Configuring The NFS Server

Here are the steps to configure the NFS server in this scenario:
1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.
/home *(rw,sync)
2. Let NFS read the /etc/exports file for the new entry, and make /home available to the network
with the exportfs command.
[root@bigboy tmp]# exportfs -a
[root@bigboy tmp]#
3. Make sure the required nfs, nfslock, and portmap daemons are both running and configured to
start after the next reboot.
[root@bigboy tmp]# chkconfig nfslock on
[root@bigboy tmp]# chkconfig nfs on
[root@bigboy tmp]# chkconfig portmap on
[root@bigboy tmp]# service portmap start
Starting portmapper: [ OK ]
[root@bigboy tmp]# service nfslock start
Starting NFS statd: [ OK ]
[root@bigboy tmp]# service nfs start
Starting NFS services: [ OK ]
Starting NFS quotas: [ OK ]
Starting NFS daemon: [ OK ]
Starting NFS mountd: [ OK ]
[root@bigboy tmp]#
After configuring the NFS server, we have to configure its clients, This will be covered next.
Configuring The NFS Client

You also need to configure the NFS clients to mount their /home directories on the NFS server.
These steps archive the /home directory. In a production environment in which the /home
directory would be actively used, you'd have to force the users to log off, backup the data, restore
it to the NFS server, and then follow the steps below. As this is a lab environment, these
prerequisites aren't necessary.
1. Make sure the required netfs, nfslock, and portmap daemons are running and configured to
start after the next reboot.
[root@smallfry tmp]# chkconfig nfslock on
[root@smallfry tmp]# chkconfig netfs on
[root@smallfry tmp]# chkconfig portmap on
[root@smallfry tmp]# service portmap start
Starting portmapper: [ OK ]
[root@smallfry tmp]# service netfs start
Mounting other filesystems: [ OK ]
[root@smallfry tmp]# service nfslock start
Starting NFS statd: [ OK ]
[root@smallfry tmp]#
2. Keep a copy of the old /home directory, and create a new directory /home on which you'll
mount the NFS server's directory.
[root@smallfry tmp]# mv /home /home.save
[root@smallfry tmp]# mkdir /home
[root@smallfry tmp]# ll /
...
...
drwxr-xr-x 1 root root 11 Nov 16 20:22 home
drwxr-xr-x 2 root root 4096 Jan 24 2003 home.save
...
...
[root@smallfry tmp]#
3. Make sure you can mount bigboy's /home directory on the new /home directory you just
created. Unmount it once everything looks correct.
[root@smallfry tmp]# mount 192.168.1.100:/home /home/
[root@smallfry tmp]# ls /home
ftpinstall nisuser quotauser smallfry www
[root@smallfry tmp]# umount /home
[root@smallfry tmp]#
4. Start configuring autofs automounting. Edit your /etc/auto.master file to refer to file
/etc/auto.home for mounting information whenever the /home directory is accessed. After five
minutes, autofs unmounts the directory.
#/etc/auto.master
/home /etc/auto.home --timeout 600
5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the
line is too long to view on your screen, you can add a \ character at the end to continue on the
next line.
#/etc/auto.home
* -fstype=nfs,soft,intr,rsize=8192,wsize=8192,nosuid,tcp \
192.168.1.100:/home/&
6. Start autofs and make sure it starts after the next reboot with the chkconfig command.
[root@smallfry tmp]# chkconfig autofs on
[root@smallfry tmp]# service autofs restart
Stopping automount:[ OK ]
Starting automount:[ OK ]
[root@smallfry tmp]#
After doing this, you won't be able to see the contents of the /home directory on bigboy as user
root. This is because by default NFS activates the root squash feature, which disables this user
from having privileged access to directories on remote NFS servers. You'll be able to test this
later after NIS is configured.
Note: This automounter feature doesn't appear to function correctly in my preliminary testing of
Fedora Core 3. See Chapter 29, "Remote Disk Access with NFS", for details.
All newly added Linux users will now be assigned a home directory under the new remote /home
directory. This scheme will make the users feel their home directories are local, when in reality
they are automatically mounted and accessed over your network.
Configuring The NIS Server

NFS only covers file sharing over the network. You now have to configure NIS login
authentication for the lab students before the job is done. The configuration of the NIS server is
not difficult, but requires many steps that you may overlook. Don't worry, we'll review each one in
detail.
Note: In the early days, NIS was called Yellow Pages. The developers had to change the name
after a copyright infringement lawsuit, yet many of the key programs associated with NIS have
kept their original names beginning with yp.
Install the NIS Server Packages

All the packages required for NIS clients are a standard part of most Fedora installations. The
ypserv package for servers is not. Install the package according to the steps outlined in Chapter
6,"Installing Linux Software".
Edit Your /etc/sysconfig/network File

You need to add the NIS domain you wish to use in the /etc/sysconfig/network file. For the
school, call the domain NIS-SCHOOL-NETWORK.
#/etc/sysconfig/network
NISDOMAIN="NIS-SCHOOL-NETWORK"
Edit Your /etc/yp.conf File

NIS servers also have to be NIS clients themselves, so you'll have to edit the NIS client
configuration file /etc/yp.conf to list the domain's NIS server as being the server itself or localhost.
# /etc/yp.conf - ypbind configuration file
ypserver 127.0.0.1
Start The Key NIS Server Related Daemons

Start the necessary NIS daemons in the /etc/init.d directory and use the chkconfig command to
ensure they start after the next reboot.
[root@bigboy tmp]# service portmap start
Starting portmapper: [ OK ]
[root@bigboy tmp]# service yppasswdd start
Starting YP passwd service: [ OK ]
[root@bigboy tmp]# service ypserv start
Setting NIS domain name NIS-SCHOOL-NETWORK: [ OK ]
Starting YP server services: [ OK ]
[root@bigboy tmp]#

[root@bigboy tmp]# chkconfig portmap on

[root@bigboy tmp]# chkconfig yppasswdd on
[root@bigboy tmp]# chkconfig ypserv on
Table 30.1 lists a summary of the daemon's functions.
Table 30-1 Required NIS Server Daemons
Daemon Name Purpose
portmap The foundation RPC daemon upon which NIS runs.
yppasswdd Lets users change their passwords on the NIS server from NIS clients
ypserv Main NIS server daemon
ypbind Main NIS client daemon
ypxfrd Used to speed up the transfer of very large NIS maps
Make sure they are all running before continuing to the next step. You can use the rpcinfo
command to do this.
[root@bigboy tmp]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100009 1 udp 681 yppasswdd
100004 2 udp 698 ypserv
100004 1 udp 698 ypserv
100004 2 tcp 701 ypserv
100004 1 tcp 701 ypserv
[root@bigboy tmp]#
The ypbind and ypxfrd daemons won't start properly until after you initialize the NIS domain.
You'll start these daemons after initialization is completed.
Initialize Your NIS Domain

Now that you have decided on the name of the NIS domain, you'll have to use the ypinit
command to create the associated authentication files for the domain. You will be prompted for
the name of the NIS server, which in this case is bigboy.
With this procedure, all nonprivileged accounts are automatically accessible via NIS.
[root@bigboy tmp]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. bigboy is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: bigboy
next host to add:
The current list of NIS servers looks like this:
bigboy

Is this correct? [y/n: y] y

We need a few minutes to build the databases...
Building /var/yp/NIS-SCHOOL-NETWORK/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'

bigboy has been set up as a NIS master server.

Now you can run ypinit -s bigboy on all slave server.

[root@bigboy tmp]#
Note: Make sure portmap is running before trying this step or you'll get errors, such as:
failed to send 'clear' to local ypserv: RPC: Port mapper failureUpdating group.bygid...
You will have to delete the /var/yp/NIS-SCHOOL-NETWORK directory and restart portmap,
yppasswd, and ypserv before you'll be able to do this again successfully.
Start The ypbind and ypxfrd Daemons

You can now start the ypbind and the ypxfrd daemons because the NIS domain files have been
created.
[root@bigboy tmp]# service ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@bigboy tmp]# service ypxfrd start
Starting YP map server: [ OK ]
[root@bigboy tmp]# chkconfig ypbind on
[root@bigboy tmp]# chkconfig ypxfrd on
Make Sure The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command
when they are running correctly.
[root@bigboy tmp]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100021 1 udp 1024 nlockmgr
100021 3 udp 1024 nlockmgr
100021 4 udp 1024 nlockmgr
100004 2 udp 784 ypserv
 100004 1 udp 784 ypserv
100004 2 tcp 787 ypserv
100004 1 tcp 787 ypserv
100009 1 udp 798 yppasswdd
600100069 1 udp 850 fypxfrd
600100069 1 tcp 852 fypxfrd
100007 2 udp 924 ypbind
100007 1 udp 924 ypbind
100007 2 tcp 927 ypbind
100007 1 tcp 927 ypbind
[root@bigboy tmp]#
Adding New NIS Users

New NIS users can be created by logging into the NIS server and creating the new user account.
In this case, you'll create a user account called nisuser and give it a new password.
Once this is complete, you then have to update the NIS domain's authentication files by executing
the make command in the /var/yp directory.
This procedure makes all NIS-enabled, nonprivileged accounts become automatically accessible
via NIS, not just newly created ones. It also exports all the user's characteristics stored in the
/etc/passwd and /etc/group files, such as the login shell, the user's group, and home directory.
[root@bigboy tmp]# useradd -g users nisuser
[root@bigboy tmp]# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@bigboy tmp]# cd /var/yp
[root@bigboy yp]# make
gmake[1]: Entering directory `/var/yp/NIS-SCHOOL-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/NIS-SCHOOL-NETWORK'
[root@bigboy yp]#
You can check to see if the user's authentication information has been updated by using the
ypmatch command, which should return the user's encrypted password string.
[root@bigboy yp]# ypmatch nisuser passwd
nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/::504:100::/home/nisuser:/bin/bash
[root@bigboy yp]
You can also use the getent command, which has similar syntax. Unlike ypmatch, getent doesn't
provide an encrypted password when run on an NIS server, it just provides the user's entry in
the /etc/passwd file. On a NIS client, the results are identical with both showing the encrypted
password.
[root@bigboy yp]# getent passwd nisuser
nisuser:x:504:100::/home/nisuser:/bin/bash
[root@bigboy yp]#
Configuring The NIS Client

Now that the NIS server is configured, it's time to configure the NIS clients. There are a number of
related configuration files that you need to edit to get it to work. Take a look at the procedure.
Run authconfig

The authconfig or the authconfig-tui program automatically configures your NIS files after
prompting you for the IP address and domain of the NIS server.
[root@smallfry tmp]# authconfig-tui
Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP
address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to
define the NIS domain to which the NIS client belongs.
# /etc/yp.conf - ypbind configuration file
domain NIS-SCHOOL-NETWORK server 192.168.1.100

#/etc/sysconfig/network
NISDOMAIN=NIS-SCHOOL-NETWORK
In addition, the authconfig program updates the /etc/nsswitch.conf file that lists the order in which
certain data sources should be searched for name lookups, such as those in DNS, LDAP, and
NIS. Here you can see where NIS entries were added for the important login files.
#/etc/nsswitch.conf
passwd: files nis
shadow: files nis
group: files nis
Note: You can also locate a sample NIS nsswitch.conf file in the /usr/share/doc/yp-tools*
directory.
Start The NIS Client Related Daemons

Start the ypbind NIS client, and portmap daemons in the /etc/init.d directory and use the
chkconfig command to ensure they start after the next reboot. Remember to use the rpcinfo
command to ensure they are running correctly.
[root@smallfry tmp]# service portmap start
Starting portmapper: [ OK ]
[root@smallfry tmp]# service ypbind start
Binding to the NIS domain:
Listening for an NIS domain server.
[root@smallfry tmp]#

[root@smallfry tmp]# chkconfig ypbind on

[root@smallfry tmp]# chkconfig portmap on
Note: Remember to use the rpcinfo -p localhost command to make sure they all started correctly.
Verify Name Resolution

As the configuration examples refer to the NIS client and server by their hostnames, you'll have to
make sure the names resolve correctly to IP addresses. This can be configured either in DNS,
when the hosts reside in the same domain, or more simply by editing the /etc/hosts file on both
Linux boxes.
#
# File: /etc/hosts (smallfry)
#
192.168.1.100 bigboy

#
# File: /etc/hosts (bigboy)
#
192.168.1.102 smallfry
Test NIS Access To The NIS Server

You can run the ypcat, ypmatch, and getent commands to make sure communication to the
server is correct.
[root@smallfry tmp]# ypcat passwd
nisuser:$1$Cs2GMe6r$1hohkyG7ALrDLjH1:505:100::/home/nisuser:/bin/bash
quotauser:!!:503:100::/home/quotauser:/bin/bash
ftpinstall:$1$8WjAVtes$SnRh9S1w07sYkFNJwpRKa.:502:100::/:/bin/bash
www:$1$DDCi/OPI$hwiTQ.L0XqYJUk09Bw.pJ/:504:100::/home/www:/bin/bash
smallfry:$1$qHni9dnR$iKDs7gfyt..BS9Lry3DAq.:501:100::/:/bin/bash
[root@smallfry tmp]#

[root@smallfry tmp]# ypmatch nisuser passwd

nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#

[root@smallfry tmp]# getent passwd nisuser

nisuser:$1$d6E2i79Q$wp3Eo0Qw9nFD/:504:100::/home/nisuser:/bin/bash
[root@smallfry tmp]#
Possible sources of error would include:
Incorrect authconfig setup resulting in errors in the /etc/yp.conf, /etc/sysconfig/network and
/etc/nsswitch.conf files
Failure to run the ypinit command on the NIS server
NIS not being started on the NIS server or client.
Poor routing between the server and client, or the existence of a firewall that's blocking traffic
Try to eliminate these areas as sources of error and refer to the syslog /var/log/messages file on
the client and server for entries that may provide additional clues.
Test Logins via The NIS Server

Once your basic NIS functionality testing is complete, try to test a remote login. Failures in this
area could be due to firewalls blocking TELNET or SSH access and the TELNET and SSH server
process not being started on the clients.
Logging In Via Telnet
Try logging into the NIS client via telnet if it is enabled
[root@bigboy tmp]# telnet 192.168.1.201
Trying 192.168.1.201...
Connected to 192.168.1.201.
Escape character is '^]'.
Red Hat Linux release 9 (Shrike)
Kernel 2.4.20-6 on an i686
login: nisuser
Password:
Last login: Sun Nov 16 22:03:51 from 192-168-1-100.simiya.com
[nisuser@smallfry nisuser]$
Logging In Via SSH
Try logging into the NIS client via SSH.
[root@bigboy tmp]# ssh -l nisuser 192.168.1.102
nisuser@192.168.1.102's password:
[nisuser@smallfry nisuser]$
In some versions of Linux, the NIS client's SSH daemon doesn't re-read the /etc/nsswitch.conf file
you just modified until SSH is restarted. SSH logins, therefore, won't query the NIS server until
this is done. Restart SSH on the NIS client.
[root@smallfry root]# service sshd restart
Stopping sshd:[ OK ]
Starting sshd:[ OK ]
[root@smallfry root]#