CPSC 441, Networking, Fall 2004
Lab5: NFS and NIS


IN THIS LAB, we return to the task of setting up and configuring network services. In this case, you will be working with NFS (Network File System) and NIS (Network Information Service). Both of these services were originally introduced by Sun Microsystems, but they have since become standards.

You will be using NFS and NIS to store users' home directories on a server and allow the users to access their directories from other computers on the network. This is the same setup that was used for the Math/CS computer network up until last Spring. Since then, we have replaced NFS with a more secure file system, AFS.

You will be setting up your server computer to act as an NFS server and as an NIS server. You will then have to set up the client machines as clients for these services.

A Home Partition (Optional)

Traditionally, home directories are stored in their own partition on the server computer's hard disk. Your server has space to make a new partition, so you can do this if you want. (Do not do this if you already have non-root users on the server machine. Creating a home partition will hide those users' home directories.)

Log into your server computer as root, and start up the SuSE system administration tool, YaST. Go to the "System" section and click on "Partitioner." After clicking through a warning dialog, click the "Create" Button. In the create dialog, you want to change the "Mount Point" to "/home". You can, if you like, change the "End" of the partition to something like "5GB" to allow 5 gigabytes of space for the home partition. Click the "OK" button in the Create dialog, and finish by clicking the "Apply" button in the partitioner. YaST will create the partition, format it, "mount" it so it can be used, and configure the system to mount it automatically at boot. It might be a good idea to re-boot the server after creating a partition.

Creating Users

You will need some users for your NFS/NIS network. You should create these users on the server computer only. Create at least one user, with user name eck and password fred123. I will log in as this user to test your work. You will probably want to create one or two other users.

You can use YaST to create users. Go to the "Security and Users" section and click on "Edit and Create Users." Just click the "Add" button and fill in the appropriate information.

Another way to create users is with the useradd command on the command line. Just say "useradd -m username". The "-m" means to make a home directory for the user. When you make the user in this way, you must set a password for the user in order to enable the user's account. Use the command "passwd username".

The NFS Server

You will use NFS to share the /home directory on the server. As usual, it is easiest to use YaST to do the configuration. NFS actually requires that several different services run on the server. YaST will make sure it's all set up properly.

Go to the "Network Services" section of YaST. Click on "NFS Server." Turn on the server and click "Next". Click "Add Directory" and enter "/home" as the directory name in the dialog box that appears.

When you click "OK", a second dialog box will appear. This box allows you to specify which computers will be able to access the directory, and what access rights they will have. The default host, "*", is a wildcard that will let any computer on the Internet access the directory. You don't want this! Enter the complete IP address of one of the computers that you want to have access. In the options section, the "ro" indicates that the directory is shared "read-only." Users will need "read-write" access to their home directories, so change the "ro" to "rw".

You will want to share home directories to the two computers on your network, so add another host with the IP address of the second computer and the same options.
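The two export settings to watch for are the wildcard host, which the dialog above warns against, and no_root_squash, which lets a client's root user act as root on the server rather than being mapped to an unprivileged user (root_squash is the Linux default). The following audit script is an added example, not part of the lab; the sample exports file and the client addresses 172.30.217.41 and .42 are constructed for it.

```shell
#!/bin/sh
# Added audit of an NFS exports file: flags wildcard hosts and no_root_squash.
# Usage: audit_exports /etc/exports    -> one finding per line on stdout
audit_exports() {
    awk '
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        {
            path = $1
            if (NF < 2) {
                print path ": no host list given"
                next
            }
            for (i = 2; i <= NF; i++) {
                p = index($i, "(")              # split "host(opts)" into its parts
                if (p) { host = substr($i, 1, p - 1); opts = substr($i, p + 1) }
                else   { host = $i; opts = "" }
                sub(/\)$/, "", opts)
                if (host == "" || host ~ /[*?]/)
                    print path ": wildcard host \"" host "\" lets any machine mount it"
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    print path ": host " host " is exported with no_root_squash"
            }
        }' "$1"
}

# Constructed sample exports file (not from the lab server); only the
# server address 172.30.217.40 appears in the lab, the client addresses
# 172.30.217.41 and .42 are made up for this example.
sample_exports() {
    cat <<'EOF'
# /etc/exports (constructed sample)
/home      *(rw,sync)
/home      172.30.217.41(rw,sync,no_root_squash)
/home      172.30.217.42(rw,sync)
/srv/pub   172.30.217.0/24(ro,sync)
EOF
}

# Demo run: the sample yields two findings, one for the "*" host and one
# for the no_root_squash export; the .42 and /srv/pub entries are clean.
tmp=$(mktemp) && sample_exports > "$tmp" && audit_exports "$tmp"; rm -f "$tmp"
```

On the lab's server the file to audit is /etc/exports, which YaST writes from the dialog entries.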

To make sure that your NFS server is running, log onto one of the client computers and try to mount the home directory on the server by hand. Do this with a command of the form

        mount  172.30.217.40:/home  /home

Use the IP address of the server. This command makes the home directory from the server appear as a directory named /home on the client machine. (If that directory already contains anything, its contents will be hidden by the stuff from the server.) Look in /home. You should see the home directories of the users that you created on the server. When finished, you should unmount the shared file system with the command

       umount  /home

Note that the command is umount, not unmount. The mount and umount commands can only be given by root.

NFS Clients

You will want the client machines to mount the home directory automatically at boot time. You can do this using the YaST "NFS Client" module on the client machines. It should be clear how to do this (except maybe that it is OK to use the IP address of the server rather than a host name).

(To do this step by hand, you would mount the home directory from the server, as instructed above. To have it be remounted at boot time, you would just have to edit the file /etc/fstab. YaST will do this for you, but you might want to take a look at the line that is added to this file.)

Do this step on both of your client machines.

The NIS Server

Now that home directories are properly distributed to the clients, you need to distribute information about users. For this, you need a "directory service." We will use NIS. NIS is a general-purpose directory service that can be used to share all kinds of information, but we will use it for the most common purpose: sharing usernames and password information.

On the server machine, go to YaST's "Network Services" section and click on "NIS Server". You want to install the software and configure a Master Server. (A slave server is just one that duplicates the information on a master for the sake of efficiency.) After the software has been installed, you will need to specify an "NIS Domain Name." This name should be a single word that is not used for any other NIS Domain on the local network. It can be anything, such as "mydomain" or "foobar". Check the options "This host is also an NIS client" and "Allow changes to passwords". The other options should be unchecked.

When you click "Next", you will see a "NIS Global Maps Setup" page. This is where you select the information that you want to share. For sharing user information, you only need to check "group", "passwd", and "shadow". Check these options and click "Next".

The next screen, "NIS Server Query Hosts Setup", lets you specify which machines are allowed to access the information. You have to set things up on this page to allow access by your client computers. However, to keep things easy, you can allow access to all computers. To do this, click "Add" and set both "Netmask" and "Network" to 0.0.0.0.

Click on "Finish" to complete the setup.

(Note: Actually, I got an error here and had to start the services by hand. If this happens to you, ask for help.)

NIS Clients

Finally, you need to set up your client computers to use the NIS server. On each of the client computers, start YaST's "NIS Client" module. Set it to use NIS. Fill in the NIS Domain name that you used in the server configuration, and fill in the IP address of the server. Click finish and you should be done.

You should now be able to log onto both the server machine and the client machines as any of the users that you created on the server machine. The clients get information about the users using NIS, and they make the users' home directories available using NFS. Users can change their passwords using the passwd command on the clients.

If you add a new user on the server by hand, it will not automatically be added to the NIS database. So, you will have to rebuild the database. To do this, cd into the directory /var/yp and give the command make. This executes a Makefile that will rebuild the database. If you add the user using YaST, this step should be done automatically for you (I think).

Insecurities

NFS is not a secure network file system. One big problem is that all authentication is done by the client. The server just assumes that it can trust the client and hand over any files that the client asks for. Unfortunately, it's easy for another computer to impersonate one of the clients: All you have to do is turn off the client and set up another machine -- one that you control -- with the client's IP address. You can then use the fake client to gain complete control over the NFS files on the server. And, in any case, the root user on the client machines has access to the NFS files (by using the "su" command to impersonate other users).

Another problem is that NFS files are sent over the network in unencrypted form. This means that someone with a packet sniffer such as Ethereal can snoop on the contents of the packets as they travel over the network.

There are ways to improve the security somewhat, but NFS is really only suited to a trusted environment. The next version of NFS, Version 4, will support encryption of files and individual user authentication, which will bring it up to modern standards of security.

NIS is also an insecure protocol in that it sends its data in unencrypted form. A secure version, NIS+, is available. However, there is no NIS+ server that runs under Linux. (A Linux client is available.) In any case, the tendency is to move from NIS to LDAP as the directory protocol, and LDAP can be configured to do encryption and proper user authentication.

Web Server Note

By default, the Apache Web Server on your server computer makes user directories available under URLs of the form http://172.30.217.40/~username. This URL refers to a directory named public_html in the user's home directory. You should check that this access is working on your server.

Grading

This lab should be completed by Friday of next week, October 15. Please leave your computers running so that I can log into your computers and check the configuration. I will use username "eck" and password "fred123" to log in. (For one thing, I plan to log onto one of the client computers and create a web page in my public_html account. I should then be able to access this web page by pointing a browser at your server.)