Monday, July 13, 2009

How to Configure NIS Server (Network Information Services)

Network Information Services (NIS) enables you to create user accounts that can be shared across all systems on your network. The user account is created only on the NIS server. NIS clients download the necessary username and password data from the NIS server to verify each user login.

An advantage of NIS is that users need to change their passwords on the NIS server only, instead of every system on the network. This makes NIS popular in computer training labs, distributed software development projects or any other situation where groups of people have to share many different computers.

The disadvantages are that NIS doesn't encrypt the username and password information sent to the clients with each login and that all users have access to the encrypted passwords stored on the NIS server.

§ We need a main Linux server with a large amount of disk space; it will be used as both the NIS server and the NFS-based file server.

§ Users logging into the PCs will be assigned home directories on server and not on the PCs themselves.

§ Each user's home directory will be automatically mounted with each user login on the PCs using NFS.

§ The NIS RPMs need to be installed on both sides: ypserv and yp-tools on the server, and ypbind and yp-tools on the client.

1. Configure Server as an NFS server to make its /home directory available to the Linux workstations.

2. Configure Client as an NFS client that can access Server's /home directory.

3. Configure Server as an NIS server.

4. Create a user account (nisuser) on Server that doesn't exist on Client. Convert the account to an NIS user account.

5. Configure Client as an NIS client.

6. Test a remote login from Server to Client using the username and password of the account nisuser.

Steps to configure the NFS server

1. Edit the /etc/exports file to allow NFS mounts of the /home directory with read/write access.

/home *(rw,sync)

2. NFS will read the /etc/exports file for the new entry, and make /home available to the network with the exportfs command.

#exportfs -a

3. Make sure the required nfs, nfslock, and portmap daemons are all running and configured to start after the next reboot.

# chkconfig nfslock on

# chkconfig nfs on

# chkconfig portmap on

# service portmap start

Starting portmapper: [ OK ]

# service nfslock start

Starting NFS statd: [ OK ]

# service nfs start

Starting NFS services: [ OK ]

Starting NFS quotas: [ OK ]

Starting NFS daemon: [ OK ]

Starting NFS mountd: [ OK ]

We have successfully configured our NFS Server.
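Before exporting /home to * it is worth having a check that reads the exports file and flags entries that any host can mount, or that let remote root keep uid 0. The script below is an added example and not part of the original post: it runs against a constructed exports sample whose first line is the entry used above, and the same function can be pointed at the real file with audit_exports < /etc/exports.

```sh
#!/bin/sh
# Constructed /etc/exports sample; the first line is the entry from this post.
SAMPLE_EXPORTS='/home *(rw,sync)
/srv/build 192.168.1.0/24(rw,sync,no_root_squash)
/srv/iso 192.168.1.0/24(ro,sync)'

# audit_exports: read exports(5)-format text on stdin and print one WARN line per risky entry.
# Flags a client spec of "*" (or none), which lets any host that reaches portmap mount the
# path, and no_root_squash, which lets remote root keep uid 0 on the exported files.
audit_exports() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
      path = $1
      for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        if (match($i, /\(.*\)/)) {
          host = substr($i, 1, RSTART - 1)
          opts = substr($i, RSTART + 1, RLENGTH - 2)
        }
        if (host == "*" || host == "")
          print "WARN " path ": exported to every host"
        if (index("," opts ",", ",no_root_squash,") > 0)
          print "WARN " path ": no_root_squash for " host
      }
    }'
}

# count_export_warnings TEXT: number of WARN lines produced for the given exports text
count_export_warnings() {
  printf '%s\n' "$1" | audit_exports | grep -c '^WARN' || true
}

# Run against the sample; on a live server use:  audit_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports
```

For the lab setup in this post the * entry is expected, but the check makes the choice visible rather than implicit, and it catches the no_root_squash option that the tutorial's entry correctly leaves out.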

We also need to configure the NFS clients to mount their /home directories on the NFS server.

1. Here we have to make sure the required netfs, nfslock, and portmap daemons are running and configured to start after the next reboot.

# chkconfig nfslock on

# chkconfig netfs on

# chkconfig portmap on

# service portmap start

Starting portmapper: [ OK ]

# service netfs start

Mounting other filesystems: [ OK ]

# service nfslock start

Starting NFS statd: [ OK ]

2. We can keep a copy of the old /home directory, and create a new directory /home on which we'll mount the NFS server's directory.

# mv /home /home.save

# mkdir /home

3. Here we have to make sure that we can mount Server's /home directory on the new /home directory we have just created. Unmount it once everything looks correct.

# mount *.*.*.*:/home /home/

# umount /home

4. Start configuring autofs automounting. Edit your /etc/auto.master file to refer to file /etc/auto.home for mounting information whenever the /home directory is accessed. After five minutes, autofs unmounts the directory.

#/etc/auto.master

/home /etc/auto.home --timeout 600

5. Edit file /etc/auto.home to do the NFS mount whenever the /home directory is accessed. If the line is too long to view on your screen, you can add a \ character at the end to continue on the next line.

#/etc/auto.home

* --fstype=nfs *.*.*.*:/home/&

6. Start autofs and make sure it starts after the next reboot with the chkconfig command.

# chkconfig autofs on

# service autofs restart

Stopping automount:[ OK ]

Starting automount:[ OK ]

All newly added Linux users will now be assigned a home directory under the new remote /home directory.

Configuration of The NIS Server

Install the NIS Server Packages

ypserv and yp-tools on the server

Edit Your /etc/sysconfig/network File

#/etc/sysconfig/network

NISDOMAIN="domainname"

Edit Your /etc/yp.conf File

NIS servers also have to be NIS clients themselves, so we'll have to edit the NIS client configuration file /etc/yp.conf to list the domain's NIS server as the server itself, i.e. localhost.

# /etc/yp.conf - ypbind configuration file

ypserver 127.0.0.1

# service portmap start

Starting portmapper: [ OK ]

# service yppasswdd start

Starting YP passwd service: [ OK ]

# service ypserv start

Setting NIS domain name DOMAINNAME: [ OK ]

Starting YP server services: [ OK ]

# chkconfig portmap on

# chkconfig yppasswdd on

# chkconfig ypserv on

Required NIS Server Daemons

portmap == The foundation RPC daemon upon which NIS runs.

yppasswdd == Lets users change their passwords on the NIS server from NIS clients.

ypserv == Main NIS server daemon.

ypbind == Main NIS client daemon.

To list the programs currently registered with portmap:

# rpcinfo -p localhost

Initialize Your NIS Domain

# /usr/lib/yp/ypinit -m

Note: Be sure portmap is running before trying this step or you'll get errors, such as:

failed to send 'clear' to local ypserv: RPC: Port mapper failure
Updating group.bygid...

You will have to delete the /var/yp/DOMAINNAME directory and restart portmap, yppasswd, and ypserv before you'll be able to do this again successfully.

Start The ypbind and ypxfrd Daemons

# service ypbind start

Binding to the NIS domain: [ OK ]

Listening for an NIS domain server.

# service ypxfrd start

Starting YP map server: [ OK ]

# chkconfig ypbind on

# chkconfig ypxfrd on

Make Sure The Daemons Are Running

All the NIS daemons use RPC port mapping and, therefore, are listed using the rpcinfo command when they are running correctly.

# rpcinfo -p localhost

program   vers  proto  port
100000    2     tcp    111   portmapper
100000    2     udp    111   portmapper
100003    2     udp    2049  nfs
100003    3     udp    2049  nfs
100021    1     udp    1024  nlockmgr
100021    3     udp    1024  nlockmgr
100021    4     udp    1024  nlockmgr
100004    2     udp    784   ypserv
100004    1     udp    784   ypserv
100004    2     tcp    787   ypserv
100004    1     tcp    787   ypserv
100009    1     udp    798   yppasswdd
600100069 1     udp    850   fypxfrd
600100069 1     tcp    852   fypxfrd
100007    2     udp    924   ypbind
100007    1     udp    924   ypbind
100007    2     tcp    927   ypbind
100007    1     tcp    927   ypbind
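A quick way to turn the rpcinfo listing into a pass/fail check is to compare the registered program names against the set of daemons this post requires on the server (portmapper, ypserv, yppasswdd, ypbind and fypxfrd). The script below is an added example, not from the original post: its sample input is a trimmed copy of the listing above, and the required-service list is an assumption taken from the daemons described in this post.

```sh
#!/bin/sh
# Trimmed copy of the 'rpcinfo -p localhost' listing from this post, used as sample input.
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100004    2   udp    784  ypserv
    100004    2   tcp    787  ypserv
    100009    1   udp    798  yppasswdd
 600100069    1   udp    850  fypxfrd
    100007    2   udp    924  ypbind
    100007    2   tcp    927  ypbind'

# Daemons an NIS server must have registered with portmap (assumed list, from this post).
REQUIRED_NIS_SERVER="portmapper ypserv yppasswdd ypbind fypxfrd"

# registered_rpc_services: unique program names (5th column) from rpcinfo -p text on stdin.
# The header line has only four fields, so NF >= 5 skips it.
registered_rpc_services() {
  awk 'NF >= 5 { print $5 }' | sort -u
}

# missing_rpc_services TEXT "name name ...": print each required name that is not registered
missing_rpc_services() {
  present=$(printf '%s\n' "$1" | registered_rpc_services)
  for want in $2; do
    printf '%s\n' "$present" | grep -qx "$want" || echo "$want"
  done
}

# check_nis_server TEXT: one-line verdict; returns 0 only when nothing is missing
check_nis_server() {
  missing=$(missing_rpc_services "$1" "$REQUIRED_NIS_SERVER")
  if [ -z "$missing" ]; then
    echo "OK: all required NIS server daemons are registered"
    return 0
  fi
  echo "MISSING:" $missing
  return 1
}

# On the real server replace the sample with live output:
#   check_nis_server "$(rpcinfo -p localhost)"
check_nis_server "$RPCINFO_SAMPLE"
```

Because the check compares names rather than port numbers, it keeps working when portmap hands the daemons different dynamic ports after a restart, which is exactly the case where eyeballing the listing goes wrong.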

Add NIS User

# useradd -g users nisuser

# passwd nisuser

Changing password for user nisuser.

New password:

Retype new password:

passwd: all authentication tokens updated successfully.

# cd /var/yp

# make

gmake[1]: Entering directory `/var/yp/DOMAINNAME'

Updating passwd.byname...

Updating passwd.byuid...

Updating netid.byname...

gmake[1]: Leaving directory `/var/yp/DOMAINNAME'

Configuring The NIS Client

Run authconfig

The authconfig or the authconfig-tui program automatically configures your NIS files after prompting you for the IP address and domain of the NIS server.

# authconfig-tui

Once finished, it should create an /etc/yp.conf file that defines, amongst other things, the IP address of the NIS server for a particular domain. It also edits the /etc/sysconfig/network file to define the NIS domain to which the NIS client belongs.

# /etc/yp.conf - ypbind configuration file

domain DOMAINNAME server *.*.*.*

#/etc/sysconfig/network

NISDOMAIN=DOMAINNAME

Start The NIS Client Related Daemons

Start the portmap and ypbind (NIS client) daemons using the scripts in the /etc/init.d directory, and use the chkconfig command to ensure they start after the next reboot.

# service portmap start

Starting portmapper: [ OK ]

# service ypbind start

Binding to the NIS domain:

Listening for an NIS domain server.

# chkconfig ypbind on

# chkconfig portmap on

Test Logins via The NIS Server

Logging In Via Telnet

Try logging into the NIS client via telnet, if it is enabled.

# telnet 192.168.1.2

Trying 192.168.1.2

Connected to 192.168.1.2.

Escape character is '^]'.

Red Hat Linux release 9 (Shrike)

Kernel 2.4.20-6 on an i686

login: nisuser

Password:

Last login: Sun Nov 16 22:03:51 from 192-168-1-100

[nisuser@Client nisuser]$

Logging In Via SSH

Try logging into the NIS client via SSH.

# ssh -l nisuser 192.168.1.102

nisuser@192.168.1.102's password:

[nisuser@Client nisuser]$

Friday, July 10, 2009

Linux Startup Services


Startup services are services run at boot time. They may be provided by daemon programs running in the background, or they may be one-time programs run during bootup to provide some function to the system. Here is a brief overview of these services, which can be started using Red Hat's linuxconf program. Not all of them are daemon programs, and it is possible to set up other startup programs, daemons, or services that are not included in this list. There are three basic categories:

  • A one time only program run at bootup to provide a function to the system such as kudzu, or keytable.
  • A program run as a daemon upon startup that provides system services such as gpm, autofs, cron, and atd.
  • A program run as a daemon upon startup that provides networking services such as dhcpd, bootparamd, arpwatch, gated, and httpd.

amd

Runs the automount daemon for remote filesystem mounting such as nfs.

apmd

Monitors battery status and can shut down the system if power is low.

arpwatch

Keeps track of Ethernet/IP address pairings that are resolved using the ARP protocol. This allows system administrators to notice new IP addresses being used. It maintains a database in /var/arpwatch/arp.dat.

atd

Runs commands scheduled by the "at" program at their scheduled times. Jobs are stored in /var/spool/at.

autofs

Also called the automount daemon, it is used to automatically mount filesystems on demand. It is especially worthwhile for working with removable media such as floppies or CD-ROM disks.

bootparamd

Allows remote computers to boot from a Linux box using the BOOTP network protocol. This allows the remote computer to get its IP address if the server knows the hardware address of the remote machine. The DHCP protocol is an upgrade to this protocol since it is more automated.

crond

A daemon that executes scheduled commands according to the /etc/crontab file. It can be used to clean up temporary files in /tmp, /var/tmp and other places.

dhcpd

Provides DHCP services to "lease" out IP addresses to remote machines.

firewall

gated

Provides routing services for BGP and other protocols. Alternative to routed. Supports IGP (Interior gateway protocol) and EGP (Exterior Gateway Protocol).

gpm

Provides mouse support to Linux.

httpd

The Apache hypertext transfer protocol Web server.

identd

Server implementing the TCP/IP proposed standard IDENT user identification protocol in RFC 1413. It returns user information to a remote host that a user is requesting a service from. Also called auth.

inet

The internet super daemon (inetd) that provides all the services specified in /etc/inetd.conf.

innd

The Usenet news server.

isdn

Provides ISDN (networking interface) services. See the isdnctrl man page for more information. The isdnctrl program is used to set up ISDN interfaces. Pertinent files are /etc/sysconfig/activeisdn, /dev/isdnctrl, /etc/sysconfig/provider, and /var/log/isdn.log.

keytable

Loads the appropriate keyboard map from /etc/sysconfig/keyboard. This does not set up a daemon program to reside in the background, but just loads the keyboard keytable and the system font.

kudzu

Detects and configures new or changed hardware on a system. This program is run once when the system boots and does not run as a daemon in the background.

ldap

Lightweight Directory Access Protocol package, which provides client/server directory database services running on UNIX platforms over TCP/IP. The RFC is 1777.

linuxconf

According to Redhat it is a post startup hook for linuxconf. It does not run as a daemon.

lpd

Provides printing services to Linux. It is a print spooler daemon.

mars-nwe

Loads the MARS NetWare-compatible file and print server daemon called nwserv. Allows a Linux machine to be used as a file and print server for NetWare-based clients using IPX/SPX.

mcserv

Allows users on remote machines to use the Midnight Commander file manager to work with files. It uses the PAM library for authentication.

named

Provides DNS services. It is a name server used to translate local IP addresses to names and vice-versa.

netfs

Mounts and unmounts Network File System (NFS), Windows (SMB), and NetWare (NCP) file systems. The mount command is used to perform this operation and no daemon is run in the background.

network

Brings up all the network interfaces under the directory /etc/sysconfig/network-scripts. Also controls IP_forwarding and IP_defrag.

nfs

Provides Network File System server services.

nfslock

NFS file locking service. Starts the daemons rpc.lockd and rpc.statd. The rpc.statd daemon implements the Network Status Monitor (NSM) RPC protocol, a reboot notification service used to implement file lock recovery when an NFS server crashes and reboots.

nscd

The name service cache daemon, which handles password and group lookups for running programs and caches the information for the next query. Normally this daemon is used to support NIS.

pcmcia

Provides access to PCMCIA (PC Cards) services configured in the /etc/exports file.

portmap

Provides Remote Procedure Call (RPC) support for other protocols like NFS.

postgresql

Runs the postgres database and provides SQL services. It runs the daemon postmaster.

pulse

Heartbeat daemon for monitoring the health of lvs (Redhat clustering services) cluster nodes. This tool is used for clustering machines.

pxe

A preboot execution environment (PXE) server. Allows network boot of other PXE machines. PXE is a standard developed by Intel for a means of booting various operating systems on remote machines.

random

Saves and restores a random value used to generate better random numbers for security. No daemon program is invoked for this operation.

routed

Provides for automatic router table updates using the RIP dynamic routing information protocol.

rstatd

The rstat protocol allows users on a network to get performance information for any machine on the network. Runs the rpc.rstatd daemon which provides performance statistics retrieved from the kernel usually by using the "rup" command.

rusersd

Provides services that allow users to find one another over the network.

rwalld

Provides users with an ability to use the rwall command to write messages on remote terminals.

rwhod

The rwho protocol lets remote users get a list of all users logged onto a machine by running the rwho daemon.

sendmail

The sendmail mail transport agent daemon used to move e-mail from one machine to another.

smb

Provides SMB (Samba) client/server services which include file and print services. It allows Linux computers to exchange file and printer services with Microsoft Windows based systems.

snmpd

Provides Simple Network Management Protocol support to Linux.

squid

Runs the squid proxy web server.

syslog

System logging daemon which records system events to log files usually in the directory "/var/log". The actual name of the daemon is klogd.

xfs

X font file server.

xntpd

Starts the Network Time Protocol NTPv3 daemon. NTP provides a means to synchronize time and coordinate time distribution in a large, diverse internet operating at all speeds. RFC 1305 describes this protocol.

ypbind

Binds YP/NIS clients to a yellow pages server. NIS (Network Information Service) is a name service created by Sun.

yppasswdd

Allows users to change their passwords on systems running YP/NIS.

ypserv

This daemon provides the YP/NIS (Network Information Service) server functions.

Linux Daemons

Here we can have a brief overview of miscellaneous daemons running on the system and their function.

init

The first process to start after the kernel. It controls the system runlevel and adopts any child process whose parent dies.

nmbd

Responds to NetBIOS name service requests for Samba. It works in conjunction with Samba, which is why it is not mentioned under startup services.

update (kupdate)

Does a sync every 30 seconds. A sync writes out memory pages, or virtual memory pages, that have been changed but not yet saved to disk.

bdflush (kflushd)

Started by update; performs a less thorough sync more frequently.

(kpiod)

(kswapd)

getty

Listens for connections at terminals

Friday, May 22, 2009

Run Level Services

You will notice that there are quite a lot of services enabled on your system. Not all runlevel services (stand-alone services) are network services; kudzu, for example, is responsible for detecting and configuring new and/or changed hardware on your system and is only run during the boot process. Take care not to disable runlevel services that are needed by the system to run smoothly.

Here are examples of Red Hat Runlevel System Services which you may or may not want to enable:

  • gpm needed if you want to use the mouse at the console
  • kudzu important for detecting new hardware
  • syslog important for syslog services
  • netfs needed only if there are NFS shares that should be mounted at boot time
  • network important for starting network interfaces (e.g. eth0, eth1, bonding,...)
  • random used for the system entropy pool
  • atd needed if the at(1) service is used instead of cron
  • apmd Advanced Power Management (APM) daemon is used for laptops and some desktops
  • isdn needed if ISDN is being used
  • iptables needed if Netfilter (iptables) Firewall is being used
  • ip6tables needed if ip6tables Firewall is being used
  • pcmcia not needed on servers - needed for laptops
  • irqbalance important for distributing interrupts across all CPUs
  • sendmail needed if Sendmail is used - Procmail should be used which is more secure
  • autofs needed if automounter is used - production applications should not be dependent on automounter
  • sshd important for logins via SSH
  • portmap needed if e.g. NFS is being used
  • nfslock needed if NFS shares are mounted
  • nfs needed if server runs the NFS server
  • mdmonitor needed only if software RAID is being used
  • crond important for running cron jobs
  • xinetd needed if xinetd services are being used, see /etc/xinetd.d/ for list of services
  • cups needed if CUPS is used for the printing system
  • rhnsd needed if server should connect to RHN to check for software updates etc.
  • sysstat needed to reset system statistics logs
  • audit needed only if Linux Audit Subsystem (LAuS) should run for collecting system call audit records
  • psacct needed only if kernel process accounting information is needed
  • smartd important for monitoring disk problems if hard disks support SMART technology
  • netdump important if kernel oops data and memory dumps should be sent to a Netdump server for server crashes

The start/stop scripts of all runlevel services can be found in the /etc/init.d directory. For example, if you don't know what the atd service does, go to /etc/init.d and open the file atd, and in the script look for lines that start programs. In the atd script the "daemon /usr/sbin/atd" line starts the binary atd. Now that you have the name of the program started by this service, you can check its manual page by running man atd. This will help you to find out more about a system service.

To permanently disable e.g. the runlevel service nfs, run:

chkconfig nfs off

To immediately disable the runlevel service nfs, run:

/etc/init.d/nfs stop
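To audit which services actually come up at a runlevel, the chkconfig --list output can be compared against an allowlist of what the host is meant to run, and the two commands above printed for each service that should not be there. The script below is an added example, not from the original post; the chkconfig output and the allowlist are constructed for illustration, and the disable commands are printed for review rather than executed.

```sh
#!/bin/sh
# Constructed 'chkconfig --list' output (SysV services only), not taken from a real host.
CHKCONFIG_SAMPLE='atd        0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond      0:off 1:off 2:on  3:on  4:on  5:on  6:off
nfs        0:off 1:off 2:off 3:on  4:on  5:on  6:off
network    0:off 1:off 2:on  3:on  4:on  5:on  6:off
sshd       0:off 1:off 2:on  3:on  4:on  5:on  6:off
syslog     0:off 1:off 2:on  3:on  4:on  5:on  6:off'

# Services this host is supposed to run at runlevel 3 (assumed allowlist).
EXPECTED_RUNLEVEL3="crond network sshd syslog"

# enabled_at_runlevel TEXT LEVEL: names of services marked LEVEL:on in chkconfig --list text.
# Only the 8-field lines (name plus runlevels 0-6) are considered.
enabled_at_runlevel() {
  printf '%s\n' "$1" | awk -v want="$2:on" '
    NF == 8 { for (i = 2; i <= NF; i++) if ($i == want) { print $1; break } }' | sort
}

# unexpected_services TEXT LEVEL "allowlist": enabled services that are not on the allowlist
unexpected_services() {
  for svc in $(enabled_at_runlevel "$1" "$2"); do
    case " $3 " in
      *" $svc "*) ;;
      *) echo "$svc" ;;
    esac
  done
}

# disable_commands TEXT LEVEL "allowlist": the permanent and immediate disable commands from
# this post, one pair per unexpected service, printed so the list can be reviewed first
disable_commands() {
  for svc in $(unexpected_services "$1" "$2" "$3"); do
    echo "chkconfig $svc off; /etc/init.d/$svc stop"
  done
}

# On a live host: disable_commands "$(chkconfig --list)" 3 "$EXPECTED_RUNLEVEL3"
disable_commands "$CHKCONFIG_SAMPLE" 3 "$EXPECTED_RUNLEVEL3"
```

Keeping the allowlist in a file under version control turns this into a repeatable check after each package install, since new packages on Red Hat frequently register their own runlevel service.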

Saturday, January 24, 2009

Add user in LDAP Database using Script

Adding a user to the LDAP database using the script below:
 
#!/bin/bash
# Usage: addldapuser.sh <username>  (run as root: migrate_passwd.pl reads /etc/shadow)
set -e
[ $# -eq 1 ] || { echo "usage: $0 username" >&2; exit 1; }
user="$1"
umask 077                                   # the temp files carry the password hash
trap 'rm -f /tmp/changeldappasswd.*' EXIT   # clean up even if a step fails

adduser "$user"
passwd "$user"

# Anchor on "name:" so that adding "test" does not also pull in "test2" or "guest".
grep "^${user}:" /etc/passwd > /tmp/changeldappasswd.tmp
/usr/share/openldap/migration/migrate_passwd.pl /tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp

# migrate_passwd.pl writes dc=padl,dc=com by default; rewrite it to our own suffix.
sed 's/padl/mydomain/' /tmp/changeldappasswd.ldif.tmp > /tmp/changeldappasswd.ldif

# -w puts the bind password on the command line, where ps shows it; -W prompts instead.
ldapadd -f /tmp/changeldappasswd.ldif -x -D "cn=Manager,dc=mydomain,dc=com" -w secret

OUTPUT:
# ldapadd -f changeldappasswd.ldif -x -D "cn=Manager,dc=mydomain,dc=com" -w secret
adding new entry "uid=test,ou=People,dc=mydomain,dc=com"
 
The LDIF generated by this script will look like this (if you want to check the temporary files before they are removed):
 
# cat /tmp/changeldappasswd.ldif
dn: uid=test,ou=People,dc=mydomain,dc=com
uid: test
cn: test
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$RilVIlhw$yUZNJ8VpXDxr9xzsOQ6pi1
shadowLastChange: 14268
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 503
gidNumber: 503
homeDirectory: /home/test