[Freeipa-devel] nis plug-in setup question
Rob Crittenden
rcritten at redhat.com
Thu May 7 01:42:24 UTC 2009
yi zhang wrote:
> Rob Crittenden wrote:
>> yi zhang wrote:
>>> Nalin:
>>> I need your help to determine whether I have missed any step(s) in my
>>> configuration.
>>>
>>> I am trying to configure an IPA (v2) server as a NIS server. Here is the
>>> config I have in ds:
>>> ---
>>> dn: cn=NIS Server, cn=plugins, cn=config
>>> objectClass: top
>>> objectClass: nsSlapdPlugin
>>> objectClass: extensibleObject
>>> cn: NIS Server
>>> nsslapd-pluginPath: /usr/lib/dirsrv/plugins/nisserver-plugin.so
>>> nsslapd-pluginInitfunc: nis_plugin_init
>>> nsslapd-pluginType: object
>>> nsslapd-pluginEnabled: on
>>> nsslapd-pluginDescription: NIS Server Plugin
>>> nsslapd-pluginVendor: redhat.com
>>> nsslapd-pluginVersion: 0
>>> nsslapd-pluginID: nis-plugin
>>> nis-tcp-wrappers-name: ypserv
>>> nsslapd-pluginarg0: 514
>>> -------------
>>> dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS
>>> Server,cn=plugins,cn=config
>>> objectclass: extensibleObject
>>> nis-domain: idm.lab.bos.redhat.com
>>> nis-map: users
>>> nis-base: ou=People, dc=example, dc=com
>>> nis-base: ou=nisGroup,
>>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
>>> nis-filter: (objectClass=posixAccount)
>>> nis-key-format: %{uid}
>>> nis-value-format:
>>> %{uid}:%{userPassword-:*}:%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some
>>> Unnamed User}}:%{homeDirectory}:%{loginShell:-/bin/bash}
>>> nis-disallowed-chars: :
>>> -----------------
>>>
>>> I have such data there:
>>>
>>> [root at mv32a-vm nis-plugin]# /usr/lib/mozldap/ldapsearch -D
>>> "cn=directory manager" -w redhat123 -s sub -b
>>> "ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" "uid=nisuser*"
>>> version: 1
>>> dn: uid=nisuser12, ou=nisGroup,
>>> ou=nisaccounts,dc=idm,dc=lab,dc=bos,dc=redhat,
>>> dc=com
>>> objectClass: top
>>> objectClass: posixAccount
>>> cn: nisuser
>>> uid: nisuser12
>>> uidNumber: 30001
>>> gidNumber: 3001
>>> homeDirectory: /home/nisuser01
>>> loginShell: /bin/bash
>>> userPassword: {SSHA}n0nwUjq6mn9e2jU8ZOotg6vjN3GA/g20R3jPyw==
>>>
>>> ===========
>>>
>>> After I configured one NIS client to connect to this server
>>> (mv32a-vm.idm.lab.bos.redhat.com),
>>>
>>> <QA>[root at mv64a-vm ~]# authconfig-tui
>>> Stopping portmap: [ OK ]
>>> Starting portmap: [ OK ]
>>> Shutting down NIS services: [ OK ]
>>> Turning on allow_ypbind SELinux boolean
>>> Binding to the NIS domain: [ OK ]
>>> Listening for an NIS domain server..
>>> <QA>[root at mv64a-vm ~]#
>>> <QA>[root at mv64a-vm ~]#
>>> <QA>[root at mv64a-vm ~]#
>>> <QA>[root at mv64a-vm ~]#
>>> <QA>[root at mv64a-vm ~]# getent passwd | grep nisuser
>>> <QA>[root at mv64a-vm ~]# rpcinfo -p mv32a-vm.idm.lab.bos.redhat.com
>>> program vers proto port
>>> 100000 2 tcp 111 portmapper
>>> 100000 2 udp 111 portmapper
>>> 100024 1 udp 918 status
>>> 100024 1 tcp 921 status
>>> 100021 1 udp 36144 nlockmgr
>>> 100021 3 udp 36144 nlockmgr
>>> 100021 4 udp 36144 nlockmgr
>>> 100021 1 tcp 39591 nlockmgr
>>> 100021 3 tcp 39591 nlockmgr
>>> 100021 4 tcp 39591 nlockmgr
>>> 100004 2 udp 541 ypserv
>>> 100004 2 tcp 541 ypserv
>>> <QA>[root at mv64a-vm ~]# ssh nisuser12 at mv64a-vm.idm.lab.bos.redhat.com
>>> The authenticity of host 'mv64a-vm.idm.lab.bos.redhat.com
>>> (10.16.98.120)' can't be established.
>>> RSA key fingerprint is db:dc:f5:7b:85:4b:2f:d7:be:27:40:5d:b8:0a:c0:a6.
>>> Are you sure you want to continue connecting (yes/no)? yes
>>> Warning: Permanently added
>>> 'mv64a-vm.idm.lab.bos.redhat.com,10.16.98.120' (RSA) to the list of
>>> known hosts.
>>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied, please try again.
>>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied, please try again.
>>> nisuser12 at mv64a-vm.idm.lab.bos.redhat.com's password:
>>> Permission denied (publickey,gssapi-with-mic,password).
>>>
>>> <QA>[root at mv64a-vm ~]# vi /var/log/secure
>>> May 6 03:23:57 mv64a-vm sshd[2979]: pam_succeed_if(sshd:auth): error
>>> retrieving information about user nisuser12
>>> May 6 03:23:58 mv64a-vm sshd[2979]: Failed password for invalid user
>>> nisuser12 from 10.16.98.120 port 55116 ssh2
>>> May 6 03:23:59 mv64a-vm sshd[2980]: Connection closed by 10.16.98.120
>>> May 6 03:23:59 mv64a-vm sshd[2979]: PAM 2 more authentication
>>> failures; logname= uid=0 euid=0 tty=ssh ruser=
>>> rhost=mv64a-vm.idm.lab.bos.redhat.com
>>>
>>> yp.conf on client (mv64a-vm) has only one line
>>> domain idm.lab.bos.redhat.com server mv32a-vm.idm.lab.bos.redhat.com
>>>
>>> /etc/nsswitch.conf has
>>> hosts: files nis dns
>>>
>>> The firewall is not an issue; I stopped iptables on both client and server.
>>>
>>> What did I do wrong?
>>>
>>> Thanks
>>
>> I have code and config that will do this for you sort of automagically
>> in IPA (at least for passwd and group). I haven't tested it with nss
>> yet but it works with ypcat.
> What is the command to configure it, and what are the procedures?
Sorry, I wasn't very clear. I haven't committed the changes yet. I
expect to do so tomorrow morning once I re-test with Nalin's new package.
rob
> Thanks!
>
> Yi
>>
>> Nalin is working on an issue in slapi-nis I found today and once
>> that's resolved I'll feel comfortable releasing my patch, then you can
>> give it a go.
>>
>> So if you can hold off a day or two it may be better to test my
>> configuration.
>>
>> rob
>
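
Added example, not part of the original message or of the FreeIPA/slapi-nis code: a small offline check for a setup like the one quoted above, comparing the maps a slapi-nis entry publishes with the standard map names the glibc "nis" NSS service requests, and listing which nsswitch.conf databases consult NIS at all. The function names and the sample "passwd: files" line are assumptions; the hosts line and the map entry values are taken from the quoted post.

```python
# Added example: sample inputs are constructed from values quoted in the thread.
NSS_MAPS = {  # standard NIS map names the glibc "nis" NSS service requests
    "passwd": ("passwd.byname", "passwd.byuid"),
    "group": ("group.byname", "group.bygid"),
}
# The hosts line is the one quoted in the post; the passwd line is an assumption.
SAMPLE_NSSWITCH = "passwd: files\nhosts: files nis dns\n"
SAMPLE_MAP_ENTRY = """\
dn: nis-domain=idm.lab.bos.redhat.com+nis-map=users,cn=NIS Server,cn=plugins,cn=config
objectclass: extensibleObject
nis-domain: idm.lab.bos.redhat.com
nis-map: users
nis-filter: (objectClass=posixAccount)
"""

def nis_databases(nsswitch_text):
    """Return the nsswitch.conf databases whose source list includes 'nis'."""
    found = set()
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        # ignore action items such as [NOTFOUND=return]
        if "nis" in [s for s in sources.split() if not s.startswith("[")]:
            found.add(db.strip())
    return found

def served_maps(ldif_text, domain):
    """Return the nis-map values defined for `domain` in map entries (LDIF text)."""
    maps = set()
    for entry in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            if ":" in line and not line.startswith(" "):   # skip continuation lines
                key, value = line.split(":", 1)
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if domain in attrs.get("nis-domain", []):
            maps.update(attrs.get("nis-map", []))
    return maps

def check(nsswitch_text, ldif_text, domain, databases=("passwd",)):
    """List mismatches between what NSS will ask for and what the server publishes."""
    findings = []
    enabled, maps = nis_databases(nsswitch_text), served_maps(ldif_text, domain)
    for db in databases:
        if db not in enabled:
            findings.append(f"nsswitch.conf: '{db}' does not list nis")
        findings += [f"server: no map '{m}' in domain {domain}"
                     for m in NSS_MAPS[db] if m not in maps]
    return findings
```

Calling check(SAMPLE_NSSWITCH, SAMPLE_MAP_ENTRY, "idm.lab.bos.redhat.com") returns one finding per missing prerequisite; an empty list means NSS lookups for that database have both a client-side source and matching server-side maps.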