Difference between revisions of "OPS335 NIS Lab"
m (Added instruction to modify /etc/nsswitch) |
(→NIS (Network Information Services)) |
||
Line 70: | Line 70: | ||
*Start the ypbind server with the command. | *Start the ypbind server with the command. | ||
systemctl start ypbind.service | systemctl start ypbind.service | ||
+ | {{Admon/important|SELinux and ypbind|You may encounter that SELinux denies the ypbind service. To get this working set SELinux to allow the ypbind service by running this command:}} | ||
+ | grep ypbind /var/log/audit/audit.log | audit2allow -M mypol | ||
+ | *Then to make the changes active run: | ||
+ | semodule -i mypol.pp }} | ||
+ | |||
*Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted. | *Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted. | ||
*Now when you run the following command: | *Now when you run the following command: |
Revision as of 22:44, 22 November 2012
Contents
NIS (Network Information Services)
- NIS server is used to synchronize system files between machines in an NIS domain.
- The Network Information Service (NIS) is a system that provides
network information (login names, passwords, home directories, group information) to all of the machines on a network. NIS can allow users to log in on any machine on the network, as long as the machine has the NIS client programs running and the user's password is recorded in the NIS passwd database. NIS was formerly known as Sun Yellow Pages (YP).
- In this lab you will set up your Fedora PC as both an NFS and NIS server. You will then use your VM's to serve as your NFS and NIS clients.
PART A: Setting up your NIS Server
- Install the NIS server and client onto your f16 host PC
yum install ypserv ypbind
- Add the following line to the bottom of the file /etc/sysconfig/network
NISDOMAIN="<learn-id>.org" YPSERV_ARGS="-p 783"
- Edit the file /etc/yp.conf and set up your domain:
domain <learn-id>.org server 127.0.0.1
- Edit the file /etc/nsswitch.conf and add "nis" to three lines:
passwd: files nis shadow: files nis group: files nis
- Create the file /var/yp/securenets:
host 127.0.0.1 255.255.255.0 192.168.x.0
- Enable and start the NIS (ypserv) service.
systemctl start ypserv.service systemctl enable ypserv.service
- Enable and start the NIS map transfer (ypxfrd) service.
systemctl start ypxfrd.service systemctl enable ypxfrd.service
- Backup the configuration file for NIS databases
cp /var/yp/Makefile /var/yp/Makefile.org
- Modify the following two lines in /var/yp/Makefile from
MINUID=500 MINGID=500
to
MINUID=1000 MINGID=1000
- Verify that your servers (NFS, ypserv) are running correctly with the following command:
rpcinfo -p
- Now change to directory /var/yp and run this command
make
- Enable and start the NIS binding (ypbind) service.
systemctl start ypbind.service
- You may need to enable another boolean relating to NIS.
getsebool -a | grep yp
- Use the following command to verify your NIS server is working - you should see your learnid password record.
ypcat passwd
- Add a new user named nis-user, with password "ops335".
- Run 'ypcat passwd' again.
- In order for the new user to show up you will need to recreate the map files- change directory to /var/yp and run the "make" command again.
- Now modify your firewall so that the VM's (client vm03 initially) will be able to access your NIS server. You will need to adjust your firewall - use netstat to determine what ports will be needed.
PART B: Adding VM03 to your NIS domain
- Ensure you are still mounting your home directory from the host machine using autofs. If not revisit last weeks lab.
- Install ypbind on your vm03.
- SSH to vm03 using two terminals, following your logs with one using
tail -f /var/log/messages
- Use the other to edit /etc/yp.conf adding the following line:
domain <learnid>.org server 192.168.x.1
- Add the following line to the bottom of the file /etc/sysconfig/network
NISDOMAIN="<learn-id>.org"
- Start the ypbind server with the command.
systemctl start ypbind.service
grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
- Then to make the changes active run:
semodule -i mypol.pp }}
- Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted.
- Now when you run the following command:
ypcat passwd
- You should be able to see the 'nis-user' entry added to the host machine.
- Modify /etc/nsswitch so that this vm will check with NIS before looking at its own files for passwd, shadow, and group.
Part C: Adding the other VM's
- Many of you had an issue last week when using NFS as you had differing GID & UID's between systems - when attempting to mount the home directory from the host you received various permission issues. We will intentionally create this issue on vm02 and then correct it with NIS.
- SSH to the root account on vm02 and run the following command
cat /etc/passwd | grep home
- Look at the existing users and compare them with the same users on the host machine. Find one whose credentials differ (if none do, create two).
- For example on vm02:
[root@vm02 ~]# cat /etc/passwd | grep home nis-user:x:1000:1000::/home/nis-user:/bin/bash paul:x:1001:1001::/home/paul:/bin/bash
- And on the host:
[root@f16 yp]# cat /etc/passwd | grep home paul:x:1000:1000:paul:/home/paul:/bin/bash nis-user:x:1001:1001::/home/nis-user:/bin/bash
- While the two hosts share the same users, their UID and GID are different. This will cause a problem when mounting the home directory using NFS.
- Add an entry to your fstab so that you are mounting the home directories from the host machine, then mount and switch to your learnid (or other account where UID/GID differs between systems)
su <learnid> cd ~
- You should recieve a permission denied error as the UID on the local system differs from the UID of the file owner on the remote server. Change back to your root account.
- Install ypbind, configure it to use your domain and NIS server and start the service.
- Edit the /etc/nsswitch file change the following lines as they appear below:
passwd: nis files shadow: nis files group: nis files initgroups: files
- Save and exit the file. Again try to change to your learnid account (or other account where UID/GID differs between systems).
- You should now be successful, cd to your home directory and do a listing. Below is some example output:
[paul@vm02 ~]$ ll total 384 -rw-rw-r--. 1 nis-user nis-user 0 Mar 11 19:13 another_empty_file_from_vm03 drwxr-xr-x. 2 nis-user nis-user 4096 Mar 14 09:09 Desktop drwxr-xr-x. 2 nis-user nis-user 4096 Feb 17 05:24 Documents drwxr-xr-x. 2 nis-user nis-user 4096 Feb 17 05:45 Downloads drwxr-xr-x. 2 nis-user nis-user 4096 Jan 4 10:12 Music drwxr-xr-x. 2 nis-user nis-user 4096 Jan 4 10:12 Pictures drwxr-xr-x. 2 nis-user nis-user 4096 Jan 4 10:12 Public drwxr-xr-x. 2 nis-user nis-user 4096 Jan 4 10:12 Templates drwxr-xr-x. 2 nis-user nis-user 4096 Jan 4 10:12 Videos
- Create an empty file and do a listing again
[paul@vm02 ~]$ touch empty_from_vm02 [paul@vm02 ~]$ ll -rw-rw-r--. 1 nis-user nis-user 0 Mar 18 14:58 empty_from_vm02
- And finally
pwd
- Notice you are in your home directory, however files show they are owned by a different user, even when you create a new one.
- Ensure ypbind will start at boot and restart the vm.
- Again SSH to the machine, this time using your learnid account. You should now be able to see the files in your home directory with the correct mapping.
- Edit the fstab and remove the entry for NFS.
Part D: Adding autofs maps:
- Copy the autofs files from vm03 to your host machine
scp /etc/auto.{home,master} root@f16:/etc/
- Edit /etc/auto.master on the host and remove the 'etc' prefix from auto.home's path:
/home auto.home --timeout=60
- Regenerate your NIS maps and run:
ypcat auto.home
- You should receive the following:
No such map auto.home. Reason: No such map in server's domain
- You will need to look into the Makefile to determine how to add auto.home and auto.master to the list of files shared by NIS.
- After making changes to your Makefile, regenerate your maps again and run the same command as above. You should now see the file and its contents when you run ypcat auto.home.
[root@f16 yp]# ypcat auto.home -fstype=nfs,rw,nosuid,soft 192.168.70.1:/home/&
- SSH to vm02 and edit the /etc/nsswitch.conf file and make changes so autofs consults NIS. Reboot the machine.
- When the VM comes back up, SSH and ensure auto mounting of home occurred.
- When you have successfully made this change on vm02, repeat the steps needed for vm01.
Completing the Lab
Answer the following questions in your log book.
- What is the function of the /etc/nsswitch.conf file?
- What is the purpose of the rpcinfo command?
- Explain the purpose of the make command in the lab - what does it do?
- Explain the purpose of the /var/yp/securenets file.
- What is the function of the portmapper service?
- What ports did you need to open on your firewall?
- What changes did you need to make to SE Linux?