
Chapter 10. Policy: Integrating with NIS Domains and Netgroups

10.1. About NIS and FreeIPA
10.2. Creating Netgroups
10.2.1. Adding Netgroups
10.2.2. Adding Netgroup Members
10.3. Exposing Automount Maps to NIS Clients
10.4. Migrating from NIS to FreeIPA
10.4.1. Preparing Netgroup Entries in FreeIPA
10.4.2. Enabling the NIS Listener in FreeIPA
10.4.3. Exporting the Existing NIS Data
Network Information Service (NIS) is one of the most common ways to manage identities and authentication on Unix networks. It is simple and easy to use, but it has inherent security weaknesses and a lack of flexibility that can make administering NIS domains problematic.
FreeIPA supplies a way to integrate netgroups and other NIS data into the FreeIPA domain, so that existing NIS clients keep working while the data itself is stored and served under FreeIPA's stronger security controls. Alternatively, administrators can simply migrate user and host identities from a NIS domain into the FreeIPA domain.

10.1. About NIS and FreeIPA

Network Information Service (NIS) centrally manages authentication and identity information such as users and passwords, hosts and IP addresses, and POSIX groups. It was originally called Yellow Pages (abbreviated YP), a phone-book analogy for its role as a simple identity and authentication lookup service; the name survives in the yp* prefix of its commands and daemons (ypbind, ypserv, ypcat).
NIS is considered too insecure for most modern network environments: it provides no host authentication, so a server cannot verify which host is asking and a client cannot verify which server answered, and it transmits all of its information over the network unencrypted, including password hashes. Although NIS has been falling out of favor with administrators, it is still actively used by many clients. Those weaknesses can be worked around by serving the NIS data through protocols that offer stronger security, which is what FreeIPA does.
FreeIPA integrates NIS objects through its underlying LDAP directory. LDAP servers support NIS objects (as defined in RFC 2307), and FreeIPA customizes that schema to integrate NIS data with the other identities in the domain. The NIS object is created in the LDAP directory, and a client module such as nss_ldap or SSSD then fetches it over an encrypted LDAP connection.
FreeIPA represents NIS host and user membership as netgroups. A netgroup allows nesting (netgroups inside netgroups), which standard Unix groups do not support. Netgroups also provide a way to group hosts, which is likewise missing from Unix groups.
NIS netgroups work by defining users and hosts as members of a larger domain. Each netgroup member is a trio of information, host, user and domain, called a triple. In a NIS map a triple is written in parentheses:
(host,user,domain)
A netgroup triple associates the user or the host with the domain; it does not associate the user and the host with each other. An empty field is a wildcard that matches any value, and a dash (-) means "no value" and matches nothing. A triple that names a host and leaves the user field empty therefore matches any user on that host, which is why a triple usually names either a host or a user, for clarity and for manageable access control:
(host.example.com,,nisdomain.example.com)
(-,jsmith,nisdomain.example.com)
NIS distributes more than just netgroup data: its maps also cover users and passwords, groups, network data, and hosts, among other information. FreeIPA's NIS listener can serve the passwd, group, and netgroup maps from FreeIPA entries.
In FreeIPA LDAP entries, the users in a netgroup can be a single user or a user group; both are referenced by the memberUser attribute. Likewise, hosts can be either a single host or a host group; both are referenced by the memberHost attribute.
dn: ipaUniqueID=d4453480-cc53-11dd-ad8b-0800200c9a66,cn=ng,cn=accounts,...
objectclass: top
objectclass: ipaAssociation
objectclass: ipaNISNetgroup
ipaUniqueID: d4453480-cc53-11dd-ad8b-0800200c9a66
cn: netgroup1
memberHost: fqdn=host1.example.com,cn=computers,cn=accounts,...
memberHost: cn=VirtGuests,cn=hostgroups,cn=accounts,...
memberUser: cn=jsmith,cn=users,cn=accounts,...
memberUser: cn=bjensen,cn=users,cn=accounts,...
memberUser: cn=Engineering,cn=groups,cn=accounts,...
nisDomainName: nisdomain.example.com
In FreeIPA, these netgroup entries are handled using the netgroup-* commands, which show the basic LDAP entry:
# ipa netgroup-show netgroup1
Netgroup name: netgroup1
Description: my netgroup
NIS domain name: nisdomain.example.com
Member User: jsmith
Member User: bjensen
Member User: Engineering
Member Host: host1.example.com
Member Host: VirtGuests
When a client asks for the netgroup, FreeIPA either translates the LDAP entry into a traditional NIS map and serves it over the NIS protocol (the NIS server plug-in from slapi-nis) or publishes it in the compatibility tree as an entry that conforms to RFC 2307 or RFC 2307bis, with the hosts and users rendered as nisNetgroupTriple values (the Schema Compatibility plug-in, also from slapi-nis). Clients that use the compatibility tree still fetch it over an encrypted LDAP connection; the NIS path carries the same data unencrypted, so enable it only for the legacy clients that need it.
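To show what that translation looks like, here is an added example that is not the slapi-nis plug-ins' code: it takes the FreeIPA-style netgroup entry from above, flattens the user groups and host groups it references, and emits both the RFC 2307 nisNetgroup attributes and the equivalent NIS map line. The group and host-group membership tables, the "contractors" nested netgroup and its DN under cn=ng are constructed for illustration (real FreeIPA netgroup entries use an ipaUniqueID RDN, and user DNs use uid=, not the cn= form shown in the chapter).

```python
"""Flatten a FreeIPA netgroup entry into RFC 2307 nisNetgroup attributes and
a NIS map line. Added example, not code from FreeIPA's slapi-nis plug-ins.
All entries and membership tables below are constructed for illustration;
real deployments read them from LDAP.
"""
from typing import Dict, List, Tuple

BASE = "cn=accounts,dc=example,dc=com"

# Constructed FreeIPA-side data, keyed by the RDN value of each entry.
USER_GROUPS: Dict[str, List[str]] = {"Engineering": ["bjensen", "alice"]}
HOST_GROUPS: Dict[str, List[str]] = {"VirtGuests": ["vm1.example.com", "vm2.example.com"]}
NETGROUPS: Dict[str, Dict[str, List[str]]] = {
    "netgroup1": {
        "nisDomainName": ["nisdomain.example.com"],
        "memberHost": [f"fqdn=host1.example.com,cn=computers,{BASE}",
                       f"cn=VirtGuests,cn=hostgroups,{BASE}"],
        "memberUser": [f"uid=jsmith,cn=users,{BASE}",
                       f"cn=Engineering,cn=groups,{BASE}"],
        # nested netgroups: assumed here to be linked by 'member' to an
        # entry under cn=ng (simplified cn= RDN instead of ipaUniqueID=)
        "member": [f"cn=contractors,cn=ng,{BASE}"],
    },
    "contractors": {
        "nisDomainName": ["nisdomain.example.com"],
        "memberHost": [],
        "memberUser": [f"uid=cthomas,cn=users,{BASE}"],
        "member": [],
    },
}


def split_dn(dn: str) -> Tuple[str, str]:
    """Return (RDN value, container DN) for a DN such as cn=X,cn=groups,..."""
    rdn, _, container = dn.partition(",")
    _, _, value = rdn.partition("=")
    return value, container


def flatten(name: str) -> Tuple[List[str], List[str], List[str]]:
    """Resolve one netgroup to (hosts, users, nested netgroup names).

    Groups and host groups are expanded to their members; nested netgroups
    are reported by name, because both NIS and RFC 2307 let the client
    follow nesting itself.
    """
    entry = NETGROUPS[name]
    hosts: List[str] = []
    users: List[str] = []
    nested: List[str] = []
    for dn in entry.get("memberHost", []):
        value, container = split_dn(dn)
        if container.startswith("cn=computers,"):
            hosts.append(value)
        elif container.startswith("cn=hostgroups,"):
            hosts.extend(HOST_GROUPS.get(value, []))
        else:
            raise ValueError(f"unexpected memberHost DN: {dn}")
    for dn in entry.get("memberUser", []):
        value, container = split_dn(dn)
        if container.startswith("cn=users,"):
            users.append(value)
        elif container.startswith("cn=groups,"):
            users.extend(USER_GROUPS.get(value, []))
        else:
            raise ValueError(f"unexpected memberUser DN: {dn}")
    for dn in entry.get("member", []):
        value, container = split_dn(dn)
        if container.startswith("cn=ng,"):
            nested.append(value)
    return sorted(set(hosts)), sorted(set(users)), sorted(set(nested))


def to_rfc2307(name: str) -> Dict[str, List[str]]:
    """Build the nisNetgroup attributes a compat tree would publish. Hosts and
    users become separate triples, with '-' in the unused field."""
    hosts, users, nested = flatten(name)
    domain = NETGROUPS[name]["nisDomainName"][0]
    triples = [f"({h},-,{domain})" for h in hosts] + [f"(-,{u},{domain})" for u in users]
    return {"objectClass": ["top", "nisNetgroup"], "cn": [name],
            "nisNetgroupTriple": triples, "memberNisNetgroup": nested}


def to_nis_map_line(name: str) -> str:
    """Render the same data as one line of the NIS 'netgroup' map."""
    entry = to_rfc2307(name)
    return " ".join([name, *entry["nisNetgroupTriple"], *entry["memberNisNetgroup"]])


if __name__ == "__main__":
    for attr, values in to_rfc2307("netgroup1").items():
        for v in values:
            print(f"{attr}: {v}")
    print(to_nis_map_line("netgroup1"))
```

Note that group and host-group expansion happens on the server side, so a change to cn=Engineering is visible to NIS clients on their next map fetch, while nested netgroups are handed to the client by name and resolved there, exactly as in a native NIS map.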
For more information on NIS, see the Berkeley lab manpages at http://compute.cnr.berkeley.edu/cgi-bin/man-cgi?netgroup+4.