LinuxSir.cn, Linuxsir across time and space!
A strange problem on the ypserv side

Posted on 2005-11-6 13:25:19
I added a PAM restriction on the NIS server side. It works locally, but on the client side the user can, surprisingly, still LOGIN...
I used the listfile method to add a user ASD who is not allowed to log in. It works locally... but, surprisingly, the client can still LOGIN as this user.
The PAM file is system-auth.
The listfile is /etc/security/asd.
Locally it takes effect and can restrict the user asd,
but the client side can still log in. Restarting NIS does no good; the maps are already synchronized.
I really can't think what the problem is... I have done this before... and it worked. But this time I tried two clients and both failed...
What else could the problem be?
Posted on 2005-11-7 08:23:05
I had this problem before and thus know exactly what's wrong.

You are doing it on the wrong side: the setting should be on the CLIENT side, not on the SERVER side. You want to block the NIS user from logging on to your CLIENT machine, not on to your SERVER machine, so you should do the authentication on the CLIENT side.

On the server side, if you don't want a user to be enabled as an NIS user, just remove this user and update your map (userdel; /var/yp/make)

On the CLIENT side,
1. first add the file /etc/security/asd to include the NIS users that you don't want to log in.
2. in system-auth,
account required pam_listfile.so item=user sense=deny file=/etc/security/asd onerr=fail

If you are using allow instead of deny, make sure you don't deny root and local users on the client side:
account sufficient pam_listfile.so item=user sense=allow file=/path/to/nisuser onerr=fail
account sufficient pam_localuser.so
OP | Posted on 2005-11-7 11:28:23
My question now is: if I have one NIS SERVER and all the other clients use the server for authentication, and a client only has the ROOT user locally,
does that mean I can only restrict a person's login on each client one by one?? The server cannot directly restrict that person from logging in on all clients?
For example, the server has a user asd, and the client side only has ROOT.
To stop asd from logging in to the client, can I only use PAM on the client side? The server side can't restrict NIS users from logging in on the client??
Posted on 2005-11-7 22:22:15
NO, you can't.

I know it sounds confusing, but think it over and it is reasonable.

When you login on the client with the NIS user, you are logging on to the CLIENT machine, not the server machine.
OP | Posted on 2005-11-9 10:31:24
No, I think if I mount my server's home directory by NFS,
the user who logs in is logging in just like the server's user.
Why can't he/she be limited by the server's PAM??
Posted on 2005-11-9 22:17:06
Have you done the test again as I suggested? You will see what I mean.

I also export my server's home directory by NFS and automount it from the client.

Yes, the user who logs in is logging in just like the server's user. That's the whole point of using NIS: a central user/password database, and home directory, but remember this user is actually working on the client side and he has to be limited by the client's PAM.