Local NIS server - problem with group management

Hi,

I just set up a local NIS server and a client to fiddle around with it. The setup is quite bone-headed with /home exported via NFS:

And here are the two Ansible roles to configure NIS on the server and the client:

So far the setup basically works:

  • I create a user on the server.
  • I run cd /var/yp && make.
  • I can connect as this user on the client.

There seems to be a problem with group management though. Here’s what I have on the server:

groups microlinux
microlinux : microlinux wheel systemd-journal

And here’s this same user on a client machine:

groups microlinux
microlinux : microlinux

Documentation about NIS seems to be sparse to nonexistent on the Internet.

Any idea how I can manage groups correctly?

I’m quite sure that groups, id, getent do all look at /etc/nsswitch.conf, which lists services to query about a database (like ‘group’).
For example, I have on a machine:

group:      files sss systemd

So a query about group would use /usr/lib64/libnss_files.so, /usr/lib64/libnss_sss.so, and /usr/lib64/libnss_systemd.so until a result is found (or none).
The “files” obviously reads the /etc/group, the “sss” talks to the sssd, and the “systemd” something.

Nothing seems to provide /usr/lib64/libnss_nis.so for el9. The el8 does still have package nss_nis.

The sssd has backends, so it can query (and cache) services, like LDAP, Kerberos, AD, files, etc.
However, the sssd does not seem to have a backend for NIS.


The server as well as the clients are all EL8. I took a peek, and nss_nis is installed on the client:

# rpm -q nss_nis
nss_nis-3.0-8.el8.x86_64

Which leaves me clueless.

Some yp* package probably did pull it as a dependency.


The official method for updating nsswitch.conf, etc. in el8 is authselect: Chapter 2. Configuring user authentication using authselect (Configuring authentication and authorization in RHEL, Red Hat Enterprise Linux 8, Red Hat Documentation).
I don’t know whether it offers a way to inject ‘nis’ into the list of services.

Basically, you would need at least:

group:  files nis

or could as well be:

group:  files nis sss systemd

The PAM config is likely to require something too.


Making that all systematic with Ansible is probably the easiest part.


However, you did get in to the system with an account from NIS? Therefore, the ‘passwd’ and ‘shadow’ databases must have gotten user info from NIS. If they did, then there is config for them. If there is, why would the ‘group’ be lacking? Baffling.

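The nsswitch.conf check discussed in the reply above, as an added example that is not part of the original thread: it reports which of passwd, shadow and group lack a given service, and whether a matching libnss module exists in a library directory. The function names and the sample file are constructed for illustration; on a client you would pass /etc/nsswitch.conf and /usr/lib64.

```shell
#!/bin/sh
# Added example: which of passwd/shadow/group list a given NSS service?

# Print the ordered sources nsswitch.conf gives for one database,
# ignoring comments and [STATUS=action] items such as [NOTFOUND=return].
nss_sources() {  # usage: nss_sources FILE DATABASE
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == (db ":") {
            out = ""; skip = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1
                if (!skip) out = out (out ? " " : "") $i
                if ($i ~ /\]$/) skip = 0
            }
            print out; exit
        }' "$1"
}

# Print the databases among passwd, shadow and group that lack SERVICE.
nss_missing() {  # usage: nss_missing FILE SERVICE
    missing=""
    for db in passwd shadow group; do
        case " $(nss_sources "$1" "$db") " in
            *" $2 "*) ;;
            *) missing="$missing${missing:+ }$db" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Succeed if LIBDIR holds a libnss_SERVICE.so* module for the service.
nss_module_present() {  # usage: nss_module_present LIBDIR SERVICE
    for f in "$1"/libnss_"$2".so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Constructed sample (not the poster's file): nis on passwd and shadow only.
write_sample() {
    printf '%s\n' '# constructed nsswitch.conf' \
        'passwd:     files nis sss systemd' \
        'shadow:     files nis' \
        'group:      files [SUCCESS=return] sss systemd   # no nis here' > "$1"
}

sample=$(mktemp) && write_sample "$sample"
echo "group sources:         $(nss_sources "$sample" group)"
echo "databases without nis: $(nss_missing "$sample" nis)"
rm -f "$sample"
```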

That’s it exactly. Baffling. Users created on the server can authenticate on the clients, but group info is completely missing. And there seems to be no documentation anywhere.

Could well be due to the fact that RHEL deprecated NIS in RHEL 8.3. That will also explain why there isn’t much in the way of documentation either, since the recommendations are to move away from NIS to IPA, LDAP or in some use cases Kerberos.

See here: What is the support status of Network Information Service (NIS) - Red Hat Customer Portal

I did peek at my “recent files”.
I’ve got LDAP files since 2004, so must have phased out NIS back then.
2013 shows addition of Kerberos (to move password hashes away from LDAP).
No wonder my memories of NIS were dim. Did not expect it to have been that long ago.

The IPA (“IdM”?) is essentially Kerberos, LDAP, DHCP, DNS, time service, etc “holistic solution”.
