Host
Assuming NIS domain name 'cdn-mtumishi' and a master of 'master.mtumishi.cyberleo.net':
/etc/rc.conf:
# Jail networking
gateway_enable="YES"
cloned_interfaces="lo1"
ipv4_addrs_lo1="10.4.4.1-7/24"
# NIS stuff
nisdomainname="cdn-mtumishi"
rpcbind_enable="YES"
rpcbind_flags="-h 10.4.4.1"
nis_server_enable="YES"
nis_server_flags="-h 127.0.0.1 -h 10.4.4.1"
nis_yppasswdd_enable="YES"
nis_yppasswdd_flags="-a -v"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"
/etc/hosts:
10.4.4.1 master.mtumishi.cyberleo.net master
10.4.4.* other jail names
Populate /var/yp/master.passwd with the master list; same format as /etc/master.passwd
Then start services rpcbind, ypserv, yppasswdd, ypbind in that order. Some may not start until after the NIS domain is initialized fully.
Initialize the NIS domain
ypinit -m cdn-mtumishi
Populate /var/yp/ypservers with the list of servers; currently both the FQDN and the short name are listed:
master.mtumishi.cyberleo.net master.mtumishi.cyberleo.net
master master
Populate /var/yp/securenets with the network information
# allow connections from local host -- mandatory
127.0.0.1 255.255.255.255
# allow connections from private subnet
10.4.4.0 255.255.255.0
Populate /var/yp/netgroup according to your allocation policy:
# Group definitions
U-ADMINS (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)
U-EVERYONE U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)
# Host definitions
H-MASTER U-ADMINS
H-PUB U-EVERYONE
H-MAIN U-ADMINS (,mortaluser,cdn-mtumishi)
Then invoke 'make' in /var/yp to populate NIS databases. Remember to invoke 'make' to rebuild maps after changing anything that might be exported; look in /var/yp/cdn-mtumishi for details.
Then restart services rpcbind, ypserv, yppasswdd, ypbind in that order, now that the NIS domain is fully initialized.
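Added helper, not part of the original notes: a POSIX sh/awk script that expands a netgroup file of the layout above into the flat list of users each H-* host group actually admits, following nested groups, so the access a host netgroup confers can be audited before running make. The sample file is a constructed copy of the netgroup shown above; the function and file names are my own.

```shell
#!/bin/sh
# Constructed sample netgroup file, a copy of the layout shown above
NETGROUP_SAMPLE='# Group definitions
U-ADMINS (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)
U-EVERYONE U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)
# Host definitions
H-MASTER U-ADMINS
H-PUB U-EVERYONE
H-MAIN U-ADMINS (,mortaluser,cdn-mtumishi)'

# netgroup_users <file> <group>: print the user field of every (host,user,domain)
# triple reachable from <group>, expanding nested netgroups, sorted and unique.
netgroup_users() {
    awk -v want="$2" '
    # Collect "name member member ..." lines; skip comments and blank lines
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    { for (i = 2; i <= NF; i++) members[$1] = members[$1] " " $i }
    function expand(g, depth,    n, parts, i, m, t) {
        if (depth > 32) { print "netgroup loop at " g > "/dev/stderr"; return }
        if (!(g in members)) { print "undefined netgroup " g > "/dev/stderr"; return }
        n = split(members[g], parts, " ")
        for (i = 1; i <= n; i++) {
            m = parts[i]
            if (m ~ /^\(/) {
                # A triple: strip the parentheses and keep the user field
                sub(/^\(/, "", m); sub(/\)$/, "", m)
                split(m, t, ",")
                if (t[2] != "") print t[2]
            } else if (m != "") {
                expand(m, depth + 1)          # nested netgroup
            }
        }
    }
    END { expand(want, 0) }
    ' "$1" | sort -u
}

# netgroup_has_user <file> <group> <user>: succeed if <user> is granted by <group>
netgroup_has_user() {
    netgroup_users "$1" "$2" | grep -qx "$3"
}

# Demo: audit which users the H-MAIN host netgroup actually admits
NG_FILE=$(mktemp)
printf '%s\n' "$NETGROUP_SAMPLE" > "$NG_FILE"
echo "Users admitted by H-MAIN:"
netgroup_users "$NG_FILE" H-MAIN
rm -f "$NG_FILE"
```

Run it against /var/yp/netgroup with the real H-* names to see the effective user list per host before the maps are rebuilt.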
Append to the host's /etc/master.passwd the magic import lines: the first imports the users in the host's netgroup (H-MASTER, as defined in /var/yp/netgroup above) as-is, the second imports all other users with a replacement 'nologin' shell. Leave off the last line to avoid importing users who cannot log in anyway.
+@H-MASTER:::::::::
+:::::::::/usr/sbin/nologin
Append to host /etc/group the magic import string, which will import all groups and star out their passwords:
+:*::
Use ypwhich to see which server the current ypbind is bound to; use ypcat passwd to retrieve a map from NIS. Use ypchsh to try to change information.
Jail
When creating a new jail, do this:
In master: Add H-SHORTHOSTNAME to /var/yp/netgroup and assign U-ADMINS and whoever else should have access
In jail:
append /etc/rc.conf
nisdomainname="cdn-mtumishi"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"
append /etc/hosts
10.4.4.1 master.mtumishi.cyberleo.net master
patch /etc/nsswitch.conf
-hosts: files dns
+hosts: files nis dns
append /etc/master.passwd
+@H-SHORTHOSTNAME:::::::::
# Include this only if you want to see users who cannot log in
+:::::::::/usr/sbin/nologin
append /etc/group
+:*::
configure pam_exec to create home directories upon first user login
/root/bin/check_user.sh:
#!/bin/sh -e
# Runs as root with an environment like this:
#PAM_SM_FUNC=pam function
#PWD=/
#PAM_RHOST=remote host
#PAM_SERVICE=service
#PAM_USER=username
#
# PAM_SM_FUNC can be one of:
# auth:
# - pam_sm_setcred
# - pam_sm_authenticate
# account:
# - pam_sm_acct_mgmt
# session:
# - pam_sm_open_session
# - pam_sm_close_session
# password:
# - pam_sm_chauthtok
# Check that the user's homedir exists; if not, create it and populate it from
# the skel directory /usr/share/skel, a la adduser(8).

# Print the master.passwd-style entry for a user (local or NIS-imported).
getpwnam() {
    [ "${1}" ] || return 1
    /usr/sbin/pw usershow "${1}"
}

# Resolve the home directory from the passwd entry (field 9) rather than via
# 'sh -c "echo ~user"', which would hand a crafted user name to a root shell.
USER_HOME="$(getpwnam "${PAM_USER}" | cut -d: -f9)"
USER_GROUP="$(id -g "${PAM_USER}")"   # currently unused; kept for reference

# Make sure /home and /usr/home both exist, one being a symlink to the other.
create_home_struct() {
    # Both exist already; nothing to do
    [ -e /home -a -e /usr/home ] && return 0
    # Nothing exists; create /home with proper permissions
    [ ! -e /home -a ! -e /usr/home ] && {
        mkdir -p /home
        chown root:wheel /home
        chmod 751 /home
    }
    # /usr/home exists, but /home does not; symlink
    [ ! -e /home -a -e /usr/home ] && {
        ln -sf usr/home /home
    }
    # /home exists, but /usr/home does not; symlink
    [ -e /home -a ! -e /usr/home ] && {
        ln -sf ../home /usr/home
    }
    # Explicit success: under 'sh -e' a failed final test above would
    # otherwise make this function, and so the whole script, fail.
    return 0
}

# Read a master.passwd-style entry on stdin and succeed only if its login
# shell is listed in /etc/shells, i.e. the user can actually log in.
user_can_login() {
    IFS=: read -r login pass uid gid class change expire gecos home shell beyond
    sed -e 's/#.*$//; /^[[:space:]]*$/d' /etc/shells | grep -qxF "${shell}"
}

# Create the home directory on first login, unless the account cannot log in.
create_home_dir() {
    [ -d "${USER_HOME}" ] && return 0
    create_home_struct
    # Users without a valid login shell (e.g. those imported with the
    # nologin shell) get no home directory.
    getpwnam "${PAM_USER}" | user_can_login || return 0
    # -m: create and populate the home directory from /usr/share/skel
    /usr/sbin/pw usermod "${PAM_USER}" -m
}

# Only act during account management, which runs on every successful login.
case "${PAM_SM_FUNC}" in
pam_sm_acct_mgmt)
    create_home_dir
    ;;
*) ;;
esac
/etc/pam.d/mkhomedir:
#
# Create home directory if it does not exist
#
account optional pam_exec.so -- /root/bin/check_user.sh
Patch /etc/pam.d/system
+account include mkhomedir
Patch /etc/pam.d/sshd
+account include mkhomedir
Patch /etc/pam.d/other
+account include mkhomedir
Patch other pam.d files as necessary to enable homedir creation for those services.
