RHEL 6.5 -- Centralized Authentication with NIS

NIS overview:

A NIS deployment has two roles, the NIS server and the NIS client. The NIS server centrally maintains the user account information (the database) that NIS clients query; a user logging in on any NIS client is authenticated against the NIS server, which gives centralized management of user accounts.

1. The NIS master first builds database files from the account and password files.

2. Whenever an account or password changes, the database files must be rebuilt and the master/slave servers re-synchronised.

3. When a NIS client needs to log a user in, it first consults its local files such as /etc/passwd and /etc/shadow.

4. Only if the account data is not found locally does the NIS client broadcast a query to the hosts in the NIS domain.

5. Every NIS server (master or slave) may answer; essentially, the first to respond wins.

Operating mode:

Client/server (C/S) mode

NIS daemon        Description
ypbind            Defines the NIS server-side process
ypserv            Server daemon that answers client queries
ypxfrd            High-speed map transfer
rpc.yppasswdd     NIS password update daemon
rpc.ypupdated     Updates other maps, such as publickey

Commands provided by NIS

Command    Function
makedbm    Creates dbm files for NIS maps
ypcat      Lists the data in a map
ypinit     Builds and installs the NIS database; initialises the NIS client's ypservers list
ypmatch    Looks up a specific entry in a map
yppoll     Gets a map's order number from the server
yppush     Pushes data from the NIS master server to NIS slave servers
ypset      Binds to a specific server
ypwhich    Lists the name of the NIS server and the map nickname translation table
ypxfrd     Transfers maps from the master NIS server to slave NIS servers

Installation and deployment

Hostname   IP               Software required
master     192.168.30.130   ypserv
slave      192.168.30.131   ypbind, yp-tools

On master

[root@master ~]# yum install -y ypserv

On slave

[root@slave ~]# yum install -y ypbind yp-tools

On master, configure ypserv:

Create NIS test users
[root@master ~]# mkdir /home/NISHOME
[root@master ~]# useradd -d /home/NISHOME/nis-user01 nis-user01
[root@master ~]# useradd -d /home/NISHOME/nis-user02 -s /sbin/nologin nis-user02
[root@master ~]# echo "nis-user01:123456" | chpasswd
[root@master ~]# echo "nis-user02:123456" | chpasswd

Configure the NIS domain name

[root@master ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=master
GATEWAY=192.168.30.2
NTPSERVERARGS=iburst
NISDOMAIN=SiShen.cn     # add this line; it takes effect after a reboot. The NIS domain variable is NISDOMAIN, not NISDOMAINNAME

[root@master ~]# nisdomainname SiShen.cn # takes effect immediately, but only until the next reboot
[root@master ~]# nisdomainname 
SiShen.cn

Configure the hosts file

[root@master ~]# vim /etc/hosts # add every NIS client, including the NIS server itself
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.130 master sishen.cn
192.168.30.131 slave   

Configure ypserv.conf

[root@master ~]# vim /etc/ypserv.conf 
# Host                     : Domain  : Map              : Security 
#
# *                        : *       : passwd.byname    : port 
# *                        : *       : passwd.byuid     : port
127.0.0.0/255.255.255.0    : *       : *                : none
192.168.30.0/255.255.255.0 : *       : *                : none
*                          : *       : *                : deny
# leave the rest untouched
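A small checker for the rule order above, added here as an example and not taken from the original post: it reads a ypserv.conf top to bottom and reports the Security field of the first Host rule that matches a client address, which is how the catch-all deny at the bottom is meant to work. It assumes the Domain and Map columns are "*" (as in the rules above) and that netmasks are contiguous; the function name ypserv_policy and the sample file are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: evaluate ypserv.conf access
# rules top to bottom, first matching Host wins. Assumes Domain and Map are "*"
# and that netmasks are contiguous (e.g. 255.255.255.0); IPv4 only.
# Usage: ypserv_policy /etc/ypserv.conf 192.168.30.131  -> prints none|port|deny
set -e

ypserv_policy() {
    awk -F: -v ip="$2" '
    # apply a contiguous netmask to a dotted-quad address, octet by octet
    function masked(addr, mask,   i, pa, pm, out) {
        split(addr, pa, "."); split(mask, pm, ".")
        out = ""
        for (i = 1; i <= 4; i++)
            out = out (i > 1 ? "." : "") (pa[i] - pa[i] % (256 - pm[i]))
        return out
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    NF >= 4 {
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $4)
        if ($1 == "*") { print $4; found = 1; exit }
        n = split($1, hm, "/")
        mask = (n == 2) ? hm[2] : "255.255.255.255"
        if (masked(ip, mask) == masked(hm[1], mask)) { print $4; found = 1; exit }
    }
    # ypserv has its own default for unmatched requests; this checker only
    # reports that nothing in the file matched
    END { if (!found) print "no-match" }
    ' "$1"
}

# constructed copy of the rules shown above, so the checker runs offline
conf=$(mktemp)
cat > "$conf" <<'EOF'
# Host                     : Domain  : Map              : Security
127.0.0.0/255.255.255.0    : *       : *                : none
192.168.30.0/255.255.255.0 : *       : *                : none
*                          : *       : *                : deny
EOF
ypserv_policy "$conf" 192.168.30.131   # none
ypserv_policy "$conf" 10.0.0.5         # deny
```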

Build the NIS database

[root@master ~]# service ypserv restart 
Stopping YP server services:                               [  OK  ]
Starting YP server services:                               [  OK  ]
[root@master ~]# /etc/init.d/yppasswdd restart 
Stopping YP passwd service:                                [  OK  ]
Starting YP passwd service:                                [  OK  ]
[root@master ~]# /usr/lib64/yp/ypinit -m # the absolute path is required; if you do not know where ypinit lives, locate it with find or rpm -ql

At this point, we have to construct a list of the hosts which will run NIS
servers.  master is in the list of NIS server hosts.  Please continue to add
the names for the other hosts, one per line.  When you are done with the
list, type a <control D>.
    next host to add:  master
    next host to add:  SiShen.cn    # enter the NISDOMAIN
    next host to add:               # Ctrl+D ends the input
The current list of NIS servers looks like this:

master
SiShen.cn

Is this correct?  [y/n: y]  y   # type y and press Enter
We need a few minutes to build the databases...
Building /var/yp/SiShen.cn/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/SiShen.cn'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/SiShen.cn'

master has been set up as a NIS master server.

Now you can run ypinit -s master on all slave server.
# Note: after every manual change to the account data, run /usr/lib64/yp/ypinit -m again so that the updated usernames and passwords take effect
[root@master ~]# ll /var/yp/SiShen.cn/ypservers 
-rw------- 1 root root 12364 May 25 14:53 /var/yp/SiShen.cn/ypservers
[root@master ~]# ll /var/yp/SiShen.cn/
total 2704
-rw------- 1 root root   12472 May 25 14:53 group.bygid
-rw------- 1 root root   12493 May 25 14:53 group.byname
-rw------- 1 root root   12648 May 25 14:53 hosts.byaddr
-rw------- 1 root root   12878 May 25 14:53 hosts.byname
-rw------- 1 root root   13170 May 25 14:53 mail.aliases
-rw------- 1 root root   13382 May 25 14:53 netid.byname
-rw------- 1 root root   13040 May 25 14:53 passwd.byname
-rw------- 1 root root   13019 May 25 14:53 passwd.byuid
-rw------- 1 root root   28950 May 25 14:53 protocols.byname
-rw------- 1 root root   14659 May 25 14:53 protocols.bynumber
-rw------- 1 root root   16380 May 25 14:53 rpc.byname
-rw------- 1 root root   14232 May 25 14:53 rpc.bynumber
-rw------- 1 root root 1134592 May 25 14:53 services.byname
-rw------- 1 root root 1601575 May 25 14:53 services.byservicename
-rw------- 1 root root   12364 May 25 14:53 ypservers

Restart the services

[root@master ~]# /etc/init.d/ypserv restart
Stopping YP server services:                               [  OK  ]
Starting YP server services:                               [  OK  ]
[root@master ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service:                                [  OK  ]
Starting YP passwd service:                                [  OK  ]

Start the NIS services

[root@master ~]# /etc/init.d/ypserv restart 
Stopping YP server services:                               [  OK  ]
Starting YP server services:                               [  OK  ]
[root@master ~]# /etc/init.d/yppasswdd restart  # without this step, newly added data does not take effect
Stopping YP passwd service:                                [FAILED]
Starting YP passwd service:                                [  OK  ]

Configure the client

[root@slave ~]# system-config-authentication # requires a graphical environment

Edit the hosts file

[root@slave ~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.30.131 slave  WebServer
192.168.30.130 sishen.cn

Test logging in from master

[root@master ~]# ssh nis-user01@192.168.30.131
The authenticity of host '192.168.30.131 (192.168.30.131)' can't be established.
RSA key fingerprint is 6f:9c:9a:d0:c8:41:25:45:41:11:7f:e4:2b:73:ce:a1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.30.131' (RSA) to the list of known hosts.
nis-user01@192.168.30.131's password: 
Last login: Fri May 25 21:59:23 2018 from slave
Could not chdir to home directory /home/NISHOME/nis-user01: No such file or directory
-bash-4.1$ 

As you can see, nis-user01's home directory is not mounted.

Test logging in on slave

[root@slave ~]# su - nis-user01
su: warning: cannot change directory to /home/NISHOME/nis-user01: No such file or directory
-bash-4.1$ 

After running system-config-authentication, three files have changed

[root@slave ~]# cat /etc/sysconfig/network
HOSTNAME=slave
NETWORKING=yes
GATEWAY=192.168.30.2
NISDOMAIN=SiShen.cn    # this line was added automatically by system-config-authentication

[root@slave ~]# cat /etc/nsswitch.conf | grep nis
#    nisplus            Use NIS+ (NIS version 3)
#    nis            Use NIS (NIS version 2), also called YP
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files nis    # system-config-authentication changed the password lookup order here
shadow:     files nis
group:      files nis
[root@slave ~]# tail /etc/yp.conf 
# ypserver HOSTNAME
#    Use server HOSTNAME for the  local  domain.  The
#    IP-address of server must be listed in /etc/hosts.
#
# broadcast
#    If no server for the default domain is specified or
#    none of them is rechable, try a broadcast call to
#    find a server.
#
domain SiShen.cn server 192.168.30.130   # this line was added automatically by system-config-authentication
# So, without a desktop environment, editing these three files by hand achieves the same result
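To make those three changes without a desktop, here is an added example script (not from the original post). The function configure_nis_client and its root-prefix argument are my own: the prefix lets the script be tried against a scratch directory first, and on a real client it is "/".

```shell
#!/bin/sh
# Added example, not part of the original post: apply the three client-side
# changes that system-config-authentication made, without a GUI.
# Assumes the RHEL 6 file layout. ROOT is a prefix so the script can be tried
# against a scratch directory; use "/" on a real client.
# Usage: configure_nis_client / SiShen.cn 192.168.30.130
set -e

configure_nis_client() {
    root="$1"; domain="$2"; server="$3"
    net="$root/etc/sysconfig/network"
    nss="$root/etc/nsswitch.conf"
    yp="$root/etc/yp.conf"
    mkdir -p "$root/etc/sysconfig"
    touch "$net" "$nss" "$yp"

    # 1. NISDOMAIN in /etc/sysconfig/network: replace if present, else append
    if grep -q '^NISDOMAIN=' "$net"; then
        sed -i "s/^NISDOMAIN=.*/NISDOMAIN=$domain/" "$net"
    else
        echo "NISDOMAIN=$domain" >> "$net"
    fi

    # 2. passwd/shadow/group lookups: local files first, then NIS
    #    (commented-out sample lines such as "#passwd: db files nisplus nis" are left alone)
    for db in passwd shadow group; do
        if grep -q "^$db:" "$nss"; then
            sed -i "s/^$db:.*/$db: files nis/" "$nss"
        else
            echo "$db: files nis" >> "$nss"
        fi
    done

    # 3. bind to a fixed server instead of broadcasting for one
    sed -i '/^domain /d' "$yp"
    echo "domain $domain server $server" >> "$yp"

    # same as the nisdomainname command on the page; skipped for a scratch root
    if [ "$root" = "/" ]; then
        nisdomainname "$domain"
    fi
    return 0
}
```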

Configure the NFS service on the server

[root@master ~]# yum install -y nfs-utils
[root@master ~]# vim /etc/exports 
/home/NISHOME   192.168.30.0/255.255.255.0(rw,sync)
[root@master ~]# service nfs restart 
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS mountd:                                  [  OK  ]
Shutting down NFS quotas:                                  [  OK  ]
Shutting down RPC idmapd:                                  [  OK  ]
Starting NFS services:                                     [  OK  ]
Starting NFS quotas:                                       [  OK  ]
Starting NFS mountd:                                       [  OK  ]
Starting NFS daemon:                                       [  OK  ]
Starting RPC idmapd:                                       [  OK  ]
[root@master ~]# showmount -e
Export list for master:
/home/NISHOME 192.168.30.0/255.255.255.0
[root@master ~]# chkconfig nfs on

Configure automounting on the NIS client

[root@slave ~]# yum install -y autofs
[root@slave ~]# vim /etc/auto.master
#
# Sample auto.master file
# This is an automounter map and it has the following format
# key [ -mount-options-separated-by-comma ] location
# For details of the format look at autofs(5).
#
/misc   /etc/auto.misc
/home/NISHOME /etc/auto.NISHOME   # add this line
[root@slave ~]# vim /etc/auto.NISHOME # create this file
* -rw  192.168.30.130:/home/NISHOME/&
Restart the service
[root@slave ~]# service autofs restart 
Loading autofs4:                                           [  OK  ]
Starting automount:                                        [  OK  ]
[root@slave ~]# chkconfig autofs on

Test automounting

First, run on master

[root@master ~]# ssh nis-user01@192.168.30.131
nis-user01@192.168.30.131's password: 
Last login: Fri May 25 23:01:17 2018 from master
[nis-user01@slave ~]$ 

Test logging in on slave

[root@slave ~]# su - nis-user01
[nis-user01@slave ~]$ 

Create a test file

[root@master ~]# touch /home/NISHOME/nis-user01/nis-user01.txt
[root@master ~]# echo nis-user010000001010101 > !$
echo nis-user010000001010101 > /home/NISHOME/nis-user01/nis-user01.txt
[nis-user01@slave ~]$ hostname 
slave
[nis-user01@slave ~]$ whoami 
nis-user01
[nis-user01@slave ~]$ ls
nis-user01.txt
[nis-user01@slave ~]$ cat nis-user01.txt 
nis-user010000001010101

View the NIS users obtained on slave (note that the passwd map handed to the client carries the full password hashes rather than the "x" placeholder)

[root@slave ~]# getent passwd | grep nis
nis-user02:$6$pyV.l/R923J/GZ/a$jRXirQknPkiMDzYBNu.3Q2aY9EK5o1fNkKZc6oHFYIybi6eG/.28DJdg3s0QH7Vr6GPSt69wnlZuNPXw5OzPb/:503:503::/home/NISHOME/nis-user02:/sbin/nologin
nis-user01:$6$Qm.G9juWScrpGTSM$QNQifFrrDwoUim0hh.aZszSDO8CifUs8Z/UkvhxirlElRLvajqz26woMIGUSnPMgrN2reJfzB3pk1eqQtNkUs.:502:502::/home/NISHOME/nis-user01:/bin/bash

Test the home directory

[nis-user01@slave ~]$ touch slave-nisuser01
[root@master ~]# ls /home/NISHOME/nis-user01/
nis-user01.txt  slave-nisuser01
[root@slave ~]# ls /home/NISHOME/nis-user01/
ls: cannot open directory /home/NISHOME/nis-user01/: Permission denied

Test logging in as nis-user02; nis-user02 cannot log in

[root@slave ~]# su - nis-user02
This account is currently not available.

How NIS users change their password

[root@master ~]# ssh nis-user01@192.168.30.131
nis-user01@192.168.30.131's password: 
Last login: Fri May 25 22:17:32 2018 from www.sishen.cn
Could not chdir to home directory /home/NISHOME/nis-user01: No such file or directory
-bash-4.1$ yppasswd 
Changing NIS account information for nis-user01 on master.
Please enter old password:
Changing NIS password for nis-user01 on master.
Please enter new password:
Please retype new password:

The NIS password has been changed on master.

If you do not use autofs, on slave you can

That way there is a home directory, but it does not roam: when the user logs in elsewhere, the account's data files are not there.


Reposted from www.cnblogs.com/zd520pyx1314/p/9088974.html