NIS

第一篇【NIS】深入了解NIS 

1     环境准备

操作系统：CentOS7.2

服务端安装如下软件：

软件名称	功能
ypserv	NIS Server端的服务进程
rpcbind	提供RPC服务

客户端安装如下软件：

软件名称	功能
yp-tools	提供NIS相关的查询指令功能(yp-tools和ypbind必须同时安装)
ypbind	NIS Client端的服务进程(yp-tools和ypbind必须同时安装)

Yptools和ypbind互相依赖，需要如下方式安装 

[root@node2deps-centos72_1511]# rpm -ivh yp-tools-2.14-3.el7.x86_64.rpmypbind-1.37.1-7.el7.x86_64.rpm

网络拓扑：

Hostname	IP地址	角色	软件
node0	192.168.192.90	NIS Master Server，NIS Client	ypserv, rpcbind, yp-tools, ypbind
node1	192.168.192.91	NIS Slave Server，NIS Client	ypserv, rpcbind, yp-tools, ypbind
node2	192.168.192.92	NIS Client	yp-tools, ypbind

NIS 的域名为 hikuss

 

2     搭建

2.1   Masterserver 端配置

2.1.1  设置NIS域名

设置 NIS 的域名，新增如下内容：

临时设置：

[root@node0 nis]# nisdomainname hikuss

永久设置：

[root@node0 nis]# cat /etc/sysconfig/network
# Created by anaconda
# 设定nis的域名
NISDOMAIN=hikuss
# 设定nis固定在1011端口，方便设定防火墙规则
YPSERV_ARGS="-p 1011"

2.1.2  设置hosts

设定IP地址与主机名的对应关系/etc/hosts，新增如下内容 

[root@node0 nis]# cat /etc/hosts
192.168.192.90 node0
192.168.192.91 node1
192.168.192.92 node2

2.1.3  设置主要配置文件/etc/ypserv.conf

设定server端的主配置文件/etc/ypserv.conf

[root@node0 nis]# cat /etc/ypserv.conf
#
# ypserv.conf   Inthis file you can set certain options for the NIS server,
#       andyou can deny or restrict access to certain maps based
#       on theoriginating host.
#
#       Seeypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all notneeded, if
# you have a Linux net.

# NIS 服务器大多使用于内部局域网络，只要有/etc/hosts 即可，不用 DNS
dns: no

# How many map file handles should be cached ?
# 默认会有30个数据库被读入内存当中，账号多的话，可以调大点。
files: 30

# Should we register ypserv with SLP ?
# slp: no
# After how many seconds we should re-registerypserv with SLP ?
# slp_timeout: 3600

# xfr requests are only allowed from ports <1024
xfr_check_port: yes

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NISservers in your
# network that do not run the same server as you.
# 与 master/slave 有关，将同步更新的数据库比对所使用的端口，放置于 <1024 内。
# 底下则是设定限制客户端或 slave server查询的权限，利用冒号隔成四部分：
# [主机名/IP] : [NIS域名] : [可用数据库名称map] : [安全限制security]
# [主机名/IP]   ：可以使用network/netmask 如 192.168.124.0/255.255.255.0
# [NIS域名]   ：hikuss
# [可用数据库名称]：就是由 NIS 制作出来的数据库名称；
# [安全限制]      ：包括没有限制 (none)、仅能使用 <1024 (port) 及拒绝 (deny)
# 一般来说，你可以依照我们的网域来设定成为底下的模样：
# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port
127.0.0.0/255.255.255.0     : * : * : none
192.168.192.0/255.255.255.0 : * : * : none
*                           : * : * : deny
# 星号 (*) 代表任何数据都接受的意思。上面三行的意思是，1）开放 lo 内部接口、
# 2）开放内部 LAN 网域，3）且杜绝所有其他来源的 NIS 要求的意思。
# 还有一个简单作法，你可以先将上面三行批注，然后加入底下这一行即可：
*                         : * : * : none
#这样会允许任何主机连接到 NIS server，可以配合防火墙规则再做过滤。

# Not everybody should see the shadow passwords,not secure, since
# under MSDOG everbody is root and can access ports< 1024 !!!
*              : *      : shadow.byname    : port
*              : *      : passwd.adjunct.byname : port

# If you comment out the next rule, ypserv andrpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps.This will make
# the security check a little bit slower, but youonly have to
# change the keys on the master server, not theconfiguration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES,you should create
# a rule for them above, that's much faster.
# *                        : *       : *                : none

2.1.4  设置防火墙

让yppasswdd启动在固定端口，方便防火墙管理

[root@node0 nis]# vi /etc/sysconfig/yppasswdd
YPPASSWDD_ARGS="--port 1012"

 

2.1.5  启动及开机启动

启动如下命令： 

[root@node0 nis]# systemctlstart ypserv
[root@node0 nis]# systemctlstart rpcbind
[root@node0 nis]# systemctl statrtyppasswdd.service

 设置开机启动

 [root@node0 nis]# systemctl enable ypserv
Created symlink from/etc/systemd/system/multi-user.target.wants/ypserv.service to/usr/lib/systemd/system/ypserv.service.
 [root@node0 nis]# systemctl enable rpcbind
Created symlink from/etc/systemd/system/sockets.target.wants/rpcbind.socket to/usr/lib/systemd/system/rpcbind.socket.
[root@node0 nis]# systemctl enableyppasswdd.service
Created symlink from/etc/systemd/system/multi-user.target.wants/yppasswdd.service to/usr/lib/systemd/system/yppasswdd.service.

2.1.6  建立NIS账户和资料库

1. 新建5个账号

[root@node0 nis]# for i in `seq 1 5`; do echo"=====create nisuser$i====="; useradd -u 100$i nisuser$i; echopassword | passwd --stdin nisuser$i; done

2. 建立资料库

ypinit命令初始化主服务器和常见NIS映射表。默认的ypinit同make命令给出的操作一样。

按照提示 ctrl+D，确认即可完成资料库建立。 

[root@node0 nis]# /usr/lib64/yp/ypinit -m

At this point, we have to construct a list of thehosts which will run NIS
servers. node0 is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
    next hostto add:  node0
    next hostto add:
The current list of NIS servers looks like this:

node0

Is this correct? [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/hikuss/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/hikuss'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/hikuss'

node0 has been set up as a NIS master server.

Now you can run ypinit -s node0 on all slaveserver.
[root@node0 nis]#

2.1.7  更新NIS账户和资料库

在 server 端新增账号或者删除账号或者修改账号信息后，就得要重新制作数据库，make -C /var/yp

[root@node0 nis]# cd /var/yp
[root@node0 yp]# make

或者

[root@node0 nis]# make -C /var/yp
make: Entering directory `/var/yp'
gmake[1]: Entering directory `/var/yp/hikuss'
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/hikuss'
make: Leaving directory `/var/yp'
[root@node0 nis]#

把信息写进资料库，让后 client 端才可以读取到最新信息
 

2.1.8  与Slave相关的设定

当执行了 ypinit -m 之后，所有的主机上面的账号相关档案会被转成数据库档案， 这些数据库会被放置到 /var/yp/"nisdomainname" 当中， 

[root@node0 nis]# ls /var/yp/hikuss/
group.bygid  hosts.byaddr  mail.aliases  passwd.byname protocols.byname   rpc.byname    services.byname         ypservers
group.byname hosts.byname  netid.byname  passwd.byuid  protocols.bynumber rpc.bynumber services.byservicename
[root@node0 nis]#

1. 若变更了使用者帐号密码参数，针对这个档案进行数据库更新：

[root@node0 nis]# cd /var/yp/
[root@node0 yp]# make passwd

或

 [root@node0 nis]# make -C /var/yp passwd

make: Entering directory `/var/yp'
Updating passwd.byname...
Updating passwd.byuid...
make: Leaving directory `/var/yp'

2. 开启Slave服务推送

将 /var/yp/Makefile中的NOPUSH定义修改为false  

[root@node0 nis]# grep "NOPUSH="/var/yp/Makefile
# slave servers (NOPUSH=true). If you have slaveservers, change this
# to "NOPUSH=false" and put all hostnamesof your slave servers in the file
NOPUSH=false
[root@node0 nis]#

3. 指定Slave服务主机，告诉master要把数据给谁->node1

[root@node0 nis]# cat /var/yp/ypservers
node0
node1
[root@node0 nis]#

4. 启动 ypxfrd服务

可以让 slave 服务器主动链接上 ypxfrd 来更新数据库， 可以免除系统管理原自己手动更新。

[root@node0 ~]# systemctl start ypxfrd

设置为自动启动

[root@node0 ~]# systemctl enable ypxfrd

此外，如果 master 机器想要直接将某些特定的数据库直接传给 slave 主机的话， 那么可以使用 yppush 这个指令。

例如：#yppush -h slave.abcnis  passwd.*

2.2   Slave server端配置

2.2.1  设置NIS域名

设置 NIS 的域名，新增如下内容

临时设置：

[root@node0 nis]# nisdomainname hikuss

永久设置：

 [root@node0 nis]# cat /etc/sysconfig/network

# Created by anaconda
NISDOMAIN=hikuss
YPSERV_ARGS="-p 1011"

2.2.2  设置hosts

设定IP地址与主机名的对应关系/etc/hosts，新增如下内容

[root@node0 nis]# cat /etc/hosts
192.168.192.90 node0
192.168.192.91 node1
192.168.192.92 node2

2.2.3  设置主要配置文件/etc/ypserv.conf

设定server端的主配置文件/etc/ypserv.conf 

[root@node0 nis]# cat /etc/ypserv.conf
#
# ypserv.conf   Inthis file you can set certain options for the NIS server,
#       andyou can deny or restrict access to certain maps based
#       on theoriginating host.
#
#       Seeypserv.conf(5) for a description of the syntax.
#

# Some options for ypserv. This things are all notneeded, if
# you have a Linux net.

# How many map file handles should be cached ?
files: 30

# Should we register ypserv with SLP ?
# slp: no
# After how many seconds we should re-register ypservwith SLP ?
# slp_timeout: 3600

# xfr requests are only allowed from ports <1024
xfr_check_port: yes

# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NISservers in your
# network that do not run the same server as you.
# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port
127.0.0.0/255.255.255.0     : * : * : none
192.168.192.0/255.255.255.0 : * : * : none
*                           : * : * : deny

# Not everybody should see the shadow passwords,not secure, since
# under MSDOG everbody is root and can access ports< 1024 !!!
*              : *       : shadow.byname    : port
*              : *      : passwd.adjunct.byname : port
# If you comment out the next rule, ypserv andrpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps.This will make
# the security check a little bit slower, but youonly have to
# change the keys on the master server, not theconfiguration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES,you should create
# a rule for them above, that's much faster.

2.2.4  设置防火墙

让yppasswdd启动在固定端口，方便防火墙管理 

[root@node0 nis]# vi /etc/sysconfig/yppasswdd
YPPASSWDD_ARGS="--port 1012"

2.2.5  启动及开机启动

启动如下命令： 

[root@node0 nis]# systemctlstart ypserv
[root@node0 nis]# systemctlstart rpcbind
[root@node0 nis]#

设置开机启动 

 [root@node0 nis]# systemctl enable ypserv
Created symlink from/etc/systemd/system/multi-user.target.wants/ypserv.service to/usr/lib/systemd/system/ypserv.service.
 [root@node0 nis]# systemctl enable rpcbind
Created symlink from/etc/systemd/system/sockets.target.wants/rpcbind.socket to/usr/lib/systemd/system/rpcbind.socket.
[root@node0 nis]#

2.2.6  拉取数据库

获取源数据库

[root@node1 nis]# /usr/lib64/yp/ypinit -s node0
The local host's domain name hasn't been set.  Please set it.

因为nisdomain没有设置，解决方法：

[root@node1 nis]# nisdomainname hikuss

继续测试：

[root@node1 nis]# /usr/lib64/yp/ypinit -s node0
We will need a few minutes to copy the data fromnode0.
Transferring netid.byname...
Trying ypxfrd ... not running
….

node1's NIS data base has been set up.
If there were warnings, please figure out what wentwrong, and fix it.

At this point, make sure that /etc/passwd and/etc/group have
been edited so that when the NIS is activated, thedata bases you
have just created will be used, instead of the /etcASCII files.
[root@node1 nis]#

原因是Master server端ypxfrd没有启动。解决方案如下：

[root@node0 ~]# systemctl start ypxfrd

继续获取：

[root@node1 nis]# /usr/lib64/yp/ypinit -s node0
We will need a few minutes to copy the data fromnode0.
Transferring netid.byname...
Trying ypxfrd ... success

Transferring mail.aliases...
Trying ypxfrd ... success
…
Transferring ypservers...
Trying ypxfrd ... success


node1's NIS data base has been set up.
If there were warnings, please figure out what wentwrong, and fix it.

At this point, make sure that /etc/passwd and/etc/group have
been edited so that when the NIS is activated, thedata bases you
have just created will be used, instead of the /etcASCII files.
[root@node1 nis]#

测试结果：

[root@node1 ~]# ypcat -h localhost passwd.byname
nisuser1:$1$2e4n/ePv$xnfaSHSSUZhApRpjHn1Lw.:1001:1001::/home/nisuser1:/bin/bash
nisuser2:$1$NBitWXE9$43ezdKoamgw0ze8PnIOtT/:1002:1002::/home/nisuser2:/bin/bash
nisuser3:$1$GUtQO.zB$38oGHfzgWGYG84cKa7bkZ0:1003:1003::/home/nisuser3:/bin/bash
nisuser4:$1$nc3FDwqx$aKhlazecXTmDSmGciCBkG1:1004:1004::/home/nisuser4:/bin/bash
nisuser5:$1$krWvFybT$yUwL3dCDVz0qp5Sg7wifX1:1005:1005::/home/nisuser5:/bin/bash
[root@node1 ~]#

2.2.7  设置数据同步时间

利用crontab设置数据同步时间，在/etc/crontab最后添加如下同步命令：

*/5 * * * * /usr/lib64/yp/ypxfr -h node0 passwd.byname
*/5 * * * * /usr/lib64/yp/ypxfr -h node0 passwd.byuid

更改配置文件/usr/lib64/yp/ypxfr_1perday，/usr/lib64/yp/ypxfr_1perhour， /usr/lib64/yp/ypxfr_2perday：

$YPBINDIR/ypxfr $map -h node0

2.3   Client端配置

安装软件：

[root@node2deps-centos72_1511]# rpm -ivh yp-tools-2.14-3.el7.x86_64.rpmypbind-1.37.1-7.el7.x86_64.rpm

/etc/sysconfig/network：加入 NIS 的域名

/etc/hosts：至少需要有各个 NIS 服务器的 IP 与主机名对应；

/etc/yp.conf：这个则是 ypbind 的主要配置文件，里面主要设定NIS 服务器所在

/etc/sysconfig/authconfig：规范账号登入时的允许认证机制；

/etc/pam.d/system-auth ：因为账号通常由 PAM 模块所管理， 所以必须要在 PAM 模块内加入 NIS 的支持才行！

/etc/nsswitch.conf ：设定账号密码与相关信息的查询顺序，默认是先找 /etc/passwd 再找 NIS 数据库；

2.3.1  设置NIS域名

设置 NIS 的域名，新增如下内容：

临时设置：

[root@node0 nis]# nisdomainname hikuss

永久设置：

 [root@node0 nis]# cat /etc/sysconfig/network

# Created by anaconda
NISDOMAIN=hikuss
YPSERV_ARGS="-p 1011"

2.3.2  设置hosts

设定IP地址与主机名的对应关系/etc/hosts，新增如下内容

[root@node0 nis]# cat /etc/hosts
192.168.192.90 node0
192.168.192.91 node1
192.168.192.92 node2

 

2.3.3  设施ypbind连接server-方法1

2.3.3.1     账户信息的读取顺序

配置账户信息的读取顺序

[root@node2 nis]# vim /etc/nsswitch.conf
…
passwd:    files nis sss
shadow:    files nis sss
group:     files nis sss
…
hosts:      files nis dns
…
[root@node2 nis]#

2.3.3.2     配置/etc/yp.conf

配置/etc/yp.conf，最后添加如下两行代码：

domain hikuss server node0
domain hikuss server node1
ypserver node0
ypserver node1

2.3.3.3     设置账号登入认证机制

登入时的允许认证机制 

[root@node2 nis]# grep NIS/etc/sysconfig/authconfig
USENIS=yes

2.3.3.4     设置PAM授权

修改文件/etc/pam.d/system-auth，增加nis

…
password   sufficient    pam_unix.so md5shadow nis nullok try_first_passuse_authtok
…

2.3.4  设施ypbind连接server-方法2

[root@node1 nis]#setup

1. 第一步：选择authentication

2. 第二步：设置nis

3. 第三步：设置nis服务器

  

2.3.5  启动及开机启动

启动如下命令：

[root@node0 nis]# systemctlstart rpcbind
[root@node0 nis]# systemctlstart ypbind
[root@node0 nis]#

设置开机启动 

[root@node2 nis]# systemctlenable ypbind
Created symlink from/etc/systemd/system/multi-user.target.wants/ypbind.service to /usr/lib/systemd/system/ypbind.service.
[root@node0 nis]# systemctlenable rpcbind
Created symlink from/etc/systemd/system/sockets.target.wants/rpcbind.socket to/usr/lib/systemd/system/rpcbind.socket.
[root@node0 nis]#

2.4   Client测试

2.4.1  yptest

yptest用来测试 server 端和 client 端能否正常通讯

#如果配置成功，会返回成功的结果

#如果返回fail，则根据提示进行排查

[root@node2 nis]# yptest
Test 1: domainname
Configured domainname is "hikuss"

Test 2: ypbind
Used NIS server: node0

Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, keynobody)

Test 4: yp_first
cephceph:$1$X9Z9IOh1$QJtLqBSk75qIf/h3oaRBO0:1000:1000:ceph:/home/ceph:/bin/bash

Test 5: yp_next
…
Test 6: yp_master
node0

Test 7: yp_order
1478832908

Test 8: yp_maplist
…

Test 9: yp_all
…
1 tests failed
[root@node2 nis]#

从这个测试当中可能发现一些错误，就是在 Test 3 出现的那个警告信息啦。只是说没有该数据库而已～ 该错误是可以忽略的。

重点在第 9 个步骤 yp_all 必须要有列出你 NIS server 上头的所有帐户信息，如果有出现账号相关数据的话，那么应该就算验证成功了！

  

2.4.2  ypwhich

ypwhich用来查看资料库映射数据

1. 查看NIS domain

[root@node2 nis]# ypwhich
node0
[root@node2 nis]#

2. 查看数据库映射 

[root@node2 nis]# ypwhich -x
Use "ethers"    for map "ethers.byname"
Use "aliases"   for map "mail.aliases"
Use "services"  for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks"  for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd"    for map "passwd.byname"
[root@node2 nis]#

2.4.3  ypcat

利用ypcat读取数据库内容 

[root@node2 nis]# ypcat -?
Usage: ypcat [-kt] [-d domain] [-h hostname]mapname | -x
ypcat - print values of all keys in a NIS database

  -ddomain      Use 'domain' instead of thedefault domain
  -hhostname    Query ypserv on 'hostname'instead the current one
  -k             Display map keys
  -t             Inhibits map nickname translation
  -x             Display the map nickname translationtable
  -?,--help     Give this help list
     --usage    Give a short usagemessage
     --version  Print program version
[root@node2 nis]#

1. 查看数据库映射 

[root@node2 nis]# ypcat -x
Use "ethers"    for map "ethers.byname"
Use "aliases"   for map "mail.aliases"
Use "services"  for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks"  for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd"    for map "passwd.byname"
[root@node2 nis]#

2. 查看数据库映射ypcat -k <map> 

[root@node2 nis]# ypcat -k passwd
cephceph:$1$X9Z9IOh1$QJtLqBSk75qIf/h3oaRBO0:1000:1000:ceph:/home/ceph:/bin/bash
nisuser1nisuser1:$1$2e4n/ePv$xnfaSHSSUZhApRpjHn1Lw.:1001:1001::/home/nisuser1:/bin/bash
nisuser2 nisuser2:$1$NBitWXE9$43ezdKoamgw0ze8PnIOtT/:1002:1002::/home/nisuser2:/bin/bash
nisuser3nisuser3:$1$GUtQO.zB$38oGHfzgWGYG84cKa7bkZ0:1003:1003::/home/nisuser3:/bin/bash
nisuser4nisuser4:$1$nc3FDwqx$aKhlazecXTmDSmGciCBkG1:1004:1004::/home/nisuser4:/bin/bash
nisuser5nisuser5:$1$krWvFybT$yUwL3dCDVz0qp5Sg7wifX1:1005:1005::/home/nisuser5:/bin/bash
[root@node2 nis]#

---轻轻地我走了，正如我轻轻地来---