NIS 使用介绍

发布时间: 更新时间: 总字数:1460 阅读时间:3m 作者: 分享 复制网址

NIS(Network Information Services) 前身是 Sun Yellow Pages (YP),主要目的是向网络上的机器提供集中身份管理。

环境

  • 172.20.0.100 c1
  • 172.20.0.101 c2

参照 NFS 环境搭建172.20.0.100nfs 节点,并共享 /home 目录。

结构

NIS 管理的文件:

  • /etc/passwd 用户名密码(/etc/shadow?)
  • /etc/group 用户组
  • /etc/hosts 本地 hosts 解析
  • home directories

NIS 服务器通过 RPC 协议通信,NIS 服务器同时可以当做客户端使用,组成:

  • ypserv NIS Server,/usr/sbin/ypserv : NIS 主服务
  • ypbind NIS Client
  • yp-tools NIS 相关查询
  • rpcbind NIS RPC 通信

ypserv 相关配置

  • /etc/ypserv.conf
  • /etc/hosts : NIS server/client 的 hostname 和 ip 的对应
  • /etc/sysconfig/network : 指定 nisdomainname
  • /var/yp/Makefile
  • /usr/sbin/rpc.yppasswdd : NIS 用户端修改密码的服务

安装

Server

yum install -y yp-tools ypbind ypserv rpcbind
  • 配置 NIS Domain name:
$ cat /etc/sysconfig/network
NISDOMAIN=test
# YPSERV_ARGS="-p 925" (不建议配置)

也可以在 /bin/nisdomainname test 中添加 /etc/rc.d/rc.local,手动执行:

/bin/nisdomainname test
  • 配置 /etc/sysconfig/yppasswdd (不建议配置)
# YPPASSWDD_ARGS="--port 928"
  • 主配置文件 /etc/ypserv.conf
$ cat /etc/ypserv.conf
# How many map file handles should be cached ?
files: 30

# xfr requests are only allowed from ports < 1024
xfr_check_port: yes

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.

# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port

# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
*                          : *       : passwd.byuid     : port
*                          : *       : passwd.byname    : port
*                          : *       : shadow.byname    : port
*                          : *       : passwd.adjunct.byname : port

# * : * : * : *

# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# 下面对所有放行
# *                        : *       : *                : none

# 下面的对 127.0.0.0/24 / 172.20.0.0 放行,其他拒绝
# 127.0.0.0/255.255.255.0     : * : * : none
# 172.20.0.0/255.255.255.0    : * : * : none
# *                           : * : * : deny
  • 配置 /etc/hosts
172.20.0.100 c1
172.20.0.101 c2
  • 添加用于和密码
$ useradd test
$ echo 123 | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@c1 ~]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of the hosts which will run NIS
servers.  c1 is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
	next host to add:  c1
	next host to add:  # 按下 ctrl + D 终止
The current list of NIS servers looks like this:

c1

Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/test/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/test'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/test'

c1 has been set up as a NIS master server.

Now you can run ypinit -s c1 on all slave server.

注意:

  • 创建目录 /var/yp//

  • 启动服务

systemctl enable rpcbind.service
systemctl start rpcbind.service
systemctl status rpcbind.service

systemctl enable ypserv.service
systemctl start ypserv.service
systemctl status ypserv.service

systemctl enable yppasswdd.service
systemctl start yppasswdd.service
systemctl status yppasswdd.service

其它文件:

  • /var/yp/Makefile : 建立与数据库有关的操作设置文件

Client

  • 安装
yum install -y ypbind yp-tools rpcbind
  • 配置 NIS Domain name:
$ cat /etc/sysconfig/network
NISDOMAIN=test
  • 配置开机自动添加 NIS 域
$ chmod +x /etc/rc.d/rc.local
$ cat /etc/rc.d/rc.local
/bin/nisdomainname test
  • 配置 /etc/hosts
172.20.0.100 c1
172.20.0.101 c2
  • 配置 /etc/yp.conf,进入图形界面配置
authconfig-tui
  • Authentication Configuraton
    • User Information -> [*] Use NIS
    • Authentication -> [*] Use Shadow Passwords
    • Next
  • NIS Settings
    • Domain -> test
    • Server -> 172.20.0.100
    • OK

等同于

$ echo "domain hpc server 172.20.0.100" >> /etc/yp.conf
$ /etc/sysconfig/authconfig : USENIS=yes
$ cat /etc/pam.d/system-auth | grep nis
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
$ cat /etc/nsswitch.conf | grep ^[^#] | grep nis
passwd:     files nis sss
shadow:     files nis sss
group:      files nis sss
hosts:      files nis dns myhostname
bootparams: nisplus [NOTFOUND=return] files
netgroup:   files nis sss
publickey:  nisplus
automount:  files nis
aliases:    files nisplus

配置完成后,会修改如下文件:

  • /etc/sysconfig/authconfig # 修改 USENIS=yes

  • /etc/sysconfig/network # 新增 NISDOMAIN=test

  • /etc/yp.conf # 新增 domain test server 172.20.0.100

  • /etc/nsswitch.conf

  • /etc/pam.d/system-auth

  • 启动服务

systemctl enable rpcbind.service
systemctl start rpcbind.service
systemctl status rpcbind.service

systemctl enable ypbind.service
systemctl start ypbind.service
systemctl status ypbind.service
  • 其他配置

  • /usr/bin/yppasswd : 更新 NIS server database 中的密码

  • /usr/bin/ypchsh : 更新 shell

  • /usr/bin/ypchfn : 更新用户信息

  • 客户端检测工具

  • yptest

  • ypwhich -x

  • ypcat [-kt] [-d domain] [-h hostname] mapname

共享 /home 目录

也可以通过配置 /etc/auto.master 实现 Autofs。

添加新用户

在 ypserv 端添加用户,然后在其他节点测试:

$ useradd test1
$ echo 123 | passwd --stdin test1
$ /usr/lib64/yp/ypinit -m

在 master 主机中每加入一个帐号都要重新生成一次数据库,也可以:

$ cd /var/yp/
$ make

FAQ

调试技巧

vim /usr/lib/systemd/system/ypbind.service

ExecStart=/usr/sbin/ypbind -d -v -n $OTHER_YPBIND_OPTS

yptest: WARNING: No such key in map

$ yptest
...
Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)

找不到 nobody,是因为之前 nobodyuid65534,而 CentOS 中为 99。该错误可以忽略,使用 yptest -u test 验证执行用户

/usr/bin/id: cannot find name for user ID 1001

$ ypcat -k passwd
test1 test1:$6$E405NEqj$DjC21749nwBHJzZMbIS/RDQZbQrHf8hF/3Y2MIpEQ1PqBtYiGDrIU6REHb.g8bzHDVidOcYL6jR2eWVBZxYM90:1001:1001::/home/test1:/bin/bash

ypbind: NIS domain: test, ypbind not registered with rpcbind.

重启 ypbind 失败,/var/log/messages 中报错如上:

ypbind: 5126: Trying entry: domain hpc server 172.20.0.100
ypbind: 5126: parsed domain 'hpc' server '172.20.0.100'
ypbind: 5126: add_server() domain: hpc, host: 172.20.0.100, slot: 0
ypbind: 5126: [Welcome to ypbind-mt, version 1.37.1]
ypbind: 5126: ping interval is 20 seconds
ypbind: 5126: rebind interval is 900 seconds
ypbind: 5128: NetworkManager is running.
ypbind: 5128: No network is available.  Waiting...
...
ypbind: NIS domain: test, ypbind not registered with rpcbind.
  • 问题原因:
  1. 关闭 selinux,配置 /etc/selinux/config
SELINUX=disabled
  1. 关闭 NetworkManager
systemctl stop NetworkManager
最新评论
加载中...
Home Archives Categories Tags Statistics