Topaz Nis Setup

References:

Topaz Configuration

  • Master: gandalf
  • Slave: merlin

Master configuration

  • Set nisdomainname: domainname topazproject.org
  • Add the following to /etc/sysconfig/network
    YPSERV_ARGS="-p 834"
    YPXFRD_ARGS="-p 835"
    
  • Update shorewall to allow traffic on 834 & 835 (tcp & udp)
  • Install ypserv
  • Update chkconfig and start ypbind for first time
  • Create a /var/yp/securenets file
  • Update /var/yp/Makefile to indicate databases to share and set 'NOPUSH=false'
  • Run /usr/lib64/yp/ypinit -m to update databases (Can just run make subsequently)
  • Configure init scripts to run: ypserv, ypxfrd, yppasswdd (and ypbind if a client too)
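
The steps above create /var/yp/securenets without showing what goes in it. The shell function below is an added example, not part of the original page: it audits such a file, assuming the standard ypserv format of "netmask network" pairs plus "host address" lines. The /16 threshold, the function name and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a ypserv securenets file.
# Line format: "<netmask> <network>" or "host <address>"; '#' starts a comment.
# Exit status: 0 = no findings, 1 = findings printed, 2 = file missing.

audit_securenets() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "MISSING $file: without it ypserv answers every host"
        return 2
    fi
    findings=0
    lineno=0
    while read -r mask net rest || [ -n "$mask" ]; do
        lineno=$((lineno + 1))
        case $mask in
            ''|'#'*) continue ;;                   # blank line or comment
            host)    [ -n "$net" ] && continue ;;  # single host, tightest form
        esac
        if [ -z "$net" ]; then
            echo "line $lineno: malformed entry '$mask'"
        elif [ "$mask" = 0.0.0.0 ] && [ "$net" = 0.0.0.0 ]; then
            echo "line $lineno: OPEN, matches every client address"
        else
            case $mask in
                255.255.*) continue ;;             # /16 or narrower (assumed policy)
                *) echo "line $lineno: BROAD mask $mask (wider than /16)" ;;
            esac
        fi
        findings=$((findings + 1))
    done < "$file"
    [ "$findings" -eq 0 ]
}

# Constructed sample: localhost, one documentation /24, and a wide-open entry.
sample=$(mktemp)
printf '%s\n' 'host 127.0.0.1' '255.255.255.0 192.0.2.0' '0.0.0.0 0.0.0.0' > "$sample"
audit_securenets "$sample" || echo "securenets needs tightening"
rm -f "$sample"
```

On the master, run it as audit_securenets /var/yp/securenets after every edit to the file.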

Concerns

  • We're using shadow passwords and NIS obviates the benefit. May want to discuss.
  • Our NIS domainname matches our DNS domain. This is supposed to be bad. I tried using something different, but ran into difficulties -- I think most tools assume they'll be the same even though it is supposed to make it easier for a hacker to figure things out...

Slave configuration

See guide above in master section:

  • Set up as a client first
  • Set up as a server up until the makefile bit above
  • Use ypinit -s masterhost instead of using the makefile
  • Set up a cron job to pull over stuff from master

Client configuration

  • Ensure /etc/hosts contains 207.7.131.18 gandalf.topazproject.org gandalf
  • Add NISDOMAIN=topazproject.org to /etc/sysconfig/network
  • Set the domainname: domainname topazproject.org
  • Ensure that the /var/yp directory exists
  • Add nis to /etc/host.conf
  • Set up /etc/yp.conf with domain topazproject.org server gandalf
  • Set up /etc/nsswitch.conf as follows:
    passwd: files nis
    shadow: compat
    group:  files nis
    hosts:  files nis dns
    
  • Add the following to the bottom of /etc/passwd
    +::::::
    
  • Configure init script
    chkconfig --level 0123456 ypbind off
    chkconfig --level 345 ypbind on
    
  • Start ypbind: /etc/init.d/ypbind start
  • Create a backup user in case NIS is ever down
    mkdir /home2
    useradd -d /home2/topazdev topazdev
    passwd topazdev
    
  • Disable root ssh: PermitRootLogin no

User Configuration

Add or delete the user in /etc/passwd and /etc/shadow as usual on the NFS server. To export:

    cd /var/yp
    make

Unfortunately, ypserv does not seem to release the old files, so you might have to reload ypserv with:

    service ypserv reload