Another YP question

Rick Stevens rstevens at vitalstream.com
Wed Oct 6 21:33:24 UTC 2004


Waldher, Travis R wrote:
> 
>>-----Original Message-----
>>From: Rick Stevens [mailto:rstevens at vitalstream.com] 
>>Sent: Wednesday, October 06, 2004 2:05 PM
>>To: Getting started with Red Hat Linux
>>Subject: Re: Another YP question
>>
>>Waldher, Travis R wrote:
>>
>>>
>>>>-----Original Message-----
>>>>From: Rick Stevens [mailto:rstevens at vitalstream.com]
>>>>Sent: Wednesday, October 06, 2004 1:44 PM
>>>>To: Getting started with Red Hat Linux
>>>>Subject: Re: Another YP question
>>>>
>>>>Waldher, Travis R wrote:
>>>>
>>>>
>>>>>"At this point, make sure that /etc/passwd and /etc/group have been
>>>>>edited so that when the NIS is activated, the data bases you have just
>>>>>created will be used, instead of the /etc ASCII files."
>>>>>
>>>>>What do I need to do to guarantee this?  I've read something about a
>>>>>"+::" entry, but not sure how to implement it.  How do I test it to
>>>>>verify it is working?
>>>>
>>>>Well, the last line of /etc/passwd should be:
>>>>
>>>>	+:*:0:0:::
>>>>
>>>>("plus-colon-splat-colon-zero-colon-zero-colon-colon-colon"). 
>>>>A similar line should be at the end of /etc/shadow and /etc/group.
>>>>
>>>>You must also make sure your /etc/nsswitch.conf file includes NIS:
>>>>
>>>>passwd:     files nis nisplus
>>>>shadow:     files nis nisplus
>>>>group:      files nis nisplus
>>>>
>>>>("nisplus" can also be written "nis+")
>>>>
>>>>
>>>>
>>>>>More importantly, did I just make sense? LOL
>>>>
>>>>Only to someone who speaks NIS.  ;-)  I'd recommend you get the
>>>>dreaded O'Reilly "sloth" book ("Managing NFS and NIS") if you're going
>>>>to do a lot with NIS/NIS+.  It's a handy reference.
>>>
>>>
>>>I added that to those three files, the question I have is, how do I 
>>>know it's working?
>>>
>>>Also, in the nsswitch.conf, would just having
>>>
>>>passwd:	files nis
>>>shadow:	files nis
>>>group:	files nis
>>>
>>>Cause it to not work?
>>
>>No, because it should check the local files first.
> 
> 
> OK... I'll go deeper.
> 
> We are currently testing AS3.0 for using it as a NIS Master among other
> things.
> 
> It would greatly decomplicate our lives, scripts, etc. if we could use
> the /etc/passwd, etc. files instead of having to use a
> /etc/passwd.mydomain.  One advantage would be that we could can some of
> our home-grown tools and use the built-in GUIs.

If you use the standard "getpw*()" system calls, the NIS stuff
supplements what's in the local /etc/passwd (/etc/group, etc.) files.
You should be able to use anything on the system.

> The problem is, we want to control access to the NIS Master, but since
> everyone would be in /etc/passwd, they would be able to login to it.

And?  If you set the permissions correctly, they couldn't do any damage
even if they should log into the NIS server.

I'd also suggest you base your NIS maps on files SEPARATE from the /etc
tree.  If you then make sure the NIS server's /etc/nsswitch.conf file
does NOT contain "nis" or "nis+" entries, only people in the server's
/etc/passwd file can log in to the server itself.

> I was wondering if we parked the +:*:0:0::: in the middle of the passwd
> file would the OS stop reading it at that point and go to NIS.  I would
> assume it would work (I don't know if NIS would like it), and if it
> doesn't, then how do I know that flag is even working in the first
> place? (am I making sense?)

That line may not have an effect on the logins as logins are really
handled by PAM, and PAM knows to go search the NIS maps if "nis[+]" is
specified in /etc/nsswitch.conf and the username isn't found locally.

> The other option I've considered is change the order to "nis files", so
> that netgroups would handle the permissions, and "hopefully" if NIS
> died, the system would look at the local files for authentication.

Yes, going to "nis files" would cause the lookup to go to the local
files if NIS doesn't answer.  Those are short forms of the file using
default actions.  Any given search of a map (local file, NIS, whatever)
can result in one of four results:

	SUCCESS
	NOTFOUND
	UNAVAIL
	TRYAGAIN

Each of those has a choice of actions: "continue" or "return".  The
default action on SUCCESS is "return" (don't bother checking any
further).  The default action on the other three status values is
"continue" (try the next entry in the line).

> Or do you see other ways around this?

As I said, if you DON'T use the pure /etc files as the basis of your
NIS server's NIS maps and instead use copies (see "man ypserv.conf"),
you can separate the NIS logins from local logins on the NIS server.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      I won't rise to the occasion, but I'll slide over to it.      -
----------------------------------------------------------------------
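The status/action walk described in the reply above, as an added example that is not part of the original thread: a small model of how glibc resolves an nsswitch.conf line source by source. It uses the four statuses and the default actions the message lists, and goes one step further by also accepting the explicit `[STATUS=action]` override syntax that nsswitch.conf supports (the `merge` action and `!` negation are not modelled). The account tables, user names and hostnames in it are constructed sample data; nothing here reads a real /etc/passwd or talks to a real NIS server.

```python
"""Model of glibc nsswitch.conf lookup resolution (added example).

Each source on a line such as  passwd: files nis  is tried in order and
yields one of four statuses: SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN.  The
default action is "return" on SUCCESS and "continue" on the other three;
an explicit [STATUS=action] block after a source overrides the default
for that source only.  ("merge" and "!" negation are not modelled.)
The account tables below are constructed sample data, not real hosts.
"""
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# A token is either a bracketed action block or a bare source name.
_TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_line(line):
    """'passwd: files [NOTFOUND=return] nis' ->
    [('files', {'NOTFOUND': 'return'}), ('nis', {})]"""
    _db, _, rest = line.partition(":")
    sources = []
    for tok in _TOKEN_RE.findall(rest):
        if not tok.startswith("["):
            sources.append((tok, {}))
            continue
        if not sources:
            raise ValueError("action block before any source: %r" % tok)
        for pair in tok[1:-1].split():
            status, _, action = pair.partition("=")
            status, action = status.upper(), action.lower()
            if status not in STATUSES or action not in ("return", "continue"):
                raise ValueError("bad action spec: %r" % pair)
            sources[-1][1][status] = action
    return sources


def table_backend(table, available=True):
    """Build a lookup callable over a dict: UNAVAIL when the service is
    down (e.g. ypbind cannot reach a server), else SUCCESS or NOTFOUND."""
    def lookup(key):
        if not available:
            return "UNAVAIL", None
        if key in table:
            return "SUCCESS", table[key]
        return "NOTFOUND", None
    return lookup


def resolve(sources, backends, key):
    """Walk the sources; return (status, value, trace).  trace is a list of
    (source, status, action) so the caller can see where a lookup stopped."""
    trace = []
    status, value = "NOTFOUND", None
    for name, overrides in sources:
        backend = backends.get(name)
        # An unknown service module cannot be loaded: treat it as UNAVAIL.
        status, value = backend(key) if backend else ("UNAVAIL", None)
        action = overrides.get(status, DEFAULT_ACTIONS[status])
        trace.append((name, status, action))
        if action == "return":
            break
    return status, value, trace


# Constructed sample data: the NIS master's own /etc/passwd and the NIS
# passwd map it serves.  Note the map carries its own "root" entry.
LOCAL_PASSWD = {
    "root": "root:x:0:0:root:/root:/bin/bash",
    "nisadmin": "nisadmin:x:500:500:NIS admin:/home/nisadmin:/bin/bash",
}
NIS_PASSWD = {
    "travis": "travis:x:1001:100:Travis:/home/travis:/bin/bash",
    "root": "root:x:0:0:root from NIS map:/root:/bin/sh",
}


def lookup_user(nsswitch_line, user, nis_up=True):
    """Resolve `user` under `nsswitch_line` against the sample tables."""
    backends = {"files": table_backend(LOCAL_PASSWD),
                "nis": table_backend(NIS_PASSWD, available=nis_up)}
    return resolve(parse_line(nsswitch_line), backends, user)


if __name__ == "__main__":
    cases = [
        ("passwd: files nis", "travis", True),      # local miss, NIS hit
        ("passwd: nis files", "nisadmin", False),   # NIS down, falls to files
        ("passwd: nis files", "root", True),        # NIS map shadows local root
        ("passwd: files [NOTFOUND=return] nis", "travis", True),  # never asks NIS
    ]
    for line, user, up in cases:
        status, value, trace = lookup_user(line, user, nis_up=up)
        print("%-40s %-9s nis_up=%-5s -> %s %r" % (line, user, up, status, value))
        for step in trace:
            print("    %-6s %-9s %s" % step)
```

Two things the traces make visible that the prose alone does not. First, "nis files" does fall back to the local file when NIS is UNAVAIL, but while NIS is up any entry in the map, including a "root" line, shadows the local one, so on a server you want to keep locked down the order "files nis" (or no "nis" at all, as suggested above) is the safer choice. Second, an explicit `[NOTFOUND=return]` after `files` stops the walk at the local file, which is how you keep a host from consulting NIS for names it does not know. On a real machine, `getent passwd <user>` goes through the configured nsswitch order from the libc side, while `ypcat passwd` and `ypwhich` query the NIS server directly; comparing the two tells you whether a given account is coming from the map or from /etc/passwd. The `+:*:0:0:::` style entries in /etc/passwd are processed only by glibc's `compat` module (a `passwd: compat` line), so with a plain `files nis` line they are not consulted at all.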




More information about the Redhat-install-list mailing list