
Red Hat Linux Networking, System Administration (P13)


Configuring an Example NIS Server

This section illustrates the process of setting up a simple master server. The NIS domain name is eng, running on the server nisbeast.example.com, which has an IP address 192.168.0.4. There are no slave servers, and all hosts in the example.com DNS domain are permitted to access the NIS server.

1 Set the NIS domain name:

NOTE If /var/yp/securenets does not exist on your system, create it.

3 Make sure that the portmapper is running:

# rpcinfo -u nisbeast portmapper

program 100000 version 2 ready and waiting

4 Start the primary server daemon, ypserv:

# service ypserv start

Starting YP server services: [ OK ]

5 Confirm that ypserv is running:

# rpcinfo -u nisbeast ypserv

program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

6 Initialize the NIS maps:

list, type a <control D>.

next host to add: nisbeast.kurtwerks.com
next host to add:

The current list of NIS servers looks like this:

Is this correct? [y/n: y] y

We need a few minutes to build the databases

gmake[1]: Leaving directory `/var/yp/eng'

nisbeast.kurtwerks.com has been set up as a NIS master server.

Now you can run ypinit -s nisbeast.kurtwerks.com on all slave servers.

After running the ypinit command as shown, a new directory containing the NIS map files exists, /var/yp/nisbeast. Storing NIS maps in domain-specific directories makes it easy for a single system to act as an NIS server for multiple NIS domains.

7 Start the password daemon, yppasswdd:

# service yppasswdd start

Starting YP passwd services: [ OK ]

8 Confirm that yppasswd is running:

# rpcinfo -u nisbeast yppasswd

program 100009 version 1 ready and waiting

9 Edit /etc/sysconfig/network and add the following line, commenting out or deleting any other line that begins with NISDOMAIN:

NISDOMAIN=eng

10 Use the chkconfig utility or the Service Configuration tool, as shown earlier, to configure ypserv and yppasswdd to start at boot time.

If you run slave servers, repeat Steps 7 and 8 for the transfer daemon, ypxfrd (that is, start ypxfrd and make sure that it is running). Also make sure to set ypxfrd to start at boot time in Step 10. Your shiny new NIS master server is now up and running and ready to answer requests from NIS clients. What’s that? No clients? Read on.

Configuring an NIS Client

After you have successfully configured at least one master NIS server, you are ready to configure one or more NIS clients. The general procedure for setting up an NIS client involves the following steps:

1 Set the NIS domain name

2 Configure and start the NIS client daemon

3 Test the client daemon

4 Configure the client’s startup files to use NIS

The following subsections describe these steps in detail and discuss the command and configuration file syntax. Note that there is some overlap between configuring a client and a server, so the discussion emphasizes client configuration tasks. The final subsection configures an example NIS client to illustrate the process of setting up a no-frills NIS client system that connects to the server configured at the end of the previous section.

Setting the NIS Domain Name

The initial step in configuring an NIS client is to set the NIS domain name. As explained in the previous section, execute the following command to set it:

# nisdomainname nisdomain

As before, replace nisdomain with the name of your NIS domain.

Configuring and Starting the Client Daemon

The NIS client daemon, ypbind, uses a configuration file named /etc/yp.conf that specifies which NIS servers clients should use and how to locate them, a process known as binding the client to the server. NIS clients can use one of three methods to bind the server, and the type of entry in /etc/yp.conf controls the way binding takes place. The simplest entry takes the form:

ypserver nisserverip

This entry tells clients to use the server whose IP address is nisserverip.

An example of this kind of entry might be:

ypserver 192.168.0.1

A somewhat more flexible approach enables clients to broadcast a query for the server to contact for a given NIS domain. This method saves tedious editing of client configuration files if (or, perhaps, when) the IP address of the NIS server changes. This entry takes the form shown here, where nisdomain is the name of the NIS domain of which the local host is a member:

domain nisdomain broadcast

An example entry for broadcast clients might resemble the following:

domain eng broadcast

Finally, if client systems are members of multiple NIS domains or if they can connect to one of several servers for the same NIS domain, the following form enables you to associate a given server with a given NIS domain:

domain nisdomain server nisserverip

This type of entry in /etc/yp.conf associates the NIS domain nisdomain with the NIS server (either master or slave) whose IP address is nisserverip. One example of this type of entry might be:

domain eng server 192.168.0.4
domain eng server 192.168.0.2
domain finance server 192.168.0.2

The first two lines identify two servers as the NIS servers for the eng NIS domain. The second and third lines indicate that the NIS server whose IP address is 192.168.0.2 serves two NIS domains, eng and finance.

TIP If the client system can resolve hostnames to IP addresses without NIS (if, for example, the client runs a caching name server or has an entry in /etc/hosts for the NIS server), you can use a hostname instead of an IP address, but your best bet is to use IP addresses in /etc/yp.conf to minimize problems that might arise if name lookup services become inoperable for some reason.
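
The three entry forms described above can be checked mechanically. The following is an added example, not code from the book: it classifies each yp.conf entry by binding method, flags servers given by hostname (the case the TIP warns about), and flags broadcast binding, where ypbind binds to whichever server answers the broadcast first. The function names and the finding labels are assumptions made for this illustration, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the book. Classifies /etc/yp.conf entries by the
# three binding methods the text describes. Finding labels are hypothetical.

# lint_ypconf: reads yp.conf text on stdin and prints one line per entry:
#   <line-number> <method> <domain> <server> <finding>
lint_ypconf() {
    awk '
    # True when s is a dotted-quad IPv4 address with each octet in 0..255.
    function is_ipv4(s,    n, p, i) {
        n = split(s, p, "[.]")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    # A hostname only works while the client can resolve names without NIS.
    function addr(s) { return is_ipv4(s) ? "ok" : "hostname-needs-resolver" }

    { sub(/#.*/, "") }     # drop comments (fields are re-split afterwards)
    NF == 0 { next }       # skip blank and comment-only lines

    $1 == "ypserver" && NF == 2 {
        print NR, "ypserver", "-", $2, addr($2); next
    }
    $1 == "domain" && $3 == "server" && NF == 4 {
        print NR, "server", $2, $4, addr($4); next
    }
    $1 == "domain" && $3 == "broadcast" && NF == 3 {
        print NR, "broadcast", $2, "-", "first-responder-wins"; next
    }
    $1 == "broadcast" && NF == 1 {
        print NR, "broadcast", "-", "-", "first-responder-wins"; next
    }
    { print NR, "unknown", "-", "-", "unrecognized-entry" }
    '
}

# Constructed sample that uses each entry form shown in the text.
sample_ypconf() {
    cat <<'EOF'
# /etc/yp.conf - ypbind configuration file
ypserver 192.168.0.1
domain eng broadcast
domain eng server 192.168.0.4
domain finance server nisbeast.example.com
EOF
}

sample_ypconf | lint_ypconf
```

On a real client the same function is run as `lint_ypconf < /etc/yp.conf`.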

To set up the client’s NIS daemons, you can edit /etc/yp.conf directly or use the Authentication Configuration tool, a graphical tool for configuring user authentication. The following procedure shows you how to use the Authentication Configuration tool to configure a client system to use NIS:

1 Select Red Hat ➪ System Settings ➪ Authentication or type system-config-authentication (as root) in a terminal window to open the Authentication Configuration tool shown in Figure 13-7.

2 Check the Cache User Information check box. Setting this option causes the client to cache information retrieved from the server, making subsequent NIS lookups considerably faster.

3 Click the User Information tab.

4 Click the Enable NIS Support check box.

5 Click the Configure NIS button to open the NIS Settings dialog box (see Figure 13-8).

6 If the NIS Domain Name text box is not already filled in, type the NIS domain name.

7 Type the NIS server’s IP address or name in the NIS Server text box. The NIS Settings dialog box should now resemble Figure 13-8. The NIS domain name is eng and the NIS server is nisbeast.example.com.

8 Check the Cache User Information check box to store authentication information at runtime. This will make lookups for NIS-based information faster.

9 Click OK to close the NIS Settings dialog box

10 Click OK to close the Authentication Configuration tool

Figure 13-7 The Authentication Configuration tool.

Figure 13-8 The completed NIS Settings dialog box.

The following listing shows the edits made to /etc/yp.conf by the Authentication Configuration tool:

# /etc/yp.conf - ypbind configuration file

# Valid entries are

#

# domain NISDOMAIN server HOSTNAME

# Use server HOSTNAME for the domain NISDOMAIN.

#

# domain NISDOMAIN broadcast

# Use broadcast on the local net for domain NISDOMAIN

# Use server HOSTNAME for the local domain The

# IP-address of server must be listed in /etc/hosts.

#

# broadcast

# If no server for the default domain is specified or

# none of them is reachable, try a broadcast call to

# find a server

domain eng server nisbeast.example.com

NOTE If you use the server’s IP address instead of its name, the IP address will appear in place of the server name.

NIS client programs, like the NIS servers, require RPC to function properly, so make sure the portmapper is running before starting the client daemon, ypbind. To start the client daemon, execute the following command, which invokes the ypbind initialization script:

# service ypbind start

Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.

After starting the NIS client daemon, use the command rpcinfo -u localhost ypbind to confirm that ypbind was able to register its service with the portmapper. The output should resemble the following:

# rpcinfo -u luther ypbind

program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting

NOTE If you skip the test procedure outlined in this section, you must at least set the domain name and create the /var/yp directory. Without this directory, ypbind does not start.

Finally, use one of the NIS client commands discussed in the section titled “Key NIS Client Files and Commands” to test whether the client and server are communicating properly. For example, use the ypcat command to display the contents of the NIS shared password file:

# ypcat passwd.byname

For user lookups to work properly on the client, do not add users whose authentication information will be retrieved using NIS on the client system. Instead, add a + sign to the end of /etc/passwd and /etc/group on your NIS clients. Experienced system administrators might use properly formatted entries for the password and group files (+:*:0:0:: and +:*:*, respectively), but this isn’t necessary for NIS to work properly.

Now edit /etc/host.conf so that it uses NIS for hostname lookups. By default, the Fedora Core and Red Hat Enterprise Linux host.conf file looks like the following:

order hosts,bind

This configuration means that name service lookups first look in /etc/hosts, then use bind, the name server, to perform name lookups. Change this line so that it reads:

order hosts,nis,bind

This entry causes name lookups to query NIS after looking in /etc/hosts and before using the resolver library.

Last, edit /etc/nsswitch.conf. By default, Red Hat Linux is configured to perform standard NIS (as opposed to NIS+) lookups when user authentication and related information is requested. Among other entries, you should see lines that look like the following:

passwd: files nis
shadow: files nis
group: files nis
hosts: files nis

If you don’t see these entries, add them.

Configuring the Client Startup Files

As when configuring an NIS server, you must modify some system configuration files and make sure that the client daemon starts and stops when the system starts and stops. In addition to setting the NIS domain name in /etc/sysconfig/network and setting the server information in /etc/yp.conf, you must enable ypbind, the NIS client, at boot time. You can use the chkconfig utility or the Service Configuration tool to start ypbind when the system boots.

Using chkconfig, issue the following commands:

# chkconfig --level 0123456 ypbind off

# chkconfig --level 345 ypbind on

To use the Service Configuration tool, start system-config-services as demonstrated earlier, scroll down to the bottom of the services list, and place a check mark beside the ypbind service. When you’re done, select File ➪ Save to save your changes, and then select File ➪ Exit to close the Service Configuration tool.

NIS Client Commands

Table 13-2 lists the key NIS client commands and briefly describes their purpose. The ypcat command enables you to view the contents of an NIS map. ypcat displays maps from the default server unless you request a specific NIS server using -d nisdomain. Similarly, to view the maps from a specific machine, use -h hostname, replacing hostname with the host in which you are interested.

Table 13-2 NIS Client Configuration Files and Commands

COMMAND    DESCRIPTION
ypcat      Prints the entries in an NIS database
ypmatch    Prints the value of one or more entries in an NIS map
yppasswd   Changes user passwords and information on the NIS server
yppoll     Displays the server and version number of an NIS map
ypwhich    Displays the name of the master NIS server

ypwhich invoked with no arguments displays the name of the default NIS server. If invoked with the -d nisdomain option, it queries the master NIS server for the NIS domain named nisdomain. You can also use ypwhich hostname to query the NIS server, if any, on the machine named hostname. The -x option causes ypwhich to display the list of available maps. Suppose, for example, that you want to know the list of hosts that the NIS server nisbeast knows about. First, use the ypwhich -x command to see a list of map nicknames available on nisbeast:

$ ypwhich -x

Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"

This output means, for example, that the map hosts.byname can be accessed using the nickname hosts. So, try ypcat hosts:

$ ypcat hosts

192.168.0.1 coondog.example.com coondog
192.168.0.2 hounddog.example.com hounddog
192.168.0.3 moonshine.example.com moonshine
127.0.0.1 localhost.localdomain localhost
127.0.0.1 localhost.localdomain localhost
192.168.0.4 nisbeast.example.com nisbeast

If you are looking for a specific piece of information, use the ypmatch command. For example, to find the user bubba’s password file entry, use the command:

$ ypcat passwd | grep bubba

bubba:$1$KXv8uWVw$Uk96z3r0bdHrM9gCfR.Ge0:501:501::/home/bubba:/bin/csh

A more elegant method is to tell ypmatch to do it:

$ ypmatch -k bubba passwd

bubba:$1$KXv8uWVw$Uk96z3r0bdHrM9gCfR.Ge0:501:501::/home/bubba:/bin/csh

As you can see, the output is the same, but ypmatch enables you to zero in on precisely the information you want without having to retrieve the entire map and filter the output. ypmatch’s -k option defines the key, or the information you want; the second argument tells ypmatch the map you want to search (passwd in this case). To see bubba’s group file entry, for example, you would specify the map group:

$ ypmatch -k bubba group

bubba bubba:!:501:
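
As the ypcat and ypmatch output above shows, an ordinary user on a client can read the password field of the passwd map. The following is an added example, not code from the book: it reads passwd-format lines, such as the output of ypcat passwd, and reports which accounts carry a real hash in that field. The function names and state labels are assumptions made for this illustration; the bubba line is copied from the output above and the other sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the book. Audits passwd-format map lines for
# password hashes that any NIS client can read. Labels are hypothetical.

# audit_passwd_map: reads passwd(5)-format lines on stdin and prints
#   <user> uid=<uid> <state>
audit_passwd_map() {
    awk -F: '
    NF < 7 { print "-", "line=" NR, "malformed"; next }
    {
        pw = $2
        if (pw == "")                        state = "EMPTY-PASSWORD"
        else if (pw == "x" || pw ~ /^[*!]/)  state = "no-hash"  # shadowed or locked
        else if (pw ~ /^[$]1[$]/)            state = "HASH-EXPOSED md5-crypt"
        else if (pw ~ /^[$]5[$]/)            state = "HASH-EXPOSED sha256-crypt"
        else if (pw ~ /^[$]6[$]/)            state = "HASH-EXPOSED sha512-crypt"
        else if (length(pw) == 13)           state = "HASH-EXPOSED des-crypt"
        else                                 state = "HASH-EXPOSED unknown-scheme"
        print $1, "uid=" $3, state
    }'
}

# exposed_count: number of accounts whose hash is visible in the map.
exposed_count() {
    audit_passwd_map | awk '/HASH-EXPOSED/ { n++ } END { print n + 0 }'
}

# Sample input: the bubba entry comes from the ypmatch output in the text;
# alice, svc and guest are constructed for this example.
sample_map() {
    cat <<'EOF'
bubba:$1$KXv8uWVw$Uk96z3r0bdHrM9gCfR.Ge0:501:501::/home/bubba:/bin/csh
alice:x:502:502::/home/alice:/bin/bash
svc:*:503:503::/:/sbin/nologin
guest::504:504::/home/guest:/bin/sh
EOF
}

sample_map | audit_passwd_map
echo "accounts with readable hashes: $(sample_map | exposed_count)"
```

On a bound client the check is run as `ypcat passwd | audit_passwd_map`.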

The yppasswd command enables users to change their NIS passwords. What’s wrong with using plain vanilla passwd? The passwd command affects only the client machine. The yppasswd command, on the other hand, updates the NIS maps on the NIS server, which means that the updated password will be effective across the network, not just on the client machine. In fact, if you use the passwd command for a user that is authenticated via NIS, the password change, if it succeeds, will not be propagated to other NIS clients and will be discarded from the local machine’s authentication databases the next time the NIS maps are updated.

Before you test the configuration, you need to have an NIS client configured (it’s hard to test a server without a client), so we’ll delay testing the server configuration until the end of the next section.

Configuring an Example NIS Client

This subsection illustrates configuring an NIS client to use the NIS services provided by the NIS server configured earlier in this chapter. As before, the NIS domain name is eng, running on the server nisbeast.kurtwerks.com, which has an IP address 192.168.0.1.

1 Set the NIS domain name:

3 Make sure that the portmapper is running on the client:

# rpcinfo -u localhost portmapper

program 100000 version 2 ready and waiting

4 Start the primary client daemon, ypbind:

# service ypbind start

Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.

5 Confirm that ypbind is running:

# rpcinfo -u localhost ypbind

program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting

6 Edit /etc/host.conf and add NIS to the services used for hostname lookups. The completed file looks like this:

order hosts,nis,bind

7 Use the chkconfig utility or Service Configuration tool, as explained earlier in this chapter, to configure ypbind to start at boot time.

Using NIS and NFS Together

As we promised in Chapter 12, this section shows you how to use NIS and NFS to fully automate mounting NFS exports. What you’ll discover, though, is that we didn’t promise much. That is, the only thing you need to do to use NIS and NFS together is use NIS to distribute the automounter configuration files. The rest “just works.” The technique uses NFS automounts to handle the mounting part of the process and NIS to distribute the automount files. The example shown in this section enables users to log in at any system (running an NIS client and an NFS client) and always have access to their home directory without having to make any modification on the client system except to enable NFS and NIS.

WHAT ABOUT NIS+?

The Network Information Service Plus, NIS+, is a replacement for NIS that provides improved security, a more flexible naming model, and better support for large (okay, enormous) NIS installations. The security improvements include data encryption and secure RPC. The original NIS specification (often called traditional NIS to distinguish it from NIS+) suffered from the typical RPC vulnerabilities because it transmitted information over the wire as clear text, making it an easy target for packet snoopers and ne’er-do-wells. Data encryption makes snoopers’ jobs more difficult. The naming scheme in NIS+ is dramatically different. The new method is very LDAP-like, organized around a tree of object nodes rather than a set of flat text files. Unfortunately, development of NIS+ for Linux has stopped. As a result, NIS+ for Linux is too immature to be considered for a production environment. If you need the additional security features and more flexible (and complicated) namespace offered by NIS+, you will want to use some combination of Kerberos and LDAP. See Chapter 34 for information about using Kerberos and LDAP for secure information sharing.

Here’s the scenario:

■ The NFS and NIS server is luther.kurtwerks.com, which has the IP address 192.168.0.4.

■ The NIS domain name is possumholler.

■ The home directories to export reside in the file system /export/homes.

■ The client system is marta.kurtwerks.com, which has the IP address 192.168.0.1, and is running NFSv2.

■ To keep the example clear, the exports will be mounted on the client system at the mount point /net.

And here’s the procedure: The server system has already been configured as an NIS and NFS server. Likewise, the client system has already been configured as an NIS and NFS client. Accordingly, the following steps focus only on modifying these services on the server and client systems.

1 On the NFS server, add the exported file system to /etc/exports:

# cat /etc/exports
/export/homes 192.168.0.0/24(rw,no_subtree_check,secure,async,wdelay)

This entry exports the file system /export/homes to any client with an IP address in the range 192.168.0.1-192.168.0.254. The export is configured as read-write, with subtree checking disabled, allows the server to handle NFS requests asynchronously, and permits the server to delay disk writes.

2 On the NIS server, create an automount file for /net. Keep in mind that this file, auto.net, will be used on client systems, not the server.

# /etc/auto.net
home -rw,soft,rsize=32678,wsize=32678,nfsvers=2 luther:/export/homes

This entry tells the automounter to mount the file system /export/homes exported from luther under the mount point /net/home in read-write mode. The mount will be a soft mount, the read and write buffers can be a maximum of 32,678 bytes, and the protocol version to use is NFSv2. The latter measure is necessary because the client in the example is not running NFSv4.

3 Edit a copy of /var/yp/Makefile and make the following changes:

a Beneath the line that reads (near line 93):

AUTO_LOCAL = $(YPSRCDIR)/auto.local

add the following entry:

AUTO_NET = $(YPSRCDIR)/auto.net

This entry tells the makefile where to find the auto.net automounter file.

b At the end of the line that reads (near line 109):

all: passwd group hosts rpc service netid protocols mail \

insert the text auto.net auto.master before the terminating backslash. The modified rule should look like the following:

all: passwd group hosts rpc service netid protocols mail auto.net auto.master \

This change tells the makefile to include the auto.net and auto.master files as two of the files to convert to NIS maps.

c Add the text below to the end of the file:

auto.net: $(AUTO_NET) $(YPDIR)/Makefile
	@echo "Updating $@ "
	-@sed -e "/^#/d" -e s/#.*$$// $(AUTO_NET) | $(DBLOAD) \
		-i $(AUTO_NET) -o $(YPMAPDIR)/$@ - $@
	-@$(NOPUSH) || $(YPPUSH) -d $(DOMAIN) $@

Each line after the first must be indented with a tab character! This entry (a rule in makefile parlance) tells make how to create an NIS map from the source auto.net. You don’t need to understand how it works, just that it does.

4 Execute the make command in /var/yp to update the NIS maps:

# cd /var/yp

# make
gmake[1]: Entering directory `/var/yp/possumholler'
Updating netid.byname
Updating auto.net
Updating auto.master
gmake[1]: Leaving directory `/var/yp/possumholler'

As you can see from the output, the auto.net file has been created. You can verify this by executing the following command:

6 On the client system, make sure that NIS and NFS client servers are running. If not, start them.

7 On the client, start the autofs service, which handles local automounts:

# service autofs start

Summary

In this chapter, you saw how to configure Fedora Core and Red Hat Enterprise Linux systems as NIS servers and clients. You first learned how to set up and test an NIS server and how to ensure that the NIS server comes up after a system reboot. You also learned how to configure an NIS client to connect to an NIS server for user-authentication information. Finally, you learned how to use NIS and NFS together, enabling NIS-authenticated users to mount their NFS-exported home directories on any NIS client system without requiring special setup at the NFS client.

Date posted: 07/07/2014, 09:20
