Origin and function of NIS
NIS (Network Information Service) provides centralized management and maintenance of accounts and passwords for multiple Linux systems on a network. In other words, the same account can be used to log in to any Linux system in the domain without that account having to exist on the system being logged into: all account management is done by the NIS server.
NIS mainly manages user names, passwords, users' home directories, UIDs and similar information, but it does not provide a file system, so NFS is still needed to share the users' home directories.
NIS was developed by Sun and was formerly called yp (Yellow Pages); it was renamed NIS because of a trademark problem, but the package names still begin with yp. Like NFS, NIS depends on RPC, so the RPC software must be installed before NIS can be used.
In a large network, if every Linux system sent its user name and password lookups to a single NIS server, that server would be heavily loaded and would also be a single point of failure. For reliability and availability, a Master/Slave architecture is recommended. Both the master and the slaves can answer client queries; database updates can either be pushed by the master or requested from the master by a slave. When a NIS client handles a login request, it first consults the local /etc/passwd and /etc/shadow to see whether the user exists; if so, the local user takes precedence, otherwise it queries the NIS servers. Master and slave can both answer the client's query, and the first to respond wins.
Access control for map files
Access permissions for the map files are set in the main configuration file /etc/ypserv.conf.
Configuration file syntax/format
<option>:<value>
<host name/IP>:<domain name>:<map type>:<security>
* host name/IP: usually written as 192.168.16.0/255.255.255.0, meaning the whole 192.168.16.0/24 network;
* domain name: usually just '*' (the wildcard used in the default configuration below);
* map type: '*' can be used to mean all map types;
* security: one of three settings:
o none: access to this host is allowed unconditionally;
o port: only requests coming from ports below 1024 (privileged ports) are accepted;
o deny: access to this host is refused;
The default configuration is as follows:
# Host : Domain : Map : Security
#
# * : * : passwd.byname : port/mangle
# * : * : passwd.byuid : port/mangle

# This is the default - restrict access to the shadow password file,
# allow access to all others.
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
* : * : * : none
Setting up NIS
Service
aptitude install -y nis
Environment
server: 10.10.70.101
client: 10.10.70.102
Server configuration
# create a test user
adduser nistest
# line 11: set this host as the NIS master server
root@dlp:~# vi /etc/default/nis
NISSERVER=master
root@dlp:~# vi /etc/ypserv.securenets
# by default this file allows every network
# comment these lines out
#0.0.0.0 0.0.0.0
#::/0
# add at the end: the IP range of NIS clients allowed to bind to this NIS server
255.255.255.0 10.10.70.0
root@dlp:~# vi /etc/hosts
127.0.0.1 localhost
# add this host's own IP address for NIS
10.10.70.101 Linux1.srv.world Linux1
# create this file: set the NIS domain name
root@dlp:~# vi /etc/defaultdomain
srv.world
root@dlp:~# systemctl restart rpcbind ypserv yppasswdd ypxfrd
root@dlp:~# systemctl enable rpcbind ypserv yppasswdd ypxfrd
# build (update) the NIS database
root@dlp:~# /usr/lib/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. dlp.srv.world is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: dlp.srv.world
next host to add: # Ctrl + D key
The current list of NIS servers looks like this:
dlp.srv.world
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/srv.world/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory '/var/yp/srv.world'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating netgroup...
Updating netgroup.byhost...
Updating netgroup.byuser...
Updating shadow.byname...
gmake[1]: Leaving directory '/var/yp/srv.world'
dlp.srv.world has been set up as a NIS master server.
Now you can run ypinit -s dlp.srv.world on all slave server.
If you add users, groups or hosts locally on the server, they also need to be applied to the NIS database:
root@dlp:~# cd /var/yp
root@dlp:/var/yp# make
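To see how the two server-side files above interact, here is an added example (not code from the original article or from the nis package) that evaluates a map request the way ypserv would: the client address must first pass /etc/ypserv.securenets, then the first matching /etc/ypserv.conf rule decides. It assumes first-match semantics for ypserv.conf, treats "port" as "source port below 1024", drops the "/mangle" suffix, and embeds the securenets line and default rules from this page as constructed input.

```python
import ipaddress

# Constructed inputs: the securenets file as edited in the server
# configuration above, and the default ypserv.conf access rules quoted earlier.
SECURENETS = "#0.0.0.0 0.0.0.0\n#::/0\n255.255.255.0 10.10.70.0\n"
YPSERV_CONF = ("* : * : shadow.byname : port\n"
               "* : * : passwd.adjunct.byname : port\n"
               "* : * : * : none\n")

def parse_securenets(text):
    """Networks allowed to reach ypserv: 'netmask network' or CIDR lines."""
    nets = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue                      # blank or commented-out line
        if len(fields) == 1:              # CIDR form, e.g. "::/0"
            nets.append(ipaddress.ip_network(fields[0]))
        else:                             # classic form: "255.255.255.0 10.10.70.0"
            mask, net = fields
            nets.append(ipaddress.ip_network(f"{net}/{mask}", strict=False))
    return nets

def parse_ypserv_conf(text):
    """(host, domain, map, security) rules in file order; '/mangle' suffix dropped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if line.count(":") == 3:
            host, domain, map_, sec = (f.strip() for f in line.split(":"))
            rules.append((host, domain, map_, sec.split("/")[0]))
    return rules

def decide(client_ip, client_port, domain, map_name, nets, rules):
    """Securenets is checked first; then the first matching ypserv.conf rule wins."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in n for n in nets):
        return "refused: securenets"
    for host, dom, map_, sec in rules:
        if host != "*" and ip not in ipaddress.ip_network(host, strict=False):
            continue                      # host field like 192.168.16.0/255.255.255.0
        if dom not in ("*", domain) or map_ not in ("*", map_name):
            continue
        if sec == "none":
            return "allowed"
        if sec == "port":                 # only privileged (< 1024) source ports
            return "allowed" if client_port < 1024 else "refused: unprivileged port"
        return "refused: deny"
    return "no rule matched"              # never reached with the catch-all rule above
```

Because the first matching rule wins, moving the catch-all "* : * : * : none" line above the shadow.byname rule silently removes the privileged-port restriction on the shadow map; leaving the default "0.0.0.0 0.0.0.0" securenets line uncommented lets any address bind.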
Client configuration
root@node01:~# vi /etc/yp.conf
#
# yp.conf Configuration file for the ypbind process. You can define
# NIS servers manually here if they can't be found by
# broadcasting on the local net (which is the default).
#
# See the manual page of ypbind for the syntax of this file.
#
# IMPORTANT: For the "ypserver", use IP addresses, or make sure that
# the host is in /etc/hosts. This file is only interpreted
# once, and if DNS isn't reachable yet the ypserver cannot
# be resolved and ypbind won't ever bind to the server.
# ypserver ypserver.network.com
# add at the end: domain <domain name> server <NIS server host name>
domain srv.world server Linux1.srv.world
root@node01:~# vi /etc/nsswitch.conf
# from line 7: add nis to these entries
passwd: files systemd nis
group: files systemd nis
shadow: files nis
gshadow: files
hosts: files dns nis
root@dlp:~# vi /etc/defaultdomain
# create this file: the NIS domain name
srv.world
# if needed, set the following (creates home directories automatically at login)
root@node01:~# vi /etc/pam.d/common-session
# add to the end
session optional pam_mkhomedir.so skel=/etc/skel umask=077
root@node01:~# systemctl restart rpcbind nscd ypbind
root@node01:~# systemctl enable rpcbind ypbind
root@node01:~# exit
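A consistency check for the client-side files above, added here as an example (not part of the original article or of the nis package): it verifies that yp.conf names the server by IP or by a name resolvable from /etc/hosts, as the IMPORTANT comment in yp.conf requires, that the yp.conf domain matches /etc/defaultdomain, and that nsswitch.conf consults nis for passwd, group and shadow. The client's /etc/hosts is not shown in the article, so a minimal constructed one is assumed.

```python
import ipaddress
import re

# Constructed client files mirroring the client configuration above. The
# client's /etc/hosts is not shown in the article, so a minimal one is assumed.
YP_CONF = "# ypserver ypserver.network.com\ndomain srv.world server Linux1.srv.world\n"
NSSWITCH = ("passwd: files systemd nis\ngroup: files systemd nis\n"
            "shadow: files nis\ngshadow: files\nhosts: files dns nis\n")
HOSTS = "127.0.0.1 localhost\n"

def parse_yp_conf(text):
    """(domain, server) pairs from 'domain D server S' lines (the form used above)."""
    return re.findall(r"^\s*domain\s+(\S+)\s+server\s+(\S+)", text, re.M)

def parse_nsswitch(text):
    """Map each database name to its ordered list of sources."""
    db = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if ":" in line:
            name, sources = line.split(":", 1)
            db[name.strip()] = sources.split()
    return db

def hosts_names(text):
    """Every host name or alias that /etc/hosts can resolve without DNS."""
    names = set()
    for line in text.splitlines():
        names.update(line.split("#", 1)[0].split()[1:])
    return names

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_client(yp_conf, nsswitch, hosts, defaultdomain):
    """Return the problems found; an empty list means the client files are consistent."""
    problems = []
    entries = parse_yp_conf(yp_conf)
    if not entries:
        problems.append("yp.conf: no 'domain ... server ...' line")
    for domain, server in entries:
        if domain != defaultdomain:
            problems.append(f"yp.conf domain {domain} != defaultdomain {defaultdomain}")
        if not is_ip(server) and server not in hosts_names(hosts):
            problems.append(f"yp.conf server {server} is a name missing from /etc/hosts")
    db = parse_nsswitch(nsswitch)
    for name in ("passwd", "group", "shadow"):
        if "nis" not in db.get(name, []):
            problems.append(f"nsswitch.conf: {name} does not consult nis")
    return problems
```

With the files exactly as shown on this page, the check flags the server name Linux1.srv.world unless the client's /etc/hosts carries the same entry the server added, or the server is given by IP.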
node01 login: bullseye # NIS user
Password:
Linux node01.srv.world 5.10.0-8-amd64 #1 SMP Debian 5.10.46-4 (2021-08-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Creating directory '/home/bullseye'.
bullseye@node01:~$ # just logged in
# change the NIS password as follows
bullseye@node01:~$ yppasswd
Changing NIS account information for bullseye on dlp.srv.world.
Please enter old password:
Changing NIS password for bullseye on dlp.srv.world.
Please enter new password:
Please retype new password:
The NIS password has been changed on dlp.srv.world.
bullseye@node01:~$