[Linux] NIS: centralized authentication service

2025-01-15 Update. From: SLTechnology News & Howtos


Shulou (Shulou.com) 06/03 Report

In this post we look at the configuration and use of NIS, a service that is very often deployed together with NFS. NIS (Network Information Service) lets account logins and other lookups, such as hostname resolution and the service and protocol tables, be served centrally from one NIS server, which saves operations staff from maintaining the same files on every host. This post focuses on using NIS for centralized login authentication. It is important to note that NIS clients and servers talk over RPC without any encryption: account data, including the password hashes in the shadow map, cross the network in the clear and can be requested by any host that can reach the server and knows the domain name. Use NIS only on an isolated network, or on a private network protected by a firewall.

Introduction to NIS

The NIS service moves files that would otherwise have to be maintained on every host onto the server; whenever a client needs one of them, it asks the server for the corresponding map. The files commonly served this way are /etc/passwd, /etc/shadow, /etc/group, /etc/hosts, /etc/services, /etc/networks, /etc/rpc, /etc/protocols, /etc/aliases and so on. A NIS server together with its clients is called a NIS domain. The hosts in a domain should also keep their clocks synchronized, usually with NTP, so that file timestamps on shared home directories and entries in the logs agree.

In practice LDAP has gradually replaced NIS as the centralized authentication service of choice in most enterprises: compared with NIS it is cross-platform, supports encrypted transport, and has far better support from web applications and desktop software. Readers who want to know more can look into it on their own.

NIS server-side configuration

The RPM packages required for NIS server-side configuration are:

- ypserv: the NIS server daemon; the package also provides rpc.yppasswdd, which lets users change their NIS password with yppasswd
- rpcbind: the RPC port mapper; on CentOS 6 it replaces the older portmap package
- ypbind: the client-side binder that attaches a host to a NIS domain; it is needed on the server only if the server itself authenticates logins against NIS
- yp-tools: the supporting commands (ypcat, yppasswd, ypwhich, ypmatch ...)
- nscd: the name service cache daemon, which caches passwd, group and hosts lookups. It is optional with both LDAP and NIS, but it cuts the number of round trips to the server; its configuration file is /etc/nscd.conf. Which databases are resolved through NIS is not decided here but in /etc/nsswitch.conf (see below).

Configuration files to modify on the NIS server

/etc/sysconfig/network ---- sets the name of the NIS domain (NISDOMAIN), which the ypserv and ypbind init scripts read at boot. For example:

NETWORKING=yes

HOSTNAME=nisServerName

NISDOMAIN=lab2

/etc/yp.conf ---- sets the NIS domain and the address of the NIS server that ypbind should bind to. It is a client-side file; the server itself only needs it if the server is also going to authenticate its own logins against NIS. For example:

domain lab2 server 127.0.0.1

This example assumes that the NIS server authenticates its own logins through NIS, so the server address is its own loopback address; lab2 is the NISDOMAIN domain name. On the clients, use the server's real IP address, or a hostname that can be resolved without NIS (from /etc/hosts or DNS), because NIS is not yet available when ypbind starts.

/etc/nsswitch.conf ---- this file defines the order in which the system consults its sources when it looks up account information at login:

passwd: files nis

shadow: files nis

group: files nis

With this configuration the system first looks in the local /etc/passwd (/etc/shadow, /etc/group); only if the account is not found there does it query the corresponding map on the NIS server. The order matters: a local entry always wins, so a user name defined both locally and in NIS resolves to the local definition.
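The three files above are usually edited by hand, but on more than a couple of hosts it is worth scripting. The following POSIX shell script is an added example, not part of the original post: it applies the NISDOMAIN, yp.conf and nsswitch.conf settings idempotently, so it can be re-run safely, and leaves the other nsswitch databases and any sources already listed on the passwd, shadow and group lines alone. The domain name lab2, the server address 127.0.0.1 and the file paths follow the post's example; the function names and the "apply" argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the NIS settings to the
# three files idempotently. Each function takes the target file as its first
# argument, so it can be rehearsed on copies; the live paths are only touched
# when the script is run as "sh nis-config.sh apply". Domain, server address
# and file paths are assumptions for the example.

# set_kv FILE KEY VALUE: set KEY=VALUE in a sysconfig-style file, replacing an
# existing KEY= line or appending one (used for NISDOMAIN in /etc/sysconfig/network).
set_kv() {
    file=$1 key=$2 val=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${key}=" "$file"; then
        sed "s|^${key}=.*|${key}=${val}|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# write_ypconf FILE DOMAIN SERVER: point ypbind at SERVER for DOMAIN in
# /etc/yp.conf, dropping any earlier "domain DOMAIN server ..." line.
write_ypconf() {
    file=$1 domain=$2 server=$3
    [ -f "$file" ] || : > "$file"
    grep -v "^domain ${domain} server " "$file" > "$file.tmp" || true
    printf 'domain %s server %s\n' "$domain" "$server" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# nss_add_nis FILE: make passwd, shadow and group consult NIS after the local
# files in /etc/nsswitch.conf. Other databases (hosts, services, ...) and any
# sources already on those three lines are left as they are.
nss_add_nis() {
    file=$1
    for db in passwd shadow group; do
        if ! grep -q "^${db}:" "$file"; then
            printf '%s: files nis\n' "$db" >> "$file"
        elif ! grep -Eq "^${db}:.*[[:space:]]nis([[:space:]]|$)" "$file"; then
            sed "s|^\(${db}:.*\)|\1 nis|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        fi
    done
}

# Live run, only when invoked as: sh nis-config.sh apply
if [ "${1:-}" = "apply" ]; then
    set_kv /etc/sysconfig/network NISDOMAIN lab2
    write_ypconf /etc/yp.conf lab2 127.0.0.1   # on a client, use the server's real address
    nss_add_nis /etc/nsswitch.conf
    nisdomainname lab2                         # effective now; NISDOMAIN= keeps it across reboots
fi
```

Run it as root with the apply argument on the server; on a client, replace 127.0.0.1 with the server's address. Because every function takes the file path as its first argument, the script can be tried against copies of the three files before it touches /etc.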

/etc/ypserv.conf ---- this file sets 1) options of the NIS server and 2) access rules that state which clients may read which maps. The meanings are as follows:

= NIS server options =

dns: no ---- whether ypserv falls back to DNS for host lookups that are not in the hosts maps

files: 30 ---- how many map files ypserv keeps open in its cache

slp: no ---- whether to announce the server through SLP (Service Location Protocol)

slp_timeout: 3600 ---- after how many seconds to re-announce the server via SLP

xfr_check_port: yes ---- whether the master server must be on a port below 1024 for map transfers (ypxfr) to be accepted

= access rules (the CentOS 6 default) =

* : * : shadow.byname : port

* : * : passwd.adjunct.byname : port

Each access rule has four colon-separated fields:

host:domain:map:security

host: the client address the rule applies to; * matches every host (ypserv also accepts an IP address or a network with its netmask)

domain: the NIS domain the rule applies to; * matches every domain

map: the name of the map, for example passwd.byname or shadow.byname; * matches every map

security: one of none, port or deny

none: allow access to the map

port: allow access only if the request comes from a privileged source port (below 1024), otherwise refuse it

deny: never serve this map

Rules are tested in file order and the first rule whose host, domain and map fields all match decides; if no rule matches, ypserv serves the map. The stock file therefore protects only the shadow maps, and only with the port check, which is a weak control: root on any host that can reach the server can send from a port below 1024, and the domain name a request needs is easy to guess or sniff. To limit which networks may talk to ypserv at all, list them in /var/yp/securenets (one netmask and network per line) and filter the RPC ports at the firewall.

Therefore, if a NIS client cannot be made to work, you can temporarily put the rule

* : * : * : none

in front of the others to test whether the client is being refused by the access policy rather than by a configuration error; remove it again once the problem is found.
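Because the first matching rule decides and an empty match means "allow", it is easy to misjudge what a ypserv.conf rule set actually does. The following POSIX shell function is an added example, not part of the original post or of ypserv: it evaluates a request (client address, domain, map, source port) against a rule set with the same first-match and default-allow semantics, so a rule set can be reasoned about before it is deployed. It simplifies the host field to "*" or an exact IP address (real ypserv also accepts a network with its netmask) and is a model for thinking about the rules, not a replacement for ypserv's own check. The rule sets, the client addresses and the domain name lab2 are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate a map request against
# ypserv.conf-style access rules (host:domain:map:security). Rules are tried
# in order, the first one whose host, domain and map match wins, and when no
# rule matches ypserv grants the request. Simplification: the host field is
# '*' or an exact IP; real ypserv also takes network/netmask. Addresses and
# the domain name are made up for the example.

# Constructed rule set mirroring the stock CentOS 6 /etc/ypserv.conf: only the
# shadow maps are protected, and only by the source-port check.
STOCK_RULES='
dns: no
files: 30
# Host : Domain : Map                   : Security
*      : *      : shadow.byname         : port
*      : *      : passwd.adjunct.byname : port
'

# Constructed hardened set: one named client may read everything except the
# shadow maps from an unprivileged port; every other client is refused. The
# catch-all deny at the end removes the default-allow.
HARDENED_RULES="$STOCK_RULES
192.168.1.10 : lab2 : * : none
*            : *    : * : deny
"

# ypserv_access RULES HOST DOMAIN MAP SRCPORT: prints allow or deny and
# returns 0 for allow, 1 for deny.
ypserv_access() {
    rules=$1 host=$2 domain=$3 map=$4 srcport=$5
    # ypserv ignores whitespace around the colons, so strip it before splitting
    clean=$(printf '%s\n' "$rules" | tr -d ' \t')
    while IFS=: read -r rh rd rm rs; do
        case $rh in ''|\#*) continue ;; esac   # blank lines and comments
        [ -n "$rs" ] || continue               # "dns: no" style option lines are not rules
        [ "$rh" = '*' ] || [ "$rh" = "$host" ]   || continue
        [ "$rd" = '*' ] || [ "$rd" = "$domain" ] || continue
        [ "$rm" = '*' ] || [ "$rm" = "$map" ]    || continue
        case $rs in
            none) echo allow; return 0 ;;
            deny) echo deny;  return 1 ;;
            port) # privileged source port only: root on any reachable host can satisfy this
                  if [ "$srcport" -lt 1024 ]; then echo allow; return 0; fi
                  echo deny; return 1 ;;
            *)    echo "unknown security option '$rs'" >&2; return 2 ;;
        esac
    done <<EOF
$clean
EOF
    echo allow   # no rule matched: ypserv serves the map
    return 0
}

# Demo: sh ypserv-rules.sh demo
if [ "${1:-}" = "demo" ]; then
    ypserv_access "$STOCK_RULES"    10.0.0.5     lab2 passwd.byname 40000   # allow
    ypserv_access "$STOCK_RULES"    10.0.0.5     lab2 shadow.byname 40000   # deny
    ypserv_access "$STOCK_RULES"    10.0.0.5     lab2 shadow.byname 600     # allow
    ypserv_access "$HARDENED_RULES" 10.0.0.5     lab2 passwd.byname 40000   # deny
    ypserv_access "$HARDENED_RULES" 192.168.1.10 lab2 passwd.byname 40000   # allow
fi
```

The stock rules show the point made above: any host can read passwd.byname from any port, and shadow.byname only needs a source port below 1024. The hardened set reverses the default by ending with a deny rule, which is the pattern to use together with /var/yp/securenets when the NIS network cannot be fully isolated.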

When the setup is complete, execute the following commands as root:

# nisdomainname lab2

This sets the NIS domain name immediately, but only until the next reboot; the NISDOMAIN= line in /etc/sysconfig/network is what makes it persistent.

# service rpcbind start

# service yppasswdd start

# service ypserv start

# /usr/lib64/yp/ypinit -m

ypinit with the -m parameter initializes the local host as the NIS master server: it asks for the list of NIS servers of the domain (the local host by default) and then runs make in /var/yp, which converts /etc/passwd, /etc/shadow, /etc/group, /etc/hosts and the other source files into GNU dbm map files under /var/yp/<domain>/. The same Makefile is used from then on: whenever an account is added or changed on the server, run make in /var/yp (cd /var/yp && make) to regenerate the maps, otherwise the clients will not see the change. Use chkconfig (chkconfig rpcbind on; chkconfig ypserv on; chkconfig yppasswdd on) so that the services come back after a reboot.

Finally, rpcinfo -p localhost lists the RPC programs registered with rpcbind; portmapper, ypserv and yppasswdd should all appear. Note the port column: ypserv and yppasswdd pick a free port at start-up unless they are pinned (YPSERV_ARGS="-p 834" in /etc/sysconfig/network, YPPASSWDD_ARGS="--port 836" in /etc/sysconfig/yppasswdd), and the firewall recommended in the introduction can only be written for fixed ports.

This is the configuration on the NIS server side. Let's take a look at the configuration on the NIS Client side.

NIS client configuration

Required RPM packages:

ypbind

rpcbind

yp-tools

The configuration files to modify, /etc/sysconfig/network (NISDOMAIN), /etc/yp.conf (domain and server address, which on a client is the server's real address rather than 127.0.0.1) and /etc/nsswitch.conf (files nis), are edited exactly as on the server side, so the details are not repeated here.

Then run the command:

# service rpcbind restart

# service ypbind restart

Run rpcinfo -u localhost ypbind to check the result: the command asks rpcbind for ypbind's port and sends it a null call over UDP, so a reply of the form "program 100007 version 2 ready and waiting" confirms both that rpcbind is running and that ypbind has registered with it. ypwhich then shows which server the client is bound to, and ypcat passwd pulls the passwd map from it, which is the quickest end-to-end test. There is also a text-mode configuration tool for the client, authconfig-tui, which is very easy to use: enable NIS and enter the domain name and the hostname of the NIS server, and it writes the files above for you.
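Both the rpcinfo -p check on the server and the rpcinfo -u check on the client are worth automating, since a missing registration is the most common reason a freshly configured host cannot bind. The following POSIX shell functions are an added example, not part of the original post: they parse rpcinfo -p output, report which of the programs a NIS server or client needs are not registered, and list the ports a program was given so they can be compared with the firewall rules. The program numbers are the standard ones from /etc/rpc; the rpcinfo output embedded below is constructed for the example, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check "rpcinfo -p" output for
# the RPC programs NIS needs and list the ports a program is using. Program
# numbers are the standard /etc/rpc assignments. The rpcinfo output below is
# constructed for the example.

# Constructed "rpcinfo -p localhost" output from a working server that also
# runs ypbind because it authenticates its own logins against NIS.
SERVER_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    649  ypserv
    100004    1   udp    649  ypserv
    100004    2   tcp    652  ypserv
    100004    1   tcp    652  ypserv
    100009    1   udp    683  yppasswdd
    100007    2   udp    700  ypbind
    100007    2   tcp    703  ypbind'

# Constructed output from a client on which ypbind failed to start.
CLIENT_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# nis_missing ROLE RPCINFO_TEXT: print the name of every program the role
# needs that is not registered, one per line; return 0 if nothing is missing.
# A server that authenticates its own logins should pass the client check too.
nis_missing() {
    role=$1 text=$2
    case $role in
        server) want='100000:portmapper 100004:ypserv 100009:yppasswdd' ;;
        client) want='100000:portmapper 100007:ypbind' ;;
        *) echo "usage: nis_missing server|client RPCINFO_TEXT" >&2; return 2 ;;
    esac
    rc=0
    for entry in $want; do
        prog=${entry%%:*}; name=${entry#*:}
        # match on the program number: rpcinfo only fills the service column
        # for numbers that /etc/rpc knows
        if ! printf '%s\n' "$text" | awk -v p="$prog" '$1 == p { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "$name"; rc=1
        fi
    done
    return $rc
}

# nis_ports RPCINFO_TEXT NAME: the distinct ports NAME is registered on, in
# ascending order, for comparison with the firewall rule set (ypserv and
# yppasswdd get a random port unless pinned with YPSERV_ARGS / YPPASSWDD_ARGS).
nis_ports() {
    printf '%s\n' "$1" | awk -v n="$2" '$5 == n { print $4 }' | sort -un
}

# Demo: sh nis-check.sh demo   (on a live host: nis_missing server "$(rpcinfo -p localhost)")
if [ "${1:-}" = "demo" ]; then
    nis_missing server "$SERVER_RPCINFO" && echo "server: all NIS programs registered"
    nis_missing client "$CLIENT_RPCINFO" || echo "client: missing program(s) listed above"
    echo "ypserv ports:"; nis_ports "$SERVER_RPCINFO" ypserv
fi
```

On a live host, feed the real output with nis_missing server "$(rpcinfo -p localhost)". The two ypserv ports in the sample (649 and 652) are exactly the kind of unpredictable values that make pinning the ports worthwhile before writing firewall rules.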

With the above steps the NIS server and the client are configured; test the setup by logging in to the client over ssh with an account that exists only on the server. One small problem remains: once the client has authenticated the user through the server, it looks for the user's home directory locally, and the client has no home directory for that user. The usual solution is to export /home from the server over NFS and mount it on the client, which is one of the reasons NIS and NFS are so often used together. Note that NFS trusts the UIDs the client presents, so exporting /home this way assumes that every NIS client is a trusted host.

That is all about NIS for now. If anything is wrong, criticism and corrections are welcome.

© 2024 shulou.com SLNews company. All rights reserved.

12
Report