• Print
• View
• History
• Login

Install YP/NIS

install NIS/YP server on gridvm

Following http://us.fixstars.com/products/y-hpc/userguide/config.shtml

# yum install ypbind ypserv yp-tools
# mkdir /etc/yp
# cd /etc/yp
# ln -sf /etc/hosts .
# ln -sf /etc/rpc .
# ln -sf /etc/services .
# ln -sf /etc/protocols .
# ln -sf /etc/netgroup .

Fix the port on which ypserv listens: gridvm:/etc/sysconfig/network

NETWORKING=yes
NISDOMAIN=ujcluster
YPSERV_ARGS=-p834
HOSTNAME=gridvm.grid.uj.ac.za

/etc/dhcpd.conf

option nis-domain               "ujcluster";

/etc/sysconfig/yppasswdd

ETCDIR=/etc/yp
YPPASSWDD_ARGS="--port 835"

/var/yp/Makefile :

...
YPSRCDIR = /etc/yp
YPPWDDIR = /etc/yp
...
all:  passwd group hosts rpc services netid protocols mail \
      auto.master auto.home netgrp \
        # netgrp shadow publickey networks ethers bootparams printcap \
        # amd.home auto.master auto.home auto.local passwd.adjunct \
        # timezone locale netmasks
...

/etc/yp/Makefile

ALL:
	$(MAKE) -C /var/yp

/etc/yp/auto.master

/nfs    yp:auto.home

/etc/yp/auto.host

home    -fstype=nfs4,rw,hard,intr,nodev,nosuid  head:/home
data    -fstype=nfs4,rw,hard,intr,nodev,nosuid  head:/data
glite   -fstype=nfs4,ro,hard,intr,nodev         head:/glite
osg     -fstype=nfs4,ro,hard,intr,nodev         head:/osg

# domainname ujcluster
# service portmap start
# service ypserv start
# service yppasswdd on
# chkconfig portmap on
# chkconfig ypserv on
# chkconfig yppasswdd on
# cd /etc/yp
# make

Allow client hosts to connect to RPC:

/etc/hosts.allow :

portmap : 127. : ALLOW
portmap : 10.0.0. : ALLOW
portmap : glite-ui glite-ce : ALLOW
portmap : osg-ui osg-ce : ALLOW
#portmap : @grid : ALLOW
portmap : ALL : DENY

(for some reason the @grid netgroup syntax does not seem to work in hosts.allow)

iptables :

-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p udp -m udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p udp -m udp --dport 834 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p udp -m udp --dport 835 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 834 -j ACCEPT
-A RH-Firewall-1-INPUT -s 152.106.18.0/255.255.255.0 -p tcp -m state --state NEW -m tcp --dport 835 -j ACCEPT

Install NIS on WNs

• /etc/sysconfig/network : NISDOMAIN=ujcluster
• /etc/yp.conf : domain ujcluster server gridvm

/etc/nsswitch.conf

passwd:     files nis
shadow:     files nis
group:      files nis

hosts:      files dns nis
netgroup:   files nis
automount:  files nis

check that all WNs have got the new domain name

shm domainname
shm service ypbind restart
shm ypcat passwd

/etc/nsswitch.conf

passwd:     files nis
shadow:     files nis
group:      files nis

#hosts:     db files ldap nis dns
hosts:      files dns nis
netgroup:   files nis
automount:  files nis
aliases:    files nis

Install NIS on glite-ui and osg-ui

These hosts don't use DHCP, so they don't automatically get the NIS domain info. Also, they are on the wide wild internet, so we can not leave portmap open - not even during brief tests.

/etc/sysconfig/network :

NETWORKING=yes
NISDOMAIN=ujcluster
HOSTNAME=glite-ui.grid.uj.ac.za

/etc/yp.conf :

domain ujcluster server gridvm

/etc/hosts.allow :

portmap : 127. : ALLOW
portmap : gridvm : ALLOW
portmap : ALL : DENY

To use the same yp:auto.home of the WNs, we need to add a route to reach the 10.0.0.1 IP of eth1 on gridvm from the UI.

/etc/sysconfig/network-scripts/route-eth0 :

10.0.0.254 via 152.106.18.254

Now we can activate NIS and AutoFS:

# service ypbind restart
# chkconfig ypbind on
# yptest
# yppasswd sergio
# service autofs start
# chkconfig autofs on
# #restart IDmapd after changing to NIS
# service rpcidmapd restart

On gridvm and on the CEs, we do not want non-admin users to login, so we use compat mode for merging NIS passwd and /etc/passwd: /etc/nsswitch.conf

passwd:     compat
shadow:     compat
group:      compat

#hosts:     db files ldap nis dns
hosts:      files dns nis
netgroup:   files nis
automount:  files nis
aliases:    files nis

/etc/passwd :

...
+::::::/bin/nologin

Enforcing strong passwords with NIS/YP

Unfortunately, the yppasswdd does not use PAM, and so it does not enforce strong password rules configured in /etc/pam.d/system-auth . For this reason we have to disable direct use of yppasswd by running

# chmod o-rwx /usr/bin/yppasswd

on the UIs, so that users can only go through the local passwd, which does enforce PAM rules.

To make passwd understand that it must pass through the YP service to actually update the password, it's necessary to adjust /etc/pam.d/system-auth, adding nis to the options of pam_unix:

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow nis
password    required      /lib/security/$ISA/pam_deny.so

on the occasion, we also remove nullok.

Finally, to make sure that yppasswdd cannot be used from other hosts, it's necessary to block it. This cannot be done with tcp_wrappers, because yppasswd is under portmap (even if the port if fixed); instead, since the port is fixed, we can use iptables to block it, like

-A INPUT -s 152.106.18.250 -p udp --dport 835 -j ACCEPT
-A INPUT -s 152.106.18.252 -p udp --dport 835 -j ACCEPT
-A INPUT -p udp --dport 835 -j DROP

To further improve password strength, see

• http://www.linux.com/feature/39115
• http://penguinsecurity.net/wiki/index.php?title=Enforce_strong_passwords_with_pam_passwdqc

Use pam_passwdqc with mostly default settings. Do not add use_authtok to pam_passwdqc, it seems not to work with NIS; let instead pam_unix do the old password request.

#password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    required      /lib/security/$ISA/pam_passwdqc.so enforce=users 
password    sufficient    /lib/security/$ISA/pam_unix.so use_authtok md5 shadow nis
password    required      /lib/security/$ISA/pam_deny.so

Prevent authconfig from messing with authentication settings:

rpm -e authconfig authconfig-gtk