KnowledgeBase/FreeBSD/NIS4Jails
On host:

Assuming NIS domain name 'cdn-mtumishi' and a master of 'master.mtumishi.cyberleo.net':

/etc/rc.conf:
<code brush="bash">
# Jail networking
gateway_enable="YES"
cloned_interfaces="lo1"
ipv4_addrs_lo1="10.4.4.1-7/24"

# NIS stuff
nisdomainname="cdn-mtumishi"
rpcbind_enable="YES"
rpcbind_flags="-h 10.4.4.1"
nis_server_enable="YES"
nis_server_flags="-h 127.0.0.1 -h 10.4.4.1"
nis_yppasswdd_enable="YES"
nis_yppasswdd_flags="-a -v"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"
</code>

/etc/hosts:
<code brush="plain">
10.4.4.1 master.mtumishi.cyberleo.net master
10.4.4.* other jail names
</code>

Populate /var/yp/master.passwd with the master list; same format as /etc/master.passwd.

Populate /var/yp/ypservers with the list of servers; currently the FQDN and the short name:
<code brush="plain">
master.mtumishi.cyberleo.net master.mtumishi.cyberleo.net
master master
</code>

Populate /var/yp/securenets with the network information:
<code brush="plain">
# allow connections from local host -- mandatory
127.0.0.1 255.255.255.255
# allow connections from private subnet
10.4.4.0 255.255.255.0
</code>

Populate /var/yp/netgroup according to your allocation policy:
<code brush="plain">
# Group definitions
U-ADMINS (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)
U-EVERYONE U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)

# Host definitions
H-MASTER U-ADMINS
H-PUB U-EVERYONE
H-MAIN U-ADMINS (,mortaluser,cdn-mtumishi)
</code>

Then invoke 'make' in /var/yp to populate the NIS databases. Remember to invoke 'make' to rebuild the maps after changing anything that might be exported; look in /var/yp/cdn-mtumishi for details.

Then start the services rpcbind, ypserv, yppasswdd and ypbind, in that order.

Append to the host's /etc/master.passwd the magic import string, which imports all authorized users as-is and all other users with a replacement 'nologin' shell. Leave off the last line to avoid importing users who cannot log in anyway.
<code brush="plain">
# H-MASTER is the host netgroup defined in /var/yp/netgroup
+@H-MASTER:::::::::
+:::::::::/usr/sbin/nologin
</code>

Append to the host's /etc/group the magic import string, which imports all groups and stars out their passwords:
<code brush="plain">
+:*::
</code>

Use ypwhich to see which server the current ypbind is bound to; use ypcat passwd to retrieve a map from NIS. Use ypchsh to try and change information.

----

When creating a new jail, do this:

In master:

Add H-SHORTHOSTNAME to /var/yp/netgroup and assign U-ADMINS and whomever else should have access.

In jail:

Append /etc/rc.conf:
<code brush="bash">
nisdomainname="cdn-mtumishi"
nis_client_enable="YES"
nis_client_flags="-m -S cdn-mtumishi,master"
</code>

Append /etc/hosts:
<code brush="plain">
10.4.4.1 master.mtumishi.cyberleo.net master
</code>

Patch /etc/nsswitch.conf:
<code brush="diff">
-hosts: files dns
+hosts: files nis dns
</code>

Append /etc/master.passwd:
<code brush="plain">
+@H-SHORTHOSTNAME:::::::::
+:::::::::/usr/sbin/nologin
</code>

Append /etc/group:
<code brush="plain">
+:*::
</code>

Configure pam_exec to create home directories upon first user login.

/root/bin/check_user.sh:
<code brush="bash">
#!/bin/sh -e
# Runs as root with an environment like this:
#   PAM_SM_FUNC=pam function
#   PWD=/
#   PAM_RHOST=remote host
#   PAM_SERVICE=service
#   PAM_USER=username
#
# PAM_SM_FUNC can be one of:
#   auth:     pam_sm_setcred, pam_sm_authenticate
#   account:  pam_sm_acct_mgmt
#   session:  pam_sm_open_session, pam_sm_close_session
#   password: pam_sm_chauthtok

# Check that the user's homedir exists; if not, create it and populate it from
# the skel directory /usr/share/skel, a la adduser.

# Home directory taken from the password database (NIS included via nsswitch);
# the user name is never handed to a shell for tilde expansion.
USER_HOME="$(/usr/sbin/pw usershow "${PAM_USER}" | cut -d: -f9)"

create_home_struct() {
    # Both exist; nothing to do
    [ -e /home ] && [ -e /usr/home ] && return 0

    # Nothing exists; create /home with proper permissions (the /usr/home
    # symlink is then added by the last case below)
    if [ ! -e /home ] && [ ! -e /usr/home ]; then
        mkdir -p /home
        chmod 711 /home
    fi

    # /usr/home exists, but /home does not; symlink
    if [ ! -e /home ] && [ -e /usr/home ]; then
        ln -sf usr/home /home
    fi

    # /home exists, but /usr/home does not; symlink
    if [ -e /home ] && [ ! -e /usr/home ]; then
        ln -sf ../home /usr/home
    fi

    # Always succeed: under "sh -e" a failed final test would otherwise
    # abort the whole script before the home directory is created
    return 0
}

getpwnam() {
    [ "${1}" ] || return 1
    /usr/sbin/pw usershow "${1}"
}

# Reads one pw(8) usershow line on stdin and succeeds only if the user's shell
# is listed in /etc/shells, so users imported with the nologin shell get no
# home directory
user_can_login() {
    IFS=: read login pass uid gid class change expire gecos home shell
    sed -e 's/#.*$//; /^[[:space:]]*$/d' /etc/shells | grep -qxF -- "${shell}"
}

create_home_dir() {
    [ -d "${USER_HOME}" ] && return 0
    create_home_struct
    getpwnam "${PAM_USER}" | user_can_login || return
    # pw usermod -m creates the home directory and copies /usr/share/skel
    /usr/sbin/pw usermod "${PAM_USER}" -m
}

case "${PAM_SM_FUNC}" in
pam_sm_acct_mgmt)
    create_home_dir
    ;;
*)
    ;;
esac
</code>

/etc/pam.d/mkhomedir:
<code brush="plain">
#
# Create home directory if it does not exist
#
account optional pam_exec.so -- /root/bin/check_user.sh
</code>

Patch /etc/pam.d/system:
<code brush="diff">
+account include mkhomedir
</code>

Patch /etc/pam.d/sshd:
<code brush="diff">
+account include mkhomedir
</code>

Patch /etc/pam.d/other:
<code brush="diff">
+account include mkhomedir
</code>

Patch other pam.d files as necessary to enable homedir creation for those services.
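Review bot: the /etc/nsswitch.conf hunk only touches the `hosts:` line, and it should say so explicitly, because the `+@H-SHORTHOSTNAME:::::::::`, `+:::::::::/usr/sbin/nologin` and `+:*::` lines appended to master.passwd and group right after it are honoured only while `passwd:` and `group:` remain `compat` (FreeBSD's default); an admin who "completes" the change to `passwd: files nis` loses the per-host netgroup filtering and imports every NIS user with their real shell.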
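Review bot: the `+account include mkhomedir` hunks for /etc/pam.d/system, sshd and other make `pam_exec.so -- /root/bin/check_user.sh` run as root on every account check for those services, so the procedure should also state that /root/bin and check_user.sh must stay root-owned and not group- or world-writable (for example `chmod 700 /root/bin/check_user.sh`); the `optional` control flag in mkhomedir is the right one, since a failure to create the home directory should not deny the login.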
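Working out by hand which users the netgroup file and the two `+` import lines admit to a given jail gets error-prone as the policy grows. The script below is an added example and not part of the wiki page: it expands the nested netgroups from a constructed copy of the sample /var/yp/netgroup above and then applies the same rule the jail's master.passwd expresses (`+@HOSTGROUP:::::::::` imports the host netgroup's members unchanged, `+:::::::::/usr/sbin/nologin` imports everybody else with the nologin shell) to a constructed NIS master.passwd. It assumes, as FreeBSD's compat mode does, that the first matching `+` line wins; the sample users, UIDs and hashes ("*") are all made up.

```shell
#!/bin/sh
# Added example, not from the wiki page. Resolves the allocation policy that
# /var/yp/netgroup plus the "+@HOSTGROUP" / "+:::::::::/usr/sbin/nologin"
# lines in a jail's master.passwd produce. All sample data is constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
NETGROUP_FILE="$WORK/netgroup"
NIS_PASSWD_FILE="$WORK/master.passwd"

# Constructed copy of the sample /var/yp/netgroup
cat > "$NETGROUP_FILE" <<'EOF'
# Group definitions
U-ADMINS    (,adminusername,cdn-mtumishi) (,anotheradmin,cdn-mtumishi)
U-EVERYONE  U-ADMINS (,mortaluser,cdn-mtumishi) (,anothermortal,cdn-mtumishi)

# Host definitions
H-MASTER    U-ADMINS
H-PUB       U-EVERYONE
H-MAIN      U-ADMINS (,mortaluser,cdn-mtumishi)
EOF

# Constructed NIS master.passwd (master.passwd(5) layout, hashes replaced by *)
cat > "$NIS_PASSWD_FILE" <<'EOF'
adminusername:*:1001:1001::0:0:Admin User:/home/adminusername:/bin/sh
anotheradmin:*:1002:1002::0:0:Other Admin:/home/anotheradmin:/bin/tcsh
mortaluser:*:2001:2001::0:0:Mortal User:/home/mortaluser:/bin/sh
anothermortal:*:2002:2002::0:0:Another Mortal:/home/anothermortal:/bin/sh
EOF

# netgroup_users FILE NETGROUP
# Print, sorted and one per line, the user names a netgroup admits once nested
# netgroup names are expanded. A triple with an empty user field matches any
# user and is reported as "*"; a user field of "-" matches nobody.
netgroup_users() {
    awk -v want="$2" '
    function expand(g,   n, parts, i, m, t) {
        if (g in seen) return                # guard against netgroup cycles
        seen[g] = 1
        n = split(members[g], parts, " ")
        for (i = 1; i <= n; i++) {
            m = parts[i]
            if (substr(m, 1, 1) == "(") {    # (host,user,domain) triple
                split(substr(m, 2, length(m) - 2), t, ",")
                if (t[2] == "-") continue
                users[t[2] == "" ? "*" : t[2]] = 1
            } else {
                expand(m)                    # nested netgroup name
            }
        }
    }
    { sub(/#.*/, "") }                       # strip comments
    /^[[:space:]]*$/ { next }                # skip blank lines
    { for (i = 2; i <= NF; i++) members[$1] = members[$1] " " $i }
    END { if (want in members) { expand(want); for (u in users) print u } }
    ' "$1" | sort
}

# effective_entries NETGROUP_FILE NIS_PASSWD_FILE HOSTGROUP
# Print the passwd entries a jail ends up with when its master.passwd carries
# "+@HOSTGROUP:::::::::" followed by "+:::::::::/usr/sbin/nologin".
effective_entries() {
    awk -F: -v OFS=: -v allowed="$(netgroup_users "$1" "$3")" '
    BEGIN { n = split(allowed, a, "\n"); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !("*" in ok) && !($1 in ok) { $10 = "/usr/sbin/nologin" }   # everyone else
    { print }
    ' "$2"
}

# Stand-alone demo: the view each host in the sample policy gets
for host in H-MASTER H-PUB H-MAIN; do
    echo "== $host =="
    effective_entries "$NETGROUP_FILE" "$NIS_PASSWD_FILE" "$host"
done
```

Point `netgroup_users` at the real /var/yp/netgroup and `effective_entries` at /var/yp/master.passwd to preview a jail's view before rebuilding the maps. Entries that come out with /usr/sbin/nologin are exactly the ones check_user.sh skips, since that shell is not in /etc/shells. When editing a real /etc/master.passwd, use vipw or run pwd_mkdb -p afterwards so the password database picks up the new lines.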