NIS (Network Information Service), formerly Sun Yellow Pages (YP), exists mainly to provide centralized identity management to the machines on a network.
Environment
- 172.20.0.100 c1
- 172.20.0.101 c2
Following the NFS environment setup, 172.20.0.100 is the nfs node and exports the /home directory.
Structure
Files managed by NIS:
- /etc/passwd usernames and passwords (/etc/shadow?)
- /etc/group user groups
- /etc/hosts local hosts resolution
- home directories
NIS servers communicate over RPC; an NIS server can also act as a client at the same time. Components:
- ypserv NIS server, /usr/sbin/ypserv : the main NIS service
- ypbind NIS client
- yp-tools NIS query tools
- rpcbind RPC communication for NIS
ypserv configuration
- /etc/ypserv.conf
- /etc/hosts : hostname-to-IP mapping of the NIS server and clients
- /etc/sysconfig/network : sets the nisdomainname
- /var/yp/Makefile
- /usr/sbin/rpc.yppasswdd : service that lets NIS clients change their passwords
安装
Server
yum install -y yp-tools ypbind ypserv rpcbind
$ cat /etc/sysconfig/network
NISDOMAIN=test
# YPSERV_ARGS="-p 925" (not recommended)
Alternatively, add /bin/nisdomainname test to /etc/rc.d/rc.local, and run it manually once:
/bin/nisdomainname test
- Configure /etc/sysconfig/yppasswdd (not recommended)
# YPPASSWDD_ARGS="--port 928"
$ cat /etc/ypserv.conf
# How many map file handles should be cached ?
files: 30
# xfr requests are only allowed from ports < 1024
xfr_check_port: yes
# The following, when uncommented, will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.
# Host : Domain : Map : Security
#
# * : * : passwd.byname : port
# * : * : passwd.byuid : port
# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everbody is root and can access ports < 1024 !!!
* : * : passwd.byuid : port
* : * : passwd.byname : port
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
# * : * : * : *
# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# The following allows everything
# * : * : * : none
# The following allows 127.0.0.0/24 and 172.20.0.0/24 and denies everything else
# 127.0.0.0/255.255.255.0 : * : * : none
# 172.20.0.0/255.255.255.0 : * : * : none
# * : * : * : deny
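An added example, not part of the original notes, that evaluates ypserv.conf access rules the way ypserv does (first matching rule wins) so you can see what the configuration above actually permits. The sample file is constructed from the rules above with the commented-out subnet and final deny rules enabled; note that the passwd rules come before the subnet rules, so a privileged-port request from any host still reaches the passwd maps.

```python
import ipaddress

# Constructed sample mirroring the access rules in the page's /etc/ypserv.conf,
# with the commented-out subnet rules and the final deny rule enabled.
SAMPLE_YPSERV_CONF = """
files: 30
xfr_check_port: yes
* : * : passwd.byuid : port
* : * : passwd.byname : port
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
127.0.0.0/255.255.255.0 : * : * : none
172.20.0.0/255.255.255.0 : * : * : none
* : * : * : deny
"""

def parse_rules(text):
    """Return (host, domain, map, security) tuples in file order; option
    lines such as 'files: 30' have fewer than four fields and are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")]
        if len(fields) == 4:
            rules.append(tuple(fields))
    return rules

def host_matches(pattern, client_ip):
    """'*' matches any host; 'addr/netmask' matches a subnet; otherwise exact IP."""
    if pattern == "*":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(pattern) == ipaddress.ip_address(client_ip)

def check_access(rules, client_ip, domain, mapname, src_port):
    """First matching rule wins: none=allow, port=allow only if the request
    came from a privileged (<1024) source port, deny=refuse. A request that
    matches no rule at all is allowed, which is why the final deny rule matters."""
    for host, dom, mp, security in rules:
        if not host_matches(host, client_ip):
            continue
        if dom not in ("*", domain) or mp not in ("*", mapname):
            continue
        if security == "port":
            return "allow" if src_port < 1024 else "deny"
        return "allow" if security == "none" else "deny"
    return "allow"
```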
$ cat /etc/hosts
172.20.0.100 c1
172.20.0.101 c2
$ useradd test
$ echo 123 | passwd --stdin test
Changing password for user test.
passwd: all authentication tokens updated successfully.
[root@c1 ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. c1 is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: c1
next host to add: # press Ctrl+D to finish
The current list of NIS servers looks like this:
c1
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/test/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/test'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/test'
c1 has been set up as a NIS master server.
Now you can run ypinit -s c1 on all slave server.
Note: enable and start the services:
systemctl enable rpcbind.service
systemctl start rpcbind.service
systemctl status rpcbind.service
systemctl enable ypserv.service
systemctl start ypserv.service
systemctl status ypserv.service
systemctl enable yppasswdd.service
systemctl start yppasswdd.service
systemctl status yppasswdd.service
Other files:
- /var/yp/Makefile : settings for the operations that build the databases
Client
yum install -y ypbind yp-tools rpcbind
$ cat /etc/sysconfig/network
NISDOMAIN=test
$ chmod +x /etc/rc.d/rc.local
$ cat /etc/rc.d/rc.local
/bin/nisdomainname test
$ cat /etc/hosts
172.20.0.100 c1
172.20.0.101 c2
authconfig-tui
- Authentication Configuration
- User Information -> [*] Use NIS
- Authentication -> [*] Use Shadow Passwords
- Next
- NIS Settings
- Domain -> test
- Server -> 172.20.0.100
- OK
Equivalent to:
$ echo "domain test server 172.20.0.100" >> /etc/yp.conf
/etc/sysconfig/authconfig : USENIS=yes
$ cat /etc/pam.d/system-auth | grep nis
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
$ cat /etc/nsswitch.conf | grep '^[^#]' | grep nis
passwd: files nis sss
shadow: files nis sss
group: files nis sss
hosts: files nis dns myhostname
bootparams: nisplus [NOTFOUND=return] files
netgroup: files nis sss
publickey: nisplus
automount: files nis
aliases: files nisplus
After the configuration is complete, the following files are modified:
/etc/sysconfig/authconfig # USENIS=yes set
/etc/sysconfig/network # NISDOMAIN=test added
/etc/yp.conf # domain test server 172.20.0.100 added
/etc/nsswitch.conf
/etc/pam.d/system-auth
Start the services
systemctl enable rpcbind.service
systemctl start rpcbind.service
systemctl status rpcbind.service
systemctl enable ypbind.service
systemctl start ypbind.service
systemctl status ypbind.service
Other configuration
/usr/bin/yppasswd : updates the password in the NIS server database
/usr/bin/ypchsh : updates the login shell
/usr/bin/ypchfn : updates user information
Client test tools
yptest
ypwhich -x
ypcat [-kt] [-d domain] [-h hostname] mapname
Sharing the /home directory
Autofs can also be used by configuring /etc/auto.master.
Adding a new user
Add the user on the ypserv host, then test on the other nodes:
$ useradd test1
$ echo 123 | passwd --stdin test1
$ /usr/lib64/yp/ypinit -m
Every account added on the master requires regenerating the database; instead of ypinit you can also run:
$ cd /var/yp/
$ make
FAQ
Debugging tips
vim /usr/lib/systemd/system/ypbind.service
ExecStart=/usr/sbin/ypbind -d -v -n $OTHER_YPBIND_OPTS
yptest: WARNING: No such key in map
$ yptest
...
Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)
nobody is not found because the uid of nobody used to be 65534 while on CentOS it is 99. This error can be ignored; use yptest -u test to run the check as that user.
/usr/bin/id: cannot find name for user ID 1001
$ ypcat -k passwd
test1 test1:$6$E405NEqj$DjC21749nwBHJzZMbIS/RDQZbQrHf8hF/3Y2MIpEQ1PqBtYiGDrIU6REHb.g8bzHDVidOcYL6jR2eWVBZxYM90:1001:1001::/home/test1:/bin/bash
ypbind: NIS domain: test, ypbind not registered with rpcbind.
Restarting ypbind fails, and /var/log/messages reports the error above:
ypbind: 5126: Trying entry: domain hpc server 172.20.0.100
ypbind: 5126: parsed domain 'hpc' server '172.20.0.100'
ypbind: 5126: add_server() domain: hpc, host: 172.20.0.100, slot: 0
ypbind: 5126: [Welcome to ypbind-mt, version 1.37.1]
ypbind: 5126: ping interval is 20 seconds
ypbind: 5126: rebind interval is 900 seconds
ypbind: 5128: NetworkManager is running.
ypbind: 5128: No network is available. Waiting...
...
ypbind: NIS domain: test, ypbind not registered with rpcbind.
The log also shows that the /etc/yp.conf entry was parsed for domain 'hpc' while the NIS domain is test; ypbind only uses entries for its own domain, so that entry must read domain test server 172.20.0.100.
- Disable selinux by setting in /etc/selinux/config:
SELINUX=disabled
- Stop NetworkManager:
systemctl stop NetworkManager
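An added consistency check, not part of the original notes, for the client-side mismatch visible in this log: the NIS domain comes from NISDOMAIN in /etc/sysconfig/network, but ypbind parsed the /etc/yp.conf entry for domain 'hpc', and it only binds using entries for its own domain. The file contents below are constructed to reproduce the page's setup; the function names are my own.

```python
import re

# Constructed client files reproducing the page's configuration, including the
# domain mismatch seen in its FAQ log (yp.conf says 'hpc', NISDOMAIN is 'test').
NETWORK_FILE = "NISDOMAIN=test\n"
YP_CONF = "domain hpc server 172.20.0.100\n"
NSSWITCH = ("passwd: files nis sss\nshadow: files nis sss\n"
            "group: files nis sss\nhosts: files dns myhostname\n")

def nis_domain(network_text):
    """NISDOMAIN value from /etc/sysconfig/network, or None if unset."""
    m = re.search(r"^NISDOMAIN=(\S+)", network_text, re.M)
    return m.group(1) if m else None

def yp_conf_entries(yp_conf_text):
    """(domain, server) pairs from 'domain <d> server <s>' lines in /etc/yp.conf."""
    return re.findall(r"^domain\s+(\S+)\s+server\s+(\S+)", yp_conf_text, re.M)

def check_client_config(network_text, yp_conf_text, nsswitch_text):
    """Return a list of problems; an empty list means the three files agree."""
    problems = []
    domain = nis_domain(network_text)
    if not domain:
        problems.append("NISDOMAIN not set in /etc/sysconfig/network")
    entries = yp_conf_entries(yp_conf_text)
    if domain and not any(d == domain for d, _ in entries):
        problems.append(f"/etc/yp.conf has no 'domain {domain} server ...' entry;"
                        " ypbind will not bind for this domain")
    # The page's nsswitch.conf consults nis for passwd, shadow and group.
    for db in ("passwd", "shadow", "group"):
        m = re.search(rf"^{db}:\s*(.*)$", nsswitch_text, re.M)
        sources = m.group(1).split() if m else []
        if "nis" not in sources:
            problems.append(f"nsswitch.conf: '{db}' does not consult nis")
    return problems
```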