFRDARGS in /etc/default/nis below. NIS is an ONC RPC service, so clients look those ports up through the portmapper first: 111/tcp and 111/udp must also be reachable from the same subnet (the portmap entry in hosts.allow below restricts it again at the tcp-wrapper layer):

###########################################################
# NIS SERVER                                              #
###########################################################
ACCEPT          net:192.168.1.0/24      $FW     udp     834
ACCEPT          net:192.168.1.0/24      $FW     tcp     834
ACCEPT          net:192.168.1.0/24      $FW     udp     835
ACCEPT          net:192.168.1.0/24      $FW     tcp     835

Configure hosts.deny:

ypserv: ALL

Configure hosts.allow (mountd, statd and rquotad are NFS daemons and only matter if this host also serves NFS; for NIS alone the portmap and ypserv entries are the ones that count):

mountd: 192.168.1.1 192.168.1.2
statd: 192.168.1.1 192.168.1.2
portmap: 192.168.1.1 192.168.1.2
rquotad: 192.168.1.1 192.168.1.2
ypserv: 192.168.1.1 192.168.1.2

Create /etc/default/nis:

#
# /etc/default/nis      Configuration settings for the NIS daemons.
#

# Are we a NIS server and if so what kind (values: false, slave, master)?
NISSERVER=master

# Are we a NIS client?
NISCLIENT=false

# Location of the master NIS password file (for yppasswdd).
# If you change this make sure it matches with /var/yp/Makefile.
YPPWDDIR=/etc

# Do we allow the user to use ypchsh and/or ypchfn ? The YPCHANGEOK
# fields are passed with -e to yppasswdd, see its manpage.
# Possible values: "chsh", "chfn", "chsh,chfn"
YPCHANGEOK=chsh

# NIS master server.  If this is configured on a slave server then ypinit
# will be run each time NIS is started.
NISMASTER=

# Additional options to be given to ypserv when it is started.
YPSERVARGS="-p 834"

# Additional options to be given to ypbind when it is started.
YPBINDARGS=-no-dbus

# Additional options to be given to yppasswdd when it is started.  Note
# that if -p is set then the YPPWDDIR above should be empty.
YPPASSWDDARGS=

# Additional options to be given to ypxfrd when it is started.
YPXFRDARGS="-p 835"

The main reason we create this file ourselves rather than letting the package generate it is so that ypserv and ypxfrd come up bound to the fixed ports the firewall rules above allow (834 and 835) from their very first start. Note that NISSERVER only accepts the values listed in its comment (false, slave, master); this host is the master.

Create /etc/ypserv.securenets. This is address-based access control only (UDP source addresses are easy to forge), so it backs up the firewall and tcp wrappers rather than replacing them:

#
# securenets    This file defines the access rights to your NIS server
#               for NIS clients (and slave servers - ypxfrd uses this
#               file too). This file contains netmask/network pairs.
#               A client's IP address needs to match with at least one
#               of those.
#
#               One can use the word "host" instead of a netmask of
#               255.255.255.255. Only IP addresses are allowed in this
#               file, not hostnames.
#
# Always allow access for localhost
255.0.0.0       127.0.0.0

# This line gives access to everybody. PLEASE ADJUST!
# 0.0.0.0               0.0.0.0

host            192.168.1.1
host            192.168.1.2
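As an added example (not part of the original howto), the script below evaluates a securenets file the way ypserv reads it, so you can check which clients the file admits and whether the catch-all entry is still active before you rely on it. It assumes only the file format described in the comments above (netmask/network pairs, "host" as shorthand for 255.255.255.255, '#' comments); the sample file in the demo is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example, not part of the original howto: evaluate a ypserv.securenets
# file the way ypserv does (netmask/network pairs, "host" = 255.255.255.255,
# '#' comments) and flag the catch-all 0.0.0.0 entry. Pure shell, no network.

ip2int() {                     # dotted quad -> 32-bit unsigned integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE IP: exit 0 if IP matches at least one active entry
securenets_allows() {
    local file=$1 ipn mask net
    ipn=$(ip2int "$2")
    while read -r mask net _; do
        case $mask in ''|'#'*) continue ;; esac        # blank line or comment
        [ -n "$net" ] || continue                        # malformed: no network
        [ "$mask" = host ] && mask=255.255.255.255       # "host" shorthand
        if [ $(( ipn & $(ip2int "$mask") )) -eq \
             $(( $(ip2int "$net") & $(ip2int "$mask") )) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# securenets_catchall FILE: exit 0 if an uncommented entry opens the server
# to everybody (netmask 0.0.0.0), the line the howto says must stay commented
securenets_catchall() {
    local mask net
    while read -r mask net _; do
        case $mask in ''|'#'*) continue ;; esac
        [ "$mask" = 0.0.0.0 ] && return 0
    done < "$1"
    return 1
}

# Demo on a constructed copy of the file from the howto
f=$(mktemp)
cat > "$f" <<'EOF'
# Always allow access for localhost
255.0.0.0       127.0.0.0
# 0.0.0.0               0.0.0.0
host            192.168.1.1
host            192.168.1.2
EOF
for ip in 127.0.0.1 192.168.1.2 192.168.1.3; do
    if securenets_allows "$f" "$ip"; then echo "$ip: allowed"; else echo "$ip: denied"; fi
done
securenets_catchall "$f" && echo "WARNING: securenets is open to everybody" || echo "no catch-all entry"
rm -f "$f"
```

Run it against the real file with securenets_allows /etc/ypserv.securenets <client-ip> after every edit; a client that is denied here will get nothing from ypserv no matter what the firewall allows.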

Now go ahead and install NIS. The package asks for the NIS domain name and stores it in /etc/defaultdomain; every client must use the same name:

aptitude install nis

Finally, build the NIS maps from the local account files:

/usr/lib/yp/ypinit -m

ypinit asks for the list of NIS servers (just this host for a single master), then runs make in /var/yp, which reads /etc/passwd, /etc/shadow, /etc/group and /etc/gshadow and generates the maps. ypinit -m is a one-off: whenever you add users or otherwise change those files later, rebuild the maps by running make in /var/yp (cd /var/yp && make) rather than re-running ypinit. Also check MERGE_PASSWD in /var/yp/Makefile before going further: when it is true the shadow hashes are merged into the passwd map, so anyone on a host admitted by securenets can read them with ypcat passwd.

NIS CLIENT HOWTO

IMPORTANT: In my experience it's best to put all the configuration in place before actually installing NIS or it will fail to start properly.

On a client we don't want to allow any incoming connections to NIS, so we skip the firewall configuration on the assumption that you already have a default-deny policy. Be aware that ypbind itself registers with the portmapper and listens on an RPC port, so it is essential that the box is properly firewalled; an unfirewalled NIS installation is a security problem.

Configure hosts.deny:

ypserv: ALL

Again, we don't want to allow incoming connections to NIS on the client so we can skip /etc/hosts.allow.

Create /etc/default/nis:

#
# /etc/default/nis      Configuration settings for the NIS daemons.
#

# Are we a NIS server and if so what kind (values: false, slave, master)?
NISSERVER=false

# Are we a NIS client?
NISCLIENT=true

# Location of the master NIS password file (for yppasswdd).
# If you change this make sure it matches with /var/yp/Makefile.
YPPWDDIR=/etc

# Do we allow the user to use ypchsh and/or ypchfn ? The YPCHANGEOK
# fields are passed with -e to yppasswdd, see its manpage.
# Possible values: "chsh", "chfn", "chsh,chfn"
YPCHANGEOK=chsh

# NIS master server.  If this is configured on a slave server then ypinit
# will be run each time NIS is started.
NISMASTER=

# Additional options to be given to ypserv when it is started.
YPSERVARGS="-p 834"

# Additional options to be given to ypbind when it is started.
YPBINDARGS=-no-dbus

# Additional options to be given to yppasswdd when it is started.  Note
# that if -p is set then the YPPWDDIR above should be empty.
YPPASSWDDARGS=

# Additional options to be given to ypxfrd when it is started.
YPXFRDARGS="-p 835"

On a client NISSERVER=false means only ypbind is started, so the ypserv and ypxfrd port settings above are unused (they are harmless and only kept so the file matches the server's). The reason for creating the file before installation is that the package's first start then brings the machine up as a client rather than with the packaged defaults.

ypserv does not run on the client, but the package still ships /etc/ypserv.securenets. Make sure the line shown below is commented out in it all the same:

# This line gives access to everybody. PLEASE ADJUST!
# 0.0.0.0               0.0.0.0

Create /etc/yp.conf:

#
# yp.conf       Configuration file for the ypbind process. You can define
#               NIS servers manually here if they can't be found by
#               broadcasting on the local net (which is the default).
#
#               See the manual page of ypbind for the syntax of this file.
#
# IMPORTANT:    For the "ypserver", use IP addresses, or make sure that
#               the host is in /etc/hosts. This file is only interpreted
#               once, and if DNS isn't reachable yet the ypserver cannot
#               be resolved and ypbind won't ever bind to the server.

ypserver 192.168.1.1

Now go ahead and install NIS. The package asks for the NIS domain name (stored in /etc/defaultdomain); it must match the one you gave when installing the server, or ypbind will never bind:

aptitude install nis

You should now be able to query the NIS server from your NIS client:

ypcat passwd

Next you need to remove the ordinary users (on Debian those with a UID of 1000 or above) from the client's local account files, and append a special "+" entry at the end of each file. These entries are interpreted by the compat NSS source (the Debian default for passwd, group and shadow in /etc/nsswitch.conf) and mean "take everything else from NIS". You need to update the password, shadow, group and group shadow files.

Leave the system accounts such as root, bin, bind and nobody alone. If you want a login to only be available on the local machine then leave it there; if you just want your 'virtual' users served from NIS then remove only those. Certainly leave the root account alone, or you will be locked out whenever the NIS server is unreachable.

For /etc/passwd add the following at the end:

+::::::

For /etc/shadow add the following at the end:

+::::::::

For /etc/group add the following at the end:

+:::

For /etc/gshadow add the following at the end:

+:::
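An added example (not from the original howto) that does the above mechanically on copies of the four files: it drops the ordinary users, chosen by a UID or GID of 1000 or above as is the Debian convention, keeps root and the other system accounts (including nobody and nogroup at 65534), filters shadow and gshadow by the names removed from passwd and group so the four files stay consistent, and appends the compat entries shown above. The source files are never modified; diff the copies and install them yourself. The sample accounts in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto: produce NIS-ready copies of
# passwd/shadow/group/gshadow. Ordinary users (UID/GID >= 1000, Debian's
# convention) are removed and the compat "+" entry from the howto is appended;
# root, other system accounts and nobody/nogroup (65534) stay local. The
# originals are never modified; diff the copies and install them yourself.

# ordinary_names FILE: names whose numeric id (field 3) marks an ordinary
# user or group. Works for both passwd and group because both carry the id
# in the third field. Existing +/- compat lines are ignored.
ordinary_names() {
    awk -F: '$1 !~ /^[+-]/ && $3 >= 1000 && $3 != 65534 { print $1 }' "$1"
}

# strip_names "NAMES" SRC DST PLUSLINE: copy SRC to DST without the listed
# names (and without any old +/- entries), then append PLUSLINE.
strip_names() {
    awk -F: -v names="$1" -v plus="$4" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) drop[a[i]] = 1 }
        /^[+-]/ { next }
        !($1 in drop) { print }
        END { print plus }
    ' "$2" > "$3"
}

# nisify_dir SRCDIR DSTDIR: process all four files from SRCDIR into DSTDIR.
# shadow and gshadow carry no numeric ids, so they are filtered by the names
# taken from passwd and group respectively, keeping the four files consistent.
nisify_dir() {
    local src=$1 dst=$2 users groups
    users=$(ordinary_names "$src/passwd" | tr '\n' ' ')
    groups=$(ordinary_names "$src/group" | tr '\n' ' ')
    strip_names "$users"  "$src/passwd"  "$dst/passwd"  '+::::::'
    strip_names "$users"  "$src/shadow"  "$dst/shadow"  '+::::::::'
    strip_names "$groups" "$src/group"   "$dst/group"   '+:::'
    strip_names "$groups" "$src/gshadow" "$dst/gshadow" '+:::'
}

# Demo on constructed sample files (not real accounts)
d=$(mktemp -d)
mkdir "$d/src" "$d/dst"
printf 'root:x:0:0:root:/root:/bin/bash\nnobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\nalice:x:1000:1000:Alice:/home/alice:/bin/bash\n' > "$d/src/passwd"
printf 'root:*:19000:0:99999:7:::\nnobody:*:19000:0:99999:7:::\nalice:$6$constructed:19000:0:99999:7:::\n' > "$d/src/shadow"
printf 'root:x:0:\nsudo:x:27:alice\nnogroup:x:65534:\nalice:x:1000:\n' > "$d/src/group"
printf 'root:*::\nsudo:*::alice\nnogroup:*::\nalice:!::\n' > "$d/src/gshadow"
nisify_dir "$d/src" "$d/dst"
for f in passwd shadow group gshadow; do
    echo "== $f"; cat "$d/dst/$f"
done
rm -rf "$d"
```

Point it at a copy of /etc (nisify_dir /etc /tmp/nis-etc after creating the target directory), then diff each result against the original; local group memberships such as sudo:x:27:alice are kept, since the name still resolves once it comes from NIS.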

Now restart NIS again and test. ypcat passwd only proves that ypbind has bound to the server; follow it with getent passwd (or id for one of the NIS users) to prove that local lookups now fall through to NIS via the compat entries you just added:

/etc/init.d/nis restart
ypcat passwd