|
|
The Linux NIS(YP)/NYS/NIS+ HOWTO
4.1. How NIS works /*nis是如何工作的*/
Within a network there must be at least one machine acting as a NIS server. You can have multiple NIS servers, each serving different NIS "domains" - or you can have cooperating NIS servers, where one is the master NIS server, and all the other are so-called slave NIS servers (for a certain NIS "domain", that is!) - or you can have a mix of them.../*网络中至少有一台做nis server,他们可以是各自管理不同的域,也可以是主从服务器的协作关系*/
Slave servers only have copies of the NIS databases and receive these copies from the master NIS server whenever changes are made to the master's databases. Depending on the number of machines in your network and the reliability of your network, you might decide to install one or more slave servers. Whenever a NIS server goes down or is too slow in responding to requests, a NIS client connected to that server will try to find one that is up or faster./*从nis服务器只是保存着主服务器数据的copy,根据你网络的规模来安装nis 从server,但 nis服务响应客户较慢时,客户会自己去找响应快的*/
NIS databases are in so-called DBM format, derived from ASCII databases. For example, the files /etc/passwd and /etc/group can be directly converted to DBM format using ASCII-to-DBM translation software (makedbm, included with the server software). The master NIS server should have both, the ASCII databases and the DBM databases./*nis数据库是DBM格式的,它从ASCii发展而来。Nis server应该有ascii和DBM数据库*/
Slave servers will be notified of any change to the NIS maps, (via the yppush program), and automatically retrieve the necessary changes in order to synchronize their databases. NIS clients do not need to do this since they always talk to the NIS server to read the information stored in it's DBM databases./*nis从服务器会被及时通知,当主服务器上的任何maps数据库有改动时(通过yppush程序实现),从服务器就会自动检索到改动数据,以保持与主服务器的同步。*/
Old ypbind versions do a broadcast to find a running NIS server. This is insecure, due the fact that anyone may install a NIS server and answer the broadcast queries. Newer Versions of ypbind (ypbind-3.3 or ypbind-mt) are able to get the server from a configuration file - thus no need to broadcast./*旧的ypbind通过广播找nis服务器,这是不安全的*/
NIS+ is a new version of the network information nameservice from Sun. The biggest difference between NIS and NIS+ is that NIS+ has support for data encryption and authentication over secure RPC./*nis+是新的 sun开发的网络信息服务系统,它与nis 的不同是nis+支持通过安全的RPC协议的加密认证功能*/
The naming model of NIS+ is based upon a tree structure. Each node in the tree corresponds to an NIS+ object, from which we have six types: directory, entry, group, link, table and private.
The NIS+ directory that forms the root of the NIS+ namespace is called the root directory. There are two special NIS+ directories: org_dir and groups_dir. The org_dir directory consists of all administration tables, such as passwd, hosts, and mail_aliases. The groups_dir directory consists of NIS+ group objects which are used for access control. The collection of org_dir, groups_dir and their parent directory is referred to as an NIS+ domain.
5. The RPC Portmapper
To run any of the software mentioned below you will need to run the program /sbin/portmap. Some Linux distributions already have the code in the /sbin/init.d/ or /etc/rc.d/ files to start up this daemon. All you have to do is to activate it and reboot your Linux machine. Read your Linux Distribution Documentation how to do this./*以下部分谈到的都要得到RPC pormap的支持,它一般已被大多数的 linux发行版所包含了。*/
The RPC portmapper (portmap(8)) is a server that converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to make RPC calls (which is what the NIS/NIS+ client software does) to RPC servers (like a NIS or NIS+ server) on that machine. When an RPC server is started, it will tell portmap what port number it is listening to, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent./*RPC portmap是一种将RPC程序自己的端口转换为tcp/udp 通用端口的服务。它是为响应RPC呼叫请求的机制。它告诉portmap程序要监听的端口是啥,以及为哪些RPC程序服务,当客户端发起请RPC求后,它就去联系portmap,已决定从哪个端口去发送数据包*/
Since RPC servers could be started by inetd(8), portmap should be running before inetd is started./*一般先启动portmap,再启动RPC程序*/
For secure RPC, the portmapper needs the Time service. Make sure, that the Time service is enabled in /etc/inetd.conf on all hosts:
## Time service is used for clock syncronization.#time stream tcp nowait root internaltime dgram udp wait root internal
IMPORTANT: Don't forget to restart inetd after changes on its configuration file !
6.1. Determine whether you are a Server, Slave or Client. /*做主服务器,从服务器或客户机*/
To answer this question you have to consider two cases:/考虑2点/
1. Your machine is going to be part of a network with existing NIS servers/*网络中已有nis服务器*/
2. You do not have any NIS servers in the network yet/*网络中没nis服务器*/
In the first case, you only need the client programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The most important program is ypbind. This program must be running at all times, which means, it should always appear in the list of processes. It is a daemon process and needs to be started from the system's startup file (eg. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running your system has become a NIS client./*第一种情况,即做客户端,要用到ypbind,它一般要开机要起来*/
In the second case, if you don't have NIS servers, then you will also need a NIS server program (usually called ypserv). Section 9 describes how to set up a NIS server on your Linux machine using the ypserv daemon./*第二种情况做服务器用到ypserv这个服务*/
6.2. The Software
The system library "/usr/lib/libc.a" (version 4.4.2 and better) or the shared library "/lib/libc.so.x" contain all necessary system calls to succesfully compile the NIS client and server software. For the GNU C Library 2 (glibc 2.x), you also need /lib/libnsl.so.1.
Some people reported that NIS only works with "/usr/lib/libc.a" version 4.5.21 and better so if you want to play it safe don't use older libc's. The NIS client software can be obtained from:
Site Directory File Name ftp.kernel.org /pub/linux/utils/net/NIS yp-tools-2.8.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS ypbind-mt-1.13.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS ypbind-3.3-glibc5.diff.gz
Once you obtained the software, please follow the instructions which come with the software. yp-clients 2.2 are for use with libc4 and libc5 until 5.4.20. libc 5.4.21 and glibc 2.x needs yp-tools 1.4.1 or later. The new yp-tools 2.4 should work with every Linux libc. Since there was a bug in the NIS code, you shouldn't use libc 5.4.21-5.4.35. Use libc 5.4.36 or later instead, or the most YP programs will not work. ypbind 3.3 will work with all libraries, too. If you use gcc 2.8.x or greater, egcs or glibc 2.x, you should add the ypbind-3.3-glibc5.diff patch to ypbind 3.3. If possible you should avoid the use of ypbind 3.3 for security reasons. ypbind-mt is a new, multithreaded daemon. It needs a Linux 2.2 kernel and glibc 2.1 or later./*下载编译软件*/
7. Setting Up the NIS Client
7.1. The ypbind daemon
After you have succesfully compiled the software you are now ready to install it. A suitable place for the ypbind daemon is the directory /usr/sbin. Some people may tell you that you don't need ypbind on a system with NYS. This is wrong. ypwhich and ypcat need it always./*ypwhich,ypcat需要ypbind的后台支持,所以不能没有ypbind*/
Newer ypbind versions have a configuration file called /etc/yp.conf. You can hardcode a NIS server there - for more info see the manual page for ypbind(8). You also need this file for NYS. An example: /ypbind的配置文件是/etc/yp.conf其中可以指定服务器地址*/
Ypserver 10.10.0.1ypserver 10.0.100.8ypserver 10.3.1.1
If the system can resolve the hostnames without NIS, you may use the name, otherwise you have to use the IP address. ypbind 3.3 has a bug and will only use the last entry (ypserver 10.3.1.1 in the example). All other entries are ignored. ypbind-mt handle this correct and uses that one, which answerd at first./*如能有其他解析的话也可以用机器名来表示*/
It might be a good idea to test ypbind before incorporating it in the startup files. To test ypbind do the following:
· Make sure you have your YP-domain name set. If it is not set then issue the command:
/bin/domainname nis.domain
where nis.domain should be some string _NOT_ normally associated with the DNS-domain name of your machine! The reason for this is that it makes it a little harder for external crackers to retreive the password database from your NIS servers. If you don't know what the NIS domain name is on your network, ask your system/network administrator. /nis domain name并不和dns域名有何种联系,这是为了安全考虑,防止黑客检索nis密码数据库*/
· Start up "/sbin/portmap" if it is not already running. /*先保证potmap 启动*/
· Create the directory /var/yp if it does not exist./建立目录/
· Start up /usr/sbin/ypbind /运行ypbind/
· Use the command rpcinfo -p localhost to check if ypbind was able to register its service with the portmapper. The output should look like:
program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100007 2 udp 637 ypbind 100007 2 tcp 639 ypbind
or
program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100007 2 udp 758 ypbind 100007 1 udp 758 ypbind 100007 2 tcp 761 ypbind 100007 1 tcp 761 ypbind
Depending on the ypbind version you are using.
· You may also run rpcinfo -u localhost ypbind. This command should produce something like:
program 100007 version 2 ready and waiting
or
program 100007 version 1 ready and waiting program 100007 version 2 ready and waiting
The output depends on the ypbind version you have installed. Important is only the "version 2" message.
At this point you should be able to use NIS client programs like ypcat, etc... For example, ypcat passwd.byname will give you the entire NIS password database./ypcat passwd可以用来显示nis 密码数据库的内容/
IMPORTANT: If you skipped the test procedure then make sure you have set the domain name, and created the directory
/var/yp
This directory MUST exist for ypbind to start up succesfully.
To check if the domainname is set correct, use the /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function which is more restrict. It doesn't allow for example the "(none)" domainname, which is the default under Linux and makes a lot of problems./*ypdomainname看nis域名*/
If the test worked you may now want to change your startupd files so that ypbind will be started at boot time and your system will act as a NIS client. Make sure that the domainname will be set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see if ypbind is actually started.
7.5. The nsswitch.conf File
The Network Services switch file /etc/nsswitch.conf determines the order of lookups performed when a certain piece of information is requested, just like the /etc/host.conf file which determines the way host lookups are performed. For example, the line/此文件类似/etc/host.conf文件,用来指定服务的检索顺序/
hosts: files nis dns
specifies that host lookup functions should first look in the local /etc/hosts file, followed by a NIS lookup and finally through the domain name service (/etc/resolv.conf and named), at which point if no match is found an error is returned. This file must be readable for every user! You can find more information in the man-page nsswitch.5 or nsswitch.conf.5.
A good /etc/nsswitch.conf file for NIS is:
## /etc/nsswitch.conf## An example Name Service Switch config file. This file should be# sorted with the most-used services at the beginning.## The entry '[NOTFOUND=return]' means that the search for an# entry should stop if the search in the previous entry turned# up nothing. Note that if the search failed due to some other reason# (like no NIS server responding) then the search continues with the# next entry.## Legal entries are:## nisplus Use NIS+ (NIS version 3)# nis Use NIS (NIS version 2), also called YP# dns Use DNS (Domain Name Service)# files Use the local files# db Use the /var/db databases# [NOTFOUND=return] Stop searching if not found so far#passwd: compatgroup: compat# For libc5, you must use shadow: files nisshadow: compatpasswd_compat: nisgroup_compat: nisshadow_compat: nishosts: nis files dnsservices: nis [NOTFOUND=return] filesnetworks: nis [NOTFOUND=return] filesprotocols: nis [NOTFOUND=return] filesrpc: nis [NOTFOUND=return] filesethers: nis [NOTFOUND=return] filesnetmasks: nis [NOTFOUND=return] filesnetgroup: nisbootparams: nis [NOTFOUND=return] filespublickey: nis [NOTFOUND=return] filesautomount: filesaliases: nis [NOTFOUND=return] files
passwd_compat, group_compat and shadow_compat are only supported by glibc 2.x. If there are no shadow rules in /etc/nsswitch.conf, glibc will use the passwd rule for lookups. There are some more lookup module for glibc like hesoid. For more information, read the glibc documentation.
9. Setting up a NIS Server 建立服务器
9.1. The Server Program ypserv
This document only describes how to set up the "ypserv" NIS server.
The NIS server software can be found on:
Site Directory File Name ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.gz ftp.kernel.org /pub/linux/utils/net/NIS ypserv-2.9.tar.bz2
The server setup is the same for both traditional NIS and NYS.
Compile the software to generate the ypserv and makedbm programs. ypserv-2.x only supports the securenets file for access restrictions.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read the ypserv(8) and ypserv.conf(5) manual pages./ securenets用于安全配置,ypserv.conf是服务器的配置文件/
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command /*rpcinfo看ypserv是否被portmap监听*/
% rpcinfo -u localhost ypserv
should output something like
program 100004 version 1 ready and waiting program 100004 version 2 ready and waiting
Now generate the NIS (YP) database. On the master, run /*建立主数据库*/
% /usr/lib/yp/ypinit –m
On a slave make sure that ypwhich -m works. This means, that your slave must be configured as NIS client before you could run
% /usr/lib/yp/ypinit -s masterhost
to install the host as NIS slave./*建立从服务器*/
That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map if the source file is newer, and push the This will ensure that most NIS maps are kept up-to-date, even if an update is missed because the slave was down at the time the update was done on the master./*在/var/yp目录中用make来更新数据库,不能用ypinit*/
You can add a slave at every time later. At first, make sure that the new slave server has permissions to contact the NIS master. Then run
% /usr/lib/yp/ypinit -s masterhost
on the new slave. On the master server, add the new slave server name to /var/yp/ypservers and run make in /var/yp to update the map./建立从服务器/
If you want to restrict access for users to your NIS server, you'll have to setup the NIS server as a client as well by running ypbind and adding the plus-entries to /etc/passwd _halfway_ the password file. The library functions will ignore all normal entries after the first NIS entry, and will get the rest of the info through NIS. This way the NIS access rules are maintained. An example:
root:x:0:0:root:/root:/bin/bash daemon:*:1:1:daemon:/usr/sbin: bin:*:2:2:bin:/bin: sys:*:3:3:sys:/dev: sync:*:4:100:sync:/bin:/bin/sync games:*:5:100:games:/usr/games: man:*:6:100:man:/var/catman: lp:*:7:7:lp:/var/spool/lpd: mail:*:8:8:mail:/var/spool/mail: news:*:9:9:news:/var/spool/news: uucp:*:10:50:uucp:/var/spool/uucp: nobody:*:65534:65534:noone at all,,,,:/dev/null: +miquels:::::: +:*:::::/etc/NoShell [ All normal users AFTER this line! ] tester:*:299:10:Just a test account:/tmp: miquels:1234567890123:101:10:Miquel van Smoorenburg:/home/miquels:/bin/zsh
Thus the user "tester" will exist, but have a shell of /etc/NoShell. miquels will have normal access.
Alternatively, you could edit the /var/yp/Makefile file and set NIS to use another source password file. On large systems the NIS password and group files are usually stored in /etc/yp/. If you do this the normal tools to administrate the password file such as passwd, chfn, adduser will not work anymore and you need special homemade tools for this.
9.3. The Program rpc.ypxfrd
rpc.ypxfrd is used for speed up the transfer of very large NIS maps from a NIS master to NIS slave servers. If a NIS slave server receives a message that there is a new map, it will start ypxfr for transfering the new map. ypxfr will read the contents of a map from the master server using the yp_all() function. This process can take several minutes when there are very large maps which have to store by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, so that there is no need for building a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slow, it should be started with ypserv. You need to start rpc.ypxfrd only on the NIS master server./* rpc.ypxfrd用来加速主从服务器的同步传递速度*/
9.4. The Program rpc.yppasswdd
Whenever users change their passwords, the NIS password database and probably other NIS databases, which depend on the NIS password database, should be updated. The program "rpc.yppasswdd" is a server that handles password changes and makes sure that the NIS information will be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any longer./*rpc.yppasswd用来当域用户在域中更改密码后可以及时同步到nis服务器的密码数据库中,无此服务就不会同步*/
You need to start rpc.yppasswdd only on the NIS master server. By default, users are not allowed to change their full name or the login shell. You can allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are not in another directory then /etc, you need to add the -D option. For example, if you have put all source files in /etc/yp and wish to allow the user to change his shell, you need to start rpc.yppasswdd with the following parameters:
rpc.yppasswdd -D /etc/yp -e chsh
or
rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh
There is nothing more to do. You just need to make sure, that rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors will be logged using syslog.
10. Verifying the NIS/NYS Installation
If everything is fine (as it should be), you should be able to verify your installation with a few simple commands. Assuming, for example, your passwd file is being supplied by NIS, the command
% ypcat passwd
should give you the contents of your NIS passwd file. The command
% ypmatch userid passwd
(where userid is the login name of an arbitrary user) should give you the user's entry in the NIS passwd file. The "ypcat" and "ypmatch" programs should be included with your distribution of traditional NIS or NYS.
11. Creating and Updating NIS maps
11.1. Creating new NIS maps
The initial NIS maps will be created by running
% /usr/lib/yp/ypinit -m
This is done when setting up the NIS master server for the first time. For more information about this, read Section 9. If you wish to add new maps to your server or remove old one, you need to edit the /var/yp/Makefile and change the all: rule. Add or remove the name of the rule, which generates the map.
If you delete a map, you also have to remove the corresponding files.
After this change, you only need to run
% make -C /var/yp
and the maps should be created.
11.2. Updating NIS maps
If you modify the sources for the NIS maps (for example if you create a new user by adding the account to the passwd file), you need to regenerate the NIS maps. This is done by a simple
% make -C /var/yp
This command will check which sources have changed, creates the maps new and tell ypserv that the maps have changed.
13. Changing passwords with rpasswd
The standard way to change a NIS password is to call yppasswd, on some systems this is only an alias for passwd. This commands uses the yppasswd protocol and needs a running rpc.yppasswdd process on the NIS master server. The protocol has the disadvantage, that the old password will be send in clear text over the network. This is not so problematic, if the password change was successfull. In this case, the old password is replaced with the new one. But if the password change fails, an attacker can use the clear password to login as this user. Even more worse: If the system administrator changes the NIS password for another user, the root password of the NIS master server is transfered in clear text over the network. And this one will not be changed.
One solution is to not use yppasswd for changing the password. Instead, a good alternative is the rpasswd command from the pwdutils package.
Site Directory File Name ftp.kernel.org /pub/linux/utils/net/NIS pwdutils-2.3.tar.gz ftp.suse.com /pub/people/kukuk/pam/pam_pwcheck pam_pwcheck-2.2.tar.bz2 ftp.suse.com /pub/people/kukuk/pam/pam_unix2 pam_unix2-1.16.tar.bz2
rpasswd changes passwords for user accounts on a remote server over a secure SSL connection. A normal user may only change the password for their own account, if the user knows the password of the administrator account (in the moment this is the root password on the server), he may change the password for any account if he calls rpasswd with the -a option.
13.2. Client Configuration
On every client only the configuration file /etc/rpasswd.conf which contains the name of the server is neded. If the server does not run on the default port, the correct port can alse be mentioned here:
# rpasswdd runs on master.example.comserver master.example.com# Port 774 is the default portport 774
14. Common Problems and Troubleshooting NIS
Here are some common problems reported by various users:
1. The libraries for 4.5.19 are broken. NIS won't work with it.
2. If you upgrade the libraries from 4.5.19 to 4.5.24 then the su command breaks. You need to get the su command from the slackware 1.2.0 distribution. Incidentally that's where you can get the updated libraries.
3. When a NIS server goes down and comes up again ypbind starts complaining with messages like:
yp_match: clnt_call: RPC: Unable to receive; errno = Connection refused
4. and logins are refused for those who are registered in the NIS database. Try to login as root and kill ypbind and start it up again. An update to ypbind 3.3 or higher should also help.
5. After upgrading the libc to a version greater then 5.4.20, the YP tools will not work any longer. You need yp-tools 1.2 or later for libc >= 5.4.21 and glibc 2.x. For earlier libc version you need yp-clients 2.2. yp-tools 2.x should work for all libraries.
6. In libc 5.4.21 - 5.4.35 yp_maplist is broken, you need 5.4.36 or later, or some YP programs like ypwhich will segfault.
7. libc 5 with traditional NIS doesn't support shadow passwords over NIS. You need libc5 + NYS or glibc 2.x.
8. ypcat shadow doesn't show the shadow map. This is correct, the name of the shadow map is shadow.byname, not shadow.
9. Solaris doesn't use always privileged ports. So don't use password mangling if you have a Solaris client. |
|
IP卡
狗仔卡
发表于 2005-1-1 12:44:49
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
显身卡