  The Linux NIS(YP)/NYS/NIS+ HOWTO
  Thorsten Kukuk
  v0.9, 10. January 1998

  This document describes how to configure Linux as NIS(YP) or NIS+
  client and how to install as NIS server.

  1.  Introduction

  More and more, Linux machines are installed as part of a network of
  computers. To simplify network administration, most networks (mostly
  Sun-based networks) run the Network Information Service. Linux
  machines can take full advantage of existing NIS service or provide
  NIS service themselves. Linux machines can also act as full NIS+
  clients, this support is in beta stage.

  This document tries to answer questions about setting up NIS(YP) and
  NIS+ on your Linux machine. Don't forget to read the section about
  ``the RPC Portmapper''

  The NIS-Howto is edited and maintained by:

       Thorsten Kukuk, kukuk@vt.uni-paderborn.de

  The primary source of the information for the initial NIS-Howto was
  from:

       Andrea Dell'Amico       <adellam@ZIA.ms.it>
       Mitchum DSouza          <Mitch.DSouza@NetComm.IE>
       Erwin Embsen            <erwin@nioz.nl>
       Peter Eriksson          <peter@ifm.liu.se>

  who we should thank for writing the first versions of this document.

  1.1.  New versions of this document

  New versions of this document will be posted periodically to the
  newsgroups  comp.os.linux.help <news:comp.os.linux.help> and
  comp.os.linux.announce <news:comp.os.linux.announce>.  They will also
  be uploaded to various Linux WWW and FTP sites, including the LDP home
  page.

  You can always view the latest version of this on the World Wide Web
  via the URL http://sunsite.unc.edu/mdw/HOWTO/NIS-HOWTO.html
  <http://sunsite.unc.edu/mdw/HOWTO/NIS-HOWTO.html>.

  1.2.  Disclaimer

  Although this document has been put together to the best of our
  knowledge it may, and probably does contain errors. Please read any
  README files that are bundled with any of the various pieces of
  software described in this document for more detailed and accurate
  information. We will attempt to keep this document as error free as
  possible.

  1.3.  Feedback and Corrections

  If you have questions or comments about this document, please feel
  free to mail Thorsten Kukuk, at kukuk@vt.uni-paderborn.de. I welcome
  any suggestions or criticisms. If you find a mistake with this
  document, please let me know so I can correct it in the next version.
  Thanks.

  Please do not mail me questions about special problems with your Linux
  distributions! I don't know every Linux Distribution. But I will try
  to add every solution you send me.

  1.4.  Acknowledgements

  We would like to thank all the people who have contributed (directly
  or indirectly) to this document. In alphabetical order:

       Byron A Jeff            <byron@cc.gatech.edu>
       Miquel van Smoorenburg  <miquels@cistron.nl>

  Theo de Raadt <deraadt@theos.com> is responsible for the original yp-
  clients code.  Swen Thuemmler <swen@uni-paderborn.de> ported the yp-
  clients code to Linux and also ported the yp-routines in libc (again
  based on Theo's work). Thorsten Kukuk has written the NIS(YP) and NIS+
  routines for GNU libc 2.x from scratch.

  2.  Glossary and General Information

  2.1.  Glossary of Terms

  In this document a lot of acronyms are used. Here are the most
  important acronyms and a brief explanation:

     DBM
        DataBase Management, a library of functions which maintain key-
        content pairs in a data base.

     DLL
        Dynamically Linked Library, a library linked to an executable
        program at run-time.

     domainname
        A name "key" that is used by NIS clients to be able to locate a
        suitable NIS server that serves that domainname key. Please note
        that this does not necessarily have anything at all to do with
        the DNS "domain" (machine name) of the machine(s).

     FTP
        File Transfer Protocol, a protocol used to transfer files
        between two computers.

     libnsl
        Name services library, a library of name service calls
        (getpwnam, getservbyname, etc...) on SVR4 Unixes. GNU libc uses
        this for the NIS (YP) and NIS+ functions.

     libsocket
        Socket services library, a library for the socket service calls
        (socket, bind, listen, etc...) on SVR4 Unixes.

     NIS
        Network Information Service, a service that provides
        information, that has to be known throughout the network, to all
        machines on the network. There is support for NIS in Linux's
        standard libc library, which in the following text is referred
        to as "traditional NIS".

     NIS+
        Network Information Service (Plus :-), essentially NIS on
        steroids. NIS+ is designed by Sun Microsystems Inc. as a
        replacement for NIS with better security and better handling of
        _large_ installations.

     NYS
        This is the name of a project and stands for NIS+, YP and Switch
        and is managed by Peter Eriksson <peter@ifm.liu.se>. It contains
        among other things a complete reimplementation of the NIS (= YP)
        code that uses the Name Services Switch functionality of the NYS
        library.

     NSS
        Name Service Switch. The /etc/nsswitch.conf file determines the
        order of lookups performed when a certain piece of information
        is requested.

     RPC
        Remote Procedure Call. RPC routines allow C programs to make
        procedure calls on other machines across the network.  When
        people talk about RPC they most often mean the Sun RPC variant.

     YP Yellow Pages(tm), a registered trademark in the UK of British
        Telecom plc.

     TCP-IP
        Transmission Control Protocol/Internet Protocol. It's the data
        communication protocol most often used on Unix machines.

  2.2.  Some General Information

  The next four lines are quoted from the Sun(tm) System & Network
  Administration Manual:

           "NIS was formerly known as Sun Yellow Pages (YP) but
            the name Yellow Pages(tm) is a registered trademark
            in the United Kingdom of British Telecom plc and may
            not be used without permission."

  NIS stands for Network Information Service. Its purpose is to provide
  information, that has to be known throughout the network, to all
  machines on the network. Information likely to be distributed by NIS
  is:

    login names/passwords/home directories (/etc/passwd)

    group information (/etc/group)

  So, for example, if your password entry is recorded in the NIS passwd
  database, you will be able to login on all machines on the net which
  have the NIS client programs running.

  Sun is a trademark of Sun Microsystems, Inc. licensed to SunSoft, Inc.

  3.  NIS or NIS+ ?

  The choice between NIS and NIS+ is easy - use NIS if you don't have to
  use NIS+ or have severe security needs. NIS+ is _much_ more
  problematic to administer (it's pretty easy to handle on the client
  side, but the server side is horrible). Another problem is that the
  support for NIS+ under Linux is still under developement - you need
  the latest glibc snapshot for it or have to wait for glibc 2.1. There
  is a port of the glibc NIS+ support for libc5 as drop in replacement.

  3.1.  libc 4/5 with traditional NIS or NYS ?

  The choice between "traditional NIS" or the NIS code in the NYS
  library is a choice between laziness and maturity vs. flexibility and
  love of adventure.

  The "traditional NIS" code is in the standard C library and has been
  around longer and sometimes suffers from it's age and slight
  inflexibility.

  The NIS code in the NYS library requires you to recompile the libc
  library to include the NYS code into the libc library (or maybe you
  can go get a precompiled version of libc from someone who has already
  done it).

  Another difference is that the traditional NIS code has some support
  for NIS Netgroups, which the NYS code doesn't (yet). On the other hand
  the NYS code allows you to handle Shadow Passwords in a transparent
  way. The "traditonal NIS" code doesn't support Shadow Passwords over
  NIS.

  Forgot this all if you use the new GNU C Library 2.x (aka libc6). It
  supports NSS (name switch service), which makes it very flexible, and
  contains support for the following NIS/NIS+ maps: aliases, ethers,
  group, hosts, netgroups, networks, protocols, publickey, passwd, rpc,
  services and shadow.

  4.  How it works

  4.1.  How NIS(YP) works

  Within a network there must be at least one machine acting as a NIS
  server. You can have multiple NIS servers, each serving different NIS
  "domains" - or you can have cooperating NIS servers, where one is said
  to be the master NIS server, and all the other are so-called slave NIS
  servers (for a certain NIS "domain", that is!) - or you can have a mix
  of them...

  Slave servers only have copies of the NIS databases and receive these
  copies from the master NIS server whenever changes are made to the
  master's databases.  Depending on the number of machines in your
  network and the reliability of your network, you might decide to
  install one or more slave servers.  Whenever a NIS server goes down or
  is too slow in responding to requests, a NIS client connected to that
  server will try to find one that is up or quicker.

  NIS databases are in so-called DBM format, derived from ASCII
  databases.  For example, the files /etc/passwd and /etc/group can be
  directly converted to DBM format using ASCII-to-DBM translation
  software ("makedbm", it's included with the server software). The
  master NIS server should have both, the ASCII databases and the DBM
  databases.

  Slave servers  will be notified of any change to the NIS maps, (via
  the "yppush" program), and automatically retrieve the necessary
  changes in order to synchronize their databases. NIS clients do not
  need to do this since they always talk to the NIS server to read the
  information stored in it's DBM databases.

  The author of the YP clients for linux has informed us that the newest
  ypbind (ypbind-3.3.tar.gz) is able to get the server from a
  configuration file - thus no need to broadcast (which is insecure -
  due to the fact that anyone may install a NIS server and answer the
  broadcast queries...)

  4.2.  How NIS+ works

  NIS+ is a new version of the network information nameservice from Sun.
  The biggest difference between NIS and NIS+ is, that NIS+ has support
  for data encryption and authentication over secure RPC.

  The  naming  model of NIS+ is based upon a tree structure. Each node
  in the tree corresponds to an NIS+ object, from which we have six
  types: directory, entry, group, link, table and private.

  The NIS+ directory that forms the root of the NIS+ namespace is called
  the root directory. There are two special NIS+ directories: org_dir
  and groups_dir. The org_dir directory consists of all administration
  tables, such as passwd, hosts, and mail_aliases. The groups_dir
  directory consists of NIS+ group objects which are used for access
  control. The collection of org_dir, groups_dir and their parent
  directory is referred to as an NIS+ domain.

  5.  The RPC Portmapper

  To run any of the software mentioned below you will need to run the
  program /usr/sbin/portmap. Some Linux distributions already have the
  code in the /etc/rc.d/ files to start up this daemon.  All you have to
  do is to activate it and reboot your Linux machine.  Read your Linux
  Distribution Documentation how to do this.

  The RPC portmapper (portmap(8)) is a server that converts RPC program
  numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be
  running in order to make RPC calls (which is what the NIS/NIS+ client
  software does) to RPC servers (like a NIS or NIS+ server) on that
  machine.  When an RPC server is started, it will tell portmap what
  port number it is listening to, and what RPC program numbers it is
  prepared to serve.  When a client wishes to make an RPC call to a
  given program number, it will first contact portmap on the server
  machine to determine the port number where RPC packets should be sent.
  Normally, standard RPC servers are started by inetd(8), so portmap
  must be started before inetd is invoked.

  For secure RPC, the portmapper needs the Time Service. Make sure, that
  the Time Service is enabled in /etc/inetd.conf on all hosts:

       #
       # Time service is used for clock syncronization.
       #
       time    stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.timed
       time    dgram   udp     wait    nobody  /usr/sbin/tcpd  in.timed

  IMPORTANT: Don't forget to restart inetd after changes on this file !

  6.  What do you need to set up NIS?

  6.1.  Determine whether you are a Server, Slave or Client.

  To answer this question you have to consider two cases:

  1. Your machine is going to be part of a network with existing NIS
     servers

  2. You do not have any NIS servers in the network yet

  In the first case, you only need the client programs (ypbind, ypwhich,
  ypcat, yppoll, ypmatch). The most important program is ypbind. This
  program must be running at all times, that is, it should always appear
  in the list of processes. It's a so-called daemon process and needs to
  be started from the system's startup file (eg. /etc/rc.local,
  /etc/init.d/nis, /etc/rc.d/init.d/ypbind).  As soon as ypbind is
  running, your system has become a NIS client.

  In the second case, if you don't have NIS servers, then you will also
  need a NIS server program (usually called ypserv). Section 8 describes
  how to set up a NIS server on your Linux machine using the "ypserv"
  implementation by Peter Eriksson and Thorsten Kukuk.  Note that from
  version 0.14 this implementation supports the master-slave concept
  talked about in section 4.1.

  There is also another free NIS server available, called "yps", written
  by Tobias Reber in Germany which does support the master-slave
  concept, but has other limitations and isn't supported any longer.

  6.2.  The Software

  The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the
  shared library "/lib/libc.so.x" contain all necessary system calls to
  succesfully compile the NIS client and server software. For glibc 2.x,
  you also need /lib/libnsl.so.1.

  Some people reported that NIS only works with "/usr/lib/libc.a"
  version 4.5.21 and better so if you want to play it safe don't use
  older libc's.  The NIS client software can be obtained from:

    Site                  Directory                        File Name

    ftp.uni-paderborn.de  /linux/local/yp                  yp-clients-2.2.tar.gz
    ftp.uni-paderborn.de  /linux/local/yp                  ypbind-3.3.tar.gz
    ftp.kernel.org        /pub/linux/utils/net/NIS         yp-tools-1.4.tar.gz
    ftp.kernel.org        /pub/linux/utils/net/NIS         ypbind-3.3.tar.gz
    sunsite.unc.edu       /pub/Linux/system/Network/admin  yp-clients-2.2.tar.gz

  Once you obtained the software, please follow the instructions which
  come with the software. yp-clients 2.2 are for use with libc4 and
  libc5 until 5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.
  Since there was some bugs in the NIS code, you shouldn't use libc
  5.4.21-5.4.35. Use libc 5.4.36 or later instead. ypbind 3.3 will work
  with all libraries.  You should never use the ypbind from yp-clients
  2.2.

  6.3.  The ypbind daemon

  Assuming you have succesfully compiled the software you are now ready
  to install the software. A suitable place for the ypbind daemon is the
  directory /usr/sbin. Some people may tell you, that you don't need
  ypbind on a system with NYS. This is wrong, ypwhich and ypcat need it.

  You'll need to do this as root of course. The other binaries (ypwhich,
  ypcat, yppoll, ypmatch) should go in a directory accessible by all
  users, normally /usr/bin.

  The ypbind process has a configuration file called /etc/yp.conf. You
  can hardcode a NIS server there - for more info see the manual page
  for ypbind(8).  You also need this file for NYS.  An example:

         ypserver voyager
         ypserver ds9

  If the system could resolv the hostnames without NIS, you could use
  the name, else you have to use the IP address.

  It might be a good idea to test ypbind before  incorporating it in the
  /etc/rc.d/ files. To test ypbind do the following:

    Make sure you have your domain name set. If it is not set then
     issue the command:

                   /bin/domainname nis.domain

  where nis.domain should be some string, _NOT_ normally associated with
  the domain name of your machine! The reason for this is that it makes
  it a little harder for external crackers to retreive the password
  database from your NIS servers. If you don't know what the NIS domain
  name is on your network, ask your system/network administrator.

    Start up "/usr/sbin/portmap" if it is not already running.

    Create the directory "/var/yp" if it does not exist.

    Start up "/usr/sbin/ypbind"

    Use the command "rpcinfo -p localhost" to check if ypbind was able
     to register its service with the portmapper. The rpcinfo should
     produce something like:

              program vers proto   port
               100000    2   tcp    111  portmapper
               100000    2   udp    111  portmapper
               100007    2   udp    637  ypbind
               100007    2   tcp    639  ypbind
               300019    1   udp    660

    You may also run "rpcinfo -u localhost ypbind". This command should
     produce something like:

               program 100007 version 2 ready and waiting

  At this point you should be able to use NIS client programs like
  ypcat, etc...  For example, "ypcat passwd" will give you the entire
  NIS password database.

  IMPORTANT: If you skipped the test procedure then make sure you have
  set the domain name, and created the directory:

           /var/yp

  This directory MUST exist for ypbind to start up succesfully.

  If the test worked you may now want to change the files in /etc/rc.d/
  on your system so that ypbind will be started up at boot time and your
  system will act as a NIS client. Make sure, that the domainname will
  be set at boot time.

  Well, that's it. Reboot the machine and watch the boot messages to see
  if ypbind is actually started.

  6.4.  Setting up a NIS Client using Traditional NIS

  For host lookups you must set (or add) "nis" to the lookup order line
  in your /etc/host.conf file. Please read the manpage "resolv+.8" for
  more details.

  Add the following line to /etc/passwd on your NIS clients:

       +::::::

  You can also use the + and - characters to include/exclude or change
  users. If you want to exclude the user guest just add -guest to your
  /etc/passwd file.  You want to use a different shell (e.g. ksh) for
  the user "linux"?  No problem, just add "+linux::::::/bin/ksh"
  (without the quotes) to your /etc/passwd. Fields that you don't want
  to change have to be left empty. You could also use Netgroups for user
  control.

  For example, to only allow login-access to miquels, dth and ed, and
  all members of the sysadmin netgroup, but to have the account data of
  all other users available:

             +miquels:::::::
             +ed:::::::
             +dth:::::::
             +@sysadmins:::::::
             -ftp
             +:*::::::/etc/NoShell

  Note that in Linux you can also override the password field, as we did
  in this example. In this example, we also remove the login "ftp", so
  it isn't known any longer, and anonymous ftp will not work.

  The netgroup would be look like

       sysadmins (-,software,) (-,kukuk,)

  IMPORTANT: Note that the netgroup  feature is implemented starting
  from libc 4.5.26. But if you have a version of libc earlier than
  4.5.26, every user in the NIS password database can access your linux
  machine if you run "ypbind".

  6.5.  Setting up a NIS Client using NYS

  All that is required is that the NIS configuration file (/etc/yp.conf)
  points to the correct server(s) for its information.  Also, the Name
  Services Switch configuration file (/etc/nsswitch.conf) must be
  correctly set up.

  You should install ypbind. It isn't needed by the libc, but the
  NIS(YP) tools need it.

  If you wish to use the include/exclude user feature
  (+/-guest/+@admins), you have to use "passwd: compat" and "group:
  compat". Note, that there is no "shadow: compat" ! You have to use
  "shadow: files nis" in this case.

  The NYS sources are part of the libc 5 sources. When run configure,
  say the first time "NO" to the "Values correct" question, then say
  "YES" to "Build a NYS libc from nys".

  6.6.  Setting up a NIS Client using glibc 2.x

  The glibc uses "traditional NIS", so you need to start ypbind. The
  Name Services Switch configuration file (/etc/nsswitch.conf) must be
  correctly set up. If you use the compat mode for passwd, shadow or
  group, you have to add the "+" at the end of this files, and you could
  use the include/exclude user feature. The configuration is excatly the
  same as under Solaris 2.x.

  6.7.  The nsswitch.conf File

  The Network Services switch file /etc/nsswitch.conf determines the
  order of lookups performed when a certain piece of information is
  requested, just like the /etc/host.conf file which determines the way
  host lookups are performed. For example, the line

           hosts: files nis dns

  specifies that host lookup functions should first look in the local
  /etc/hosts file, followed by a NIS lookup and finally thru the domain
  name service (/etc/resolv.conf and named), at which point if no match
  is found an error is returned.

  A first version of a manual page for nsswitch.conf could be found at
  http://www-vt.uni-paderborn.de/~kukuk/linux/misc.html <http://www-
  vt.uni-paderborn.de/~kukuk/linux/misc.html>.

  A good /etc/nsswitch.conf file for NIS is:

  #
  # /etc/nsswitch.conf
  #
  # An example Name Service Switch config file. This file should be
  # sorted with the most-used services at the beginning.
  #
  # The entry '[NOTFOUND=return]' means that the search for an
  # entry should stop if the search in the previous entry turned
  # up nothing. Note that if the search failed due to some other reason
  # (like no NIS server responding) then the search continues with the
  # next entry.
  #
  # Legal entries are:
  #
  #       nisplus                 Use NIS+ (NIS version 3)
  #       nis                     Use NIS (NIS version 2), also called YP
  #       dns                     Use DNS (Domain Name Service)
  #       files                   Use the local files
  #       db                      Use the /var/db databases
  #       [NOTFOUND=return]       Stop searching if not found so far
  #

  passwd:     compat
  group:      compat
  shadow:     compat

  passwd_compat: nis
  group_compat: nis
  shadow_compat: nis

  hosts:      nis files dns

  services:   nis [NOTFOUND=return] files
  networks:   nis [NOTFOUND=return] files
  protocols:  nis [NOTFOUND=return] files
  rpc:        nis [NOTFOUND=return] files
  ethers:     nis [NOTFOUND=return] files
  netmasks:   nis [NOTFOUND=return] files
  netgroup:   nis
  bootparams: nis [NOTFOUND=return] files
  publickey:  nis [NOTFOUND=return] files
  automount:  files
  aliases:    nis [NOTFOUND=return] files

  passwd_compat, group_compat and shadow_compat are only supported by
  glibc 2.x.  If there are no shadow rules in /etc/nsswitch.conf, glibc
  will use the passwd rule for lookups. There are some more lookup
  module for glibc like hesoid.  For more information, read the glibc
  documentation.

  7.  What do you need to set up NIS+ ?

  7.1.  The Software

  The Linux NIS+ client code was developed for the GNU C library 2.
  There is also a port for Linux libc5, since all commercial Applicatons
  are linked against this library, and you couldn't recompile them for
  using glibc. There are problems with libc5 + NIS+: You couldn't link
  static programs with it, and programs compiled with this library will
  not work with other libc5 versions.

  You need to retrieve and compile the latest GNU C library 2 snapshot.
  And you need a glibc based system like RedHat 5.0 or the unstable
  Debian. But be warned: This are all beta Software ! Read the Docs
  about glibc snapshots and from the Distributions ! glibc 2.0.x doesn't
  contain the NIS+ support, and will never contain it. The first public
  version with NIS+ support will be 2.1.

  The NIS+ client software can be obtained from:

         Site                   Directory                  File Name

         ftp.kernel.org         /pub/software/libs/glibc   libc-*, glibc-crypt-*,
                                                           glibc-linuxthreads-*
         ftp.kernel.org         /pub/linux/utils/net/NIS+  nis-tools-1.4.tar.gz
         ftp.kernel.org         /pub/linux/utils/net/NIS+  pam_keylogin-1.1.tar.gz

  Distributions based on glibc can be fetched from:

         Site                   Directory

         ftp.redhat.com         /pub/redaht/mustang
         ftp.debian.org         /pub/debian/hamm

  For compilation of the GNU C Library, please follow the instructions
  which come with the software. Here you could find the patched libc5,
  based on NYS and the glibc sources as drop in replacement for the
  standart libc5:

         Site               Directory                  File Name

         ftp.kernel.org     /pub/linux/utils/net/NIS+  libc-5.4.38-nsl-0.4.6.tar.gz

  You should also look at http://www-vt.uni-
  paderborn.de/~kukuk/linux/nisplus.html <http://www-vt.uni-
  paderborn.de/~kukuk/linux/nisplus.html> for more information and the
  latest sources.

  7.2.  Setting up a NIS+ client

  IMPORTANT: For setting up a NIS+ client, read your Solaris NIS+ docs
  what to do on the server side ! This document only describes what to
  do on the client side !

  After installing the new libc and nis-tools, create the credentials
  for the new client on the NIS+ server. Then run

       domainname nisplus.domain.
       nisinit -c -H <NIS+ server>

  to initialize the cold Start File. Read the nisinit man page for more
  options. Make sure, that the domainname will always be set after a
  reboot.  If you don't know what the NIS+ domain name is on your
  network, ask your system/network administrator.

  Now you should change your /etc/nsswitch.conf file. Make sure, that
  the only service after publickey is nisplus ("publickey: nisplus"),
  and nothing else !

  After this, start keyserv and make sure, that it will always be
  started at boot time. Run

       keylogin -r

  to store the root secretkey on your system. (I hope you have added the
  publickey for the new host on the NIS+ Server ?).

  "niscat passwd.org_dir" should now show you all entries in the passwd
  database.

  7.3.  NIS+, keylogin, login and PAM

  When the user logs in, he need to set his secretkey to keyserv. This
  is done by calling "keylogin". The login from the shadow package will
  do this for the user. For a PAM aware login, you have to install
  pam_keylogin-1.1.tar.gz and change the /etc/pam.d/login file to use
  pam_unix_auth, not pwdb, which doesn't support NIS+. An example:

       #%PAM-1.0
       auth       required     /lib/security/pam_securetty.so
       auth       required     /lib/security/pam_keylogin.so
       auth       required     /lib/security/pam_unix_auth.so
       auth       required     /lib/security/pam_nologin.so
       account    required     /lib/security/pam_unix_acct.so
       password   required     /lib/security/pam_unix_passwd.so
       session    required     /lib/security/pam_unix_session.so

  7.4.  The nsswitch.conf File

  The Network Services switch file /etc/nsswitch.conf determines the
  order of lookups performed when a certain piece of information is
  requested, just like the /etc/host.conf file which determines the way
  host lookups are performed. For example, the line

           hosts: files nisplus dns

  specifies that host lookup functions should first look in the local
  /etc/hosts file, followed by a NIS+ lookup and finally thru the domain
  name service (/etc/resolv.conf and named), at which point if no match
  is found an error is returned.

  A first version of a manual page for nsswitch.conf could be found at
  http://www-vt.uni-paderborn.de/~kukuk/linux/misc.html <http://www-
  vt.uni-paderborn.de/~kukuk/linux/misc.html>.

  A good /etc/nsswitch.conf file for NIS+ is:

       #
       # /etc/nsswitch.conf
       #
       # An example Name Service Switch config file. This file should be
       # sorted with the most-used services at the beginning.
       #
       # The entry '[NOTFOUND=return]' means that the search for an
       # entry should stop if the search in the previous entry turned
       # up nothing. Note that if the search failed due to some other reason
       # (like no NIS server responding) then the search continues with the
       # next entry.
       #
       # Legal entries are:
       #
       #       nisplus                 Use NIS+ (NIS version 3)
       #       nis                     Use NIS (NIS version 2), also called YP
       #       dns                     Use DNS (Domain Name Service)
       #       files                   Use the local files
       #       db                      Use the /var/db databases
       #       [NOTFOUND=return]       Stop searching if not found so far
       #

       passwd:     compat
       # for libc5: passwd: files nisplus
       group:      compat
       # for libc5: group: files nisplus
       shadow:     compat
       # for libc5: shadow: files nisplus

       passwd_compat: nisplus
       group_compat:  nisplus
       shadow_compat: nisplus

       hosts:      nisplus files dns

       services:   nisplus [NOTFOUND=return] files
       networks:   nisplus [NOTFOUND=return] files
       protocols:  nisplus [NOTFOUND=return] files
       rpc:        nisplus [NOTFOUND=return] files
       ethers:     nisplus [NOTFOUND=return] files
       netmasks:   nisplus [NOTFOUND=return] files
       netgroup:   nisplus
       bootparams: nisplus [NOTFOUND=return] files
       publickey:  nisplus
       automount:  files
       aliases:    nisplus [NOTFOUND=return] files

  8.  Setting up a NIS Server

  8.1.  The Server Program ypserv

  This document only describes how to set up the "ypserv" NIS server.

  The NIS server software can be found on:

         Site                   Directory                     File Name

         ftp.kernel.org         /pub/linux/utils/net/NIS      ypserv-1.2.7.tar.gz
         waaug.erols.com        /pub/net/nis                  ypserv-1.2.7.tar.gz

  You could also look at http://www-vt.uni-
  paderborn.de/~kukuk/linux/nis.html <http://www-vt.uni-
  paderborn.de/~kukuk/linux/nis.html> for more information and the
  latest sources.

  The server setup is the same for both traditional NIS and NYS.

  Compile the software to generate the "ypserv" and "makedbm" programs.
  If you run your server as master, determine what files you require to
  be available via NIS and then add or remove the appropriate entries to
  the /var/yp/Makefile.

  Now edit /var/yp/securenets and /etc/ypserv.conf.  For more
  information, read the ypserv(8) and ypserv.conf(5) manual pages.

  Make sure the portmapper (portmap(8)) is running, and start the server
  "ypserv". The command

           % rpcinfo -u localhost ypserv

  should output something like

           program 100004 version 2 ready and waiting

  Now generate the NIS (YP) database. On the master, run

           % /usr/lib/yp/ypinit -m

  on a slave, make sure that ypwhich -m works. Then run

           % /usr/lib/yp/ypinit -s masterhost

  That's it, your server is up and running.

  You might want to edit root's crontab *on the slave* server and add
  the following lines:

             20 *    * * *    /usr/lib/yp/ypxfr_1perhour
             40 6    * * *    /usr/lib/yp/ypxfr_1perday
             55 6,18 * * *    /usr/lib/yp/ypxfr_2perday

  This will ensure that most NIS maps are kept up-to-date, even if an
  update is missed because the slave was down at the time the update was
  done on the master.

  If you want to restrict access to your NIS server, you'll have to
  setup the NIS server as a client as well by running ypbind and adding
  the plus-entries to /etc/passwd _halfway_ the password file. The
  library functions will ignore all normal entries after the first NIS
  entry, and will get the rest of the info through NIS. This way the NIS
  access rules are maintained. example:

            root:x:0:0:root:/root:/bin/bash
            daemon:*:1:1:daemon:/usr/sbin:
            bin:*:2:2:bin:/bin:
            sys:*:3:3:sys:/dev:
            sync:*:4:100:sync:/bin:/bin/sync
            games:*:5:100:games:/usr/games:
            man:*:6:100:man:/var/catman:
            lp:*:7:7:lp:/var/spool/lpd:
            mail:*:8:8:mail:/var/spool/mail:
            news:*:9:9:news:/var/spool/news:
            uucp:*:10:50:uucp:/var/spool/uucp:
            nobody:*:65534:65534:noone at all,,,,:/dev/null:
            +miquels::::::
            +:*:::::/etc/NoShell
            [ All normal users AFTER this line! ]
            tester:*:299:10:Just a test account:/tmp:
            miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh

  The user tester will exist, but have a shell of /etc/NoShell. miquels
  will have normal access.

  Alternatively, you could edit the /var/yp/Makefile file and set NIS to
  use another source password file. On big systems, the NIS password and
  group files are usually stored in /var/yp/ypfiles/. If you do this the
  normal tools to administrate the password file such as "passwd",
  "chfn", "adduser" will not work anymore and you will need special
  homemade tools for this.

  However yppasswd, ypchsh and ypchfn will work ofcourse.

  8.2.  The Server Program yps

  To set up the "yps" NIS server please refer to the previous paragraph.
  The "yps" server setup is similar, _but_ not exactly the same so
  beware if you try to apply the "ypserv" instructions to "yps"!  "yps"
  is not supported by any author, and contains some security leaks.  You
  shouldn't really use it !

  The "yps" NIS server software can be found on:

         Site                Directory                         File Name

         ftp.kernel.org      /pub/linux/utils/net/NIS          yps-0.21.tar.gz
         ftp.lysator.liu.se  /pub/NYS/servers                  yps-0.21.tar.gz

  8.3.  The Program rpc.yppasswdd

  Whenever users change their passwords, the NIS password database and
  probably other NIS databases, which depend on the NIS password
  database, should be updated.  The program "rpc.yppasswdd" is a server
  that handles password changes and makes sure that the NIS information
  will be updated accordingly. rpc.yppasswdd is now integrated in ypserv
  1.2.7. You don't need the older, separate yppasswd-0.9.tar.gz or
  yppasswd-0.10.tar.gz, and you shouldn't use them any longer. The
  rpc.yppasswdd in ypserv 1.2.7 has full shadow support. yppasswd is now
  part of yp-tools-1.4.tar.gz,

  You need to start rpc.yppasswdd only on the NIS master server. By
  default, users are not allowed to change their full name or the login
  shell.  You could allow this with the -e chfn or -e chsh option.

  9.  Verifying the NIS/NYS Installation

  If everything is fine (as it should be), you should be able to verify
  your installation with a few simple commands. Assuming, for example,
  your passwd file is being supplied by NIS, the command

           % ypcat passwd

  should give you the contents of your NIS passwd file. The command

           % ypmatch userid passwd

  (where userid is the login name of an arbitrary user) should give you
  the user's entry in the NIS passwd file. The "ypcat" and "ypmatch"
  programs should be included with your distribution of traditional NIS
  or NYS.

  If a user couldn't log in, run the following program on the client:

  #include <stdio.h>
  #include <pwd.h>
  #include <sys/types.h>

  int
  main(int argc, char *argv[])
  {
    struct passwd *pwd;

    if(argc != 2)
      {
        fprintf(stderr,"Usage: getwpnam username\n");
        exit(1);
      }

    pwd=getpwnam(argv[1]);

    if(pwd != NULL)
      {
        printf("name.....: [%s]\n",pwd->pw_name);
        printf("password.: [%s]\n",pwd->pw_passwd);
        printf("user id..: [%d]\n", pwd->pw_uid);
        printf("group id.: [%d]\n",pwd->pw_gid);
        printf("gecos....: [%s]\n",pwd->pw_gecos);
        printf("directory: [%s]\n",pwd->pw_dir);
        printf("shell....: [%s]\n",pwd->pw_shell);
      }
    else
      fprintf(stderr,"User \"%s\" not found!\n",argv[1]);

    exit(0);
  }

  Running this program with the username as parameter, will print all
  the information the getpwnam function will give back for this user.
  This should show you, which entry is incorrect. The most common
  problem is, that the password field is overwritten with a "*".

  10.  Common Problems and Troubleshooting NIS

  Here are some common problems reported by various users:

  1. The libraries for 4.5.19 are broken. NIS won't work with it.

  2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su
     command breaks. You need to get the su command from the slackware
     1.2.0 distribution. Incidentally that's where you can get the
     updated libraries.

  3. You could run into trouble with NIS and DNS on the same machine
     using an old a.out distribution. The DNS server occasionally will
     not bring up NIS.

  4. When a NIS server goes down and comes up again ypbind starts
     complaining with messages like:

              yp_match: clnt_call:
                          RPC: Unable to receive; errno = Connection refused

  and logins are refused for those who are registered in the NIS
  database. Try to login as root and if you succeed, then kill ypbind
  and start it up again. An update to ypbind 3.3 or higher should also
  help.

  5. After upgrade the libc to a version greater then 5.4.20, the YP
     tools will not work any longer. You need yp-tools 1.2 or later for
     libc >= 5.4.21 and glibc 2.x and yp-clients 2.2. for earlier
     versions.

  6. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or
     later for yp-tools 1.x.

  7. libc 5 with traditional NIS doesn't support shadow passwords over
     NIS.  You need libc5 + NYS or glibc 2.x.

  11.  Frequently Asked Questions

  Most of your questions should be answered by now. If there are still
  questions unanswered you might want to post a message to

           comp.os.linux.help

  or

           comp.os.linux.networking

  or contact one of the authors of this HOWTO.

