Troubleshooting NIS

The following is a top-down checklist to help fixing NIS-related problems on a typical Debian host in our D-PHYS network.

Checks on a Host where NIS Is Running

E.g., on the NIS server

ssh root@nis.phys.ethz.ch

Check whether the client host name is in an appropriate netgroup (i.e., the many netgroup and its descendants; most likely one of the _client variants) with

ypcat -k netgroup | grep `hostname` | awk '{print $1}'

Checks on the Host which You Want to Troubleshoot

Check whether NIS is installed

apt-cache policy nis

Fix with (as root)

apt-get install nis

Check whether the correct domain name is set. Do this with

domainname

Fix with (as root)

echo "phys.ethz.ch" > /etc/defaultdomain

Restart NIS

/etc/init.d/nis restart

If that fails and you have error messages like "ypbind[...]: Unable to register (YPBINDPROG, YPBINDVERS, udp)." in the syslog or "rpcbind: connect from 127.0.0.1 to getport/addr(ypbind): request from unauthorized host" in the auth.log, check with either

ypbind -no-dbus -debug

or

rpcinfo -p 127.0.0.1

if you're allowed to use RPC on localhost. If you get an error message like "rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak" or "Cannot register service: RPC: Authentication error; why = Client credential too weak", check the hosts.allow file. For older systems, you need an portmap entry allowing localhost, on newer systems you need an rpcbind entry for localhost. add the following two lines to hosts.allow and then try again (no need to restart any daemon for that):

portmap: 127.0.0.1
rpcbind: 127.0.0.1

Check whether the binding succeeded with

ypwhich

You should obtain the host name you get with the CNAME lookup

host nis.phys.ethz.ch

If DNS doesn't work, check if there's at least an /etc/hosts entry for your NIS server and that you can reach it:

ping nis.phys.ethz.ch

Check whether you get the NIS tables

ypcat passwd

Check in /etc/nsswitch.conf. All maps you want to use via NIS should at least have nis as one of the options

Check in /etc/auto.master. Use simple names (e.g., auto.home) instead of full paths if you want to use the corresponding nis table, and remove the file with the same name in /etc/

Note: NIS authentication (i.e., shadow passwords) is only available in our server-1 subnet. Use LDAP authentication in the docking and server-2 subnets.