*Provides central management of users, groups, email aliases, hostnames, MAC address mappings, RPC/port service lookups etc.
Exploring NIS Maps
# ypwhich           <--- Verify domain binding (prints the server this client is bound to).
# ypwhich -m        <--- Shows the maps available on the domain.
# ypcat <map>       <--- Dumps the contents of a map.
# ypcat -k netgroup <--- Shows the key in addition to the data.
# ypcat -x          <--- Shows the aliases available for maps.
Automount Master Map
*Config file is /etc/auto.master or /etc/auto_master, used to start automount processes to monitor mount points.
Example:
# cat /etc/auto.master
/misc /etc/auto.misc
The indirect directory to watch is /misc. The details about what resources to mount under /misc are contained in /etc/auto.misc.
# /etc/init.d/autofs start
# ps -ef | grep automount
root 2050 1 0 21:22 pts/1 00:00:00 /usr/sbin/automount /misc file /etc/auto.misc
Automount
The automount process is started with a directory to watch and a map of resources to manage under the mount point (by default, mounts expire after 5 minutes of inactivity).
Indirect maps:
*Names of directories under the master mount point being watched.
*Mounting options.
*Resource to mount.
*Example: Indirect auto.misc
# cat /etc/auto.misc
cd -fstype=iso9660,ro :/dev/cdrom
emacs -r bogus.host.com:/emacs
Direct maps (not in Linux):
*Fully qualified mount points.
*Mounting options.
*Resource to mount.
NIS and automount
*automount can facilitate a common network directory through NFS.
*The NIS network directories will correspond to an indirect map and mount point.
*The master map and its associated indirect maps can be pushed through NIS.
NIS auto.master
$ ypcat -k auto.master
/home auto.home
$ ypcat -k auto.home
* cg1:/home/& <-- * matches any directory reference under /home (the indirect directory).
              <-- & is replaced by the key (the directory name looked up) in the target mount.
Setting Up an NIS Client
# domainname ten.nis
# vi /etc/yp.conf
ypserver 192.168.1.98
# vi /etc/nsswitch.conf
passwd: compat
group: compat
Others to look at: automount, hosts, ethers, networks, aliases. Use "compat" if you want to simulate traditional Unix behavior, which requires adding "+/-" lines to /etc/passwd and /etc/group. Use "files nis" to avoid the "+/-" lines, but you then lose the ability to restrict which NIS users may authenticate.
# ps -ef | grep portmap
Verify portmap is running.
# ypbind
# ypwhich
192.168.1.98
# ypcat passwd
ccox:ZBaMuOdCZStAE:500:10:Chris Cox:/home/ccox:/bin/ksh
# /etc/init.d/autofs start <--- Start if not running.
Common NIS Maps
You can see the maps being advertised/pushed from the Master with ypwhich -m.
$ ypwhich -m
netid.byname server1
passwd.byuid server1
services.byname server1
services.byservicename server1
auto.home server1
netgroup server1
passwd.byname server1
group.byname server1
netgroup.byuser server1
netgroup.byhost server1
group.bygid server1
ypservers server1
rpc.byname server1
auto.master server1
Note: There is no single passwd map; rather there are two passwd maps, one keyed by name and one keyed by uid. The passwd map name is an alias for passwd.byname.
Setting up NIS Master
# domainname ten.nis
# /usr/lib/yp/ypinit -m
# ypserv <---- Optionally, this host can also join the domain as a client; for that, run ypbind as well.
# rpc.yppasswdd -D /etc
# /usr/lib/yp/ypxfrd <---- Needed if you support NIS slaves.
Note: The -D option to yppasswdd specifies the directory containing the original source passwd file for the passwd.* maps.
Updating Maps
# useradd -m newuser
# passwd newuser
# ypcat passwd | grep newuser
# cd /var/yp
# make
updated passwd
pushed passwd
# ypcat passwd | grep newuser
newuser:axPwTTAWjfk/Y:4448:4444:/home/newuser:/bin/ksh
General NIS Problems
· Any client can run ypcat to view maps, including the encrypted password strings in the passwd map.
· RPC is insecure.
· No /etc/shadow map support, so no password aging.
· Clients can hang on boot if the NIS server is not available.
NIS Confusion
· Originally, NIS was designed to handle host resolution; however, with DNS, pushing an NIS host map is redundant and can create consistency problems. Solution: do not push a host map; let host resolution use DNS instead.
* May have to run ypserv with the -b option.
* Using an NIS domain name identical to the Internet domain name causes confusion and is generally not recommended today.
NIS+
· Sun’s upgrade to NIS
o Secure rpc support.
o Password aging.
o Better replication support for servers.
o Very granular security features.
NIS Security - sort of
# /var/yp/securenets
#
# Allow connections from the local host -- necessary.
# (Same as: 255.255.255.255 127.0.0.1)
host 127.0.0.1
# Allow anyone in the 192.168.1.0 net.
255.255.255.0 192.168.1.0
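Because ypcat hands the passwd map, hashes included, to any client ypserv will answer, the securenets file is the one control that limits who can pull it. The following added checker (not part of the original post) parses a securenets file in the two forms ypserv accepts, "host <addr>" and "<netmask> <network>", reports whether a given client address would be served, and flags rules wider than a /16; the file contents below are a constructed sample mirroring the page's example.

```python
import ipaddress

# Constructed sample of /var/yp/securenets, mirroring the page's example.
SECURENETS = """\
# /var/yp/securenets
# allow connections from local host -- necessary
host 127.0.0.1
# Allow anyone in the 192.168.1.0 net.
255.255.255.0 192.168.1.0
"""


def parse_securenets(text):
    """Return one ipaddress.IPv4Network per rule.

    Accepted line forms: 'host <addr>' (a single address) and
    '<netmask> <network>'. Comments (#) and blank lines are ignored.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected two fields, got {raw!r}")
        if parts[0] == "host":
            nets.append(ipaddress.ip_network(f"{parts[1]}/32"))
        else:
            mask, network = parts
            # strict=False tolerates host bits set in the network field.
            nets.append(ipaddress.ip_network(f"{network}/{mask}", strict=False))
    return nets


def client_allowed(nets, addr):
    """True if ypserv would answer a request from addr under these rules.
    Note this is a source-address filter only; it is not authentication."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def overly_broad(nets, max_prefixlen=16):
    """Rules admitting more than a /16. A '0.0.0.0 0.0.0.0' line serves
    every reachable host, which effectively publishes the passwd map."""
    return [net for net in nets if net.prefixlen < max_prefixlen]


if __name__ == "__main__":
    rules = parse_securenets(SECURENETS)
    for probe in ("127.0.0.1", "192.168.1.55", "10.0.0.5"):
        print(probe, "allowed" if client_allowed(rules, probe) else "denied")
    print("overly broad rules:", overly_broad(rules))
```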