network-nis.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<div class="PROCEDURE">
<ol type="1">
<li>
<pre class="PROGRAMLISTING">
nisdomainname="test-domain"
</pre>

This line will set the NIS domainname to <span class="emphasis"><i
class="EMPHASIS">test-domain</i></span> upon network setup (e.g. after reboot).<br />
<br />
</li>

<li>
<pre class="PROGRAMLISTING">
nis_server_enable="YES"
</pre>

This will tell FreeBSD to start up the NIS server processes when the networking is next
brought up.<br />
<br />
</li>

<li>
<pre class="PROGRAMLISTING">
nis_yppasswdd_enable="YES"
</pre>

This will enable the <tt class="COMMAND">rpc.yppasswdd</tt> daemon which, as mentioned
above, will allow users to change their NIS password from a client machine.<br />
<br />
</li>
</ol>
</div>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Depending on your NIS setup, you may need to add further entries. See the
<a href="network-nis.html#NETWORK-NIS-SERVER-IS-CLIENT">section about NIS servers that
are also NIS clients</a>, below, for details.</p>
</blockquote>
</div>

<p>Now, all you have to do is to run the command <tt class="COMMAND">/etc/netstart</tt>
as superuser. It will set up everything for you, using the values you defined in <tt
class="FILENAME">/etc/rc.conf</tt>.</p>
</div>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27109" name="AEN27109">19.9.4.2.2. Initializing the NIS
Maps</a></h4>

<p>The <span class="emphasis"><i class="EMPHASIS">NIS maps</i></span> are database files,
that are kept in the <tt class="FILENAME">/var/yp</tt> directory. They are generated from
configuration files in the <tt class="FILENAME">/etc</tt> directory of the NIS master,
with one exception: the <tt class="FILENAME">/etc/master.passwd</tt> file. This is for a
good reason; you do not want to propagate passwords to your <tt
class="USERNAME">root</tt> and other administrative accounts to all the servers in the
NIS domain. Therefore, before we initialize the NIS maps, you should:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">cp /etc/master.passwd /var/yp/master.passwd</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /var/yp</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">vi master.passwd</kbd>
</pre>

<p>You should remove all entries regarding system accounts (<tt
class="USERNAME">bin</tt>, <tt class="USERNAME">tty</tt>, <tt class="USERNAME">kmem</tt>,
<tt class="USERNAME">games</tt>, etc), as well as any accounts that you do not want to be
propagated to the NIS clients (for example <tt class="USERNAME">root</tt> and any other
UID 0 (superuser) accounts).</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Make sure the <tt class="FILENAME">/var/yp/master.passwd</tt> is neither
group nor world readable (mode 600)! Use the <tt class="COMMAND">chmod</tt> command, if
appropriate.</p>
</blockquote>
</div>

<p>When you have finished, it is time to initialize the NIS maps! FreeBSD includes a
script named <tt class="COMMAND">ypinit</tt> to do this for you (see its manual page for
more information). Note that this script is available on most <span
class="TRADEMARK">UNIX</span> Operating Systems, but not on all. On Digital UNIX/Compaq
Tru64 UNIX it is called <tt class="COMMAND">ypsetup</tt>. Because we are generating maps
for an NIS master, we are going to pass the <var class="OPTION">-m</var> option to <tt
class="COMMAND">ypinit</tt>. To generate the NIS maps, assuming you already performed the
steps above, run:</p>

<pre class="SCREEN">
ellington<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ypinit -m test-domain</kbd>
Server Type: MASTER Domain: test-domain
Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.
Do you want this procedure to quit on non-fatal errors? [y/n: n] <kbd
class="USERINPUT">n</kbd>
Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
At this point, we have to construct a list of this domains YP servers.
rod.darktech.org is already known as master server.
Please continue to add any slave servers, one per line. When you are
done with the list, type a &lt;control D&gt;.
master server   :  ellington
next host to add:  <kbd class="USERINPUT">coltrane</kbd>
next host to add:  <kbd class="USERINPUT">^D</kbd>
The current list of NIS servers looks like this:
ellington
coltrane
Is this correct?  [y/n: y] <kbd class="USERINPUT">y</kbd>

[..output from map generation..]

NIS Map update completed.
ellington has been setup as an YP master server without any errors.
</pre>

<p><tt class="COMMAND">ypinit</tt> should have created <tt
class="FILENAME">/var/yp/Makefile</tt> from <tt
class="FILENAME">/var/yp/Makefile.dist</tt>. When created, this file assumes that you are
operating in a single server NIS environment with only FreeBSD machines. Since <span
class="emphasis"><i class="EMPHASIS">test-domain</i></span> has a slave server as well,
you must edit <tt class="FILENAME">/var/yp/Makefile</tt>:</p>

<pre class="SCREEN">
ellington<samp class="PROMPT">#</samp> <kbd class="USERINPUT">vi /var/yp/Makefile</kbd>
</pre>

<p>You should comment out the line that says</p>

<pre class="PROGRAMLISTING">
NOPUSH = "True"
</pre>

<p>(if it is not commented out already).</p>
</div>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27164" name="AEN27164">19.9.4.2.3. Setting up a NIS Slave
Server</a></h4>

<p>Setting up an NIS slave server is even more simple than setting up the master. Log on
to the slave server and edit the file <tt class="FILENAME">/etc/rc.conf</tt> as you did
before. The only difference is that we now must use the <var class="OPTION">-s</var>
option when running <tt class="COMMAND">ypinit</tt>. The <var class="OPTION">-s</var>
option requires the name of the NIS master be passed to it as well, so our command line
looks like:</p>

<pre class="SCREEN">
coltrane<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">ypinit -s ellington test-domain</kbd>

Server Type: SLAVE Domain: test-domain Master: ellington

Creating an YP server will require that you answer a few questions.
Questions will all be asked at the beginning of the procedure.

Do you want this procedure to quit on non-fatal errors? [y/n: n]  <kbd
class="USERINPUT">n</kbd>

Ok, please remember to go back and redo manually whatever fails.
If you don't, something might not work.
There will be no further questions. The remainder of the procedure
should take a few minutes, to copy the databases from ellington.
Transferring netgroup...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byuser...
ypxfr: Exiting: Map successfully transferred
Transferring netgroup.byhost...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byuid...
ypxfr: Exiting: Map successfully transferred
Transferring passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring group.bygid...
ypxfr: Exiting: Map successfully transferred
Transferring group.byname...
ypxfr: Exiting: Map successfully transferred
Transferring services.byname...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring rpc.byname...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.byname...
ypxfr: Exiting: Map successfully transferred
Transferring master.passwd.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byname...
ypxfr: Exiting: Map successfully transferred
Transferring networks.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring netid.byname...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byaddr...
ypxfr: Exiting: Map successfully transferred
Transferring protocols.bynumber...
ypxfr: Exiting: Map successfully transferred
Transferring ypservers...
ypxfr: Exiting: Map successfully transferred
Transferring hosts.byname...
ypxfr: Exiting: Map successfully transferred

coltrane has been setup as an YP slave server without any errors.
Don't forget to update map ypservers on ellington.
</pre>

<p>You should now have a directory called <tt class="FILENAME">/var/yp/test-domain</tt>.
Copies of the NIS master server's maps should be in this directory. You will need to make
sure that these stay updated. The following <tt class="FILENAME">/etc/crontab</tt>
entries on your slave servers should do the job:</p>

<pre class="PROGRAMLISTING">
20      *       *       *       *       root   /usr/libexec/ypxfr passwd.byname
21      *       *       *       *       root   /usr/libexec/ypxfr passwd.byuid
</pre>

<p>These two lines force the slave to sync its maps with the maps on the master server.
Although these entries are not mandatory, since the master server attempts to ensure any
changes to its NIS maps are communicated to its slaves and because password information
is vital to systems depending on the server, it is a good idea to force the updates. This
is more important on busy networks where map updates might not always complete.</p>

<p>Now, run the command <tt class="COMMAND">/etc/netstart</tt> on the slave server as
well, which again starts the NIS server.</p>
</div>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN27185" name="AEN27185">19.9.4.3. NIS Clients</a></h3>

<p>An NIS client establishes what is called a binding to a particular NIS server using
the <tt class="COMMAND">ypbind</tt> daemon. <tt class="COMMAND">ypbind</tt> checks the
system's default domain (as set by the <tt class="COMMAND">domainname</tt> command), and
begins broadcasting RPC requests on the local network. These requests specify the name of
the domain for which <tt class="COMMAND">ypbind</tt> is attempting to establish a
binding. If a server that has been configured to serve the requested domain receives one
of the broadcasts, it will respond to <tt class="COMMAND">ypbind</tt>, which will record
the server's address. If there are several servers available (a master and several
slaves, for example), <tt class="COMMAND">ypbind</tt> will use the address of the first
one to respond. From that point on, the client system will direct all of its NIS requests
to that server. <tt class="COMMAND">ypbind</tt> will occasionally ``ping'' the server to
make sure it is still up and running. If it fails to receive a reply to one of its pings
within a reasonable amount of time, <tt class="COMMAND">ypbind</tt> will mark the domain
as unbound and begin broadcasting again in the hopes of locating another server.</p>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN27197" name="AEN27197">19.9.4.3.1. Setting Up a NIS
Client</a></h4>

<p>Setting up a FreeBSD machine to be a NIS client is fairly straightforward.</p>

<div class="PROCEDURE">
<ol type="1">
<li>
<p>Edit the file <tt class="FILENAME">/etc/rc.conf</tt> and add the following lines in
order to set the NIS domainname and start <tt class="COMMAND">ypbind</tt> upon network
startup:</p>

<pre class="PROGRAMLISTING">
nisdomainname="test-domain"
nis_client_enable="YES"
</pre>
</li>

<li>
<p>To import all possible password entries from the NIS server, remove all user accounts
from your <tt class="FILENAME">/etc/master.passwd</tt> file and use <tt
class="COMMAND">vipw</tt> to add the following line to the end of the file:</p>

<pre class="PROGRAMLISTING">
+:::::::::
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> This line will afford anyone with a valid account in the NIS server's
password maps an account. There are many ways to configure your NIS client by changing
this line. See the <a href="network-nis.html#NETWORK-NETGROUPS">netgroups section</a>
below for more information. For more detailed reading see O'Reilly's book on <var
class="LITERAL">Managing NFS and NIS</var>.</p>
</blockquote>
</div>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> You should keep at least one local account (i.e. not imported via NIS) in
your <tt class="FILENAME">/etc/master.passwd</tt> and this account should also be a
member of the group <tt class="GROUPNAME">wheel</tt>. If there is something wrong with
NIS, this account can be used to log in remotely, become root, and fix things.</p>
</blockquote>
</div>
</li>

<li>
<p>To import all possible group entries from the NIS server, add this line to your <tt
class="FILENAME">/etc/group</tt> file:</p>

<pre class="PROGRAMLISTING">
+:*::
</pre>
</li>
</ol>
</div>

<p>After completing these steps, you should be able to run <tt class="COMMAND">ypcat
passwd</tt> and see the NIS server's passwd map.</p>
</div>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN27228" name="AEN27228">19.9.5. NIS Security</a></h2>

<p>In general, any remote user can issue an RPC to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ypserv</span>(8)</span> and retrieve the contents of your NIS maps,
provided the remote user knows your domainname. To prevent such unauthorized
transactions, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ypserv</span>(8)</span> supports a feature called securenets which
can be used to restrict access to a given set of hosts. At startup, <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ypserv</span>(8)</span> will attempt to
load the securenets information from a file called <tt
class="FILENAME">/var/yp/securenets</tt>.</p>

<div class="NOTE">
<blockquote class="NOTE">