Simplest Enterprise Continuous Integration Solutions

Saturday, February 26, 2011

Enterprise Linux - NIS Configuration

  • NIS Server
Make sure portmap, ypserv (which also provides rpc.yppasswdd and rpc.ypxfrd), ypbind and yp-tools are installed
[root@linux64-server ~]# yum install ypserv ypbind yp-tools -y
[root@linux64-server ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=linux64-server
DHCP_HOSTNAME=linux64-server
NISDOMAIN=MY-NIS-NETWORK
[root@linux64-server ~]# cat /etc/yp.conf
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
#       Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
#       Use  broadcast  on  the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
#       Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
#       Use server HOSTNAME for the  local  domain.  The
#       IP-address of server must be listed in /etc/hosts.
#
# broadcast
#       If no server for the default domain is specified or
#       none of them is reachable, try a broadcast call to
#       find a server.
#
domain MY-NIS-NETWORK server 10.3.20.100
[root@linux64-server ~]# cat /etc/ypserv.conf
#
# ypserv.conf   In this file you can set certain options for the NIS server,
#               and you can deny or restrict access to certain maps based
#               on the originating host.
#
#               See ypserv.conf(5) for a description of the syntax.
#


# Some options for ypserv. None of these are needed if
# your network is all Linux.


# Should we do DNS lookups for hosts not found in the hosts table ?
# This option is currently ignored.
dns: no


# How many map file handles should be cached ?
files: 30


# Should we register ypserv with SLP ?
#slp: no
# After how many seconds we should re-register ypserv with SLP ?
#slp_timeout: 3600


# xfr requests are only allowed from ports < 1024
xfr_check_port: yes


# The following, when uncommented,  will give you shadow like passwords.
# Note that it will not work if you have slave NIS servers in your
# network that do not run the same server as you.


# Host                     : Domain  : Map              : Security
#
# *                        : *       : passwd.byname    : port
# *                        : *       : passwd.byuid     : port


# Not everybody should see the shadow passwords, not secure, since
# under MSDOG everybody is root and can access ports < 1024 !!!
*                          : *       : shadow.byname    : port
*                          : *       : passwd.adjunct.byname : port


# If you comment out the next rule, ypserv and rpc.ypxfrd will
# look for YP_SECURE and YP_AUTHDES in the maps. This will make
# the security check a little bit slower, but you only have to
# change the keys on the master server, not the configuration files
# on each NIS server.
# If you have maps with YP_SECURE or YP_AUTHDES, you should create
# a rule for them above, that's much faster.
# *                        : *       : *                : none
[root@linux64-server ~]# domainname MY-NIS-NETWORK
[root@linux64-server ~]# ypdomainname MY-NIS-NETWORK 
[root@linux64-server yp]# cat /var/yp/securenets
host 127.0.0.1
255.255.255.0   10.3.20.0
[root@linux64-server ~]# service portmap restart
Stopping portmap:                                          [  OK  ]
Starting portmap:                                          [  OK  ]
[root@linux64-server ~]# chkconfig portmap on
[root@linux64-server ~]# service ypserv restart
Stopping YP server services:                               [  OK  ]
Starting YP server services:                               [  OK  ] 
[root@linux64-server ~]# chkconfig ypserv on
[root@linux64-server ~]# rpcinfo -u localhost ypserv
program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting
[root@linux64-server ~]# /usr/lib64/yp/ypinit -m


At this point, we have to construct a list of the hosts which will run NIS
servers.  linux64-server is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
        next host to add:  linux64-server
        next host to add:
The current list of NIS servers looks like this:


linux64-server


Is this correct?  [y/n: y]  y
We need a few minutes to build the databases...
Building /var/yp/MY-NIS-NETWORK/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/MY-NIS-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/MY-NIS-NETWORK'


linux64-server has been set up as a NIS master server.


Now you can run ypinit -s linux64-server on all slave server.
[root@linux64-server ~]# service ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.
[root@linux64-server ~]# chkconfig ypbind on
[root@linux64-server ~]# service yppasswdd start
Starting YP passwd service:                                [  OK  ]
[root@linux64-server ~]# chkconfig yppasswdd on
[root@linux64-server ~]# service ypxfrd start
Starting YP map server:                                    [  OK  ]
[root@linux64-server ~]# chkconfig ypxfrd on
  • NIS user
[root@linux64-server ~]# useradd -g users nisuser
[root@linux64-server ~]# passwd nisuser
Changing password for user nisuser.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@linux64-server ~]# cd /var/yp
[root@linux64-server yp]# make
gmake[1]: Entering directory `/var/yp/MY-NIS-NETWORK'
Updating passwd.byname...
Updating passwd.byuid...
Updating netid.byname...
gmake[1]: Leaving directory `/var/yp/MY-NIS-NETWORK'
  • NIS Client
Make sure portmap, ypbind and yp-tools are installed (yppasswdd is a server-side daemon and is not needed on a client)
[root@linux64-client1 ~]# cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=linux64-client1
DHCP_HOSTNAME=linux64-client1
NISDOMAIN=MY-NIS-NETWORK
[root@linux64-client1 ~]# cat /etc/yp.conf
# /etc/yp.conf - ypbind configuration file
# Valid entries are
#
# domain NISDOMAIN server HOSTNAME
#       Use server HOSTNAME for the domain NISDOMAIN.
#
# domain NISDOMAIN broadcast
#       Use  broadcast  on  the local net for domain NISDOMAIN
#
# domain NISDOMAIN slp
#       Query local SLP server for ypserver supporting NISDOMAIN
#
# ypserver HOSTNAME
#       Use server HOSTNAME for the  local  domain.  The
#       IP-address of server must be listed in /etc/hosts.
#
# broadcast
#       If no server for the default domain is specified or
#       none of them is reachable, try a broadcast call to
#       find a server.
#
domain MY-NIS-NETWORK server 10.3.20.100
[root@linux64-client1 ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1               localhost.localdomain localhost
::1             localhost6.localdomain6 localhost6
10.3.20.100     linux64-server
[root@linux64-client1 ~]# domainname MY-NIS-NETWORK
[root@linux64-client1 ~]# ypdomainname MY-NIS-NETWORK 
[root@linux64-client1 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nisplus or nis+         Use NIS+ (NIS version 3)
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       [NOTFOUND=return]       Stop searching if not found so far
#


# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis



passwd:     files       nis
shadow:     files       nis
group:      files       nis


#hosts:     db files nisplus nis dns
hosts:      files dns


# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files


bootparams: nisplus [NOTFOUND=return] files


ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files


netgroup:   nisplus


publickey:  nisplus


automount:  files nisplus
aliases:    files nisplus
[root@linux64-client1 ~]# service portmap start
Starting portmap:                                          [  OK  ]
[root@linux64-client1 ~]# chkconfig portmap on
[root@linux64-client1 ~]# service ypbind start
Binding to the NIS domain:                                 [  OK  ]
Listening for an NIS domain server.
[root@linux64-client1 ~]# chkconfig ypbind on
[root@linux64-client1 ~]# rpcinfo -u localhost ypbind
program 100007 version 1 ready and waiting
program 100007 version 2 ready and waiting
[root@linux64-client1 ~]# ypcat passwd

nisuser:$1$/iEACA7I$S.nInc1zfDgZk9wh0NgvN/:502:100::/home/nisuser:/bin/bash
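The `ypcat passwd` output above is the check worth paying attention to: it hands nisuser's MD5-crypt hash to any client, because the stock /var/yp/Makefile on RHEL/CentOS 5 sets MERGE_PASSWD=true and merges /etc/shadow into passwd.byname and passwd.byuid. The `port` rules in ypserv.conf only cover shadow.byname and passwd.adjunct.byname, so they do nothing for the merged map. Setting MERGE_PASSWD=false in /var/yp/Makefile, adding `shadow` to its `all:` target and running `make` in /var/yp again puts an "x" in the passwd map and serves hashes only through shadow.byname, which ypserv then restricts to privileged source ports. Even so, /var/yp/securenets is only a source-address filter (spoofable for UDP RPC) and the NIS domain name is the only other secret, so root on any host in 10.3.20.0/24 can still dump the hashes; treat NIS as a convenience on a trusted segment, not as an authentication boundary. The script below is an added example, not part of the original post: it audits a passwd-map dump for exposed hashes and a securenets file for wildcard or malformed entries. The sample lines it feeds itself are constructed (the first copies the nisuser entry above); after sourcing the file you can run the real thing with `ypcat passwd | exposed_hashes` and `securenets_check /var/yp/securenets`.

```shell
#!/bin/sh
# nis-audit.sh: two checks to run after 'make' in /var/yp and from every client.
# Added example for this post, not part of the original page. Assumes POSIX sh
# and awk; the sample data at the bottom is constructed, not captured live.

# exposed_hashes [FILE]
#   Reads passwd-map lines (the format 'ypcat passwd' prints) from FILE or
#   stdin and prints one line per account whose password field is a real
#   hash rather than the shadow marker "x" or a locked value (*, !, !!, empty).
#   Returns 1 if any hash is exposed, 0 otherwise.
exposed_hashes() {
    awk -F: '
        NF < 7 { next }                                  # ignore junk lines
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" {
            printf "EXPOSED %s uid=%s hash=%s\n", $1, $3, substr($2, 1, 3) "..."
            found = 1
        }
        END { exit found }
    ' ${1:+"$1"}
}

# securenets_check [FILE]
#   Reads /var/yp/securenets syntax ("host A.B.C.D" or "NETMASK NETWORK") and
#   flags entries that admit every source address or that are malformed.
#   Returns 1 if anything is flagged, 0 otherwise.
securenets_check() {
    awk '
        /^[[:space:]]*#/ { next }                        # comments
        NF == 0 { next }                                 # blank lines
        NF != 2 { printf "BAD %s (expected two fields)\n", $0; found = 1; next }
        $1 == "host" { next }                            # single host, fine
        $1 == "0.0.0.0" {
            printf "OPEN %s %s (netmask 0.0.0.0 admits every source address)\n", $1, $2
            found = 1; next
        }
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            printf "BAD %s (not a netmask/network pair)\n", $0; found = 1
        }
        END { exit found }
    ' ${1:+"$1"}
}

# Demo on constructed data. The first passwd line is the post's own
# 'ypcat passwd' output (merged map, hash visible); the second is what the
# same entry looks like once MERGE_PASSWD=false is in effect.
printf '%s\n' \
    'nisuser:$1$/iEACA7I$S.nInc1zfDgZk9wh0NgvN/:502:100::/home/nisuser:/bin/bash' \
    'nisuser2:x:503:100::/home/nisuser2:/bin/bash' \
    'svc:!!:504:100::/var/empty:/sbin/nologin' \
    | exposed_hashes || echo "==> password hashes are readable by every NIS client"

printf '%s\n' 'host 127.0.0.1' '255.255.255.0 10.3.20.0' '0.0.0.0 0.0.0.0' \
    | securenets_check || echo "==> fix /var/yp/securenets before starting ypserv"
```

Both functions read stdin when no file is given, so they drop straight into a pipeline from `ypcat`; the securenets check is deliberately strict about the two-field form because ypserv silently ignores lines it cannot parse, which can leave the file more permissive than it looks.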

Saturday, February 5, 2011

Enterprise Linux - NFS Configuration

Export a file system (here /home) from the linux64-server host (IP address 10.3.20.100) and mount it on linux64-client1 (IP address 10.3.20.201) and linux64-client2 (IP address 10.3.20.202).
  • NFS Server
Make sure the nfs-utils and portmap packages are installed and the nfslock, nfs and portmap services are running.
Verify filesystems
[root@linux64-server ~]# cat /proc/filesystems
nodev   sysfs
nodev   rootfs
nodev   bdev
nodev   proc
nodev   cgroup
nodev   cpuset
nodev   tmpfs
nodev   binfmt_misc
nodev   debugfs
nodev   securityfs
nodev   sockfs
nodev   usbfs
nodev   pipefs
nodev   anon_inodefs
nodev   inotifyfs
nodev   devpts
        ext3
        ext4
nodev   ramfs
nodev   hugetlbfs
        iso9660
nodev   mqueue
nodev   rpc_pipefs
nodev   autofs
nodev   nfsd
Verify portmap tcp/udp port
[root@linux64-server ~]# cat /etc/services | grep 111
sunrpc          111/tcp         portmapper      # RPC 4.0 portmapper TCP
sunrpc          111/udp         portmapper      # RPC 4.0 portmapper UDP
nfsd-status     1110/tcp                        # Cluster status info
Verify nfsd tcp/udp port
[root@linux64-server ~]# cat /etc/services | grep 2049
nfs             2049/tcp        nfsd
nfs             2049/udp        nfsd
Verify nfs functioning
[root@linux64-server ~]# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    649  status
    100024    1   tcp    652  status
    100011    1   udp    980  rquotad
    100011    2   udp    980  rquotad
    100011    1   tcp    983  rquotad
    100011    2   tcp    983  rquotad
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    4   udp   2049  nfs
    100021    1   udp  52604  nlockmgr
    100021    3   udp  52604  nlockmgr
    100021    4   udp  52604  nlockmgr
    100021    1   tcp  34614  nlockmgr
    100021    3   tcp  34614  nlockmgr
    100021    4   tcp  34614  nlockmgr
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100005    1   udp   1003  mountd
    100005    1   tcp   1006  mountd
    100005    2   udp   1003  mountd
    100005    2   tcp   1006  mountd
    100005    3   udp   1003  mountd
    100005    3   tcp   1006  mountd
Server exports file

By default NFS maps the remote root user to nfsnobody (root_squash), an unprivileged account: files a remote root creates on the share are owned by nfsnobody, so a setuid binary planted that way is setuid nfsnobody rather than setuid root.
With no_root_squash, root on any listed client is root on the exported tree and can change any file or leave trojaned binaries for other users to execute. Two caveats apply even with root_squash: it covers only UID 0, and NFSv3 with AUTH_SYS (the default used here) trusts whatever UID the client presents, so root on an allowed client can still su to any ordinary user and read or write that user's home directory. The client list in /etc/exports is therefore the real access control, and clients should mount /home with nosuid,nodev so that setuid programs on the share are not honoured.
[root@linux64-server ~]# cat /etc/exports

/home 10.3.20.201(rw,sync) 10.3.20.202(rw,sync)

[root@linux64-server ~]# exportfs -a
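Because the client list is the only thing standing between the network and /home, it pays to lint /etc/exports before `exportfs -a` rather than after. The three mistakes that matter most are a client address outside the intended subnet (a one-digit typo such as 10.3.23.202 for 10.3.20.202 quietly exports to a different network), a space between the client and its option list (`/opt 10.3.20.201 (rw)` exports /opt read-write to every host, because options with no client apply to `*`), and `no_root_squash` or `insecure` on a line that does not need them. The script below is an added example, not part of the original post: it parses the exports format line by line and reports those cases. The expected address prefix (10.3.20.) is an assumption taken from this post's addressing, and the sample exports it audits are constructed, with the first line being the post's own entry as originally typed.

```shell
#!/bin/sh
# exports-audit.sh: flag risky entries in an /etc/exports file.
# Added example for this post, not part of the original page. Assumes POSIX sh
# and awk. Backslash-continued lines are not joined; keep one export per line.

# audit_exports PREFIX [FILE]
#   PREFIX is the dotted address prefix every numeric client is expected to
#   start with (e.g. "10.3.20."). Reads FILE or stdin, prints one
#   "WARN <path> <client> <reason>" line per finding and returns 1 if anything
#   was flagged, 0 otherwise.
audit_exports() {
    prefix=$1; file=${2:-}
    awk -v prefix="$prefix" '
        function warn(pth, h, why) {
            printf "WARN %s %s %s\n", pth, (h == "" ? "(everyone)" : h), why
            bad = 1
        }
        /^[[:space:]]*#/ { next }              # comments
        NF == 0 { next }                       # blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {
                tok = $i; host = tok; opts = ""
                p = index(tok, "(")
                if (p > 0) {                   # split "client(opt,opt)"
                    host = substr(tok, 1, p - 1)
                    opts = substr(tok, p + 1, length(tok) - p - 1)
                }
                # "client (rw)" with a space: the option list applies to *
                if (host == "")
                    warn(path, host, "options with no client: a space before \"(\" exports this to every host")
                else if (host == "*")
                    warn(path, host, "wildcard client: any host that can reach mountd may mount it")
                else if (host ~ /^[0-9]/ && index(host, prefix) != 1)
                    warn(path, host, "client outside expected prefix " prefix " (typo?)")
                if (opts ~ /(^|,)no_root_squash(,|$)/)
                    warn(path, host, "no_root_squash: remote root keeps uid 0 on the export")
                if (opts ~ /(^|,)insecure(,|$)/)
                    warn(path, host, "insecure: requests accepted from non-reserved source ports")
            }
        }
        END { exit bad }
    ' ${file:+"$file"}
}

# Demo on a constructed exports file. The first line is the post's own entry
# as originally typed (10.3.23.202 instead of 10.3.20.202); the rest are the
# classic mistakes the audit is meant to catch.
printf '%s\n' \
    '/home 10.3.20.201(rw,sync) 10.3.23.202(rw,sync)' \
    '/srv  10.3.20.0/24(rw,no_root_squash,insecure)' \
    '/pub  *(ro)' \
    '/opt  10.3.20.201 (rw)' \
    | audit_exports 10.3.20. || echo "==> review /etc/exports before running exportfs -a"
```

Run it against the live file with `audit_exports 10.3.20. /etc/exports` after sourcing the script; a non-zero exit makes it usable as a guard in whatever deploys the exports file. The prefix check is deliberately simple (a string prefix, not a CIDR match), which is enough to catch the transposed-octet class of typo without a dependency beyond awk.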

Start daemons

[root@linux64-server ~]# chkconfig nfslock on
[root@linux64-server ~]# service nfslock start
Starting NFS statd:                                        [  OK  ]
[root@linux64-server ~]# chkconfig portmap on
[root@linux64-server ~]# service portmap start
Starting portmapper:                                       [  OK  ]
[root@linux64-server ~]# chkconfig nfs on
[root@linux64-server ~]# service nfs restart
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down NFS services:                                [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
  • NFS Client
Make sure the nfs-utils and portmap packages are installed and the netfs, nfslock and portmap services are running (netfs comes with initscripts and mounts the network file systems listed in /etc/fstab at boot).

[root@linux64-client1 ~]# chkconfig nfslock on
[root@linux64-client1 ~]# service nfslock start 
Starting NFS statd:                                        [  OK  ]
[root@linux64-client1 ~]# chkconfig portmap on
[root@linux64-client1 ~]# service portmap start
Starting portmapper:                                       [  OK  ]
[root@linux64-client1 ~]# chkconfig netfs on
[root@linux64-client1 ~]# service netfs start
Mounting other filesystems:                                [  OK  ]
[root@linux64-client1 ~]# mv /home /home.save
[root@linux64-client1 ~]# mkdir /home
Manual mount
[root@linux64-client1 ~]# mount 10.3.20.100:/home /home
[root@linux64-client1 ~]# umount /home
Configure /etc/fstab automount
[root@linux64-client1 ~]# echo "10.3.20.100:/home /home nfs defaults 0 0" >> /etc/fstab
[root@linux64-client1 ~]# mount -a
[root@linux64-client1 ~]# mount
/dev/mapper/VolGroup00-LogVol00 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on /boot type ext3 (rw)
tmpfs on /dev/shm type tmpfs (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
10.3.20.100:/home on /home type nfs (rw,addr=10.3.20.100)