NIS Setup (Rocky Linux 8)

William Jing

Last modified: December 26, 2024

This guide is for Rocky Linux 8.

Overview

Setting up a Linux server cluster often requires central authentication systems, including options like LDAP and NIS. In this guide, we focus on using NIS (Network Information Service) to manage user authentication and ensure seamless integration across nodes. This guide provides comprehensive, step-by-step instructions for establishing a robust and functional NIS configuration. By centralizing user authentication across multiple Linux servers, NIS reduces administrative overhead and facilitates seamless integration of distributed systems, including password-less SSH logins.

Architecture

Network Information Service (NIS) is a client-server directory service protocol designed to distribute system configuration files—such as user accounts, groups, and hostnames—across a network. Below is an overview of the NIS architecture:

[Figure: NIS Architecture]

Key NIS Maps

| Map Name | Description |
|---|---|
| passwd.byname | User account information by username |
| passwd.byuid | User account information by UID |
| group.byname | Group information by group name |
| group.bygid | Group information by GID |
| hosts.byname | Hostname-to-IP mapping |
| hosts.byaddr | IP-to-hostname mapping |

These maps form the core of NIS functionality, providing structured access to user and host data for network-wide consistency.

Server-Side Configuration

  1. Install Necessary Packages:

    Install the required components for NIS server functionality.

    dnf -y install ypserv rpcbind
  2. Set NIS Domain Name:

    Define a unique domain name for your NIS setup.

    ypdomainname hpc
    echo -e "\nNISDOMAIN=hpc" >> /etc/sysconfig/network
  3. Allow All Hosts, Users, and Groups:

    Configure NIS to permit unrestricted access. Adjust this for stricter security in production.

    echo "* : * : * : none" >> /etc/ypserv.conf

    Warning: This configuration allows unrestricted access to all hosts, users, and groups, which may pose security risks. For production environments, consider defining stricter access control policies to limit exposure.

  4. Enable and Start Services:

    Activate the necessary services to run the NIS server.

    systemctl enable --now rpcbind ypserv ypxfrd yppasswdd nis-domainname
  5. Initialize NIS Maps:

    Generate the initial NIS maps, which include user and group data.

    /usr/lib64/yp/ypinit -m
  6. Update NIS Maps After Adding Users:

    Refresh the maps whenever changes are made to user or group data.

    make -C /var/yp
  7. Optional: Configure SELinux:

    Adjust SELinux policies to accommodate NIS functionality.

    setsebool -P nis_enabled on
    setsebool -P domain_can_mmap_files on
  8. Configure Firewall:

    Firewall configuration is a critical step to ensure the security of your NIS setup. It controls the network traffic that can access your server and prevents unauthorized access. Consider performing this step before enabling services to avoid exposing your system during configuration.

  • Edit /etc/sysconfig/network:

    echo 'YPSERV_ARGS="-p 944"' >> /etc/sysconfig/network
    echo 'YPXFRD_ARGS="-p 945"' >> /etc/sysconfig/network
  • Edit /etc/sysconfig/yppasswdd:

    echo 'YPPASSWDD_ARGS="--port 950"' >> /etc/sysconfig/yppasswdd
  • Restart Services:

    systemctl restart rpcbind ypserv ypxfrd yppasswdd
  • Configure Firewall:

    firewall-cmd --add-service=rpc-bind
    firewall-cmd --add-port={944-951/tcp,944-951/udp}
    firewall-cmd --runtime-to-permanent
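
The warning in step 3 can be turned into a repeatable check. The script below is an added example, not part of the original guide: it parses ypserv.conf access rules (fields are host : domain : map : security) and flags any rule that lets every host read a map with no check. The function names, the sample files and the 10.0.0.0/24 cluster subnet are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit ypserv.conf access rules.
# Rule format: host : domain : map : security   (security = none | port | deny)

audit_ypserv_conf() {
    # $1 = path to a ypserv.conf. Prints one finding per open rule and
    # returns 1 if any rule lets every host read a map with no check.
    awk -F: '
        /^[ \t]*#/ { next }          # comment lines
        NF != 4    { next }          # blank lines and option lines such as "dns: no"
        {
            for (i = 1; i <= 4; i++) gsub(/[ \t]/, "", $i)
            if ($1 == "*" && $4 == "none") {
                printf "line %d: any host may read map \"%s\" in domain \"%s\"\n", NR, $3, $2
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$1"
}

make_samples() {
    # $1 = directory. Both files are constructed samples; 10.0.0.0/24 is an
    # assumed cluster subnet and "hpc" is the domain used in this guide.
    cat > "$1/open.conf" <<'EOF'
dns: no
* : * : * : none
EOF
    cat > "$1/scoped.conf" <<'EOF'
dns: no
# Rules are checked top to bottom; the first match applies.
10.0.0.0/255.255.255.0 : hpc : passwd.byname : port
10.0.0.0/255.255.255.0 : hpc : passwd.byuid  : port
10.0.0.0/255.255.255.0 : hpc : *             : none
*                      : *   : *             : deny
EOF
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in open.conf scoped.conf; do
    if audit_ypserv_conf "$tmp/$f"; then echo "$f: no open rules"; else echo "$f: FAIL"; fi
done
rm -rf "$tmp"
```

Run `audit_ypserv_conf /etc/ypserv.conf` on the server after step 3; a non-zero exit status means at least one wildcard rule with `none` is still present.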

Client-Side Configuration

  1. Install Necessary Packages:

    Install the required components for the NIS client.

    dnf -y install ypbind rpcbind oddjob-mkhomedir
  2. Set NIS Domain Name:

    Define the NIS domain for the client system.

    ypdomainname hpc
    echo -e '\nNISDOMAIN=hpc' >> /etc/sysconfig/network
  3. Configure NIS Client:

    Set up the client to connect to the NIS server.

    • Edit /etc/yp.conf:

      echo 'domain hpc server controlplane-01' >> /etc/yp.conf
  4. Enable and Start Services:

    Activate the services required for NIS client functionality.

    systemctl enable --now rpcbind ypbind nis-domainname oddjobd
  5. Configure Authentication:

    authselect select nis --force

    This command configures the system to use NIS for authentication by updating the PAM (Pluggable Authentication Module) stack. It ensures that users authenticated via the NIS server can access the system. This step is crucial for enabling centralized authentication in an NIS environment.

    • To create home directories on initial login:

      authselect enable-feature with-mkhomedir
  6. Optional: Configure SELinux:

    Adjust SELinux policies to support NIS client operations.

    setsebool -P nis_enabled on
  7. Verify NIS Server Binding:

    Check which NIS server the client is connected to.

    ypwhich
    • Expected output:

      controlplane-01
  8. Change NIS Password:

    Update the NIS password for a user.

    yppasswd

Conclusion

By following this guide, you can successfully set up and configure NIS on both the server and client sides. This setup centralizes user management, simplifies authentication across multiple systems, and reduces administrative overhead. For production environments, always review security settings to ensure compliance with organizational policies and best practices. If you encounter issues, consult the system logs, verify service statuses, or check network configurations to identify potential misconfigurations. With proper setup and maintenance, NIS can significantly streamline system administration and improve operational efficiency.
