Network Information Service (NIS)
25.1 Overview
Central information database
Can provide user, group, name resolution, home directory, and authentication information.
Packages
ypserv - Provides the ypserv and yppasswdd daemons. ypserv provides the NIS service and yppasswdd allows users to change their password and possibly their shell and GECOS information (see below). The ypserv package supplies both the ypserv server and the yppasswdd service.
ypbind - Provides the ypbind daemon that is used by clients to connect to an NIS server. ypbind is the client side that contacts the ypserv server.
yp-tools - Provides various NIS client programs.
portmap - Not part of NIS, but required for it to work (the RPC port mapper).
Ports
Assigned by portmap.
Supported NIS Versions
Both ypbind and ypserv support versions 1 & 2.
Topology
Flat namespace. No sub-domains are allowed.
Only one master per domain.
Multiple slave servers are allowed. This provides fault tolerance and load sharing.
Limitations
Low Security - Designed when networks could be trusted (e.g. No sniffers installed, no one tries to bypass the service).
Low Scalability - Replication of data between servers isn't very efficient. NIS has a flat name space that can't be delegated out by subdomain to help ease administration. This limits the use of NIS in larger networks.
Only runs on *nix - Limited use in heterogeneous environments.
25.2 NIS Client Info
Startup
Two options for finding NIS server:
Broadcast
ypbind contacts its NIS server by sending a broadcast message. This can be a security risk, since a rogue NIS server could answer all NIS broadcasts in order to collect authentication information.
/etc/yp.conf (where the client configures the location of its servers)
NIS servers for the client's domain can be listed in this file. This is more secure since clients contact the NIS server directly instead of broadcasting. This file is modified by authconfig when you select NIS authentication.
Configuration
Use authconfig to configure the client machine to use NIS (joining the NIS domain). You must specify the following:
The domain the client will belong to.
An NIS domain server (master or slave).
authconfig automatically starts the ypbind daemon for you.
Configure /etc/nsswitch.conf.
Make sure that "nis" is listed for any information that will be stored in NIS. For example:
passwd: files nis # Check for users in the local system file first, then NIS
shadow: files nis # Same as above, only for the users' passwords
hosts: files nis dns # Check the local files, then NIS, then DNS for host information
The order specified is important. For example, if user steve is defined in both the system files and the NIS map and we have the same setup as the nsswitch.conf file above, the information about user steve (passwd, GECOS, etc.) will be retrieved from the local system files and not from the NIS map.
To change this, we would need to reverse the order listed above for the passwd and shadow entries so that "nis" comes before "files".
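As an added example (not part of the original notes), the following POSIX shell functions read an nsswitch.conf-style configuration from standard input and report, for a given database, the lookup order and whether the local files are consulted before NIS; the configuration text is a constructed sample, with a group line that deliberately puts nis first.

```shell
# nss_sources DB: print the sources configured for database DB (e.g. "files nis")
# from nsswitch.conf content on stdin. Comments and [STATUS=action] tokens are dropped.
nss_sources() {
    nss_db=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip trailing comment
        set -- $line                          # split into "db:" and its sources
        [ "$1" = "$nss_db:" ] || continue
        shift
        out=
        for w in "$@"; do
            case $w in "["*) ;; *) out="$out $w" ;; esac
        done
        echo "${out# }"
        return 0
    done
    return 1                                  # database not configured
}

# nss_local_first DB: succeed if "files" is consulted before "nis" for DB.
# For passwd and shadow this is the safer order: an entry in the NIS map can
# then never shadow a local account such as root on the client.
nss_local_first() {
    for w in $(nss_sources "$1"); do
        case $w in
            files) return 0 ;;
            nis|nisplus) return 1 ;;
        esac
    done
    return 0                                  # NIS not used for this database
}

# Constructed sample: the client configuration from the notes above, plus a
# group line that puts the NIS map ahead of the local files.
SAMPLE_NSSWITCH='passwd:   files nis    # local users first, then NIS
shadow:   files nis
group:    nis files
hosts:    files nis dns'

for db in passwd shadow group hosts; do
    order=$(printf '%s\n' "$SAMPLE_NSSWITCH" | nss_sources "$db")
    if printf '%s\n' "$SAMPLE_NSSWITCH" | nss_local_first "$db"; then
        echo "$db: $order -> local files answer first"
    else
        echo "$db: $order -> NIS answers first (a NIS entry overrides a local one)"
    fi
done
```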
Client Side Tools (overview of the client commands)
ypwhich - Determines which master or slave NIS server the client is using.
ypcat - Used to print keys in an NIS map. For example, to print information in the passwd file:
ypcat passwd
ypchfn - Change your GECOS information in NIS.
yppasswdd must be started with "-e chfn" in order for users to be able to change their GECOS information.
ypchsh - Change your login shell in NIS.
yppasswdd must be started with "-e chsh" in order for users to be able to change their login shell.
yppasswd - Change your NIS password.
yppush - Used to copy NIS information from masters to slaves. Called automatically if "NOPUSH=false" in the /var/yp/Makefile.
ypmatch - Used to print the value of one or more keys in an NIS map.
For example, to print the entry for user steve in the passwd map:
ypmatch steve passwd
25.3 NIS Server
Configuration (how to set up an NIS server)
Specify your domain in /etc/sysconfig/network by inserting the following line:
NISDOMAIN=somedomain
This sets your NIS domain name at bootup (it only takes effect after a reboot). To set it now, use the domainname command:
domainname somedomain
This sets the NIS domain name immediately.
SECURITY NOTE: The domain specified should not be the same as your DNS domain. NIS domains should be kept secret in order to improve security. If an NIS domain is known and the NIS server can be reached, any client can connect to the domain.
Master Servers
Make sure the host name has been changed to something other than localhost.localdomain. This can cause problems for slave servers if it is not changed.
Specify the networks that are allowed to connect to the NIS server in /var/yp/securenets.
Change /var/yp/Makefile to fit your needs. This file includes a list of the information that NIS can store; it is where you set which information your server shares.
A few options:
NOPUSH=true # Set to false if you have slave servers
MERGE_PASSWD=true # Should we merge the shadow file with the password file?
MERGE_GROUP=true # Should we merge the gshadow file with the group file?
MINUID=500 # Lowest uid to include in the NIS map
MINGID=500 # Lowest gid to include in the NIS map
Start portmap and ypserv:
service portmap start
service ypserv start
Create the NIS map:
/usr/lib/yp/ypinit -m
This initializes the master NIS server. You may receive the following message:
Could not read ypservers map: 3 Can't bind to server which serves this domain
This does not appear to be a critical error. The NIS map is still created.
If you only want to include login and group information in your NIS map, you could use the following instead of ypinit:
make passwd shadow group
This adds the shared information; afterwards, run make again to update the database.
Any time you change information on the master server that affects the NIS map, you must re-run the "make" command. User passwords are the exception to this rule. They are updated automatically.
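The securenets step above decides most of the server's exposure: the stock /var/yp/securenets installed with ypserv ends in a "0.0.0.0 0.0.0.0" rule that admits every client. As an added example (not part of the original notes), these POSIX shell functions evaluate securenets-style rules ("netmask network", or "host address" for a single host) against a client address and list any rule that matches everyone; both rule sets below are constructed samples.

```shell
# ip2int A.B.C.D: dotted quad to a 32-bit integer, using only shell arithmetic
ip2int() {
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows CLIENT_IP: read securenets rules from stdin and succeed if
# CLIENT_IP matches one, printing that rule (ypserv stops at the first match).
securenets_allows() {
    client=$(ip2int "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                          # drop comments
        set -- $line
        [ $# -eq 2 ] || continue                  # every rule has exactly two fields
        if [ "$1" = host ]; then mask=4294967295; else mask=$(ip2int "$1"); fi
        net=$(ip2int "$2")                        # "host A.B.C.D" is a /32 match
        if [ $(( client & mask )) -eq $(( net & mask )) ]; then
            echo "$line"
            return 0
        fi
    done
    return 1
}

# securenets_wildcards: print every rule with netmask 0.0.0.0, which admits any
# address. This is the line to remove or narrow before exposing ypserv.
securenets_wildcards() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        set -- $line
        if [ $# -eq 2 ] && [ "$1" = 0.0.0.0 ]; then echo "$line"; fi
    done
}

# Constructed samples: the stock layout, and one limited to the lab subnet.
SECURENETS_STOCK='255.0.0.0 127.0.0.0
0.0.0.0 0.0.0.0   # gives access to everybody'
SECURENETS_LAB='host 127.0.0.1
255.255.255.0 192.168.1.0'

for ip in 192.168.1.77 10.0.0.5; do
    if rule=$(printf '%s\n' "$SECURENETS_LAB" | securenets_allows "$ip"); then
        echo "$ip: allowed by rule '$rule'"
    else
        echo "$ip: refused"
    fi
done
echo "wildcard rules in the stock file:"; printf '%s\n' "$SECURENETS_STOCK" | securenets_wildcards
```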
Slave Servers
Put an entry in /etc/hosts for the master NIS server.
All names of the slave servers must be specified in the /var/yp/ypservers file on the master server.
Start portmap and ypserv (restart them if they are already running):
service portmap start
service ypserv start
Execute ypinit:
/usr/lib/yp/ypinit -s <masterserver>
This initializes the slave NIS server.
If specifying the IP address of the master server doesn't work, specify the hostname (from /etc/hosts) of the master server instead.
You may see the following message several times:
Trying ypxfrd ... not running
Everything still appears to transfer ok from the master server.
Replication
yppush is automatically called whenever the master server's databases are updated. yppush transfers the NIS map from the master to the slaves. In order for replication to work, ypbind must be running on the master server.
ypxfr is similar to yppush except that it transfers the NIS map from the NIS server to the localhost. It is usually invoked by ypinit or ypserv.
Debugging (troubleshooting)
Check NIS using rpcinfo:
rpcinfo -p localhost
This checks whether the RPC services are registered correctly.
Verify portmap is running.
25.4 Using Automounter to Automount User Home Directories (configuring automatic mounting of domain users' home directories)
First, add the following line to /etc/auto.master:
/home /etc/auto.home --timeout 60
Then, create the /etc/auto.home file with the following contents:
* -rw,soft,intr 192.168.1.20:/home/&
In this case, 192.168.1.20 is the IP address of the NFS server.
Unmount /home on the client machine if it is a separate partition.
Restart autofs.
On the NFS server, put the following line in /etc/exports
/home 192.168.1.0/24(rw)
This exports /home via NFS to the client network (the netmask is needed so the whole 192.168.1.0 network, not only the single address 192.168.1.0, is allowed to mount it).
Start (or restart) NFS on the NFS server.