Using the passwd and group MapsLinux Network Administrators GuidePrevChapter 13. The Network Information SystemNextUsing the passwd and group Maps
One of the major applications of NIS is synchronizing user and account
information on all hosts in an NIS domain. Consequently, you usually keep
only a small local /etc/passwd file, to which
site-wide information from the NIS maps is appended. However, simply
enabling NIS lookups for this service in nsswitch.conf
is not nearly enough.When relying on the password information distributed by NIS, you first
have to make sure that the numeric user IDs of any users you have in
your local passwd file match the NIS server's idea of
user IDs. Consistency in user IDs is important for other purposes as
well, like mounting NFS volumes from other hosts in your network.
If any of the numeric IDs in /etc/passwd or
/etc/group differ from those in the maps, you have to
adjust file ownerships for all files that belong to that user. First, you
should change all uids and gids in passwd and
group to the new values, then find that all files
that belong to the users just changed and change their
ownership. Assume news
used to have a user ID of 9 and okir
had a user ID of 103, which were changed to some other value; you could
then
issue the following commands as root:
# find / -uid 9 -print >/tmp/uid.9
# find / -uid 103 -print >/tmp/uid.103
# cat /tmp/uid.9 | xargs chown news
# cat /tmp/uid.103 | xargs chown okirIt is important that you execute these commands with the new
passwd file installed, and that you collect all
filenames before you change the ownership of any of them. To update the
group ownerships of files, use a similar method with the gid instead of the
uid, and chgrp instead of chown.Once you do this, the numerical uids and gids on your system will
agree with those on all other hosts in your NIS domain. The next step
is to add configuration lines to nsswitch.conf
that enable NIS lookups for user and group information:
# /etc/nsswitch.conf - passwd and group treatment
passwd: nis files
group: nis files
This affects where the login command and all its
friends look for user information. When a user tries to log in,
login queries the NIS maps first, and if this
lookup fails, falls back to the local files. Usually, you will remove
almost all users from your local files, and only leave entries for
root and generic accounts like
mail in it. This is because
some vital system tasks may have to map uids to usernames or vice
versa. For example, administrative cron jobs may
execute the su command to temporarily become
news, or the UUCP subsystem may
mail a status report. If news
and uucp don't have entries in
the local passwd file, these jobs will fail
miserably during an NIS brownout.Lastly, if you are using either the old NIS implementation (supported by the
compat mode for the
passwd and group files in the
NYS or glibc implementations), you must insert the unwieldy special entries
into them. These entries represent where the NIS derived records will
be inserted into the database of information. The entries can be added
anywhere, but are usually just added to the end. The entries to add for the
/etc/passwd file are:
+::::::
and for the /etc/groups file:
+:::With both glibc 2.x and NYS you can override parameters in a user’s
record received from the NIS server by creating entries with a “+”
prepended to the login name, and exclude specified users by creating
entries with a “-” prepended to the login name.
For example the entries:
+stuart::::::/bin/jacl
-jedd::::::
would override the shell specified for the user
stuart supplied by the NIS server,
and would disallow the user jedd from
logging in on this machine. Any fields left blank use the information
supplied by the NIS server.There are two big caveats in order here. First, the setup as described up to
here works only for login suites that don't use shadow passwords. The
intricacies of using shadow passwords with NIS will be discussed in the next
section.
Second, the login commands are not the only ones that access the
passwd file—look at the ls
command, which most people use almost constantly. Whenever compiling a long
listing, ls displays the symbolic names for user
and group owners of a file; that is, for each uid and gid it encounters,
it has to query the NIS server. An NIS query takes slightly longer to
perform than the equivalent lookup in a local file. You may find that sharing
your passwd and group information
using NIS causes a noticable reduction in the performance of some programs that
use this information frequently.Still, this is not the whole story. Imagine what happens if a user wants to
change her password. Usually, she will invoke passwd, which
reads the new password and updates the local passwd file.
This is impossible with NIS, since that file isn't available locally anymore,
but having users log into the NIS server whenever they want to change their
passwords is not an option, either. Therefore, NIS provides a drop-in
replacement for passwd called yppasswd,
which handles password changes under NIS. To change the password
on the server host, it contacts the yppasswdd daemon on
that host via RPC, and provides it with the updated password information.
Usually you install yppasswd over the normal program by
doing something like this:
# cd /bin
# mv passwd passwd.old
# ln yppasswd passwdAt the same time, you have to install rpc.yppasswdd on the
server and start it from a network script. This will effectively hide any of
the contortions of NIS from your users.PrevHomeNextChoosing the Right MapsUpUsing NIS with Shadow Support
Wyszukiwarka
Podobne podstrony:
x 087 2 nis shadowx 087 2 nisx 087 2 nis securenetsx 087 2 nis serverx 087 2 nis ypx 087 2 nis clientsx 087 2 nis nsswitchx 087 2 nis nisplusNIS HOWTO pl 1 (2)x 087 2 accounting zeroing counterNIS HOWTO pl 8 (2)x 087 2 cnews miscx 087 2 cnews nfsx 087 2 mail deliveryx 087 2 masq namelookupsx 087 2 firewall filteringmethodsx 087 2 accountingwięcej podobnych podstron