
Differences between version 2 and previous revision of KnowledgeBase/FreeBSD/NIS4Jails.


Newer page: version 2, last edited Saturday, 15 December 2012 2:08:14 by CyberLeo
Older page: version 1, last edited Saturday, 15 December 2012 2:07:33 by CyberLeo
@@ -54,9 +54,9 @@
 H-PUB U-EVERYONE 
 H-MAIN U-ADMINS (,mortaluser,cdn-mtumishi) 
 </code> 
  
-Then invoke 'make' in /var/yp to populate NIS databases. Remember to invoke 'make' after changing anything that might be exported; look in /var/yp/cdn-mtumishi for details. 
+Then invoke 'make' in /var/yp to populate NIS databases. Remember to invoke 'make' to rebuild maps after changing anything that might be exported; look in /var/yp/cdn-mtumishi for details. 
  
 Then start services rpcbind, ypserv, yppasswdd, ypbind in that order. 
  
 Append to host /etc/master.passwd the magic import string, which will import all authorized users as-is, and all other users with a replacement 'nologin' shell: 
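Review bot: "look in /var/yp/cdn-mtumishi for details" in the reworded sentence points the reader at the wrong place: that directory only holds the generated map files, while what gets exported and how each map is built is decided by /var/yp/Makefile. Suggest "the build rules are in /var/yp/Makefile; the generated maps land in /var/yp/cdn-mtumishi" so someone adding a map knows where to edit.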

version 2

On host:

Assuming the NIS domain name is 'cdn-mtumishi' and the master server is 'master.mtumishi.cyberleo.net' at 10.4.4.1 (the host's first lo1 alias):

/etc/rc.conf:

# Jail networking
gateway_enable="YES"
cloned_interfaces="lo1"
ipv4_addrs_lo1="10.4.4.1-7/24"

# NIS stuff
# The ypserv and ypbind rc scripts refuse to start while domainname(1) is
# unset, so this must be set (here or elsewhere) on the host as well.
nisdomainname="cdn-mtumishi"
rpcbind_enable="YES"
rpcbind_flags="-h 10.4.4.1"
nis_server_enable="YES"
nis_server_flags="-h 127.0.0.1 -h 10.4.4.1"
nis_yppasswdd_enable="YES"
nis_yppasswdd_flags="-a -v"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"

/etc/hosts:

10.4.4.1 master.mtumishi.cyberleo.net master
10.4.4.N <jail fqdn> <jail short name>   # one line per jail, matching its lo1 alias

Populate /var/yp/master.passwd with the master list; same format as /etc/master.passwd

Populate /var/yp/ypservers with the list of servers, one per line; currently the FQDN and the short name:

master.mtumishi.cyberleo.net master.mtumishi.cyberleo.net
master master

Populate /var/yp/securenets with the networks ypserv may answer. This is ypserv's only access control: any address matching an entry can pull the maps. ypserv hands the master.passwd maps only to requests from reserved ports, but root in any jail on the listed network can bind a reserved port, so treat the password hashes as readable by every jail root and list nothing wider than the jail network:

# allow connections from local host -- mandatory
127.0.0.1     255.255.255.255
# allow connections from private subnet
10.4.4.0 255.255.255.0

Populate /var/yp/netgroup according to your allocation policy. Each member is either a (host,user,domain) triple, where an empty field matches anything, or the name of another netgroup, which is nested:

# Group definitions
U-ADMINS        (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)
U-EVERYONE      U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)

# Host definitions
H-MASTER        U-ADMINS
H-PUB           U-EVERYONE
H-MAIN          U-ADMINS (,mortaluser,cdn-mtumishi)

Then run 'make' in /var/yp to build the NIS maps. Re-run it after hand-editing anything that is exported (changes made through yppasswdd are pushed into the maps by the daemon itself; hand edits are not). The build rules are in /var/yp/Makefile; the generated maps land in /var/yp/cdn-mtumishi.

Then start the services in this order: rpcbind, ypserv, yppasswdd, ypbind (each has an rc.d script of that name).

Append to host /etc/master.passwd the magic import string, which imports all authorized users as-is and every other NIS user with a replacement 'nologin' shell. The name after '+@' must match a netgroup defined in /var/yp/netgroup (here H-MASTER, the host definition above), and the order matters: the netgroup line comes first so its members keep their real shell, then the catch-all line covers everyone else. Edit the file with vipw, or run pwd_mkdb afterwards, so /etc/pwd.db and /etc/spwd.db are rebuilt:

+@H-MASTER:::::::::
+:::::::::/usr/sbin/nologin

Append to host /etc/group the magic import string, which imports all NIS groups with their passwords starred out (/etc/group has no compiled database, so there is nothing to rebuild):

+:*::

Use ypwhich to see which server the local ypbind is bound to; use 'ypcat passwd' to pull a map from NIS. Use ypchsh to check that changes travel back through yppasswdd and show up in the rebuilt map.


When creating a new jail, do this:

On the master: add an H-SHORTHOSTNAME line to /var/yp/netgroup listing U-ADMINS and whichever other users or groups should have access on that jail, then run 'make' in /var/yp so the netgroup map is rebuilt.

In jail:

append /etc/rc.conf

nisdomainname="cdn-mtumishi"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"

append /etc/hosts

10.4.4.1 master.mtumishi.cyberleo.net master

patch /etc/nsswitch.conf so that hosts are also looked up in NIS; passwd and group stay on the default 'compat' source, which is what makes the '+@' and '+' lines below work

-hosts: files dns
+hosts: files nis dns

append /etc/master.passwd

+@H-SHORTHOSTNAME:::::::::
+:::::::::/usr/sbin/nologin

append /etc/group

+:*::
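The host procedure above and the per-jail steps just listed both hinge on two things staying consistent: the '+@NAME' line in a master.passwd must name a netgroup that actually exists in /var/yp/netgroup, and every user that netgroup admits must have an entry in the NIS master list, otherwise those users silently fall through to the nologin catch-all. The script below is an added example, not part of the original page, that checks exactly that offline. It assumes the file layout shown above (a netgroup file in the page's format, the NIS master.passwd, and a jail's /etc/master.passwd tail) and builds constructed sample copies of them in a temporary directory; point it at /var/yp/netgroup and /var/yp/master.passwd on the master to check a real jail.

```shell
#!/bin/sh
# Added example, not code from the original page: consistency checks for the
# netgroup-based allocation scheme. File paths are arguments; make_samples()
# writes constructed copies of the page's files into a temp directory.

# Expand netgroup $2 from netgroup file $1 into a sorted, space-separated list
# of the user names it admits, following nested group names. Triples are
# (host,user,domain); an empty user field is a host-only entry and is skipped.
# Backslash-continued lines (allowed by netgroup(5)) are not handled here.
ng_users() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) members[$1] = members[$1] " " $i }

        function expand(g,    n, parts, i, f) {
            if (g in seen) return        # already done; also breaks cycles
            seen[g] = 1
            n = split(members[g], parts, " ")
            for (i = 1; i <= n; i++) {
                if (parts[i] ~ /^\(/) {
                    split(parts[i], f, ",")  # f[2] is the user field
                    if (f[2] != "") users[f[2]] = 1
                } else {
                    expand(parts[i])         # nested netgroup
                }
            }
        }
        END { expand(want); for (u in users) print u }
    ' "$1" | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Every line of passwd-style file $1 must have exactly $2 colon-separated
# fields (10 for master.passwd, 4 for group), the +@ and + lines included;
# pwd_mkdb refuses a file with a malformed entry.
check_fields() {
    awk -F: -v n="$2" '
        NF != n { bad = 1; print FILENAME ": line " NR " has " NF " fields, want " n }
        END { exit bad + 0 }
    ' "$1"
}

# For each +@NETGROUP line in master.passwd file $1: the netgroup must be
# defined in netgroup file $2, and each user it admits must exist in the NIS
# master list $3. Prints every problem found; returns 0 only if there are none.
check_imports() {
    _pw=$1; _ng=$2; _nispw=$3; _bad=0
    for g in $(sed -n 's/^+@\([^:]*\):.*/\1/p' "$_pw"); do
        if ! grep -q "^$g[[:space:]]" "$_ng"; then
            echo "$_pw: +@$g names no netgroup in $_ng (nobody is imported as-is)"
            _bad=1
            continue
        fi
        for u in $(ng_users "$_ng" "$g"); do
            grep -q "^$u:" "$_nispw" || {
                echo "$_pw: netgroup $g admits $u, who has no entry in $_nispw"
                _bad=1
            }
        done
    done
    return $_bad
}

# Constructed sample files in a temp directory (path printed on stdout).
make_samples() {
    _d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed copy of the allocation policy above' \
        'U-ADMINS        (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)' \
        'U-EVERYONE      U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)' \
        'H-MASTER        U-ADMINS' 'H-PUB           U-EVERYONE' \
        'H-MAIN          U-ADMINS (,mortaluser,cdn-mtumishi)' > "$_d/netgroup"
    # constructed NIS master list; anothermortal is deliberately missing
    printf '%s\n' 'adminusername:*:1001:1001::0:0:Admin One:/home/adminusername:/bin/sh' \
        'anotheradmin:*:1002:1001::0:0:Admin Two:/home/anotheradmin:/bin/sh' \
        'mortaluser:*:2001:2001::0:0:Mortal One:/home/mortaluser:/bin/sh' > "$_d/master.passwd"
    # jail master.passwd tails: correct; the +@MASTER typo plus a short line;
    # and a netgroup that admits a user missing from the NIS list
    _root='root:*:0:0::0:0:Charlie &:/root:/bin/csh'
    _rest='+:::::::::/usr/sbin/nologin'
    printf '%s\n' "$_root" '+@H-MAIN:::::::::' "$_rest" > "$_d/good.passwd"
    printf '%s\n' "$_root" '+@MASTER::::::::'   "$_rest" > "$_d/bad.passwd"
    printf '%s\n' "$_root" '+@H-PUB:::::::::'  "$_rest" > "$_d/pub.passwd"
    echo "$_d"
}

# Stand-alone demo against the constructed samples: sh thisscript.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_samples)
    echo "H-MAIN admits: $(ng_users "$d/netgroup" H-MAIN)"
    for f in good bad pub; do
        check_fields "$d/$f.passwd" 10 &&
            check_imports "$d/$f.passwd" "$d/netgroup" "$d/master.passwd" &&
            echo "$f.passwd: ok"
    done
    rm -r "$d"
fi
```

The bad.passwd sample reproduces the easy mistake on purpose: with '+@MASTER' naming no netgroup, nothing is imported as-is and every NIS user lands on the nologin line, which looks like "NIS works" until an admin tries to log in. check_fields catches the other common slip, an import line with the wrong number of colons, before pwd_mkdb does.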

Configure pam_exec to create home directories upon first user login; haven't figured this one out yet.