  • Published: 9 January 2012
SettingUpNISHowTo - Community Ubuntu Documentation


Needs Expansion: This article is incomplete, and needs to be expanded.

This needs to be written. It needs to be *easy* link: See also the HOWTO in the package.

My attempt at satisfying the above:

NIS Server Config
Matthew Caron

Note: This assumes your server and clients have static IP addresses. NIS with dynamic IP addresses presents a serious security hazard. See the "Security" section, below, for a discussion of security problems inherent with NIS and how to avoid them.

1. (Warty only) Add any client name and IP addresses to /etc/hosts. The server's IP should already be here. I do not mean, I mean the real IP available to the world. This ensures that NIS will still work even if DNS goes down. You could rely on DNS if you wanted, it's up to you.

2. Add the following line to hosts.allow:

Where the "list of IP addresses" string is, you need to make a list of IP addresses that consists of the server and all clients. These have to be IP addresses because of a limitation in portmap (it doesn't like hostnames).

3. Install NIS:

You will be asked for the name of your NIS domain. This can be anything; you're naming it. It just has to be the same domain for the server and all clients. Also note that if you don't yet have an NIS server set up, your initial install will wait about a minute before timing out while trying to bind.

4. Edit /etc/default/portmap and comment out the ARGS="-i" line

5. Edit /etc/default/nis and set the NISSERVER line to NISSERVER=master

6. Edit /etc/yp.conf and add a server line of the form:

where is the name of your domain (entered when you installed nis) and is the name of the server you're setting all this up on. (This lives in /etc/defaultdomain for the curious)

7. Edit /var/yp/Makefile and read the instructions. It probably won't need a lot of modification. The only thing I changed was the MINGID line so that the group memberships would be propagated across the domain. I set it to 1.

8. Edit /etc/ypserv.securenets and add lines to restrict access to domain members. I use lines for specific hosts, like:

IMPORTANT!!!: comment out the 0.0.0.0 line. Otherwise, everyone gets access. (See "Security" below for discussion of why this is bad).

9. Build the DB for the first time, run:


and follow the instructions. This will probably throw some errors about not being able to talk to certain things. This is okay. (Other errors probably aren't).

10. Restart everything:

Note that I had some problems with portmap releasing the port which it was listening on and ended up having to reboot the machine for it to take effect. You can test it with ypcat passwd.

11. If you change anything (add a user, etc.), make sure to do:

Security

NIS is a dangerous thing. Anyone who can get access to the daemon can dump your password lists. If they can do that, then they have your passwords. It doesn't matter that the passwords are encrypted; they are plaintext equivalent (since authentication is done with encrypted passwords, you don't need to know the text password, you just need to write an app to provide the encrypted one to the authentication system correctly). So, let's make sure that doesn't happen. How? Well, first, we restrict access:

1. Only allow domain members to talk to the appropriate services in hosts.allow. This implies that hosts.deny is set to something like ALL:ALL in order for this to work.

2. Limit who the server will respond to by putting domain members in /etc/securenets

3. (Alternatively?) To enable NIS password verification from non-privileged processes the following...
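A check for step 8 and for point 2 of the Security section, as an added example that is not part of the original HOWTO: a shell function that scans a ypserv.securenets-style file and flags the 0.0.0.0 line and any entry wider than a single host. The function name audit_securenets, its return codes and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO): audit a ypserv.securenets-style file.
# Entries are "<netmask> <network>"; "host <ip>" is shorthand for one host.
# Return status: 0 = single hosts only, 1 = network-wide entry, 2 = open to all.
audit_securenets() {
    status=0
    lineno=0
    while read -r mask net rest || [ -n "$mask" ]; do
        lineno=$((lineno + 1))
        case "$mask" in
            ''|'#'*) continue ;;                 # blank line or comment
            host|255.255.255.255) continue ;;    # one specific host
            0.0.0.0)
                # A zero netmask matches every address: the line step 8 says to comment out.
                echo "OPEN  line $lineno: $mask $net (every client may query the maps)"
                status=2 ;;
            *)
                echo "BROAD line $lineno: $mask $net (a whole network, not one host)"
                if [ "$status" -lt 1 ]; then status=1; fi ;;
        esac
    done < "$1"
    return "$status"
}

# Constructed sample input using documentation addresses (192.0.2.0/24).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real server's file
host 127.0.0.1
255.255.255.255 192.0.2.10
255.255.255.0   192.0.2.0
0.0.0.0         0.0.0.0
EOF

rc=0
audit_securenets "$sample" || rc=$?
echo "audit status: $rc"
rm -f "$sample"
```

On the NIS server, pointing the function at /etc/ypserv.securenets after editing should give status 0 when only per-host lines remain.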