Secure Unix LAN (NIS and Kerberized NFSv4)

NIS Server

by ross at 17:10:03 on March 20, 2014

Add to /etc/rc.conf:

# Enable NIS server
nisdomainname="lan"
nis_server_enable="YES"
nis_yppasswdd_enable="YES"
rpcbind_enable="YES"

Create /var/yp/securenets:

# allow connections from local host -- mandatory
127.0.0.1     255.255.255.255
# allow connections from my LAN
192.168.10.0  255.255.255.0

Run:

# /etc/netstart
# service rpcbind start
Note: we must create a dir for the NIS domain or ypserv won't start
# mkdir /var/yp/lan
# chmod 700 /var/yp/lan
# service ypserv start

Create NIS master.passwd:

# cp /etc/master.passwd /var/yp/master.passwd
# vi /var/yp/master.passwd

Now delete all system accounts, keeping only real users (uid 1000 or greater). NIS maps are served to every host that passes securenets, and we won't authenticate through NIS anyway, so replace every password hash with * rather than distributing credentials. Your /var/yp/master.passwd should look like this:

user1:*:1001:1001:standard:0:0:User 1:/home/user1:/bin/tcsh
user2:*:1002:1002:standard:0:0:User 2:/home/user2:/bin/tcsh
user3:*:1003:1003:standard:0:0:User 3:/home/user3:/bin/tcsh
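The pruning above is easy to get wrong by hand, and a plain "uid >= 1000" rule also lets pseudo-accounts such as nobody (uid 65534) into the map. The following shell function is an added example, not part of the original post: it reads a FreeBSD master.passwd on stdin, keeps only entries within a uid range (lower and upper bounds are assumptions, defaulting to 1000 and 65533), and blanks the password field to *. The sample input at the bottom is constructed for the demo, and the strip_master_passwd name is hypothetical.

```shell
#!/bin/sh
# Build a NIS master.passwd from a local master.passwd (added example, not
# from the original post):
#   - keep only accounts whose uid lies in [minuid, maxuid] (assumed defaults
#     1000 and 65533, so nobody/65534 and system accounts are dropped)
#   - replace the password hash (field 2) with "*" so NIS never carries
#     credentials
# FreeBSD master.passwd layout (10 colon-separated fields):
#   name:pw:uid:gid:class:change:expire:gecos:home:shell
# Reads stdin, writes stdout.

strip_master_passwd() {
    minuid="${1:-1000}"
    maxuid="${2:-65533}"
    awk -F: -v OFS=: -v minuid="$minuid" -v maxuid="$maxuid" '
        # skip comments and blank lines
        /^#/ || NF == 0 { next }
        # only 10-field lines are valid master.passwd entries
        NF != 10 { next }
        # numeric uid comparison, then blank the hash and re-emit the line
        $3 + 0 >= minuid && $3 + 0 <= maxuid {
            $2 = "*"
            print
        }
    '
}

# Constructed sample input (not a real system file) used for the demo below.
SAMPLE_MASTER_PASSWD='root:$6$abc$hash0:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
user1:$6$xyz$hash1:1001:1001:standard:0:0:User 1:/home/user1:/bin/tcsh
user2:$6$xyz$hash2:1002:1002:standard:0:0:User 2:/home/user2:/bin/tcsh'

# Demo: run the filter over the constructed sample.
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | strip_master_passwd

# Real use on the NIS server (paths as in the post; the chmod is an assumption,
# the file should not be world-readable even with the hashes removed):
#   strip_master_passwd < /etc/master.passwd > /var/yp/master.passwd
#   chmod 600 /var/yp/master.passwd
```

Run the script as-is to see the two user lines come out with * in the password field while root, daemon and nobody are dropped; pipe the real /etc/master.passwd through it instead of editing the copy by hand.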

Initialize the NIS maps. ypinit will ask to destroy the /var/yp/lan directory created above; answer y so the maps are rebuilt from /var/yp/master.passwd:

# ypinit -m lan
Server Type: MASTER Domain: lan

Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.

Do you want this procedure to quit on non-fatal errors? [y/n: n]  

Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work. 

Can we destroy the existing /var/yp/lan and its contents? [y/n: n]  y

At this point, we have to construct a list of this domains YP servers.
coffin.lan is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a <control D>.
        master server   :  coffin.lan
        next host to add:  ^D
The current list of NIS servers looks like this:

coffin.lan

Is this correct?  [y/n: y]  y
... skipped ...
NIS Map update completed.

coffin.lan has been setup as an YP master server without any errors. 

Run:

# service yppasswdd start
