NFS + NIS madness

Oron Peled oron at actcom.co.il
Sun Nov 27 19:14:09 IST 2011


On Sunday, 27 November 2011 12:30:52 Hetz Ben Hamo wrote:
> Hi,
> Doesn't help. Actually the problem is bigger..

Isolate the problem in steps:
1. Check NIS as a directory service (without even using it in nsswitch).
   Here is a quick checklist -- no use trying a step if the previous one failed:

   * Verify ypbind is running via ps(1)

   * Verify it successfully bound to the NIS domain via ypwhich(1):
     - Failed binding is the #1 error in NIS

     - Verify domainname(1) matches (server/client)

     - Verify the client accesses the correct server (/etc/yp.conf)

     - Modern (90's) NIS servers don't answer RPC broadcasts (security)
       so you must specify the server in the client's /etc/yp.conf

     - Modern (90's) NIS servers only answer subnets listed in
       their /var/yp/securenets -- have you added yours to this file?

   * Verify it returns correct information via ypcat(1), ypmatch(1):
     - Enumeration: ypcat passwd
       Modern NIS servers enumerate users/groups with IDs above a specific
       threshold (e.g. 500 and above), so "system" users should not be
       listed. Maybe your NIS server starts above 1000.

     - Lookup (e.g: your "vic" user): ypmatch vic passwd

   * If any of these does not work correctly, you need to fix NIS
     configuration -- don't try to debug nsswitch until all these
     tests are OK.

2. Only if all items in 1. passed OK, check its integration in NSS
   (name service switch):

   * Verify enumeration:
     - getent passwd

   * Verify lookup:
     - getent passwd vic

   * Or equivalently:
     - id vic

   * If the previous items in 2. weren't OK, but the items in 1. were OK,
     you have a problem in /etc/nsswitch.conf:

     - The simplest config is to have "files nis" in the lines
       of "passwd", "shadow" and "group"

     - A "compat" line in those three lines serves a special form
       of "files" where special lines in these files can (selectively)
       include data from NIS. Examples:
         +oron     # include only oron's record from NIS
         +@foobar  # include everybody from netgroup (NOT group) foobar
         -badguy   # Obviously
         +         # Everybody (except badguy -- line order affects results)

     - This means that a "passwd: files nis" in /etc/nsswitch.conf is
       equivalent to "passwd: compat" with a '+' at the end of /etc/passwd.

Hope it helps,

-- 
Oron Peled                                 Voice: +972-4-8228492
oron at actcom.co.il                  http://users.actcom.co.il/~oron
When you say "I wrote a program that crashed Windows", people just stare
at you blankly and say "Hey, I got those with the system, *for free*"
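
The checklist in the message above, written out as a staged script that stops at the first failing step. This is an added example, not part of the original message: the return codes 1-6, the file name nischeck.sh and the use of pgrep(1) in place of a manual ps(1) check are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the original message): run the checks in order
# and stop at the first failure. Return codes 1-6 are this script's own
# convention; pgrep(1) stands in for the manual ps(1) check.

fail() { echo "FAIL (step $1): $2" >&2; return "$1"; }

nis_nss_check() {
    user=$1

    # --- Stage 1: NIS on its own, nsswitch not involved ---
    pgrep -x ypbind >/dev/null 2>&1 ||
        { fail 1 "ypbind is not running"; return; }

    server=$(ypwhich 2>/dev/null) && [ -n "$server" ] ||
        { fail 2 "not bound: check domainname, /etc/yp.conf, server securenets"; return; }
    echo "bound to $server, domain $(domainname 2>/dev/null)"

    [ -n "$(ypcat passwd 2>/dev/null)" ] ||
        { fail 3 "ypcat passwd returned nothing"; return; }

    ypmatch "$user" passwd >/dev/null 2>&1 ||
        { fail 4 "ypmatch cannot find $user (below the server's UID threshold?)"; return; }

    # --- Stage 2: only now look at NSS integration ---
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "current nsswitch.conf lines:" >&2
        grep -E '^(passwd|shadow|group):' /etc/nsswitch.conf >&2 2>/dev/null
        fail 5 "NIS answers but getent does not: fix /etc/nsswitch.conf"; return
    fi
    id "$user" >/dev/null 2>&1 ||
        { fail 6 "getent works but id $user fails"; return; }

    echo "OK: $user resolves through NIS and NSS"
}

# Run directly as: sh nischeck.sh vic   (hypothetical file name)
if [ $# -gt 0 ]; then nis_nss_check "$1"; fi
```

A result of 1-4 points at the NIS client or server configuration; 5 or 6 means NIS itself answers and the problem is in /etc/nsswitch.conf.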