NIS Server
NIS master server: builds the source files into databases (maps) and provides them to the slave servers for updates
NIS slave server: uses the master server's databases as its data source
NIS client: asks the master/slave for account authentication
install
portmap    RPC, required
ypbind-1.19-12.el5    NIS client-side configuration software
yp-tools-2.9-0.1    provides the NIS query commands
ypserv-2.19-5.el5    NIS server
Create a user
[root@centos1 ~]# useradd nistest
[root@centos1 ~]# passwd nistest
Changing password for user nistest.
New UNIX password:
BAD PASSWORD: it is too simplistic/systematic
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Set the NIS domain name
vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=centos1
NISDOMAIN=nononis
vim /etc/rc.d/rc.local (sets the NIS domain name at boot)
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/sbin/nisdomainname nononis
vim /etc/ypserv.conf
The most important part of the ypserv.conf main configuration file is restricting which clients and slave servers may query the server.
The format is:
Host : Domain : Map : Security
Host: the client; either a specific IP address or a network range
Domain: the NIS domain name. This has nothing to do with the DNS domain name; they are two separate systems. Within one NIS domain, clients can look up usernames and passwords on the NIS server, and slave servers can synchronise their databases from the master server.
Map: the database names that may be accessed; "*" stands for all databases
Security: the security setting. The three main values are none, port and deny.
none: no restriction; the client may connect to the NIS server.
port: only connections from ports below 1024 may connect to the NIS server.
deny: refuse the connection to the NIS server.
The usual approach is to allow all intranet clients to connect to the NIS server and refuse every other client.
ypserv.conf is evaluated line by line, so pay attention to the order of the rules.
127.0.0.1/255.0.0.0:*:*:none
192.168.1.0/255.255.255.0:*:*:none
*:*:*:deny
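As an added example (not code from the original post), the following Python models how the ypserv.conf access rules above are applied first-match, line by line, to a client address, NIS domain, map name and source port, using the three rules as constructed input. A request that matches no rule is modelled as allowed here, which is why the post ends the list with a catch-all deny; the parser, the rule matching and the "port" handling follow the description given above.

```python
import ipaddress

# Constructed input: the three access rules from the ypserv.conf above.
SAMPLE_CONF = """\
# host : domain : map : security
127.0.0.1/255.0.0.0:*:*:none
192.168.1.0/255.255.255.0:*:*:none
*:*:*:deny
"""

def parse_rules(text):
    """Return (host, domain, map, security) tuples in file order.
    Comments and two-field option lines such as 'dns: no' are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = [p.strip() for p in line.split(":")]
        if len(parts) != 4:
            continue
        host, domain, mapname, security = parts
        if security not in ("none", "port", "deny"):
            raise ValueError(f"unknown security setting in {raw!r}")
        rules.append((host, domain, mapname, security))
    return rules

def host_matches(spec, client_ip):
    """'*', a single address, or address/netmask as written in ypserv.conf."""
    if spec == "*":
        return True
    ip = ipaddress.IPv4Address(client_ip)
    if "/" in spec:
        # strict=False so 127.0.0.1/255.0.0.0 is read as the 127/8 network
        return ip in ipaddress.IPv4Network(spec, strict=False)
    return ip == ipaddress.IPv4Address(spec)

def decide(rules, client_ip, domain, mapname, src_port):
    """First matching rule wins. Returns (allowed, matched_rule); the rule is
    None when the request fell through every line (modelled as allow)."""
    for rule in rules:
        host, dom, mp, sec = rule
        if not host_matches(host, client_ip):
            continue
        if dom not in ("*", domain) or mp not in ("*", mapname):
            continue
        if sec == "none":
            return True, rule
        if sec == "port":        # privileged source port required
            return src_port < 1024, rule
        return False, rule       # deny
    return True, None

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CONF)
    print(decide(rules, "10.0.0.5", "nononis", "passwd.byname", 40000))
```

Swapping the catch-all deny line to the top of the list refuses even the 192.168.1.0/24 clients, which is the ordering pitfall the post warns about.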
Set up /etc/hosts and /etc/netgroup
Edit /etc/hosts and add the following, using vi /etc/hosts:
192.168.1.51 centos1
192.168.1.52 centos2
192.168.1.104 ubuntu
Create the trusted group
The /etc/netgroup file can be used to define the clients the NIS server trusts.
Format: host,user,domain
If this file is empty, all hosts, accounts and domains are accepted. Since the security settings have already been made in /etc/ypserv.conf, and the file does not exist by default, it is enough just to create it.
touch /etc/netgroup
Start the NIS server
[root@centos1 ~]# /etc/init.d/portmap start
Starting portmap: [ OK ]
[root@centos1 ~]# /etc/init.d/ypserv start
Setting NIS domain name nononis: [ OK ]
Starting YP server services: [ OK ]
[root@centos1 ~]# /etc/init.d/yppasswdd start
Starting YP passwd service: [ OK ]
[root@centos1 ~]#
[root@centos1 ~]# rpcinfo -p localhost
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 918 status
100024 1 tcp 921 status
100011 1 udp 767 rquotad
100011 2 udp 767 rquotad
100011 1 tcp 770 rquotad
100011 2 tcp 770 rquotad
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 36423 nlockmgr
100021 3 udp 36423 nlockmgr
100021 4 udp 36423 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 57049 nlockmgr
100021 3 tcp 57049 nlockmgr
100021 4 tcp 57049 nlockmgr
100005 1 udp 794 mountd
100005 1 tcp 797 mountd
100005 2 udp 794 mountd
100005 2 tcp 797 mountd
100005 3 udp 794 mountd
100005 3 tcp 797 mountd
100004 2 udp 845 ypserv
100004 1 udp 845 ypserv
100004 2 tcp 848 ypserv
100004 1 tcp 848 ypserv
100009 1 udp 851 yppasswdd
[root@centos1 ~]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
Build the databases
[root@centos1 ~]# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. centos1 is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a.
next host to add: centos1
next host to add:
The current list of NIS servers looks like this:
centos1
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/nononis/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/nononis'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/nononis'
centos1 has been set up as a NIS master server.
Now you can run ypinit -s centos1 on all slave server.
Notify ypserv and yppasswdd of the database change
[root@centos1 ~]# /etc/init.d/ypserv restart
Stopping YP server services: [ OK ]
Starting YP server services: [ OK ]
[root@centos1 ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service: [ OK ]
Starting YP passwd service: [ OK ]
[root@centos1 ~]#
Database-related settings
[root@centos1 ~]# cd /var/yp/nononis/
[root@centos1 nononis]# ll
total 2196
-rw------- 1 root root 12431 Dec 29 10:55 group.bygid
-rw------- 1 root root 12437 Dec 29 10:55 group.byname
-rw------- 1 root root 12654 Dec 29 10:55 hosts.byaddr
-rw------- 1 root root 12747 Dec 29 10:55 hosts.byname
-rw------- 1 root root 13169 Dec 29 10:55 mail.aliases
-rw------- 1 root root 13358 Dec 29 10:55 netid.byname
-rw------- 1 root root 12557 Dec 29 10:55 passwd.byname
-rw------- 1 root root 12551 Dec 29 10:55 passwd.byuid
-rw------- 1 root root 29211 Dec 29 10:55 protocols.byname
-rw------- 1 root root 14568 Dec 29 10:55 protocols.bynumber
-rw------- 1 root root 16379 Dec 29 10:55 rpc.byname
-rw------- 1 root root 14231 Dec 29 10:55 rpc.bynumber
-rw------- 1 root root 766110 Dec 29 10:55 services.byname
-rw------- 1 root root 1470490 Dec 29 10:55 services.byservicename
-rw------- 1 root root 12349 Dec 29 10:55 ypservers
[root@centos1 nononis]#
Database transfer
vim /var/yp/Makefile
NOPUSH=false
With NOPUSH=false the Makefile pushes rebuilt maps to the slave servers listed in /var/yp/ypservers.
vim /var/yp/ypservers
centos1.nononis
centos2.nononis
[root@centos1 nononis]# /etc/init.d/ypxfrd start
Starting YP map server: [ OK ]
NIS Slave setup
Set the NIS domain name
vim /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=centos2
NISDOMAIN=nononis
vim /etc/rc.d/rc.local (sets the NIS domain name at boot)
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
/sbin/nisdomainname nononis
Add to /etc/ypserv.conf:
127.0.0.1/255.0.0.0:*:*:none
192.168.1.0/255.255.255.0:*:*:none
*:*:*:deny
Set up /etc/hosts and /etc/netgroup
Edit /etc/hosts and add the following, using vi /etc/hosts:
192.168.1.51 centos1
192.168.1.52 centos2
192.168.1.104 ubuntu
touch /etc/netgroup
Start all services and build the database
[root@centos2 ~]# /etc/init.d/portmap start
Starting portmap: [ OK ]
[root@centos2 ~]# /etc/init.d/ypserv start
Starting YP server services: [ OK ]
[root@centos2 ~]#
[root@centos2 ~]# /usr/lib/yp/ypinit -s centos1
We will need a few minutes to copy the data from centos1.
Transferring mail.aliases...
Trying ypxfrd ... success
Transferring protocols.byname...
Trying ypxfrd ... success
Transferring passwd.byname...
Trying ypxfrd ... success
Transferring group.bygid...
Trying ypxfrd ... success
Transferring ypservers...
Trying ypxfrd ... success
Transferring protocols.bynumber...
Trying ypxfrd ... success
Transferring hosts.byname...
Trying ypxfrd ... success
Transferring services.byname...
Trying ypxfrd ... success
Transferring rpc.bynumber...
Trying ypxfrd ... success
Transferring hosts.byaddr...
Trying ypxfrd ... success
Transferring rpc.byname...
Trying ypxfrd ... success
Transferring group.byname...
Trying ypxfrd ... success
Transferring netid.byname...
Trying ypxfrd ... success
Transferring passwd.byuid...
Trying ypxfrd ... success
Transferring services.byservicename...
Trying ypxfrd ... success
centos2's NIS data base has been set up.
If there were warnings, please figure out what went wrong, and fix it.
At this point, make sure that /etc/passwd and /etc/group have
been edited so that when the NIS is activated, the data bases you
have just created will be used, instead of the /etc ASCII files.
Synchronising the slave NIS server
After the master NIS server's data is updated and the databases are regenerated with ypinit -m, the data on the slave NIS server is no longer consistent with the master.
On the slave NIS server we can use the ypxfr command to synchronise the database and keep the data current.
ypxfr -h <master NIS server IP or hostname> <map file>
ypxfr -h centos1 passwd.byname
ypxfr -h centos1 passwd.byuid
This can be written into /etc/crontab so that it runs automatically.
NIS client setup
The client must have the ypbind and yp-tools packages installed.
1. Join the NIS domain
Make sure the client's NIS domain name is the same as the server's. It can be set with the nisdomainname command; then configure the NIS domain name to be set automatically at boot.
[root@fedora12]# nisdomainname nononis
[root@fedora12]# vi /etc/rc.d/rc.local
vi /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=fedora12.nono.com
NISDOMAIN=nononis
vi /etc/hosts
192.168.1.51 centos1
192.168.1.52 centos2
a. Change the following entries in /etc/nsswitch.conf; nis is the newly added part.
passwd: files nis
shadow: files nis
group: files nis
hosts: files dns nis
b. Edit /etc/sysconfig/authconfig
change USENIS=no to USENIS=yes
c. Edit /etc/pam.d/system-auth; nis has been appended to the end of this line
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
d. Edit /etc/yp.conf and add one line
domain nononis server centos1
service ypbind restart
Client checks
The yp-tools package ships with some test tools that help us understand how the NIS client and server are communicating.
1. yptest
The yptest command tests all NIS-related information, including the database contents.
[root@fedora12 ~]# yptest
Test 1: domainname
Configured domainname is "nononis"
Test 2: ypbind
Used NIS server: centos1
Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody)
Test 4: yp_first
nono nono:$1$iIXQMm62$Qh5WRH9X3DMWHYv4D2KzK/:500:500::/home/nono:/bin/bash
Test 5: yp_next
nistest nistest:$1$VyKinLaT$SJYLGOTZ1xuVqR42yQvED1:501:501::/home/nistest:/bin/bash
Test 6: yp_master
centos1
Test 7: yp_order
1262055338
Test 8: yp_maplist
mail.aliases
protocols.byname
passwd.byname
group.bygid
ypservers
protocols.bynumber
hosts.byname
services.byname
rpc.bynumber
hosts.byaddr
rpc.byname
group.byname
netid.byname
passwd.byuid
services.byservicename
Test 9: yp_all
nono nono:$1$iIXQMm62$Qh5WRH9X3DMWHYv4D2KzK/:500:500::/home/nono:/bin/bash
nistest nistest:$1$VyKinLaT$SJYLGOTZ1xuVqR42yQvED1:501:501::/home/nistest:/bin/bash
1 tests failed
[root@fedora12 ~]#
If all the account information from the NIS server appears under Test 9: yp_all, the configuration succeeded; otherwise we need to check the configuration above for problems. The one failure reported here is Test 3, the lookup of the key nobody, which is absent from the passwd.byname map.
2. ypwhich
The ypwhich command mainly tests which database files are used in the communication between the NIS client and server.
Run on its own, ypwhich only shows the NIS server hostname.
-bash-4.0$ ypwhich
centos1
3. ypcat
The ypcat command can display the user account and password information on the NIS server, and can also show which hosts are recorded in the NIS server's /etc/hosts file.
ypcat passwd: show account and password information on the NIS server
ypcat hosts: show which hosts are recorded in the NIS server's /etc/hosts file
4. ypmatch
ypmatch nistest passwd: query the account and password information of the specified user
5. yppasswd
Clients can use the yppasswd command to change their account password.