Monday, August 11, 2008

Centralized user authentication with NIS

On a network with many users you will want to centralize your /etc/passwd file and user database so that all users can be managed in one place. With NIS, users are added and deleted on one machine only, and they can log in from any other client machine without needing a local account on it. (Together with Autofs, described in my previous post, and my next post on automounting the /home directory over NFS, the user database can be managed in one place.)
You can have multiple NIS servers in the same domain acting as master and slaves, all serving one central user database.
The server acts as the central repository for all user names, passwords and groups. The data is copied from the /etc/passwd file into the NIS databases.

On the server, you need to install a package called ypserv.

Type apt-get install ypserv if you are using a Debian-based distribution, or type

yum install ypserv if you are using a Red Hat derivative.
After installing ypserv you need to set up a domain name that is used by both the server and the clients.

To set your domain name, type

domainname example

To make it persistent, edit the /etc/sysconfig/network file and add the following line (no spaces around the equals sign, since the file is read as shell variable assignments):

NISDOMAIN=example

where example is the name of your NIS domain.

Next you need to convert the existing passwd, group and shadow files that contain user information and passwords into the NIS database format. You can do this with the following command:
/usr/lib/yp/ypinit -m

From now on, every time you add or delete a user, you have to rebuild the NIS database. You can do this with the command:

make -C /var/yp

You should set up a cron job to run every hour or so to rebuild the database for you automatically. Do this by typing crontab -e

and then adding the following line to your crontab file (cron runs jobs with /bin/sh, so use the portable redirection rather than bash's &>):

0 * * * * make -C /var/yp > /dev/null 2>&1

This will rebuild your NIS database at the top of every hour.

Save the file.

Start the NIS server by typing
/etc/init.d/ypserv start

The server is now ready to handle authentication requests from the clients.

On the client, you need to install the yp-tools package: apt-get install yp-tools
for Debian-based distros and yum install yp-tools for Red Hat derivatives.
Then type
system-config-authentication
which will open the GUI configuration program.
Click on Enable NIS
and then click on Configure NIS,
enter the domain name, i.e. example,
and the IP address of your NIS server. If you don't have a GUI, you can alternatively edit your /etc/yp.conf file and point it at the appropriate server and domain name by adding the following line:
domain example server servers_ip_address

The /etc/nsswitch.conf file lists the order in which lookups for various things are done, such as DNS lookups and user and group lookups. To make NIS lookups faster, change the following lines in your /etc/nsswitch.conf file from:

passwd: files nisplus nis
shadow: files nisplus nis
group: files nisplus nis

To the following:

passwd: nis files nisplus
shadow: nis files nisplus
group: nis files nisplus

Start the NIS client service by typing
/etc/init.d/ypbind start
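As an added example, not part of the original post, here is a POSIX shell script that checks an NIS client's configuration files offline for the settings described above: a "domain ... server ..." line in yp.conf whose domain matches what was set with domainname, and nis listed first for passwd, shadow and group in nsswitch.conf. The file paths and the expected domain are parameters so it can be pointed at copies of the real files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Offline checks for an NIS
# client's /etc/yp.conf and /etc/nsswitch.conf; file paths are parameters
# so the functions can be pointed at copies of the real files.

# Print the source order for one nsswitch database, e.g. "nis files nisplus".
# $1 = nsswitch.conf path, $2 = database name (passwd, shadow, group).
# Accepts blanks before the colon ("shadow : nis files"), ignores comments,
# and prints nothing if the database is not listed.
nss_order() {
    awk -v db="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            if (match(line, "^[ \t]*" db "[ \t]*:")) {
                rest = substr(line, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", rest)
                gsub(/[ \t]+/, " ", rest)
                print rest
                exit
            }
        }' "$1"
}

# Succeed only if "nis" is the first source, the order the post asks for.
# (files first instead keeps local accounts such as root resolvable while
# the NIS server is unreachable; choose the order deliberately.)
nis_first() {
    first=$(nss_order "$1" "$2" | cut -d' ' -f1)
    [ "$first" = "nis" ]
}

# Print "<domain> <server>" from the yp.conf line "domain NAME server HOST".
yp_binding() {
    awk '$1 == "domain" && $3 == "server" { print $2, $4; exit }' "$1"
}

# Cross-check the whole client setup.
# $1 = yp.conf path, $2 = domain set with domainname, $3 = nsswitch.conf path
check_client() {
    binding=$(yp_binding "$1")
    [ -n "$binding" ] || { echo "yp.conf: no 'domain ... server ...' line"; return 1; }
    dom=${binding%% *}
    [ "$dom" = "$2" ] || { echo "yp.conf domain '$dom' differs from domainname '$2'"; return 1; }
    for db in passwd shadow group; do
        nis_first "$3" "$db" || { echo "nsswitch.conf: $db does not list nis first"; return 1; }
    done
    echo "client config consistent: server ${binding#* } for domain $dom"
}
```

Run it as check_client /etc/yp.conf "$(domainname)" /etc/nsswitch.conf on the client; a non-zero exit explains which of the three settings is off.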

You will now be able to log in to your client machine using the usernames that are stored on your NIS server. You will get an error about not being able to mount your home directory, but my next post on automounting home directories centrally addresses that problem.
