[Freeipa-devel] nis plug-in setup question

yi zhang yzhang at redhat.com
Wed May 6 22:10:23 UTC 2009


Rob Crittenden wrote:
> yi zhang wrote:
>> Nalin:
>> I need your help to determine whether I have any missed step(s) in my 
>> configuration.
>>
>> I am trying to configure the IPA (v2) server as a NIS server, and here is the 
>> config I have in ds:
>> ---
>> dn: cn=NIS Server, cn=plugins, cn=config
>> objectClass: top
>> objectClass: nsSlapdPlugin
>> objectClass: extensibleObject
>> cn: NIS Server
>> nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
>> nsslapd-pluginInitfunc: nis_plugin_init
>> nsslapd-pluginType: object
>> nsslapd-pluginEnabled: on
>> nsslapd-pluginDescription: NIS Server Plugin
>> nsslapd-pluginVendor: redhat.com
>> nsslapd-pluginVersion: 0
>> nsslapd-pluginID: nis-plugin
>> nis-tcp-wrappers-name: ypserv
>> nsslapd-pluginarg0: 514
>> -------------
>> dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS 
>> Server,cn=plugins,cn=config
>> objectclass: extensibleObject
>> nis-domain: idm.lab.bos.redhat.com
>> nis-map: users
>> nis-base: ou=People, dc=example, dc=com
>> nis-base: ou=nisGroup, 
>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>> nis-filter: (objectClass=posixAccount)
>> nis-key-format: %{uid}
>> nis-value-format: 
>> %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some 
>> Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
>> nis-disallowed-chars: :
>> -----------------
>>
>> I have such data there:
>>
>> [root at mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D 
>> "cn=directory manager" -w redhat123 -s sub -b 
>> "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
>> version: 1
>> dn: uid=nisuser12, ou=nisGroup, 
>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
>> dc=com
>> objectClass: top
>> objectClass: posixAccount
>> cn: nisuser
>> uid: nisuser12
>> uidNumber: 30001
>> gidNumber: 3001
>> homeDirectory: /home/nisuser01
>> loginShell: /bin/bash
>> userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==
>>
>> ===========
>>
>> After I configured one NIS client to connect to this server 
>> (mv32a-vm.idm.lab.bos.redhat.com),
>>
>> <QA>[root at mv64a-vm ~]# authconfig-tui
>> Stopping portmap:                                          [  OK  ]
>> Starting portmap:                                          [  OK  ]
>> Shutting down NIS services:                                [  OK  ]
>> Turning on allow_ypbind SELinux boolean
>> Binding to the NIS domain:                                 [  OK  ]
>> Listening for an NIS domain server..
>> <QA>[root at mv64a-vm ~]#
>> <QA>[root at mv64a-vm ~]#
>> <QA>[root at mv64a-vm ~]#
>> <QA>[root at mv64a-vm ~]#
>> <QA>[root at mv64a-vm ~]# getent passwd | grep nisuser
>> <QA>[root at mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
>>   program vers proto   port
>>    100000    2   tcp    111  portmapper
>>    100000    2   udp    111  portmapper
>>    100024    1   udp    918  status
>>    100024    1   tcp    921  status
>>    100021    1   udp  36144  nlockmgr
>>    100021    3   udp  36144  nlockmgr
>>    100021    4   udp  36144  nlockmgr
>>    100021    1   tcp  39591  nlockmgr
>>    100021    3   tcp  39591  nlockmgr
>>    100021    4   tcp  39591  nlockmgr
>>    100004    2   udp    541  ypserv
>>    100004    2   tcp    541  ypserv
>> <QA>[root at mv64a-vm ~]# ssh nisuser12 at mv64a-vm.idm.lab.bos.redhat.com
>> The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com 
>> (10.16.98.120)' can't be established.
>> RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
>> Are you sure you want to continue connecting (yes/no)? yes
>> Warning: Permanently added 
>> 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of 
>> known hosts.
>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>> Permission denied, please try again.
>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>> Permission denied, please try again.
>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>> Permission denied (publickey,gssapi-with-mic,password).
>>
>> <QA>[root at mv64a-vm ~]# vi /var/log/secure
>> May  6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error 
>> retrieving information about user nisuser12
>> May  6 03:23:58 mv64a-vm sshd[2979]: Failed password for invalid user 
>> nisuser12 from 10.16.98.120 port 55116 ssh2
>> May  6 03:23:59 mv64a-vm sshd[2980]: Connection closed by 10.16.98.120
>> May  6 03:23:59 mv64a-vm sshd[2979]: PAM 2 more authentication 
>> failures; logname= uid=0 euid=0 tty=ssh ruser= 
>> rhost=mv64a-vm.idm.lab.bos.redhat.com
>>
>> yp.conf on client (mv64a-vm) has only one line
>> domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com
>>
>> /etc/nsswitch.conf has
>> hosts:      files nis dns
>>
>> The firewall is not an issue; I stopped iptables on both client and server.
>>
>> What did I do wrong?
>>
>> Thanks
>
> I have code and config that will do this for you sort of automagically 
> in IPA (at least for passwd and group). I haven't tested it with nss 
> yet but it works with ypcat.
What is the command to config it, and what are the procedures?
Thanks!

Yi
>
> Nalin is working on an issue in slapi-nis I found today and once 
> that's resolved I'll feel comfortable releasing my patch, then you can 
> give it a go.
>
> So if you can hold off a day or two it may be better to test my 
> configuration.
>
> rob
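Added example, not code from this thread or from slapi-nis itself: a small Python model of what the quoted `users` map configuration does to the posixAccount entry from the `ldapsearch` output, so the `%{attr}` / `%{attr:-default}` substitutions, the nested `%{gecos:-%{cn:-Some Unnamed User}}` default, the `nis-filter` and `nis-disallowed-chars: :` can be checked on sample data before a client is pointed at the server. Assumptions: the value format is written with the `:-` default specifier throughout (the thread's `%{userPassword-:*}` is read as "userPassword, defaulting to `*`"); an entry is skipped when a substituted value contains a disallowed character or when a required attribute has neither a value nor a default; only the simple `(attr=value)` filter shape is modelled. The extra entries beyond `nisuser12` are constructed here.

```python
import re
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

# Constructed sample entries: the first is the posixAccount from the ldapsearch
# output in the thread (its SSHA value is the sample shown there); the rest are
# made up here to exercise defaults, skipping and filtering.
ENTRIES: List[Entry] = [
    {"objectClass": ["top", "posixAccount"], "cn": ["nisuser"], "uid": ["nisuser12"],
     "uidNumber": ["30001"], "gidNumber": ["3001"], "homeDirectory": ["/home/nisuser01"],
     "loginShell": ["/bin/bash"],
     "userPassword": ["{SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw=="]},
    # no cn/gecos/userPassword/loginShell: every default in the format fires
    {"objectClass": ["top", "posixAccount"], "uid": ["nisuser13"], "uidNumber": ["30002"],
     "gidNumber": ["3001"], "homeDirectory": ["/home/nisuser13"]},
    # a ':' inside a substituted value would corrupt the passwd line: entry is skipped
    {"objectClass": ["top", "posixAccount"], "uid": ["badhome"], "uidNumber": ["30003"],
     "gidNumber": ["3001"], "homeDirectory": ["/home/bad:home"]},
    # not a posixAccount: excluded by nis-filter
    {"objectClass": ["top", "person"], "uid": ["notposix"], "cn": ["Not Posix"]},
]

# The users map from the thread, with ':-' as the default specifier throughout
# (assumption: the thread's '%{userPassword-:*}' means "userPassword, default '*'").
MAP_CONFIG = {
    "nis-filter": "(objectClass=posixAccount)",
    "nis-key-format": "%{uid}",
    "nis-value-format": ("%{uid}:%{userPassword:-*}:%{uidNumber}:%{gidNumber}:"
                         "%{gecos:-%{cn:-Some Unnamed User}}:%{homeDirectory}:"
                         "%{loginShell:-/bin/bash}"),
    "nis-disallowed-chars": ":",
}

_EQ_FILTER = re.compile(r"^\((\w+)=([^()=]+)\)$")


def lookup(entry: Entry, name: str) -> List[str]:
    """LDAP attribute names are case-insensitive."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])


def matches_filter(entry: Entry, flt: str) -> bool:
    """Only the simple (attr=value) equality filter used in the thread is modelled."""
    m = _EQ_FILTER.match(flt)
    if not m:
        raise ValueError("only (attr=value) filters are handled here: " + flt)
    attr, want = m.groups()
    return any(v.lower() == want.lower() for v in lookup(entry, attr))


def _spec_end(fmt: str, start: int) -> int:
    """Index of the '}' that closes the %{...} beginning at fmt[start] (nesting-aware)."""
    depth, j = 0, start
    while j < len(fmt):
        if fmt.startswith("%{", j):
            depth, j = depth + 1, j + 2
            continue
        if fmt[j] == "}":
            depth -= 1
            if depth == 0:
                return j
        j += 1
    raise ValueError("unterminated %{ in format: " + fmt)


def expand(fmt: str, entry: Entry, disallowed: str) -> Optional[str]:
    """Expand %{attr} and %{attr:-default} (defaults may nest) against entry.

    Returns None when the entry must be skipped: a substituted attribute value
    contains a disallowed character, or an attribute is missing and has no
    default (the latter is an assumption made for this example).
    """
    out, i = [], 0
    while i < len(fmt):
        if not fmt.startswith("%{", i):
            out.append(fmt[i])
            i += 1
            continue
        end = _spec_end(fmt, i)
        name, has_default, default = fmt[i + 2:end].partition(":-")
        values = lookup(entry, name)
        if values:
            if set(values[0]) & set(disallowed):
                return None
            out.append(values[0])  # first value wins; literal text is never checked
        elif has_default:
            sub = expand(default, entry, disallowed)
            if sub is None:
                return None
            out.append(sub)
        else:
            return None
        i = end + 1
    return "".join(out)


def build_map(entries: List[Entry], cfg: Dict[str, str]) -> Dict[str, str]:
    """Produce the NIS map (key -> value) this configuration would serve."""
    nis_map: Dict[str, str] = {}
    for entry in entries:
        if not matches_filter(entry, cfg["nis-filter"]):
            continue
        key = expand(cfg["nis-key-format"], entry, cfg["nis-disallowed-chars"])
        value = expand(cfg["nis-value-format"], entry, cfg["nis-disallowed-chars"])
        if key is not None and value is not None:
            nis_map[key] = value
    return nis_map


if __name__ == "__main__":
    for key, value in build_map(ENTRIES, MAP_CONFIG).items():
        print(key, "->", value)
```

Running it shows that `nisuser12` is served as a complete passwd line, `nisuser13` picks up `*`, `Some Unnamed User` and `/bin/bash` from the defaults, `badhome` is dropped because of the colon in its home directory, and the non-posixAccount entry never reaches the map. Two things worth noticing from the output: the `%{userPassword:-*}` field puts the SSHA hash itself into the passwd map, so every host that can bind to the NIS domain receives the hashes, which is why the `nis-tcp-wrappers-name: ypserv` setting (tcp_wrappers access control for the in-server ypserv) matters on the server side; and a client that does not list `nis` for `passwd` in `/etc/nsswitch.conf` will not consult this map at all, whatever the server exports.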



