NFS and autofs using NIS in ubuntu


The tutorial about the NIS and NFS server in the Ubuntu documentation is hopeless.
I really do not understand why there are NO GUIs made for this, except in OpenSuSE (YaST2). Here I have put a step-by-step user guide including firewall configuration. Most tutorials have no firewall or no user authentication, but this one can be used to share user home directories across several computers.

The NIS client is mg48 and the NIS/NFS server is mg44.

NIS/NFS Server (mg44)

apt-get install rpcbind nfs-kernel-server nis

You do not need auto.master or auto.home on the NIS server. Be careful: these files MUST NOT be executable (+x). If you are exporting /home, be warned that if the maps are not set up properly you get a kind of bashrc loop for the user account on the server when the user logs in to the server, because +auto.home is sourced infinitely. Better to have these maps on the client only.

root@mg44:~# cat /etc/auto.master
cat: /etc/auto.master: No such file or directory

root@mg44:~# cat /etc/auto.home
cat: /etc/auto.home: No such file or directory

root@mg44:~# cat /etc/yp.conf
# ypserver ypserver.network.com
# also empty

root@mg44:/etc# cat ypserv.conf
#
# ypserv.conf   In this file you can set certain options for the NIS server,
#               and you can deny or restrict access to certain maps based
#               on the originating host.
#
#               See ypserv.conf(5) for a description of the syntax.
#

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host                       : Domain  : Map              : Security
#
# *                          : *       : passwd.byname    : port/mangle       
# *                          : *       : passwd.byuid     : port/mangle       

# This is the default - restrict access to the shadow password file,
# allow access to all others.
*                            : *       : shadow.byname    : port
*                            : *       : passwd.adjunct.byname : port
*                            : *       : *                : none
##### I made NO changes at all

 
root@mg44:/etc# cat hosts.allow 
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# Add client IP addresses here
portmap rpcbind mountd nfsd statd lockd rquotad : 122.2.194.48
 
 
root@mg44:/etc# cat defaultdomain 
robotics

root@mg44:/etc# cat hosts
127.0.0.1       localhost
122.2.194.44    mg44
122.2.194.48    mg48
# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

root@mg44:/etc# cat nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:     files nis
shadow:     files
group:      files nis

hosts:      files nis dns

#bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files 
rpc:        files
services:   files

netgroup:   files nis

#publickey:  nisplus

automount:  files nis
aliases:    files nis
 
root@mg44:/etc# cat /etc/ypserv.securenets
#
# securenets    This file defines the access rights to your NIS server
#               for NIS clients (and slave servers - ypxfrd uses this
#               file too). This file contains netmask/network pairs.
#               A clients IP address needs to match with at least one
#               of those.
#
#               One can use the word "host" instead of a netmask of
#               255.255.255.255. Only IP addresses are allowed in this
#               file, not hostnames.
#
# Always allow access for localhost
255.0.0.0       127.0.0.0

# This line gives access to everybody. PLEASE ADJUST!
#0.0.0.0         0.0.0.0
host     122.2.194.48

root@mg44:/etc# cat /etc/exports
/home/karthik    122.2.194.48(rw,sync,root_squash,no_subtree_check)
/data2/datasets    122.2.194.48(rw,sync,root_squash,no_subtree_check)
 
Apply the exports, restart the NIS and NFS services, and build the NIS maps:

root@mg44:/etc# exportfs -ra
root@mg44:/etc# service ypserv restart
root@mg44:/etc# service portmap restart
root@mg44:/etc# service nfs-kernel-server restart
root@mg44:/etc# make -C /var/yp
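The server-side rules followed above (each export goes to one explicit client, root_squash is kept, and that client is also listed in ypserv.securenets and hosts.allow) can be checked mechanically before the services are restarted. The following shell script is an added example and not part of the original post: the function names are mine, all three file paths are parameters so it can run against copies, and the sample files its demo writes are constructed to match the configuration shown above.

```shell
#!/bin/sh
# Added example, not from the original post: audit /etc/exports,
# /etc/ypserv.securenets and /etc/hosts.allow for the rules the server
# setup above follows. All three paths are parameters so the check can
# run against copies; the sample files in demo() are constructed.

# Print a config file without comment and blank lines.
cfg_lines() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'; }

# audit_exports EXPORTS SECURENETS HOSTS_ALLOW
# Prints one "PROBLEM: ..." line per finding (nothing when clean).
audit_exports() {
    exports=$1; securenets=$2; hostsallow=$3
    set -f   # the client field of an export may be "*": never let the shell glob it
    # A "0.0.0.0 0.0.0.0" pair in securenets lets every host talk to ypserv.
    if cfg_lines "$securenets" | grep -q '^0\.0\.0\.0[[:space:]]*0\.0\.0\.0'; then
        echo "PROBLEM: $securenets allows NIS access from every host (0.0.0.0 0.0.0.0)"
    fi
    cfg_lines "$exports" | while read -r path rest; do
        if [ -z "$rest" ]; then
            echo "PROBLEM: $path has no client list, so it is exported to the world"
            continue
        fi
        for spec in $rest; do
            # spec looks like client(opt,opt,...); the options part is optional
            host=${spec%%\(*}
            case "$spec" in
                *\(*) opts=${spec#*\(}; opts=${opts%\)} ;;
                *)    opts="" ;;
            esac
            case "$host" in
                ''|*\**|*\?*)
                    echo "PROBLEM: $path is exported to wildcard '$host'"
                    continue ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "PROBLEM: $path lets root on $host stay root (no_root_squash)" ;;
            esac
            case ",$opts," in
                *,insecure,*) echo "PROBLEM: $path accepts mounts from unprivileged ports on $host (insecure)" ;;
            esac
            # The same client must be a "host" entry in securenets (netmask
            # entries are not evaluated by this simple check) and must be
            # named in hosts.allow for the RPC daemons.
            cfg_lines "$securenets" | awk -v h="$host" '$1 == "host" && $2 == h { f = 1 } END { exit !f }' ||
                echo "PROBLEM: $host has no 'host' entry in $securenets"
            cfg_lines "$hostsallow" | grep -qF -- "$host" ||
                echo "PROBLEM: $host is not listed in $hostsallow"
        done
    done
    set +f
}

# check_exports EXPORTS SECURENETS HOSTS_ALLOW -> returns 0 when clean, 1 otherwise
check_exports() {
    findings=$(audit_exports "$1" "$2" "$3")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "OK: every export in $1 goes to an explicitly allowed client"
}

# Constructed sample files matching the server configuration shown above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        '/home/karthik    122.2.194.48(rw,sync,root_squash,no_subtree_check)' \
        '/data2/datasets    122.2.194.48(rw,sync,root_squash,no_subtree_check)' > "$d/exports"
    printf '%s\n' '# Always allow access for localhost' '255.0.0.0       127.0.0.0' \
        'host     122.2.194.48' > "$d/ypserv.securenets"
    printf '%s\n' 'portmap rpcbind mountd nfsd statd lockd rquotad : 122.2.194.48' > "$d/hosts.allow"
    check_exports "$d/exports" "$d/ypserv.securenets" "$d/hosts.allow"
    # A deliberately weak variant: wildcard client and root not squashed.
    printf '%s\n' '/srv    *(rw,no_root_squash)' > "$d/exports.bad"
    check_exports "$d/exports.bad" "$d/ypserv.securenets" "$d/hosts.allow" || true
    rm -rf "$d"
}
demo
```

Run it as `sh audit-exports.sh`; to check the live files, call `check_exports /etc/exports /etc/ypserv.securenets /etc/hosts.allow` instead of `demo`. The securenets check only recognises `host` lines, so a client allowed through a netmask/network pair is reported as a problem and has to be judged by hand.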
 
NIS Client (mg48)

1. Install the packages:
apt-get install portmap nis autofs nfs-common
2. You will be asked for the name of your NIS domain; enter it. If you entered it wrongly or want to change the NIS default domain later, change it in the file /etc/defaultdomain:
robotics
For example, robotics is the name of my NIS domain. Remember this parameter is case sensitive. It is probably a good idea to then add a portmap line to /etc/hosts.allow for security reasons:
portmap : <NIS server IP address>
Where "NIS server IP address" is the IP address of the NIS server.
3. Set up name services to use NIS:
Edit /etc/passwd to add a line at the end saying:
+::::::
Edit /etc/group to add a line at the end saying:
+:::
Edit /etc/shadow to add a line at the end saying:
+::::::::
This sets up those services to include NIS entries if a match isn't found in the local file. You could change other services to use NIS via the nis source in /etc/nsswitch.conf, but these are the important ones.
4. Edit /etc/yp.conf and add a ypserver line for each NIS server:
ypserver 123.45.67.89
ypserver 987.65.43.21
Where 123.45.67.89 and 987.65.43.21 are the NIS servers.
5. Restart NIS:
/etc/init.d/nis restart
Note: sshd will need to be restarted to use the new authentication system. Just an FYI.
Note: A frequently asked question is how to give NIS users audio, DRI and video privileges. Simply add the user to the video group in /etc/group.
6. If you are using autofs with NIS, you need this nsswitch.conf on the Ubuntu client:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       compat                  Use compatibility setup
#       nisplus                 Use NIS+ (NIS version 3)
#       nis                     Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       [NOTFOUND=return]       Stop searching if not found so far
#
# For more information, please read the  nsswitch.conf.5 manual page.
#

# passwd: files nis
# shadow: files nis
# group:  files nis

passwd: compat
group:  compat

hosts:  files dns
networks:       files dns

services:       files nis
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files nis
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files nis
shadow: compat

If you get an error like "startkde: kpersonalizer not found! Please install to properly configure your user.", it means the normal user cannot access the video device. Add the user to the group "video" in /etc/group.

mg48:/etc # cat /etc/auto.master
#+auto.master
/home    auto.home
/data2    auto.data2

mg48:/etc # cat /etc/auto.home
karthik      -rw,soft 122.2.194.44:/home/karthik


mg48:/etc # cat /etc/auto.data2
datasets      -rw,soft 122.2.194.44:/data2/datasets
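The warning earlier in the text that the map files must not be executable, together with the expectation that every map entry mounts from the one exported server, can be checked on the client with a short script. This is an added example and not part of the original post: the function names are mine, the auto.master path and the expected server address are parameters, and the sample maps its demo writes are constructed copies of the ones shown above. It also prints a NOTE for entries mounted without nosuid, since without that option a setuid file on the export would run with privilege on the client.

```shell
#!/bin/sh
# Added example, not from the original post: check the autofs maps on the
# client. autofs treats an executable map file as a program map and runs it
# instead of reading it, so each file map must not carry +x; every entry
# should also mount from the expected server. Paths and server are parameters.

# Print a config file without comment and blank lines.
cfg_lines() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'; }

# audit_autofs MASTER SERVER -> prints "PROBLEM: ..." and "NOTE: ..." lines
audit_autofs() {
    master=$1; server=$2; dir=$(dirname "$master")
    if [ -x "$master" ]; then
        echo "PROBLEM: $master is executable"
    fi
    cfg_lines "$master" | while read -r mountpoint map rest; do
        case "$mountpoint" in
            +*) continue ;;             # "+auto.master" is pulled from NIS, nothing local to check
        esac
        case "$map" in
            yp:*|nis:*|-*) continue ;;  # NIS-served or built-in maps are not local files
            /*) mapfile=$map ;;
            *)  mapfile=$dir/$map ;;
        esac
        if [ ! -f "$mapfile" ]; then
            echo "PROBLEM: $mountpoint refers to missing map $mapfile"
            continue
        fi
        if [ -x "$mapfile" ]; then
            echo "PROBLEM: $mapfile is executable, autofs will run it as a program map"
        fi
        cfg_lines "$mapfile" | while read -r key opts location; do
            # entries look like "key -options server:/path"; the options are optional
            case "$opts" in -*) ;; *) location=$opts; opts="" ;; esac
            case "$location" in
                *:*) host=${location%%:*} ;;
                *)   echo "PROBLEM: $mountpoint/$key has no server:/path location ($location)"; continue ;;
            esac
            if [ "$host" != "$server" ]; then
                echo "PROBLEM: $mountpoint/$key mounts from $host instead of $server"
            fi
            case ",${opts#-}," in
                *,nosuid,*) ;;
                *) echo "NOTE: $mountpoint/$key is mounted without nosuid" ;;
            esac
        done
    done
}

# check_autofs MASTER SERVER -> returns 0 when no PROBLEM line was found, 1 otherwise
check_autofs() {
    findings=$(audit_autofs "$1" "$2")
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; fi
    if printf '%s\n' "$findings" | grep -q '^PROBLEM:'; then return 1; fi
    echo "OK: no problem in the maps listed in $1"
}

# Constructed sample maps matching the client configuration shown above.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#+auto.master' '/home    auto.home' '/data2    auto.data2' > "$d/auto.master"
    printf '%s\n' 'karthik      -rw,soft 122.2.194.44:/home/karthik' > "$d/auto.home"
    printf '%s\n' 'datasets      -rw,soft 122.2.194.44:/data2/datasets' > "$d/auto.data2"
    check_autofs "$d/auto.master" 122.2.194.44 || true
    chmod +x "$d/auto.home"     # reproduce the +x mistake the text warns about
    check_autofs "$d/auto.master" 122.2.194.44 || true
    rm -rf "$d"
}
demo
```

On the real client, replace the `demo` call with `check_autofs /etc/auto.master 122.2.194.44` (or the server address you use). Only file maps listed in auto.master are inspected; maps served from NIS are skipped because they have no local file to check.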
 
 
mg48:/etc # cat hosts
127.0.0.1       localhost 

# special IPv6 addresses
::1             localhost ipv6-localhost ipv6-loopback

fe00::0         ipv6-localnet 

ff00::0         ipv6-mcastprefix 
ff02::1         ipv6-allnodes 
ff02::2         ipv6-allrouters 
ff02::3         ipv6-allhosts 
122.2.194.48    mg48 linux-ynpq
122.2.194.44    mg44 linux-ynpq

Test the exports from the client:

mg48:~ # showmount -e mg44
Export list for mg44:
/data2/datasets 122.2.194.48
/home/karthik   122.2.194.48

On the server

NFS requires portmap (rpcbind), rpc.nfsd and rpc.mountd to be running, so you need to open:
  • rpc.nfsd – 2049 tcp/udp
  • portmap – 111 tcp/udp
  • rpc.mountd – its port is assigned dynamically unless pinned, so it is fixed to 32771 below and that port is opened too
root@mg44:/etc# cat  /etc/default/nfs-kernel-server 
# Number of servers to start up
# To disable nfsv4 on the server, specify '--no-nfs-version 4' here
RPCNFSDCOUNT=8

# Runtime priority of server (see nice(1))
RPCNFSDPRIORITY=0

# Options for rpc.mountd.
# If you have a port-based firewall, you might want to set up
# a fixed port here using the --port option. For more information,
# see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
# To disable NFSv4 on the server, specify '--no-nfs-version 4' here
#RPCMOUNTDOPTS=--manage-gids
## USE SINGLE QUOTES BELOW 
RPCMOUNTDOPTS='-p 32771 -g'

# Do you want to start the svcgssd daemon? It is only required for Kerberos
# exports. Valid alternatives are "yes" and "no"; the default is "no".
NEED_SVCGSSD=

# Options for rpc.svcgssd.
RPCSVCGSSDOPTS=

# Options for rpc.nfsd.
RPCNFSDOPTS=
Restart the NFS Kernel Daemon:
service nfs-kernel-server restart
* Stopping NFS kernel daemon                                            [ OK ]
* Exporting directories for NFS kernel daemon…               [ OK ]
* Starting NFS kernel daemon                                              [ OK ]
Configure UFW to accept incoming connections from the client on ports 32771, 2049 and 111 (with no protocol given, ufw allows both tcp and udp):

ufw allow from 122.2.194.48 to any port 32771
ufw allow from 122.2.194.48 to any port 111
ufw allow from 122.2.194.48 to any port 2049
ufw status numbered

Check on the server that mountd is now listening on the fixed port 32771 set above:

root@mg44:/etc# nmap localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2013-05-17 13:17 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
631/tcp   open  ipp
2049/tcp  open  nfs
32771/tcp open  sometimes-rpc5

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
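The scan above runs against localhost, so it shows what is listening, not what ufw lets through from other hosts; a scan from the client (or from a host that is not in the allow rules) is what shows the firewall's effect. Either way the report can be compared mechanically with the set of ports this setup is meant to expose. The following is an added example and not part of the original post: the function names and the NFS_PORTS list are mine, it reads nmap's normal output, and the embedded sample is the localhost scan shown above.

```shell
#!/bin/sh
# Added example, not from the original post: compare the open ports in an
# nmap report against the ports the NFS/NIS setup is supposed to expose.
# The sample report below is the localhost scan shown in the text.

# Ports the tutorial opens on the server: rpcbind, nfsd and the pinned mountd port.
NFS_PORTS="111/tcp 2049/tcp 32771/tcp"

# unexpected_open_ports EXPECTED < nmap-output
# Prints "port/proto service" for every open port not in EXPECTED.
unexpected_open_ports() {
    awk -v allowed=" $1 " '
        $2 == "open" && index(allowed, " " $1 " ") == 0 { print $1, $3 }'
}

# check_ports EXPECTED REPORTFILE -> returns 0 if only expected ports are open, 1 otherwise
check_ports() {
    extra=$(unexpected_open_ports "$1" < "$2")
    if [ -n "$extra" ]; then
        echo "Open ports outside the expected set ($1):"
        printf '%s\n' "$extra" | sed 's/^/  /'
        return 1
    fi
    echo "OK: only the expected ports ($1) are open"
}

# The scan shown in the text, embedded so the check runs offline.
SAMPLE_SCAN=$(cat <<'EOF'
Starting Nmap 5.21 ( http://nmap.org ) at 2013-05-17 13:17 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
631/tcp   open  ipp
2049/tcp  open  nfs
32771/tcp open  sometimes-rpc5

Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
EOF
)

demo() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_SCAN" > "$f"
    # Against the NFS set alone, ssh and the CUPS port show up as unexpected.
    check_ports "$NFS_PORTS" "$f" || true
    # Once ssh is accepted as part of the baseline, only ipp remains.
    check_ports "$NFS_PORTS 22/tcp" "$f" || true
    rm -f "$f"
}
demo
```

To use it on a live report, save the scan with `nmap -oN report.txt <host>` and call `check_ports "$NFS_PORTS 22/tcp" report.txt`, extending the expected list with whatever else the host is meant to serve.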
 
--- 

The IP addresses have been changed for security reasons.