LPI Linux Certification LPIC2 Exam 202 Network Client Management
11 July 15:13
Description: The candidate should be able to configure a DHCP server and set default options, create a subnet, and create a dynamically-allocated range. This objective includes adding a static host, setting options for a single host, and adding BOOTP hosts. Also included is configuring a DHCP relay agent, and reloading the DHCP server after making changes.
Key files, terms, and utilities include:
dhcpd.conf
dhcpd.leases
Most people reading this will already understand the DHCP protocol. Just as a quick reminder.
DHCP stands for Dynamic Host Configuration Protocol and is commonly used to distribute specific network settings in networks. Settings such as the default gateway, nameservers, IP addresses and much more.
As for a small illustration of the configuration itself.
After the installation of dhcpd the main configuration file can be found at /etc/dhcpd.conf. For Debian installations, one should edit /etc/default/dhcp as soon as the installation is finished and change the following line according to your setup.
INTERFACES="eth1"   # or "eth1 eth2", whatever interfaces you wish to serve IPs on
The dhcpd.conf file is divided into global parameters and subnet-specific parameters. Each subnet can override the global parameters. The most commonly used parameters are the following.
option domain-name "example.com";
option domain-name-servers 192.168.0.1, 193.190.63.172;
option subnet-mask 255.255.255.0;   # global subnet mask
default-lease-time 600;   # seconds each DHCP lease is valid, after which a request for the same IP is launched
max-lease-time 7200;      # if the DHCP server does not respond, keep the IP until 7200 seconds have passed
subnet 192.168.0.0 netmask 255.255.255.240 {
    # subnet-specific statements (a range, option overrides) go here
}
subnet 192.168.0.16 netmask 255.255.255.224 {
    # note: 192.168.0.16 has host bits set for a /27 mask (the network address is 192.168.0.0)
}
group {
    host server2 {
        # hardware ethernet and fixed-address statements for a static host go here
    }
}
This example is just providing an illustration of possible options and overrides.
More information can be found on dhcpd.conf and dhcp-options in the man pages. Look in those pages too for information about using the DHCP server to serve BOOTP as well, useful for diskless clients.
Description: The candidate should be able to configure an NIS server and create NIS maps for major configuration files. This objective includes configuring a system as an NIS client, setting up an NIS slave server, and configuring the ability to search local files, DNS, NIS, etc. in nsswitch.conf.
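To make the scoping rule concrete, here is an added Python example (not part of the LPI material or of the ISC dhcpd distribution) that parses a constructed dhcpd.conf in the shape of the fragment above, computes the parameters each subnet ends up with once its own statements override the global ones, and reports the slips a syntax check alone does not catch: a subnet address with host bits set, a range outside its subnet or touching the network/broadcast address, and a default-lease-time larger than max-lease-time. The configuration text and addresses are constructed; the second subnet is declared exactly as on the page so the check flags it.

```python
import ipaddress
import re

# Constructed dhcpd.conf, modelled on the page's fragment; not a real server's file.
SAMPLE_CONF = """
option domain-name "example.com";
option domain-name-servers 192.168.0.1, 193.190.63.172;
option subnet-mask 255.255.255.0;        # global subnet mask
default-lease-time 600;
max-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.240 {
    range 192.168.0.2 192.168.0.14;
    option domain-name-servers 192.168.0.1;   # overrides the global list
}

# Declared as on the page: 192.168.0.16 is not the network address of a /27
subnet 192.168.0.16 netmask 255.255.255.224 {
    range 192.168.0.20 192.168.0.40;
    default-lease-time 3600;
}
"""

SUBNET_RE = re.compile(r"^subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{$")
STATEMENT_RE = re.compile(r"^(option\s+\S+|\S+)\s+(.*)$")


def parse_dhcpd_conf(text):
    """Return (global_params, subnets). Handles the flat 'key value;' statements
    and 'subnet ... { }' blocks used on the page; group/host blocks are not modelled."""
    global_params, subnets, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = SUBNET_RE.match(line)
        if m:
            addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            current = {"declared": addr, "network": net, "params": {}}
            subnets.append(current)
            continue
        if line == "}":
            current = None
            continue
        if not line.endswith(";"):
            raise ValueError(f"statement without terminating ';': {line!r}")
        stmt = line[:-1].strip()
        m = STATEMENT_RE.match(stmt)
        key, value = m.groups() if m else (stmt, "")
        key = " ".join(key.split())              # normalise 'option   x' spacing
        target = global_params if current is None else current["params"]
        target[key] = value.strip().strip('"')
    return global_params, subnets


def effective_params(global_params, subnet):
    """Subnet statements override global ones, which is how dhcpd scopes work."""
    merged = dict(global_params)
    merged.update(subnet["params"])
    return merged


def check_config(global_params, subnets):
    """Return a list of human-readable problems found in the parsed config."""
    problems = []
    for s in subnets:
        net = s["network"]
        label = f"subnet {s['declared']}/{net.prefixlen}"
        if ipaddress.ip_address(s["declared"]) != net.network_address:
            problems.append(f"{label}: address has host bits set (network is {net.with_prefixlen})")
        p = effective_params(global_params, s)
        if "range" in p:
            lo, hi = (ipaddress.ip_address(x) for x in p["range"].split())
            if lo > hi:
                problems.append(f"{label}: range {lo}-{hi} has its ends reversed")
            elif lo not in net or hi not in net:
                problems.append(f"{label}: range {lo}-{hi} is not inside the subnet")
            elif lo == net.network_address or hi == net.broadcast_address:
                problems.append(f"{label}: range {lo}-{hi} includes the network or broadcast address")
        dl, ml = p.get("default-lease-time"), p.get("max-lease-time")
        if dl and ml and int(dl) > int(ml):
            problems.append(f"{label}: default-lease-time {dl} exceeds max-lease-time {ml}")
    return problems


if __name__ == "__main__":
    g, subs = parse_dhcpd_conf(SAMPLE_CONF)
    for s in subs:
        print(s["network"], effective_params(g, s))
    for problem in check_config(g, subs):
        print("PROBLEM:", problem)
```

Run with python3 and it prints each subnet's effective parameters followed by the PROBLEM lines. dhcpd's own `dhcpd -t` remains the authoritative syntax check on the real file; this script only catches the semantic slips that a syntax check passes.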
Key files, terms, and utilities include:
nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo
nis.conf, nsswitch.conf, ypserv.conf
/etc/nis/netgroup
/etc/nis/nicknames
/etc/nis/securenets
NIS stands for Network Information Service. Its purpose is to provide information that has to be known throughout the network to all machines on the network. Information likely to be distributed by NIS is login names/passwords/home directories (/etc/passwd) and group information (/etc/group).
If, for example, your password entry is recorded in the NIS passwd database, you will be able to login on all machines on the network which have the NIS client programs running.
Within a network there must be at least one machine acting as an NIS server. You can have multiple NIS servers, each serving different NIS domains - or you can have cooperating NIS servers, where one is the master NIS server, and all the others are called slave NIS servers (for a certain NIS domain, that is!) - or you can have a mix of them...
Slave servers only have copies of the NIS databases and receive these copies from the master NIS server whenever changes are made to the master's databases. Depending on the number of machines in your network and the reliability of your network, you might decide to install one or more slave servers. Whenever an NIS server goes down or is too slow in responding to requests, an NIS client connected to that server will try to find one that is up or faster.
NIS databases are in so-called DBM format, derived from ASCII databases. For example, the files /etc/passwd and /etc/group can be directly converted to DBM format using ASCII-to-DBM conversion software (makedbm, included with the server software). The master NIS server should have both the ASCII databases and the DBM databases.
Slave servers will be notified of any change to the NIS maps (via the yppush program), and automatically retrieve the necessary changes in order to synchronize their databases. NIS clients do not need to do this since they always talk to the NIS server to read the information stored in its DBM databases.
To run any of the software mentioned below you will need to run the program /usr/sbin/portmap.
The RPC portmapper (portmap(8)) is a server that converts RPC program numbers into TCP/IP (or UDP/IP) protocol port numbers. It must be running in order to make RPC calls (which is what the NIS/NIS+ client software does) to RPC servers (like an NIS or NIS+ server) on that machine. When an RPC server is started, it will tell portmap what port number it is listening on, and what RPC program numbers it is prepared to serve. When a client wishes to make an RPC call to a given program number, it will first contact portmap on the server machine to determine the port number where RPC packets should be sent.
Since RPC servers could be started by inetd(8), portmap should be running before inetd is started.
For secure RPC, the portmapper needs the Time service. Make sure that the Time service is enabled in /etc/inetd.conf on all hosts:
# Time service is used for clock synchronization.
#
time stream tcp nowait root internal
time dgram udp wait root internal
IMPORTANT: Don't forget to restart inetd after changes to its configuration file!
What do you need to set up NIS?
Determine whether you are a Server, Slave or Client:
Your machine is going to be part of a network with existing NIS servers
You do not have any NIS servers in the network yet
In the first case, you only need the client programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The most important program is ypbind. This program must be running at all times, which means it should always appear in the list of processes. It is a daemon process and needs to be started from the system's startup file (e.g. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As soon as ypbind is running your system has become an NIS client.
In the second case, if you don't have NIS servers, then you will also need an NIS server program (usually called ypserv). Section 9 describes how to set up an NIS server on your Linux machine using the ypserv daemon.
The ypbind daemon
Newer ypbind versions have a configuration file called /etc/yp.conf. You can hardcode an NIS server there - for more information see the manual page for ypbind(8). You also need this file for NYS. An example:
ypserver 10.10.0.1
ypserver 10.0.100.8
ypserver 10.3.1.1
If the system can resolve the hostnames without NIS, you may use the name, otherwise you have to use the IP address. ypbind 3.3 has a bug and will only use the last entry (ypserver 10.3.1.1 in the example). All other entries are ignored. ypbind-mt handles this correctly and uses the one which answered first.
It might be a good idea to test ypbind before including it in the startup files. To test ypbind do the following:
Make sure you have your YP domain name set. If it is not set then issue the command:
/bin/domainname nis.domain
where nis.domain should be some string _NOT_ normally associated with the DNS domain name of your machine! The reason for this is that it makes it a little harder for external crackers to retrieve the password database from your NIS servers. If you don't know what the NIS domain name is on your network, ask your system/network administrator.
Start up /usr/sbin/portmap if it is not already running.
Create the directory /var/yp if it does not exist.
Start up /usr/sbin/ypbind
Use the command rpcinfo -p localhost to check if ypbind was able to register its service with the portmapper. The output should look like:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 637 ypbind
100007 2 tcp 639 ypbind
Or like this (depending on the version of ypbind you are using):
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 758 ypbind
100007 1 udp 758 ypbind
100007 2 tcp 761 ypbind
100007 1 tcp 761 ypbind
You may also run rpcinfo -u localhost ypbind. This command should produce something like:
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
The output depends on the ypbind version you have installed. Only the version 2 message is important.
At this point you should be able to use NIS client programs like ypcat, etc... For example, ypcat passwd.byname will give you the entire NIS password database.
IMPORTANT: If you skipped the test procedure then make sure you have set the domain name, and created the directory /var/yp. This directory MUST exist for ypbind to start up successfully.
To check if the domainname is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is more restrictive. It doesn't allow, for example, the (none) domainname, which is the default under Linux and causes a lot of problems.
If the test worked you may now want to change your startup files so that ypbind will be started at boot time and your system will act as an NIS client. Make sure that the domainname will be set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see if ypbind is in fact started.
For host lookups you must set (or add) nis to the lookup order line in your /etc/host.conf file. Please read the manpage resolv+.8 for more details.
Add the following line to /etc/passwd on your NIS clients:
+::::::
You can also use the + and - characters to include/exclude or change users. If you want to exclude the user guest just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user linux? No problem, just add +linux::::::/bin/ksh (without the quotes) to your /etc/passwd. Fields that you don't want to change have to be left empty. You could also use Netgroups for user control.
For example, to allow login access only to miquels, dth and ed, and all members of the sysadmins netgroup, but to have the account data of all other users available, use:
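Since only the version 2 registration matters, this added Python example (not from the page or from the yp-tools package) parses constructed rpcinfo -p output of the shape shown above and reports whether the portmapper and ypbind are both registered for version 2 over udp and tcp, naming what is missing otherwise. The same logic is usable in a startup script or a monitoring check by feeding it the real command output.

```python
# Constructed 'rpcinfo -p localhost' output in the shape shown on the page.
SAMPLE_RPCINFO_P = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    758  ypbind
    100007    1   udp    758  ypbind
    100007    2   tcp    761  ypbind
    100007    1   tcp    761  ypbind
"""

PORTMAPPER = 100000   # RPC program numbers as they appear in the output
YPBIND = 100007


def parse_rpcinfo_p(text):
    """Parse 'rpcinfo -p' lines into dicts; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].isdigit():
            continue
        program, version, proto, port, name = parts[:5]
        entries.append({"program": int(program), "version": int(version),
                        "proto": proto, "port": int(port), "name": name})
    return entries


def registered_protos(entries, program, version):
    """Set of transports over which (program, version) is registered."""
    return {e["proto"] for e in entries
            if e["program"] == program and e["version"] == version}


def ypbind_ready(entries):
    """The page's check: ypbind must have registered version 2 with the
    portmapper over both udp and tcp; version 1 lines are optional."""
    return (registered_protos(entries, PORTMAPPER, 2) >= {"udp", "tcp"}
            and registered_protos(entries, YPBIND, 2) >= {"udp", "tcp"})


def missing(entries):
    """List what is absent, for a short diagnostic message."""
    out = []
    for program, name in ((PORTMAPPER, "portmapper"), (YPBIND, "ypbind")):
        for proto in ("udp", "tcp"):
            if proto not in registered_protos(entries, program, 2):
                out.append(f"{name} v2 over {proto}")
    return out


if __name__ == "__main__":
    entries = parse_rpcinfo_p(SAMPLE_RPCINFO_P)
    print("ypbind ready:", ypbind_ready(entries), "missing:", missing(entries))
```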
+miquels:::::::
+ed:::::::
+dth:::::::
+@sysadmins:::::::
-ftp
+:
Note that in Linux you can also override the password field, as we did in this example. We also remove the login ftp, so it isn't known any longer, and anonymous ftp will not work.
The netgroup would look like:
sysadmins (-,software,) (-,kukuk,)
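The +/- entries decide who can log in on an NIS client, so it is worth checking what a given /etc/passwd actually resolves to before relying on it. The following added Python example (my own model, not glibc's code) applies a simplified version of the compat rules to a constructed NIS passwd map and netgroup, using the page's two /etc/passwd layouts: entries are processed in order, the first + or - line that names a user decides for that user, +@netgroup expands the netgroup's user field, a bare + takes every NIS user not yet decided, and non-empty fields after +name override the NIS fields (as in +linux::::::/bin/ksh). The account names and netgroup are constructed sample data.

```python
import re

# Constructed NIS passwd map, what 'ypcat passwd' would return; none of these are real accounts.
NIS_PASSWD = {
    "miquels":  "miquels:x:1001:100:Miquel:/home/miquels:/bin/bash",
    "ed":       "ed:x:1002:100:Ed:/home/ed:/bin/bash",
    "dth":      "dth:x:1003:100:Dth:/home/dth:/bin/bash",
    "software": "software:x:1004:100:Software:/home/software:/bin/bash",
    "kukuk":    "kukuk:x:1005:100:Kukuk:/home/kukuk:/bin/bash",
    "ftp":      "ftp:x:40:40:FTP:/var/ftp:/bin/false",
    "guest":    "guest:x:2000:100:Guest:/home/guest:/bin/bash",
    "linux":    "linux:x:2001:100:Linux:/home/linux:/bin/bash",
}

# Constructed netgroup map in the (host,user,domain) format shown on the page.
NETGROUP_MAP = ["sysadmins (-,software,) (-,kukuk,)"]

# The page's first layout: exclude guest, give linux a ksh shell, take everyone else.
PASSWD_A = ["root:x:0:0:root:/root:/bin/bash", "-guest", "+linux::::::/bin/ksh", "+::::::"]
# The page's second layout, as printed there.
PASSWD_B = ["root:x:0:0:root:/root:/bin/bash", "+miquels:::::::", "+ed:::::::",
            "+dth:::::::", "+@sysadmins:::::::", "-ftp", "+:"]


def parse_netgroups(lines):
    """'name (host,user,domain) ...' -> {name: [(host, user, domain), ...]}"""
    groups = {}
    for line in lines:
        name, _, rest = line.partition(" ")
        triples = re.findall(r"\(([^,)]*),([^,)]*),([^)]*)\)", rest)
        groups[name] = [tuple(field.strip() for field in t) for t in triples]
    return groups


def netgroup_users(groups, name):
    """User fields of a netgroup; '-' in a triple means 'no user'."""
    return [user for (_host, user, _domain) in groups.get(name, []) if user and user != "-"]


def merge_compat(passwd_lines, nis_passwd, netgroups):
    """Simplified model of the compat rules (assumption: the first decision about
    a user wins). Returns the merged passwd entries as lists of fields."""
    result, decided = [], set()
    for line in passwd_lines:
        if not line or line.startswith("#"):
            continue
        if line[0] not in "+-":            # ordinary local entry
            fields = line.split(":")
            result.append(fields)
            decided.add(fields[0])
            continue
        sign, body = line[0], line[1:]
        spec, *overrides = body.split(":")
        if spec.startswith("@"):           # +@netgroup / -@netgroup
            names = netgroup_users(netgroups, spec[1:])
        elif spec:                         # +user / -user
            names = [spec]
        else:                              # bare +: everyone not yet decided
            names = list(nis_passwd)
        for name in names:
            if name in decided:
                continue
            decided.add(name)
            if sign == "-" or name not in nis_passwd:
                continue                   # excluded, or unknown to NIS
            fields = nis_passwd[name].split(":")
            for i, value in enumerate(overrides, start=1):
                if value and i < len(fields):   # non-empty field overrides NIS
                    fields[i] = value
            result.append(fields)
    return result


def merged_names(passwd_lines):
    groups = parse_netgroups(NETGROUP_MAP)
    return [f[0] for f in merge_compat(passwd_lines, NIS_PASSWD, groups)]


def shell_of(passwd_lines, user):
    groups = parse_netgroups(NETGROUP_MAP)
    for fields in merge_compat(passwd_lines, NIS_PASSWD, groups):
        if fields[0] == user:
            return fields[6]
    return None


if __name__ == "__main__":
    print("layout A:", merged_names(PASSWD_A), "linux shell:", shell_of(PASSWD_A, "linux"))
    print("layout B:", merged_names(PASSWD_B), "ftp shell:", shell_of(PASSWD_B, "ftp"))
```

The model does not cover everything glibc's compat source does (the shadow map, for instance), but it is enough to see that with the second layout ftp disappears entirely while the remaining NIS users still appear through the trailing + line, and that with the first layout linux keeps all its NIS fields except the shell.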
The Network Services switch file /etc/nsswitch.conf determines the order of lookups performed when a certain piece of information is requested, just like the /etc/host.conf file which determines the way host lookups are performed. For example, the line:
hosts: files nis dns
specifies that host lookup functions should first look in the local /etc/hosts file, followed by an NIS lookup and finally through the domain name service (/etc/resolv.conf and named), at which point if no match is found an error is returned. This file must be readable for every user! You can find more information in the man page nsswitch.5 or nsswitch.conf.5.
A good /etc/nsswitch.conf file for NIS is:
# /etc/nsswitch.conf
passwd: compat
group: compat
# For libc5, you must use shadow: files nis
shadow: compat
passwd_compat: nis
group_compat: nis
shadow_compat: nis
hosts: nis files dns
services: nis files
networks: nis files
protocols: nis files
rpc: nis files
ethers: nis files
netmasks: nis files
netgroup: nis
bootparams: nis files
publickey: nis files
automount: files
aliases: nis files
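Lookup order is a security setting: with hosts: nis files dns an entry in the NIS hosts map shadows the same name in the local /etc/hosts, whereas files nis dns lets the local file win. This added Python example (not part of the page) parses an nsswitch.conf of the form above and resolves names against three constructed sources in the configured order, first hit wins, so both orders can be compared. The real file also allows action tokens such as [NOTFOUND=return], which this parser does not model; the host tables are constructed sample data.

```python
# The page's recommended nsswitch.conf, trimmed to the databases used below (constructed copy).
SAMPLE_NSSWITCH = """
# /etc/nsswitch.conf
passwd: compat
group: compat
shadow: compat
passwd_compat: nis
group_compat: nis
shadow_compat: nis
hosts: nis files dns
services: nis files
netgroup: nis
"""

# Constructed stand-ins for the three host sources: /etc/hosts, the NIS hosts map and DNS.
HOST_SOURCES = {
    "files": {"localhost": "127.0.0.1", "printer": "192.168.0.50"},
    "nis":   {"printer": "10.0.0.50", "fileserver": "10.0.0.10"},
    "dns":   {"www.example.com": "192.0.2.10"},   # TEST-NET-1 address, constructed
}


def parse_nsswitch(text):
    """Map each database name to its ordered list of sources."""
    order = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # comments and blank lines carry nothing
        if not line:
            continue
        database, _, sources = line.partition(":")
        order[database.strip()] = sources.split()
    return order


def lookup(order, database, key, sources):
    """Try each configured source in turn; the first hit wins. Returns
    (value, source) or None when every source was tried without a match."""
    for source in order.get(database, []):
        table = sources.get(source, {})
        if key in table:
            return table[key], source
    return None


if __name__ == "__main__":
    recommended = parse_nsswitch(SAMPLE_NSSWITCH)
    files_first = parse_nsswitch("hosts: files nis dns")
    for name in ("printer", "localhost", "www.example.com", "nosuch"):
        print(name, "->", lookup(recommended, "hosts", name, HOST_SOURCES),
              "| files first:", lookup(files_first, "hosts", name, HOST_SOURCES))
```

Running it shows printer resolving to the NIS address under the recommended order and to the /etc/hosts address when files comes first; that difference is exactly what an attacker-controlled or stale NIS map would exploit, so pick the order deliberately.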
The Server Program ypserv
If you run your server as master, determine what files you require to be available via NIS and then add or remove the appropriate entries to the all rule in /var/yp/Makefile. You should always look at the Makefile and edit the options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached. This means you have to call makedbm always with the -c option if you create new maps. Make sure you are using the new /var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in the Makefile. If you don't do that, ypserv will continue to use the old maps, and not the updated one.
Now edit /var/yp/securenets and /etc/ypserv.conf. For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command « rpcinfo -u localhost ypserv » should output something like:
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
The version 1 line could be missing, depending on the ypserv version and configuration you are using. It is only necessary if you have old SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run:
% /usr/lib/yp/ypinit -m
On a slave make sure that ypwhich -m works. This means that your slave must be configured as an NIS client before you can run « /usr/lib/yp/ypinit -s masterhost » to install the host as an NIS slave. That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode on different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS master. This will update a map if the source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a map.
You might want to edit root's crontab on the slave servers and add the following lines (the ypxfr_* scripts ship with ypserv):
20 *    * * *    /usr/lib/yp/ypxfr_1perhour
40 6    * * *    /usr/lib/yp/ypxfr_1perday
55 6,18 * * *    /usr/lib/yp/ypxfr_2perday
This will ensure that most NIS maps are kept up-to-date, even if an update is missed because the slave was down at the time the update was done on the master.
You can add a slave at any time later. At first, make sure that the new slave server has permission to contact the NIS master. Then run:
% /usr/lib/yp/ypinit -s masterhost
on the new slave. On the master server, add the new slave server name to /var/yp/ypservers and run make in /var/yp to update the map.
rpc.ypxfrd is used for speeding up the transfer of very large NIS maps from an NIS master to NIS slave servers. If an NIS slave server receives a message that there is a new map, it will start ypxfr for transferring the new map. ypxfr will read the contents of a map from the master server using the yp_all() function. This process can take several minutes if there are very large maps which have to be stored by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, so that there is no need for building a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slowly, it should be started with ypserv. You need to start rpc.ypxfrd only on the NIS master server.
Whenever users change their passwords, the NIS password database and probably other NIS databases, which depend on the NIS password database, should be updated. The program rpc.yppasswdd is a server that handles password changes and makes sure that the NIS information will be updated accordingly. rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any longer. The rpc.yppasswdd in ypserv 1.3.2 has full shadow support. yppasswd is now part of yp-tools-2.2.tar.gz.
You need to start rpc.yppasswdd only on the NIS master server. By default, users are not allowed to change their full name or the login shell. You can allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are in a directory other than /etc, you need to add the -D option. For example, if you have put all source files in /etc/yp and want to allow the user to change his shell, you need to start rpc.yppasswdd with the following parameters:
rpc.yppasswdd -D /etc/yp -e chsh
or
rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh
There is nothing more to do. You just need to make sure that rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors will be logged using syslog.
If everything is fine (as it should be), you should be able to verify your installation with a few simple commands. Assuming, for example, your passwd file is being supplied by NIS, the command:
% ypcat passwd
should give you the contents of your NIS passwd file. The command:
% ypmatch userid passwd
(where userid is the login name of an arbitrary user) should give you the user's entry in the NIS passwd file. The ypcat and ypmatch programs should be included with your distribution of traditional NIS or NYS.
Once you have NIS correctly configured on the server and client, you do need to be sure that the configuration will survive a reboot. On RedHat, create or edit the variable NISDOMAIN in the file /etc/sysconfig/network.
Key terms, files and utilities :
Slapd
slapd.conf
test
PAM (Pluggable Authentication Modules) is a flexible mechanism for authenticating users.
Since the beginnings of UNIX, authenticating a user has been accomplished via the user entering a password and the system checking if the entered password corresponds to the encrypted official password that is stored in /etc/passwd. The idea being that only the user knows that password. That was in the beginning. Since then, a number of new ways of authenticating users have become popular. Including more complicated replacements for the /etc/passwd file, and hardware devices, smart cards etc. The problem is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd etc...) to be rewritten to support it.
PAM provides a way to develop programs that are independent of the authentication scheme. These programs need authentication modules to be attached to them at run-time in order to work. Which authentication module is to be attached is dependent upon the local system setup and is at the discretion of the local system administrator.
PAM authentication
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.
Historically an application that has required a given user to be authenticated has had to be compiled to use a specific authentication mechanism. For example, in the case of traditional UNIX authentication
Unfortunately, increases in the speed of computers and the widespread introduction of network based computing have made once secure authentication mechanisms, such as this, vulnerable to attack. In the light of such realities, new methods of authentication are continuously being developed.
It is the purpose of the Linux-PAM project to separate the development of privilege granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated. This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/), to authenticate a user request via the locally available authentication modules. The modules themselves will usually be located in the directory /lib/security and take the form of dynamically loadable object files (see dlopen(3)).
PAM authentication
Overview
For the uninitiated, we begin by considering an example. We take an application that grants some service to users; login is one such program. Login does two things: it first establishes that the requesting user is whom they claim to be and second provides them with the requested service; in the case of login the service is a command shell (bash, tcsh, zsh, etc.) running with the identity of the user.
Traditionally, the former step is achieved by the login application prompting the user for a password and then verifying that it agrees with that located on the system; thereby verifying that as far as the system is concerned the user is who they claim to be. This is the task that is delegated to Linux-PAM.
From the perspective of the application programmer (in this case the person that wrote the login application), Linux-PAM takes care of this authentication task -- verifying the identity of the user.
PAM authentication
The flexibility of Linux-PAM is that you, the system administrator, have the freedom to stipulate which authentication scheme is to be used. You have the freedom to set the scheme for any/all PAM-aware applications on your Linux system. That is, you can authenticate from anything as trivial as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice
Description: The applicant should be able to configure a DHCP server and set absence options, make a subnet, and make a dynamically-allocated range. This cold includes abacus a changeless host, ambience options for a individual host, and abacus bootp hosts. Aswell included is to configure a DHCP broadcast agent, and reload the DHCP server afterwards authoritative changes.
Key files, terms, and utilities include:
dhcpd.conf
dhcpd.leases
Most humans account this will allready understand the DHCP protocol. Just as a quick reminder.
DHCP stands for Activating Host Agreement Agreement and is frequently acclimated to deliver specific arrangement settings in networks. Settings such as the absence gateway, nameservers, IP addresses and abundant more.
As for a baby analogy of the agreement itself.
After the accession of dhcpd the capital agreement book can be begin at /etc/dhcpd.conf. For Debian installations, one should adapt /etc/default/dhcp as anon as the accession is accomplished and change the afterward band according to your setup.
INTERFACES=eth1 # or eth1 eth2, whatever interfaces you ambition to serve ips.
The dhcpd.conf book is disconnected in all-around ambit and subnet specific parameters. Anniversary subnet can override the all-around parameters. The alotof frequently acclimated ambit are the following.
advantage domain-name example.com;
advantage domain-name-servers 192.168.0.1, 193.190.63.172
advantage subnet-mask 255.255.255.0; # all-around Subnet mask
default-lease-time 600; # Abnormal anniversary DHCP charter is accepted and afterwards which a appeal for the aforementioned ip is launched.
max-lease-time 7200; # If DHCP server does not respond, accumulate IP till 7200 abnormal are passed.
subnet 192.168.0.0 netmask 255.255.255.240
subnet 192.168.0.16 netmask 255.255.255.224
accumulation
host server2
}
This archetype is just accouterment a adumbration about accessible options and overrides.
More advice can be begin on dhcpd.conf and dhcp-options in man pages. Attending in those pages too for advice about using the DHCP server to serve BOOTP as well, usefull for diskless clients.
Description: The applicant should be able to configure an NIS server and make NIS maps for above agreement files. This cold includes configuring a arrangement as a NIS client, ambience up an NIS bondservant server, and configuring adeptness to seek bounded files, DNS, NIS, etc. in nsswitch.conf.
Key files, terms, and utilities include:
nisupdate, ypbind, ypcat, ypmatch, ypserv, ypswitch, yppasswd, yppoll, yppush, ypwhich, rpcinfo
nis.conf, nsswitch.conf, ypserv.conf
/etc/nis/netgroup
/etc/nis/nicknames
/etc/nis/securenets
NIS stands for Arrangement Advice Service. Its purpose is to accommodate information, that has to be accepted throughout the network, to all machines on the network. Advice acceptable to be broadcast by NIS is login names/passwords/home directories (/etc/passwd) and accumulation advice (/etc/group)
If, for example, your countersign access is recorded in the NIS passwd database, you will be able to login on all machines on the arrangement which accept the NIS applicant programs running.
Within a arrangement there haveto be at atomic one apparatus acting as a NIS server. You can accept assorted NIS servers, anniversary confined altered NIS domains - or you can accept allied NIS servers, area one is the adept NIS server, and all the additional are alleged bondservant NIS servers (for a assertive NIS domain, that is!) - or you can accept a mix of them...
Slave servers alone accept copies of the NIS databases and accept these copies from the adept NIS server whenever changes are create to the masters databases. Depending on the amount of machines in your arrangement and the believability of your network, you ability adjudge to install one or added bondservant servers. Whenever a NIS server goes down or is too apathetic in responding to requests, a NIS applicant affiliated to that server will try to acquisition one that is up or faster.
NIS databases are in alleged DBM format, acquired from ASCII databases. For example, the files /etc/passwd and /etc/group can be anon adapted to DBM architecture using ASCII-to-DBM adaptation software (makedbm, included with the server software). The adept NIS server should accept both, the ASCII databases and the DBM databases.
Slave servers will be notified of any change to the NIS maps, (via the yppush program), and automatically retrieve the all-important changes in adjustment to accord their databases. NIS audience do not charge to do this back they consistently allocution to the NIS server to apprehend the advice stored in its DBM databases.
To run any of the software mentioned beneath you will charge to run the program /usr/sbin/portmap.
The RPC portmapper (portmap(8)) is a server that converts RPC program numbers into TCP/IP (or UDP/IP) agreement anchorage numbers. It haveto be active in adjustment to create RPC calls (which is what the NIS/NIS+ applicant software does) to RPC servers (like a NIS or NIS+ server) on that machine. If an RPC server is started, it will acquaint portmap what anchorage amount it is alert to, and what RPC program numbers it is able to serve. If a applicant wishes to create an RPC alarm to a accustomed program number, it will first acquaintance portmap on the server apparatus to actuate the anchorage amount area RPC packets should be sent.
Since RPC servers could be started by inetd(8), portmap should be active afore inetd is started.
For defended RPC, the portmapper needs the Time service. Create sure, that the Time account is enabled in /etc/inetd.conf on all hosts:
# Time account is acclimated for alarm syncronization.
#
time beck tcp nowait basis internal
time dgram udp delay basis internal
IMPORTANT: Dont overlook to restart inetd afterwards changes on its agreement book !
What do you charge to set up NIS?
Determine whether you are a Server, Bondservant or Applicant :
Your apparatus is traveling to be allotment of a arrangement with absolute NIS servers
You do not accept any NIS servers in the arrangement yet
In the first case, you alone charge the applicant programs (ypbind, ypwhich, ypcat, yppoll, ypmatch). The alotof important program is ypbind. This program haveto be active at all times, which means, it should consistently arise in the account of processes. It is a apparition action and needs to be started from the systems startup book (eg. /etc/init.d/nis, /sbin/init.d/ypclient, /etc/rc.d/init.d/ypbind, /etc/rc.local). As anon as ypbind is active your arrangement has become a NIS client.
In the additional case, if you dont accept NIS servers, then you will aswell charge a NIS server program (usually alleged ypserv). Area 9 describes how to set up a NIS server on your Linux apparatus using the ypserv daemon.
The ypbind apparition
Newer ypbind versions accept a agreement book alleged /etc/yp.conf. You can hardcode a NIS server there - for added advice see the chiral page for ypbind(8). You aswell charge this book for NYS. An example:
ypserver 10.10.0.1
ypserver 10.0.100.8
ypserver 10.3.1.1
If the arrangement cam resolv the hostnames after NIS, you may use the name, contrarily you accept to use the IP address. ypbind 3.3 has a bug and will alone use the endure access (ypserver 10.3.1.1 in the example). All additional entries are ignored. ypbind-mt handle this actual and uses that one, which answerd at first.
It ability be a acceptable abstraction to analysis ypbind afore accumulation it in the startup files. To analysis ypbind do the following:
Make abiding you accept your YP-domain name set. If it is not set then affair the command:
/bin/domainname nis.domain
where nis.domain should be some cord _NOT_ commonly associated with the DNS-domain name of your machine! The cause for this is that it makes it a little harder for alien absurd to retreive the countersign database from your NIS servers. If you dont understand what the NIS area name is on your network, ask your system/network administrator.
Start up /usr/sbin/portmap if it is not already running.
Create the agenda /var/yp if it does not exist.
Start up /usr/sbin/ypbind
Use the command rpcinfo -p localhost to analysis if ypbind was able to annals its account with the portmapper. The achievement should attending like:
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 637 ypbind
100007 2 tcp 639 ypbind
Or like this (depending on the adaptation of ypbind you are using) :
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100007 2 udp 758 ypbind
100007 1 udp 758 ypbind
100007 2 tcp 761 ypbind
100007 1 tcp 761 ypbind
You may aswell run rpcinfo -u localhost ypbind. This command should aftermath something like:
program 100007 adaptation 1 accessible and waiting
program 100007 adaptation 2 accessible and waiting
The achievement depends on the ypbind adaptation you accept installed. Important is alone the adaptation 2 message.
At this point you should be able to use NIS client programs like ypcat, etc. For example, ypcat passwd.byname will give you the entire NIS password database.
IMPORTANT: If you skipped the test procedure, make sure you have set the domain name and created the directory /var/yp. This directory MUST exist for ypbind to start up successfully.
To check whether the domain name is set correctly, use /bin/ypdomainname from yp-tools 2.2. It uses the yp_get_default_domain() function, which is more restrictive: it does not accept, for example, the "(none)" domain name, which is the default under Linux and causes a lot of problems.
If the test worked you may now want to change your startup files so that ypbind is started at boot time and your system acts as a NIS client. Make sure that the domain name is set before you start ypbind.
Well, that's it. Reboot the machine and watch the boot messages to see whether ypbind is actually started.
For host lookups you must set (or add) nis to the lookup order line in your /etc/host.conf file. Please read the manpage resolv+(8) for more details.
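The client checks above (domain name set, /var/yp present, ypbind registered with the portmapper) can be scripted. The following is an added example, not code from the original page or from the NIS tools themselves: it never calls rpcinfo or ypdomainname, but parses a constructed copy of the second rpcinfo listing shown above so that it runs offline; on a real client substitute the live values as shown in the comment. It assumes only a POSIX sh and an awk.

```shell
#!/bin/sh
# Added example, not part of the original page: a client-side sanity check that
# mirrors the manual steps above (domain name set, /var/yp present, ypbind
# registered with the portmapper). Nothing here calls rpcinfo or ypdomainname
# itself; the rpcinfo listing below is a constructed copy of the second layout
# shown above, so the script runs offline. Assumed: an awk and a POSIX sh.

# 0 if the NIS domain name is usable: non-empty and not the Linux default "(none)".
nis_domain_ok() {
    case "$1" in
        ""|"(none)") return 1 ;;
        *)           return 0 ;;
    esac
}

# Reads `rpcinfo -p` output on stdin; 0 if ypbind (RPC program 100007) has
# registered protocol version 2 on both udp and tcp, the only version the
# text says matters.
ypbind_v2_registered() {
    awk '$1 == 100007 && $2 == 2 { seen[$3] = 1 }
         END { exit !(seen["udp"] && seen["tcp"]) }'
}

# Runs all three checks. Domain name, rpcinfo output and ypbind directory are
# arguments so the live values can be substituted on a real client:
#   check_client "$(ypdomainname)" "$(rpcinfo -p localhost)" /var/yp
check_client() {
    domain=$1; rpcinfo_output=$2; yp_dir=${3:-/var/yp}
    nis_domain_ok "$domain" ||
        { echo "NIS domain name is not set (or is '(none)')" >&2; return 1; }
    [ -d "$yp_dir" ] ||
        { echo "$yp_dir does not exist; ypbind will not start" >&2; return 1; }
    printf '%s\n' "$rpcinfo_output" | ypbind_v2_registered ||
        { echo "ypbind has not registered version 2 with the portmapper" >&2; return 1; }
    echo "NIS client looks ready (domain $domain)"
}

# Constructed sample of `rpcinfo -p localhost` (newer ypbind layout).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100007    2   udp    758  ypbind
    100007    1   udp    758  ypbind
    100007    2   tcp    761  ypbind
    100007    1   tcp    761  ypbind'

# Constructed sample in which ypbind never registered.
SAMPLE_NO_YPBIND='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

check_client example-nis "$SAMPLE_RPCINFO" /tmp
check_client example-nis "$SAMPLE_NO_YPBIND" /tmp || echo "(expected failure above)"
```

The /tmp argument in the two demonstration calls stands in for /var/yp so the script can run on a machine that is not a NIS client; the domain name check is deliberately stricter than "is it set", because "(none)" is exactly the value ypdomainname from yp-tools refuses.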
Add the following line to /etc/passwd on your NIS clients:
+::::::
You can also use the + and - characters to include/exclude or change users. If you want to exclude the user guest, just add -guest to your /etc/passwd file. You want to use a different shell (e.g. ksh) for the user linux? No problem, just add +linux::::::/bin/ksh to your /etc/passwd. Fields that you don't want to change have to be left empty. You can also use netgroups for user control.
For example, to allow login access only to miquels, dth and ed, and all members of the sysadmins netgroup, but to have the account data of all other users available, use:
+miquels:::::::
+ed:::::::
+dth:::::::
+@sysadmins:::::::
-ftp
+:
Note that under Linux you can also override the password field, as we did in this example. We also remove the login ftp, so it isn't known any longer, and anonymous ftp will not work.
The netgroup would look like:
sysadmins (-,software,) (-,kukuk,)
The Name Service Switch file /etc/nsswitch.conf determines the order of lookups performed when a certain piece of information is requested, just like the /etc/host.conf file determines the way host lookups are performed. For example, the line:
hosts: files nis dns
specifies that host lookup functions should first look in the local /etc/hosts file, followed by a NIS lookup and finally the domain name service (/etc/resolv.conf and named), at which point, if no match is found, an error is returned. This file must be readable by every user! You can find more information in the man page nsswitch(5) or nsswitch.conf(5).
A good /etc/nsswitch.conf file for NIS is:
# /etc/nsswitch.conf
passwd: compat
group: compat
# For libc5, you must use shadow: files nis
shadow: compat
passwd_compat: nis
group_compat: nis
shadow_compat: nis
hosts: nis files dns
services: nis files
networks: nis files
protocols: nis files
rpc: nis files
ethers: nis files
netmasks: nis files
netgroup: nis
bootparams: nis files
publickey: nis files
automount: files
aliases: nis files
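Two things about this file are worth checking mechanically: that it is readable by every user, as the text insists, and in which order each database consults its sources, since the sample above puts nis before files for hosts (so a NIS entry wins over /etc/hosts) while the earlier example line puts files first. The following is an added example, not code from the original page or from glibc: it parses a constructed excerpt of the sample configuration written to a temporary file, so it runs offline; point the functions at /etc/nsswitch.conf on a real system. It assumes a POSIX sh, awk and an ls -l in the usual column layout.

```shell
#!/bin/sh
# Added example, not from the original page: print the lookup order that an
# nsswitch.conf gives for a database and apply two checks the text implies:
# the file must be readable by every user, and whether "nis" comes before
# "files" decides whether NIS answers override the local /etc files (as the
# sample above does for hosts). The file parsed here is a constructed copy of
# part of that sample, written to a temporary file so the script runs offline;
# point the functions at /etc/nsswitch.conf on a real system.

# nss_sources <file> <database>: the sources for the database, one per line,
# ignoring comments and "[status=action]" selectors.
nss_sources() {
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":")   { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }
    ' "$1"
}

# nis_before_files <file> <database>: 0 if "nis" is consulted before "files".
nis_before_files() {
    nss_sources "$1" "$2" | awk '
        $1 == "nis"   { if (!seen_files) found = 1 }
        $1 == "files" { seen_files = 1 }
        END { exit !found }'
}

# world_readable <file>: 0 if the "other" read bit is set (column 8 of ls -l).
world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c8)" = r ]
}

# report <file> <database>: human-readable summary of the above.
report() {
    printf '%-10s %s\n' "$2:" "$(nss_sources "$1" "$2" | tr '\n' ' ')"
    nis_before_files "$1" "$2" &&
        echo "           note: NIS entries take precedence over the local file for $2"
    return 0
}

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of the nsswitch.conf shown above
passwd:     compat
group:      compat
shadow:     compat
passwd_compat: nis
hosts:      nis files dns
services:   nis files
netgroup:   nis
EOF
chmod 644 "$SAMPLE"

for db in passwd hosts services; do report "$SAMPLE" "$db"; done
world_readable "$SAMPLE" || echo "$SAMPLE is not readable by every user" >&2
```

The compat databases (passwd, group, shadow) list only "compat" and so never trigger the precedence note; for them the +/- entries in /etc/passwd described above, not this file, decide what NIS may add or override.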
The Server Program ypserv
If you run your server as master, determine which files you require to be available via NIS and then add or remove the appropriate entries in the "all" rule in /var/yp/Makefile. You should always look at the Makefile and edit the options at the beginning of the file.
There was one big change between ypserv 1.1 and ypserv 1.2. Since version 1.2, the file handles are cached. This means you always have to call makedbm with the -c option when you create new maps. Make sure you are using the new /var/yp/Makefile from ypserv 1.2 or later, or add the -c flag to makedbm in the Makefile. If you don't do that, ypserv will continue to use the old maps, not the updated ones.
Now edit /var/yp/securenets and /etc/ypserv.conf. securenets is the list of networks that are allowed to query the server at all, so restrict it to your own subnets rather than relying on the domain name. For more information, read the ypserv(8) and ypserv.conf(5) manual pages.
Make sure the portmapper (portmap(8)) is running, and start the server ypserv. The command "rpcinfo -u localhost ypserv" should output something like:
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
The version 1 line could be missing, depending on the ypserv version and configuration you are using. It is only necessary if you have old SunOS 4.x clients.
Now generate the NIS (YP) database. On the master, run:
% /usr/lib/yp/ypinit -m
On a slave, make sure that ypwhich -m works. This means that your slave must be configured as a NIS client before you can run "/usr/lib/yp/ypinit -s masterhost" to install the host as a NIS slave. That's it, your server is up and running.
If you have bigger problems, you could start ypserv and ypbind in debug mode in different xterms. The debug output should show you what goes wrong.
If you need to update a map, run make in the /var/yp directory on the NIS master. This will rebuild a map if its source file is newer, and push the files to the slave servers. Please don't use ypinit for updating a map.
You might want to edit root's crontab on each slave so that maps are re-fetched on a schedule. Only the minute and hour fields of these three lines (20 *, 40 6, 55 6,18) survived on this page; the commands shown here are assumed to be the ypxfr_1perhour, ypxfr_1perday and ypxfr_2perday helper scripts that ypserv installs under /usr/lib/yp, which is what those schedules correspond to:
20 *    * * *   /usr/lib/yp/ypxfr_1perhour
40 6    * * *   /usr/lib/yp/ypxfr_1perday
55 6,18 * * *   /usr/lib/yp/ypxfr_2perday
This will ensure that most NIS maps are kept up to date, even if an update is missed because the slave was down when the update was done on the master.
You can add a slave at any time later. First, make sure that the new slave server has permission to contact the NIS master. Then run:
% /usr/lib/yp/ypinit -s masterhost
on the new slave. On the master server, add the new slave server's name to /var/yp/ypservers and run make in /var/yp to update the map.
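The master-side half of that step is easy to get wrong by listing a host twice or forgetting the make afterwards. The following is an added example, not code from the original page or from ypserv: it appends the slave to the ypservers file only if it is not already there and then runs make in that file's directory, exactly as the text describes. The file path and the make step are parameters so that the function can be exercised here against a scratch file (make is skipped); on the real master call it as add_slave slave.example.com after ypinit -s has been run on the slave. It assumes a POSIX sh and grep.

```shell
#!/bin/sh
# Added example, not from the original page: the master-side step of adding a
# slave, done idempotently. The host is appended to /var/yp/ypservers only if
# it is not already listed, and then make is run in /var/yp to rebuild the
# ypservers map and push the maps, as described above. The file path and the
# make step are parameters so the function can be exercised against a scratch
# file here (make is skipped); on the real master call it as
#   add_slave slave.example.com
# after "ypinit -s masterhost" has been run on the slave.

# add_slave <slavehost> [ypservers-file] [run-make: yes|no]
add_slave() {
    slave=$1; servers=${2:-/var/yp/ypservers}; run_make=${3:-yes}
    # ypservers is consumed by the Makefile; refuse anything but a plain hostname.
    case $slave in
        ""|*[!A-Za-z0-9._-]*)
            echo "refusing bad slave name: '$slave'" >&2; return 1 ;;
    esac
    if grep -qx "$slave" "$servers" 2>/dev/null; then
        echo "$slave is already listed in $servers"
    else
        printf '%s\n' "$slave" >> "$servers" || return 1
        echo "added $slave to $servers"
    fi
    [ "$run_make" = no ] || ( cd "$(dirname "$servers")" && make )
}

# Scratch ypservers file, constructed for the demonstration.
SCRATCH=$(mktemp)
add_slave nis-slave1.example.com "$SCRATCH" no
add_slave nis-slave1.example.com "$SCRATCH" no   # second call is a no-op
add_slave nis-slave2.example.com "$SCRATCH" no
```

Remember that listing the slave in ypservers is not what authorises it: the slave still has to be allowed by /var/yp/securenets on the master, which is the "permission to contact the NIS master" the text refers to.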
rpc.ypxfrd is used to speed up the transfer of very large NIS maps from a NIS master to NIS slave servers. When a NIS slave server receives a message that there is a new map, it starts ypxfr to transfer the new map. ypxfr reads the contents of a map from the master server using the yp_all() function. This process can take several minutes if there are very large maps which have to be stored by the database library.
The rpc.ypxfrd server speeds up the transfer process by allowing NIS slave servers to simply copy the master server's map files rather than building their own from scratch. rpc.ypxfrd uses an RPC-based file transfer protocol, so there is no need to build a new map.
rpc.ypxfrd can be started by inetd. But since it starts very slowly, it should be started with ypserv. You need to start rpc.ypxfrd only on the NIS master server.
Whenever users change their passwords, the NIS password database and probably other NIS databases which depend on it should be updated. The program rpc.yppasswdd is a server that handles password changes and makes sure that the NIS information is updated accordingly. rpc.yppasswdd is now integrated in ypserv. You don't need the older, separate yppasswd-0.9.tar.gz or yppasswd-0.10.tar.gz, and you shouldn't use them any longer. The rpc.yppasswdd in ypserv 1.3.2 has full shadow support. yppasswd is now part of yp-tools-2.2.tar.gz.
You need to start rpc.yppasswdd only on the NIS master server. By default, users are not allowed to change their full name or their login shell. You can allow this with the -e chfn or -e chsh option.
If your passwd and shadow files are in a directory other than /etc, you need to add the -D option. For example, if you have put all source files in /etc/yp and want to allow users to change their shell, you need to start rpc.yppasswdd with the following parameters:
rpc.yppasswdd -D /etc/yp -e chsh
or
rpc.yppasswdd -s /etc/yp/shadow -p /etc/yp/passwd -e chsh
There is nothing more to do. You just need to make sure that rpc.yppasswdd uses the same files as /var/yp/Makefile. Errors are logged via syslog.
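The one requirement stated above, that rpc.yppasswdd edits the same files the Makefile reads, can be checked rather than trusted. The following is an added example, not code from the original page or from ypserv: it extracts the source directory from a Makefile fragment and resolves the passwd/shadow paths from an rpc.yppasswdd argument list the way the daemon does from -D, -p and -s. It assumes the Makefile keeps that directory in the variable YPPWDDIR (as the Makefile shipped with ypserv does; the page itself does not name the variable) and that rpc.yppasswdd defaults to /etc/passwd and /etc/shadow when none of those options is given. The Makefile fragment is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: check that the passwd/shadow
# files rpc.yppasswdd is told to edit are the ones /var/yp/Makefile builds the
# maps from, which is the one thing the text says you must get right. Assumed:
# the Makefile keeps the source directory in the variable YPPWDDIR (as the
# Makefile shipped with ypserv does) and rpc.yppasswdd defaults to /etc when
# neither -D nor -p/-s is given. The Makefile fragment below is constructed.

# yppwddir_from_makefile <Makefile>: value of YPPWDDIR, default /etc.
yppwddir_from_makefile() {
    dir=$(awk -F= '$1 ~ /^[[:space:]]*YPPWDDIR[[:space:]]*[?:]?$/ {
                      gsub(/[[:space:]]/, "", $2); print $2; exit }' "$1")
    printf '%s\n' "${dir:-/etc}"
}

# yppasswdd_files <rpc.yppasswdd args...>: prints "<passwd> <shadow>" as the
# daemon would resolve them from -D, -p and -s (other options are ignored).
yppasswdd_files() {
    dir=/etc; passwd=; shadow=
    while [ $# -gt 0 ]; do
        case $1 in
            -D) dir=$2;    shift ;;
            -p) passwd=$2; shift ;;
            -s) shadow=$2; shift ;;
        esac
        shift
    done
    printf '%s %s\n' "${passwd:-$dir/passwd}" "${shadow:-$dir/shadow}"
}

# files_match_makefile <Makefile> <rpc.yppasswdd args...>: 0 if both files
# live in the Makefile's YPPWDDIR.
files_match_makefile() {
    mk=$1; shift
    want=$(yppwddir_from_makefile "$mk")
    set -- $(yppasswdd_files "$@")
    [ "$(dirname "$1")" = "$want" ] && [ "$(dirname "$2")" = "$want" ]
}

MK=$(mktemp)
cat > "$MK" <<'EOF'
# constructed fragment of /var/yp/Makefile: sources moved to /etc/yp
YPSRCDIR = /etc
YPPWDDIR = /etc/yp
EOF

for args in "-D /etc/yp -e chsh" "-e chsh"; do
    if files_match_makefile "$MK" $args; then
        echo "rpc.yppasswdd $args: consistent with $MK"
    else
        echo "rpc.yppasswdd $args: edits $(yppasswdd_files $args), Makefile reads from $(yppwddir_from_makefile "$MK")"
    fi
done
# On the live master, feed it the running daemon's arguments, e.g. with procps:
#   files_match_makefile /var/yp/Makefile $(ps -o args= -C rpc.yppasswdd | cut -d' ' -f2-)
```

The mismatch case is the dangerous one: with the sources in /etc/yp but a plain "rpc.yppasswdd -e chsh", password changes land in /etc/shadow on the master while make keeps publishing the old hashes from /etc/yp, so users believe they changed a password that NIS clients never see.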
If everything is fine (as it should be), you should be able to verify your installation with a few simple commands. Assuming, for example, your passwd file is being supplied by NIS, the command:
% ypcat passwd
should give you the contents of your NIS passwd file. The command:
% ypmatch userid passwd
(where userid is the login name of an arbitrary user) should give you the user's entry in the NIS passwd file. The ypcat and ypmatch programs should be included with your distribution of traditional NIS or NYS.
Once you have NIS correctly configured on the server and client, you need to make sure that the configuration survives a reboot. On RedHat, create or edit the variable NISDOMAIN in the file /etc/sysconfig/network.
Key terms, files and utilities :
Slapd
slapd.conf
test
PAM (Pluggable Authentication Modules) is a flexible mechanism for authenticating users.
Since the beginnings of UNIX, authenticating a user has been achieved by the user entering a password and the system checking whether the entered password corresponds to the encrypted official password stored in /etc/passwd, the idea being that whoever knows the password is that user. That was in the beginning. Since then, a number of new ways of authenticating users have become popular, including more complicated replacements for the /etc/passwd file, and hardware devices such as smart cards. The problem is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd etc.) to be rewritten to support it.
PAM provides a way to develop programs that are independent of the authentication scheme. These programs need authentication modules to be attached to them at run time in order to work. Which authentication module is attached depends on the local system setup and is at the discretion of the local system administrator.
PAM authentication
Linux-PAM (Pluggable Authentication Modules for Linux) is a suite of shared libraries that enable the local system administrator to choose how applications authenticate users.
In other words, without (rewriting and) recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. Indeed, one may entirely upgrade the local authentication system without touching the applications themselves.
Historically an application that required a given user to be authenticated had to be compiled to use a specific authentication mechanism; in the case of traditional UN*X systems, for example, that mechanism was the password check against /etc/passwd described above.
Unfortunately, increases in the speed of computers and the widespread introduction of network-based computing have made once secure authentication mechanisms, such as this, vulnerable to attack. In the light of such realities, new methods of authentication are continuously being developed.
It is the purpose of the Linux-PAM project to separate the development of privilege-granting software from the development of secure and appropriate authentication schemes. This is accomplished by providing a library of functions that an application may use to request that a user be authenticated. This PAM library is configured locally with a system file, /etc/pam.conf (or a series of configuration files located in /etc/pam.d/), to authenticate a user request via the locally available authentication modules. The modules themselves are usually located in the directory /lib/security and take the form of dynamically loadable object files (see dlopen(3)).
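Because the per-service files in /etc/pam.d are what decide which modules an application ends up loading from /lib/security, an administrator wants to be able to read a service's stack back out and spot the "simple trust" case (pam_permit) mentioned later in this section. The following is an added example, not code from the original page or from the Linux-PAM project: it lists the stack for one management group from a pam.d-style file and flags pam_permit in the auth stack. The service files are constructed samples written to a temporary directory so the script runs offline; the line layout "type control module [args]" is the standard pam.d format, and the pam_securetty and pam_unix modules used in the samples are real modules that the page itself does not discuss. It assumes a POSIX sh, awk and sed.

```shell
#!/bin/sh
# Added example, not from the original page: list the module stack that
# /etc/pam.d/<service> configures for one management group (auth, account,
# password or session) and flag pam_permit in the auth stack, the "simple
# trust" case the text mentions. The service files are constructed samples
# written to a temporary directory so the script runs offline; the line
# layout "type control module [args]" is the standard pam.d format, and the
# module names used in the samples (pam_securetty, pam_unix) are real modules
# but not ones the page itself discusses.

# pam_stack <pam.d dir> <service> <type>: "control module" per matching line.
pam_stack() {
    awk -v t="$3" '
        /^[[:space:]]*#/ { next }
        NF == 0          { next }
        $1 == t          { print $2, $3 }
    ' "$1/$2"
}

# auth_trusts_everyone <pam.d dir> <service>: 0 if the auth stack loads
# pam_permit, i.e. any name is accepted without a credential.
auth_trusts_everyone() {
    pam_stack "$1" "$2" auth |
        awk '$2 ~ /^pam_permit(\.so)?$/ { f = 1 } END { exit !f }'
}

PAMD=$(mktemp -d)
cat > "$PAMD/login" <<'EOF'
# constructed sample of /etc/pam.d/login
auth       required   pam_securetty.so
auth       required   pam_unix.so
account    required   pam_unix.so
password   required   pam_unix.so
session    required   pam_unix.so
EOF
cat > "$PAMD/kiosk" <<'EOF'
# constructed sample of a service configured for simple trust
auth       required   pam_permit.so
account    required   pam_permit.so
EOF

for svc in login kiosk; do
    echo "$svc auth stack:"
    pam_stack "$PAMD" "$svc" auth | sed 's/^/    /'
    if auth_trusts_everyone "$PAMD" "$svc"; then
        echo "    WARNING: pam_permit in the auth stack, no credential is checked"
    fi
done
```

Run against a real /etc/pam.d (pam_stack /etc/pam.d login auth) this shows, per service, exactly the choice the text says the administrator makes: the application asks Linux-PAM to authenticate, and the file, not the binary, decides what that means.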
Overview
For the uninitiated, we begin by considering an example. We take an application that grants some service to users; login is one such program. Login does two things: it first establishes that the requesting user is who they claim to be, and second provides them with the requested service. In the case of login the service is a command shell (bash, tcsh, zsh, etc.) running with the identity of the user.
Traditionally, the former step is achieved by the login application prompting the user for a password and then verifying that it agrees with the one stored on the system, thereby verifying that, as far as the system is concerned, the user is who they claim to be. This is the task that is delegated to Linux-PAM.
From the perspective of the application programmer (in this case the person who wrote the login application), Linux-PAM takes care of this authentication task: verifying the identity of the user.
The flexibility of Linux-PAM is that you, the system administrator, have the freedom to stipulate which authentication scheme is to be used. You have the freedom to set the scheme for any/all PAM-aware applications on your Linux system. That is, you can authenticate with anything as naive as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice