Difference between revisions of "OPS335 NIS Lab"

From CDOT Wiki
m (Added instruction to modify /etc/nsswitch)
(NIS (Network Information Services))
Line 70: Line 70:
 
*Start the ypbind server with the command.
 
*Start the ypbind server with the command.
 
  systemctl start ypbind.service
 
  systemctl start ypbind.service
 +
{{Admon/important|SELinux and ypbind|You may encounter that SELinux denies the ypbind service. To get this working set SELinux to allow the ypbind service by running this command:}}
 +
grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
 +
*Then to make the changes active run:
 +
semodule -i mypol.pp }}
 +
 
*Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted.
 
*Looking at your logs ensure that ypbind is registered with rpcbind, if it is unable your firewall may need to be adjusted.
 
*Now when you run the following command:
 
*Now when you run the following command:
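Review bot: The added line `semodule -i mypol.pp }}` ends with a stray `}}`. The Admon/important template is already closed at the end of its own line, so these braces render literally and will be pasted into the command by anyone copying it. Drop the `}}`, or move the template's closing braces down so both commands sit inside the admonition. A second point on the `audit2allow -M mypol` line: it converts every ypbind denial found in audit.log into allow rules, so the note should tell students to read the generated mypol.te before loading the module with semodule.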

Revision as of 22:44, 22 November 2012

NIS (Network Information Services)

  • An NIS server is used to synchronize system files between machines in an NIS domain.
  • The Network Information Service (NIS) is a system that provides network information (login names, passwords, home directories, group information) to all of the machines on a network. NIS can allow users to log in on any machine on the network, as long as the machine has the NIS client programs running and the user's password is recorded in the NIS passwd database. NIS was formerly known as Sun Yellow Pages (YP).

  • In this lab you will set up your Fedora PC as both an NFS and NIS server. You will then use your VM's to serve as your NFS and NIS clients.
Prerequisites
Before you begin make sure your Fedora 16 host and virtual machines are up to date (yum update).

Ensure both host and VM's have firewalls set up according to prior labs and all labs have been completed.

Ensure that your NFS server is running on the host and exporting the '/home' directory.

PART A: Setting up your NIS Server

  • Install the NIS server and client onto your f16 host PC
 yum install ypserv ypbind
  • Add the following lines to the bottom of the file /etc/sysconfig/network
 NISDOMAIN="<learn-id>.org"
 YPSERV_ARGS="-p 783"
  • Edit the file /etc/yp.conf and set up your domain:
 domain <learn-id>.org server 127.0.0.1
  • Edit the file /etc/nsswitch.conf and add "nis" to three lines:
 passwd:     files nis
 shadow:     files nis
 group:      files nis
  • Create the file /var/yp/securenets:
 host 127.0.0.1
 255.255.255.0   192.168.x.0
  • Enable and start the NIS (ypserv) service.
 systemctl start ypserv.service
 systemctl enable ypserv.service
  • Enable and start the NIS map transfer (ypxfrd) service.
 systemctl start ypxfrd.service
 systemctl enable ypxfrd.service
  • Back up the configuration file for the NIS databases
 cp /var/yp/Makefile /var/yp/Makefile.org
  • Modify the following two lines in /var/yp/Makefile from
 MINUID=500
 MINGID=500

to

 MINUID=1000
 MINGID=1000
  • Verify that your servers (NFS, ypserv) are running correctly with the following command:
 rpcinfo -p
  • Now change to directory /var/yp and run this command
 make
  • Enable and start the NIS binding (ypbind) service.
 systemctl start ypbind.service
  • You may need to enable another boolean relating to NIS.
 getsebool -a | grep yp
  • Use the following command to verify your NIS server is working - you should see your learnid password record.
 ypcat passwd
  • Add a new user named nis-user, with password "ops335".
  • Run 'ypcat passwd' again.
  • In order for the new user to show up you will need to recreate the map files: change directory to /var/yp and run the "make" command again.
  • Now modify your firewall so that the VMs (client vm03 initially) will be able to access your NIS server. Use netstat to determine which ports will be needed.
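To see what the two lines in /var/yp/securenets admit before opening the firewall, the following added example (not part of the original lab) models the netmask/network match in plain sh. It assumes well-formed rules, and the 192.168.70.0 network is a constructed stand-in for the lab's 192.168.x.0.

```shell
#!/bin/sh
# Added example: model of the netmask/network matching used by /var/yp/securenets.

ip_to_int() {
    # Dotted-quad IPv4 -> integer. Assumes a well-formed address (no validation).
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

securenets_allows() {
    # $1 = securenets file, $2 = client IPv4 address.
    # Returns 0 if any rule admits the client, 1 otherwise.
    client=$(ip_to_int "$2")
    while read -r mask net rest; do
        case $mask in ''|'#'*) continue ;; esac       # skip blank lines and comments
        if [ "$mask" = host ]; then mask=255.255.255.255; fi   # "host A" is a /32 rule
        if [ $(( client & $(ip_to_int "$mask") )) -eq "$(ip_to_int "$net")" ]; then
            return 0
        fi
    done < "$1"
    return 1
}

# Constructed sample: the lab's securenets with x replaced by 70.
rules=$(mktemp)
trap 'rm -f "$rules"' EXIT
cat > "$rules" <<'EOF'
host 127.0.0.1
255.255.255.0   192.168.70.0
EOF

# Two addresses the rules admit, two they refuse.
for ip in 127.0.0.1 192.168.70.13 192.168.71.13 10.0.0.5; do
    if securenets_allows "$rules" "$ip"; then
        echo "$ip allowed"
    else
        echo "$ip refused"
    fi
done
```

Because the NIS passwd map carries the password records mentioned at the top of this lab, keep the netmask line as narrow as the set of clients that really need to bind.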

PART B: Adding VM03 to your NIS domain

  • Ensure you are still mounting your home directory from the host machine using autofs. If not, revisit last week's lab.
  • Install ypbind on your vm03.
  • SSH to vm03 using two terminals, following your logs with one using
 tail -f /var/log/messages
  • Use the other to edit /etc/yp.conf adding the following line:
 domain <learnid>.org server 192.168.x.1
  • Add the following line to the bottom of the file /etc/sysconfig/network
 NISDOMAIN="<learn-id>.org"
  • Start the ypbind service with the command:
 systemctl start ypbind.service
SELinux and ypbind
SELinux may deny the ypbind service. To get this working, set SELinux to allow the ypbind service by running this command:
 grep ypbind /var/log/audit/audit.log | audit2allow -M mypol
  • Then to make the changes active run:
 semodule -i mypol.pp
  • Check your logs to ensure that ypbind has registered with rpcbind; if it could not, your firewall may need to be adjusted.
  • Now when you run the following command:
 ypcat passwd
  • You should be able to see the 'nis-user' entry added to the host machine.
  • Modify /etc/nsswitch.conf so that this vm will check with NIS before looking at its own files for passwd, shadow, and group.

Part C: Adding the other VM's

  • Many of you had an issue last week when using NFS as you had differing GID & UID's between systems - when attempting to mount the home directory from the host you received various permission issues. We will intentionally create this issue on vm02 and then correct it with NIS.
  • SSH to the root account on vm02 and run the following command
 cat /etc/passwd | grep home
  • Look at the existing users and compare them with the same users on the host machine. Find one whose credentials differ (if none do, create two).
  • For example on vm02:
 [root@vm02 ~]# cat /etc/passwd | grep home
 nis-user:x:1000:1000::/home/nis-user:/bin/bash
 paul:x:1001:1001::/home/paul:/bin/bash
  • And on the host:
 [root@f16 yp]# cat /etc/passwd | grep home
 paul:x:1000:1000:paul:/home/paul:/bin/bash
 nis-user:x:1001:1001::/home/nis-user:/bin/bash
  • While the two hosts share the same users, their UID and GID are different. This will cause a problem when mounting the home directory using NFS.
  • Add an entry to your fstab so that you are mounting the home directories from the host machine, then mount and switch to your learnid (or other account where UID/GID differs between systems)
 su <learnid>
 cd ~
  • You should receive a permission denied error as the UID on the local system differs from the UID of the file owner on the remote server. Change back to your root account.
  • Install ypbind, configure it to use your domain and NIS server and start the service.
  • Edit the /etc/nsswitch.conf file and change the following lines so that they appear as below:
 passwd:     nis files
 shadow:     nis files
 group:      nis files
 initgroups: files
  • Save and exit the file. Again try to change to your learnid account (or other account where UID/GID differs between systems).
  • You should now be successful. Change to your home directory and do a listing. Below is some example output:
 [paul@vm02 ~]$ ll
 total 384
 -rw-rw-r--. 1 nis-user nis-user      0 Mar 11 19:13 another_empty_file_from_vm03
 drwxr-xr-x. 2 nis-user nis-user   4096 Mar 14 09:09 Desktop
 drwxr-xr-x. 2 nis-user nis-user   4096 Feb 17 05:24 Documents
 drwxr-xr-x. 2 nis-user nis-user   4096 Feb 17 05:45 Downloads
 drwxr-xr-x. 2 nis-user nis-user   4096 Jan  4 10:12 Music
 drwxr-xr-x. 2 nis-user nis-user   4096 Jan  4 10:12 Pictures
 drwxr-xr-x. 2 nis-user nis-user   4096 Jan  4 10:12 Public
 drwxr-xr-x. 2 nis-user nis-user   4096 Jan  4 10:12 Templates
 drwxr-xr-x. 2 nis-user nis-user   4096 Jan  4 10:12 Videos
  • Create an empty file and do a listing again
 [paul@vm02 ~]$ touch empty_from_vm02
 [paul@vm02 ~]$ ll
 -rw-rw-r--. 1 nis-user nis-user      0 Mar 18 14:58 empty_from_vm02
  • And finally
 pwd
  • Notice you are in your home directory, however files show they are owned by a different user, even when you create a new one.
  • Ensure ypbind will start at boot and restart the vm.
  • Again SSH to the machine, this time using your learnid account. You should now be able to see the files in your home directory with the correct mapping.
  • Edit the fstab and remove the entry for NFS.
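The UID/GID comparison done by eye at the start of Part C can be scripted. This added example (not part of the original lab) joins two passwd files on login name and reports every account whose numeric IDs differ, along with the client account that holds the server's UID. The paul and nis-user entries come from the listings above; the root line and the function name are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts whose UID/GID differ between server and client.

uid_gid_mismatches() {
    # $1 = passwd file from the NFS/NIS server, $2 = passwd file from the client.
    # Prints one line per shared login name whose UID or GID differs, plus the
    # client account (if any) that holds the same numeric UID as on the server.
    awk -F: '
        FNR == NR { suid[$1] = $3; sgid[$1] = $4; next }    # first file: server ids
        { cuid[$1] = $3; cgid[$1] = $4; name_of[$3] = $1 }  # second file: client ids
        END {
            for (u in cuid) {
                if (!(u in suid)) continue                  # account exists only on client
                if (suid[u] == cuid[u] && sgid[u] == cgid[u]) continue
                holder = (suid[u] in name_of) ? name_of[suid[u]] : "-"
                printf "%s server=%s:%s client=%s:%s client_name_for_server_uid=%s\n",
                       u, suid[u], sgid[u], cuid[u], cgid[u], holder
            }
        }' "$1" "$2" | sort
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# paul and nis-user are from the lab listings; the root line is constructed.
cat > "$tmp/host.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
paul:x:1000:1000:paul:/home/paul:/bin/bash
nis-user:x:1001:1001::/home/nis-user:/bin/bash
EOF
cat > "$tmp/vm02.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nis-user:x:1000:1000::/home/nis-user:/bin/bash
paul:x:1001:1001::/home/paul:/bin/bash
EOF

uid_gid_mismatches "$tmp/host.passwd" "$tmp/vm02.passwd"
```

On a bound client, the output of `ypcat passwd` saved to a file can serve as the first argument and /etc/passwd as the second.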

Part D: Adding autofs maps:

  • Copy the autofs files from vm03 to your host machine
 scp /etc/auto.{home,master} root@f16:/etc/
  • Edit /etc/auto.master on the host and remove the '/etc/' prefix from auto.home's path:
 /home   auto.home   --timeout=60
  • Regenerate your NIS maps and run:
 ypcat auto.home
  • You should receive the following:
 No such map auto.home. Reason: No such map in server's domain
  • You will need to look into the Makefile to determine how to add auto.home and auto.master to the list of files shared by NIS.
  • After making changes to your Makefile, regenerate your maps again and run the same command as above. You should now see the file and its contents when you run ypcat auto.home.
 [root@f16 yp]# ypcat auto.home
 -fstype=nfs,rw,nosuid,soft      192.168.70.1:/home/&
  • SSH to vm02 and edit the /etc/nsswitch.conf file and make changes so autofs consults NIS. Reboot the machine.
  • When the VM comes back up, SSH and ensure auto mounting of home occurred.
  • When you have successfully made this change on vm02, repeat the steps needed for vm01.

Completing the Lab

Answer the following questions in your log book.

  1. What is the function of the /etc/nsswitch.conf file?
  2. What is the purpose of the rpcinfo command?
  3. Explain the purpose of the make command in the lab - what does it do?
  4. Explain the purpose of the /var/yp/securenets file.
  5. What is the function of the portmapper service?
  6. What ports did you need to open on your firewall?
  7. What changes did you need to make to SELinux?