NIS:
NIS, the Network Information Service (its original name, Yellow Pages, survives in the yp* command and service names), is a network service that centrally manages system information such as user accounts. A user logging in to any NIS client is authenticated against the NIS server, so accounts can be administered in one place.
1. First install the package the NIS server needs (ypserv; the client packages follow in step 9)
[root@teach ~]# yum install ypserv
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package ypserv.x86_64 0:2.19-31.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================
Installing:
ypserv x86_64 2.19-31.el6 centos6 131 k
Transaction Summary
=============================================================================================================================
Install 1 Package(s)
Total download size: 131 k
Installed size: 319 k
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : ypserv-2.19-31.el6.x86_64 1/1
Verifying : ypserv-2.19-31.el6.x86_64 1/1
Installed:
ypserv.x86_64 0:2.19-31.el6
Complete!
2. Set the NIS domain name. The NISDOMAIN line can be appended to /etc/sysconfig/network with an echo redirect, or edited in with vim; either way the file should end up looking like this:
[root@teach ~]# cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=teach
NISDOMAIN=teach
3. Also set the domain name at boot from /etc/rc.d/rc.local. The ypserv init script already sets it from NISDOMAIN (the "Setting NIS domain name teach" line in step 5 shows this), so this entry is belt and braces:
/bin/nisdomainname teach
4. Set up name resolution
/etc/hosts maps host names to IP addresses. If there is no DNS, the NIS server's hosts file needs an entry for every NIS client (the hosts maps are built from this file as well).
192.168.242.128 my-test1
172.16.10.1 salt
172.16.10.1 teach
5. Edit /etc/ypserv.conf. This file controls which clients may query the NIS server.
vim /etc/ypserv.conf
The important part of ypserv.conf is the set of access rules that restrict which clients (or slave servers) may query which maps. Each rule has the format:
Host : Domain : Map : Security
Host: the client, given as a single IP address or as a network (address/netmask); "*" matches every host.
Domain: the NIS domain name. This has nothing to do with DNS domain names; they are two separate systems. Within one NIS domain, clients can look up user names and passwords on the NIS server, and slave servers can synchronise their databases from the master.
Map: the database (map) the rule applies to; "*" stands for all maps.
Security: one of none, port or deny.
none: no restriction; the client may query the server.
port: only accept requests whose source port is below 1024 (a privileged port, so in practice only root on the client can make them).
deny: refuse the request.
The usual approach is to allow every client on the internal network and deny everyone else. Rules are evaluated top to bottom and the first match wins, so the order matters: the catch-all deny must come last, and a request that matches no rule at all is granted, which is why that last line is needed.
127.0.0.1/255.0.0.0 :* :* :none
192.168.1.0/255.255.255.0 :* :* :none
* :* :* :deny
[root@teach ~]# vim /etc/ypserv.conf
127.0.0.1/255.0.0.0:*:*:none
192.168.242.0/255.255.255.0:*:*:none
Note that the file as written here stops short of the template: the final "* :* :* :deny" line is missing, so hosts outside 192.168.242.0/24 are not actually refused. Add it before putting the server on a shared network, and consider restricting /var/yp/securenets as well.
[root@teach ~]# /etc/init.d/ypserv start
Setting NIS domain name teach: [ OK ]
Starting YP server services: [ OK ]
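To make the first-match rule concrete, here is a small evaluator for ypserv.conf access rules. It is an added example, not code from the original post or from ypserv itself; it models the documented behaviour (rules tried top to bottom, the first match decides, an unmatched request is granted, "port" means a source port below 1024) and applies it to the two-line file above and to a hardened variant. The hardened rules and the client addresses are made up for the illustration.

```python
"""Evaluate ypserv.conf access rules the way ypserv does: first match wins.

Added example (not from the original post or the ypserv sources). Rules are
host:domain:map:security; a request that matches no rule is granted, which
is why a trailing '* : * : * : deny' line matters.
"""
import ipaddress

# Security level ypserv applies to a request that matches no rule at all.
DEFAULT_SECURITY = "none"


def parse_ypserv_conf(text):
    """Return a list of (network_or_None, domain, map, security) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 4:
            raise ValueError(f"expected host:domain:map:security, got {raw!r}")
        host, domain, mapname, security = fields
        if security not in ("none", "port", "deny"):
            raise ValueError(f"unknown security level {security!r} in {raw!r}")
        if host == "*":
            network = None                        # matches every client
        else:
            addr, _, mask = host.partition("/")   # "ip/netmask" or a bare ip
            network = ipaddress.ip_network(
                f"{addr}/{mask or '255.255.255.255'}", strict=False)
        rules.append((network, domain, mapname, security))
    return rules


def first_match(rules, client_ip, domain, mapname):
    """Security level of the first rule that matches this request."""
    ip = ipaddress.ip_address(client_ip)
    for network, rule_domain, rule_map, security in rules:
        if network is not None and ip not in network:
            continue
        if rule_domain not in ("*", domain):
            continue
        if rule_map not in ("*", mapname):
            continue
        return security
    return DEFAULT_SECURITY


def is_allowed(rules, client_ip, domain, mapname, src_port):
    """none = allow, port = allow only from a source port < 1024, deny = refuse."""
    security = first_match(rules, client_ip, domain, mapname)
    if security == "deny":
        return False
    if security == "port":
        return src_port < 1024
    return True


# The file exactly as written in the walkthrough: no catch-all deny line.
AS_WRITTEN = """\
127.0.0.1/255.0.0.0:*:*:none
192.168.242.0/255.255.255.0:*:*:none
"""

# Same network, plus the deny line the template calls for, and the passwd
# maps limited to privileged source ports (made-up hardening for the demo).
HARDENED = """\
127.0.0.1/255.0.0.0          : * : *             : none
192.168.242.0/255.255.255.0  : * : passwd.byname : port
192.168.242.0/255.255.255.0  : * : passwd.byuid  : port
192.168.242.0/255.255.255.0  : * : *             : none
*                            : * : *             : deny
"""


def exposure_report():
    """Can each client read passwd.byname from an unprivileged port?"""
    clients = ["192.168.242.128", "10.0.0.5"]      # an internal and an outside host
    report = {}
    for name, conf in (("as_written", AS_WRITTEN), ("hardened", HARDENED)):
        rules = parse_ypserv_conf(conf)
        report[name] = {c: is_allowed(rules, c, "teach", "passwd.byname", 40000)
                        for c in clients}
    return report


if __name__ == "__main__":
    for name, result in exposure_report().items():
        print(name, result)
```

The as-written file lets the outside host 10.0.0.5 read the passwd map; the hardened file refuses it and also refuses unprivileged-port reads of the passwd maps from inside the network. Keep in mind that "port" only stops non-root users on a client, since root can bind a privileged source port.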
6. Build the NIS databases with ypinit -m (the script lives under /usr/lib64/yp on x86_64 and /usr/lib/yp on 32-bit systems)
[root@teach ~]# /usr/lib64/yp/ypinit -m
At this point, we have to construct a list of the hosts which will run NIS
servers. teach is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the
list, type a <control D>.
next host to add: teach
next host to add:
next host to add:
The current list of NIS servers looks like this:
teach
Is this correct? [y/n: y] y
We need a few minutes to build the databases...
Building /var/yp/teach/ypservers...
Running /var/yp/Makefile...
gmake[1]: Entering directory `/var/yp/teach'
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
gmake[1]: Leaving directory `/var/yp/teach'
teach has been set up as a NIS master server.
Now you can run ypinit -s teach on all slave server.
[root@teach ~]# useradd yys1
[root@teach ~]# useradd yys2
7. Restart the NIS services. Only ypserv and yppasswdd are shown; the third one, ypxfrd, only matters when you run slave servers. Note that the two users created above are not in the maps until make is run in /var/yp (see note 11.2).
[root@teach ~]# /etc/init.d/ypserv restart
Stopping YP server services: [ OK ]
Starting YP server services: [ OK ]
# yppasswdd is the service that lets clients change their own passwords
[root@teach ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service: [FAILED]
Starting YP passwd service: [ OK ]
[root@teach ~]# /etc/init.d/yppasswdd restart
Stopping YP passwd service: [ OK ]
Starting YP passwd service: [ OK ]
[root@teach ~]# passwd yys1
Changing password for user yys1.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
Sorry, passwords do not match.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
[root@teach ~]# passwd yys2
Changing password for user yys2.
New password:
BAD PASSWORD: it is too simplistic/systematic
BAD PASSWORD: is too simple
Retype new password:
passwd: all authentication tokens updated successfully.
8. Create the netgroup file
/etc/netgroup can be used to define groups of hosts and users the NIS server trusts; here it is just created empty so that the netgroup maps can be built.
[root@teach yp]# touch /etc/netgroup
[root@teach yp]# ll /etc/netgroup
-rw-r--r--. 1 root root 0 Sep 9 14:54 /etc/netgroup
9. Client
[root@client01 ~]# yum install ypbind yp-tools
[root@client01 ~]# nisdomainname teach
[root@client01 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=client01
NISDOMAIN=teach
[root@client01 ~]# vim /etc/rc.local
/bin/nisdomainname teach
[root@client01 ~]# vim /etc/hosts
172.16.10.1 nis
[root@client01 ~]# vim /etc/yp.conf
domain teach server nis
[root@client01 ~]# /etc/init.d/rpcbind restart
Stopping rpcbind service: [ OK ]
Starting rpcbind service: [ OK ]
[root@client01 ~]# /etc/init.d/ypbind restart
Stopping NIS service: [ OK ]
Starting NIS service: [ OK ]
ypwhich shows the NIS server the client is bound to
[root@client01 ~]# ypwhich
nis
ypwhich -x shows the nickname-to-map table the client uses when talking to the server
[root@client01 ~]# ypwhich -x
Use "ethers" for map "ethers.byname"
Use "aliases" for map "mail.aliases"
Use "services" for map "services.byname"
Use "protocols" for map "protocols.bynumber"
Use "hosts" for map "hosts.byname"
Use "networks" for map "networks.byaddr"
Use "group" for map "group.byname"
Use "passwd" for map "passwd.byname"
ypcat
ypcat dumps a whole map from the NIS server: the account and password information in the passwd map, or the host records exported from the server's /etc/hosts.
ypcat hosts: shows the host records from the server's /etc/hosts (each alias is a separate key in hosts.byname, which is why the localhost line appears several times)
[root@client01 ~]# ypcat hosts
172.16.10.1 salt
192.168.242.128 my-test1
172.16.10.1 teach
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
ypcat passwd: shows the accounts on the NIS server, including the password hashes. Any client that passes the ypserv.conf check can read them, which is the central security problem with NIS.
[root@client01 ~]# ypcat passwd
salt:!!:501:501::/home/salt:/bin/bash
yys1:$6$BYlFSaUy$O1QfCL2vs08fjw9CwjqpbMHy0hYZUj1MafJnBgBnuJGpstu3EYPzAfKeUo1rK4zhQNVnjCc6yBK9uWdcAYIVt0:502:502::/home/yys1:/bin/bash
eddy:!!:500:500::/home/eddy:/bin/bash
yys2:$6$Acd.0uc9$5lICHuW6O.vdwNz5cem9bRvwAQm/vouG5tX48cexjIvUHYTVw8R5Jow6YkVbc1qfTWF7yzfxXSHtMwzjjCRR9.:503:503::/home/yys2:/bin/bash
test1:$6$M.CukPhT$tX8fmebBu0FelqylkLxYJwxopUNQygWCnUuN21yeHlHNyWEhPoYBHWBcjT7FAZ78OzhqKXFGpynQTigqER40t1:504:504::/home/test1:/bin/bash
Set /etc/nsswitch.conf so that lookups fall through to nis after the local files, which is what makes NIS authentication work:
passwd: files nis
shadow: files nis
group: files nis
hosts: files nis dns
10. Verification. Log in to the client over ssh as one of the NIS users. The login succeeds even though the client's /etc/passwd has no yys1 entry, because nsswitch falls through to nis; cat /etc/passwd only shows the local file, so use getent passwd yys1 to see the merged view. The chdir error is expected: the home directory only exists on the server.
[root@teach ~]# ssh yys1@192.168.242.128
yys1@192.168.242.128's password:
Last login: Fri Sep 9 15:13:02 2016
Could not chdir to home directory /home/yys1: No such file or directory
-bash-4.1$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
11. Notes
11.1 Once everything is up, test with yptest. If it runs through to Test 9: yp_all with only one error, namely Test 3: yp_match
WARNING: No such key in map (Map passwd.byname, key nobody), that can be ignored; NIS is working. From then on, a user created on the server with a password set can log in on the clients.
11.2 After creating a user, run make in /var/yp again to rebuild the maps.
On a client it makes no difference whether passwd or yppasswd is used: both go through the yppasswdd service and change the password on the NIS server. On the server, however, a password changed with passwd is not visible to clients until root runs make in /var/yp; a password changed with yppasswd takes effect on the clients immediately.
It is best to use yppasswd everywhere.
In RHEL 6 the old portmap service is replaced by rpcbind (the portmap package was renamed rpcbind). If rpcbind is restarted, restart the yp* services as well.
That is all for NIS. It should be obvious by now that its security is poor:
1. any client can enumerate the users on the server;
2. the password hashes are readable by every client (ypcat passwd above), and the RPC traffic is unencrypted;
3. to be fully usable the server's home directories have to be exported (for example over NFS) as well.
NIS is not recommended for production.
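What the ypcat passwd output above hands to every client can be checked systematically. The following audit script is an added example, not code from the original post: it parses a passwd-map dump and the client's own /etc/passwd, reports which accounts have a readable hash (and which crypt scheme), which are locked or shadowed, and which NIS entries collide with local names or UIDs. Both inputs are constructed samples and the hash strings are made up; on a Linux NIS master the hashes appear in the passwd map when MERGE_PASSWD=true in /var/yp/Makefile, which is what the page shows, and the field is "x" when MERGE_PASSWD=false.

```python
"""Audit a 'ypcat passwd' dump (added example, not from the original post).
The inputs are constructed samples in passwd(5) format; the hashes are
made-up strings, only their $id$ prefix is inspected.
"""

# crypt(3) scheme identifiers -> name
HASH_SCHEMES = {
    "$1$": "md5-crypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$2a$": "bcrypt",
    "$2y$": "bcrypt",
    "$y$": "yescrypt",
}


def classify_password_field(field):
    """What a client learns from the second passwd field."""
    if field == "x":
        return "shadowed"          # hash is not in this map
    if field == "":
        return "empty"             # no password at all
    if field.startswith(("!", "*")):
        return "locked"            # '!!' on the page: no password login possible
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des-crypt" if len(field) == 13 else "unknown"


def parse_passwd(text):
    """Parse passwd(5) lines; skips blanks, comments and +/- compat entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"not a passwd(5) line: {raw!r}")
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def audit(nis_passwd_text, local_passwd_text):
    """Readable hashes in the NIS map plus name/UID clashes with local files."""
    nis = parse_passwd(nis_passwd_text)
    local = parse_passwd(local_passwd_text)
    local_by_uid = {e["uid"]: e["name"] for e in local}
    local_names = {e["name"] for e in local}
    report = {"exposed": {}, "locked": [], "shadowed": [],
              "uid_collisions": [], "name_collisions": []}
    for e in nis:
        kind = classify_password_field(e["pw"])
        if kind == "locked":
            report["locked"].append(e["name"])
        elif kind == "shadowed":
            report["shadowed"].append(e["name"])
        else:
            report["exposed"][e["name"]] = kind     # crackable offline, or empty
        other = local_by_uid.get(e["uid"])
        if other is not None and other != e["name"]:
            # same UID, different name: the NIS user owns the local account's files
            report["uid_collisions"].append((e["name"], e["uid"], other))
        if e["name"] in local_names:
            # with 'passwd: files nis' the local entry silently wins for this name
            report["name_collisions"].append(e["name"])
    return report


# Constructed sample of what 'ypcat passwd' returns (hashes are not real).
NIS_PASSWD = """\
salt:!!:501:501::/home/salt:/bin/bash
yys1:$6$c0nstructed$notARealHashJustAPrefixDemo:502:502::/home/yys1:/bin/bash
eddy:!!:500:500::/home/eddy:/bin/bash
legacy:aBcDeFgHiJkLm:505:505::/home/legacy:/bin/bash
svc:x:506:506::/home/svc:/sbin/nologin
"""

# Constructed excerpt of the client's own /etc/passwd.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:500:500:Apache:/var/www:/sbin/nologin
salt:x:501:501::/home/salt:/bin/bash
"""

if __name__ == "__main__":
    for key, value in audit(NIS_PASSWD, LOCAL_PASSWD).items():
        print(f"{key}: {value}")
```

On the samples, yys1 and legacy have readable hashes (sha512-crypt and the 13-character DES format), salt and eddy are locked, svc is shadowed, eddy shares UID 500 with the local apache account, and salt exists both locally and in NIS.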
LDAP:
The openldap client library is installed by default, but not the server or the client tools,
so install them with yum:
yum install -y openldap openldap-servers openldap-clients
Building from source is not recommended; the dependencies are a nuisance.
Many posts online say Berkeley DB has to be installed before openldap as its storage backend. That is not a separate step: openldap-servers pulls in the db4 library it needs as a package dependency.
After installation, configure it:
[root@teach ~]# cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf
[root@teach ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@teach ~]# mv /etc/openldap/slapd.d{,.bak}
Then edit slapd.conf with vi as follows
1. Set the suffix of the directory tree
Find the line:
suffix "dc=my-domain,dc=com"
and change it to:
suffix "dc=example,dc=com"
2. Set the DN of the LDAP administrator
Find the line:
rootdn "cn=Manager,dc=my-domain,dc=com"
and change it to:
rootdn "cn=Manager,dc=example,dc=com"
3. Set the LDAP administrator's password
Find the line:
rootpw secret
and change it to a hash generated with slappasswd -s <password>, for example:
rootpw {SSHA}NXV9Fl28qCHMmA6PsjhVX0uejTKE6OYr
A plaintext password also works here, but then anyone who can read slapd.conf has the directory administrator's password; use the hash.
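For reference, this is what the {SSHA} value in rootpw actually is. The block below is an added example, not code from the original post or from OpenLDAP: it builds and verifies values in the same format slappasswd emits ({SSHA} followed by base64 of the SHA-1 digest of password plus salt, with the salt appended; slappasswd uses a 4-byte random salt), and it checks that a value is well formed, which catches the kind of stray whitespace that crept into the hash line above.

```python
"""OpenLDAP {SSHA} password values as slappasswd generates them for rootpw
(added example, not from the original post or OpenLDAP).
Format: '{SSHA}' + base64( sha1(password || salt) || salt ), salt = 4 random bytes.
"""
import base64
import hashlib
import hmac
import os

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20          # sha1 digest length; everything after it is the salt


def ssha_hash(password, salt=None):
    """Return a rootpw/userPassword value; salt defaults to 4 random bytes."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_is_wellformed(stored):
    """True if the value is '{SSHA}' plus strict base64 of digest + salt."""
    if not stored.startswith(SSHA_PREFIX):
        return False
    try:
        blob = base64.b64decode(stored[len(SSHA_PREFIX):], validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    return len(blob) > SHA1_LEN   # at least one byte of salt after the digest


def ssha_verify(stored, password):
    """Check a password against a stored {SSHA} value in constant time."""
    if not ssha_is_wellformed(stored):
        raise ValueError("not a well-formed {SSHA} value")
    blob = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def rootpw_line(password):
    """The slapd.conf line to put in place of 'rootpw secret'."""
    return "rootpw " + ssha_hash(password)


def rootpw_is_plaintext(line):
    """True for 'rootpw secret' style lines: no {SCHEME} prefix on the value."""
    _, _, value = line.strip().partition(" ")
    return not value.strip().startswith("{")


if __name__ == "__main__":
    line = rootpw_line("secret")
    print(line)
    print("verifies:", ssha_verify(line.split(" ", 1)[1], "secret"))
```

Note that SHA-1 with a 4-byte salt is fast to brute-force offline; it is acceptable for a rootpw that never leaves the server's config file, but for user entries a slower scheme such as {CRYPT} with sha512-crypt is the better choice.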
Once the config file has been edited, fix the ownership:
chown ldap.ldap /etc/openldap/*
chown ldap.ldap /var/lib/ldap/*
Create the certificate directory:
mkdir /etc/openldap/cacerts
There is no need to reboot at this point; restarting the service is enough.
Then start the service:
su root
service slapd start
The default port is 389. Ports below 1024 can only be bound by root, which is why the service is started as root (slapd drops to the ldap user after binding when started with -u ldap, as the init script does). The listener can be changed with -h; note the colon, since ldap://3891 would be read as a host named 3891:
slapd -f /etc/openldap/slapd.conf -h ldap://:3891/
Once the service is up, import some initial data.
Create a file example.ldif. Note the blank line between the two entries; LDIF requires it, and without it ldapadd sees one malformed entry with two dn lines:
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example, Inc.
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
Then import it with:
/usr/bin/ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f example.ldif
You are prompted for a password; it is the Manager password set in rootpw. Because -x is a simple bind, the password travels in the clear over ldap://, so run this on the server itself (or use -H ldapi:/// if slapd listens on the unix socket, or -ZZ for StartTLS once TLS is configured).
If no error is reported, the import succeeded.
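To see why the blank line in example.ldif matters, here is a minimal LDIF entry parser. It is an added example, not code from the original post or from OpenLDAP: it splits a file into entries on blank lines, requires exactly one dn per entry, unfolds continuation lines (a leading space) and decodes base64 values written with a double colon. The LDIF strings it works on are constructed for the demo and mirror the example above.

```python
"""Minimal LDIF entry parser (added example, not from the original post or
OpenLDAP). Entries are separated by a blank line and start with a dn; the
sample LDIF strings below are constructed for the demo.
"""
import base64


def unfold(text):
    """Join continuation lines: a line starting with a space extends the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) in file order."""
    entries, current = [], []

    def flush():
        if not current:
            return
        dn, attrs = None, {}
        for name, value in current:
            if name == "dn":
                if dn is not None:
                    raise ValueError(
                        f"second dn {value!r} inside the entry for {dn!r}: "
                        "entries must be separated by a blank line")
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("entry without a dn line")
        entries.append((dn, attrs))
        current.clear()

    for line in unfold(text):
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()                                   # blank line ends the entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        name = name.strip().lower()                   # attribute names are case-insensitive
        if value.startswith(":"):                     # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "version" and not current and not entries:
            continue                                  # optional 'version: 1' header
        current.append((name, value))
    flush()
    return entries


# example.ldif as it should be written: a blank line between the two entries.
EXAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: Example, Inc.
dc: example

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
"""

# The same lines with the blank line missing: a single malformed entry.
MISSING_SEPARATOR = EXAMPLE_LDIF.replace("\n\n", "\n")


def entry_count(text):
    """Number of entries ldapadd would see in this LDIF text."""
    return len(parse_ldif(text))


if __name__ == "__main__":
    for dn, attrs in parse_ldif(EXAMPLE_LDIF):
        print(dn, attrs)
```

The well-formed file yields the two entries ldapadd adds; the version without the separator is rejected, which is the same outcome ldapadd reports as a syntax error.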
That completes the LDAP installation and configuration. For convenient administration you can install LDAP Browser,
downloaded from the vendor site: http://www.ldapbrowser.com/download.htm
Configuring the connection