Most UNIX network administrators have run into this situation: a user needs to work on, and log on to, several different UNIX systems and keep documents on each of them. The administrator has to create an account for that user on every system, set the password, set the group information, and create a working directory, on every machine. On top of that an FTP server is usually set up, so that the user saves files there and fetches them again after logging on to another system. This is not only tedious but hard to manage: when the employee leaves one day, the administrator has to visit every UNIX system to delete the account and its files, to be sure that the person can no longer log on anywhere. Some system information is awkward to manage in the same way. For example, an identical hosts file must exist on every host so that the names and IP addresses of all machines resolve correctly, yet whenever a machine is added or changed the administrator has to edit the hosts file on each UNIX machine.
Looking at these problems, most of what gets changed is identical everywhere: the same account, the same directory, the same hosts file. With a handful of machines this is bearable; once you manage more than 200 machines you can spend the whole day on repetitive work.
So what do the UNIX administrators of large networks do about this? They certainly do not change these settings on every machine by hand. They use the NIS and NFS services introduced here.
The following describes the ideas behind, and the methods for, setting up NIS and NFS services on FreeBSD.
Note: the lab environment used below is:
cat.mydomain.nis   OpenBSD 3.3   NIS and NFS client
dog.mydomain.nis   FreeBSD 4.8   NIS master server and NFS server (stores the account information, group information and user files of every user on the network)
bee.mydomain.nis   FreeBSD 4.5   NIS slave (secondary) server
1. Use NIS to share system information
NIS is a service developed by Sun Microsystems for sharing user data, group data, host data, protocols and other data among UNIX systems. It was first called Yellow Pages; Sun renamed it NIS because of a trademark conflict, but the abbreviation YP is still used in many places (ypserv, ypbind, ypcat and so on). NIS greatly simplified UNIX network management, and almost every UNIX system now supports it. FreeBSD is no exception: it currently provides NIS v2 and is compatible with NIS v1.
When a user works on several UNIX systems, in most cases the same user name, the same group and the same password are used on all of them. This information can therefore be stored on one machine and managed there, and the other machines obtain it from that machine. To change a user's details the administrator only modifies the information on the machine that stores it, and the other machines automatically see the change instead of having to be updated one by one. This is the basic way NIS works.
NIS uses a domain to manage the information to be shared; the shared information is compiled into NIS databases (maps). All machines with the same NIS domain name use the databases belonging to that domain. The databases are stored on one machine, the NIS master server, and the other machines query the NIS databases from it. For stability you can also create one or more NIS slave (secondary) servers that keep their data synchronized with the master and take over its duties when the master fails.
Next let's take a look at how to create an NIS master server in FreeBSD.
First, since NIS is managed on the basis of a domain, you need to set a domain name on the server. You can display the current domain name with domainname. (Note: this domain name has nothing to do with the DNS domain name; it only divides a network into parts and can be any value, though you may of course set it to your DNS domain name as well.)
dog# domainname
If this prints nothing, the domain name has not been set. You set or change it with the same command:
dog# domainname mydomain.nis
Once the domain name is set, the following steps can begin.
By default FreeBSD stores the NIS data of each domain under /var/yp/yourdomainname. The information to be shared, such as master.passwd, is copied to /var/yp. Note that FreeBSD hashes user passwords with MD5 by default. If your network contains several kinds of UNIX systems and some of them do not support MD5 hashes, you have to change the password hashing method to one they support (such as DES); otherwise the shared accounts will not be able to log on to those machines. (Security caveat: DES crypt uses only the first 8 characters of a password and is far faster to brute-force than MD5 or Blowfish, and NIS hands the hashes to every client in the domain, so only downgrade if you really have clients that cannot do anything else.)
You change FreeBSD's default hashing method as follows:
dog# vi /etc/login.conf
Then edit the user's login class (if none is specified for the user, it is the default class) and add the line passwd_format=des:\ (des means DES, md5 means MD5 and blf means Blowfish), for example:
default:\
	:passwd_format=des:\
	:datasize=infinity:\
	...
After saving and exiting, use cap_mkdb to regenerate the database file in Berkeley DB format:
dog# cap_mkdb /etc/login.conf
This updates or creates /etc/login.conf.db.
So far only the default hashing method has changed; the existing password hashes are untouched. Run passwd for each user whose account is to be shared so that a new DES hash is written, then copy master.passwd to the /var/yp directory and, for safety, tighten the permissions of the copy:
dog# cp /etc/master.passwd /var/yp/master.passwd
dog# chmod 0600 /var/yp/master.passwd
Also for security reasons, remove from this copy the users that do not need to be, or must not be, shared, such as root and the default system users (bin, daemon and so on). Anything left in the file becomes visible, hash included, to the NIS clients in the domain.
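Preparing the shared copy by hand is easy to get wrong, so here is an added example (this script is not from the original article) that does it by rule: it copies only ordinary accounts into the shared file, creates the file readable by root only, and lists the accounts that still carry a non-DES hash, i.e. users who have not yet re-run passwd since passwd_format was changed. It assumes that ordinary users have UIDs of 1000 and above (nobody, UID 65534, is excluded) and that the input has FreeBSD's ten-field master.passwd layout; the sample data is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article.  Prepares /var/yp/master.passwd
# from /etc/master.passwd the way the text describes, but by rule instead of by hand.
#
# FreeBSD master.passwd fields: name:hash:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample /etc/master.passwd for the demonstration (hashes are dummies).
SAMPLE_MASTER_PASSWD='root:$1$saltsalt$AAAAAAAAAAAAAAAAAAAAAA:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
matthew:abJnggxhB/yWI:1001:1001::0:0:Matthew:/home/matthew:/bin/sh
alice:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:1002:1002::0:0:Alice:/home/alice:/bin/sh'

# nis_prepare_passwd SRC DST
# Copy only ordinary accounts (assumed UID range 1000..65533) from SRC to DST and
# make DST readable by root only, so root, bin, daemon, ... never reach the NIS map.
nis_prepare_passwd() {
    src=$1
    dst=$2
    umask 077                      # never create the copy world-readable, even briefly
    awk -F: '$3 >= 1000 && $3 < 65534' "$src" > "$dst" || return 1
    chmod 0600 "$dst"
}

# nis_non_des_hashes FILE
# Print the names of accounts whose hash is in modular-crypt format ($1$ MD5,
# $2a$ Blowfish, ...).  After passwd_format=des these users must run passwd again,
# otherwise clients that only understand DES cannot verify their passwords.
nis_non_des_hashes() {
    awk -F: 'substr($2, 1, 1) == "$" { print $1 }' "$1"
}

# Usage on the master (replaces the manual cp/chmod steps in the text):
#   nis_prepare_passwd /etc/master.passwd /var/yp/master.passwd
#   nis_non_des_hashes /var/yp/master.passwd     # should print nothing when done
```

The UID threshold is the only policy in the script; if your site starts ordinary users at a different UID, change the two numbers in nis_prepare_passwd rather than editing the generated file.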
Now initialize the NIS master server with ypinit(8):
dog# cd /var/yp
dog# ypinit -m mydomain.nis
Here -m means generate a master server, and mydomain.nis is your domain name.
During initialization you are asked some questions:
Do you want this procedure to quit on non-fatal errors? [y/n: n]
Answer n. You are then asked for the names of the NIS servers, master and slaves. Since we have only the master server for now, press Ctrl-D to end the list; if you plan to create slave servers, enter their names here, one per line. Your server list is then displayed:
The current list of NIS servers looks like this:
dog.mattcell.com
Is this correct?  [y/n: y]
If there is no error, answer y. (The list uses the machine's host name as returned by hostname, which is why the DNS name dog.mattcell.com appears here rather than a name in the NIS domain.)
The initialization then runs. Some error messages appear during this step; ignore them, they are produced because the ypserv service process has not been started yet. Finally this message appears:
dog.mattcell.com has been setup as an YP master server without any errors.
This indicates that the NIS master server has been initialized.
Now start the NIS daemon ypserv(8). Because ypserv is an RPC service, portmap(8) must be running first (on FreeBSD 5 and later it is called rpcbind). If you want clients to be able to change their passwords, also run the rpc.yppasswdd(8) daemon on the NIS master server:
dog# portmap
dog# ypserv
dog# rpc.yppasswdd
To have these started automatically at boot, add the following to /etc/rc.conf:
portmap_enable="YES"
nisdomainname="mydomain.nis"
nis_server_enable="YES"
nis_yppasswdd_enable="YES"
The NIS master server is now running. You can test it with the following commands:
dog# ypbind                    start the NIS client support program
dog# ypcat passwd              query the /etc/passwd information on the NIS server
dog# ypcat master.passwd       query the /etc/master.passwd information (with password hashes) on the NIS server
dog# ypcat group               query the /etc/group information on the NIS server
dog# ypcat hosts               query the /etc/hosts information on the NIS server
dog# ypcat networks            query the /etc/networks information on the NIS server
dog# ypcat netgroup            query the /etc/netgroup information on the NIS server
dog# ypcat services            query the /etc/services information on the NIS server
dog# ypcat protocols           query the /etc/protocols information on the NIS server
dog# ypcat ypservers           query the list of NIS servers
dog# killall ypbind            stop the NIS client support program
Next, let's see how a client shares this information.
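Security caveat, with an added example that is not part of the original article: the ypcat commands above work from any host that knows the NIS domain name and can reach portmap on dog, and the domain name is easy to guess or to read off the wire. FreeBSD's ypserv(8) reads /var/yp/securenets, if the file exists, and answers only hosts whose address matches one of its network/netmask entries. The following file, written for an assumed 192.168.128.0/24 lab network (the address is an assumption; substitute your own), is what you would create on the master and on every slave, restarting ypserv afterwards:

```text
# /var/yp/securenets: one "network netmask" pair per line, "#" starts a comment
# allow connections from local host -- mandatory
127.0.0.1       255.255.255.255
# allow connections from any host on the 192.168.128.0 network
192.168.128.0   255.255.255.0
```

securenets filters on the source address only, which a host on the same segment can spoof, so it limits exposure rather than authenticating clients. FreeBSD's ypserv additionally serves the master.passwd maps only to requests arriving from privileged ports, so unprivileged users on a client cannot pull the hashes, but root on any permitted client still can.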
First, the client's NIS domain name must match the NIS server's. Because the client queries information from the NIS server, the daemon ypbind(8) has to run on the client to provide NIS support. ypbind is also an RPC service, so portmap(8) must run before it:
cat# domainname mydomain.nis
cat# portmap
cat# ypbind
At this point cat broadcasts on the network to find an NIS server for the domain. Again, the settings can be put in rc.conf (the variables shown are FreeBSD's) so that they start automatically:
nisdomainname="mydomain.nis"
portmap_enable="YES"
nis_client_enable="YES"
nis_client_flags="-S mydomain.nis,dog.mydomain.nis,bee.mydomain.nis"
nis_client_flags passes options to ypbind: -S sets the NIS domain name to mydomain.nis and gives the list of NIS servers, dog.mydomain.nis and bee.mydomain.nis. This helps remote users, for whom finding a server by broadcast is less reliable. It is also the safer choice everywhere: a broadcast binds to whichever ypserv answers first, so anyone able to run a rogue ypserv on the same network segment could feed the client a forged passwd map. Listing the servers with -S (or at least running ypbind with -s, which refuses servers that are not running on privileged ports) removes most of that risk.
Next, tell the system to accept user information from NIS by adding the following line at the end of /etc/master.passwd (edit it with vipw, which rebuilds the password databases; editing the file directly has no effect):
+:::::::::
With this line, when a user logs on to this machine (cat.mydomain.nis), login first checks whether the account exists locally; if it does, the local information is used, and if not, it is fetched through NIS.
In the same way, to share group information add the following as the last line of /etc/group:
+:*::
The hosts information on the NIS server can also be shared. Add the nis query option to /etc/host.conf:
# $FreeBSD: src/etc/host.conf
# First try the /etc/hosts file
hosts
# Second use YP/NIS
nis
# Now try the DNS
bind
With this order, when the IP address of a machine is looked up the system first searches /etc/hosts; if there is no match it queries the hosts map on the NIS server through NIS; and if that also fails it uses DNS.
Note: /etc/host.conf was replaced by /etc/nsswitch.conf from FreeBSD 5.0 on, where the equivalent line is hosts: files nis dns, and the passwd: compat and group: compat lines keep the +/- entries in master.passwd and group working.
Now you can log on to cat.mydomain.nis with an account that exists on dog.mydomain.nis:
FreeBSD (i386)
login: matthew
Password:
Note that, because no HOME directory has been created for matthew on cat.mydomain.nis, the system reports that the HOME directory is not found. Ignore this for now; the problem is solved later.
To change your NIS password from the client, use yppasswd(1) (this requires rpc.yppasswdd to be running on the NIS master server):
matthew@cat$ yppasswd
Changing NIS password for matthew on dog.mydomain.nis.
Old Password:
New Password:
Retype new password:
NIS password has been changed on dog.mydomain.nis.
Next, let's see how to update the NIS databases on the NIS server.
When data on the NIS server changes, for example after adding users or groups, the NIS clients do not see the change immediately, because the NIS databases are stored under /var/yp/yourdomainname and have to be rebuilt. (Note: after changing /etc/master.passwd you must copy it to /var/yp again and remove the unwanted users, as above, before rebuilding.) To update the NIS databases:
dog# cd /var/yp
dog# make
make rebuilds the NIS databases according to the Makefile. Because ypserv reads the databases at query time, it does not need to be restarted.
Create an NIS slave server
If you worry that a failure of the NIS master server would leave users unable to log on, you can create one or more NIS slave (secondary) servers, which is fairly simple.
First, initialize. Because the slave's NIS databases are fetched directly from the master server, run this on the machine that is to become the slave:
bee# cd /var/yp
bee# ypinit -s dog.mydomain.nis mydomain.nis
Here -s gives the name of the NIS master server, and the following mydomain.nis is the NIS domain to initialize, that is, the slave's NIS domain name.
Then edit /etc/rc.conf on the slave so that the NIS services start automatically. A slave runs ypserv just like the master, and normally also ypbind so that it serves itself as a client:
portmap_enable="YES"
nisdomainname="mydomain.nis"
nis_server_enable="YES"
nis_client_enable="YES"
nis_client_flags="-S mydomain.nis,localhost"
rpc.yppasswdd is not started on the slave: password changes are always handled by the master. The optional transfer daemon rpc.ypxfrd(8), which speeds up the transfer of large maps, likewise runs on the master (nis_ypxfrd_enable="YES" in the master's rc.conf), not on the slave. Because the master pushes maps only when make is run there, it is also sensible to have the slave re-pull the maps periodically from cron with /usr/libexec/ypxfr, so that a missed push does not leave it serving stale data.
In addition, to allow the synchronization transfers, one setting on the master has to change, because by default the master assumes it is the only NIS server. Comment out NOPUSH = "True" in /var/yp/Makefile:
#NOPUSH = "True"
If you had not planned a slave when you initialized the master, and so did not enter the slave's name at that time, but now want one, add the slave as follows:
dog# cd /var/yp
dog# vi ypservers
Add the name of your slave server, one host name per line; here it is bee.mydomain.nis:
dog.mydomain.nis
bee.mydomain.nis
Then run make in /var/yp once to rebuild the ypservers map. From now on the slave is kept in sync automatically: every time the master's databases are updated with make, the maps are pushed to the slaves listed here.
Advanced Settings of NIS
In the example above, every user on the NIS master server can log on to the NIS client (cat in this case). Can we allow only some users to log on, or keep some users out?
Yes. To allow a single user, add the following to the client's master.passwd:
+matthew:::::::::
This means that user matthew from the NIS server (+) may log on to this machine. When no user name follows the +, all users are allowed, which is the case above.
To keep a user out:
-badman:::::::::
This means that badman from the NIS server (-) cannot log on to this machine. Note that the system processes master.passwd from the first line down and stops at the first line that matches; later lines are not considered. So to forbid some users while allowing everyone else, the -user::::::::: lines must come before the + line, otherwise those users can still log on:
-badman:::::::::
-hacker:::::::::
+:::::::::
With these settings badman and hacker from the NIS server cannot log on to this machine while all other users can.
Another situation: I want only some users to be able to log on, but I still need the user information to match the NIS server so that user and group names are displayed correctly by id and similar tools. This can be done by adding the following to the client's /etc/master.passwd:
+matthew:::::::::
+guest::::::::/home/ftp:
+:::::::::/sbin/nologin
These settings allow matthew to log on, allow guest to log on but with the HOME directory set to /home/ftp, and change the shell of every other user to /sbin/nologin so that they cannot log on, while their user information is still synchronized from the NIS server. Non-empty fields in a + line override the corresponding fields from the NIS map, which is how the home directory and the shell are overridden here.
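Because the order of these lines decides who can log on, it is worth checking a proposed master.passwd before installing it. The following added example (not from the original article) is a small simulator of the rules just described: it walks a client master.passwd from the top, stops at the first matching line, and applies the non-empty override fields of a + line on top of the NIS entry. Both data sets are constructed for the demonstration; the NIS map is a stand-in for what dog.mydomain.nis would serve.

```shell
#!/bin/sh
# Added example, not from the original article: simulate how a client processes
# the +/- entries of master.passwd so the effect of a change can be checked
# before it is installed with vipw.  All data below is constructed.

# Constructed stand-in for the master.passwd map served by dog.mydomain.nis
NIS_MAP='matthew:$1$a$A:1001:1001::0:0:Matthew:/home/matthew:/bin/sh
guest:*:1002:1002::0:0:Guest:/home/guest:/bin/sh
badman:$1$b$B:1003:1003::0:0:Bad Man:/home/badman:/bin/sh
hacker:$1$c$C:1004:1004::0:0:Hacker:/home/hacker:/bin/sh
alice:$1$d$D:1005:1005::0:0:Alice:/home/alice:/bin/sh'

# Constructed client /etc/master.passwd: a local root, two exclusions, two
# explicit admissions (one with a HOME override) and a catch-all that sets
# everybody else's shell to /sbin/nologin.  Order matters: first match wins.
CLIENT_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
-badman:::::::::
-hacker:::::::::
+matthew:::::::::
+guest::::::::/home/ftp:
+:::::::::/sbin/nologin'

# resolve_login USER
# Prints "DENY" for an excluded user, "UNKNOWN" when no line matches, and
# otherwise "user:home:shell" as the client would see the account.
resolve_login() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$NIS_MAP" > "$dir/nis.map"
    printf '%s\n' "$CLIENT_PASSWD" > "$dir/master.passwd"
    awk -F: -v user="$1" '
    FNR == NR { nis[$1] = $0; next }      # first file: index the NIS map by name
    substr($1, 1, 1) == "-" {             # -user: exclusion for that user only
        if (substr($1, 2) == user) { print "DENY"; found = 1; exit }
        next
    }
    substr($1, 1, 1) == "+" {             # +user or bare +: admission from NIS
        want = substr($1, 2)
        if (want != "" && want != user) next
        if (!(user in nis)) next          # bare + only admits users NIS knows
        split(nis[user], f, ":")
        for (i = 2; i <= 10; i++)         # non-empty fields of the + line override
            if ($i != "") f[i] = $i
        print f[1] ":" f[9] ":" f[10]; found = 1; exit
    }
    $1 == user {                          # ordinary local entry
        print $1 ":" $9 ":" $10; found = 1; exit
    }
    END { if (!found) print "UNKNOWN" }' "$dir/nis.map" "$dir/master.passwd"
    rm -rf "$dir"
}

# Example runs on the constructed data:
#   resolve_login badman   -> DENY
#   resolve_login guest    -> guest:/home/ftp:/bin/sh
#   resolve_login alice    -> alice:/home/alice:/sbin/nologin
```

Swapping the -badman line below the bare + line and running resolve_login badman again shows the mistake the text warns about: the + line matches first and badman is admitted with /sbin/nologin as shell rather than being excluded.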