Resolution
Please note that the following is one possible example of how Safeguard Authentication Services can be used to manage NIS automount maps on RHEL 9 when the Red Hat NIS components are not available.
Please note that One Identity does not support the configuration of, or issues arising from the use of, the native OS configuration files, including but not limited to autofs.conf, ldap.conf, and autofs_ldap_auth.conf.
If a different or more comprehensive strategy is required, the One Identity Professional Services (PSO) team can assist. Your account representative can provide more information on a PSO engagement, or PSO can be reached here:
https://support.oneidentity.com/professional-services-product-select
Note that this configuration does not require vasypd.
The NIS objects in AD are read directly by the operating system's autofs LDAP lookup instead of being served as NIS maps.
The following is based on a default install of Red Hat Enterprise Linux 9.2, using vasproxyd for LDAP access through SAS.
NOTE: The base entries in the following configurations (BASE, search_base, and ldap_base) must be changed to the location in AD that holds the autofs maps.
Wherever `/opt/quest/bin/vastool info domain-dn` appears, replace it with the output of that command, or with the LDAP-formatted name (DN) of the container where the autofs maps are located.
1) Set up vasproxyd.
Install vasproxyd using the preferred method. For example, from the install media, run:
./install.sh -qa vasproxyd
Configure vasproxyd. Here it is set up to listen on loopback only and to allow anonymous binds. vasproxyd wraps each request in a normal SASL/GSSAPI LDAP connection authenticated as host/, so the traffic on the wire to the DC is encrypted and signed.
/opt/quest/bin/vastool configure vas vasproxyd stanza autofs listen-addrs=127.0.0.1:389 enable-anonymous=true
Restart the daemon to pick up the new autofs stanza:
systemctl restart vasproxyd
Test it:
/opt/quest/bin/vastool search -ah 127.0.0.1 -b '' -s base "(objectClass=*)" dnsHostName
This should return the dnsHostName of the DC that was contacted.
2) Set up ldap.conf:
Modify /etc/openldap/ldap.conf and add the following lines:
BASE `/opt/quest/bin/vastool info domain-dn`
URI ldap://127.0.0.1
REFERRALS no
3) Set up autofs ldap auth
Modify /etc/autofs_ldap_auth.conf so that the stanza contains the following, replacing any other settings in it:
<autofs_ldap_sasl_conf
usetls="no"
authrequired="no"
/>
4) Set up autofs ldap
Modify /etc/autofs.conf and add the following:
search_base = `/opt/quest/bin/vastool info domain-dn`
map_object_class = nisMap
entry_object_class = nisObject
map_attribute = nisMapName
entry_attribute = cn
value_attribute = nisMapEntry
ldap_uri = ldap://127.0.0.1
ldap_base = `/opt/quest/bin/vastool info domain-dn`
5) Set up nss:
In /etc/nsswitch.conf, add ldap to the automount line, so that
automount: files
becomes
automount: files ldap
If using authselect, make the same change in
/usr/share/authselect/vendor/AuthenticationServices/nsswitch.conf
and run:
authselect select --force AuthenticationServices
This pushes the ldap setting into the SAS authselect profile.
If the system is unjoined and rejoined, or re-installed or upgraded, this change may need to be redone.
At this point, restarting autofs should pick up the new configuration.
NOTE: For debugging, add mount_verbose = yes to /etc/autofs.conf.
For example, this is the syslog debug output after setting mount_verbose = yes in /etc/autofs.conf:
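Before restarting autofs it is worth confirming that all five files agree with the settings above, in particular that the backtick placeholder for the domain DN has actually been replaced. The following script is an added example and is not part of the One Identity article or product: it is a read-only check of ldap.conf, autofs_ldap_auth.conf, autofs.conf and nsswitch.conf for exactly the values given in steps 2 to 5. All paths are taken relative to a root directory so the same checks can be exercised against constructed sample files; the sample DN DC=example,DC=test and the temporary directory layout are made up for the demonstration. Run it as AUTOFS_CHECK_ROOT=/ sh autofs-check.sh to check the live host.

```shell
#!/bin/sh
# Added example (not One Identity code): verify the autofs-over-vasproxyd
# settings from steps 2-5 under a root directory ("/" for the live host).

fail() { echo "FAIL: $*" >&2; return 1; }

# conf_value FILE KEY: value of the first uncommented "KEY = VALUE" line.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Step 2: loopback proxy URI, referrals off, BASE resolved to a real DN.
check_ldap_conf() {
    f="$1/etc/openldap/ldap.conf"
    [ -r "$f" ] || { fail "$f missing"; return 1; }
    grep -Eq '^[[:space:]]*URI[[:space:]]+ldap://127\.0\.0\.1(/|[[:space:]]|$)' "$f" \
        || { fail "$f: URI must be ldap://127.0.0.1 (vasproxyd loopback listener)"; return 1; }
    grep -Eq '^[[:space:]]*REFERRALS[[:space:]]+no([[:space:]]|$)' "$f" \
        || { fail "$f: REFERRALS no is required"; return 1; }
    if grep -q 'vastool info domain-dn' "$f"; then
        fail "$f: BASE still contains the unresolved vastool placeholder"; return 1
    fi
    grep -Eq '^[[:space:]]*BASE[[:space:]]+[Dd][Cc]=' "$f" || { fail "$f: BASE must be an LDAP DN"; return 1; }
}

# Step 3: no TLS and no bind credentials; vasproxyd already signs/encrypts the hop to AD.
check_ldap_auth() {
    f="$1/etc/autofs_ldap_auth.conf"
    [ -r "$f" ] || { fail "$f missing"; return 1; }
    grep -q 'usetls="no"' "$f" || { fail "$f: usetls=\"no\" expected"; return 1; }
    grep -q 'authrequired="no"' "$f" || { fail "$f: authrequired=\"no\" expected"; return 1; }
}

# Step 4: NIS map schema and loopback URI; both base DNs must be resolved.
check_autofs_conf() {
    f="$1/etc/autofs.conf"
    [ -r "$f" ] || { fail "$f missing"; return 1; }
    for pair in map_object_class=nisMap entry_object_class=nisObject map_attribute=nisMapName \
                entry_attribute=cn value_attribute=nisMapEntry ldap_uri=ldap://127.0.0.1; do
        key=${pair%%=*}; want=${pair#*=}; got=$(conf_value "$f" "$key")
        [ "$got" = "$want" ] || { fail "$f: $key is '$got', expected '$want'"; return 1; }
    done
    for key in search_base ldap_base; do
        case "$(conf_value "$f" "$key")" in
            ""|*'vastool info domain-dn'*) fail "$f: $key must be the resolved AD DN"; return 1 ;;
        esac
    done
}

# Step 5: ldap must appear as an automount source.
check_nsswitch() {
    f="$1/etc/nsswitch.conf"
    [ -r "$f" ] || { fail "$f missing"; return 1; }
    grep -Eq '^[[:space:]]*automount:.*[[:space:]]ldap([[:space:]]|$)' "$f" \
        || { fail "$f: automount line does not list ldap"; return 1; }
}

# check_all ROOT: run every check, report all failures, return 0 only if all pass.
check_all() {
    root="${1%/}"; rc=0
    check_ldap_conf "$root" || rc=1
    check_ldap_auth "$root" || rc=1
    check_autofs_conf "$root" || rc=1
    check_nsswitch "$root" || rc=1
    return $rc
}

# make_sample_configs good|bad: write constructed sample files under a temp dir
# and print its path. "bad" keeps the placeholder DN and the pre-change nsswitch
# line so the checks have a misconfiguration to catch. The DN is made up.
make_sample_configs() {
    d=$(mktemp -d); mkdir -p "$d/etc/openldap"
    if [ "$1" = good ]; then base='DC=example,DC=test'; else base='`/opt/quest/bin/vastool info domain-dn`'; fi
    printf 'BASE %s\nURI ldap://127.0.0.1\nREFERRALS no\n' "$base" > "$d/etc/openldap/ldap.conf"
    printf '<autofs_ldap_sasl_conf\n  usetls="no"\n  authrequired="no"\n/>\n' > "$d/etc/autofs_ldap_auth.conf"
    {
        echo '[ autofs ]'; echo "search_base = $base"; echo 'map_object_class = nisMap'
        echo 'entry_object_class = nisObject'; echo 'map_attribute = nisMapName'
        echo 'entry_attribute = cn'; echo 'value_attribute= nisMapEntry'
        echo 'ldap_uri = ldap://127.0.0.1'; echo "ldap_base = $base"
    } > "$d/etc/autofs.conf"
    if [ "$1" = good ]; then echo 'automount: files ldap'; else echo 'automount: files'; fi > "$d/etc/nsswitch.conf"
    echo "$d"
}

# Check the live host only when asked, so the functions can also be sourced.
if [ -n "${AUTOFS_CHECK_ROOT:-}" ]; then
    check_all "$AUTOFS_CHECK_ROOT" && echo "OK: autofs LDAP configuration matches steps 2-5"
fi
```

The value parser deliberately ignores commented-out lines, because the stock autofs.conf ships every key as a comment and a stray leading "#" is the most common reason a setting silently has no effect.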
do_bind: lookup(ldap): auth_required: 1, sasl_mech (null)
do_bind: lookup(ldap): ldap simple bind returned 0
get_query_dn: lookup(ldap): found query dn CN=auto.home,CN=Computers,DC=nfstest01,DC=oias
lookup_one: lookup(ldap): searching for "(&(objectclass=nisObject)(|(cn=nfstest_1)(cn=/)(cn=\2A)))" under "CN=auto.home,CN=Computers,DC=nfstest01,DC=oias"
lookup_one: lookup(ldap): getting first entry for cn="nfstest_1"
lookup_one: lookup(ldap): examining first entry
lookup_mount: lookup(ldap): nfstest_1 -> -fstype=nfs,rw,nosuid,soft 192.168.1.120:/var/samba/home/&
parse_mount: parse(sun): expanded entry: -fstype=nfs,rw,nosuid,soft 192.168.1.120:/var/samba/home/nfstest_1
parse_mount: parse(sun): gathered options: fstype=nfs,rw,nosuid,soft
parse_mount: parse(sun): dequote("192.168.1.120:/var/samba/home/nfstest_1") -> 192.168.1.120:/var/samba/home/nfstest_1
parse_mount: parse(sun): core of entry: options=fstype=nfs,rw,nosuid,soft, loc=192.168.1.120:/var/samba/home/nfstest_1
sun_mount: parse(sun): mounting root /nfs/home, mountpoint nfstest_1, what 192.168.1.120:/var/samba/home/nfstest_1, fstype nfs, options rw,nosuid,soft
mount(nfs): root=/nfs/home name=nfstest_1 what=192.168.1.120:/var/samba/home/nfstest_1, fstype=nfs, options=rw,nosuid,soft
mount(nfs): nfs options="rw,nosuid,soft", nobind=0, nosymlink=0, ro=0
mount_mount: mount(nfs): calling mkdir_path /nfs/home/nfstest_1
mount(nfs): calling mount -t nfs -s -o rw,nosuid,soft 192.168.1.120:/var/samba/home/nfstest_1 /nfs/home/nfstest_1
mount_mount: mount(nfs): mounted 192.168.1.120:/var/samba/home/nfstest_1 on /nfs/home/nfstest_1