Set up NIS server to realize centralized authentication of users

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/02

Overview of NIS Server

NIS (Network Information Service) works in client/server (C/S) mode. NIS is a network product that centrally controls several system management databases. It simplifies the management of UNIX and Linux desktop clients, because the clients can use the management files of the central server: users of desktop systems do not need to maintain their own /etc/passwd, and the administrator only needs to maintain the files on the NIS server.

Users on a Linux system fall into two categories according to where the account is stored: local users and remote users (NIS, LDAP, AD).

ypbind is the client process that locates the NIS server. Once the server location is determined, the client is bound to the server, and all client queries are sent to the NIS server.

ypserv is the server process that answers client queries.

Usage scenario:

In a large domain with many Linux hosts, every host may need the same accounts and passwords. With an account master server that manages the accounts of all hosts in the domain, a host that has to process a login asks the master server for the relevant account name, password and other user information. To add, modify, or delete user data, you only need to do it on this master server, which removes the repeated work of setting up user accounts on every host.

NIS workflow

The NIS service has two roles: NIS server and NIS client. The NIS server centrally maintains the user account information (database) for NIS clients to query. A user who logs in on any NIS client is authenticated against the NIS server, which gives centralized management of user accounts.

1. The NIS master first builds database files from the account- and password-related files.

2. If an account or password changes, the database files must be rebuilt and the master/slave servers resynchronized.

3. When an NIS client has a login request, it first queries its local files such as /etc/passwd and /etc/shadow.

4. If the account data cannot be found locally on the NIS client, the query is broadcast to the hosts of the entire NIS domain.

5. Every NIS server (master or slave) can respond; basically, whichever responds first is used.

One: experiment objectives

Practice: configure the NIS server to achieve centralized authentication.

Practice: automatically mount the NIS user's home directory on the client side

Two: experiment environment

NIS server: xuegod63 IP:192.168.1.63

Web server: xuegod64 IP:192.168.1.64

Client: xuegod62 IP:192.168.1.62

Three: experiment procedure

1. Environment building

1) NIS server: xuegod63:

[root@xuegod63 ~] # rpm -ivh /mnt/Packages/ypserv-2.19-22.el6.x86_64.rpm

# the main package for the NIS service.

[root@xuegod63 ~] # service iptables stop

2) NIS client: xuegod64

[root@xuegod64 ~] # rpm -ivh /mnt/Packages/ypbind-1.20.4-29.el6.x86_64.rpm # NIS client, package for the ypbind process

[root@xuegod64 ~] # rpm -ivh /mnt/Packages/yp-tools-2.9-12.el6.x86_64.rpm # NIS client tools for querying database information.

[root@xuegod63 ~] # rpm -qf `which yppasswd` # yppasswd is used to remotely change the password of a user on the NIS server

yp-tools-2.9-12.el6.x86_64

[root@xuegod64 ~] # service iptables stop

NIS server related files

/etc/ypserv.conf

NIS main configuration file, which controls whether NIS clients can access the NIS server

/etc/hosts

Records the mapping between host names and IP addresses. If there is no DNS system, the hosts file of the NIS server needs to contain a host record for each NIS client.

Practice: configure NIS server to achieve centralized authentication

Through the NIS server, you can use the account nisuser1 to log in to the company's samba server, mail server, WEB server, etc.

Authentication process:

Domain name of NIS server: NIS

Server hostname: xuegod63.cn

Client hostname: xuegod64.cn

1. Install NIS server: xuegod63

1) create a dedicated home directory for NIS users (this makes the later NIS + autofs setup easier)

[root@xuegod63 ~] # mkdir /home/nishome/

[root@xuegod63 ~] # useradd -d /home/nishome/nisuser1 nisuser1

[root@xuegod63 ~] # useradd -d /home/nishome/nisuser2 -s /sbin/nologin nisuser2 # used later to test whether this account can log in to other systems

[root@xuegod63 ~] # echo 123456 | passwd --stdin nisuser1

[root@xuegod63 ~] # echo 123456 | passwd --stdin nisuser2

2) set the NIS domain name

NIS will use the domain name to distinguish the password data of the account, so you must specify the same NIS domain name on both the server and the client.

[root@xuegod63 ~] # nisdomainname

(none)

Method 1: permanently effective, and the machine needs to be restarted

[root@xuegod63 ~] # vim /etc/sysconfig/network # add the NISDOMAIN line at the end of the file

[root@xuegod63 ~] # cat /etc/sysconfig/network

NETWORKING=yes

HOSTNAME=xuegod63.cn

NISDOMAIN=xuegod.cn

[root@xuegod63 ~] # service network restart

Method 2: temporarily effective

[root@xuegod63 ~] # nisdomainname xuegod.cn # temporarily effective, same usage as hostname

[root@xuegod63 ~] # nisdomainname

xuegod.cn

3) configure hosts file: correspondence between hostname and IP

[root@xuegod63 ~] # vim /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.1.63 xuegod63.cn

192.168.1.64 xuegod64.cn

4) edit the main configuration file /etc/ypserv.conf

[root@xuegod63 ~] # vim /etc/ypserv.conf

Configuration: allow all intranet clients to connect to the NIS server, and refuse connections from all other clients.

As shown in the figure:

The ypserv.conf file is interpreted line by line, so pay attention to the order of the rules.

Each rule has four colon-separated fields:

host:

Specifies the client. You can give a specific IP address or a network segment.

domain:

Sets the NIS domain name. The NIS domain name here has no relationship to a DNS domain name.

map:

Sets the available database (map) name; "*" stands for all databases.

security:

Security setting. There are three main values: none, port and deny.

none:

No security restriction; the client can connect to the NIS server.

port:

Only connections from ports lower than 1024 are allowed to the NIS server.

deny:

The connection to the NIS server is refused.
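
The order-dependent rule matching described above, modelled as an added example (not code from the original page or from ypserv). The sample rules are constructed for the lab network and do not reproduce the page's missing figure; first-match evaluation and the "no-match" result are assumptions of this model.

```python
import ipaddress

# Constructed sample rules for the lab network. Fields: host : domain : map : security
INTRANET_FIRST = """
# host                    : domain    : map           : security
192.168.1.0/255.255.255.0 : xuegod.cn : shadow.byname : port
192.168.1.0/255.255.255.0 : xuegod.cn : *             : none
*                         : *         : *             : deny
"""
# The same policy with the catch-all deny moved to the top.
DENY_FIRST = """
*                         : *         : *             : deny
192.168.1.0/255.255.255.0 : xuegod.cn : *             : none
"""

def parse_rules(text):
    """Return [(host, domain, map, security), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        fields = [f.strip() for f in line.split(":")]
        if len(fields) == 4:                         # skip blanks and 2-field option lines
            rules.append(tuple(fields))
    return rules

def host_matches(pattern, client_ip):
    """host may be '*', a single IP address, or network/netmask."""
    if pattern == "*":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return pattern == client_ip

def decide(rules, client_ip, src_port, domain, mapname):
    """Apply the first rule whose host, domain and map all match (assumed model)."""
    for host, dom, mp, security in rules:
        if host_matches(host, client_ip) and dom in ("*", domain) and mp in ("*", mapname):
            if security == "none":
                return "allow"
            if security == "port":                   # privileged source ports only
                return "allow" if src_port < 1024 else "deny"
            return "deny"
    return "no-match"   # ypserv's behaviour without a matching rule is not modelled

if __name__ == "__main__":
    for name, text in (("intranet first", INTRANET_FIRST), ("deny first", DENY_FIRST)):
        print(name, decide(parse_rules(text), "192.168.1.64", 40000, "xuegod.cn", "passwd.byname"))
```

With the deny rule first, the intranet client xuegod64 is refused as well, which is why a catch-all rule belongs at the end of the file.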

5) establish NIS database

(1) the ypserv service must be started first, otherwise an error will be reported when setting up the NIS database.

[root@xuegod63 ~] # service ypserv start

(2) create a database:

[root@xuegod63 ~] # ll /usr/lib64/yp/ypinit # this command must be run with its absolute path

-rwxr-xr-x 1 root root 4088 Aug 31 2011 /usr/lib64/yp/ypinit

[root@xuegod63 ~] # echo $PATH # /usr/lib64/yp is not in PATH

/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin:/root/bin

[root@xuegod63 conf] # /usr/lib64/yp/ypinit -m # the full path is required here; -m means master

next host to add: xuegod63.cn

next host to add: # press Ctrl+D to end input

Is this correct? [y/n: y] y

We need a few minutes to build the databases...

Building /var/yp/xuegod.cn/ypservers...

Running /var/yp/Makefile... # generates the NIS database files

gmake[1]: Leaving directory `/var/yp/xuegod.cn'

xuegod63.cn has been set up as a NIS master server.

Now you can run ypinit -s xuegod63.cn on all slave server.

[root@xuegod63 ~] # ls /var/yp # a xuegod.cn directory has been generated.

binding Makefile nicknames xuegod.cn ypservers

Note: each time you manually change the contents of the database (such as updating a user password), you need to run: /usr/lib64/yp/ypinit -m

6) restart the services: if they are not restarted, newly added data will not take effect

[root@xuegod63 ~] # service ypserv restart

[root@xuegod63 ~] # /etc/init.d/yppasswdd restart

[root@xuegod63 ~] # chkconfig ypserv on

[root@xuegod63 ~] # chkconfig yppasswdd on

2. Configure the client: xuegod64

1) install NIS client tools

[root@xuegod64 ~] # rpm -ivh /mnt/Packages/ypbind-1.20.4-29.el6.x86_64.rpm

[root@xuegod64 ~] # rpm -ivh /mnt/Packages/yp-tools-2.9-12.el6.x86_64.rpm

2) join the domain

[root@xuegod64 ~] # system-config-authentication # this command needs to be executed in the graphical interface

Select "NIS" in "User Account Configuration" and fill in the corresponding NIS information, as shown in the following figure

After clicking "Apply", test as shown below:

Note: if the binding fails here, the firewall is the likely cause; it should be turned off.

(1) View the content modified by system-config-authentication:

[root@xuegod64 Desktop] # cat /etc/sysconfig/network

HOSTNAME=xuegod64.cn

NETWORKING=yes

NISDOMAIN=xuegod.cn

[root@xuegod64 Desktop] #

[root@xuegod64 Desktop] # vim /etc/nsswitch.conf # the lookup order used for password authentication has been modified

passwd: files nis

shadow: files nis

group: files nis

3. Test login

1) remote login on xuegod63:

[root@xuegod63 ~] # ssh nisuser1@192.168.1.64

nisuser1@192.168.1.64's password:

Could not chdir to home directory /home/nishome/nisuser1: No such file or directory

-bash-4.1$

2) Test on xuegod64:

[root@xuegod64 Desktop] # su - nisuser1

su: warning: cannot change directory to /home/nishome/nisuser1: No such file or directory

-bash-4.1$

# the NIS account can be used to log in to the system, which means the configuration is successful.

3) view the configuration file of the NIS client service ypbind

[root@xuegod64 ~] # tail /etc/yp.conf # specifies the NIS server address. Look at the last line: the client's /etc/yp.conf sets the NIS domain name and the address of the NIS server.

domain xuegod.cn server 192.168.1.63

4) restart the ypbind service

[root@xuegod64 Desktop] # service ypbind restart # restart the ypbind service

[root@xuegod64 Desktop] # chkconfig ypbind on # start the ypbind service at boot

5) test changing the password

On the client, the yppasswd command can be used to change the account password

Note: the length of the password cannot be less than 6 characters. In addition, changing a password with the yppasswd command updates the contents of the NIS database.

(1) Change the password with yppasswd:

[root@xuegod63 ~] # ssh nisuser1@192.168.1.64

-bash-4.1$ yppasswd

Changing NIS account information for nisuser1 on xuegod63.cn.

Please enter old password:123456

Changing NIS password for nisuser1 on xuegod63.cn.

Please enter new password:123456789

Please retype new password:123456789

The NIS password has been changed on xuegod63.cn.

(2) Log in with the new password:

[root@xuegod64 ~] # ssh nisuser1@192.168.1.64

nisuser1@192.168.1.64's password: 123456789

Last login: Thu Apr 16 20:11:20 2015 from xuegod64.cn

Could not chdir to home directory /home/nishome/nisuser1: No such file or directory

-bash-4.1$

Method 2:

[root@xuegod63 ~] # ssh nisuser1@192.168.1.64

-bash-4.1$ passwd # use the passwd command directly; the new password needs to be more complex

Practice: automatically mount NIS user's home directory on the client side

Description: xuegod63 uses NFS to share the NIS users' home directories; when NIS users log in on a client, autofs automatically mounts their home directories.

1. Configure NFS on xuegod63

1) install and configure NFS on xuegod63:

[root@xuegod63 ~] # rpm -ivh /mnt/Packages/nfs-utils-1.2.3-15.el6.x86_64.rpm

[root@xuegod63 ~] # ls /home/nishome/

nisuser1 nisuser2

[root@xuegod63 ~] # vim /etc/exports # write the following

/home/nishome 192.168.1.0/255.255.255.0(rw,sync)

2) start the service and enable it at boot

[root@xuegod63 ~] # /etc/init.d/nfs restart

[root@xuegod63 ~] # showmount -e 192.168.1.63

Export list for 192.168.1.63:

/home/nishome 192.168.1.0/255.255.255.0

[root@xuegod63 ~] # chkconfig nfs on

2. On xuegod64 (and all NIS clients), install autofs

1) install autofs

[root@xuegod64 Desktop] # rpm -qf /etc/init.d/autofs

autofs-5.0.5-39.el6.x86_64

[root@xuegod64 Desktop] # yum install -y autofs

2) configure autofs

[root@xuegod64 Desktop] # vim /etc/auto.master # main configuration file of the autofs service

/home/nishome /etc/auto.nishome

# /home/nishome is the mount point; to automount directories under /home/nishome, autofs consults the map file /etc/auto.nishome.

3) modify the configuration file

[root@xuegod64 ~] # vim /etc/auto.nishome

* -rw 192.168.1.63:/home/nishome/&

# autofs lets the mount directory be given by the wildcard "*", and "&" in the network path stands for the user name. When you enter a directory under the local /home/nishome (this prefix was fixed in /etc/auto.master above), the corresponding directory under /home/nishome/ on 192.168.1.63 is mounted.

4) restart the service and enable it at boot:

[root@xuegod64 ~] # /etc/init.d/autofs restart

[root@xuegod64 ~] # chkconfig autofs on

3. Test:

1) Test remote login on xuegod63

[root@xuegod63 ~] # ssh nisuser1@192.168.1.64

nisuser1@192.168.1.64's password: 123456

Last login: Thu Apr 16 22:04:25 2015 from xuegod63.cn

[nisuser1@xuegod64 ~] $

NIS not only provides centralized authentication but can also be put to other uses.

# distribute different software and tools in different users' home directories: each account that logs in gets its own software or scripts

[root@xuegod63 ~] # echo "cp -rv /var/www/html /tmp/" > /home/nishome/nisuser1/auto-back.sh

[root@xuegod63 ~] # chmod +x !$

chmod +x /home/nishome/nisuser1/auto-back.sh

(1) use nisuser1 as a dedicated backup user:

[root@xuegod63 ~] # ssh nisuser1@192.168.1.64

nisuser1@192.168.1.64's password:

[nisuser1@xuegod64 ~] $ ./auto-back.sh

`/var/www/html' -> `/tmp/html'

`/var/www/html/index.html' -> `/tmp/html/index.html'

(2) Review: mounting the NFS share manually with mount:

[root@xuegod64 ~] # mount 192.168.1.63:/home/nishome /opt/

[root@xuegod64 ~] # ls /opt/

nisuser1 nisuser2
