2.5 :: NIS Server Installation and Configuration |
These are step-by-step instructions for installing, configuring, and testing a NIS master server and slave server. These instructions assume the following:
The following packages were already installed during the Red Hat 9 OS installation process:
yp-tools-2.7-5
ypbind-1.11-4
ypserv-2.6-2
portmap-4.0-54
I visited www.redhat.com and retrieved the following (newer) packages:
ypserv-2.8-0.9E
It is very important to get the most recent packages!
Now on DAS-M, install/upgrade like this:
[root@das-m RPM]# rpm -Uvh yp*rpm
Here is the final listing of installed NIS-related packages:
yp-tools-2.7-5
ypbind-1.11-4
ypserv-2.8-0.9E
portmap-4.0-54
There are a number of configuration files that need to be edited before cranking up a NIS master server. They deal with the portmapper service, security, the ypbind daemon, the ypserver itself, replication, map files, and so on. We will go through the files, one by one:
The /etc/sysconfig/network file needs to have some lines added. This file sets some NIS parameters at system boot. NISDOMAIN is the NIS domain name. YPSERV_ARGS and YPXFRD_ARGS let you pin the port each of those services listens on, which makes firewall rules easier to write. Here are the lines:
NISDOMAIN=kerb.org
YPSERV_ARGS="-p 888"
YPXFRD_ARGS="-p 889"
The /etc/hosts.allow file allows you to secure the portmapper service (Sun RPC) with TCP Wrappers. In our configuration, we are preventing any host that does not reside on our lab network (10.10.22.0/24) from using the portmap service. We also allow the loopback address. Here are the lines to add to the file:
# Secure the Portmapper for DAS-M. Should be restricted to our LAN only
portmap : 127. 10.10.22. : ALLOW
portmap : ALL : DENY
You should configure this to match your network topology. For more details, type: man hosts.allow.
Next, we want to configure the /etc/yp.conf config file. This sets up the NIS binding config file, which is used by the ypbind daemon. It is necessary for NIS map replication from master to slave, and for testing the NIS server. We only need to add a single line to the default configuration file:
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
#domain NISDOMAIN server HOSTNAME
#	Use server HOSTNAME for the domain NISDOMAIN.
#
#domain NISDOMAIN broadcast
#	Use broadcast on the local net for domain NISDOMAIN
#
#ypserver HOSTNAME
#	Use server HOSTNAME for the local domain. The
#	IP-address of server must be listed in /etc/hosts.
#
ypserver das-m.kerb.org
The /etc/ypserv.conf file can also be configured, but for our purposes, it was unnecessary to change it. You can check out the ypserv.conf manpage for details. For the record, here is the default config file:
#
# ypserv.conf	In this file you can set certain options for the NIS server,
#		and you can deny or restrict access to certain maps based
#		on the originating host.
#
#		See ypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all not needed, if
# you have a Linux net.

# Should we do DNS lookups for hosts not found in the hosts table ?
# This option is ignored in the moment.
dns: no

# How many map file handles should be cached ?
files: 30

# xfr requests are only allowed from ports < 1024
xfr_check_port: yes

# The following, when uncommented, will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host         : Domain  : Map                   : Security
#
# *            : *       : passwd.byname         : port
# *            : *       : passwd.byuid          : port

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*              : *       : shadow.byname         : port
*              : *       : passwd.adjunct.byname : port

# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# *            : *       : *                     : none
The next task is to create the /var/yp/securenets file. This file lists the source IP networks or hosts that will be allowed to connect to the ypserv daemon (NIS server). Syntax details can be found in the ypserv manpage. Here is what the config file should look like:
255.255.255.0 10.10.22.0
255.0.0.0 127.0.0.0
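The securenets file is the only access control ypserv itself applies, so it is worth being able to evaluate a rule set before deploying it. The following is an added example, not part of the HOWTO or of the ypserv package: it reimplements the securenets rule (a client is allowed when client AND netmask equals the listed network for at least one line) and also flags the all-zero netmask that would open the server to every host. The rule set embedded below is constructed to match the file shown above; the function names are my own.

```shell
#!/bin/sh
# Evaluate a /var/yp/securenets rule set the way ypserv applies it:
# a client address is allowed when (client AND netmask) == network for
# at least one "NETMASK NETWORK" line. Comments and blank lines are skipped.

# Constructed sample rule set; same content as the file in the text.
SECURENETS_SAMPLE='# lab LAN and loopback only
255.255.255.0 10.10.22.0
255.0.0.0 127.0.0.0'

# securenets_allows RULES CLIENT_IP -> prints "allow" or "deny"
securenets_allows() {
    printf '%s\n' "$1" | awk -v client="$2" '
    # dotted quad -> 32-bit integer
    function ip2int(s,    o) {
        split(s, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # bitwise AND without awk extensions (portable across gawk/mawk/busybox)
    function band(a, b,    r, bit) {
        r = 0; bit = 1
        while (a >= 1 && b >= 1) {
            if ((a % 2) == 1 && (b % 2) == 1) r += bit
            a = int(a / 2); b = int(b / 2); bit *= 2
        }
        return r
    }
    BEGIN { c = ip2int(client); verdict = "deny" }
    /^[ \t]*#/ || NF < 2 { next }
    band(c, ip2int($1)) == ip2int($2) { verdict = "allow" }
    END { print verdict }'
}

# securenets_wide_open RULES -> "yes" if any rule has an all-zero netmask
# (0.0.0.0 matches every client), otherwise "no"
securenets_wide_open() {
    printf '%s\n' "$1" | awk '
    BEGIN { open = "no" }
    /^[ \t]*#/ || NF < 2 { next }
    $1 == "0.0.0.0" { open = "yes" }
    END { print open }'
}
```

To check a live file, pass its contents: `securenets_allows "$(cat /var/yp/securenets)" 10.10.22.5`. The wide-open check matters because the stock securenets shipped with ypserv contains a `0.0.0.0 0.0.0.0` line that must be removed or narrowed, as done in the file above.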
Even though we already configured /etc/sysconfig/network to do this on boot, we still need to set the NIS domain name for the installation and testing since we are not in the habit of rebooting GNU/Linux servers every time we add another service! Here is how you do it:
[root@das-m yp]# domainname kerb.org
[root@das-m yp]# domainname
kerb.org
The portmapper service (an implementation of Sun RPC) is required by ypserv, ypxfrd, and ypbind. We want it to start automatically at boot time. We also need to go ahead and start it before we can start ypserv, ypxfrd, or ypbind.
[root@das-m root]# chkconfig portmap off
[root@das-m root]# chkconfig --level 345 portmap on
[root@das-m root]# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@das-m root]# /etc/init.d/portmap restart
Stopping portmapper: [FAILED]
Starting portmapper: [ OK ]
We now want to make sure that the portmapper service is listening on TCP and UDP port 111, and use the rpcinfo command to see what RPC services are currently registered:
[root@das-m root]# netstat -tuna | grep :111
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:111 0.0.0.0:*
[root@das-m root]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
In our DAS system, Kerberos provides authentication and password control, but NIS provides the information that UNIX-like systems need in order for users to run programs and have an environment to work in. The NIS master server, located on DAS-M, provides this information network-wide via NIS maps. We must create the initial map files before we can start the NIS master server (the actual name of the program is ypserv). We will create the maps with our test user "kitty", and a test group called "labuser". We will also add some sample hostnames for our hosts map.
We will populate the NIS user map (known as the "passwd" map) by creating a normal Linux user, and we will populate the NIS "group" map by adding a normal Linux group. Two important points must be mentioned now:
Unix-like operating systems use a numeric UID (user ID) and GID (group ID) for file permissions and process ownership. The user-friendly username and groupname must be looked up in accordance with the /etc/nsswitch.conf configuration file. The default is normally to look them up in the /etc/passwd file and the /etc/group file. In our Distributed Authentication System, the NIS users are looked up with a query to a NIS server. Therefore, the UIDs and GIDs used in our local files on various hosts cannot conflict with the UIDs and GIDs used by NIS. Here is the policy for our organization:
Information that Unix-like operating systems need for each user include:
We will be making maps for users, groups, and hosts. Maps can also be made for things like services, protocols, auto-mounter maps, and more. In our environment, we do not need these additional maps. They may, however, be added later without any difficulties.
First, let's create our test user and associated group, as well as an additional secondary group:
[root@das-m yp]# groupadd -g 50000 labuser
[root@das-m yp]# useradd -u 6000 -g labuser kitty
[root@das-m yp]# chfn kitty
Changing finger information for kitty.
Name []: Kit Cat
Office []: Lab 104
Office Phone []: 1234-1234 x1457
Home Phone []: (216)485-3383
Finger information changed.
[root@das-m yp]# grep labuser /etc/group
labuser:x:50000:
[root@das-m yp]# grep kitty /etc/passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash
Although the passwd (user) and group maps use the standard /etc/passwd and /etc/group files as the source of the map, we are going to use a different location for the source of our "hosts" map. We do not want the DAS-M authentication server's host list to be used on other hosts. Therefore, we create a text file /var/yp/hosts. This is the source of the NIS hosts map for the domain. Its syntax is the same as /etc/hosts. This will be reflected in the Makefile. Here is our sample /var/yp/hosts file:
# This is the source file for the "hosts" NIS map:
4.2.2.3 genuity
10.10.22.68 oscar
10.10.22.1 defgate
10.10.22.90 printer
Note: Although many HOWTOs and manuals advocate using separate map source files (not using /etc/passwd and /etc/group directly), I have chosen to use the standard sources. There are several reasons for this:
Now, we need to edit the /var/yp/Makefile configuration file. Here, I only show the changes from the default Makefile. The complete Makefile we are using can be viewed here.
#
# Makefile for the NIS databases
#
# This Makefile should only be run on the NIS master server of a domain.
# All updated maps will be pushed to all NIS slave servers listed in the
# /var/yp/ypservers file. Please make sure that the hostnames of all
# NIS servers in your domain are listed in /var/yp/ypservers.
#
# This Makefile can be modified to support more NIS maps if desired.
#
# Set the following variable to "-b" to have NIS servers use the domain
# name resolver for hosts not in the current domain. This is only needed,
# if you have SunOS slave YP server, which gets here maps from this
# server. The NYS YP server will ignore the YP_INTERDOMAIN key.
#B=-b
B=
# If we have only one server, we don't have to push the maps to the
# slave servers (NOPUSH=true). If you have slave servers, change this
# to "NOPUSH=false" and put all hostnames of your slave servers in the file
# /var/yp/ypservers.
NOPUSH=true
# We do not put password entries with lower UIDs (the root and system
# entries) in the NIS password database, for security. MINUID is the
# lowest uid that will be included in the password maps. If you
# create shadow maps, the UserID for a shadow entry is taken from
# the passwd file. If no entry is found, this shadow entry is
# ignored.
# MINGID is the lowest gid that will be included in the group maps.
MINUID=5000
MINGID=5000
# Don't export this uid/guid (nfsnobody).
# Set to 0 if you want to
NFSNOBODYUID=65534
NFSNOBODYGID=65534
# Should we merge the passwd file with the shadow file ?
# MERGE_PASSWD=true|false
MERGE_PASSWD=false
# Should we merge the group file with the gshadow file ?
# MERGE_GROUP=true|false
MERGE_GROUP=false
# These are commands which this Makefile needs to properly rebuild the
# NIS databases. Don't change these unless you have a good reason.
AWK = /usr/bin/gawk
MAKE = /usr/bin/gmake
UMASK = umask 066
#
# These are the source directories for the NIS files; normally
# that is /etc but you may want to move the source for the password
# and group files to (for example) /var/yp/ypfiles. The directory
# for passwd, group and shadow is defined by YPPWDDIR, the rest is
# taken from YPSRCDIR.
#
YPSRCDIR = /etc
YPPWDDIR = /etc
YPBINDIR = /usr/lib/yp
YPSBINDIR = /usr/sbin
YPDIR = /var/yp
YPMAPDIR = $(YPDIR)/$(DOMAIN)
# These are the files from which the NIS databases are built. You may edit
# these to taste in the event that you wish to keep your NIS source files
# separate from your NIS server's actual configuration files.
#
GROUP = $(YPPWDDIR)/group
PASSWD = $(YPPWDDIR)/passwd
#SHADOW = $(YPPWDDIR)/shadow
#GSHADOW = $(YPPWDDIR)/gshadow
#ADJUNCT = $(YPPWDDIR)/passwd.adjunct
#ALIASES = $(YPSRCDIR)/aliases # aliases could be in /etc or /etc/mail
#ALIASES = /etc/aliases
#ETHERS = $(YPSRCDIR)/ethers # ethernet addresses (for rarpd)
#BOOTPARAMS = $(YPSRCDIR)/bootparams # for booting Sun boxes (bootparamd)
HOSTS = /var/yp/hosts
#NETWORKS = $(YPSRCDIR)/networks
#PRINTCAP = $(YPSRCDIR)/printcap
#PROTOCOLS = $(YPSRCDIR)/protocols
#PUBLICKEYS = $(YPSRCDIR)/publickey
#RPC = $(YPSRCDIR)/rpc
#SERVICES = $(YPSRCDIR)/services
#NETGROUP = $(YPSRCDIR)/netgroup
#NETID = $(YPSRCDIR)/netid
#AMD_HOME = $(YPSRCDIR)/amd.home
#AUTO_MASTER = $(YPSRCDIR)/auto.master
#AUTO_HOME = $(YPSRCDIR)/auto.home
#AUTO_LOCAL = $(YPSRCDIR)/auto.local
#TIMEZONE = $(YPSRCDIR)/timezone
#LOCALE = $(YPSRCDIR)/locale
#NETMASKS = $(YPSRCDIR)/netmasks
YPSERVERS = $(YPDIR)/ypservers # List of all NIS servers for a domain
target: Makefile
	@test ! -d $(LOCALDOMAIN) && mkdir $(LOCALDOMAIN) ; \
	cd $(LOCALDOMAIN) ; \
	$(NOPUSH) || $(MAKE) -f ../Makefile ypservers; \
	$(MAKE) -f ../Makefile all
# If you don't want some of these maps built, feel free to comment
# them out from this list.
all: passwd group hosts
# rpc services netid protocols mail \
# netgrp shadow publickey networks ethers bootparams printcap \
# amd.home auto.master auto.home auto.local passwd.adjunct \
# timezone locale netmasks
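The MINUID/MINGID and NFSNOBODY settings above decide which local accounts end up in the network-wide passwd and group maps, and the UID policy stated earlier requires that local accounts on every host stay out of the NIS range. The following added example (my own code, not the HOWTO's and not the awk rule inside the ypserv Makefile) lets you preview what the Makefile's filter would publish before running make, and check a client's /etc/passwd against the NIS passwd map for reused UIDs. The sample passwd and group contents, the client passwd and the map contents are constructed; the function names are assumptions.

```shell
#!/bin/sh
# Preview which entries the Makefile's MINUID/MINGID and NFSNOBODY filters
# would publish into the NIS passwd and group maps, and check for UID reuse
# between a host's local /etc/passwd and the NIS passwd map.
MINUID=5000
MINGID=5000
NFSNOBODYUID=65534
NFSNOBODYGID=65534

# Constructed sample /etc/passwd and /etc/group, modelled on the entries in the text.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash'
GROUP_SAMPLE='root:x:0:
wheel:x:10:root
nfsnobody:x:65534:
labuser:x:50000:'

# exported_entries CONTENT MINID SKIPID -> lines whose numeric id (field 3)
# is >= MINID and != SKIPID. Works for passwd and group alike because both
# keep the id in the third colon-separated field; +/-/# lines are ignored
# as the NIS Makefile does.
exported_entries() {
    printf '%s\n' "$1" | awk -F: -v min="$2" -v skip="$3" \
        '!/^[-+#]/ && NF >= 3 && ($3 + 0) >= (min + 0) && ($3 + 0) != (skip + 0) { print }'
}

# Constructed /etc/passwd of a DAS client, and the NIS passwd map as ypcat shows it.
CLIENT_PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
localadm:x:6000:6000:Local admin:/home/localadm:/bin/bash'
NIS_PASSWD_SAMPLE='kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash'

# uid_collisions LOCAL NIS -> "ID: name1 name2" for every numeric id that is
# used by more than one entry across the two sources; empty when the UID
# policy holds (local ids and NIS ids never overlap)
uid_collisions() {
    printf '%s\n%s\n' "$1" "$2" | awk -F: '
    !/^[-+#]/ && NF >= 3 { count[$3]++; names[$3] = names[$3] " " $1 }
    END { for (id in count) if (count[id] > 1) print id ":" names[id] }' | sort
}
```

On the master, `exported_entries "$(cat /etc/passwd)" "$MINUID" "$NFSNOBODYUID"` shows exactly the lines that will appear in passwd.byname; on a client, the same call over its local /etc/passwd lists local accounts sitting in the NIS range, and `uid_collisions "$(cat /etc/passwd)" "$(ypcat passwd)"` reports any UID that a local and a NIS account share.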
Now, we must start the NIS server (ypserv) and make sure that it is registered with the portmapper and listening on the appropriate ports:
[root@das-m yp]# /etc/init.d/ypserv start
Starting YP server services: [ OK ]
Check the RPC info and netstat:
[root@das-m yp]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100004 2 udp 888 ypserv
100004 1 udp 888 ypserv
100004 2 tcp 888 ypserv
100004 1 tcp 888 ypserv
[root@das-m yp]# netstat -tuna | grep 888
tcp 0 0 0.0.0.0:888 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:888 0.0.0.0:*
Now, we need to actually create the NIS maps using the ypinit command:
[root@das-m yp]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. das-m.kerb.org is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: das-m.kerb.org
next host to add: das-s.kerb.org
next host to add:
The current list of NIS servers looks like this:
das-m.kerb.org
das-s.kerb.org
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/kerb.org/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/kerb.org'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
gmake[1]: Leaving directory `/var/yp/kerb.org'
das-m.kerb.org has been set up as a NIS master server.
Now you can run ypinit -s das-m.kerb.org on all slave servers.
If you now look at /var/yp/ypservers, you will see that it has been populated with your master and slave servers. If you look in the directory /var/yp/kerb.org, you will see the actual maps. You have now created your NIS maps and the NIS server is up and running.
We need to start the ypbind daemon and test our NIS server:
[root@das-m yp]# /etc/init.d/ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@das-m yp]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100004 2 udp 888 ypserv
100004 1 udp 888 ypserv
100004 2 tcp 888 ypserv
100004 1 tcp 888 ypserv
100007 2 udp 774 ypbind
100007 1 udp 774 ypbind
100007 2 tcp 777 ypbind
100007 1 tcp 777 ypbind
[root@das-m yp]# ypwhich
das-m.kerb.org
[root@das-m yp]# ypwhich -m
hosts.byaddr das-m.kerb.org
hosts.byname das-m.kerb.org
group.bygid das-m.kerb.org
group.byname das-m.kerb.org
passwd.byname das-m.kerb.org
ypservers das-m.kerb.org
passwd.byuid das-m.kerb.org
[root@das-m yp]# ypcat passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash
[root@das-m yp]# ypcat hosts
4.2.2.3 genuity
10.10.22.1 defgate
10.10.22.68 oscar
10.10.22.90 printer
[root@das-m yp]# ypcat group
labuser:x:50000:
Now that ypserv and ypbind are running, let's set them up to start automatically at boot time:
[root@das-m yp]# chkconfig ypbind off
[root@das-m yp]# chkconfig --level 345 ypbind on
[root@das-m yp]# chkconfig --list ypbind
ypbind 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@das-m yp]# chkconfig ypserv off
[root@das-m yp]# chkconfig --level 345 ypserv on
[root@das-m yp]# chkconfig --list ypserv
ypserv 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Congratulations! You now have a working NIS server. In the next sections, we will set up the NIS slave server and test replication.
We will now set up a NIS slave server. This gives us redundancy in case the master server is unavailable. We will have to set up the ypxfrd daemon on DAS-M as well as set up a NIS slave server on DAS-S. Keep in mind that both NIS servers need to be running the portmapper and ypbind in order to replicate the NIS maps.
On the master, we need to edit the Makefile and start the ypxfrd service. We will then make sure that ypxfrd starts automatically during boot. Make sure that the NOPUSH variable in /var/yp/Makefile is set as follows:
# If we have only one server, we don't have to push the maps to the
# slave servers (NOPUSH=true). If you have slave servers, change this
# to "NOPUSH=false" and put all hostnames of your slave servers in the file
# /var/yp/ypservers.
NOPUSH=false
Now, let's start ypxfrd and make sure it is running:
[root@das-m root]# /etc/init.d/ypxfrd start
Starting YP map server: [ OK ]
[root@das-m root]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 774 ypbind
100007 1 udp 774 ypbind
100007 2 tcp 777 ypbind
100007 1 tcp 777 ypbind
100004 2 udp 888 ypserv
100004 1 udp 888 ypserv
100004 2 tcp 888 ypserv
100004 1 tcp 888 ypserv
600100069 1 udp 889 fypxfrd
600100069 1 tcp 889 fypxfrd
[root@das-m root]# netstat -tuna | grep 889
tcp 0 0 0.0.0.0:889 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:889 0.0.0.0:*
Let's configure the server to start ypxfrd automatically during boot:
[root@das-m root]# chkconfig ypxfrd off
[root@das-m root]# chkconfig --level 345 ypxfrd on
[root@das-m root]# chkconfig --list ypxfrd
ypxfrd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Now, login to DAS-S. We will configure the NIS slave.
On DAS-S, you will need to perform the same installation/upgrade tasks as you did in Step 1 for the NIS master.
This is the same basic procedure as Step 2 for the NIS master. Below, you will see the relevant portions of each configuration file:
/etc/sysconfig/network should have the following additions:
NISDOMAIN=kerb.org
YPSERV_ARGS="-p 888"
YPXFRD_ARGS="-p 889"
/etc/hosts.allow should contain the following lines:
# Secure the Port Mapper on DAS-S. Restrict to LAN only.
portmap : 127. 10.10.22. : ALLOW
portmap : ALL : DENY
The /etc/yp.conf file should look like this:
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
#domain NISDOMAIN server HOSTNAME
#	Use server HOSTNAME for the domain NISDOMAIN.
#
#domain NISDOMAIN broadcast
#	Use broadcast on the local net for domain NISDOMAIN
#
#ypserver HOSTNAME
#	Use server HOSTNAME for the local domain. The
#	IP-address of server must be listed in /etc/hosts.
#
ypserver 10.10.22.42
The /var/yp/securenets file should look like this:
255.255.255.0 10.10.22.0
255.0.0.0 127.0.0.0
This is accomplished exactly the same as Step 3 for the NIS master.
Please see Step 4 for the NIS master. The steps are the same.
As on the NIS master, we need ypbind and we want it to start automatically during boot. Here are the details:
[root@das-s root]# /etc/init.d/ypbind start
Binding to the NIS domain: [ OK ]
Listening for an NIS domain server.
[root@das-s root]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 715 ypbind
100007 1 udp 715 ypbind
100007 2 tcp 718 ypbind
100007 1 tcp 718 ypbind
[root@das-s root]# chkconfig ypbind off
[root@das-s root]# chkconfig --level 345 ypbind on
[root@das-s root]# chkconfig --list ypbind
ypbind 0:off 1:off 2:off 3:on 4:on 5:on 6:off
The NIS slave needs to be able to make NIS queries (as a client) to the NIS master. Now that ypbind is running, we can test NIS client functionality. This will be required for the NIS map transfers.
[root@das-s root]# ypwhich
das-m.kerb.org
[root@das-s root]# ypwhich -m
hosts.byaddr das-m.kerb.org
hosts.byname das-m.kerb.org
group.bygid das-m.kerb.org
group.byname das-m.kerb.org
passwd.byname das-m.kerb.org
ypservers das-m.kerb.org
passwd.byuid das-m.kerb.org
[root@das-s root]# ypcat passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash
[root@das-s root]# ypcat hosts
4.2.2.3 genuity
10.10.22.1 defgate
10.10.22.68 oscar
10.10.22.90 printer
When we run the ypinit -s command, DAS-S will copy the NIS maps from DAS-M over the network and make other preparations for becoming a NIS slave. Here is how we do it:
[root@das-s yp]# /usr/lib/yp/ypinit -s das-m.kerb.org
We will need a few minutes to copy the data from das-m.kerb.org.
Transferring hosts.byaddr...
Trying ypxfrd ... success
Transferring hosts.byname...
Trying ypxfrd ... success
Transferring group.bygid...
Trying ypxfrd ... success
Transferring group.byname...
Trying ypxfrd ... success
Transferring passwd.byname...
Trying ypxfrd ... success
Transferring ypservers...
Trying ypxfrd ... success
Transferring passwd.byuid...
Trying ypxfrd ... success
das-s.kerb.org's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.
Now, if you check in /var/yp/kerb.org, you should see the NIS maps:
[root@das-s yp]# cd kerb.org
[root@das-s kerb.org]# ls
group.bygid group.byname hosts.byaddr hosts.byname passwd.byname passwd.byuid ypservers
Finally, we are ready to start the NIS slave server. We will also configure it to start during boot, and verify that it is working properly.
[root@das-s root]# /etc/init.d/ypserv start
Starting YP server services: [ OK ]
[root@das-s root]# rpcinfo -p
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 715 ypbind
100007 1 udp 715 ypbind
100007 2 tcp 718 ypbind
100007 1 tcp 718 ypbind
100004 2 udp 888 ypserv
100004 1 udp 888 ypserv
100004 2 tcp 888 ypserv
100004 1 tcp 888 ypserv
[root@das-s root]# netstat -tuna | grep 888
tcp 0 0 0.0.0.0:888 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:888 0.0.0.0:*
[root@das-s root]# chkconfig ypserv off
[root@das-s root]# chkconfig --level 345 ypserv on
[root@das-s root]# chkconfig --list ypserv
ypserv 0:off 1:off 2:off 3:on 4:on 5:on 6:off
We can use ypcat against the local NIS maps instead of those on DAS-M for testing purposes:
[root@das-s root]# ypcat -h mysql passwd
kitty:x:6000:50000:Kit Cat,Lab 104,1234-1234 x1457,(216)485-3383:/home/kitty:/bin/bash
[root@das-s root]# ypcat -h mysql group
labuser:x:50000:
Now, we will use the yppoll and ypxfr commands to make sure that we can initiate a map transfer:
[root@das-s yp]# /usr/lib/yp/ypxfr passwd.byname
Map on Master "das-m.kerb.org" is not newer
ypxfr: Master's version not newer
[root@das-s yp]# yppoll passwd.byname
Domain kerb.org is supported.
Map passwd.byname has order number 1066710281. [Tue Oct 21 12:24:41 2003]
The master server is das-m.kerb.org.
[root@das-s yp]# /usr/lib/yp/ypxfr -f passwd.byname
Trying ypxfrd ... success
As you can see, the map transfer does not occur unless the master's copy of the map has a higher order number than the slave's. To override this behaviour and transfer the map anyway, use the ypxfr command with the -f flag.
Back on DAS-M, we want to test yppush. Yppush is the program that notifies (via RPC) the NIS slaves to copy the new maps over from the Master via ypxfr. Rather than running the yppush command directly, you will run the make -C /var/yp command to invoke yppush and update the maps. First, we must make a change to the map sources. Let's add a host to /var/yp/hosts with your favorite editor so that the list looks like this:
4.2.2.3 genuity
10.10.22.68 oscar
10.10.22.1 defgate
10.10.22.90 printer
4.2.2.2 genuity-alt
Now, we will run the make -C /var/yp command:
[root@das-m root]# make -C /var/yp
make: Entering directory `/var/yp'
gmake[1]: Entering directory `/var/yp/kerb.org'
gmake[1]: `ypservers' is up to date.
gmake[1]: Leaving directory `/var/yp/kerb.org'
gmake[1]: Entering directory `/var/yp/kerb.org'
Updating hosts.byname...
Updating hosts.byaddr...
gmake[1]: Leaving directory `/var/yp/kerb.org'
make: Leaving directory `/var/yp'
Back on DAS-S, we can check that the change was propagated with the ypcat command and by looking at the file creation dates on the maps:
[root@das-s yp]# ypcat -h mysql hosts
4.2.2.3 genuity
10.10.22.1 defgate
10.10.22.68 oscar
10.10.22.90 printer
4.2.2.2 genuity-alt
[root@das-s yp]# cd /var/yp/kerb.org
[root@das-s kerb.org]# ls -l
total 112
-rw------- 1 root root 12536 Oct 21 15:56 group.bygid
-rw------- 1 root root 12559 Oct 21 15:56 group.byname
-rw------- 1 root root 12569 Oct 21 16:14 hosts.byaddr
-rw------- 1 root root 12554 Oct 21 16:14 hosts.byname
-rw------- 1 root root 12938 Oct 21 15:56 passwd.byname
-rw------- 1 root root 12916 Oct 21 15:56 passwd.byuid
-rw------- 1 root root 12512 Oct 21 15:56 ypservers
As you can see, you have two working NIS servers and you have successfully tested replication.
On the slave, it is a good idea to force a map transfer periodically. This keeps the slave synchronized with the master, even if an update occurred on the master while the slave was down or disconnected. There is a sample script in /usr/lib/yp which I modified and named ypxfr_hourly. This checks the map version numbers hourly and then transfers any updated maps automatically. Here is the /usr/lib/yp/ypxfr_hourly script:
#! /bin/sh
#
# ypxfr_hourly - Do hourly NIS map check/updates, to see, if we
# have missed one update.
YPBINDIR=/usr/lib/yp
for map in group.byname group.bygid passwd.byname passwd.byuid hosts.byname hosts.byaddr ypservers
do
$YPBINDIR/ypxfr $map
done
Note that the only maps it checks are passwd, group, hosts, and ypservers. If you use more maps, you will need to include them here. Now that we have created the script, we need to configure cron to run it hourly. We will accomplish this by making a soft link in the /etc/cron.hourly directory and making sure the permissions are correct:
[root@das-s yp]# chmod 0750 /usr/lib/yp/ypxfr_hourly
[root@das-s yp]# cd /etc/cron.hourly
[root@das-s cron.hourly]# ln -s /usr/lib/yp/ypxfr_hourly
[root@das-s cron.hourly]# ls -l
total 0
lrwxrwxrwx 1 root root 24 Oct 23 10:53 ypxfr_hourly -> /usr/lib/yp/ypxfr_hourly
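The hourly script above hard-codes its map list, so a map added to the master later is silently never refreshed on the slave unless someone edits the script. The following is an added variant of my own, not the HOWTO's script and not shipped with ypserv: it takes the map list from the slave's own map directory (/var/yp/DOMAIN, where ypinit -s put the copies) and records each ypxfr exit status for the cron mail instead of discarding it. The directory layout and the ypxfr path are as in the text; the function names, and the convention that the transfer only runs when the file is installed under the name ypxfr_hourly, are my assumptions.

```shell
#!/bin/sh
# ypxfr_hourly variant: refresh every map found in the slave's map directory
# rather than a hard-coded list, so maps added later are not silently skipped.
YPBINDIR=/usr/lib/yp
YPDIR=/var/yp

# list_maps DOMAINDIR -> one map name per line, sorted (regular files only;
# every file ypinit -s / ypxfr writes there is a map, including ypservers)
list_maps() {
    for f in "$1"/*; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done | sort
}

# refresh_maps DOMAINDIR XFR_CMD -> runs "XFR_CMD map" for each map and prints
# "map:exit-status" per map. The status is reported rather than interpreted,
# because "Master's version not newer" is the normal outcome for an unchanged
# map and must not be treated as an error.
refresh_maps() {
    dir="$1"; xfr="$2"
    for map in $(list_maps "$dir"); do
        if "$xfr" "$map" >/dev/null 2>&1; then
            status=0
        else
            status=$?
        fi
        printf '%s:%s\n' "$map" "$status"
    done
}

# Entry point for cron: only runs when installed under the name ypxfr_hourly,
# so sourcing this file (for example to test the functions) transfers nothing.
case "$0" in
    */ypxfr_hourly) refresh_maps "$YPDIR/$(domainname)" "$YPBINDIR/ypxfr" ;;
esac
```

Installed as /usr/lib/yp/ypxfr_hourly and linked from /etc/cron.hourly exactly as shown above, it produces one status line per map each hour; a non-zero status for a map that did change on the master is the signal to investigate the transfer (ypxfrd reachable, securenets, xfr_check_port).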
Your NIS slave server is now configured and operational!
As an added safety precaution, we will automatically back up our NIS map source files (/etc/passwd, /etc/group, and /var/yp/hosts) to a different partition on the same disk. This will be configured on DAS-M, the NIS master server. If you are using RAID 1 or RAID 5, this may not be necessary. We use the nisback.sh script in conjunction with cron to copy the files, TAR them, compress the tarball, and save it. Here are the details:
Create the backup directory in the /home filesystem, which is in a different partition from /var and /etc :
[root@das-m sbin]# mkdir /home/Backups
[root@das-m sbin]# chmod 0700 /home/Backups
Now, create the shell script nisback.sh in your favourite editor. It should look something like this when you are done:
#!/bin/bash
# NIS map source backup tool, runs from cron
# backups are stored in GZIP format in the /home/Backups directory

# Generate date stamp for filename and define filename
DATESTAMP=`date +%j-%y`
BKUPFILE=$DATESTAMP.das-m.nis
BKUPDIR=/home/Backups

# Get rid of any existing backup file by the same name
/bin/rm -f $BKUPDIR/$BKUPFILE.tar.gz

# Copy NIS map sources to the backup directory
cp /etc/passwd $BKUPDIR/passwd.nis
cp /etc/group $BKUPDIR/group.nis
cp /var/yp/hosts $BKUPDIR/hosts.nis

# TAR the NIS map sources together (stop if the backup directory is missing,
# so the rm below never runs in the wrong directory)
cd $BKUPDIR || exit 1
/bin/tar -cf $BKUPFILE.tar *.nis

# Remove the temp files
/bin/rm -f passwd.nis group.nis hosts.nis

# Compress the backup file with GZIP
/bin/gzip $BKUPDIR/$BKUPFILE.tar

# Change the permissions on the backup file so that it is read-only by root
/bin/chmod 0400 $BKUPDIR/$BKUPFILE.tar.gz
exit 0
Save the file as /usr/local/sbin/nisback.sh and change its permissions accordingly:
[root@das-m sbin]# chmod 0700 /usr/local/sbin/nisback.sh
Now, we need to configure cron to do this periodically. We have configured it to run hourly, but you can also set it up to run twice a day or daily. It's up to you. Our hourly jobs run at 1 minute past the hour. A soft link was created in the /etc/cron.hourly directory to the new shell script:
[root@das-m sbin]# cd /etc/cron.hourly
[root@das-m cron.hourly]# ln -s /usr/local/sbin/nisback.sh
[root@das-m cron.hourly]# ls -al
total 12
drwxr-xr-x 2 root root 4096 Oct 23 09:51 .
drwxr-xr-x 59 root root 8192 Oct 21 15:56 ..
lrwxrwxrwx 1 root root 26 Oct 21 08:30 kdcback.sh -> /usr/local/sbin/kdcback.sh
lrwxrwxrwx 1 root root 26 Oct 23 09:51 nisback.sh -> /usr/local/sbin/nisback.sh
Now, you should have an hourly backup with a history of daily snapshots. You can always restore from the last day on which the system was operating properly. When you have your DAS/NIS user database completed, it would also be a good idea to burn the KDC and NIS backup files to a CD and store it in a safe place. You do not need to worry about the /etc/shadow file being compromised from a backup, because we did not make /etc/shadow a part of the backup scripts. The passwords for DAS/NIS users are encrypted by the Kerberos system and cannot be restored without the password.
The following NIS-related TCP and UDP ports are now listening on each server:
On DAS-M
portmapper TCP/UDP 111
NIS ypserv TCP/UDP 888
NIS ypxfrd TCP/UDP 889
On DAS-S
portmapper TCP/UDP 111
NIS ypserv TCP/UDP 888
In addition, the servers also listen on a randomly assigned port for the ypbind daemon. This port is not available outside of the servers' iptables firewall.
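Because the whole point of pinning ypserv to 888 and ypxfrd to 889 is that the firewall rules can depend on them, it is worth checking after every boot that the services really registered on those ports and that nothing expected is missing. The following is an added example, my own code rather than anything from the HOWTO or the yp packages: it parses rpcinfo -p output against a list of expected service/port pairs. The sample rpcinfo output is constructed from the DAS-M listing in the text (fypxfrd is the RPC name under which rpc.ypxfrd registers, as that listing shows); the function names are assumptions.

```shell
#!/bin/sh
# Verify that NIS RPC services are registered on their pinned ports, using
# the output of "rpcinfo -p". Run as: misplaced_rpc_ports "$(rpcinfo -p)" "$EXPECTED_PORTS"

# Constructed sample, matching the DAS-M listing in the text.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    774  ypbind
    100007    1   udp    774  ypbind
    100007    2   tcp    777  ypbind
    100007    1   tcp    777  ypbind
    100004    2   udp    888  ypserv
    100004    1   udp    888  ypserv
    100004    2   tcp    888  ypserv
    100004    1   tcp    888  ypserv
 600100069    1   udp    889  fypxfrd
 600100069    1   tcp    889  fypxfrd'

# Expected "service port" pairs for the master (drop fypxfrd for a slave).
EXPECTED_PORTS='portmapper 111
ypserv 888
fypxfrd 889'

# misplaced_rpc_ports RPCINFO EXPECTED -> "service proto port" for every
# registration of an expected service on a port other than its pinned one;
# prints nothing when the layout matches the firewall assumptions
misplaced_rpc_ports() {
    printf '%s\n' "$1" | awk -v expected="$2" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    $1 == "program" { next }
    NF >= 5 && ($5 in want) && $4 != want[$5] { print $5, $3, $4 }'
}

# missing_rpc_services RPCINFO EXPECTED -> names of expected services that have
# no registration at all (e.g. ypxfrd not started on the master)
missing_rpc_services() {
    printf '%s\n' "$1" | awk -v expected="$2" '
    BEGIN {
        n = split(expected, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], kv, " "); want[kv[1]] = kv[2] }
    }
    NF >= 5 { seen[$5] = 1 }
    END { for (s in want) if (!(s in seen)) print s }' | sort
}

# ypbind_ports RPCINFO -> the dynamic ports ypbind took this boot, which are
# the ones that must stay blocked by the host firewall
ypbind_ports() {
    printf '%s\n' "$1" | awk '$5 == "ypbind" { print $4 }' | sort -un
}
```

A non-empty result from misplaced_rpc_ports usually means YPSERV_ARGS or YPXFRD_ARGS in /etc/sysconfig/network were not picked up by the init script, in which case the service is reachable on a port the firewall rules do not cover.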
The following configuration files were modified:
The following scripts were created:
One of the advantages of NIS is the large number of tools available to help you test NIS functions on both the client and server. Here is a list of the commands that you can use to manage or troubleshoot NIS:
There is a manpage for each of these commands.
When you set up your first DAS client system, you will configure it as a NIS client. It will then use information from the NIS servers for various functions. This will be detailed in the client setup section.
NIS HOWTO for Linux
LinuxNIS.Org Website
Solaris 9 Naming and Directory Services Admin Guide (PDF format)