[Freeipa-devel] nis plug-in setup question

Rob Crittenden rcritten at redhat.com
Thu May 7 01:42:24 UTC 2009


yi zhang wrote:
> Rob Crittenden wrote:
>> yi zhang wrote:
>>> Nalin:
>>> I need your help to determine whether I have missed any step(s) in my 
>>> configuration.
>>>
>>> I am trying to config IPA (v2) server as NIS server. And here is the 
>>> config I have in ds
>>> ---
>>> dn: cn=NIS Server, cn=plugins, cn=config
>>> objectClass: top
>>> objectClass: nsSlapdPlugin
>>> objectClass: extensibleObject
>>> cn: NIS Server
>>> nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
>>> nsslapd-pluginInitfunc: nis_plugin_init
>>> nsslapd-pluginType: object
>>> nsslapd-pluginEnabled: on
>>> nsslapd-pluginDescription: NIS Server Plugin
>>> nsslapd-pluginVendor: redhat.com
>>> nsslapd-pluginVersion: 0
>>> nsslapd-pluginID: nis-plugin
>>> nis-tcp-wrappers-name: ypserv
>>> nsslapd-pluginarg0: 514
>>> -------------
>>> dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS 
>>> Server,cn=plugins,cn=config
>>> objectclass: extensibleObject
>>> nis-domain: idm.lab.bos.redhat.com
>>> nis-map: users
>>> nis-base: ou=People, dc=example, dc=com
>>> nis-base: ou=nisGroup, 
>>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>> nis-filter: (objectClass=posixAccount)
>>> nis-key-format: %{uid}
>>> nis-value-format: 
>>> %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some 
>>> Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
>>> nis-disallowed-chars: :
>>> -----------------
>>>
>>> I have such data there:
>>>
>>> [root@mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D 
>>> "cn=directory manager" -w redhat123 -s sub -b 
>>> "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
>>> version: 1
>>> dn: uid=nisuser12, ou=nisGroup, 
>>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
>>> dc=com
>>> objectClass: top
>>> objectClass: posixAccount
>>> cn: nisuser
>>> uid: nisuser12
>>> uidNumber: 30001
>>> gidNumber: 3001
>>> homeDirectory: /home/nisuser01
>>> loginShell: /bin/bash
>>> userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==
>>>
>>> ===========
>>>
>>> After I configured one NIS client to connect to this server 
>>> (mv32a-vm.idm.lab.bos.redhat.com),
>>>
>>> <QA>[root@mv64a-vm ~]# authconfig-tui
>>> Stopping portmap:                                          [  OK  ]
>>> Starting portmap:                                          [  OK  ]
>>> Shutting down NIS services:                                [  OK  ]
>>> Turning on allow_ypbind SELinux boolean
>>> Binding to the NIS domain:                                 [  OK  ]
>>> Listening for an NIS domain server..
>>> <QA>[root@mv64a-vm ~]#
>>> <QA>[root@mv64a-vm ~]#
>>> <QA>[root@mv64a-vm ~]#
>>> <QA>[root@mv64a-vm ~]#
>>> <QA>[root@mv64a-vm ~]# getent passwd | grep nisuser
>>> <QA>[root@mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
>>>   program vers proto   port
>>>    100000    2   tcp    111  portmapper
>>>    100000    2   udp    111  portmapper
>>>    100024    1   udp    918  status
>>>    100024    1   tcp    921  status
>>>    100021    1   udp  36144  nlockmgr
>>>    100021    3   udp  36144  nlockmgr
>>>    100021    4   udp  36144  nlockmgr
>>>    100021    1   tcp  39591  nlockmgr
>>>    100021    3   tcp  39591  nlockmgr
>>>    100021    4   tcp  39591  nlockmgr
>>>    100004    2   udp    541  ypserv
>>>    100004    2   tcp    541  ypserv
>>> <QA>[root@mv64a-vm ~]# ssh nisuser12@mv64a-vm.idm.lab.bos.redhat.com
>>> The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com 
>>> (10.16.98.120)' can't be established.
>>> RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
>>> Are you sure you want to continue connecting (yes/no)? yes
>>> Warning: Permanently added 
>>> 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of 
>>> known hosts.
>>> nisuser12@mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied, please try again.
>>> nisuser12@mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied, please try again.
>>> nisuser12@mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied (publickey,gssapi-with-mic,password).
>>>
>>> <QA>[root@mv64a-vm ~]# vi /var/log/secure
>>> May  6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error 
>>> retrieving information about user nisuser12
>>> May  6 03:23:58 mv64a-vm sshd[2979]: Failed password for invalid user 
>>> nisuser12 from 10.16.98.120 port 55116 ssh2
>>> May  6 03:23:59 mv64a-vm sshd[2980]: Connection closed by 10.16.98.120
>>> May  6 03:23:59 mv64a-vm sshd[2979]: PAM 2 more authentication 
>>> failures; logname= uid=0 euid=0 tty=ssh ruser= 
>>> rhost=mv64a-vm.idm.lab.bos.redhat.com
>>>
>>> yp.conf on client (mv64a-vm) has only one line
>>> domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com
>>>
>>> /etc/nsswitch.conf has
>>> hosts:      files nis dns
>>>
>>> Firewall is not an issue; I stopped iptables on both client and server.
>>>
>>> What did I do wrong?
>>>
>>> Thanks
>>
>> I have code and config that will do this for you sort of automagically 
>> in IPA (at least for passwd and group). I haven't tested it with nss 
>> yet but it works with ypcat.
> What is the command to config it, and what are the procedures?

Sorry, I wasn't very clear. I haven't committed the changes yet. I 
expect to do so tomorrow morning once I re-test with Nalin's new package.

rob

> Thanks!
> 
> Yi
>>
>> Nalin is working on an issue in slapi-nis I found today and once 
>> that's resolved I'll feel comfortable releasing my patch, then you can 
>> give it a go.
>>
>> So if you can hold off a day or two it may be better to test my 
>> configuration.
>>
>> rob
> 
